Repository: aporeto-inc/trireme
Branch: master
Commit: e77251373ca9
Files: 549
Total size: 3.9 MB

Directory structure:
gitextract_oai4eol3/

├── .github/
│   ├── ISSUE_TEMPLATE.md
│   └── PULL_REQUEST_TEMPLATE.md
├── .gitignore
├── .lint.windows.sh
├── .test.sh
├── .test.windows.sh
├── .travis.yml
├── CONTRIBUTING.md
├── Gopkg.toml
├── LICENSE
├── Makefile
├── NOTICE
├── README.md
├── buildflags/
│   ├── buildflags.go
│   └── buildflags_rhel.go
├── cmd/
│   └── systemdutil/
│       ├── exec.go
│       ├── exec_windows.go
│       └── systemdutil.go
├── collector/
│   ├── default.go
│   ├── default_test.go
│   ├── interfaces.go
│   └── mockcollector/
│       └── mockcollector.go
├── common/
│   ├── events.go
│   ├── hooks.go
│   ├── oauthtokens.go
│   └── service.go
├── controller/
│   ├── config.go
│   ├── config_nonwindows.go
│   ├── config_windows.go
│   ├── constants/
│   │   ├── constants.go
│   │   ├── constants_nonrhel6.go
│   │   ├── constants_rhel6.go
│   │   └── constants_test.go
│   ├── controller.go
│   ├── helpers.go
│   ├── interfaces.go
│   ├── internal/
│   │   ├── enforcer/
│   │   │   ├── acls/
│   │   │   │   ├── acl.go
│   │   │   │   ├── acl_test.go
│   │   │   │   ├── aclcache.go
│   │   │   │   ├── aclcache_test.go
│   │   │   │   ├── icmpacl.go
│   │   │   │   ├── ports.go
│   │   │   │   ├── ports_test.go
│   │   │   │   ├── utils.go
│   │   │   │   └── utils_test.go
│   │   │   ├── apiauth/
│   │   │   │   ├── apiauth.go
│   │   │   │   ├── apiauth_test.go
│   │   │   │   └── types.go
│   │   │   ├── applicationproxy/
│   │   │   │   ├── applicationproxy.go
│   │   │   │   ├── common/
│   │   │   │   │   └── common.go
│   │   │   │   ├── http/
│   │   │   │   │   ├── error_handler.go
│   │   │   │   │   ├── http.go
│   │   │   │   │   ├── ping_http.go
│   │   │   │   │   └── transport.go
│   │   │   │   ├── markedconn/
│   │   │   │   │   ├── mark_linux.go
│   │   │   │   │   ├── mark_windows.go
│   │   │   │   │   ├── markedconn.go
│   │   │   │   │   ├── markedconn_darwin.go
│   │   │   │   │   ├── markedconn_test.go
│   │   │   │   │   ├── markedconn_windows_test.go
│   │   │   │   │   ├── origdest_linux.go
│   │   │   │   │   ├── origdest_windows.go
│   │   │   │   │   ├── platformdata.go
│   │   │   │   │   ├── platformdata_test.go
│   │   │   │   │   └── platformdata_windows.go
│   │   │   │   ├── pingrequest/
│   │   │   │   │   └── pingrequest.go
│   │   │   │   ├── protomux/
│   │   │   │   │   ├── protomux.go
│   │   │   │   │   └── protomux_test.go
│   │   │   │   ├── servicecache/
│   │   │   │   │   ├── servicecache.go
│   │   │   │   │   └── servicecache_test.go
│   │   │   │   ├── serviceregistry/
│   │   │   │   │   ├── serviceregistry.go
│   │   │   │   │   └── serviceregistry_test.go
│   │   │   │   ├── tcp/
│   │   │   │   │   ├── lookup.go
│   │   │   │   │   ├── ping_tcp.go
│   │   │   │   │   ├── tcp.go
│   │   │   │   │   ├── tcp_test.go
│   │   │   │   │   └── verifier/
│   │   │   │   │       ├── testdata/
│   │   │   │   │       │   ├── generate-certs.sh
│   │   │   │   │       │   ├── myca-cert.pem
│   │   │   │   │       │   ├── myclient-bad-cert.pem
│   │   │   │   │       │   ├── myclient-dns-cert.pem
│   │   │   │   │       │   ├── myclient-ip-cert.pem
│   │   │   │   │       │   └── myserver-cert.pem
│   │   │   │   │       ├── verifier.go
│   │   │   │   │       └── verifier_test.go
│   │   │   │   └── tlshelper/
│   │   │   │       └── tlshelper.go
│   │   │   ├── constants/
│   │   │   │   └── constants.go
│   │   │   ├── dnsproxy/
│   │   │   │   ├── common.go
│   │   │   │   ├── dns.go
│   │   │   │   ├── dns_darwin.go
│   │   │   │   ├── dns_linux.go
│   │   │   │   ├── dns_linux_test.go
│   │   │   │   ├── dns_report.go
│   │   │   │   ├── dns_test.go
│   │   │   │   ├── dns_unsupported.go
│   │   │   │   ├── dns_windows.go
│   │   │   │   ├── dns_windows_test.go
│   │   │   │   ├── dnsproxy.go
│   │   │   │   ├── mockdnsproxy/
│   │   │   │   │   └── mockdnsproxy.go
│   │   │   │   └── mutex_map.go
│   │   │   ├── enforcer.go
│   │   │   ├── envoyauthorizer/
│   │   │   │   ├── envoyauthorizerenforcer.go
│   │   │   │   └── envoyproxy/
│   │   │   │       ├── auth_server.go
│   │   │   │       └── sds_server.go
│   │   │   ├── flowstats/
│   │   │   │   └── state.go
│   │   │   ├── lookup/
│   │   │   │   ├── lookup.go
│   │   │   │   └── lookup_test.go
│   │   │   ├── metadata/
│   │   │   │   └── metadata.go
│   │   │   ├── mockenforcer/
│   │   │   │   └── mockenforcer.go
│   │   │   ├── nfqdatapath/
│   │   │   │   ├── afinetrawsocket/
│   │   │   │   │   ├── afinetrawsocket.go
│   │   │   │   │   ├── afinetrawsocket_osx.go
│   │   │   │   │   └── afinetrawsocket_windows.go
│   │   │   │   ├── autoport.go
│   │   │   │   ├── autoport_nonwindows.go
│   │   │   │   ├── autoport_windows.go
│   │   │   │   ├── countererrors.go
│   │   │   │   ├── datapath.go
│   │   │   │   ├── datapath_common_test.go
│   │   │   │   ├── datapath_darwin.go
│   │   │   │   ├── datapath_icmp.go
│   │   │   │   ├── datapath_linux.go
│   │   │   │   ├── datapath_tcp.go
│   │   │   │   ├── datapath_test.go
│   │   │   │   ├── datapath_udp.go
│   │   │   │   ├── datapath_windows.go
│   │   │   │   ├── diagnostics_tcp.go
│   │   │   │   ├── interfaces.go
│   │   │   │   ├── nflog/
│   │   │   │   │   ├── nflog_common.go
│   │   │   │   │   ├── nflog_darwin.go
│   │   │   │   │   ├── nflog_linux.go
│   │   │   │   │   ├── nflog_test.go
│   │   │   │   │   └── nflog_windows.go
│   │   │   │   ├── nfq_darwin.go
│   │   │   │   ├── nfq_linux.go
│   │   │   │   ├── nfq_windows.go
│   │   │   │   ├── nfq_windows_test.go
│   │   │   │   ├── ping_tcp.go
│   │   │   │   ├── ping_test.go
│   │   │   │   ├── test_utils.go
│   │   │   │   ├── test_utils_linux.go
│   │   │   │   ├── tokenaccessor/
│   │   │   │   │   ├── interfaces.go
│   │   │   │   │   ├── mocktokenaccessor/
│   │   │   │   │   │   └── mocktokenaccessor.go
│   │   │   │   │   ├── tokenaccessor.go
│   │   │   │   │   └── tokenaccessor_test.go
│   │   │   │   ├── utils.go
│   │   │   │   └── utils_test.go
│   │   │   ├── proxy/
│   │   │   │   ├── enforcerproxy.go
│   │   │   │   ├── enforcerproxy_test.go
│   │   │   │   └── rpcserver.go
│   │   │   ├── secretsproxy/
│   │   │   │   ├── secretsproxy.go
│   │   │   │   ├── secretsproxy_windows.go
│   │   │   │   └── transformer.go
│   │   │   └── utils/
│   │   │       ├── ephemeralkeys/
│   │   │       │   ├── ephemeralkeys.go
│   │   │       │   ├── interfaces.go
│   │   │       │   └── mockephemeralkeys/
│   │   │       │       └── mockephemeralkeys.go
│   │   │       ├── nsenter/
│   │   │       │   ├── nsenter.c
│   │   │       │   ├── nsenter.go
│   │   │       │   └── nsenter_linux.go
│   │   │       ├── packetgen/
│   │   │       │   ├── interfaces.go
│   │   │       │   ├── packet_gen.go
│   │   │       │   ├── packet_gen_test.go
│   │   │       │   └── packet_templates.go
│   │   │       └── rpcwrapper/
│   │   │           ├── interfaces.go
│   │   │           ├── mockrpcwrapper/
│   │   │           │   └── mockrpcwrapper.go
│   │   │           ├── rpc_handle.go
│   │   │           ├── rpc_handlemock.go
│   │   │           ├── rpc_handletest.go
│   │   │           ├── rpc_testhelper.go
│   │   │           └── types.go
│   │   ├── processmon/
│   │   │   ├── interfaces.go
│   │   │   ├── mockprocessmon/
│   │   │   │   └── mockprocessmon.go
│   │   │   ├── processmon.go
│   │   │   ├── processmon_linux_test.go
│   │   │   ├── processmon_test.go
│   │   │   ├── processmon_windows.go
│   │   │   └── testbinary/
│   │   │       └── testbinary.go
│   │   ├── supervisor/
│   │   │   ├── interfaces.go
│   │   │   ├── iptablesctrl/
│   │   │   │   ├── acls.go
│   │   │   │   ├── acls_darwin.go
│   │   │   │   ├── acls_linux.go
│   │   │   │   ├── acls_nonwindows.go
│   │   │   │   ├── acls_rhel6.go
│   │   │   │   ├── acls_windows.go
│   │   │   │   ├── acls_windows_test.go
│   │   │   │   ├── comparators.go
│   │   │   │   ├── constants_nonwindows.go
│   │   │   │   ├── constants_windows.go
│   │   │   │   ├── icmp_linux.go
│   │   │   │   ├── icmp_linux_test.go
│   │   │   │   ├── icmp_rhel6.go
│   │   │   │   ├── icmp_windows.go
│   │   │   │   ├── instance.go
│   │   │   │   ├── ipsets.go
│   │   │   │   ├── iptables.go
│   │   │   │   ├── iptablesV4_test.go
│   │   │   │   ├── iptablesV6_test.go
│   │   │   │   ├── iptables_linux_test.go
│   │   │   │   ├── iptables_rhel6_test.go
│   │   │   │   ├── iptables_windows_test.go
│   │   │   │   ├── ipv4.go
│   │   │   │   ├── ipv6.go
│   │   │   │   ├── ipv6_nonwindows.go
│   │   │   │   ├── ipv6_windows.go
│   │   │   │   ├── legacyacls.go
│   │   │   │   ├── portset.go
│   │   │   │   ├── rules.go
│   │   │   │   ├── rules_rhel6.go
│   │   │   │   ├── rules_windows.go
│   │   │   │   ├── templates.go
│   │   │   │   └── templates_test.go
│   │   │   ├── mocksupervisor/
│   │   │   │   └── mocksupervisor.go
│   │   │   ├── noop/
│   │   │   │   └── supervisornoop.go
│   │   │   ├── supervisor.go
│   │   │   └── supervisor_test.go
│   │   └── windows/
│   │       ├── rulespec_windows.go
│   │       ├── rulespec_windows_test.go
│   │       └── utils.go
│   ├── mockcontroller/
│   │   └── mocktrireme.go
│   ├── pkg/
│   │   ├── aclprovider/
│   │   │   ├── ipsetprovider.go
│   │   │   ├── ipsetprovider_windows.go
│   │   │   ├── ipsetprovidermock.go
│   │   │   ├── iptablesprovider.go
│   │   │   ├── iptablesprovider_test.go
│   │   │   ├── iptablesprovider_windows.go
│   │   │   └── iptablesprovidermock.go
│   │   ├── auth/
│   │   │   └── auth.go
│   │   ├── bufferpool/
│   │   │   └── bufferpool.go
│   │   ├── claimsheader/
│   │   │   ├── bytes.go
│   │   │   ├── bytes_test.go
│   │   │   ├── claimsheader.go
│   │   │   ├── claimsheader_test.go
│   │   │   ├── constants.go
│   │   │   ├── ct.go
│   │   │   ├── datapath_version.go
│   │   │   ├── options.go
│   │   │   ├── ping_type.go
│   │   │   └── types.go
│   │   ├── cleaner/
│   │   │   └── cleaner.go
│   │   ├── connection/
│   │   │   ├── connection.go
│   │   │   ├── connection_test.go
│   │   │   └── connectioncache.go
│   │   ├── counters/
│   │   │   ├── counters.go
│   │   │   ├── counters_test.go
│   │   │   ├── countertype_string.go
│   │   │   ├── default.go
│   │   │   ├── default_test.go
│   │   │   └── types.go
│   │   ├── dmesgparser/
│   │   │   └── dmesgparser.go
│   │   ├── ebpf/
│   │   │   ├── bpfbuild/
│   │   │   │   └── socket-filter-bpf.go
│   │   │   ├── ebpf_darwin.go
│   │   │   ├── ebpf_linux.go
│   │   │   ├── ebpf_rhel6.go
│   │   │   ├── ebpf_windows.go
│   │   │   └── interface.go
│   │   ├── env/
│   │   │   └── parameters.go
│   │   ├── flowtracking/
│   │   │   ├── flowtracking.go
│   │   │   ├── flowtracking_nonlinux.go
│   │   │   ├── interfaces.go
│   │   │   └── mockflowclient/
│   │   │       └── mockflowclient.go
│   │   ├── fqconfig/
│   │   │   ├── fqconfig.go
│   │   │   └── fqconfig_test.go
│   │   ├── ipsetmanager/
│   │   │   ├── constants_nonwindows.go
│   │   │   ├── constants_windows.go
│   │   │   ├── helpers.go
│   │   │   ├── ipsetmanager.go
│   │   │   ├── ipsetmanager_test.go
│   │   │   ├── ipsetprovider.go
│   │   │   ├── ipsetprovider_windows.go
│   │   │   ├── ipsetprovidermock.go
│   │   │   ├── ipsets.go
│   │   │   └── mock_ipsetmanager/
│   │   │       └── ipsetmanagermock.go
│   │   ├── packet/
│   │   │   ├── constants.go
│   │   │   ├── helpers.go
│   │   │   ├── packet.go
│   │   │   ├── packet_test.go
│   │   │   └── types.go
│   │   ├── packetprocessor/
│   │   │   └── packetprocessor.go
│   │   ├── packettracing/
│   │   │   └── packettracing.go
│   │   ├── pingconfig/
│   │   │   ├── pingconfig.go
│   │   │   └── pingconfig_test.go
│   │   ├── pkiverifier/
│   │   │   ├── pkiverifier.go
│   │   │   └── pkiverifier_test.go
│   │   ├── pucontext/
│   │   │   ├── pucontext.go
│   │   │   └── pucontext_test.go
│   │   ├── remoteenforcer/
│   │   │   ├── interfaces.go
│   │   │   ├── internal/
│   │   │   │   ├── client/
│   │   │   │   │   ├── interfaces.go
│   │   │   │   │   ├── mockclient/
│   │   │   │   │   │   └── mockclient.go
│   │   │   │   │   ├── reportsclient/
│   │   │   │   │   │   └── client.go
│   │   │   │   │   └── statsclient/
│   │   │   │   │       └── client.go
│   │   │   │   ├── statscollector/
│   │   │   │   │   ├── collector.go
│   │   │   │   │   ├── collector_reader.go
│   │   │   │   │   ├── collector_test.go
│   │   │   │   │   ├── collector_trireme.go
│   │   │   │   │   ├── interfaces.go
│   │   │   │   │   └── mockstatscollector/
│   │   │   │   │       └── mockstatscollector.go
│   │   │   │   └── tokenissuer/
│   │   │   │       ├── mocktokenclient/
│   │   │   │       │   └── mocktokenclient.go
│   │   │   │       └── tokenissuer.go
│   │   │   ├── mockremoteenforcer/
│   │   │   │   └── mockremoteenforcer.go
│   │   │   ├── remoteenforcer_linux.go
│   │   │   ├── remoteenforcer_stub.go
│   │   │   ├── remoteenforcer_test.go
│   │   │   └── type.go
│   │   ├── secrets/
│   │   │   ├── compactpki/
│   │   │   │   ├── compactpki.go
│   │   │   │   └── compactpki_test.go
│   │   │   ├── compactpki.go
│   │   │   ├── compactpki_test.go
│   │   │   ├── interfaces.go
│   │   │   ├── mocksecrets/
│   │   │   │   └── mocksecrets.go
│   │   │   ├── null.go
│   │   │   ├── rpc/
│   │   │   │   └── rpc.go
│   │   │   ├── secrets.go
│   │   │   ├── test_utils.go
│   │   │   └── testhelper/
│   │   │       └── testhelper.go
│   │   ├── servicetokens/
│   │   │   └── servicetokens.go
│   │   ├── tokens/
│   │   │   ├── binarycodec.go
│   │   │   ├── binaryjwt.go
│   │   │   ├── binaryjwt314.go
│   │   │   ├── binaryjwt500.go
│   │   │   ├── binaryjwt_test.go
│   │   │   ├── binaryjwtclaimtypes.go
│   │   │   ├── errors.go
│   │   │   ├── jwt.go
│   │   │   ├── jwt_test.go
│   │   │   ├── mocktokens/
│   │   │   │   └── mocktokens.go
│   │   │   └── tokens.go
│   │   ├── urisearch/
│   │   │   ├── urisearch.go
│   │   │   └── urisearch_test.go
│   │   └── usertokens/
│   │       ├── common/
│   │       │   ├── common.go
│   │       │   └── common_test.go
│   │       ├── mockusertokens/
│   │       │   └── mockusertokens.go
│   │       ├── oidc/
│   │       │   └── oidc.go
│   │       ├── pkitokens/
│   │       │   ├── jwt.go
│   │       │   ├── jwt_test.go
│   │       │   ├── publickeys.go
│   │       │   └── publickeys_test.go
│   │       └── usertokens.go
│   └── runtime/
│       └── runtime.go
├── doc.go
├── docs/
│   ├── README.md
│   ├── docker_host_networks.md
│   ├── linux_processes.md
│   ├── policy_design.md
│   ├── secure-application_segmentation.md
│   └── trireme_architecture.md
├── fix_bpf
├── mockgen.sh
├── monitor/
│   ├── api/
│   │   └── spec/
│   │       ├── Makefile
│   │       └── protos/
│   │           ├── monitor.pb.go
│   │           └── monitor.proto
│   ├── config/
│   │   └── config.go
│   ├── constants/
│   │   └── constants.go
│   ├── external/
│   │   ├── interfaces.go
│   │   └── mockexternal/
│   │       └── mockinterfaces.go
│   ├── extractors/
│   │   ├── constants.go
│   │   ├── constants_windows.go
│   │   ├── docker.go
│   │   ├── docker_test.go
│   │   ├── error.go
│   │   ├── error_test.go
│   │   ├── interface.go
│   │   ├── kubernetes.go
│   │   ├── kubernetes_test.go
│   │   ├── linux.go
│   │   ├── linux_test.go
│   │   ├── ssh.go
│   │   ├── ssh_test.go
│   │   ├── testdata/
│   │   │   └── curl
│   │   ├── uid.go
│   │   ├── uid_test.go
│   │   ├── util.go
│   │   ├── windows.go
│   │   └── windows_test.go
│   ├── interfaces.go
│   ├── internal/
│   │   ├── cni/
│   │   │   ├── extractor.go
│   │   │   ├── monitor.go
│   │   │   └── processor.go
│   │   ├── docker/
│   │   │   ├── config.go
│   │   │   ├── helpers.go
│   │   │   ├── helpers_test.go
│   │   │   ├── mockdocker/
│   │   │   │   └── mockdocker.go
│   │   │   ├── monitor.go
│   │   │   ├── monitor_linux_test.go
│   │   │   ├── monitor_test.go
│   │   │   └── types.go
│   │   ├── k8s/
│   │   │   ├── config.go
│   │   │   ├── event_handler.go
│   │   │   ├── event_handler_test.go
│   │   │   ├── event_retry_handler.go
│   │   │   ├── event_retry_handler_test.go
│   │   │   ├── helpers_test.go
│   │   │   ├── mocks_pod_cache_test.go
│   │   │   ├── mocks_runtime_cache_test.go
│   │   │   ├── monitor.go
│   │   │   ├── monitor_test.go
│   │   │   ├── on_startup.go
│   │   │   ├── on_startup_test.go
│   │   │   ├── pod_cache.go
│   │   │   ├── pod_cache_test.go
│   │   │   ├── runtime_cache.go
│   │   │   ├── runtime_cache_linux.go
│   │   │   ├── runtime_cache_test.go
│   │   │   ├── runtime_cache_unsupported.go
│   │   │   ├── runtime_cache_windows.go
│   │   │   └── testdata/
│   │   │       └── kubeconfig
│   │   ├── kubernetes/
│   │   │   ├── DEPRECATED.txt
│   │   │   ├── cache.go
│   │   │   ├── cache_test.go
│   │   │   ├── client.go
│   │   │   ├── client_test.go
│   │   │   ├── config.go
│   │   │   ├── handler.go
│   │   │   ├── handler_test.go
│   │   │   ├── kubernetes.go
│   │   │   ├── monitor.go
│   │   │   └── monitor_test.go
│   │   ├── linux/
│   │   │   ├── config.go
│   │   │   ├── monitor.go
│   │   │   ├── processor.go
│   │   │   └── processor_test.go
│   │   ├── pod/
│   │   │   ├── config.go
│   │   │   ├── config_test.go
│   │   │   ├── controller.go
│   │   │   ├── controller_test.go
│   │   │   ├── delete_controller.go
│   │   │   ├── delete_controller_test.go
│   │   │   ├── mockcache_test.go
│   │   │   ├── mockclient_test.go
│   │   │   ├── mockinformer_test.go
│   │   │   ├── mockmanager_test.go
│   │   │   ├── mockzapcore_test.go
│   │   │   ├── monitor.go
│   │   │   ├── monitor_test.go
│   │   │   ├── resync.go
│   │   │   ├── resync_test.go
│   │   │   ├── testdata/
│   │   │   │   └── kubeconfig
│   │   │   ├── watcher.go
│   │   │   └── watcher_test.go
│   │   ├── uid/
│   │   │   ├── config.go
│   │   │   ├── monitor.go
│   │   │   └── processor.go
│   │   └── windows/
│   │       ├── config.go
│   │       ├── monitor.go
│   │       ├── processor.go
│   │       └── processor_test.go
│   ├── mockmonitor/
│   │   └── mockmonitor.go
│   ├── monitor.go
│   ├── monitor_windows.go
│   ├── options.go
│   ├── options_windows.go
│   ├── processor/
│   │   ├── interfaces.go
│   │   └── mockprocessor/
│   │       └── mockprocessor.go
│   ├── registerer/
│   │   ├── interfaces.go
│   │   ├── registerer.go
│   │   └── registerer_test.go
│   ├── remoteapi/
│   │   ├── client/
│   │   │   ├── client.go
│   │   │   ├── client_nonwindows.go
│   │   │   ├── client_windows.go
│   │   │   ├── interfaces.go
│   │   │   └── mockclient/
│   │   │       └── mockclient.go
│   │   └── server/
│   │       ├── interfaces.go
│   │       ├── server.go
│   │       ├── server_nonwindows.go
│   │       ├── server_test.go
│   │       ├── server_windows.go
│   │       ├── uidlistener.go
│   │       └── uidlistener_nonlinux.go
│   └── server/
│       ├── pipe.go
│       ├── pipe_windows.go
│       └── server.go
├── plugins/
│   └── pam/
│       ├── README.md
│       ├── uidmonitorpam.go
│       └── uidmonitorpam_c.go
├── policy/
│   ├── apiservices.go
│   ├── interfaces.go
│   ├── mockpolicy/
│   │   └── mockpolicy.go
│   ├── policy.go
│   ├── policy_test.go
│   ├── policyerror.go
│   ├── policyerror_test.go
│   ├── puinfo.go
│   ├── runtime.go
│   ├── runtime_test.go
│   ├── tagstore.go
│   ├── tagstore_test.go
│   ├── types.go
│   └── types_test.go
├── protogen.sh
├── scripts/
│   ├── fix_bpf
│   ├── lint.sh
│   ├── lint.windows.sh
│   ├── test.sh
│   └── test.windows.sh
├── third_party/
│   └── generated/
│       └── envoyproxy/
│           └── data-plane-api/
│               └── envoy/
│                   ├── api/
│                   │   └── v2/
│                   │       ├── core/
│                   │       │   ├── address.pb.go
│                   │       │   ├── base.pb.go
│                   │       │   └── http_uri.pb.go
│                   │       └── discovery.pb.go
│                   ├── service/
│                   │   ├── auth/
│                   │   │   └── v2/
│                   │   │       ├── attribute_context.pb.go
│                   │   │       └── external_auth.pb.go
│                   │   └── discovery/
│                   │       └── v2/
│                   │           └── sds.pb.go
│                   └── type/
│                       ├── http_status.pb.go
│                       └── percent.pb.go
└── utils/
    ├── README.md
    ├── allocator/
    │   ├── allocator.go
    │   └── interfaces.go
    ├── cache/
    │   ├── cache.go
    │   └── cache_test.go
    ├── cgnetcls/
    │   ├── cgnetcls.go
    │   ├── cgnetcls_osx.go
    │   ├── cgnetcls_test.go
    │   ├── cgnetcls_windows.go
    │   ├── constants.go
    │   ├── constants_nonwindows.go
    │   ├── interfaces.go
    │   ├── mockcgnetcls/
    │   │   └── mockcgnetcls.go
    │   └── netcls.go
    ├── constants/
    │   ├── constants.go
    │   ├── constants_linux.go
    │   └── constants_rhel6.go
    ├── cri/
    │   ├── common.go
    │   ├── cri_client_setup.go
    │   ├── cri_client_setup_linux.go
    │   ├── cri_client_setup_linux_test.go
    │   ├── cri_client_setup_unsupported.go
    │   ├── cri_client_setup_windows.go
    │   ├── cri_runtime_wrapper.go
    │   ├── cri_runtime_wrapper_test.go
    │   ├── interface.go
    │   └── mockcri/
    │       ├── mock_runtime_service.go
    │       └── mockinterface.go
    ├── crypto/
    │   ├── crypto.go
    │   └── crypto_test.go
    ├── fqdn/
    │   ├── fqdn.go
    │   └── fqdn_test.go
    ├── frontman/
    │   ├── driver_windows.go
    │   ├── driver_windows_test.go
    │   ├── rulecleanup_windows.go
    │   ├── rulecleanup_windows_test.go
    │   ├── utils_windows.go
    │   └── wrapper_windows.go
    ├── ipprefix/
    │   ├── ipprefix.go
    │   └── ipprefix_test.go
    ├── netinterfaces/
    │   └── netinterfaces.go
    ├── nfqparser/
    │   ├── constants.go
    │   ├── nfqlayout.go
    │   ├── nfqparser.go
    │   └── nfqparser_test.go
    ├── portcache/
    │   ├── portcache.go
    │   └── portcache_test.go
    └── portspec/
        ├── portspec.go
        └── portspec_test.go

================================================
FILE CONTENTS
================================================

================================================
FILE: .github/ISSUE_TEMPLATE.md
================================================
#### Actual behavior
*Description of the actual behavior.*

#### Expected behavior
*Description of the expected behavior.*

#### Steps to reproduce
*Description of the various steps required to reproduce the error.*

#### Solution proposal
*Description of what you thingk would need to be done.*

#### Installation type
- [ ] console.aporeto.com
- [ ] on-prem
- [ ] dev

> Version: ?
> Customer: ?
> ETA: ?


================================================
FILE: .github/PULL_REQUEST_TEMPLATE.md
================================================
#### Description
*Changes proposed in this pull request.*

#### Test plan
*Outline the test plan used to test this change before merging it.*

> Fixes #.


================================================
FILE: .gitignore
================================================
.DS_Store
example/example
vendor
coverage.txt
controller/internal/processmon/testbinary/testbinary
Gopkg.lock
profile.out


================================================
FILE: .lint.windows.sh
================================================
#!/usr/bin/env bash

# goimports and gofmt complain about cr-lf line endings, so don't run them on 
#	a Windows machine where git is configured to auto-convert line endings

OS=`uname -s`
if [[ $OS == *"NT-"* ]]; then 
	GOIMPORTS_OPTION=
	GOFMT_OPTION=
else
	GOIMPORTS_OPTION=--enable=goimports
	GOFMT_OPTION=--enable=gofmt
fi
CGO_ENABLED=0 GOOS=windows GOARCH=amd64 golangci-lint run --deadline=10m --disable-all --exclude-use-default=false --enable=errcheck --enable=ineffassign --enable=govet --enable=golint --enable=unused --enable=structcheck --enable=varcheck --enable=deadcode --enable=unconvert --enable=goconst --enable=gosimple --enable=misspell --enable=staticcheck --enable=unparam --enable=prealloc --enable=nakedret --enable=typecheck $GOIMPORTS_OPTION $GOFMT_OPTION --skip-dirs=vendor/github.com/iovisor ./...


================================================
FILE: .test.sh
================================================
#!/usr/bin/env bash

set -e
echo "" > coverage.txt

./mockgen.sh
./fix_bpf

## FIX ME. go1.14 automatically enables unsafe ptr checks when doing race checks,
## and it is not clear if this is compatible (it is disabled on Windows)
##
## This needs to be revisited and maybe remove "-gcflags=all=-d=checkptr=0" below
## for go1.14 once we determine if there is a real pointer issue in the tests.
##
## this is the file that fails when ptr checking is enabled:
## go.aporeto.io/trireme-lib/controller/internal/enforcer/applicationproxy/markedconn_test.go
##
## to see the failure, test that package individually setting "checkptr=1"

case "$(go version)" in
    *1.13*) CHECKPTR=""  ;;
    *)      CHECKPTR="-gcflags=all=-d=checkptr=0" ;;
esac

for d in $(go list ./... | grep -v 'mock|bpf'); do
    go test ${CHECKPTR} -race -tags test -coverprofile=profile.out -covermode=atomic $d
    if [ -f profile.out ]; then
        cat profile.out >> coverage.txt
        rm profile.out
    fi
done


================================================
FILE: .test.windows.sh
================================================
#!/usr/bin/env bash

# use wine to execute if not running tests on a Windows machine
OS=`uname -s`
if [[ $OS == *"NT-"* ]]; then
	WINE_EXEC=
else
	WINE_EXEC="-exec wine"
fi

set -e
echo "" > coverage.windows.txt

for d in $(CGO_ENABLED=0 go list ./... | grep -v remoteenforcer | grep -v remoteapi | grep -v "plugins/pam"); do
    CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go test -tags test $WINE_EXEC -coverprofile=profile.windows.out -covermode=atomic $d
    if [ -f profile.windows.out ]; then
        cat profile.windows.out >> coverage.windows.txt
        rm profile.windows.out
    fi
done


================================================
FILE: .travis.yml
================================================
language: go
sudo: required
dist: bionic

go_import_path: go.aporeto.io/trireme-lib

matrix:
  include:
    - go: "1.13.x"
    - go: "1.14.x"
    - go: master
  allow_failures:
    - go: master
  fast_finish: true

addons:
  apt:
    packages:
      - libnetfilter-queue-dev
      - libnetfilter-log-dev
      - iptables
      - ipset
      - wine-stable

env:
  global:
    - TOOLS_CMD=golang.org/x/tools/cmd
    - PATH=$GOROOT/bin:$PATH
    - SUDO_PERMITTED=1

before_install:
  - GO111MODULE=on go get github.com/golangci/golangci-lint/cmd/golangci-lint@v1.21.0
  - GO111MODULE=off go get github.com/golang/dep/cmd/dep
  - sudo apt-get -y install wine32

install:
  - dep ensure
  - ./fix_bpf
  - dep status || true

script:
  - GO111MODULE=off ./.test.sh
  - golangci-lint run --deadline=10m --disable-all --exclude-use-default=false --enable=errcheck --enable=goimports --enable=ineffassign --enable=govet --enable=golint --enable=unused --enable=structcheck --enable=varcheck --enable=deadcode --enable=unconvert --enable=goconst --enable=gosimple --enable=misspell --enable=staticcheck --enable=unparam --enable=prealloc --enable=nakedret --enable=gofmt --enable=typecheck --skip-dirs=vendor/github.com/iovisor ./...
  - GO111MODULE=off ./.lint.windows.sh
  - GO111MODULE=off ./.test.windows.sh


================================================
FILE: CONTRIBUTING.md
================================================
Contributing
------------

As an open source project, your contributions are important to the future of Trireme. Whether you're looking to write code, add new documentation, or just report a bug, you'll be helping everyone who uses Trireme in the future.

### Reporting Bugs

Filing issues is a simple but very important part of contributing to Trireme. It provides a metric for measuring progress and allows the community to know what is being worked on. "Issues" in the context of the project refer to everything from broken aspects of the framework, to regressions and unimplemented features. Trireme uses [GitHub Issues](https://github.com/aporeto-inc/trireme-lib/issues) for tracking issues!

When opening an issue or a pull request, labels will be applied to it. You can check the Issue and Pull Request Lifecycle [here](https://github.com/aporeto-inc/trireme-lib/wiki/Issue-and-Pull-Request-Lifecycle).

### Contributing to the project

There are always bugs to be fixed and features to be implemented, some large, some small. Fixing even the smallest bug is enormously helpful! If you have something in mind, don't hesitate to create a pull request [here](https://github.com/aporeto-inc/trireme-lib/pulls)!

When contributing to a project you must propose a pull request for each modifications you do.
To do a PR, please follow this instructions :

```bash
git checkout master #make sure your base is the master
git checkout -b nameOfYourNewBranch #create a new branch and start to work locally on this branch

... #do your change

./.test.sh

git add yourFile* #add the files to the commit
git commit #create a beautiful messages for the commit, please follow the guideline below
git push origin nameOfYourNewBranch #push the branch on the remote origin
```

Then we advise to create your PR from the github website, make sure to read your changes again.
More documentation here : https://git-scm.com/documentation

Pull requests will not be accepted if the tests are not passing and if the coverage of the tests has dicreased.

### Coding Guidelines

Go Coding Style Guidelines
You must follow the golint, gofmt guide style when coding in Go. You must also know by heart Effective Go.
Install the linter on your system and add it to your pre-commit hook.

### Do's and don'ts

DO
* Be consistent.
* Use symmetry. If you provide a way to do something, provide a way to undo it.
* All public methods and functions must be commented.
* A comment has a space between // and the first letter.
* A comment starts with a capitalized letter and ends with a final dot.
* Be careful with the commenting. This could be released to GoDoc at anytime.
* An interface or a struct Thing comment should be in the form of "// A Thing is a thing", not "// Thing is a thing"
* Code must go straight to the point. Do not over engineer by thinking "maybe one day". If that day comes, update your code.
* Use short explicit name for variables. "objectThatMayBeCreatedIfEverythingIsFine" is overkill. "obj" is enough. Use best judgement.
* A function must do what its name says. "catchPokemon(pokeball) bool" should not get an int as parameters, and do an addition.
* Organize your packages consistently.
* Skip a line between the function declaration and the first line of code.
* A constructor must use the "return &Struct{a: 1}" pattern, not "newthing:= &Struct{}; thing.a = 1; return a".
* Always provide a way to understand what went wrong or what went well in a function/method. A log is useless.
* A function or method that starts by "Is" or "Are" must return a boolean.
* Order of appearance of methods should be consistent:
* Imports
* Constants (if any)
* Variables (if any)
* Helper functions (if any)
* Main structure
* Constructor (if any)
* Implemented interface methods (if any)
* Public methods (if any)
* Private methods (if any)

DON'T

* Do not write more than a main structure per file.
* Do not ignore returned errors. Never. Handle them, or pass them back. You can use github.com/kisielk/errcheck to help you find them.
* Do not over log. Go philosophy is "no news, good news". Carefully minimize all logs above the "debug" level.
* Do not put logs in a helper functions. Return an error and let the main program decide what to do.
* Don't use new().
* Do not pass entire structure down, because at some point you need one value. Just pass the value. (see "maybe one day" point)
* Do not export methods if they are not used outside of the package (see "maybe one day" point)
* Do not let an unused function in the code, delete it. Use Go Oracle to find the referrers if needed. (if we need it later, git is our friend)
* Do not let Todos hanging in the code forever. Fix them asap.
* Do not overuse wrappers. If a library provides a structure that matches what you need, use it  (see "maybe one day" point).
* Do not store duplicate information: a.Name = b.Name, a.B = b. a.B.Name is enough
* Don't use strings. Strings are bad for anything else than giving information to a human. Use a constant or a structure.
* Do not copy and paste business logic code. If you need the same code twice, write a function.
* Do not use map[string]map[string]chan map[string]bool, create a Type.
* Do not pass information through maps. Maps content cannot be controlled by the compiler (see "don't use string" point)
* Do not overused go routines. Remember that if someone wants to thread something, he can use "go" himself. Leave the guy a choice.
* Do not let old naming. If a structure doesn't do what it did in the beginning, rename it. gorename is our friend here.
* Do not paste StackOverflow code without understanding exactly what it does. You should also add a backlink.

### Commit Messages

The style and format of your commit messages are very important to the health of the project. A good commit message helps not only users reading the release notes, but also your fellow developers as they review git log or git blame to figure out what you were doing.

Commit messages should be in the following format:

```
#comments
<type>: <summary>
<body>
<footer>
<transition-state >
```

### Types

* Allowed type values are:
* New — A new feature has been implemented
* Fixed — A bug has been fixed
* Docs — Documentation has been added or tweaked
* Formatting — Code has been reformatted to conform to style guidelines
* Test — Test cases have been added
* Task — A build task has been added or updated

### Message summary

The summary is one of the most important parts of the commit message, because that is what we see when scanning through a list of commits, and it is also what we use to generate change logs.
The summary should be a concise description of the commit, preferably 72 characters or less (so we can see the entire description in github), beginning with a lowercase letter and with a terminating period. It should describe only the core issue addressed by the commit. If you find that the summary needs to be very long, your commit is probably too big! Smaller commits are better.

For a New commit, the summary should answer the question, “What is new and where?” For a Fixed commit, the summary should answer the question, “What was fixed?”, for example “Wrong Python version in Kafka Dockerfile”. It should not answer the question, “What was done to fix it?” That belongs in the body.

Do not simply reference another issue or pull request by number in the summary. First of all, we want to know what was actually changed and why, which may not be fully explained in the referenced issue. Second, github will not create a link to the referenced issue in the commit summary.

### Message body

The details of the commit go in the body. Specifically, the body should include the motivation for the change for New, Fixed and Task types. For Fixed commits, you should also contrast behavior before the commit with behavior after the commit.
If the summary can completely express everything, there is no need for a message body.

### Message footer

If the commit closes an issue by fixing the bug, implementing a feature, or rendering it obsolete, or if it references an issue without closing it, that should be indicated in the message footer.
Issues closed by a commit should be listed on a separate line in the footer with an appropriate prefix:
"Fixes" for Fixed commit types
"Closes" for all other commit types
For example:

```
Fixes #1234
```

or in the case of multiple issues, like this:

```
Fixes 1234, 2345
```

Issues that a commit references without closing them should be listed on a separate line in the footer with the prefix "Refs", like this:

```
Refs #1234
```

or in the case of multiple issues, like this:

```
Refs #1234, #2345
```

If a commit changes the API or behavior in such a way that existing code may break, a description of the change, what might break, and how existing code should be modified must be noted in the footer like this:

```
BREAKING CHANGE:
Dockerfile of Kafka has been changed, you must generate a new image of Kafka.
```

### Examples

```
Fixed: Wrong Python version in Kafka Dockerfile

Previously, the Kafka's Dockerfile installed the version 3.0 of Python. This version of Python
did not work with the lib configobj.

We now make sure to install the version 2.7 of Python by specifying the version when installing
Python.

Fixes 1234
```


================================================
FILE: Gopkg.toml
================================================
required = ["github.com/docker/distribution"]

[[constraint]]
  branch = "master"
  name = "github.com/aporeto-inc/go-ipset"

[[constraint]]
  name = "github.com/docker/docker"
  version = "v17.05.0-ce-rc3"

[[constraint]]
  name = "github.com/docker/distribution"
  revision = "b38e5838b7b2f2ad48e06ec4b500011976080621"

[[override]]
  name = "github.com/ti-mo/netfilter"
  version = "=0.3.0"

# as per github.com/ti-mo/netfilter go.mod file
[[constraint]]
  name = "github.com/mdlayher/netlink"
  revision = "a1644773bc99cfd147417f646434a663b5892505"
#
# The most significant dependency for the Kubernetes monitor: the controller-runtime
# NOTE: change with care and always adjust the Kubernetes dependencies below
#
[[override]]
  name = "sigs.k8s.io/controller-runtime"
  version = "v0.1.10"

#
# Kubernetes dependencies
# NOTE: always match exactly to what controller-runtime uses
#
[[constraint]]
  name = "k8s.io/api"
  version = "kubernetes-1.13.1"

[[override]]
  name = "k8s.io/apiextensions-apiserver"
  version = "kubernetes-1.13.1"

[[override]]
  name = "k8s.io/apimachinery"
  version = "kubernetes-1.13.1"

[[override]]
  name = "k8s.io/apiserver"
  version = "kubernetes-1.13.1"

[[constraint]]
  name = "k8s.io/client-go"
  version = "kubernetes-1.13.1"

[[override]]
  name = "k8s.io/code-generator"
  version = "kubernetes-1.13.1"

[[override]]
  name = "k8s.io/gengo"
  branch = "master"

[[constraint]]
  name = "github.com/envoyproxy/go-control-plane"
  version = "v0.9.0"

[[constraint]]
  name = "github.com/aporeto-inc/oxy"
  branch = "sirupsen"

[[constraint]]
  name = "go.aporeto.io/netlink-go"
  branch = "master"

[[constraint]]
  name = "go.aporeto.io/tg"
  branch = "master"

[[constraint]]
  name = "github.com/hashicorp/go-version"
  version = "v1.0.0"

[prune]
  go-tests = true
  unused-packages = true


================================================
FILE: LICENSE
================================================
                                 Apache License
                           Version 2.0, January 2004
                        http://www.apache.org/licenses/

   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

   1. Definitions.

      "License" shall mean the terms and conditions for use, reproduction,
      and distribution as defined by Sections 1 through 9 of this document.

      "Licensor" shall mean the copyright owner or entity authorized by
      the copyright owner that is granting the License.

      "Legal Entity" shall mean the union of the acting entity and all
      other entities that control, are controlled by, or are under common
      control with that entity. For the purposes of this definition,
      "control" means (i) the power, direct or indirect, to cause the
      direction or management of such entity, whether by contract or
      otherwise, or (ii) ownership of fifty percent (50%) or more of the
      outstanding shares, or (iii) beneficial ownership of such entity.

      "You" (or "Your") shall mean an individual or Legal Entity
      exercising permissions granted by this License.

      "Source" form shall mean the preferred form for making modifications,
      including but not limited to software source code, documentation
      source, and configuration files.

      "Object" form shall mean any form resulting from mechanical
      transformation or translation of a Source form, including but
      not limited to compiled object code, generated documentation,
      and conversions to other media types.

      "Work" shall mean the work of authorship, whether in Source or
      Object form, made available under the License, as indicated by a
      copyright notice that is included in or attached to the work
      (an example is provided in the Appendix below).

      "Derivative Works" shall mean any work, whether in Source or Object
      form, that is based on (or derived from) the Work and for which the
      editorial revisions, annotations, elaborations, or other modifications
      represent, as a whole, an original work of authorship. For the purposes
      of this License, Derivative Works shall not include works that remain
      separable from, or merely link (or bind by name) to the interfaces of,
      the Work and Derivative Works thereof.

      "Contribution" shall mean any work of authorship, including
      the original version of the Work and any modifications or additions
      to that Work or Derivative Works thereof, that is intentionally
      submitted to Licensor for inclusion in the Work by the copyright owner
      or by an individual or Legal Entity authorized to submit on behalf of
      the copyright owner. For the purposes of this definition, "submitted"
      means any form of electronic, verbal, or written communication sent
      to the Licensor or its representatives, including but not limited to
      communication on electronic mailing lists, source code control systems,
      and issue tracking systems that are managed by, or on behalf of, the
      Licensor for the purpose of discussing and improving the Work, but
      excluding communication that is conspicuously marked or otherwise
      designated in writing by the copyright owner as "Not a Contribution."

      "Contributor" shall mean Licensor and any individual or Legal Entity
      on behalf of whom a Contribution has been received by Licensor and
      subsequently incorporated within the Work.

   2. Grant of Copyright License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      copyright license to reproduce, prepare Derivative Works of,
      publicly display, publicly perform, sublicense, and distribute the
      Work and such Derivative Works in Source or Object form.

   3. Grant of Patent License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      (except as stated in this section) patent license to make, have made,
      use, offer to sell, sell, import, and otherwise transfer the Work,
      where such license applies only to those patent claims licensable
      by such Contributor that are necessarily infringed by their
      Contribution(s) alone or by combination of their Contribution(s)
      with the Work to which such Contribution(s) was submitted. If You
      institute patent litigation against any entity (including a
      cross-claim or counterclaim in a lawsuit) alleging that the Work
      or a Contribution incorporated within the Work constitutes direct
      or contributory patent infringement, then any patent licenses
      granted to You under this License for that Work shall terminate
      as of the date such litigation is filed.

   4. Redistribution. You may reproduce and distribute copies of the
      Work or Derivative Works thereof in any medium, with or without
      modifications, and in Source or Object form, provided that You
      meet the following conditions:

      (a) You must give any other recipients of the Work or
          Derivative Works a copy of this License; and

      (b) You must cause any modified files to carry prominent notices
          stating that You changed the files; and

      (c) You must retain, in the Source form of any Derivative Works
          that You distribute, all copyright, patent, trademark, and
          attribution notices from the Source form of the Work,
          excluding those notices that do not pertain to any part of
          the Derivative Works; and

      (d) If the Work includes a "NOTICE" text file as part of its
          distribution, then any Derivative Works that You distribute must
          include a readable copy of the attribution notices contained
          within such NOTICE file, excluding those notices that do not
          pertain to any part of the Derivative Works, in at least one
          of the following places: within a NOTICE text file distributed
          as part of the Derivative Works; within the Source form or
          documentation, if provided along with the Derivative Works; or,
          within a display generated by the Derivative Works, if and
          wherever such third-party notices normally appear. The contents
          of the NOTICE file are for informational purposes only and
          do not modify the License. You may add Your own attribution
          notices within Derivative Works that You distribute, alongside
          or as an addendum to the NOTICE text from the Work, provided
          that such additional attribution notices cannot be construed
          as modifying the License.

      You may add Your own copyright statement to Your modifications and
      may provide additional or different license terms and conditions
      for use, reproduction, or distribution of Your modifications, or
      for any such Derivative Works as a whole, provided Your use,
      reproduction, and distribution of the Work otherwise complies with
      the conditions stated in this License.

   5. Submission of Contributions. Unless You explicitly state otherwise,
      any Contribution intentionally submitted for inclusion in the Work
      by You to the Licensor shall be under the terms and conditions of
      this License, without any additional terms or conditions.
      Notwithstanding the above, nothing herein shall supersede or modify
      the terms of any separate license agreement you may have executed
      with Licensor regarding such Contributions.

   6. Trademarks. This License does not grant permission to use the trade
      names, trademarks, service marks, or product names of the Licensor,
      except as required for reasonable and customary use in describing the
      origin of the Work and reproducing the content of the NOTICE file.

   7. Disclaimer of Warranty. Unless required by applicable law or
      agreed to in writing, Licensor provides the Work (and each
      Contributor provides its Contributions) on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
      implied, including, without limitation, any warranties or conditions
      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
      PARTICULAR PURPOSE. You are solely responsible for determining the
      appropriateness of using or redistributing the Work and assume any
      risks associated with Your exercise of permissions under this License.

   8. Limitation of Liability. In no event and under no legal theory,
      whether in tort (including negligence), contract, or otherwise,
      unless required by applicable law (such as deliberate and grossly
      negligent acts) or agreed to in writing, shall any Contributor be
      liable to You for damages, including any direct, indirect, special,
      incidental, or consequential damages of any character arising as a
      result of this License or out of the use or inability to use the
      Work (including but not limited to damages for loss of goodwill,
      work stoppage, computer failure or malfunction, or any and all
      other commercial damages or losses), even if such Contributor
      has been advised of the possibility of such damages.

   9. Accepting Warranty or Additional Liability. While redistributing
      the Work or Derivative Works thereof, You may choose to offer,
      and charge a fee for, acceptance of support, warranty, indemnity,
      or other liability obligations and/or rights consistent with this
      License. However, in accepting such obligations, You may act only
      on Your own behalf and on Your sole responsibility, not on behalf
      of any other Contributor, and only if You agree to indemnify,
      defend, and hold each Contributor harmless for any liability
      incurred by, or claims asserted against, such Contributor by reason
      of your accepting any such warranty or additional liability.

   END OF TERMS AND CONDITIONS

   APPENDIX: How to apply the Apache License to your work.

      To apply the Apache License to your work, attach the following
      boilerplate notice, with the fields enclosed by brackets "[]"
      replaced with your own identifying information. (Don't include
      the brackets!)  The text should be enclosed in the appropriate
      comment syntax for the file format. We also recommend that a
      file or class name and description of purpose be included on the
      same "printed page" as the copyright notice for easier
      identification within third-party archives.

   Copyright [yyyy] [name of copyright owner]

   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at

       http://www.apache.org/licenses/LICENSE-2.0

   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.


================================================
FILE: Makefile
================================================

## all: default is to show the help text
.PHONY: all help
all: help

ci: test lint

## vet: run go vet on the source
vet:
	go vet ./...

## test: test with race checks
test:
	@ scripts/test.sh

## lint: run the linter
lint:
	@ scripts/lint.sh

#
# help uses all the ## marks for help text
#
.PHONY: help
## help: prints this help message
help:
	@ echo "Usage: "
	@ echo
	@ echo "Run 'make <target>' where <target> is one of:"
	@ echo
	@ sed -n 's/^##//p' ${MAKEFILE_LIST} | column -t -s ':' |  sed -e 's/^/ /' | sort


================================================
FILE: NOTICE
================================================

Trirem Project -  

Copyright (c) 2016 Aporeto, Inc. All Rights Reserved

This product includes software developed at Aporeto Inc. 


================================================
FILE: README.md
================================================
# Trireme

<img src="docs/trireme.png" width="400">

[![Build Status](https://travis-ci.org/aporeto-inc/trireme-lib.svg?branch=go-mod)](https://travis-ci.org/aporeto-inc/trireme-lib) [![codecov](https://codecov.io/gh/aporeto-inc/trireme-lib/branch/go-mod/graph/badge.svg)](https://codecov.io/gh/aporeto-inc/trireme-lib) [![Twitter URL](https://img.shields.io/badge/twitter-follow-blue.svg)](https://twitter.com/aporeto_trireme) [![Slack URL](https://img.shields.io/badge/slack-join-green.svg)](https://triremehq.slack.com/messages/general/) [![License](https://img.shields.io/badge/license-GPL--2.0-blue.svg)](https://www.gnu.org/licenses/gpl-2.0.html) [![Documentation](https://img.shields.io/badge/docs-godoc-blue.svg)](https://godoc.org/go.aporeto.io/trireme-lib) [![Go Report Card](https://goreportcard.com/badge/go.aporeto.io/trireme-lib)](https://goreportcard.com/report/go.aporeto.io/trireme-lib)


Welcome to Trireme, an open-source library curated by Aporeto to provide cryptographic isolation for cloud-native applications. Trireme-lib is a Zero-Trust networking
library that makes it possible to setup security policies and segment applications by enforcing end-to-end authentication and authorization without the need
for complex control planes or IP/port-centric ACLs and east-west firewalls.

Trireme-lib supports both containers and Linux processes as well user-based activation, and it allows security policy enforcement between any of these entities.

# TL;DR

Trireme-lib is a library. The following projects use it:

* [Trireme as a set of simple examples to get started](https://github.com/aporeto-inc/trireme-example)
* [Trireme implementing NetworkPolicies on Kubernetes](https://github.com/aporeto-inc/trireme-kubernetes/tree/master/deployment)

# Description

In the Trireme world, a processing unit (PU) end-point can be a container, Kubernetes POD, or a general Linux process. It can also be a user session
to a particular server. We will be referring to processing units as PUs throughout this discussion.

The technology behind Trireme is streamlined, elegant, and simple. It is based on the concepts of Zero-Trust networking:

1. The identity is the set of attributes and metadata that describes the container as key/value pairs. Trireme provides an extensible interface for defining these identities. Users can choose customized methods appropriate to their environment for establishing PU identity. For example, in a Kubernetes environment, the identity can be the set of labels identifying a POD.
2. There is an authorization policy that defines when PUs with different types of identity attributes can interact or exchange traffic. The authorization policy implements an Attribute-Based Access Control (ABAC) mechanism (https://en.wikipedia.org/wiki/Attribute-Based_Access_Control), where the policy describes relationships between identity attributes.
3. Every communication between two PUs is controlled through a cryptographic end-to-end authentication and authorization step, by overlaying an authorization function over the TCP negotiation. The authorization steps are performed during the `SYN`/`SYNACK`/`ACK` negotiation.

The result of this approach is the decoupling of network security from the underlying network infrastructure because this approach is centered on workload identity attributes and interactions between workloads. Network security can be achieved simply by managing application identity and authorization policy. Segmentation granularity can be adjusted based on the needs of the platform.

Trireme is a node-centric library. Each node participating in the Trireme cluster must spawn one instance of a process that uses this library to transparently insert the authentication and authorization step. Trireme provides the data path functions but does not implement either the identity management or the policy resolution function. Function implementation depends on the particular operational environment. Users have to provide PolicyLogic (ABAC “rules”) to Trireme for well-defined PUs, such as containers.

# Existing implementation using Trireme library

* [This example](https://github.com/aporeto-inc/trireme-example) is a straightforward implementation of the PolicyLogic for a simple use-case.

* [Kubernetes-Integration](https://github.com/aporeto-inc/kubernetes-integration) is a full implementation of PolicyLogic that follows the Kubernetes Network Policies model.

* [Bare-Metal-Integration](https://github.com/aporeto-inc/trireme-bare-metal) is an implementation of Trireme for Kubernetes on-prem, with a Cumulus agent that allows you to have a very simple networking model (routes are advertised by Cumulus) together with Trireme for policy enforcement.

# Security Model

Trireme is a Zero-Trust networking library. The security model behind Zero-trust networking is:
* The Network is always untrusted. It doesn't matter if you are inside or outside your enterprise.
* Every Flow/Connection needs to be authenticated and authorized by the endpoints.
* The network information (IP/Port) is completely irrelevant to the authorization/authentication.

With Trireme, there is no need to define any security rules with IPs, port numbers, or ACLs. Everything is based on identity attributes; your IP and port allocation scheme is not relevant to Trireme and it is compatible with most underlying networking technologies. The end-to-end authentication and authorization approach is also compatible with NATs and IPv4/IPv6 translations.


A PU is a logical unit of control to which you attach identity and authorization policies. It provides a simple mechanism where the identity is derived out of the Docker manifest; however, other mechanisms are possible for more sophisticated identity definition. For instance, you may want to tag your 3-tier container application as "frontend," "backend," and "database." By associating corresponding labels and containers, these labels become "the identity." A policy for the “backend” containers can simply accept traffic only from “frontend” containers. Alternatively, an orchestration system might define a composite identity for each container and implement more sophisticated policies.


PolicyLogic defines the set of authorization rules as a function of the identity of attributes and loads these rules into Trireme when a container is instantiated. Authorization rules describe the set of identities with which a particular container is allowed to interact. We provide an example of this integration logic with Kubernetes [here](https://github.com/aporeto-inc/kubernetes-integration). Furthermore, we provide an example of a simple policy where two containers can only talk to each other if they have matching labels in [this example](https://github.com/aporeto-inc/trireme-lib/tree/master/example). Each rule defines a match based on the identity attributes. PolicyLogic assumes a whitelist model where everything is dropped unless explicitly allowed by the authorization policy.


PU identities are cryptographically signed with a node-specific secret and sent as part of a TCP connection setup negotiation. Trireme supports both mutual and receiver-only authorization. Moreover, it supports two authentication and signing modes: (1) A pre-shared key and (2) a PKI mechanism based on ECDSA. In the case of ECDSA, public keys are either transmitted on the wire or pre-populated through an out-of-band mechanism to improve efficiency. Trireme also supports two identity encoding mechanisms: (1) A signed JSON Web Token (JWT) and (2) a custom binary mapping mechanism.

With these mechanisms, the Trireme run-time on each node will only allow communication after an end-to-end authentication and authorization step is performed between the containers.

# Trireme Architecture

Trireme-lib is built as a set of modules (Go packages) that provide a default implementation for each component. It is simple to swap the default implementation of each of those modules with custom-built ones for more complex and specific features.

Conceptually, Trireme acts on PU events. In the default implementation, the PU is a Docker container. Trireme can be easily extended to other PUs such as processes, files, sockets, and so forth.
Trireme consists of two main packages:

* The `Monitor` listens to a well-defined PU creation module. The built-in monitor listens to Docker events and generates a standard Trireme PU runtime representation. Additional monitors provided can listen to events on creation of Linux processes or user sessions from the Linux PAM module. The `Monitor` hands over the PU runtime to an external `Resolver`.
  * The `Resolver` is implemented outside of Trireme and is not part of the library. The `Resolver` depends on the orchestration system used for managing identity and policy. If you plan to implement your own policy with Trireme, you will essentially need to implement a `Resolver`.
* The `Controller` receives instructions from the `Resolver` and enforces the policy by analyzing the redirected packets and enforcing the identity and policy rules.

# Defining Your Own Policy

Trireme allows you to define any type of identity attribute or policy to associate with the PUs.
In order to define your own policies and identities, you need to implement a `Resolver` interface that will receive policy requests from Trireme whenever a policy resolution is required.

# Resolver Implementation

```go
// A Resolver must be implemented by a policy engine that receives monitor events.
type Resolver interface {

	// HandlePUEvent is called by all monitors when a PU event is generated. The implementer
	// is responsible to update all components by explicitly adding a new PU.
	HandlePUEvent(ctx context.Context, puID string, event common.Event, runtime RuntimeReader) error
}
```

Each container event generates a call to `HandlePUEvent`

The `Resolver` can then issue explicit calls to the `Controller` in order to implement the policy decision. The `Controller` interface is consumed by the `Resolver` and it is described below:

```go
// TriremeController is the main API of the Trireme controller
type TriremeController interface {
	// Run initializes and runs the controller.
	Run(ctx context.Context) error

	// CleanUp cleans all the supervisors and ACLs for a clean exit
	CleanUp() error

	// Enforce asks the controller to enforce policy on a processing unit
	Enforce(ctx context.Context, puID string, policy *policy.PUPolicy, runtime *policy.PURuntime) (err error)

	// UnEnforce asks the controller to un-enforce policy on a processing unit
	UnEnforce(ctx context.Context, puID string, policy *policy.PUPolicy, runtime *policy.PURuntime) (err error)

	// UpdatePolicy updates the policy of the isolator for a container.
	UpdatePolicy(ctx context.Context, puID string, policy *policy.PUPolicy, runtime *policy.PURuntime) error

	// UpdateSecrets updates the secrets of running enforcers managed by trireme. Remote enforcers will get the secret updates with the next policy push
	UpdateSecrets(secrets secrets.Secrets) error

	// UpdateConfiguration updates the configuration of the controller. Only specific configuration
	// parameters can be updated during run time.
	UpdateConfiguration(networks []string) error
}
```

# Prerequisites

* Trireme-lib requires IPTables with access to the `Mangle` module.
* Trireme-lib requires access to the Docker event API socket (`/var/run/docker.sock` by default).
* Trireme-lib requires privileged access.
* Trireme-lib requires to run in the Host PID namespace.

[![Analytics](https://ga-beacon.appspot.com/UA-90317101-1/welcome-page)](https://github.com/igrigorik/ga-beacon)


================================================
FILE: buildflags/buildflags.go
================================================
// +build !rhel6

package buildflags

// Distro constants
const (
	Rhel6 = ""
	Rhel5 = ""
)

// IsRHEL6 returns true if the build flag was set for rhel6
func IsRHEL6() bool {
	return false
}

// IsRHEL5 returns true if the build flag was set for rhel5
func IsRHEL5() bool {
	return false
}

// IsLegacyKernel returns true if the build flag was set for rhel5/rhel6
func IsLegacyKernel() bool {
	return false
}


================================================
FILE: buildflags/buildflags_rhel.go
================================================
// +build rhel6

package buildflags

// Distro constants
const (
	Rhel6 = "rhel6"
	Rhel5 = "rhel5"
)

// IsRHEL6 returns true if the build flag was set for rhel6
func IsRHEL6() bool {
	return true
}

// IsRHEL5 returns true if the build flag was set for rhel5
func IsRHEL5() bool {
	return false
}

// IsLegacyKernel returns true if the build flag was set for rhel5/rhel6
func IsLegacyKernel() bool {
	return true
}


================================================
FILE: cmd/systemdutil/exec.go
================================================
// +build !windows

package systemdutil

import (
	"syscall"

	"go.aporeto.io/enforcerd/trireme-lib/common"
)

func execve(c *CLIRequest, env []string) error {
	return syscall.Exec(c.Executable, append([]string{c.Executable}, c.Parameters...), env)
}

func getPUType() common.PUType {
	return common.LinuxProcessPU
}


================================================
FILE: cmd/systemdutil/exec_windows.go
================================================
package systemdutil

import (
	"os"
	"os/exec"

	"go.aporeto.io/enforcerd/trireme-lib/common"
)

// execve does not exist in Windows, so we do the best we can.
func execve(c *CLIRequest, env []string) error {
	cmd := exec.Command(c.Executable, c.Parameters...)
	cmd.Env = env
	cmd.Stdin = os.Stdin
	cmd.Stdout = os.Stdout
	cmd.Stderr = os.Stderr
	return cmd.Run()
}

func getPUType() common.PUType {
	return common.WindowsProcessPU
}


================================================
FILE: cmd/systemdutil/systemdutil.go
================================================
package systemdutil

import (
	"encoding/hex"
	"errors"
	"fmt"
	"os"
	"os/exec"
	"path"
	"regexp"
	"strings"

	"go.aporeto.io/enforcerd/trireme-lib/common"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packet"
	"go.aporeto.io/enforcerd/trireme-lib/monitor/extractors"
	"go.aporeto.io/enforcerd/trireme-lib/monitor/remoteapi/client"
	"go.aporeto.io/enforcerd/trireme-lib/utils/portspec"
)

// ExecuteCommandFromArguments processes the command from the arguments
func ExecuteCommandFromArguments(arguments map[string]interface{}) error {

	p := NewRequestProcessor()

	c, err := p.ParseCommand(arguments)
	if err != nil {
		return err
	}

	return p.ExecuteRequest(c)
}

// RequestType is the type of the request
type RequestType int

const (
	// CreateRequest requests a create event
	CreateRequest RequestType = iota
	// DeleteCgroupRequest requests deletion based on the cgroup - issued by the kernel
	DeleteCgroupRequest
	// DeleteServiceRequest requests deletion by the service ID
	DeleteServiceRequest
)

// CLIRequest captures all CLI parameters
type CLIRequest struct {
	// Request is the type of the request
	Request RequestType
	// Cgroup is only provided for delete cgroup requests
	Cgroup string
	// Executable is the path to the executable
	Executable string
	// Parameters are the parameters of the executable
	Parameters []string
	// Labels are the user labels attached to the request
	Labels []string
	// ServiceName is a user defined service name
	ServiceName string
	// Services are the user defined services (protocol, port)
	Services []common.Service
	// HostPolicy indicates that this is a host policy
	HostPolicy bool
	// NetworkOnly indicates that the request is only for traffic coming from the network
	NetworkOnly bool
	// AutoPort indicates that auto port feature is enabled for the PU
	AutoPort bool
}

// RequestProcessor is an instance of the processor
type RequestProcessor struct {
	address string
}

// NewRequestProcessor creates a default request processor
func NewRequestProcessor() *RequestProcessor {
	return &RequestProcessor{
		address: common.TriremeSocket,
	}
}

// NewCustomRequestProcessor creates a new request processor
func NewCustomRequestProcessor(address string) *RequestProcessor {
	r := NewRequestProcessor()

	if address != "" {
		r.address = address
	}

	return r
}

// Generic command line arguments
// Assumes a command like that:
// usage = `Trireme Client Command
//
// Usage: enforcerd -h | --help
// 		 trireme -v | --version
// 		 trireme run
// 			[--service-name=<sname>]
// 			[[--ports=<ports>]...]
// 			[[--label=<keyvalue>]...]
// 			[--networkonly]
// 			[--hostpolicy]
//          [--uidpolicy]
// 			[<command> [--] [<params>...]]
// 		 trireme rm
//          [--service-name=<sname>]
// 			[--hostpolicy]
//          [--uidpolicy]
// 		 trireme <cgroup>
//
// Run Client Options:
// 	--service-name=<sname>              Service name for the executed command [default ].
// 	--ports=<ports>                     Ports that the executed service is listening to [default ].
// 	--label=<keyvalue>                  Label (key/value pair) attached to the service [default ].
// 	--networkonly                       Control traffic from the network only and not from applications [default false].
// 	--hostpolicy                        Default control of the base namespace [default false].
// 	--uidpolicy                         Default control of the base namespace [default false].
//
// `

// ParseCommand parses a command based on the above specification
// This is a helper function for CLIs like in Trireme Example.
// Proper use is through the CLIRequest structure
func (r *RequestProcessor) ParseCommand(arguments map[string]interface{}) (*CLIRequest, error) {

	c := &CLIRequest{}

	// First parse a command that only provides the cgroup
	// The kernel will only send us a command with one argument
	if value, ok := arguments["<cgroup>"]; ok && value != nil {
		c.Cgroup = value.(string)
		c.Request = DeleteCgroupRequest
		return c, nil
	}

	if value, ok := arguments["--service-name"]; ok && value != nil {
		c.ServiceName = value.(string)
	}

	if value, ok := arguments["--hostpolicy"]; ok && value != nil {
		c.HostPolicy = value.(bool)
	}

	// If the command is remove use hostpolicy and service-id
	if arguments["rm"].(bool) {
		c.Request = DeleteServiceRequest
		return c, nil
	}

	// Process the rest of the arguments of the run command
	if value, ok := arguments["run"]; !ok || value == nil {
		return nil, errors.New("invalid command")
	}

	// This is a create request - proceed
	c.Request = CreateRequest

	if value, ok := arguments["<command>"]; ok && value != nil {
		c.Executable = value.(string)
	}

	if value, ok := arguments["--label"]; ok && value != nil {
		c.Labels = value.([]string)
	}

	if value, ok := arguments["<params>"]; ok && value != nil {
		c.Parameters = value.([]string)
	}

	if value, ok := arguments["--ports"]; ok && value != nil {
		services, err := ParseServices(value.([]string))
		if err != nil {
			return nil, err
		}
		c.Services = services
	}

	if value, ok := arguments["--autoport"]; ok && value != nil {
		c.AutoPort = value.(bool)
	}

	if value, ok := arguments["--networkonly"]; ok && value != nil {
		c.NetworkOnly = value.(bool)
	}

	return c, nil
}

// CreateAndRun creates a processing unit
func (r *RequestProcessor) CreateAndRun(c *CLIRequest) error {
	var err error

	// If its not hostPolicy and the command doesn't exist we return an error
	if !c.HostPolicy {
		if c.Executable == "" {
			return errors.New("command must be provided")
		}
		if !path.IsAbs(c.Executable) {
			c.Executable, err = exec.LookPath(c.Executable)
			if err != nil {
				return err
			}
		}
		if c.ServiceName == "" {
			c.ServiceName = c.Executable
		}
	}

	puType := getPUType()
	if c.NetworkOnly {
		puType = common.HostNetworkPU
	} else if c.HostPolicy {
		puType = common.HostPU
	}

	exeTags := executableTags(c)
	c.Labels = append(c.Labels, exeTags...)

	// This is added since the release_notification comes in this format
	// Easier to massage it while creation rather than change at the receiving end depending on event
	request := &common.EventInfo{
		PUType:             puType,
		Name:               c.ServiceName,
		Executable:         c.Executable,
		Tags:               c.Labels,
		PID:                int32(os.Getpid()),
		EventType:          common.EventStart,
		Services:           c.Services,
		NetworkOnlyTraffic: c.NetworkOnly,
		HostService:        c.HostPolicy,
		AutoPort:           c.AutoPort,
	}

	if err := sendRequest(r.address, request); err != nil {
		return err
	}

	if c.HostPolicy {
		return nil
	}

	env := os.Environ()
	env = append(env, "APORETO_WRAP=1")
	return execve(c, env)
}

// DeleteService will issue a delete command
func (r *RequestProcessor) DeleteService(c *CLIRequest) error {

	request := &common.EventInfo{
		PUType:      getPUType(),
		PUID:        c.ServiceName,
		EventType:   common.EventStop,
		HostService: c.HostPolicy,
	}

	// Send Stop request
	if err := sendRequest(r.address, request); err != nil {
		return err
	}

	// Send destroy request
	request.EventType = common.EventDestroy

	return sendRequest(r.address, request)
}

// DeleteCgroup will issue a delete command based on the cgroup
// This is used mainly by the cleaner.
func (r *RequestProcessor) DeleteCgroup(c *CLIRequest) error {
	regexCgroup := regexp.MustCompile(`^/trireme/(ssh-)?[a-zA-Z0-9_\-:.$%]{1,64}$`)

	if !regexCgroup.Match([]byte(c.Cgroup)) {
		return fmt.Errorf("invalid cgroup: %s", c.Cgroup)
	}

	var eventPUID string
	var eventType common.PUType

	if strings.HasPrefix(c.Cgroup, common.TriremeCgroupPath) {
		eventType = getPUType()
		eventPUID = c.Cgroup[len(common.TriremeCgroupPath):]
	} else {
		// Not our Cgroup
		return nil
	}

	request := &common.EventInfo{
		PUType:    eventType,
		PUID:      eventPUID,
		EventType: common.EventStop,
	}

	// Send Stop request
	if err := sendRequest(r.address, request); err != nil {
		return err
	}

	// Send destroy request
	request.EventType = common.EventDestroy

	return sendRequest(r.address, request)
}

// ExecuteRequest executes the command with an RPC request
func (r *RequestProcessor) ExecuteRequest(c *CLIRequest) error {

	switch c.Request {
	case CreateRequest:
		return r.CreateAndRun(c)
	case DeleteCgroupRequest:
		return r.DeleteCgroup(c)
	case DeleteServiceRequest:
		return r.DeleteService(c)
	default:
		return fmt.Errorf("unknown request: %d", c.Request)
	}
}

// sendRequest sends an RPC request to the provided address
func sendRequest(address string, event *common.EventInfo) error {

	client, err := client.NewClient(address)
	if err != nil {
		return err
	}

	return client.SendRequest(event)
}

func executableTags(c *CLIRequest) []string {

	tags := []string{}

	if fileMd5, err := extractors.ComputeFileMd5(c.Executable); err == nil {
		tags = append(tags, fmt.Sprintf("@app:%s:filechecksum=%s", extractors.OSHostString, hex.EncodeToString(fileMd5)))
	}

	depends := extractors.Libs(c.ServiceName)
	for _, lib := range depends {
		tags = append(tags, fmt.Sprintf("@app:%s:lib:%s=true", extractors.OSHostString, lib))
	}

	return tags
}

// ParseServices parses strings with the services and returns them in an
// validated slice
func ParseServices(ports []string) ([]common.Service, error) {

	// If no ports are provided, we add the default 0 port
	if len(ports) == 0 {
		ports = append(ports, "0")
	}

	// Parse the ports and create the services. Cleanup any bad ports
	services := []common.Service{}
	protocol := packet.IPProtocolTCP

	for _, p := range ports {
		// check for port string of form port#/udp eg 8085/udp
		portProtocolPair := strings.Split(p, "/")
		if len(portProtocolPair) > 2 || len(portProtocolPair) <= 0 {
			return nil, fmt.Errorf("Invalid port format. Expected format is of form 80 or 8085/udp")
		}

		if len(portProtocolPair) == 2 {
			if portProtocolPair[1] == "tcp" {
				protocol = packet.IPProtocolTCP
			} else if portProtocolPair[1] == "udp" {
				protocol = packet.IPProtocolUDP
			} else {
				return nil, fmt.Errorf("Invalid protocol specified. Only tcp/udp accepted")
			}
		}

		s, err := portspec.NewPortSpecFromString(portProtocolPair[0], nil)
		if err != nil {
			return nil, fmt.Errorf("Invalid port spec: %s ", err)
		}

		services = append(services, common.Service{
			Protocol: uint8(protocol),
			Ports:    s,
		})
	}

	return services, nil
}


================================================
FILE: collector/default.go
================================================
package collector

import (
	"encoding/binary"

	"github.com/cespare/xxhash"
	"go.aporeto.io/underwater/core/policy/services"
)

// DefaultCollector implements a default collector infrastructure to syslog
type DefaultCollector struct{}

// NewDefaultCollector returns a default implementation of an EventCollector
func NewDefaultCollector() EventCollector {
	return &DefaultCollector{}
}

// CollectFlowEvent is part of the EventCollector interface.
func (d *DefaultCollector) CollectFlowEvent(record *FlowRecord) {}

// CollectContainerEvent is part of the EventCollector interface.
func (d *DefaultCollector) CollectContainerEvent(record *ContainerRecord) {}

// CollectUserEvent is part of the EventCollector interface.
func (d *DefaultCollector) CollectUserEvent(record *UserRecord) {}

// CollectTraceEvent collects iptables trace events
func (d *DefaultCollector) CollectTraceEvent(records []string) {}

// CollectPacketEvent collects packet events from the datapath
func (d *DefaultCollector) CollectPacketEvent(report *PacketReport) {}

// CollectCounterEvent collect counters from the datapath
func (d *DefaultCollector) CollectCounterEvent(report *CounterReport) {}

// CollectDNSRequests collect counters from the datapath
func (d *DefaultCollector) CollectDNSRequests(report *DNSRequestReport) {}

// CollectPingEvent collects ping events from the datapath
func (d *DefaultCollector) CollectPingEvent(report *PingReport) {}

// CollectConnectionExceptionReport collects the connection exception report
func (d *DefaultCollector) CollectConnectionExceptionReport(report *ConnectionExceptionReport) {}

// StatsFlowHash is a hash function to hash flows. Ignores source ports. Returns two hashes
// flowhash - minimal with SIP/DIP/Dport
// contenthash - hash with all contents to compare quickly and report when changes are observed
func StatsFlowHash(r *FlowRecord) (flowhash, contenthash uint64) {

	hash := xxhash.New()
	hash.Write([]byte(r.Source.ID))       // nolint errcheck
	hash.Write([]byte(r.Destination.ID))  // nolint errcheck
	hash.Write([]byte(r.Destination.URI)) // nolint errcheck
	hash.Write([]byte(r.Source.IP))       // nolint errcheck
	hash.Write([]byte(r.Destination.IP))  // nolint errcheck
	port := make([]byte, 2)
	binary.BigEndian.PutUint16(port, r.Destination.Port)
	hash.Write(port) // nolint errcheck
	flowhash = hash.Sum64()

	hash.Write([]byte(r.Action.String()))         // nolint errcheck
	hash.Write([]byte(r.ObservedAction.String())) // nolint errcheck
	hash.Write([]byte(r.DropReason))              // nolint errcheck
	hash.Write([]byte(r.PolicyID))                // nolint errcheck
	return flowhash, hash.Sum64()
}

// StatsFlowContentHash is a hash function to hash flows. Ignores source ports. Returns
// contenthash - hash with all contents to compare quickly and report when changes are observed
func StatsFlowContentHash(r *FlowRecord) (contenthash uint64) {

	_, contenthash = StatsFlowHash(r)
	return contenthash
}

// StatsUserHash is a hash function to hash user records.
func StatsUserHash(r *UserRecord) error {
	hash, err := services.HashClaims(r.Claims, r.Namespace)
	if err != nil {
		return err
	}
	r.ID = hash
	return nil
}

// ConnectionExceptionReportHash is a hash function to hash connection exception reports.
func ConnectionExceptionReportHash(r *ConnectionExceptionReport) uint64 {

	hash := xxhash.New()
	hash.Write([]byte(r.PUID))          // nolint errcheck
	hash.Write([]byte(r.SourceIP))      // nolint errcheck
	hash.Write([]byte(r.DestinationIP)) // nolint errcheck
	hash.Write([]byte(r.Reason))        // nolint errcheck
	hash.Write([]byte(r.State))         // nolint errcheck
	port := make([]byte, 2)
	binary.BigEndian.PutUint16(port, r.DestinationPort)
	hash.Write(port) // nolint errcheck

	return hash.Sum64()
}


================================================
FILE: collector/default_test.go
================================================
package collector

import (
	"testing"

	"go.aporeto.io/enforcerd/trireme-lib/policy"
)

func TestStatsUserHash(t *testing.T) {
	type args struct {
		userRecord *UserRecord
		hash       string
	}
	tests := []struct {
		name    string
		args    args
		wantErr bool
	}{
		{
			name: "Test_StatsUserHash1",
			args: args{
				userRecord: &UserRecord{
					Namespace: "/_apotests",
					Claims: []string{
						"CN=b01a6042-437-allow",
						"O=b01a6042-437-allow",
					},
				},
				hash: "14815208496714115169",
			},
			wantErr: false,
		},
		{
			name: "Test_StatsUserHash2",
			args: args{
				userRecord: &UserRecord{
					Namespace: "/_apotests",
					Claims: []string{
						"CN=apotests-master-staging2 Root CA",
						"O=_apotests/b01a6042-437c-44ab-a17f-e14f6f915b87",
						"OU=aporeto-enforcerd",
					},
				},
				hash: "3750309273572959404",
			},
			wantErr: false,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			if err := StatsUserHash(tt.args.userRecord); (err != nil) != tt.wantErr {
				t.Errorf("StatsUserHash() error = %v, wantErr %v", err, tt.wantErr)
			}
			if tt.args.hash != tt.args.userRecord.ID {
				t.Errorf("Wanted %s but got %s", tt.args.hash, tt.args.userRecord.ID)
			}
		})
	}
}

func TestStatsFlowHash(t *testing.T) {
	type args struct {
		r *FlowRecord
	}
	tests := []struct {
		name            string
		args            args
		wantFlowhash    uint64
		wantContenthash uint64
	}{
		{
			name: "basic hash",
			args: args{
				r: &FlowRecord{
					ContextID:             "context",
					Namespace:             "ns",
					Source:                EndPoint{},
					Destination:           EndPoint{},
					Tags:                  []string{"tag=val"},
					DropReason:            "none",
					PolicyID:              "default",
					ObservedPolicyID:      "default",
					ServiceType:           policy.ServiceL3,
					ServiceID:             "svc",
					Count:                 1,
					Action:                policy.Accept,
					ObservedAction:        policy.Accept,
					ObservedActionType:    policy.ObserveContinue,
					L4Protocol:            7,
					SourceController:      "src-controller",
					DestinationController: "dst-controller",
					RuleName:              "1",
				},
			},
			wantFlowhash:    11145182160106660097,
			wantContenthash: 5951126184511352450,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			gotFlowhash, gotContenthash := StatsFlowHash(tt.args.r)
			if gotFlowhash != tt.wantFlowhash {
				t.Errorf("StatsFlowHash() gotFlowhash = %v, want %v", gotFlowhash, tt.wantFlowhash)
			}
			if gotContenthash != tt.wantContenthash {
				t.Errorf("StatsFlowHash() gotContenthash = %v, want %v", gotContenthash, tt.wantContenthash)
			}

			gothash := StatsFlowContentHash(tt.args.r)
			if gothash != tt.wantContenthash {
				t.Errorf("StatsFlowHash() gothash = %v, want %v", gothash, tt.wantContenthash)
			}
		})
	}
}


================================================
FILE: collector/interfaces.go
================================================
package collector

import (
	"fmt"
	"time"

	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packettracing"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
	"go.aporeto.io/gaia"
)

// Flow event description
const (
	// FlowReject indicates that a flow was rejected
	FlowReject = "reject"
	// FlowAccept logs that a flow is accepted
	FlowAccept = "accept"
	// MissingToken indicates that the token was missing
	MissingToken = "missingtoken"
	// InvalidToken indicates that the token was invalid
	InvalidToken = "token"
	// InvalidFormat indicates that the packet metadata were not correct
	InvalidFormat = "format"
	// InvalidHeader indicates that the TCP header was not there.
	InvalidHeader = "header"
	// InvalidPayload indicates that the TCP payload was not there or bad.
	InvalidPayload = "payload"
	// InvalidContext indicates that there was no context in the metadata
	InvalidContext = "context"
	// InvalidConnection indicates that there was no connection found
	InvalidConnection = "connection"
	// InvalidState indicates that a packet was received without proper state information
	InvalidState = "state"
	// InvalidNonse indicates that the nonse check failed
	InvalidNonse = "nonse"
	// PolicyDrop indicates that the flow is rejected because of the policy decision
	PolicyDrop = "policy"
	// APIPolicyDrop indicates that the request was dropped because of failed API validation.
	APIPolicyDrop = "api"
	// UnableToDial indicates that the proxy cannot dial out the connection
	UnableToDial = "dial"
	// CompressedTagMismatch indicates that the compressed tag version is dissimilar
	CompressedTagMismatch = "compressedtagmismatch"
	// EncryptionMismatch indicates that the policy encryption varies between client and server enforcer
	EncryptionMismatch = "encryptionmismatch"
	// DatapathVersionMismatch indicates that the datapath version is dissimilar
	DatapathVersionMismatch = "datapathversionmismatch"
	// PacketDrop indicate a single packet drop
	PacketDrop = "packetdrop"
)

// Container event description
const (
	// ContainerStart indicates a container start event
	ContainerStart = "start"
	// ContainerStop indicates a container stop event
	ContainerStop = "stop"
	// ContainerCreate indicates a container create event
	ContainerCreate = "create"
	// ContainerDelete indicates a container delete event
	ContainerDelete = "delete"
	// ContainerUpdate indicates a container policy update event
	ContainerUpdate = "update"
	// ContainerFailed indicates an event that a container was stopped because of policy issues
	ContainerFailed = "forcestop"
	// ContainerIgnored indicates that the container will be ignored by Trireme
	ContainerIgnored = "ignore"
	// ContainerDeleteUnknown indicates that policy for an unknown  container was deleted
	ContainerDeleteUnknown = "unknowncontainer"
)

const (
	// PolicyValid Normal flow accept
	PolicyValid = "V"
	// DefaultEndPoint  provides a string for unknown container sources
	DefaultEndPoint = "default"
	// SomeClaimsSource provides a string for some claims flow source.
	SomeClaimsSource = "some-claims"
)

// EventCollector is the interface for collecting events.
type EventCollector interface {

	// CollectFlowEvent collect a  flow event.
	CollectFlowEvent(record *FlowRecord)

	// CollectContainerEvent collects a container events
	CollectContainerEvent(record *ContainerRecord)

	// CollectUserEvent  collects a user event
	CollectUserEvent(record *UserRecord)

	// CollectTraceEvent collects a set of trace messages generated with Iptables trace command
	CollectTraceEvent(records []string)

	// CollectPacketEvent collects packet event from nfqdatapath
	CollectPacketEvent(report *PacketReport)

	// CollectCounterEvent collects the counters from
	CollectCounterEvent(counterReport *CounterReport)

	// CollectDNSRequests collects the dns requests
	CollectDNSRequests(request *DNSRequestReport)

	// CollectPingEvent collects the ping events
	CollectPingEvent(report *PingReport)

	// CollectConnectionExceptionReport collects the connection exception report
	CollectConnectionExceptionReport(report *ConnectionExceptionReport)
}

// EndPointType is the type of an endpoint (PU or an external IP address )
type EndPointType byte

const (
	// EndPointTypeExternalIP indicates that the endpoint is an external IP address
	EndPointTypeExternalIP EndPointType = iota
	// EndPointTypePU indicates that the endpoint is a PU.
	EndPointTypePU
	// EndPointTypeClaims indicates that the endpoint is of type claims.
	EndPointTypeClaims
)

func (e *EndPointType) String() string {

	switch *e {
	case EndPointTypeExternalIP:
		return "ext"
	case EndPointTypePU:
		return "pu"
	case EndPointTypeClaims:
		return "claims"
	}

	return "pu" // backward compatibility (CS: 04/24/2018)
}

// EndPoint is a structure that holds all the endpoint information
type EndPoint struct {
	ID         string
	IP         string
	URI        string
	HTTPMethod string
	UserID     string
	Type       EndPointType
	Port       uint16
}

// FlowRecord describes a flow record for statistis
type FlowRecord struct {
	ContextID             string
	Namespace             string
	Source                EndPoint
	Destination           EndPoint
	Tags                  []string
	DropReason            string
	PolicyID              string
	ObservedPolicyID      string
	ServiceType           policy.ServiceType
	ServiceID             string
	Count                 int
	Action                policy.ActionType
	ObservedAction        policy.ActionType
	ObservedActionType    policy.ObserveActionType
	L4Protocol            uint8
	SourceController      string
	DestinationController string
	RuleName              string
}

func (f *FlowRecord) String() string {
	return fmt.Sprintf("<flowrecord contextID:%s namespace:%s count:%d sourceID:%s destinationID:%s sourceIP: %s destinationIP:%s destinationPort:%d action:%s mode:%s>",
		f.ContextID,
		f.Namespace,
		f.Count,
		f.Source.ID,
		f.Destination.ID,
		f.Source.IP,
		f.Destination.IP,
		f.Destination.Port,
		f.Action.String(),
		f.DropReason,
	)
}

// ContainerRecord is a statistics record for a container
type ContainerRecord struct {
	ContextID string
	IPAddress policy.ExtendedMap
	Tags      *policy.TagStore
	Event     string
}

// UserRecord reports a new user access. These will be reported
// periodically.
type UserRecord struct {
	ID        string
	Namespace string
	Claims    []string
}

// PacketReport is the struct which is used to report packets captured in datapath
type PacketReport struct {
	TCPFlags        int
	Claims          []string
	DestinationIP   string
	DestinationPort int
	DropReason      string
	Encrypt         bool
	Event           packettracing.PacketEvent
	Length          int
	Mark            int
	Namespace       string
	PacketID        int
	Protocol        int
	PUID            string
	SourceIP        string
	SourcePort      int
	TriremePacket   bool
	Timestamp       int64
	Payload         []byte
}

// DNSRequestReport object is used to report dns requests being made by PU's
type DNSRequestReport struct {
	ContextID   string
	Namespace   string
	Source      *EndPoint
	Destination *EndPoint
	NameLookup  string
	Error       string
	Count       int
	Ts          time.Time
	IPs         []string
}

// Counters represent a single entry with name and current val
type Counters uint32

// CounterReport is called from the PU which reports Counters from the datapath
type CounterReport struct {
	Namespace string
	PUID      string
	Timestamp int64
	Counters  []Counters
}

// PingReport represents a single ping report from datapath.
type PingReport struct {
	PingID               string
	IterationID          int
	Type                 gaia.PingProbeTypeValue
	PUID                 string
	Namespace            string
	FourTuple            string
	RTT                  string
	Protocol             int
	ServiceType          string
	PayloadSize          int
	PayloadSizeType      gaia.PingProbePayloadSizeTypeValue
	PolicyID             string
	PolicyAction         policy.ActionType
	AgentVersion         string
	ApplicationListening bool
	SeqNum               uint32
	TargetTCPNetworks    bool
	ExcludedNetworks     bool
	Error                string
	Claims               []string
	ClaimsType           gaia.PingProbeClaimsTypeValue
	ACLPolicyID          string
	ACLPolicyAction      policy.ActionType
	PeerCertIssuer       string
	PeerCertSubject      string
	PeerCertExpiry       time.Time
	IsServer             bool
	ServiceID            string

	// Remote pu fields.
	RemoteController    string
	RemotePUID          string
	RemoteEndpointType  EndPointType
	RemoteNamespace     string
	RemoteNamespaceType gaia.PingProbeRemoteNamespaceTypeValue
}

// IPTablesTrace is a bundle of iptables trace records
type IPTablesTrace struct {
	Namespace string
	Timestamp int64
	Records   []*IPTablesTraceRecord
}

// IPTablesTraceRecord is the info parsed out from a trace event message
type IPTablesTraceRecord struct {
	TTL                  int
	Chain                string
	DestinationIP        string
	DestinationInterface string
	DestinationPort      int
	Length               int
	PacketID             int
	Protocol             int
	RuleID               int
	SourceIP             string
	SourceInterface      string
	SourcePort           int
	TableName            string
}

// ConnectionExceptionReport represents a single connection exception report from datapath.
type ConnectionExceptionReport struct {
	Timestamp       time.Time
	PUID            string
	Namespace       string
	Protocol        int
	SourceIP        string
	DestinationIP   string
	DestinationPort uint16
	State           string
	Reason          string
	Value           uint32
}


================================================
FILE: collector/mockcollector/mockcollector.go
================================================
// Code generated by MockGen. DO NOT EDIT.
// Source: collector/interfaces.go

// Package mockcollector is a generated GoMock package.
package mockcollector

import (
	reflect "reflect"

	gomock "github.com/golang/mock/gomock"
	collector "go.aporeto.io/enforcerd/trireme-lib/collector"
)

// MockEventCollector is a mock of EventCollector interface
// nolint
type MockEventCollector struct {
	ctrl     *gomock.Controller
	recorder *MockEventCollectorMockRecorder
}

// MockEventCollectorMockRecorder is the mock recorder for MockEventCollector
// nolint
type MockEventCollectorMockRecorder struct {
	mock *MockEventCollector
}

// NewMockEventCollector creates a new mock instance
// nolint
func NewMockEventCollector(ctrl *gomock.Controller) *MockEventCollector {
	mock := &MockEventCollector{ctrl: ctrl}
	mock.recorder = &MockEventCollectorMockRecorder{mock}
	return mock
}

// EXPECT returns an object that allows the caller to indicate expected use
// nolint
func (m *MockEventCollector) EXPECT() *MockEventCollectorMockRecorder {
	return m.recorder
}

// CollectFlowEvent mocks base method
// nolint
func (m *MockEventCollector) CollectFlowEvent(record *collector.FlowRecord) {
	m.ctrl.T.Helper()
	m.ctrl.Call(m, "CollectFlowEvent", record)
}

// CollectFlowEvent indicates an expected call of CollectFlowEvent
// nolint
func (mr *MockEventCollectorMockRecorder) CollectFlowEvent(record interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CollectFlowEvent", reflect.TypeOf((*MockEventCollector)(nil).CollectFlowEvent), record)
}

// CollectContainerEvent mocks base method
// nolint
func (m *MockEventCollector) CollectContainerEvent(record *collector.ContainerRecord) {
	m.ctrl.T.Helper()
	m.ctrl.Call(m, "CollectContainerEvent", record)
}

// CollectContainerEvent indicates an expected call of CollectContainerEvent
// nolint
func (mr *MockEventCollectorMockRecorder) CollectContainerEvent(record interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CollectContainerEvent", reflect.TypeOf((*MockEventCollector)(nil).CollectContainerEvent), record)
}

// CollectUserEvent mocks base method
// nolint
func (m *MockEventCollector) CollectUserEvent(record *collector.UserRecord) {
	m.ctrl.T.Helper()
	m.ctrl.Call(m, "CollectUserEvent", record)
}

// CollectUserEvent indicates an expected call of CollectUserEvent
// nolint
func (mr *MockEventCollectorMockRecorder) CollectUserEvent(record interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CollectUserEvent", reflect.TypeOf((*MockEventCollector)(nil).CollectUserEvent), record)
}

// CollectTraceEvent mocks base method
// nolint
func (m *MockEventCollector) CollectTraceEvent(records []string) {
	m.ctrl.T.Helper()
	m.ctrl.Call(m, "CollectTraceEvent", records)
}

// CollectTraceEvent indicates an expected call of CollectTraceEvent
// nolint
func (mr *MockEventCollectorMockRecorder) CollectTraceEvent(records interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CollectTraceEvent", reflect.TypeOf((*MockEventCollector)(nil).CollectTraceEvent), records)
}

// CollectPacketEvent mocks base method
// nolint
func (m *MockEventCollector) CollectPacketEvent(report *collector.PacketReport) {
	m.ctrl.T.Helper()
	m.ctrl.Call(m, "CollectPacketEvent", report)
}

// CollectPacketEvent indicates an expected call of CollectPacketEvent
// nolint
func (mr *MockEventCollectorMockRecorder) CollectPacketEvent(report interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CollectPacketEvent", reflect.TypeOf((*MockEventCollector)(nil).CollectPacketEvent), report)
}

// CollectCounterEvent mocks base method
// nolint
func (m *MockEventCollector) CollectCounterEvent(counterReport *collector.CounterReport) {
	m.ctrl.T.Helper()
	m.ctrl.Call(m, "CollectCounterEvent", counterReport)
}

// CollectCounterEvent indicates an expected call of CollectCounterEvent
// nolint
func (mr *MockEventCollectorMockRecorder) CollectCounterEvent(counterReport interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CollectCounterEvent", reflect.TypeOf((*MockEventCollector)(nil).CollectCounterEvent), counterReport)
}

// CollectDNSRequests mocks base method
// nolint
func (m *MockEventCollector) CollectDNSRequests(request *collector.DNSRequestReport) {
	m.ctrl.T.Helper()
	m.ctrl.Call(m, "CollectDNSRequests", request)
}

// CollectDNSRequests indicates an expected call of CollectDNSRequests
// nolint
func (mr *MockEventCollectorMockRecorder) CollectDNSRequests(request interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CollectDNSRequests", reflect.TypeOf((*MockEventCollector)(nil).CollectDNSRequests), request)
}

// CollectPingEvent mocks base method
// nolint
func (m *MockEventCollector) CollectPingEvent(report *collector.PingReport) {
	m.ctrl.T.Helper()
	m.ctrl.Call(m, "CollectPingEvent", report)
}

// CollectPingEvent indicates an expected call of CollectPingEvent
// nolint
func (mr *MockEventCollectorMockRecorder) CollectPingEvent(report interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CollectPingEvent", reflect.TypeOf((*MockEventCollector)(nil).CollectPingEvent), report)
}

// CollectConnectionExceptionReport mocks base method
// nolint
func (m *MockEventCollector) CollectConnectionExceptionReport(report *collector.ConnectionExceptionReport) {
	m.ctrl.T.Helper()
	m.ctrl.Call(m, "CollectConnectionExceptionReport", report)
}

// CollectConnectionExceptionReport indicates an expected call of CollectConnectionExceptionReport
// nolint
func (mr *MockEventCollectorMockRecorder) CollectConnectionExceptionReport(report interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CollectConnectionExceptionReport", reflect.TypeOf((*MockEventCollector)(nil).CollectConnectionExceptionReport), report)
}


================================================
FILE: common/events.go
================================================
package common

import (
	"context"
)

// TriremeSocket is the standard API server Trireme socket path
// it is set via ConfigureTriremeSocketPath() and canonicalized with
// utils.GetPathOnHostViaProcRoot() at point of use
var TriremeSocket = "/var/run/trireme.sock"

// ConfigureTriremeSocketPath updates the TriremeSocket path
func ConfigureTriremeSocketPath(path string) {
	TriremeSocket = path
}

// PUType defines the PU type
type PUType int

const (
	// ContainerPU indicates that this PU is a container
	ContainerPU PUType = iota
	// LinuxProcessPU indicates that this is Linux process
	LinuxProcessPU
	// WindowsProcessPU indicates that this is Windows process
	WindowsProcessPU
	// HostPU is a host wrapping PU
	HostPU
	// HostNetworkPU is a PU for a network service in a host
	HostNetworkPU
	// KubernetesPU indicates that this is KubernetesPod
	KubernetesPU
	// TransientPU PU -- placeholder to run processing. This should not
	// be inserted in any cache. This is valid only for processing a packet
	TransientPU
)

const (
	// TriremeCgroupPath is the standard Trireme cgroup path
	TriremeCgroupPath = "/trireme/"

	// TriremeDockerHostNetwork is the path for Docker HostNetwork container based activations
	TriremeDockerHostNetwork = "/trireme_docker_hostnet/"
)

// EventInfo is a generic structure that defines all the information related to a PU event.
// EventInfo should be used as a normalized struct container that
type EventInfo struct {

	// EventType refers to one of the standard events that Trireme handles.
	EventType Event `json:"eventtype,omitempty"`

	// PUType is the the type of the PU
	PUType PUType `json:"putype,omitempty"`

	// The PUID is a unique value for the Processing Unit. Ideally this should be the UUID.
	PUID string `json:"puid,omitempty"`

	// The Name is a user-friendly name for the Processing Unit.
	Name string `json:"name,omitempty"`

	// The Executable is the executable name  for the Processing Unit.
	Executable string `json:"executable,omitempty"`

	// Tags represents the set of MetadataTags associated with this PUID.
	Tags []string `json:"tags,omitempty"`

	// The path for the Network Namespace.
	NS string `json:"namespace,omitempty"`

	// Cgroup is the path to the cgroup - used for deletes
	Cgroup string `json:"cgroup,omitempty"`

	// IPs is a map of all the IPs that fully belong to this processing Unit.
	IPs map[string]string `json:"ipaddressesutype,omitempty"`

	// Services is a list of services of interest - for host control
	Services []Service `json:"services,omitempty"`

	// The PID is the PID on the system where this Processing Unit is running.
	PID int32 `json:"pid,omitempty"`

	// HostService indicates that the request is for the root namespace
	HostService bool `json:"hostservice,omitempty"`

	// AutoPort indicates that the PU will have auto port feature enabled
	AutoPort bool `json:"autoport,omitempty"`

	// NetworkOnlyTraffic indicates that traffic towards the applications must be controlled.
	NetworkOnlyTraffic bool `json:"networktrafficonly,omitempty"`

	// Root indicates that this request is coming from a roor user. Its overwritten by the enforcer
	Root bool `json:"root,omitempty"`
}

// Event represents the event picked up by the monitor.
type Event string

// Values of the events
const (
	EventStart   Event = "start"
	EventStop    Event = "stop"
	EventUpdate  Event = "update"
	EventCreate  Event = "create"
	EventDestroy Event = "destroy"
	EventPause   Event = "pause"
	EventUnpause Event = "unpause"
	EventResync  Event = "resync"
)

var (
	// EventMap used for validations
	EventMap = map[Event]*struct{}{
		"start":   nil,
		"stop":    nil,
		"update":  nil,
		"create":  nil,
		"destroy": nil,
		"pause":   nil,
		"unpause": nil,
		"resync":  nil,
	}
)

// EventResponse encapsulate the error response if any.
type EventResponse struct {
	Error string
}

// A EventHandler is type of event handler functions.
type EventHandler func(ctx context.Context, event *EventInfo) error

// A State describes the state of the PU.
type State int

const (
	// StateStarted is the state of a started PU.
	StateStarted State = iota + 1

	// StateStopped is the state of stopped PU.
	StateStopped

	// StatePaused is the state of a paused PU.
	StatePaused

	// StateDestroyed is the state of destroyed PU.
	StateDestroyed

	// StateUnknwown is the state of PU in an unknown state.
	StateUnknwown
)


================================================
FILE: common/hooks.go
================================================
package common

// Values for hook methods
const (
	MetadataHookPolicy      = "metadata:policy"
	MetadataHookHealth      = "metadata:health"
	MetadataHookCertificate = "metadata:certificate"
	MetadataHookKey         = "metadata:key"
	MetadataHookToken       = "metadata:token"
	AWSHookInfo             = "aws:info"
	AWSHookRole             = "aws:role"
)

// AWSRole reserved prefix
const (
	AWSRoleARNPrefix = "@awsrole=arn:aws:iam::"

	AWSRolePrefix = "@awsrole="
)

// Metadata API constants
const (
	MetadataKey   = "X-Aporeto-Metadata"
	MetadataValue = "secrets"
)


================================================
FILE: common/oauthtokens.go
================================================
package common

import (
	"context"
	"time"
)

// ServiceTokenType is the type of the token.
type ServiceTokenType string

// Values of ServiceTokenType
const (
	ServiceTokenTypeOAUTH ServiceTokenType = "oauth"

	ServiceTokenTypeAWS ServiceTokenType = "aws"
)

// ServiceTokenIssuer is an interface of an implementation that can issue service tokens on behalf
// of a PU. The user of the library must provide the implementation. ServiceTokens can be OAUTH
// tokens or cloud provider specific tokens such AWS Role credentials.
type ServiceTokenIssuer interface {
	Issue(ctx context.Context, contextID string, stype ServiceTokenType, audience string, validity time.Duration) (string, error)
}


================================================
FILE: common/service.go
================================================
package common

import (
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packet"
	"go.aporeto.io/enforcerd/trireme-lib/utils/portspec"
)

// Service is a protocol/port service of interest - used to pass user requests
type Service struct {
	// Ports are the corresponding ports
	Ports *portspec.PortSpec `json:"ports,omitempty"`

	// Port is the service port. This has been deprecated and will be removed in later releases 01/13/2018
	Port uint16

	// Protocol is the protocol number
	Protocol uint8 `json:"protocol,omitempty"`

	// Addresses are the IP addresses. An empty list means 0.0.0.0/0
	Addresses map[string]struct{} `json:"addresses,omitempty"`

	// FQDNs is the list of FQDNs for the service.
	FQDNs []string `json:"fqdns,omitempty"`
}

// ConvertServicesToPortList converts an array of services to a port list
func ConvertServicesToPortList(services []Service) string {

	portlist := ""
	for _, s := range services {
		portlist = portlist + s.Ports.String() + ","
	}

	if len(portlist) == 0 {
		portlist = "0"
	} else {
		portlist = portlist[:len(portlist)-1]
	}

	return portlist
}

// ConvertServicesToProtocolPortList converts an array of services to tcp/udp port list
func ConvertServicesToProtocolPortList(services []Service) (string, string) {

	tcpPortlist := ""
	udpPortlist := ""
	for _, s := range services {
		if s.Protocol == packet.IPProtocolTCP {
			tcpPortlist = tcpPortlist + s.Ports.String() + ","
		} else {
			udpPortlist = udpPortlist + s.Ports.String() + ","
		}
	}

	if len(tcpPortlist) == 0 {
		tcpPortlist = "0"
	} else {
		tcpPortlist = tcpPortlist[:len(tcpPortlist)-1]
	}

	if len(udpPortlist) == 0 {
		udpPortlist = "0"
	} else {
		udpPortlist = udpPortlist[:len(udpPortlist)-1]
	}

	return tcpPortlist, udpPortlist
}


================================================
FILE: controller/config.go
================================================
package controller

import (
	"context"
	"fmt"
	"sync"
	"time"

	"github.com/blang/semver"
	"go.aporeto.io/enforcerd/trireme-lib/collector"
	"go.aporeto.io/enforcerd/trireme-lib/common"
	"go.aporeto.io/enforcerd/trireme-lib/controller/constants"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer"
	enforcerproxy "go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/proxy"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/utils/rpcwrapper"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/supervisor"
	supervisornoop "go.aporeto.io/enforcerd/trireme-lib/controller/internal/supervisor/noop"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/env"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/fqconfig"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packetprocessor"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/secrets"
	"go.aporeto.io/enforcerd/trireme-lib/controller/runtime"

	"go.aporeto.io/enforcerd/trireme-lib/policy"
	"go.uber.org/zap"
)

// config specifies all configurations accepted by trireme to start.
type config struct {
	// Required Parameters.
	serverID string

	// External Interface implementations that we allow to plugin to components.
	collector collector.EventCollector
	service   packetprocessor.PacketProcessor
	secret    secrets.Secrets

	// Configurations for fine tuning internal components.
	mode                   constants.ModeType
	fq                     fqconfig.FilterQueue
	isBPFEnabled           bool
	linuxProcess           bool
	mutualAuth             bool
	packetLogs             bool
	validity               time.Duration
	procMountPoint         string
	externalIPcacheTimeout time.Duration
	runtimeCfg             *runtime.Configuration
	runtimeErrorChannel    chan *policy.RuntimeError
	remoteParameters       *env.RemoteParameters
	tokenIssuer            common.ServiceTokenIssuer
	ipv6Enabled            bool
	agentVersion           semver.Version
	iptablesLockfile       string
}

// Option is provided using functional arguments.
type Option func(*config)

// OptionBPFEnabled is an option
func OptionBPFEnabled(bpfEnabled bool) Option {
	return func(cfg *config) {
		cfg.isBPFEnabled = bpfEnabled
	}
}

// OptionIptablesLockfile is a string option to set the path to the iptables lockfile
func OptionIptablesLockfile(iptablesLockfile string) Option {
	return func(cfg *config) {
		cfg.iptablesLockfile = iptablesLockfile
	}
}

//OptionIPv6Enable is an option to enable ipv6
func OptionIPv6Enable(ipv6Enabled bool) Option {
	return func(cfg *config) {
		cfg.ipv6Enabled = ipv6Enabled
	}
}

// OptionCollector is an option to provide an external collector implementation.
func OptionCollector(c collector.EventCollector) Option {
	return func(cfg *config) {
		cfg.collector = c
	}
}

// OptionDatapathService is an option to provide an external datapath service implementation.
func OptionDatapathService(s packetprocessor.PacketProcessor) Option {
	return func(cfg *config) {
		cfg.service = s
	}
}

// OptionSecret is an option to provide an external datapath service implementation.
func OptionSecret(s secrets.Secrets) Option {
	return func(cfg *config) {
		cfg.secret = s
	}
}

// OptionEnforceLinuxProcess is an option to request support for linux process support.
func OptionEnforceLinuxProcess() Option {
	return func(cfg *config) {
		cfg.linuxProcess = true
	}
}

// OptionEnforceFqConfig is an option to override filter queues.
func OptionEnforceFqConfig(f fqconfig.FilterQueue) Option {
	return func(cfg *config) {
		cfg.fq = f
	}
}

// OptionDisableMutualAuth is an option to disable MutualAuth (enabled by default)
func OptionDisableMutualAuth() Option {
	return func(cfg *config) {
		cfg.mutualAuth = false
	}
}

// OptionRuntimeConfiguration is an option to provide target network configuration.
func OptionRuntimeConfiguration(c *runtime.Configuration) Option {
	return func(cfg *config) {
		cfg.runtimeCfg = c
	}
}

// OptionProcMountPoint is an option to provide proc mount point.
func OptionProcMountPoint(p string) Option {
	return func(cfg *config) {
		cfg.procMountPoint = p
	}
}

// OptionRuntimeErrorChannel configures the error channel for the policy engine.
func OptionRuntimeErrorChannel(errorChannel chan *policy.RuntimeError) Option {
	return func(cfg *config) {
		cfg.runtimeErrorChannel = errorChannel
	}

}

// OptionPacketLogs is an option to enable packet level logging.
func OptionPacketLogs() Option {
	return func(cfg *config) {
		cfg.packetLogs = true
	}
}

// OptionRemoteParameters is an option to set the parameters for the remote
func OptionRemoteParameters(p *env.RemoteParameters) Option {
	return func(cfg *config) {
		cfg.remoteParameters = p
	}
}

// OptionTokenIssuer provides the token issuer.
func OptionTokenIssuer(t common.ServiceTokenIssuer) Option {
	return func(cfg *config) {
		cfg.tokenIssuer = t
	}
}

// OptionAgentVersion is an option to set agent version.
func OptionAgentVersion(v semver.Version) Option {
	return func(cfg *config) {
		cfg.agentVersion = v
	}
}

func (t *trireme) newEnforcers(ctx context.Context) error {
	zap.L().Debug("LinuxProcessSupport", zap.Bool("Status", t.config.linuxProcess))
	var err error
	if t.config.linuxProcess {
		t.enforcers[constants.LocalServer], err = enforcer.New(
			t.config.mutualAuth,
			t.config.fq,
			t.config.collector,
			t.config.secret,
			t.config.serverID,
			t.config.validity,
			constants.LocalServer,
			t.config.procMountPoint,
			t.config.externalIPcacheTimeout,
			t.config.packetLogs,
			t.config.runtimeCfg,
			t.config.tokenIssuer,
			t.config.isBPFEnabled,
			t.config.agentVersion,
			policy.None,
		)
		if err != nil {
			return fmt.Errorf("Failed to initialize LocalServer enforcer: %s ", err)
		}
		err = t.setupEnvoyAuthorizer()
		if err != nil {
			return fmt.Errorf("Failed to initialize LocalEnvoyAuthorizer enforcer: %s ", err)
		}
	}

	if t.config.mode == constants.RemoteContainer {
		enforcerProxy := enforcerproxy.NewProxyEnforcer(
			ctx,
			t.config.mutualAuth,
			t.config.fq,
			t.config.collector,
			t.config.secret,
			t.config.serverID,
			t.config.validity,
			"enforce",
			t.config.procMountPoint,
			t.config.externalIPcacheTimeout,
			t.config.packetLogs,
			t.config.runtimeCfg,
			t.config.runtimeErrorChannel,
			t.config.remoteParameters,
			t.config.tokenIssuer,
			t.config.isBPFEnabled,
			t.config.ipv6Enabled,
			t.config.iptablesLockfile,
			rpcwrapper.NewRPCServer(),
		)
		t.enforcers[constants.RemoteContainer] = enforcerProxy
		t.enforcers[constants.RemoteContainerEnvoyAuthorizer] = enforcerProxy
	}

	zap.L().Debug("TriremeMode", zap.Int("Status", int(t.config.mode)))
	return nil
}

func (t *trireme) newSupervisors() error {

	noopSup := supervisornoop.NewNoopSupervisor()

	if t.config.linuxProcess {
		sup, err := supervisor.NewSupervisor(
			t.config.collector,
			t.enforcers[constants.LocalServer],
			constants.LocalServer,
			t.config.runtimeCfg,
			t.config.ipv6Enabled,
			t.config.iptablesLockfile,
		)
		if err != nil {
			return fmt.Errorf("Could Not create process supervisor :: received error %v", err)
		}

		t.supervisors[constants.LocalServer] = sup
		err = t.setupEnvoySupervisor(noopSup)
		if err != nil {
			return fmt.Errorf("Could Not create envoy supervisor :: received error %v", err)
		}
	}

	if t.config.mode == constants.RemoteContainer {
		t.supervisors[constants.RemoteContainer] = noopSup
		t.supervisors[constants.RemoteContainerEnvoyAuthorizer] = noopSup
	}

	return nil
}

// newTrireme returns a reference to the trireme object based on the parameter subelements.
func newTrireme(ctx context.Context, c *config) TriremeController {

	var err error

	t := &trireme{
		config:               c,
		enforcers:            map[constants.ModeType]enforcer.Enforcer{},
		supervisors:          map[constants.ModeType]supervisor.Supervisor{},
		puTypeToEnforcerType: map[common.PUType]constants.ModeType{},
		locks:                sync.Map{},
		enablingTrace:        make(chan *traceTrigger, 10),
	}

	zap.L().Debug("Creating Enforcers")
	if err = t.newEnforcers(ctx); err != nil {
		zap.L().Error("Unable to create datapath enforcers", zap.Error(err))
		return nil
	}

	zap.L().Debug("Creating Supervisors")
	if err = t.newSupervisors(); err != nil {
		zap.L().Error("Unable to start datapath supervisor", zap.Error(err))
		return nil
	}

	if c.linuxProcess {
		t.puTypeToEnforcerType[common.LinuxProcessPU] = constants.LocalServer
		t.puTypeToEnforcerType[common.WindowsProcessPU] = constants.LocalServer
		t.puTypeToEnforcerType[common.HostPU] = constants.LocalServer
		t.puTypeToEnforcerType[common.HostNetworkPU] = constants.LocalServer
	}

	if t.config.mode == constants.RemoteContainer {
		t.puTypeToEnforcerType[common.ContainerPU] = constants.RemoteContainer
		t.puTypeToEnforcerType[common.KubernetesPU] = constants.RemoteContainer
	}

	return t
}


================================================
FILE: controller/config_nonwindows.go
================================================
// +build !windows

package controller

import (
	"go.aporeto.io/enforcerd/trireme-lib/controller/constants"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/supervisor"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
)

func (t *trireme) setupEnvoyAuthorizer() error {

	var err error
	t.enforcers[constants.LocalEnvoyAuthorizer], err = enforcer.New(
		t.config.mutualAuth,
		t.config.fq,
		t.config.collector,
		t.config.secret,
		t.config.serverID,
		t.config.validity,
		constants.LocalEnvoyAuthorizer,
		t.config.procMountPoint,
		t.config.externalIPcacheTimeout,
		t.config.packetLogs,
		t.config.runtimeCfg,
		t.config.tokenIssuer,
		t.config.isBPFEnabled,
		t.config.agentVersion,
		policy.None,
	)
	return err
}

func (t *trireme) setupEnvoySupervisor(sup supervisor.Supervisor) error {

	t.supervisors[constants.LocalEnvoyAuthorizer] = sup
	return nil
}


================================================
FILE: controller/config_windows.go
================================================
// +build windows

package controller

import (
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/supervisor"
)

func (t *trireme) setupEnvoyAuthorizer() error {
	return nil
}

func (t *trireme) setupEnvoySupervisor(sup supervisor.Supervisor) error {
	return nil
}


================================================
FILE: controller/constants/constants.go
================================================
package constants

import (
	"path/filepath"
	"time"
)

const (
	// DefaultProcMountPoint The default proc mountpoint
	DefaultProcMountPoint = "/proc"
	// DefaultAporetoProcMountPoint The aporeto proc mountpoint just in case we are launched with some specific docker config
	DefaultAporetoProcMountPoint = "/aporetoproc"
	// DefaultSecretsPath is the default path for the secrets proxy.
	DefaultSecretsPath = "@secrets"

	// EnforcerdCleanerName is the path of the cleaner script.
	EnforcerdCleanerName = "cleaner"

	// DefaultEnforcerdCleanerPath is the default path of the cleaner.  For now set this to
	// /sbin/cleaner.  Note that the cleaner path is set via the container master enforcer but
	// it is ultimately run in the host and not in the container. Prior to defender integrations
	// we used the same path /sbin/cleaner in the host and /sbin/cleaner in the container and it
	// worked.  Now, with the defender integration we use a tarball to install the enforcer and
	// all the binaries, and it may install anywhere on the host, as specified by the defender
	// installer.  The container does not know where it was installed. Furthermore, we no longer
	// install via .deb or .rpm files so there is no system files installed, and cleaner will not
	// be found in /sbin/cleaner when installed via the defender bundle installer.  So a new
	// startup flag is defined now, `--cleaner-path` and environment variable
	// `ENFORCED_CLEANER_PATH` that defender can use to tell us where it installed the
	// cleaner. With this, the container enforcer can properly set the cleaner path in the
	// cgroups v1 release_agent.
	//
	// TLDR; We now use /enforcerd-tools/cleaner in the container, and it will be installed in
	// /path/to/install/ation/dir/enforcerd-tools/cleaner in the host.  container enforcer will
	// tell cgroup sub-system to use /enforcerd-tools/cleaner but cgroups executes it on the
	// host and can't find it here. Ergo, it won't work on a defender install this way.
	//
	// TODO - fix this so cleaner can be installed by defender and the installation path can be
	// discovered by container enforcer
	DefaultEnforcerdCleanerPath = "/sbin/cleaner"

	// RemoteEnforcerBuildName is the name of the remote enforcer binary we will build and deploy
	RemoteEnforcerBuildName = "remoteenforcerd"

	// RemoteEnforcerSrcName is the name of the original copy of the remote enforcer binary
	RemoteEnforcerSrcName = "remoteenforcer"
)

const (
	// DefaultRemoteArg is the default arguments for a remote enforcer
	DefaultRemoteArg = "enforce"
)

const (

	// EnvMountPoint is an environment variable which will contain the mount point
	EnvMountPoint = "TRIREME_ENV_PROC_MOUNTPOINT"

	// EnvEnforcerType is an environment variable which will indicate what enforcer type we want to use
	EnvEnforcerType = "TRIREME_ENV_ENFORCER_TYPE"

	// EnvContextSocket stores the path to the context specific socket
	EnvContextSocket = "TRIREME_ENV_SOCKET_PATH"

	// EnvStatsChannel stores the path to the stats channel
	EnvStatsChannel = "TRIREME_ENV_STATS_CHANNEL_PATH"

	// EnvDebugChannel stores the path to the debug channel
	EnvDebugChannel = "TRIREME_ENV_DEBUG_CHANNEL_PATH"

	// EnvRPCClientSecret is the secret used between RPC client/server
	EnvRPCClientSecret = "TRIREME_ENV_SECRET"

	// EnvStatsSecret is the secret to be used for the stats channel
	EnvStatsSecret = "TRIREME_ENV_STATS_SECRET"

	// EnvContainerPID is the PID of the container
	EnvContainerPID = "TRIREME_ENV_CONTAINER_PID"

	// EnvNSPath is the path of the network namespace
	EnvNSPath = "TRIREME_ENV_NS_PATH"

	// EnvNsenterErrorState stores the error state as reported by remote enforcer
	EnvNsenterErrorState = "TRIREME_ENV_NSENTER_ERROR_STATE"

	// EnvNsenterLogs stores the logs as reported by remote enforcer
	EnvNsenterLogs = "TRIREME_ENV_NSENTER_LOGS"

	// EnvLogLevel store the log level to be used.
	EnvLogLevel = "TRIREME_ENV_LOG_LEVEL"

	// EnvLogFormat store the log format to be used.
	EnvLogFormat = "TRIREME_ENV_LOG_FORMAT"

	// EnvLogID store the context Id for the log file to be used.
	EnvLogID = "TRIREME_ENV_LOG_ID"

	// EnvCompressedTags stores whether we should be using compressed tags.
	EnvCompressedTags = "TRIREME_ENV_COMPRESSED_TAGS"

	// EnvEnforcerdToolsDir is the path to the /enforcerd-tools directory so remote enforcerd can find tools.
	EnvEnforcerdToolsDir = "TRIREME_ENV_ENFORCERD_TOOLS_DIR"

	// EnvEnforcerdNFQueues exports the number of nfqueues to remote enforcer
	EnvEnforcerdNFQueues = "TRIREME_ENV_NUM_NFQUEUES"
)

// ModeType defines the mode of the enforcement and supervisor.
type ModeType int

const (
	// RemoteContainer indicates that the Supervisor is implemented in the
	// container namespace
	RemoteContainer ModeType = iota
	// LocalServer indicates that the Supervisor applies to Linux processes
	LocalServer
	// LocalEnvoyAuthorizer indicates to use a local envoyproxy as enforcer/authorizer
	LocalEnvoyAuthorizer
	// RemoteContainerEnvoyAuthorizer indicates to use the envoyproxy enforcer/authorizer for containers
	RemoteContainerEnvoyAuthorizer
)

// LogLevel corresponds to log level of any logger. eg: zap.
type LogLevel string

// LogOptions
const (
	// OptionLogLevel represents the log-level
	OptionLogLevel = "log-level"
	// OptionLogFormat represents the log-format
	OptionLogFormat = "log-format"
	// OptionLogFilePath represents the log location path
	OptionLogFilePath = "log-file-path"
)

// Various log levels.
const (
	Info  LogLevel = "Info"
	Debug LogLevel = "Debug"
	Trace LogLevel = "Trace"
	Error LogLevel = "Error"
	Warn  LogLevel = "Warn"
)

// API service related constants
const (
	CallbackURIExtension = "/aporeto/oidc/callback"
)

// Protocol constants
const (
	TCPProtoNum    = "6"
	UDPProtoNum    = "17"
	TCPProtoString = "TCP"
	UDPProtoString = "UDP"
	AllProtoString = "ALL"
)

//MaxICMPCodes constant puts the maximum number of codes that can be put in a single string
const MaxICMPCodes = 25

// Channel variables
var (
	StatsChannel string
	DebugChannel string
)

// PortNumberLabelString is the label to use for port numbers
const (
	PortNumberLabelString = "@sys:port"
)

// ControllerLabelString is the label to use for control planes
const (
	ControllerLabelString = "$controller"
)

// Token and cache default validities. These have performance implications.
// The faster the datapath issues new tokens it affects performance. However,
// making it too slow can potentially allow reuse of the tokens. The
// token issuance rate must be always faster than the expiration rate.
const (
	// SynTokenRefreshTime determines how often the data path creates new tokens.
	SynTokenRefreshTime = 5 * time.Minute
	// SynTokenValidity determines how long after the tokens are considered valid.
	SynTokenValidity = 10 * time.Minute
)

// SocketsPath is used to find the socket file corresponding to the container
var SocketsPath string

// RemoteEnforcerPath sets the path of the remote enforcer
var RemoteEnforcerPath string

// ConfigureRemoteEnforcerPath updates the remote enforcer path
func ConfigureRemoteEnforcerPath(path string) {
	RemoteEnforcerPath = filepath.Join(path, RemoteEnforcerBuildName)
}

// ConfigureSocketsPath updates the sockets path
func ConfigureSocketsPath(sockPath string) {
	SocketsPath = sockPath
	StatsChannel = filepath.Join(sockPath, "statschannel.sock")
	DebugChannel = filepath.Join(sockPath, "debugchannel.sock")
}

// Mark used by the proxies/ping to bypass trap rules.
const (
	ProxyMarkInt = 0x40
	ProxyMark    = "0x40"
)

const (
	// ChainPrefix represents trireme chain prefix.
	ChainPrefix = "TRI-"
)


================================================
FILE: controller/constants/constants_nonrhel6.go
================================================
// +build !rhel6

package constants

// IpsetBinaryName is the ipset binary name
const IpsetBinaryName = "aporeto-ipset"


================================================
FILE: controller/constants/constants_rhel6.go
================================================
// +build rhel6

package constants

// IpsetBinaryName is the (system) ipset binary name on RHEL6
const IpsetBinaryName = "ipset"


================================================
FILE: controller/constants/constants_test.go
================================================
package constants

import (
	"path/filepath"
	"testing"
)

func TestConfigureRemoteEnforcerPath(t *testing.T) {
	arg := "foo"
	want := filepath.Join("foo", "remoteenforcerd")

	t.Run("Test with one path", func(t *testing.T) {

		ConfigureRemoteEnforcerPath(arg)
		got := RemoteEnforcerPath
		if got != want {
			t.Errorf("RemoteEnforcerPath was wrong, got: %s, want: %s.", got, want)
		}
	})

}

func TestConfigureSocketsPath(t *testing.T) {
	path := "the/path"
	want1 := filepath.Join(path, "statschannel.sock")
	want2 := filepath.Join(path, "debugchannel.sock")

	t.Run("Test with one path", func(t *testing.T) {

		ConfigureSocketsPath(path)
		got := SocketsPath
		got1 := filepath.Join(path, want1)
		got2 := filepath.Join(path, want2)
		if got != path {
			t.Errorf("ConfigureSocketsPath was wrong, got: %s, want: %s.", got, path)
		}
		if got != path {
			t.Errorf("ConfigureSocketsPath was wrong, got: %s, want: %s.", got1, want1)
		}
		if got != path {
			t.Errorf("ConfigureSocketsPath was wrong, got: %s, want: %s.", got2, want2)
		}
	})
}


================================================
FILE: controller/controller.go
================================================
package controller

import (
	"context"
	"fmt"
	"os/exec"
	"sync"
	"time"

	"go.aporeto.io/enforcerd/trireme-lib/collector"
	"go.aporeto.io/enforcerd/trireme-lib/common"
	"go.aporeto.io/enforcerd/trireme-lib/controller/constants"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/supervisor"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/claimsheader"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/dmesgparser"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/env"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packettracing"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/secrets"
	"go.aporeto.io/enforcerd/trireme-lib/controller/runtime"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
	"go.uber.org/zap"
)

type traceTrigger struct {
	duration time.Duration
	expiry   time.Time
}

// trireme contains references to all the different components of the controller.
// Depending on the configuration we might have multiple supervisor and enforcer types.
// The initialization process must provide the mode that Trireme will run in.
type trireme struct {
	config               *config
	supervisors          map[constants.ModeType]supervisor.Supervisor
	enforcers            map[constants.ModeType]enforcer.Enforcer
	puTypeToEnforcerType map[common.PUType]constants.ModeType
	enablingTrace        chan *traceTrigger
	locks                sync.Map
}

// New returns a trireme interface implementation based on configuration provided.
func New(ctx context.Context, serverID string, mode constants.ModeType, opts ...Option) TriremeController {

	c := &config{
		serverID:               serverID,
		collector:              collector.NewDefaultCollector(),
		mode:                   mode,
		mutualAuth:             true,
		validity:               constants.SynTokenValidity,
		procMountPoint:         constants.DefaultProcMountPoint,
		externalIPcacheTimeout: -1,
		remoteParameters: &env.RemoteParameters{
			LogFormat:      "console",
			LogWithID:      false,
			CompressedTags: claimsheader.CompressionTypeV1,
		},
	}

	for _, opt := range opts {
		opt(c)
	}

	zap.L().Debug("Trireme configuration", zap.String("configuration", fmt.Sprintf("%+v", c)))

	return newTrireme(ctx, c)
}

// Run starts the supervisor and the enforcer and go routines. It doesn't try to clean
// up if something went wrong. It will be up to the caller to decide what to do.
func (t *trireme) Run(ctx context.Context) error {

	// Start all the supervisors.
	for _, s := range t.supervisors {

		if err := s.Run(ctx); err != nil {
			zap.L().Error("Error when starting the supervisor", zap.Error(err))
			return fmt.Errorf("Error while starting supervisor %v", err)
		}
	}

	// Start all the enforcers.
	for _, e := range t.enforcers {
		if err := e.Run(ctx); err != nil {
			return fmt.Errorf("unable to start the enforcer: %s", err)
		}
	}
	go t.runIPTraceCollector(ctx)
	return nil
}

// CleanUp cleans all the acls and all the remote supervisors
func (t *trireme) CleanUp() error {
	for _, s := range t.supervisors {
		s.CleanUp() // nolint
	}

	for _, e := range t.enforcers {
		e.CleanUp() // nolint
	}
	return nil
}

// Enforce asks the controller to enforce policy to a processing unit
func (t *trireme) Enforce(ctx context.Context, puID string, policy *policy.PUPolicy, runtime *policy.PURuntime) error {
	lock, _ := t.locks.LoadOrStore(puID, &sync.Mutex{})
	lock.(*sync.Mutex).Lock()
	defer lock.(*sync.Mutex).Unlock()
	return t.doHandleCreate(ctx, puID, policy, runtime)
}

// Enforce asks the controller to enforce policy to a processing unit
func (t *trireme) UnEnforce(ctx context.Context, puID string, policy *policy.PUPolicy, runtime *policy.PURuntime) error {
	lock, _ := t.locks.LoadOrStore(puID, &sync.Mutex{})
	lock.(*sync.Mutex).Lock()
	defer func() {
		t.locks.Delete(puID)
		lock.(*sync.Mutex).Unlock()
	}()
	return t.doHandleDelete(ctx, puID, policy, runtime)
}

// UpdatePolicy updates a policy for an already activated PU. The PU is identified by the contextID
func (t *trireme) UpdatePolicy(ctx context.Context, puID string, plc *policy.PUPolicy, runtime *policy.PURuntime) error {
	lock, _ := t.locks.LoadOrStore(puID, &sync.Mutex{})
	lock.(*sync.Mutex).Lock()
	defer lock.(*sync.Mutex).Unlock()
	return t.doUpdatePolicy(ctx, puID, plc, runtime)
}

func (t *trireme) EnableDatapathPacketTracing(ctx context.Context, puID string, policy *policy.PUPolicy, runtime *policy.PURuntime, direction packettracing.TracingDirection, interval time.Duration) error {
	lock, _ := t.locks.LoadOrStore(puID, &sync.Mutex{})
	lock.(*sync.Mutex).Lock()
	defer lock.(*sync.Mutex).Unlock()
	return t.doHandleEnableDatapathPacketTracing(ctx, puID, policy, runtime, direction, interval)
}

func (t *trireme) EnableIPTablesPacketTracing(ctx context.Context, puID string, policy *policy.PUPolicy, runtime *policy.PURuntime, interval time.Duration) error {
	lock, _ := t.locks.LoadOrStore(puID, &sync.Mutex{})
	lock.(*sync.Mutex).Lock()
	defer lock.(*sync.Mutex).Unlock()
	return t.doHandleEnableIPTablesPacketTracing(ctx, puID, policy, runtime, interval)
}

// Ping runs ping based on the given config.
func (t *trireme) Ping(ctx context.Context, puID string, policy *policy.PUPolicy, runtime *policy.PURuntime, pingConfig *policy.PingConfig) error {
	lock, _ := t.locks.LoadOrStore(puID, &sync.Mutex{})
	lock.(*sync.Mutex).Lock()
	defer lock.(*sync.Mutex).Unlock()
	return t.enforcers[t.modeTypeFromPolicy(policy, runtime)].Ping(ctx, puID, pingConfig)
}

func (t *trireme) DebugCollect(ctx context.Context, puID string, policy *policy.PUPolicy, runtime *policy.PURuntime, debugConfig *policy.DebugConfig) error {
	lock, _ := t.locks.LoadOrStore(puID, &sync.Mutex{})
	lock.(*sync.Mutex).Lock()
	defer lock.(*sync.Mutex).Unlock()
	return t.enforcers[t.modeTypeFromPolicy(policy, runtime)].DebugCollect(ctx, puID, debugConfig)
}

// UpdateSecrets updates the secrets of the controllers.
func (t *trireme) UpdateSecrets(secrets secrets.Secrets) error {
	for _, enforcer := range t.enforcers {
		if err := enforcer.UpdateSecrets(secrets); err != nil {
			zap.L().Error("unable to update secrets", zap.Error(err))
		}
	}
	return nil
}

// UpdateConfiguration updates the configuration of the controller. Only
// a limited number of parameters can be updated at run time.
func (t *trireme) UpdateConfiguration(cfg *runtime.Configuration) error {

	failure := false

	for _, s := range t.supervisors {
		err := s.SetTargetNetworks(cfg)
		if err != nil {
			zap.L().Error("Failed to update target networks in supervisor", zap.Error(err))
			failure = true
		}
	}

	for _, e := range t.enforcers {
		if cfg.LogLevel != "" {
			if err := e.SetLogLevel(cfg.LogLevel); err != nil {
				zap.L().Error("unable to set log level", zap.Error(err))
			}
		}

		err := e.SetTargetNetworks(cfg)
		if err != nil {
			zap.L().Error("Failed to update target networks in controller", zap.Error(err))
			failure = true
		}
	}

	if failure {
		return fmt.Errorf("configuration update failed")
	}

	return nil
}

// doHandleCreate is the detailed implementation of the create event.
func (t *trireme) doHandleCreate(ctx context.Context, contextID string, policyInfo *policy.PUPolicy, runtimeInfo *policy.PURuntime) error {

	containerInfo := policy.PUInfoFromPolicyAndRuntime(contextID, policyInfo, runtimeInfo)

	logEvent := &collector.ContainerRecord{
		ContextID: contextID,
		IPAddress: policyInfo.IPAddresses(),
		Tags:      policyInfo.Annotations(),
		Event:     collector.ContainerStart,
	}

	defer func() {
		t.config.collector.CollectContainerEvent(logEvent)
	}()

	addTransmitterLabel(contextID, containerInfo)
	if !mustEnforce(contextID, containerInfo) {
		logEvent.Event = collector.ContainerIgnored
		return nil
	}

	modeType := t.modeTypeFromPolicy(containerInfo.Policy, containerInfo.Runtime)

	if err := t.enforcers[modeType].Enforce(ctx, contextID, containerInfo); err != nil {
		logEvent.Event = collector.ContainerFailed
		return fmt.Errorf("unable to setup enforcer: %s", err)
	}

	if err := t.supervisors[modeType].Supervise(contextID, containerInfo); err != nil {
		if werr := t.enforcers[modeType].Unenforce(ctx, contextID); werr != nil {
			zap.L().Warn("Failed to clean up state after failures",
				zap.String("contextID", contextID),
				zap.Error(werr),
			)
		}

		logEvent.Event = collector.ContainerFailed
		return fmt.Errorf("unable to setup supervisor: %s", err)
	}

	return nil
}

// doHandleDelete is the detailed implementation of the delete event.
func (t *trireme) doHandleDelete(ctx context.Context, contextID string, policyInfo *policy.PUPolicy, runtime *policy.PURuntime) error {

	modeType := t.modeTypeFromPolicy(policyInfo, runtime)

	errS := t.supervisors[modeType].Unsupervise(contextID)
	errE := t.enforcers[modeType].Unenforce(ctx, contextID)

	t.config.collector.CollectContainerEvent(&collector.ContainerRecord{
		ContextID: contextID,
		IPAddress: runtime.IPAddresses(),
		Tags:      nil,
		Event:     collector.ContainerDelete,
	})

	if errS != nil || errE != nil {
		return fmt.Errorf("unable to delete context id %s, supervisor %s, enforcer %s", contextID, errS, errE)
	}

	return nil
}

// doUpdatePolicy is the detailed implementation of the update policy event.
func (t *trireme) doUpdatePolicy(ctx context.Context, contextID string, newPolicy *policy.PUPolicy, runtime *policy.PURuntime) error {

	containerInfo := policy.PUInfoFromPolicyAndRuntime(contextID, newPolicy, runtime)

	addTransmitterLabel(contextID, containerInfo)

	if !mustEnforce(contextID, containerInfo) {
		return nil
	}

	modeType := t.modeTypeFromPolicy(containerInfo.Policy, containerInfo.Runtime)

	if err := t.enforcers[modeType].Enforce(ctx, contextID, containerInfo); err != nil {
		//We lost communication with the remote and killed it lets restart it here by feeding a create event in the request channel
		if werr := t.supervisors[modeType].Unsupervise(contextID); werr != nil {
			zap.L().Warn("Failed to clean up after enforcerments failures",
				zap.String("contextID", contextID),
				zap.Error(werr),
			)
		}
		return fmt.Errorf("unable to update policy for pu %s: %s", contextID, err)
	}

	if err := t.supervisors[modeType].Supervise(contextID, containerInfo); err != nil {
		if werr := t.enforcers[modeType].Unenforce(ctx, contextID); werr != nil {
			zap.L().Warn("Failed to clean up after enforcerments failures",
				zap.String("contextID", contextID),
				zap.Error(werr),
			)
		}
		return fmt.Errorf("supervisor failed to update policy for pu %s: %s", contextID, err)
	}

	t.config.collector.CollectContainerEvent(&collector.ContainerRecord{
		ContextID: contextID,
		IPAddress: runtime.IPAddresses(),
		Tags:      containerInfo.Runtime.Tags(),
		Event:     collector.ContainerUpdate,
	})

	return nil
}

//Debug Handlers
func (t *trireme) doHandleEnableDatapathPacketTracing(ctx context.Context, puID string, policy *policy.PUPolicy, runtime *policy.PURuntime, direction packettracing.TracingDirection, interval time.Duration) error {

	return t.enforcers[t.modeTypeFromPolicy(policy, runtime)].EnableDatapathPacketTracing(ctx, puID, direction, interval)
}

func (t *trireme) doHandleEnableIPTablesPacketTracing(ctx context.Context, puID string, policy *policy.PUPolicy, runtime *policy.PURuntime, interval time.Duration) error {

	modeType := t.modeTypeFromPolicy(policy, runtime)

	sysctlCmd, err := exec.LookPath("sysctl")
	if err != nil {
		return fmt.Errorf("sysctl command not found")
	}

	cmd := exec.Command(sysctlCmd, "-w", "net.netfilter.nf_log_all_netns=1")
	if err := cmd.Run(); err != nil {
		return fmt.Errorf("remote container iptables tracing will not work %s", err)
	}

	t.enablingTrace <- &traceTrigger{
		duration: interval,
		expiry:   time.Now().Add(interval),
	}

	if err := t.supervisors[modeType].EnableIPTablesPacketTracing(ctx, puID, interval); err != nil {
		return err
	}

	return t.enforcers[modeType].EnableIPTablesPacketTracing(ctx, puID, interval)
}

func (t *trireme) runIPTraceCollector(ctx context.Context) {
	//Run dmesg once to establish baseline
	expiry := time.Now()
	hdl := dmesgparser.New()
	for {
		select {
		case <-ctx.Done():
			return
		case traceparams := <-t.enablingTrace:
			if !traceparams.expiry.After(expiry) {
				//if we already have a request expiring later drop this
				continue
			}

			expiry = traceparams.expiry
		case <-time.After(1 * time.Second):
			if !time.Now().After(expiry) {
				messages, err := hdl.RunDmesgCommand()
				if err != nil {
					zap.L().Warn("Unable to run dmesg", zap.Error(err))
					continue
				}
				t.config.collector.CollectTraceEvent(messages)

			}
		}
	}

}

func (t *trireme) modeTypeFromPolicy(policyInfo *policy.PUPolicy, runtime *policy.PURuntime) constants.ModeType {
	if policyInfo == nil {
		// there are edge cases when policyInfo really can be nil - and it is fine
		// let's just fall back to the normal enforcertype mapping if this is the case
		//
		// Here is an example: when a PU Create event failed, but the PU gets destroyed afterwards, there is a stop
		// event generated which will call UnEnforce. However, in this case there is no guarantee that PUPolicy has
		// actually ever been set.
		zap.L().Debug("modeTypeFromPolicy received no PU policy", zap.String("name", runtime.Name()))
		return t.puTypeToEnforcerType[runtime.PUType()]
	}

	switch policyInfo.EnforcerType() {
	case policy.EnforcerMapping:
		return t.puTypeToEnforcerType[runtime.PUType()]
	case policy.EnvoyAuthorizerEnforcer:
		switch runtime.PUType() {
		case common.KubernetesPU:
			fallthrough
		case common.ContainerPU:
			return constants.RemoteContainerEnvoyAuthorizer
		case common.HostPU:
			fallthrough
		case common.HostNetworkPU:
			fallthrough
		case common.LinuxProcessPU, common.WindowsProcessPU:
			return constants.LocalEnvoyAuthorizer
		default:
			return t.puTypeToEnforcerType[runtime.PUType()]
		}
	default:
		return t.puTypeToEnforcerType[runtime.PUType()]
	}
}


================================================
FILE: controller/helpers.go
================================================
package controller

import (
	"context"

	"github.com/blang/semver"
	enforcerconstants "go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/constants"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/remoteenforcer"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
	"go.uber.org/zap"
)

// LaunchRemoteEnforcer launches a remote enforcer instance.
func LaunchRemoteEnforcer(ctx context.Context, logLevel string, logFormat string, logID string, numQueues int, agentVersion semver.Version) error {

	return remoteenforcer.LaunchRemoteEnforcer(ctx, logLevel, logFormat, logID, numQueues, agentVersion)
}

// addTransmitterLabel adds the enforcerconstants.TransmitterLabel as a fixed label in the policy.
// The ManagementID part of the policy is used as the enforcerconstants.TransmitterLabel.
// If the Policy didn't set the ManagementID, we use the Local contextID as the
// default enforcerconstants.TransmitterLabel.
func addTransmitterLabel(contextID string, containerInfo *policy.PUInfo) {

	if containerInfo.Policy.ManagementID() == "" {
		containerInfo.Policy.AddIdentityTag(enforcerconstants.TransmitterLabel, contextID)
	} else {
		containerInfo.Policy.AddIdentityTag(enforcerconstants.TransmitterLabel, containerInfo.Policy.ManagementID())
	}
}

// MustEnforce returns true if the Policy should go Through the Enforcer/internal/supervisor.
// Return false if:
//   - PU is in host namespace.
//   - Policy got the AllowAll tag.
func mustEnforce(contextID string, containerInfo *policy.PUInfo) bool {

	if containerInfo.Policy.TriremeAction() == policy.AllowAll {
		zap.L().Debug("PUPolicy with AllowAll Action. Not policing", zap.String("contextID", contextID))
		return false
	}

	return true
}


================================================
FILE: controller/interfaces.go
================================================
package controller

import (
	"context"
	"time"

	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packettracing"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/secrets"
	"go.aporeto.io/enforcerd/trireme-lib/controller/runtime"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
)

// TriremeController is the main API of the Trireme controller
type TriremeController interface {
	// Run initializes and runs the controller.
	Run(ctx context.Context) error

	// CleanUp cleans all the supervisors and ACLs for a clean exit
	CleanUp() error

	// Enforce asks the controller to enforce policy on a processing unit
	Enforce(ctx context.Context, puID string, policy *policy.PUPolicy, runtime *policy.PURuntime) (err error)

	// UnEnforce asks the controller to ub-enforce policy on a processing unit
	UnEnforce(ctx context.Context, puID string, policy *policy.PUPolicy, runtime *policy.PURuntime) (err error)

	// UpdatePolicy updates the policy of the isolator for a container.
	UpdatePolicy(ctx context.Context, puID string, policy *policy.PUPolicy, runtime *policy.PURuntime) error

	// UpdateSecrets updates the secrets of running enforcers managed by trireme. Remote enforcers will get the secret updates with the next policy push
	UpdateSecrets(secrets secrets.Secrets) error

	// UpdateConfiguration updates the configuration of the controller. Only specific configuration
	// parameters can be updated during run time.
	UpdateConfiguration(cfg *runtime.Configuration) error
	DebugInfo
}

// DebugInfo is the interface implemented by controllers to support configuring debug options
type DebugInfo interface {
	// EnableReceivedPacketTracing will enable tracing of packets received by the datapath for a particular PU. Setting Disabled as tracing direction will stop tracing for the contextID
	EnableDatapathPacketTracing(ctx context.Context, puID string, policy *policy.PUPolicy, runtime *policy.PURuntime, direction packettracing.TracingDirection, interval time.Duration) error
	// EnablePacketTracing enable iptables -j trace for the particular pu and is much wider packet stream.
	EnableIPTablesPacketTracing(ctx context.Context, puID string, policy *policy.PUPolicy, runtime *policy.PURuntime, interval time.Duration) error
	// Ping runs ping based on the given config.
	Ping(ctx context.Context, puID string, policy *policy.PUPolicy, runtime *policy.PURuntime, pingConfig *policy.PingConfig) error
	// DebugCollect collects debug information, such as packet capture
	DebugCollect(ctx context.Context, puID string, policy *policy.PUPolicy, runtime *policy.PURuntime, debugConfig *policy.DebugConfig) error
}


================================================
FILE: controller/internal/enforcer/acls/acl.go
================================================
package acls

import (
	"errors"
	"fmt"
	"net"
	"reflect"
	"strings"

	"go.aporeto.io/enforcerd/trireme-lib/controller/constants"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packet"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
	"go.aporeto.io/enforcerd/trireme-lib/utils/ipprefix"
	"go.aporeto.io/gaia/protocols"
)

// acl holds all the ACLS in an internal DB

type acl struct {
	tcpCache  ipprefix.IPcache
	udpCache  ipprefix.IPcache
	icmpCache ipprefix.IPcache
}

func newACL() *acl {
	return &acl{
		tcpCache:  ipprefix.NewIPCache(),
		udpCache:  ipprefix.NewIPCache(),
		icmpCache: ipprefix.NewIPCache(),
	}
}

// errNoMatchFromRule must stop the LPM check
var errNoMatchFromRule = errors.New("No Match")
var errNotFound = errors.New("No Match")

func (a *acl) addICMPToCache(ip net.IP, mask int, baseRule string, listOfDisjunctives []string, policy *policy.FlowPolicy) {
	var icmpRuleList []*icmpRule

	val, exists := a.icmpCache.Get(ip, mask)
	if !exists {
		icmpRuleList = []*icmpRule{}
	} else {
		icmpRuleList = val.([]*icmpRule)
	}

	newRule := &icmpRule{baseRule, listOfDisjunctives, policy}
	icmpRuleList = append(icmpRuleList, newRule)
	a.icmpCache.Put(ip, mask, icmpRuleList)
}

func (a *acl) removeICMPFromCache(ip net.IP, mask int, baseRule string, listOfDisjunctives []string, policy *policy.FlowPolicy) error {
	var icmpRuleList []*icmpRule
	val, exists := a.icmpCache.Get(ip, mask)
	if !exists {
		// nothing to remove
		return nil
	}
	icmpRuleList = val.([]*icmpRule)

	searchRule := icmpRule{baseRule, listOfDisjunctives, policy}
	newIcmpRuleList := make([]*icmpRule, 0, len(icmpRuleList))
	for _, rule := range icmpRuleList {
		if reflect.DeepEqual(searchRule, *rule) {
			// this is a full match, skip
			continue
		}
		// TODO: partial matches aren't handled. Should they?
		newIcmpRuleList = append(newIcmpRuleList, rule)
	}

	a.icmpCache.Put(ip, mask, newIcmpRuleList)

	return nil
}

func (a *acl) removeFromCache(ip net.IP, mask int, nomatch bool, proto string, ports []string, policy *policy.FlowPolicy) error {

	removeICMPCache := func(baseRule string, listOfDisjunctives []string) error {
		return a.removeICMPFromCache(ip, mask, baseRule, listOfDisjunctives, policy)
	}

	// the TCP or UDP cases use this part
	removeCache := func(lookupCache ipprefix.IPcache, port string) error {
		val, exists := lookupCache.Get(ip, mask)
		if !exists {
			// nothing to remove
			return nil
		}
		portList := val.(portActionList)

		newPortList := make(portActionList, 0, len(portList))
		r, err := newPortAction(port, policy, nomatch)
		if err != nil {
			return fmt.Errorf("unable to create port action: %s", err)
		}

		for _, portAction := range portList {
			if reflect.DeepEqual(*r, *portAction) {
				// this is a full match, skip
				continue
			}
			// TODO: partial matches aren't handled. Should they?
			newPortList = append(newPortList, portAction)
		}

		lookupCache.Put(ip, mask, newPortList)

		return nil
	}

	switch strings.ToLower(proto) {
	case constants.TCPProtoNum:
		for _, port := range ports {
			if err := removeCache(a.tcpCache, port); err != nil {
				return err
			}
		}
		return nil

	case constants.UDPProtoNum:
		for _, port := range ports {
			if err := removeCache(a.udpCache, port); err != nil {
				return err
			}
		}
		return nil

	default:
		// ICMP protocol
		if splits := strings.Split(proto, "/"); strings.ToUpper(splits[0]) == protocols.L4ProtocolICMP || strings.ToUpper(splits[0]) == protocols.L4ProtocolICMP6 {
			return removeICMPCache(proto, ports)
		}

		// unknown protocol - nothing to do
		return nil
	}
}

func (a *acl) addToCache(ip net.IP, mask int, port string, proto string, policy *policy.FlowPolicy, nomatch bool) error {
	var err error
	var portList portActionList
	var lookupCache ipprefix.IPcache
	switch strings.ToLower(proto) {
	case constants.TCPProtoNum:
		{
			lookupCache = a.tcpCache
		}
	case constants.UDPProtoNum:
		{
			lookupCache = a.udpCache
		}
	default:
		return nil
	}
	r, err := newPortAction(port, policy, nomatch)
	if err != nil {
		return fmt.Errorf("unable to create port action: %s", err)
	}
	val, exists := lookupCache.Get(ip, mask)
	if !exists {
		portList = portActionList{}
	} else {
		portList = val.(portActionList)
	}

	/* check if this is duplicate entry */
	for _, portAction := range portList {
		if *r == *portAction {
			return nil
		}
	}

	portList = append(portList, r)
	lookupCache.Put(ip, mask, portList)

	return nil
}

func (a *acl) removeIPMask(ip net.IP, mask int) {
	a.tcpCache.Put(ip, mask, nil)
	a.udpCache.Put(ip, mask, nil)
	a.icmpCache.Put(ip, mask, nil)
}

func (a *acl) matchRule(ip net.IP, port uint16, proto uint8, preReport *policy.FlowPolicy) (report *policy.FlowPolicy, packetPolicy *policy.FlowPolicy, err error) {
	report = preReport

	err = errNotFound

	lookup := func(val interface{}) bool {
		if val != nil {
			portList := val.(portActionList)

			report, packetPolicy, err = portList.lookup(port, report)
			if err == nil || err == errNoMatchFromRule {
				return true
			}
		}
		return false
	}
	if proto == packet.IPProtocolTCP {
		a.tcpCache.RunFuncOnLpmIP(ip, lookup)
	} else if proto == packet.IPProtocolUDP {
		a.udpCache.RunFuncOnLpmIP(ip, lookup)
	}

	return report, packetPolicy, err
}

func (a *acl) addRule(rule policy.IPRule) (err error) {

	addCache := func(address, port, proto string) error {
		addr, err := ParseAddress(address)
		if err != nil {
			return err
		}

		if err := a.addToCache(addr.IP, addr.Mask, port, proto, rule.Policy, addr.NoMatch); err != nil {
			return err
		}

		return nil
	}

	addICMPCache := func(address, baseRule string, listOfDisjunctives []string) error {
		addr, err := ParseAddress(address)
		if err != nil {
			return err
		}

		a.addICMPToCache(addr.IP, addr.Mask, baseRule, listOfDisjunctives, rule.Policy)

		return nil
	}

	for _, proto := range rule.Protocols {
		switch strings.ToLower(proto) {
		case constants.TCPProtoNum, constants.UDPProtoNum:
			for _, address := range rule.Addresses {
				for _, port := range rule.Ports {
					if err := addCache(address, port, proto); err != nil {
						return err
					}
				}
			}
		}
		if splits := strings.Split(proto, "/"); strings.ToUpper(splits[0]) == protocols.L4ProtocolICMP || strings.ToUpper(splits[0]) == protocols.L4ProtocolICMP6 {
			for _, address := range rule.Addresses {
				if err := addICMPCache(address, proto, rule.Ports); err != nil {
					return err
				}
			}
		}
	}

	return nil
}

// getMatchingAction does lookup in acl in a common way for accept/reject rules.
func (a *acl) getMatchingAction(ip net.IP, port uint16, proto uint8, preReport *policy.FlowPolicy) (report *policy.FlowPolicy, packet *policy.FlowPolicy, err error) {

	return a.matchRule(ip, port, proto, preReport)
}


================================================
FILE: controller/internal/enforcer/acls/acl_test.go
================================================
package acls

import (
	"net"
	"testing"

	. "github.com/smartystreets/goconvey/convey"
	"go.aporeto.io/enforcerd/trireme-lib/controller/constants"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packet"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
)

var (
	rules = policy.IPRuleList{
		policy.IPRule{
			Addresses: []string{"172.0.0.0/8"},
			Ports:     []string{"400:500"},
			Protocols: []string{constants.TCPProtoNum},
			Policy: &policy.FlowPolicy{
				Action:   policy.Accept,
				PolicyID: "tcp172/8"},
		},
		policy.IPRule{
			Addresses: []string{"172.17.0.0/16"},
			Ports:     []string{"400:500"},
			Protocols: []string{constants.TCPProtoNum},
			Policy: &policy.FlowPolicy{
				Action:   policy.Accept,
				PolicyID: "tcp172.17/16"},
		},
		policy.IPRule{
			Addresses: []string{"192.168.100.0/24"},
			Protocols: []string{constants.TCPProtoNum},
			Ports:     []string{"80"},
			Policy: &policy.FlowPolicy{
				Action:   policy.Accept,
				PolicyID: "tcp192.168.100/24"},
		},
		policy.IPRule{
			Addresses: []string{"10.1.1.1"},
			Protocols: []string{constants.TCPProtoNum},
			Ports:     []string{"80"},
			Policy: &policy.FlowPolicy{
				Action:   policy.Accept,
				PolicyID: "tcp10.1.1.1"}},
		policy.IPRule{
			Addresses: []string{"0.0.0.0/0"},
			Protocols: []string{constants.TCPProtoNum},
			Ports:     []string{"443"},
			Policy: &policy.FlowPolicy{
				Action:   policy.Accept,
				PolicyID: "tcp0/0"}},
		policy.IPRule{
			Addresses: []string{"0.0.0.0/0"},
			Protocols: []string{constants.UDPProtoNum},
			Ports:     []string{"443"},
			Policy: &policy.FlowPolicy{
				Action:   policy.Accept,
				PolicyID: "udp0/0"}},
	}
)

func TestLookup(t *testing.T) {

	Convey("Given a good DB", t, func() {

		a := newACL()
		So(a, ShouldNotBeNil)
		for _, r := range rules {
			err := a.addRule(r)
			So(err, ShouldBeNil)
		}

		Convey("When I lookup for a matching address and a port range, I should get the right action", func() {
			ip := net.ParseIP("172.17.0.1")
			port := uint16(401)
			r, p, err := a.getMatchingAction(ip.To4(), port, packet.IPProtocolTCP, nil)
			So(err, ShouldBeNil)
			So(p.Action, ShouldEqual, policy.Accept)
			So(p.PolicyID, ShouldEqual, "tcp172.17/16")
			So(r.Action, ShouldEqual, policy.Accept)
			So(r.PolicyID, ShouldEqual, "tcp172.17/16")
		})

		Convey("When I lookup for a matching address with less specific match and a port range, I should get the right action", func() {
			ip := net.ParseIP("172.16.0.1")
			port := uint16(401)
			r, p, err := a.getMatchingAction(ip.To4(), port, packet.IPProtocolTCP, nil)
			So(err, ShouldBeNil)
			So(p.Action, ShouldEqual, policy.Accept)
			So(p.PolicyID, ShouldEqual, "tcp172/8")
			So(r.Action, ShouldEqual, policy.Accept)
			So(r.PolicyID, ShouldEqual, "tcp172/8")
		})

		Convey("When I lookup for a matching address exact port, I should get the right action", func() {
			ip := net.ParseIP("192.168.100.1")
			port := uint16(80)
			r, p, err := a.getMatchingAction(ip.To4(), port, packet.IPProtocolTCP, nil)
			So(err, ShouldBeNil)
			So(p.Action, ShouldEqual, policy.Accept)
			So(p.PolicyID, ShouldEqual, "tcp192.168.100/24")
			So(r.Action, ShouldEqual, policy.Accept)
			So(r.PolicyID, ShouldEqual, "tcp192.168.100/24")
		})

		Convey("When I lookup for a non matching address . I should get reject", func() {
			ip := net.ParseIP("192.168.200.1")
			port := uint16(80)
			r, p, err := a.getMatchingAction(ip.To4(), port, packet.IPProtocolTCP, nil)
			So(err, ShouldNotBeNil)
			So(p, ShouldBeNil)
			So(r, ShouldBeNil)
		})

		Convey("When I lookup for a matching address but failed port, I should get reject", func() {
			ip := net.ParseIP("192.168.100.1")
			port := uint16(600)
			r, p, err := a.getMatchingAction(ip.To4(), port, packet.IPProtocolTCP, nil)
			So(err, ShouldNotBeNil)
			So(p, ShouldBeNil)
			So(r, ShouldBeNil)
		})

		Convey("When I lookup for a matching exact address exact port, I should get the right action", func() {
			ip := net.ParseIP("10.1.1.1")
			port := uint16(80)
			r, p, err := a.getMatchingAction(ip.To4(), port, packet.IPProtocolTCP, nil)
			So(err, ShouldBeNil)
			So(p.Action, ShouldEqual, policy.Accept)
			So(p.PolicyID, ShouldEqual, "tcp10.1.1.1")
			So(r.Action, ShouldEqual, policy.Accept)
			So(r.PolicyID, ShouldEqual, "tcp10.1.1.1")
		})

	})
}

func TestICMPMatch(t *testing.T) {

	var icmpRules = policy.IPRuleList{
		policy.IPRule{
			Addresses: []string{"0.0.0.0/0"},
			Protocols: []string{"ICMP/8/1:3"},
			Ports:     []string{},
			Policy: &policy.FlowPolicy{
				Action:   policy.Accept,
				PolicyID: "icmp0/0-8/1:3",
			},
		},
		policy.IPRule{
			Addresses: []string{"684D:1111:222:3333:4444:5555:6:77"},
			Protocols: []string{"ICMP6"},
			Ports:     []string{},
			Policy: &policy.FlowPolicy{
				Action:   policy.Accept,
				PolicyID: "icmp6",
			},
		},
		policy.IPRule{
			Addresses: []string{"192.0.2.1"},
			Protocols: []string{"icmp"},
			Ports:     []string{},
			Policy: &policy.FlowPolicy{
				Action:   policy.Accept,
				PolicyID: "removeme",
			},
		},
	}

	Convey("Given a good DB", t, func() {

		a := newACL()
		So(a, ShouldNotBeNil)
		for _, r := range icmpRules {
			err := a.addRule(r)
			So(err, ShouldBeNil)
		}

		Convey("When I lookup for a matching address for icmp but wrong type or code, I should get the right action", func() {
			ip := net.ParseIP("172.17.0.1")
			r, p, err := a.matchICMPRule(ip.To4(), 8, 2)
			So(err, ShouldBeNil)
			So(p.Action, ShouldEqual, policy.Accept)
			So(p.PolicyID, ShouldEqual, "icmp0/0-8/1:3")
			So(r.Action, ShouldEqual, policy.Accept)
			So(r.PolicyID, ShouldEqual, "icmp0/0-8/1:3")
		})

		Convey("When I lookup for a matching address for icmp, I should not get a match", func() {
			ip := net.ParseIP("172.17.0.1")
			r, p, err := a.matchICMPRule(ip.To4(), 8, 4)
			So(err, ShouldNotBeNil)
			So(p, ShouldBeNil)
			So(r, ShouldBeNil)
		})

		Convey("When I lookup for a matching address for icmp6, I should get the right action", func() {
			ip := net.ParseIP("684D:1111:222:3333:4444:5555:6:77")
			r, p, err := a.matchICMPRule(ip, 8, 1)
			So(err, ShouldBeNil)
			So(p.Action, ShouldEqual, policy.Accept)
			So(p.PolicyID, ShouldEqual, "icmp6")
			So(r.Action, ShouldEqual, policy.Accept)
			So(r.PolicyID, ShouldEqual, "icmp6")
		})

		Convey("When I lookup for a non-matching address for icmp6, I should not get a match", func() {
			ip := net.ParseIP("684D:1111:222:3333:4444:5555:6:77")
			r, p, err := a.matchICMPRule(ip, 8, 1)
			So(err, ShouldBeNil)
			So(p.Action, ShouldEqual, policy.Accept)
			So(p.PolicyID, ShouldEqual, "icmp6")
			So(r.Action, ShouldEqual, policy.Accept)
			So(r.PolicyID, ShouldEqual, "icmp6")
		})
	})
}

func TestICMPRemove(t *testing.T) {

	var icmpRules = policy.IPRuleList{
		policy.IPRule{
			Addresses: []string{"192.0.2.1"},
			Protocols: []string{"icmp"},
			Ports:     []string{},
			Policy: &policy.FlowPolicy{
				Action:   policy.Accept,
				PolicyID: "removeme",
			},
		},
	}

	removeMePolicy := &policy.FlowPolicy{
		Action:   policy.Accept,
		PolicyID: "removeme",
	}

	Convey("Given a good DB", t, func() {

		a := newACL()
		So(a, ShouldNotBeNil)
		for _, r := range icmpRules {
			err := a.addRule(r)
			So(err, ShouldBeNil)
		}

		Convey("When I try to remove a rule which does not exist, then it should not error", func() {
			ip := net.ParseIP("192.0.2.2")
			err := a.removeFromCache(ip, 32, false, "icmp", nil, removeMePolicy)
			So(err, ShouldBeNil)
		})

		Convey("When I try to remove a rule which does not match, then nothing should change", func() {
			ip := net.ParseIP("192.0.2.1")
			oldVal, ok := a.icmpCache.Get(ip, 32)
			So(ok, ShouldBeTrue)
			old := oldVal.([]*icmpRule)
			So(old, ShouldNotBeEmpty)
			err := a.removeFromCache(ip, 32, false, "icmp", nil, removeMePolicy)
			So(err, ShouldBeNil)
			newVal, ok := a.icmpCache.Get(ip, 32)
			So(ok, ShouldBeTrue)
			new := newVal.([]*icmpRule)
			So(new, ShouldNotBeEmpty)
			So(old, ShouldResemble, new)
		})

		Convey("When I try to remove a rule which matches, then it should get removed", func() {
			ip := net.ParseIP("192.0.2.1")
			oldVal, ok := a.icmpCache.Get(ip, 32)
			So(ok, ShouldBeTrue)
			old := oldVal.([]*icmpRule)
			So(old, ShouldNotBeEmpty)
			err := a.removeFromCache(ip, 32, false, "icmp", []string{}, removeMePolicy)
			So(err, ShouldBeNil)
			newVal, ok := a.icmpCache.Get(ip, 32)
			So(ok, ShouldBeTrue)
			new := newVal.([]*icmpRule)
			So(new, ShouldBeEmpty)
		})

	})
}

func TestRemove(t *testing.T) {

	// keep one policy here for a direct pointer comparison
	policyOne := &policy.FlowPolicy{
		Action:   policy.Accept,
		PolicyID: "1",
	}

	removeRules := policy.IPRuleList{
		policy.IPRule{
			Addresses: []string{"192.0.2.1"},
			Ports:     []string{"80"},
			Protocols: []string{constants.TCPProtoNum},
			Policy:    policyOne,
		},
		policy.IPRule{
			Addresses: []string{"192.0.2.1"},
			Ports:     []string{"80"},
			Protocols: []string{constants.UDPProtoNum},
			Policy: &policy.FlowPolicy{
				Action:   policy.Accept,
				PolicyID: "2",
			},
		},
	}

	// and one here for a content comparison
	policyTwo := &policy.FlowPolicy{
		Action:   policy.Accept,
		PolicyID: "2",
	}

	Convey("Given a good DB", t, func() {

		a := newACL()
		So(a, ShouldNotBeNil)
		for _, r := range removeRules {
			err := a.addRule(r)
			So(err, ShouldBeNil)
		}

		Convey("When I try to remove a rule with an unsupported protocol, then it should not error", func() {
			ip := net.ParseIP("192.0.2.1")
			err := a.removeFromCache(ip, 32, false, "unsupported", nil, nil)
			So(err, ShouldBeNil)
		})

		Convey("When I try to remove a TCP rule which does not exist, then it should not error", func() {
			ip := net.ParseIP("192.0.2.2")
			err := a.removeFromCache(ip, 32, false, constants.TCPProtoNum, []string{"42"}, nil)
			So(err, ShouldBeNil)
		})

		Convey("When I try to remove a TCP rule which cannot be parsed correctly, then it should error", func() {
			ip := net.ParseIP("192.0.2.1")
			err := a.removeFromCache(ip, 32, false, constants.TCPProtoNum, []string{"invalid port"}, nil)
			So(err, ShouldNotBeNil)
		})

		Convey("When I try to remove a UDP rule which does not exist, then it should not error", func() {
			ip := net.ParseIP("192.0.2.2")
			err := a.removeFromCache(ip, 32, false, constants.UDPProtoNum, []string{"43"}, nil)
			So(err, ShouldBeNil)
		})

		Convey("When I try to remove a UDP rule which cannot be parsed correctly, then it should error", func() {
			ip := net.ParseIP("192.0.2.1")
			err := a.removeFromCache(ip, 32, false, constants.UDPProtoNum, []string{"another invalid port"}, nil)
			So(err, ShouldNotBeNil)
		})

		Convey("When I try to remove a TCP rule which does not match, then nothing should change", func() {
			ip := net.ParseIP("192.0.2.1")
			oldVal, ok := a.tcpCache.Get(ip, 32)
			So(ok, ShouldBeTrue)
			old := oldVal.(portActionList)
			So(old, ShouldNotBeEmpty)
			err := a.removeFromCache(ip, 32, false, constants.TCPProtoNum, []string{"44"}, policyOne)
			So(err, ShouldBeNil)
			newVal, ok := a.tcpCache.Get(ip, 32)
			So(ok, ShouldBeTrue)
			new := newVal.(portActionList)
			So(new, ShouldNotBeEmpty)
			So(old, ShouldResemble, new)
		})

		Convey("When I try to remove a TCP rule which matches, then it should get removed", func() {
			ip := net.ParseIP("192.0.2.1")
			oldVal, ok := a.tcpCache.Get(ip, 32)
			So(ok, ShouldBeTrue)
			old := oldVal.(portActionList)
			So(old, ShouldNotBeEmpty)
			oldLength := len(old)
			err := a.removeFromCache(ip, 32, false, constants.TCPProtoNum, []string{"80"}, policyOne)
			So(err, ShouldBeNil)
			newVal, ok := a.tcpCache.Get(ip, 32)
			So(ok, ShouldBeTrue)
			new := newVal.(portActionList)
			So(new, ShouldHaveLength, oldLength-1)
		})

		Convey("When I try to remove a UDP rule which does not match, then nothing should change", func() {
			ip := net.ParseIP("192.0.2.1")
			oldVal, ok := a.udpCache.Get(ip, 32)
			So(ok, ShouldBeTrue)
			old := oldVal.(portActionList)
			So(old, ShouldNotBeEmpty)
			err := a.removeFromCache(ip, 32, false, constants.UDPProtoNum, []string{"45"}, policyTwo)
			So(err, ShouldBeNil)
			newVal, ok := a.udpCache.Get(ip, 32)
			So(ok, ShouldBeTrue)
			new := newVal.(portActionList)
			So(new, ShouldNotBeEmpty)
			So(old, ShouldResemble, new)
		})

		Convey("When I try to remove a UDP rule which matches, then it should get removed", func() {
			ip := net.ParseIP("192.0.2.1")
			oldVal, ok := a.udpCache.Get(ip, 32)
			So(ok, ShouldBeTrue)
			old := oldVal.(portActionList)
			So(old, ShouldNotBeEmpty)
			oldLength := len(old)
			err := a.removeFromCache(ip, 32, false, constants.UDPProtoNum, []string{"80"}, policyTwo)
			So(err, ShouldBeNil)
			newVal, ok := a.udpCache.Get(ip, 32)
			So(ok, ShouldBeTrue)
			new := newVal.(portActionList)
			So(new, ShouldHaveLength, oldLength-1)
		})
	})
}

func TestObservedLookup(t *testing.T) {

	ip1 := "200.17.0.0/17"
	ip2 := "200.18.0.0/17"
	ip3 := "200.0.0.0/9"
	var (
		rulesWithObservation = policy.IPRuleList{
			policy.IPRule{
				Addresses: []string{ip1},
				Ports:     []string{"401"},
				Protocols: []string{constants.TCPProtoNum},
				Policy: &policy.FlowPolicy{
					Action:        policy.Accept,
					ObserveAction: policy.ObserveContinue,
					PolicyID:      "observed-continue-tcp200.17/17"},
			},
			policy.IPRule{
				Addresses: []string{ip2},
				Ports:     []string{"401"},
				Protocols: []string{constants.TCPProtoNum},
				Policy: &policy.FlowPolicy{
					Action:        policy.Accept,
					ObserveAction: policy.ObserveApply,
					PolicyID:      "observed-applied-tcp200.18/17"},
			},
			policy.IPRule{
				Addresses: []string{ip3},
				Ports:     []string{"401"},
				Protocols: []string{constants.TCPProtoNum},
				Policy: &policy.FlowPolicy{
					Action:   policy.Accept,
					PolicyID: "tcp200/9"},
			},
		}
	)

	Convey("Given a good DB", t, func() {
		a := newACL()
		So(a, ShouldNotBeNil)
		for _, r := range rulesWithObservation {
			err := a.addRule(r)
			So(err, ShouldBeNil)
		}

		// Ensure all the elements are there in the cache
		cidrs := []string{ip1, ip2, ip3}

		for _, cidr := range cidrs {
			ip, ipnet, _ := net.ParseCIDR(cidr)
			size, _ := ipnet.Mask.Size()
			_, ok := a.tcpCache.Get(ip, size)
			So(ok, ShouldEqual, true)
		}

		Convey("When I lookup for a matching address and a port range, I should get the right action and observed action", func() {
			ip := net.ParseIP("200.17.0.1")
			port := uint16(401)
			r, p, err := a.getMatchingAction(ip.To4(), port, packet.IPProtocolTCP, nil)
			So(err, ShouldBeNil)
			So(p.Action, ShouldEqual, policy.Accept)
			So(p.PolicyID, ShouldEqual, "tcp200/9")
			So(r.Action, ShouldEqual, policy.Accept)
			So(r.PolicyID, ShouldEqual, "observed-continue-tcp200.17/17")
		})

		Convey("When I lookup for a matching address and a port range, I should get the observed action as applied", func() {
			ip := net.ParseIP("200.18.0.1")
			port := uint16(401)
			r, p, err := a.getMatchingAction(ip.To4(), port, packet.IPProtocolTCP, nil)
			So(err, ShouldBeNil)
			So(p.Action, ShouldEqual, policy.Accept)
			So(p.PolicyID, ShouldEqual, "observed-applied-tcp200.18/17")
			So(r.Action, ShouldEqual, policy.Accept)
			So(r.PolicyID, ShouldEqual, "observed-applied-tcp200.18/17")
		})

		Convey("When I lookup for a matching address and a port range with an already reported action of reject, I should get the observed action as applied", func() {
			ip := net.ParseIP("200.18.0.1")
			port := uint16(401)
			preReported := &policy.FlowPolicy{
				Action:   policy.Reject,
				PolicyID: "preReportedPolicyID",
			}
			r, p, err := a.getMatchingAction(ip.To4(), port, packet.IPProtocolTCP, preReported)
			So(err, ShouldBeNil)
			So(p.Action, ShouldEqual, policy.Accept)
			So(p.PolicyID, ShouldEqual, "observed-applied-tcp200.18/17")
			So(r.Action, ShouldEqual, policy.Reject)
			So(r.PolicyID, ShouldEqual, "preReportedPolicyID")
		})
	})
}

func TestNomatchLookup(t *testing.T) {

	ip1 := "200.17.0.0/16"
	ip2 := "200.18.0.0/16"
	ip3 := "200.0.0.0/8"
	var (
		rulesWithNomatch = policy.IPRuleList{
			policy.IPRule{
				Addresses: []string{"!" + ip1},
				Ports:     []string{"401"},
				Protocols: []string{constants.TCPProtoNum},
				Policy: &policy.FlowPolicy{
					Action:   policy.Accept,
					PolicyID: "nomatch-tcp200.17/16"},
			},
			policy.IPRule{
				Addresses: []string{"!" + ip2},
				Ports:     []string{"401"},
				Protocols: []string{constants.TCPProtoNum},
				Policy: &policy.FlowPolicy{
					Action:   policy.Accept,
					PolicyID: "nomatch-tcp200.18/16"},
			},
			policy.IPRule{
				Addresses: []string{ip3},
				Ports:     []string{"401"},
				Protocols: []string{constants.TCPProtoNum},
				Policy: &policy.FlowPolicy{
					Action:   policy.Accept,
					PolicyID: "tcp200/8"},
			},
		}
	)

	Convey("Given a good DB", t, func() {
		a := newACL()
		So(a, ShouldNotBeNil)
		for _, r := range rulesWithNomatch {
			err := a.addRule(r)
			So(err, ShouldBeNil)
		}

		// Ensure all the elements are there in the cache
		cidrs := []string{ip1, ip2, ip3}

		for _, cidr := range cidrs {
			ip, ipnet, _ := net.ParseCIDR(cidr)
			size, _ := ipnet.Mask.Size()
			_, ok := a.tcpCache.Get(ip, size)
			So(ok, ShouldEqual, true)
		}

		Convey("When I lookup for a nomatch address and a port range, I should get nomatch", func() {
			ip := net.ParseIP("200.17.0.1")
			port := uint16(401)
			_, _, err := a.getMatchingAction(ip.To4(), port, packet.IPProtocolTCP, nil)
			So(err, ShouldNotBeNil)
		})

		Convey("When I lookup for another nomatch address and a port range, I should get nomatch", func() {
			ip := net.ParseIP("200.18.0.1")
			port := uint16(401)
			_, _, err := a.getMatchingAction(ip.To4(), port, packet.IPProtocolTCP, nil)
			So(err, ShouldNotBeNil)
		})

		Convey("When I lookup for a matching address and a port range, I should get the accept action", func() {
			ip := net.ParseIP("200.19.0.1")
			port := uint16(401)
			r, p, err := a.getMatchingAction(ip.To4(), port, packet.IPProtocolTCP, nil)
			So(err, ShouldBeNil)
			So(p.Action, ShouldEqual, policy.Accept)
			So(p.PolicyID, ShouldEqual, "tcp200/8")
			So(r.Action, ShouldEqual, policy.Accept)
			So(r.PolicyID, ShouldEqual, "tcp200/8")
		})
	})
}


================================================
FILE: controller/internal/enforcer/acls/aclcache.go
================================================
package acls

import (
	"errors"
	"net"

	"go.aporeto.io/enforcerd/trireme-lib/policy"
)

// ACLCache holds all the ACLS in an internal DB
// map[prefixes][subnets] -> list of ports with their actions
type ACLCache struct {
	reject  *acl
	accept  *acl
	observe *acl
}

// NewACLCache a new ACL cache
func NewACLCache() *ACLCache {
	return &ACLCache{
		reject:  newACL(),
		accept:  newACL(),
		observe: newACL(),
	}
}

// AddRule adds a single rule to the ACL Cache
func (c *ACLCache) AddRule(rule policy.IPRule) (err error) {

	if rule.Policy.ObserveAction.ObserveApply() {
		return c.observe.addRule(rule)
	}

	if rule.Policy.Action.Accepted() {
		return c.accept.addRule(rule)
	}

	return c.reject.addRule(rule)
}

// AddRuleList adds a list of rules to the cache
func (c *ACLCache) AddRuleList(rules policy.IPRuleList) (err error) {

	for _, rule := range rules {
		if err = c.AddRule(rule); err != nil {
			return
		}
	}

	return
}

// RemoveRulesForAddress is going to remove all rules for the provided address, protocol and ports.
func (c *ACLCache) RemoveRulesForAddress(address *Address, protocol string, ports []string, policy *policy.FlowPolicy) error {

	if err := c.reject.removeFromCache(address.IP, address.Mask, address.NoMatch, protocol, ports, policy); err != nil {
		return err
	}
	if err := c.accept.removeFromCache(address.IP, address.Mask, address.NoMatch, protocol, ports, policy); err != nil {
		return err
	}
	if err := c.observe.removeFromCache(address.IP, address.Mask, address.NoMatch, protocol, ports, policy); err != nil {
		return err
	}
	return nil
}

// RemoveIPMask removes the entries indexed with (ip, mask). This is an idempotent operation
// and thus does not returns an error
func (c *ACLCache) RemoveIPMask(ip net.IP, mask int) {

	c.reject.removeIPMask(ip, mask)
	c.accept.removeIPMask(ip, mask)
	c.observe.removeIPMask(ip, mask)
}

// GetMatchingAction gets the action from the acl cache
func (c *ACLCache) GetMatchingAction(ip net.IP, port uint16, proto uint8, defaultFlowPolicy *policy.FlowPolicy) (report *policy.FlowPolicy, packet *policy.FlowPolicy, err error) {

	report, packet, err = c.reject.getMatchingAction(ip, port, proto, report)
	if err == nil {
		return
	}

	report, packet, err = c.accept.getMatchingAction(ip, port, proto, report)
	if err == nil {
		return
	}

	report, packet, err = c.observe.getMatchingAction(ip, port, proto, report)
	if err == nil {
		return
	}

	if report == nil {
		report = defaultFlowPolicy
	}

	if packet == nil {
		packet = defaultFlowPolicy
	}

	if defaultFlowPolicy.Action.Accepted() {
		return report, packet, nil
	}

	return report, packet, errors.New("no match")
}

// GetMatchingICMPAction gets the action based on icmp policy
func (c *ACLCache) GetMatchingICMPAction(ip net.IP, icmpType, icmpCode int8, defaultFlowPolicy *policy.FlowPolicy) (report *policy.FlowPolicy, packet *policy.FlowPolicy, err error) {

	report, packet, err = c.reject.matchICMPRule(ip, icmpType, icmpCode)
	if err == nil {
		return
	}

	report, packet, err = c.accept.matchICMPRule(ip, icmpType, icmpCode)
	if err == nil {
		return
	}

	report, packet, err = c.observe.matchICMPRule(ip, icmpType, icmpCode)
	if err == nil {
		return
	}

	if report == nil {
		report = defaultFlowPolicy
	}

	if packet == nil {
		packet = defaultFlowPolicy
	}

	if defaultFlowPolicy.Action.Accepted() {
		return report, packet, nil
	}

	return report, packet, errors.New("no match")
}


================================================
FILE: controller/internal/enforcer/acls/aclcache_test.go
================================================
// +build !windows

package acls

import (
	"net"
	"testing"

	. "github.com/smartystreets/goconvey/convey"
	"go.aporeto.io/enforcerd/trireme-lib/controller/constants"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packet"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
)

var catchAllPolicy = &policy.FlowPolicy{Action: policy.Reject | policy.Log, PolicyID: "default", ServiceID: "default"}

func TestEmptyACLCacheLookup(t *testing.T) {

	Convey("Given an empty ACL Cache", t, func() {
		c := NewACLCache()
		Convey("When I lookup for a matching address but failed port, I should get reject", func() {
			ip := net.ParseIP("192.168.100.1")
			port := uint16(600)
			a, p, err := c.GetMatchingAction(ip.To4(), port, packet.IPProtocolTCP, catchAllPolicy)
			So(err, ShouldNotBeNil)
			So(a.Action&policy.Reject, ShouldEqual, policy.Reject)
			So(a.PolicyID, ShouldEqual, "default")
			So(p.Action&policy.Reject, ShouldEqual, policy.Reject)
			So(p.ServiceID, ShouldEqual, "default")
		})

		Convey("When I lookup for a matching address but failed port, I should get accept", func() {
			ip := net.ParseIP("192.168.100.1")
			port := uint16(600)
			defaultFlowPolcy := &policy.FlowPolicy{Action: policy.Accept | policy.Log, PolicyID: "default", ServiceID: "default"}
			a, p, err := c.GetMatchingAction(ip.To4(), port, packet.IPProtocolTCP, defaultFlowPolcy)
			So(err, ShouldBeNil)
			So(a.Action&policy.Accept, ShouldEqual, policy.Accept)
			So(a.PolicyID, ShouldEqual, "default")
			So(p.Action&policy.Accept, ShouldEqual, policy.Accept)
			So(p.ServiceID, ShouldEqual, "default")
		})
	})
}

func TestRejectPrioritizedOverAcceptCacheLookup(t *testing.T) {

	rules = policy.IPRuleList{
		policy.IPRule{
			Addresses: []string{"172.0.0.0/8"},
			Ports:     []string{"1"},
			Protocols: []string{constants.TCPProtoNum},
			Policy: &policy.FlowPolicy{
				Action:   policy.Accept,
				PolicyID: "tcp172/8"},
		},
		policy.IPRule{
			Addresses: []string{"0.0.0.0/0"},
			Ports:     []string{"1"},
			Protocols: []string{constants.TCPProtoNum},
			Policy: &policy.FlowPolicy{
				Action:   policy.Reject,
				PolicyID: "catchAllDrop"},
		},
	}

	Convey("Given an ACL Cache with accept and reject rules", t, func() {
		c := NewACLCache()
		So(c, ShouldNotBeNil)
		err := c.AddRuleList(rules)
		So(err, ShouldBeNil)

		Convey("When I lookup for a matching address to both accept and reject rule, I should get reject", func() {
			ip := net.ParseIP("172.1.1.1")
			port := uint16(1)
			a, p, err := c.GetMatchingAction(ip.To4(), port, packet.IPProtocolTCP, catchAllPolicy)
			So(err, ShouldBeNil)
			So(a.Action, ShouldEqual, policy.Reject)
			So(a.PolicyID, ShouldEqual, "catchAllDrop")
			So(p.Action, ShouldEqual, policy.Reject)
			So(p.PolicyID, ShouldEqual, "catchAllDrop")
		})
	})
}

func TestEmptyACLWithObserveContinueCacheLookup(t *testing.T) {

	rules = policy.IPRuleList{
		policy.IPRule{
			Addresses: []string{"0.0.0.0/0"},
			Ports:     []string{"1"},
			Protocols: []string{constants.TCPProtoNum},
			Policy: &policy.FlowPolicy{
				Action:        policy.Accept,
				ObserveAction: policy.ObserveContinue,
				PolicyID:      "ObserveAcceptContinue"},
		},
	}

	Convey("Given an empty ACL Cache", t, func() {
		c := NewACLCache()
		So(c, ShouldNotBeNil)
		err := c.AddRuleList(rules)
		So(err, ShouldBeNil)

		Convey("When I lookup for a matching address, I should get accept", func() {
			ip := net.ParseIP("192.168.100.1")
			port := uint16(1)
			a, p, err := c.GetMatchingAction(ip.To4(), port, packet.IPProtocolTCP, catchAllPolicy)
			So(err, ShouldNotBeNil)
			So(a.Action, ShouldEqual, policy.Accept)
			So(a.PolicyID, ShouldEqual, "ObserveAcceptContinue")
			So(p.Action&policy.Reject, ShouldEqual, policy.Reject)
			So(p.PolicyID, ShouldEqual, "default")
		})
	})
}

func TestEmptyACLWithObserveApplyCacheLookup(t *testing.T) {

	rules = policy.IPRuleList{
		policy.IPRule{
			Addresses: []string{"0.0.0.0/0"},
			Ports:     []string{"1"},
			Protocols: []string{constants.TCPProtoNum},
			Policy: &policy.FlowPolicy{
				Action:        policy.Accept,
				ObserveAction: policy.ObserveApply,
				PolicyID:      "observeAcceptApply"},
		},
	}

	Convey("Given an empty ACL Cache", t, func() {
		c := NewACLCache()
		So(c, ShouldNotBeNil)
		err := c.AddRuleList(rules)
		So(err, ShouldBeNil)

		Convey("When I lookup for a matching address, I should get accept", func() {
			ip := net.ParseIP("192.168.100.1")
			port := uint16(1)
			a, p, err := c.GetMatchingAction(ip.To4(), port, packet.IPProtocolTCP, catchAllPolicy)
			So(err, ShouldBeNil)
			So(a.Action, ShouldEqual, policy.Accept)
			So(a.PolicyID, ShouldEqual, "observeAcceptApply")
			So(p.Action, ShouldEqual, policy.Accept)
			So(p.PolicyID, ShouldEqual, "observeAcceptApply")
		})
	})
}

func TestObserveContinueApplyCacheLookup(t *testing.T) {

	rules = policy.IPRuleList{
		policy.IPRule{
			Addresses: []string{"172.1.0.0/16"},
			Ports:     []string{"1"},
			Protocols: []string{constants.TCPProtoNum},
			Policy: &policy.FlowPolicy{
				Action:        policy.Reject,
				ObserveAction: policy.ObserveContinue,
				PolicyID:      "observeRejectContinue-172.1/16"},
		},
		policy.IPRule{
			Addresses: []string{"172.0.0.0/8"},
			Ports:     []string{"1"},
			Protocols: []string{constants.TCPProtoNum},
			Policy: &policy.FlowPolicy{
				Action:   policy.Accept,
				PolicyID: "tcp172/8"},
		},
		policy.IPRule{
			Addresses: []string{"172.0.0.0/8"},
			Ports:     []string{"1"},
			Protocols: []string{constants.TCPProtoNum},
			Policy: &policy.FlowPolicy{
				Action:        policy.Accept,
				ObserveAction: policy.ObserveApply,
				PolicyID:      "observeRejectApply"},
		},
		policy.IPRule{
			Addresses: []string{"172.0.0.0/8"},
			Ports:     []string{"1"},
			Protocols: []string{constants.TCPProtoNum},
			Policy: &policy.FlowPolicy{
				Action:        policy.Reject,
				ObserveAction: policy.ObserveContinue,
				PolicyID:      "observeRejectContinue"},
		},
	}

	Convey("Given an ACL Cache with accept observe-apply and observe-continue rules for same prefix", t, func() {
		c := NewACLCache()
		So(c, ShouldNotBeNil)
		err := c.AddRuleList(rules)
		So(err, ShouldBeNil)

		Convey("When I lookup for a matching address to /16, I should get report reject and packet accept and ignore observe-apply rule", func() {
			ip := net.ParseIP("172.1.1.1")
			port := uint16(1)
			a, p, err := c.GetMatchingAction(ip.To4(), port, packet.IPProtocolTCP, catchAllPolicy)
			So(err, ShouldBeNil)
			So(a.Action, ShouldEqual, policy.Reject)
			So(a.PolicyID, ShouldEqual, "observeRejectContinue-172.1/16")
			// So(p.Action, ShouldEqual, policy.Accept)
			So(p.PolicyID, ShouldEqual, "tcp172/8")
		})

		Convey("When I lookup for a matching address to /8, I should get report reject and packet accept and ignore observe-apply rule", func() {
			ip := net.ParseIP("172.2.1.1")
			port := uint16(1)
			a, p, err := c.GetMatchingAction(ip.To4(), port, packet.IPProtocolTCP, catchAllPolicy)
			So(err, ShouldBeNil)
			So(a.Action, ShouldEqual, policy.Reject)
			So(a.PolicyID, ShouldEqual, "observeRejectContinue")
			So(p.Action, ShouldEqual, policy.Accept)
			So(p.PolicyID, ShouldEqual, "tcp172/8")
		})
	})
}

func TestAcceptWithNomatchCacheLookup(t *testing.T) {

	rules = policy.IPRuleList{
		policy.IPRule{
			Addresses: []string{"0.0.0.0/1", "!10.10.10.0/24", "128.0.0.0/1", "!10.0.0.0/8", "10.10.0.0/16"},
			Ports:     []string{"0:65535"},
			Protocols: []string{constants.TCPProtoNum},
			Policy: &policy.FlowPolicy{
				Action: policy.Accept,
			},
		},
	}

	Convey("Given an ACL Cache with accept policy with some nomatch addresses", t, func() {
		c := NewACLCache()
		So(c, ShouldNotBeNil)
		err := c.AddRuleList(rules)
		So(err, ShouldBeNil)

		Convey("When I lookup address within nomatch outer but also within match inner, I should get accept", func() {
			ip := net.ParseIP("10.10.2.100")
			port := uint16(443)
			a, p, err := c.GetMatchingAction(ip.To4(), port, packet.IPProtocolTCP, catchAllPolicy)
			So(err, ShouldBeNil)
			So(a.Action, ShouldEqual, policy.Accept)
			So(p.Action, ShouldEqual, policy.Accept)
		})

		Convey("When I lookup address within nomatch, I should get no match", func() {
			ip := net.ParseIP("10.10.10.100")
			port := uint16(443)
			_, _, err := c.GetMatchingAction(ip.To4(), port, packet.IPProtocolTCP, catchAllPolicy)
			So(err, ShouldNotBeNil)
		})

		Convey("When I lookup address within nomatch outer and not also within match inner, I should get no match", func() {
			ip := net.ParseIP("10.4.10.100")
			port := uint16(443)
			_, _, err := c.GetMatchingAction(ip.To4(), port, packet.IPProtocolTCP, catchAllPolicy)
			So(err, ShouldNotBeNil)
		})

		Convey("When I lookup address within match outer and not also within match inner, I should get accept", func() {
			ip := net.ParseIP("192.168.10.100")
			port := uint16(443)
			a, p, err := c.GetMatchingAction(ip.To4(), port, packet.IPProtocolTCP, catchAllPolicy)
			So(err, ShouldBeNil)
			So(a.Action, ShouldEqual, policy.Accept)
			So(p.Action, ShouldEqual, policy.Accept)
		})
	})
}

func TestRemoveRules(t *testing.T) {

	Convey("Given an ACL Cache with some rules", t, func() {
		ip := net.ParseIP("172.1.0.0")
		So(ip, ShouldNotBeNil)
		c := NewACLCache()
		So(c, ShouldNotBeNil)
		err := c.AddRuleList(policy.IPRuleList{
			policy.IPRule{
				Addresses: []string{"172.1.0.0/16"},
				Ports:     []string{"1"},
				Protocols: []string{constants.TCPProtoNum},
				Policy: &policy.FlowPolicy{
					Action:   policy.Reject,
					PolicyID: "reject",
				},
			},
			policy.IPRule{
				Addresses: []string{"172.1.0.0/16"},
				Ports:     []string{"1"},
				Protocols: []string{constants.TCPProtoNum},
				Policy: &policy.FlowPolicy{
					ObserveAction: policy.ObserveApply,
					PolicyID:      "observeApply",
				},
			},
			policy.IPRule{
				Addresses: []string{"172.1.0.0/16"},
				Ports:     []string{"1"},
				Protocols: []string{constants.TCPProtoNum},
				Policy: &policy.FlowPolicy{
					Action:   policy.Accept,
					PolicyID: "accept",
				},
			},
		})
		So(err, ShouldBeNil)
		val, ok := c.reject.tcpCache.Get(ip, 16)
		So(ok, ShouldBeTrue)
		So(val.(portActionList), ShouldNotBeEmpty)
		val, ok = c.observe.tcpCache.Get(ip, 16)
		So(ok, ShouldBeTrue)
		So(val.(portActionList), ShouldNotBeEmpty)
		val, ok = c.accept.tcpCache.Get(ip, 16)
		So(ok, ShouldBeTrue)
		So(val.(portActionList), ShouldNotBeEmpty)

		Convey("Then I should error if I pass unparseable rules", func() {
			err := c.RemoveRulesForAddress(
				&Address{IP: ip, Mask: 16, NoMatch: false},
				constants.TCPProtoNum,
				[]string{"invalid"},
				&policy.FlowPolicy{
					Action:   policy.Reject,
					PolicyID: "reject",
				},
			)
			So(err, ShouldNotBeNil)
		})

		Convey("Then I should be able to remove the rules", func() {
			err := c.RemoveRulesForAddress(
				&Address{IP: ip, Mask: 16, NoMatch: false},
				constants.TCPProtoNum,
				[]string{"1"},
				&policy.FlowPolicy{
					Action:   policy.Reject,
					PolicyID: "reject",
				},
			)
			So(err, ShouldBeNil)
			err = c.RemoveRulesForAddress(
				&Address{IP: ip, Mask: 16, NoMatch: false},
				constants.TCPProtoNum,
				[]string{"1"},
				&policy.FlowPolicy{
					ObserveAction: policy.ObserveApply,
					PolicyID:      "observeApply",
				},
			)
			So(err, ShouldBeNil)
			err = c.RemoveRulesForAddress(
				&Address{IP: ip, Mask: 16, NoMatch: false},
				constants.TCPProtoNum,
				[]string{"1"},
				&policy.FlowPolicy{
					Action:   policy.Accept,
					PolicyID: "accept",
				},
			)
			So(err, ShouldBeNil)
			val, ok := c.reject.tcpCache.Get(ip, 16)
			So(ok, ShouldBeTrue)
			So(val.(portActionList), ShouldBeEmpty)
			val, ok = c.observe.tcpCache.Get(ip, 16)
			So(ok, ShouldBeTrue)
			So(val.(portActionList), ShouldBeEmpty)
			val, ok = c.accept.tcpCache.Get(ip, 16)
			So(ok, ShouldBeTrue)
			So(val.(portActionList), ShouldBeEmpty)
		})

	})
}


================================================
FILE: controller/internal/enforcer/acls/icmpacl.go
================================================
package acls

import (
	"net"
	"strconv"
	"strings"

	"go.aporeto.io/enforcerd/trireme-lib/policy"
)

type icmpRule struct {
	baseRule           string
	listOfDisjunctives []string
	policy             *policy.FlowPolicy
}

func (rule *icmpRule) match(icmpType, icmpCode int8) (*policy.FlowPolicy, bool) {

	type evaluator func(int8) bool

	processList := func(vs []string, f func(string) evaluator) []evaluator {
		vals := make([]evaluator, len(vs))

		for i, v := range vs {
			vals[i] = f(v)
		}

		return vals
	}

	genCodes := func(val string) evaluator {

		genCode := func(v string) evaluator {

			switch splits := strings.Split(v, ":"); len(splits) {
			case 1:
				numVal, _ := strconv.Atoi(v)
				return func(input int8) bool { return input == int8(numVal) }
			default:
				min := splits[0]
				max := splits[1]

				minVal, _ := strconv.Atoi(min)
				maxVal, _ := strconv.Atoi(max)

				return func(input int8) bool { return input >= int8(minVal) && input <= int8(maxVal) }
			}
		}

		splits := strings.Split(val, ",")
		vals := processList(splits, genCode)

		return func(input int8) bool {
			result := false
			for _, v := range vals {
				result = result || v(input)
			}

			return result
		}
	}

	processSingleTypeCode := func(icmpTypeCode string) (evaluator, evaluator) {
		splits := strings.Split(icmpTypeCode, "/")

		var typeEval evaluator
		var codeEval evaluator

		typeEval = func(val int8) bool { return true }
		codeEval = func(val int8) bool { return true }

		for i, val := range splits {
			switch i {
			case 0:
			case 1:
				codeVal, _ := strconv.Atoi(val)
				typeEval = func(input int8) bool { return input == int8(codeVal) }
			case 2:
				codeEval = genCodes(val)
			}
		}

		return typeEval, codeEval
	}

	matches := func(icmpType, icmpCode int8, icmpTypeCode string) bool {
		typeMatch, codeMatch := processSingleTypeCode(icmpTypeCode)
		return typeMatch(icmpType) && codeMatch(icmpCode)
	}

	if !matches(icmpType, icmpCode, rule.baseRule) {
		return rule.policy, false
	}

	action := true

	for _, r := range rule.listOfDisjunctives {
		action = false
		if matches(icmpType, icmpCode, r) {
			return rule.policy, true
		}
	}

	return rule.policy, action
}

func (a *acl) matchICMPRule(ip net.IP, icmpType int8, icmpCode int8) (*policy.FlowPolicy, *policy.FlowPolicy, error) {

	var report *policy.FlowPolicy
	var match bool

	lookup := func(val interface{}) bool {
		if val != nil {
			icmpRules := val.([]*icmpRule)
			for _, icmpRule := range icmpRules {
				report, match = icmpRule.match(icmpType, icmpCode)
				if match {
					return true
				}
			}
			return false
		}

		return false
	}

	a.icmpCache.RunFuncOnLpmIP(ip, lookup)

	if !match {
		return nil, nil, errNotFound
	}

	return report, report, nil
}


================================================
FILE: controller/internal/enforcer/acls/ports.go
================================================
package acls

import (
	"errors"
	"fmt"
	"strconv"
	"strings"

	"go.aporeto.io/enforcerd/trireme-lib/policy"
)

// ErrNoMatch is error returned when no match is found.
var ErrNoMatch = errors.New("No Match")

// portAction captures the minimum and maximum ports for an action
type portAction struct {
	min     uint16
	max     uint16
	policy  *policy.FlowPolicy
	nomatch bool
}

// portActionList is a list of Port Actions
type portActionList []*portAction

// newPortAction parses a port spec and creates the action
func newPortAction(tcpport string, policy *policy.FlowPolicy, nomatch bool) (*portAction, error) {

	p := &portAction{}
	if strings.Contains(tcpport, ":") {
		parts := strings.Split(tcpport, ":")
		if len(parts) != 2 {
			return nil, fmt.Errorf("invalid port: %s", tcpport)
		}

		port, err := strconv.Atoi(parts[0])
		if err != nil {
			return nil, err
		}
		p.min = uint16(port)

		port, err = strconv.Atoi(parts[1])
		if err != nil {
			return nil, err
		}
		p.max = uint16(port)

	} else {
		port, err := strconv.Atoi(tcpport)
		if err != nil {
			return nil, err
		}

		p.min = uint16(port)
		p.max = p.min
	}

	if p.min > p.max {
		return nil, errors.New("min port is greater than max port")
	}

	p.policy = policy
	p.nomatch = nomatch

	return p, nil
}

func (p *portActionList) lookup(port uint16, preReported *policy.FlowPolicy) (report *policy.FlowPolicy, packet *policy.FlowPolicy, err error) {

	report = preReported

	// Scan the ports - TODO: better algorithm needed here
	for _, pa := range *p {
		if port >= pa.min && port <= pa.max {

			if pa.nomatch {
				return report, packet, errNoMatchFromRule
			}

			// Check observed policies.
			if pa.policy.ObserveAction.Observed() {
				if report == nil {
					report = pa.policy
				}
				if pa.policy.ObserveAction.ObserveContinue() {
					continue
				}
				packet = pa.policy
				return report, packet, nil
			}

			packet = pa.policy
			if report == nil {
				report = packet
			}
			return report, packet, nil
		}
	}

	return report, packet, ErrNoMatch
}


================================================
FILE: controller/internal/enforcer/acls/ports_test.go
================================================
// +build !windows

package acls

import (
	"testing"

	. "github.com/smartystreets/goconvey/convey"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
)

func TestEmptyPortListLookup(t *testing.T) {

	Convey("Given an empty port action list", t, func() {
		pl := &portActionList{}

		Convey("When I lookup for a matching port, I should not get any result", func() {
			r, p, err := pl.lookup(10, nil)
			So(err, ShouldNotBeNil)
			So(r, ShouldBeNil)
			So(p, ShouldBeNil)
		})
	})
}

func TestPortListLookup(t *testing.T) {

	rule := policy.IPRule{
		Addresses: []string{"172.0.0.0/8"},
		Ports:     []string{"1:999"},
		Protocols: []string{"tcp"},
		Policy: &policy.FlowPolicy{
			Action:   policy.Accept,
			PolicyID: "portMatch",
		},
	}

	Convey("Given a non-empty port action list", t, func() {
		var pl portActionList
		for _, port := range rule.Ports {
			pa, err := newPortAction(port, rule.Policy, false)

			So(err, ShouldBeNil)
			So(pa, ShouldNotBeNil)

			pl = append(pl, pa)
		}

		Convey("When I lookup for a non matching port, I should get error", func() {
			r, p, err := pl.lookup(0, nil)
			So(err, ShouldNotBeNil)
			So(r, ShouldBeNil)
			So(p, ShouldBeNil)
		})

		Convey("When I lookup for a non matching port, I should get error but get the unmodified reported flow input", func() {
			r, p, err := pl.lookup(0, &policy.FlowPolicy{
				Action:   policy.Accept,
				PolicyID: "portPreMatch"},
			)
			So(err, ShouldNotBeNil)
			So(r, ShouldNotBeNil)
			So(r.Action, ShouldEqual, policy.Accept)
			So(r.PolicyID, ShouldEqual, "portPreMatch")
			So(p, ShouldBeNil)
		})

		Convey("When I lookup for a matching port, I should get accept", func() {
			r, p, err := pl.lookup(10, nil)
			So(err, ShouldBeNil)
			So(r.Action, ShouldEqual, policy.Accept)
			So(r.PolicyID, ShouldEqual, "portMatch")
			So(p.Action, ShouldEqual, policy.Accept)
			So(p.PolicyID, ShouldEqual, "portMatch")
		})

		Convey("When I lookup for a matching port, and a report action, packet must be reported with no error", func() {
			r, p, err := pl.lookup(10, &policy.FlowPolicy{
				Action:   policy.Accept,
				PolicyID: "portPreMatch"},
			)
			So(err, ShouldBeNil)
			So(r, ShouldNotBeNil)
			So(r.Action, ShouldEqual, policy.Accept)
			So(r.PolicyID, ShouldEqual, "portPreMatch")
			So(p, ShouldNotBeNil)
			So(p.Action, ShouldEqual, policy.Accept)
			So(p.PolicyID, ShouldEqual, "portMatch")
		})
	})
}

func TestPortListLookupObservedPolicyContinue(t *testing.T) {

	rule := policy.IPRule{
		Addresses: []string{"172.0.0.0/8"},
		Ports:     []string{"1:999"},
		Protocols: []string{"tcp"},
		Policy: &policy.FlowPolicy{
			ObserveAction: policy.ObserveContinue,
			Action:        policy.Accept,
			PolicyID:      "portMatch",
		},
	}

	Convey("Given a non-empty port action list", t, func() {
		var pl portActionList
		for _, port := range rule.Ports {
			pa, err := newPortAction(port, rule.Policy, false)
			So(err, ShouldBeNil)
			So(pa, ShouldNotBeNil)

			pl = append(pl, pa)
		}

		Convey("When I lookup for a non matching port, I should get error", func() {
			r, p, err := pl.lookup(0, nil)
			So(err, ShouldNotBeNil)
			So(r, ShouldBeNil)
			So(p, ShouldBeNil)
		})

		Convey("When I lookup for a non matching port, I should get error but get the unmodified reported flow input", func() {
			r, p, err := pl.lookup(0, &policy.FlowPolicy{
				Action:   policy.Accept,
				PolicyID: "portPreMatch"},
			)
			So(err, ShouldNotBeNil)
			So(r, ShouldNotBeNil)
			So(r.Action, ShouldEqual, policy.Accept)
			So(r.PolicyID, ShouldEqual, "portPreMatch")
			So(p, ShouldBeNil)
		})

		Convey("When I lookup for a matching port with observed policy, I should get report but no packet action and error ", func() {
			r, p, err := pl.lookup(10, nil)
			So(err, ShouldEqual, ErrNoMatch)
			So(r.ObserveAction, ShouldEqual, policy.ObserveContinue)
			So(r.Action, ShouldEqual, policy.Accept)
			So(r.PolicyID, ShouldEqual, "portMatch")
			So(p, ShouldBeNil)
		})

		Convey("When I lookup for a matching port with observed policy and pre-existing report, I should get unmodified report but no packet action and error ", func() {
			r, p, err := pl.lookup(10, &policy.FlowPolicy{
				Action:   policy.Accept,
				PolicyID: "portPreMatch",
			})
			So(err, ShouldEqual, ErrNoMatch)
			So(r.ObserveAction, ShouldEqual, policy.ObserveNone)
			So(r.Action, ShouldEqual, policy.Accept)
			So(r.PolicyID, ShouldEqual, "portPreMatch")
			So(p, ShouldBeNil)
		})
	})
}

func TestPortListLookupObservedPolicyApply(t *testing.T) {

	rule := policy.IPRule{
		Addresses: []string{"172.0.0.0/8"},
		Ports:     []string{"1:999"},
		Protocols: []string{"tcp"},
		Policy: &policy.FlowPolicy{
			ObserveAction: policy.ObserveApply,
			Action:        policy.Accept,
			PolicyID:      "portMatch",
		},
	}

	Convey("Given a non-empty port action list", t, func() {
		var pl portActionList
		for _, port := range rule.Ports {
			pa, err := newPortAction(port, rule.Policy, false)
			So(err, ShouldBeNil)
			So(pa, ShouldNotBeNil)

			pl = append(pl, pa)
		}

		Convey("When I lookup for a non matching port, I should get error", func() {
			r, p, err := pl.lookup(0, nil)
			So(err, ShouldNotBeNil)
			So(r, ShouldBeNil)
			So(p, ShouldBeNil)
		})

		Convey("When I lookup for a non matching port, I should get error but get the unmodified reported flow input", func() {
			r, p, err := pl.lookup(0, &policy.FlowPolicy{
				Action:   policy.Accept,
				PolicyID: "portPreMatch"},
			)
			So(err, ShouldNotBeNil)
			So(r, ShouldNotBeNil)
			So(r.Action, ShouldEqual, policy.Accept)
			So(r.PolicyID, ShouldEqual, "portPreMatch")
			So(p, ShouldBeNil)
		})

		Convey("When I lookup for a matching port with observed policy apply, I should get report and packet action and no error ", func() {
			r, p, err := pl.lookup(10, nil)

			So(err, ShouldBeNil)

			So(r.ObserveAction, ShouldEqual, policy.ObserveApply)
			So(r.Action, ShouldEqual, policy.Accept)
			So(r.PolicyID, ShouldEqual, "portMatch")

			So(p.ObserveAction, ShouldEqual, policy.ObserveApply)
			So(p.Action, ShouldEqual, policy.Accept)
			So(p.PolicyID, ShouldEqual, "portMatch")
		})

		Convey("When I lookup for a matching port with observed policy and pre-existing report, I should get unmodified report, packet action and no error ", func() {
			r, p, err := pl.lookup(10, &policy.FlowPolicy{
				Action:   policy.Accept,
				PolicyID: "portPreMatch",
			})

			So(err, ShouldBeNil)

			So(r.ObserveAction, ShouldEqual, policy.ObserveNone)
			So(r.Action, ShouldEqual, policy.Accept)
			So(r.PolicyID, ShouldEqual, "portPreMatch")

			So(p.ObserveAction, ShouldEqual, policy.ObserveApply)
			So(p.Action, ShouldEqual, policy.Accept)
			So(p.PolicyID, ShouldEqual, "portMatch")
		})
	})
}

func TestPortListWithNomatchLookup(t *testing.T) {

	rule := policy.IPRule{
		Addresses: []string{"0.0.0.0/1", "128.0.0.0/1", "!172.0.0.0/8"},
		Ports:     []string{"1:999"},
		Protocols: []string{"tcp"},
		Policy: &policy.FlowPolicy{
			Action:   policy.Accept,
			PolicyID: "portMatch",
		},
	}

	Convey("Given a non-empty port action list", t, func() {
		var pl portActionList
		for _, port := range rule.Ports {
			pa, err := newPortAction(port, rule.Policy, true)

			So(err, ShouldBeNil)
			So(pa, ShouldNotBeNil)

			pl = append(pl, pa)
		}

		Convey("When I lookup for a non matching port, I should get error", func() {
			r, p, err := pl.lookup(0, nil)
			So(err, ShouldNotBeNil)
			So(r, ShouldBeNil)
			So(p, ShouldBeNil)
		})

		Convey("When I lookup for a non matching port, I should get error but get the unmodified reported flow input", func() {
			r, p, err := pl.lookup(0, &policy.FlowPolicy{
				Action:   policy.Accept,
				PolicyID: "portPreMatch"},
			)
			So(err, ShouldNotBeNil)
			So(r, ShouldNotBeNil)
			So(r.Action, ShouldEqual, policy.Accept)
			So(r.PolicyID, ShouldEqual, "portPreMatch")
			So(p, ShouldBeNil)
		})

		Convey("When I lookup for a matching port, I should get no match", func() {
			r, p, err := pl.lookup(10, nil)
			So(err, ShouldNotBeNil)
			So(r, ShouldBeNil)
			So(p, ShouldBeNil)
		})

		Convey("When I lookup for a matching port, I should get no match but the unmodified reported flow input", func() {
			r, p, err := pl.lookup(10, &policy.FlowPolicy{
				Action:   policy.Accept,
				PolicyID: "portPreMatch"},
			)
			So(err, ShouldNotBeNil)
			So(r, ShouldNotBeNil)
			So(r.Action, ShouldEqual, policy.Accept)
			So(r.PolicyID, ShouldEqual, "portPreMatch")
			So(p, ShouldBeNil)
		})
	})
}


================================================
FILE: controller/internal/enforcer/acls/utils.go
================================================
package acls

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// Address is a parsed IP address or CIDR
type Address struct {
	IP      net.IP
	Mask    int
	NoMatch bool
}

// ParseAddress parses `address` as an IP or CIDR address - based on the notation that we allow in our backend.
// If the address is prefixed with a "!"", then the NoMatch attribute will be true.
// If the Address is of the format "IP/BitMask" (e.g. 192.0.2.0/24), then the mask will be set to 24.
// If the address is of the form "IP" (e.g. 192.0.2.1), then the mask will be added automatically.
func ParseAddress(address string) (*Address, error) {
	var mask int
	var err error
	parts := strings.Split(address, "/")
	nomatch := strings.HasPrefix(parts[0], "!")
	if nomatch {
		parts[0] = parts[0][1:]
	}
	ip := net.ParseIP(parts[0])
	if ip == nil {
		return nil, fmt.Errorf("invalid ip address: %s", parts[0])
	}

	if len(parts) == 1 {
		if ip.To4() != nil {
			mask = 32
		} else {
			mask = 128
		}
	} else {
		mask, err = strconv.Atoi(parts[1])
		if err != nil {
			return nil, fmt.Errorf("invalid mask '%s': %w", parts[1], err)
		}
	}

	return &Address{IP: ip, Mask: mask, NoMatch: nomatch}, nil
}


================================================
FILE: controller/internal/enforcer/acls/utils_test.go
================================================
package acls

import (
	"net"
	"reflect"
	"testing"
)

func TestParseAddress(t *testing.T) {
	ipv4 := net.ParseIP("192.0.2.1")
	if ipv4 == nil {
		panic("ipv4 address invalid at test prerequisite")
	}
	ipv6 := net.ParseIP("2001:db8::1")
	if ipv6 == nil {
		panic("ipv6 address invalid at test prerequisite")
	}
	type args struct {
		address string
	}
	tests := []struct {
		name    string
		args    args
		want    *Address
		wantErr bool
	}{
		{
			name: "invalid IP address",
			args: args{
				address: "invalid IP address",
			},
			want:    nil,
			wantErr: true,
		},
		{
			name: "invalid network mask",
			args: args{
				address: "192.0.2.0/invalid",
			},
			want:    nil,
			wantErr: true,
		},
		{
			name: "IPv4 address without mask",
			args: args{
				address: "192.0.2.1",
			},
			want: &Address{
				IP:      ipv4,
				Mask:    32,
				NoMatch: false,
			},
		},
		{
			name: "IPv6 address without mask",
			args: args{
				address: "2001:db8::1",
			},
			want: &Address{
				IP:      ipv6,
				Mask:    128,
				NoMatch: false,
			},
		},
		{
			name: "IPv4 address with mask",
			args: args{
				address: "192.0.2.1/24",
			},
			want: &Address{
				IP:      ipv4,
				Mask:    24,
				NoMatch: false,
			},
		},
		{
			name: "IPv6 address with mask",
			args: args{
				address: "2001:db8::1/64",
			},
			want: &Address{
				IP:      ipv6,
				Mask:    64,
				NoMatch: false,
			},
		},
		{
			name: "IPv4 address with mask and nomatch",
			args: args{
				address: "!192.0.2.1/24",
			},
			want: &Address{
				IP:      ipv4,
				Mask:    24,
				NoMatch: true,
			},
		},
		{
			name: "IPv6 address with mask and nomatch",
			args: args{
				address: "!2001:db8::1/64",
			},
			want: &Address{
				IP:      ipv6,
				Mask:    64,
				NoMatch: true,
			},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			got, err := ParseAddress(tt.args.address)
			if (err != nil) != tt.wantErr {
				t.Errorf("ParseAddress() error = %v, wantErr %v", err, tt.wantErr)
				return
			}
			if !reflect.DeepEqual(got, tt.want) {
				t.Errorf("ParseAddress() = %v, want %v", got, tt.want)
			}
		})
	}
}


================================================
FILE: controller/internal/enforcer/apiauth/apiauth.go
================================================
package apiauth

import (
	"context"
	"fmt"
	"net"
	"net/http"
	"strings"
	"sync"
	"time"

	"go.aporeto.io/enforcerd/trireme-lib/collector"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/applicationproxy/serviceregistry"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packet"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/secrets"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/servicetokens"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
	"go.uber.org/zap"
)

const (
	// DefaultValidity is default service token validity.
	DefaultValidity = 60 * time.Second

	// TriremeOIDCCallbackURI is the callback URI that must be presented by
	// any OIDC provider.
	TriremeOIDCCallbackURI = "/aporeto/oidc/callback"
)

// Processor is an API Authorization processor.
type Processor struct {
	puContext string

	issuer  string // the issuer ID .. need to get rid of that part with the new tokens
	secrets secrets.Secrets
	sync.RWMutex
}

// New will create a new authorization processor.
func New(contextID string, s secrets.Secrets) *Processor {
	return &Processor{
		puContext: contextID,
		secrets:   s,
	}
}

func (p *Processor) retrieveNetworkContext(originalIP *net.TCPAddr) (*serviceregistry.PortContext, error) {

	return serviceregistry.Instance().RetrieveExposedServiceContext(originalIP.IP, originalIP.Port, "")
}

func (p *Processor) retrieveApplicationContext(address *net.TCPAddr) (*serviceregistry.ServiceContext, *serviceregistry.DependentServiceData, error) {

	return serviceregistry.Instance().RetrieveDependentServiceDataByIDAndNetwork(p.puContext, address.IP, address.Port, "")
}

// UpdateSecrets is called to update the authorizer secrets.
func (p *Processor) UpdateSecrets(s secrets.Secrets) {
	p.Lock()
	defer p.Unlock()

	p.secrets = s
}

// ApplicationRequest processes an application side request and returns
// the token that is associated with this application, together with an
// error if the request must be rejected.
func (p *Processor) ApplicationRequest(r *Request) (*AppAuthResponse, error) {

	d := &AppAuthResponse{
		TLSListener: true,
	}

	// Derive the service context for this request. This is another PU
	// or some external service. Context is derived based on the original
	// destination of the request.
	sctx, serviceData, err := p.retrieveApplicationContext(r.OriginalDestination)
	if err != nil {
		return d, &AuthError{
			status:  http.StatusBadGateway,
			message: fmt.Sprintf("Cannot identify application context: %s", err),
		}
	}
	d.PUContext = sctx.PUContext
	d.ServiceID = serviceData.APICache.ID

	// First we process network type rules (L3 based decision)
	_, netaction, noNetAccesPolicy := sctx.PUContext.ApplicationACLPolicyFromAddr(r.OriginalDestination.IP, uint16(r.OriginalDestination.Port), uint8(packet.IPProtocolTCP))
	d.NetworkPolicyID = netaction.PolicyID
	d.NetworkServiceID = netaction.ServiceID
	if noNetAccesPolicy == nil && netaction.Action.Rejected() {
		return d, &AuthError{
			status:  http.StatusNetworkAuthenticationRequired,
			message: "Unauthorized Service - Rejected Outgoing Request by Network Policies",
		}
	}

	// For external services we validate policy at the ingress.
	if serviceData.APICache.External {
		d.External = true

		// Get the corresponding scopes
		found, rule := serviceData.APICache.FindRule(r.Method, r.URL.Path)
		if !found {
			return d, &AuthError{
				status:  http.StatusForbidden,
				message: "Uknown or unauthorized service: policy not found",
			}
		}
		d.HookMethod = rule.HookMethod
		// If there is an authorization policy attached to the rule, we must validate
		// against the identity of the PU.
		if !rule.Public {
			// Validate the policy based on the scopes of the PU.
			// TODO: Add user scopes
			if !serviceData.APICache.MatchClaims(rule.ClaimMatchingRules, append(sctx.PUContext.Identity().GetSlice(), sctx.PUContext.Scopes()...)) {
				return d, &AuthError{
					status:  http.StatusForbidden,
					message: "Unauthorized service: rejected by policy",
				}
			}
		}

		d.Action = policy.Accept | policy.Log
		if !serviceData.ServiceObject.NoTLSExternalService {
			d.Action = d.Action | policy.Encrypt
		}
		d.TLSListener = !serviceData.ServiceObject.NoTLSExternalService

		return d, nil
	}

	p.RLock()
	defer p.RUnlock()

	secret := p.secrets

	token, err := servicetokens.CreateAndSign(
		p.issuer,
		sctx.PUContext.Identity().GetSlice(),
		sctx.PUContext.Scopes(),
		sctx.PUContext.ManagementID(),
		DefaultValidity,
		secret.EncodingKey(),
		nil,
	)
	if err != nil {
		return d, &AuthError{
			status:  http.StatusInternalServerError,
			message: "Unable to issue service token",
			err:     err,
		}
	}

	d.Token = token

	return d, nil
}

// NetworkRequest authorizes a network request and either accepts the request
// or potentially issues a redirect.
func (p *Processor) NetworkRequest(ctx context.Context, r *Request) (*NetworkAuthResponse, error) {

	// First retrieve the context and policy for this request. Network
	// requests are indexed based on the original destination and port.
	pctx, err := p.retrieveNetworkContext(r.OriginalDestination)
	if err != nil {
		return nil, &AuthError{
			status:  http.StatusInternalServerError,
			message: "Internal server error - cannot identify destination policy",
			err:     err,
		}
	}

	// Create a basic response. We will update this response with information
	// as we continue processing.
	d := &NetworkAuthResponse{
		PUContext:   pctx.PUContext,
		ServiceID:   pctx.Service.ID,
		Action:      policy.Reject,
		SourceType:  collector.EndPointTypeExternalIP,
		TLSListener: pctx.Service.PrivateTLSListener,
		Namespace:   pctx.PUContext.ManagementNamespace(),
	}

	// We process first OIDC callbacks. These are the redirects after a user
	// has been authorized. We do not apply any network rule checks in this
	// case. If the callback is authorized we return the cookie and JWT
	// for the user.
	if strings.HasPrefix(r.RequestURI, TriremeOIDCCallbackURI) {
		callbackResponse, err := pctx.Authorizer.Callback(ctx, r.URL)
		if err == nil {
			d.Action = policy.Accept | policy.Encrypt | policy.Log
			d.Redirect = true
			d.RedirectURI = callbackResponse.OriginURL
			d.Cookie = callbackResponse.Cookie
			d.Data = callbackResponse.Data
			d.SourceType = collector.EndPointTypeClaims
			d.NetworkPolicyID = "default"
			d.NetworkServiceID = "default"
		}
		return d, &AuthError{
			message: callbackResponse.Message,
			status:  callbackResponse.Status,
		}
	}

	// We first process the network access rules based on external networks or
	// incoming IP addresses. We cannot process yet the Aporeto authorization
	// rules until after we decode the claims. The aclPolicy holds the matched
	// rules. If the method returns no error we store it in the noNetAccessPolicy
	// variable. This indicates that we have found no external network rule that
	// allows the request and we must validate the PU to PU rules. We will not
	// know what to do until after we decode all the incoming claims.
	// We perform this function early so that we don't waste CPU cycles with
	// processing tokens if the network policy does not allow the connection.
	aclReportPolicy, aclActualPolicy, noNetAccessPolicy := pctx.PUContext.NetworkACLPolicyFromAddr(
		r.SourceAddress.IP,
		uint16(r.OriginalDestination.Port),
		uint8(packet.IPProtocolTCP),
	)
	d.NetworkPolicyID = aclActualPolicy.PolicyID
	d.NetworkServiceID = aclActualPolicy.ServiceID

	if aclActualPolicy.Action.Logged() {
		d.Action = d.Action | policy.Log
	}

	if aclReportPolicy.ObserveAction.Observed() {
		d.ObservedPolicyID = aclReportPolicy.PolicyID
		d.ObservedAction = aclReportPolicy.Action
	}

	if noNetAccessPolicy == nil && aclActualPolicy.Action.Rejected() {
		d.DropReason = collector.PolicyDrop
		d.SourceType = collector.EndPointTypeExternalIP
		return d, &AuthError{
			message: "Access denied by network policy",
			status:  http.StatusNetworkAuthenticationRequired,
		}
	}

	// Retrieve the headers with the key and auth parameters. If the parameters do not
	// exist, we will end up with empty values, but processing can continue. The authorizer
	// will validate if they are needed or not.
	token, key := processHeaders(r)

	// Calculate the user attributes. User attributes can be derived either from a
	// token or from a certificate. The authorizer library will parse them. We don't
	// care if there are no user credentials. It might be a request from a PU,
	// or it might be a request to a public interface. Only if the service mandates
	// user credentials, we get the redirect directive.
	userCredentials(ctx, pctx, r, d)

	// Calculate the Aporeto PU claims by parsing the token if it exists. If the token
	// is empty the DecodeAporetoClaims method will return no error.
	var aporetoClaims []string
	var pingPayload *policy.PingPayload
	d.SourcePUID, aporetoClaims, pingPayload, err = pctx.Authorizer.DecodeAporetoClaims(token, key)
	if err != nil {
		d.DropReason = collector.PolicyDrop
		return d, &AuthError{
			message: fmt.Sprintf("Invalid Authorization Token: %s", err),
			status:  http.StatusForbidden,
		}
	}

	if pingPayload != nil && pingPayload.PingID != "" {
		d.PingConfig = &PingConfig{
			PingID:      pingPayload.PingID,
			IterationID: pingPayload.IterationID,
			Claims:      aporetoClaims,
			PayloadSize: len(token) + len(key),
		}
	}

	// If the other side is a PU we will always put the source type as PU.
	isPUSource := false
	if len(aporetoClaims) > 0 {
		isPUSource = true
		d.SourceType = collector.EndPointTypePU
	}

	// We need to verify network policy, before validating the API policy. If a network
	// policy has given us an accept because of IP address based ACLs we proceed anyway.
	// This is rather convoluted, but a user might choose to implement network
	// policies with ACLs only, and we have to cover this case.
	if noNetAccessPolicy != nil || aclReportPolicy.ObserveAction.ObserveApply() {

		// If we have not found an IP based access policy and the other side
		// is a PU we can visit the network rules based on tag authorization.
		if isPUSource {
			netReportPolicy, netActualPolicy := pctx.PUContext.SearchRcvRules(policy.NewTagStoreFromSlice(aporetoClaims))

			d.NetworkPolicyID = netActualPolicy.PolicyID
			d.NetworkServiceID = aclActualPolicy.ServiceID
			d.ObservedPolicyID = ""
			d.ObservedAction = policy.ActionType(0)

			if netReportPolicy.ObserveAction.Observed() {
				d.ObservedPolicyID = netReportPolicy.PolicyID
				d.ObservedAction = netReportPolicy.Action
			}

			if netActualPolicy.Action.Rejected() {
				d.DropReason = collector.PolicyDrop
				return d, &AuthError{
					message: "Access not authorized by network policy",
					status:  http.StatusNetworkAuthenticationRequired,
				}
			}
		} else {
			// If no network access policy and no PU claims, this request
			// is dropped.
			d.DropReason = collector.PolicyDrop
			return d, &AuthError{
				message: "Access denied by network policy: no policy found",
				status:  http.StatusNetworkAuthenticationRequired,
			}
		}
	} else {
		if aclActualPolicy.Action.Accepted() {
			aporetoClaims = append(aporetoClaims, aclActualPolicy.Labels...)
		}
	}

	// We can now validate the API authorization. This is the final step
	// before forwarding.
	allClaims := append(aporetoClaims, d.UserAttributes...)
	accept, public := pctx.Authorizer.Check(r.Method, r.URL.Path, allClaims)
	if !accept && !public {
		// If the authorization check returns reject, we need to validate
		// if this is a public request, it will be accepted.
		d.DropReason = collector.APIPolicyDrop

		// We need to process the redirects here. The reject might be forcing
		// us to issue a redirect. Redirects are valid only if the source
		// is a user. It doesn't make sense to redirect a PU.
		// If the source is not a PU, then ping cannot be enabled.
		if !isPUSource {
			authError := &AuthError{
				message: "No token presented or invalid token: Please authenticate first",
				status:  http.StatusTemporaryRedirect,
			}
			if d.Redirect {
				d.RedirectURI = pctx.Authorizer.RedirectURI(r.URL.String())
				return d, authError
			} else if len(pctx.Service.UserRedirectOnAuthorizationFail) > 0 {
				d.RedirectURI = pctx.Service.UserRedirectOnAuthorizationFail + "?failure_message=authorization"
				return d, authError
			}
		}

		zap.L().Debug("No match found for the request or authorization Error",
			zap.String("Request", r.Method+" "+r.RequestURI),
			zap.Strings("User Attributes", d.UserAttributes),
			zap.Strings("Aporeto Claims", aporetoClaims),
		)

		return d, &AuthError{
			message: fmt.Sprintf("Unauthorized Access to %s", r.URL),
			status:  http.StatusUnauthorized,
		}
	}

	d.Action = policy.Accept
	if r.TLS != nil {
		d.Action = d.Action | policy.Encrypt
	}

	if aclActualPolicy.Action.Logged() {
		d.Action = d.Action | policy.Log
	}

	// We update the request headers with the claims and pass back
	// the information.
	pctx.Authorizer.UpdateRequestHeaders(r.Header, d.UserAttributes)
	d.Header = r.Header

	return d, nil

}

// userCredentials will find all the user credentials in the http request.
// TODO: In addition to looking at the headers, we need to look at the parameters
// in case authorization is provided there.
// It will return the userAttributes and a boolean instructing whether a redirect
// must be performed. If no user credentials are found, it will allow processing
// to proceed. It might be a
func userCredentials(ctx context.Context, pctx *serviceregistry.PortContext, r *Request, d *NetworkAuthResponse) {
	if r.TLS == nil {
		return
	}

	userCerts := r.TLS.PeerCertificates

	var userToken string
	authToken := r.Header.Get("Authorization")
	if len(authToken) < 7 {
		if r.Cookie != nil {
			userToken = r.Cookie.Value
		}
	} else {
		userToken = strings.TrimPrefix(authToken, "Bearer ")
	}

	userAttributes, redirect, refreshedToken, err := pctx.Authorizer.DecodeUserClaims(ctx, pctx.Service.ID, userToken, userCerts)
	if err != nil {
		zap.L().Warn("Partially failed to extract and decode user claims", zap.Error(err))
	}

	if len(userAttributes) > 0 {
		d.SourceType = collector.EndPointTypeClaims
	}

	if refreshedToken != userToken {
		d.Cookie = &http.Cookie{
			Name:     "X-APORETO-AUTH",
			Value:    refreshedToken,
			HttpOnly: true,
			Secure:   true,
			Path:     "/",
		}
	}

	d.UserAttributes = userAttributes
	d.Redirect = redirect
}

func processHeaders(r *Request) (string, string) {
	token := r.Header.Get("X-APORETO-AUTH")
	if token != "" {
		r.Header.Del("X-APORETO-AUTH")
	}
	key := r.Header.Get("X-APORETO-KEY")
	if key != "" {
		r.Header.Del("X-APORETO-KEY")
	}
	return token, key
}


================================================
FILE: controller/internal/enforcer/apiauth/apiauth_test.go
================================================
// +build !windows

package apiauth

import (
	"context"
	"crypto/tls"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"testing"
	"time"

	"github.com/golang/mock/gomock"
	. "github.com/smartystreets/goconvey/convey"
	"go.aporeto.io/enforcerd/trireme-lib/collector"
	triremecommon "go.aporeto.io/enforcerd/trireme-lib/common"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/applicationproxy/serviceregistry"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/pucontext"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/secrets"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/secrets/testhelper"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/servicetokens"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/usertokens/mockusertokens"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
	"go.aporeto.io/enforcerd/trireme-lib/utils/portspec"
)

const (
	policyID        = "somepolicy"
	rejectPolicyID  = "somerejectepolicy"
	serviceID       = "someservice"
	rejectServiceID = "somerejectservice"
	namespace       = "somenamespace"
	appLabel        = "app=web"
)

func newBaseApplicationServices(ctrl *gomock.Controller, id string, ipAddr string, exposedPortValue, publicPortValue, privatePortValue uint16, external bool) *policy.ApplicationService {

	exposedPort, err := portspec.NewPortSpec(exposedPortValue, exposedPortValue, nil)
	So(err, ShouldBeNil)
	publicPort, err := portspec.NewPortSpec(publicPortValue, publicPortValue, nil)
	So(err, ShouldBeNil)
	privatePort, err := portspec.NewPortSpec(privatePortValue, privatePortValue, nil)
	So(err, ShouldBeNil)

	return &policy.ApplicationService{
		ID: id,
		NetworkInfo: &triremecommon.Service{
			Ports:     exposedPort,
			Protocol:  6,
			Addresses: map[string]struct{}{ipAddr: struct{}{}},
		},
		PublicNetworkInfo: &triremecommon.Service{
			Ports:     publicPort,
			Protocol:  6,
			Addresses: map[string]struct{}{ipAddr: struct{}{}},
		},
		PrivateNetworkInfo: &triremecommon.Service{
			Ports:     privatePort,
			Protocol:  6,
			Addresses: map[string]struct{}{},
		},
		Type:                 policy.ServiceHTTP,
		PublicServiceTLSType: policy.ServiceTLSTypeAporeto,
		External:             external,
		HTTPRules: []*policy.HTTPRule{
			{
				URIs:    []string{"/admin"},
				Methods: []string{"GET"},
				ClaimMatchingRules: [][]string{
					{appLabel},
				},
				Public: false,
			},
			{
				URIs:    []string{"/public"},
				Methods: []string{"GET"},
				Public:  true,
			},
			{
				URIs:    []string{"/forbidden"},
				Methods: []string{"GET"},
				ClaimMatchingRules: [][]string{
					{"Nobody"},
				},
				Public: false,
			},
		},
		UserAuthorizationType:    policy.UserAuthorizationOIDC,
		UserAuthorizationHandler: mockusertokens.NewMockVerifier(ctrl),
	}
}

func newAPIAuthProcessor(ctrl *gomock.Controller) (*serviceregistry.Registry, *pucontext.PUContext, secrets.Secrets) {

	contextID := "test"
	baseService := newBaseApplicationServices(ctrl, "base", "10.1.1.0/24", uint16(80), uint16(443), uint16(80), false)
	externalService := newBaseApplicationServices(ctrl, "external", "45.0.0.0/8", uint16(80), uint16(443), uint16(80), true)
	externalBadService := newBaseApplicationServices(ctrl, "external", "100.0.0.0/8", uint16(80), uint16(443), uint16(80), true)

	exposedServices := policy.ApplicationServicesList{baseService}
	dependentServices := policy.ApplicationServicesList{baseService, externalService, externalBadService}

	networkACLs := policy.IPRuleList{
		{
			Addresses: []string{"10.1.1.0/24"},
			Ports:     []string{"80"},
			Protocols: []string{"6"},
			Policy: &policy.FlowPolicy{
				Action:    policy.Accept,
				PolicyID:  policyID,
				ServiceID: serviceID,
				Labels:    []string{"service=external"},
			},
		},
		{
			Addresses: []string{"45.0.0.0/8"},
			Ports:     []string{"80"},
			Protocols: []string{"6"},
			Policy: &policy.FlowPolicy{
				Action:    policy.Accept,
				PolicyID:  policyID,
				ServiceID: serviceID,
				Labels:    []string{"service=external"},
			},
		},
		{
			Addresses: []string{"100.0.0.0/8"},
			Ports:     []string{"80"},
			Protocols: []string{"6"},
			Policy: &policy.FlowPolicy{
				Action:        policy.Reject,
				PolicyID:      rejectPolicyID,
				ServiceID:     rejectServiceID,
				ObserveAction: policy.ObserveApply,
				Labels:        []string{"service=external"},
			},
		},
	}

	applicationACLs := policy.IPRuleList{
		{
			Addresses: []string{"100.0.0.0/8"},
			Ports:     []string{"80"},
			Protocols: []string{"6"},
			Policy: &policy.FlowPolicy{
				Action:    policy.Reject,
				PolicyID:  rejectPolicyID,
				ServiceID: rejectServiceID,
				Labels:    []string{"service=external"},
			},
		},
	}

	plc := policy.NewPUPolicy(
		contextID,
		namespace,
		policy.Police,
		applicationACLs,
		networkACLs,
		policy.DNSRuleList{},
		policy.TagSelectorList{},
		policy.TagSelectorList{
			policy.TagSelector{
				Clause: []policy.KeyValueOperator{
					{
						Key:      "app",
						Value:    []string{"web"},
						Operator: policy.Equal,
						ID:       "somepolicy",
					},
				},
				Policy: &policy.FlowPolicy{
					Action:        policy.Accept,
					ServiceID:     "pu" + serviceID,
					PolicyID:      "pu" + policyID,
					ObserveAction: policy.ObserveApply,
				},
			},
			policy.TagSelector{
				Clause: []policy.KeyValueOperator{
					{
						Key:      "app",
						Value:    []string{"bad"},
						Operator: policy.Equal,
						ID:       "rejectpolicy",
					},
				},
				Policy: &policy.FlowPolicy{
					Action:   policy.Reject,
					PolicyID: "reject" + policyID,
				},
			},
		},
		policy.NewTagStore(),
		policy.NewTagStoreFromSlice([]string{appLabel, "type=aporeto"}),
		nil,
		nil,
		0,
		0,
		exposedServices,
		dependentServices,
		[]string{appLabel},
		policy.EnforcerMapping,
		policy.Reject|policy.Log,
		policy.Reject|policy.Log,
	)

	puInfo := policy.NewPUInfo(contextID, namespace, triremecommon.ContainerPU)
	puInfo.Policy = plc
	pctx, err := pucontext.NewPU(contextID, puInfo, nil, time.Second*1000)
	So(err, ShouldBeNil)
	_, s, _ := testhelper.NewTestCompactPKISecrets()

	r := serviceregistry.Instance()
	_, err = r.Register(contextID, puInfo, pctx, s)
	So(err, ShouldBeNil)

	return r, pctx, s
}

func Test_New(t *testing.T) {
	Convey("When I create a new processor it should be correctly propulated", t, func() {
		ctrl := gomock.NewController(t)
		_, _, s := newAPIAuthProcessor(ctrl)
		p := New("test", s)

		So(p.puContext, ShouldEqual, "test")
		So(p.secrets, ShouldEqual, s)
	})
}

func Test_ApplicationRequest(t *testing.T) {
	Convey("Given a valid authorization processor", t, func() {
		ctrl := gomock.NewController(t)
		_, pctx, s := newAPIAuthProcessor(ctrl)
		p := New("test", s)

		Convey("Given a request without context, it should error", func() {

			u, _ := url.Parse("http://www.foo.com/public") // nolint
			r := &Request{
				SourceAddress: &net.TCPAddr{
					IP:   net.ParseIP("10.1.1.1"),
					Port: 1000,
				},
				OriginalDestination: &net.TCPAddr{
					IP:   net.ParseIP("20.1.1.1"),
					Port: 8080,
				},
				Method:     "GET",
				URL:        u,
				RequestURI: "/public",
				Header:     http.Header{},
				Cookie:     nil,
				TLS:        nil,
			}
			_, err := p.ApplicationRequest(r)
			So(err, ShouldNotBeNil)

			authErr, ok := err.(*AuthError)
			So(ok, ShouldBeTrue)
			So(authErr.Status(), ShouldEqual, http.StatusBadGateway)
		})

		Convey("Given a request with valid context that is not external, I should get a token", func() {
			u, _ := url.Parse("http://www.foo.com/public") // nolint
			r := &Request{
				SourceAddress: &net.TCPAddr{
					IP:   net.ParseIP("10.1.1.1"),
					Port: 1000,
				},
				OriginalDestination: &net.TCPAddr{
					IP:   net.ParseIP("10.1.1.2"),
					Port: 80,
				},
				Method:     "GET",
				URL:        u,
				RequestURI: "/public",
				Header:     http.Header{},
				Cookie:     nil,
				TLS:        nil,
			}
			response, err := p.ApplicationRequest(r)
			So(err, ShouldBeNil)
			So(response, ShouldNotBeNil)
			So(len(response.Token), ShouldBeGreaterThan, 0)
			So(response.PUContext, ShouldEqual, pctx)
			So(response.TLSListener, ShouldBeTrue)
		})

		Convey("Given a request for a public external service, I should accept it", func() {
			u, _ := url.Parse("http://www.foo.com/public") // nolint
			r := &Request{
				SourceAddress: &net.TCPAddr{
					IP:   net.ParseIP("10.1.1.1"),
					Port: 1000,
				},
				OriginalDestination: &net.TCPAddr{
					IP:   net.ParseIP("45.1.1.1"),
					Port: 80,
				},
				Method:     "GET",
				URL:        u,
				RequestURI: "/public",
				Header:     http.Header{},
				Cookie:     nil,
				TLS:        nil,
			}
			response, err := p.ApplicationRequest(r)
			So(err, ShouldBeNil)
			So(response, ShouldNotBeNil)
			So(len(response.Token), ShouldEqual, 0)
			So(response.PUContext, ShouldEqual, pctx)
			So(response.TLSListener, ShouldBeTrue)
		})

		Convey("Given a request for a controlled external service with valid policy, I should accept it", func() {
			u, _ := url.Parse("http://www.foo.com/admin") // nolint
			r := &Request{
				SourceAddress: &net.TCPAddr{
					IP:   net.ParseIP("10.1.1.1"),
					Port: 1000,
				},
				OriginalDestination: &net.TCPAddr{
					IP:   net.ParseIP("45.1.1.1"),
					Port: 80,
				},
				Method:     "GET",
				URL:        u,
				RequestURI: "/admin",
				Header:     http.Header{},
				Cookie:     nil,
				TLS:        nil,
			}
			response, err := p.ApplicationRequest(r)
			So(err, ShouldBeNil)
			So(response, ShouldNotBeNil)
			So(len(response.Token), ShouldEqual, 0)
			So(response.PUContext, ShouldEqual, pctx)
			So(response.TLSListener, ShouldBeTrue)
		})

		Convey("Given a request for a controlled external service with forbidden policy, I should reject it", func() {
			u, _ := url.Parse("http://www.foo.com/forbidden") // nolint
			r := &Request{
				SourceAddress: &net.TCPAddr{
					IP:   net.ParseIP("10.1.1.1"),
					Port: 1000,
				},
				OriginalDestination: &net.TCPAddr{
					IP:   net.ParseIP("45.1.1.1"),
					Port: 80,
				},
				Method:     "GET",
				URL:        u,
				RequestURI: "/forbidden",
				Header:     http.Header{},
				Cookie:     nil,
				TLS:        nil,
			}
			_, err := p.ApplicationRequest(r)
			So(err, ShouldNotBeNil)
			authErr, ok := err.(*AuthError)
			So(ok, ShouldBeTrue)
			So(authErr.Status(), ShouldEqual, http.StatusForbidden)
		})

		Convey("Given a request for a controlled external service with an uknown URI, I should reject it", func() {
			u, _ := url.Parse("http://www.foo.com/random") // nolint
			r := &Request{
				SourceAddress: &net.TCPAddr{
					IP:   net.ParseIP("10.1.1.1"),
					Port: 1000,
				},
				OriginalDestination: &net.TCPAddr{
					IP:   net.ParseIP("45.1.1.1"),
					Port: 80,
				},
				Method:     "GET",
				URL:        u,
				RequestURI: "/random",
				Header:     http.Header{},
				Cookie:     nil,
				TLS:        nil,
			}
			_, err := p.ApplicationRequest(r)
			So(err, ShouldNotBeNil)
			authErr, ok := err.(*AuthError)
			So(ok, ShouldBeTrue)
			So(authErr.Status(), ShouldEqual, http.StatusForbidden)
		})

		Convey("Given a request for a an external service dropped by network rules it should be rejected", func() {
			u, _ := url.Parse("http://www.foo.com/random") // nolint
			r := &Request{
				SourceAddress: &net.TCPAddr{
					IP:   net.ParseIP("10.1.1.1"),
					Port: 1000,
				},
				OriginalDestination: &net.TCPAddr{
					IP:   net.ParseIP("100.1.1.1"),
					Port: 80,
				},
				Method:     "GET",
				URL:        u,
				RequestURI: "/public",
				Header:     http.Header{},
				Cookie:     nil,
				TLS:        nil,
			}
			_, err := p.ApplicationRequest(r)
			So(err, ShouldNotBeNil)
			authErr, ok := err.(*AuthError)
			So(ok, ShouldBeTrue)
			So(authErr.Status(), ShouldEqual, http.StatusNetworkAuthenticationRequired)
		})
	})
}

func Test_NetworkRequest(t *testing.T) {
	Convey("Given a valid authorization processor", t, func() {
		ctx, cancel := context.WithCancel(context.Background())
		defer cancel()

		ctrl := gomock.NewController(t)
		_, pctx, s := newAPIAuthProcessor(ctrl)
		p := New("test", s)

		Convey("Requests for bad context should return errors", func() {
			u, _ := url.Parse("http://www.foo.com/public") // nolint
			r := &Request{
				SourceAddress: &net.TCPAddr{
					IP:   net.ParseIP("10.1.1.1"),
					Port: 1000,
				},
				OriginalDestination: &net.TCPAddr{
					IP:   net.ParseIP("20.1.1.1"),
					Port: 8080,
				},
				Method:     "GET",
				URL:        u,
				RequestURI: "/public",
				Header:     http.Header{},
				Cookie:     nil,
				TLS:        nil,
			}
			_, err := p.NetworkRequest(ctx, r)
			So(err, ShouldNotBeNil)

			authErr, ok := err.(*AuthError)
			So(ok, ShouldBeTrue)
			So(authErr.Status(), ShouldEqual, http.StatusInternalServerError)
		})

		Convey("Requests a valid context with a drop network policy must be rejected", func() {
			u, _ := url.Parse("http://www.foo.com/public") // nolint
			r := &Request{
				SourceAddress: &net.TCPAddr{
					IP:   net.ParseIP("100.1.1.1"),
					Port: 1000,
				},
				OriginalDestination: &net.TCPAddr{
					IP:   net.ParseIP("10.1.1.1"),
					Port: 80,
				},
				Method:     "GET",
				URL:        u,
				RequestURI: "/public",
				Header:     http.Header{},
				Cookie:     nil,
				TLS:        nil,
			}
			response, err := p.NetworkRequest(ctx, r)
			So(err, ShouldNotBeNil)
			So(response, ShouldNotBeNil)

			authErr, ok := err.(*AuthError)
			So(ok, ShouldBeTrue)
			So(authErr.Status(), ShouldEqual, http.StatusNetworkAuthenticationRequired)
			So(response.NetworkPolicyID, ShouldEqual, rejectPolicyID)
			So(response.NetworkServiceID, ShouldEqual, rejectServiceID)
			So(response.DropReason, ShouldEqual, collector.PolicyDrop)
			So(response.SourceType, ShouldEqual, collector.EndPointTypeExternalIP)
		})

		Convey("Requests a valid context with an invalid token, I should get forbidden", func() {
			u, _ := url.Parse("http://www.foo.com/public") // nolint
			h := http.Header{}
			h.Add("X-APORETO-AUTH", "badvalue")
			h.Add("X-APORETO-KEY", "badvalue")

			r := &Request{
				SourceAddress: &net.TCPAddr{
					IP:   net.ParseIP("45.1.1.1"),
					Port: 1000,
				},
				OriginalDestination: &net.TCPAddr{
					IP:   net.ParseIP("10.1.1.1"),
					Port: 80,
				},
				Method:     "GET",
				URL:        u,
				RequestURI: "/public",
				Header:     h,
				Cookie:     nil,
				TLS:        nil,
			}
			response, err := p.NetworkRequest(ctx, r)
			So(err, ShouldNotBeNil)
			So(response, ShouldNotBeNil)

			authErr, ok := err.(*AuthError)
			So(ok, ShouldBeTrue)
			So(authErr.Status(), ShouldEqual, http.StatusForbidden)
			So(authErr.Message(), ShouldContainSubstring, "Invalid Authorization Token:")
			So(response.NetworkPolicyID, ShouldEqual, policyID)
			So(response.NetworkServiceID, ShouldEqual, serviceID)
			So(response.DropReason, ShouldEqual, collector.PolicyDrop)
			So(response.SourceType, ShouldEqual, collector.EndPointTypeExternalIP)
		})

		Convey("Requests a valid context with a valid Aporeto token to a public URL from a valid network it should succeed", func() {
			u, _ := url.Parse("http://www.foo.com/public") // nolint
			token, err := servicetokens.CreateAndSign(
				"somenode",
				pctx.Identity().GetSlice(),
				pctx.Scopes(),
				pctx.ManagementID(),
				DefaultValidity,
				s.EncodingKey(),
				nil,
			)
			So(err, ShouldBeNil)

			h := http.Header{}
			h.Add("X-APORETO-AUTH", token)
			h.Add("X-APORETO-KEY", string(s.TransmittedKey()))

			r := &Request{
				SourceAddress: &net.TCPAddr{
					IP:   net.ParseIP("45.1.1.1"),
					Port: 1000,
				},
				OriginalDestination: &net.TCPAddr{
					IP:   net.ParseIP("10.1.1.1"),
					Port: 80,
				},
				Method:     "GET",
				URL:        u,
				RequestURI: "/public",
				Header:     h,
				Cookie:     nil,
				TLS:        nil,
			}
			response, err := p.NetworkRequest(ctx, r)
			So(err, ShouldBeNil)
			So(response.NetworkPolicyID, ShouldEqual, policyID)
			So(response.NetworkServiceID, ShouldEqual, serviceID)
			So(response.SourceType, ShouldEqual, collector.EndPointTypePU)
		})

		Convey("Requests a valid context with a valid Aporeto token based on PU network policy it should succeed", func() {
			u, _ := url.Parse("http://www.foo.com/public") // nolint
			token, err := servicetokens.CreateAndSign(
				"somenode",
				pctx.Identity().GetSlice(),
				pctx.Scopes(),
				pctx.ManagementID(),
				DefaultValidity,
				s.EncodingKey(),
				nil,
			)
			So(err, ShouldBeNil)

			h := http.Header{}
			h.Add("X-APORETO-AUTH", token)
			h.Add("X-APORETO-KEY", string(s.TransmittedKey()))

			r := &Request{
				SourceAddress: &net.TCPAddr{
					IP:   net.ParseIP("60.1.1.1"),
					Port: 1000,
				},
				OriginalDestination: &net.TCPAddr{
					IP:   net.ParseIP("10.1.1.1"),
					Port: 80,
				},
				Method:     "GET",
				URL:        u,
				RequestURI: "/public",
				Header:     h,
				Cookie:     nil,
				TLS:        nil,
			}
			response, err := p.NetworkRequest(ctx, r)
			So(err, ShouldBeNil)
			So(response.ObservedPolicyID, ShouldEqual, "pu"+policyID)
			So(response.ObservedAction, ShouldEqual, policy.Accept)
			So(response.NetworkPolicyID, ShouldEqual, "pu"+policyID)
			So(response.SourceType, ShouldEqual, collector.EndPointTypePU)
		})

		Convey("Requests a valid context with no Aporeto claims and no network policy, it should be dropped", func() {
			u, _ := url.Parse("http://www.foo.com/public") // nolint

			r := &Request{
				SourceAddress: &net.TCPAddr{
					IP:   net.ParseIP("60.1.1.1"),
					Port: 1000,
				},
				OriginalDestination: &net.TCPAddr{
					IP:   net.ParseIP("10.1.1.1"),
					Port: 80,
				},
				Method:     "GET",
				URL:        u,
				RequestURI: "/public",
				Header:     http.Header{},
				Cookie:     nil,
				TLS:        nil,
			}
			response, err := p.NetworkRequest(ctx, r)
			So(err, ShouldNotBeNil)
			authErr, ok := err.(*AuthError)
			So(ok, ShouldBeTrue)
			So(authErr.Status(), ShouldEqual, http.StatusNetworkAuthenticationRequired)
			So(response.NetworkPolicyID, ShouldEqual, collector.DefaultEndPoint)
			So(response.SourceType, ShouldEqual, collector.EndPointTypeExternalIP)
		})

		Convey("Requests a valid context with a valid Aporeto token but network reject, it should be rejected", func() {
			u, _ := url.Parse("http://www.foo.com/public") // nolint
			badTags := append(pctx.Identity().GetSlice(), "app=bad")
			token, err := servicetokens.CreateAndSign(
				"badnode",
				badTags,
				pctx.Scopes(),
				"badnodeID",
				DefaultValidity,
				s.EncodingKey(),
				nil,
			)
			So(err, ShouldBeNil)

			h := http.Header{}
			h.Add("X-APORETO-AUTH", token)
			h.Add("X-APORETO-KEY", string(s.TransmittedKey()))

			r := &Request{
				SourceAddress: &net.TCPAddr{
					IP:   net.ParseIP("60.1.1.1"),
					Port: 1000,
				},
				OriginalDestination: &net.TCPAddr{
					IP:   net.ParseIP("10.1.1.1"),
					Port: 80,
				},
				Method:     "GET",
				URL:        u,
				RequestURI: "/public",
				Header:     h,
				Cookie:     nil,
				TLS:        nil,
			}
			response, err := p.NetworkRequest(ctx, r)
			So(err, ShouldNotBeNil)
			So(response.NetworkPolicyID, ShouldEqual, "reject"+policyID)
			So(response.SourceType, ShouldEqual, collector.EndPointTypePU)
		})

		Convey("Requests a valid context with a valid Aporeto token to a private URL it should succeed", func() {
			u, _ := url.Parse("http://www.foo.com/admin") // nolint
			token, err := servicetokens.CreateAndSign(
				"somenode",
				pctx.Identity().GetSlice(),
				pctx.Scopes(),
				pctx.ManagementID(),
				DefaultValidity,
				s.EncodingKey(),
				nil,
			)
			So(err, ShouldBeNil)

			h := http.Header{}
			h.Add("X-APORETO-AUTH", token)
			h.Add("X-APORETO-KEY", string(s.TransmittedKey()))

			r := &Request{
				SourceAddress: &net.TCPAddr{
					IP:   net.ParseIP("45.1.1.1"),
					Port: 1000,
				},
				OriginalDestination: &net.TCPAddr{
					IP:   net.ParseIP("10.1.1.1"),
					Port: 80,
				},
				Method:     "GET",
				URL:        u,
				RequestURI: "/admin",
				Header:     h,
				Cookie:     nil,
				TLS:        nil,
			}
			response, err := p.NetworkRequest(ctx, r)
			So(err, ShouldBeNil)
			So(response.NetworkPolicyID, ShouldEqual, policyID)
			So(response.NetworkServiceID, ShouldEqual, serviceID)
			So(response.SourceType, ShouldEqual, collector.EndPointTypePU)
		})

		Convey("Requests a valid context with a valid Aporeto token to a forbidden URL it should return error", func() {
			u, _ := url.Parse("http://www.foo.com/forbidden") // nolint
			token, err := servicetokens.CreateAndSign(
				"somenode",
				pctx.Identity().GetSlice(),
				pctx.Scopes(),
				"forbiddennode",
				DefaultValidity,
				s.EncodingKey(),
				nil,
			)
			So(err, ShouldBeNil)

			h := http.Header{}
			h.Add("X-APORETO-AUTH", token)
			h.Add("X-APORETO-KEY", string(s.TransmittedKey()))

			r := &Request{
				SourceAddress: &net.TCPAddr{
					IP:   net.ParseIP("45.1.1.1"),
					Port: 1000,
				},
				OriginalDestination: &net.TCPAddr{
					IP:   net.ParseIP("10.1.1.1"),
					Port: 80,
				},
				Method:     "GET",
				URL:        u,
				RequestURI: "/forbidden",
				Header:     h,
				Cookie:     nil,
				TLS:        nil,
			}
			response, err := p.NetworkRequest(ctx, r)
			So(err, ShouldNotBeNil)
			authError, ok := err.(*AuthError)
			So(ok, ShouldBeTrue)
			So(authError.Status(), ShouldEqual, http.StatusUnauthorized)
			So(response.NetworkPolicyID, ShouldEqual, policyID)
			So(response.NetworkServiceID, ShouldEqual, serviceID)
			So(response.SourceType, ShouldEqual, collector.EndPointTypePU)
		})
	})
}

func Test_UserCredentials(t *testing.T) {

	Convey("Given a valid authorizer", t, func() {
		ctx, cancel := context.WithCancel(context.Background())
		defer cancel()

		ctrl := gomock.NewController(t)
		serviceRegistry, _, s := newAPIAuthProcessor(ctrl)
		p := New("test", s)
		So(p, ShouldNotBeNil)

		portContext, err := serviceRegistry.RetrieveExposedServiceContext(net.ParseIP("10.1.1.1"), 80, "")
		So(err, ShouldBeNil)
		So(portContext, ShouldNotBeNil)

		verifier, ok := portContext.Service.UserAuthorizationHandler.(*mockusertokens.MockVerifier)
		So(ok, ShouldBeTrue)

		Convey("When the request is not TLS, there is no user data", func() {
			u, _ := url.Parse("http://www.foo.com/admin")
			d := &NetworkAuthResponse{}
			r := &Request{
				SourceAddress: &net.TCPAddr{
					IP:   net.ParseIP("45.1.1.1"),
					Port: 1000,
				},
				OriginalDestination: &net.TCPAddr{
					IP:   net.ParseIP("10.1.1.1"),
					Port: 80,
				},
				Method:     "GET",
				URL:        u,
				RequestURI: "/admin",
				Header:     http.Header{},
				Cookie:     nil,
				TLS:        nil,
			}
			userCredentials(ctx, portContext, r, d)
			So(len(d.UserAttributes), ShouldEqual, 0)
		})

		Convey("When the request is TLS and a user is identified, the claims are correct", func() {
			u, _ := url.Parse("http://www.foo.com/admin")
			d := &NetworkAuthResponse{}

			r := &Request{
				SourceAddress: &net.TCPAddr{
					IP:   net.ParseIP("45.1.1.1"),
					Port: 1000,
				},
				OriginalDestination: &net.TCPAddr{
					IP:   net.ParseIP("10.1.1.1"),
					Port: 80,
				},
				Method:     "GET",
				URL:        u,
				RequestURI: "/admin",
				Header:     http.Header{},
				Cookie:     nil,
				TLS:        &tls.ConnectionState{},
			}
			verifier.EXPECT().Validate(ctx, gomock.Any()).Return([]string{"user=flash"}, false, "", nil)
			userCredentials(ctx, portContext, r, d)
			So(len(d.UserAttributes), ShouldEqual, 1)
			So(d.UserAttributes[0], ShouldEqual, "user=flash")
			So(d.SourceType, ShouldEqual, collector.EndPointTypeClaims)
			So(d.Redirect, ShouldBeFalse)
		})

		Convey("When the request is TLS and user authorization fails with a redirect, the redirect should be set", func() {
			u, _ := url.Parse("http://www.foo.com/admin")
			d := &NetworkAuthResponse{}

			h := http.Header{}
			h.Add("Authorization", "Bearer MockJWTToken")
			r := &Request{
				SourceAddress: &net.TCPAddr{
					IP:   net.ParseIP("45.1.1.1"),
					Port: 1000,
				},
				OriginalDestination: &net.TCPAddr{
					IP:   net.ParseIP("10.1.1.1"),
					Port: 80,
				},
				Method:     "GET",
				URL:        u,
				RequestURI: "/admin",
				Header:     http.Header{},
				Cookie:     nil,
				TLS:        &tls.ConnectionState{},
			}
			verifier.EXPECT().Validate(ctx, gomock.Any()).Return(nil, true, "MockJWTToken", fmt.Errorf("auth failed"))
			userCredentials(ctx, portContext, r, d)
			So(len(d.UserAttributes), ShouldEqual, 0)
			So(d.Redirect, ShouldBeTrue)
		})

		Convey("When the request is TLS and user authorization succeeds with a refresh token, the cookie must be set", func() {
			u, _ := url.Parse("http://www.foo.com/admin")
			d := &NetworkAuthResponse{}

			h := http.Header{}
			h.Add("Authorization", "Bearer MockJWTToken")
			r := &Request{
				SourceAddress: &net.TCPAddr{
					IP:   net.ParseIP("45.1.1.1"),
					Port: 1000,
				},
				OriginalDestination: &net.TCPAddr{
					IP:   net.ParseIP("10.1.1.1"),
					Port: 80,
				},
				Method:     "GET",
				URL:        u,
				RequestURI: "/admin",
				Header:     http.Header{},
				Cookie:     nil,
				TLS:        &tls.ConnectionState{},
			}
			verifier.EXPECT().Validate(ctx, gomock.Any()).Return(nil, true, "NewToken", fmt.Errorf("auth failed"))
			userCredentials(ctx, portContext, r, d)
			So(len(d.UserAttributes), ShouldEqual, 0)
			So(d.Redirect, ShouldBeTrue)
			So(d.Cookie, ShouldNotBeNil)
			So(d.Cookie.Name, ShouldEqual, "X-APORETO-AUTH")
			So(d.Cookie.Value, ShouldEqual, "NewToken")
			So(d.Cookie.HttpOnly, ShouldBeTrue)
			So(d.Cookie.Secure, ShouldBeTrue)
			So(d.Cookie.Path, ShouldEqual, "/")
		})
	})
}


================================================
FILE: controller/internal/enforcer/apiauth/types.go
================================================
package apiauth

import (
	"crypto/tls"
	"net"
	"net/http"
	"net/url"

	"go.aporeto.io/enforcerd/trireme-lib/collector"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/pucontext"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
)

// Request captures all the important items of request that are needed
// for processing the authorization decision.
type Request struct {

	// SourceAddress, only required for network authorization requests.
	SourceAddress *net.TCPAddr

	// OriginalDestination required for all requests.
	OriginalDestination *net.TCPAddr

	// HTTP header information.
	Method     string
	URL        *url.URL
	RequestURI string
	Header     http.Header
	Cookie     *http.Cookie

	// TLS information. This is optional if mutual TLS based authorization
	// must be supported.
	TLS *tls.ConnectionState
}

// NetworkAuthResponse is the decision of the authorization process.
type NetworkAuthResponse struct {

	// Discovered service context and associated information.
	PUContext *pucontext.PUContext
	ServiceID string
	Namespace string

	// Network policy ID and service that affect the call.
	NetworkPolicyID  string
	NetworkServiceID string
	ObservedPolicyID string
	ObservedAction   policy.ActionType

	// Definition of the source.
	SourceType collector.EndPointType
	SourcePUID string

	// Action associated with the response and DropReason if dropped.
	Action     policy.ActionType
	DropReason string

	// Redirect information that should be used by the responder.
	Redirect    bool
	RedirectURI string
	Cookie      *http.Cookie
	Data        string
	Header      http.Header

	// UserAttrbutes discovered from the tokens.
	UserAttributes []string

	// TLSListener determines that TLS must be re-initiated towards
	// the listener.
	TLSListener bool

	// Fields used when ping is enabled.
	PingConfig *PingConfig
}

// PingConfig holds config specific for ping traffic.
type PingConfig struct {
	PingID      string
	IterationID int
	Claims      []string
	PayloadSize int
}

// AppAuthResponse is the decision of the authorization process.
type AppAuthResponse struct {
	// Discovered context and service information
	PUContext *pucontext.PUContext
	ServiceID string
	External  bool

	// Network policy ID and service ID that affect the response.
	NetworkPolicyID  string
	NetworkServiceID string

	// Action of the response and DropReason if the call must be dropped.
	Action     policy.ActionType
	DropReason string

	// Resolved token
	Token string

	// HookMethod is the corresponding HTTP rule hook method
	HookMethod string

	// TLSListener indicates that the external entity is a TLS listener,
	// and we must start a TLS session. Only applies to External connections.
	TLSListener bool
}

// AuthError implements the error interface, but provides additional information
// for the types of errors discovered.
type AuthError struct {
	status  int
	message string
	err     error
}

// Error implement the string interface of error.
func (a *AuthError) Error() string {
	return a.message
}

// Message returns the message of the error.
func (a *AuthError) Message() string {
	return a.message
}

// Status returns the status of the message.
func (a *AuthError) Status() int {
	return a.status
}


================================================
FILE: controller/internal/enforcer/applicationproxy/applicationproxy.go
================================================
package applicationproxy

import (
	"context"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net"
	"strconv"
	"sync"

	"github.com/blang/semver"
	"github.com/opentracing/opentracing-go"
	"go.aporeto.io/enforcerd/trireme-lib/collector"
	tcommon "go.aporeto.io/enforcerd/trireme-lib/common"
	"go.aporeto.io/enforcerd/trireme-lib/controller/constants"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/applicationproxy/common"
	httpproxy "go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/applicationproxy/http"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/applicationproxy/markedconn"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/applicationproxy/protomux"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/applicationproxy/serviceregistry"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/applicationproxy/tcp"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/nfqdatapath/tokenaccessor"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/utils/ephemeralkeys"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/fqconfig"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/ipsetmanager"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/pucontext"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/secrets"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
	"go.aporeto.io/enforcerd/trireme-lib/utils/cache"
	"go.uber.org/zap"
)

// ServerInterface describes the methods required by an application processor.
type ServerInterface interface {
	UpdateSecrets(cert *tls.Certificate, ca *x509.CertPool, secrets secrets.Secrets, certPEM, keyPEM string)
	ShutDown() error
}

type clientData struct {
	protomux  *protomux.MultiplexedListener
	netserver map[common.ListenerType]ServerInterface
}

// AppProxy maintains state for proxies connections from listen to backend.
type AppProxy struct {
	cert *tls.Certificate

	tokenaccessor   tokenaccessor.TokenAccessor
	collector       collector.EventCollector
	puFromID        cache.DataStore
	secrets         secrets.Secrets
	datapathKeyPair ephemeralkeys.KeyAccessor
	agentVersion    semver.Version

	clients     cache.DataStore
	tokenIssuer tcommon.ServiceTokenIssuer
	sync.RWMutex
}

// NewAppProxy creates a new instance of the application proxy.
func NewAppProxy(
	tp tokenaccessor.TokenAccessor,
	c collector.EventCollector,
	puFromID cache.DataStore,
	s secrets.Secrets,
	t tcommon.ServiceTokenIssuer,
	datapathKeyPair ephemeralkeys.KeyAccessor,
	agentVersion semver.Version,
) (*AppProxy, error) {

	return &AppProxy{
		collector:       c,
		tokenaccessor:   tp,
		secrets:         s,
		puFromID:        puFromID,
		cert:            nil,
		clients:         cache.NewCache("clients"),
		tokenIssuer:     t,
		datapathKeyPair: datapathKeyPair,
		agentVersion:    agentVersion,
	}, nil
}

// Run starts all the network side proxies. Application side proxies will
// have to start during enforce in order to support multiple Linux processes.
func (p *AppProxy) Run(ctx context.Context) error {

	return nil
}

// Enforce implements enforcer.Enforcer interface. It will create the necessary
// proxies for the particular PU. Enforce can be called multiple times, once
// for every policy update.
func (p *AppProxy) Enforce(ctx context.Context, puID string, puInfo *policy.PUInfo) error {

	p.Lock()
	defer p.Unlock()

	span, tctx := opentracing.StartSpanFromContext(ctx, "applicationproxy.enforce")
	defer span.Finish()

	if puInfo.Policy.ServicesListeningPort() == "0" {
		zap.L().Warn("Services listening port not specified - not activating proxy")
		return nil
	}

	data, err := p.puFromID.Get(puID)
	if err != nil || data == nil {
		return fmt.Errorf("undefined PU - Context not found: %s", puID)
	}

	puContext, ok := data.(*pucontext.PUContext)
	if !ok {
		return fmt.Errorf("bad data types for puContext")
	}

	sctx, err := serviceregistry.Instance().Register(puID, puInfo, puContext, p.secrets)
	if err != nil {
		return fmt.Errorf("policy conflicts detected: %s", err)
	}

	caPool, err := p.expandCAPool(sctx.RootCA)
	if err != nil {
		return err
	}

	// For updates we need to update the certificates if we have new ones. Otherwise
	// we return. There is nothing else to do in case of policy update.
	if c, cerr := p.clients.Get(puID); cerr == nil {
		if _, perr := p.processCertificateUpdates(puInfo, c.(*clientData), caPool); perr != nil {
			zap.L().Error("unable to update certificates and services", zap.Error(perr))
			return perr
		}
		return nil
	}

	// Create the network listener and cache it so that we can terminate it later.
	l, err := p.createNetworkListener(tctx, ":"+puInfo.Policy.ServicesListeningPort())
	if err != nil {
		zap.L().Error("Failed to create network listener", zap.Error(err))
		return fmt.Errorf("Cannot create listener on port %s: %s", puInfo.Policy.ServicesListeningPort(), err)
	}

	// Create a new client entry and start the servers.
	client := &clientData{
		netserver: map[common.ListenerType]ServerInterface{},
	}
	client.protomux = protomux.NewMultiplexedListener(l, constants.ProxyMarkInt, puID)

	// Listen to HTTP requests from the clients
	client.netserver[common.HTTPApplication], err = p.registerAndRun(tctx, puID, common.HTTPApplication, client.protomux, caPool, true)
	if err != nil {
		return fmt.Errorf("Cannot create listener type %d: %s", common.HTTPApplication, err)
	}

	// Listen to HTTPS requests on the network side.
	client.netserver[common.HTTPSNetwork], err = p.registerAndRun(tctx, puID, common.HTTPSNetwork, client.protomux, caPool, false)
	if err != nil {
		return fmt.Errorf("Cannot create listener type %d: %s", common.HTTPSNetwork, err)
	}

	// Listen to HTTP requests on the network side - mainly used for health probes - completely insecure for
	// anything else.
	client.netserver[common.HTTPNetwork], err = p.registerAndRun(tctx, puID, common.HTTPNetwork, client.protomux, caPool, false)
	if err != nil {
		return fmt.Errorf("Cannot create listener type %d: %s", common.HTTPNetwork, err)
	}

	// TCP Requests for clients
	client.netserver[common.TCPApplication], err = p.registerAndRun(tctx, puID, common.TCPApplication, client.protomux, caPool, true)
	if err != nil {
		return fmt.Errorf("Cannot create listener type %d: %s", common.TCPApplication, err)
	}

	// TCP Requests from the network side
	client.netserver[common.TCPNetwork], err = p.registerAndRun(tctx, puID, common.TCPNetwork, client.protomux, caPool, false)
	if err != nil {
		return fmt.Errorf("Cannot create listener type %d: %s", common.TCPNetwork, err)
	}

	if _, err = p.processCertificateUpdates(puInfo, client, caPool); err != nil {
		zap.L().Error("Failed to update certificates", zap.Error(err))
		return fmt.Errorf("Certificates not updated: %s", err)
	}

	// Add the client to the cache
	p.clients.AddOrUpdate(puID, client)

	// Start the connection multiplexer
	go client.protomux.Serve(tctx) // nolint

	return nil
}

// Unenforce implements enforcer.Enforcer interface. It will shutdown the app side
// of the proxy.
func (p *AppProxy) Unenforce(ctx context.Context, puID string) error {
	p.Lock()
	defer p.Unlock()

	// Remove pu from registry
	if err := serviceregistry.Instance().Unregister(puID); err != nil {
		return err
	}

	// Find the correct client.
	c, err := p.clients.Get(puID)
	if err != nil {
		return fmt.Errorf("Unable to find client")
	}
	client := c.(*clientData)

	// Terminate the connection multiplexer.
	// Do it before shutting down servers below to avoid Accept() errors.
	client.protomux.Close()

	// Shutdown all the servers and unregister listeners.
	for t, server := range client.netserver {
		if err := client.protomux.UnregisterListener(t); err != nil {
			zap.L().Error("Unable to unregister client", zap.Int("type", int(t)), zap.Error(err))
		}
		if err := server.ShutDown(); err != nil {
			zap.L().Debug("Unable to shutdown client server", zap.Error(err))
		}
	}

	// Remove the client from the cache.
	return p.clients.Remove(puID)
}

// GetFilterQueue is a stub for TCP proxy
func (p *AppProxy) GetFilterQueue() *fqconfig.FilterQueue {
	return nil
}

// Ping runs ping to the given config based on the service type. Returns error on invalid types.
func (p *AppProxy) Ping(ctx context.Context, contextID string, sctx *serviceregistry.ServiceContext, sdata *serviceregistry.DependentServiceData, pingConfig *policy.PingConfig) error {

	if pingConfig == nil || sctx == nil || sdata == nil {
		zap.L().Debug("unable to run ping",
			zap.Reflect("pingconfig", pingConfig),
			zap.Reflect("serviceCtx", sctx),
			zap.Reflect("serviceData", sdata),
		)

		return nil
	}

	c, err := p.clients.Get(contextID)
	if err != nil {
		return fmt.Errorf("unable to find client with contextID: %s", contextID)
	}
	client := c.(*clientData)

	switch sdata.ServiceObject.Type {
	case policy.ServiceTCP:
		return client.netserver[common.TCPApplication].(*tcp.Proxy).InitiatePing(ctx, sctx, sdata, pingConfig)
	case policy.ServiceHTTP:
		return client.netserver[common.HTTPApplication].(*httpproxy.Config).InitiatePing(ctx, sctx, sdata, pingConfig)
	default:
		return fmt.Errorf("unknown service type: %d", sdata.ServiceObject.Type)
	}
}

// UpdateSecrets updates the secrets of running enforcers managed by trireme. Remote enforcers will
// get the secret updates with the next policy push.
func (p *AppProxy) UpdateSecrets(secret secrets.Secrets) error {
	p.Lock()
	defer p.Unlock()
	p.secrets = secret
	return nil
}

// registerAndRun registers a new listener of the given type and runs the corresponding server
func (p *AppProxy) registerAndRun(ctx context.Context, puID string, ltype common.ListenerType, mux *protomux.MultiplexedListener, caPool *x509.CertPool, appproxy bool) (ServerInterface, error) {

	// Create a new sub-ordinate listerner and register it for the requested type.
	listener, err := mux.RegisterListener(ltype)
	if err != nil {
		return nil, fmt.Errorf("Cannot register listener: %s", err)
	}

	// Start the corresponding proxy
	switch ltype {
	case common.HTTPApplication, common.HTTPSApplication, common.HTTPNetwork, common.HTTPSNetwork:

		// If the protocol is encrypted, wrap it with TLS.
		encrypted := false
		if ltype == common.HTTPSNetwork {
			encrypted = true
		}

		c := httpproxy.NewHTTPProxy(p.collector, puID, caPool, appproxy, constants.ProxyMarkInt, p.secrets, p.tokenIssuer, p.datapathKeyPair, p.agentVersion)
		return c, c.RunNetworkServer(ctx, listener, encrypted)

	default:
		c := tcp.NewTCPProxy(p.collector, puID, p.cert, caPool, p.agentVersion, constants.ProxyMarkInt)
		return c, c.RunNetworkServer(ctx, listener)
	}
}

// createNetworkListener starts a network listener (traffic from network to PUs)
func (p *AppProxy) createNetworkListener(ctx context.Context, port string) (net.Listener, error) {
	return markedconn.NewSocketListener(ctx, port, constants.ProxyMarkInt)
}

// processCertificateUpdates processes the certificate information and updates
// the servers.
func (p *AppProxy) processCertificateUpdates(puInfo *policy.PUInfo, client *clientData, caPool *x509.CertPool) (bool, error) { // nolint:unparam

	// If there are certificates provided, we will need to update them for the
	// services. If the certificates are nil, we ignore them.
	certPEM, keyPEM, caPEM := puInfo.Policy.ServiceCertificates()
	if certPEM == "" || keyPEM == "" {
		return false, nil
	}

	// Process any updates on the cert pool
	if caPEM != "" {
		if !caPool.AppendCertsFromPEM([]byte(caPEM)) {
			zap.L().Warn("Failed to add Services CA")
		}
	}

	// Create the TLS certificate
	tlsCert, err := tls.X509KeyPair([]byte(certPEM), []byte(keyPEM))
	if err != nil {
		return false, fmt.Errorf("Invalid certificates: %s", err)
	}

	for _, server := range client.netserver {
		server.UpdateSecrets(&tlsCert, caPool, p.secrets, certPEM, keyPEM)
	}
	return true, nil
}

func (p *AppProxy) expandCAPool(externalCAs [][]byte) (*x509.CertPool, error) {

	caPool := x509.NewCertPool()

	if ok := caPool.AppendCertsFromPEM(p.secrets.CertAuthority()); !ok {
		return nil, fmt.Errorf("cannot append secrets CA %s", string(p.secrets.CertAuthority()))
	}

	for _, ca := range externalCAs {
		if ok := caPool.AppendCertsFromPEM(ca); !ok {
			return nil, fmt.Errorf("cannot append external service ca %s ", string(ca))
		}
	}

	return caPool, nil
}

// ServiceData returns the servicectx and dependentservice for the given ip:port.
func (p *AppProxy) ServiceData(
	contextID string,
	ip net.IP,
	port int,
	serviceAddresses map[string][]string) (*serviceregistry.ServiceContext, *serviceregistry.DependentServiceData, error) {

	if sctx, sdata, err := serviceregistry.Instance().RetrieveDependentServiceDataByIDAndNetwork(contextID, ip, port, ""); err == nil {
		return sctx, sdata, nil
	}

	if len(serviceAddresses) == 0 {
		return nil, nil, errors.New("no service context found")
	}

	sctx, err := serviceregistry.Instance().RetrieveServiceByID(contextID)
	if err != nil {
		return nil, nil, err
	}

	update := false
	for _, svc := range sctx.PU.Policy.DependentServices() {

		addrs, ok := serviceAddresses[svc.ID]
		if !ok {
			continue
		}

		min, max := svc.NetworkInfo.Ports.Range()

		for _, addr := range addrs {

			if ip := net.ParseIP(addr); ip.To4() == nil {
				continue
			}

			if _, exists := svc.NetworkInfo.Addresses[addr+"/32"]; exists {
				continue
			}

			_, ipNet, _ := net.ParseCIDR(addr + "/32")
			for i := int(min); i <= int(max); i++ {
				if err := ipsetmanager.V4().AddIPPortToDependentService(contextID, ipNet, strconv.Itoa(i)); err != nil {
					zap.L().Debug("Error adding dependent service ip port to ipset", zap.Error(err))
				}
			}

			update = true
			svc.NetworkInfo.Addresses[ipNet.String()] = struct{}{}
		}
	}

	if update {
		if err := serviceregistry.Instance().UpdateDependentServicesByID(contextID); err != nil {
			zap.L().Error("Error updating dependent services", zap.Error(err))
		}
	}

	return serviceregistry.Instance().RetrieveDependentServiceDataByIDAndNetwork(contextID, ip, port, "")
}


================================================
FILE: controller/internal/enforcer/applicationproxy/common/common.go
================================================
package common

import (
	"crypto/x509/pkix"
	"encoding/asn1"
	"net"

	"go.aporeto.io/enforcerd/trireme-lib/policy"
)

// ListenerType are the types of listeners that can be used.
type ListenerType int

// Values of ListenerType
const (
	TCPApplication ListenerType = iota
	TCPNetwork
	HTTPApplication
	HTTPNetwork
	HTTPSApplication
	HTTPSNetwork
)

// ExtractExtension returns true and the value of the given oid If any.
func ExtractExtension(oid asn1.ObjectIdentifier, extensions []pkix.Extension) (bool, []byte) {

	for _, ext := range extensions {
		if !ext.Id.Equal(oid) {
			continue
		}

		return true, ext.Value
	}

	return false, nil
}

// GetTLSServerName provides the server name to use in TLS config based on service configuration and destination IP.
func GetTLSServerName(
	addrAndPort string,
	service *policy.ApplicationService,
) (name string, err error) {

	if service != nil && service.NetworkInfo != nil && len(service.NetworkInfo.FQDNs) != 0 {
		name = service.NetworkInfo.FQDNs[0]
		return name, nil
	}

	name, _, err = net.SplitHostPort(addrAndPort)
	return name, err
}


================================================
FILE: controller/internal/enforcer/applicationproxy/http/error_handler.go
================================================
package httpproxy

import (
	"context"
	"io"
	"net"
	"net/http"
)

const (
	// TriremeBadGatewayText is the message to send when downstream fails.
	TriremeBadGatewayText = ":The downstream port cannot be accessed. Please validate your service ports and address/hosts configuration"

	// TriremeGatewayTimeout is the message to send when downstream times-out.
	TriremeGatewayTimeout = ":The downstream node timed-out."

	// StatusClientClosedRequest non-standard HTTP status code for client disconnection
	StatusClientClosedRequest = 499

	// StatusClientClosedRequestText non-standard HTTP status for client disconnection
	StatusClientClosedRequestText = "Client Closed Request"
)

// TriremeHTTPErrHandler Standard error handler
type TriremeHTTPErrHandler struct{}

func (e TriremeHTTPErrHandler) ServeHTTP(w http.ResponseWriter, req *http.Request, err error) {
	statusCode := http.StatusInternalServerError

	if e, ok := err.(net.Error); ok {
		if e.Timeout() {
			statusCode = http.StatusGatewayTimeout
		} else {
			statusCode = http.StatusBadGateway
		}
	} else if err == io.EOF {
		statusCode = http.StatusBadGateway
	} else if err == context.Canceled {
		statusCode = StatusClientClosedRequest
	}

	w.WriteHeader(statusCode)
	w.Write([]byte(statusText(statusCode))) // nolint errcheck
}

func statusText(statusCode int) string {

	prefix := http.StatusText(statusCode)

	switch statusCode {
	case http.StatusGatewayTimeout:
		return prefix + TriremeGatewayTimeout
	case http.StatusBadGateway:
		return prefix + TriremeBadGatewayText
	case StatusClientClosedRequest:
		return StatusClientClosedRequestText
	}
	return prefix
}


================================================
FILE: controller/internal/enforcer/applicationproxy/http/http.go
================================================
package httpproxy

import (
	"bytes"
	"context"
	"crypto/tls"
	"crypto/x509"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"strings"
	"sync"
	"time"

	"github.com/blang/semver"
	jwt "github.com/dgrijalva/jwt-go"
	"github.com/vulcand/oxy/forward"
	"go.aporeto.io/enforcerd/trireme-lib/collector"
	"go.aporeto.io/enforcerd/trireme-lib/common"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/apiauth"
	pcommon "go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/applicationproxy/common"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/applicationproxy/markedconn"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/applicationproxy/protomux"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/applicationproxy/serviceregistry"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/applicationproxy/tlshelper"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/flowstats"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/metadata"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/utils/ephemeralkeys"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/bufferpool"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/secrets"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
	"go.aporeto.io/gaia"
	"go.aporeto.io/gaia/x509extensions"
	"go.uber.org/zap"
)

type statsContextKeyType string

const (
	statsContextKey = statsContextKeyType("statsContext")

	// TriremeOIDCCallbackURI is the callback URI that must be presented by
	// any OIDC provider.
	TriremeOIDCCallbackURI = "/aporeto/oidc/callback"
	typeCertificate        = "CERTIFICATE"
)

// JWTClaims is the structure of the claims we are sending on the wire.
type JWTClaims struct {
	jwt.StandardClaims
	SourceID string
	Scopes   []string
	Profile  []string
}

type hookFunc func(w http.ResponseWriter, r *http.Request) (bool, error)

// Config maintains state for proxies connections from listen to backend.
type Config struct {
	cert             *tls.Certificate
	ca               *x509.CertPool
	keyPEM           string
	certPEM          string
	secrets          secrets.Secrets
	datapathKeyPair  ephemeralkeys.KeyAccessor
	collector        collector.EventCollector
	puContext        string
	localIPs         map[string]struct{}
	applicationProxy bool
	mark             int
	server           *http.Server
	fwd              *forward.Forwarder
	fwdTLS           *forward.Forwarder
	tlsClientConfig  *tls.Config
	auth             *apiauth.Processor
	metadata         *metadata.Client
	tokenIssuer      common.ServiceTokenIssuer
	hooks            map[string]hookFunc
	agentVersion     semver.Version

	sync.RWMutex
}

// NewHTTPProxy creates a new instance of proxy reate a new instance of Proxy
func NewHTTPProxy(
	c collector.EventCollector,
	puContext string,
	caPool *x509.CertPool,
	applicationProxy bool,
	mark int,
	secrets secrets.Secrets,
	tokenIssuer common.ServiceTokenIssuer,
	datapathKeyPair ephemeralkeys.KeyAccessor,
	agentVersion semver.Version,
) *Config {

	h := &Config{
		collector:        c,
		puContext:        puContext,
		ca:               caPool,
		applicationProxy: applicationProxy,
		mark:             mark,
		secrets:          secrets,
		localIPs:         markedconn.GetInterfaces(),
		tlsClientConfig: &tls.Config{
			RootCAs: caPool,
		},
		auth:            apiauth.New(puContext, secrets),
		metadata:        metadata.NewClient(puContext, tokenIssuer),
		tokenIssuer:     tokenIssuer,
		datapathKeyPair: datapathKeyPair,
		agentVersion:    agentVersion,
	}

	hooks := map[string]hookFunc{
		common.MetadataHookPolicy:      h.policyHook,
		common.MetadataHookHealth:      h.healthHook,
		common.MetadataHookCertificate: h.certificateHook,
		common.MetadataHookKey:         h.keyHook,
		common.MetadataHookToken:       h.tokenHook,
		common.AWSHookInfo:             h.awsInfoHook,
		common.AWSHookRole:             h.awsTokenHook,
	}

	h.hooks = hooks

	return h
}

// clientTLSConfiguration calculates the right certificates and requests to the clients.
func (p *Config) clientTLSConfiguration(conn net.Conn, originalConfig *tls.Config) (*tls.Config, error) {
	if mconn, ok := conn.(*markedconn.ProxiedConnection); ok {
		ip, port := mconn.GetOriginalDestination()
		portContext, err := serviceregistry.Instance().RetrieveExposedServiceContext(ip, port, "")
		if err != nil {
			return nil, fmt.Errorf("Unknown service: %s", err)
		}
		if portContext.Service.UserAuthorizationType == policy.UserAuthorizationMutualTLS || portContext.Service.UserAuthorizationType == policy.UserAuthorizationJWT {
			clientCAs := p.ca
			// now append the User given CA certPool
			if portContext.ClientTrustedRoots != nil {
				// append only when the certpool is given
				if len(portContext.Service.MutualTLSTrustedRoots) > 0 {
					if !clientCAs.AppendCertsFromPEM(portContext.Service.MutualTLSTrustedRoots) {
						return nil, fmt.Errorf("Unable to process client CAs")
					}
				}
			}
			config := p.newBaseTLSConfig()
			config.ClientAuth = tls.VerifyClientCertIfGiven
			config.ClientCAs = clientCAs
			return config, nil
		}
		return originalConfig, nil
	}
	return nil, fmt.Errorf("Invalid connection")
}

// newBaseTLSConfig creates the new basic TLS configuration for the server.
func (p *Config) newBaseTLSConfig() *tls.Config {
	c := tlshelper.NewBaseTLSServerConfig()
	c.NextProtos = []string{"h2"}
	c.GetCertificate = p.GetCertificateFunc
	c.ClientCAs = p.ca
	return c
}

// newBaseTLSClientConfig creates the new basic TLS configuration for the client.
func (p *Config) newBaseTLSClientConfig() *tls.Config {
	c := tlshelper.NewBaseTLSClientConfig()
	c.NextProtos = []string{"h2"}
	c.GetCertificate = p.GetCertificateFunc
	c.GetClientCertificate = p.GetClientCertificateFunc
	return c
}

// GetClientCertificateFunc returns the certificate that will be used by the Proxy as a client during the TLS
func (p *Config) GetClientCertificateFunc(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
	p.RLock()
	defer p.RUnlock()
	if p.cert != nil {
		cert, err := x509.ParseCertificate(p.cert.Certificate[0])
		if err != nil {
			zap.L().Error("http: Cannot build the cert chain")
		}
		if cert != nil {
			by, _ := x509CertToPem(cert)
			pemCert, err := buildCertChain(by, p.secrets.CertAuthority())
			if err != nil {
				zap.L().Error("http: Cannot build the cert chain")
			}
			var certChain tls.Certificate
			var certDERBlock *pem.Block
			for {
				certDERBlock, pemCert = pem.Decode(pemCert)
				if certDERBlock == nil {
					break
				}
				if certDERBlock.Type == typeCertificate {
					certChain.Certificate = append(certChain.Certificate, certDERBlock.Bytes)
				}
			}
			certChain.PrivateKey = p.cert.PrivateKey
			return &certChain, nil
		}
		return p.cert, nil
	}
	return nil, nil
}

// RunNetworkServer runs an HTTP network server. If TLS is needed, the
// listener should be already a TLS listener.
func (p *Config) RunNetworkServer(ctx context.Context, l net.Listener, encrypted bool) error {
	p.Lock()
	defer p.Unlock()

	if p.server != nil {
		return fmt.Errorf("Server already running")
	}

	// for usage by callbacks below
	protoListener, _ := l.(*protomux.ProtoListener)

	// If its an encrypted, wrap the listener in a TLS context. This is activated
	// for the listener from the network, but not for the listener from a PU.
	if encrypted {
		config := p.newBaseTLSConfig()
		config.GetConfigForClient = func(helloMsg *tls.ClientHelloInfo) (*tls.Config, error) {
			p.RLock()
			defer p.RUnlock()
			return p.clientTLSConfiguration(helloMsg.Conn, config)
		}
		config.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
			p.RLock()
			defer p.RUnlock()
			return p.cert, nil
		}
		l = tls.NewListener(l, config)
	}
	// now create a client config, this is required if Aporeto is a client.
	p.tlsClientConfig = p.newBaseTLSClientConfig()

	reportStats := func(ctx context.Context) {
		if state := ctx.Value(statsContextKey); state != nil {
			if r, ok := state.(*flowstats.ConnectionState); ok {
				r.Stats.Action = policy.Reject | policy.Log
				r.Stats.DropReason = collector.UnableToDial
				r.Stats.PolicyID = collector.DefaultEndPoint
				p.collector.CollectFlowEvent(r.Stats)
			}
		}
	}

	networkDialerWithContext := func(ctx context.Context, network, _ string) (net.Conn, error) {
		raddr, ok := ctx.Value(http.LocalAddrContextKey).(*net.TCPAddr)
		if !ok {
			reportStats(ctx)
			return nil, fmt.Errorf("invalid destination address")
		}
		var platformData *markedconn.PlatformData
		if protoListener != nil {
			platformData = markedconn.TakePlatformData(protoListener.Listener, raddr.IP, raddr.Port)
		}
		conn, err := markedconn.DialMarkedWithContext(ctx, "tcp", raddr.String(), platformData, p.mark)
		if err != nil {
			reportStats(ctx)
			return nil, fmt.Errorf("Failed to dial remote: %s", err)
		}
		return conn, nil
	}

	appDialerWithContext := func(ctx context.Context, network, _ string) (net.Conn, error) {
		raddr, ok := ctx.Value(http.LocalAddrContextKey).(*net.TCPAddr)
		if !ok {
			reportStats(ctx)
			return nil, fmt.Errorf("invalid destination address")
		}
		pctx, err := serviceregistry.Instance().RetrieveExposedServiceContext(raddr.IP, raddr.Port, "")
		if err != nil {
			return nil, err
		}
		raddr.Port = pctx.TargetPort
		var platformData *markedconn.PlatformData
		if protoListener != nil {
			platformData = markedconn.TakePlatformData(protoListener.Listener, raddr.IP, raddr.Port)
		}
		conn, err := markedconn.DialMarkedWithContext(ctx, "tcp", raddr.String(), platformData, p.mark)
		if err != nil {
			reportStats(ctx)
			return nil, fmt.Errorf("Failed to dial remote: %s", err)
		}
		return conn, nil
	}

	// Dial functions for the websockets.
	netDial := func(network, addr string) (net.Conn, error) {
		raddr, err := net.ResolveTCPAddr(network, addr)
		if err != nil {
			reportStats(ctx)
			return nil, err
		}
		var platformData *markedconn.PlatformData
		if protoListener != nil {
			platformData = markedconn.TakePlatformData(protoListener.Listener, raddr.IP, raddr.Port)
		}
		conn, err := markedconn.DialMarkedWithContext(ctx, "tcp", raddr.String(), platformData, p.mark)
		if err != nil {
			reportStats(ctx)
			return nil, fmt.Errorf("Failed to dial remote: %s", err)
		}
		return conn, nil
	}

	appDial := func(network, addr string) (net.Conn, error) {
		raddr, err := net.ResolveTCPAddr(network, addr)
		if err != nil {
			reportStats(ctx)
			return nil, err
		}
		pctx, err := serviceregistry.Instance().RetrieveExposedServiceContext(raddr.IP, raddr.Port, "")
		if err != nil {
			return nil, err
		}
		raddr.Port = pctx.TargetPort
		var platformData *markedconn.PlatformData
		if protoListener != nil {
			platformData = markedconn.TakePlatformData(protoListener.Listener, raddr.IP, raddr.Port)
		}
		conn, err := markedconn.DialMarkedWithContext(ctx, "tcp", raddr.String(), platformData, p.mark)
		if err != nil {
			reportStats(ctx)
			return nil, fmt.Errorf("Failed to dial remote: %s", err)
		}
		return conn, nil
	}

	// Create an encrypted downstream transport. We will mark the downstream connection
	// to let the iptables rule capture it.
	encryptedTransport := &http.Transport{
		TLSClientConfig:     p.tlsClientConfig,
		DialContext:         networkDialerWithContext,
		MaxIdleConnsPerHost: 2000,
		MaxIdleConns:        2000,
		ForceAttemptHTTP2:   true,
	}

	// Create an unencrypted transport for talking to the application. If encryption
	// is selected do not verify the certificates. This is supposed to be inside the
	// same system. TODO: use pinned certificates.
	transport := &http.Transport{
		TLSClientConfig: &tls.Config{
			InsecureSkipVerify: true,
			GetClientCertificate: func(*tls.CertificateRequestInfo) (*tls.Certificate, error) { // nolint
				p.RLock()
				defer p.RUnlock()
				return p.cert, nil
			},
		},
		DialContext:         appDialerWithContext,
		MaxIdleConns:        2000,
		MaxIdleConnsPerHost: 2000,
	}

	// Create the proxies downwards the network and the application.
	var err error
	p.fwdTLS, err = forward.New(
		forward.RoundTripper(encryptedTransport),
		forward.WebsocketTLSClientConfig(&tls.Config{RootCAs: p.ca}),
		forward.WebSocketNetDial(netDial),
		forward.BufferPool(bufferpool.NewPool(32*1204)),
		forward.ErrorHandler(TriremeHTTPErrHandler{}),
	)
	if err != nil {
		return fmt.Errorf("Cannot initialize encrypted transport: %s", err)
	}

	p.fwd, err = forward.New(
		forward.RoundTripper(NewTriremeRoundTripper(transport)),
		forward.WebsocketTLSClientConfig(&tls.Config{InsecureSkipVerify: true}),
		forward.WebSocketNetDial(appDial),
		forward.BufferPool(bufferpool.NewPool(32*1204)),
		forward.ErrorHandler(TriremeHTTPErrHandler{}),
	)
	if err != nil {
		return fmt.Errorf("Cannot initialize unencrypted transport: %s", err)
	}

	processor := p.processAppRequest
	if !p.applicationProxy {
		processor = p.processNetRequest
	}

	p.server = &http.Server{
		Handler: http.HandlerFunc(processor),
	}

	go func() {
		<-ctx.Done()
		p.server.Close() // nolint
	}()
	go p.server.Serve(l) // nolint

	return nil
}

// ShutDown terminates the server.
func (p *Config) ShutDown() error {
	return p.server.Close()
}

// UpdateSecrets updates the secrets
func (p *Config) UpdateSecrets(cert *tls.Certificate, caPool *x509.CertPool, s secrets.Secrets, certPEM, keyPEM string) {
	p.Lock()
	p.cert = cert
	p.ca = caPool
	p.secrets = s
	p.certPEM = certPEM
	p.keyPEM = keyPEM
	p.tlsClientConfig.RootCAs = caPool
	p.Unlock()

	p.metadata.UpdateSecrets([]byte(certPEM), []byte(keyPEM))
	p.auth.UpdateSecrets(s)
}

// GetCertificateFunc implements the TLS interface for getting the certificate. This
// allows us to update the certificates of the connection on the fly.
func (p *Config) GetCertificateFunc(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) {
	p.RLock()
	defer p.RUnlock()
	// First we check if this is a direct access to the public port. In this case
	// we will use the service public certificate. Otherwise, we will return the
	// enforcer certificate since this is internal access.
	if mconn, ok := clientHello.Conn.(*markedconn.ProxiedConnection); ok {
		ip, port := mconn.GetOriginalDestination()
		portContext, err := serviceregistry.Instance().RetrieveExposedServiceContext(ip, port, "")
		if err != nil {
			return nil, fmt.Errorf("service not available: %s %d", ip.String(), port)
		}
		service := portContext.Service
		if service.PublicNetworkInfo != nil && service.PublicNetworkInfo.Ports.Min == uint16(port) && len(service.PublicServiceCertificate) > 0 {
			tlsCert, err := tls.X509KeyPair(service.PublicServiceCertificate, service.PublicServiceCertificateKey)
			if err != nil {
				return nil, fmt.Errorf("failed to parse server certificate: %s", err)
			}
			return &tlsCert, nil
		}
		if p.cert != nil {

			cert, err := x509.ParseCertificate(p.cert.Certificate[0])
			if err != nil {
				return nil, fmt.Errorf("Leaf cert is missing")
			}
			if cert != nil {
				by, _ := x509CertToPem(cert)
				pemCert, err := buildCertChain(by, p.secrets.CertAuthority())
				if err != nil {
					zap.L().Error("http: Cannot build the cert chain")
					return nil, fmt.Errorf("Cannot build the cert chain")
				}
				var certChain tls.Certificate
				//certPEMBlock := []byte(rootcaBundle)
				var certDERBlock *pem.Block
				for {
					certDERBlock, pemCert = pem.Decode(pemCert)
					if certDERBlock == nil {
						break
					}
					if certDERBlock.Type == typeCertificate {
						certChain.Certificate = append(certChain.Certificate, certDERBlock.Bytes)
					}
				}
				certChain.PrivateKey = p.cert.PrivateKey
				//certChain.Certificate
				return &certChain, nil
			}
			return p.cert, nil
		}
		return nil, fmt.Errorf("no cert available - cert is nil")
	}
	if p.cert != nil {
		return p.cert, nil
	}
	return nil, fmt.Errorf("no cert available - cert is nil")
}

func buildCertChain(certPEM, caPEM []byte) ([]byte, error) {
	zap.L().Debug("http: BEFORE in buildCertChain certPEM", zap.String("certPEM", string(certPEM)), zap.String("caPEM", string(caPEM)))
	certChain := []*x509.Certificate{}
	clientPEMBlock := certPEM

	derBlock, _ := pem.Decode(clientPEMBlock)
	if derBlock != nil {
		if derBlock.Type == typeCertificate {
			cert, err := x509.ParseCertificate(derBlock.Bytes)
			if err != nil {
				return nil, err
			}
			certChain = append(certChain, cert)
		} else {
			return nil, fmt.Errorf("invalid pem block type: %s", derBlock.Type)
		}
	}
	var certDERBlock *pem.Block
	for {
		certDERBlock, caPEM = pem.Decode(caPEM)
		if certDERBlock == nil {
			break
		}
		if certDERBlock.Type == typeCertificate {
			cert, err := x509.ParseCertificate(certDERBlock.Bytes)
			if err != nil {
				return nil, err
			}
			certChain = append(certChain, cert)
		} else {
			return nil, fmt.Errorf("invalid pem block type: %s", certDERBlock.Type)
		}
	}
	by, _ := x509CertChainToPem(certChain)
	zap.L().Debug("http: After building the cert chain", zap.String("certChain", string(by)))
	return x509CertChainToPem(certChain)
}

// x509CertChainToPem converts chain of x509 certs to byte.
func x509CertChainToPem(certChain []*x509.Certificate) ([]byte, error) {
	var pemBytes bytes.Buffer
	for _, cert := range certChain {
		if err := pem.Encode(&pemBytes, &pem.Block{Type: typeCertificate, Bytes: cert.Raw}); err != nil {
			return nil, err
		}
	}
	return pemBytes.Bytes(), nil
}

// x509CertToPem converts x509 to byte.
func x509CertToPem(cert *x509.Certificate) ([]byte, error) {
	var pemBytes bytes.Buffer
	if err := pem.Encode(&pemBytes, &pem.Block{Type: typeCertificate, Bytes: cert.Raw}); err != nil {
		return nil, err
	}
	return pemBytes.Bytes(), nil
}
func (p *Config) processAppRequest(w http.ResponseWriter, r *http.Request) {

	zap.L().Debug("Processing Application Request", zap.String("URI", r.RequestURI), zap.String("Host", r.Host))
	originalDestination := r.Context().Value(http.LocalAddrContextKey).(*net.TCPAddr)

	// Authorize the request by calling the authorizer library.
	authRequest := &apiauth.Request{
		OriginalDestination: originalDestination,
		Method:              r.Method,
		URL:                 r.URL,
		RequestURI:          r.RequestURI,
	}

	resp, err := p.auth.ApplicationRequest(authRequest)
	if err != nil {
		if resp.PUContext != nil {
			state := flowstats.NewAppConnectionState(p.puContext, r, authRequest, resp)
			state.Stats.Action = resp.Action
			state.Stats.PolicyID = resp.NetworkPolicyID
			p.collector.CollectFlowEvent(state.Stats)
		}
		http.Error(w, err.Error(), err.(*apiauth.AuthError).Status())
		return
	}

	state := flowstats.NewAppConnectionState(p.puContext, r, authRequest, resp)
	if resp.External {
		defer p.collector.CollectFlowEvent(state.Stats)
	}

	if resp.HookMethod != "" {
		if hook, ok := p.hooks[resp.HookMethod]; ok {
			if isHook, err := hook(w, r); err != nil || isHook {
				if err != nil {
					state.Stats.Action = policy.Reject
					state.Stats.DropReason = collector.PolicyDrop
				}
				return
			}
		} else {
			http.Error(w, "Invalid hook configuration", http.StatusInternalServerError)
			return
		}
	}

	httpScheme := "http://"
	if resp.TLSListener {
		httpScheme = "https://"
	}

	// Create the new target URL based on the Host parameter that we had.
	r.URL, err = url.ParseRequestURI(httpScheme + r.Host)
	if err != nil {
		http.Error(w, "Invalid destination host name", http.StatusUnprocessableEntity)
		return
	}

	// Add the headers with the authorization parameters and public key. The other side
	// must validate our public key.
	p.RLock()
	r.Header.Add("X-APORETO-KEY", string(p.secrets.TransmittedKey()))
	p.RUnlock()
	r.Header.Add("X-APORETO-AUTH", resp.Token)

	contextWithStats := context.WithValue(r.Context(), statsContextKey, state)
	// Forward the request.
	p.fwdTLS.ServeHTTP(w, r.WithContext(contextWithStats))
}

func (p *Config) processNetRequest(w http.ResponseWriter, r *http.Request) {

	zap.L().Debug("Processing Network Request", zap.String("URI", r.RequestURI), zap.String("Host", r.Host))
	originalDestination := r.Context().Value(http.LocalAddrContextKey).(*net.TCPAddr)

	sourceAddress, err := net.ResolveTCPAddr("tcp", r.RemoteAddr)
	if err != nil {
		zap.L().Error("Internal server error - cannot determine source address information", zap.Error(err))
		http.Error(w, "Invalid network information", http.StatusForbidden)
		return
	}

	requestCookie, _ := r.Cookie("X-APORETO-AUTH") // nolint errcheck

	pr := &collector.PingReport{}

	request := &apiauth.Request{
		OriginalDestination: originalDestination,
		SourceAddress:       sourceAddress,
		Header:              r.Header,
		URL:                 r.URL,
		Method:              r.Method,
		RequestURI:          r.RequestURI,
		Cookie:              requestCookie,
		TLS:                 r.TLS,
	}

	response, err := p.auth.NetworkRequest(r.Context(), request)

	var userID string
	if response != nil && len(response.UserAttributes) > 0 {
		userData := &collector.UserRecord{
			Namespace: response.Namespace,
			Claims:    response.UserAttributes,
		}
		p.collector.CollectUserEvent(userData)
		userID = userData.ID
	}

	state := flowstats.NewNetworkConnectionState(p.puContext, userID, request, response)
	defer func() {
		if response != nil && response.PingConfig != nil {
			pr.PingID = response.PingConfig.PingID
			pr.IterationID = response.PingConfig.IterationID
			pr.Type = gaia.PingProbeTypeRequest
			pr.RemotePUID = response.SourcePUID
			pr.PUID = response.PUContext.ManagementID()
			pr.Namespace = response.Namespace
			pr.PayloadSize = response.PingConfig.PayloadSize
			pr.PayloadSizeType = gaia.PingProbePayloadSizeTypeReceived
			pr.Protocol = 6
			pr.ServiceType = "L7"
			pr.FourTuple = fmt.Sprintf("%s:%s:%d:%d",
				sourceAddress.IP.String(),
				originalDestination.IP.String(),
				sourceAddress.Port,
				originalDestination.Port)
			pr.PolicyID = response.NetworkPolicyID
			pr.PolicyAction = response.Action
			pr.ServiceID = response.ServiceID
			pr.AgentVersion = p.agentVersion.String()
			pr.RemoteEndpointType = collector.EndPointTypePU
			pr.IsServer = true
			pr.Claims = response.PingConfig.Claims
			pr.ClaimsType = gaia.PingProbeClaimsTypeReceived
			pr.RemoteNamespaceType = gaia.PingProbeRemoteNamespaceTypePlain
			pr.TargetTCPNetworks = true
			pr.ExcludedNetworks = false

			if len(r.TLS.PeerCertificates) > 0 {
				if len(r.TLS.PeerCertificates[0].Subject.Organization) > 0 {
					pr.RemoteNamespace = r.TLS.PeerCertificates[0].Subject.Organization[0]
				}
				pr.PeerCertIssuer = r.TLS.PeerCertificates[0].Issuer.String()
				pr.PeerCertSubject = r.TLS.PeerCertificates[0].Subject.String()
				pr.PeerCertExpiry = r.TLS.PeerCertificates[0].NotAfter

				if found, controller := pcommon.ExtractExtension(x509extensions.Controller(), r.TLS.PeerCertificates[0].Extensions); found {
					pr.RemoteController = string(controller)
				}
			}

			p.collector.CollectPingEvent(pr)
		} else {
			p.collector.CollectFlowEvent(state.Stats)
		}
	}()

	if err != nil {

		zap.L().Debug("Authorization error",
			zap.Error(err),
			zap.String("URI", r.RequestURI),
			zap.String("Host", r.Host),
		)
		authError, ok := err.(*apiauth.AuthError)
		if !ok {
			http.Error(w, "Internal type error", http.StatusInternalServerError)
			return
		}

		if response == nil {
			// Basic errors are captured here.
			http.Error(w, authError.Message(), authError.Status())
			return
		}

		if response.PingConfig != nil {
			pr.Error = response.DropReason
		}

		if !response.Redirect {
			// If there is no redirect, we also return an error.
			http.Error(w, authError.Message(), authError.Status())
			return
		}

		// Redirect logic. Populate information here. This is forcing a
		// redirect rather than an error.
		if response.Cookie != nil {
			http.SetCookie(w, response.Cookie)
		}
		w.Header().Add("Location", response.RedirectURI)
		http.Error(w, response.Data, authError.Status())

		return
	}

	// Select as http or https for communication with listening service.
	httpPrefix := "http://"
	if response.TLSListener {
		httpPrefix = "https://"
	}

	// Create the target URI. Websocket Gorilla proxy takes it from the URL. For normal
	// connections we don't want that.
	if forward.IsWebsocketRequest(r) {
		r.URL, err = url.ParseRequestURI(httpPrefix + originalDestination.String())
	} else {
		r.URL, err = url.ParseRequestURI(httpPrefix + r.Host)
	}
	if err != nil {
		state.Stats.DropReason = collector.InvalidFormat
		http.Error(w, fmt.Sprintf("Invalid HTTP Host parameter: %s", err), http.StatusBadRequest)
		return
	}

	// Update the request headers with the user attributes as defined by the mappings
	r.Header = response.Header

	// Update the statistics and forward the request. We always encrypt downstream
	state.Stats.Action = policy.Accept | policy.Encrypt | policy.Log

	// // Treat the remote proxy scenario where the destination IPs are in a remote
	// // host. Check of network rules that allow this transfer and report the corresponding
	// // flows.
	// if _, ok := p.localIPs[originalDestination.IP.String()]; !ok {
	// 	_, action, err := pctx.PUContext.ApplicationACLPolicyFromAddr(originalDestination.IP, uint16(originalDestination.Port))
	// 	if err != nil || action.Action.Rejected() {
	// 		defer p.collector.CollectFlowEvent(reportDownStream(state.stats, action))
	// 		http.Error(w, fmt.Sprintf("Access denied by network policy to downstream IP: %s", originalDestination.IP.String()), http.StatusNetworkAuthenticationRequired)
	// 		return
	// 	}
	// 	if action.Action.Accepted() {
	// 		defer p.collector.CollectFlowEvent(reportDownStream(state.stats, action))
	// 	}
	// }

	contextWithStats := context.WithValue(r.Context(), statsContextKey, state)
	p.fwd.ServeHTTP(w, r.WithContext(contextWithStats))
	zap.L().Debug("Forwarding Request", zap.String("URI", r.RequestURI), zap.String("Host", r.Host))
}

func (p *Config) policyHook(w http.ResponseWriter, r *http.Request) (bool, error) {
	if r.Header.Get(common.MetadataKey) != common.MetadataValue {
		http.Error(w, "unauthorized request for policy", http.StatusForbidden)
		return true, fmt.Errorf("unauthorized")
	}

	data, _, err := p.metadata.GetCurrentPolicy()
	if err != nil {
		http.Error(w, "Unable to retrieve current policy", http.StatusInternalServerError)
		return true, err
	}
	if _, err := w.Write(data); err != nil {
		zap.L().Error("Unable to write policy response")
	}

	return true, nil
}

func (p *Config) certificateHook(w http.ResponseWriter, r *http.Request) (bool, error) {
	if r.Header.Get(common.MetadataKey) != common.MetadataValue {
		http.Error(w, "unauthorized request for certificate", http.StatusForbidden)
		return true, fmt.Errorf("unauthorized")
	}

	if _, err := w.Write(p.metadata.GetCertificate()); err != nil {
		zap.L().Error("Unable to write response")
	}

	return true, nil
}

func (p *Config) keyHook(w http.ResponseWriter, r *http.Request) (bool, error) {
	if r.Header.Get(common.MetadataKey) != common.MetadataValue {
		http.Error(w, "unauthorized request for private key", http.StatusForbidden)
		return true, fmt.Errorf("unauthorized")
	}

	if _, err := w.Write(p.metadata.GetPrivateKey()); err != nil {
		zap.L().Error("Unable to write response")
	}

	return true, nil
}

func (p *Config) healthHook(w http.ResponseWriter, r *http.Request) (bool, error) {

	// Health hook will only return ok if the current policy is already populated.
	plc, _, err := p.metadata.GetCurrentPolicy()
	if err != nil || plc == nil {
		http.Error(w, "Unable to retrieve current policy", http.StatusInternalServerError)
		return true, err
	}

	if _, err := w.Write([]byte("OK\n")); err != nil {
		zap.L().Error("Unable to write response to health API")
	}
	return true, nil
}

func (p *Config) tokenHook(w http.ResponseWriter, r *http.Request) (bool, error) {

	if r.Header.Get(common.MetadataKey) != common.MetadataValue {
		http.Error(w, "unauthorized request for token", http.StatusForbidden)
		return true, fmt.Errorf("unauthorized")
	}

	audience := r.URL.Query().Get("audience")
	validityString := r.URL.Query().Get("validity")

	validity := time.Minute * 60
	var err error
	if validityString != "" {
		validity, err = time.ParseDuration(validityString)
		if err != nil {
			http.Error(w, "Invalid validity time requested. Please use notation of number+unit. Example: `10m`", http.StatusUnprocessableEntity)
			return true, nil
		}
	}

	token, err := p.tokenIssuer.Issue(r.Context(), p.puContext, common.ServiceTokenTypeOAUTH, audience, validity)
	if err != nil {
		http.Error(w, fmt.Sprintf("Unable to issue token: %s", err), http.StatusBadRequest)
		return true, nil
	}

	if _, err := w.Write([]byte(token)); err != nil {
		zap.L().Error("Unable to write response on token API")
	}
	return true, nil
}

func (p *Config) awsInfoHook(w http.ResponseWriter, r *http.Request) (bool, error) {

	if err := validateAWSHeaders(r); err != nil {
		http.Error(w, fmt.Sprintf("invalid user agent: %s", err), http.StatusForbidden)
		return true, err
	}

	awsRole, id, err := p.awsRole()
	if err != nil {
		return true, err
	}

	type info struct {
		Code               string    `json:"Code,omitempty"`
		LastUpdated        time.Time `json:"LastUpdated,omitempty"`
		InstanceProfileArn string    `json:"InstanceProfileArn,omitempty"`
		InstanceProfileID  string    `json:"InstanceProfileId,omitempty"`
	}

	out := &info{
		Code:               "Success",
		LastUpdated:        time.Now(),
		InstanceProfileArn: awsRole,
		InstanceProfileID:  id,
	}

	data, err := json.MarshalIndent(out, " ", " ")
	if err != nil {
		return true, fmt.Errorf("error in marshall of info: %s", err)
	}

	if _, err = w.Write(data); err != nil {
		return true, fmt.Errorf("unable to write data response: %s", err)
	}

	return true, nil
}

func (p *Config) awsTokenHook(w http.ResponseWriter, r *http.Request) (bool, error) {

	if err := validateAWSHeaders(r); err != nil {
		http.Error(w, fmt.Sprintf("invalid user agent: %s", err), http.StatusForbidden)
		return true, err
	}

	awsRole, id, err := p.awsRole()
	if err != nil {
		return true, err
	}

	awsRoleParts := strings.Split(awsRole, "/")
	if len(awsRoleParts) == 0 {
		http.Error(w, fmt.Sprintf("invalid role: %s", err), http.StatusNotFound)
		return true, fmt.Errorf("invalid role: %s", awsRole)
	}

	awsRoleName := awsRoleParts[len(awsRoleParts)-1]

	if strings.HasSuffix(r.RequestURI, "security-credentials/") {
		if _, err := w.Write([]byte(awsRoleName)); err != nil {
			return true, err
		}
		return true, nil
	}

	if !strings.HasSuffix(r.RequestURI, "security-credentials/"+awsRoleName) {
		http.Error(w, "not found", http.StatusNotFound)
		return true, fmt.Errorf("not found")
	}

	token, err := p.tokenIssuer.Issue(r.Context(), id, common.ServiceTokenTypeAWS, awsRole, time.Hour)
	if err != nil {
		http.Error(w, fmt.Sprintf("Unable to issue token: %s", err), http.StatusBadRequest)
		return true, nil
	}

	if _, err := w.Write([]byte(token)); err != nil {
		zap.L().Error("Unable to write response on token API")
	}
	return true, nil
}

func (p *Config) awsRole() (string, string, error) {

	_, plc, err := p.metadata.GetCurrentPolicy()
	if err != nil {
		return "", "", err
	}

	awsRole := ""
	for _, scope := range plc.Scopes {
		if strings.HasPrefix(scope, common.AWSRoleARNPrefix) {
			if awsRole != "" && awsRole != scope[len(common.AWSRolePrefix):] {
				return "", "", fmt.Errorf("overlapping roles detected")
			}
			awsRole = scope[len(common.AWSRolePrefix):]
		}
	}

	if awsRole == "" {
		return "", "", fmt.Errorf("role not found")
	}

	return awsRole, plc.ManagementID, nil
}

var (
	allowedAgents = []string{"aws-cli/", "aws-chalice/", "Boto3/", "Botocore/", "aws-sdk-"}
)

func validateAWSHeaders(r *http.Request) error {

	userAgent, ok := r.Header["User-Agent"]
	if !ok {
		return fmt.Errorf("no user-agent provided")
	}

	for _, u := range userAgent {
		for _, t := range allowedAgents {
			if strings.HasPrefix(u, t) {
				return nil
			}
		}
	}

	return fmt.Errorf("invalid user agent: %v", userAgent)
}

// func reportDownStream(record *collector.FlowRecord, action *policy.FlowPolicy) *collector.FlowRecord {
// 	return &collector.FlowRecord{
// 		ContextID: record.ContextID,
// 		Destination: &collector.EndPoint{
// 			URI:        record.Destination.URI,
// 			HTTPMethod: record.Destination.HTTPMethod,
// 			Type:       collector.EndPointTypeExternalIP,
// 			Port:       record.Destination.Port,
// 			IP:         record.Destination.IP,
// 			ID:         action.ServiceID,
// 		},
// 		Source: &collector.EndPoint{
// 			Type: record.Destination.Type,
// 			ID:   record.Destination.ID,
// 			IP:   "0.0.0.0",
// 		},
// 		Action:      action.Action,
// 		L4Protocol:  record.L4Protocol,
// 		ServiceType: record.ServiceType,
// 		ServiceID:   record.ServiceID,
// 		Tags:        record.Tags,
// 		PolicyID:    action.PolicyID,
// 		Count:       1,
// 	}
// }


================================================
FILE: controller/internal/enforcer/applicationproxy/http/ping_http.go
================================================
package httpproxy

import (
	"context"
	"fmt"
	"net"
	"net/http"
	"time"

	"go.aporeto.io/enforcerd/trireme-lib/collector"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/apiauth"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/applicationproxy/common"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/applicationproxy/markedconn"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/applicationproxy/serviceregistry"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packet"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/servicetokens"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
	"go.aporeto.io/gaia"
	"go.aporeto.io/gaia/x509extensions"
	"go.uber.org/zap"
)

const fourTupleKey = "fourTuple"

type fourTuple struct {
	sourceAddress      net.IP
	destinationAddress net.IP
	sourcePort         int
	destinationPort    int
}

// InitiatePing starts an encrypted connection to the given config.
func (p *Config) InitiatePing(ctx context.Context, sctx *serviceregistry.ServiceContext, sdata *serviceregistry.DependentServiceData, pingConfig *policy.PingConfig) error {

	zap.L().Debug("Initiating L7 ping")

	for i := 0; i < pingConfig.Iterations; i++ {
		if err := p.sendPingRequest(ctx, pingConfig, sctx, sdata, i); err != nil {
			return err
		}
	}

	return nil
}

func (p *Config) sendPingRequest(
	ctx context.Context,
	pingConfig *policy.PingConfig,
	sctx *serviceregistry.ServiceContext,
	sdata *serviceregistry.DependentServiceData,
	iterationID int) error {

	pingID := pingConfig.ID
	destIP := pingConfig.IP
	destPort := pingConfig.Port

	_, netaction, _ := sctx.PUContext.ApplicationACLPolicyFromAddr(destIP, destPort, packet.IPProtocolTCP)

	pingErr := "dial"
	if e := pingConfig.Error(); e != "" {
		pingErr = e
	}

	pr := &collector.PingReport{
		PingID:               pingID,
		IterationID:          iterationID,
		ServiceID:            sdata.APICache.ID,
		PUID:                 sctx.PUContext.ManagementID(),
		Namespace:            sctx.PUContext.ManagementNamespace(),
		Protocol:             6,
		ServiceType:          "L7",
		AgentVersion:         p.agentVersion.String(),
		ApplicationListening: false,
		ACLPolicyID:          netaction.PolicyID,
		ACLPolicyAction:      netaction.Action,
		Error:                pingErr,
		TargetTCPNetworks:    pingConfig.TargetTCPNetworks,
		ExcludedNetworks:     pingConfig.ExcludedNetworks,
		Type:                 gaia.PingProbeTypeRequest,
		RemoteEndpointType:   collector.EndPointTypeExternalIP,
		Claims:               sctx.PUContext.Identity().GetSlice(),
		ClaimsType:           gaia.PingProbeClaimsTypeTransmitted,
		RemoteNamespaceType:  gaia.PingProbeRemoteNamespaceTypePlain,
		PayloadSizeType:      gaia.PingProbePayloadSizeTypeTransmitted,
	}

	ft := &fourTuple{}

	p.RLock()
	encodingKey := p.secrets.EncodingKey()
	pubKey := p.secrets.TransmittedKey()
	p.RUnlock()

	pingPayload := &policy.PingPayload{
		PingID:      pingID,
		IterationID: iterationID,
	}

	token, err := servicetokens.CreateAndSign(
		"",
		sctx.PUContext.Identity().GetSlice(),
		sctx.PUContext.Scopes(),
		sctx.PUContext.ManagementID(),
		apiauth.DefaultValidity,
		encodingKey,
		pingPayload,
	)
	if err != nil {
		return err
	}

	networkDialerWithContext := func(ctx context.Context, _, addr string) (net.Conn, error) {

		conn, err := dial(ctx, addr, p.mark)
		if err != nil {
			return nil, fmt.Errorf("unable to dial remote: %s", err)
		}

		if v := ctx.Value(fourTupleKey); v != nil {
			if r, ok := v.(*fourTuple); ok {
				laddr := conn.LocalAddr().(*net.TCPAddr)
				raddr := conn.RemoteAddr().(*net.TCPAddr)
				r.sourceAddress = laddr.IP
				r.sourcePort = laddr.Port
				r.destinationAddress = raddr.IP
				r.destinationPort = raddr.Port
			}
		}

		return conn, nil
	}

	raddr := &net.TCPAddr{
		IP:   destIP,
		Port: int(destPort),
	}

	// ServerName: Use first configured FQDN or the destination IP
	serverName, err := common.GetTLSServerName(raddr.String(), sdata.ServiceObject)
	if err != nil {
		return fmt.Errorf("unable to get the server name: %s", err)
	}

	// Used to validate the hostname in the returned server certs.
	// TODO: Maybe we should elevate this as first class citizen ?
	p.tlsClientConfig.ServerName = serverName

	encryptedTransport := &http.Transport{
		TLSClientConfig:     p.tlsClientConfig,
		DialContext:         networkDialerWithContext,
		MaxIdleConnsPerHost: 2000,
		MaxIdleConns:        2000,
		ForceAttemptHTTP2:   true,
	}

	client := &http.Client{
		Transport: encryptedTransport,
		Timeout:   5 * time.Second,
	}

	host := fmt.Sprintf("https://%s:%d", destIP, destPort)
	ctxWithReport := context.WithValue(ctx, fourTupleKey, ft) // nolint: golint,staticcheck
	req, err := http.NewRequestWithContext(ctxWithReport, "GET", host, nil)
	if err != nil {
		return err
	}

	defer p.collector.CollectPingEvent(pr)

	pr.PayloadSize = len(pubKey) + len(token)

	req.Header.Add("X-APORETO-KEY", string(pubKey))
	req.Header.Add("X-APORETO-AUTH", token)

	startTime := time.Now()
	res, err := client.Do(req)
	if err != nil {
		pr.Error = err.Error()
		pr.FourTuple = fmt.Sprintf(
			"%s:%s:%d:%d",
			ft.sourceAddress.String(),
			ft.destinationAddress.String(),
			ft.sourcePort,
			ft.destinationPort,
		)
		return err
	}

	res.Body.Close() // nolint: errcheck

	pr.Error = ""
	pr.RTT = time.Since(startTime).String()
	pr.ApplicationListening = true
	pr.Type = gaia.PingProbeTypeResponse
	pr.FourTuple = fmt.Sprintf(
		"%s:%s:%d:%d",
		ft.destinationAddress.String(),
		ft.sourceAddress.String(),
		ft.destinationPort,
		ft.sourcePort,
	)

	if len(res.TLS.PeerCertificates) > 0 {
		pr.RemotePUID = res.TLS.PeerCertificates[0].Subject.CommonName
		pr.RemoteEndpointType = collector.EndPointTypePU
		if len(res.TLS.PeerCertificates[0].Subject.Organization) > 0 {
			pr.RemoteNamespace = res.TLS.PeerCertificates[0].Subject.Organization[0]
		}
		pr.PeerCertIssuer = res.TLS.PeerCertificates[0].Issuer.String()
		pr.PeerCertSubject = res.TLS.PeerCertificates[0].Subject.String()
		pr.PeerCertExpiry = res.TLS.PeerCertificates[0].NotAfter

		if found, controller := common.ExtractExtension(x509extensions.Controller(), res.TLS.PeerCertificates[0].Extensions); found {
			pr.RemoteController = string(controller)
		}
	}

	return nil
}

func dial(ctx context.Context, addr string, mark int) (net.Conn, error) {

	d := net.Dialer{
		Timeout: 5 * time.Second,
		Control: markedconn.ControlFunc(mark, false, nil),
	}
	return d.DialContext(ctx, "tcp", addr)
}


================================================
FILE: controller/internal/enforcer/applicationproxy/http/transport.go
================================================
package httpproxy

import (
	"net/http"

	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/flowstats"
)

// TriremeRoundTripper is the Trireme RoundTripper that will handle
// responses.
type TriremeRoundTripper struct {
	http.RoundTripper
}

// NewTriremeRoundTripper creates a new RoundTripper that handles the
// responses.
func NewTriremeRoundTripper(r http.RoundTripper) *TriremeRoundTripper {
	return &TriremeRoundTripper{
		RoundTripper: r,
	}
}

// RoundTrip implements the RoundTripper interface. It will add a cookie
// in the response in case of OIDC requests with refresh tokens.
func (t *TriremeRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {

	res, err := t.RoundTripper.RoundTrip(req)
	if err != nil || res == nil {
		return res, err
	}

	data := req.Context().Value(statsContextKey)
	if data == nil {
		return res, nil
	}

	state, ok := data.(*flowstats.ConnectionState)
	if ok && state.Cookie == nil {
		return res, nil
	}

	if v := state.Cookie.String(); v != "" {
		res.Header.Add("Set-Cookie", v)
	}

	return res, nil
}


================================================
FILE: controller/internal/enforcer/applicationproxy/markedconn/mark_linux.go
================================================
// +build linux

package markedconn

import (
	"net"
	"syscall"

	"go.uber.org/zap"
)

func makeListenerConfig(mark int) net.ListenConfig {
	return net.ListenConfig{
		Control: func(_, _ string, c syscall.RawConn) error {
			return c.Control(func(fd uintptr) {
				if err := syscall.SetsockoptInt(int(fd), syscall.SOL_SOCKET, syscall.SO_MARK, mark); err != nil {
					zap.L().Error("Failed to mark connection", zap.Error(err))
				}
				if err := syscall.SetsockoptInt(int(fd), syscall.SOL_TCP, 23, 16*1024); err != nil {
					zap.L().Error("Cannot set tcp fast open options", zap.Error(err))
				}
			})
		},
	}
}

// ControlFunc used in the dialer.
func ControlFunc(mark int, block bool, platformData *PlatformData) Control {

	return func(_, _ string, c syscall.RawConn) error {
		return c.Control(func(fd uintptr) {

			if err := syscall.SetNonblock(int(fd), !block); err != nil {
				zap.L().Error("unable to set socket options", zap.Error(err))
			}
			if err := syscall.SetsockoptInt(int(fd), syscall.SOL_SOCKET, syscall.SO_MARK, mark); err != nil {
				zap.L().Error("Failed to assing mark to socket", zap.Error(err))
			}
			if err := syscall.SetsockoptInt(int(fd), syscall.SOL_TCP, 30, 1); err != nil {
				zap.L().Debug("Failed to set fast open socket option", zap.Error(err))
			}
		})
	}
}


================================================
FILE: controller/internal/enforcer/applicationproxy/markedconn/mark_windows.go
================================================
// +build windows

package markedconn

import (
	"net"
	"syscall"

	"go.aporeto.io/enforcerd/trireme-lib/utils/frontman"
	"go.uber.org/zap"
)

func makeListenerConfig(mark int) net.ListenConfig {
	return net.ListenConfig{}
}

// ControlFunc used in the dialer.
func ControlFunc(mark int, block bool, platformData *PlatformData) Control {

	return func(_, _ string, c syscall.RawConn) error {
		return c.Control(func(fd uintptr) {

			if platformData == nil {
				return
			}

			// call FrontmanApplyDestHandle to update WFP redirect data before the connect() call on the new socket
			if err := frontman.Wrapper.ApplyDestHandle(fd, platformData.handle); err != nil {
				zap.L().Error("could not update proxy redirect", zap.Error(err))
			}
		})
	}
}


================================================
FILE: controller/internal/enforcer/applicationproxy/markedconn/markedconn.go
================================================
// +build linux windows

package markedconn

import (
	"context"
	"fmt"
	"net"
	"syscall"
	"time"

	"go.aporeto.io/enforcerd/trireme-lib/utils/netinterfaces"
	"go.uber.org/zap"
)

// Control represents the dial control used to manipulate the raw connection.
type Control func(network, address string, c syscall.RawConn) error

func makeDialer(mark int, platformData *PlatformData) net.Dialer {
	// platformData is the destHandle
	return net.Dialer{
		Control: ControlFunc(mark, true, platformData),
	}
}

// DialMarkedWithContext will dial a TCP connection to the provide address and mark the socket
// with the provided mark.
func DialMarkedWithContext(ctx context.Context, network string, addr string, platformData *PlatformData, mark int) (net.Conn, error) {
	// platformData is for Windows
	if platformData != nil && platformData.postConnectFunc != nil {
		defer platformData.postConnectFunc(platformData.handle)
	}
	d := makeDialer(mark, platformData)

	conn, err := d.DialContext(ctx, network, addr)
	if err != nil {
		zap.L().Error("Failed to dial to downstream node",
			zap.Error(err),
			zap.String("Address", addr),
			zap.String("Network type", network),
		)
	}
	return conn, err
}

// NewSocketListener will create a listener and mark the socket with the provided mark.
func NewSocketListener(ctx context.Context, port string, mark int) (net.Listener, error) {
	listenerCfg := makeListenerConfig(mark)

	listener, err := listenerCfg.Listen(ctx, "tcp", port)

	if err != nil {
		return nil, fmt.Errorf("Failed to create listener: %s", err)
	}

	return ProxiedListener{
		netListener:      listener,
		mark:             mark,
		platformDataCtrl: NewPlatformDataControl(),
	}, nil
}

// ProxiedConnection is a proxied connection where we can recover the
// original destination.
type ProxiedConnection struct {
	originalIP            net.IP
	originalPort          int
	originalTCPConnection *net.TCPConn
	platformData          *PlatformData
}

// PlatformData is proxy/socket data (platform-specific)
type PlatformData struct {
	handle          uintptr
	postConnectFunc func(fd uintptr)
}

// GetOriginalDestination sets the original destination of the connection.
func (p *ProxiedConnection) GetOriginalDestination() (net.IP, int) {
	return p.originalIP, p.originalPort
}

// GetPlatformData gets the platform-specific socket data (needed for Windows)
func (p *ProxiedConnection) GetPlatformData() *PlatformData {
	return p.platformData
}

// GetTCPConnection returns the TCP connection object.
func (p *ProxiedConnection) GetTCPConnection() *net.TCPConn {
	return p.originalTCPConnection
}

// LocalAddr implements the corresponding method of net.Conn, but returns the original
// address.
func (p *ProxiedConnection) LocalAddr() net.Addr {

	return &net.TCPAddr{
		IP:   p.originalIP,
		Port: p.originalPort,
	}
}

// RemoteAddr returns the remote address
func (p *ProxiedConnection) RemoteAddr() net.Addr {
	return p.originalTCPConnection.RemoteAddr()
}

// Read reads data from the connection.
func (p *ProxiedConnection) Read(b []byte) (n int, err error) {
	return p.originalTCPConnection.Read(b)
}

// Write writes data to the connection.
func (p *ProxiedConnection) Write(b []byte) (n int, err error) {
	return p.originalTCPConnection.Write(b)
}

// Close closes the connection.
func (p *ProxiedConnection) Close() error {
	return p.originalTCPConnection.Close()
}

// SetDeadline passes the read deadline to the original TCP connection.
func (p *ProxiedConnection) SetDeadline(t time.Time) error {
	return p.originalTCPConnection.SetDeadline(t)
}

// SetReadDeadline implements the call by passing it to the original connection.
func (p *ProxiedConnection) SetReadDeadline(t time.Time) error {
	return p.originalTCPConnection.SetReadDeadline(t)
}

// SetWriteDeadline implements the call by passing it to the original connection.
func (p *ProxiedConnection) SetWriteDeadline(t time.Time) error {
	return p.originalTCPConnection.SetWriteDeadline(t)
}

// ProxiedListener is a proxied listener that uses proxied connections.
type ProxiedListener struct {
	netListener      net.Listener
	mark             int
	platformDataCtrl *PlatformDataControl
}

type passFD interface {
	Control(func(uintptr)) error
}

func getOriginalDestination(conn *net.TCPConn) (net.IP, int, *PlatformData, error) { // nolint interfacer

	rawconn, err := conn.SyscallConn()
	if err != nil {
		return nil, 0, nil, err
	}

	localIPString, _, err := net.SplitHostPort(conn.LocalAddr().String())
	if err != nil {
		return nil, 0, nil, err
	}

	localIP := net.ParseIP(localIPString)

	return getOriginalDestPlatform(rawconn, localIP.To4() != nil)
}

// Accept implements the accept method of the interface.
func (l ProxiedListener) Accept() (c net.Conn, err error) {
	nc, err := l.netListener.Accept()
	if err != nil {
		return nil, err
	}

	tcpConn, ok := nc.(*net.TCPConn)
	if !ok {
		zap.L().Error("Received a non-TCP connection - this should never happen", zap.Error(err))
		return nil, fmt.Errorf("Not a tcp connection - ignoring")
	}

	ip, port, platformData, err := getOriginalDestination(tcpConn)
	if err != nil {
		zap.L().Error("Failed to discover original destination - aborting", zap.Error(err))
		return nil, err
	}
	l.platformDataCtrl.StorePlatformData(ip, port, platformData)

	return &ProxiedConnection{
		originalIP:            ip,
		originalPort:          port,
		originalTCPConnection: tcpConn,
		platformData:          platformData,
	}, nil
}

// Addr implements the Addr method of net.Listener.
func (l ProxiedListener) Addr() net.Addr {
	return l.netListener.Addr()
}

// Close implements the Close method of the net.Listener.
func (l ProxiedListener) Close() error {
	return l.netListener.Close()
}

// GetInterfaces retrieves all the local interfaces.
func GetInterfaces() map[string]struct{} {
	ipmap := map[string]struct{}{}

	ifaces, err := netinterfaces.GetInterfacesInfo()
	if err != nil {
		zap.L().Error("Unable to get interfaces info", zap.Error(err))
	}

	for _, iface := range ifaces {
		for _, ip := range iface.IPs {
			ipmap[ip.String()] = struct{}{}
		}
	}

	return ipmap
}


================================================
FILE: controller/internal/enforcer/applicationproxy/markedconn/markedconn_darwin.go
================================================
// +build darwin

package markedconn

import (
	"context"
	"fmt"
	"net"
	"syscall"

	"go.aporeto.io/enforcerd/trireme-lib/utils/netinterfaces"
	"go.uber.org/zap"
)

// Control represents the dial control used to manipulate the raw connection.
type Control func(network, address string, c syscall.RawConn) error

// DialMarkedWithContext dials a TCP connection and associates a mark. Propagates the context.
func DialMarkedWithContext(ctx context.Context, network string, addr string, platformData *PlatformData, mark int) (net.Conn, error) {
	d := net.Dialer{}
	conn, err := d.DialContext(ctx, network, addr)
	if err != nil {
		zap.L().Error("Failed to dial to downstream node",
			zap.Error(err),
			zap.String("Address", addr),
			zap.String("Network type", network),
		)
	}
	return conn, err

}

// ControlFunc used in the dialer.
func ControlFunc(mark int, block bool, platformData *PlatformData) Control {
	return nil
}

// NewSocketListener creates a socket listener with marked connections.
func NewSocketListener(ctx context.Context, port string, mark int) (net.Listener, error) {
	listenerCfg := net.ListenConfig{}
	listener, err := listenerCfg.Listen(ctx, "tcp", port)

	if err != nil {
		return nil, fmt.Errorf("Failed to create listener: %s", err)
	}

	return ProxiedListener{netListener: listener, mark: mark}, nil
}

// ProxiedConnection is a proxied connection where we can recover the
// original destination.
type ProxiedConnection struct {
	net.Conn
	originalIP            net.IP
	originalPort          int
	originalTCPConnection *net.TCPConn
}

// PlatformData is proxy/socket data (platform-specific)
type PlatformData struct {
	handle          uintptr          // nolint: structcheck
	postConnectFunc func(fd uintptr) // nolint: structcheck
}

// GetTCPConnection returns the TCP connection object.
func (p *ProxiedConnection) GetTCPConnection() *net.TCPConn {
	return p.originalTCPConnection
}

// GetOriginalDestination sets the original destination of the connection.
func (p *ProxiedConnection) GetOriginalDestination() (net.IP, int) {
	return p.originalIP, p.originalPort
}

// GetPlatformData gets the socket data (needed for Windows)
func (p *ProxiedConnection) GetPlatformData() *PlatformData {
	return nil
}

// ProxiedListener is a proxied listener that uses proxied connections.
type ProxiedListener struct {
	netListener net.Listener
	mark        int
}

// Accept implements the accept method of the interface.
func (l ProxiedListener) Accept() (c net.Conn, err error) {
	nc, err := l.netListener.Accept()
	if err != nil {
		return nil, err
	}

	return &ProxiedConnection{nc, net.IP{}, 0, nil}, nil
}

// Addr implements the Addr method of net.Listener.
func (l ProxiedListener) Addr() net.Addr {
	return l.netListener.Addr()
}

// Close implements the Close method of the net.Listener.
func (l ProxiedListener) Close() error {
	return l.netListener.Close()
}

// GetInterfaces retrieves all the local interfaces.
func GetInterfaces() map[string]struct{} {
	ipmap := map[string]struct{}{}

	ifaces, err := netinterfaces.GetInterfacesInfo()
	if err != nil {
		zap.L().Debug("Unable to get interfaces info", zap.Error(err))
	}

	for _, iface := range ifaces {
		for _, ip := range iface.IPs {
			ipmap[ip.String()] = struct{}{}
		}
	}

	return ipmap

}


================================================
FILE: controller/internal/enforcer/applicationproxy/markedconn/markedconn_test.go
================================================
// +build linux

package markedconn

import (
	"context"
	"encoding/binary"
	"net"
	"syscall"
	"testing"
	"unsafe"

	"github.com/magiconair/properties/assert"
)

type testPassFD struct {
}

func (*testPassFD) Control(f func(uintptr)) error {
	f(0)
	return nil
}

func TestGetOrigDestV4(t *testing.T) {

	testGetOrigV4 := func(trap, a1, a2, a3, a4, a5, a6 uintptr) (r1, r2 uintptr, err syscall.Errno) {

		assert.Equal(t, trap, uintptr(syscall.SYS_GETSOCKOPT), "expected syscall trap to be SYS.GETSOCKOPT")
		assert.Equal(t, unsafe.Alignof(a4), unsafe.Alignof(&sockaddr4{}), "uintptr and sockaddr4 alignment must be the same")
		sa := (*(*sockaddr4)(unsafe.Pointer(a4))) // nolint
		sa.family = syscall.AF_INET

		copy(sa.data[2:6], []byte{127, 0, 0, 1})
		binary.BigEndian.PutUint16(sa.data[:2], 3000)

		*(*sockaddr4)(unsafe.Pointer(a4)) = sa // nolint
		return 0, 0, 0
	}

	test := &testPassFD{}
	ip, port, _, _ := getOriginalDestInternal(test, true, testGetOrigV4)
	assert.Equal(t, ip.String(), "127.0.0.1", "ip should be 127.0.0.1")
	assert.Equal(t, port, 3000, "port should be 3000")
}

func TestGetOrigDestV6(t *testing.T) {
	testGetOrigV6 := func(trap, a1, a2, a3, a4, a5, a6 uintptr) (r1, r2 uintptr, err syscall.Errno) {
		assert.Equal(t, trap, uintptr(syscall.SYS_GETSOCKOPT), "expected syscall trap to be SYS.GETSOCKOPT")
		assert.Equal(t, unsafe.Alignof(a4), unsafe.Alignof(&sockaddr6{}), "uintptr and sockaddr6 alignment must be the same")
		sa := (*(*sockaddr6)(unsafe.Pointer(a4))) // nolint
		sa.family = syscall.AF_INET6

		copy(sa.ip[:], net.ParseIP("::1"))
		binary.BigEndian.PutUint16(sa.port[:], 3000)

		*(*sockaddr6)(unsafe.Pointer(a4)) = sa // nolint
		return 0, 0, 0
	}

	test := &testPassFD{}
	ip, port, _, _ := getOriginalDestInternal(test, false, testGetOrigV6) // nolint
	assert.Equal(t, ip.String(), "::1", "ip should be ::1")
	assert.Equal(t, port, 3000, "port should be 3000")
}

func TestGetOrigDestV4Err1(t *testing.T) {

	testGetOrigV4 := func(trap, a1, a2, a3, a4, a5, a6 uintptr) (r1, r2 uintptr, err syscall.Errno) {
		return 0, 0, 0
	}

	test := &testPassFD{}
	_, _, _, err := getOriginalDestInternal(test, true, testGetOrigV4) // nolint

	assert.Equal(t, err != nil, true, "error should not be nil")
}

func TestGetOrigDestV6Err1(t *testing.T) {
	testGetOrigV6 := func(trap, a1, a2, a3, a4, a5, a6 uintptr) (r1, r2 uintptr, err syscall.Errno) {
		return 0, 0, 0
	}

	test := &testPassFD{}
	_, _, _, err := getOriginalDestInternal(test, false, testGetOrigV6) // nolint
	assert.Equal(t, err != nil, true, "error should not be nil")
}

func TestGetOrigDestV4Err2(t *testing.T) {

	testGetOrigV4 := func(trap, a1, a2, a3, a4, a5, a6 uintptr) (r1, r2 uintptr, err syscall.Errno) {
		return 0, 0, 1
	}

	test := &testPassFD{}
	_, _, _, err := getOriginalDestInternal(test, true, testGetOrigV4) // nolint
	assert.Equal(t, err != nil, true, "error should not be nil")
}

func TestGetOrigDestV6Err2(t *testing.T) {
	testGetOrigV6 := func(trap, a1, a2, a3, a4, a5, a6 uintptr) (r1, r2 uintptr, err syscall.Errno) {
		return 0, 0, 1
	}

	test := &testPassFD{}

	_, _, _, err := getOriginalDestInternal(test, false, testGetOrigV6) // nolint
	assert.Equal(t, err != nil, true, "error should not be nil")
}

func TestLocalAddr(t *testing.T) {
	ip, _, _ := net.ParseCIDR("172.17.0.2/24")
	proxyConn := ProxiedConnection{originalIP: ip, originalPort: 80}

	naddr := proxyConn.LocalAddr()
	netAddr := naddr.(*net.TCPAddr)

	assert.Equal(t, ip, netAddr.IP, "ip should be equal to 172.17.0.2")
	assert.Equal(t, 80, netAddr.Port, "ip should be equal to 172.17.0.2")
}

func TestSocketListener(t *testing.T) {
	ctx, cancel := context.WithCancel(context.Background()) // nolint
	_, err := NewSocketListener(ctx, ":1111", 100)

	assert.Equal(t, err, nil, "error  should be nil")
	cancel() // nolint
}

func TestGetInterfaces(t *testing.T) {

	ipmap := GetInterfaces()

	b := len(ipmap) != 0
	assert.Equal(t, b, true, "ipmap should not be empty")
}


================================================
FILE: controller/internal/enforcer/applicationproxy/markedconn/markedconn_windows_test.go
================================================
// +build windows

package markedconn

import (
	"context"
	"errors"
	"syscall"
	"testing"
	"unsafe"

	"github.com/magiconair/properties/assert"
	"go.aporeto.io/enforcerd/trireme-lib/utils/frontman"
)

type abi struct {
	destHandle        uintptr
	destHandleApplied uintptr
	destHandleFreed   uintptr
	destInfoOverride  *frontman.DestInfo
}

var (
	goodIP   = syscall.StringToUTF16("192.168.100.101") // nolint
	badIP    = syscall.StringToUTF16("192.xxxxxxx")     // nolint
	goodPort = uint16(8080)
)

func (a *abi) FrontmanOpenShared() (uintptr, error) {
	return 1234, nil
}

func (a *abi) GetDestInfo(driverHandle, socket, destInfo uintptr) (uintptr, error) {
	destInfoPtr := (*frontman.DestInfo)(unsafe.Pointer(destInfo)) // nolint:govet
	if a.destInfoOverride != nil {
		if a.destInfoOverride.DestHandle == uintptr(syscall.InvalidHandle) {
			return 0, errors.New("INVALID_HANDLE_VALUE")
		}
		*destInfoPtr = *a.destInfoOverride
		return 1, nil
	}
	destInfoPtr.IPAddr = &goodIP[0]
	destInfoPtr.Port = goodPort
	a.destHandle++
	destInfoPtr.DestHandle = a.destHandle
	return 1, nil
}

func (a *abi) ApplyDestHandle(socket, destHandle uintptr) (uintptr, error) {
	if a.destHandleApplied == destHandle {
		return 0, errors.New("ApplyDestHandle called more than once")
	}
	a.destHandleApplied = destHandle
	return 1, nil
}

func (a *abi) FreeDestHandle(destHandle uintptr) (uintptr, error) {
	a.destHandleFreed = destHandle
	return 1, nil
}

func (a *abi) NewIpset(driverHandle, name, ipsetType, ipset uintptr) (uintptr, error) {
	return 1, nil
}

func (a *abi) GetIpset(driverHandle, name, ipset uintptr) (uintptr, error) {
	return 1, nil
}

func (a *abi) DestroyAllIpsets(driverHandle, prefix uintptr) (uintptr, error) {
	return 1, nil
}

func (a *abi) ListIpsets(driverHandle, ipsetNames, ipsetNamesSize, bytesReturned uintptr) (uintptr, error) {
	return 1, nil
}

func (a *abi) IpsetAdd(driverHandle, ipset, entry, timeout uintptr) (uintptr, error) {
	return 1, nil
}

func (a *abi) IpsetAddOption(driverHandle, ipset, entry, option, timeout uintptr) (uintptr, error) {
	return 1, nil
}

func (a *abi) IpsetDelete(driverHandle, ipset, entry uintptr) (uintptr, error) {
	return 1, nil
}

func (a *abi) IpsetDestroy(driverHandle, ipset uintptr) (uintptr, error) {
	return 1, nil
}

func (a *abi) IpsetFlush(driverHandle, ipset uintptr) (uintptr, error) {
	return 1, nil
}

func (a *abi) IpsetTest(driverHandle, ipset, entry uintptr) (uintptr, error) {
	return 1, nil
}

func (a *abi) PacketFilterStart(frontman, firewallName, receiveCallback, loggingCallback uintptr) (uintptr, error) {
	return 1, nil
}

func (a *abi) PacketFilterClose() (uintptr, error) {
	return 1, nil
}

func (a *abi) PacketFilterForward(info, packet uintptr) (uintptr, error) {
	return 1, nil
}

func (a *abi) AppendFilter(driverHandle, outbound, filterName, isGotoFilter uintptr) (uintptr, error) {
	return 1, nil
}

func (a *abi) InsertFilter(driverHandle, outbound, priority, filterName, isGotoFilter uintptr) (uintptr, error) {
	return 1, nil
}

func (a *abi) DestroyFilter(driverHandle, filterName uintptr) (uintptr, error) {
	return 1, nil
}

func (a *abi) EmptyFilter(driverHandle, filterName uintptr) (uintptr, error) {
	return 1, nil
}

func (a *abi) GetFilterList(driverHandle, outbound, buffer, bufferSize, bytesReturned uintptr) (uintptr, error) {
	return 1, nil
}

func (a *abi) AppendFilterCriteria(driverHandle, filterName, criteriaName, ruleSpec, ipsetRuleSpecs, ipsetRuleSpecCount uintptr) (uintptr, error) {
	return 1, nil
}

func (a *abi) DeleteFilterCriteria(driverHandle, filterName, criteriaName uintptr) (uintptr, error) {
	return 1, nil
}

func (a *abi) ListIpsetsDetail(driverHandle, format, ipsetNames, ipsetNamesSize, bytesReturned uintptr) (uintptr, error) {
	return 1, nil
}

func (a *abi) GetCriteriaList(driverHandle, format, criteriaList, criteriaListSize, bytesReturned uintptr) (uintptr, error) {
	return 1, nil
}

type testPassFD struct {
}

func (*testPassFD) Control(f func(uintptr)) error {
	f(0)
	return nil
}

func TestWindowsGetOrigDest(t *testing.T) {

	a := &abi{}
	frontman.Driver = a
	test := &testPassFD{}

	ip, port, pd, _ := getOriginalDestPlatform(test, true)
	assert.Equal(t, ip.String(), syscall.UTF16ToString(goodIP), "ip is wrong")
	assert.Equal(t, port, int(goodPort), "port is wrong")
	pd.postConnectFunc(a.destHandle)
	assert.Equal(t, a.destHandleFreed != 0, true, "destHandle not freed")
}

func TestWindowsGetOrigDestBadDestInfo(t *testing.T) {

	a := &abi{}
	frontman.Driver = a
	test := &testPassFD{}
	a.destInfoOverride = &frontman.DestInfo{DestHandle: uintptr(syscall.InvalidHandle)}

	_, _, _, err := getOriginalDestPlatform(test, true)
	assert.Equal(t, err != nil, true, "GetDestInfo should fail")
	assert.Equal(t, a.destHandleApplied == 0, true, "ApplyDestHandle should not be called")
	assert.Equal(t, a.destHandleFreed == 0, true, "FreeDestHandle should not be called")
}

func TestWindowsGetOrigDestBadIP(t *testing.T) {

	a := &abi{}
	frontman.Driver = a
	test := &testPassFD{}
	a.destHandle = 1000
	a.destInfoOverride = &frontman.DestInfo{IPAddr: &badIP[0], Port: goodPort, DestHandle: a.destHandle}

	_, _, _, err := getOriginalDestPlatform(test, true)
	assert.Equal(t, err != nil, true, "GetDestInfo should fail")
	assert.Equal(t, a.destHandleApplied == 0, true, "ApplyDestHandle should not be called")
	assert.Equal(t, a.destHandleFreed == a.destHandle, true, "FreeDestHandle should be called")
}

func TestSocketListenerWindows(t *testing.T) {
	ctx, cancel := context.WithCancel(context.Background()) // nolint
	_, err := NewSocketListener(ctx, ":1111", 100)

	assert.Equal(t, err, nil, "error  should be nil")
	cancel() // nolint
}


================================================
FILE: controller/internal/enforcer/applicationproxy/markedconn/origdest_linux.go
================================================
// +build linux

package markedconn

import (
	"fmt"
	"net"
	"syscall"
	"unsafe"
)

const (
	sockOptOriginalDst = 80
)

type sockaddr4 struct {
	family uint16
	data   [14]byte
}

type sockaddr6 struct {
	family   uint16
	port     [2]byte
	flowInfo [4]byte // nolint
	ip       [16]byte
	scopeID  [4]byte // nolint
}

type origDest func(trap, a1, a2, a3, a4, a5, a6 uintptr) (r1, r2 uintptr, err syscall.Errno)

func getOriginalDestPlatform(rawConn passFD, v4Proto bool) (net.IP, int, *PlatformData, error) {
	return getOriginalDestInternal(rawConn, v4Proto, syscall.Syscall6)
}

func getOriginalDestInternal(rawConn passFD, v4Proto bool, getOrigDest origDest) (net.IP, int, *PlatformData, error) { // nolint interfacer{
	var getsockopt func(fd uintptr)
	var netIP net.IP
	var port int
	var err error

	getsockopt4 := func(fd uintptr) {
		var addr sockaddr4
		size := uint32(unsafe.Sizeof(addr))
		_, _, e1 := getOrigDest(syscall.SYS_GETSOCKOPT, uintptr(fd), uintptr(syscall.SOL_IP), uintptr(sockOptOriginalDst), uintptr(unsafe.Pointer(&addr)), uintptr(unsafe.Pointer(&size)), 0) // nolint

		if e1 != 0 {
			err = fmt.Errorf("Failed to get original destination: %s", e1)
			return
		}

		if addr.family != syscall.AF_INET {
			err = fmt.Errorf("invalid address family. Expected AF_INET")
			return
		}

		netIP = addr.data[2:6]
		port = int(addr.data[0])<<8 + int(addr.data[1])
	}

	getsockopt6 := func(fd uintptr) {
		var addr sockaddr6
		size := uint32(unsafe.Sizeof(addr))

		_, _, e1 := getOrigDest(syscall.SYS_GETSOCKOPT, uintptr(fd), uintptr(syscall.SOL_IPV6), uintptr(sockOptOriginalDst), uintptr(unsafe.Pointer(&addr)), uintptr(unsafe.Pointer(&size)), 0) // nolint
		if e1 != 0 {
			err = fmt.Errorf("Failed to get original destination: %s", e1)
			return
		}

		if addr.family != syscall.AF_INET6 {
			err = fmt.Errorf("invalid address family. Expected AF_INET6")
			return
		}

		netIP = addr.ip[:]
		port = int(addr.port[0])<<8 + int(addr.port[1])
	}

	if v4Proto {
		getsockopt = getsockopt4
	} else {
		getsockopt = getsockopt6
	}

	if err1 := rawConn.Control(getsockopt); err1 != nil {
		return nil, 0, nil, fmt.Errorf("Failed to get original destination: %s", err)
	}

	if err != nil {
		return nil, 0, nil, err
	}

	return netIP, port, nil, nil
}


================================================
FILE: controller/internal/enforcer/applicationproxy/markedconn/origdest_windows.go
================================================
// +build windows

package markedconn

import (
	"fmt"
	"net"

	"go.aporeto.io/enforcerd/trireme-lib/utils/frontman"
	"go.uber.org/zap"
)

func getOriginalDestPlatform(rawConn passFD, v4Proto bool) (net.IP, int, *PlatformData, error) {
	var netIP net.IP
	var port int
	var destHandle uintptr
	var err error

	freeFunc := func(fd uintptr) {
		if err1 := frontman.Wrapper.FreeDestHandle(fd); err1 != nil {
			zap.L().Error("failed to free dest handle", zap.Error(err1))
		}
	}

	ctrlFunc := func(fd uintptr) {
		var destInfo frontman.DestInfo
		if err1 := frontman.Wrapper.GetDestInfo(fd, &destInfo); err1 != nil {
			err = err1
			return
		}
		destHandle = destInfo.DestHandle
		port = int(destInfo.Port)
		// convert allocated wchar_t* to golang string
		ipAddrStr := frontman.WideCharPointerToString(destInfo.IPAddr)
		netIP = net.ParseIP(ipAddrStr)
		if netIP == nil {
			err = fmt.Errorf("GetDestInfo failed to get valid IP (%s)", ipAddrStr)
			// FrontmanGetDestInfo returned success, so clean up acquired resources
			freeFunc(destHandle)
		}
	}

	if err1 := rawConn.Control(ctrlFunc); err1 != nil {
		return nil, 0, nil, fmt.Errorf("Failed to get original destination: %s", err)
	}

	if err != nil {
		return nil, 0, nil, err
	}

	return netIP, port, &PlatformData{destHandle, freeFunc}, nil
}


================================================
FILE: controller/internal/enforcer/applicationproxy/markedconn/platformdata.go
================================================
// +build !windows

package markedconn

import (
	"net"
)

// PlatformDataControl dummy impl
// PlatformDataControl is only needed for Windows now, and allows retrieval of kernel socket data.
type PlatformDataControl struct {
}

// NewPlatformDataControl returns initialized PlatformDataControl
func NewPlatformDataControl() *PlatformDataControl {
	return &PlatformDataControl{}
}

// StorePlatformData saves the data after GetDestInfo is called.
func (n *PlatformDataControl) StorePlatformData(ip net.IP, port int, platformData *PlatformData) {
}

// RemovePlatformData removes the data from storage and returns it
func RemovePlatformData(l net.Listener, conn net.Conn) *PlatformData {
	return nil
}

// TakePlatformData removes the data from storage and returns it
func TakePlatformData(l net.Listener, ip net.IP, port int) *PlatformData {
	return nil
}


================================================
FILE: controller/internal/enforcer/applicationproxy/markedconn/platformdata_test.go
================================================
// +build windows

package markedconn

import (
	"net"
	"testing"

	. "github.com/smartystreets/goconvey/convey"
)

func TestStoreTake(t *testing.T) {

	var nd *PlatformData

	Convey("Given a ProxiedListener with a PlatformDataControl", t, func() {

		proxiedListener := ProxiedListener{
			netListener:      nil,
			mark:             100,
			platformDataCtrl: NewPlatformDataControl(),
		}

		platformData := &PlatformData{
			1, func(fd uintptr) {},
		}

		ip := net.ParseIP("192.168.100.100")
		port := 20992

		Convey("When I store PlatformData for an ip/port, it should be retained until removed", func() {

			nd = TakePlatformData(proxiedListener, ip, port)
			So(nd, ShouldBeNil)

			proxiedListener.platformDataCtrl.StorePlatformData(ip, port, platformData)
			nd = TakePlatformData(proxiedListener, ip, port)
			So(nd, ShouldEqual, platformData)
			So(nd.handle, ShouldEqual, 1)

			nd = TakePlatformData(proxiedListener, ip, port)
			So(nd, ShouldBeNil)
		})
	})
}

func TestStoreRemove(t *testing.T) {

	var nd *PlatformData

	Convey("Given a ProxiedListener with a PlatformDataControl", t, func() {

		proxiedListener := ProxiedListener{
			netListener:      nil,
			mark:             101,
			platformDataCtrl: NewPlatformDataControl(),
		}

		platformData := &PlatformData{
			2, func(fd uintptr) {},
		}

		ip := net.ParseIP("192.168.100.101")
		port := 20993

		proxiedConn := &ProxiedConnection{
			originalIP:            ip,
			originalPort:          port,
			originalTCPConnection: nil,
			platformData:          platformData,
		}

		Convey("When I store PlatformData for an ip/port, it should be retained until removed", func() {

			nd = TakePlatformData(proxiedListener, ip, port)
			So(nd, ShouldBeNil)

			proxiedListener.platformDataCtrl.StorePlatformData(ip, port, platformData)
			nd = RemovePlatformData(proxiedListener, proxiedConn)
			So(nd, ShouldEqual, platformData)
			So(nd.handle, ShouldEqual, 2)

			nd = TakePlatformData(proxiedListener, ip, port)
			So(nd, ShouldBeNil)
		})
	})
}

func TestStoreMultiple(t *testing.T) {

	var nd *PlatformData

	Convey("Given a ProxiedListener with a PlatformDataControl", t, func() {

		proxiedListener := ProxiedListener{
			netListener:      nil,
			mark:             100,
			platformDataCtrl: NewPlatformDataControl(),
		}

		platformData1 := &PlatformData{
			1, func(fd uintptr) {},
		}
		platformData2 := &PlatformData{
			2, func(fd uintptr) {},
		}
		platformData3 := &PlatformData{
			3, func(fd uintptr) {},
		}

		ip1 := net.ParseIP("192.168.100.100")
		port1 := 20992

		ip2 := net.ParseIP("192.168.100.101")
		port2 := 20993

		Convey("When I store PlatformData for an ip/port, it should be retained until removed", func() {

			proxiedListener.platformDataCtrl.StorePlatformData(ip1, port1, platformData1)
			proxiedListener.platformDataCtrl.StorePlatformData(ip2, port2, platformData2)
			proxiedListener.platformDataCtrl.StorePlatformData(ip1, port1, platformData3)

			nd = TakePlatformData(proxiedListener, ip2, port2)
			So(nd, ShouldEqual, platformData2)
			So(nd.handle, ShouldEqual, 2)

			nd = TakePlatformData(proxiedListener, ip1, port1)
			So(nd, ShouldEqual, platformData3)
			So(nd.handle, ShouldEqual, 3)

			nd = TakePlatformData(proxiedListener, ip1, port1)
			So(nd, ShouldBeNil)
		})
	})
}


================================================
FILE: controller/internal/enforcer/applicationproxy/markedconn/platformdata_windows.go
================================================
// +build windows

package markedconn

import (
	"fmt"
	"net"
	"sync"
)

// PlatformDataControl is for Windows.
// For proxied connections, we map the original ip/port to platform-specific data that needs to be retrieved
// when we make the real connection.
type PlatformDataControl struct {
	platformData map[string]*PlatformData
	mu           *sync.Mutex
}

// NewPlatformDataControl returns initialized PlatformDataControl
func NewPlatformDataControl() *PlatformDataControl {
	return &PlatformDataControl{
		platformData: make(map[string]*PlatformData),
		mu:           &sync.Mutex{},
	}
}

// StorePlatformData saves the data after GetDestInfo is called.
func (n *PlatformDataControl) StorePlatformData(ip net.IP, port int, platformData *PlatformData) {
	key := fmt.Sprintf("%s:%d", ip.String(), port)
	n.mu.Lock()
	n.platformData[key] = platformData
	n.mu.Unlock()
}

// RemovePlatformData returns the data for the given ip/port, and removes it from the map.
// The listener should be a ProxiedListener, from which we can get the ctrl.
func RemovePlatformData(l net.Listener, conn net.Conn) *PlatformData {
	n := getPlatformDataControlFromListener(l)
	if n == nil {
		return nil
	}
	if proxyConn, ok := conn.(*ProxiedConnection); ok {
		ip, port := proxyConn.GetOriginalDestination()
		return n.takePlatformData(ip, port)
	}
	return nil
}

// TakePlatformData returns the data for the given ip/port, and removes it from the map.
// The listener should be a ProxiedListener, from which we can get the ctrl.
func TakePlatformData(l net.Listener, ip net.IP, port int) *PlatformData {
	n := getPlatformDataControlFromListener(l)
	if n == nil {
		return nil
	}
	return n.takePlatformData(ip, port)
}

// takePlatformData returns the data for the given ip/port, and removes it from the map
func (n *PlatformDataControl) takePlatformData(ip net.IP, port int) *PlatformData {
	key := fmt.Sprintf("%s:%d", ip.String(), port)
	n.mu.Lock()
	nd := n.platformData[key]
	delete(n.platformData, key)
	n.mu.Unlock()
	return nd
}

// if listener is a ProxiedListener, we get its platform data ctrl
func getPlatformDataControlFromListener(l net.Listener) *PlatformDataControl {
	if proxiedL, ok := l.(ProxiedListener); ok {
		return proxiedL.platformDataCtrl
	}
	return nil
}


================================================
FILE: controller/internal/enforcer/applicationproxy/pingrequest/pingrequest.go
================================================
package pingrequest

import (
	"bufio"
	"bytes"
	"errors"
	"net/http"

	"github.com/vmihailenco/msgpack"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
)

// PingHeaderKey holds the value for aporeto ping.
const PingHeaderKey = "X-APORETO-PING"

// CreateRaw is same as 'Create' but will return raw bytes of
// the request (wire format) returned by 'Create'.
func CreateRaw(host string, pingPayload *policy.PingPayload) ([]byte, error) {

	req, err := Create(host, pingPayload)
	if err != nil {
		return nil, err
	}

	var buf bytes.Buffer
	if err := req.Write(&buf); err != nil {
		return nil, err
	}

	return buf.Bytes(), nil
}

// ExtractRaw is same as 'Extract' but will parse the raw
// bytes of the request passed and calls 'Validate'.
func ExtractRaw(rawReq []byte) (*policy.PingPayload, error) {

	buf := bytes.NewBuffer(rawReq)
	req, err := http.ReadRequest(bufio.NewReader(buf))
	if err != nil {
		return nil, err
	}

	return Extract(req)
}

// Create creates a new http request with the given host.
// It encodes the pingPayload passed with msgpack encoding and
// adds the data bytes to the header with key 'X-APORETO-PING'.
// It also returns the request.
func Create(host string, pingPayload *policy.PingPayload) (*http.Request, error) {

	req, err := http.NewRequest("GET", host, nil)
	if err != nil {
		return nil, err
	}

	payload, err := encode(pingPayload)
	if err != nil {
		return nil, err
	}

	req.Header.Add(PingHeaderKey, string(payload))

	return req, nil
}

// Extract verifies If the given request has the header
// 'X-APORETO-PING'. If it doesn't returns error, If it did have
// the header, it will try to decode the data using msgpack
// encoding and will return the ping payload.
func Extract(req *http.Request) (*policy.PingPayload, error) {

	payload := req.Header.Get(PingHeaderKey)
	if payload == "" {
		return nil, errors.New("missing ping payload in header")
	}

	pingPayload, err := decode([]byte(payload))
	if err != nil {
		return nil, err
	}

	return pingPayload, nil
}

func encode(pingPayload *policy.PingPayload) ([]byte, error) {
	return msgpack.Marshal(pingPayload)
}

func decode(data []byte) (*policy.PingPayload, error) {

	pingPayload := &policy.PingPayload{}

	if err := msgpack.Unmarshal(data, pingPayload); err != nil {
		return nil, err
	}

	return pingPayload, nil
}


================================================
FILE: controller/internal/enforcer/applicationproxy/protomux/protomux.go
================================================
package protomux

import (
	"context"
	"fmt"
	"net"
	"sync"
	"time"

	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/applicationproxy/common"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/applicationproxy/markedconn"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/applicationproxy/serviceregistry"
	"go.uber.org/zap"
)

// ProtoListener is
type ProtoListener struct {
	net.Listener
	connection chan net.Conn
	mark       int
}

// NewProtoListener creates a listener for a particular protocol.
func NewProtoListener(mark int) *ProtoListener {
	return &ProtoListener{
		connection: make(chan net.Conn),
		mark:       mark,
	}
}

// Accept accepts new connections over the channel.
func (p *ProtoListener) Accept() (net.Conn, error) {
	c, ok := <-p.connection
	if !ok {
		return nil, fmt.Errorf("mux: listener closed")
	}
	return c, nil
}

// MultiplexedListener is the root listener that will split
// connections to different protocols.
type MultiplexedListener struct {
	root     net.Listener
	done     chan struct{}
	shutdown chan struct{}
	wg       sync.WaitGroup
	protomap map[common.ListenerType]*ProtoListener
	puID     string

	defaultListener *ProtoListener
	localIPs        map[string]struct{}
	mark            int
	sync.RWMutex
}

// NewMultiplexedListener returns a new multiplexed listener. Caller
// must register protocols outside of the new object creation.
func NewMultiplexedListener(l net.Listener, mark int, puID string) *MultiplexedListener {

	return &MultiplexedListener{
		root:     l,
		done:     make(chan struct{}),
		shutdown: make(chan struct{}),
		wg:       sync.WaitGroup{},
		protomap: map[common.ListenerType]*ProtoListener{},
		localIPs: markedconn.GetInterfaces(),
		mark:     mark,
		puID:     puID,
	}
}

// RegisterListener registers a new listener. It returns the listener that the various
// protocol servers should use. If defaultListener is set, this will become
// the default listener if no match is found. Obviously, there cannot be more
// than one default.
func (m *MultiplexedListener) RegisterListener(ltype common.ListenerType) (*ProtoListener, error) {
	m.Lock()
	defer m.Unlock()

	if _, ok := m.protomap[ltype]; ok {
		return nil, fmt.Errorf("Cannot register same listener type multiple times")
	}

	p := &ProtoListener{
		Listener:   m.root,
		connection: make(chan net.Conn),
		mark:       m.mark,
	}
	m.protomap[ltype] = p

	return p, nil
}

// UnregisterListener unregisters a listener. It returns an error if there are services
// associated with this listener.
func (m *MultiplexedListener) UnregisterListener(ltype common.ListenerType) error {
	m.Lock()
	defer m.Unlock()

	delete(m.protomap, ltype)

	return nil
}

// RegisterDefaultListener registers a default listener.
func (m *MultiplexedListener) RegisterDefaultListener(p *ProtoListener) error {
	m.Lock()
	defer m.Unlock()

	if m.defaultListener != nil {
		return fmt.Errorf("Default listener already registered")
	}

	m.defaultListener = p
	return nil
}

// UnregisterDefaultListener unregisters the default listener.
func (m *MultiplexedListener) UnregisterDefaultListener() error {
	m.Lock()
	defer m.Unlock()

	if m.defaultListener == nil {
		return fmt.Errorf("No default listener registered")
	}

	m.defaultListener = nil

	return nil
}

// Close terminates the server without the context.
func (m *MultiplexedListener) Close() {
	close(m.shutdown)
}

// Serve will demux the connections
func (m *MultiplexedListener) Serve(ctx context.Context) error {

	defer func() {
		close(m.done)
		m.wg.Wait()

		m.RLock()
		defer m.RUnlock()

		for _, l := range m.protomap {
			close(l.connection)
			// Drain the connections enqueued for the listener.
			for c := range l.connection {
				c.Close() // nolint
			}
		}
	}()

	go func() {
		for {
			select {
			case <-time.After(5 * time.Second):
				m.Lock()
				m.localIPs = markedconn.GetInterfaces()
				m.Unlock()
			case <-ctx.Done():
				return
			}
		}
	}()

	for {
		select {
		case <-ctx.Done():
			return nil
		case <-m.shutdown:
			return nil
		default:

			c, err := m.root.Accept()
			if err != nil {
				// check if the error is due to shutdown in progress
				select {
				case <-ctx.Done():
					return nil
				case <-m.shutdown:
					return nil
				default:
				}
				// if it is an actual error (which can happen in Windows we can't get origin ip/port from our driver),
				// then log an error and continue accepting connections.
				zap.L().Error("error from Accept", zap.Error(err))
				break
			}
			m.wg.Add(1)
			go m.serve(c)
		}
	}
}

func (m *MultiplexedListener) serve(conn net.Conn) {
	defer m.wg.Done()

	c, ok := conn.(*markedconn.ProxiedConnection)
	if !ok {
		zap.L().Error("Wrong connection type")
		return
	}

	ip, port := c.GetOriginalDestination()
	remoteAddr := c.RemoteAddr()
	if remoteAddr == nil {
		zap.L().Error("Connection remote address cannot be found. Abort")
		return
	}

	local := false
	m.Lock()
	localIPs := m.localIPs
	m.Unlock()
	if _, ok = localIPs[networkOfAddress(remoteAddr.String())]; ok {
		local = true
	}

	var listenerType common.ListenerType
	if local {
		_, serviceData, err := serviceregistry.Instance().RetrieveDependentServiceDataByIDAndNetwork(m.puID, ip, port, "")
		if err != nil {
			zap.L().Error("Cannot discover target service",
				zap.String("ContextID", m.puID),
				zap.String("ip", ip.String()),
				zap.Int("port", port),
				zap.String("Remote IP", remoteAddr.String()),
				zap.Error(err),
			)
			return
		}
		listenerType = serviceData.ServiceType
	} else {
		pctx, err := serviceregistry.Instance().RetrieveExposedServiceContext(ip, port, "")
		if err != nil {
			zap.L().Error("Cannot discover target service",
				zap.String("ip", ip.String()),
				zap.Int("port", port),
				zap.String("Remote IP", remoteAddr.String()),
			)
			return
		}

		listenerType = pctx.Type
	}

	m.RLock()
	target, ok := m.protomap[listenerType]
	m.RUnlock()
	if !ok {
		c.Close() // nolint
		return
	}

	select {
	case target.connection <- c:
	case <-m.done:
		c.Close() // nolint
	}
}

func networkOfAddress(addr string) string {
	ip, _, err := net.SplitHostPort(addr)
	if err != nil {
		return addr
	}

	return ip
}


================================================
FILE: controller/internal/enforcer/applicationproxy/protomux/protomux_test.go
================================================
// +build !windows

package protomux

import (
	"testing"

	"github.com/magiconair/properties/assert"
)

func TestNetworkAddress(t *testing.T) {
	ip := networkOfAddress("172.17.0.2:80")
	assert.Equal(t, ip, "172.17.0.2", "ip should be 172.17.0.2")

	ip = networkOfAddress("[ff::1]:80")
	assert.Equal(t, ip, "ff::1", "ip should be ff::1")
}


================================================
FILE: controller/internal/enforcer/applicationproxy/servicecache/servicecache.go
================================================
package servicecache

import (
	"fmt"
	"net"
	"sync"

	"go.aporeto.io/enforcerd/trireme-lib/common"
	"go.aporeto.io/enforcerd/trireme-lib/utils/ipprefix"
	"go.aporeto.io/enforcerd/trireme-lib/utils/portspec"
)

type entry struct {
	id    string
	ports *portspec.PortSpec
	data  interface{}
}

type entryList []*entry

func (e entryList) Delete(i int) entryList {
	if i >= len(e) || i < 0 {
		return e
	}
	return append(e[:i], e[i+1:]...)
}

// ServiceCache is a new service cache
type ServiceCache struct {
	// ipprefixs is map[prefixlength][prefix] -> array of entries indexed by port
	local  ipprefix.IPcache
	remote ipprefix.IPcache
	// hostcaches is map[host] -> array of entries indexed by port.
	remoteHosts map[string]entryList
	localHosts  map[string]entryList
	// portCaches is list of all ports where we can retrieve a service based on the port.
	remotePorts entryList
	localPorts  entryList
	sync.RWMutex
}

// NewTable creates a new table
func NewTable() *ServiceCache {

	return &ServiceCache{
		local:       ipprefix.NewIPCache(),
		remote:      ipprefix.NewIPCache(),
		remoteHosts: map[string]entryList{},
		localHosts:  map[string]entryList{},
	}
}

// Add adds a service into the cache. Returns error of if any overlap has been detected.
func (s *ServiceCache) Add(e *common.Service, id string, data interface{}, local bool) error {
	s.Lock()
	defer s.Unlock()

	record := &entry{
		ports: e.Ports,
		data:  data,
		id:    id,
	}
	if err := s.addPorts(e, record, local); err != nil {
		return err
	}

	if err := s.addHostService(e, record, local); err != nil {
		return err
	}

	return s.addIPService(e, record, local)
}

// Find searches for a matching service, given an IP and port. Caller must specify
// the local or remote context.
func (s *ServiceCache) Find(ip net.IP, port int, host string, local bool) interface{} {
	s.RLock()
	defer s.RUnlock()

	if host != "" {
		if data := s.findHost(host, port, local); data != nil {
			return data
		}
	}

	return s.findIP(ip, port, local)
}

// FindListeningServicesForPU returns a service that is found and the associated
// portSpecifications that refer to this service.
func (s *ServiceCache) FindListeningServicesForPU(id string) (interface{}, *portspec.PortSpec) {
	s.RLock()
	defer s.RUnlock()

	for _, spec := range s.localPorts {
		if spec.id == id {
			return spec.data, spec.ports
		}
	}
	return nil, nil
}

// DeleteByID will delete all entries related to this ID from all references.
func (s *ServiceCache) DeleteByID(id string, local bool) {
	s.Lock()
	defer s.Unlock()

	hosts := s.remoteHosts
	cache := s.remote
	if local {
		hosts = s.localHosts
		cache = s.local
	}

	if local {
		s.localPorts = deleteMatchingPorts(s.localPorts, id)
	} else {
		s.remotePorts = deleteMatchingPorts(s.remotePorts, id)
	}

	for host, ports := range hosts {
		hosts[host] = deleteMatchingPorts(ports, id)
		if len(hosts[host]) == 0 {
			delete(hosts, host)
		}
	}

	deleteMatching := func(val interface{}) interface{} {
		if val == nil {
			return nil
		}

		entryL := val.(entryList)
		r := deleteMatchingPorts(entryL, id)
		if len(r) == 0 {
			return nil
		}

		return r
	}

	cache.RunFuncOnVals(deleteMatching)
}

func deleteMatchingPorts(list entryList, id string) entryList {
	remainingPorts := entryList{}
	for _, spec := range list {
		if spec.id != id {
			remainingPorts = append(remainingPorts, spec)
		}
	}
	return remainingPorts
}

func (s *ServiceCache) addIPService(e *common.Service, record *entry, local bool) error {

	cache := s.remote
	if local {
		cache = s.local
	}

	addresses := e.Addresses

	// If addresses are nil, I only care about ports.
	if len(e.Addresses) == 0 && len(e.FQDNs) == 0 {
		addresses = map[string]struct{}{}
		addresses["0.0.0.0/0"] = struct{}{}
		addresses["::/0"] = struct{}{}
	}

	for addrS := range addresses {
		var records entryList
		var addr *net.IPNet
		var err error

		if _, addr, err = net.ParseCIDR(addrS); err != nil {
			continue
		}

		mask, _ := addr.Mask.Size()
		v, exists := cache.Get(addr.IP, mask)

		if !exists {
			records = entryList{}
		} else {
			records = v.(entryList)
			for _, spec := range records {
				if spec.ports.Overlaps(e.Ports) {
					return fmt.Errorf("service port overlap for a given IP not allowed: ip %s, port %s", addr.String(), e.Ports.String())
				}
			}
		}

		records = append(records, record)
		cache.Put(addr.IP, mask, records)
	}

	return nil
}

func (s *ServiceCache) addHostService(e *common.Service, record *entry, local bool) error {
	hostCache := s.remoteHosts
	if local {
		hostCache = s.localHosts
	}

	// If addresses are nil, I only care about ports.
	if len(e.FQDNs) == 0 {
		return nil
	}

	for _, host := range e.FQDNs {
		if _, ok := hostCache[host]; !ok {
			hostCache[host] = entryList{}
		}
		for _, spec := range hostCache[host] {
			if spec.ports.Overlaps(e.Ports) {
				return fmt.Errorf("service port overlap for a given host not allowed: host %s, port %s", host, e.Ports.String())
			}
		}
		hostCache[host] = append(hostCache[host], record)
	}
	return nil
}

// findIP searches for a matching service, given an IP and port
func (s *ServiceCache) findIP(ip net.IP, port int, local bool) interface{} {

	cache := s.remote
	if local {
		cache = s.local
	}

	if ip == nil {
		return nil
	}

	var data interface{}

	findMatch := func(val interface{}) bool {
		if val != nil {
			records := val.(entryList)
			for _, e := range records {
				if e.ports.IsIncluded(port) {
					data = e.data
					return true
				}
			}
		}
		return false
	}

	cache.RunFuncOnLpmIP(ip, findMatch)
	return data
}

// findIP searches for a matching service, given an IP and port
func (s *ServiceCache) findHost(host string, port int, local bool) interface{} {
	hostCache := s.remoteHosts
	if local {
		hostCache = s.localHosts
	}

	entries, ok := hostCache[host]
	if !ok {
		return nil
	}
	for _, e := range entries {
		if e.ports.IsIncluded(port) {
			return e.data
		}
	}

	return nil
}

// addPorts will only work for local ports.
func (s *ServiceCache) addPorts(e *common.Service, record *entry, local bool) error {
	if !local {
		return nil
	}

	for _, spec := range s.localPorts {
		if spec.ports.Overlaps(e.Ports) {
			return fmt.Errorf("service port overlap in the global port list: %+v %s", e.Addresses, e.Ports.String())
		}
	}

	s.localPorts = append(s.localPorts, record)

	return nil
}


================================================
FILE: controller/internal/enforcer/applicationproxy/servicecache/servicecache_test.go
================================================
// +build !windows

package servicecache

import (
	"net"
	"testing"

	. "github.com/smartystreets/goconvey/convey"
	"go.aporeto.io/enforcerd/trireme-lib/common"
	"go.aporeto.io/enforcerd/trireme-lib/utils/portspec"
)

func TestEntries(t *testing.T) {
	Convey("Given an entry list", t, func() {

		Convey("If I delete the last element, I should the right data", func() {
			e := entryList{
				{
					id: "1",
				},
				{
					id: "2",
				},
				{
					id: "3",
				},
				{
					id: "4",
				},
			}
			new := e.Delete(3)
			So(len(new), ShouldEqual, 3)
			So(new[0], ShouldResemble, &entry{id: "1"})
			So(new[1], ShouldResemble, &entry{id: "2"})
			So(new[2], ShouldResemble, &entry{id: "3"})
		})

		Convey("If I delete the first element in the list, I should get the right data", func() {
			e := entryList{
				{
					id: "1",
				},
				{
					id: "2",
				},
				{
					id: "3",
				},
			}
			new := e.Delete(0)
			So(len(new), ShouldEqual, 2)
			So(new[0], ShouldResemble, &entry{id: "2"})
			So(new[1], ShouldResemble, &entry{id: "3"})
		})

		Convey("If I try to delete out of bounds, the list should not be modified", func() {
			e := entryList{
				{
					id: "1",
				},
				{
					id: "3",
				},
			}
			new := e.Delete(4)
			So(len(new), ShouldEqual, 2)
			So(new[0], ShouldResemble, &entry{id: "1"})
			So(new[1], ShouldResemble, &entry{id: "3"})
		})
		Convey("If I delete the last element list I should get an empty list", func() {
			e := entryList{
				{
					id: "1",
				},
			}
			new := e.Delete(0)
			So(len(new), ShouldEqual, 0)
		})
	})
}

func createServices() (*common.Service, *common.Service, *common.Service) {
	n1 := "172.17.1.0/24"
	n2 := "192.168.0.0/16"
	n3 := "20.1.1.1/32"

	s1 := &common.Service{
		Ports: &portspec.PortSpec{
			Min: uint16(0),
			Max: uint16(100),
		},
		Protocol:  6,
		Addresses: map[string]struct{}{n1: struct{}{}, n2: struct{}{}, n3: struct{}{}},
		FQDNs:     []string{"host1", "host2", "host3"},
	}

	n4 := "10.1.1.0/28"

	s2 := &common.Service{
		Ports: &portspec.PortSpec{
			Min: uint16(150),
			Max: uint16(200),
		},
		Protocol:  6,
		Addresses: map[string]struct{}{n4: struct{}{}},
		FQDNs:     []string{"host4"},
	}

	s3 := &common.Service{
		Ports: &portspec.PortSpec{
			Min: uint16(1000),
			Max: uint16(2000),
		},
		Protocol:  6,
		Addresses: map[string]struct{}{},
	}

	return s1, s2, s3
}
func TestServiceCache(t *testing.T) {
	Convey("Given a new cache", t, func() {
		c := NewTable()
		Convey("When I add a set of entries, I should succeed", func() {

			s1, s2, s3 := createServices()

			cerr := c.Add(s1, "1", "first data", true)
			So(cerr, ShouldBeNil)
			So(c.local, ShouldNotBeNil)
			So(c.localHosts, ShouldNotBeNil)
			So(len(c.localHosts), ShouldEqual, 3)

			cerr = c.Add(s2, "2", "second data", true)
			So(cerr, ShouldBeNil)
			So(c.local, ShouldNotBeNil)
			So(c.localHosts, ShouldNotBeNil)
			So(len(c.localHosts), ShouldEqual, 4)

			cerr = c.Add(s3, "3", "third data", true)
			So(cerr, ShouldBeNil)
			So(len(c.localHosts), ShouldEqual, 4)

		})

		Convey("If I try to add overlapping ports for a given prefix, I should get error", func() {
			s1, s2, s3 := createServices()
			cerr := c.Add(s1, "1", "first data", true)
			So(cerr, ShouldBeNil)
			cerr = c.Add(s2, "2", "second data", true)
			So(cerr, ShouldBeNil)
			cerr = c.Add(s3, "3", "third data", true)
			So(cerr, ShouldBeNil)

			n5 := "10.1.1.0/28"
			s4 := &common.Service{
				Ports: &portspec.PortSpec{
					Min: uint16(100),
					Max: uint16(300),
				},
				Protocol:  6,
				Addresses: map[string]struct{}{n5: struct{}{}},
			}
			cerr = c.Add(s4, "4", "failed data", true)
			So(cerr, ShouldNotBeNil)
		})

		Convey("If I try to add overlapping ports for a given host, I should get error", func() {
			s1, s2, s3 := createServices()
			cerr := c.Add(s1, "1", "first data", true)
			So(cerr, ShouldBeNil)
			cerr = c.Add(s2, "2", "second data", true)
			So(cerr, ShouldBeNil)
			cerr = c.Add(s3, "3", "third data", true)
			So(cerr, ShouldBeNil)

			s4 := &common.Service{
				Ports: &portspec.PortSpec{
					Min: uint16(100),
					Max: uint16(300),
				},
				Protocol:  6,
				Addresses: nil,
				FQDNs:     []string{"host4"},
			}
			cerr = c.Add(s4, "4", "failed data", true)
			So(cerr, ShouldNotBeNil)
		})

		Convey("When I search for valid entries, I should get the right responses", func() {
			s1, s2, s3 := createServices()
			cerr := c.Add(s1, "1", "first data", true)
			So(cerr, ShouldBeNil)
			cerr = c.Add(s2, "2", "second data", true)
			So(cerr, ShouldBeNil)
			cerr = c.Add(s3, "3", "third data", true)
			So(cerr, ShouldBeNil)

			data := c.Find(net.ParseIP("10.1.1.1").To4(), 175, "", true)
			So(data, ShouldNotBeNil)
			So(data.(string), ShouldResemble, "second data")

			data = c.Find(net.ParseIP("192.168.1.1").To4(), 50, "", true)
			So(data, ShouldNotBeNil)
			So(data.(string), ShouldResemble, "first data")

			data = c.Find(net.ParseIP("50.50.50.50").To4(), 1001, "", true)
			So(data, ShouldNotBeNil)
			So(data.(string), ShouldResemble, "third data")

			data = c.Find(nil, 50, "host2", true)
			So(data, ShouldNotBeNil)
			So(data.(string), ShouldResemble, "first data")

			data = c.Find(nil, 150, "host4", true)
			So(data, ShouldNotBeNil)
			So(data.(string), ShouldResemble, "second data")
		})

		Convey("When I search for a good IP, but invalid port, I should get nil ", func() {
			s1, s2, s3 := createServices()
			cerr := c.Add(s1, "1", "first data", true)
			So(cerr, ShouldBeNil)
			cerr = c.Add(s2, "2", "second data", true)
			So(cerr, ShouldBeNil)
			cerr = c.Add(s3, "3", "third data", true)
			So(cerr, ShouldBeNil)

			data := c.Find(net.ParseIP("10.1.1.1").To4(), 50, "", true)
			So(data, ShouldBeNil)
		})

		Convey("When I search for a good IP, but uknown host, I should get nil ", func() {
			s1, s2, s3 := createServices()
			cerr := c.Add(s1, "1", "first data", true)
			So(cerr, ShouldBeNil)
			cerr = c.Add(s2, "2", "second data", true)
			So(cerr, ShouldBeNil)
			cerr = c.Add(s3, "3", "third data", true)
			So(cerr, ShouldBeNil)

			data := c.Find(nil, 50, "uknown", true)
			So(data, ShouldBeNil)
		})

		Convey("When I search for a good IP, but invalid host, I should get nil ", func() {
			s1, s2, s3 := createServices()
			cerr := c.Add(s1, "1", "first data", true)
			So(cerr, ShouldBeNil)
			cerr = c.Add(s2, "2", "second data", true)
			So(cerr, ShouldBeNil)
			cerr = c.Add(s3, "3", "third data", true)
			So(cerr, ShouldBeNil)

			data := c.Find(nil, 50, "host4", true)
			So(data, ShouldBeNil)
		})

		Convey("When I search for a good exact IP, and valid port, I should get the data ", func() {
			s1, s2, s3 := createServices()
			cerr := c.Add(s1, "1", "first data", true)
			So(cerr, ShouldBeNil)
			cerr = c.Add(s2, "2", "second data", true)
			So(cerr, ShouldBeNil)
			cerr = c.Add(s3, "3", "third data", true)
			So(cerr, ShouldBeNil)

			data := c.Find(net.ParseIP("20.1.1.1").To4(), 50, "", true)
			So(data, ShouldNotBeNil)
			So(data.(string), ShouldResemble, "first data")
		})
	})
}

func TestDelete(t *testing.T) {
	Convey("When I delete the first of entries, I should not be able to find them any more", t, func() {
		c := NewTable()
		s1, s2, s3 := createServices()
		cerr := c.Add(s1, "1", "first data", true)
		So(cerr, ShouldBeNil)
		cerr = c.Add(s2, "2", "second data", true)
		So(cerr, ShouldBeNil)
		cerr = c.Add(s3, "3", "third data", false)
		So(cerr, ShouldBeNil)

		c.DeleteByID("1", true)
		data := c.Find(net.ParseIP("192.168.1.1").To4(), 50, "", true)
		So(data, ShouldBeNil)
	})
}

func TestFindExistingServices(t *testing.T) {
	Convey("Given a table with entries", t, func() {
		c := NewTable()
		s1, s2, s3 := createServices()
		cerr := c.Add(s1, "1", "first data", true)
		So(cerr, ShouldBeNil)
		cerr = c.Add(s2, "2", "second data", true)
		So(cerr, ShouldBeNil)
		cerr = c.Add(s3, "3", "third data", true)
		So(cerr, ShouldBeNil)

		Convey("When I retrieve the service list from the local, it should be correct", func() {
			data, spec := c.FindListeningServicesForPU("3")
			So(data, ShouldNotBeNil)
			So(data, ShouldResemble, "third data")
			So(spec, ShouldNotBeNil)
		})
	})
}


================================================
FILE: controller/internal/enforcer/applicationproxy/serviceregistry/serviceregistry.go
================================================
package serviceregistry

import (
	"crypto/x509"
	"fmt"
	"net"
	"sync"

	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/applicationproxy/common"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/applicationproxy/servicecache"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/auth"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/pucontext"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/secrets"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/urisearch"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
	"go.aporeto.io/tg/tglib"
)

// ServiceContext includes all the all the service related information
// for dependent services. It is indexed by the PU ID and a PU can
// easily retrieve all the state with a simple lookup. Note, that
// there is one ServiceContext for every PU.
type ServiceContext struct {
	PU        *policy.PUInfo
	PUContext *pucontext.PUContext
	RootCA    [][]byte

	// Dependent Services are services that are consumed by the PU.
	// The dependent service cache is only accessible internally,
	// so that all types are properly converted.
	dependentServiceCache *servicecache.ServiceCache
}

// DependentServiceData are the data that are held for each service
// in the dependentServiceCache.
type DependentServiceData struct {
	// Used for authorization
	APICache *urisearch.APICache
	// Used by the protomux to find the right service type.
	ServiceType common.ListenerType
	// ServiceObject is the original service object.
	ServiceObject *policy.ApplicationService
}

// PortContext includes all the needed associations to refer to a service by port.
// For incoming connections the only available information is the IP/port
// pair of the original request and we use this to map the connection and
// request to a port. For network services we have additional state data
// such as the authorizers. Note that there is one PortContext for every
// service of every PU.
type PortContext struct {
	ID                 string
	Type               common.ListenerType
	Service            *policy.ApplicationService
	Authorizer         *auth.Processor
	PUContext          *pucontext.PUContext
	TargetPort         int
	ClientTrustedRoots *x509.CertPool
}

// Registry is a service registry. It maintains all the state information
// and provides a simple API to retrieve the data. The registry always
// locks and allows multi-threading.
type Registry struct {
	indexByName map[string]*ServiceContext
	indexByPort *servicecache.ServiceCache
	sync.Mutex
}

var instance = Registry{
	indexByName: map[string]*ServiceContext{},
	indexByPort: servicecache.NewTable(),
}

//Instance returns the service registry instance
func Instance() *Registry {
	return &instance
}

// Register registers a new service with the registry. If the service
// already exists it updates the service with the new information, otherwise
// it creates a new service.
func (r *Registry) Register(
	puID string,
	pu *policy.PUInfo,
	puContext *pucontext.PUContext,
	secrets secrets.Secrets,
) (*ServiceContext, error) {

	r.Lock()
	defer r.Unlock()

	sctx := &ServiceContext{
		PU:                    pu,
		PUContext:             puContext,
		dependentServiceCache: servicecache.NewTable(),
		RootCA:                [][]byte{},
	}

	// Delete all old references first. Since the registry is locked
	// nobody will be affected.
	r.indexByPort.DeleteByID(puID, true)
	r.indexByPort.DeleteByID(puID, false)

	if err := r.updateDependentServices(sctx); err != nil {
		return nil, err
	}

	if err := r.updateExposedServices(sctx, secrets); err != nil {
		return nil, err
	}

	r.indexByName[puID] = sctx

	return sctx, nil
}

// buildExposedServices builds the caches for the exposed services. It assumes that an authorization
func (r *Registry) updateExposedServices(sctx *ServiceContext, secrets secrets.Secrets) error {

	for _, service := range sctx.PU.Policy.ExposedServices() {
		if service.Type != policy.ServiceHTTP && service.Type != policy.ServiceTCP {
			continue
		}
		if err := r.updateExposedPortAssociations(sctx, service, secrets); err != nil {
			return err
		}
	}

	return nil
}

// Unregister unregisters a pu from the registry.
func (r *Registry) Unregister(puID string) error {
	r.Lock()
	defer r.Unlock()

	delete(r.indexByName, puID)
	r.indexByPort.DeleteByID(puID, true)
	r.indexByPort.DeleteByID(puID, false)
	return nil
}

// RetrieveServiceByID retrieves a service by the PU ID. Returns error if not found.
func (r *Registry) RetrieveServiceByID(id string) (*ServiceContext, error) {
	r.Lock()
	defer r.Unlock()

	svc, ok := r.indexByName[id]
	if !ok {
		return nil, fmt.Errorf("Service not found: %s", id)
	}

	return svc, nil
}

// RetrieveExposedServiceContext retrieves a service by the provided IP and or port. This
// is called by the network side of processing to find the context.
func (r *Registry) RetrieveExposedServiceContext(ip net.IP, port int, host string) (*PortContext, error) {
	r.Lock()
	defer r.Unlock()

	data := r.indexByPort.Find(ip, port, host, true)
	if data == nil {
		return nil, fmt.Errorf("Service information not found: %s %d %s", ip.String(), port, host)
	}

	portContext, ok := data.(*PortContext)
	if !ok {
		return nil, fmt.Errorf("Internal server error")
	}

	return portContext, nil
}

// RetrieveDependentServiceDataByIDAndNetwork will return the service data that match the given
// PU and the given IP/port information.
func (r *Registry) RetrieveDependentServiceDataByIDAndNetwork(id string, ip net.IP, port int, host string) (*ServiceContext, *DependentServiceData, error) {
	sctx, err := r.RetrieveServiceByID(id)
	if err != nil {
		return nil, nil, fmt.Errorf("Services for PU %s not found: %s", id, err)
	}
	data := sctx.dependentServiceCache.Find(ip, port, "", false)
	if data == nil {
		return nil, nil, fmt.Errorf("Service not found for this PU: %s", id)
	}
	serviceData, ok := data.(*DependentServiceData)
	if !ok {
		return nil, nil, fmt.Errorf("Internal server error - bad data types")
	}
	return sctx, serviceData, nil
}

// updateExposedPortAssociations will insert the association between a port
// and a service in the global exposed service cache. This is  needed
// for all incoming connections, so that can determine both the type
// of proxy as well the correct policy for this connection. This
// association cannot have overlaps.
func (r *Registry) updateExposedPortAssociations(sctx *ServiceContext, service *policy.ApplicationService, secrets secrets.Secrets) error {

	// Do All the basic validations first.
	if service.PrivateNetworkInfo == nil {
		return fmt.Errorf("Private network is required for exposed services")
	}
	port, err := service.PrivateNetworkInfo.Ports.SinglePort()
	if err != nil {
		return fmt.Errorf("Multi-port is not supported for exposed services: %s", err)
	}
	if service.PublicNetworkInfo != nil {
		if _, err := service.PublicNetworkInfo.Ports.SinglePort(); err != nil {
			return fmt.Errorf("Multi-port is not supported for public network services: %s", err)
		}
	}

	// Find any existing state and get the authorizer. We do not want
	// to re-initialize the authorizer for every policy update.
	authProcessor, err := r.createOrUpdateAuthProcessor(sctx, service, secrets)
	if err != nil {
		return err
	}

	clientCAs := x509.NewCertPool()
	if (service.UserAuthorizationType == policy.UserAuthorizationMutualTLS || service.UserAuthorizationType == policy.UserAuthorizationJWT) &&
		len(service.MutualTLSTrustedRoots) > 0 {
		if !clientCAs.AppendCertsFromPEM(service.MutualTLSTrustedRoots) {
			return fmt.Errorf("Unable to process client CAs")
		}
	}

	// Add the new references.
	if err := r.indexByPort.Add(
		service.PrivateNetworkInfo,
		sctx.PU.ContextID,
		&PortContext{
			ID:                 sctx.PU.ContextID,
			Service:            service,
			TargetPort:         int(port),
			Type:               serviceTypeToNetworkListenerType(service.Type, false),
			Authorizer:         authProcessor,
			ClientTrustedRoots: clientCAs,
			PUContext:          sctx.PUContext,
		},
		true,
	); err != nil {
		return fmt.Errorf("Possible port overlap: %s", err)
	}

	if service.PublicNetworkInfo != nil {
		if err := r.indexByPort.Add(
			service.PublicNetworkInfo,
			sctx.PU.ContextID,
			&PortContext{
				ID:                 sctx.PU.ContextID,
				Service:            service,
				TargetPort:         int(port),
				Type:               serviceTypeToNetworkListenerType(service.Type, service.PublicServiceTLSType == policy.ServiceTLSTypeNone),
				Authorizer:         authProcessor,
				ClientTrustedRoots: clientCAs,
				PUContext:          sctx.PUContext,
			},
			true,
		); err != nil {
			return fmt.Errorf("Possible port overlap with public services: %s", err)
		}
	}

	return nil
}

func updateDependentService(service *policy.ApplicationService, sctx *ServiceContext) error {

	if len(service.CACert) != 0 {
		sctx.RootCA = append(sctx.RootCA, service.CACert)
	}

	serviceData := &DependentServiceData{
		ServiceType:   serviceTypeToApplicationListenerType(service.Type),
		ServiceObject: service,
	}
	if service.Type == policy.ServiceHTTP {
		serviceData.APICache = urisearch.NewAPICache(service.HTTPRules, service.ID, service.External)
	}

	if err := sctx.dependentServiceCache.Add(
		service.NetworkInfo,
		sctx.PU.ContextID,
		serviceData,
		false,
	); err != nil {
		return fmt.Errorf("Possible overlap in dependent services: %s", err)
	}

	return nil
}

// UpdateDependentServicesByID will the dependent services for the ID
func (r *Registry) UpdateDependentServicesByID(id string) error {

	sctx, err := r.RetrieveServiceByID(id)
	if err != nil {
		return fmt.Errorf("Services for PU %s not found: %s", id, err)
	}

	r.Lock()
	sctx.dependentServiceCache = servicecache.NewTable()
	err = r.updateDependentServices(sctx)
	r.Unlock()

	return err
}

// updateDependentService will update all the information in the
// ServiceContext for the dependent services.
func (r *Registry) updateDependentServices(sctx *ServiceContext) error {

	for _, service := range sctx.PU.Policy.DependentServices() {
		if err := updateDependentService(service, sctx); err != nil {
			return err
		}
	}

	return nil
}

func (r *Registry) createOrUpdateAuthProcessor(sctx *ServiceContext, service *policy.ApplicationService, secrets secrets.Secrets) (*auth.Processor, error) {

	var cert *x509.Certificate
	if len(service.FallbackJWTAuthorizationCert) > 0 {
		var err error
		cert, err = tglib.ParseCertificate([]byte(service.FallbackJWTAuthorizationCert))
		if err != nil {
			return nil, err
		}
	}

	portContext, _ := r.indexByPort.FindListeningServicesForPU(sctx.PU.ContextID)
	var authProcessor *auth.Processor
	if portContext != nil {
		existingPortCtx, ok := portContext.(*PortContext)
		if !ok {
			return nil, fmt.Errorf("Internal error - unusable data structure")
		}
		authProcessor = existingPortCtx.Authorizer
		authProcessor.UpdateSecrets(secrets, cert)
	} else {
		authProcessor = auth.NewProcessor(secrets, cert)
	}

	authProcessor.AddOrUpdateService(
		urisearch.NewAPICache(service.HTTPRules, service.ID, false),
		service.UserAuthorizationType,
		service.UserAuthorizationHandler,
		service.UserTokenToHTTPMappings,
	)

	return authProcessor, nil
}

func serviceTypeToNetworkListenerType(serviceType policy.ServiceType, noTLS bool) common.ListenerType {
	switch serviceType {
	case policy.ServiceHTTP:
		if noTLS {
			return common.HTTPNetwork
		}
		return common.HTTPSNetwork
	default:
		return common.TCPNetwork
	}
}

func serviceTypeToApplicationListenerType(serviceType policy.ServiceType) common.ListenerType {
	switch serviceType {
	case policy.ServiceHTTP:
		return common.HTTPApplication
	default:
		return common.TCPApplication
	}
}


================================================
FILE: controller/internal/enforcer/applicationproxy/serviceregistry/serviceregistry_test.go
================================================
// +build !windows

package serviceregistry

import (
	"net"
	"testing"
	"time"

	. "github.com/smartystreets/goconvey/convey"
	triremecommon "go.aporeto.io/enforcerd/trireme-lib/common"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/applicationproxy/common"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/pucontext"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/secrets"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/secrets/testhelper"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
	"go.aporeto.io/enforcerd/trireme-lib/utils/portspec"
)

func newBaseApplicationServices(exposedPortValue, publicPortValue, privatePortValue, dependentPortValue uint16) (*policy.ApplicationService, *policy.ApplicationService) {

	exposed1 := "10.1.1.0/24"
	exposed2 := "20.1.1.0/24"
	public1 := "30.1.1.0/24"
	public2 := "40.1.1.0/24"
	dependent1 := "50.1.1.0/24"
	dependent2 := "60.1.1.0/24"

	exposedPort, err := portspec.NewPortSpec(exposedPortValue, exposedPortValue, nil)
	So(err, ShouldBeNil)
	publicPort, err := portspec.NewPortSpec(publicPortValue, publicPortValue, nil)
	So(err, ShouldBeNil)
	privatePort, err := portspec.NewPortSpec(privatePortValue, privatePortValue, nil)
	So(err, ShouldBeNil)
	dependentPort, err := portspec.NewPortSpec(dependentPortValue, dependentPortValue, nil)
	So(err, ShouldBeNil)

	return &policy.ApplicationService{
			ID: "policyExposed",
			NetworkInfo: &triremecommon.Service{
				Ports:     exposedPort,
				Protocol:  6,
				Addresses: map[string]struct{}{exposed1: struct{}{}, exposed2: struct{}{}},
			},
			PublicNetworkInfo: &triremecommon.Service{
				Ports:     publicPort,
				Protocol:  6,
				Addresses: map[string]struct{}{public1: struct{}{}},
			},
			PrivateNetworkInfo: &triremecommon.Service{
				Ports:     privatePort,
				Protocol:  6,
				Addresses: map[string]struct{}{},
			},
			Type:                 policy.ServiceHTTP,
			PublicServiceTLSType: policy.ServiceTLSTypeAporeto,
		},
		&policy.ApplicationService{
			ID: "policyDepend",
			NetworkInfo: &triremecommon.Service{
				Ports:    dependentPort,
				Protocol: 6,
				FQDNs:    []string{"www.google.com"},
				Addresses: map[string]struct{}{
					dependent1: struct{}{},
					dependent2: struct{}{},
				},
			},
			PublicNetworkInfo: &triremecommon.Service{
				Ports:     publicPort,
				Protocol:  6,
				Addresses: map[string]struct{}{public2: struct{}{}},
			},
			PrivateNetworkInfo: &triremecommon.Service{
				Ports:     privatePort,
				Protocol:  6,
				Addresses: map[string]struct{}{},
			},
			Type:                 policy.ServiceHTTP,
			PublicServiceTLSType: policy.ServiceTLSTypeAporeto,
		}
}

func newPU(name string, exposedPort, publicPort, privatePort, dependentPort uint16, doubleExposed, doubleDependent bool) (*policy.PUInfo, *pucontext.PUContext, secrets.Secrets) {
	exposed, dependent := newBaseApplicationServices(exposedPort, publicPort, privatePort, dependentPort)

	exposedServices := policy.ApplicationServicesList{exposed}
	if doubleExposed {
		exposedServices = append(exposedServices, exposed)
	}

	dependentServices := policy.ApplicationServicesList{dependent}
	if doubleDependent {
		dependentServices = append(dependentServices, dependent)
	}
	plc := policy.NewPUPolicy(
		name+"-policyid1",
		"/ns1",
		policy.Police,
		policy.IPRuleList{},
		policy.IPRuleList{},
		policy.DNSRuleList{},
		policy.TagSelectorList{},
		policy.TagSelectorList{},
		policy.NewTagStore(),
		policy.NewTagStoreFromSlice([]string{"app=web", "type=aporeto"}),
		nil,
		nil,
		0,
		0,
		exposedServices,
		dependentServices,
		[]string{},
		policy.EnforcerMapping,
		policy.Reject|policy.Log,
		policy.Reject|policy.Log,
	)

	puInfo := policy.NewPUInfo(name, "/ns1", triremecommon.ContainerPU)
	puInfo.Policy = plc
	pctx, err := pucontext.NewPU(name, puInfo, nil, time.Second*1000)
	So(err, ShouldBeNil)
	_, s, _ := testhelper.NewTestCompactPKISecrets()
	return puInfo, pctx, s
}

func TestRegister(t *testing.T) {
	Convey("Given a new registry", t, func() {
		r := Instance()
		Convey("When I register a new PU with no services", func() {
			puInfo, pctx, s := newPU("pu1", 8080, 443, 80, 8080, false, false)
			sctx, err := r.Register("pu1", puInfo, pctx, s)
			Convey("The data structures should be correct and I should be able to retrieve the service", func() {
				So(err, ShouldBeNil)
				So(sctx, ShouldNotBeNil)
				So(sctx.PU, ShouldResemble, puInfo)
				So(sctx.PUContext, ShouldResemble, pctx)
				So(sctx.dependentServiceCache, ShouldNotBeNil)
			})
			Convey("And I should be able to retrieve the services using the three provided methods", func() {
				serviceContext, rerr := r.RetrieveServiceByID("pu1")
				So(rerr, ShouldBeNil)
				So(serviceContext, ShouldNotBeNil)
				So(serviceContext, ShouldResemble, sctx)

				portContext, perr := r.RetrieveExposedServiceContext(net.ParseIP("10.1.1.1").To4(), 80, "")
				So(perr, ShouldBeNil)
				So(portContext, ShouldNotBeNil)
				So(portContext.ID, ShouldResemble, "pu1")
				So(portContext.TargetPort, ShouldEqual, 80)
				So(portContext.Service, ShouldResemble, puInfo.Policy.ExposedServices()[0])
				So(portContext.Type, ShouldEqual, common.HTTPSNetwork)

			})
			Convey("Update the dependent services by fqdn, and it should be able to find", func() {
				for _, dependentService := range pctx.DependentServices("www.google.com") {
					dependentService.NetworkInfo.Addresses["4.4.4.4/32"] = struct{}{}
				}

				err := r.UpdateDependentServicesByID("pu1")
				So(err, ShouldBeNil)

				_, _, err = r.RetrieveDependentServiceDataByIDAndNetwork("pu1", net.ParseIP("4.4.4.4").To4(), 8080, "")
				So(err, ShouldBeNil)
			})
			Convey("But I should get errors for non existing ports or services", func() {
				serviceContext, rerr := r.RetrieveServiceByID("badpu")
				So(rerr, ShouldNotBeNil)
				So(serviceContext, ShouldBeNil)

				portContext, perr := r.RetrieveExposedServiceContext(net.ParseIP("100.1.1.1").To4(), 100, "")
				So(perr, ShouldNotBeNil)
				So(portContext, ShouldBeNil)
			})

			Convey("When I register a second service with no overlaps", func() {
				puInfo, pctx, s := newPU("pu2", 8000, 4443, 8080, 10000, false, false)
				sctx, err := r.Register("pu2", puInfo, pctx, s)
				So(err, ShouldBeNil)
				So(sctx, ShouldNotBeNil)

				Convey("And I should be able to retrieve the updated services using the three provided methods", func() {
					serviceContext, rerr := r.RetrieveServiceByID("pu2")
					So(rerr, ShouldBeNil)
					So(serviceContext, ShouldNotBeNil)
					So(serviceContext, ShouldResemble, sctx)

					portContext, perr := r.RetrieveExposedServiceContext(net.ParseIP("10.1.1.1").To4(), 8080, "")
					So(perr, ShouldBeNil)
					So(portContext, ShouldNotBeNil)
					So(portContext.ID, ShouldResemble, "pu2")
					So(portContext.TargetPort, ShouldEqual, 8080)
					So(portContext.Service, ShouldResemble, puInfo.Policy.ExposedServices()[0])
					So(portContext.Type, ShouldEqual, common.HTTPSNetwork)
				})
			})

			Convey("When I register a second service with port overlaps, I should get errors", func() {
				// exposedService overlap
				puInfo, pctx, s := newPU("pu2", 8080, 4443, 8080, 10000, true, false)
				sctx, err := r.Register("pu2", puInfo, pctx, s)
				So(err, ShouldNotBeNil)
				So(sctx, ShouldBeNil)

				// dependentService overlap
				puInfo, pctx, s = newPU("pu2", 8080, 4443, 8080, 10000, false, true)
				sctx, err = r.Register("pu2", puInfo, pctx, s)
				So(err, ShouldNotBeNil)
				So(sctx, ShouldBeNil)

				// both overlaps
				puInfo, pctx, s = newPU("pu2", 8080, 4443, 8080, 10000, true, true)
				sctx, err = r.Register("pu2", puInfo, pctx, s)
				So(err, ShouldNotBeNil)
				So(sctx, ShouldBeNil)

			})

			Convey("When I re-register the service with updates on the ports", func() {
				puInfo, pctx, s := newPU("pu1", 8000, 4443, 8080, 10000, false, false)
				sctx, err := r.Register("pu1", puInfo, pctx, s)
				So(err, ShouldBeNil)
				So(sctx, ShouldNotBeNil)

				Convey("And I should be able to retrieve the updated services using the three provided methods", func() {
					serviceContext, rerr := r.RetrieveServiceByID("pu1")
					So(rerr, ShouldBeNil)
					So(serviceContext, ShouldNotBeNil)
					So(serviceContext, ShouldResemble, sctx)

					portContext, perr := r.RetrieveExposedServiceContext(net.ParseIP("10.1.1.1").To4(), 8080, "")
					So(perr, ShouldBeNil)
					So(portContext, ShouldNotBeNil)
					So(portContext.ID, ShouldResemble, "pu1")
					So(portContext.TargetPort, ShouldEqual, 8080)
					So(portContext.Service, ShouldResemble, puInfo.Policy.ExposedServices()[0])
					So(portContext.Type, ShouldEqual, common.HTTPSNetwork)
				})
			})

			Convey("When I unregister the service, it should be deleted", func() {
				uerr := r.Unregister("pu1")
				So(uerr, ShouldBeNil)
				retrievedContext, rerr := r.RetrieveServiceByID("pu1")
				So(rerr, ShouldNotBeNil)
				So(retrievedContext, ShouldBeNil)
				portContext, perr := r.RetrieveExposedServiceContext(net.ParseIP("10.1.1.1").To4(), 80, "")
				So(perr, ShouldNotBeNil)
				So(portContext, ShouldBeNil)
			})
		})
	})
}

func TestServiceTypeToNetworkListenerType(t *testing.T) {
	Convey("When I convert a network HTTP service it should be HTTPNetwork", t, func() {
		t := serviceTypeToNetworkListenerType(policy.ServiceHTTP, true)
		So(t, ShouldEqual, common.HTTPNetwork)
	})
	Convey("When I convert a network HTTPS service it should be HTTPSNetwork", t, func() {
		t := serviceTypeToNetworkListenerType(policy.ServiceHTTP, false)
		So(t, ShouldEqual, common.HTTPSNetwork)
	})
	Convey("When I convert a TCP service it should be TCPNetwork", t, func() {
		t := serviceTypeToNetworkListenerType(policy.ServiceTCP, false)
		So(t, ShouldEqual, common.TCPNetwork)
	})
}

func TestServiceTypeToApplicationListenerType(t *testing.T) {
	Convey("When I convert an application HTTP service it should be HTTPApplication", t, func() {
		t := serviceTypeToApplicationListenerType(policy.ServiceHTTP)
		So(t, ShouldEqual, common.HTTPApplication)
	})
	Convey("When I convert an application TCP service it should be TCPApplication", t, func() {
		t := serviceTypeToApplicationListenerType(policy.ServiceTCP)
		So(t, ShouldEqual, common.TCPApplication)
	})
}


================================================
FILE: controller/internal/enforcer/applicationproxy/tcp/lookup.go
================================================
package tcp

import (
	"fmt"
	"net"
	"strconv"

	"go.aporeto.io/enforcerd/trireme-lib/collector"
	"go.aporeto.io/enforcerd/trireme-lib/controller/constants"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packet"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/pucontext"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
	"go.uber.org/zap"
)

const indeterminateRemoteController = ""

// proxyFlowProperties is a struct used to pass flow information up
type proxyFlowProperties struct {
	myControllerID string
	SourceIP       string
	DestIP         string
	PolicyID       string
	ServiceID      string
	DestType       collector.EndPointType
	SourceType     collector.EndPointType
	SourcePort     uint16
	DestPort       uint16
}

type lookup struct {
	SourceIP   net.IP
	DestIP     net.IP
	SourcePort uint16
	DestPort   uint16
	collector  collector.EventCollector
	puContext  *pucontext.PUContext
	pfp        *proxyFlowProperties
	client     bool
}

// IDLookup performs policy lookup based on incoming tags from remote PU and matching against our policy DB.
// Stats reporting is done for:
//   - all rejects
//   - accepts on server
func (l *lookup) IDLookup(remoteController, remotePUID string, tags *policy.TagStore) bool { // nolint: staticcheck

	remoteController = ""
	// TODO: Enable this
	// if remoteController == l.pfp.myControllerID {
	// 	remoteController = ""
	// }

	report, packet := l.Policy(tags)

	if packet.Action.Rejected() {
		l.ReportStats(
			collector.EndPointTypePU,
			remoteController,
			remotePUID,
			collector.PolicyDrop,
			report,
			packet,
			false,
		)
		zap.L().Debug("lookup reject", zap.Bool("client", l.client), zap.Strings("tags", tags.GetSlice()))
		return false
	}

	if !l.client && packet.Action.Accepted() {
		l.ReportStats(
			collector.EndPointTypePU,
			remoteController,
			remotePUID,
			"N/A",
			report,
			packet,
			false,
		)
		zap.L().Debug("lookup accept", zap.Bool("client", l.client), zap.Strings("tags", tags.GetSlice()))
	}
	return true
}

// Policy performs policy lookup based on incoming tags from remote PU and matching against our policy DB.
// It also returns the report and packet policy.
func (l *lookup) Policy(tags *policy.TagStore) (*policy.FlowPolicy, *policy.FlowPolicy) {

	var report *policy.FlowPolicy
	var packet *policy.FlowPolicy

	if l.client {
		tags.AppendKeyValue(constants.PortNumberLabelString, fmt.Sprintf("%s/%s", constants.TCPProtoString, strconv.Itoa(int(l.DestPort))))
		report, packet = l.puContext.SearchTxtRules(tags, false)
	} else {
		tags.AppendKeyValue(constants.PortNumberLabelString, fmt.Sprintf("%s/%s", constants.TCPProtoString, strconv.Itoa(int(l.DestPort))))
		report, packet = l.puContext.SearchRcvRules(tags)
	}

	return report, packet
}

func (l *lookup) IPLookup() bool {

	var report *policy.FlowPolicy
	var packetPolicy *policy.FlowPolicy
	var noPolicy error

	if l.client {
		report, packetPolicy, noPolicy = l.puContext.ApplicationACLPolicyFromAddr(l.DestIP, l.DestPort, packet.IPProtocolTCP)
	} else {
		report, packetPolicy, noPolicy = l.puContext.NetworkACLPolicyFromAddr(l.SourceIP, l.DestPort, packet.IPProtocolTCP)
	}

	matchString := "none"
	if noPolicy != nil {
		matchString = noPolicy.Error()
	}

	// Clients and Servers should reject and report if a reject action is found.
	if packetPolicy.Action.Rejected() {

		l.ReportStats(
			collector.EndPointTypeExternalIP,
			indeterminateRemoteController,
			packetPolicy.ServiceID,
			collector.PolicyDrop,
			report,
			packetPolicy,
			false,
		)
		zap.L().Debug(
			"IP ACL Lookup Reject",
			zap.Bool("client", l.client),
			zap.String("match", matchString),
			zap.String("src-ip", l.pfp.SourceIP),
			zap.Uint16("src-port", l.SourcePort),
			zap.String("dst-ip", l.pfp.DestIP),
			zap.Uint16("dst-port", l.DestPort),
			zap.String("report", report.PolicyID),
			zap.String("policy", packetPolicy.PolicyID))
		return false
	}

	if !l.client && packetPolicy.Action.Accepted() {
		l.ReportStats(
			collector.EndPointTypeExternalIP,
			indeterminateRemoteController,
			packetPolicy.ServiceID,
			"N/A",
			report,
			packetPolicy,
			false,
		)
	}
	zap.L().Debug(
		"IP ACL Lookup Accept",
		zap.Bool("client", l.client),
		zap.String("match", matchString),
		zap.String("src-ip", l.pfp.SourceIP),
		zap.Uint16("src-port", l.SourcePort),
		zap.String("dst-ip", l.pfp.DestIP),
		zap.Uint16("dst-port", l.DestPort),
		zap.String("report", report.PolicyID),
		zap.String("policy", packetPolicy.PolicyID))
	return true
}

func (l *lookup) ReportStats(remoteType collector.EndPointType, remoteController string, remotePUID string, mode string, report *policy.FlowPolicy, packet *policy.FlowPolicy, accept bool) {

	dstController, dstID, srcController, srcID := "", "", "", ""

	if l.client {
		l.pfp.DestType = remoteType
		if l.pfp.myControllerID != remoteController {
			dstController = remoteController
		}
		dstID = remotePUID
		srcID = l.puContext.ManagementID()
	} else {
		l.pfp.SourceType = remoteType
		dstID = l.puContext.ManagementID()
		if l.pfp.myControllerID != remoteController {
			srcController = remoteController
		}
		srcID = remotePUID
	}

	if accept {
		l.reportAcceptedFlow(
			l.pfp,
			srcID,
			dstID,
			l.puContext,
			report,
			packet,
			srcController,
			dstController,
		)
		return
	}

	l.reportRejectedFlow(
		l.pfp,
		srcID,
		dstID,
		l.puContext,
		mode,
		report,
		packet,
		srcController,
		dstController,
	)
}

func (l *lookup) reportFlow(flowproperties *proxyFlowProperties, sourceID string, destID string, context *pucontext.PUContext, mode string, report *policy.FlowPolicy, actual *policy.FlowPolicy, sourceController string, destController string) {

	c := &collector.FlowRecord{
		ContextID: context.ID(),
		Source: collector.EndPoint{
			ID:   sourceID,
			IP:   flowproperties.SourceIP,
			Port: flowproperties.SourcePort,
			Type: flowproperties.SourceType,
		},
		Destination: collector.EndPoint{
			ID:   destID,
			IP:   flowproperties.DestIP,
			Port: flowproperties.DestPort,
			Type: flowproperties.DestType,
		},

		Action:                actual.Action,
		DropReason:            mode,
		PolicyID:              actual.PolicyID,
		L4Protocol:            packet.IPProtocolTCP,
		ServiceType:           policy.ServiceTCP,
		ServiceID:             flowproperties.ServiceID,
		Namespace:             context.ManagementNamespace(),
		SourceController:      sourceController,
		DestinationController: destController,
	}

	if context.Annotations() != nil {
		c.Tags = context.Annotations().GetSlice()
	}

	if report.ObserveAction.Observed() {
		c.ObservedAction = report.Action
		c.ObservedPolicyID = report.PolicyID
		c.ObservedActionType = report.ObserveAction
	}

	l.collector.CollectFlowEvent(c)
}

func (l *lookup) reportAcceptedFlow(flowproperties *proxyFlowProperties, sourceID string, destID string, context *pucontext.PUContext, report *policy.FlowPolicy, packet *policy.FlowPolicy, sourceController string, destController string) {

	l.reportFlow(flowproperties, sourceID, destID, context, "N/A", report, packet, sourceController, destController)
}

func (l *lookup) reportRejectedFlow(flowproperties *proxyFlowProperties, sourceID string, destID string, context *pucontext.PUContext, mode string, report *policy.FlowPolicy, packet *policy.FlowPolicy, sourceController string, destController string) {

	if report == nil {
		report = &policy.FlowPolicy{
			Action:   policy.Reject | policy.Log,
			PolicyID: "default",
		}
	}
	if packet == nil {
		packet = report
	}
	l.reportFlow(flowproperties, sourceID, destID, context, mode, report, packet, sourceController, destController)
}


================================================
FILE: controller/internal/enforcer/applicationproxy/tcp/ping_tcp.go
================================================
package tcp

import (
	"bytes"
	"context"
	"crypto/tls"
	"crypto/x509"
	"encoding/json"
	"fmt"
	"io"
	"net"
	"time"

	"go.aporeto.io/enforcerd/trireme-lib/collector"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/applicationproxy/common"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/applicationproxy/markedconn"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/applicationproxy/pingrequest"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/applicationproxy/serviceregistry"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packet"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
	"go.aporeto.io/gaia"
	"go.aporeto.io/gaia/x509extensions"
	"go.uber.org/zap"
)

// InitiatePing initiates the ping request
func (p *Proxy) InitiatePing(ctx context.Context, sctx *serviceregistry.ServiceContext, sdata *serviceregistry.DependentServiceData, pingConfig *policy.PingConfig) error {

	zap.L().Debug("Initiating L4 ping")

	for i := 0; i < pingConfig.Iterations; i++ {
		if err := p.sendPingRequest(ctx, pingConfig, sctx, sdata, i); err != nil {
			return err
		}
	}

	return nil
}

func (p *Proxy) sendPingRequest(
	ctx context.Context,
	pingConfig *policy.PingConfig,
	sctx *serviceregistry.ServiceContext,
	sdata *serviceregistry.DependentServiceData,
	iterationID int) error {

	pingID := pingConfig.ID
	destIP := pingConfig.IP
	destPort := pingConfig.Port

	_, netaction, _ := sctx.PUContext.ApplicationACLPolicyFromAddr(destIP, destPort, packet.IPProtocolTCP)

	pingErr := "dial"
	if e := pingConfig.Error(); e != "" {
		pingErr = e
	}

	pr := &collector.PingReport{
		PingID:               pingID,
		IterationID:          iterationID,
		PUID:                 sctx.PUContext.ManagementID(),
		Namespace:            sctx.PUContext.ManagementNamespace(),
		Protocol:             6,
		ServiceType:          "L4",
		AgentVersion:         p.agentVersion.String(),
		ApplicationListening: false,
		ACLPolicyID:          netaction.PolicyID,
		ACLPolicyAction:      netaction.Action,
		Error:                pingErr,
		TargetTCPNetworks:    pingConfig.TargetTCPNetworks,
		ExcludedNetworks:     pingConfig.ExcludedNetworks,
		Type:                 gaia.PingProbeTypeRequest,
		RemoteEndpointType:   collector.EndPointTypeExternalIP,
		ClaimsType:           gaia.PingProbeClaimsTypeReceived,
		RemoteNamespaceType:  gaia.PingProbeRemoteNamespaceTypePlain,
		PayloadSizeType:      gaia.PingProbePayloadSizeTypeTransmitted,
	}

	defer p.collector.CollectPingEvent(pr)

	conn, err := dial(ctx, destIP, destPort, p.mark)
	if err != nil {
		return err
	}
	defer conn.Close() // nolint: errcheck

	src := conn.RemoteAddr().(*net.TCPAddr)
	pl := p.getPolicyReporter(sctx.PUContext, src.IP, src.Port, destIP, int(destPort), sdata.ServiceObject)
	pl.client = true

	// ServerName: Use first configured FQDN or the destination IP
	serverName, err := common.GetTLSServerName(conn.RemoteAddr().String(), sdata.ServiceObject)
	if err != nil {
		return fmt.Errorf("unable to get the server name: %s", err)
	}

	// Encrypt Down Connection
	p.RLock()
	ca := p.caPool
	p.RUnlock()

	tlsCert, err := tls.X509KeyPair([]byte(pingConfig.ServiceCertificate), []byte(pingConfig.ServiceKey))
	if err != nil {
		return fmt.Errorf("unable to parse X509 certificate: %w", err)
	}

	certs := []tls.Certificate{
		tlsCert,
	}

	t, err := getClientTLSConfig(ca, certs, serverName, false)
	if err != nil {
		return fmt.Errorf("unable to generate tls configuration: %s", err)
	}

	// Do TLS
	tlsConn := tls.Client(conn, t)
	defer tlsConn.Close() // nolint errcheck

	payload := &policy.PingPayload{
		PingID:      pingID,
		IterationID: iterationID,
		ServiceType: policy.ServiceTCP,
	}

	host := fmt.Sprintf("https://%s:%d", destIP, destPort)
	data, err := pingrequest.CreateRaw(host, payload)
	if err != nil {
		return err
	}

	laddr := tlsConn.LocalAddr().(*net.TCPAddr)
	raddr := tlsConn.RemoteAddr().(*net.TCPAddr)

	startTime := time.Now()
	if err := write(tlsConn, data); err != nil {
		pr.Error = err.Error()
		pr.FourTuple = fmt.Sprintf(
			"%s:%s:%d:%d",
			laddr.IP.String(),
			raddr.IP.String(),
			laddr.Port,
			raddr.Port,
		)
		return err
	}

	pr.Error = ""
	pr.RTT = time.Since(startTime).String()
	pr.PayloadSize = len(data)
	pr.ApplicationListening = true
	pr.Type = gaia.PingProbeTypeResponse
	pr.FourTuple = fmt.Sprintf(
		"%s:%s:%d:%d",
		raddr.IP.String(),
		laddr.IP.String(),
		raddr.Port,
		laddr.Port,
	)

	if len(tlsConn.ConnectionState().PeerCertificates) > 0 {
		return extract(pr, tlsConn.ConnectionState().PeerCertificates[0], pl)
	}

	return nil
}

func (p *Proxy) processPingRequest(conn *tls.Conn, pl *lookup) error {

	zap.L().Debug("Processing ping request")

	if err := conn.SetReadDeadline(time.Now().Add(3 * time.Second)); err != nil {
		return err
	}

	var dst bytes.Buffer
	if _, err := io.Copy(&dst, conn); err != nil {
		return err
	}

	pp, err := pingrequest.ExtractRaw(dst.Bytes())
	if err != nil {
		return err
	}

	pr := &collector.PingReport{
		PingID:          pp.PingID,
		IterationID:     pp.IterationID,
		Type:            gaia.PingProbeTypeRequest,
		PUID:            pl.puContext.ManagementID(),
		Namespace:       pl.puContext.ManagementNamespace(),
		PayloadSize:     len(dst.Bytes()),
		PayloadSizeType: gaia.PingProbePayloadSizeTypeReceived,
		Protocol:        6,
		ServiceType:     "L4",
		FourTuple: fmt.Sprintf("%s:%s:%d:%d",
			pl.SourceIP.String(),
			pl.DestIP.String(),
			pl.SourcePort,
			pl.DestPort),
		AgentVersion:        p.agentVersion.String(),
		RemoteEndpointType:  collector.EndPointTypePU,
		IsServer:            true,
		ClaimsType:          gaia.PingProbeClaimsTypeReceived,
		RemoteNamespaceType: gaia.PingProbeRemoteNamespaceTypePlain,
		TargetTCPNetworks:   true,
		ExcludedNetworks:    false,
	}

	if pp.ServiceType != policy.ServiceTCP {
		pr.Error = fmt.Sprintf("service type mismatch, expected: %d, actual: %d", policy.ServiceTCP, pp.ServiceType)
	}

	if len(conn.ConnectionState().PeerCertificates) > 0 {
		if err := extract(pr, conn.ConnectionState().PeerCertificates[0], pl); err != nil {
			return err
		}
	}

	p.collector.CollectPingEvent(pr)

	return nil
}

func extract(pr *collector.PingReport, cert *x509.Certificate, pl *lookup) error {

	pr.RemotePUID = cert.Subject.CommonName
	pr.RemoteEndpointType = collector.EndPointTypePU
	if len(cert.Subject.Organization) > 0 {
		pr.RemoteNamespace = cert.Subject.Organization[0]
	}
	pr.PeerCertIssuer = cert.Issuer.String()
	pr.PeerCertSubject = cert.Subject.String()
	pr.PeerCertExpiry = cert.NotAfter

	if found, controller := common.ExtractExtension(x509extensions.Controller(), cert.Extensions); found {
		pr.RemoteController = string(controller)
	}

	if found, value := common.ExtractExtension(x509extensions.IdentityTags(), cert.Extensions); found {

		claims := []string{}
		if err := json.Unmarshal(value, &claims); err != nil {
			return fmt.Errorf("unable to unmarshal tags: %w", err)
		}

		pr.Claims = claims

		tags := policy.NewTagStoreFromSlice(claims)
		_, pkt := pl.Policy(tags)

		pr.PolicyID = pkt.PolicyID
		pr.PolicyAction = pkt.Action
		if pkt.Action.Rejected() {
			pr.Error = collector.PolicyDrop
		}
	}

	return nil
}

func pingEnabled(conn *tls.Conn) bool {

	peerCerts := conn.ConnectionState().PeerCertificates
	if len(peerCerts) <= 0 {
		return false
	}

	found, _ := common.ExtractExtension(x509extensions.Ping(), peerCerts[0].Extensions)
	return found
}

func dial(ctx context.Context, ip net.IP, port uint16, mark int) (net.Conn, error) {

	raddr := &net.TCPAddr{
		IP:   ip,
		Port: int(port),
	}

	d := net.Dialer{
		Timeout: 5 * time.Second,
		Control: markedconn.ControlFunc(mark, false, nil),
	}
	return d.DialContext(ctx, "tcp", raddr.String())
}

func write(conn net.Conn, data []byte) error {

	if err := conn.SetWriteDeadline(time.Now().Add(5 * time.Second)); err != nil {
		return err
	}

	n, err := conn.Write(data)
	if err != nil && err != io.EOF {
		return err
	}

	if n != len(data) {
		return fmt.Errorf("failed to write data, expected: %v, written: %v", len(data), n)
	}

	return nil
}


================================================
FILE: controller/internal/enforcer/applicationproxy/tcp/tcp.go
================================================
package tcp

import (
	"context"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"net"
	"sync"
	"syscall"
	"time"

	"github.com/blang/semver"
	"go.aporeto.io/enforcerd/trireme-lib/collector"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/applicationproxy/common"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/applicationproxy/markedconn"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/applicationproxy/protomux"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/applicationproxy/serviceregistry"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/applicationproxy/tcp/verifier"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/applicationproxy/tlshelper"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/pucontext"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/secrets"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
	"go.uber.org/zap"
)

// Proxy maintains state for proxies connections from listen to backend.
type Proxy struct {
	collector      collector.EventCollector
	myControllerID string
	puID           string
	mark           int

	// TLS cert for the service
	certificate *tls.Certificate
	// caPool contains the system roots and in addition the services external CAs
	caPool *x509.CertPool

	// Verfier implements ID and IP ACL rules using the Peer Certificate Validation Handler
	verifier verifier.Verifier

	// List of local IP's
	localIPs map[string]struct{}

	agentVersion semver.Version

	sync.RWMutex
}

// NewTCPProxy creates a new instance of proxy reate a new instance of Proxy
func NewTCPProxy(
	c collector.EventCollector,
	puID string,
	certificate *tls.Certificate,
	caPool *x509.CertPool,
	agentVersion semver.Version,
	mark int,
) *Proxy {

	localIPs := markedconn.GetInterfaces()

	return &Proxy{
		collector:    c,
		puID:         puID,
		verifier:     verifier.New(caPool),
		localIPs:     localIPs,
		certificate:  certificate,
		caPool:       caPool,
		agentVersion: agentVersion,
		mark:         mark,
	}
}

// RunNetworkServer implements enforcer.Enforcer interface
func (p *Proxy) RunNetworkServer(
	ctx context.Context,
	listener net.Listener,
) error {

	go func() {
		for {
			select {
			case <-time.After(5 * time.Second):
				p.Lock()
				p.localIPs = markedconn.GetInterfaces()
				p.Unlock()
			case <-ctx.Done():
				return
			}
		}
	}()

	// Encryption is done transparently for TCP.
	go p.serve(ctx, listener)

	return nil
}

// UpdateSecrets updates the secrets of the connections.
func (p *Proxy) UpdateSecrets(
	cert *tls.Certificate,
	caPool *x509.CertPool,
	s secrets.Secrets,
	certPEM string,
	keyPEM string,
) {
	p.Lock()
	defer p.Unlock()

	p.certificate = cert
	p.caPool = caPool

	p.verifier.TrustCAs(caPool)
}

func (p *Proxy) serve(
	ctx context.Context,
	listener net.Listener,
) {
	for {
		select {
		case <-ctx.Done():
			return
		default:
			conn, err := listener.Accept()
			if err != nil {
				return
			}
			if protoListener, ok := listener.(*protomux.ProtoListener); ok {
				// Windows: we don't really need the platform-specific data map for plain tcp (we can get it from the conn).
				// So just remove from the map here.
				markedconn.RemovePlatformData(protoListener.Listener, conn)
			}
			go p.handle(ctx, conn)
		}
	}
}

// ShutDown shuts down the server.
func (p *Proxy) ShutDown() error {
	return nil
}

func (p *Proxy) getService(
	ip net.IP,
	port int,
	local bool,
) (*policy.ApplicationService, error) {

	// If the destination is a local IP, it means that we are processing a client connection.
	if local {
		_, serviceData, err := serviceregistry.Instance().RetrieveDependentServiceDataByIDAndNetwork(p.puID, ip, port, "")
		if err != nil {
			return nil, fmt.Errorf("unknown dependent service pu:%s %s/%d: %s", p.puID, ip.String(), port, err)
		}
		return serviceData.ServiceObject, nil
	}

	portContext, err := serviceregistry.Instance().RetrieveExposedServiceContext(ip, port, "")
	if err != nil {
		return nil, fmt.Errorf("unknown exposed service %s/%d: %s", ip.String(), port, err)
	}
	return portContext.Service, nil
}

// handle handles a connection. upstream connection is the connection
// to the next hop while downstream connection is the client who
// initiated this connection.
// Client PU:
//   - upstream connection is from client to proxy.
//   - downstream connection is from proxy to the nexthop (service, LB, PU)
// Server PU:
//   - upstream connection is from client or another enforcer
//   - downstream connection is from proxy to the server nexthop
func (p *Proxy) handle(ctx context.Context, upConn net.Conn) {

	defer upConn.Close() // nolint

	// TODO: handle proxy protocol

	proxiedUpConn := upConn.(*markedconn.ProxiedConnection)
	ip, port := proxiedUpConn.GetOriginalDestination()
	platformData := proxiedUpConn.GetPlatformData()

	service, err := p.getService(ip, port, p.isLocal(upConn))
	if err != nil {
		zap.L().Error("no service found", zap.Error(err))
		return
	}

	puContext, err := p.puContextFromContextID(p.puID)
	if err != nil {
		zap.L().Error("no pu found", zap.String("puid", p.puID), zap.Error(err))
		return
	}

	p.handleWithPUAndService(ctx, upConn, ip, port, platformData, puContext, service)
}

func (p *Proxy) getPolicyReporter(
	puContext *pucontext.PUContext,
	sip net.IP,
	sport int,
	dip net.IP,
	dport int,
	service *policy.ApplicationService,
) *lookup {

	pfp := &proxyFlowProperties{
		myControllerID: p.myControllerID,
		DestIP:         dip.String(),
		DestPort:       uint16(dport),
		SourceIP:       sip.String(),
		SourcePort:     0, // TODO: Investigate if this should be set
		ServiceID:      service.ID,
		DestType:       collector.EndPointTypePU,
		SourceType:     collector.EndPointTypePU,
	}

	return &lookup{
		SourceIP:   sip,
		DestIP:     dip,
		SourcePort: uint16(sport),
		DestPort:   uint16(dport),
		collector:  p.collector,
		puContext:  puContext,
		pfp:        pfp,
	}
}

func (p *Proxy) handleWithPUAndService(
	ctx context.Context,
	upConn net.Conn,
	origDestIP net.IP,
	origDestPort int,
	platformData *markedconn.PlatformData,
	puContext *pucontext.PUContext,
	service *policy.ApplicationService,
) {
	// If we received connection isn't on private port, downstream connection has to be changed to
	// service listening port.
	downPort := origDestPort
	if downPort == service.PublicPort() {
		downPort = service.PrivatePort()
	}

	// Initialize a policy and reporting object
	src := upConn.RemoteAddr().(*net.TCPAddr)
	pr := p.getPolicyReporter(puContext, src.IP, src.Port, origDestIP, origDestPort, service)

	downConn, err := p.initiateDownstreamTCPConnection(ctx, origDestIP, downPort, platformData)
	if err != nil {
		// Report rejection
		pr.ReportStats(collector.EndPointTypeExternalIP, "", "default", collector.UnableToDial, nil, nil, false)
		return
	}
	defer downConn.Close() // nolint

	if err := p.proxyData(ctx, upConn, downConn, service, pr); err != nil {
		zap.L().Debug("Error with proxying data", zap.Error(err))
	}
}

func (p *Proxy) startEncryptedClientDataPath(
	ctx context.Context,
	downConn net.Conn,
	upConn net.Conn,
	service *policy.ApplicationService,
	pr *lookup,
) error {

	// Set a flag so policy engine knows if its on server or client
	pr.client = true

	// ServerName: Use first configured FQDN or the destination IP
	serverName, err := common.GetTLSServerName(downConn.RemoteAddr().String(), service)
	if err != nil {
		return fmt.Errorf("unable to get the server name: %s", err)
	}

	// Encrypt Down Connection
	p.RLock()
	ca := p.caPool
	certs := []tls.Certificate{}
	if p.certificate != nil {
		certs = append(certs, *p.certificate)
	}
	p.RUnlock()

	t, err := getClientTLSConfig(ca, certs, serverName, service.External)
	if err != nil {
		return fmt.Errorf("unable to generate tls configuration: %s", err)
	}

	t.VerifyPeerCertificate = func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
		return p.verifier.VerifyPeerCertificate(rawCerts, verifiedChains, pr, false)
	}

	// Do TLS
	tlsConn := tls.Client(downConn, t)
	defer tlsConn.Close() // nolint errcheck
	downConn = tlsConn

	zap.L().Debug(
		"Handle client connection",
		zap.String("src", upConn.RemoteAddr().String()),
		zap.String("dst", downConn.RemoteAddr().String()),
		zap.String("tls.server", t.ServerName),
		zap.Bool("tls.rootCAs", t.RootCAs != nil),
		zap.Int("tls.certs", len(t.Certificates)),
	)

	// TLS will automatically start negotiation on write. Nothing to do for us.
	p.copyData(ctx, upConn, downConn)
	return nil
}

func (p *Proxy) startEncryptedServerDataPath(
	ctx context.Context,
	downConn net.Conn,
	upConn net.Conn,
	service *policy.ApplicationService,
	pr *lookup,
) error {

	zap.L().Debug(
		"Handle server connection",
		zap.String("src", upConn.RemoteAddr().String()),
		zap.String("dst", downConn.RemoteAddr().String()),
		zap.String("orig-dst", pr.DestIP.String()),
		zap.Uint16("orig-dstport", pr.DestPort),
	)

	if service.PrivateTLSListener {
		zap.L().Debug("convert connection to server as TLS")
		downConn = tls.Client(downConn, &tls.Config{
			InsecureSkipVerify: true,
		})
	}

	proxiedUpConn := upConn.(*markedconn.ProxiedConnection)
	_, originalPort := proxiedUpConn.GetOriginalDestination()

	// Use Aporeto certs
	p.RLock()
	caPool := p.caPool
	clientCerts := []tls.Certificate{}
	if p.certificate != nil {
		clientCerts = []tls.Certificate{*p.certificate}
	}
	p.RUnlock()

	tlsConfig, err := getServerTLSConfig(
		caPool,
		clientCerts,
		originalPort,
		service,
	)
	if err != nil {
		return fmt.Errorf("invalid tls server configuration: %s", err)
	}

	if tlsConfig != nil {
		// Register Peer Certificate Verification so we can apply policies.
		tlsConfig.VerifyPeerCertificate = func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
			return p.verifier.VerifyPeerCertificate(rawCerts, verifiedChains, pr, tlsConfig.ClientAuth == tls.RequireAndVerifyClientCert)
		}

		tlsConn := tls.Server(upConn.(*markedconn.ProxiedConnection).GetTCPConnection(), tlsConfig)
		defer tlsConn.Close() // nolint errcheck

		// Manually initiating the TLS handshake to get the connection state.
		// The call to write will skip TLS handshake.
		if err := tlsConn.Handshake(); err != nil {
			return err
		}

		if pingEnabled(tlsConn) {
			return p.processPingRequest(tlsConn, pr)
		}

		upConn = tlsConn
	} else {
		// In case of no TLS, apply IP policies right here.
		action := pr.IPLookup()
		zap.L().Debug("ip acl lookup", zap.Bool("action", action))
		if !action {
			return fmt.Errorf("ip acl drop")
		}
	}

	// TLS will automatically start negotiation on write. Nothing to for us.
	p.copyData(ctx, upConn, downConn)
	return nil
}

func (p *Proxy) copyData(
	ctx context.Context,
	source, dest net.Conn,
) {
	var wg sync.WaitGroup
	wg.Add(2)
	go func() {
		dataprocessor(ctx, source, dest)
		wg.Done()
	}()
	go func() {
		dataprocessor(ctx, dest, source)
		wg.Done()
	}()
	wg.Wait()
}

type readwithContext func(p []byte) (n int, err error)

func (r readwithContext) Read(p []byte) (int, error) { return r(p) }

func dataprocessor(
	ctx context.Context,
	source net.Conn,
	dest net.Conn,
) { // nolint
	defer func() {
		switch connType := dest.(type) {
		case *tls.Conn:
			connType.CloseWrite() // nolint errcheck
		case *net.TCPConn:
			connType.CloseWrite() // nolint errcheck
		case *markedconn.ProxiedConnection:
			connType.GetTCPConnection().CloseWrite() // nolint errcheck
		}
	}()

	if _, err := io.Copy(dest, readwithContext(
		func(p []byte) (int, error) {
			select {
			case <-ctx.Done():
				return 0, ctx.Err()
			default:
				return source.Read(p)
			}
		},
	),
	); err != nil { // nolint
		logErr(err)
	}
}

func (p *Proxy) proxyData(
	ctx context.Context,
	upConn net.Conn,
	downConn net.Conn,
	service *policy.ApplicationService,
	pr *lookup,
) error {

	// If the destination is not a local IP, it means that we are processing a client connection.
	if p.isLocal(upConn) {
		return p.startEncryptedClientDataPath(ctx, downConn, upConn, service, pr)
	}

	return p.startEncryptedServerDataPath(ctx, downConn, upConn, service, pr)
}

func (p *Proxy) puContextFromContextID(
	puID string,
) (*pucontext.PUContext, error) {

	sctx, err := serviceregistry.Instance().RetrieveServiceByID(puID)
	if err != nil {
		return nil, fmt.Errorf("Context not found %s", puID)
	}

	return sctx.PUContext, nil
}

// initiateDownstreamTCPConnection initiates a downstream TCP connection
func (p *Proxy) initiateDownstreamTCPConnection(
	ctx context.Context,
	ip net.IP,
	port int,
	platformData *markedconn.PlatformData,
) (net.Conn, error) {

	raddr := &net.TCPAddr{
		IP:   ip,
		Port: port,
	}
	return markedconn.DialMarkedWithContext(ctx, "tcp", raddr.String(), platformData, p.mark)
}

func (p *Proxy) isLocal(conn net.Conn) bool {

	host, _, err := net.SplitHostPort(conn.RemoteAddr().String())
	if err != nil {
		return false
	}

	p.RLock()
	defer p.RUnlock()

	if _, ok := p.localIPs[host]; ok {
		return true
	}
	return false
}

func logErr(err error) bool {
	switch err.(type) {
	case syscall.Errno:
		zap.L().Error("Connection error to destination", zap.Error(err))
	default:
		zap.L().Error("Connection terminated", zap.Error(err))
	}
	return false
}

// getPublicServerTLSConfig provides the TLS configuration for the public port.
// There is a valid case where we dont provide TLS configuration (nil) but error
// is also nil to support the case of publicly exposed port.
func getPublicServerTLSConfig(
	caPool *x509.CertPool,
	clientCerts []tls.Certificate,
	service *policy.ApplicationService,
) (t *tls.Config, err error) {

	// Apply Public configuration
	if (service.PublicServiceTLSType != policy.ServiceTLSTypeCustom) && (service.PublicServiceTLSType != policy.ServiceTLSTypeAporeto) {
		return nil, nil
	}

	t = tlshelper.NewBaseTLSServerConfig()

	// Server Cert and Key.
	if service.PublicServiceTLSType == policy.ServiceTLSTypeCustom {
		// Use custom certs
		if len(service.PublicServiceCertificate) > 0 && len(service.PublicServiceCertificateKey) > 0 {

			cert, err := tls.X509KeyPair(service.PublicServiceCertificate, service.PublicServiceCertificateKey)
			if err != nil {
				return nil, fmt.Errorf("invalid public cert pair")
			}
			t.Certificates = []tls.Certificate{cert}
		}
	} else if service.PublicServiceTLSType == policy.ServiceTLSTypeAporeto {
		// Use Aporeto certs
		t.Certificates = clientCerts
	}

	// mTLS with client
	if service.UserAuthorizationType == policy.UserAuthorizationMutualTLS {
		t.ClientAuth = tls.RequireAndVerifyClientCert
		t.ClientCAs = caPool
		if len(service.MutualTLSTrustedRoots) > 0 {
			if !t.ClientCAs.AppendCertsFromPEM(service.MutualTLSTrustedRoots) {
				return nil, fmt.Errorf("Unable to process client CAs")
			}
		}
	}

	return t, nil
}

// getExposedServerMTLSConfig provides the mTLS configuration for the server.
func getExposedServerMTLSConfig(
	caPool *x509.CertPool,
	certs []tls.Certificate,
) (t *tls.Config, err error) {

	if len(certs) == 0 {
		return nil, fmt.Errorf("Failed to start encryption")
	}

	t = tlshelper.NewBaseTLSServerConfig()
	t.Certificates = certs
	t.ClientCAs = caPool
	t.ClientAuth = tls.RequireAndVerifyClientCert
	return t, nil
}

// getServerTLSConfig provides the server TLS configuration. It handles the
// server on public and exposed ports.
// returns:
//    - error
//    - tls.Config which can be nil even when error is nil to indicate no TLS
func getServerTLSConfig(
	caPool *x509.CertPool,
	certs []tls.Certificate,
	originalPort int,
	service *policy.ApplicationService,
) (t *tls.Config, err error) {

	if originalPort != service.PublicPort() {
		// mTLS for Up Connection for exposed ports protected by Aporeto
		return getExposedServerMTLSConfig(caPool, certs)
	}
	// TLS configuration supported on public ports
	return getPublicServerTLSConfig(caPool, certs, service)
}

// getTLSConfig generates a tls.Config for a given client based on the service it may be accessing.
// - Services protected by Aporeto should do mTLS.
// - External (Third Party) Services do TLS only.
func getClientTLSConfig(
	caPool *x509.CertPool,
	clientCerts []tls.Certificate,
	serverName string,
	external bool,
) (t *tls.Config, err error) {

	t = tlshelper.NewBaseTLSClientConfig()
	t.RootCAs = caPool
	t.ServerName = serverName

	if !external {
		if len(clientCerts) == 0 {
			return nil, fmt.Errorf("no client certs provided for mTLS")
		}
		// Do mTLS enforcer protected services. TLS for external service.
		t.Certificates = clientCerts
	}
	return t, nil
}


================================================
FILE: controller/internal/enforcer/applicationproxy/tcp/tcp_test.go
================================================
package tcp

import (
	"crypto/tls"
	"crypto/x509"
	"log"
	"reflect"
	"testing"

	"go.aporeto.io/enforcerd/trireme-lib/common"
	acommon "go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/applicationproxy/common"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
)

func testTLSCertificate() tls.Certificate {
	certPem := []byte(`-----BEGIN CERTIFICATE-----
MIIBhTCCASugAwIBAgIQIRi6zePL6mKjOipn+dNuaTAKBggqhkjOPQQDAjASMRAw
DgYDVQQKEwdBY21lIENvMB4XDTE3MTAyMDE5NDMwNloXDTE4MTAyMDE5NDMwNlow
EjEQMA4GA1UEChMHQWNtZSBDbzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABD0d
7VNhbWvZLWPuj/RtHFjvtJBEwOkhbN/BnnE8rnZR8+sbwnc/KhCk3FhnpHZnQz7B
5aETbbIgmuvewdjvSBSjYzBhMA4GA1UdDwEB/wQEAwICpDATBgNVHSUEDDAKBggr
BgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MCkGA1UdEQQiMCCCDmxvY2FsaG9zdDo1
NDUzgg4xMjcuMC4wLjE6NTQ1MzAKBggqhkjOPQQDAgNIADBFAiEA2zpJEPQyz6/l
Wf86aX6PepsntZv2GYlA5UpabfT2EZICICpJ5h/iI+i341gBmLiAFQOyTDT+/wQc
6MF9+Yw1Yy0t
-----END CERTIFICATE-----`)
	keyPem := []byte(`-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIIrYSSNQFaA2Hwf1duRSxKtLYX5CB04fSeQ6tF1aY/PuoAoGCCqGSM49
AwEHoUQDQgAEPR3tU2Fta9ktY+6P9G0cWO+0kETA6SFs38GecTyudlHz6xvCdz8q
EKTcWGekdmdDPsHloRNtsiCa697B2O9IFA==
-----END EC PRIVATE KEY-----`)
	cert, err := tls.X509KeyPair(certPem, keyPem)
	if err != nil {
		log.Fatal(err)
	}
	return cert
}

func Test_getClientTLSConfig(t *testing.T) {
	type args struct {
		caPool      *x509.CertPool
		clientCerts []tls.Certificate
		serverName  string
		external    bool
	}
	basicCaPool, _ := x509.SystemCertPool()
	basicTLSCert := testTLSCertificate()
	basicTLSCertList := []tls.Certificate{basicTLSCert}
	tests := []struct {
		name    string
		args    args
		wantT   *tls.Config
		wantErr bool
	}{
		{
			name: "basic external service",
			args: args{
				external:    true,
				caPool:      nil,                 // no caPool => we dont need additional CAs to validate server certs. they might be using digicert/letsencrypt/any std cert.
				clientCerts: []tls.Certificate{}, // no certs. for external service dont use client certs
				serverName:  "www.google.com",
			},
			wantT: &tls.Config{
				PreferServerCipherSuites: true,
				SessionTicketsDisabled:   true,
				MaxVersion:               tls.VersionTLS12,
				ServerName:               "www.google.com",
			},
			wantErr: false,
		},
		{
			name: "basic external service ignored client certs",
			args: args{
				external:    true,
				caPool:      nil,              // no caPool => we dont need additional CAs to validate server certs. they might be using digicert/letsencrypt/any std cert.
				clientCerts: basicTLSCertList, // clientCerts should be ignored for external service.
				serverName:  "www.google.com",
			},
			wantT: &tls.Config{
				PreferServerCipherSuites: true,
				SessionTicketsDisabled:   true,
				MaxVersion:               tls.VersionTLS12,
				ServerName:               "www.google.com",
			},
			wantErr: false,
		},
		{
			name: "basic external service with trusted ca pool and ignored cert list",
			args: args{
				caPool:      basicCaPool,      // caPool should be used to validate server certs
				clientCerts: basicTLSCertList, // should be ignored as we dont provide client certs for external service
				serverName:  "www.google.com",
				external:    true,
			},
			wantT: &tls.Config{
				PreferServerCipherSuites: true,
				SessionTicketsDisabled:   true,
				MaxVersion:               tls.VersionTLS12,
				RootCAs:                  basicCaPool,
				ServerName:               "www.google.com",
			},
			wantErr: false,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			gotT, err := getClientTLSConfig(tt.args.caPool, tt.args.clientCerts, tt.args.serverName, tt.args.external)
			if (err != nil) != tt.wantErr {
				t.Errorf("getClientTLSConfig() error = %v, wantErr %v", err, tt.wantErr)
				return
			}
			if !reflect.DeepEqual(gotT, tt.wantT) {
				t.Errorf("getClientTLSConfig() = %+v, want %+v", gotT, tt.wantT)
			}
		})
	}
}

func Test_getTLSServerName(t *testing.T) {
	type args struct {
		addrAndPort string
		service     *policy.ApplicationService
	}
	tests := []struct {
		name     string
		args     args
		wantName string
		wantErr  bool
	}{
		{
			name:     "nil service and bad addr (error)",
			args:     args{},
			wantName: "",
			wantErr:  true,
		},
		{
			name: "service with nil network info and bad addr (error)",
			args: args{
				service: &policy.ApplicationService{},
			},
			wantName: "",
			wantErr:  true,
		},
		{
			name: "no fqdn and bad addr (error)",
			args: args{
				service: &policy.ApplicationService{
					NetworkInfo: &common.Service{
						FQDNs: []string{},
					},
				},
			},
			wantName: "",
			wantErr:  true,
		},
		{
			name: "no fqdn and valid addr (success)",
			args: args{
				addrAndPort: "dns:80",
				service: &policy.ApplicationService{
					NetworkInfo: &common.Service{
						FQDNs: []string{},
					},
				},
			},
			wantName: "dns",
			wantErr:  false,
		},
		{
			name: "fqdn and valid addr use fqdn[0]",
			args: args{
				addrAndPort: "dns:80",
				service: &policy.ApplicationService{
					NetworkInfo: &common.Service{
						FQDNs: []string{"www.google.com", "alt.google.com"},
					},
				},
			},
			wantName: "www.google.com",
			wantErr:  false,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			gotName, err := acommon.GetTLSServerName(tt.args.addrAndPort, tt.args.service)
			if (err != nil) != tt.wantErr {
				t.Errorf("getTLSServerName() error = %v, wantErr %v", err, tt.wantErr)
				return
			}
			if gotName != tt.wantName {
				t.Errorf("getTLSServerName() = %v, want %v", gotName, tt.wantName)
			}
		})
	}
}


================================================
FILE: controller/internal/enforcer/applicationproxy/tcp/verifier/testdata/generate-certs.sh
================================================
#!/bin/bash

# This files generates new certs if the generated certs expire. We cant use openssl as this has aporeto extensions

echo "Generate CA"
tg cert --name myca --org acme --common-name root --is-ca --pass secret --force

echo "Generate Client-IP Cert With Aporeto extensions but missing key tags"
tg cert --name myclient-bad --org acme --common-name client-bad \
        --auth-client --signing-cert myca-cert.pem \
        --signing-cert-key myca-key.pem \
        --signing-cert-key-pass secret \
        --tags "\$controller=10.10.10.10" \
        --ip 10.10.10.10 --force

echo "Generate Client-IP Cert"
tg cert --name myclient-ip --org acme --common-name client-ip \
        --auth-client --signing-cert myca-cert.pem \
        --signing-cert-key myca-key.pem \
        --signing-cert-key-pass secret \
        --tags "\$identity=processingunit" --tags "\$id=some" --tags "\$controller=10.10.10.10" \
        --ip 10.10.10.10 --force

echo "Generate Client-DNS Cert"
tg cert --name myclient-dns --org acme --common-name client-dns \
        --auth-client --signing-cert myca-cert.pem \
        --signing-cert-key myca-key.pem \
        --signing-cert-key-pass secret \
        --tags "\$identity=processingunit" --tags "\$id=some" --tags "\$controller=www.client.com" \
        --dns www.client.com --force

echo "Generate Server Cert"
tg cert --name myserver --org acme --common-name server \
        --auth-server --signing-cert myca-cert.pem \
        --signing-cert-key myca-key.pem \
        --signing-cert-key-pass secret \
        --tags "\$identity=processingunit" --tags "\$id=some" --tags "\$controller=www.server.com" \
        --dns www.server.com --force

rm -f *-key.pem


================================================
FILE: controller/internal/enforcer/applicationproxy/tcp/verifier/testdata/myca-cert.pem
================================================
-----BEGIN CERTIFICATE-----
MIIBcDCCARWgAwIBAgIQWzOkU1NT1yBh8UFbjCAo5zAKBggqhkjOPQQDAjAeMQ0w
CwYDVQQKEwRhY21lMQ0wCwYDVQQDEwRyb290MB4XDTIwMDUzMTE2MjYxNFoXDTMw
MDQwOTE2MjYxNFowHjENMAsGA1UEChMEYWNtZTENMAsGA1UEAxMEcm9vdDBZMBMG
ByqGSM49AgEGCCqGSM49AwEHA0IABGnz6woeFke5RO87STAXabmBbI1AaVAU41vk
zVts0dsr5rPi+ao61GLTU9Hb10d1z9g+YQFKRi2P+hV5gyArl1KjNTAzMA4GA1Ud
DwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MBAGCisGAQQBg4xuAQEEAltdMAoG
CCqGSM49BAMCA0kAMEYCIQCPgFyYMc1uv0lsimdTkM+WEc4ffansxrAcGKjlouJ+
0AIhAMyJE1UFshHOsEgowZblHHrNgk+RzBGgwogC4Z7NqK5u
-----END CERTIFICATE-----


================================================
FILE: controller/internal/enforcer/applicationproxy/tcp/verifier/testdata/myclient-bad-cert.pem
================================================
-----BEGIN CERTIFICATE-----
MIIBsjCCAVigAwIBAgIRAKXo6pjvtuJSeCQrXdRtLYUwCgYIKoZIzj0EAwIwHjEN
MAsGA1UEChMEYWNtZTENMAsGA1UEAxMEcm9vdDAeFw0yMDA1MzExNjI2MTRaFw0z
MDA0MDkxNjI2MTRaMCQxDTALBgNVBAoTBGFjbWUxEzARBgNVBAMTCmNsaWVudC1i
YWQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAREEB67QHsxYDrR56gf75ziphGw
2Food8R6K9PFbE7myRZUE4iDZOiMTjMZ5NnclRdnwG1S38XdwQPSh2RCvGnOo3Ew
bzAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwIwDAYDVR0TAQH/
BAIwADAPBgNVHREECDAGhwQKCgoKMCkGCisGAQQBg4xuAQEEG1siJGNvbnRyb2xs
ZXI9MTAuMTAuMTAuMTAiXTAKBggqhkjOPQQDAgNIADBFAiEA1BRp64Y06JfrzaWn
gqo+GlOhdRL9hQbLF3lrUrRlEeICIEarze+yQBrEkoON6e5Iw+W1XDuCCMr//D1M
sL7/6mXB
-----END CERTIFICATE-----


================================================
FILE: controller/internal/enforcer/applicationproxy/tcp/verifier/testdata/myclient-dns-cert.pem
================================================
-----BEGIN CERTIFICATE-----
MIIB5zCCAY2gAwIBAgIRANny7E6cG8+6zqSZfqwnz/QwCgYIKoZIzj0EAwIwHjEN
MAsGA1UEChMEYWNtZTENMAsGA1UEAxMEcm9vdDAeFw0yMDA1MzExNjI2MTVaFw0z
MDA0MDkxNjI2MTVaMCQxDTALBgNVBAoTBGFjbWUxEzARBgNVBAMTCmNsaWVudC1k
bnMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQHxnm6sG42k2I+KObch3FUMkJW
XrH+3t+4xo0x25y/Yv+KFB2PSujhEi9rOPTvZ8qr6HafeWP8S4sZX0imhDn6o4Gl
MIGiMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggrBgEFBQcDAjAMBgNVHRMB
Af8EAjAAMBkGA1UdEQQSMBCCDnd3dy5jbGllbnQuY29tMFIGCisGAQQBg4xuAQEE
RFsiJGlkZW50aXR5PXByb2Nlc3Npbmd1bml0IiwiJGlkPXNvbWUiLCIkY29udHJv
bGxlcj13d3cuY2xpZW50LmNvbSJdMAoGCCqGSM49BAMCA0gAMEUCIDxMgcWlLYop
7r3CM3xztxtp3ztNLu9P0A2K7MQVIudrAiEA9tx5Qy1UysHqtnryRyYmH8aYZdg2
vg5/nZLC+fVwVII=
-----END CERTIFICATE-----


================================================
FILE: controller/internal/enforcer/applicationproxy/tcp/verifier/testdata/myclient-ip-cert.pem
================================================
-----BEGIN CERTIFICATE-----
MIIB2TCCAX+gAwIBAgIRANWzODJFxt9yZ5VPKV6ZDu8wCgYIKoZIzj0EAwIwHjEN
MAsGA1UEChMEYWNtZTENMAsGA1UEAxMEcm9vdDAeFw0yMDA1MzExNjI2MTVaFw0z
MDA0MDkxNjI2MTVaMCMxDTALBgNVBAoTBGFjbWUxEjAQBgNVBAMTCWNsaWVudC1p
cDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABOD/wAKaXveeeLAcL9pyUVsKWVdZ
tUheLlTrK7trS1+b6aj+JRd4+jH0pFW81GsVBP4+BmZpbz58Mcdvcl0lkaKjgZgw
gZUwDgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMCMAwGA1UdEwEB
/wQCMAAwDwYDVR0RBAgwBocECgoKCjBPBgorBgEEAYOMbgEBBEFbIiRpZGVudGl0
eT1wcm9jZXNzaW5ndW5pdCIsIiRpZD1zb21lIiwiJGNvbnRyb2xsZXI9MTAuMTAu
MTAuMTAiXTAKBggqhkjOPQQDAgNIADBFAiEArSuUzPLzYsQlEyJEsz1Ezr5APKLy
FHqunYKPZ2OrXcgCIAJx2tsToRHRd0CX8z9Rg2ccfFDrvRiyTI9e7Ex2Vi3R
-----END CERTIFICATE-----


================================================
FILE: controller/internal/enforcer/applicationproxy/tcp/verifier/testdata/myserver-cert.pem
================================================
-----BEGIN CERTIFICATE-----
MIIB4zCCAYmgAwIBAgIRAL/SlY1qRcZo+xiwdErtkvAwCgYIKoZIzj0EAwIwHjEN
MAsGA1UEChMEYWNtZTENMAsGA1UEAxMEcm9vdDAeFw0yMDA1MzExNjI2MTVaFw0z
MDA0MDkxNjI2MTVaMCAxDTALBgNVBAoTBGFjbWUxDzANBgNVBAMTBnNlcnZlcjBZ
MBMGByqGSM49AgEGCCqGSM49AwEHA0IABNwHz7QdTpN0UF8aNEGloW34h2lBD0Vt
4bF9zubzFU8iTTOrZSuSsdk/85sJ4QWMU9VKiUhZLuHN+tRXQCurB+ujgaUwgaIw
DgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQC
MAAwGQYDVR0RBBIwEIIOd3d3LnNlcnZlci5jb20wUgYKKwYBBAGDjG4BAQREWyIk
aWRlbnRpdHk9cHJvY2Vzc2luZ3VuaXQiLCIkaWQ9c29tZSIsIiRjb250cm9sbGVy
PXd3dy5zZXJ2ZXIuY29tIl0wCgYIKoZIzj0EAwIDSAAwRQIgW5ukpr1XFZyXcMWx
sNnvKiYE8Wgbm89PJf4Ra26104oCIQCSfI1nu7d7Y95CBmq8Gq8Tz27ysGEitRZY
68ANaB+R2w==
-----END CERTIFICATE-----


================================================
FILE: controller/internal/enforcer/applicationproxy/tcp/verifier/verifier.go
================================================
package verifier

import (
	"crypto/x509"
	"encoding/asn1"
	"encoding/json"
	"fmt"
	"sync"

	"go.aporeto.io/enforcerd/trireme-lib/collector"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
)

// aporetoASNTagsExtension holds the value of the Aporeto Tags Extension
var aporetoASNTagsExtension asn1.ObjectIdentifier

// aporetoPingExtension holds the value of the Aporeto Ping Extension
var aporetoPingExtension asn1.ObjectIdentifier

// PolicyReporter is the interface to allow looking up policies and report stats
type PolicyReporter interface {
	IDLookup(remoteContoller, remotePUID string, tags *policy.TagStore) bool
	IPLookup() bool
	Policy(tags *policy.TagStore) (*policy.FlowPolicy, *policy.FlowPolicy)
	ReportStats(remoteType collector.EndPointType, remoteController string, remotePUID string, mode string, report *policy.FlowPolicy, packet *policy.FlowPolicy, accept bool)
}

// Verifier interface defines the methods a verifier must implement
type Verifier interface {

	// TrustCA replaces the trusted CA list.
	TrustCAs(caPool *x509.CertPool)

	// VerifyPeerCertificate verifies if this TLS connection should be admitted.
	VerifyPeerCertificate(rawCerts [][]byte, verifiedChains [][]*x509.Certificate, policy PolicyReporter, mustHaveClientIDCert bool) error
}

// verifier implements the Verifier interface
type verifier struct {
	sync.RWMutex
	// trustedCAs stores the list of certs to be trusted
	trustedCAPool *x509.CertPool
}

func init() {
	aporetoASNTagsExtension = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 50798, 1, 1}
	aporetoPingExtension = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 50798, 1, 4}
}

// New returns a new instance of Verifier
func New(caPool *x509.CertPool) Verifier {
	return &verifier{
		trustedCAPool: caPool,
	}
}

// certHasDNSOrIPSAN checks if a given name exists in a SAN for the certificate.
func certHasDNSOrIPSAN(san string, cert *x509.Certificate) bool {

	// san found in SAN in certs
	for _, name := range cert.DNSNames {
		if san == name {
			return true
		}
	}

	for _, ip := range cert.IPAddresses {
		if san == ip.String() {
			return true
		}
	}

	return false
}

// TrustCA replaces the trusted CA list.
func (v *verifier) TrustCAs(caPool *x509.CertPool) {

	// Update verifier
	v.Lock()
	v.trustedCAPool = caPool
	v.Unlock()
}

// VerifyPeerCertificate validates that policies allow mTLS between two enforcers based on
// aporeto-tags. If no aporeto tags are found, it applies IP based ACLs.
//
func (v *verifier) VerifyPeerCertificate(rawCerts [][]byte, verifiedChains [][]*x509.Certificate, pr PolicyReporter, mustHaveClientIDCert bool) error {

	v.RLock()
	opts := x509.VerifyOptions{
		Roots: v.trustedCAPool,
		KeyUsages: []x509.ExtKeyUsage{
			x509.ExtKeyUsageServerAuth,
			x509.ExtKeyUsageClientAuth,
		},
	}
	v.RUnlock()

	// Is this an Aporeto Cert we are trusting
	if opts.Roots != nil {
		for _, certChain := range verifiedChains {
			tags := []string{}
			ping := false
			for _, cert := range certChain {
				for _, e := range cert.Extensions {
					if e.Id.Equal(aporetoPingExtension) {
						ping = true
						continue
					}

					// If there is an Aporeto extension, get the value
					if e.Id.Equal(aporetoASNTagsExtension) {
						if err := json.Unmarshal(e.Value, &tags); err == nil {
							if ping {
								break
							}
						}
					}
				}

				// No Aporeto tags
				if len(tags) == 0 {
					continue
				}

				rtags := policy.NewTagStoreFromSlice(tags)

				// check if we have remote controller
				rcontroller, ok := rtags.Get(policy.TagKeyController)
				if !ok {
					continue
				}

				// check if $identity == processingunit
				if pu, ok := rtags.Get(policy.TagKeyIdentity); !ok && pu != policy.TagValueProcessingUnit {
					continue
				}

				// check if we have remote puid
				rpuid, ok := rtags.Get(policy.TagKeyID)
				if !ok {
					continue
				}

				if _, err := cert.Verify(opts); err != nil {
					continue
				}

				// TODO: Check controller against verified CA
				// fmt.Println(strings.Join(tags, " "))
				// if !certHasDNSOrIPSAN(controller, cert) {
				// 	fmt.Println("No IP or DNS SAN", strings.Join(cert.DNSNames, " "))
				// 	continue
				// }

				// If ping is enabled in the certificate, we defer the policy lookup and the server
				// application will never receive any packets related to ping irrespective of policy.
				if ping {
					return nil
				}

				if !pr.IDLookup(rcontroller, rpuid, rtags) {
					return fmt.Errorf("ID policy lookup rejection")
				}

				return nil
			}
		}
	}

	if mustHaveClientIDCert {
		return fmt.Errorf("ID lookup not performed")
	}

	if !pr.IPLookup() {
		return fmt.Errorf("IP policy lookup rejection")
	}

	return nil
}


================================================
FILE: controller/internal/enforcer/applicationproxy/tcp/verifier/verifier_test.go
================================================
package verifier

import (
	"crypto/x509"
	"encoding/pem"
	"io/ioutil"
	"testing"

	"go.aporeto.io/enforcerd/trireme-lib/collector"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
)

func Test_verifier_TrustCAs(t *testing.T) {
	type fields struct {
		trustedCAPool *x509.CertPool
	}
	type args struct {
		caPool *x509.CertPool
	}
	sysPool, err := x509.SystemCertPool()
	if err != nil {
		t.Errorf("unable to get system certs")
	}
	tests := []struct {
		name   string
		fields fields
		args   args
	}{
		{
			"basic nil",
			fields{
				trustedCAPool: nil,
			},
			args{
				caPool: nil,
			},
		},
		{
			"basic valid",
			fields{
				trustedCAPool: sysPool,
			},
			args{
				caPool: sysPool,
			},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			v := &verifier{
				trustedCAPool: tt.fields.trustedCAPool,
			}
			v.TrustCAs(tt.args.caPool)
			if v.trustedCAPool != tt.args.caPool {
				t.Errorf("ca pool not appropriately setup")
			}
		})
	}
}

// Dummy PolicyLookup implementer to test
type policyReporter struct {
	ip    int
	ipret bool
	id    int
	idret bool
}

func (p *policyReporter) IDLookup(remoteController, remotePUID string, tags *policy.TagStore) bool {
	p.id++
	return p.idret
}
func (p *policyReporter) IPLookup() bool {
	p.ip++
	return p.ipret
}

func (p *policyReporter) ReportStats(remoteType collector.EndPointType, remoteController string, remotePUID string, mode string, report *policy.FlowPolicy, packet *policy.FlowPolicy, accept bool) {

}

func (p *policyReporter) Policy(tags *policy.TagStore) (*policy.FlowPolicy, *policy.FlowPolicy) {
	return nil, nil
}

func Test_verifier_VerifyPeerCertificate(t *testing.T) {
	type fields struct {
		trustedCAs *x509.CertPool
	}
	type args struct {
		rawCerts             [][]byte
		verifiedChains       [][]*x509.Certificate
		policyReporter       *policyReporter
		mustHaveClientIDCert bool
	}
	type want struct {
		err     bool
		ipCount int
		idCount int
	}

	// Aporeto CA Root
	certs, err := ioutil.ReadFile("./testdata/myca-cert.pem")
	if err != nil {
		panic("unable to load CA")
	}
	block, _ := pem.Decode(certs)
	if block == nil {
		panic("failed to parse certificate PEM")
	}
	aporetoCertRoot, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		panic("failed to parse certificate: " + err.Error())
	}
	aporetoCAPool := x509.NewCertPool()
	if ok := aporetoCAPool.AppendCertsFromPEM(certs); !ok {
		panic("unable to append CA to root")
	}

	// Aporeto Client Bad Cert Leaf with Tags
	certs, err = ioutil.ReadFile("./testdata/myclient-bad-cert.pem")
	if err != nil {
		panic("unable to load client bad cert")
	}
	block, _ = pem.Decode(certs)
	if block == nil {
		panic("failed to parse client bad certificate PEM")
	}
	aporetoClientBadCertWithExtension, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		panic("failed to parse client bad certificate: " + err.Error())
	}

	// Aporeto Client IP Cert Leaf with Tags
	certs, err = ioutil.ReadFile("./testdata/myclient-ip-cert.pem")
	if err != nil {
		panic("unable to load client ip cert")
	}
	block, _ = pem.Decode(certs)
	if block == nil {
		panic("failed to parse client ip certificate PEM")
	}
	aporetoClientIPCertWithExtension, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		panic("failed to parse client ip certificate: " + err.Error())
	}

	// Aporeto Client DNS Cert Leaf with Tags
	certs, err = ioutil.ReadFile("./testdata/myclient-dns-cert.pem")
	if err != nil {
		panic("unable to load client dns cert")
	}
	block, _ = pem.Decode(certs)
	if block == nil {
		panic("failed to parse client dns certificate PEM")
	}
	aporetoClientDNSCertWithExtension, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		panic("failed to parse client dns certificate: " + err.Error())
	}

	// Aporeto Server Cert Leaf with Tags
	certs, err = ioutil.ReadFile("./testdata/myserver-cert.pem")
	if err != nil {
		panic("unable to load server cert")
	}
	block, _ = pem.Decode(certs)
	if block == nil {
		panic("failed to parse server certificate PEM")
	}
	aporetoServerCertWithExtension, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		panic("failed to parse server certificate: " + err.Error())
	}
	tests := []struct {
		name   string
		fields fields
		args   args
		want   want
	}{
		{
			name:   "ip lookup - success (no aporeto tags)",
			fields: fields{},
			args: args{
				policyReporter: &policyReporter{
					ipret: true,
					idret: true,
				},
			},
			want: want{
				err:     false,
				ipCount: 1,
				idCount: 0,
			},
		},
		{
			name:   "ip lookup - failure (no aporeto tags)",
			fields: fields{},
			args: args{
				policyReporter: &policyReporter{
					ipret: false,
					idret: false,
				},
			},
			want: want{
				err:     true,
				ipCount: 1,
				idCount: 0,
			},
		},
		{
			name: "ip lookup - success (no trusted CAs)",
			fields: fields{
				trustedCAs: x509.NewCertPool(),
			},
			args: args{
				verifiedChains: [][]*x509.Certificate{
					{
						aporetoClientIPCertWithExtension,
						aporetoCertRoot,
					},
				},
				policyReporter: &policyReporter{
					ipret: true,
					idret: true,
				},
			},
			want: want{
				err:     false,
				ipCount: 1,
				idCount: 0,
			},
		},
		{
			name:   "ip lookup - success (missing chain in trusted CAs)",
			fields: fields{},
			args: args{
				verifiedChains: [][]*x509.Certificate{
					{
						aporetoClientIPCertWithExtension,
					},
				},
				policyReporter: &policyReporter{
					ipret: true,
					idret: true,
				},
			},
			want: want{
				err:     false,
				ipCount: 1,
				idCount: 0,
			},
		},
		{
			name: "ip lookup - success (missing aporeto tags in verified chain)",
			fields: fields{
				trustedCAs: aporetoCAPool,
			},
			args: args{
				verifiedChains: [][]*x509.Certificate{
					{
						aporetoCertRoot,
					},
				},
				policyReporter: &policyReporter{
					ipret: true,
					idret: true,
				},
			},
			want: want{
				err:     false,
				ipCount: 1,
				idCount: 0,
			},
		},
		{
			name: "id lookup (client Bad) - failure",
			fields: fields{
				trustedCAs: aporetoCAPool,
			},
			args: args{
				verifiedChains: [][]*x509.Certificate{
					{
						aporetoClientBadCertWithExtension,
						aporetoCertRoot,
					},
				},
				policyReporter: &policyReporter{
					ipret: true,
					idret: true,
				},
				mustHaveClientIDCert: true,
			},
			want: want{
				err:     true,
				ipCount: 0,
				idCount: 0,
			},
		},
		{
			name: "id lookup (client IP) - success",
			fields: fields{
				trustedCAs: aporetoCAPool,
			},
			args: args{
				verifiedChains: [][]*x509.Certificate{
					{
						aporetoClientIPCertWithExtension,
						aporetoCertRoot,
					},
				},
				policyReporter: &policyReporter{
					ipret: true,
					idret: true,
				},
			},
			want: want{
				err:     false,
				ipCount: 0,
				idCount: 1,
			},
		},
		{
			name: "id lookup (client DNS) - success",
			fields: fields{
				trustedCAs: aporetoCAPool,
			},
			args: args{
				verifiedChains: [][]*x509.Certificate{
					{
						aporetoClientDNSCertWithExtension,
						aporetoCertRoot,
					},
				},
				policyReporter: &policyReporter{
					ipret: true,
					idret: true,
				},
			},
			want: want{
				err:     false,
				ipCount: 0,
				idCount: 1,
			},
		},
		{
			name: "id lookup (server) - success",
			fields: fields{
				trustedCAs: aporetoCAPool,
			},
			args: args{
				verifiedChains: [][]*x509.Certificate{
					{
						aporetoServerCertWithExtension,
						aporetoCertRoot,
					},
				},
				policyReporter: &policyReporter{
					ipret: true,
					idret: true,
				},
			},
			want: want{
				err:     false,
				ipCount: 0,
				idCount: 1,
			},
		},
		{
			name: "id lookup (server) - must have client id - failure",
			fields: fields{
				trustedCAs: aporetoCAPool,
			},
			args: args{
				policyReporter: &policyReporter{
					ipret: true,
					idret: true,
				},
				mustHaveClientIDCert: true,
			},
			want: want{
				err:     true,
				ipCount: 0,
				idCount: 0,
			},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			v := New(tt.fields.trustedCAs)
			err := v.VerifyPeerCertificate(tt.args.rawCerts, tt.args.verifiedChains, tt.args.policyReporter, tt.args.mustHaveClientIDCert)
			if (err != nil) != tt.want.err {
				t.Errorf("verifier.VerifyPeerCertificate() error = %v, want.err %v", err, tt.want.err)
				return
			}
			if tt.args.policyReporter.id != tt.want.idCount {
				t.Errorf("verifier.VerifyPeerCertificate() id have = %v, want %v", tt.args.policyReporter.id, tt.want.idCount)
				return
			}
			if tt.args.policyReporter.ip != tt.want.ipCount {
				t.Errorf("verifier.VerifyPeerCertificate() ip have = %v, want %v", tt.args.policyReporter.ip, tt.want.ipCount)
				return
			}
		})
	}
}


================================================
FILE: controller/internal/enforcer/applicationproxy/tlshelper/tlshelper.go
================================================
package tlshelper

import "crypto/tls"

// The intent of this file is to provide secure base TLS configurations across all our proxies.

// TODO: This configuration can become limiting but thats what we support.
//   Feature: Users might want to add additional configs or alternatively
//            if the service is exposed, auto-discover them from the certificate
//            provided.

// NewBaseTLSClientConfig provides the generic base config to be used on a client.
func NewBaseTLSClientConfig() *tls.Config {

	return &tls.Config{
		PreferServerCipherSuites: true,
		SessionTicketsDisabled:   true,
		// for now lets make it TLS1.2 as supported max Version.
		// TODO: Need to test before enabling TLS 1.3, currently TLS 1.3 doesn't work with envoy.
		MaxVersion: tls.VersionTLS12,
	}
}

// NewBaseTLSServerConfig provides the generic base config to be used on a server.
func NewBaseTLSServerConfig() *tls.Config {
	return &tls.Config{
		PreferServerCipherSuites: true,
		SessionTicketsDisabled:   true,
		ClientAuth:               tls.VerifyClientCertIfGiven,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		},
	}
}


================================================
FILE: controller/internal/enforcer/constants/constants.go
================================================
package enforcerconstants

const (
	// TCPAuthenticationOptionBaseLen specifies the length of base TCP Authentication Option packet
	TCPAuthenticationOptionBaseLen = 4
	// TCPAuthenticationOptionAckLen specifies the length of TCP Authentication Option in the ack packet
	TCPAuthenticationOptionAckLen = 20
	// TransmitterLabel is the name of the label used to identify the Transmitter Context
	TransmitterLabel = "AporetoContextID"
	// DefaultNetwork to be used
	DefaultNetwork = "0.0.0.0/0"
	// DefaultExternalIPTimeout is the default used for the cache for External IPTimeout.
	DefaultExternalIPTimeout = "500ms"
)


================================================
FILE: controller/internal/enforcer/dnsproxy/common.go
================================================
package dnsproxy

import (
	"net"
	"strconv"

	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/applicationproxy/serviceregistry"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/ipsetmanager"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/pucontext"
	"go.uber.org/zap"
)

func configureDependentServices(puCtx *pucontext.PUContext, fqdn string, ips []string) {

	dependentServicesModified := false

	for _, dependentService := range puCtx.DependentServices(fqdn) {
		min, max := dependentService.NetworkInfo.Ports.Range()

		for _, ipString := range ips {
			if ip := net.ParseIP(ipString); ip.To4() != nil {
				if _, exists := dependentService.NetworkInfo.Addresses[ipString+"/32"]; exists {
					continue
				}
				_, ipNet, _ := net.ParseCIDR(ipString + "/32")
				for i := int(min); i <= int(max); i++ {
					if err := ipsetmanager.V4().AddIPPortToDependentService(puCtx.ID(), ipNet, strconv.Itoa(i)); err != nil {
						zap.L().Debug("dnsproxy: error adding dependent service ip port to ipset", zap.Error(err))
					}
				}
				dependentServicesModified = true
				dependentService.NetworkInfo.Addresses[ipNet.String()] = struct{}{}
			} else {
				if _, exists := dependentService.NetworkInfo.Addresses[ipString+"/128"]; exists {
					continue
				}
				_, ipNet, _ := net.ParseCIDR(ipString + "/128")
				for i := int(min); i <= int(max); i++ {
					if err := ipsetmanager.V6().AddIPPortToDependentService(puCtx.ID(), ipNet, strconv.Itoa(i)); err != nil {
						zap.L().Debug("dnsproxy: error adding dependent service ip port to ipset", zap.Error(err))
					}
				}
				dependentServicesModified = true
				dependentService.NetworkInfo.Addresses[ipNet.String()] = struct{}{}
			}
		}
	}

	if dependentServicesModified {
		if err := serviceregistry.Instance().UpdateDependentServicesByID(puCtx.ID()); err != nil {
			zap.L().Error("dnsproxy: error updating dependent services", zap.Error(err))
		}
	}
}


================================================
FILE: controller/internal/enforcer/dnsproxy/dns.go
================================================
// +build linux

package dnsproxy

import (
	"context"
	"net"
	"strconv"
	"sync"
	"syscall"
	"time"

	"github.com/miekg/dns"
	"go.aporeto.io/trireme-lib/collector"
	"go.aporeto.io/trireme-lib/controller/pkg/flowtracking"
	"go.aporeto.io/trireme-lib/controller/pkg/ipsetmanager"
	"go.aporeto.io/trireme-lib/controller/pkg/pucontext"
	"go.aporeto.io/trireme-lib/policy"
	"go.aporeto.io/trireme-lib/utils/cache"
	"go.uber.org/zap"
)

// Proxy struct represents the object for dns proxy
type Proxy struct {
	puFromID          cache.DataStore
	conntrack         flowtracking.FlowClient
	collector         collector.EventCollector
	contextIDToServer map[string]*dns.Server
	chreports         chan dnsReport
	updateIPsets      ipsetmanager.ACLManager
	sync.RWMutex
}

type serveDNS struct {
	contextID string
	*Proxy
}

const (
	dnsRequestTimeout = 2 * time.Second
	proxyMarkInt      = 0x40 //Duplicated from supervisor/iptablesctrl refer to it
)

func socketOptions(_, _ string, c syscall.RawConn) error {
	var opErr error
	err := c.Control(func(fd uintptr) {
		if err := syscall.SetsockoptInt(int(fd), syscall.SOL_SOCKET, syscall.SO_MARK, proxyMarkInt); err != nil {
			zap.L().Error("Failed to mark connection", zap.Error(err))
		}
	})

	if err != nil {
		return err
	}

	return opErr
}

func listenUDP(network, addr string) (net.PacketConn, error) {
	var lc net.ListenConfig

	lc.Control = socketOptions

	return lc.ListenPacket(context.Background(), network, addr)
}

func forwardDNSReq(r *dns.Msg, ip net.IP, port uint16) (*dns.Msg, []string, error) {
	var ips []string
	c := new(dns.Client)
	c.Dialer = &net.Dialer{
		Control: func(_, _ string, c syscall.RawConn) error {
			return c.Control(func(fd uintptr) {
				if err := syscall.SetsockoptInt(int(fd), syscall.SOL_SOCKET, syscall.SO_MARK, proxyMarkInt); err != nil {
					zap.L().Error("Failed to assing mark to socket", zap.Error(err))
				}
			})
		},
		Timeout: dnsRequestTimeout,
	}

	in, _, err := c.Exchange(r, net.JoinHostPort(ip.String(), strconv.Itoa(int(port))))
	if err != nil {
		return nil, nil, err
	}

	for _, ans := range in.Answer {
		if ans.Header().Rrtype == dns.TypeA {
			t, _ := ans.(*dns.A)
			ips = append(ips, t.A.String())
		}

		if ans.Header().Rrtype == dns.TypeAAAA {
			t, _ := ans.(*dns.AAAA)
			ips = append(ips, t.AAAA.String())
		}
	}

	return in, ips, nil
}

func (s *serveDNS) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
	var err error
	lAddr := w.LocalAddr().(*net.UDPAddr)
	rAddr := w.RemoteAddr().(*net.UDPAddr)
	var puCtx *pucontext.PUContext

	defer func() {
		if puCtx != nil {
			s.reportDNSLookup(r.Question[0].Name, puCtx, rAddr.IP, "")
		}
	}()

	origIP, origPort, _, err := s.conntrack.GetOriginalDest(net.ParseIP("127.0.0.1"), rAddr.IP, uint16(lAddr.Port), uint16(rAddr.Port), 17)
	if err != nil {
		zap.L().Error("Failed to find flow for the redirected dns traffic", zap.Error(err))
		return
	}

	data, err := s.puFromID.Get(s.contextID)
	if err != nil {
		zap.L().Error("context not found for the PU with ID", zap.String("contextID", s.contextID))
		return
	}

	dnsReply, ips, err := forwardDNSReq(r, origIP, origPort)
	if err != nil {
		zap.L().Debug("Forwarded dns request returned error", zap.Error(err))
		return
	}

	puCtx = data.(*pucontext.PUContext)
	ps, err1 := puCtx.GetPolicyFromFQDN(r.Question[0].Name)
	if err1 == nil {
		for _, p := range ps {
			s.updateIPsets.UpdateIPsets(ips, p.Policy.ServiceID)
			if err1 := puCtx.UpdateApplicationACLs(policy.IPRuleList{{Addresses: ips,
				Ports:     p.Ports,
				Protocols: p.Protocols,
				Policy:    p.Policy,
			}}); err1 != nil {
				zap.L().Error("Adding IP rule returned error", zap.Error(err1))
			}
		}
	}

	if err = w.WriteMsg(dnsReply); err != nil {
		zap.L().Error("Writing dns response back to the client returned error", zap.Error(err))
	}
}

// StartDNSServer starts the dns server on the port provided for contextID
func (p *Proxy) StartDNSServer(contextID, port string) error {
	netPacketConn, err := listenUDP("udp", "127.0.0.1:"+port)
	if err != nil {
		return err
	}

	var server *dns.Server

	storeInMap := func() {
		p.Lock()
		defer p.Unlock()

		p.contextIDToServer[contextID] = server
	}

	server = &dns.Server{NotifyStartedFunc: storeInMap, PacketConn: netPacketConn, Handler: &serveDNS{contextID, p}}

	go func() {
		if err := server.ActivateAndServe(); err != nil {
			zap.L().Error("Could not start DNS proxy server", zap.Error(err))
		}
	}()

	return nil
}

// ShutdownDNS shuts down the dns server for contextID
func (p *Proxy) ShutdownDNS(contextID string) {
	p.Lock()
	defer p.Unlock()
	if s, ok := p.contextIDToServer[contextID]; ok {
		if err := s.Shutdown(); err != nil {
			zap.L().Error("shutdown of dns server returned error", zap.String("contextID", contextID), zap.Error(err))
		}
		delete(p.contextIDToServer, contextID)
	}
}

// New creates an instance of the dns proxy
func New(puFromID cache.DataStore, conntrack flowtracking.FlowClient, c collector.EventCollector, aclmanager ipsetmanager.ACLManager) *Proxy {
	ch := make(chan dnsReport)
	p := &Proxy{chreports: ch, puFromID: puFromID, collector: c, conntrack: conntrack, contextIDToServer: map[string]*dns.Server{}, updateIPsets: aclmanager}
	go p.reportDNSRequests(ch)
	return p
}


================================================
FILE: controller/internal/enforcer/dnsproxy/dns_darwin.go
================================================
package dnsproxy

import (
	"go.aporeto.io/trireme-lib/collector"
	"go.aporeto.io/trireme-lib/controller/pkg/flowtracking"
	"go.aporeto.io/trireme-lib/controller/pkg/ipsetmanager"
	"go.aporeto.io/trireme-lib/utils/cache"
)

// Proxy struct represents the object for dns proxy
type Proxy struct {
}

// New creates an instance of the dns proxy
func New(puFromID cache.DataStore, conntrack flowtracking.FlowClient, c collector.EventCollector, aclmanager ipsetmanager.ACLManager) *Proxy {
	return &Proxy{}
}

// ShutdownDNS shuts down the dns server for contextID
func (p *Proxy) ShutdownDNS(contextID string) {

}

// StartDNSServer starts the dns server on the port provided for contextID
func (p *Proxy) StartDNSServer(contextID, port string) error {
	return nil
}


================================================
FILE: controller/internal/enforcer/dnsproxy/dns_linux.go
================================================
// +build linux

package dnsproxy

import (
	"context"
	"fmt"
	"net"
	"strconv"
	"sync"
	"syscall"
	"time"

	"github.com/miekg/dns"
	"go.aporeto.io/enforcerd/trireme-lib/collector"
	"go.aporeto.io/enforcerd/trireme-lib/controller/constants"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/counters"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/flowtracking"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/ipsetmanager"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/pucontext"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
	"go.aporeto.io/enforcerd/trireme-lib/utils/cache"
	"go.uber.org/zap"
)

// removeExpiredEntryFunc is the type of the function that gets called when an IP entry expires (when its TTL hits 0)
type removeExpiredEntryFunc func(string)

// Proxy struct represents the object for dns proxy
type Proxy struct {
	puFromID                 cache.DataStore
	conntrack                flowtracking.FlowClient
	collector                collector.EventCollector
	contextIDToServer        map[string]*dns.Server
	chreports                chan dnsReport
	contextIDToDNSNames      *cache.Cache
	contextIDToDNSNamesLocks *mutexMap
	IPToTTL                  *cache.Cache
	IPToTTLLocks             *mutexMap
	removeExpiredEntry       removeExpiredEntryFunc
	sync.Mutex
}
type dnsNamesToIP struct {
	nameToIP     map[string][]string
	dnsNamesLock sync.Mutex
}
type dnsttlinfo struct {
	ipaddress string
	ttl       uint32
}

type iptottlinfo struct {
	ipaddress  string
	expiryTime time.Time
	timer      *time.Timer
	contextIDs map[string]struct{}
	fqdns      map[string]struct{}
}
type serveDNS struct {
	contextID string
	*Proxy
}

const (
	dnsRequestTimeout = 2 * time.Second
)

func socketOptions(_, _ string, c syscall.RawConn) error {
	var opErr error
	err := c.Control(func(fd uintptr) {
		if err := syscall.SetsockoptInt(int(fd), syscall.SOL_SOCKET, syscall.SO_MARK, constants.ProxyMarkInt); err != nil {
			zap.L().Error("dnsproxy: failed to mark connection", zap.Error(err))
		}
	})

	if err != nil {
		return err
	}

	return opErr
}

func listenUDP(ctx context.Context, network, addr string) (net.PacketConn, error) {
	var lc net.ListenConfig

	lc.Control = socketOptions

	return lc.ListenPacket(ctx, network, addr)
}

func forwardDNSReq(r *dns.Msg, ip net.IP, port uint16) ([]byte, []string, []*dnsttlinfo, error) {
	var ips []string
	var resp []byte
	var msg *dns.Msg
	var conn *dns.Conn
	var err error

	c := new(dns.Client)

	dial := func(address string) (*dns.Conn, error) {
		c.Dialer = &net.Dialer{
			Control: func(_, _ string, c syscall.RawConn) error {
				return c.Control(func(fd uintptr) {
					if err := syscall.SetsockoptInt(int(fd), syscall.SOL_SOCKET, syscall.SO_MARK, constants.ProxyMarkInt); err != nil {
						zap.L().Error("dnsproxy: failed to assing mark to socket", zap.Error(err))
					}
				})
			},
			Timeout: dnsRequestTimeout,
		}

		conn, err := c.Dial(address)
		if err != nil {
			return nil, err
		}

		return conn, nil
	}

	sendRequest := func(r *dns.Msg, conn *dns.Conn) error {
		opt := r.IsEdns0()
		// If EDNS0 is used use that for size.
		if opt != nil && opt.UDPSize() >= dns.MinMsgSize {
			conn.UDPSize = opt.UDPSize()
		}
		// Otherwise use the client's configured UDP size.
		if opt == nil && c.UDPSize >= dns.MinMsgSize {
			conn.UDPSize = c.UDPSize
		}

		t := time.Now()
		// write with the appropriate write timeout
		if err = conn.SetWriteDeadline(t.Add(c.Dialer.Timeout)); err != nil {
			return err
		}

		if err = conn.WriteMsg(r); err != nil {
			return err
		}

		return nil
	}

	readResponse := func(conn *dns.Conn) ([]byte, *dns.Msg, error) {
		if err := conn.SetReadDeadline(time.Now().Add(c.Dialer.Timeout)); err != nil {
			return nil, nil, err
		}

		p, err := conn.ReadMsgHeader(nil)
		if err != nil {
			return nil, nil, err
		}

		m := new(dns.Msg)
		if err := m.Unpack(p); err != nil {
			// If an error was returned, we still want to allow the user to use
			// the message, but naively they can just check err if they don't want
			// to use an erroneous message
			return nil, nil, err
		}

		return p, m, nil
	}

	if conn, err = dial(net.JoinHostPort(ip.String(), strconv.Itoa(int(port)))); err != nil {
		return nil, nil, nil, err
	}

	defer conn.Close() // nolint: errcheck

	if err := sendRequest(r, conn); err != nil {
		return nil, nil, nil, err
	}

	if resp, msg, err = readResponse(conn); err != nil {
		return nil, nil, nil, err
	}
	dnsttlinfolist := []*dnsttlinfo{}

	for _, ans := range msg.Answer {
		if ans.Header().Rrtype == dns.TypeA {
			t, _ := ans.(*dns.A)

			ips = append(ips, t.A.String())
			dnsttlinfolist = append(dnsttlinfolist, &dnsttlinfo{
				ipaddress: t.A.String(),
				ttl:       ans.Header().Ttl,
			})
		}

		if ans.Header().Rrtype == dns.TypeAAAA {
			t, _ := ans.(*dns.AAAA)
			ips = append(ips, t.AAAA.String())

			dnsttlinfolist = append(dnsttlinfolist, &dnsttlinfo{
				ipaddress: t.AAAA.String(),
				ttl:       ans.Header().Ttl,
			})
		}
	}
	return resp, ips, dnsttlinfolist, nil
}

const (
	strInvalidDNSRequest = "invalid DNS request"
)

func (s *serveDNS) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
	var err error
	lAddr := w.LocalAddr().(*net.UDPAddr)
	rAddr := w.RemoteAddr().(*net.UDPAddr)
	var pctx *pucontext.PUContext
	var ipsRaw []string
	var origIP net.IP
	var origPort uint16
	var reportError string

	defer func() {
		if pctx != nil {
			// if there is no question section, this was an invalid request
			name := "invalid"
			if len(r.Question) > 0 {
				name = r.Question[0].Name
			}
			s.reportDNSLookup(name, pctx, rAddr.IP, uint16(rAddr.Port), origIP, origPort, ipsRaw, reportError)
		}
	}()

	pctxRaw, err := s.puFromID.Get(s.contextID)
	if err != nil {
		zap.L().Error("dnsproxy: context not found for the PU with ID", zap.String("contextID", s.contextID), zap.Error(err))
		reportError = fmt.Sprintf("PU context: %s", err)
		return
	}
	pctx = pctxRaw.(*pucontext.PUContext)

	// check if the DNS request is actually valid
	// we have seen with the AWS resolve in the past that it *does* respond with an empty Question section
	if len(r.Question) <= 0 {
		pctx.Counters().IncrementCounter(counters.ErrDNSInvalidRequest)
		zap.L().Debug("dnsproxy: invalid DNS request received (missing question section)", zap.String("contextID", s.contextID))
		reportError = strInvalidDNSRequest
		return
	}

	// TODO: shouldn't we let the lookup go regardless of our problems?
	origIP, origPort, _, err = s.conntrack.GetOriginalDest(net.ParseIP("127.0.0.1"), rAddr.IP, uint16(lAddr.Port), uint16(rAddr.Port), 17)
	if err != nil {
		zap.L().Error("dnsproxy: failed to find flow for the redirected DNS traffic", zap.String("contextID", s.contextID), zap.Error(err))
		reportError = fmt.Sprintf("conntrack: DNS request flow: %s", err)
		return
	}

	// perform the upstream DNS lookup
	dnsReply, ipsRaw, dnsttlinfolistRaw, err := forwardDNSReq(r, origIP, origPort)
	if err != nil {
		pctx.Counters().IncrementCounter(counters.ErrDNSForwardFailed)
		zap.L().Debug("dnsproxy: forwarded DNS request returned error", zap.String("contextID", s.contextID), zap.Error(err))
		reportError = fmt.Sprintf("DNS request failed: %s", err)
		return
	}

	// get all policies associated with the FQDN from
	policies, policyName, err1 := pctx.GetPolicyFromFQDN(r.Question[0].Name)

	// if they exist, then err1 is nil, and we need to update
	// - the ipsets
	// - the applicationacls inside of the enforcer
	// - the internal cache
	if err1 == nil {
		type ipDetail struct {
			ttl        uint32
			updateOnly bool
		}
		ipsToProcess := make(map[string]ipDetail, len(ipsRaw))
		for _, pol := range policies {
			for _, i := range dnsttlinfolistRaw {
				// TODO: this does not work yet - will come in a separate PR
				//if checkIfACLExists(pctx, pol, i.ipaddress) {
				//	// no need to program ACLs and ipsets
				//	// however, there are two cases here:
				//	// 1. this was a static entry in the external network, and we truly want to skip it
				//	// 2. this comes from us programming it down below
				//	// In case (2) we need to actually call handleTTLInfoList but with updateOnly to extend the TTL
				//	// This way no new expiry entries will be made when not necessary as for static entries,
				//	// but they will be extended when necessary as well.
				//	if _, ok := ipsToProcess[i.ipaddress]; !ok {
				//		ipsToProcess[i.ipaddress] = ipDetail{ttl: i.ttl, updateOnly: true}
				//	}
				//	continue
				//}

				if _, ok := ipsToProcess[i.ipaddress]; !ok {
					ipsToProcess[i.ipaddress] = ipDetail{ttl: i.ttl, updateOnly: false}
				}
				ips := []string{i.ipaddress}

				// makes sure to update any ipsets related to the serviceID of the policy
				// this matches the case when the destinations are *not* overlapping with the target networks and the decision is not done
				// in the enforcer
				zap.L().Debug("dnsproxy: ipset: adding IP addresses", zap.String("contextID", s.contextID), zap.String("serviceID", pol.Policy.ServiceID), zap.Strings("ipaddresses", ips))
				ipsetmanager.V4().UpdateACLIPsets(ips, pol.Policy.ServiceID)
				ipsetmanager.V6().UpdateACLIPsets(ips, pol.Policy.ServiceID)

				// makes sure to update the ApplicationACLs inside of the enforcer
				// this matches the case when the destination is overlapping with the target networks, and the decision is made inside
				// of the enforcer, and not with ipsets
				zap.L().Debug("dnsproxy: adding IP addresses to enforcer ApplicationACLs", zap.String("contextID", s.contextID), zap.String("serviceID", pol.Policy.ServiceID), zap.Strings("ipaddresses", ips))
				if err1 := pctx.UpdateApplicationACLs(policy.IPRuleList{{
					Addresses: ips,
					Ports:     pol.Ports,
					Protocols: pol.Protocols,
					Policy:    pol.Policy,
				}}); err1 != nil {
					zap.L().Error("dnsproxy: adding IP rule returned error", zap.String("contextID", s.contextID), zap.Error(err1))
				}
			}
		}

		// for processing in our caches, we only care about the IPs that we needed to program ACLs/ipsets
		ips := make([]string, 0, len(ipsToProcess))
		var dnsttlinfolist, dnsttlinfolistUpdateOnly []*dnsttlinfo
		for ip, d := range ipsToProcess {
			if d.updateOnly {
				dnsttlinfolistUpdateOnly = append(dnsttlinfolistUpdateOnly, &dnsttlinfo{ipaddress: ip, ttl: d.ttl})
			} else {
				ips = append(ips, ip)
				dnsttlinfolist = append(dnsttlinfolist, &dnsttlinfo{ipaddress: ip, ttl: d.ttl})
			}
		}

		// update the cache/map for this FQDN with new
		s.updateFQDNWithIPs(s.contextID, policyName, ips)

		// add or update only if required the expiry entries
		s.handleTTLInfoList(s.contextID, policyName, dnsttlinfolist, false)
		s.handleTTLInfoList(s.contextID, policyName, dnsttlinfolistUpdateOnly, true)
	}

	configureDependentServices(pctx, r.Question[0].Name, ipsRaw)

	// write the DNS reply back to the client
	if _, err = w.Write(dnsReply); err != nil {
		pctx.Counters().IncrementCounter(counters.ErrDNSResponseFailed)
		zap.L().Error("dnsproxy: writing DNS response back to the client returned error", zap.String("contextID", s.contextID), zap.Error(err))
	}
}

// TODO: this does not work yet - will come in a separate PR
// func checkIfACLExists(pctx *pucontext.PUContext, pol policy.PortProtocolPolicy, ipStr string) bool {
// 	ip := net.ParseIP(ipStr)
// 	if ip == nil {
// 		return false
// 	}
// 	for _, protoStr := range pol.Protocols {
// 		proto, err := strconv.Atoi(protoStr)
// 		if err != nil {
// 			continue
// 		}
// 		for _, portStr := range pol.Ports {
// 			// it could be a range definition
// 			var ports []uint16
// 			if strings.Contains(portStr, ":") {
// 				tmp := strings.SplitN(portStr, ":", 2)
// 				if len(tmp) != 2 {
// 					continue
// 				}
// 				startPort, err := strconv.Atoi(tmp[0])
// 				if err != nil {
// 					continue
// 				}
// 				endPort, err := strconv.Atoi(tmp[1])
// 				if err != nil {
// 					continue
// 				}
// 				ports = make([]uint16, 0, endPort-startPort+1)
// 				for i := startPort; i <= endPort; i++ {
// 					ports = append(ports, uint16(i))
// 				}
// 			} else {
// 				port, err := strconv.Atoi(portStr)
// 				if err != nil {
// 					continue
// 				}
// 				ports = []uint16{uint16(port)}
// 			}

// 			for _, port := range ports {
// 				reportPol, actionPol, err := pctx.ApplicationACLPolicyFromAddr(ip, port, uint8(proto))
// 				if err == nil && (reportPol != nil || actionPol != nil) {
// 					zap.L().Debug("dnsproxy: ACL already found for IP",
// 						zap.String("contextID", pctx.ManagementID()),
// 						zap.String("ipaddress", ipStr),
// 						zap.Any("reportPol", reportPol),
// 						zap.Any("actionPol", actionPol),
// 					)
// 					return true
// 				}
// 			}
// 		}
// 	}
// 	return false
// }

func (p *Proxy) handleTTLInfoList(contextID, fqdn string, dnsttlinfolist []*dnsttlinfo, updateOnly bool) {
	for _, dnsinfo := range dnsttlinfolist {
		zap.L().Debug("handleTTLInfoList", zap.String("fqdn", fqdn), zap.String("ipaddress", dnsinfo.ipaddress), zap.Bool("updateOnly", updateOnly))
		p.handleTTLInfo(contextID, fqdn, dnsinfo, updateOnly)
	}
}

func (p *Proxy) handleTTLInfo(contextID, fqdn string, dnsinfo *dnsttlinfo, updateOnly bool) {
	newEntryExpiryTime := time.Now().Add(time.Duration(dnsinfo.ttl) * time.Second)
	ul := p.IPToTTLLocks.Lock(dnsinfo.ipaddress)
	defer ul.Unlock()
	ttlInfoRaw, err := p.IPToTTL.Get(dnsinfo.ipaddress)
	if err != nil {
		// if we are supposed to be updating only
		// then skip this entry
		if updateOnly {
			return
		}

		// otherwise add a new entry
		newEntry := iptottlinfo{
			ipaddress:  dnsinfo.ipaddress,
			expiryTime: newEntryExpiryTime,
			contextIDs: map[string]struct{}{contextID: {}},
			fqdns:      map[string]struct{}{fqdn: {}},
		}
		// NOTE: the dnsinfo.ipaddress is in a for loop
		// so we need to make sure the IP address is on the stack when the callback is called
		// hence the anonymous function wrapping of the timer
		func(ipaddress string) {
			newEntry.timer = time.AfterFunc(time.Duration(dnsinfo.ttl)*time.Second, func() {
				if p.removeExpiredEntry != nil {
					p.removeExpiredEntry(ipaddress)
				}
			})
		}(dnsinfo.ipaddress)
		if err := p.IPToTTL.Add(dnsinfo.ipaddress, newEntry); err != nil {
			zap.L().Debug("dnsproxy: failed to add entry to IPToTTL cache", zap.String("contextID", contextID), zap.Any("iptottlinfo", newEntry), zap.Error(err))
			return
		}
	} else {
		// update TTL info and reset timer if necessary
		ttlInfo := ttlInfoRaw.(iptottlinfo)
		if newEntryExpiryTime.After(ttlInfo.expiryTime) {
			ttlInfo.timer.Reset(time.Duration(dnsinfo.ttl) * time.Second)
		}
		ttlInfo.expiryTime = newEntryExpiryTime
		ttlInfo.contextIDs[contextID] = struct{}{}
		ttlInfo.fqdns[fqdn] = struct{}{}
		p.IPToTTL.AddOrUpdate(dnsinfo.ipaddress, ttlInfo)
	}
}

func (p *Proxy) defaultRemoveExpiredEntry(ipaddress string) {
	// retrieve the IPtoTTLInfo
	ul := p.IPToTTLLocks.Lock(ipaddress)
	defer ul.Unlock()
	ttlInfoRaw, err := p.IPToTTL.Get(ipaddress)
	if err != nil {
		zap.L().Debug("dnsproxy: entry already gone from IPToTTL cache", zap.String("ipaddress", ipaddress))
		return
	}
	ttlInfo := ttlInfoRaw.(iptottlinfo)

	for contextID := range ttlInfo.contextIDs {
		pctxRaw, err := p.puFromID.Get(contextID)
		if err != nil {
			zap.L().Error("dnsproxy: context not found for the PU with ID", zap.String("contextID", contextID))
			continue
		}
		pctx := pctxRaw.(*pucontext.PUContext)

		for fqdn := range ttlInfo.fqdns {
			policies, policyName, err := pctx.GetPolicyFromFQDN(fqdn)
			if err != nil {
				continue
			}

			// remove IP address from ipsets
			for _, pol := range policies {
				zap.L().Debug("dnsproxy: ipset: removing IP address", zap.String("contextID", contextID), zap.String("serviceID", pol.Policy.ServiceID), zap.String("ipaddress", ipaddress))
				ipsetmanager.V4().DeleteEntryFromIPset([]string{ipaddress}, pol.Policy.ServiceID)
				ipsetmanager.V6().DeleteEntryFromIPset([]string{ipaddress}, pol.Policy.ServiceID)

				// remove IP address from enforcer ApplicationACLs
				zap.L().Debug("dnsproxy: removing IP address from enforcer ApplicationACL", zap.String("contextID", contextID), zap.String("ipaddress", ipaddress))
				if err := pctx.RemoveApplicationACL(ipaddress, pol.Protocols, pol.Ports, pol.Policy); err != nil {
					zap.L().Debug("dnsproxy: RemoveApplicationACL failed", zap.String("contextID", contextID), zap.String("serviceID", pol.Policy.ServiceID), zap.String("ipaddress", ipaddress), zap.Error(err))
				}
			}

			p.removeIPfromFQDN(contextID, policyName, ipaddress)
		}
	}

	// clean up after ourselves and remove ourselves from the cache
	if err := p.IPToTTL.Remove(ipaddress); err != nil {
		zap.L().Debug("dnsproxy: failed to remove entry from IPToTTL cache", zap.String("ipaddress", ipaddress), zap.Error(err))
	}
	p.IPToTTLLocks.Remove(ipaddress)

}

// StartDNSServer starts the dns server on the port provided for contextID
func (p *Proxy) StartDNSServer(ctx context.Context, contextID, port string) error {
	netPacketConn, err := listenUDP(ctx, "udp", "127.0.0.1:"+port)
	if err != nil {
		return err
	}

	var server *dns.Server

	storeInMap := func() {
		p.Lock()
		defer p.Unlock()

		p.contextIDToServer[contextID] = server
	}

	server = &dns.Server{NotifyStartedFunc: storeInMap, PacketConn: netPacketConn, Handler: &serveDNS{contextID, p}}

	go func() {
		if err := server.ActivateAndServe(); err != nil {
			zap.L().Error("dnsproxy: could not start DNS proxy server", zap.String("contextID", contextID), zap.Error(err))
		}
	}()

	return nil
}

// shutdownDNS shuts down the dns server for contextID
func (p *Proxy) shutdownDNS(contextID string) {

	if s, ok := p.contextIDToServer[contextID]; ok {
		if err := s.Shutdown(); err != nil {
			zap.L().Error("dnsproxy: shutdown of DNS server returned error", zap.String("contextID", contextID), zap.Error(err))
		}
		delete(p.contextIDToServer, contextID)
	}
}

// New creates an instance of the dns proxy
func New(ctx context.Context, puFromID cache.DataStore, conntrack flowtracking.FlowClient, c collector.EventCollector) *Proxy {
	ch := make(chan dnsReport)
	p := &Proxy{
		chreports:                ch,
		puFromID:                 puFromID,
		collector:                c,
		conntrack:                conntrack,
		contextIDToServer:        map[string]*dns.Server{},
		contextIDToDNSNames:      cache.NewCache("contextIDtoDNSNames"),
		contextIDToDNSNamesLocks: newMutexMap(),
		IPToTTL:                  cache.NewCache("IPToTTL"),
		IPToTTLLocks:             newMutexMap(),
	}
	p.removeExpiredEntry = p.defaultRemoveExpiredEntry
	go p.reportDNSRequests(ctx, ch)
	return p
}

// SyncWithPlatformCache is only needed in Windows currently
func (p *Proxy) SyncWithPlatformCache(ctx context.Context, pctx *pucontext.PUContext) error {
	return nil
}

// HandleDNSResponsePacket is only needed in Windows currently
func (p *Proxy) HandleDNSResponsePacket(dnsPacketData []byte, sourceIP net.IP, sourcePort uint16, destIP net.IP, destPort uint16, puFromContextID func(string) (*pucontext.PUContext, error)) error {
	return nil
}

// Enforce starts enforcing policies for the given policy.PUInfo.
func (p *Proxy) Enforce(ctx context.Context, contextID string, puInfo *policy.PUInfo) error {
	// during the first Enforce call, we still need to initialize map
	// we do that and return
	ul := p.contextIDToDNSNamesLocks.Lock(contextID)
	defer ul.Unlock()
	tmp, err := p.contextIDToDNSNames.Get(contextID)
	if err != nil {
		// this means that the map is not initialized yet, do so now
		return p.doHandleCreate(ctx, contextID, puInfo)
	}

	// during a policy refresh, we will enter this part here:
	// - iterate over all DNSACLs for this PU
	// - for all already learned IPs for all DNS names: program ipsets and enforcer ApplicationACLs
	dnsNames := tmp.(*dnsNamesToIP).Copy()
	for fqdn, policies := range puInfo.Policy.DNSACLs {
		ips, ok := dnsNames.nameToIP[fqdn]
		if ok {
			// we have already learned those DNS names
			// make sure to reprogram ipsets and ApplicationACLs in the enforcer
			// on a policy refresh
			for _, pol := range policies {
				zap.L().Debug("dnsproxy: ipset: adding IP addresses after policy refresh", zap.String("contextID", contextID), zap.String("fqdn", fqdn), zap.String("serviceID", pol.Policy.ServiceID), zap.Strings("ipaddresses", ips))
				ipsetmanager.V4().UpdateACLIPsets(ips, pol.Policy.ServiceID)
				ipsetmanager.V6().UpdateACLIPsets(ips, pol.Policy.ServiceID)

				// makes sure to update the ApplicationACLs inside of the enforcer
				// this matches the case when the destination is overlapping with the target networks, and the decision is made inside
				// of the enforcer, and not with ipsets
				data, err := p.puFromID.Get(contextID)
				if err != nil {
					zap.L().Error("dnsproxy: context not found for the PU with ID", zap.String("contextID", contextID))
					continue
				}
				pctx := data.(*pucontext.PUContext)
				if err1 := pctx.UpdateApplicationACLs(policy.IPRuleList{{
					Addresses: ips,
					Ports:     pol.Ports,
					Protocols: pol.Protocols,
					Policy:    pol.Policy,
				}}); err1 != nil {
					zap.L().Error("dnsproxy: adding IP rule returned error after policy refresh", zap.String("contextID", contextID), zap.Error(err1))
				}
			}
			continue
		}
		// This is a new fqdn. DNS proxy will fix these IPs as it learns them
		dnsNames.nameToIP[fqdn] = []string{}
	}
	// this is only necessary to add new FQDNs to the map - which is essential for the DNS proxy to know about
	p.contextIDToDNSNames.AddOrUpdate(contextID, dnsNames)
	return nil
}

func (p *Proxy) doHandleCreate(_ context.Context, contextID string, puInfo *policy.PUInfo) error {
	nameToIP := &dnsNamesToIP{
		nameToIP: map[string][]string{},
	}
	for name := range puInfo.Policy.DNSACLs {
		nameToIP.nameToIP[name] = []string{}
	}
	if err := p.contextIDToDNSNames.Add(contextID, nameToIP); err != nil {
		zap.L().Error("dnsproxy: contextID already enforced", zap.String("contextID", contextID))
	}

	return nil
}

// Unenforce stops enforcing policy for the given IP.
func (p *Proxy) Unenforce(_ context.Context, contextID string) error {
	p.Lock()
	defer p.Unlock()
	ul := p.contextIDToDNSNamesLocks.Lock(contextID)
	if err := p.contextIDToDNSNames.Remove(contextID); err != nil {
		zap.L().Error("dnsproxy: contextID already removed/unenforced", zap.String("contextID", contextID))
	}
	p.contextIDToDNSNamesLocks.Remove(contextID)
	ul.Unlock()
	p.shutdownDNS(contextID)
	return nil
}

func (d *dnsNamesToIP) Copy() *dnsNamesToIP {
	d.dnsNamesLock.Lock()
	defer d.dnsNamesLock.Unlock()
	newdns := &dnsNamesToIP{
		nameToIP: make(map[string][]string, len(d.nameToIP)),
	}
	for key, value := range d.nameToIP {
		newvalue := make([]string, len(value))
		copy(newvalue, value)
		newdns.nameToIP[key] = newvalue
	}

	return newdns
}

// updateFQDNWithIPs will add any new IPs in `ips` and add it to the internal map of `contextIDToDNSNames` for our s.contextID
func (p *Proxy) updateFQDNWithIPs(contextID, fqdn string, ips []string) {
	ul := p.contextIDToDNSNamesLocks.Lock(contextID)
	defer ul.Unlock()
	tmp, err := p.contextIDToDNSNames.Get(contextID)
	if err != nil {
		zap.L().Debug("dnsproxy: failed to get fqdn map for contextID in updateFQDNWithIPs", zap.String("contextID", contextID))
		return
	}
	fqdntoIPs := tmp.(*dnsNamesToIP).Copy()
	existingIPsMap := make(map[string]struct{}, len(fqdntoIPs.nameToIP[fqdn]))
	for _, e := range fqdntoIPs.nameToIP[fqdn] {
		existingIPsMap[e] = struct{}{}
	}
	toAdd := make([]string, 0, len(ips))
	for _, newIP := range ips {
		if _, ok := existingIPsMap[newIP]; ok {
			continue
		}
		toAdd = append(toAdd, newIP)
	}
	fqdntoIPs.nameToIP[fqdn] = append(fqdntoIPs.nameToIP[fqdn], toAdd...)
	_ = p.contextIDToDNSNames.AddOrUpdate(contextID, fqdntoIPs)
	zap.L().Debug("dnsproxy: updating FQDN map after IP addresses were added", zap.String("contextID", contextID), zap.Any("fqdntoIPs", fqdntoIPs.nameToIP))
}

func (p *Proxy) removeIPfromFQDN(contextID, fqdn string, ipAddress string) {
	ul := p.contextIDToDNSNamesLocks.Lock(contextID)
	defer ul.Unlock()
	tmp, err := p.contextIDToDNSNames.Get(contextID)
	if err != nil {
		zap.L().Debug("dnsproxy: failed to get fqdn map for contextID in removeIPfromFQDN", zap.String("contextID", contextID))
		return
	}
	fqdntoIPs := tmp.(*dnsNamesToIP).Copy()
	existingIPsMap := make(map[string]struct{}, len(fqdntoIPs.nameToIP[fqdn]))
	for _, e := range fqdntoIPs.nameToIP[fqdn] {
		existingIPsMap[e] = struct{}{}
	}

	// remove IP from map/cache
	if len(fqdntoIPs.nameToIP[fqdn]) > 0 {
		ips := make([]string, 0, len(fqdntoIPs.nameToIP[fqdn])-1)
		var found bool
		for _, ip := range fqdntoIPs.nameToIP[fqdn] {
			if ip == ipAddress {
				found = true
				continue
			}
			ips = append(ips, ip)
		}
		if !found {
			zap.L().Debug("dnsproxy: ipaddress was already removed from list", zap.String("contextID", contextID), zap.String("fqdn", fqdn), zap.String("ipaddress", ipAddress))
		}
		fqdntoIPs.nameToIP[fqdn] = ips
	}

	zap.L().Debug("dnsproxy: updating FQDN map after IP address was deleted", zap.String("contextID", contextID), zap.Any("iplist", fqdntoIPs.nameToIP))
	_ = p.contextIDToDNSNames.AddOrUpdate(contextID, fqdntoIPs) // nolint
}


================================================
FILE: controller/internal/enforcer/dnsproxy/dns_linux_test.go
================================================
// +build linux

package dnsproxy

import (
	"bufio"
	"context"
	"fmt"
	"net"
	"os"
	"reflect"
	"regexp"
	"strings"
	"sync"
	"testing"
	"time"

	"github.com/magiconair/properties/assert"
	"github.com/miekg/dns"
	"go.aporeto.io/enforcerd/trireme-lib/collector"
	"go.aporeto.io/enforcerd/trireme-lib/controller/constants"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/acls"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/pucontext"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
	"go.aporeto.io/enforcerd/trireme-lib/utils/cache"
)

type flowClientDummy struct {
}

func (c *flowClientDummy) Close() error {
	return nil
}

func (c *flowClientDummy) UpdateMark(ipSrc, ipDst net.IP, protonum uint8, srcport, dstport uint16, newmark uint32, network bool) error {
	return nil
}

func (c *flowClientDummy) UpdateNetworkFlowMark(ipSrc, ipDst net.IP, protonum uint8, srcport, dstport uint16, newmark uint32) error {
	return nil
}

func (c *flowClientDummy) UpdateApplicationFlowMark(ipSrc, ipDst net.IP, protonum uint8, srcport, dstport uint16, newmark uint32) error {
	return nil
}

func findDNSServerIP() net.IP {

	file, err := os.Open("/etc/resolv.conf")

	if err != nil {
		return net.ParseIP("8.8.8.8")
	}

	scanner := bufio.NewScanner(file)

	// this regex is doing a whole word search
	s := "\\b" + "nameserver" + "\\b"
	match := regexp.MustCompile(s)

	for scanner.Scan() {
		line := scanner.Text()
		if match.MatchString(line) {
			return net.ParseIP(strings.Fields(line)[1])
		}
	}

	return net.ParseIP("8.8.8.8")
}

func (c *flowClientDummy) GetOriginalDest(ipSrc, ipDst net.IP, srcport, dstport uint16, protonum uint8) (net.IP, uint16, uint32, error) {

	dnsServerIP := findDNSServerIP()
	fmt.Println("using DNS Server IP", dnsServerIP)
	return dnsServerIP, 53, 100, nil
}

func addDNSNamePolicy(context *pucontext.PUContext) {
	context.DNSACLs = policy.DNSRuleList{
		"www.google.com.": []policy.PortProtocolPolicy{
			{Ports: []string{"80"},
				Protocols: []string{"tcp"},
				Policy: &policy.FlowPolicy{
					Action:   policy.Accept,
					PolicyID: "2",
				}},
		},
	}
}

func CustomDialer(ctx context.Context, network, address string) (net.Conn, error) {
	d := net.Dialer{}
	return d.DialContext(ctx, "udp", "127.0.0.1:53001")
}

func createCustomResolver() *net.Resolver {
	r := &net.Resolver{
		PreferGo: true,
		Dial:     CustomDialer,
	}

	return r
}

// DNSCollector implements a default collector infrastructure to syslog
type DNSCollector struct{}

// CollectFlowEvent is part of the EventCollector interface.
func (d *DNSCollector) CollectFlowEvent(record *collector.FlowRecord) {}

// CollectContainerEvent is part of the EventCollector interface.
func (d *DNSCollector) CollectContainerEvent(record *collector.ContainerRecord) {}

// CollectUserEvent is part of the EventCollector interface.
func (d *DNSCollector) CollectUserEvent(record *collector.UserRecord) {}

// CollectTraceEvent collects iptables trace events
func (d *DNSCollector) CollectTraceEvent(records []string) {}

// CollectPingEvent collects ping events
func (d *DNSCollector) CollectPingEvent(report *collector.PingReport) {}

// CollectPacketEvent collects packet events from the datapath
func (d *DNSCollector) CollectPacketEvent(report *collector.PacketReport) {}

// CollectCounterEvent collect counters from the datapath
func (d *DNSCollector) CollectCounterEvent(report *collector.CounterReport) {}

// CollectConnectionExceptionReport collects the connection exception report
func (d *DNSCollector) CollectConnectionExceptionReport(_ *collector.ConnectionExceptionReport) {
}

var r collector.DNSRequestReport
var l sync.Mutex

// CollectDNSRequests collect counters from the datapath
func (d *DNSCollector) CollectDNSRequests(report *collector.DNSRequestReport) {
	l.Lock()
	r = *report
	l.Unlock()
}

func TestDNS(t *testing.T) {
	ctx, cancel := context.WithCancel(context.Background())
	defer cancel()
	puIDcache := cache.NewCache("puFromContextID")

	fp := &policy.PUInfo{
		Runtime: policy.NewPURuntimeWithDefaults(),
		Policy:  policy.NewPUPolicyWithDefaults(),
	}
	pu, _ := pucontext.NewPU("pu1", fp, nil, 24*time.Hour) // nolint

	addDNSNamePolicy(pu)

	puIDcache.AddOrUpdate("pu1", pu)
	conntrack := &flowClientDummy{}
	collector := &DNSCollector{}

	proxy := New(ctx, puIDcache, conntrack, collector)

	err := proxy.StartDNSServer(ctx, "pu1", "53001")
	assert.Equal(t, err == nil, true, "start dns server")

	resolver := createCustomResolver()
	waitTimeBeforeReport = 3 * time.Second
	resolver.LookupIPAddr(ctx, "www.google.com") // nolint
	resolver.LookupIPAddr(ctx, "www.google.com") // nolint

	assert.Equal(t, err == nil, true, "err should be nil")

	time.Sleep(5 * time.Second)
	l.Lock()
	assert.Equal(t, r.NameLookup == "www.google.com.", true, "lookup should be www.google.com")
	assert.Equal(t, r.Count >= 2 && r.Count <= 10, true, fmt.Sprintf("count should be 2, got %d", r.Count))
	l.Unlock()
	proxy.Unenforce(ctx, "pu1") // nolint
}

const (
	contextID   = "host"
	serviceID   = "serviceID"
	port80      = "80"
	fqdn        = "www.example.com."
	fqdnTwo     = "two.example.com."
	fqdnKeep    = "keep.example.com."
	ip192_0_2_1 = "192.0.2.1"
	ip192_0_2_2 = "192.0.2.2"
	ip192_0_2_3 = "192.0.2.3"
)

func TestProxy_removeIPfromFQDN(t *testing.T) {
	type args struct {
		contextID string
		fqdn      string
		ipAddress string
	}
	tests := []struct {
		name             string
		args             args
		existing         map[string]*dnsNamesToIP
		wantContextEntry bool
		want             map[string][]string
	}{
		{
			name: "context not in cache",
			args: args{
				contextID: "does not exist",
				fqdn:      fqdn,
				ipAddress: "",
			},
			wantContextEntry: false,
		},
		{
			name: "nothing to remove from empty list",
			args: args{
				contextID: contextID,
				fqdn:      fqdn,
				ipAddress: ip192_0_2_1,
			},
			wantContextEntry: true,
			existing: map[string]*dnsNamesToIP{
				contextID: {
					nameToIP: map[string][]string{
						fqdnKeep: {ip192_0_2_1},
						fqdn:     {},
					},
				},
			},
			want: map[string][]string{
				fqdnKeep: {ip192_0_2_1},
				fqdn:     {},
			},
		},
		{
			name: "IP does not match from existing list",
			args: args{
				contextID: contextID,
				fqdn:      fqdn,
				ipAddress: ip192_0_2_1,
			},
			wantContextEntry: true,
			existing: map[string]*dnsNamesToIP{
				contextID: {
					nameToIP: map[string][]string{
						fqdnKeep: {ip192_0_2_1},
						fqdn:     {ip192_0_2_2},
					},
				},
			},
			want: map[string][]string{
				fqdnKeep: {ip192_0_2_1},
				fqdn:     {ip192_0_2_2},
			},
		},
		{
			name: "IP successfully being removed from list",
			args: args{
				contextID: contextID,
				fqdn:      fqdn,
				ipAddress: ip192_0_2_1,
			},
			wantContextEntry: true,
			existing: map[string]*dnsNamesToIP{
				contextID: {
					nameToIP: map[string][]string{
						fqdnKeep: {ip192_0_2_1},
						fqdn:     {ip192_0_2_1},
					},
				},
			},
			want: map[string][]string{
				fqdnKeep: {ip192_0_2_1},
				fqdn:     {},
			},
		},
		{
			name: "IP successfully being removed from list with other entries",
			args: args{
				contextID: contextID,
				fqdn:      fqdn,
				ipAddress: ip192_0_2_2,
			},
			wantContextEntry: true,
			existing: map[string]*dnsNamesToIP{
				contextID: {
					nameToIP: map[string][]string{
						fqdnKeep: {ip192_0_2_1},
						fqdn:     {ip192_0_2_1, ip192_0_2_2, ip192_0_2_3},
					},
				},
			},
			want: map[string][]string{
				fqdnKeep: {ip192_0_2_1},
				fqdn:     {ip192_0_2_1, ip192_0_2_3},
			},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			p := &Proxy{
				contextIDToDNSNames:      cache.NewCache("contextIDtoDNSNames"),
				contextIDToDNSNamesLocks: newMutexMap(),
			}
			for k, v := range tt.existing {
				p.contextIDToDNSNames.AddOrUpdate(k, v)
			}
			p.removeIPfromFQDN(tt.args.contextID, tt.args.fqdn, tt.args.ipAddress)

			val, err := p.contextIDToDNSNames.Get(tt.args.contextID)
			if (err == nil) != tt.wantContextEntry {
				t.Errorf("entry for context %q does not exist", tt.args.contextID)
			}
			if err == nil {
				m := val.(*dnsNamesToIP)
				if !reflect.DeepEqual(m.nameToIP, tt.want) {
					t.Errorf("want %#v, have %#v", tt.want, m.nameToIP)
				}
			}
		})
	}
}

func TestProxy_updateFQDNWithIPs(t *testing.T) {
	type args struct {
		contextID   string
		fqdn        string
		ipAddresses []string
	}
	tests := []struct {
		name             string
		args             args
		existing         map[string]*dnsNamesToIP
		wantContextEntry bool
		want             map[string][]string
	}{
		{
			name: "context not in cache",
			args: args{
				contextID:   "does not exist",
				fqdn:        fqdn,
				ipAddresses: nil,
			},
			wantContextEntry: false,
		},
		{
			name: "adding an empty list",
			args: args{
				contextID:   contextID,
				fqdn:        fqdn,
				ipAddresses: []string{},
			},
			wantContextEntry: true,
			existing: map[string]*dnsNamesToIP{
				contextID: {
					nameToIP: map[string][]string{
						fqdnKeep: {ip192_0_2_1},
						fqdn:     {},
					},
				},
			},
			want: map[string][]string{
				fqdnKeep: {ip192_0_2_1},
				fqdn:     {},
			},
		},
		{
			name: "adding IPs to an empty list",
			args: args{
				contextID:   contextID,
				fqdn:        fqdn,
				ipAddresses: []string{ip192_0_2_2, ip192_0_2_3},
			},
			wantContextEntry: true,
			existing: map[string]*dnsNamesToIP{
				contextID: {
					nameToIP: map[string][]string{
						fqdnKeep: {ip192_0_2_1},
						fqdn:     {},
					},
				},
			},
			want: map[string][]string{
				fqdnKeep: {ip192_0_2_1},
				fqdn:     {ip192_0_2_2, ip192_0_2_3},
			},
		},
		{
			name: "adding an existing IP to the list",
			args: args{
				contextID:   contextID,
				fqdn:        fqdn,
				ipAddresses: []string{ip192_0_2_2},
			},
			wantContextEntry: true,
			existing: map[string]*dnsNamesToIP{
				contextID: {
					nameToIP: map[string][]string{
						fqdnKeep: {ip192_0_2_1},
						fqdn:     {ip192_0_2_1, ip192_0_2_2},
					},
				},
			},
			want: map[string][]string{
				fqdnKeep: {ip192_0_2_1},
				fqdn:     {ip192_0_2_1, ip192_0_2_2},
			},
		},
		{
			name: "adding an existing IP and a new IP to an existing list",
			args: args{
				contextID:   contextID,
				fqdn:        fqdn,
				ipAddresses: []string{ip192_0_2_2, ip192_0_2_3},
			},
			wantContextEntry: true,
			existing: map[string]*dnsNamesToIP{
				contextID: {
					nameToIP: map[string][]string{
						fqdnKeep: {ip192_0_2_1},
						fqdn:     {ip192_0_2_1, ip192_0_2_2},
					},
				},
			},
			want: map[string][]string{
				fqdnKeep: {ip192_0_2_1},
				fqdn:     {ip192_0_2_1, ip192_0_2_2, ip192_0_2_3},
			},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			p := &Proxy{
				contextIDToDNSNames:      cache.NewCache("contextIDtoDNSNames"),
				contextIDToDNSNamesLocks: newMutexMap(),
			}
			for k, v := range tt.existing {
				p.contextIDToDNSNames.AddOrUpdate(k, v)
			}
			p.updateFQDNWithIPs(tt.args.contextID, tt.args.fqdn, tt.args.ipAddresses)

			val, err := p.contextIDToDNSNames.Get(tt.args.contextID)
			if (err == nil) != tt.wantContextEntry {
				t.Errorf("entry for context %q does not exist", tt.args.contextID)
			}
			if err == nil {
				m := val.(*dnsNamesToIP)
				if !reflect.DeepEqual(m.nameToIP, tt.want) {
					t.Errorf("want %#v, have %#v", tt.want, m.nameToIP)
				}
			}
		})
	}
}

func TestProxy_defaultRemoveExpiredEntry(t *testing.T) {
	type args struct {
		ipaddress string
	}
	type existing struct {
		pus   map[string]*pucontext.PUContext
		fqdns map[string]*dnsNamesToIP
		ips   map[string]iptottlinfo
	}
	type want struct {
		removedFromIPToTTL bool
		fqdns              map[string]*dnsNamesToIP
	}
	tests := []struct {
		name     string
		args     args
		existing existing
		want     want
	}{
		{
			name: "TTL info for IP does not exist in cache",
			args: args{ipaddress: ip192_0_2_1},
			existing: existing{
				ips: map[string]iptottlinfo{
					ip192_0_2_2: {
						contextIDs: map[string]struct{}{
							contextID: {},
						},
						fqdns: map[string]struct{}{
							fqdn:    {},
							fqdnTwo: {},
						},
					},
				},
				fqdns: map[string]*dnsNamesToIP{
					contextID: {
						nameToIP: map[string][]string{},
					},
				},
			},
			want: want{
				removedFromIPToTTL: true,
				fqdns: map[string]*dnsNamesToIP{
					contextID: {
						nameToIP: map[string][]string{},
					},
				},
			},
		},
		{
			name: "PUContext in TTL info for IP does not exist in cache",
			args: args{ipaddress: ip192_0_2_1},
			existing: existing{
				ips: map[string]iptottlinfo{
					ip192_0_2_1: {
						contextIDs: map[string]struct{}{
							contextID: {},
						},
						fqdns: map[string]struct{}{
							fqdn:    {},
							fqdnTwo: {},
						},
					},
				},
				fqdns: map[string]*dnsNamesToIP{
					contextID: {
						nameToIP: map[string][]string{},
					},
				},
				pus: map[string]*pucontext.PUContext{},
			},
			want: want{
				removedFromIPToTTL: true,
				fqdns: map[string]*dnsNamesToIP{
					contextID: {
						nameToIP: map[string][]string{},
					},
				},
			},
		},
		{
			name: "successfully remove 192_0_2_1",
			args: args{ipaddress: ip192_0_2_1},
			existing: existing{
				pus: map[string]*pucontext.PUContext{
					contextID: {
						RWMutex:         sync.RWMutex{},
						ApplicationACLs: acls.NewACLCache(),
						DNSACLs: map[string][]policy.PortProtocolPolicy{
							fqdn: {
								{
									Ports:     []string{port80},
									Protocols: []string{constants.TCPProtoNum},
									Policy: &policy.FlowPolicy{
										ServiceID: serviceID,
									},
								},
							},
						},
					},
				},
				fqdns: map[string]*dnsNamesToIP{
					contextID: {
						nameToIP: map[string][]string{
							fqdn: {ip192_0_2_1, ip192_0_2_2},
						},
					},
				},
				ips: map[string]iptottlinfo{
					ip192_0_2_1: {
						contextIDs: map[string]struct{}{
							contextID: {},
						},
						fqdns: map[string]struct{}{
							fqdn:    {},
							fqdnTwo: {},
						},
					},
				},
			},
			want: want{
				removedFromIPToTTL: true,
				fqdns: map[string]*dnsNamesToIP{
					contextID: {
						nameToIP: map[string][]string{
							fqdn: {ip192_0_2_2},
						},
					},
				},
			},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			p := &Proxy{
				puFromID:                 cache.NewCache("puFromContextID"),
				contextIDToServer:        map[string]*dns.Server{},
				contextIDToDNSNames:      cache.NewCache("contextIDtoDNSNames"),
				contextIDToDNSNamesLocks: newMutexMap(),
				IPToTTL:                  cache.NewCache("IPToTTL"),
				IPToTTLLocks:             newMutexMap(),
			}
			for k, v := range tt.existing.pus {
				p.puFromID.AddOrUpdate(k, v)
			}
			for k, v := range tt.existing.fqdns {
				p.contextIDToDNSNames.AddOrUpdate(k, v)
			}
			for k, v := range tt.existing.ips {
				p.IPToTTL.AddOrUpdate(k, v)
			}
			p.defaultRemoveExpiredEntry(tt.args.ipaddress)

			// we check to see if the entries got removed correctly
			if _, err := p.IPToTTL.Get(tt.args.ipaddress); (err != nil) != tt.want.removedFromIPToTTL {
				t.Errorf("entry exists in IPToTTL cache: %v, want.removedFromIPToTTL %v", (err != nil), tt.want.removedFromIPToTTL)
			}
			for contextID, wantFqdns := range tt.want.fqdns {
				existingFqdnsRaw, err := p.contextIDToDNSNames.Get(contextID)
				if err != nil {
					t.Errorf("no map for context %q in contextIDToDNSNames any longer", contextID)
				}
				existingFqdns := existingFqdnsRaw.(*dnsNamesToIP)
				if !reflect.DeepEqual(wantFqdns.nameToIP, existingFqdns.nameToIP) {
					t.Errorf("context %q: have fqdns %#v - want fqdns %#v", contextID, existingFqdns.nameToIP, wantFqdns.nameToIP)
				}
			}
		})
	}
}

func TestProxy_handleTTLInfoList(t *testing.T) {
	type args struct {
		contextID      string
		fqdn           string
		dnsttlinfolist []*dnsttlinfo
		updateOnly     bool
	}
	type existing struct {
		ips map[string]iptottlinfo
	}
	type want struct {
		mustFireExpiry               bool
		newEntry                     bool
		existingEntryIncreasedExpiry bool
	}
	tests := []struct {
		name     string
		args     args
		existing existing
		want     want
	}{
		{
			name: "creating new TTL info in the cache for new IP when updateOnly is false",
			args: args{
				contextID: contextID,
				fqdn:      fqdn,
				dnsttlinfolist: []*dnsttlinfo{
					{
						ipaddress: ip192_0_2_1,
						ttl:       1,
					},
				},
				updateOnly: false,
			},
			existing: existing{
				ips: map[string]iptottlinfo{},
			},
			want: want{
				mustFireExpiry: true,
				newEntry:       true,
			},
		},
		{
			name: "not creating new TTL info in the cache for new IP when updateOnly is true",
			args: args{
				contextID: contextID,
				fqdn:      fqdn,
				dnsttlinfolist: []*dnsttlinfo{
					{
						ipaddress: ip192_0_2_1,
						ttl:       1,
					},
				},
				updateOnly: true,
			},
			existing: existing{
				ips: map[string]iptottlinfo{},
			},
			want: want{
				mustFireExpiry: false,
				newEntry:       false,
			},
		},
		{
			name: "updating existing TTL info in the cache",
			args: args{
				contextID: contextID,
				fqdn:      fqdn,
				dnsttlinfolist: []*dnsttlinfo{
					{
						ipaddress: ip192_0_2_1,
						ttl:       1,
					},
				},
				updateOnly: true,
			},
			existing: existing{
				ips: map[string]iptottlinfo{
					ip192_0_2_1: {
						ipaddress:  ip192_0_2_1,
						expiryTime: time.Now(),
						contextIDs: map[string]struct{}{},
						fqdns:      map[string]struct{}{},
					},
				},
			},
			want: want{
				mustFireExpiry:               true,
				existingEntryIncreasedExpiry: true,
			},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			p := &Proxy{
				puFromID:                 cache.NewCache("puFromContextID"),
				contextIDToServer:        map[string]*dns.Server{},
				contextIDToDNSNames:      cache.NewCache("contextIDtoDNSNames"),
				contextIDToDNSNamesLocks: newMutexMap(),
				IPToTTL:                  cache.NewCache("IPToTTL"),
				IPToTTLLocks:             newMutexMap(),
			}

			// exercises the expiry trigger
			var wg sync.WaitGroup
			if tt.want.mustFireExpiry {
				wg.Add(1)
			}
			p.removeExpiredEntry = func(ipaddress string) {
				// this is just to exercise the expiry trigger
				t.Logf("removeExpiredEntry %q", ipaddress)
				wg.Done()
			}

			for k, v := range tt.existing.ips {
				// TODO: this is awful, not sure how to better mock this at this point
				v.timer = time.AfterFunc(time.Second, func() {
					if p.removeExpiredEntry != nil {
						p.removeExpiredEntry(k)
					}
				})
				p.IPToTTL.AddOrUpdate(k, v)
			}
			p.handleTTLInfoList(tt.args.contextID, tt.args.fqdn, tt.args.dnsttlinfolist, tt.args.updateOnly)
			wg.Wait()

			if tt.want.newEntry {
				for _, i := range tt.args.dnsttlinfolist {
					if _, err := p.IPToTTL.Get(i.ipaddress); err != nil {
						t.Errorf("no new entry for IP %q", i.ipaddress)
					}
				}
			}

			if tt.want.existingEntryIncreasedExpiry {
				for _, i := range tt.args.dnsttlinfolist {
					iptottlExisting, ok := tt.existing.ips[i.ipaddress]
					if !ok {
						t.Errorf("not in the existing map %q", i.ipaddress)
					}
					iptottlRaw, err := p.IPToTTL.Get(i.ipaddress)
					if err != nil {
						t.Errorf("no entry for IP %q", i.ipaddress)
					}
					iptottlUpdated := iptottlRaw.(iptottlinfo)

					if !iptottlUpdated.expiryTime.After(iptottlExisting.expiryTime) {
						t.Errorf("expiry time not updated")
					}
				}
			}
		})
	}
}

func TestProxy_Enforce(t *testing.T) {
	type args struct {
		contextID string
		puInfo    *policy.PUInfo
	}
	type existing struct {
		fqdns map[string]*dnsNamesToIP
		pus   map[string]*pucontext.PUContext
	}
	type want struct {
		fqdns map[string]*dnsNamesToIP
	}
	tests := []struct {
		name     string
		args     args
		existing existing
		want     want
		wantErr  bool
	}{
		{
			name: "if this is the first enforce call on a PU, simply initialize the data structures, with FQDNs from policy",
			args: args{
				contextID: contextID,
				puInfo: &policy.PUInfo{
					Runtime:   nil,
					ContextID: contextID,
					Policy: &policy.PUPolicy{
						DNSACLs: map[string][]policy.PortProtocolPolicy{
							fqdn: {
								{
									Ports:     []string{port80},
									Protocols: []string{constants.TCPProtoNum},
									Policy: &policy.FlowPolicy{
										ServiceID: serviceID,
									},
								},
							},
							fqdnTwo: {
								{
									Ports:     []string{port80},
									Protocols: []string{constants.TCPProtoNum},
									Policy: &policy.FlowPolicy{
										ServiceID: serviceID,
									},
								},
							},
						},
					},
				},
			},
			existing: existing{
				fqdns: map[string]*dnsNamesToIP{},
				pus:   map[string]*pucontext.PUContext{},
			},
			want: want{
				fqdns: map[string]*dnsNamesToIP{
					contextID: {
						nameToIP: map[string][]string{
							fqdn:    {},
							fqdnTwo: {},
						},
					},
				},
			},
		},
		{
			name: "new FQDNs from a policy simply register with the DNS proxy",
			args: args{
				contextID: contextID,
				puInfo: &policy.PUInfo{
					Runtime:   nil,
					ContextID: contextID,
					Policy: &policy.PUPolicy{
						DNSACLs: map[string][]policy.PortProtocolPolicy{
							fqdn: {
								{
									Ports:     []string{port80},
									Protocols: []string{constants.TCPProtoNum},
									Policy: &policy.FlowPolicy{
										ServiceID: serviceID,
									},
								},
							},
							fqdnTwo: {
								{
									Ports:     []string{port80},
									Protocols: []string{constants.TCPProtoNum},
									Policy: &policy.FlowPolicy{
										ServiceID: serviceID,
									},
								},
							},
						},
					},
				},
			},
			existing: existing{
				fqdns: map[string]*dnsNamesToIP{
					contextID: {
						nameToIP: map[string][]string{},
					},
				},
				pus: map[string]*pucontext.PUContext{},
			},
			want: want{
				fqdns: map[string]*dnsNamesToIP{
					contextID: {
						nameToIP: map[string][]string{
							fqdn:    {},
							fqdnTwo: {},
						},
					},
				},
			},
		},
		{
			name: "existing FQDNs update ipsets and ApplicationACLs",
			args: args{
				contextID: contextID,
				puInfo: &policy.PUInfo{
					Runtime:   nil,
					ContextID: contextID,
					Policy: &policy.PUPolicy{
						DNSACLs: map[string][]policy.PortProtocolPolicy{
							fqdn: {
								{
									Ports:     []string{port80},
									Protocols: []string{constants.TCPProtoNum},
									Policy: &policy.FlowPolicy{
										ServiceID: serviceID,
									},
								},
							},
							fqdnTwo: {
								{
									Ports:     []string{port80},
									Protocols: []string{constants.TCPProtoNum},
									Policy: &policy.FlowPolicy{
										ServiceID: serviceID,
									},
								},
							},
						},
					},
				},
			},
			existing: existing{
				fqdns: map[string]*dnsNamesToIP{
					contextID: {
						nameToIP: map[string][]string{
							fqdn:    {ip192_0_2_1},
							fqdnTwo: {ip192_0_2_2},
						},
					},
				},
				pus: map[string]*pucontext.PUContext{
					contextID: {
						RWMutex:         sync.RWMutex{},
						ApplicationACLs: acls.NewACLCache(),
						DNSACLs: map[string][]policy.PortProtocolPolicy{
							fqdn: {
								{
									Ports:     []string{port80},
									Protocols: []string{constants.TCPProtoNum},
									Policy: &policy.FlowPolicy{
										ServiceID: serviceID,
									},
								},
							},
						},
					},
				},
			},
			want: want{
				fqdns: map[string]*dnsNamesToIP{
					contextID: {
						nameToIP: map[string][]string{
							fqdn:    {ip192_0_2_1},
							fqdnTwo: {ip192_0_2_2},
						},
					},
				},
			},
		},
		{
			name: "existing FQDNs do not update ipsets and ApplicationACLs if PU context does not exist",
			args: args{
				contextID: contextID,
				puInfo: &policy.PUInfo{
					Runtime:   nil,
					ContextID: contextID,
					Policy: &policy.PUPolicy{
						DNSACLs: map[string][]policy.PortProtocolPolicy{
							fqdn: {
								{
									Ports:     []string{port80},
									Protocols: []string{constants.TCPProtoNum},
									Policy: &policy.FlowPolicy{
										ServiceID: serviceID,
									},
								},
							},
							fqdnTwo: {
								{
									Ports:     []string{port80},
									Protocols: []string{constants.TCPProtoNum},
									Policy: &policy.FlowPolicy{
										ServiceID: serviceID,
									},
								},
							},
						},
					},
				},
			},
			existing: existing{
				fqdns: map[string]*dnsNamesToIP{
					contextID: {
						nameToIP: map[string][]string{
							fqdn:    {ip192_0_2_1},
							fqdnTwo: {ip192_0_2_2},
						},
					},
				},
				pus: map[string]*pucontext.PUContext{},
			},
			want: want{
				fqdns: map[string]*dnsNamesToIP{
					contextID: {
						nameToIP: map[string][]string{
							fqdn:    {ip192_0_2_1},
							fqdnTwo: {ip192_0_2_2},
						},
					},
				},
			},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			ctx, cancel := context.WithCancel(context.Background())
			defer cancel()
			p := &Proxy{
				puFromID:                 cache.NewCache("puFromContextID"),
				contextIDToServer:        map[string]*dns.Server{},
				contextIDToDNSNames:      cache.NewCache("contextIDtoDNSNames"),
				contextIDToDNSNamesLocks: newMutexMap(),
			}
			for k, v := range tt.existing.fqdns {
				p.contextIDToDNSNames.AddOrUpdate(k, v)
			}
			for k, v := range tt.existing.pus {
				p.puFromID.AddOrUpdate(k, v)
			}
			if err := p.Enforce(ctx, tt.args.contextID, tt.args.puInfo); (err != nil) != tt.wantErr {
				t.Errorf("Proxy.Enforce() error = %v, wantErr %v", err, tt.wantErr)
			}
			for contextID, wantFqdns := range tt.want.fqdns {
				existingFqdnsRaw, err := p.contextIDToDNSNames.Get(contextID)
				if err != nil {
					t.Errorf("no map for context %q in contextIDToDNSNames any longer", contextID)
				}
				existingFqdns := existingFqdnsRaw.(*dnsNamesToIP)
				if !reflect.DeepEqual(wantFqdns.nameToIP, existingFqdns.nameToIP) {
					t.Errorf("context %q: have fqdns %#v - want fqdns %#v", contextID, existingFqdns.nameToIP, wantFqdns.nameToIP)
				}
			}
		})
	}
}


================================================
FILE: controller/internal/enforcer/dnsproxy/dns_report.go
================================================
// +build linux windows

package dnsproxy

import (
	"context"
	"fmt"
	"net"
	"time"

	"go.aporeto.io/enforcerd/trireme-lib/collector"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/pucontext"
)

var (
	waitTimeBeforeReport = 5 * time.Minute
)

type dnsReport struct {
	key        string
	contextID  string
	nameLookup string
	error      string
	source     collector.EndPoint
	dest       collector.EndPoint
	namespace  string
	ips        []string
}

func (p *Proxy) sendToCollector(report dnsReport, count int) {
	r := &collector.DNSRequestReport{
		ContextID:   report.contextID,
		NameLookup:  report.nameLookup,
		Source:      &report.source,
		Destination: &report.dest,
		Namespace:   report.namespace,
		Error:       report.error,
		Count:       count,
		Ts:          time.Now(),
		IPs:         report.ips,
	}
	p.collector.CollectDNSRequests(r)
}

func (p *Proxy) reportDNSRequests(ctx context.Context, chreport chan dnsReport) {
	dnsReports := map[string]int{}
	sendReport := make(chan dnsReport)
	deleteReport := make(chan dnsReport)

	for {
		select {
		case r := <-chreport:
			dnsReports[r.key]++
			switch dnsReports[r.key] {
			case 1:
				// dispatch immediately
				p.sendToCollector(r, 1)
				go func(r dnsReport) {
					<-time.After(waitTimeBeforeReport)
					deleteReport <- r
				}(r)
			case 2:
				go func(r dnsReport) {
					<-time.After(waitTimeBeforeReport)
					sendReport <- r
				}(r)
			}
		case r := <-sendReport:
			p.sendToCollector(r, dnsReports[r.key]-1)
			delete(dnsReports, r.key)
		case r := <-deleteReport:
			if dnsReports[r.key] == 1 {
				delete(dnsReports, r.key)
			}
		case <-ctx.Done():
			return
		}
	}
}

func (p *Proxy) reportDNSLookup(name string, pucontext *pucontext.PUContext, srcIP net.IP, srcPort uint16, dnsIP net.IP, dnsPort uint16, ips []string, err string) {
	p.chreports <- dnsReport{
		contextID:  pucontext.ID(),
		nameLookup: name,
		error:      err,
		namespace:  pucontext.ManagementNamespace(),
		source: collector.EndPoint{
			IP:   srcIP.String(),
			Port: srcPort,
			ID:   pucontext.ManagementID(),
			Type: collector.EndPointTypePU,
		},
		dest: collector.EndPoint{
			IP:   dnsIP.String(),
			Port: dnsPort,
			ID:   pucontext.ManagementID(),
			Type: collector.EndPointTypePU,
		},
		ips: ips,
		key: fmt.Sprintf("%s:%s:%s:%s:%s:%s", pucontext.ID(), name, err, pucontext.ManagementNamespace(), srcIP.String(), pucontext.ManagementID()),
	}
}


================================================
FILE: controller/internal/enforcer/dnsproxy/dns_test.go
================================================
// +build linux

package dnsproxy

import (
	"context"
	"net"
	"sync"
	"testing"
	"time"

	"github.com/magiconair/properties/assert"
	"go.aporeto.io/trireme-lib/collector"
	provider "go.aporeto.io/trireme-lib/controller/pkg/aclprovider"
	"go.aporeto.io/trireme-lib/controller/pkg/ipsetmanager"
	"go.aporeto.io/trireme-lib/controller/pkg/pucontext"
	"go.aporeto.io/trireme-lib/policy"
	"go.aporeto.io/trireme-lib/utils/cache"
)

type flowClientDummy struct {
}

func (c *flowClientDummy) Close() error {
	return nil
}

func (c *flowClientDummy) UpdateMark(ipSrc, ipDst net.IP, protonum uint8, srcport, dstport uint16, newmark uint32, network bool) error {
	return nil
}

func (c *flowClientDummy) UpdateNetworkFlowMark(ipSrc, ipDst net.IP, protonum uint8, srcport, dstport uint16, newmark uint32) error {
	return nil
}

func (c *flowClientDummy) UpdateApplicationFlowMark(ipSrc, ipDst net.IP, protonum uint8, srcport, dstport uint16, newmark uint32) error {
	return nil
}

func (c *flowClientDummy) GetOriginalDest(ipSrc, ipDst net.IP, srcport, dstport uint16, protonum uint8) (net.IP, uint16, uint32, error) {
	return net.ParseIP("8.8.8.8"), 53, 100, nil
}

func addDNSNamePolicy(context *pucontext.PUContext) {
	context.DNSACLs = policy.DNSRuleList{
		"www.google.com": []policy.PortProtocolPolicy{
			{Ports: []string{"80"},
				Protocols: []string{"tcp"},
				Policy: &policy.FlowPolicy{
					Action:   policy.Accept,
					PolicyID: "2",
				}},
		},
	}
}

func CustomDialer(ctx context.Context, network, address string) (net.Conn, error) {
	d := net.Dialer{}
	return d.DialContext(ctx, "udp", "127.0.0.1:53001")
}

func createCustomResolver() *net.Resolver {
	r := &net.Resolver{
		PreferGo: true,
		Dial:     CustomDialer,
	}

	return r
}

// DNSCollector implements a default collector infrastructure to syslog
type DNSCollector struct{}

// CollectFlowEvent is part of the EventCollector interface.
func (d *DNSCollector) CollectFlowEvent(record *collector.FlowRecord) {}

// CollectContainerEvent is part of the EventCollector interface.
func (d *DNSCollector) CollectContainerEvent(record *collector.ContainerRecord) {}

// CollectUserEvent is part of the EventCollector interface.
func (d *DNSCollector) CollectUserEvent(record *collector.UserRecord) {}

// CollectTraceEvent collects iptables trace events
func (d *DNSCollector) CollectTraceEvent(records []string) {}

// CollectPingEvent collects ping events
func (d *DNSCollector) CollectPingEvent(report *collector.PingReport) {}

// CollectPacketEvent collects packet events from the datapath
func (d *DNSCollector) CollectPacketEvent(report *collector.PacketReport) {}

// CollectCounterEvent collect counters from the datapath
func (d *DNSCollector) CollectCounterEvent(report *collector.CounterReport) {}

var r collector.DNSRequestReport
var l sync.Mutex

// CollectDNSRequests collect counters from the datapath
func (d *DNSCollector) CollectDNSRequests(report *collector.DNSRequestReport) {
	l.Lock()
	r = *report
	l.Unlock()
}

func TestDNS(t *testing.T) {
	puIDcache := cache.NewCache("puFromContextID")

	fp := &policy.PUInfo{
		Runtime: policy.NewPURuntimeWithDefaults(),
		Policy:  policy.NewPUPolicyWithDefaults(),
	}
	pu, _ := pucontext.NewPU("pu1", fp, 24*time.Hour) // nolint

	addDNSNamePolicy(pu)

	puIDcache.AddOrUpdate("pu1", pu)
	conntrack := &flowClientDummy{}
	collector := &DNSCollector{}

	ips := provider.NewTestIpsetProvider()
	proxy := New(puIDcache, conntrack, collector, ipsetmanager.CreateIPsetManager(ips, ips))

	err := proxy.StartDNSServer("pu1", "53001")
	assert.Equal(t, err == nil, true, "start dns server")

	resolver := createCustomResolver()
	ctx := context.Background()
	waitTimeBeforeReport = 3 * time.Second
	resolver.LookupIPAddr(ctx, "www.google.com") //nolint
	resolver.LookupIPAddr(ctx, "www.google.com") //nolint

	assert.Equal(t, err == nil, true, "err should be nil")

	time.Sleep(5 * time.Second)
	l.Lock()
	assert.Equal(t, r.NameLookup == "www.google.com.", true, "lookup should be www.google.com")
	assert.Equal(t, r.Count >= 2 && r.Count <= 10, true, "count should be 2")
	l.Unlock()
	proxy.ShutdownDNS("pu1")
}


================================================
FILE: controller/internal/enforcer/dnsproxy/dns_unsupported.go
================================================
// +build !linux,!windows

package dnsproxy

import (
	"context"
	"net"

	"go.aporeto.io/enforcerd/trireme-lib/collector"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/flowtracking"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/pucontext"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
	"go.aporeto.io/enforcerd/trireme-lib/utils/cache"
)

// Proxy struct represents the object for dns proxy
type Proxy struct {
}

// New creates an instance of the dns proxy
func New(ctx context.Context, puFromID cache.DataStore, conntrack flowtracking.FlowClient, c collector.EventCollector) *Proxy {
	return &Proxy{}
}

// ShutdownDNS shuts down the dns server for contextID
func (p *Proxy) ShutdownDNS(contextID string) {

}

// StartDNSServer starts the dns server on the port provided for contextID
func (p *Proxy) StartDNSServer(ctx context.Context, contextID, port string) error {
	return nil
}

// SyncWithPlatformCache is only needed in Windows currently
func (p *Proxy) SyncWithPlatformCache(ctx context.Context, pctx *pucontext.PUContext) error {
	return nil
}

// HandleDNSResponsePacket is only needed in Windows currently
func (p *Proxy) HandleDNSResponsePacket(dnsPacketData []byte, sourceIP net.IP, sourcePort uint16, destIP net.IP, destPort uint16, puFromContextID func(string) (*pucontext.PUContext, error)) error {
	return nil
}

// Enforce starts enforcing policies for the given policy.PUInfo.
func (p *Proxy) Enforce(ctx context.Context, contextID string, puInfo *policy.PUInfo) error {
	return nil
}

// Unenforce stops enforcing policy for the given IP.
func (p *Proxy) Unenforce(_ context.Context, contextID string) error {
	return nil
}


================================================
FILE: controller/internal/enforcer/dnsproxy/dns_windows.go
================================================
// +build windows

package dnsproxy

import (
	"context"
	"errors"
	"net"
	"sync"
	"syscall"

	"github.com/miekg/dns"
	"go.aporeto.io/enforcerd/trireme-lib/collector"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/flowtracking"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/ipsetmanager"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/pucontext"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
	"go.aporeto.io/enforcerd/trireme-lib/utils/cache"
	"go.uber.org/zap"
)

var clearWindowsDNSCacheFunc = clearWindowsDNSCache

// Proxy struct represents the object for dns proxy
type Proxy struct {
	puFromID   cache.DataStore
	collector  collector.EventCollector
	contextIDs map[string]struct{}
	chreports  chan dnsReport
	sync.RWMutex
}

// New creates an instance of the dns proxy
func New(ctx context.Context, puFromID cache.DataStore, conntrack flowtracking.FlowClient, c collector.EventCollector) *Proxy {
	ch := make(chan dnsReport)
	p := &Proxy{chreports: ch, puFromID: puFromID, collector: c, contextIDs: make(map[string]struct{})}
	go p.reportDNSRequests(ctx, ch)
	return p
}

// StartDNSServer starts the dns server on the port provided for contextID
func (p *Proxy) StartDNSServer(ctx context.Context, contextID, port string) error {
	p.Lock()
	defer p.Unlock()
	p.contextIDs[contextID] = struct{}{}
	return nil
}

// ShutdownDNS shuts down the dns server for contextID
func (p *Proxy) ShutdownDNS(contextID string) {
	p.Lock()
	defer p.Unlock()
	delete(p.contextIDs, contextID)
}

// SyncWithPlatformCache is called on policy change.
// Clear the Windows DNS cache in order to guarantee proxying.
func (p *Proxy) SyncWithPlatformCache(ctx context.Context, pctx *pucontext.PUContext) error {

	if pctx.UsesFQDN() {
		return clearWindowsDNSCacheFunc()
	}
	return nil
}

// HandleDNSResponsePacket parses the DNS response and forwards the information to each PU based on policy
func (p *Proxy) HandleDNSResponsePacket(dnsPacketData []byte, sourceIP net.IP, sourcePort uint16, destIP net.IP, destPort uint16, puFromContextID func(string) (*pucontext.PUContext, error)) error {

	// parse dns
	msg := &dns.Msg{}
	err := msg.Unpack(dnsPacketData)
	if err != nil {
		return err
	}

	// Make sure we have a question
	if len(msg.Question) <= 0 {
		return nil
	}

	var ips []string
	for _, ans := range msg.Answer {
		if ans.Header().Rrtype == dns.TypeA {
			t, _ := ans.(*dns.A)
			ips = append(ips, t.A.String())
		}

		if ans.Header().Rrtype == dns.TypeAAAA {
			t, _ := ans.(*dns.AAAA)
			ips = append(ips, t.AAAA.String())
		}
	}

	// let each pu handle it
	pus := make([]*pucontext.PUContext, 0, len(p.contextIDs))
	p.Lock()
	for id := range p.contextIDs {
		puCtx, err := puFromContextID(id)
		if err != nil {
			zap.L().Error("dnsproxy: DNS Proxy failed to get PUContext", zap.Error(err))
			continue
		}
		pus = append(pus, puCtx)
	}
	p.Unlock()

	for _, puCtx := range pus {
		ppps, _, err := puCtx.GetPolicyFromFQDN(msg.Question[0].Name)
		if err == nil {
			for _, ppp := range ppps {
				ipsetmanager.V4().UpdateACLIPsets(ips, ppp.Policy.ServiceID)
				ipsetmanager.V6().UpdateACLIPsets(ips, ppp.Policy.ServiceID)
				if err = puCtx.UpdateApplicationACLs(policy.IPRuleList{{Addresses: ips,
					Ports:     ppp.Ports,
					Protocols: ppp.Protocols,
					Policy:    ppp.Policy,
				}}); err != nil {
					zap.L().Error("dnsproxy: adding IP rule returned error", zap.Error(err))
				}
			}
		}

		// source and destination is swapped because we are looking at response packet
		p.reportDNSLookup(msg.Question[0].Name, puCtx, destIP, destPort, sourceIP, sourcePort, ips, "")

		configureDependentServices(puCtx, msg.Question[0].Name, ips)
	}

	return nil
}

func clearWindowsDNSCache() error {
	dnsAPIDll := syscall.NewLazyDLL("dnsapi.dll")
	flushDNSCacheProc := dnsAPIDll.NewProc("DnsFlushResolverCache")
	ret, _, err := flushDNSCacheProc.Call()
	if err != syscall.Errno(0) {
		return err
	}
	if ret == 0 {
		return errors.New("DnsFlushResolverCache failed")
	}
	return nil
}

// Enforce starts enforcing policies for the given policy.PUInfo.
func (p *Proxy) Enforce(ctx context.Context, contextID string, puInfo *policy.PUInfo) error {
	return nil
}

// Unenforce stops enforcing policy for the given IP.
func (p *Proxy) Unenforce(_ context.Context, contextID string) error {
	return nil
}


================================================
FILE: controller/internal/enforcer/dnsproxy/dns_windows_test.go
================================================
// +build windows

package dnsproxy

import (
	"context"
	"encoding/hex"
	"errors"
	"net"
	"sync"
	"testing"
	"time"

	"github.com/magiconair/properties/assert"
	"go.aporeto.io/enforcerd/trireme-lib/collector"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/ipsetmanager"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packet"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/pucontext"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
	"go.aporeto.io/enforcerd/trireme-lib/utils/cache"
)

func addDNSNamePolicy(context *pucontext.PUContext) {
	context.DNSACLs = policy.DNSRuleList{
		"google.com.": []policy.PortProtocolPolicy{
			{Ports: []string{"80"},
				Protocols: []string{"6"},
				Policy: &policy.FlowPolicy{
					Action:   policy.Accept,
					PolicyID: "2",
				}},
		},
	}
}

// DNSCollector implements a default collector infrastructure to syslog
type DNSCollector struct{}

// CollectFlowEvent is part of the EventCollector interface.
func (d *DNSCollector) CollectFlowEvent(record *collector.FlowRecord) {}

// CollectContainerEvent is part of the EventCollector interface.
func (d *DNSCollector) CollectContainerEvent(record *collector.ContainerRecord) {}

// CollectUserEvent is part of the EventCollector interface.
func (d *DNSCollector) CollectUserEvent(record *collector.UserRecord) {}

// CollectTraceEvent collects iptables trace events
func (d *DNSCollector) CollectTraceEvent(records []string) {}

// CollectPacketEvent collects packet events from the datapath
func (d *DNSCollector) CollectPacketEvent(report *collector.PacketReport) {}

// CollectCounterEvent collect counters from the datapath
func (d *DNSCollector) CollectCounterEvent(report *collector.CounterReport) {}

// CollectPingEvent collects ping events from the datapath
func (d *DNSCollector) CollectPingEvent(report *collector.PingReport) {}

// CollectConnectionExceptionReport collects the connection exception report
func (d *DNSCollector) CollectConnectionExceptionReport(_ *collector.ConnectionExceptionReport) {}

var r collector.DNSRequestReport
var l sync.Mutex

// CollectDNSRequests collect counters from the datapath
func (d *DNSCollector) CollectDNSRequests(report *collector.DNSRequestReport) {
	l.Lock()
	r = *report
	l.Unlock()
}

const (
	dnsResponseHex1 = "45200048d22f00006a11ad8f08080808c0a8000e0035e7560034385a00088180000100010000000006676f6f676c6503636f6d0000010001c00c000100010000009d0004acd90d0e"
	dnsResponseHex2 = "45200054eb6700006a11944b08080808c0a8000e0035e7570040863400098180000100010000000006676f6f676c6503636f6d00001c0001c00c001c00010000012b00102607f8b040020c030000000000000066"
)

func TestDNS(t *testing.T) {
	puIDcache := cache.NewCache("puFromContextID")

	dnsResponsePacket1, _ := hex.DecodeString(dnsResponseHex1)
	dnsResponsePacket2, _ := hex.DecodeString(dnsResponseHex2)

	parsedPacket1, _ := packet.New(uint64(packet.PacketTypeNetwork), dnsResponsePacket1, "83", true)
	parsedPacket2, _ := packet.New(uint64(packet.PacketTypeNetwork), dnsResponsePacket2, "83", true)

	fp := &policy.PUInfo{
		Runtime: policy.NewPURuntimeWithDefaults(),
		Policy:  policy.NewPUPolicyWithDefaults(),
	}
	pu, _ := pucontext.NewPU("pu1", fp, nil, 24*time.Hour) // nolint

	findPU := func(id string) (*pucontext.PUContext, error) {
		if id == "pu1" {
			return pu, nil
		}
		return nil, errors.New("unknown PU")
	}

	addDNSNamePolicy(pu)

	puIDcache.AddOrUpdate("pu1", pu)
	collector := &DNSCollector{}

	ips := ipsetmanager.NewTestIpsetProvider()
	ipsetmanager.SetIpsetTestInstance(ips)
	proxy := New(context.Background(), puIDcache, nil, collector)

	err := proxy.StartDNSServer(context.Background(), "pu1", "53001")
	assert.Equal(t, err == nil, true, "start dns server")

	err = proxy.HandleDNSResponsePacket(parsedPacket1.GetUDPData(), parsedPacket1.SourceAddress(), parsedPacket1.SourcePort(), parsedPacket1.DestinationAddress(), parsedPacket1.DestPort(), findPU)
	assert.Equal(t, err == nil, true, "dns packet 1 failed")

	err = proxy.HandleDNSResponsePacket(parsedPacket2.GetUDPData(), parsedPacket2.SourceAddress(), parsedPacket2.SourcePort(), parsedPacket2.DestinationAddress(), parsedPacket2.DestPort(), findPU)
	assert.Equal(t, err == nil, true, "dns packet 2 failed")

	// wait a sec for report delivered via channel, and then expect one report since the next will be time-delayed
	time.Sleep(1 * time.Second)
	l.Lock()
	assert.Equal(t, r.NameLookup == "google.com.", true, "lookup should be google.com")
	assert.Equal(t, r.Count == 1, true, "count should be 1")
	l.Unlock()

	defaultFlowPolicy := &policy.FlowPolicy{Action: policy.Reject | policy.Log, PolicyID: "default", ServiceID: "default"}

	// test acls updated
	rpt, pkt, err := pu.ApplicationACLs.GetMatchingAction(net.ParseIP("172.217.13.14"), 80, packet.IPProtocolTCP, defaultFlowPolicy)
	assert.Equal(t, err == nil, true, "GetMatchingAction failed")
	assert.Equal(t, rpt.Action.Accepted(), true, "should be accepted (report)")
	assert.Equal(t, pkt.Action.Accepted(), true, "should be accepted (packet)")
	rpt, pkt, err = pu.ApplicationACLs.GetMatchingAction(net.ParseIP("2607:f8b0:4002:c03::66"), 80, packet.IPProtocolTCP, defaultFlowPolicy)
	assert.Equal(t, err == nil, true, "GetMatchingAction failed")
	assert.Equal(t, rpt.Action.Accepted(), true, "should be accepted (report)")
	assert.Equal(t, pkt.Action.Accepted(), true, "should be accepted (packet)")

	// test SyncWithPlatformCache
	clearWindowsDNSCacheFunc = func() error {
		return errors.New("error from unit test")
	}
	defer func() {
		clearWindowsDNSCacheFunc = clearWindowsDNSCache
	}()
	err = proxy.SyncWithPlatformCache(context.Background(), pu)
	assert.Equal(t, err != nil, true, "clearWindowsDNSCache not called with DNSACLs present")
	assert.Matches(t, err.Error(), "error from unit test")
	pu.DNSACLs = policy.DNSRuleList{}
	err = proxy.SyncWithPlatformCache(context.Background(), pu)
	assert.Equal(t, err == nil, true, "clearWindowsDNSCache called without DNSACLs present")

	proxy.ShutdownDNS("pu1")
}


================================================
FILE: controller/internal/enforcer/dnsproxy/dnsproxy.go
================================================
package dnsproxy

import (
	"context"
	"net"

	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/pucontext"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
)

// DNSProxy defines an interface that trireme uses for Dns Proxy
type DNSProxy interface {

	// StartDNSServer starts the dns server on the port provided for contextID
	StartDNSServer(ctx context.Context, contextID, port string) error

	// Enforce starts enforcing policies for the given policy.PUInfo.
	Enforce(ctx context.Context, contextID string, puInfo *policy.PUInfo) error

	// Unenforce stops enforcing policy for the given IP.
	Unenforce(ctx context.Context, contextID string) error

	// SyncWithPlatformCache is only needed in Windows
	SyncWithPlatformCache(ctx context.Context, pctx *pucontext.PUContext) error

	// HandleDNSResponsePacket is only needed in Windows
	HandleDNSResponsePacket(dnsPacketData []byte, sourceIP net.IP, sourcePort uint16, destIP net.IP, destPort uint16, puFromContextID func(string) (*pucontext.PUContext, error)) error
}


================================================
FILE: controller/internal/enforcer/dnsproxy/mockdnsproxy/mockdnsproxy.go
================================================
// Code generated by MockGen. DO NOT EDIT.
// Source: controller/internal/enforcer/dnsproxy/dnsproxy.go

// Package mockdnsproxy is a generated GoMock package.
package mockdnsproxy

import (
	context "context"
	net "net"
	reflect "reflect"

	gomock "github.com/golang/mock/gomock"
	pucontext "go.aporeto.io/enforcerd/trireme-lib/controller/pkg/pucontext"
	policy "go.aporeto.io/enforcerd/trireme-lib/policy"
)

// MockDNSProxy is a mock of DNSProxy interface
// nolint
type MockDNSProxy struct {
	ctrl     *gomock.Controller
	recorder *MockDNSProxyMockRecorder
}

// MockDNSProxyMockRecorder is the mock recorder for MockDNSProxy
// nolint
type MockDNSProxyMockRecorder struct {
	mock *MockDNSProxy
}

// NewMockDNSProxy creates a new mock instance
// nolint
func NewMockDNSProxy(ctrl *gomock.Controller) *MockDNSProxy {
	mock := &MockDNSProxy{ctrl: ctrl}
	mock.recorder = &MockDNSProxyMockRecorder{mock}
	return mock
}

// EXPECT returns an object that allows the caller to indicate expected use
// nolint
func (m *MockDNSProxy) EXPECT() *MockDNSProxyMockRecorder {
	return m.recorder
}

// StartDNSServer mocks base method
// nolint
func (m *MockDNSProxy) StartDNSServer(ctx context.Context, contextID, port string) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "StartDNSServer", ctx, contextID, port)
	ret0, _ := ret[0].(error)
	return ret0
}

// StartDNSServer indicates an expected call of StartDNSServer
// nolint
func (mr *MockDNSProxyMockRecorder) StartDNSServer(ctx, contextID, port interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "StartDNSServer", reflect.TypeOf((*MockDNSProxy)(nil).StartDNSServer), ctx, contextID, port)
}

// Enforce mocks base method
// nolint
func (m *MockDNSProxy) Enforce(ctx context.Context, contextID string, puInfo *policy.PUInfo) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "Enforce", ctx, contextID, puInfo)
	ret0, _ := ret[0].(error)
	return ret0
}

// Enforce indicates an expected call of Enforce
// nolint
func (mr *MockDNSProxyMockRecorder) Enforce(ctx, contextID, puInfo interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Enforce", reflect.TypeOf((*MockDNSProxy)(nil).Enforce), ctx, contextID, puInfo)
}

// Unenforce mocks base method
// nolint
func (m *MockDNSProxy) Unenforce(ctx context.Context, contextID string) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "Unenforce", ctx, contextID)
	ret0, _ := ret[0].(error)
	return ret0
}

// Unenforce indicates an expected call of Unenforce
// nolint
func (mr *MockDNSProxyMockRecorder) Unenforce(ctx, contextID interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Unenforce", reflect.TypeOf((*MockDNSProxy)(nil).Unenforce), ctx, contextID)
}

// SyncWithPlatformCache mocks base method
// nolint
func (m *MockDNSProxy) SyncWithPlatformCache(ctx context.Context, pctx *pucontext.PUContext) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "SyncWithPlatformCache", ctx, pctx)
	ret0, _ := ret[0].(error)
	return ret0
}

// SyncWithPlatformCache indicates an expected call of SyncWithPlatformCache
// nolint
func (mr *MockDNSProxyMockRecorder) SyncWithPlatformCache(ctx, pctx interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SyncWithPlatformCache", reflect.TypeOf((*MockDNSProxy)(nil).SyncWithPlatformCache), ctx, pctx)
}

// HandleDNSResponsePacket mocks base method
// nolint
func (m *MockDNSProxy) HandleDNSResponsePacket(dnsPacketData []byte, sourceIP net.IP, sourcePort uint16, destIP net.IP, destPort uint16, puFromContextID func(string) (*pucontext.PUContext, error)) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "HandleDNSResponsePacket", dnsPacketData, sourceIP, sourcePort, destIP, destPort, puFromContextID)
	ret0, _ := ret[0].(error)
	return ret0
}

// HandleDNSResponsePacket indicates an expected call of HandleDNSResponsePacket
// nolint
func (mr *MockDNSProxyMockRecorder) HandleDNSResponsePacket(dnsPacketData, sourceIP, sourcePort, destIP, destPort, puFromContextID interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "HandleDNSResponsePacket", reflect.TypeOf((*MockDNSProxy)(nil).HandleDNSResponsePacket), dnsPacketData, sourceIP, sourcePort, destIP, destPort, puFromContextID)
}


================================================
FILE: controller/internal/enforcer/dnsproxy/mutex_map.go
================================================
package dnsproxy

import (
	"sync"
)

// mutexMap
type mutexMap struct {
	// as the mutex map has a map of its own
	// we also need to lock access to this map
	l sync.Mutex
	m map[string]*sync.Mutex
}

// unlocker defines the Unlock mechanism which is returned by the Lock method
type unlocker interface {
	// Unlock releases the lock
	Unlock()
}

// newMutexMap initializes a new map of strings which provide a mutex
func newMutexMap() *mutexMap {
	return &mutexMap{m: map[string]*sync.Mutex{}}
}

// Remove removes an entry from the mutex map
func (m *mutexMap) Remove(entry string) {
	m.l.Lock()
	defer m.l.Unlock()
	delete(m.m, entry)
}

// Lock will gain a lock on `entry`. The caller must call `Unlock` on the returned unlocker when done.
func (m *mutexMap) Lock(entry string) unlocker {
	m.l.Lock()
	e, ok := m.m[entry]
	if !ok {
		m.m[entry] = &sync.Mutex{}
		e = m.m[entry]
	}
	m.l.Unlock()
	e.Lock()
	return e
}


================================================
FILE: controller/internal/enforcer/enforcer.go
================================================
package enforcer

import (
	"context"
	"fmt"
	"time"

	"github.com/blang/semver"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/envoyauthorizer"
	"go.aporeto.io/gaia"

	"go.aporeto.io/enforcerd/trireme-lib/collector"
	"go.aporeto.io/enforcerd/trireme-lib/common"
	"go.aporeto.io/enforcerd/trireme-lib/controller/constants"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/applicationproxy"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/nfqdatapath"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/nfqdatapath/tokenaccessor"

	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/utils/ephemeralkeys"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/ebpf"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/fqconfig"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packettracing"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/secrets"
	"go.aporeto.io/enforcerd/trireme-lib/controller/runtime"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
	"go.aporeto.io/enforcerd/trireme-lib/utils/cache"
	"go.uber.org/zap"
)

// A Enforcer is an implementation of the enforcer datapath. The interface
// can be implemented by one or multiple datapaths.
type Enforcer interface {

	// Enforce starts enforcing policies for the given policy.PUInfo.
	Enforce(ctx context.Context, contextID string, puInfo *policy.PUInfo) error

	// Unenforce stops enforcing policy for the given IP.
	Unenforce(ctx context.Context, contextID string) error

	// GetFilterQueue returns the current FilterQueueConfig.
	GetFilterQueue() fqconfig.FilterQueue

	// GetBPFObject returns the bpf pobject
	GetBPFObject() ebpf.BPFModule

	// Run starts the PolicyEnforcer.
	Run(ctx context.Context) error

	// UpdateSecrets -- updates the secrets of running enforcers managed by trireme. Remote enforcers will get the secret updates with the next policy push
	UpdateSecrets(secrets secrets.Secrets) error

	// SetTargetNetworks sets the target network configuration of the controllers.
	SetTargetNetworks(cfg *runtime.Configuration) error

	// SetLogLevel sets log level.
	SetLogLevel(level constants.LogLevel) error

	// Cleanup request a clean up of the controllers.
	CleanUp() error

	// GetServiceMeshType returns the serviceMeshType
	GetServiceMeshType() policy.ServiceMesh

	DebugInfo
}

// DebugInfo is interface to implement methods to configure datapath packet tracing in the nfqdatapath
type DebugInfo interface {
	//  EnableDatapathPacketTracing will enable tracing of packets received by the datapath for a particular PU. Setting Disabled as tracing direction will stop tracing for the contextID
	EnableDatapathPacketTracing(ctx context.Context, contextID string, direction packettracing.TracingDirection, interval time.Duration) error

	// EnablePacketTracing enable iptables -j trace for the particular pu and is much wider packet stream.
	EnableIPTablesPacketTracing(ctx context.Context, contextID string, interval time.Duration) error

	// Ping runs ping based on the given config.
	Ping(ctx context.Context, contextID string, pingConfig *policy.PingConfig) error

	// DebugCollect collects debug information, such as packet capture
	DebugCollect(ctx context.Context, contextID string, debugConfig *policy.DebugConfig) error
}

// enforcer holds all the active implementations of the enforcer
type enforcer struct {
	proxy     *applicationproxy.AppProxy
	transport *nfqdatapath.Datapath
}

// Run implements the run interfaces and runs the individual data paths
func (e *enforcer) Run(ctx context.Context) error {

	if e.proxy != nil {
		if err := e.proxy.Run(ctx); err != nil {
			return err
		}
	}

	if e.transport != nil {
		if err := e.transport.Run(ctx); err != nil {
			return err
		}
	}

	return nil
}

// Enforce implements the enforce interface by sending the event to all the enforcers.
func (e *enforcer) Enforce(ctx context.Context, contextID string, puInfo *policy.PUInfo) error {
	if e.transport != nil {
		if err := e.transport.Enforce(ctx, contextID, puInfo); err != nil {
			return fmt.Errorf("unable to enforce in nfq: %s", err)
		}
	}

	if e.proxy != nil {
		// NOTE: Passing ctx here breaks proxy. Root cause unknown for now
		if err := e.proxy.Enforce(context.Background(), contextID, puInfo); err != nil {
			return fmt.Errorf("unable to enforce in proxy: %s", err)
		}
	}

	return nil
}

// Unenforce implements the Unenforce interface by sending the event to all the enforcers.
func (e *enforcer) Unenforce(ctx context.Context, contextID string) error {

	var perr, nerr, serr error

	if e.proxy != nil {
		if perr = e.proxy.Unenforce(ctx, contextID); perr != nil {
			zap.L().Error("Failed to unenforce contextID in proxy",
				zap.String("ContextID", contextID),
				zap.Error(perr),
			)
		}
	}

	if e.transport != nil {
		if nerr = e.transport.Unenforce(ctx, contextID); nerr != nil {
			zap.L().Error("Failed to unenforce contextID in transport",
				zap.String("ContextID", contextID),
				zap.Error(nerr),
			)
		}
	}

	if perr != nil || nerr != nil || serr != nil {
		return fmt.Errorf("Failed to unenforce. proxy: %s transport: %s secret: %s", perr, nerr, serr)
	}

	return nil
}

func (e *enforcer) SetTargetNetworks(cfg *runtime.Configuration) error {
	return e.transport.SetTargetNetworks(cfg)
}

// Updatesecrets updates the secrets of the enforcers
func (e *enforcer) UpdateSecrets(secrets secrets.Secrets) error {
	if e.proxy != nil {
		if err := e.proxy.UpdateSecrets(secrets); err != nil {
			return err
		}
	}

	if e.transport != nil {
		if err := e.transport.UpdateSecrets(secrets); err != nil {
			return err
		}
	}

	return nil
}

// SetLogLevel sets log level.
func (e *enforcer) SetLogLevel(level constants.LogLevel) error {

	if e.transport != nil {
		if err := e.transport.SetLogLevel(level); err != nil {
			return err
		}
	}

	return nil
}

// Cleanup implements the cleanup interface.
func (e *enforcer) CleanUp() error {
	if e.transport != nil {
		return e.transport.CleanUp()
	}
	return nil
}

//GetBPFObject returns the bpf object
func (e *enforcer) GetBPFObject() ebpf.BPFModule {
	return e.transport.GetBPFObject()
}

// GetServiceMeshType returns the serviceMesh type
func (e *enforcer) GetServiceMeshType() policy.ServiceMesh {
	return e.transport.GetServiceMeshType()
}

// GetFilterQueue returns the current FilterQueueConfig of the transport path.
func (e *enforcer) GetFilterQueue() fqconfig.FilterQueue {
	return e.transport.GetFilterQueue()
}

// EnableDatapathPacketTracing implemented the datapath packet tracing
func (e *enforcer) EnableDatapathPacketTracing(ctx context.Context, contextID string, direction packettracing.TracingDirection, interval time.Duration) error {
	return e.transport.EnableDatapathPacketTracing(ctx, contextID, direction, interval)

}

// EnableIPTablesPacketTracing enable iptables -j trace for the particular pu and is much wider packet stream.
func (e *enforcer) EnableIPTablesPacketTracing(ctx context.Context, contextID string, interval time.Duration) error {
	return nil
}

// Ping runs ping to the given config.
func (e *enforcer) Ping(ctx context.Context, contextID string, pingConfig *policy.PingConfig) error {

	srv := policy.ServiceL3
	sctx, sdata, err := e.proxy.ServiceData(
		contextID,
		pingConfig.IP,
		int(pingConfig.Port),
		pingConfig.ServiceAddresses)
	if err == nil {
		srv = sdata.ServiceObject.Type
	}

	switch pingConfig.Mode {
	case gaia.ProcessingUnitRefreshPingModeAuto:
		switch srv {
		case policy.ServiceHTTP, policy.ServiceTCP:
			return e.proxy.Ping(ctx, contextID, sctx, sdata, pingConfig)
		default:
			return e.transport.Ping(ctx, contextID, pingConfig)
		}

	case gaia.ProcessingUnitRefreshPingModeL3:
		return e.transport.Ping(ctx, contextID, pingConfig)

	case gaia.ProcessingUnitRefreshPingModeL4, gaia.ProcessingUnitRefreshPingModeL7:
		return e.proxy.Ping(ctx, contextID, sctx, sdata, pingConfig)

	default:
		return e.transport.Ping(ctx, contextID, pingConfig)
	}
}

func (e *enforcer) DebugCollect(ctx context.Context, contextID string, debugConfig *policy.DebugConfig) error {
	// this is handled in remoteenforcer
	return nil
}

// New returns a new policy enforcer that implements both the data paths.
func New(
	mutualAuthorization bool,
	fqConfig fqconfig.FilterQueue,
	collector collector.EventCollector,
	secrets secrets.Secrets,
	serverID string,
	validity time.Duration,
	mode constants.ModeType,
	procMountPoint string,
	externalIPCacheTimeout time.Duration,
	packetLogs bool,
	cfg *runtime.Configuration,
	tokenIssuer common.ServiceTokenIssuer,
	isBPFEnabled bool,
	agentVersion semver.Version,
	serviceMeshType policy.ServiceMesh,
) (Enforcer, error) {
	if mode == constants.RemoteContainerEnvoyAuthorizer || mode == constants.LocalEnvoyAuthorizer {
		return envoyauthorizer.NewEnvoyAuthorizerEnforcer(mode, collector, externalIPCacheTimeout, secrets, tokenIssuer)
	}

	tokenAccessor, err := tokenaccessor.New(serverID, validity, secrets)

	if err != nil {
		zap.L().Fatal("Cannot create a token engine")
	}

	datapathKeypair, err := ephemeralkeys.NewWithRenewal()
	if err != nil {
		zap.L().Fatal("Cannot create a ephemeral key pair", zap.Error(err))
	}

	puFromContextID := cache.NewCache("puFromContextID")

	transport := nfqdatapath.New(
		mutualAuthorization,
		fqConfig,
		collector,
		serverID,
		validity,
		secrets,
		mode,
		procMountPoint,
		externalIPCacheTimeout,
		packetLogs,
		tokenAccessor,
		puFromContextID,
		cfg,
		isBPFEnabled,
		agentVersion,
		serviceMeshType,
	)
	var appProxy *applicationproxy.AppProxy

	if serviceMeshType == policy.None {
		appProxy, err = applicationproxy.NewAppProxy(tokenAccessor, collector, puFromContextID, secrets, tokenIssuer, datapathKeypair, agentVersion)
		if err != nil {
			return nil, fmt.Errorf("App proxy %s", err)
		}
	}

	return &enforcer{
		proxy:     appProxy,
		transport: transport,
	}, nil
}


================================================
FILE: controller/internal/enforcer/envoyauthorizer/envoyauthorizerenforcer.go
================================================
package envoyauthorizer

import (
	"context"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"sync"
	"time"

	"go.aporeto.io/enforcerd/trireme-lib/collector"
	"go.aporeto.io/enforcerd/trireme-lib/common"
	"go.aporeto.io/enforcerd/trireme-lib/controller/constants"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/applicationproxy/serviceregistry"
	enforcerconstants "go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/constants"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/envoyauthorizer/envoyproxy"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/metadata"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/ebpf"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/fqconfig"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packettracing"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/pucontext"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/secrets"
	"go.aporeto.io/enforcerd/trireme-lib/controller/runtime"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
	"go.aporeto.io/enforcerd/trireme-lib/utils/cache"
	"go.uber.org/zap"
)

// Enforcer implements the Enforcer interface as an envoy authorizer
// and starts envoy external authz filter gRPC servers for enforcement.
type Enforcer struct {
	mode                   constants.ModeType
	collector              collector.EventCollector
	externalIPCacheTimeout time.Duration
	secrets                secrets.Secrets
	tokenIssuer            common.ServiceTokenIssuer

	puContexts   cache.DataStore
	clients      cache.DataStore
	systemCAPool *x509.CertPool

	metadata *metadata.Client
	sync.RWMutex
}

// envoyAuthzServers, envoy servers used my enforcer
type envoyServers struct {
	ingress *envoyproxy.AuthServer
	egress  *envoyproxy.AuthServer
	sds     *envoyproxy.SdsServer
}

// NewEnvoyAuthorizerEnforcer creates a new envoy authorizer
func NewEnvoyAuthorizerEnforcer(mode constants.ModeType, eventCollector collector.EventCollector, externalIPCacheTimeout time.Duration, secrets secrets.Secrets, tokenIssuer common.ServiceTokenIssuer) (*Enforcer, error) {
	// abort if this is not the right mode
	if mode != constants.RemoteContainerEnvoyAuthorizer && mode != constants.LocalEnvoyAuthorizer {
		return nil, fmt.Errorf("enforcer mode type must be either RemoteContainerEnvoyAuthorizer or LocalEnvoyAuthorizer, got: %d", mode)
	}
	zap.L().Info("Creating Envoy Authorizer Enforcer")
	// same logic as in the nfqdatapath
	if externalIPCacheTimeout <= 0 {
		var err error
		externalIPCacheTimeout, err = time.ParseDuration(enforcerconstants.DefaultExternalIPTimeout)
		if err != nil {
			externalIPCacheTimeout = time.Second
		}
	}

	// same logic as in app proxy
	systemPool, err := x509.SystemCertPool()
	if err != nil {
		return nil, err
	}

	if ok := systemPool.AppendCertsFromPEM(secrets.CertAuthority()); !ok {
		return nil, fmt.Errorf("error while adding provided CA")
	}
	// TODO: systemPool needs the same treatment as the AppProxy and a `processCertificateUpdates` and `expandCAPool` implementation as well
	return &Enforcer{
		mode:                   mode,
		collector:              eventCollector,
		externalIPCacheTimeout: externalIPCacheTimeout,
		secrets:                secrets,
		tokenIssuer:            tokenIssuer,
		puContexts:             cache.NewCache("puContexts"),
		clients:                cache.NewCache("clients"),
		// auth:                   apiauth.New(puContexts, registry, secrets),
		// metadata:               metadata.NewClient(puContext, registry, tokenIssuer),
	}, nil
}

// Secrets implements the LockedSecrets
func (e *Enforcer) Secrets() (secrets.Secrets, func()) {
	e.RLock()
	return e.secrets, e.RUnlock
}

// Enforce starts enforcing policies for the given policy.PUInfo.
// here we do the following:
// 1. create a new PU always and instantiate a new apiAuth, as we want to be as stateless as possible.
// 2. create a PUcontext as this will be used in auth code.
// 3. If envoy servers are not present then create all 3 envoy servers.
// 4. If the servers are already present under policy update then update the service certs.
func (e *Enforcer) Enforce(ctx context.Context, contextID string, puInfo *policy.PUInfo) error {
	e.Lock()
	defer e.Unlock()

	zap.L().Debug("Enforce for the envoy for pu", zap.String("puID", contextID))
	// here we 1st need to create a PuContext, as the PU context will derive the
	// serviceCtxt which will be used by the authorizer to determine the policyInfo.

	pu, err := pucontext.NewPU(contextID, puInfo, nil, e.externalIPCacheTimeout)
	if err != nil {
		return fmt.Errorf("error creating new pu: %s", err)
	}
	// Add the puContext to the cache as we need to later while serving the requests.
	e.puContexts.AddOrUpdate(contextID, pu)

	sctx, err := serviceregistry.Instance().Register(contextID, puInfo, pu, e.secrets)
	if err != nil {
		return fmt.Errorf("policy conflicts detected: %s", err)
	}

	caPool := e.expandCAPool(sctx.RootCA)

	// now instantiate the apiAuth and metadata
	// create a new server if it doesn't exist yet
	if _, err := e.clients.Get(contextID); err != nil {
		zap.L().Debug("creating new auth and sds servers", zap.String("puID", contextID))
		ingressServer, err := envoyproxy.NewExtAuthzServer(contextID, e.puContexts, e.collector, envoyproxy.IngressDirection, e.secrets, e.tokenIssuer)
		if err != nil {
			zap.L().Error("Cannot create and run IngressServer", zap.Error(err))
			return err
		}

		egressServer, err := envoyproxy.NewExtAuthzServer(contextID, e.puContexts, e.collector, envoyproxy.EgressDirection, e.secrets, e.tokenIssuer)
		if err != nil {
			zap.L().Error("Cannot create and run EgressServer", zap.Error(err))
			ingressServer.Stop()
			return err
		}
		sdsServer, err := envoyproxy.NewSdsServer(contextID, puInfo, caPool, e.secrets)
		if err != nil {
			zap.L().Error("Cannot create and run SdsServer", zap.Error(err))
			return err
		}
		// Add the EnvoyServers to our cache
		if err := e.clients.Add(contextID, &envoyServers{ingress: ingressServer, egress: egressServer, sds: sdsServer}); err != nil {
			ingressServer.Stop()
			egressServer.Stop()
			sdsServer.Stop()
			return err
		}

	} else {
		// we have this client already, this is only a policy update
		zap.L().Debug("handling policy update for envoy servers", zap.String("puID", contextID))
		// For updates we need to update the certificates if we have new ones. Otherwise
		// we return. There is nothing else to do in case of policy update.
		// this required for the Envoy servers.
		if c, cerr := e.clients.Get(contextID); cerr == nil {
			_, perr := e.processCertificateUpdates(puInfo, c.(*envoyServers), caPool)
			if perr != nil {
				zap.L().Error("unable to update certificates for services", zap.Error(perr))
				return perr
			}
			return nil
		}
	}

	return nil
}

// processCertificateUpdates processes the certificate information and updates
// the servers.
func (e *Enforcer) processCertificateUpdates(puInfo *policy.PUInfo, server *envoyServers, caPool *x509.CertPool) (bool, error) {

	// If there are certificates provided, we will need to update them for the
	// services. If the certificates are nil, we ignore them.
	certPEM, keyPEM, caPEM := puInfo.Policy.ServiceCertificates()
	if certPEM == "" || keyPEM == "" {
		return false, nil
	}

	// Process any updates on the cert pool
	if caPEM != "" {
		if !caPool.AppendCertsFromPEM([]byte(caPEM)) {
			zap.L().Warn("Failed to add Services CA")
		}
	}

	// Create the TLS certificate
	tlsCert, err := tls.X509KeyPair([]byte(certPEM), []byte(keyPEM))
	if err != nil {
		return false, fmt.Errorf("Invalid certificates: %s", err)
	}
	// Here update the enforcer secrets because we are using the LockedSecrets.
	// Also, send a update event to the SDS server so it can send a new cert to the envoy Sidecar.
	// // update all the server certs, the Write lock has already been acquired by the Enforce function, so no need to lock again.
	server.ingress.UpdateSecrets(&tlsCert, caPool, e.secrets, certPEM, keyPEM)
	server.egress.UpdateSecrets(&tlsCert, caPool, e.secrets, certPEM, keyPEM)
	server.sds.UpdateSecrets(&tlsCert, caPool, e.secrets, certPEM, keyPEM)

	if e.metadata != nil {
		e.metadata.UpdateSecrets([]byte(certPEM), []byte(keyPEM))
	}
	return true, nil
}

func (e *Enforcer) expandCAPool(externalCAs [][]byte) *x509.CertPool {
	systemPool, err := x509.SystemCertPool()
	if err != nil {
		zap.L().Error("cannot process system pool", zap.Error(err))
		return e.systemCAPool
	}
	if ok := systemPool.AppendCertsFromPEM(e.secrets.CertAuthority()); !ok {
		zap.L().Error("cannot appen system CA", zap.Error(err))
		return e.systemCAPool
	}
	for _, ca := range externalCAs {
		if ok := systemPool.AppendCertsFromPEM(ca); !ok {
			zap.L().Error("cannot append external service ca", zap.String("CA", string(ca)))
		}
	}
	return systemPool
}

// Unenforce stops enforcing policy for the given IP.
func (e *Enforcer) Unenforce(ctx context.Context, contextID string) error {
	e.Lock()
	defer e.Unlock()

	// stop the authz servers
	rawAuthzServers, err := e.clients.Get(contextID)
	if err != nil {
		return err
	}

	server := rawAuthzServers.(*envoyServers)
	shutdownCtx, shutdownCtxCancel := context.WithTimeout(ctx, time.Second*10)
	defer shutdownCtxCancel()

	var wg sync.WaitGroup
	shutdownCh := make(chan struct{})
	wg.Add(3)
	go func() {
		server.ingress.GracefulStop()
		wg.Done()
	}()
	go func() {
		server.egress.GracefulStop()
		wg.Done()
	}()
	go func() {
		server.sds.GracefulStop()
		wg.Done()
	}()
	go func() {
		wg.Wait()
		shutdownCh <- struct{}{}
	}()

	select {
	case <-shutdownCtx.Done():
		zap.L().Warn("Graceful shutdown of envoy server did not finish in time. Shutting down hard now...", zap.String("puID", contextID), zap.Error(shutdownCtx.Err()))
		var wg sync.WaitGroup
		wg.Add(3)
		go func() {
			server.ingress.Stop()
			wg.Done()
		}()
		go func() {
			server.egress.Stop()
			wg.Done()
		}()
		go func() {
			server.sds.Stop()
			wg.Done()
		}()
		wg.Wait()
	case <-shutdownCh:
	}

	if err := e.puContexts.RemoveWithDelay(contextID, 10*time.Second); err != nil {
		zap.L().Debug("Unable to remove PU context from cache", zap.String("puID", contextID), zap.Error(err))
	}

	return nil
}

// UpdateSecrets -- updates the secrets of running enforcers managed by trireme. Remote enforcers will get the secret updates with the next policy push
func (e *Enforcer) UpdateSecrets(secrets secrets.Secrets) error {
	e.Lock()
	defer e.Unlock()
	e.secrets = secrets
	return nil
}

// SetTargetNetworks is unimplemented in the envoy authorizer
func (e *Enforcer) SetTargetNetworks(cfg *runtime.Configuration) error {
	return nil
}

// SetLogLevel is unimplemented in the envoy authorizer
func (e *Enforcer) SetLogLevel(level constants.LogLevel) error {
	return nil
}

// CleanUp is unimplemented in the envoy authorizer
func (e *Enforcer) CleanUp() error {
	return nil
}

// Run is unimplemented in the envoy authorizer
func (e *Enforcer) Run(ctx context.Context) error {
	return nil
}

// GetBPFObject is unimplemented in the envoy authorizer
func (e *Enforcer) GetBPFObject() ebpf.BPFModule {
	return nil
}

// GetServiceMeshType is unimplemented in the envoy authorizer
func (e *Enforcer) GetServiceMeshType() policy.ServiceMesh {
	return policy.None
}

// GetFilterQueue is unimplemented in the envoy authorizer
func (e *Enforcer) GetFilterQueue() fqconfig.FilterQueue {
	return nil
}

// EnableDatapathPacketTracing is unimplemented in the envoy authorizer
func (e *Enforcer) EnableDatapathPacketTracing(ctx context.Context, contextID string, direction packettracing.TracingDirection, interval time.Duration) error {
	return nil
}

// EnableIPTablesPacketTracing is unimplemented in the envoy authorizer
func (e *Enforcer) EnableIPTablesPacketTracing(ctx context.Context, contextID string, interval time.Duration) error {
	return nil
}

// Ping is unimplemented in the envoy authorizer
func (e *Enforcer) Ping(ctx context.Context, contextID string, pingConfig *policy.PingConfig) error {
	return nil
}

// DebugCollect is unimplemented in the envoy authorizer
func (e *Enforcer) DebugCollect(ctx context.Context, contextID string, debugConfig *policy.DebugConfig) error {
	return nil
}


================================================
FILE: controller/internal/enforcer/envoyauthorizer/envoyproxy/auth_server.go
================================================
package envoyproxy

import (
	"context"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"sync"

	envoy_core "github.com/envoyproxy/go-control-plane/envoy/api/v2/core"
	ext_auth "github.com/envoyproxy/go-control-plane/envoy/service/auth/v2"
	envoy_type "github.com/envoyproxy/go-control-plane/envoy/type"
	"go.aporeto.io/enforcerd/trireme-lib/collector"
	"go.aporeto.io/enforcerd/trireme-lib/common"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/apiauth"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/flowstats"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/metadata"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/secrets"
	"go.aporeto.io/enforcerd/trireme-lib/utils/cache"
	"go.uber.org/zap"
	"google.golang.org/genproto/googleapis/rpc/code"
	"google.golang.org/grpc"

	//rpc "istio.io/gogo-genproto/googleapis/google/rpc"
	status "google.golang.org/genproto/googleapis/rpc/status"
)

const (
	// IngressSocketPath is the unix socket path where the authz server will be listening on for the ingress authz server
	//IngressSocketPath = "@aporeto_envoy_authz_ingress"
	IngressSocketPath = "127.0.0.1:1999"

	// EgressSocketPath is the unix socket path where the authz server will be listening on for the egress authz server
	EgressSocketPath = "127.0.0.1:1998"
	//EgressSocketPath = "@aporeto_envoy_authz_egress"

	// aporetoKeyHeader is the HTTP header name for the key header
	aporetoKeyHeader = "x-aporeto-key"

	// aporetoAuthHeader is the HTTP header name for the auth header
	aporetoAuthHeader = "x-aporeto-auth"
)

// Direction is used to indicate if the authorization server is ingress or egress.
// NOTE: the type is currently set to uint8 and not bool because in Istio there are 3 types:
// - SIDECAR_INBOUND
// - SIDECAR_OUTBOUND
// - GATEWAY
// And we are not sure yet if we need an extra authz server for GATEWAY.
type Direction uint8

const (
	// UnknownDirection is only used to denote uninitialized variables
	UnknownDirection Direction = 0

	// IngressDirection refers to inbound / ingress traffic.
	// NOTE: for Istio use this in conjunction with SIDECAR_INBOUND
	IngressDirection Direction = 1

	// EgressDirection refers to outbound / egress traffic.
	// NOTE: for Istio use this in conjunction with SIDECAR_OUTBOUND
	EgressDirection Direction = 2
)

// String overwrites the string interface
func (d Direction) String() string {
	switch d {
	case UnknownDirection:
		return "UnknownDirection"
	case IngressDirection:
		return "IngressDirection"
	case EgressDirection:
		return "EgressDirection"
	default:
		return fmt.Sprintf("Unimplemented(%d)", d)
	}
}

// AuthServer struct, the server to hold the envoy External Auth.
type AuthServer struct {
	puID       string
	puContexts cache.DataStore
	secrets    secrets.Secrets
	socketPath string
	server     *grpc.Server
	direction  Direction
	collector  collector.EventCollector
	auth       *apiauth.Processor
	metadata   *metadata.Client
	sync.RWMutex
}

// Secrets implements locked secrets
// func (s *AuthServer) Secrets() secrets.Secrets {
// 	s.RLock()
// 	defer s.RUnlock()
// 	return s.secrets
// }

// NewExtAuthzServer creates a new envoy ext_authz server
func NewExtAuthzServer(puID string, puContexts cache.DataStore, collector collector.EventCollector, direction Direction, secrets secrets.Secrets, tokenIssuer common.ServiceTokenIssuer) (*AuthServer, error) {
	var socketPath string
	switch direction {
	case UnknownDirection:
		return nil, fmt.Errorf("direction must be set to ingress or egress")
	case IngressDirection:
		socketPath = IngressSocketPath
	case EgressDirection:
		socketPath = EgressSocketPath
	default:
		return nil, fmt.Errorf("direction must be set to ingress or egress")
	}
	if direction == UnknownDirection || direction > EgressDirection {
		return nil, fmt.Errorf("direction must be set to ingress or egress")
	}

	s := &AuthServer{
		puID:       puID,
		puContexts: puContexts,
		secrets:    secrets,
		socketPath: socketPath,
		server:     grpc.NewServer(),
		direction:  direction,
		auth:       apiauth.New(puID, secrets),
		metadata:   metadata.NewClient(puID, tokenIssuer),
		collector:  collector,
	}

	// register with gRPC
	ext_auth.RegisterAuthorizationServer(s.server, s)

	addr, err := net.ResolveTCPAddr("tcp", s.socketPath)
	if err != nil {
		return nil, err
	}
	nl, err := net.ListenTCP("tcp", addr)
	if err != nil {
		return nil, err
	}
	// start and listen to the server
	zap.L().Debug("ext_authz_server: Auth Server started the server on", zap.Any("addr", nl.Addr()), zap.String("puID", puID))
	go s.run(nl)

	return s, nil
}

// UpdateSecrets updates the secrets
// Whenever the Envoy makes a request for certificate, the certs and keys are fetched from
// the Proxy.
func (s *AuthServer) UpdateSecrets(cert *tls.Certificate, caPool *x509.CertPool, secrets secrets.Secrets, certPEM, keyPEM string) {
	s.Lock()
	defer s.Unlock()
	s.secrets = secrets
	// we need update the apiAuth secrets.
	s.auth.UpdateSecrets(secrets)
}

func (s *AuthServer) run(lis net.Listener) {
	zap.L().Debug("Starting to serve gRPC for ext_authz server", zap.String("puID", s.puID), zap.String("direction", s.direction.String()))
	if err := s.server.Serve(lis); err != nil {
		zap.L().Error("gRPC server for ext_authz failed", zap.String("puID", s.puID), zap.Error(err), zap.String("direction", s.direction.String()))
	}
	zap.L().Debug("stopped serving gRPC for ext_authz server", zap.String("puID", s.puID), zap.String("direction", s.direction.String()))
}

// Stop calls the function with the same name on the backing gRPC server
func (s *AuthServer) Stop() {
	s.server.Stop()
}

// GracefulStop calls the function with the same name on the backing gRPC server
func (s *AuthServer) GracefulStop() {
	s.server.GracefulStop()
}

// Check implements the AuthorizationServer interface
func (s *AuthServer) Check(ctx context.Context, checkRequest *ext_auth.CheckRequest) (*ext_auth.CheckResponse, error) {
	zap.L().Debug("Envoy check, DIR", zap.Uint8("dir", uint8(s.direction)))
	switch s.direction {
	case IngressDirection:
		return s.ingressCheck(ctx, checkRequest)
	case EgressDirection:
		return s.egressCheck(ctx, checkRequest)
	default:
		return nil, fmt.Errorf("direction: %s", s.direction)
	}
}

// ingressCheck implements the AuthorizationServer for ingress connections
func (s *AuthServer) ingressCheck(ctx context.Context, checkRequest *ext_auth.CheckRequest) (*ext_auth.CheckResponse, error) {

	// now extract the attributes and call the API auth to decode and check all the claims in request.
	var sourceIP, destIP, aporetoAuth, aporetoKey string
	var source, dest *ext_auth.AttributeContext_Peer
	var httpReq *ext_auth.AttributeContext_HttpRequest
	var destPort, srcPort int
	var urlStr, method, scheme string
	attrs := checkRequest.GetAttributes()
	if attrs != nil {
		source = attrs.GetSource()
		dest = attrs.GetDestination()

		if source != nil {
			if addr := source.GetAddress(); addr != nil {
				if sockAddr := addr.GetSocketAddress(); sockAddr != nil {
					sourceIP = sockAddr.GetAddress()
					srcPort = int(sockAddr.GetPortValue())
				}
			}
		}
		if dest != nil {
			if destAddr := dest.GetAddress(); destAddr != nil {
				if destSockAddr := destAddr.GetSocketAddress(); destSockAddr != nil {
					destIP = destSockAddr.GetAddress()
					destPort = int(destSockAddr.GetPortValue())
				}
			}
		}

		if request := attrs.GetRequest(); request != nil {
			httpReq = request.GetHttp()
			if httpReq != nil {
				httpReqHeaders := httpReq.GetHeaders()
				aporetoAuth, _ = httpReqHeaders[aporetoAuthHeader] // nolint
				aporetoKey, _ = httpReqHeaders[aporetoKeyHeader]   // nolint
				zap.L().Debug("ext_authz ingress", zap.Any("httpReqHeaders", httpReqHeaders), zap.String("aporetoKey", aporetoKey))
				urlStr = httpReq.GetPath()
				method = httpReq.GetMethod()
				scheme = httpReq.GetScheme()

			}
		}
	}
	zap.L().Debug("ext_authz ingress", zap.String("source addr", sourceIP), zap.String("source, dest", source.GetAddress().GetSocketAddress().GetAddress()), zap.String("dest addr", dest.GetAddress().GetSocketAddress().GetAddress()))
	zap.L().Debug("ext_authz ingress", zap.Any("destPort", destPort), zap.Any("srcPort", srcPort), zap.String("scheme", scheme))

	requestCookie := &http.Cookie{Name: aporetoAuthHeader, Value: aporetoAuth} // nolint errcheck
	hdr := make(http.Header)

	hdr.Add(aporetoAuthHeader, aporetoAuth) //string(p.secrets.TransmittedKey()))
	hdr.Add(aporetoKeyHeader, aporetoKey)   //resp.Token)

	// Create the new target URL based on the method+path parameter that we had.
	URL, err := url.ParseRequestURI("http:" + method + urlStr)
	if err != nil {
		zap.L().Error("ext_authz ingress: Cannot parse the URI", zap.Error(err))
		return nil, err
	}
	zap.L().Debug("ext_authz ingress", zap.String("URL", URL.String()))
	request := &apiauth.Request{
		OriginalDestination: &net.TCPAddr{IP: net.ParseIP(destIP), Port: destPort},
		SourceAddress:       &net.TCPAddr{IP: net.ParseIP(sourceIP), Port: srcPort},
		Header:              hdr,
		URL:                 URL,
		Method:              method,
		RequestURI:          "",
		Cookie:              requestCookie,
		TLS:                 nil,
	}

	response, err := s.auth.NetworkRequest(ctx, request)
	var userID string
	if response != nil && len(response.UserAttributes) > 0 {
		userData := &collector.UserRecord{
			Namespace: response.Namespace,
			Claims:    response.UserAttributes,
		}
		s.collector.CollectUserEvent(userData)
		userID = userData.ID
	}

	state := flowstats.NewNetworkConnectionState(s.puID, userID, request, response)
	defer s.collector.CollectFlowEvent(state.Stats)

	if err != nil {
		if response == nil {
			zap.L().Error("ext_authz ingress: auth.Networkrequest response is nil")
			return createDeniedCheckResponse(code.Code_PERMISSION_DENIED, envoy_type.StatusCode_Forbidden, "No aporeto service installed"), nil
		}
		return createDeniedCheckResponse(code.Code_PERMISSION_DENIED, envoy_type.StatusCode_Forbidden, "Access not authorized by network policy"), nil
	}
	if response.Action.Rejected() {
		zap.L().Error("ext_authz ingress: Access *NOT* authorized by network policy", zap.String("puID", s.puID))
		//flow.DropReason = "access not authorized by network policy"
		return createDeniedCheckResponse(code.Code_PERMISSION_DENIED, envoy_type.StatusCode_Forbidden, "Access not authorized by network policy"), nil
	}
	zap.L().Debug("ext_authz ingress: Access authorized by network policy", zap.String("puID", s.puID), zap.String("dst: ", destIP), zap.String("src: ", sourceIP))
	return &ext_auth.CheckResponse{
		Status: &status.Status{
			Code: int32(code.Code_OK),
		},
		HttpResponse: &ext_auth.CheckResponse_OkResponse{
			OkResponse: &ext_auth.OkHttpResponse{},
		},
	}, nil
}

// egressCheck implements the AuthorizationServer for egress connections
func (s *AuthServer) egressCheck(_ context.Context, checkRequest *ext_auth.CheckRequest) (*ext_auth.CheckResponse, error) {
	zap.L().Debug("ext_authz egress: checkRequest", zap.String("puID", s.puID), zap.String("checkRequest", checkRequest.String()))

	var sourceIP, destIP string
	var source, dest *ext_auth.AttributeContext_Peer
	var httpReq *ext_auth.AttributeContext_HttpRequest
	var destPort, srcPort int
	var urlStr, method string
	attrs := checkRequest.GetAttributes()
	if attrs != nil {
		source = attrs.GetSource()
		dest = attrs.GetDestination()

		if source != nil {
			if addr := source.GetAddress(); addr != nil {
				if sockAddr := addr.GetSocketAddress(); sockAddr != nil {
					sourceIP = sockAddr.GetAddress()
					srcPort = int(sockAddr.GetPortValue())
				}
			}
		}
		if dest != nil {
			if destAddr := dest.GetAddress(); destAddr != nil {
				if destSockAddr := destAddr.GetSocketAddress(); destSockAddr != nil {
					destIP = destSockAddr.GetAddress()
					destPort = int(destSockAddr.GetPortValue())
				}
			}
		}

		if request := attrs.GetRequest(); request != nil {
			httpReq = request.GetHttp()
			urlStr = httpReq.GetPath()
			method = httpReq.GetMethod()
		}
	}
	// Create the new target URL based on the path parameter that we have from envoy.
	URL, err := url.ParseRequestURI(urlStr)
	if err != nil {
		zap.L().Error("ext_authz egress: Cannot parse the URI", zap.Error(err))
		return nil, err
	}

	authRequest := &apiauth.Request{
		OriginalDestination: &net.TCPAddr{IP: net.ParseIP(destIP), Port: destPort},
		SourceAddress:       &net.TCPAddr{IP: net.ParseIP(sourceIP), Port: srcPort},
		URL:                 URL,
		Method:              method,
		RequestURI:          "",
	}
	r := new(http.Request)
	r.RemoteAddr = sourceIP

	resp, err := s.auth.ApplicationRequest(authRequest)
	if err != nil {
		if resp.PUContext != nil {
			state := flowstats.NewAppConnectionState(s.puID, r, authRequest, resp)
			state.Stats.Action = resp.Action
			state.Stats.PolicyID = resp.NetworkPolicyID
			s.collector.CollectFlowEvent(state.Stats)
		}
		zap.L().Error("ext_authz egress: Access *NOT* authorized by network policy", zap.String("puID", s.puID), zap.Error(err))
		//flow.DropReason = "access not authorized by network policy"
		return createDeniedCheckResponse(code.Code_PERMISSION_DENIED, envoy_type.StatusCode_Forbidden, "Access not authorized by network policy"), err
	}
	// record the flow stats
	state := flowstats.NewAppConnectionState(s.puID, r, authRequest, resp)
	// If the flow is external, then collect the stats here as the policy decision has already been made.
	if resp.External {
		defer s.collector.CollectFlowEvent(state.Stats)
	}
	if resp.Action.Rejected() {
		zap.L().Error("ext_authz egress: Access action rejected by network policy", zap.String("puID", s.puID))
		//flow.DropReason = "access not authorized by network policy"
		return createDeniedCheckResponse(code.Code_PERMISSION_DENIED, envoy_type.StatusCode_Forbidden, "Access not authorized by network policy"), nil
	}
	// now create the response and inject our identity
	zap.L().Debug("ext_authz egress: injecting header", zap.String("puID", s.puID))
	// build our identity token
	var transmittedKey []byte
	if s.secrets != nil {
		transmittedKey = s.secrets.TransmittedKey()
	} else {
		zap.L().Error("ext_authz egress:the secrerts are nil")
	}
	zap.L().Debug("ext_authz egress: Request accepted for", zap.String("dst", destIP))
	return &ext_auth.CheckResponse{
		Status: &status.Status{
			Code: int32(code.Code_OK),
		},
		HttpResponse: &ext_auth.CheckResponse_OkResponse{
			OkResponse: &ext_auth.OkHttpResponse{
				Headers: []*envoy_core.HeaderValueOption{
					{
						Header: &envoy_core.HeaderValue{
							Key:   aporetoKeyHeader,
							Value: string(transmittedKey),
						},
					},
					{
						Header: &envoy_core.HeaderValue{
							Key:   aporetoAuthHeader,
							Value: resp.Token,
						},
					},
				},
			},
		},
	}, nil
}

func createDeniedCheckResponse(rpcCode code.Code, httpCode envoy_type.StatusCode, body string) *ext_auth.CheckResponse { // nolint
	return &ext_auth.CheckResponse{
		Status: &status.Status{
			Code: int32(rpcCode),
		},
		HttpResponse: &ext_auth.CheckResponse_DeniedResponse{
			DeniedResponse: &ext_auth.DeniedHttpResponse{
				Status: &envoy_type.HttpStatus{
					Code: httpCode,
				},
				Body: body,
			},
		},
	}
}


================================================
FILE: controller/internal/enforcer/envoyauthorizer/envoyproxy/sds_server.go
================================================
package envoyproxy

import (
	"bytes"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"net"
	"sync"
	"time"

	"context"

	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/secrets"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
	"go.aporeto.io/enforcerd/trireme-lib/utils/cache"
	"go.uber.org/zap"
	"google.golang.org/grpc"

	v2 "github.com/envoyproxy/go-control-plane/envoy/api/v2"
	envoy_api_v2_auth "github.com/envoyproxy/go-control-plane/envoy/api/v2/auth"
	envoy_api_v2_core "github.com/envoyproxy/go-control-plane/envoy/api/v2/core"
	sds "github.com/envoyproxy/go-control-plane/envoy/service/discovery/v2"

	"github.com/golang/protobuf/ptypes"
	//"github.com/gogo/protobuf/types"
	"google.golang.org/grpc/metadata"
)

const (
	// SdsSocketpath is the socket path on which the envoy will talk to the remoteEnforcer.
	//SdsSocketpath = "@aporeto_envoy_sds"
	SdsSocketpath = "127.0.0.1:2999"
	//SdsSocketpath = "/var/run/sds/uds_path"
	typeCertificate = "CERTIFICATE"
)

// Options to create a SDS server to task to envoy
type Options struct {
	SocketPath string
}

// sdsCerts is the structure will pass the upstream certs downwards.
type sdsCerts struct {
	key    string
	cert   string
	caPool *x509.CertPool
}

// SdsDiscoveryStream is the same as the sds.SecretDiscoveryService_StreamSecretsServer
type SdsDiscoveryStream interface {
	Send(*v2.DiscoveryResponse) error
	Recv() (*v2.DiscoveryRequest, error)
	grpc.ServerStream
}

var _ sds.SecretDiscoveryServiceServer = &SdsServer{}

// SdsServer to talk with envoy for sds.
type SdsServer struct {
	sdsGrpcServer   *grpc.Server
	sdsGrpcListener net.Listener

	errCh   chan error
	puInfo  *policy.PUInfo
	cert    *tls.Certificate
	ca      *x509.CertPool
	keyPEM  string
	certPEM string
	secrets secrets.Secrets
	sync.RWMutex
	// conncache is a cache of the sdsConnection, here the key is the connectionID and val is the secret.
	conncache cache.DataStore
	// updCertsChannel is used whenever there is a cert-update/Enfore
	updCertsChannel chan sdsCerts
	connMap         map[string]bool
}

type secretItem struct {
	CertificateChain []byte
	PrivateKey       []byte

	RootCert []byte

	// RootCertOwnedByCompoundSecret is true if this SecretItem was created by a
	// K8S secret having both server cert/key and client ca and should be deleted
	// with the secret.
	RootCertOwnedByCompoundSecret bool

	// ResourceName passed from envoy SDS discovery request.
	// "ROOTCA" for root cert request, "default" for key/cert request.
	ResourceName string

	// Credential token passed from envoy, caClient uses this token to send
	// CSR to CA to sign certificate.
	Token string

	// Version is used(together with token and ResourceName) to identify discovery request from
	// envoy which is used only for confirm purpose.
	Version string

	CreatedTime time.Time

	ExpireTime time.Time
}

// clientConn is ID for the connection between client and SDS server.
type clientConn struct {
	clientID string
	// the TLS cert information cached for this particular connection
	secret *secretItem

	// connectionID is the ID for each new request, make it a combo of nodeID+counter.
	connectionID string
	stream       SdsDiscoveryStream
}

// NewSdsServer creates a instance of a server.
func NewSdsServer(contextID string, puInfo *policy.PUInfo, caPool *x509.CertPool, secrets secrets.Secrets) (*SdsServer, error) {
	if puInfo == nil {
		zap.L().Error("SDS Server: puInfo NIL ")
		return nil, fmt.Errorf("the puinfo cannot be nil")
	}

	sdsOptions := &Options{SocketPath: SdsSocketpath}
	sdsServer := &SdsServer{
		puInfo:          puInfo,
		ca:              caPool,
		errCh:           make(chan error),
		secrets:         secrets,
		conncache:       cache.NewCache("servers"),
		updCertsChannel: make(chan sdsCerts),
		connMap:         make(map[string]bool),
	}
	if err := sdsServer.CreateSdsService(sdsOptions); err != nil {
		zap.L().Error("SDS Server:Error while starting the envoy sds server.")
		return nil, err
	}
	zap.L().Debug("SDS Server: SDS start success", zap.String("pu", puInfo.ContextID))
	return sdsServer, nil
}

// CreateSdsService does the following
// 1. create grpc server.
// 2. create a listener on the Unix Domain Socket.
// 3.
func (s *SdsServer) CreateSdsService(options *Options) error { // nolint: unparam
	s.sdsGrpcServer = grpc.NewServer()
	s.register(s.sdsGrpcServer)

	addr, err := net.ResolveTCPAddr("tcp", options.SocketPath)
	if err != nil {
		return err
	}
	nl, err := net.ListenTCP("tcp", addr)
	if err != nil {
		return err
	}
	// if err := os.Remove(options.SocketPath); err != nil && !os.IsNotExist(err) {
	// 	zap.L().Error("SDS Server: envoy-reireme, failed to remove the udspath", zap.Error(err))
	// 	return err
	// }
	// zap.L().Debug("SDS Server: Start listening on UDS path", zap.Any("socketPath", options.SocketPath))
	// addr, _ := net.ResolveUnixAddr("unix", options.SocketPath)

	// sdsGrpcListener, err := net.ListenUnix("unix", addr)
	// if err != nil {
	// 	zap.L().Error("SDS Server:cannot listen on the socketpath", zap.Error(err))
	// 	return err
	// }
	// //make sure the socket path can be accessed.
	// if _, err := os.Stat(options.SocketPath); err != nil {
	// 	zap.L().Error("SDS Server: SDS uds file doesn't exist", zap.String("socketPath:", options.SocketPath))
	// 	return fmt.Errorf("sds uds file %q doesn't exist", options.SocketPath)
	// }
	// if err := os.Chmod(options.SocketPath, 0666); err != nil {
	// 	zap.L().Error("SDS Server: Failed to update permission", zap.String("socketPath:", options.SocketPath))
	// 	return fmt.Errorf("failed to update %q permission", options.SocketPath)
	// }
	s.sdsGrpcListener = nl

	zap.L().Debug("SDS Server: run the grpc server at", zap.Any("addr", s.sdsGrpcListener.Addr()))
	s.Run()
	return nil
}

// Run starts the sdsGrpcServer to serve
func (s *SdsServer) Run() {
	go func() {
		if s.sdsGrpcListener != nil {
			if err := s.sdsGrpcServer.Serve(s.sdsGrpcListener); err != nil {
				zap.L().Error("SDS Server: Error while serve", zap.Error(err))
				s.errCh <- err
			}
		}
		zap.L().Error("SDS Server: the listener is nil, cannot start the SDS server for", zap.String("puID", s.puInfo.ContextID))
	}()
}

// Stop stops all the listeners and the grpc servers.
func (s *SdsServer) Stop() {
	if s.sdsGrpcListener != nil {
		s.sdsGrpcListener.Close() // nolint
	}
	if s.sdsGrpcServer != nil {
		s.sdsGrpcServer.Stop()
	}
}

// GracefulStop calls the function with the same name on the backing gRPC server
func (s *SdsServer) GracefulStop() {
	s.sdsGrpcServer.GracefulStop()
}

// register adds the SDS handle to the grpc server
func (s *SdsServer) register(sdsGrpcServer *grpc.Server) {
	zap.L().Debug("SDS Server:  envoy-trireme registering the secret discovery")
	sds.RegisterSecretDiscoveryServiceServer(sdsGrpcServer, s)
}

// UpdateSecrets updates the secrets
// Whenever the Envoy makes a request for certificate, the certs and keys are fetched from
// the Proxy.
func (s *SdsServer) UpdateSecrets(cert *tls.Certificate, caPool *x509.CertPool, secrets secrets.Secrets, certPEM, keyPEM string) {
	s.Lock()
	defer s.Unlock()

	s.cert = cert
	s.ca = caPool
	//s.secrets = secrets
	s.certPEM = certPEM
	s.keyPEM = keyPEM
	s.updCertsChannel <- sdsCerts{key: keyPEM, cert: certPEM, caPool: caPool}
}

// now implement the interfaces of the SDS grpc server.
// type SecretDiscoveryServiceServer interface {
// 	DeltaSecrets(SecretDiscoveryService_DeltaSecretsServer) error
// 	StreamSecrets(SecretDiscoveryService_StreamSecretsServer) error
// 	FetchSecrets(context.Context, *v2.DiscoveryRequest) (*v2.DiscoveryResponse, error)
// }

// DeltaSecrets checks for the delta and sends the changes.
func (s *SdsServer) DeltaSecrets(stream sds.SecretDiscoveryService_DeltaSecretsServer) error {
	return nil
}

func startStreaming(stream SdsDiscoveryStream, discoveryReqCh chan *v2.DiscoveryRequest) {
	defer close(discoveryReqCh)
	for {
		req, err := stream.Recv()
		if err != nil {
			zap.L().Error("SDS Server: Connection terminated with err", zap.Error(err))
			return
		}
		discoveryReqCh <- req
	}
}

// StreamSecrets is the function invoked by the envoy in-order to pull the certs, this also sends the response back to the envoy.
// It does the following:
// 1. create a receiver thread to stream the requests.
// 2. parse the discovery request.
// 3. track the request.
// 4. call the Aporeto api to generate the secret
func (s *SdsServer) StreamSecrets(stream sds.SecretDiscoveryService_StreamSecretsServer) error {
	ctx := stream.Context()
	token := ""
	metadata, ok := metadata.FromIncomingContext(ctx)
	if !ok {
		return fmt.Errorf("unable to get metadata from incoming context")
	}
	if h, ok := metadata["authorization"]; ok {
		if len(h) != 1 {
			return fmt.Errorf("credential token from %q must have 1 value in gRPC metadata but got %d", "authorization", len(h))
		}
		token = h[0]
	}
	zap.L().Debug("SDS Server: IN stream secrets, token", zap.String("token", token))

	// create new connection
	conn := &clientConn{}
	conn.stream = stream
	discoveryReqCh := make(chan *v2.DiscoveryRequest, 1)
	go startStreaming(stream, discoveryReqCh)

	for {
		// wait for the receiver thread to stream the request and send it to us over here.
		select {
		case req, ok := <-discoveryReqCh:
			// if req == nil {
			// 	zap.L().Warn("SDS Server: The request is nil")
			// 	continue
			// }
			// Now check the following:
			// 1. Return if stream is closed.
			// 2. Return if its invalid request.
			if !ok {
				zap.L().Error("SDS Server: Receiver channel closed, which means the Receiver stream is closed")
				return fmt.Errorf("Receiver closed the channel")
			}
			// then check for the req.Node
			if req.Node == nil {
				zap.L().Error("Invalid discovery request with no node")
				return fmt.Errorf("invalid discovery request with no node")
			}
			if req.ErrorDetail != nil {
				zap.L().Error("SDS Server: ERROR from envoy for processing the resource", zap.String("error", req.GetErrorDetail().String()))
				continue
			}

			// now according to the Istio pilot SDS secret config we have 2 configs, this configs are pushed to envoy through Istio.
			// 1. SDSDefaultResourceName is the default name in sdsconfig, used for fetching normal key/cert.
			// 2. SDSRootResourceName is the sdsconfig name for root CA, used for fetching root cert.
			// therefore from the above we receive 2 requests, 1 for default and 2 for the ROOTCA

			// now check for the resourcename, it should atleast have one, else continue and stream the next request.
			// according to the definition this could be empty.
			if len(req.ResourceNames) == 0 {
				continue
			}
			if len(req.ResourceNames) > 1 {
				return fmt.Errorf("SDS Server: invalid resourceNames, greater than one")
			}
			resourceName := req.ResourceNames[0]
			conn.clientID = req.Node.GetId()
			//if len(conn.connectionID) == 0 {
			conn.connectionID = createConnID(conn.clientID, resourceName)

			// if this is not the 1st request and if the secret is already present then dont proceed as this is a ACK according to the XDS protocol.
			if req.VersionInfo != "" && s.checkSecretPresent(conn.connectionID, req, token) {
				zap.L().Warn("SDS Server: got a ACK from envoy", zap.String("connectionID", conn.connectionID), zap.String("resourceName", resourceName), zap.String("version", req.VersionInfo))
				continue
			}
			secret := s.generateSecret(req, token)
			if secret == nil {
				zap.L().Error("SDS Server: the Certs cannot be served so return nil")
				return fmt.Errorf("the aporeto SDS server cannot generate server, the certs are nil")
			}
			conn.secret = secret
			s.conncache.AddOrUpdate(conn.connectionID, conn)

			resp := &v2.DiscoveryResponse{
				TypeUrl:     "type.googleapis.com/envoy.api.v2.auth.Secret",
				VersionInfo: secret.Version,
				Nonce:       secret.Version,
			}
			retSecret := &envoy_api_v2_auth.Secret{
				Name: secret.ResourceName,
			}
			if secret.RootCert != nil {
				retSecret.Type = getRootCert(secret)
			} else {
				retSecret.Type = getTLScerts(secret)
			}
			endSecret, err := ptypes.MarshalAny(retSecret)
			if err != nil {
				zap.L().Error("SDS Server: Cannot marshall the secret", zap.Error(err))
				continue
			}
			resp.Resources = append(resp.Resources, endSecret)
			if err = stream.Send(resp); err != nil {
				zap.L().Error("SDS Server: Failed to send the resp cert", zap.Error(err))
				return err
			}
			if secret.RootCert != nil {
				zap.L().Debug("SDS Server: Successfully sent root cert", zap.String("rootCA", string(secret.RootCert)))
			} else {
				zap.L().Debug("SDS Server: Successfully sent default cert", zap.String("default cert", string(secret.CertificateChain)))
			}
		case updateCerts := <-s.updCertsChannel:
			// 1st check if the connection is present

			if _, err := s.conncache.Get(conn.connectionID); err != nil {
				zap.L().Warn("SDS server: updCertsChannel, no connID found in cache,", zap.String("connID", conn.connectionID))
				continue
			}
			fmt.Println("connID found now send certs")
			if updateCerts.key != "" && updateCerts.cert != "" {
				if err := s.sendUpdatedCerts(updateCerts, conn); err != nil {
					zap.L().Error("SDS Server: send updated certs failed", zap.Error(err))
				}
			}
		}
	}

}

func (s *SdsServer) sendUpdatedCerts(apoSecret sdsCerts, conn *clientConn) error {
	var err error
	pemCert := []byte{} // nolint
	t := time.Now()

	if apoSecret.key != "" && apoSecret.cert != "" {
		caPEM := s.secrets.CertAuthority()

		pemCert, err = buildCertChain([]byte(apoSecret.cert), caPEM)
		if err != nil {
			zap.L().Error("SDS Server: Cannot build the cert chain")
			return fmt.Errorf("SDS Server: Cannot build the cert chain")
		}

		resp := &v2.DiscoveryResponse{
			TypeUrl:     "type.googleapis.com/envoy.api.v2.auth.Secret",
			VersionInfo: t.String(),
			Nonce:       t.String(),
		}
		retSecret := &envoy_api_v2_auth.Secret{
			Name: "default",
		}

		retSecret.Type = &envoy_api_v2_auth.Secret_TlsCertificate{
			TlsCertificate: &envoy_api_v2_auth.TlsCertificate{
				CertificateChain: &envoy_api_v2_core.DataSource{
					Specifier: &envoy_api_v2_core.DataSource_InlineBytes{
						InlineBytes: pemCert,
					},
				},
				PrivateKey: &envoy_api_v2_core.DataSource{
					Specifier: &envoy_api_v2_core.DataSource_InlineBytes{
						InlineBytes: []byte(apoSecret.key),
					},
				},
			},
		}

		endSecret, err := ptypes.MarshalAny(retSecret)
		if err != nil {
			zap.L().Error("SDS Server: Cannot marshall the secret")
			return fmt.Errorf("SDS Server: Cannot marshall the secret")
		}

		resp.Resources = append(resp.Resources, endSecret)
		if err = conn.stream.Send(resp); err != nil {
			zap.L().Error("SDS Server: Failed to send the resp cert")
			return err
		}

	}
	return nil
}

func (s *SdsServer) checkSecretPresent(connID string, req *v2.DiscoveryRequest, token string) bool {
	val, err := s.conncache.Get(connID)
	if err != nil {
		return false
	}
	e := val.(*clientConn)
	return e.secret.ResourceName == req.ResourceNames[0] && e.secret.Token == token && e.secret.Version == req.VersionInfo
}

func createConnID(clientID, resourceName string) string {
	temp := clientID + resourceName
	zap.L().Debug("SDS Server: generated a unique ID", zap.String("connID", temp), zap.String("resource", resourceName))
	return temp
}

// FetchSecrets gets the discovery request and call the Aporeto backend to fetch the certs.
// 1. parse the discovery request.
// 2. track the request.
// 3. call the Aporeto api to generate the secret
func (s *SdsServer) FetchSecrets(ctx context.Context, req *v2.DiscoveryRequest) (*v2.DiscoveryResponse, error) {
	token := ""
	metadata, ok := metadata.FromIncomingContext(ctx)
	if !ok {
		return nil, fmt.Errorf("unable to get metadata from incoming context")
	}
	if h, ok := metadata["authorization"]; ok {
		if len(h) != 1 {
			return nil, fmt.Errorf("credential token from %q must have 1 value in gRPC metadata but got %d", "authorization", len(h))
		}
		token = h[0]
	}
	zap.L().Info("SDS Server: IN stream secrets, token", zap.String("token", token))
	secret := s.generateSecret(req, token)

	resp := &v2.DiscoveryResponse{
		TypeUrl: "type.googleapis.com/envoy.api.v2.auth.Secret",
	}
	retSecret := &envoy_api_v2_auth.Secret{
		Name: secret.ResourceName,
	}
	if secret.RootCert != nil {
		retSecret.Type = getRootCert(secret)
	} else {
		retSecret.Type = getTLScerts(secret)
	}
	endSecret, err := ptypes.MarshalAny(retSecret)
	if err != nil {
		zap.L().Error("SDS Server: Cannot marshall the secret")
		return nil, err
	}
	resp.Resources = append(resp.Resources, endSecret)

	if secret.RootCert != nil {
		zap.L().Debug("SDS Server: Successfully sent root cert", zap.Any("rootCA", string(secret.RootCert)))
	} else {
		zap.L().Debug("SDS Server: Successfully sent default cert", zap.Any("default cert", string(secret.CertificateChain)))
	}
	return resp, nil
}

// generateSecret is the call which talks to the metadata API to fetch the certs.
func (s *SdsServer) generateSecret(req *v2.DiscoveryRequest, token string) *secretItem {

	var err error
	var pemCert []byte
	t := time.Now()
	var expTime time.Time

	if s.puInfo.Policy == nil {
		zap.L().Error("SDS Server:  The policy is nil, Policy cannot be nil.")
	}
	// now fetch the certificates for the PU/Service.
	certPEM, keyPEM, _ := s.puInfo.Policy.ServiceCertificates()
	if certPEM == "" || keyPEM == "" {
		zap.L().Error("SDS Server:  the certs are empty")
		return nil
	}

	caPEM := s.secrets.CertAuthority()
	if req.ResourceNames[0] == "default" {

		expTime, _ = getExpTimeFromCert([]byte(certPEM))
		pemCert, _ = buildCertChain([]byte(certPEM), caPEM)
		if err != nil {
			zap.L().Error("SDS Server: Cannot build the cert chain")
			return nil
		}

	} else {

		expTime, _ = getExpTimeFromCert(caPEM)
		pemCert, err = getTopRootCa(caPEM)
		if err != nil {
			zap.L().Error("SDS Server:  Cannot build the Root cert chain")
		}
	}
	if err != nil {
		zap.L().Error("SDS Server: cannot get exp time", zap.Error(err))
		return nil
	}
	if req.ResourceNames[0] == "default" {
		return &secretItem{
			CertificateChain: pemCert,
			PrivateKey:       []byte(keyPEM),
			//PrivateKey:   []byte(keyPEMdebug),
			ResourceName: req.ResourceNames[0],
			Token:        token,
			CreatedTime:  t,
			ExpireTime:   expTime,
			Version:      t.String(),
		}
	}

	return &secretItem{
		RootCert:     pemCert,
		ResourceName: req.ResourceNames[0],
		Token:        token,
		CreatedTime:  t,
		ExpireTime:   expTime,
		Version:      t.String(),
	}

}

func buildCertChain(certPEM, caPEM []byte) ([]byte, error) {
	zap.L().Debug("SDS Server: BEFORE in buildCertChain certPEM", zap.String("certPEM", string(certPEM)), zap.String("caPEM", string(caPEM)))
	certChain := []*x509.Certificate{}
	//certPEMBlock := caPEM
	clientPEMBlock := certPEM
	derBlock, _ := pem.Decode(clientPEMBlock)
	if derBlock != nil {
		if derBlock.Type == typeCertificate {
			cert, err := x509.ParseCertificate(derBlock.Bytes)
			if err != nil {
				return nil, err
			}
			certChain = append(certChain, cert)
		} else {
			return nil, fmt.Errorf("invalid pem block type: %s", derBlock.Type)
		}
	}
	var certDERBlock *pem.Block
	for {
		certDERBlock, caPEM = pem.Decode(caPEM)
		if certDERBlock == nil {
			break
		}
		if certDERBlock.Type == typeCertificate {
			cert, err := x509.ParseCertificate(certDERBlock.Bytes)
			if err != nil {
				return nil, err
			}
			certChain = append(certChain, cert)
		} else {
			return nil, fmt.Errorf("invalid pem block type: %s", certDERBlock.Type)
		}
	}
	by, _ := x509CertChainToPem(certChain)
	zap.L().Debug("SDS Server: After building the cert chain", zap.String("certChain", string(by)))
	return x509CertChainToPem(certChain)
}

// x509CertToPem converts x509 to byte.
func x509CertToPem(cert *x509.Certificate) ([]byte, error) {
	var pemBytes bytes.Buffer
	if err := pem.Encode(&pemBytes, &pem.Block{Type: typeCertificate, Bytes: cert.Raw}); err != nil {
		return nil, err
	}
	return pemBytes.Bytes(), nil
}

// x509CertChainToPem converts chain of x509 certs to byte.
func x509CertChainToPem(certChain []*x509.Certificate) ([]byte, error) {
	var pemBytes bytes.Buffer
	for _, cert := range certChain {
		if err := pem.Encode(&pemBytes, &pem.Block{Type: typeCertificate, Bytes: cert.Raw}); err != nil {
			return nil, err
		}
	}
	return pemBytes.Bytes(), nil
}

// getTopRootCa get the top root CA
func getTopRootCa(certPEMBlock []byte) ([]byte, error) {
	zap.L().Debug("SDS Server: BEFORE root cert", zap.String("root_cert", string(certPEMBlock)))
	//rootCert := []*x509.Certificate{}
	var certChain tls.Certificate
	//certPEMBlock := []byte(rootcaBundle)
	var certDERBlock *pem.Block
	for {
		certDERBlock, certPEMBlock = pem.Decode(certPEMBlock)
		if certDERBlock == nil {
			break
		}
		if certDERBlock.Type == typeCertificate {
			certChain.Certificate = append(certChain.Certificate, certDERBlock.Bytes)
		}
	}
	zap.L().Debug("SDS Server: the root ca", zap.String("cert", string(certChain.Certificate[len(certChain.Certificate)-1])))
	x509Cert, err := x509.ParseCertificate(certChain.Certificate[len(certChain.Certificate)-1])
	if err != nil {
		panic(err)
	}
	by, _ := x509CertToPem(x509Cert)
	zap.L().Debug("SDS Server: After building the cert chain", zap.String("rootCert", string(by)))
	return x509CertToPem(x509Cert)
}

// getExpTimeFromCert gets the exp time from the cert, assumning the cert is in pem encoded.
func getExpTimeFromCert(cert []byte) (time.Time, error) {
	block, _ := pem.Decode(cert)
	if block == nil {
		zap.L().Error("getExpTimeFromCert: error while pem decode")
		return time.Time{}, fmt.Errorf("Cannot decode the pem certs")
	}
	x509Cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		zap.L().Error("failed to parse the certs", zap.Error(err))
		return time.Time{}, err
	}
	return x509Cert.NotAfter, nil
}

func getRootCert(secret *secretItem) *envoy_api_v2_auth.Secret_ValidationContext {
	return &envoy_api_v2_auth.Secret_ValidationContext{
		ValidationContext: &envoy_api_v2_auth.CertificateValidationContext{
			TrustedCa: &envoy_api_v2_core.DataSource{
				Specifier: &envoy_api_v2_core.DataSource_InlineBytes{
					InlineBytes: secret.RootCert,
				},
			},
		},
	}
}

func getTLScerts(secret *secretItem) *envoy_api_v2_auth.Secret_TlsCertificate {
	return &envoy_api_v2_auth.Secret_TlsCertificate{
		TlsCertificate: &envoy_api_v2_auth.TlsCertificate{
			CertificateChain: &envoy_api_v2_core.DataSource{
				Specifier: &envoy_api_v2_core.DataSource_InlineBytes{
					InlineBytes: secret.CertificateChain,
				},
			},
			PrivateKey: &envoy_api_v2_core.DataSource{
				Specifier: &envoy_api_v2_core.DataSource_InlineBytes{
					InlineBytes: secret.PrivateKey,
				},
			},
		},
	}
}


================================================
FILE: controller/internal/enforcer/flowstats/state.go
================================================
package flowstats

import (
	"net"
	"net/http"

	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/apiauth"

	"go.aporeto.io/enforcerd/trireme-lib/collector"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packet"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
)

// ConnectionState captures the connection state. This state
// is passed to the RoundTripper for any last minute adjustments.
type ConnectionState struct {
	Stats  *collector.FlowRecord
	Cookie *http.Cookie
}

// NewAppConnectionState will create the initial connection state object.
func NewAppConnectionState(nativeID string, r *http.Request, authRequest *apiauth.Request, resp *apiauth.AppAuthResponse) *ConnectionState {

	sourceIP := "0.0.0.0/0"
	sourcePort := 0
	if sourceAddress, err := net.ResolveTCPAddr("tcp", r.RemoteAddr); err == nil {
		sourceIP = sourceAddress.IP.String()
		sourcePort = sourceAddress.Port
	}

	var tags policy.TagStore
	if resp.PUContext.Annotations() != nil {
		tags = *resp.PUContext.Annotations()
	}

	return &ConnectionState{
		Stats: &collector.FlowRecord{
			ContextID: nativeID,
			Destination: collector.EndPoint{
				URI:        r.Method + " " + r.RequestURI,
				HTTPMethod: r.Method,
				Type:       collector.EndPointTypeExternalIP,
				Port:       uint16(authRequest.OriginalDestination.Port),
				IP:         authRequest.OriginalDestination.IP.String(),
				ID:         resp.NetworkServiceID,
			},
			Source: collector.EndPoint{
				Type:       collector.EndPointTypePU,
				ID:         resp.PUContext.ManagementID(),
				IP:         sourceIP,
				Port:       uint16(sourcePort),
				HTTPMethod: r.Method,
				URI:        r.Method + " " + r.RequestURI,
			},
			Action:      resp.Action,
			L4Protocol:  packet.IPProtocolTCP,
			ServiceType: policy.ServiceHTTP,
			ServiceID:   resp.ServiceID,
			Tags:        tags.GetSlice(),
			Namespace:   resp.PUContext.ManagementNamespace(),
			PolicyID:    resp.NetworkPolicyID,
			Count:       1,
		},
	}
}

// NewNetworkConnectionState will create the initial connection state object.
func NewNetworkConnectionState(nativeID string, userID string, r *apiauth.Request, d *apiauth.NetworkAuthResponse) *ConnectionState {

	var mgmtID, namespace, serviceID string
	var tags policy.TagStore

	if d.PUContext != nil {
		mgmtID = d.PUContext.ManagementID()
		namespace = d.PUContext.ManagementNamespace()
		if d.PUContext.Annotations() != nil {
			tags = *d.PUContext.Annotations()
		}
		serviceID = d.ServiceID
	} else {
		mgmtID = collector.DefaultEndPoint
		namespace = collector.DefaultEndPoint
		tags = *policy.NewTagStore()
		serviceID = collector.DefaultEndPoint
	}

	sourceType := collector.EndPointTypeExternalIP
	sourceID := collector.DefaultEndPoint
	networkPolicyID := collector.DefaultEndPoint
	action := policy.Reject | policy.Log

	if d != nil {
		sourceType = d.SourceType
		if sourceType == collector.EndPointTypeClaims {
			sourceType = collector.EndPointTypeExternalIP
		}

		switch d.SourceType {
		case collector.EndPointTypePU:
			sourceID = d.SourcePUID
		case collector.EndPointTypeClaims:
			sourceID = d.NetworkServiceID
		default:
			sourceID = d.NetworkServiceID
		}

		if d.NetworkPolicyID != "" {
			networkPolicyID = d.NetworkPolicyID
		}
		action = d.Action
	}

	c := &ConnectionState{
		Stats: &collector.FlowRecord{
			ContextID: nativeID,
			Destination: collector.EndPoint{
				ID:         mgmtID,
				Type:       collector.EndPointTypePU,
				IP:         r.OriginalDestination.IP.String(),
				Port:       uint16(r.OriginalDestination.Port),
				URI:        r.Method + " " + r.RequestURI,
				HTTPMethod: r.Method,
				UserID:     userID,
			},
			Source: collector.EndPoint{
				ID:     sourceID,
				Type:   sourceType,
				IP:     r.SourceAddress.IP.String(),
				Port:   uint16(r.SourceAddress.Port),
				UserID: userID,
			},
			Action:      action,
			L4Protocol:  packet.IPProtocolTCP,
			ServiceType: policy.ServiceHTTP,
			PolicyID:    networkPolicyID,
			ServiceID:   serviceID,
			Tags:        tags.GetSlice(),
			Namespace:   namespace,
			Count:       1,
		},
	}

	if d != nil {
		if d.Action.Rejected() {
			c.Stats.DropReason = d.DropReason
		}

		if d.ObservedPolicyID != "" {
			c.Stats.ObservedPolicyID = d.ObservedPolicyID
			c.Stats.ObservedAction = d.ObservedAction
		}

		c.Cookie = d.Cookie
	}

	return c
}


================================================
FILE: controller/internal/enforcer/lookup/lookup.go
================================================
package lookup

import (
	"errors"
	"fmt"
	"sort"
	"strings"

	"go.aporeto.io/enforcerd/trireme-lib/controller/constants"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
	"go.aporeto.io/enforcerd/trireme-lib/utils/portspec"
	"go.uber.org/zap"
)

// ForwardingPolicy is an instance of the forwarding policy
type ForwardingPolicy struct {
	tags    []policy.KeyValueOperator
	count   int
	index   int
	actions interface{}
}

// intList is a list of integeres
type intList []int

//PolicyDB is the structure of a policy
type PolicyDB struct {
	// rules    []policy
	numberOfPolicies       int
	equalPrefixes          map[string]intList
	equalMapTable          map[string]map[string][]*ForwardingPolicy
	equalIDMapTable        map[string][]*ForwardingPolicy
	notEqualMapTable       map[string]map[string][]*ForwardingPolicy
	notStarTable           map[string][]*ForwardingPolicy
	defaultNotExistsPolicy *ForwardingPolicy
}

//NewPolicyDB creates a new PolicyDB for efficient search of policies
func NewPolicyDB() (m *PolicyDB) {

	m = &PolicyDB{
		numberOfPolicies:       0,
		equalPrefixes:          map[string]intList{},
		equalMapTable:          map[string]map[string][]*ForwardingPolicy{},
		equalIDMapTable:        map[string][]*ForwardingPolicy{},
		notEqualMapTable:       map[string]map[string][]*ForwardingPolicy{},
		notStarTable:           map[string][]*ForwardingPolicy{},
		defaultNotExistsPolicy: nil,
	}

	return m
}

func (array intList) sortedInsert(value int) intList {
	l := len(array)
	if l == 0 {
		array = append(array, value)
		return array
	}

	i := sort.Search(l, func(i int) bool {
		return array[i] <= value
	})

	if i == 0 { // new value is the largest
		array = append([]int{value}, array...)
		return array
	}

	if i == l-1 { // new value is the smallest
		array = append(array, value)
		return array
	}

	inserted := append(array[0:i], value)

	return append(inserted, array[i:]...)

}

//AddPolicy adds a policy to the database
func (m *PolicyDB) AddPolicy(selector policy.TagSelector) (policyID int) {

	// Create a new policy object
	e := ForwardingPolicy{
		count:   0,
		tags:    selector.Clause,
		actions: selector.Policy,
	}

	// For each tag of the incoming policy add a mapping between the map tables
	// and the structure that represents the policy
	for _, keyValueOp := range selector.Clause {

		switch keyValueOp.Operator {

		case policy.KeyExists:
			m.equalPrefixes[keyValueOp.Key] = m.equalPrefixes[keyValueOp.Key].sortedInsert(0)
			if _, ok := m.equalMapTable[keyValueOp.Key]; !ok {
				m.equalMapTable[keyValueOp.Key] = map[string][]*ForwardingPolicy{}
			}
			m.equalMapTable[keyValueOp.Key][""] = append(m.equalMapTable[keyValueOp.Key][""], &e)
			e.count++

		case policy.KeyNotExists:
			m.notStarTable[keyValueOp.Key] = append(m.notStarTable[keyValueOp.Key], &e)
			if len(selector.Clause) == 1 {
				m.defaultNotExistsPolicy = &e
			}

		case policy.Equal:
			if _, ok := m.equalMapTable[keyValueOp.Key]; !ok {
				m.equalMapTable[keyValueOp.Key] = map[string][]*ForwardingPolicy{}
			}
			for _, v := range keyValueOp.Value {
				if end := len(v) - 1; v[end] == '*' {
					m.equalPrefixes[keyValueOp.Key] = m.equalPrefixes[keyValueOp.Key].sortedInsert(end)
					m.equalMapTable[keyValueOp.Key][v[:end]] = append(m.equalMapTable[keyValueOp.Key][v[:end]], &e)
				} else {
					m.equalMapTable[keyValueOp.Key][v] = append(m.equalMapTable[keyValueOp.Key][v], &e)
				}
			}
			if keyValueOp.ID != "" {
				if _, ok := m.equalIDMapTable[keyValueOp.ID]; !ok {
					m.equalIDMapTable[keyValueOp.ID] = []*ForwardingPolicy{}
				}
				m.equalIDMapTable[keyValueOp.ID] = append(m.equalIDMapTable[keyValueOp.ID], &e)
			}
			e.count++

		default: // policy.NotEqual
			if _, ok := m.notEqualMapTable[keyValueOp.Key]; !ok {
				m.notEqualMapTable[keyValueOp.Key] = map[string][]*ForwardingPolicy{}
			}
			for _, v := range keyValueOp.Value {
				m.notEqualMapTable[keyValueOp.Key][v] = append(m.notEqualMapTable[keyValueOp.Key][v], &e)
				e.count++
			}
		}
	}

	// Increase the number of policies
	m.numberOfPolicies++

	// Give the policy an index
	e.index = m.numberOfPolicies

	// Return the ID
	return e.index

}

var (
	errInvalidTag = errors.New("tag must be k=v")
)

// Custom implementation for splitting strings. Gives significant performance
// improvement. Do not allocate new strings
func (m *PolicyDB) tagSplit(tag string, k *string, v *string) error {
	l := len(tag)
	if l < 3 {
		return errInvalidTag
	}

	if tag[0] == '=' {
		return errInvalidTag
	}

	for i := 0; i < l; i++ {
		if tag[i] == '=' {
			if i+1 >= l {
				return errInvalidTag
			}
			*k = tag[:i]
			*v = tag[i+1:]
			return nil
		}
	}

	return errInvalidTag
}

// Search searches for a set of tags in the database to find a policy match
func (m *PolicyDB) Search(tags *policy.TagStore) (int, interface{}) {

	count := make([]int, m.numberOfPolicies+1)

	skip := make([]bool, m.numberOfPolicies+1)

	// Disable all policies that fail the not key exists
	copiedTags := tags.GetSlice()
	var k, v string

	for _, t := range copiedTags {
		if err := m.tagSplit(t, &k, &v); err != nil {
			continue
		}
		for _, policy := range m.notStarTable[k] {
			skip[policy.index] = true
		}
	}

	// Go through the list of tags
	for _, t := range copiedTags {

		// Search for matches of t (tag id)
		if index, action := searchInMapTable(m.equalIDMapTable[t], nil, count, skip); index >= 0 {
			return index, action
		}

		if err := m.tagSplit(t, &k, &v); err != nil {
			continue
		}

		var ports *portspec.PortSpec
		if k == constants.PortNumberLabelString {
			// We should get range here
			tagValue, servicePorts, err := parseTagValueRange(v)
			if err != nil || servicePorts == nil {
				continue
			}
			v = tagValue
			ports = servicePorts
		}

		// Search for matches of k=v
		if index, action := searchInMapTable(m.equalMapTable[k][v], ports, count, skip); index >= 0 {
			return index, action
		}

		// Search for matches in prefixes
		for _, i := range m.equalPrefixes[k] {
			if i <= len(v) {
				if index, action := searchInMapTable(m.equalMapTable[k][v[:i]], nil, count, skip); index >= 0 {
					return index, action
				}
			}
		}

		// Parse all of the policies that have a key that matches the incoming tag key
		// and a not equal operator and that has a not match rule
		for value, policies := range m.notEqualMapTable[k] {
			if v == value {
				continue
			}

			if index, action := searchInMapTable(policies, nil, count, skip); index >= 0 {
				return index, action
			}
		}
	}

	if m.defaultNotExistsPolicy != nil && !skip[m.defaultNotExistsPolicy.index] {
		return m.defaultNotExistsPolicy.index, m.defaultNotExistsPolicy.actions
	}

	return -1, nil
}

func searchInMapTable(table []*ForwardingPolicy, ports *portspec.PortSpec, count []int, skip []bool) (int, interface{}) {
	for _, policy := range table {

		// Skip the policy if we have marked it
		if skip[policy.index] {
			continue
		}

		if ports != nil {
			for _, tag := range policy.tags {
				if tag.PortRange != nil && tag.PortRange.Intersects(ports) {
					count[policy.index]++
					break
				}
			}
		} else {
			// Since a policy is hit, the count of remaining tags is reduced by one
			count[policy.index]++
		}

		// If all tags of the policy have been hit, there is a match
		if count[policy.index] == policy.count {
			return policy.index, policy.actions
		}

	}

	return -1, nil
}

// PrintPolicyDB is a debugging function to dump the map
func (m *PolicyDB) PrintPolicyDB() {

	zap.L().Debug("Print Policy DB: equal table")

	for key, values := range m.equalMapTable {
		for value, policies := range values {
			zap.L().Debug("Print Policy DB",
				zap.String("policies", fmt.Sprintf("%#v", policies)),
				zap.String("key", key),
				zap.String("value", value),
			)
		}
	}

	zap.L().Debug("Print Policy DB: equal id table")

	for key, values := range m.equalIDMapTable {
		for _, policies := range values {
			zap.L().Debug("Print Policy DB",
				zap.String("policies", fmt.Sprintf("%#v", policies)),
				zap.String("key", key),
			)
		}
	}

	zap.L().Debug("Print Policy DB - not equal table")

	for key, values := range m.notEqualMapTable {
		for value, policies := range values {
			zap.L().Debug("Print Policy DB",
				zap.String("policies", fmt.Sprintf("%#v", policies)),
				zap.String("key", key),
				zap.String("value", value),
			)
		}
	}

}

func parseTagValueRange(value string) (string, *portspec.PortSpec, error) {
	index := strings.Index(value, "/")
	if index == -1 {
		// means there was no range
		return value, nil, nil
	}
	rangeSpec, err := portspec.NewPortSpecFromString(value[index+1:], nil)
	if err != nil {
		return "", nil, err
	}
	return value[:index], rangeSpec, nil
}


================================================
FILE: controller/internal/enforcer/lookup/lookup_test.go
================================================
// +build !windows

package lookup

import (
	"testing"

	. "github.com/smartystreets/goconvey/convey"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
)

var (
	appEqWeb = policy.KeyValueOperator{
		Key:      "app",
		Value:    []string{"web"},
		Operator: policy.Equal,
		ID:       "1",
	}
	envEqDemo = policy.KeyValueOperator{
		Key:      "env",
		Value:    []string{"demo"},
		Operator: policy.Equal,
		ID:       "2",
	}

	envEqDemoOrQa = policy.KeyValueOperator{
		Key:      "env",
		Value:    []string{"demo", "qa"},
		Operator: policy.Equal,
		ID:       "3",
	}

	dcKeyExists = policy.KeyValueOperator{
		Key:      "dc",
		Operator: policy.KeyExists,
	}

	langNotJava = policy.KeyValueOperator{
		Key:      "lang",
		Value:    []string{"java"},
		Operator: policy.NotEqual,
	}

	envNotDemoOrQA = policy.KeyValueOperator{
		Key:      "env",
		Value:    []string{"demo", "qa"},
		Operator: policy.NotEqual,
	}

	envKeyNotExists = policy.KeyValueOperator{
		Key:      "env",
		Operator: policy.KeyNotExists,
	}

	vulnerKey = policy.KeyValueOperator{
		Key:      "vulnerability",
		Value:    []string{"high"},
		Operator: policy.Equal,
	}

	vulnerLowKey = policy.KeyValueOperator{
		Key:      "vulnerability",
		Value:    []string{"low"},
		Operator: policy.Equal,
	}

	namespaceKey = policy.KeyValueOperator{
		Key:      "namespace",
		Value:    []string{"/a/b/*"},
		Operator: policy.Equal,
	}

	appEqWebAndenvEqDemo = policy.TagSelector{
		Clause: []policy.KeyValueOperator{appEqWeb, envEqDemo},
		Policy: &policy.FlowPolicy{Action: policy.Accept},
	}

	appEqWebAndEnvEqDemoOrQa = policy.TagSelector{
		Clause: []policy.KeyValueOperator{appEqWeb, envEqDemoOrQa},
		Policy: &policy.FlowPolicy{Action: policy.Accept},
	}

	dcTagExists = policy.TagSelector{
		Clause: []policy.KeyValueOperator{dcKeyExists},
		Policy: &policy.FlowPolicy{Action: policy.Accept},
	}

	policylangNotJava = policy.TagSelector{
		Clause: []policy.KeyValueOperator{langNotJava},
		Policy: &policy.FlowPolicy{Action: policy.Accept},
	}

	appEqWebAndenvNotDemoOrQA = policy.TagSelector{
		Clause: []policy.KeyValueOperator{appEqWeb, envNotDemoOrQA},
		Policy: &policy.FlowPolicy{Action: policy.Accept},
	}

	envKeyNotExistsAndAppEqWeb = policy.TagSelector{
		Clause: []policy.KeyValueOperator{envKeyNotExists, appEqWeb},
		Policy: &policy.FlowPolicy{Action: policy.Accept},
	}

	vulnTagPolicy = policy.TagSelector{
		Clause: []policy.KeyValueOperator{vulnerKey},
		Policy: &policy.FlowPolicy{Action: policy.Accept},
	}

	policyNamespace = policy.TagSelector{
		Clause: []policy.KeyValueOperator{namespaceKey, vulnerLowKey},
		Policy: &policy.FlowPolicy{Action: policy.Accept},
	}

	domainParent = policy.KeyValueOperator{
		Key:      "domain",
		Value:    []string{"com.example.*", "com.*", "com.longexample.*", "com.ex.*"},
		Operator: policy.Equal,
	}

	domainFull = policy.KeyValueOperator{
		Key:      "domain",
		Value:    []string{"com.example.web"},
		Operator: policy.Equal,
	}

	policyDomainParent = policy.TagSelector{
		Clause: []policy.KeyValueOperator{domainParent},
		Policy: &policy.FlowPolicy{Action: policy.Accept},
	}

	policyDomainFull = policy.TagSelector{
		Clause: []policy.KeyValueOperator{domainFull},
		Policy: &policy.FlowPolicy{Action: policy.Accept},
	}

	policyEnvDoesNotExist = policy.TagSelector{
		Clause: []policy.KeyValueOperator{envKeyNotExists},
		Policy: &policy.FlowPolicy{Action: policy.Accept},
	}
)

// TestConstructorNewPolicyDB tests the NewPolicyDB constructor
func TestConstructorNewPolicyDB(t *testing.T) {
	Convey("Given that I instantiate a new policy DB, I should not get nil", t, func() {

		p := &PolicyDB{}

		policyDB := NewPolicyDB()

		So(policyDB, ShouldHaveSameTypeAs, p)
	})
}

// TestFuncAddPolicy tests the add policy function
func TestFuncAddPolicy(t *testing.T) {

	Convey("Given an empty policy DB", t, func() {
		policyDB := NewPolicyDB()

		Convey("When I add a single policy it should be associated with all the tags", func() {
			index := policyDB.AddPolicy(appEqWebAndenvEqDemo)

			So(policyDB.numberOfPolicies, ShouldEqual, 1)
			So(index, ShouldEqual, 1)
			for _, c := range appEqWebAndenvEqDemo.Clause {
				So(policyDB.equalMapTable[c.Key][c.Value[0]], ShouldNotBeNil)
				So(policyDB.equalMapTable[c.Key][c.Value[0]][0].index, ShouldEqual, index)
				So(policyDB.equalPrefixes[c.Key], ShouldNotContain, c.Key)
			}
		})

		Convey("When I add a policy with the not equal operator, it should be added to the notEqual db", func() {
			index := policyDB.AddPolicy(policylangNotJava)

			So(policyDB.numberOfPolicies, ShouldEqual, 1)
			So(index, ShouldEqual, 1)
			for _, c := range policylangNotJava.Clause {
				So(policyDB.notEqualMapTable[c.Key][c.Value[0]], ShouldNotBeNil)
				So(policyDB.notEqualMapTable[c.Key][c.Value[0]][0].index, ShouldEqual, index)
				So(policyDB.equalPrefixes, ShouldNotContainKey, c.Key)
			}
		})

		Convey("When I add a policy with the KeyExists operator, it should be added as a prefix of 0", func() {
			index := policyDB.AddPolicy(dcTagExists)

			key := dcTagExists.Clause[0].Key
			So(policyDB.numberOfPolicies, ShouldEqual, 1)
			So(index, ShouldEqual, 1)
			So(policyDB.equalPrefixes, ShouldContainKey, key)
			So(policyDB.equalPrefixes[key], ShouldContain, 0)
			So(policyDB.equalMapTable[key], ShouldHaveLength, 1)
			So(policyDB.equalMapTable[key], ShouldContainKey, "")
			So(policyDB.equalPrefixes[key], ShouldHaveLength, 1)
		})

		Convey("When I add a policy with prefixes, it should be associated with the right prefixes", func() {
			index := policyDB.AddPolicy(policyDomainParent)

			key := policyDomainParent.Clause[0].Key
			value0 := policyDomainParent.Clause[0].Value[0]
			value1 := policyDomainParent.Clause[0].Value[1]
			value2 := policyDomainParent.Clause[0].Value[2]
			value3 := policyDomainParent.Clause[0].Value[3]
			So(policyDB.numberOfPolicies, ShouldEqual, 1)
			So(index, ShouldEqual, 1)
			So(policyDB.equalMapTable[key], ShouldHaveLength, 4)
			So(policyDB.equalMapTable[key], ShouldContainKey, value0[:len(value0)-1])
			So(policyDB.equalMapTable[key], ShouldContainKey, value1[:len(value1)-1])
			So(policyDB.equalMapTable[key], ShouldContainKey, value2[:len(value2)-1])
			So(policyDB.equalMapTable[key], ShouldContainKey, value3[:len(value3)-1])
			So(policyDB.equalPrefixes[key], ShouldHaveLength, 4)
			So(policyDB.equalPrefixes[key], ShouldContain, len(value0)-1)
			So(policyDB.equalPrefixes[key], ShouldContain, len(value1)-1)
			So(policyDB.equalPrefixes[key], ShouldContain, len(value2)-1)
			So(policyDB.equalPrefixes[key], ShouldContain, len(value3)-1)
		})

	})
}

// TestFuncSearch tests the search function of the lookup
func TestFuncSearch(t *testing.T) {
	// policy1 : app=web and env=demo
	// policy2 : lang != java
	// policy3 : dc=*
	// policy4: app=web and env IN (demo, qa)
	// policy5: app=web and env NotIN (demo, qa)
	// policy6: app=web not env=*
	// policy7: domain IN ("com.*", "com.example.*")
	// policy8: domain=com.example.web
	// policy9: env doesn't exist
	// policy10: vulnerability=high
	// policy11: namespace=/a/b/* and vulnerability=low

	Convey("Given an empty policyDB", t, func() {
		policyDB := NewPolicyDB()
		Convey("Given that I add two policy rules", func() {
			index1 := policyDB.AddPolicy(appEqWebAndenvEqDemo)
			index2 := policyDB.AddPolicy(policylangNotJava)
			index3 := policyDB.AddPolicy(dcTagExists)
			index4 := policyDB.AddPolicy(appEqWebAndEnvEqDemoOrQa)
			index5 := policyDB.AddPolicy(appEqWebAndenvNotDemoOrQA)
			index6 := policyDB.AddPolicy(envKeyNotExistsAndAppEqWeb)
			index7 := policyDB.AddPolicy(policyDomainParent)
			index8 := policyDB.AddPolicy(policyDomainFull)
			index9 := policyDB.AddPolicy(policyEnvDoesNotExist)
			index10 := policyDB.AddPolicy(vulnTagPolicy)
			index11 := policyDB.AddPolicy(policyNamespace)

			So(index1, ShouldEqual, 1)
			So(index2, ShouldEqual, 2)
			So(index3, ShouldEqual, 3)
			So(index4, ShouldEqual, 4)
			So(index5, ShouldEqual, 5)
			So(index6, ShouldEqual, 6)
			So(index9, ShouldEqual, 9)

			Convey("The vulnerability tag policy should match", func() {
				tags := policy.NewTagStore()
				tags.AppendKeyValue("vulnerability", "high")

				index, action := policyDB.Search(tags)
				So(index, ShouldEqual, index10)
				So(action.(*policy.FlowPolicy).Action, ShouldEqual, policy.Accept)
			})

			Convey("A policy that matches ID should match", func() {
				tags := policy.NewTagStoreFromSlice([]string{"1"})
				index, action := policyDB.Search(tags)
				So(action, ShouldNotBeNil)
				So(index, ShouldEqual, index6)
			})

			Convey("A policy that matches only the namespace, shoud not match", func() {
				tags := policy.NewTagStore()
				tags.AppendKeyValue("namespace", "/a/b/c/d")
				tags.AppendKeyValue("env", "privatedemo")

				index, action := policyDB.Search(tags)
				So(action, ShouldBeNil)
				So(index, ShouldEqual, -1)
			})

			Convey("A policy that matches namespace and vulnerability low, shoud match", func() {
				tags := policy.NewTagStore()
				tags.AppendKeyValue("namespace", "/a/b/c/d")
				tags.AppendKeyValue("vulnerability", "low")
				tags.AppendKeyValue("env", "privatedemo")

				index, action := policyDB.Search(tags)
				So(action, ShouldNotBeNil)
				So(index, ShouldEqual, index11)
			})

			Convey("Given that I search for a single matching that matches the equal rules, it should return the correct index,", func() {
				tags := policy.NewTagStore()
				tags.AppendKeyValue("app", "web")
				tags.AppendKeyValue("env", "demo")

				index, action := policyDB.Search(tags)
				So(index, ShouldEqual, index1)
				So(action.(*policy.FlowPolicy).Action, ShouldEqual, policy.Accept)
			})

			Convey("Given that I search for a single matching that matches the not equal rules, it should return the right index,", func() {
				tags := policy.NewTagStore()
				tags.AppendKeyValue("lang", "go")
				tags.AppendKeyValue("env", "demo")

				index, action := policyDB.Search(tags)
				So(index, ShouldEqual, index2)
				So(action.(*policy.FlowPolicy).Action, ShouldEqual, policy.Accept)
			})

			Convey("Given that I search for rules that match the KeyExists Policy, it should return the right index  ", func() {
				tags := policy.NewTagStore()
				tags.AppendKeyValue("dc", "EAST")
				tags.AppendKeyValue("env", "demo")

				index, action := policyDB.Search(tags)
				So(index, ShouldEqual, index3)
				So(action.(*policy.FlowPolicy).Action, ShouldEqual, policy.Accept)
			})

			Convey("Given that I search for a single matching that matches the Or rules, it should return the right index,", func() {

				tags := policy.NewTagStore()
				tags.AppendKeyValue("app", "web")
				tags.AppendKeyValue("env", "qa")

				index, action := policyDB.Search(tags)
				So(index, ShouldEqual, index4)
				So(action.(*policy.FlowPolicy).Action, ShouldEqual, policy.Accept)
			})

			Convey("Given that I search for a single matching that matches the NOT Or rlues, it should return the right index,", func() {
				tags := policy.NewTagStore()
				tags.AppendKeyValue("app", "web")
				tags.AppendKeyValue("env", "prod")

				index, action := policyDB.Search(tags)
				So(index, ShouldEqual, index5)
				So(action.(*policy.FlowPolicy).Action, ShouldEqual, policy.Accept)
			})

			Convey("Given that I search for a single clause  that fails in the Not OR operator, it should fail ,", func() {
				tags := policy.NewTagStore()
				tags.AppendKeyValue("lang", "java")
				tags.AppendKeyValue("env", "demo")
				tags.AppendKeyValue("app", "db")

				index, action := policyDB.Search(tags)
				So(index, ShouldEqual, -1)
				So(action, ShouldBeNil)
			})

			Convey("Given that I search for rules that do not match, it should return an error ", func() {
				tags := policy.NewTagStore()
				tags.AppendKeyValue("tag", "node")
				tags.AppendKeyValue("env", "node")

				index, action := policyDB.Search(tags)
				So(index, ShouldEqual, -1)
				So(action, ShouldBeNil)
			})

			Convey("Given that I search for a single that succeeds in the Not Key  operator, it should succeed ,", func() {
				tags := policy.NewTagStore()
				tags.AppendKeyValue("app", "web")

				index, action := policyDB.Search(tags)
				So(index, ShouldEqual, index6)
				So(action.(*policy.FlowPolicy).Action, ShouldEqual, policy.Accept)
			})

			Convey("Given that I search for a value that matches a prefix", func() {
				tags := policy.NewTagStore()
				tags.AppendKeyValue("domain", "com.example.db")
				index, action := policyDB.Search(tags)
				So(index, ShouldEqual, index7)
				So(action.(*policy.FlowPolicy).Action, ShouldEqual, policy.Accept)
			})

			Convey("Given that I search for a value that matches a complete value ", func() {
				tags := policy.NewTagStore()
				tags.AppendKeyValue("domain", "com.example.web")

				index, action := policyDB.Search(tags)
				So(index, ShouldEqual, index8)
				So(action.(*policy.FlowPolicy).Action, ShouldEqual, policy.Accept)
			})

			Convey("Given that I search for a value that matches some of the prefix, it should return err  ", func() {
				tags := policy.NewTagStore()
				tags.AppendKeyValue("domain", "co")
				tags.AppendKeyValue("env", "node")

				index, action := policyDB.Search(tags)
				So(index, ShouldEqual, -1)
				So(action, ShouldBeNil)
			})

			Convey("Given that I search for a value matches only the env not exists policy ", func() {
				tags := policy.NewTagStore()
				tags.AppendKeyValue("sometag", "nomatch")

				index, action := policyDB.Search(tags)
				So(index, ShouldEqual, index9)
				So(action.(*policy.FlowPolicy).Action, ShouldEqual, policy.Accept)
			})

		})

	})
}

// TestFuncDumbDB is a mock test for the print function
func TestFuncDumpDB(t *testing.T) {
	Convey("Given an empty policy DB", t, func() {
		policyDB := NewPolicyDB()

		Convey("Given that I add two policy rules, I should be able to print the db ", func() {
			index1 := policyDB.AddPolicy(appEqWebAndenvEqDemo)
			index2 := policyDB.AddPolicy(policylangNotJava)
			So(index1, ShouldEqual, 1)
			So(index2, ShouldEqual, 2)

			policyDB.PrintPolicyDB()

		})
	})
}


================================================
FILE: controller/internal/enforcer/metadata/metadata.go
================================================
package metadata

import (
	"context"
	"encoding/json"
	"sync"
	"time"

	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/apiauth"

	"go.aporeto.io/enforcerd/trireme-lib/common"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/applicationproxy/serviceregistry"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
)

// Client is a metadata client.
type Client struct {
	puContext   string
	tokenIssuer common.ServiceTokenIssuer
	certPEM     []byte
	keyPEM      []byte

	sync.RWMutex
}

// NewClient returns a new metadata client
func NewClient(puContext string, t common.ServiceTokenIssuer) *Client {
	return &Client{
		puContext:   puContext,
		tokenIssuer: t,
	}
}

// UpdateSecrets updates the secrets of the client.
func (c *Client) UpdateSecrets(cert, key []byte) {
	c.Lock()
	defer c.Unlock()

	c.certPEM = cert
	c.keyPEM = key
}

// GetCertificate returns back the certificate.
func (c *Client) GetCertificate() []byte {
	c.RLock()
	defer c.RUnlock()

	return c.certPEM
}

// GetPrivateKey returns the private key associated with this service.
func (c *Client) GetPrivateKey() []byte {
	c.RLock()
	defer c.RUnlock()

	return c.keyPEM
}

// GetCurrentPolicy returns the current policy of the datapath. It returns
// the marshalled policy as well as the original object for any farther processing.
func (c *Client) GetCurrentPolicy() ([]byte, *policy.PUPolicyPublic, error) {

	sctx, err := serviceregistry.Instance().RetrieveServiceByID(c.puContext)
	if err != nil {
		return nil, nil, err
	}

	plc := sctx.PU.Policy.ToPublicPolicy()
	plc.ServicesCertificate = ""
	plc.ServicesPrivateKey = ""
	data, err := json.MarshalIndent(plc, "  ", "  ")
	if err != nil {
		data = []byte("Internal Server Error")
	}

	return data, plc, nil
}

// IssueToken issues an OAUTH token for this PU for the desired audience
// and validity. The request will use the token issuer to contact the OIDC
// provider and issue the token.
func (c *Client) IssueToken(ctx context.Context, stype common.ServiceTokenType, audience string, validity time.Duration) (string, error) {
	return c.tokenIssuer.Issue(ctx, c.puContext, stype, audience, validity)
}

// Authorize request will use the enforcerd databases and context to authorize
// an http request given the provided credentials.
func (c *Client) Authorize(request *apiauth.Request) error {

	// TODO
	return nil
}


================================================
FILE: controller/internal/enforcer/mockenforcer/mockenforcer.go
================================================
// Code generated by MockGen. DO NOT EDIT.
// Source: controller/internal/enforcer/enforcer.go

// Package mockenforcer is a generated GoMock package.
package mockenforcer

import (
	context "context"
	reflect "reflect"
	time "time"

	gomock "github.com/golang/mock/gomock"
	constants "go.aporeto.io/enforcerd/trireme-lib/controller/constants"
	ebpf "go.aporeto.io/enforcerd/trireme-lib/controller/pkg/ebpf"
	fqconfig "go.aporeto.io/enforcerd/trireme-lib/controller/pkg/fqconfig"
	packettracing "go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packettracing"
	secrets "go.aporeto.io/enforcerd/trireme-lib/controller/pkg/secrets"
	runtime "go.aporeto.io/enforcerd/trireme-lib/controller/runtime"
	policy "go.aporeto.io/enforcerd/trireme-lib/policy"
)

// MockEnforcer is a mock of Enforcer interface
// nolint
type MockEnforcer struct {
	ctrl     *gomock.Controller
	recorder *MockEnforcerMockRecorder
}

// MockEnforcerMockRecorder is the mock recorder for MockEnforcer
// nolint
type MockEnforcerMockRecorder struct {
	mock *MockEnforcer
}

// NewMockEnforcer creates a new mock instance
// nolint
func NewMockEnforcer(ctrl *gomock.Controller) *MockEnforcer {
	mock := &MockEnforcer{ctrl: ctrl}
	mock.recorder = &MockEnforcerMockRecorder{mock}
	return mock
}

// EXPECT returns an object that allows the caller to indicate expected use
// nolint
func (m *MockEnforcer) EXPECT() *MockEnforcerMockRecorder {
	return m.recorder
}

// Enforce mocks base method
// nolint
func (m *MockEnforcer) Enforce(ctx context.Context, contextID string, puInfo *policy.PUInfo) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "Enforce", ctx, contextID, puInfo)
	ret0, _ := ret[0].(error)
	return ret0
}

// Enforce indicates an expected call of Enforce
// nolint
func (mr *MockEnforcerMockRecorder) Enforce(ctx, contextID, puInfo interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Enforce", reflect.TypeOf((*MockEnforcer)(nil).Enforce), ctx, contextID, puInfo)
}

// Unenforce mocks base method
// nolint
func (m *MockEnforcer) Unenforce(ctx context.Context, contextID string) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "Unenforce", ctx, contextID)
	ret0, _ := ret[0].(error)
	return ret0
}

// Unenforce indicates an expected call of Unenforce
// nolint
func (mr *MockEnforcerMockRecorder) Unenforce(ctx, contextID interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Unenforce", reflect.TypeOf((*MockEnforcer)(nil).Unenforce), ctx, contextID)
}

// GetFilterQueue mocks base method
// nolint
func (m *MockEnforcer) GetFilterQueue() fqconfig.FilterQueue {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "GetFilterQueue")
	ret0, _ := ret[0].(fqconfig.FilterQueue)
	return ret0
}

// GetFilterQueue indicates an expected call of GetFilterQueue
// nolint
func (mr *MockEnforcerMockRecorder) GetFilterQueue() *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetFilterQueue", reflect.TypeOf((*MockEnforcer)(nil).GetFilterQueue))
}

// GetBPFObject mocks base method
// nolint
func (m *MockEnforcer) GetBPFObject() ebpf.BPFModule {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "GetBPFObject")
	ret0, _ := ret[0].(ebpf.BPFModule)
	return ret0
}

// GetBPFObject indicates an expected call of GetBPFObject
// nolint
func (mr *MockEnforcerMockRecorder) GetBPFObject() *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetBPFObject", reflect.TypeOf((*MockEnforcer)(nil).GetBPFObject))
}

// Run mocks base method
// nolint
func (m *MockEnforcer) Run(ctx context.Context) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "Run", ctx)
	ret0, _ := ret[0].(error)
	return ret0
}

// Run indicates an expected call of Run
// nolint
func (mr *MockEnforcerMockRecorder) Run(ctx interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Run", reflect.TypeOf((*MockEnforcer)(nil).Run), ctx)
}

// UpdateSecrets mocks base method
// nolint
func (m *MockEnforcer) UpdateSecrets(secrets secrets.Secrets) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "UpdateSecrets", secrets)
	ret0, _ := ret[0].(error)
	return ret0
}

// UpdateSecrets indicates an expected call of UpdateSecrets
// nolint
func (mr *MockEnforcerMockRecorder) UpdateSecrets(secrets interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateSecrets", reflect.TypeOf((*MockEnforcer)(nil).UpdateSecrets), secrets)
}

// SetTargetNetworks mocks base method
// nolint
func (m *MockEnforcer) SetTargetNetworks(cfg *runtime.Configuration) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "SetTargetNetworks", cfg)
	ret0, _ := ret[0].(error)
	return ret0
}

// SetTargetNetworks indicates an expected call of SetTargetNetworks
// nolint
func (mr *MockEnforcerMockRecorder) SetTargetNetworks(cfg interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetTargetNetworks", reflect.TypeOf((*MockEnforcer)(nil).SetTargetNetworks), cfg)
}

// SetLogLevel mocks base method
// nolint
func (m *MockEnforcer) SetLogLevel(level constants.LogLevel) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "SetLogLevel", level)
	ret0, _ := ret[0].(error)
	return ret0
}

// SetLogLevel indicates an expected call of SetLogLevel
// nolint
func (mr *MockEnforcerMockRecorder) SetLogLevel(level interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetLogLevel", reflect.TypeOf((*MockEnforcer)(nil).SetLogLevel), level)
}

// CleanUp mocks base method
// nolint
func (m *MockEnforcer) CleanUp() error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "CleanUp")
	ret0, _ := ret[0].(error)
	return ret0
}

// CleanUp indicates an expected call of CleanUp
// nolint
func (mr *MockEnforcerMockRecorder) CleanUp() *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CleanUp", reflect.TypeOf((*MockEnforcer)(nil).CleanUp))
}

// GetServiceMeshType mocks base method
// nolint
func (m *MockEnforcer) GetServiceMeshType() policy.ServiceMesh {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "GetServiceMeshType")
	ret0, _ := ret[0].(policy.ServiceMesh)
	return ret0
}

// GetServiceMeshType indicates an expected call of GetServiceMeshType
// nolint
func (mr *MockEnforcerMockRecorder) GetServiceMeshType() *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetServiceMeshType", reflect.TypeOf((*MockEnforcer)(nil).GetServiceMeshType))
}

// EnableDatapathPacketTracing mocks base method
// nolint
func (m *MockEnforcer) EnableDatapathPacketTracing(ctx context.Context, contextID string, direction packettracing.TracingDirection, interval time.Duration) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "EnableDatapathPacketTracing", ctx, contextID, direction, interval)
	ret0, _ := ret[0].(error)
	return ret0
}

// EnableDatapathPacketTracing indicates an expected call of EnableDatapathPacketTracing
// nolint
func (mr *MockEnforcerMockRecorder) EnableDatapathPacketTracing(ctx, contextID, direction, interval interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "EnableDatapathPacketTracing", reflect.TypeOf((*MockEnforcer)(nil).EnableDatapathPacketTracing), ctx, contextID, direction, interval)
}

// EnableIPTablesPacketTracing mocks base method
// nolint
func (m *MockEnforcer) EnableIPTablesPacketTracing(ctx context.Context, contextID string, interval time.Duration) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "EnableIPTablesPacketTracing", ctx, contextID, interval)
	ret0, _ := ret[0].(error)
	return ret0
}

// EnableIPTablesPacketTracing indicates an expected call of EnableIPTablesPacketTracing
// nolint
func (mr *MockEnforcerMockRecorder) EnableIPTablesPacketTracing(ctx, contextID, interval interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "EnableIPTablesPacketTracing", reflect.TypeOf((*MockEnforcer)(nil).EnableIPTablesPacketTracing), ctx, contextID, interval)
}

// Ping mocks base method
// nolint
func (m *MockEnforcer) Ping(ctx context.Context, contextID string, pingConfig *policy.PingConfig) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "Ping", ctx, contextID, pingConfig)
	ret0, _ := ret[0].(error)
	return ret0
}

// Ping indicates an expected call of Ping
// nolint
func (mr *MockEnforcerMockRecorder) Ping(ctx, contextID, pingConfig interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Ping", reflect.TypeOf((*MockEnforcer)(nil).Ping), ctx, contextID, pingConfig)
}

// DebugCollect mocks base method
// nolint
func (m *MockEnforcer) DebugCollect(ctx context.Context, contextID string, debugConfig *policy.DebugConfig) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "DebugCollect", ctx, contextID, debugConfig)
	ret0, _ := ret[0].(error)
	return ret0
}

// DebugCollect indicates an expected call of DebugCollect
// nolint
func (mr *MockEnforcerMockRecorder) DebugCollect(ctx, contextID, debugConfig interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DebugCollect", reflect.TypeOf((*MockEnforcer)(nil).DebugCollect), ctx, contextID, debugConfig)
}

// MockDebugInfo is a mock of DebugInfo interface
// nolint
type MockDebugInfo struct {
	ctrl     *gomock.Controller
	recorder *MockDebugInfoMockRecorder
}

// MockDebugInfoMockRecorder is the mock recorder for MockDebugInfo
// nolint
type MockDebugInfoMockRecorder struct {
	mock *MockDebugInfo
}

// NewMockDebugInfo creates a new mock instance
// nolint
func NewMockDebugInfo(ctrl *gomock.Controller) *MockDebugInfo {
	mock := &MockDebugInfo{ctrl: ctrl}
	mock.recorder = &MockDebugInfoMockRecorder{mock}
	return mock
}

// EXPECT returns an object that allows the caller to indicate expected use
// nolint
func (m *MockDebugInfo) EXPECT() *MockDebugInfoMockRecorder {
	return m.recorder
}

// EnableDatapathPacketTracing mocks base method
// nolint
func (m *MockDebugInfo) EnableDatapathPacketTracing(ctx context.Context, contextID string, direction packettracing.TracingDirection, interval time.Duration) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "EnableDatapathPacketTracing", ctx, contextID, direction, interval)
	ret0, _ := ret[0].(error)
	return ret0
}

// EnableDatapathPacketTracing indicates an expected call of EnableDatapathPacketTracing
// nolint
func (mr *MockDebugInfoMockRecorder) EnableDatapathPacketTracing(ctx, contextID, direction, interval interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "EnableDatapathPacketTracing", reflect.TypeOf((*MockDebugInfo)(nil).EnableDatapathPacketTracing), ctx, contextID, direction, interval)
}

// EnableIPTablesPacketTracing mocks base method
// nolint
func (m *MockDebugInfo) EnableIPTablesPacketTracing(ctx context.Context, contextID string, interval time.Duration) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "EnableIPTablesPacketTracing", ctx, contextID, interval)
	ret0, _ := ret[0].(error)
	return ret0
}

// EnableIPTablesPacketTracing indicates an expected call of EnableIPTablesPacketTracing
// nolint
func (mr *MockDebugInfoMockRecorder) EnableIPTablesPacketTracing(ctx, contextID, interval interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "EnableIPTablesPacketTracing", reflect.TypeOf((*MockDebugInfo)(nil).EnableIPTablesPacketTracing), ctx, contextID, interval)
}

// Ping mocks base method
// nolint
func (m *MockDebugInfo) Ping(ctx context.Context, contextID string, pingConfig *policy.PingConfig) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "Ping", ctx, contextID, pingConfig)
	ret0, _ := ret[0].(error)
	return ret0
}

// Ping indicates an expected call of Ping
// nolint
func (mr *MockDebugInfoMockRecorder) Ping(ctx, contextID, pingConfig interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Ping", reflect.TypeOf((*MockDebugInfo)(nil).Ping), ctx, contextID, pingConfig)
}

// DebugCollect mocks base method
// nolint
func (m *MockDebugInfo) DebugCollect(ctx context.Context, contextID string, debugConfig *policy.DebugConfig) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "DebugCollect", ctx, contextID, debugConfig)
	ret0, _ := ret[0].(error)
	return ret0
}

// DebugCollect indicates an expected call of DebugCollect
// nolint
func (mr *MockDebugInfoMockRecorder) DebugCollect(ctx, contextID, debugConfig interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DebugCollect", reflect.TypeOf((*MockDebugInfo)(nil).DebugCollect), ctx, contextID, debugConfig)
}


================================================
FILE: controller/internal/enforcer/nfqdatapath/afinetrawsocket/afinetrawsocket.go
================================================
// +build linux

package afinetrawsocket

import (
	"fmt"
	"io/ioutil"
	"strconv"
	"strings"
	"syscall"

	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packet"
)

type socketv4 struct {
	fd     int
	insock *syscall.SockaddrInet4
}

type socketv6 struct {
	fd     int
	insock *syscall.SockaddrInet6
}

type rawsocket struct {
	insockv4 *socketv4
	insockv6 *socketv6
}

const (
	// RawSocketMark is the mark asserted on all packet sent out of this socket
	RawSocketMark = 0x63
	// NetworkRawSocketMark is the mark on packet egressing
	//the raw socket coming in from network
	NetworkRawSocketMark = 0x40000063
	//ApplicationRawSocketMark is the mark on packet egressing
	//the raw socket coming from application
	ApplicationRawSocketMark = 0x40000062
)

// SocketWriter interface exposes an interface to write and close sockets
type SocketWriter interface {
	WriteSocket(buf []byte, version packet.IPver, data packet.PlatformMetadata) error
}

// CreateSocket returns a handle to SocketWriter interface
func CreateSocket(mark int, deviceName string) (SocketWriter, error) {
	var sockv6 *socketv6
	var sockv4 *socketv4
	var err error
	createSocketv4 := func() (*socketv4, error) {

		fd, err := syscall.Socket(syscall.AF_INET, syscall.SOCK_RAW, syscall.IPPROTO_UDP)
		if err != nil {
			return nil, fmt.Errorf("received error %s while open ipv4 socket", err)
		}

		if err := syscall.SetsockoptInt(fd, syscall.SOL_SOCKET, syscall.SO_MARK, mark); err != nil {
			syscall.Close(fd) // nolint: errcheck
			return nil, fmt.Errorf("received error %s while setting socket Option SO_MARK", err)
		}

		if err := syscall.SetsockoptInt(fd, syscall.IPPROTO_IP, syscall.IP_HDRINCL, 0); err != nil {
			syscall.Close(fd) // nolint: errcheck
			return nil, fmt.Errorf("received error %s while setting socket Option IP_HDRINCL", err)
		}

		if err := syscall.SetsockoptInt(fd, syscall.IPPROTO_IP, syscall.IP_MTU_DISCOVER, syscall.IP_PMTUDISC_DONT); err != nil {
			syscall.Close(fd) // nolint: errcheck
			return nil, fmt.Errorf("received error %s while setting socket Option IP_PMTUDISC_DONT", err)
		}

		return &socketv4{
			fd: fd,
			insock: &syscall.SockaddrInet4{
				Port: 0,
			},
		}, nil
	}

	createSocketv6 := func() (*socketv6, error) {

		fd, err := syscall.Socket(syscall.AF_INET6, syscall.SOCK_RAW, syscall.IPPROTO_UDP)
		if err != nil {
			return nil, fmt.Errorf("received error %s while open ipv6 socket", err)
		}

		if err := syscall.SetsockoptInt(fd, syscall.SOL_SOCKET, syscall.SO_MARK, mark); err != nil {
			syscall.Close(fd) // nolint: errcheck
			return nil, fmt.Errorf("received error %s while setting socket Option SO_MARK", err)
		}

		if err := syscall.SetsockoptInt(fd, syscall.IPPROTO_IPV6, syscall.IP_HDRINCL, 0); err != nil {
			syscall.Close(fd) // nolint: errcheck
			return nil, fmt.Errorf("received error %s while setting socket Option IP_HDRINCL", err)
		}

		if err := syscall.SetsockoptInt(fd, syscall.IPPROTO_IPV6, syscall.IPV6_MTU_DISCOVER, syscall.IPV6_PMTUDISC_DONT); err != nil {
			syscall.Close(fd) // nolint: errcheck
			return nil, fmt.Errorf("received error %s while setting socket Option IP_PMTUDISC_DONT ipv6", err)
		}

		return &socketv6{
			fd: fd,
			insock: &syscall.SockaddrInet6{
				Port: 0,
			},
		}, nil
	}

	sockv4, err = createSocketv4()
	if err != nil {
		return nil, err
	}
	if IsIpv6Supported() {
		sockv6, err = createSocketv6()
		if err != nil {
			return nil, err
		}
	}
	return &rawsocket{
		insockv4: sockv4,
		insockv6: sockv6,
	}, nil
}

func (sock *rawsocket) WriteSocket(buf []byte, version packet.IPver, data packet.PlatformMetadata) error {
	// copy the dest addr
	if version == packet.V4 {
		copy(sock.insockv4.insock.Addr[:], buf[16:20])
		if err := syscall.Sendto(sock.insockv4.fd, buf[20:], 0, sock.insockv4.insock); err != nil {
			return fmt.Errorf("received error %s while sending to socket", err)
		}
	} else if sock.insockv6 != nil {

		copy(sock.insockv6.insock.Addr[:], buf[24:40])
		if err := syscall.Sendto(sock.insockv6.fd, buf[40:], 0, sock.insockv6.insock); err != nil {
			return fmt.Errorf("received error %s while sending to socket", err)
		}

	}

	return nil
}

// IsIpv6Supported returns true if the system supports ipv6 else returns false
func IsIpv6Supported() bool {
	ipv6ConfPath := "/proc/sys/net/ipv6/conf/all/disable_ipv6"
	data, err := ioutil.ReadFile(ipv6ConfPath)
	if err != nil {
		return false
	}
	val, err := strconv.Atoi(strings.Trim(string(data), "\n"))
	if err != nil {
		return false
	}
	if val == 1 {
		return false
	}
	return true
}


================================================
FILE: controller/internal/enforcer/nfqdatapath/afinetrawsocket/afinetrawsocket_osx.go
================================================
// +build darwin

package afinetrawsocket

import "go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packet"

const (
	// RawSocketMark is the mark asserted on all packet sent out of this socket
	RawSocketMark = 0x63
	// NetworkRawSocketMark is the mark on packet egressing
	//the raw socket coming in from network
	NetworkRawSocketMark = 0x40000063
	//ApplicationRawSocketMark is the mark on packet egressing
	//the raw socket coming from application
	ApplicationRawSocketMark = 0x40000062
)

// SocketWriter interface exposes an interface to write and close sockets
type SocketWriter interface {
	WriteSocket(buf []byte, version packet.IPver, data packet.PlatformMetadata) error
	CloseSocket() error
}

type rawsocket struct { // nolint
}

// CreateSocket returns a handle to SocketWriter interface
func CreateSocket(mark int, deviceName string) (SocketWriter, error) {
	return nil, nil
}

// WriteSocket writes data into raw socket.
func (sock *rawsocket) WriteSocket(buf []byte, version packet.IPver, data packet.PlatformMetadata) error {
	//This is an IP frame dest address at byte[16]

	return nil
}

// CloseSocket closes the raw socket.
func (sock *rawsocket) CloseSocket() error {
	return nil
}


================================================
FILE: controller/internal/enforcer/nfqdatapath/afinetrawsocket/afinetrawsocket_windows.go
================================================
// +build windows

package afinetrawsocket

import (
	"errors"

	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packet"
	"go.aporeto.io/enforcerd/trireme-lib/utils/frontman"
)

type rawsocket struct {
}

// WindowPlatformMetadata is platform-specific data about the packet
type WindowPlatformMetadata struct {
	PacketInfo frontman.PacketInfo
	IgnoreFlow bool
	DropFlow   bool
	Drop       bool
	SetMark    uint32
}

const (
	// RawSocketMark is the mark asserted on all packet sent out of this socket
	RawSocketMark = 0x63
	// NetworkRawSocketMark is the mark on packet egressing
	//the raw socket coming in from network
	NetworkRawSocketMark = 0x40000063
	//ApplicationRawSocketMark is the mark on packet egressing
	//the raw socket coming from application
	ApplicationRawSocketMark = 0x40000062
)

// SocketWriter interface exposes an interface to write and close sockets
type SocketWriter interface {
	WriteSocket(buf []byte, version packet.IPver, data packet.PlatformMetadata) error
}

// CreateSocket returns a handle to SocketWriter interface
func CreateSocket(mark int, deviceName string) (SocketWriter, error) {
	return &rawsocket{}, nil
}

// WriteSocket on Windows calls into the driver to forward the packet
func (sock *rawsocket) WriteSocket(buf []byte, version packet.IPver, data packet.PlatformMetadata) error {
	if data == nil {
		return errors.New("no PlatformMetadata for WriteSocket")
	}
	windata, ok := data.(*WindowPlatformMetadata)
	if !ok {
		return errors.New("no WindowPlatformMetadata for WriteSocket")
	}
	return windata.forwardPacket(buf, version)
}

// Clone the WindowPlatformMetadata structure
func (w *WindowPlatformMetadata) Clone() packet.PlatformMetadata {
	platformMetadata := &WindowPlatformMetadata{
		PacketInfo: w.PacketInfo,
		IgnoreFlow: w.IgnoreFlow,
		Drop:       w.Drop,
	}
	return platformMetadata
}

// forwardPacket takes a raw packet and sends it to the driver to be sent on the network
func (w *WindowPlatformMetadata) forwardPacket(buf []byte, version packet.IPver) error {

	if w.IgnoreFlow && w.DropFlow {
		return errors.New("ignoreFlow and dropFlow cannot both be true")
	}

	// Could set port/addr in packet info but not required by the driver for forwarding of the packet.
	// Create a copy of the packet info so that these changes don't modifiy the current PacketInfo
	packetInfo := w.PacketInfo
	packetInfo.Outbound = 1
	packetInfo.NewPacket = 1
	packetInfo.Drop = 0
	packetInfo.IgnoreFlow = 0
	if version == packet.V4 {
		packetInfo.Ipv4 = 1
	} else {
		packetInfo.Ipv4 = 0
	}
	if w.Drop {
		packetInfo.Drop = 1
	}
	if w.IgnoreFlow {
		packetInfo.IgnoreFlow = 1
	}
	if w.DropFlow {
		packetInfo.DropFlow = 1
	}
	packetInfo.PacketSize = uint32(len(buf))
	if err := frontman.Wrapper.PacketFilterForward(&packetInfo, buf); err != nil {
		return err
	}
	return nil
}


================================================
FILE: controller/internal/enforcer/nfqdatapath/autoport.go
================================================
package nfqdatapath

import (
	"path/filepath"
	"sync"
	"time"

	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/ipsetmanager"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/pucontext"
	"go.aporeto.io/enforcerd/trireme-lib/utils/portspec"
	"go.uber.org/zap"
)

type readSystemFiles interface {
	readOpenSockFD(pid string) []string
	readProcNetTCP() (inodeMap map[string]string, userMap map[string]map[string]bool, err error)
	getCgroupList() []string
	listCgroupProcesses(cgroupname string) ([]string, error)
}

type defaultRead struct{}

var readFiles readSystemFiles
var d *defaultRead
var lock sync.RWMutex

func init() {
	lock.Lock()
	readFiles = d
	lock.Unlock()
}

func (d *Datapath) autoPortDiscovery() {
	for {
		d.findPorts()
		time.Sleep(2 * time.Second)
	}
}

// resync adds new port for the PU and removes the stale ports
func (d *Datapath) resync(newPortMap map[string]map[string]bool) {

	for k, vs := range d.puToPortsMap {
		m := newPortMap[k]

		for v := range vs {
			if m == nil || !m[v] {
				err := ipsetmanager.V4().DeletePortFromServerPortSet(k, v)
				if err != nil {
					zap.L().Debug("autoPortDiscovery: Delete port set returned error", zap.Error(err))
				}
				err = ipsetmanager.V6().DeletePortFromServerPortSet(k, v)
				if err != nil {
					zap.L().Debug("autoPortDiscovery: Delete port set returned error", zap.Error(err))
				}
				// delete the port from contextIDFromTCPPort cache
				err = d.contextIDFromTCPPort.RemoveStringPorts(v)
				if err != nil {
					zap.L().Debug("autoPortDiscovery: can not remove port from cache", zap.Error(err))
				}
			}
		}
	}

	for k, vs := range newPortMap {
		m := d.puToPortsMap[k]
		for v := range vs {
			if m == nil || !m[v] {
				portSpec, err := portspec.NewPortSpecFromString(v, k)
				if err != nil {
					continue
				}
				d.contextIDFromTCPPort.AddPortSpec(portSpec)
				err = ipsetmanager.V4().AddPortToServerPortSet(k, v)
				if err != nil {
					zap.L().Error("autoPortDiscovery: Failed to add port to portset", zap.String("context", k), zap.String("port", v))
				}
				err = ipsetmanager.V6().AddPortToServerPortSet(k, v)
				if err != nil {
					zap.L().Error("autoPortDiscovery: Failed to add port to portset", zap.String("context", k), zap.String("port", v))
				}
			}
		}
	}

	d.puToPortsMap = newPortMap
}

var lastRun time.Time

func (d *Datapath) findPorts() {
	lock.Lock()
	defer lock.Unlock()

	// Rate limit this function to run every 5 milliseconds
	if time.Since(lastRun) <= 5*time.Millisecond {
		return
	}

	lastRun = time.Now()

	cgroupList := readFiles.getCgroupList()

	newPUToPortsMap := map[string]map[string]bool{}
	inodeMap, _, err := readFiles.readProcNetTCP()
	if err != nil {
		zap.L().Error("autoPortDiscovery: /proc/net/tcp read failed with error", zap.Error(err))
		return
	}

	for _, cgroupPath := range cgroupList {
		/* cgroup is also the contextID */
		newMap := map[string]bool{}

		cgroup := filepath.Base(cgroupPath)

		// check if a PU exists with that contextID and is marked with auto port
		pu, err := d.puFromContextID.Get(cgroup)
		if err != nil {
			continue
		}
		p := pu.(*pucontext.PUContext)

		// we skip AutoPort discovery if it is not enabled
		if !p.Autoport() {
			continue
		}

		procs, err := readFiles.listCgroupProcesses(cgroupPath)
		if err != nil {
			zap.L().Warn("autoPortDiscovery: Cgroup processes could not be retrieved", zap.String("cgroupPath", cgroupPath), zap.String("cgroup", cgroup), zap.Error(err))
			continue
		}
		zap.L().Debug("autoPortDiscovery: processes for cgroup detected", zap.String("cgroupPath", cgroupPath), zap.String("cgroup", cgroup), zap.String("id", p.ID()), zap.Strings("procs", procs))

		for _, proc := range procs {
			openSockFDs := readFiles.readOpenSockFD(proc)
			for _, sock := range openSockFDs {
				if inodeMap[sock] != "" {
					newMap[inodeMap[sock]] = true
				}
			}
		}

		newPUToPortsMap[cgroup] = newMap
	}

	d.resync(newPUToPortsMap)
}


================================================
FILE: controller/internal/enforcer/nfqdatapath/autoport_nonwindows.go
================================================
// +build !windows

package nfqdatapath

import (
	"fmt"
	"io/ioutil"
	"os"
	"os/user"
	"strconv"
	"strings"

	"go.aporeto.io/enforcerd/trireme-lib/utils/cgnetcls"
	"go.uber.org/zap"
)

const (
	procNetTCPFile     = "/proc/net/tcp"
	uidFieldOffset     = 7
	inodeFieldOffset   = 9
	procHeaderLineNum  = 0
	portOffset         = 1
	ipPortOffset       = 1
	sockStateOffset    = 3
	sockListeningState = "0A"
	hexFormat          = 16
	integerSize        = 64
	minimumFields      = 2
)

func getUserName(uid string) (string, error) {

	u, err := user.LookupId(uid)
	if err != nil {
		return "", err
	}
	return u.Username, nil
}

func (d *defaultRead) readProcNetTCP() (inodeMap map[string]string, userMap map[string]map[string]bool, err error) {

	buffer, err := ioutil.ReadFile(procNetTCPFile)
	if err != nil {
		return nil, nil, fmt.Errorf("Failed to read /proc/net/tcp file %s", err)
	}

	inodeMap = map[string]string{}
	userMap = map[string]map[string]bool{}

	s := string(buffer)

	for cnt, line := range strings.Split(s, "\n") {

		line := strings.Fields(line)
		// continue if not a valid line
		if len(line) < uidFieldOffset {
			continue
		}

		/* Look at socket which are in listening state only */
		if (cnt == procHeaderLineNum) || (line[sockStateOffset] != sockListeningState) {
			continue
		}

		/* Get the UID */
		uid := line[uidFieldOffset]
		inode := line[inodeFieldOffset]

		portString := ""
		{
			ipPort := strings.Split(line[ipPortOffset], ":")

			if len(ipPort) < minimumFields {
				zap.L().Warn("Failed to extract port")
				continue
			}

			portNum, err := strconv.ParseInt(ipPort[portOffset], hexFormat, integerSize)
			if err != nil {
				zap.L().Warn("failed to parse port", zap.String("port", ipPort[portOffset]))
				continue
			}

			portString = strconv.Itoa(int(portNum))
		}

		inodeMap[inode] = portString

		// /proc/net/tcp file contains uid. Conversion to
		// userName is required as they are keys to lookup tables.
		userName, err := getUserName(uid)
		if err != nil {
			zap.L().Debug("Error converting to username", zap.Error(err))
			continue
		}

		portMap := userMap[userName]
		if portMap == nil {
			portMap = map[string]bool{}
		}
		portMap[portString] = true
		userMap[userName] = portMap
	}

	return inodeMap, userMap, nil
}

func (d *defaultRead) readOpenSockFD(pid string) []string {
	var inodes []string
	fdPath := "/proc/" + pid + "/fd/"

	buffer, err := ioutil.ReadDir(fdPath)
	if err != nil {
		zap.L().Warn("Failed to read", zap.String("file", fdPath), zap.Error(err))
		return nil
	}

	for _, f := range buffer {
		link, err := os.Readlink(fdPath + f.Name())

		if err != nil {
			zap.L().Warn("Failed to read", zap.String("file", fdPath+f.Name()))
			continue
		}
		if strings.Contains(link, "socket:") {
			socketInode := strings.Split(link, ":")

			if len(socketInode) < minimumFields {
				zap.L().Warn("Failed to parse socket inodes")
				continue
			}

			inodeString := socketInode[1]
			inodeString = strings.TrimSuffix(inodeString, "]")
			inodeString = strings.TrimPrefix(inodeString, "[")

			inodes = append(inodes, inodeString)
		}
	}
	return inodes
}

func (d *defaultRead) getCgroupList() []string {
	return cgnetcls.GetCgroupList()
}

func (d *defaultRead) listCgroupProcesses(cgroupname string) ([]string, error) {
	return cgnetcls.ListCgroupProcesses(cgroupname)
}


================================================
FILE: controller/internal/enforcer/nfqdatapath/autoport_windows.go
================================================
// +build windows

package nfqdatapath

func (d *defaultRead) readProcNetTCP() (inodeMap map[string]string, userMap map[string]map[string]bool, err error) {

	inodeMap = map[string]string{}
	userMap = map[string]map[string]bool{}

	return inodeMap, userMap, nil
}

func (d *defaultRead) readOpenSockFD(pid string) []string {
	var inodes []string

	return inodes
}

func (d *defaultRead) getCgroupList() []string {
	return []string{}
}

func (d *defaultRead) listCgroupProcesses(cgroupname string) ([]string, error) {
	return []string{}, nil
}


================================================
FILE: controller/internal/enforcer/nfqdatapath/countererrors.go
================================================
package nfqdatapath

import (
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/counters"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/tokens"
)

func appSynCounterFromError(err error) counters.CounterType {

	switch err {
	case tokens.ErrTokenEncodeFailed:
		return counters.ErrSynTokenEncodeFailed
	case tokens.ErrTokenHashFailed:
		return counters.ErrSynTokenHashFailed
	case tokens.ErrTokenSignFailed:
		return counters.ErrSynTokenSignFailed
	case tokens.ErrSharedSecretMissing:
		return counters.ErrSynSharedSecretMissing
	case tokens.ErrInvalidSecret:
		return counters.ErrSynInvalidSecret
	case tokens.ErrInvalidSignature:
		return counters.ErrSynInvalidSignature
	default:
		return counters.ErrSynTokenFailed
	}
}

func appSynAckCounterFromError(err error) counters.CounterType {

	switch err {
	case tokens.ErrTokenEncodeFailed:
		return counters.ErrSynAckTokenEncodeFailed
	case tokens.ErrTokenHashFailed:
		return counters.ErrSynAckTokenHashFailed
	case tokens.ErrTokenSignFailed:
		return counters.ErrSynAckTokenSignFailed
	case tokens.ErrSharedSecretMissing:
		return counters.ErrSynAckSharedSecretMissing
	case tokens.ErrInvalidSecret:
		return counters.ErrSynAckInvalidSecret
	case tokens.ErrInvalidSignature:
		return counters.ErrSynAckInvalidSignature
	default:
		return counters.ErrSynAckTokenFailed
	}
}

func appAckCounterFromError(err error) counters.CounterType {

	switch err {
	case tokens.ErrTokenEncodeFailed:
		return counters.ErrAckTokenEncodeFailed
	case tokens.ErrTokenHashFailed:
		return counters.ErrAckTokenHashFailed
	case tokens.ErrInvalidSecret:
		return counters.ErrAckInvalidSecret
	case tokens.ErrSharedSecretMissing:
		return counters.ErrAckSharedSecretMissing
	default:
		return counters.ErrAckTokenFailed
	}
}

func netSynCounterFromError(err error) counters.CounterType {

	switch err {
	case tokens.ErrInvalidTokenLength:
		return counters.ErrSynInvalidTokenLength
	case tokens.ErrMissingSignature:
		return counters.ErrSynMissingSignature
	case tokens.ErrCompressedTagMismatch:
		return counters.ErrSynCompressedTagMismatch
	case tokens.ErrDatapathVersionMismatch:
		return counters.ErrSynDatapathVersionMismatch
	case tokens.ErrTokenDecodeFailed:
		return counters.ErrSynTokenDecodeFailed
	case tokens.ErrTokenExpired:
		return counters.ErrSynTokenExpired
	case tokens.ErrPublicKeyFailed:
		return counters.ErrSynPublicKeyFailed
	case tokens.ErrSharedKeyHashFailed:
		return counters.ErrSynSharedKeyHashFailed
	default:
		return counters.ErrSynDroppedInvalidToken
	}
}

func netSynAckCounterFromError(err error) counters.CounterType {

	switch err {
	case tokens.ErrInvalidTokenLength:
		return counters.ErrSynAckInvalidTokenLength
	case tokens.ErrMissingSignature:
		return counters.ErrSynAckMissingSignature
	case tokens.ErrCompressedTagMismatch:
		return counters.ErrSynAckCompressedTagMismatch
	case tokens.ErrDatapathVersionMismatch:
		return counters.ErrSynAckDatapathVersionMismatch
	case tokens.ErrTokenDecodeFailed:
		return counters.ErrSynAckTokenDecodeFailed
	case tokens.ErrTokenExpired:
		return counters.ErrSynAckTokenExpired
	case tokens.ErrPublicKeyFailed:
		return counters.ErrSynAckPublicKeyFailed
	case tokens.ErrSharedKeyHashFailed:
		return counters.ErrSynAckSharedKeyHashFailed
	default:
		return counters.ErrSynAckInvalidToken
	}
}

func netAckCounterFromError(err error) counters.CounterType {
	switch err {
	case tokens.ErrInvalidTokenLength:
		return counters.ErrAckInvalidTokenLength
	case tokens.ErrMissingSignature:
		return counters.ErrAckMissingSignature
	case tokens.ErrCompressedTagMismatch:
		return counters.ErrAckCompressedTagMismatch
	case tokens.ErrDatapathVersionMismatch:
		return counters.ErrAckDatapathVersionMismatch
	case tokens.ErrTokenDecodeFailed:
		return counters.ErrAckTokenDecodeFailed
	case tokens.ErrTokenExpired:
		return counters.ErrAckTokenExpired
	case tokens.ErrSharedSecretMissing:
		return counters.ErrAckSharedSecretMissing
	case tokens.ErrTokenHashFailed:
		return counters.ErrAckTokenHashFailed
	case tokens.ErrSignatureMismatch:
		return counters.ErrAckSignatureMismatch
	default:
		return counters.ErrAckInvalidToken
	}
}

func appUDPSynCounterFromError(err error) counters.CounterType {

	switch err {
	case tokens.ErrTokenEncodeFailed:
		return counters.ErrUDPSynTokenEncodeFailed
	case tokens.ErrTokenHashFailed:
		return counters.ErrUDPSynTokenHashFailed
	case tokens.ErrTokenSignFailed:
		return counters.ErrUDPSynTokenSignFailed
	case tokens.ErrSharedSecretMissing:
		return counters.ErrUDPSynSharedSecretMissing
	case tokens.ErrInvalidSecret:
		return counters.ErrUDPSynInvalidSecret
	case tokens.ErrInvalidSignature:
		return counters.ErrUDPSynInvalidSignature
	default:
		return counters.ErrUDPSynTokenFailed
	}
}

func appUDPSynAckCounterFromError(err error) counters.CounterType {

	switch err {
	case tokens.ErrTokenEncodeFailed:
		return counters.ErrUDPSynAckTokenEncodeFailed
	case tokens.ErrTokenHashFailed:
		return counters.ErrUDPSynAckTokenHashFailed
	case tokens.ErrTokenSignFailed:
		return counters.ErrUDPSynAckTokenSignFailed
	case tokens.ErrSharedSecretMissing:
		return counters.ErrUDPSynAckSharedSecretMissing
	case tokens.ErrInvalidSecret:
		return counters.ErrUDPSynAckInvalidSecret
	case tokens.ErrInvalidSignature:
		return counters.ErrUDPSynAckInvalidSignature
	default:
		return counters.ErrUDPSynAckTokenFailed
	}
}

func appUDPAckCounterFromError(err error) counters.CounterType {

	switch err {
	case tokens.ErrTokenEncodeFailed:
		return counters.ErrUDPAckTokenEncodeFailed
	case tokens.ErrTokenHashFailed:
		return counters.ErrUDPAckTokenHashFailed
	case tokens.ErrInvalidSecret:
		return counters.ErrUDPAckInvalidSecret
	case tokens.ErrSharedSecretMissing:
		return counters.ErrUDPAckSharedSecretMissing
	default:
		return counters.ErrUDPAckTokenFailed
	}
}

func netUDPSynCounterFromError(err error) counters.CounterType {

	switch err {
	case tokens.ErrInvalidTokenLength:
		return counters.ErrUDPSynInvalidTokenLength
	case tokens.ErrMissingSignature:
		return counters.ErrUDPSynMissingSignature
	case tokens.ErrCompressedTagMismatch:
		return counters.ErrUDPSynCompressedTagMismatch
	case tokens.ErrDatapathVersionMismatch:
		return counters.ErrUDPSynDatapathVersionMismatch
	case tokens.ErrTokenDecodeFailed:
		return counters.ErrUDPSynTokenDecodeFailed
	case tokens.ErrTokenExpired:
		return counters.ErrUDPSynTokenExpired
	case tokens.ErrPublicKeyFailed:
		return counters.ErrUDPSynPublicKeyFailed
	case tokens.ErrSharedKeyHashFailed:
		return counters.ErrUDPSynSharedKeyHashFailed
	default:
		return counters.ErrUDPSynDroppedInvalidToken
	}
}

func netUDPSynAckCounterFromError(err error) counters.CounterType {

	switch err {
	case tokens.ErrInvalidTokenLength:
		return counters.ErrUDPSynAckInvalidTokenLength
	case tokens.ErrMissingSignature:
		return counters.ErrUDPSynAckMissingSignature
	case tokens.ErrCompressedTagMismatch:
		return counters.ErrUDPSynAckCompressedTagMismatch
	case tokens.ErrDatapathVersionMismatch:
		return counters.ErrUDPSynAckDatapathVersionMismatch
	case tokens.ErrTokenDecodeFailed:
		return counters.ErrUDPSynAckTokenDecodeFailed
	case tokens.ErrTokenExpired:
		return counters.ErrUDPSynAckTokenExpired
	case tokens.ErrPublicKeyFailed:
		return counters.ErrUDPSynAckPublicKeyFailed
	case tokens.ErrSharedKeyHashFailed:
		return counters.ErrUDPSynAckSharedKeyHashFailed
	default:
		return counters.ErrUDPSynAckInvalidToken
	}
}

func netUDPAckCounterFromError(err error) counters.CounterType {
	switch err {
	case tokens.ErrInvalidTokenLength:
		return counters.ErrUDPAckInvalidTokenLength
	case tokens.ErrMissingSignature:
		return counters.ErrUDPAckMissingSignature
	case tokens.ErrCompressedTagMismatch:
		return counters.ErrUDPAckCompressedTagMismatch
	case tokens.ErrDatapathVersionMismatch:
		return counters.ErrUDPAckDatapathVersionMismatch
	case tokens.ErrTokenDecodeFailed:
		return counters.ErrUDPAckTokenDecodeFailed
	case tokens.ErrTokenExpired:
		return counters.ErrUDPAckTokenExpired
	case tokens.ErrSharedSecretMissing:
		return counters.ErrUDPAckSharedSecretMissing
	case tokens.ErrTokenHashFailed:
		return counters.ErrUDPAckTokenHashFailed
	case tokens.ErrSignatureMismatch:
		return counters.ErrUDPAckSignatureMismatch
	default:
		return counters.ErrUDPAckInvalidToken
	}
}


================================================
FILE: controller/internal/enforcer/nfqdatapath/datapath.go
================================================
package nfqdatapath

// Go libraries
import (
	"context"
	"errors"
	"fmt"
	"os/exec"
	"strconv"
	"sync"
	"time"

	"github.com/blang/semver"
	"go.aporeto.io/enforcerd/trireme-lib/collector"
	"go.aporeto.io/enforcerd/trireme-lib/common"
	"go.aporeto.io/enforcerd/trireme-lib/controller/constants"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/acls"
	enforcerconstants "go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/constants"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/dnsproxy"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/nfqdatapath/afinetrawsocket"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/nfqdatapath/nflog"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/nfqdatapath/tokenaccessor"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/utils/ephemeralkeys"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/connection"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/counters"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/ebpf"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/flowtracking"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/fqconfig"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packet"
	tpacket "go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packet"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packetprocessor"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packettracing"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/pucontext"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/secrets"
	"go.aporeto.io/enforcerd/trireme-lib/controller/runtime"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
	"go.aporeto.io/enforcerd/trireme-lib/utils/cache"
	"go.aporeto.io/enforcerd/trireme-lib/utils/portcache"
	"go.aporeto.io/enforcerd/trireme-lib/utils/portspec"
	"go.uber.org/zap"
)

// DefaultExternalIPTimeout is the default used for the cache for External IPTimeout.
const DefaultExternalIPTimeout = "500ms"

var collectCounterInterval = 30 * time.Second

// GetUDPRawSocket is placeholder for createSocket function. It is useful to mock tcp unit tests.
var GetUDPRawSocket = afinetrawsocket.CreateSocket

type debugpacketmessage struct {
	Mark    int
	p       *packet.Packet
	tcpConn *connection.TCPConnection
	udpConn *connection.UDPConnection
	err     error
	network bool
}

// Datapath is the structure holding all information about a connection filter
type Datapath struct {

	// Configuration parameters
	filterQueue    fqconfig.FilterQueue
	collector      collector.EventCollector
	tokenAccessor  tokenaccessor.TokenAccessor
	service        packetprocessor.PacketProcessor
	scrts          secrets.Secrets
	nflogger       nflog.NFLogger
	procMountPoint string

	targetNetworks *acls.ACLCache
	// Internal structures and caches
	// Key=ContextId Value=puContext
	puFromContextID cache.DataStore
	puFromMark      cache.DataStore
	puFromHash      cache.DataStore
	// hostPU is the host PU context associated with the datapath.
	// There can not be more than one host PU.
	hostPU *pucontext.PUContext

	contextIDFromTCPPort *portcache.PortCache
	contextIDFromUDPPort *portcache.PortCache
	// For remotes this is a reverse link to the context
	puFromIP *pucontext.PUContext

	//tcpClient and tcpServer is a connection cache with key being the flow hash
	// and the value being the connection object.
	tcpClient connection.TCPCache
	tcpServer connection.TCPCache

	tcpConnectionExpirationNotifier func(*connection.TCPConnection)

	udpSourcePortConnectionCache cache.DataStore

	// Hash on full five-tuple and return the connection
	// These are auto-expired connections after 60 seconds of inactivity.
	udpAppOrigConnectionTracker  cache.DataStore
	udpAppReplyConnectionTracker cache.DataStore
	udpNetOrigConnectionTracker  cache.DataStore
	udpNetReplyConnectionTracker cache.DataStore
	udpNatConnectionTracker      cache.DataStore
	udpFinPacketTracker          cache.DataStore
	// CacheTimeout used for Trireme auto-detecion
	ExternalIPCacheTimeout time.Duration

	// Packettracing Cache :: We don't mark this in pucontext since it gets recreated on every policy update and we need to persist across them
	packetTracingCache cache.DataStore

	// mode captures the mode of the enforcer
	mode constants.ModeType

	// ack size
	ackSize uint32

	// conntrack is the conntrack client
	conntrack flowtracking.FlowClient
	dnsProxy  dnsproxy.DNSProxy

	mutualAuthorization bool
	packetLogs          bool

	// udp socket fd for application.
	udpSocketWriter afinetrawsocket.SocketWriter

	puToPortsMap map[string]map[string]bool
	// bpf module
	bpf ebpf.BPFModule

	agentVersion semver.Version

	secretsLock        sync.RWMutex
	logLevelLock       sync.RWMutex
	targetNetworksLock sync.RWMutex

	// defines if serviceMesh is enabled and tells which type of serviceMesh is enabled
	serviceMeshType policy.ServiceMesh
}

type tracingCacheEntry struct {
	direction packettracing.TracingDirection
}

func createPolicy(networks []string) policy.IPRuleList {
	var rules policy.IPRuleList

	f := policy.FlowPolicy{
		Action: policy.Accept,
	}

	addresses := []string{}

	addresses = append(addresses, networks...)

	iprule := policy.IPRule{
		Addresses: addresses,
		Ports:     []string{"0:65535"},
		Protocols: []string{constants.TCPProtoNum},
		Policy:    &f,
	}

	rules = append(rules, iprule)
	return rules
}

func (d *Datapath) cachePut(cache connection.TCPCache, key string, conn *connection.TCPConnection) {
	cache.Put(key, conn)
	conn.StartTimer(func() {
		cache.Remove(key)
		d.tcpConnectionExpirationNotifier(conn)
	})
}

func (d *Datapath) cacheGet(cache connection.TCPCache, key string) (*connection.TCPConnection, bool) {
	return cache.Get(key)
}

func (d *Datapath) cacheRemove(cache connection.TCPCache, key string) {
	conn, exists := cache.Get(key)
	if exists {
		conn.StopTimer()
		cache.Remove(key)
	}
}

const waitBeforeRemovingConn = 5 * time.Second

// New will create a new data path structure. It instantiates the data stores
// needed to track sessions. The data path is started with a different call.
// Only required parameters must be provided. Rest a pre-populated with defaults.
func New(
	mutualAuth bool,
	filterQueue fqconfig.FilterQueue,
	collector collector.EventCollector,
	serverID string,
	validity time.Duration,
	secrets secrets.Secrets,
	mode constants.ModeType,
	procMountPoint string,
	ExternalIPCacheTimeout time.Duration,
	packetLogs bool,
	tokenaccessor tokenaccessor.TokenAccessor,
	puFromContextID cache.DataStore,
	cfg *runtime.Configuration,
	isBPFEnabled bool,
	agentVersion semver.Version,
	serviceMeshType policy.ServiceMesh,
) *Datapath {

	if ExternalIPCacheTimeout <= 0 {
		var err error
		ExternalIPCacheTimeout, err = time.ParseDuration(enforcerconstants.DefaultExternalIPTimeout)
		if err != nil {
			ExternalIPCacheTimeout = time.Second
		}
	}

	var bpf ebpf.BPFModule

	if isBPFEnabled {
		if bpf = ebpf.LoadBPF(); bpf != nil {
			zap.L().Info("eBPF is Enabled in the system")

			cmd := exec.Command("aporeto-conntrack", "-F")
			if err := cmd.Run(); err != nil {
				zap.L().Error("Failed to flush conntrack", zap.Error(err))
			}
		} else {
			zap.L().Info("eBPF is disabled as it is not supported")
		}
	} else {
		zap.L().Info("eBPF is disabled as it is not supported")
	}

	if mode == constants.RemoteContainer || mode == constants.LocalServer {
		// Make conntrack liberal for TCP
		adjustConntrack(mode)
	}

	contextIDFromTCPPort := portcache.NewPortCache("contextIDFromTCPPort")
	contextIDFromUDPPort := portcache.NewPortCache("contextIDFromUDPPort")

	udpSocketWriter, err := GetUDPRawSocket(afinetrawsocket.ApplicationRawSocketMark, "udp")

	if err != nil {
		zap.L().Error("Unable to create raw socket for udp packet transmission", zap.Error(err))
	}

	d := &Datapath{}
	d.puFromMark = cache.NewCache("puFromMark")
	d.puFromHash = cache.NewCache("puFromHash")
	d.contextIDFromTCPPort = contextIDFromTCPPort
	d.contextIDFromUDPPort = contextIDFromUDPPort

	d.puFromContextID = puFromContextID
	d.tcpClient = connection.NewTCPConnectionCache()
	d.tcpServer = connection.NewTCPConnectionCache()
	d.tcpConnectionExpirationNotifier = d.tcpConnectionExpirationFunc

	d.udpSourcePortConnectionCache = cache.NewCacheWithExpiration("udpSourcePortConnectionCache", time.Second*60)
	d.udpAppOrigConnectionTracker = cache.NewCacheWithExpiration("udpAppOrigConnectionTracker", time.Second*60)
	d.udpAppReplyConnectionTracker = cache.NewCacheWithExpiration("udpAppReplyConnectionTracker", time.Second*60)
	d.udpNetOrigConnectionTracker = cache.NewCacheWithExpiration("udpNetOrigConnectionTracker", time.Second*60)
	d.udpNetReplyConnectionTracker = cache.NewCacheWithExpiration("udpNetReplyConnectionTracker", time.Second*60)
	d.udpNatConnectionTracker = cache.NewCacheWithExpiration("udpNatConnectionTracker", time.Second*60)
	d.udpFinPacketTracker = cache.NewCacheWithExpiration("udpFinPacketTracker", time.Second*60)
	d.packetTracingCache = cache.NewCache("PacketTracingCache")
	d.targetNetworks = acls.NewACLCache()
	d.ExternalIPCacheTimeout = ExternalIPCacheTimeout
	d.filterQueue = filterQueue
	d.mutualAuthorization = mutualAuth
	d.collector = collector
	d.tokenAccessor = tokenaccessor
	d.scrts = secrets
	d.ackSize = secrets.AckSize()
	d.mode = mode
	d.procMountPoint = procMountPoint
	d.packetLogs = packetLogs
	d.udpSocketWriter = udpSocketWriter
	d.puToPortsMap = map[string]map[string]bool{}
	d.bpf = bpf
	d.agentVersion = agentVersion
	d.serviceMeshType = serviceMeshType

	if err = d.SetTargetNetworks(cfg); err != nil {
		zap.L().Error("Error adding target networks to the ACLs", zap.Error(err))
	}

	d.nflogger = nflog.NewNFLogger(11, 10, d.puContextDelegate, collector)

	ephemeralkeys.UpdateDatapathSecrets(secrets)

	if mode != constants.RemoteContainer {
		go d.autoPortDiscovery()
	}

	return d
}

func (d *Datapath) collectCounters() {

	keysList := d.puFromContextID.KeyList()
	for _, keys := range keysList {
		val, err := d.puFromContextID.Get(keys)
		if err != nil {
			continue
		}
		counters := val.(*pucontext.PUContext).Counters().GetErrorCounters()
		d.collector.CollectCounterEvent(
			&collector.CounterReport{
				PUID:      val.(*pucontext.PUContext).ManagementID(),
				Counters:  counters,
				Namespace: val.(*pucontext.PUContext).ManagementNamespace(),
			})
	}

	counters := counters.GetErrorCounters()
	d.collector.CollectCounterEvent(
		&collector.CounterReport{
			PUID:      "",
			Counters:  counters,
			Namespace: "",
		})
}

func (d *Datapath) counterCollector(ctx context.Context) {

	for {
		select {
		case <-ctx.Done():
			d.collectCounters()
			return
		case <-time.After(collectCounterInterval):
			d.collectCounters()
		}
	}
}

func (d *Datapath) reportErrorCounters(pu *pucontext.PUContext) {

	counters := pu.Counters().GetErrorCounters()
	d.collector.CollectCounterEvent(&collector.CounterReport{
		PUID:      pu.ManagementID(),
		Counters:  counters,
		Namespace: pu.ManagementNamespace(),
	})
}

// Enforce implements the Enforce interface method and configures the data path for a new PU
func (d *Datapath) Enforce(ctx context.Context, contextID string, puInfo *policy.PUInfo) error {
	// Always create a new PU context
	pu, err := pucontext.NewPU(contextID, puInfo, d.tokenAccessor, d.ExternalIPCacheTimeout)
	if err != nil {
		return fmt.Errorf("error creating new pu: %s", err)
	}

	// Cache PUs for retrieval based on packet information
	if pu.Type() != common.ContainerPU {

		mark, tcpPorts, udpPorts := pu.GetProcessKeys()
		d.puFromMark.AddOrUpdate(mark, pu)

		for _, port := range tcpPorts {
			if port == "0" {
				continue
			}

			portSpec, err := portspec.NewPortSpecFromString(port, contextID)
			if err != nil {
				continue
			}

			if puInfo.Runtime.PUType() == common.HostPU {
				d.contextIDFromTCPPort.AddPortSpecToEnd(portSpec)
			} else {
				d.contextIDFromTCPPort.AddPortSpec(portSpec)
			}
		}

		for _, port := range udpPorts {

			portSpec, err := portspec.NewPortSpecFromString(port, contextID)
			if err != nil {
				continue
			}

			// check for host pu and add its ports to the end.
			if puInfo.Runtime.PUType() == common.HostPU {
				d.contextIDFromUDPPort.AddPortSpecToEnd(portSpec)
				d.hostPU = pu
			} else {
				d.contextIDFromUDPPort.AddPortSpec(portSpec)
			}
		}

	} else {
		d.puFromIP = pu
	}

	oldPU, err := d.puFromContextID.Get(contextID)
	if err != nil {
		// start the dns proxy server for the first time.
		if err := d.dnsProxy.StartDNSServer(ctx, contextID, puInfo.Policy.DNSProxyPort()); err != nil {
			zap.L().Error("could not start dns server for PU", zap.String("contexID", contextID), zap.Error(err))
		}
	} else {
		old := oldPU.(*pucontext.PUContext)
		old.StopProcessing()
		d.reportErrorCounters(old)
	}
	if err := d.dnsProxy.Enforce(ctx, contextID, puInfo); err != nil {
		zap.L().Error("Unable to update dns proxy config", zap.Error(err))
	}
	// Cache PU to its contextID hash.
	d.puFromHash.AddOrUpdate(pu.HashID(), pu)

	// Cache PU from contextID for management and policy updates
	d.puFromContextID.AddOrUpdate(contextID, pu)

	if d.dnsProxy != nil {
		if err := d.dnsProxy.SyncWithPlatformCache(ctx, pu); err != nil {
			zap.L().Warn("error syncing with DNS cache", zap.Error(err))
		}
	}

	return nil
}

// Unenforce removes the configuration for the given PU
func (d *Datapath) Unenforce(ctx context.Context, contextID string) error {

	var err error

	puContext, err := d.puFromContextID.Get(contextID)
	if err != nil {
		return fmt.Errorf("contextid not found in enforcer: %s", err)
	}
	// Pu is being unenforcer. Collect its counters
	pu := puContext.(*pucontext.PUContext)
	// this context pointer is about to get lost. reclaims its counters
	d.reportErrorCounters(pu)

	// Cleanup the mark information
	if pu.Mark() != "" {
		if err = d.puFromMark.Remove(pu.Mark()); err != nil {
			zap.L().Debug("Unable to remove cache entry during unenforcement",
				zap.String("Mark", pu.Mark()),
				zap.Error(err),
			)
		}
	}

	// Cleanup the port cache
	for _, port := range pu.TCPPorts() {
		if port == "0" {
			continue
		}

		if err := d.contextIDFromTCPPort.RemoveStringPorts(port); err != nil {
			zap.L().Debug("Unable to remove cache entry during unenforcement",
				zap.String("TCPPort", port),
				zap.Error(err),
			)
		}
	}

	for _, port := range pu.UDPPorts() {
		if port == "0" {
			continue
		}

		if err := d.contextIDFromUDPPort.RemoveStringPorts(port); err != nil {
			zap.L().Debug("Unable to remove cache entry during unenforcement",
				zap.String("UDPPort", port),
				zap.Error(err),
			)
		}
	}

	// Cleanup the contextID hash cache.
	if err := d.puFromHash.RemoveWithDelay(pu.HashID(), 10*time.Second); err != nil {
		zap.L().Warn("unable to remove pucontext from hash cache",
			zap.String("hash", pu.HashID()),
			zap.Error(err),
		)
	}

	// Cleanup the contextID cache
	if err := d.puFromContextID.RemoveWithDelay(contextID, 10*time.Second); err != nil {
		zap.L().Warn("Unable to remove context from cache",
			zap.String("contextID", contextID),
			zap.Error(err),
		)
	}
	if err := d.dnsProxy.Unenforce(ctx, contextID); err != nil {
		zap.L().Warn("Unable to unenforce dnsproxy",
			zap.String("contextID", contextID),
			zap.Error(err),
		)
	}

	return nil
}

// SetTargetNetworks sets new target networks used by datapath
func (d *Datapath) SetTargetNetworks(cfg *runtime.Configuration) error {

	var err error
	networks := cfg.TCPTargetNetworks

	if len(networks) == 0 {
		networks = []string{"0.0.0.0/1", "128.0.0.0/1", "::/0"}
	}

	targetNetworks := acls.NewACLCache()
	targetacl := createPolicy(networks)

	if err = targetNetworks.AddRuleList(targetacl); err == nil {
		d.targetNetworksLock.Lock()
		d.targetNetworks = targetNetworks
		d.targetNetworksLock.Unlock()
		return nil
	}

	return err
}

// GetBPFObject returns the bpf object
func (d *Datapath) GetBPFObject() ebpf.BPFModule {
	return d.bpf
}

// GetFilterQueue returns the filter queues used by the data path
func (d *Datapath) GetFilterQueue() fqconfig.FilterQueue {

	return d.filterQueue
}

// Run starts the application and network interceptors
func (d *Datapath) Run(ctx context.Context) error {

	zap.L().Debug("Start datapath tracking and network interceptor", zap.Int("mode", int(d.mode)))

	if d.conntrack == nil {
		conntrackClient, err := flowtracking.NewClient(ctx)
		if err != nil {
			return err
		}
		d.conntrack = conntrackClient
	}

	if d.dnsProxy == nil {
		d.dnsProxy = dnsproxy.New(ctx, d.puFromContextID, d.conntrack, d.collector)
	}

	d.startInterceptors(ctx)
	go d.nflogger.Run(ctx)
	go d.counterCollector(ctx)
	return nil
}

// UpdateSecrets updates the secrets used for signing communication between trireme instances
func (d *Datapath) UpdateSecrets(s secrets.Secrets) error {

	d.secretsLock.Lock()
	d.scrts = s
	d.secretsLock.Unlock()

	ephemeralkeys.UpdateDatapathSecrets(s)
	return nil
}

func (d *Datapath) secrets() secrets.Secrets {

	d.secretsLock.RLock()
	defer d.secretsLock.RUnlock()

	return d.scrts
}

// PacketLogsEnabled returns true if the packet logs are enabled.
func (d *Datapath) PacketLogsEnabled() bool {
	d.logLevelLock.RLock()
	defer d.logLevelLock.RUnlock()

	return d.packetLogs
}

// SetLogLevel sets log level.
func (d *Datapath) SetLogLevel(level constants.LogLevel) error {

	d.logLevelLock.Lock()
	defer d.logLevelLock.Unlock()

	d.packetLogs = false
	if level == constants.Trace {
		d.packetLogs = true
	}

	return nil
}

// CleanUp implements the cleanup interface.
func (d *Datapath) CleanUp() error {

	if d.bpf != nil {
		d.bpf.Cleanup()
	}
	d.cleanupPlatform()

	return nil
}

func (d *Datapath) puContextDelegate(hash string) (*pucontext.PUContext, error) {

	pu, err := d.puFromHash.Get(hash)
	if err != nil {
		return nil, fmt.Errorf("unable to find pucontext in cache with hash %s: %v", hash, err)
	}

	return pu.(*pucontext.PUContext), nil
}

func (d *Datapath) reportFlow(p *packet.Packet, src, dst *collector.EndPoint, context *pucontext.PUContext,
	mode string, report *policy.FlowPolicy, actual *policy.FlowPolicy,
	sourceController string, destinationController string) {

	c := &collector.FlowRecord{
		ContextID:   context.ID(),
		Source:      *src,
		Destination: *dst,
		//
		Action:                actual.Action,
		DropReason:            mode,
		PolicyID:              actual.PolicyID,
		L4Protocol:            p.IPProto(),
		Namespace:             context.ManagementNamespace(),
		Count:                 1,
		SourceController:      sourceController,
		DestinationController: destinationController,
		RuleName:              actual.RuleName,
	}

	if context.Annotations() != nil {
		c.Tags = context.Annotations().GetSlice()
	}

	if report.ObserveAction.Observed() {
		c.ObservedAction = report.Action
		c.ObservedPolicyID = report.PolicyID
		c.ObservedActionType = report.ObserveAction
	}

	d.collector.CollectFlowEvent(c)
}

// contextFromIP returns the PU context from the default IP if remote. Otherwise
// it returns the context from the port or mark values of the packet. Synack
// packets are again special and the flow is reversed. If a container doesn't supply
// its IP information, we use the default IP. This will only work with remotes
// and Linux processes.
func (d *Datapath) contextFromIP(app bool, mark string, port uint16, protocol uint8) (*pucontext.PUContext, error) {

	if d.puFromIP != nil {
		return d.puFromIP, nil
	}

	if protocol == packet.IPProtocolICMP {
		if d.hostPU != nil {
			return d.hostPU, nil
		}
	}

	if app {
		pu, err := d.puFromMark.Get(mark)

		if err != nil {
			zap.L().Error("Unable to find context for application flow with mark",
				zap.String("mark", mark),
				zap.Int("protocol", int(protocol)),
				zap.Int("port", int(port)),
			)
			return nil, counters.CounterError(counters.ErrMarkNotFound, errors.New("Mark Not Found"))
		}
		return pu.(*pucontext.PUContext), nil
	}

	// Network packets for non container traffic
	if protocol == packet.IPProtocolTCP {
		contextID, err := d.contextIDFromTCPPort.GetSpecValueFromPort(port)
		if err != nil {
			zap.L().Debug("Could not find PU context for TCP server port", zap.Uint16("port", port))
			return nil, counters.CounterError(counters.ErrPortNotFound, fmt.Errorf(" TCP Port Not Found %v", port))
		}

		pu, err := d.puFromContextID.Get(contextID)
		if err != nil {
			return nil, counters.CounterError(counters.ErrContextIDNotFound, err)
		}
		return pu.(*pucontext.PUContext), nil
	}

	// This is the UDP case
	contextID, err := d.contextIDFromUDPPort.GetSpecValueFromPort(port)
	if err != nil {
		zap.L().Debug("Could not find PU context for UDP server port", zap.Uint16("port", port))
		return nil, counters.CounterError(counters.ErrPortNotFound, fmt.Errorf("UDP Port Not Found %v", port))
	}

	pu, err := d.puFromContextID.Get(contextID)
	if err != nil {
		return nil, counters.CounterError(counters.ErrContextIDNotFound, fmt.Errorf("contextID %s not Found", contextID))
	}

	return pu.(*pucontext.PUContext), nil
}

// EnableDatapathPacketTracing enable nfq datapath packet tracing
func (d *Datapath) EnableDatapathPacketTracing(ctx context.Context, contextID string, direction packettracing.TracingDirection, interval time.Duration) error {

	if _, err := d.puFromContextID.Get(contextID); err != nil {
		return fmt.Errorf("contextID %s does not exist", contextID)
	}
	d.packetTracingCache.AddOrUpdate(contextID, &tracingCacheEntry{
		direction: direction,
	})
	go func() {
		<-time.After(interval)
		d.packetTracingCache.Remove(contextID) // nolint
	}()

	return nil
}

// EnableIPTablesPacketTracing enable iptables -j trace for the particular pu and is much wider packet stream.
func (d *Datapath) EnableIPTablesPacketTracing(ctx context.Context, contextID string, interval time.Duration) error {
	return nil
}

// DebugCollect collects debug information for remote enforcers
func (d *Datapath) DebugCollect(ctx context.Context, contextID string, debugConfig *policy.DebugConfig) error {
	// this is handled in remoteenforcer
	return nil
}

func (d *Datapath) collectUDPPacket(msg *debugpacketmessage) {
	var value interface{}
	var err error
	report := &collector.PacketReport{
		Payload: make([]byte, 64),
	}
	if msg.udpConn == nil {
		if d.puFromIP == nil {
			return
		}
		if value, err = d.packetTracingCache.Get(d.puFromIP.ID()); err != nil {
			//not being traced return
			return
		}

		report.Claims = d.puFromIP.Identity().GetSlice()
		report.PUID = d.puFromIP.ManagementID()
		report.Namespace = d.puFromIP.ManagementNamespace()
		report.Encrypt = false

	} else {
		//udpConn is not nil
		if value, err = d.packetTracingCache.Get(msg.udpConn.Context.ID()); err != nil {
			return
		}
		report.Encrypt = msg.udpConn.ServiceConnection
		report.Claims = msg.udpConn.Context.Identity().GetSlice()
		report.PUID = msg.udpConn.Context.ManagementID()
		report.Namespace = msg.udpConn.Context.ManagementNamespace()
	}

	if msg.network && !packettracing.IsNetworkPacketTraced(value.(*tracingCacheEntry).direction) {
		return
	} else if !msg.network && !packettracing.IsApplicationPacketTraced(value.(*tracingCacheEntry).direction) {
		return
	}
	report.Protocol = int(packet.IPProtocolUDP)
	report.DestinationIP = msg.p.DestinationAddress().String()
	report.SourceIP = msg.p.SourceAddress().String()
	report.DestinationPort = int(msg.p.DestPort())
	report.SourcePort = int(msg.p.SourcePort())
	if msg.err != nil {
		report.DropReason = msg.err.Error()
		report.Event = packettracing.PacketDropped
	} else {
		report.DropReason = ""
		report.Event = packettracing.PacketReceived
	}
	report.Length = int(msg.p.IPTotalLen())
	report.Mark = msg.Mark
	report.PacketID, _ = strconv.Atoi(msg.p.ID())
	report.TriremePacket = true
	buf := msg.p.GetBuffer(0)
	if len(buf) > 64 {
		copy(report.Payload, msg.p.GetBuffer(0)[0:64])
	} else {
		copy(report.Payload, msg.p.GetBuffer(0))
	}

	d.collector.CollectPacketEvent(report)
}

func (d *Datapath) collectTCPPacket(msg *debugpacketmessage) {
	var value interface{}
	var err error
	var report *collector.PacketReport

	if msg.tcpConn == nil {
		if d.puFromIP == nil {
			return
		}

		if value, err = d.packetTracingCache.Get(d.puFromIP.ID()); err != nil {
			//not being traced return
			return
		}

		report = &collector.PacketReport{}
		report.Claims = d.puFromIP.Identity().GetSlice()
		report.PUID = d.puFromIP.ManagementID()
		report.Encrypt = false
		report.Namespace = d.puFromIP.ManagementNamespace()

	} else {

		if value, err = d.packetTracingCache.Get(msg.tcpConn.Context.ID()); err != nil {
			//not being traced return
			return
		}

		report = &collector.PacketReport{}
		report.Encrypt = msg.tcpConn.ServiceConnection
		report.Claims = msg.tcpConn.Context.Identity().GetSlice()
		report.PUID = msg.tcpConn.Context.ManagementID()
		report.Namespace = msg.tcpConn.Context.ManagementNamespace()
	}

	if msg.network && !packettracing.IsNetworkPacketTraced(value.(*tracingCacheEntry).direction) {
		return
	} else if !msg.network && !packettracing.IsApplicationPacketTraced(value.(*tracingCacheEntry).direction) {
		return
	}

	report.TCPFlags = int(msg.p.GetTCPFlags())
	report.Protocol = int(packet.IPProtocolTCP)
	report.DestinationIP = msg.p.DestinationAddress().String()
	report.SourceIP = msg.p.SourceAddress().String()
	report.DestinationPort = int(msg.p.DestPort())
	report.SourcePort = int(msg.p.SourcePort())
	if msg.err != nil {
		report.DropReason = msg.err.Error()
		report.Event = packettracing.PacketDropped
	} else {
		report.DropReason = ""
		report.Event = packettracing.PacketReceived
	}
	report.Length = int(msg.p.IPTotalLen())
	report.Mark = msg.Mark
	report.PacketID, _ = strconv.Atoi(msg.p.ID())
	report.TriremePacket = true
	// Memory allocation must be done only if we are sure we transmitting
	// the report. Leads to unnecessary memory operations otherwise
	// that affect performance
	report.Payload = make([]byte, 64)
	buf := msg.p.GetBuffer(0)
	if len(buf) > 64 {
		copy(report.Payload, msg.p.GetBuffer(0)[0:64])
	} else {
		copy(report.Payload, msg.p.GetBuffer(0))
	}

	d.collector.CollectPacketEvent(report)
}

// Ping runs ping to the given config.
func (d *Datapath) Ping(ctx context.Context, contextID string, pingConfig *policy.PingConfig) error {

	if pingConfig == nil {
		return nil
	}

	item, err := d.puFromContextID.Get(contextID)
	if err != nil {
		return fmt.Errorf("unable to find context with ID %s in cache: %v", contextID, err)
	}

	context, ok := item.(*pucontext.PUContext)
	if !ok {
		return fmt.Errorf("invalid pu context: %v", contextID)
	}

	return d.initiatePingHandshake(ctx, context, pingConfig)
}

// tcpConnectionExpirationNotifier handles processing the expiration of an element
func (d *Datapath) tcpConnectionExpirationFunc(conn *connection.TCPConnection) {

	if conn.PingEnabled() {

		if !conn.PingConfig.SocketClosed() {
			if err := close(conn); err != nil {
				zap.L().Warn("unable to close socket", zap.Reflect("fd", conn.PingConfig.SocketFd()), zap.Error(err))
			}
		}

		if d.collector != nil && conn.PingConfig.PingReport() != nil {
			d.collector.CollectPingEvent(conn.PingConfig.PingReport())
		}

		return
	}

	if conn.GetState() == connection.TCPSynSend || conn.GetState() == connection.TCPSynAckSend {

		reason := conn.GetReportReason()
		if reason == "" {
			reason = "expired"
		}

		connectionReport := &collector.ConnectionExceptionReport{
			Timestamp:       time.Now(),
			PUID:            conn.Context.ManagementID(),
			Namespace:       conn.Context.ManagementNamespace(),
			Protocol:        tpacket.IPProtocolTCP,
			SourceIP:        conn.TCPtuple.SourceAddress.String(),
			DestinationIP:   conn.TCPtuple.DestinationAddress.String(),
			DestinationPort: conn.TCPtuple.DestinationPort,
			Reason:          reason,
			Value:           conn.GetCounterAndReset(),
			State:           conn.GetStateString(),
		}

		d.collector.CollectConnectionExceptionReport(connectionReport)
	}

	conn.Cleanup()
}

// GetServiceMeshType gets the service mesh that is enabled on this datapath
func (d *Datapath) GetServiceMeshType() policy.ServiceMesh {
	return d.serviceMeshType
}


================================================
FILE: controller/internal/enforcer/nfqdatapath/datapath_common_test.go
================================================
package nfqdatapath

import (
	"context"
	"crypto/ecdsa"
	"time"

	"github.com/blang/semver"
	"github.com/golang/mock/gomock"
	. "github.com/smartystreets/goconvey/convey"
	"go.aporeto.io/enforcerd/trireme-lib/collector"
	"go.aporeto.io/enforcerd/trireme-lib/collector/mockcollector"
	"go.aporeto.io/enforcerd/trireme-lib/common"
	"go.aporeto.io/enforcerd/trireme-lib/controller/constants"
	enforcerconstants "go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/constants"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/dnsproxy/mockdnsproxy"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/nfqdatapath/afinetrawsocket"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/nfqdatapath/tokenaccessor"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/nfqdatapath/tokenaccessor/mocktokenaccessor"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/claimsheader"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/connection"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/flowtracking/mockflowclient"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/pkiverifier"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/pucontext"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/secrets"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/secrets/mocksecrets"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/tokens"
	"go.aporeto.io/enforcerd/trireme-lib/controller/runtime"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
	"go.aporeto.io/enforcerd/trireme-lib/utils/cache"
	"go.aporeto.io/enforcerd/trireme-lib/utils/portspec"
)

const (
	testSrcIP = "10.1.10.76"
	testDstIP = "164.67.228.152"
)

var (
	debug bool
)

func procSetValueMock(procName string, value int) error {
	return nil
}

// NewWithDefaults create a new data path with most things used by default
func newWithDefaults(
	ctrl *gomock.Controller,
	serverID string,
	collector collector.EventCollector,
	secrets secrets.Secrets,
	mode constants.ModeType,
	targetNetworks []string,
	testExpirationNotifier bool,
) *Datapath {

	// Override so that you don't have to run as root
	procSetValuePtr = procSetValueMock

	mockTokenAccessor := mocktokenaccessor.NewMockTokenAccessor(ctrl)
	flowclient := mockflowclient.NewMockFlowClient(ctrl)
	puFromContextID := cache.NewCache("puFromContextID")
	mockDNS := mockdnsproxy.NewMockDNSProxy(ctrl)

	mockTokenAccessor.EXPECT().Sign(gomock.Any(), gomock.Any()).Times(1).Return([]byte("token"), nil).AnyTimes()
	mockTokenAccessor.EXPECT().CreateSynPacketToken(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Times(1).Return([]byte("token"), nil).AnyTimes()
	mockTokenAccessor.EXPECT().CreateSynAckPacketToken(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Times(1).Return([]byte("token"), nil).AnyTimes()
	mockTokenAccessor.EXPECT().Randomize(gomock.Any(), gomock.Any()).AnyTimes()
	mockTokenAccessor.EXPECT().ParseAckToken(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return(nil).AnyTimes()
	mockTokenAccessor.EXPECT().ParsePacketToken(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Do(
		func(privateKey, data, secrets, c, b interface{}) interface{} {

			claims := c.(*tokens.ConnectionClaims)
			claims.T = policy.NewTagStore()
			claims.T.AppendKeyValue(enforcerconstants.TransmitterLabel, "value")
			return nil
		},
	).Return(nil, &claimsheader.ClaimsHeader{}, &pkiverifier.PKIControllerInfo{}, []byte("remoteNonce"), "", false, nil).AnyTimes()

	mockDNS.EXPECT().StartDNSServer(gomock.Any(), gomock.Any(), gomock.Any()).AnyTimes()
	mockDNS.EXPECT().Enforce(gomock.Any(), gomock.Any(), gomock.Any()).AnyTimes()
	mockDNS.EXPECT().SyncWithPlatformCache(gomock.Any(), gomock.Any()).AnyTimes()

	e := New(
		false,
		nil,
		collector,
		serverID,
		10*time.Minute,
		secrets,
		mode,
		"/proc",
		500*time.Millisecond,
		false,
		mockTokenAccessor,
		puFromContextID,
		&runtime.Configuration{TCPTargetNetworks: targetNetworks},
		false,
		semver.Version{},
		policy.None,
	)

	e.conntrack = flowclient
	e.dnsProxy = mockDNS

	if testExpirationNotifier {
		e.tcpConnectionExpirationNotifier = testConnectionExpirationNotifier
	}

	return e
}

// NewWithMocks create a new data path using mock objects
func NewWithMocks(
	ctrl *gomock.Controller,
	serverID string,
	mode constants.ModeType,
	targetNetworks []string,
	testExpirationNotifier bool,
) (*Datapath, *mocksecrets.MockSecrets, *mocktokenaccessor.MockTokenAccessor,
	*mockcollector.MockEventCollector, *mockdnsproxy.MockDNSProxy) {

	// Override so that you don't have to run as root
	procSetValuePtr = procSetValueMock

	secrets := mocksecrets.NewMockSecrets(ctrl)
	tokenAccessor := mocktokenaccessor.NewMockTokenAccessor(ctrl)
	collector := mockcollector.NewMockEventCollector(ctrl)
	flowclient := mockflowclient.NewMockFlowClient(ctrl)
	puFromContextID := cache.NewCache("puFromContextID")
	dnsproxy := mockdnsproxy.NewMockDNSProxy(ctrl)

	secrets.EXPECT().AckSize().Return(uint32(300)).Times(1)

	e := New(
		false,
		nil,
		collector,
		serverID,
		10*time.Minute,
		secrets,
		mode,
		"/proc",
		500*time.Millisecond,
		false,
		tokenAccessor,
		puFromContextID,
		&runtime.Configuration{TCPTargetNetworks: targetNetworks},
		false,
		semver.Version{},
		policy.None,
	)

	e.conntrack = flowclient
	e.dnsProxy = dnsproxy

	if testExpirationNotifier {
		e.tcpConnectionExpirationNotifier = testConnectionExpirationNotifier
	}

	return e, secrets, tokenAccessor, collector, dnsproxy
}

func testConnectionExpirationNotifier(conn *connection.TCPConnection) {

	conn.Cleanup()
}

// MockGetUDPRawSocket mocks the GetUDPRawSocket function. Usage "defer MockGetUDPRawSocket()()"
func MockGetUDPRawSocket() func() {
	prevRawSocket := GetUDPRawSocket
	GetUDPRawSocket = func(mark int, device string) (afinetrawsocket.SocketWriter, error) {
		return nil, nil
	}
	return func() {
		GetUDPRawSocket = prevRawSocket
	}
}

// CreatePUContext creates a policy
func CreatePUContext(enforcer *Datapath, contextID, namespace string, puType common.PUType, tokenAccessor tokenaccessor.TokenAccessor) (*pucontext.PUContext, error) {
	puInfo := policy.NewPUInfo(contextID, namespace, puType)
	context, err := pucontext.NewPU(contextID, puInfo, tokenAccessor, 10*time.Second)
	if err != nil {
		return nil, err
	}
	enforcer.puFromContextID.AddOrUpdate(contextID, context) // nolint
	return context, nil
}

// CreatePortPolicy creates a port range policy
func CreatePortPolicy(enforcer *Datapath, contextID, namespace string, puType common.PUType, tokenAccessor tokenaccessor.TokenAccessor, mark string, portMin, portMax uint16) error {

	context, err := CreatePUContext(enforcer, contextID, namespace, puType, tokenAccessor)
	if err != nil {
		return err
	}

	err = enforcer.puFromMark.Add(mark, context)
	if err != nil {
		return err
	}

	portspec, err := portspec.NewPortSpec(portMin, portMax, contextID)
	if err != nil {
		return err
	}
	enforcer.contextIDFromTCPPort.AddPortSpec(portspec)
	return nil
}

// CreateFlowRecord creates a basic flow report
func CreateFlowRecord(count int, srcIP, destIP string, srcPort, destPort uint16, action policy.ActionType, dropReason string) collector.FlowRecord {
	var flowRecord collector.FlowRecord
	var srcEndPoint collector.EndPoint
	var dstEndPoint collector.EndPoint

	srcEndPoint.IP = srcIP
	srcEndPoint.Port = srcPort

	dstEndPoint.IP = destIP
	dstEndPoint.Port = destPort

	flowRecord.Count = count
	flowRecord.Source = srcEndPoint
	flowRecord.Destination = dstEndPoint
	flowRecord.Action = action
	flowRecord.DropReason = dropReason
	return flowRecord
}

func createEnforcerWithPolicy(ctrl *gomock.Controller, mode constants.ModeType) (*Datapath, *mockcollector.MockEventCollector) {

	puInfo1, puInfo2 := createPolicies(testSrcIP, testDstIP)
	So(puInfo1, ShouldNotBeNil)
	So(puInfo2, ShouldNotBeNil)

	enforcer, mockTokenAccessor := createEnforcer(ctrl, mode)

	err := enforcer.Enforce(context.Background(), puInfo1.ContextID, puInfo1)
	So(err, ShouldBeNil)

	err = enforcer.Enforce(context.Background(), puInfo2.ContextID, puInfo2)
	So(err, ShouldBeNil)

	return enforcer, mockTokenAccessor
}

func createEnforcer(ctrl *gomock.Controller, mode constants.ModeType) (*Datapath, *mockcollector.MockEventCollector) {

	enforcer, secrets, mockTokenAccessor, mockCollector, mockDNS := NewWithMocks(ctrl, "serverID", mode, []string{"0.0.0.0/0"}, true)
	So(enforcer != nil, ShouldBeTrue)

	secrets.EXPECT().EncodingKey().Return(&ecdsa.PrivateKey{}).AnyTimes()
	mockTokenAccessor.EXPECT().Sign(gomock.Any(), gomock.Any()).Times(1).Return([]byte("token"), nil).AnyTimes()
	mockTokenAccessor.EXPECT().CreateSynPacketToken(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Times(1).Return([]byte("token"), nil).AnyTimes()
	mockTokenAccessor.EXPECT().CreateSynAckPacketToken(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Times(1).Return([]byte("token"), nil).AnyTimes()
	mockTokenAccessor.EXPECT().Randomize(gomock.Any(), gomock.Any()).AnyTimes()
	mockTokenAccessor.EXPECT().ParseAckToken(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return(nil).AnyTimes()
	mockTokenAccessor.EXPECT().ParsePacketToken(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Do(
		func(privateKey, data, secrets, c, b interface{}) interface{} {

			claims := c.(*tokens.ConnectionClaims)
			claims.T = policy.NewTagStore()
			claims.T.AppendKeyValue(enforcerconstants.TransmitterLabel, "value")
			return nil
		},
	).Return(nil, &claimsheader.ClaimsHeader{}, &pkiverifier.PKIControllerInfo{}, []byte("remoteNonce"), "", false, nil).AnyTimes()

	mockDNS.EXPECT().StartDNSServer(gomock.Any(), gomock.Any(), gomock.Any()).Times(2)
	mockDNS.EXPECT().Enforce(gomock.Any(), gomock.Any(), gomock.Any()).Times(2)
	mockDNS.EXPECT().SyncWithPlatformCache(gomock.Any(), gomock.Any()).Times(2)
	return enforcer, mockCollector
}

func createPolicies(srcIP, dstIP string) (*policy.PUInfo, *policy.PUInfo) {
	tagSelector := policy.TagSelector{
		Clause: []policy.KeyValueOperator{
			{
				Key:      enforcerconstants.TransmitterLabel,
				Value:    []string{"value"},
				Operator: policy.Equal,
			},
		},
		Policy: &policy.FlowPolicy{Action: policy.Accept},
	}

	puID1 := "SomeProcessingUnitId1"
	puID2 := "SomeProcessingUnitId2"

	puIP1 := dstIP
	puIP2 := srcIP

	// Create ProcessingUnit 1
	puInfo1 := policy.NewPUInfo(puID1, "/ns1", common.ContainerPU)

	ip1 := policy.ExtendedMap{}
	ip1["bridge"] = puIP1
	puInfo1.Runtime.SetIPAddresses(ip1)
	ipl1 := policy.ExtendedMap{policy.DefaultNamespace: puIP1}
	puInfo1.Policy.SetIPAddresses(ipl1)
	puInfo1.Policy.AddIdentityTag(enforcerconstants.TransmitterLabel, "value")
	puInfo1.Policy.AddReceiverRules(tagSelector)

	// Create processing unit 2
	puInfo2 := policy.NewPUInfo(puID2, "/ns2", common.ContainerPU)
	ip2 := policy.ExtendedMap{"bridge": puIP2}
	puInfo2.Runtime.SetIPAddresses(ip2)
	ipl2 := policy.ExtendedMap{policy.DefaultNamespace: puIP2}
	puInfo2.Policy.SetIPAddresses(ipl2)
	puInfo2.Policy.AddIdentityTag(enforcerconstants.TransmitterLabel, "value")
	puInfo2.Policy.AddReceiverRules(tagSelector)

	return puInfo1, puInfo2
}


================================================
FILE: controller/internal/enforcer/nfqdatapath/datapath_darwin.go
================================================
// +build darwin

package nfqdatapath

import (
	"context"
	"net"
	"syscall"

	gpacket "github.com/ghedo/go.pkt/packet"
	"go.aporeto.io/enforcerd/trireme-lib/controller/constants"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/connection"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packet"
)

func adjustConntrack(mode constants.ModeType) {
}

func (d *Datapath) setMark(pkt *packet.Packet, mark uint32) error {
	return nil
}

func (d *Datapath) reverseFlow(pkt *packet.Packet) error {
	return nil
}

func (d *Datapath) drop(pkt *packet.Packet) error {
	return nil
}

func (d *Datapath) dropFlow(pkt *packet.Packet) error {
	return nil
}

func (d *Datapath) ignoreFlow(pkt *packet.Packet) error {
	return nil
}

func (d *Datapath) setFlowState(pkt *packet.Packet, accepted bool) error {
	return nil
}

func (d *Datapath) startInterceptors(ctx context.Context) {
}

type pingConn struct {
}

func dialIP(srcIP, dstIP net.IP) (PingConn, error) {

	return &pingConn{}, nil
}

// Close not implemented.
func (p *pingConn) Close() error {
	return nil
}

// Write not implemented.
func (p *pingConn) Write(data []byte) (int, error) {
	return 0, nil
}

// ConstructWirePacket not implemented.
func (p *pingConn) ConstructWirePacket(srcIP, dstIP net.IP, transport gpacket.Packet, payload gpacket.Packet) ([]byte, error) {
	return nil, nil
}

func bindRandomPort(tcpConn *connection.TCPConnection) (uint16, error) {
	return 0, nil
}

func closeRandomPort(tcpConn *connection.TCPConnection) error {
	return nil
}

func isAddrInUseErrno(errNo syscall.Errno) bool {
	return false
}


================================================
FILE: controller/internal/enforcer/nfqdatapath/datapath_icmp.go
================================================
// +build linux

package nfqdatapath

import (
	"go.aporeto.io/enforcerd/trireme-lib/collector"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packet"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/pucontext"
)

type icmpActionType int

const (
	icmpAccept icmpActionType = iota
	icmpDrop
)

func (d *Datapath) processNetworkICMPPacket(context *pucontext.PUContext, packet *packet.Packet, icmpType int8, icmpCode int8) icmpActionType {

	srcAddr := packet.SourceAddress()
	dstAddr := packet.DestinationAddress()

	report, pkt, err := context.NetworkICMPACLPolicy(srcAddr, icmpType, icmpCode)

	d.reportExternalServiceFlowCommon(context, report, pkt, false, packet, &collector.EndPoint{IP: srcAddr.String()}, &collector.EndPoint{IP: dstAddr.String()})
	if err != nil || pkt.Action.Rejected() {
		return icmpDrop
	}

	return icmpAccept
}

func (d *Datapath) processApplicationICMPPacket(context *pucontext.PUContext, packet *packet.Packet, icmpType int8, icmpCode int8) icmpActionType {

	srcAddr := packet.SourceAddress()
	dstAddr := packet.DestinationAddress()

	report, pkt, err := context.ApplicationICMPACLPolicy(dstAddr, icmpType, icmpCode)

	d.reportExternalServiceFlowCommon(context, report, pkt, true, packet, &collector.EndPoint{IP: srcAddr.String()}, &collector.EndPoint{IP: dstAddr.String()})

	if err != nil || pkt.Action.Rejected() {
		return icmpDrop
	}

	return icmpAccept
}


================================================
FILE: controller/internal/enforcer/nfqdatapath/datapath_linux.go
================================================
// +build linux

package nfqdatapath

import (
	"context"
	"fmt"
	"net"
	"os"
	"strconv"
	"syscall"
	"time"

	"github.com/ghedo/go.pkt/layers"
	gpacket "github.com/ghedo/go.pkt/packet"
	"github.com/ghedo/go.pkt/packet/ipv4"
	"go.aporeto.io/enforcerd/internal/utils"
	"go.aporeto.io/enforcerd/trireme-lib/buildflags"
	"go.aporeto.io/enforcerd/trireme-lib/controller/constants"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/applicationproxy/markedconn"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/connection"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packet"
	"go.uber.org/zap"
	"golang.org/x/sys/unix"
)

func procSetValue(procName string, value int) error {
	file, err := os.OpenFile(procName, os.O_RDWR|os.O_TRUNC, 0644)
	if err != nil {
		return err
	}
	defer file.Close() // nolint: errcheck
	_, err = file.WriteString(strconv.Itoa(value))
	if err != nil {
		return err
	}
	return nil
}

// Declare function pointer so that it can be overridden by unit test
var procSetValuePtr func(procName string, value int) error = procSetValue

func adjustConntrack(mode constants.ModeType) {
	// As the pods in k8s is RO, we need to use the Host Proc to write into the proc FS.
	err := procSetValuePtr(utils.GetPathOnHostViaProcRoot("/proc/sys/net/netfilter/nf_conntrack_tcp_be_liberal"), 1)
	if err != nil {
		zap.L().Fatal("Failed to set conntrack options", zap.Error(err))
	}

	if mode == constants.LocalServer && !buildflags.IsLegacyKernel() {
		err := procSetValuePtr(utils.GetPathOnHostViaProcRoot("/proc/sys/net/ipv4/ip_early_demux"), 0)
		if err != nil {
			zap.L().Fatal("Failed to set early demux options", zap.Error(err))
		}
	}
}

func (d *Datapath) setMark(pkt *packet.Packet, mark uint32) error {
	return nil
}

func (d *Datapath) reverseFlow(pkt *packet.Packet) error {
	return nil
}

func (d *Datapath) drop(pkt *packet.Packet) error {
	return nil
}

func (d *Datapath) dropFlow(pkt *packet.Packet) error {
	return nil
}

func (d *Datapath) ignoreFlow(pkt *packet.Packet) error {
	return nil
}

func (d *Datapath) setFlowState(pkt *packet.Packet, accepted bool) error {
	return nil
}

func (d *Datapath) startInterceptors(ctx context.Context) {
	d.startInterceptor(ctx)
}

type pingConn struct {
	conn net.Conn
}

func dialIP(srcIP, dstIP net.IP) (PingConn, error) {

	d := net.Dialer{
		Timeout:   5 * time.Second,
		KeepAlive: -1, // keepalive disabled.
		LocalAddr: &net.IPAddr{IP: srcIP},
		Control:   markedconn.ControlFunc(constants.ProxyMarkInt, false, nil),
	}

	conn, err := d.Dial("ip4:tcp", dstIP.String())
	if err != nil {
		return nil, err
	}

	return &pingConn{conn: conn}, nil
}

// Close closes the connection.
func (p *pingConn) Close() error {
	return p.conn.Close()
}

// Write writes to the connection.
func (p *pingConn) Write(data []byte) (int, error) {

	n, err := p.conn.Write(data)
	if err != nil {
		return n, err
	}

	if n != len(data) {
		return n, fmt.Errorf("partial data written, total: %v, written: %v", len(data), n)
	}

	return n, nil
}

// ConstructWirePacket returns TCP packet with the given payload in wire format.
func (p *pingConn) ConstructWirePacket(srcIP, dstIP net.IP, transport gpacket.Packet, payload gpacket.Packet) ([]byte, error) {
	return packLayers(srcIP, dstIP, transport, payload)
}

func bindRandomPort(tcpConn *connection.TCPConnection) (uint16, error) {

	fd, err := unix.Socket(unix.AF_INET, unix.SOCK_STREAM, unix.IPPROTO_TCP)
	if err != nil || fd <= -1 {
		return 0, fmt.Errorf("unable to open socket, fd: %d : %s", fd, err)
	}

	addr := unix.SockaddrInet4{Port: 0}
	copy(addr.Addr[:], net.ParseIP("127.0.0.1").To4())
	if err = unix.Bind(fd, &addr); err != nil {
		unix.Close(fd) // nolint: errcheck
		return 0, fmt.Errorf("unable to bind socket: %s", err)
	}

	sockAddr, err := unix.Getsockname(fd)
	if err != nil {
		unix.Close(fd) // nolint: errcheck
		return 0, fmt.Errorf("unable to get socket address: %s", err)
	}

	ip4Addr, ok := sockAddr.(*unix.SockaddrInet4)
	if !ok {
		unix.Close(fd) // nolint: errcheck
		return 0, fmt.Errorf("invalid socket address: %T", sockAddr)
	}

	tcpConn.PingConfig.SetSocketFd(uintptr(fd))
	return uint16(ip4Addr.Port), nil
}

func closeRandomPort(tcpConn *connection.TCPConnection) error {

	fd := tcpConn.PingConfig.SocketFd()
	tcpConn.PingConfig.SetSocketClosed(true)

	return unix.Close(int(fd))
}

func packLayers(srcIP, dstIP net.IP, transport gpacket.Packet, payload gpacket.Packet) ([]byte, error) {

	// pseudo header.
	ipPacket := ipv4.Make()
	ipPacket.SrcAddr = srcIP
	ipPacket.DstAddr = dstIP
	ipPacket.Protocol = ipv4.TCP

	transport.SetPayload(payload)  // nolint:errcheck
	ipPacket.SetPayload(transport) // nolint:errcheck

	// pack the layers together.
	buf, err := layers.Pack(transport, payload)
	if err != nil {
		return nil, fmt.Errorf("unable to encode packet to wire format: %v", err)
	}

	return buf, nil
}

func isAddrInUseErrno(errNo syscall.Errno) bool {
	return errNo == unix.EADDRINUSE
}


================================================
FILE: controller/internal/enforcer/nfqdatapath/datapath_tcp.go
================================================
package nfqdatapath

// Go libraries
import (
	"bytes"
	"fmt"
	"strconv"

	"github.com/pkg/errors"
	"go.aporeto.io/enforcerd/trireme-lib/collector"
	"go.aporeto.io/enforcerd/trireme-lib/controller/constants"
	enforcerconstants "go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/constants"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/claimsheader"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/connection"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/counters"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packet"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/pucontext"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/tokens"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
	"go.uber.org/zap"
)

var (
	errNonPUTraffic     = errors.New("not a pu traffic")
	errNonPUUDPTraffic  = errors.New("not a pu udp traffic")
	errOutOfOrderSynAck = errors.New("out of order syn ack packet")
	errRstPacket        = errors.New("rst packet")
	errNoConnection     = errors.New("no connection found")

	// Custom ping error types
	errDropPingNetSynAck = errors.New("net synack dropped")
	errDropPingNetSyn    = errors.New("net syn dropped") // nolint: varcheck

	rstIdentity = []byte("enforcerrstidentity")
)

// processNetworkPackets processes packets arriving from network and are destined to the application
func (d *Datapath) processNetworkTCPPackets(p *packet.Packet) (*connection.TCPConnection, func(), error) {
	var conn *connection.TCPConnection
	var err error
	var f func()

	debugLogs := func(debugString string) {

		if d.PacketLogsEnabled() {
			zap.L().Debug(debugString,
				zap.String("flow", p.L4FlowHash()),
				zap.String("Flags", packet.TCPFlagsToStr(p.GetTCPFlags())),
				zap.Error(err))
		}
	}

	// Retrieve connection state of SynAck packets and
	// skip processing for SynAck packets that we don't have state
	switch p.GetTCPFlags() & packet.TCPSynAckMask {
	case packet.TCPSynMask:
		conn, err = d.netSynRetrieveState(p)
		if err != nil {
			switch err {
			// Non PU Traffic let it through
			case errNonPUTraffic:
				return conn, nil, nil
			default:
				debugLogs("Packet rejected")
				return conn, nil, err
			}
		}

	case packet.TCPSynAckMask:
		conn, err = d.netSynAckRetrieveState(p)
		if err != nil {
			switch err {
			case errOutOfOrderSynAck:
				// Drop this synack it is for a flow we know which is marked for deletion.
				// We saw a FINACK and this synack has come without we seeing an appsyn for this flow again
				return conn, nil, counters.CounterError(counters.ErrOutOfOrderSynAck, fmt.Errorf("ErrOutOfOrderSynAck"))
			default:
				d.releaseUnmonitoredFlow(p)
				return conn, nil, nil
			}
		}

	default:
		conn, err = d.netRetrieveState(p)
		switch err {
		case nil:
			// Do nothing.
		case errRstPacket:
			return conn, nil, nil
		default:
			debugLogs("Packet rejected")
			return conn, nil, err
		}
	}

	conn.Lock()
	defer conn.Unlock()

	if conn.GetState() == connection.TCPSynSend && p.GetTCPFlags()&packet.TCPRstMask != 0 && !conn.PingEnabled() {
		p.TCPDataDetach(0)
		d.cacheRemove(d.tcpClient, p.L4ReverseFlowHash())
		return conn, f, nil
	}

	f, err = d.processNetworkTCPPacket(p, conn.Context, conn)
	if err != nil {
		debugLogs("Rejecting packet")
		return conn, nil, err
	}
	return conn, f, nil
}

// processApplicationPackets processes packets arriving from an application and are destined to the network
func (d *Datapath) processApplicationTCPPackets(p *packet.Packet) (conn *connection.TCPConnection, err error) {

	debugLogs := func(debugString string) {
		if d.PacketLogsEnabled() {
			zap.L().Debug(debugString,
				zap.String("flow", p.L4FlowHash()),
				zap.String("Flags", packet.TCPFlagsToStr(p.GetTCPFlags())),
				zap.Error(err),
			)
		}
	}

	switch p.GetTCPFlags() & packet.TCPSynAckMask {
	case packet.TCPSynMask:
		conn, err = d.appSynRetrieveState(p)
		if err != nil {
			debugLogs("Packet rejected")
			return conn, err
		}
	case packet.TCPSynAckMask:
		conn, err = d.appSynAckRetrieveState(p)
		if err != nil {
			debugLogs("SynAckPacket Ignored")
			cid, err := d.contextIDFromTCPPort.GetSpecValueFromPort(p.SourcePort())

			if err == nil {
				item, err := d.puFromContextID.Get(cid.(string))
				if err != nil {
					// Let the packet through if the context is not found
					return conn, nil
				}

				ctx := item.(*pucontext.PUContext)

				// Syn was not seen and this synack packet is coming from a PU
				// we monitor. This is possible only if IP is in the external
				// networks or excluded networks. Let this packet go through
				// for any of these cases. Drop for everything else.
				_, policy, perr := ctx.NetworkACLPolicyFromAddr(p.DestinationAddress(), p.SourcePort(), p.IPProto())
				if perr == nil && policy.Action.Accepted() {
					ctx.Counters().IncrementCounter(counters.ErrSynAckToExtNetAccept)
					return conn, nil
				}

				// Drop this synack as it belongs to PU
				// for which we didn't see syn

				// FYI.  This can happen when the enforcer is starting. The syn packet gets by the enforcer but is then caught here.
				zap.L().Debug("Network Syn was not seen, and we are monitoring this PU. Dropping the syn ack packet", zap.String("contextID", cid.(string)), zap.Uint16("port", p.SourcePort()))
				return conn, counters.CounterError(counters.ErrNetSynNotSeen, fmt.Errorf("Network Syn was not seen"))
			}

			// syn ack for non aporeto traffic can be let through
			return conn, nil
		}
	default:
		conn, err = d.appRetrieveState(p)
		if err == errRstPacket {
			return nil, nil
		}

		if err != nil {
			debugLogs("Packet rejected")
			return conn, err
		}
	}

	conn.Lock()
	defer conn.Unlock()

	if conn.GetState() == connection.TCPSynReceived && p.GetTCPFlags()&packet.TCPRstMask != 0 && !conn.PingEnabled() {
		// Seen a RST packet. Remove cache entries related to this connection
		p.TCPDataDetach(0)
		d.cacheRemove(d.tcpServer, p.L4ReverseFlowHash())
		return conn, nil
	}

	err = d.processApplicationTCPPacket(p, conn.Context, conn)
	if err != nil {
		debugLogs("Dropping packet")
		return conn, err
	}

	return conn, nil
}

// processApplicationTCPPacket processes a TCP packet and dispatches it to other methods based on the flags
func (d *Datapath) processApplicationTCPPacket(tcpPacket *packet.Packet, context *pucontext.PUContext, conn *connection.TCPConnection) error {

	// State machine based on the flags
	switch tcpPacket.GetTCPFlags() & packet.TCPSynAckMask {
	case packet.TCPSynMask: //Processing SYN packet from Application
		return d.processApplicationSynPacket(tcpPacket, context, conn)

	case packet.TCPAckMask:
		if tcpPacket.GetTCPFlags()&packet.TCPFinMask != 0 {
			conn.MarkForDeletion = true
		}
		return d.processApplicationAckPacket(tcpPacket, context, conn)

	case packet.TCPSynAckMask:
		return d.processApplicationSynAckPacket(tcpPacket, context, conn)
	default:
		return nil
	}
}

// processApplicationSynPacket processes a single Syn Packet
func (d *Datapath) processApplicationSynPacket(tcpPacket *packet.Packet, context *pucontext.PUContext, conn *connection.TCPConnection) error {
	// Increment the counter.
	conn.IncrementCounter()

	if err := tcpPacket.CheckTCPAuthenticationOption(enforcerconstants.TCPAuthenticationOptionBaseLen); err == nil {
		conn.Context.Counters().IncrementCounter(counters.ErrAppSynAuthOptionSet)
	}

	var tcpData []byte

	conn.Secrets, conn.Auth.LocalDatapathPrivateKey, tcpData = context.GetSynToken(nil, conn.Auth.Nonce, nil)

	buffer := append(tcpPacket.GetBuffer(0), []byte{packet.TCPAuthenticationOption, enforcerconstants.TCPAuthenticationOptionBaseLen, 0, 0}...)
	buffer = append(buffer, tcpData...)
	// Attach the tags to the packet and accept the packet
	if err := tcpPacket.UpdatePacketBuffer(buffer, enforcerconstants.TCPAuthenticationOptionBaseLen); err != nil {
		return err
	}

	// Set the state indicating that we send out a Syn packet
	conn.SetState(connection.TCPSynSend)
	d.cachePut(d.tcpClient, tcpPacket.L4FlowHash(), conn)

	// Attach the tags to the packet and accept the packet
	return nil
}

// processApplicationSynAckPacket processes an application SynAck packet
func (d *Datapath) processApplicationSynAckPacket(tcpPacket *packet.Packet, _ *pucontext.PUContext, conn *connection.TCPConnection) error {
	// if the traffic belongs to the same pu, let it go
	if conn.GetState() == connection.TCPData && conn.IsLoopbackConnection() {
		return nil
	}

	// If we are already in the connection.TCPData, it means that this is an external flow
	// At this point we can release the flow to the kernel by updating conntrack
	// We can also clean up the state since we are not going to see any more
	// packets from this connection.
	if conn.GetState() == connection.TCPData {
		// remove from our tcp server cache
		d.cacheRemove(d.tcpServer, tcpPacket.L4ReverseFlowHash())

		if err := d.ignoreFlow(tcpPacket); err != nil {
			zap.L().Error("Failed to ignore flow", zap.Error(err))
		}
		tcpPacket.SetConnmark = true
		return nil
	}

	if err := tcpPacket.CheckTCPAuthenticationOption(enforcerconstants.TCPAuthenticationOptionBaseLen); err == nil {
		conn.Context.Counters().IncrementCounter(counters.ErrAppSynAckAuthOptionSet)
	}

	buffer := append(tcpPacket.GetBuffer(0), []byte{packet.TCPAuthenticationOption, enforcerconstants.TCPAuthenticationOptionBaseLen, 0, 0}...)
	buffer = append(buffer, conn.Auth.SynAckToken...)
	if err := tcpPacket.UpdatePacketBuffer(buffer, enforcerconstants.TCPAuthenticationOptionBaseLen); err != nil {
		return err
	}

	conn.SetState(connection.TCPSynAckSend)
	return nil
}

// processApplicationAckPacket processes an application ack packet
func (d *Datapath) processApplicationAckPacket(tcpPacket *packet.Packet, context *pucontext.PUContext, conn *connection.TCPConnection) error {
	// Only process the first Ack of a connection. This means that we have received
	// as SynAck packet and we can now process the ACK.
	if conn.GetState() == connection.TCPSynAckReceived {

		// Special case. We are handling an AP packet with data, but the ACK has been lost
		// somewhere. In this case, we drop the payload and send our authorization data.
		// The TCP stack will try again.
		if !tcpPacket.IsEmptyTCPPayload() {
			tcpPacket.TCPDataDetach(0)
		}

		buffer := append(tcpPacket.GetBuffer(0), []byte{packet.TCPAuthenticationOption, enforcerconstants.TCPAuthenticationOptionBaseLen, 0, 0}...)
		buffer = append(buffer, conn.Auth.AckToken...)
		if err := tcpPacket.UpdatePacketBuffer(buffer, enforcerconstants.TCPAuthenticationOptionBaseLen); err != nil {
			return err
		}

		conn.SetState(connection.TCPAckSend)

		return nil
	}

	// If we are already in the connection.TCPData connection just forward the packet
	if conn.GetState() == connection.TCPData {
		return nil
	}

	if conn.GetState() == connection.UnknownState {
		// Check if the destination is in the external services approved cache
		// and if yes, allow the packet to go and release the flow.
		_, policy, perr := context.ApplicationACLPolicyFromAddr(tcpPacket.DestinationAddress(), tcpPacket.DestPort(), tcpPacket.IPProto())

		if perr != nil {
			conn.Context.Counters().CounterError(counters.ErrAckInUnknownState, nil) //nolint
			zap.L().Debug("converting to rst app",
				zap.String("SourceIP", tcpPacket.SourceAddress().String()),
				zap.String("DestinationIP", tcpPacket.DestinationAddress().String()),
				zap.Int("SourcePort", int(tcpPacket.SourcePort())),
				zap.Int("DestinationPort", int(tcpPacket.DestPort())),
				zap.String("Flags", packet.TCPFlagsToStr(tcpPacket.GetTCPFlags())),
			)
			tcpPacket.ConvertToRst()
			tcpPacket.SetConnmark = true
			return nil
		}

		if policy.Action.Rejected() {
			return conn.Context.Counters().CounterError(counters.ErrRejectPacket, fmt.Errorf("Rejected due to policy %s", policy.PolicyID))
		}
		if err := d.ignoreFlow(tcpPacket); err != nil {
			zap.L().Error("Failed to ignore flow", zap.Error(err))
		}
		tcpPacket.SetConnmark = true
		return nil
	}

	// Here we capture the first data packet after an ACK packet by modyfing the
	// state. We will not release the caches though to deal with re-transmissions.
	// We will let the caches expire.
	if conn.GetState() == connection.TCPAckSend {
		if tcpPacket.SourceAddress().String() != tcpPacket.DestinationAddress().String() &&
			!(tcpPacket.SourceAddress().IsLoopback() && tcpPacket.DestinationAddress().IsLoopback()) {

			if err := d.ignoreFlow(tcpPacket); err != nil {
				zap.L().Error("Failed to ignore flow", zap.Error(err))
			}

			conn.ResetTimer(waitBeforeRemovingConn)
			tcpPacket.SetConnmark = true
			counters.IncrementCounter(counters.ErrConnectionsProcessed)
		}
		conn.SetState(connection.TCPData)
		return nil
	}

	return fmt.Errorf("received application ack packet in the wrong state: %d", conn.GetState())
}

// processNetworkTCPPacket processes a network TCP packet and dispatches it to different methods based on the flags
func (d *Datapath) processNetworkTCPPacket(tcpPacket *packet.Packet, context *pucontext.PUContext, conn *connection.TCPConnection) (func(), error) {

	// Update connection state in the internal state machine tracker
	switch tcpPacket.GetTCPFlags() & packet.TCPSynAckMask {

	case packet.TCPSynMask:
		return d.processNetworkSynPacket(context, conn, tcpPacket)

	case packet.TCPAckMask:
		if tcpPacket.GetTCPFlags()&packet.TCPFinMask == packet.TCPFinMask {
			conn.MarkForDeletion = true
		}
		return nil, d.processNetworkAckPacket(context, conn, tcpPacket)
	case packet.TCPSynAckMask:
		return d.processNetworkSynAckPacket(context, conn, tcpPacket)

	default: // Ignore any other packet
		return nil, nil
	}
}

func (d *Datapath) clientIdentityAllowed(context *pucontext.PUContext, token []byte, tcpPacket *packet.Packet, conn *connection.TCPConnection, networkReport *policy.FlowPolicy) error {

	claims := &conn.Auth.ConnectionClaims
	secretKey, claimsHeader, controller, remoteNonce, remoteContextID, proto314, err := d.tokenAccessor.ParsePacketToken(conn.Auth.LocalDatapathPrivateKey, token, conn.Secrets, claims, false)

	if err != nil {
		zap.L().Error("Syn token Parse Error", zap.String("flow", tcpPacket.L4FlowHash()), zap.Error(err))
		d.reportRejectedFlow(tcpPacket, conn, collector.DefaultEndPoint, context.ManagementID(), context, collector.InvalidToken, nil, nil, false)
		return conn.Context.Counters().CounterError(netSynCounterFromError(err), err)
	}

	conn.Auth.SecretKey = secretKey
	conn.Auth.RemoteNonce = remoteNonce
	conn.Auth.RemoteContextID = remoteContextID
	conn.Auth.Proto314 = proto314

	if controller != nil &&
		((!controller.SameController) ||
			(claimsHeader != nil && claimsHeader.Ping())) {
		conn.SourceController = controller.Controller
	}

	txLabel, ok := claims.T.Get(enforcerconstants.TransmitterLabel)
	if !ok {
		d.reportRejectedFlow(tcpPacket, conn, txLabel, context.ManagementID(), context, collector.InvalidFormat, nil, nil, false)
		return conn.Context.Counters().CounterError(counters.ErrSynDroppedTCPOption, fmt.Errorf("ErrSynDroppedTCPOption"))
	}

	// Add the port as a label with an @ prefix. These labels are invalid otherwise
	// If all policies are restricted by port numbers this will allow port-specific policies
	tags := claims.T.Copy()
	tags.AppendKeyValue(constants.PortNumberLabelString, fmt.Sprintf("%s/%s", constants.TCPProtoString, strconv.Itoa(int(tcpPacket.DestPort()))))

	// Add the controller to the claims
	if controller != nil && len(controller.Controller) > 0 {
		tags.AppendKeyValue(constants.ControllerLabelString, controller.Controller)
	}

	report, pkt := context.SearchRcvRules(tags)

	// If we have an ObserveContinue Rejected ACL, then report this as the observed flow.
	if networkReport != nil && networkReport.Action.Rejected() && networkReport.ObserveAction.ObserveContinue() {
		report = networkReport
	}

	conn.ReportFlowPolicy = report
	conn.PacketFlowPolicy = pkt

	if claimsHeader != nil && claimsHeader.Ping() && claims.P != nil {
		err := d.processPingNetSynPacket(context, conn, tcpPacket, len(token), pkt, claims)
		if err != nil && err != errDropPingNetSyn {
			zap.L().Error("unable to process ping network syn", zap.Error(err))
		}
		return err
	}

	allow := false
	if txLabel == context.ManagementID() {
		zap.L().Debug("Traffic to the same pu", zap.String("flow", tcpPacket.L4FlowHash()))
		conn.SetLoopbackConnection(true)
		allow = true
	}

	if !pkt.Action.Rejected() || allow {
		return nil
	}

	// TODO: Support ipv6
	if tcpPacket.IPversion() == packet.V4 {
		go func() {
			if err := respondWithRstPacket(tcpPacket, rstIdentity); err != nil {
				zap.L().Warn("unable to send rst packet", zap.Error(err))
			}
		}()
	}

	d.reportRejectedFlow(tcpPacket, conn, txLabel, context.ManagementID(), context, collector.PolicyDrop, report, pkt, false)
	return conn.Context.Counters().CounterError(counters.ErrSynRejectPacket, fmt.Errorf("PolicyDrop %s", pkt.PolicyID))
}

// processNetworkSynPacket processes a syn packet arriving from the network
func (d *Datapath) processNetworkSynPacket(context *pucontext.PUContext, conn *connection.TCPConnection, tcpPacket *packet.Packet) (func(), error) {
	var err error
	conn.IncrementCounter()

	createSynAckToken := func() {
		var pingPayload *policy.PingPayload
		claimsHeader := claimsheader.NewClaimsHeader()

		// This means we got syn with ping header set and passthrough enabled.
		// The application responds with synack.
		if conn.PingEnabled() {
			pingPayload = &policy.PingPayload{}
			conn.PingConfig.SetApplicationListening(true)
			pingPayload.PingID = conn.PingConfig.PingID()
			pingPayload.IterationID = conn.PingConfig.IterationID()
			pingPayload.ApplicationListening = true
			pingPayload.NamespaceHash = context.ManagementNamespaceHash()
			claimsHeader.SetPing(true)
		}

		claims := &tokens.ConnectionClaims{
			CT:       context.CompressedTags(),
			LCL:      conn.Auth.Nonce[:],
			RMT:      conn.Auth.RemoteNonce,
			DEKV1:    conn.Auth.LocalDatapathPublicKeyV1,
			SDEKV1:   conn.Auth.LocalDatapathPublicKeySignV1,
			DEKV2:    conn.Auth.LocalDatapathPublicKeyV2,
			SDEKV2:   conn.Auth.LocalDatapathPublicKeySignV2,
			ID:       context.ManagementID(),
			RemoteID: conn.Auth.RemoteContextID,
			P:        pingPayload,
		}

		if conn.Auth.SynAckToken, err = d.tokenAccessor.CreateSynAckPacketToken(conn.Auth.Proto314, claims, conn.EncodedBuf[:], conn.Auth.Nonce[:], claimsHeader, conn.Secrets, conn.Auth.SecretKey); err != nil {
			zap.L().Error("Syn/Ack token create failed", zap.String("flow", tcpPacket.L4FlowHash()), zap.Error(err))
			conn.Context.Counters().CounterError(appSynCounterFromError(err), err) //nolint
		}
	}

	allowPkt := func() {
		tcpPacket.TCPDataDetach(enforcerconstants.TCPAuthenticationOptionBaseLen) //nolint
		conn.SetState(connection.TCPSynReceived)
		d.cachePut(d.tcpServer, tcpPacket.L4FlowHash(), conn)
	}

	// We should only be here if we have identity
	if err = tcpPacket.CheckTCPAuthenticationOption(enforcerconstants.TCPAuthenticationOptionBaseLen); err != nil || (err == nil && tcpPacket.IsEmptyTCPPayload()) {
		// This is not a normal case and should never happen because Linux/Windows rules are checking for this before sending the packet to NFQ.
		if err == nil {
			err = fmt.Errorf("identity payload empty: incoming connection dropped")
		} else {
			err = fmt.Errorf("invalid identity: incoming connection dropped: %s", err)
		}
		d.reportRejectedFlow(tcpPacket, conn, collector.DefaultEndPoint, context.ManagementID(), context, collector.MissingToken, nil, nil, false)
		return nil, context.Counters().CounterError(counters.ErrSynMissingTCPOption, err)
	}

	rejected := false
	networkReport, pkt, perr := context.NetworkACLPolicy(tcpPacket)
	if perr == nil {
		rejected = pkt.Action.Rejected()
		if rejected {
			perr = fmt.Errorf("rejected by ACL policy %s", pkt.PolicyID)
		}
	} else {
		// We got an error, but ensure it isn't the catch all policy
		if !(pkt != nil && pkt.Action.Rejected() && pkt.PolicyID == "default") {
			rejected = true
		}
	}

	if rejected {
		d.reportExternalServiceFlow(context, networkReport, pkt, false, tcpPacket)
		return nil, context.Counters().CounterError(counters.ErrSynFromExtNetReject, fmt.Errorf("packet had identity: incoming connection dropped: %s", perr))
	}

	token := tcpPacket.ReadTCPData()

	if err = d.clientIdentityAllowed(context, token, tcpPacket, conn, networkReport); err == nil {
		processAfterVerdict := func() {
			createSynAckToken()
		}

		allowPkt()
		return processAfterVerdict, nil
	}

	return nil, err
}

// policyPair stores both reporting and actual action taken on packet.
type policyPair struct {
	report *policy.FlowPolicy
	packet *policy.FlowPolicy
}

// processNetworkSynAckPacket processes a SynAck packet arriving from the network
func (d *Datapath) processNetworkSynAckPacket(context *pucontext.PUContext, conn *connection.TCPConnection, tcpPacket *packet.Packet) (func(), error) {
	var err error

	allowPkt := func() {
		// Remove any of our data
		conn.SetState(connection.TCPSynAckReceived)
		tcpPacket.TCPDataDetach(enforcerconstants.TCPAuthenticationOptionBaseLen) //nolint
	}

	createAckToken := func() {
		claims := &tokens.ConnectionClaims{
			ID:       context.ManagementID(),
			RMT:      conn.Auth.RemoteNonce,
			RemoteID: conn.Auth.RemoteContextID,
		}

		// Create a new token that includes the source and destinatio nonce
		// These are both challenges signed by the secret key and random for every
		// connection minimizing the chances of a replay attack
		if conn.Auth.AckToken, err = d.tokenAccessor.CreateAckPacketToken(conn.Auth.Proto314, conn.Auth.SecretKey, claims, conn.EncodedBuf[:]); err != nil {
			zap.L().Error("Ack token create failed", zap.String("flow", tcpPacket.L4FlowHash()), zap.Error(err))
			conn.Context.Counters().CounterError(appAckCounterFromError(err), err) //nolint
		}
	}

	// Packets with no authorization are processed as external services based on the ACLS
	if err = tcpPacket.CheckTCPAuthenticationOption(enforcerconstants.TCPAuthenticationOptionBaseLen); err != nil || (err == nil && tcpPacket.IsEmptyTCPPayload()) {

		if _, err := d.puFromContextID.Get(conn.Context.ID()); err != nil {
			// PU has been deleted. Ignore these packets
			return nil, conn.Context.Counters().CounterError(counters.ErrInvalidSynAck, fmt.Errorf("Pu with ID delete %s", conn.Context.ID()))
		}

		flowHash := tcpPacket.SourceAddress().String() + ":" + strconv.Itoa(int(tcpPacket.SourcePort()))
		if plci, plerr := context.RetrieveCachedExternalFlowPolicy(flowHash); plerr == nil {
			plc := plci.(*policyPair)
			d.releaseExternalFlow(context, plc.report, plc.packet, tcpPacket)
			conn.Context.Counters().IncrementCounter(counters.ErrSynAckFromExtNetAccept)
			return nil, nil
		}

		// Never seen this IP before, let's parse them.
		report, pkt, perr := context.ApplicationACLPolicyFromAddr(tcpPacket.SourceAddress(), tcpPacket.SourcePort(), tcpPacket.IPProto())

		// Ping packet from an external network.
		if conn.PingEnabled() {
			err := d.processPingNetSynAckPacket(context, conn, tcpPacket, 0, pkt, nil, true)
			if err != nil && err != errDropPingNetSynAck {
				zap.L().Error("unable to process ping network synack (externalnetwork)", zap.Error(err))
			}
			return nil, err
		}

		if perr != nil || pkt.Action.Rejected() {
			d.reportReverseExternalServiceFlow(context, report, pkt, true, tcpPacket)
			return nil, conn.Context.Counters().CounterError(counters.ErrSynAckFromExtNetReject, fmt.Errorf("ErrSynAckFromExtNetReject"))
		}

		// Added to the cache if we can accept it
		context.CacheExternalFlowPolicy(
			tcpPacket,
			&policyPair{
				report: report,
				packet: pkt,
			},
		)

		// Set the state to Data so the other state machines ignore subsequent packets
		conn.SetState(connection.TCPData)
		d.releaseExternalFlow(context, report, pkt, tcpPacket)
		conn.Context.Counters().IncrementCounter(counters.ErrSynAckFromExtNetAccept)

		return nil, nil
	}

	// This is a corner condition. We are receiving a SynAck packet and we are in
	// a state that indicates that we have already processed one. This means that
	// our ack packet was lost. We need to revert conntrack in this case and get
	// back into the picture.
	if conn.GetState() != connection.TCPSynSend {
		// Revert the connmarks - dealing with retransmissions
		if cerr := d.conntrack.UpdateApplicationFlowMark(
			tcpPacket.DestinationAddress(),
			tcpPacket.SourceAddress(),
			tcpPacket.IPProto(),
			tcpPacket.DestPort(),
			tcpPacket.SourcePort(),
			uint32(1), // We cannot put it back to zero. We need something other value.
		); cerr != nil {
			zap.L().Debug("Failed to update conntrack table for flow after synack packet",
				zap.String("app-conn", tcpPacket.L4ReverseFlowHash()),
				zap.String("state", fmt.Sprintf("%d", conn.GetState())),
				zap.Error(err),
			)
		}

		conn.SetState(connection.TCPSynAckReceived)
	}

	if !d.mutualAuthorization {
		allowPkt()
		return nil, nil
	}

	token := tcpPacket.ReadTCPData()
	if err = d.serverIdentityAllowed(context, token, tcpPacket, conn); err == nil {
		processAfterVerdict := func() {
			createAckToken()
		}
		allowPkt()
		return processAfterVerdict, nil
	}

	return nil, err
}

func (d *Datapath) serverIdentityAllowed(context *pucontext.PUContext, token []byte, tcpPacket *packet.Packet, conn *connection.TCPConnection) error {

	claims := &conn.Auth.ConnectionClaims
	secretKey, claimsHeader, controller, remoteNonce, remoteContextID, proto314, err := d.tokenAccessor.ParsePacketToken(conn.Auth.LocalDatapathPrivateKey, token, conn.Secrets, claims, true)

	if err != nil {
		zap.L().Error("Syn/Ack token parse error", zap.String("flow", tcpPacket.L4FlowHash()), zap.Error(err))
		d.reportRejectedFlow(tcpPacket, conn, collector.DefaultEndPoint, context.ManagementID(), context, collector.InvalidToken, nil, nil, true)
		return context.Counters().CounterError(netSynAckCounterFromError(err), err)
	}

	conn.Auth.SecretKey = secretKey
	conn.Auth.RemoteNonce = remoteNonce
	conn.Auth.RemoteContextID = remoteContextID
	conn.Auth.Proto314 = proto314

	if controller != nil && ((conn.PingEnabled()) || (!controller.SameController)) {
		conn.DestinationController = controller.Controller
	}

	// Add the port as a label with an @ prefix. These labels are invalid otherwise
	// If all policies are restricted by port numbers this will allow port-specific policies
	tags := claims.T.Copy()
	tags.AppendKeyValue(constants.PortNumberLabelString, constants.TCPProtoString+"/"+strconv.Itoa(int(tcpPacket.SourcePort())))

	// Add the controller to the claims
	if controller != nil && len(controller.Controller) > 0 {
		tags.AppendKeyValue(constants.ControllerLabelString, controller.Controller)
	}

	report, pkt := context.SearchTxtRules(tags, !d.mutualAuthorization)

	// Ping packet from remote enforcer.
	if claimsHeader != nil {
		if claimsHeader.Ping() && claims.P != nil {
			payloadSize := len(token)
			err := d.processPingNetSynAckPacket(context, conn, tcpPacket, payloadSize, pkt, claims, false)
			if err != nil && err != errDropPingNetSynAck {
				zap.L().Error("unable to process ping network synack", zap.Error(err))
			}
			return err
		}
	}

	// Report and release traffic belonging to the same pu
	if conn.Auth.RemoteContextID == context.ManagementID() {
		conn.SetState(connection.TCPData)
		conn.SetLoopbackConnection(true)
		d.reportAcceptedFlow(tcpPacket, conn, conn.Auth.RemoteContextID, context.ManagementID(), context, nil, nil, true)
		d.releaseUnmonitoredFlow(tcpPacket)
		return nil
	}

	if pkt.Action.Rejected() {
		d.reportRejectedFlow(tcpPacket, conn, conn.Auth.RemoteContextID, context.ManagementID(), context, collector.PolicyDrop, report, pkt, true)
		return context.Counters().CounterError(counters.ErrSynAckRejected, fmt.Errorf("ErrSynAckRejected"))
	}

	return nil
}

// processNetworkAckPacket processes an Ack packet arriving from the network
func (d *Datapath) processNetworkAckPacket(context *pucontext.PUContext, conn *connection.TCPConnection, tcpPacket *packet.Packet) error {

	var err error

	if conn.GetState() == connection.TCPData || conn.GetState() == connection.TCPAckSend {

		// This rule is required as network packets are being duplicated by the middle box in google. Our ack packets contain payload and that will be sent to the tcp stack,
		// if we don't drop them here.
		if err := tcpPacket.CheckTCPAuthenticationOption(enforcerconstants.TCPAuthenticationOptionBaseLen); err == nil {
			return conn.Context.Counters().CounterError(counters.ErrDuplicateAckDrop, fmt.Errorf("ErrDuplicateAckDrop"))
		}

		conn.ResetTimer(waitBeforeRemovingConn)
		tcpPacket.SetConnmark = true
		return nil
	}

	if conn.IsLoopbackConnection() {
		conn.SetState(connection.TCPData)
		d.releaseUnmonitoredFlow(tcpPacket)
		return nil
	}

	// Validate that the source/destination nonse matches. The signature has validated both directions
	if conn.GetState() == connection.TCPSynAckSend || conn.GetState() == connection.TCPSynReceived {

		if err := tcpPacket.CheckTCPAuthenticationOption(enforcerconstants.TCPAuthenticationOptionBaseLen); err != nil {
			return conn.Context.Counters().CounterError(counters.ErrAckTCPNoTCPAuthOption, fmt.Errorf("ErrAckTCPNoTCPAuthOption"))
		}

		if err = d.tokenAccessor.ParseAckToken(conn.Auth.Proto314, conn.Auth.SecretKey, conn.Auth.Nonce[:], tcpPacket.ReadTCPData(), &conn.Auth.ConnectionClaims); err != nil {
			zap.L().Error("Ack Packet dropped because signature validation failed", zap.String("flow", tcpPacket.L4FlowHash()), zap.Error(err))
			d.reportRejectedFlow(tcpPacket, conn, collector.DefaultEndPoint, context.ManagementID(), context, collector.InvalidToken, nil, nil, false)
			return conn.Context.Counters().CounterError(netAckCounterFromError(err), err)
		}

		tcpPacket.TCPDataDetach(enforcerconstants.TCPAuthenticationOptionBaseLen)

		if conn.PacketFlowPolicy != nil && conn.PacketFlowPolicy.Action.Rejected() {
			if !conn.PacketFlowPolicy.ObserveAction.Observed() {
				zap.L().Error("Flow rejected but not observed", zap.String("conn", context.ManagementID()))
			}
			// Flow has been allowed because we are observing a deny rule's impact on the system. Packets are forwarded, reported as dropped + observed.
			d.reportRejectedFlow(tcpPacket, conn, conn.Auth.RemoteContextID, context.ManagementID(), context, collector.PolicyDrop, conn.ReportFlowPolicy, conn.PacketFlowPolicy, false)
		} else {
			// We accept the packet as a new flow
			d.reportAcceptedFlow(tcpPacket, conn, conn.Auth.RemoteContextID, context.ManagementID(), context, conn.ReportFlowPolicy, conn.PacketFlowPolicy, false)
		}

		conn.SetState(connection.TCPData)

		if err := d.ignoreFlow(tcpPacket); err != nil {
			zap.L().Error("Failed to ignore flow", zap.Error(err))
		}
		conn.Context.Counters().IncrementCounter(counters.ErrConnectionsProcessed)
		// Accept the packet
		return nil
	}

	if conn.GetState() == connection.UnknownState {
		// Check if the destination is in the external servicess approved cache
		// and if yes, allow the packet to go and release the flow.
		_, plcy, perr := context.NetworkACLPolicy(tcpPacket)

		// Ignore FIN packets. Let them go through.
		if tcpPacket.GetTCPFlags()&packet.TCPFinMask != 0 {
			conn.Context.Counters().IncrementCounter(counters.ErrIgnoreFin)
			return nil
		}

		if perr != nil {
			conn.Context.Counters().CounterError(counters.ErrAckInUnknownState, nil) //nolint
			zap.L().Debug("converting to rst network",
				zap.String("SourceIP", tcpPacket.SourceAddress().String()),
				zap.String("DestinationIP", tcpPacket.DestinationAddress().String()),
				zap.Int("SourcePort", int(tcpPacket.SourcePort())),
				zap.Int("DestinationPort", int(tcpPacket.DestPort())),
				zap.String("Flags", packet.TCPFlagsToStr(tcpPacket.GetTCPFlags())),
			)
			tcpPacket.ConvertToRst()

			tcpPacket.SetConnmark = true
			return nil
		}

		if plcy.Action.Rejected() {
			return conn.Context.Counters().CounterError(counters.ErrAckFromExtNetReject, fmt.Errorf("ErrAckFromExtNetReject"))
		}

		if err := d.ignoreFlow(tcpPacket); err != nil {
			zap.L().Error("Failed to ignore flow", zap.Error(err))
		}

		tcpPacket.SetConnmark = true

		conn.Context.Counters().IncrementCounter(counters.ErrAckFromExtNetAccept)
		return nil
	}

	hash := tcpPacket.L4FlowHash()

	// Everything else is dropped - ACK received in the Syn state without a SynAck
	zap.L().Debug("Invalid state reached",
		zap.String("state", fmt.Sprintf("%d", conn.GetState())),
		zap.String("context", context.ManagementID()),
		zap.String("net-conn", hash),
	)

	return conn.Context.Counters().CounterError(counters.ErrInvalidNetAckState, fmt.Errorf("ErrInvalidNetAckState"))
}

// appSynRetrieveState retrieves state for the the application Syn packet.
// It creates a new connection by default
func (d *Datapath) appSynRetrieveState(p *packet.Packet) (*connection.TCPConnection, error) {
	var err error
	var context *pucontext.PUContext

	// If PU context doesn't exist for this syn, return error.
	if context, err = d.contextFromIP(true, p.Mark, p.SourcePort(), packet.IPProtocolTCP); err != nil {
		return nil, counters.CounterError(counters.ErrSynUnexpectedPacket, err)
	}

	// check if app syn has been seen?
	if conn, exists := d.cacheGet(d.tcpClient, p.L4FlowHash()); exists {
		if !conn.GetMarkForDeletion() && conn.GetInitialSequenceNumber() == p.TCPSequenceNumber() {
			// return this connection only if we are not deleting this
			// this is marked only when we see a FINACK for this l4flowhash
			// this should not have happened for a connection while we are processing a appSyn for this connection
			// The addorupdate for this cache will happen outside in processtcppacket
			return conn, nil
		} else { //nolint
			//stale app syn. We remove from the cache
			d.cacheRemove(d.tcpClient, p.L4FlowHash())
		}
	}
	return connection.NewTCPConnection(context, p), nil
}

// appSynAckRetrieveState retrieves the state for application syn/ack packet.
func (d *Datapath) appSynAckRetrieveState(p *packet.Packet) (*connection.TCPConnection, error) {
	hash := p.L4ReverseFlowHash()

	// We must have seen a network syn.
	if conn, exists := d.cacheGet(d.tcpServer, hash); exists {
		return conn, nil
	}

	return nil, counters.CounterError(counters.ErrNetSynNotSeen, errors.New("Network Syn not seen"))
}

// appRetrieveState retrieves the state for the rest of the application packets. It
// returns an error if it cannot find the state
func (d *Datapath) appRetrieveState(p *packet.Packet) (*connection.TCPConnection, error) {

	// Is this ack generated from a PU, a tcp client.
	if conn, exists := d.cacheGet(d.tcpClient, p.L4FlowHash()); exists {
		return conn, nil
	}

	// is this ack generated from a PU, a tcp server.
	if conn, exists := d.cacheGet(d.tcpServer, p.L4ReverseFlowHash()); exists {
		return conn, nil
	}

	counters.CounterError(counters.ErrNoConnFound, nil) //nolint

	zap.L().Debug("Application ACK Packet received with no state",
		zap.String("flow", p.L4FlowHash()),
		zap.String("Flags", packet.TCPFlagsToStr(p.GetTCPFlags())))

	if p.GetTCPFlags()&packet.TCPSynAckMask == packet.TCPAckMask {
		// Let's try if its an existing connection
		context, err := d.contextFromIP(true, p.Mark, p.SourcePort(), packet.IPProtocolTCP)
		if err != nil {
			return nil, errors.New("No context in app processing")
		}
		conn := connection.NewTCPConnection(context, p)
		conn.SetState(connection.UnknownState)
		return conn, nil
	}

	if p.GetTCPFlags()&packet.TCPRstMask != 0 && p.GetTCPFlags()&packet.TCPAckMask == 0 {
		return nil, errRstPacket
	}

	return nil, errNoConnection
}

// netSynRetrieveState retrieves the state for the Syn packets on the network.
// Obviously if no state is found, it generates a new connection record.
func (d *Datapath) netSynRetrieveState(p *packet.Packet) (*connection.TCPConnection, error) {

	var conn *connection.TCPConnection
	var context *pucontext.PUContext
	var err error

	if context, err = d.contextFromIP(false, p.Mark, p.DestPort(), packet.IPProtocolTCP); err != nil {
		return nil, counters.CounterError(counters.ErrInvalidNetSynState, err)
	}

	if conn, exists := d.cacheGet(d.tcpServer, p.L4FlowHash()); exists {
		if !conn.GetMarkForDeletion() && conn.GetInitialSequenceNumber() == p.TCPSequenceNumber() {
			// Only if we havent seen FINACK on this connection
			return conn, nil
		} else { //nolint
			// remove stale net syn entry
			d.cacheRemove(d.tcpServer, p.L4FlowHash())
		}
	}

	conn = connection.NewTCPConnection(context, p)

	conn.Secrets, conn.Auth.LocalDatapathPrivateKey, conn.Auth.LocalDatapathPublicKeyV1, conn.Auth.LocalDatapathPublicKeySignV1, conn.Auth.LocalDatapathPublicKeyV2, conn.Auth.LocalDatapathPublicKeySignV2 = context.GetSecrets()
	return conn, nil
}

// netSynAckRetrieveState retrieves the state for SynAck packets at the network
// It relies on the source port cache for that
func (d *Datapath) netSynAckRetrieveState(p *packet.Packet) (*connection.TCPConnection, error) {

	// We must have seen App Syn
	if conn, exists := d.cacheGet(d.tcpClient, p.L4ReverseFlowHash()); exists {
		if conn.GetMarkForDeletion() {
			return nil, errOutOfOrderSynAck
		}
		return conn, nil
	}

	return nil, counters.CounterError(counters.ErrNonPUTraffic, errNonPUTraffic)
}

// netRetrieveState retrieves the state of a network connection. Use the flow caches for that
func (d *Datapath) netRetrieveState(p *packet.Packet) (*connection.TCPConnection, error) {
	// Is the ack received by a tcp client
	if conn, exists := d.cacheGet(d.tcpClient, p.L4ReverseFlowHash()); exists {
		if p.GetTCPFlags()&packet.TCPRstMask != 0 && p.GetTCPFlags()&packet.TCPAckMask == 0 {
			if !bytes.Equal(p.ReadTCPData(), rstIdentity) {
				conn.SetReportReason("reset")
			}
			return conn, errRstPacket
		}
		return conn, nil
	}

	// Is the ack received by a tcp server
	if conn, exists := d.cacheGet(d.tcpServer, p.L4FlowHash()); exists {
		return conn, nil
	}

	if p.GetTCPFlags()&packet.TCPSynAckMask == packet.TCPAckMask {
		// Let's try if its an existing connection
		context, cerr := d.contextFromIP(false, p.Mark, p.DestPort(), packet.IPProtocolTCP)
		if cerr != nil {
			return nil, cerr
		}
		conn := connection.NewTCPConnection(context, p)
		conn.SetState(connection.UnknownState)
		return conn, nil
	}

	if p.GetTCPFlags()&packet.TCPRstMask != 0 && p.GetTCPFlags()&packet.TCPAckMask == 0 {
		return nil, errRstPacket
	}

	return nil, errNoConnection
}

// releaseExternalFlow releases the flow and updates the conntrack table
func (d *Datapath) releaseExternalFlow(context *pucontext.PUContext, report *policy.FlowPolicy, action *policy.FlowPolicy, tcpPacket *packet.Packet) {

	d.cacheRemove(d.tcpClient, tcpPacket.L4ReverseFlowHash())

	if err := d.ignoreFlow(tcpPacket); err != nil {
		zap.L().Error("Failed to ignore flow", zap.Error(err))
	}

	tcpPacket.SetConnmark = true
	d.reportReverseExternalServiceFlow(context, report, action, true, tcpPacket)
}

// releaseUnmonitoredFlow releases the flow and updates the conntrack table
func (d *Datapath) releaseUnmonitoredFlow(tcpPacket *packet.Packet) {

	if err := d.ignoreFlow(tcpPacket); err != nil {
		zap.L().Error("Failed to ignore flow", zap.Error(err))
	}

	tcpPacket.SetConnmark = true
}


================================================
FILE: controller/internal/enforcer/nfqdatapath/datapath_test.go
================================================
// +build linux

package nfqdatapath

import (
	"context"
	"crypto/ecdsa"
	"encoding/binary"
	"errors"
	"fmt"
	"math/rand"
	"net"
	"reflect"
	"strconv"
	"testing"
	"time"

	"github.com/golang/mock/gomock"
	. "github.com/smartystreets/goconvey/convey"
	"go.aporeto.io/enforcerd/trireme-lib/collector"
	"go.aporeto.io/enforcerd/trireme-lib/common"
	"go.aporeto.io/enforcerd/trireme-lib/controller/constants"
	enforcerconstants "go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/constants"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/utils/packetgen"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/connection"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/counters"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/flowtracking/mockflowclient"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packet"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packettracing"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/pucontext"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
	"go.aporeto.io/enforcerd/trireme-lib/utils/portspec"
	"gotest.tools/assert"
)

func TestEnforcerExternalNetworks(t *testing.T) {

	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	testThePackets := func(enforcer *Datapath) {

		PacketFlow := packetgen.NewTemplateFlow()

		_, err := PacketFlow.GenerateTCPFlow(packetgen.PacketFlowTypeGoodFlowTemplate)
		So(err, ShouldBeNil)

		synackPacket, err := PacketFlow.GetFirstSynAckPacket().ToBytes()
		So(err, ShouldBeNil)

		tcpPacket, _ := packet.New(0, synackPacket, "0", true)
		_, err1 := enforcer.processApplicationTCPPackets(tcpPacket)
		So(err1, ShouldBeNil)

	}

	Convey("When the mode is RemoteConainter", t, func() {

		enforcer, secrets, mockTokenAccessor, _, _ := NewWithMocks(ctrl, "serverID1", constants.RemoteContainer, []string{"0.0.0.0/0"}, true)

		secrets.EXPECT().TransmittedKey().Return([]byte("dummy")).AnyTimes()
		secrets.EXPECT().EncodingKey().Return(&ecdsa.PrivateKey{}).AnyTimes()
		mockTokenAccessor.EXPECT().Sign(gomock.Any(), gomock.Any()).Times(1).Return([]byte("token"), nil).AnyTimes()
		mockTokenAccessor.EXPECT().CreateSynPacketToken(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Times(1).Return([]byte("token"), nil)

		iprules := policy.IPRuleList{policy.IPRule{
			Addresses: []string{"10.1.10.76/32"},
			Ports:     []string{"80"},
			Protocols: []string{constants.TCPProtoNum},
			Policy: &policy.FlowPolicy{
				Action:   policy.Accept,
				PolicyID: "tcp172/8"},
		}}

		contextID := "123456"
		puInfo := policy.NewPUInfo(contextID, "/ns1", common.LinuxProcessPU)

		context, err := pucontext.NewPU(contextID, puInfo, mockTokenAccessor, 10*time.Second)
		So(err, ShouldBeNil)
		enforcer.puFromContextID.AddOrUpdate(contextID, context)
		s, _ := portspec.NewPortSpec(80, 80, contextID)
		enforcer.contextIDFromTCPPort.AddPortSpec(s)

		err = context.UpdateNetworkACLs(iprules)
		So(err, ShouldBeNil)

		testThePackets(enforcer)
	})
}

func TestInvalidContext(t *testing.T) {

	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	defer MockGetUDPRawSocket()()

	Convey("Given I create a new enforcer instance", t, func() {

		enforcer, _, _, _, _ := NewWithMocks(ctrl, "serverID", constants.LocalServer, []string{"0.0.0.0/0"}, true)

		PacketFlow := packetgen.NewTemplateFlow()
		_, err := PacketFlow.GenerateTCPFlow(packetgen.PacketFlowTypeGoodFlowTemplate)
		So(err, ShouldBeNil)
		synPacket, err := PacketFlow.GetFirstSynPacket().ToBytes()
		So(err, ShouldBeNil)
		tcpPacket, err := packet.New(0, synPacket, "0", true)
		Convey("When I run a TCP Syn packet through a non existing context", func() {

			_, err1 := enforcer.processApplicationTCPPackets(tcpPacket)
			_, _, err2 := enforcer.processNetworkTCPPackets(tcpPacket)

			Convey("Then I should see an error for non existing context", func() {

				So(err, ShouldBeNil)
				So(err1, ShouldNotBeNil)
				So(err2, ShouldNotBeNil)
			})
		})
	})
}

func TestPacketHandlingFirstThreePacketsHavePayload(t *testing.T) {

	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	testThePackets := func(enforcer *Datapath) {
		SIP := net.IPv4zero
		firstSynAckProcessed := false
		PacketFlow := packetgen.NewTemplateFlow()
		_, err := PacketFlow.GenerateTCPFlow(packetgen.PacketFlowTypeGoodFlowTemplate)
		So(err, ShouldBeNil)
		for i := 0; i < PacketFlow.GetNumPackets(); i++ {
			oldPacketFromFlow, err := PacketFlow.GetNthPacket(i).ToBytes()
			So(err, ShouldBeNil)
			oldPacket, err := packet.New(0, oldPacketFromFlow, "0", true)
			if err == nil && oldPacket != nil {
				oldPacket.UpdateIPv4Checksum()
				oldPacket.UpdateTCPChecksum()
			}
			tcpPacketFromFlow, err := PacketFlow.GetNthPacket(i).ToBytes()
			So(err, ShouldBeNil)
			tcpPacket, err := packet.New(0, tcpPacketFromFlow, "0", true)
			if err == nil && tcpPacket != nil {
				tcpPacket.UpdateIPv4Checksum()
				tcpPacket.UpdateTCPChecksum()
			}
			if debug {
				fmt.Println("Input packet", i)
				tcpPacket.Print(0, false)
			}

			So(err, ShouldBeNil)
			So(tcpPacket, ShouldNotBeNil)

			if reflect.DeepEqual(SIP, net.IPv4zero) {
				SIP = tcpPacket.SourceAddress()
			}
			if !reflect.DeepEqual(SIP, tcpPacket.DestinationAddress()) &&
				!reflect.DeepEqual(SIP, tcpPacket.SourceAddress()) {
				t.Error("Invalid Test Packet")
			}

			_, err = enforcer.processApplicationTCPPackets(tcpPacket)
			So(err, ShouldBeNil)

			if debug {
				fmt.Println("Intermediate packet", i)
				tcpPacket.Print(0, false)
			}

			if tcpPacket.GetTCPFlags()&packet.TCPSynMask != 0 {
				Convey("When I pass a packet with SYN or SYN/ACK flags for packet "+strconv.Itoa(i), func() {
					Convey("Then I expect some data payload to exist on the packet "+strconv.Itoa(i), func() {
						// In our 3 way security handshake syn and syn-ack packet should grow in length
						So(tcpPacket.IPTotalLen(), ShouldBeGreaterThan, oldPacket.IPTotalLen())
					})
				})
			}

			if !firstSynAckProcessed && tcpPacket.GetTCPFlags()&packet.TCPSynAckMask == packet.TCPAckMask {
				firstSynAckProcessed = true
				Convey("When I pass the first packet with ACK flag for packet "+strconv.Itoa(i), func() {
					Convey("Then I expect some data payload to exist on the packet "+strconv.Itoa(i), func() {
						// In our 3 way security handshake first ack packet should grow in length
						So(tcpPacket.IPTotalLen(), ShouldBeGreaterThan, oldPacket.IPTotalLen())
					})
				})
			}

			output := make([]byte, len(tcpPacket.GetTCPBytes()))
			copy(output, tcpPacket.GetTCPBytes())

			outPacket, errp := packet.New(0, output, "0", true)
			So(len(tcpPacket.GetTCPBytes()), ShouldBeLessThanOrEqualTo, len(outPacket.GetTCPBytes()))
			So(errp, ShouldBeNil)

			_, f, err := enforcer.processNetworkTCPPackets(outPacket)
			if f != nil {
				f()
			}

			So(err, ShouldBeNil)

			if debug {
				fmt.Println("Output packet", i)
				outPacket.Print(0, false)
			}
		}
	}

	flowRecord := CreateFlowRecord(1, testSrcIP, testDstIP, 666, 80, policy.Accept, "")

	Convey("When the mode is RemoteConainter", t, func() {

		enforcer, mockCollector := createEnforcerWithPolicy(ctrl, constants.RemoteContainer)
		mockCollector.EXPECT().CollectFlowEvent(MyMatcher(&flowRecord)).Times(1)
		testThePackets(enforcer)

	})

	Convey("When the mode is LocalServer", t, func() {

		enforcer, mockCollector := createEnforcerWithPolicy(ctrl, constants.LocalServer)
		mockCollector.EXPECT().CollectFlowEvent(MyMatcher(&flowRecord)).Times(1)
		testThePackets(enforcer)

	})
}

func TestInvalidIPContext(t *testing.T) {

	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	defer MockGetUDPRawSocket()()

	Convey("Given I create a new enforcer instance", t, func() {

		enforcer, secrets, mockTokenAccessor, mockCollector, mockDNS := NewWithMocks(ctrl, "serverID", constants.LocalServer, []string{"0.0.0.0/0"}, true)

		secrets.EXPECT().TransmittedKey().Return([]byte("dummy")).AnyTimes()
		secrets.EXPECT().EncodingKey().Return(&ecdsa.PrivateKey{}).AnyTimes()
		mockTokenAccessor.EXPECT().Sign(gomock.Any(), gomock.Any()).Times(1).Return([]byte("token"), nil).AnyTimes()
		mockTokenAccessor.EXPECT().CreateSynPacketToken(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Times(1).Return([]byte("token"), nil)
		mockDNS.EXPECT().StartDNSServer(gomock.Any(), gomock.Any(), gomock.Any()).Times(1)
		mockDNS.EXPECT().Enforce(gomock.Any(), gomock.Any(), gomock.Any()).Times(1)
		mockDNS.EXPECT().Unenforce(gomock.Any(), gomock.Any()).Times(1)
		mockDNS.EXPECT().SyncWithPlatformCache(gomock.Any(), gomock.Any()).Times(1)

		puInfo := policy.NewPUInfo("SomeProcessingUnitId", "/ns2", common.LinuxProcessPU)

		CounterReport := &collector.CounterReport{
			PUID:      puInfo.Policy.ManagementID(),
			Namespace: puInfo.Policy.ManagementNamespace(),
		}
		mockCollector.EXPECT().CollectCounterEvent(MyCounterMatcher(CounterReport)).MinTimes(1)

		enforcer.Enforce(context.Background(), "serverID", puInfo) // nolint
		defer func() {
			if err := enforcer.Unenforce(context.Background(), "serverID"); err != nil {
				fmt.Println("Error", err.Error())
			}
		}()

		PacketFlow := packetgen.NewTemplateFlow()
		_, err := PacketFlow.GenerateTCPFlow(packetgen.PacketFlowTypeMultipleGoodFlow)
		So(err, ShouldBeNil)
		synPacket, err := PacketFlow.GetFirstSynPacket().ToBytes()
		So(err, ShouldBeNil)
		tcpPacket, err := packet.New(0, synPacket, "0", true)

		Convey("When I run a TCP Syn packet through an invalid existing context (missing IP)", func() {

			_, err1 := enforcer.processApplicationTCPPackets(tcpPacket)
			_, _, err2 := enforcer.processNetworkTCPPackets(tcpPacket)

			Convey("Then I should see an error for missing IP", func() {

				So(err, ShouldBeNil)
				So(err1, ShouldNotBeNil)
				So(err2, ShouldNotBeNil)
			})
		})
	})
}

// TestEnforcerConnUnknownState test ensures that enforcer closes the
// connection by converting packets to rst when it finds connection
// to be in unknown state. This happens when enforcer has not seen the
// 3way handshake for a connection.
func TestEnforcerConnUnknownState(t *testing.T) {

	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	testThePackets := func(enforcer *Datapath) {
		Convey("If I send an ack packet from either PU to the other, it is converted into a Fin/Ack", func() {
			PacketFlow := packetgen.NewTemplateFlow()
			_, err := PacketFlow.GenerateTCPFlow(packetgen.PacketFlowTypeGoodFlowTemplate)
			So(err, ShouldBeNil)

			input, err := PacketFlow.GetFirstAckPacket().ToBytes()
			So(err, ShouldBeNil)

			tcpPacket, err := packet.New(0, input, "0", true)
			// create a copy of the ack packet
			tcpPacketCopy := *tcpPacket

			if err == nil && tcpPacket != nil {
				tcpPacket.UpdateIPv4Checksum()
				tcpPacket.UpdateTCPChecksum()
			}

			_, err1 := enforcer.processApplicationTCPPackets(tcpPacket)

			// Test whether the packet is modified with Fin/Ack
			if tcpPacket.GetTCPFlags() != 0x04 {
				t.Fail()
			}

			_, _, err2 := enforcer.processNetworkTCPPackets(&tcpPacketCopy)

			if tcpPacket.GetTCPFlags() != 0x04 {
				t.Fail()
			}

			So(err1, ShouldBeNil)
			So(err2, ShouldBeNil)
		})
	}

	Convey("When the mode is RemoteConainter", t, func() {

		enforcer, _ := createEnforcerWithPolicy(ctrl, constants.RemoteContainer)
		testThePackets(enforcer)

	})

	Convey("When the mode is LocalServer", t, func() {

		enforcer, _ := createEnforcerWithPolicy(ctrl, constants.LocalServer)
		testThePackets(enforcer)

	})
}

func TestInvalidTokenContext(t *testing.T) {

	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	defer MockGetUDPRawSocket()()

	testThePackets := func(enforcer *Datapath) {

		PacketFlow := packetgen.NewTemplateFlow()
		_, err := PacketFlow.GenerateTCPFlow(packetgen.PacketFlowTypeGoodFlowTemplate)
		So(err, ShouldBeNil)
		synPacket, err := PacketFlow.GetFirstSynPacket().ToBytes()
		So(err, ShouldBeNil)
		tcpPacket, err := packet.New(0, synPacket, "0", true)

		Convey("When I run a TCP Syn packet through an invalid existing context (missing IP)", func() {

			_, err1 := enforcer.processApplicationTCPPackets(tcpPacket)
			_, _, err2 := enforcer.processNetworkTCPPackets(tcpPacket)

			Convey("Then I should see an error for missing Token", func() {

				So(err, ShouldBeNil)
				So(err1, ShouldNotBeNil)
				So(err2, ShouldNotBeNil)
			})
		})
	}

	Convey("Given I create a new enforcer instance", t, func() {

		puInfo := policy.NewPUInfo("SomeProcessingUnitId", "/ns2", common.LinuxProcessPU)

		ip := policy.ExtendedMap{
			"brige": testDstIP,
		}
		puInfo.Runtime.SetIPAddresses(ip)

		enforcer, secrets, mockTokenAccessor, _, mockDNS := NewWithMocks(ctrl, "serverID", constants.LocalServer, []string{"0.0.0.0/0"}, true)

		secrets.EXPECT().TransmittedKey().Return([]byte("dummy")).AnyTimes()
		secrets.EXPECT().EncodingKey().Return(&ecdsa.PrivateKey{}).AnyTimes()
		mockTokenAccessor.EXPECT().Sign(gomock.Any(), gomock.Any()).Times(1).Return([]byte("token"), nil).AnyTimes()
		mockTokenAccessor.EXPECT().CreateSynPacketToken(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Times(1).Return([]byte("token"), nil)
		mockDNS.EXPECT().StartDNSServer(gomock.Any(), gomock.Any(), gomock.Any()).Times(1)
		mockDNS.EXPECT().Enforce(gomock.Any(), gomock.Any(), gomock.Any()).Times(1)
		mockDNS.EXPECT().SyncWithPlatformCache(gomock.Any(), gomock.Any()).Times(1)

		enforcer.Enforce(context.Background(), "serverID", puInfo) // nolint

		testThePackets(enforcer)
	})
}

func TestPacketHandlingDstPortCacheBehavior(t *testing.T) {

	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	testThePackets := func(enforcer *Datapath) {

		SIP := net.IPv4zero

		Convey("When I pass multiple packets through the enforcer", func() {

			PacketFlow := packetgen.NewTemplateFlow()
			_, err := PacketFlow.GenerateTCPFlow(packetgen.PacketFlowTypeGoodFlowTemplate)
			So(err, ShouldBeNil)
			for i := 0; i < PacketFlow.GetNumPackets(); i++ {
				oldPacketFromFlow, err := PacketFlow.GetNthPacket(i).ToBytes()
				So(err, ShouldBeNil)
				oldPacket, err := packet.New(0, oldPacketFromFlow, "0", true)
				if err == nil && oldPacket != nil {
					oldPacket.UpdateIPv4Checksum()
					oldPacket.UpdateTCPChecksum()
				}
				tcpPacketFromFlow, err := PacketFlow.GetNthPacket(i).ToBytes()
				So(err, ShouldBeNil)
				tcpPacket, err := packet.New(0, tcpPacketFromFlow, "0", true)
				if err == nil && tcpPacket != nil {
					tcpPacket.UpdateIPv4Checksum()
					tcpPacket.UpdateTCPChecksum()
				}

				if debug {
					fmt.Println("Input packet", i)
					tcpPacket.Print(0, false)
				}

				So(err, ShouldBeNil)
				So(tcpPacket, ShouldNotBeNil)

				if reflect.DeepEqual(SIP, net.IPv4zero) {
					SIP = tcpPacket.SourceAddress()
				}
				if !reflect.DeepEqual(SIP, tcpPacket.DestinationAddress()) &&
					!reflect.DeepEqual(SIP, tcpPacket.SourceAddress()) {
					t.Error("Invalid Test Packet")
				}

				_, err = enforcer.processApplicationTCPPackets(tcpPacket)
				So(err, ShouldBeNil)

				if debug {
					fmt.Println("Intermediate packet", i)
					tcpPacket.Print(0, false)
				}

				output := make([]byte, len(tcpPacket.GetTCPBytes()))
				copy(output, tcpPacket.GetTCPBytes())

				outPacket, errp := packet.New(0, output, "0", true)
				So(len(tcpPacket.GetTCPBytes()), ShouldBeLessThanOrEqualTo, len(outPacket.GetTCPBytes()))
				So(errp, ShouldBeNil)
				_, f, err := enforcer.processNetworkTCPPackets(outPacket)
				if f != nil {
					f()
				}

				So(err, ShouldBeNil)

				if debug {
					fmt.Println("Output packet", i)
					outPacket.Print(0, false)
				}
			}
		})
	}

	flowRecord := CreateFlowRecord(1, testSrcIP, testDstIP, 666, 80, policy.Accept, "")

	Convey("When the mode is RemoteConainter", t, func() {

		enforcer, mockCollector := createEnforcerWithPolicy(ctrl, constants.RemoteContainer)
		mockCollector.EXPECT().CollectFlowEvent(MyMatcher(&flowRecord)).Times(1)
		testThePackets(enforcer)

	})

	Convey("When the mode is LocalServer", t, func() {

		enforcer, mockCollector := createEnforcerWithPolicy(ctrl, constants.LocalServer)
		mockCollector.EXPECT().CollectFlowEvent(MyMatcher(&flowRecord)).Times(1)
		testThePackets(enforcer)

	})
}

func TestAckLost(t *testing.T) {

	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	testThePackets := func(enforcer *Datapath) {
		PacketFlow := packetgen.NewTemplateFlow()
		_, err := PacketFlow.GenerateTCPFlow(packetgen.PacketFlowTypeGoodFlowTemplate)
		So(err, ShouldBeNil)

		synPacket, err := PacketFlow.GetFirstSynPacket().ToBytes()
		So(err, ShouldBeNil)
		tcpPacket, err := packet.New(0, synPacket, "0", true)
		if err == nil && tcpPacket != nil {
			tcpPacket.UpdateIPv4Checksum()
			tcpPacket.UpdateTCPChecksum()
		}

		_, err = enforcer.processApplicationTCPPackets(tcpPacket)
		So(err, ShouldBeNil)

		output := make([]byte, len(tcpPacket.GetTCPBytes()))
		copy(output, tcpPacket.GetTCPBytes())

		outPacket, errp := packet.New(0, output, "0", true)
		So(len(tcpPacket.GetTCPBytes()), ShouldBeLessThanOrEqualTo, len(outPacket.GetTCPBytes()))
		So(errp, ShouldBeNil)

		_, f, err := enforcer.processNetworkTCPPackets(outPacket)
		if f != nil {
			f()
		}

		So(err, ShouldBeNil)

		input, _ := PacketFlow.GetFirstSynAckPacket().ToBytes()

		tcpPacket, _ = packet.New(0, input, "0", true)
		if tcpPacket != nil {
			tcpPacket.UpdateIPv4Checksum()
			tcpPacket.UpdateTCPChecksum()
		}

		_, err = enforcer.processApplicationTCPPackets(tcpPacket)
		So(err, ShouldBeNil)

		output = make([]byte, len(tcpPacket.GetTCPBytes()))
		copy(output, tcpPacket.GetTCPBytes())

		outPacket, _ = packet.New(0, output, "0", true)
		_, f, err = enforcer.processNetworkTCPPackets(outPacket)
		if f != nil {
			f()
		}
		So(err, ShouldBeNil)

		input, _ = PacketFlow.GetFirstAckPacket().ToBytes()
		tcpPacket, _ = packet.New(0, input, "0", true)
		if tcpPacket != nil {
			tcpPacket.UpdateIPv4Checksum()
			tcpPacket.UpdateTCPChecksum()
		}

		_, err = enforcer.processApplicationTCPPackets(tcpPacket)
		So(err, ShouldBeNil)
		//simulate drop, and re-transmit packets.

		input, _ = PacketFlow.GetFirstSynAckPacket().ToBytes()

		tcpPacket, _ = packet.New(0, input, "0", true)
		if tcpPacket != nil {
			tcpPacket.UpdateIPv4Checksum()
			tcpPacket.UpdateTCPChecksum()
		}

		_, err = enforcer.processApplicationTCPPackets(tcpPacket)
		assert.Equal(t, err, nil, "error should be nil")

		output = make([]byte, len(tcpPacket.GetTCPBytes()))
		copy(output, tcpPacket.GetTCPBytes())

		outPacket, _ = packet.New(0, output, "0", true)
		_, f, err = enforcer.processNetworkTCPPackets(outPacket)
		if f != nil {
			f()
		}
		assert.Equal(t, err, nil, "error should be nil")

		input, _ = PacketFlow.GetFirstAckPacket().ToBytes()

		tcpPacket, _ = packet.New(0, input, "0", true)
		if tcpPacket != nil {
			tcpPacket.UpdateIPv4Checksum()
			tcpPacket.UpdateTCPChecksum()
		}

		_, err = enforcer.processApplicationTCPPackets(tcpPacket)
		assert.Equal(t, err, nil, "error should be nil")

		output = make([]byte, len(tcpPacket.GetTCPBytes()))
		copy(output, tcpPacket.GetTCPBytes())

		outPacket, _ = packet.New(0, output, "0", true)

		_, f, err = enforcer.processNetworkTCPPackets(outPacket)
		if f != nil {
			f()
		}

		assert.Equal(t, err, nil, "error should be nil")

	}

	flowRecord := CreateFlowRecord(1, testSrcIP, testDstIP, 666, 80, policy.Accept, "")

	Convey("When the mode is RemoteConainter", t, func() {

		enforcer, mockCollector := createEnforcerWithPolicy(ctrl, constants.RemoteContainer)
		flowclient := mockflowclient.NewMockFlowClient(ctrl)
		flowclient.EXPECT().UpdateApplicationFlowMark(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Times(1).Return(nil).AnyTimes()
		enforcer.conntrack = flowclient
		mockCollector.EXPECT().CollectFlowEvent(MyMatcher(&flowRecord)).Times(1)

		testThePackets(enforcer)

	})
}

func TestConnectionTrackerStateLocalContainer(t *testing.T) {

	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	testThePackets := func(enforcer *Datapath) {

		PacketFlow := packetgen.NewTemplateFlow()
		_, err := PacketFlow.GenerateTCPFlow(packetgen.PacketFlowTypeGoodFlowTemplate)
		So(err, ShouldBeNil)
		/*first packet in TCPFLOW slice is a syn packet*/
		Convey("When i pass a syn packet through the enforcer", func() {

			input, err := PacketFlow.GetFirstSynPacket().ToBytes()
			So(err, ShouldBeNil)

			tcpPacket, err := packet.New(0, input, "0", true)
			if err == nil && tcpPacket != nil {
				tcpPacket.UpdateIPv4Checksum()
				tcpPacket.UpdateTCPChecksum()
			}

			_, err = enforcer.processApplicationTCPPackets(tcpPacket)
			//After sending syn packet
			CheckAfterAppSynPacket(enforcer, tcpPacket)
			So(err, ShouldBeNil)
			output := make([]byte, len(tcpPacket.GetTCPBytes()))
			copy(output, tcpPacket.GetTCPBytes())

			outPacket, err := packet.New(0, output, "0", true)
			So(err, ShouldBeNil)
			_, f, err := enforcer.processNetworkTCPPackets(outPacket)
			if f != nil {
				f()
			}
			So(err, ShouldBeNil)
			//Check after processing networksyn packet
			CheckAfterNetSynPacket(enforcer, tcpPacket, outPacket)

		})
		Convey("When i pass a SYN and SYN ACK packet through the enforcer", func() {

			input, err := PacketFlow.GetFirstSynPacket().ToBytes()
			So(err, ShouldBeNil)

			tcpPacket, err := packet.New(0, input, "0", true)
			if err == nil && tcpPacket != nil {
				tcpPacket.UpdateIPv4Checksum()
				tcpPacket.UpdateTCPChecksum()
			}
			_, err = enforcer.processApplicationTCPPackets(tcpPacket)
			So(err, ShouldBeNil)

			output := make([]byte, len(tcpPacket.GetTCPBytes()))
			copy(output, tcpPacket.GetTCPBytes())

			outPacket, err := packet.New(0, output, "0", true)
			So(err, ShouldBeNil)
			outPacket.Print(0, false)
			_, f, err := enforcer.processNetworkTCPPackets(outPacket)
			if f != nil {
				f()
			}
			So(err, ShouldBeNil)

			//Now lets send the synack packet from the server in response
			input, err = PacketFlow.GetFirstSynAckPacket().ToBytes()
			So(err, ShouldBeNil)

			tcpPacket, err = packet.New(0, input, "0", true)
			if err == nil && tcpPacket != nil {
				tcpPacket.UpdateIPv4Checksum()
				tcpPacket.UpdateTCPChecksum()
			}
			_, err = enforcer.processApplicationTCPPackets(tcpPacket)
			So(err, ShouldBeNil)

			output = make([]byte, len(tcpPacket.GetTCPBytes()))
			copy(output, tcpPacket.GetTCPBytes())

			outPacket, err = packet.New(0, output, "0", true)
			So(err, ShouldBeNil)
			outPacketcopy, _ := packet.New(0, output, "0", true)
			_, f, err = enforcer.processNetworkTCPPackets(outPacket)
			if f != nil {
				f()
			}
			So(err, ShouldBeNil)

			CheckAfterNetSynAckPacket(t, enforcer, outPacketcopy, outPacket)
		})

		Convey("When i pass a SYN and SYNACK and another ACK packet through the enforcer", func() {

			input, err := PacketFlow.GetFirstSynPacket().ToBytes()
			So(err, ShouldBeNil)
			tcpPacket, err := packet.New(0, input, "0", true)
			if err == nil && tcpPacket != nil {
				tcpPacket.UpdateIPv4Checksum()
				tcpPacket.UpdateTCPChecksum()
			}
			_, err = enforcer.processApplicationTCPPackets(tcpPacket)
			So(err, ShouldBeNil)

			output := make([]byte, len(tcpPacket.GetTCPBytes()))
			copy(output, tcpPacket.GetTCPBytes())

			outPacket, err := packet.New(0, output, "0", true)
			So(err, ShouldBeNil)
			_, f, err := enforcer.processNetworkTCPPackets(outPacket)
			if f != nil {
				f()
			}
			So(err, ShouldBeNil)

			//Now lets send the synack packet from the server in response
			input, err = PacketFlow.GetFirstSynAckPacket().ToBytes()
			So(err, ShouldBeNil)

			tcpPacket, err = packet.New(0, input, "0", true)
			if err == nil && tcpPacket != nil {
				tcpPacket.UpdateIPv4Checksum()
				tcpPacket.UpdateTCPChecksum()
			}
			_, err = enforcer.processApplicationTCPPackets(tcpPacket)
			So(err, ShouldBeNil)

			output = make([]byte, len(tcpPacket.GetTCPBytes()))
			copy(output, tcpPacket.GetTCPBytes())

			outPacket, err = packet.New(0, output, "0", true)
			So(err, ShouldBeNil)
			_, f, err = enforcer.processNetworkTCPPackets(outPacket)
			if f != nil {
				f()
			}
			So(err, ShouldBeNil)

			input, err = PacketFlow.GetFirstAckPacket().ToBytes()
			So(err, ShouldBeNil)

			tcpPacket, err = packet.New(0, input, "0", true)
			if err == nil && tcpPacket != nil {
				tcpPacket.UpdateIPv4Checksum()
				tcpPacket.UpdateTCPChecksum()
			}
			_, err = enforcer.processApplicationTCPPackets(tcpPacket)
			CheckAfterAppAckPacket(enforcer, tcpPacket)
			So(err, ShouldBeNil)

			output = make([]byte, len(tcpPacket.GetTCPBytes()))
			copy(output, tcpPacket.GetTCPBytes())

			outPacket, err = packet.New(0, output, "0", true)
			So(err, ShouldBeNil)
			CheckBeforeNetAckPacket(enforcer, tcpPacket, outPacket, false)
			_, f, err = enforcer.processNetworkTCPPackets(outPacket)
			if f != nil {
				f()
			}
			So(err, ShouldBeNil)
		})
	}

	flowRecord := CreateFlowRecord(1, testSrcIP, testDstIP, 666, 80, policy.Accept, "")

	Convey("When the mode is RemoteConainter", t, func() {

		enforcer, mockCollector := createEnforcerWithPolicy(ctrl, constants.RemoteContainer)
		mockCollector.EXPECT().CollectFlowEvent(MyMatcher(&flowRecord)).AnyTimes()
		testThePackets(enforcer)

	})

	Convey("When the mode is LocalServer", t, func() {

		enforcer, mockCollector := createEnforcerWithPolicy(ctrl, constants.LocalServer)
		mockCollector.EXPECT().CollectFlowEvent(MyMatcher(&flowRecord)).AnyTimes()
		testThePackets(enforcer)

	})
}

func CheckAfterAppSynPacket(enforcer *Datapath, tcpPacket *packet.Packet) {

	appConn, _ := enforcer.tcpClient.Get(tcpPacket.L4FlowHash())
	So(appConn.GetState(), ShouldEqual, connection.TCPSynSend)
}

func CheckAfterNetSynPacket(enforcer *Datapath, tcpPacket, outPacket *packet.Packet) {

	appConn, _ := enforcer.tcpServer.Get(tcpPacket.L4FlowHash())
	So(appConn.GetState(), ShouldEqual, connection.TCPSynReceived)
}

func CheckAfterNetSynAckPacket(t *testing.T, enforcer *Datapath, tcpPacket, outPacket *packet.Packet) {

	netconn, _ := enforcer.tcpClient.Get(outPacket.L4ReverseFlowHash())
	So(netconn.GetState(), ShouldEqual, connection.TCPSynAckReceived)
}

func CheckAfterAppAckPacket(enforcer *Datapath, tcpPacket *packet.Packet) {

	appConn, _ := enforcer.tcpClient.Get(tcpPacket.L4FlowHash())
	So(appConn.GetState(), ShouldEqual, connection.TCPAckSend)
}

func CheckBeforeNetAckPacket(enforcer *Datapath, tcpPacket, outPacket *packet.Packet, isReplay bool) {

	appConn, _ := enforcer.tcpServer.Get(tcpPacket.L4FlowHash())
	if !isReplay {
		So(appConn.GetState(), ShouldEqual, connection.TCPSynAckSend)
	} else {
		So(appConn.GetState(), ShouldBeGreaterThan, connection.TCPSynAckSend)
	}
}

func TestCacheState(t *testing.T) {

	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	defer MockGetUDPRawSocket()()

	Convey("Given I create a new enforcer instance", t, func() {

		enforcer, secrets, mockTokenAccessor, mockCollector, mockDNS := NewWithMocks(ctrl, "serverID", constants.LocalServer, []string{"0.0.0.0/0"}, true)

		secrets.EXPECT().EncodingKey().Return(&ecdsa.PrivateKey{}).AnyTimes()
		mockTokenAccessor.EXPECT().Sign(gomock.Any(), gomock.Any()).Times(2).Return([]byte("token"), nil).AnyTimes()
		mockTokenAccessor.EXPECT().CreateSynPacketToken(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Times(1).Return([]byte("token"), nil).Times(2)
		mockDNS.EXPECT().StartDNSServer(gomock.Any(), gomock.Any(), gomock.Any()).Times(1)
		mockDNS.EXPECT().Enforce(gomock.Any(), gomock.Any(), gomock.Any()).Times(2)
		mockDNS.EXPECT().Unenforce(gomock.Any(), gomock.Any()).Times(1)
		mockDNS.EXPECT().SyncWithPlatformCache(gomock.Any(), gomock.Any()).Times(2)

		contextID := "123"

		puInfo := policy.NewPUInfo(contextID, "/ns1", common.ContainerPU)

		CounterReport := &collector.CounterReport{
			PUID:      puInfo.Policy.ManagementID(),
			Namespace: puInfo.Policy.ManagementNamespace(),
		}
		mockCollector.EXPECT().CollectCounterEvent(MyCounterMatcher(CounterReport)).Times(2)

		// Should fail: Not in cache
		err := enforcer.Unenforce(context.Background(), contextID)
		if err == nil {
			t.Errorf("Expected failure, no contextID in cache")
		}

		ip := policy.ExtendedMap{"bridge": "127.0.0.1"}
		puInfo.Runtime.SetIPAddresses(ip)
		ipl := policy.ExtendedMap{"bridge": "127.0.0.1"}
		puInfo.Policy.SetIPAddresses(ipl)

		ip = policy.ExtendedMap{"bridge": "127.0.0.1"}
		puInfo.Runtime.SetIPAddresses(ip)

		ipl = policy.ExtendedMap{"bridge": "127.0.0.1"}
		puInfo.Policy.SetIPAddresses(ipl)

		// Should  not fail:  IP is valid
		err = enforcer.Enforce(context.Background(), contextID, puInfo)
		if err != nil {
			t.Errorf("Expected no failure %s", err)
		}

		// Should  not fail:  Update
		err = enforcer.Enforce(context.Background(), contextID, puInfo)
		if err != nil {
			t.Errorf("Expected no failure %s", err)
		}

		// Should  not fail:  IP is valid
		err = enforcer.Unenforce(context.Background(), contextID)
		if err != nil {
			t.Errorf("Expected failure, no IP but passed %s", err)
		}
	})
}

func TestDoCreatePU(t *testing.T) {

	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	defer MockGetUDPRawSocket()()

	Convey("Given an initialized enforcer for Linux Processes", t, func() {

		defer MockGetUDPRawSocket()()

		enforcer, secrets, mockTokenAccessor, _, mockDNS := NewWithMocks(ctrl, "serverID", constants.LocalServer, []string{"0.0.0.0/0"}, true)

		secrets.EXPECT().EncodingKey().Return(&ecdsa.PrivateKey{}).AnyTimes()
		mockTokenAccessor.EXPECT().Sign(gomock.Any(), gomock.Any()).Times(1).Return([]byte("token"), nil).AnyTimes()
		mockTokenAccessor.EXPECT().CreateSynPacketToken(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Times(1).Return([]byte("token"), nil)
		mockDNS.EXPECT().StartDNSServer(gomock.Any(), gomock.Any(), gomock.Any()).Times(1)
		mockDNS.EXPECT().Enforce(gomock.Any(), gomock.Any(), gomock.Any()).Times(1)
		mockDNS.EXPECT().SyncWithPlatformCache(gomock.Any(), gomock.Any()).Times(1)

		contextID := "124"
		puInfo := policy.NewPUInfo(contextID, "/ns1", common.LinuxProcessPU)

		spec, _ := portspec.NewPortSpecFromString("80", nil)
		puInfo.Runtime.SetOptions(policy.OptionsType{
			CgroupMark: "100",
			Services: []common.Service{
				{
					Protocol: uint8(6),
					Ports:    spec,
				},
			},
		})

		Convey("When I create a new PU", func() {
			err := enforcer.Enforce(context.Background(), contextID, puInfo)

			Convey("It should succeed", func() {
				So(err, ShouldBeNil)
				_, err := enforcer.puFromContextID.Get(contextID)
				So(err, ShouldBeNil)
				_, err1 := enforcer.puFromMark.Get("100")
				So(err1, ShouldBeNil)
				_, err2 := enforcer.contextIDFromTCPPort.GetSpecValueFromPort(80)
				So(err2, ShouldBeNil)
				So(enforcer.puFromIP, ShouldBeNil)
			})
		})
	})

	Convey("Given an initialized enforcer for Linux Processes", t, func() {

		enforcer, secrets, mockTokenAccessor, _, mockDNS := NewWithMocks(ctrl, "serverID", constants.LocalServer, []string{"0.0.0.0/0"}, true)

		secrets.EXPECT().EncodingKey().Return(&ecdsa.PrivateKey{}).AnyTimes()
		mockTokenAccessor.EXPECT().Sign(gomock.Any(), gomock.Any()).Times(1).Return([]byte("token"), nil).AnyTimes()
		mockTokenAccessor.EXPECT().CreateSynPacketToken(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Times(1).Return([]byte("token"), nil)
		mockDNS.EXPECT().StartDNSServer(gomock.Any(), gomock.Any(), gomock.Any()).Times(1)
		mockDNS.EXPECT().Enforce(gomock.Any(), gomock.Any(), gomock.Any()).Times(1)
		mockDNS.EXPECT().SyncWithPlatformCache(gomock.Any(), gomock.Any()).Times(1)

		contextID := "125"
		puInfo := policy.NewPUInfo(contextID, "/ns1", common.LinuxProcessPU)

		Convey("When I create a new PU without ports or mark", func() {
			err := enforcer.Enforce(context.Background(), contextID, puInfo)

			Convey("It should succeed", func() {
				So(err, ShouldBeNil)
				_, err := enforcer.puFromContextID.Get(contextID)
				So(err, ShouldBeNil)
				So(enforcer.puFromIP, ShouldBeNil)
			})
		})
	})

	Convey("Given an initialized enforcer for remote Linux Containers", t, func() {

		enforcer, secrets, mockTokenAccessor, _, mockDNS := NewWithMocks(ctrl, "serverID", constants.RemoteContainer, []string{"0.0.0.0/0"}, true)

		secrets.EXPECT().EncodingKey().Return(&ecdsa.PrivateKey{}).AnyTimes()
		mockTokenAccessor.EXPECT().Sign(gomock.Any(), gomock.Any()).Times(1).Return([]byte("token"), nil).AnyTimes()
		mockTokenAccessor.EXPECT().CreateSynPacketToken(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Times(1).Return([]byte("token"), nil)
		mockDNS.EXPECT().StartDNSServer(gomock.Any(), gomock.Any(), gomock.Any()).Times(1)
		mockDNS.EXPECT().Enforce(gomock.Any(), gomock.Any(), gomock.Any()).Times(1)
		mockDNS.EXPECT().SyncWithPlatformCache(gomock.Any(), gomock.Any()).Times(1)

		contextID := "126"
		puInfo := policy.NewPUInfo(contextID, "/ns1", common.ContainerPU)

		Convey("When I create a new PU without an IP", func() {
			err := enforcer.Enforce(context.Background(), contextID, puInfo)

			Convey("It should succeed ", func() {
				So(err, ShouldBeNil)
				So(enforcer.puFromIP, ShouldNotBeNil)
			})
		})
	})
}

func TestContextFromIP(t *testing.T) {

	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	Convey("Given an initialized enforcer for Linux Processes", t, func() {

		enforcer, _, _, _, _ := NewWithMocks(ctrl, "serverID", constants.RemoteContainer, []string{"0.0.0.0/0"}, true)

		puInfo := policy.NewPUInfo("SomePU", "/ns", common.ContainerPU)

		context, err := pucontext.NewPU("SomePU", puInfo, nil, 10*time.Second)
		contextID := "AporetoContext"
		So(err, ShouldBeNil)

		Convey("If I try to get context based on IP and its  not there and its a local container it should fail ", func() {
			_, err := enforcer.contextFromIP(true, "", 0, packet.IPProtocolTCP)
			So(err, ShouldNotBeNil)
		})

		Convey("If there is no IP match, it should try the mark for app packets ", func() {
			enforcer.puFromMark.AddOrUpdate("100", context)
			enforcer.mode = constants.LocalServer
			Convey("If the mark exists", func() {
				markVal := strconv.Itoa(100)
				ctx, err := enforcer.contextFromIP(true, markVal, 0, packet.IPProtocolTCP)
				So(err, ShouldBeNil)
				So(ctx, ShouldNotBeNil)
				So(ctx, ShouldEqual, context)
			})

			Convey("If the mark doesn't exist", func() {
				_, err := enforcer.contextFromIP(true, "2000", 0, packet.IPProtocolTCP)
				So(err, ShouldNotBeNil)
			})
		})

		Convey("If there is no IP match, it should try the port for net packets ", func() {
			s, _ := portspec.NewPortSpec(8000, 8000, contextID)
			enforcer.contextIDFromTCPPort.AddPortSpec(s)
			enforcer.puFromContextID.AddOrUpdate(contextID, context)
			enforcer.mode = constants.LocalServer

			Convey("If the port exists", func() {
				ctx, err := enforcer.contextFromIP(false, "", 8000, packet.IPProtocolTCP)
				So(err, ShouldBeNil)
				So(ctx, ShouldNotBeNil)
				So(ctx, ShouldEqual, context)
			})

			Convey("If the port doesn't exist", func() {
				_, err := enforcer.contextFromIP(false, "", 9000, packet.IPProtocolTCP)
				So(err, ShouldNotBeNil)
			})
		})

	})

	Convey("Given an initialized enforcer for HostPU", t, func() {

		enforcer, _, _, _, _ := NewWithMocks(ctrl, "serverID", constants.RemoteContainer, []string{"0.0.0.0/0"}, true)

		puInfo := policy.NewPUInfo("SomeHostPU", "/ns", common.HostPU)

		context, err := pucontext.NewPU("SomeHostPU", puInfo, nil, 10*time.Second)
		So(err, ShouldBeNil)

		enforcer.hostPU = context

		Convey("If I try to get context for app ICMP for HostPU it should succeed ", func() {
			ctx, err := enforcer.contextFromIP(true, "", 0, packet.IPProtocolICMP)
			So(err, ShouldBeNil)
			So(ctx, ShouldNotBeNil)
			So(ctx, ShouldEqual, context)
		})
		Convey("If I try to get context for net ICMP for HostPU it should succeed ", func() {
			ctx, err := enforcer.contextFromIP(false, "", 0, packet.IPProtocolICMP)
			So(err, ShouldBeNil)
			So(ctx, ShouldNotBeNil)
			So(ctx, ShouldEqual, context)
		})
		Convey("If I try to get context for another protocol it should not return host context ", func() {
			_, err := enforcer.contextFromIP(true, "", 0, packet.IPProtocolTCP)
			So(err, ShouldNotBeNil)
		})

	})
}

func TestInvalidPacket(t *testing.T) {

	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	testThePackets := func(enforcer *Datapath) {

		InvalidTCPFlow := [][]byte{
			{ /*0x4a, 0x1d, 0x70, 0xcf, 0xa6, 0xe5, 0xb8, 0xe8, 0x56, 0x32, 0x0b, 0xde, 0x08, 0x00,*/ 0x45, 0x00, 0x00, 0x40, 0xf4, 0x1f, 0x44, 0x00, 0x40, 0x06, 0xa9, 0x6f, 0x0a, 0x01, 0x0a, 0x4c, 0xa4, 0x43, 0xe4, 0x98, 0xe1, 0xa1, 0x00, 0x50, 0x4d, 0xa6, 0xac, 0x48, 0x00, 0x00, 0x00, 0x00, 0xb0, 0x02, 0xff, 0xff, 0x6b, 0x6c, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4, 0x01, 0x03, 0x03, 0x05, 0x01, 0x01, 0x08, 0x0a, 0x1b, 0x4f, 0x37, 0x38, 0x00, 0x00, 0x00, 0x00, 0x04, 0x02, 0x00, 0x00, 0x4a, 0x1d, 0x70, 0xcf},
		}

		for _, p := range InvalidTCPFlow {
			tcpPacket, err := packet.New(0, p, "0", true)
			So(err, ShouldBeNil)
			_, err = enforcer.processApplicationTCPPackets(tcpPacket)
			So(err, ShouldBeNil)
			output := make([]byte, len(tcpPacket.GetTCPBytes()))
			copy(output, tcpPacket.GetTCPBytes())
			outpacket, err := packet.New(0, output, "0", true)
			So(err, ShouldBeNil)
			//Detach the data and parse token should fail
			outpacket.TCPDataDetach(binary.BigEndian.Uint16([]byte{0x0, p[32]})/4 - 20)
			So(err, ShouldBeNil)
			_, _, err = enforcer.processNetworkTCPPackets(outpacket)
			So(err, ShouldNotBeNil)
		}

	}

	flowRecord := CreateFlowRecord(1, testSrcIP, testDstIP, 666, 80, policy.Reject|policy.Log, collector.MissingToken)

	Convey("When the mode is RemoteConainter", t, func() {

		enforcer, mockCollector := createEnforcerWithPolicy(ctrl, constants.RemoteContainer)
		mockCollector.EXPECT().CollectFlowEvent(MyMatcher(&flowRecord)).Times(1)
		testThePackets(enforcer)

	})

	Convey("When the mode is LocalServer", t, func() {

		enforcer, mockCollector := createEnforcerWithPolicy(ctrl, constants.LocalServer)
		mockCollector.EXPECT().CollectFlowEvent(MyMatcher(&flowRecord)).Times(1)
		testThePackets(enforcer)

	})
}

func TestFlowReportingInvalidSyn(t *testing.T) {

	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	testThePackets := func(enforcer *Datapath) {

		SIP := net.IPv4zero
		packetDiffers := false

		PacketFlow := packetgen.NewTemplateFlow()
		_, err := PacketFlow.GenerateTCPFlow(packetgen.PacketFlowTypeGoodFlowTemplate)
		So(err, ShouldBeNil)
		for i := 0; i < PacketFlow.GetSynPackets().GetNumPackets(); i++ {

			start, err := PacketFlow.GetSynPackets().GetNthPacket(i).ToBytes()
			So(err, ShouldBeNil)
			oldPacket, err := packet.New(0, start, "0", true)
			if err == nil && oldPacket != nil {
				oldPacket.UpdateIPv4Checksum()
				oldPacket.UpdateTCPChecksum()
			}

			input, err := PacketFlow.GetSynPackets().GetNthPacket(i).ToBytes()
			So(err, ShouldBeNil)
			tcpPacket, err := packet.New(0, input, "0", true)
			if err == nil && tcpPacket != nil {
				tcpPacket.UpdateIPv4Checksum()
				tcpPacket.UpdateTCPChecksum()
			}

			if debug {
				fmt.Println("Input packet", i)
				tcpPacket.Print(0, false)
			}

			So(err, ShouldBeNil)
			So(tcpPacket, ShouldNotBeNil)

			if reflect.DeepEqual(SIP, net.IPv4zero) {
				SIP = tcpPacket.SourceAddress()
			}
			if !reflect.DeepEqual(SIP, tcpPacket.DestinationAddress()) &&
				!reflect.DeepEqual(SIP, tcpPacket.SourceAddress()) {
				t.Error("Invalid Test Packet")
			}

			if debug {
				fmt.Println("Intermediate packet", i)
				tcpPacket.Print(0, false)
			}

			output := make([]byte, len(tcpPacket.GetTCPBytes()))
			copy(output, tcpPacket.GetTCPBytes())

			outPacket, errp := packet.New(0, output, "0", true)
			So(len(tcpPacket.GetTCPBytes()), ShouldBeLessThanOrEqualTo, len(outPacket.GetTCPBytes()))
			So(errp, ShouldBeNil)
			_, _, err = enforcer.processNetworkTCPPackets(outPacket)
			So(err, ShouldNotBeNil)

			if debug {
				fmt.Println("Output packet", i)
				outPacket.Print(0, false)
			}

			if !reflect.DeepEqual(oldPacket.GetTCPBytes(), outPacket.GetTCPBytes()) {
				packetDiffers = true
				fmt.Println("Error: packets dont match")
				fmt.Println("Input Packet")
				oldPacket.Print(0, false)
				fmt.Println("Output Packet")
				outPacket.Print(0, false)
				t.Errorf("Packet %d Input and output packet do not match", i)
				t.FailNow()
			}
		}

		Convey("Then I expect all the input and output packets (after encoding and decoding) to be same", func() {

			So(packetDiffers, ShouldEqual, false)
		})
	}

	flowRecord := CreateFlowRecord(1, testSrcIP, testDstIP, 666, 80, policy.Reject|policy.Log, collector.MissingToken)

	Convey("When the mode is RemoteConainter", t, func() {

		enforcer, mockCollector := createEnforcerWithPolicy(ctrl, constants.RemoteContainer)
		mockCollector.EXPECT().CollectFlowEvent(MyMatcher(&flowRecord)).Times(1)
		testThePackets(enforcer)

	})

	Convey("When the mode is LocalServer", t, func() {

		enforcer, mockCollector := createEnforcerWithPolicy(ctrl, constants.LocalServer)
		mockCollector.EXPECT().CollectFlowEvent(MyMatcher(&flowRecord)).Times(1)
		testThePackets(enforcer)

	})
}

func TestFlowReportingUptoInvalidSynAck(t *testing.T) {

	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	testThePackets := func(enforcer *Datapath) {

		SIP := net.IPv4zero
		packetDiffers := false

		PacketFlow := packetgen.NewTemplateFlow()
		_, err := PacketFlow.GenerateTCPFlow(packetgen.PacketFlowTypeGoodFlowTemplate)
		So(err, ShouldBeNil)
		for i := 0; i < PacketFlow.GetUptoFirstSynAckPacket().GetNumPackets(); i++ {
			start, err := PacketFlow.GetUptoFirstSynAckPacket().GetNthPacket(i).ToBytes()
			So(err, ShouldBeNil)

			oldPacket, err := packet.New(0, start, "0", true)
			if err == nil && oldPacket != nil {
				oldPacket.UpdateIPv4Checksum()
				oldPacket.UpdateTCPChecksum()
			}
			input, err := PacketFlow.GetUptoFirstSynAckPacket().GetNthPacket(i).ToBytes()
			So(err, ShouldBeNil)
			tcpPacket, err := packet.New(0, input, "0", true)
			if err == nil && tcpPacket != nil {
				tcpPacket.UpdateIPv4Checksum()
				tcpPacket.UpdateTCPChecksum()
			}

			if debug {
				fmt.Println("Input packet", i)
				tcpPacket.Print(0, false)
			}

			So(err, ShouldBeNil)
			So(tcpPacket, ShouldNotBeNil)

			if reflect.DeepEqual(SIP, net.IPv4zero) {
				SIP = tcpPacket.SourceAddress()
			}

			if !reflect.DeepEqual(SIP, tcpPacket.DestinationAddress()) &&
				!reflect.DeepEqual(SIP, tcpPacket.SourceAddress()) {
				t.Error("Invalid Test Packet")
			}
			if PacketFlow.GetNthPacket(i).GetTCPSyn() && !PacketFlow.GetNthPacket(i).GetTCPAck() {
				_, err = enforcer.processApplicationTCPPackets(tcpPacket)

				So(err, ShouldBeNil)
			}

			if debug {
				fmt.Println("Intermediate packet", i)
				tcpPacket.Print(0, false)
			}

			output := make([]byte, len(tcpPacket.GetTCPBytes()))
			copy(output, tcpPacket.GetTCPBytes())

			outPacket, errp := packet.New(0, output, "0", true)
			So(len(tcpPacket.GetTCPBytes()), ShouldBeLessThanOrEqualTo, len(outPacket.GetTCPBytes()))
			So(errp, ShouldBeNil)

			if PacketFlow.GetNthPacket(i).GetTCPSyn() && !PacketFlow.GetNthPacket(i).GetTCPAck() {
				_, _, err = enforcer.processNetworkTCPPackets(outPacket)
				So(err, ShouldBeNil)
			}
			if PacketFlow.GetNthPacket(i).GetTCPSyn() && PacketFlow.GetNthPacket(i).GetTCPAck() {
				_, _, err = enforcer.processNetworkTCPPackets(outPacket)
				So(err, ShouldNotBeNil)
			}

			if debug {
				fmt.Println("Output packet", i)
				outPacket.Print(0, false)
			}

			if !reflect.DeepEqual(oldPacket.GetTCPBytes(), outPacket.GetTCPBytes()) {
				packetDiffers = true
				fmt.Println("Error: packets dont match")
				fmt.Println("Input Packet")
				oldPacket.Print(0, false)
				fmt.Println("Output Packet")
				outPacket.Print(0, false)
				t.Errorf("Packet %d Input and output packet do not match", i)
				t.FailNow()
			}
		}

		Convey("Then I expect all the input and output packets (after encoding and decoding) to be same", func() {

			So(packetDiffers, ShouldEqual, false)
		})
	}

	flowRecord := CreateFlowRecord(1, testSrcIP, testDstIP, 666, 80, policy.Reject|policy.Log, "policy")

	Convey("When the mode is RemoteConainter", t, func() {

		enforcer, mockCollector := createEnforcerWithPolicy(ctrl, constants.RemoteContainer)
		mockCollector.EXPECT().CollectFlowEvent(MyMatcher(&flowRecord)).Times(1)
		testThePackets(enforcer)

	})

	Convey("When the mode is LocalServer", t, func() {

		enforcer, mockCollector := createEnforcerWithPolicy(ctrl, constants.LocalServer)
		mockCollector.EXPECT().CollectFlowEvent(MyMatcher(&flowRecord)).Times(1)
		testThePackets(enforcer)

	})
}

func TestForPacketsWithRandomFlags(t *testing.T) {

	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	debug = true

	defer MockGetUDPRawSocket()()

	testThePackets := func(enforcer *Datapath) {

		PacketFlow := packetgen.NewPacketFlow("aa:ff:aa:ff:aa:ff", "ff:aa:ff:aa:ff:aa", testSrcIP, testDstIP, 666, 80)
		_, err := PacketFlow.GenerateTCPFlow(packetgen.PacketFlowTypeGenerateGoodFlow)
		So(err, ShouldBeNil)

		count := PacketFlow.GetNumPackets()
		for i := 0; i < count; i++ {
			//Setting random TCP flags for all the packets
			PacketFlow.GetNthPacket(i).SetTCPCwr()
			PacketFlow.GetNthPacket(i).SetTCPPsh()
			PacketFlow.GetNthPacket(i).SetTCPEce()
			input, err := PacketFlow.GetNthPacket(i).ToBytes()
			So(err, ShouldBeNil)
			tcpPacket, err := packet.New(0, input, "0", true)
			if err == nil && tcpPacket != nil {
				tcpPacket.UpdateIPv4Checksum()
				tcpPacket.UpdateTCPChecksum()
			}

			if debug {
				fmt.Println("Input packet", i)
				tcpPacket.Print(0, false)
			}

			So(err, ShouldBeNil)
			So(tcpPacket, ShouldNotBeNil)

			SIP := tcpPacket.SourceAddress()

			if !reflect.DeepEqual(SIP, tcpPacket.DestinationAddress()) &&
				!reflect.DeepEqual(SIP, tcpPacket.SourceAddress()) {
				t.Error("Invalid Test Packet")
			}

			_, err = enforcer.processApplicationTCPPackets(tcpPacket)
			So(err, ShouldBeNil)

			if debug {
				fmt.Println("Intermediate packet", i)
				tcpPacket.Print(0, false)
			}

			output := make([]byte, len(tcpPacket.GetTCPBytes()))
			copy(output, tcpPacket.GetTCPBytes())

			outPacket, errp := packet.New(0, output, "0", true)
			So(len(tcpPacket.GetTCPBytes()), ShouldBeLessThanOrEqualTo, len(outPacket.GetTCPBytes()))
			So(errp, ShouldBeNil)

			_, f, err := enforcer.processNetworkTCPPackets(outPacket)
			if f != nil {
				f()
			}

			So(err, ShouldBeNil)

			if debug {
				fmt.Println("Output packet ", i)
				outPacket.Print(0, false)
			}
		}
	}

	flowRecord := CreateFlowRecord(1, testSrcIP, testDstIP, 666, 80, policy.Accept, "")

	Convey("When the mode is RemoteConainter", t, func() {

		enforcer, mockCollector := createEnforcerWithPolicy(ctrl, constants.RemoteContainer)
		mockCollector.EXPECT().CollectFlowEvent(MyMatcher(&flowRecord)).Times(1)
		testThePackets(enforcer)

	})

	Convey("When the mode is LocalServer", t, func() {

		enforcer, mockCollector := createEnforcerWithPolicy(ctrl, constants.LocalServer)
		mockCollector.EXPECT().CollectFlowEvent(MyMatcher(&flowRecord)).Times(1)
		testThePackets(enforcer)
	})
}

func TestPUPortCreation(t *testing.T) {

	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	Convey("Given I setup an enforcer", t, func() {

		defer MockGetUDPRawSocket()()

		enforcer, secrets, mockTokenAccessor, _, mockDNS := NewWithMocks(ctrl, "serverID1", constants.LocalServer, []string{"0.0.0.0/0"}, true)
		if enforcer == nil { // This avoids lint error SA5011: possible nil pointer dereference (staticcheck)
			So(enforcer != nil, ShouldBeTrue)
			return
		}

		enforcer.packetLogs = true

		secrets.EXPECT().EncodingKey().Return(&ecdsa.PrivateKey{}).AnyTimes()
		mockTokenAccessor.EXPECT().Sign(gomock.Any(), gomock.Any()).Times(1).Return([]byte("token"), nil).AnyTimes()
		mockTokenAccessor.EXPECT().CreateSynPacketToken(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Times(1).Return([]byte("token"), nil)

		contextID := "1001"
		puInfo := policy.NewPUInfo(contextID, "/ns1", common.LinuxProcessPU)
		puInfo.Runtime.SetOptions(policy.OptionsType{
			CgroupMark: "100",
		})

		mockDNS.EXPECT().StartDNSServer(gomock.Any(), contextID, gomock.Any()).Times(1)
		mockDNS.EXPECT().Enforce(gomock.Any(), contextID, puInfo)
		mockDNS.EXPECT().SyncWithPlatformCache(gomock.Any(), gomock.Any()).Times(1)

		enforcer.Enforce(context.Background(), contextID, puInfo) // nolint
	})
}

func TestCollectTCPPacket(t *testing.T) {

	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	Convey("Given I setup an enforcer", t, func() {

		enforcer, secrets, mockTokenAccessor, mockCollector, _ := NewWithMocks(ctrl, "serverID1", constants.RemoteContainer, []string{"0.0.0.0/0"}, true)
		So(enforcer != nil, ShouldBeTrue)

		secrets.EXPECT().EncodingKey().Return(&ecdsa.PrivateKey{}).AnyTimes()
		mockTokenAccessor.EXPECT().Sign(gomock.Any(), gomock.Any()).Times(1).Return([]byte("token"), nil).AnyTimes()
		mockTokenAccessor.EXPECT().CreateSynPacketToken(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Times(1).Return([]byte("token"), nil)

		contextID := "dummy"
		_, err := CreatePUContext(enforcer, contextID, "/ns1", common.ContainerPU, mockTokenAccessor)
		So(err, ShouldBeNil)

		tcpPacket, err := newPacket(1, packet.TCPSynMask, testSrcIP, testDstIP, srcPort, dstPort, true, false)
		So(err, ShouldBeNil)

		Convey("We setup tcp network packet tracing for this pu with incomplete state", func() {
			interval := 10 * time.Second
			err := enforcer.EnableDatapathPacketTracing(context.TODO(), contextID, packettracing.NetworkOnly, interval)
			So(err, ShouldBeNil)
			packetreport := collector.PacketReport{
				DestinationIP: tcpPacket.DestinationAddress().String(),
				SourceIP:      tcpPacket.SourceAddress().String(),
			}
			mockCollector.EXPECT().CollectPacketEvent(PacketEventMatcher(&packetreport)).Times(0)
			enforcer.collectTCPPacket(&debugpacketmessage{
				Mark:    10,
				p:       tcpPacket,
				tcpConn: nil,
				udpConn: nil,
				err:     nil,
				network: true,
			})
		})
		Convey("We setup tcp network packet tracing for this pu with tcpConn != nil state", func() {
			interval := 10 * time.Second
			err := enforcer.EnableDatapathPacketTracing(context.TODO(), contextID, packettracing.NetworkOnly, interval)
			So(err, ShouldBeNil)
			packetreport := collector.PacketReport{
				DestinationIP: tcpPacket.DestinationAddress().String(),
				SourceIP:      tcpPacket.SourceAddress().String(),
			}
			context, _ := enforcer.puFromContextID.Get(contextID)
			tcpConn := connection.NewTCPConnection(context.(*pucontext.PUContext), nil)

			mockCollector.EXPECT().CollectPacketEvent(PacketEventMatcher(&packetreport)).Times(1)
			enforcer.collectTCPPacket(&debugpacketmessage{
				Mark:    10,
				p:       tcpPacket,
				tcpConn: tcpConn,
				udpConn: nil,
				err:     nil,
				network: true,
			})
		})
		Convey("We setup tcp network packet tracing for this pu with tcpConn != nil and inject application packet", func() {
			interval := 10 * time.Second
			err := enforcer.EnableDatapathPacketTracing(context.TODO(), contextID, packettracing.NetworkOnly, interval)
			So(err, ShouldBeNil)
			packetreport := collector.PacketReport{
				DestinationIP: tcpPacket.DestinationAddress().String(),
				SourceIP:      tcpPacket.SourceAddress().String(),
			}
			context, _ := enforcer.puFromContextID.Get(contextID)
			tcpConn := connection.NewTCPConnection(context.(*pucontext.PUContext), nil)
			mockCollector.EXPECT().CollectPacketEvent(PacketEventMatcher(&packetreport)).Times(0)
			enforcer.collectTCPPacket(&debugpacketmessage{
				Mark:    10,
				p:       tcpPacket,
				tcpConn: tcpConn,
				udpConn: nil,
				err:     nil,
				network: false,
			})
		})

	})
}

func TestEnableDatapathPacketTracing(t *testing.T) {

	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	Convey("Given I setup an enforcer", t, func() {

		enforcer, secrets, mockTokenAccessor, _, _ := NewWithMocks(ctrl, "serverID1", constants.RemoteContainer, []string{"0.0.0.0/0"}, true)
		if enforcer == nil { // This avoids lint error SA5011: possible nil pointer dereference (staticcheck)
			So(enforcer != nil, ShouldBeTrue)
			return
		}

		secrets.EXPECT().EncodingKey().Return(&ecdsa.PrivateKey{}).AnyTimes()
		mockTokenAccessor.EXPECT().Sign(gomock.Any(), gomock.Any()).Times(1).Return([]byte("token"), nil).AnyTimes()
		mockTokenAccessor.EXPECT().CreateSynPacketToken(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Times(1).Return([]byte("token"), nil)

		contextID := "dummy"
		_, err := CreatePUContext(enforcer, contextID, "/ns1", common.ContainerPU, mockTokenAccessor)
		So(err, ShouldBeNil)

		err = enforcer.EnableDatapathPacketTracing(context.TODO(), contextID, packettracing.ApplicationOnly, 10*time.Second)
		So(err, ShouldBeNil)
		_, err = enforcer.packetTracingCache.Get(contextID)
		So(err, ShouldBeNil)
	})
}

func Test_CheckCounterCollection(t *testing.T) {
	ctrl := gomock.NewController(t)
	defer ctrl.Finish()
	collectCounterInterval = 1 * time.Second
	Convey("Given I setup an enforcer", t, func() {

		Convey("So When enforcer exits", func() {

			enforcer, secrets, mockTokenAccessor, mockCollector, _ := NewWithMocks(ctrl, "serverID1", constants.RemoteContainer, []string{"0.0.0.0/0"}, true)
			So(enforcer != nil, ShouldBeTrue)

			secrets.EXPECT().EncodingKey().Return(&ecdsa.PrivateKey{}).AnyTimes()
			mockTokenAccessor.EXPECT().Sign(gomock.Any(), gomock.Any()).Times(1).Return([]byte("token"), nil).AnyTimes()
			mockTokenAccessor.EXPECT().CreateSynPacketToken(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Times(1).Return([]byte("token"), nil)

			puContext, err := CreatePUContext(enforcer, "dummy", "/ns1", common.ContainerPU, mockTokenAccessor)
			So(err, ShouldBeNil)

			CounterReport := &collector.CounterReport{
				PUID:      puContext.ManagementID(),
				Namespace: puContext.ManagementNamespace(),
			}
			mockCollector.EXPECT().CollectCounterEvent(MyCounterMatcher(CounterReport)).MinTimes(1)

			ctx, cancel := context.WithCancel(context.Background())
			go enforcer.counterCollector(ctx)

			puErr := puContext.Counters().CounterError((counters.ErrNonPUTraffic), fmt.Errorf("error"))

			So(puErr, ShouldNotBeNil)
			cancel()
		})

		Convey("So When enforer exits and waits for stuff to exit", func() {
			enforcer, secrets, mockTokenAccessor, mockCollector, _ := NewWithMocks(ctrl, "serverID1", constants.RemoteContainer, []string{"0.0.0.0/0"}, true)
			So(enforcer != nil, ShouldBeTrue)

			secrets.EXPECT().EncodingKey().Return(&ecdsa.PrivateKey{}).AnyTimes()
			mockTokenAccessor.EXPECT().Sign(gomock.Any(), gomock.Any()).Times(1).Return([]byte("token"), nil).AnyTimes()
			mockTokenAccessor.EXPECT().CreateSynPacketToken(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Times(1).Return([]byte("token"), nil)

			puContext, err := CreatePUContext(enforcer, "dummy", "/ns1", common.ContainerPU, mockTokenAccessor)
			So(err, ShouldBeNil)

			c := &collector.CounterReport{
				PUID:      puContext.ManagementID(),
				Namespace: puContext.ManagementNamespace(),
			}

			mockCollector.EXPECT().CollectCounterEvent(MyCounterMatcher(c)).MinTimes(1)

			ctx, cancel := context.WithCancel(context.Background())
			go enforcer.counterCollector(ctx)

			puErr := puContext.Counters().CounterError(counters.ErrNonPUTraffic, fmt.Errorf("error"))

			So(puErr, ShouldNotBeNil)
			cancel()
			<-time.After(5 * time.Second)

		})
		Convey("So When an error is reported and the enforcer waits for collection interval", func() {
			enforcer, secrets, mockTokenAccessor, mockCollector, _ := NewWithMocks(ctrl, "serverID1", constants.RemoteContainer, []string{"0.0.0.0/0"}, true)
			So(enforcer != nil, ShouldBeTrue)

			secrets.EXPECT().EncodingKey().Return(&ecdsa.PrivateKey{}).AnyTimes()
			mockTokenAccessor.EXPECT().Sign(gomock.Any(), gomock.Any()).Times(1).Return([]byte("token"), nil).AnyTimes()
			mockTokenAccessor.EXPECT().CreateSynPacketToken(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Times(1).Return([]byte("token"), nil)

			puContext, err := CreatePUContext(enforcer, "dummy", "/ns1", common.ContainerPU, mockTokenAccessor)
			So(err, ShouldBeNil)

			c := &collector.CounterReport{
				PUID:      puContext.ManagementID(),
				Namespace: puContext.ManagementNamespace(),
			}

			mockCollector.EXPECT().CollectCounterEvent(MyCounterMatcher(c)).MinTimes(1)

			ctx, cancel := context.WithCancel(context.Background())
			go enforcer.counterCollector(ctx)
			puErr := puContext.Counters().CounterError(counters.ErrNonPUTraffic, fmt.Errorf("error"))
			So(puErr, ShouldNotBeNil)
			<-time.After(5 * collectCounterInterval)
			cancel()

		})

	})
}

func Test_CounterReportedOnAuthSetAppSyn(t *testing.T) {
	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	Convey("Given I setup an enforcer", t, func() {

		enforcer, secrets, mockTokenAccessor, _, _ := NewWithMocks(ctrl, "serverID1", constants.RemoteContainer, []string{"0.0.0.0/0"}, true)
		So(enforcer != nil, ShouldBeTrue)

		secrets.EXPECT().EncodingKey().Return(&ecdsa.PrivateKey{}).AnyTimes()
		mockTokenAccessor.EXPECT().Sign(gomock.Any(), gomock.Any()).Times(1).Return([]byte("token"), nil).AnyTimes()
		mockTokenAccessor.EXPECT().CreateSynPacketToken(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Times(1).Return([]byte("token"), nil)
		mockTokenAccessor.EXPECT().Randomize(gomock.Any(), gomock.Any()).Times(2)

		context, err := CreatePUContext(enforcer, "dummy", "/ns1", common.ContainerPU, mockTokenAccessor)
		So(err, ShouldBeNil)

		p, err := newPacket(packet.PacketTypeApplication, packet.TCPSynMask, "1.1.1.1", "2.2.2.2", srcPort, dstPort, false, false)
		So(err, ShouldBeNil)
		conn := connection.NewTCPConnection(context, p)
		err = enforcer.processApplicationSynPacket(p, context, conn)
		So(err, ShouldBeNil)

		c := conn.Context.Counters().GetErrorCounters()
		So(c[counters.ErrAppSynAuthOptionSet], ShouldBeZeroValue)

		p, err = newPacket(packet.PacketTypeApplication, packet.TCPSynMask, "1.1.1.1", "2.2.2.2", srcPort, dstPort, true, false)
		So(err, ShouldBeNil)
		conn = connection.NewTCPConnection(context, p)
		err = enforcer.processApplicationSynPacket(p, context, conn)
		So(err, ShouldBeNil)

		c = conn.Context.Counters().GetErrorCounters()
		So(c[counters.ErrAppSynAuthOptionSet], ShouldEqual, 1)
	})
}

func Test_CounterOnSynCacheTimeout(t *testing.T) {

	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	Convey("Given I setup an enforcer", t, func() {

		enforcer, secrets, mockTokenAccessor, _, _ := NewWithMocks(ctrl, "serverID1", constants.RemoteContainer, []string{"0.0.0.0/0"}, true)
		if enforcer == nil { // This avoids lint error SA5011: possible nil pointer dereference (staticcheck)
			So(enforcer != nil, ShouldBeTrue)
			return
		}

		secrets.EXPECT().EncodingKey().Return(&ecdsa.PrivateKey{}).AnyTimes()
		mockTokenAccessor.EXPECT().Sign(gomock.Any(), gomock.Any()).Times(1).Return([]byte("token"), nil).AnyTimes()
		mockTokenAccessor.EXPECT().CreateSynPacketToken(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Times(1).Return([]byte("token"), nil)
		mockTokenAccessor.EXPECT().Randomize(gomock.Any(), gomock.Any()).Times(1)

		context, err := CreatePUContext(enforcer, "dummy", "/ns1", common.ContainerPU, mockTokenAccessor)
		So(err, ShouldBeNil)

		p, err := newPacket(packet.PacketTypeApplication, packet.TCPSynMask, "1.1.1.1", "2.2.2.2", srcPort, dstPort, false, false)
		So(err, ShouldBeNil)

		// Update the connection timer for testing.
		conn := connection.NewTCPConnection(context, p)
		conn.ChangeConnectionTimeout(2 * time.Second)

		err = enforcer.processApplicationSynPacket(p, context, conn)
		So(err, ShouldBeNil)

		c := conn.Context.Counters().GetErrorCounters()
		So(c[counters.ErrTCPConnectionsExpired], ShouldBeZeroValue)

		// Wait for the connection to expire.
		time.Sleep(3 * time.Second)
		_, exists := enforcer.tcpClient.Get(p.L4FlowHash())
		if exists {
			t.Fail()
		}

		c = conn.Context.Counters().GetErrorCounters()
		So(c[counters.ErrTCPConnectionsExpired], ShouldEqual, 1)
	})
}

func Test_NOClaims(t *testing.T) {
	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	Convey("Given I setup an enforcer", t, func() {

		enforcer, _, _, mockCollector, _ := NewWithMocks(ctrl, "serverID1", constants.RemoteContainer, []string{"0.0.0.0/0"}, true)
		So(enforcer != nil, ShouldBeTrue)

		flowRecord := CreateFlowRecord(1, "1.1.1.1", "2.2.2.2", 2000, 80, policy.Reject|policy.Log, collector.PolicyDrop)
		mockCollector.EXPECT().CollectFlowEvent(MyMatcher(&flowRecord)).Times(1)

		context, err := CreatePUContext(enforcer, "dummy", "/ns1", common.ContainerPU, nil)
		So(err, ShouldBeNil)

		p, err := newPacket(packet.PacketTypeNetwork, packet.TCPSynAckMask, "2.2.2.2", "1.1.1.1", dstPort, srcPort, true, false)
		So(err, ShouldBeNil)

		conn := connection.NewTCPConnection(context, p)

		_, err = enforcer.processNetworkSynAckPacket(context, conn, p)
		So(err, ShouldNotBeNil)
	})
}

func newPacket(context uint64, tcpFlags uint8, src, dst string, srcPort, desPort uint16, addOptions bool, addPayload bool) (*packet.Packet, error) { //nolint

	p, err := packet.NewIpv4TCPPacket(context, tcpFlags, src, dst, srcPort, dstPort)
	if err != nil {
		return nil, err
	}

	p.SetTCPSeq(rand.Uint32())

	if addOptions {
		options := []byte{2 /*Maximum Segment Size*/, 4, 0x05, 0x8C, 34, enforcerconstants.TCPAuthenticationOptionBaseLen, 0, 0}
		buffer := append(p.GetBuffer(0), options...)
		err = p.UpdatePacketBuffer(buffer, uint16(len(options)))
	}

	if addPayload {
		buffer := append(p.GetBuffer(0), []byte("dummy payload")...)
		err = p.UpdatePacketBuffer(buffer, 0)
	}

	return p, err
}

func TestCheckConnectionDeletion(t *testing.T) {

	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	Convey("Given I setup an enforcer", t, func() {

		enforcer, secrets, mockTokenAccessor, _, _ := NewWithMocks(ctrl, "serverID1", constants.RemoteContainer, []string{"0.0.0.0/0"}, true)

		secrets.EXPECT().TransmittedKey().Return([]byte("dummy")).AnyTimes()
		secrets.EXPECT().EncodingKey().Return(&ecdsa.PrivateKey{}).AnyTimes()
		mockTokenAccessor.EXPECT().Sign(gomock.Any(), gomock.Any()).Times(1).Return([]byte("token"), nil).AnyTimes()
		mockTokenAccessor.EXPECT().CreateSynPacketToken(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Times(1).Return([]byte("token"), nil)

		err := CreatePortPolicy(enforcer, "dummy", "/ns1", common.ContainerPU, mockTokenAccessor, "2", dstPort, dstPort)
		So(err, ShouldBeNil)

		tcpPacket, err := newPacket(1, packet.TCPSynMask, testSrcIP, testDstIP, srcPort, dstPort, true, false)
		So(err, ShouldBeNil)

		conn := &connection.TCPConnection{
			ServiceConnection: true,
			MarkForDeletion:   true,
		}

		hash := tcpPacket.L4FlowHash()
		enforcer.tcpClient.Put(hash, conn)

		tcpPacket.Mark = "2"

		conn1, err := enforcer.appSynRetrieveState(tcpPacket)
		So(err, ShouldBeNil)
		So(conn1.MarkForDeletion, ShouldBeFalse)

		enforcer.tcpServer.Put(hash, conn)
		_, err = enforcer.netSynRetrieveState(tcpPacket)
		So(err, ShouldBeNil)

		tcpSynAckPacket, err := newPacket(1, packet.TCPSynAckMask, testDstIP, testSrcIP, dstPort, srcPort, true, false)
		So(err, ShouldBeNil)

		_, err = enforcer.netSynAckRetrieveState(tcpSynAckPacket)
		So(err, ShouldNotBeNil)
		ShouldEqual(err, errNonPUTraffic)
	})
}

func TestNetSynRetrieveState(t *testing.T) {

	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	// Testing datapath.netSynRetrieveState
	// There are 4 different code branches in this functions

	Convey("Given I setup an enforcer", t, func() {

		defer MockGetUDPRawSocket()()

		enforcer, secrets, mockTokenAccessor, _, _ := NewWithMocks(ctrl, "serverID1", constants.LocalServer, []string{"0.0.0.0/0"}, true)

		secrets.EXPECT().TransmittedKey().Return([]byte("dummy")).AnyTimes()
		secrets.EXPECT().EncodingKey().Return(&ecdsa.PrivateKey{}).AnyTimes()
		mockTokenAccessor.EXPECT().Sign(gomock.Any(), gomock.Any()).Times(1).Return([]byte("token"), nil).AnyTimes()
		mockTokenAccessor.EXPECT().CreateSynPacketToken(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Times(1).Return([]byte("token"), nil)

		err := CreatePortPolicy(enforcer, "123456", "/ns1", common.LinuxProcessPU, mockTokenAccessor, "2", 9000, 9000)
		So(err, ShouldBeNil)

		// Test the error case
		p, err := packet.NewIpv4TCPPacket(1, 0x2, "127.0.0.1", "127.0.0.1", 43758, 8000)
		So(err, ShouldBeNil)
		_, err = enforcer.netSynRetrieveState(p)
		So(err, ShouldNotBeNil)

		p, err = packet.NewIpv4TCPPacket(1, 0x2, "127.0.0.1", "127.0.0.1", 43758, 9000)
		So(err, ShouldBeNil)

		conn, err := enforcer.netSynRetrieveState(p)
		So(err, ShouldBeNil)

		enforcer.tcpServer.Put(p.L4FlowHash(), conn)

		So(conn.GetInitialSequenceNumber(), ShouldEqual, p.TCPSequenceNumber())
		Convey("I retry the same packet", func() {
			retryconn, err := enforcer.netSynRetrieveState(p)
			assert.Equal(t, err, nil, "error should be nil")
			assert.Equal(t, retryconn, conn, "connection should be same")
		})
		Convey("Then i modify the sequence number and retry the packet", func() {
			p.IncreaseTCPSeq(10)
			conn1, err := enforcer.netSynRetrieveState(p)
			So(err, ShouldBeNil)
			So(conn1.GetInitialSequenceNumber(), ShouldNotEqual, conn.GetInitialSequenceNumber())
			_, exists := enforcer.tcpServer.Get(p.L4FlowHash())
			if exists {
				t.Fail()
			}
		})

	})
}

func TestAppSynRetrieveState(t *testing.T) {

	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	// Testing datapath.appSynRetrieveState
	// There are 4 different code branches in the function

	Convey("Given I setup an enforcer", t, func() {

		defer MockGetUDPRawSocket()()

		enforcer, _, _, _, _ := NewWithMocks(ctrl, "serverID1", constants.LocalServer, []string{"0.0.0.0/0"}, true)

		err := CreatePortPolicy(enforcer, "testContextID", "/ns1", common.LinuxProcessPU, nil, "2", 9000, 9000)
		So(err, ShouldBeNil)

		// Create a Syn packet
		p, err := packet.NewIpv4TCPPacket(1, 0x2, "127.0.0.1", "127.0.0.1", 43758, 9000)
		So(err, ShouldBeNil)

		// The error case "PU context doesn't exist for this syn, return error"
		_, err = enforcer.appSynRetrieveState(p)
		So(err, ShouldNotBeNil)

		p.Mark = "2"

		conn, err := enforcer.appSynRetrieveState(p)
		So(err, ShouldBeNil)

		enforcer.tcpClient.Put(p.L4FlowHash(), conn)

		Convey("I replay the same packet", func() {
			retryconn, err := enforcer.appSynRetrieveState(p)
			So(err, ShouldBeNil)
			So(retryconn, ShouldNotBeNil)

		})
		Convey("I modify the sequence number and retransmit the packet", func() {
			p.IncreaseTCPSeq(10)
			retryconn, err := enforcer.appSynRetrieveState(p)
			So(retryconn, ShouldNotBeNil)
			So(err, ShouldBeNil)
			_, exists := enforcer.tcpClient.Get(p.L4FlowHash())
			if exists {
				t.Fail()
			}
		})
	})
}

func TestAppSynAckRetrieveState(t *testing.T) {

	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	// Testing datapath.appSynAckRetrieveState
	// There are 2 different code branches in this functions

	Convey("Given I setup an enforcer", t, func() {

		defer MockGetUDPRawSocket()()

		enforcer, _, _, _, _ := NewWithMocks(ctrl, "serverID1", constants.LocalServer, []string{"0.0.0.0/0"}, true)

		// Create a SynAck packet
		p, err := packet.NewIpv4TCPPacket(1, packet.TCPSynAckMask, "127.0.0.1", "127.0.0.1", 43758, 9000)
		So(err, ShouldBeNil)

		// The error case when nothing is in the cache
		_, err = enforcer.appSynAckRetrieveState(p)
		So(err, ShouldNotBeNil)

		// add connection to the cache
		enforcer.tcpServer.Put(p.L4ReverseFlowHash(), &connection.TCPConnection{})

		// Should be in the cache
		conn, err := enforcer.appSynAckRetrieveState(p)
		So(err, ShouldBeNil)
		So(conn, ShouldNotBeNil)
	})
}

func TestNetSynAckRetrieveState(t *testing.T) {

	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	// Testing datapath.netSynAckRetrieveState
	// There are 3 different code branches in this functions

	Convey("Given I setup an enforcer", t, func() {

		defer MockGetUDPRawSocket()()

		enforcer, _, _, _, _ := NewWithMocks(ctrl, "serverID1", constants.LocalServer, []string{"0.0.0.0/0"}, true)

		// Create a SynAck packet
		p, err := packet.NewIpv4TCPPacket(1, packet.TCPSynAckMask, "127.0.0.1", "127.0.0.1", 43758, 9000)
		So(err, ShouldBeNil)

		// The error case when nothing is in the cache
		_, err = enforcer.netSynAckRetrieveState(p)
		ShouldEqual(err, errNonPUTraffic)

		// add connection to the cache
		enforcer.tcpClient.Put(p.L4ReverseFlowHash(), &connection.TCPConnection{})

		// Should be in the cache
		conn, err := enforcer.netSynAckRetrieveState(p)
		So(err, ShouldBeNil)
		So(conn, ShouldNotBeNil)

		// Mark the connection as deleted
		conn.MarkForDeletion = true

		// We should get an error
		_, err = enforcer.netSynAckRetrieveState(p)
		ShouldEqual(err, errOutOfOrderSynAck)
	})
}

func TestAppRetrieveState(t *testing.T) {

	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	// Testing datapath.appRetrieveState
	// There are 6 branch conditions in this function.

	Convey("Given I setup an enforcer", t, func() {

		defer MockGetUDPRawSocket()()

		enforcer, _, _, _, _ := NewWithMocks(ctrl, "serverID1", constants.LocalServer, []string{"0.0.0.0/0"}, true)

		// Create a Rst packet
		p, err := packet.NewIpv4TCPPacket(1, packet.TCPRstMask, "127.0.0.1", "127.0.0.1", 43758, 9000)
		So(err, ShouldBeNil)

		// 1. We should get the errRstPacket error
		_, err = enforcer.appRetrieveState(p)
		ShouldEqual(err, errRstPacket)

		// Create a Syn packet
		p, err = packet.NewIpv4TCPPacket(1, packet.TCPSynMask, "127.0.0.1", "127.0.0.1", 43758, 9000)
		So(err, ShouldBeNil)

		// 2. We should get errNoConnection error
		_, err = enforcer.appRetrieveState(p)
		ShouldEqual(err, errNoConnection)

		// Create a Ack packet
		p, err = packet.NewIpv4TCPPacket(1, packet.TCPAckMask, "127.0.0.1", "127.0.0.1", 43758, 9000)
		So(err, ShouldBeNil)

		// 3. We should get error "No context in app processing"
		_, err = enforcer.appRetrieveState(p)
		ShouldResemble(err, errors.New("No context in app processing"))

		// Create port policy
		err = CreatePortPolicy(enforcer, "testContextID", "/ns1", common.LinuxProcessPU, nil, "2", 43758, 43758)
		So(err, ShouldBeNil)

		p.Mark = "2"

		// 4. We should get a connection object with UnknownState
		conn, err := enforcer.appRetrieveState(p)
		So(err, ShouldBeNil)
		So(conn, ShouldNotBeNil)
		ShouldEqual(conn.GetState(), connection.UnknownState)

		// add connection to the server cache
		connServer := &connection.TCPConnection{}
		enforcer.tcpServer.Put(p.L4ReverseFlowHash(), connServer)

		// 5. Should be in the cache
		conn, err = enforcer.appRetrieveState(p)
		So(err, ShouldBeNil)
		ShouldEqual(conn, connServer)

		// add connection to the client cache
		connClient := &connection.TCPConnection{}
		enforcer.tcpClient.Put(p.L4FlowHash(), connClient)

		// 6. Should be in the cache
		conn, err = enforcer.appRetrieveState(p)
		So(err, ShouldBeNil)
		ShouldEqual(conn, connClient)
	})
}

func TestNetRetrieveState(t *testing.T) {

	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	// Testing datapath.netRetrieveState
	// There are 7 branch conditions in this function.

	Convey("Given I setup an enforcer", t, func() {

		defer MockGetUDPRawSocket()()

		enforcer, _, _, _, _ := NewWithMocks(ctrl, "serverID1", constants.LocalServer, []string{"0.0.0.0/0"}, true)

		// Create a Rst packet
		p, err := packet.NewIpv4TCPPacket(1, packet.TCPRstMask, "127.0.0.1", "127.0.0.1", 43758, 9000)
		So(err, ShouldBeNil)

		// 1. We should get the errRstPacket error
		_, err = enforcer.netRetrieveState(p)
		ShouldEqual(err, errRstPacket)

		// Create a Syn packet
		p, err = packet.NewIpv4TCPPacket(1, packet.TCPSynMask, "127.0.0.1", "127.0.0.1", 43758, 9000)
		So(err, ShouldBeNil)

		// 2. We should get errNoConnection error
		_, err = enforcer.netRetrieveState(p)
		ShouldEqual(err, errNoConnection)

		// Create a Ack packet
		p, err = packet.NewIpv4TCPPacket(1, packet.TCPAckMask, "127.0.0.1", "127.0.0.1", 43758, 9000)
		So(err, ShouldBeNil)

		// 3. We should get error " TCP Port Not Found 9000"
		_, err = enforcer.netRetrieveState(p)
		ShouldResemble(err, errors.New(" TCP Port Not Found 9000"))

		// Create port policy
		err = CreatePortPolicy(enforcer, "testContextID", "/ns1", common.LinuxProcessPU, nil, "2", 9000, 9000)
		So(err, ShouldBeNil)

		p.Mark = "2"

		// 4. We should get a connection object with UnknownState
		conn, err := enforcer.netRetrieveState(p)
		So(err, ShouldBeNil)
		So(conn, ShouldNotBeNil)
		ShouldEqual(conn.GetState(), connection.UnknownState)

		// add connection to the server cache
		connServer := &connection.TCPConnection{}
		enforcer.tcpServer.Put(p.L4FlowHash(), connServer)

		// 5. Should be in the cache
		conn, err = enforcer.netRetrieveState(p)
		So(err, ShouldBeNil)
		ShouldEqual(conn, connServer)

		// add connection to the client cache
		connClient := &connection.TCPConnection{}
		enforcer.tcpClient.Put(p.L4ReverseFlowHash(), connClient)

		// 6. Should be in the cache
		conn, err = enforcer.netRetrieveState(p)
		So(err, ShouldBeNil)
		ShouldEqual(conn, connClient)

		// Change to a Rst packet
		p.SetTCPFlags(packet.TCPRstMask)

		// 7. Should be in the cache, but should get error errRstPacket
		_, err = enforcer.netRetrieveState(p)
		So(err, ShouldNotBeNil)
		ShouldEqual(err, errRstPacket)
	})
}

// This is to ensure that if we get tcp fo packet with no identity payload that we drop the packet
func TestProcessNetworkSynPacket(t *testing.T) {

	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	Convey("When I setup an enforcer", t, func() {

		defer MockGetUDPRawSocket()()

		enforcer, _, _, mockCollector, _ := NewWithMocks(ctrl, "serverID1", constants.LocalServer, []string{"0.0.0.0/0"}, true)

		flowRecord := CreateFlowRecord(1, testSrcIP, testDstIP, 43758, 80, policy.Reject|policy.Log, collector.MissingToken)
		mockCollector.EXPECT().CollectFlowEvent(MyMatcher(&flowRecord)).Times(1)

		Convey("So I received a packet with tcp fast open option set but no payload", func() {

			p, err := packet.NewIpv4TCPPacket(1, 0x2, testSrcIP, testDstIP, 43758, 80)
			So(err, ShouldBeNil)
			So(p, ShouldNotBeNil)

			// Add the fast open option
			buffer := append(p.GetBuffer(0), []byte{packet.TCPAuthenticationOption, enforcerconstants.TCPAuthenticationOptionBaseLen, 0, 0}...)
			err = p.UpdatePacketBuffer(buffer, 4)
			So(err, ShouldBeNil)

			err = p.CheckTCPAuthenticationOption(enforcerconstants.TCPAuthenticationOptionBaseLen)
			So(err, ShouldBeNil)
			So(p.IsEmptyTCPPayload(), ShouldBeTrue)

			context, err := CreatePUContext(enforcer, "dummyContext", "/ns1", common.LinuxProcessPU, nil)
			So(err, ShouldBeNil)
			So(context, ShouldNotBeNil)

			_, err = enforcer.processNetworkSynPacket(context, connection.NewTCPConnection(context, p), p)
			So(err, ShouldNotBeNil)
		})
	})
}

func TestProcessNetworkSynAckPacket(t *testing.T) {

	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	Convey("When I setup an enforcer", t, func() {

		defer MockGetUDPRawSocket()()

		enforcer, _, _, mockCollector, _ := NewWithMocks(ctrl, "serverID1", constants.LocalServer, []string{"0.0.0.0/0"}, true)

		flowRecord1 := CreateFlowRecord(1, testDstIP, testSrcIP, 80, 43758, policy.Reject|policy.Log, collector.PolicyDrop)
		mockCollector.EXPECT().CollectFlowEvent(MyMatcher(&flowRecord1)).Times(1)

		flowRecord2 := CreateFlowRecord(1, testDstIP, testSrcIP, 80, 43758, policy.Accept, "")
		mockCollector.EXPECT().CollectFlowEvent(MyMatcher(&flowRecord2)).Times(1)

		Convey("So I received a packet with tcp fast open option set but no payload", func() {

			p, err := packet.NewIpv4TCPPacket(1, 0x2, testSrcIP, testDstIP, 43758, 80)
			So(err, ShouldBeNil)
			So(p, ShouldNotBeNil)

			// Add the fast open option
			buffer := append(p.GetBuffer(0), []byte{packet.TCPAuthenticationOption, enforcerconstants.TCPAuthenticationOptionBaseLen, 0, 0}...)

			err = p.UpdatePacketBuffer(buffer, 4)
			So(err, ShouldBeNil)

			err = p.CheckTCPAuthenticationOption(enforcerconstants.TCPAuthenticationOptionBaseLen)
			So(err, ShouldBeNil)
			So(p.IsEmptyTCPPayload(), ShouldBeTrue)

			context, err := CreatePUContext(enforcer, "dummyContext", "/ns1", common.LinuxProcessPU, nil)
			So(err, ShouldBeNil)
			So(context, ShouldNotBeNil)

			_, err = enforcer.processNetworkSynAckPacket(context, connection.NewTCPConnection(context, p), p)
			So(err, ShouldNotBeNil)

			Convey("Then i add ip acl rule.", func() {
				iprules := policy.IPRuleList{policy.IPRule{
					Addresses: []string{"10.1.10.76/32"},
					Ports:     []string{"43758"},
					Protocols: []string{constants.TCPProtoNum},
					Policy: &policy.FlowPolicy{
						Action:   policy.Accept,
						PolicyID: "tcp172/8"},
				}}
				err = context.UpdateApplicationACLs(iprules)
				So(err, ShouldBeNil)

				_, err = enforcer.processNetworkSynAckPacket(context, connection.NewTCPConnection(context, p), p)
				So(err, ShouldBeNil)
			})
		})

	})
}


================================================
FILE: controller/internal/enforcer/nfqdatapath/datapath_udp.go
================================================
package nfqdatapath

// Go libraries
import (
	"errors"
	"fmt"
	"strconv"
	"time"

	"go.aporeto.io/enforcerd/trireme-lib/collector"
	"go.aporeto.io/enforcerd/trireme-lib/controller/constants"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/claimsheader"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/connection"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/counters"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packet"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/pucontext"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/tokens"
	markconstants "go.aporeto.io/enforcerd/trireme-lib/utils/constants"
	"go.uber.org/zap"
)

const (
	// Default retransmit delay for first packet
	retransmitDelay = 200
	// rentrasmitRetries is the number of times we will retry
	retransmitRetries = 3
	// ACLCheckMultipler is the multiplie on delay that is used to attempt and fallbackto acls
	ACLCheckMultipler = retransmitDelay * 12
)

// DropReason is used to indicate the drop reason for a packet
type DropReason string

// DropReason is the reason a packet is dropped and fin packets are generated
const (
	InvalidUDPState DropReason = "invalidUDPState"
	PolicyDrop      DropReason = "policyDrop"
)

var errHandshakePacket = errors.New("handshake packet")
var errDropQueuedPacket = errors.New("dropping queued packet")

func calculatedelay(retransmitDelay uint32, multiplier uint32) time.Duration {
	return time.Duration(retransmitDelay * (multiplier + 1))
}

// ProcessNetworkUDPPacket processes packets arriving from network and are destined to the application.
func (d *Datapath) ProcessNetworkUDPPacket(p *packet.Packet) (conn *connection.UDPConnection, err error) {

	if d.PacketLogsEnabled() {
		zap.L().Debug("Processing network packet ",
			zap.String("flow", p.L4FlowHash()),
		)
		defer zap.L().Debug("Finished Processing network packet ",
			zap.String("flow", p.L4FlowHash()),
			zap.Error(err),
		)
	}
	udpPacketType := p.GetUDPType()

	switch udpPacketType {
	case packet.UDPSynMask:
		conn, err = d.netSynUDPRetrieveState(p)
		if err != nil {
			if d.PacketLogsEnabled() {
				zap.L().Debug("Packet rejected",
					zap.String("flow", p.L4FlowHash()),
					zap.Error(err),
				)
			}
			return nil, err
		}
	case packet.UDPSynAckMask, packet.UDPPolicyRejectMask:
		conn, err = d.netSynAckUDPRetrieveState(p)
		if err != nil {
			if d.PacketLogsEnabled() {
				zap.L().Debug("Syn ack Packet Rejected/ignored",
					zap.String("flow", p.L4FlowHash()),
				)
			}
			return nil, err
		}

	case packet.UDPFinAckMask:
		if err := d.processUDPFinPacket(p); err != nil {
			zap.L().Debug("unable to process udp fin ack",
				zap.String("flowhash", p.L4FlowHash()), zap.Error(err))
			return nil, err
		}
		// drop control packets
		return conn, fmt.Errorf("dropping udp fin ack control packet")

	default:
		// Process packets that don't have the control header. These are data packets.
		conn, err = d.netUDPAckRetrieveState(p)
		if err != nil {
			// Retrieve the context from the packet information.
			context, err := d.contextFromIP(false, p.Mark, p.DestPort(), packet.IPProtocolUDP)
			if err != nil {
				return nil, counters.CounterError(counters.ErrNonPUUDPTraffic, errNonPUUDPTraffic)
			}
			// Check if a network acl allows this traffic traffic coming from external network
			_, packetPolicy, err := context.NetworkACLPolicy(p)

			if err == nil && packetPolicy.Action.Accepted() {
				context.Counters().IncrementCounter(counters.ErrSynAckToExtNetAccept)
				if err = d.conntrack.UpdateApplicationFlowMark(
					p.SourceAddress(),
					p.DestinationAddress(),
					p.IPProto(),
					p.SourcePort(),
					p.DestPort(),
					markconstants.DefaultConnMark,
				); err != nil {
					zap.L().Error("Failed to update conntrack table for UDP flow at transmitter",
						zap.String("net-data-acl", p.L4FlowHash()),
						zap.Error(err),
					)

				}
				return conn, nil
			}

			if err := d.sendUDPFinPacket(p); err != nil {
				return nil, fmt.Errorf("net state not found, unable to send fin ack packets: %s", err)
			}
			if d.PacketLogsEnabled() {
				zap.L().Debug("No connection found for the flow, Dropping it",
					zap.String("flow", p.L4FlowHash()),
					zap.Error(err),
				)
			}
			return nil, err
		}
	}

	// We are processing only one connection at a time.
	conn.Lock()
	defer conn.Unlock()

	p.Print(packet.PacketStageIncoming, d.PacketLogsEnabled())

	if d.service != nil {
		if !d.service.PreProcessUDPNetPacket(p, conn.Context, conn) {
			p.Print(packet.PacketFailureService, d.PacketLogsEnabled())
			return conn, conn.Context.Counters().CounterError(counters.ErrUDPNetPreProcessingFailed, errors.New("pre  processing failed for network packet"))
		}
	}

	// handle handshake packets and do not deliver to application.
	action, claims, err := d.processNetUDPPacket(p, conn.Context, conn)
	if err != nil && err != errHandshakePacket && err != errDropQueuedPacket {
		zap.L().Debug("Rejecting packet because of policy decision",
			zap.String("flow", p.L4FlowHash()),
			zap.Error(err),
		)
		return conn, fmt.Errorf("packet processing failed for network packet: %s", err)
	}

	// Process the packet by any external services.
	if d.service != nil {
		if !d.service.PostProcessUDPNetPacket(p, action, claims, conn.Context, conn) {
			p.Print(packet.PacketFailureService, d.PacketLogsEnabled())
			return conn, conn.Context.Counters().CounterError(counters.ErrUDPNetPostProcessingFailed, errors.New("post service processing failed for network packet"))
		}
	}

	// If reached the final state, drain the queue.
	if conn.GetState() == connection.UDPClientSendAck {
		conn.SetState(connection.UDPData)
		for udpPacket := conn.ReadPacket(); udpPacket != nil; udpPacket = conn.ReadPacket() {
			if d.service != nil {
				// PostProcessServiceInterface
				// We call it for all outgoing packets.
				if !d.service.PostProcessUDPAppPacket(udpPacket, nil, conn.Context, conn) {
					udpPacket.Print(packet.PacketFailureService, d.PacketLogsEnabled())
					zap.L().Error("Failed to encrypt queued packet")
				}
			}

			err = d.ignoreFlow(udpPacket)
			if err != nil {
				zap.L().Error("Unable to ignore the flow", zap.Error(err))
			}

			err = d.writeUDPSocket(udpPacket.GetBuffer(0), udpPacket)
			if err != nil {
				zap.L().Error("Unable to transmit Queued UDP packets", zap.Error(err))
			}
		}
		return conn, fmt.Errorf("Drop the packet")
	}

	if conn.GetState() != connection.UDPData {
		// handshake packets are not to be delivered to application.

		return conn, errHandshakePacket

	}

	return conn, nil
}

func (d *Datapath) netSynUDPRetrieveState(p *packet.Packet) (*connection.UDPConnection, error) {

	// Retrieve the context from the packet information.
	context, err := d.contextFromIP(false, p.Mark, p.DestPort(), packet.IPProtocolUDP)
	if err != nil {
		return nil, counters.CounterError(counters.ErrNonPUTraffic, errNonPUTraffic)
	}

	// Check if a connection already exists for this flow. This can happen
	// in the case of retransmissions. If there is no connection, create
	// a new one.
	conn, cerr := d.udpNetOrigConnectionTracker.Get(p.L4FlowHash())
	if cerr != nil {
		conn := connection.NewUDPConnection(context, d.udpSocketWriter)
		conn.Secrets, conn.Auth.LocalDatapathPrivateKey, conn.Auth.LocalDatapathPublicKeyV1, conn.Auth.LocalDatapathPublicKeySignV1, conn.Auth.LocalDatapathPublicKeyV2, conn.Auth.LocalDatapathPublicKeySignV2 = context.GetSecrets()
		return conn, nil
	}
	return conn.(*connection.UDPConnection), nil
}

func (d *Datapath) netSynAckUDPRetrieveState(p *packet.Packet) (*connection.UDPConnection, error) {
	conn, err := d.udpSourcePortConnectionCache.GetReset(p.SourcePortHash(packet.PacketTypeNetwork), 0)
	if err != nil {
		return nil, counters.CounterError(counters.ErrUDPSynAckNoConnection, errors.New("No connection.Drop the syn ack packet"))
	}

	return conn.(*connection.UDPConnection), nil
}

func (d *Datapath) netUDPAckRetrieveState(p *packet.Packet) (*connection.UDPConnection, error) {

	hash := p.L4FlowHash()
	conn, err := d.udpNetReplyConnectionTracker.GetReset(hash, 0)
	if err != nil {
		conn, err = d.udpNetOrigConnectionTracker.GetReset(hash, 0)
		if err != nil {
			// This might be an existing udp connection.
			// Send FinAck to reauthorize the connection.

			return nil, fmt.Errorf("net state not found: %s", err)
		}
	}
	return conn.(*connection.UDPConnection), nil
}

// processNetUDPPacket processes a network UDP packet and dispatches it to different methods based on the flags.
// This applies only to control packets.
func (d *Datapath) processNetUDPPacket(udpPacket *packet.Packet, context *pucontext.PUContext, conn *connection.UDPConnection) (action interface{}, claims *tokens.ConnectionClaims, err error) {

	// Extra check, just in case the caller didn't provide a connection.
	if conn == nil {
		return nil, nil, fmt.Errorf("no connection provided")
	}

	udpPacketType := udpPacket.GetUDPType()

	// Update connection state in the internal state machine tracker
	switch udpPacketType {
	case packet.UDPSynMask:

		// Parse the packet for the identity information.
		action, claims, err = d.processNetworkUDPSynPacket(context, conn, udpPacket)
		if err != nil {
			if err = d.sendUDPRstPacket(udpPacket, conn); err != nil {
				zap.L().Error("Unable to send rst packet", zap.Error(err), zap.String("FlowHash", udpPacket.L4FlowHash()))
			}

			return nil, nil, err
		}
		// Send the return packet.
		if err = d.sendUDPSynAckPacket(udpPacket, context, conn); err != nil {
			return nil, nil, err
		}

		// Mark the state that we have transmitted a SynAck packet.
		conn.SetState(connection.UDPReceiverSendSynAck)
		return action, claims, errHandshakePacket

	case packet.UDPAckMask:
		// Retrieve the header and parse the signatures.
		if err = d.processNetworkUDPAckPacket(udpPacket, context, conn); err != nil {
			return nil, nil, err
		}

		// Set the connection to
		conn.SetState(connection.UDPReceiverProcessedAck)
		return nil, nil, errHandshakePacket

	case packet.UDPSynAckMask:
		// Process the synack header and claims of the other side.
		action, claims, err = d.processNetworkUDPSynAckPacket(udpPacket, context, conn)
		if err != nil {
			return nil, nil, err
		}
		// Send back the acknowledgement.
		err = d.sendUDPAckPacket(udpPacket, context, conn)
		if err != nil {
			return nil, nil, err
		}

		conn.SetState(connection.UDPClientSendAck)

		return action, claims, errHandshakePacket
	case packet.UDPPolicyRejectMask:

		if err := d.processUDPPolicyRstPacket(udpPacket, context, conn); err != nil {
			zap.L().Debug("unable to process udp policy rst",
				zap.String("flowhash", udpPacket.L4FlowHash()), zap.Error(err))
			return conn, nil, err
		}
		return conn, nil, fmt.Errorf("dropping udp rst control packet")
	default:
		state := conn.GetState()
		if state == connection.UDPReceiverProcessedAck || state == connection.UDPClientSendAck || state == connection.UDPData {
			conn.SetState(connection.UDPData)
			return nil, nil, nil
		}
		return nil, nil, fmt.Errorf("invalid packet at state: %d", state)
	}
}

// ProcessApplicationUDPPacket processes packets arriving from an application and are destined to the network
func (d *Datapath) ProcessApplicationUDPPacket(p *packet.Packet) (conn *connection.UDPConnection, err error) {

	if d.PacketLogsEnabled() {
		zap.L().Debug("Processing application UDP packet ",
			zap.String("flow", p.L4FlowHash()),
		)
		defer zap.L().Debug("Finished Processing UDP application packet ",
			zap.String("flow", p.L4FlowHash()),
			zap.Error(err),
		)
	}
	// First retrieve the connection state.
	conn, err = d.appUDPRetrieveState(p)
	if err != nil {
		zap.L().Debug("Connection not found", zap.Error(err))
		return nil, counters.CounterError(counters.ErrNonPUTraffic, errNonPUTraffic)
	}

	// We are processing only one packet from a given connection at a time.
	conn.Lock()
	defer conn.Unlock()

	// do some pre processing.
	if d.service != nil {
		// PreProcessServiceInterface
		if !d.service.PreProcessUDPAppPacket(p, conn.Context, conn, packet.UDPSynMask) {
			p.Print(packet.PacketFailureService, d.PacketLogsEnabled())
			return nil, conn.Context.Counters().CounterError(counters.ErrUDPAppPreProcessingFailed, errors.New("pre service processing failed for UDP application packet"))
		}
	}

	triggerControlProtocol := false
	switch conn.GetState() {
	case connection.UDPStart:
		// Queue the packet. We will send it after we authorize the session.
		if err = conn.QueuePackets(p); err != nil {
			// unable to queue packets, perhaps queue is full. if start
			// machine is still in start state, we can start authorisation
			// again. A drop counter is incremented.
			zap.L().Debug("udp queue full for connection", zap.String("flow", p.L4FlowHash()))
		}

		// Set the state indicating that we send out a Syn packet
		conn.SetState(connection.UDPClientSendSyn)
		// Drop the packet. We stored it in the queue.
		triggerControlProtocol = true

	case connection.UDPReceiverProcessedAck, connection.UDPClientSendAck, connection.UDPData:
		conn.SetState(connection.UDPData)

	default:
		if err = conn.QueuePackets(p); err != nil {
			return conn, conn.Context.Counters().CounterError(counters.ErrUDPDropQueueFull, fmt.Errorf("Unable to queue packets:%s", err))
		}
		return conn, conn.Context.Counters().CounterError(counters.ErrUDPDropInNfQueue, errDropQueuedPacket)
	}

	if d.service != nil {
		// PostProcessServiceInterface
		if !d.service.PostProcessUDPAppPacket(p, nil, conn.Context, conn) {
			p.Print(packet.PacketFailureService, d.PacketLogsEnabled())
			return conn, conn.Context.Counters().CounterError(counters.ErrUDPAppPostProcessingFailed, errors.New("Encryption failed for application packet"))
		}
	}

	if triggerControlProtocol {
		err = d.triggerNegotiation(p, conn.Context, conn)
		if err != nil {
			return conn, conn.Context.Counters().CounterError(counters.ErrUDPDropInNfQueue, errDropQueuedPacket)
		}
		return conn, errDropQueuedPacket
	}

	return conn, nil
}

func (d *Datapath) appUDPRetrieveState(p *packet.Packet) (*connection.UDPConnection, error) {

	hash := p.L4FlowHash()

	if conn, err := d.udpAppReplyConnectionTracker.GetReset(hash, 0); err == nil {
		return conn.(*connection.UDPConnection), nil
	}

	if conn, err := d.udpAppOrigConnectionTracker.GetReset(hash, 0); err == nil {
		return conn.(*connection.UDPConnection), nil
	}

	context, err := d.contextFromIP(true, p.Mark, p.SourcePort(), packet.IPProtocolUDP)
	if err != nil {
		return nil, counters.CounterError(counters.ErrNonPUTraffic, errors.New("No context in app processing"))
	}

	return connection.NewUDPConnection(context, d.udpSocketWriter), nil
}

// processApplicationUDPSynPacket processes a single Syn Packet
func (d *Datapath) triggerNegotiation(udpPacket *packet.Packet, context *pucontext.PUContext, conn *connection.UDPConnection) (err error) {
	newPacket, err := d.clonePacketHeaders(udpPacket)
	if err != nil {
		return fmt.Errorf("Unable to clone packet: %s", err)
	}
	var udpData []byte
	conn.Secrets, conn.Auth.LocalDatapathPrivateKey, udpData = context.GetSynToken(nil, conn.Auth.Nonce, nil)
	udpOptions := packet.CreateUDPAuthMarker(packet.UDPSynMask, uint16(len(udpData)))
	// Attach the UDP data and token
	newPacket.UDPTokenAttach(udpOptions, udpData)
	if udpPacket.PlatformMetadata != nil {
		newPacket.PlatformMetadata = udpPacket.PlatformMetadata.Clone()
	}
	statusChannel := make(chan bool)

	go func() {
		// We started a handhsake drop reverse packets automatically
		// Assert connmark before relaseing packets if response is receied
		if err = d.conntrack.UpdateApplicationFlowMark(
			udpPacket.SourceAddress(),
			udpPacket.DestinationAddress(),
			udpPacket.IPProto(),
			udpPacket.SourcePort(),
			udpPacket.DestPort(),
			markconstants.HandshakeConnmark,
		); err != nil {
			zap.L().Error("Failed to update conntrack table for UDP flow at transmitter",
				zap.String("app-conn", udpPacket.L4FlowHash()),
				zap.String("state", fmt.Sprintf("%d", conn.GetState())),
				zap.Error(err),
			)

		}
	loop:
		for {
			select {
			case <-statusChannel:
				break loop
			case <-time.After(ACLCheckMultipler * time.Millisecond):
				return
			}
		}
		conn.Lock()
		defer conn.Unlock()
		if conn.GetState() == connection.UDPStart {
			// We did not receive any response from the remote.
			// It is most likely an external network lets evaluate acls at this point to see if we are allowed to talk to this ip
			report, pkt, perr := context.ApplicationACLPolicyFromAddr(udpPacket.DestinationAddress(), udpPacket.DestPort(), udpPacket.IPProto())
			if perr != nil && pkt.Action.Rejected() {
				d.reportExternalServiceFlow(context, report, pkt, true, udpPacket)
				return
			}
			<-time.After(50 * time.Millisecond) //Arbitrary number to ensure last handshake packet is dropped in our tables
			// Assert connmark before relaseing packets if response is receied
			if err = d.conntrack.UpdateApplicationFlowMark(
				udpPacket.SourceAddress(),
				udpPacket.DestinationAddress(),
				udpPacket.IPProto(),
				udpPacket.SourcePort(),
				udpPacket.DestPort(),
				markconstants.DefaultExternalConnMark,
			); err != nil {
				zap.L().Error("Failed to update conntrack table for UDP flow at transmitter",
					zap.String("app-conn", udpPacket.L4FlowHash()),
					zap.String("state", fmt.Sprintf("%d", conn.GetState())),
					zap.Error(err),
				)

			}
			for udpPacket := conn.ReadPacket(); udpPacket != nil; udpPacket = conn.ReadPacket() {
				if d.service != nil {
					// PostProcessServiceInterface
					// We call it for all outgoing packets.
					if !d.service.PostProcessUDPAppPacket(udpPacket, nil, conn.Context, conn) {
						udpPacket.Print(packet.PacketFailureService, d.PacketLogsEnabled())
						zap.L().Error("Failed to encrypt queued packet")
					}
				}

				err = d.ignoreFlow(udpPacket)
				if err != nil {
					zap.L().Error("Unable to ignore the flow", zap.Error(err))
				}

				err = d.writeUDPSocket(udpPacket.GetBuffer(0), udpPacket)
				if err != nil {
					zap.L().Error("Unable to transmit Queued UDP packets", zap.Error(err))
				}
			}
			conn.SetState(connection.UDPData)
			d.reportExternalServiceFlow(context, report, pkt, true, udpPacket)
			return
		}

	}()

	// send packet
	err = d.writeWithRetransmit(newPacket, conn, conn.SynChannel(), statusChannel)
	if err != nil {
		zap.L().Error("Unable to send syn token on raw socket", zap.Error(err), zap.Time("time", time.Now()))
		return fmt.Errorf("unable to transmit syn packet")
	}

	// Populate the caches to track the connection
	hash := udpPacket.L4FlowHash()
	d.udpAppOrigConnectionTracker.AddOrUpdate(hash, conn)
	d.udpSourcePortConnectionCache.AddOrUpdate(newPacket.SourcePortHash(packet.PacketTypeApplication), conn)

	return nil

}

func (d *Datapath) writeWithRetransmit(udpPacket *packet.Packet, conn *connection.UDPConnection, stop chan bool, statusChan chan bool) error {
	buffer := udpPacket.GetBuffer(0)
	localBuffer := make([]byte, len(buffer))
	copy(localBuffer, buffer)
	zap.L().Debug("TRYINGT to send control packet", zap.String("FlowHash", udpPacket.L4FlowHash()))
	if err := d.writeUDPSocket(localBuffer, udpPacket); err != nil {
		zap.L().Error("Failed to write control packet to socket", zap.Error(err), zap.String("FlowHash", udpPacket.L4FlowHash()))
		return err
	}

	go func() {

		for retries := 0; retries < retransmitRetries; retries++ {
			delay := time.Millisecond * time.Duration((retransmitDelay * (retries + 1)))
			select {
			case <-stop:
				return
			case <-time.After(delay):
				if err := d.writeUDPSocket(localBuffer, udpPacket); err != nil {
					zap.L().Error("Failed to write control packet to socket", zap.Error(err), zap.String("FlowHash", udpPacket.L4FlowHash()))
				}
			}
		}
		// We did not get a synack maybe this dest is an external network
		if statusChan != nil {
			zap.L().Debug("Timedout should start acl")
			statusChan <- true
		}
		// retransmits did not succeed. Reset the state machine so that
		// next packet can try again.
		conn.SetState(connection.UDPStart)

	}()
	return nil
}

func (d *Datapath) clonePacketHeaders(p *packet.Packet) (*packet.Packet, error) {
	// copy the ip and udp headers.
	newSize := uint16(p.IPHeaderLen() + packet.UDPDataPos)
	newPacket := make([]byte, newSize)
	p.FixupIPHdrOnDataModify(p.IPTotalLen(), newSize)

	origBuffer := p.GetBuffer(0)
	_ = copy(newPacket, origBuffer[:newSize])

	return packet.New(packet.PacketTypeApplication, newPacket, p.Mark, true)
}

// sendUDPSynAckPacket processes a UDP SynAck packet
func (d *Datapath) sendUDPSynAckPacket(udpPacket *packet.Packet, context *pucontext.PUContext, conn *connection.UDPConnection) (err error) {

	claimsHeader := claimsheader.NewClaimsHeader()
	claims := &tokens.ConnectionClaims{
		CT:       context.CompressedTags(),
		LCL:      conn.Auth.Nonce[:],
		RMT:      conn.Auth.RemoteNonce,
		DEKV1:    conn.Auth.LocalDatapathPublicKeyV1,
		SDEKV1:   conn.Auth.LocalDatapathPublicKeySignV1,
		DEKV2:    conn.Auth.LocalDatapathPublicKeyV2,
		SDEKV2:   conn.Auth.LocalDatapathPublicKeySignV2,
		ID:       context.ManagementID(),
		RemoteID: conn.Auth.RemoteContextID,
	}

	var udpData []byte

	udpData, err = d.tokenAccessor.CreateSynAckPacketToken(conn.Auth.Proto314, claims, conn.EncodedBuf[:], conn.Auth.Nonce[:], claimsHeader, conn.Secrets, conn.Auth.SecretKey)
	if err != nil {
		return counters.CounterError(appUDPSynAckCounterFromError(err), err)
	}

	// Create UDP Option

	udpPacket.CreateReverseFlowPacket()

	// This for Windows and isn't necessary, but helps when driver is logging
	err = d.reverseFlow(udpPacket)
	if err != nil {
		return counters.CounterError(appUDPSynAckCounterFromError(err), err)
	}
	// Create UDP Option
	udpOptions := packet.CreateUDPAuthMarker(packet.UDPSynAckMask, uint16(len(udpData)))
	// Attach the UDP data and token
	udpPacket.UDPTokenAttach(udpOptions, udpData)

	// If we have already a backgroun re-transmit session, stop it at this point. We will
	// start from the beginning.
	if conn.GetState() == connection.UDPReceiverSendSynAck {
		conn.SynAckStop()
	}

	// Only start the retransmission timer once. Not on every packet.
	if err := d.writeWithRetransmit(udpPacket, conn, conn.SynAckChannel(), nil); err != nil {
		zap.L().Debug("Unable to send synack token on raw socket", zap.Error(err))
		return err
	}

	return nil
}

func (d *Datapath) sendUDPAckPacket(udpPacket *packet.Packet, context *pucontext.PUContext, conn *connection.UDPConnection) (err error) {
	// This for Windows and isn't necessary, but helps when driver is logging
	err = d.reverseFlow(udpPacket)
	if err != nil {
		return counters.CounterError(appUDPAckCounterFromError(err), err)
	}

	udpPacket.CreateReverseFlowPacket()

	claims := &tokens.ConnectionClaims{
		ID:       context.ManagementID(),
		RMT:      conn.Auth.RemoteNonce,
		RemoteID: conn.Auth.RemoteContextID,
	}

	udpData, err := d.tokenAccessor.CreateAckPacketToken(conn.Auth.Proto314, conn.Auth.SecretKey, claims, conn.EncodedBuf[:])
	if err != nil {
		return counters.CounterError(appUDPAckCounterFromError(err), err)
	}
	// Create UDP Option
	udpOptions := packet.CreateUDPAuthMarker(packet.UDPAckMask, uint16(len(udpData)))
	// Attach the UDP data and token
	udpPacket.UDPTokenAttach(udpOptions, udpData)

	// send packet
	err = d.writeUDPSocket(udpPacket.GetBuffer(0), udpPacket)
	if err != nil {
		return err
	}
	// We reached final state drain the queue here

	<-time.After(40 * time.Millisecond) //Arbitrary number give receiver chance to plumb conntrack
	for udpPacket := conn.ReadPacket(); udpPacket != nil; udpPacket = conn.ReadPacket() {
		if d.service != nil {
			// PostProcessServiceInterface
			// We call it for all outgoing packets.
			if !d.service.PostProcessUDPAppPacket(udpPacket, nil, conn.Context, conn) {
				udpPacket.Print(packet.PacketFailureService, d.PacketLogsEnabled())
				zap.L().Error("Failed to encrypt queued packet")
			}
		}

		err = d.ignoreFlow(udpPacket)
		if err != nil {
			zap.L().Error("Unable to ignore the flow", zap.Error(err))
		}

		err = d.writeUDPSocket(udpPacket.GetBuffer(0), udpPacket)
		if err != nil {
			zap.L().Error("Unable to transmit Queued UDP packets", zap.Error(err))
		}
	}

	// When server and client are the same machine, we can't ignore the
	// flow until the server side receives the Ack packet
	if !udpPacket.SourceAddress().Equal(udpPacket.DestinationAddress()) {
		if err := d.ignoreFlow(udpPacket); err != nil {
			zap.L().Error("Failed to ignore flow", zap.Error(err))
		}
	}
	if err = d.conntrack.UpdateApplicationFlowMark(
		udpPacket.SourceAddress(),
		udpPacket.DestinationAddress(),
		udpPacket.IPProto(),
		udpPacket.SourcePort(),
		udpPacket.DestPort(),
		markconstants.DefaultConnMark,
	); err != nil {
		zap.L().Error("Failed to update conntrack table for UDP flow at transmitter",
			zap.String("app-conn", udpPacket.L4FlowHash()),
			zap.String("state", fmt.Sprintf("%d", conn.GetState())),
			zap.Error(err),
		)
		return err
	}

	conn.SetState(connection.UDPData)
	zap.L().Debug("Clearing fin packet entry in cache", zap.String("flowhash", udpPacket.L4FlowHash()))
	if err := d.udpFinPacketTracker.Remove(udpPacket.L4FlowHash()); err != nil {
		zap.L().Debug("Unable to remove entry from udp finack cache")
	}
	return nil
}

// processNetworkUDPSynPacket processes a syn packet arriving from the network
func (d *Datapath) processNetworkUDPSynPacket(context *pucontext.PUContext, conn *connection.UDPConnection, udpPacket *packet.Packet) (action interface{}, claims *tokens.ConnectionClaims, err error) {

	rejected := false
	networkReport, pkt, perr := context.NetworkACLPolicy(udpPacket)
	if perr == nil {
		rejected = pkt.Action.Rejected()
		if rejected {
			perr = fmt.Errorf("rejected by ACL policy %s", pkt.PolicyID)
		}
	} else {
		// We got an error, but ensure it isn't the catch all policy
		if !(pkt != nil && pkt.Action.Rejected() && pkt.PolicyID == "default") {
			rejected = true
		}
	}

	if rejected {
		d.reportExternalServiceFlow(context, networkReport, pkt, false, udpPacket)
		return nil, nil, context.Counters().CounterError(counters.ErrUDPSynDroppedPolicy, fmt.Errorf("packet had identity: incoming connection dropped:due to reject acl %s", perr))
	}
	claims = &conn.Auth.ConnectionClaims
	secretKey, _, controller, remoteNonce, remoteContextID, proto314, err := d.tokenAccessor.ParsePacketToken(conn.Auth.LocalDatapathPrivateKey, udpPacket.ReadUDPToken(), conn.Secrets, claims, false)

	if err != nil {
		d.reportUDPRejectedFlow(udpPacket, conn, collector.DefaultEndPoint, context.ManagementID(), context, collector.InvalidToken, nil, nil, false)
		return nil, nil, conn.Context.Counters().CounterError(netUDPSynCounterFromError(err), fmt.Errorf("UDP Syn packet dropped because of invalid token: %s", err))
	}

	if controller != nil && !controller.SameController {
		conn.SourceController = controller.Controller
	}

	// Why is this required. Take a look.
	//txLabel, _ := claims.T.Get(enforcerconstants.TransmitterLabel)

	// Add the port as a label with an @ prefix. These labels are invalid otherwise
	// If all policies are restricted by port numbers this will allow port-specific policies
	tags := claims.T.Copy()
	tags.AppendKeyValue(constants.PortNumberLabelString, fmt.Sprintf("%s/%s", constants.UDPProtoString, strconv.Itoa(int(udpPacket.DestPort()))))

	// Add the controller to the claims
	if controller != nil && len(controller.Controller) > 0 {
		tags.AppendKeyValue(constants.ControllerLabelString, controller.Controller)
	}

	report, pkt := context.SearchRcvRules(tags)
	if pkt.Action.Rejected() {
		d.reportUDPRejectedFlow(udpPacket, conn, remoteContextID, context.ManagementID(), context, collector.PolicyDrop, report, pkt, false)
		return nil, nil, conn.Context.Counters().CounterError(counters.ErrUDPSynDroppedPolicy, fmt.Errorf("connection rejected because of policy: %s", claims.T.String()))
	}

	hash := udpPacket.L4FlowHash()

	// conntrack
	d.udpNetOrigConnectionTracker.AddOrUpdate(hash, conn)
	d.udpAppReplyConnectionTracker.AddOrUpdate(udpPacket.L4ReverseFlowHash(), conn)

	conn.Auth.SecretKey = secretKey
	conn.Auth.RemoteNonce = remoteNonce
	conn.Auth.RemoteContextID = remoteContextID
	conn.Auth.Proto314 = proto314

	// Record actions
	conn.ReportFlowPolicy = report
	conn.PacketFlowPolicy = pkt

	return pkt, claims, nil
}

func (d *Datapath) processNetworkUDPSynAckPacket(udpPacket *packet.Packet, context *pucontext.PUContext, conn *connection.UDPConnection) (action interface{}, claims *tokens.ConnectionClaims, err error) {
	conn.SynStop()
	claims = &conn.Auth.ConnectionClaims
	secretKey, _, controller, remoteNonce, remoteContextID, proto314, err := d.tokenAccessor.ParsePacketToken(conn.Auth.LocalDatapathPrivateKey, udpPacket.ReadUDPToken(), conn.Secrets, claims, true)
	if err != nil {
		d.reportUDPRejectedFlow(udpPacket, conn, context.ManagementID(), collector.DefaultEndPoint, context, collector.MissingToken, nil, nil, true)
		return nil, nil, conn.Context.Counters().CounterError(netUDPSynAckCounterFromError(err), errors.New("SynAck packet dropped because of bad claims"))
	}

	if controller != nil && !controller.SameController {
		conn.DestinationController = controller.Controller
	}
	// Add the port as a label with an @ prefix. These labels are invalid otherwise
	// If all policies are restricted by port numbers this will allow port-specific policies
	tags := claims.T.Copy()
	tags.AppendKeyValue(constants.PortNumberLabelString, fmt.Sprintf("%s/%s", constants.UDPProtoString, strconv.Itoa(int(udpPacket.SourcePort()))))

	// Add the controller to the claims
	if controller != nil && len(controller.Controller) > 0 {
		tags.AppendKeyValue(constants.ControllerLabelString, controller.Controller)
	}

	report, pkt := context.SearchTxtRules(tags, !d.mutualAuthorization)
	if pkt.Action.Rejected() {
		d.reportUDPRejectedFlow(udpPacket, conn, remoteContextID, context.ManagementID(), context, collector.PolicyDrop, report, pkt, true)
		return nil, nil, conn.Context.Counters().CounterError(counters.ErrUDPSynAckPolicy, fmt.Errorf("dropping because of reject rule on transmitter: %s", claims.T.String()))
	}

	// conntrack
	d.udpNetReplyConnectionTracker.AddOrUpdate(udpPacket.L4FlowHash(), conn)
	conn.Auth.SecretKey = secretKey
	conn.Auth.RemoteNonce = remoteNonce
	conn.Auth.RemoteContextID = remoteContextID
	conn.Auth.Proto314 = proto314

	return pkt, claims, nil
}

func (d *Datapath) processNetworkUDPAckPacket(udpPacket *packet.Packet, context *pucontext.PUContext, conn *connection.UDPConnection) (err error) {
	conn.SynAckStop()
	if err = d.tokenAccessor.ParseAckToken(conn.Auth.Proto314, conn.Auth.SecretKey, conn.Auth.Nonce[:], udpPacket.ReadUDPToken(), &conn.Auth.ConnectionClaims); err != nil {
		d.reportUDPRejectedFlow(udpPacket, conn, conn.Auth.RemoteContextID, context.ManagementID(), context, collector.InvalidToken, conn.ReportFlowPolicy, conn.PacketFlowPolicy, false)
		return conn.Context.Counters().CounterError(netUDPAckCounterFromError(err), fmt.Errorf("ack packet dropped because signature validation failed: %s", err))
	}

	// For Windows, we allow the flow
	if err := d.setFlowState(udpPacket, true); err != nil {
		zap.L().Error("Failed to ignore flow", zap.Error(err))
	}

	// Plumb connmark rule here.
	if err := d.conntrack.UpdateNetworkFlowMark(
		udpPacket.SourceAddress(),
		udpPacket.DestinationAddress(),
		udpPacket.IPProto(),
		udpPacket.SourcePort(),
		udpPacket.DestPort(),
		markconstants.DefaultConnMark,
	); err != nil {
		zap.L().Error("Failed to update conntrack table after ack packet")
	}

	d.reportUDPAcceptedFlow(udpPacket, conn, conn.Auth.RemoteContextID, context.ManagementID(), context, conn.ReportFlowPolicy, conn.PacketFlowPolicy, false)

	conn.Context.Counters().IncrementCounter(counters.ErrUDPConnectionsProcessed)
	return nil
}

// sendUDPFinPacket sends a Fin packet to Peer.
func (d *Datapath) sendUDPFinPacket(udpPacket *packet.Packet) (err error) {
	// Create UDP Option
	udpOptions := packet.CreateUDPAuthMarker(packet.UDPFinAckMask, 0)
	udpPacket.CreateReverseFlowPacket()

	err = d.reverseFlow(udpPacket)
	if err != nil {

		return counters.CounterError(counters.ErrUDPDropFin, err)
	}
	// Attach the UDP data and token
	udpPacket.UDPTokenAttach(udpOptions, []byte{})

	// no need for retransmits here.
	err = d.writeUDPSocket(udpPacket.GetBuffer(0), udpPacket)
	if err != nil {
		zap.L().Debug("Unable to send fin packet on raw socket:", zap.Error(err))
		return counters.CounterError(counters.ErrUDPDropFin, fmt.Errorf("Unable to send fin packet on raw socket: %s", err.Error()))
	}

	return nil
}

// sendUDPRstPacket sends a rst packet to Peer.
func (d *Datapath) sendUDPRstPacket(udpPacket *packet.Packet, conn *connection.UDPConnection) (err error) {
	// Create UDP Option
	udpOptions := packet.CreateUDPAuthMarker(packet.UDPPolicyRejectMask, 0)
	udpPacket.CreateReverseFlowPacket()
	// TODO ::: Have a signed payload this packets will force remote end to process acls
	// So we have to be sure someone we trust send this
	err = d.reverseFlow(udpPacket)
	if err != nil {
		return conn.Context.Counters().CounterError(counters.ErrUDPDropRst, err)
	}

	// Attach the UDP data and token
	udpPacket.UDPTokenAttach(udpOptions, []byte{})

	// For Windows, this mark udpPacket packet so that when writeUDPSocket is called,
	// it will send the packet but will drop additional packets for this flow.
	if err := d.dropFlow(udpPacket); err != nil {
		zap.L().Error("Failed to drop flow", zap.Error(err))
	}

	// no need for retransmits here.
	err = d.writeUDPSocket(udpPacket.GetBuffer(0), udpPacket)
	if err != nil {
		zap.L().Debug("Unable to send fin packet on raw socket", zap.Error(err))
		return conn.Context.Counters().CounterError(counters.ErrUDPDropRst, fmt.Errorf("Unable to send rst packet on raw socket: %s", err.Error()))
	}

	// conn.SynStop()
	// conn.SynAckStop()
	// Plumb connmark rule here. drop packet on this flow. Till we see a acceptable handshake packet again
	if err := d.conntrack.UpdateNetworkFlowMark(
		udpPacket.SourceAddress(),
		udpPacket.DestinationAddress(),
		udpPacket.IPProto(),
		udpPacket.SourcePort(),
		udpPacket.DestPort(),
		markconstants.DropConnmark,
	); err != nil {
		zap.L().Error("Failed to update conntrack table after ack packet")
	}
	return nil
}

func (d *Datapath) processUDPPolicyRstPacket(udpPacket *packet.Packet, context *pucontext.PUContext, conn *connection.UDPConnection) (err error) { // nolint
	conn.SetState(connection.UDPRST)
	conn.SynStop()
	conn.SynAckStop()
	if err := d.udpAppOrigConnectionTracker.Remove(udpPacket.L4ReverseFlowHash()); err != nil {
		zap.L().Debug("Failed to clean cache udpappOrigConnectionTracker", zap.Error(err))
	}
	if err := d.udpSourcePortConnectionCache.Remove(udpPacket.SourcePortHash(packet.PacketTypeNetwork)); err != nil {
		zap.L().Debug("Failed to clean cache udpsourcePortConnectionCache", zap.Error(err))
	}
	if err := d.setFlowState(udpPacket, false); err != nil {
		zap.L().Error("Failed to drop flow", zap.Error(err))
	}
	if err := d.conntrack.UpdateNetworkFlowMark(
		udpPacket.SourceAddress(),
		udpPacket.DestinationAddress(),
		udpPacket.IPProto(),
		udpPacket.SourcePort(),
		udpPacket.DestPort(),
		markconstants.DropConnmark,
	); err != nil {
		zap.L().Error("Failed to update conntrack table after ack packet")
	}
	return nil
}

// Update the udp fin cache and delete the connmark.
func (d *Datapath) processUDPFinPacket(udpPacket *packet.Packet) (err error) { // nolint

	// add it to the udp fin cache. If we have already received the fin packet
	// for this flow. There is no need to change the connmark label again.
	if d.udpFinPacketTracker.AddOrUpdate(udpPacket.L4ReverseFlowHash(), true) {
		return nil
	}

	// clear cache entries.
	if err := d.udpAppOrigConnectionTracker.Remove(udpPacket.L4ReverseFlowHash()); err != nil {
		zap.L().Debug("Failed to clean cache udpappOrigConnectionTracker", zap.Error(err))
	}
	if err := d.udpSourcePortConnectionCache.Remove(udpPacket.SourcePortHash(packet.PacketTypeNetwork)); err != nil {
		zap.L().Debug("Failed to clean cache udpsourcePortConnectionCache", zap.Error(err))
	}
	if err := d.setFlowState(udpPacket, false); err != nil {
		zap.L().Error("Failed to drop flow", zap.Error(err))
	}
	if err = d.conntrack.UpdateNetworkFlowMark(
		udpPacket.SourceAddress(),
		udpPacket.DestinationAddress(),
		udpPacket.IPProto(),
		udpPacket.SourcePort(),
		udpPacket.DestPort(),
		markconstants.DeleteConnmark,
	); err != nil {
		zap.L().Error("Failed to update conntrack table for flow to terminate connection",
			zap.String("app-conn", udpPacket.L4FlowHash()),
			zap.Error(err),
		)
	}

	return nil
}

// note: for platforms that need it (Windows), please ensure that udpPacket.PlatformMetadata is set.
// thus, for any Packets created outside of the driver packet callback, the originating metadata must be
// propagated to the udpPacket argument before this call.
func (d *Datapath) writeUDPSocket(buf []byte, udpPacket *packet.Packet) error {
	return d.udpSocketWriter.WriteSocket(buf, udpPacket.IPversion(), udpPacket.PlatformMetadata)
}


================================================
FILE: controller/internal/enforcer/nfqdatapath/datapath_windows.go
================================================
// +build windows

package nfqdatapath

import (
	"context"
	"fmt"
	"net"
	"syscall"
	"unsafe"

	"github.com/ghedo/go.pkt/layers"
	gpacket "github.com/ghedo/go.pkt/packet"
	"github.com/ghedo/go.pkt/packet/ipv4"
	"github.com/ghedo/go.pkt/packet/tcp"
	"github.com/pkg/errors"
	"go.aporeto.io/enforcerd/trireme-lib/controller/constants"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/nfqdatapath/afinetrawsocket"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/connection"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packet"
	"go.aporeto.io/enforcerd/trireme-lib/utils/frontman"
	"go.uber.org/zap"
	"golang.org/x/sys/windows"
)

func adjustConntrack(mode constants.ModeType) {
}

func (d *Datapath) reverseFlow(pkt *packet.Packet) error {
	windata, ok := pkt.PlatformMetadata.(*afinetrawsocket.WindowPlatformMetadata)
	if !ok {
		return errors.New("no WindowPlatformMetadata for reverseFlow")
	}

	address := windata.PacketInfo.RemoteAddr
	windata.PacketInfo.RemoteAddr = windata.PacketInfo.LocalAddr
	windata.PacketInfo.LocalAddr = address

	port := windata.PacketInfo.RemotePort
	windata.PacketInfo.RemotePort = windata.PacketInfo.LocalPort
	windata.PacketInfo.LocalPort = port

	return nil
}

func (d *Datapath) drop(pkt *packet.Packet) error {
	windata, ok := pkt.PlatformMetadata.(*afinetrawsocket.WindowPlatformMetadata)
	if !ok {
		return errors.New("no WindowPlatformMetadata for drop")
	}
	windata.Drop = true
	return nil
}

func (d *Datapath) setMark(pkt *packet.Packet, mark uint32) error {
	windata, ok := pkt.PlatformMetadata.(*afinetrawsocket.WindowPlatformMetadata)
	if !ok {
		return errors.New("no WindowPlatformMetadata for setMark")
	}
	windata.SetMark = mark
	return nil
}

// ignoreFlow is for Windows, because we need a way to explicitly notify of an 'ignore flow' condition,
// without going through flowtracking, to be called synchronously in datapath processing
func (d *Datapath) ignoreFlow(pkt *packet.Packet) error {
	windata, ok := pkt.PlatformMetadata.(*afinetrawsocket.WindowPlatformMetadata)
	if !ok {
		return errors.New("no WindowPlatformMetadata for ignoreFlow")
	}
	windata.IgnoreFlow = true
	return nil
}

// dropFlow will tell the windows driver to continue to drop packets for this flow.
func (d *Datapath) dropFlow(pkt *packet.Packet) error {
	windata, ok := pkt.PlatformMetadata.(*afinetrawsocket.WindowPlatformMetadata)
	if !ok {
		return errors.New("no WindowPlatformMetadata for dropFlow")
	}
	windata.DropFlow = true
	return nil
}

// setFlowState will not send the packet but will tell the Windows driver to either accept or drop the flow.
func (d *Datapath) setFlowState(pkt *packet.Packet, accepted bool) error {
	windata, ok := pkt.PlatformMetadata.(*afinetrawsocket.WindowPlatformMetadata)
	if !ok {
		return errors.New("no WindowPlatformMetadata for setFlowState")
	}

	buf := pkt.GetBuffer(0)
	packetInfo := windata.PacketInfo
	packetInfo.NewPacket = 1
	packetInfo.Drop = 1
	packetInfo.IgnoreFlow = 0
	packetInfo.DropFlow = 0
	if accepted {
		packetInfo.IgnoreFlow = 1
	} else {
		packetInfo.DropFlow = 1
	}
	packetInfo.PacketSize = uint32(len(buf))
	if err := frontman.Wrapper.PacketFilterForward(&packetInfo, buf); err != nil {
		return err
	}
	return nil
}

func (d *Datapath) startInterceptors(ctx context.Context) {
	err := d.startFrontmanPacketFilter(ctx, d.nflogger)
	if err != nil {
		zap.L().Fatal("Unable to initialize windows packet proxy", zap.Error(err))
	}
}

type pingConn struct {
	SourceIP   net.IP
	DestIP     net.IP
	SourcePort uint16
	DestPort   uint16
}

func dialIP(srcIP, dstIP net.IP) (PingConn, error) {
	return &pingConn{}, nil
}

// Close not implemented.
func (p *pingConn) Close() error {
	return nil
}

// Write sends the packet to network.
func (p *pingConn) Write(data []byte) (int, error) {

	ipv4 := uint8(0)
	if len(p.SourceIP) == net.IPv4len {
		ipv4 = 1
	}

	packetInfo := frontman.PacketInfo{
		Ipv4:             ipv4,
		Protocol:         windows.IPPROTO_TCP,
		Outbound:         1,
		NewPacket:        1,
		NoPidMatchOnFlow: 1,
		LocalPort:        p.SourcePort,
		RemotePort:       p.DestPort,
		LocalAddr:        convertToDriverFormat(p.SourceIP),
		RemoteAddr:       convertToDriverFormat(p.DestIP),
		PacketSize:       uint32(len(data)),
	}

	dllRet, err := frontman.Driver.PacketFilterForward(uintptr(unsafe.Pointer(&packetInfo)), uintptr(unsafe.Pointer(&data[0])))
	if dllRet == 0 && err != nil {
		return 0, err
	}

	return len(data), nil
}

// ConstructWirePacket returns IP packet with given TCP and payload in wire format.
func (p *pingConn) ConstructWirePacket(srcIP, dstIP net.IP, transport gpacket.Packet, payload gpacket.Packet) ([]byte, error) {

	ipPacket := ipv4.Make()
	ipPacket.SrcAddr = srcIP
	ipPacket.DstAddr = dstIP
	ipPacket.Protocol = ipv4.TCP

	// pack the layers together.
	buf, err := layers.Pack(ipPacket, transport, payload)
	if err != nil {
		return nil, fmt.Errorf("unable to encode packet to wire format: %v", err)
	}

	tcpPacket := transport.(*tcp.Packet)

	p.SourceIP = srcIP
	p.DestIP = dstIP
	p.SourcePort = tcpPacket.SrcPort
	p.DestPort = tcpPacket.DstPort

	return buf, nil
}

func bindRandomPort(tcpConn *connection.TCPConnection) (uint16, error) {

	fd, err := windows.Socket(windows.AF_INET, windows.SOCK_STREAM, windows.IPPROTO_TCP)
	if err != nil {
		return 0, fmt.Errorf("unable to open socket, fd: %d : %s", fd, err)
	}

	addr := windows.SockaddrInet4{Port: 0}
	copy(addr.Addr[:], net.ParseIP("127.0.0.1").To4())
	if err = windows.Bind(fd, &addr); err != nil {
		windows.CloseHandle(fd) // nolint: errcheck
		return 0, fmt.Errorf("unable to bind socket: %s", err)
	}

	sockAddr, err := windows.Getsockname(fd)
	if err != nil {
		windows.CloseHandle(fd) // nolint: errcheck
		return 0, fmt.Errorf("unable to get socket address: %s", err)
	}

	ip4Addr, ok := sockAddr.(*windows.SockaddrInet4)
	if !ok {
		windows.CloseHandle(fd) // nolint: errcheck
		return 0, fmt.Errorf("invalid socket address: %T", sockAddr)
	}

	tcpConn.PingConfig.SetSocketFd(uintptr(fd))
	return uint16(ip4Addr.Port), nil
}

func closeRandomPort(tcpConn *connection.TCPConnection) error {

	fd := tcpConn.PingConfig.SocketFd()
	tcpConn.PingConfig.SetSocketClosed(true)

	return windows.CloseHandle(windows.Handle(fd))
}

func convertToDriverFormat(ip net.IP) [4]uint32 {
	var addr [4]uint32
	byteAddr := (*[16]byte)(unsafe.Pointer(&addr))
	copy(byteAddr[:], ip)
	return addr
}

func isAddrInUseErrno(errNo syscall.Errno) bool {
	return errNo == windows.WSAEADDRINUSE
}


================================================
FILE: controller/internal/enforcer/nfqdatapath/diagnostics_tcp.go
================================================
// +build !windows

package nfqdatapath

import (
	"context"
	"fmt"
	"math/rand"
	"net"
	"strconv"
	"syscall"
	"time"

	"github.com/aporeto-inc/gopkt/layers"
	"github.com/aporeto-inc/gopkt/packet/ipv4"
	"github.com/aporeto-inc/gopkt/packet/raw"
	"github.com/aporeto-inc/gopkt/packet/tcp"
	"github.com/aporeto-inc/gopkt/routing"
	"github.com/phayes/freeport"
	"github.com/vmihailenco/msgpack"
	"go.aporeto.io/trireme-lib/collector"
	enforcerconstants "go.aporeto.io/trireme-lib/controller/internal/enforcer/constants"
	"go.aporeto.io/trireme-lib/controller/pkg/claimsheader"
	"go.aporeto.io/trireme-lib/controller/pkg/connection"
	tpacket "go.aporeto.io/trireme-lib/controller/pkg/packet"
	"go.aporeto.io/trireme-lib/controller/pkg/pucontext"
	"go.aporeto.io/trireme-lib/controller/pkg/tokens"
	"go.aporeto.io/trireme-lib/policy"
	"go.aporeto.io/trireme-lib/utils/crypto"
	"go.uber.org/zap"
)

func (d *Datapath) initiateDiagnostics(_ context.Context, contextID string, pingConfig *policy.PingConfig) error {

	if pingConfig == nil {
		return nil
	}

	zap.L().Debug("Initiating diagnostics (syn)")

	srcIP, err := getSrcIP(pingConfig.IP)
	if err != nil {
		return fmt.Errorf("unable to get source ip: %v", err)
	}

	conn, err := dialWithMark(srcIP, pingConfig.IP)
	if err != nil {
		return fmt.Errorf("unable to dial on app syn: %v", err)
	}
	defer conn.Close() // nolint:errcheck

	item, err := d.puFromContextID.Get(contextID)
	if err != nil {
		return fmt.Errorf("unable to find context with ID %s in cache: %v", contextID, err)
	}

	context, ok := item.(*pucontext.PUContext)
	if !ok {
		return fmt.Errorf("invalid pu context: %v", contextID)
	}

	for i := 1; i <= pingConfig.Requests; i++ {
		for _, ports := range pingConfig.Ports {
			for dstPort := ports.Min; dstPort <= ports.Max; dstPort++ {
				if err := d.sendSynPacket(context, pingConfig, conn, srcIP, dstPort, i); err != nil {
					return err
				}
			}
		}
	}

	return nil
}

// sendSynPacket sends tcp syn packet to the socket. It also dispatches a report.
func (d *Datapath) sendSynPacket(context *pucontext.PUContext, pingConfig *policy.PingConfig, conn net.Conn, srcIP net.IP, dstPort uint16, request int) error {

	tcpConn := connection.NewTCPConnection(context, nil)
	tcpConn.Secrets = d.secrets()

	claimsHeader := claimsheader.NewClaimsHeader(
		claimsheader.OptionPingType(pingConfig.Type),
	)

	tcpData, err := d.tokenAccessor.CreateSynPacketToken(context, &tcpConn.Auth, claimsHeader, d.secrets())
	if err != nil {
		return fmt.Errorf("unable to create syn token: %v", err)
	}

	srcPort, err := freeport.GetFreePort()
	if err != nil {
		return fmt.Errorf("unable to get free source port: %v", err)
	}

	p, err := constructTCPPacket(srcIP, pingConfig.IP, uint16(srcPort), dstPort, tcp.Syn, tcpData)
	if err != nil {
		return fmt.Errorf("unable to construct syn packet: %v", err)
	}

	sessionID, err := crypto.GenerateRandomString(20)
	if err != nil {
		return err
	}

	if err := write(conn, p); err != nil {
		return fmt.Errorf("unable to send syn packet: %v", err)
	}

	tcpConn.PingConfig = &connection.PingConfig{
		StartTime: time.Now(),
		Type:      pingConfig.Type,
		SessionID: sessionID,
		Request:   request,
	}

	d.sendOriginPingReport(
		sessionID,
		d.agentVersion.String(),
		flowTuple(
			tpacket.PacketTypeApplication,
			srcIP.String(),
			pingConfig.IP.String(),
			uint16(srcPort),
			dstPort,
		),
		context,
		pingConfig.Type,
		len(tcpData),
		request,
	)

	tcpConn.SetState(connection.TCPSynSend)
	d.sourcePortConnectionCache.AddOrUpdate(
		packetTuple(tpacket.PacketTypeApplication, srcIP.String(), pingConfig.IP.String(), uint16(srcPort), dstPort),
		tcpConn,
	)

	return nil
}

// processDiagnosticNetSynPacket should only be called when the packet is recognized as a diagnostic syn packet.
func (d *Datapath) processDiagnosticNetSynPacket(
	context *pucontext.PUContext,
	tcpConn *connection.TCPConnection,
	tcpPacket *tpacket.Packet,
	claims *tokens.ConnectionClaims,
) error {

	ch := claims.H.ToClaimsHeader()
	tcpConn.PingConfig.Type = ch.PingType()
	tcpConn.SetState(connection.TCPSynReceived)

	zap.L().Debug("Processing diagnostic network syn packet",
		zap.String("pingType", ch.PingType().String()),
	)

	if ch.PingType() == claimsheader.PingTypeDefaultIdentityPassthrough {
		zap.L().Debug("Processing diagnostic network syn packet: defaultpassthrough")

		tcpConn.PingConfig.Passthrough = true
		d.appReplyConnectionTracker.AddOrUpdate(tcpPacket.L4ReverseFlowHash(), tcpConn)
		return nil
	}

	conn, err := dialWithMark(tcpPacket.DestinationAddress(), tcpPacket.SourceAddress())
	if err != nil {
		return fmt.Errorf("unable to dial on net syn: %v", err)
	}
	defer conn.Close() // nolint:errcheck

	var tcpData []byte
	// If diagnostic type is custom, we add custom payload.
	// Else, we add default payload.
	if ch.PingType() == claimsheader.PingTypeCustomIdentity {
		ci := &customIdentity{
			AgentVersion:         d.agentVersion.String(),
			TransmitterID:        context.ManagementID(),
			TransmitterNamespace: context.ManagementNamespace(),
			FlowTuple: flowTuple(
				tpacket.PacketTypeApplication,
				tcpPacket.SourceAddress().String(),
				tcpPacket.DestinationAddress().String(),
				tcpPacket.SourcePort(),
				tcpPacket.DestPort(),
			),
		}
		tcpData, err = ci.encode()
		if err != nil {
			return err
		}
	} else {
		tcpData, err = d.tokenAccessor.CreateSynAckPacketToken(context, &tcpConn.Auth, ch, d.secrets())
		if err != nil {
			return fmt.Errorf("unable to create default synack token: %v", err)
		}
	}

	p, err := constructTCPPacket(
		tcpPacket.DestinationAddress(),
		tcpPacket.SourceAddress(),
		tcpPacket.DestPort(),
		tcpPacket.SourcePort(),
		tcp.Syn|tcp.Ack,
		tcpData,
	)
	if err != nil {
		return fmt.Errorf("unable to construct synack packet: %v", err)
	}

	if err := write(conn, p); err != nil {
		return fmt.Errorf("unable to send synack packet: %v", err)
	}

	tcpConn.SetState(connection.TCPSynAckSend)
	return nil
}

// processDiagnosticNetSynAckPacket should only be called when the packet is recognized as a diagnostic synack packet.
func (d *Datapath) processDiagnosticNetSynAckPacket(
	context *pucontext.PUContext,
	tcpConn *connection.TCPConnection,
	tcpPacket *tpacket.Packet,
	claims *tokens.ConnectionClaims,
	ext bool,
	custom bool,
) error {
	zap.L().Debug("Processing diagnostic network synack packet",
		zap.Bool("externalNetwork", ext),
		zap.Bool("customPayload", custom),
		zap.String("pingType", tcpConn.PingConfig.Type.String()),
	)

	if tcpConn.GetState() == connection.TCPSynAckReceived {
		zap.L().Debug("Ignoring duplicate synack packets")
		return nil
	}

	receiveTime := time.Since(tcpConn.PingConfig.StartTime)
	tcpConn.SetState(connection.TCPSynAckReceived)

	// Synack from externalnetwork.
	if ext {
		tcpConn.PingConfig.Passthrough = true
		d.sendReplyPingReport(&customIdentity{}, tcpConn, context, receiveTime.String(), len(tcpPacket.ReadTCPData()))
		return nil
	}

	// Synack from an endpoint with custom identity enabled.
	if custom {
		ci := &customIdentity{}
		if err := ci.decode(tcpPacket.ReadTCPData()); err != nil {
			return err
		}

		d.sendReplyPingReport(ci, tcpConn, context, receiveTime.String(), len(tcpPacket.ReadTCPData()))
		return nil
	}

	txtID, ok := claims.T.Get(enforcerconstants.TransmitterLabel)
	if !ok {
		return fmt.Errorf("missing transmitter label")
	}

	ci := &customIdentity{
		TransmitterID: txtID,
	}

	d.sendReplyPingReport(ci, tcpConn, context, receiveTime.String(), len(tcpPacket.ReadTCPData()))

	if tcpConn.PingConfig.Type == claimsheader.PingTypeDefaultIdentityPassthrough {
		zap.L().Debug("Processing diagnostic network synack packet: defaultpassthrough")
		tcpConn.PingConfig.Passthrough = true
		return nil
	}

	return nil
}

// constructTCPPacket constructs a valid tcp packet that can be sent on wire.
func constructTCPPacket(srcIP, dstIP net.IP, srcPort, dstPort uint16, flag tcp.Flags, tcpData []byte) ([]byte, error) {

	// pseudo header.
	// NOTE: Used only for computing checksum.
	ipPacket := ipv4.Make()
	ipPacket.SrcAddr = srcIP
	ipPacket.DstAddr = dstIP
	ipPacket.Protocol = ipv4.TCP

	// tcp.
	tcpPacket := tcp.Make()
	tcpPacket.SrcPort = srcPort
	tcpPacket.DstPort = dstPort
	tcpPacket.Flags = flag
	tcpPacket.Seq = rand.Uint32()
	tcpPacket.WindowSize = 0xAAAA
	tcpPacket.Options = []tcp.Option{
		{
			Type: tcp.MSS,
			Len:  4,
			Data: []byte{0x05, 0x8C},
		}, {
			Type: 34, // tfo
			Len:  enforcerconstants.TCPAuthenticationOptionBaseLen,
			Data: make([]byte, 2),
		},
	}
	tcpPacket.DataOff = uint8(7) // 5 (header size) + 2 * (4 byte options)

	// payload.
	payload := raw.Make()
	payload.Data = tcpData

	tcpPacket.SetPayload(payload)  // nolint:errcheck
	ipPacket.SetPayload(tcpPacket) // nolint:errcheck

	// pack the layers together.
	buf, err := layers.Pack(tcpPacket, payload)
	if err != nil {
		return nil, fmt.Errorf("unable to encode packet to wire format: %v", err)
	}

	return buf, nil
}

// getSrcIP returns the interface ip that can reach the destination.
func getSrcIP(dstIP net.IP) (net.IP, error) {

	route, err := routing.RouteTo(dstIP)
	if err != nil || route == nil {
		return nil, fmt.Errorf("no route found for destination %s: %v", dstIP.String(), err)
	}

	ip, err := route.GetIfaceIPv4Addr()
	if err != nil {
		return nil, fmt.Errorf("unable to get interface ip address: %v", err)
	}

	return ip, nil
}

// flowTuple returns the tuple based on the stage in format <sip:dip:spt:dpt> or <dip:sip:dpt:spt>
func flowTuple(stage uint64, srcIP, dstIP string, srcPort, dstPort uint16) string {

	if stage == tpacket.PacketTypeNetwork {
		return fmt.Sprintf("%s:%s:%s:%s", dstIP, srcIP, strconv.Itoa(int(dstPort)), strconv.Itoa(int(srcPort)))
	}

	return fmt.Sprintf("%s:%s:%s:%s", srcIP, dstIP, strconv.Itoa(int(srcPort)), strconv.Itoa(int(dstPort)))
}

// packetTuple returns the tuple based on the stage in format <sip:spt> or <dip:dpt>
func packetTuple(stage uint64, srcIP, dstIP string, srcPort, dstPort uint16) string {

	if stage == tpacket.PacketTypeNetwork {
		return dstIP + ":" + strconv.Itoa(int(dstPort))
	}

	return srcIP + ":" + strconv.Itoa(int(srcPort))
}

// dialWithMark opens raw ipv4:tcp socket and connects to the remote network.
func dialWithMark(srcIP, dstIP net.IP) (net.Conn, error) {

	d := net.Dialer{
		Timeout:   5 * time.Second,
		KeepAlive: -1, // keepalive disabled.
		LocalAddr: &net.IPAddr{IP: srcIP},
		Control: func(_, _ string, c syscall.RawConn) error {
			return c.Control(func(fd uintptr) {
				if err := syscall.SetsockoptInt(int(fd), syscall.SOL_SOCKET, 0x24, 0x40); err != nil {
					zap.L().Error("unable to assign mark", zap.Error(err))
				}
			})
		},
	}

	return d.Dial("ip4:tcp", dstIP.String())
}

// write writes the given data to the conn.
func write(conn net.Conn, data []byte) error {

	n, err := conn.Write(data)
	if err != nil {
		return err
	}

	if n != len(data) {
		return fmt.Errorf("partial data written, total: %v, written: %v", len(data), n)
	}

	return nil
}

// sendOriginPingReport sends a report on syn sent state.
func (d *Datapath) sendOriginPingReport(
	sessionID,
	agentVersion,
	flowTuple string,
	context *pucontext.PUContext,
	pingType claimsheader.PingType,
	payloadSize,
	request int,
) {
	d.sendPingReport(
		sessionID,
		agentVersion,
		flowTuple,
		"",
		context.ManagementID(),
		context.ManagementNamespace(),
		"",
		"",
		pingType,
		collector.Origin,
		payloadSize,
		request,
	)
}

// sendOriginPingReport sends a report on synack recv state.
func (d *Datapath) sendReplyPingReport(
	ci *customIdentity,
	tcpConn *connection.TCPConnection,
	context *pucontext.PUContext,
	rtt string,
	payloadSize int,
) {
	d.sendPingReport(
		tcpConn.PingConfig.SessionID,
		ci.AgentVersion,
		ci.FlowTuple,
		rtt,
		context.ManagementID(),
		context.ManagementNamespace(),
		ci.TransmitterID,
		ci.TransmitterNamespace,
		tcpConn.PingConfig.Type,
		collector.Reply,
		payloadSize,
		tcpConn.PingConfig.Request,
	)
}

func (d *Datapath) sendPingReport(
	sessionID,
	agentVersion,
	flowTuple,
	rtt,
	srcID,
	srcNS,
	dstID,
	dstNS string,
	PingType claimsheader.PingType,
	stage collector.Stage,
	payloadSize,
	request int,
) {

	report := &collector.PingReport{
		AgentVersion:         agentVersion,
		FlowTuple:            flowTuple,
		Latency:              rtt,
		PayloadSize:          payloadSize,
		Type:                 PingType,
		Stage:                stage,
		SourceID:             srcID,
		SourceNamespace:      srcNS,
		DestinationNamespace: dstNS,
		DestinationID:        dstID,
		SessionID:            sessionID,
		Protocol:             tpacket.IPProtocolTCP,
		ServiceType:          "L3",
		Request:              request,
	}

	d.collector.CollectPingEvent(report)
}

// customIdentity holds data that needs to be passed on wire.
type customIdentity struct {
	AgentVersion         string
	TransmitterID        string
	TransmitterNamespace string
	FlowTuple            string
}

// encode returns bytes of c, returns error on nil.
func (c *customIdentity) encode() ([]byte, error) {

	if c == nil {
		return nil, fmt.Errorf("cannot encode nil custom identity")
	}

	b, err := msgpack.Marshal(c)
	if err != nil {
		return nil, fmt.Errorf("unable to encode custom identity: %v", err)
	}

	return b, nil
}

// decode returns customIdentity, returns error on nil.
func (c *customIdentity) decode(b []byte) error {

	if c == nil {
		return fmt.Errorf("cannot decode nil custom identity")
	}

	if err := msgpack.Unmarshal(b, c); err != nil {
		return fmt.Errorf("unable to decode custom identity: %v", err)
	}

	return nil
}


================================================
FILE: controller/internal/enforcer/nfqdatapath/interfaces.go
================================================
package nfqdatapath

import (
	"net"

	"github.com/ghedo/go.pkt/packet"
)

// ContextProcessor is an interface to provide context checks
type ContextProcessor interface {
	DoesContextExist(contextID string) bool
	IsContextServer(contextID string, backendip string) bool
}

// RuleProcessor is an interface to access rules
type RuleProcessor interface {
	CheckRejectRecvRules(contextID string) (int, bool)
	CheckAcceptRecvRules(contextID string) (int, bool)
	CheckRejectTxRules(contextID string) (int, bool)
	CheckAcceptTxRules(contextID string) (int, bool)
}

// Accessor is an interface for datapth to access contexts/rules/tokens
type Accessor interface {
	ContextProcessor
	RuleProcessor
}

// PingConn is an interface to send ping packets/data to network.
// Also implements io.Writer interface.
type PingConn interface {
	ConstructWirePacket(srcIP, dstIP net.IP, transport packet.Packet, payload packet.Packet) ([]byte, error)
	Write(data []byte) (int, error)
	Close() error
}


================================================
FILE: controller/internal/enforcer/nfqdatapath/nflog/nflog_common.go
================================================
package nflog

import (
	"context"
	"fmt"
	"net"
	"strconv"
	"strings"

	"go.aporeto.io/enforcerd/trireme-lib/collector"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/counters"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packet"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/pucontext"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
	"go.aporeto.io/enforcerd/trireme-lib/utils/cache"
	"go.uber.org/zap"
)

// NFLogger provides an interface for NFLog
type NFLogger interface {
	Run(ctx context.Context)
}

// GetPUContextFunc provides PU information given the id
type GetPUContextFunc func(hash string) (*pucontext.PUContext, error)

func recordCounters(protocol uint8, dstport uint16, srcport uint16, pu *pucontext.PUContext, puIsSource bool) {
	switch protocol {
	case packet.IPProtocolTCP:
		pu.Counters().IncrementCounter(counters.ErrDroppedTCPPackets)
	case packet.IPProtocolUDP:
		pu.Counters().IncrementCounter(counters.ErrDroppedUDPPackets)
		if puIsSource {
			switch dstport {
			case 53:
				pu.Counters().IncrementCounter(counters.ErrDroppedDNSPackets)
			case 67, 68:
				pu.Counters().IncrementCounter(counters.ErrDroppedDHCPPackets)
			case 123:
				pu.Counters().IncrementCounter(counters.ErrDroppedNTPPackets)
			}
		} else {
			switch srcport {
			case 53:
				pu.Counters().IncrementCounter(counters.ErrDroppedDNSPackets)
			case 67, 68:
				pu.Counters().IncrementCounter(counters.ErrDroppedDHCPPackets)
			case 123:
				pu.Counters().IncrementCounter(counters.ErrDroppedNTPPackets)
			}
		}

	case packet.IPProtocolICMP:
		pu.Counters().IncrementCounter(counters.ErrDroppedICMPPackets)

	}
}

func recordDroppedPacket(payload []byte, protocol uint8, srcIP, dstIP net.IP, srcPort, dstPort uint16, pu *pucontext.PUContext, puIsSource bool) (*collector.PacketReport, error) {

	report := &collector.PacketReport{}

	report.PUID = pu.ManagementID()
	report.Namespace = pu.ManagementNamespace()
	ipPacket, err := packet.New(packet.PacketTypeNetwork, payload, "", false)
	if err == nil {
		report.Length = int(ipPacket.GetIPLength())
		report.PacketID, _ = strconv.Atoi(ipPacket.ID())

	} else {
		zap.L().Debug("payload not valid", zap.Error(err))
		return nil, err
	}
	recordCounters(protocol, dstPort, srcPort, pu, puIsSource)
	if protocol == packet.IPProtocolTCP || protocol == packet.IPProtocolUDP {
		report.SourcePort = int(srcPort)
		report.DestinationPort = int(dstPort)
	}
	if protocol == packet.IPProtocolTCP {
		report.TCPFlags = int(ipPacket.GetTCPFlags())
	}
	report.Protocol = int(protocol)
	report.DestinationIP = dstIP.String()
	report.SourceIP = srcIP.String()
	report.TriremePacket = false
	report.DropReason = collector.PacketDrop

	if payload == nil {
		report.Payload = []byte{}
		return report, nil
	}
	if len(payload) <= 64 {
		report.Payload = make([]byte, len(payload))
		copy(report.Payload, payload)

	} else {
		report.Payload = make([]byte, 64)
		copy(report.Payload, payload[0:64])
	}

	return report, nil
}

func recordFromNFLogData(payload []byte, prefix string, protocol uint8, srcIP, dstIP net.IP, srcPort, dstPort uint16, getPUContext GetPUContextFunc, puIsSource bool) (*collector.FlowRecord, *collector.PacketReport, error) {

	var packetReport *collector.PacketReport
	var err error

	var hashID string
	var policyID string
	var extNetworkID string
	var ruleName string
	var encodedAction string

	parts := strings.Split(prefix, ":")
	switch len(parts) {
	case 4:
		// hashID:policyID:extNetworkID:action
		hashID, policyID, extNetworkID, encodedAction = parts[0], parts[1], parts[2], parts[3]
	case 5:
		// hashID:policyID:extNetworkID:ruleName:action
		hashID, policyID, extNetworkID, ruleName, encodedAction = parts[0], parts[1], parts[2], parts[3], parts[4]
	default:
		return nil, nil, fmt.Errorf("nflog: prefix doesn't contain sufficient information: %s", prefix)
	}

	pu, err := getPUContext(hashID)
	if err != nil {
		return nil, nil, err
	}

	// If we have a rule name, then look up the long version of logging prefix
	if len(ruleName) > 0 {
		realPrefix, ok := pu.LookupLogPrefix(policyID + ":" + extNetworkID + ":" + ruleName)
		if !ok {
			return nil, nil, fmt.Errorf("nflog: prefix not found in pucontext mapping: %s", prefix)
		}
		parts = strings.SplitN(realPrefix, ":", 3)
		if len(parts) != 3 {
			return nil, nil, fmt.Errorf("nflog: realPrefix doesn't contain sufficient information: %s", realPrefix)
		}
		policyID, extNetworkID, ruleName = parts[0], parts[1], parts[2]
	}

	if encodedAction == "10" {
		packetReport, err = recordDroppedPacket(payload, protocol, srcIP, dstIP, srcPort, dstPort, pu, puIsSource)
		return nil, packetReport, err
	}

	action, observedActionType, err := policy.EncodedStringToAction(encodedAction)
	if err != nil {
		return nil, packetReport, fmt.Errorf("nflog: unable to decode action for context id: %s (%s)", pu.ID(), encodedAction)
	}

	dropReason := ""
	if action.Rejected() {
		dropReason = collector.PolicyDrop
	}

	// point fix for now.
	var destination collector.EndPoint
	if protocol == packet.IPProtocolUDP || protocol == packet.IPProtocolTCP {
		destination = collector.EndPoint{
			IP:   dstIP.String(),
			Port: dstPort,
		}
	} else {
		destination = collector.EndPoint{
			IP: dstIP.String(),
		}
	}

	record := &collector.FlowRecord{
		ContextID: pu.ID(),
		Source: collector.EndPoint{
			IP: srcIP.String(),
		},
		Destination: destination,
		DropReason:  dropReason,
		PolicyID:    policyID,
		Tags:        pu.Annotations().GetSlice(),
		Action:      action | policy.Log, // Add the logging flag back
		L4Protocol:  protocol,
		Namespace:   pu.ManagementNamespace(),
		Count:       1,
		RuleName:    ruleName,
	}

	if action.Observed() {
		record.ObservedAction = action
		record.ObservedPolicyID = policyID
		record.ObservedActionType = observedActionType
	}

	if puIsSource {
		record.Source.Type = collector.EndPointTypePU
		record.Source.ID = pu.ManagementID()
		record.Destination.Type = collector.EndPointTypeExternalIP
		record.Destination.ID = extNetworkID
	} else {
		record.Source.Type = collector.EndPointTypeExternalIP
		record.Source.ID = extNetworkID
		record.Destination.Type = collector.EndPointTypePU
		record.Destination.ID = pu.ManagementID()
	}

	return record, packetReport, nil
}

func handleFlowReport(flowReportCache cache.DataStore, eventCollector collector.EventCollector, record *collector.FlowRecord, puIsSource bool) {

	if record == nil {
		return
	}

	uniqueKey := fmt.Sprintf("%d:%s:%d:%s:%d",
		record.L4Protocol, record.Source.IP, record.Source.Port, record.Destination.IP, record.Destination.Port)

	// If the flow record is ObserveContinue
	if record.ObservedActionType.ObserveContinue() {

		// If another observed continue policy is reported, then we ignore it.
		if _, err := flowReportCache.Get(uniqueKey); err == nil {
			return
		}

		// Add the observed policy report to the cache
		err := flowReportCache.Add(uniqueKey, record)
		if err != nil {
			eventCollector.CollectFlowEvent(record)
			zap.L().Error("handleFlowReport: unable to add flow record to cache", zap.Error(err))
		}
		return
	}

	// See if there was an ObserveContinue policy
	value, err := flowReportCache.Get(uniqueKey)
	if err == nil {
		report := value.(*collector.FlowRecord)
		record.ObservedAction = report.ObservedAction
		record.ObservedPolicyID = report.ObservedPolicyID
		record.ObservedActionType = report.ObservedActionType
		if puIsSource {
			record.Destination.ID = report.Destination.ID
			record.Destination.Type = report.Destination.Type
		} else {
			record.Source.ID = report.Source.ID
			record.Source.Type = report.Source.Type
		}
		err = flowReportCache.Remove(uniqueKey)
		if err != nil {
			zap.L().Error("handleFlowReport: failed to remove flow from cache", zap.Error(err))
		}
	}
	eventCollector.CollectFlowEvent(record)
}


================================================
FILE: controller/internal/enforcer/nfqdatapath/nflog/nflog_darwin.go
================================================
// +build darwin

package nflog

import (
	"context"

	"go.aporeto.io/enforcerd/trireme-lib/collector"
)

// nfLog TODO
type nfLog struct {
	getPUContext GetPUContextFunc // not called
}

// NewNFLogger provides an NFLog instance
func NewNFLogger(ipv4groupSource, ipv4groupDest uint16, getPUContext GetPUContextFunc, collector collector.EventCollector) NFLogger {
	return &nfLog{getPUContext: getPUContext}
}

func (n *nfLog) Run(ctx context.Context) {}


================================================
FILE: controller/internal/enforcer/nfqdatapath/nflog/nflog_linux.go
================================================
// +build linux

package nflog

import (
	"context"
	"sync"
	"time"

	"go.aporeto.io/enforcerd/trireme-lib/collector"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/counters"
	"go.aporeto.io/enforcerd/trireme-lib/utils/cache"
	"go.aporeto.io/netlink-go/nflog"
	"go.uber.org/zap"
)

type nfLog struct {
	getPUContext    GetPUContextFunc
	ipv4groupSource uint16
	ipv4groupDest   uint16
	collector       collector.EventCollector
	srcNflogHandle  nflog.NFLog
	dstNflogHandle  nflog.NFLog
	flowReportCache cache.DataStore
	sync.Mutex
}

// NewNFLogger provides an NFLog instance
func NewNFLogger(ipv4groupSource, ipv4groupDest uint16, getPUContext GetPUContextFunc, collector collector.EventCollector) NFLogger {
	nfLog := &nfLog{
		ipv4groupSource: ipv4groupSource,
		ipv4groupDest:   ipv4groupDest,
		collector:       collector,
		getPUContext:    getPUContext,
	}
	nfLog.flowReportCache = cache.NewCacheWithExpirationNotifier("flowReportCache", time.Second*5, nfLog.logExpirationNotifier)
	return nfLog
}

// Run runs the Nf Logger
func (a *nfLog) Run(ctx context.Context) {
	a.Lock()
	a.srcNflogHandle, _ = nflog.BindAndListenForLogs([]uint16{a.ipv4groupSource}, 64, a.sourceNFLogsHanlder, a.nflogErrorHandler)
	a.dstNflogHandle, _ = nflog.BindAndListenForLogs([]uint16{a.ipv4groupDest}, 64, a.destNFLogsHandler, a.nflogErrorHandler)
	a.Unlock()

	go func() {
		<-ctx.Done()
		a.Lock()
		a.srcNflogHandle.NFlogClose()
		a.dstNflogHandle.NFlogClose()
		a.Unlock()

	}()
}

func (a *nfLog) sourceNFLogsHanlder(buf *nflog.NfPacket, _ interface{}) {

	record, packetEvent, err := a.recordFromNFLogBuffer(buf, false)
	if err != nil {
		zap.L().Error("sourceNFLogsHanlder: create flow record", zap.Error(err))
		return
	}

	handleFlowReport(a.flowReportCache, a.collector, record, false)

	if packetEvent != nil {
		a.collector.CollectPacketEvent(packetEvent)
	}
}

func (a *nfLog) destNFLogsHandler(buf *nflog.NfPacket, _ interface{}) {

	record, packetEvent, err := a.recordFromNFLogBuffer(buf, true)
	if err != nil {
		zap.L().Error("destNFLogsHandler: create flow record", zap.Error(err))
		return
	}

	handleFlowReport(a.flowReportCache, a.collector, record, true)

	if packetEvent != nil {
		a.collector.CollectPacketEvent(packetEvent)
	}
}

func (a *nfLog) nflogErrorHandler(err error) {
	counters.IncrementCounter(counters.ErrNfLogError)
	zap.L().Debug("Error while processing nflog packet", zap.Error(err))
}

func (a *nfLog) recordFromNFLogBuffer(buf *nflog.NfPacket, puIsSource bool) (*collector.FlowRecord, *collector.PacketReport, error) {
	return recordFromNFLogData(buf.Payload, buf.Prefix, buf.Protocol, buf.SrcIP, buf.DstIP, buf.SrcPort, buf.DstPort, a.getPUContext, puIsSource)
}

func (a *nfLog) logExpirationNotifier(_ interface{}, item interface{}) {
	if item != nil {
		// Basically we had an observed flow report that didn't get reported yet.
		record := item.(*collector.FlowRecord)
		a.collector.CollectFlowEvent(record)
	}
}


================================================
FILE: controller/internal/enforcer/nfqdatapath/nflog/nflog_test.go
================================================
// +build linux

package nflog

import (
	"errors"
	"strconv"
	"testing"
	"time"

	. "github.com/smartystreets/goconvey/convey"
	"go.aporeto.io/enforcerd/trireme-lib/common"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/utils/packetgen"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/counters"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packet"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/pucontext"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
	"go.aporeto.io/netlink-go/nflog"
)

func TestRecordDroppedPacket(t *testing.T) {
	Convey("I report a dropped packet", t, func() {
		puID := "SomeProcessingUnitId"
		puInfo := policy.NewPUInfo(puID, "/ns", common.ContainerPU)

		pu, err := pucontext.NewPU("contextID", puInfo, nil, 5*time.Second)
		So(err, ShouldBeNil)

		Convey("I report a packet with length less than 64 bytes", func() {
			//	packetbuf := make([]byte, 40)
			PacketFlow := packetgen.NewTemplateFlow()

			_, err := PacketFlow.GenerateTCPFlow(packetgen.PacketFlowTypeGoodFlowTemplate)
			So(err, ShouldBeNil)
			pkt := PacketFlow.GetNthPacket(0)
			payloadBuf, _ := pkt.ToBytes()
			nfPacket := &nflog.NfPacket{
				Payload: payloadBuf,
			}
			ipPacket, err := packet.New(packet.PacketTypeNetwork, nfPacket.Payload, "", false)
			So(err, ShouldBeNil)
			nfPacket.Protocol = ipPacket.IPProto()
			report, err := recordDroppedPacket(nfPacket.Payload, nfPacket.Protocol, nfPacket.SrcIP, nfPacket.DstIP, nfPacket.SrcPort, nfPacket.DstPort, pu, true)
			So(report.TriremePacket, ShouldBeFalse)
			So(err, ShouldBeNil)
			So(len(report.Payload), ShouldEqual, len(nfPacket.Payload))

		})
		Convey("I report a packet with length greater than 64 bytes", func() {
			PacketFlow := packetgen.NewTemplateFlow()
			_, err := PacketFlow.GenerateTCPFlow(packetgen.PacketFlowTypeGoodFlowTemplate)
			So(err, ShouldBeNil)
			pkt := PacketFlow.GetAckPackets().GetNthPacket(1)
			err = pkt.NewTCPPayload("abcdedghijklmnopqrstuvwxyz")
			So(err, ShouldBeNil)
			payloadBuf, err := pkt.ToBytes()
			So(err, ShouldBeNil)
			nfPacket := &nflog.NfPacket{
				Payload: payloadBuf,
			}

			ipPacket, err := packet.New(packet.PacketTypeNetwork, nfPacket.Payload, "", false)
			nfPacket.Protocol = ipPacket.IPProto()
			nfPacket.SrcIP = ipPacket.SourceAddress()
			nfPacket.DstIP = ipPacket.DestinationAddress()
			So(err, ShouldBeNil)
			report, err := recordDroppedPacket(nfPacket.Payload, nfPacket.Protocol, nfPacket.SrcIP, nfPacket.DstIP, nfPacket.SrcPort, nfPacket.DstPort, pu, true)
			So(err, ShouldBeNil)
			So(report.TriremePacket, ShouldBeFalse)
			So(report.Protocol, ShouldEqual, int(packet.IPProtocolTCP))
			So(len(report.Payload), ShouldEqual, 64)
			id, _ := strconv.Atoi(ipPacket.ID())
			So(report.PacketID, ShouldEqual, id)
			So(report.SourceIP, ShouldEqual, ipPacket.SourceAddress().String())
			So(report.DestinationIP, ShouldEqual, ipPacket.DestinationAddress().String())

			So(report.Payload, ShouldResemble, payloadBuf[:64])
		})

	})
}

func dummyPUContext(string) (*pucontext.PUContext, error) {
	return nil, errors.New("Unknown Context")
}
func TestRecordFromNFLogBuffer(t *testing.T) {
	// puID := "SomeProcessingUnitId"
	// puInfo := policy.NewPUInfo(puID, "/ns", common.ContainerPU)
	// pu, err := pucontext.NewPU("contextID", puInfo, 5*time.Second)
	// So(err, ShouldBeNil)
	nflogger := NewNFLogger(10, 11, nil, nil)
	Convey("I get a nfpacket from nflog library", t, func() {
		Convey("If Packet does not contain valid format prefix", func() {
			PacketFlow := packetgen.NewTemplateFlow()

			_, err := PacketFlow.GenerateTCPFlow(packetgen.PacketFlowTypeGoodFlowTemplate)
			So(err, ShouldBeNil)
			pkt := PacketFlow.GetNthPacket(0)
			payloadBuf, _ := pkt.ToBytes()
			nfPacket := &nflog.NfPacket{
				Payload: payloadBuf,
			}
			nfPacket.Prefix = "p1:p2"
			flowreport, packetreport, err := nflogger.(*nfLog).recordFromNFLogBuffer(nfPacket, false)
			So(flowreport, ShouldBeNil)
			So(packetreport, ShouldBeNil)
			So(err, ShouldNotBeNil)
		})
		Convey("nfPacket with hashID that is not for a valid PU", func() {

			nflogger.(*nfLog).getPUContext = dummyPUContext
			PacketFlow := packetgen.NewTemplateFlow()

			_, err := PacketFlow.GenerateTCPFlow(packetgen.PacketFlowTypeGoodFlowTemplate)
			So(err, ShouldBeNil)
			pkt := PacketFlow.GetNthPacket(0)
			payloadBuf, _ := pkt.ToBytes()
			nfPacket := &nflog.NfPacket{
				Payload: payloadBuf,
			}
			nfPacket.Prefix = "p1:p2:p4:p5"
			flowreport, packetreport, err := nflogger.(*nfLog).recordFromNFLogBuffer(nfPacket, false)
			So(flowreport, ShouldBeNil)
			So(packetreport, ShouldBeNil)
			So(err, ShouldNotBeNil)

		})

	})
}

func Test_RecordCounters(t *testing.T) {
	Convey("I report a dropped packet", t, func() {
		puID := "SomeProcessingUnitId"
		puInfo := policy.NewPUInfo(puID, "/ns", common.ContainerPU)
		pu, err := pucontext.NewPU("contextID", puInfo, nil, 5*time.Second)
		So(err, ShouldBeNil)

		Convey("I call record counters", func() {
			recordCounters(6, 80, 2333, pu, true)
			So(pu.Counters().GetErrorCounters()[counters.ErrDroppedTCPPackets], ShouldEqual, 1)

			recordCounters(17, 80, 2333, pu, true)
			c := pu.Counters().GetErrorCounters()
			So(c[counters.ErrDroppedUDPPackets], ShouldEqual, 1)
			recordCounters(17, 53, 2333, pu, true)
			c = pu.Counters().GetErrorCounters()
			So(c[counters.ErrDroppedUDPPackets], ShouldEqual, 1)
			So(c[counters.ErrDroppedDNSPackets], ShouldEqual, 1)
			recordCounters(17, 67, 2333, pu, true)
			c = pu.Counters().GetErrorCounters()
			So(c[counters.ErrDroppedUDPPackets], ShouldEqual, 1)
			So(c[counters.ErrDroppedDHCPPackets], ShouldEqual, 1)
			recordCounters(17, 68, 2333, pu, true)
			c = pu.Counters().GetErrorCounters()
			So(c[counters.ErrDroppedUDPPackets], ShouldEqual, 1)
			So(c[counters.ErrDroppedDHCPPackets], ShouldEqual, 1)
			recordCounters(17, 123, 2333, pu, true)
			c = pu.Counters().GetErrorCounters()
			So(c[counters.ErrDroppedUDPPackets], ShouldEqual, 1)
			So(c[counters.ErrDroppedNTPPackets], ShouldEqual, 1)

			recordCounters(17, 2333, 53, pu, false)
			c = pu.Counters().GetErrorCounters()
			So(c[counters.ErrDroppedUDPPackets], ShouldEqual, 1)
			So(c[counters.ErrDroppedDNSPackets], ShouldEqual, 1)
			recordCounters(17, 2333, 67, pu, false)
			recordCounters(17, 2333, 67, pu, false)
			c = pu.Counters().GetErrorCounters()
			So(c[counters.ErrDroppedUDPPackets], ShouldEqual, 2)
			So(c[counters.ErrDroppedDHCPPackets], ShouldEqual, 2)
			recordCounters(17, 2333, 68, pu, false)
			c = pu.Counters().GetErrorCounters()
			So(c[counters.ErrDroppedUDPPackets], ShouldEqual, 1)
			So(c[counters.ErrDroppedDHCPPackets], ShouldEqual, 1)
			recordCounters(17, 2333, 123, pu, false)
			c = pu.Counters().GetErrorCounters()
			So(c[counters.ErrDroppedUDPPackets], ShouldEqual, 1)
			So(c[counters.ErrDroppedNTPPackets], ShouldEqual, 1)

			recordCounters(1, 80, 2333, pu, true)
			So(pu.Counters().GetErrorCounters()[counters.ErrDroppedICMPPackets], ShouldEqual, 1)
		})
	})
}


================================================
FILE: controller/internal/enforcer/nfqdatapath/nflog/nflog_windows.go
================================================
// +build windows

package nflog

import (
	"context"
	"fmt"
	"syscall"
	"time"

	"go.aporeto.io/enforcerd/trireme-lib/collector"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/counters"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packet"
	"go.aporeto.io/enforcerd/trireme-lib/utils/cache"
	"go.aporeto.io/enforcerd/trireme-lib/utils/frontman"
	"go.uber.org/zap"
)

// NfLogWindows has nflog data for windows
type NfLogWindows struct { // nolint:golint // ignore type name stutters
	getPUContext    GetPUContextFunc
	ipv4groupSource uint16
	ipv4groupDest   uint16
	collector       collector.EventCollector
	flowReportCache cache.DataStore
}

// NewNFLogger provides an NFLog instance
func NewNFLogger(ipv4groupSource, ipv4groupDest uint16, getPUContext GetPUContextFunc, collector collector.EventCollector) NFLogger {
	nfLog := &NfLogWindows{
		ipv4groupSource: ipv4groupSource,
		ipv4groupDest:   ipv4groupDest,
		collector:       collector,
		getPUContext:    getPUContext,
	}
	nfLog.flowReportCache = cache.NewCacheWithExpirationNotifier("flowReportCache", time.Second*5, nfLog.logExpirationNotifier)
	return nfLog
}

// Run does nothing for Windows
func (n *NfLogWindows) Run(ctx context.Context) {
}

// NfLogHandler handles log info from our Windows driver
func (n *NfLogWindows) NfLogHandler(logPacketInfo *frontman.LogPacketInfo, packetHeaderBytes []byte) error {
	var puIsSource bool
	switch uint16(logPacketInfo.GroupID) {
	case n.ipv4groupSource:
		puIsSource = false
	case n.ipv4groupDest:
		puIsSource = true
	default:
		return fmt.Errorf("unrecognized log group id: %d", logPacketInfo.GroupID)
	}

	ipPacket, err := packet.New(packet.PacketTypeNetwork, packetHeaderBytes, "", false)
	if err != nil {
		counters.IncrementCounter(counters.ErrNfLogError)
		zap.L().Debug("Error while processing nflog packet", zap.Error(err))
		return nil
	}

	record, packetEvent, err := recordFromNFLogData(packetHeaderBytes, syscall.UTF16ToString(logPacketInfo.LogPrefix[:]),
		ipPacket.IPProto(), ipPacket.SourceAddress(), ipPacket.DestinationAddress(), ipPacket.SourcePort(), ipPacket.DestPort(),
		n.getPUContext, puIsSource)
	if err != nil {
		return err
	}

	if record != nil {
		handleFlowReport(n.flowReportCache, n.collector, record, puIsSource)
	}
	if packetEvent != nil {
		n.collector.CollectPacketEvent(packetEvent)
	}

	return nil
}

func (n *NfLogWindows) logExpirationNotifier(_ interface{}, item interface{}) {
	if item != nil {
		// Basically we had an observed flow report that didn't get reported yet.
		record := item.(*collector.FlowRecord)
		n.collector.CollectFlowEvent(record)
	}
}


================================================
FILE: controller/internal/enforcer/nfqdatapath/nfq_darwin.go
================================================
// +build darwin

package nfqdatapath

func (d *Datapath) cleanupPlatform() {}


================================================
FILE: controller/internal/enforcer/nfqdatapath/nfq_linux.go
================================================
// +build linux

package nfqdatapath

// Go libraries
import (
	"context"
	"fmt"
	"strconv"
	"time"

	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/connection"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/counters"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packet"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
	"go.aporeto.io/enforcerd/trireme-lib/utils/constants"
	markconstants "go.aporeto.io/enforcerd/trireme-lib/utils/constants"
	nfqueue "go.aporeto.io/netlink-go/nfqueue"
	"go.uber.org/zap"
)

const (
	// nfq actions.
	allow  = 1
	drop   = 0
	repeat = 4
)

const (
	// max
	maxTriesNfq = 5
)

func (d *Datapath) errorCallback(err error, _ interface{}) {
	zap.L().Error("Error while processing packets on queue", zap.Error(err))
}

func (d *Datapath) callback(packet *nfqueue.NFPacket, _ interface{}) {
	packet.Mark = packet.Mark - int(packet.QueueHandle.QueueNum)*constants.QueueBalanceFactor

	if packet.Mark == int(constants.DefaultInputMark) {
		d.processNetworkPacketsFromNFQ(packet)
		return
	}

	packet.Mark = packet.Mark / d.filterQueue.GetNumQueues()
	d.processApplicationPacketsFromNFQ(packet)
}

func (d *Datapath) startInterceptor(ctx context.Context) {

	var err error
LOOP:
	for i := 0; i < d.filterQueue.GetNumQueues(); i++ {
		// Initialize all the queues
		for tries := 0; tries < maxTriesNfq; tries++ {
			if _, err = nfqueue.CreateAndStartNfQueue(ctx, uint16(i), 4096, nfqueue.NfDefaultPacketSize, d.callback, d.errorCallback, nil); err == nil {
				continue LOOP
			}

			time.Sleep(1 * time.Second)
		}

		zap.L().Fatal("Unable to initialize netfilter queue", zap.Error(err))
	}
}

// processNetworkPacketsFromNFQ processes packets arriving from the network in an NF queue
func (d *Datapath) processNetworkPacketsFromNFQ(p *nfqueue.NFPacket) {
	var processError error
	var tcpConn *connection.TCPConnection
	var udpConn *connection.UDPConnection
	var processAfterVerdict func()

	netPacket := &packet.Packet{}
	err := netPacket.NewPacket(packet.PacketTypeNetwork, p.Buffer, strconv.Itoa(p.Mark), true)
	if err != nil {
		counters.CounterError(counters.ErrCorruptPacket, err) //nolint
		zap.L().Debug("Dropping corrupted packet on network path", zap.Error(err))
		p.QueueHandle.SetVerdict2(uint32(p.QueueHandle.QueueNum), drop, 0, 0, uint32(p.ID), []byte{0})
		return
	} else if netPacket.IPProto() == packet.IPProtocolTCP {
		tcpConn, processAfterVerdict, processError = d.processNetworkTCPPackets(netPacket)
	} else if netPacket.IPProto() == packet.IPProtocolUDP {
		udpConn, processError = d.ProcessNetworkUDPPacket(netPacket)
	} else if netPacket.IPProto() == packet.IPProtocolICMP {
		icmpType, icmpCode := netPacket.GetICMPTypeCode()
		context, err := d.contextFromIP(false, netPacket.Mark, 0, packet.IPProtocolICMP)

		if err == nil {
			action := d.processNetworkICMPPacket(context, netPacket, icmpType, icmpCode)
			if action == icmpAccept {
				p.QueueHandle.SetVerdict2(uint32(p.QueueHandle.QueueNum), allow, 0, uint32(len(netPacket.GetBuffer(0))), uint32(p.ID), netPacket.GetBuffer(0))
				return
			}
		}

		p.QueueHandle.SetVerdict2(uint32(p.QueueHandle.QueueNum), drop, 0, uint32(len(netPacket.GetBuffer(0))), uint32(p.ID), netPacket.GetBuffer(0))
		zap.L().Debug("dropping Network ICMP Packet",
			zap.Error(err),
			zap.String("SourceIP", netPacket.SourceAddress().String()),
			zap.String("DestinationIP", netPacket.DestinationAddress().String()),
			zap.Int8("icmp type", icmpType),
			zap.Int8("icmp code", icmpCode))

		return
	} else {
		processError = counters.CounterError(counters.ErrInvalidProtocol, fmt.Errorf("Invalid Protocol %d", int(netPacket.IPProto())))
	}

	// TODO: Use error types and handle it in switch case here

	if processError != nil {
		if processError != errDropPingNetSynAck && processError != errHandshakePacket && processError != errDropQueuedPacket {
			zap.L().Debug("Dropping packet on network path",
				zap.Error(processError),
				zap.String("SourceIP", netPacket.SourceAddress().String()),
				zap.String("DestinationIP", netPacket.DestinationAddress().String()),
				zap.Int("SourcePort", int(netPacket.SourcePort())),
				zap.Int("DestinationPort", int(netPacket.DestPort())),
				zap.Int("Protocol", int(netPacket.IPProto())),
				zap.String("Flags", packet.TCPFlagsToStr(netPacket.GetTCPFlags())),
			)
		}

		p.QueueHandle.SetVerdict2(uint32(p.QueueHandle.QueueNum), drop, uint32(p.Mark), 0, uint32(p.ID), []byte{0})

		if processError != errDropPingNetSynAck {
			if netPacket.IPProto() == packet.IPProtocolTCP {
				d.collectTCPPacket(&debugpacketmessage{
					Mark:    p.Mark,
					p:       netPacket,
					tcpConn: tcpConn,
					udpConn: nil,
					err:     processError,
					network: true,
				})
			} else if netPacket.IPProto() == packet.IPProtocolUDP {
				d.collectUDPPacket(&debugpacketmessage{
					Mark:    p.Mark,
					p:       netPacket,
					tcpConn: nil,
					udpConn: udpConn,
					err:     processError,
					network: true,
				})
			}
		}

		return
	}

	if netPacket.IPProto() == packet.IPProtocolTCP {
		if netPacket.SetConnmark {
			p.QueueHandle.SetVerdict2(uint32(p.QueueHandle.QueueNum), repeat, markconstants.PacketMarkToSetConnmark, uint32(len(netPacket.GetBuffer(0))), uint32(p.ID), netPacket.GetBuffer(0))
		} else {
			if d.serviceMeshType == policy.Istio {
				p.QueueHandle.SetVerdict2(uint32(p.QueueHandle.QueueNum), allow, markconstants.IstioPacketMark, uint32(len(netPacket.GetBuffer(0))), uint32(p.ID), netPacket.GetBuffer(0))
			} else {
				p.QueueHandle.SetVerdict2(uint32(p.QueueHandle.QueueNum), allow, 0, uint32(len(netPacket.GetBuffer(0))), uint32(p.ID), netPacket.GetBuffer(0))
			}
		}
	} else {
		p.QueueHandle.SetVerdict2(uint32(p.QueueHandle.QueueNum), allow, 0, uint32(len(netPacket.GetBuffer(0))), uint32(p.ID), netPacket.GetBuffer(0))
	}

	if processAfterVerdict != nil {
		processAfterVerdict()
	}

	if netPacket.IPProto() == packet.IPProtocolTCP {
		d.collectTCPPacket(&debugpacketmessage{
			Mark:    p.Mark,
			p:       netPacket,
			tcpConn: tcpConn,
			udpConn: nil,
			err:     nil,
			network: true,
		})
	} else if netPacket.IPProto() == packet.IPProtocolUDP {
		d.collectUDPPacket(&debugpacketmessage{
			Mark:    p.Mark,
			p:       netPacket,
			tcpConn: nil,
			udpConn: udpConn,
			err:     nil,
			network: true,
		})
	}

}

// processApplicationPackets processes packets arriving from an application and are destined to the network
func (d *Datapath) processApplicationPacketsFromNFQ(p *nfqueue.NFPacket) {

	var processError error
	var tcpConn *connection.TCPConnection
	var udpConn *connection.UDPConnection

	appPacket := &packet.Packet{}
	err := appPacket.NewPacket(packet.PacketTypeApplication, p.Buffer, strconv.Itoa(p.Mark), true)

	if err != nil {
		zap.L().Debug("Dropping corrupted packet on application path", zap.Error(err))
		counters.CounterError(counters.ErrCorruptPacket, err) //nolint
		p.QueueHandle.SetVerdict2(uint32(p.QueueHandle.QueueNum), drop, 0, 0, uint32(p.ID), []byte{0})
		return
	} else if appPacket.IPProto() == packet.IPProtocolTCP {
		tcpConn, processError = d.processApplicationTCPPackets(appPacket)
	} else if appPacket.IPProto() == packet.IPProtocolUDP {
		udpConn, processError = d.ProcessApplicationUDPPacket(appPacket)
	} else if appPacket.IPProto() == packet.IPProtocolICMP {
		icmpType, icmpCode := appPacket.GetICMPTypeCode()
		context, err := d.contextFromIP(true, appPacket.Mark, 0, packet.IPProtocolICMP)

		if err == nil {
			action := d.processApplicationICMPPacket(context, appPacket, icmpType, icmpCode)
			if action == icmpAccept {
				p.QueueHandle.SetVerdict2(uint32(p.QueueHandle.QueueNum), allow, 0, uint32(len(appPacket.GetBuffer(0))), uint32(p.ID), appPacket.GetBuffer(0))
				return
			}
		}

		p.QueueHandle.SetVerdict2(uint32(p.QueueHandle.QueueNum), drop, 0, uint32(len(appPacket.GetBuffer(0))), uint32(p.ID), appPacket.GetBuffer(0))
		zap.L().Debug("dropping Application ICMP Packet",
			zap.Error(err),
			zap.String("SourceIP", appPacket.SourceAddress().String()),
			zap.String("DestinationIP", appPacket.DestinationAddress().String()),
			zap.Int8("icmp type", icmpType),
			zap.Int8("icmp code", icmpCode))

		return
	} else {
		processError = counters.CounterError(counters.ErrInvalidProtocol, fmt.Errorf("Invalid Protocol %d", int(appPacket.IPProto())))
	}

	if processError != nil {
		if processError != errHandshakePacket && processError != errDropQueuedPacket {

			zap.L().Debug("Dropping packet on app path",
				zap.Error(processError),
				zap.String("SourceIP", appPacket.SourceAddress().String()),
				zap.String("DestinationIP", appPacket.DestinationAddress().String()),
				zap.Int("SourcePort", int(appPacket.SourcePort())),
				zap.Int("DestinationPort", int(appPacket.DestPort())),
				zap.Int("Protocol", int(appPacket.IPProto())),
				zap.String("Flags", packet.TCPFlagsToStr(appPacket.GetTCPFlags())),
			)
		}
		p.QueueHandle.SetVerdict2(uint32(p.QueueHandle.QueueNum), drop, uint32(p.Mark), 0, uint32(p.ID), []byte{0})

		if appPacket.IPProto() == packet.IPProtocolTCP {
			d.collectTCPPacket(&debugpacketmessage{
				Mark:    p.Mark,
				p:       appPacket,
				tcpConn: tcpConn,
				udpConn: nil,
				err:     processError,
				network: false,
			})

		} else if appPacket.IPProto() == packet.IPProtocolUDP {
			d.collectUDPPacket(&debugpacketmessage{
				Mark:    p.Mark,
				p:       appPacket,
				tcpConn: nil,
				udpConn: udpConn,
				err:     processError,
				network: false,
			})
		}
		return
	}

	if appPacket.IPProto() == packet.IPProtocolTCP {
		if appPacket.SetConnmark {
			p.QueueHandle.SetVerdict2(uint32(p.QueueHandle.QueueNum), repeat, markconstants.PacketMarkToSetConnmark, uint32(len(appPacket.GetBuffer(0))), uint32(p.ID), appPacket.GetBuffer(0))
		} else {
			if d.serviceMeshType == policy.Istio {
				p.QueueHandle.SetVerdict2(uint32(p.QueueHandle.QueueNum), allow, markconstants.IstioPacketMark, uint32(len(appPacket.GetBuffer(0))), uint32(p.ID), appPacket.GetBuffer(0))
			} else {
				p.QueueHandle.SetVerdict2(uint32(p.QueueHandle.QueueNum), allow, 0, uint32(len(appPacket.GetBuffer(0))), uint32(p.ID), appPacket.GetBuffer(0))
			}
		}
	} else {
		p.QueueHandle.SetVerdict2(uint32(p.QueueHandle.QueueNum), allow, 0, uint32(len(appPacket.GetBuffer(0))), uint32(p.ID), appPacket.GetBuffer(0))
	}

	if appPacket.IPProto() == packet.IPProtocolTCP {
		var id string
		if tcpConn != nil {
			id = tcpConn.Context.ID()
		} else if d.puFromIP != nil {
			id = d.puFromIP.ID()
		}

		if _, err = d.packetTracingCache.Get(id); err == nil {
			d.collectTCPPacket(&debugpacketmessage{
				Mark:    p.Mark,
				p:       appPacket,
				tcpConn: tcpConn,
				udpConn: nil,
				err:     nil,
				network: false,
			})
		}

	} else if appPacket.IPProto() == packet.IPProtocolUDP {
		d.collectUDPPacket(&debugpacketmessage{
			Mark:    p.Mark,
			p:       appPacket,
			tcpConn: nil,
			udpConn: udpConn,
			err:     nil,
			network: false,
		})
	}
}

func (d *Datapath) cleanupPlatform() {}


================================================
FILE: controller/internal/enforcer/nfqdatapath/nfq_windows.go
================================================
// +build windows

package nfqdatapath

import (
	"context"
	"fmt"
	"strconv"
	"unsafe"

	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/nfqdatapath/afinetrawsocket"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/nfqdatapath/nflog"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/connection"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packet"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/pucontext"
	"go.aporeto.io/enforcerd/trireme-lib/utils/frontman"
	"go.uber.org/zap"
)

func (d *Datapath) startFrontmanPacketFilter(_ context.Context, nflogger nflog.NFLogger) error {

	nflogWin := nflogger.(*nflog.NfLogWindows)

	packetCallback := func(packetInfoPtr, dataPtr uintptr) uintptr {

		packetInfo := *(*frontman.PacketInfo)(unsafe.Pointer(packetInfoPtr))                                   // nolint:govet
		packetBytes := (*[1 << 30]byte)(unsafe.Pointer(dataPtr))[:packetInfo.PacketSize:packetInfo.PacketSize] // nolint:govet

		var packetType int
		if packetInfo.Outbound != 0 {
			packetType = packet.PacketTypeApplication
		} else {
			packetType = packet.PacketTypeNetwork
		}

		// Parse the packet
		mark := int(packetInfo.Mark)
		parsedPacket, err := packet.New(uint64(packetType), packetBytes, strconv.Itoa(mark), true)

		if parsedPacket.IPProto() == packet.IPProtocolUDP && parsedPacket.SourcePort() == 53 {
			// notify PUs of DNS results
			err := d.dnsProxy.HandleDNSResponsePacket(parsedPacket.GetUDPData(), parsedPacket.SourceAddress(), parsedPacket.SourcePort(), parsedPacket.DestinationAddress(), parsedPacket.DestPort(), func(id string) (*pucontext.PUContext, error) {
				puCtx, err1 := d.puFromContextID.Get(id)
				if err1 != nil {
					return nil, err1
				}
				return puCtx.(*pucontext.PUContext), nil
			})
			if err != nil {
				zap.L().Debug("Failed to handle DNS response", zap.Error(err))
			}
			// forward packet
			err = frontman.Wrapper.PacketFilterForward(&packetInfo, packetBytes)
			if err != nil {
				zap.L().Error("failed to forward packet", zap.Error(err))
			}
			return 0
		}

		parsedPacket.PlatformMetadata = &afinetrawsocket.WindowPlatformMetadata{
			PacketInfo: packetInfo,
			IgnoreFlow: false,
			Drop:       false,
			SetMark:    0,
		}

		var processError error
		var tcpConn *connection.TCPConnection
		var udpConn *connection.UDPConnection
		var f func()

		if err != nil {
			parsedPacket.Print(packet.PacketFailureCreate, d.packetLogs)
		} else if parsedPacket.IPProto() == packet.IPProtocolTCP {
			if packetType == packet.PacketTypeNetwork {
				tcpConn, f, processError = d.processNetworkTCPPackets(parsedPacket)
				if f != nil {
					f()
				}
			} else {
				tcpConn, processError = d.processApplicationTCPPackets(parsedPacket)
			}
		} else if parsedPacket.IPProto() == packet.IPProtocolUDP {
			// process udp packet
			if packetType == packet.PacketTypeNetwork {
				udpConn, processError = d.ProcessNetworkUDPPacket(parsedPacket)
			} else {
				udpConn, processError = d.ProcessApplicationUDPPacket(parsedPacket)
			}
		} else {
			processError = fmt.Errorf("invalid ip protocol: %d", parsedPacket.IPProto())
		}

		if processError != nil {
			if parsedPacket.IPProto() == packet.IPProtocolTCP {
				d.collectTCPPacket(&debugpacketmessage{
					Mark:    mark,
					p:       parsedPacket,
					tcpConn: tcpConn,
					udpConn: nil,
					err:     processError,
					network: packetType == packet.PacketTypeNetwork,
				})
			} else if parsedPacket.IPProto() == packet.IPProtocolUDP {
				d.collectUDPPacket(&debugpacketmessage{
					Mark:    mark,
					p:       parsedPacket,
					tcpConn: nil,
					udpConn: udpConn,
					err:     processError,
					network: packetType == packet.PacketTypeNetwork,
				})
			}
			// drop packet by not forwarding it
			return 0
		}

		// accept the (modified) packet by forwarding it
		modifiedPacketBytes := parsedPacket.GetBuffer(0)
		packetInfo.PacketSize = uint32(parsedPacket.IPTotalLen())

		platformMetadata := parsedPacket.PlatformMetadata.(*afinetrawsocket.WindowPlatformMetadata)
		if platformMetadata.IgnoreFlow {
			packetInfo.IgnoreFlow = 1
		} else if platformMetadata.DropFlow {
			packetInfo.DropFlow = 1
		}
		if platformMetadata.Drop {
			packetInfo.Drop = 1
		}
		if platformMetadata.SetMark != 0 {
			packetInfo.SetMark = 1
			packetInfo.SetMarkValue = platformMetadata.SetMark
		}

		if err := frontman.Wrapper.PacketFilterForward(&packetInfo, modifiedPacketBytes); err != nil {
			zap.L().Error("failed to forward packet", zap.Error(err))
		}

		if parsedPacket.IPProto() == packet.IPProtocolTCP {
			d.collectTCPPacket(&debugpacketmessage{
				Mark:    mark,
				p:       parsedPacket,
				tcpConn: tcpConn,
				udpConn: nil,
				err:     nil,
				network: packetType == packet.PacketTypeNetwork,
			})
		} else if parsedPacket.IPProto() == packet.IPProtocolUDP {
			d.collectUDPPacket(&debugpacketmessage{
				Mark:    mark,
				p:       parsedPacket,
				tcpConn: nil,
				udpConn: udpConn,
				err:     nil,
				network: packetType == packet.PacketTypeNetwork,
			})
		}

		return 0
	}

	logCallback := func(logPacketInfoPtr, dataPtr uintptr) uintptr {

		logPacketInfo := *(*frontman.LogPacketInfo)(unsafe.Pointer(logPacketInfoPtr)) // nolint:govet
		packetHeaderBytes := (*[1 << 30]byte)(unsafe.Pointer(dataPtr))[:logPacketInfo.PacketSize:logPacketInfo.PacketSize]

		err := nflogWin.NfLogHandler(&logPacketInfo, packetHeaderBytes)
		if err != nil {
			zap.L().Error("error in log callback", zap.Error(err))
		}

		return 0
	}

	if err := frontman.Wrapper.PacketFilterStart("Aporeto Enforcer", packetCallback, logCallback); err != nil {
		return err
	}

	return nil
}

// cleanupPlatform for windows is needed to stop the frontman threads and permit the enforcerd app to shut down
func (d *Datapath) cleanupPlatform() {

	if err := frontman.Wrapper.PacketFilterClose(); err != nil {
		zap.L().Error("Failed to close packet proxy", zap.Error(err))
	}

}


================================================
FILE: controller/internal/enforcer/nfqdatapath/nfq_windows_test.go
================================================
// +build windows

package nfqdatapath

import (
	"context"
	"encoding/hex"
	"fmt"
	"strconv"
	"sync"
	"syscall"
	"testing"
	"unsafe"

	"github.com/golang/mock/gomock"
	. "github.com/smartystreets/goconvey/convey"
	"go.aporeto.io/enforcerd/trireme-lib/collector"
	"go.aporeto.io/enforcerd/trireme-lib/controller/constants"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/utils/packetgen"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packet"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
	"go.aporeto.io/enforcerd/trireme-lib/utils/frontman"
)

// Declare function pointer so that it can be overridden by unit test.
// This is not actually needed in Windows, but we need the declaration and the empty function for tests.
var procSetValuePtr func(procName string, value int) error = procSetValueMock

type forwardedPacket struct {
	outbound, drop, ignoreFlow bool
	mark                       int
	packetBytes                []byte
}

// fakeWrapper is the mock for frontman.Wrapper.
// We mock frontman.Wrapper and not frontman.Driver because we need to save the go funcs passed to PacketFilterStart.
type fakeWrapper struct {
	receiveCallback, loggingCallback func(uintptr, uintptr) uintptr
	forwardedPackets                 []*forwardedPacket
	sync.Mutex
}

func (w *fakeWrapper) queuePacket(p *forwardedPacket) {
	w.Lock()
	defer w.Unlock()
	w.forwardedPackets = append(w.forwardedPackets, p)
}

func (w *fakeWrapper) GetForwardedPackets() []*forwardedPacket {
	w.Lock()
	defer w.Unlock()
	result := w.forwardedPackets
	w.forwardedPackets = nil
	return result
}

func (w *fakeWrapper) PacketFilterStart(firewallName string, receiveCallback, loggingCallback func(uintptr, uintptr) uintptr) error {
	w.receiveCallback = receiveCallback
	w.loggingCallback = loggingCallback
	return nil
}

func (w *fakeWrapper) PacketFilterForward(info *frontman.PacketInfo, packetBytes []byte) error {
	p := &forwardedPacket{
		outbound:    info.Outbound != 0,
		drop:        info.Drop != 0,
		ignoreFlow:  info.IgnoreFlow != 0,
		mark:        int(info.Mark),
		packetBytes: make([]byte, info.PacketSize),
	}
	if n := copy(p.packetBytes, packetBytes); n != int(info.PacketSize) {
		return fmt.Errorf("%d bytes copied for packet, but expected %d", n, info.PacketSize)
	}
	w.queuePacket(p)
	return nil
}

func Test_WindowsPacketCallbacks(t *testing.T) {

	// unused in Windows
	_ = testDstIP
	_ = debug

	Convey("Given I create a new enforcer instance for Windows and have a valid processing unit context", t, func() {

		wrapper := &fakeWrapper{}
		frontman.Wrapper = wrapper

		Convey("Given I create a two processing unit instances", func() {

			ctrl := gomock.NewController(t)
			defer ctrl.Finish()

			enforcer, mockCollector := createEnforcerWithPolicy(ctrl, constants.LocalServer)

			err := enforcer.startFrontmanPacketFilter(context.Background(), enforcer.nflogger)
			So(err, ShouldBeNil)

			Convey("When I pass a syn packet through the enforcer", func() {

				PacketFlow := packetgen.NewTemplateFlow()
				_, err = PacketFlow.GenerateTCPFlow(packetgen.PacketFlowTypeGoodFlowTemplate)
				So(err, ShouldBeNil)
				tcpPacketFromFlow, err := PacketFlow.GetFirstSynPacket().ToBytes()
				So(err, ShouldBeNil)
				mark := 12345
				tcpPacket, err := packet.New(0, tcpPacketFromFlow, strconv.Itoa(mark), true)
				if err == nil && tcpPacket != nil {
					tcpPacket.UpdateIPv4Checksum()
					tcpPacket.UpdateTCPChecksum()
				}
				So(err, ShouldBeNil)
				So(tcpPacket.Mark, ShouldEqual, strconv.Itoa(mark))

				packetBytes := tcpPacket.GetTCPBytes()
				packetInfo := &frontman.PacketInfo{
					Ipv4:       1,
					Protocol:   tcpPacket.IPProto(),
					PacketSize: uint32(len(packetBytes)),
					Mark:       uint32(mark),
				}
				if tcpPacket.SourceAddress().String() == testSrcIP {
					packetInfo.Outbound = 1
				}
				ret := wrapper.receiveCallback(uintptr(unsafe.Pointer(packetInfo)), uintptr(unsafe.Pointer(&packetBytes[0])))
				So(ret, ShouldBeZeroValue)

				oldPacket := tcpPacket
				forwardedPackets := wrapper.GetForwardedPackets()
				So(forwardedPackets, ShouldHaveLength, 1)
				tcpPacket, err = packet.New(0, forwardedPackets[0].packetBytes, strconv.Itoa(mark), true)
				So(err, ShouldBeNil)

				// In our 3 way security handshake syn and syn-ack packet should grow in length
				So(tcpPacket.GetTCPFlags()&packet.TCPSynMask, ShouldNotBeZeroValue)
				So(tcpPacket.IPTotalLen(), ShouldBeGreaterThan, oldPacket.IPTotalLen())

				// reverse it and strip identity
				packetInfo.Outbound ^= 1
				packetBytes = tcpPacket.GetTCPBytes()
				packetInfo.PacketSize = uint32(len(packetBytes))
				ret = wrapper.receiveCallback(uintptr(unsafe.Pointer(packetInfo)), uintptr(unsafe.Pointer(&packetBytes[0])))
				So(ret, ShouldBeZeroValue)
				forwardedPackets = wrapper.GetForwardedPackets()
				So(forwardedPackets, ShouldHaveLength, 1)
				tcpPacket, err = packet.New(0, forwardedPackets[0].packetBytes, strconv.Itoa(mark), true)
				So(err, ShouldBeNil)
				So(tcpPacket.IPTotalLen(), ShouldEqual, oldPacket.IPTotalLen())
			})

			Convey("When I pass a synack packet for non-PU traffic", func() {

				PacketFlow := packetgen.NewTemplateFlow()
				_, err = PacketFlow.GenerateTCPFlow(packetgen.PacketFlowTypeGoodFlowTemplate)
				So(err, ShouldBeNil)
				tcpPacketFromFlow, err := PacketFlow.GetFirstSynAckPacket().ToBytes()
				So(err, ShouldBeNil)
				mark := 12345
				tcpPacket, err := packet.New(0, tcpPacketFromFlow, strconv.Itoa(mark), true)
				if err == nil && tcpPacket != nil {
					tcpPacket.UpdateIPv4Checksum()
					tcpPacket.UpdateTCPChecksum()
				}
				So(err, ShouldBeNil)
				So(tcpPacket.Mark, ShouldEqual, strconv.Itoa(mark))

				packetBytes := tcpPacket.GetTCPBytes()
				packetInfo := &frontman.PacketInfo{
					Ipv4:       1,
					Protocol:   tcpPacket.IPProto(),
					PacketSize: uint32(len(packetBytes)),
					Mark:       uint32(mark),
				}
				if tcpPacket.SourceAddress().String() == testSrcIP {
					packetInfo.Outbound = 1
				}
				ret := wrapper.receiveCallback(uintptr(unsafe.Pointer(packetInfo)), uintptr(unsafe.Pointer(&packetBytes[0])))
				So(ret, ShouldBeZeroValue)

				forwardedPackets := wrapper.GetForwardedPackets()
				So(forwardedPackets, ShouldHaveLength, 1)
				tcpPacket, err = packet.New(0, forwardedPackets[0].packetBytes, strconv.Itoa(mark), true)
				So(err, ShouldBeNil)
				So(tcpPacket, ShouldNotBeNil)
				// IgnoreFlow flag should be set
				So(forwardedPackets[0].ignoreFlow, ShouldNotBeZeroValue)
			})

			Convey("When I say to log that a packet is rejected", func() {

				puHash, err := policy.Fnv32Hash("SomeProcessingUnitId1")
				So(err, ShouldBeNil)

				dnsRequestPacket, err := hex.DecodeString("450000380542000080110000c0a8446dc0a84401ebe60035002409f5df510100000100000000000006676f6f676c6503636f6d0000010001")
				So(err, ShouldBeNil)
				dnsPacket, err := packet.New(0, dnsRequestPacket, "0", true)
				So(err, ShouldBeNil)

				packetHeaderBytes := dnsPacket.GetBuffer(0)[:dnsPacket.IPHeaderLen()+packet.UDPDataPos]
				logPacketInfo := &frontman.LogPacketInfo{
					Ipv4:       1,
					Protocol:   dnsPacket.IPProto(),
					PacketSize: uint32(len(packetHeaderBytes)),
					GroupID:    11,
				}

				copy(logPacketInfo.LogPrefix[:], syscall.StringToUTF16(puHash+":5d6044b9e99572000149d650:5d60448a884e46000145cf67:6")) // nolint:staticcheck

				flowRecord := CreateFlowRecord(1, "192.168.68.109", "192.168.68.1", 0, 53, policy.Reject|policy.Log, collector.PolicyDrop)
				mockCollector.EXPECT().CollectFlowEvent(MyMatcher(&flowRecord)).Times(1)

				ret := wrapper.loggingCallback(uintptr(unsafe.Pointer(logPacketInfo)), uintptr(unsafe.Pointer(&packetHeaderBytes[0])))
				So(ret, ShouldBeZeroValue)
			})
		})
	})
}

// Empty interface implementations

func (w *fakeWrapper) GetDestInfo(socket uintptr, destInfo *frontman.DestInfo) error {
	return nil
}

func (w *fakeWrapper) ApplyDestHandle(socket, destHandle uintptr) error {
	return nil
}

func (w *fakeWrapper) FreeDestHandle(destHandle uintptr) error {
	return nil
}

func (w *fakeWrapper) NewIpset(name, ipsetType string) (uintptr, error) {
	return 1, nil
}

func (w *fakeWrapper) GetIpset(name string) (uintptr, error) {
	return 1, nil
}

func (w *fakeWrapper) DestroyAllIpsets(prefix string) error {
	return nil
}

func (w *fakeWrapper) ListIpsets() ([]string, error) {
	return nil, nil
}

func (w *fakeWrapper) ListIpsetsDetail(format int) (string, error) {
	return "", nil
}

func (w *fakeWrapper) IpsetAdd(ipsetHandle uintptr, entry string, timeout int) error {
	return nil
}

func (w *fakeWrapper) IpsetAddOption(ipsetHandle uintptr, entry, option string, timeout int) error {
	return nil
}

func (w *fakeWrapper) IpsetDelete(ipsetHandle uintptr, entry string) error {
	return nil
}

func (w *fakeWrapper) IpsetDestroy(ipsetHandle uintptr, name string) error {
	return nil
}

func (w *fakeWrapper) IpsetFlush(ipsetHandle uintptr) error {
	return nil
}

func (w *fakeWrapper) IpsetTest(ipsetHandle uintptr, entry string) (bool, error) {
	return true, nil
}

func (w *fakeWrapper) AppendFilter(outbound bool, filterName string, isGotoFilter bool) error {
	return nil
}

func (w *fakeWrapper) InsertFilter(outbound bool, priority int, filterName string, isGotoFilter bool) error {
	return nil
}

func (w *fakeWrapper) DestroyFilter(filterName string) error {
	return nil
}

func (w *fakeWrapper) EmptyFilter(filterName string) error {
	return nil
}

func (w *fakeWrapper) GetFilterList(outbound bool) ([]string, error) {
	return nil, nil
}

func (w *fakeWrapper) AppendFilterCriteria(filterName, criteriaName string, ruleSpec *frontman.RuleSpec, ipsetRuleSpecs []frontman.IpsetRuleSpec) error {
	return nil
}

func (w *fakeWrapper) DeleteFilterCriteria(filterName, criteriaName string) error {
	return nil
}

func (w *fakeWrapper) GetCriteriaList(format int) (string, error) {
	return "", nil
}

func (w *fakeWrapper) PacketFilterClose() error {
	return nil
}


================================================
FILE: controller/internal/enforcer/nfqdatapath/ping_tcp.go
================================================
package nfqdatapath

import (
	"context"
	"fmt"
	"io"
	"math/rand"
	"net"
	"os"
	"strconv"
	"syscall"
	"time"

	"github.com/ghedo/go.pkt/packet/raw"
	"github.com/ghedo/go.pkt/packet/tcp"
	"github.com/ghedo/go.pkt/routing"
	"go.aporeto.io/enforcerd/trireme-lib/collector"
	enforcerconstants "go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/constants"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/claimsheader"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/connection"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packet"
	tpacket "go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packet"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/pingconfig"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/pucontext"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/tokens"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
	"go.aporeto.io/gaia"
	"go.uber.org/zap"
)

var (
	// For unit tests.
	srcip          = getSrcIP
	dial           = dialIP
	bind           = bindRandomPort
	close          = closeRandomPort
	randUint32     = rand.Uint32
	since          = time.Since
	isAppListening = isAppListeningInPort

	removeDelay = 10 * time.Second
	synAckDelay = 3 * time.Second

	_ io.Writer = &pingConn{}
)

func (d *Datapath) initiatePingHandshake(_ context.Context, context *pucontext.PUContext, pingConfig *policy.PingConfig) error {

	zap.L().Debug("Initiating ping (syn)")

	srcIP, err := srcip(pingConfig.IP)
	if err != nil {
		return fmt.Errorf("unable to get source ip: %v", err)
	}

	conn, err := dial(srcIP, pingConfig.IP)
	if err != nil {
		return fmt.Errorf("unable to dial on app syn: %v", err)
	}
	defer conn.Close() // nolint: errcheck

	for i := 0; i < pingConfig.Iterations; i++ {
		if err := d.sendSynPacket(context, pingConfig, conn, srcIP, i); err != nil {
			return err
		}
	}

	return nil
}

// sendSynPacket sends tcp syn packet to the socket. It also dispatches a report.
func (d *Datapath) sendSynPacket(context *pucontext.PUContext, pingConfig *policy.PingConfig, conn PingConn, srcIP net.IP, iterationID int) error {

	tcpConn := connection.NewTCPConnection(context, nil)
	tcpConn.PingConfig = pingconfig.New()

	srcPort, err := bind(tcpConn)
	if err != nil {
		return fmt.Errorf("unable to bind free source port: %v", err)
	}

	claimsHeader := claimsheader.NewClaimsHeader(
		claimsheader.OptionPing(true),
	)

	pingPayload := &policy.PingPayload{
		PingID:        pingConfig.ID,
		IterationID:   iterationID,
		NamespaceHash: context.ManagementNamespaceHash(),
	}

	var tcpData []byte
	tcpConn.Secrets, tcpConn.Auth.LocalDatapathPrivateKey, tcpData = context.GetSynToken(pingPayload, tcpConn.Auth.Nonce, claimsHeader)

	seqNum := randUint32()
	p, err := constructTCPPacket(conn, srcIP, pingConfig.IP, srcPort, pingConfig.Port, seqNum, 0, tcp.Syn, tcpData)
	if err != nil {
		return fmt.Errorf("unable to construct syn packet: %v", err)
	}

	// We always get a default policy.
	_, pkt, _ := context.ApplicationACLPolicyFromAddr(pingConfig.IP, pingConfig.Port, packet.IPProtocolTCP)

	pingErr := "timeout"
	if e := pingConfig.Error(); e != "" {
		pingErr = e
	}

	// RequestTimeout report cached in the connection. This will be sent on
	// expiration timeout for this connection.
	tcpConn.PingConfig.SetPingReport(&collector.PingReport{
		PingID:          pingConfig.ID,
		IterationID:     iterationID,
		AgentVersion:    d.agentVersion.String(),
		PayloadSize:     len(tcpData),
		PayloadSizeType: gaia.PingProbePayloadSizeTypeTransmitted,
		Type:            gaia.PingProbeTypeRequest,
		Error:           pingErr,
		PUID:            context.ManagementID(),
		Namespace:       context.ManagementNamespace(),
		Protocol:        tpacket.IPProtocolTCP,
		ServiceType:     "L3",
		FourTuple: flowTuple(
			tpacket.PacketTypeApplication,
			srcIP,
			pingConfig.IP,
			srcPort,
			pingConfig.Port,
		),
		SeqNum:              seqNum,
		TargetTCPNetworks:   pingConfig.TargetTCPNetworks,
		ExcludedNetworks:    pingConfig.ExcludedNetworks,
		RemoteNamespaceType: gaia.PingProbeRemoteNamespaceTypeHash,
		Claims:              context.Identity().GetSlice(),
		ClaimsType:          gaia.PingProbeClaimsTypeTransmitted,
		ACLPolicyID:         pkt.PolicyID,
		ACLPolicyAction:     pkt.Action,
	})
	tcpConn.TCPtuple = &connection.TCPTuple{
		SourceAddress:      srcIP,
		DestinationAddress: pingConfig.IP,
		SourcePort:         srcPort,
		DestinationPort:    pingConfig.Port,
	}
	tcpConn.PingConfig.StartTime = time.Now()
	tcpConn.PingConfig.SetPingID(pingConfig.ID)
	tcpConn.PingConfig.SetIterationID(iterationID)
	tcpConn.PingConfig.SetSeqNum(seqNum)
	tcpConn.SetState(connection.TCPSynSend)
	key := flowTuple(tpacket.PacketTypeApplication, srcIP, pingConfig.IP, srcPort, pingConfig.Port)

	d.cachePut(d.tcpClient, key, tcpConn)

	if _, err := conn.Write(p); err != nil {
		return fmt.Errorf("unable to send syn packet: %v", err)
	}

	return nil
}

// processPingNetSynPacket should only be called when the packet is recognized as a ping syn packet.
func (d *Datapath) processPingNetSynPacket(
	context *pucontext.PUContext,
	tcpConn *connection.TCPConnection,
	tcpPacket *tpacket.Packet,
	payloadSize int,
	pkt *policy.FlowPolicy,
	claims *tokens.ConnectionClaims,
) error {
	zap.L().Debug("Processing ping network syn packet", zap.String("conn", tcpPacket.L4FlowHash()))

	if tcpConn.GetState() == connection.TCPSynReceived || tcpConn.GetState() == connection.TCPSynAckSend {
		zap.L().Debug("Dropping duplicate ping syn packets")
		return errDropPingNetSyn
	}

	defer func() {
		tcpConn.SetState(connection.TCPSynReceived)
		tcpConn.PingConfig.SetSocketClosed(true)
		tcpConn.PingConfig.SetPingID(claims.P.PingID)
		tcpConn.PingConfig.SetIterationID(claims.P.IterationID)

		txtID, ok := claims.T.Get(enforcerconstants.TransmitterLabel)
		if !ok {
			zap.L().Warn("missing transmitter label")
		}

		d.cachePut(d.tcpServer, tcpPacket.L4FlowHash(), tcpConn)
		d.sendRequestRecvReport(txtID, claims.P, tcpPacket, context, pkt, payloadSize, tcpConn.SourceController)
	}()

	if tcpConn.PingConfig == nil {
		tcpConn.PingConfig = pingconfig.New()
	}

	listening, err := isAppListening(tcpPacket.DestPort())
	if listening && !pkt.Action.Rejected() {
		zap.L().Debug("Appplication listening", zap.String("conn", tcpPacket.L4FlowHash()), zap.Error(err))

		time.AfterFunc(synAckDelay, func() {

			if tcpConn.PingConfig.ApplicationListening() {
				return
			}

			if err := d.sendSynAckPacket(context, tcpConn, tcpPacket, claims); err != nil {
				zap.L().Error("unable to send synack paket", zap.Error(err))
			}
		})

		return nil
	}

	if err := d.sendSynAckPacket(context, tcpConn, tcpPacket, claims); err != nil {
		return err
	}

	return errDropPingNetSyn
}

func (d *Datapath) sendSynAckPacket(
	context *pucontext.PUContext,
	tcpConn *connection.TCPConnection,
	tcpPacket *tpacket.Packet,
	claims *tokens.ConnectionClaims,
) error {

	claimsHeader := claimsheader.NewClaimsHeader(
		claimsheader.OptionPing(true),
	)

	pingPayload := &policy.PingPayload{
		PingID:        claims.P.PingID,
		IterationID:   claims.P.IterationID,
		NamespaceHash: context.ManagementNamespaceHash(),
	}

	claimsNew := &tokens.ConnectionClaims{
		CT:       context.CompressedTags(),
		LCL:      tcpConn.Auth.Nonce[:],
		RMT:      tcpConn.Auth.RemoteNonce,
		DEKV1:    tcpConn.Auth.LocalDatapathPublicKeyV1,
		SDEKV1:   tcpConn.Auth.LocalDatapathPublicKeySignV1,
		DEKV2:    tcpConn.Auth.LocalDatapathPublicKeyV2,
		SDEKV2:   tcpConn.Auth.LocalDatapathPublicKeySignV2,
		ID:       context.ManagementID(),
		RemoteID: tcpConn.Auth.RemoteContextID,
		P:        pingPayload,
	}

	tcpData, err := d.tokenAccessor.CreateSynAckPacketToken(tcpConn.Auth.Proto314, claimsNew, tcpConn.EncodedBuf[:], tcpConn.Auth.Nonce[:], claimsHeader, tcpConn.Secrets, tcpConn.Auth.SecretKey) //nolint
	if err != nil {
		return fmt.Errorf("unable to create ping synack token: %w", err)
	}

	conn, err := dial(tcpPacket.DestinationAddress(), tcpPacket.SourceAddress())
	if err != nil {
		return fmt.Errorf("unable to construct synack packet %w", err)
	}
	defer conn.Close() // nolint: errcheck

	p, err := constructTCPPacket(
		conn,
		tcpPacket.DestinationAddress(),
		tcpPacket.SourceAddress(),
		tcpPacket.DestPort(),
		tcpPacket.SourcePort(),
		randUint32(),
		tcpPacket.TCPSeqNum()+1,
		tcp.Syn|tcp.Ack,
		tcpData,
	)
	if err != nil {
		return fmt.Errorf("unable to construct synack packet: %w", err)
	}

	if _, err := conn.Write(p); err != nil {
		return fmt.Errorf("unable to send synack packet: %w", err)
	}

	tcpConn.SetState(connection.TCPSynAckSend)

	return nil
}

// processPingNetSynAckPacket should only be called when the packet is recognized as a ping synack packet.
func (d *Datapath) processPingNetSynAckPacket(
	context *pucontext.PUContext,
	tcpConn *connection.TCPConnection,
	tcpPacket *tpacket.Packet,
	payloadSize int,
	pkt *policy.FlowPolicy,
	claims *tokens.ConnectionClaims,
	ext bool,
) error {
	zap.L().Debug("Processing ping network synack packet",
		zap.Bool("externalNetwork", ext),
		zap.String("conn", tcpPacket.SourcePortHash(packet.PacketTypeNetwork)),
	)

	if tcpConn.PingConfig == nil {
		return errDropPingNetSynAck
	}

	receiveTime := since(tcpConn.PingConfig.StartTime).String()

	defer func() {
		tcpConn.SetState(connection.TCPSynAckReceived)

		if !tcpConn.PingConfig.SocketClosed() {
			defer func() {
				if err := close(tcpConn); err != nil {
					zap.L().Warn("unable to close socket", zap.Reflect("fd", tcpConn.PingConfig.SocketFd()), zap.Error(err))
				}
			}()
		}

		time.AfterFunc(removeDelay, func() {
			d.cacheRemove(d.tcpClient, tcpPacket.SourcePortHash(packet.PacketTypeNetwork))
		})

		if err := respondWithRstPacket(tcpPacket, nil); err != nil {
			zap.L().Warn("unable to send rst packet", zap.Error(err))
		}
	}()

	// Drop duplicate synack packets.
	if tcpConn.GetState() == connection.TCPSynAckReceived {
		return errDropPingNetSynAck
	}

	// Synack from externalnetwork.
	if ext {
		d.sendExtResponseRecvReport(
			context,
			receiveTime,
			pkt,
			payloadSize,
			tcpConn,
		)
		return errDropPingNetSynAck
	}

	txtID, ok := claims.T.Get(enforcerconstants.TransmitterLabel)
	if !ok {
		return fmt.Errorf("missing transmitter label")
	}

	d.sendResponseRecvReport(
		txtID,
		claims.P,
		context,
		receiveTime,
		pkt,
		payloadSize,
		tcpConn,
		tcpConn.DestinationController,
	)

	return errDropPingNetSynAck
}

// respondWithRstPacket sends a rst packet in response to tcpPacket.
func respondWithRstPacket(tcpPacket *tpacket.Packet, payload []byte) error {

	conn, err := dial(tcpPacket.DestinationAddress(), tcpPacket.SourceAddress())
	if err != nil {
		return fmt.Errorf("unable to dial: %w", err)
	}
	defer conn.Close() // nolint: errcheck

	p, err := constructTCPPacket(
		conn,
		tcpPacket.DestinationAddress(),
		tcpPacket.SourceAddress(),
		tcpPacket.DestPort(),
		tcpPacket.SourcePort(),
		tcpPacket.TCPAckNum(),
		tcpPacket.TCPSeqNum()+1,
		tcp.Rst,
		payload,
	)
	if err != nil {
		return fmt.Errorf("unable to construct rst packet: %w", err)
	}

	if _, err := conn.Write(p); err != nil {
		return fmt.Errorf("unable to send rst packet: %w", err)
	}

	return nil
}

// sendRequestRecvReport sends a report on syn recv state.
func (d *Datapath) sendRequestRecvReport(
	srcPUID string,
	pingPayload *policy.PingPayload,
	tcpPacket *tpacket.Packet,
	context *pucontext.PUContext,
	pkt *policy.FlowPolicy,
	payloadSize int,
	controller string,
) {

	err := ""
	if pkt.Action.Rejected() {
		err = collector.PolicyDrop
	}

	d.sendPingReport(
		pingPayload.PingID,
		pingPayload.IterationID,
		d.agentVersion.String(),
		tcpPacket.L4FlowHash(),
		"",
		srcPUID,
		context.ManagementID(),
		context.ManagementNamespace(),
		pingPayload.NamespaceHash,
		gaia.PingProbeTypeRequest,
		payloadSize,
		pkt.PolicyID,
		pkt.Action,
		false,
		collector.EndPointTypePU,
		tcpPacket.TCPSeqNum(),
		controller,
		true,
		false,
		context.Identity().GetSlice(),
		"",
		policy.ActionType(0),
		true,
		err,
	)
}

// sendResponseRecvReport sends a report on synack recv state.
func (d *Datapath) sendResponseRecvReport(
	srcPUID string,
	pingPayload *policy.PingPayload,
	context *pucontext.PUContext,
	rtt string,
	pkt *policy.FlowPolicy,
	payloadSize int,
	tcpConn *connection.TCPConnection,
	controller string,
) {

	pingErr := ""
	if !tcpConn.PingConfig.PingReport().TargetTCPNetworks {
		pingErr = policy.ErrTargetTCPNetworks
	}

	if tcpConn.PingConfig.PingReport().ExcludedNetworks {
		pingErr = policy.ErrExcludedNetworks
	}

	if pkt.Action.Rejected() {
		pingErr = collector.PolicyDrop
	}

	d.sendPingReport(
		pingPayload.PingID,
		pingPayload.IterationID,
		d.agentVersion.String(),
		flowTuple(
			tpacket.PacketTypeNetwork,
			tcpConn.TCPtuple.SourceAddress,
			tcpConn.TCPtuple.DestinationAddress,
			tcpConn.TCPtuple.SourcePort,
			tcpConn.TCPtuple.DestinationPort,
		),
		rtt,
		srcPUID,
		context.ManagementID(),
		context.ManagementNamespace(),
		pingPayload.NamespaceHash,
		gaia.PingProbeTypeResponse,
		payloadSize,
		pkt.PolicyID,
		pkt.Action,
		pingPayload.ApplicationListening,
		collector.EndPointTypePU,
		tcpConn.PingConfig.SeqNum(),
		controller,
		tcpConn.PingConfig.PingReport().TargetTCPNetworks,
		tcpConn.PingConfig.PingReport().ExcludedNetworks,
		tcpConn.PingConfig.PingReport().Claims,
		tcpConn.PingConfig.PingReport().ACLPolicyID,
		tcpConn.PingConfig.PingReport().ACLPolicyAction,
		false,
		pingErr,
	)
}

// sendExtResponseRecvReport sends a report on synack from ext net.
func (d *Datapath) sendExtResponseRecvReport(
	context *pucontext.PUContext,
	rtt string,
	pkt *policy.FlowPolicy,
	payloadSize int,
	tcpConn *connection.TCPConnection,
) {
	d.sendPingReport(
		tcpConn.PingConfig.PingID(),
		tcpConn.PingConfig.IterationID(),
		d.agentVersion.String(),
		flowTuple(
			tpacket.PacketTypeNetwork,
			tcpConn.TCPtuple.SourceAddress,
			tcpConn.TCPtuple.DestinationAddress,
			tcpConn.TCPtuple.SourcePort,
			tcpConn.TCPtuple.DestinationPort,
		),
		rtt,
		"",
		context.ManagementID(),
		context.ManagementNamespace(),
		"",
		gaia.PingProbeTypeResponse,
		payloadSize,
		pkt.PolicyID,
		pkt.Action,
		true,
		collector.EndPointTypeExternalIP,
		tcpConn.PingConfig.SeqNum(),
		"",
		tcpConn.PingConfig.PingReport().TargetTCPNetworks,
		tcpConn.PingConfig.PingReport().ExcludedNetworks,
		tcpConn.PingConfig.PingReport().Claims,
		tcpConn.PingConfig.PingReport().ACLPolicyID,
		tcpConn.PingConfig.PingReport().ACLPolicyAction,
		false,
		"",
	)
}

func (d *Datapath) sendPingReport(
	pingID string,
	iterationID int,
	agentVersion,
	fourTuple,
	rtt,
	remoteID,
	puid,
	ns string,
	nsHash string,
	ptype gaia.PingProbeTypeValue,
	payloadSize int,
	policyID string,
	policyAction policy.ActionType,
	appListening bool,
	txType collector.EndPointType,
	seqNum uint32,
	controller string,
	tn,
	en bool,
	claims []string,
	aclPolicyID string,
	aclPolicyAction policy.ActionType,
	isServer bool,
	err string,
) {

	report := &collector.PingReport{
		PingID:               pingID,
		IterationID:          iterationID,
		AgentVersion:         agentVersion,
		FourTuple:            fourTuple,
		RTT:                  rtt,
		PayloadSize:          payloadSize,
		PayloadSizeType:      gaia.PingProbePayloadSizeTypeReceived,
		Type:                 ptype,
		PUID:                 puid,
		RemotePUID:           remoteID,
		Namespace:            ns,
		RemoteNamespace:      nsHash,
		RemoteNamespaceType:  gaia.PingProbeRemoteNamespaceTypeHash,
		Protocol:             tpacket.IPProtocolTCP,
		ServiceType:          "L3",
		PolicyID:             policyID,
		PolicyAction:         policyAction,
		ApplicationListening: appListening,
		RemoteEndpointType:   txType,
		SeqNum:               seqNum,
		RemoteController:     controller,
		TargetTCPNetworks:    tn,
		ExcludedNetworks:     en,
		Claims:               claims,
		ClaimsType:           gaia.PingProbeClaimsTypeTransmitted,
		ACLPolicyID:          aclPolicyID,
		ACLPolicyAction:      aclPolicyAction,
		IsServer:             isServer,
		Error:                err,
	}

	d.collector.CollectPingEvent(report)
}

// constructTCPPacket constructs a valid tcp packet that can be sent on wire.
func constructTCPPacket(conn PingConn, srcIP, dstIP net.IP, srcPort, dstPort uint16, seqNum, ackNum uint32, flag tcp.Flags, tcpData []byte) ([]byte, error) {

	// tcp.
	tcpPacket := tcp.Make()
	tcpPacket.SrcPort = srcPort
	tcpPacket.DstPort = dstPort
	tcpPacket.Flags = flag
	tcpPacket.Seq = seqNum
	tcpPacket.Ack = ackNum
	tcpPacket.WindowSize = 0xAAAA
	tcpPacket.Options = []tcp.Option{
		{
			Type: tcp.MSS,
			Len:  4,
			Data: []byte{0x05, 0x8C},
		},
	}
	tcpPacket.DataOff = uint8(6) // 5 (header size) + 1 * (4 byte options)

	if len(tcpData) != 0 {
		tcpPacket.Options = append(
			tcpPacket.Options,
			tcp.Option{
				Type: 34, // tfo
				Len:  enforcerconstants.TCPAuthenticationOptionBaseLen,
				Data: make([]byte, 2),
			},
		)
		tcpPacket.DataOff += uint8(1) // 6 + 1 * (4 byte options)
	}

	// payload.
	payload := raw.Make()
	payload.Data = tcpData

	// construct the wire packet
	buf, err := conn.ConstructWirePacket(srcIP, dstIP, tcpPacket, payload)
	if err != nil {
		return nil, fmt.Errorf("unable to encode packet to wire format: %v", err)
	}

	return buf, nil
}

// getSrcIP returns the interface ip that can reach the destination.
func getSrcIP(dstIP net.IP) (net.IP, error) {

	route, err := routing.RouteTo(dstIP)
	if err != nil || route == nil {
		return nil, fmt.Errorf("no route found for destination %s: %v", dstIP.String(), err)
	}

	ip, err := route.GetIfaceIPv4Addr()
	if err != nil {
		return nil, fmt.Errorf("unable to get interface ip address: %v", err)
	}

	return ip, nil
}

// flowTuple returns the tuple based on the stage in format <sip:dip:spt:dpt> or <dip:sip:dpt:spt>
func flowTuple(stage uint64, srcIP, dstIP net.IP, srcPort, dstPort uint16) string {

	if stage == tpacket.PacketTypeNetwork {
		return fmt.Sprintf("%s:%s:%s:%s", dstIP.String(), srcIP.String(), strconv.Itoa(int(dstPort)), strconv.Itoa(int(srcPort)))
	}

	return fmt.Sprintf("%s:%s:%s:%s", srcIP.String(), dstIP.String(), strconv.Itoa(int(srcPort)), strconv.Itoa(int(dstPort)))
}

// isAppListeningInPort returns true if the port is in use by IPv4:TCP app.
// It immediately closes the listener socket.
// Also returns the actual error for further scrutiny.
func isAppListeningInPort(port uint16) (bool, error) {

	addr := fmt.Sprintf(":%d", port)
	listener, err := net.Listen("tcp4", addr)
	if listener != nil {
		listener.Close() // nolint:errcheck
	}

	return isAddressInUse(err), err
}

// isAddressInUse returns true for and unix.EADDRINUSE or windows.WSAEADDRINUSE errors.
func isAddressInUse(err error) bool {

	opErr, ok := err.(*net.OpError)
	if !ok {
		return false
	}

	syscallErr, ok := opErr.Unwrap().(*os.SyscallError)
	if !ok {
		return false
	}

	errNo, ok := syscallErr.Unwrap().(syscall.Errno)
	if !ok {
		return false
	}

	return isAddrInUseErrno(errNo)
}


================================================
FILE: controller/internal/enforcer/nfqdatapath/ping_test.go
================================================
// +build linux

package nfqdatapath

import (
	"context"
	"errors"
	"fmt"
	"net"
	"sync/atomic"
	"testing"
	"time"

	"github.com/ghedo/go.pkt/layers"
	gpacket "github.com/ghedo/go.pkt/packet"
	"github.com/ghedo/go.pkt/packet/ipv4"
	"github.com/ghedo/go.pkt/packet/tcp"
	"github.com/golang/mock/gomock"
	"github.com/mitchellh/copystructure"
	"github.com/stretchr/testify/require"
	"go.aporeto.io/enforcerd/trireme-lib/collector"
	"go.aporeto.io/enforcerd/trireme-lib/collector/mockcollector"
	"go.aporeto.io/enforcerd/trireme-lib/common"
	enforcerconstants "go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/constants"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/nfqdatapath/tokenaccessor"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/nfqdatapath/tokenaccessor/mocktokenaccessor"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/connection"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packet"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/pucontext"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/tokens"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
	"go.aporeto.io/gaia"
	"go.aporeto.io/underwater/core/tagutils"
)

var (
	testPU1CtxID  = "pu1abc"
	testPU1NS     = "/ns1"
	testPU1NSHash = ""
	testPU2CtxID  = "pu2abc"
	testPU2NS     = "/ns2"
	testPU2NSHash = ""
	srcCtrl       = "srcctrl"
	dstCtrl       = "dstctrl"

	sip                 = net.ParseIP("192.168.100.1").To4()
	dip                 = net.ParseIP("172.17.0.2").To4()
	spt          uint16 = 2020
	dpt          uint16 = 80
	seqnum       uint32 = 123456
	duration            = "20ms"
	c                   = &fakeConn{}
	appListening int32  = 0
)

func switchAppListening(enable bool) {

	var state int32
	if enable {
		state = 1
	}

	atomic.StoreInt32(&appListening, state)
}

func init() {
	if hash, err := tagutils.Hash(testPU1NS); err == nil {
		testPU1NSHash = hash
	}

	if hash, err := tagutils.Hash(testPU2NS); err == nil {
		testPU2NSHash = hash
	}

	srcip = func(_ net.IP) (net.IP, error) {
		return sip, nil
	}
	dial = func(_, _ net.IP) (PingConn, error) {
		return c, nil
	}
	bind = func(tcpConn *connection.TCPConnection) (uint16, error) {
		tcpConn.PingConfig.SetSocketFd(8)
		return spt, nil
	}
	close = func(tcpConn *connection.TCPConnection) error {
		tcpConn.PingConfig.SetSocketClosed(true)
		return nil
	}
	randUint32 = func() uint32 {
		return seqnum
	}
	since = func(_ time.Time) time.Duration {
		d, _ := time.ParseDuration(duration)
		return d
	}

	isAppListening = func(port uint16) (bool, error) {
		if atomic.LoadInt32(&appListening) == 1 {
			return true, nil
		}
		return false, nil
	}
}

func setupDatapathAndPUs(ctrl *gomock.Controller, collector collector.EventCollector, tokenAccessor tokenaccessor.TokenAccessor) (*Datapath, *fakeConn, error) {

	dp := setupDatapath(ctrl, collector)
	dp.tokenAccessor = tokenAccessor

	pu1info := policy.NewPUInfo(testPU1CtxID, testPU1NS, common.ContainerPU)
	pu1info.Policy = policy.NewPUPolicy(
		testPU1CtxID,
		testPU1NS,
		policy.Police,
		nil,
		nil,
		nil,
		nil,
		nil,
		policy.NewTagStoreFromSlice([]string{"x=y"}),
		nil,
		nil,
		nil,
		0,
		0,
		nil,
		nil,
		nil,
		policy.EnforcerMapping,
		policy.Reject|policy.Log,
		policy.Reject|policy.Log,
	)

	if err := dp.Enforce(context.Background(), testPU1CtxID, pu1info); err != nil {
		return nil, nil, err
	}

	pu2info := policy.NewPUInfo(testPU2CtxID, testPU2NS, common.ContainerPU)
	pu2info.Policy = policy.NewPUPolicy(
		testPU2CtxID,
		testPU2NS,
		policy.Police,
		nil,
		nil,
		nil,
		nil,
		nil,
		policy.NewTagStoreFromSlice([]string{"a=b"}),
		nil,
		nil,
		nil,
		0,
		0,
		nil,
		nil,
		nil,
		policy.EnforcerMapping,
		policy.Reject|policy.Log,
		policy.Reject|policy.Log,
	)

	if err := dp.Enforce(context.Background(), testPU2CtxID, pu2info); err != nil {
		return nil, nil, err
	}

	return dp, c, nil
}

func wrapIP(d []byte, swap bool, changeSeqNum bool, flags tcp.Flags) ([]byte, error) {

	ipPacket := ipv4.Make()
	ipPacket.SrcAddr = sip
	ipPacket.DstAddr = dip
	if swap {
		ipPacket.SrcAddr = dip
		ipPacket.DstAddr = sip
	}
	ipPacket.Protocol = ipv4.TCP

	p, err := layers.UnpackAll(d, gpacket.TCP)
	if err != nil {
		return nil, err
	}

	tcpPacket, ok := p.(*tcp.Packet)
	if !ok {
		return nil, errors.New("not a tcp packet")
	}

	if flags != 0 {
		if flags != tcpPacket.Flags {
			return nil, fmt.Errorf("Expected: %s, Actual: %s", flags.String(), tcpPacket.Flags.String())
		}
	}

	if swap {
		tcpPacket.SrcPort = dpt
		tcpPacket.DstPort = spt
	}

	if changeSeqNum {
		tcpPacket.Seq = 111111
	}

	// pack the layers together.
	buf, err := layers.Pack(ipPacket, tcpPacket)
	if err != nil {
		return nil, err
	}

	return buf, nil
}

func Test_ValidPing(t *testing.T) {

	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	mockCollector := mockcollector.NewMockEventCollector(ctrl)
	mockTokenAccessor := mocktokenaccessor.NewMockTokenAccessor(ctrl)
	mockTokenAccessor.EXPECT().Sign(gomock.Any(), gomock.Any()).Times(3).Return([]byte("token"), nil).AnyTimes()
	mockTokenAccessor.EXPECT().CreateSynPacketToken(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Times(3).Return([]byte("token"), nil)
	dp, conn, err := setupDatapathAndPUs(ctrl, mockCollector, mockTokenAccessor)
	require.Nil(t, err)
	require.NotNil(t, dp)

	item, err := dp.puFromContextID.Get(testPU1CtxID)
	require.Nil(t, err)
	require.NotNil(t, item)
	puctx1 := item.(*pucontext.PUContext)

	item, err = dp.puFromContextID.Get(testPU2CtxID)
	require.Nil(t, err)
	require.NotNil(t, item)
	puctx2 := item.(*pucontext.PUContext)

	pc := &policy.PingConfig{
		ID:                "5e9e38ad39483e772044095e",
		IP:                dip,
		Port:              dpt,
		Iterations:        1,
		TargetTCPNetworks: true,
		ExcludedNetworks:  false,
	}

	pingPayload := &policy.PingPayload{
		PingID:               pc.ID,
		IterationID:          0,
		ApplicationListening: false,
		NamespaceHash:        testPU1NSHash,
	}

	puctx1.UpdateApplicationACLs( // nolint: errcheck
		policy.IPRuleList{
			policy.IPRule{
				Addresses: []string{"0.0.0.0/0"},
				Ports:     []string{"1:65535"},
				Protocols: []string{"6", "17"},
				Policy: &policy.FlowPolicy{
					Action:   policy.Accept,
					PolicyID: "extnetidabc",
				},
			},
		},
	)

	//	mockTokenAccessor.EXPECT().CreateSynPacketToken(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Times(1).Return([]byte("token"), nil)

	err = dp.Ping(context.Background(), testPU1CtxID, pc)
	require.Nil(t, err)

	// NetSyn
	ipPacket, err := wrapIP(conn.data(), false, false, tcp.Syn)
	require.Nil(t, err)

	p, err := packet.New(packet.PacketTypeNetwork, ipPacket, "0", false)
	require.Nil(t, err)
	require.NotNil(t, p)
	payloadSize := len(p.ReadTCPData())
	tcpConn := connection.NewTCPConnection(puctx2, p)
	tcpConn.SourceController = srcCtrl
	pkt := &policy.FlowPolicy{Action: policy.Accept, PolicyID: "abc"}

	ts := policy.NewTagStore()
	ts.AppendKeyValue(enforcerconstants.TransmitterLabel, testPU1CtxID)
	claims := &tokens.ConnectionClaims{
		P: pingPayload,
		T: ts,
	}

	pr := &collector.PingReport{
		PingID:               pc.ID,
		IterationID:          0,
		Type:                 gaia.PingProbeTypeRequest,
		PUID:                 testPU2CtxID,
		RemotePUID:           testPU1CtxID,
		Namespace:            testPU2NS,
		FourTuple:            "192.168.100.1:172.17.0.2:2020:80",
		RTT:                  "",
		Protocol:             6,
		ServiceType:          "L3",
		PayloadSize:          payloadSize,
		PayloadSizeType:      gaia.PingProbePayloadSizeTypeReceived,
		PolicyID:             "abc",
		PolicyAction:         policy.Accept,
		AgentVersion:         "0.0.0",
		ApplicationListening: false,
		RemoteEndpointType:   collector.EndPointTypePU,
		SeqNum:               seqnum,
		TargetTCPNetworks:    true,
		ExcludedNetworks:     false,
		Claims:               []string{"a=b"},
		ClaimsType:           gaia.PingProbeClaimsTypeTransmitted,
		RemoteNamespace:      testPU1NSHash,
		RemoteNamespaceType:  gaia.PingProbeRemoteNamespaceTypeHash,
		ACLPolicyID:          "",
		ACLPolicyAction:      policy.ActionType(0),
		RemoteController:     srcCtrl,
		IsServer:             true,
	}

	mockCollector.EXPECT().CollectPingEvent(pr).Times(1)
	copiedData, err := copystructure.Copy(pingPayload)
	synAckPayload := copiedData.(*policy.PingPayload)
	synAckPayload.NamespaceHash = testPU2NSHash
	require.Nil(t, err)
	mockTokenAccessor.EXPECT().CreateSynAckPacketToken(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Times(1).Return([]byte("token"), nil)

	oldsynAckDelay := synAckDelay
	synAckDelay = 1 * time.Second
	defer func() {
		synAckDelay = oldsynAckDelay
	}()

	err = dp.processPingNetSynPacket(puctx2, tcpConn, p, payloadSize, pkt, claims)
	require.Equal(t, errDropPingNetSyn, err)

	time.Sleep(2 * time.Second)

	// NetSynAck
	ipPacket, err = wrapIP(conn.data(), true, false, tcp.Syn|tcp.Ack)
	require.Nil(t, err)

	p, err = packet.New(packet.PacketTypeNetwork, ipPacket, "0", false)
	require.Nil(t, err)
	require.NotNil(t, p)

	item1, exists := dp.tcpClient.Get(p.L4ReverseFlowHash())
	if !exists {
		t.Fail()
	}

	tcpConn = item1
	tcpConn.DestinationController = dstCtrl

	pkt = &policy.FlowPolicy{Action: policy.Accept, PolicyID: "abc"}

	ts = policy.NewTagStore()
	ts.AppendKeyValue(enforcerconstants.TransmitterLabel, testPU2CtxID)
	claims = &tokens.ConnectionClaims{
		P: pingPayload,
		T: ts,
	}

	pr = &collector.PingReport{
		PingID:               pc.ID,
		IterationID:          0,
		Type:                 gaia.PingProbeTypeResponse,
		PUID:                 testPU1CtxID,
		RemotePUID:           testPU2CtxID,
		Namespace:            testPU1NS,
		FourTuple:            "172.17.0.2:192.168.100.1:80:2020",
		RTT:                  duration,
		Protocol:             6,
		ServiceType:          "L3",
		PayloadSize:          payloadSize,
		PayloadSizeType:      gaia.PingProbePayloadSizeTypeReceived,
		PolicyID:             "abc",
		PolicyAction:         policy.Accept,
		AgentVersion:         "0.0.0",
		ApplicationListening: false,
		RemoteEndpointType:   collector.EndPointTypePU,
		SeqNum:               seqnum,
		TargetTCPNetworks:    true,
		ExcludedNetworks:     false,
		Claims:               []string{"x=y"},
		ClaimsType:           gaia.PingProbeClaimsTypeTransmitted,
		RemoteNamespace:      testPU2NSHash,
		RemoteNamespaceType:  gaia.PingProbeRemoteNamespaceTypeHash,
		ACLPolicyID:          "extnetidabc",
		ACLPolicyAction:      policy.Accept,
		RemoteController:     dstCtrl,
	}

	mockCollector.EXPECT().CollectPingEvent(pr).Times(1)

	claims.P.NamespaceHash = testPU2NSHash
	err = dp.processPingNetSynAckPacket(puctx1, tcpConn, p, payloadSize, pkt, claims, false)
	require.Equal(t, errDropPingNetSynAck, err)
}

func Test_ValidPingAppListening(t *testing.T) {

	ctrl := gomock.NewController(t)
	defer func() {
		switchAppListening(false)
		ctrl.Finish()
	}()

	mockCollector := mockcollector.NewMockEventCollector(ctrl)
	mockTokenAccessor := mocktokenaccessor.NewMockTokenAccessor(ctrl)

	mockTokenAccessor.EXPECT().Sign(gomock.Any(), gomock.Any()).Times(3).Return([]byte("token"), nil).AnyTimes()
	mockTokenAccessor.EXPECT().CreateSynPacketToken(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Times(3).Return([]byte("token"), nil)

	dp, conn, err := setupDatapathAndPUs(ctrl, mockCollector, mockTokenAccessor)
	require.Nil(t, err)
	require.NotNil(t, dp)

	item, err := dp.puFromContextID.Get(testPU1CtxID)
	require.Nil(t, err)
	require.NotNil(t, item)
	puctx1 := item.(*pucontext.PUContext)

	item, err = dp.puFromContextID.Get(testPU2CtxID)
	require.Nil(t, err)
	require.NotNil(t, item)
	puctx2 := item.(*pucontext.PUContext)

	pc := &policy.PingConfig{
		ID:                "5e9e38ad39483e772044095e",
		IP:                dip,
		Port:              dpt,
		Iterations:        1,
		TargetTCPNetworks: true,
		ExcludedNetworks:  false,
	}

	pingPayload := &policy.PingPayload{
		PingID:               pc.ID,
		IterationID:          0,
		ApplicationListening: false,
		NamespaceHash:        testPU1NSHash,
	}

	puctx1.UpdateApplicationACLs( // nolint: errcheck
		policy.IPRuleList{
			policy.IPRule{
				Addresses: []string{"0.0.0.0/0"},
				Ports:     []string{"1:65535"},
				Protocols: []string{"6", "17"},
				Policy: &policy.FlowPolicy{
					Action:   policy.Accept,
					PolicyID: "extnetidabc",
				},
			},
		},
	)

	err = dp.Ping(context.Background(), testPU1CtxID, pc)
	require.Nil(t, err)

	// NetSyn
	ipPacket, err := wrapIP(conn.data(), false, false, tcp.Syn)
	require.Nil(t, err)

	p, err := packet.New(packet.PacketTypeNetwork, ipPacket, "0", false)
	require.Nil(t, err)
	require.NotNil(t, p)
	payloadSize := len(p.ReadTCPData())
	tcpConn := connection.NewTCPConnection(puctx2, p)
	tcpConn.SourceController = srcCtrl
	pkt := &policy.FlowPolicy{Action: policy.Accept, PolicyID: "abc"}

	ts := policy.NewTagStore()
	ts.AppendKeyValue(enforcerconstants.TransmitterLabel, testPU1CtxID)
	claims := &tokens.ConnectionClaims{
		P: pingPayload,
		T: ts,
	}

	pr := &collector.PingReport{
		PingID:               pc.ID,
		IterationID:          0,
		Type:                 gaia.PingProbeTypeRequest,
		PUID:                 testPU2CtxID,
		RemotePUID:           testPU1CtxID,
		Namespace:            testPU2NS,
		FourTuple:            "192.168.100.1:172.17.0.2:2020:80",
		RTT:                  "",
		Protocol:             6,
		ServiceType:          "L3",
		PayloadSize:          payloadSize,
		PayloadSizeType:      gaia.PingProbePayloadSizeTypeReceived,
		PolicyID:             "abc",
		PolicyAction:         policy.Accept,
		AgentVersion:         "0.0.0",
		ApplicationListening: false,
		RemoteEndpointType:   collector.EndPointTypePU,
		SeqNum:               seqnum,
		TargetTCPNetworks:    true,
		ExcludedNetworks:     false,
		Claims:               []string{"a=b"},
		ClaimsType:           gaia.PingProbeClaimsTypeTransmitted,
		RemoteNamespace:      testPU1NSHash,
		RemoteNamespaceType:  gaia.PingProbeRemoteNamespaceTypeHash,
		ACLPolicyID:          "",
		ACLPolicyAction:      policy.ActionType(0),
		RemoteController:     srcCtrl,
		IsServer:             true,
	}

	mockCollector.EXPECT().CollectPingEvent(pr).Times(1)

	oldsynAckDelay := synAckDelay
	synAckDelay = 1 * time.Second
	defer func() {
		synAckDelay = oldsynAckDelay
	}()

	switchAppListening(true)
	err = dp.processPingNetSynPacket(puctx2, tcpConn, p, payloadSize, pkt, claims)
	require.Nil(t, err)

	tcpConn.PingConfig.SetApplicationListening(true)

	time.Sleep(2 * time.Second)

	// NetSynAck
	ipPacket, err = wrapIP(conn.data(), true, false, 0)
	require.Nil(t, err)

	p, err = packet.New(packet.PacketTypeNetwork, ipPacket, "0", false)
	require.Nil(t, err)
	require.NotNil(t, p)

	item1, exists := dp.tcpClient.Get(p.L4ReverseFlowHash())
	if !exists {
		t.Fail()
	}

	tcpConn = item1
	tcpConn.DestinationController = dstCtrl

	pkt = &policy.FlowPolicy{Action: policy.Accept, PolicyID: "abc"}

	ts = policy.NewTagStore()
	ts.AppendKeyValue(enforcerconstants.TransmitterLabel, testPU2CtxID)
	claims = &tokens.ConnectionClaims{
		P: pingPayload,
		T: ts,
	}

	pr = &collector.PingReport{
		PingID:               pc.ID,
		IterationID:          0,
		Type:                 gaia.PingProbeTypeResponse,
		PUID:                 testPU1CtxID,
		RemotePUID:           testPU2CtxID,
		Namespace:            testPU1NS,
		FourTuple:            "172.17.0.2:192.168.100.1:80:2020",
		RTT:                  duration,
		Protocol:             6,
		ServiceType:          "L3",
		PayloadSize:          payloadSize,
		PayloadSizeType:      gaia.PingProbePayloadSizeTypeReceived,
		PolicyID:             "abc",
		PolicyAction:         policy.Accept,
		AgentVersion:         "0.0.0",
		ApplicationListening: true,
		RemoteEndpointType:   collector.EndPointTypePU,
		SeqNum:               seqnum,
		TargetTCPNetworks:    true,
		ExcludedNetworks:     false,
		Claims:               []string{"x=y"},
		ClaimsType:           gaia.PingProbeClaimsTypeTransmitted,
		RemoteNamespace:      testPU2NSHash,
		RemoteNamespaceType:  gaia.PingProbeRemoteNamespaceTypeHash,
		ACLPolicyID:          "extnetidabc",
		ACLPolicyAction:      policy.Accept,
		RemoteController:     dstCtrl,
	}

	mockCollector.EXPECT().CollectPingEvent(pr).Times(1)

	claims.P.ApplicationListening = true
	claims.P.NamespaceHash = testPU2NSHash
	err = dp.processPingNetSynAckPacket(puctx1, tcpConn, p, payloadSize, pkt, claims, false)
	require.Equal(t, errDropPingNetSynAck, err)
}

func Test_ValidPingAppListeningNoReply(t *testing.T) {

	ctrl := gomock.NewController(t)
	defer func() {
		switchAppListening(false)
		ctrl.Finish()
	}()

	mockCollector := mockcollector.NewMockEventCollector(ctrl)
	mockTokenAccessor := mocktokenaccessor.NewMockTokenAccessor(ctrl)
	mockTokenAccessor.EXPECT().Sign(gomock.Any(), gomock.Any()).Times(3).Return([]byte("token"), nil).AnyTimes()
	mockTokenAccessor.EXPECT().CreateSynPacketToken(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Times(2).Return([]byte("token"), nil)

	dp, conn, err := setupDatapathAndPUs(ctrl, mockCollector, mockTokenAccessor)
	require.Nil(t, err)
	require.NotNil(t, dp)

	item, err := dp.puFromContextID.Get(testPU1CtxID)
	require.Nil(t, err)
	require.NotNil(t, item)
	puctx1 := item.(*pucontext.PUContext)

	item, err = dp.puFromContextID.Get(testPU2CtxID)
	require.Nil(t, err)
	require.NotNil(t, item)
	puctx2 := item.(*pucontext.PUContext)

	pc := &policy.PingConfig{
		ID:                "5e9e38ad39483e772044095e",
		IP:                dip,
		Port:              dpt,
		Iterations:        1,
		TargetTCPNetworks: true,
		ExcludedNetworks:  false,
	}

	pingPayload := &policy.PingPayload{
		PingID:               pc.ID,
		IterationID:          0,
		ApplicationListening: false,
		NamespaceHash:        testPU1NSHash,
	}

	puctx1.UpdateApplicationACLs( // nolint: errcheck
		policy.IPRuleList{
			policy.IPRule{
				Addresses: []string{"0.0.0.0/0"},
				Ports:     []string{"1:65535"},
				Protocols: []string{"6", "17"},
				Policy: &policy.FlowPolicy{
					Action:   policy.Accept,
					PolicyID: "extnetidabc",
				},
			},
		},
	)

	mockTokenAccessor.EXPECT().CreateSynPacketToken(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Times(1).Return([]byte("token"), nil)

	err = dp.Ping(context.Background(), testPU1CtxID, pc)
	require.Nil(t, err)

	// NetSyn
	ipPacket, err := wrapIP(conn.data(), false, false, tcp.Syn)
	require.Nil(t, err)

	p, err := packet.New(packet.PacketTypeNetwork, ipPacket, "0", false)
	require.Nil(t, err)
	require.NotNil(t, p)
	payloadSize := len(p.ReadTCPData())
	tcpConn := connection.NewTCPConnection(puctx2, p)
	tcpConn.SourceController = srcCtrl
	pkt := &policy.FlowPolicy{Action: policy.Accept, PolicyID: "abc"}

	ts := policy.NewTagStore()
	ts.AppendKeyValue(enforcerconstants.TransmitterLabel, testPU1CtxID)
	claims := &tokens.ConnectionClaims{
		P: pingPayload,
		T: ts,
	}

	pr := &collector.PingReport{
		PingID:               pc.ID,
		IterationID:          0,
		Type:                 gaia.PingProbeTypeRequest,
		PUID:                 testPU2CtxID,
		RemotePUID:           testPU1CtxID,
		Namespace:            testPU2NS,
		FourTuple:            "192.168.100.1:172.17.0.2:2020:80",
		RTT:                  "",
		Protocol:             6,
		ServiceType:          "L3",
		PayloadSize:          payloadSize,
		PayloadSizeType:      gaia.PingProbePayloadSizeTypeReceived,
		PolicyID:             "abc",
		PolicyAction:         policy.Accept,
		AgentVersion:         "0.0.0",
		ApplicationListening: false,
		RemoteEndpointType:   collector.EndPointTypePU,
		SeqNum:               seqnum,
		TargetTCPNetworks:    true,
		ExcludedNetworks:     false,
		Claims:               []string{"a=b"},
		ClaimsType:           gaia.PingProbeClaimsTypeTransmitted,
		RemoteNamespace:      testPU1NSHash,
		RemoteNamespaceType:  gaia.PingProbeRemoteNamespaceTypeHash,
		ACLPolicyID:          "",
		ACLPolicyAction:      policy.ActionType(0),
		RemoteController:     srcCtrl,
		IsServer:             true,
	}

	mockCollector.EXPECT().CollectPingEvent(pr).Times(1)
	copiedData, err := copystructure.Copy(pingPayload)
	synAckPayload := copiedData.(*policy.PingPayload)
	synAckPayload.NamespaceHash = testPU2NSHash
	require.Nil(t, err)
	mockTokenAccessor.EXPECT().CreateSynAckPacketToken(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Times(1).Return([]byte("token"), nil)

	oldsynAckDelay := synAckDelay
	synAckDelay = 1 * time.Second
	defer func() {
		synAckDelay = oldsynAckDelay
	}()

	switchAppListening(true)
	err = dp.processPingNetSynPacket(puctx2, tcpConn, p, payloadSize, pkt, claims)
	require.Nil(t, err)

	time.Sleep(2 * time.Second)

	// NetSynAck
	ipPacket, err = wrapIP(conn.data(), true, false, tcp.Syn|tcp.Ack)
	require.Nil(t, err)

	p, err = packet.New(packet.PacketTypeNetwork, ipPacket, "0", false)
	require.Nil(t, err)
	require.NotNil(t, p)

	item1, exists := dp.tcpClient.Get(p.L4ReverseFlowHash())
	if !exists {
		t.Fail()
	}

	tcpConn = item1
	tcpConn.DestinationController = dstCtrl

	pkt = &policy.FlowPolicy{Action: policy.Accept, PolicyID: "abc"}

	ts = policy.NewTagStore()
	ts.AppendKeyValue(enforcerconstants.TransmitterLabel, testPU2CtxID)
	claims = &tokens.ConnectionClaims{
		P: pingPayload,
		T: ts,
	}

	pr = &collector.PingReport{
		PingID:               pc.ID,
		IterationID:          0,
		Type:                 gaia.PingProbeTypeResponse,
		PUID:                 testPU1CtxID,
		RemotePUID:           testPU2CtxID,
		Namespace:            testPU1NS,
		FourTuple:            "172.17.0.2:192.168.100.1:80:2020",
		RTT:                  duration,
		Protocol:             6,
		ServiceType:          "L3",
		PayloadSize:          payloadSize,
		PayloadSizeType:      gaia.PingProbePayloadSizeTypeReceived,
		PolicyID:             "abc",
		PolicyAction:         policy.Accept,
		AgentVersion:         "0.0.0",
		ApplicationListening: false,
		RemoteEndpointType:   collector.EndPointTypePU,
		SeqNum:               seqnum,
		TargetTCPNetworks:    true,
		ExcludedNetworks:     false,
		Claims:               []string{"x=y"},
		ClaimsType:           gaia.PingProbeClaimsTypeTransmitted,
		RemoteNamespace:      testPU2NSHash,
		RemoteNamespaceType:  gaia.PingProbeRemoteNamespaceTypeHash,
		ACLPolicyID:          "extnetidabc",
		ACLPolicyAction:      policy.Accept,
		RemoteController:     dstCtrl,
	}

	mockCollector.EXPECT().CollectPingEvent(pr).Times(1)

	claims.P.NamespaceHash = testPU2NSHash
	err = dp.processPingNetSynAckPacket(puctx1, tcpConn, p, payloadSize, pkt, claims, false)
	require.Equal(t, errDropPingNetSynAck, err)
}

func Test_ValidPingReject(t *testing.T) {

	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	mockCollector := mockcollector.NewMockEventCollector(ctrl)
	mockTokenAccessor := mocktokenaccessor.NewMockTokenAccessor(ctrl)
	mockTokenAccessor.EXPECT().Sign(gomock.Any(), gomock.Any()).Times(3).Return([]byte("token"), nil).AnyTimes()
	mockTokenAccessor.EXPECT().CreateSynPacketToken(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Times(3).Return([]byte("token"), nil)

	dp, conn, err := setupDatapathAndPUs(ctrl, mockCollector, mockTokenAccessor)
	require.Nil(t, err)
	require.NotNil(t, dp)

	item, err := dp.puFromContextID.Get(testPU1CtxID)
	require.Nil(t, err)
	require.NotNil(t, item)
	puctx1 := item.(*pucontext.PUContext)

	item, err = dp.puFromContextID.Get(testPU2CtxID)
	require.Nil(t, err)
	require.NotNil(t, item)
	puctx2 := item.(*pucontext.PUContext)

	pc := &policy.PingConfig{
		ID:                "5e9e38ad39483e772044095e",
		IP:                dip,
		Port:              dpt,
		Iterations:        1,
		TargetTCPNetworks: true,
		ExcludedNetworks:  false,
	}

	pingPayload := &policy.PingPayload{
		PingID:               pc.ID,
		IterationID:          0,
		ApplicationListening: false,
		NamespaceHash:        testPU1NSHash,
	}

	puctx1.UpdateApplicationACLs( // nolint: errcheck
		policy.IPRuleList{
			policy.IPRule{
				Addresses: []string{"0.0.0.0/0"},
				Ports:     []string{"1:65535"},
				Protocols: []string{"6", "17"},
				Policy: &policy.FlowPolicy{
					Action:   policy.Accept,
					PolicyID: "extnetidabc",
				},
			},
		},
	)

	err = dp.Ping(context.Background(), testPU1CtxID, pc)
	require.Nil(t, err)

	// NetSyn
	ipPacket, err := wrapIP(conn.data(), false, false, tcp.Syn)
	require.Nil(t, err)

	p, err := packet.New(packet.PacketTypeNetwork, ipPacket, "0", false)
	require.Nil(t, err)
	require.NotNil(t, p)
	payloadSize := len(p.ReadTCPData())
	tcpConn := connection.NewTCPConnection(puctx2, p)
	tcpConn.SourceController = srcCtrl
	pkt := &policy.FlowPolicy{Action: policy.Reject, PolicyID: "xyz"}

	ts := policy.NewTagStore()
	ts.AppendKeyValue(enforcerconstants.TransmitterLabel, testPU1CtxID)
	claims := &tokens.ConnectionClaims{
		P: pingPayload,
		T: ts,
	}

	pr := &collector.PingReport{
		PingID:               pc.ID,
		IterationID:          0,
		Type:                 gaia.PingProbeTypeRequest,
		PUID:                 testPU2CtxID,
		RemotePUID:           testPU1CtxID,
		Namespace:            testPU2NS,
		FourTuple:            "192.168.100.1:172.17.0.2:2020:80",
		RTT:                  "",
		Protocol:             6,
		ServiceType:          "L3",
		PayloadSize:          payloadSize,
		PayloadSizeType:      gaia.PingProbePayloadSizeTypeReceived,
		PolicyID:             "xyz",
		PolicyAction:         policy.Reject,
		AgentVersion:         "0.0.0",
		ApplicationListening: false,
		RemoteEndpointType:   collector.EndPointTypePU,
		SeqNum:               seqnum,
		TargetTCPNetworks:    true,
		ExcludedNetworks:     false,
		Claims:               []string{"a=b"},
		ClaimsType:           gaia.PingProbeClaimsTypeTransmitted,
		RemoteNamespace:      testPU1NSHash,
		RemoteNamespaceType:  gaia.PingProbeRemoteNamespaceTypeHash,
		ACLPolicyID:          "",
		ACLPolicyAction:      policy.ActionType(0),
		RemoteController:     srcCtrl,
		IsServer:             true,
		Error:                collector.PolicyDrop,
	}

	mockCollector.EXPECT().CollectPingEvent(pr).Times(1)
	copiedData, err := copystructure.Copy(pingPayload)
	synAckPayload := copiedData.(*policy.PingPayload)
	synAckPayload.NamespaceHash = testPU2NSHash
	require.Nil(t, err)
	mockTokenAccessor.EXPECT().CreateSynAckPacketToken(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Times(1).Return([]byte("token"), nil)

	oldsynAckDelay := synAckDelay
	synAckDelay = 1 * time.Second
	defer func() {
		synAckDelay = oldsynAckDelay
	}()

	err = dp.processPingNetSynPacket(puctx2, tcpConn, p, payloadSize, pkt, claims)
	require.Equal(t, errDropPingNetSyn, err)

	time.Sleep(2 * time.Second)

	// NetSynAck
	ipPacket, err = wrapIP(conn.data(), true, false, tcp.Syn|tcp.Ack)
	require.Nil(t, err)

	p, err = packet.New(packet.PacketTypeNetwork, ipPacket, "0", false)
	require.Nil(t, err)
	require.NotNil(t, p)

	item1, exists := dp.tcpClient.Get(p.L4ReverseFlowHash())
	if !exists {
		t.Fail()
	}
	tcpConn = item1
	tcpConn.DestinationController = dstCtrl

	pkt = &policy.FlowPolicy{Action: policy.Accept, PolicyID: "abc"}

	ts = policy.NewTagStore()
	ts.AppendKeyValue(enforcerconstants.TransmitterLabel, testPU2CtxID)
	claims = &tokens.ConnectionClaims{
		P: pingPayload,
		T: ts,
	}

	pr = &collector.PingReport{
		PingID:               pc.ID,
		IterationID:          0,
		Type:                 gaia.PingProbeTypeResponse,
		PUID:                 testPU1CtxID,
		RemotePUID:           testPU2CtxID,
		Namespace:            testPU1NS,
		FourTuple:            "172.17.0.2:192.168.100.1:80:2020",
		RTT:                  duration,
		Protocol:             6,
		ServiceType:          "L3",
		PayloadSize:          payloadSize,
		PayloadSizeType:      gaia.PingProbePayloadSizeTypeReceived,
		PolicyID:             "abc",
		PolicyAction:         policy.Accept,
		AgentVersion:         "0.0.0",
		ApplicationListening: false,
		RemoteEndpointType:   collector.EndPointTypePU,
		SeqNum:               seqnum,
		TargetTCPNetworks:    true,
		ExcludedNetworks:     false,
		Claims:               []string{"x=y"},
		ClaimsType:           gaia.PingProbeClaimsTypeTransmitted,
		RemoteNamespace:      testPU2NSHash,
		RemoteNamespaceType:  gaia.PingProbeRemoteNamespaceTypeHash,
		ACLPolicyID:          "extnetidabc",
		ACLPolicyAction:      policy.Accept,
		RemoteController:     dstCtrl,
	}

	mockCollector.EXPECT().CollectPingEvent(pr).Times(1)

	claims.P.NamespaceHash = testPU2NSHash
	err = dp.processPingNetSynAckPacket(puctx1, tcpConn, p, payloadSize, pkt, claims, false)
	require.Equal(t, errDropPingNetSynAck, err)
}

func Test_ValidPingUnequalSeqNum(t *testing.T) {

	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	mockCollector := mockcollector.NewMockEventCollector(ctrl)
	mockTokenAccessor := mocktokenaccessor.NewMockTokenAccessor(ctrl)

	mockTokenAccessor.EXPECT().Sign(gomock.Any(), gomock.Any()).Times(3).Return([]byte("token"), nil).AnyTimes()
	mockTokenAccessor.EXPECT().CreateSynPacketToken(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Times(3).Return([]byte("token"), nil)

	dp, conn, err := setupDatapathAndPUs(ctrl, mockCollector, mockTokenAccessor)
	require.Nil(t, err)
	require.NotNil(t, dp)

	item, err := dp.puFromContextID.Get(testPU1CtxID)
	require.Nil(t, err)
	require.NotNil(t, item)
	puctx1 := item.(*pucontext.PUContext)

	item, err = dp.puFromContextID.Get(testPU2CtxID)
	require.Nil(t, err)
	require.NotNil(t, item)
	puctx2 := item.(*pucontext.PUContext)

	pc := &policy.PingConfig{
		ID:                "5e9e38ad39483e772044095e",
		IP:                dip,
		Port:              dpt,
		Iterations:        1,
		TargetTCPNetworks: true,
		ExcludedNetworks:  false,
	}

	pingPayload := &policy.PingPayload{
		PingID:               pc.ID,
		IterationID:          0,
		ApplicationListening: false,
		NamespaceHash:        testPU1NSHash,
	}

	err = dp.Ping(context.Background(), testPU1CtxID, pc)
	require.Nil(t, err)

	// NetSyn
	ipPacket, err := wrapIP(conn.data(), false, true, tcp.Syn)
	require.Nil(t, err)

	p, err := packet.New(packet.PacketTypeNetwork, ipPacket, "0", false)
	require.Nil(t, err)
	require.NotNil(t, p)
	payloadSize := len(p.ReadTCPData())
	tcpConn := connection.NewTCPConnection(puctx2, p)
	pkt := &policy.FlowPolicy{Action: policy.Accept, PolicyID: "abc"}

	ts := policy.NewTagStore()
	ts.AppendKeyValue(enforcerconstants.TransmitterLabel, testPU1CtxID)
	claims := &tokens.ConnectionClaims{
		P: pingPayload,
		T: ts,
	}

	pr := &collector.PingReport{
		PingID:               pc.ID,
		IterationID:          0,
		Type:                 gaia.PingProbeTypeRequest,
		PUID:                 testPU2CtxID,
		RemotePUID:           testPU1CtxID,
		Namespace:            testPU2NS,
		FourTuple:            "192.168.100.1:172.17.0.2:2020:80",
		RTT:                  "",
		Protocol:             6,
		ServiceType:          "L3",
		PayloadSize:          payloadSize,
		PayloadSizeType:      gaia.PingProbePayloadSizeTypeReceived,
		PolicyID:             "abc",
		PolicyAction:         policy.Accept,
		AgentVersion:         "0.0.0",
		ApplicationListening: false,
		RemoteEndpointType:   collector.EndPointTypePU,
		SeqNum:               111111,
		TargetTCPNetworks:    true,
		ExcludedNetworks:     false,
		Claims:               []string{"a=b"},
		ClaimsType:           gaia.PingProbeClaimsTypeTransmitted,
		RemoteNamespace:      testPU1NSHash,
		RemoteNamespaceType:  gaia.PingProbeRemoteNamespaceTypeHash,
		ACLPolicyID:          "",
		ACLPolicyAction:      policy.ActionType(0),
		IsServer:             true,
	}

	mockCollector.EXPECT().CollectPingEvent(pr).Times(1)
	copiedData, err := copystructure.Copy(pingPayload)
	synAckPayload := copiedData.(*policy.PingPayload)
	synAckPayload.NamespaceHash = testPU2NSHash
	require.Nil(t, err)
	mockTokenAccessor.EXPECT().CreateSynAckPacketToken(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Times(1).Return([]byte("token"), nil)

	oldsynAckDelay := synAckDelay
	synAckDelay = 1 * time.Second
	defer func() {
		synAckDelay = oldsynAckDelay
	}()

	err = dp.processPingNetSynPacket(puctx2, tcpConn, p, payloadSize, pkt, claims)
	require.Equal(t, errDropPingNetSyn, err)

	time.Sleep(2 * time.Second)

	// NetSynAck
	ipPacket, err = wrapIP(conn.data(), true, false, tcp.Syn|tcp.Ack)
	require.Nil(t, err)

	p, err = packet.New(packet.PacketTypeNetwork, ipPacket, "0", false)
	require.Nil(t, err)
	require.NotNil(t, p)
	payloadSize = len(p.ReadTCPData())

	item1, _ := dp.tcpClient.Get(p.L4ReverseFlowHash())
	tcpConn = item1

	pkt = &policy.FlowPolicy{Action: policy.Reject, PolicyID: "cde"}

	ts = policy.NewTagStore()
	ts.AppendKeyValue(enforcerconstants.TransmitterLabel, testPU2CtxID)
	claims = &tokens.ConnectionClaims{
		P: pingPayload,
		T: ts,
	}

	pr = &collector.PingReport{
		PingID:               pc.ID,
		IterationID:          0,
		Type:                 gaia.PingProbeTypeResponse,
		PUID:                 testPU1CtxID,
		RemotePUID:           testPU2CtxID,
		Namespace:            testPU1NS,
		FourTuple:            "172.17.0.2:192.168.100.1:80:2020",
		RTT:                  duration,
		Protocol:             6,
		ServiceType:          "L3",
		PayloadSize:          payloadSize,
		PayloadSizeType:      gaia.PingProbePayloadSizeTypeReceived,
		PolicyID:             "cde",
		PolicyAction:         policy.Reject,
		AgentVersion:         "0.0.0",
		ApplicationListening: false,
		RemoteEndpointType:   collector.EndPointTypePU,
		SeqNum:               seqnum,
		TargetTCPNetworks:    true,
		ExcludedNetworks:     false,
		RemoteNamespace:      testPU2NSHash,
		RemoteNamespaceType:  gaia.PingProbeRemoteNamespaceTypeHash,
		Claims:               []string{"x=y"},
		ClaimsType:           gaia.PingProbeClaimsTypeTransmitted,
		ACLPolicyID:          "default",
		ACLPolicyAction:      policy.Reject | policy.Log,
		Error:                collector.PolicyDrop,
	}

	mockCollector.EXPECT().CollectPingEvent(pr).Times(1)
	claims.P.NamespaceHash = testPU2NSHash
	err = dp.processPingNetSynAckPacket(puctx1, tcpConn, p, payloadSize, pkt, claims, false)
	require.Equal(t, errDropPingNetSynAck, err)
}

func Test_ValidPingExtNet(t *testing.T) {

	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	mockCollector := mockcollector.NewMockEventCollector(ctrl)
	mockTokenAccessor := mocktokenaccessor.NewMockTokenAccessor(ctrl)

	mockTokenAccessor.EXPECT().Sign(gomock.Any(), gomock.Any()).Times(3).Return([]byte("token"), nil).AnyTimes()
	mockTokenAccessor.EXPECT().CreateSynPacketToken(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Times(3).Return([]byte("token"), nil)

	dp, conn, err := setupDatapathAndPUs(ctrl, mockCollector, mockTokenAccessor)
	require.Nil(t, err)
	require.NotNil(t, dp)

	item, err := dp.puFromContextID.Get(testPU1CtxID)
	require.Nil(t, err)
	require.NotNil(t, item)
	puctx1 := item.(*pucontext.PUContext)

	pc := &policy.PingConfig{
		ID:                "5e9e38ad39483e772044095e",
		IP:                dip,
		Port:              dpt,
		Iterations:        1,
		TargetTCPNetworks: true,
		ExcludedNetworks:  false,
	}

	err = dp.Ping(context.Background(), testPU1CtxID, pc)
	require.Nil(t, err)

	// NetSynAck
	ipPacket, err := wrapIP(conn.data(), true, false, tcp.Syn)
	require.Nil(t, err)

	p, err := packet.New(packet.PacketTypeNetwork, ipPacket, "0", false)
	require.Nil(t, err)
	require.NotNil(t, p)
	payloadSize := len(p.ReadTCPData())

	item1, _ := dp.tcpClient.Get(p.L4ReverseFlowHash())
	tcpConn := item1

	pkt := &policy.FlowPolicy{Action: policy.Accept, PolicyID: "abc"}

	pr := &collector.PingReport{
		PingID:               pc.ID,
		IterationID:          0,
		Type:                 gaia.PingProbeTypeResponse,
		PUID:                 testPU1CtxID,
		Namespace:            testPU1NS,
		FourTuple:            "172.17.0.2:192.168.100.1:80:2020",
		RTT:                  duration,
		Protocol:             6,
		ServiceType:          "L3",
		PayloadSize:          payloadSize,
		PayloadSizeType:      gaia.PingProbePayloadSizeTypeReceived,
		PolicyID:             "abc",
		PolicyAction:         policy.Accept,
		AgentVersion:         "0.0.0",
		ApplicationListening: true,
		RemoteNamespaceType:  gaia.PingProbeRemoteNamespaceTypeHash,
		RemoteEndpointType:   collector.EndPointTypeExternalIP,
		SeqNum:               seqnum,
		TargetTCPNetworks:    true,
		ExcludedNetworks:     false,
		Claims:               []string{"x=y"},
		ClaimsType:           gaia.PingProbeClaimsTypeTransmitted,
		ACLPolicyID:          "default",
		ACLPolicyAction:      policy.Reject | policy.Log,
	}

	mockCollector.EXPECT().CollectPingEvent(pr).Times(1)

	// NOTE: Overriding the default conn timeout of 15s to 3s.
	oldremoveDelay := removeDelay
	removeDelay = 2 * time.Second
	defer func() {
		removeDelay = oldremoveDelay
	}()

	tcpConn.ChangeConnectionTimeout(3 * time.Second)
	err = dp.processPingNetSynAckPacket(puctx1, tcpConn, p, payloadSize, pkt, nil, true)
	require.Equal(t, errDropPingNetSynAck, err)

	require.Equal(t, connection.TCPSynAckReceived, tcpConn.GetState())

	time.Sleep(4 * time.Second)

	_, exists := dp.tcpClient.Get(p.L4ReverseFlowHash())
	if exists {
		t.Fail()
	}
}

func Test_PingRequestTimeout(t *testing.T) {

	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	mockCollector := mockcollector.NewMockEventCollector(ctrl)
	mockTokenAccessor := mocktokenaccessor.NewMockTokenAccessor(ctrl)

	mockTokenAccessor.EXPECT().Sign(gomock.Any(), gomock.Any()).Times(3).Return([]byte("token"), nil).AnyTimes()
	mockTokenAccessor.EXPECT().CreateSynPacketToken(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Times(3).Return([]byte("token"), nil)

	dp, _, err := setupDatapathAndPUs(ctrl, mockCollector, mockTokenAccessor)
	require.Nil(t, err)
	require.NotNil(t, dp)

	pc := &policy.PingConfig{
		ID:                "5e9e38ad39483e772044095e",
		IP:                dip,
		Port:              dpt,
		Iterations:        1,
		TargetTCPNetworks: true,
		ExcludedNetworks:  true,
	}

	pr := &collector.PingReport{
		PingID:               pc.ID,
		IterationID:          0,
		Type:                 gaia.PingProbeTypeRequest,
		PUID:                 testPU1CtxID,
		Namespace:            testPU1NS,
		FourTuple:            "192.168.100.1:172.17.0.2:2020:80",
		RTT:                  "",
		Protocol:             6,
		ServiceType:          "L3",
		PayloadSize:          5,
		PayloadSizeType:      gaia.PingProbePayloadSizeTypeTransmitted,
		PolicyID:             "",
		PolicyAction:         policy.ActionType(0), // Not a valid action, defaults to "unknown"
		AgentVersion:         "0.0.0",
		ApplicationListening: false,
		SeqNum:               seqnum,
		RemoteNamespaceType:  gaia.PingProbeRemoteNamespaceTypeHash,
		TargetTCPNetworks:    true,
		ExcludedNetworks:     true,
		Claims:               []string{"x=y"},
		ClaimsType:           gaia.PingProbeClaimsTypeTransmitted,
		ACLPolicyID:          "default",
		ACLPolicyAction:      policy.Reject | policy.Log,
		Error:                policy.ErrExcludedNetworks,
	}

	mockCollector.EXPECT().CollectPingEvent(pr).Times(1)

	oldconnTimeout := connection.DefaultConnectionTimeout
	connection.DefaultConnectionTimeout = 3 * time.Second
	defer func() {
		connection.DefaultConnectionTimeout = oldconnTimeout
	}()

	err = dp.Ping(context.Background(), testPU1CtxID, pc)
	require.Nil(t, err)
	time.Sleep(4 * time.Second)

	list := dp.tcpClient.Len()
	if list != 0 {
		t.Fail()
	}
}


================================================
FILE: controller/internal/enforcer/nfqdatapath/test_utils.go
================================================
package nfqdatapath

import (
	"encoding/json"
	"fmt"

	"github.com/golang/mock/gomock"
	"go.aporeto.io/enforcerd/trireme-lib/collector"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/secrets/mocksecrets"
)

type endpointTypeMatcher struct {
	x           interface{}
	baseMatcher *myMatcher
}

func (m *endpointTypeMatcher) Matches(x interface{}) bool {
	f1 := m.x.(*collector.FlowRecord)
	f2 := x.(*collector.FlowRecord)

	defaultChecks := f1.Destination.Type == f2.Destination.Type &&
		f1.Destination.ID == f2.Destination.ID &&
		f1.Source.Type == f2.Source.Type &&
		f1.Source.ID == f2.Source.ID

	if m.baseMatcher != nil {
		return defaultChecks && m.baseMatcher.Matches(x)
	}

	return defaultChecks
}

func (m *endpointTypeMatcher) String() string {

	out, err := json.Marshal(m.x)
	if err != nil {
		panic(err)
	}

	return fmt.Sprintf("is equal to %v", string(out))
}

// EndpointTypeMatcher extends MyMatcher to match endpoint Type and ID
func EndpointTypeMatcher(x interface{}) gomock.Matcher {
	return gomock.GotFormatterAdapter(&myGotFormatter{}, &endpointTypeMatcher{x: x, baseMatcher: &myMatcher{x: x}})
}

type myMatcher struct {
	x interface{}
}

func (m *myMatcher) Matches(x interface{}) bool {
	f1 := m.x.(*collector.FlowRecord)
	f2 := x.(*collector.FlowRecord)

	defaultChecks := f1.Destination.IP == f2.Destination.IP &&
		f1.Source.IP == f2.Source.IP &&
		f1.Destination.Port == f2.Destination.Port &&
		f1.Action == f2.Action &&
		f1.Count == f2.Count &&
		f1.DropReason == f2.DropReason

	return defaultChecks
}

func (m *myMatcher) String() string {

	f := m.x.(*collector.FlowRecord)
	return fmt.Sprintf("%d, %v, %v, %d, %d, %s", f.Count, f.Source.IP, f.Destination.IP, f.Destination.Port, f.Action, f.DropReason)
}

type myGotFormatter struct{}

func (g *myGotFormatter) Got(got interface{}) string {

	f := got.(*collector.FlowRecord)
	return fmt.Sprintf("%d, %v, %v, %d, %d, %s", f.Count, f.Source.IP, f.Destination.IP, f.Destination.Port, f.Action, f.DropReason)
}

// MyMatcher returns gomock matcher
func MyMatcher(x interface{}) gomock.Matcher {
	return gomock.GotFormatterAdapter(&myGotFormatter{}, &myMatcher{x: x})
}

type packetEventMatcher struct {
	x interface{}
}

func (p *packetEventMatcher) Matches(x interface{}) bool {
	f1 := p.x.(*collector.PacketReport)
	f2 := x.(*collector.PacketReport)
	return f1.DestinationIP == f2.DestinationIP
}

func (p *packetEventMatcher) String() string {
	return fmt.Sprintf("is equal to %v", p.x)
}

// PacketEventMatcher return gomock matcher
func PacketEventMatcher(x interface{}) gomock.Matcher {
	return &packetEventMatcher{x: x}
}

type myCounterMatcher struct {
	x *collector.CounterReport
}

func (m *myCounterMatcher) Matches(x interface{}) bool {

	f := x.(*collector.CounterReport)
	if f.Namespace != "/ns1" {
		return true
	}
	return m.x.PUID == f.PUID && m.x.Namespace == f.Namespace
}

func (m *myCounterMatcher) String() string {
	return fmt.Sprintf("is equal to %v", m.x)
}

// MyCounterMatcher custom matcher for counter record
func MyCounterMatcher(x *collector.CounterReport) gomock.Matcher {
	return &myCounterMatcher{x: x}
}

type fakeSecrets struct {
	id string
	*mocksecrets.MockSecrets
}

func (f *fakeSecrets) setID(id string) {
	f.id = id
}

func (f *fakeSecrets) getID() string {
	return f.id
}


================================================
FILE: controller/internal/enforcer/nfqdatapath/test_utils_linux.go
================================================
// +build linux

package nfqdatapath

import (
	"net"
	"sync"

	"github.com/ghedo/go.pkt/packet"
)

type fakeConn struct {
	b []byte

	sync.RWMutex
}

func (f *fakeConn) Close() error {
	return nil
}

func (f *fakeConn) Write(b []byte) (int, error) {
	f.Lock()
	defer f.Unlock()

	f.b = b
	return len(b), nil
}

func (f *fakeConn) data() []byte {
	f.RLock()
	defer f.RUnlock()

	return f.b
}

func (f *fakeConn) ConstructWirePacket(srcIP, dstIP net.IP, transport packet.Packet, payload packet.Packet) ([]byte, error) {
	return packLayers(srcIP, dstIP, transport, payload)
}


================================================
FILE: controller/internal/enforcer/nfqdatapath/tokenaccessor/interfaces.go
================================================
package tokenaccessor

import (
	"crypto/ecdsa"
	"time"

	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/utils/ephemeralkeys"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/claimsheader"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/pkiverifier"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/secrets"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/tokens"
)

// TokenAccessor define an interface to access LockedTokenEngine
type TokenAccessor interface {
	GetTokenValidity() time.Duration
	GetTokenServerID() string

	// Token creation methods.
	CreateAckPacketToken(proto314 bool, secretKey []byte, claims *tokens.ConnectionClaims, encodedBuf []byte) ([]byte, error)
	CreateSynPacketToken(claims *tokens.ConnectionClaims, encodedBuf []byte, nonce []byte, claimsHeader *claimsheader.ClaimsHeader, secrets secrets.Secrets) ([]byte, error)

	CreateSynAckPacketToken(proto314 bool, claims *tokens.ConnectionClaims, encodedBuf []byte, nonce []byte, claimsHeader *claimsheader.ClaimsHeader, secrets secrets.Secrets, secretKey []byte) ([]byte, error)
	// Token parsing methods.
	ParsePacketToken(privateKey *ephemeralkeys.PrivateKey, data []byte, secrets secrets.Secrets, c *tokens.ConnectionClaims, b bool) ([]byte, *claimsheader.ClaimsHeader, *pkiverifier.PKIControllerInfo, []byte, string, bool, error)
	ParseAckToken(proto314 bool, secretKey []byte, nonce []byte, data []byte, connClaims *tokens.ConnectionClaims) error

	Randomize([]byte, []byte) error
	Sign([]byte, *ecdsa.PrivateKey) ([]byte, error)
}


================================================
FILE: controller/internal/enforcer/nfqdatapath/tokenaccessor/mocktokenaccessor/mocktokenaccessor.go
================================================
// Code generated by MockGen. DO NOT EDIT.
// Source: controller/internal/enforcer/nfqdatapath/tokenaccessor/interfaces.go

// Package mocktokenaccessor is a generated GoMock package.
package mocktokenaccessor

import (
	ecdsa "crypto/ecdsa"
	reflect "reflect"
	time "time"

	gomock "github.com/golang/mock/gomock"
	ephemeralkeys "go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/utils/ephemeralkeys"
	claimsheader "go.aporeto.io/enforcerd/trireme-lib/controller/pkg/claimsheader"
	pkiverifier "go.aporeto.io/enforcerd/trireme-lib/controller/pkg/pkiverifier"
	secrets "go.aporeto.io/enforcerd/trireme-lib/controller/pkg/secrets"
	tokens "go.aporeto.io/enforcerd/trireme-lib/controller/pkg/tokens"
)

// MockTokenAccessor is a mock of TokenAccessor interface
type MockTokenAccessor struct {
	ctrl     *gomock.Controller
	recorder *MockTokenAccessorMockRecorder
}

// MockTokenAccessorMockRecorder is the mock recorder for MockTokenAccessor
type MockTokenAccessorMockRecorder struct {
	mock *MockTokenAccessor
}

// NewMockTokenAccessor creates a new mock instance
func NewMockTokenAccessor(ctrl *gomock.Controller) *MockTokenAccessor {
	mock := &MockTokenAccessor{ctrl: ctrl}
	mock.recorder = &MockTokenAccessorMockRecorder{mock}
	return mock
}

// EXPECT returns an object that allows the caller to indicate expected use
func (m *MockTokenAccessor) EXPECT() *MockTokenAccessorMockRecorder {
	return m.recorder
}

// GetTokenValidity mocks base method
func (m *MockTokenAccessor) GetTokenValidity() time.Duration {
	ret := m.ctrl.Call(m, "GetTokenValidity")
	ret0, _ := ret[0].(time.Duration)
	return ret0
}

// GetTokenValidity indicates an expected call of GetTokenValidity
func (mr *MockTokenAccessorMockRecorder) GetTokenValidity() *gomock.Call {
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetTokenValidity", reflect.TypeOf((*MockTokenAccessor)(nil).GetTokenValidity))
}

// GetTokenServerID mocks base method
func (m *MockTokenAccessor) GetTokenServerID() string {
	ret := m.ctrl.Call(m, "GetTokenServerID")
	ret0, _ := ret[0].(string)
	return ret0
}

// GetTokenServerID indicates an expected call of GetTokenServerID
func (mr *MockTokenAccessorMockRecorder) GetTokenServerID() *gomock.Call {
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetTokenServerID", reflect.TypeOf((*MockTokenAccessor)(nil).GetTokenServerID))
}

// CreateAckPacketToken mocks base method
func (m *MockTokenAccessor) CreateAckPacketToken(proto314 bool, secretKey []byte, claims *tokens.ConnectionClaims, encodedBuf []byte) ([]byte, error) {
	ret := m.ctrl.Call(m, "CreateAckPacketToken", proto314, secretKey, claims, encodedBuf)
	ret0, _ := ret[0].([]byte)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// CreateAckPacketToken indicates an expected call of CreateAckPacketToken
func (mr *MockTokenAccessorMockRecorder) CreateAckPacketToken(proto314, secretKey, claims, encodedBuf interface{}) *gomock.Call {
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateAckPacketToken", reflect.TypeOf((*MockTokenAccessor)(nil).CreateAckPacketToken), proto314, secretKey, claims, encodedBuf)
}

// CreateSynPacketToken mocks base method
func (m *MockTokenAccessor) CreateSynPacketToken(claims *tokens.ConnectionClaims, encodedBuf, nonce []byte, claimsHeader *claimsheader.ClaimsHeader, secrets secrets.Secrets) ([]byte, error) {
	ret := m.ctrl.Call(m, "CreateSynPacketToken", claims, encodedBuf, nonce, claimsHeader, secrets)
	ret0, _ := ret[0].([]byte)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// CreateSynPacketToken indicates an expected call of CreateSynPacketToken
func (mr *MockTokenAccessorMockRecorder) CreateSynPacketToken(claims, encodedBuf, nonce, claimsHeader, secrets interface{}) *gomock.Call {
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateSynPacketToken", reflect.TypeOf((*MockTokenAccessor)(nil).CreateSynPacketToken), claims, encodedBuf, nonce, claimsHeader, secrets)
}

// CreateSynAckPacketToken mocks base method
func (m *MockTokenAccessor) CreateSynAckPacketToken(proto314 bool, claims *tokens.ConnectionClaims, encodedBuf, nonce []byte, claimsHeader *claimsheader.ClaimsHeader, secrets secrets.Secrets, secretKey []byte) ([]byte, error) {
	ret := m.ctrl.Call(m, "CreateSynAckPacketToken", proto314, claims, encodedBuf, nonce, claimsHeader, secrets, secretKey)
	ret0, _ := ret[0].([]byte)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// CreateSynAckPacketToken indicates an expected call of CreateSynAckPacketToken
func (mr *MockTokenAccessorMockRecorder) CreateSynAckPacketToken(proto314, claims, encodedBuf, nonce, claimsHeader, secrets, secretKey interface{}) *gomock.Call {
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateSynAckPacketToken", reflect.TypeOf((*MockTokenAccessor)(nil).CreateSynAckPacketToken), proto314, claims, encodedBuf, nonce, claimsHeader, secrets, secretKey)
}

// ParsePacketToken mocks base method
func (m *MockTokenAccessor) ParsePacketToken(privateKey *ephemeralkeys.PrivateKey, data []byte, secrets secrets.Secrets, c *tokens.ConnectionClaims, b bool) ([]byte, *claimsheader.ClaimsHeader, *pkiverifier.PKIControllerInfo, []byte, string, bool, error) {
	ret := m.ctrl.Call(m, "ParsePacketToken", privateKey, data, secrets, c, b)
	ret0, _ := ret[0].([]byte)
	ret1, _ := ret[1].(*claimsheader.ClaimsHeader)
	ret2, _ := ret[2].(*pkiverifier.PKIControllerInfo)
	ret3, _ := ret[3].([]byte)
	ret4, _ := ret[4].(string)
	ret5, _ := ret[5].(bool)
	ret6, _ := ret[6].(error)
	return ret0, ret1, ret2, ret3, ret4, ret5, ret6
}

// ParsePacketToken indicates an expected call of ParsePacketToken
func (mr *MockTokenAccessorMockRecorder) ParsePacketToken(privateKey, data, secrets, c, b interface{}) *gomock.Call {
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ParsePacketToken", reflect.TypeOf((*MockTokenAccessor)(nil).ParsePacketToken), privateKey, data, secrets, c, b)
}

// ParseAckToken mocks base method
func (m *MockTokenAccessor) ParseAckToken(proto314 bool, secretKey, nonce, data []byte, connClaims *tokens.ConnectionClaims) error {
	ret := m.ctrl.Call(m, "ParseAckToken", proto314, secretKey, nonce, data, connClaims)
	ret0, _ := ret[0].(error)
	return ret0
}

// ParseAckToken indicates an expected call of ParseAckToken
func (mr *MockTokenAccessorMockRecorder) ParseAckToken(proto314, secretKey, nonce, data, connClaims interface{}) *gomock.Call {
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ParseAckToken", reflect.TypeOf((*MockTokenAccessor)(nil).ParseAckToken), proto314, secretKey, nonce, data, connClaims)
}

// Randomize mocks base method
func (m *MockTokenAccessor) Randomize(arg0, arg1 []byte) error {
	ret := m.ctrl.Call(m, "Randomize", arg0, arg1)
	ret0, _ := ret[0].(error)
	return ret0
}

// Randomize indicates an expected call of Randomize
func (mr *MockTokenAccessorMockRecorder) Randomize(arg0, arg1 interface{}) *gomock.Call {
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Randomize", reflect.TypeOf((*MockTokenAccessor)(nil).Randomize), arg0, arg1)
}

// Sign mocks base method
func (m *MockTokenAccessor) Sign(arg0 []byte, arg1 *ecdsa.PrivateKey) ([]byte, error) {
	ret := m.ctrl.Call(m, "Sign", arg0, arg1)
	ret0, _ := ret[0].([]byte)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// Sign indicates an expected call of Sign
func (mr *MockTokenAccessorMockRecorder) Sign(arg0, arg1 interface{}) *gomock.Call {
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Sign", reflect.TypeOf((*MockTokenAccessor)(nil).Sign), arg0, arg1)
}


================================================
FILE: controller/internal/enforcer/nfqdatapath/tokenaccessor/tokenaccessor.go
================================================
package tokenaccessor

import (
	"bytes"
	"crypto/ecdsa"
	"errors"
	"fmt"
	"time"

	enforcerconstants "go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/constants"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/utils/ephemeralkeys"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/claimsheader"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/pkiverifier"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/secrets"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/tokens"
)

// tokenAccessor is a wrapper around tokenEngine to provide locks for accessing
type tokenAccessor struct {
	tokens   tokens.TokenEngine
	serverID string
	validity time.Duration
}

// New creates a new instance of TokenAccessor interface
func New(serverID string, validity time.Duration, secret secrets.Secrets) (TokenAccessor, error) {

	var tokenEngine tokens.TokenEngine
	var err error

	tokenEngine, err = tokens.NewBinaryJWT(validity, serverID)
	if err != nil {
		return nil, err
	}

	return &tokenAccessor{
		tokens:   tokenEngine,
		serverID: serverID,
		validity: validity,
	}, nil
}

// GetTokenValidity returns the duration the token is valid for
func (t *tokenAccessor) GetTokenValidity() time.Duration {
	return t.validity
}

// GetTokenServerID returns the server ID which is used the generate the token.
func (t *tokenAccessor) GetTokenServerID() string {
	return t.serverID
}

// CreateAckPacketToken creates the authentication token
func (t *tokenAccessor) CreateAckPacketToken(proto314 bool, secretKey []byte, claims *tokens.ConnectionClaims, encodedBuf []byte) ([]byte, error) {

	token, err := t.tokens.CreateAckToken(proto314, secretKey, claims, encodedBuf, claimsheader.NewClaimsHeader())
	if err != nil {
		return nil, fmt.Errorf("unable to create ack token: %v", err)
	}

	return token, nil
}

func (t *tokenAccessor) Randomize(token []byte, nonce []byte) error {
	return t.tokens.Randomize(token, nonce)
}

func (t *tokenAccessor) Sign(buf []byte, key *ecdsa.PrivateKey) ([]byte, error) {
	return t.tokens.Sign(buf, key)
}

// createSynPacketToken creates the authentication token
func (t *tokenAccessor) CreateSynPacketToken(claims *tokens.ConnectionClaims, encodedBuf []byte, nonce []byte, claimsHeader *claimsheader.ClaimsHeader, secrets secrets.Secrets) ([]byte, error) {
	token, err := t.tokens.CreateSynToken(claims, encodedBuf, nonce, claimsHeader, secrets)
	if err != nil {
		return nil, fmt.Errorf("unable to create syn token: %v", err)
	}

	return token, nil
}

// createSynAckPacketToken  creates the authentication token for SynAck packets
// We need to sign the received token. No caching possible here
func (t *tokenAccessor) CreateSynAckPacketToken(proto314 bool, claims *tokens.ConnectionClaims, encodedBuf []byte, nonce []byte, claimsHeader *claimsheader.ClaimsHeader, secrets secrets.Secrets, secretKey []byte) ([]byte, error) {
	token, err := t.tokens.CreateSynAckToken(proto314, claims, encodedBuf, nonce, claimsHeader, secrets, secretKey)
	if err != nil {
		return nil, fmt.Errorf("unable to create synack token: %v", err)
	}

	return token, nil
}

// parsePacketToken parses the packet token and populates the right state.
// Returns an error if the token cannot be parsed or the signature fails
func (t *tokenAccessor) ParsePacketToken(privateKey *ephemeralkeys.PrivateKey, data []byte, secrets secrets.Secrets, claims *tokens.ConnectionClaims, isSynAck bool) ([]byte, *claimsheader.ClaimsHeader, *pkiverifier.PKIControllerInfo, []byte, string, bool, error) {

	// Validate the certificate and parse the token
	secretKey, header, nonce, controller, proto314, err := t.tokens.DecodeSyn(isSynAck, data, privateKey, secrets, claims)
	if err != nil {
		return nil, nil, nil, nil, "", false, err
	}

	// We always a need a valid remote context ID
	if claims.T == nil {
		return nil, nil, nil, nil, "", false, errors.New("no claims found")
	}

	remoteContextID, ok := claims.T.Get(enforcerconstants.TransmitterLabel)
	if !ok {
		return nil, nil, nil, nil, "", false, errors.New("no transmitter label")
	}

	return secretKey, header, controller, nonce, remoteContextID, proto314, nil
}

// parseAckToken parses the tokens in Ack packets. They don't carry all the state context
// and it needs to be recovered
func (t *tokenAccessor) ParseAckToken(proto314 bool, secretKey []byte, nonce []byte, data []byte, connClaims *tokens.ConnectionClaims) error {

	// Validate the certificate and parse the token
	if err := t.tokens.DecodeAck(proto314, secretKey, data, connClaims); err != nil {
		return err
	}

	if !bytes.Equal(connClaims.RMT, nonce) {
		return errors.New("failed to match context in ack packet")
	}

	return nil
}


================================================
FILE: controller/internal/enforcer/nfqdatapath/tokenaccessor/tokenaccessor_test.go
================================================
// +build !windows

package tokenaccessor

import (
	"testing"

	"github.com/golang/mock/gomock"
	. "github.com/smartystreets/goconvey/convey"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/secrets/mocksecrets"
)

func Test_NewTokenAccessor(t *testing.T) {
	Convey("Given I create new token accessor", t, func() {
		ctrl := gomock.NewController(t)
		defer ctrl.Finish()

		tok, err := New("serverID", 2, &mocksecrets.MockSecrets{})
		So(err, ShouldBeNil)
		So(tok, ShouldNotBeNil)

		tok, err = New("serverID", 2, &mocksecrets.MockSecrets{})
		So(err, ShouldBeNil)
		So(tok, ShouldNotBeNil)
	})
}


================================================
FILE: controller/internal/enforcer/nfqdatapath/utils.go
================================================
package nfqdatapath

import (
	"go.aporeto.io/enforcerd/trireme-lib/collector"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/connection"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packet"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/pucontext"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
)

func (d *Datapath) reportAcceptedFlow(p *packet.Packet, conn *connection.TCPConnection, sourceID string, destID string, context *pucontext.PUContext, report *policy.FlowPolicy, packet *policy.FlowPolicy, reverse bool) { // nolint:unparam

	if sourceID == destID {
		report = &policy.FlowPolicy{
			Action:   policy.Accept | policy.Log,
			PolicyID: "local",
		}
		packet = report
	}

	sourceController, destinationController := getTCPConnectionInfo(conn)

	src, dst := d.generateEndpoints(p, sourceID, destID, reverse)

	d.reportFlow(p, src, dst, context, "", report, packet, sourceController, destinationController)
}

func (d *Datapath) reportRejectedFlow(p *packet.Packet, conn *connection.TCPConnection, sourceID string, destID string, context *pucontext.PUContext, mode string, report *policy.FlowPolicy, packet *policy.FlowPolicy, reverse bool) { // nolint:unparam

	if report == nil {
		report = &policy.FlowPolicy{
			Action:   policy.Reject | policy.Log,
			PolicyID: "default",
		}
	}
	if packet == nil {
		packet = report
	}

	sourceController, destinationController := getTCPConnectionInfo(conn)

	src, dst := d.generateEndpoints(p, sourceID, destID, reverse)

	d.reportFlow(p, src, dst, context, mode, report, packet, sourceController, destinationController)
}

func (d *Datapath) reportUDPAcceptedFlow(p *packet.Packet, conn *connection.UDPConnection, sourceID string, destID string, context *pucontext.PUContext, report *policy.FlowPolicy, packet *policy.FlowPolicy, reverse bool) { // nolint:unparam

	sourceController, destinationController := getUDPConnectionInfo(conn)

	src, dst := d.generateEndpoints(p, sourceID, destID, reverse)

	d.reportFlow(p, src, dst, context, "", report, packet, sourceController, destinationController)
}

func (d *Datapath) reportUDPRejectedFlow(p *packet.Packet, conn *connection.UDPConnection, sourceID string, destID string, context *pucontext.PUContext, mode string, report *policy.FlowPolicy, packet *policy.FlowPolicy, reverse bool) { // nolint:unparam
	if report == nil {
		report = &policy.FlowPolicy{
			Action:   policy.Reject | policy.Log,
			PolicyID: "default",
		}
	}
	if packet == nil {
		packet = report
	}

	sourceController, destinationController := getUDPConnectionInfo(conn)

	src, dst := d.generateEndpoints(p, sourceID, destID, reverse)
	d.reportFlow(p, src, dst, context, mode, report, packet, sourceController, destinationController)
}

func (d *Datapath) reportExternalServiceFlowCommon(context *pucontext.PUContext, report *policy.FlowPolicy, actual *policy.FlowPolicy, app bool, p *packet.Packet, src, dst *collector.EndPoint) {
	if app {
		// If you have an observe policy then its external network gets reported as the dest or src ID.
		// Really we should has an oSrc and oDest ID but currently we don't.
		src.ID = context.ManagementID()
		src.Type = collector.EndPointTypePU
		dst.ID = report.ServiceID
		dst.Type = collector.EndPointTypeExternalIP
	} else {
		src.ID = report.ServiceID
		src.Type = collector.EndPointTypeExternalIP
		dst.ID = context.ManagementID()
		dst.Type = collector.EndPointTypePU
	}

	dropReason := ""
	if report.Action.Rejected() || actual.Action.Rejected() {
		dropReason = collector.PolicyDrop
	}

	record := &collector.FlowRecord{
		ContextID:   context.ID(),
		Source:      *src,
		Destination: *dst,
		DropReason:  dropReason,
		Action:      actual.Action,
		PolicyID:    actual.PolicyID,
		L4Protocol:  p.IPProto(),
		Namespace:   context.ManagementNamespace(),
		Count:       1,
		RuleName:    actual.RuleName,
	}

	if context.Annotations() != nil {
		record.Tags = context.Annotations().GetSlice()
	}

	if report.ObserveAction.Observed() {
		record.ObservedAction = report.Action
		record.ObservedPolicyID = report.PolicyID
		record.ObservedActionType = report.ObserveAction
	}

	d.collector.CollectFlowEvent(record)
}

func (d *Datapath) reportExternalServiceFlow(context *pucontext.PUContext, report *policy.FlowPolicy, packet *policy.FlowPolicy, app bool, p *packet.Packet) {

	src := &collector.EndPoint{
		IP:   p.SourceAddress().String(),
		Port: p.SourcePort(),
	}

	dst := &collector.EndPoint{
		IP:   p.DestinationAddress().String(),
		Port: p.DestPort(),
	}

	d.reportExternalServiceFlowCommon(context, report, packet, app, p, src, dst)
}

func (d *Datapath) reportReverseExternalServiceFlow(context *pucontext.PUContext, report *policy.FlowPolicy, packet *policy.FlowPolicy, app bool, p *packet.Packet) {

	src := &collector.EndPoint{
		IP:   p.DestinationAddress().String(),
		Port: p.DestPort(),
	}

	dst := &collector.EndPoint{
		IP:   p.SourceAddress().String(),
		Port: p.SourcePort(),
	}

	d.reportExternalServiceFlowCommon(context, report, packet, app, p, src, dst)
}

func (d *Datapath) generateEndpoints(p *packet.Packet, sourceID string, destID string, reverse bool) (*collector.EndPoint, *collector.EndPoint) {

	src := &collector.EndPoint{
		ID:   sourceID,
		IP:   p.SourceAddress().String(),
		Port: p.SourcePort(),
		Type: collector.EndPointTypePU,
	}

	dst := &collector.EndPoint{
		ID:   destID,
		IP:   p.DestinationAddress().String(),
		Port: p.DestPort(),
		Type: collector.EndPointTypePU,
	}

	if src.ID == collector.DefaultEndPoint {
		src.Type = collector.EndPointTypeExternalIP
	}
	if dst.ID == collector.DefaultEndPoint {
		dst.Type = collector.EndPointTypeExternalIP
	}

	if reverse {
		return dst, src
	}

	return src, dst
}

func getTCPConnectionInfo(conn *connection.TCPConnection) (string, string) {
	sourceController, destinationController := "", ""
	if conn != nil {
		sourceController, destinationController = conn.SourceController, conn.DestinationController
	}
	return sourceController, destinationController
}

func getUDPConnectionInfo(conn *connection.UDPConnection) (string, string) {
	sourceController, destinationController := "", ""
	if conn != nil {
		sourceController, destinationController = conn.SourceController, conn.DestinationController
	}
	return sourceController, destinationController
}


================================================
FILE: controller/internal/enforcer/nfqdatapath/utils_test.go
================================================
// +build linux

package nfqdatapath

import (
	"crypto/ecdsa"
	"net"
	"testing"

	"github.com/golang/mock/gomock"
	. "github.com/smartystreets/goconvey/convey"
	"go.aporeto.io/enforcerd/trireme-lib/collector"
	"go.aporeto.io/enforcerd/trireme-lib/collector/mockcollector"
	"go.aporeto.io/enforcerd/trireme-lib/controller/constants"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/connection"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packet"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/pucontext"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/secrets/mocksecrets"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
)

var (
	srcAddress        = net.ParseIP("1.1.1.1")
	srcPort    uint16 = 2000
	srcID             = "src5454"
	dstAddress        = net.ParseIP("2.2.2.2")
	dstPort    uint16 = 80
	dstID             = "dst4545"
)

func setupDatapath(ctrl *gomock.Controller, collector collector.EventCollector) *Datapath {

	defer MockGetUDPRawSocket()()

	secrets := mocksecrets.NewMockSecrets(ctrl)
	secrets.EXPECT().AckSize().Return(uint32(300)).AnyTimes()
	secrets.EXPECT().EncodingKey().Return(&ecdsa.PrivateKey{}).AnyTimes()
	secrets.EXPECT().TransmittedKey().Return([]byte("dummy")).AnyTimes()

	return newWithDefaults(ctrl, "serverID", collector, secrets, constants.RemoteContainer, []string{"1._,1.1.1/31"}, false)
}

func generateCommonTestData(action policy.ActionType, oaction policy.ObserveActionType) (*packet.Packet, *connection.TCPConnection, *connection.UDPConnection, *pucontext.PUContext, *policy.FlowPolicy) { // nolint

	p := packet.TestGetTCPPacket(srcAddress, dstAddress, srcPort, dstPort)

	tcpConn := &connection.TCPConnection{}
	udpConn := &connection.UDPConnection{}
	puContext := &pucontext.PUContext{}
	policy := &policy.FlowPolicy{Action: action}

	return p, tcpConn, udpConn, puContext, policy
}

func generateTestEndpoints(reverse bool) (*collector.EndPoint, *collector.EndPoint) {

	src := &collector.EndPoint{
		IP:   srcAddress.String(),
		Port: srcPort,
		ID:   srcID,
	}
	dst := &collector.EndPoint{
		IP:   dstAddress.String(),
		Port: dstPort,
		ID:   dstID,
	}

	if reverse {
		return dst, src
	}

	return src, dst
}

func TestReportAcceptedFlow(t *testing.T) {

	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	mockCollector := mockcollector.NewMockEventCollector(ctrl)

	Convey("Given I setup datapath", t, func() {
		dp := setupDatapath(ctrl, mockCollector)

		Convey("Then datapath should not be nil", func() {
			So(dp, ShouldNotBeNil)
		})

		Convey("Then check reportAcceptedFlow", func() {

			src, dst := generateTestEndpoints(false)

			flowRecord := collector.FlowRecord{
				Count:       1,
				Source:      *src,
				Destination: *dst,
				Action:      policy.Accept,
			}

			mockCollector.EXPECT().CollectFlowEvent(MyMatcher(&flowRecord)).Times(1)

			p, conn, _, context, policy := generateCommonTestData(policy.Accept, policy.ObserveNone)

			dp.reportAcceptedFlow(p, conn, srcID, dstID, context, policy, policy, false)
		})

		Convey("Then check reportAcceptedFlow with same src dst ID", func() {

			src, dst := generateTestEndpoints(false)

			flowRecord := collector.FlowRecord{
				Count:       1,
				Source:      *src,
				Destination: *dst,
				Action:      policy.Accept | policy.Log,
			}

			mockCollector.EXPECT().CollectFlowEvent(MyMatcher(&flowRecord)).Times(1)

			p, conn, _, context, policy := generateCommonTestData(policy.Accept|policy.Log, policy.ObserveNone)

			dp.reportAcceptedFlow(p, conn, srcID, srcID, context, policy, policy, false)
		})

		Convey("Then check reportAcceptedFlow with reverse", func() {

			src, dst := generateTestEndpoints(true)

			flowRecord := collector.FlowRecord{
				Count:       1,
				Source:      *src,
				Destination: *dst,
				Action:      policy.Accept,
			}

			mockCollector.EXPECT().CollectFlowEvent(MyMatcher(&flowRecord)).Times(1)

			p, conn, _, context, policy := generateCommonTestData(policy.Accept, policy.ObserveNone)

			dp.reportAcceptedFlow(p, conn, srcID, dstID, context, policy, policy, true)
		})
	})
}

func TestReportExternalServiceFlow(t *testing.T) {

	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	mockCollector := mockcollector.NewMockEventCollector(ctrl)

	Convey("Given I setup datapath", t, func() {
		dp := setupDatapath(ctrl, mockCollector)

		Convey("Then datapath should not be nil", func() {
			So(dp, ShouldNotBeNil)
		})

		Convey("Then check reportAcceptedFlow", func() {

			src, dst := generateTestEndpoints(false)

			flowRecord := collector.FlowRecord{
				Count:       1,
				Source:      *src,
				Destination: *dst,
				Action:      policy.Accept,
			}

			mockCollector.EXPECT().CollectFlowEvent(MyMatcher(&flowRecord)).Times(1)

			p, _, _, context, policy := generateCommonTestData(policy.Accept, policy.ObserveNone)

			dp.reportExternalServiceFlow(context, policy, policy, true, p)
		})

		Convey("Then check reportAcceptedFlow reverse", func() {

			src, dst := generateTestEndpoints(false)

			flowRecord := collector.FlowRecord{
				Count:       1,
				Source:      *dst,
				Destination: *src,
				Action:      policy.Reject,
				DropReason:  collector.PolicyDrop,
			}

			mockCollector.EXPECT().CollectFlowEvent(MyMatcher(&flowRecord)).Times(1)

			p, _, _, context, policy := generateCommonTestData(policy.Reject, policy.ObserveContinue)

			dp.reportReverseExternalServiceFlow(context, policy, policy, false, p)
		})
	})
}

func TestReportUDPAcceptedFlow(t *testing.T) {

	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	mockCollector := mockcollector.NewMockEventCollector(ctrl)

	Convey("Given I setup datapath", t, func() {
		dp := setupDatapath(ctrl, mockCollector)

		Convey("Then datapath should not be nil", func() {
			So(dp, ShouldNotBeNil)
		})

		Convey("Then check reportAcceptedFlow", func() {

			src, dst := generateTestEndpoints(false)

			flowRecord := collector.FlowRecord{
				Count:       1,
				Source:      *src,
				Destination: *dst,
				Action:      policy.Accept,
			}

			mockCollector.EXPECT().CollectFlowEvent(MyMatcher(&flowRecord)).Times(1)

			p, _, conn, context, policy := generateCommonTestData(policy.Accept, policy.ObserveNone)

			dp.reportUDPAcceptedFlow(p, conn, srcID, dstID, context, policy, policy, false)
		})

		Convey("Then check reportAcceptedFlow with reverse", func() {

			src, dst := generateTestEndpoints(true)

			flowRecord := collector.FlowRecord{
				Count:       1,
				Source:      *src,
				Destination: *dst,
				Action:      policy.Accept,
			}

			mockCollector.EXPECT().CollectFlowEvent(MyMatcher(&flowRecord)).Times(1)

			p, _, conn, context, policy := generateCommonTestData(policy.Accept, policy.ObserveNone)

			dp.reportUDPAcceptedFlow(p, conn, srcID, dstID, context, policy, policy, true)
		})
	})
}

func TestReportRejectedFlow(t *testing.T) {

	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	mockCollector := mockcollector.NewMockEventCollector(ctrl)

	Convey("Given I setup datapath", t, func() {
		dp := setupDatapath(ctrl, mockCollector)

		Convey("Then datapath should not be nil", func() {
			So(dp, ShouldNotBeNil)
		})

		Convey("Then check reportRejectedFlow", func() {

			src, dst := generateTestEndpoints(false)

			flowRecord := collector.FlowRecord{
				Count:       1,
				Source:      *src,
				Destination: *dst,
				Action:      policy.Reject,
				DropReason:  collector.PolicyDrop,
			}

			mockCollector.EXPECT().CollectFlowEvent(MyMatcher(&flowRecord)).Times(1)

			p, conn, _, context, policy := generateCommonTestData(policy.Reject, policy.ObserveNone)

			dp.reportRejectedFlow(p, conn, srcID, dstID, context, collector.PolicyDrop, policy, policy, false)
		})

		Convey("Then check reportRejectedFlow with report and packet policy nil", func() {

			src, dst := generateTestEndpoints(false)

			flowRecord := collector.FlowRecord{
				Count:       1,
				Source:      *src,
				Destination: *dst,
				Action:      policy.Reject | policy.Log,
				DropReason:  collector.PolicyDrop,
			}

			mockCollector.EXPECT().CollectFlowEvent(MyMatcher(&flowRecord)).Times(1)

			p, conn, _, context, _ := generateCommonTestData(policy.Reject|policy.Log, policy.ObserveNone)

			dp.reportRejectedFlow(p, conn, srcID, dstID, context, collector.PolicyDrop, nil, nil, false)
		})

		Convey("Then check reportRejectedFlow with reverse", func() {

			src, dst := generateTestEndpoints(true)

			flowRecord := collector.FlowRecord{
				Count:       1,
				Source:      *src,
				Destination: *dst,
				Action:      policy.Reject,
				DropReason:  collector.PolicyDrop,
			}

			mockCollector.EXPECT().CollectFlowEvent(MyMatcher(&flowRecord)).Times(1)

			p, conn, _, context, policy := generateCommonTestData(policy.Reject, policy.ObserveNone)

			dp.reportRejectedFlow(p, conn, srcID, dstID, context, collector.PolicyDrop, policy, policy, true)
		})
	})
}

func TestReportUDPRejectedFlow(t *testing.T) {

	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	mockCollector := mockcollector.NewMockEventCollector(ctrl)

	Convey("Given I setup datapath", t, func() {
		dp := setupDatapath(ctrl, mockCollector)

		Convey("Then datapath should not be nil", func() {
			So(dp, ShouldNotBeNil)
		})

		Convey("Then check reportRejectedFlow", func() {

			src, dst := generateTestEndpoints(false)

			flowRecord := collector.FlowRecord{
				Count:       1,
				Source:      *src,
				Destination: *dst,
				Action:      policy.Reject,
				DropReason:  collector.PolicyDrop,
			}

			mockCollector.EXPECT().CollectFlowEvent(MyMatcher(&flowRecord)).Times(1)

			p, _, conn, context, policy := generateCommonTestData(policy.Reject, policy.ObserveNone)

			dp.reportUDPRejectedFlow(p, conn, srcID, dstID, context, collector.PolicyDrop, policy, policy, false)
		})

		Convey("Then check reportRejectedFlow with policy and packet policy nil", func() {

			src, dst := generateTestEndpoints(false)

			flowRecord := collector.FlowRecord{
				Count:       1,
				Source:      *src,
				Destination: *dst,
				Action:      policy.Reject | policy.Log,
				DropReason:  collector.PolicyDrop,
			}

			mockCollector.EXPECT().CollectFlowEvent(MyMatcher(&flowRecord)).Times(1)

			p, _, conn, context, _ := generateCommonTestData(policy.Reject|policy.Log, policy.ObserveNone)

			dp.reportUDPRejectedFlow(p, conn, srcID, dstID, context, collector.PolicyDrop, nil, nil, false)
		})

		Convey("Then check reportRejectedFlow with reverse", func() {

			src, dst := generateTestEndpoints(true)

			flowRecord := collector.FlowRecord{
				Count:       1,
				Source:      *src,
				Destination: *dst,
				Action:      policy.Reject,
				DropReason:  collector.PolicyDrop,
			}

			mockCollector.EXPECT().CollectFlowEvent(MyMatcher(&flowRecord)).Times(1)

			p, _, conn, context, policy := generateCommonTestData(policy.Reject, policy.ObserveNone)

			dp.reportUDPRejectedFlow(p, conn, srcID, dstID, context, collector.PolicyDrop, policy, policy, true)
		})
	})
}

func TestReportDefaultEndpoint(t *testing.T) {

	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	mockCollector := mockcollector.NewMockEventCollector(ctrl)

	Convey("Given I setup datapath", t, func() {
		dp := setupDatapath(ctrl, mockCollector)

		Convey("Then datapath should not be nil", func() {
			So(dp, ShouldNotBeNil)
		})

		Convey("Then check reportRejectedFlow with dest ID set to default", func() {

			src, dst := generateTestEndpoints(false)
			src.Type = collector.EndPointTypePU
			dst.ID = collector.DefaultEndPoint
			dst.Type = collector.EndPointTypeExternalIP

			flowRecord := collector.FlowRecord{
				Count:       1,
				Source:      *src,
				Destination: *dst,
				Action:      policy.Reject,
				DropReason:  collector.PolicyDrop,
			}

			mockCollector.EXPECT().CollectFlowEvent(EndpointTypeMatcher(&flowRecord)).Times(1)

			p, conn, _, context, policy := generateCommonTestData(policy.Reject, policy.ObserveNone)

			dp.reportRejectedFlow(p, conn, src.ID, dst.ID, context, collector.PolicyDrop, policy, policy, false)
		})

		Convey("Then check reportAcceptedFlow with src ID set to default", func() {

			src, dst := generateTestEndpoints(false)
			dst.Type = collector.EndPointTypePU
			src.ID = collector.DefaultEndPoint
			src.Type = collector.EndPointTypeExternalIP

			flowRecord := collector.FlowRecord{
				Count:       1,
				Source:      *src,
				Destination: *dst,
				Action:      policy.Accept,
			}

			mockCollector.EXPECT().CollectFlowEvent(EndpointTypeMatcher(&flowRecord)).Times(1)

			p, conn, _, context, policy := generateCommonTestData(policy.Accept, policy.ObserveNone)

			dp.reportAcceptedFlow(p, conn, src.ID, dst.ID, context, policy, policy, false)
		})
	})
}


================================================
FILE: controller/internal/enforcer/proxy/enforcerproxy.go
================================================
// Package enforcerproxy :: This is the implementation of the RPC client
// It implements the interface of Trireme Enforcer and forwards these
// requests to the actual remote enforcer instead of implementing locally
package enforcerproxy

import (
	"context"
	"fmt"
	"strconv"
	"sync"
	"time"

	"go.aporeto.io/enforcerd/trireme-lib/collector"
	"go.aporeto.io/enforcerd/trireme-lib/common"
	"go.aporeto.io/enforcerd/trireme-lib/controller/constants"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/utils/rpcwrapper"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/processmon"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/ebpf"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/env"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/fqconfig"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packettracing"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/remoteenforcer"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/secrets"
	"go.aporeto.io/enforcerd/trireme-lib/controller/runtime"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
	"go.aporeto.io/enforcerd/trireme-lib/utils/crypto"
	"go.uber.org/zap"
)

// ProxyInfo is the struct used to hold state about active enforcers in the system
type ProxyInfo struct {
	mutualAuth             bool
	packetLogs             bool
	Secrets                secrets.Secrets
	serverID               string
	validity               time.Duration
	prochdl                processmon.ProcessManager
	rpchdl                 rpcwrapper.RPCClient
	filterQueue            fqconfig.FilterQueue
	commandArg             string
	statsServerSecret      string
	procMountPoint         string
	ExternalIPCacheTimeout time.Duration
	collector              collector.EventCollector
	cfg                    *runtime.Configuration
	tokenIssuer            common.ServiceTokenIssuer
	binaryTokens           bool
	isBPFEnabled           bool
	ipv6Enabled            bool
	serviceMeshType        policy.ServiceMesh
	rpcServer              rpcwrapper.RPCServer
	iptablesLockfile       string
	sync.RWMutex
}

// Enforce method makes a RPC call for the remote enforcer enforce method
func (s *ProxyInfo) Enforce(ctx context.Context, contextID string, puInfo *policy.PUInfo) error {

	initEnforcer, err := s.prochdl.LaunchRemoteEnforcer(
		contextID,
		puInfo.Runtime.Pid(),
		puInfo.Runtime.NSPath(),
		s.commandArg,
		s.statsServerSecret,
		s.procMountPoint,
		puInfo.Policy.EnforcerType(),
	)

	if err != nil {
		return err
	}

	zap.L().Debug("Called enforce and launched remote process", zap.String("contextID", contextID),
		zap.String("enforcer type", puInfo.Policy.EnforcerType().String()),
		zap.String("serviceMeshType", puInfo.Runtime.ServiceMeshType.String()),
		zap.String("name", puInfo.Runtime.Name()))

	s.serviceMeshType = puInfo.Runtime.ServiceMeshType
	if initEnforcer {
		if err := s.initRemoteEnforcer(contextID); err != nil {
			s.prochdl.KillRemoteEnforcer(contextID, true) // nolint errcheck
			return err
		}
	}

	enforcerPayload := &rpcwrapper.EnforcePayload{
		ContextID: contextID,
		Policy:    puInfo.Policy.ToPublicPolicy(),
	}

	//Only the secrets need to be under lock. They can change async to the enforce call from Updatesecrets
	s.RLock()
	enforcerPayload.Secrets = s.Secrets.RPCSecrets()
	s.RUnlock()
	request := &rpcwrapper.Request{
		Payload: enforcerPayload,
	}

	if err := s.rpchdl.RemoteCall(contextID, remoteenforcer.Enforce, request, &rpcwrapper.Response{}); err != nil {
		s.prochdl.KillRemoteEnforcer(contextID, true) // nolint errcheck
		return fmt.Errorf("failed to send message to remote enforcer: %s", err)
	}

	return nil
}

// Unenforce stops enforcing policy for the given contextID.
func (s *ProxyInfo) Unenforce(ctx context.Context, contextID string) error {

	request := &rpcwrapper.Request{
		Payload: &rpcwrapper.UnEnforcePayload{
			ContextID: contextID,
		},
	}

	if err := s.rpchdl.RemoteCall(contextID, remoteenforcer.Unenforce, request, &rpcwrapper.Response{}); err != nil {
		zap.L().Error("failed to send message to remote enforcer", zap.Error(err))
	}

	return s.prochdl.KillRemoteEnforcer(contextID, true)
}

// UpdateSecrets updates the secrets used for signing communication between trireme instances
func (s *ProxyInfo) UpdateSecrets(token secrets.Secrets) error {
	s.Lock()
	s.Secrets = token
	s.Unlock()

	var allErrors string

	resp := &rpcwrapper.Response{}
	request := &rpcwrapper.Request{
		Payload: &rpcwrapper.UpdateSecretsPayload{
			Secrets: s.Secrets.RPCSecrets(),
		},
	}

	for _, contextID := range s.rpchdl.ContextList() {
		if err := s.rpchdl.RemoteCall(contextID, remoteenforcer.UpdateSecrets, request, resp); err != nil {
			allErrors = allErrors + " contextID " + contextID + ":" + err.Error()
		}
	}

	if len(allErrors) > 0 {
		return fmt.Errorf("unable to update secrets for some remotes: %s", allErrors)
	}

	return nil
}

// SetLogLevel sets log level.
func (s *ProxyInfo) SetLogLevel(level constants.LogLevel) error {

	resp := &rpcwrapper.Response{}
	request := &rpcwrapper.Request{
		Payload: &rpcwrapper.SetLogLevelPayload{
			Level: level,
		},
	}

	var allErrors string

	for _, contextID := range s.rpchdl.ContextList() {
		if err := s.rpchdl.RemoteCall(contextID, remoteenforcer.SetLogLevel, request, resp); err != nil {
			allErrors = allErrors + " contextID " + contextID + ":" + err.Error()
		}
	}

	if len(allErrors) > 0 {
		return fmt.Errorf("unable to set log level: %s", allErrors)
	}

	return nil
}

// CleanUp sends a cleanup command to all the remotes forcing them to exit and clean their state.
func (s *ProxyInfo) CleanUp() error {
	var synch sync.Mutex
	var wg sync.WaitGroup

	contextList := s.rpchdl.ContextList()
	lenCids := len(contextList)

	if lenCids == 0 {
		return nil
	}

	zap.L().Info(strconv.Itoa(lenCids) + " remote enforcers waiting to be exited")

	var chs []chan string

	wg.Add(lenCids)
	for i := 0; i < 4; i++ {
		ch := make(chan string)
		chs = append(chs, ch)

		go func(ch chan string) {
			var cid string
			for {
				cid = <-ch
				if err := s.prochdl.KillRemoteEnforcer(cid, false); err != nil {
					zap.L().Error("enforcer with contextID "+cid+"failed to exit", zap.Error(err))
				}
				synch.Lock()
				lenCids = lenCids - 1
				m := 0
				switch {
				case lenCids >= 500:
					m = 250
				case lenCids >= 100:
					m = 100
				case lenCids >= 10:
					m = 10
				default:
					m = 1
				}

				if lenCids%m == 0 {
					zap.L().Info(strconv.Itoa(lenCids) + " remote enforcers waiting to be exited")
				}
				synch.Unlock()
				wg.Done()
			}
		}(ch)
	}

	for i, contextID := range contextList {
		chs[i%4] <- contextID
	}

	wg.Wait()
	zap.L().Info("All remote enforcers have exited...")

	return nil
}

// EnableDatapathPacketTracing enable nfq packet tracing in remote container
func (s *ProxyInfo) EnableDatapathPacketTracing(ctx context.Context, contextID string, direction packettracing.TracingDirection, interval time.Duration) error {

	resp := &rpcwrapper.Response{}

	request := &rpcwrapper.Request{
		Payload: &rpcwrapper.EnableDatapathPacketTracingPayLoad{
			Direction: direction,
			Interval:  interval,
			ContextID: contextID,
		},
	}

	if err := s.rpchdl.RemoteCall(contextID, remoteenforcer.EnableDatapathPacketTracing, request, resp); err != nil {
		return fmt.Errorf("unable to enable datapath packet tracing %s -- %s", err, resp.Status)
	}

	return nil
}

// EnableIPTablesPacketTracing enable iptables tracing
func (s *ProxyInfo) EnableIPTablesPacketTracing(ctx context.Context, contextID string, interval time.Duration) error {

	request := &rpcwrapper.Request{
		Payload: &rpcwrapper.EnableIPTablesPacketTracingPayLoad{
			IPTablesPacketTracing: true,
			Interval:              interval,
			ContextID:             contextID,
		},
	}

	if err := s.rpchdl.RemoteCall(contextID, remoteenforcer.EnableIPTablesPacketTracing, request, &rpcwrapper.Response{}); err != nil {
		return fmt.Errorf("Unable to enable iptables tracing for contextID %s: %s", contextID, err)
	}

	return nil
}

// SetTargetNetworks does the RPC call for SetTargetNetworks to the corresponding
// remote enforcers
func (s *ProxyInfo) SetTargetNetworks(cfg *runtime.Configuration) error {
	resp := &rpcwrapper.Response{}
	request := &rpcwrapper.Request{
		Payload: &rpcwrapper.SetTargetNetworksPayload{
			Configuration: cfg,
		},
	}

	var allErrors string

	for _, contextID := range s.rpchdl.ContextList() {
		if err := s.rpchdl.RemoteCall(contextID, remoteenforcer.SetTargetNetworks, request, resp); err != nil {
			allErrors = allErrors + " contextID " + contextID + ":" + err.Error()
		}
	}

	s.Lock()
	s.cfg = cfg
	s.Unlock()

	if len(allErrors) > 0 {
		return fmt.Errorf("Remote enforcers failed: %s", allErrors)
	}

	return nil
}

// GetBPFObject returns the bpf object
func (s *ProxyInfo) GetBPFObject() ebpf.BPFModule {
	return nil
}

// GetServiceMeshType is unimplemented in the envoy authorizer
func (s *ProxyInfo) GetServiceMeshType() policy.ServiceMesh {
	return policy.None
}

// GetFilterQueue returns the current FilterQueueConfig.
func (s *ProxyInfo) GetFilterQueue() fqconfig.FilterQueue {
	return s.filterQueue
}

// Run starts the the remote enforcer proxy.
func (s *ProxyInfo) Run(ctx context.Context) error {

	handler := &ProxyRPCServer{
		rpchdl:      s.rpcServer,
		collector:   s.collector,
		secret:      s.statsServerSecret,
		tokenIssuer: s.tokenIssuer,
		ctx:         ctx,
	}

	// Start the server for statistics collection.
	go s.rpcServer.StartServer(ctx, "unix", constants.StatsChannel, handler) // nolint

	return nil
}

// Ping runs ping from the given config.
func (s *ProxyInfo) Ping(ctx context.Context, contextID string, pingConfig *policy.PingConfig) error {

	resp := &rpcwrapper.Response{}

	request := &rpcwrapper.Request{
		Payload: &rpcwrapper.PingPayload{
			ContextID:  contextID,
			PingConfig: pingConfig,
		},
	}

	if err := s.rpchdl.RemoteCall(contextID, remoteenforcer.Ping, request, resp); err != nil {
		return fmt.Errorf("unable to run ping %s -- %s", err, resp.Status)
	}

	return nil
}

// DebugCollect tells remote enforcer to start collecting debug info (pcap or misc commands).
// It does not wait for pcap collection to complete: the pid of tcpdump is returned.
// If another command is meant to be executed in remote enforcer, it should be quick, and its output is returned.
func (s *ProxyInfo) DebugCollect(ctx context.Context, contextID string, debugConfig *policy.DebugConfig) error {
	resp := &rpcwrapper.Response{}

	request := &rpcwrapper.Request{
		Payload: &rpcwrapper.DebugCollectPayload{
			ContextID:    contextID,
			PcapFilePath: debugConfig.FilePath,
			PcapFilter:   debugConfig.PcapFilter,
			CommandExec:  debugConfig.CommandExec,
		},
	}

	if err := s.rpchdl.RemoteCall(contextID, remoteenforcer.DebugCollect, request, resp); err != nil {
		return fmt.Errorf("unable to run debug collect %s -- %s", err, resp.Status)
	}

	responsePayload := resp.Payload.(rpcwrapper.DebugCollectResponsePayload)
	debugConfig.PID = responsePayload.PID
	debugConfig.CommandOutput = responsePayload.CommandOutput

	return nil
}

// initRemoteEnforcer method makes a RPC call to the remote enforcer
func (s *ProxyInfo) initRemoteEnforcer(contextID string) error {

	resp := &rpcwrapper.Response{}

	request := &rpcwrapper.Request{
		Payload: &rpcwrapper.InitRequestPayload{
			MutualAuth:             s.mutualAuth,
			Validity:               s.validity,
			ServerID:               s.serverID,
			ExternalIPCacheTimeout: s.ExternalIPCacheTimeout,
			PacketLogs:             s.packetLogs,
			Secrets:                s.Secrets.RPCSecrets(),
			Configuration:          s.cfg,
			BinaryTokens:           s.binaryTokens,
			IsBPFEnabled:           s.isBPFEnabled,
			ServiceMeshType:        s.serviceMeshType,
			IPv6Enabled:            s.ipv6Enabled,
			IPTablesLockfile:       s.iptablesLockfile,
		},
	}

	return s.rpchdl.RemoteCall(contextID, remoteenforcer.InitEnforcer, request, resp)
}

// NewProxyEnforcer creates a new proxy to remote enforcers.
func NewProxyEnforcer(
	ctx context.Context,
	mutualAuth bool,
	filterQueue fqconfig.FilterQueue,
	collector collector.EventCollector,
	secrets secrets.Secrets,
	serverID string,
	validity time.Duration,
	cmdArg string,
	procMountPoint string,
	ExternalIPCacheTimeout time.Duration,
	packetLogs bool,
	cfg *runtime.Configuration,
	runtimeError chan *policy.RuntimeError,
	remoteParameters *env.RemoteParameters,
	tokenIssuer common.ServiceTokenIssuer,
	isBPFEnabled bool,
	ipv6Enabled bool,
	iptablesLockfile string,
	rpcServer rpcwrapper.RPCServer,
) enforcer.Enforcer {

	statsServersecret, err := crypto.GenerateRandomString(32)
	if err != nil {
		// There is a very small chance of this happening we will log an error here.
		zap.L().Error("Failed to generate random secret for stats reporting", zap.Error(err))
		// We will use current time as the secret
		statsServersecret = time.Now().String()
	}

	rpcClient := rpcwrapper.NewRPCWrapper()

	return &ProxyInfo{
		mutualAuth:             mutualAuth,
		Secrets:                secrets,
		serverID:               serverID,
		validity:               validity,
		prochdl:                processmon.New(ctx, remoteParameters, runtimeError, rpcClient, filterQueue.GetNumQueues()),
		rpchdl:                 rpcClient,
		filterQueue:            filterQueue,
		commandArg:             cmdArg,
		statsServerSecret:      statsServersecret,
		procMountPoint:         procMountPoint,
		ExternalIPCacheTimeout: ExternalIPCacheTimeout,
		packetLogs:             packetLogs,
		collector:              collector,
		cfg:                    cfg,
		tokenIssuer:            tokenIssuer,
		isBPFEnabled:           isBPFEnabled,
		ipv6Enabled:            ipv6Enabled,
		iptablesLockfile:       iptablesLockfile,
		rpcServer:              rpcServer,
	}
}


================================================
FILE: controller/internal/enforcer/proxy/enforcerproxy_test.go
================================================
package enforcerproxy

import (
	"context"
	"fmt"
	"testing"
	"time"

	gomock "github.com/golang/mock/gomock"
	. "github.com/smartystreets/goconvey/convey"
	"go.aporeto.io/enforcerd/trireme-lib/collector"
	"go.aporeto.io/enforcerd/trireme-lib/controller/constants"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/utils/rpcwrapper"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/utils/rpcwrapper/mockrpcwrapper"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/processmon/mockprocessmon"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/env"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/fqconfig"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packettracing"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/remoteenforcer"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/secrets"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/secrets/testhelper"
	"go.aporeto.io/enforcerd/trireme-lib/controller/runtime"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
)

const procMountPoint = "/proc"

var (
	keypem, caPool, certPEM string
	token                   []byte
)

func init() {
	keypem = `-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIPkiHqtH372JJdAG/IxJlE1gv03cdwa8Lhg2b3m/HmbyoAoGCCqGSM49
AwEHoUQDQgAEAfAL+AfPj/DnxrU6tUkEyzEyCxnflOWxhouy1bdzhJ7vxMb1vQ31
8ZbW/WvMN/ojIXqXYrEpISoojznj46w64w==
-----END EC PRIVATE KEY-----`

	caPool = `-----BEGIN CERTIFICATE-----
MIIBhTCCASwCCQC8b53yGlcQazAKBggqhkjOPQQDAjBLMQswCQYDVQQGEwJVUzEL
MAkGA1UECAwCQ0ExDDAKBgNVBAcMA1NKQzEQMA4GA1UECgwHVHJpcmVtZTEPMA0G
A1UEAwwGdWJ1bnR1MB4XDTE2MDkyNzIyNDkwMFoXDTI2MDkyNTIyNDkwMFowSzEL
MAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQwwCgYDVQQHDANTSkMxEDAOBgNVBAoM
B1RyaXJlbWUxDzANBgNVBAMMBnVidW50dTBZMBMGByqGSM49AgEGCCqGSM49AwEH
A0IABJxneTUqhbtgEIwpKUUzwz3h92SqcOdIw3mfQkMjg3Vobvr6JKlpXYe9xhsN
rygJmLhMAN9gjF9qM9ybdbe+m3owCgYIKoZIzj0EAwIDRwAwRAIgC1fVMqdBy/o3
jNUje/Hx0fZF9VDyUK4ld+K/wF3QdK4CID1ONj/Kqinrq2OpjYdkgIjEPuXoOoR1
tCym8dnq4wtH
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIB3jCCAYOgAwIBAgIJALsW7pyC2ERQMAoGCCqGSM49BAMCMEsxCzAJBgNVBAYT
AlVTMQswCQYDVQQIDAJDQTEMMAoGA1UEBwwDU0pDMRAwDgYDVQQKDAdUcmlyZW1l
MQ8wDQYDVQQDDAZ1YnVudHUwHhcNMTYwOTI3MjI0OTAwWhcNMjYwOTI1MjI0OTAw
WjBLMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExDDAKBgNVBAcMA1NKQzEQMA4G
A1UECgwHVHJpcmVtZTEPMA0GA1UEAwwGdWJ1bnR1MFkwEwYHKoZIzj0CAQYIKoZI
zj0DAQcDQgAE4c2Fd7XeIB1Vfs51fWwREfLLDa55J+NBalV12CH7YEAnEXjl47aV
cmNqcAtdMUpf2oz9nFVI81bgO+OSudr3CqNQME4wHQYDVR0OBBYEFOBftuI09mmu
rXjqDyIta1gT8lqvMB8GA1UdIwQYMBaAFOBftuI09mmurXjqDyIta1gT8lqvMAwG
A1UdEwQFMAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAMylAHhbFA0KqhXIFiXNpEbH
JKaELL6UXXdeQ5yup8q+AiEAh5laB9rbgTymjaANcZ2YzEZH4VFS3CKoSdVqgnwC
dW4=
-----END CERTIFICATE-----`

	certPEM = `-----BEGIN CERTIFICATE-----
MIIBhjCCASwCCQCPCdgp39gHJTAKBggqhkjOPQQDAjBLMQswCQYDVQQGEwJVUzEL
MAkGA1UECAwCQ0ExDDAKBgNVBAcMA1NKQzEQMA4GA1UECgwHVHJpcmVtZTEPMA0G
A1UEAwwGdWJ1bnR1MB4XDTE2MDkyNzIyNDkwMFoXDTI2MDkyNTIyNDkwMFowSzEL
MAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQwwCgYDVQQHDANTSkMxEDAOBgNVBAoM
B1RyaXJlbWUxDzANBgNVBAMMBnVidW50dTBZMBMGByqGSM49AgEGCCqGSM49AwEH
A0IABAHwC/gHz4/w58a1OrVJBMsxMgsZ35TlsYaLstW3c4Se78TG9b0N9fGW1v1r
zDf6IyF6l2KxKSEqKI854+OsOuMwCgYIKoZIzj0EAwIDSAAwRQIgQwQn0jnK/XvD
KxgQd/0pW5FOAaB41cMcw4/XVlphO1oCIQDlGie+WlOMjCzrV0Xz+XqIIi1pIgPT
IG7Nv+YlTVp5qA==
-----END CERTIFICATE-----`

	token = []byte{0x65, 0x79, 0x4A, 0x68, 0x62, 0x47, 0x63, 0x69, 0x4F, 0x69, 0x4A, 0x46, 0x55, 0x7A, 0x49, 0x31, 0x4E, 0x69, 0x49, 0x73, 0x49, 0x6E, 0x52, 0x35, 0x63, 0x43, 0x49, 0x36, 0x49, 0x6B, 0x70, 0x58, 0x56, 0x43, 0x4A, 0x39, 0x2E, 0x65, 0x79, 0x4A, 0x59, 0x49, 0x6A, 0x6F, 0x78, 0x4F, 0x44, 0x51, 0x32, 0x4E, 0x54, 0x6B, 0x78, 0x4D, 0x7A, 0x63, 0x33, 0x4E, 0x44, 0x41, 0x35, 0x4D, 0x7A, 0x4D, 0x35, 0x4D, 0x7A, 0x51, 0x33, 0x4D, 0x54, 0x4D, 0x77, 0x4D, 0x6A, 0x4D, 0x35, 0x4E, 0x6A, 0x45, 0x79, 0x4E, 0x6A, 0x55, 0x79, 0x4D, 0x7A, 0x45, 0x77, 0x4E, 0x44, 0x51, 0x30, 0x4F, 0x44, 0x63, 0x34, 0x4D, 0x7A, 0x45, 0x78, 0x4E, 0x6A, 0x4D, 0x30, 0x4E, 0x7A, 0x6B, 0x32, 0x4D, 0x6A, 0x4D, 0x32, 0x4D, 0x7A, 0x67, 0x30, 0x4E, 0x54, 0x59, 0x30, 0x4E, 0x6A, 0x51, 0x78, 0x4E, 0x7A, 0x67, 0x78, 0x4E, 0x44, 0x41, 0x78, 0x4F, 0x44, 0x63, 0x35, 0x4F, 0x44, 0x4D, 0x30, 0x4D, 0x44, 0x51, 0x78, 0x4E, 0x53, 0x77, 0x69, 0x57, 0x53, 0x49, 0x36, 0x4F, 0x44, 0x59, 0x78, 0x4F, 0x44, 0x41, 0x7A, 0x4E, 0x6A, 0x45, 0x33, 0x4D, 0x6A, 0x67, 0x34, 0x4D, 0x54, 0x6B, 0x79, 0x4D, 0x44, 0x41, 0x30, 0x4D, 0x6A, 0x41, 0x33, 0x4D, 0x44, 0x63, 0x30, 0x4D, 0x44, 0x6B, 0x78, 0x4D, 0x54, 0x41, 0x33, 0x4D, 0x54, 0x49, 0x33, 0x4D, 0x7A, 0x49, 0x78, 0x4F, 0x54, 0x45, 0x34, 0x4D, 0x54, 0x45, 0x77, 0x4F, 0x44, 0x41, 0x77, 0x4E, 0x54, 0x41, 0x79, 0x4F, 0x54, 0x59, 0x79, 0x4D, 0x6A, 0x49, 0x78, 0x4D, 0x54, 0x41, 0x32, 0x4E, 0x44, 0x41, 0x30, 0x4D, 0x54, 0x6B, 0x32, 0x4F, 0x54, 0x49, 0x34, 0x4D, 0x54, 0x55, 0x78, 0x4D, 0x6A, 0x55, 0x31, 0x4E, 0x54, 0x55, 0x30, 0x4F, 0x54, 0x63, 0x73, 0x49, 0x6D, 0x56, 0x34, 0x63, 0x43, 0x49, 0x36, 0x4D, 0x54, 0x55, 0x7A, 0x4D, 0x7A, 0x49, 0x30, 0x4D, 0x54, 0x6B, 0x78, 0x4D, 0x6E, 0x30, 0x2E, 0x56, 0x43, 0x44, 0x30, 0x54, 0x61, 0x4C, 0x69, 0x66, 0x74, 0x35, 0x63, 0x6A, 0x6E, 0x66, 0x74, 0x73, 0x7A, 0x57, 0x63, 0x43, 0x74, 0x56, 0x64, 0x59, 0x49, 0x63, 0x5A, 0x44, 0x58, 0x63, 0x73, 0x67, 0x66, 0x47, 0x41, 0x69, 0x33, 0x42, 0x77, 0x6F, 0x73, 0x4A, 0x50, 0x68, 0x6F, 0x76, 0x6A, 0x57, 0x65, 0x56, 0x65, 0x74, 0x6E, 0x55, 0x44, 0x44, 0x46, 0x69, 0x45, 0x37, 0x4E, 0x78, 0x76, 0x4E, 0x6A, 0x32, 0x52, 0x43, 0x53, 0x79, 0x4A, 0x76, 0x2D, 0x52, 0x6F, 0x71, 0x72, 0x6F, 0x78, 0x4E, 0x48, 0x4B, 0x4B, 0x37, 0x77}
}

func eventCollector() collector.EventCollector {
	newEvent := &collector.DefaultCollector{}
	return newEvent
}

func secretGen() secrets.Secrets {

	_, newSecret, _ := testhelper.NewTestCompactPKISecrets()
	return newSecret
}

func createPUInfo() *policy.PUInfo {

	rules := policy.IPRuleList{
		policy.IPRule{
			Addresses: []string{"192.30.253.0/24"},
			Ports:     []string{"80"},
			Protocols: []string{"TCP"},
			Policy:    &policy.FlowPolicy{Action: policy.Reject},
		},

		policy.IPRule{
			Addresses: []string{"192.30.253.0/24"},
			Ports:     []string{"443"},
			Protocols: []string{"TCP"},
			Policy:    &policy.FlowPolicy{Action: policy.Accept},
		},
	}

	ips := policy.ExtendedMap{
		policy.DefaultNamespace: "172.17.0.1",
	}

	runtime := policy.NewPURuntimeWithDefaults()
	runtime.SetIPAddresses(ips)
	plc := policy.NewPUPolicy("testServerID", "/ns1", policy.Police, rules, rules, nil, nil, nil, nil, nil, nil, ips, 0, 0, nil, nil, []string{}, policy.EnforcerMapping, policy.Reject|policy.Log, policy.Reject|policy.Log)

	return policy.PUInfoFromPolicyAndRuntime("testServerID", plc, runtime)

}

func setupProxyEnforcer() enforcer.Enforcer {
	mutualAuthorization := false
	defaultExternalIPCacheTimeout := time.Second * 40

	fqConfig := fqconfig.NewFilterQueue(
		1,
		[]string{},
	)

	policyEnf := NewProxyEnforcer(
		context.Background(),
		mutualAuthorization,
		fqConfig,
		eventCollector(),
		secretGen(),
		"testServerID",
		10*time.Minute,
		constants.DefaultRemoteArg,
		procMountPoint,
		defaultExternalIPCacheTimeout,
		false,
		&runtime.Configuration{TCPTargetNetworks: []string{"0.0.0.0/0"}},
		make(chan *policy.RuntimeError),
		&env.RemoteParameters{},
		nil,
		false,
		false,
		"",
		rpcwrapper.NewRPCServer(),
	)
	return policyEnf
}

func TestNewDefaultProxyEnforcer(t *testing.T) {
	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	Convey("When I try to start a proxy enforcer with defaults", t, func() {
		policyEnf := setupProxyEnforcer()

		e, ok := policyEnf.(*ProxyInfo)
		So(ok, ShouldBeTrue)
		Convey("Then policyEnf should be correct", func() {
			So(e, ShouldNotBeNil)
			So(e.rpchdl, ShouldNotBeNil)
			So(e.statsServerSecret, ShouldNotEqual, "")
		})
	})
}

func TestInitRemoteEnforcer(t *testing.T) {
	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	Convey("When I try to start a proxy enforcer with defaults", t, func() {
		rpchdl := mockrpcwrapper.NewMockRPCClient(ctrl)
		policyEnf := setupProxyEnforcer()
		e := policyEnf.(*ProxyInfo)
		e.rpchdl = rpchdl

		Convey("When I try to initiate a remote enforcer", func() {
			rpchdl.EXPECT().RemoteCall("testServerID", remoteenforcer.InitEnforcer, gomock.Any(), gomock.Any()).Times(1).Return(nil)
			err := e.initRemoteEnforcer("testServerID")

			Convey("Then I should not get any error", func() {
				So(err, ShouldBeNil)
			})
		})
	})
}

func TestEnforce(t *testing.T) {
	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	Convey("When I try to start a proxy enforcer with defaults", t, func() {
		rpchdl := mockrpcwrapper.NewMockRPCClient(ctrl)
		prochdl := mockprocessmon.NewMockProcessManager(ctrl)
		policyEnf := setupProxyEnforcer()
		e := policyEnf.(*ProxyInfo)
		e.rpchdl = rpchdl
		e.prochdl = prochdl

		pu := createPUInfo()

		Convey("When launching the remote fails, it should error", func() {
			prochdl.EXPECT().LaunchRemoteEnforcer("pu", gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return(false, fmt.Errorf("error"))
			err := e.Enforce(context.Background(), "pu", pu)
			So(err, ShouldNotBeNil)
		})

		Convey("When launching the remote succeeds, and init is false, but the rpc calls fails, it should work", func() {
			prochdl.EXPECT().LaunchRemoteEnforcer("pu", gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return(false, nil)
			rpchdl.EXPECT().RemoteCall("pu", remoteenforcer.Enforce, gomock.Any(), gomock.Any()).Return(fmt.Errorf("error"))
			prochdl.EXPECT().KillRemoteEnforcer("pu", true)
			err := e.Enforce(context.Background(), "pu", pu)
			So(err, ShouldNotBeNil)
		})

		Convey("When launching the remote succeeds, and init is false, and rpc succeeds, it should work", func() {
			prochdl.EXPECT().LaunchRemoteEnforcer("pu", gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return(false, nil)
			rpchdl.EXPECT().RemoteCall("pu", remoteenforcer.Enforce, gomock.Any(), gomock.Any()).Return(nil)
			err := e.Enforce(context.Background(), "pu", pu)
			So(err, ShouldBeNil)
		})

		Convey("When launching the remote succeeds, and init is true, and init of remote fails, it should error", func() {
			prochdl.EXPECT().LaunchRemoteEnforcer("pu", gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return(true, nil)
			rpchdl.EXPECT().RemoteCall("pu", remoteenforcer.InitEnforcer, gomock.Any(), gomock.Any()).Times(1).Return(fmt.Errorf("error"))
			prochdl.EXPECT().KillRemoteEnforcer("pu", true)
			err := e.Enforce(context.Background(), "pu", pu)
			So(err, ShouldNotBeNil)
		})

		Convey("When launching succeeds with init true, it should not error", func() {
			prochdl.EXPECT().LaunchRemoteEnforcer("pu", gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return(true, nil)
			rpchdl.EXPECT().RemoteCall("pu", remoteenforcer.InitEnforcer, gomock.Any(), gomock.Any()).Times(1).Return(nil)
			rpchdl.EXPECT().RemoteCall("pu", remoteenforcer.Enforce, gomock.Any(), gomock.Any()).Return(nil)
			err := e.Enforce(context.Background(), "pu", pu)
			So(err, ShouldBeNil)
		})
	})
}

func TestUnenforce(t *testing.T) {
	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	Convey("When I try to start a proxy enforcer with defaults", t, func() {
		rpchdl := mockrpcwrapper.NewMockRPCClient(ctrl)
		prochdl := mockprocessmon.NewMockProcessManager(ctrl)
		policyEnf := setupProxyEnforcer()
		e := policyEnf.(*ProxyInfo)
		e.rpchdl = rpchdl
		e.prochdl = prochdl

		Convey("When I try to call unenforce", func() {
			rpchdl.EXPECT().RemoteCall("testServerID", remoteenforcer.Unenforce, gomock.Any(), gomock.Any()).Times(1).Return(nil)
			prochdl.EXPECT().KillRemoteEnforcer("testServerID", true)
			err := e.Unenforce(context.Background(), "testServerID")
			So(err, ShouldBeNil)
		})

		Convey("When I try to call unenforce and there is a failure", func() {
			rpchdl.EXPECT().RemoteCall("testServerID", remoteenforcer.Unenforce, gomock.Any(), gomock.Any()).Times(1).Return(fmt.Errorf("error"))
			prochdl.EXPECT().KillRemoteEnforcer("testServerID", true)
			err := e.Unenforce(context.Background(), "testServerID")

			Convey("Then I should not get an error", func() {
				So(err, ShouldBeNil)
			})
		})
	})
}

func TestUpdateSecrets(t *testing.T) {
	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	Convey("When I update the secrets", t, func() {
		rpchdl := mockrpcwrapper.NewMockRPCClient(ctrl)
		prochdl := mockprocessmon.NewMockProcessManager(ctrl)
		policyEnf := setupProxyEnforcer()
		e := policyEnf.(*ProxyInfo)
		e.rpchdl = rpchdl
		e.prochdl = prochdl

		Convey("When there is no container, I should get no error", func() {
			rpchdl.EXPECT().ContextList().Return([]string{})
			err := e.UpdateSecrets(secretGen())
			So(err, ShouldBeNil)
		})

		Convey("When I get a set of PUs, I should update all of them", func() {
			rpchdl.EXPECT().ContextList().Return([]string{"pu1", "pu2"})
			rpchdl.EXPECT().RemoteCall("pu1", remoteenforcer.UpdateSecrets, gomock.Any(), gomock.Any())
			rpchdl.EXPECT().RemoteCall("pu2", remoteenforcer.UpdateSecrets, gomock.Any(), gomock.Any())

			err := e.UpdateSecrets(secretGen())
			So(err, ShouldBeNil)
		})

		Convey("When I get a set of PUs, and one of them fails, I should get an error", func() {
			rpchdl.EXPECT().ContextList().Return([]string{"pu1", "pu2"})
			rpchdl.EXPECT().RemoteCall("pu1", remoteenforcer.UpdateSecrets, gomock.Any(), gomock.Any()).Return(fmt.Errorf("error"))
			rpchdl.EXPECT().RemoteCall("pu2", remoteenforcer.UpdateSecrets, gomock.Any(), gomock.Any())

			err := e.UpdateSecrets(secretGen())
			So(err, ShouldNotBeNil)
		})
	})
}
func TestCleanup(t *testing.T) {
	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	Convey("When I request a cleanup", t, func() {
		rpchdl := mockrpcwrapper.NewMockRPCClient(ctrl)
		prochdl := mockprocessmon.NewMockProcessManager(ctrl)
		policyEnf := setupProxyEnforcer()
		e := policyEnf.(*ProxyInfo)
		e.rpchdl = rpchdl
		e.prochdl = prochdl

		Convey("When there is no container, I should get no error", func() {
			rpchdl.EXPECT().ContextList().Return([]string{})
			err := e.CleanUp()
			So(err, ShouldBeNil)
		})

		Convey("When I get a set of PUs, I should call kill for all of them", func() {
			rpchdl.EXPECT().ContextList().Return([]string{"pu1", "pu2"})
			prochdl.EXPECT().KillRemoteEnforcer("pu1", false)
			prochdl.EXPECT().KillRemoteEnforcer("pu2", false)
			err := e.CleanUp()
			So(err, ShouldBeNil)
		})
	})
}

func TestEnableDatapathPacketTracing(t *testing.T) {
	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	Convey("When I try to start a proxy enforcer with defaults", t, func() {
		rpchdl := mockrpcwrapper.NewMockRPCClient(ctrl)
		prochdl := mockprocessmon.NewMockProcessManager(ctrl)
		policyEnf := setupProxyEnforcer()
		e := policyEnf.(*ProxyInfo)
		e.rpchdl = rpchdl
		e.prochdl = prochdl

		Convey("When I try to call unenforce", func() {
			rpchdl.EXPECT().RemoteCall("testServerID", remoteenforcer.EnableDatapathPacketTracing, gomock.Any(), gomock.Any()).Times(1).Return(nil)
			err := e.EnableDatapathPacketTracing(context.TODO(), "testServerID", packettracing.NetworkOnly, 10*time.Second)
			So(err, ShouldBeNil)
		})

		Convey("When I try to call unenforce and there is a failure", func() {
			rpchdl.EXPECT().RemoteCall("testServerID", remoteenforcer.EnableDatapathPacketTracing, gomock.Any(), gomock.Any()).Times(1).Return(fmt.Errorf("error"))
			err := e.EnableDatapathPacketTracing(context.TODO(), "testServerID", packettracing.NetworkOnly, 10*time.Second)

			Convey("Then I should get an error", func() {
				So(err, ShouldNotBeNil)
			})
		})
	})
}

func TestEnableIPTablesPacketTracing(t *testing.T) {
	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	Convey("When I try to start a proxy enforcer with defaults", t, func() {
		rpchdl := mockrpcwrapper.NewMockRPCClient(ctrl)
		prochdl := mockprocessmon.NewMockProcessManager(ctrl)
		policyEnf := setupProxyEnforcer()
		e := policyEnf.(*ProxyInfo)
		e.rpchdl = rpchdl
		e.prochdl = prochdl

		Convey("When I try to call unenforce", func() {
			rpchdl.EXPECT().RemoteCall("testServerID", remoteenforcer.EnableIPTablesPacketTracing, gomock.Any(), gomock.Any()).Times(1).Return(nil)
			err := e.EnableIPTablesPacketTracing(context.TODO(), "testServerID", 10*time.Second)
			So(err, ShouldBeNil)
		})

		Convey("When I try to call unenforce and there is a failure", func() {
			rpchdl.EXPECT().RemoteCall("testServerID", remoteenforcer.EnableIPTablesPacketTracing, gomock.Any(), gomock.Any()).Times(1).Return(fmt.Errorf("error"))
			err := e.EnableIPTablesPacketTracing(context.TODO(), "testServerID", 10*time.Second)

			Convey("Then I should get an error", func() {
				So(err, ShouldNotBeNil)
			})
		})
	})
}

func TestSetTargetNetworks(t *testing.T) {
	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	Convey("When update the target networks", t, func() {
		rpchdl := mockrpcwrapper.NewMockRPCClient(ctrl)
		prochdl := mockprocessmon.NewMockProcessManager(ctrl)
		policyEnf := setupProxyEnforcer()
		e := policyEnf.(*ProxyInfo)
		e.rpchdl = rpchdl
		e.prochdl = prochdl

		Convey("When there is no container, I should get no error", func() {
			rpchdl.EXPECT().ContextList().Return([]string{})
			err := e.SetTargetNetworks(&runtime.Configuration{})
			So(err, ShouldBeNil)
		})

		Convey("When I get a set of PUs, I should call kill for all of them", func() {
			rpchdl.EXPECT().ContextList().Return([]string{"pu1", "pu2"})
			rpchdl.EXPECT().RemoteCall("pu1", remoteenforcer.SetTargetNetworks, gomock.Any(), gomock.Any())
			rpchdl.EXPECT().RemoteCall("pu2", remoteenforcer.SetTargetNetworks, gomock.Any(), gomock.Any())
			err := e.SetTargetNetworks(&runtime.Configuration{})
			So(err, ShouldBeNil)
		})

		Convey("When I get a set of PUs, and one of them fails, I should get an error", func() {
			rpchdl.EXPECT().ContextList().Return([]string{"pu1", "pu2"})
			rpchdl.EXPECT().RemoteCall("pu1", remoteenforcer.SetTargetNetworks, gomock.Any(), gomock.Any()).Return(fmt.Errorf("error"))
			rpchdl.EXPECT().RemoteCall("pu2", remoteenforcer.SetTargetNetworks, gomock.Any(), gomock.Any())
			err := e.SetTargetNetworks(&runtime.Configuration{})
			So(err, ShouldNotBeNil)
		})
	})
}

func TestPostReportEvent(t *testing.T) {
	ctrl := gomock.NewController(t)
	defer ctrl.Finish()
	rpchdl := mockrpcwrapper.NewMockRPCServer(ctrl)
	c := eventCollector()

	request := rpcwrapper.Request{
		PayloadType: rpcwrapper.PacketReport,
		Payload: &collector.PacketReport{
			DestinationIP: "12.12.12.12",
			SourceIP:      "1.1.1.1",
		},
	}
	statsserver := &ProxyRPCServer{
		rpchdl:    rpchdl,
		collector: c,
		secret:    "test",
		ctx:       context.Background(),
	}
	response := &rpcwrapper.Response{}

	Convey("Given i receive a invalid message from the remote enforcer ", t, func() {
		rpchdl.EXPECT().ProcessMessage(gomock.Any(), gomock.Any()).Times(1).Return(false)
		err := statsserver.PostReportEvent(request, response)
		So(err, ShouldNotBeNil)
	})

	Convey("Given i receive a valid message from the remote enforcer ", t, func() {
		rpchdl.EXPECT().ProcessMessage(gomock.Any(), gomock.Any()).Times(1).Return(true)
		err := statsserver.PostReportEvent(request, response)
		So(err, ShouldBeNil)
	})
}


================================================
FILE: controller/internal/enforcer/proxy/rpcserver.go
================================================
package enforcerproxy

import (
	"context"
	"errors"
	"fmt"
	"time"

	"go.aporeto.io/enforcerd/trireme-lib/collector"
	"go.aporeto.io/enforcerd/trireme-lib/common"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/utils/rpcwrapper"
)

// ProxyRPCServer This struct is a receiver for Statsserver and maintains a handle to the RPC ProxyRPCServer.
type ProxyRPCServer struct {
	collector   collector.EventCollector
	rpchdl      rpcwrapper.RPCServer
	secret      string
	tokenIssuer common.ServiceTokenIssuer
	ctx         context.Context
}

// PostStats is the function called from the remoteenforcer when it has new flow events to publish.
func (r *ProxyRPCServer) PostStats(req rpcwrapper.Request, resp *rpcwrapper.Response) error {

	if !r.rpchdl.ProcessMessage(&req, r.secret) {
		return errors.New("message sender cannot be verified")
	}

	payload := req.Payload.(rpcwrapper.StatsPayload)

	for _, record := range payload.Flows {
		r.collector.CollectFlowEvent(record)
	}
	payload.Flows = nil

	for _, record := range payload.Users {
		r.collector.CollectUserEvent(record)
	}
	payload.Users = nil

	return nil
}

// RetrieveToken propagates the master request to the token retriever and returns a token.
func (r *ProxyRPCServer) RetrieveToken(req rpcwrapper.Request, resp *rpcwrapper.Response) error {

	if !r.rpchdl.ProcessMessage(&req, r.secret) {
		return errors.New("message sender cannot be verified")
	}

	payload, ok := req.Payload.(rpcwrapper.TokenRequestPayload)
	if !ok {
		return errors.New("invalid request payload for token request")
	}

	subctx, cancel := context.WithTimeout(r.ctx, time.Second*60)
	defer cancel()

	token, err := r.tokenIssuer.Issue(subctx, payload.ContextID, payload.ServiceTokenType, payload.Audience, payload.Validity)
	if err != nil {
		resp.Status = "error"
		return fmt.Errorf("control plane failed to issue token: %s", err)
	}

	resp.Status = "ok"
	resp.Payload = &rpcwrapper.TokenResponsePayload{
		Token: token,
	}

	return nil
}

// PostReportEvent posts report events to the listener.
func (r *ProxyRPCServer) PostReportEvent(req rpcwrapper.Request, resp *rpcwrapper.Response) error {

	if !r.rpchdl.ProcessMessage(&req, r.secret) {
		return errors.New("message sender cannot be verified")
	}

	switch req.PayloadType {
	case rpcwrapper.PingReport:
		pingReport := req.Payload.(*collector.PingReport)
		r.collector.CollectPingEvent(pingReport)

	case rpcwrapper.PacketReport:
		debugReport := req.Payload.(*collector.PacketReport)
		r.collector.CollectPacketEvent(debugReport)

	case rpcwrapper.CounterReport:
		counterReport := req.Payload.(*collector.CounterReport)
		r.collector.CollectCounterEvent(counterReport)

	case rpcwrapper.DNSReport:
		dnsReport := req.Payload.(*collector.DNSRequestReport)
		r.collector.CollectDNSRequests(dnsReport)

	case rpcwrapper.ConnectionExceptionReport:
		connectionReport := req.Payload.(*collector.ConnectionExceptionReport)
		r.collector.CollectConnectionExceptionReport(connectionReport)

	default:
		return fmt.Errorf("unsupported report type: %v", req.PayloadType)
	}

	req.Payload = nil
	return nil
}


================================================
FILE: controller/internal/enforcer/secretsproxy/secretsproxy.go
================================================
// +build !windows

package secretsproxy

import (
	"bufio"
	"context"
	"fmt"
	"net"
	"net/http"
	"os"
	"strconv"
	"strings"
	"sync"

	"github.com/aporeto-inc/oxy/forward"
	"github.com/shirou/gopsutil/process"
	"go.aporeto.io/trireme-lib/common"
	"go.aporeto.io/trireme-lib/controller/constants"
	"go.aporeto.io/trireme-lib/controller/pkg/fqconfig"
	"go.aporeto.io/trireme-lib/controller/pkg/secrets"
	"go.aporeto.io/trireme-lib/controller/pkg/urisearch"
	"go.aporeto.io/trireme-lib/monitor/remoteapi/server"
	"go.aporeto.io/trireme-lib/policy"
	"go.aporeto.io/trireme-lib/utils/cache"
	"go.uber.org/zap"
)

// SecretsProxy holds all state information for applying policy
// in the secrets socket API.
type SecretsProxy struct {
	socketPath      string
	apiCacheMapping cache.DataStore
	drivers         cache.DataStore
	cgroupCache     cache.DataStore
	policyCache     cache.DataStore

	server *http.Server
	sync.Mutex
}

// NewSecretsProxy creates a new secrets proxy.
func NewSecretsProxy() *SecretsProxy {

	return &SecretsProxy{
		socketPath:      constants.DefaultSecretsPath,
		drivers:         cache.NewCache("secrets driver cache"),
		apiCacheMapping: cache.NewCache("secrets api cache"),
		cgroupCache:     cache.NewCache("secrets pu cache"),
		policyCache:     cache.NewCache("policy cache"),
	}
}

// Run implements the run method of the CtrlInterface. It starts the proxy
// server and initializes the data structures.
func (s *SecretsProxy) Run(ctx context.Context) error {
	s.Lock()
	defer s.Unlock()

	var err error

	// Start a custom listener
	addr, _ := net.ResolveUnixAddr("unix", s.socketPath)
	nl, err := net.ListenUnix("unix", addr)
	if err != nil {
		return fmt.Errorf("Unable to start API server: %s", err)
	}

	s.server = &http.Server{
		Handler: http.HandlerFunc(s.apiProcessor),
	}

	go func() {
		<-ctx.Done()
		s.server.Close() // nolint errcheck
	}()

	go s.server.Serve(server.NewUIDListener(nl)) // nolint errcheck

	return nil
}

// Enforce implements the corresponding interface of enforcers.
func (s *SecretsProxy) Enforce(puInfo *policy.PUInfo) error {
	return s.updateService(puInfo)
}

// Unenforce implements the corresponding interface of the enforcers.
func (s *SecretsProxy) Unenforce(contextID string) error {
	return s.deleteService(contextID)
}

// GetFilterQueue is a stub for TCP proxy
func (s *SecretsProxy) GetFilterQueue() *fqconfig.FilterQueue {
	return nil
}

// UpdateSecrets updates the secrets of running enforcers managed by trireme. Remote enforcers will
// get the secret updates with the next policy push.
func (s *SecretsProxy) UpdateSecrets(secret secrets.Secrets) error {
	return nil
}

// apiProcessor is called for every request. It processes the request
// and forwards to the originator of the secrets service after
// authenticating that the client can access the service.
func (s *SecretsProxy) apiProcessor(w http.ResponseWriter, r *http.Request) {
	zap.L().Info("Processing secrets call",
		zap.String("URI", r.RequestURI),
		zap.String("Host", r.Host),
		zap.String("Remote address", r.RemoteAddr),
	)

	// The remote address will contain the uid, gid and pid of the calling process.
	// This is because of the specific socket listener we are uing.
	parts := strings.Split(r.RemoteAddr, ":")
	if len(parts) != 3 {
		httpError(w, fmt.Errorf("Bad Remote Address"), "Unauthorized request", http.StatusUnauthorized)
		return
	}

	// We only care about the originating PID.
	pid := parts[2]
	cgroup, err := findParentCgroup(pid)
	if err != nil {
		httpError(w, err, "Unauthorized client - not the first process", http.StatusUnauthorized)
		return
	}

	data, err := s.apiCacheMapping.Get(cgroup)
	if err != nil {
		httpError(w, err, "Unauthorized client", http.StatusUnauthorized)
		return
	}

	// Find the corresponding API cache with the access permissions for
	// this particular client.
	apiCache, ok := data.(*urisearch.APICache)
	if !ok {
		httpError(w, fmt.Errorf("Invalid data types"), "Internal server error - invalid type", http.StatusInternalServerError)
		return
	}

	// Find the identity of the PU
	policyData, err := s.policyCache.Get(cgroup)
	if err != nil {
		httpError(w, err, "Unauthorized client", http.StatusUnauthorized)
		return
	}

	scopes, ok := policyData.([]string)
	if !ok {
		httpError(w, fmt.Errorf("Invalid data types"), "Internal server error - invalid type", http.StatusInternalServerError)
		return
	}

	// Search the API cache for matching rules.
	found, _ := apiCache.FindAndMatchScope(r.Method, r.RequestURI, scopes)
	if !found {
		httpError(w, fmt.Errorf("Unauthorized service"), "Unauthorized access", http.StatusUnauthorized)
		return
	}

	// Retrieve the secrets driver data and information.
	driverData, err := s.drivers.Get(cgroup)
	if err != nil {
		httpError(w, err, "No secrets driver for this client", http.StatusBadRequest)
		return
	}
	driver, ok := driverData.(SecretsDriver)
	if !ok {
		httpError(w, fmt.Errorf("driver not found"), "Bad driver", http.StatusInternalServerError)
		return
	}

	// Transfor the request based on the driver.
	if err := driver.Transform(r); err != nil {
		httpError(w, err, "Secrets driver error", http.StatusInternalServerError)
		return
	}

	// Forward the request. TODO .. we need to massage the return here.
	forwarder, err := forward.New(forward.RoundTripper(driver.Transport()))
	if err != nil {
		httpError(w, err, "Failed to configure forwarder", http.StatusInternalServerError)
		return
	}

	forwarder.ServeHTTP(w, r)
}

func (s *SecretsProxy) updateService(puInfo *policy.PUInfo) error {
	var cgroup string

	// Only supporting secrets for containers PUs at this time.
	if puInfo.Runtime.PUType() != common.ContainerPU {
		return nil
	}
	// First we need to determine the corresponding cgroup. We will look at the
	// cache since this might be an update event. If that fails, we will look
	// at the runtime. If it is not found we abort. If we find the cgroup
	// we add it to the cache for future reference.
	cgroupData, err := s.cgroupCache.Get(puInfo.ContextID)
	if err == nil {
		cgroup = cgroupData.(string)
	} else {
		if puInfo.Runtime == nil {
			return fmt.Errorf("Unable to find cgroup")
		}
		var found bool
		cgroup, found = puInfo.Policy.Annotations().Get("@sys:cgroupparent")
		if !found {
			// This is not Kubernetes. We will associate the cgroup with the enforcer.
			cgroup = puInfo.ContextID
		}
		s.cgroupCache.AddOrUpdate(puInfo.ContextID, cgroup)
	}

	scopes := append(puInfo.Policy.Identity().Copy().Tags, puInfo.Policy.Scopes()...)
	s.policyCache.AddOrUpdate(cgroup, scopes)

	// Scan through the dependent services for secrets distribution services.
	for _, service := range puInfo.Policy.DependentServices() {
		// Ignore all other services
		if service.Type != policy.ServiceSecretsProxy {
			continue
		}

		uriCache := urisearch.NewAPICache(service.HTTPRules, service.ID, true)
		s.apiCacheMapping.AddOrUpdate(cgroup, uriCache)
		// Parse the service definition and instantiate the transform driver.

		d, err := NewGenericSecretsDriver(service.CACert, service.AuthToken, service.NetworkInfo)
		if err != nil {
			return fmt.Errorf("Failed to create secrets driver: %s", err)
		}
		s.drivers.AddOrUpdate(cgroup, d)
	}
	return nil
}

func (s *SecretsProxy) deleteService(contextID string) error {

	cgroupData, err := s.cgroupCache.Get(contextID)
	if err != nil {
		// Returning nil here. Nothing anyone can do about it.
		zap.L().Debug("PU not found in secrets controller - unable to clean state")
		return nil
	}
	s.cgroupCache.Remove(contextID)               // nolint errcheck
	s.apiCacheMapping.Remove(cgroupData.(string)) // nolint errcheck
	s.drivers.Remove(cgroupData.(string))         // nolint errcheck
	s.policyCache.Remove(cgroupData.(string))     // nolint errcheck

	return nil
}

func httpError(w http.ResponseWriter, err error, msg string, number int) {
	zap.L().Error(msg, zap.Error(err))
	http.Error(w, msg, number)
}

// ValidateOriginProcess implements a strict validation of the origin process. We might add later.
func ValidateOriginProcess(pid string) (string, error) {

	pidNumber, err := strconv.Atoi(pid)
	if err != nil {
		return "", fmt.Errorf("Invalid PID %s", pid)
	}
	process, err := process.NewProcess(int32(pidNumber))
	if err != nil {
		return "", fmt.Errorf("Process not found: %s", err)
	}
	ppid, err := process.Ppid()
	if err != nil {
		return "", fmt.Errorf("Parent process not found: %s", err)
	}
	parentPidCgroup, err := processCgroups(strconv.Itoa(int(ppid)), "net_cls,net_prio")
	if err != nil {
		return "", fmt.Errorf("Parent cgroup not found: %s", err)
	}
	if parentPidCgroup != "/" {
		return "", fmt.Errorf("Parent is not root cgroup - authorization fail")
	}
	return findParentCgroup(pid)
}

func processCgroups(pid string, cgroupType string) (string, error) {
	path := fmt.Sprintf("/aporetoproc/%s/cgroup", pid)

	f, err := os.Open(path)
	if err != nil {
		return "", err
	}
	defer f.Close() // nolint

	scanner := bufio.NewScanner(f)
	for scanner.Scan() {
		if err := scanner.Err(); err != nil {
			return "", err
		}
		text := scanner.Text()
		if !strings.Contains(text, cgroupType) {
			continue
		}
		parts := strings.SplitN(text, ":", 3)
		if len(parts) < 3 {
			continue
		}
		return parts[2], nil
	}
	return "", fmt.Errorf("cgroup not found")
}

// findParentCgroup returns the parent cgroup of the process caller
func findParentCgroup(pid string) (string, error) {

	cgroup, err := processCgroups(pid, "net_cls,net_prio")
	if err != nil {
		return "", fmt.Errorf("Invalid cgroup: %s", err)
	}
	for i := len(cgroup) - 1; i > 0; i-- {
		if cgroup[i:i+1] == "/" {
			return cgroup[:i], nil
		}
	}
	if strings.HasPrefix(cgroup, "/docker/") && len(cgroup) > 8 {
		return cgroup[8:20], nil
	}
	return "", fmt.Errorf("Cannot find parent cgroup: %s", pid)
}


================================================
FILE: controller/internal/enforcer/secretsproxy/secretsproxy_windows.go
================================================
// +build windows

package secretsproxy

import (
	"context"

	"go.aporeto.io/trireme-lib/controller/pkg/fqconfig"
	"go.aporeto.io/trireme-lib/controller/pkg/secrets"
	"go.aporeto.io/trireme-lib/policy"
)

// SecretsProxy holds all state information for applying policy
// in the secrets socket API.
type SecretsProxy struct {
}

// NewSecretsProxy creates a new secrets proxy.
func NewSecretsProxy() *SecretsProxy {
	return &SecretsProxy{}
}

// Run implements the run method of the CtrlInterface. It starts the proxy
// server and initializes the data structures.
func (s *SecretsProxy) Run(ctx context.Context) error {
	return nil
}

// Enforce implements the corresponding interface of enforcers.
func (s *SecretsProxy) Enforce(puInfo *policy.PUInfo) error {
	return nil
}

// Unenforce implements the corresponding interface of the enforcers.
func (s *SecretsProxy) Unenforce(contextID string) error {
	return nil
}

// GetFilterQueue is a stub for TCP proxy
func (s *SecretsProxy) GetFilterQueue() *fqconfig.FilterQueue {
	return nil
}

// UpdateSecrets updates the secrets of running enforcers managed by trireme. Remote enforcers will
// get the secret updates with the next policy push.
func (s *SecretsProxy) UpdateSecrets(secret secrets.Secrets) error {
	return nil
}


================================================
FILE: controller/internal/enforcer/secretsproxy/transformer.go
================================================
package secretsproxy

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/url"
	"strconv"

	"go.aporeto.io/trireme-lib/common"
)

// SecretsDriver is a generic interface that the secrets driver must implement.
type SecretsDriver interface {
	Transport() http.RoundTripper
	Transform(r *http.Request) error
}

// GenericSecretsDriver holds the configuration information for the driver and implements
// the SecretsDriver interface.
type GenericSecretsDriver struct {
	transport *http.Transport
	token     string
	targetURL *url.URL
}

// NewGenericSecretsDriver creates a new Kubernetes Secrets Driver. It
// always uses the incluster config to automatically derive all the
// necessary values.
func NewGenericSecretsDriver(ca []byte, token string, network *common.Service) (SecretsDriver, error) {

	caPool := x509.NewCertPool()
	if !caPool.AppendCertsFromPEM(ca) {
		return nil, fmt.Errorf("No valid CA provided")
	}

	targetAddress := ""
	if len(network.FQDNs) > 0 {
		targetAddress = network.FQDNs[0]
	} else if len(network.Addresses) > 0 {
		targetAddress = network.Addresses[0].IP.String()
	} else {
		return nil, fmt.Errorf("No valid target")
	}

	if network.Ports.Min == 0 {
		return nil, fmt.Errorf("Invalid port specification")
	}

	targetURL, err := url.Parse("https://" + targetAddress + ":" + strconv.Itoa(int(network.Ports.Min)))
	if err != nil {
		return nil, fmt.Errorf("Invalid URL for secrets service")
	}

	return &GenericSecretsDriver{
		transport: &http.Transport{
			TLSClientConfig: &tls.Config{
				RootCAs: caPool,
			},
		},
		token:     token,
		targetURL: targetURL,
	}, nil
}

// Transport implements the transport interface of the SecretsDriver.
func (k *GenericSecretsDriver) Transport() http.RoundTripper {
	return k.transport
}

// Transform transforms the request of the SecretsDriver
func (k *GenericSecretsDriver) Transform(r *http.Request) error {

	r.Host = k.targetURL.Host
	r.URL = k.targetURL
	r.Header.Add("Authorization", "Bearer "+k.token)

	return nil
}


================================================
FILE: controller/internal/enforcer/utils/ephemeralkeys/ephemeralkeys.go
================================================
package ephemeralkeys

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"sync"
	"time"

	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/secrets"
	"go.aporeto.io/enforcerd/trireme-lib/utils/crypto"
)

//PrivateKey struct holds the ecdsa private key and its encoded string
type PrivateKey struct {
	*ecdsa.PrivateKey
	PrivateKeyString string
}

type ephemeralKey struct {
	privateKey  *PrivateKey
	publicKeyV1 []byte
	publicKeyV2 []byte
	sync.RWMutex
}

const keyInterval = 5 * time.Minute

// New creates a new key accessor
func New() (KeyAccessor, error) {
	privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}

	publicKeyBytesV1 := crypto.EncodePublicKeyV1(&privateKey.PublicKey)
	publicKeyBytesV2 := crypto.EncodePublicKeyV2(&privateKey.PublicKey)
	pvtKeyBytes := crypto.EncodePrivateKey(privateKey)

	keys := &ephemeralKey{
		privateKey:  &PrivateKey{privateKey, string(pvtKeyBytes)},
		publicKeyV1: publicKeyBytesV1,
		publicKeyV2: publicKeyBytesV2,
	}

	return keys, nil
}

// NewWithRenewal creates a new key accessor and renews it every keyInterval
func NewWithRenewal() (KeyAccessor, error) {
	privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}

	publicKeyBytesV1 := crypto.EncodePublicKeyV1(&privateKey.PublicKey)
	publicKeyBytesV2 := crypto.EncodePublicKeyV2(&privateKey.PublicKey)
	pvtKeyBytes := crypto.EncodePrivateKey(privateKey)

	keys := &ephemeralKey{
		privateKey:  &PrivateKey{privateKey, string(pvtKeyBytes)},
		publicKeyV1: publicKeyBytesV1,
		publicKeyV2: publicKeyBytesV2,
	}

	go func() {
		for {
			<-time.After(keyInterval)
			for i := 0; i < 5; i++ {
				privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
				if err != nil {
					continue
				}
				publicKeyBytesV1 := crypto.EncodePublicKeyV1(&privateKey.PublicKey)
				publicKeyBytesV2 := crypto.EncodePublicKeyV2(&privateKey.PublicKey)
				pvtKeyBytes := crypto.EncodePrivateKey(privateKey)

				keys.Lock()
				keys.privateKey = &PrivateKey{privateKey, string(pvtKeyBytes)}
				keys.publicKeyV1 = publicKeyBytesV1
				keys.publicKeyV2 = publicKeyBytesV2
				keys.Unlock()
				break
			}
		}
	}()

	return keys, nil
}

// PrivateKey return the private key of the keypair
func (k *ephemeralKey) PrivateKey() *PrivateKey {
	k.RLock()
	defer k.RUnlock()
	return k.privateKey
}

func (k *ephemeralKey) DecodingKeyV1() []byte {
	k.RLock()
	defer k.RUnlock()
	return k.publicKeyV1
}

func (k *ephemeralKey) DecodingKeyV2() []byte {
	k.RLock()
	defer k.RUnlock()
	return k.publicKeyV2
}

var secret secrets.Secrets
var lock sync.RWMutex

//GetDatapathSecret returns the secrets
func GetDatapathSecret() secrets.Secrets {
	lock.RLock()
	defer lock.RUnlock()
	return secret
}

//UpdateDatapathSecrets updates the secrets
func UpdateDatapathSecrets(s secrets.Secrets) {
	lock.Lock()
	secret = s
	lock.Unlock()
}


================================================
FILE: controller/internal/enforcer/utils/ephemeralkeys/interfaces.go
================================================
package ephemeralkeys

// KeyAccessor holds the ephemeral key functions
type KeyAccessor interface {
	PrivateKey() *PrivateKey
	DecodingKeyV1() []byte
	DecodingKeyV2() []byte
}


================================================
FILE: controller/internal/enforcer/utils/ephemeralkeys/mockephemeralkeys/mockephemeralkeys.go
================================================
// Code generated by MockGen. DO NOT EDIT.
// Source: controller/internal/enforcer/utils/ephemeralkeys/interfaces.go

// Package mockephemeralkeys is a generated GoMock package.
package mockephemeralkeys

import (
	ecdsa "crypto/ecdsa"
	reflect "reflect"

	gomock "github.com/golang/mock/gomock"
)

// MockKeyAccessor is a mock of KeyAccessor interface
// nolint
type MockKeyAccessor struct {
	ctrl     *gomock.Controller
	recorder *MockKeyAccessorMockRecorder
}

// MockKeyAccessorMockRecorder is the mock recorder for MockKeyAccessor
// nolint
type MockKeyAccessorMockRecorder struct {
	mock *MockKeyAccessor
}

// NewMockKeyAccessor creates a new mock instance
// nolint
func NewMockKeyAccessor(ctrl *gomock.Controller) *MockKeyAccessor {
	mock := &MockKeyAccessor{ctrl: ctrl}
	mock.recorder = &MockKeyAccessorMockRecorder{mock}
	return mock
}

// EXPECT returns an object that allows the caller to indicate expected use
// nolint
func (m *MockKeyAccessor) EXPECT() *MockKeyAccessorMockRecorder {
	return m.recorder
}

// PrivateKey mocks base method
// nolint
func (m *MockKeyAccessor) PrivateKey() *ecdsa.PrivateKey {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "PrivateKey")
	ret0, _ := ret[0].(*ecdsa.PrivateKey)
	return ret0
}

// PrivateKey indicates an expected call of PrivateKey
// nolint
func (mr *MockKeyAccessorMockRecorder) PrivateKey() *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "PrivateKey", reflect.TypeOf((*MockKeyAccessor)(nil).PrivateKey))
}

// DecodingKey mocks base method
// nolint
func (m *MockKeyAccessor) DecodingKey() []byte {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "DecodingKey")
	ret0, _ := ret[0].([]byte)
	return ret0
}

// DecodingKey indicates an expected call of DecodingKey
// nolint
func (mr *MockKeyAccessorMockRecorder) DecodingKey() *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DecodingKey", reflect.TypeOf((*MockKeyAccessor)(nil).DecodingKey))
}


================================================
FILE: controller/internal/enforcer/utils/nsenter/nsenter.c
================================================
// +build linux !darwin
// +build !windows

#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>

#define STRBUF_SIZE     128
void nsexec(void) {

  int fd = 0;
  char path[STRBUF_SIZE*2]={0};
  char msg[STRBUF_SIZE*4];
  char mountpoint[STRBUF_SIZE] = {0};
  char *container_pid_env = getenv("TRIREME_ENV_CONTAINER_PID");
  char *netns_path_env = getenv("TRIREME_ENV_NS_PATH");
  char *proc_mountpoint = getenv("TRIREME_ENV_PROC_MOUNTPOINT");
  if(container_pid_env == NULL){
    // We are not running as remote enforcer
    setenv("TRIREME_ENV_NSENTER_LOGS", "no container pid", 1);
    return;
  }
  if(netns_path_env == NULL){
    // This means the PID Needs to be used to determine the NetNsPath.
    if(proc_mountpoint == NULL){
      strncpy(mountpoint, "/proc", strlen("/proc")+1);
    }else{
      strncpy(mountpoint, proc_mountpoint, STRBUF_SIZE-1);
    }
    // Setup proc symlink
    snprintf(path, sizeof(path), "%s/%s/ns/net", mountpoint, container_pid_env);
  } else {
    // We use the env variable as the Path.
    strncpy(path, netns_path_env, STRBUF_SIZE);
  }

  // Setup FD to symlink
  fd = open(path, O_RDONLY);
  if(fd < 0) {
    snprintf(msg, sizeof(msg), "path:%s fd:%d", path, fd);
    setenv("TRIREME_ENV_NSENTER_ERROR_STATE",strerror(-ENOENT), 1);
    setenv("TRIREME_ENV_NSENTER_LOGS", path, 1);
    return;
  }

  // Set namespace
  int retval =syscall(308,fd,CLONE_NEWNET);
  snprintf(msg, sizeof(msg), "path:%s fd:%d retval:%d", path, fd, retval);
  setenv("TRIREME_ENV_NSENTER_LOGS",msg,1);
  if(retval < 0){
    setenv("TRIREME_ENV_NSENTER_ERROR_STATE",strerror(errno),1); 		
  }
}


================================================
FILE: controller/internal/enforcer/utils/nsenter/nsenter.go
================================================
// +build !linux

//Package nsenter for switching namespaces
package nsenter

//This package should only run on linux
//Don't test functionality of this package on non linux platforms as
//the setns call is not available there


================================================
FILE: controller/internal/enforcer/utils/nsenter/nsenter_linux.go
================================================
// +build linux

package nsenter

/*
#cgo CFLAGS: -Wall
extern void nsexec();
void __attribute__((constructor)) init(void) {
	nsexec();
}
*/
import "C"


================================================
FILE: controller/internal/enforcer/utils/packetgen/interfaces.go
================================================
package packetgen

import (
	"github.com/google/gopacket"
	"github.com/google/gopacket/layers"
)

//PacketFlowType type  for different types of flows
type PacketFlowType uint8

const (
	//PacketFlowTypeGenerateGoodFlow is used to generate a good floe
	PacketFlowTypeGenerateGoodFlow PacketFlowType = iota
	//PacketFlowTypeGoodFlowTemplate will have a good flow from a hardcoded template
	PacketFlowTypeGoodFlowTemplate
	//PacketFlowTypeMultipleGoodFlow will have two flows
	PacketFlowTypeMultipleGoodFlow
	//PacketFlowTypeMultipleIntervenedFlow will have two flows intervened to eachothers
	PacketFlowTypeMultipleIntervenedFlow
)

//EthernetPacketManipulator interface is used to create/manipulate Ethernet packet
type EthernetPacketManipulator interface {
	//Used to create an Ethernet layer
	AddEthernetLayer(srcMACstr string, dstMACstr string) error
	//Used to return Ethernet packet created
	GetEthernetPacket() layers.Ethernet
}

//IPPacketManipulator interface is used to create/manipulate IP packet
type IPPacketManipulator interface {
	//Used to create an IP layer
	AddIPLayer(srcIPstr string, dstIPstr string) error
	//Used to return IP packet created
	GetIPPacket() layers.IPv4
	//Used to return IP checksum
	GetIPChecksum() uint16
}

//TCPPacketManipulator interface is used to create/manipulate TCP packet
type TCPPacketManipulator interface {
	//Used to create a TCP layer
	AddTCPLayer(srcPort layers.TCPPort, dstPort layers.TCPPort) error
	//Used to return TCP packet
	GetTCPPacket() layers.TCP
	//Used to return TCP Sequence number
	GetTCPSequenceNumber() uint32
	//Used to return TCP Acknowledgement number number
	GetTCPAcknowledgementNumber() uint32
	//Used to return TCP window
	GetTCPWindow() uint16
	//Used to return TCP Syn flag
	GetTCPSyn() bool
	//Used to return TCP Ack flag
	GetTCPAck() bool
	//Used to return TCP Fin flag
	GetTCPFin() bool
	//Used to return TCP Checksum
	GetTCPChecksum() uint16
	//Used to set TCP Sequence number
	SetTCPSequenceNumber(seqNum uint32)
	//Used to set TCP Acknowledgement number
	SetTCPAcknowledgementNumber(ackNum uint32)
	//Used to set TCP Window
	SetTCPWindow(window uint16)
	//Used to set TCP Syn flag to true
	SetTCPSyn()
	//Used to set TCP Syn and Ack flag to true
	SetTCPSynAck()
	//Used to set TCP Ack flag to true
	SetTCPAck()
	//Used to set TCP Cwr flag to true
	SetTCPCwr()
	//Used to set TCP Ece flag to true
	SetTCPEce()
	//Used to set TCP Urg flag to true
	SetTCPUrg()
	//Used to set TCP Psh flag to true
	SetTCPPsh()
	//Used to set TCP Rst flag to true
	SetTCPRst()
	//Used to set TCP Fin flag to true
	SetTCPFin()
	//Used to add TCP Payload
	NewTCPPayload(newPayload string) error
}

//PacketHelper interface is a helper for packets and packet flows
//Optional: not needed for actual usage
type PacketHelper interface {
	ToBytes() ([]byte, error)
	AddPacket(packet gopacket.Packet)
	DecodePacket() PacketManipulator
}

//PacketManipulator is an interface for packet manipulations
//Composition of Ethernet, IP and TCP Manipulator interface
type PacketManipulator interface {
	EthernetPacketManipulator
	IPPacketManipulator
	TCPPacketManipulator
	PacketHelper
}

//PacketFlowManipulator is an interface for packet flow manipulations
//Used to create/manipulate packet flows
type PacketFlowManipulator interface {
	//Used to create a flow of TCP packets
	GenerateTCPFlow(pt PacketFlowType) (PacketFlowManipulator, error)
	//Used to return first TCP Syn packet
	GetFirstSynPacket() PacketManipulator
	//Used to return first TCP SynAck packet
	GetFirstSynAckPacket() PacketManipulator
	//Used to return first TCP Ack packet
	GetFirstAckPacket() PacketManipulator
	//Used to return all the TCP Syn packets from the flow
	GetSynPackets() PacketFlowManipulator
	//Used to return all the TCP SynAck packets from the flow
	GetSynAckPackets() PacketFlowManipulator
	//Used to return all the TCP Ack packets from the flow
	GetAckPackets() PacketFlowManipulator
	//Used to return all the packets upto first TCP SynAck packet from the flow
	GetUptoFirstSynAckPacket() PacketFlowManipulator
	//Used to return all the packets upto first TCP Ack packet from the flow
	GetUptoFirstAckPacket() PacketFlowManipulator
	//Used to return Nth packet from the flow
	GetNthPacket(index int) PacketManipulator
	//Used to return length of the flow
	GetNumPackets() int
	//Used to add a new packet to the flow
	AppendPacket(p PacketManipulator) int
}

//Packet is a custom type which holds the packets and implements PacketManipulator
type Packet struct {
	ethernetLayer *layers.Ethernet
	ipLayer       *layers.IPv4
	tcpLayer      *layers.TCP
	packet        gopacket.Packet
}

//PacketFlow is a custom type which holds the packet attributes and the flow
//Implements PacketFlowManipulator interface
type PacketFlow struct {
	sMAC, dMAC   string
	sIP, dIP     string
	sPort, dPort layers.TCPPort
	flow         []PacketManipulator
}


================================================
FILE: controller/internal/enforcer/utils/packetgen/packet_gen.go
================================================
//Package packetgen "PacketGen" is a Packet Generator library
//Current version: V1.0, Updates are coming soon
package packetgen

//Go libraries
import (
	"errors"
	"fmt"
	"net"

	"github.com/google/gopacket"
	"github.com/google/gopacket/layers"
)

//NewPacket returns a packet strut which implements PacketManipulator
func NewPacket() PacketManipulator {

	return &Packet{}
}

//AddEthernetLayer creates an Ethernet layer
func (p *Packet) AddEthernetLayer(srcMACstr string, dstMACstr string) error {

	if p.ethernetLayer != nil {
		return errors.New("ethernet layer already exists")
	}

	var srcMAC, dstMAC net.HardwareAddr

	//MAC address of the source
	srcMAC, _ = net.ParseMAC(srcMACstr)

	if srcMAC == nil {
		return errors.New("no source mac given")
	}

	//MAC address of the destination
	dstMAC, _ = net.ParseMAC(dstMACstr)

	if dstMAC == nil {
		return errors.New("no destination mac given")
	}

	//Ethernet packet header
	p.ethernetLayer = &layers.Ethernet{
		SrcMAC:       srcMAC,
		DstMAC:       dstMAC,
		EthernetType: layers.EthernetTypeIPv4,
	}

	return nil
}

//GetEthernetPacket returns the ethernet layer created
func (p *Packet) GetEthernetPacket() layers.Ethernet {

	return *p.ethernetLayer
}

//AddIPLayer creates an IP layer
func (p *Packet) AddIPLayer(srcIPstr string, dstIPstr string) error {

	if p.ipLayer != nil {
		return errors.New("ip layer already exists")
	}

	var srcIP, dstIP net.IP

	//IP address of the source
	srcIP = net.ParseIP(srcIPstr)

	if srcIP == nil {
		return errors.New("no source ip given")
	}

	//IP address of the destination
	dstIP = net.ParseIP(dstIPstr)

	if dstIP == nil {
		return errors.New("no destination ip given")
	}

	//IP packet header
	p.ipLayer = &layers.IPv4{
		SrcIP:    srcIP,
		DstIP:    dstIP,
		Version:  4,
		TTL:      64,
		Protocol: layers.IPProtocolTCP,
	}

	return nil
}

//GetIPChecksum returns IP cheksum
func (p *Packet) GetIPChecksum() uint16 {

	return p.ipLayer.Checksum
}

//GetIPPacket returns IP checksum
func (p *Packet) GetIPPacket() layers.IPv4 {

	return *p.ipLayer
}

//AddTCPLayer creates a TCP layer
func (p *Packet) AddTCPLayer(srcPort layers.TCPPort, dstPort layers.TCPPort) error {

	if p.tcpLayer != nil {
		return errors.New("tcp layer already exists")
	}

	if srcPort == 0 {
		return errors.New("no source tcp port given")
	}

	if dstPort == 0 {
		return errors.New("no destination tcp port given")
	}

	//TCP packet header
	p.tcpLayer = &layers.TCP{
		SrcPort: srcPort,
		DstPort: dstPort,
		Window:  0,
		Urgent:  0,
		Seq:     0,
		Ack:     0,
		ACK:     false,
		SYN:     false,
		FIN:     false,
		RST:     false,
		URG:     false,
		ECE:     false,
		CWR:     false,
		NS:      false,
		PSH:     false,
	}

	return p.tcpLayer.SetNetworkLayerForChecksum(p.ipLayer)
}

//GetTCPPacket returns created TCP packet
func (p *Packet) GetTCPPacket() layers.TCP {

	return *p.tcpLayer
}

//GetTCPSequenceNumber returns TCP Sequence number
func (p *Packet) GetTCPSequenceNumber() uint32 {

	return p.tcpLayer.Seq
}

//GetTCPAcknowledgementNumber returns TCP Acknowledgement number
func (p *Packet) GetTCPAcknowledgementNumber() uint32 {

	return p.tcpLayer.Ack
}

//GetTCPWindow returns TCP Window
func (p *Packet) GetTCPWindow() uint16 {

	return p.tcpLayer.Window
}

//GetTCPSyn returns TCP SYN flag
func (p *Packet) GetTCPSyn() bool {

	return p.tcpLayer.SYN
}

//GetTCPAck returns TCP ACK flag
func (p *Packet) GetTCPAck() bool {

	return p.tcpLayer.ACK
}

//GetTCPFin returns TCP FIN flag
func (p *Packet) GetTCPFin() bool {

	return p.tcpLayer.FIN
}

//GetTCPChecksum returns TCP checksum
func (p *Packet) GetTCPChecksum() uint16 {

	return p.tcpLayer.Checksum
}

//SetTCPSequenceNumber changes TCP sequence number
func (p *Packet) SetTCPSequenceNumber(seqNum uint32) {

	p.tcpLayer.Seq = seqNum

}

//SetTCPAcknowledgementNumber changes TCP Acknowledgement number
func (p *Packet) SetTCPAcknowledgementNumber(ackNum uint32) {

	p.tcpLayer.Ack = ackNum

}

//SetTCPWindow changes the TCP window
func (p *Packet) SetTCPWindow(window uint16) {

	p.tcpLayer.Window = window

}

//SetTCPSyn changes the TCP SYN flag to true
func (p *Packet) SetTCPSyn() {

	p.tcpLayer.SYN = true
	p.tcpLayer.ACK = false
	p.tcpLayer.FIN = false
}

//SetTCPSynAck changes the TCP SYN and ACK flag to true
func (p *Packet) SetTCPSynAck() {

	p.tcpLayer.SYN = true
	p.tcpLayer.ACK = true
	p.tcpLayer.FIN = false
}

//SetTCPAck changes the TCP ACK flag to true
func (p *Packet) SetTCPAck() {

	p.tcpLayer.SYN = false
	p.tcpLayer.ACK = true
	p.tcpLayer.FIN = false
}

//SetTCPCwr changes the TCP CWR flag to true
func (p *Packet) SetTCPCwr() {
	p.tcpLayer.CWR = true
}

//SetTCPEce changes the TCP ECE flag to true
func (p *Packet) SetTCPEce() {
	p.tcpLayer.ECE = true
}

//SetTCPUrg changes the TCP URG flag to true
func (p *Packet) SetTCPUrg() {
	p.tcpLayer.URG = true
}

//SetTCPPsh changes the TCP PSH flag to true
func (p *Packet) SetTCPPsh() {
	p.tcpLayer.PSH = true
}

//SetTCPRst changes the TCP RST flag to true
func (p *Packet) SetTCPRst() {
	p.tcpLayer.RST = true
}

//SetTCPFin changes the TCP FIN flag to true
func (p *Packet) SetTCPFin() {
	p.tcpLayer.FIN = true
}

//NewTCPPayload adds new payload to TCP layer
func (p *Packet) NewTCPPayload(newPayload string) error {

	if p.tcpLayer.Payload != nil {
		return errors.New("payload already exists")
	}

	p.tcpLayer.Payload = []byte(newPayload)

	return nil
}

//ToBytes creates a packet buffer and converts it into a complete packet with ethernet, IP and TCP (with options)
func (p *Packet) ToBytes() ([]byte, error) {

	opts := gopacket.SerializeOptions{
		FixLengths:       true, //fix lengths based on the payload (data)
		ComputeChecksums: true, //compute checksum based on the payload during serialization
	}

	if err := p.tcpLayer.SetNetworkLayerForChecksum(p.ipLayer); err != nil {
		return nil, fmt.Errorf("unable to compute checksum: %s", err)
	}

	//Creating a packet buffer by serializing the ethernet, IP and TCP layers/packets
	packetBuf := gopacket.NewSerializeBuffer()
	tcpPayload := gopacket.Payload(p.tcpLayer.Payload)
	if err := gopacket.SerializeLayers(packetBuf, opts, p.ethernetLayer, p.ipLayer, p.tcpLayer, tcpPayload); err != nil {
		return nil, fmt.Errorf("unable to serialize layers: %s", err)
	}
	//Converting into bytes and removing the ethernet from the layers
	bytes := packetBuf.Bytes()
	bytesWithoutEthernet := bytes[14:]

	var finalBytes []byte
	finalBytes = append(finalBytes, bytesWithoutEthernet...)

	return finalBytes, nil
}

//NewTemplateFlow will return flow of packets which implements PacketManipulator
func NewTemplateFlow() PacketFlowManipulator {

	return &PacketFlow{}
}

//AddPacket is a helper method to add the packet from the template to the struct internal struct field
func (p *Packet) AddPacket(packet gopacket.Packet) {

	p.packet = packet

}

//DecodePacket returns decoded packet which implements PacketManipulator
func (p *Packet) DecodePacket() PacketManipulator {

	packetData := &Packet{
		ethernetLayer: &layers.Ethernet{},
		ipLayer:       &layers.IPv4{},
		tcpLayer:      &layers.TCP{},
	}

	newEthernetPacket := packetData.GetEthernetPacket()
	newIPPacket := packetData.GetIPPacket()
	newTCPPacket := packetData.GetTCPPacket()

	if ethernetLayer := p.packet.Layer(layers.LayerTypeEthernet); ethernetLayer != nil {
		ethernet, _ := ethernetLayer.(*layers.Ethernet)
		newEthernetPacket.SrcMAC = ethernet.SrcMAC
		newEthernetPacket.DstMAC = ethernet.DstMAC
		newEthernetPacket.EthernetType = ethernet.EthernetType
	}

	if ipLayer := p.packet.Layer(layers.LayerTypeIPv4); ipLayer != nil {
		ip, _ := ipLayer.(*layers.IPv4)

		newIPPacket.SrcIP = ip.SrcIP
		newIPPacket.DstIP = ip.DstIP
		newIPPacket.Version = ip.Version
		newIPPacket.Length = ip.Length
		newIPPacket.Protocol = ip.Protocol
		newIPPacket.TTL = ip.TTL
	}

	if tcpLayer := p.packet.Layer(layers.LayerTypeTCP); tcpLayer != nil {
		tcp, _ := tcpLayer.(*layers.TCP)

		newTCPPacket.SrcPort = tcp.SrcPort
		newTCPPacket.DstPort = tcp.DstPort
		newTCPPacket.Seq = tcp.Seq
		newTCPPacket.Ack = tcp.Ack
		newTCPPacket.SYN = tcp.SYN
		newTCPPacket.FIN = tcp.FIN
		newTCPPacket.RST = tcp.RST
		newTCPPacket.PSH = tcp.PSH
		newTCPPacket.ACK = tcp.ACK
		newTCPPacket.URG = tcp.URG
		newTCPPacket.ECE = tcp.ECE
		newTCPPacket.CWR = tcp.CWR
		newTCPPacket.NS = tcp.NS
		newTCPPacket.Checksum = tcp.Checksum
		newTCPPacket.Window = tcp.Window
	}

	packetData = &Packet{
		ethernetLayer: &newEthernetPacket,
		ipLayer:       &newIPPacket,
		tcpLayer:      &newTCPPacket,
	}

	return packetData
}

//NewPacketFlow returns PacketFlow struct which implements PacketFlowManipulator
func NewPacketFlow(smac string, dmac string, sip string, dip string, sport layers.TCPPort, dport layers.TCPPort) PacketFlowManipulator {

	initialTupules := &PacketFlow{
		sMAC:  smac,
		dMAC:  dmac,
		sIP:   sip,
		dIP:   dip,
		sPort: sport,
		dPort: dport,
		flow:  make([]PacketManipulator, 0),
	}

	return initialTupules
}

//GenerateTCPFlow returns an array of PacketFlowManipulator interface
func (p *PacketFlow) GenerateTCPFlow(pt PacketFlowType) (PacketFlowManipulator, error) {

	if pt == 0 {
		//Create a SYN packet to initialize the flow
		firstPacket := NewPacket()
		if err := firstPacket.AddEthernetLayer(p.sMAC, p.dMAC); err != nil {
			return nil, fmt.Errorf("unable tp add ethernet layer: %s", err)
		}
		if err := firstPacket.AddIPLayer(p.sIP, p.dIP); err != nil {
			return nil, fmt.Errorf("unable to add ip layer: %s", err)
		}
		if err := firstPacket.AddTCPLayer(p.sPort, p.dPort); err != nil {
			return nil, fmt.Errorf("unable to add tcp layer: %s", err)
		}
		firstPacket.SetTCPSyn()
		firstPacket.SetTCPSequenceNumber(firstPacket.GetTCPSequenceNumber())
		firstPacket.SetTCPAcknowledgementNumber(firstPacket.GetTCPAcknowledgementNumber())
		synPacket, _ := firstPacket.(*Packet)

		p.flow = append(p.flow, synPacket)

		//Create a SynAck packet
		secondPacket := NewPacket()
		if err := secondPacket.AddEthernetLayer(p.sMAC, p.dMAC); err != nil {
			return nil, fmt.Errorf("unable to add ethernet layer: %s", err)
		}
		if err := secondPacket.AddIPLayer(p.dIP, p.sIP); err != nil {
			return nil, fmt.Errorf("unable to add ip layer: %s", err)
		}
		if err := secondPacket.AddTCPLayer(p.dPort, p.sPort); err != nil {
			return nil, fmt.Errorf("unable to add tcp layer: %s", err)
		}
		secondPacket.SetTCPSynAck()
		secondPacket.SetTCPSequenceNumber(0)
		secondPacket.SetTCPAcknowledgementNumber(firstPacket.GetTCPSequenceNumber() + 1)
		synackPacket, _ := secondPacket.(*Packet)

		p.flow = append(p.flow, synackPacket)

		//Create an Ack Packet
		thirdPacket := NewPacket()
		if err := thirdPacket.AddEthernetLayer(p.sMAC, p.dMAC); err != nil {
			return nil, fmt.Errorf("unable tp add ethernet layer: %s", err)
		}
		if err := thirdPacket.AddIPLayer(p.sIP, p.dIP); err != nil {
			return nil, fmt.Errorf("unable to add ip layer: %s", err)
		}
		if err := thirdPacket.AddTCPLayer(p.sPort, p.dPort); err != nil {
			return nil, fmt.Errorf("unable to add tcp layer: %s", err)
		}
		thirdPacket.SetTCPAck()
		thirdPacket.SetTCPSequenceNumber(secondPacket.GetTCPAcknowledgementNumber())
		thirdPacket.SetTCPAcknowledgementNumber(secondPacket.GetTCPSequenceNumber() + 1)
		ackPacket, _ := thirdPacket.(*Packet)

		p.flow = append(p.flow, ackPacket)

		return p, nil

	} else if pt == 1 {

		for i := 0; i < len(PacketFlowTemplate1); i++ {
			//Create a Packet type variable to store decoded packet
			newPacket := NewPacket()
			packet := gopacket.NewPacket(PacketFlowTemplate1[i], layers.LayerTypeEthernet, gopacket.Default)
			newPacket.AddPacket(packet)

			p.flow = append(p.flow, newPacket.DecodePacket())

		}

		return p, nil
	} else if pt == 2 {

		for i := 0; i < len(PacketFlowTemplate2); i++ {

			//Create a Packet type variable to store decoded packet
			newPacket := NewPacket()
			packet := gopacket.NewPacket(PacketFlowTemplate2[i], layers.LayerTypeEthernet, gopacket.Default)
			newPacket.AddPacket(packet)

			p.flow = append(p.flow, newPacket.DecodePacket())

		}

		return p, nil
	} else if pt == 3 {

		for i := 0; i < len(PacketFlowTemplate3); i++ {

			//Create a Packet type variable to store decoded packet
			newPacket := NewPacket()
			packet := gopacket.NewPacket(PacketFlowTemplate3[i], layers.LayerTypeEthernet, gopacket.Default)
			newPacket.AddPacket(packet)

			p.flow = append(p.flow, newPacket.DecodePacket())

		}

		return p, nil
	}

	return nil, nil
}

//GenerateTCPFlowPayload Coming soon...
func (p *PacketFlow) GenerateTCPFlowPayload(newPayload string) PacketFlowManipulator {

	return nil
}

//AppendPacket adds the packet to Flow field of PacketFlowManipulator interface
func (p *PacketFlow) AppendPacket(pm PacketManipulator) int {

	p.flow = append(p.flow, pm)

	return p.GetNumPackets()
}

//GetMatchPackets implicitly returns the matching packets requested by the user
func (p *PacketFlow) getMatchPackets(syn, ack, fin bool) PacketFlowManipulator {

	packetsInFlow := NewPacketFlow(p.sMAC, p.dMAC, p.sIP, p.dIP, p.sPort, p.dPort)

	for j := 0; j < len(p.flow); j++ {
		if p.flow[j].GetTCPSyn() == syn && p.flow[j].GetTCPAck() == ack && p.flow[j].GetTCPFin() == fin {
			packetsInFlow.AppendPacket(p.flow[j])
		}
	}

	return packetsInFlow
}

//GetFirstSynPacket return first Syn packet from the flow
func (p *PacketFlow) GetFirstSynPacket() PacketManipulator {

	return p.GetSynPackets().GetNthPacket(0)
}

//GetFirstSynAckPacket return first SynAck packet from the flow
func (p *PacketFlow) GetFirstSynAckPacket() PacketManipulator {

	return p.GetSynAckPackets().GetNthPacket(0)
}

//GetFirstAckPacket return first Ack packet from the flow
func (p *PacketFlow) GetFirstAckPacket() PacketManipulator {

	return p.GetAckPackets().GetNthPacket(0)
}

//GetSynPackets returns the SYN packets
func (p *PacketFlow) GetSynPackets() PacketFlowManipulator {

	return p.getMatchPackets(true, false, false)
}

//GetSynAckPackets returns the SynAck packets
func (p *PacketFlow) GetSynAckPackets() PacketFlowManipulator {

	return p.getMatchPackets(true, true, false)
}

//GetAckPackets returns the Ack Packets
func (p *PacketFlow) GetAckPackets() PacketFlowManipulator {

	return p.getMatchPackets(false, true, false)
}

//GetUptoFirstSynAckPacket will return packets upto first SynAck packet
func (p *PacketFlow) GetUptoFirstSynAckPacket() PacketFlowManipulator {

	packetsInFlow := NewPacketFlow(p.sMAC, p.dMAC, p.sIP, p.dIP, p.sPort, p.dPort)
	flag := false

	for j := 0; j < len(p.flow); j++ {
		if !flag {
			packetsInFlow.AppendPacket(p.flow[j])
			if p.flow[j].GetTCPSyn() && p.flow[j].GetTCPAck() && !p.flow[j].GetTCPFin() {
				flag = true
			}
		}
	}

	return packetsInFlow
}

//GetUptoFirstAckPacket will return packets upto first Ack packet
func (p *PacketFlow) GetUptoFirstAckPacket() PacketFlowManipulator {

	packetsInFlow := NewPacketFlow(p.sMAC, p.dMAC, p.sIP, p.dIP, p.sPort, p.dPort)
	flag := false

	for j := 0; j < len(p.flow); j++ {
		if !flag {
			packetsInFlow.AppendPacket(p.flow[j])
			if !p.flow[j].GetTCPSyn() && p.flow[j].GetTCPAck() && !p.flow[j].GetTCPFin() {
				flag = true
			}
		}
	}

	return packetsInFlow
}

//GetNthPacket returns the packet requested by the user from the array
func (p *PacketFlow) GetNthPacket(index int) PacketManipulator {

	for i := 0; i < len(p.flow); i++ {
		if index == i {
			return p.flow[i]
		}
	}

	panic("Index out of range")
}

//GetNumPackets returns an array of packets
func (p *PacketFlow) GetNumPackets() int {

	return len(p.flow)
}


================================================
FILE: controller/internal/enforcer/utils/packetgen/packet_gen_test.go
================================================
//+build !test

//PacketGen tester
//Still in beta version, Currently used for debugging
//Updates are coming soon with more test cases
package packetgen

import "testing"

//TestTypeInterface: to check if the type implements interface
func TestTypeInterface(t *testing.T) {
	t.Parallel()

	var PktInterface PacketManipulator = (*Packet)(nil)

	if PktInterface != (*Packet)(nil) {

		t.Error("Packet struct does not implement PacketManipulator Interface")
	}

	var PktFlowInterface PacketFlowManipulator = (*PacketFlow)(nil)
	if PktFlowInterface != (*PacketFlow)(nil) {

		t.Error("PacketFlow struct does not implement PacketFlowManipulator Interface")
	}
}


================================================
FILE: controller/internal/enforcer/utils/packetgen/packet_templates.go
================================================
package packetgen

//PacketFlowTemplate1 is a good hardcoded template
var PacketFlowTemplate1 [][]byte

//PacketFlowTemplate2 has a two complete TCP flow
var PacketFlowTemplate2 [][]byte

//PacketFlowTemplate3 has a two intervened TCP flows
var PacketFlowTemplate3 [][]byte

func init() {
	PacketFlowTemplate1 = [][]byte{
		{0x4a, 0x1d, 0x70, 0xcf, 0xa6, 0xe5, 0xb8, 0xe8, 0x56, 0x32, 0x0b, 0xde, 0x08, 0x00, 0x45, 0x00, 0x00, 0x40, 0xf4, 0x1f, 0x40, 0x00, 0x40, 0x06, 0xa9, 0x6f, 0x0a, 0x01, 0x0a, 0x4c, 0xa4, 0x43, 0xe4, 0x98, 0xe1, 0xa1, 0x00, 0x50, 0x4d, 0xa6, 0xac, 0x48, 0x00, 0x00, 0x00, 0x00, 0xb0, 0x02, 0xff, 0xff, 0x6b, 0x6c, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4, 0x01, 0x03, 0x03, 0x05, 0x01, 0x01, 0x08, 0x0a, 0x1b, 0x4f, 0x37, 0x38, 0x00, 0x00, 0x00, 0x00, 0x04, 0x02, 0x00, 0x00},
		{0xb8, 0xe8, 0x56, 0x32, 0x0b, 0xde, 0x4a, 0x1d, 0x70, 0xcf, 0xa6, 0xe5, 0x08, 0x00, 0x45, 0x20, 0x00, 0x3c, 0xf4, 0x1f, 0x40, 0x00, 0x70, 0x06, 0x79, 0x53, 0xa4, 0x43, 0xe4, 0x98, 0x0a, 0x01, 0x0a, 0x4c, 0x00, 0x50, 0xe1, 0xa1, 0xfe, 0xaa, 0xf0, 0x0c, 0x4d, 0xa6, 0xac, 0x49, 0xa0, 0x12, 0x38, 0x90, 0x3b, 0xba, 0x00, 0x00, 0x02, 0x04, 0x05, 0x64, 0x01, 0x03, 0x03, 0x00, 0x04, 0x02, 0x08, 0x0a, 0xb3, 0xa1, 0x66, 0x11, 0x1b, 0x4f, 0x37, 0x38},
		{0x4a, 0x1d, 0x70, 0xcf, 0xa6, 0xe5, 0xb8, 0xe8, 0x56, 0x32, 0x0b, 0xde, 0x08, 0x00, 0x45, 0x00, 0x00, 0x34, 0x7a, 0x12, 0x40, 0x00, 0x40, 0x06, 0x23, 0x89, 0x0a, 0x01, 0x0a, 0x4c, 0xa4, 0x43, 0xe4, 0x98, 0xe1, 0xa1, 0x00, 0x50, 0x4d, 0xa6, 0xac, 0x49, 0xfe, 0xaa, 0xf0, 0x0d, 0x80, 0x10, 0x10, 0x08, 0x92, 0x82, 0x00, 0x00, 0x01, 0x01, 0x08, 0x0a, 0x1b, 0x4f, 0x37, 0x6d, 0xb3, 0xa1, 0x66, 0x11},
		{0x4a, 0x1d, 0x70, 0xcf, 0xa6, 0xe5, 0xb8, 0xe8, 0x56, 0x32, 0x0b, 0xde, 0x08, 0x00, 0x45, 0x00, 0x02, 0x21, 0xeb, 0x50, 0x40, 0x00, 0x40, 0x06, 0xb0, 0x5d, 0x0a, 0x01, 0x0a, 0x4c, 0xa4, 0x43, 0xe4, 0x98, 0xe1, 0xa1, 0x00, 0x50, 0x4d, 0xa6, 0xac, 0x49, 0xfe, 0xaa, 0xf0, 0x0d, 0x80, 0x18, 0x10, 0x08, 0xe1, 0xdc, 0x00, 0x00, 0x01, 0x01, 0x08, 0x0a, 0x1b, 0x4f, 0x37, 0x6d, 0xb3, 0xa1, 0x66, 0x11, 0x47, 0x45, 0x54, 0x20, 0x2f, 0x20, 0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31, 0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20, 0x31, 0x36, 0x34, 0x2e, 0x36, 0x37, 0x2e, 0x32, 0x32, 0x38, 0x2e, 0x31, 0x35, 0x32, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x6b, 0x65, 0x65, 0x70, 0x2d, 0x61, 0x6c, 0x69, 0x76, 0x65, 0x0d, 0x0a, 0x55, 0x70, 0x67, 0x72, 0x61, 0x64, 0x65, 0x2d, 0x49, 0x6e, 0x73, 0x65, 0x63, 0x75, 0x72, 0x65, 0x2d, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x73, 0x3a, 0x20, 0x31, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d, 0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x4d, 0x6f, 0x7a, 0x69, 0x6c, 0x6c, 0x61, 0x2f, 0x35, 0x2e, 0x30, 0x20, 0x28, 0x4d, 0x61, 0x63, 0x69, 0x6e, 0x74, 0x6f, 0x73, 0x68, 0x3b, 0x20, 0x49, 0x6e, 0x74, 0x65, 0x6c, 0x20, 0x4d, 0x61, 0x63, 0x20, 0x4f, 0x53, 0x20, 0x58, 0x20, 0x31, 0x30, 0x5f, 0x31, 0x31, 0x5f, 0x36, 0x29, 0x20, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x57, 0x65, 0x62, 0x4b, 0x69, 0x74, 0x2f, 0x35, 0x33, 0x37, 0x2e, 0x33, 0x36, 0x20, 0x28, 0x4b, 0x48, 0x54, 0x4d, 0x4c, 0x2c, 0x20, 0x6c, 0x69, 0x6b, 0x65, 0x20, 0x47, 0x65, 0x63, 0x6b, 0x6f, 0x29, 0x20, 0x43, 0x68, 0x72, 0x6f, 0x6d, 0x65, 0x2f, 0x35, 0x33, 0x2e, 0x30, 0x2e, 0x32, 0x37, 0x38, 0x35, 0x2e, 0x31, 0x34, 0x33, 0x20, 0x53, 0x61, 0x66, 0x61, 0x72, 0x69, 0x2f, 0x35, 0x33, 0x37, 0x2e, 0x33, 0x36, 0x0d, 0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x2c, 0x61, 0x70, 0x70, 0x6c, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2f, 0x78, 0x68, 0x74, 0x6d, 0x6c, 0x2b, 0x78, 0x6d, 0x6c, 0x2c, 0x61, 0x70, 0x70, 0x6c, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2f, 0x78, 0x6d, 0x6c, 0x3b, 0x71, 0x3d, 0x30, 0x2e, 0x39, 0x2c, 0x69, 0x6d, 0x61, 0x67, 0x65, 0x2f, 0x77, 0x65, 0x62, 0x70, 0x2c, 0x2a, 0x2f, 0x2a, 0x3b, 0x71, 0x3d, 0x30, 0x2e, 0x38, 0x0d, 0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d, 0x45, 0x6e, 0x63, 0x6f, 0x64, 0x69, 0x6e, 0x67, 0x3a, 0x20, 0x67, 0x7a, 0x69, 0x70, 0x2c, 0x20, 0x64, 0x65, 0x66, 0x6c, 0x61, 0x74, 0x65, 0x2c, 0x20, 0x73, 0x64, 0x63, 0x68, 0x0d, 0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d, 0x4c, 0x61, 0x6e, 0x67, 0x75, 0x61, 0x67, 0x65, 0x3a, 0x20, 0x65, 0x6e, 0x2d, 0x55, 0x53, 0x2c, 0x65, 0x6e, 0x3b, 0x71, 0x3d, 0x30, 0x2e, 0x38, 0x0d, 0x0a, 0x43, 0x6f, 0x6f, 0x6b, 0x69, 0x65, 0x3a, 0x20, 0x50, 0x48, 0x50, 0x53, 0x45, 0x53, 0x53, 0x49, 0x44, 0x3d, 0x64, 0x38, 0x69, 0x61, 0x63, 0x62, 0x69, 0x65, 0x34, 0x38, 0x63, 0x74, 0x73, 0x32, 0x76, 0x70, 0x30, 0x36, 0x39, 0x64, 0x61, 0x62, 0x63, 0x74, 0x6d, 0x34, 0x3b, 0x20, 0x5f, 0x67, 0x61, 0x74, 0x3d, 0x31, 0x3b, 0x20, 0x5f, 0x67, 0x61, 0x74, 0x5f, 0x67, 0x6c, 0x6f, 0x62, 0x61, 0x6c, 0x54, 0x72, 0x61, 0x63, 0x6b, 0x65, 0x72, 0x3d, 0x31, 0x3b, 0x20, 0x5f, 0x67, 0x61, 0x3d, 0x47, 0x41, 0x31, 0x2e, 0x31, 0x2e, 0x31, 0x35, 0x35, 0x38, 0x30, 0x37, 0x37, 0x34, 0x31, 0x36, 0x2e, 0x31, 0x34, 0x37, 0x36, 0x33, 0x38, 0x34, 0x34, 0x30, 0x35, 0x0d, 0x0a, 0x0d, 0x0a},
		{0xb8, 0xe8, 0x56, 0x32, 0x0b, 0xde, 0x4a, 0x1d, 0x70, 0xcf, 0xa6, 0xe5, 0x08, 0x00, 0x45, 0x20, 0x00, 0x34, 0x3c, 0x55, 0x00, 0x00, 0xef, 0x06, 0xf2, 0x25, 0xa4, 0x43, 0xe4, 0x98, 0x0a, 0x01, 0x0a, 0x4c, 0x00, 0x50, 0xe1, 0xa1, 0xfe, 0xaa, 0xf0, 0x0d, 0x4d, 0xa6, 0xae, 0x36, 0x80, 0x10, 0x1f, 0x68, 0x81, 0x26, 0x00, 0x00, 0x01, 0x01, 0x08, 0x0a, 0xb3, 0xa1, 0x66, 0x20, 0x1b, 0x4f, 0x37, 0x6d},
		{0xb8, 0xe8, 0x56, 0x32, 0x0b, 0xde, 0x4a, 0x1d, 0x70, 0xcf, 0xa6, 0xe5, 0x08, 0x00, 0x45, 0x20, 0x05, 0x8c, 0x3c, 0x56, 0x00, 0x00, 0xef, 0x06, 0xec, 0xcc, 0xa4, 0x43, 0xe4, 0x98, 0x0a, 0x01, 0x0a, 0x4c, 0x00, 0x50, 0xe1, 0xa1, 0xfe, 0xaa, 0xf0, 0x0d, 0x4d, 0xa6, 0xae, 0x36, 0x80, 0x18, 0x1f, 0x68, 0x34, 0xda, 0x00, 0x00, 0x01, 0x01, 0x08, 0x0a, 0xb3, 0xa1, 0x66, 0x25, 0x1b, 0x4f, 0x37, 0x6d, 0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31, 0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79, 0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3b, 0x20, 0x63, 0x68, 0x61, 0x72, 0x73, 0x65, 0x74, 0x3d, 0x55, 0x54, 0x46, 0x2d, 0x38, 0x0d, 0x0a, 0x56, 0x61, 0x72, 0x79, 0x3a, 0x20, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d, 0x45, 0x6e, 0x63, 0x6f, 0x64, 0x69, 0x6e, 0x67, 0x0d, 0x0a, 0x45, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x3a, 0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x31, 0x39, 0x20, 0x4e, 0x6f, 0x76, 0x20, 0x31, 0x39, 0x38, 0x31, 0x20, 0x30, 0x38, 0x3a, 0x35, 0x32, 0x3a, 0x30, 0x30, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x43, 0x61, 0x63, 0x68, 0x65, 0x2d, 0x43, 0x6f, 0x6e, 0x74, 0x72, 0x6f, 0x6c, 0x3a, 0x20, 0x6e, 0x6f, 0x2d, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2c, 0x20, 0x6e, 0x6f, 0x2d, 0x63, 0x61, 0x63, 0x68, 0x65, 0x2c, 0x20, 0x6d, 0x75, 0x73, 0x74, 0x2d, 0x72, 0x65, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x65, 0x2c, 0x20, 0x70, 0x6f, 0x73, 0x74, 0x2d, 0x63, 0x68, 0x65, 0x63, 0x6b, 0x3d, 0x30, 0x2c, 0x20, 0x70, 0x72, 0x65, 0x2d, 0x63, 0x68, 0x65, 0x63, 0x6b, 0x3d, 0x30, 0x2c, 0x20, 0x6d, 0x61, 0x78, 0x2d, 0x61, 0x67, 0x65, 0x3d, 0x38, 0x36, 0x34, 0x30, 0x30, 0x2c, 0x20, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x2c, 0x20, 0x6d, 0x75, 0x73, 0x74, 0x2d, 0x72, 0x65, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x65, 0x2c, 0x20, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x2d, 0x72, 0x65, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x65, 0x0d, 0x0a, 0x50, 0x72, 0x61, 0x67, 0x6d, 0x61, 0x3a, 0x20, 0x6e, 0x6f, 0x2d, 0x63, 0x61, 0x63, 0x68, 0x65, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x45, 0x6e, 0x63, 0x6f, 0x64, 0x69, 0x6e, 0x67, 0x3a, 0x20, 0x67, 0x7a, 0x69, 0x70, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c, 0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x36, 0x37, 0x39, 0x38, 0x0d, 0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d, 0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20, 0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x31, 0x33, 0x20, 0x4f, 0x63, 0x74, 0x20, 0x32, 0x30, 0x31, 0x36, 0x20, 0x31, 0x38, 0x3a, 0x34, 0x38, 0x3a, 0x31, 0x30, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x41, 0x67, 0x65, 0x3a, 0x20, 0x30, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x6b, 0x65, 0x65, 0x70, 0x2d, 0x61, 0x6c, 0x69, 0x76, 0x65, 0x0d, 0x0a, 0x58, 0x2d, 0x43, 0x61, 0x63, 0x68, 0x65, 0x3a, 0x20, 0x4d, 0x49, 0x53, 0x53, 0x0d, 0x0a, 0x0d, 0x0a, 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0xd5, 0x3d, 0xdb, 0x72, 0x1b, 0xbb, 0x91, 0xcf, 0x56, 0x55, 0xfe, 0x01, 0x61, 0xb2, 0x76, 0xb2, 0xd2, 0x90, 0xba, 0xda, 0x92, 0x2d, 0xf1, 0x14, 0x45, 0xd1, 0x96, 0x4e, 0x74, 0x3b, 0x22, 0x65, 0xc7, 0x49, 0xa5, 0x5c, 0xe0, 0x0c, 0xc8, 0x81, 0x35, 0xb7, 0x33, 0x98, 0x11, 0x45, 0x3f, 0xed, 0x6f, 0xec, 0xef, 0xed, 0x97, 0x6c, 0x37, 0x6e, 0x73, 0x21, 0x29, 0x4a, 0x96, 0x62, 0xef, 0xba, 0x2a, 0x47, 0x43, 0x0c, 0xd0, 0x68, 0xf4, 0xbd, 0x81, 0xc6, 0x64, 0xff, 0x8f, 0x5e, 0xec, 0x66, 0xd3, 0x84, 0x11, 0x3f, 0x0b, 0x83, 0xf6, 0xca, 0xfe, 0x1f, 0x1d, 0xe7, 0x9f, 0x7c, 0x44, 0x4e, 0x7a, 0xe4, 0xcd, 0xbf, 0xda, 0x64, 0x1f, 0x5b, 0x89, 0x1b, 0x50, 0x21, 0x0e, 0x1a, 0x41, 0xe6, 0x70, 0xb6, 0x47, 0xe4, 0x9f, 0xdd, 0x06, 0x09, 0x68, 0x34, 0x3e, 0x68, 0xb0, 0xa8, 0x01, 0xdd, 0xfe, 0xf8, 0x4f, 0x16, 0x79, 0x7c, 0xf4, 0x2f, 0xc7, 0xa9, 0x80, 0xd8, 0x9d, 0x0f, 0x62, 0xf9, 0xd8, 0x71, 0xa6, 0x87, 0x63, 0x43, 0x0d, 0x46, 0x14, 0x3b, 0x5f, 0x05, 0xf1, 0x98, 0xb8, 0xc9, 0xe2, 0xa4, 0x0a, 0xc9, 0x71, 0x2a, 0xd0, 0x56, 0xf6, 0x7d, 0x46, 0xbd, 0x52, 0x97, 0x95, 0x17, 0xfb, 0x21, 0xcb, 0x28, 0x71, 0x7d, 0x9a, 0x0a, 0x96, 0x1d, 0x34, 0xf2, 0x6c, 0xe4, 0xec, 0x16, 0xed, 0x7e, 0x96, 0x25, 0x0e, 0xfb, 0x3d, 0xe7, 0xb7, 0x07, 0x8d, 0xbf, 0x3b, 0xd7, 0x1d, 0xa7, 0x1b, 0x87, 0x09, 0xcd, 0xf8, 0x30, 0x60, 0x0d, 0xe2, 0xc6, 0x51, 0xc6, 0x22, 0x18, 0x74, 0xd2, 0x3b, 0x60, 0xde, 0x98, 0xad, 0xb9, 0x7e, 0x1a, 0x87, 0xec, 0x60, 0xa3, 0x18, 0x1f, 0x51, 0xf8, 0xdd, 0xb8, 0xe5, 0x6c, 0x92, 0xc4, 0x69, 0x56, 0x1a, 0x32, 0xe1, 0x5e, 0xe6, 0x1f, 0x78, 0xec, 0x96, 0xbb, 0xcc, 0x91, 0x3f, 0xd6, 0x48, 0x2e, 0x58, 0xea, 0x08, 0x97, 0x06, 0x14, 0xc0, 0x1f, 0x4c, 0x99, 0x58, 0x23, 0x3c, 0xe2, 0x19, 0xa7, 0x81, 0x6c, 0x05, 0xc0, 0xcd, 0xf5, 0x35, 0x12, 0x42, 0x5b, 0x98, 0x87, 0x95, 0x26, 0x7a, 0x57, 0x6a, 0xda, 0x6c, 0xae, 0x03, 0x02, 0x80, 0x41, 0xc6, 0xb3, 0x80, 0xb5, 0xaf, 0xbb, 0xa7, 0x9d, 0xfd, 0x96, 0x7a, 0xae, 0xa2, 0x05, 0x14, 0x73, 0x53, 0x9e, 0x64, 0x3c, 0x8e, 0x4a, 0x98, 0x61, 0x7f, 0x42, 0xbd, 0x5b, 0x1a, 0xb9, 0x4c, 0x90, 0x9b, 0x28, 0x9e, 0x04, 0x72, 0x71, 0xd0, 0xe6, 0xa5, 0x4c, 0x08, 0x68, 0x4c, 0xf0, 0x2f, 0x8f, 0xc6, 0x44, 0xc4, 0x2e, 0x07, 0x78, 0x01, 0x89, 0x18, 0xf3, 0x04, 0xa1, 0x91, 0x47, 0xdc, 0x94, 0xd1, 0x0c, 0xfa, 0x50, 0x92, 0x47, 0xfc, 0x96, 0xa5, 0x82, 0x67, 0x53, 0xc2, 0xa2, 0x94, 0xbb, 0x3e, 0xf3, 0xc8, 0x70, 0x4a, 0x3c, 0xd9, 0xca, 0x48, 0x02, 0xff, 0x4d, 0x98, 0x9b, 0xc1, 0x4f, 0x41, 0x26, 0x3e, 0x4b, 0x19, 0xa1, 0x41, 0x00, 0x2b, 0x86, 0x0e, 0xdc, 0xcb, 0x69, 0x20, 0x88, 0x4b, 0x23, 0x32, 0x0a, 0xe2, 0x3c, 0xe5, 0xc2, 0x6f, 0xd6, 0x89, 0x7a, 0xc3, 0xa6, 0x93, 0x38, 0xf5, 0x44, 0x0d, 0xf5, 0x35, 0x72, 0x5d, 0xcc, 0x1b, 0x8f, 0x48, 0x97, 0x06, 0x7c, 0x14, 0xa7, 0x11, 0xa7, 0xe4, 0x34, 0x16, 0xa4, 0x13, 0x8d, 0x59, 0x80, 0x94, 0x3d, 0x4c, 0x73, 0x1e, 0xc1, 0x5f, 0x64, 0x6e, 0x36, 0x5d, 0xd3, 0x68, 0xc9, 0x47, 0x1e, 0xb9, 0x41, 0x2e, 0x80, 0x2a, 0xb0, 0xe6, 0x34, 0x13, 0xf2, 0xbf, 0x6b, 0x30, 0x4b, 0x10, 0x30, 0xa4, 0x03, 0x0c, 0x03, 0x6a, 0xe6, 0x99, 0xee, 0xe0, 0xfa, 0x3c, 0x83, 0x65, 0xe4, 0x29, 0xbc, 0x62, 0xd1, 0x98, 0x03, 0x29, 0x52, 0xa0, 0xcd, 0x1a, 0xf1, 0x41, 0x89, 0xd2, 0x20, 0x8e, 0x93, 0x35, 0x82, 0x62, 0x11, 0xd0, 0x35, 0x32, 0x4c, 0x29, 0x87, 0x41, 0x89, 0xcf, 0x41, 0x04, 0x33, 0x90, 0x96, 0x04, 0xa6, 0xeb, 0x0f, 0x7a, 0x67, 0x6b, 0x48, 0x3b, 0x98, 0x1f, 0x41, 0x06, 0x74, 0x82, 0x2c, 0x1d, 0xd3, 0x6f, 0x00, 0x0b, 0x5e, 0x04, 0x79, 0x18, 0x71, 0x9c, 0x3f, 0x0c, 0x81, 0xa4, 0x88, 0x60, 0x0c, 0x3c, 0x0b, 0xb9, 0xc8, 0x8a, 0x27, 0x61, 0x1f, 0xc3, 0x46, 0xfb, 0x45, 0x95, 0x50, 0xe3, 0x38, 0x1e, 0x07, 0xcc, 0x81, 0xb5, 0x31, 0x07, 0xd6, 0xc8, 0x47, 0xdc, 0xa5, 0x35, 0x9e, 0xff, 0xd6, 0xdf, 0x19, 0xd3, 0xe9, 0xe5, 0x78, 0x6b, 0xf7, 0x5b, 0x77, 0xfb, 0xf5, 0x67, 0xd1, 0xb9, 0xdb, 0xa6, 0x7b, 0xee, 0xd6, 0xed, 0xf6, 0xef, 0x83, 0xc3, 0x9b, 0xc8, 0xb9, 0x7a, 0xbd, 0x37, 0xde, 0x5b, 0x4f, 0x7e, 0x1b, 0x27, 0x87, 0xeb, 0x0d, 0xd2, 0xb2, 0x8c, 0x48, 0x60, 0x01, 0x2c, 0xcd, 0xa6, 0x07, 0x8d, 0x6c, 0xc2, 0xb3, 0x8c, 0xa5, 0x6f, 0xa9, 0xeb, 0xc6, 0x79, 0x94, 0x7d, 0xe1, 0x5e, 0x09, 0xfa, 0xc6, 0xee, 0xde, 0xc6, 0xee, 0xf6, 0xee, 0x96, 0x1a, 0x4a, 0xe0, 0x1f, 0x4a, 0x67, 0xc0, 0xa3, 0x1b, 0x92, 0xb2, 0xe0, 0xa0, 0x21, 0x7c, 0xd0, 0x0d, 0x37, 0xcf, 0x08, 0x77, 0x11, 0x2b, 0x3f, 0x65, 0xa3, 0x83, 0x46, 0x8b, 0x87, 0xe3, 0xd6, 0x88, 0xde, 0x62, 0x5b, 0x13, 0xfe, 0x23, 0xd9, 0x5f, 0x8c, 0xa1, 0x49, 0x02, 0x6b, 0xca, 0xe2, 0xdc, 0xf5, 0x9d, 0x99, 0x61, 0xf5, 0x97, 0xcd, 0x24, 0x1a, 0xe3, 0xf8, 0x95, 0x17, 0x2f, 0xd0, 0x24, 0x90, 0xf2, 0xdc, 0xd9, 0x14, 0xc4, 0xc1, 0x67, 0x2c, 0xb3, 0x10, 0x5c, 0x21, 0x5a, 0x2c, 0x64, 0xe9, 0x98, 0x45, 0xee, 0xd4, 0xc9, 0x58, 0x98, 0x04, 0x20, 0xd1, 0x4d, 0x68, 0x06, 0x93, 0x82, 0x56, 0xe4, 0x85, 0x04, 0xb4, 0x14, 0x46, 0x08, 0xbc, 0x56, 0xa3, 0x56, 0x70, 0xcd, 0xcb, 0x07, 0x80, 0x56, 0x25, 0x71, 0x24, 0x40, 0x10, 0x1f, 0x35, 0x2c, 0x01, 0x71, 0xcb, 0xe4, 0x08, 0x12, 0x32, 0x8f, 0xd3, 0x83, 0x86, 0x6c, 0x51, 0x36, 0x00, 0x96, 0x7b, 0xda, 0x1b, 0x90, 0xc1, 0x71, 0xef, 0xaa, 0x47, 0x0e, 0x7b, 0x64, 0xd0, 0xf9, 0x5b, 0x8f, 0x5c, 0x7c, 0xec, 0x5d, 0x91, 0x6e, 0xbf, 0x8f, 0x8b, 0x21, 0xfa, 0xdf, 0xf2, 0x79, 0x5c, 0x86, 0xfc, 0x8c, 0xd0, 0x1c, 0x65, 0xf4, 0x86, 0xc5, 0x20, 0x4b, 0x1a, 0x4f, 0x14, 0x38, 0x65, 0x4a, 0x88, 0x48, 0x5d, 0xe8, 0xfe, 0x15, 0x56, 0x1f, 0x83, 0x3c, 0x47, 0xfc, 0x5b, 0xda, 0xfc, 0x0a, 0x5d, 0xf6, 0x5b, 0xea, 0xbd, 0x5e, 0x53, 0xb9, 0x33, 0x9a, 0x58, 0xf1, 0xb6, 0xd5, 0xa2, 0x5f, 0xe9, 0x5d, 0x53, 0xc9, 0x2a, 0x4d, 0xb8, 0x68, 0x82, 0xbc, 0xcb, 0xb6, 0x56, 0xc0, 0x87, 0xa2, 0xf5, 0xf5, 0xf7, 0x9c, 0xa5, 0xd3, 0xd6, 0x46, 0xf3, 0x4d, 0x73, 0x43, 0xff},
		{0xb8, 0xe8, 0x56, 0x32, 0x0b, 0xde, 0x4a, 0x1d, 0x70, 0xcf, 0xa6, 0xe5, 0x08, 0x00, 0x45, 0x20, 0x05, 0x8c, 0x3c, 0x57, 0x00, 0x00, 0xef, 0x06, 0xec, 0xcb, 0xa4, 0x43, 0xe4, 0x98, 0x0a, 0x01, 0x0a, 0x4c, 0x00, 0x50, 0xe1, 0xa1, 0xfe, 0xaa, 0xf5, 0x65, 0x4d, 0xa6, 0xae, 0x36, 0x80, 0x18, 0x1f, 0x68, 0x15, 0xc0, 0x00, 0x00, 0x01, 0x01, 0x08, 0x0a, 0xb3, 0xa1, 0x66, 0x25, 0x1b, 0x4f, 0x37, 0x6d, 0x68, 0x82, 0x25, 0x5c, 0x06, 0x1c, 0x31, 0xa1, 0x11, 0x0d, 0xa6, 0x19, 0x77, 0x45, 0xad, 0xf3, 0x0b, 0xe3, 0x5b, 0x82, 0x8c, 0xa1, 0x73, 0x79, 0x0d, 0xce, 0xa5, 0x3e, 0x96, 0xb3, 0xd7, 0xf8, 0x3f, 0x27, 0x4f, 0xc6, 0x29, 0xf5, 0xd8, 0xec, 0x94, 0x15, 0xf7, 0x22, 0x45, 0x5b, 0xe2, 0x00, 0x90, 0x4f, 0xce, 0x3a, 0x1f, 0x7a, 0xa4, 0xdb, 0xe9, 0x1e, 0xf7, 0x2a, 0x74, 0x6e, 0xa1, 0x0b, 0x02, 0xde, 0xc0, 0xbf, 0xfd, 0x61, 0xec, 0x4d, 0x8d, 0x17, 0xf3, 0xc1, 0x46, 0x24, 0x74, 0xcc, 0x90, 0x6f, 0x38, 0x7e, 0xa5, 0x9f, 0x81, 0xdd, 0x41, 0x13, 0x76, 0x14, 0xe7, 0xe0, 0x10, 0xba, 0x01, 0x77, 0x6f, 0xc8, 0x7b, 0x30, 0x28, 0x5e, 0xc0, 0xc7, 0x7e, 0x46, 0x06, 0x74, 0xfc, 0x96, 0x5c, 0x02, 0xb5, 0xc0, 0x98, 0x7a, 0x31, 0x89, 0xe2, 0x0c, 0xd8, 0x17, 0x02, 0x5b, 0x56, 0x3a, 0x68, 0x55, 0xd1, 0xfe, 0xa1, 0x01, 0x40, 0x08, 0x99, 0xcf, 0x05, 0xc9, 0xb0, 0x3f, 0x9a, 0xc8, 0x26, 0xf3, 0xf2, 0x95, 0xeb, 0xab, 0x53, 0xf5, 0x86, 0x91, 0x09, 0x1b, 0xe2, 0xc4, 0xda, 0x08, 0x63, 0x0b, 0x74, 0x25, 0x30, 0x82, 0xdd, 0xa1, 0x81, 0x06, 0xb3, 0x9d, 0xc5, 0x64, 0x08, 0x16, 0x3b, 0xa0, 0x2e, 0xf3, 0xde, 0x4a, 0xa7, 0x08, 0x0c, 0x9b, 0x4c, 0x26, 0xcd, 0x1c, 0x90, 0x47, 0x70, 0xad, 0x95, 0x81, 0x9e, 0x82, 0x84, 0xb9, 0xc8, 0x8a, 0xde, 0xf0, 0x94, 0x4d, 0x18, 0x8b, 0x24, 0x58, 0xb9, 0xde, 0xb6, 0x74, 0x13, 0xfb, 0x2d, 0xf5, 0x0c, 0x23, 0xd0, 0xc0, 0x82, 0xad, 0x0f, 0x62, 0x58, 0x07, 0x3c, 0x24, 0x31, 0xf8, 0x16, 0x58, 0x2f, 0x4e, 0x8a, 0x83, 0xc0, 0xc4, 0x44, 0xe8, 0x6b, 0xa0, 0x67, 0x73, 0xa5, 0x8b, 0xde, 0x05, 0x6c, 0x17, 0x39, 0x02, 0x95, 0x7c, 0x4b, 0xd6, 0x77, 0x5a, 0x1b, 0x5b, 0xad, 0xcd, 0xf5, 0x8d, 0xed, 0x15, 0x19, 0x2c, 0x68, 0xf6, 0x61, 0xf8, 0x02, 0x36, 0x89, 0xdd, 0x65, 0xad, 0xaf, 0xf4, 0x96, 0xaa, 0x56, 0xa0, 0xeb, 0x2d, 0x4d, 0x09, 0xbd, 0x63, 0x01, 0x39, 0x20, 0x67, 0x34, 0xf3, 0x9b, 0x29, 0x60, 0x12, 0x87, 0x7f, 0xf9, 0x2b, 0x59, 0x25, 0x8d, 0xc6, 0x3b, 0xf5, 0x1a, 0xde, 0xc9, 0x2e, 0xff, 0x49, 0x36, 0xd6, 0xcb, 0xff, 0xde, 0xad, 0x40, 0x5c, 0x94, 0x87, 0xa0, 0x03, 0xcd, 0x49, 0x0a, 0xa6, 0xf4, 0x2f, 0xaf, 0xf6, 0xf9, 0x28, 0x45, 0xfa, 0x5a, 0x29, 0x06, 0x9a, 0x6c, 0x6f, 0xed, 0x6d, 0xbd, 0x7e, 0xbd, 0xd3, 0x1c, 0x05, 0xa2, 0xe9, 0x49, 0xb6, 0xb9, 0xc8, 0xb6, 0x66, 0xc4, 0xb2, 0x16, 0xd5, 0x5c, 0xe1, 0xef, 0x70, 0x84, 0xee, 0xf9, 0x4e, 0xe2, 0x7a, 0x99, 0xf2, 0x90, 0xae, 0xbf, 0x03, 0xbb, 0x7c, 0x80, 0x0c, 0x62, 0xeb, 0xef, 0xc0, 0xb3, 0x1d, 0xbc, 0x02, 0xbc, 0x28, 0xfc, 0xef, 0xd5, 0x2f, 0x0d, 0xa2, 0xe2, 0x85, 0xc6, 0x06, 0x68, 0x24, 0x43, 0xee, 0xcb, 0x47, 0x39, 0xff, 0x10, 0xba, 0xb2, 0xf4, 0xa0, 0x01, 0x96, 0x59, 0x2a, 0x2e, 0xf8, 0x75, 0x2e, 0x80, 0xf8, 0xd3, 0xb7, 0x51, 0x1c, 0x31, 0x14, 0x55, 0x85, 0x67, 0xfb, 0xd5, 0x5f, 0xdf, 0xad, 0x14, 0xd2, 0xbf, 0x1f, 0xc5, 0xf6, 0xf1, 0xdf, 0xbd, 0x90, 0x8d, 0xa7, 0x2c, 0x80, 0xc8, 0xd0, 0xe5, 0xa0, 0x51, 0x92, 0xfc, 0x8e, 0xd1, 0xe8, 0xd2, 0xea, 0x60, 0x69, 0xa5, 0x15, 0xa1, 0x95, 0xef, 0x81, 0x98, 0x7d, 0x87, 0xf6, 0x10, 0x15, 0x28, 0x82, 0x1f, 0xa9, 0xd9, 0x27, 0x4f, 0x34, 0xa7, 0xd4, 0x8f, 0x63, 0x69, 0x99, 0x12, 0x0e, 0x42, 0xf2, 0x0b, 0xf7, 0x0e, 0x36, 0xb7, 0x77, 0x77, 0xde, 0xac, 0xef, 0xbd, 0xcc, 0x0e, 0x36, 0x17, 0x2c, 0x92, 0x06, 0xf0, 0xf7, 0x33, 0x8e, 0x24, 0x83, 0x94, 0xba, 0x37, 0x28, 0xcc, 0x97, 0x38, 0x5c, 0xfa, 0xc3, 0xfb, 0x65, 0xb6, 0xc2, 0x13, 0xda, 0xa4, 0x5e, 0x06, 0x13, 0x2b, 0x04, 0xee, 0x5a, 0x38, 0xfd, 0xc6, 0xfa, 0xf6, 0xee, 0xee, 0x4e, 0xd9, 0xac, 0xe9, 0x7f, 0xfb, 0x10, 0xd0, 0x10, 0xe8, 0xd0, 0x00, 0xf3, 0xf5, 0x89, 0xa6, 0xa8, 0x42, 0xd8, 0x0b, 0x5a, 0xb1, 0x8b, 0x24, 0xd0, 0x25, 0x2a, 0xfd, 0xa7, 0x94, 0x26, 0x72, 0xc9, 0x76, 0x00, 0xda, 0x02, 0x67, 0x02, 0xcd, 0x68, 0x89, 0x94, 0x95, 0x24, 0xfd, 0x1b, 0x9e, 0x90, 0x73, 0x7a, 0xab, 0xfc, 0xdf, 0x7e, 0x6e, 0x63, 0x6f, 0x9f, 0x7b, 0xc0, 0x22, 0x1c, 0x26, 0xa0, 0x8b, 0x13, 0xd1, 0xdb, 0x86, 0xf6, 0xf1, 0xe0, 0x50, 0xda, 0xfb, 0x54, 0x3b, 0x90, 0x3f, 0xd1, 0xdc, 0xe3, 0xe0, 0x4f, 0x99, 0xea, 0x21, 0xc1, 0x81, 0x7e, 0x03, 0x44, 0x3e, 0x96, 0x0a, 0xbd, 0xdf, 0xa2, 0x80, 0x1d, 0x0c, 0x99, 0x37, 0x58, 0x30, 0x0c, 0xb3, 0x86, 0xf1, 0x5d, 0x31, 0xb2, 0x2f, 0x9b, 0xee, 0x1d, 0x85, 0xfe, 0xd7, 0xd1, 0x41, 0x48, 0x31, 0xf0, 0x0c, 0x5a, 0x49, 0x57, 0xb5, 0x96, 0x86, 0xef, 0xb7, 0xf2, 0x40, 0xbb, 0x04, 0x29, 0x38, 0x95, 0x05, 0xeb, 0xf6, 0x01, 0x64, 0x17, 0x87, 0x60, 0x23, 0x14, 0x0d, 0x0c, 0xb9, 0x20, 0xe7, 0x70, 0x86, 0x34, 0xc5, 0x65, 0xcf, 0x34, 0x16, 0xd3, 0x03, 0x0c, 0x1d, 0x7c, 0x7c, 0x02, 0x0b, 0x06, 0x86, 0x56, 0x47, 0x12, 0x2f, 0x4c, 0x33, 0x4e, 0x5a, 0x7e, 0x65, 0xfb, 0x77, 0x34, 0xe5, 0x0a, 0xf2, 0xcf, 0x99, 0x07, 0xa9, 0x0a, 0x51, 0x26, 0xea, 0x49, 0x64, 0x69, 0x0a, 0xfc, 0x06, 0x46, 0x61, 0xb7, 0x2a, 0xf5, 0xd5, 0xb4, 0x15, 0x62, 0xb5, 0x44, 0x96, 0x7b, 0x80, 0x28, 0x46, 0x13, 0xb1, 0x09, 0xcb, 0x1d, 0xd3, 0xd8, 0x20, 0xed, 0xcb, 0xa2, 0x99, 0xf4, 0x75, 0xb3, 0x25, 0xdf, 0x02, 0x50, 0x6e, 0x9e, 0xa6, 0xf0, 0x50, 0x06, 0xd3, 0x55, 0x4d, 0xcb, 0x40, 0x8c, 0xa8, 0x9b, 0x07, 0xd9, 0x14, 0x06, 0xbc, 0x57, 0x4f, 0x0b, 0xa7, 0xa2, 0xa3, 0x11, 0xf4, 0xea, 0xe3, 0xdf, 0x05, 0x7d, 0x54, 0xfc, 0x0c, 0x9d, 0x3a, 0xf2, 0x61, 0x41, 0xaf, 0x84, 0x22, 0x5e, 0xc2, 0x01, 0x8f, 0xe0, 0x8c, 0x68, 0xc8, 0x03, 0xce, 0xe4, 0xb2, 0x55, 0x33, 0x79, 0x49, 0xc3, 0xe4, 0x1d, 0x79, 0xaf, 0x5f, 0x94, 0xe4, 0x06, 0xfe, 0xa1, 0x4f, 0x07, 0xe1, 0xd1, 0xba, 0x25, 0x5b, 0xca, 0x4c, 0x9d, 0xe1, 0x1f, 0xca, 0x89, 0xee, 0x6b, 0xff, 0x9a, 0xce, 0x65, 0x11, 0xdb, 0x17, 0x09, 0xe4, 0x3f, 0x52, 0x23, 0x31, 0x9e, 0x73, 0x82, 0x78, 0x0c, 0x51, 0x70, 0x61, 0x98, 0x64, 0xa8, 0x8b, 0x8d, 0x8e, 0x8a, 0x00, 0xc7, 0x7c, 0xa4, 0x8d, 0x8d, 0x4c, 0xe1, 0x74, 0xf7, 0x16, 0x42, 0xd1, 0x21, 0x05, 0x39, 0x86, 0xd0, 0x43, 0xcb, 0x97, 0x15, 0x21, 0x5f, 0xb6, 0x19, 0xe9, 0x19, 0xd2, 0x28, 0x62, 0x28, 0xcc, 0x36, 0x8e, 0x31, 0x83, 0xb4, 0xce, 0x10, 0x13, 0xcc, 0xd4, 0x00, 0x94, 0x45, 0xdd, 0xc6, 0x3a, 0x38, 0x5c, 0x22, 0x53, 0x89, 0x80, 0xfc, 0x0d, 0x39, 0x4e, 0x23, 0x68, 0x59, 0xd0, 0xd0, 0xa9, 0x2a, 0xd2, 0xd6, 0xdf, 0x28, 0x81, 0xa9, 0x80, 0xbb, 0xb2, 0x41, 0x32, 0x39, 0xcc, 0xb3, 0x0c, 0x1e, 0xab, 0xc0, 0x0d, 0x56, 0x61, 0x3c, 0xe4, 0x90, 0x04, 0x0c, 0x55, 0x9f, 0x79, 0xca, 0x21, 0x15, 0xc9, 0xcc, 0xae, 0x4d, 0x6c, 0x58, 0x44, 0x34, 0xbf, 0xe4, 0x59, 0xf8, 0x45, 0x40, 0xf2, 0xe9, 0xb2, 0x03, 0xd3, 0xf8, 0x1f, 0x9b, 0x87, 0x45, 0x90, 0x0e, 0x3f, 0x4c, 0xcc, 0xf6, 0x12, 0xfb, 0x62, 0xf0, 0x9d, 0x87, 0x07, 0x9d, 0x24, 0x11, 0xf0, 0x4a, 0x4d, 0x2c, 0x5f, 0xb8, 0x20, 0x3c, 0x94, 0x8f, 0x23, 0xe9, 0x12, 0xe1, 0x95, 0x42, 0x4d, 0xc2, 0x1a, 0xb1, 0x34, 0xa5, 0x01, 0x3c, 0x8e, 0x20, 0x45, 0x84, 0x3f, 0x80, 0x1b, 0x9b, 0xd0, 0x69, 0xa3, 0xb4, 0x84, 0x46, 0x1b, 0x21, 0x4a, 0x61, 0x30, 0xdc, 0x44, 0x1a, 0xad, 0x48, 0xc9, 0x2b, 0x11, 0xc7, 0xda, 0x3d, 0x35, 0x18, 0x56, 0x2a, 0x59, 0x02, 0xeb, 0x6e, 0xb4, 0xcf, 0x58, 0x94, 0xcf, 0x42, 0x28, 0x0f, 0x2f, 0x64, 0xf2, 0xc5, 0x1c, 0xc2, 0xd7, 0x58, 0x6d, 0xad, 0x88, 0xf2, 0x0d, 0xd2, 0x14, 0x93, 0xc3, 0xf8, 0x6e, 0xc6, 0x3c, 0x95, 0x0c, 0x37, 0x4a, 0x3d, 0xe4, 0xe1, 0x61, 0xa9, 0x1d, 0x7f, 0x36, 0x74, 0x92, 0x5a, 0x6e, 0x51, 0xac, 0x52, 0x2d, 0x98, 0xd3, 0x64, 0x7e, 0x0c, 0x63, 0xc6, 0x98, 0x8e, 0x60, 0xe8, 0x11, 0x47, 0xb8, 0x48, 0x09, 0x90, 0x47, 0x49, 0xae, 0x5d, 0xe7, 0x2b, 0xf0, 0x44, 0x60, 0x52, 0x5e, 0x29, 0x78, 0xaf, 0x30, 0xdb, 0x7d, 0x45, 0x6e, 0x41, 0xf9, 0xe1, 0x07, 0xd2, 0xfd, 0x55, 0x6b, 0xc9, 0x08, 0x88, 0x6f, 0x40, 0x7c, 0x2b, 0x63, 0xbe, 0x74, 0x55, 0xce, 0xad, 0xf2, 0xe5, 0xa5, 0x10, 0xc0, 0x74, 0xde, 0x4d, 0x8b, 0xe4, 0xe9, 0x29, 0xa0, 0xe2, 0x3c, 0x83, 0x57, 0x16, 0xc2, 0x5d, 0x18, 0x7c, 0x89, 0xe2, 0x2f, 0x5e, 0xe6, 0x55, 0x46, 0x56, 0x48, 0xec, 0xc8, 0xb6, 0x86, 0x71, 0xcc, 0x26, 0xeb, 0x57, 0xcc, 0x29, 0x7a, 0x0d, 0x21, 0x02, 0x19, 0xa7, 0x90, 0xa4, 0x7b, 0x36, 0xb2, 0xd2, 0x0c, 0x34, 0xa9, 0x81, 0x61, 0xc9, 0xef, 0x8d, 0x52, 0x50, 0x02, 0x91, 0x08, 0xff, 0x06, 0xcf, 0x9b, 0x10, 0xa5, 0xe1, 0x7e, 0x53, 0xc0, 0xa2, 0x31, 0x86, 0x3a, 0x9b, 0x3b, 0x3b, 0x0d, 0x8d, 0x65, 0x43, 0xf1, 0x44, 0x09, 0x7e, 0x0d, 0xb7, 0x61, 0x16, 0x19, 0x68, 0x22, 0x1f, 0x86, 0x3c, 0xd3, 0x96, 0x4a, 0x85, 0x65, 0x2a, 0xef, 0x88, 0x35, 0x96, 0x68, 0xb4, 0x14, 0x10, 0x69, 0x21, 0x51, 0x26, 0x0a, 0x53, 0x59, 0x95, 0x4d, 0x29, 0x7f, 0xd2, 0xa3, 0x1b, 0xe3, 0x3a, 0x57, 0x6c, 0x65, 0x24, 0x80, 0x0a, 0x81, 0x51, 0x4d, 0x52, 0x18, 0xbb, 0x79, 0xae, 0xd2, 0xf4, 0x6d, 0xd4, 0xdd},
		{0xb8, 0xe8, 0x56, 0x32, 0x0b, 0xde, 0x4a, 0x1d, 0x70, 0xcf, 0xa6, 0xe5, 0x08, 0x00, 0x45, 0x20, 0x05, 0x8c, 0x3c, 0x58, 0x00, 0x00, 0xef, 0x06, 0xec, 0xca, 0xa4, 0x43, 0xe4, 0x98, 0x0a, 0x01, 0x0a, 0x4c, 0x00, 0x50, 0xe1, 0xa1, 0xfe, 0xaa, 0xfa, 0xbd, 0x4d, 0xa6, 0xae, 0x36, 0x80, 0x18, 0x1f, 0x68, 0x64, 0x1e, 0x00, 0x00, 0x01, 0x01, 0x08, 0x0a, 0xb3, 0xa1, 0x66, 0x25, 0x1b, 0x4f, 0x37, 0x6d, 0xc8, 0x30, 0x2e, 0x51, 0xd7, 0x4b, 0xe3, 0xc4, 0x8b, 0x27, 0x91, 0x83, 0x59, 0x33, 0x68, 0xe8, 0xe1, 0xc5, 0xf5, 0x40, 0x5a, 0xae, 0x22, 0x32, 0xb2, 0x5d, 0x6a, 0x93, 0xa6, 0x6c, 0x2c, 0x37, 0x5f, 0x68, 0xca, 0x29, 0x0c, 0xbf, 0x85, 0xa6, 0x24, 0x0e, 0x40, 0x5c, 0x8d, 0x63, 0x36, 0xbe, 0xb9, 0x00, 0xa5, 0x74, 0x19, 0xdd, 0xd7, 0x5c, 0xac, 0xc0, 0x72, 0x5e, 0x40, 0x32, 0x8e, 0xbb, 0x8c, 0x8b, 0x7c, 0xa0, 0xec, 0x16, 0x72, 0x81, 0xbb, 0x5a, 0xd2, 0xc7, 0x49, 0x96, 0x41, 0xfc, 0x7c, 0xa6, 0xda, 0xb4, 0x83, 0xfb, 0x28, 0x5b, 0xef, 0x05, 0x02, 0xae, 0xd9, 0xb8, 0x49, 0x3e, 0xce, 0x53, 0x84, 0xf1, 0x1e, 0x9b, 0x8c, 0x8b, 0x54, 0x8d, 0x05, 0x08, 0xe9, 0x1a, 0x1f, 0xbe, 0x14, 0x3a, 0xa1, 0xa9, 0xa7, 0xe0, 0xfb, 0x71, 0x14, 0xa7, 0x00, 0xbe, 0x23, 0x9b, 0x34, 0xfc, 0x63, 0xd9, 0x78, 0x2f, 0x86, 0x90, 0x88, 0x66, 0x71, 0x3a, 0x6d, 0xb4, 0x8f, 0xd5, 0xc3, 0xbd, 0x9d, 0x39, 0x98, 0x66, 0x37, 0x93, 0xf3, 0xe1, 0xde, 0x55, 0x98, 0x04, 0x5c, 0xf8, 0xa1, 0x8c, 0x56, 0xda, 0x27, 0xf2, 0x9d, 0x9e, 0xb8, 0x53, 0x7d, 0xfb, 0xdd, 0x0b, 0xc4, 0xfd, 0x28, 0xee, 0xca, 0x09, 0x79, 0x34, 0x02, 0x72, 0x47, 0x72, 0x83, 0x57, 0x47, 0x29, 0xed, 0x13, 0xf9, 0x5a, 0xcf, 0x79, 0x52, 0x74, 0x20, 0xf7, 0x46, 0x2f, 0x0a, 0x34, 0xa4, 0xb3, 0x98, 0x5c, 0x00, 0xe6, 0x57, 0xfa, 0xe9, 0xde, 0xee, 0x72, 0x3f, 0x27, 0x15, 0x1a, 0x15, 0xb5, 0xa7, 0x89, 0xec, 0xec, 0xaa, 0x76, 0x8b, 0x83, 0x79, 0xf3, 0xdd, 0x4b, 0x0e, 0xa4, 0xd7, 0x10, 0x3e, 0x87, 0x8c, 0xe2, 0xd4, 0x3e, 0xdf, 0x8f, 0x1b, 0xc4, 0x5d, 0x0c, 0x99, 0xdf, 0x55, 0x0f, 0xb5, 0xb9, 0x4d, 0x6f, 0xab, 0x8f, 0x72, 0xf7, 0x00, 0x7a, 0xcb, 0x4d, 0x84, 0xbf, 0xfc, 0xfd, 0xaf, 0xd8, 0x9f, 0x14, 0xea, 0x64, 0x63, 0x35, 0x74, 0x9a, 0x3a, 0xd4, 0x2f, 0xbd, 0xfa, 0x43, 0x0d, 0x05, 0x17, 0x70, 0x0c, 0x31, 0xbd, 0x5c, 0xa4, 0xee, 0xdd, 0xce, 0x51, 0xef, 0xec, 0xa4, 0xdb, 0xff, 0x29, 0x2a, 0x6f, 0xb0, 0x7b, 0x80, 0xda, 0xdb, 0xae, 0x39, 0xee, 0x2e, 0xe3, 0x16, 0x56, 0x0e, 0x01, 0x86, 0x03, 0x46, 0x5e, 0x6f, 0x01, 0xb7, 0xaf, 0xcb, 0x2f, 0x48, 0xcf, 0xbc, 0x58, 0x0a, 0xd0, 0xc2, 0x42, 0xe9, 0x01, 0xc7, 0x37, 0x62, 0xd2, 0x8e, 0x80, 0x24, 0x97, 0x80, 0x7f, 0x30, 0x70, 0x95, 0x28, 0x5d, 0x96, 0xba, 0xcd, 0x9b, 0xea, 0xe1, 0x62, 0x65, 0xd1, 0xc0, 0x08, 0x87, 0x47, 0x39, 0xc8, 0x7a, 0x79, 0xde, 0xae, 0x6d, 0x7d, 0xc4, 0x8a, 0xcc, 0x93, 0x13, 0x27, 0x78, 0x56, 0x83, 0x5b, 0xed, 0x98, 0x03, 0xb4, 0x3b, 0xba, 0x9d, 0x5c, 0x94, 0xdb, 0x97, 0x82, 0x33, 0x29, 0xcc, 0x6c, 0x06, 0xf3, 0x1d, 0xcb, 0xf4, 0x20, 0xca, 0x4c, 0xb3, 0xd0, 0x66, 0x28, 0x40, 0x70, 0x60, 0x40, 0x08, 0xd8, 0x1d, 0x15, 0x6f, 0x0a, 0x2a, 0xcb, 0x77, 0x4b, 0x31, 0x0c, 0xf8, 0x30, 0x05, 0x89, 0xc4, 0x35, 0x9e, 0x9a, 0xc7, 0x1f, 0xab, 0x67, 0x9e, 0xf6, 0x48, 0x0b, 0xf5, 0xec, 0xe8, 0xec, 0xa4, 0xdf, 0x3f, 0xb9, 0x38, 0xff, 0x29, 0x7a, 0x66, 0xb0, 0x03, 0x3d, 0xeb, 0x98, 0x67, 0xb2, 0x4c, 0xe3, 0xec, 0xa0, 0xaa, 0xc6, 0x15, 0x4b, 0xad, 0x69, 0x9c, 0x85, 0xbc, 0x14, 0xe0, 0x3c, 0x58, 0x1f, 0xee, 0x01, 0xf3, 0x70, 0x31, 0xb3, 0x53, 0x40, 0x9c, 0xc7, 0x22, 0x19, 0x22, 0xb0, 0x08, 0x28, 0x1a, 0x84, 0x32, 0x9f, 0xeb, 0x99, 0x56, 0xc8, 0x50, 0x4d, 0xeb, 0x52, 0x6c, 0x39, 0xfa, 0x90, 0x48, 0x6a, 0x1e, 0x7a, 0xb7, 0x02, 0xe5, 0x93, 0xf2, 0x8b, 0x47, 0x2c, 0x3f, 0x03, 0xef, 0x26, 0x20, 0x5d, 0x2a, 0xc3, 0x1a, 0xe8, 0xb6, 0x67, 0x5a, 0x3e, 0x1d, 0x41, 0xac, 0xe9, 0x51, 0x48, 0xba, 0x38, 0x2a, 0x6e, 0xa7, 0xfc, 0xd3, 0x86, 0x37, 0x11, 0x8d, 0x5c, 0xe9, 0x8f, 0xb9, 0xf7, 0x43, 0x95, 0x05, 0x53, 0x50, 0x70, 0xd3, 0x4e, 0xe6, 0x33, 0xc7, 0x1e, 0x05, 0x2e, 0x52, 0x1c, 0x99, 0x73, 0x9f, 0x9c, 0xe3, 0xb1, 0x0f, 0xe9, 0x5e, 0x9c, 0x9d, 0x5d, 0x9f, 0x9f, 0x0c, 0x3e, 0xff, 0x0c, 0x25, 0x9a, 0x8b, 0xf5, 0x72, 0xc7, 0x35, 0x7f, 0x98, 0x7d, 0xb2, 0xf6, 0x4f, 0x19, 0x43, 0x30, 0x80, 0x91, 0x8a, 0x29, 0x30, 0x60, 0x30, 0x9d, 0xac, 0x21, 0x34, 0x76, 0xb1, 0xd4, 0xed, 0x51, 0xd3, 0xde, 0x38, 0x1b, 0x9b, 0x85, 0x77, 0xa9, 0xce, 0x0d, 0xa1, 0xae, 0xdc, 0x21, 0x80, 0x89, 0xff, 0x06, 0xdd, 0x0a, 0x77, 0x53, 0x9f, 0xfd, 0xca, 0x74, 0xfc, 0x0e, 0x09, 0x9d, 0x8f, 0x96, 0xf5, 0x57, 0x85, 0x33, 0xb0, 0xae, 0x6a, 0x89, 0x0f, 0x98, 0x0f, 0x10, 0x92, 0xfb, 0x20, 0xf3, 0x1d, 0x0c, 0xbd, 0x20, 0x76, 0x96, 0x3f, 0x08, 0x86, 0x5f, 0x8f, 0x02, 0x82, 0x07, 0xe6, 0x92, 0x32, 0xe8, 0xf4, 0x72, 0x84, 0xd4, 0x49, 0xad, 0x6b, 0xea, 0xaa, 0xb6, 0x1f, 0xaa, 0x37, 0x88, 0x1e, 0x22, 0xb5, 0x48, 0x55, 0x50, 0x45, 0x3a, 0x57, 0x83, 0x9f, 0x12, 0xca, 0x19, 0xdc, 0x5a, 0x9a, 0x4a, 0x4b, 0xb4, 0xc2, 0x76, 0x17, 0xae, 0x1f, 0xc7, 0x81, 0x13, 0x8f, 0x1c, 0xd3, 0xa4, 0x12, 0x98, 0x52, 0x2d, 0x42, 0xa3, 0xdd, 0x97, 0x9d, 0xcc, 0x19, 0x9f, 0x84, 0x8f, 0x07, 0x6f, 0x9d, 0x52, 0xa7, 0x87, 0xcf, 0x13, 0xe6, 0x82, 0xbb, 0x28, 0x15, 0xe9, 0x10, 0x32, 0x11, 0x3c, 0xf4, 0x27, 0x05, 0xfc, 0x33, 0x7c, 0xf9, 0x1d, 0x72, 0x3d, 0x7f, 0x3d, 0xe0, 0xce, 0x52, 0xc8, 0x2d, 0x83, 0x50, 0xae, 0x29, 0x63, 0x01, 0xbb, 0xe5, 0xca, 0xdc, 0x17, 0x33, 0x0e, 0x54, 0xb7, 0x35, 0xb0, 0xc7, 0x41, 0x28, 0x97, 0x35, 0xb0, 0xfd, 0x96, 0x2d, 0x0a, 0x90, 0xc7, 0x2d, 0x05, 0x0c, 0x19, 0xa5, 0x5c, 0xb4, 0x2f, 0x6d, 0x83, 0xa4, 0xd2, 0xb2, 0xf1, 0x40, 0x0a, 0x96, 0xa3, 0xb6, 0x9d, 0xa9, 0x87, 0xa7, 0x2c, 0x5c, 0xb2, 0x6e, 0xc6, 0xa8, 0x2b, 0x61, 0x38, 0x89, 0x70, 0x99, 0xc4, 0xda, 0xb3, 0x1f, 0xaa, 0x35, 0xb8, 0x65, 0x99, 0x0b, 0x10, 0xf0, 0x11, 0x5b, 0xa4, 0x38, 0xdd, 0xce, 0xd9, 0xe5, 0x75, 0x9f, 0x9c, 0x9e, 0xbc, 0xef, 0xfd, 0x0c, 0xdd, 0x29, 0x61, 0xb8, 0xdc, 0x9f, 0x94, 0x3b, 0x9b, 0x9d, 0x8f, 0x7b, 0xf7, 0x3a, 0xca, 0x03, 0xfc, 0x38, 0x17, 0x52, 0x5a, 0x40, 0x1c, 0x3d, 0xae, 0x0e, 0xd2, 0x8e, 0x55, 0x9b, 0xb6, 0x6b, 0x47, 0xb2, 0xf5, 0x3b, 0x04, 0xa1, 0x3c, 0x4d, 0x40, 0xe5, 0x5f, 0xb9, 0x7f, 0x08, 0x11, 0x79, 0x87, 0x9c, 0x9a, 0x5f, 0x0f, 0xc1, 0x51, 0xd9, 0x6e, 0x44, 0x51, 0xd0, 0x11, 0x43, 0x21, 0xd2, 0x16, 0x5c, 0x61, 0xd8, 0x97, 0x8d, 0x0f, 0x00, 0xe4, 0x06, 0xf9, 0x50, 0x38, 0x71, 0x3a, 0xa6, 0x11, 0xff, 0x26, 0x3d, 0x99, 0x71, 0x74, 0xae, 0x3e, 0x7a, 0x47, 0x11, 0x83, 0x3e, 0x6b, 0xe4, 0xa2, 0xdc, 0xc9, 0xba, 0x39, 0xd3, 0xed, 0x89, 0xd4, 0xd0, 0x67, 0x46, 0x8e, 0xc8, 0x65, 0xd6, 0x05, 0xca, 0xaf, 0x1a, 0x48, 0x5f, 0x35, 0xfc, 0x50, 0x6d, 0xd0, 0xd4, 0x15, 0x53, 0x91, 0xb1, 0x70, 0x91, 0x3e, 0x1c, 0xf7, 0x3a, 0xa7, 0x83, 0x63, 0xd2, 0xff, 0x8c, 0xf5, 0x5c, 0x3f, 0x43, 0x23, 0x2a, 0x58, 0x2e, 0xd7, 0x89, 0x6a, 0x77, 0xb0, 0x80, 0x0e, 0x16, 0x36, 0xaa, 0x9d, 0xaf, 0xf7, 0x71, 0x0a, 0xf1, 0x92, 0xfa, 0xf5, 0xe0, 0xe1, 0xaa, 0x05, 0xc3, 0x87, 0xca, 0x86, 0x80, 0x06, 0x77, 0x6c, 0xdf, 0x56, 0xf6, 0x01, 0xbe, 0xc7, 0x7c, 0x56, 0xa7, 0x2e, 0xe5, 0xfd, 0xcb, 0x92, 0xfd, 0xea, 0xc0, 0x27, 0xef, 0x1d, 0x54, 0xc1, 0x8d, 0xf9, 0x2d, 0x82, 0xc2, 0xfd, 0x75, 0x27, 0x8b, 0x1d, 0x0c, 0x8f, 0x20, 0x41, 0x93, 0x8d, 0xe4, 0x10, 0x1a, 0x71, 0x83, 0xbb, 0x38, 0xe0, 0xfa, 0x41, 0x92, 0x0b, 0xf1, 0xa9, 0x3e, 0x46, 0x99, 0x2f, 0xb4, 0x57, 0xbd, 0x7e, 0xaf, 0x73, 0xd5, 0x3d, 0xfe, 0x19, 0xf2, 0x6a, 0x70, 0x5b, 0x2e, 0xaa, 0xb6, 0x67, 0x65, 0x6b, 0xc6, 0x51, 0x32, 0x5b, 0x0e, 0xfe, 0x2b, 0x5b, 0x34, 0x44, 0x49, 0xf1, 0xd2, 0xa8, 0xdf, 0x42, 0xaf, 0xa6, 0xec, 0x96, 0x74, 0xb5, 0x8c, 0xfd, 0x4a, 0xb7, 0x7f, 0x87, 0xe0, 0xda, 0x99, 0xe6, 0x4c, 0xf2, 0x61, 0x31, 0xfc, 0xf9, 0x30, 0xcc, 0x83, 0xb3, 0x68, 0x1f, 0xd7, 0x00, 0x22, 0xcb, 0x37, 0x74, 0xe7, 0xcf, 0xf0, 0x80, 0x0d, 0xa2, 0x47, 0xad, 0x1a, 0x33, 0xed, 0x88, 0x0b, 0xc8, 0xe4, 0x65, 0x22, 0x15, 0x6b, 0xa6, 0xab, 0xed, 0x95, 0xe2, 0xc5, 0x9c, 0x30, 0xf8, 0x47, 0x6c, 0x46, 0x65, 0x7e, 0xc0, 0x54, 0x4d, 0x51, 0x67, 0x70, 0x7c, 0xda, 0x1b, 0x98, 0xed, 0x5d, 0xd5, 0x57, 0x62, 0x60, 0xce, 0x93, 0xac, 0x7a, 0x88, 0x84, 0xba, 0x78, 0x5a, 0xae, 0x0e, 0xa7, 0xf4, 0x11, 0xd5, 0xcc, 0x01, 0x55, 0x97, 0x06, 0x41, 0x9c, 0x67, 0xf3, 0xcf, 0xa8, 0xf4, 0xb1, 0x93, 0xab, 0xfa, 0xe8, 0xa3, 0xd5, 0x99, 0x03, 0xd8, 0x0a, 0xaa, 0x18, 0xe7, 0x66, 0x0d, 0xd2, 0xfe, 0x88, 0x7f, 0x8b, 0x5a, 0x84, 0xfb, 0x07, 0x61, 0x4d, 0x2c, 0x16, 0x54, 0x74, 0xf0, 0xef, 0xbd, 0x83, 0xea, 0xf8, 0x38, 0x63, 0xac, 0x05, 0x89, 0xe2, 0x49, 0xe9, 0xb0, 0x5e, 0x1f, 0x97, 0xe3, 0x9b, 0x2c, 0xae, 0x9d, 0x99, 0xdb, 0xe3, 0xee, 0xae, 0x2d, 0x18, 0x5d, 0xed, 0xea, 0xb6, 0xd5, 0x53, 0x9a, 0x47, 0xae, 0xff, 0xb2, 0x74, 0xb6, 0xfe, 0x41, 0x1d, 0x79, 0xaf, 0x0e, 0x74, 0x4d, 0x69, 0xf9, 0x2c, 0x7d, 0xc2, 0x86, 0x78, 0x90, 0xab, 0x4e, 0xd1, 0x75, 0x39, 0x31, 0x98, 0x54, 0xb6, 0x7a, 0x1e, 0x4f, 0x56, 0xd5, 0xf1},
		{0xb8, 0xe8, 0x56, 0x32, 0x0b, 0xde, 0x4a, 0x1d, 0x70, 0xcf, 0xa6, 0xe5, 0x08, 0x00, 0x45, 0x20, 0x05, 0x8c, 0x3c, 0x59, 0x00, 0x00, 0xef, 0x06, 0xec, 0xc9, 0xa4, 0x43, 0xe4, 0x98, 0x0a, 0x01, 0x0a, 0x4c, 0x00, 0x50, 0xe1, 0xa1, 0xfe, 0xab, 0x00, 0x15, 0x4d, 0xa6, 0xae, 0x36, 0x80, 0x18, 0x1f, 0x68, 0xf6, 0x67, 0x00, 0x00, 0x01, 0x01, 0x08, 0x0a, 0xb3, 0xa1, 0x66, 0x25, 0x1b, 0x4f, 0x37, 0x6d, 0xbf, 0xb4, 0xb1, 0x6c, 0x7f, 0x98, 0xb6, 0xda, 0xd0, 0x38, 0x7f, 0x61, 0x8a, 0xf9, 0xc5, 0xaf, 0x0a, 0x9b, 0x56, 0x6a, 0x6d, 0xb6, 0x16, 0x63, 0x4e, 0xdd, 0xc3, 0x8a, 0xee, 0x57, 0xef, 0x23, 0x0b, 0x2a, 0xa8, 0xaa, 0x6a, 0x60, 0x19, 0x86, 0xf3, 0xe0, 0x04, 0x87, 0xcc, 0x19, 0x05, 0x53, 0x79, 0x6a, 0x58, 0x21, 0x5a, 0xa5, 0x6e, 0xd2, 0x16, 0x70, 0xd7, 0x68, 0x67, 0xdb, 0x9d, 0x11, 0x70, 0xc2, 0xd9, 0x5c, 0xdf, 0x78, 0xfd, 0x72, 0x4e, 0x41, 0x42, 0x99, 0x58, 0x74, 0x04, 0x59, 0x13, 0xa7, 0x35, 0x72, 0x29, 0x14, 0x9c, 0x89, 0x4f, 0xe1, 0x3f, 0x1c, 0x40, 0xc1, 0x4f, 0xc7, 0xf5, 0x69, 0xa4, 0xab, 0x16, 0xe4, 0xb1, 0xee, 0xf6, 0xc6, 0xf6, 0xdd, 0xde, 0xeb, 0x99, 0xe2, 0x12, 0x0d, 0xc3, 0xe1, 0x21, 0x1d, 0x33, 0x51, 0xe0, 0xea, 0x60, 0xdd, 0x83, 0x33, 0xcc, 0xc7, 0xcd, 0xaf, 0xc9, 0x58, 0x9f, 0xe4, 0x7e, 0x82, 0x09, 0x08, 0x4e, 0x40, 0x60, 0x02, 0xa2, 0x26, 0xf8, 0x85, 0x9c, 0x01, 0x53, 0x09, 0xc5, 0x22, 0x50, 0xb0, 0x40, 0x64, 0x12, 0xa7, 0x81, 0xd7, 0x54, 0x15, 0x21, 0x17, 0x06, 0x58, 0x93, 0x9c, 0x82, 0x79, 0x88, 0xc8, 0x59, 0x9c, 0xca, 0x6a, 0x45, 0xaa, 0xeb, 0x61, 0xb0, 0x52, 0x59, 0x16, 0x2a, 0x0f, 0x2e, 0x2e, 0x4b, 0x25, 0x57, 0x5a, 0xf7, 0x4d, 0x05, 0x32, 0xb8, 0xda, 0x44, 0x9d, 0x3b, 0x97, 0x87, 0x1c, 0x5e, 0x0c, 0x06, 0x17, 0x67, 0xaa, 0x1a, 0x61, 0xee, 0xa8, 0x61, 0x0c, 0xb2, 0x13, 0x36, 0x6c, 0x29, 0x1c, 0x32, 0x99, 0xf2, 0xa8, 0x5e, 0x1b, 0xe3, 0x9a, 0x66, 0x5b, 0x4c, 0x4d, 0xfa, 0x01, 0xf7, 0x98, 0xf0, 0xe3, 0x49, 0xad, 0x0c, 0x4c, 0x9e, 0x1b, 0x0b, 0xf3, 0xb2, 0x51, 0x9f, 0x79, 0x14, 0xb0, 0x3b, 0xf9, 0x56, 0x15, 0x8a, 0x19, 0xd5, 0xd7, 0x6f, 0xd5, 0x38, 0xfb, 0xe6, 0x85, 0x35, 0x62, 0xd2, 0x9b, 0x9a, 0x32, 0xb1, 0x9a, 0xf2, 0x49, 0x19, 0xe0, 0x51, 0x6b, 0xd3, 0xfd, 0x47, 0x18, 0xfc, 0xe3, 0x78, 0x19, 0xf7, 0x44, 0x12, 0x67, 0xb2, 0xf4, 0xb1, 0xb5, 0xe1, 0x7c, 0xa4, 0xb7, 0x10, 0xd0, 0xdf, 0x94, 0xd8, 0x77, 0x3a, 0x8d, 0x22, 0xa2, 0x9b, 0x89, 0x43, 0x2e, 0xc1, 0x0e, 0xab, 0x7b, 0x0c, 0x44, 0x3a, 0x78, 0x0e, 0xf6, 0x80, 0x08, 0x17, 0x03, 0x42, 0xe0, 0x99, 0x61, 0x93, 0x42, 0x2b, 0x29, 0xaf, 0xd1, 0x71, 0x69, 0xa2, 0x0f, 0xd4, 0x97, 0xa2, 0x0b, 0x06, 0x3f, 0x8e, 0xc6, 0xed, 0xf2, 0xd4, 0xfb, 0x2d, 0xdd, 0x28, 0x15, 0x5a, 0x55, 0x40, 0xcd, 0x81, 0xee, 0x88, 0x10, 0xb4, 0x02, 0x52, 0xf7, 0x7b, 0xd1, 0x2c, 0xd5, 0xba, 0xec, 0xb7, 0x12, 0x53, 0xf6, 0x56, 0x76, 0x0b, 0x0f, 0xa3, 0xaf, 0x97, 0x0e, 0x47, 0xbf, 0xfd, 0xfa, 0x70, 0xfa, 0x6e, 0x3a, 0xa7, 0xb9, 0xb8, 0xe1, 0x51, 0xb7, 0x5b, 0x22, 0xf0, 0xe1, 0xf5, 0xc9, 0xe9, 0x80, 0xbc, 0xbf, 0x00, 0xe1, 0xbc, 0xea, 0x75, 0xfe, 0x36, 0x38, 0xbe, 0xba, 0xb8, 0xfe, 0x70, 0xdc, 0x07, 0x5a, 0x63, 0x96, 0x2f, 0x55, 0xe2, 0x8c, 0x4d, 0x41, 0x00, 0x4d, 0x22, 0x05, 0x0b, 0x23, 0x0a, 0x0e, 0x4a, 0xe7, 0x08, 0x2c, 0x0a, 0x16, 0x91, 0x29, 0x5f, 0xfe, 0x34, 0x06, 0xd8, 0xf5, 0x68, 0x5a, 0x1f, 0xe6, 0x3c, 0xc8, 0x08, 0x44, 0x53, 0xe4, 0x10, 0x92, 0xb7, 0x1b, 0xbc, 0x97, 0x92, 0x8f, 0x7d, 0xf1, 0x48, 0x5e, 0x7c, 0xc7, 0x32, 0x9e, 0x8d, 0x41, 0x7c, 0xfd, 0xea, 0x1f, 0xe7, 0x0f, 0x67, 0xd0, 0x96, 0x73, 0x98, 0x07, 0x41, 0xd9, 0x78, 0x1d, 0x5f, 0x90, 0xcf, 0x17, 0xd7, 0xe4, 0xc3, 0xc5, 0xf9, 0x79, 0x87, 0x5c, 0x9e, 0x76, 0x3e, 0xff, 0x42, 0x74, 0xe5, 0x9a, 0x4a, 0x85, 0x45, 0x46, 0xba, 0x7e, 0x8a, 0xf5, 0x04, 0x89, 0x4f, 0x70, 0xf0, 0x2b, 0x41, 0xe4, 0x9e, 0x18, 0x49, 0xd1, 0xd0, 0x09, 0x82, 0xf5, 0x5b, 0x8a, 0x3a, 0x52, 0x06, 0x21, 0xd6, 0xff, 0xe0, 0xc7, 0x22, 0x1b, 0xe6, 0x22, 0x93, 0xe7, 0xd8, 0x4f, 0xe2, 0x97, 0x59, 0x9e, 0xe6, 0xc7, 0x27, 0x3f, 0x96, 0x46, 0x76, 0x1c, 0x47, 0x11, 0xc5, 0x3a, 0xfb, 0xe9, 0x2f, 0x8f, 0xe4, 0xd5, 0x7d, 0x2b, 0x7b, 0xf9, 0xa7, 0xad, 0xbd, 0x77, 0x8f, 0x5a, 0xdd, 0xf3, 0xe9, 0x99, 0x9b, 0xff, 0xb6, 0xd4, 0x0b, 0x15, 0x6c, 0xdc, 0x76, 0x2e, 0xf3, 0x61, 0xc0, 0xdd, 0xce, 0x68, 0x44, 0x79, 0x2a, 0x4a, 0xfc, 0x3c, 0xeb, 0x0c, 0xba, 0xc7, 0x27, 0xe7, 0x1f, 0xc8, 0x59, 0xef, 0x7c, 0x70, 0x71, 0xd5, 0x27, 0x9d, 0xf3, 0x23, 0xd0, 0xbb, 0xeb, 0x93, 0x73, 0x54, 0x38, 0x0c, 0x18, 0xcc, 0xed, 0x02, 0x49, 0x09, 0x2d, 0x9f, 0x7a, 0x7f, 0xb1, 0xcf, 0x22, 0x0e, 0xba, 0xf0, 0x9e, 0x41, 0x04, 0x34, 0x11, 0x66, 0x2f, 0xfd, 0xa9, 0x2a, 0xa7, 0x97, 0xa6, 0xd9, 0x74, 0x46, 0x33, 0xd7, 0x47, 0xb3, 0x85, 0x87, 0x69, 0x71, 0xaa, 0xb6, 0x66, 0xd5, 0x95, 0xb4, 0x47, 0xb2, 0xf2, 0xbb, 0x16, 0xb3, 0x94, 0x63, 0x45, 0xd4, 0x54, 0x2a, 0x0c, 0x2c, 0xdc, 0xa2, 0x46, 0x41, 0x16, 0xf6, 0x2d, 0xac, 0x65, 0xad, 0x7a, 0x4a, 0xfd, 0x42, 0x16, 0x6b, 0xcd, 0xf1, 0x9c, 0xa6, 0x7a, 0x54, 0x27, 0x9a, 0xd8, 0xd6, 0x30, 0x37, 0xad, 0xe8, 0xff, 0x9b, 0xf8, 0x49, 0x16, 0x3f, 0xa2, 0xf4, 0xd6, 0x23, 0xc1, 0xc6, 0xcf, 0x8d, 0xaa, 0x24, 0x17, 0xa9, 0x2a, 0x3d, 0x46, 0x2e, 0xbc, 0x67, 0x14, 0xf7, 0xff, 0x81, 0x47, 0x20, 0x7c, 0x98, 0x2a, 0x97, 0x42, 0x25, 0x44, 0x7d, 0xa4, 0xdf, 0x3b, 0x42, 0xbd, 0x07, 0x2e, 0xfb, 0x5b, 0xed, 0xfa, 0xa8, 0xfd, 0x16, 0x34, 0x96, 0x83, 0x1c, 0x7b, 0xcf, 0xb5, 0x9c, 0x18, 0x16, 0x69, 0x1e, 0xe6, 0x16, 0x26, 0xe0, 0x51, 0x15, 0x5a, 0x8b, 0xf5, 0xe5, 0xe3, 0x71, 0x7c, 0xf1, 0xfb, 0x8c, 0x29, 0xd0, 0x78, 0x89, 0xd6, 0x27, 0x26, 0x02, 0x36, 0x95, 0x69, 0xc5, 0x10, 0x44, 0x7b, 0x6d, 0xf5, 0xef, 0x39, 0x4b, 0x40, 0x9f, 0x56, 0x4f, 0x41, 0x73, 0xd6, 0x56, 0x3b, 0x91, 0x97, 0xb2, 0xc9, 0xea, 0xaf, 0x74, 0xca, 0x5d, 0x7f, 0x35, 0xf1, 0xe3, 0x2c, 0xfe, 0x12, 0x72, 0xaf, 0x44, 0x58, 0x49, 0xad, 0xc4, 0x9f, 0x82, 0x41, 0x43, 0x72, 0xd9, 0x9c, 0x52, 0xf6, 0x2d, 0xeb, 0x7a, 0x25, 0x7c, 0xc4, 0x42, 0x48, 0x6b, 0x03, 0xfc, 0xed, 0xe5, 0xf8, 0x77, 0x20, 0xca, 0x04, 0x33, 0xda, 0x05, 0x55, 0xd4, 0x85, 0xcd, 0xdb, 0x85, 0x0d, 0x69, 0xd7, 0x90, 0x00, 0xfe, 0x22, 0xa7, 0x29, 0x8c, 0x11, 0x24, 0x02, 0xf6, 0x05, 0x53, 0xd4, 0x6c, 0x3a, 0x14, 0x90, 0x57, 0x67, 0x8c, 0x7c, 0x63, 0x69, 0xdc, 0x84, 0x94, 0x23, 0x65, 0xaf, 0xf0, 0xc6, 0xec, 0xb4, 0x49, 0x50, 0x79, 0x89, 0xd1, 0x5e, 0x5b, 0x7e, 0x5e, 0x28, 0xf2, 0x63, 0x28, 0x7e, 0x7a, 0xf4, 0x29, 0xd9, 0x5a, 0x4c, 0xf1, 0x8f, 0x34, 0x80, 0x40, 0x8b, 0xad, 0xf6, 0x43, 0x9e, 0xf9, 0x35, 0x62, 0xea, 0x77, 0x44, 0xbe, 0x7b, 0x76, 0x52, 0x6a, 0xc4, 0xce, 0xd9, 0x04, 0x77, 0x74, 0x72, 0xa0, 0xcd, 0x45, 0x44, 0x8e, 0xec, 0x1d, 0x5f, 0x95, 0x51, 0xce, 0xa1, 0x6e, 0x05, 0xab, 0x35, 0x69, 0x20, 0xf1, 0xe2, 0x32, 0x97, 0xdb, 0xc8, 0xf1, 0x88, 0xf4, 0x27, 0x34, 0xcd, 0xfc, 0x10, 0x14, 0x04, 0xf8, 0xa3, 0xef, 0xf6, 0xba, 0x1c, 0xef, 0x2e, 0xe3, 0x1d, 0x8c, 0x29, 0xd0, 0x5f, 0x90, 0x8c, 0x51, 0x65, 0xa7, 0x41, 0x0d, 0xd5, 0xe6, 0xdd, 0xf3, 0x11, 0xfc, 0x03, 0xdf, 0xf8, 0x8d, 0x2d, 0x26, 0x78, 0x9f, 0x05, 0x23, 0xa0, 0xf7, 0x04, 0x90, 0x5f, 0x3d, 0x03, 0x41, 0x0e, 0x57, 0x0f, 0x21, 0x93, 0xe6, 0x37, 0x6b, 0xab, 0xc3, 0x69, 0xa5, 0xe1, 0xcb, 0x96, 0xb7, 0xf7, 0xfa, 0xcd, 0xde, 0xd6, 0xa6, 0xf3, 0x7a, 0x77, 0xe7, 0x8d, 0xb3, 0xbd, 0xb9, 0x3e, 0x72, 0xf6, 0x36, 0xd7, 0xb7, 0x9d, 0x8d, 0x37, 0x5b, 0x6f, 0x46, 0x2e, 0xdb, 0xa0, 0x8c, 0x6d, 0x3b, 0x49, 0x7a, 0x5b, 0x76, 0x90, 0x38, 0x9e, 0xa8, 0xf1, 0xd2, 0xf7, 0xe0, 0x11, 0x5c, 0x00, 0x2b, 0x7e, 0x76, 0xee, 0xe9, 0x55, 0x9a, 0x0b, 0x1f, 0xe4, 0x03, 0xcb, 0x60, 0x5e, 0xdc, 0x12, 0x05, 0xaa, 0xbe, 0xc7, 0xb8, 0xa2, 0xaf, 0xa7, 0x2e, 0xb6, 0xe8, 0x2a, 0x6c, 0x9c, 0x41, 0x15, 0x19, 0xd9, 0xc0, 0x68, 0xd3, 0x82, 0x81, 0x1f, 0x48, 0x6b, 0xbc, 0x22, 0x0d, 0x6e, 0x6d, 0x4a, 0xf4, 0xa1, 0x81, 0x32, 0x89, 0xe6, 0xf6, 0xc9, 0x72, 0x65, 0x29, 0x6e, 0x71, 0x94, 0xd7, 0xea, 0x52, 0x08, 0x87, 0x05, 0x0b, 0x74, 0x51, 0x70, 0xd9, 0x1f, 0xeb, 0xcb, 0x05, 0x28, 0x56, 0xb7, 0xc4, 0xe3, 0x02, 0xef, 0xed, 0x7b, 0x26, 0xdb, 0xff, 0x13, 0xa4, 0x27, 0xd0, 0xce, 0x61, 0xf0, 0x8c, 0xbd, 0x35, 0xfe, 0x77, 0x1e, 0xb0, 0x48, 0x56, 0x5b, 0x5b, 0x18, 0xe7, 0xf0, 0x73, 0xe1, 0xf8, 0xf2, 0xb6, 0x93, 0xa9, 0xc6, 0x57, 0x6b, 0x47, 0x99, 0x2d, 0xef, 0x5c, 0x94, 0x8b, 0xf2, 0x6d, 0x8f, 0xc2, 0xeb, 0xda, 0x1d, 0x35, 0x90, 0x7a, 0x67, 0xc4, 0xef, 0x1a, 0xd5, 0x3a, 0x7e, 0xe9, 0x99, 0x22, 0x36, 0x11, 0x9a, 0xe9, 0xe8, 0x0d, 0x40, 0x1f, 0x45, 0x1a, 0xc7, 0xa1, 0xf4, 0x02, 0xaa, 0x15, 0xe8, 0xf7, 0x87, 0xfd, 0x72, 0xd8, 0x47, 0x4a, 0xf7, 0x12, 0xb4, 0x64, 0x44, 0x7a, 0x58, 0xe1, 0xc2, 0x53, 0x26, 0x6f, 0xe1, 0x09, 0x7c, 0xe5, 0x78, 0x11, 0x75, 0x42, 0x9a, 0xa0, 0x2d, 0x87, 0xd4, 0x3e, 0x0e, 0x1c, 0x9f, 0x05, 0x89, 0x70, 0x6c, 0x4e, 0x27, 0x1c, 0xe5, 0xf5, 0x1c, 0xb9, 0x59, 0x2b, 0x32, 0x55, 0x28, 0x3c, 0x71, 0xc6, 0x90, 0x68, 0x08, 0x07, 0xcf, 0x1e, 0x52, 0x36, 0xce, 0xf1, 0xc2, 0xb6, 0xd7, 0x68},
		{0x4a, 0x1d, 0x70, 0xcf, 0xa6, 0xe5, 0xb8, 0xe8, 0x56, 0x32, 0x0b, 0xde, 0x08, 0x00, 0x45, 0x00, 0x00, 0x34, 0x38, 0x2d, 0x40, 0x00, 0x40, 0x06, 0x65, 0x6e, 0x0a, 0x01, 0x0a, 0x4c, 0xa4, 0x43, 0xe4, 0x98, 0xe1, 0xa1, 0x00, 0x50, 0x4d, 0xa6, 0xae, 0x36, 0xfe, 0xaa, 0xf5, 0x65, 0x80, 0x10, 0x0f, 0xdd, 0x8b, 0x18, 0x00, 0x00, 0x01, 0x01, 0x08, 0x0a, 0x1b, 0x4f, 0x37, 0xa9, 0xb3, 0xa1, 0x66, 0x25},
		{0x4a, 0x1d, 0x70, 0xcf, 0xa6, 0xe5, 0xb8, 0xe8, 0x56, 0x32, 0x0b, 0xde, 0x08, 0x00, 0x45, 0x00, 0x00, 0x34, 0x18, 0x50, 0x40, 0x00, 0x40, 0x06, 0x85, 0x4b, 0x0a, 0x01, 0x0a, 0x4c, 0xa4, 0x43, 0xe4, 0x98, 0xe1, 0xa1, 0x00, 0x50, 0x4d, 0xa6, 0xae, 0x36, 0xfe, 0xaa, 0xfa, 0xbd, 0x80, 0x10, 0x0f, 0xd5, 0x85, 0xc8, 0x00, 0x00, 0x01, 0x01, 0x08, 0x0a, 0x1b, 0x4f, 0x37, 0xa9, 0xb3, 0xa1, 0x66, 0x25},
		{0x4a, 0x1d, 0x70, 0xcf, 0xa6, 0xe5, 0xb8, 0xe8, 0x56, 0x32, 0x0b, 0xde, 0x08, 0x00, 0x45, 0x00, 0x00, 0x34, 0xf1, 0x50, 0x40, 0x00, 0x40, 0x06, 0xac, 0x4a, 0x0a, 0x01, 0x0a, 0x4c, 0xa4, 0x43, 0xe4, 0x98, 0xe1, 0xa1, 0x00, 0x50, 0x4d, 0xa6, 0xae, 0x36, 0xfe, 0xab, 0x00, 0x15, 0x80, 0x10, 0x0f, 0xaa, 0x80, 0x9b, 0x00, 0x00, 0x01, 0x01, 0x08, 0x0a, 0x1b, 0x4f, 0x37, 0xa9, 0xb3, 0xa1, 0x66, 0x25},
		{0x4a, 0x1d, 0x70, 0xcf, 0xa6, 0xe5, 0xb8, 0xe8, 0x56, 0x32, 0x0b, 0xde, 0x08, 0x00, 0x45, 0x00, 0x00, 0x34, 0x9f, 0x83, 0x40, 0x00, 0x40, 0x06, 0xfe, 0x17, 0x0a, 0x01, 0x0a, 0x4c, 0xa4, 0x43, 0xe4, 0x98, 0xe1, 0xa1, 0x00, 0x50, 0x4d, 0xa6, 0xae, 0x36, 0xfe, 0xab, 0x05, 0x6d, 0x80, 0x10, 0x0f, 0x7f, 0x7b, 0x6e, 0x00, 0x00, 0x01, 0x01, 0x08, 0x0a, 0x1b, 0x4f, 0x37, 0xa9, 0xb3, 0xa1, 0x66, 0x25},
		{0x4a, 0x1d, 0x70, 0xcf, 0xa6, 0xe5, 0xb8, 0xe8, 0x56, 0x32, 0x0b, 0xde, 0x08, 0x00, 0x45, 0x00, 0x00, 0x34, 0x9e, 0x4e, 0x40, 0x00, 0x40, 0x06, 0xff, 0x4c, 0x0a, 0x01, 0x0a, 0x4c, 0xa4, 0x43, 0xe4, 0x98, 0xe1, 0xa1, 0x00, 0x50, 0x4d, 0xa6, 0xae, 0x36, 0xfe, 0xab, 0x05, 0x6d, 0x80, 0x10, 0x10, 0x00, 0x7a, 0xec, 0x00, 0x00, 0x01, 0x01, 0x08, 0x0a, 0x1b, 0x4f, 0x37, 0xaa, 0xb3, 0xa1, 0x66, 0x25},
		{0xb8, 0xe8, 0x56, 0x32, 0x0b, 0xde, 0x4a, 0x1d, 0x70, 0xcf, 0xa6, 0xe5, 0x08, 0x00, 0x45, 0x20, 0x05, 0x8c, 0x3c, 0x5a, 0x00, 0x00, 0xef, 0x06, 0xec, 0xc8, 0xa4, 0x43, 0xe4, 0x98, 0x0a, 0x01, 0x0a, 0x4c, 0x00, 0x50, 0xe1, 0xa1, 0xfe, 0xab, 0x05, 0x6d, 0x4d, 0xa6, 0xae, 0x36, 0x80, 0x18, 0x1f, 0x68, 0xde, 0x6c, 0x00, 0x00, 0x01, 0x01, 0x08, 0x0a, 0xb3, 0xa1, 0x66, 0x2b, 0x1b, 0x4f, 0x37, 0xa9, 0x1f, 0x41, 0x30, 0xaf, 0x81, 0x11, 0x04, 0x46, 0x24, 0xb0, 0x22, 0x41, 0x14, 0xc6, 0x85, 0x16, 0xc0, 0x08, 0xc6, 0x2b, 0x12, 0x18, 0xc1, 0xa3, 0x0a, 0x0b, 0x8c, 0x94, 0xa2, 0x3f, 0xb9, 0x9d, 0x68, 0x76, 0x10, 0x1f, 0xb7, 0x56, 0xed, 0x4f, 0x55, 0xf1, 0x44, 0x88, 0x89, 0x92, 0x3e, 0x5d, 0x83, 0x34, 0xc9, 0x09, 0x64, 0xe4, 0x86, 0x4c, 0xd1, 0x69, 0x92, 0xde, 0xda, 0x75, 0xf0, 0x0a, 0xac, 0xd0, 0x51, 0xbb, 0xca, 0xae, 0x10, 0xd3, 0xfb, 0x73, 0x2b, 0x79, 0x6f, 0x56, 0x3c, 0x0f, 0xd6, 0x96, 0x43, 0x29, 0x1e, 0xd9, 0x78, 0xa6, 0x80, 0x1c, 0xad, 0xab, 0x23, 0xf2, 0x31, 0x88, 0x8c, 0xdc, 0x22, 0xdc, 0x71, 0x42, 0xf0, 0x5f, 0x18, 0x18, 0x8e, 0xf9, 0x28, 0x33, 0x87, 0x20, 0x4e, 0xe9, 0xa3, 0x08, 0x8d, 0xf6, 0x95, 0x84, 0x20, 0xf1, 0xb7, 0xf6, 0x19, 0x21, 0x10, 0x84, 0x40, 0xfe, 0xbc, 0x43, 0x34, 0x08, 0x82, 0x20, 0xcc, 0x91, 0x09, 0x84, 0x93, 0x16, 0xc4, 0x33, 0xaf, 0x48, 0xf0, 0xd4, 0xf9, 0xea, 0x8c, 0x52, 0x2a, 0xbf, 0xbd, 0x91, 0xc5, 0x9e, 0x07, 0x4e, 0x01, 0x02, 0xbd, 0x48, 0xc8, 0x98, 0xd1, 0x89, 0x62, 0x88, 0x2f, 0xf0, 0x82, 0xd5, 0x37, 0x86, 0x07, 0xf5, 0xae, 0xcf, 0x30, 0xbc, 0x42, 0xc3, 0xae, 0x4f, 0xb1, 0x20, 0xb8, 0xc6, 0x8f, 0x05, 0xf0, 0x0c, 0xd4, 0xfc, 0xd7, 0x26, 0x58, 0x34, 0x84, 0x84, 0x7a, 0x2a, 0x21, 0x11, 0x84, 0x44, 0xce, 0x11, 0x08, 0xc4, 0xde, 0x00, 0x84, 0x00, 0xaf, 0x2c, 0x90, 0x67, 0x5e, 0x0b, 0x04, 0x82, 0x58, 0xf5, 0xed, 0x60, 0xbc, 0x8a, 0xd1, 0x2a, 0xfc, 0x74, 0x84, 0x13, 0x63, 0x0c, 0x0a, 0x5a, 0x13, 0xb1, 0x11, 0x07, 0xa3, 0xfd, 0x49, 0x75, 0x22, 0xb8, 0x21, 0x8d, 0xb1, 0x25, 0xfc, 0xfc, 0x9f, 0xff, 0xfa, 0x6f, 0x41, 0x64, 0x37, 0xa2, 0xbb, 0x3d, 0x33, 0x62, 0x34, 0x72, 0xa8, 0xe7, 0xe3, 0xe9, 0x39, 0x1d, 0x47, 0xb1, 0xe0, 0xc2, 0x49, 0x72, 0xd0, 0xe4, 0x31, 0x4f, 0x03, 0x81, 0x98, 0x86, 0xf8, 0xa1, 0x06, 0x1f, 0x72, 0x3a, 0x40, 0x14, 0x52, 0xd1, 0x1b, 0x79, 0xb2, 0xa3, 0xf0, 0xc6, 0xfc, 0x88, 0x06, 0xfa, 0x6c, 0x11, 0xcf, 0x15, 0xc1, 0xc4, 0xca, 0x52, 0xa7, 0xa3, 0xe3, 0x23, 0x62, 0xe1, 0x11, 0x84, 0x47, 0x24, 0x3c, 0x5c, 0x94, 0x02, 0x45, 0xd4, 0x58, 0xa2, 0xc6, 0x12, 0x04, 0xfc, 0xcc, 0xeb, 0x92, 0xe2, 0x1d, 0xe4, 0x68, 0xaa, 0xb0, 0x12, 0x31, 0xc1, 0x8f, 0x7a, 0x98, 0x72, 0x2c, 0x47, 0xd7, 0x99, 0x08, 0x07, 0x5a, 0xbd, 0x90, 0x02, 0x2f, 0xf0, 0x42, 0x39, 0x9e, 0x17, 0xe6, 0xe9, 0x98, 0xa1, 0x04, 0xa9, 0x6b, 0x7a, 0x39, 0x1a, 0x27, 0x3b, 0x9c, 0xe8, 0xe1, 0xc4, 0x0c, 0x27, 0x66, 0x38, 0x51, 0xc3, 0x89, 0x1e, 0x3e, 0x77, 0x29, 0xf6, 0x90, 0x63, 0xf9, 0x22, 0x1a, 0x85, 0xdf, 0x81, 0xd8, 0x07, 0xcb, 0x3c, 0xa5, 0xd5, 0x28, 0xac, 0xba, 0x02, 0x5f, 0x78, 0xca, 0xaa, 0x33, 0x60, 0xb7, 0xea, 0xa4, 0xd8, 0xba, 0x83, 0x63, 0x3c, 0x28, 0x8c, 0xd4, 0xa5, 0x83, 0x8a, 0x43, 0x58, 0xd1, 0x18, 0x2e, 0xde, 0x00, 0xf0, 0xed, 0xd0, 0x02, 0x3d, 0x48, 0xda, 0x5a, 0x72, 0x8e, 0xd6, 0xe6, 0xfa, 0xce, 0xeb, 0xf5, 0x37, 0x33, 0x71, 0x52, 0x31, 0xa8, 0xb5, 0xb9, 0xf5, 0xe6, 0x0d, 0x78, 0x08, 0xac, 0x4d, 0x65, 0x69, 0x29, 0xc8, 0xe9, 0x79, 0x78, 0x73, 0x84, 0x9c, 0x35, 0xc9, 0x11, 0x23, 0x57, 0xa0, 0x83, 0xe0, 0xf4, 0xc4, 0x1a, 0x39, 0x3b, 0xb2, 0x17, 0xb5, 0x37, 0x37, 0x5e, 0xe3, 0x25, 0xec, 0x72, 0x66, 0xff, 0x5d, 0xb8, 0x0d, 0x2e, 0x8e, 0x3a, 0x9f, 0xdf, 0x92, 0x85, 0x13, 0x16, 0x13, 0x68, 0x4e, 0x3d, 0x9d, 0x28, 0xbb, 0x1b, 0x3b, 0x7b, 0xf7, 0x13, 0x65, 0x77, 0x2e, 0x51, 0xba, 0xc0, 0x6e, 0x40, 0x0c, 0x23, 0x27, 0xc9, 0xf7, 0xe7, 0x23, 0x85, 0xc2, 0x68, 0x63, 0xbd, 0xb5, 0xb1, 0x43, 0x48, 0x6d, 0x9a, 0x7f, 0x07, 0x01, 0xf6, 0xd6, 0x37, 0x96, 0x10, 0x60, 0x77, 0x1e, 0x01, 0x2e, 0x4d, 0x0e, 0x80, 0x55, 0xbc, 0x47, 0x6c, 0x08, 0xde, 0xfd, 0x39, 0x89, 0x20, 0xb1, 0x42, 0x22, 0xec, 0x11, 0x32, 0x67, 0xaa, 0x19, 0x42, 0x48, 0x9d, 0xfd, 0xc3, 0x43, 0xa7, 0x5a, 0xa0, 0xb5, 0x65, 0xe5, 0xbb, 0x5f, 0x6f, 0xf1, 0x8b, 0x4d, 0x60, 0x4f, 0xe5, 0x87, 0x62, 0x2c, 0x30, 0x16, 0x79, 0x25, 0x4d, 0x86, 0x50, 0x22, 0x62, 0x2e, 0xba, 0xae, 0xcc, 0xd7, 0x49, 0x4f, 0x59, 0xa1, 0x75, 0x04, 0x5d, 0x3e, 0x5c, 0x2c, 0x6d, 0xcc, 0x8c, 0xa8, 0xcb, 0x86, 0x71, 0x7c, 0x23, 0xbf, 0x51, 0x80, 0x68, 0x0f, 0xe5, 0xa6, 0x56, 0x2d, 0x70, 0x36, 0xbd, 0xe4, 0xed, 0x08, 0xf9, 0x24, 0xbf, 0xfd, 0xa3, 0xc3, 0x5a, 0xd3, 0x56, 0xbd, 0x66, 0x3d, 0x77, 0x4a, 0xfd, 0xdd, 0x21, 0x3b, 0x5b, 0x6d, 0x1e, 0xfd, 0x1a, 0x14, 0x54, 0x3d, 0x94, 0x67, 0xd1, 0x4d, 0x0f, 0x98, 0x04, 0x37, 0x80, 0xf2, 0x21, 0xb3, 0x5c, 0xa8, 0x4d, 0xa2, 0x5f, 0x37, 0xda, 0x9f, 0xd5, 0x43, 0x79, 0x12, 0x68, 0x1a, 0x40, 0xd3, 0x03, 0x26, 0x41, 0xe2, 0xe1, 0xe9, 0x3d, 0x45, 0xeb, 0xbf, 0x68, 0x3d, 0xb6, 0x03, 0xd6, 0xd1, 0xeb, 0xc7, 0xf2, 0x74, 0xb6, 0x71, 0xd9, 0x84, 0x42, 0xcf, 0x28, 0x22, 0x9a, 0xb8, 0x3e, 0xcd, 0xd4, 0xd7, 0x76, 0x3c, 0x4f, 0x4e, 0x1a, 0x8f, 0x46, 0x1c, 0xa5, 0xa4, 0x36, 0xb9, 0xe9, 0x0b, 0xc9, 0x9c, 0x7e, 0x2a, 0x4f, 0x6d, 0xda, 0xaa, 0x33, 0x5b, 0x8f, 0x54, 0x24, 0x29, 0x95, 0x6c, 0x45, 0xee, 0x13, 0x2e, 0xc8, 0x58, 0x66, 0x36, 0x14, 0x8b, 0xbd, 0xc3, 0x9f, 0xbe, 0x2b, 0xa8, 0xae, 0xc9, 0x3b, 0xb8, 0xf7, 0x2e, 0x4b, 0x03, 0x87, 0x31, 0xc4, 0xbf, 0x58, 0xc5, 0x99, 0xf2, 0xb0, 0xd8, 0x16, 0x84, 0x2c, 0xfc, 0x0e, 0xbc, 0xb6, 0xb6, 0x52, 0x72, 0xe7, 0xb4, 0xf8, 0x86, 0x92, 0x41, 0xca, 0xd1, 0xb0, 0xf6, 0xf0, 0x6a, 0xed, 0x03, 0x76, 0x09, 0x47, 0x14, 0xc2, 0xd2, 0x62, 0x4c, 0xe9, 0xda, 0xff, 0xa5, 0xc2, 0x86, 0x48, 0x6c, 0x64, 0x9a, 0x0c, 0xd8, 0xac, 0x91, 0x89, 0xcf, 0x03, 0xcc, 0x64, 0x70, 0x4f, 0x15, 0x5f, 0x4f, 0x18, 0x2c, 0x5d, 0x5d, 0x01, 0x66, 0x33, 0xfb, 0x86, 0xc4, 0x99, 0x73, 0x1c, 0xfb, 0x62, 0xf6, 0xe0, 0xbb, 0x7a, 0x60, 0x5a, 0xd9, 0x3b, 0x8c, 0x63, 0xcc, 0x59, 0x92, 0x5c, 0xf8, 0xc5, 0x07, 0x47, 0x34, 0x33, 0xc9, 0x9c, 0x53, 0x5a, 0xd2, 0x3b, 0x3f, 0x92, 0x9f, 0xf4, 0x9b, 0xd3, 0x03, 0x8f, 0x7e, 0xd5, 0x6b, 0xf5, 0x4d, 0x93, 0x1a, 0x12, 0xd5, 0x0f, 0x98, 0xa8, 0x76, 0x65, 0xe0, 0xd4, 0x97, 0xb0, 0xaa, 0x87, 0xb9, 0x15, 0xd3, 0xa7, 0xcf, 0xfa, 0x1f, 0x61, 0xc1, 0xcc, 0x6d, 0x69, 0x75, 0x76, 0x12, 0x11, 0x63, 0xa5, 0x1a, 0xb3, 0x46, 0xad, 0xde, 0xc5, 0xde, 0xb6, 0x5f, 0x6a, 0xbe, 0xea, 0x93, 0x68, 0x23, 0xd5, 0x98, 0x31, 0x68, 0xb5, 0x0e, 0x0b, 0x67, 0x98, 0xb1, 0x5d, 0xf5, 0x19, 0xb4, 0x85, 0x6a, 0xcc, 0x58, 0xb3, 0x5a, 0x87, 0x85, 0x33, 0x2c, 0x30, 0x5c, 0xf5, 0x79, 0xac, 0x69, 0x6a, 0xcc, 0x31, 0x66, 0x33, 0x9d, 0xe6, 0xcf, 0xf6, 0x30, 0xab, 0x55, 0x9f, 0xd9, 0x58, 0xa6, 0xc6, 0xac, 0x21, 0xab, 0x77, 0x91, 0xd3, 0x1a, 0x99, 0x55, 0x3b, 0xe5, 0x52, 0x9a, 0xab, 0x82, 0xa4, 0x24, 0xbc, 0xe0, 0xbb, 0xfa, 0x59, 0xfb, 0x2a, 0x86, 0x56, 0x83, 0xe2, 0xab, 0x18, 0xa5, 0x3b, 0xe9, 0x95, 0x81, 0xb6, 0xc6, 0xce, 0x5e, 0x6e, 0xaf, 0x7e, 0xcc, 0xc2, 0x6c, 0xa3, 0xcb, 0x74, 0x08, 0xab, 0xf6, 0x44, 0xa5, 0x40, 0xa8, 0xdc, 0xa7, 0x80, 0x54, 0xa9, 0x7e, 0x29, 0xf5, 0x48, 0xe3, 0x89, 0x33, 0x0a, 0x72, 0xee, 0xcd, 0x14, 0x19, 0x95, 0x7b, 0xa1, 0x41, 0x77, 0x36, 0xe7, 0xd5, 0x21, 0x51, 0xd3, 0x45, 0xa5, 0x3e, 0xf8, 0x05, 0x8f, 0xe2, 0xf3, 0x1d, 0x33, 0xdd, 0x61, 0x00, 0x9f, 0x19, 0xe0, 0x4c, 0x7c, 0x59, 0x30, 0xb8, 0xdf, 0x9a, 0x57, 0x7e, 0x54, 0xff, 0x2e, 0x85, 0x2d, 0xcd, 0xa9, 0x7f, 0x95, 0x62, 0x16, 0x5f, 0xa2, 0xe9, 0xb9, 0xa0, 0x84, 0x8a, 0x85, 0x76, 0x97, 0x4b, 0x96, 0xa9, 0x39, 0xfa, 0xc3, 0x27, 0xe0, 0x34, 0x31, 0xd1, 0xd2, 0x85, 0x9e, 0x2c, 0x9c, 0x33, 0xb4, 0x38, 0xcc, 0x28, 0xa6, 0x98, 0xc3, 0x0a, 0xdb, 0x7f, 0x5e, 0x61, 0x95, 0x26, 0xdf, 0xdc, 0x5b, 0xce, 0xe5, 0x6d, 0x55, 0x5d, 0x98, 0x39, 0x77, 0x3c, 0x7e, 0xdc, 0x0e, 0x7d, 0xad, 0xbd, 0x14, 0xad, 0xbe, 0xed, 0x32, 0xb7, 0xe3, 0x2c, 0x21, 0x55, 0xf3, 0x7c, 0xdc, 0x96, 0xa3, 0x5c, 0xd2, 0x76, 0x8f, 0xa7, 0x10, 0x1f, 0xc6, 0xe9, 0x74, 0x4e, 0x5c, 0xfa, 0xd0, 0x25, 0x1c, 0x19, 0x18, 0xdf, 0xbd, 0x08, 0x95, 0xae, 0x3f, 0x80, 0xd6, 0xb2, 0x88, 0xc7, 0xcd, 0x1e, 0x4f, 0x65, 0x35, 0xee, 0xdf, 0x8e, 0x60, 0x89, 0xb2, 0x58, 0x5f, 0x8b, 0x65, 0x90, 0x69, 0x41, 0xd9, 0x2e, 0x0d, 0x20, 0x3c, 0xa7, 0xa9, 0x68, 0x99, 0xb2, 0xc8, 0x47, 0x2f, 0xc4, 0x5e, 0x0b, 0x33, 0xb0, 0x7e, 0xa8, 0xe0, 0xb4, 0x42, 0x9a, 0x08, 0x47, 0xc9, 0x8c, 0xbc, 0x4e, 0x90, 0x50, 0xb9, 0x03, 0xf5, 0x78, 0x99, 0x39, 0x03, 0x40, 0x6b, 0xe4, 0xc8, 0x42, 0xfa, 0xe1, 0xf2, 0x8f, 0xfe, 0x47, 0x7e, 0xd5, 0x53, 0xed, 0xd7, 0x40, 0xd0, 0x2a, 0xad, 0x46, 0xc1, 0x2c, 0x7d, 0x83, 0x41, 0xaf, 0xf0, 0xd1, 0x0b, 0xbc, 0x54, 0xe3, 0x74, 0xed, 0xcc, 0xa0, 0x32, 0xc9, 0x13, 0xc5, 0xf0, 0x51, 0xd2, 0x68, 0xfc, 0xac, 0xfd, 0x0a, 0xea, 0x13, 0x14, 0xbd, 0x67, 0x60, 0x3c, 0x1b, 0xb7, 0xaa, 0xd5, 0x9c, 0xa6, 0x6d},
		{0xb8, 0xe8, 0x56, 0x32, 0x0b, 0xde, 0x4a, 0x1d, 0x70, 0xcf, 0xa6, 0xe5, 0x08, 0x00, 0x45, 0x20, 0x01, 0xb7, 0x3c, 0x5b, 0x00, 0x00, 0xef, 0x06, 0xf0, 0x9c, 0xa4, 0x43, 0xe4, 0x98, 0x0a, 0x01, 0x0a, 0x4c, 0x00, 0x50, 0xe1, 0xa1, 0xfe, 0xab, 0x0a, 0xc5, 0x4d, 0xa6, 0xae, 0x36, 0x80, 0x18, 0x1f, 0x68, 0x13, 0x1f, 0x00, 0x00, 0x01, 0x01, 0x08, 0x0a, 0xb3, 0xa1, 0x66, 0x2b, 0x1b, 0x4f, 0x37, 0xa9, 0xce, 0xd7, 0x61, 0xe6, 0xf9, 0x88, 0x31, 0x83, 0x90, 0x3a, 0xba, 0x8d, 0x83, 0x5b, 0x36, 0xeb, 0x03, 0xef, 0xf3, 0x12, 0x5d, 0xc9, 0x5a, 0xfb, 0x85, 0x94, 0x25, 0x7e, 0xa2, 0x3c, 0xcd, 0x93, 0x3c, 0x85, 0x61, 0x87, 0xfa, 0x4c, 0xf1, 0x53, 0xf8, 0xa0, 0xbf, 0x73, 0x5c, 0x1c, 0x9c, 0x9a, 0x72, 0x70, 0xfd, 0xb1, 0xe3, 0x9f, 0xe5, 0x4d, 0x44, 0x2e, 0x30, 0x93, 0x78, 0xc2, 0xd2, 0xfa, 0x0a, 0x82, 0xbe, 0xa9, 0xfd, 0xb3, 0xd6, 0x91, 0xa5, 0x39, 0x93, 0xa9, 0xc2, 0x13, 0x56, 0x32, 0x00, 0x18, 0xaa, 0x0c, 0x88, 0xf4, 0x41, 0xed, 0x99, 0xba, 0x6a, 0xff, 0xe3, 0xd7, 0x03, 0x82, 0x9b, 0x43, 0xdc, 0xca, 0xd2, 0x27, 0xac, 0xe5, 0xa3, 0x81, 0xc1, 0x45, 0xf8, 0x7f, 0x43, 0xf7, 0x41, 0x4a, 0xa6, 0xf8, 0xd1, 0x1d, 0x88, 0xf6, 0x1e, 0xa9, 0xfc, 0x3d, 0xdc, 0xdd, 0x23, 0x1f, 0x59, 0xf4, 0x10, 0xdd, 0xaf, 0x4c, 0xf3, 0x64, 0xe5, 0x07, 0x6e, 0xa8, 0x73, 0xc1, 0xe2, 0x58, 0x50, 0x9d, 0x0a, 0x96, 0x52, 0xba, 0x47, 0x72, 0x66, 0x49, 0x39, 0xe6, 0x8f, 0xf5, 0xa7, 0xd2, 0xcf, 0xc8, 0xc3, 0x84, 0xa7, 0x18, 0x37, 0xc9, 0x9f, 0xcb, 0x80, 0x46, 0xea, 0x22, 0xe6, 0x8f, 0x89, 0xd8, 0x10, 0x5f, 0x8d, 0x3a, 0x26, 0xa2, 0x78, 0x67, 0xd9, 0xdc, 0x13, 0x95, 0xd5, 0x13, 0x90, 0xc8, 0x26, 0xfe, 0xf4, 0xf1, 0xab, 0x91, 0x97, 0x9a, 0x2f, 0xd3, 0xd8, 0xcb, 0xdd, 0x27, 0x79, 0xfe, 0xd9, 0xd6, 0x85, 0xca, 0x73, 0x6f, 0x53, 0xad, 0xa1, 0xae, 0x6f, 0x65, 0x4d, 0x0b, 0xd8, 0x18, 0xf7, 0x0d, 0x1f, 0x97, 0x9f, 0x96, 0x37, 0x19, 0xdd, 0x38, 0x99, 0xa6, 0x58, 0xdd, 0xd9, 0x68, 0xbf, 0xc4, 0xe7, 0x77, 0xb8, 0x47, 0x47, 0xae, 0xd8, 0x58, 0x96, 0x70, 0xe8, 0xcb, 0xec, 0x73, 0xf7, 0xfe, 0xec, 0x57, 0xff, 0xe3, 0x91, 0x6b, 0xbf, 0xf9, 0xaf, 0xb6, 0x6b, 0x17, 0xfd, 0x3f, 0x02, 0xa8, 0xbd, 0xca, 0x59, 0xea, 0x16, 0x69, 0x2e, 0x68, 0x45, 0x28, 0x6c, 0x8a, 0x2b, 0x7f, 0xe1, 0x35, 0xf5, 0x1c, 0xef, 0x1d, 0x0d, 0xf0, 0x17, 0x02, 0xbc, 0x16, 0xac, 0xc6, 0x87, 0x7b, 0x29, 0xb6, 0x32, 0xd3, 0xc7, 0xec, 0x6b, 0xd5, 0xb6, 0xb7, 0x4a, 0x7b, 0x0f, 0xaa, 0xb1, 0x2f, 0x3f, 0xf1, 0x2b, 0x48, 0xf9, 0x5b, 0xd7, 0xf6, 0x53, 0xe5, 0xea, 0xc3, 0x94, 0x5e, 0xed, 0x23, 0xe7, 0x33, 0xdd, 0x92, 0x20, 0x1f, 0xf3, 0xa8, 0xfe, 0x2d, 0xf4, 0x99, 0x6e, 0xe3, 0x20, 0x1e, 0xd2, 0x60, 0x59, 0xaf, 0xd2, 0x17, 0xeb, 0x97, 0xf4, 0x54, 0x57, 0xc0, 0x6a, 0xbd, 0x56, 0xf4, 0x57, 0xc0, 0xe1, 0xaf, 0xfa, 0x3f, 0x1b, 0xf9, 0x5f, 0xa8, 0xe7, 0x2a, 0x0d, 0x7d, 0x64, 0x00, 0x00},
		{0x4a, 0x1d, 0x70, 0xcf, 0xa6, 0xe5, 0xb8, 0xe8, 0x56, 0x32, 0x0b, 0xde, 0x08, 0x00, 0x45, 0x00, 0x00, 0x34, 0x35, 0xdd, 0x40, 0x00, 0x40, 0x06, 0x67, 0xbe, 0x0a, 0x01, 0x0a, 0x4c, 0xa4, 0x43, 0xe4, 0x98, 0xe1, 0xa1, 0x00, 0x50, 0x4d, 0xa6, 0xae, 0x36, 0xfe, 0xab, 0x0a, 0xc5, 0x80, 0x10, 0x0f, 0xd5, 0x75, 0xa7, 0x00, 0x00, 0x01, 0x01, 0x08, 0x0a, 0x1b, 0x4f, 0x37, 0xbc, 0xb3, 0xa1, 0x66, 0x2b},
		{0x4a, 0x1d, 0x70, 0xcf, 0xa6, 0xe5, 0xb8, 0xe8, 0x56, 0x32, 0x0b, 0xde, 0x08, 0x00, 0x45, 0x00, 0x00, 0x34, 0xea, 0x8c, 0x40, 0x00, 0x40, 0x06, 0xb3, 0x0e, 0x0a, 0x01, 0x0a, 0x4c, 0xa4, 0x43, 0xe4, 0x98, 0xe1, 0xa1, 0x00, 0x50, 0x4d, 0xa6, 0xae, 0x36, 0xfe, 0xab, 0x0c, 0x48, 0x80, 0x10, 0x0f, 0xf3, 0x74, 0x06, 0x00, 0x00, 0x01, 0x01, 0x08, 0x0a, 0x1b, 0x4f, 0x37, 0xbc, 0xb3, 0xa1, 0x66, 0x2b},
		{0xb8, 0xe8, 0x56, 0x32, 0x0b, 0xde, 0x4a, 0x1d, 0x70, 0xcf, 0xa6, 0xe5, 0x08, 0x00, 0x45, 0x20, 0x00, 0x34, 0x38, 0x2d, 0x40, 0x00, 0xef, 0x06, 0xb6, 0x4d, 0xa4, 0x43, 0xe4, 0x98, 0x0a, 0x01, 0x0a, 0x4c, 0x00, 0x50, 0xe1, 0xa1, 0xfe, 0xab, 0x0c, 0x48, 0x4d, 0xa6, 0xae, 0x36, 0x80, 0x18, 0x1f, 0x68, 0x64, 0x9b, 0x00, 0x00, 0x01, 0x01, 0x08, 0x0a, 0xb3, 0xa1, 0x66, 0x2b, 0x1b, 0x4f, 0x37, 0xaa},
		{0xb8, 0xe8, 0x56, 0x32, 0x0b, 0xde, 0x4a, 0x1d, 0x70, 0xcf, 0xa6, 0xe5, 0x08, 0x00, 0x45, 0x20, 0x00, 0x34, 0x18, 0x50, 0x40, 0x00, 0xef, 0x06, 0xd6, 0x2a, 0xa4, 0x43, 0xe4, 0x98, 0x0a, 0x01, 0x0a, 0x4c, 0x00, 0x50, 0xe1, 0xa1, 0xfe, 0xab, 0x0c, 0x48, 0x4d, 0xa6, 0xae, 0x36, 0x80, 0x18, 0x1f, 0x68, 0x64, 0x9b, 0x00, 0x00, 0x01, 0x01, 0x08, 0x0a, 0xb3, 0xa1, 0x66, 0x2b, 0x1b, 0x4f, 0x37, 0xaa},
		{0xb8, 0xe8, 0x56, 0x32, 0x0b, 0xde, 0x4a, 0x1d, 0x70, 0xcf, 0xa6, 0xe5, 0x08, 0x00, 0x45, 0x20, 0x00, 0x28, 0x1b, 0xf7, 0x40, 0x00, 0x30, 0x06, 0x91, 0x90, 0xa4, 0x43, 0xe4, 0x98, 0x0a, 0x01, 0x0a, 0x4c, 0x00, 0x50, 0xe1, 0xa1, 0xfe, 0xab, 0x0c, 0x48, 0x4d, 0xa6, 0xae, 0x36, 0x50, 0x11, 0x00, 0x7a, 0x29, 0x6e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
		{0x4a, 0x1d, 0x70, 0xcf, 0xa6, 0xe5, 0xb8, 0xe8, 0x56, 0x32, 0x0b, 0xde, 0x08, 0x00, 0x45, 0x00, 0x00, 0x34, 0xfd, 0x9b, 0x40, 0x00, 0x40, 0x06, 0x9f, 0xff, 0x0a, 0x01, 0x0a, 0x4c, 0xa4, 0x43, 0xe4, 0x98, 0xe1, 0xa1, 0x00, 0x50, 0x4d, 0xa6, 0xae, 0x36, 0xfe, 0xab, 0x0c, 0x49, 0x80, 0x10, 0x10, 0x00, 0x60, 0x9c, 0x00, 0x00, 0x01, 0x01, 0x08, 0x0a, 0x1b, 0x4f, 0x4b, 0x18, 0xb3, 0xa1, 0x66, 0x2b},
		{0x4a, 0x1d, 0x70, 0xcf, 0xa6, 0xe5, 0xb8, 0xe8, 0x56, 0x32, 0x0b, 0xde, 0x08, 0x00, 0x45, 0x00, 0x00, 0x28, 0xab, 0x91, 0x00, 0x00, 0x40, 0x06, 0x32, 0x16, 0x0a, 0x01, 0x0a, 0x4c, 0xa4, 0x43, 0xe4, 0x98, 0xe1, 0xa1, 0x00, 0x50, 0x4d, 0xa6, 0xae, 0x35, 0xfe, 0xab, 0x0c, 0x49, 0x50, 0x10, 0x10, 0x00, 0x19, 0xe9, 0x00, 0x00},
		{0x4a, 0x1d, 0x70, 0xcf, 0xa6, 0xe5, 0xb8, 0xe8, 0x56, 0x32, 0x0b, 0xde, 0x08, 0x00, 0x45, 0x00, 0x00, 0x34, 0xaf, 0x96, 0x40, 0x00, 0x40, 0x06, 0xee, 0x04, 0x0a, 0x01, 0x0a, 0x4c, 0xa4, 0x43, 0xe4, 0x98, 0xe1, 0xa1, 0x00, 0x50, 0x4d, 0xa6, 0xae, 0x36, 0xfe, 0xab, 0x0c, 0x49, 0x80, 0x11, 0x10, 0x00, 0x9a, 0xcb, 0x00, 0x00, 0x01, 0x01, 0x08, 0x0a, 0x1b, 0x51, 0x10, 0xe6, 0xb3, 0xa1, 0x66, 0x2b},
		{0xb8, 0xe8, 0x56, 0x32, 0x0b, 0xde, 0x4a, 0x1d, 0x70, 0xcf, 0xa6, 0xe5, 0x08, 0x00, 0x45, 0x20, 0x00, 0x28, 0x00, 0x00, 0x40, 0x00, 0x30, 0x06, 0xad, 0x87, 0xa4, 0x43, 0xe4, 0x98, 0x0a, 0x01, 0x0a, 0x4c, 0x00, 0x50, 0xe1, 0xa1, 0xfe, 0xab, 0x0c, 0x49, 0x13, 0x1c, 0x26, 0x5c, 0x50, 0x04, 0x00, 0x00, 0xec, 0x58, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
	}
	PacketFlowTemplate2 = [][]byte{
		{0x00, 0x26, 0x62, 0x2f, 0x47, 0x87, 0x00, 0x1d, 0x60, 0xb3, 0x01, 0x84, 0x08, 0x00, 0x45, 0x00,
			0x00, 0x3c, 0x47, 0x65, 0x40, 0x00, 0x40, 0x06, 0xad, 0x64, 0xc0, 0xa8, 0x01, 0x02, 0xae, 0x8f,
			0xd5, 0xb8, 0xd6, 0x39, 0x00, 0x50, 0xf6, 0x1c, 0x6c, 0xbe, 0x00, 0x00, 0x00, 0x00, 0xa0, 0x02,
			0x16, 0xd0, 0x85, 0xf0, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4, 0x04, 0x02, 0x08, 0x0a, 0x00, 0x0d,
			0x2b, 0xdb, 0x00, 0x00, 0x00, 0x00, 0x01, 0x03, 0x03, 0x07},
		{0x00, 0x1d, 0x60, 0xb3, 0x01, 0x84, 0x00, 0x26, 0x62, 0x2f, 0x47, 0x87, 0x08, 0x00, 0x45, 0x00,
			0x00, 0x3c, 0x00, 0x00, 0x40, 0x00, 0x34, 0x06, 0x00, 0xca, 0xae, 0x8f, 0xd5, 0xb8, 0xc0, 0xa8,
			0x01, 0x02, 0x00, 0x50, 0xd6, 0x39, 0xfa, 0x58, 0x9c, 0x88, 0xf6, 0x1c, 0x6c, 0xbf, 0xa0, 0x12,
			0x16, 0xa0, 0x4f, 0xf1, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4, 0x04, 0x02, 0x08, 0x0a, 0x12, 0xcc,
			0x8c, 0x71, 0x00, 0x0d, 0x2b, 0xdb, 0x01, 0x03, 0x03, 0x06},
		{0x00, 0x26, 0x62, 0x2f, 0x47, 0x87, 0x00, 0x1d, 0x60, 0xb3, 0x01, 0x84, 0x08, 0x00, 0x45, 0x00,
			0x00, 0x34, 0x47, 0x66, 0x40, 0x00, 0x40, 0x06, 0xad, 0x6b, 0xc0, 0xa8, 0x01, 0x02, 0xae, 0x8f,
			0xd5, 0xb8, 0xd6, 0x39, 0x00, 0x50, 0xf6, 0x1c, 0x6c, 0xbf, 0xfa, 0x58, 0x9c, 0x89, 0x80, 0x10,
			0x00, 0x2e, 0x95, 0x29, 0x00, 0x00, 0x01, 0x01, 0x08, 0x0a, 0x00, 0x0d, 0x2b, 0xe0, 0x12, 0xcc,
			0x8c, 0x71},
		{0x00, 0x1d, 0x60, 0xb3, 0x01, 0x84, 0x00, 0x26, 0x62, 0x2f, 0x47, 0x87, 0x08, 0x00, 0x45, 0x00,
			0x00, 0x34, 0x10, 0xf4, 0x40, 0x00, 0x34, 0x06, 0xef, 0xdd, 0xae, 0x8f, 0xd5, 0xb8, 0xc0, 0xa8,
			0x01, 0x02, 0x00, 0x50, 0xd6, 0x39, 0xfa, 0x58, 0x9c, 0x89, 0xf6, 0x1c, 0x6f, 0x94, 0x80, 0x10,
			0x00, 0x72, 0x92, 0x04, 0x00, 0x00, 0x01, 0x01, 0x08, 0x0a, 0x12, 0xcc, 0x8c, 0x7d, 0x00, 0x0d,
			0x2b, 0xe0},
		{0x00, 0x26, 0x62, 0x2f, 0x47, 0x87, 0x00, 0x1d, 0x60, 0xb3, 0x01, 0x84, 0x08, 0x00, 0x45, 0x00,
			0x00, 0x34, 0x47, 0x68, 0x40, 0x00, 0x40, 0x06, 0xad, 0x69, 0xc0, 0xa8, 0x01, 0x02, 0xae, 0x8f,
			0xd5, 0xb8, 0xd6, 0x39, 0x00, 0x50, 0xf6, 0x1c, 0x6f, 0x94, 0xfa, 0x58, 0xa2, 0x31, 0x80, 0x10,
			0x00, 0x45, 0x8c, 0x84, 0x00, 0x00, 0x01, 0x01, 0x08, 0x0a, 0x00, 0x0d, 0x2b, 0xe5, 0x12, 0xcc,
			0x8c, 0x7d},
		{0x00, 0x26, 0x62, 0x2f, 0x47, 0x87, 0x00, 0x1d, 0x60, 0xb3, 0x01, 0x84, 0x08, 0x00, 0x45, 0x00,
			0x00, 0x34, 0x47, 0x78, 0x40, 0x00, 0x40, 0x06, 0xad, 0x59, 0xc0, 0xa8, 0x01, 0x02, 0xae, 0x8f,
			0xd5, 0xb8, 0xd6, 0x39, 0x00, 0x50, 0xf6, 0x1c, 0x6f, 0x94, 0xfa, 0x58, 0xf6, 0x2f, 0x80, 0x11,
			0x01, 0x98, 0x34, 0xfd, 0x00, 0x00, 0x01, 0x01, 0x08, 0x0a, 0x00, 0x0d, 0x2e, 0x00, 0x12, 0xcc,
			0x8c, 0x97},
	}
	PacketFlowTemplate3 = [][]byte{{0x4a, 0x1d, 0x70, 0xcf, 0xa6, 0xe5, 0xb8, 0xe8, 0x56, 0x32, 0x0b, 0xde, 0x08, 0x00, 0x45, 0x00, 0x00, 0x40, 0xf4, 0x1f, 0x40, 0x00, 0x40, 0x06, 0xa9, 0x6f, 0x0a, 0x01, 0x0a, 0x4c, 0xa4, 0x43, 0xe4, 0x98, 0xe1, 0xa1, 0x00, 0x50, 0x4d, 0xa6, 0xac, 0x48, 0x00, 0x00, 0x00, 0x00, 0xb0, 0x02, 0xff, 0xff, 0x6b, 0x6c, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4, 0x01, 0x03, 0x03, 0x05, 0x01, 0x01, 0x08, 0x0a, 0x1b, 0x4f, 0x37, 0x38, 0x00, 0x00, 0x00, 0x00, 0x04, 0x02, 0x00, 0x00},
		{0xb8, 0xe8, 0x56, 0x32, 0x0b, 0xde, 0x4a, 0x1d, 0x70, 0xcf, 0xa6, 0xe5, 0x08, 0x00, 0x45, 0x20, 0x00, 0x3c, 0xf4, 0x1f, 0x40, 0x00, 0x70, 0x06, 0x79, 0x53, 0xa4, 0x43, 0xe4, 0x98, 0x0a, 0x01, 0x0a, 0x4c, 0x00, 0x50, 0xe1, 0xa1, 0xfe, 0xaa, 0xf0, 0x0c, 0x4d, 0xa6, 0xac, 0x49, 0xa0, 0x12, 0x38, 0x90, 0x3b, 0xba, 0x00, 0x00, 0x02, 0x04, 0x05, 0x64, 0x01, 0x03, 0x03, 0x00, 0x04, 0x02, 0x08, 0x0a, 0xb3, 0xa1, 0x66, 0x11, 0x1b, 0x4f, 0x37, 0x38},
		{0x00, 0x26, 0x62, 0x2f, 0x47, 0x87, 0x00, 0x1d, 0x60, 0xb3, 0x01, 0x84, 0x08, 0x00, 0x45, 0x00,
			0x00, 0x3c, 0x47, 0x65, 0x40, 0x00, 0x40, 0x06, 0xad, 0x64, 0xc0, 0xa8, 0x01, 0x02, 0xae, 0x8f,
			0xd5, 0xb8, 0xd6, 0x39, 0x00, 0x50, 0xf6, 0x1c, 0x6c, 0xbe, 0x00, 0x00, 0x00, 0x00, 0xa0, 0x02,
			0x16, 0xd0, 0x85, 0xf0, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4, 0x04, 0x02, 0x08, 0x0a, 0x00, 0x0d,
			0x2b, 0xdb, 0x00, 0x00, 0x00, 0x00, 0x01, 0x03, 0x03, 0x07},
		{0x4a, 0x1d, 0x70, 0xcf, 0xa6, 0xe5, 0xb8, 0xe8, 0x56, 0x32, 0x0b, 0xde, 0x08, 0x00, 0x45, 0x00, 0x00, 0x34, 0x7a, 0x12, 0x40, 0x00, 0x40, 0x06, 0x23, 0x89, 0x0a, 0x01, 0x0a, 0x4c, 0xa4, 0x43, 0xe4, 0x98, 0xe1, 0xa1, 0x00, 0x50, 0x4d, 0xa6, 0xac, 0x49, 0xfe, 0xaa, 0xf0, 0x0d, 0x80, 0x10, 0x10, 0x08, 0x92, 0x82, 0x00, 0x00, 0x01, 0x01, 0x08, 0x0a, 0x1b, 0x4f, 0x37, 0x6d, 0xb3, 0xa1, 0x66, 0x11},
		{0x00, 0x1d, 0x60, 0xb3, 0x01, 0x84, 0x00, 0x26, 0x62, 0x2f, 0x47, 0x87, 0x08, 0x00, 0x45, 0x00,
			0x00, 0x3c, 0x00, 0x00, 0x40, 0x00, 0x34, 0x06, 0x00, 0xca, 0xae, 0x8f, 0xd5, 0xb8, 0xc0, 0xa8,
			0x01, 0x02, 0x00, 0x50, 0xd6, 0x39, 0xfa, 0x58, 0x9c, 0x88, 0xf6, 0x1c, 0x6c, 0xbf, 0xa0, 0x12,
			0x16, 0xa0, 0x4f, 0xf1, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4, 0x04, 0x02, 0x08, 0x0a, 0x12, 0xcc,
			0x8c, 0x71, 0x00, 0x0d, 0x2b, 0xdb, 0x01, 0x03, 0x03, 0x06},
		{0x4a, 0x1d, 0x70, 0xcf, 0xa6, 0xe5, 0xb8, 0xe8, 0x56, 0x32, 0x0b, 0xde, 0x08, 0x00, 0x45, 0x00, 0x02, 0x21, 0xeb, 0x50, 0x40, 0x00, 0x40, 0x06, 0xb0, 0x5d, 0x0a, 0x01, 0x0a, 0x4c, 0xa4, 0x43, 0xe4, 0x98, 0xe1, 0xa1, 0x00, 0x50, 0x4d, 0xa6, 0xac, 0x49, 0xfe, 0xaa, 0xf0, 0x0d, 0x80, 0x18, 0x10, 0x08, 0xe1, 0xdc, 0x00, 0x00, 0x01, 0x01, 0x08, 0x0a, 0x1b, 0x4f, 0x37, 0x6d, 0xb3, 0xa1, 0x66, 0x11, 0x47, 0x45, 0x54, 0x20, 0x2f, 0x20, 0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31, 0x0d, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x3a, 0x20, 0x31, 0x36, 0x34, 0x2e, 0x36, 0x37, 0x2e, 0x32, 0x32, 0x38, 0x2e, 0x31, 0x35, 0x32, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x6b, 0x65, 0x65, 0x70, 0x2d, 0x61, 0x6c, 0x69, 0x76, 0x65, 0x0d, 0x0a, 0x55, 0x70, 0x67, 0x72, 0x61, 0x64, 0x65, 0x2d, 0x49, 0x6e, 0x73, 0x65, 0x63, 0x75, 0x72, 0x65, 0x2d, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x73, 0x3a, 0x20, 0x31, 0x0d, 0x0a, 0x55, 0x73, 0x65, 0x72, 0x2d, 0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x4d, 0x6f, 0x7a, 0x69, 0x6c, 0x6c, 0x61, 0x2f, 0x35, 0x2e, 0x30, 0x20, 0x28, 0x4d, 0x61, 0x63, 0x69, 0x6e, 0x74, 0x6f, 0x73, 0x68, 0x3b, 0x20, 0x49, 0x6e, 0x74, 0x65, 0x6c, 0x20, 0x4d, 0x61, 0x63, 0x20, 0x4f, 0x53, 0x20, 0x58, 0x20, 0x31, 0x30, 0x5f, 0x31, 0x31, 0x5f, 0x36, 0x29, 0x20, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x57, 0x65, 0x62, 0x4b, 0x69, 0x74, 0x2f, 0x35, 0x33, 0x37, 0x2e, 0x33, 0x36, 0x20, 0x28, 0x4b, 0x48, 0x54, 0x4d, 0x4c, 0x2c, 0x20, 0x6c, 0x69, 0x6b, 0x65, 0x20, 0x47, 0x65, 0x63, 0x6b, 0x6f, 0x29, 0x20, 0x43, 0x68, 0x72, 0x6f, 0x6d, 0x65, 0x2f, 0x35, 0x33, 0x2e, 0x30, 0x2e, 0x32, 0x37, 0x38, 0x35, 0x2e, 0x31, 0x34, 0x33, 0x20, 0x53, 0x61, 0x66, 0x61, 0x72, 0x69, 0x2f, 0x35, 0x33, 0x37, 0x2e, 0x33, 0x36, 0x0d, 0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x2c, 0x61, 0x70, 0x70, 0x6c, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2f, 0x78, 0x68, 0x74, 0x6d, 0x6c, 0x2b, 0x78, 0x6d, 0x6c, 0x2c, 0x61, 0x70, 0x70, 0x6c, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2f, 0x78, 0x6d, 0x6c, 0x3b, 0x71, 0x3d, 0x30, 0x2e, 0x39, 0x2c, 0x69, 0x6d, 0x61, 0x67, 0x65, 0x2f, 0x77, 0x65, 0x62, 0x70, 0x2c, 0x2a, 0x2f, 0x2a, 0x3b, 0x71, 0x3d, 0x30, 0x2e, 0x38, 0x0d, 0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d, 0x45, 0x6e, 0x63, 0x6f, 0x64, 0x69, 0x6e, 0x67, 0x3a, 0x20, 0x67, 0x7a, 0x69, 0x70, 0x2c, 0x20, 0x64, 0x65, 0x66, 0x6c, 0x61, 0x74, 0x65, 0x2c, 0x20, 0x73, 0x64, 0x63, 0x68, 0x0d, 0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d, 0x4c, 0x61, 0x6e, 0x67, 0x75, 0x61, 0x67, 0x65, 0x3a, 0x20, 0x65, 0x6e, 0x2d, 0x55, 0x53, 0x2c, 0x65, 0x6e, 0x3b, 0x71, 0x3d, 0x30, 0x2e, 0x38, 0x0d, 0x0a, 0x43, 0x6f, 0x6f, 0x6b, 0x69, 0x65, 0x3a, 0x20, 0x50, 0x48, 0x50, 0x53, 0x45, 0x53, 0x53, 0x49, 0x44, 0x3d, 0x64, 0x38, 0x69, 0x61, 0x63, 0x62, 0x69, 0x65, 0x34, 0x38, 0x63, 0x74, 0x73, 0x32, 0x76, 0x70, 0x30, 0x36, 0x39, 0x64, 0x61, 0x62, 0x63, 0x74, 0x6d, 0x34, 0x3b, 0x20, 0x5f, 0x67, 0x61, 0x74, 0x3d, 0x31, 0x3b, 0x20, 0x5f, 0x67, 0x61, 0x74, 0x5f, 0x67, 0x6c, 0x6f, 0x62, 0x61, 0x6c, 0x54, 0x72, 0x61, 0x63, 0x6b, 0x65, 0x72, 0x3d, 0x31, 0x3b, 0x20, 0x5f, 0x67, 0x61, 0x3d, 0x47, 0x41, 0x31, 0x2e, 0x31, 0x2e, 0x31, 0x35, 0x35, 0x38, 0x30, 0x37, 0x37, 0x34, 0x31, 0x36, 0x2e, 0x31, 0x34, 0x37, 0x36, 0x33, 0x38, 0x34, 0x34, 0x30, 0x35, 0x0d, 0x0a, 0x0d, 0x0a},
		{0x00, 0x26, 0x62, 0x2f, 0x47, 0x87, 0x00, 0x1d, 0x60, 0xb3, 0x01, 0x84, 0x08, 0x00, 0x45, 0x00,
			0x00, 0x34, 0x47, 0x66, 0x40, 0x00, 0x40, 0x06, 0xad, 0x6b, 0xc0, 0xa8, 0x01, 0x02, 0xae, 0x8f,
			0xd5, 0xb8, 0xd6, 0x39, 0x00, 0x50, 0xf6, 0x1c, 0x6c, 0xbf, 0xfa, 0x58, 0x9c, 0x89, 0x80, 0x10,
			0x00, 0x2e, 0x95, 0x29, 0x00, 0x00, 0x01, 0x01, 0x08, 0x0a, 0x00, 0x0d, 0x2b, 0xe0, 0x12, 0xcc,
			0x8c, 0x71},
		{0xb8, 0xe8, 0x56, 0x32, 0x0b, 0xde, 0x4a, 0x1d, 0x70, 0xcf, 0xa6, 0xe5, 0x08, 0x00, 0x45, 0x20, 0x00, 0x34, 0x3c, 0x55, 0x00, 0x00, 0xef, 0x06, 0xf2, 0x25, 0xa4, 0x43, 0xe4, 0x98, 0x0a, 0x01, 0x0a, 0x4c, 0x00, 0x50, 0xe1, 0xa1, 0xfe, 0xaa, 0xf0, 0x0d, 0x4d, 0xa6, 0xae, 0x36, 0x80, 0x10, 0x1f, 0x68, 0x81, 0x26, 0x00, 0x00, 0x01, 0x01, 0x08, 0x0a, 0xb3, 0xa1, 0x66, 0x20, 0x1b, 0x4f, 0x37, 0x6d},
		{0xb8, 0xe8, 0x56, 0x32, 0x0b, 0xde, 0x4a, 0x1d, 0x70, 0xcf, 0xa6, 0xe5, 0x08, 0x00, 0x45, 0x20, 0x05, 0x8c, 0x3c, 0x56, 0x00, 0x00, 0xef, 0x06, 0xec, 0xcc, 0xa4, 0x43, 0xe4, 0x98, 0x0a, 0x01, 0x0a, 0x4c, 0x00, 0x50, 0xe1, 0xa1, 0xfe, 0xaa, 0xf0, 0x0d, 0x4d, 0xa6, 0xae, 0x36, 0x80, 0x18, 0x1f, 0x68, 0x34, 0xda, 0x00, 0x00, 0x01, 0x01, 0x08, 0x0a, 0xb3, 0xa1, 0x66, 0x25, 0x1b, 0x4f, 0x37, 0x6d, 0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31, 0x20, 0x32, 0x30, 0x30, 0x20, 0x4f, 0x4b, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x54, 0x79, 0x70, 0x65, 0x3a, 0x20, 0x74, 0x65, 0x78, 0x74, 0x2f, 0x68, 0x74, 0x6d, 0x6c, 0x3b, 0x20, 0x63, 0x68, 0x61, 0x72, 0x73, 0x65, 0x74, 0x3d, 0x55, 0x54, 0x46, 0x2d, 0x38, 0x0d, 0x0a, 0x56, 0x61, 0x72, 0x79, 0x3a, 0x20, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d, 0x45, 0x6e, 0x63, 0x6f, 0x64, 0x69, 0x6e, 0x67, 0x0d, 0x0a, 0x45, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x3a, 0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x31, 0x39, 0x20, 0x4e, 0x6f, 0x76, 0x20, 0x31, 0x39, 0x38, 0x31, 0x20, 0x30, 0x38, 0x3a, 0x35, 0x32, 0x3a, 0x30, 0x30, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x43, 0x61, 0x63, 0x68, 0x65, 0x2d, 0x43, 0x6f, 0x6e, 0x74, 0x72, 0x6f, 0x6c, 0x3a, 0x20, 0x6e, 0x6f, 0x2d, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2c, 0x20, 0x6e, 0x6f, 0x2d, 0x63, 0x61, 0x63, 0x68, 0x65, 0x2c, 0x20, 0x6d, 0x75, 0x73, 0x74, 0x2d, 0x72, 0x65, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x65, 0x2c, 0x20, 0x70, 0x6f, 0x73, 0x74, 0x2d, 0x63, 0x68, 0x65, 0x63, 0x6b, 0x3d, 0x30, 0x2c, 0x20, 0x70, 0x72, 0x65, 0x2d, 0x63, 0x68, 0x65, 0x63, 0x6b, 0x3d, 0x30, 0x2c, 0x20, 0x6d, 0x61, 0x78, 0x2d, 0x61, 0x67, 0x65, 0x3d, 0x38, 0x36, 0x34, 0x30, 0x30, 0x2c, 0x20, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x2c, 0x20, 0x6d, 0x75, 0x73, 0x74, 0x2d, 0x72, 0x65, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x65, 0x2c, 0x20, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x2d, 0x72, 0x65, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x65, 0x0d, 0x0a, 0x50, 0x72, 0x61, 0x67, 0x6d, 0x61, 0x3a, 0x20, 0x6e, 0x6f, 0x2d, 0x63, 0x61, 0x63, 0x68, 0x65, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x45, 0x6e, 0x63, 0x6f, 0x64, 0x69, 0x6e, 0x67, 0x3a, 0x20, 0x67, 0x7a, 0x69, 0x70, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x2d, 0x4c, 0x65, 0x6e, 0x67, 0x74, 0x68, 0x3a, 0x20, 0x36, 0x37, 0x39, 0x38, 0x0d, 0x0a, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x2d, 0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x3a, 0x20, 0x62, 0x79, 0x74, 0x65, 0x73, 0x0d, 0x0a, 0x44, 0x61, 0x74, 0x65, 0x3a, 0x20, 0x54, 0x68, 0x75, 0x2c, 0x20, 0x31, 0x33, 0x20, 0x4f, 0x63, 0x74, 0x20, 0x32, 0x30, 0x31, 0x36, 0x20, 0x31, 0x38, 0x3a, 0x34, 0x38, 0x3a, 0x31, 0x30, 0x20, 0x47, 0x4d, 0x54, 0x0d, 0x0a, 0x41, 0x67, 0x65, 0x3a, 0x20, 0x30, 0x0d, 0x0a, 0x43, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x20, 0x6b, 0x65, 0x65, 0x70, 0x2d, 0x61, 0x6c, 0x69, 0x76, 0x65, 0x0d, 0x0a, 0x58, 0x2d, 0x43, 0x61, 0x63, 0x68, 0x65, 0x3a, 0x20, 0x4d, 0x49, 0x53, 0x53, 0x0d, 0x0a, 0x0d, 0x0a, 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0xd5, 0x3d, 0xdb, 0x72, 0x1b, 0xbb, 0x91, 0xcf, 0x56, 0x55, 0xfe, 0x01, 0x61, 0xb2, 0x76, 0xb2, 0xd2, 0x90, 0xba, 0xda, 0x92, 0x2d, 0xf1, 0x14, 0x45, 0xd1, 0x96, 0x4e, 0x74, 0x3b, 0x22, 0x65, 0xc7, 0x49, 0xa5, 0x5c, 0xe0, 0x0c, 0xc8, 0x81, 0x35, 0xb7, 0x33, 0x98, 0x11, 0x45, 0x3f, 0xed, 0x6f, 0xec, 0xef, 0xed, 0x97, 0x6c, 0x37, 0x6e, 0x73, 0x21, 0x29, 0x4a, 0x96, 0x62, 0xef, 0xba, 0x2a, 0x47, 0x43, 0x0c, 0xd0, 0x68, 0xf4, 0xbd, 0x81, 0xc6, 0x64, 0xff, 0x8f, 0x5e, 0xec, 0x66, 0xd3, 0x84, 0x11, 0x3f, 0x0b, 0x83, 0xf6, 0xca, 0xfe, 0x1f, 0x1d, 0xe7, 0x9f, 0x7c, 0x44, 0x4e, 0x7a, 0xe4, 0xcd, 0xbf, 0xda, 0x64, 0x1f, 0x5b, 0x89, 0x1b, 0x50, 0x21, 0x0e, 0x1a, 0x41, 0xe6, 0x70, 0xb6, 0x47, 0xe4, 0x9f, 0xdd, 0x06, 0x09, 0x68, 0x34, 0x3e, 0x68, 0xb0, 0xa8, 0x01, 0xdd, 0xfe, 0xf8, 0x4f, 0x16, 0x79, 0x7c, 0xf4, 0x2f, 0xc7, 0xa9, 0x80, 0xd8, 0x9d, 0x0f, 0x62, 0xf9, 0xd8, 0x71, 0xa6, 0x87, 0x63, 0x43, 0x0d, 0x46, 0x14, 0x3b, 0x5f, 0x05, 0xf1, 0x98, 0xb8, 0xc9, 0xe2, 0xa4, 0x0a, 0xc9, 0x71, 0x2a, 0xd0, 0x56, 0xf6, 0x7d, 0x46, 0xbd, 0x52, 0x97, 0x95, 0x17, 0xfb, 0x21, 0xcb, 0x28, 0x71, 0x7d, 0x9a, 0x0a, 0x96, 0x1d, 0x34, 0xf2, 0x6c, 0xe4, 0xec, 0x16, 0xed, 0x7e, 0x96, 0x25, 0x0e, 0xfb, 0x3d, 0xe7, 0xb7, 0x07, 0x8d, 0xbf, 0x3b, 0xd7, 0x1d, 0xa7, 0x1b, 0x87, 0x09, 0xcd, 0xf8, 0x30, 0x60, 0x0d, 0xe2, 0xc6, 0x51, 0xc6, 0x22, 0x18, 0x74, 0xd2, 0x3b, 0x60, 0xde, 0x98, 0xad, 0xb9, 0x7e, 0x1a, 0x87, 0xec, 0x60, 0xa3, 0x18, 0x1f, 0x51, 0xf8, 0xdd, 0xb8, 0xe5, 0x6c, 0x92, 0xc4, 0x69, 0x56, 0x1a, 0x32, 0xe1, 0x5e, 0xe6, 0x1f, 0x78, 0xec, 0x96, 0xbb, 0xcc, 0x91, 0x3f, 0xd6, 0x48, 0x2e, 0x58, 0xea, 0x08, 0x97, 0x06, 0x14, 0xc0, 0x1f, 0x4c, 0x99, 0x58, 0x23, 0x3c, 0xe2, 0x19, 0xa7, 0x81, 0x6c, 0x05, 0xc0, 0xcd, 0xf5, 0x35, 0x12, 0x42, 0x5b, 0x98, 0x87, 0x95, 0x26, 0x7a, 0x57, 0x6a, 0xda, 0x6c, 0xae, 0x03, 0x02, 0x80, 0x41, 0xc6, 0xb3, 0x80, 0xb5, 0xaf, 0xbb, 0xa7, 0x9d, 0xfd, 0x96, 0x7a, 0xae, 0xa2, 0x05, 0x14, 0x73, 0x53, 0x9e, 0x64, 0x3c, 0x8e, 0x4a, 0x98, 0x61, 0x7f, 0x42, 0xbd, 0x5b, 0x1a, 0xb9, 0x4c, 0x90, 0x9b, 0x28, 0x9e, 0x04, 0x72, 0x71, 0xd0, 0xe6, 0xa5, 0x4c, 0x08, 0x68, 0x4c, 0xf0, 0x2f, 0x8f, 0xc6, 0x44, 0xc4, 0x2e, 0x07, 0x78, 0x01, 0x89, 0x18, 0xf3, 0x04, 0xa1, 0x91, 0x47, 0xdc, 0x94, 0xd1, 0x0c, 0xfa, 0x50, 0x92, 0x47, 0xfc, 0x96, 0xa5, 0x82, 0x67, 0x53, 0xc2, 0xa2, 0x94, 0xbb, 0x3e, 0xf3, 0xc8, 0x70, 0x4a, 0x3c, 0xd9, 0xca, 0x48, 0x02, 0xff, 0x4d, 0x98, 0x9b, 0xc1, 0x4f, 0x41, 0x26, 0x3e, 0x4b, 0x19, 0xa1, 0x41, 0x00, 0x2b, 0x86, 0x0e, 0xdc, 0xcb, 0x69, 0x20, 0x88, 0x4b, 0x23, 0x32, 0x0a, 0xe2, 0x3c, 0xe5, 0xc2, 0x6f, 0xd6, 0x89, 0x7a, 0xc3, 0xa6, 0x93, 0x38, 0xf5, 0x44, 0x0d, 0xf5, 0x35, 0x72, 0x5d, 0xcc, 0x1b, 0x8f, 0x48, 0x97, 0x06, 0x7c, 0x14, 0xa7, 0x11, 0xa7, 0xe4, 0x34, 0x16, 0xa4, 0x13, 0x8d, 0x59, 0x80, 0x94, 0x3d, 0x4c, 0x73, 0x1e, 0xc1, 0x5f, 0x64, 0x6e, 0x36, 0x5d, 0xd3, 0x68, 0xc9, 0x47, 0x1e, 0xb9, 0x41, 0x2e, 0x80, 0x2a, 0xb0, 0xe6, 0x34, 0x13, 0xf2, 0xbf, 0x6b, 0x30, 0x4b, 0x10, 0x30, 0xa4, 0x03, 0x0c, 0x03, 0x6a, 0xe6, 0x99, 0xee, 0xe0, 0xfa, 0x3c, 0x83, 0x65, 0xe4, 0x29, 0xbc, 0x62, 0xd1, 0x98, 0x03, 0x29, 0x52, 0xa0, 0xcd, 0x1a, 0xf1, 0x41, 0x89, 0xd2, 0x20, 0x8e, 0x93, 0x35, 0x82, 0x62, 0x11, 0xd0, 0x35, 0x32, 0x4c, 0x29, 0x87, 0x41, 0x89, 0xcf, 0x41, 0x04, 0x33, 0x90, 0x96, 0x04, 0xa6, 0xeb, 0x0f, 0x7a, 0x67, 0x6b, 0x48, 0x3b, 0x98, 0x1f, 0x41, 0x06, 0x74, 0x82, 0x2c, 0x1d, 0xd3, 0x6f, 0x00, 0x0b, 0x5e, 0x04, 0x79, 0x18, 0x71, 0x9c, 0x3f, 0x0c, 0x81, 0xa4, 0x88, 0x60, 0x0c, 0x3c, 0x0b, 0xb9, 0xc8, 0x8a, 0x27, 0x61, 0x1f, 0xc3, 0x46, 0xfb, 0x45, 0x95, 0x50, 0xe3, 0x38, 0x1e, 0x07, 0xcc, 0x81, 0xb5, 0x31, 0x07, 0xd6, 0xc8, 0x47, 0xdc, 0xa5, 0x35, 0x9e, 0xff, 0xd6, 0xdf, 0x19, 0xd3, 0xe9, 0xe5, 0x78, 0x6b, 0xf7, 0x5b, 0x77, 0xfb, 0xf5, 0x67, 0xd1, 0xb9, 0xdb, 0xa6, 0x7b, 0xee, 0xd6, 0xed, 0xf6, 0xef, 0x83, 0xc3, 0x9b, 0xc8, 0xb9, 0x7a, 0xbd, 0x37, 0xde, 0x5b, 0x4f, 0x7e, 0x1b, 0x27, 0x87, 0xeb, 0x0d, 0xd2, 0xb2, 0x8c, 0x48, 0x60, 0x01, 0x2c, 0xcd, 0xa6, 0x07, 0x8d, 0x6c, 0xc2, 0xb3, 0x8c, 0xa5, 0x6f, 0xa9, 0xeb, 0xc6, 0x79, 0x94, 0x7d, 0xe1, 0x5e, 0x09, 0xfa, 0xc6, 0xee, 0xde, 0xc6, 0xee, 0xf6, 0xee, 0x96, 0x1a, 0x4a, 0xe0, 0x1f, 0x4a, 0x67, 0xc0, 0xa3, 0x1b, 0x92, 0xb2, 0xe0, 0xa0, 0x21, 0x7c, 0xd0, 0x0d, 0x37, 0xcf, 0x08, 0x77, 0x11, 0x2b, 0x3f, 0x65, 0xa3, 0x83, 0x46, 0x8b, 0x87, 0xe3, 0xd6, 0x88, 0xde, 0x62, 0x5b, 0x13, 0xfe, 0x23, 0xd9, 0x5f, 0x8c, 0xa1, 0x49, 0x02, 0x6b, 0xca, 0xe2, 0xdc, 0xf5, 0x9d, 0x99, 0x61, 0xf5, 0x97, 0xcd, 0x24, 0x1a, 0xe3, 0xf8, 0x95, 0x17, 0x2f, 0xd0, 0x24, 0x90, 0xf2, 0xdc, 0xd9, 0x14, 0xc4, 0xc1, 0x67, 0x2c, 0xb3, 0x10, 0x5c, 0x21, 0x5a, 0x2c, 0x64, 0xe9, 0x98, 0x45, 0xee, 0xd4, 0xc9, 0x58, 0x98, 0x04, 0x20, 0xd1, 0x4d, 0x68, 0x06, 0x93, 0x82, 0x56, 0xe4, 0x85, 0x04, 0xb4, 0x14, 0x46, 0x08, 0xbc, 0x56, 0xa3, 0x56, 0x70, 0xcd, 0xcb, 0x07, 0x80, 0x56, 0x25, 0x71, 0x24, 0x40, 0x10, 0x1f, 0x35, 0x2c, 0x01, 0x71, 0xcb, 0xe4, 0x08, 0x12, 0x32, 0x8f, 0xd3, 0x83, 0x86, 0x6c, 0x51, 0x36, 0x00, 0x96, 0x7b, 0xda, 0x1b, 0x90, 0xc1, 0x71, 0xef, 0xaa, 0x47, 0x0e, 0x7b, 0x64, 0xd0, 0xf9, 0x5b, 0x8f, 0x5c, 0x7c, 0xec, 0x5d, 0x91, 0x6e, 0xbf, 0x8f, 0x8b, 0x21, 0xfa, 0xdf, 0xf2, 0x79, 0x5c, 0x86, 0xfc, 0x8c, 0xd0, 0x1c, 0x65, 0xf4, 0x86, 0xc5, 0x20, 0x4b, 0x1a, 0x4f, 0x14, 0x38, 0x65, 0x4a, 0x88, 0x48, 0x5d, 0xe8, 0xfe, 0x15, 0x56, 0x1f, 0x83, 0x3c, 0x47, 0xfc, 0x5b, 0xda, 0xfc, 0x0a, 0x5d, 0xf6, 0x5b, 0xea, 0xbd, 0x5e, 0x53, 0xb9, 0x33, 0x9a, 0x58, 0xf1, 0xb6, 0xd5, 0xa2, 0x5f, 0xe9, 0x5d, 0x53, 0xc9, 0x2a, 0x4d, 0xb8, 0x68, 0x82, 0xbc, 0xcb, 0xb6, 0x56, 0xc0, 0x87, 0xa2, 0xf5, 0xf5, 0xf7, 0x9c, 0xa5, 0xd3, 0xd6, 0x46, 0xf3, 0x4d, 0x73, 0x43, 0xff},
		{0xb8, 0xe8, 0x56, 0x32, 0x0b, 0xde, 0x4a, 0x1d, 0x70, 0xcf, 0xa6, 0xe5, 0x08, 0x00, 0x45, 0x20, 0x05, 0x8c, 0x3c, 0x57, 0x00, 0x00, 0xef, 0x06, 0xec, 0xcb, 0xa4, 0x43, 0xe4, 0x98, 0x0a, 0x01, 0x0a, 0x4c, 0x00, 0x50, 0xe1, 0xa1, 0xfe, 0xaa, 0xf5, 0x65, 0x4d, 0xa6, 0xae, 0x36, 0x80, 0x18, 0x1f, 0x68, 0x15, 0xc0, 0x00, 0x00, 0x01, 0x01, 0x08, 0x0a, 0xb3, 0xa1, 0x66, 0x25, 0x1b, 0x4f, 0x37, 0x6d, 0x68, 0x82, 0x25, 0x5c, 0x06, 0x1c, 0x31, 0xa1, 0x11, 0x0d, 0xa6, 0x19, 0x77, 0x45, 0xad, 0xf3, 0x0b, 0xe3, 0x5b, 0x82, 0x8c, 0xa1, 0x73, 0x79, 0x0d, 0xce, 0xa5, 0x3e, 0x96, 0xb3, 0xd7, 0xf8, 0x3f, 0x27, 0x4f, 0xc6, 0x29, 0xf5, 0xd8, 0xec, 0x94, 0x15, 0xf7, 0x22, 0x45, 0x5b, 0xe2, 0x00, 0x90, 0x4f, 0xce, 0x3a, 0x1f, 0x7a, 0xa4, 0xdb, 0xe9, 0x1e, 0xf7, 0x2a, 0x74, 0x6e, 0xa1, 0x0b, 0x02, 0xde, 0xc0, 0xbf, 0xfd, 0x61, 0xec, 0x4d, 0x8d, 0x17, 0xf3, 0xc1, 0x46, 0x24, 0x74, 0xcc, 0x90, 0x6f, 0x38, 0x7e, 0xa5, 0x9f, 0x81, 0xdd, 0x41, 0x13, 0x76, 0x14, 0xe7, 0xe0, 0x10, 0xba, 0x01, 0x77, 0x6f, 0xc8, 0x7b, 0x30, 0x28, 0x5e, 0xc0, 0xc7, 0x7e, 0x46, 0x06, 0x74, 0xfc, 0x96, 0x5c, 0x02, 0xb5, 0xc0, 0x98, 0x7a, 0x31, 0x89, 0xe2, 0x0c, 0xd8, 0x17, 0x02, 0x5b, 0x56, 0x3a, 0x68, 0x55, 0xd1, 0xfe, 0xa1, 0x01, 0x40, 0x08, 0x99, 0xcf, 0x05, 0xc9, 0xb0, 0x3f, 0x9a, 0xc8, 0x26, 0xf3, 0xf2, 0x95, 0xeb, 0xab, 0x53, 0xf5, 0x86, 0x91, 0x09, 0x1b, 0xe2, 0xc4, 0xda, 0x08, 0x63, 0x0b, 0x74, 0x25, 0x30, 0x82, 0xdd, 0xa1, 0x81, 0x06, 0xb3, 0x9d, 0xc5, 0x64, 0x08, 0x16, 0x3b, 0xa0, 0x2e, 0xf3, 0xde, 0x4a, 0xa7, 0x08, 0x0c, 0x9b, 0x4c, 0x26, 0xcd, 0x1c, 0x90, 0x47, 0x70, 0xad, 0x95, 0x81, 0x9e, 0x82, 0x84, 0xb9, 0xc8, 0x8a, 0xde, 0xf0, 0x94, 0x4d, 0x18, 0x8b, 0x24, 0x58, 0xb9, 0xde, 0xb6, 0x74, 0x13, 0xfb, 0x2d, 0xf5, 0x0c, 0x23, 0xd0, 0xc0, 0x82, 0xad, 0x0f, 0x62, 0x58, 0x07, 0x3c, 0x24, 0x31, 0xf8, 0x16, 0x58, 0x2f, 0x4e, 0x8a, 0x83, 0xc0, 0xc4, 0x44, 0xe8, 0x6b, 0xa0, 0x67, 0x73, 0xa5, 0x8b, 0xde, 0x05, 0x6c, 0x17, 0x39, 0x02, 0x95, 0x7c, 0x4b, 0xd6, 0x77, 0x5a, 0x1b, 0x5b, 0xad, 0xcd, 0xf5, 0x8d, 0xed, 0x15, 0x19, 0x2c, 0x68, 0xf6, 0x61, 0xf8, 0x02, 0x36, 0x89, 0xdd, 0x65, 0xad, 0xaf, 0xf4, 0x96, 0xaa, 0x56, 0xa0, 0xeb, 0x2d, 0x4d, 0x09, 0xbd, 0x63, 0x01, 0x39, 0x20, 0x67, 0x34, 0xf3, 0x9b, 0x29, 0x60, 0x12, 0x87, 0x7f, 0xf9, 0x2b, 0x59, 0x25, 0x8d, 0xc6, 0x3b, 0xf5, 0x1a, 0xde, 0xc9, 0x2e, 0xff, 0x49, 0x36, 0xd6, 0xcb, 0xff, 0xde, 0xad, 0x40, 0x5c, 0x94, 0x87, 0xa0, 0x03, 0xcd, 0x49, 0x0a, 0xa6, 0xf4, 0x2f, 0xaf, 0xf6, 0xf9, 0x28, 0x45, 0xfa, 0x5a, 0x29, 0x06, 0x9a, 0x6c, 0x6f, 0xed, 0x6d, 0xbd, 0x7e, 0xbd, 0xd3, 0x1c, 0x05, 0xa2, 0xe9, 0x49, 0xb6, 0xb9, 0xc8, 0xb6, 0x66, 0xc4, 0xb2, 0x16, 0xd5, 0x5c, 0xe1, 0xef, 0x70, 0x84, 0xee, 0xf9, 0x4e, 0xe2, 0x7a, 0x99, 0xf2, 0x90, 0xae, 0xbf, 0x03, 0xbb, 0x7c, 0x80, 0x0c, 0x62, 0xeb, 0xef, 0xc0, 0xb3, 0x1d, 0xbc, 0x02, 0xbc, 0x28, 0xfc, 0xef, 0xd5, 0x2f, 0x0d, 0xa2, 0xe2, 0x85, 0xc6, 0x06, 0x68, 0x24, 0x43, 0xee, 0xcb, 0x47, 0x39, 0xff, 0x10, 0xba, 0xb2, 0xf4, 0xa0, 0x01, 0x96, 0x59, 0x2a, 0x2e, 0xf8, 0x75, 0x2e, 0x80, 0xf8, 0xd3, 0xb7, 0x51, 0x1c, 0x31, 0x14, 0x55, 0x85, 0x67, 0xfb, 0xd5, 0x5f, 0xdf, 0xad, 0x14, 0xd2, 0xbf, 0x1f, 0xc5, 0xf6, 0xf1, 0xdf, 0xbd, 0x90, 0x8d, 0xa7, 0x2c, 0x80, 0xc8, 0xd0, 0xe5, 0xa0, 0x51, 0x92, 0xfc, 0x8e, 0xd1, 0xe8, 0xd2, 0xea, 0x60, 0x69, 0xa5, 0x15, 0xa1, 0x95, 0xef, 0x81, 0x98, 0x7d, 0x87, 0xf6, 0x10, 0x15, 0x28, 0x82, 0x1f, 0xa9, 0xd9, 0x27, 0x4f, 0x34, 0xa7, 0xd4, 0x8f, 0x63, 0x69, 0x99, 0x12, 0x0e, 0x42, 0xf2, 0x0b, 0xf7, 0x0e, 0x36, 0xb7, 0x77, 0x77, 0xde, 0xac, 0xef, 0xbd, 0xcc, 0x0e, 0x36, 0x17, 0x2c, 0x92, 0x06, 0xf0, 0xf7, 0x33, 0x8e, 0x24, 0x83, 0x94, 0xba, 0x37, 0x28, 0xcc, 0x97, 0x38, 0x5c, 0xfa, 0xc3, 0xfb, 0x65, 0xb6, 0xc2, 0x13, 0xda, 0xa4, 0x5e, 0x06, 0x13, 0x2b, 0x04, 0xee, 0x5a, 0x38, 0xfd, 0xc6, 0xfa, 0xf6, 0xee, 0xee, 0x4e, 0xd9, 0xac, 0xe9, 0x7f, 0xfb, 0x10, 0xd0, 0x10, 0xe8, 0xd0, 0x00, 0xf3, 0xf5, 0x89, 0xa6, 0xa8, 0x42, 0xd8, 0x0b, 0x5a, 0xb1, 0x8b, 0x24, 0xd0, 0x25, 0x2a, 0xfd, 0xa7, 0x94, 0x26, 0x72, 0xc9, 0x76, 0x00, 0xda, 0x02, 0x67, 0x02, 0xcd, 0x68, 0x89, 0x94, 0x95, 0x24, 0xfd, 0x1b, 0x9e, 0x90, 0x73, 0x7a, 0xab, 0xfc, 0xdf, 0x7e, 0x6e, 0x63, 0x6f, 0x9f, 0x7b, 0xc0, 0x22, 0x1c, 0x26, 0xa0, 0x8b, 0x13, 0xd1, 0xdb, 0x86, 0xf6, 0xf1, 0xe0, 0x50, 0xda, 0xfb, 0x54, 0x3b, 0x90, 0x3f, 0xd1, 0xdc, 0xe3, 0xe0, 0x4f, 0x99, 0xea, 0x21, 0xc1, 0x81, 0x7e, 0x03, 0x44, 0x3e, 0x96, 0x0a, 0xbd, 0xdf, 0xa2, 0x80, 0x1d, 0x0c, 0x99, 0x37, 0x58, 0x30, 0x0c, 0xb3, 0x86, 0xf1, 0x5d, 0x31, 0xb2, 0x2f, 0x9b, 0xee, 0x1d, 0x85, 0xfe, 0xd7, 0xd1, 0x41, 0x48, 0x31, 0xf0, 0x0c, 0x5a, 0x49, 0x57, 0xb5, 0x96, 0x86, 0xef, 0xb7, 0xf2, 0x40, 0xbb, 0x04, 0x29, 0x38, 0x95, 0x05, 0xeb, 0xf6, 0x01, 0x64, 0x17, 0x87, 0x60, 0x23, 0x14, 0x0d, 0x0c, 0xb9, 0x20, 0xe7, 0x70, 0x86, 0x34, 0xc5, 0x65, 0xcf, 0x34, 0x16, 0xd3, 0x03, 0x0c, 0x1d, 0x7c, 0x7c, 0x02, 0x0b, 0x06, 0x86, 0x56, 0x47, 0x12, 0x2f, 0x4c, 0x33, 0x4e, 0x5a, 0x7e, 0x65, 0xfb, 0x77, 0x34, 0xe5, 0x0a, 0xf2, 0xcf, 0x99, 0x07, 0xa9, 0x0a, 0x51, 0x26, 0xea, 0x49, 0x64, 0x69, 0x0a, 0xfc, 0x06, 0x46, 0x61, 0xb7, 0x2a, 0xf5, 0xd5, 0xb4, 0x15, 0x62, 0xb5, 0x44, 0x96, 0x7b, 0x80, 0x28, 0x46, 0x13, 0xb1, 0x09, 0xcb, 0x1d, 0xd3, 0xd8, 0x20, 0xed, 0xcb, 0xa2, 0x99, 0xf4, 0x75, 0xb3, 0x25, 0xdf, 0x02, 0x50, 0x6e, 0x9e, 0xa6, 0xf0, 0x50, 0x06, 0xd3, 0x55, 0x4d, 0xcb, 0x40, 0x8c, 0xa8, 0x9b, 0x07, 0xd9, 0x14, 0x06, 0xbc, 0x57, 0x4f, 0x0b, 0xa7, 0xa2, 0xa3, 0x11, 0xf4, 0xea, 0xe3, 0xdf, 0x05, 0x7d, 0x54, 0xfc, 0x0c, 0x9d, 0x3a, 0xf2, 0x61, 0x41, 0xaf, 0x84, 0x22, 0x5e, 0xc2, 0x01, 0x8f, 0xe0, 0x8c, 0x68, 0xc8, 0x03, 0xce, 0xe4, 0xb2, 0x55, 0x33, 0x79, 0x49, 0xc3, 0xe4, 0x1d, 0x79, 0xaf, 0x5f, 0x94, 0xe4, 0x06, 0xfe, 0xa1, 0x4f, 0x07, 0xe1, 0xd1, 0xba, 0x25, 0x5b, 0xca, 0x4c, 0x9d, 0xe1, 0x1f, 0xca, 0x89, 0xee, 0x6b, 0xff, 0x9a, 0xce, 0x65, 0x11, 0xdb, 0x17, 0x09, 0xe4, 0x3f, 0x52, 0x23, 0x31, 0x9e, 0x73, 0x82, 0x78, 0x0c, 0x51, 0x70, 0x61, 0x98, 0x64, 0xa8, 0x8b, 0x8d, 0x8e, 0x8a, 0x00, 0xc7, 0x7c, 0xa4, 0x8d, 0x8d, 0x4c, 0xe1, 0x74, 0xf7, 0x16, 0x42, 0xd1, 0x21, 0x05, 0x39, 0x86, 0xd0, 0x43, 0xcb, 0x97, 0x15, 0x21, 0x5f, 0xb6, 0x19, 0xe9, 0x19, 0xd2, 0x28, 0x62, 0x28, 0xcc, 0x36, 0x8e, 0x31, 0x83, 0xb4, 0xce, 0x10, 0x13, 0xcc, 0xd4, 0x00, 0x94, 0x45, 0xdd, 0xc6, 0x3a, 0x38, 0x5c, 0x22, 0x53, 0x89, 0x80, 0xfc, 0x0d, 0x39, 0x4e, 0x23, 0x68, 0x59, 0xd0, 0xd0, 0xa9, 0x2a, 0xd2, 0xd6, 0xdf, 0x28, 0x81, 0xa9, 0x80, 0xbb, 0xb2, 0x41, 0x32, 0x39, 0xcc, 0xb3, 0x0c, 0x1e, 0xab, 0xc0, 0x0d, 0x56, 0x61, 0x3c, 0xe4, 0x90, 0x04, 0x0c, 0x55, 0x9f, 0x79, 0xca, 0x21, 0x15, 0xc9, 0xcc, 0xae, 0x4d, 0x6c, 0x58, 0x44, 0x34, 0xbf, 0xe4, 0x59, 0xf8, 0x45, 0x40, 0xf2, 0xe9, 0xb2, 0x03, 0xd3, 0xf8, 0x1f, 0x9b, 0x87, 0x45, 0x90, 0x0e, 0x3f, 0x4c, 0xcc, 0xf6, 0x12, 0xfb, 0x62, 0xf0, 0x9d, 0x87, 0x07, 0x9d, 0x24, 0x11, 0xf0, 0x4a, 0x4d, 0x2c, 0x5f, 0xb8, 0x20, 0x3c, 0x94, 0x8f, 0x23, 0xe9, 0x12, 0xe1, 0x95, 0x42, 0x4d, 0xc2, 0x1a, 0xb1, 0x34, 0xa5, 0x01, 0x3c, 0x8e, 0x20, 0x45, 0x84, 0x3f, 0x80, 0x1b, 0x9b, 0xd0, 0x69, 0xa3, 0xb4, 0x84, 0x46, 0x1b, 0x21, 0x4a, 0x61, 0x30, 0xdc, 0x44, 0x1a, 0xad, 0x48, 0xc9, 0x2b, 0x11, 0xc7, 0xda, 0x3d, 0x35, 0x18, 0x56, 0x2a, 0x59, 0x02, 0xeb, 0x6e, 0xb4, 0xcf, 0x58, 0x94, 0xcf, 0x42, 0x28, 0x0f, 0x2f, 0x64, 0xf2, 0xc5, 0x1c, 0xc2, 0xd7, 0x58, 0x6d, 0xad, 0x88, 0xf2, 0x0d, 0xd2, 0x14, 0x93, 0xc3, 0xf8, 0x6e, 0xc6, 0x3c, 0x95, 0x0c, 0x37, 0x4a, 0x3d, 0xe4, 0xe1, 0x61, 0xa9, 0x1d, 0x7f, 0x36, 0x74, 0x92, 0x5a, 0x6e, 0x51, 0xac, 0x52, 0x2d, 0x98, 0xd3, 0x64, 0x7e, 0x0c, 0x63, 0xc6, 0x98, 0x8e, 0x60, 0xe8, 0x11, 0x47, 0xb8, 0x48, 0x09, 0x90, 0x47, 0x49, 0xae, 0x5d, 0xe7, 0x2b, 0xf0, 0x44, 0x60, 0x52, 0x5e, 0x29, 0x78, 0xaf, 0x30, 0xdb, 0x7d, 0x45, 0x6e, 0x41, 0xf9, 0xe1, 0x07, 0xd2, 0xfd, 0x55, 0x6b, 0xc9, 0x08, 0x88, 0x6f, 0x40, 0x7c, 0x2b, 0x63, 0xbe, 0x74, 0x55, 0xce, 0xad, 0xf2, 0xe5, 0xa5, 0x10, 0xc0, 0x74, 0xde, 0x4d, 0x8b, 0xe4, 0xe9, 0x29, 0xa0, 0xe2, 0x3c, 0x83, 0x57, 0x16, 0xc2, 0x5d, 0x18, 0x7c, 0x89, 0xe2, 0x2f, 0x5e, 0xe6, 0x55, 0x46, 0x56, 0x48, 0xec, 0xc8, 0xb6, 0x86, 0x71, 0xcc, 0x26, 0xeb, 0x57, 0xcc, 0x29, 0x7a, 0x0d, 0x21, 0x02, 0x19, 0xa7, 0x90, 0xa4, 0x7b, 0x36, 0xb2, 0xd2, 0x0c, 0x34, 0xa9, 0x81, 0x61, 0xc9, 0xef, 0x8d, 0x52, 0x50, 0x02, 0x91, 0x08, 0xff, 0x06, 0xcf, 0x9b, 0x10, 0xa5, 0xe1, 0x7e, 0x53, 0xc0, 0xa2, 0x31, 0x86, 0x3a, 0x9b, 0x3b, 0x3b, 0x0d, 0x8d, 0x65, 0x43, 0xf1, 0x44, 0x09, 0x7e, 0x0d, 0xb7, 0x61, 0x16, 0x19, 0x68, 0x22, 0x1f, 0x86, 0x3c, 0xd3, 0x96, 0x4a, 0x85, 0x65, 0x2a, 0xef, 0x88, 0x35, 0x96, 0x68, 0xb4, 0x14, 0x10, 0x69, 0x21, 0x51, 0x26, 0x0a, 0x53, 0x59, 0x95, 0x4d, 0x29, 0x7f, 0xd2, 0xa3, 0x1b, 0xe3, 0x3a, 0x57, 0x6c, 0x65, 0x24, 0x80, 0x0a, 0x81, 0x51, 0x4d, 0x52, 0x18, 0xbb, 0x79, 0xae, 0xd2, 0xf4, 0x6d, 0xd4, 0xdd},
		{0xb8, 0xe8, 0x56, 0x32, 0x0b, 0xde, 0x4a, 0x1d, 0x70, 0xcf, 0xa6, 0xe5, 0x08, 0x00, 0x45, 0x20, 0x05, 0x8c, 0x3c, 0x58, 0x00, 0x00, 0xef, 0x06, 0xec, 0xca, 0xa4, 0x43, 0xe4, 0x98, 0x0a, 0x01, 0x0a, 0x4c, 0x00, 0x50, 0xe1, 0xa1, 0xfe, 0xaa, 0xfa, 0xbd, 0x4d, 0xa6, 0xae, 0x36, 0x80, 0x18, 0x1f, 0x68, 0x64, 0x1e, 0x00, 0x00, 0x01, 0x01, 0x08, 0x0a, 0xb3, 0xa1, 0x66, 0x25, 0x1b, 0x4f, 0x37, 0x6d, 0xc8, 0x30, 0x2e, 0x51, 0xd7, 0x4b, 0xe3, 0xc4, 0x8b, 0x27, 0x91, 0x83, 0x59, 0x33, 0x68, 0xe8, 0xe1, 0xc5, 0xf5, 0x40, 0x5a, 0xae, 0x22, 0x32, 0xb2, 0x5d, 0x6a, 0x93, 0xa6, 0x6c, 0x2c, 0x37, 0x5f, 0x68, 0xca, 0x29, 0x0c, 0xbf, 0x85, 0xa6, 0x24, 0x0e, 0x40, 0x5c, 0x8d, 0x63, 0x36, 0xbe, 0xb9, 0x00, 0xa5, 0x74, 0x19, 0xdd, 0xd7, 0x5c, 0xac, 0xc0, 0x72, 0x5e, 0x40, 0x32, 0x8e, 0xbb, 0x8c, 0x8b, 0x7c, 0xa0, 0xec, 0x16, 0x72, 0x81, 0xbb, 0x5a, 0xd2, 0xc7, 0x49, 0x96, 0x41, 0xfc, 0x7c, 0xa6, 0xda, 0xb4, 0x83, 0xfb, 0x28, 0x5b, 0xef, 0x05, 0x02, 0xae, 0xd9, 0xb8, 0x49, 0x3e, 0xce, 0x53, 0x84, 0xf1, 0x1e, 0x9b, 0x8c, 0x8b, 0x54, 0x8d, 0x05, 0x08, 0xe9, 0x1a, 0x1f, 0xbe, 0x14, 0x3a, 0xa1, 0xa9, 0xa7, 0xe0, 0xfb, 0x71, 0x14, 0xa7, 0x00, 0xbe, 0x23, 0x9b, 0x34, 0xfc, 0x63, 0xd9, 0x78, 0x2f, 0x86, 0x90, 0x88, 0x66, 0x71, 0x3a, 0x6d, 0xb4, 0x8f, 0xd5, 0xc3, 0xbd, 0x9d, 0x39, 0x98, 0x66, 0x37, 0x93, 0xf3, 0xe1, 0xde, 0x55, 0x98, 0x04, 0x5c, 0xf8, 0xa1, 0x8c, 0x56, 0xda, 0x27, 0xf2, 0x9d, 0x9e, 0xb8, 0x53, 0x7d, 0xfb, 0xdd, 0x0b, 0xc4, 0xfd, 0x28, 0xee, 0xca, 0x09, 0x79, 0x34, 0x02, 0x72, 0x47, 0x72, 0x83, 0x57, 0x47, 0x29, 0xed, 0x13, 0xf9, 0x5a, 0xcf, 0x79, 0x52, 0x74, 0x20, 0xf7, 0x46, 0x2f, 0x0a, 0x34, 0xa4, 0xb3, 0x98, 0x5c, 0x00, 0xe6, 0x57, 0xfa, 0xe9, 0xde, 0xee, 0x72, 0x3f, 0x27, 0x15, 0x1a, 0x15, 0xb5, 0xa7, 0x89, 0xec, 0xec, 0xaa, 0x76, 0x8b, 0x83, 0x79, 0xf3, 0xdd, 0x4b, 0x0e, 0xa4, 0xd7, 0x10, 0x3e, 0x87, 0x8c, 0xe2, 0xd4, 0x3e, 0xdf, 0x8f, 0x1b, 0xc4, 0x5d, 0x0c, 0x99, 0xdf, 0x55, 0x0f, 0xb5, 0xb9, 0x4d, 0x6f, 0xab, 0x8f, 0x72, 0xf7, 0x00, 0x7a, 0xcb, 0x4d, 0x84, 0xbf, 0xfc, 0xfd, 0xaf, 0xd8, 0x9f, 0x14, 0xea, 0x64, 0x63, 0x35, 0x74, 0x9a, 0x3a, 0xd4, 0x2f, 0xbd, 0xfa, 0x43, 0x0d, 0x05, 0x17, 0x70, 0x0c, 0x31, 0xbd, 0x5c, 0xa4, 0xee, 0xdd, 0xce, 0x51, 0xef, 0xec, 0xa4, 0xdb, 0xff, 0x29, 0x2a, 0x6f, 0xb0, 0x7b, 0x80, 0xda, 0xdb, 0xae, 0x39, 0xee, 0x2e, 0xe3, 0x16, 0x56, 0x0e, 0x01, 0x86, 0x03, 0x46, 0x5e, 0x6f, 0x01, 0xb7, 0xaf, 0xcb, 0x2f, 0x48, 0xcf, 0xbc, 0x58, 0x0a, 0xd0, 0xc2, 0x42, 0xe9, 0x01, 0xc7, 0x37, 0x62, 0xd2, 0x8e, 0x80, 0x24, 0x97, 0x80, 0x7f, 0x30, 0x70, 0x95, 0x28, 0x5d, 0x96, 0xba, 0xcd, 0x9b, 0xea, 0xe1, 0x62, 0x65, 0xd1, 0xc0, 0x08, 0x87, 0x47, 0x39, 0xc8, 0x7a, 0x79, 0xde, 0xae, 0x6d, 0x7d, 0xc4, 0x8a, 0xcc, 0x93, 0x13, 0x27, 0x78, 0x56, 0x83, 0x5b, 0xed, 0x98, 0x03, 0xb4, 0x3b, 0xba, 0x9d, 0x5c, 0x94, 0xdb, 0x97, 0x82, 0x33, 0x29, 0xcc, 0x6c, 0x06, 0xf3, 0x1d, 0xcb, 0xf4, 0x20, 0xca, 0x4c, 0xb3, 0xd0, 0x66, 0x28, 0x40, 0x70, 0x60, 0x40, 0x08, 0xd8, 0x1d, 0x15, 0x6f, 0x0a, 0x2a, 0xcb, 0x77, 0x4b, 0x31, 0x0c, 0xf8, 0x30, 0x05, 0x89, 0xc4, 0x35, 0x9e, 0x9a, 0xc7, 0x1f, 0xab, 0x67, 0x9e, 0xf6, 0x48, 0x0b, 0xf5, 0xec, 0xe8, 0xec, 0xa4, 0xdf, 0x3f, 0xb9, 0x38, 0xff, 0x29, 0x7a, 0x66, 0xb0, 0x03, 0x3d, 0xeb, 0x98, 0x67, 0xb2, 0x4c, 0xe3, 0xec, 0xa0, 0xaa, 0xc6, 0x15, 0x4b, 0xad, 0x69, 0x9c, 0x85, 0xbc, 0x14, 0xe0, 0x3c, 0x58, 0x1f, 0xee, 0x01, 0xf3, 0x70, 0x31, 0xb3, 0x53, 0x40, 0x9c, 0xc7, 0x22, 0x19, 0x22, 0xb0, 0x08, 0x28, 0x1a, 0x84, 0x32, 0x9f, 0xeb, 0x99, 0x56, 0xc8, 0x50, 0x4d, 0xeb, 0x52, 0x6c, 0x39, 0xfa, 0x90, 0x48, 0x6a, 0x1e, 0x7a, 0xb7, 0x02, 0xe5, 0x93, 0xf2, 0x8b, 0x47, 0x2c, 0x3f, 0x03, 0xef, 0x26, 0x20, 0x5d, 0x2a, 0xc3, 0x1a, 0xe8, 0xb6, 0x67, 0x5a, 0x3e, 0x1d, 0x41, 0xac, 0xe9, 0x51, 0x48, 0xba, 0x38, 0x2a, 0x6e, 0xa7, 0xfc, 0xd3, 0x86, 0x37, 0x11, 0x8d, 0x5c, 0xe9, 0x8f, 0xb9, 0xf7, 0x43, 0x95, 0x05, 0x53, 0x50, 0x70, 0xd3, 0x4e, 0xe6, 0x33, 0xc7, 0x1e, 0x05, 0x2e, 0x52, 0x1c, 0x99, 0x73, 0x9f, 0x9c, 0xe3, 0xb1, 0x0f, 0xe9, 0x5e, 0x9c, 0x9d, 0x5d, 0x9f, 0x9f, 0x0c, 0x3e, 0xff, 0x0c, 0x25, 0x9a, 0x8b, 0xf5, 0x72, 0xc7, 0x35, 0x7f, 0x98, 0x7d, 0xb2, 0xf6, 0x4f, 0x19, 0x43, 0x30, 0x80, 0x91, 0x8a, 0x29, 0x30, 0x60, 0x30, 0x9d, 0xac, 0x21, 0x34, 0x76, 0xb1, 0xd4, 0xed, 0x51, 0xd3, 0xde, 0x38, 0x1b, 0x9b, 0x85, 0x77, 0xa9, 0xce, 0x0d, 0xa1, 0xae, 0xdc, 0x21, 0x80, 0x89, 0xff, 0x06, 0xdd, 0x0a, 0x77, 0x53, 0x9f, 0xfd, 0xca, 0x74, 0xfc, 0x0e, 0x09, 0x9d, 0x8f, 0x96, 0xf5, 0x57, 0x85, 0x33, 0xb0, 0xae, 0x6a, 0x89, 0x0f, 0x98, 0x0f, 0x10, 0x92, 0xfb, 0x20, 0xf3, 0x1d, 0x0c, 0xbd, 0x20, 0x76, 0x96, 0x3f, 0x08, 0x86, 0x5f, 0x8f, 0x02, 0x82, 0x07, 0xe6, 0x92, 0x32, 0xe8, 0xf4, 0x72, 0x84, 0xd4, 0x49, 0xad, 0x6b, 0xea, 0xaa, 0xb6, 0x1f, 0xaa, 0x37, 0x88, 0x1e, 0x22, 0xb5, 0x48, 0x55, 0x50, 0x45, 0x3a, 0x57, 0x83, 0x9f, 0x12, 0xca, 0x19, 0xdc, 0x5a, 0x9a, 0x4a, 0x4b, 0xb4, 0xc2, 0x76, 0x17, 0xae, 0x1f, 0xc7, 0x81, 0x13, 0x8f, 0x1c, 0xd3, 0xa4, 0x12, 0x98, 0x52, 0x2d, 0x42, 0xa3, 0xdd, 0x97, 0x9d, 0xcc, 0x19, 0x9f, 0x84, 0x8f, 0x07, 0x6f, 0x9d, 0x52, 0xa7, 0x87, 0xcf, 0x13, 0xe6, 0x82, 0xbb, 0x28, 0x15, 0xe9, 0x10, 0x32, 0x11, 0x3c, 0xf4, 0x27, 0x05, 0xfc, 0x33, 0x7c, 0xf9, 0x1d, 0x72, 0x3d, 0x7f, 0x3d, 0xe0, 0xce, 0x52, 0xc8, 0x2d, 0x83, 0x50, 0xae, 0x29, 0x63, 0x01, 0xbb, 0xe5, 0xca, 0xdc, 0x17, 0x33, 0x0e, 0x54, 0xb7, 0x35, 0xb0, 0xc7, 0x41, 0x28, 0x97, 0x35, 0xb0, 0xfd, 0x96, 0x2d, 0x0a, 0x90, 0xc7, 0x2d, 0x05, 0x0c, 0x19, 0xa5, 0x5c, 0xb4, 0x2f, 0x6d, 0x83, 0xa4, 0xd2, 0xb2, 0xf1, 0x40, 0x0a, 0x96, 0xa3, 0xb6, 0x9d, 0xa9, 0x87, 0xa7, 0x2c, 0x5c, 0xb2, 0x6e, 0xc6, 0xa8, 0x2b, 0x61, 0x38, 0x89, 0x70, 0x99, 0xc4, 0xda, 0xb3, 0x1f, 0xaa, 0x35, 0xb8, 0x65, 0x99, 0x0b, 0x10, 0xf0, 0x11, 0x5b, 0xa4, 0x38, 0xdd, 0xce, 0xd9, 0xe5, 0x75, 0x9f, 0x9c, 0x9e, 0xbc, 0xef, 0xfd, 0x0c, 0xdd, 0x29, 0x61, 0xb8, 0xdc, 0x9f, 0x94, 0x3b, 0x9b, 0x9d, 0x8f, 0x7b, 0xf7, 0x3a, 0xca, 0x03, 0xfc, 0x38, 0x17, 0x52, 0x5a, 0x40, 0x1c, 0x3d, 0xae, 0x0e, 0xd2, 0x8e, 0x55, 0x9b, 0xb6, 0x6b, 0x47, 0xb2, 0xf5, 0x3b, 0x04, 0xa1, 0x3c, 0x4d, 0x40, 0xe5, 0x5f, 0xb9, 0x7f, 0x08, 0x11, 0x79, 0x87, 0x9c, 0x9a, 0x5f, 0x0f, 0xc1, 0x51, 0xd9, 0x6e, 0x44, 0x51, 0xd0, 0x11, 0x43, 0x21, 0xd2, 0x16, 0x5c, 0x61, 0xd8, 0x97, 0x8d, 0x0f, 0x00, 0xe4, 0x06, 0xf9, 0x50, 0x38, 0x71, 0x3a, 0xa6, 0x11, 0xff, 0x26, 0x3d, 0x99, 0x71, 0x74, 0xae, 0x3e, 0x7a, 0x47, 0x11, 0x83, 0x3e, 0x6b, 0xe4, 0xa2, 0xdc, 0xc9, 0xba, 0x39, 0xd3, 0xed, 0x89, 0xd4, 0xd0, 0x67, 0x46, 0x8e, 0xc8, 0x65, 0xd6, 0x05, 0xca, 0xaf, 0x1a, 0x48, 0x5f, 0x35, 0xfc, 0x50, 0x6d, 0xd0, 0xd4, 0x15, 0x53, 0x91, 0xb1, 0x70, 0x91, 0x3e, 0x1c, 0xf7, 0x3a, 0xa7, 0x83, 0x63, 0xd2, 0xff, 0x8c, 0xf5, 0x5c, 0x3f, 0x43, 0x23, 0x2a, 0x58, 0x2e, 0xd7, 0x89, 0x6a, 0x77, 0xb0, 0x80, 0x0e, 0x16, 0x36, 0xaa, 0x9d, 0xaf, 0xf7, 0x71, 0x0a, 0xf1, 0x92, 0xfa, 0xf5, 0xe0, 0xe1, 0xaa, 0x05, 0xc3, 0x87, 0xca, 0x86, 0x80, 0x06, 0x77, 0x6c, 0xdf, 0x56, 0xf6, 0x01, 0xbe, 0xc7, 0x7c, 0x56, 0xa7, 0x2e, 0xe5, 0xfd, 0xcb, 0x92, 0xfd, 0xea, 0xc0, 0x27, 0xef, 0x1d, 0x54, 0xc1, 0x8d, 0xf9, 0x2d, 0x82, 0xc2, 0xfd, 0x75, 0x27, 0x8b, 0x1d, 0x0c, 0x8f, 0x20, 0x41, 0x93, 0x8d, 0xe4, 0x10, 0x1a, 0x71, 0x83, 0xbb, 0x38, 0xe0, 0xfa, 0x41, 0x92, 0x0b, 0xf1, 0xa9, 0x3e, 0x46, 0x99, 0x2f, 0xb4, 0x57, 0xbd, 0x7e, 0xaf, 0x73, 0xd5, 0x3d, 0xfe, 0x19, 0xf2, 0x6a, 0x70, 0x5b, 0x2e, 0xaa, 0xb6, 0x67, 0x65, 0x6b, 0xc6, 0x51, 0x32, 0x5b, 0x0e, 0xfe, 0x2b, 0x5b, 0x34, 0x44, 0x49, 0xf1, 0xd2, 0xa8, 0xdf, 0x42, 0xaf, 0xa6, 0xec, 0x96, 0x74, 0xb5, 0x8c, 0xfd, 0x4a, 0xb7, 0x7f, 0x87, 0xe0, 0xda, 0x99, 0xe6, 0x4c, 0xf2, 0x61, 0x31, 0xfc, 0xf9, 0x30, 0xcc, 0x83, 0xb3, 0x68, 0x1f, 0xd7, 0x00, 0x22, 0xcb, 0x37, 0x74, 0xe7, 0xcf, 0xf0, 0x80, 0x0d, 0xa2, 0x47, 0xad, 0x1a, 0x33, 0xed, 0x88, 0x0b, 0xc8, 0xe4, 0x65, 0x22, 0x15, 0x6b, 0xa6, 0xab, 0xed, 0x95, 0xe2, 0xc5, 0x9c, 0x30, 0xf8, 0x47, 0x6c, 0x46, 0x65, 0x7e, 0xc0, 0x54, 0x4d, 0x51, 0x67, 0x70, 0x7c, 0xda, 0x1b, 0x98, 0xed, 0x5d, 0xd5, 0x57, 0x62, 0x60, 0xce, 0x93, 0xac, 0x7a, 0x88, 0x84, 0xba, 0x78, 0x5a, 0xae, 0x0e, 0xa7, 0xf4, 0x11, 0xd5, 0xcc, 0x01, 0x55, 0x97, 0x06, 0x41, 0x9c, 0x67, 0xf3, 0xcf, 0xa8, 0xf4, 0xb1, 0x93, 0xab, 0xfa, 0xe8, 0xa3, 0xd5, 0x99, 0x03, 0xd8, 0x0a, 0xaa, 0x18, 0xe7, 0x66, 0x0d, 0xd2, 0xfe, 0x88, 0x7f, 0x8b, 0x5a, 0x84, 0xfb, 0x07, 0x61, 0x4d, 0x2c, 0x16, 0x54, 0x74, 0xf0, 0xef, 0xbd, 0x83, 0xea, 0xf8, 0x38, 0x63, 0xac, 0x05, 0x89, 0xe2, 0x49, 0xe9, 0xb0, 0x5e, 0x1f, 0x97, 0xe3, 0x9b, 0x2c, 0xae, 0x9d, 0x99, 0xdb, 0xe3, 0xee, 0xae, 0x2d, 0x18, 0x5d, 0xed, 0xea, 0xb6, 0xd5, 0x53, 0x9a, 0x47, 0xae, 0xff, 0xb2, 0x74, 0xb6, 0xfe, 0x41, 0x1d, 0x79, 0xaf, 0x0e, 0x74, 0x4d, 0x69, 0xf9, 0x2c, 0x7d, 0xc2, 0x86, 0x78, 0x90, 0xab, 0x4e, 0xd1, 0x75, 0x39, 0x31, 0x98, 0x54, 0xb6, 0x7a, 0x1e, 0x4f, 0x56, 0xd5, 0xf1},
		{0xb8, 0xe8, 0x56, 0x32, 0x0b, 0xde, 0x4a, 0x1d, 0x70, 0xcf, 0xa6, 0xe5, 0x08, 0x00, 0x45, 0x20, 0x05, 0x8c, 0x3c, 0x59, 0x00, 0x00, 0xef, 0x06, 0xec, 0xc9, 0xa4, 0x43, 0xe4, 0x98, 0x0a, 0x01, 0x0a, 0x4c, 0x00, 0x50, 0xe1, 0xa1, 0xfe, 0xab, 0x00, 0x15, 0x4d, 0xa6, 0xae, 0x36, 0x80, 0x18, 0x1f, 0x68, 0xf6, 0x67, 0x00, 0x00, 0x01, 0x01, 0x08, 0x0a, 0xb3, 0xa1, 0x66, 0x25, 0x1b, 0x4f, 0x37, 0x6d, 0xbf, 0xb4, 0xb1, 0x6c, 0x7f, 0x98, 0xb6, 0xda, 0xd0, 0x38, 0x7f, 0x61, 0x8a, 0xf9, 0xc5, 0xaf, 0x0a, 0x9b, 0x56, 0x6a, 0x6d, 0xb6, 0x16, 0x63, 0x4e, 0xdd, 0xc3, 0x8a, 0xee, 0x57, 0xef, 0x23, 0x0b, 0x2a, 0xa8, 0xaa, 0x6a, 0x60, 0x19, 0x86, 0xf3, 0xe0, 0x04, 0x87, 0xcc, 0x19, 0x05, 0x53, 0x79, 0x6a, 0x58, 0x21, 0x5a, 0xa5, 0x6e, 0xd2, 0x16, 0x70, 0xd7, 0x68, 0x67, 0xdb, 0x9d, 0x11, 0x70, 0xc2, 0xd9, 0x5c, 0xdf, 0x78, 0xfd, 0x72, 0x4e, 0x41, 0x42, 0x99, 0x58, 0x74, 0x04, 0x59, 0x13, 0xa7, 0x35, 0x72, 0x29, 0x14, 0x9c, 0x89, 0x4f, 0xe1, 0x3f, 0x1c, 0x40, 0xc1, 0x4f, 0xc7, 0xf5, 0x69, 0xa4, 0xab, 0x16, 0xe4, 0xb1, 0xee, 0xf6, 0xc6, 0xf6, 0xdd, 0xde, 0xeb, 0x99, 0xe2, 0x12, 0x0d, 0xc3, 0xe1, 0x21, 0x1d, 0x33, 0x51, 0xe0, 0xea, 0x60, 0xdd, 0x83, 0x33, 0xcc, 0xc7, 0xcd, 0xaf, 0xc9, 0x58, 0x9f, 0xe4, 0x7e, 0x82, 0x09, 0x08, 0x4e, 0x40, 0x60, 0x02, 0xa2, 0x26, 0xf8, 0x85, 0x9c, 0x01, 0x53, 0x09, 0xc5, 0x22, 0x50, 0xb0, 0x40, 0x64, 0x12, 0xa7, 0x81, 0xd7, 0x54, 0x15, 0x21, 0x17, 0x06, 0x58, 0x93, 0x9c, 0x82, 0x79, 0x88, 0xc8, 0x59, 0x9c, 0xca, 0x6a, 0x45, 0xaa, 0xeb, 0x61, 0xb0, 0x52, 0x59, 0x16, 0x2a, 0x0f, 0x2e, 0x2e, 0x4b, 0x25, 0x57, 0x5a, 0xf7, 0x4d, 0x05, 0x32, 0xb8, 0xda, 0x44, 0x9d, 0x3b, 0x97, 0x87, 0x1c, 0x5e, 0x0c, 0x06, 0x17, 0x67, 0xaa, 0x1a, 0x61, 0xee, 0xa8, 0x61, 0x0c, 0xb2, 0x13, 0x36, 0x6c, 0x29, 0x1c, 0x32, 0x99, 0xf2, 0xa8, 0x5e, 0x1b, 0xe3, 0x9a, 0x66, 0x5b, 0x4c, 0x4d, 0xfa, 0x01, 0xf7, 0x98, 0xf0, 0xe3, 0x49, 0xad, 0x0c, 0x4c, 0x9e, 0x1b, 0x0b, 0xf3, 0xb2, 0x51, 0x9f, 0x79, 0x14, 0xb0, 0x3b, 0xf9, 0x56, 0x15, 0x8a, 0x19, 0xd5, 0xd7, 0x6f, 0xd5, 0x38, 0xfb, 0xe6, 0x85, 0x35, 0x62, 0xd2, 0x9b, 0x9a, 0x32, 0xb1, 0x9a, 0xf2, 0x49, 0x19, 0xe0, 0x51, 0x6b, 0xd3, 0xfd, 0x47, 0x18, 0xfc, 0xe3, 0x78, 0x19, 0xf7, 0x44, 0x12, 0x67, 0xb2, 0xf4, 0xb1, 0xb5, 0xe1, 0x7c, 0xa4, 0xb7, 0x10, 0xd0, 0xdf, 0x94, 0xd8, 0x77, 0x3a, 0x8d, 0x22, 0xa2, 0x9b, 0x89, 0x43, 0x2e, 0xc1, 0x0e, 0xab, 0x7b, 0x0c, 0x44, 0x3a, 0x78, 0x0e, 0xf6, 0x80, 0x08, 0x17, 0x03, 0x42, 0xe0, 0x99, 0x61, 0x93, 0x42, 0x2b, 0x29, 0xaf, 0xd1, 0x71, 0x69, 0xa2, 0x0f, 0xd4, 0x97, 0xa2, 0x0b, 0x06, 0x3f, 0x8e, 0xc6, 0xed, 0xf2, 0xd4, 0xfb, 0x2d, 0xdd, 0x28, 0x15, 0x5a, 0x55, 0x40, 0xcd, 0x81, 0xee, 0x88, 0x10, 0xb4, 0x02, 0x52, 0xf7, 0x7b, 0xd1, 0x2c, 0xd5, 0xba, 0xec, 0xb7, 0x12, 0x53, 0xf6, 0x56, 0x76, 0x0b, 0x0f, 0xa3, 0xaf, 0x97, 0x0e, 0x47, 0xbf, 0xfd, 0xfa, 0x70, 0xfa, 0x6e, 0x3a, 0xa7, 0xb9, 0xb8, 0xe1, 0x51, 0xb7, 0x5b, 0x22, 0xf0, 0xe1, 0xf5, 0xc9, 0xe9, 0x80, 0xbc, 0xbf, 0x00, 0xe1, 0xbc, 0xea, 0x75, 0xfe, 0x36, 0x38, 0xbe, 0xba, 0xb8, 0xfe, 0x70, 0xdc, 0x07, 0x5a, 0x63, 0x96, 0x2f, 0x55, 0xe2, 0x8c, 0x4d, 0x41, 0x00, 0x4d, 0x22, 0x05, 0x0b, 0x23, 0x0a, 0x0e, 0x4a, 0xe7, 0x08, 0x2c, 0x0a, 0x16, 0x91, 0x29, 0x5f, 0xfe, 0x34, 0x06, 0xd8, 0xf5, 0x68, 0x5a, 0x1f, 0xe6, 0x3c, 0xc8, 0x08, 0x44, 0x53, 0xe4, 0x10, 0x92, 0xb7, 0x1b, 0xbc, 0x97, 0x92, 0x8f, 0x7d, 0xf1, 0x48, 0x5e, 0x7c, 0xc7, 0x32, 0x9e, 0x8d, 0x41, 0x7c, 0xfd, 0xea, 0x1f, 0xe7, 0x0f, 0x67, 0xd0, 0x96, 0x73, 0x98, 0x07, 0x41, 0xd9, 0x78, 0x1d, 0x5f, 0x90, 0xcf, 0x17, 0xd7, 0xe4, 0xc3, 0xc5, 0xf9, 0x79, 0x87, 0x5c, 0x9e, 0x76, 0x3e, 0xff, 0x42, 0x74, 0xe5, 0x9a, 0x4a, 0x85, 0x45, 0x46, 0xba, 0x7e, 0x8a, 0xf5, 0x04, 0x89, 0x4f, 0x70, 0xf0, 0x2b, 0x41, 0xe4, 0x9e, 0x18, 0x49, 0xd1, 0xd0, 0x09, 0x82, 0xf5, 0x5b, 0x8a, 0x3a, 0x52, 0x06, 0x21, 0xd6, 0xff, 0xe0, 0xc7, 0x22, 0x1b, 0xe6, 0x22, 0x93, 0xe7, 0xd8, 0x4f, 0xe2, 0x97, 0x59, 0x9e, 0xe6, 0xc7, 0x27, 0x3f, 0x96, 0x46, 0x76, 0x1c, 0x47, 0x11, 0xc5, 0x3a, 0xfb, 0xe9, 0x2f, 0x8f, 0xe4, 0xd5, 0x7d, 0x2b, 0x7b, 0xf9, 0xa7, 0xad, 0xbd, 0x77, 0x8f, 0x5a, 0xdd, 0xf3, 0xe9, 0x99, 0x9b, 0xff, 0xb6, 0xd4, 0x0b, 0x15, 0x6c, 0xdc, 0x76, 0x2e, 0xf3, 0x61, 0xc0, 0xdd, 0xce, 0x68, 0x44, 0x79, 0x2a, 0x4a, 0xfc, 0x3c, 0xeb, 0x0c, 0xba, 0xc7, 0x27, 0xe7, 0x1f, 0xc8, 0x59, 0xef, 0x7c, 0x70, 0x71, 0xd5, 0x27, 0x9d, 0xf3, 0x23, 0xd0, 0xbb, 0xeb, 0x93, 0x73, 0x54, 0x38, 0x0c, 0x18, 0xcc, 0xed, 0x02, 0x49, 0x09, 0x2d, 0x9f, 0x7a, 0x7f, 0xb1, 0xcf, 0x22, 0x0e, 0xba, 0xf0, 0x9e, 0x41, 0x04, 0x34, 0x11, 0x66, 0x2f, 0xfd, 0xa9, 0x2a, 0xa7, 0x97, 0xa6, 0xd9, 0x74, 0x46, 0x33, 0xd7, 0x47, 0xb3, 0x85, 0x87, 0x69, 0x71, 0xaa, 0xb6, 0x66, 0xd5, 0x95, 0xb4, 0x47, 0xb2, 0xf2, 0xbb, 0x16, 0xb3, 0x94, 0x63, 0x45, 0xd4, 0x54, 0x2a, 0x0c, 0x2c, 0xdc, 0xa2, 0x46, 0x41, 0x16, 0xf6, 0x2d, 0xac, 0x65, 0xad, 0x7a, 0x4a, 0xfd, 0x42, 0x16, 0x6b, 0xcd, 0xf1, 0x9c, 0xa6, 0x7a, 0x54, 0x27, 0x9a, 0xd8, 0xd6, 0x30, 0x37, 0xad, 0xe8, 0xff, 0x9b, 0xf8, 0x49, 0x16, 0x3f, 0xa2, 0xf4, 0xd6, 0x23, 0xc1, 0xc6, 0xcf, 0x8d, 0xaa, 0x24, 0x17, 0xa9, 0x2a, 0x3d, 0x46, 0x2e, 0xbc, 0x67, 0x14, 0xf7, 0xff, 0x81, 0x47, 0x20, 0x7c, 0x98, 0x2a, 0x97, 0x42, 0x25, 0x44, 0x7d, 0xa4, 0xdf, 0x3b, 0x42, 0xbd, 0x07, 0x2e, 0xfb, 0x5b, 0xed, 0xfa, 0xa8, 0xfd, 0x16, 0x34, 0x96, 0x83, 0x1c, 0x7b, 0xcf, 0xb5, 0x9c, 0x18, 0x16, 0x69, 0x1e, 0xe6, 0x16, 0x26, 0xe0, 0x51, 0x15, 0x5a, 0x8b, 0xf5, 0xe5, 0xe3, 0x71, 0x7c, 0xf1, 0xfb, 0x8c, 0x29, 0xd0, 0x78, 0x89, 0xd6, 0x27, 0x26, 0x02, 0x36, 0x95, 0x69, 0xc5, 0x10, 0x44, 0x7b, 0x6d, 0xf5, 0xef, 0x39, 0x4b, 0x40, 0x9f, 0x56, 0x4f, 0x41, 0x73, 0xd6, 0x56, 0x3b, 0x91, 0x97, 0xb2, 0xc9, 0xea, 0xaf, 0x74, 0xca, 0x5d, 0x7f, 0x35, 0xf1, 0xe3, 0x2c, 0xfe, 0x12, 0x72, 0xaf, 0x44, 0x58, 0x49, 0xad, 0xc4, 0x9f, 0x82, 0x41, 0x43, 0x72, 0xd9, 0x9c, 0x52, 0xf6, 0x2d, 0xeb, 0x7a, 0x25, 0x7c, 0xc4, 0x42, 0x48, 0x6b, 0x03, 0xfc, 0xed, 0xe5, 0xf8, 0x77, 0x20, 0xca, 0x04, 0x33, 0xda, 0x05, 0x55, 0xd4, 0x85, 0xcd, 0xdb, 0x85, 0x0d, 0x69, 0xd7, 0x90, 0x00, 0xfe, 0x22, 0xa7, 0x29, 0x8c, 0x11, 0x24, 0x02, 0xf6, 0x05, 0x53, 0xd4, 0x6c, 0x3a, 0x14, 0x90, 0x57, 0x67, 0x8c, 0x7c, 0x63, 0x69, 0xdc, 0x84, 0x94, 0x23, 0x65, 0xaf, 0xf0, 0xc6, 0xec, 0xb4, 0x49, 0x50, 0x79, 0x89, 0xd1, 0x5e, 0x5b, 0x7e, 0x5e, 0x28, 0xf2, 0x63, 0x28, 0x7e, 0x7a, 0xf4, 0x29, 0xd9, 0x5a, 0x4c, 0xf1, 0x8f, 0x34, 0x80, 0x40, 0x8b, 0xad, 0xf6, 0x43, 0x9e, 0xf9, 0x35, 0x62, 0xea, 0x77, 0x44, 0xbe, 0x7b, 0x76, 0x52, 0x6a, 0xc4, 0xce, 0xd9, 0x04, 0x77, 0x74, 0x72, 0xa0, 0xcd, 0x45, 0x44, 0x8e, 0xec, 0x1d, 0x5f, 0x95, 0x51, 0xce, 0xa1, 0x6e, 0x05, 0xab, 0x35, 0x69, 0x20, 0xf1, 0xe2, 0x32, 0x97, 0xdb, 0xc8, 0xf1, 0x88, 0xf4, 0x27, 0x34, 0xcd, 0xfc, 0x10, 0x14, 0x04, 0xf8, 0xa3, 0xef, 0xf6, 0xba, 0x1c, 0xef, 0x2e, 0xe3, 0x1d, 0x8c, 0x29, 0xd0, 0x5f, 0x90, 0x8c, 0x51, 0x65, 0xa7, 0x41, 0x0d, 0xd5, 0xe6, 0xdd, 0xf3, 0x11, 0xfc, 0x03, 0xdf, 0xf8, 0x8d, 0x2d, 0x26, 0x78, 0x9f, 0x05, 0x23, 0xa0, 0xf7, 0x04, 0x90, 0x5f, 0x3d, 0x03, 0x41, 0x0e, 0x57, 0x0f, 0x21, 0x93, 0xe6, 0x37, 0x6b, 0xab, 0xc3, 0x69, 0xa5, 0xe1, 0xcb, 0x96, 0xb7, 0xf7, 0xfa, 0xcd, 0xde, 0xd6, 0xa6, 0xf3, 0x7a, 0x77, 0xe7, 0x8d, 0xb3, 0xbd, 0xb9, 0x3e, 0x72, 0xf6, 0x36, 0xd7, 0xb7, 0x9d, 0x8d, 0x37, 0x5b, 0x6f, 0x46, 0x2e, 0xdb, 0xa0, 0x8c, 0x6d, 0x3b, 0x49, 0x7a, 0x5b, 0x76, 0x90, 0x38, 0x9e, 0xa8, 0xf1, 0xd2, 0xf7, 0xe0, 0x11, 0x5c, 0x00, 0x2b, 0x7e, 0x76, 0xee, 0xe9, 0x55, 0x9a, 0x0b, 0x1f, 0xe4, 0x03, 0xcb, 0x60, 0x5e, 0xdc, 0x12, 0x05, 0xaa, 0xbe, 0xc7, 0xb8, 0xa2, 0xaf, 0xa7, 0x2e, 0xb6, 0xe8, 0x2a, 0x6c, 0x9c, 0x41, 0x15, 0x19, 0xd9, 0xc0, 0x68, 0xd3, 0x82, 0x81, 0x1f, 0x48, 0x6b, 0xbc, 0x22, 0x0d, 0x6e, 0x6d, 0x4a, 0xf4, 0xa1, 0x81, 0x32, 0x89, 0xe6, 0xf6, 0xc9, 0x72, 0x65, 0x29, 0x6e, 0x71, 0x94, 0xd7, 0xea, 0x52, 0x08, 0x87, 0x05, 0x0b, 0x74, 0x51, 0x70, 0xd9, 0x1f, 0xeb, 0xcb, 0x05, 0x28, 0x56, 0xb7, 0xc4, 0xe3, 0x02, 0xef, 0xed, 0x7b, 0x26, 0xdb, 0xff, 0x13, 0xa4, 0x27, 0xd0, 0xce, 0x61, 0xf0, 0x8c, 0xbd, 0x35, 0xfe, 0x77, 0x1e, 0xb0, 0x48, 0x56, 0x5b, 0x5b, 0x18, 0xe7, 0xf0, 0x73, 0xe1, 0xf8, 0xf2, 0xb6, 0x93, 0xa9, 0xc6, 0x57, 0x6b, 0x47, 0x99, 0x2d, 0xef, 0x5c, 0x94, 0x8b, 0xf2, 0x6d, 0x8f, 0xc2, 0xeb, 0xda, 0x1d, 0x35, 0x90, 0x7a, 0x67, 0xc4, 0xef, 0x1a, 0xd5, 0x3a, 0x7e, 0xe9, 0x99, 0x22, 0x36, 0x11, 0x9a, 0xe9, 0xe8, 0x0d, 0x40, 0x1f, 0x45, 0x1a, 0xc7, 0xa1, 0xf4, 0x02, 0xaa, 0x15, 0xe8, 0xf7, 0x87, 0xfd, 0x72, 0xd8, 0x47, 0x4a, 0xf7, 0x12, 0xb4, 0x64, 0x44, 0x7a, 0x58, 0xe1, 0xc2, 0x53, 0x26, 0x6f, 0xe1, 0x09, 0x7c, 0xe5, 0x78, 0x11, 0x75, 0x42, 0x9a, 0xa0, 0x2d, 0x87, 0xd4, 0x3e, 0x0e, 0x1c, 0x9f, 0x05, 0x89, 0x70, 0x6c, 0x4e, 0x27, 0x1c, 0xe5, 0xf5, 0x1c, 0xb9, 0x59, 0x2b, 0x32, 0x55, 0x28, 0x3c, 0x71, 0xc6, 0x90, 0x68, 0x08, 0x07, 0xcf, 0x1e, 0x52, 0x36, 0xce, 0xf1, 0xc2, 0xb6, 0xd7, 0x68},
		{0x4a, 0x1d, 0x70, 0xcf, 0xa6, 0xe5, 0xb8, 0xe8, 0x56, 0x32, 0x0b, 0xde, 0x08, 0x00, 0x45, 0x00, 0x00, 0x34, 0x38, 0x2d, 0x40, 0x00, 0x40, 0x06, 0x65, 0x6e, 0x0a, 0x01, 0x0a, 0x4c, 0xa4, 0x43, 0xe4, 0x98, 0xe1, 0xa1, 0x00, 0x50, 0x4d, 0xa6, 0xae, 0x36, 0xfe, 0xaa, 0xf5, 0x65, 0x80, 0x10, 0x0f, 0xdd, 0x8b, 0x18, 0x00, 0x00, 0x01, 0x01, 0x08, 0x0a, 0x1b, 0x4f, 0x37, 0xa9, 0xb3, 0xa1, 0x66, 0x25},
		{0x4a, 0x1d, 0x70, 0xcf, 0xa6, 0xe5, 0xb8, 0xe8, 0x56, 0x32, 0x0b, 0xde, 0x08, 0x00, 0x45, 0x00, 0x00, 0x34, 0x18, 0x50, 0x40, 0x00, 0x40, 0x06, 0x85, 0x4b, 0x0a, 0x01, 0x0a, 0x4c, 0xa4, 0x43, 0xe4, 0x98, 0xe1, 0xa1, 0x00, 0x50, 0x4d, 0xa6, 0xae, 0x36, 0xfe, 0xaa, 0xfa, 0xbd, 0x80, 0x10, 0x0f, 0xd5, 0x85, 0xc8, 0x00, 0x00, 0x01, 0x01, 0x08, 0x0a, 0x1b, 0x4f, 0x37, 0xa9, 0xb3, 0xa1, 0x66, 0x25},
		{0x4a, 0x1d, 0x70, 0xcf, 0xa6, 0xe5, 0xb8, 0xe8, 0x56, 0x32, 0x0b, 0xde, 0x08, 0x00, 0x45, 0x00, 0x00, 0x34, 0xf1, 0x50, 0x40, 0x00, 0x40, 0x06, 0xac, 0x4a, 0x0a, 0x01, 0x0a, 0x4c, 0xa4, 0x43, 0xe4, 0x98, 0xe1, 0xa1, 0x00, 0x50, 0x4d, 0xa6, 0xae, 0x36, 0xfe, 0xab, 0x00, 0x15, 0x80, 0x10, 0x0f, 0xaa, 0x80, 0x9b, 0x00, 0x00, 0x01, 0x01, 0x08, 0x0a, 0x1b, 0x4f, 0x37, 0xa9, 0xb3, 0xa1, 0x66, 0x25},
		{0x4a, 0x1d, 0x70, 0xcf, 0xa6, 0xe5, 0xb8, 0xe8, 0x56, 0x32, 0x0b, 0xde, 0x08, 0x00, 0x45, 0x00, 0x00, 0x34, 0x9f, 0x83, 0x40, 0x00, 0x40, 0x06, 0xfe, 0x17, 0x0a, 0x01, 0x0a, 0x4c, 0xa4, 0x43, 0xe4, 0x98, 0xe1, 0xa1, 0x00, 0x50, 0x4d, 0xa6, 0xae, 0x36, 0xfe, 0xab, 0x05, 0x6d, 0x80, 0x10, 0x0f, 0x7f, 0x7b, 0x6e, 0x00, 0x00, 0x01, 0x01, 0x08, 0x0a, 0x1b, 0x4f, 0x37, 0xa9, 0xb3, 0xa1, 0x66, 0x25},
		{0x4a, 0x1d, 0x70, 0xcf, 0xa6, 0xe5, 0xb8, 0xe8, 0x56, 0x32, 0x0b, 0xde, 0x08, 0x00, 0x45, 0x00, 0x00, 0x34, 0x9e, 0x4e, 0x40, 0x00, 0x40, 0x06, 0xff, 0x4c, 0x0a, 0x01, 0x0a, 0x4c, 0xa4, 0x43, 0xe4, 0x98, 0xe1, 0xa1, 0x00, 0x50, 0x4d, 0xa6, 0xae, 0x36, 0xfe, 0xab, 0x05, 0x6d, 0x80, 0x10, 0x10, 0x00, 0x7a, 0xec, 0x00, 0x00, 0x01, 0x01, 0x08, 0x0a, 0x1b, 0x4f, 0x37, 0xaa, 0xb3, 0xa1, 0x66, 0x25},
		{0xb8, 0xe8, 0x56, 0x32, 0x0b, 0xde, 0x4a, 0x1d, 0x70, 0xcf, 0xa6, 0xe5, 0x08, 0x00, 0x45, 0x20, 0x05, 0x8c, 0x3c, 0x5a, 0x00, 0x00, 0xef, 0x06, 0xec, 0xc8, 0xa4, 0x43, 0xe4, 0x98, 0x0a, 0x01, 0x0a, 0x4c, 0x00, 0x50, 0xe1, 0xa1, 0xfe, 0xab, 0x05, 0x6d, 0x4d, 0xa6, 0xae, 0x36, 0x80, 0x18, 0x1f, 0x68, 0xde, 0x6c, 0x00, 0x00, 0x01, 0x01, 0x08, 0x0a, 0xb3, 0xa1, 0x66, 0x2b, 0x1b, 0x4f, 0x37, 0xa9, 0x1f, 0x41, 0x30, 0xaf, 0x81, 0x11, 0x04, 0x46, 0x24, 0xb0, 0x22, 0x41, 0x14, 0xc6, 0x85, 0x16, 0xc0, 0x08, 0xc6, 0x2b, 0x12, 0x18, 0xc1, 0xa3, 0x0a, 0x0b, 0x8c, 0x94, 0xa2, 0x3f, 0xb9, 0x9d, 0x68, 0x76, 0x10, 0x1f, 0xb7, 0x56, 0xed, 0x4f, 0x55, 0xf1, 0x44, 0x88, 0x89, 0x92, 0x3e, 0x5d, 0x83, 0x34, 0xc9, 0x09, 0x64, 0xe4, 0x86, 0x4c, 0xd1, 0x69, 0x92, 0xde, 0xda, 0x75, 0xf0, 0x0a, 0xac, 0xd0, 0x51, 0xbb, 0xca, 0xae, 0x10, 0xd3, 0xfb, 0x73, 0x2b, 0x79, 0x6f, 0x56, 0x3c, 0x0f, 0xd6, 0x96, 0x43, 0x29, 0x1e, 0xd9, 0x78, 0xa6, 0x80, 0x1c, 0xad, 0xab, 0x23, 0xf2, 0x31, 0x88, 0x8c, 0xdc, 0x22, 0xdc, 0x71, 0x42, 0xf0, 0x5f, 0x18, 0x18, 0x8e, 0xf9, 0x28, 0x33, 0x87, 0x20, 0x4e, 0xe9, 0xa3, 0x08, 0x8d, 0xf6, 0x95, 0x84, 0x20, 0xf1, 0xb7, 0xf6, 0x19, 0x21, 0x10, 0x84, 0x40, 0xfe, 0xbc, 0x43, 0x34, 0x08, 0x82, 0x20, 0xcc, 0x91, 0x09, 0x84, 0x93, 0x16, 0xc4, 0x33, 0xaf, 0x48, 0xf0, 0xd4, 0xf9, 0xea, 0x8c, 0x52, 0x2a, 0xbf, 0xbd, 0x91, 0xc5, 0x9e, 0x07, 0x4e, 0x01, 0x02, 0xbd, 0x48, 0xc8, 0x98, 0xd1, 0x89, 0x62, 0x88, 0x2f, 0xf0, 0x82, 0xd5, 0x37, 0x86, 0x07, 0xf5, 0xae, 0xcf, 0x30, 0xbc, 0x42, 0xc3, 0xae, 0x4f, 0xb1, 0x20, 0xb8, 0xc6, 0x8f, 0x05, 0xf0, 0x0c, 0xd4, 0xfc, 0xd7, 0x26, 0x58, 0x34, 0x84, 0x84, 0x7a, 0x2a, 0x21, 0x11, 0x84, 0x44, 0xce, 0x11, 0x08, 0xc4, 0xde, 0x00, 0x84, 0x00, 0xaf, 0x2c, 0x90, 0x67, 0x5e, 0x0b, 0x04, 0x82, 0x58, 0xf5, 0xed, 0x60, 0xbc, 0x8a, 0xd1, 0x2a, 0xfc, 0x74, 0x84, 0x13, 0x63, 0x0c, 0x0a, 0x5a, 0x13, 0xb1, 0x11, 0x07, 0xa3, 0xfd, 0x49, 0x75, 0x22, 0xb8, 0x21, 0x8d, 0xb1, 0x25, 0xfc, 0xfc, 0x9f, 0xff, 0xfa, 0x6f, 0x41, 0x64, 0x37, 0xa2, 0xbb, 0x3d, 0x33, 0x62, 0x34, 0x72, 0xa8, 0xe7, 0xe3, 0xe9, 0x39, 0x1d, 0x47, 0xb1, 0xe0, 0xc2, 0x49, 0x72, 0xd0, 0xe4, 0x31, 0x4f, 0x03, 0x81, 0x98, 0x86, 0xf8, 0xa1, 0x06, 0x1f, 0x72, 0x3a, 0x40, 0x14, 0x52, 0xd1, 0x1b, 0x79, 0xb2, 0xa3, 0xf0, 0xc6, 0xfc, 0x88, 0x06, 0xfa, 0x6c, 0x11, 0xcf, 0x15, 0xc1, 0xc4, 0xca, 0x52, 0xa7, 0xa3, 0xe3, 0x23, 0x62, 0xe1, 0x11, 0x84, 0x47, 0x24, 0x3c, 0x5c, 0x94, 0x02, 0x45, 0xd4, 0x58, 0xa2, 0xc6, 0x12, 0x04, 0xfc, 0xcc, 0xeb, 0x92, 0xe2, 0x1d, 0xe4, 0x68, 0xaa, 0xb0, 0x12, 0x31, 0xc1, 0x8f, 0x7a, 0x98, 0x72, 0x2c, 0x47, 0xd7, 0x99, 0x08, 0x07, 0x5a, 0xbd, 0x90, 0x02, 0x2f, 0xf0, 0x42, 0x39, 0x9e, 0x17, 0xe6, 0xe9, 0x98, 0xa1, 0x04, 0xa9, 0x6b, 0x7a, 0x39, 0x1a, 0x27, 0x3b, 0x9c, 0xe8, 0xe1, 0xc4, 0x0c, 0x27, 0x66, 0x38, 0x51, 0xc3, 0x89, 0x1e, 0x3e, 0x77, 0x29, 0xf6, 0x90, 0x63, 0xf9, 0x22, 0x1a, 0x85, 0xdf, 0x81, 0xd8, 0x07, 0xcb, 0x3c, 0xa5, 0xd5, 0x28, 0xac, 0xba, 0x02, 0x5f, 0x78, 0xca, 0xaa, 0x33, 0x60, 0xb7, 0xea, 0xa4, 0xd8, 0xba, 0x83, 0x63, 0x3c, 0x28, 0x8c, 0xd4, 0xa5, 0x83, 0x8a, 0x43, 0x58, 0xd1, 0x18, 0x2e, 0xde, 0x00, 0xf0, 0xed, 0xd0, 0x02, 0x3d, 0x48, 0xda, 0x5a, 0x72, 0x8e, 0xd6, 0xe6, 0xfa, 0xce, 0xeb, 0xf5, 0x37, 0x33, 0x71, 0x52, 0x31, 0xa8, 0xb5, 0xb9, 0xf5, 0xe6, 0x0d, 0x78, 0x08, 0xac, 0x4d, 0x65, 0x69, 0x29, 0xc8, 0xe9, 0x79, 0x78, 0x73, 0x84, 0x9c, 0x35, 0xc9, 0x11, 0x23, 0x57, 0xa0, 0x83, 0xe0, 0xf4, 0xc4, 0x1a, 0x39, 0x3b, 0xb2, 0x17, 0xb5, 0x37, 0x37, 0x5e, 0xe3, 0x25, 0xec, 0x72, 0x66, 0xff, 0x5d, 0xb8, 0x0d, 0x2e, 0x8e, 0x3a, 0x9f, 0xdf, 0x92, 0x85, 0x13, 0x16, 0x13, 0x68, 0x4e, 0x3d, 0x9d, 0x28, 0xbb, 0x1b, 0x3b, 0x7b, 0xf7, 0x13, 0x65, 0x77, 0x2e, 0x51, 0xba, 0xc0, 0x6e, 0x40, 0x0c, 0x23, 0x27, 0xc9, 0xf7, 0xe7, 0x23, 0x85, 0xc2, 0x68, 0x63, 0xbd, 0xb5, 0xb1, 0x43, 0x48, 0x6d, 0x9a, 0x7f, 0x07, 0x01, 0xf6, 0xd6, 0x37, 0x96, 0x10, 0x60, 0x77, 0x1e, 0x01, 0x2e, 0x4d, 0x0e, 0x80, 0x55, 0xbc, 0x47, 0x6c, 0x08, 0xde, 0xfd, 0x39, 0x89, 0x20, 0xb1, 0x42, 0x22, 0xec, 0x11, 0x32, 0x67, 0xaa, 0x19, 0x42, 0x48, 0x9d, 0xfd, 0xc3, 0x43, 0xa7, 0x5a, 0xa0, 0xb5, 0x65, 0xe5, 0xbb, 0x5f, 0x6f, 0xf1, 0x8b, 0x4d, 0x60, 0x4f, 0xe5, 0x87, 0x62, 0x2c, 0x30, 0x16, 0x79, 0x25, 0x4d, 0x86, 0x50, 0x22, 0x62, 0x2e, 0xba, 0xae, 0xcc, 0xd7, 0x49, 0x4f, 0x59, 0xa1, 0x75, 0x04, 0x5d, 0x3e, 0x5c, 0x2c, 0x6d, 0xcc, 0x8c, 0xa8, 0xcb, 0x86, 0x71, 0x7c, 0x23, 0xbf, 0x51, 0x80, 0x68, 0x0f, 0xe5, 0xa6, 0x56, 0x2d, 0x70, 0x36, 0xbd, 0xe4, 0xed, 0x08, 0xf9, 0x24, 0xbf, 0xfd, 0xa3, 0xc3, 0x5a, 0xd3, 0x56, 0xbd, 0x66, 0x3d, 0x77, 0x4a, 0xfd, 0xdd, 0x21, 0x3b, 0x5b, 0x6d, 0x1e, 0xfd, 0x1a, 0x14, 0x54, 0x3d, 0x94, 0x67, 0xd1, 0x4d, 0x0f, 0x98, 0x04, 0x37, 0x80, 0xf2, 0x21, 0xb3, 0x5c, 0xa8, 0x4d, 0xa2, 0x5f, 0x37, 0xda, 0x9f, 0xd5, 0x43, 0x79, 0x12, 0x68, 0x1a, 0x40, 0xd3, 0x03, 0x26, 0x41, 0xe2, 0xe1, 0xe9, 0x3d, 0x45, 0xeb, 0xbf, 0x68, 0x3d, 0xb6, 0x03, 0xd6, 0xd1, 0xeb, 0xc7, 0xf2, 0x74, 0xb6, 0x71, 0xd9, 0x84, 0x42, 0xcf, 0x28, 0x22, 0x9a, 0xb8, 0x3e, 0xcd, 0xd4, 0xd7, 0x76, 0x3c, 0x4f, 0x4e, 0x1a, 0x8f, 0x46, 0x1c, 0xa5, 0xa4, 0x36, 0xb9, 0xe9, 0x0b, 0xc9, 0x9c, 0x7e, 0x2a, 0x4f, 0x6d, 0xda, 0xaa, 0x33, 0x5b, 0x8f, 0x54, 0x24, 0x29, 0x95, 0x6c, 0x45, 0xee, 0x13, 0x2e, 0xc8, 0x58, 0x66, 0x36, 0x14, 0x8b, 0xbd, 0xc3, 0x9f, 0xbe, 0x2b, 0xa8, 0xae, 0xc9, 0x3b, 0xb8, 0xf7, 0x2e, 0x4b, 0x03, 0x87, 0x31, 0xc4, 0xbf, 0x58, 0xc5, 0x99, 0xf2, 0xb0, 0xd8, 0x16, 0x84, 0x2c, 0xfc, 0x0e, 0xbc, 0xb6, 0xb6, 0x52, 0x72, 0xe7, 0xb4, 0xf8, 0x86, 0x92, 0x41, 0xca, 0xd1, 0xb0, 0xf6, 0xf0, 0x6a, 0xed, 0x03, 0x76, 0x09, 0x47, 0x14, 0xc2, 0xd2, 0x62, 0x4c, 0xe9, 0xda, 0xff, 0xa5, 0xc2, 0x86, 0x48, 0x6c, 0x64, 0x9a, 0x0c, 0xd8, 0xac, 0x91, 0x89, 0xcf, 0x03, 0xcc, 0x64, 0x70, 0x4f, 0x15, 0x5f, 0x4f, 0x18, 0x2c, 0x5d, 0x5d, 0x01, 0x66, 0x33, 0xfb, 0x86, 0xc4, 0x99, 0x73, 0x1c, 0xfb, 0x62, 0xf6, 0xe0, 0xbb, 0x7a, 0x60, 0x5a, 0xd9, 0x3b, 0x8c, 0x63, 0xcc, 0x59, 0x92, 0x5c, 0xf8, 0xc5, 0x07, 0x47, 0x34, 0x33, 0xc9, 0x9c, 0x53, 0x5a, 0xd2, 0x3b, 0x3f, 0x92, 0x9f, 0xf4, 0x9b, 0xd3, 0x03, 0x8f, 0x7e, 0xd5, 0x6b, 0xf5, 0x4d, 0x93, 0x1a, 0x12, 0xd5, 0x0f, 0x98, 0xa8, 0x76, 0x65, 0xe0, 0xd4, 0x97, 0xb0, 0xaa, 0x87, 0xb9, 0x15, 0xd3, 0xa7, 0xcf, 0xfa, 0x1f, 0x61, 0xc1, 0xcc, 0x6d, 0x69, 0x75, 0x76, 0x12, 0x11, 0x63, 0xa5, 0x1a, 0xb3, 0x46, 0xad, 0xde, 0xc5, 0xde, 0xb6, 0x5f, 0x6a, 0xbe, 0xea, 0x93, 0x68, 0x23, 0xd5, 0x98, 0x31, 0x68, 0xb5, 0x0e, 0x0b, 0x67, 0x98, 0xb1, 0x5d, 0xf5, 0x19, 0xb4, 0x85, 0x6a, 0xcc, 0x58, 0xb3, 0x5a, 0x87, 0x85, 0x33, 0x2c, 0x30, 0x5c, 0xf5, 0x79, 0xac, 0x69, 0x6a, 0xcc, 0x31, 0x66, 0x33, 0x9d, 0xe6, 0xcf, 0xf6, 0x30, 0xab, 0x55, 0x9f, 0xd9, 0x58, 0xa6, 0xc6, 0xac, 0x21, 0xab, 0x77, 0x91, 0xd3, 0x1a, 0x99, 0x55, 0x3b, 0xe5, 0x52, 0x9a, 0xab, 0x82, 0xa4, 0x24, 0xbc, 0xe0, 0xbb, 0xfa, 0x59, 0xfb, 0x2a, 0x86, 0x56, 0x83, 0xe2, 0xab, 0x18, 0xa5, 0x3b, 0xe9, 0x95, 0x81, 0xb6, 0xc6, 0xce, 0x5e, 0x6e, 0xaf, 0x7e, 0xcc, 0xc2, 0x6c, 0xa3, 0xcb, 0x74, 0x08, 0xab, 0xf6, 0x44, 0xa5, 0x40, 0xa8, 0xdc, 0xa7, 0x80, 0x54, 0xa9, 0x7e, 0x29, 0xf5, 0x48, 0xe3, 0x89, 0x33, 0x0a, 0x72, 0xee, 0xcd, 0x14, 0x19, 0x95, 0x7b, 0xa1, 0x41, 0x77, 0x36, 0xe7, 0xd5, 0x21, 0x51, 0xd3, 0x45, 0xa5, 0x3e, 0xf8, 0x05, 0x8f, 0xe2, 0xf3, 0x1d, 0x33, 0xdd, 0x61, 0x00, 0x9f, 0x19, 0xe0, 0x4c, 0x7c, 0x59, 0x30, 0xb8, 0xdf, 0x9a, 0x57, 0x7e, 0x54, 0xff, 0x2e, 0x85, 0x2d, 0xcd, 0xa9, 0x7f, 0x95, 0x62, 0x16, 0x5f, 0xa2, 0xe9, 0xb9, 0xa0, 0x84, 0x8a, 0x85, 0x76, 0x97, 0x4b, 0x96, 0xa9, 0x39, 0xfa, 0xc3, 0x27, 0xe0, 0x34, 0x31, 0xd1, 0xd2, 0x85, 0x9e, 0x2c, 0x9c, 0x33, 0xb4, 0x38, 0xcc, 0x28, 0xa6, 0x98, 0xc3, 0x0a, 0xdb, 0x7f, 0x5e, 0x61, 0x95, 0x26, 0xdf, 0xdc, 0x5b, 0xce, 0xe5, 0x6d, 0x55, 0x5d, 0x98, 0x39, 0x77, 0x3c, 0x7e, 0xdc, 0x0e, 0x7d, 0xad, 0xbd, 0x14, 0xad, 0xbe, 0xed, 0x32, 0xb7, 0xe3, 0x2c, 0x21, 0x55, 0xf3, 0x7c, 0xdc, 0x96, 0xa3, 0x5c, 0xd2, 0x76, 0x8f, 0xa7, 0x10, 0x1f, 0xc6, 0xe9, 0x74, 0x4e, 0x5c, 0xfa, 0xd0, 0x25, 0x1c, 0x19, 0x18, 0xdf, 0xbd, 0x08, 0x95, 0xae, 0x3f, 0x80, 0xd6, 0xb2, 0x88, 0xc7, 0xcd, 0x1e, 0x4f, 0x65, 0x35, 0xee, 0xdf, 0x8e, 0x60, 0x89, 0xb2, 0x58, 0x5f, 0x8b, 0x65, 0x90, 0x69, 0x41, 0xd9, 0x2e, 0x0d, 0x20, 0x3c, 0xa7, 0xa9, 0x68, 0x99, 0xb2, 0xc8, 0x47, 0x2f, 0xc4, 0x5e, 0x0b, 0x33, 0xb0, 0x7e, 0xa8, 0xe0, 0xb4, 0x42, 0x9a, 0x08, 0x47, 0xc9, 0x8c, 0xbc, 0x4e, 0x90, 0x50, 0xb9, 0x03, 0xf5, 0x78, 0x99, 0x39, 0x03, 0x40, 0x6b, 0xe4, 0xc8, 0x42, 0xfa, 0xe1, 0xf2, 0x8f, 0xfe, 0x47, 0x7e, 0xd5, 0x53, 0xed, 0xd7, 0x40, 0xd0, 0x2a, 0xad, 0x46, 0xc1, 0x2c, 0x7d, 0x83, 0x41, 0xaf, 0xf0, 0xd1, 0x0b, 0xbc, 0x54, 0xe3, 0x74, 0xed, 0xcc, 0xa0, 0x32, 0xc9, 0x13, 0xc5, 0xf0, 0x51, 0xd2, 0x68, 0xfc, 0xac, 0xfd, 0x0a, 0xea, 0x13, 0x14, 0xbd, 0x67, 0x60, 0x3c, 0x1b, 0xb7, 0xaa, 0xd5, 0x9c, 0xa6, 0x6d},
		{0xb8, 0xe8, 0x56, 0x32, 0x0b, 0xde, 0x4a, 0x1d, 0x70, 0xcf, 0xa6, 0xe5, 0x08, 0x00, 0x45, 0x20, 0x01, 0xb7, 0x3c, 0x5b, 0x00, 0x00, 0xef, 0x06, 0xf0, 0x9c, 0xa4, 0x43, 0xe4, 0x98, 0x0a, 0x01, 0x0a, 0x4c, 0x00, 0x50, 0xe1, 0xa1, 0xfe, 0xab, 0x0a, 0xc5, 0x4d, 0xa6, 0xae, 0x36, 0x80, 0x18, 0x1f, 0x68, 0x13, 0x1f, 0x00, 0x00, 0x01, 0x01, 0x08, 0x0a, 0xb3, 0xa1, 0x66, 0x2b, 0x1b, 0x4f, 0x37, 0xa9, 0xce, 0xd7, 0x61, 0xe6, 0xf9, 0x88, 0x31, 0x83, 0x90, 0x3a, 0xba, 0x8d, 0x83, 0x5b, 0x36, 0xeb, 0x03, 0xef, 0xf3, 0x12, 0x5d, 0xc9, 0x5a, 0xfb, 0x85, 0x94, 0x25, 0x7e, 0xa2, 0x3c, 0xcd, 0x93, 0x3c, 0x85, 0x61, 0x87, 0xfa, 0x4c, 0xf1, 0x53, 0xf8, 0xa0, 0xbf, 0x73, 0x5c, 0x1c, 0x9c, 0x9a, 0x72, 0x70, 0xfd, 0xb1, 0xe3, 0x9f, 0xe5, 0x4d, 0x44, 0x2e, 0x30, 0x93, 0x78, 0xc2, 0xd2, 0xfa, 0x0a, 0x82, 0xbe, 0xa9, 0xfd, 0xb3, 0xd6, 0x91, 0xa5, 0x39, 0x93, 0xa9, 0xc2, 0x13, 0x56, 0x32, 0x00, 0x18, 0xaa, 0x0c, 0x88, 0xf4, 0x41, 0xed, 0x99, 0xba, 0x6a, 0xff, 0xe3, 0xd7, 0x03, 0x82, 0x9b, 0x43, 0xdc, 0xca, 0xd2, 0x27, 0xac, 0xe5, 0xa3, 0x81, 0xc1, 0x45, 0xf8, 0x7f, 0x43, 0xf7, 0x41, 0x4a, 0xa6, 0xf8, 0xd1, 0x1d, 0x88, 0xf6, 0x1e, 0xa9, 0xfc, 0x3d, 0xdc, 0xdd, 0x23, 0x1f, 0x59, 0xf4, 0x10, 0xdd, 0xaf, 0x4c, 0xf3, 0x64, 0xe5, 0x07, 0x6e, 0xa8, 0x73, 0xc1, 0xe2, 0x58, 0x50, 0x9d, 0x0a, 0x96, 0x52, 0xba, 0x47, 0x72, 0x66, 0x49, 0x39, 0xe6, 0x8f, 0xf5, 0xa7, 0xd2, 0xcf, 0xc8, 0xc3, 0x84, 0xa7, 0x18, 0x37, 0xc9, 0x9f, 0xcb, 0x80, 0x46, 0xea, 0x22, 0xe6, 0x8f, 0x89, 0xd8, 0x10, 0x5f, 0x8d, 0x3a, 0x26, 0xa2, 0x78, 0x67, 0xd9, 0xdc, 0x13, 0x95, 0xd5, 0x13, 0x90, 0xc8, 0x26, 0xfe, 0xf4, 0xf1, 0xab, 0x91, 0x97, 0x9a, 0x2f, 0xd3, 0xd8, 0xcb, 0xdd, 0x27, 0x79, 0xfe, 0xd9, 0xd6, 0x85, 0xca, 0x73, 0x6f, 0x53, 0xad, 0xa1, 0xae, 0x6f, 0x65, 0x4d, 0x0b, 0xd8, 0x18, 0xf7, 0x0d, 0x1f, 0x97, 0x9f, 0x96, 0x37, 0x19, 0xdd, 0x38, 0x99, 0xa6, 0x58, 0xdd, 0xd9, 0x68, 0xbf, 0xc4, 0xe7, 0x77, 0xb8, 0x47, 0x47, 0xae, 0xd8, 0x58, 0x96, 0x70, 0xe8, 0xcb, 0xec, 0x73, 0xf7, 0xfe, 0xec, 0x57, 0xff, 0xe3, 0x91, 0x6b, 0xbf, 0xf9, 0xaf, 0xb6, 0x6b, 0x17, 0xfd, 0x3f, 0x02, 0xa8, 0xbd, 0xca, 0x59, 0xea, 0x16, 0x69, 0x2e, 0x68, 0x45, 0x28, 0x6c, 0x8a, 0x2b, 0x7f, 0xe1, 0x35, 0xf5, 0x1c, 0xef, 0x1d, 0x0d, 0xf0, 0x17, 0x02, 0xbc, 0x16, 0xac, 0xc6, 0x87, 0x7b, 0x29, 0xb6, 0x32, 0xd3, 0xc7, 0xec, 0x6b, 0xd5, 0xb6, 0xb7, 0x4a, 0x7b, 0x0f, 0xaa, 0xb1, 0x2f, 0x3f, 0xf1, 0x2b, 0x48, 0xf9, 0x5b, 0xd7, 0xf6, 0x53, 0xe5, 0xea, 0xc3, 0x94, 0x5e, 0xed, 0x23, 0xe7, 0x33, 0xdd, 0x92, 0x20, 0x1f, 0xf3, 0xa8, 0xfe, 0x2d, 0xf4, 0x99, 0x6e, 0xe3, 0x20, 0x1e, 0xd2, 0x60, 0x59, 0xaf, 0xd2, 0x17, 0xeb, 0x97, 0xf4, 0x54, 0x57, 0xc0, 0x6a, 0xbd, 0x56, 0xf4, 0x57, 0xc0, 0xe1, 0xaf, 0xfa, 0x3f, 0x1b, 0xf9, 0x5f, 0xa8, 0xe7, 0x2a, 0x0d, 0x7d, 0x64, 0x00, 0x00},
		{0x4a, 0x1d, 0x70, 0xcf, 0xa6, 0xe5, 0xb8, 0xe8, 0x56, 0x32, 0x0b, 0xde, 0x08, 0x00, 0x45, 0x00, 0x00, 0x34, 0x35, 0xdd, 0x40, 0x00, 0x40, 0x06, 0x67, 0xbe, 0x0a, 0x01, 0x0a, 0x4c, 0xa4, 0x43, 0xe4, 0x98, 0xe1, 0xa1, 0x00, 0x50, 0x4d, 0xa6, 0xae, 0x36, 0xfe, 0xab, 0x0a, 0xc5, 0x80, 0x10, 0x0f, 0xd5, 0x75, 0xa7, 0x00, 0x00, 0x01, 0x01, 0x08, 0x0a, 0x1b, 0x4f, 0x37, 0xbc, 0xb3, 0xa1, 0x66, 0x2b},
		{0x4a, 0x1d, 0x70, 0xcf, 0xa6, 0xe5, 0xb8, 0xe8, 0x56, 0x32, 0x0b, 0xde, 0x08, 0x00, 0x45, 0x00, 0x00, 0x34, 0xea, 0x8c, 0x40, 0x00, 0x40, 0x06, 0xb3, 0x0e, 0x0a, 0x01, 0x0a, 0x4c, 0xa4, 0x43, 0xe4, 0x98, 0xe1, 0xa1, 0x00, 0x50, 0x4d, 0xa6, 0xae, 0x36, 0xfe, 0xab, 0x0c, 0x48, 0x80, 0x10, 0x0f, 0xf3, 0x74, 0x06, 0x00, 0x00, 0x01, 0x01, 0x08, 0x0a, 0x1b, 0x4f, 0x37, 0xbc, 0xb3, 0xa1, 0x66, 0x2b},
		{0xb8, 0xe8, 0x56, 0x32, 0x0b, 0xde, 0x4a, 0x1d, 0x70, 0xcf, 0xa6, 0xe5, 0x08, 0x00, 0x45, 0x20, 0x00, 0x34, 0x38, 0x2d, 0x40, 0x00, 0xef, 0x06, 0xb6, 0x4d, 0xa4, 0x43, 0xe4, 0x98, 0x0a, 0x01, 0x0a, 0x4c, 0x00, 0x50, 0xe1, 0xa1, 0xfe, 0xab, 0x0c, 0x48, 0x4d, 0xa6, 0xae, 0x36, 0x80, 0x18, 0x1f, 0x68, 0x64, 0x9b, 0x00, 0x00, 0x01, 0x01, 0x08, 0x0a, 0xb3, 0xa1, 0x66, 0x2b, 0x1b, 0x4f, 0x37, 0xaa},
		{0xb8, 0xe8, 0x56, 0x32, 0x0b, 0xde, 0x4a, 0x1d, 0x70, 0xcf, 0xa6, 0xe5, 0x08, 0x00, 0x45, 0x20, 0x00, 0x34, 0x18, 0x50, 0x40, 0x00, 0xef, 0x06, 0xd6, 0x2a, 0xa4, 0x43, 0xe4, 0x98, 0x0a, 0x01, 0x0a, 0x4c, 0x00, 0x50, 0xe1, 0xa1, 0xfe, 0xab, 0x0c, 0x48, 0x4d, 0xa6, 0xae, 0x36, 0x80, 0x18, 0x1f, 0x68, 0x64, 0x9b, 0x00, 0x00, 0x01, 0x01, 0x08, 0x0a, 0xb3, 0xa1, 0x66, 0x2b, 0x1b, 0x4f, 0x37, 0xaa},
		{0xb8, 0xe8, 0x56, 0x32, 0x0b, 0xde, 0x4a, 0x1d, 0x70, 0xcf, 0xa6, 0xe5, 0x08, 0x00, 0x45, 0x20, 0x00, 0x28, 0x1b, 0xf7, 0x40, 0x00, 0x30, 0x06, 0x91, 0x90, 0xa4, 0x43, 0xe4, 0x98, 0x0a, 0x01, 0x0a, 0x4c, 0x00, 0x50, 0xe1, 0xa1, 0xfe, 0xab, 0x0c, 0x48, 0x4d, 0xa6, 0xae, 0x36, 0x50, 0x11, 0x00, 0x7a, 0x29, 0x6e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
		{0x4a, 0x1d, 0x70, 0xcf, 0xa6, 0xe5, 0xb8, 0xe8, 0x56, 0x32, 0x0b, 0xde, 0x08, 0x00, 0x45, 0x00, 0x00, 0x34, 0xfd, 0x9b, 0x40, 0x00, 0x40, 0x06, 0x9f, 0xff, 0x0a, 0x01, 0x0a, 0x4c, 0xa4, 0x43, 0xe4, 0x98, 0xe1, 0xa1, 0x00, 0x50, 0x4d, 0xa6, 0xae, 0x36, 0xfe, 0xab, 0x0c, 0x49, 0x80, 0x10, 0x10, 0x00, 0x60, 0x9c, 0x00, 0x00, 0x01, 0x01, 0x08, 0x0a, 0x1b, 0x4f, 0x4b, 0x18, 0xb3, 0xa1, 0x66, 0x2b},
		{0x4a, 0x1d, 0x70, 0xcf, 0xa6, 0xe5, 0xb8, 0xe8, 0x56, 0x32, 0x0b, 0xde, 0x08, 0x00, 0x45, 0x00, 0x00, 0x28, 0xab, 0x91, 0x00, 0x00, 0x40, 0x06, 0x32, 0x16, 0x0a, 0x01, 0x0a, 0x4c, 0xa4, 0x43, 0xe4, 0x98, 0xe1, 0xa1, 0x00, 0x50, 0x4d, 0xa6, 0xae, 0x35, 0xfe, 0xab, 0x0c, 0x49, 0x50, 0x10, 0x10, 0x00, 0x19, 0xe9, 0x00, 0x00},
		{0x4a, 0x1d, 0x70, 0xcf, 0xa6, 0xe5, 0xb8, 0xe8, 0x56, 0x32, 0x0b, 0xde, 0x08, 0x00, 0x45, 0x00, 0x00, 0x34, 0xaf, 0x96, 0x40, 0x00, 0x40, 0x06, 0xee, 0x04, 0x0a, 0x01, 0x0a, 0x4c, 0xa4, 0x43, 0xe4, 0x98, 0xe1, 0xa1, 0x00, 0x50, 0x4d, 0xa6, 0xae, 0x36, 0xfe, 0xab, 0x0c, 0x49, 0x80, 0x11, 0x10, 0x00, 0x9a, 0xcb, 0x00, 0x00, 0x01, 0x01, 0x08, 0x0a, 0x1b, 0x51, 0x10, 0xe6, 0xb3, 0xa1, 0x66, 0x2b},
		{0xb8, 0xe8, 0x56, 0x32, 0x0b, 0xde, 0x4a, 0x1d, 0x70, 0xcf, 0xa6, 0xe5, 0x08, 0x00, 0x45, 0x20, 0x00, 0x28, 0x00, 0x00, 0x40, 0x00, 0x30, 0x06, 0xad, 0x87, 0xa4, 0x43, 0xe4, 0x98, 0x0a, 0x01, 0x0a, 0x4c, 0x00, 0x50, 0xe1, 0xa1, 0xfe, 0xab, 0x0c, 0x49, 0x13, 0x1c, 0x26, 0x5c, 0x50, 0x04, 0x00, 0x00, 0xec, 0x58, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}
}


================================================
FILE: controller/internal/enforcer/utils/rpcwrapper/interfaces.go
================================================
package rpcwrapper

import "context"

// RPCClient is the client interface
type RPCClient interface {
	NewRPCClient(contextID string, channel string, rpcSecret string) error
	GetRPCClient(contextID string) (*RPCHdl, error)
	RemoteCall(contextID string, methodName string, req *Request, resp *Response) error
	DestroyRPCClient(contextID string)
	ContextList() []string
	CheckValidity(req *Request, secret string) bool
}

// RPCServer is the server interface
type RPCServer interface {
	StartServer(ctx context.Context, protocol string, path string, handler interface{}) error
	ProcessMessage(req *Request, secret string) bool
	CheckValidity(req *Request, secret string) bool
}


================================================
FILE: controller/internal/enforcer/utils/rpcwrapper/mockrpcwrapper/mockrpcwrapper.go
================================================
// Code generated by MockGen. DO NOT EDIT.
// Source: controller/internal/enforcer/utils/rpcwrapper/interfaces.go

// Package mockrpcwrapper is a generated GoMock package.
package mockrpcwrapper

import (
	context "context"
	reflect "reflect"

	gomock "github.com/golang/mock/gomock"
	rpcwrapper "go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/utils/rpcwrapper"
)

// MockRPCClient is a mock of RPCClient interface
// nolint
type MockRPCClient struct {
	ctrl     *gomock.Controller
	recorder *MockRPCClientMockRecorder
}

// MockRPCClientMockRecorder is the mock recorder for MockRPCClient
// nolint
type MockRPCClientMockRecorder struct {
	mock *MockRPCClient
}

// NewMockRPCClient creates a new mock instance
// nolint
func NewMockRPCClient(ctrl *gomock.Controller) *MockRPCClient {
	mock := &MockRPCClient{ctrl: ctrl}
	mock.recorder = &MockRPCClientMockRecorder{mock}
	return mock
}

// EXPECT returns an object that allows the caller to indicate expected use
// nolint
func (m *MockRPCClient) EXPECT() *MockRPCClientMockRecorder {
	return m.recorder
}

// NewRPCClient mocks base method
// nolint
func (m *MockRPCClient) NewRPCClient(contextID, channel, rpcSecret string) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "NewRPCClient", contextID, channel, rpcSecret)
	ret0, _ := ret[0].(error)
	return ret0
}

// NewRPCClient indicates an expected call of NewRPCClient
// nolint
func (mr *MockRPCClientMockRecorder) NewRPCClient(contextID, channel, rpcSecret interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "NewRPCClient", reflect.TypeOf((*MockRPCClient)(nil).NewRPCClient), contextID, channel, rpcSecret)
}

// GetRPCClient mocks base method
// nolint
func (m *MockRPCClient) GetRPCClient(contextID string) (*rpcwrapper.RPCHdl, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "GetRPCClient", contextID)
	ret0, _ := ret[0].(*rpcwrapper.RPCHdl)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// GetRPCClient indicates an expected call of GetRPCClient
// nolint
func (mr *MockRPCClientMockRecorder) GetRPCClient(contextID interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetRPCClient", reflect.TypeOf((*MockRPCClient)(nil).GetRPCClient), contextID)
}

// RemoteCall mocks base method
// nolint
func (m *MockRPCClient) RemoteCall(contextID, methodName string, req *rpcwrapper.Request, resp *rpcwrapper.Response) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "RemoteCall", contextID, methodName, req, resp)
	ret0, _ := ret[0].(error)
	return ret0
}

// RemoteCall indicates an expected call of RemoteCall
// nolint
func (mr *MockRPCClientMockRecorder) RemoteCall(contextID, methodName, req, resp interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RemoteCall", reflect.TypeOf((*MockRPCClient)(nil).RemoteCall), contextID, methodName, req, resp)
}

// DestroyRPCClient mocks base method
// nolint
func (m *MockRPCClient) DestroyRPCClient(contextID string) {
	m.ctrl.T.Helper()
	m.ctrl.Call(m, "DestroyRPCClient", contextID)
}

// DestroyRPCClient indicates an expected call of DestroyRPCClient
// nolint
func (mr *MockRPCClientMockRecorder) DestroyRPCClient(contextID interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DestroyRPCClient", reflect.TypeOf((*MockRPCClient)(nil).DestroyRPCClient), contextID)
}

// ContextList mocks base method
// nolint
func (m *MockRPCClient) ContextList() []string {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ContextList")
	ret0, _ := ret[0].([]string)
	return ret0
}

// ContextList indicates an expected call of ContextList
// nolint
func (mr *MockRPCClientMockRecorder) ContextList() *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ContextList", reflect.TypeOf((*MockRPCClient)(nil).ContextList))
}

// CheckValidity mocks base method
// nolint
func (m *MockRPCClient) CheckValidity(req *rpcwrapper.Request, secret string) bool {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "CheckValidity", req, secret)
	ret0, _ := ret[0].(bool)
	return ret0
}

// CheckValidity indicates an expected call of CheckValidity
// nolint
func (mr *MockRPCClientMockRecorder) CheckValidity(req, secret interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CheckValidity", reflect.TypeOf((*MockRPCClient)(nil).CheckValidity), req, secret)
}

// MockRPCServer is a mock of RPCServer interface
// nolint
type MockRPCServer struct {
	ctrl     *gomock.Controller
	recorder *MockRPCServerMockRecorder
}

// MockRPCServerMockRecorder is the mock recorder for MockRPCServer
// nolint
type MockRPCServerMockRecorder struct {
	mock *MockRPCServer
}

// NewMockRPCServer creates a new mock instance
// nolint
func NewMockRPCServer(ctrl *gomock.Controller) *MockRPCServer {
	mock := &MockRPCServer{ctrl: ctrl}
	mock.recorder = &MockRPCServerMockRecorder{mock}
	return mock
}

// EXPECT returns an object that allows the caller to indicate expected use
// nolint
func (m *MockRPCServer) EXPECT() *MockRPCServerMockRecorder {
	return m.recorder
}

// StartServer mocks base method
// nolint
func (m *MockRPCServer) StartServer(ctx context.Context, protocol, path string, handler interface{}) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "StartServer", ctx, protocol, path, handler)
	ret0, _ := ret[0].(error)
	return ret0
}

// StartServer indicates an expected call of StartServer
// nolint
func (mr *MockRPCServerMockRecorder) StartServer(ctx, protocol, path, handler interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "StartServer", reflect.TypeOf((*MockRPCServer)(nil).StartServer), ctx, protocol, path, handler)
}

// ProcessMessage mocks base method
// nolint
func (m *MockRPCServer) ProcessMessage(req *rpcwrapper.Request, secret string) bool {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ProcessMessage", req, secret)
	ret0, _ := ret[0].(bool)
	return ret0
}

// ProcessMessage indicates an expected call of ProcessMessage
// nolint
func (mr *MockRPCServerMockRecorder) ProcessMessage(req, secret interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ProcessMessage", reflect.TypeOf((*MockRPCServer)(nil).ProcessMessage), req, secret)
}

// CheckValidity mocks base method
// nolint
func (m *MockRPCServer) CheckValidity(req *rpcwrapper.Request, secret string) bool {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "CheckValidity", req, secret)
	ret0, _ := ret[0].(bool)
	return ret0
}

// CheckValidity indicates an expected call of CheckValidity
// nolint
func (mr *MockRPCServerMockRecorder) CheckValidity(req, secret interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CheckValidity", reflect.TypeOf((*MockRPCServer)(nil).CheckValidity), req, secret)
}


================================================
FILE: controller/internal/enforcer/utils/rpcwrapper/rpc_handle.go
================================================
package rpcwrapper

import (
	"context"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"encoding/gob"
	"fmt"
	"net"
	"net/http"
	"net/rpc"
	"os"
	"strconv"
	"sync"
	"time"

	"github.com/mitchellh/hashstructure"
	"go.aporeto.io/enforcerd/trireme-lib/collector"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/secrets"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/usertokens/oidc"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/usertokens/pkitokens"
	"go.aporeto.io/enforcerd/trireme-lib/utils/cache"
	"go.uber.org/zap"
)

// RPCHdl is a per client handle
type RPCHdl struct {
	Client  *rpc.Client
	Channel string
	Secret  string
}

// RPCWrapper  is a struct which holds stats for all rpc sesions
type RPCWrapper struct {
	rpcClientMap *cache.Cache
	server       *rpc.Server
	sync.Mutex
}

// NewRPCWrapper creates a new rpcwrapper
func NewRPCWrapper() *RPCWrapper {

	RegisterTypes()

	return &RPCWrapper{
		rpcClientMap: cache.NewCache("RPCWrapper"),
	}
}

const (
	maxRetries     = 10000
	envRetryString = "REMOTE_RPCRETRIES"
)

// NewRPCClient exported
func (r *RPCWrapper) NewRPCClient(contextID string, channel string, sharedsecret string) error {

	r.Lock()
	defer r.Unlock()

	max := maxRetries
	retries := os.Getenv(envRetryString)
	if len(retries) > 0 {
		max, _ = strconv.Atoi(retries)
	}

	numRetries := 0
	client, err := rpc.DialHTTP("unix", channel)
	for err != nil {
		numRetries++
		if numRetries >= max {
			return err
		}

		time.Sleep(5 * time.Millisecond)
		client, err = rpc.DialHTTP("unix", channel)
	}

	r.rpcClientMap.AddOrUpdate(contextID, &RPCHdl{Client: client, Channel: channel, Secret: sharedsecret})

	return nil

}

// GetRPCClient gets a handle to the rpc client for the contextID( enforcer in the container)
func (r *RPCWrapper) GetRPCClient(contextID string) (*RPCHdl, error) {

	r.Lock()
	defer r.Unlock()

	val, err := r.rpcClientMap.Get(contextID)
	if err != nil {
		return nil, err
	}

	return val.(*RPCHdl), nil
}

// RemoteCall is a wrapper around rpc.Call and also ensure message integrity by adding a hmac
func (r *RPCWrapper) RemoteCall(contextID string, methodName string, req *Request, resp *Response) error {

	rpcClient, err := r.GetRPCClient(contextID)
	if err != nil {
		return err
	}

	digest := hmac.New(sha256.New, []byte(rpcClient.Secret))
	hash, err := payloadHash(req.Payload)
	if err != nil {
		return err
	}

	if _, err := digest.Write(hash); err != nil {
		return err
	}

	req.HashAuth = digest.Sum(nil)

	return rpcClient.Client.Call(methodName, req, resp)
}

// CheckValidity checks if the received message is valid
func (r *RPCWrapper) CheckValidity(req *Request, secret string) bool {

	digest := hmac.New(sha256.New, []byte(secret))

	hash, err := payloadHash(req.Payload)
	if err != nil {
		return false
	}

	if _, err := digest.Write(hash); err != nil {
		return false
	}

	return hmac.Equal(req.HashAuth, digest.Sum(nil))
}

//NewRPCServer returns an interface RPCServer
func NewRPCServer() RPCServer {

	return &RPCWrapper{
		server: rpc.NewServer(),
	}
}

// StartServer Starts a server and waits for new connections this function never returns
func (r *RPCWrapper) StartServer(ctx context.Context, protocol string, path string, handler interface{}) error {

	if len(path) == 0 {
		zap.L().Fatal("Sock param not passed in environment")
	}

	// Register RPC Type
	RegisterTypes()

	// Register handlers
	if err := r.server.Register(handler); err != nil {
		return err
	}

	r.server.HandleHTTP(rpc.DefaultRPCPath, rpc.DefaultDebugPath)

	// removing old path in case it exists already - error if we can't remove it
	if _, err := os.Stat(path); err == nil {

		zap.L().Debug("Socket path already exists: removing", zap.String("path", path))

		if rerr := os.Remove(path); rerr != nil {
			return fmt.Errorf("unable to delete existing socket path %s: %s", path, rerr)
		}
	}

	// Get listener
	listen, err := net.Listen(protocol, path)
	if err != nil {
		return err
	}

	go http.Serve(listen, nil) // nolint

	<-ctx.Done()

	if merr := listen.Close(); merr != nil {
		zap.L().Warn("Connection already closed", zap.Error(merr))
	}

	if _, err = os.Stat(path); !os.IsNotExist(err) {
		if err := os.Remove(path); err != nil {
			zap.L().Warn("failed to remove old path", zap.Error(err))
		}
	}

	return nil
}

// DestroyRPCClient calls close on the rpc and cleans up the connection
func (r *RPCWrapper) DestroyRPCClient(contextID string) {
	r.Lock()
	defer r.Unlock()

	rpcHdl, err := r.rpcClientMap.Get(contextID)
	if err != nil {
		return
	}

	if err = rpcHdl.(*RPCHdl).Client.Close(); err != nil {
		zap.L().Warn("Failed to close channel",
			zap.String("contextID", contextID),
			zap.Error(err),
		)
	}

	if err = os.Remove(rpcHdl.(*RPCHdl).Channel); err != nil {
		zap.L().Debug("Failed to remove channel - already closed",
			zap.String("contextID", contextID),
			zap.Error(err),
		)
	}

	if err = r.rpcClientMap.Remove(contextID); err != nil {
		zap.L().Warn("Failed to remove item from cache",
			zap.String("contextID", contextID),
			zap.Error(err),
		)
	}
}

// ContextList returns the list of active context managed by the rpcwrapper
func (r *RPCWrapper) ContextList() []string {
	keylist := r.rpcClientMap.KeyList()
	contextArray := []string{}
	for _, key := range keylist {
		if kstring, ok := key.(string); ok {
			contextArray = append(contextArray, kstring)
		}
	}
	return contextArray
}

// ProcessMessage checks if the given request is valid
func (r *RPCWrapper) ProcessMessage(req *Request, secret string) bool {

	return r.CheckValidity(req, secret)
}

// payloadHash returns the has of the payload
func payloadHash(payload interface{}) ([]byte, error) {
	hash, err := hashstructure.Hash(payload, nil)
	if err != nil {
		return []byte{}, err
	}

	buf := make([]byte, 8)
	binary.BigEndian.PutUint64(buf, hash)
	return buf, nil
}

// RegisterTypes  registers types that are exchanged between the controller and remoteenforcer
func RegisterTypes() {
	// TODO: figure out why the RegisterName() calls are written as *(&x{}) when the Register() calls are just &x{}
	gob.Register(&secrets.RPCSecrets{})
	gob.Register(&pkitokens.PKIJWTVerifier{})
	gob.Register(&oidc.TokenVerifier{})
	gob.Register(&collector.CounterReport{})
	gob.Register(&collector.PingReport{})
	gob.Register(&collector.DNSRequestReport{})
	gob.Register(&collector.PacketReport{})
	gob.Register(&collector.ConnectionExceptionReport{})
	gob.RegisterName("go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/utils/rpcwrapper.Init_Request_Payload", *(&InitRequestPayload{}))                                // nolint:staticcheck // SA4001: *&x will be simplified to x. It will not copy x.
	gob.RegisterName("go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/utils/rpcwrapper.Enforce_Payload", *(&EnforcePayload{}))                                         // nolint:staticcheck
	gob.RegisterName("go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/utils/rpcwrapper.UnEnforce_Payload", *(&UnEnforcePayload{}))                                     // nolint:staticcheck
	gob.RegisterName("go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/utils/rpcwrapper.Stats_Payload", *(&StatsPayload{}))                                             // nolint:staticcheck
	gob.RegisterName("go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/utils/rpcwrapper.UpdateSecrets_Payload", *(&UpdateSecretsPayload{}))                             // nolint:staticcheck
	gob.RegisterName("go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/utils/rpcwrapper.SetTargetNetworks_Payload", *(&SetTargetNetworksPayload{}))                     // nolint:staticcheck
	gob.RegisterName("go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/utils/rpcwrapper.EnableIPTablesPacketTracing_PayLoad", *(&EnableIPTablesPacketTracingPayLoad{})) // nolint:staticcheck
	gob.RegisterName("go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/utils/rpcwrapper.EnableDatapathPacketTracing_PayLoad", *(&EnableDatapathPacketTracingPayLoad{})) // nolint:staticcheck
	gob.RegisterName("go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/utils/rpcwrapper.Report_Payload", *(&ReportPayload{}))                                           // nolint:staticcheck
	gob.RegisterName("go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/utils/rpcwrapper.SetLogLevel_Payload", *(&SetLogLevelPayload{}))                                 // nolint:staticcheck
	gob.RegisterName("go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/utils/rpcwrapper.TokenRequest_Payload", *(&TokenRequestPayload{}))                               // nolint:staticcheck
	gob.RegisterName("go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/utils/rpcwrapper.TokenResponse_Payload", *(&TokenResponsePayload{}))                             // nolint:staticcheck
	gob.RegisterName("go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/utils/rpcwrapper.Ping_Payload", *(&PingPayload{}))                                               // nolint:staticcheck
	gob.RegisterName("go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/utils/rpcwrapper.DebugCollect_Payload", *(&DebugCollectPayload{}))                               // nolint:staticcheck
	gob.RegisterName("go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/utils/rpcwrapper.DebugCollectResponse_Payload", *(&DebugCollectResponsePayload{}))               // nolint:staticcheck
}


================================================
FILE: controller/internal/enforcer/utils/rpcwrapper/rpc_handlemock.go
================================================
package rpcwrapper

import (
	"context"
	"net/rpc"
	"sync"
	"testing"
)

// MockRPCHdl is mock of rpchdl
type MockRPCHdl struct {
	Client  *rpc.Client
	Channel string
}

type mockedMethods struct {
	NewRPCClientMock     func(contextID string, channel string, secret string) error
	GetRPCClientMock     func(contextID string) (*RPCHdl, error)
	RemoteCallMock       func(contextID string, methodName string, req *Request, resp *Response) error
	DestroyRPCClientMock func(contextID string)
	StartServerMock      func(ctx context.Context, protocol string, path string, handler interface{}) error
	ProcessMessageMock   func(req *Request, secret string) bool
	ContextListMock      func() []string
	CheckValidityMock    func(req *Request, secret string) bool
}

// TestRPCClient is a RPC Client used for test
type TestRPCClient interface {
	RPCClient
	MockNewRPCClient(t *testing.T, impl func(contextID string, channel string, secret string) error)
	MockGetRPCClient(t *testing.T, impl func(contextID string) (*RPCHdl, error))
	MockRemoteCall(t *testing.T, impl func(contextID string, methodName string, req *Request, resp *Response) error)
	MockDestroyRPCClient(t *testing.T, impl func(contextID string))
	MockContextList(t *testing.T, impl func() []string)
	MockCheckValidity(t *testing.T, impl func(req *Request, secret string) bool)
}

// TestRPCServer is a RPC Server used for test
type TestRPCServer interface {
	RPCServer
	MockStartServer(t *testing.T, impl func(ctx context.Context, protocol string, path string, handler interface{}) error)
	MockProcessMessage(t *testing.T, impl func(req *Request, secret string) bool)
	MockCheckValidity(t *testing.T, impl func(req *Request, secret string) bool)
}

type testRPC struct {
	mocks       map[*testing.T]*mockedMethods
	lock        *sync.Mutex
	currentTest *testing.T
}

// NewTestRPCServer is a Test RPC Server
func NewTestRPCServer() TestRPCServer {
	return &testRPC{
		lock:  &sync.Mutex{},
		mocks: map[*testing.T]*mockedMethods{},
	}
}

// NewTestRPCClient is a Test RPC Client
func NewTestRPCClient() TestRPCClient {
	return &testRPC{
		lock:  &sync.Mutex{},
		mocks: map[*testing.T]*mockedMethods{},
	}
}

// MockNewRPCClient mocks the NewRPCClient function
func (m *testRPC) MockNewRPCClient(t *testing.T, impl func(contextID string, channel string, secret string) error) {
	m.currentMocks(t).NewRPCClientMock = impl
}

// MockGetRPCClient mocks the GetRPCClient function
func (m *testRPC) MockGetRPCClient(t *testing.T, impl func(contextID string) (*RPCHdl, error)) {
	m.currentMocks(t).GetRPCClientMock = impl
}

// MockRemoteCall mocks the RemoteCall function
func (m *testRPC) MockRemoteCall(t *testing.T, impl func(contextID string, methodName string, req *Request, resp *Response) error) {
	m.currentMocks(t).RemoteCallMock = impl
}

// MockDestroyRPCClient mocks the DestroyRPCClient function
func (m *testRPC) MockDestroyRPCClient(t *testing.T, impl func(contextID string)) {
	m.currentMocks(t).DestroyRPCClientMock = impl
}

// MockStartServer mocks the StartServer function
func (m *testRPC) MockStartServer(t *testing.T, impl func(ctx context.Context, protocol string, path string, handler interface{}) error) {
	m.currentMocks(t).StartServerMock = impl

}

// MockProcessMessage mocks the ProcessMessage function
func (m *testRPC) MockProcessMessage(t *testing.T, impl func(req *Request, secret string) bool) {
	m.currentMocks(t).ProcessMessageMock = impl
}

// MockContextList mocks the ContextList function
func (m *testRPC) MockContextList(t *testing.T, impl func() []string) {
	m.currentMocks(t).ContextListMock = impl
}

// MockCheckValidity mocks the CheckValidity function
func (m *testRPC) MockCheckValidity(t *testing.T, impl func(req *Request, secret string) bool) {
	m.currentMocks(t).CheckValidityMock = impl
}

// NewRPCClient implements the new interface
func (m *testRPC) NewRPCClient(contextID string, channel string, secret string) error {
	if mock := m.currentMocks(nil); mock != nil && mock.NewRPCClientMock != nil {
		return mock.NewRPCClientMock(contextID, channel, secret)
	}
	return nil
}

// GetRPCClient implements the interface with a mock
func (m *testRPC) GetRPCClient(contextID string) (*RPCHdl, error) {
	if mock := m.currentMocks(nil); mock != nil && mock.GetRPCClientMock != nil {
		return mock.GetRPCClientMock(contextID)
	}
	return nil, nil
}

// RemoteCall implements the interface with a mock
func (m *testRPC) RemoteCall(contextID string, methodName string, req *Request, resp *Response) error {
	if mock := m.currentMocks(nil); mock != nil && mock.RemoteCallMock != nil {
		return mock.RemoteCallMock(contextID, methodName, req, resp)
	}
	return nil
}

// DestroyRPCClient implements the interface with a Mock
func (m *testRPC) DestroyRPCClient(contextID string) {
	if mock := m.currentMocks(nil); mock != nil && mock.DestroyRPCClientMock != nil {
		mock.DestroyRPCClientMock(contextID)
		return
	}
}

// CheckValidity implements the interface with a mock
func (m *testRPC) CheckValidity(req *Request, secret string) bool {
	if mock := m.currentMocks(nil); mock != nil && mock.DestroyRPCClientMock != nil {
		return mock.CheckValidityMock(req, secret)
	}
	return false
}

// StartServer implements the interface with a mock
func (m *testRPC) StartServer(ctx context.Context, protocol string, path string, handler interface{}) error {
	if mock := m.currentMocks(nil); mock != nil && mock.StartServerMock != nil {
		return mock.StartServerMock(ctx, protocol, path, handler)
	}
	return nil
}

// ProcessMessage implements the interface with a mock
func (m *testRPC) ProcessMessage(req *Request, secret string) bool {
	if mock := m.currentMocks(nil); mock != nil && mock.ProcessMessageMock != nil {
		return mock.ProcessMessageMock(req, secret)
	}
	return true
}

// ContextList implements the interface with a mock
func (m *testRPC) ContextList() []string {
	if mock := m.currentMocks(m.currentTest); mock != nil && mock.ContextListMock != nil {
		return mock.ContextListMock()
	}
	return []string{}
}

// currentMocks returns the list of current mocks
func (m *testRPC) currentMocks(t *testing.T) *mockedMethods {
	m.lock.Lock()
	defer m.lock.Unlock()

	if t == nil {
		t = m.currentTest
	} else {
		m.currentTest = t
	}

	mocks := m.mocks[t]
	if mocks == nil {
		mocks = &mockedMethods{}
		m.mocks[t] = mocks
	}

	return mocks
}


================================================
FILE: controller/internal/enforcer/utils/rpcwrapper/rpc_handletest.go
================================================
package rpcwrapper

import (
	"testing"
	"time"
)

//Not mocking system libraries
//Will create actual rpc client server without using wrapper to test our implementations

const (
	defaultchannel = "/tmp/test.sock"
)

// TestNewRPCClient mocks an RPC client test
func TestNewRPCClient(t *testing.T) {

	//Test without  a rpc server
	rpchdl := NewRPCWrapper()
	resp := make(chan error, 1)
	go asyncRpcclient(resp, rpchdl)
	select {
	case r := <-resp:
		if r == nil {
			t.Errorf("SUCCESS in the absence of rpc server")
		}
	case <-time.After(1 * time.Second):
		t.Errorf("RPCClient blocked and does not return")

	}
	err := rpchdl.NewRPCClient("12345", defaultchannel, "mysecret")
	if err == nil {
		t.Errorf("No error returned when there is not server")
	}

}


================================================
FILE: controller/internal/enforcer/utils/rpcwrapper/rpc_testhelper.go
================================================
package rpcwrapper

func asyncRpcclient(resp chan<- error, rpchdl *RPCWrapper) {
	err := rpchdl.NewRPCClient("12345", defaultchannel, "mysecret")
	resp <- err
}


================================================
FILE: controller/internal/enforcer/utils/rpcwrapper/types.go
================================================
package rpcwrapper

import (
	"time"

	"go.aporeto.io/enforcerd/trireme-lib/collector"
	"go.aporeto.io/enforcerd/trireme-lib/common"
	"go.aporeto.io/enforcerd/trireme-lib/controller/constants"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packettracing"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/secrets"
	"go.aporeto.io/enforcerd/trireme-lib/controller/runtime"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
)

// CaptureType identifies the type of iptables implementation that should be used
type CaptureType int

const (
	// IPTables forces an IPTables implementation
	IPTables CaptureType = iota
	// IPSets forces an IPSet implementation
	IPSets
)

// PayloadType is the type of payload in the request.
type PayloadType int

// Payload report types.
const (
	PacketReport PayloadType = iota
	DNSReport
	CounterReport
	PingReport
	ConnectionExceptionReport
)

//Request exported
type Request struct {
	HashAuth    []byte
	PayloadType PayloadType
	Payload     interface{}
}

//exported consts from the package
const (
	SUCCESS = 0
)

//Response is the response for every RPC call. This is used to carry the status of the actual function call
//made on the remote end
type Response struct {
	Status  string
	Payload interface{} `json:",omitempty"`
}

//InitRequestPayload Payload for enforcer init request
type InitRequestPayload struct {
	MutualAuth             bool                   `json:",omitempty"`
	PacketLogs             bool                   `json:",omitempty"`
	Validity               time.Duration          `json:",omitempty"`
	ServerID               string                 `json:",omitempty"`
	ExternalIPCacheTimeout time.Duration          `json:",omitempty"`
	Secrets                secrets.RPCSecrets     `json:",omitempty"`
	Configuration          *runtime.Configuration `json:",omitempty"`
	BinaryTokens           bool                   `json:",omitempty"`
	IsBPFEnabled           bool                   `json:",omitempty"`
	IPv6Enabled            bool                   `json:",omitempty"`
	IPTablesLockfile       string                 `json:",omitempty"`
	ServiceMeshType        policy.ServiceMesh     `json:",omitempty"`
}

// UpdateSecretsPayload payload for the update secrets to remote enforcers
type UpdateSecretsPayload struct {
	Secrets secrets.RPCSecrets `json:",omitempty"`
}

// EnforcePayload Payload for enforce request
type EnforcePayload struct {
	ContextID string                 `json:",omitempty"`
	Policy    *policy.PUPolicyPublic `json:",omitempty"`
	Secrets   secrets.RPCSecrets     `json:",omitempty"`
}

//UnEnforcePayload payload for unenforce request
type UnEnforcePayload struct {
	ContextID string `json:",omitempty"`
}

//SetLogLevelPayload payload for set log level request
type SetLogLevelPayload struct {
	Level constants.LogLevel `json:",omitempty"`
}

//StatsPayload is the payload carries by the stats reporting form the remote enforcer
type StatsPayload struct {
	Flows map[uint64]*collector.FlowRecord `json:",omitempty"`
	Users map[string]*collector.UserRecord `json:",omitempty"`
}

// ReportPayload is the generic report from remote enforcer
type ReportPayload struct {
	Type    PayloadType
	Payload interface{}
}

//SetTargetNetworksPayload carries the payload for target networks
type SetTargetNetworksPayload struct {
	Configuration *runtime.Configuration `json:",omitempty"`
}

// EnableIPTablesPacketTracingPayLoad is the payload message to enable iptable trace in remote containers
type EnableIPTablesPacketTracingPayLoad struct {
	IPTablesPacketTracing bool          `json:",omitempty"`
	Interval              time.Duration `json:",omitempty"`
	ContextID             string        `json:",omitempty"`
}

// EnableDatapathPacketTracingPayLoad is the payload to enable nfq packet tracing in the remote container
type EnableDatapathPacketTracingPayLoad struct {
	Direction packettracing.TracingDirection `json:",omitempty"`
	Interval  time.Duration                  `json:",omitempty"`
	ContextID string                         `json:",omitempty"`
}

// TokenRequestPayload carries the payload for issuing tokens.
type TokenRequestPayload struct {
	ContextID        string                  `json:",omitempty"`
	Audience         string                  `json:",omitempty"`
	Validity         time.Duration           `json:",omitempty"`
	ServiceTokenType common.ServiceTokenType `json:",omitempty"`
}

// TokenResponsePayload returns the issued token.
type TokenResponsePayload struct {
	Token string `json:",omitempty"`
}

// PingPayload represents the payload for ping config.
type PingPayload struct {
	ContextID  string
	PingConfig *policy.PingConfig
}

// DebugCollectPayload is the payload for the DebugCollect request.
type DebugCollectPayload struct {
	ContextID    string
	PcapFilePath string
	PcapFilter   string
	CommandExec  string
}

// DebugCollectResponsePayload is the payload for the DebugCollect response.
type DebugCollectResponsePayload struct {
	ContextID     string
	PID           int
	CommandOutput string
}


================================================
FILE: controller/internal/processmon/interfaces.go
================================================
package processmon

import (
	"go.aporeto.io/enforcerd/trireme-lib/policy"
)

// ProcessManager interface exposes methods implemented by a processmon
type ProcessManager interface {
	KillRemoteEnforcer(contextID string, force bool) error
	LaunchRemoteEnforcer(contextID string, refPid int, refNsPath string, arg string, statssecret string, procMountPoint string, enforcerType policy.EnforcerType) (bool, error)
}


================================================
FILE: controller/internal/processmon/mockprocessmon/mockprocessmon.go
================================================
// Code generated by MockGen. DO NOT EDIT.
// Source: controller/internal/processmon/interfaces.go

// Package mockprocessmon is a generated GoMock package.
package mockprocessmon

import (
	reflect "reflect"

	gomock "github.com/golang/mock/gomock"
	policy "go.aporeto.io/enforcerd/trireme-lib/policy"
)

// MockProcessManager is a mock of ProcessManager interface
// nolint
type MockProcessManager struct {
	ctrl     *gomock.Controller
	recorder *MockProcessManagerMockRecorder
}

// MockProcessManagerMockRecorder is the mock recorder for MockProcessManager
// nolint
type MockProcessManagerMockRecorder struct {
	mock *MockProcessManager
}

// NewMockProcessManager creates a new mock instance
// nolint
func NewMockProcessManager(ctrl *gomock.Controller) *MockProcessManager {
	mock := &MockProcessManager{ctrl: ctrl}
	mock.recorder = &MockProcessManagerMockRecorder{mock}
	return mock
}

// EXPECT returns an object that allows the caller to indicate expected use
// nolint
func (m *MockProcessManager) EXPECT() *MockProcessManagerMockRecorder {
	return m.recorder
}

// KillRemoteEnforcer mocks base method
// nolint
func (m *MockProcessManager) KillRemoteEnforcer(contextID string, force bool) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "KillRemoteEnforcer", contextID, force)
	ret0, _ := ret[0].(error)
	return ret0
}

// KillRemoteEnforcer indicates an expected call of KillRemoteEnforcer
// nolint
func (mr *MockProcessManagerMockRecorder) KillRemoteEnforcer(contextID, force interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "KillRemoteEnforcer", reflect.TypeOf((*MockProcessManager)(nil).KillRemoteEnforcer), contextID, force)
}

// LaunchRemoteEnforcer mocks base method
// nolint
func (m *MockProcessManager) LaunchRemoteEnforcer(contextID string, refPid int, refNsPath, arg, statssecret, procMountPoint string, enforcerType policy.EnforcerType) (bool, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "LaunchRemoteEnforcer", contextID, refPid, refNsPath, arg, statssecret, procMountPoint, enforcerType)
	ret0, _ := ret[0].(bool)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// LaunchRemoteEnforcer indicates an expected call of LaunchRemoteEnforcer
// nolint
func (mr *MockProcessManagerMockRecorder) LaunchRemoteEnforcer(contextID, refPid, refNsPath, arg, statssecret, procMountPoint, enforcerType interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "LaunchRemoteEnforcer", reflect.TypeOf((*MockProcessManager)(nil).LaunchRemoteEnforcer), contextID, refPid, refNsPath, arg, statssecret, procMountPoint, enforcerType)
}


================================================
FILE: controller/internal/processmon/processmon.go
================================================
// +build linux darwin

// Package processmon is to manage and monitor remote enforcers.
package processmon

import (
	"context"
	"fmt"
	"io"
	"os"
	"os/exec"
	"path/filepath"
	"strconv"
	"strings"
	"sync"
	"syscall"
	"time"

	"go.aporeto.io/enforcerd/internal/logging/masterlog"
	"go.aporeto.io/enforcerd/internal/utils"
	"go.aporeto.io/enforcerd/trireme-lib/controller/constants"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/utils/rpcwrapper"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/claimsheader"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/env"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/remoteenforcer"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
	"go.aporeto.io/enforcerd/trireme-lib/utils/cache"
	"go.aporeto.io/enforcerd/trireme-lib/utils/crypto"
	"go.uber.org/zap"
)

const (
	processMonitorCacheName = "ProcessMonitorCache"
	secretLength            = 32
)

var (
	// netNSPath holds the directory to ensure ip netns command works
	netNSPath = "/var/run/netns/"

	// execCommand is to used to fake exec commands in tests.
	execCommand = exec.Command
)

// RemoteMonitor is an instance of processMonitor
type RemoteMonitor struct {
	// netNSPath made configurable to enable running tests
	netNSPath string
	// activeProcesses holds a cache of the currently active processes.
	activeProcesses *cache.Cache
	// childExitStatus is a channel to monitor the exit status of processes.
	childExitStatus chan exitStatus
	// logWithID is the ID for for log files if logging to file.
	logWithID bool
	// logLevel is the level of logs for remote command.
	logLevel string
	// logFormat selects the format of the logs for the remote.
	logFormat string
	// compressedTags instructs the remotes to use compressed tags.
	compressedTags claimsheader.CompressionType
	// numQueues is the number of nfqueus
	numQueues string
	// runtimeErrorChannel is the channel to communicate errors to the policy engine.
	runtimeErrorChannel chan *policy.RuntimeError
	// rpc is the rpc client to communicate with the remotes.
	rpc rpcwrapper.RPCClient

	sync.Mutex
}

// processInfo stores per process information
type processInfo struct {
	contextID string
	process   *os.Process
	sync.Mutex
}

// exitStatus captures the exit status of a process
type exitStatus struct {
	pid int // exitted PID
	// The contextID is optional and is primarily used by remote enforcer
	// processes to represent the namespace in which the process was running
	contextID  string
	exitStatus error
}

// New is a method to create a new remote process monitor.
func New(ctx context.Context, p *env.RemoteParameters, c chan *policy.RuntimeError, r rpcwrapper.RPCClient, numQueues int) ProcessManager {

	numQueuesStr := strconv.Itoa(numQueues)

	m := &RemoteMonitor{
		netNSPath:           netNSPath,
		activeProcesses:     cache.NewCache(processMonitorCacheName),
		childExitStatus:     make(chan exitStatus, 100),
		logWithID:           p.LogWithID,
		logLevel:            p.LogLevel,
		logFormat:           p.LogFormat,
		compressedTags:      p.CompressedTags,
		numQueues:           numQueuesStr,
		runtimeErrorChannel: c,
		rpc:                 r,
	}

	go m.collectChildExitStatus(ctx)

	return m
}

// LaunchRemoteEnforcer prepares the environment and launches the process. If the process
// is already launched, it will notify the caller, so that it can avoid any
// new initialization.
func (p *RemoteMonitor) LaunchRemoteEnforcer(
	contextID string,
	refPid int,
	refNSPath string,
	arg string,
	statsServerSecret string,
	procMountPoint string,
	enforcerType policy.EnforcerType,
) (bool, error) {
	// Locking here to get the procesinfo to avoid race conditions
	// where multiple LaunchProcess happen for the same context.
	p.Lock()
	if _, err := p.activeProcesses.Get(contextID); err == nil {
		p.Unlock()
		return false, nil
	}

	procInfo := &processInfo{
		contextID: contextID,
	}
	p.activeProcesses.AddOrUpdate(contextID, procInfo)
	p.Unlock()

	// We will lock the procInfo here, so a kill will have to wait and avoid any race.
	procInfo.Lock()
	defer procInfo.Unlock()

	var err error
	defer func() {
		// If we encoutered an error we remove it from the cache. We will
		// not be monitoring it any more. Caller is responsible for re-launching.
		if err != nil {
			p.Lock()
			defer p.Unlock()
			p.activeProcesses.Remove(contextID) // nolint errcheck
		}
	}()

	// We check if the NetNsPath was given as parameter.
	// If it was we will use it. Otherwise we will determine it based on the PID.
	nsPath := refNSPath
	if refNSPath == "" {
		nsPath = filepath.Join(procMountPoint, strconv.Itoa(refPid), "ns", "net")
	}

	var hoststat os.FileInfo
	if hoststat, err = os.Stat(filepath.Join(procMountPoint, "1", "ns", "net")); err != nil {
		return false, err
	}

	var pidstat os.FileInfo
	if pidstat, err = os.Stat(nsPath); err != nil {
		return false, fmt.Errorf("container pid %d not found: %s", refPid, err)
	}

	if pidstat.Sys().(*syscall.Stat_t).Ino == hoststat.Sys().(*syscall.Stat_t).Ino {
		err = fmt.Errorf("refused to launch a remote enforcer in host namespace")
		return false, err
	}

	if _, err = os.Stat(p.netNSPath); err != nil {
		err = os.MkdirAll(p.netNSPath, os.ModeDir)
		if err != nil {
			zap.L().Warn("could not create directory netns directory", zap.Error(err))
		}
	}

	// A symlink is created from /var/run/netns/<context> to the NetNSPath
	contextFile := filepath.Join(p.netNSPath, strings.Replace(contextID, "/", "_", -1))
	// Remove the context file if it already exists.
	if removeErr := os.RemoveAll(contextFile); err != nil {
		zap.L().Warn("Failed to remove namespace link",
			zap.Error(removeErr))
	}

	// NOTE: This is used by 'enforcer cleanup' command.
	if err = os.Symlink(nsPath, contextFile); err != nil {
		zap.L().Warn("Failed to create symlink for use by ip netns", zap.Error(err))
	}

	var randomkeystring string
	randomkeystring, err = crypto.GenerateRandomString(secretLength)
	if err != nil {
		// This is a more serious failure. We can't reliably control the remote enforcer
		return false, fmt.Errorf("unable to generate secret: %s", err)
	}

	newEnvVars := p.getLaunchProcessEnvVars(
		procMountPoint,
		contextID,
		randomkeystring,
		statsServerSecret,
		refPid,
		refNSPath,
		enforcerType,
	)

	cmd, cmdName, cmdArgs := getLaunchProcessCmd(arg)
	cmd.Env = append(os.Environ(), newEnvVars...)

	if reader, err := getCmdReader(cmd); err == nil {
		masterlog.HandleRemoteLog(reader)
	} else {
		zap.L().Error("Failed to get reader for remote logs")
	}

	if err = cmd.Start(); err != nil {
		// Cleanup resources
		if err1 := os.Remove(contextFile); err1 != nil {
			zap.L().Warn("Failed to clean up netns path", zap.Error(err1))
		}
		zap.L().Error("Unable to start remote enforcer binary", zap.Error(err))
		return false, fmt.Errorf("Unable to start remote enforcer binary: %s", err)
	}

	zap.L().Debug("Remote enforcer launched",
		zap.String("command", cmdName),
		zap.Strings("args", cmdArgs),
		zap.Int("remotePid", cmd.Process.Pid),
	)

	procInfo.process = cmd.Process
	go func() {
		status := cmd.Wait()
		p.childExitStatus <- exitStatus{
			pid:        cmd.Process.Pid,
			contextID:  contextID,
			exitStatus: status,
		}
	}()
	if err = p.rpc.NewRPCClient(contextID, contextID2SocketPath(contextID), randomkeystring); err != nil {
		return false, fmt.Errorf("failed to established rpc channel: %s", err)
	}

	return true, nil
}

// KillRemoteEnforcer sends a rpc to the process to exit failing which it will kill the process
func (p *RemoteMonitor) KillRemoteEnforcer(contextID string, force bool) error {

	p.Lock()
	s, err := p.activeProcesses.Get(contextID)
	if err != nil {
		p.Unlock()
		return fmt.Errorf("unable to find process for context: %s", contextID)
	}

	p.activeProcesses.Remove(contextID) // nolint errcheck
	p.Unlock()

	procInfo, ok := s.(*processInfo)
	if !ok {
		return fmt.Errorf("internal error - invalid type for process")
	}

	procInfo.Lock()
	defer procInfo.Unlock()

	if procInfo.process == nil {
		return fmt.Errorf("cannot find process for context: %s", contextID)
	}

	req := &rpcwrapper.Request{
		Payload: procInfo.process.Pid,
	}
	resp := &rpcwrapper.Response{}

	c := make(chan error, 1)
	go func() {
		c <- p.rpc.RemoteCall(contextID, remoteenforcer.EnforcerExit, req, resp)
	}()

	select {
	case err := <-c:
		if err != nil && force {
			zap.L().Error("Failed to stop gracefully - forcing kill",
				zap.Error(err))
			procInfo.process.Kill() // nolint
		}
	case <-time.After(5 * time.Second):
		if force {
			zap.L().Error("Time out on terminating remote enforcer - forcing kill")
			procInfo.process.Kill() // nolint
		}
	}

	p.rpc.DestroyRPCClient(contextID)

	return nil
}

// collectChildExitStatus is an async function which collects status for all launched child processes
func (p *RemoteMonitor) collectChildExitStatus(ctx context.Context) {

	defer func() {
		if r := recover(); r != nil {
			zap.L().Error("Policy engine has possibly closed the channel")
			return
		}
	}()

	for {
		select {
		case <-ctx.Done():
			return

		case es := <-p.childExitStatus:

			// if we've already been removed from the activeProcesses then it's an expected exit.
			if err := p.activeProcesses.Remove(es.contextID); err != nil {
				continue
			}

			// ... otherwise the exit was unexpected. Stop the RPC client connection to
			// the remote enforcer and generate a runtime alarm
			p.rpc.DestroyRPCClient(es.contextID)

			if p.runtimeErrorChannel != nil {
				if es.exitStatus != nil {
					zap.L().Error("Remote enforcer exited with an error",
						zap.String("nativeContextID", es.contextID),
						zap.Int("childPid", es.pid),
						zap.Error(es.exitStatus),
					)
					p.runtimeErrorChannel <- &policy.RuntimeError{
						ContextID: es.contextID,
						Error:     fmt.Errorf("remote enforcer terminated: childPid: %d, contextID: %s, exitStatus: %s", es.pid, es.contextID, es.exitStatus.Error()),
					}
				} else {
					zap.L().Warn("Remote enforcer exited",
						zap.String("nativeContextID", es.contextID),
						zap.Int("childPid", es.pid),
					)
					p.runtimeErrorChannel <- &policy.RuntimeError{
						ContextID: es.contextID,
						Error:     fmt.Errorf("remote enforcer terminated: childPid: %d, contextID: %s", es.pid, es.contextID),
					}
				}
			}
		}
	}
}

func getCmdReader(cmd *exec.Cmd) (io.ReadCloser, error) {

	reader, err := cmd.StdoutPipe()
	if err != nil {
		return nil, err
	}

	cmd.Stderr = cmd.Stdout

	return reader, nil
}

// getLaunchProcessCmd returns the os.exec object used to launch the remote enforcerd
func getLaunchProcessCmd(arg string) (cmd *exec.Cmd, cmdName string, cmdArgs []string) {
	cmdArgs = strings.Fields(arg)
	cmdName = constants.RemoteEnforcerPath
	return execCommand(cmdName, cmdArgs...), cmdName, cmdArgs
}

// getLaunchProcessEnvVars returns a slice of env variable strings where each string is in the form of key=value
func (p *RemoteMonitor) getLaunchProcessEnvVars(
	procMountPoint string,
	contextID string,
	randomkeystring string,
	statsServerSecret string,
	refPid int,
	refNSPath string,
	enforcerType policy.EnforcerType,
) []string {

	newEnvVars := []string{
		constants.EnvMountPoint + "=" + procMountPoint,
		constants.EnvContextSocket + "=" + contextID2SocketPath(contextID),
		constants.EnvStatsChannel + "=" + constants.StatsChannel,
		constants.EnvDebugChannel + "=" + constants.DebugChannel,
		constants.EnvRPCClientSecret + "=" + randomkeystring,
		constants.EnvStatsSecret + "=" + statsServerSecret,
		constants.EnvContainerPID + "=" + strconv.Itoa(refPid),
		constants.EnvLogLevel + "=" + p.logLevel,
		constants.EnvLogFormat + "=" + p.logFormat,
		constants.EnvEnforcerType + "=" + enforcerType.String(),
		constants.EnvEnforcerdToolsDir + "=" + utils.GetEnforcerdStartupDir(),
		constants.EnvEnforcerdNFQueues + "=" + p.numQueues,
	}

	newEnvVars = append(newEnvVars, constants.EnvCompressedTags+"="+strconv.Itoa(int(p.compressedTags)))

	if p.logWithID {
		newEnvVars = append(newEnvVars, constants.EnvLogID+"="+contextID)
	}

	// If the PURuntime Specified a NSPath, then it is added as a new env var also.
	if refNSPath != "" {
		newEnvVars = append(newEnvVars, constants.EnvNSPath+"="+refNSPath)
	}

	return newEnvVars
}

// contextID2SocketPath returns the socket path to use for a givent context
func contextID2SocketPath(contextID string) string {

	if contextID == "" {
		zap.L().Fatal("contextID is empty")
	}

	hash, err := policy.Fnv32Hash(contextID)
	if err != nil {
		zap.L().Fatal("unable to hash contextID", zap.Error(err))
	}

	path := filepath.Join(constants.SocketsPath, strings.Replace(hash, "/", "_", -1)+".sock")

	// Validation enforced by Linux.
	// Ref https://man7.org/linux/man-pages/man7/unix.7.html.
	if len(path) > 107 {
		zap.L().Fatal("socket path too long", zap.String("path", path))
	}

	return path
}


================================================
FILE: controller/internal/processmon/processmon_linux_test.go
================================================
// +build linux,!rhel6

package processmon

import (
	"context"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"runtime"
	"testing"

	. "github.com/smartystreets/goconvey/convey"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/utils/rpcwrapper"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/env"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
)

const (
	testDirBase = "/tmp"
)

func TestLaunchProcess(t *testing.T) {

	Convey("Given a test setup for launch", t, func() {
		//Will use refPid to be 1 (init) guaranteed to be there
		//Normal case should launch a process

		refPid := 1
		dir, _ := os.Getwd()
		refNSPath := ""

		err := os.MkdirAll("/tmp/1/ns/net", os.ModePerm)
		So(err, ShouldBeNil)
		defer func() {
			os.RemoveAll("/tmp/1/ns/net") // nolint errcheck
		}()

		err = os.Chdir("testbinary")
		So(err, ShouldBeNil)
		defer os.Chdir(dir) // nolint

		buildCmd := fmt.Sprintf("GOOS=%s GOARCH=%s go build", runtime.GOOS, runtime.GOARCH)

		err = exec.Command("bash", "-c", buildCmd).Run()
		So(err, ShouldBeNil)

		err = exec.Command("cp", "-p", filepath.Join(dir, "testbinary/testbinary"), testDirBase).Run()
		So(err, ShouldBeNil)

		ctx, cancel := context.WithCancel(context.TODO())
		defer cancel()

		errChannel := make(chan *policy.RuntimeError)
		defer cleanupErrChannel(errChannel)

		rpchdl := rpcwrapper.NewTestRPCClient()
		contextID := "pu1"

		pm := New(ctx, &env.RemoteParameters{}, errChannel, rpchdl, 0)
		p, ok := pm.(*RemoteMonitor)
		So(ok, ShouldBeTrue)

		Convey("if the process is already activated, then it should return with initialize false and no error", func() {
			p.activeProcesses.AddOrUpdate(contextID, &processInfo{})

			initialize, err := p.LaunchRemoteEnforcer(contextID, refPid, refNSPath, "", "mysecret", testDirBase, policy.EnforcerMapping)
			So(err, ShouldBeNil)
			So(initialize, ShouldBeFalse)
		})

		Convey("if the process is not already activated and stat fails, it should error and cleanup", func() {
			initialize, err := p.LaunchRemoteEnforcer(contextID, refPid, "", "", "my secret", "/badpath", policy.EnforcerMapping)
			So(err, ShouldNotBeNil)
			So(initialize, ShouldBeFalse)

			_, err = p.activeProcesses.Get(contextID)
			So(err, ShouldNotBeNil)

		})

		Convey("if the process is not already activated and pid stat fails, it should error and cleanup", func() {
			initialize, err := p.LaunchRemoteEnforcer(contextID, 10000, refNSPath, "", "my secret", "/badpath", policy.EnforcerMapping)
			So(err, ShouldNotBeNil)
			So(initialize, ShouldBeFalse)

			_, err = p.activeProcesses.Get(contextID)
			So(err, ShouldNotBeNil)

		})

		Convey("if the process is not already activated and this is the host namespace, it should fail and cleanup", func() {
			rpchdl.MockGetRPCClient(t, func(string) (*rpcwrapper.RPCHdl, error) {
				return nil, nil
			})
			initialize, err := p.LaunchRemoteEnforcer(contextID, refPid, refNSPath, "", "my secret", testDirBase, policy.EnforcerMapping)
			So(err, ShouldNotBeNil)
			So(initialize, ShouldBeFalse)

			_, err = p.activeProcesses.Get(contextID)
			So(err, ShouldNotBeNil)

		})

		Convey("if the process is not already activated and the namespace is there", func() {
			rpchdl.MockGetRPCClient(t, func(string) (*rpcwrapper.RPCHdl, error) {
				return nil, nil
			})
			pid := launchContainer(testDirBase)
			defer killContainer()

			execCommand = fakeExecCommand
			initialize, err := p.LaunchRemoteEnforcer(contextID, pid, refNSPath, "", "my secret", testDirBase, policy.EnforcerMapping)
			So(err, ShouldBeNil)
			So(initialize, ShouldBeTrue)

			_, err = p.activeProcesses.Get(contextID)
			So(err, ShouldBeNil)

		})

	})

}


================================================
FILE: controller/internal/processmon/processmon_test.go
================================================
// +build !windows

package processmon

import (
	"bufio"
	"bytes"
	"context"
	"fmt"
	"math/rand"
	"os"
	"os/exec"
	"path/filepath"
	"strconv"
	"strings"
	"testing"
	"time"

	. "github.com/smartystreets/goconvey/convey"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/utils/rpcwrapper"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/env"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
)

func launchContainer(path string) int {

	var out, out2 bytes.Buffer
	runcmd := exec.Command("docker", "run", "-d", "--name=testprocessmon", "nginx")
	runcmd.Stdout = &out
	runcmd.Run() // nolint: errcheck
	runcmd1 := exec.Command("docker", "inspect", "testprocessmon")
	runcmd1.Stdout = &out2
	runcmd1.Run() // nolint: errcheck
	reader := bytes.NewReader(out2.Bytes())
	scanner := bufio.NewScanner(reader)
	for scanner.Scan() {
		if strings.Contains(scanner.Text(), "Pid") {
			a := strings.Split(scanner.Text(), ":")[1]
			pid, _ := strconv.Atoi(strings.TrimSpace(a[:len(a)-1]))
			if err := os.MkdirAll(filepath.Join(path, fmt.Sprintf("%d/ns/net", pid)), os.ModePerm); err != nil {
				return 0
			}
			return pid
		}
	}
	return 0
}

func killContainer() {

	killcmd := exec.Command("docker", "rm", "-f", "testprocessmon")
	killcmd.Run() // nolint: errcheck
}

func fakeExecCommand(command string, args ...string) *exec.Cmd {
	cs := []string{"-test.run=TestCmdHelper", "--", command}
	cs = append(cs, args...)
	cmd := exec.Command(os.Args[0], cs...)
	cmd.Env = []string{"GO_WANT_HELPER_PROCESS=1"}
	return cmd
}

// cleanup and close the errChannel properly to prevent data race
func cleanupErrChannel(errChannel chan *policy.RuntimeError) {
forLoop:
	for {
		select {
		case <-errChannel:
			break forLoop
		case <-time.After(2 * time.Second):
			break forLoop
		}
	}
	close(errChannel)
}

func TestCmdHelper(t *testing.T) {
	if os.Getenv("GO_WANT_HELPER_PROCESS") != "1" {
		return
	}

	os.Exit(0)
}

func Test_KillRemoteEnforcer(t *testing.T) {
	Convey("Given a test setup for kill ", t, func() {
		ctx, cancel := context.WithCancel(context.TODO())
		defer cancel()

		errChannel := make(chan *policy.RuntimeError)
		defer cleanupErrChannel(errChannel)

		rpchdl := rpcwrapper.NewTestRPCClient()
		contextID := "abcd"

		pm := New(ctx, &env.RemoteParameters{}, errChannel, rpchdl, 0)
		p, ok := pm.(*RemoteMonitor)
		So(ok, ShouldBeTrue)

		Convey("if the process is not already activated, I should get an error", func() {
			err := p.KillRemoteEnforcer(contextID, false)
			So(err, ShouldNotBeNil)
		})

		Convey("if the process info is empty, it should error and should remove it from cache", func() {
			p.activeProcesses.AddOrUpdate(contextID, &processInfo{
				contextID: contextID,
			})

			err := p.KillRemoteEnforcer(contextID, false)
			So(err, ShouldNotBeNil)
			_, err = p.activeProcesses.Get(contextID)
			So(err, ShouldNotBeNil)
		})

		Convey("if the RPC call succeeds, it should complete with no errors", func() {
			p.activeProcesses.AddOrUpdate(contextID, &processInfo{
				contextID: contextID,
				process:   &os.Process{},
			})

			rpchdl.MockRemoteCall(t, func(contextID string, name string, req *rpcwrapper.Request, resp *rpcwrapper.Response) error {
				return nil
			})
			rpchdl.MockDestroyRPCClient(t, func(string) {
			})

			err := p.KillRemoteEnforcer(contextID, false)
			So(err, ShouldBeNil)
			_, err = p.activeProcesses.Get(contextID)
			So(err, ShouldNotBeNil)
		})

		Convey("if the RPC call fails, it should complete with no errors after issuing a kill and its not force", func() {
			p.activeProcesses.AddOrUpdate(contextID, &processInfo{
				contextID: contextID,
				process:   &os.Process{},
			})

			rpchdl.MockRemoteCall(t, func(contextID string, name string, req *rpcwrapper.Request, resp *rpcwrapper.Response) error {
				return fmt.Errorf("some error")
			})
			rpchdl.MockDestroyRPCClient(t, func(string) {
			})

			err := p.KillRemoteEnforcer(contextID, false)
			So(err, ShouldBeNil)
			_, err = p.activeProcesses.Get(contextID)
			So(err, ShouldNotBeNil)
		})

		Convey("if the RPC call fails, it should complete with no errors after issuing a kill and  it is force", func() {
			p.activeProcesses.AddOrUpdate(contextID, &processInfo{
				contextID: contextID,
				process:   &os.Process{},
			})

			rpchdl.MockRemoteCall(t, func(contextID string, name string, req *rpcwrapper.Request, resp *rpcwrapper.Response) error {
				return fmt.Errorf("some error")
			})
			rpchdl.MockDestroyRPCClient(t, func(string) {
			})

			err := p.KillRemoteEnforcer(contextID, false)
			So(err, ShouldBeNil)
			_, err = p.activeProcesses.Get(contextID)
			So(err, ShouldNotBeNil)
		})

		Convey("if the RPC call timesout it should complete with no errors", func() {
			p.activeProcesses.AddOrUpdate(contextID, &processInfo{
				contextID: contextID,
				process:   &os.Process{},
			})

			rpchdl.MockRemoteCall(t, func(contextID string, name string, req *rpcwrapper.Request, resp *rpcwrapper.Response) error {
				time.Sleep(10 * time.Second)
				return fmt.Errorf("time-out-error")
			})
			rpchdl.MockDestroyRPCClient(t, func(string) {
			})

			err := p.KillRemoteEnforcer(contextID, false)
			So(err, ShouldBeNil)
			_, err = p.activeProcesses.Get(contextID)
			So(err, ShouldNotBeNil)
		})
	})
}

func Test_CollectExitStatus(t *testing.T) {
	Convey("Given a test setup for kill ", t, func() {
		ctx, cancel := context.WithCancel(context.TODO())
		defer cancel()

		errChannel := make(chan *policy.RuntimeError)
		defer cleanupErrChannel(errChannel)

		rand.Seed(time.Now().UnixNano())

		rpchdl := rpcwrapper.NewTestRPCClient()
		pid := rand.Intn(299999) + 1
		contextID := strconv.Itoa(rand.Intn(1000000000) + 1)

		pm := New(ctx, &env.RemoteParameters{}, errChannel, rpchdl, 0)
		p, ok := pm.(*RemoteMonitor)
		So(ok, ShouldBeTrue)

		Convey("When I call collectExistStatus in the background, I should get the errors in the channel", func() {
			ctx, cancel := context.WithCancel(context.TODO())
			defer cancel()
			p.activeProcesses.AddOrUpdate(contextID, &processInfo{
				contextID: contextID,
				process:   &os.Process{},
			})

			go p.collectChildExitStatus(ctx)

			p.childExitStatus <- exitStatus{
				pid:        pid,
				contextID:  contextID,
				exitStatus: fmt.Errorf("process error"),
			}

			recievedError := <-errChannel

			So(recievedError, ShouldNotBeNil)
			So(recievedError.ContextID, ShouldEqual, contextID)
			So(recievedError.Error, ShouldNotBeNil)
			So(recievedError.Error.Error(), ShouldResemble, "remote enforcer terminated: childPid: "+strconv.Itoa(pid)+", contextID: "+contextID+", exitStatus: process error")
			_, err := p.activeProcesses.Get(contextID)
			So(err, ShouldNotBeNil)
		})

	})
}


================================================
FILE: controller/internal/processmon/processmon_windows.go
================================================
// +build windows

// Package processmon is to manage and monitor remote enforcers.
package processmon

import (
	"context"

	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/utils/rpcwrapper"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/env"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
)

type remoteMonitor struct {
}

// New is a method to create a new remote process monitor.
func New(ctx context.Context, p *env.RemoteParameters, c chan *policy.RuntimeError, r rpcwrapper.RPCClient, numNfqueues int) ProcessManager {
	return &remoteMonitor{}
}

// LaunchRemoteEnforcer for Windows: does nothing right now
func (p *remoteMonitor) LaunchRemoteEnforcer(
	contextID string,
	refPid int,
	refNSPath string,
	arg string,
	statsServerSecret string,
	procMountPoint string,
	enforcerType policy.EnforcerType,
) (bool, error) {
	return true, nil
}

// KillRemoteEnforcer for Windows: does nothing right now
func (p *remoteMonitor) KillRemoteEnforcer(contextID string, force bool) error {
	return nil
}


================================================
FILE: controller/internal/processmon/testbinary/testbinary.go
================================================
package main

import "fmt"

func main() {
	fmt.Println("Test Binary Executed")
}


================================================
FILE: controller/internal/supervisor/interfaces.go
================================================
package supervisor

import (
	"context"
	"time"

	provider "go.aporeto.io/enforcerd/trireme-lib/controller/pkg/aclprovider"
	"go.aporeto.io/enforcerd/trireme-lib/controller/runtime"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
)

// A Supervisor is implementing the node control plane that captures the packets.
type Supervisor interface {

	// Supervise adds a new supervised processing unit.
	Supervise(contextID string, puInfo *policy.PUInfo) error

	// Unsupervise unsupervises the given PU
	Unsupervise(contextID string) error

	// Start starts the Supervisor.
	Run(ctx context.Context) error

	// SetTargetNetworks sets the target networks of the supervisor
	SetTargetNetworks(cfg *runtime.Configuration) error

	// CleanUp requests the supervisor to clean up all ACLs
	CleanUp() error

	// EnableIPTablesPacketTracing enables ip tables packet tracing
	EnableIPTablesPacketTracing(ctx context.Context, contextID string, interval time.Duration) error
}

// Implementor is the interface of the implementation based on iptables, ipsets, remote etc
type Implementor interface {

	// ConfigureRules configures the rules in the ACLs and datapath
	ConfigureRules(version int, contextID string, containerInfo *policy.PUInfo) error

	// UpdateRules updates the rules with a new version
	UpdateRules(version int, contextID string, containerInfo *policy.PUInfo, oldContainerInfo *policy.PUInfo) error

	// DeleteRules
	DeleteRules(version int, context string, tcpPorts, udpPorts string, mark string, uid string, containerInfo *policy.PUInfo) error

	// SetTargetNetworks sets the target networks of the supervisor
	SetTargetNetworks(cfg *runtime.Configuration) error

	// Start initializes any defaults
	Run(ctx context.Context) error

	// CleanUp requests the implementor to clean up all ACLs
	CleanUp() error

	// ACLProvider returns the ACL provider used by the implementor
	ACLProvider() []provider.IptablesProvider

	// CreateCustomRulesChain creates a custom rules chain if it doesnt exist
	CreateCustomRulesChain() error
}


================================================
FILE: controller/internal/supervisor/iptablesctrl/acls.go
================================================
package iptablesctrl

import (
	"errors"
	"fmt"
	"os"
	"strconv"
	"strings"
	"text/template"

	"github.com/kballard/go-shellquote"
	"github.com/mattn/go-shellwords"
	mgrconstants "go.aporeto.io/cns-agent-mgr/pkg/constants"
	"go.aporeto.io/enforcerd/trireme-lib/common"
	"go.aporeto.io/enforcerd/trireme-lib/controller/constants"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
	markconstants "go.aporeto.io/enforcerd/trireme-lib/utils/constants"
	"go.aporeto.io/gaia/protocols"
	"go.uber.org/zap"
)

const (
	numPackets   = "100"
	initialCount = "99"
)

var (
	cnsAgentBootPid    int
	cnsAgentMgrPid     int
	getEnforcerPID     = func() int { return os.Getpid() }
	getCnsAgentMgrPID  = func() int { return cnsAgentMgrPid }
	getCnsAgentBootPID = func() int { return cnsAgentBootPid }
)

func init() {
	cnsAgentBootPid = -1
	if mgrconstants.IsManagedByCnsAgentManager() {
		cnsAgentBootPid = discoverCnsAgentBootPID()
	}
	cnsAgentMgrPid = -1
	if mgrconstants.IsManagedByCnsAgentManager() {
		cnsAgentMgrPid = os.Getppid()
	}
}

type rulesInfo struct {
	RejectObserveApply    [][]string
	RejectNotObserved     [][]string
	RejectObserveContinue [][]string

	AcceptObserveApply    [][]string
	AcceptNotObserved     [][]string
	AcceptObserveContinue [][]string
	ReverseRules          [][]string
}

// cgroupChainRules provides the rules for redirecting to a processing unit
// specific chain based for Linux processed and based on the cgroups and net_cls
// configuration.
func (i *iptables) cgroupChainRules(cfg *ACLInfo) [][]string {

	if legacyRules, ok := i.legacyPuChainRules(cfg); ok {
		return legacyRules
	}

	tmpl := template.Must(template.New(cgroupCaptureTemplate).Funcs(template.FuncMap{
		"isUDPPorts": func() bool {
			return cfg.UDPPorts != "0"
		},
		"isTCPPorts": func() bool {
			return cfg.TCPPorts != "0"
		},
		"isHostPU": func() bool {
			return cfg.AppSection == HostModeOutput && cfg.NetSection == HostModeInput
		},
		"isProcessPU": func() bool {
			return cfg.PUType == common.LinuxProcessPU || cfg.PUType == common.WindowsProcessPU
		},
		"isIPV6Enabled": func() bool {
			// icmpv6 rules are needed for ipv6
			return cfg.needICMPRules
		},
	}).Parse(cgroupCaptureTemplate))

	rules, err := extractRulesFromTemplate(tmpl, cfg)
	if err != nil {
		zap.L().Warn("unable to extract rules", zap.Error(err))
	}
	rules = append(rules, i.proxyRules(cfg)...)
	rules = append(rules, i.proxyDNSRules(cfg)...)
	return rules
}

// containerChainRules provides the list of rules that are used to send traffic to
// a particular chain
func (i *iptables) containerChainRules(cfg *ACLInfo) [][]string {
	tmpl := template.Must(template.New(containerChainTemplate).Parse(containerChainTemplate))

	rules, err := extractRulesFromTemplate(tmpl, cfg)
	if err != nil {
		zap.L().Warn("unable to extract rules", zap.Error(err))
	}
	rules = append(rules, i.istioRules(cfg)...)
	if i.serviceMeshType == policy.None {
		rules = append(rules, i.proxyRules(cfg)...)
	}
	rules = append(rules, i.proxyDNSRules(cfg)...)
	return rules
}

func (i *iptables) istioRules(cfg *ACLInfo) [][]string {
	if i.serviceMeshType == policy.Istio {
		tmpl := template.Must(template.New(istioChainTemplate).Funcs(template.FuncMap{
			"IstioUID": func() string {
				return IstioUID
			},
		}).Parse(istioChainTemplate))
		rules, err := extractRulesFromTemplate(tmpl, cfg)
		if err != nil {
			zap.L().Warn("unable to extract rules", zap.Error(err))
		}
		zap.L().Debug("configured Istio: ", zap.Any(" rules ", rules))
		return rules
	}
	return nil
}

// proxyRules creates the rules that allow traffic to go through if it is handled
// by the services.
func (i *iptables) proxyRules(cfg *ACLInfo) [][]string {

	tmpl := template.Must(template.New(proxyChainTemplate).Funcs(template.FuncMap{
		"isCgroupSet": func() bool {
			return cfg.CgroupMark != ""
		},
		"enableDNSProxy": func() bool {
			return cfg.DNSServerIP != ""
		},
	}).Parse(proxyChainTemplate))

	rules, err := extractRulesFromTemplate(tmpl, cfg)
	if err != nil {
		zap.L().Warn("unable to extract rules", zap.Error(err))
	}
	return rules
}

func (i *iptables) proxyDNSRules(cfg *ACLInfo) [][]string {
	tmpl := template.Must(template.New(proxyDNSChainTemplate).Funcs(template.FuncMap{
		"isCgroupSet": func() bool {
			return cfg.CgroupMark != ""
		},
		"enableDNSProxy": func() bool {
			return cfg.DNSServerIP != ""
		},
	}).Parse(proxyDNSChainTemplate))

	rules, err := extractRulesFromTemplate(tmpl, cfg)
	if err != nil {
		zap.L().Warn("proxyDNSRules unable to extract rules", zap.Error(err))
	}
	return rules
}

// extractPreNetworkACLRules creates the rules that come before ACL rules.
func (i *iptables) extractPreNetworkACLRules(cfg *ACLInfo) [][]string {

	tmpl := template.Must(template.New(preNetworkACLRuleTemplate).Funcs(template.FuncMap{
		"Increment": func(i int) int {
			return i + 1
		},
	}).Parse(preNetworkACLRuleTemplate))

	rules, err := extractRulesFromTemplate(tmpl, cfg)
	if err != nil {
		zap.L().Warn("unable to extract rules", zap.Error(err))
	}
	return rules
}

// trapRules provides the packet capture rules that are defined for each processing unit.
func (i *iptables) trapRules(cfg *ACLInfo, isHostPU bool, appAnyRules, netAnyRules [][]string) [][]string {

	outputMark, _ := strconv.Atoi(cfg.PacketMark)
	outputMark = outputMark * cfg.NumNFQueues

	tmpl := template.Must(template.New(packetCaptureTemplate).Funcs(template.FuncMap{
		"windowsAllIpsetName": func() string {
			return i.ipsetmanager.GetIPsetPrefix() + "WindowsAllIPs"
		},
		"packetMark": func() string {
			outputMark, _ := strconv.Atoi(cfg.PacketMark)
			outputMark = outputMark * cfg.NumNFQueues
			return strconv.Itoa(outputMark)
		},
		"getOutputMark": func() string {
			m := strconv.Itoa(outputMark)
			outputMark++
			return m
		},
		"queueBalance": func() string {
			return fmt.Sprintf("0:%d", cfg.NumNFQueues-1)
		},
		"isNotContainerPU": func() bool {
			return cfg.PUType != common.ContainerPU
		},
		"needDnsRules": func() bool {
			return isHostPU
		},
		"needICMP": func() bool {
			return cfg.needICMPRules
		},
		"appAnyRules": func() [][]string {
			return appAnyRules
		},
		"netAnyRules": func() [][]string {
			return netAnyRules
		},
		"joinRule": func(rule []string) string {
			return strings.Join(rule, " ")
		},
		"isBPFEnabled": func() bool {
			return i.bpf != nil
		},
		"isHostPU": func() bool {
			return isHostPU
		},
		"Increment": func(i int) int {
			return i + 1
		},
		"isAppDrop": func() bool {
			return strings.EqualFold(cfg.AppDefaultAction, "DROP")
		},
		"isNetDrop": func() bool {
			return strings.EqualFold(cfg.NetDefaultAction, "DROP")
		},
	}).Parse(packetCaptureTemplate))

	rules, err := extractRulesFromTemplate(tmpl, cfg)
	if err != nil {
		zap.L().Warn("unable to extract rules", zap.Error(err))
	}

	return rules
}

// getProtocolAnyRules returns app any acls and net any acls.
func (i *iptables) getProtocolAnyRules(cfg *ACLInfo, appRules, netRules []aclIPset) ([][]string, [][]string, error) {

	appAnyRules, _ := extractProtocolAnyRules(appRules)
	netAnyRules, _ := extractProtocolAnyRules(netRules)

	sortedAppAnyRulesBuckets := i.sortACLsInBuckets(cfg, cfg.AppChain, cfg.NetChain, appAnyRules, true)
	sortedNetAnyRulesBuckets := i.sortACLsInBuckets(cfg, cfg.NetChain, cfg.AppChain, netAnyRules, false)

	sortedAppAnyRules, err := extractACLsFromTemplate(sortedAppAnyRulesBuckets)
	if err != nil {
		return nil, nil, fmt.Errorf("unable extract app protocol any rules: %v", err)
	}

	sortedNetAnyRules, err := extractACLsFromTemplate(sortedNetAnyRulesBuckets)
	if err != nil {
		return nil, nil, fmt.Errorf("unable extract net protocol any rules: %v", err)
	}

	sortedAppAnyRules = transformACLRules(sortedAppAnyRules, cfg, sortedAppAnyRulesBuckets, true)
	sortedNetAnyRules = transformACLRules(sortedNetAnyRules, cfg, sortedNetAnyRulesBuckets, false)

	return sortedAppAnyRules, sortedNetAnyRules, nil
}

func extractACLsFromTemplate(rulesBucket *rulesInfo) ([][]string, error) {

	tmpl := template.Must(template.New(acls).Funcs(template.FuncMap{
		"joinRule": func(rule []string) string {
			return shellquote.Join(rule...)
		},
	}).Parse(acls))

	aclRules, err := extractRulesFromTemplate(tmpl, *rulesBucket)
	if err != nil {
		return nil, fmt.Errorf("unable to extract rules from template: %s", err)
	}

	return aclRules, nil
}

// extractProtocolAnyRules extracts protocol any rules from the set and returns
// protocol any rules and all other rules without any.
func extractProtocolAnyRules(rules []aclIPset) (anyRules []aclIPset, otherRules []aclIPset) {

	for _, rule := range rules {
		for _, proto := range rule.Protocols {

			if proto != constants.AllProtoString {
				otherRules = append(otherRules, rule)
				continue
			}

			anyRules = append(anyRules, rule)
		}
	}

	return anyRules, otherRules
}

// processRulesFromList is a generic helper that parses a set of rules and sends the corresponding
// ACL commands.
func (i *iptables) processRulesFromList(rulelist [][]string, methodType string) error {
	var err error
	for _, cr := range rulelist {
		// HACK: Adding a retry loop to avoid iptables error of "invalid argument"
		// Once in a while iptables
	L:
		for retry := 0; retry < 3; retry++ {
			switch methodType {
			case "Append":
				if err = i.impl.Append(cr[0], cr[1], cr[2:]...); err == nil {
					break L
				}
			case "Insert":
				order, err := strconv.Atoi(cr[2])
				if err != nil {
					zap.L().Error("Incorrect format for iptables insert")
					return errors.New("invalid format")
				}
				if err = i.impl.Insert(cr[0], cr[1], order, cr[3:]...); err == nil {
					break L
				}

			case "Delete":
				if err = i.impl.Delete(cr[0], cr[1], cr[2:]...); err == nil {
					break L
				}

			default:
				return errors.New("invalid method type")
			}
		}
		if err != nil && methodType != "Delete" {
			return fmt.Errorf("unable to %s rule for table %s and chain %s with error %s", methodType, cr[0], cr[1], err)
		}
	}

	return nil
}

// addChainrules implements all the iptable rules that redirect traffic to a chain
func (i *iptables) addChainRules(cfg *ACLInfo) error {
	if i.mode != constants.LocalServer {
		return i.processRulesFromList(i.containerChainRules(cfg), "Append")
	}

	return i.processRulesFromList(i.cgroupChainRules(cfg), "Append")
}

// addPacketTrap adds the necessary iptables rules to capture control packets to user space
func (i *iptables) addPacketTrap(cfg *ACLInfo, isHostPU bool, appAnyRules, netAnyRules [][]string) error {

	return i.processRulesFromList(i.trapRules(cfg, isHostPU, appAnyRules, netAnyRules), "Append")
}

// programExtensionsRules programs iptable rules for the given extensions
func (i *iptables) programExtensionsRules(contextID string, rule *aclIPset, chain, proto, ipMatchDirection, nfLogGroup string) error {

	rulesspec := []string{
		"-p", proto,
		"-m", "set", "--match-set", rule.ipset, ipMatchDirection,
	}

	for _, ext := range rule.Extensions {
		if rule.Policy.Action&policy.Log > 0 {
			if err := i.programNflogExtensionRule(contextID, rule, rulesspec, ext, chain, nfLogGroup); err != nil {
				return fmt.Errorf("unable to program nflog extension: %v", err)
			}
		}

		args, err := shellwords.Parse(ext)
		if err != nil {
			return fmt.Errorf("unable to parse extension %s: %v", ext, err)
		}

		extRulesSpec := append(rulesspec, args...)
		if err := i.impl.Append(appPacketIPTableContext, chain, extRulesSpec...); err != nil {
			return fmt.Errorf("unable to program extension rules: %v", err)
		}
	}

	return nil
}

// WARNING: The extension should always contain the action at the end else,
// the function returns error.
func (i *iptables) programNflogExtensionRule(contextID string, rule *aclIPset, rulesspec []string, ext string, chain, nfLogGroup string) error {

	parts := strings.SplitN(ext, " -j ", 2)
	if len(parts) != 2 {
		return fmt.Errorf("invalid extension format: %s", ext)
	}
	filter, target := parts[0], parts[1]

	if filter == "" || target == "" {
		return fmt.Errorf("filter or target is empty: %s", ext)
	}

	filterArgs, err := shellwords.Parse(filter)
	if err != nil {
		return fmt.Errorf("unable to parse extension %s: %v", ext, err)
	}

	action := "3"
	if target == "DROP" {
		action = "6"
	}

	defaultNflogSuffix := []string{"-m", "state", "--state", "NEW",
		"-j", "NFLOG", "--nflog-group", nfLogGroup, "--nflog-prefix", rule.Policy.LogPrefixAction(contextID, action)}
	filterArgs = append(filterArgs, defaultNflogSuffix...)

	nflogRulesspec := append(rulesspec, filterArgs...)
	return i.impl.Append(appPacketIPTableContext, chain, nflogRulesspec...)
}

// sortACLsInBuckets will process all the rules and add them in a list of buckets
// based on their priority. We need an explicit order of these buckets
// in order to support observation only of ACL actions. The parameters
// must provide the chain and whether it is App or Net ACLs so that the rules
// can be created accordingly.
func (i *iptables) sortACLsInBuckets(cfg *ACLInfo, chain string, reverseChain string, rules []aclIPset, isAppACLs bool) *rulesInfo {

	rulesBucket := &rulesInfo{
		RejectObserveApply:    [][]string{},
		RejectNotObserved:     [][]string{},
		RejectObserveContinue: [][]string{},
		AcceptObserveApply:    [][]string{},
		AcceptNotObserved:     [][]string{},
		AcceptObserveContinue: [][]string{},
		ReverseRules:          [][]string{},
	}

	direction := "src"
	reverse := "dst"
	nflogGroup := "11"
	if isAppACLs {
		direction = "dst"
		reverse = "src"
		nflogGroup = "10"
	}

	for _, rule := range rules {

		for _, proto := range rule.Protocols {

			if !i.impl.ProtocolAllowed(proto) {
				continue
			}

			if i.aclSkipProto(proto) {
				continue
			}

			acls, r := i.generateACLRules(cfg, &rule, chain, reverseChain, nflogGroup, proto, direction, reverse, isAppACLs)
			rulesBucket.ReverseRules = append(rulesBucket.ReverseRules, r...)

			if testReject(rule.Policy) && testObserveApply(rule.Policy) {
				rulesBucket.RejectObserveApply = append(rulesBucket.RejectObserveApply, acls...)
			}

			if testReject(rule.Policy) && testNotObserved(rule.Policy) {
				rulesBucket.RejectNotObserved = append(rulesBucket.RejectNotObserved, acls...)
			}

			if testReject(rule.Policy) && testObserveContinue(rule.Policy) {
				rulesBucket.RejectObserveContinue = append(rulesBucket.RejectObserveContinue, acls...)
			}

			if testAccept(rule.Policy) && testObserveContinue(rule.Policy) {
				rulesBucket.AcceptObserveContinue = append(rulesBucket.AcceptObserveContinue, acls...)
			}

			if testAccept(rule.Policy) && testNotObserved(rule.Policy) {
				rulesBucket.AcceptNotObserved = append(rulesBucket.AcceptNotObserved, acls...)
			}

			if testAccept(rule.Policy) && testObserveApply(rule.Policy) {
				rulesBucket.AcceptObserveApply = append(rulesBucket.AcceptObserveApply, acls...)
			}
		}
	}

	return rulesBucket
}

// addExternalACLs adds a set of rules to the external services that are initiated
// by an application. The allow rules are inserted with highest priority.
func (i *iptables) addExternalACLs(cfg *ACLInfo, chain string, reverseChain string, rules []aclIPset, isAppAcls bool) error {

	_, rules = extractProtocolAnyRules(rules)

	rulesBucket := i.sortACLsInBuckets(cfg, chain, reverseChain, rules, isAppAcls)

	aclRules, err := extractACLsFromTemplate(rulesBucket)
	if err != nil {
		return fmt.Errorf("unable to extract rules from template: %s", err)
	}

	aclRules = transformACLRules(aclRules, cfg, rulesBucket, isAppAcls)

	if err := i.processRulesFromList(aclRules, "Append"); err != nil {
		return fmt.Errorf("unable to install rules - mode :%s %v", err, isAppAcls)
	}

	return nil
}

func (i *iptables) addPreNetworkACLRules(cfg *ACLInfo) error {

	rules := i.extractPreNetworkACLRules(cfg)

	if err := i.processRulesFromList(rules, "Append"); err != nil {
		return fmt.Errorf("unable to install networkd SYN rule : %s", err)
	}

	return nil
}

// deleteChainRules deletes the rules that send traffic to our chain
func (i *iptables) deleteChainRules(cfg *ACLInfo) error {

	if i.mode != constants.LocalServer {
		return i.processRulesFromList(i.containerChainRules(cfg), "Delete")
	}

	return i.processRulesFromList(i.cgroupChainRules(cfg), "Delete")
}

// setGlobalRules installs the global rules
func (i *iptables) setGlobalRules() error {
	cfg, err := i.newACLInfo(0, "", nil, 0)
	if err != nil {
		return err
	}

	_, _, excludedNetworkName := i.ipsetmanager.GetIPsetNamesForTargetAndExcludedNetworks()

	inputMark, _ := strconv.Atoi(cfg.DefaultInputMark) //nolint
	outputMark := 0

	tmpl := template.Must(template.New(globalRules).Funcs(template.FuncMap{
		"isIstioEnabled": func() bool {
			return i.serviceMeshType == policy.Istio
		},
		"IstioRedirPort": func() string {
			return IstioRedirPort
		},
		"getInputMark": func() string {
			m := strconv.Itoa(inputMark)
			inputMark++
			return m
		},
		"getOutputMark": func() string {
			m := strconv.Itoa(outputMark)
			outputMark++
			return m
		},
		"queueBalance": func() string {
			return fmt.Sprintf("0:%d", cfg.NumNFQueues-1)
		},
		"isLocalServer": func() bool {
			return i.mode == constants.LocalServer
		},
		"isBPFEnabled": func() bool {
			return i.bpf != nil
		},
		"enableDNSProxy": func() bool {
			return cfg.DNSServerIP != ""
		},
		"Increment": func(i int) int {
			return i + 1
		},
		"EnforcerPID": func() string {
			return strconv.Itoa(getEnforcerPID())
		},
		"CnsAgentMgrPID": func() string {
			return strconv.Itoa(getCnsAgentMgrPID())
		},
		"CnsAgentBootPID": func() string {
			return strconv.Itoa(getCnsAgentBootPID())
		},
		"isManagedByCnsAgentManager": func() bool {
			return getCnsAgentBootPID() > 0
		},
		"isIPv4": func() bool {
			return i.impl.IPVersion() == IPV4
		},
		"windowsDNSServerName": func() string {
			return i.ipsetmanager.GetIPsetPrefix() + "WindowsDNSServer"
		},
		"isKubernetesPU": func() bool {
			return cfg.PUType == common.KubernetesPU
		},
		"needICMP": func() bool {
			return cfg.needICMPRules
		},
	}).Parse(globalRules))

	rules, err := extractRulesFromTemplate(tmpl, cfg)
	if err != nil {
		zap.L().Warn("unable to extract rules", zap.Error(err))
	}

	if err := i.processRulesFromList(rules, "Append"); err != nil {
		return fmt.Errorf("unable to install global rules:%s", err)
	}

	// Insert the Istio nat rules into the ISTIO_OUTPUT table
	// the following is done so that there is no loop in the dataPath.
	// basically, the envoy packets which are already processed by us, we should
	// accept the packets.
	if i.serviceMeshType == policy.Istio {
		err = i.impl.Insert(appProxyIPTableContext,
			ipTableSectionOutput, 1,
			"-p", "tcp",
			"-m", "mark", "--mark", strconv.Itoa(markconstants.IstioPacketMark),
			"-j", "ACCEPT")
		if err != nil {
			return fmt.Errorf("unable to add Istio accept for marked packets : %s", err)
		}
	}

	// nat rules cannot be templated, since they interfere with Docker.
	err = i.impl.Insert(appProxyIPTableContext,
		ipTableSectionPreRouting, 1,
		"-p", "tcp",
		"-m", "addrtype", "--dst-type", "LOCAL",
		"-m", "set", "!", "--match-set", excludedNetworkName, "src",
		"-j", natProxyInputChain)
	if err != nil {
		return fmt.Errorf("unable to add default allow for marked packets at net: %s", err)
	}

	err = i.impl.Insert(appProxyIPTableContext,
		ipTableSectionOutput, 1,
		"-m", "set", "!", "--match-set", excludedNetworkName, "dst",
		"-j", natProxyOutputChain)
	if err != nil {
		return fmt.Errorf("unable to add default allow for marked packets at net: %s", err)
	}

	return nil
}

func (i *iptables) removeGlobalHooks(cfg *ACLInfo) error {

	tmpl := template.Must(template.New(globalHooks).Funcs(template.FuncMap{
		"isLocalServer": func() bool {
			return i.mode == constants.LocalServer
		},
	}).Parse(globalHooks))

	rules, err := extractRulesFromTemplate(tmpl, cfg)
	if err != nil {
		return fmt.Errorf("unable to create trireme chains:%s", err)
	}

	i.processRulesFromList(rules, "Delete") // nolint
	return nil
}

func (i *iptables) generateACLRules(cfg *ACLInfo, rule *aclIPset, chain string, reverseChain string, nfLogGroup, proto, ipMatchDirection string, reverseDirection string, isAppACLs bool) ([][]string, [][]string) {

	iptRules := [][]string{}
	reverseRules := [][]string{}

	targetTCPName, targetUDPName, _ := i.ipsetmanager.GetIPsetNamesForTargetAndExcludedNetworks()

	observeContinue := rule.Policy.ObserveAction.ObserveContinue()
	contextID := cfg.ContextID

	baseRule := func(proto string) []string {

		iptRule := []string{appPacketIPTableContext, chain}

		if splits := strings.Split(proto, "/"); strings.ToUpper(splits[0]) == protocols.L4ProtocolICMP || strings.ToUpper(splits[0]) == protocols.L4ProtocolICMP6 {
			iptRule = append(iptRule, icmpRule(proto, rule.Ports)...)

			if strings.ToUpper(splits[0]) == protocols.L4ProtocolICMP6 {
				proto = "icmpv6"
			} else {
				proto = "icmp"
			}
		}

		iptRule = append(iptRule, []string{
			"-p", proto,
			"-m", "set", "--match-set", rule.ipset, ipMatchDirection,
		}...)

		if proto == constants.UDPProtoNum || proto == constants.UDPProtoString {
			udpRule := generateUDPACLRule()
			iptRule = append(iptRule, udpRule...)
		}

		if proto == constants.TCPProtoNum || proto == constants.TCPProtoString {
			stateMatch := []string{"-m", "state", "--state", "NEW"}
			iptRule = append(iptRule, stateMatch...)
		}

		// add the target network condition if tcp and not a reject action and is the app chain
		if (rule.Policy.Action&policy.Reject == 0 && isAppACLs) && (proto == constants.TCPProtoNum || proto == constants.TCPProtoString) {
			targetNet := []string{"-m", "set", "!", "--match-set", targetTCPName, ipMatchDirection}
			iptRule = append(iptRule, targetNet...)
		}

		// add the target network condition if tcp and not a reject action and is the app chain
		if (rule.Policy.Action&policy.Reject == 0 && isAppACLs) && (proto == constants.UDPProtoNum || proto == constants.UDPProtoString) {

			targetUDPClause := targetUDPNetworkClause(rule, targetUDPName, ipMatchDirection)
			if len(targetUDPClause) > 0 {
				iptRule = append(iptRule, targetUDPClause...)
			}

		}
		// port match is required only for tcp and udp protocols
		if proto == constants.TCPProtoNum || proto == constants.UDPProtoNum || proto == constants.TCPProtoString || proto == constants.UDPProtoString {

			portMatchSet := []string{"--match", "multiport", "--dports", strings.Join(rule.Ports, ",")}
			iptRule = append(iptRule, portMatchSet...)
		}

		return iptRule
	}

	if err := i.programExtensionsRules(contextID, rule, chain, proto, ipMatchDirection, nfLogGroup); err != nil {
		zap.L().Warn("unable to program extension rules",
			zap.Error(err),
		)
	}

	// If log or observeContinue
	if rule.Policy.Action&policy.Log != 0 || observeContinue {
		state := []string{}
		if proto == constants.TCPProtoNum || proto == constants.UDPProtoNum || proto == constants.TCPProtoString || proto == constants.UDPProtoString {
			state = []string{"-m", "state", "--state", "NEW"}
		}

		nflog := append(state, []string{"-j", "NFLOG", "--nflog-group", nfLogGroup, "--nflog-prefix", rule.Policy.LogPrefix(contextID)}...)
		nfLogRule := append(baseRule(proto), nflog...)

		iptRules = append(iptRules, nfLogRule)
	}

	if !observeContinue {
		if (rule.Policy.Action & policy.Accept) != 0 {
			if proto == constants.UDPProtoNum || proto == constants.UDPProtoString {
				connmarkClause := connmarkUDPConnmarkClause()
				if len(connmarkClause) > 0 {
					connmarkRule := append(baseRule(proto), connmarkClause...)
					iptRules = append(iptRules, connmarkRule)
				}
			}
			acceptRule := append(baseRule(proto), []string{"-j", "ACCEPT"}...)
			iptRules = append(iptRules, acceptRule)
		}

		if rule.Policy.Action&policy.Reject != 0 {
			reject := []string{"-j", "DROP"}
			rejectRule := append(baseRule(proto), reject...)
			iptRules = append(iptRules, rejectRule)
		}

		if rule.Policy.Action&policy.Accept != 0 && (proto == constants.UDPProtoNum || proto == constants.UDPProtoString) {
			reverseRules = append(reverseRules, []string{
				appPacketIPTableContext,
				reverseChain,
				"-p", proto,
				"-m", "set", "--match-set", rule.ipset, reverseDirection,
				"-m", "state", "--state", "ESTABLISHED",
				"-m", "connmark", "--mark", strconv.Itoa(int(markconstants.DefaultExternalConnMark)),
				"-j", "ACCEPT",
			})
		}
	}

	return iptRules, reverseRules
}


================================================
FILE: controller/internal/supervisor/iptablesctrl/acls_darwin.go
================================================
package iptablesctrl

func (i *iptables) aclSkipProto(proto string) bool {
	return false
}

func (i *iptables) legacyPuChainRules(cfg *ACLInfo) ([][]string, bool) {
	return nil, false
}


================================================
FILE: controller/internal/supervisor/iptablesctrl/acls_linux.go
================================================
// +build !rhel6

package iptablesctrl

func (i *iptables) aclSkipProto(proto string) bool {
	return false
}

func (i *iptables) legacyPuChainRules(cfg *ACLInfo) ([][]string, bool) {
	return nil, false
}


================================================
FILE: controller/internal/supervisor/iptablesctrl/acls_nonwindows.go
================================================
// +build !windows

package iptablesctrl

import (
	"fmt"
	"strconv"

	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packet"
	markconstants "go.aporeto.io/enforcerd/trireme-lib/utils/constants"
	"go.uber.org/zap"
)

// discoverCnsAgentBootPID is only used in Windows rules
var discoverCnsAgentBootPID = func() int {
	return -1
}

// addContainerChain adds a chain for the specific container and redirects traffic there
// This simplifies significantly the management and makes the iptable rules more readable
// All rules related to a container are contained within the dedicated chain
func (i *iptables) addContainerChain(cfg *ACLInfo) error {

	appChain := cfg.AppChain
	netChain := cfg.NetChain
	if err := i.impl.NewChain(appPacketIPTableContext, appChain); err != nil {
		return fmt.Errorf("unable to add chain %s of context %s: %s", appChain, appPacketIPTableContext, err)
	}

	// if err := i.impl.NewChain(appProxyIPTableContext, appChain); err != nil {
	// 	return fmt.Errorf("unable to add chain %s of context %s: %s", appChain, appPacketIPTableContext, err)
	// }

	if err := i.impl.NewChain(netPacketIPTableContext, netChain); err != nil {
		return fmt.Errorf("unable to add netchain %s of context %s: %s", netChain, netPacketIPTableContext, err)
	}

	return nil
}

// deletePUChains removes all the container specific chains and basic rules
func (i *iptables) deletePUChains(cfg *ACLInfo) error {

	if err := i.impl.ClearChain(appPacketIPTableContext, cfg.AppChain); err != nil {
		zap.L().Warn("Failed to clear the container ack packets chain",
			zap.String("appChain", cfg.AppChain),
			zap.String("context", appPacketIPTableContext),
			zap.Error(err),
		)
	}

	if err := i.impl.DeleteChain(appPacketIPTableContext, cfg.AppChain); err != nil {
		zap.L().Warn("Failed to delete the container ack packets chain",
			zap.String("appChain", cfg.AppChain),
			zap.String("context", appPacketIPTableContext),
			zap.Error(err),
		)
	}

	if err := i.impl.ClearChain(netPacketIPTableContext, cfg.NetChain); err != nil {
		zap.L().Warn("Failed to clear the container net packets chain",
			zap.String("netChain", cfg.NetChain),
			zap.String("context", netPacketIPTableContext),
			zap.Error(err),
		)
	}

	if err := i.impl.DeleteChain(netPacketIPTableContext, cfg.NetChain); err != nil {
		zap.L().Warn("Failed to delete the container net packets chain",
			zap.String("netChain", cfg.NetChain),
			zap.String("context", netPacketIPTableContext),
			zap.Error(err),
		)
	}

	return nil
}

func transformACLRules(aclRules [][]string, cfg *ACLInfo, rulesBucket *rulesInfo, isAppAcls bool) [][]string {
	// pass through on linux
	return aclRules
}

func (i *iptables) platformInit() error {
	return nil
}

func (i *iptables) cleanACLs() error { // nolint
	cfg, err := i.newACLInfo(0, "", nil, 0)
	if err != nil {
		return err
	}

	// First clear the nat rules
	if err := i.removeGlobalHooks(cfg); err != nil {
		zap.L().Error("unable to remove nat proxy rules")
	}

	// Clean all rules with TRI- sub
	i.impl.ResetRules("TRI-") // nolint: errcheck
	// Always return nil here. No reason to block anything if cleans fail.
	return nil
}

func generateUDPACLRule() []string {
	return []string{"-m", "string", "!", "--string", packet.UDPAuthMarker, "--algo", "bm", "--to", "128"}
}

func targetUDPNetworkClause(rule *aclIPset, targetUDPName string, ipMatchDirection string) []string {
	return []string{"-m", "set", "!", "--match-set", targetUDPName, ipMatchDirection}
}

func connmarkUDPConnmarkClause() []string {
	return []string{"-j", "CONNMARK", "--set-mark", strconv.Itoa(int(markconstants.DefaultExternalConnMark))}
}


================================================
FILE: controller/internal/supervisor/iptablesctrl/acls_rhel6.go
================================================
// +build rhel6

package iptablesctrl

import (
	"strings"
	"text/template"

	"go.aporeto.io/enforcerd/trireme-lib/common"
	"go.aporeto.io/enforcerd/trireme-lib/controller/constants"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
	"go.aporeto.io/gaia/protocols"
	"go.uber.org/zap"
)

const (
	tcpProto  = "tcp"
	icmpProto = "icmp"
	udpProto  = "udp"
)

func (i *iptables) aclSkipProto(proto string) bool {
	if splits := strings.Split(proto, "/"); strings.ToUpper(splits[0]) == protocols.L4ProtocolICMP || strings.ToUpper(splits[0]) == protocols.L4ProtocolICMP6 {
		return true
	}
	return false
}

// This refers to the pu chain rules for pus in older distros like RH 6.9/Ubuntu 14.04. The rules
// consider source ports to identify packets from the process.
func (i *iptables) legacyPuChainRules(cfg *ACLInfo) ([][]string, bool) {
	if !(cfg.PUType == common.HostNetworkPU || cfg.PUType == common.HostPU) {
		return nil, false
	}

	iptableCgroupSection := cfg.AppSection
	iptableNetSection := cfg.NetSection
	rules := [][]string{}
	if cfg.TCPPorts != "0" {
		rules = append(rules, [][]string{
			{
				appPacketIPTableContext,
				iptableCgroupSection,
				"-p", icmpProto,
				"-m", "comment", "--comment", "Server-specific-chain",
				"-j", "MARK", "--set-mark", cfg.PacketMark,
			},
			{
				appPacketIPTableContext,
				iptableCgroupSection,
				"-p", tcpProto,
				"-m", "multiport",
				"--source-ports", cfg.TCPPorts,
				"-m", "comment", "--comment", "Server-specific-chain",
				"-j", "MARK", "--set-mark", cfg.PacketMark,
			},
			{
				appPacketIPTableContext,
				iptableCgroupSection,
				"-p", tcpProto,
				"-m", "multiport",
				"--source-ports", cfg.TCPPorts,
				"-m", "comment", "--comment", "Server-specific-chain",
				"-j", cfg.AppChain,
			},
			{
				netPacketIPTableContext,
				iptableNetSection,
				"-p", tcpProto,
				"-m", "multiport",
				"--destination-ports", cfg.TCPPorts,
				"-m", "comment", "--comment", "Container-specific-chain",
				"-j", cfg.NetChain,
			}}...)
	}

	if cfg.UDPPorts != "0" {
		rules = append(rules, [][]string{
			{
				appPacketIPTableContext,
				iptableCgroupSection,
				"-p", udpProto,
				"-m", "multiport",
				"--source-ports", cfg.UDPPorts,
				"-m", "comment", "--comment", "Server-specific-chain",
				"-j", "MARK", "--set-mark", cfg.PacketMark,
			},
			{
				appPacketIPTableContext,
				iptableCgroupSection,
				"-p", udpProto, "-m", "mark", "--mark", cfg.PacketMark,
				"-m", "addrtype", "--src-type", "LOCAL",
				"-m", "addrtype", "--dst-type", "LOCAL",
				"-m", "state", "--state", "NEW",
				"-j", "NFLOG", "--nflog-group", "10",
				"--nflog-prefix", policy.DefaultLogPrefix(cfg.ContextID, policy.Accept),
			},
			{
				appPacketIPTableContext,
				iptableCgroupSection,
				"-m", "comment", "--comment", "traffic-same-pu",
				"-p", udpProto, "-m", "mark", "--mark", cfg.PacketMark,
				"-m", "addrtype", "--src-type", "LOCAL",
				"-m", "addrtype", "--dst-type", "LOCAL",
				"-j", "ACCEPT",
			},
			{
				appPacketIPTableContext,
				iptableCgroupSection,
				"-p", udpProto,
				"-m", "multiport",
				"--source-ports", cfg.UDPPorts,
				"-m", "comment", "--comment", "Server-specific-chain",
				"-j", cfg.AppChain,
			},
			{
				netPacketIPTableContext,
				iptableNetSection,
				"-m", "comment", "--comment", "traffic-same-pu",
				"-p", udpProto, "-m", "mark", "--mark", cfg.PacketMark,
				"-m", "addrtype", "--src-type", "LOCAL",
				"-m", "addrtype", "--dst-type", "LOCAL",
				"-j", "ACCEPT",
			},
			{
				netPacketIPTableContext,
				iptableNetSection,
				"-p", udpProto,
				"-m", "multiport",
				"--destination-ports", cfg.UDPPorts,
				"-m", "comment", "--comment", "Container-specific-chain",
				"-j", cfg.NetChain,
			}}...)
	}

	if cfg.PUType == common.HostPU {
		// Add a capture all traffic rule for host pu. This traps all traffic going out
		// of the box.

		rules = append(rules, []string{
			appPacketIPTableContext,
			iptableCgroupSection,
			"-m", "comment", "--comment", "capture all outgoing traffic",
			"-j", cfg.AppChain,
		})
		rules = append(rules, []string{
			netPacketIPTableContext,
			iptableNetSection,
			"-m", "comment", "--comment", "capture all outgoing traffic",
			"-j", cfg.NetChain,
		})
	}

	return append(rules, i.legacyProxyRules(cfg.TCPPorts, cfg.ProxyPort, cfg.DestIPSet, cfg.SrvIPSet, cfg.PacketMark, cfg.DNSProxyPort, cfg.DNSServerIP)...), true
}

func (i *iptables) legacyProxyRules(tcpPorts, proxyPort, destSetName, srvSetName, cgroupMark, dnsProxyPort, dnsServerIP string) [][]string {

	aclInfo := ACLInfo{
		MangleTable:         appPacketIPTableContext,
		NatTable:            appProxyIPTableContext,
		MangleProxyAppChain: proxyOutputChain,
		MangleProxyNetChain: proxyInputChain,
		NatProxyNetChain:    natProxyInputChain,
		NatProxyAppChain:    natProxyOutputChain,
		CgroupMark:          cgroupMark,
		DestIPSet:           destSetName,
		SrvIPSet:            srvSetName,
		ProxyPort:           proxyPort,
		ProxyMark:           constants.ProxyMark,
		TCPPorts:            tcpPorts,
		DNSProxyPort:        dnsProxyPort,
		DNSServerIP:         dnsServerIP,
	}

	tmpl := template.Must(template.New(legacyProxyRules).Funcs(template.FuncMap{
		"isCgroupSet": func() bool {
			return cgroupMark != ""
		},
		"enableDNSProxy": func() bool {
			return dnsServerIP != ""
		},
	}).Parse(legacyProxyRules))

	rules, err := extractRulesFromTemplate(tmpl, aclInfo)
	if err != nil {
		zap.L().Warn("unable to extract rules", zap.Error(err))
	}
	return rules
}


================================================
FILE: controller/internal/supervisor/iptablesctrl/acls_windows.go
================================================
// +build windows

package iptablesctrl

import (
	"fmt"
	"os"
	"strings"
	"syscall"
	"unsafe"

	"github.com/kballard/go-shellquote"
	"go.aporeto.io/enforcerd/trireme-lib/controller/constants"
	winipt "go.aporeto.io/enforcerd/trireme-lib/controller/internal/windows"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/ipsetmanager"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packet"

	"go.aporeto.io/enforcerd/trireme-lib/common"
	"go.uber.org/zap"
)

// discoverCnsAgentBootPID finds parent's parent pid on Windows.
// needs to happen early, in case our mgr parent is relaunched.
var discoverCnsAgentBootPID = func() int {
	pppid, err := getGrandparentPid()
	if err != nil {
		zap.L().Error("Could not get CnsAgentBootPID", zap.Error(err))
		return -1
	}
	return pppid
}

func getGrandparentPid() (int, error) {
	ppid := os.Getppid()
	if ppid <= 0 {
		return -1, fmt.Errorf("getGrandparentPid failed to get ppid")
	}
	// from getProcessEntry in syscall_windows.go
	snapshot, err := syscall.CreateToolhelp32Snapshot(syscall.TH32CS_SNAPPROCESS, 0)
	if err != nil {
		return -1, err
	}
	defer syscall.CloseHandle(snapshot) // nolint: errcheck
	var procEntry syscall.ProcessEntry32
	procEntry.Size = uint32(unsafe.Sizeof(procEntry))
	if err = syscall.Process32First(snapshot, &procEntry); err != nil {
		return -1, err
	}
	for {
		if procEntry.ProcessID == uint32(ppid) {
			return int(procEntry.ParentProcessID), nil
		}
		err = syscall.Process32Next(snapshot, &procEntry)
		if err != nil {
			return -1, err
		}
	}
}

func (i *iptables) aclSkipProto(proto string) bool {
	return false
}

func (i *iptables) legacyPuChainRules(cfg *ACLInfo) ([][]string, bool) {
	return nil, false
}

// create ipsets needed for Windows rules
func (i *iptables) platformInit() error {

	ipset := ipsetmanager.IPsetProvider()

	cfg, err := i.newACLInfo(0, "", nil, 0)
	if err != nil {
		return err
	}

	existingSets, err := ipset.ListIPSets()
	if err != nil {
		return err
	}

	setExists := func(s string) bool {
		for _, existing := range existingSets {
			if existing == s {
				return true
			}
		}
		return false
	}

	if !setExists("TRI-v4-WindowsAllIPs") {
		allIPsV4, err := ipset.NewIpset("TRI-v4-WindowsAllIPs", "hash:net", nil)
		if err != nil {
			return err
		}
		err = allIPsV4.Add("0.0.0.0/0", 0)
		if err != nil {
			return err
		}
	}

	if !setExists("TRI-v6-WindowsAllIPs") {
		allIPsV6, err := ipset.NewIpset("TRI-v6-WindowsAllIPs", "hash:net", nil)
		if err != nil {
			return err
		}
		err = allIPsV6.Add("::/0", 0)
		if err != nil {
			return err
		}
	}

	if cfg.DNSServerIP != "" {
		// TRI-v4-WindowsDNSServer is used in a global rule that applies to both IPv4/IPv6,
		// but we need the TRI-v4 prefix on the name so that it is properly cleaned up
		if !setExists("TRI-v4-WindowsDNSServer") {
			dnsIPSet, err := ipset.NewIpset("TRI-v4-WindowsDNSServer", "hash:net", nil)
			if err != nil {
				return err
			}
			switch cfg.DNSServerIP {
			case IPv4DefaultIP, IPv6DefaultIP:
				// in the case of an all-network range (which is the default value), we need to allow all for ipv4+ipv6
				err = dnsIPSet.Add(IPv4DefaultIP, 0)
				if err != nil {
					return err
				}
				err = dnsIPSet.Add(IPv6DefaultIP, 0)
				if err != nil {
					return err
				}
			default:
				// for now, we add
				err = dnsIPSet.Add(cfg.DNSServerIP, 0)
				if err != nil {
					return err
				}
			}
		}
	}

	return nil
}

// addContainerChain for Windows
func (i *iptables) addContainerChain(cfg *ACLInfo) error {
	appChain := cfg.AppChain
	netChain := cfg.NetChain
	if err := i.impl.NewChain(appPacketIPTableContext, appChain); err != nil {
		return fmt.Errorf("unable to add chain %s of context %s: %s", appChain, appPacketIPTableContext, err)
	}
	if err := i.impl.NewChain(netPacketIPTableContext, netChain); err != nil {
		return fmt.Errorf("unable to add netchain %s of context %s: %s", netChain, netPacketIPTableContext, err)
	}
	return nil
}

// deletePUChains removes all the container specific chains and basic rules
func (i *iptables) deletePUChains(cfg *ACLInfo) error {

	if err := i.impl.ClearChain(appPacketIPTableContext, cfg.AppChain); err != nil {
		zap.L().Warn("Failed to clear the container ack packets chain",
			zap.String("appChain", cfg.AppChain),
			zap.String("context", appPacketIPTableContext),
			zap.Error(err),
		)
	}

	if err := i.impl.DeleteChain(appPacketIPTableContext, cfg.AppChain); err != nil {
		zap.L().Warn("Failed to delete the container ack packets chain",
			zap.String("appChain", cfg.AppChain),
			zap.String("context", appPacketIPTableContext),
			zap.Error(err),
		)
	}

	if err := i.impl.ClearChain(netPacketIPTableContext, cfg.NetChain); err != nil {
		zap.L().Warn("Failed to clear the container net packets chain",
			zap.String("netChain", cfg.NetChain),
			zap.String("context", netPacketIPTableContext),
			zap.Error(err),
		)
	}

	if err := i.impl.DeleteChain(netPacketIPTableContext, cfg.NetChain); err != nil {
		zap.L().Warn("Failed to delete the container net packets chain",
			zap.String("netChain", cfg.NetChain),
			zap.String("context", netPacketIPTableContext),
			zap.Error(err),
		)
	}

	return nil
}

// try to merge two acl rules (one log and one accept/drop) into one for Windows
func makeTerminatingRuleFromPair(aclRule1, aclRule2 []string) *winipt.WindowsRuleSpec {

	if aclRule1 == nil || aclRule2 == nil {
		return nil
	}
	winRuleSpec1, err := winipt.ParseRuleSpec(aclRule1[2:]...)
	if err != nil {
		return nil
	}
	winRuleSpec2, err := winipt.ParseRuleSpec(aclRule2[2:]...)
	if err != nil {
		return nil
	}

	// save action/log properties, as long as one rule is an action and the other is nflog
	action := 0
	logPrefix := ""
	groupID := 0
	if action == 0 && winRuleSpec1.Action != 0 && winRuleSpec2.Log {
		action = winRuleSpec1.Action
		logPrefix = winRuleSpec2.LogPrefix
		groupID = winRuleSpec2.GroupID
	}
	if action == 0 && winRuleSpec2.Action != 0 && winRuleSpec1.Log {
		action = winRuleSpec2.Action
		logPrefix = winRuleSpec1.LogPrefix
		groupID = winRuleSpec1.GroupID
	}
	if action == 0 {
		return nil
	}

	// if one is nflog and one is another action, and they are otherwise equal, then combine into one rule
	winRuleSpec1.Log = false
	winRuleSpec1.LogPrefix = ""
	winRuleSpec1.GroupID = 0
	winRuleSpec1.Action = 0
	winRuleSpec2.Log = false
	winRuleSpec2.LogPrefix = ""
	winRuleSpec2.GroupID = 0
	winRuleSpec2.Action = 0
	if winRuleSpec1.Equal(winRuleSpec2) {
		winRuleSpec1.Log = true
		winRuleSpec1.LogPrefix = logPrefix
		winRuleSpec1.GroupID = groupID
		winRuleSpec1.Action = action
		return winRuleSpec1
	}
	return nil
}

// take a parsed acl rule and clean it up, returning an acl rule in []string format
func processWindowsACLRule(table, _ string, winRuleSpec *winipt.WindowsRuleSpec, cfg *ACLInfo, isAppAcls bool) ([]string, error) {
	var chain string
	if isAppAcls {
		chain = cfg.AppChain
	} else {
		chain = cfg.NetChain
	}
	switch cfg.PUType {
	case common.HostPU:
	case common.HostNetworkPU:
		if isAppAcls {
			return nil, nil
		}
		switch winRuleSpec.Protocol {
		case packet.IPProtocolTCP:
		case packet.IPProtocolUDP:
		default:
			return nil, nil
		}
	case common.WindowsProcessPU:
	default:
		return nil, fmt.Errorf("unexpected Windows PU: %v", cfg.PUType)
	}
	rulespec, _ := winipt.MakeRuleSpecText(winRuleSpec, false)

	rule, err := shellquote.Split(rulespec)
	if err != nil {
		return nil, err
	}

	return append([]string{table, chain}, rule...), nil
}

// while not strictly necessary now for Windows, we still try to combine a log (non-terminating rule) and another terminating rule.
func transformACLRules(aclRules [][]string, cfg *ACLInfo, rulesBucket *rulesInfo, isAppAcls bool) [][]string {

	// find the reverse rules and remove them.
	// note: we assume that reverse rules are the ones we add for UDP established reverse flows.
	// we handle this in the windows driver so we don't need a rule for it.
	// again: our driver assumes that all UDP acl rules will have a reverse flow added.
	if rulesBucket != nil {
		for _, rr := range rulesBucket.ReverseRules {
			revTable, revChain := rr[0], rr[1]
			revRule, err := winipt.ParseRuleSpec(rr[2:]...)
			if err != nil {
				zap.L().Error("transformACLRules failed to parse reverse rule", zap.Error(err))
				continue
			}
			found := false
			for i, r := range aclRules {
				rule, err := winipt.ParseRuleSpec(r[2:]...)
				if err != nil {
					zap.L().Error("transformACLRules failed to parse rule", zap.Error(err))
					continue
				}
				table, chain := r[0], r[1]
				if table == revTable && chain == revChain && rule.Equal(revRule) {
					found = true
					aclRules = append(aclRules[:i], aclRules[i+1:]...)
					break
				}
			}
			if !found {
				zap.L().Warn("transformACLRules could not find reverse rule")
			}
		}
	}

	var result [][]string

	// now in the loop, compare successive rules to see if they are equal, disregarding their action or log properties.
	// if they are, then combine them into one rule.
	var aclRule1, aclRule2 []string
	for i := 0; i < len(aclRules) || aclRule1 != nil; i++ {
		if aclRule1 == nil {
			aclRule1 = aclRules[i]
			i++
		}
		if i < len(aclRules) {
			aclRule2 = aclRules[i]
		}
		table, chain := aclRule1[0], aclRule1[1]
		winRule := makeTerminatingRuleFromPair(aclRule1, aclRule2)
		if winRule == nil {
			// not combinable, so work on rule 1
			var err error
			winRule, err = winipt.ParseRuleSpec(aclRule1[2:]...)
			aclRule1 = aclRule2
			aclRule2 = nil
			if err != nil {
				zap.L().Error("transformACLRules failed", zap.Error(err))
				continue
			}
		} else {
			aclRule1 = nil
			aclRule2 = nil
		}
		// process rule
		xformedRule, err := processWindowsACLRule(table, chain, winRule, cfg, isAppAcls)
		if err != nil {
			zap.L().Error("transformACLRules failed", zap.Error(err))
			continue
		}
		if xformedRule != nil {
			result = append(result, xformedRule)
		}
	}

	if result == nil {
		result = [][]string{}
	}
	return result
}

func (i *iptables) cleanACLs() error { // nolint
	cfg, err := i.newACLInfo(0, "", nil, 0)
	if err != nil {
		return err
	}

	// First clear the nat rules
	if err := i.removeGlobalHooks(cfg); err != nil {
		zap.L().Error("unable to remove nat proxy rules")
	}

	// Clean Application Rules/Chains
	i.cleanACLSection(appPacketIPTableContext, constants.ChainPrefix)
	i.cleanACLSection(appProxyIPTableContext, constants.ChainPrefix)

	i.impl.Commit() // nolint

	// Always return nil here. No reason to block anything if cleans fail.
	return nil
}

// cleanACLSection flushes and deletes all chains with Prefix - Trireme
func (i *iptables) cleanACLSection(context, chainPrefix string) {

	rules, err := i.impl.ListChains(context)
	if err != nil {
		zap.L().Warn("Failed to list chains",
			zap.String("context", context),
			zap.Error(err),
		)
	}

	for _, rule := range rules {
		if strings.Contains(rule, chainPrefix) {
			if err := i.impl.ClearChain(context, rule); err != nil {
				zap.L().Warn("Can not clear the chain",
					zap.String("context", context),
					zap.String("section", rule),
					zap.Error(err),
				)
			}
		}
	}

	for _, rule := range rules {
		if strings.Contains(rule, chainPrefix) {
			if err := i.impl.DeleteChain(context, rule); err != nil {
				zap.L().Warn("Can not delete the chain",
					zap.String("context", context),
					zap.String("section", rule),
					zap.Error(err),
				)
			}
		}
	}
}

func generateUDPACLRule() []string {
	//-m", "string", "!", "--string", packet.UDPAuthMarker, "--offset", "4"
	return []string{"-m", "string", "--string", "!", packet.UDPAuthMarker, "--offset", "6"}
}

func targetUDPNetworkClause(rule *aclIPset, targetUDPName string, ipMatchDirection string) []string {
	if !strings.Contains(strings.Join(rule.Ports, ","), "53") {
		return []string{"-m", "set", "!", "--match-set", targetUDPName, ipMatchDirection}
	}
	return []string{}
}

func connmarkUDPConnmarkClause() []string {
	return []string{}
}


================================================
FILE: controller/internal/supervisor/iptablesctrl/acls_windows_test.go
================================================
// +build windows

package iptablesctrl

import (
	"strings"
	"testing"

	"github.com/kballard/go-shellquote"
	. "github.com/smartystreets/goconvey/convey"
	"go.aporeto.io/enforcerd/trireme-lib/common"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/windows"
	"go.aporeto.io/enforcerd/trireme-lib/utils/frontman"
)

const (
	sampleTCPPorts = "80,443"
	sampleUDPPorts = ""
)

func TestTransformACLRuleHost(t *testing.T) {

	Convey("When I parse some acl rules", t, func() {

		var aclRules [][]string
		aclRules = append(aclRules, strings.Split("OUTPUT TRI-App-hostZ7PbqL-0 -p 6 -m set --match-set TRI-v4-ext-cUDEx1114Z2xd dst -m state --state NEW -m set ! --match-set TRI-v4-TargetTCP dst --match multiport --dports 1:65535 -m state --state NEW -j NFLOG --nflog-group 10 --nflog-prefix 531138568:5d6044b9e99572000149d650:5d60448a884e46000145cf67:6", " "))
		aclRules = append(aclRules, strings.Split("OUTPUT TRI-App-hostZ7PbqL-0 -p 6 -m set --match-set TRI-v4-ext-cUDEx1114Z2xd dst -m state --state NEW -m set ! --match-set TRI-v4-TargetTCP dst --match multiport --dports 1:65535 -j DROP", " "))
		aclRules = append(aclRules, strings.Split("OUTPUT TRI-App-hostZ7PbqL-0 -p 17 -m set --match-set TRI-v4-TargetUDP src --match multiport --dports 80,443,8080:8443 -j ACCEPT", " "))
		aclRules = append(aclRules, strings.Split("OUTPUT TRI-App-hostZ7PbqL-0 -p 6 -m set --match-set TRI-v4-ext-z4QRD1114Z2xd dst -m state --state NEW -m set ! --match-set TRI-v4-TargetTCP dst --match multiport --dports 2323 -m state --state NEW -j NFLOG --nflog-group 10 --nflog-prefix 531138568:5d9e2e2d8431510001bcc931:5d61b8f4884e46000146bcd9:3", " "))
		aclRules = append(aclRules, strings.Split("OUTPUT TRI-App-hostZ7PbqL-0 -p 6 -m set --match-set TRI-v4-ext-z4QRD1114Z2xd dst -m state --state NEW -m set ! --match-set TRI-v4-TargetTCP dst --match multiport --dports 2323 -j ACCEPT", " "))
		aclRules = append(aclRules, strings.Split("OUTPUT TRI-App-hostZ7PbqL-0 -p 6 -m state --state NEW -m set --match-set TRI-v4-TargetTCP dst --match multiport --dports 2323 -j ACCEPT", " "))

		aclInfo := &ACLInfo{}
		aclInfo.TCPPorts = sampleTCPPorts
		aclInfo.UDPPorts = sampleUDPPorts
		aclInfo.PUType = common.HostPU

		xformedRules := transformACLRules(aclRules, aclInfo, nil, true)

		Convey("Adjacent like ones should be merged", func() {

			So(xformedRules, ShouldHaveLength, 4)

			// check combined rule 1 and 2
			// OUTPUT HostSvcRules-OUTPUT -p 6 --dports 1:65535 -m set --match-set TRI-v4-ext-cUDEx1114Z2xd dstIP,dstPort -m set ! --match-set TRI-v4-TargetTCP dstIP,dstPort -j DROP -j NFLOG --nflog-group 0 --nflog-prefix 531138568:5d6044b9e99572000149d650:5d60448a884e46000145cf67:6
			rs, err := windows.ParseRuleSpec(xformedRules[0][2:]...)

			So(err, ShouldBeNil)
			So(rs.Protocol, ShouldEqual, 6)
			So(rs.Action, ShouldEqual, frontman.FilterActionBlock)
			So(rs.Log, ShouldBeTrue)
			So(rs.TCPFlagsSpecified, ShouldBeTrue)
			So(rs.TCPFlags, ShouldEqual, 2)
			So(rs.TCPFlagsMask, ShouldEqual, 18)
			So(rs.LogPrefix, ShouldEqual, "531138568:5d6044b9e99572000149d650:5d60448a884e46000145cf67:6")
			So(rs.MatchDstPort, ShouldHaveLength, 1)
			So(rs.MatchDstPort[0].Start, ShouldEqual, 1)
			So(rs.MatchDstPort[0].End, ShouldEqual, 65535)
			So(rs.MatchSet, ShouldHaveLength, 2)
			So(rs.MatchSet[0].MatchSetName, ShouldEqual, "TRI-v4-ext-cUDEx1114Z2xd")
			So(rs.MatchSet[0].MatchSetNegate, ShouldBeFalse)
			So(rs.MatchSet[0].MatchSetSrcIP, ShouldBeFalse)
			So(rs.MatchSet[0].MatchSetSrcPort, ShouldBeFalse)
			So(rs.MatchSet[0].MatchSetDstIP, ShouldBeTrue)
			So(rs.MatchSet[0].MatchSetDstPort, ShouldBeTrue)
			So(rs.MatchSet[1].MatchSetName, ShouldEqual, "TRI-v4-TargetTCP")
			So(rs.MatchSet[1].MatchSetNegate, ShouldBeTrue)
			So(rs.MatchSet[1].MatchSetSrcIP, ShouldBeFalse)
			So(rs.MatchSet[1].MatchSetSrcPort, ShouldBeFalse)
			So(rs.MatchSet[1].MatchSetDstIP, ShouldBeTrue)
			So(rs.MatchSet[1].MatchSetDstPort, ShouldBeTrue)

			// check singular rule 3
			// OUTPUT TRI-App-hostZ7PbqL-0 -p 17 -m set --match-set TRI-v4-TargetUDP src --match multiport --dports 80,443,8080:8443 -j ACCEPT
			rs, err = windows.ParseRuleSpec(xformedRules[1][2:]...)

			So(err, ShouldBeNil)
			So(rs.Protocol, ShouldEqual, 17)
			So(rs.Action, ShouldEqual, frontman.FilterActionAllow)
			So(rs.Log, ShouldBeFalse)
			So(rs.MatchDstPort, ShouldHaveLength, 3)
			So(rs.MatchDstPort[0].Start, ShouldEqual, 80)
			So(rs.MatchDstPort[0].End, ShouldEqual, 80)
			So(rs.MatchDstPort[1].Start, ShouldEqual, 443)
			So(rs.MatchDstPort[1].End, ShouldEqual, 443)
			So(rs.MatchDstPort[2].Start, ShouldEqual, 8080)
			So(rs.MatchDstPort[2].End, ShouldEqual, 8443)
			So(rs.MatchSet, ShouldHaveLength, 1)

			// check combined rule 4 and 5
			// OUTPUT HostSvcRules-OUTPUT -p 6 --dports 2323 -m set --match-set TRI-v4-ext-z4QRD1114Z2xd dstIP,dstPort -m set ! --match-set TRI-v4-TargetTCP dstIP,dstPort -j ACCEPT -j NFLOG --nflog-group 0 --nflog-prefix 531138568:5d9e2e2d8431510001bcc931:5d61b8f4884e46000146bcd9:3
			rs, err = windows.ParseRuleSpec(xformedRules[2][2:]...)

			So(err, ShouldBeNil)
			So(rs.Protocol, ShouldEqual, 6)
			So(rs.Action, ShouldEqual, frontman.FilterActionAllow)
			So(rs.Log, ShouldBeTrue)
			So(rs.LogPrefix, ShouldEqual, "531138568:5d9e2e2d8431510001bcc931:5d61b8f4884e46000146bcd9:3")
			So(rs.MatchDstPort, ShouldHaveLength, 1)
			So(rs.MatchDstPort[0].Start, ShouldEqual, 2323)
			So(rs.MatchDstPort[0].End, ShouldEqual, 2323)
			So(rs.MatchSet, ShouldHaveLength, 2)
			So(rs.MatchSet[0].MatchSetName, ShouldEqual, "TRI-v4-ext-z4QRD1114Z2xd")
			So(rs.MatchSet[0].MatchSetNegate, ShouldBeFalse)
			So(rs.MatchSet[0].MatchSetSrcIP, ShouldBeFalse)
			So(rs.MatchSet[0].MatchSetSrcPort, ShouldBeFalse)
			So(rs.MatchSet[0].MatchSetDstIP, ShouldBeTrue)
			So(rs.MatchSet[0].MatchSetDstPort, ShouldBeTrue)
			So(rs.MatchSet[1].MatchSetName, ShouldEqual, "TRI-v4-TargetTCP")
			So(rs.MatchSet[1].MatchSetNegate, ShouldBeTrue)
			So(rs.MatchSet[1].MatchSetSrcIP, ShouldBeFalse)
			So(rs.MatchSet[1].MatchSetSrcPort, ShouldBeFalse)
			So(rs.MatchSet[1].MatchSetDstIP, ShouldBeTrue)
			So(rs.MatchSet[1].MatchSetDstPort, ShouldBeTrue)

			// check last rule 6
			// OUTPUT TRI-App-hostZ7PbqL-0 -p 6 -m state --state NEW -m set --match-set TRI-v4-TargetTCP dst --match multiport --dports 2323 -j ACCEPT
			rs, err = windows.ParseRuleSpec(xformedRules[3][2:]...)

			So(err, ShouldBeNil)
			So(rs.Protocol, ShouldEqual, 6)
			So(rs.Action, ShouldEqual, frontman.FilterActionAllow)
			So(rs.Log, ShouldBeFalse)
			So(rs.TCPFlagsSpecified, ShouldBeTrue)
			So(rs.TCPFlags, ShouldEqual, 2)
			So(rs.TCPFlagsMask, ShouldEqual, 18)
			So(rs.MatchDstPort, ShouldHaveLength, 1)
			So(rs.MatchDstPort[0].Start, ShouldEqual, 2323)
			So(rs.MatchDstPort[0].End, ShouldEqual, 2323)
			So(rs.MatchSet, ShouldHaveLength, 1)

		})

	})

}

func TestTransformACLRuleHostNet(t *testing.T) {

	Convey("When I parse a set of net acl rules for host pu", t, func() {

		var aclRules [][]string
		aclRules = append(aclRules, strings.Split("OUTPUT TRI-Net-hostZ7PbqL-0 -p 6 -m set --match-set TRI-v6-ext-cUDEx1114Z2xd src -m state --state NEW -m set ! --match-set TRI-v6-TargetTCP src --match multiport --dports 1:65535 -m state --state NEW -j NFLOG --nflog-group 11 --nflog-prefix 3617624947:5d6967333561e000018a3a65:5d60448a884e46000145cf67:3", " "))
		aclRules = append(aclRules, strings.Split("OUTPUT TRI-Net-hostZ7PbqL-0 -p 6 -m set --match-set TRI-v6-ext-cUDEx1114Z2xd src -m state --state NEW -m set ! --match-set TRI-v6-TargetTCP src --match multiport --dports 1:65535 -j ACCEPT", " "))

		aclInfo := &ACLInfo{}
		aclInfo.TCPPorts = sampleTCPPorts
		aclInfo.UDPPorts = sampleUDPPorts
		aclInfo.PUType = common.HostPU

		xformedRules := transformACLRules(aclRules, aclInfo, nil, false)

		Convey("They should be merged to one rule for the HostPU-INPUT chain", func() {

			So(xformedRules, ShouldHaveLength, 1)

			// check combined rule 1 and 2
			// OUTPUT HostPU-INPUT -p 6 --dports 1:65535 -m set --match-set TRI-v6-ext-cUDEx1114Z2xd srcIP,srcPort -m set ! --match-set TRI-v6-TargetTCP srcIP,srcPort -j ACCEPT -j NFLOG --nflog-group 0 --nflog-prefix 3617624947:5d6967333561e000018a3a65:5d60448a884e46000145cf67:3
			rs, err := windows.ParseRuleSpec(xformedRules[0][2:]...)

			So(err, ShouldBeNil)
			So(rs.Protocol, ShouldEqual, 6)
			So(rs.Action, ShouldEqual, frontman.FilterActionAllow)
			So(rs.Log, ShouldBeTrue)
			So(rs.LogPrefix, ShouldEqual, "3617624947:5d6967333561e000018a3a65:5d60448a884e46000145cf67:3")
			So(rs.TCPFlagsSpecified, ShouldBeTrue)
			So(rs.TCPFlags, ShouldEqual, 2)
			So(rs.TCPFlagsMask, ShouldEqual, 18)
			So(rs.MatchDstPort, ShouldHaveLength, 1)
			So(rs.MatchDstPort[0].Start, ShouldEqual, 1)
			So(rs.MatchDstPort[0].End, ShouldEqual, 65535)
			So(rs.MatchSet, ShouldHaveLength, 2)
			So(rs.MatchSet[0].MatchSetName, ShouldEqual, "TRI-v6-ext-cUDEx1114Z2xd")
			So(rs.MatchSet[0].MatchSetNegate, ShouldBeFalse)
			So(rs.MatchSet[0].MatchSetSrcIP, ShouldBeTrue)
			So(rs.MatchSet[0].MatchSetSrcPort, ShouldBeTrue)
			So(rs.MatchSet[0].MatchSetDstIP, ShouldBeFalse)
			So(rs.MatchSet[0].MatchSetDstPort, ShouldBeFalse)
			So(rs.MatchSet[1].MatchSetName, ShouldEqual, "TRI-v6-TargetTCP")
			So(rs.MatchSet[1].MatchSetNegate, ShouldBeTrue)
			So(rs.MatchSet[1].MatchSetSrcIP, ShouldBeTrue)
			So(rs.MatchSet[1].MatchSetSrcPort, ShouldBeTrue)
			So(rs.MatchSet[1].MatchSetDstIP, ShouldBeFalse)
			So(rs.MatchSet[1].MatchSetDstPort, ShouldBeFalse)

		})
	})

}

func TestTransformACLRuleHostSvc(t *testing.T) {

	Convey("When I parse some acl rules for a host service", t, func() {

		var aclRules [][]string
		aclRules = append(aclRules, strings.Split("OUTPUT TRI-App-1114oqLQAD-0 -p 6 -m set --match-set TRI-v4-ext-cUDEx1114Z2xd dst -m state --state NEW -m set ! --match-set TRI-v4-TargetTCP dst --match multiport --dports 1:65535 -m state --state NEW -j NFLOG --nflog-group 10 --nflog-prefix 531138568:5d6044b9e99572000149d650:5d60448a884e46000145cf67:6", " "))
		aclRules = append(aclRules, strings.Split("OUTPUT TRI-App-1114oqLQAD-0 -p 6 -m set --match-set TRI-v4-ext-cUDEx1114Z2xd dst -m state --state NEW -m set ! --match-set TRI-v4-TargetTCP dst --match multiport --dports 1:65535 -j DROP", " "))
		aclRules = append(aclRules, strings.Split("OUTPUT TRI-App-1114oqLQAD-0 -p 17 -m set --match-set TRI-v4-TargetUDP src --match multiport --dports 80,443,8080:8443 -j ACCEPT", " "))
		aclRules = append(aclRules, strings.Split("OUTPUT TRI-App-1114oqLQAD-0 -m set --match-set TRI-v4-ext-z4QRD1114Z2xd dst -m state --state NEW -m set ! --match-set TRI-v4-TargetTCP dst --match multiport --dports 2323 -m state --state NEW -j NFLOG --nflog-group 10 --nflog-prefix 531138568:5d9e2e2d8431510001bcc931:5d61b8f4884e46000146bcd9:3", " "))
		aclRules = append(aclRules, strings.Split("OUTPUT TRI-App-1114oqLQAD-0 -m set --match-set TRI-v4-ext-z4QRD1114Z2xd dst -m state --state NEW -m set ! --match-set TRI-v4-TargetTCP dst --match multiport --dports 2323 -j ACCEPT", " "))

		aclInfo := &ACLInfo{}
		aclInfo.TCPPorts = sampleTCPPorts
		aclInfo.UDPPorts = sampleUDPPorts
		aclInfo.PUType = common.HostNetworkPU

		xformedRules := transformACLRules(aclRules, aclInfo, nil, true)

		Convey("No outgoing rules are kept for host-service PU", func() {

			So(xformedRules, ShouldHaveLength, 0)

		})

	})

}

func TestTransformACLRuleHostSvcNet(t *testing.T) {

	Convey("When I parse a set of net acl rules for a host svc pu", t, func() {

		var aclRules [][]string
		aclRules = append(aclRules, strings.Split("OUTPUT TRI-Net-1114oqLQAD-0 -p 6 -m set --match-set TRI-v4-ext-cUDEx1114Z2xd src -m state --state NEW -m set ! --match-set TRI-v4-TargetTCP src --match multiport --dports 1:65535 -m state --state NEW -j NFLOG --nflog-group 11 --nflog-prefix 531138568:5d6967333561e000018a3a65:5d60448a884e46000145cf67:3", " "))
		aclRules = append(aclRules, strings.Split("OUTPUT TRI-Net-1114oqLQAD-0 -p 6 -m set --match-set TRI-v4-ext-cUDEx1114Z2xd src -m state --state NEW -m set ! --match-set TRI-v4-TargetTCP src --match multiport --dports 1:65535 -j ACCEPT", " "))
		// protocol any rules for input on host-svc should be dropped
		aclRules = append(aclRules, strings.Split("OUTPUT TRI-Net-1114oqLQAD-0 -m set --match-set TRI-v4-ext-dxxgXBWCQy0= src -m state --state NEW -m set ! --match-set TRI-v4-TargetTCP src --match multiport --dports 1:65535 -m state --state NEW -j NFLOG --nflog-group 11 --nflog-prefix 187906336:5e2b46b82e67d60001766eda:5dfd1e479facec0001e5936b:3", " "))
		aclRules = append(aclRules, strings.Split("OUTPUT TRI-Net-1114oqLQAD-0 -m set --match-set TRI-v4-ext-dxxgXBWCQy0= src -m state --state NEW -m set ! --match-set TRI-v4-TargetTCP src --match multiport --dports 1:65535 -j ACCEPT", " "))

		aclInfo := &ACLInfo{}
		aclInfo.TCPPorts = sampleTCPPorts
		aclInfo.UDPPorts = sampleUDPPorts
		aclInfo.PUType = common.HostNetworkPU

		xformedRules := transformACLRules(aclRules, aclInfo, nil, false)

		Convey("They should be merged to one rule for the HostSvcRules-INPUT chain and should have the PU's ports", func() {

			So(xformedRules, ShouldHaveLength, 1)

			// check combined rule 1 and 2
			// dports should be replaced with PU's ports
			// OUTPUT HostSvcRules-INPUT -p 6 --dports 80,443 -m set --match-set TRI-v4-ext-cUDEx1114Z2xd srcIP,srcPort -m set ! --match-set TRI-v4-TargetTCP srcIP,srcPort -j ACCEPT -j NFLOG --nflog-group 0 --nflog-prefix 531138568:5d6967333561e000018a3a65:5d60448a884e46000145cf67:3
			rs, err := windows.ParseRuleSpec(xformedRules[0][2:]...)

			So(err, ShouldBeNil)
			So(rs.Protocol, ShouldEqual, 6)
			So(rs.Action, ShouldEqual, frontman.FilterActionAllow)
			So(rs.Log, ShouldBeTrue)
			So(rs.LogPrefix, ShouldEqual, "531138568:5d6967333561e000018a3a65:5d60448a884e46000145cf67:3")
			So(rs.TCPFlagsSpecified, ShouldBeTrue)
			So(rs.TCPFlags, ShouldEqual, 2)
			So(rs.TCPFlagsMask, ShouldEqual, 18)
			So(rs.MatchSet, ShouldHaveLength, 2)
			So(rs.MatchSet[0].MatchSetName, ShouldEqual, "TRI-v4-ext-cUDEx1114Z2xd")
			So(rs.MatchSet[0].MatchSetNegate, ShouldBeFalse)
			So(rs.MatchSet[0].MatchSetSrcIP, ShouldBeTrue)
			So(rs.MatchSet[0].MatchSetSrcPort, ShouldBeTrue)
			So(rs.MatchSet[0].MatchSetDstIP, ShouldBeFalse)
			So(rs.MatchSet[0].MatchSetDstPort, ShouldBeFalse)
			So(rs.MatchSet[1].MatchSetName, ShouldEqual, "TRI-v4-TargetTCP")
			So(rs.MatchSet[1].MatchSetNegate, ShouldBeTrue)
			So(rs.MatchSet[1].MatchSetSrcIP, ShouldBeTrue)
			So(rs.MatchSet[1].MatchSetSrcPort, ShouldBeTrue)
			So(rs.MatchSet[1].MatchSetDstIP, ShouldBeFalse)
			So(rs.MatchSet[1].MatchSetDstPort, ShouldBeFalse)

		})

	})

}

func TestTransformACLRuleIcmp(t *testing.T) {

	Convey("When I parse a set of net acl rules with an icmp rule", t, func() {

		var aclRules [][]string

		rule, err := shellquote.Split("OUTPUT TRI-Net-hostZ7PbqL-0 -p 1 --icmp-type 3/0:2,6 -j NFLOG --nflog-group 11 --nflog-prefix \"3617624947:5d6967333561e000018a3a65:5d60448a884e46000145cf67:incoming n_3484738895:3\"")
		So(err, ShouldBeNil)

		aclRules = append(aclRules, rule)
		aclRules = append(aclRules, strings.Split("OUTPUT TRI-Net-hostZ7PbqL-0 -p 1 --icmp-type 3/0:2,6 -j ACCEPT", " "))
		aclRules = append(aclRules, strings.Split("OUTPUT TRI-Net-hostZ7PbqL-0 -p 1 --icmp-type 8/0:3,5 -j NFLOG --nflog-group 11 --nflog-prefix 3617624947:5d6967333561e000018a3a65:5d60448a884e46000145cf67:3", " "))
		aclRules = append(aclRules, strings.Split("OUTPUT TRI-Net-hostZ7PbqL-0 -p 1 --icmp-type 8/0:3 -j ACCEPT", " "))

		aclInfo := &ACLInfo{}
		aclInfo.TCPPorts = sampleTCPPorts
		aclInfo.UDPPorts = sampleUDPPorts
		aclInfo.PUType = common.HostPU

		xformedRules := transformACLRules(aclRules, aclInfo, nil, false)

		Convey("They should be merged to one rule for the HostPU-INPUT chain", func() {

			So(xformedRules, ShouldHaveLength, 3)

			// check combined rule 1 and 2
			// OUTPUT HostPU-INPUT -p 1 --icmp-type 3/0:2,6 -j ACCEPT -j NFLOG --nflog-group 11 --nflog-prefix 3617624947:5d6967333561e000018a3a65:5d60448a884e46000145cf67:3
			rs, err := windows.ParseRuleSpec(xformedRules[0][2:]...)

			So(err, ShouldBeNil)
			So(rs.Protocol, ShouldEqual, 1)
			So(rs.Action, ShouldEqual, frontman.FilterActionAllow)
			So(rs.IcmpMatch, ShouldHaveLength, 2)
			So(rs.IcmpMatch[0].IcmpType, ShouldEqual, 3)
			So(rs.IcmpMatch[0].IcmpCodeRange.Start, ShouldEqual, 0)
			So(rs.IcmpMatch[0].IcmpCodeRange.End, ShouldEqual, 2)
			So(rs.IcmpMatch[1].IcmpType, ShouldEqual, 3)
			So(rs.IcmpMatch[1].IcmpCodeRange.Start, ShouldEqual, 6)
			So(rs.IcmpMatch[1].IcmpCodeRange.End, ShouldEqual, 6)
			So(rs.Log, ShouldBeTrue)
			So(rs.LogPrefix, ShouldEqual, "3617624947:5d6967333561e000018a3a65:5d60448a884e46000145cf67:incoming n_3484738895:3")

			// rules 3 and 4 should not be combined (they differ by icmp code)
			rs, err = windows.ParseRuleSpec(xformedRules[1][2:]...)
			So(err, ShouldBeNil)
			So(rs.Protocol, ShouldEqual, 1)
			So(rs.Action, ShouldEqual, frontman.FilterActionContinue)
			So(rs.IcmpMatch, ShouldHaveLength, 2)
			So(rs.IcmpMatch[0].IcmpType, ShouldEqual, 8)
			So(rs.IcmpMatch[0].IcmpCodeRange.Start, ShouldEqual, 0)
			So(rs.IcmpMatch[0].IcmpCodeRange.End, ShouldEqual, 3)
			So(rs.IcmpMatch[1].IcmpType, ShouldEqual, 8)
			So(rs.IcmpMatch[1].IcmpCodeRange.Start, ShouldEqual, 5)
			So(rs.IcmpMatch[1].IcmpCodeRange.End, ShouldEqual, 5)
			So(rs.Log, ShouldBeTrue)
			So(rs.LogPrefix, ShouldEqual, "3617624947:5d6967333561e000018a3a65:5d60448a884e46000145cf67:3")

			rs, err = windows.ParseRuleSpec(xformedRules[2][2:]...)
			So(err, ShouldBeNil)
			So(rs.Protocol, ShouldEqual, 1)
			So(rs.Action, ShouldEqual, frontman.FilterActionAllow)
			So(rs.IcmpMatch, ShouldHaveLength, 1)
			So(rs.IcmpMatch[0].IcmpType, ShouldEqual, 8)
			So(rs.IcmpMatch[0].IcmpCodeRange.Start, ShouldEqual, 0)
			So(rs.IcmpMatch[0].IcmpCodeRange.End, ShouldEqual, 3)
			So(rs.Log, ShouldBeFalse)
			So(rs.LogPrefix, ShouldEqual, "")

		})
	})

	Convey("When I parse a set of app acl rules with an icmp rule", t, func() {

		var aclRules [][]string
		aclRules = append(aclRules, strings.Split("OUTPUT TRI-App-hostZ7PbqL-0 -p 1 --icmp-type 8/1:3 -j NFLOG --nflog-group 10 --nflog-prefix 531138568:5d6044b9e99572000149d650:5d60448a884e46000145cf67:6", " "))
		aclRules = append(aclRules, strings.Split("OUTPUT TRI-App-hostZ7PbqL-0 -p 1 --icmp-type 8/1:3 -j DROP", " "))

		aclInfo := &ACLInfo{}
		aclInfo.TCPPorts = sampleTCPPorts
		aclInfo.UDPPorts = sampleUDPPorts
		aclInfo.PUType = common.HostPU

		xformedRules := transformACLRules(aclRules, aclInfo, nil, true)

		Convey("They should be merged to one rule for the HostPU-OUTPUT chain", func() {

			So(xformedRules, ShouldHaveLength, 1)

			// check combined rule 1 and 2
			// OUTPUT HostPU-OUTPUT -p 1 --icmp-type 8/1:3 -j DROP -j NFLOG --nflog-group 10 --nflog-prefix 531138568:5d6044b9e99572000149d650:5d60448a884e46000145cf67:6
			rs, err := windows.ParseRuleSpec(xformedRules[0][2:]...)

			So(err, ShouldBeNil)
			So(rs.Protocol, ShouldEqual, 1)
			So(rs.Action, ShouldEqual, frontman.FilterActionBlock)
			So(rs.IcmpMatch, ShouldHaveLength, 1)
			So(rs.IcmpMatch[0].IcmpType, ShouldEqual, 8)
			So(rs.IcmpMatch[0].IcmpCodeRange.Start, ShouldEqual, 1)
			So(rs.IcmpMatch[0].IcmpCodeRange.End, ShouldEqual, 3)
			So(rs.Log, ShouldBeTrue)
			So(rs.LogPrefix, ShouldEqual, "531138568:5d6044b9e99572000149d650:5d60448a884e46000145cf67:6")

		})
	})

}


================================================
FILE: controller/internal/supervisor/iptablesctrl/comparators.go
================================================
package iptablesctrl

import "go.aporeto.io/enforcerd/trireme-lib/policy"

func testObserveContinue(p *policy.FlowPolicy) bool {
	return p.ObserveAction.ObserveContinue()
}

func testNotObserved(p *policy.FlowPolicy) bool {
	return !p.ObserveAction.Observed()
}

func testObserveApply(p *policy.FlowPolicy) bool {
	return p.ObserveAction.ObserveApply()
}

func testReject(p *policy.FlowPolicy) bool {
	return (p.Action&policy.Reject != 0)
}

func testAccept(p *policy.FlowPolicy) bool {
	return (p.Action&policy.Accept != 0)
}


================================================
FILE: controller/internal/supervisor/iptablesctrl/constants_nonwindows.go
================================================
// +build !windows

package iptablesctrl

const (
	ipTableSectionOutput     = "OUTPUT"
	ipTableSectionPreRouting = "PREROUTING"
	appPacketIPTableContext  = "mangle"
	netPacketIPTableContext  = "mangle"
	appProxyIPTableContext   = "nat"

	customQOSChainNFHook = "POSTROUTING"
	customQOSChainTable  = "mangle"
	// CustomQOSChain is the name of the chain where users can install custom QOS rules
	CustomQOSChain = "POST-CUSTOM-QOS"
)


================================================
FILE: controller/internal/supervisor/iptablesctrl/constants_windows.go
================================================
// +build windows

package iptablesctrl

const (
	ipTableSectionOutput     = "OUTPUT"
	ipTableSectionPreRouting = "PREROUTING"
	appPacketIPTableContext  = "OUTPUT"
	appProxyIPTableContext   = "OUTPUT"
	customQOSChainNFHook     = "POSTROUTING"
	customQOSChainTable      = "mangle"
	// CustomQOSChain is the name of the chain where users can install custom QOS rules
	CustomQOSChain          = "POST-CUSTOM-QOS"
	netPacketIPTableContext = "INPUT"
)


================================================
FILE: controller/internal/supervisor/iptablesctrl/icmp_linux.go
================================================
// +build !rhel6

package iptablesctrl

/*
#cgo linux LDFLAGS: -L/tmp -lpcap
#include<string.h>
#include<stdlib.h>
#include<pcap.h>

char bpf_program[1500];

char *compileBPF(const char *expr) {
	struct bpf_program program;
	struct bpf_insn *ins;
        char buf[100];
	int i, dlt = DLT_RAW;

	if (pcap_compile_nopcap(65535, dlt, &program, expr, 1,
				PCAP_NETMASK_UNKNOWN)) {
		return NULL;
	}

        if (program.bf_len > 63) {
               return NULL;
        }

	sprintf(bpf_program, "%d,", program.bf_len);
	ins = program.bf_insns;


	for (i = 0; i < program.bf_len-1; ++ins, ++i) {
                sprintf(buf, "%u %u %u %u,", ins->code, ins->jt, ins->jf, ins->k);
                strcat(bpf_program, buf);
        }

        sprintf(buf, "%u %u %u %u", ins->code, ins->jt, ins->jf, ins->k);
        strcat(bpf_program, buf);
	pcap_freecode(&program);
	return bpf_program;
}
*/
import "C"
import (
	"strings"
	"sync"
	"unsafe"

	"go.aporeto.io/gaia/protocols"
)

func icmpRule(icmpTypeCode string, policyRestrictions []string) []string {
	bytecode := getBPFCode(icmpTypeCode, policyRestrictions)
	return []string{"-m", "bpf", "--bytecode", bytecode}
}

func getICMPv6() string {

	genString := func(icmpType string, icmpCode string) string {
		return "(icmp6[0] == " + icmpType + " and icmp6[1] == " + icmpCode + ")"
	}

	routerSolicitation := genString("133", "0")
	routerAdvertisement := genString("134", "0")
	neighborSolicitation := genString("135", "0")
	neighborAdvertisement := genString("136", "0")
	inverseNeighborSolicitation := genString("141", "0")
	inverseNeighborAdvertisement := genString("142", "0")

	s := []string{routerSolicitation,
		routerAdvertisement,
		neighborSolicitation,
		neighborAdvertisement,
		inverseNeighborSolicitation,
		inverseNeighborAdvertisement}

	return strings.Join(s, " or ")
}

var lock sync.Mutex

func compileExprToBPF(expr string) string {
	lock.Lock()
	defer lock.Unlock()

	cExpr := C.CString(expr)
	defer C.free(unsafe.Pointer(cExpr))

	bpfString := C.compileBPF(cExpr)

	return C.GoString(bpfString)
}

func getBPFCode(icmpTypeCode string, policyRestriction []string) string {
	bytecode := compileExprToBPF(generateExpr(icmpTypeCode, policyRestriction))

	// bpf can return empty bytecodes as it is smart to know the expression
	// doesn't have a match. eg. 'icmp and icmp6'. In that case generate
	// and expression which doesn't match anything but bpf still generates byte code for.
	if bytecode == "" {
		bytecode = compileExprToBPF("icmp[0] > 5 and icmp[0] < 5")
	}

	return bytecode
}

func generateExpr(icmpTypeCode string, policyRestriction []string) string {

	processList := func(vs []string, f func(string) string) []string {
		vals := make([]string, len(vs))

		for i, v := range vs {
			vals[i] = f(v)
		}

		return vals
	}

	leafProcessElement := func(f func() string) string {
		return "(" + f() + ")"
	}

	genProto := func(val string) string {
		return leafProcessElement(func() string { return val })
	}

	genType := func(proto, icmpType string) string {

		switch strings.ToUpper(proto) {
		case protocols.L4ProtocolICMP:
			return leafProcessElement(func() string { return "icmp[0] == " + icmpType })
		default:
			return leafProcessElement(func() string { return "icmp6[0] == " + icmpType })
		}
	}

	genCodes := func(proto, val string) string {

		genCode := func(v string) string {

			switch splits := strings.Split(v, ":"); len(splits) {
			case 1:
				switch strings.ToUpper(proto) {
				case protocols.L4ProtocolICMP:
					return leafProcessElement(func() string { return "icmp[1] == " + v })
				default:
					return leafProcessElement(func() string { return "icmp6[1] == " + v })
				}
			default:
				min := splits[0]
				max := splits[1]

				switch strings.ToUpper(proto) {
				case protocols.L4ProtocolICMP:
					minExpr := leafProcessElement(func() string { return "icmp[1] >= " + min })
					maxExpr := leafProcessElement(func() string { return "icmp[1] <= " + max })
					return leafProcessElement(func() string { return minExpr + " and " + maxExpr })
				default:
					minExpr := leafProcessElement(func() string { return "icmp6[1] >= " + min })
					maxExpr := leafProcessElement(func() string { return "icmp6[1] <= " + max })
					return leafProcessElement(func() string { return minExpr + " and " + maxExpr })
				}
			}
		}

		splits := strings.Split(val, ",")
		vals := processList(splits, genCode)

		return leafProcessElement(func() string { return strings.Join(vals, "or") })
	}

	processSingleTypeCode := func(icmpTypeCode string) string {
		expr := ""
		splits := strings.Split(icmpTypeCode, "/")
		proto := splits[0]

		for i, val := range splits {
			switch i {
			case 0:
				expr = genProto(val)
			case 1:
				expr = leafProcessElement(func() string { return expr + " and " + genType(proto, val) })
			case 2:
				expr = leafProcessElement(func() string { return expr + " and " + genCodes(proto, val) })
			}
		}

		return expr
	}

	combined := []string{}
	bpfExprForPolicyRestriction := strings.Join(processList(policyRestriction, processSingleTypeCode), " or ")

	if bpfExprForPolicyRestriction != "" {
		bpfExprForPolicyRestriction = leafProcessElement(func() string { return bpfExprForPolicyRestriction })
		combined = []string{bpfExprForPolicyRestriction}
	}

	bpfExprForExtNet := processSingleTypeCode(icmpTypeCode)

	combined = append(combined, bpfExprForExtNet)
	return leafProcessElement(func() string { return strings.Join(combined, " and ") })
}

var icmpAllow = func() string {
	return compileExprToBPF(getICMPv6())
}

func allowICMPv6(cfg *ACLInfo) {
	cfg.ICMPv6Allow = icmpAllow()
}


================================================
FILE: controller/internal/supervisor/iptablesctrl/icmp_linux_test.go
================================================
// +build !windows,!rhel6

package iptablesctrl

import "testing"

func Test_getICMPv6(t *testing.T) {
	tests := []struct {
		name string
		want string
	}{
		{"icmpv6DefaultAllow", "(icmp6[0] == 133 and icmp6[1] == 0) or (icmp6[0] == 134 and icmp6[1] == 0) or (icmp6[0] == 135 and icmp6[1] == 0) or (icmp6[0] == 136 and icmp6[1] == 0) or (icmp6[0] == 141 and icmp6[1] == 0) or (icmp6[0] == 142 and icmp6[1] == 0)"},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			if got := getICMPv6(); got != tt.want {
				t.Errorf("getICMPv6() = %v, want %v", got, tt.want)
			}
		})
	}
}

func Test_generateExpr(t *testing.T) {
	type args struct {
		icmpTypeCode      string
		policyRestriction []string
	}
	tests := []struct {
		name string
		args args
		want string
	}{
		{"1", args{"icmp", []string{}}, "((icmp))"},
		{"2", args{"icmp6", []string{}}, "((icmp6))"},
		{"3", args{"icmp/1", []string{}}, "(((icmp) and (icmp[0] == 1)))"},
		{"4", args{"icmp6/1", []string{}}, "(((icmp6) and (icmp6[0] == 1)))"},
		{"5", args{"icmp/255", []string{}}, "(((icmp) and (icmp[0] == 255)))"},
		{"6", args{"icmp/1/2", []string{}}, "((((icmp) and (icmp[0] == 1)) and ((icmp[1] == 2))))"},
		{"7", args{"icmp/1/2,3,4", []string{}}, "((((icmp) and (icmp[0] == 1)) and ((icmp[1] == 2)or(icmp[1] == 3)or(icmp[1] == 4))))"},
		{"8", args{"icmp/1/0:255", []string{}}, "((((icmp) and (icmp[0] == 1)) and (((icmp[1] >= 0) and (icmp[1] <= 255)))))"},
		{"9", args{"icmp/1/1,2,3:255", []string{}}, "((((icmp) and (icmp[0] == 1)) and ((icmp[1] == 1)or(icmp[1] == 2)or((icmp[1] >= 3) and (icmp[1] <= 255)))))"},
		{"10", args{"icmp6/255", []string{}}, "(((icmp6) and (icmp6[0] == 255)))"},
		{"11", args{"icmp6/1/2", []string{}}, "((((icmp6) and (icmp6[0] == 1)) and ((icmp6[1] == 2))))"},
		{"12", args{"icmp6/1/2,3,4", []string{}}, "((((icmp6) and (icmp6[0] == 1)) and ((icmp6[1] == 2)or(icmp6[1] == 3)or(icmp6[1] == 4))))"},
		{"13", args{"icmp6/1/0:255", []string{}}, "((((icmp6) and (icmp6[0] == 1)) and (((icmp6[1] >= 0) and (icmp6[1] <= 255)))))"},
		{"14", args{"icmp6/1/1,2,3:255", []string{}}, "((((icmp6) and (icmp6[0] == 1)) and ((icmp6[1] == 1)or(icmp6[1] == 2)or((icmp6[1] >= 3) and (icmp6[1] <= 255)))))"},
		{"15", args{"icmp", []string{"icmp/1/1"}}, "(((((icmp) and (icmp[0] == 1)) and ((icmp[1] == 1)))) and (icmp))"},
		{"16", args{"icmp6", []string{"icmp6/1/0:255"}}, "(((((icmp6) and (icmp6[0] == 1)) and (((icmp6[1] >= 0) and (icmp6[1] <= 255))))) and (icmp6))"},
		{"17", args{"icmp/1", []string{"icmp", "icmp6"}}, "(((icmp) or (icmp6)) and ((icmp) and (icmp[0] == 1)))"},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			if got := generateExpr(tt.args.icmpTypeCode, tt.args.policyRestriction); got != tt.want {
				t.Errorf("generateExpr() = %v, want %v", got, tt.want)
			}
		})
	}
}


================================================
FILE: controller/internal/supervisor/iptablesctrl/icmp_rhel6.go
================================================
// +build rhel6 darwin

package iptablesctrl

func icmpRule(icmpTypeCode string, policyRestrictions []string) []string {
	return []string{}
}

func allowICMPv6(cfg *ACLInfo) {
}


================================================
FILE: controller/internal/supervisor/iptablesctrl/icmp_windows.go
================================================
// +build windows

package iptablesctrl

import (
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/windows"
	"go.uber.org/zap"
)

func allowICMPv6(cfg *ACLInfo) {
	// appropriate rules are in rules_windows.go already
}

func icmpRule(icmpTypeCode string, policyRestrictions []string) []string {
	ruleSub, err := windows.ReduceIcmpProtoString(icmpTypeCode, policyRestrictions)
	if err != nil {
		zap.L().Debug("could not formulate ICMP rule", zap.Error(err))
		// we cannot return empty because it will match all icmp
		ruleSub = windows.GetIcmpNoMatch()
	}
	return ruleSub
}


================================================
FILE: controller/internal/supervisor/iptablesctrl/instance.go
================================================
package iptablesctrl

import (
	"context"
	"fmt"
	"os"
	"strings"

	"go.aporeto.io/enforcerd/trireme-lib/controller/constants"
	provider "go.aporeto.io/enforcerd/trireme-lib/controller/pkg/aclprovider"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/ebpf"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/fqconfig"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/ipsetmanager"
	"go.aporeto.io/enforcerd/trireme-lib/controller/runtime"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
	"go.uber.org/zap"
)

const (
	//IPV4 version for ipv4
	IPV4 = iota
	//IPV6 version for ipv6
	IPV6
)

//Instance is the structure holding the ipv4 and ipv6 handles
type Instance struct {
	iptv4 *iptables
	iptv6 *iptables
}

// SetTargetNetworks updates ths target networks. There are three different
// types of target networks:
//   - TCPTargetNetworks for TCP traffic (by default 0.0.0.0/0)
//   - UDPTargetNetworks for UDP traffic (by default empty)
//   - ExcludedNetworks that are always ignored (by default empty)
func (i *Instance) SetTargetNetworks(c *runtime.Configuration) error {

	if err := i.iptv4.SetTargetNetworks(c); err != nil {
		return err
	}

	if err := i.iptv6.SetTargetNetworks(c); err != nil {
		return err
	}

	return nil
}

// Run starts the iptables controller
func (i *Instance) Run(ctx context.Context) error {

	if err := i.iptv4.Run(ctx); err != nil {
		return err
	}

	if err := i.iptv6.Run(ctx); err != nil {
		return err
	}

	return nil
}

// ConfigureRules implments the ConfigureRules interface. It will create the
// port sets and then it will call install rules to create all the ACLs for
// the given chains. PortSets are only created here. Updates will use the
// exact same logic.
func (i *Instance) ConfigureRules(version int, contextID string, pu *policy.PUInfo) error {
	if err := i.iptv4.ConfigureRules(version, contextID, pu); err != nil {
		return err
	}

	if err := i.iptv6.ConfigureRules(version, contextID, pu); err != nil {
		return err
	}

	return nil
}

// DeleteRules implements the DeleteRules interface. This is responsible
// for cleaning all ACLs and associated chains, as well as ll the sets
// that we have created. Note, that this only clears up the state
// for a given processing unit.
func (i *Instance) DeleteRules(version int, contextID string, tcpPorts, udpPorts string, mark string, username string, containerInfo *policy.PUInfo) error {

	if err := i.iptv4.DeleteRules(version, contextID, tcpPorts, udpPorts, mark, username, containerInfo); err != nil {
		zap.L().Warn("Delete rules for iptables v4 returned error")
	}

	if err := i.iptv6.DeleteRules(version, contextID, tcpPorts, udpPorts, mark, username, containerInfo); err != nil {
		zap.L().Warn("Delete rules for iptables v6 returned error")
	}

	return nil
}

// UpdateRules implements the update part of the interface. Update will call
// installrules to install the new rules and then it will delete the old rules.
// For installations that do not have latests iptables-restore we time
// the operations so that the switch is almost atomic, by creating the new rules
// first. For latest kernel versions iptables-restorce will update all the rules
// in one shot.
func (i *Instance) UpdateRules(version int, contextID string, containerInfo *policy.PUInfo, oldContainerInfo *policy.PUInfo) error {

	if err := i.iptv4.UpdateRules(version, contextID, containerInfo, oldContainerInfo); err != nil {
		return err
	}

	if err := i.iptv6.UpdateRules(version, contextID, containerInfo, oldContainerInfo); err != nil {
		return err
	}

	return nil
}

// CleanUp requires the implementor to clean up all ACLs and destroy all
// the IP sets.
func (i *Instance) CleanUp() error {

	if err := i.iptv4.CleanUp(); err != nil {
		zap.L().Error("Failed to cleanup ipv4 rules")
	}

	if err := i.iptv6.CleanUp(); err != nil {
		zap.L().Error("Failed to cleanup ipv6 rules")
	}

	return nil
}

// CreateCustomRulesChain creates a custom rules chain if it doesnt exist
func (i *Instance) CreateCustomRulesChain() error {
	nonbatchedv4tableprovider, _ := provider.NewGoIPTablesProviderV4([]string{}, CustomQOSChain)
	nonbatchedv6tableprovider, _ := provider.NewGoIPTablesProviderV6([]string{}, CustomQOSChain)
	err := nonbatchedv4tableprovider.NewChain(customQOSChainTable, CustomQOSChain)
	if err != nil {
		zap.L().Debug("Chain already exists", zap.Error(err))

	}
	postroutingchainrulesv4, err := nonbatchedv4tableprovider.ListRules(customQOSChainTable, customQOSChainNFHook)
	if err != nil {
		zap.L().Error("ListRules returned error", zap.Error(err))
		return err
	}
	checkCustomRulesv4 := func() bool {
		for _, rule := range postroutingchainrulesv4 {
			if strings.Contains(rule, CustomQOSChain) {
				return true
			}
		}
		return false
	}
	if !checkCustomRulesv4() {
		if err := nonbatchedv4tableprovider.Insert(customQOSChainTable, customQOSChainNFHook, 1,
			"-m", "addrtype",
			"--src-type", "LOCAL",
			"-j", CustomQOSChain,
		); err != nil {
			zap.L().Debug("Unable to create ipv4 custom rule", zap.Error(err))
		}
	}

	err = nonbatchedv6tableprovider.NewChain(customQOSChainTable, CustomQOSChain)
	if err != nil {
		zap.L().Debug("Chain already exists", zap.Error(err))
	}
	postroutingchainrulesv6, err := nonbatchedv6tableprovider.ListRules(customQOSChainTable, customQOSChainNFHook)
	if err != nil {
		return err
	}
	checkCustomRulesv6 := func() bool {
		for _, rule := range postroutingchainrulesv6 {
			if strings.Contains(rule, CustomQOSChain) {
				return true
			}
		}
		return false
	}
	if !checkCustomRulesv6() {
		if err := nonbatchedv6tableprovider.Append(customQOSChainTable, customQOSChainNFHook,
			"-m", "addrtype",
			"--src-type", "LOCAL",
			"-j", CustomQOSChain,
		); err != nil {
			zap.L().Debug("Unable to create ipv6 custom rule", zap.Error(err))
		}
	}

	return nil
}

// NewInstance creates a new iptables controller instance
func NewInstance(fqc fqconfig.FilterQueue, mode constants.ModeType, ipv6Enabled bool, ebpf ebpf.BPFModule, iptablesLockfile string, serviceMeshType policy.ServiceMesh) (*Instance, error) {

	// our iptables binary `aporeto-iptables` uses the environment variable XT_LOCK_NAME
	// to set the iptables lockfile. Standard iptables does not look at this environment variable
	if iptablesLockfile != "" {
		if err := os.Setenv("XT_LOCK_NAME", iptablesLockfile); err != nil {
			return nil, fmt.Errorf("unable to set XT_LOCK_NAME: %s", err)
		}
	}

	ipv4Impl, err := GetIPv4Impl()
	if err != nil {
		return nil, fmt.Errorf("unable to create ipv4 instance: %s", err)
	}

	ipsetV4 := ipsetmanager.V4()
	iptInstanceV4 := createIPInstance(ipv4Impl, ipsetV4, fqc, mode, ebpf, serviceMeshType)

	ipv6Impl, err := GetIPv6Impl(ipv6Enabled)
	if err != nil {
		return nil, fmt.Errorf("unable to create ipv6 instance: %s", err)
	}

	ipsetV6 := ipsetmanager.V6()
	iptInstanceV6 := createIPInstance(ipv6Impl, ipsetV6, fqc, mode, ebpf, serviceMeshType)

	return newInstanceWithProviders(iptInstanceV4, iptInstanceV6)
}

// newInstanceWithProviders is called after ipt and ips have been created. This helps
// with all the unit testing to be able to mock the providers.
func newInstanceWithProviders(iptv4 *iptables, iptv6 *iptables) (*Instance, error) {

	i := &Instance{
		iptv4: iptv4,
		iptv6: iptv6,
	}

	return i, nil
}

// ACLProvider returns the current ACL provider that can be re-used by other entities.
func (i *Instance) ACLProvider() []provider.IptablesProvider {
	return []provider.IptablesProvider{i.iptv4.impl, i.iptv6.impl}
}


================================================
FILE: controller/internal/supervisor/iptablesctrl/ipsets.go
================================================
package iptablesctrl

import (
	"fmt"
	"strconv"

	provider "go.aporeto.io/trireme-lib/controller/pkg/aclprovider"
	"go.aporeto.io/trireme-lib/policy"
	"go.uber.org/zap"
)

// updateTargetNetworks updates the set of target networks. Tries to minimize
// read/writes to the ipset structures
func (i *iptables) updateTargetNetworks(set provider.Ipset, old, new []string) error {

	deleteMap := map[string]bool{}
	for _, net := range old {
		deleteMap[net] = true
	}

	for _, net := range new {
		if _, ok := deleteMap[net]; ok {
			deleteMap[net] = false
			continue
		}
		if err := i.aclmanager.AddToIPset(set, net); err != nil {
			return fmt.Errorf("unable to update target set: %s", err)
		}
	}

	for net, delete := range deleteMap {
		if delete {
			if err := i.aclmanager.DelFromIPset(set, net); err != nil {
				zap.L().Debug("unable to remove network from set", zap.Error(err))
			}
		}
	}
	return nil
}

// createProxySet creates a new target set -- ipportset is a list of {ip,port}
func (i *iptables) createProxySets(portSetName string) error {
	destSetName, srvSetName := i.getSetNames(portSetName)

	_, err := i.ipset.NewIpset(destSetName, "hash:net,port", i.impl.GetIPSetParam())
	if err != nil {
		return fmt.Errorf("unable to create ipset for %s: %s", destSetName, err)
	}

	// create ipset for port match
	_, err = i.ipset.NewIpset(srvSetName, proxySetPortIpsetType, nil)
	if err != nil {
		return fmt.Errorf("unable to create ipset for %s: %s", srvSetName, err)
	}

	return nil
}

func (i *iptables) updateProxySet(policy *policy.PUPolicy, portSetName string) error {

	ipFilter := i.impl.IPFilter()
	dstSetName, srvSetName := i.getSetNames(portSetName)
	vipTargetSet := i.ipset.GetIpset(dstSetName)
	if ferr := vipTargetSet.Flush(); ferr != nil {
		zap.L().Warn("Unable to flush the vip proxy set")
	}

	for _, dependentService := range policy.DependentServices() {
		addresses := dependentService.NetworkInfo.Addresses
		min, max := dependentService.NetworkInfo.Ports.Range()
		for _, addr := range addresses {
			if ipFilter(addr.IP) {
				for i := int(min); i <= int(max); i++ {
					pair := addr.String() + "," + strconv.Itoa(i)
					if err := vipTargetSet.Add(pair, 0); err != nil {
						return fmt.Errorf("unable to add dependent ip %s to target networks ipset: %s", pair, err)
					}
				}
			}
		}
	}

	srvTargetSet := i.ipset.GetIpset(srvSetName)
	if ferr := srvTargetSet.Flush(); ferr != nil {
		zap.L().Warn("Unable to flush the pip proxy set")
	}

	for _, exposedService := range policy.ExposedServices() {
		min, max := exposedService.PrivateNetworkInfo.Ports.Range()
		for i := int(min); i <= int(max); i++ {
			if err := srvTargetSet.Add(strconv.Itoa(i), 0); err != nil {
				zap.L().Error("Failed to add vip", zap.Error(err))
				return fmt.Errorf("unable to add ip %d to target ports ipset: %s", i, err)
			}
		}
		if exposedService.PublicNetworkInfo != nil {
			min, max := exposedService.PublicNetworkInfo.Ports.Range()
			for i := int(min); i <= int(max); i++ {
				if err := srvTargetSet.Add(strconv.Itoa(i), 0); err != nil {
					zap.L().Error("Failed to VIP for public network", zap.Error(err))
					return fmt.Errorf("Failed to program VIP: %s", err)
				}
			}
		}
	}
	return nil
}

//getSetNamePair returns a pair of strings represent proxySetNames
func (i *iptables) getSetNames(portSetName string) (string, string) {
	return portSetName + "-dst", portSetName + "-srv"
}


================================================
FILE: controller/internal/supervisor/iptablesctrl/iptables.go
================================================
package iptablesctrl

import (
	"context"
	"errors"
	"fmt"
	"net"
	"strconv"
	"text/template"

	"go.aporeto.io/enforcerd/trireme-lib/controller/constants"
	provider "go.aporeto.io/enforcerd/trireme-lib/controller/pkg/aclprovider"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/ebpf"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/fqconfig"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/ipsetmanager"
	"go.aporeto.io/enforcerd/trireme-lib/controller/runtime"
	"go.aporeto.io/enforcerd/trireme-lib/monitor/extractors"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
	"go.uber.org/zap"
)

const (
	mainAppChain        = constants.ChainPrefix + "App"
	mainNetChain        = constants.ChainPrefix + "Net"
	appChainPrefix      = constants.ChainPrefix + "App-"
	netChainPrefix      = constants.ChainPrefix + "Net-"
	natProxyOutputChain = constants.ChainPrefix + "Redir-App"
	natProxyInputChain  = constants.ChainPrefix + "Redir-Net"
	proxyOutputChain    = constants.ChainPrefix + "Prx-App"
	proxyInputChain     = constants.ChainPrefix + "Prx-Net"
	istioChain          = constants.ChainPrefix + "Istio"

	// TriremeInput represent the chain that contains pu input rules.
	TriremeInput = constants.ChainPrefix + "Pid-Net"
	// TriremeOutput represent the chain that contains pu output rules.
	TriremeOutput = constants.ChainPrefix + "Pid-App"

	// NetworkSvcInput represent the chain that contains NetworkSvc input rules.
	NetworkSvcInput = constants.ChainPrefix + "Svc-Net"

	// NetworkSvcOutput represent the chain that contains NetworkSvc output rules.
	NetworkSvcOutput = constants.ChainPrefix + "Svc-App"

	// HostModeInput represent the chain that contains Hostmode input rules.
	HostModeInput = constants.ChainPrefix + "Hst-Net"

	// HostModeOutput represent the chain that contains Hostmode output rules.
	HostModeOutput = constants.ChainPrefix + "Hst-App"
	// NfqueueOutput represents the chain that contains the nfqueue output rules
	NfqueueOutput = constants.ChainPrefix + "Nfq-OUT"
	// NfqueueInput represents the chain that contains the nfqueue input rules
	NfqueueInput = constants.ChainPrefix + "Nfq-IN"
	// IstioUID is the UID of the istio-proxy(envoy) that is used in the iptables to identify the
	// envoy generated traffic
	IstioUID = "1337"
	// IstioRedirPort is the port where the App traffic from the output chain
	// is redirected into Istio-proxy, we need to accept this traffic as we don't to come in between
	// APP --> Envoy traffic.
	IstioRedirPort = "15001"
)

type iptables struct {
	impl            IPImpl
	fqc             fqconfig.FilterQueue
	mode            constants.ModeType
	ipsetmanager    ipsetmanager.IPSetManager
	bpf             ebpf.BPFModule
	serviceMeshType policy.ServiceMesh
}

// IPImpl interface is to be used by the iptable implentors like ipv4 and ipv6.
type IPImpl interface {
	provider.IptablesProvider
	IPVersion() int
	ProtocolAllowed(proto string) bool
	IPFilter() func(net.IP) bool
	GetDefaultIP() string
	NeedICMP() bool
}

type ipFilter func(net.IP) bool

func createIPInstance(impl IPImpl, ipsetmanager ipsetmanager.IPSetManager, fqc fqconfig.FilterQueue, mode constants.ModeType, ebpf ebpf.BPFModule, ServiceMeshType policy.ServiceMesh) *iptables {

	return &iptables{
		impl:            impl,
		fqc:             fqc,
		mode:            mode,
		ipsetmanager:    ipsetmanager,
		bpf:             ebpf,
		serviceMeshType: ServiceMeshType,
	}
}

func (i *iptables) SetTargetNetworks(c *runtime.Configuration) error {
	if c == nil {
		return nil
	}

	tcp := c.TCPTargetNetworks
	udp := c.UDPTargetNetworks
	excluded := c.ExcludedNetworks

	// If there are no target networks, capture all traffic
	if len(tcp) == 0 {
		tcp = []string{IPv4DefaultIP, IPv6DefaultIP}
	}

	return i.ipsetmanager.UpdateIPsetsForTargetAndExcludedNetworks(tcp, udp, excluded)
}

func (i *iptables) Run(ctx context.Context) error {

	// Clean any previous ACLs. This is needed in case we crashed at some
	// earlier point or there are other ACLs that create conflicts. We
	// try to clean only ACLs related to Trireme.
	if err := i.cleanACLs(); err != nil {
		return fmt.Errorf("Unable to clean previous acls while starting the supervisor: %s", err)
	}

	if err := i.ipsetmanager.DestroyAllIPsets(); err != nil {
		zap.L().Debug("ipset destroy all ipset returned error", zap.Error(err))
	}

	if err := i.ipsetmanager.CreateIPsetsForTargetAndExcludedNetworks(); err != nil {
		if err1 := i.ipsetmanager.DestroyAllIPsets(); err1 != nil {
			zap.L().Debug("ipset destroy all ipset returned error", zap.Error(err1))
		}
		return fmt.Errorf("unable to create target network ipsets: %s", err)
	}

	// Windows needs to initialize some ipsets
	if err := i.platformInit(); err != nil {
		return err
	}

	// Initialize all the global Trireme chains. There are several global chaims
	// that apply to all PUs:
	// Tri-App/Tri-Net are the main chains for the egress/ingress directions
	// UID related chains for any UID PUs.
	// Host, Service, Pid chains for the different modes of operation (host mode, pu mode, host service).
	// The priority is explicit (Pid activations take precedence of Service activations and Host Services)
	if err := i.initializeChains(); err != nil {
		return fmt.Errorf("Unable to initialize chains: %s", err)
	}

	// Insert the global ACLS. These are the main ACLs that will direct traffic from
	// the INPUT/OUTPUT chains to the Trireme chains. They also includes the main
	// rules of the main chains. These rules are never touched again, unless
	// if we gracefully terminate.
	if err := i.setGlobalRules(); err != nil {
		return fmt.Errorf("failed to update synack networks: %s", err)
	}

	if err := i.impl.Commit(); err != nil {
		return err
	}

	return nil
}

func (i *iptables) ConfigureRules(version int, contextID string, pu *policy.PUInfo) error {
	var err error
	var cfg *ACLInfo

	// First we create an IPSet for destination matching ports. This only
	// applies to Linux type PUs. A port set is associated with every PU,
	// and packets matching this destination get associated with the context
	// of the PU.
	if i.mode != constants.RemoteContainer {
		if err = i.ipsetmanager.CreateServerPortSet(contextID); err != nil {
			return err
		}
	}

	// Create the proxy sets. These are the target sets that will match
	// traffic towards the L4 and L4 services. There are two sets created
	// for every PU in this context (for outgoing and incoming traffic).
	// The outgoing sets capture all traffic towards specific destinations
	// as proxied traffic. Incoming sets correspond to the listening
	// services.
	// create proxySets only if there is no serviceMesh.
	if i.serviceMeshType == policy.None {
		if err := i.ipsetmanager.CreateProxySets(contextID); err != nil {
			return err
		}
	}

	// We create the generic ACL object that is used for all the templates.
	cfg, err = i.newACLInfo(version, contextID, pu, pu.Runtime.PUType())
	if err != nil {
		return err
	}

	// At this point we can install all the ACL rules that will direct
	// traffic to user space, allow for external access or direct
	// traffic towards the proxies
	if err = i.installRules(cfg, pu); err != nil {
		return err
	}

	// We commit the ACLs at the end. Note, that some of the ACLs in the
	// NAT table are not committed as a group. The commit function only
	// applies when newer versions of tables are installed (1.6.2 and above).
	if err = i.impl.Commit(); err != nil {
		zap.L().Error("unable to configure rules", zap.Error(err))
		return err
	}

	return nil
}

func (i *iptables) DeleteRules(version int, contextID string, tcpPorts, udpPorts string, mark string, username string, containerInfo *policy.PUInfo) error {
	cfg, err := i.newACLInfo(version, contextID, nil, containerInfo.Runtime.PUType())
	if err != nil {
		zap.L().Error("unable to create cleanup configuration", zap.Error(err))
		return err
	}
	if i.mode == constants.LocalServer {
		cfg.PacketMark = mark
	}
	cfg.UDPPorts = udpPorts
	cfg.TCPPorts = tcpPorts
	cfg.CgroupMark = mark
	cfg.Mark = mark

	cfg.PUType = containerInfo.Runtime.PUType()
	cfg.ProxyPort = containerInfo.Policy.ServicesListeningPort()
	cfg.DNSProxyPort = containerInfo.Policy.DNSProxyPort()
	// We clean up the chain rules first, so that we can delete the chains.
	// If any rule is not deleted, then the chain will show as busy.
	if err := i.deleteChainRules(cfg); err != nil {
		zap.L().Warn("Failed to clean rules", zap.Error(err))
	}

	// We can now delete the chains we have created for this PU. Note that
	// in every case we only create two chains for every PU. All other
	// chains are global.
	if err = i.deletePUChains(cfg); err != nil {
		zap.L().Warn("Failed to clean container chains while deleting the rules", zap.Error(err))
	}

	// We call commit to update all the changes, before destroying the ipsets.
	// References must be deleted for ipset deletion to succeed.
	if err := i.impl.Commit(); err != nil {
		zap.L().Warn("Failed to commit ACL changes", zap.Error(err))
	}

	if i.mode != constants.RemoteContainer {
		// We delete the set that captures all destination ports of the
		// PU. This only holds for Linux PUs.
		if err := i.ipsetmanager.DestroyServerPortSet(contextID); err != nil {
			zap.L().Warn("Failed to remove port set")
		}
	}

	// if serviceMesh is enabled then don't detroy the proxySets as we have not create them.
	if i.serviceMeshType == policy.None {
		// We delete the proxy port sets that were created for this PU.
		i.ipsetmanager.DestroyProxySets(contextID)
	}
	return nil
}

func (i *iptables) UpdateRules(version int, contextID string, containerInfo *policy.PUInfo, oldContainerInfo *policy.PUInfo) error {
	policyrules := containerInfo.Policy
	if policyrules == nil {
		return errors.New("policy rules cannot be nil")
	}

	// We cache the old config and we use it to delete the previous
	// rules. Every time we update the policy the version changes to
	// its binary complement.
	newCfg, err := i.newACLInfo(version, contextID, containerInfo, containerInfo.Runtime.PUType())
	if err != nil {
		return err
	}

	oldCfg, err := i.newACLInfo(version^1, contextID, oldContainerInfo, containerInfo.Runtime.PUType())
	if err != nil {
		return err
	}

	// Install all the new rules. The hooks to the new chains are appended
	// and do not take effect yet.
	if err := i.installRules(newCfg, containerInfo); err != nil {
		return err
	}

	// Remove mapping from old chain. By removing the old hooks the new
	// hooks take priority.
	if err := i.deleteChainRules(oldCfg); err != nil {
		return err
	}

	// Delete the old chains, since there are not references any more.
	if err := i.deletePUChains(oldCfg); err != nil {
		return err
	}

	// Commit all actions in on iptables-restore function.
	if err := i.impl.Commit(); err != nil {
		return err
	}

	return nil
}

func (i *iptables) CleanUp() error {

	if err := i.cleanACLs(); err != nil {
		zap.L().Error("Failed to clean acls while stopping the supervisor", zap.Error(err))
	}

	if err := i.ipsetmanager.DestroyAllIPsets(); err != nil {
		zap.L().Error("Failed to clean up ipsets", zap.Error(err))
	}

	i.ipsetmanager.Reset()

	return nil
}

// InitializeChains initializes the chains.
func (i *iptables) initializeChains() error {

	cfg, err := i.newACLInfo(0, "", nil, 0)
	if err != nil {
		return err
	}
	tmpl := template.Must(template.New(triremChains).Funcs(template.FuncMap{
		"isLocalServer": func() bool {
			return i.mode == constants.LocalServer
		},
		"isIstioEnabled": func() bool {
			return i.serviceMeshType == policy.Istio
		},
	}).Parse(triremChains))

	rules, err := extractRulesFromTemplate(tmpl, cfg)
	if err != nil {
		return fmt.Errorf("unable to create trireme chains:%s", err)
	}
	for _, rule := range rules {
		if len(rule) != 4 {
			continue
		}
		if err := i.impl.NewChain(rule[1], rule[3]); err != nil {
			return err
		}
	}

	return nil
}

// configureContainerRules adds the chain rules for a container.
// We separate in different methods to keep track of the changes
// independently.
func (i *iptables) configureContainerRules(cfg *ACLInfo) error {
	return i.addChainRules(cfg)
}

// configureLinuxRules adds the chain rules for a linux process or a UID process.
func (i *iptables) configureLinuxRules(cfg *ACLInfo) error {

	// These checks are for rather unusal error scenarios. We should
	// never see errors here. But better safe than sorry.
	if cfg.CgroupMark == "" {
		return errors.New("no mark value found")
	}

	if cfg.TCPPortSet == "" {
		return fmt.Errorf("port set was not found for the contextID. This should not happen")
	}

	return i.addChainRules(cfg)
}

type aclIPset struct {
	ipset string
	*policy.IPRule
}

func (i *iptables) getACLIPSets(ipRules policy.IPRuleList) []aclIPset {

	ipsets := i.ipsetmanager.GetACLIPsetsNames(ipRules)

	aclIPsets := make([]aclIPset, 0)

	for i, ipset := range ipsets {
		if len(ipset) > 0 {
			aclIPsets = append(aclIPsets, aclIPset{ipset, &ipRules[i]})
		}
	}

	return aclIPsets
}

// Install rules will install all the rules and update the port sets.
func (i *iptables) installRules(cfg *ACLInfo, containerInfo *policy.PUInfo) error {

	policyrules := containerInfo.Policy

	// update the proxy set only if there is no serviceMesh enabled.
	if i.serviceMeshType == policy.None {
		if err := i.updateProxySet(cfg.ContextID, containerInfo.Policy); err != nil {
			return err
		}
	}

	appACLIPset := i.getACLIPSets(policyrules.ApplicationACLs())
	netACLIPset := i.getACLIPSets(policyrules.NetworkACLs())

	// Install the PU specific chain first.
	if err := i.addContainerChain(cfg); err != nil {
		return err
	}

	// If its a remote and thus container, configure container rules.
	if i.mode == constants.RemoteContainer {
		if err := i.configureContainerRules(cfg); err != nil {
			return err
		}
	}

	// If its a Linux process configure the Linux rules.
	if i.mode == constants.LocalServer {
		if err := i.configureLinuxRules(cfg); err != nil {
			return err
		}
	}

	isHostPU := extractors.IsHostPU(containerInfo.Runtime, i.mode)

	if err := i.addPreNetworkACLRules(cfg); err != nil {
		return err
	}

	if err := i.addExternalACLs(cfg, cfg.AppChain, cfg.NetChain, appACLIPset, true); err != nil {
		return err
	}

	if err := i.addExternalACLs(cfg, cfg.NetChain, cfg.AppChain, netACLIPset, false); err != nil {
		return err
	}

	appAnyRules, netAnyRules, err := i.getProtocolAnyRules(cfg, appACLIPset, netACLIPset)
	if err != nil {
		return err
	}

	return i.addPacketTrap(cfg, isHostPU, appAnyRules, netAnyRules)
}

func (i *iptables) updateProxySet(contextID string, policy *policy.PUPolicy) error {
	i.ipsetmanager.FlushProxySets(contextID)

	for _, dependentService := range policy.DependentServices() {
		addresses := dependentService.NetworkInfo.Addresses
		min, max := dependentService.NetworkInfo.Ports.Range()

		for addrS := range addresses {
			_, addr, _ := net.ParseCIDR(addrS)
			for port := int(min); port <= int(max); port++ {
				if err := i.ipsetmanager.AddIPPortToDependentService(contextID, addr, strconv.Itoa(port)); err != nil {
					return fmt.Errorf("unable to add dependent ip %v to dependent networks ipset: %v", port, err)
				}
			}
		}
	}

	for _, exposedService := range policy.ExposedServices() {
		min, max := exposedService.PrivateNetworkInfo.Ports.Range()
		for port := int(min); port <= int(max); port++ {
			if err := i.ipsetmanager.AddPortToExposedService(contextID, strconv.Itoa(port)); err != nil {
				zap.L().Error("Failed to add vip", zap.Error(err))
				return fmt.Errorf("unable to add port %d to exposed ports ipset: %s", port, err)
			}
		}

		if exposedService.PublicNetworkInfo != nil {
			min, max := exposedService.PublicNetworkInfo.Ports.Range()
			for port := int(min); port <= int(max); port++ {
				if err := i.ipsetmanager.AddPortToExposedService(contextID, strconv.Itoa(port)); err != nil {
					zap.L().Error("Failed to VIP for public network", zap.Error(err))
					return fmt.Errorf("Failed to program VIP: %s", err)
				}
			}
		}
	}

	return nil
}


================================================
FILE: controller/internal/supervisor/iptablesctrl/iptablesV4_test.go
================================================
// +build !windows,!rhel6

package iptablesctrl

import (
	"bytes"
	"context"
	"fmt"
	"net"
	"os"
	"testing"

	"github.com/aporeto-inc/go-ipset/ipset"
	"github.com/magiconair/properties/assert"
	. "github.com/smartystreets/goconvey/convey"
	"go.aporeto.io/enforcerd/trireme-lib/common"
	"go.aporeto.io/enforcerd/trireme-lib/controller/constants"
	tacls "go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/acls"
	provider "go.aporeto.io/enforcerd/trireme-lib/controller/pkg/aclprovider"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/ipsetmanager"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packet"
	"go.aporeto.io/enforcerd/trireme-lib/controller/runtime"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
	"go.aporeto.io/enforcerd/trireme-lib/utils/portspec"
)

func TestNewInstanceV4(t *testing.T) {
	Convey("When I create a new iptables instance", t, func() {
		Convey("If I create a remote implemenetation and iptables exists", func() {
			ips := ipsetmanager.NewTestIpsetProvider()
			iptv4 := provider.NewTestIptablesProvider()
			iptv6 := provider.NewTestIptablesProvider()

			i, err := createTestInstance(ips, iptv4, iptv6, constants.RemoteContainer, policy.None)
			Convey("It should succeed", func() {
				So(i, ShouldNotBeNil)
				So(err, ShouldBeNil)
			})
		})
	})

	Convey("When I create a new iptables instance", t, func() {
		Convey("If I create a Linux server implemenetation and iptables exists", func() {
			ips := ipsetmanager.NewTestIpsetProvider()
			iptv4 := provider.NewTestIptablesProvider()
			iptv6 := provider.NewTestIptablesProvider()

			i, err := createTestInstance(ips, iptv4, iptv6, constants.LocalServer, policy.None)
			Convey("It should succeed", func() {
				So(i, ShouldNotBeNil)
				So(err, ShouldBeNil)
			})
		})
	})
	Convey("When I create a new iptables instance, with Istio serviceMeshType", t, func() {
		Convey("If I create a Linux server implemenetation and iptables exists with Istio", func() {
			ips := ipsetmanager.NewTestIpsetProvider()
			iptv4 := provider.NewTestIptablesProvider()
			iptv6 := provider.NewTestIptablesProvider()

			i, err := createTestInstance(ips, iptv4, iptv6, constants.LocalServer, policy.Istio)
			Convey("It should succeed", func() {
				So(i, ShouldNotBeNil)
				So(err, ShouldBeNil)
				So(i.iptv4.serviceMeshType, ShouldEqual, policy.Istio)
			})
		})
	})
}

func Test_NegativeConfigureRulesV4(t *testing.T) {
	Convey("Given a valid instance", t, func() {
		ips := ipsetmanager.NewTestIpsetProvider()
		iptv4 := provider.NewTestIptablesProvider()
		iptv6 := provider.NewTestIptablesProvider()

		i, err := createTestInstance(ips, iptv4, iptv6, constants.LocalServer, policy.None)
		So(err, ShouldBeNil)
		ctx, cancel := context.WithCancel(context.Background())
		defer cancel()

		err = i.Run(ctx)
		So(err, ShouldBeNil)

		cfg := &runtime.Configuration{}
		i.SetTargetNetworks(cfg) // nolint
		So(err, ShouldBeNil)

		ipl := policy.ExtendedMap{}
		policyrules := policy.NewPUPolicy(
			"Context",
			"/ns1",
			policy.Police,
			nil,
			nil,
			nil,
			nil,
			nil,
			nil,
			nil,
			nil,
			ipl,
			0,
			0,
			nil,
			nil,
			[]string{},
			policy.EnforcerMapping,
			policy.Reject|policy.Log,
			policy.Reject|policy.Log,
		)
		containerinfo := policy.NewPUInfo("Context",
			"/ns1", common.ContainerPU)
		containerinfo.Policy = policyrules
		containerinfo.Runtime = policy.NewPURuntimeWithDefaults()
		containerinfo.Runtime.SetOptions(policy.OptionsType{
			CgroupMark: "10",
		})

		Convey("When I configure the rules with no errors, it should succeed", func() {
			err := i.iptv4.ConfigureRules(1,
				"ID", containerinfo)
			So(err, ShouldBeNil)
		})

		Convey("When I configure the rules and the proxy set fails, it should error", func() {
			ips.MockNewIpset(t, func(name, hash string, p *ipset.Params) (ipsetmanager.Ipset, error) {
				return nil, fmt.Errorf("error")
			})
			err := i.iptv4.ConfigureRules(1,
				"ID", containerinfo)
			So(err, ShouldNotBeNil)
		})

		Convey("When I configure the rules and acls fail, it should error", func() {
			iptv4.MockAppend(t, func(table, chain string, rulespec ...string) error {
				return fmt.Errorf("error")
			})
			err := i.iptv4.ConfigureRules(1,
				"ID", containerinfo)
			So(err, ShouldNotBeNil)
		})

		Convey("When I configure the rules and commit fails, it should error", func() {
			iptv4.MockCommit(t, func() error {
				return fmt.Errorf("error")
			})
			err := i.iptv4.ConfigureRules(1,
				"ID", containerinfo)
			So(err, ShouldNotBeNil)
		})
	})
}

var (
	expectedGlobalMangleChainsV4 = map[string][]string{
		"TRI-Nfq-IN": {"-j HMARK --hmark-tuple dport,sport --hmark-mod 4 --hmark-offset 67 --hmark-rnd 0xdeadbeef",
			"-m mark --mark 67 -j NFQUEUE --queue-num 0 --queue-bypass",
			"-m mark --mark 68 -j NFQUEUE --queue-num 1 --queue-bypass",
			"-m mark --mark 69 -j NFQUEUE --queue-num 2 --queue-bypass",
			"-m mark --mark 70 -j NFQUEUE --queue-num 3 --queue-bypass"},
		"TRI-Nfq-OUT": {"-j HMARK --hmark-tuple sport,dport --hmark-mod 4 --hmark-offset 0 --hmark-rnd 0xdeadbeef",
			"-m mark --mark 0 -j NFQUEUE --queue-num 0 --queue-bypass",
			"-m mark --mark 1 -j NFQUEUE --queue-num 1 --queue-bypass",
			"-m mark --mark 2 -j NFQUEUE --queue-num 2 --queue-bypass",
			"-m mark --mark 3 -j NFQUEUE --queue-num 3 --queue-bypass"},
		"INPUT": {
			"-m set ! --match-set TRI-v4-Excluded src -j TRI-Net",
		},
		"OUTPUT": {
			"-m set ! --match-set TRI-v4-Excluded dst -j TRI-App",
		},

		"TRI-App": {
			"-m mark --mark 66 -j CONNMARK --set-mark 61167",
			"-p tcp -m mark --mark 66 -j ACCEPT",
			"-p udp --dport 53 -m mark --mark 0x40 -m cgroup --cgroup 1536 -j CONNMARK --set-mark 61167",
			"-p udp --dport 53 -m mark --mark 0x40 -j CONNMARK --set-mark 61167",
			"-j TRI-Prx-App",
			"-m connmark --mark 61167 -j ACCEPT",
			"-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP",
			"-m connmark --mark 61166 -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT", "-m connmark --mark 61166 -p udp -j ACCEPT", "-m mark --mark 1073741922 -j ACCEPT", "-p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-OUT", "-j TRI-Pid-App", "-j TRI-Svc-App", "-j TRI-Hst-App",
		},
		"TRI-Net": {
			"-j TRI-Prx-Net",
			"-p tcp -m mark --mark 66 -j CONNMARK --set-mark 61167",
			"-p tcp -m mark --mark 66 -j ACCEPT", "-m connmark --mark 61167 -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT", "-m set --match-set TRI-v4-TargetTCP src -p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-IN", "-p udp -m string --string n30njxq7bmiwr6dtxq --algo bm --to 65535 -j TRI-Nfq-IN",
			"-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP",
			"-m connmark --mark 61166 -p udp -j ACCEPT", "-j TRI-Pid-Net", "-j TRI-Svc-Net", "-j TRI-Hst-Net"},
		"TRI-Pid-App": {},
		"TRI-Pid-Net": {},
		"TRI-Prx-App": {
			"-m mark --mark 0x40 -j ACCEPT",
		},
		"TRI-Prx-Net": {
			"-m mark --mark 0x40 -j ACCEPT",
		},
		"TRI-Hst-App": {},
		"TRI-Hst-Net": {},
		"TRI-Svc-App": {},
		"TRI-Svc-Net": {},
	}

	expectedGlobalMangleChainsV4Istio = map[string][]string{
		"TRI-Nfq-IN": {"-j HMARK --hmark-tuple dport,sport --hmark-mod 4 --hmark-offset 67 --hmark-rnd 0xdeadbeef",
			"-m mark --mark 67 -j NFQUEUE --queue-num 0 --queue-bypass",
			"-m mark --mark 68 -j NFQUEUE --queue-num 1 --queue-bypass",
			"-m mark --mark 69 -j NFQUEUE --queue-num 2 --queue-bypass",
			"-m mark --mark 70 -j NFQUEUE --queue-num 3 --queue-bypass"},
		"TRI-Nfq-OUT": {"-j HMARK --hmark-tuple sport,dport --hmark-mod 4 --hmark-offset 0 --hmark-rnd 0xdeadbeef",
			"-m mark --mark 0 -j NFQUEUE --queue-num 0 --queue-bypass",
			"-m mark --mark 1 -j NFQUEUE --queue-num 1 --queue-bypass",
			"-m mark --mark 2 -j NFQUEUE --queue-num 2 --queue-bypass",
			"-m mark --mark 3 -j NFQUEUE --queue-num 3 --queue-bypass"},
		"INPUT": {
			"-m set ! --match-set TRI-v4-Excluded src -j TRI-Net",
		},
		"OUTPUT": {
			"-j TRI-Istio",
			"-m set ! --match-set TRI-v4-Excluded dst -j TRI-App",
		},
		"TRI-Istio": {},

		"TRI-App": {
			"-m mark --mark 66 -j CONNMARK --set-mark 61167", "-p tcp -m mark --mark 66 -j ACCEPT", "-p udp --dport 53 -m mark --mark 0x40 -m cgroup --cgroup 1536 -j CONNMARK --set-mark 61167", "-p udp --dport 53 -m mark --mark 0x40 -j CONNMARK --set-mark 61167", "-j TRI-Prx-App", "-m connmark --mark 61167 -j ACCEPT", "-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP",
			"-m connmark --mark 61166 -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT", "-m connmark --mark 61166 -p udp -j ACCEPT",
			"-m mark --mark 1073741922 -j ACCEPT", "-p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-OUT",
			"-j TRI-Pid-App", "-j TRI-Svc-App", "-j TRI-Hst-App"},
		"TRI-Net": {
			"-j TRI-Prx-Net", "-p tcp -m mark --mark 66 -j CONNMARK --set-mark 61167", "-p tcp -m mark --mark 66 -j ACCEPT", "-m connmark --mark 61167 -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT", "-m set --match-set TRI-v4-TargetTCP src -p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-IN", "-p udp -m string --string n30njxq7bmiwr6dtxq --algo bm --to 65535 -j TRI-Nfq-IN", "-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP",
			"-m connmark --mark 61166 -p udp -j ACCEPT", "-j TRI-Pid-Net", "-j TRI-Svc-Net", "-j TRI-Hst-Net",
			"-p tcp --dport 15001 -m addrtype --dst-type LOCAL -m addrtype --src-type LOCAL -j ACCEPT"},
		"TRI-Pid-App": {},
		"TRI-Pid-Net": {},
		"TRI-Prx-App": {
			"-m mark --mark 0x40 -j ACCEPT",
		},
		"TRI-Prx-Net": {
			"-m mark --mark 0x40 -j ACCEPT",
		},
		"TRI-Hst-App": {},
		"TRI-Hst-Net": {},
		"TRI-Svc-App": {},
		"TRI-Svc-Net": {},
	}

	expectedGlobalNATChainsV4Istio = map[string][]string{
		"PREROUTING": {
			"-p tcp -m addrtype --dst-type LOCAL -m set ! --match-set TRI-v4-Excluded src -j TRI-Redir-Net",
		},
		"OUTPUT": {
			"-m set ! --match-set TRI-v4-Excluded dst -j TRI-Redir-App",
			"-p tcp -m mark --mark 68 -j ACCEPT",
		},
		"TRI-Redir-App": {
			"-m mark --mark 0x40 -j RETURN",
		},
		"TRI-Redir-Net": {
			"-m mark --mark 0x40 -j ACCEPT",
		},
	}
	expectedMangleAfterPUInsertV4Istio = map[string][]string{
		"TRI-Nfq-IN": {"-j HMARK --hmark-tuple dport,sport --hmark-mod 4 --hmark-offset 67 --hmark-rnd 0xdeadbeef",
			"-m mark --mark 67 -j NFQUEUE --queue-num 0 --queue-bypass",
			"-m mark --mark 68 -j NFQUEUE --queue-num 1 --queue-bypass",
			"-m mark --mark 69 -j NFQUEUE --queue-num 2 --queue-bypass",
			"-m mark --mark 70 -j NFQUEUE --queue-num 3 --queue-bypass"},
		"TRI-Nfq-OUT": {"-j HMARK --hmark-tuple sport,dport --hmark-mod 4 --hmark-offset 0 --hmark-rnd 0xdeadbeef",
			"-m mark --mark 0 -j NFQUEUE --queue-num 0 --queue-bypass",
			"-m mark --mark 1 -j NFQUEUE --queue-num 1 --queue-bypass",
			"-m mark --mark 2 -j NFQUEUE --queue-num 2 --queue-bypass",
			"-m mark --mark 3 -j NFQUEUE --queue-num 3 --queue-bypass"},
		"INPUT": {
			"-m set ! --match-set TRI-v4-Excluded src -j TRI-Net",
		},
		"OUTPUT": {
			"-j TRI-Istio",
			"-m set ! --match-set TRI-v4-Excluded dst -j TRI-App",
		},
		"TRI-Istio": {},
		"TRI-App": {
			"-m mark --mark 66 -j CONNMARK --set-mark 61167", "-p tcp -m mark --mark 66 -j ACCEPT", "-p udp --dport 53 -m mark --mark 0x40 -m cgroup --cgroup 1536 -j CONNMARK --set-mark 61167", "-p udp --dport 53 -m mark --mark 0x40 -j CONNMARK --set-mark 61167", "-j TRI-Prx-App", "-m connmark --mark 61167 -j ACCEPT", "-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP", "-m connmark --mark 61166 -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT",
			"-m connmark --mark 61166 -p udp -j ACCEPT", "-m mark --mark 1073741922 -j ACCEPT",
			"-p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-OUT",
			"-j TRI-Pid-App", "-j TRI-Svc-App", "-j TRI-Hst-App"},
		"TRI-Net": {
			"-j TRI-Prx-Net", "-p tcp -m mark --mark 66 -j CONNMARK --set-mark 61167", "-p tcp -m mark --mark 66 -j ACCEPT", "-m connmark --mark 61167 -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT", "-m set --match-set TRI-v4-TargetTCP src -p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-IN", "-p udp -m string --string n30njxq7bmiwr6dtxq --algo bm --to 65535 -j TRI-Nfq-IN",
			"-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP", "-m connmark --mark 61166 -p udp -j ACCEPT",
			"-j TRI-Pid-Net", "-j TRI-Svc-Net", "-j TRI-Hst-Net", "-p tcp --dport 15001 -m addrtype --dst-type LOCAL -m addrtype --src-type LOCAL -j ACCEPT"},
		"TRI-Pid-App": {
			"-m cgroup --cgroup 10 -m comment --comment PU-Chain -j MARK --set-mark 10",
			"-m mark --mark 10 -m comment --comment PU-Chain -j TRI-App-pu1N7uS6--0"},
		"TRI-Pid-Net": {
			"-p tcp -m multiport --destination-ports 9000 -m comment --comment PU-Chain -j TRI-Net-pu1N7uS6--0",
			"-p udp -m multiport --destination-ports 5000 -m comment --comment PU-Chain -j TRI-Net-pu1N7uS6--0",
		},
		"TRI-Prx-App": {
			"-m mark --mark 0x40 -j ACCEPT",
			"-p tcp -m tcp --sport 0 -j ACCEPT",
			"-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-srv src -j ACCEPT",
			"-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-dst dst,dst -m mark ! --mark 0x40 -j ACCEPT",
			"-p udp -m udp --sport 0 -j ACCEPT",
		},
		"TRI-Prx-Net": {
			"-m mark --mark 0x40 -j ACCEPT",
			"-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-dst src,src -j ACCEPT",
			"-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-srv src -m addrtype --src-type LOCAL -j ACCEPT",
			"-p tcp -m tcp --dport 0 -j ACCEPT",
			"-p udp -m udp --dport 0 -j ACCEPT",
		},
		"TRI-Hst-App": {},
		"TRI-Hst-Net": {},
		"TRI-Svc-App": {},
		"TRI-Svc-Net": {},

		"TRI-Net-pu1N7uS6--0": {
			"-p tcp -m tcp --tcp-option 34 -m tcp --tcp-flags FIN,RST,URG,PSH NONE -j TRI-Nfq-IN",
			"-p UDP -m set --match-set TRI-v4-ext-6zlJIvP3B68= src -m state --state ESTABLISHED -m connmark --mark 61167 -j ACCEPT",
			"-p TCP -m set --match-set TRI-v4-ext-w5frVvhsnpU= src -m state --state NEW --match multiport --dports 80 -j DROP",
			"-p UDP -m set --match-set TRI-v4-ext-IuSLsD1R-mE= src -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 --match multiport --dports 443 -j CONNMARK --set-mark 61167",
			"-p UDP -m set --match-set TRI-v4-ext-IuSLsD1R-mE= src -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 --match multiport --dports 443 -j ACCEPT",
			"-p tcp -m set --match-set TRI-v4-TargetTCP src -m tcp --tcp-flags SYN NONE -j TRI-Nfq-IN",
			"-p udp -m set --match-set TRI-v4-TargetUDP src --match limit --limit 1000/s -j TRI-Nfq-IN",
			"-p tcp -m state --state ESTABLISHED -m comment --comment TCP-Established-Connections -j ACCEPT",
			"-p ALL -m set --match-set TRI-v4-ext-_qhcdC8NcJc= src -j NFLOG --nflog-group 11 --nflog-prefix 913787369:123a:a3:6",
			"-p ALL -m set --match-set TRI-v4-ext-_qhcdC8NcJc= src -j DROP",
			"-p ALL -m set --match-set TRI-v4-ext-_qhcdC8NcJc= src -j NFLOG --nflog-group 11 --nflog-prefix 913787369:123a:a3:3",
			"-p ALL -m set --match-set TRI-v4-ext-_qhcdC8NcJc= src -j ACCEPT",
			"-s 0.0.0.0/0 -m state --state NEW -j NFLOG --nflog-group 11 --nflog-prefix 913787369:default:default:6",
			"-s 0.0.0.0/0 -m state ! --state NEW -j NFLOG --nflog-group 11 --nflog-prefix 913787369:default:default:10",
			"-s 0.0.0.0/0 -j DROP",
		},
		"TRI-App-pu1N7uS6--0": {
			"-p TCP -m set --match-set TRI-v4-ext-uNdc0vdcFZA= dst -m state --state NEW --match multiport --dports 80 -j DROP", "-p UDP -m set --match-set TRI-v4-ext-6zlJIvP3B68= dst -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 -m set ! --match-set TRI-v4-TargetUDP dst --match multiport --dports 443 -j CONNMARK --set-mark 61167", "-p UDP -m set --match-set TRI-v4-ext-6zlJIvP3B68= dst -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 -m set ! --match-set TRI-v4-TargetUDP dst --match multiport --dports 443 -j ACCEPT", "-m bpf --bytecode 7,48 0 0 0,84 0 0 240,21 0 3 64,48 0 0 9,21 0 1 1,6 0 0 65535,6 0 0 0 -p icmp -m set --match-set TRI-v4-ext-w5frVvhsnpU= dst -j ACCEPT", "-p UDP -m set --match-set TRI-v4-ext-IuSLsD1R-mE= dst -m state --state ESTABLISHED -m connmark --mark 61167 -j ACCEPT", "-m set --match-set TRI-v4-TargetTCP dst -p tcp -m tcp --tcp-flags FIN FIN -j ACCEPT", "-m set --match-set TRI-v4-TargetTCP dst -p tcp -j HMARK --hmark-tuple sport,dport --hmark-mod 4 --hmark-offset 40 --hmark-rnd 0xdeadbeef", "-p udp -m set --match-set TRI-v4-TargetUDP dst -j HMARK --hmark-tuple sport,dport --hmark-mod 4 --hmark-offset 40 --hmark-rnd 0xdeadbeef", "-m mark --mark 40 -j NFQUEUE --queue-num 0 --queue-bypass", "-m mark --mark 41 -j NFQUEUE --queue-num 1 --queue-bypass", "-m mark --mark 42 -j NFQUEUE --queue-num 2 --queue-bypass", "-m mark --mark 43 -j NFQUEUE --queue-num 3 --queue-bypass", "-p tcp -m state --state ESTABLISHED -m comment --comment TCP-Established-Connections -j ACCEPT",
			"-p udp -m state --state ESTABLISHED -m comment --comment UDP-Established-Connections -j ACCEPT", "-p ALL -m set --match-set TRI-v4-ext-_qhcdC8NcJc= dst -j NFLOG --nflog-group 10 --nflog-prefix 913787369:123a:a3:6", "-p ALL -m set --match-set TRI-v4-ext-_qhcdC8NcJc= dst -j DROP", "-p ALL -m set --match-set TRI-v4-ext-_qhcdC8NcJc= dst -j NFLOG --nflog-group 10 --nflog-prefix 913787369:123a:a3:3",
			"-p ALL -m set --match-set TRI-v4-ext-_qhcdC8NcJc= dst -j ACCEPT", "-d 0.0.0.0/0 -m state --state NEW -j NFLOG --nflog-group 10 --nflog-prefix 913787369:default:default:6", "-d 0.0.0.0/0 -m state ! --state NEW -j NFLOG --nflog-group 10 --nflog-prefix 913787369:default:default:10", "-d 0.0.0.0/0 -j DROP"},
	}
	expectedGlobalNATChainsV4 = map[string][]string{
		"PREROUTING": {
			"-p tcp -m addrtype --dst-type LOCAL -m set ! --match-set TRI-v4-Excluded src -j TRI-Redir-Net",
		},
		"OUTPUT": {
			"-m set ! --match-set TRI-v4-Excluded dst -j TRI-Redir-App",
		},
		"TRI-Redir-App": {
			"-m mark --mark 0x40 -j RETURN",
		},
		"TRI-Redir-Net": {
			"-m mark --mark 0x40 -j ACCEPT",
		},
	}

	expectedMangleAfterPUInsertV4 = map[string][]string{
		"TRI-Nfq-IN": {"-j HMARK --hmark-tuple dport,sport --hmark-mod 4 --hmark-offset 67 --hmark-rnd 0xdeadbeef",
			"-m mark --mark 67 -j NFQUEUE --queue-num 0 --queue-bypass",
			"-m mark --mark 68 -j NFQUEUE --queue-num 1 --queue-bypass",
			"-m mark --mark 69 -j NFQUEUE --queue-num 2 --queue-bypass",
			"-m mark --mark 70 -j NFQUEUE --queue-num 3 --queue-bypass"},
		"TRI-Nfq-OUT": {"-j HMARK --hmark-tuple sport,dport --hmark-mod 4 --hmark-offset 0 --hmark-rnd 0xdeadbeef",
			"-m mark --mark 0 -j NFQUEUE --queue-num 0 --queue-bypass",
			"-m mark --mark 1 -j NFQUEUE --queue-num 1 --queue-bypass",
			"-m mark --mark 2 -j NFQUEUE --queue-num 2 --queue-bypass",
			"-m mark --mark 3 -j NFQUEUE --queue-num 3 --queue-bypass"},
		"INPUT": {
			"-m set ! --match-set TRI-v4-Excluded src -j TRI-Net",
		},
		"OUTPUT": {
			"-m set ! --match-set TRI-v4-Excluded dst -j TRI-App",
		},
		"TRI-App": {
			"-m mark --mark 66 -j CONNMARK --set-mark 61167",
			"-p tcp -m mark --mark 66 -j ACCEPT",
			"-p udp --dport 53 -m mark --mark 0x40 -m cgroup --cgroup 1536 -j CONNMARK --set-mark 61167",
			"-p udp --dport 53 -m mark --mark 0x40 -j CONNMARK --set-mark 61167", "-j TRI-Prx-App", "-m connmark --mark 61167 -j ACCEPT", "-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP", "-m connmark --mark 61166 -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT", "-m connmark --mark 61166 -p udp -j ACCEPT", "-m mark --mark 1073741922 -j ACCEPT", "-p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-OUT",
			"-j TRI-Pid-App", "-j TRI-Svc-App", "-j TRI-Hst-App"},
		"TRI-Net": {
			"-j TRI-Prx-Net", "-p tcp -m mark --mark 66 -j CONNMARK --set-mark 61167",
			"-p tcp -m mark --mark 66 -j ACCEPT", "-m connmark --mark 61167 -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT", "-m set --match-set TRI-v4-TargetTCP src -p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-IN", "-p udp -m string --string n30njxq7bmiwr6dtxq --algo bm --to 65535 -j TRI-Nfq-IN", "-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP",
			"-m connmark --mark 61166 -p udp -j ACCEPT", "-j TRI-Pid-Net", "-j TRI-Svc-Net", "-j TRI-Hst-Net"},
		"TRI-Pid-App": {
			"-m cgroup --cgroup 10 -m comment --comment PU-Chain -j MARK --set-mark 10",
			"-m mark --mark 10 -m comment --comment PU-Chain -j TRI-App-pu1N7uS6--0"},
		"TRI-Pid-Net": {
			"-p tcp -m multiport --destination-ports 9000 -m comment --comment PU-Chain -j TRI-Net-pu1N7uS6--0",
			"-p udp -m multiport --destination-ports 5000 -m comment --comment PU-Chain -j TRI-Net-pu1N7uS6--0",
		},
		"TRI-Prx-App": {
			"-m mark --mark 0x40 -j ACCEPT",
			"-p tcp -m tcp --sport 0 -j ACCEPT",
			"-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-srv src -j ACCEPT",
			"-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-dst dst,dst -m mark ! --mark 0x40 -j ACCEPT",
			"-p udp -m udp --sport 0 -j ACCEPT",
		},
		"TRI-Prx-Net": {
			"-m mark --mark 0x40 -j ACCEPT",
			"-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-dst src,src -j ACCEPT",
			"-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-srv src -m addrtype --src-type LOCAL -j ACCEPT",
			"-p tcp -m tcp --dport 0 -j ACCEPT",
			"-p udp -m udp --dport 0 -j ACCEPT",
		},
		"TRI-Hst-App": {},
		"TRI-Hst-Net": {},
		"TRI-Svc-App": {},
		"TRI-Svc-Net": {},

		"TRI-Net-pu1N7uS6--0": {
			"-p tcp -m tcp --tcp-option 34 -m tcp --tcp-flags FIN,RST,URG,PSH NONE -j TRI-Nfq-IN",
			"-p UDP -m set --match-set TRI-v4-ext-6zlJIvP3B68= src -m state --state ESTABLISHED -m connmark --mark 61167 -j ACCEPT",
			"-p TCP -m set --match-set TRI-v4-ext-w5frVvhsnpU= src -m state --state NEW --match multiport --dports 80 -j DROP",
			"-p UDP -m set --match-set TRI-v4-ext-IuSLsD1R-mE= src -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 --match multiport --dports 443 -j CONNMARK --set-mark 61167",
			"-p UDP -m set --match-set TRI-v4-ext-IuSLsD1R-mE= src -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 --match multiport --dports 443 -j ACCEPT",
			"-p tcp -m set --match-set TRI-v4-TargetTCP src -m tcp --tcp-flags SYN NONE -j TRI-Nfq-IN",
			"-p udp -m set --match-set TRI-v4-TargetUDP src --match limit --limit 1000/s -j TRI-Nfq-IN",
			"-p tcp -m state --state ESTABLISHED -m comment --comment TCP-Established-Connections -j ACCEPT",
			"-p ALL -m set --match-set TRI-v4-ext-_qhcdC8NcJc= src -j NFLOG --nflog-group 11 --nflog-prefix 913787369:123a:a3:6",
			"-p ALL -m set --match-set TRI-v4-ext-_qhcdC8NcJc= src -j DROP",
			"-p ALL -m set --match-set TRI-v4-ext-_qhcdC8NcJc= src -j NFLOG --nflog-group 11 --nflog-prefix 913787369:123a:a3:3",
			"-p ALL -m set --match-set TRI-v4-ext-_qhcdC8NcJc= src -j ACCEPT",
			"-s 0.0.0.0/0 -m state --state NEW -j NFLOG --nflog-group 11 --nflog-prefix 913787369:default:default:6",
			"-s 0.0.0.0/0 -m state ! --state NEW -j NFLOG --nflog-group 11 --nflog-prefix 913787369:default:default:10",
			"-s 0.0.0.0/0 -j DROP",
		},
		"TRI-App-pu1N7uS6--0": {
			"-p TCP -m set --match-set TRI-v4-ext-uNdc0vdcFZA= dst -m state --state NEW --match multiport --dports 80 -j DROP", "-p UDP -m set --match-set TRI-v4-ext-6zlJIvP3B68= dst -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 -m set ! --match-set TRI-v4-TargetUDP dst --match multiport --dports 443 -j CONNMARK --set-mark 61167", "-p UDP -m set --match-set TRI-v4-ext-6zlJIvP3B68= dst -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 -m set ! --match-set TRI-v4-TargetUDP dst --match multiport --dports 443 -j ACCEPT", "-m bpf --bytecode 7,48 0 0 0,84 0 0 240,21 0 3 64,48 0 0 9,21 0 1 1,6 0 0 65535,6 0 0 0 -p icmp -m set --match-set TRI-v4-ext-w5frVvhsnpU= dst -j ACCEPT", "-p UDP -m set --match-set TRI-v4-ext-IuSLsD1R-mE= dst -m state --state ESTABLISHED -m connmark --mark 61167 -j ACCEPT", "-m set --match-set TRI-v4-TargetTCP dst -p tcp -m tcp --tcp-flags FIN FIN -j ACCEPT", "-m set --match-set TRI-v4-TargetTCP dst -p tcp -j HMARK --hmark-tuple sport,dport --hmark-mod 4 --hmark-offset 40 --hmark-rnd 0xdeadbeef", "-p udp -m set --match-set TRI-v4-TargetUDP dst -j HMARK --hmark-tuple sport,dport --hmark-mod 4 --hmark-offset 40 --hmark-rnd 0xdeadbeef", "-m mark --mark 40 -j NFQUEUE --queue-num 0 --queue-bypass", "-m mark --mark 41 -j NFQUEUE --queue-num 1 --queue-bypass", "-m mark --mark 42 -j NFQUEUE --queue-num 2 --queue-bypass", "-m mark --mark 43 -j NFQUEUE --queue-num 3 --queue-bypass", "-p tcp -m state --state ESTABLISHED -m comment --comment TCP-Established-Connections -j ACCEPT", "-p udp -m state --state ESTABLISHED -m comment --comment UDP-Established-Connections -j ACCEPT", "-p ALL -m set --match-set TRI-v4-ext-_qhcdC8NcJc= dst -j NFLOG --nflog-group 10 --nflog-prefix 913787369:123a:a3:rockstars _4090221238:6",
			"-p ALL -m set --match-set TRI-v4-ext-_qhcdC8NcJc= dst -j DROP", "-p ALL -m set --match-set TRI-v4-ext-_qhcdC8NcJc= dst -j NFLOG --nflog-group 10 --nflog-prefix 913787369:123a:a3:3", "-p ALL -m set --match-set TRI-v4-ext-_qhcdC8NcJc= dst -j ACCEPT",
			"-d 0.0.0.0/0 -m state --state NEW -j NFLOG --nflog-group 10 --nflog-prefix 913787369:default:default:6", "-d 0.0.0.0/0 -m state ! --state NEW -j NFLOG --nflog-group 10 --nflog-prefix 913787369:default:default:10", "-d 0.0.0.0/0 -j DROP"},
	}

	expectedMangleAfterPUInsertWithLogV4 = map[string][]string{
		"TRI-Nfq-IN": {"-j HMARK --hmark-tuple dport,sport --hmark-mod 4 --hmark-offset 67 --hmark-rnd 0xdeadbeef",
			"-m mark --mark 67 -j NFQUEUE --queue-num 0 --queue-bypass",
			"-m mark --mark 68 -j NFQUEUE --queue-num 1 --queue-bypass",
			"-m mark --mark 69 -j NFQUEUE --queue-num 2 --queue-bypass",
			"-m mark --mark 70 -j NFQUEUE --queue-num 3 --queue-bypass"},
		"TRI-Nfq-OUT": {"-j HMARK --hmark-tuple sport,dport --hmark-mod 4 --hmark-offset 0 --hmark-rnd 0xdeadbeef",
			"-m mark --mark 0 -j NFQUEUE --queue-num 0 --queue-bypass",
			"-m mark --mark 1 -j NFQUEUE --queue-num 1 --queue-bypass",
			"-m mark --mark 2 -j NFQUEUE --queue-num 2 --queue-bypass",
			"-m mark --mark 3 -j NFQUEUE --queue-num 3 --queue-bypass"},
		"INPUT": {
			"-m set ! --match-set TRI-v4-Excluded src -j TRI-Net",
		},
		"OUTPUT": {
			"-m set ! --match-set TRI-v4-Excluded dst -j TRI-App",
		},
		"TRI-App": {
			"-m mark --mark 66 -j CONNMARK --set-mark 61167",
			"-p tcp -m mark --mark 66 -j ACCEPT", "-p udp --dport 53 -m mark --mark 0x40 -m cgroup --cgroup 1536 -j CONNMARK --set-mark 61167", "-p udp --dport 53 -m mark --mark 0x40 -j CONNMARK --set-mark 61167", "-j TRI-Prx-App", "-m connmark --mark 61167 -j ACCEPT", "-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP", "-m connmark --mark 61166 -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT", "-m connmark --mark 61166 -p udp -j ACCEPT",
			"-m mark --mark 1073741922 -j ACCEPT", "-p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-OUT",
			"-j TRI-Pid-App", "-j TRI-Svc-App", "-j TRI-Hst-App"},
		"TRI-Net": {
			"-j TRI-Prx-Net", "-p tcp -m mark --mark 66 -j CONNMARK --set-mark 61167", "-p tcp -m mark --mark 66 -j ACCEPT", "-m connmark --mark 61167 -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT", "-m set --match-set TRI-v4-TargetTCP src -p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-IN", "-p udp -m string --string n30njxq7bmiwr6dtxq --algo bm --to 65535 -j TRI-Nfq-IN",
			"-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP", "-m connmark --mark 61166 -p udp -j ACCEPT", "-j TRI-Pid-Net", "-j TRI-Svc-Net", "-j TRI-Hst-Net"},
		"TRI-Pid-App": {
			"-m cgroup --cgroup 10 -m comment --comment PU-Chain -j MARK --set-mark 10",
			"-m mark --mark 10 -m comment --comment PU-Chain -j TRI-App-pu1N7uS6--0"},
		"TRI-Pid-Net": {
			"-p tcp -m multiport --destination-ports 9000 -m comment --comment PU-Chain -j TRI-Net-pu1N7uS6--0",
			"-p udp -m multiport --destination-ports 5000 -m comment --comment PU-Chain -j TRI-Net-pu1N7uS6--0",
		},
		"TRI-Prx-App": {
			"-m mark --mark 0x40 -j ACCEPT",
			"-p tcp -m tcp --sport 0 -j ACCEPT",
			"-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-srv src -j ACCEPT",
			"-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-dst dst,dst -m mark ! --mark 0x40 -j ACCEPT",
			"-p udp -m udp --sport 0 -j ACCEPT",
		},
		"TRI-Prx-Net": {
			"-m mark --mark 0x40 -j ACCEPT",
			"-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-dst src,src -j ACCEPT",
			"-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-srv src -m addrtype --src-type LOCAL -j ACCEPT",
			"-p tcp -m tcp --dport 0 -j ACCEPT",
			"-p udp -m udp --dport 0 -j ACCEPT",
		},
		"TRI-Hst-App": {},
		"TRI-Hst-Net": {},
		"TRI-Svc-App": {},
		"TRI-Svc-Net": {},

		"TRI-Net-pu1N7uS6--0": {
			"-p tcp -m tcp --tcp-option 34 -m tcp --tcp-flags FIN,RST,URG,PSH NONE -j TRI-Nfq-IN",
			"-p UDP -m set --match-set TRI-v4-ext-6zlJIvP3B68= src -m state --state ESTABLISHED -m connmark --mark 61167 -j ACCEPT",
			"-p TCP -m set --match-set TRI-v4-ext-w5frVvhsnpU= src -m state --state NEW --match multiport --dports 80 -j DROP",
			"-p UDP -m set --match-set TRI-v4-ext-IuSLsD1R-mE= src -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 --match multiport --dports 443 -j CONNMARK --set-mark 61167",
			"-p UDP -m set --match-set TRI-v4-ext-IuSLsD1R-mE= src -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 --match multiport --dports 443 -j ACCEPT",
			"-p tcp -m set --match-set TRI-v4-TargetTCP src -m tcp --tcp-flags SYN NONE -j TRI-Nfq-IN",
			"-p udp -m set --match-set TRI-v4-TargetUDP src --match limit --limit 1000/s -j TRI-Nfq-IN",
			"-p tcp -m state --state ESTABLISHED -m comment --comment TCP-Established-Connections -j ACCEPT",
			"-s 0.0.0.0/0 -m state --state NEW -j NFLOG --nflog-group 11 --nflog-prefix 913787369:default:default:6",
			"-s 0.0.0.0/0 -m state ! --state NEW -j NFLOG --nflog-group 11 --nflog-prefix 913787369:default:default:10",
			"-s 0.0.0.0/0 -j DROP",
		},

		"TRI-App-pu1N7uS6--0": {
			"-p TCP -m set --match-set TRI-v4-ext-uNdc0vdcFZA= dst -m state --state NEW --match multiport --dports 80 -j DROP", "-p UDP -m set --match-set TRI-v4-ext-6zlJIvP3B68= dst -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 -m set ! --match-set TRI-v4-TargetUDP dst --match multiport --dports 443 -m state --state NEW -j NFLOG --nflog-group 10 --nflog-prefix 913787369:2:s2:3", "-p UDP -m set --match-set TRI-v4-ext-6zlJIvP3B68= dst -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 -m set ! --match-set TRI-v4-TargetUDP dst --match multiport --dports 443 -j CONNMARK --set-mark 61167", "-p UDP -m set --match-set TRI-v4-ext-6zlJIvP3B68= dst -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 -m set ! --match-set TRI-v4-TargetUDP dst --match multiport --dports 443 -j ACCEPT", "-m bpf --bytecode 7,48 0 0 0,84 0 0 240,21 0 3 64,48 0 0 9,21 0 1 1,6 0 0 65535,6 0 0 0 -p icmp -m set --match-set TRI-v4-ext-w5frVvhsnpU= dst -j ACCEPT", "-p UDP -m set --match-set TRI-v4-ext-IuSLsD1R-mE= dst -m state --state ESTABLISHED -m connmark --mark 61167 -j ACCEPT", "-m set --match-set TRI-v4-TargetTCP dst -p tcp -m tcp --tcp-flags FIN FIN -j ACCEPT", "-m set --match-set TRI-v4-TargetTCP dst -p tcp -j HMARK --hmark-tuple sport,dport --hmark-mod 4 --hmark-offset 40 --hmark-rnd 0xdeadbeef", "-p udp -m set --match-set TRI-v4-TargetUDP dst -j HMARK --hmark-tuple sport,dport --hmark-mod 4 --hmark-offset 40 --hmark-rnd 0xdeadbeef", "-m mark --mark 40 -j NFQUEUE --queue-num 0 --queue-bypass", "-m mark --mark 41 -j NFQUEUE --queue-num 1 --queue-bypass", "-m mark --mark 42 -j NFQUEUE --queue-num 2 --queue-bypass", "-m mark --mark 43 -j NFQUEUE --queue-num 3 --queue-bypass",
			"-p tcp -m state --state ESTABLISHED -m comment --comment TCP-Established-Connections -j ACCEPT", "-p udp -m state --state ESTABLISHED -m comment --comment UDP-Established-Connections -j ACCEPT", "-d 0.0.0.0/0 -m state --state NEW -j NFLOG --nflog-group 10 --nflog-prefix 913787369:default:default:6",
			"-d 0.0.0.0/0 -m state ! --state NEW -j NFLOG --nflog-group 10 --nflog-prefix 913787369:default:default:10", "-d 0.0.0.0/0 -j DROP"},
	}

	expectedMangleAfterPUInsertWithExtensionsV4 = map[string][]string{
		"TRI-Nfq-IN": {"-j HMARK --hmark-tuple dport,sport --hmark-mod 4 --hmark-offset 67 --hmark-rnd 0xdeadbeef",
			"-m mark --mark 67 -j NFQUEUE --queue-num 0 --queue-bypass",
			"-m mark --mark 68 -j NFQUEUE --queue-num 1 --queue-bypass",
			"-m mark --mark 69 -j NFQUEUE --queue-num 2 --queue-bypass",
			"-m mark --mark 70 -j NFQUEUE --queue-num 3 --queue-bypass"},
		"TRI-Nfq-OUT": {"-j HMARK --hmark-tuple sport,dport --hmark-mod 4 --hmark-offset 0 --hmark-rnd 0xdeadbeef",
			"-m mark --mark 0 -j NFQUEUE --queue-num 0 --queue-bypass",
			"-m mark --mark 1 -j NFQUEUE --queue-num 1 --queue-bypass",
			"-m mark --mark 2 -j NFQUEUE --queue-num 2 --queue-bypass",
			"-m mark --mark 3 -j NFQUEUE --queue-num 3 --queue-bypass"},
		"INPUT": {
			"-m set ! --match-set TRI-v4-Excluded src -j TRI-Net",
		},
		"OUTPUT": {
			"-m set ! --match-set TRI-v4-Excluded dst -j TRI-App",
		},
		"TRI-App": {
			"-m mark --mark 66 -j CONNMARK --set-mark 61167", "-p tcp -m mark --mark 66 -j ACCEPT", "-p udp --dport 53 -m mark --mark 0x40 -m cgroup --cgroup 1536 -j CONNMARK --set-mark 61167", "-p udp --dport 53 -m mark --mark 0x40 -j CONNMARK --set-mark 61167", "-j TRI-Prx-App", "-m connmark --mark 61167 -j ACCEPT", "-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP", "-m connmark --mark 61166 -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT",
			"-m connmark --mark 61166 -p udp -j ACCEPT", "-m mark --mark 1073741922 -j ACCEPT", "-p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-OUT",
			"-j TRI-Pid-App", "-j TRI-Svc-App", "-j TRI-Hst-App"},
		"TRI-Net": {
			"-j TRI-Prx-Net", "-p tcp -m mark --mark 66 -j CONNMARK --set-mark 61167", "-p tcp -m mark --mark 66 -j ACCEPT", "-m connmark --mark 61167 -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT", "-m set --match-set TRI-v4-TargetTCP src -p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-IN",
			"-p udp -m string --string n30njxq7bmiwr6dtxq --algo bm --to 65535 -j TRI-Nfq-IN", "-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP",
			"-m connmark --mark 61166 -p udp -j ACCEPT", "-j TRI-Pid-Net", "-j TRI-Svc-Net", "-j TRI-Hst-Net"},
		"TRI-Pid-App": {
			"-m cgroup --cgroup 10 -m comment --comment PU-Chain -j MARK --set-mark 10",
			"-m mark --mark 10 -m comment --comment PU-Chain -j TRI-App-pu1N7uS6--0"},
		"TRI-Pid-Net": {
			"-p tcp -m multiport --destination-ports 9000 -m comment --comment PU-Chain -j TRI-Net-pu1N7uS6--0",
			"-p udp -m multiport --destination-ports 5000 -m comment --comment PU-Chain -j TRI-Net-pu1N7uS6--0",
		},
		"TRI-Prx-App": {
			"-m mark --mark 0x40 -j ACCEPT",
			"-p tcp -m tcp --sport 0 -j ACCEPT",
			"-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-srv src -j ACCEPT",
			"-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-dst dst,dst -m mark ! --mark 0x40 -j ACCEPT",
			"-p udp -m udp --sport 0 -j ACCEPT",
		},
		"TRI-Prx-Net": {
			"-m mark --mark 0x40 -j ACCEPT",
			"-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-dst src,src -j ACCEPT",
			"-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-srv src -m addrtype --src-type LOCAL -j ACCEPT",
			"-p tcp -m tcp --dport 0 -j ACCEPT",
			"-p udp -m udp --dport 0 -j ACCEPT",
		},
		"TRI-Hst-App": {},
		"TRI-Hst-Net": {},
		"TRI-Svc-App": {},
		"TRI-Svc-Net": {},

		"TRI-Net-pu1N7uS6--0": {
			"-p tcp -m tcp --tcp-option 34 -m tcp --tcp-flags FIN,RST,URG,PSH NONE -j TRI-Nfq-IN",
			"-p UDP -m set --match-set TRI-v4-ext-6zlJIvP3B68= src -m state --state ESTABLISHED -m connmark --mark 61167 -j ACCEPT",
			"-p TCP -m set --match-set TRI-v4-ext-w5frVvhsnpU= src -m state --state NEW --match multiport --dports 80 -j DROP",
			"-p UDP -m set --match-set TRI-v4-ext-IuSLsD1R-mE= src -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 --match multiport --dports 443 -j CONNMARK --set-mark 61167",
			"-p UDP -m set --match-set TRI-v4-ext-IuSLsD1R-mE= src -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 --match multiport --dports 443 -j ACCEPT",
			"-p tcp -m set --match-set TRI-v4-TargetTCP src -m tcp --tcp-flags SYN NONE -j TRI-Nfq-IN",
			"-p udp -m set --match-set TRI-v4-TargetUDP src --match limit --limit 1000/s -j TRI-Nfq-IN",
			"-p tcp -m state --state ESTABLISHED -m comment --comment TCP-Established-Connections -j ACCEPT",
			"-s 0.0.0.0/0 -m state --state NEW -j NFLOG --nflog-group 11 --nflog-prefix 913787369:default:default:6",
			"-s 0.0.0.0/0 -m state ! --state NEW -j NFLOG --nflog-group 11 --nflog-prefix 913787369:default:default:10",
			"-s 0.0.0.0/0 -j DROP",
		},
		"TRI-App-pu1N7uS6--0": {
			"-p UDP -m set --match-set TRI-v4-ext-6zlJIvP3B68= dst --match multiport --dports 443 -m bpf --bytecode 20,0 0 0 0,177 0 0 0,12 0 0 0,7 0 0 0,72 0 0 4,53 0 13 29,135 0 0 0,4 0 0 8,7 0 0 0,72 0 0 2,84 0 0 64655,21 0 7 0,72 0 0 4,21 0 5 1,64 0 0 6,21 0 3 0,72 0 0 10,37 1 0 1,6 0 0 0,6 0 0 65535 -j DROP", "-p TCP -m set --match-set TRI-v4-ext-uNdc0vdcFZA= dst -m state --state NEW --match multiport --dports 80 -j DROP", "-p UDP -m set --match-set TRI-v4-ext-6zlJIvP3B68= dst -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 -m set ! --match-set TRI-v4-TargetUDP dst --match multiport --dports 443 -j CONNMARK --set-mark 61167", "-p UDP -m set --match-set TRI-v4-ext-6zlJIvP3B68= dst -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 -m set ! --match-set TRI-v4-TargetUDP dst --match multiport --dports 443 -j ACCEPT", "-m bpf --bytecode 7,48 0 0 0,84 0 0 240,21 0 3 64,48 0 0 9,21 0 1 1,6 0 0 65535,6 0 0 0 -p icmp -m set --match-set TRI-v4-ext-w5frVvhsnpU= dst -j ACCEPT", "-p UDP -m set --match-set TRI-v4-ext-IuSLsD1R-mE= dst -m state --state ESTABLISHED -m connmark --mark 61167 -j ACCEPT", "-m set --match-set TRI-v4-TargetTCP dst -p tcp -m tcp --tcp-flags FIN FIN -j ACCEPT", "-m set --match-set TRI-v4-TargetTCP dst -p tcp -j HMARK --hmark-tuple sport,dport --hmark-mod 4 --hmark-offset 40 --hmark-rnd 0xdeadbeef", "-p udp -m set --match-set TRI-v4-TargetUDP dst -j HMARK --hmark-tuple sport,dport --hmark-mod 4 --hmark-offset 40 --hmark-rnd 0xdeadbeef", "-m mark --mark 40 -j NFQUEUE --queue-num 0 --queue-bypass", "-m mark --mark 41 -j NFQUEUE --queue-num 1 --queue-bypass", "-m mark --mark 42 -j NFQUEUE --queue-num 2 --queue-bypass",
			"-m mark --mark 43 -j NFQUEUE --queue-num 3 --queue-bypass", "-p tcp -m state --state ESTABLISHED -m comment --comment TCP-Established-Connections -j ACCEPT", "-p udp -m state --state ESTABLISHED -m comment --comment UDP-Established-Connections -j ACCEPT",
			"-d 0.0.0.0/0 -m state --state NEW -j NFLOG --nflog-group 10 --nflog-prefix 913787369:default:default:6", "-d 0.0.0.0/0 -m state ! --state NEW -j NFLOG --nflog-group 10 --nflog-prefix 913787369:default:default:10", "-d 0.0.0.0/0 -j DROP"},
	}

	expectedMangleAfterPUInsertWithExtensionsAndLogV4 = map[string][]string{
		"TRI-Nfq-IN": {"-j HMARK --hmark-tuple dport,sport --hmark-mod 4 --hmark-offset 67 --hmark-rnd 0xdeadbeef",
			"-m mark --mark 67 -j NFQUEUE --queue-num 0 --queue-bypass",
			"-m mark --mark 68 -j NFQUEUE --queue-num 1 --queue-bypass",
			"-m mark --mark 69 -j NFQUEUE --queue-num 2 --queue-bypass",
			"-m mark --mark 70 -j NFQUEUE --queue-num 3 --queue-bypass"},
		"TRI-Nfq-OUT": {"-j HMARK --hmark-tuple sport,dport --hmark-mod 4 --hmark-offset 0 --hmark-rnd 0xdeadbeef",
			"-m mark --mark 0 -j NFQUEUE --queue-num 0 --queue-bypass",
			"-m mark --mark 1 -j NFQUEUE --queue-num 1 --queue-bypass",
			"-m mark --mark 2 -j NFQUEUE --queue-num 2 --queue-bypass",
			"-m mark --mark 3 -j NFQUEUE --queue-num 3 --queue-bypass"},
		"INPUT": {
			"-m set ! --match-set TRI-v4-Excluded src -j TRI-Net",
		},
		"OUTPUT": {
			"-m set ! --match-set TRI-v4-Excluded dst -j TRI-App",
		},
		"TRI-App": {
			"-m mark --mark 66 -j CONNMARK --set-mark 61167", "-p tcp -m mark --mark 66 -j ACCEPT", "-p udp --dport 53 -m mark --mark 0x40 -m cgroup --cgroup 1536 -j CONNMARK --set-mark 61167", "-p udp --dport 53 -m mark --mark 0x40 -j CONNMARK --set-mark 61167", "-j TRI-Prx-App", "-m connmark --mark 61167 -j ACCEPT", "-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP", "-m connmark --mark 61166 -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT", "-m connmark --mark 61166 -p udp -j ACCEPT",
			"-m mark --mark 1073741922 -j ACCEPT", "-p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-OUT",
			"-j TRI-Pid-App", "-j TRI-Svc-App", "-j TRI-Hst-App"},
		"TRI-Net": {
			"-j TRI-Prx-Net", "-p tcp -m mark --mark 66 -j CONNMARK --set-mark 61167", "-p tcp -m mark --mark 66 -j ACCEPT", "-m connmark --mark 61167 -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT", "-m set --match-set TRI-v4-TargetTCP src -p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-IN",
			"-p udp -m string --string n30njxq7bmiwr6dtxq --algo bm --to 65535 -j TRI-Nfq-IN", "-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP",
			"-m connmark --mark 61166 -p udp -j ACCEPT", "-j TRI-Pid-Net", "-j TRI-Svc-Net", "-j TRI-Hst-Net"},
		"TRI-Pid-App": {
			"-m cgroup --cgroup 10 -m comment --comment PU-Chain -j MARK --set-mark 10",
			"-m mark --mark 10 -m comment --comment PU-Chain -j TRI-App-pu1N7uS6--0"},
		"TRI-Pid-Net": {
			"-p tcp -m multiport --destination-ports 9000 -m comment --comment PU-Chain -j TRI-Net-pu1N7uS6--0",
			"-p udp -m multiport --destination-ports 5000 -m comment --comment PU-Chain -j TRI-Net-pu1N7uS6--0",
		},
		"TRI-Prx-App": {
			"-m mark --mark 0x40 -j ACCEPT",
			"-p tcp -m tcp --sport 0 -j ACCEPT",
			"-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-srv src -j ACCEPT",
			"-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-dst dst,dst -m mark ! --mark 0x40 -j ACCEPT",
			"-p udp -m udp --sport 0 -j ACCEPT",
		},
		"TRI-Prx-Net": {
			"-m mark --mark 0x40 -j ACCEPT",
			"-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-dst src,src -j ACCEPT",
			"-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-srv src -m addrtype --src-type LOCAL -j ACCEPT",
			"-p tcp -m tcp --dport 0 -j ACCEPT",
			"-p udp -m udp --dport 0 -j ACCEPT",
		},
		"TRI-Hst-App": {},
		"TRI-Hst-Net": {},
		"TRI-Svc-App": {},
		"TRI-Svc-Net": {},

		"TRI-Net-pu1N7uS6--0": {
			"-p tcp -m tcp --tcp-option 34 -m tcp --tcp-flags FIN,RST,URG,PSH NONE -j TRI-Nfq-IN",
			"-p UDP -m set --match-set TRI-v4-ext-6zlJIvP3B68= src -m state --state ESTABLISHED -m connmark --mark 61167 -j ACCEPT",
			"-p TCP -m set --match-set TRI-v4-ext-w5frVvhsnpU= src -m state --state NEW --match multiport --dports 80 -j DROP",
			"-p UDP -m set --match-set TRI-v4-ext-IuSLsD1R-mE= src -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 --match multiport --dports 443 -j CONNMARK --set-mark 61167",
			"-p UDP -m set --match-set TRI-v4-ext-IuSLsD1R-mE= src -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 --match multiport --dports 443 -j ACCEPT",
			"-p tcp -m set --match-set TRI-v4-TargetTCP src -m tcp --tcp-flags SYN NONE -j TRI-Nfq-IN",
			"-p udp -m set --match-set TRI-v4-TargetUDP src --match limit --limit 1000/s -j TRI-Nfq-IN",
			"-p tcp -m state --state ESTABLISHED -m comment --comment TCP-Established-Connections -j ACCEPT",
			"-s 0.0.0.0/0 -m state --state NEW -j NFLOG --nflog-group 11 --nflog-prefix 913787369:default:default:6",
			"-s 0.0.0.0/0 -m state ! --state NEW -j NFLOG --nflog-group 11 --nflog-prefix 913787369:default:default:10",
			"-s 0.0.0.0/0 -j DROP",
		},
		"TRI-App-pu1N7uS6--0": {
			"-p UDP -m set --match-set TRI-v4-ext-6zlJIvP3B68= dst --match multiport --dports 443 -m bpf --bytecode 20,0 0 0 0,177 0 0 0,12 0 0 0,7 0 0 0,72 0 0 4,53 0 13 29,135 0 0 0,4 0 0 8,7 0 0 0,72 0 0 2,84 0 0 64655,21 0 7 0,72 0 0 4,21 0 5 1,64 0 0 6,21 0 3 0,72 0 0 10,37 1 0 1,6 0 0 0,6 0 0 65535 -m state --state NEW -j NFLOG --nflog-group 10 --nflog-prefix 913787369:2:s2:6", "-p UDP -m set --match-set TRI-v4-ext-6zlJIvP3B68= dst --match multiport --dports 443 -m bpf --bytecode 20,0 0 0 0,177 0 0 0,12 0 0 0,7 0 0 0,72 0 0 4,53 0 13 29,135 0 0 0,4 0 0 8,7 0 0 0,72 0 0 2,84 0 0 64655,21 0 7 0,72 0 0 4,21 0 5 1,64 0 0 6,21 0 3 0,72 0 0 10,37 1 0 1,6 0 0 0,6 0 0 65535 -j DROP", "-p TCP -m set --match-set TRI-v4-ext-uNdc0vdcFZA= dst -m state --state NEW --match multiport --dports 80 -j DROP", "-p UDP -m set --match-set TRI-v4-ext-6zlJIvP3B68= dst -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 -m set ! --match-set TRI-v4-TargetUDP dst --match multiport --dports 443 -m state --state NEW -j NFLOG --nflog-group 10 --nflog-prefix 913787369:2:s2:3", "-p UDP -m set --match-set TRI-v4-ext-6zlJIvP3B68= dst -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 -m set ! --match-set TRI-v4-TargetUDP dst --match multiport --dports 443 -j CONNMARK --set-mark 61167", "-p UDP -m set --match-set TRI-v4-ext-6zlJIvP3B68= dst -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 -m set ! --match-set TRI-v4-TargetUDP dst --match multiport --dports 443 -j ACCEPT", "-m bpf --bytecode 7,48 0 0 0,84 0 0 240,21 0 3 64,48 0 0 9,21 0 1 1,6 0 0 65535,6 0 0 0 -p icmp -m set --match-set TRI-v4-ext-w5frVvhsnpU= dst -j ACCEPT", "-p UDP -m set --match-set TRI-v4-ext-IuSLsD1R-mE= dst -m state --state ESTABLISHED -m connmark --mark 61167 -j ACCEPT", "-m set --match-set TRI-v4-TargetTCP dst -p tcp -m tcp --tcp-flags FIN FIN -j ACCEPT", "-m set --match-set TRI-v4-TargetTCP dst -p tcp -j HMARK --hmark-tuple sport,dport --hmark-mod 4 --hmark-offset 40 --hmark-rnd 0xdeadbeef", "-p udp -m set --match-set TRI-v4-TargetUDP dst -j HMARK --hmark-tuple sport,dport --hmark-mod 4 --hmark-offset 40 --hmark-rnd 0xdeadbeef", "-m mark --mark 40 -j NFQUEUE --queue-num 0 --queue-bypass", "-m mark --mark 41 -j NFQUEUE --queue-num 1 --queue-bypass", "-m mark --mark 42 -j NFQUEUE --queue-num 2 --queue-bypass", "-m mark --mark 43 -j NFQUEUE --queue-num 3 --queue-bypass",
			"-p tcp -m state --state ESTABLISHED -m comment --comment TCP-Established-Connections -j ACCEPT", "-p udp -m state --state ESTABLISHED -m comment --comment UDP-Established-Connections -j ACCEPT", "-d 0.0.0.0/0 -m state --state NEW -j NFLOG --nflog-group 10 --nflog-prefix 913787369:default:default:6",
			"-d 0.0.0.0/0 -m state ! --state NEW -j NFLOG --nflog-group 10 --nflog-prefix 913787369:default:default:10", "-d 0.0.0.0/0 -j DROP"},
	}

	expectedNATAfterPUInsertV4 = map[string][]string{
		"PREROUTING": {
			"-p tcp -m addrtype --dst-type LOCAL -m set ! --match-set TRI-v4-Excluded src -j TRI-Redir-Net",
		},
		"OUTPUT": {
			"-m set ! --match-set TRI-v4-Excluded dst -j TRI-Redir-App",
		},
		"TRI-Redir-App": {
			"-m mark --mark 0x40 -j RETURN",
			"-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-dst dst,dst -m mark ! --mark 0x40 -m cgroup --cgroup 10 -j REDIRECT --to-ports 0",
			"-d 0.0.0.0/0 -p udp --dport 53 -m mark ! --mark 0x40 -m cgroup --cgroup 10 -j CONNMARK --save-mark",
			"-d 0.0.0.0/0 -p udp --dport 53 -m mark ! --mark 0x40 -m cgroup --cgroup 10 -j REDIRECT --to-ports 0",
		},
		"TRI-Redir-Net": {
			"-m mark --mark 0x40 -j ACCEPT",
			"-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-srv dst -m mark ! --mark 0x40 -j REDIRECT --to-ports 0",
		},
		"POSTROUTING": {
			"-p udp -m addrtype --src-type LOCAL -m multiport --source-ports 5000 -j ACCEPT",
		},
	}
	expectedNATAfterPUInsertV4Istio = map[string][]string{
		"PREROUTING": {
			"-p tcp -m addrtype --dst-type LOCAL -m set ! --match-set TRI-v4-Excluded src -j TRI-Redir-Net",
		},
		"OUTPUT": {
			"-m set ! --match-set TRI-v4-Excluded dst -j TRI-Redir-App",
			"-p tcp -m mark --mark 68 -j ACCEPT",
		},
		"TRI-Redir-App": {
			"-m mark --mark 0x40 -j RETURN",
			"-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-dst dst,dst -m mark ! --mark 0x40 -m cgroup --cgroup 10 -j REDIRECT --to-ports 0",
			"-d 0.0.0.0/0 -p udp --dport 53 -m mark ! --mark 0x40 -m cgroup --cgroup 10 -j CONNMARK --save-mark",
			"-d 0.0.0.0/0 -p udp --dport 53 -m mark ! --mark 0x40 -m cgroup --cgroup 10 -j REDIRECT --to-ports 0",
		},
		"TRI-Redir-Net": {
			"-m mark --mark 0x40 -j ACCEPT",
			"-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-srv dst -m mark ! --mark 0x40 -j REDIRECT --to-ports 0",
		},
		"POSTROUTING": {
			"-p udp -m addrtype --src-type LOCAL -m multiport --source-ports 5000 -j ACCEPT",
		},
	}
	expectedMangleAfterPUUpdateV4 = map[string][]string{
		"TRI-Nfq-IN": {"-j HMARK --hmark-tuple dport,sport --hmark-mod 4 --hmark-offset 67 --hmark-rnd 0xdeadbeef",
			"-m mark --mark 67 -j NFQUEUE --queue-num 0 --queue-bypass",
			"-m mark --mark 68 -j NFQUEUE --queue-num 1 --queue-bypass",
			"-m mark --mark 69 -j NFQUEUE --queue-num 2 --queue-bypass",
			"-m mark --mark 70 -j NFQUEUE --queue-num 3 --queue-bypass"},
		"TRI-Nfq-OUT": {"-j HMARK --hmark-tuple sport,dport --hmark-mod 4 --hmark-offset 0 --hmark-rnd 0xdeadbeef",
			"-m mark --mark 0 -j NFQUEUE --queue-num 0 --queue-bypass",
			"-m mark --mark 1 -j NFQUEUE --queue-num 1 --queue-bypass",
			"-m mark --mark 2 -j NFQUEUE --queue-num 2 --queue-bypass",
			"-m mark --mark 3 -j NFQUEUE --queue-num 3 --queue-bypass"},
		"INPUT": {
			"-m set ! --match-set TRI-v4-Excluded src -j TRI-Net",
		},
		"OUTPUT": {
			"-m set ! --match-set TRI-v4-Excluded dst -j TRI-App",
		},
		"TRI-App": {
			"-m mark --mark 66 -j CONNMARK --set-mark 61167",
			"-p tcp -m mark --mark 66 -j ACCEPT", "-p udp --dport 53 -m mark --mark 0x40 -m cgroup --cgroup 1536 -j CONNMARK --set-mark 61167", "-p udp --dport 53 -m mark --mark 0x40 -j CONNMARK --set-mark 61167", "-j TRI-Prx-App", "-m connmark --mark 61167 -j ACCEPT", "-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP", "-m connmark --mark 61166 -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT", "-m connmark --mark 61166 -p udp -j ACCEPT", "-m mark --mark 1073741922 -j ACCEPT",
			"-p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-OUT",
			"-j TRI-Pid-App", "-j TRI-Svc-App", "-j TRI-Hst-App"},
		"TRI-Net": {
			"-j TRI-Prx-Net", "-p tcp -m mark --mark 66 -j CONNMARK --set-mark 61167", "-p tcp -m mark --mark 66 -j ACCEPT", "-m connmark --mark 61167 -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT", "-m set --match-set TRI-v4-TargetTCP src -p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-IN", "-p udp -m string --string n30njxq7bmiwr6dtxq --algo bm --to 65535 -j TRI-Nfq-IN", "-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP", "-m connmark --mark 61166 -p udp -j ACCEPT", "-j TRI-Pid-Net", "-j TRI-Svc-Net", "-j TRI-Hst-Net"},
		"TRI-Pid-App": {
			"-m cgroup --cgroup 10 -m comment --comment PU-Chain -j MARK --set-mark 10",
			"-m mark --mark 10 -m comment --comment PU-Chain -j TRI-App-pu1N7uS6--1"},
		"TRI-Pid-Net": {
			"-p tcp -m set --match-set TRI-v4-ProcPort-pu19gtV dst -m comment --comment PU-Chain -j TRI-Net-pu1N7uS6--1",
		},
		"TRI-Prx-App": {
			"-m mark --mark 0x40 -j ACCEPT",
			"-p tcp -m tcp --sport 0 -j ACCEPT",
			"-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-srv src -j ACCEPT",
			"-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-dst dst,dst -m mark ! --mark 0x40 -j ACCEPT",
			"-p udp -m udp --sport 0 -j ACCEPT",
		},
		"TRI-Prx-Net": {
			"-m mark --mark 0x40 -j ACCEPT",
			"-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-dst src,src -j ACCEPT",
			"-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-srv src -m addrtype --src-type LOCAL -j ACCEPT",
			"-p tcp -m tcp --dport 0 -j ACCEPT",
			"-p udp -m udp --dport 0 -j ACCEPT",
		},
		"TRI-Hst-App": {},
		"TRI-Hst-Net": {},
		"TRI-Svc-App": {},
		"TRI-Svc-Net": {},

		"TRI-Net-pu1N7uS6--1": {
			"-p tcp -m tcp --tcp-option 34 -m tcp --tcp-flags FIN,RST,URG,PSH NONE -j TRI-Nfq-IN",
			"-p TCP -m set --match-set TRI-v4-ext-w5frVvhsnpU= src -m state --state NEW --match multiport --dports 80 -j DROP",
			"-p tcp -m set --match-set TRI-v4-TargetTCP src -m tcp --tcp-flags SYN NONE -j TRI-Nfq-IN",
			"-p udp -m set --match-set TRI-v4-TargetUDP src --match limit --limit 1000/s -j TRI-Nfq-IN",
			"-p tcp -m state --state ESTABLISHED -m comment --comment TCP-Established-Connections -j ACCEPT",
			"-s 0.0.0.0/0 -m state --state NEW -j NFLOG --nflog-group 11 --nflog-prefix 913787369:default:default:6",
			"-s 0.0.0.0/0 -m state ! --state NEW -j NFLOG --nflog-group 11 --nflog-prefix 913787369:default:default:10",
			"-s 0.0.0.0/0 -j DROP"},

		"TRI-App-pu1N7uS6--1": {
			"-p TCP -m set --match-set TRI-v4-ext-uNdc0vdcFZA= dst -m state --state NEW --match multiport --dports 80 -j DROP", "-m set --match-set TRI-v4-TargetTCP dst -p tcp -m tcp --tcp-flags FIN FIN -j ACCEPT", "-m set --match-set TRI-v4-TargetTCP dst -p tcp -j HMARK --hmark-tuple sport,dport --hmark-mod 4 --hmark-offset 40 --hmark-rnd 0xdeadbeef", "-p udp -m set --match-set TRI-v4-TargetUDP dst -j HMARK --hmark-tuple sport,dport --hmark-mod 4 --hmark-offset 40 --hmark-rnd 0xdeadbeef", "-m mark --mark 40 -j NFQUEUE --queue-num 0 --queue-bypass", "-m mark --mark 41 -j NFQUEUE --queue-num 1 --queue-bypass", "-m mark --mark 42 -j NFQUEUE --queue-num 2 --queue-bypass",
			"-m mark --mark 43 -j NFQUEUE --queue-num 3 --queue-bypass", "-p tcp -m state --state ESTABLISHED -m comment --comment TCP-Established-Connections -j ACCEPT", "-p udp -m state --state ESTABLISHED -m comment --comment UDP-Established-Connections -j ACCEPT",
			"-d 0.0.0.0/0 -m state --state NEW -j NFLOG --nflog-group 10 --nflog-prefix 913787369:default:default:6", "-d 0.0.0.0/0 -m state ! --state NEW -j NFLOG --nflog-group 10 --nflog-prefix 913787369:default:default:10", "-d 0.0.0.0/0 -j DROP"},
	}
)

func Test_OperationWithLinuxServicesV4(t *testing.T) {
	Convey("Given an iptables controller with a memory backend ", t, func() {
		cfg := &runtime.Configuration{
			TCPTargetNetworks: []string{"0.0.0.0/0"},
			UDPTargetNetworks: []string{"10.0.0.0/8"},
			ExcludedNetworks:  []string{"127.0.0.1"},
		}

		commitFunc := func(buf *bytes.Buffer) error {
			return nil
		}

		iptv4 := provider.NewCustomBatchProvider(&baseIpt{}, commitFunc, []string{"nat",
			"mangle"})
		So(iptv4, ShouldNotBeNil)

		iptv6 := provider.NewCustomBatchProvider(&baseIpt{}, commitFunc, []string{"nat",
			"mangle"})
		So(iptv6, ShouldNotBeNil)

		ips := &memoryIPSetProvider{sets: map[string]*memoryIPSet{}}
		i, err := createTestInstance(ips, iptv4, iptv6, constants.LocalServer, policy.None)
		So(err, ShouldBeNil)
		So(i, ShouldNotBeNil)

		Convey("When I start the controller, I should get the right global chains and ipsets", func() {
			ctx, cancel := context.WithCancel(context.Background())
			defer cancel()
			err := i.Run(ctx)
			i.SetTargetNetworks(cfg) // nolint
			So(err, ShouldBeNil)

			t := i.iptv4.impl.RetrieveTable()
			So(t, ShouldNotBeNil)
			So(len(t), ShouldEqual, 2)
			So(t["mangle"], ShouldNotBeNil)
			So(t["nat"], ShouldNotBeNil)
			for chain, rules := range t["mangle"] {
				So(expectedGlobalMangleChainsV4, ShouldContainKey, chain)
				So(rules, ShouldResemble, expectedGlobalMangleChainsV4[chain])
			}

			for chain, rules := range t["nat"] {
				So(expectedGlobalNATChainsV4, ShouldContainKey, chain)
				So(rules, ShouldResemble, expectedGlobalNATChainsV4[chain])
			}

			Convey("When I configure a new set of rules, the ACLs must be correct", func() {
				appACLs := policy.IPRuleList{
					policy.IPRule{
						Addresses: []string{"60.0.0.0/24"},
						Ports:     nil,
						Protocols: []string{constants.AllProtoString},
						Policy: &policy.FlowPolicy{
							Action:    policy.Accept | policy.Log,
							ServiceID: "a3",
							PolicyID:  "123a",
						},
					},
					policy.IPRule{
						Addresses: []string{"30.0.0.0/24"},
						Ports:     []string{"80"},
						Protocols: []string{"TCP"},
						Policy: &policy.FlowPolicy{
							Action:    policy.Reject,
							ServiceID: "s1",
							PolicyID:  "1",
						},
					},
					policy.IPRule{
						Addresses: []string{"30.0.0.0/24"},
						Ports:     []string{"443"},
						Protocols: []string{"UDP"},
						Policy: &policy.FlowPolicy{
							Action:    policy.Accept,
							ServiceID: "s2",
							PolicyID:  "2",
						},
					},
					policy.IPRule{
						Addresses: []string{"50.0.0.0/24"},
						Ports:     []string{},
						Protocols: []string{"icmp"},
						Policy: &policy.FlowPolicy{
							Action:    policy.Accept,
							ServiceID: "s3",
							PolicyID:  "3",
						},
					},
					policy.IPRule{
						Addresses: []string{"60.0.0.0/24"},
						Ports:     nil,
						Protocols: []string{constants.AllProtoString},
						Policy: &policy.FlowPolicy{
							Action:    policy.Reject | policy.Log,
							ServiceID: "a3",
							PolicyID:  "123a",
							RuleName:  "rockstars forev",
						},
					},
				}
				netACLs := policy.IPRuleList{
					policy.IPRule{
						Addresses: []string{"60.0.0.0/24"},
						Ports:     nil,
						Protocols: []string{constants.AllProtoString},
						Policy: &policy.FlowPolicy{
							Action:    policy.Accept | policy.Log,
							ServiceID: "a3",
							PolicyID:  "123a",
						},
					},
					policy.IPRule{
						Addresses: []string{"40.0.0.0/24"},
						Ports:     []string{"80"},
						Protocols: []string{"TCP"},
						Policy: &policy.FlowPolicy{
							Action:    policy.Reject,
							ServiceID: "s3",
							PolicyID:  "1",
						},
					},
					policy.IPRule{
						Addresses: []string{"40.0.0.0/24"},
						Ports:     []string{"443"},
						Protocols: []string{"UDP"},
						Policy: &policy.FlowPolicy{
							Action:    policy.Accept,
							ServiceID: "s4",
							PolicyID:  "2",
						},
					},
					policy.IPRule{
						Addresses: []string{"60.0.0.0/24"},
						Ports:     nil,
						Protocols: []string{constants.AllProtoString},
						Policy: &policy.FlowPolicy{
							Action:    policy.Reject | policy.Log,
							ServiceID: "a3",
							PolicyID:  "123a",
						},
					},
				}
				ipl := policy.ExtendedMap{}
				policyrules := policy.NewPUPolicy(
					"Context",
					"/ns1",
					policy.Police,
					appACLs,
					netACLs,
					nil,
					nil,
					nil,
					nil,
					nil,
					nil,
					ipl,
					0,
					0,
					nil,
					nil,
					[]string{},
					policy.EnforcerMapping,
					policy.Reject|policy.Log,
					policy.Reject|policy.Log,
				)
				puInfo := policy.NewPUInfo("Context",
					"/ns1", common.LinuxProcessPU)
				puInfo.Policy = policyrules
				puInfo.Runtime.SetOptions(policy.OptionsType{
					CgroupMark: "10",
				})

				udpPortSpec, err := portspec.NewPortSpecFromString("5000", nil)
				So(err, ShouldBeNil)
				tcpPortSpec, err := portspec.NewPortSpecFromString("9000", nil)
				So(err, ShouldBeNil)

				puInfo.Runtime.SetServices([]common.Service{
					{
						Ports:    udpPortSpec,
						Protocol: 17,
					},
					{
						Ports:    tcpPortSpec,
						Protocol: 6,
					},
				})

				var iprules policy.IPRuleList

				iprules = append(iprules, puInfo.Policy.ApplicationACLs()...)
				iprules = append(iprules, puInfo.Policy.NetworkACLs()...)
				i.iptv4.ipsetmanager.RegisterExternalNets("pu1", iprules) // nolint
				err = i.iptv4.ConfigureRules(0,
					"pu1", puInfo)
				So(err, ShouldBeNil)
				err = i.iptv4.ipsetmanager.AddPortToServerPortSet("pu1",
					"8080")
				So(err, ShouldBeNil)
				t := i.iptv4.impl.RetrieveTable()

				for chain, rules := range t["mangle"] {
					So(expectedMangleAfterPUInsertV4, ShouldContainKey, chain)
					So(rules, ShouldResemble, expectedMangleAfterPUInsertV4[chain])
				}

				for chain, rules := range t["nat"] {
					So(expectedNATAfterPUInsertV4, ShouldContainKey, chain)
					So(rules, ShouldResemble, expectedNATAfterPUInsertV4[chain])
				}

				Convey("When I update the policy, the update must result in correct state", func() {
					appACLs := policy.IPRuleList{
						policy.IPRule{
							Addresses: []string{"30.0.0.0/24"},
							Ports:     []string{"80"},
							Protocols: []string{"TCP"},
							Policy: &policy.FlowPolicy{
								Action:    policy.Reject,
								ServiceID: "s1",
								PolicyID:  "1",
							},
						},
					}
					netACLs := policy.IPRuleList{
						policy.IPRule{
							Addresses: []string{"40.0.0.0/24"},
							Ports:     []string{"80"},
							Protocols: []string{"TCP"},
							Policy: &policy.FlowPolicy{
								Action:    policy.Reject,
								ServiceID: "s3",
								PolicyID:  "1",
							},
						},
					}
					ipl := policy.ExtendedMap{}
					policyrules := policy.NewPUPolicy(
						"Context",
						"/ns1",
						policy.Police,
						appACLs,
						netACLs,
						nil,
						nil,
						nil,
						nil,
						nil,
						nil,
						ipl,
						0,
						0,
						nil,
						nil,
						[]string{},
						policy.EnforcerMapping,
						policy.Reject|policy.Log,
						policy.Reject|policy.Log,
					)
					puInfoUpdated := policy.NewPUInfo("Context",
						"/ns1", common.LinuxProcessPU)
					puInfoUpdated.Policy = policyrules
					puInfoUpdated.Runtime.SetOptions(policy.OptionsType{
						CgroupMark: "10",
					})

					var iprules policy.IPRuleList

					iprules = append(iprules, puInfoUpdated.Policy.ApplicationACLs()...)
					iprules = append(iprules, puInfoUpdated.Policy.NetworkACLs()...)

					i.iptv4.ipsetmanager.RegisterExternalNets("pu1", iprules) // nolint

					err := i.iptv4.UpdateRules(1,
						"pu1", puInfoUpdated, puInfo)
					So(err, ShouldBeNil)

					i.iptv4.ipsetmanager.DestroyUnusedIPsets()

					t := i.iptv4.impl.RetrieveTable()
					for chain, rules := range t["mangle"] {
						So(expectedMangleAfterPUUpdateV4, ShouldContainKey, chain)
						So(rules, ShouldResemble, expectedMangleAfterPUUpdateV4[chain])
					}

					Convey("When I delete the same rule, the chains must be restored in the global state", func() {
						err = i.iptv4.ipsetmanager.DeletePortFromServerPortSet("pu1",
							"8080")
						err := i.iptv4.DeleteRules(1,
							"pu1",
							"0",
							"5000",
							"10",
							"", puInfoUpdated)
						i.iptv4.ipsetmanager.RemoveExternalNets("pu1")
						So(err, ShouldBeNil)
						So(err, ShouldBeNil)
						t := i.iptv4.impl.RetrieveTable()
						So(t["mangle"], ShouldNotBeNil)
						So(t["nat"], ShouldNotBeNil)
						for chain, rules := range t["mangle"] {
							So(expectedGlobalMangleChainsV4, ShouldContainKey, chain)
							So(rules, ShouldResemble, expectedGlobalMangleChainsV4[chain])
						}

						for chain, rules := range t["nat"] {
							if len(rules) > 0 {
								So(expectedGlobalNATChainsV4, ShouldContainKey, chain)
								So(rules, ShouldResemble, expectedGlobalNATChainsV4[chain])
							}
						}
					})
				})
			})
		})
	})
}

func Test_OperationWithLinuxServicesV4Istio(t *testing.T) {
	Convey("Given an iptables controller with a memory backend ", t, func() {
		cfg := &runtime.Configuration{
			TCPTargetNetworks: []string{"0.0.0.0/0"},
			UDPTargetNetworks: []string{"10.0.0.0/8"},
			ExcludedNetworks:  []string{"127.0.0.1"},
		}

		commitFunc := func(buf *bytes.Buffer) error {
			return nil
		}

		iptv4 := provider.NewCustomBatchProvider(&baseIpt{}, commitFunc, []string{"nat",
			"mangle"})
		So(iptv4, ShouldNotBeNil)

		iptv6 := provider.NewCustomBatchProvider(&baseIpt{}, commitFunc, []string{"nat",
			"mangle"})
		So(iptv6, ShouldNotBeNil)

		ips := &memoryIPSetProvider{sets: map[string]*memoryIPSet{}}
		i, err := createTestInstance(ips, iptv4, iptv6, constants.LocalServer, policy.Istio)
		So(err, ShouldBeNil)
		So(i, ShouldNotBeNil)

		Convey("When I start the controller, I should get the right global chains and ipsets", func() {
			ctx, cancel := context.WithCancel(context.Background())
			defer cancel()
			err := i.Run(ctx)
			i.SetTargetNetworks(cfg) // nolint
			So(err, ShouldBeNil)

			t := i.iptv4.impl.RetrieveTable()
			So(t, ShouldNotBeNil)
			So(len(t), ShouldEqual, 2)
			So(t["mangle"], ShouldNotBeNil)
			So(t["nat"], ShouldNotBeNil)
			for chain, rules := range t["mangle"] {
				So(expectedGlobalMangleChainsV4Istio, ShouldContainKey, chain)
				So(rules, ShouldResemble, expectedGlobalMangleChainsV4Istio[chain])
			}

			for chain, rules := range t["nat"] {
				So(expectedGlobalNATChainsV4Istio, ShouldContainKey, chain)
				So(rules, ShouldResemble, expectedGlobalNATChainsV4Istio[chain])
			}
			Convey("When I configure a new PU with ISTIO and new ACLs, all rules must be correct", func() {
				appACLs := policy.IPRuleList{
					policy.IPRule{
						Addresses: []string{"60.0.0.0/24"},
						Ports:     nil,
						Protocols: []string{constants.AllProtoString},
						Policy: &policy.FlowPolicy{
							Action:    policy.Accept | policy.Log,
							ServiceID: "a3",
							PolicyID:  "123a",
						},
					},
					policy.IPRule{
						Addresses: []string{"30.0.0.0/24"},
						Ports:     []string{"80"},
						Protocols: []string{"TCP"},
						Policy: &policy.FlowPolicy{
							Action:    policy.Reject,
							ServiceID: "s1",
							PolicyID:  "1",
						},
					},
					policy.IPRule{
						Addresses: []string{"30.0.0.0/24"},
						Ports:     []string{"443"},
						Protocols: []string{"UDP"},
						Policy: &policy.FlowPolicy{
							Action:    policy.Accept,
							ServiceID: "s2",
							PolicyID:  "2",
						},
					},
					policy.IPRule{
						Addresses: []string{"50.0.0.0/24"},
						Ports:     []string{},
						Protocols: []string{"icmp"},
						Policy: &policy.FlowPolicy{
							Action:    policy.Accept,
							ServiceID: "s3",
							PolicyID:  "3",
						},
					},
					policy.IPRule{
						Addresses: []string{"60.0.0.0/24"},
						Ports:     nil,
						Protocols: []string{constants.AllProtoString},
						Policy: &policy.FlowPolicy{
							Action:    policy.Reject | policy.Log,
							ServiceID: "a3",
							PolicyID:  "123a",
						},
					},
				}
				netACLs := policy.IPRuleList{
					policy.IPRule{
						Addresses: []string{"60.0.0.0/24"},
						Ports:     nil,
						Protocols: []string{constants.AllProtoString},
						Policy: &policy.FlowPolicy{
							Action:    policy.Accept | policy.Log,
							ServiceID: "a3",
							PolicyID:  "123a",
						},
					},
					policy.IPRule{
						Addresses: []string{"40.0.0.0/24"},
						Ports:     []string{"80"},
						Protocols: []string{"TCP"},
						Policy: &policy.FlowPolicy{
							Action:    policy.Reject,
							ServiceID: "s3",
							PolicyID:  "1",
						},
					},
					policy.IPRule{
						Addresses: []string{"40.0.0.0/24"},
						Ports:     []string{"443"},
						Protocols: []string{"UDP"},
						Policy: &policy.FlowPolicy{
							Action:    policy.Accept,
							ServiceID: "s4",
							PolicyID:  "2",
						},
					},
					policy.IPRule{
						Addresses: []string{"60.0.0.0/24"},
						Ports:     nil,
						Protocols: []string{constants.AllProtoString},
						Policy: &policy.FlowPolicy{
							Action:    policy.Reject | policy.Log,
							ServiceID: "a3",
							PolicyID:  "123a",
						},
					},
				}
				ipl := policy.ExtendedMap{}
				policyrules := policy.NewPUPolicy(
					"Context",
					"/ns1",
					policy.Police,
					appACLs,
					netACLs,
					nil,
					nil,
					nil,
					nil,
					nil,
					nil,
					ipl,
					0,
					0,
					nil,
					nil,
					[]string{},
					policy.EnforcerMapping,
					policy.Reject|policy.Log,
					policy.Reject|policy.Log,
				)
				puInfo := policy.NewPUInfo("Context",
					"/ns1", common.LinuxProcessPU)
				puInfo.Policy = policyrules
				puInfo.Runtime.SetOptions(policy.OptionsType{
					CgroupMark: "10",
				})

				udpPortSpec, err := portspec.NewPortSpecFromString("5000", nil)
				So(err, ShouldBeNil)
				tcpPortSpec, err := portspec.NewPortSpecFromString("9000", nil)
				So(err, ShouldBeNil)

				puInfo.Runtime.SetServices([]common.Service{
					{
						Ports:    udpPortSpec,
						Protocol: 17,
					},
					{
						Ports:    tcpPortSpec,
						Protocol: 6,
					},
				})

				var iprules policy.IPRuleList

				iprules = append(iprules, puInfo.Policy.ApplicationACLs()...)
				iprules = append(iprules, puInfo.Policy.NetworkACLs()...)
				i.iptv4.ipsetmanager.RegisterExternalNets("pu1", iprules) // nolint

				err = i.iptv4.ConfigureRules(0,
					"pu1", puInfo)
				So(err, ShouldBeNil)
				err = i.iptv4.ipsetmanager.AddPortToServerPortSet("pu1",
					"8080")
				So(err, ShouldBeNil)
				t := i.iptv4.impl.RetrieveTable()

				for chain, rules := range t["mangle"] {
					So(expectedMangleAfterPUInsertV4Istio, ShouldContainKey, chain)
					So(rules, ShouldResemble, expectedMangleAfterPUInsertV4Istio[chain])
				}

				for chain, rules := range t["nat"] {
					So(expectedNATAfterPUInsertV4Istio, ShouldContainKey, chain)
					So(rules, ShouldResemble, expectedNATAfterPUInsertV4Istio[chain])
				}
			})
		})
	})
}
func Test_Extensions1V4(t *testing.T) {
	Convey("Given an iptables controller with a memory backend with extensions in policy and log disabled", t, func() {
		cfg := &runtime.Configuration{
			TCPTargetNetworks: []string{"0.0.0.0/0"},
			UDPTargetNetworks: []string{"10.0.0.0/8"},
			ExcludedNetworks:  []string{"127.0.0.1"},
		}

		commitFunc := func(buf *bytes.Buffer) error {
			return nil
		}

		iptv4 := provider.NewCustomBatchProvider(&baseIpt{}, commitFunc, []string{"nat",
			"mangle"})
		So(iptv4, ShouldNotBeNil)

		iptv6 := provider.NewCustomBatchProvider(&baseIpt{}, commitFunc, []string{"nat",
			"mangle"})
		So(iptv6, ShouldNotBeNil)

		ips := &memoryIPSetProvider{sets: map[string]*memoryIPSet{}}

		i, err := createTestInstance(ips, iptv4, iptv6, constants.LocalServer, policy.None)
		So(err, ShouldBeNil)
		So(i, ShouldNotBeNil)

		Convey("When I start the controller, I should get the right global chains and ipsets and proper extensions should be configured", func() {
			ctx, cancel := context.WithCancel(context.Background())
			defer cancel()
			err := i.Run(ctx)
			i.SetTargetNetworks(cfg) // nolint
			So(err, ShouldBeNil)

			t := i.iptv4.impl.RetrieveTable()
			So(t, ShouldNotBeNil)
			So(len(t), ShouldEqual, 2)
			So(t["mangle"], ShouldNotBeNil)
			So(t["nat"], ShouldNotBeNil)

			for chain, rules := range t["mangle"] {
				So(expectedGlobalMangleChainsV4, ShouldContainKey, chain)
				So(rules, ShouldResemble, expectedGlobalMangleChainsV4[chain])
			}

			for chain, rules := range t["nat"] {
				So(expectedGlobalNATChainsV4, ShouldContainKey, chain)
				So(rules, ShouldResemble, expectedGlobalNATChainsV4[chain])
			}

			Convey("When I configure a new set of rules, the ACLs must be correct", func() {
				appACLs := policy.IPRuleList{
					policy.IPRule{
						Addresses: []string{"30.0.0.0/24"},
						Ports:     []string{"80"},
						Protocols: []string{"TCP"},
						Policy: &policy.FlowPolicy{
							Action:    policy.Reject,
							ServiceID: "s1",
							PolicyID:  "1",
						},
					},
					policy.IPRule{
						Addresses: []string{"30.0.0.0/24"},
						Ports:     []string{"443"},
						Protocols: []string{"UDP"},
						Policy: &policy.FlowPolicy{
							Action:    policy.Accept,
							ServiceID: "s2",
							PolicyID:  "2",
						},
						Extensions: []string{"--match multiport --dports 443 -m bpf --bytecode 20,0 0 0 0,177 0 0 0,12 0 0 0,7 0 0 0,72 0 0 4,53 0 13 29,135 0 0 0,4 0 0 8,7 0 0 0,72 0 0 2,84 0 0 64655,21 0 7 0,72 0 0 4,21 0 5 1,64 0 0 6,21 0 3 0,72 0 0 10,37 1 0 1,6 0 0 0,6 0 0 65535 -j DROP"},
					},
					policy.IPRule{
						Addresses: []string{"50.0.0.0/24"},
						Ports:     []string{},
						Protocols: []string{"icmp"},
						Policy: &policy.FlowPolicy{
							Action:    policy.Accept,
							ServiceID: "s3",
							PolicyID:  "3",
						},
					},
				}
				netACLs := policy.IPRuleList{
					policy.IPRule{
						Addresses: []string{"40.0.0.0/24"},
						Ports:     []string{"80"},
						Protocols: []string{"TCP"},
						Policy: &policy.FlowPolicy{
							Action:    policy.Reject,
							ServiceID: "s3",
							PolicyID:  "1",
						},
					},
					policy.IPRule{
						Addresses: []string{"40.0.0.0/24"},
						Ports:     []string{"443"},
						Protocols: []string{"UDP"},
						Policy: &policy.FlowPolicy{
							Action:    policy.Accept,
							ServiceID: "s4",
							PolicyID:  "2",
						},
					},
				}
				ipl := policy.ExtendedMap{}
				policyrules := policy.NewPUPolicy(
					"Context",
					"/ns1",
					policy.Police,
					appACLs,
					netACLs,
					nil,
					nil,
					nil,
					nil,
					nil,
					nil,
					ipl,
					0,
					0,
					nil,
					nil,
					[]string{},
					policy.EnforcerMapping,
					policy.Reject|policy.Log,
					policy.Reject|policy.Log,
				)
				puInfo := policy.NewPUInfo("Context",
					"/ns1", common.LinuxProcessPU)
				puInfo.Policy = policyrules
				puInfo.Runtime.SetOptions(policy.OptionsType{
					CgroupMark: "10",
				})

				udpPortSpec, err := portspec.NewPortSpecFromString("5000", nil)
				So(err, ShouldBeNil)
				tcpPortSpec, err := portspec.NewPortSpecFromString("9000", nil)
				So(err, ShouldBeNil)

				puInfo.Runtime.SetServices([]common.Service{
					{
						Ports:    udpPortSpec,
						Protocol: 17,
					},
					{
						Ports:    tcpPortSpec,
						Protocol: 6,
					},
				})

				var iprules policy.IPRuleList
				iprules = append(iprules, puInfo.Policy.ApplicationACLs()...)
				iprules = append(iprules, puInfo.Policy.NetworkACLs()...)

				i.iptv4.ipsetmanager.RegisterExternalNets("pu1", iprules) // nolint

				err = i.iptv4.ConfigureRules(0,
					"pu1", puInfo)
				So(err, ShouldBeNil)
				err = i.iptv4.ipsetmanager.AddPortToServerPortSet("pu1",
					"8080")
				So(err, ShouldBeNil)
				t := i.iptv4.impl.RetrieveTable()

				for chain, rules := range t["mangle"] {
					So(expectedMangleAfterPUInsertWithExtensionsV4, ShouldContainKey, chain)
					So(rules, ShouldResemble, expectedMangleAfterPUInsertWithExtensionsV4[chain])
				}

				for chain, rules := range t["nat"] {
					So(expectedNATAfterPUInsertV4, ShouldContainKey, chain)
					So(rules, ShouldResemble, expectedNATAfterPUInsertV4[chain])
				}

			})
		})
	})
}

func Test_Extensions2V4(t *testing.T) {

	Convey("Given an iptables controller with a memory backend with bad extensions in policy and log enabled", t, func() {
		cfg := &runtime.Configuration{
			TCPTargetNetworks: []string{"0.0.0.0/0"},
			UDPTargetNetworks: []string{"10.0.0.0/8"},
			ExcludedNetworks:  []string{"127.0.0.1"},
		}

		commitFunc := func(buf *bytes.Buffer) error {
			return nil
		}

		iptv4 := provider.NewCustomBatchProvider(&baseIpt{}, commitFunc, []string{"nat",
			"mangle"})
		So(iptv4, ShouldNotBeNil)

		iptv6 := provider.NewCustomBatchProvider(&baseIpt{}, commitFunc, []string{"nat",
			"mangle"})
		So(iptv6, ShouldNotBeNil)

		ips := &memoryIPSetProvider{sets: map[string]*memoryIPSet{}}

		i, err := createTestInstance(ips, iptv4, iptv6, constants.LocalServer, policy.None)
		So(err, ShouldBeNil)
		So(i, ShouldNotBeNil)

		Convey("When I start the controller, I should get the right global chains and ipsets and proper drop extension should be configured", func() {
			ctx, cancel := context.WithCancel(context.Background())
			defer cancel()
			err := i.Run(ctx)
			i.SetTargetNetworks(cfg) // nolint
			So(err, ShouldBeNil)

			t := i.iptv4.impl.RetrieveTable()
			So(t, ShouldNotBeNil)
			So(len(t), ShouldEqual, 2)
			So(t["mangle"], ShouldNotBeNil)
			So(t["nat"], ShouldNotBeNil)

			for chain, rules := range t["mangle"] {
				So(expectedGlobalMangleChainsV4, ShouldContainKey, chain)
				So(rules, ShouldResemble, expectedGlobalMangleChainsV4[chain])
			}

			for chain, rules := range t["nat"] {
				So(expectedGlobalNATChainsV4, ShouldContainKey, chain)
				So(rules, ShouldResemble, expectedGlobalNATChainsV4[chain])
			}

			Convey("When I configure a new set of rules, the ACLs must be correct", func() {
				appACLs := policy.IPRuleList{
					policy.IPRule{
						Addresses: []string{"30.0.0.0/24"},
						Ports:     []string{"80"},
						Protocols: []string{"TCP"},
						Policy: &policy.FlowPolicy{
							Action:    policy.Reject,
							ServiceID: "s1",
							PolicyID:  "1",
						},
					},
					policy.IPRule{
						Addresses: []string{"30.0.0.0/24"},
						Ports:     []string{"443"},
						Protocols: []string{"UDP"},
						Policy: &policy.FlowPolicy{
							Action:    policy.Accept | policy.Log,
							ServiceID: "s2",
							PolicyID:  "2",
						},
						Extensions: []string{" -j DROP"},
					},
					policy.IPRule{
						Addresses: []string{"50.0.0.0/24"},
						Ports:     []string{},
						Protocols: []string{"icmp"},
						Policy: &policy.FlowPolicy{
							Action:    policy.Accept,
							ServiceID: "s3",
							PolicyID:  "3",
						},
					},
				}
				netACLs := policy.IPRuleList{
					policy.IPRule{
						Addresses: []string{"40.0.0.0/24"},
						Ports:     []string{"80"},
						Protocols: []string{"TCP"},
						Policy: &policy.FlowPolicy{
							Action:    policy.Reject,
							ServiceID: "s3",
							PolicyID:  "1",
						},
					},
					policy.IPRule{
						Addresses: []string{"40.0.0.0/24"},
						Ports:     []string{"443"},
						Protocols: []string{"UDP"},
						Policy: &policy.FlowPolicy{
							Action:    policy.Accept,
							ServiceID: "s4",
							PolicyID:  "2",
						},
					},
				}
				ipl := policy.ExtendedMap{}
				policyrules := policy.NewPUPolicy(
					"Context",
					"/ns1",
					policy.Police,
					appACLs,
					netACLs,
					nil,
					nil,
					nil,
					nil,
					nil,
					nil,
					ipl,
					0,
					0,
					nil,
					nil,
					[]string{},
					policy.EnforcerMapping,
					policy.Reject|policy.Log,
					policy.Reject|policy.Log,
				)
				puInfo := policy.NewPUInfo("Context",
					"/ns1", common.LinuxProcessPU)
				puInfo.Policy = policyrules
				puInfo.Runtime.SetOptions(policy.OptionsType{
					CgroupMark: "10",
				})

				udpPortSpec, err := portspec.NewPortSpecFromString("5000", nil)
				So(err, ShouldBeNil)
				tcpPortSpec, err := portspec.NewPortSpecFromString("9000", nil)
				So(err, ShouldBeNil)

				puInfo.Runtime.SetServices([]common.Service{
					{
						Ports:    udpPortSpec,
						Protocol: 17,
					},
					{
						Ports:    tcpPortSpec,
						Protocol: 6,
					},
				})

				var iprules policy.IPRuleList
				iprules = append(iprules, puInfo.Policy.ApplicationACLs()...)
				iprules = append(iprules, puInfo.Policy.NetworkACLs()...)
				i.iptv4.ipsetmanager.RegisterExternalNets("pu1", iprules) // nolint

				err = i.iptv4.ConfigureRules(0,
					"pu1", puInfo)
				So(err, ShouldBeNil)
				err = i.iptv4.ipsetmanager.AddPortToServerPortSet("pu1",
					"8080")
				So(err, ShouldBeNil)
				t := i.iptv4.impl.RetrieveTable()

				for chain, rules := range t["mangle"] {
					So(expectedMangleAfterPUInsertWithLogV4, ShouldContainKey, chain)
					So(rules, ShouldResemble, expectedMangleAfterPUInsertWithLogV4[chain])
				}

				for chain, rules := range t["nat"] {
					So(expectedNATAfterPUInsertV4, ShouldContainKey, chain)
					So(rules, ShouldResemble, expectedNATAfterPUInsertV4[chain])
				}

			})
		})
	})
}

func Test_Extensions3V4(t *testing.T) {

	Convey("Given an iptables controller with a memory backend with extensions in policy and log enabled", t, func() {
		cfg := &runtime.Configuration{
			TCPTargetNetworks: []string{"0.0.0.0/0"},
			UDPTargetNetworks: []string{"10.0.0.0/8"},
			ExcludedNetworks:  []string{"127.0.0.1"},
		}

		commitFunc := func(buf *bytes.Buffer) error {
			return nil
		}

		iptv4 := provider.NewCustomBatchProvider(&baseIpt{}, commitFunc, []string{"nat",
			"mangle"})
		So(iptv4, ShouldNotBeNil)

		iptv6 := provider.NewCustomBatchProvider(&baseIpt{}, commitFunc, []string{"nat",
			"mangle"})
		So(iptv6, ShouldNotBeNil)

		ips := &memoryIPSetProvider{sets: map[string]*memoryIPSet{}}
		i, err := createTestInstance(ips, iptv4, iptv6, constants.LocalServer, policy.None)
		So(err, ShouldBeNil)
		So(i, ShouldNotBeNil)

		Convey("When I start the controller, I should get the right global chains and ipsets and proper drop extension should be configured", func() {
			ctx, cancel := context.WithCancel(context.Background())
			defer cancel()
			err := i.Run(ctx)
			i.SetTargetNetworks(cfg) // nolint
			So(err, ShouldBeNil)

			t := i.iptv4.impl.RetrieveTable()
			So(t, ShouldNotBeNil)
			So(len(t), ShouldEqual, 2)
			So(t["mangle"], ShouldNotBeNil)
			So(t["nat"], ShouldNotBeNil)

			for chain, rules := range t["mangle"] {
				So(expectedGlobalMangleChainsV4, ShouldContainKey, chain)
				So(rules, ShouldResemble, expectedGlobalMangleChainsV4[chain])
			}

			for chain, rules := range t["nat"] {
				So(expectedGlobalNATChainsV4, ShouldContainKey, chain)
				So(rules, ShouldResemble, expectedGlobalNATChainsV4[chain])
			}

			Convey("When I configure a new set of rules, the ACLs must be correct", func() {
				appACLs := policy.IPRuleList{
					policy.IPRule{
						Addresses: []string{"30.0.0.0/24"},
						Ports:     []string{"80"},
						Protocols: []string{"TCP"},
						Policy: &policy.FlowPolicy{
							Action:    policy.Reject,
							ServiceID: "s1",
							PolicyID:  "1",
						},
					},
					policy.IPRule{
						Addresses: []string{"30.0.0.0/24"},
						Ports:     []string{"443"},
						Protocols: []string{"UDP"},
						Policy: &policy.FlowPolicy{
							// Log enabled.
							Action:    policy.Accept | policy.Log,
							ServiceID: "s2",
							PolicyID:  "2",
						},
						Extensions: []string{"--match multiport --dports 443  -m bpf --bytecode 20,0 0 0 0,177 0 0 0,12 0 0 0,7 0 0 0,72 0 0 4,53 0 13 29,135 0 0 0,4 0 0 8,7 0 0 0,72 0 0 2,84 0 0 64655,21 0 7 0,72 0 0 4,21 0 5 1,64 0 0 6,21 0 3 0,72 0 0 10,37 1 0 1,6 0 0 0,6 0 0 65535 -j DROP"},
					},
					policy.IPRule{
						Addresses: []string{"50.0.0.0/24"},
						Ports:     []string{},
						Protocols: []string{"icmp"},
						Policy: &policy.FlowPolicy{
							Action:    policy.Accept,
							ServiceID: "s3",
							PolicyID:  "3",
						},
					},
				}
				netACLs := policy.IPRuleList{
					policy.IPRule{
						Addresses: []string{"40.0.0.0/24"},
						Ports:     []string{"80"},
						Protocols: []string{"TCP"},
						Policy: &policy.FlowPolicy{
							Action:    policy.Reject,
							ServiceID: "s3",
							PolicyID:  "1",
						},
					},
					policy.IPRule{
						Addresses: []string{"40.0.0.0/24"},
						Ports:     []string{"443"},
						Protocols: []string{"UDP"},
						Policy: &policy.FlowPolicy{
							Action:    policy.Accept,
							ServiceID: "s4",
							PolicyID:  "2",
						},
					},
				}
				ipl := policy.ExtendedMap{}
				policyrules := policy.NewPUPolicy(
					"Context",
					"/ns1",
					policy.Police,
					appACLs,
					netACLs,
					nil,
					nil,
					nil,
					nil,
					nil,
					nil,
					ipl,
					0,
					0,
					nil,
					nil,
					[]string{},
					policy.EnforcerMapping,
					policy.Reject|policy.Log,
					policy.Reject|policy.Log,
				)
				puInfo := policy.NewPUInfo("Context",
					"/ns1", common.LinuxProcessPU)
				puInfo.Policy = policyrules
				puInfo.Runtime.SetOptions(policy.OptionsType{
					CgroupMark: "10",
				})

				udpPortSpec, err := portspec.NewPortSpecFromString("5000", nil)
				So(err, ShouldBeNil)
				tcpPortSpec, err := portspec.NewPortSpecFromString("9000", nil)
				So(err, ShouldBeNil)

				puInfo.Runtime.SetServices([]common.Service{
					{
						Ports:    udpPortSpec,
						Protocol: 17,
					},
					{
						Ports:    tcpPortSpec,
						Protocol: 6,
					},
				})

				var iprules policy.IPRuleList
				iprules = append(iprules, puInfo.Policy.ApplicationACLs()...)
				iprules = append(iprules, puInfo.Policy.NetworkACLs()...)
				i.iptv4.ipsetmanager.RegisterExternalNets("pu1", iprules) // nolint

				err = i.iptv4.ConfigureRules(0,
					"pu1", puInfo)
				So(err, ShouldBeNil)
				err = i.iptv4.ipsetmanager.AddPortToServerPortSet("pu1",
					"8080")
				So(err, ShouldBeNil)
				t := i.iptv4.impl.RetrieveTable()

				for chain, rules := range t["mangle"] {
					So(expectedMangleAfterPUInsertWithExtensionsAndLogV4, ShouldContainKey, chain)
					So(rules, ShouldResemble, expectedMangleAfterPUInsertWithExtensionsAndLogV4[chain])
				}

				for chain, rules := range t["nat"] {
					So(expectedNATAfterPUInsertV4, ShouldContainKey, chain)
					So(rules, ShouldResemble, expectedNATAfterPUInsertV4[chain])
				}

			})
		})
	})
}

func Test_OperationNomatchIpsetsV4(t *testing.T) {
	Convey("Given an iptables controller with a memory backend ", t, func() {
		cfg := &runtime.Configuration{
			TCPTargetNetworks: []string{"0.0.0.0/0",
				"!10.10.10.0/24",
				"!10.0.0.0/8",
				"10.10.0.0/16"},
			UDPTargetNetworks: []string{"10.0.0.0/8"},
			ExcludedNetworks:  []string{"127.0.0.1"},
		}

		commitFunc := func(buf *bytes.Buffer) error {
			return nil
		}

		iptv4 := provider.NewCustomBatchProvider(&baseIpt{}, commitFunc, []string{"nat",
			"mangle"})
		So(iptv4, ShouldNotBeNil)

		iptv6 := provider.NewCustomBatchProvider(&baseIpt{}, commitFunc, []string{"nat",
			"mangle"})
		So(iptv6, ShouldNotBeNil)

		ips := &memoryIPSetProvider{sets: map[string]*memoryIPSet{}}
		i, err := createTestInstance(ips, iptv4, iptv6, constants.LocalServer, policy.None)
		So(err, ShouldBeNil)
		So(i, ShouldNotBeNil)

		Convey("When I start the controller, I should get the right ipsets", func() {
			ctx, cancel := context.WithCancel(context.Background())
			defer cancel()
			err := i.Run(ctx)
			i.SetTargetNetworks(cfg) // nolint
			So(err, ShouldBeNil)

			So(ips.sets, ShouldContainKey,
				"TRI-v4-TargetTCP")
			So(ips.sets["TRI-v4-TargetTCP"].set, ShouldContainKey,
				"10.0.0.0/8")
			So(ips.sets["TRI-v4-TargetTCP"].set["10.0.0.0/8"], ShouldBeTrue)
			So(ips.sets["TRI-v4-TargetTCP"].set, ShouldContainKey,
				"10.10.0.0/16")
			So(ips.sets["TRI-v4-TargetTCP"].set["10.10.0.0/16"], ShouldBeFalse)
			So(ips.sets["TRI-v4-TargetTCP"].set, ShouldContainKey,
				"0.0.0.0/1")
			So(ips.sets["TRI-v4-TargetTCP"].set, ShouldContainKey,
				"128.0.0.0/1")

			// update target networks
			cfgNew := &runtime.Configuration{
				TCPTargetNetworks: []string{"0.0.0.0/0",
					"!10.10.0.0/16"},
				UDPTargetNetworks: []string{},
				ExcludedNetworks:  []string{"127.0.0.1"},
			}
			i.SetTargetNetworks(cfgNew) // nolint
			So(err, ShouldBeNil)

			So(ips.sets, ShouldContainKey,
				"TRI-v4-TargetTCP")
			So(ips.sets["TRI-v4-TargetTCP"].set, ShouldNotContainKey,
				"10.0.0.0/8")
			So(ips.sets["TRI-v4-TargetTCP"].set, ShouldContainKey,
				"10.10.0.0/16")
			So(ips.sets["TRI-v4-TargetTCP"].set["10.10.0.0/16"], ShouldBeTrue)
			So(ips.sets["TRI-v4-TargetTCP"].set, ShouldContainKey,
				"0.0.0.0/1")
			So(ips.sets["TRI-v4-TargetTCP"].set, ShouldContainKey,
				"128.0.0.0/1")

		})
	})
}

func Test_OperationNomatchIpsetsInExternalNetworksV4(t *testing.T) {
	Convey("Given an iptables controller with a memory backend ", t, func() {
		cfg := &runtime.Configuration{
			TCPTargetNetworks: []string{"0.0.0.0/0",
				"!10.10.10.0/24",
				"!10.0.0.0/8",
				"10.10.0.0/16"},
			UDPTargetNetworks: []string{"10.0.0.0/8"},
			ExcludedNetworks:  []string{"127.0.0.1"},
		}

		commitFunc := func(buf *bytes.Buffer) error {
			return nil
		}

		iptv4 := provider.NewCustomBatchProvider(&baseIpt{}, commitFunc, []string{"nat",
			"mangle"})
		So(iptv4, ShouldNotBeNil)

		iptv6 := provider.NewCustomBatchProvider(&baseIpt{}, commitFunc, []string{"nat",
			"mangle"})
		So(iptv6, ShouldNotBeNil)

		ips := &memoryIPSetProvider{sets: map[string]*memoryIPSet{}}
		i, err := createTestInstance(ips, iptv4, iptv6, constants.LocalServer, policy.None)
		So(err, ShouldBeNil)
		So(i, ShouldNotBeNil)

		Convey("When I start the controller, I should get the right ipsets", func() {
			ctx, cancel := context.WithCancel(context.Background())
			defer cancel()
			err := i.Run(ctx)
			i.SetTargetNetworks(cfg) // nolint
			So(err, ShouldBeNil)

			// Setup external networks
			appACLs := policy.IPRuleList{
				policy.IPRule{
					Addresses: []string{"10.0.0.0/8",
						"!10.0.0.0/16",
						"!10.0.2.0/24",
						"10.0.2.7"},
					Ports:     []string{"80"},
					Protocols: []string{constants.TCPProtoNum},
					Policy: &policy.FlowPolicy{
						Action:    policy.Accept | policy.Log,
						ServiceID: "a1",
						PolicyID:  "123a",
					},
				},
			}
			netACLs := policy.IPRuleList{
				policy.IPRule{
					Addresses: []string{"0.0.0.0/0",
						"!10.0.0.0/8",
						"10.0.0.0/16",
						"!10.0.2.8"},
					Ports:     []string{"80"},
					Protocols: []string{constants.TCPProtoNum},
					Policy: &policy.FlowPolicy{
						Action:    policy.Accept | policy.Log,
						ServiceID: "a2",
						PolicyID:  "123b",
					},
				},
			}

			policyRules := policy.NewPUPolicy("Context",
				"/ns1", policy.Police, appACLs, netACLs, nil, nil, nil, nil, nil, nil, nil, 20992, 0, nil, nil, []string{}, policy.EnforcerMapping, policy.Reject|policy.Log, policy.Reject|policy.Log)

			puInfo := policy.NewPUInfo("Context",
				"/ns1", common.HostPU)
			puInfo.Policy = policyRules
			puInfo.Runtime = policy.NewPURuntimeWithDefaults()
			puInfo.Runtime.SetPUType(common.HostPU)
			puInfo.Runtime.SetOptions(policy.OptionsType{
				CgroupMark: "10",
			})

			// configure rules
			var iprules policy.IPRuleList
			iprules = append(iprules, puInfo.Policy.ApplicationACLs()...)
			iprules = append(iprules, puInfo.Policy.NetworkACLs()...)
			err = i.iptv4.ipsetmanager.RegisterExternalNets("pu1", iprules)
			So(err, ShouldBeNil)

			err = i.ConfigureRules(0,
				"pu1", puInfo)
			So(err, ShouldBeNil)

			// Check ipsets
			setName := i.iptv4.ipsetmanager.GetACLIPsetsNames(appACLs[0:1])[0]
			So(ips.sets[setName].set, ShouldContainKey,
				"10.0.0.0/8")
			So(ips.sets[setName].set, ShouldContainKey,
				"10.0.0.0/16")
			So(ips.sets[setName].set, ShouldContainKey,
				"10.0.2.0/24")
			So(ips.sets[setName].set, ShouldContainKey,
				"10.0.2.7")
			So(ips.sets[setName].set["10.0.0.0/8"], ShouldBeFalse)
			So(ips.sets[setName].set["10.0.0.0/16"], ShouldBeTrue)
			So(ips.sets[setName].set["10.0.2.0/24"], ShouldBeTrue)
			So(ips.sets[setName].set["10.0.2.7"], ShouldBeFalse)

			setName = i.iptv4.ipsetmanager.GetACLIPsetsNames(netACLs[0:1])[0]
			So(ips.sets[setName].set, ShouldContainKey,
				"0.0.0.0/1")
			So(ips.sets[setName].set, ShouldContainKey,
				"128.0.0.0/1")
			So(ips.sets[setName].set, ShouldContainKey,
				"10.0.0.0/8")
			So(ips.sets[setName].set, ShouldContainKey,
				"10.0.0.0/16")
			So(ips.sets[setName].set, ShouldContainKey,
				"10.0.2.8")
			So(ips.sets[setName].set["0.0.0.0/1"], ShouldBeFalse)
			So(ips.sets[setName].set["128.0.0.0/1"], ShouldBeFalse)
			So(ips.sets[setName].set["10.0.0.0/8"], ShouldBeTrue)
			So(ips.sets[setName].set["10.0.0.0/16"], ShouldBeFalse)
			So(ips.sets[setName].set["10.0.2.8"], ShouldBeTrue)

			// Reconfigure external networks
			appACLs = policy.IPRuleList{
				policy.IPRule{
					Addresses: []string{"10.0.0.0/8",
						"!10.0.0.0/16",
						"10.0.2.0/24",
						"!10.0.2.7"},
					Ports:     []string{"80"},
					Protocols: []string{constants.TCPProtoNum},
					Policy: &policy.FlowPolicy{
						Action:    policy.Accept | policy.Log,
						ServiceID: "a1",
						PolicyID:  "123a",
					},
				},
			}
			netACLs = policy.IPRuleList{
				policy.IPRule{
					Addresses: []string{"0.0.0.0/0",
						"10.0.0.0/8",
						"!10.0.2.0/24"},
					Ports:     []string{"80"},
					Protocols: []string{constants.TCPProtoNum},
					Policy: &policy.FlowPolicy{
						Action:    policy.Accept | policy.Log,
						ServiceID: "a2",
						PolicyID:  "123b",
					},
				},
			}

			policyRules = policy.NewPUPolicy("Context",
				"/ns1", policy.Police, appACLs, netACLs, nil, nil, nil, nil, nil, nil, nil, 20992, 0, nil, nil, []string{}, policy.EnforcerMapping, policy.Reject|policy.Log, policy.Reject|policy.Log)

			puInfoUpdated := policy.NewPUInfo("Context",
				"/ns1", common.HostPU)
			puInfoUpdated.Policy = policyRules
			puInfoUpdated.Runtime = policy.NewPURuntimeWithDefaults()
			puInfoUpdated.Runtime.SetPUType(common.HostPU)
			puInfoUpdated.Runtime.SetOptions(policy.OptionsType{
				CgroupMark: "10",
			})

			// Reconfigure rules
			iprules = nil
			iprules = append(iprules, puInfoUpdated.Policy.ApplicationACLs()...)
			iprules = append(iprules, puInfoUpdated.Policy.NetworkACLs()...)
			err = i.iptv4.ipsetmanager.RegisterExternalNets("pu1", iprules)
			So(err, ShouldBeNil)

			err = i.UpdateRules(1,
				"pu1", puInfoUpdated, puInfo)
			So(err, ShouldBeNil)

			i.iptv4.ipsetmanager.DestroyUnusedIPsets()

			// Check ipsets again
			setName = i.iptv4.ipsetmanager.GetACLIPsetsNames(appACLs[0:1])[0]
			So(ips.sets[setName].set, ShouldContainKey,
				"10.0.0.0/8")
			So(ips.sets[setName].set, ShouldContainKey,
				"10.0.0.0/16")
			So(ips.sets[setName].set, ShouldContainKey,
				"10.0.2.0/24")
			So(ips.sets[setName].set, ShouldContainKey,
				"10.0.2.7")
			So(ips.sets[setName].set["10.0.0.0/8"], ShouldBeFalse)
			So(ips.sets[setName].set["10.0.0.0/16"], ShouldBeTrue)
			So(ips.sets[setName].set["10.0.2.0/24"], ShouldBeFalse)
			So(ips.sets[setName].set["10.0.2.7"], ShouldBeTrue)

			setName = i.iptv4.ipsetmanager.GetACLIPsetsNames(netACLs[0:1])[0]
			So(ips.sets[setName].set, ShouldContainKey,
				"0.0.0.0/1")
			So(ips.sets[setName].set, ShouldContainKey,
				"128.0.0.0/1")
			So(ips.sets[setName].set, ShouldContainKey,
				"10.0.0.0/8")
			So(ips.sets[setName].set, ShouldContainKey,
				"10.0.2.0/24")
			So(ips.sets[setName].set, ShouldNotContainKey,
				"10.0.2.8")
			So(ips.sets[setName].set["0.0.0.0/1"], ShouldBeFalse)
			So(ips.sets[setName].set["128.0.0.0/1"], ShouldBeFalse)
			So(ips.sets[setName].set["10.0.0.0/8"], ShouldBeFalse)
			So(ips.sets[setName].set["10.0.2.0/24"], ShouldBeTrue)

			// Configure and check acl cache
			aclCache := tacls.NewACLCache()
			err = aclCache.AddRuleList(puInfoUpdated.Policy.ApplicationACLs())
			So(err, ShouldBeNil)

			defaultFlowPolicy := &policy.FlowPolicy{Action: policy.Reject | policy.Log, PolicyID: "default", ServiceID: "default"}

			report, _, err := aclCache.GetMatchingAction(net.ParseIP("10.0.2.7"), 80, packet.IPProtocolTCP, defaultFlowPolicy)
			So(err, ShouldNotBeNil)
			So(report.Action, ShouldEqual, policy.Reject|policy.Log)

			report, _, err = aclCache.GetMatchingAction(net.ParseIP("10.0.2.8"), 80, packet.IPProtocolTCP, defaultFlowPolicy)
			So(err, ShouldBeNil)
			So(report.Action, ShouldEqual, policy.Accept|policy.Log)

			report, _, err = aclCache.GetMatchingAction(net.ParseIP("10.0.3.1"), 80, packet.IPProtocolTCP, defaultFlowPolicy)
			So(err, ShouldNotBeNil)
			So(report.Action, ShouldEqual, policy.Reject|policy.Log)

			report, _, err = aclCache.GetMatchingAction(net.ParseIP("10.1.3.1"), 80, packet.IPProtocolTCP, defaultFlowPolicy)
			So(err, ShouldBeNil)
			So(report.Action, ShouldEqual, policy.Accept|policy.Log)

			report, _, err = aclCache.GetMatchingAction(net.ParseIP("11.1.3.1"), 80, packet.IPProtocolTCP, defaultFlowPolicy)
			So(err, ShouldNotBeNil)
			So(report.Action, ShouldEqual, policy.Reject|policy.Log)

		})
	})
}

var (
	expectedContainerGlobalMangleChainsV4Istio = map[string][]string{
		"TRI-Nfq-IN": {"-j HMARK --hmark-tuple dport,sport --hmark-mod 4 --hmark-offset 67 --hmark-rnd 0xdeadbeef",
			"-m mark --mark 67 -j NFQUEUE --queue-num 0 --queue-bypass",
			"-m mark --mark 68 -j NFQUEUE --queue-num 1 --queue-bypass",
			"-m mark --mark 69 -j NFQUEUE --queue-num 2 --queue-bypass",
			"-m mark --mark 70 -j NFQUEUE --queue-num 3 --queue-bypass"},
		"TRI-Nfq-OUT": {"-j HMARK --hmark-tuple sport,dport --hmark-mod 4 --hmark-offset 0 --hmark-rnd 0xdeadbeef",
			"-m mark --mark 0 -j NFQUEUE --queue-num 0 --queue-bypass",
			"-m mark --mark 1 -j NFQUEUE --queue-num 1 --queue-bypass",
			"-m mark --mark 2 -j NFQUEUE --queue-num 2 --queue-bypass",
			"-m mark --mark 3 -j NFQUEUE --queue-num 3 --queue-bypass"},
		"INPUT": {
			"-m set ! --match-set TRI-v4-Excluded src -j TRI-Net",
		},
		"OUTPUT": {
			"-j TRI-Istio",
			"-m set ! --match-set TRI-v4-Excluded dst -j TRI-App",
		},
		"TRI-Istio": {},
		"TRI-App": {
			"-m mark --mark 66 -j CONNMARK --set-mark 61167", "-p tcp -m mark --mark 66 -j ACCEPT", "-p udp --dport 53 -m mark --mark 0x40 -m cgroup --cgroup 1536 -j CONNMARK --set-mark 61167", "-p udp --dport 53 -m mark --mark 0x40 -j CONNMARK --set-mark 61167", "-j TRI-Prx-App", "-m connmark --mark 61167 -j ACCEPT", "-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP",
			"-m connmark --mark 61166 -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT",
			"-m connmark --mark 61166 -p udp -j ACCEPT", "-m mark --mark 1073741922 -j ACCEPT", "-p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-OUT"},
		"TRI-Net": {
			"-j TRI-Prx-Net", "-p tcp -m mark --mark 66 -j CONNMARK --set-mark 61167",
			"-p tcp -m mark --mark 66 -j ACCEPT", "-m connmark --mark 61167 -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT",
			"-m set --match-set TRI-v4-TargetTCP src -p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-IN", "-p udp -m string --string n30njxq7bmiwr6dtxq --algo bm --to 65535 -j TRI-Nfq-IN",
			"-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP", "-m connmark --mark 61166 -p udp -j ACCEPT", "-p tcp --dport 15001 -m addrtype --dst-type LOCAL -m addrtype --src-type LOCAL -j ACCEPT",
		},

		"TRI-Prx-App": {
			"-m mark --mark 0x40 -j ACCEPT",
		},
		"TRI-Prx-Net": {
			"-m mark --mark 0x40 -j ACCEPT",
		},
	}

	expectedContainerGlobalMangleChainsV4 = map[string][]string{
		"TRI-Nfq-IN": {"-j HMARK --hmark-tuple dport,sport --hmark-mod 4 --hmark-offset 67 --hmark-rnd 0xdeadbeef",
			"-m mark --mark 67 -j NFQUEUE --queue-num 0 --queue-bypass",
			"-m mark --mark 68 -j NFQUEUE --queue-num 1 --queue-bypass",
			"-m mark --mark 69 -j NFQUEUE --queue-num 2 --queue-bypass",
			"-m mark --mark 70 -j NFQUEUE --queue-num 3 --queue-bypass"},
		"TRI-Nfq-OUT": {"-j HMARK --hmark-tuple sport,dport --hmark-mod 4 --hmark-offset 0 --hmark-rnd 0xdeadbeef",
			"-m mark --mark 0 -j NFQUEUE --queue-num 0 --queue-bypass",
			"-m mark --mark 1 -j NFQUEUE --queue-num 1 --queue-bypass",
			"-m mark --mark 2 -j NFQUEUE --queue-num 2 --queue-bypass",
			"-m mark --mark 3 -j NFQUEUE --queue-num 3 --queue-bypass"},
		"INPUT": {
			"-m set ! --match-set TRI-v4-Excluded src -j TRI-Net",
		},
		"OUTPUT": {
			"-m set ! --match-set TRI-v4-Excluded dst -j TRI-App",
		},
		"TRI-App": {
			"-m mark --mark 66 -j CONNMARK --set-mark 61167", "-p tcp -m mark --mark 66 -j ACCEPT", "-p udp --dport 53 -m mark --mark 0x40 -m cgroup --cgroup 1536 -j CONNMARK --set-mark 61167", "-p udp --dport 53 -m mark --mark 0x40 -j CONNMARK --set-mark 61167", "-j TRI-Prx-App", "-m connmark --mark 61167 -j ACCEPT", "-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP", "-m connmark --mark 61166 -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT",
			"-m connmark --mark 61166 -p udp -j ACCEPT", "-m mark --mark 1073741922 -j ACCEPT",
			"-p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-OUT"},
		"TRI-Net": {
			"-j TRI-Prx-Net", "-p tcp -m mark --mark 66 -j CONNMARK --set-mark 61167", "-p tcp -m mark --mark 66 -j ACCEPT",
			"-m connmark --mark 61167 -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT", "-m set --match-set TRI-v4-TargetTCP src -p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-IN",
			"-p udp -m string --string n30njxq7bmiwr6dtxq --algo bm --to 65535 -j TRI-Nfq-IN", "-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP", "-m connmark --mark 61166 -p udp -j ACCEPT"},
		"TRI-Prx-App": {
			"-m mark --mark 0x40 -j ACCEPT",
		},
		"TRI-Prx-Net": {
			"-m mark --mark 0x40 -j ACCEPT",
		},
	}

	expectedContainerGlobalNATChainsV4 = map[string][]string{
		"PREROUTING": {
			"-p tcp -m addrtype --dst-type LOCAL -m set ! --match-set TRI-v4-Excluded src -j TRI-Redir-Net",
		},
		"OUTPUT": {
			"-m set ! --match-set TRI-v4-Excluded dst -j TRI-Redir-App",
		},
		"TRI-Redir-App": {
			"-m mark --mark 0x40 -j RETURN",
		},
		"TRI-Redir-Net": {
			"-m mark --mark 0x40 -j ACCEPT",
		},
	}

	expectedContainerGlobalNATChainsV4Istio = map[string][]string{
		"PREROUTING": {
			"-p tcp -m addrtype --dst-type LOCAL -m set ! --match-set TRI-v4-Excluded src -j TRI-Redir-Net",
		},
		"OUTPUT": {
			"-m set ! --match-set TRI-v4-Excluded dst -j TRI-Redir-App",
			"-p tcp -m mark --mark 68 -j ACCEPT",
		},
		"TRI-Redir-App": {
			"-m mark --mark 0x40 -j RETURN",
		},
		"TRI-Redir-Net": {
			"-m mark --mark 0x40 -j ACCEPT",
		},
	}

	expectedContainerMangleAfterPUInsertV4 = map[string][]string{
		"TRI-Nfq-IN": {"-j HMARK --hmark-tuple dport,sport --hmark-mod 4 --hmark-offset 67 --hmark-rnd 0xdeadbeef",
			"-m mark --mark 67 -j NFQUEUE --queue-num 0 --queue-bypass",
			"-m mark --mark 68 -j NFQUEUE --queue-num 1 --queue-bypass",
			"-m mark --mark 69 -j NFQUEUE --queue-num 2 --queue-bypass",
			"-m mark --mark 70 -j NFQUEUE --queue-num 3 --queue-bypass"},
		"TRI-Nfq-OUT": {"-j HMARK --hmark-tuple sport,dport --hmark-mod 4 --hmark-offset 0 --hmark-rnd 0xdeadbeef",
			"-m mark --mark 0 -j NFQUEUE --queue-num 0 --queue-bypass",
			"-m mark --mark 1 -j NFQUEUE --queue-num 1 --queue-bypass",
			"-m mark --mark 2 -j NFQUEUE --queue-num 2 --queue-bypass",
			"-m mark --mark 3 -j NFQUEUE --queue-num 3 --queue-bypass"},
		"INPUT": {
			"-m set ! --match-set TRI-v4-Excluded src -j TRI-Net",
		},
		"OUTPUT": {
			"-m set ! --match-set TRI-v4-Excluded dst -j TRI-App",
		},
		"TRI-App": {
			"-m mark --mark 66 -j CONNMARK --set-mark 61167", "-p tcp -m mark --mark 66 -j ACCEPT", "-p udp --dport 53 -m mark --mark 0x40 -m cgroup --cgroup 1536 -j CONNMARK --set-mark 61167", "-p udp --dport 53 -m mark --mark 0x40 -j CONNMARK --set-mark 61167", "-j TRI-Prx-App", "-m connmark --mark 61167 -j ACCEPT", "-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP",
			"-m connmark --mark 61166 -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT", "-m connmark --mark 61166 -p udp -j ACCEPT", "-m mark --mark 1073741922 -j ACCEPT",
			"-p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-OUT", "-m comment --comment Container-specific-chain -j TRI-App-pu1N7uS6--0"},
		"TRI-Net": {
			"-j TRI-Prx-Net", "-p tcp -m mark --mark 66 -j CONNMARK --set-mark 61167", "-p tcp -m mark --mark 66 -j ACCEPT", "-m connmark --mark 61167 -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT", "-m set --match-set TRI-v4-TargetTCP src -p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-IN",
			"-p udp -m string --string n30njxq7bmiwr6dtxq --algo bm --to 65535 -j TRI-Nfq-IN", "-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP",
			"-m connmark --mark 61166 -p udp -j ACCEPT", "-m comment --comment Container-specific-chain -j TRI-Net-pu1N7uS6--0"},
		"TRI-Prx-App": {
			"-m mark --mark 0x40 -j ACCEPT",
			"-p tcp -m tcp --sport 0 -j ACCEPT",
			"-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-srv src -j ACCEPT",
			"-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-dst dst,dst -m mark ! --mark 0x40 -j ACCEPT",
			"-p udp -m udp --sport 0 -j ACCEPT",
		},
		"TRI-Prx-Net": {
			"-m mark --mark 0x40 -j ACCEPT",
			"-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-dst src,src -j ACCEPT",
			"-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-srv src -m addrtype --src-type LOCAL -j ACCEPT",
			"-p tcp -m tcp --dport 0 -j ACCEPT",
			"-p udp -m udp --dport 0 -j ACCEPT",
		},
		"TRI-Net-pu1N7uS6--0": {
			"-p tcp -m tcp --tcp-option 34 -m tcp --tcp-flags FIN,RST,URG,PSH NONE -j TRI-Nfq-IN",
			"-p UDP -m set --match-set TRI-v4-ext-6zlJIvP3B68= src -m state --state ESTABLISHED -m connmark --mark 61167 -j ACCEPT",
			"-p TCP -m set --match-set TRI-v4-ext-w5frVvhsnpU= src -m state --state NEW --match multiport --dports 80 -j DROP",
			"-p UDP -m set --match-set TRI-v4-ext-IuSLsD1R-mE= src -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 --match multiport --dports 443 -j CONNMARK --set-mark 61167",
			"-p UDP -m set --match-set TRI-v4-ext-IuSLsD1R-mE= src -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 --match multiport --dports 443 -j ACCEPT",
			"-p tcp -m set --match-set TRI-v4-TargetTCP src -m tcp --tcp-flags SYN NONE -j TRI-Nfq-IN",
			"-p udp -m set --match-set TRI-v4-TargetUDP src --match limit --limit 1000/s -j TRI-Nfq-IN",
			"-p tcp -m state --state ESTABLISHED -m comment --comment TCP-Established-Connections -j ACCEPT",
			"-s 0.0.0.0/0 -m state --state NEW -j NFLOG --nflog-group 11 --nflog-prefix 913787369:default:default:6",
			"-s 0.0.0.0/0 -m state ! --state NEW -j NFLOG --nflog-group 11 --nflog-prefix 913787369:default:default:10",
			"-s 0.0.0.0/0 -j DROP",
		},
		"TRI-App-pu1N7uS6--0": {
			"-p TCP -m set --match-set TRI-v4-ext-uNdc0vdcFZA= dst -m state --state NEW --match multiport --dports 80 -j DROP", "-p UDP -m set --match-set TRI-v4-ext-6zlJIvP3B68= dst -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 -m set ! --match-set TRI-v4-TargetUDP dst --match multiport --dports 443 -j CONNMARK --set-mark 61167", "-p UDP -m set --match-set TRI-v4-ext-6zlJIvP3B68= dst -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 -m set ! --match-set TRI-v4-TargetUDP dst --match multiport --dports 443 -j ACCEPT", "-p UDP -m set --match-set TRI-v4-ext-IuSLsD1R-mE= dst -m state --state ESTABLISHED -m connmark --mark 61167 -j ACCEPT", "-m set --match-set TRI-v4-TargetTCP dst -p tcp -m tcp --tcp-flags FIN FIN -j ACCEPT", "-m set --match-set TRI-v4-TargetTCP dst -p tcp -j TRI-Nfq-OUT", "-p udp -m set --match-set TRI-v4-TargetUDP dst -j TRI-Nfq-OUT", "-p tcp -m state --state ESTABLISHED -m comment --comment TCP-Established-Connections -j ACCEPT",
			"-p udp -m state --state ESTABLISHED -m comment --comment UDP-Established-Connections -j ACCEPT", "-d 0.0.0.0/0 -m state --state NEW -j NFLOG --nflog-group 10 --nflog-prefix 913787369:default:default:6",
			"-d 0.0.0.0/0 -m state ! --state NEW -j NFLOG --nflog-group 10 --nflog-prefix 913787369:default:default:10", "-d 0.0.0.0/0 -j DROP"},
	}

	expectedContainerMangleAfterPUInsertV4Istio = map[string][]string{
		"TRI-Nfq-IN": {"-j HMARK --hmark-tuple dport,sport --hmark-mod 4 --hmark-offset 67 --hmark-rnd 0xdeadbeef",
			"-m mark --mark 67 -j NFQUEUE --queue-num 0 --queue-bypass",
			"-m mark --mark 68 -j NFQUEUE --queue-num 1 --queue-bypass",
			"-m mark --mark 69 -j NFQUEUE --queue-num 2 --queue-bypass",
			"-m mark --mark 70 -j NFQUEUE --queue-num 3 --queue-bypass"},
		"TRI-Nfq-OUT": {"-j HMARK --hmark-tuple sport,dport --hmark-mod 4 --hmark-offset 0 --hmark-rnd 0xdeadbeef",
			"-m mark --mark 0 -j NFQUEUE --queue-num 0 --queue-bypass",
			"-m mark --mark 1 -j NFQUEUE --queue-num 1 --queue-bypass",
			"-m mark --mark 2 -j NFQUEUE --queue-num 2 --queue-bypass",
			"-m mark --mark 3 -j NFQUEUE --queue-num 3 --queue-bypass"},
		"INPUT": {
			"-m set ! --match-set TRI-v4-Excluded src -j TRI-Net",
		},
		"OUTPUT": {
			"-j TRI-Istio",
			"-m set ! --match-set TRI-v4-Excluded dst -j TRI-App",
		},
		"TRI-Istio": {
			"-p tcp -m owner ! --uid-owner 1337 -j ACCEPT",
			"-p tcp -m owner --uid-owner 1337 -m addrtype --dst-type LOCAL -m addrtype --src-type LOCAL -j CONNMARK --set-mark 61167",
			"-p tcp -m owner --uid-owner 1337 -m addrtype --dst-type LOCAL -j ACCEPT",
		},
		"TRI-App": {
			"-m mark --mark 66 -j CONNMARK --set-mark 61167", "-p tcp -m mark --mark 66 -j ACCEPT", "-p udp --dport 53 -m mark --mark 0x40 -m cgroup --cgroup 1536 -j CONNMARK --set-mark 61167", "-p udp --dport 53 -m mark --mark 0x40 -j CONNMARK --set-mark 61167", "-j TRI-Prx-App", "-m connmark --mark 61167 -j ACCEPT", "-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP",
			"-m connmark --mark 61166 -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT", "-m connmark --mark 61166 -p udp -j ACCEPT", "-m mark --mark 1073741922 -j ACCEPT",
			"-p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-OUT", "-m comment --comment Container-specific-chain -j TRI-App-pu1N7uS6--0"},
		"TRI-Net": {
			"-j TRI-Prx-Net", "-p tcp -m mark --mark 66 -j CONNMARK --set-mark 61167", "-p tcp -m mark --mark 66 -j ACCEPT", "-m connmark --mark 61167 -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT", "-m set --match-set TRI-v4-TargetTCP src -p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-IN",
			"-p udp -m string --string n30njxq7bmiwr6dtxq --algo bm --to 65535 -j TRI-Nfq-IN", "-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP",
			"-m connmark --mark 61166 -p udp -j ACCEPT", "-p tcp --dport 15001 -m addrtype --dst-type LOCAL -m addrtype --src-type LOCAL -j ACCEPT", "-m comment --comment Container-specific-chain -j TRI-Net-pu1N7uS6--0"},
		"TRI-Prx-App": {
			"-m mark --mark 0x40 -j ACCEPT",
			"-p udp -m udp --sport 0 -j ACCEPT",
		},
		"TRI-Prx-Net": {
			"-m mark --mark 0x40 -j ACCEPT",
			"-p udp -m udp --dport 0 -j ACCEPT",
		},
		"TRI-Net-pu1N7uS6--0": {
			"-p tcp -m tcp --tcp-option 34 -m tcp --tcp-flags FIN,RST,URG,PSH NONE -j TRI-Nfq-IN",
			"-p UDP -m set --match-set TRI-v4-ext-6zlJIvP3B68= src -m state --state ESTABLISHED -m connmark --mark 61167 -j ACCEPT",
			"-p TCP -m set --match-set TRI-v4-ext-w5frVvhsnpU= src -m state --state NEW --match multiport --dports 80 -j DROP",
			"-p UDP -m set --match-set TRI-v4-ext-IuSLsD1R-mE= src -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 --match multiport --dports 443 -j CONNMARK --set-mark 61167",
			"-p UDP -m set --match-set TRI-v4-ext-IuSLsD1R-mE= src -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 --match multiport --dports 443 -j ACCEPT",
			"-p tcp -m set --match-set TRI-v4-TargetTCP src -m tcp --tcp-flags SYN NONE -j TRI-Nfq-IN",
			"-p udp -m set --match-set TRI-v4-TargetUDP src --match limit --limit 1000/s -j TRI-Nfq-IN",
			"-p tcp -m state --state ESTABLISHED -m comment --comment TCP-Established-Connections -j ACCEPT",
			"-s 0.0.0.0/0 -m state --state NEW -j NFLOG --nflog-group 11 --nflog-prefix 913787369:default:default:6",
			"-s 0.0.0.0/0 -m state ! --state NEW -j NFLOG --nflog-group 11 --nflog-prefix 913787369:default:default:10",
			"-s 0.0.0.0/0 -j DROP",
		},
		"TRI-App-pu1N7uS6--0": {
			"-p TCP -m set --match-set TRI-v4-ext-uNdc0vdcFZA= dst -m state --state NEW --match multiport --dports 80 -j DROP", "-p UDP -m set --match-set TRI-v4-ext-6zlJIvP3B68= dst -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 -m set ! --match-set TRI-v4-TargetUDP dst --match multiport --dports 443 -j CONNMARK --set-mark 61167", "-p UDP -m set --match-set TRI-v4-ext-6zlJIvP3B68= dst -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 -m set ! --match-set TRI-v4-TargetUDP dst --match multiport --dports 443 -j ACCEPT", "-p UDP -m set --match-set TRI-v4-ext-IuSLsD1R-mE= dst -m state --state ESTABLISHED -m connmark --mark 61167 -j ACCEPT", "-m set --match-set TRI-v4-TargetTCP dst -p tcp -m tcp --tcp-flags FIN FIN -j ACCEPT", "-m set --match-set TRI-v4-TargetTCP dst -p tcp -j TRI-Nfq-OUT", "-p udp -m set --match-set TRI-v4-TargetUDP dst -j TRI-Nfq-OUT", "-p tcp -m state --state ESTABLISHED -m comment --comment TCP-Established-Connections -j ACCEPT",
			"-p udp -m state --state ESTABLISHED -m comment --comment UDP-Established-Connections -j ACCEPT", "-d 0.0.0.0/0 -m state --state NEW -j NFLOG --nflog-group 10 --nflog-prefix 913787369:default:default:6",
			"-d 0.0.0.0/0 -m state ! --state NEW -j NFLOG --nflog-group 10 --nflog-prefix 913787369:default:default:10", "-d 0.0.0.0/0 -j DROP"},
	}
	expectedContainerNATAfterPUInsertV4 = map[string][]string{
		"PREROUTING": {
			"-p tcp -m addrtype --dst-type LOCAL -m set ! --match-set TRI-v4-Excluded src -j TRI-Redir-Net",
		},
		"OUTPUT": {
			"-m set ! --match-set TRI-v4-Excluded dst -j TRI-Redir-App",
		},
		"TRI-Redir-App": {
			"-m mark --mark 0x40 -j RETURN",
			"-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-dst dst,dst -m mark ! --mark 0x40 -m cgroup --cgroup 10 -j REDIRECT --to-ports 0",
			"-d 0.0.0.0/0 -p udp --dport 53 -m mark ! --mark 0x40 -m cgroup --cgroup 10 -j CONNMARK --save-mark",
			"-d 0.0.0.0/0 -p udp --dport 53 -m mark ! --mark 0x40 -m cgroup --cgroup 10 -j REDIRECT --to-ports 0",
		},
		"TRI-Redir-Net": {
			"-m mark --mark 0x40 -j ACCEPT",
			"-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-srv dst -m mark ! --mark 0x40 -j REDIRECT --to-ports 0",
		},
	}
	expectedContainerNATAfterPUInsertV4Istio = map[string][]string{
		"PREROUTING": {
			"-p tcp -m addrtype --dst-type LOCAL -m set ! --match-set TRI-v4-Excluded src -j TRI-Redir-Net",
		},
		"OUTPUT": {
			"-m set ! --match-set TRI-v4-Excluded dst -j TRI-Redir-App",
			"-p tcp -m mark --mark 68 -j ACCEPT",
		},
		"TRI-Redir-App": {
			"-m mark --mark 0x40 -j RETURN",
			"-d 0.0.0.0/0 -p udp --dport 53 -m mark ! --mark 0x40 -m cgroup --cgroup 10 -j CONNMARK --save-mark",
			"-d 0.0.0.0/0 -p udp --dport 53 -m mark ! --mark 0x40 -m cgroup --cgroup 10 -j REDIRECT --to-ports 0",
		},
		"TRI-Redir-Net": {
			"-m mark --mark 0x40 -j ACCEPT",
		},
	}
)

func Test_OperationWithContainersV4(t *testing.T) {
	Convey("Given an iptables controller with a memory backend for containers ", t, func() {
		cfg := &runtime.Configuration{
			TCPTargetNetworks: []string{"0.0.0.0/0"},
			UDPTargetNetworks: []string{"10.0.0.0/8"},
			ExcludedNetworks:  []string{"127.0.0.1"},
		}

		commitFunc := func(buf *bytes.Buffer) error {
			return nil
		}

		iptv4 := provider.NewCustomBatchProvider(&baseIpt{}, commitFunc, []string{"nat",
			"mangle"})
		So(iptv4, ShouldNotBeNil)

		iptv6 := provider.NewCustomBatchProvider(&baseIpt{}, commitFunc, []string{"nat",
			"mangle"})
		So(iptv6, ShouldNotBeNil)

		ips := &memoryIPSetProvider{sets: map[string]*memoryIPSet{}}
		i, err := createTestInstance(ips, iptv4, iptv6, constants.RemoteContainer, policy.None)
		So(err, ShouldBeNil)
		So(i, ShouldNotBeNil)

		Convey("When I start the controller, I should get the right global chains and sets", func() {
			ctx, cancel := context.WithCancel(context.Background())
			defer cancel()
			err := i.Run(ctx)
			i.SetTargetNetworks(cfg) // nolint
			So(err, ShouldBeNil)

			t := i.iptv4.impl.RetrieveTable()
			So(t, ShouldNotBeNil)
			So(len(t), ShouldEqual, 2)
			So(t["mangle"], ShouldNotBeNil)
			So(t["nat"], ShouldNotBeNil)

			for chain, rules := range t["mangle"] {
				So(expectedContainerGlobalMangleChainsV4, ShouldContainKey, chain)
				So(rules, ShouldResemble, expectedContainerGlobalMangleChainsV4[chain])
			}

			for chain, rules := range t["nat"] {
				So(expectedContainerGlobalNATChainsV4, ShouldContainKey, chain)
				So(rules, ShouldResemble, expectedContainerGlobalNATChainsV4[chain])
			}

			Convey("When I configure a new set of rules, the ACLs must be correct", func() {
				appACLs := policy.IPRuleList{
					policy.IPRule{
						Addresses: []string{"30.0.0.0/24"},
						Ports:     []string{"80"},
						Protocols: []string{"TCP"},
						Policy: &policy.FlowPolicy{
							Action:    policy.Reject,
							ServiceID: "s1",
							PolicyID:  "1",
						},
					},
					policy.IPRule{
						Addresses: []string{"30.0.0.0/24"},
						Ports:     []string{"443"},
						Protocols: []string{"UDP"},
						Policy: &policy.FlowPolicy{
							Action:    policy.Accept,
							ServiceID: "s2",
							PolicyID:  "2",
						},
					},
				}
				netACLs := policy.IPRuleList{
					policy.IPRule{
						Addresses: []string{"40.0.0.0/24"},
						Ports:     []string{"80"},
						Protocols: []string{"TCP"},
						Policy: &policy.FlowPolicy{
							Action:    policy.Reject,
							ServiceID: "s3",
							PolicyID:  "1",
						},
					},
					policy.IPRule{
						Addresses: []string{"40.0.0.0/24"},
						Ports:     []string{"443"},
						Protocols: []string{"UDP"},
						Policy: &policy.FlowPolicy{
							Action:    policy.Accept,
							ServiceID: "s4",
							PolicyID:  "2",
						},
					},
				}
				ipl := policy.ExtendedMap{}
				policyrules := policy.NewPUPolicy(
					"Context",
					"/ns1",
					policy.Police,
					appACLs,
					netACLs,
					nil,
					nil,
					nil,
					nil,
					nil,
					nil,
					ipl,
					0,
					0,
					nil,
					nil,
					[]string{},
					policy.EnforcerMapping,
					policy.Reject|policy.Log,
					policy.Reject|policy.Log,
				)
				puInfo := policy.NewPUInfo("Context",
					"/ns1", common.ContainerPU)
				puInfo.Policy = policyrules
				puInfo.Runtime.SetOptions(policy.OptionsType{
					CgroupMark: "10",
				})

				var iprules policy.IPRuleList
				iprules = append(iprules, puInfo.Policy.ApplicationACLs()...)
				iprules = append(iprules, puInfo.Policy.NetworkACLs()...)
				i.iptv4.ipsetmanager.RegisterExternalNets("pu1", iprules) // nolint

				err := i.iptv4.ConfigureRules(0,
					"pu1", puInfo)
				So(err, ShouldBeNil)
				t := i.iptv4.impl.RetrieveTable()

				for chain, rules := range t["mangle"] {
					So(expectedContainerMangleAfterPUInsertV4, ShouldContainKey, chain)
					So(rules, ShouldResemble, expectedContainerMangleAfterPUInsertV4[chain])
				}

				for chain, rules := range t["nat"] {
					So(expectedContainerNATAfterPUInsertV4, ShouldContainKey, chain)
					So(rules, ShouldResemble, expectedContainerNATAfterPUInsertV4[chain])
				}

				Convey("When I delete the same rule, the chains must be restored in the global state", func() {
					err := i.iptv4.DeleteRules(0,
						"pu1",
						"0",
						"0",
						"10",
						"", puInfo)
					So(err, ShouldBeNil)

					t := i.iptv4.impl.RetrieveTable()
					if err != nil {
						printTable(t)
					}

					So(t["mangle"], ShouldNotBeNil)
					So(t["nat"], ShouldNotBeNil)

					for chain, rules := range t["mangle"] {
						So(expectedContainerGlobalMangleChainsV4, ShouldContainKey, chain)
						So(rules, ShouldResemble, expectedContainerGlobalMangleChainsV4[chain])
					}

					for chain, rules := range t["nat"] {
						So(expectedContainerGlobalNATChainsV4, ShouldContainKey, chain)
						So(rules, ShouldResemble, expectedContainerGlobalNATChainsV4[chain])
					}
				})

			})
		})
	})
}

func Test_OperationWithContainersV4Istio(t *testing.T) {
	Convey("Given an iptables controller with a memory backend for containers ", t, func() {
		cfg := &runtime.Configuration{
			TCPTargetNetworks: []string{"0.0.0.0/0"},
			UDPTargetNetworks: []string{"10.0.0.0/8"},
			ExcludedNetworks:  []string{"127.0.0.1"},
		}

		commitFunc := func(buf *bytes.Buffer) error {
			return nil
		}

		iptv4 := provider.NewCustomBatchProvider(&baseIpt{}, commitFunc, []string{"nat",
			"mangle"})
		So(iptv4, ShouldNotBeNil)

		iptv6 := provider.NewCustomBatchProvider(&baseIpt{}, commitFunc, []string{"nat",
			"mangle"})
		So(iptv6, ShouldNotBeNil)

		ips := &memoryIPSetProvider{sets: map[string]*memoryIPSet{}}
		i, err := createTestInstance(ips, iptv4, iptv6, constants.RemoteContainer, policy.Istio)
		So(err, ShouldBeNil)
		So(i, ShouldNotBeNil)

		Convey("When I start the controller, I should get the right global chains and sets of Istio", func() {
			ctx, cancel := context.WithCancel(context.Background())
			defer cancel()
			err := i.Run(ctx)
			i.SetTargetNetworks(cfg) // nolint
			So(err, ShouldBeNil)

			t := i.iptv4.impl.RetrieveTable()
			So(t, ShouldNotBeNil)
			So(len(t), ShouldEqual, 2)
			So(t["mangle"], ShouldNotBeNil)
			So(t["nat"], ShouldNotBeNil)

			for chain, rules := range t["mangle"] {
				So(expectedContainerGlobalMangleChainsV4Istio, ShouldContainKey, chain)
				So(rules, ShouldResemble, expectedContainerGlobalMangleChainsV4Istio[chain])
			}

			for chain, rules := range t["nat"] {
				So(expectedContainerGlobalNATChainsV4Istio, ShouldContainKey, chain)
				So(rules, ShouldResemble, expectedContainerGlobalNATChainsV4Istio[chain])
			}

			Convey("When I configure a new set of rules, the ACLs must be correct", func() {
				appACLs := policy.IPRuleList{
					policy.IPRule{
						Addresses: []string{"30.0.0.0/24"},
						Ports:     []string{"80"},
						Protocols: []string{"TCP"},
						Policy: &policy.FlowPolicy{
							Action:    policy.Reject,
							ServiceID: "s1",
							PolicyID:  "1",
						},
					},
					policy.IPRule{
						Addresses: []string{"30.0.0.0/24"},
						Ports:     []string{"443"},
						Protocols: []string{"UDP"},
						Policy: &policy.FlowPolicy{
							Action:    policy.Accept,
							ServiceID: "s2",
							PolicyID:  "2",
						},
					},
				}
				netACLs := policy.IPRuleList{
					policy.IPRule{
						Addresses: []string{"40.0.0.0/24"},
						Ports:     []string{"80"},
						Protocols: []string{"TCP"},
						Policy: &policy.FlowPolicy{
							Action:    policy.Reject,
							ServiceID: "s3",
							PolicyID:  "1",
						},
					},
					policy.IPRule{
						Addresses: []string{"40.0.0.0/24"},
						Ports:     []string{"443"},
						Protocols: []string{"UDP"},
						Policy: &policy.FlowPolicy{
							Action:    policy.Accept,
							ServiceID: "s4",
							PolicyID:  "2",
						},
					},
				}
				ipl := policy.ExtendedMap{}
				policyrules := policy.NewPUPolicy(
					"Context",
					"/ns1",
					policy.Police,
					appACLs,
					netACLs,
					nil,
					nil,
					nil,
					nil,
					nil,
					nil,
					ipl,
					0,
					0,
					nil,
					nil,
					[]string{},
					policy.EnforcerMapping,
					policy.Reject|policy.Log,
					policy.Reject|policy.Log,
				)
				puInfo := policy.NewPUInfo("Context",
					"/ns1", common.ContainerPU)
				puInfo.Policy = policyrules
				puInfo.Runtime.SetOptions(policy.OptionsType{
					CgroupMark: "10",
				})

				var iprules policy.IPRuleList
				iprules = append(iprules, puInfo.Policy.ApplicationACLs()...)
				iprules = append(iprules, puInfo.Policy.NetworkACLs()...)
				i.iptv4.ipsetmanager.RegisterExternalNets("pu1", iprules) // nolint

				err := i.iptv4.ConfigureRules(0,
					"pu1", puInfo)
				So(err, ShouldBeNil)
				t := i.iptv4.impl.RetrieveTable()

				for chain, rules := range t["mangle"] {
					So(expectedContainerMangleAfterPUInsertV4Istio, ShouldContainKey, chain)
					So(rules, ShouldResemble, expectedContainerMangleAfterPUInsertV4Istio[chain])
				}

				for chain, rules := range t["nat"] {
					So(expectedContainerNATAfterPUInsertV4Istio, ShouldContainKey, chain)
					So(rules, ShouldResemble, expectedContainerNATAfterPUInsertV4Istio[chain])
				}

				Convey("When I delete the same rule, the chains must be restored in the global state of Istio", func() {
					err := i.iptv4.DeleteRules(0,
						"pu1",
						"0",
						"0",
						"10",
						"", puInfo)
					So(err, ShouldBeNil)

					t := i.iptv4.impl.RetrieveTable()
					if err != nil {
						printTable(t)
					}

					So(t["mangle"], ShouldNotBeNil)
					So(t["nat"], ShouldNotBeNil)

					for chain, rules := range t["mangle"] {
						So(expectedContainerGlobalMangleChainsV4Istio, ShouldContainKey, chain)
						So(rules, ShouldResemble, expectedContainerGlobalMangleChainsV4Istio[chain])
					}

					for chain, rules := range t["nat"] {
						So(expectedContainerGlobalNATChainsV4Istio, ShouldContainKey, chain)
						So(rules, ShouldResemble, expectedContainerGlobalNATChainsV4Istio[chain])
					}
				})

			})
		})
	})
}

func TestImplDefaultLock(t *testing.T) {
	instance, err := NewInstance(nil, constants.LocalServer, true, nil,
		"", policy.None)
	assert.Equal(t, instance != nil, true,
		"instance should not be nil")
	assert.Equal(t, err == nil, true,
		"err should be nil")
}

func TestImplWithLock(t *testing.T) {
	instance, err := NewInstance(nil, constants.LocalServer, true, nil,
		"/tmp/xtables.lock", policy.None)
	assert.Equal(t, instance != nil, true,
		"instance should not be nil")
	assert.Equal(t, err == nil, true,
		"err should be nil")
	assert.Equal(t, os.Getenv("XT_LOCK_NAME") == "/tmp/xtables.lock", true,
		"err env var XT_LOCK_NAME is not set")
}

func printTable(t map[string]map[string][]string) {
	fmt.Printf("\n")
	for table, chains := range t {
		fmt.Println(table)
		for chain, rules := range chains {
			fmt.Println(chain)
			for _, rule := range rules {
				fmt.Println(rule)
			}
		}
	}
}


================================================
FILE: controller/internal/supervisor/iptablesctrl/iptablesV6_test.go
================================================
// +build !windows,!rhel6

package iptablesctrl

import (
	"bytes"
	"context"
	"fmt"
	"net"
	"testing"

	"github.com/aporeto-inc/go-ipset/ipset"
	"github.com/magiconair/properties/assert"
	. "github.com/smartystreets/goconvey/convey"
	"go.aporeto.io/enforcerd/trireme-lib/common"
	"go.aporeto.io/enforcerd/trireme-lib/controller/constants"
	tacls "go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/acls"
	provider "go.aporeto.io/enforcerd/trireme-lib/controller/pkg/aclprovider"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/ipsetmanager"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packet"
	"go.aporeto.io/enforcerd/trireme-lib/controller/runtime"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
	"go.aporeto.io/enforcerd/trireme-lib/utils/portspec"
)

func testICMPAllow() string {
	return "16,48 0 0 0,84 0 0 240,21 0 12 96,48 0 0 6,21 0 10 58,48 0 0 40,21 5 0 133,21 4 0 134,21 3 0 135,21 2 0 136,21 1 0 141,21 0 3 142,48 0 0 41,21 0 1 0,6 0 0 65535,6 0 0 0"
}

func TestNewInstanceV6(t *testing.T) {

	Convey("When I create a new iptables instance", t, func() {
		Convey("If I create a remote implemenetation and iptables exists", func() {
			ips := ipsetmanager.NewTestIpsetProvider()
			iptv4 := provider.NewTestIptablesProvider()
			iptv6 := provider.NewTestIptablesProvider()

			i, err := createTestInstance(ips, iptv4, iptv6, constants.RemoteContainer, policy.None)
			Convey("It should succeed", func() {
				So(i, ShouldNotBeNil)
				So(err, ShouldBeNil)
			})
		})
	})

	Convey("When I create a new iptables instance", t, func() {
		Convey("If I create a Linux server implemenetation and iptables exists", func() {
			ips := ipsetmanager.NewTestIpsetProvider()
			iptv4 := provider.NewTestIptablesProvider()
			iptv6 := provider.NewTestIptablesProvider()

			i, err := createTestInstance(ips, iptv4, iptv6, constants.LocalServer, policy.None)
			Convey("It should succeed", func() {
				So(i, ShouldNotBeNil)
				So(err, ShouldBeNil)
			})
		})
	})
}

func Test_NegativeConfigureRulesV6(t *testing.T) {

	Convey("Given a valid instance", t, func() {
		ips := ipsetmanager.NewTestIpsetProvider()
		iptv4 := provider.NewTestIptablesProvider()
		iptv6 := provider.NewTestIptablesProvider()

		i, err := createTestInstance(ips, iptv4, iptv6, constants.LocalServer, policy.None)
		So(err, ShouldBeNil)

		ctx, cancel := context.WithCancel(context.Background())
		defer cancel()

		err = i.Run(ctx)
		So(err, ShouldBeNil)
		cfg := &runtime.Configuration{}
		i.SetTargetNetworks(cfg) // nolint

		ipl := policy.ExtendedMap{}
		policyrules := policy.NewPUPolicy(
			"Context",
			"/ns1",
			policy.Police,
			nil,
			nil,
			nil,
			nil,
			nil,
			nil,
			nil,
			nil,
			ipl,
			0,
			0,
			nil,
			nil,
			[]string{},
			policy.EnforcerMapping,
			policy.Reject|policy.Log,
			policy.Reject|policy.Log,
		)
		containerinfo := policy.NewPUInfo("Context",
			"/ns1", common.ContainerPU)
		containerinfo.Policy = policyrules
		containerinfo.Runtime = policy.NewPURuntimeWithDefaults()
		containerinfo.Runtime.SetOptions(policy.OptionsType{
			CgroupMark: "10",
		})

		Convey("When I configure the rules with no errors, it should succeed", func() {
			err := i.ConfigureRules(1,
				"ID", containerinfo)
			So(err, ShouldBeNil)
		})

		Convey("When I configure the rules and the proxy set fails, it should error", func() {
			ips.MockNewIpset(t, func(name, hash string, p *ipset.Params) (ipsetmanager.Ipset, error) {
				return nil, fmt.Errorf("error")
			})
			err := i.ConfigureRules(1,
				"ID", containerinfo)
			So(err, ShouldNotBeNil)
		})

		Convey("When I configure the rules and acls fail, it should error", func() {
			iptv6.MockAppend(t, func(table, chain string, rulespec ...string) error {
				return fmt.Errorf("error")
			})
			err := i.ConfigureRules(1,
				"ID", containerinfo)
			So(err, ShouldNotBeNil)
		})

		Convey("When I configure the rules and commit fails, it should error", func() {
			iptv6.MockCommit(t, func() error {
				return fmt.Errorf("error")
			})
			err := i.iptv6.ConfigureRules(1,
				"ID", containerinfo)
			So(err, ShouldNotBeNil)
		})
	})
}

var (
	expectedGlobalMangleChainsV6 = map[string][]string{
		"TRI-Nfq-IN": {"-j HMARK --hmark-tuple dport,sport --hmark-mod 4 --hmark-offset 67 --hmark-rnd 0xdeadbeef",
			"-m mark --mark 67 -j NFQUEUE --queue-num 0 --queue-bypass",
			"-m mark --mark 68 -j NFQUEUE --queue-num 1 --queue-bypass",
			"-m mark --mark 69 -j NFQUEUE --queue-num 2 --queue-bypass",
			"-m mark --mark 70 -j NFQUEUE --queue-num 3 --queue-bypass"},
		"TRI-Nfq-OUT": {"-j HMARK --hmark-tuple sport,dport --hmark-mod 4 --hmark-offset 0 --hmark-rnd 0xdeadbeef",
			"-m mark --mark 0 -j NFQUEUE --queue-num 0 --queue-bypass",
			"-m mark --mark 1 -j NFQUEUE --queue-num 1 --queue-bypass",
			"-m mark --mark 2 -j NFQUEUE --queue-num 2 --queue-bypass",
			"-m mark --mark 3 -j NFQUEUE --queue-num 3 --queue-bypass"},
		"INPUT": {
			"-m set ! --match-set TRI-v6-Excluded src -j TRI-Net",
		},
		"OUTPUT": {
			"-m set ! --match-set TRI-v6-Excluded dst -j TRI-App",
		},
		"TRI-App": {
			"-m mark --mark 66 -j CONNMARK --set-mark 61167", "-p tcp -m mark --mark 66 -j ACCEPT", "-p udp --dport 53 -m mark --mark 0x40 -m cgroup --cgroup 1536 -j CONNMARK --set-mark 61167", "-p udp --dport 53 -m mark --mark 0x40 -j CONNMARK --set-mark 61167", "-j TRI-Prx-App", "-m connmark --mark 61167 -j ACCEPT", "-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP",
			"-m connmark --mark 61166 -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT", "-m connmark --mark 61166 -p udp -j ACCEPT", "-m mark --mark 1073741922 -j ACCEPT",
			"-p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-OUT", "-j TRI-Pid-App", "-j TRI-Svc-App", "-j TRI-Hst-App"},
		"TRI-Net": {
			"-j TRI-Prx-Net", "-p tcp -m mark --mark 66 -j CONNMARK --set-mark 61167", "-p tcp -m mark --mark 66 -j ACCEPT", "-m connmark --mark 61167 -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT", "-m set --match-set TRI-v6-TargetTCP src -p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-IN",
			"-p udp -m string --string n30njxq7bmiwr6dtxq --algo bm --to 65535 -j TRI-Nfq-IN", "-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP",
			"-m connmark --mark 61166 -p udp -j ACCEPT", "-j TRI-Pid-Net", "-j TRI-Svc-Net", "-j TRI-Hst-Net"},
		"TRI-Pid-App": {},
		"TRI-Pid-Net": {},
		"TRI-Prx-App": {
			"-m mark --mark 0x40 -j ACCEPT",
		},
		"TRI-Prx-Net": {
			"-m mark --mark 0x40 -j ACCEPT",
		},
		"TRI-Hst-App": {},
		"TRI-Hst-Net": {},
		"TRI-Svc-App": {},
		"TRI-Svc-Net": {},
	}

	expectedGlobalNATChainsV6 = map[string][]string{
		"PREROUTING": {
			"-p tcp -m addrtype --dst-type LOCAL -m set ! --match-set TRI-v6-Excluded src -j TRI-Redir-Net",
		},
		"OUTPUT": {
			"-m set ! --match-set TRI-v6-Excluded dst -j TRI-Redir-App",
		},
		"TRI-Redir-App": {
			"-m mark --mark 0x40 -j RETURN",
		},
		"TRI-Redir-Net": {
			"-m mark --mark 0x40 -j ACCEPT",
		},
	}

	expectedMangleAfterPUInsertV6 = map[string][]string{
		"TRI-Nfq-IN": {"-j HMARK --hmark-tuple dport,sport --hmark-mod 4 --hmark-offset 67 --hmark-rnd 0xdeadbeef",
			"-m mark --mark 67 -j NFQUEUE --queue-num 0 --queue-bypass",
			"-m mark --mark 68 -j NFQUEUE --queue-num 1 --queue-bypass",
			"-m mark --mark 69 -j NFQUEUE --queue-num 2 --queue-bypass",
			"-m mark --mark 70 -j NFQUEUE --queue-num 3 --queue-bypass"},
		"TRI-Nfq-OUT": {"-j HMARK --hmark-tuple sport,dport --hmark-mod 4 --hmark-offset 0 --hmark-rnd 0xdeadbeef",
			"-m mark --mark 0 -j NFQUEUE --queue-num 0 --queue-bypass",
			"-m mark --mark 1 -j NFQUEUE --queue-num 1 --queue-bypass",
			"-m mark --mark 2 -j NFQUEUE --queue-num 2 --queue-bypass",
			"-m mark --mark 3 -j NFQUEUE --queue-num 3 --queue-bypass"},
		"INPUT": {
			"-m set ! --match-set TRI-v6-Excluded src -j TRI-Net",
		},
		"OUTPUT": {
			"-m set ! --match-set TRI-v6-Excluded dst -j TRI-App",
		},
		"TRI-App": {
			"-m mark --mark 66 -j CONNMARK --set-mark 61167", "-p tcp -m mark --mark 66 -j ACCEPT", "-p udp --dport 53 -m mark --mark 0x40 -m cgroup --cgroup 1536 -j CONNMARK --set-mark 61167", "-p udp --dport 53 -m mark --mark 0x40 -j CONNMARK --set-mark 61167", "-j TRI-Prx-App", "-m connmark --mark 61167 -j ACCEPT", "-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP", "-m connmark --mark 61166 -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT",
			"-m connmark --mark 61166 -p udp -j ACCEPT", "-m mark --mark 1073741922 -j ACCEPT",
			"-p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-OUT", "-j TRI-Pid-App", "-j TRI-Svc-App", "-j TRI-Hst-App"},
		"TRI-Net": {
			"-j TRI-Prx-Net", "-p tcp -m mark --mark 66 -j CONNMARK --set-mark 61167", "-p tcp -m mark --mark 66 -j ACCEPT", "-m connmark --mark 61167 -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT", "-m set --match-set TRI-v6-TargetTCP src -p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-IN",
			"-p udp -m string --string n30njxq7bmiwr6dtxq --algo bm --to 65535 -j TRI-Nfq-IN", "-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP",
			"-m connmark --mark 61166 -p udp -j ACCEPT", "-j TRI-Pid-Net", "-j TRI-Svc-Net", "-j TRI-Hst-Net"},
		"TRI-Pid-App": {
			"-m cgroup --cgroup 10 -m comment --comment PU-Chain -j MARK --set-mark 10",
			"-m mark --mark 10 -m comment --comment PU-Chain -j TRI-App-pu1N7uS6--0"},
		"TRI-Pid-Net": {
			"-p tcp -m multiport --destination-ports 9000 -m comment --comment PU-Chain -j TRI-Net-pu1N7uS6--0",
			"-p udp -m multiport --destination-ports 5000 -m comment --comment PU-Chain -j TRI-Net-pu1N7uS6--0",
		},
		"TRI-Prx-App": {
			"-m mark --mark 0x40 -j ACCEPT",
			"-p tcp -m tcp --sport 0 -j ACCEPT",
			"-p tcp -m set --match-set TRI-v6-Proxy-pu19gtV-srv src -j ACCEPT",
			"-p tcp -m set --match-set TRI-v6-Proxy-pu19gtV-dst dst,dst -m mark ! --mark 0x40 -j ACCEPT",
			"-p udp -m udp --sport 0 -j ACCEPT",
		},
		"TRI-Prx-Net": {
			"-m mark --mark 0x40 -j ACCEPT",
			"-p tcp -m set --match-set TRI-v6-Proxy-pu19gtV-dst src,src -j ACCEPT",
			"-p tcp -m set --match-set TRI-v6-Proxy-pu19gtV-srv src -m addrtype --src-type LOCAL -j ACCEPT",
			"-p tcp -m tcp --dport 0 -j ACCEPT",
			"-p udp -m udp --dport 0 -j ACCEPT",
		},
		"TRI-Hst-App": {},
		"TRI-Hst-Net": {},
		"TRI-Svc-App": {},
		"TRI-Svc-Net": {},

		"TRI-Net-pu1N7uS6--0": {
			"-p tcp -m tcp --tcp-option 34 -m tcp --tcp-flags FIN,RST,URG,PSH NONE -j TRI-Nfq-IN",
			"-p UDP -m set --match-set TRI-v6-ext-6zlJIvP3B68= src -m state --state ESTABLISHED -m connmark --mark 61167 -j ACCEPT",
			"-p TCP -m set --match-set TRI-v6-ext-w5frVvhsnpU= src -m state --state NEW --match multiport --dports 80 -j DROP",
			"-p UDP -m set --match-set TRI-v6-ext-IuSLsD1R-mE= src -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 --match multiport --dports 443 -j CONNMARK --set-mark 61167",
			"-p UDP -m set --match-set TRI-v6-ext-IuSLsD1R-mE= src -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 --match multiport --dports 443 -j ACCEPT",
			"-p icmpv6 -m bpf --bytecode 16,48 0 0 0,84 0 0 240,21 0 12 96,48 0 0 6,21 0 10 58,48 0 0 40,21 5 0 133,21 4 0 134,21 3 0 135,21 2 0 136,21 1 0 141,21 0 3 142,48 0 0 41,21 0 1 0,6 0 0 65535,6 0 0 0 -j ACCEPT",
			"-p tcp -m set --match-set TRI-v6-TargetTCP src -m tcp --tcp-flags SYN NONE -j TRI-Nfq-IN",
			"-p udp -m set --match-set TRI-v6-TargetUDP src --match limit --limit 1000/s -j TRI-Nfq-IN",
			"-p tcp -m state --state ESTABLISHED -m comment --comment TCP-Established-Connections -j ACCEPT",
			"-s ::/0 -m state --state NEW -j NFLOG --nflog-group 11 --nflog-prefix 913787369:default:default:6",
			"-s ::/0 -m state ! --state NEW -j NFLOG --nflog-group 11 --nflog-prefix 913787369:default:default:10",
			"-s ::/0 -j DROP",
		},
		"TRI-App-pu1N7uS6--0": {
			"-p TCP -m set --match-set TRI-v6-ext-uNdc0vdcFZA= dst -m state --state NEW --match multiport --dports 80 -j DROP", "-p UDP -m set --match-set TRI-v6-ext-6zlJIvP3B68= dst -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 -m set ! --match-set TRI-v6-TargetUDP dst --match multiport --dports 443 -j CONNMARK --set-mark 61167", "-p UDP -m set --match-set TRI-v6-ext-6zlJIvP3B68= dst -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 -m set ! --match-set TRI-v6-TargetUDP dst --match multiport --dports 443 -j ACCEPT", "-p icmpv6 -m set --match-set TRI-v6-ext-w5frVvhsnpU= dst -j ACCEPT", "-p UDP -m set --match-set TRI-v6-ext-IuSLsD1R-mE= dst -m state --state ESTABLISHED -m connmark --mark 61167 -j ACCEPT", "-p icmpv6 -m bpf --bytecode 16,48 0 0 0,84 0 0 240,21 0 12 96,48 0 0 6,21 0 10 58,48 0 0 40,21 5 0 133,21 4 0 134,21 3 0 135,21 2 0 136,21 1 0 141,21 0 3 142,48 0 0 41,21 0 1 0,6 0 0 65535,6 0 0 0 -j ACCEPT", "-m set --match-set TRI-v6-TargetTCP dst -p tcp -m tcp --tcp-flags FIN FIN -j ACCEPT", "-m set --match-set TRI-v6-TargetTCP dst -p tcp -j HMARK --hmark-tuple sport,dport --hmark-mod 4 --hmark-offset 40 --hmark-rnd 0xdeadbeef", "-p udp -m set --match-set TRI-v6-TargetUDP dst -j HMARK --hmark-tuple sport,dport --hmark-mod 4 --hmark-offset 40 --hmark-rnd 0xdeadbeef", "-m mark --mark 40 -j NFQUEUE --queue-num 0 --queue-bypass", "-m mark --mark 41 -j NFQUEUE --queue-num 1 --queue-bypass", "-m mark --mark 42 -j NFQUEUE --queue-num 2 --queue-bypass", "-m mark --mark 43 -j NFQUEUE --queue-num 3 --queue-bypass",
			"-p tcp -m state --state ESTABLISHED -m comment --comment TCP-Established-Connections -j ACCEPT", "-p udp -m state --state ESTABLISHED -m comment --comment UDP-Established-Connections -j ACCEPT",
			"-d ::/0 -m state --state NEW -j NFLOG --nflog-group 10 --nflog-prefix 913787369:default:default:6", "-d ::/0 -m state ! --state NEW -j NFLOG --nflog-group 10 --nflog-prefix 913787369:default:default:10", "-d ::/0 -j DROP"},
	}

	expectedNATAfterPUInsertV6 = map[string][]string{
		"PREROUTING": {
			"-p tcp -m addrtype --dst-type LOCAL -m set ! --match-set TRI-v6-Excluded src -j TRI-Redir-Net",
		},
		"OUTPUT": {
			"-m set ! --match-set TRI-v6-Excluded dst -j TRI-Redir-App",
		},
		"TRI-Redir-App": {
			"-m mark --mark 0x40 -j RETURN",
			"-p tcp -m set --match-set TRI-v6-Proxy-pu19gtV-dst dst,dst -m mark ! --mark 0x40 -m cgroup --cgroup 10 -j REDIRECT --to-ports 0",
			"-d ::/0 -p udp --dport 53 -m mark ! --mark 0x40 -m cgroup --cgroup 10 -j CONNMARK --save-mark",
			"-d ::/0 -p udp --dport 53 -m mark ! --mark 0x40 -m cgroup --cgroup 10 -j REDIRECT --to-ports 0",
		},
		"TRI-Redir-Net": {
			"-m mark --mark 0x40 -j ACCEPT",
			"-p tcp -m set --match-set TRI-v6-Proxy-pu19gtV-srv dst -m mark ! --mark 0x40 -j REDIRECT --to-ports 0",
		},
		"POSTROUTING": {
			"-p udp -m addrtype --src-type LOCAL -m multiport --source-ports 5000 -j ACCEPT",
		},
	}

	expectedMangleAfterPUUpdateV6 = map[string][]string{
		"TRI-Nfq-IN": {"-j HMARK --hmark-tuple dport,sport --hmark-mod 4 --hmark-offset 67 --hmark-rnd 0xdeadbeef",
			"-m mark --mark 67 -j NFQUEUE --queue-num 0 --queue-bypass",
			"-m mark --mark 68 -j NFQUEUE --queue-num 1 --queue-bypass",
			"-m mark --mark 69 -j NFQUEUE --queue-num 2 --queue-bypass",
			"-m mark --mark 70 -j NFQUEUE --queue-num 3 --queue-bypass"},
		"TRI-Nfq-OUT": {"-j HMARK --hmark-tuple sport,dport --hmark-mod 4 --hmark-offset 0 --hmark-rnd 0xdeadbeef",
			"-m mark --mark 0 -j NFQUEUE --queue-num 0 --queue-bypass",
			"-m mark --mark 1 -j NFQUEUE --queue-num 1 --queue-bypass",
			"-m mark --mark 2 -j NFQUEUE --queue-num 2 --queue-bypass",
			"-m mark --mark 3 -j NFQUEUE --queue-num 3 --queue-bypass"},
		"INPUT": {
			"-m set ! --match-set TRI-v6-Excluded src -j TRI-Net",
		},
		"OUTPUT": {
			"-m set ! --match-set TRI-v6-Excluded dst -j TRI-App",
		},
		"TRI-App": {
			"-m mark --mark 66 -j CONNMARK --set-mark 61167", "-p tcp -m mark --mark 66 -j ACCEPT", "-p udp --dport 53 -m mark --mark 0x40 -m cgroup --cgroup 1536 -j CONNMARK --set-mark 61167", "-p udp --dport 53 -m mark --mark 0x40 -j CONNMARK --set-mark 61167", "-j TRI-Prx-App", "-m connmark --mark 61167 -j ACCEPT", "-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP",
			"-m connmark --mark 61166 -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT", "-m connmark --mark 61166 -p udp -j ACCEPT", "-m mark --mark 1073741922 -j ACCEPT",
			"-p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-OUT", "-j TRI-Pid-App", "-j TRI-Svc-App", "-j TRI-Hst-App"},
		"TRI-Net": {
			"-j TRI-Prx-Net", "-p tcp -m mark --mark 66 -j CONNMARK --set-mark 61167", "-p tcp -m mark --mark 66 -j ACCEPT", "-m connmark --mark 61167 -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT", "-m set --match-set TRI-v6-TargetTCP src -p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-IN", "-p udp -m string --string n30njxq7bmiwr6dtxq --algo bm --to 65535 -j TRI-Nfq-IN", "-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP",
			"-m connmark --mark 61166 -p udp -j ACCEPT", "-j TRI-Pid-Net", "-j TRI-Svc-Net", "-j TRI-Hst-Net"},
		"TRI-Pid-App": {
			"-m cgroup --cgroup 10 -m comment --comment PU-Chain -j MARK --set-mark 10",
			"-m mark --mark 10 -m comment --comment PU-Chain -j TRI-App-pu1N7uS6--1"},
		"TRI-Pid-Net": {
			"-p tcp -m set --match-set TRI-v6-ProcPort-pu19gtV dst -m comment --comment PU-Chain -j TRI-Net-pu1N7uS6--1",
		},
		"TRI-Prx-App": {
			"-m mark --mark 0x40 -j ACCEPT",
			"-p tcp -m tcp --sport 0 -j ACCEPT",
			"-p tcp -m set --match-set TRI-v6-Proxy-pu19gtV-srv src -j ACCEPT",
			"-p tcp -m set --match-set TRI-v6-Proxy-pu19gtV-dst dst,dst -m mark ! --mark 0x40 -j ACCEPT",
			"-p udp -m udp --sport 0 -j ACCEPT",
		},
		"TRI-Prx-Net": {
			"-m mark --mark 0x40 -j ACCEPT",
			"-p tcp -m set --match-set TRI-v6-Proxy-pu19gtV-dst src,src -j ACCEPT",
			"-p tcp -m set --match-set TRI-v6-Proxy-pu19gtV-srv src -m addrtype --src-type LOCAL -j ACCEPT",
			"-p tcp -m tcp --dport 0 -j ACCEPT",
			"-p udp -m udp --dport 0 -j ACCEPT",
		},
		"TRI-Hst-App": {},
		"TRI-Hst-Net": {},
		"TRI-Svc-App": {},
		"TRI-Svc-Net": {},

		"TRI-Net-pu1N7uS6--1": {
			"-p tcp -m tcp --tcp-option 34 -m tcp --tcp-flags FIN,RST,URG,PSH NONE -j TRI-Nfq-IN",
			"-p TCP -m set --match-set TRI-v6-ext-w5frVvhsnpU= src -m state --state NEW --match multiport --dports 80 -j DROP",
			"-p icmpv6 -m bpf --bytecode 16,48 0 0 0,84 0 0 240,21 0 12 96,48 0 0 6,21 0 10 58,48 0 0 40,21 5 0 133,21 4 0 134,21 3 0 135,21 2 0 136,21 1 0 141,21 0 3 142,48 0 0 41,21 0 1 0,6 0 0 65535,6 0 0 0 -j ACCEPT",
			"-p tcp -m set --match-set TRI-v6-TargetTCP src -m tcp --tcp-flags SYN NONE -j TRI-Nfq-IN",
			"-p udp -m set --match-set TRI-v6-TargetUDP src --match limit --limit 1000/s -j TRI-Nfq-IN",
			"-p tcp -m state --state ESTABLISHED -m comment --comment TCP-Established-Connections -j ACCEPT",
			"-s ::/0 -m state --state NEW -j NFLOG --nflog-group 11 --nflog-prefix 913787369:default:default:6",
			"-s ::/0 -m state ! --state NEW -j NFLOG --nflog-group 11 --nflog-prefix 913787369:default:default:10",
			"-s ::/0 -j DROP"},
		"TRI-App-pu1N7uS6--1": {
			"-p TCP -m set --match-set TRI-v6-ext-uNdc0vdcFZA= dst -m state --state NEW --match multiport --dports 80 -j DROP", "-p icmpv6 -m bpf --bytecode 16,48 0 0 0,84 0 0 240,21 0 12 96,48 0 0 6,21 0 10 58,48 0 0 40,21 5 0 133,21 4 0 134,21 3 0 135,21 2 0 136,21 1 0 141,21 0 3 142,48 0 0 41,21 0 1 0,6 0 0 65535,6 0 0 0 -j ACCEPT", "-m set --match-set TRI-v6-TargetTCP dst -p tcp -m tcp --tcp-flags FIN FIN -j ACCEPT", "-m set --match-set TRI-v6-TargetTCP dst -p tcp -j HMARK --hmark-tuple sport,dport --hmark-mod 4 --hmark-offset 40 --hmark-rnd 0xdeadbeef", "-p udp -m set --match-set TRI-v6-TargetUDP dst -j HMARK --hmark-tuple sport,dport --hmark-mod 4 --hmark-offset 40 --hmark-rnd 0xdeadbeef", "-m mark --mark 40 -j NFQUEUE --queue-num 0 --queue-bypass", "-m mark --mark 41 -j NFQUEUE --queue-num 1 --queue-bypass", "-m mark --mark 42 -j NFQUEUE --queue-num 2 --queue-bypass", "-m mark --mark 43 -j NFQUEUE --queue-num 3 --queue-bypass",
			"-p tcp -m state --state ESTABLISHED -m comment --comment TCP-Established-Connections -j ACCEPT", "-p udp -m state --state ESTABLISHED -m comment --comment UDP-Established-Connections -j ACCEPT",
			"-d ::/0 -m state --state NEW -j NFLOG --nflog-group 10 --nflog-prefix 913787369:default:default:6", "-d ::/0 -m state ! --state NEW -j NFLOG --nflog-group 10 --nflog-prefix 913787369:default:default:10", "-d ::/0 -j DROP"},
	}
)

func Test_OperationWithLinuxServicesV6(t *testing.T) {

	Convey("Given an iptables controller with a memory backend ", t, func() {
		cfg := &runtime.Configuration{
			TCPTargetNetworks: []string{"::/0"},
			UDPTargetNetworks: []string{"1120::/64"},
			ExcludedNetworks:  []string{"::1"},
		}

		commitFunc := func(buf *bytes.Buffer) error {
			return nil
		}

		iptv4 := provider.NewCustomBatchProvider(&baseIpt{}, commitFunc, []string{"nat",
			"mangle"})
		So(iptv4, ShouldNotBeNil)

		iptv6 := provider.NewCustomBatchProvider(&baseIpt{}, commitFunc, []string{"nat",
			"mangle"})
		So(iptv6, ShouldNotBeNil)

		ips := &memoryIPSetProvider{sets: map[string]*memoryIPSet{}}
		i, err := createTestInstance(ips, iptv4, iptv6, constants.LocalServer, policy.None)
		So(err, ShouldBeNil)
		So(i, ShouldNotBeNil)

		Convey("When I start the controller, I should get the right global chains and ipsets", func() {
			ctx, cancel := context.WithCancel(context.Background())
			defer cancel()
			err := i.Run(ctx)
			i.SetTargetNetworks(cfg) // nolint

			So(err, ShouldBeNil)

			t := i.iptv6.impl.RetrieveTable()
			So(t, ShouldNotBeNil)
			So(len(t), ShouldEqual, 2)
			So(t["mangle"], ShouldNotBeNil)
			So(t["nat"], ShouldNotBeNil)

			for chain, rules := range t["mangle"] {
				So(expectedGlobalMangleChainsV6, ShouldContainKey, chain)
				So(rules, ShouldResemble, expectedGlobalMangleChainsV6[chain])
			}

			for chain, rules := range t["nat"] {
				So(expectedGlobalNATChainsV6, ShouldContainKey, chain)
				So(rules, ShouldResemble, expectedGlobalNATChainsV6[chain])
			}

			Convey("When I configure a new set of rules, the ACLs must be correct", func() {

				appACLs := policy.IPRuleList{
					policy.IPRule{
						Addresses: []string{"1120::/64"},
						Ports:     []string{"80"},
						Protocols: []string{"TCP"},
						Policy: &policy.FlowPolicy{
							Action:    policy.Reject,
							ServiceID: "s1",
							PolicyID:  "1",
						},
					},
					policy.IPRule{
						Addresses: []string{"1120::/64"},
						Ports:     []string{"443"},
						Protocols: []string{"UDP"},
						Policy: &policy.FlowPolicy{
							Action:    policy.Accept,
							ServiceID: "s2",
							PolicyID:  "2",
						},
					},
					policy.IPRule{
						Addresses: []string{"1122::/64"},
						Ports:     []string{"443"},
						Protocols: []string{"icmpv6"},
						Policy: &policy.FlowPolicy{
							Action:    policy.Accept,
							ServiceID: "s3",
							PolicyID:  "3",
						},
					},
					policy.IPRule{
						Addresses: []string{"40.0.0.0/24"},
						Ports:     []string{"443"},
						Protocols: []string{"icmp"},
						Policy: &policy.FlowPolicy{
							Action:    policy.Accept,
							ServiceID: "s3",
							PolicyID:  "3",
						},
					},
				}
				netACLs := policy.IPRuleList{
					policy.IPRule{
						Addresses: []string{"1122::/64"},
						Ports:     []string{"80"},
						Protocols: []string{"TCP"},
						Policy: &policy.FlowPolicy{
							Action:    policy.Reject,
							ServiceID: "s3",
							PolicyID:  "1",
						},
					},
					policy.IPRule{
						Addresses: []string{"1122::/64"},
						Ports:     []string{"443"},
						Protocols: []string{"UDP"},
						Policy: &policy.FlowPolicy{
							Action:    policy.Accept,
							ServiceID: "s4",
							PolicyID:  "2",
						},
					},
				}
				ipl := policy.ExtendedMap{}
				policyrules := policy.NewPUPolicy(
					"Context",
					"/ns1",
					policy.Police,
					appACLs,
					netACLs,
					nil,
					nil,
					nil,
					nil,
					nil,
					nil,
					ipl,
					0,
					0,
					nil,
					nil,
					[]string{},
					policy.EnforcerMapping,
					policy.Reject|policy.Log,
					policy.Reject|policy.Log,
				)
				puInfo := policy.NewPUInfo("Context",
					"/ns1", common.LinuxProcessPU)
				puInfo.Policy = policyrules
				puInfo.Runtime.SetOptions(policy.OptionsType{
					CgroupMark: "10",
				})

				udpPortSpec, err := portspec.NewPortSpecFromString("5000", nil)
				So(err, ShouldBeNil)
				tcpPortSpec, err := portspec.NewPortSpecFromString("9000", nil)
				So(err, ShouldBeNil)

				puInfo.Runtime.SetServices([]common.Service{
					{
						Ports:    udpPortSpec,
						Protocol: 17,
					},
					{
						Ports:    tcpPortSpec,
						Protocol: 6,
					},
				})

				var iprules policy.IPRuleList
				iprules = append(iprules, puInfo.Policy.ApplicationACLs()...)
				iprules = append(iprules, puInfo.Policy.NetworkACLs()...)
				i.iptv6.ipsetmanager.RegisterExternalNets("pu1", iprules) // nolint

				err = i.ConfigureRules(0,
					"pu1", puInfo)
				So(err, ShouldBeNil)
				t := i.iptv6.impl.RetrieveTable()

				for chain, rules := range t["mangle"] {
					So(expectedMangleAfterPUInsertV6, ShouldContainKey, chain)
					So(rules, ShouldResemble, expectedMangleAfterPUInsertV6[chain])
				}

				for chain, rules := range t["nat"] {
					So(expectedNATAfterPUInsertV6, ShouldContainKey, chain)
					So(rules, ShouldResemble, expectedNATAfterPUInsertV6[chain])
				}

				Convey("When I update the policy, the update must result in correct state", func() {
					appACLs := policy.IPRuleList{
						policy.IPRule{
							Addresses: []string{"1120::/64"},
							Ports:     []string{"80"},
							Protocols: []string{"TCP"},
							Policy: &policy.FlowPolicy{
								Action:    policy.Reject,
								ServiceID: "s1",
								PolicyID:  "1",
							},
						},
					}
					netACLs := policy.IPRuleList{
						policy.IPRule{
							Addresses: []string{"1122::/64"},
							Ports:     []string{"80"},
							Protocols: []string{"TCP"},
							Policy: &policy.FlowPolicy{
								Action:    policy.Reject,
								ServiceID: "s3",
								PolicyID:  "1",
							},
						},
					}
					ipl := policy.ExtendedMap{}
					policyrules := policy.NewPUPolicy(
						"Context",
						"/ns1",
						policy.Police,
						appACLs,
						netACLs,
						nil,
						nil,
						nil,
						nil,
						nil,
						nil,
						ipl,
						0,
						0,
						nil,
						nil,
						[]string{},
						policy.EnforcerMapping,
						policy.Reject|policy.Log,
						policy.Reject|policy.Log,
					)
					puInfoUpdated := policy.NewPUInfo("Context",
						"/ns1", common.LinuxProcessPU)
					puInfoUpdated.Policy = policyrules
					puInfoUpdated.Runtime.SetOptions(policy.OptionsType{
						CgroupMark: "10",
					})

					err := i.UpdateRules(1,
						"pu1", puInfoUpdated, puInfo)
					So(err, ShouldBeNil)

					t := i.iptv6.impl.RetrieveTable()
					for chain, rules := range t["mangle"] {
						So(expectedMangleAfterPUUpdateV6, ShouldContainKey, chain)
						So(rules, ShouldResemble, expectedMangleAfterPUUpdateV6[chain])
					}

					Convey("When I delete the same rule, the chains must be restored in the global state", func() {
						err := i.DeleteRules(1,
							"pu1",
							"0",
							"5000",
							"10",
							"", puInfoUpdated)
						So(err, ShouldBeNil)

						t := i.iptv6.impl.RetrieveTable()

						So(t["mangle"], ShouldNotBeNil)
						So(t["nat"], ShouldNotBeNil)

						for chain, rules := range t["mangle"] {
							So(expectedGlobalMangleChainsV6, ShouldContainKey, chain)
							So(rules, ShouldResemble, expectedGlobalMangleChainsV6[chain])
						}

						for chain, rules := range t["nat"] {
							if len(rules) > 0 {
								So(expectedGlobalNATChainsV6, ShouldContainKey, chain)
								So(rules, ShouldResemble, expectedGlobalNATChainsV6[chain])
							}
						}
					})
				})
			})
		})
	})
}

func Test_OperationNomatchIpsetsV6(t *testing.T) {

	Convey("Given an iptables controller with a memory backend ", t, func() {
		cfg := &runtime.Configuration{
			TCPTargetNetworks: []string{"::/0",
				"!2001:db8:1234::/48"},
			UDPTargetNetworks: []string{"1120::/64"},
			ExcludedNetworks:  []string{"::1"},
		}

		commitFunc := func(buf *bytes.Buffer) error {
			return nil
		}

		iptv4 := provider.NewCustomBatchProvider(&baseIpt{}, commitFunc, []string{"nat",
			"mangle"})
		So(iptv4, ShouldNotBeNil)

		iptv6 := provider.NewCustomBatchProvider(&baseIpt{}, commitFunc, []string{"nat",
			"mangle"})
		So(iptv6, ShouldNotBeNil)

		ips := &memoryIPSetProvider{sets: map[string]*memoryIPSet{}}
		i, err := createTestInstance(ips, iptv4, iptv6, constants.LocalServer, policy.None)
		So(err, ShouldBeNil)
		So(i, ShouldNotBeNil)

		Convey("When I start the controller, I should get the right global chains and ipsets", func() {
			ctx, cancel := context.WithCancel(context.Background())
			defer cancel()
			err := i.Run(ctx)
			i.SetTargetNetworks(cfg) // nolint

			So(err, ShouldBeNil)

			So(ips.sets, ShouldContainKey,
				"TRI-v6-TargetTCP")
			So(ips.sets["TRI-v6-TargetTCP"].set, ShouldContainKey,
				"2001:db8:1234::/48")
			So(ips.sets["TRI-v6-TargetTCP"].set["2001:db8:1234::/48"], ShouldBeTrue)
			So(ips.sets["TRI-v6-TargetTCP"].set, ShouldContainKey,
				"::/1")
			So(ips.sets["TRI-v6-TargetTCP"].set["::/1"], ShouldBeFalse)
			So(ips.sets["TRI-v6-TargetTCP"].set, ShouldContainKey,
				"8000::/1")
			So(ips.sets["TRI-v6-TargetTCP"].set["8000::/1"], ShouldBeFalse)
		})
	})
}

func Test_OperationNomatchIpsetsInExternalNetworksV6(t *testing.T) {

	Convey("Given an iptables controller with a memory backend ", t, func() {
		cfg := &runtime.Configuration{
			TCPTargetNetworks: []string{"::/0",
				"!2001:db8:1234::/48"},
			UDPTargetNetworks: []string{"1120::/64"},
			ExcludedNetworks:  []string{"::1"},
		}

		commitFunc := func(buf *bytes.Buffer) error {
			return nil
		}

		iptv4 := provider.NewCustomBatchProvider(&baseIpt{}, commitFunc, []string{"nat",
			"mangle"})
		So(iptv4, ShouldNotBeNil)

		iptv6 := provider.NewCustomBatchProvider(&baseIpt{}, commitFunc, []string{"nat",
			"mangle"})
		So(iptv6, ShouldNotBeNil)

		ips := &memoryIPSetProvider{sets: map[string]*memoryIPSet{}}
		i, err := createTestInstance(ips, iptv4, iptv6, constants.LocalServer, policy.None)
		So(err, ShouldBeNil)
		So(i, ShouldNotBeNil)

		Convey("When I start the controller, I should get the right global chains and ipsets", func() {
			ctx, cancel := context.WithCancel(context.Background())
			defer cancel()
			err := i.Run(ctx)
			i.SetTargetNetworks(cfg) // nolint

			So(err, ShouldBeNil)

			// Setup external networks
			appACLs := policy.IPRuleList{
				policy.IPRule{
					Addresses: []string{"::/0",
						"!2001:db8:1234::/48"},
					Ports:     []string{"80"},
					Protocols: []string{constants.TCPProtoNum},
					Policy: &policy.FlowPolicy{
						Action:    policy.Accept | policy.Log,
						ServiceID: "a3",
						PolicyID:  "1234a",
					},
				},
			}
			netACLs := policy.IPRuleList{}

			policyRules := policy.NewPUPolicy("Context",
				"/ns1", policy.Police, appACLs, netACLs, nil, nil, nil, nil, nil, nil, nil, 20992, 0, nil, nil, []string{}, policy.EnforcerMapping, policy.Reject|policy.Log, policy.Reject|policy.Log)

			puInfo := policy.NewPUInfo("Context",
				"/ns1", common.HostPU)
			puInfo.Policy = policyRules
			puInfo.Runtime = policy.NewPURuntimeWithDefaults()
			puInfo.Runtime.SetPUType(common.HostPU)
			puInfo.Runtime.SetOptions(policy.OptionsType{
				CgroupMark: "10",
			})

			// configure rules
			var iprules policy.IPRuleList
			iprules = append(iprules, puInfo.Policy.ApplicationACLs()...)
			iprules = append(iprules, puInfo.Policy.NetworkACLs()...)
			err = i.iptv4.ipsetmanager.RegisterExternalNets("pu1", iprules)
			So(err, ShouldBeNil)
			err = i.iptv6.ipsetmanager.RegisterExternalNets("pu1", iprules)
			So(err, ShouldBeNil)

			err = i.ConfigureRules(0,
				"pu1", puInfo)
			So(err, ShouldBeNil)

			// Check ipsets
			setName := i.iptv6.ipsetmanager.GetACLIPsetsNames(appACLs[0:1])[0]
			So(ips.sets[setName].set, ShouldContainKey,
				"::/1")
			So(ips.sets[setName].set, ShouldContainKey,
				"8000::/1")
			So(ips.sets[setName].set, ShouldContainKey,
				"2001:db8:1234::/48")
			So(ips.sets[setName].set["::/1"], ShouldBeFalse)
			So(ips.sets[setName].set["8000::/1"], ShouldBeFalse)
			So(ips.sets[setName].set["2001:db8:1234::/48"], ShouldBeTrue)

			// Configure and check acl cache
			aclCache := tacls.NewACLCache()
			err = aclCache.AddRuleList(puInfo.Policy.ApplicationACLs())
			So(err, ShouldBeNil)
			defaultFlowPolicy := &policy.FlowPolicy{Action: policy.Reject | policy.Log, PolicyID: "default", ServiceID: "default"}

			report, _, err := aclCache.GetMatchingAction(net.ParseIP("2001:db8:5678::"), 80, packet.IPProtocolTCP, defaultFlowPolicy)
			So(err, ShouldBeNil)
			So(report.Action, ShouldEqual, policy.Accept|policy.Log)

			report, _, err = aclCache.GetMatchingAction(net.ParseIP("2001:db8:1234:5678::"), 80, packet.IPProtocolTCP, defaultFlowPolicy)
			So(err, ShouldNotBeNil)
			So(report.Action, ShouldEqual, policy.Reject|policy.Log)
		})
	})
}

var (
	expectedContainerGlobalMangleChainsV6 = map[string][]string{
		"TRI-Nfq-IN": {"-j HMARK --hmark-tuple dport,sport --hmark-mod 4 --hmark-offset 67 --hmark-rnd 0xdeadbeef",
			"-m mark --mark 67 -j NFQUEUE --queue-num 0 --queue-bypass",
			"-m mark --mark 68 -j NFQUEUE --queue-num 1 --queue-bypass",
			"-m mark --mark 69 -j NFQUEUE --queue-num 2 --queue-bypass",
			"-m mark --mark 70 -j NFQUEUE --queue-num 3 --queue-bypass"},
		"TRI-Nfq-OUT": {"-j HMARK --hmark-tuple sport,dport --hmark-mod 4 --hmark-offset 0 --hmark-rnd 0xdeadbeef",
			"-m mark --mark 0 -j NFQUEUE --queue-num 0 --queue-bypass",
			"-m mark --mark 1 -j NFQUEUE --queue-num 1 --queue-bypass",
			"-m mark --mark 2 -j NFQUEUE --queue-num 2 --queue-bypass",
			"-m mark --mark 3 -j NFQUEUE --queue-num 3 --queue-bypass"},
		"INPUT": {
			"-m set ! --match-set TRI-v6-Excluded src -j TRI-Net",
		},
		"OUTPUT": {
			"-m set ! --match-set TRI-v6-Excluded dst -j TRI-App",
		},
		"TRI-App": {
			"-m mark --mark 66 -j CONNMARK --set-mark 61167", "-p tcp -m mark --mark 66 -j ACCEPT", "-p udp --dport 53 -m mark --mark 0x40 -m cgroup --cgroup 1536 -j CONNMARK --set-mark 61167", "-p udp --dport 53 -m mark --mark 0x40 -j CONNMARK --set-mark 61167", "-j TRI-Prx-App", "-m connmark --mark 61167 -j ACCEPT", "-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP",
			"-m connmark --mark 61166 -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT", "-m connmark --mark 61166 -p udp -j ACCEPT",
			"-m mark --mark 1073741922 -j ACCEPT", "-p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-OUT"},
		"TRI-Net": {
			"-j TRI-Prx-Net", "-p tcp -m mark --mark 66 -j CONNMARK --set-mark 61167", "-p tcp -m mark --mark 66 -j ACCEPT", "-m connmark --mark 61167 -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT",
			"-m set --match-set TRI-v6-TargetTCP src -p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-IN", "-p udp -m string --string n30njxq7bmiwr6dtxq --algo bm --to 65535 -j TRI-Nfq-IN", "-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP", "-m connmark --mark 61166 -p udp -j ACCEPT",
		},
		"TRI-Prx-App": {
			"-m mark --mark 0x40 -j ACCEPT",
		},
		"TRI-Prx-Net": {
			"-m mark --mark 0x40 -j ACCEPT",
		},
	}

	expectedContainerGlobalNATChainsV6 = map[string][]string{
		"PREROUTING": {
			"-p tcp -m addrtype --dst-type LOCAL -m set ! --match-set TRI-v6-Excluded src -j TRI-Redir-Net",
		},
		"OUTPUT": {
			"-m set ! --match-set TRI-v6-Excluded dst -j TRI-Redir-App",
		},
		"TRI-Redir-App": {
			"-m mark --mark 0x40 -j RETURN",
		},
		"TRI-Redir-Net": {
			"-m mark --mark 0x40 -j ACCEPT",
		},
	}

	expectedContainerMangleAfterPUInsertV6 = map[string][]string{
		"TRI-Nfq-IN": {"-j HMARK --hmark-tuple dport,sport --hmark-mod 4 --hmark-offset 67 --hmark-rnd 0xdeadbeef",
			"-m mark --mark 67 -j NFQUEUE --queue-num 0 --queue-bypass",
			"-m mark --mark 68 -j NFQUEUE --queue-num 1 --queue-bypass",
			"-m mark --mark 69 -j NFQUEUE --queue-num 2 --queue-bypass",
			"-m mark --mark 70 -j NFQUEUE --queue-num 3 --queue-bypass"},
		"TRI-Nfq-OUT": {"-j HMARK --hmark-tuple sport,dport --hmark-mod 4 --hmark-offset 0 --hmark-rnd 0xdeadbeef",
			"-m mark --mark 0 -j NFQUEUE --queue-num 0 --queue-bypass",
			"-m mark --mark 1 -j NFQUEUE --queue-num 1 --queue-bypass",
			"-m mark --mark 2 -j NFQUEUE --queue-num 2 --queue-bypass",
			"-m mark --mark 3 -j NFQUEUE --queue-num 3 --queue-bypass"},
		"INPUT": {
			"-m set ! --match-set TRI-v6-Excluded src -j TRI-Net",
		},
		"OUTPUT": {
			"-m set ! --match-set TRI-v6-Excluded dst -j TRI-App",
		},
		"TRI-App": {
			"-m mark --mark 66 -j CONNMARK --set-mark 61167", "-p tcp -m mark --mark 66 -j ACCEPT", "-p udp --dport 53 -m mark --mark 0x40 -m cgroup --cgroup 1536 -j CONNMARK --set-mark 61167", "-p udp --dport 53 -m mark --mark 0x40 -j CONNMARK --set-mark 61167", "-j TRI-Prx-App", "-m connmark --mark 61167 -j ACCEPT", "-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP", "-m connmark --mark 61166 -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT",
			"-m connmark --mark 61166 -p udp -j ACCEPT", "-m mark --mark 1073741922 -j ACCEPT",
			"-p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-OUT", "-m comment --comment Container-specific-chain -j TRI-App-pu1N7uS6--0"},
		"TRI-Net": {
			"-j TRI-Prx-Net", "-p tcp -m mark --mark 66 -j CONNMARK --set-mark 61167", "-p tcp -m mark --mark 66 -j ACCEPT", "-m connmark --mark 61167 -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT", "-m set --match-set TRI-v6-TargetTCP src -p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-IN",
			"-p udp -m string --string n30njxq7bmiwr6dtxq --algo bm --to 65535 -j TRI-Nfq-IN", "-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP", "-m connmark --mark 61166 -p udp -j ACCEPT", "-m comment --comment Container-specific-chain -j TRI-Net-pu1N7uS6--0",
		},
		"TRI-Prx-App": {
			"-m mark --mark 0x40 -j ACCEPT",
			"-p tcp -m tcp --sport 0 -j ACCEPT",
			"-p tcp -m set --match-set TRI-v6-Proxy-pu19gtV-srv src -j ACCEPT",
			"-p tcp -m set --match-set TRI-v6-Proxy-pu19gtV-dst dst,dst -m mark ! --mark 0x40 -j ACCEPT",
			"-p udp -m udp --sport 0 -j ACCEPT",
		},
		"TRI-Prx-Net": {
			"-m mark --mark 0x40 -j ACCEPT",
			"-p tcp -m set --match-set TRI-v6-Proxy-pu19gtV-dst src,src -j ACCEPT",
			"-p tcp -m set --match-set TRI-v6-Proxy-pu19gtV-srv src -m addrtype --src-type LOCAL -j ACCEPT",
			"-p tcp -m tcp --dport 0 -j ACCEPT",
			"-p udp -m udp --dport 0 -j ACCEPT",
		},
		"TRI-Net-pu1N7uS6--0": {
			"-p tcp -m tcp --tcp-option 34 -m tcp --tcp-flags FIN,RST,URG,PSH NONE -j TRI-Nfq-IN",
			"-p UDP -m set --match-set TRI-v6-ext-6zlJIvP3B68= src -m state --state ESTABLISHED -m connmark --mark 61167 -j ACCEPT",
			"-p TCP -m set --match-set TRI-v6-ext-w5frVvhsnpU= src -m state --state NEW --match multiport --dports 80 -j DROP",
			"-p UDP -m set --match-set TRI-v6-ext-IuSLsD1R-mE= src -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 --match multiport --dports 443 -j CONNMARK --set-mark 61167",
			"-p UDP -m set --match-set TRI-v6-ext-IuSLsD1R-mE= src -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 --match multiport --dports 443 -j ACCEPT",
			"-p icmpv6 -m bpf --bytecode 16,48 0 0 0,84 0 0 240,21 0 12 96,48 0 0 6,21 0 10 58,48 0 0 40,21 5 0 133,21 4 0 134,21 3 0 135,21 2 0 136,21 1 0 141,21 0 3 142,48 0 0 41,21 0 1 0,6 0 0 65535,6 0 0 0 -j ACCEPT",
			"-p tcp -m set --match-set TRI-v6-TargetTCP src -m tcp --tcp-flags SYN NONE -j TRI-Nfq-IN",
			"-p udp -m set --match-set TRI-v6-TargetUDP src --match limit --limit 1000/s -j TRI-Nfq-IN",
			"-p tcp -m state --state ESTABLISHED -m comment --comment TCP-Established-Connections -j ACCEPT",
			"-s ::/0 -m state --state NEW -j NFLOG --nflog-group 11 --nflog-prefix 913787369:default:default:6",
			"-s ::/0 -m state ! --state NEW -j NFLOG --nflog-group 11 --nflog-prefix 913787369:default:default:10",
			"-s ::/0 -j DROP",
		},
		"TRI-App-pu1N7uS6--0": {
			"-p TCP -m set --match-set TRI-v6-ext-uNdc0vdcFZA= dst -m state --state NEW --match multiport --dports 80 -j DROP", "-p UDP -m set --match-set TRI-v6-ext-6zlJIvP3B68= dst -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 -m set ! --match-set TRI-v6-TargetUDP dst --match multiport --dports 443 -j CONNMARK --set-mark 61167", "-p UDP -m set --match-set TRI-v6-ext-6zlJIvP3B68= dst -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 -m set ! --match-set TRI-v6-TargetUDP dst --match multiport --dports 443 -j ACCEPT", "-p UDP -m set --match-set TRI-v6-ext-IuSLsD1R-mE= dst -m state --state ESTABLISHED -m connmark --mark 61167 -j ACCEPT", "-p icmpv6 -m bpf --bytecode 16,48 0 0 0,84 0 0 240,21 0 12 96,48 0 0 6,21 0 10 58,48 0 0 40,21 5 0 133,21 4 0 134,21 3 0 135,21 2 0 136,21 1 0 141,21 0 3 142,48 0 0 41,21 0 1 0,6 0 0 65535,6 0 0 0 -j ACCEPT", "-m set --match-set TRI-v6-TargetTCP dst -p tcp -m tcp --tcp-flags FIN FIN -j ACCEPT", "-m set --match-set TRI-v6-TargetTCP dst -p tcp -j TRI-Nfq-OUT",
			"-p udp -m set --match-set TRI-v6-TargetUDP dst -j TRI-Nfq-OUT", "-p tcp -m state --state ESTABLISHED -m comment --comment TCP-Established-Connections -j ACCEPT", "-p udp -m state --state ESTABLISHED -m comment --comment UDP-Established-Connections -j ACCEPT", "-d ::/0 -m state --state NEW -j NFLOG --nflog-group 10 --nflog-prefix 913787369:default:default:6",
			"-d ::/0 -m state ! --state NEW -j NFLOG --nflog-group 10 --nflog-prefix 913787369:default:default:10", "-d ::/0 -j DROP"},
	}

	expectedContainerNATAfterPUInsertV6 = map[string][]string{
		"PREROUTING": {
			"-p tcp -m addrtype --dst-type LOCAL -m set ! --match-set TRI-v6-Excluded src -j TRI-Redir-Net",
		},
		"OUTPUT": {
			"-m set ! --match-set TRI-v6-Excluded dst -j TRI-Redir-App",
		},
		"TRI-Redir-App": {
			"-m mark --mark 0x40 -j RETURN",
			"-p tcp -m set --match-set TRI-v6-Proxy-pu19gtV-dst dst,dst -m mark ! --mark 0x40 -m cgroup --cgroup 10 -j REDIRECT --to-ports 0",
			"-d ::/0 -p udp --dport 53 -m mark ! --mark 0x40 -m cgroup --cgroup 10 -j CONNMARK --save-mark",
			"-d ::/0 -p udp --dport 53 -m mark ! --mark 0x40 -m cgroup --cgroup 10 -j REDIRECT --to-ports 0",
		},
		"TRI-Redir-Net": {
			"-m mark --mark 0x40 -j ACCEPT",
			"-p tcp -m set --match-set TRI-v6-Proxy-pu19gtV-srv dst -m mark ! --mark 0x40 -j REDIRECT --to-ports 0",
		},
	}
)

func Test_OperationWithContainersV6(t *testing.T) {

	Convey("Given an iptables controller with a memory backend for containers ", t, func() {
		cfg := &runtime.Configuration{
			TCPTargetNetworks: []string{"::/0"},
			UDPTargetNetworks: []string{"1120::/64"},
			ExcludedNetworks:  []string{"::1"},
		}

		commitFunc := func(buf *bytes.Buffer) error {
			return nil
		}

		iptv4 := provider.NewCustomBatchProvider(&baseIpt{}, commitFunc, []string{"nat",
			"mangle"})
		So(iptv4, ShouldNotBeNil)

		iptv6 := provider.NewCustomBatchProvider(&baseIpt{}, commitFunc, []string{"nat",
			"mangle"})
		So(iptv6, ShouldNotBeNil)

		ips := &memoryIPSetProvider{sets: map[string]*memoryIPSet{}}
		i, err := createTestInstance(ips, iptv4, iptv6, constants.RemoteContainer, policy.None)
		So(err, ShouldBeNil)
		So(i, ShouldNotBeNil)

		Convey("When I start the controller, I should get the right global chains and sets", func() {
			ctx, cancel := context.WithCancel(context.Background())
			defer cancel()
			err := i.Run(ctx)
			So(err, ShouldBeNil)
			i.SetTargetNetworks(cfg) // nolint

			t := i.iptv6.impl.RetrieveTable()
			So(t, ShouldNotBeNil)
			So(len(t), ShouldEqual, 2)
			So(t["mangle"], ShouldNotBeNil)
			So(t["nat"], ShouldNotBeNil)

			for chain, rules := range t["mangle"] {
				So(expectedContainerGlobalMangleChainsV6, ShouldContainKey, chain)
				So(rules, ShouldResemble, expectedContainerGlobalMangleChainsV6[chain])
			}

			for chain, rules := range t["nat"] {
				So(expectedContainerGlobalNATChainsV6, ShouldContainKey, chain)
				So(rules, ShouldResemble, expectedContainerGlobalNATChainsV6[chain])
			}

			Convey("When I configure a new set of rules, the ACLs must be correct", func() {
				appACLs := policy.IPRuleList{
					policy.IPRule{
						Addresses: []string{"1120::/64"},
						Ports:     []string{"80"},
						Protocols: []string{"TCP"},
						Policy: &policy.FlowPolicy{
							Action:    policy.Reject,
							ServiceID: "s1",
							PolicyID:  "1",
						},
					},
					policy.IPRule{
						Addresses: []string{"1120::/64"},
						Ports:     []string{"443"},
						Protocols: []string{"UDP"},
						Policy: &policy.FlowPolicy{
							Action:    policy.Accept,
							ServiceID: "s2",
							PolicyID:  "2",
						},
					},
				}
				netACLs := policy.IPRuleList{
					policy.IPRule{
						Addresses: []string{"1122::/64"},
						Ports:     []string{"80"},
						Protocols: []string{"TCP"},
						Policy: &policy.FlowPolicy{
							Action:    policy.Reject,
							ServiceID: "s3",
							PolicyID:  "1",
						},
					},
					policy.IPRule{
						Addresses: []string{"1122::/64"},
						Ports:     []string{"443"},
						Protocols: []string{"UDP"},
						Policy: &policy.FlowPolicy{
							Action:    policy.Accept,
							ServiceID: "s4",
							PolicyID:  "2",
						},
					},
				}
				ipl := policy.ExtendedMap{}
				policyrules := policy.NewPUPolicy(
					"Context",
					"/ns1",
					policy.Police,
					appACLs,
					netACLs,
					nil,
					nil,
					nil,
					nil,
					nil,
					nil,
					ipl,
					0,
					0,
					nil,
					nil,
					[]string{},
					policy.EnforcerMapping,
					policy.Reject|policy.Log,
					policy.Reject|policy.Log,
				)
				puInfo := policy.NewPUInfo("Context",
					"/ns1", common.ContainerPU)
				puInfo.Policy = policyrules
				puInfo.Runtime.SetOptions(policy.OptionsType{
					CgroupMark: "10",
				})

				var iprules policy.IPRuleList
				iprules = append(iprules, puInfo.Policy.ApplicationACLs()...)
				iprules = append(iprules, puInfo.Policy.NetworkACLs()...)
				i.iptv6.ipsetmanager.RegisterExternalNets("pu1", iprules) // nolint

				err := i.ConfigureRules(0,
					"pu1", puInfo)
				So(err, ShouldBeNil)
				t := i.iptv6.impl.RetrieveTable()

				for chain, rules := range t["mangle"] {
					So(expectedContainerMangleAfterPUInsertV6, ShouldContainKey, chain)
					So(rules, ShouldResemble, expectedContainerMangleAfterPUInsertV6[chain])
				}

				for chain, rules := range t["nat"] {
					So(expectedContainerNATAfterPUInsertV6, ShouldContainKey, chain)
					So(rules, ShouldResemble, expectedContainerNATAfterPUInsertV6[chain])
				}

				Convey("When I delete the same rule, the chains must be restored in the global state",
					func() {
						err := i.iptv6.DeleteRules(0,
							"pu1",
							"0",
							"0",
							"10",
							"", puInfo)
						So(err, ShouldBeNil)

						t := i.iptv6.impl.RetrieveTable()
						if err != nil {
							printTable(t)
						}

						So(t["mangle"], ShouldNotBeNil)
						So(t["nat"], ShouldNotBeNil)

						for chain, rules := range t["mangle"] {
							So(expectedContainerGlobalMangleChainsV6, ShouldContainKey, chain)
							So(rules, ShouldResemble, expectedContainerGlobalMangleChainsV6[chain])
						}

						for chain, rules := range t["nat"] {
							So(expectedContainerGlobalNATChainsV6, ShouldContainKey, chain)
							So(rules, ShouldResemble, expectedContainerGlobalNATChainsV6[chain])
						}
					})

			})
		})
	})
}

func TestIpv6Disable(t *testing.T) {
	ipv6Instance := &ipv6{ipv6Enabled: false}

	assert.Equal(t, ipv6Instance.Append("", "") == nil, true, "error should be nil")
	assert.Equal(t, ipv6Instance.Insert("", "", 0) == nil, true, "error should be nil")
	assert.Equal(t, ipv6Instance.ClearChain("", "") == nil, true, "error should be nil")
	assert.Equal(t, ipv6Instance.DeleteChain("", "") == nil, true, "error should be nil")
	assert.Equal(t, ipv6Instance.NewChain("", "") == nil, true, "error should be nil")
	assert.Equal(t, ipv6Instance.Commit() == nil, true, "error should be nil")
	chains, err := ipv6Instance.ListChains("")

	assert.Equal(t, chains == nil, true, "chains should be nil")
	assert.Equal(t, err == nil, true, "error should be nil")
}


================================================
FILE: controller/internal/supervisor/iptablesctrl/iptables_linux_test.go
================================================
package iptablesctrl

import (
	"fmt"
	"strings"

	"github.com/aporeto-inc/go-ipset/ipset"
	"go.aporeto.io/enforcerd/trireme-lib/controller/constants"
	provider "go.aporeto.io/enforcerd/trireme-lib/controller/pkg/aclprovider"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/fqconfig"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/ipsetmanager"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
)

// This file contains shared implementation for Linux iptables tests

func createTestInstance(ips ipsetmanager.IpsetProvider, iptv4 provider.IptablesProvider, iptv6 provider.IptablesProvider, mode constants.ModeType, ServiceMeshType policy.ServiceMesh) (*Instance, error) {

	ipv4Impl := &ipv4{ipt: iptv4}
	ipv6Impl := &ipv6{ipt: iptv6, ipv6Enabled: true}

	fq := fqconfig.NewFilterQueue(4, []string{"0.0.0.0/0",
		"::/0"})

	ipsetmanager.SetIpsetTestInstance(ips)
	ipsv4 := ipsetmanager.V4test()
	ipsv6 := ipsetmanager.V6test()

	iptInstanceV4 := createIPInstance(ipv4Impl, ipsv4, fq, mode, nil, ServiceMeshType)
	iptInstanceV6 := createIPInstance(ipv6Impl, ipsv6, fq, mode, nil, ServiceMeshType)
	icmpAllow = testICMPAllow

	return newInstanceWithProviders(iptInstanceV4, iptInstanceV6)
}

// Fake iptables controller that always returns succes.
type baseIpt struct{}

// Append apends a rule to chain of table
func (b *baseIpt) Append(table, chain string, rulespec ...string) error { return nil }

// Insert inserts a rule to a chain of table at the required pos
func (b *baseIpt) Insert(table, chain string, pos int, rulespec ...string) error { return nil }

// Delete deletes a rule of a chain in the given table
func (b *baseIpt) Delete(table, chain string, rulespec ...string) error { return nil }

// ListChains lists all the chains associated with a table
func (b *baseIpt) ListChains(table string) ([]string, error) { return nil, nil }

// ClearChain clears a chain in a table
func (b *baseIpt) ClearChain(table, chain string) error { return nil }

// DeleteChain deletes a chain in the table. There should be no references to this chain
func (b *baseIpt) DeleteChain(table, chain string) error { return nil }

// NewChain creates a new chain
func (b *baseIpt) NewChain(table, chain string) error { return nil }

// ListRules lists the rules in a table/chain
func (b *baseIpt) ListRules(table, chain string) ([]string, error) { return []string{}, nil }

// Fake memory IPset that will tell us if we are deleting or installing
// bad things.
type memoryIPSet struct {
	set map[string]bool
}

func (m *memoryIPSet) Add(entry string, timeout int) error {
	m.set[entry] = false
	return nil
}

func (m *memoryIPSet) AddOption(entry string, option string, timeout int) error {
	if option == "nomatch" {
		m.set[entry] = true
		return nil
	}
	return m.Add(entry, timeout)
}

func (m *memoryIPSet) Del(entry string) error {
	if _, ok := m.set[entry]; !ok {
		return fmt.Errorf("not found")
	}
	delete(m.set, entry)
	return nil
}

func (m *memoryIPSet) Destroy() error {
	m.set = map[string]bool{}
	return nil
}

func (m *memoryIPSet) Flush() error {
	m.set = map[string]bool{}
	return nil
}

func (m *memoryIPSet) Test(entry string) (bool, error) {
	_, ok := m.set[entry]
	// TODO nomatch
	return ok, nil
}

// Fake IpSetProvider that will use memory and allow us to
// to simulate the system.
type memoryIPSetProvider struct {
	sets map[string]*memoryIPSet
}

func (m *memoryIPSetProvider) NewIpset(name string, hasht string, p *ipset.Params) (ipsetmanager.Ipset, error) {

	if m.sets == nil {
		return nil, fmt.Errorf("error")
	}

	_, ok := m.sets[name]
	if ok {
		return nil, fmt.Errorf("set exists")
	}

	newSet := &memoryIPSet{set: map[string]bool{}}
	m.sets[name] = newSet
	return newSet, nil
}

func (m *memoryIPSetProvider) GetIpset(name string) ipsetmanager.Ipset {
	return m.sets[name]
}

func (m *memoryIPSetProvider) DestroyAll(prefix string) error {

	for set := range m.sets {
		if strings.HasPrefix(set, prefix) {
			delete(m.sets, set)
		}
	}
	return nil
}

func (m *memoryIPSetProvider) ListIPSets() ([]string, error) {
	allSets := []string{}
	for set := range m.sets {
		allSets = append(allSets, set)
	}
	return allSets, nil
}


================================================
FILE: controller/internal/supervisor/iptablesctrl/iptables_rhel6_test.go
================================================
// +build rhel6

package iptablesctrl

import (
	"bytes"
	"context"
	"testing"

	. "github.com/smartystreets/goconvey/convey"
	"go.aporeto.io/enforcerd/trireme-lib/common"
	"go.aporeto.io/enforcerd/trireme-lib/controller/constants"
	provider "go.aporeto.io/enforcerd/trireme-lib/controller/pkg/aclprovider"
	"go.aporeto.io/enforcerd/trireme-lib/controller/runtime"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
	"go.aporeto.io/enforcerd/trireme-lib/utils/portspec"
)

var icmpAllow = testICMPAllow

func testICMPAllow() string {
	panic("icmp implementation for rhel6 should not call this")
}

var (
	expectedGlobalMangleChainsV4 = map[string][]string{
		"TRI-Nfq-IN": {
			"-j MARK --set-mark 67",
			"-m mark --mark 67 -j NFQUEUE --queue-balance 0:3 --queue-bypass",
		},
		"TRI-Nfq-OUT": {
			"-j MARK --set-mark 0",
			"-m mark --mark 0 -j NFQUEUE --queue-balance 0:3 --queue-bypass",
		},
		"INPUT": {
			"-m set ! --match-set TRI-v4-Excluded src -j TRI-Net",
		},
		"OUTPUT": {
			"-m set ! --match-set TRI-v4-Excluded dst -j TRI-App",
		},

		"TRI-App": {
			"-p udp --dport 53 -j ACCEPT",
			"-m mark --mark 66 -j CONNMARK --set-mark 61167",
			"-p tcp -m mark --mark 66 -j ACCEPT",
			"-p udp --dport 53 -m mark --mark 0x40 -j CONNMARK --set-mark 61167",
			"-j TRI-Prx-App",
			"-m connmark --mark 61167 -j ACCEPT",
			"-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP",
			"-m connmark --mark 61166 -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT",
			"-m connmark --mark 61166 -p udp -j ACCEPT",
			"-m mark --mark 1073741922 -j ACCEPT",
			"-p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-OUT",
			"-j TRI-Pid-App",
			"-j TRI-Svc-App",
			"-j TRI-Hst-App",
		},
		"TRI-Net": {
			"-p udp --sport 53 -j ACCEPT",
			"-j TRI-Prx-Net",
			"-p tcp -m mark --mark 66 -j CONNMARK --set-mark 61167",
			"-p tcp -m mark --mark 66 -j ACCEPT",
			"-m connmark --mark 61167 -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT",
			"-m set --match-set TRI-v4-TargetTCP src -p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-IN",
			"-p udp -m string --string n30njxq7bmiwr6dtxq --algo bm --to 65535 -j TRI-Nfq-IN",
			"-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP",
			"-m connmark --mark 61166 -p udp -j ACCEPT",
			"-j TRI-Pid-Net",
			"-j TRI-Svc-Net",
			"-j TRI-Hst-Net"},
		"TRI-Pid-App": {},
		"TRI-Pid-Net": {},
		"TRI-Prx-App": {
			"-m mark --mark 0x40 -j ACCEPT",
		},
		"TRI-Prx-Net": {
			"-m mark --mark 0x40 -j ACCEPT",
		},
		"TRI-Hst-App": {},
		"TRI-Hst-Net": {},
		"TRI-Svc-App": {},
		"TRI-Svc-Net": {},
	}

	expectedGlobalNATChainsV4 = map[string][]string{
		"PREROUTING": {
			"-p tcp -m addrtype --dst-type LOCAL -m set ! --match-set TRI-v4-Excluded src -j TRI-Redir-Net",
		},
		"OUTPUT": {
			"-m set ! --match-set TRI-v4-Excluded dst -j TRI-Redir-App",
		},
		"TRI-Redir-App": {
			"-m mark --mark 0x40 -j ACCEPT",
		},
		"TRI-Redir-Net": {
			"-m mark --mark 0x40 -j ACCEPT",
		},
	}

	expectedMangleAfterPUInsertV4 = map[string][]string{
		"TRI-Nfq-IN": {
			"-j MARK --set-mark 67",
			"-m mark --mark 67 -j NFQUEUE --queue-balance 0:3 --queue-bypass",
		},
		"TRI-Nfq-OUT": {
			"-j MARK --set-mark 0",
			"-m mark --mark 0 -j NFQUEUE --queue-balance 0:3 --queue-bypass",
		},
		"INPUT": {
			"-m set ! --match-set TRI-v4-Excluded src -j TRI-Net",
		},
		"OUTPUT": {
			"-m set ! --match-set TRI-v4-Excluded dst -j TRI-App",
		},
		"TRI-App": {
			"-p udp --dport 53 -j ACCEPT",
			"-m mark --mark 66 -j CONNMARK --set-mark 61167",
			"-p tcp -m mark --mark 66 -j ACCEPT",
			"-p udp --dport 53 -m mark --mark 0x40 -j CONNMARK --set-mark 61167",
			"-j TRI-Prx-App",
			"-m connmark --mark 61167 -j ACCEPT",
			"-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP",
			"-m connmark --mark 61166 -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT",
			"-m connmark --mark 61166 -p udp -j ACCEPT",
			"-m mark --mark 1073741922 -j ACCEPT",
			"-p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-OUT",
			"-j TRI-Pid-App",
			"-j TRI-Svc-App",
			"-j TRI-Hst-App",
		},
		"TRI-Net": {
			"-p udp --sport 53 -j ACCEPT",
			"-j TRI-Prx-Net",
			"-p tcp -m mark --mark 66 -j CONNMARK --set-mark 61167",
			"-p tcp -m mark --mark 66 -j ACCEPT",
			"-m connmark --mark 61167 -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT",
			"-m set --match-set TRI-v4-TargetTCP src -p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-IN",
			"-p udp -m string --string n30njxq7bmiwr6dtxq --algo bm --to 65535 -j TRI-Nfq-IN",
			"-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP",
			"-m connmark --mark 61166 -p udp -j ACCEPT",
			"-j TRI-Pid-Net",
			"-j TRI-Svc-Net",
			"-j TRI-Hst-Net",
		},
		"TRI-Pid-App": {},
		"TRI-Pid-Net": {},
		"TRI-Prx-App": {
			"-m mark --mark 0x40 -j ACCEPT",
			"-p tcp -m tcp --sport 0 -j ACCEPT",
			"-p udp -m udp --sport 0 -j ACCEPT",
			"-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-srv src -j ACCEPT",
			"-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-dst dst,dst -m mark ! --mark 0x40 -j ACCEPT",
		},
		"TRI-Prx-Net": {
			"-m mark --mark 0x40 -j ACCEPT",
			"-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-dst src,src -j ACCEPT",
			"-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-srv src -m addrtype --src-type LOCAL -j ACCEPT",
			"-p tcp -m tcp --dport 0 -j ACCEPT",
			"-p udp -m udp --dport 0 -j ACCEPT",
		},
		"TRI-Hst-App": {},
		"TRI-Hst-Net": {},
		"TRI-Svc-App": {
			"-p icmp -m comment --comment Server-specific-chain -j MARK --set-mark 10",
			"-p tcp -m multiport --source-ports 9000 -m comment --comment Server-specific-chain -j MARK --set-mark 10",
			"-p tcp -m multiport --source-ports 9000 -m comment --comment Server-specific-chain -j TRI-App-pu1N7uS6--0",
			"-p udp -m multiport --source-ports 5000 -m comment --comment Server-specific-chain -j MARK --set-mark 10",
			"-p udp -m mark --mark 10 -m addrtype --src-type LOCAL -m addrtype --dst-type LOCAL -m state --state NEW -j NFLOG --nflog-group 10 --nflog-prefix 913787369:default:default:3",
			"-m comment --comment traffic-same-pu -p udp -m mark --mark 10 -m addrtype --src-type LOCAL -m addrtype --dst-type LOCAL -j ACCEPT",
			"-p udp -m multiport --source-ports 5000 -m comment --comment Server-specific-chain -j TRI-App-pu1N7uS6--0",
		},
		"TRI-Svc-Net": {
			"-p tcp -m multiport --destination-ports 9000 -m comment --comment Container-specific-chain -j TRI-Net-pu1N7uS6--0",
			"-m comment --comment traffic-same-pu -p udp -m mark --mark 10 -m addrtype --src-type LOCAL -m addrtype --dst-type LOCAL -j ACCEPT",
			"-p udp -m multiport --destination-ports 5000 -m comment --comment Container-specific-chain -j TRI-Net-pu1N7uS6--0",
		},

		"TRI-Net-pu1N7uS6--0": {
			"-p tcp -m tcp --tcp-option 34 -m tcp --tcp-flags FIN,RST,URG,PSH NONE -j TRI-Nfq-IN",
			"-p UDP -m set --match-set TRI-v4-ext-6zlJIvP3B68= src -m state --state ESTABLISHED -m connmark --mark 61167 -j ACCEPT",
			"-p TCP -m set --match-set TRI-v4-ext-w5frVvhsnpU= src -m state --state NEW --match multiport --dports 80 -j DROP",
			"-p UDP -m set --match-set TRI-v4-ext-IuSLsD1R-mE= src -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 --match multiport --dports 443 -j CONNMARK --set-mark 61167",
			"-p UDP -m set --match-set TRI-v4-ext-IuSLsD1R-mE= src -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 --match multiport --dports 443 -j ACCEPT",
			"-p icmp -j NFQUEUE --queue-balance 0:3",
			"-p tcp -m set --match-set TRI-v4-TargetTCP src -m tcp --tcp-flags SYN NONE -j TRI-Nfq-IN",
			"-p udp -m set --match-set TRI-v4-TargetUDP src --match limit --limit 1000/s -j TRI-Nfq-IN",
			"-p tcp -m state --state ESTABLISHED -m comment --comment TCP-Established-Connections -j ACCEPT",
			"-p ALL -m set --match-set TRI-v4-ext-_qhcdC8NcJc= src -j NFLOG --nflog-group 11 --nflog-prefix 913787369:123a:a3:6",
			"-p ALL -m set --match-set TRI-v4-ext-_qhcdC8NcJc= src -j DROP",
			"-p ALL -m set --match-set TRI-v4-ext-_qhcdC8NcJc= src -j NFLOG --nflog-group 11 --nflog-prefix 913787369:123a:a3:3",
			"-p ALL -m set --match-set TRI-v4-ext-_qhcdC8NcJc= src -j ACCEPT",
			"-s 0.0.0.0/0 -m state --state NEW -j NFLOG --nflog-group 11 --nflog-prefix 913787369:default:default:6",
			"-s 0.0.0.0/0 -m state ! --state NEW -j NFLOG --nflog-group 11 --nflog-prefix 913787369:default:default:10",
			"-s 0.0.0.0/0 -j DROP",
		},
		"TRI-App-pu1N7uS6--0": {
			"-p TCP -m set --match-set TRI-v4-ext-uNdc0vdcFZA= dst -m state --state NEW --match multiport --dports 80 -j DROP",
			"-p UDP -m set --match-set TRI-v4-ext-6zlJIvP3B68= dst -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 -m set ! --match-set TRI-v4-TargetUDP dst --match multiport --dports 443 -j CONNMARK --set-mark 61167",
			"-p UDP -m set --match-set TRI-v4-ext-6zlJIvP3B68= dst -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 -m set ! --match-set TRI-v4-TargetUDP dst --match multiport --dports 443 -j ACCEPT",
			"-p UDP -m set --match-set TRI-v4-ext-IuSLsD1R-mE= dst -m state --state ESTABLISHED -m connmark --mark 61167 -j ACCEPT",
			"-p icmp -j NFQUEUE --queue-balance 0:3",
			"-m set --match-set TRI-v4-TargetTCP dst -p tcp -m tcp --tcp-flags FIN FIN -j ACCEPT",
			"-m set --match-set TRI-v4-TargetTCP dst -p tcp -j MARK --set-mark 40",
			"-p udp -m set --match-set TRI-v4-TargetUDP dst -j MARK --set-mark 40",
			"-m mark --mark 40 -j NFQUEUE --queue-balance 0:3 --queue-bypass",
			"-p tcp -m state --state ESTABLISHED -m comment --comment TCP-Established-Connections -j ACCEPT",
			"-p udp -m state --state ESTABLISHED -m comment --comment UDP-Established-Connections -j ACCEPT",
			"-p ALL -m set --match-set TRI-v4-ext-_qhcdC8NcJc= dst -j NFLOG --nflog-group 10 --nflog-prefix 913787369:123a:a3:rockstars _4090221238:6",
			"-p ALL -m set --match-set TRI-v4-ext-_qhcdC8NcJc= dst -j DROP",
			"-p ALL -m set --match-set TRI-v4-ext-_qhcdC8NcJc= dst -j NFLOG --nflog-group 10 --nflog-prefix 913787369:123a:a3:3",
			"-p ALL -m set --match-set TRI-v4-ext-_qhcdC8NcJc= dst -j ACCEPT",
			"-d 0.0.0.0/0 -m state --state NEW -j NFLOG --nflog-group 10 --nflog-prefix 913787369:default:default:6",
			"-d 0.0.0.0/0 -m state ! --state NEW -j NFLOG --nflog-group 10 --nflog-prefix 913787369:default:default:10",
			"-d 0.0.0.0/0 -j DROP",
		},
	}

	expectedNATAfterPUInsertV4 = map[string][]string{
		"PREROUTING": {
			"-p tcp -m addrtype --dst-type LOCAL -m set ! --match-set TRI-v4-Excluded src -j TRI-Redir-Net",
		},
		"OUTPUT": {
			"-m set ! --match-set TRI-v4-Excluded dst -j TRI-Redir-App",
		},
		"TRI-Redir-App": {
			"-m mark --mark 0x40 -j ACCEPT",
			"-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-dst dst,dst -m mark ! --mark 0x40 -m multiport --source-ports 9000 -j REDIRECT --to-ports 0",
			"-p udp --dport 53 -m mark ! --mark 0x40 -j REDIRECT --to-ports 0",
		},
		"TRI-Redir-Net": {
			"-m mark --mark 0x40 -j ACCEPT",
			"-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-srv dst -m mark ! --mark 0x40 -j REDIRECT --to-ports 0",
		},
		"POSTROUTING": {
			"-p udp -m addrtype --src-type LOCAL -m multiport --source-ports 5000 -j ACCEPT",
		},
	}

	expectedMangleAfterPUUpdateV4 = map[string][]string{
		"TRI-Nfq-IN": {
			"-j MARK --set-mark 67",
			"-m mark --mark 67 -j NFQUEUE --queue-balance 0:3 --queue-bypass",
		},
		"TRI-Nfq-OUT": {
			"-j MARK --set-mark 0",
			"-m mark --mark 0 -j NFQUEUE --queue-balance 0:3 --queue-bypass",
		},
		"INPUT": {
			"-m set ! --match-set TRI-v4-Excluded src -j TRI-Net",
		},
		"OUTPUT": {
			"-m set ! --match-set TRI-v4-Excluded dst -j TRI-App",
		},
		"TRI-App": {
			"-p udp --dport 53 -j ACCEPT",
			"-m mark --mark 66 -j CONNMARK --set-mark 61167",
			"-p tcp -m mark --mark 66 -j ACCEPT",
			"-p udp --dport 53 -m mark --mark 0x40 -j CONNMARK --set-mark 61167",
			"-j TRI-Prx-App",
			"-m connmark --mark 61167 -j ACCEPT",
			"-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP",
			"-m connmark --mark 61166 -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT",
			"-m connmark --mark 61166 -p udp -j ACCEPT",
			"-m mark --mark 1073741922 -j ACCEPT",
			"-p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-OUT",
			"-j TRI-Pid-App",
			"-j TRI-Svc-App",
			"-j TRI-Hst-App"},
		"TRI-Net": {
			"-p udp --sport 53 -j ACCEPT",
			"-j TRI-Prx-Net",
			"-p tcp -m mark --mark 66 -j CONNMARK --set-mark 61167",
			"-p tcp -m mark --mark 66 -j ACCEPT",
			"-m connmark --mark 61167 -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT",
			"-m set --match-set TRI-v4-TargetTCP src -p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-IN",
			"-p udp -m string --string n30njxq7bmiwr6dtxq --algo bm --to 65535 -j TRI-Nfq-IN",
			"-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP",
			"-m connmark --mark 61166 -p udp -j ACCEPT",
			"-j TRI-Pid-Net",
			"-j TRI-Svc-Net",
			"-j TRI-Hst-Net",
		},
		"TRI-Pid-App": {},
		"TRI-Pid-Net": {},
		"TRI-Prx-App": {
			"-m mark --mark 0x40 -j ACCEPT",
			"-p tcp -m tcp --sport 0 -j ACCEPT",
			"-p udp -m udp --sport 0 -j ACCEPT",
			"-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-srv src -j ACCEPT",
			"-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-dst dst,dst -m mark ! --mark 0x40 -j ACCEPT",
		},
		"TRI-Prx-Net": {
			"-m mark --mark 0x40 -j ACCEPT",
			"-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-dst src,src -j ACCEPT",
			"-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-srv src -m addrtype --src-type LOCAL -j ACCEPT",
			"-p tcp -m tcp --dport 0 -j ACCEPT",
			"-p udp -m udp --dport 0 -j ACCEPT",
		},
		"TRI-Hst-App": {},
		"TRI-Hst-Net": {},
		"TRI-Svc-App": {},
		"TRI-Svc-Net": {},

		"TRI-Net-pu1N7uS6--1": {
			"-p tcp -m tcp --tcp-option 34 -m tcp --tcp-flags FIN,RST,URG,PSH NONE -j TRI-Nfq-IN",
			"-p TCP -m set --match-set TRI-v4-ext-w5frVvhsnpU= src -m state --state NEW --match multiport --dports 80 -j DROP",
			"-p icmp -j NFQUEUE --queue-balance 0:3",
			"-p tcp -m set --match-set TRI-v4-TargetTCP src -m tcp --tcp-flags SYN NONE -j TRI-Nfq-IN",
			"-p udp -m set --match-set TRI-v4-TargetUDP src --match limit --limit 1000/s -j TRI-Nfq-IN",
			"-p tcp -m state --state ESTABLISHED -m comment --comment TCP-Established-Connections -j ACCEPT",
			"-s 0.0.0.0/0 -m state --state NEW -j NFLOG --nflog-group 11 --nflog-prefix 913787369:default:default:6",
			"-s 0.0.0.0/0 -m state ! --state NEW -j NFLOG --nflog-group 11 --nflog-prefix 913787369:default:default:10",
			"-s 0.0.0.0/0 -j DROP",
		},

		"TRI-App-pu1N7uS6--1": {
			"-p TCP -m set --match-set TRI-v4-ext-uNdc0vdcFZA= dst -m state --state NEW --match multiport --dports 80 -j DROP",
			"-p icmp -j NFQUEUE --queue-balance 0:3",
			"-m set --match-set TRI-v4-TargetTCP dst -p tcp -m tcp --tcp-flags FIN FIN -j ACCEPT",
			"-m set --match-set TRI-v4-TargetTCP dst -p tcp -j MARK --set-mark 40",
			"-p udp -m set --match-set TRI-v4-TargetUDP dst -j MARK --set-mark 40",
			"-m mark --mark 40 -j NFQUEUE --queue-balance 0:3 --queue-bypass",
			"-p tcp -m state --state ESTABLISHED -m comment --comment TCP-Established-Connections -j ACCEPT",
			"-p udp -m state --state ESTABLISHED -m comment --comment UDP-Established-Connections -j ACCEPT",
			"-d 0.0.0.0/0 -m state --state NEW -j NFLOG --nflog-group 10 --nflog-prefix 913787369:default:default:6",
			"-d 0.0.0.0/0 -m state ! --state NEW -j NFLOG --nflog-group 10 --nflog-prefix 913787369:default:default:10",
			"-d 0.0.0.0/0 -j DROP",
		},
	}
)

func Test_Rhel6ConfigureRulesV4(t *testing.T) {
	Convey("Given an iptables controller with a memory backend ", t, func() {
		cfg := &runtime.Configuration{
			TCPTargetNetworks: []string{"0.0.0.0/0"},
			UDPTargetNetworks: []string{"10.0.0.0/8"},
			ExcludedNetworks:  []string{"127.0.0.1"},
		}

		commitFunc := func(buf *bytes.Buffer) error {
			return nil
		}

		iptv4 := provider.NewCustomBatchProvider(&baseIpt{}, commitFunc, []string{"nat",
			"mangle"})
		So(iptv4, ShouldNotBeNil)

		iptv6 := provider.NewCustomBatchProvider(&baseIpt{}, commitFunc, []string{"nat",
			"mangle"})
		So(iptv6, ShouldNotBeNil)

		ips := &memoryIPSetProvider{sets: map[string]*memoryIPSet{}}
		i, err := createTestInstance(ips, iptv4, iptv6, constants.LocalServer, policy.None)
		So(err, ShouldBeNil)
		So(i, ShouldNotBeNil)

		Convey("When I start the controller, I should get the right global chains and ipsets", func() {
			ctx, cancel := context.WithCancel(context.Background())
			defer cancel()
			err := i.Run(ctx)
			i.SetTargetNetworks(cfg) // nolint
			So(err, ShouldBeNil)

			t := i.iptv4.impl.RetrieveTable()
			So(t, ShouldNotBeNil)
			So(len(t), ShouldEqual, 2)
			So(t["mangle"], ShouldNotBeNil)
			So(t["nat"], ShouldNotBeNil)
			for chain, rules := range t["mangle"] {
				So(expectedGlobalMangleChainsV4, ShouldContainKey, chain)
				So(rules, ShouldResemble, expectedGlobalMangleChainsV4[chain])
			}

			for chain, rules := range t["nat"] {
				So(expectedGlobalNATChainsV4, ShouldContainKey, chain)
				So(rules, ShouldResemble, expectedGlobalNATChainsV4[chain])
			}

			Convey("When I configure a new set of rules, the ACLs must be correct", func() {
				appACLs := policy.IPRuleList{
					policy.IPRule{
						Addresses: []string{"60.0.0.0/24"},
						Ports:     nil,
						Protocols: []string{constants.AllProtoString},
						Policy: &policy.FlowPolicy{
							Action:    policy.Accept | policy.Log,
							ServiceID: "a3",
							PolicyID:  "123a",
						},
					},
					policy.IPRule{
						Addresses: []string{"30.0.0.0/24"},
						Ports:     []string{"80"},
						Protocols: []string{"TCP"},
						Policy: &policy.FlowPolicy{
							Action:    policy.Reject,
							ServiceID: "s1",
							PolicyID:  "1",
						},
					},
					policy.IPRule{
						Addresses: []string{"30.0.0.0/24"},
						Ports:     []string{"443"},
						Protocols: []string{"UDP"},
						Policy: &policy.FlowPolicy{
							Action:    policy.Accept,
							ServiceID: "s2",
							PolicyID:  "2",
						},
					},
					policy.IPRule{
						Addresses: []string{"50.0.0.0/24"},
						Ports:     []string{},
						Protocols: []string{"icmp"},
						Policy: &policy.FlowPolicy{
							Action:    policy.Accept,
							ServiceID: "s3",
							PolicyID:  "3",
						},
					},
					policy.IPRule{
						Addresses: []string{"60.0.0.0/24"},
						Ports:     nil,
						Protocols: []string{constants.AllProtoString},
						Policy: &policy.FlowPolicy{
							Action:    policy.Reject | policy.Log,
							ServiceID: "a3",
							PolicyID:  "123a",
							RuleName:  "rockstars forev",
						},
					},
				}
				netACLs := policy.IPRuleList{
					policy.IPRule{
						Addresses: []string{"60.0.0.0/24"},
						Ports:     nil,
						Protocols: []string{constants.AllProtoString},
						Policy: &policy.FlowPolicy{
							Action:    policy.Accept | policy.Log,
							ServiceID: "a3",
							PolicyID:  "123a",
						},
					},
					policy.IPRule{
						Addresses: []string{"40.0.0.0/24"},
						Ports:     []string{"80"},
						Protocols: []string{"TCP"},
						Policy: &policy.FlowPolicy{
							Action:    policy.Reject,
							ServiceID: "s3",
							PolicyID:  "1",
						},
					},
					policy.IPRule{
						Addresses: []string{"40.0.0.0/24"},
						Ports:     []string{"443"},
						Protocols: []string{"UDP"},
						Policy: &policy.FlowPolicy{
							Action:    policy.Accept,
							ServiceID: "s4",
							PolicyID:  "2",
						},
					},
					policy.IPRule{
						Addresses: []string{"60.0.0.0/24"},
						Ports:     nil,
						Protocols: []string{constants.AllProtoString},
						Policy: &policy.FlowPolicy{
							Action:    policy.Reject | policy.Log,
							ServiceID: "a3",
							PolicyID:  "123a",
						},
					},
				}
				ipl := policy.ExtendedMap{}
				policyrules := policy.NewPUPolicy(
					"Context",
					"/ns1",
					policy.Police,
					appACLs,
					netACLs,
					nil,
					nil,
					nil,
					nil,
					nil,
					nil,
					ipl,
					0,
					0,
					nil,
					nil,
					[]string{},
					policy.EnforcerMapping,
					policy.Reject|policy.Log,
					policy.Reject|policy.Log,
				)
				puInfo := policy.NewPUInfo("Context",
					//"/ns1", common.HostPU)
					"/ns1", common.HostNetworkPU)
				puInfo.Policy = policyrules
				puInfo.Runtime.SetOptions(policy.OptionsType{
					CgroupMark: "10",
				})

				udpPortSpec, err := portspec.NewPortSpecFromString("5000", nil)
				So(err, ShouldBeNil)
				tcpPortSpec, err := portspec.NewPortSpecFromString("9000", nil)
				So(err, ShouldBeNil)

				puInfo.Runtime.SetServices([]common.Service{
					{
						Ports:    udpPortSpec,
						Protocol: 17,
					},
					{
						Ports:    tcpPortSpec,
						Protocol: 6,
					},
				})

				var iprules policy.IPRuleList

				iprules = append(iprules, puInfo.Policy.ApplicationACLs()...)
				iprules = append(iprules, puInfo.Policy.NetworkACLs()...)
				i.iptv4.ipsetmanager.RegisterExternalNets("pu1", iprules) // nolint
				err = i.iptv4.ConfigureRules(0,
					"pu1", puInfo)
				So(err, ShouldBeNil)
				err = i.iptv4.ipsetmanager.AddPortToServerPortSet("pu1",
					"8080")
				So(err, ShouldBeNil)
				t := i.iptv4.impl.RetrieveTable()

				for chain, rules := range t["mangle"] {
					So(expectedMangleAfterPUInsertV4, ShouldContainKey, chain)
					So(rules, ShouldResemble, expectedMangleAfterPUInsertV4[chain])
				}

				for chain, rules := range t["nat"] {
					So(expectedNATAfterPUInsertV4, ShouldContainKey, chain)
					So(rules, ShouldResemble, expectedNATAfterPUInsertV4[chain])
				}

				Convey("When I update the policy, the update must result in correct state", func() {
					appACLs := policy.IPRuleList{
						policy.IPRule{
							Addresses: []string{"30.0.0.0/24"},
							Ports:     []string{"80"},
							Protocols: []string{"TCP"},
							Policy: &policy.FlowPolicy{
								Action:    policy.Reject,
								ServiceID: "s1",
								PolicyID:  "1",
							},
						},
					}
					netACLs := policy.IPRuleList{
						policy.IPRule{
							Addresses: []string{"40.0.0.0/24"},
							Ports:     []string{"80"},
							Protocols: []string{"TCP"},
							Policy: &policy.FlowPolicy{
								Action:    policy.Reject,
								ServiceID: "s3",
								PolicyID:  "1",
							},
						},
					}
					ipl := policy.ExtendedMap{}
					policyrules := policy.NewPUPolicy(
						"Context",
						"/ns1",
						policy.Police,
						appACLs,
						netACLs,
						nil,
						nil,
						nil,
						nil,
						nil,
						nil,
						ipl,
						0,
						0,
						nil,
						nil,
						[]string{},
						policy.EnforcerMapping,
						policy.Reject|policy.Log,
						policy.Reject|policy.Log,
					)
					puInfoUpdated := policy.NewPUInfo("Context",
						//"/ns1", common.HostPU)
						"/ns1", common.HostNetworkPU)
					puInfoUpdated.Policy = policyrules
					puInfoUpdated.Runtime.SetOptions(policy.OptionsType{
						CgroupMark: "10",
					})

					var iprules policy.IPRuleList

					iprules = append(iprules, puInfoUpdated.Policy.ApplicationACLs()...)
					iprules = append(iprules, puInfoUpdated.Policy.NetworkACLs()...)

					i.iptv4.ipsetmanager.RegisterExternalNets("pu1", iprules) // nolint

					err := i.iptv4.UpdateRules(1,
						"pu1", puInfoUpdated, puInfo)
					So(err, ShouldBeNil)

					i.iptv4.ipsetmanager.DestroyUnusedIPsets()

					t := i.iptv4.impl.RetrieveTable()
					for chain, rules := range t["mangle"] {
						So(expectedMangleAfterPUUpdateV4, ShouldContainKey, chain)
						So(rules, ShouldResemble, expectedMangleAfterPUUpdateV4[chain])
					}

					Convey("When I delete the same rule, the chains must be restored in the global state", func() {
						err = i.iptv4.ipsetmanager.DeletePortFromServerPortSet("pu1",
							"8080")
						err := i.iptv4.DeleteRules(1,
							"pu1",
							"0",
							"5000",
							"10",
							"", puInfoUpdated)
						i.iptv4.ipsetmanager.RemoveExternalNets("pu1")
						So(err, ShouldBeNil)
						So(err, ShouldBeNil)
						t := i.iptv4.impl.RetrieveTable()
						So(t["mangle"], ShouldNotBeNil)
						So(t["nat"], ShouldNotBeNil)
						for chain, rules := range t["mangle"] {
							So(expectedGlobalMangleChainsV4, ShouldContainKey, chain)
							So(rules, ShouldResemble, expectedGlobalMangleChainsV4[chain])
						}

						for chain, rules := range t["nat"] {
							if len(rules) > 0 {
								So(expectedGlobalNATChainsV4, ShouldContainKey, chain)
								So(rules, ShouldResemble, expectedGlobalNATChainsV4[chain])
							}
						}
					})
				})
			})
		})
	})
}

var (
	expectedGlobalMangleChainsV6 = map[string][]string{
		"TRI-Nfq-IN": {
			"-j MARK --set-mark 67",
			"-m mark --mark 67 -j NFQUEUE --queue-balance 0:3 --queue-bypass",
		},
		"TRI-Nfq-OUT": {
			"-j MARK --set-mark 0",
			"-m mark --mark 0 -j NFQUEUE --queue-balance 0:3 --queue-bypass",
		},
		"INPUT": {
			"-m set ! --match-set TRI-v6-Excluded src -j TRI-Net",
		},
		"OUTPUT": {
			"-m set ! --match-set TRI-v6-Excluded dst -j TRI-App",
		},
		"TRI-App": {
			"-p udp --dport 53 -j ACCEPT",
			"-m mark --mark 66 -j CONNMARK --set-mark 61167",
			"-p tcp -m mark --mark 66 -j ACCEPT",
			"-p udp --dport 53 -m mark --mark 0x40 -j CONNMARK --set-mark 61167",
			"-j TRI-Prx-App",
			"-m connmark --mark 61167 -j ACCEPT",
			"-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP",
			"-m connmark --mark 61166 -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT",
			"-m connmark --mark 61166 -p udp -j ACCEPT",
			"-m mark --mark 1073741922 -j ACCEPT",
			"-p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-OUT",
			"-j TRI-Pid-App",
			"-j TRI-Svc-App",
			"-j TRI-Hst-App",
		},
		"TRI-Net": {
			"-p udp --sport 53 -j ACCEPT",
			"-j TRI-Prx-Net",
			"-p tcp -m mark --mark 66 -j CONNMARK --set-mark 61167",
			"-p tcp -m mark --mark 66 -j ACCEPT",
			"-m connmark --mark 61167 -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT",
			"-m set --match-set TRI-v6-TargetTCP src -p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-IN",
			"-p udp -m string --string n30njxq7bmiwr6dtxq --algo bm --to 65535 -j TRI-Nfq-IN",
			"-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP",
			"-m connmark --mark 61166 -p udp -j ACCEPT",
			"-j TRI-Pid-Net",
			"-j TRI-Svc-Net",
			"-j TRI-Hst-Net",
		},
		"TRI-Pid-App": {},
		"TRI-Pid-Net": {},
		"TRI-Prx-App": {
			"-m mark --mark 0x40 -j ACCEPT",
		},
		"TRI-Prx-Net": {
			"-m mark --mark 0x40 -j ACCEPT",
		},
		"TRI-Hst-App": {},
		"TRI-Hst-Net": {},
		"TRI-Svc-App": {},
		"TRI-Svc-Net": {},
	}

	expectedGlobalNATChainsV6 = map[string][]string{
		"PREROUTING": {
			"-p tcp -m addrtype --dst-type LOCAL -m set ! --match-set TRI-v6-Excluded src -j TRI-Redir-Net",
		},
		"OUTPUT": {
			"-m set ! --match-set TRI-v6-Excluded dst -j TRI-Redir-App",
		},
		"TRI-Redir-App": {
			"-m mark --mark 0x40 -j ACCEPT",
		},
		"TRI-Redir-Net": {
			"-m mark --mark 0x40 -j ACCEPT",
		},
	}

	expectedMangleAfterPUInsertV6 = map[string][]string{
		"TRI-Nfq-IN": {
			"-j MARK --set-mark 67",
			"-m mark --mark 67 -j NFQUEUE --queue-balance 0:3 --queue-bypass",
		},
		"TRI-Nfq-OUT": {
			"-j MARK --set-mark 0",
			"-m mark --mark 0 -j NFQUEUE --queue-balance 0:3 --queue-bypass",
		},
		"INPUT": {
			"-m set ! --match-set TRI-v6-Excluded src -j TRI-Net",
		},
		"OUTPUT": {
			"-m set ! --match-set TRI-v6-Excluded dst -j TRI-App",
		},
		"TRI-App": {
			"-p udp --dport 53 -j ACCEPT",
			"-m mark --mark 66 -j CONNMARK --set-mark 61167",
			"-p tcp -m mark --mark 66 -j ACCEPT",
			"-p udp --dport 53 -m mark --mark 0x40 -j CONNMARK --set-mark 61167",
			"-j TRI-Prx-App", "-m connmark --mark 61167 -j ACCEPT",
			"-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP",
			"-m connmark --mark 61166 -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT",
			"-m connmark --mark 61166 -p udp -j ACCEPT",
			"-m mark --mark 1073741922 -j ACCEPT",
			"-p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-OUT",
			"-j TRI-Pid-App",
			"-j TRI-Svc-App",
			"-j TRI-Hst-App",
		},
		"TRI-Net": {
			"-p udp --sport 53 -j ACCEPT",
			"-j TRI-Prx-Net",
			"-p tcp -m mark --mark 66 -j CONNMARK --set-mark 61167",
			"-p tcp -m mark --mark 66 -j ACCEPT",
			"-m connmark --mark 61167 -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT",
			"-m set --match-set TRI-v6-TargetTCP src -p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-IN",
			"-p udp -m string --string n30njxq7bmiwr6dtxq --algo bm --to 65535 -j TRI-Nfq-IN",
			"-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP",
			"-m connmark --mark 61166 -p udp -j ACCEPT",
			"-j TRI-Pid-Net",
			"-j TRI-Svc-Net",
			"-j TRI-Hst-Net",
		},
		"TRI-Pid-App": {},
		"TRI-Pid-Net": {},
		"TRI-Prx-App": {
			"-m mark --mark 0x40 -j ACCEPT",
			"-p tcp -m tcp --sport 0 -j ACCEPT",
			"-p udp -m udp --sport 0 -j ACCEPT",
			"-p tcp -m set --match-set TRI-v6-Proxy-pu19gtV-srv src -j ACCEPT",
			"-p tcp -m set --match-set TRI-v6-Proxy-pu19gtV-dst dst,dst -m mark ! --mark 0x40 -j ACCEPT",
		},
		"TRI-Prx-Net": {
			"-m mark --mark 0x40 -j ACCEPT",
			"-p tcp -m set --match-set TRI-v6-Proxy-pu19gtV-dst src,src -j ACCEPT",
			"-p tcp -m set --match-set TRI-v6-Proxy-pu19gtV-srv src -m addrtype --src-type LOCAL -j ACCEPT",
			"-p tcp -m tcp --dport 0 -j ACCEPT",
			"-p udp -m udp --dport 0 -j ACCEPT",
		},
		"TRI-Hst-App": {},
		"TRI-Hst-Net": {},
		"TRI-Svc-App": {
			"-p icmp -m comment --comment Server-specific-chain -j MARK --set-mark 10",
			"-p tcp -m multiport --source-ports 9000 -m comment --comment Server-specific-chain -j MARK --set-mark 10",
			"-p tcp -m multiport --source-ports 9000 -m comment --comment Server-specific-chain -j TRI-App-pu1N7uS6--0",
			"-p udp -m multiport --source-ports 5000 -m comment --comment Server-specific-chain -j MARK --set-mark 10",
			"-p udp -m mark --mark 10 -m addrtype --src-type LOCAL -m addrtype --dst-type LOCAL -m state --state NEW -j NFLOG --nflog-group 10 --nflog-prefix 913787369:default:default:3",
			"-m comment --comment traffic-same-pu -p udp -m mark --mark 10 -m addrtype --src-type LOCAL -m addrtype --dst-type LOCAL -j ACCEPT",
			"-p udp -m multiport --source-ports 5000 -m comment --comment Server-specific-chain -j TRI-App-pu1N7uS6--0",
		},
		"TRI-Svc-Net": {
			"-p tcp -m multiport --destination-ports 9000 -m comment --comment Container-specific-chain -j TRI-Net-pu1N7uS6--0",
			"-m comment --comment traffic-same-pu -p udp -m mark --mark 10 -m addrtype --src-type LOCAL -m addrtype --dst-type LOCAL -j ACCEPT",
			"-p udp -m multiport --destination-ports 5000 -m comment --comment Container-specific-chain -j TRI-Net-pu1N7uS6--0",
		},

		"TRI-Net-pu1N7uS6--0": {
			"-p tcp -m tcp --tcp-option 34 -m tcp --tcp-flags FIN,RST,URG,PSH NONE -j TRI-Nfq-IN",
			"-p UDP -m set --match-set TRI-v6-ext-6zlJIvP3B68= src -m state --state ESTABLISHED -m connmark --mark 61167 -j ACCEPT",
			"-p TCP -m set --match-set TRI-v6-ext-w5frVvhsnpU= src -m state --state NEW --match multiport --dports 80 -j DROP",
			"-p UDP -m set --match-set TRI-v6-ext-IuSLsD1R-mE= src -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 --match multiport --dports 443 -j CONNMARK --set-mark 61167",
			"-p UDP -m set --match-set TRI-v6-ext-IuSLsD1R-mE= src -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 --match multiport --dports 443 -j ACCEPT",
			"-p icmp -j NFQUEUE --queue-balance 0:3",
			"-p tcp -m set --match-set TRI-v6-TargetTCP src -m tcp --tcp-flags SYN NONE -j TRI-Nfq-IN",
			"-p udp -m set --match-set TRI-v6-TargetUDP src --match limit --limit 1000/s -j TRI-Nfq-IN",
			"-p tcp -m state --state ESTABLISHED -m comment --comment TCP-Established-Connections -j ACCEPT",
			"-s ::/0 -m state --state NEW -j NFLOG --nflog-group 11 --nflog-prefix 913787369:default:default:6",
			"-s ::/0 -m state ! --state NEW -j NFLOG --nflog-group 11 --nflog-prefix 913787369:default:default:10",
			"-s ::/0 -j DROP",
		},
		"TRI-App-pu1N7uS6--0": {
			"-p TCP -m set --match-set TRI-v6-ext-uNdc0vdcFZA= dst -m state --state NEW --match multiport --dports 80 -j DROP",
			"-p UDP -m set --match-set TRI-v6-ext-6zlJIvP3B68= dst -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 -m set ! --match-set TRI-v6-TargetUDP dst --match multiport --dports 443 -j CONNMARK --set-mark 61167",
			"-p UDP -m set --match-set TRI-v6-ext-6zlJIvP3B68= dst -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 -m set ! --match-set TRI-v6-TargetUDP dst --match multiport --dports 443 -j ACCEPT",
			"-p icmpv6 -m set --match-set TRI-v6-ext-w5frVvhsnpU= dst -j ACCEPT",
			"-p UDP -m set --match-set TRI-v6-ext-IuSLsD1R-mE= dst -m state --state ESTABLISHED -m connmark --mark 61167 -j ACCEPT",
			"-p icmp -j NFQUEUE --queue-balance 0:3",
			"-m set --match-set TRI-v6-TargetTCP dst -p tcp -m tcp --tcp-flags FIN FIN -j ACCEPT",
			"-m set --match-set TRI-v6-TargetTCP dst -p tcp -j MARK --set-mark 40",
			"-p udp -m set --match-set TRI-v6-TargetUDP dst -j MARK --set-mark 40",
			"-m mark --mark 40 -j NFQUEUE --queue-balance 0:3 --queue-bypass",
			"-p tcp -m state --state ESTABLISHED -m comment --comment TCP-Established-Connections -j ACCEPT",
			"-p udp -m state --state ESTABLISHED -m comment --comment UDP-Established-Connections -j ACCEPT",
			"-d ::/0 -m state --state NEW -j NFLOG --nflog-group 10 --nflog-prefix 913787369:default:default:6",
			"-d ::/0 -m state ! --state NEW -j NFLOG --nflog-group 10 --nflog-prefix 913787369:default:default:10",
			"-d ::/0 -j DROP",
		},
	}

	expectedNATAfterPUInsertV6 = map[string][]string{
		"PREROUTING": {
			"-p tcp -m addrtype --dst-type LOCAL -m set ! --match-set TRI-v6-Excluded src -j TRI-Redir-Net",
		},
		"OUTPUT": {
			"-m set ! --match-set TRI-v6-Excluded dst -j TRI-Redir-App",
		},
		"TRI-Redir-App": {
			"-m mark --mark 0x40 -j ACCEPT",
			"-p tcp -m set --match-set TRI-v6-Proxy-pu19gtV-dst dst,dst -m mark ! --mark 0x40 -m multiport --source-ports 9000 -j REDIRECT --to-ports 0",
			"-p udp --dport 53 -m mark ! --mark 0x40 -j REDIRECT --to-ports 0",
		},
		"TRI-Redir-Net": {
			"-m mark --mark 0x40 -j ACCEPT",
			"-p tcp -m set --match-set TRI-v6-Proxy-pu19gtV-srv dst -m mark ! --mark 0x40 -j REDIRECT --to-ports 0",
		},
		"POSTROUTING": {
			"-p udp -m addrtype --src-type LOCAL -m multiport --source-ports 5000 -j ACCEPT",
		},
	}

	expectedMangleAfterPUUpdateV6 = map[string][]string{
		"TRI-Nfq-IN": {
			"-j MARK --set-mark 67",
			"-m mark --mark 67 -j NFQUEUE --queue-balance 0:3 --queue-bypass",
		},
		"TRI-Nfq-OUT": {
			"-j MARK --set-mark 0",
			"-m mark --mark 0 -j NFQUEUE --queue-balance 0:3 --queue-bypass",
		},
		"INPUT": {
			"-m set ! --match-set TRI-v6-Excluded src -j TRI-Net",
		},
		"OUTPUT": {
			"-m set ! --match-set TRI-v6-Excluded dst -j TRI-App",
		},
		"TRI-App": {
			"-p udp --dport 53 -j ACCEPT",
			"-m mark --mark 66 -j CONNMARK --set-mark 61167",
			"-p tcp -m mark --mark 66 -j ACCEPT",
			"-p udp --dport 53 -m mark --mark 0x40 -j CONNMARK --set-mark 61167",
			"-j TRI-Prx-App",
			"-m connmark --mark 61167 -j ACCEPT",
			"-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP",
			"-m connmark --mark 61166 -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT",
			"-m connmark --mark 61166 -p udp -j ACCEPT",
			"-m mark --mark 1073741922 -j ACCEPT",
			"-p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-OUT",
			"-j TRI-Pid-App",
			"-j TRI-Svc-App",
			"-j TRI-Hst-App",
		},
		"TRI-Net": {
			"-p udp --sport 53 -j ACCEPT",
			"-j TRI-Prx-Net",
			"-p tcp -m mark --mark 66 -j CONNMARK --set-mark 61167",
			"-p tcp -m mark --mark 66 -j ACCEPT",
			"-m connmark --mark 61167 -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT",
			"-m set --match-set TRI-v6-TargetTCP src -p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-IN",
			"-p udp -m string --string n30njxq7bmiwr6dtxq --algo bm --to 65535 -j TRI-Nfq-IN",
			"-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP",
			"-m connmark --mark 61166 -p udp -j ACCEPT",
			"-j TRI-Pid-Net",
			"-j TRI-Svc-Net",
			"-j TRI-Hst-Net",
		},
		"TRI-Pid-App": {},
		"TRI-Pid-Net": {},
		"TRI-Prx-App": {
			"-m mark --mark 0x40 -j ACCEPT",
			"-p tcp -m tcp --sport 0 -j ACCEPT",
			"-p udp -m udp --sport 0 -j ACCEPT",
			"-p tcp -m set --match-set TRI-v6-Proxy-pu19gtV-srv src -j ACCEPT",
			"-p tcp -m set --match-set TRI-v6-Proxy-pu19gtV-dst dst,dst -m mark ! --mark 0x40 -j ACCEPT",
		},
		"TRI-Prx-Net": {
			"-m mark --mark 0x40 -j ACCEPT",
			"-p tcp -m set --match-set TRI-v6-Proxy-pu19gtV-dst src,src -j ACCEPT",
			"-p tcp -m set --match-set TRI-v6-Proxy-pu19gtV-srv src -m addrtype --src-type LOCAL -j ACCEPT",
			"-p tcp -m tcp --dport 0 -j ACCEPT",
			"-p udp -m udp --dport 0 -j ACCEPT",
		},
		"TRI-Hst-App": {},
		"TRI-Hst-Net": {},
		"TRI-Svc-App": {},
		"TRI-Svc-Net": {},

		"TRI-Net-pu1N7uS6--1": {
			"-p tcp -m tcp --tcp-option 34 -m tcp --tcp-flags FIN,RST,URG,PSH NONE -j TRI-Nfq-IN",
			"-p TCP -m set --match-set TRI-v6-ext-w5frVvhsnpU= src -m state --state NEW --match multiport --dports 80 -j DROP",
			"-p icmp -j NFQUEUE --queue-balance 0:3",
			"-p tcp -m set --match-set TRI-v6-TargetTCP src -m tcp --tcp-flags SYN NONE -j TRI-Nfq-IN",
			"-p udp -m set --match-set TRI-v6-TargetUDP src --match limit --limit 1000/s -j TRI-Nfq-IN",
			"-p tcp -m state --state ESTABLISHED -m comment --comment TCP-Established-Connections -j ACCEPT",
			"-s ::/0 -m state --state NEW -j NFLOG --nflog-group 11 --nflog-prefix 913787369:default:default:6",
			"-s ::/0 -m state ! --state NEW -j NFLOG --nflog-group 11 --nflog-prefix 913787369:default:default:10",
			"-s ::/0 -j DROP",
		},
		"TRI-App-pu1N7uS6--1": {
			"-p TCP -m set --match-set TRI-v6-ext-uNdc0vdcFZA= dst -m state --state NEW --match multiport --dports 80 -j DROP",
			"-p icmp -j NFQUEUE --queue-balance 0:3",
			"-m set --match-set TRI-v6-TargetTCP dst -p tcp -m tcp --tcp-flags FIN FIN -j ACCEPT",
			"-m set --match-set TRI-v6-TargetTCP dst -p tcp -j MARK --set-mark 40",
			"-p udp -m set --match-set TRI-v6-TargetUDP dst -j MARK --set-mark 40",
			"-m mark --mark 40 -j NFQUEUE --queue-balance 0:3 --queue-bypass",
			"-p tcp -m state --state ESTABLISHED -m comment --comment TCP-Established-Connections -j ACCEPT",
			"-p udp -m state --state ESTABLISHED -m comment --comment UDP-Established-Connections -j ACCEPT",
			"-d ::/0 -m state --state NEW -j NFLOG --nflog-group 10 --nflog-prefix 913787369:default:default:6",
			"-d ::/0 -m state ! --state NEW -j NFLOG --nflog-group 10 --nflog-prefix 913787369:default:default:10",
			"-d ::/0 -j DROP",
		},
	}
)

func Test_Rhel6ConfigureRulesV6(t *testing.T) {

	Convey("Given an iptables controller with a memory backend ", t, func() {
		cfg := &runtime.Configuration{
			TCPTargetNetworks: []string{"::/0"},
			UDPTargetNetworks: []string{"1120::/64"},
			ExcludedNetworks:  []string{"::1"},
		}

		commitFunc := func(buf *bytes.Buffer) error {
			return nil
		}

		iptv4 := provider.NewCustomBatchProvider(&baseIpt{}, commitFunc, []string{"nat",
			"mangle"})
		So(iptv4, ShouldNotBeNil)

		iptv6 := provider.NewCustomBatchProvider(&baseIpt{}, commitFunc, []string{"nat",
			"mangle"})
		So(iptv6, ShouldNotBeNil)

		ips := &memoryIPSetProvider{sets: map[string]*memoryIPSet{}}
		i, err := createTestInstance(ips, iptv4, iptv6, constants.LocalServer, policy.None)
		So(err, ShouldBeNil)
		So(i, ShouldNotBeNil)

		Convey("When I start the controller, I should get the right global chains and ipsets", func() {
			ctx, cancel := context.WithCancel(context.Background())
			defer cancel()
			err := i.Run(ctx)
			i.SetTargetNetworks(cfg) // nolint

			So(err, ShouldBeNil)

			t := i.iptv6.impl.RetrieveTable()
			So(t, ShouldNotBeNil)
			So(len(t), ShouldEqual, 2)
			So(t["mangle"], ShouldNotBeNil)
			So(t["nat"], ShouldNotBeNil)

			for chain, rules := range t["mangle"] {
				So(expectedGlobalMangleChainsV6, ShouldContainKey, chain)
				So(rules, ShouldResemble, expectedGlobalMangleChainsV6[chain])
			}

			for chain, rules := range t["nat"] {
				So(expectedGlobalNATChainsV6, ShouldContainKey, chain)
				So(rules, ShouldResemble, expectedGlobalNATChainsV6[chain])
			}

			Convey("When I configure a new set of rules, the ACLs must be correct", func() {

				appACLs := policy.IPRuleList{
					policy.IPRule{
						Addresses: []string{"1120::/64"},
						Ports:     []string{"80"},
						Protocols: []string{"TCP"},
						Policy: &policy.FlowPolicy{
							Action:    policy.Reject,
							ServiceID: "s1",
							PolicyID:  "1",
						},
					},
					policy.IPRule{
						Addresses: []string{"1120::/64"},
						Ports:     []string{"443"},
						Protocols: []string{"UDP"},
						Policy: &policy.FlowPolicy{
							Action:    policy.Accept,
							ServiceID: "s2",
							PolicyID:  "2",
						},
					},
					policy.IPRule{
						Addresses: []string{"1122::/64"},
						Ports:     []string{"443"},
						Protocols: []string{"icmpv6"},
						Policy: &policy.FlowPolicy{
							Action:    policy.Accept,
							ServiceID: "s3",
							PolicyID:  "3",
						},
					},
					policy.IPRule{
						Addresses: []string{"40.0.0.0/24"},
						Ports:     []string{"443"},
						Protocols: []string{"icmp"},
						Policy: &policy.FlowPolicy{
							Action:    policy.Accept,
							ServiceID: "s3",
							PolicyID:  "3",
						},
					},
				}
				netACLs := policy.IPRuleList{
					policy.IPRule{
						Addresses: []string{"1122::/64"},
						Ports:     []string{"80"},
						Protocols: []string{"TCP"},
						Policy: &policy.FlowPolicy{
							Action:    policy.Reject,
							ServiceID: "s3",
							PolicyID:  "1",
						},
					},
					policy.IPRule{
						Addresses: []string{"1122::/64"},
						Ports:     []string{"443"},
						Protocols: []string{"UDP"},
						Policy: &policy.FlowPolicy{
							Action:    policy.Accept,
							ServiceID: "s4",
							PolicyID:  "2",
						},
					},
				}
				ipl := policy.ExtendedMap{}
				policyrules := policy.NewPUPolicy(
					"Context",
					"/ns1",
					policy.Police,
					appACLs,
					netACLs,
					nil,
					nil,
					nil,
					nil,
					nil,
					nil,
					ipl,
					0,
					0,
					nil,
					nil,
					[]string{},
					policy.EnforcerMapping,
					policy.Reject|policy.Log,
					policy.Reject|policy.Log,
				)
				puInfo := policy.NewPUInfo("Context",
					"/ns1", common.HostNetworkPU)
				puInfo.Policy = policyrules
				puInfo.Runtime.SetOptions(policy.OptionsType{
					CgroupMark: "10",
				})

				udpPortSpec, err := portspec.NewPortSpecFromString("5000", nil)
				So(err, ShouldBeNil)
				tcpPortSpec, err := portspec.NewPortSpecFromString("9000", nil)
				So(err, ShouldBeNil)

				puInfo.Runtime.SetServices([]common.Service{
					{
						Ports:    udpPortSpec,
						Protocol: 17,
					},
					{
						Ports:    tcpPortSpec,
						Protocol: 6,
					},
				})

				var iprules policy.IPRuleList
				iprules = append(iprules, puInfo.Policy.ApplicationACLs()...)
				iprules = append(iprules, puInfo.Policy.NetworkACLs()...)
				i.iptv6.ipsetmanager.RegisterExternalNets("pu1", iprules) // nolint

				err = i.ConfigureRules(0,
					"pu1", puInfo)
				So(err, ShouldBeNil)
				t := i.iptv6.impl.RetrieveTable()

				for chain, rules := range t["mangle"] {
					So(expectedMangleAfterPUInsertV6, ShouldContainKey, chain)
					So(rules, ShouldResemble, expectedMangleAfterPUInsertV6[chain])
				}

				for chain, rules := range t["nat"] {
					So(expectedNATAfterPUInsertV6, ShouldContainKey, chain)
					So(rules, ShouldResemble, expectedNATAfterPUInsertV6[chain])
				}

				Convey("When I update the policy, the update must result in correct state", func() {
					appACLs := policy.IPRuleList{
						policy.IPRule{
							Addresses: []string{"1120::/64"},
							Ports:     []string{"80"},
							Protocols: []string{"TCP"},
							Policy: &policy.FlowPolicy{
								Action:    policy.Reject,
								ServiceID: "s1",
								PolicyID:  "1",
							},
						},
					}
					netACLs := policy.IPRuleList{
						policy.IPRule{
							Addresses: []string{"1122::/64"},
							Ports:     []string{"80"},
							Protocols: []string{"TCP"},
							Policy: &policy.FlowPolicy{
								Action:    policy.Reject,
								ServiceID: "s3",
								PolicyID:  "1",
							},
						},
					}
					ipl := policy.ExtendedMap{}
					policyrules := policy.NewPUPolicy(
						"Context",
						"/ns1",
						policy.Police,
						appACLs,
						netACLs,
						nil,
						nil,
						nil,
						nil,
						nil,
						nil,
						ipl,
						0,
						0,
						nil,
						nil,
						[]string{},
						policy.EnforcerMapping,
						policy.Reject|policy.Log,
						policy.Reject|policy.Log,
					)
					puInfoUpdated := policy.NewPUInfo("Context",
						"/ns1", common.HostNetworkPU)
					puInfoUpdated.Policy = policyrules
					puInfoUpdated.Runtime.SetOptions(policy.OptionsType{
						CgroupMark: "10",
					})

					err := i.UpdateRules(1,
						"pu1", puInfoUpdated, puInfo)
					So(err, ShouldBeNil)

					t := i.iptv6.impl.RetrieveTable()
					for chain, rules := range t["mangle"] {
						So(expectedMangleAfterPUUpdateV6, ShouldContainKey, chain)
						So(rules, ShouldResemble, expectedMangleAfterPUUpdateV6[chain])
					}

					Convey("When I delete the same rule, the chains must be restored in the global state", func() {
						err := i.DeleteRules(1,
							"pu1",
							"0",
							"5000",
							"10",
							"", puInfoUpdated)
						So(err, ShouldBeNil)

						t := i.iptv6.impl.RetrieveTable()

						So(t["mangle"], ShouldNotBeNil)
						So(t["nat"], ShouldNotBeNil)

						for chain, rules := range t["mangle"] {
							So(expectedGlobalMangleChainsV6, ShouldContainKey, chain)
							So(rules, ShouldResemble, expectedGlobalMangleChainsV6[chain])
						}

						for chain, rules := range t["nat"] {
							if len(rules) > 0 {
								So(expectedGlobalNATChainsV6, ShouldContainKey, chain)
								So(rules, ShouldResemble, expectedGlobalNATChainsV6[chain])
							}
						}
					})
				})
			})
		})
	})
}


================================================
FILE: controller/internal/supervisor/iptablesctrl/iptables_windows_test.go
================================================
// +build windows

package iptablesctrl

import (
	"context"
	"fmt"
	"net"
	"strings"
	"sync"
	"syscall"
	"testing"
	"unsafe"

	. "github.com/smartystreets/goconvey/convey"
	"go.aporeto.io/enforcerd/trireme-lib/common"
	"go.aporeto.io/enforcerd/trireme-lib/controller/constants"
	tacls "go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/acls"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/fqconfig"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packet"
	"go.aporeto.io/enforcerd/trireme-lib/controller/runtime"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
	"go.aporeto.io/enforcerd/trireme-lib/utils/frontman"
)

const (
	errInvalidParameter   = syscall.Errno(0xC000000D)
	errInsufficientBuffer = syscall.Errno(122)
	errAlreadyExists      = syscall.Errno(183)
)

type abi struct {
	filters       map[string]map[string]bool
	ipsets        map[string][]string
	ipsetByID     map[int]string
	ipsetsNomatch map[string][]string
	ipsetCount    int
	sync.Mutex
}

func (a *abi) FrontmanOpenShared() (uintptr, error) {
	return 1234, nil
}

func (a *abi) GetDestInfo(driverHandle, socket, destInfo uintptr) (uintptr, error) {
	return 1, nil
}

func (a *abi) ApplyDestHandle(socket, destHandle uintptr) (uintptr, error) {
	return 1, nil
}

func (a *abi) FreeDestHandle(destHandle uintptr) (uintptr, error) {
	return 1, nil
}

func (a *abi) NewIpset(driverHandle, name, ipsetType, ipset uintptr) (uintptr, error) {
	if name == 0 || ipsetType == 0 || ipset == 0 {
		return 0, errInvalidParameter
	}
	a.Lock()
	defer a.Unlock()
	nameStr := frontman.WideCharPointerToString((*uint16)(unsafe.Pointer(name))) // nolint:govet
	ipsetPtr := (*int)(unsafe.Pointer(ipset))                                    // nolint:govet
	a.ipsetCount++
	*ipsetPtr = a.ipsetCount
	a.ipsets[nameStr] = make([]string, 0)
	a.ipsetsNomatch[nameStr] = make([]string, 0)
	a.ipsetByID[a.ipsetCount] = nameStr
	return 1, nil
}

func (a *abi) GetIpset(driverHandle, name, ipset uintptr) (uintptr, error) {
	if name == 0 || ipset == 0 {
		return 0, errInvalidParameter
	}
	a.Lock()
	defer a.Unlock()
	nameStr := frontman.WideCharPointerToString((*uint16)(unsafe.Pointer(name))) // nolint:govet
	ipsetPtr := (*int)(unsafe.Pointer(ipset))                                    // nolint:govet
	for k, v := range a.ipsetByID {
		if v == nameStr {
			*ipsetPtr = k
			return 1, nil
		}
	}
	return 0, errInvalidParameter
}

func (a *abi) DestroyAllIpsets(driverHandle, prefix uintptr) (uintptr, error) {
	if prefix == 0 {
		return 0, errInvalidParameter
	}
	a.Lock()
	defer a.Unlock()
	prefixStr := frontman.WideCharPointerToString((*uint16)(unsafe.Pointer(prefix))) // nolint:govet
	for k := range a.ipsets {
		if strings.HasPrefix(k, prefixStr) {
			for id, name := range a.ipsetByID {
				if name == k {
					delete(a.ipsetByID, id)
					break
				}
			}
			delete(a.ipsets, k)
		}
	}
	return 1, nil
}

func (a *abi) ListIpsets(driverHandle, ipsetNames, ipsetNamesSize, bytesReturned uintptr) (uintptr, error) {
	if bytesReturned == 0 {
		return 0, errInvalidParameter
	}
	a.Lock()
	defer a.Unlock()
	bytesReturnedPtr := (*uint32)(unsafe.Pointer(bytesReturned)) // nolint:govet
	fstr := ""
	for k := range a.ipsets {
		fstr += k + ","
	}
	sizeNeeded := len(fstr) * 2
	if sizeNeeded == 0 {
		*bytesReturnedPtr = 0
		return 1, nil
	}
	if int(ipsetNamesSize) < sizeNeeded {
		*bytesReturnedPtr = uint32(sizeNeeded)
		return 0, errInsufficientBuffer
	}
	if ipsetNames == 0 {
		return 0, errInvalidParameter
	}
	buf := (*[1 << 20]uint16)(unsafe.Pointer(ipsetNames))[: ipsetNamesSize/2 : ipsetNamesSize/2] // nolint:govet
	copy(buf, syscall.StringToUTF16(fstr))                                                       // nolint:staticcheck
	buf[ipsetNamesSize/2-1] = 0
	return 1, nil
}

func (a *abi) IpsetAdd(driverHandle, ipset, entry, timeout uintptr) (uintptr, error) {
	return a.IpsetAddOption(driverHandle, ipset, entry, 0, timeout)
}

func (a *abi) IpsetAddOption(driverHandle, ipset, entry, option, timeout uintptr) (uintptr, error) {
	if entry == 0 {
		return 0, errInvalidParameter
	}
	a.Lock()
	defer a.Unlock()
	entryStr := frontman.WideCharPointerToString((*uint16)(unsafe.Pointer(entry))) // nolint:govet
	id := int(ipset)
	name := a.ipsetByID[id]
	entries, ok := a.ipsets[name]
	if !ok {
		return 0, errInvalidParameter
	}
	for _, e := range entries {
		if e == entryStr {
			return 0, errAlreadyExists
		}
	}
	if option != 0 {
		optionStr := frontman.WideCharPointerToString((*uint16)(unsafe.Pointer(option))) // nolint:govet
		if optionStr == "nomatch" {
			entriesNomatch, ok := a.ipsetsNomatch[name]
			if !ok {
				return 0, errInvalidParameter
			}
			a.ipsetsNomatch[name] = append(entriesNomatch, entryStr)
		}
	}
	a.ipsets[name] = append(entries, entryStr)
	return 1, nil
}

func (a *abi) IpsetDelete(driverHandle, ipset, entry uintptr) (uintptr, error) {
	if entry == 0 {
		return 0, errInvalidParameter
	}
	a.Lock()
	defer a.Unlock()
	entryStr := frontman.WideCharPointerToString((*uint16)(unsafe.Pointer(entry))) // nolint:govet
	id := int(ipset)
	name := a.ipsetByID[id]
	entries, ok := a.ipsets[name]
	if !ok {
		return 0, errInvalidParameter
	}
	for i, e := range entries {
		if e == entryStr {
			a.ipsets[name] = append(entries[:i], entries[i+1:]...)
			break
		}
	}
	if entriesNomatch, ok := a.ipsetsNomatch[name]; ok {
		for i, e := range entriesNomatch {
			if e == entryStr {
				a.ipsetsNomatch[name] = append(entriesNomatch[:i], entriesNomatch[i+1:]...)
				break
			}
		}
	}
	return 1, nil
}

func (a *abi) IpsetDestroy(driverHandle, ipset uintptr) (uintptr, error) {
	a.Lock()
	defer a.Unlock()
	id := int(ipset)
	name := a.ipsetByID[id]
	if _, ok := a.ipsets[name]; !ok {
		return 0, errInvalidParameter
	}
	delete(a.ipsetByID, id)
	delete(a.ipsets, name)
	return 1, nil
}

func (a *abi) IpsetFlush(driverHandle, ipset uintptr) (uintptr, error) {
	a.Lock()
	defer a.Unlock()
	id := int(ipset)
	name := a.ipsetByID[id]
	if _, ok := a.ipsets[name]; !ok {
		return 0, errInvalidParameter
	}
	a.ipsets[name] = nil
	return 1, nil
}

func (a *abi) IpsetTest(driverHandle, ipset, entry uintptr) (uintptr, error) {
	if entry == 0 {
		return 0, errInvalidParameter
	}
	a.Lock()
	defer a.Unlock()
	entryStr := frontman.WideCharPointerToString((*uint16)(unsafe.Pointer(entry))) // nolint:govet
	id := int(ipset)
	name := a.ipsetByID[id]
	entries, ok := a.ipsets[name]
	if !ok {
		return 0, errInvalidParameter
	}
	for _, e := range entries {
		// TODO nomatch
		if e == entryStr {
			return 1, nil
		}
	}
	// not found
	return 0, nil
}

func (a *abi) PacketFilterStart(frontman, firewallName, receiveCallback, loggingCallback uintptr) (uintptr, error) {
	return 1, nil
}

func (a *abi) PacketFilterClose() (uintptr, error) {
	return 1, nil
}

func (a *abi) PacketFilterForward(info, packet uintptr) (uintptr, error) {
	return 1, nil
}

func (a *abi) AppendFilter(driverHandle, outbound, filterName, isGotoFilter uintptr) (uintptr, error) {
	return a.InsertFilter(driverHandle, outbound, 1000, filterName, isGotoFilter)
}

func (a *abi) InsertFilter(driverHandle, outbound, priority, filterName, isGotoFilter uintptr) (uintptr, error) {
	if filterName == 0 {
		return 0, errInvalidParameter
	}
	a.Lock()
	defer a.Unlock()
	str := frontman.WideCharPointerToString((*uint16)(unsafe.Pointer(filterName))) // nolint:govet
	a.filters[str] = make(map[string]bool)
	return 1, nil
}

func (a *abi) DestroyFilter(driverHandle, filterName uintptr) (uintptr, error) {
	if filterName == 0 {
		return 0, errInvalidParameter
	}
	a.Lock()
	defer a.Unlock()
	str := frontman.WideCharPointerToString((*uint16)(unsafe.Pointer(filterName))) // nolint:govet
	delete(a.filters, str)
	return 1, nil
}

func (a *abi) EmptyFilter(driverHandle, filterName uintptr) (uintptr, error) {
	if filterName == 0 {
		return 0, errInvalidParameter
	}
	a.Lock()
	defer a.Unlock()
	str := frontman.WideCharPointerToString((*uint16)(unsafe.Pointer(filterName))) // nolint:govet
	a.filters[str] = make(map[string]bool)
	return 1, nil
}

func (a *abi) GetFilterList(driverHandle, outbound, buffer, bufferSize, bytesReturned uintptr) (uintptr, error) {
	if bytesReturned == 0 {
		return 0, errInvalidParameter
	}
	a.Lock()
	defer a.Unlock()
	bytesReturnedPtr := (*uint32)(unsafe.Pointer(bytesReturned)) // nolint:govet
	fstr := ""
	for k := range a.filters {
		fstr += k + ","
	}
	sizeNeeded := len(fstr) * 2
	if sizeNeeded == 0 {
		*bytesReturnedPtr = 0
		return 1, nil
	}
	if int(bufferSize) < sizeNeeded {
		*bytesReturnedPtr = uint32(sizeNeeded)
		return 0, errInsufficientBuffer
	}
	if buffer == 0 {
		return 0, errInvalidParameter
	}
	buf := (*[1 << 20]uint16)(unsafe.Pointer(buffer))[: bufferSize/2 : bufferSize/2] // nolint:govet
	copy(buf, syscall.StringToUTF16(fstr))                                           // nolint:staticcheck
	buf[bufferSize/2-1] = 0
	return 1, nil
}

func (a *abi) AppendFilterCriteria(driverHandle, filterName, criteriaName, ruleSpec, ipsetRuleSpecs, ipsetRuleSpecCount uintptr) (uintptr, error) {
	if filterName == 0 || criteriaName == 0 {
		return 0, errInvalidParameter
	}
	a.Lock()
	defer a.Unlock()
	fstr := frontman.WideCharPointerToString((*uint16)(unsafe.Pointer(filterName)))   // nolint:govet
	cstr := frontman.WideCharPointerToString((*uint16)(unsafe.Pointer(criteriaName))) // nolint:govet
	m, ok := a.filters[fstr]
	if !ok {
		return 0, errInvalidParameter
	}
	m[cstr] = true
	return 1, nil
}

func (a *abi) DeleteFilterCriteria(driverHandle, filterName, criteriaName uintptr) (uintptr, error) {
	if filterName == 0 || criteriaName == 0 {
		return 0, errInvalidParameter
	}
	a.Lock()
	defer a.Unlock()
	fstr := frontman.WideCharPointerToString((*uint16)(unsafe.Pointer(filterName)))   // nolint:govet
	cstr := frontman.WideCharPointerToString((*uint16)(unsafe.Pointer(criteriaName))) // nolint:govet
	m, ok := a.filters[fstr]
	if !ok {
		return 0, errInvalidParameter
	}
	delete(m, cstr)
	return 1, nil
}

func (a *abi) ListIpsetsDetail(driverHandle, format, ipsetNames, ipsetNamesSize, bytesReturned uintptr) (uintptr, error) {
	return 1, nil
}

func (a *abi) GetCriteriaList(driverHandle, format, criteriaList, criteriaListSize, bytesReturned uintptr) (uintptr, error) {
	return 1, nil
}

func Test_WindowsNomatchIpsets(t *testing.T) {

	a := &abi{
		filters:       make(map[string]map[string]bool),
		ipsets:        make(map[string][]string),
		ipsetsNomatch: make(map[string][]string),
		ipsetByID:     make(map[int]string),
	}
	frontman.Driver = a

	getEnforcerPID = func() int { return 111 }
	getCnsAgentMgrPID = func() int { return 222 }
	getCnsAgentBootPID = func() int { return 333 }

	Convey("Given a valid instance", t, func() {

		fq := newFilterQueueWithDefaults()
		impl, err := NewInstance(fq, constants.LocalServer, false, nil, "", policy.None)
		So(err, ShouldBeNil)

		err = impl.Run(context.Background())
		So(err, ShouldBeNil)

		cfg := &runtime.Configuration{
			TCPTargetNetworks: []string{"!2001:db8:1234::/48", "!10.10.10.0/24", "::/0", "!10.0.0.0/8", "10.10.0.0/16", "0.0.0.0/0"},
			UDPTargetNetworks: []string{"!10.10.10.0/24", "10.0.0.0/8"},
			ExcludedNetworks:  []string{"!192.168.56.15/32", "127.0.0.1", "192.168.56.0/24"},
		}
		err = impl.SetTargetNetworks(cfg) // nolint
		So(err, ShouldBeNil)

		So(a.ipsets, ShouldContainKey, "TRI-v4-TargetTCP")
		So(a.ipsetsNomatch["TRI-v4-TargetTCP"], ShouldContain, "10.0.0.0/8")
		So(a.ipsetsNomatch["TRI-v4-TargetTCP"], ShouldContain, "10.10.10.0/24")
		So(a.ipsets["TRI-v4-TargetTCP"], ShouldContain, "10.10.0.0/16")
		So(a.ipsetsNomatch["TRI-v4-TargetTCP"], ShouldNotContain, "10.10.0.0/16")
		So(a.ipsets["TRI-v4-TargetTCP"], ShouldContain, "0.0.0.0/1")
		So(a.ipsets["TRI-v4-TargetTCP"], ShouldContain, "128.0.0.0/1")

		So(a.ipsets, ShouldContainKey, "TRI-v6-TargetTCP")
		So(a.ipsetsNomatch["TRI-v6-TargetTCP"], ShouldContain, "2001:db8:1234::/48")
		So(a.ipsets["TRI-v6-TargetTCP"], ShouldContain, "::/1")
		So(a.ipsets["TRI-v6-TargetTCP"], ShouldContain, "8000::/1")
		So(a.ipsetsNomatch["TRI-v6-TargetTCP"], ShouldNotContain, "::/1")
		So(a.ipsetsNomatch["TRI-v6-TargetTCP"], ShouldNotContain, "8000::/1")

		So(a.ipsets, ShouldContainKey, "TRI-v4-TargetUDP")
		So(a.ipsets["TRI-v4-TargetUDP"], ShouldContain, "10.0.0.0/8")
		So(a.ipsetsNomatch["TRI-v4-TargetUDP"], ShouldNotContain, "10.0.0.0/8")
		So(a.ipsets["TRI-v4-TargetUDP"], ShouldContain, "10.10.10.0/24")
		So(a.ipsetsNomatch["TRI-v4-TargetUDP"], ShouldContain, "10.10.10.0/24")

		So(a.ipsets, ShouldContainKey, "TRI-v4-Excluded")
		So(a.ipsets["TRI-v4-Excluded"], ShouldContain, "127.0.0.1")
		So(a.ipsets["TRI-v4-Excluded"], ShouldContain, "192.168.56.0/24")
		So(a.ipsetsNomatch["TRI-v4-Excluded"], ShouldNotContain, "192.168.56.0/24")
		So(a.ipsets["TRI-v4-Excluded"], ShouldContain, "192.168.56.15/32")
		So(a.ipsetsNomatch["TRI-v4-Excluded"], ShouldContain, "192.168.56.15/32")

		// update target networks
		cfgNew := &runtime.Configuration{
			TCPTargetNetworks: []string{"!10.10.0.0/16", "0.0.0.0/0"},
			UDPTargetNetworks: []string{},
			ExcludedNetworks:  []string{"192.168.56.0/24", "!192.168.56.15/32", "127.0.0.1"},
		}
		err = impl.SetTargetNetworks(cfgNew)
		So(err, ShouldBeNil)

		So(a.ipsets["TRI-v4-TargetTCP"], ShouldNotContain, "10.0.0.0/8")
		So(a.ipsets["TRI-v4-TargetTCP"], ShouldContain, "10.10.0.0/16")
		So(a.ipsetsNomatch["TRI-v4-TargetTCP"], ShouldContain, "10.10.0.0/16")
		So(a.ipsets["TRI-v4-TargetTCP"], ShouldContain, "0.0.0.0/1")
		So(a.ipsets["TRI-v4-TargetTCP"], ShouldContain, "128.0.0.0/1")

		So(a.ipsets["TRI-v4-TargetUDP"], ShouldBeEmpty)

		So(a.ipsets["TRI-v4-Excluded"], ShouldContain, "127.0.0.1")
		So(a.ipsets["TRI-v4-Excluded"], ShouldContain, "192.168.56.0/24")
		So(a.ipsetsNomatch["TRI-v4-Excluded"], ShouldNotContain, "192.168.56.0/24")
		So(a.ipsets["TRI-v4-Excluded"], ShouldContain, "192.168.56.15/32")
		So(a.ipsetsNomatch["TRI-v4-Excluded"], ShouldContain, "192.168.56.15/32")
	})
}

func Test_WindowsNomatchIpsetsInExternalNetworks(t *testing.T) {

	a := &abi{
		filters:       make(map[string]map[string]bool),
		ipsets:        make(map[string][]string),
		ipsetsNomatch: make(map[string][]string),
		ipsetByID:     make(map[int]string),
	}
	frontman.Driver = a

	getEnforcerPID = func() int { return 111 }
	getCnsAgentMgrPID = func() int { return 222 }
	getCnsAgentBootPID = func() int { return 333 }

	Convey("Given a valid instance", t, func() {

		fq := newFilterQueueWithDefaults()
		impl, err := NewInstance(fq, constants.LocalServer, false, nil, "", policy.None)
		So(err, ShouldBeNil)

		err = impl.Run(context.Background())
		So(err, ShouldBeNil)

		cfg := &runtime.Configuration{
			TCPTargetNetworks: []string{"!2001:db8:1234::/48", "!10.10.10.0/24", "::/0", "!10.0.0.0/8", "10.10.0.0/16", "0.0.0.0/0"},
			UDPTargetNetworks: []string{"!10.10.10.0/24", "10.0.0.0/8"},
			ExcludedNetworks:  []string{"!192.168.56.15/32", "127.0.0.1", "192.168.56.0/24"},
		}
		err = impl.SetTargetNetworks(cfg) // nolint
		So(err, ShouldBeNil)

		// Setup external networks
		appACLs := policy.IPRuleList{
			policy.IPRule{
				Addresses: []string{"10.0.0.0/8", "!10.0.0.0/16", "!10.0.2.0/24", "10.0.2.7"},
				Ports:     []string{"80"},
				Protocols: []string{constants.TCPProtoNum},
				Policy: &policy.FlowPolicy{
					Action:    policy.Accept | policy.Log,
					ServiceID: "a1",
					PolicyID:  "123a",
				},
			},
			policy.IPRule{
				Addresses: []string{"::/0", "!2001:db8:1234::/48"},
				Ports:     []string{"80"},
				Protocols: []string{constants.TCPProtoNum},
				Policy: &policy.FlowPolicy{
					Action:    policy.Accept | policy.Log,
					ServiceID: "a3",
					PolicyID:  "1234a",
				},
			},
		}
		netACLs := policy.IPRuleList{
			policy.IPRule{
				Addresses: []string{"0.0.0.0/0", "!10.0.0.0/8", "10.0.0.0/16", "!10.0.2.8"},
				Ports:     []string{"80"},
				Protocols: []string{constants.TCPProtoNum},
				Policy: &policy.FlowPolicy{
					Action:    policy.Accept | policy.Log,
					ServiceID: "a2",
					PolicyID:  "123b",
				},
			},
		}

		policyRules := policy.NewPUPolicy("Context", "/ns1", policy.Police, appACLs, netACLs, nil, nil, nil, nil, nil, nil, nil, 20992, 0, nil, nil, []string{}, policy.EnforcerMapping, policy.Reject|policy.Log, policy.Reject|policy.Log)

		puInfo := policy.NewPUInfo("Context", "/ns1", common.HostPU)
		puInfo.Policy = policyRules
		puInfo.Runtime = policy.NewPURuntimeWithDefaults()
		puInfo.Runtime.SetPUType(common.HostPU)
		puInfo.Runtime.SetOptions(policy.OptionsType{
			CgroupMark: "10",
		})

		// configure rules
		var iprules policy.IPRuleList
		iprules = append(iprules, puInfo.Policy.ApplicationACLs()...)
		iprules = append(iprules, puInfo.Policy.NetworkACLs()...)
		err = impl.iptv4.ipsetmanager.RegisterExternalNets("pu1", iprules)
		So(err, ShouldBeNil)
		err = impl.iptv6.ipsetmanager.RegisterExternalNets("pu1", iprules)
		So(err, ShouldBeNil)

		err = impl.ConfigureRules(0, "pu1", puInfo)
		So(err, ShouldBeNil)

		// Check ipsets
		setName := impl.iptv4.ipsetmanager.GetACLIPsetsNames(appACLs[0:1])[0]
		So(a.ipsets[setName], ShouldContain, "10.0.0.0/8")
		So(a.ipsets[setName], ShouldContain, "10.0.0.0/16")
		So(a.ipsets[setName], ShouldContain, "10.0.2.0/24")
		So(a.ipsets[setName], ShouldContain, "10.0.2.7")
		So(a.ipsetsNomatch[setName], ShouldNotContain, "10.0.0.0/8")
		So(a.ipsetsNomatch[setName], ShouldContain, "10.0.0.0/16")
		So(a.ipsetsNomatch[setName], ShouldContain, "10.0.2.0/24")
		So(a.ipsetsNomatch[setName], ShouldNotContain, "10.0.2.7")

		setName = impl.iptv6.ipsetmanager.GetACLIPsetsNames(appACLs[1:2])[0]
		So(a.ipsets[setName], ShouldContain, "::/1")
		So(a.ipsets[setName], ShouldContain, "8000::/1")
		So(a.ipsets[setName], ShouldContain, "2001:db8:1234::/48")
		So(a.ipsetsNomatch[setName], ShouldNotContain, "::/1")
		So(a.ipsetsNomatch[setName], ShouldNotContain, "8000::/1")
		So(a.ipsetsNomatch[setName], ShouldContain, "2001:db8:1234::/48")

		setName = impl.iptv4.ipsetmanager.GetACLIPsetsNames(netACLs[0:1])[0]
		So(a.ipsets[setName], ShouldContain, "0.0.0.0/1")
		So(a.ipsets[setName], ShouldContain, "128.0.0.0/1")
		So(a.ipsets[setName], ShouldContain, "10.0.0.0/8")
		So(a.ipsets[setName], ShouldContain, "10.0.0.0/16")
		So(a.ipsets[setName], ShouldContain, "10.0.2.8")
		So(a.ipsetsNomatch[setName], ShouldNotContain, "0.0.0.0/1")
		So(a.ipsetsNomatch[setName], ShouldNotContain, "128.0.0.0/1")
		So(a.ipsetsNomatch[setName], ShouldContain, "10.0.0.0/8")
		So(a.ipsetsNomatch[setName], ShouldNotContain, "10.0.0.0/16")
		So(a.ipsetsNomatch[setName], ShouldContain, "10.0.2.8")

		// Reconfigure external networks
		appACLs = policy.IPRuleList{
			policy.IPRule{
				Addresses: []string{"10.0.0.0/8", "!10.0.0.0/16", "10.0.2.0/24", "!10.0.2.7"},
				Ports:     []string{"80"},
				Protocols: []string{constants.TCPProtoNum},
				Policy: &policy.FlowPolicy{
					Action:    policy.Accept | policy.Log,
					ServiceID: "a1",
					PolicyID:  "123a",
				},
			},
		}
		netACLs = policy.IPRuleList{
			policy.IPRule{
				Addresses: []string{"0.0.0.0/0", "10.0.0.0/8", "!10.0.2.0/24"},
				Ports:     []string{"80"},
				Protocols: []string{constants.TCPProtoNum},
				Policy: &policy.FlowPolicy{
					Action:    policy.Accept | policy.Log,
					ServiceID: "a2",
					PolicyID:  "123b",
				},
			},
		}

		policyRules = policy.NewPUPolicy("Context", "/ns1", policy.Police, appACLs, netACLs, nil, nil, nil, nil, nil, nil, nil, 20992, 0, nil, nil, []string{}, policy.EnforcerMapping, policy.Reject|policy.Log, policy.Reject|policy.Log)

		puInfoUpdated := policy.NewPUInfo("Context", "/ns1", common.HostPU)
		puInfoUpdated.Policy = policyRules
		puInfoUpdated.Runtime = policy.NewPURuntimeWithDefaults()
		puInfoUpdated.Runtime.SetPUType(common.HostPU)
		puInfoUpdated.Runtime.SetOptions(policy.OptionsType{
			CgroupMark: "10",
		})

		// Reconfigure rules
		iprules = nil
		iprules = append(iprules, puInfoUpdated.Policy.ApplicationACLs()...)
		iprules = append(iprules, puInfoUpdated.Policy.NetworkACLs()...)
		err = impl.iptv4.ipsetmanager.RegisterExternalNets("pu1", iprules)
		So(err, ShouldBeNil)

		err = impl.UpdateRules(1, "pu1", puInfoUpdated, puInfo)
		So(err, ShouldBeNil)

		impl.iptv4.ipsetmanager.DestroyUnusedIPsets()

		// Check ipsets again
		setName = impl.iptv4.ipsetmanager.GetACLIPsetsNames(appACLs[0:1])[0]
		So(a.ipsets[setName], ShouldContain, "10.0.0.0/8")
		So(a.ipsets[setName], ShouldContain, "10.0.0.0/16")
		So(a.ipsets[setName], ShouldContain, "10.0.2.0/24")
		So(a.ipsets[setName], ShouldContain, "10.0.2.7")
		So(a.ipsetsNomatch[setName], ShouldNotContain, "10.0.0.0/8")
		So(a.ipsetsNomatch[setName], ShouldContain, "10.0.0.0/16")
		So(a.ipsetsNomatch[setName], ShouldNotContain, "10.0.2.0/24")
		So(a.ipsetsNomatch[setName], ShouldContain, "10.0.2.7")

		setName = impl.iptv4.ipsetmanager.GetACLIPsetsNames(netACLs[0:1])[0]
		So(a.ipsets[setName], ShouldContain, "0.0.0.0/1")
		So(a.ipsets[setName], ShouldContain, "128.0.0.0/1")
		So(a.ipsets[setName], ShouldContain, "10.0.0.0/8")
		So(a.ipsets[setName], ShouldContain, "10.0.2.0/24")
		So(a.ipsets[setName], ShouldNotContain, "10.0.2.8")
		So(a.ipsetsNomatch[setName], ShouldNotContain, "0.0.0.0/1")
		So(a.ipsetsNomatch[setName], ShouldNotContain, "128.0.0.0/1")
		So(a.ipsetsNomatch[setName], ShouldNotContain, "10.0.0.0/8")
		So(a.ipsetsNomatch[setName], ShouldContain, "10.0.2.0/24")

		// Configure and check acl cache
		aclCache := tacls.NewACLCache()
		err = aclCache.AddRuleList(puInfoUpdated.Policy.ApplicationACLs())
		So(err, ShouldBeNil)

		defaultFlowPolicy := &policy.FlowPolicy{Action: policy.Reject | policy.Log, PolicyID: "default", ServiceID: "default"}

		report, _, err := aclCache.GetMatchingAction(net.ParseIP("10.0.2.7"), 80, packet.IPProtocolTCP, defaultFlowPolicy)
		So(err, ShouldNotBeNil)
		So(report.Action, ShouldEqual, policy.Reject|policy.Log)

		report, _, err = aclCache.GetMatchingAction(net.ParseIP("10.0.2.8"), 80, packet.IPProtocolTCP, defaultFlowPolicy)
		So(err, ShouldBeNil)
		So(report.Action, ShouldEqual, policy.Accept|policy.Log)

		report, _, err = aclCache.GetMatchingAction(net.ParseIP("10.0.3.1"), 80, packet.IPProtocolTCP, defaultFlowPolicy)
		So(err, ShouldNotBeNil)
		So(report.Action, ShouldEqual, policy.Reject|policy.Log)

		report, _, err = aclCache.GetMatchingAction(net.ParseIP("10.1.3.1"), 80, packet.IPProtocolTCP, defaultFlowPolicy)
		So(err, ShouldBeNil)
		So(report.Action, ShouldEqual, policy.Accept|policy.Log)

		report, _, err = aclCache.GetMatchingAction(net.ParseIP("11.1.3.1"), 80, packet.IPProtocolTCP, defaultFlowPolicy)
		So(err, ShouldNotBeNil)
		So(report.Action, ShouldEqual, policy.Reject|policy.Log)
	})
}

func newFilterQueueWithDefaults() fqconfig.FilterQueue {
	return fqconfig.NewFilterQueue(0, []string{"0.0.0.0/0", "::/0"})
}

func Test_WindowsConfigureRulesV4(t *testing.T) {

	a := &abi{
		filters:       make(map[string]map[string]bool),
		ipsets:        make(map[string][]string),
		ipsetsNomatch: make(map[string][]string),
		ipsetByID:     make(map[int]string),
	}
	frontman.Driver = a

	getEnforcerPID = func() int { return 111 }
	getCnsAgentMgrPID = func() int { return 222 }
	getCnsAgentBootPID = func() int { return 333 }

	Convey("Given a valid instance", t, func() {

		fq := newFilterQueueWithDefaults()
		impl, err := NewInstance(fq, constants.LocalServer, false, nil, "", policy.None)
		So(err, ShouldBeNil)

		err = impl.Run(context.Background())
		So(err, ShouldBeNil)

		// check filters
		So(a.filters, ShouldHaveLength, 8)
		So(a.filters, ShouldContainKey, "GlobalRules-OUTPUT-v4")
		So(a.filters, ShouldContainKey, "GlobalRules-INPUT-v4")
		So(a.filters, ShouldContainKey, "ProcessRules-OUTPUT-v4")
		So(a.filters, ShouldContainKey, "ProcessRules-INPUT-v4")
		So(a.filters, ShouldContainKey, "HostSvcRules-OUTPUT-v4")
		So(a.filters, ShouldContainKey, "HostSvcRules-INPUT-v4")
		So(a.filters, ShouldContainKey, "HostPU-OUTPUT-v4")
		So(a.filters, ShouldContainKey, "HostPU-INPUT-v4")

		// check ipsets
		So(a.ipsets, ShouldHaveLength, 9)
		So(a.ipsets, ShouldContainKey, "TRI-v4-TargetTCP")
		So(a.ipsets, ShouldContainKey, "TRI-v4-TargetUDP")
		So(a.ipsets, ShouldContainKey, "TRI-v4-Excluded")
		So(a.ipsets, ShouldContainKey, "TRI-v6-TargetTCP")
		So(a.ipsets, ShouldContainKey, "TRI-v6-TargetUDP")
		So(a.ipsets, ShouldContainKey, "TRI-v6-Excluded")
		So(a.ipsets, ShouldContainKey, "TRI-v4-WindowsAllIPs")
		So(a.ipsets, ShouldContainKey, "TRI-v6-WindowsAllIPs")
		So(a.ipsets, ShouldContainKey, "TRI-v4-WindowsDNSServer")
		So(a.ipsets["TRI-v4-WindowsAllIPs"], ShouldContain, "0.0.0.0/0")
		So(a.ipsets["TRI-v4-WindowsDNSServer"], ShouldContain, "0.0.0.0/0")
		So(a.ipsets["TRI-v6-WindowsAllIPs"], ShouldContain, "::/0")

		cfg := &runtime.Configuration{}
		impl.SetTargetNetworks(cfg) // nolint
		So(err, ShouldBeNil)

		policyRules := policy.NewPUPolicy("Context", "/ns1", policy.Police, nil, nil, nil, nil, nil, nil, nil, nil, nil, 20992, 0, nil, nil, []string{}, policy.EnforcerMapping, policy.Reject|policy.Log, policy.Reject|policy.Log)

		puInfo := policy.NewPUInfo("Context", "/ns1", common.HostPU)
		puInfo.Policy = policyRules
		puInfo.Runtime = policy.NewPURuntimeWithDefaults()
		puInfo.Runtime.SetPUType(common.HostPU)
		puInfo.Runtime.SetOptions(policy.OptionsType{
			CgroupMark: "10",
		})

		// configure rules
		err = impl.ConfigureRules(1, "ID", puInfo)
		So(err, ShouldBeNil)

		So(a.filters["GlobalRules-OUTPUT-v4"], ShouldContainKey, "-m set --match-set TRI-v4-Excluded dstIP -j ACCEPT_ONCE")
		So(a.filters["GlobalRules-OUTPUT-v4"], ShouldContainKey, fmt.Sprintf("-m owner --pid-owner %d -j ACCEPT", getEnforcerPID()))
		So(a.filters["GlobalRules-INPUT-v4"], ShouldContainKey, "-m set --match-set TRI-v4-Excluded srcIP -j ACCEPT_ONCE")
		So(a.filters["GlobalRules-INPUT-v4"], ShouldContainKey, fmt.Sprintf("-m owner --pid-owner %d -j ACCEPT", getEnforcerPID()))
		So(a.filters["GlobalRules-INPUT-v4"], ShouldContainKey, "-p udp --sports 53 -m set --match-set TRI-v4-WindowsDNSServer srcIP -j NFQUEUE_FORCE -j MARK 83")
		So(a.filters["ProcessRules-OUTPUT-v4"], ShouldBeEmpty)
		So(a.filters["ProcessRules-INPUT-v4"], ShouldBeEmpty)
		So(a.filters["HostSvcRules-OUTPUT-v4"], ShouldBeEmpty)
		So(a.filters["HostSvcRules-INPUT-v4"], ShouldBeEmpty)
		So(a.filters["HostPU-INPUT-v4"], ShouldContainKey, "-p tcp -m set --match-set TRI-v4-Proxy-IDeCFL-srv dstPort -j REDIRECT --to-ports 20992")
		So(a.filters["TRI-App-IDtxit7H-1-v4"], ShouldContainKey, "-p tcp --tcp-flags 1,1 -m set --match-set TRI-v4-TargetTCP dstIP -j ACCEPT")
		So(a.filters["TRI-App-IDtxit7H-1-v4"], ShouldContainKey, "-p udp -m set --match-set TRI-v4-TargetUDP dstIP -j NFQUEUE -j MARK 10")
		So(a.filters["TRI-App-IDtxit7H-1-v4"], ShouldContainKey, "-p tcp -m set --match-set TRI-v4-TargetTCP dstIP -j NFQUEUE -j MARK 10")
		So(a.filters["TRI-App-IDtxit7H-1-v4"], ShouldContainKey, "-p tcp --tcp-flags 18,18 -j NFQUEUE -j MARK 10")
		So(a.filters["TRI-App-IDtxit7H-1-v4"], ShouldContainKey, "-m set --match-set TRI-v4-WindowsAllIPs dstIP -j NFLOG --nflog-group 10 --nflog-prefix 1215753766:default:default:10")
		So(a.filters["TRI-App-IDtxit7H-1-v4"], ShouldContainKey, "-m set --match-set TRI-v4-WindowsAllIPs dstIP -j DROP -j NFLOG --nflog-group 10 --nflog-prefix 1215753766:default:default:6")
		So(a.filters["TRI-Net-IDtxit7H-1-v4"], ShouldContainKey, "-p tcp --tcp-flags 45,0 --tcp-option 34 -j NFQUEUE MARK 10")
		So(a.filters["TRI-Net-IDtxit7H-1-v4"], ShouldContainKey, "-p udp -m string --string n30njxq7bmiwr6dtxq --offset 4 -j NFQUEUE -j MARK 10")
		So(a.filters["TRI-Net-IDtxit7H-1-v4"], ShouldContainKey, "-p udp -m string --string n30njxq7bmiwr6dtxq --offset 6 -j NFQUEUE -j MARK 10")
		So(a.filters["TRI-Net-IDtxit7H-1-v4"], ShouldContainKey, "-p tcp --tcp-flags 2,0 -j NFQUEUE -j MARK 10")
		So(a.filters["TRI-Net-IDtxit7H-1-v4"], ShouldContainKey, "-p tcp --tcp-flags 18,18 -m set --match-set TRI-v4-TargetTCP srcIP -j NFQUEUE -j MARK 10")
		So(a.filters["TRI-Net-IDtxit7H-1-v4"], ShouldContainKey, "-m set --match-set TRI-v4-WindowsAllIPs srcIP -j NFLOG --nflog-group 11 --nflog-prefix 1215753766:default:default:10")
		So(a.filters["TRI-Net-IDtxit7H-1-v4"], ShouldContainKey, "-m set --match-set TRI-v4-WindowsAllIPs srcIP -j DROP -j NFLOG --nflog-group 11 --nflog-prefix 1215753766:default:default:6")

		So(a.ipsets, ShouldContainKey, "TRI-v4-Proxy-IDeCFL-srv")
		So(a.ipsets, ShouldContainKey, "TRI-v4-Proxy-IDeCFL-dst")
		So(a.ipsets, ShouldContainKey, "TRI-v4-ProcPort-IDeCFL")

		// configure rules for process wrap
		puInfo = policy.NewPUInfo("Context", "/ns1", common.WindowsProcessPU)
		puInfo.Policy = policyRules
		puInfo.Runtime = policy.NewPURuntimeWithDefaults()
		puInfo.Runtime.SetPUType(common.WindowsProcessPU)
		puInfo.Runtime.SetOptions(policy.OptionsType{
			CgroupMark: "10",
		})

		err = impl.ConfigureRules(1, "1234", puInfo)
		So(err, ShouldBeNil)

		const pidFilterSubstring = "-m owner --pid-owner 1234 --pid-childrenonly"
		So(len(a.filters["ProcessRules-OUTPUT-v4"]), ShouldNotBeZeroValue)
		So(len(a.filters["ProcessRules-INPUT-v4"]), ShouldNotBeZeroValue)

		for filter := range a.filters {

			if strings.HasPrefix(filter, "ProcessRules") {
				for k := range a.filters["ProcessRules-OUTPUT-v4"] {
					So(k, ShouldContainSubstring, pidFilterSubstring)
				}
				for k := range a.filters["ProcessRules-INPUT-v4"] {
					So(k, ShouldContainSubstring, pidFilterSubstring)
				}
			} else {
				for k := range a.filters[filter] {
					So(k, ShouldNotContainSubstring, pidFilterSubstring)
				}
				for k := range a.filters[filter] {
					So(k, ShouldNotContainSubstring, pidFilterSubstring)
				}
			}
		}
	})

}

func Test_WindowsConfigureRulesV6(t *testing.T) {

	a := &abi{
		filters:       make(map[string]map[string]bool),
		ipsets:        make(map[string][]string),
		ipsetsNomatch: make(map[string][]string),
		ipsetByID:     make(map[int]string),
	}
	frontman.Driver = a

	getEnforcerPID = func() int { return 111 }
	getCnsAgentMgrPID = func() int { return 222 }
	getCnsAgentBootPID = func() int { return 333 }

	Convey("Given a valid instance with ipv6 enabled", t, func() {

		fq := newFilterQueueWithDefaults()
		impl, err := NewInstance(fq, constants.LocalServer, true, nil, "", policy.None)
		So(err, ShouldBeNil)

		err = impl.Run(context.Background())
		So(err, ShouldBeNil)

		// check filters
		So(a.filters, ShouldHaveLength, 16)
		So(a.filters, ShouldContainKey, "GlobalRules-OUTPUT-v4")
		So(a.filters, ShouldContainKey, "GlobalRules-INPUT-v4")
		So(a.filters, ShouldContainKey, "ProcessRules-OUTPUT-v4")
		So(a.filters, ShouldContainKey, "ProcessRules-INPUT-v4")
		So(a.filters, ShouldContainKey, "HostSvcRules-OUTPUT-v4")
		So(a.filters, ShouldContainKey, "HostSvcRules-INPUT-v4")
		So(a.filters, ShouldContainKey, "HostPU-OUTPUT-v4")
		So(a.filters, ShouldContainKey, "HostPU-INPUT-v4")
		So(a.filters, ShouldContainKey, "GlobalRules-OUTPUT-v6")
		So(a.filters, ShouldContainKey, "GlobalRules-INPUT-v6")
		So(a.filters, ShouldContainKey, "ProcessRules-OUTPUT-v6")
		So(a.filters, ShouldContainKey, "ProcessRules-INPUT-v6")
		So(a.filters, ShouldContainKey, "HostSvcRules-OUTPUT-v6")
		So(a.filters, ShouldContainKey, "HostSvcRules-INPUT-v6")
		So(a.filters, ShouldContainKey, "HostPU-OUTPUT-v6")
		So(a.filters, ShouldContainKey, "HostPU-INPUT-v6")

		// check ipsets
		So(a.ipsets, ShouldHaveLength, 9)
		So(a.ipsets, ShouldContainKey, "TRI-v4-TargetTCP")
		So(a.ipsets, ShouldContainKey, "TRI-v4-TargetUDP")
		So(a.ipsets, ShouldContainKey, "TRI-v4-Excluded")
		So(a.ipsets, ShouldContainKey, "TRI-v6-TargetTCP")
		So(a.ipsets, ShouldContainKey, "TRI-v6-TargetUDP")
		So(a.ipsets, ShouldContainKey, "TRI-v6-Excluded")
		So(a.ipsets, ShouldContainKey, "TRI-v4-WindowsAllIPs")
		So(a.ipsets, ShouldContainKey, "TRI-v6-WindowsAllIPs")
		So(a.ipsets, ShouldContainKey, "TRI-v4-WindowsDNSServer")
		So(a.ipsets["TRI-v4-WindowsAllIPs"], ShouldContain, "0.0.0.0/0")
		So(a.ipsets["TRI-v4-WindowsDNSServer"], ShouldContain, "0.0.0.0/0")
		So(a.ipsets["TRI-v6-WindowsAllIPs"], ShouldContain, "::/0")

		cfg := &runtime.Configuration{}
		impl.SetTargetNetworks(cfg) // nolint
		So(err, ShouldBeNil)

		policyRules := policy.NewPUPolicy("Context", "/ns1", policy.Police, nil, nil, nil, nil, nil, nil, nil, nil, nil, 20992, 0, nil, nil, []string{}, policy.EnforcerMapping, policy.Reject|policy.Log, policy.Reject|policy.Log)

		puInfo := policy.NewPUInfo("Context", "/ns1", common.HostPU)
		puInfo.Policy = policyRules
		puInfo.Runtime = policy.NewPURuntimeWithDefaults()
		puInfo.Runtime.SetPUType(common.HostPU)
		puInfo.Runtime.SetOptions(policy.OptionsType{
			CgroupMark: "10",
		})

		// configure rules
		err = impl.ConfigureRules(1, "ID", puInfo)
		So(err, ShouldBeNil)

		So(a.filters["GlobalRules-OUTPUT-v6"], ShouldContainKey, "-m set --match-set TRI-v6-Excluded dstIP -j ACCEPT_ONCE")
		So(a.filters["GlobalRules-OUTPUT-v6"], ShouldContainKey, "-p icmpv6 --icmp-type 133/0 -j ACCEPT")
		So(a.filters["GlobalRules-OUTPUT-v6"], ShouldContainKey, "-p icmpv6 --icmp-type 134/0 -j ACCEPT")
		So(a.filters["GlobalRules-OUTPUT-v6"], ShouldContainKey, "-p icmpv6 --icmp-type 135/0 -j ACCEPT")
		So(a.filters["GlobalRules-OUTPUT-v6"], ShouldContainKey, "-p icmpv6 --icmp-type 136/0 -j ACCEPT")
		So(a.filters["GlobalRules-OUTPUT-v6"], ShouldContainKey, "-p icmpv6 --icmp-type 141/0 -j ACCEPT")
		So(a.filters["GlobalRules-OUTPUT-v6"], ShouldContainKey, "-p icmpv6 --icmp-type 142/0 -j ACCEPT")

		So(a.filters["GlobalRules-INPUT-v6"], ShouldContainKey, "-m set --match-set TRI-v6-Excluded srcIP -j ACCEPT_ONCE")
		So(a.filters["GlobalRules-INPUT-v6"], ShouldContainKey, "-p icmpv6 --icmp-type 133/0 -j ACCEPT")
		So(a.filters["GlobalRules-INPUT-v6"], ShouldContainKey, "-p icmpv6 --icmp-type 134/0 -j ACCEPT")
		So(a.filters["GlobalRules-INPUT-v6"], ShouldContainKey, "-p icmpv6 --icmp-type 135/0 -j ACCEPT")
		So(a.filters["GlobalRules-INPUT-v6"], ShouldContainKey, "-p icmpv6 --icmp-type 136/0 -j ACCEPT")
		So(a.filters["GlobalRules-INPUT-v6"], ShouldContainKey, "-p icmpv6 --icmp-type 141/0 -j ACCEPT")
		So(a.filters["GlobalRules-INPUT-v6"], ShouldContainKey, "-p icmpv6 --icmp-type 142/0 -j ACCEPT")
		So(a.filters["ProcessRules-OUTPUT-v6"], ShouldBeEmpty)
		So(a.filters["ProcessRules-INPUT-v6"], ShouldBeEmpty)
		So(a.filters["HostSvcRules-OUTPUT-v6"], ShouldBeEmpty)
		So(a.filters["HostSvcRules-INPUT-v6"], ShouldBeEmpty)
		So(a.filters["TRI-App-IDtxit7H-1-v6"], ShouldContainKey, "-p tcp --tcp-flags 1,1 -m set --match-set TRI-v6-TargetTCP dstIP -j ACCEPT")
		So(a.filters["TRI-App-IDtxit7H-1-v6"], ShouldContainKey, "-p udp -m set --match-set TRI-v6-TargetUDP dstIP -j NFQUEUE -j MARK 10")
		So(a.filters["TRI-App-IDtxit7H-1-v6"], ShouldContainKey, "-p tcp -m set --match-set TRI-v6-TargetTCP dstIP -j NFQUEUE -j MARK 10")
		So(a.filters["TRI-App-IDtxit7H-1-v6"], ShouldContainKey, "-p tcp --tcp-flags 18,18 -j NFQUEUE -j MARK 10")
		So(a.filters["TRI-App-IDtxit7H-1-v6"], ShouldContainKey, "-m set --match-set TRI-v6-WindowsAllIPs dstIP -j NFLOG --nflog-group 10 --nflog-prefix 1215753766:default:default:10")
		So(a.filters["TRI-App-IDtxit7H-1-v6"], ShouldContainKey, "-m set --match-set TRI-v6-WindowsAllIPs dstIP -j DROP -j NFLOG --nflog-group 10 --nflog-prefix 1215753766:default:default:6")
		So(a.filters["TRI-Net-IDtxit7H-1-v6"], ShouldContainKey, "-p udp -m string --string n30njxq7bmiwr6dtxq --offset 4 -j NFQUEUE -j MARK 10")
		So(a.filters["TRI-Net-IDtxit7H-1-v6"], ShouldContainKey, "-p udp -m string --string n30njxq7bmiwr6dtxq --offset 6 -j NFQUEUE -j MARK 10")
		So(a.filters["TRI-Net-IDtxit7H-1-v6"], ShouldContainKey, "-p tcp --tcp-flags 45,0 --tcp-option 34 -j NFQUEUE MARK 10")
		So(a.filters["TRI-Net-IDtxit7H-1-v6"], ShouldContainKey, "-p tcp --tcp-flags 2,0 -j NFQUEUE -j MARK 10")
		So(a.filters["TRI-Net-IDtxit7H-1-v6"], ShouldContainKey, "-p tcp --tcp-flags 18,18 -m set --match-set TRI-v6-TargetTCP srcIP -j NFQUEUE -j MARK 10")
		So(a.filters["TRI-Net-IDtxit7H-1-v6"], ShouldContainKey, "-m set --match-set TRI-v6-WindowsAllIPs srcIP -j NFLOG --nflog-group 11 --nflog-prefix 1215753766:default:default:10")
		So(a.filters["TRI-Net-IDtxit7H-1-v6"], ShouldContainKey, "-m set --match-set TRI-v6-WindowsAllIPs srcIP -j DROP -j NFLOG --nflog-group 11 --nflog-prefix 1215753766:default:default:6")

		So(a.ipsets, ShouldContainKey, "TRI-v6-Proxy-IDeCFL-srv")
		So(a.ipsets, ShouldContainKey, "TRI-v6-Proxy-IDeCFL-dst")
		So(a.ipsets, ShouldContainKey, "TRI-v6-ProcPort-IDeCFL")
	})

}

func Test_WindowsConfigureRulesManagedByCns(t *testing.T) {

	a := &abi{
		filters:       make(map[string]map[string]bool),
		ipsets:        make(map[string][]string),
		ipsetsNomatch: make(map[string][]string),
		ipsetByID:     make(map[int]string),
	}
	frontman.Driver = a

	getEnforcerPID = func() int { return 111 }

	Convey("Given a valid instance where managed by CNS", t, func() {

		getCnsAgentMgrPID = func() int { return 222 }
		getCnsAgentBootPID = func() int { return 333 }

		fq := newFilterQueueWithDefaults()
		impl, err := NewInstance(fq, constants.LocalServer, false, nil, "", policy.None)
		So(err, ShouldBeNil)

		err = impl.Run(context.Background())
		So(err, ShouldBeNil)

		cfg := &runtime.Configuration{}
		impl.SetTargetNetworks(cfg) // nolint
		So(err, ShouldBeNil)

		policyRules := policy.NewPUPolicy("Context", "/ns1", policy.Police, nil, nil, nil, nil, nil, nil, nil, nil, nil, 20992, 0, nil, nil, []string{}, policy.EnforcerMapping, policy.Reject|policy.Log, policy.Reject|policy.Log)

		puInfo := policy.NewPUInfo("Context", "/ns1", common.HostPU)
		puInfo.Policy = policyRules
		puInfo.Runtime = policy.NewPURuntimeWithDefaults()
		puInfo.Runtime.SetPUType(common.HostPU)
		puInfo.Runtime.SetOptions(policy.OptionsType{
			CgroupMark: "10",
		})

		// configure rules
		err = impl.ConfigureRules(1, "ID", puInfo)
		So(err, ShouldBeNil)

		So(a.filters["GlobalRules-OUTPUT-v4"], ShouldContainKey, fmt.Sprintf("-m owner --pid-owner %d -j ACCEPT", getEnforcerPID()))
		So(a.filters["GlobalRules-OUTPUT-v4"], ShouldContainKey, fmt.Sprintf("-m owner --pid-owner %d -j ACCEPT", getCnsAgentMgrPID()))
		So(a.filters["GlobalRules-OUTPUT-v4"], ShouldContainKey, fmt.Sprintf("-m owner --pid-owner %d --pid-children -j ACCEPT", getCnsAgentBootPID()))
		So(a.filters["GlobalRules-INPUT-v4"], ShouldContainKey, fmt.Sprintf("-m owner --pid-owner %d -j ACCEPT", getEnforcerPID()))
		So(a.filters["GlobalRules-INPUT-v4"], ShouldContainKey, fmt.Sprintf("-m owner --pid-owner %d -j ACCEPT", getCnsAgentMgrPID()))
		So(a.filters["GlobalRules-INPUT-v4"], ShouldContainKey, fmt.Sprintf("-m owner --pid-owner %d --pid-children -j ACCEPT", getCnsAgentBootPID()))
	})

	Convey("Given a valid instance where not managed by CNS", t, func() {

		getCnsAgentMgrPID = func() int { return -1 }
		getCnsAgentBootPID = func() int { return -1 }

		fq := newFilterQueueWithDefaults()
		impl, err := NewInstance(fq, constants.LocalServer, false, nil, "", policy.None)
		So(err, ShouldBeNil)

		err = impl.Run(context.Background())
		So(err, ShouldBeNil)

		cfg := &runtime.Configuration{}
		impl.SetTargetNetworks(cfg) // nolint
		So(err, ShouldBeNil)

		policyRules := policy.NewPUPolicy("Context", "/ns1", policy.Police, nil, nil, nil, nil, nil, nil, nil, nil, nil, 20992, 0, nil, nil, []string{}, policy.EnforcerMapping, policy.Reject|policy.Log, policy.Reject|policy.Log)

		puInfo := policy.NewPUInfo("Context", "/ns1", common.HostPU)
		puInfo.Policy = policyRules
		puInfo.Runtime = policy.NewPURuntimeWithDefaults()
		puInfo.Runtime.SetPUType(common.HostPU)
		puInfo.Runtime.SetOptions(policy.OptionsType{
			CgroupMark: "10",
		})

		// configure rules
		err = impl.ConfigureRules(1, "ID", puInfo)
		So(err, ShouldBeNil)

		So(a.filters["GlobalRules-OUTPUT-v4"], ShouldContainKey, fmt.Sprintf("-m owner --pid-owner %d -j ACCEPT", getEnforcerPID()))
		So(a.filters["GlobalRules-OUTPUT-v4"], ShouldNotContainKey, fmt.Sprintf("-m owner --pid-owner %d -j ACCEPT", getCnsAgentMgrPID()))
		So(a.filters["GlobalRules-OUTPUT-v4"], ShouldNotContainKey, fmt.Sprintf("-m owner --pid-owner %d --pid-children -j ACCEPT", getCnsAgentBootPID()))
		So(a.filters["GlobalRules-INPUT-v4"], ShouldContainKey, fmt.Sprintf("-m owner --pid-owner %d -j ACCEPT", getEnforcerPID()))
		So(a.filters["GlobalRules-INPUT-v4"], ShouldNotContainKey, fmt.Sprintf("-m owner --pid-owner %d -j ACCEPT", getCnsAgentMgrPID()))
		So(a.filters["GlobalRules-INPUT-v4"], ShouldNotContainKey, fmt.Sprintf("-m owner --pid-owner %d --pid-children -j ACCEPT", getCnsAgentBootPID()))
	})

}


================================================
FILE: controller/internal/supervisor/iptablesctrl/ipv4.go
================================================
package iptablesctrl

import (
	"fmt"
	"net"
	"strings"

	"github.com/aporeto-inc/go-ipset/ipset"
	provider "go.aporeto.io/enforcerd/trireme-lib/controller/pkg/aclprovider"
	"go.aporeto.io/gaia/protocols"
)

const (
	// IPv4DefaultIP is the default ip address of ipv4 subnets
	IPv4DefaultIP = "0.0.0.0/0"
)

var ipsetV4Param *ipset.Params

type ipv4 struct {
	ipt provider.IptablesProvider
}

func init() {
	ipsetV4Param = &ipset.Params{}
}

// GetIPv4Impl creates the instance of ipv4 struct which implements the interface
// ipImpl
func GetIPv4Impl() (IPImpl, error) {
	ipt, err := provider.NewGoIPTablesProviderV4([]string{"mangle"}, CustomQOSChain)
	if err != nil {
		return nil, fmt.Errorf("unable to initialize iptables provider: %s", err)
	}

	return &ipv4{ipt: ipt}, nil
}

func (i *ipv4) IPVersion() int {
	return IPV4
}

func (i *ipv4) IPFilter() func(net.IP) bool {
	ipv4Filter := func(ip net.IP) bool {
		return (ip.To4() != nil)
	}

	return ipv4Filter
}

func (i *ipv4) GetDefaultIP() string {
	return IPv4DefaultIP
}

func (i *ipv4) NeedICMP() bool {
	return false
}

func (i *ipv4) ProtocolAllowed(proto string) bool {

	return !(strings.ToUpper(proto) == protocols.L4ProtocolICMP6)
}

func (i *ipv4) Append(table, chain string, rulespec ...string) error {
	return i.ipt.Append(table, chain, rulespec...)
}

func (i *ipv4) Insert(table, chain string, pos int, rulespec ...string) error {
	return i.ipt.Insert(table, chain, pos, rulespec...)
}

func (i *ipv4) ListChains(table string) ([]string, error) {
	return i.ipt.ListChains(table)
}

func (i *ipv4) ClearChain(table, chain string) error {
	return i.ipt.ClearChain(table, chain)
}

func (i *ipv4) DeleteChain(table, chain string) error {
	return i.ipt.DeleteChain(table, chain)
}

func (i *ipv4) NewChain(table, chain string) error {
	return i.ipt.NewChain(table, chain)
}

func (i *ipv4) Commit() error {
	return i.ipt.Commit()
}

func (i *ipv4) Delete(table, chain string, rulespec ...string) error {
	return i.ipt.Delete(table, chain, rulespec...)
}

func (i *ipv4) RetrieveTable() map[string]map[string][]string {
	return i.ipt.RetrieveTable()
}

func (i *ipv4) ResetRules(subs string) error {
	return i.ipt.ResetRules(subs)
}

func (i *ipv4) ListRules(table, chain string) ([]string, error) {
	return i.ipt.ListRules(table, chain)
}


================================================
FILE: controller/internal/supervisor/iptablesctrl/ipv6.go
================================================
package iptablesctrl

import (
	"net"
	"strings"

	"github.com/aporeto-inc/go-ipset/ipset"
	provider "go.aporeto.io/enforcerd/trireme-lib/controller/pkg/aclprovider"
	"go.aporeto.io/gaia/protocols"
)

const (
	// IPv6DefaultIP is the default IP subnet of ipv6
	IPv6DefaultIP = "::/0"
)

type ipv6 struct {
	ipt         provider.IptablesProvider
	ipv6Enabled bool
}

var ipsetV6Param *ipset.Params

func init() {
	ipsetV6Param = &ipset.Params{HashFamily: "inet6"}
}

func (i *ipv6) IPVersion() int {
	return IPV6
}

func (i *ipv6) IPFilter() func(net.IP) bool {
	ipv6Filter := func(ip net.IP) bool {
		return (ip.To4() == nil)
	}

	return ipv6Filter
}

func (i *ipv6) GetDefaultIP() string {
	return IPv6DefaultIP
}

func (i *ipv6) NeedICMP() bool {
	return true
}

func (i *ipv6) ProtocolAllowed(proto string) bool {
	return !(strings.ToUpper(proto) == protocols.L4ProtocolICMP)
}

func (i *ipv6) Append(table, chain string, rulespec ...string) error {
	if !i.ipv6Enabled || i.ipt == nil {
		return nil
	}

	return i.ipt.Append(table, chain, rulespec...)
}

func (i *ipv6) Insert(table, chain string, pos int, rulespec ...string) error {
	if !i.ipv6Enabled || i.ipt == nil {
		return nil
	}

	return i.ipt.Insert(table, chain, pos, rulespec...)
}

func (i *ipv6) ListChains(table string) ([]string, error) {
	if !i.ipv6Enabled || i.ipt == nil {
		return nil, nil
	}

	return i.ipt.ListChains(table)
}

func (i *ipv6) ClearChain(table, chain string) error {
	if !i.ipv6Enabled || i.ipt == nil {
		return nil
	}

	return i.ipt.ClearChain(table, chain)
}

func (i *ipv6) DeleteChain(table, chain string) error {
	if !i.ipv6Enabled || i.ipt == nil {
		return nil
	}

	return i.ipt.DeleteChain(table, chain)
}

func (i *ipv6) NewChain(table, chain string) error {
	if !i.ipv6Enabled || i.ipt == nil {
		return nil
	}

	return i.ipt.NewChain(table, chain)
}

func (i *ipv6) Commit() error {
	if !i.ipv6Enabled || i.ipt == nil {
		return nil
	}

	return i.ipt.Commit()
}

func (i *ipv6) Delete(table, chain string, rulespec ...string) error {
	if !i.ipv6Enabled || i.ipt == nil {
		return nil
	}

	return i.ipt.Delete(table, chain, rulespec...)
}

func (i *ipv6) RetrieveTable() map[string]map[string][]string {
	return i.ipt.RetrieveTable()
}

func (i *ipv6) ResetRules(subs string) error {
	if !i.ipv6Enabled || i.ipt == nil {
		return nil
	}

	return i.ipt.ResetRules(subs)
}

func (i *ipv6) ListRules(table, chain string) ([]string, error) {
	return i.ipt.ListRules(table, chain)
}


================================================
FILE: controller/internal/supervisor/iptablesctrl/ipv6_nonwindows.go
================================================
// +build !windows

package iptablesctrl

import (
	provider "go.aporeto.io/enforcerd/trireme-lib/controller/pkg/aclprovider"
)

// GetIPv6Impl creates the instance of ipv6 struct which implements
// the interface ipImpl
func GetIPv6Impl(ipv6Enabled bool) (IPImpl, error) {
	ipt, err := provider.NewGoIPTablesProviderV6([]string{"mangle"}, CustomQOSChain)
	if err == nil {
		// test if the system supports ip6tables
		if _, err = ipt.ListChains("mangle"); err == nil {
			return &ipv6{ipt: ipt, ipv6Enabled: ipv6Enabled}, nil
		}
	}

	return &ipv6{ipt: nil, ipv6Enabled: false}, nil
}


================================================
FILE: controller/internal/supervisor/iptablesctrl/ipv6_windows.go
================================================
// +build windows

package iptablesctrl

import (
	provider "go.aporeto.io/enforcerd/trireme-lib/controller/pkg/aclprovider"
)

// GetIPv6Impl creates the instance of ipv6 struct which implements
// the interface ipImpl
func GetIPv6Impl(ipv6Enabled bool) (IPImpl, error) {
	if ipt, err := provider.NewGoIPTablesProviderV6(nil, ""); err == nil {
		return &ipv6{ipt: ipt, ipv6Enabled: ipv6Enabled}, nil
	}
	return &ipv6{ipt: nil, ipv6Enabled: false}, nil
}


================================================
FILE: controller/internal/supervisor/iptablesctrl/legacyacls.go
================================================
package iptablesctrl

// legacyProxyRules creates all the proxy specific rules.
import (
	"text/template"

	"go.aporeto.io/trireme-lib/common"
	"go.aporeto.io/trireme-lib/policy"
	"go.uber.org/zap"
)

// This refers to the pu chain rules for pus in older distros like RH 6.9/Ubuntu 14.04. The rules
// consider source ports to identify packets from the process.
func (i *iptables) legacyPuChainRules(contextID, appChain string, netChain string, mark string, tcpPorts, udpPorts string, proxyPort string, proxyPortSetName string,
	appSection, netSection string, puType common.PUType, dnsProxyPort string, dnsServerIP string) [][]string {

	iptableCgroupSection := appSection
	iptableNetSection := netSection
	rules := [][]string{}

	if tcpPorts != "0" {
		rules = append(rules, [][]string{
			{
				appPacketIPTableContext,
				iptableCgroupSection,
				"-p", tcpProto,
				"-m", "multiport",
				"--source-ports", tcpPorts,
				"-m", "comment", "--comment", "Server-specific-chain",
				"-j", "MARK", "--set-mark", mark,
			},
			{
				appPacketIPTableContext,
				iptableCgroupSection,
				"-p", tcpProto,
				"-m", "multiport",
				"--source-ports", tcpPorts,
				"-m", "comment", "--comment", "Server-specific-chain",
				"-j", appChain,
			},
			{
				netPacketIPTableContext,
				iptableNetSection,
				"-p", tcpProto,
				"-m", "multiport",
				"--destination-ports", tcpPorts,
				"-m", "comment", "--comment", "Container-specific-chain",
				"-j", netChain,
			}}...)
	}

	if udpPorts != "0" {
		rules = append(rules, [][]string{
			{
				appPacketIPTableContext,
				iptableCgroupSection,
				"-p", udpProto,
				"-m", "multiport",
				"--source-ports", udpPorts,
				"-m", "comment", "--comment", "Server-specific-chain",
				"-j", "MARK", "--set-mark", mark,
			},
			{
				appPacketIPTableContext,
				iptableCgroupSection,
				"-p", udpProto, "-m", "mark", "--mark", mark,
				"-m", "addrtype", "--src-type", "LOCAL",
				"-m", "addrtype", "--dst-type", "LOCAL",
				"-m", "state", "--state", "NEW",
				"-j", "NFLOG", "--nflog-group", "10",
				"--nflog-prefix", policy.DefaultAcceptLogPrefix(contextID),
			},
			{
				appPacketIPTableContext,
				iptableCgroupSection,
				"-m", "comment", "--comment", "traffic-same-pu",
				"-p", udpProto, "-m", "mark", "--mark", mark,
				"-m", "addrtype", "--src-type", "LOCAL",
				"-m", "addrtype", "--dst-type", "LOCAL",
				"-j", "ACCEPT",
			},
			{
				appPacketIPTableContext,
				iptableCgroupSection,
				"-p", udpProto,
				"-m", "multiport",
				"--source-ports", udpPorts,
				"-m", "comment", "--comment", "Server-specific-chain",
				"-j", appChain,
			},
			{
				netPacketIPTableContext,
				iptableNetSection,
				"-m", "comment", "--comment", "traffic-same-pu",
				"-p", udpProto, "-m", "mark", "--mark", mark,
				"-m", "addrtype", "--src-type", "LOCAL",
				"-m", "addrtype", "--dst-type", "LOCAL",
				"-j", "ACCEPT",
			},
			{
				netPacketIPTableContext,
				iptableNetSection,
				"-p", udpProto,
				"-m", "multiport",
				"--destination-ports", udpPorts,
				"-m", "comment", "--comment", "Container-specific-chain",
				"-j", netChain,
			}}...)
	}

	if puType == common.HostPU {
		// Add a capture all traffic rule for host pu. This traps all traffic going out
		// of the box.

		rules = append(rules, []string{
			appPacketIPTableContext,
			iptableCgroupSection,
			"-m", "comment", "--comment", "capture all outgoing traffic",
			"-j", appChain,
		})
	}

	return append(rules, i.legacyProxyRules(tcpPorts, proxyPort, proxyPortSetName, mark, dnsProxyPort, dnsServerIP)...)
}

func (i *iptables) legacyProxyRules(tcpPorts string, proxyPort string, proxyPortSetName string, cgroupMark string, dnsProxyPort string, dnsServerIP string) [][]string {
	destSetName, srvSetName := i.getSetNames(proxyPortSetName)

	aclInfo := ACLInfo{
		MangleTable:         appPacketIPTableContext,
		NatTable:            appProxyIPTableContext,
		MangleProxyAppChain: proxyOutputChain,
		MangleProxyNetChain: proxyInputChain,
		NatProxyNetChain:    natProxyInputChain,
		NatProxyAppChain:    natProxyOutputChain,
		CgroupMark:          cgroupMark,
		DestIPSet:           destSetName,
		SrvIPSet:            srvSetName,
		ProxyPort:           proxyPort,
		ProxyMark:           proxyMark,
		TCPPorts:            tcpPorts,
		DNSProxyPort:        dnsProxyPort,
		DNSServerIP:         dnsServerIP,
	}

	tmpl := template.Must(template.New(legacyProxyRules).Funcs(template.FuncMap{
		"isCgroupSet": func() bool {
			return cgroupMark != ""
		},
		"enableDNSProxy": func() bool {
			return dnsServerIP != ""
		},
	}).Parse(legacyProxyRules))

	rules, err := extractRulesFromTemplate(tmpl, aclInfo)
	if err != nil {
		zap.L().Warn("unable to extract rules", zap.Error(err))
	}
	return rules
}


================================================
FILE: controller/internal/supervisor/iptablesctrl/portset.go
================================================
package iptablesctrl

import (
	"fmt"

	"go.aporeto.io/trireme-lib/controller/constants"
	"go.uber.org/zap"
)

func (i *iptables) getPortSet(contextID string) string {
	portset, err := i.contextIDToPortSetMap.Get(contextID)
	if err != nil {
		return ""
	}

	return portset.(string)
}

// createPortSets creates either UID or process port sets. This is only
// needed for Linux PUs and it returns immediately for container PUs.
func (i *iptables) createPortSet(contextID string, username string) error {

	if i.mode == constants.RemoteContainer {
		return nil
	}

	ipsetPrefix := i.impl.GetIPSetPrefix()
	prefix := ""
	if username != "" {
		prefix = ipsetPrefix + uidPortSetPrefix
	} else {
		prefix = ipsetPrefix + processPortSetPrefix
	}
	portSetName := puPortSetName(contextID, prefix)

	_, err := i.ipset.NewIpset(portSetName, portSetIpsetType, nil)
	if err != nil {
		return err
	}

	i.contextIDToPortSetMap.AddOrUpdate(contextID, portSetName)
	return nil
}

// deletePortSet delets the ports set that was created for a Linux PU.
// It returns without errors for container PUs.
func (i *iptables) deletePortSet(contextID string) error {

	if i.mode == constants.RemoteContainer {
		return nil
	}

	portSetName := i.getPortSet(contextID)
	if portSetName == "" {
		return fmt.Errorf("Failed to find port set")
	}

	ips := i.ipset.GetIpset(portSetName)
	if err := ips.Destroy(); err != nil {
		return fmt.Errorf("Failed to delete pu port set "+portSetName, zap.Error(err))
	}

	if err := i.contextIDToPortSetMap.Remove(contextID); err != nil {
		zap.L().Debug("portset not found for the contextID", zap.String("contextID", contextID))
	}

	return nil
}

// DeletePortFromPortSet deletes ports from port sets
func (i *iptables) DeletePortFromPortSet(contextID string, port string) error {

	portSetName := i.getPortSet(contextID)
	if portSetName == "" {
		return fmt.Errorf("unable to get portset for contextID %s", contextID)
	}

	ips := i.ipset.GetIpset(portSetName)
	if err := ips.Del(port); err != nil {
		return fmt.Errorf("unable to delete port from portset: %s", err)
	}

	return nil
}

// DeletePortFromPortSet deletes ports from port sets
func (i *Instance) DeletePortFromPortSet(contextID string, port string) error {

	if err := i.iptv4.DeletePortFromPortSet(contextID, port); err != nil {
		zap.L().Warn("Failed to delete port from ipv4 portset ", zap.String("contextID", contextID), zap.String("port", port), zap.Error(err))
	}

	if err := i.iptv6.DeletePortFromPortSet(contextID, port); err != nil {
		zap.L().Warn("Failed to delete port from ipv6 portset ", zap.String("port", port), zap.Error(err))
	}

	return nil
}

// AddPortToPortSet adds ports to the portsets
func (i *iptables) AddPortToPortSet(contextID string, port string) error {

	portSetName := i.getPortSet(contextID)
	if portSetName == "" {
		return fmt.Errorf("unable to get portset for contextID %s", contextID)
	}
	ips := i.ipset.GetIpset(portSetName)
	if err := ips.Add(port, 0); err != nil {
		return fmt.Errorf("unable to add port to portset: %s", err)
	}

	return nil
}

// AddPortToPortSet adds ports to the portsets
func (i *Instance) AddPortToPortSet(contextID string, port string) error {

	if err := i.iptv4.AddPortToPortSet(contextID, port); err != nil {
		zap.L().Warn("Failed to add port to ipv4 portset", zap.String("contextID", contextID), zap.String("port", port), zap.Error(err))
	}

	if err := i.iptv6.AddPortToPortSet(contextID, port); err != nil {
		zap.L().Warn("Failed to add port to ipv6 portset", zap.String("contextID", contextID), zap.String("port", port), zap.Error(err))
	}

	return nil
}


================================================
FILE: controller/internal/supervisor/iptablesctrl/rules.go
================================================
// +build !windows,!rhel6

package iptablesctrl

import (
	"strconv"

	markconstants "go.aporeto.io/enforcerd/trireme-lib/utils/constants"
)

var enforcerCgroupMark = strconv.Itoa(markconstants.EnforcerCgroupMark)

var triremChains = `
{{if isLocalServer}}
-t {{.MangleTable}} -N {{.HostInput}}
-t {{.MangleTable}} -N {{.HostOutput}}
-t {{.MangleTable}} -N {{.NetworkSvcInput}}
-t {{.MangleTable}} -N {{.NetworkSvcOutput}}
-t {{.MangleTable}} -N {{.TriremeInput}}
-t {{.MangleTable}} -N {{.TriremeOutput}}
{{end}}
-t {{.MangleTable}} -N {{.NfqueueOutput}}
-t {{.MangleTable}} -N {{.NfqueueInput}}
-t {{.MangleTable}} -N {{.MangleProxyAppChain}}
-t {{.MangleTable}} -N {{.MainAppChain}}
-t {{.MangleTable}} -N {{.MainNetChain}}
-t {{.MangleTable}} -N {{.MangleProxyNetChain}}
-t {{.NatTable}} -N {{.NatProxyAppChain}}
-t {{.NatTable}} -N {{.NatProxyNetChain}}
{{if isIstioEnabled}}
-t {{.MangleTable}} -N {{.IstioChain}}
{{end}}
`

var globalRules = `

{{.MangleTable}} {{.NfqueueInput}} -j HMARK --hmark-tuple dport,sport --hmark-mod {{.NumNFQueues}} --hmark-offset {{.DefaultInputMark}} --hmark-rnd 0xdeadbeef

{{range $index,$queuenum := .NFQueues}}
{{$.MangleTable}} {{$.NfqueueInput}} -m mark --mark {{getInputMark}} -j NFQUEUE --queue-num {{$queuenum}} --queue-bypass
{{end}}

{{.MangleTable}} {{.NfqueueOutput}} -j HMARK --hmark-tuple sport,dport --hmark-mod {{.NumNFQueues}} --hmark-offset 0 --hmark-rnd 0xdeadbeef

{{range $index,$queuenum := .NFQueues}}
{{$.MangleTable}} {{$.NfqueueOutput}} -m mark --mark {{getOutputMark}} -j NFQUEUE --queue-num {{$queuenum}} --queue-bypass
{{end}}

{{.MangleTable}} INPUT -m set ! --match-set {{.ExclusionsSet}} src -j {{.MainNetChain}}
{{.MangleTable}} {{.MainNetChain}} -j {{ .MangleProxyNetChain }}

{{/* tcp rules */}}

{{.MangleTable}} {{.MainNetChain}} -p tcp -m mark --mark {{.PacketMarkToSetConnmark}} -j CONNMARK --set-mark {{.DefaultExternalConnmark}}
{{.MangleTable}} {{.MainNetChain}} -p tcp -m mark --mark {{.PacketMarkToSetConnmark}} -j ACCEPT
{{.MangleTable}} {{.MainNetChain}} -m connmark --mark {{.DefaultExternalConnmark}} -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT
{{.MangleTable}} {{$.MainNetChain}} -m set --match-set {{$.TargetTCPNetSet}} src -p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j {{.NfqueueInput}}

{{/* tcp rules ends */}}

{{/* udp rules */}}

{{.MangleTable}} {{$.MainNetChain}} -p udp -m string --string {{$.UDPSignature}} --algo bm --to 65535 -j {{.NfqueueInput}}
{{.MangleTable}} {{.MainNetChain}} -p udp -m connmark --mark {{.DefaultDropConnmark}} -m comment --comment "Drop UDP ACL" -j DROP 
{{.MangleTable}} {{.MainNetChain}} -m connmark --mark {{.DefaultConnmark}} -p udp -j ACCEPT

{{/* udp rules ends */}}

{{if isLocalServer}}
{{.MangleTable}} {{.MainNetChain}} -j {{.TriremeInput}}
{{.MangleTable}} {{.MainNetChain}} -j {{.NetworkSvcInput}}
{{.MangleTable}} {{.MainNetChain}} -j {{.HostInput}}
{{end}}

{{if isIstioEnabled}}
{{.MangleTable}} OUTPUT -j {{.IstioChain}}
{{.MangleTable}} {{.MainNetChain}} -p tcp --dport {{IstioRedirPort}} -m addrtype --dst-type LOCAL -m addrtype --src-type LOCAL -j ACCEPT
{{end}}
{{.MangleTable}} OUTPUT -m set ! --match-set {{.ExclusionsSet}} dst -j {{.MainAppChain}}

{{.MangleTable}} {{.MainAppChain}} -m mark --mark {{.PacketMarkToSetConnmark}} -j CONNMARK --set-mark {{.DefaultExternalConnmark}}
{{.MangleTable}} {{.MainAppChain}} -p tcp -m mark --mark {{.PacketMarkToSetConnmark}} -j ACCEPT

{{/* enforcer rules */}}
{{.MangleTable}} {{.MainAppChain}}  -p udp --dport 53 -m mark --mark 0x40 -m cgroup --cgroup ` + enforcerCgroupMark + ` -j CONNMARK --set-mark {{.DefaultExternalConnmark}}
{{.MangleTable}} {{.MainAppChain}}  -p udp --dport 53 -m mark --mark 0x40 -j CONNMARK --set-mark {{.DefaultExternalConnmark}}
{{/* enforcer rules ends */}}


{{.MangleTable}} {{.MainAppChain}} -j {{.MangleProxyAppChain}}
{{.MangleTable}} {{.MainAppChain}} -m connmark --mark {{.DefaultExternalConnmark}} -j ACCEPT
{{.MangleTable}} {{.MainAppChain}} -p udp -m connmark --mark {{.DefaultDropConnmark}} -m comment --comment "Drop UDP ACL" -j DROP
{{.MangleTable}} {{.MainAppChain}} -m connmark --mark {{.DefaultConnmark}} -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK  -j ACCEPT
{{.MangleTable}} {{.MainAppChain}} -m connmark --mark {{.DefaultConnmark}} -p udp -j ACCEPT
{{.MangleTable}} {{.MainAppChain}} -m mark --mark {{.RawSocketMark}} -j ACCEPT
{{$.MangleTable}} {{$.MainAppChain}} -p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j {{.NfqueueOutput}}

{{if isLocalServer}}
{{.MangleTable}} {{.MainAppChain}} -j {{.TriremeOutput}}
{{.MangleTable}} {{.MainAppChain}} -j {{.NetworkSvcOutput}}
{{.MangleTable}} {{.MainAppChain}} -j {{.HostOutput}}
{{end}}

{{.MangleTable}} {{.MangleProxyAppChain}} -m mark --mark {{.ProxyMark}} -j ACCEPT
{{.MangleTable}} {{.MangleProxyNetChain}} -m mark --mark {{.ProxyMark}} -j ACCEPT

{{/* Using RETURN instead of ACCEPT because ACCEPT skips k8s DNS NAT rules */}}
{{.NatTable}} {{.NatProxyAppChain}} -m mark --mark {{.ProxyMark}} -j RETURN
{{.NatTable}} {{.NatProxyNetChain}} -m mark --mark {{.ProxyMark}} -j ACCEPT
`

// cgroupCaptureTemplate are the list of iptables commands that will hook traffic and send it to a PU specific
// chain. The hook method depends on the type of PU.
var cgroupCaptureTemplate = `

{{if isTCPPorts}}
{{.MangleTable}} {{.NetSection}} -p tcp -m multiport --destination-ports {{.TCPPorts}} -m comment --comment PU-Chain -j {{.NetChain}}
{{else}}
{{.MangleTable}} {{.NetSection}} -p tcp -m set --match-set {{.TCPPortSet}} dst -m comment --comment PU-Chain -j {{.NetChain}}
{{end}}

{{if isHostPU}}
{{/* UDP response traffic needs to be accepted */}}
{{.MangleTable}} {{.NetSection}} -p udp -m udp -m state --state ESTABLISHED -m connmark ! --mark {{.DefaultHandShakeMark}} -j ACCEPT
{{/* Traffic to systemd resolver/dnsmasq gets accepted */}}
{{.MangleTable}} {{.NetSection}} -p udp -m udp --dport 53 -j ACCEPT
{{.MangleTable}} {{.NetSection}} -m comment --comment PU-Chain -j {{.NetChain}}
{{end}}

{{if isUDPPorts}}
{{.MangleTable}} {{.NetSection}} -p udp -m multiport --destination-ports {{.UDPPorts}} -m comment --comment PU-Chain -j {{.NetChain}}
{{end}}

{{if isHostPU}}
{{.MangleTable}} {{.AppSection}} -m cgroup ! --cgroup ` + enforcerCgroupMark + ` -m comment --comment PU-Chain -j MARK --set-mark {{.Mark}}
{{.MangleTable}} {{.AppSection}} -m mark --mark {{.Mark}} -m comment --comment PU-Chain -j {{.AppChain}}
{{else}}
{{.MangleTable}} {{.AppSection}} -m cgroup --cgroup {{.Mark}} -m comment --comment PU-Chain -j MARK --set-mark {{.Mark}}
{{.MangleTable}} {{.AppSection}} -m mark --mark {{.Mark}} -m comment --comment PU-Chain -j {{.AppChain}}
{{end}}

{{if isHostPU}}
{{if isIPV6Enabled}}
{{.MangleTable}} {{.AppSection}} -p icmpv6 -j {{.AppChain}}
{{else}}
{{.MangleTable}} {{.AppSection}} -p icmp -j {{.AppChain}}
{{end}}
{{end}}
`

// containerChainTemplate will hook traffic towards the container specific chains.
var containerChainTemplate = `
{{.MangleTable}} {{.AppSection}} -m comment --comment Container-specific-chain -j {{.AppChain}}
{{.MangleTable}} {{.NetSection}} -m comment --comment Container-specific-chain -j {{.NetChain}}`

var istioChainTemplate = `
{{.MangleTable}} {{.IstioChain}} -p tcp -m owner ! --uid-owner {{IstioUID}} -j ACCEPT
{{.MangleTable}} {{.IstioChain}} -p tcp -m owner --uid-owner {{IstioUID}} -m addrtype --dst-type LOCAL -m addrtype --src-type LOCAL -j CONNMARK --set-mark {{.DefaultExternalConnmark}}
{{.MangleTable}} {{.IstioChain}} -p tcp -m owner --uid-owner {{IstioUID}} -m addrtype --dst-type LOCAL -j ACCEPT`

var acls = `
{{range .RejectObserveContinue}}
{{joinRule .}}
{{end}}

{{range .RejectNotObserved}}
{{joinRule .}}
{{end}}

{{range .RejectObserveApply}}
{{joinRule .}}
{{end}}

{{range .AcceptObserveContinue}}
{{joinRule .}}
{{end}}

{{range .AcceptNotObserved}}
{{joinRule .}}
{{end}}

{{range .AcceptObserveApply}}
{{joinRule .}}
{{end}}

{{range .ReverseRules}}
{{joinRule .}}
{{end}}
`

var preNetworkACLRuleTemplate = `
{{/* matches syn and ack packets */}}
{{$.MangleTable}} {{$.NetChain}} -p tcp -m tcp --tcp-option 34 -m tcp --tcp-flags FIN,RST,URG,PSH NONE -j {{.NfqueueInput}}
`

// packetCaptureTemplate are the rules that trap traffic towards the user space.
var packetCaptureTemplate = `
{{if needICMP}}
{{.MangleTable}} {{.AppChain}} -p icmpv6 -m bpf --bytecode "{{.ICMPv6Allow}}" -j ACCEPT
{{end}}

{{if isNotContainerPU}}

{{$.MangleTable}} {{$.AppChain}} -m set --match-set {{$.TargetTCPNetSet}} dst -p tcp -m tcp --tcp-flags FIN FIN -j ACCEPT
{{$.MangleTable}} {{$.AppChain}} -m set --match-set {{$.TargetTCPNetSet}} dst -p tcp -j HMARK --hmark-tuple sport,dport --hmark-mod {{.NumNFQueues}} --hmark-offset {{packetMark}} --hmark-rnd 0xdeadbeef
{{$.MangleTable}} {{$.AppChain}} -p udp -m set --match-set {{$.TargetUDPNetSet}} dst -j HMARK --hmark-tuple sport,dport --hmark-mod {{.NumNFQueues}} --hmark-offset {{packetMark}} --hmark-rnd 0xdeadbeef

{{range $index,$queuenum := .NFQueues}}
{{$.MangleTable}} {{$.AppChain}} -m mark --mark {{getOutputMark}} -j NFQUEUE --queue-num {{$queuenum}} --queue-bypass
{{end}}

{{else}}
{{$.MangleTable}} {{$.AppChain}} -m set --match-set {{$.TargetTCPNetSet}} dst -p tcp -m tcp --tcp-flags FIN FIN -j ACCEPT
{{$.MangleTable}} {{$.AppChain}} -m set --match-set {{$.TargetTCPNetSet}} dst -p tcp -j {{.NfqueueOutput}}
{{$.MangleTable}} {{$.AppChain}} -p udp -m set --match-set {{$.TargetUDPNetSet}} dst -j {{.NfqueueOutput}}
{{end}}

{{.MangleTable}} {{.AppChain}} -p tcp -m state --state ESTABLISHED -m comment --comment TCP-Established-Connections -j ACCEPT

{{.MangleTable}} {{.AppChain}} -p udp -m state --state ESTABLISHED -m comment --comment UDP-Established-Connections -j ACCEPT

{{range appAnyRules}}
{{joinRule .}}
{{end}}
{{.MangleTable}} {{.AppChain}} -d {{.DefaultIP}} -m state --state NEW -j NFLOG  --nflog-group 10 --nflog-prefix {{.AppNFLOGPrefix}}
{{if isAppDrop}}
{{.MangleTable}} {{.AppChain}} -d {{.DefaultIP}} -m state ! --state NEW -j NFLOG --nflog-group 10 --nflog-prefix {{.AppNFLOGDropPacketLogPrefix}}
{{end}}
{{.MangleTable}} {{.AppChain}} -d {{.DefaultIP}} -j {{.AppDefaultAction}}

{{if needICMP}}
{{.MangleTable}} {{.NetChain}} -p icmpv6 -m bpf --bytecode "{{.ICMPv6Allow}}" -j ACCEPT
{{end}}


{{.MangleTable}} {{.NetChain}} -p tcp -m set --match-set {{$.TargetTCPNetSet}} src -m tcp --tcp-flags SYN NONE -j {{.NfqueueInput}}
{{.MangleTable}} {{.NetChain}} -p udp -m set --match-set {{.TargetUDPNetSet}} src --match limit --limit 1000/s -j {{.NfqueueInput}}

{{.MangleTable}} {{.NetChain}} -p tcp -m state --state ESTABLISHED -m comment --comment TCP-Established-Connections -j ACCEPT

{{range netAnyRules}}
{{joinRule .}}
{{end}}

{{.MangleTable}} {{.NetChain}} -s {{.DefaultIP}} -m state --state NEW -j NFLOG --nflog-group 11 --nflog-prefix {{.NetNFLOGPrefix}}
{{if isNetDrop}}
{{.MangleTable}} {{.NetChain}} -s {{.DefaultIP}} -m state ! --state NEW -j NFLOG --nflog-group 11 --nflog-prefix {{.NetNFLOGDropPacketLogPrefix}}
{{end}}
{{.MangleTable}} {{.NetChain}} -s {{.DefaultIP}} -j {{.NetDefaultAction}}
`

var proxyDNSChainTemplate = `
{{if enableDNSProxy}}
{{.MangleTable}} {{.MangleProxyAppChain}} -p udp -m udp --sport {{.DNSProxyPort}} -j ACCEPT
{{.MangleTable}} {{.MangleProxyNetChain}} -p udp -m udp --dport {{.DNSProxyPort}} -j ACCEPT
{{if isCgroupSet}}
{{.NatTable}} {{.NatProxyAppChain}} -d {{.DNSServerIP}} -p udp --dport 53 -m mark ! --mark {{.ProxyMark}} -m cgroup --cgroup {{.CgroupMark}} -j CONNMARK --save-mark
{{.NatTable}} {{.NatProxyAppChain}} -d {{.DNSServerIP}} -p udp --dport 53 -m mark ! --mark {{.ProxyMark}} -m cgroup --cgroup {{.CgroupMark}} -j REDIRECT --to-ports {{.DNSProxyPort}}
{{else}}
{{.NatTable}} {{.NatProxyAppChain}} -d {{.DNSServerIP}} -p udp --dport 53 -m mark ! --mark {{.ProxyMark}} -j REDIRECT --to-ports {{.DNSProxyPort}}
{{end}}
{{end}}
`
var proxyChainTemplate = `
{{.MangleTable}} {{.MangleProxyAppChain}} -p tcp -m tcp --sport {{.ProxyPort}} -j ACCEPT
{{.MangleTable}} {{.MangleProxyAppChain}} -p tcp -m set --match-set {{.SrvIPSet}} src -j ACCEPT
{{.MangleTable}} {{.MangleProxyAppChain}} -p tcp -m set --match-set {{.DestIPSet}} dst,dst -m mark ! --mark {{.ProxyMark}} -j ACCEPT

{{.MangleTable}} {{.MangleProxyNetChain}} -p tcp -m set --match-set {{.DestIPSet}} src,src -j ACCEPT
{{.MangleTable}} {{.MangleProxyNetChain}} -p tcp -m set --match-set {{.SrvIPSet}} src -m addrtype --src-type LOCAL -j ACCEPT
{{.MangleTable}} {{.MangleProxyNetChain}} -p tcp -m tcp --dport {{.ProxyPort}} -j ACCEPT

{{if isCgroupSet}}
{{.NatTable}} {{.NatProxyAppChain}} -p tcp -m set --match-set {{.DestIPSet}} dst,dst -m mark ! --mark {{.ProxyMark}} -m cgroup --cgroup {{.CgroupMark}} -j REDIRECT --to-ports {{.ProxyPort}}
{{else}}
{{.NatTable}} {{.NatProxyAppChain}} -p tcp -m set --match-set {{.DestIPSet}} dst,dst -m mark ! --mark {{.ProxyMark}} -j REDIRECT --to-ports {{.ProxyPort}}
{{end}}
{{.NatTable}} {{.NatProxyNetChain}} -p tcp -m set --match-set {{.SrvIPSet}} dst -m mark ! --mark {{.ProxyMark}} -j REDIRECT --to-ports {{.ProxyPort}}`

var globalHooks = `
{{.MangleTable}} INPUT -m set ! --match-set {{.ExclusionsSet}} src -j {{.MainNetChain}}
{{.MangleTable}} OUTPUT -m set ! --match-set {{.ExclusionsSet}} dst -j {{.MainAppChain}}
{{.NatTable}} PREROUTING -p tcp -m addrtype --dst-type LOCAL -m set ! --match-set {{.ExclusionsSet}} src -j {{.NatProxyNetChain}}
{{.NatTable}} OUTPUT -m set ! --match-set {{.ExclusionsSet}} dst -j {{.NatProxyAppChain}}
`


================================================
FILE: controller/internal/supervisor/iptablesctrl/rules_rhel6.go
================================================
// +build rhel6

package iptablesctrl

var triremChains = `
{{if isLocalServer}}
-t {{.MangleTable}} -N {{.HostInput}}
-t {{.MangleTable}} -N {{.HostOutput}}
-t {{.MangleTable}} -N {{.NetworkSvcInput}}
-t {{.MangleTable}} -N {{.NetworkSvcOutput}}
-t {{.MangleTable}} -N {{.TriremeInput}}
-t {{.MangleTable}} -N {{.TriremeOutput}}
{{end}}
-t {{.MangleTable}} -N {{.NfqueueOutput}}
-t {{.MangleTable}} -N {{.NfqueueInput}}
-t {{.MangleTable}} -N {{.MangleProxyAppChain}}
-t {{.MangleTable}} -N {{.MainAppChain}}
-t {{.MangleTable}} -N {{.MainNetChain}}
-t {{.MangleTable}} -N {{.MangleProxyNetChain}}
-t {{.NatTable}} -N {{.NatProxyAppChain}}
-t {{.NatTable}} -N {{.NatProxyNetChain}}
`

var globalRules = `

{{$.MangleTable}} {{$.NfqueueInput}} -j MARK --set-mark {{.DefaultInputMark}}
{{$.MangleTable}} {{$.NfqueueInput}} -m mark --mark {{.DefaultInputMark}} -j NFQUEUE --queue-balance {{queueBalance}} --queue-bypass

{{$.MangleTable}} {{$.NfqueueOutput}} -j MARK --set-mark 0
{{$.MangleTable}} {{$.NfqueueOutput}} -m mark --mark 0 -j NFQUEUE --queue-balance {{queueBalance}} --queue-bypass

{{.MangleTable}} INPUT -m set ! --match-set {{.ExclusionsSet}} src -j {{.MainNetChain}}
{{.MangleTable}} {{.MainNetChain}} -p udp --sport 53 -j ACCEPT
{{.MangleTable}} {{.MainNetChain}} -j {{ .MangleProxyNetChain }}

{{/* tcp rules */}}

{{.MangleTable}} {{.MainNetChain}} -p tcp -m mark --mark {{.PacketMarkToSetConnmark}} -j CONNMARK --set-mark {{.DefaultExternalConnmark}}
{{.MangleTable}} {{.MainNetChain}} -p tcp -m mark --mark {{.PacketMarkToSetConnmark}} -j ACCEPT
{{.MangleTable}} {{.MainNetChain}} -m connmark --mark {{.DefaultExternalConnmark}} -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT
{{.MangleTable}} {{$.MainNetChain}} -m set --match-set {{$.TargetTCPNetSet}} src -p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j {{.NfqueueInput}}

{{/* tcp rules ends */}}

{{/* udp rules */}}

{{.MangleTable}} {{$.MainNetChain}} -p udp -m string --string {{$.UDPSignature}} --algo bm --to 65535 -j {{.NfqueueInput}}
{{.MangleTable}} {{.MainNetChain}} -p udp -m connmark --mark {{.DefaultDropConnmark}} -m comment --comment "Drop UDP ACL" -j DROP 
{{.MangleTable}} {{.MainNetChain}} -m connmark --mark {{.DefaultConnmark}} -p udp -j ACCEPT

{{/* udp rules ends */}}

{{if isLocalServer}}
{{.MangleTable}} {{.MainNetChain}} -j {{.TriremeInput}}
{{.MangleTable}} {{.MainNetChain}} -j {{.NetworkSvcInput}}
{{.MangleTable}} {{.MainNetChain}} -j {{.HostInput}}
{{end}}

{{.MangleTable}} OUTPUT -m set ! --match-set {{.ExclusionsSet}} dst -j {{.MainAppChain}}
{{.MangleTable}} {{.MainAppChain}} -p udp --dport 53 -j ACCEPT

{{.MangleTable}} {{.MainAppChain}} -m mark --mark {{.PacketMarkToSetConnmark}} -j CONNMARK --set-mark {{.DefaultExternalConnmark}}
{{.MangleTable}} {{.MainAppChain}} -p tcp -m mark --mark {{.PacketMarkToSetConnmark}} -j ACCEPT

{{.MangleTable}} {{.MainAppChain}}  -p udp --dport 53 -m mark --mark 0x40 -j CONNMARK --set-mark {{.DefaultExternalConnmark}}

{{.MangleTable}} {{.MainAppChain}} -j {{.MangleProxyAppChain}}
{{.MangleTable}} {{.MainAppChain}} -m connmark --mark {{.DefaultExternalConnmark}} -j ACCEPT
{{.MangleTable}} {{.MainAppChain}} -p udp -m connmark --mark {{.DefaultDropConnmark}} -m comment --comment "Drop UDP ACL" -j DROP
{{.MangleTable}} {{.MainAppChain}} -m connmark --mark {{.DefaultConnmark}} -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK  -j ACCEPT
{{.MangleTable}} {{.MainAppChain}} -m connmark --mark {{.DefaultConnmark}} -p udp -j ACCEPT
{{.MangleTable}} {{.MainAppChain}} -m mark --mark {{.RawSocketMark}} -j ACCEPT
{{$.MangleTable}} {{$.MainAppChain}} -p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j {{.NfqueueOutput}}

{{if isLocalServer}}
{{.MangleTable}} {{.MainAppChain}} -j {{.TriremeOutput}}
{{.MangleTable}} {{.MainAppChain}} -j {{.NetworkSvcOutput}}
{{.MangleTable}} {{.MainAppChain}} -j {{.HostOutput}}
{{end}}

{{.MangleTable}} {{.MangleProxyAppChain}} -m mark --mark {{.ProxyMark}} -j ACCEPT
{{.MangleTable}} {{.MangleProxyNetChain}} -m mark --mark {{.ProxyMark}} -j ACCEPT

{{.NatTable}} {{.NatProxyAppChain}} -m mark --mark {{.ProxyMark}} -j ACCEPT
{{.NatTable}} {{.NatProxyNetChain}} -m mark --mark {{.ProxyMark}} -j ACCEPT
`

// cgroupCaptureTemplate is not used for rhel6
var cgroupCaptureTemplate = ``

// containerChainTemplate is not used for rhel6
var containerChainTemplate = ``

// istioChainTemplate is not used for rhel6
var istioChainTemplate = ``

var acls = `
{{range .RejectObserveContinue}}
{{joinRule .}}
{{end}}

{{range .RejectNotObserved}}
{{joinRule .}}
{{end}}

{{range .RejectObserveApply}}
{{joinRule .}}
{{end}}

{{range .AcceptObserveContinue}}
{{joinRule .}}
{{end}}

{{range .AcceptNotObserved}}
{{joinRule .}}
{{end}}

{{range .AcceptObserveApply}}
{{joinRule .}}
{{end}}

{{range .ReverseRules}}
{{joinRule .}}
{{end}}
`

var preNetworkACLRuleTemplate = `
{{/* matches syn and ack packets */}}
{{$.MangleTable}} {{$.NetChain}} -p tcp -m tcp --tcp-option 34 -m tcp --tcp-flags FIN,RST,URG,PSH NONE -j {{.NfqueueInput}}
`

// packetCaptureTemplate are the rules that trap traffic towards the user space.
var packetCaptureTemplate = `

{{.MangleTable}} {{.AppChain}} -p icmp -j NFQUEUE --queue-balance {{queueBalance}}
{{.MangleTable}} {{.NetChain}} -p icmp -j NFQUEUE --queue-balance {{queueBalance}}

{{$.MangleTable}} {{$.AppChain}} -m set --match-set {{$.TargetTCPNetSet}} dst -p tcp -m tcp --tcp-flags FIN FIN -j ACCEPT
{{$.MangleTable}} {{$.AppChain}} -m set --match-set {{$.TargetTCPNetSet}} dst -p tcp -j MARK --set-mark {{packetMark}}
{{$.MangleTable}} {{$.AppChain}} -p udp -m set --match-set {{$.TargetUDPNetSet}} dst -j MARK --set-mark {{packetMark}}
{{$.MangleTable}} {{$.AppChain}} -m mark --mark {{packetMark}} -j NFQUEUE --queue-balance {{queueBalance}} --queue-bypass

{{.MangleTable}} {{.AppChain}} -p tcp -m state --state ESTABLISHED -m comment --comment TCP-Established-Connections -j ACCEPT

{{.MangleTable}} {{.AppChain}} -p udp -m state --state ESTABLISHED -m comment --comment UDP-Established-Connections -j ACCEPT

{{range appAnyRules}}
{{joinRule .}}
{{end}}

{{.MangleTable}} {{.AppChain}} -d {{.DefaultIP}} -m state --state NEW -j NFLOG  --nflog-group 10 --nflog-prefix {{.AppNFLOGPrefix}}
{{if isAppDrop}}
{{.MangleTable}} {{.AppChain}} -d {{.DefaultIP}} -m state ! --state NEW -j NFLOG --nflog-group 10 --nflog-prefix {{.AppNFLOGDropPacketLogPrefix}}
{{end}}
{{.MangleTable}} {{.AppChain}} -d {{.DefaultIP}} -j {{.AppDefaultAction}}

{{.MangleTable}} {{.NetChain}} -p tcp -m set --match-set {{$.TargetTCPNetSet}} src -m tcp --tcp-flags SYN NONE -j {{.NfqueueInput}}
{{.MangleTable}} {{.NetChain}} -p udp -m set --match-set {{.TargetUDPNetSet}} src --match limit --limit 1000/s -j {{.NfqueueInput}}

{{.MangleTable}} {{.NetChain}} -p tcp -m state --state ESTABLISHED -m comment --comment TCP-Established-Connections -j ACCEPT

{{range netAnyRules}}
{{joinRule .}}
{{end}}

{{.MangleTable}} {{.NetChain}} -s {{.DefaultIP}} -m state --state NEW -j NFLOG --nflog-group 11 --nflog-prefix {{.NetNFLOGPrefix}}
{{if isNetDrop}}
{{.MangleTable}} {{.NetChain}} -s {{.DefaultIP}} -m state ! --state NEW -j NFLOG --nflog-group 11 --nflog-prefix {{.NetNFLOGDropPacketLogPrefix}}
{{end}}
{{.MangleTable}} {{.NetChain}} -s {{.DefaultIP}} -j {{.NetDefaultAction}}
`

// proxyDNSChainTemplate is not used for rhel6
var proxyDNSChainTemplate = ``

// proxyChainTemplate is not used for rhel6
var proxyChainTemplate = ``

var globalHooks = `
{{.MangleTable}} INPUT -m set ! --match-set {{.ExclusionsSet}} src -j {{.MainNetChain}}
{{.MangleTable}} OUTPUT -m set ! --match-set {{.ExclusionsSet}} dst -j {{.MainAppChain}}
{{.NatTable}} PREROUTING -p tcp -m addrtype --dst-type LOCAL -m set ! --match-set {{.ExclusionsSet}} src -j {{.NatProxyNetChain}}
{{.NatTable}} OUTPUT -m set ! --match-set {{.ExclusionsSet}} dst -j {{.NatProxyAppChain}}
`

var legacyProxyRules = `
{{.MangleTable}} {{.MangleProxyAppChain}} -p tcp -m tcp --sport {{.ProxyPort}} -j ACCEPT
{{if enableDNSProxy}}
{{.MangleTable}} {{.MangleProxyAppChain}} -p udp -m udp --sport {{.DNSProxyPort}} -j ACCEPT
{{end}}
{{.MangleTable}} {{.MangleProxyAppChain}} -p tcp -m set --match-set {{.SrvIPSet}} src -j ACCEPT
{{.MangleTable}} {{.MangleProxyAppChain}} -p tcp -m set --match-set {{.DestIPSet}} dst,dst -m mark ! --mark {{.ProxyMark}} -j ACCEPT

{{.MangleTable}} {{.MangleProxyNetChain}} -p tcp -m set --match-set {{.DestIPSet}} src,src -j ACCEPT
{{.MangleTable}} {{.MangleProxyNetChain}} -p tcp -m set --match-set {{.SrvIPSet}} src -m addrtype --src-type LOCAL -j ACCEPT
{{.MangleTable}} {{.MangleProxyNetChain}} -p tcp -m tcp --dport {{.ProxyPort}} -j ACCEPT
{{if enableDNSProxy}}
{{.MangleTable}} {{.MangleProxyNetChain}} -p udp -m udp --dport {{.DNSProxyPort}} -j ACCEPT
{{end}}

{{if isCgroupSet}}
{{.NatTable}} {{.NatProxyAppChain}} -p tcp -m set --match-set {{.DestIPSet}} dst,dst -m mark ! --mark {{.ProxyMark}} -m multiport --source-ports {{.TCPPorts}} -j REDIRECT --to-ports {{.ProxyPort}}
{{else}}
{{.NatTable}} {{.NatProxyAppChain}} -p tcp -m set --match-set {{.DestIPSet}} dst,dst -m mark ! --mark {{.ProxyMark}} -j REDIRECT --to-ports {{.ProxyPort}}
{{end}}

{{if enableDNSProxy}}
{{.NatTable}} {{.NatProxyAppChain}} -p udp --dport 53 -m mark ! --mark {{.ProxyMark}} -j REDIRECT --to-ports {{.DNSProxyPort}}
{{end}}

{{.NatTable}} {{.NatProxyNetChain}} -p tcp -m set --match-set {{.SrvIPSet}} dst -m mark ! --mark {{.ProxyMark}} -j REDIRECT --to-ports {{.ProxyPort}}`


================================================
FILE: controller/internal/supervisor/iptablesctrl/rules_windows.go
================================================
// +build windows

package iptablesctrl

var triremChains = `
-t OUTPUT  -N GlobalRules-OUTPUT
-t INPUT   -N GlobalRules-INPUT
-t OUTPUT  -N ProcessRules-OUTPUT
-t INPUT   -N ProcessRules-INPUT
-t OUTPUT  -N HostSvcRules-OUTPUT
-t INPUT   -N HostSvcRules-INPUT
-t OUTPUT  -N HostPU-OUTPUT
-t INPUT   -N HostPU-INPUT
`

// When enforcerd is managed by cns-agent, its parent is mgr and its grandparent is boot
// -cns-agent-boot
//   |----cns-agent-mgr
//         |----enforcerd
// However, when mgr is updated, it will be respawned with a new pid and enforcerd will no longer
// have a parent
// -cns-agent-boot
//   |----cns-agent-mgr
// -enforcerd
// We need to allow this new mgr to communicate with the API server too, so we can allow
// cns-agent-boot and its children, in order to satisfy this.
// Note also that any currently active mgr pid needs to be explicitly added as its own rule here.

// globalRules are the rules not tied to a PU chain.
var globalRules = `
INPUT  GlobalRules-INPUT  -m set --match-set {{.ExclusionsSet}} srcIP -j ACCEPT_ONCE
OUTPUT GlobalRules-OUTPUT -m set --match-set {{.ExclusionsSet}} dstIP -j ACCEPT_ONCE
{{if isIPv4}}
INPUT  GlobalRules-INPUT  -m owner --pid-owner {{EnforcerPID}} -j ACCEPT
OUTPUT GlobalRules-OUTPUT -m owner --pid-owner {{EnforcerPID}} -j ACCEPT
{{if isManagedByCnsAgentManager}}
INPUT  GlobalRules-INPUT  -m owner --pid-owner {{CnsAgentBootPID}} --pid-children -j ACCEPT
OUTPUT GlobalRules-OUTPUT -m owner --pid-owner {{CnsAgentBootPID}} --pid-children -j ACCEPT
INPUT  GlobalRules-INPUT  -m owner --pid-owner {{CnsAgentMgrPID}} -j ACCEPT
OUTPUT GlobalRules-OUTPUT -m owner --pid-owner {{CnsAgentMgrPID}} -j ACCEPT
{{end}}
{{if enableDNSProxy}}
INPUT  GlobalRules-INPUT  -p udp --sports 53 -m set --match-set {{windowsDNSServerName}} srcIP -j NFQUEUE_FORCE -j MARK 83
{{end}}
{{end}}
{{if needICMP}}
OUTPUT GlobalRules-OUTPUT -p icmpv6 --icmp-type 133/0 -j ACCEPT
OUTPUT GlobalRules-OUTPUT -p icmpv6 --icmp-type 134/0 -j ACCEPT
OUTPUT GlobalRules-OUTPUT -p icmpv6 --icmp-type 135/0 -j ACCEPT
OUTPUT GlobalRules-OUTPUT -p icmpv6 --icmp-type 136/0 -j ACCEPT
OUTPUT GlobalRules-OUTPUT -p icmpv6 --icmp-type 141/0 -j ACCEPT
OUTPUT GlobalRules-OUTPUT -p icmpv6 --icmp-type 142/0 -j ACCEPT
INPUT  GlobalRules-INPUT -p icmpv6 --icmp-type 133/0 -j ACCEPT
INPUT  GlobalRules-INPUT -p icmpv6 --icmp-type 134/0 -j ACCEPT
INPUT  GlobalRules-INPUT -p icmpv6 --icmp-type 135/0 -j ACCEPT
INPUT  GlobalRules-INPUT -p icmpv6 --icmp-type 136/0 -j ACCEPT
INPUT  GlobalRules-INPUT -p icmpv6 --icmp-type 141/0 -j ACCEPT
INPUT  GlobalRules-INPUT -p icmpv6 --icmp-type 142/0 -j ACCEPT
{{end}}

`
var istioChainTemplate = ``
var proxyDNSChainTemplate = ``

// cgroupCaptureTemplate are the list of iptables commands that will hook traffic and send it to a PU specific
// chain. The hook method depends on the type of PU.
var cgroupCaptureTemplate = `

INPUT  {{.NetChain}} -p udp -m string --string {{.UDPSignature}} --offset 4 -j NFQUEUE -j MARK {{.PacketMark}}
INPUT  {{.NetChain}} -p udp -m string --string {{.UDPSignature}} --offset 6 -j NFQUEUE -j MARK {{.PacketMark}}
OUTPUT {{.AppChain}} -p tcp --tcp-flags 18,18 -j NFQUEUE -j MARK {{.PacketMark}}
INPUT  {{.NetChain}} -p tcp --tcp-flags 18,18 -m set --match-set {{.TargetTCPNetSet}} srcIP -j NFQUEUE -j MARK {{.PacketMark}}
{{if isHostPU}}
OUTPUT HostPU-OUTPUT -p tcp -m set --match-set {{.TargetTCPNetSet}} dstIP -m set --match-set {{.DestIPSet}} dstIP,dstPort -j REDIRECT  --to-ports {{.ProxyPort}}
INPUT  HostPU-INPUT  -p tcp -m set --match-set {{.SrvIPSet}} dstPort -j REDIRECT --to-ports {{.ProxyPort}}
OUTPUT HostPU-OUTPUT -j {{.AppChain}}
INPUT  HostPU-INPUT  -j {{.NetChain}}
{{else}}
{{if isProcessPU}}
OUTPUT ProcessRules-OUTPUT -j {{.AppChain}} -m owner --pid-owner {{.ContextID}} --pid-childrenonly
INPUT  ProcessRules-INPUT  -j {{.NetChain}} -m owner --pid-owner {{.ContextID}} --pid-childrenonly
{{else}}
{{if isTCPPorts}}
OUTPUT HostSvcRules-OUTPUT -p tcp --dports {{.TCPPorts}} -j {{.AppChain}}
INPUT  HostSvcRules-INPUT  -p tcp --sports {{.TCPPorts}} -j {{.NetChain}}
{{end}}
{{if isUDPPorts}}
OUTPUT HostSvcRules-OUTPUT -p udp --dports {{.UDPPorts}} -j {{.AppChain}}
INPUT  HostSvcRules-INPUT  -p udp --sports {{.UDPPorts}} -j {{.NetChain}}
{{end}}
{{end}}
{{end}}
`

// containerChainTemplate will hook traffic towards the container specific chains.
var containerChainTemplate = ``

var acls = `
{{range .RejectObserveContinue}}
{{joinRule .}}
{{end}}

{{range .RejectNotObserved}}
{{joinRule .}}
{{end}}

{{range .RejectObserveApply}}
{{joinRule .}}
{{end}}

{{range .AcceptObserveContinue}}
{{joinRule .}}
{{end}}

{{range .AcceptNotObserved}}
{{joinRule .}}
{{end}}

{{range .AcceptObserveApply}}
{{joinRule .}}
{{end}}

{{range .ReverseRules}}
{{joinRule .}}
{{end}}
`

var preNetworkACLRuleTemplate = `
{{/* matches syn and ack packets FIN,RST,URG,PSH NONE */}}
INPUT  {{.NetChain}} -p tcp --tcp-flags 45,0 --tcp-option 34 -j NFQUEUE MARK {{.PacketMark}}
`

// packetCaptureTemplate are the rules that trap traffic towards the user space.
// windows uses it as a final deny-all.
var packetCaptureTemplate = `
OUTPUT {{.AppChain}} -p tcp --tcp-flags 1,1 -m set --match-set {{.TargetTCPNetSet}} dstIP -j ACCEPT
OUTPUT {{.AppChain}} -p tcp -m set --match-set {{.TargetTCPNetSet}} dstIP -j NFQUEUE -j MARK {{.PacketMark}}
OUTPUT {{.AppChain}} -p udp -m set --match-set {{.TargetUDPNetSet}} dstIP -j NFQUEUE -j MARK {{.PacketMark}}
INPUT  {{.NetChain}} -p tcp --tcp-flags 2,0 -j NFQUEUE -j MARK {{.PacketMark}}
{{range appAnyRules}}
{{joinRule .}}
{{end}}
{{range netAnyRules}}
{{joinRule .}}
{{end}}
{{range appAnyRules}}
{{joinRule .}}
{{end}}
{{range netAnyRules}}
{{joinRule .}}
{{end}}
{{if isAppDrop}}
OUTPUT {{.AppChain}} -m set --match-set {{windowsAllIpsetName}} dstIP -j NFLOG --nflog-group 10 --nflog-prefix {{.AppNFLOGDropPacketLogPrefix}}
{{end}}
OUTPUT {{.AppChain}} -m set --match-set {{windowsAllIpsetName}} dstIP -j {{.AppDefaultAction}} -j NFLOG --nflog-group 10 --nflog-prefix {{.AppNFLOGPrefix}}
{{if isNetDrop}}
INPUT  {{.NetChain}} -m set --match-set {{windowsAllIpsetName}} srcIP -j NFLOG --nflog-group 11 --nflog-prefix {{.NetNFLOGDropPacketLogPrefix}}
{{end}}
INPUT  {{.NetChain}} -m set --match-set {{windowsAllIpsetName}} srcIP -j {{.NetDefaultAction}} -j NFLOG --nflog-group 11 --nflog-prefix {{.NetNFLOGPrefix}}
`

var proxyChainTemplate = ``

var globalHooks = ``


================================================
FILE: controller/internal/supervisor/iptablesctrl/templates.go
================================================
package iptablesctrl

import (
	"bytes"
	"crypto/md5"
	"encoding/base64"
	"fmt"
	"io"
	"net"
	"strconv"
	"strings"
	"text/template"

	"github.com/kballard/go-shellquote"
	"go.aporeto.io/enforcerd/trireme-lib/common"
	cconstants "go.aporeto.io/enforcerd/trireme-lib/controller/constants"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/nfqdatapath/afinetrawsocket"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packet"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
	"go.aporeto.io/enforcerd/trireme-lib/utils/constants"
)

func extractRulesFromTemplate(tmpl *template.Template, data interface{}) ([][]string, error) {

	buffer := bytes.NewBuffer([]byte{})
	if err := tmpl.Execute(buffer, data); err != nil {
		return [][]string{}, fmt.Errorf("unable to execute template:%s", err)
	}

	rules := [][]string{}

	for _, m := range strings.Split(buffer.String(), "\n") {

		rule, err := shellquote.Split(m)
		if err != nil {
			return [][]string{}, err
		}

		// ignore empty lines in the buffer
		if len(rule) <= 1 {
			continue
		}

		rules = append(rules, rule)
	}
	return rules, nil
}

// ACLInfo keeps track of all information to create ACLs
type ACLInfo struct {
	ContextID string
	PUType    common.PUType

	// Tables
	MangleTable string
	NatTable    string

	// Chains
	MainAppChain        string
	MainNetChain        string
	BPFPath             string
	HostInput           string
	HostOutput          string
	NfqueueOutput       string
	NfqueueInput        string
	NetworkSvcInput     string
	NetworkSvcOutput    string
	TriremeInput        string
	TriremeOutput       string
	NatProxyNetChain    string
	NatProxyAppChain    string
	MangleProxyNetChain string
	MangleProxyAppChain string
	PreRouting          string

	AppChain   string
	NetChain   string
	AppSection string
	NetSection string

	// serviceMesh chains
	IstioChain string

	// common info
	DefaultConnmark         string
	DefaultDropConnmark     string
	DefaultExternalConnmark string
	PacketMarkToSetConnmark string
	DefaultInputMark        string
	DefaultHandShakeMark    string

	RawSocketMark   string
	TargetTCPNetSet string
	TargetUDPNetSet string
	ExclusionsSet   string
	IpsetPrefix     string
	// IPv4 IPv6
	DefaultIP     string
	needICMPRules bool

	// UDP rules
	Numpackets   string
	InitialCount string
	UDPSignature string

	// Linux PUs
	TCPPorts   string
	UDPPorts   string
	TCPPortSet string

	// ProxyRules
	DestIPSet     string
	SrvIPSet      string
	ProxyPort     string
	DNSProxyPort  string
	DNSServerIP   string
	CgroupMark    string
	ProxyMark     string
	AuthPhaseMark string

	PacketMark string
	Mark       string
	PortSet    string

	AppNFLOGPrefix              string
	AppNFLOGDropPacketLogPrefix string
	AppDefaultAction            string

	NetNFLOGPrefix              string
	NetNFLOGDropPacketLogPrefix string
	NetDefaultAction            string

	NFQueues    []int
	NumNFQueues int
	// icmpv6 allow bytecode
	ICMPv6Allow string

	// Istio Iptable rules
	IstioEnabled bool
}

func chainName(contextID string, version int) (app, net string, err error) {
	hash := md5.New()

	if _, err := io.WriteString(hash, contextID); err != nil {
		return "", "", err
	}
	output := base64.URLEncoding.EncodeToString(hash.Sum(nil))
	if len(contextID) > 4 {
		contextID = contextID[:4] + output[:6]
	} else {
		contextID = contextID + output[:6]
	}

	app = appChainPrefix + contextID + "-" + strconv.Itoa(version)
	net = netChainPrefix + contextID + "-" + strconv.Itoa(version)

	return app, net, nil
}

func (i *iptables) newACLInfo(version int, contextID string, p *policy.PUInfo, puType common.PUType) (*ACLInfo, error) {
	var appChain, netChain string
	var err error
	var nfqueues []int

	numQueues := i.fqc.GetNumQueues()

	ipFilter := i.impl.IPFilter()

	if contextID != "" {
		appChain, netChain, err = chainName(contextID, version)
		if err != nil {
			return nil, err
		}
	}

	parseDNSServerIP := func() string {
		for _, ipString := range i.fqc.GetDNSServerAddresses() {
			if ip := net.ParseIP(ipString); ip != nil {
				if ipFilter(ip) {
					return ipString
				}

				continue
			}
			// parseCIDR
			if ip, _, err := net.ParseCIDR(ipString); err == nil {
				if ipFilter(ip) {
					return ipString
				}
			}
		}
		return ""
	}

	appDefaultAction := policy.Reject | policy.Log
	netDefaultAction := policy.Reject | policy.Log

	var tcpPorts, udpPorts string
	var servicePort, mark, dnsProxyPort, packetMark string
	if p != nil {
		tcpPorts, udpPorts = common.ConvertServicesToProtocolPortList(p.Runtime.Options().Services)
		puType = p.Runtime.PUType()
		servicePort = p.Policy.ServicesListeningPort()
		dnsProxyPort = p.Policy.DNSProxyPort()
		mark = p.Runtime.Options().CgroupMark
		packetMark = mark
		appDefaultAction = p.Policy.AppDefaultPolicyAction()
		netDefaultAction = p.Policy.NetDefaultPolicyAction()
	}

	destSetName, srvSetName := i.ipsetmanager.GetProxySetNames(contextID)

	tcpTargetSetName, udpTargetSetName, excludedNetworkSetName := i.ipsetmanager.GetIPsetNamesForTargetAndExcludedNetworks()

	appSection := ""
	netSection := ""
	switch puType {
	case common.LinuxProcessPU, common.WindowsProcessPU:
		appSection = TriremeOutput
		netSection = TriremeInput
	case common.HostNetworkPU:
		appSection = NetworkSvcOutput
		netSection = NetworkSvcInput
	case common.HostPU:
		appSection = HostModeOutput
		netSection = HostModeInput
	default:
		appSection = mainAppChain
		netSection = mainNetChain
	}

	portSetName := i.ipsetmanager.GetServerPortSetName(contextID)

	for i := 0; i < numQueues; i++ {
		nfqueues = append(nfqueues, i)
	}

	cfg := &ACLInfo{
		ContextID: contextID,
		PUType:    puType,
		// Chains
		MangleTable:         "mangle",
		NatTable:            "nat",
		MainAppChain:        mainAppChain,
		MainNetChain:        mainNetChain,
		HostInput:           HostModeInput,
		HostOutput:          HostModeOutput,
		NfqueueOutput:       NfqueueOutput,
		NfqueueInput:        NfqueueInput,
		NFQueues:            nfqueues,
		NumNFQueues:         numQueues,
		NetworkSvcInput:     NetworkSvcInput,
		NetworkSvcOutput:    NetworkSvcOutput,
		TriremeInput:        TriremeInput,
		TriremeOutput:       TriremeOutput,
		NatProxyNetChain:    natProxyInputChain,
		NatProxyAppChain:    natProxyOutputChain,
		MangleProxyNetChain: proxyInputChain,
		MangleProxyAppChain: proxyOutputChain,
		PreRouting:          ipTableSectionPreRouting,

		AppChain:   appChain,
		NetChain:   netChain,
		AppSection: appSection,
		NetSection: netSection,
		IstioChain: istioChain,

		// common info
		DefaultConnmark:         strconv.Itoa(int(constants.DefaultConnMark)),
		DefaultDropConnmark:     strconv.Itoa(int(constants.DropConnmark)),
		DefaultExternalConnmark: strconv.Itoa(int(constants.DefaultExternalConnMark)),
		PacketMarkToSetConnmark: strconv.Itoa(int(constants.PacketMarkToSetConnmark)),
		DefaultInputMark:        strconv.Itoa(int(constants.DefaultInputMark)),
		RawSocketMark:           strconv.Itoa(afinetrawsocket.ApplicationRawSocketMark),
		DefaultHandShakeMark:    strconv.Itoa(int(constants.HandshakeConnmark)),
		CgroupMark:              mark,
		TargetTCPNetSet:         tcpTargetSetName,
		TargetUDPNetSet:         udpTargetSetName,
		ExclusionsSet:           excludedNetworkSetName,
		// IPv4 vs IPv6
		DefaultIP:     i.impl.GetDefaultIP(),
		needICMPRules: i.impl.NeedICMP(),

		// UDP rules
		Numpackets:   numPackets,
		InitialCount: initialCount,
		UDPSignature: packet.UDPAuthMarker,

		// // Linux PUs
		TCPPorts:   tcpPorts,
		UDPPorts:   udpPorts,
		TCPPortSet: portSetName,

		// // ProxyRules
		DestIPSet:    destSetName,
		SrvIPSet:     srvSetName,
		ProxyPort:    servicePort,
		DNSProxyPort: dnsProxyPort,
		DNSServerIP:  parseDNSServerIP(),
		ProxyMark:    cconstants.ProxyMark,

		// PUs
		PacketMark: packetMark,
		Mark:       mark,
		PortSet:    portSetName,

		AppNFLOGPrefix:              policy.DefaultLogPrefix(contextID, appDefaultAction),
		AppNFLOGDropPacketLogPrefix: policy.DefaultDropPacketLogPrefix(contextID),
		AppDefaultAction:            policy.DefaultAction(appDefaultAction),

		NetNFLOGPrefix:              policy.DefaultLogPrefix(contextID, netDefaultAction),
		NetNFLOGDropPacketLogPrefix: policy.DefaultDropPacketLogPrefix(contextID),
		NetDefaultAction:            policy.DefaultAction(netDefaultAction),
	}

	allowICMPv6(cfg)
	if i.bpf != nil {
		cfg.BPFPath = i.bpf.GetBPFPath()
	}

	return cfg, nil
}


================================================
FILE: controller/internal/supervisor/iptablesctrl/templates_test.go
================================================
// +build !windows

package iptablesctrl

import (
	"testing"

	. "github.com/smartystreets/goconvey/convey"
)

func TestChainName(t *testing.T) {
	Convey("When I test the creation of the name of the chain", t, func() {

		Convey("With a contextID of Context and version of 1", func() {
			app, net, err := chainName("Context", 1)
			So(err, ShouldBeNil)

			Convey("I should get the right names", func() {
				//app, net := i.chainName("Context", 1)

				So(app, ShouldContainSubstring, "TRI-App")
				So(net, ShouldContainSubstring, "TRI-Net")
			})
		})
	})
}


================================================
FILE: controller/internal/supervisor/mocksupervisor/mocksupervisor.go
================================================
// Code generated by MockGen. DO NOT EDIT.
// Source: controller/internal/supervisor/interfaces.go

// Package mocksupervisor is a generated GoMock package.
package mocksupervisor

import (
	context "context"
	reflect "reflect"
	time "time"

	gomock "github.com/golang/mock/gomock"
	provider "go.aporeto.io/enforcerd/trireme-lib/controller/pkg/aclprovider"
	runtime "go.aporeto.io/enforcerd/trireme-lib/controller/runtime"
	policy "go.aporeto.io/enforcerd/trireme-lib/policy"
)

// MockSupervisor is a mock of Supervisor interface
// nolint
type MockSupervisor struct {
	ctrl     *gomock.Controller
	recorder *MockSupervisorMockRecorder
}

// MockSupervisorMockRecorder is the mock recorder for MockSupervisor
// nolint
type MockSupervisorMockRecorder struct {
	mock *MockSupervisor
}

// NewMockSupervisor creates a new mock instance
// nolint
func NewMockSupervisor(ctrl *gomock.Controller) *MockSupervisor {
	mock := &MockSupervisor{ctrl: ctrl}
	mock.recorder = &MockSupervisorMockRecorder{mock}
	return mock
}

// EXPECT returns an object that allows the caller to indicate expected use
// nolint
func (m *MockSupervisor) EXPECT() *MockSupervisorMockRecorder {
	return m.recorder
}

// Supervise mocks base method
// nolint
func (m *MockSupervisor) Supervise(contextID string, puInfo *policy.PUInfo) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "Supervise", contextID, puInfo)
	ret0, _ := ret[0].(error)
	return ret0
}

// Supervise indicates an expected call of Supervise
// nolint
func (mr *MockSupervisorMockRecorder) Supervise(contextID, puInfo interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Supervise", reflect.TypeOf((*MockSupervisor)(nil).Supervise), contextID, puInfo)
}

// Unsupervise mocks base method
// nolint
func (m *MockSupervisor) Unsupervise(contextID string) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "Unsupervise", contextID)
	ret0, _ := ret[0].(error)
	return ret0
}

// Unsupervise indicates an expected call of Unsupervise
// nolint
func (mr *MockSupervisorMockRecorder) Unsupervise(contextID interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Unsupervise", reflect.TypeOf((*MockSupervisor)(nil).Unsupervise), contextID)
}

// Run mocks base method
// nolint
func (m *MockSupervisor) Run(ctx context.Context) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "Run", ctx)
	ret0, _ := ret[0].(error)
	return ret0
}

// Run indicates an expected call of Run
// nolint
func (mr *MockSupervisorMockRecorder) Run(ctx interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Run", reflect.TypeOf((*MockSupervisor)(nil).Run), ctx)
}

// SetTargetNetworks mocks base method
// nolint
func (m *MockSupervisor) SetTargetNetworks(cfg *runtime.Configuration) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "SetTargetNetworks", cfg)
	ret0, _ := ret[0].(error)
	return ret0
}

// SetTargetNetworks indicates an expected call of SetTargetNetworks
// nolint
func (mr *MockSupervisorMockRecorder) SetTargetNetworks(cfg interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetTargetNetworks", reflect.TypeOf((*MockSupervisor)(nil).SetTargetNetworks), cfg)
}

// CleanUp mocks base method
// nolint
func (m *MockSupervisor) CleanUp() error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "CleanUp")
	ret0, _ := ret[0].(error)
	return ret0
}

// CleanUp indicates an expected call of CleanUp
// nolint
func (mr *MockSupervisorMockRecorder) CleanUp() *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CleanUp", reflect.TypeOf((*MockSupervisor)(nil).CleanUp))
}

// EnableIPTablesPacketTracing mocks base method
// nolint
func (m *MockSupervisor) EnableIPTablesPacketTracing(ctx context.Context, contextID string, interval time.Duration) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "EnableIPTablesPacketTracing", ctx, contextID, interval)
	ret0, _ := ret[0].(error)
	return ret0
}

// EnableIPTablesPacketTracing indicates an expected call of EnableIPTablesPacketTracing
// nolint
func (mr *MockSupervisorMockRecorder) EnableIPTablesPacketTracing(ctx, contextID, interval interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "EnableIPTablesPacketTracing", reflect.TypeOf((*MockSupervisor)(nil).EnableIPTablesPacketTracing), ctx, contextID, interval)
}

// MockImplementor is a mock of Implementor interface
// nolint
type MockImplementor struct {
	ctrl     *gomock.Controller
	recorder *MockImplementorMockRecorder
}

// MockImplementorMockRecorder is the mock recorder for MockImplementor
// nolint
type MockImplementorMockRecorder struct {
	mock *MockImplementor
}

// NewMockImplementor creates a new mock instance
// nolint
func NewMockImplementor(ctrl *gomock.Controller) *MockImplementor {
	mock := &MockImplementor{ctrl: ctrl}
	mock.recorder = &MockImplementorMockRecorder{mock}
	return mock
}

// EXPECT returns an object that allows the caller to indicate expected use
// nolint
func (m *MockImplementor) EXPECT() *MockImplementorMockRecorder {
	return m.recorder
}

// ConfigureRules mocks base method
// nolint
func (m *MockImplementor) ConfigureRules(version int, contextID string, containerInfo *policy.PUInfo) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ConfigureRules", version, contextID, containerInfo)
	ret0, _ := ret[0].(error)
	return ret0
}

// ConfigureRules indicates an expected call of ConfigureRules
// nolint
func (mr *MockImplementorMockRecorder) ConfigureRules(version, contextID, containerInfo interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ConfigureRules", reflect.TypeOf((*MockImplementor)(nil).ConfigureRules), version, contextID, containerInfo)
}

// UpdateRules mocks base method
// nolint
func (m *MockImplementor) UpdateRules(version int, contextID string, containerInfo, oldContainerInfo *policy.PUInfo) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "UpdateRules", version, contextID, containerInfo, oldContainerInfo)
	ret0, _ := ret[0].(error)
	return ret0
}

// UpdateRules indicates an expected call of UpdateRules
// nolint
func (mr *MockImplementorMockRecorder) UpdateRules(version, contextID, containerInfo, oldContainerInfo interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateRules", reflect.TypeOf((*MockImplementor)(nil).UpdateRules), version, contextID, containerInfo, oldContainerInfo)
}

// DeleteRules mocks base method
// nolint
func (m *MockImplementor) DeleteRules(version int, context, tcpPorts, udpPorts, mark, uid string, containerInfo *policy.PUInfo) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "DeleteRules", version, context, tcpPorts, udpPorts, mark, uid, containerInfo)
	ret0, _ := ret[0].(error)
	return ret0
}

// DeleteRules indicates an expected call of DeleteRules
// nolint
func (mr *MockImplementorMockRecorder) DeleteRules(version, context, tcpPorts, udpPorts, mark, uid, containerInfo interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteRules", reflect.TypeOf((*MockImplementor)(nil).DeleteRules), version, context, tcpPorts, udpPorts, mark, uid, containerInfo)
}

// SetTargetNetworks mocks base method
// nolint
func (m *MockImplementor) SetTargetNetworks(cfg *runtime.Configuration) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "SetTargetNetworks", cfg)
	ret0, _ := ret[0].(error)
	return ret0
}

// SetTargetNetworks indicates an expected call of SetTargetNetworks
// nolint
func (mr *MockImplementorMockRecorder) SetTargetNetworks(cfg interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetTargetNetworks", reflect.TypeOf((*MockImplementor)(nil).SetTargetNetworks), cfg)
}

// Run mocks base method
// nolint
func (m *MockImplementor) Run(ctx context.Context) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "Run", ctx)
	ret0, _ := ret[0].(error)
	return ret0
}

// Run indicates an expected call of Run
// nolint
func (mr *MockImplementorMockRecorder) Run(ctx interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Run", reflect.TypeOf((*MockImplementor)(nil).Run), ctx)
}

// CleanUp mocks base method
// nolint
func (m *MockImplementor) CleanUp() error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "CleanUp")
	ret0, _ := ret[0].(error)
	return ret0
}

// CleanUp indicates an expected call of CleanUp
// nolint
func (mr *MockImplementorMockRecorder) CleanUp() *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CleanUp", reflect.TypeOf((*MockImplementor)(nil).CleanUp))
}

// ACLProvider mocks base method
// nolint
func (m *MockImplementor) ACLProvider() []provider.IptablesProvider {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ACLProvider")
	ret0, _ := ret[0].([]provider.IptablesProvider)
	return ret0
}

// ACLProvider indicates an expected call of ACLProvider
// nolint
func (mr *MockImplementorMockRecorder) ACLProvider() *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ACLProvider", reflect.TypeOf((*MockImplementor)(nil).ACLProvider))
}

// CreateCustomRulesChain mocks base method
// nolint
func (m *MockImplementor) CreateCustomRulesChain() error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "CreateCustomRulesChain")
	ret0, _ := ret[0].(error)
	return ret0
}

// CreateCustomRulesChain indicates an expected call of CreateCustomRulesChain
// nolint
func (mr *MockImplementorMockRecorder) CreateCustomRulesChain() *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateCustomRulesChain", reflect.TypeOf((*MockImplementor)(nil).CreateCustomRulesChain))
}


================================================
FILE: controller/internal/supervisor/noop/supervisornoop.go
================================================
// Package supervisornoop implements the supervisor interface with no operations. This is currently being used in two places:
// 1. for the supervisor proxy that actually does not need to take any action as a complement to the enforcer proxy
// 2. for enforcer implementations that do not need a supervisor to program the networks (e.g. the remote envoy authorizer enforcer)
package supervisornoop

import (
	"context"
	"time"

	"go.aporeto.io/enforcerd/trireme-lib/controller/runtime"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
)

// NoopSupervisor is a struct to hold the implementation of the Supervisor interface
type NoopSupervisor struct{}

// Supervise just keeps track of the active remotes so that it can initiate updates.
func (s *NoopSupervisor) Supervise(contextID string, puInfo *policy.PUInfo) error {

	return nil
}

// Unsupervise just keeps track of the active remotes so
func (s *NoopSupervisor) Unsupervise(contextID string) error {

	return nil
}

// SetTargetNetworks sets the target networks in case of an  update
func (s *NoopSupervisor) SetTargetNetworks(cfg *runtime.Configuration) error {
	return nil
}

// CleanUp implements the cleanup interface, but it doesn't need to do anything.
func (s *NoopSupervisor) CleanUp() error {
	return nil
}

// Run runs the proxy supervisor and initializes the cleaners.
func (s *NoopSupervisor) Run(ctx context.Context) error {
	return nil
}

// EnableIPTablesPacketTracing enable iptables tracing
func (s *NoopSupervisor) EnableIPTablesPacketTracing(ctx context.Context, contextID string, interval time.Duration) error {
	return nil
}

// NewNoopSupervisor creates a new noop supervisor
func NewNoopSupervisor() *NoopSupervisor {

	return &NoopSupervisor{}
}


================================================
FILE: controller/internal/supervisor/supervisor.go
================================================
package supervisor

import (
	"context"
	"errors"
	"fmt"
	"sync"
	"time"

	"go.aporeto.io/enforcerd/trireme-lib/collector"
	"go.aporeto.io/enforcerd/trireme-lib/common"
	"go.aporeto.io/enforcerd/trireme-lib/controller/constants"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/supervisor/iptablesctrl"
	supervisornoop "go.aporeto.io/enforcerd/trireme-lib/controller/internal/supervisor/noop"
	provider "go.aporeto.io/enforcerd/trireme-lib/controller/pkg/aclprovider"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/counters"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/fqconfig"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/ipsetmanager"
	"go.aporeto.io/enforcerd/trireme-lib/controller/runtime"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
	"go.aporeto.io/enforcerd/trireme-lib/utils/cache"
	"go.uber.org/zap"
)

type cacheData struct {
	version       int
	ips           policy.ExtendedMap
	mark          string
	tcpPorts      string
	udpPorts      string
	username      string
	containerInfo *policy.PUInfo
}

// Config is the structure holding all information about the supervisor
type Config struct {
	// mode is LocalServer or RemoteContainer
	mode constants.ModeType
	// versionTracker tracks the current version of the ACLs
	versionTracker cache.DataStore
	// impl is the packet filter implementation
	impl Implementor
	// collector is the stats collector implementation
	collector collector.EventCollector
	// filterQueue is the filterqueue parameters
	filterQueue fqconfig.FilterQueue
	// cfg is the mutable configuration
	cfg *runtime.Configuration
	sync.Mutex
}

// NewSupervisor will create a new connection supervisor that uses IPTables
// to redirect specific packets to userspace. It instantiates multiple data stores
// to maintain efficient mappings between contextID, policy and IP addresses. This
// simplifies the lookup operations at the expense of memory.
func NewSupervisor(
	collector collector.EventCollector,
	enforcerInstance enforcer.Enforcer,
	mode constants.ModeType,
	cfg *runtime.Configuration,
	ipv6Enabled bool,
	iptablesLockfile string,
) (Supervisor, error) {

	// for certain modes we do not want to launch a supervisor at all, so we are going to launch a noop supervisor
	// like we do for the supervisor proxy
	if mode == constants.RemoteContainerEnvoyAuthorizer {
		return supervisornoop.NewNoopSupervisor(), nil
	}

	if collector == nil || enforcerInstance == nil {
		return nil, errors.New("Invalid parameters")
	}

	filterQueue := enforcerInstance.GetFilterQueue()
	if filterQueue == nil {
		return nil, errors.New("enforcer filter queues cannot be nil")
	}

	bpf := enforcerInstance.GetBPFObject()
	serviceMeshType := enforcerInstance.GetServiceMeshType()
	impl, err := iptablesctrl.NewInstance(filterQueue, mode, ipv6Enabled, bpf, iptablesLockfile, serviceMeshType)

	if err != nil {
		return nil, fmt.Errorf("unable to initialize supervisor controllers: %s", err)
	}

	return &Config{
		mode:           mode,
		impl:           impl,
		versionTracker: cache.NewCache("SupVersionTracker"),
		collector:      collector,
		filterQueue:    filterQueue,
		cfg:            cfg,
	}, nil
}

// Run starts the supervisor
func (s *Config) Run(ctx context.Context) error {

	s.Lock()
	defer s.Unlock()

	if err := s.impl.Run(ctx); err != nil {
		return fmt.Errorf("unable to start the implementer: %s", err)
	}

	if err := s.impl.SetTargetNetworks(s.cfg); err != nil {
		return err
	}

	if err := s.impl.CreateCustomRulesChain(); err != nil {
		return err
	}

	return nil
}

// Supervise creates a mapping between an IP address and the corresponding labels.
// it invokes the various handlers that process the parameter policy.
func (s *Config) Supervise(contextID string, pu *policy.PUInfo) error {

	if pu == nil || pu.Policy == nil || pu.Runtime == nil {
		return errors.New("Invalid PU or policy info")
	}

	if _, err := s.versionTracker.Get(contextID); err != nil {
		// ContextID is not found in Cache, New PU: Do create.
		return s.doCreatePU(contextID, pu)
	}

	// Context already in the cache. Just run update
	return s.doUpdatePU(contextID, pu)
}

// Unsupervise removes the mapping from cache and cleans up the iptable rules. ALL
// remove operations will print errors by they don't return error. We want to force
// as much cleanup as possible to avoid stale state
func (s *Config) Unsupervise(contextID string) error {
	s.Lock()
	defer s.Unlock()

	data, err := s.versionTracker.Get(contextID)
	if err != nil {
		return fmt.Errorf("cannot find policy version: %s", err)
	}

	cfg := data.(*cacheData)

	// TODO (varks): Similar to configureRules and UpdateRules, DeleteRules should take
	// only contextID and *policy.PUInfo as function parameters.
	if err := s.impl.DeleteRules(cfg.version, contextID, cfg.tcpPorts, cfg.udpPorts, cfg.mark, cfg.username, cfg.containerInfo); err != nil {
		zap.L().Warn("Some rules were not deleted during unsupervise", zap.Error(err))
	}

	if err := s.versionTracker.Remove(contextID); err != nil {
		zap.L().Warn("Failed to clean the rule version cache", zap.Error(err))
	}

	ipsetmanager.V4().RemoveExternalNets(contextID)
	ipsetmanager.V6().RemoveExternalNets(contextID)

	return nil
}

// CleanUp implements the cleanup interface
func (s *Config) CleanUp() error {
	s.Lock()
	defer s.Unlock()

	return s.impl.CleanUp()
}

// SetTargetNetworks sets the target networks of the supervisor
func (s *Config) SetTargetNetworks(cfg *runtime.Configuration) error {

	s.Lock()
	defer s.Unlock()

	s.cfg = cfg.DeepCopy()
	return s.impl.SetTargetNetworks(cfg)
}

// ACLProvider returns the ACL provider used by the supervisor that can be
// shared with other entities.
func (s *Config) ACLProvider() []provider.IptablesProvider {
	return s.impl.ACLProvider()
}

func (s *Config) doCreatePU(contextID string, pu *policy.PUInfo) error {

	s.Lock()

	tcpPorts, udpPorts := common.ConvertServicesToProtocolPortList(pu.Runtime.Options().Services)
	c := &cacheData{
		version:       0,
		ips:           pu.Policy.IPAddresses(),
		mark:          pu.Runtime.Options().CgroupMark,
		tcpPorts:      tcpPorts,
		udpPorts:      udpPorts,
		username:      pu.Runtime.Options().UserID,
		containerInfo: pu,
	}

	// Version the policy so that we can do hitless policy changes
	s.versionTracker.AddOrUpdate(contextID, c)

	var iprules policy.IPRuleList

	iprules = append(iprules, pu.Policy.ApplicationACLs()...)
	iprules = append(iprules, pu.Policy.NetworkACLs()...)

	if err := ipsetmanager.V4().RegisterExternalNets(contextID, iprules); err != nil {
		s.Unlock()
		zap.L().Error("Error creating ipsets for external networks", zap.Error(err))
		return err
	}

	if err := ipsetmanager.V6().RegisterExternalNets(contextID, iprules); err != nil {
		s.Unlock()
		zap.L().Error("Error creating ipsets for external networks", zap.Error(err))
		return err
	}

	// Configure the rules
	if err := s.impl.ConfigureRules(c.version, contextID, pu); err != nil {
		// Revert what you can since we have an error - it will fail most likely
		zap.L().Error("ConfigureRules Failed with error", zap.Error(err))
		s.Unlock()
		s.Unsupervise(contextID) // nolint
		return err
	}

	s.Unlock()

	return nil
}

// UpdatePU creates a mapping between an IP address and the corresponding labels
//and the invokes the various handlers that process all policies.
func (s *Config) doUpdatePU(contextID string, pu *policy.PUInfo) error {

	s.Lock()

	data, err := s.versionTracker.Get(contextID)
	if err != nil {
		s.Unlock()
		return fmt.Errorf("unable to find pu %s in cache: %s", contextID, err)
	}

	var iprules policy.IPRuleList

	iprules = append(iprules, pu.Policy.ApplicationACLs()...)
	iprules = append(iprules, pu.Policy.NetworkACLs()...)

	if err := ipsetmanager.V4().RegisterExternalNets(contextID, iprules); err != nil {
		s.Unlock()
		zap.L().Error("Error creating ipsets for external networks", zap.Error(err))
		return err
	}

	if err := ipsetmanager.V6().RegisterExternalNets(contextID, iprules); err != nil {
		s.Unlock()
		zap.L().Error("Error creating ipsets for external networks", zap.Error(err))
		return err
	}

	c := data.(*cacheData)

	if err := s.impl.UpdateRules(c.version^1, contextID, pu, c.containerInfo); err != nil {
		zap.L().Error("Update rules failed with error...Reconfiguring the system", zap.Error(err))
		counters.IncrementCounter(counters.ErrIPTablesReset)
		s.Unlock()

		s.Unsupervise(contextID)    //nolint
		s.CleanUp()                 //nolint
		s.Run(context.Background()) //nolint
		return s.Supervise(contextID, pu)
	}

	c.version ^= 1

	// Updated the policy in the cached processing unit.
	c.containerInfo.Policy = pu.Policy

	ipsetmanager.V4().DestroyUnusedIPsets()
	ipsetmanager.V6().DestroyUnusedIPsets()

	s.Unlock()
	return nil
}

// EnableIPTablesPacketTracing enables ip tables packet tracing
func (s *Config) EnableIPTablesPacketTracing(ctx context.Context, contextID string, interval time.Duration) error {

	data, err := s.versionTracker.Get(contextID)
	if err != nil {
		return fmt.Errorf("cannot find policy version: %s", err)
	}

	cfg := data.(*cacheData)
	iptablesRules := debugRules(cfg, s.mode)
	ipts := s.impl.ACLProvider()

	for _, ipt := range ipts {
		for _, rule := range iptablesRules {
			if err := ipt.Insert(rule[0], rule[1], 1, rule[2:]...); err != nil {
				zap.L().Error("Unable to install rule", zap.Error(err))
			}
		}

		// anonymous go func to flush debug iptables after interval
		go func(ipt provider.IptablesProvider) {
			for {
				select {
				case <-ctx.Done():
					return
				case <-time.After(interval):
					for _, rule := range iptablesRules {
						if err := ipt.Delete(rule[0], rule[1], rule[2:]...); err != nil {
							zap.L().Debug("Unable to delete trace rules", zap.Error(err))
						}
					}
				}
			}
		}(ipt)
	}
	return nil
}

func debugRules(data *cacheData, mode constants.ModeType) [][]string {
	iptables := [][]string{}
	if mode == constants.RemoteContainer {
		iptables = append(iptables, [][]string{
			{
				"raw",
				"PREROUTING",
				"-j", "TRACE",
			},
			{
				"raw",
				"OUTPUT",
				"-j", "TRACE",
			},
		}...)
	} else {
		if data.tcpPorts != "0" {
			iptables = append(iptables,
				[][]string{
					{
						"raw",
						"PREROUTING",
						"-p", "tcp",
						"--match", "multiport",
						"--destination-ports", data.tcpPorts,
						"-j", "TRACE",
					},
					{
						"raw",
						"OUTPUT",
						"--match", "multiport",
						"--source-ports", data.tcpPorts,
						"-j", "TRACE",
					},
				}...,
			)

		} else {
			iptables = append(iptables, [][]string{
				{
					"raw",
					"PREROUTING",
					"-p", "tcp",
					"-j", "TRACE",
				},
				{
					"raw",
					"OUTPUT",
					"-m", "cgroup",
					"--cgroup", data.mark,
					"-j", "TRACE",
				},
			}...)
		}
		if data.udpPorts != "0" {
			iptables = append(iptables, [][]string{
				{
					"raw",
					"PREROUTING",
					"-p", "udp",
					"--match", "multiport",
					"--destination-ports", data.udpPorts,
					"-j", "TRACE",
				},
				{
					"raw",
					"OUTPUT",
					"--match", "multiport",
					"--source-ports", data.tcpPorts,
					"-j", "TRACE",
				},
			}...)
		} else {
			iptables = append(iptables,
				[][]string{
					{
						"raw",
						"PREROUTING",
						"-p", "tcp",
						"-j", "TRACE",
					},
					{
						"raw",
						"OUTPUT",
						"-m", "cgroup",
						"--cgroup", data.mark,
						"-j", "TRACE",
					},
				}...)
		}
	}
	return iptables
}


================================================
FILE: controller/internal/supervisor/supervisor_test.go
================================================
package supervisor

import (
	"context"
	"errors"
	"strings"
	"testing"
	"time"

	"github.com/blang/semver"
	"github.com/golang/mock/gomock"
	. "github.com/smartystreets/goconvey/convey"
	"go.aporeto.io/enforcerd/trireme-lib/collector"
	"go.aporeto.io/enforcerd/trireme-lib/controller/constants"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer"
	enforcerconstants "go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/constants"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/nfqdatapath"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/nfqdatapath/afinetrawsocket"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/nfqdatapath/tokenaccessor"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/supervisor/mocksupervisor"
	provider "go.aporeto.io/enforcerd/trireme-lib/controller/pkg/aclprovider"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/fqconfig"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/ipsetmanager"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packetprocessor"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/secrets"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/secrets/testhelper"
	"go.aporeto.io/enforcerd/trireme-lib/controller/runtime"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
	"go.aporeto.io/enforcerd/trireme-lib/utils/cache"
)

func newSupervisor(
	collector collector.EventCollector,
	enforcerInstance enforcer.Enforcer,
	mode constants.ModeType,
	cfg *runtime.Configuration,
) (*Config, error) {

	s, err := NewSupervisor(collector, enforcerInstance, mode, cfg, false, "")
	if err != nil {
		return nil, err
	}
	return s.(*Config), nil
}

func createPUInfo() *policy.PUInfo {

	rules := policy.IPRuleList{
		policy.IPRule{
			Addresses: []string{"192.30.253.0/24"},
			Ports:     []string{"80"},
			Protocols: []string{"TCP"},
			Policy:    &policy.FlowPolicy{Action: policy.Reject},
		},

		policy.IPRule{
			Addresses: []string{"192.30.253.0/24"},
			Ports:     []string{"443"},
			Protocols: []string{"TCP"},
			Policy:    &policy.FlowPolicy{Action: policy.Accept},
		},
	}

	ips := policy.ExtendedMap{
		policy.DefaultNamespace: "172.17.0.1",
	}

	runtime := policy.NewPURuntimeWithDefaults()
	runtime.SetIPAddresses(ips)
	plc := policy.NewPUPolicy(
		"context",
		"/ns1",
		policy.Police,
		rules,
		rules,
		nil,
		nil,
		nil,
		nil,
		nil,
		nil,
		ips,
		0,
		0,
		nil,
		nil,
		[]string{},
		policy.EnforcerMapping,
		policy.Reject|policy.Log,
		policy.Reject|policy.Log,
	)

	return policy.PUInfoFromPolicyAndRuntime("context", plc, runtime)

}

func newFilterQueueWithDefaults() fqconfig.FilterQueue {
	return fqconfig.NewFilterQueue(0, nil)
}

// NewWithDefaults create a new data path with most things used by default
func newWithDefaults(
	serverID string, // nolint: unparam
	collector collector.EventCollector,
	service packetprocessor.PacketProcessor, // nolint: unparam
	secrets secrets.Secrets,
	mode constants.ModeType,
	procMountPoint string, // nolint: unparam
	targetNetworks []string,
) enforcer.Enforcer {

	defaultMutualAuthorization := false
	defaultValidity := constants.SynTokenRefreshTime
	defaultExternalIPCacheTimeout, err := time.ParseDuration(enforcerconstants.DefaultExternalIPTimeout)
	if err != nil {
		defaultExternalIPCacheTimeout = time.Second
	}
	defaultPacketLogs := false

	tokenAccessor, _ := tokenaccessor.New(serverID, defaultValidity, secrets)
	puFromContextID := cache.NewCache("puFromContextID")
	fq := newFilterQueueWithDefaults()
	e := nfqdatapath.New(
		defaultMutualAuthorization,
		fq,
		collector,
		serverID,
		defaultValidity,
		secrets,
		mode,
		procMountPoint,
		defaultExternalIPCacheTimeout,
		defaultPacketLogs,
		tokenAccessor,
		puFromContextID,
		&runtime.Configuration{TCPTargetNetworks: targetNetworks},
		false,
		semver.Version{},
		policy.None,
	)

	return e
}

func TestNewSupervisor(t *testing.T) {
	Convey("When I try to instantiate a new supervisor ", t, func() {

		c := &collector.DefaultCollector{}
		_, secrets, _ := testhelper.NewTestCompactPKISecrets()

		prevRawSocket := nfqdatapath.GetUDPRawSocket
		defer func() {
			nfqdatapath.GetUDPRawSocket = prevRawSocket
		}()
		nfqdatapath.GetUDPRawSocket = func(mark int, device string) (afinetrawsocket.SocketWriter, error) {
			return nil, nil
		}

		e := newWithDefaults("serverID", c, nil, secrets, constants.LocalServer, "/proc", []string{"0.0.0.0/0"})
		mode := constants.LocalServer

		Convey("When I provide correct parameters", func() {
			s, err := newSupervisor(c, e, mode, &runtime.Configuration{})
			Convey("I should not get an error ", func() {
				So(err, ShouldBeNil)
				So(s, ShouldNotBeNil)
				So(s.collector, ShouldEqual, c)
			})
		})
		Convey("When I provide a nil  collector", func() {
			s, err := newSupervisor(nil, e, mode, &runtime.Configuration{})
			Convey("I should get an error ", func() {
				So(err, ShouldNotBeNil)
				So(s, ShouldBeNil)
			})
		})

		Convey("When I provide a nil enforcer", func() {
			s, err := newSupervisor(c, nil, mode, &runtime.Configuration{})
			Convey("I should get an error ", func() {
				So(err, ShouldNotBeNil)
				So(s, ShouldBeNil)
			})
		})
	})
}

func TestSupervise(t *testing.T) {
	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	Convey("Given a valid supervisor", t, func() {
		c := &collector.DefaultCollector{}
		_, scrts, _ := testhelper.NewTestCompactPKISecrets()

		prevRawSocket := nfqdatapath.GetUDPRawSocket
		defer func() {
			nfqdatapath.GetUDPRawSocket = prevRawSocket
		}()
		nfqdatapath.GetUDPRawSocket = func(mark int, device string) (afinetrawsocket.SocketWriter, error) {
			return nil, nil
		}
		e := newWithDefaults("serverID", c, nil, scrts, constants.RemoteContainer, "/proc", []string{"0.0.0.0/0"})

		ips := ipsetmanager.NewTestIpsetProvider()
		ipsetmanager.SetIpsetTestInstance(ips)

		s, _ := newSupervisor(c, e, constants.RemoteContainer, &runtime.Configuration{})
		So(s, ShouldNotBeNil)

		impl := mocksupervisor.NewMockImplementor(ctrl)
		s.impl = impl

		Convey("When I supervise a new PU with invalid policy", func() {
			err := s.Supervise("contextID", nil)
			Convey("I should get an error", func() {
				So(err, ShouldNotBeNil)
			})
		})

		puInfo := createPUInfo()

		Convey("When I supervise a new PU with valid policy", func() {
			impl.EXPECT().ConfigureRules(0, "contextID", puInfo).Return(nil)
			err := s.Supervise("contextID", puInfo)
			Convey("I should not get an error", func() {
				So(err, ShouldBeNil)
			})
		})

		Convey("When I supervise a new PU with valid policy, but there is an error", func() {
			impl.EXPECT().ConfigureRules(0, "errorPU", puInfo).Return(errors.New("error"))
			impl.EXPECT().DeleteRules(0, "errorPU", gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return(nil)
			err := s.Supervise("errorPU", puInfo)
			Convey("I should  get an error", func() {
				So(err, ShouldNotBeNil)
			})
		})

		Convey("When I send supervise command for a second time, it should do an update", func() {
			impl.EXPECT().ConfigureRules(0, "contextID", puInfo).Return(nil)
			impl.EXPECT().UpdateRules(1, "contextID", gomock.Any(), gomock.Any()).Return(nil)
			noerr := s.Supervise("contextID", puInfo)
			So(noerr, ShouldBeNil)
			err := s.Supervise("contextID", puInfo)
			Convey("I should not get an error", func() {
				So(err, ShouldBeNil)
			})
		})

		Convey("When I send supervise command for a second time, and the update fails", func() {
			impl.EXPECT().ConfigureRules(0, "contextID", puInfo).Times(2).Return(nil)
			impl.EXPECT().UpdateRules(1, "contextID", gomock.Any(), gomock.Any()).Return(errors.New("error"))
			impl.EXPECT().DeleteRules(0, "contextID", gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return(nil)
			impl.EXPECT().CleanUp()
			impl.EXPECT().Run(gomock.Any()).Return(nil)
			impl.EXPECT().SetTargetNetworks(gomock.Any()).Return(nil)
			impl.EXPECT().CreateCustomRulesChain().Return(nil)
			serr := s.Supervise("contextID", puInfo)
			So(serr, ShouldBeNil)
			err := s.Supervise("contextID", puInfo)
			So(err, ShouldBeNil)
		})

	})
}

func TestUnsupervise(t *testing.T) {

	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	Convey("Given a properly configured  supervisor", t, func() {
		c := &collector.DefaultCollector{}
		_, scrts, _ := testhelper.NewTestCompactPKISecrets()

		prevRawSocket := nfqdatapath.GetUDPRawSocket
		defer func() {
			nfqdatapath.GetUDPRawSocket = prevRawSocket
		}()
		nfqdatapath.GetUDPRawSocket = func(mark int, device string) (afinetrawsocket.SocketWriter, error) {
			return nil, nil
		}

		e := newWithDefaults("serverID", c, nil, scrts, constants.RemoteContainer, "/proc", []string{"0.0.0.0/0"})

		ips := ipsetmanager.NewTestIpsetProvider()
		ipsetmanager.SetIpsetTestInstance(ips)

		s, _ := newSupervisor(c, e, constants.RemoteContainer, &runtime.Configuration{TCPTargetNetworks: []string{"172.17.0.0/16"}})
		So(s, ShouldNotBeNil)

		impl := mocksupervisor.NewMockImplementor(ctrl)
		s.impl = impl

		Convey("When I try to unsupervise a PU that was not see before", func() {
			err := s.Unsupervise("badContext")
			Convey("I should get an error", func() {
				So(err, ShouldNotBeNil)
			})
		})

		puInfo := createPUInfo()

		Convey("When I try to unsupervise a valid PU ", func() {
			impl.EXPECT().ConfigureRules(0, "contextID", puInfo).Return(nil)
			impl.EXPECT().DeleteRules(0, "contextID", gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return(nil)
			serr := s.Supervise("contextID", puInfo)
			So(serr, ShouldBeNil)
			err := s.Unsupervise("contextID")
			Convey("I should get no errors", func() {
				So(err, ShouldBeNil)
			})
		})
	})
}

func TestStart(t *testing.T) {
	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	Convey("Given a properly configured supervisor", t, func() {
		c := &collector.DefaultCollector{}
		_, scrts, _ := testhelper.NewTestCompactPKISecrets()

		prevRawSocket := nfqdatapath.GetUDPRawSocket
		defer func() {
			nfqdatapath.GetUDPRawSocket = prevRawSocket
		}()
		nfqdatapath.GetUDPRawSocket = func(mark int, device string) (afinetrawsocket.SocketWriter, error) {
			return nil, nil
		}

		e := newWithDefaults("serverID", c, nil, scrts, constants.RemoteContainer, "/proc", []string{"0.0.0.0/0"})

		s, _ := newSupervisor(c, e,
			constants.RemoteContainer,
			&runtime.Configuration{TCPTargetNetworks: []string{"172.17.0.0/16"}})
		So(s, ShouldNotBeNil)

		impl := mocksupervisor.NewMockImplementor(ctrl)
		s.impl = impl

		Convey("When I try to start it and the implementor works", func() {
			impl.EXPECT().Run(gomock.Any()).Return(nil)
			impl.EXPECT().SetTargetNetworks(&runtime.Configuration{TCPTargetNetworks: []string{"172.17.0.0/16"}}).Return(nil)
			impl.EXPECT().CreateCustomRulesChain().Return(nil)
			err := s.Run(context.Background())
			Convey("I should get no errors", func() {
				So(err, ShouldBeNil)
			})
		})

		Convey("When I try to start it and the implementor returns an error", func() {
			impl.EXPECT().Run(gomock.Any()).Return(errors.New("error"))
			err := s.Run(context.Background())
			Convey("I should get an error ", func() {
				So(err, ShouldNotBeNil)
			})
		})
	})
}

func TestStop(t *testing.T) {
	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	Convey("Given a properly configured supervisor", t, func() {
		c := &collector.DefaultCollector{}
		_, scrts, _ := testhelper.NewTestCompactPKISecrets()

		prevRawSocket := nfqdatapath.GetUDPRawSocket
		defer func() {
			nfqdatapath.GetUDPRawSocket = prevRawSocket
		}()
		nfqdatapath.GetUDPRawSocket = func(mark int, device string) (afinetrawsocket.SocketWriter, error) {
			return nil, nil
		}

		e := newWithDefaults("serverID", c, nil, scrts, constants.RemoteContainer, "/proc", []string{"0.0.0.0/0"})

		s, _ := newSupervisor(c, e, constants.RemoteContainer, &runtime.Configuration{TCPTargetNetworks: []string{"172.17.0.0/16"}})
		So(s, ShouldNotBeNil)

		impl := mocksupervisor.NewMockImplementor(ctrl)
		s.impl = impl

		Convey("When I try to start it and the implementor works", func() {
			impl.EXPECT().Run(gomock.Any()).Return(nil)
			impl.EXPECT().SetTargetNetworks(&runtime.Configuration{TCPTargetNetworks: []string{"172.17.0.0/16"}}).Return(nil)
			impl.EXPECT().CreateCustomRulesChain().Return(nil)
			err := s.Run(context.Background())
			Convey("I should get no errors", func() {
				So(err, ShouldBeNil)
			})
		})
	})
}

func TestEnableIPTablesPacketTracing(t *testing.T) {
	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	Convey("Given a properly configured supervisor", t, func() {
		c := &collector.DefaultCollector{}
		_, scrts, _ := testhelper.NewTestCompactPKISecrets()

		prevRawSocket := nfqdatapath.GetUDPRawSocket
		defer func() {
			nfqdatapath.GetUDPRawSocket = prevRawSocket
		}()
		nfqdatapath.GetUDPRawSocket = func(mark int, device string) (afinetrawsocket.SocketWriter, error) {
			return nil, nil
		}

		e := newWithDefaults("serverID", c, nil, scrts, constants.RemoteContainer, "/proc", []string{"0.0.0.0/0"})

		s, _ := newSupervisor(c, e, constants.RemoteContainer, &runtime.Configuration{TCPTargetNetworks: []string{"172.17.0.0/16"}})
		So(s, ShouldNotBeNil)

		impl := mocksupervisor.NewMockImplementor(ctrl)
		s.impl = impl

		Convey("When I try to start it and the implementor works", func() {
			impl.EXPECT().Run(gomock.Any()).Return(nil)
			impl.EXPECT().SetTargetNetworks(&runtime.Configuration{TCPTargetNetworks: []string{"172.17.0.0/16"}}).Return(nil)
			impl.EXPECT().CreateCustomRulesChain().Return(nil)
			err := s.Run(context.Background())
			Convey("I should get no errors", func() {
				So(err, ShouldBeNil)
			})

		})
		Convey("I setup EnableIPTablesTracing on an invalid contextID", func() {
			err := s.EnableIPTablesPacketTracing(context.Background(), "serverID", 10*time.Second)
			So(err, ShouldNotBeNil)
		})
		Convey("I setup EnableIPTablesTracing on an valid contextID", func() {
			puInfo := createPUInfo()
			impl.EXPECT().ConfigureRules(0, "contextID", puInfo).Return(nil)

			serr := s.Supervise("contextID", puInfo)
			So(serr, ShouldBeNil)
			iptProvider := provider.NewTestIptablesProvider()
			iptProviders := []provider.IptablesProvider{iptProvider, iptProvider}
			impl.EXPECT().ACLProvider().Times(1).Return(iptProviders)
			err := s.EnableIPTablesPacketTracing(context.Background(), "contextID", 10*time.Second)
			So(err, ShouldBeNil)
		})
	})
}

func TestDebugRules(t *testing.T) {
	Convey("Given i get debug rules", t, func() {
		Convey("Debug Rules for container", func() {
			rules := debugRules(nil, constants.RemoteContainer)
			So(len(rules), ShouldEqual, 2)
			for _, rule := range rules {
				found := strings.Contains(strings.Join(rule, ","), "multiport")
				So(found, ShouldBeFalse)

			}
		})
		Convey("Debug Rules for linux process with valid tcp port", func() {
			data := &cacheData{
				tcpPorts: "80",
			}
			rules := debugRules(data, constants.LocalServer)
			So(len(rules), ShouldEqual, 4)
			for _, rule := range rules {
				found := strings.Contains(strings.Join(rule, ","), "udp") && strings.Contains(strings.Join(rule, ","), "cgroup")
				So(found, ShouldBeFalse)

			}
		})
		Convey("Debug Rules for linux process with valid udp port", func() {
			data := &cacheData{
				udpPorts: "80",
			}
			rules := debugRules(data, constants.LocalServer)
			So(len(rules), ShouldEqual, 4)
			for _, rule := range rules {
				found := strings.Contains(strings.Join(rule, ","), "tcp") && strings.Contains(strings.Join(rule, ","), "cgroup")
				So(found, ShouldBeFalse)

			}
		})
		Convey("Debug Rules for linux process with valid mark", func() {
			data := &cacheData{
				udpPorts: "80",
			}
			rules := debugRules(data, constants.LocalServer)
			So(len(rules), ShouldEqual, 4)
			for _, rule := range rules {
				found := strings.Contains(strings.Join(rule, ","), "cgroup") && strings.Contains(strings.Join(rule, ","), "multiport")
				So(found, ShouldBeFalse)

			}
		})

	})
}


================================================
FILE: controller/internal/windows/rulespec_windows.go
================================================
// +build windows

package windows

import (
	"bytes"
	"errors"
	"fmt"
	"math"
	"sort"
	"strconv"
	"strings"

	"github.com/DavidGamba/go-getoptions"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packet"
	"go.aporeto.io/enforcerd/trireme-lib/utils/frontman"
	"golang.org/x/net/ipv6"
)

// WindowsRuleRange represents a range of values for a rule
type WindowsRuleRange struct { // nolint:golint // ignore type name stutters
	Start int
	End   int
}

// WindowsRuleIcmpMatch represents parameters for an ICMP match
type WindowsRuleIcmpMatch struct { // nolint:golint // ignore type name stutters
	IcmpType      int
	IcmpCodeRange *WindowsRuleRange
	Nomatch       bool
}

// WindowsRuleMatchSet represents result of parsed --match-set
type WindowsRuleMatchSet struct { // nolint:golint // ignore type name stutters
	MatchSetName    string
	MatchSetNegate  bool
	MatchSetDstIP   bool
	MatchSetDstPort bool
	MatchSetSrcIP   bool
	MatchSetSrcPort bool
}

// WindowsRuleSpec represents result of parsed iptables rule
type WindowsRuleSpec struct { // nolint:golint // ignore type name stutters
	Protocol                   int
	Action                     int // FilterAction (allow, drop, nfq, proxy)
	ProxyPort                  int
	Mark                       int
	Log                        bool
	LogPrefix                  string
	GroupID                    int
	ProcessID                  int
	ProcessIncludeChildren     bool
	ProcessIncludeChildrenOnly bool
	MatchSrcPort               []*WindowsRuleRange
	MatchDstPort               []*WindowsRuleRange
	MatchBytesNoMatch          bool
	MatchBytes                 []byte
	MatchBytesOffset           int
	MatchSet                   []*WindowsRuleMatchSet
	IcmpMatch                  []*WindowsRuleIcmpMatch
	TCPFlags                   uint8
	TCPFlagsMask               uint8
	TCPFlagsSpecified          bool
	TCPOption                  uint8
	TCPOptionSpecified         bool
	GotoFilterName             string
	FlowMarkNoMatch            bool
	FlowMark                   int
}

// MakeRuleSpecText converts a WindowsRuleSpec back into a string for an iptables rule
func MakeRuleSpecText(winRuleSpec *WindowsRuleSpec, validate bool) (string, error) {

	rulespec := ""

	if winRuleSpec.Protocol > 0 && winRuleSpec.Protocol < math.MaxUint8 {
		rulespec += fmt.Sprintf("-p %d ", winRuleSpec.Protocol)
	}

	if len(winRuleSpec.MatchBytes) > 0 {
		if winRuleSpec.MatchBytesNoMatch {
			rulespec += fmt.Sprintf("-m string --string ! %s --offset %d ", string(winRuleSpec.MatchBytes), winRuleSpec.MatchBytesOffset)
		} else {
			rulespec += fmt.Sprintf("-m string --string %s --offset %d ", string(winRuleSpec.MatchBytes), winRuleSpec.MatchBytesOffset)
		}
	}

	if len(winRuleSpec.MatchSrcPort) > 0 {
		rulespec += "--sports "
		for i, pr := range winRuleSpec.MatchSrcPort {
			rulespec += strconv.Itoa(pr.Start)
			if pr.Start != pr.End {
				rulespec += fmt.Sprintf(":%d", pr.End)
			}
			if i+1 < len(winRuleSpec.MatchSrcPort) {
				rulespec += ","
			}
		}
		rulespec += " "
	}

	if len(winRuleSpec.MatchDstPort) > 0 {
		rulespec += "--dports "
		for i, pr := range winRuleSpec.MatchDstPort {
			rulespec += strconv.Itoa(pr.Start)
			if pr.Start != pr.End {
				rulespec += fmt.Sprintf(":%d", pr.End)
			}
			if i+1 < len(winRuleSpec.MatchDstPort) {
				rulespec += ","
			}
		}
		rulespec += " "
	}

	if len(winRuleSpec.MatchSet) > 0 {
		for _, ms := range winRuleSpec.MatchSet {
			rulespec += "-m set "
			if ms.MatchSetNegate {
				rulespec += "! "
			}
			rulespec += fmt.Sprintf("--match-set %s ", ms.MatchSetName)
			if ms.MatchSetSrcIP {
				rulespec += "srcIP"
				if ms.MatchSetSrcPort || ms.MatchSetDstPort {
					rulespec += ","
				}
			} else if ms.MatchSetDstIP {
				rulespec += "dstIP"
				if ms.MatchSetSrcPort || ms.MatchSetDstPort {
					rulespec += ","
				}
			}
			if ms.MatchSetSrcPort {
				rulespec += "srcPort"
			} else if ms.MatchSetDstPort {
				rulespec += "dstPort"
			}
			rulespec += " "
		}
	}

	if len(winRuleSpec.IcmpMatch) > 0 {
		for _, im := range winRuleSpec.IcmpMatch {
			if im.Nomatch {
				rulespec += "--icmp-type nomatch"
			} else {
				rulespec += fmt.Sprintf("--icmp-type %d", im.IcmpType)
				if im.IcmpCodeRange != nil {
					rulespec += fmt.Sprintf("/%d", im.IcmpCodeRange.Start)
					if im.IcmpCodeRange.Start != im.IcmpCodeRange.End {
						rulespec += fmt.Sprintf(":%d", im.IcmpCodeRange.End)
					}
				}
			}
			rulespec += " "
		}
	}

	if winRuleSpec.TCPFlagsSpecified {
		rulespec += fmt.Sprintf("--tcp-flags %d,%d ", winRuleSpec.TCPFlagsMask, winRuleSpec.TCPFlags)
	}

	if winRuleSpec.TCPOptionSpecified {
		rulespec += fmt.Sprintf("--tcp-option %d ", winRuleSpec.TCPOption)
	}

	if winRuleSpec.FlowMark != 0 {
		if winRuleSpec.FlowMarkNoMatch {
			rulespec += fmt.Sprintf("-m connmark --mark ! %d ", winRuleSpec.FlowMark)
		} else {
			rulespec += fmt.Sprintf("-m connmark --mark %d ", winRuleSpec.FlowMark)
		}
	}

	switch winRuleSpec.Action {
	case frontman.FilterActionAllow:
		rulespec += "-j ACCEPT "
	case frontman.FilterActionAllowOnce:
		rulespec += "-j ACCEPT_ONCE "
	case frontman.FilterActionBlock:
		rulespec += "-j DROP "
	case frontman.FilterActionProxy:
		rulespec += fmt.Sprintf("-j REDIRECT --to-ports %d ", winRuleSpec.ProxyPort)
	case frontman.FilterActionNfq:
		rulespec += fmt.Sprintf("-j NFQUEUE -j MARK %d ", winRuleSpec.Mark)
	case frontman.FilterActionForceNfq:
		rulespec += fmt.Sprintf("-j NFQUEUE_FORCE -j MARK %d ", winRuleSpec.Mark)
	case frontman.FilterActionGotoFilter:
		rulespec += fmt.Sprintf("-j %s ", winRuleSpec.GotoFilterName)
	case frontman.FilterActionSetMark:
		rulespec += fmt.Sprintf("-j CONNMARK --set-mark %d", winRuleSpec.Mark)
	}
	if winRuleSpec.Log {
		rulespec += fmt.Sprintf("-j NFLOG --nflog-group %d --nflog-prefix \"%s\" ", winRuleSpec.GroupID, winRuleSpec.LogPrefix)
	}

	if winRuleSpec.ProcessID > 0 {
		rulespec += fmt.Sprintf("-m owner --pid-owner %d ", winRuleSpec.ProcessID)
		if winRuleSpec.ProcessIncludeChildrenOnly {
			rulespec += "--pid-childrenonly "
		} else if winRuleSpec.ProcessIncludeChildren {
			rulespec += "--pid-children "
		}
	}

	rulespec = strings.TrimSpace(rulespec)
	if validate {
		if _, err := ParseRuleSpec(strings.Split(rulespec, " ")...); err != nil {
			return "", err
		}
	}
	return rulespec, nil
}

// ParsePortString parses comma-separated list of port or port ranges
func ParsePortString(portString string) ([]*WindowsRuleRange, error) {
	var result []*WindowsRuleRange
	if portString != "" {
		portList := strings.Split(portString, ",")
		for _, portListItem := range portList {
			portEnd := 0
			portStart, err := strconv.Atoi(portListItem)
			if err != nil {
				portRange := strings.SplitN(portListItem, ":", 2)
				if len(portRange) != 2 {
					return nil, errors.New("invalid port string")
				}
				portStart, err = strconv.Atoi(portRange[0])
				if err != nil {
					return nil, errors.New("invalid port string")
				}
				portEnd, err = strconv.Atoi(portRange[1])
				if err != nil {
					return nil, errors.New("invalid port string")
				}
			}
			if portEnd == 0 {
				portEnd = portStart
			}
			result = append(result, &WindowsRuleRange{portStart, portEnd})
		}
	}
	return result, nil
}

// ReduceIcmpProtoString will look at policyRestrictions and return a rulespec substring for matching.
// represents the logic: "icmpProtoTypeCode and (policyRestrictions[0] or policyRestrictions[1] or...)"
// can return empty list if there is a proto match with no restriction.
// will return error if there is no intersection.
func ReduceIcmpProtoString(icmpProtoTypeCode string, policyRestrictions []string) ([]string, error) {

	if len(policyRestrictions) == 0 {
		return TransformIcmpProtoString(icmpProtoTypeCode), nil
	}

	splitIt := func(p string) (string, []*WindowsRuleIcmpMatch, error) {
		var c []*WindowsRuleIcmpMatch
		var err error
		parts := strings.SplitN(p, "/", 2)
		switch len(parts) {
		case 2:
			c, err = ParseIcmpTypeCode(parts[1])
			if err != nil {
				return "", nil, err
			}
			fallthrough
		case 1:
			return parts[0], c, nil
		default:
			return "", nil, fmt.Errorf("invalid icmpProtoTypeCode: %s", icmpProtoTypeCode)
		}
	}

	normalizeProto := func(p string) string {
		switch strings.ToLower(p) {
		case "1":
			return "icmp"
		case "58", "icmp6":
			return "icmpv6"
		}
		return p
	}

	proto, criteria, err := splitIt(icmpProtoTypeCode)
	if err != nil {
		return nil, err
	}

	var positiveMatch bool
	result := make([]string, 0, len(policyRestrictions))
	for _, restriction := range policyRestrictions {
		protoR, criteriaR, err := splitIt(restriction)
		if err != nil {
			return nil, err
		}
		// proto should match
		if proto != protoR && normalizeProto(proto) != normalizeProto(protoR) {
			continue
		}
		if len(criteriaR) == 0 {
			// no restriction
			result = append(result, TransformIcmpProtoString(icmpProtoTypeCode)...)
			positiveMatch = true
			continue
		}
		if len(criteria) == 0 {
			// restriction takes effect
			result = append(result, TransformIcmpProtoString(restriction)...)
			positiveMatch = true
			continue
		}

		if criteria[0].IcmpType != criteriaR[0].IcmpType {
			// types don't match
			continue
		}

		var ranges, rangesR []WindowsRuleRange
		for _, c := range criteria {
			if c.IcmpCodeRange != nil {
				ranges = append(ranges, *c.IcmpCodeRange)
			}
		}
		for _, c := range criteriaR {
			if c.IcmpCodeRange != nil {
				rangesR = append(rangesR, *c.IcmpCodeRange)
			}
		}

		if len(rangesR) == 0 {
			// no code restriction
			result = append(result, TransformIcmpProtoString(icmpProtoTypeCode)...)
			positiveMatch = true
			continue
		}
		if len(ranges) == 0 {
			// use restriction
			result = append(result, TransformIcmpProtoString(restriction)...)
			positiveMatch = true
			continue
		}

		// intersect the code restrictions
		combined := make([]*WindowsRuleRange, 0, len(ranges)+len(rangesR))
		sort.Slice(ranges, func(i, j int) bool {
			return ranges[i].Start < ranges[j].Start
		})
		sort.Slice(rangesR, func(i, j int) bool {
			return rangesR[i].Start < rangesR[j].Start
		})
		for i, j := 0, 0; i < len(ranges) && j < len(rangesR); {
			a, b := ranges[i], rangesR[j]
			// find max of the mins
			maxOfMins := a.Start
			if b.Start > maxOfMins {
				maxOfMins = b.Start
			}
			// find smaller max, and check if it's less than the other min.
			// if not then the intersection is [max(min1,min2),smallermax]
			if a.End < b.End {
				if a.End >= b.Start {
					combined = append(combined, &WindowsRuleRange{Start: maxOfMins, End: a.End})
				}
			} else {
				if b.End >= a.Start {
					combined = append(combined, &WindowsRuleRange{Start: maxOfMins, End: b.End})
				}
			}
			// advance
			if a.End <= b.End {
				i++
			}
			if b.End <= a.End {
				j++
			}
		}

		if len(combined) == 0 {
			// no intersection
			continue
		}

		codeString := ""
		for i, c := range combined {
			if i > 0 {
				codeString += ","
			}
			codeString += fmt.Sprintf("%d:%d", c.Start, c.End)
		}
		combinedString := fmt.Sprintf("%s/%d/%s", proto, criteria[0].IcmpType, codeString)
		result = append(result, TransformIcmpProtoString(combinedString)...)
		positiveMatch = true
	}

	if !positiveMatch {
		return nil, errors.New("policy restrictions do not match")
	}
	return result, nil
}

// TransformIcmpProtoString parses icmp/type/code string coming from ACL rule
// and returns a rulespec subsection
func TransformIcmpProtoString(icmpProtoTypeCode string) []string {
	parts := strings.SplitN(icmpProtoTypeCode, "/", 2)
	if len(parts) != 2 {
		return nil
	}
	typeCodeString := strings.TrimSpace(parts[1])
	if typeCodeString == "" {
		return nil
	}
	return []string{"--icmp-type", typeCodeString}
}

// GetIcmpNoMatch returns a rulespec subsection to indicate that there should be no match
func GetIcmpNoMatch() []string {
	return []string{"--icmp-type", "nomatch"}
}

// ParseIcmpTypeCode parses --icmp-type option
// string is of the form type/code:code,code,code:code
func ParseIcmpTypeCode(icmpTypeCode string) ([]*WindowsRuleIcmpMatch, error) {

	if icmpTypeCode == "" {
		return nil, nil
	}

	if strings.EqualFold(icmpTypeCode, "nomatch") {
		return []*WindowsRuleIcmpMatch{{Nomatch: true}}, nil
	}

	var result []*WindowsRuleIcmpMatch

	parts := strings.SplitN(icmpTypeCode, "/", 2)
	if len(parts) == 0 {
		return nil, nil
	}
	icmpType, err := strconv.Atoi(parts[0])
	if err != nil {
		return nil, err
	}
	if icmpType < 0 || icmpType > math.MaxUint8 {
		return nil, errors.New("ICMP type out of range")
	}
	if len(parts) > 1 {
		// parse codes, comma-separated
		for _, code := range strings.Split(parts[1], ",") {
			// parse code range
			codeLower, codeUpper := -1, -1
			codeRange := strings.SplitN(code, ":", 2)
			if len(codeRange) > 0 {
				codeLower, err = strconv.Atoi(codeRange[0])
				if err != nil {
					return nil, err
				}
				codeUpper = codeLower
			}
			if len(codeRange) > 1 {
				codeUpper, err = strconv.Atoi(codeRange[1])
				if err != nil {
					return nil, err
				}
			}
			if codeLower < 0 || codeLower > math.MaxUint8 {
				return nil, errors.New("ICMP code out of range")
			}
			if codeUpper < 0 || codeUpper > math.MaxUint8 || codeUpper < codeLower {
				return nil, errors.New("ICMP code out of range")
			}
			result = append(result, &WindowsRuleIcmpMatch{
				IcmpType:      icmpType,
				IcmpCodeRange: &WindowsRuleRange{codeLower, codeUpper},
			})
		}
	}
	if len(result) == 0 {
		result = append(result, &WindowsRuleIcmpMatch{IcmpType: icmpType})
	}

	return result, nil
}

// ParseRuleSpec parses a windows iptable rule
func ParseRuleSpec(rulespec ...string) (*WindowsRuleSpec, error) {

	opt := getoptions.New()

	protocolOpt := opt.String("p", "")
	sPortOpt := opt.String("sports", "")
	dPortOpt := opt.String("dports", "")
	actionOpt := opt.StringSlice("j", 1, 10, opt.Required())
	modeOpt := opt.StringSlice("m", 1, 10)
	matchSetOpt := opt.StringSlice("match-set", 2, 10)
	matchStringOpt := opt.StringSlice("string", 1, 2)
	matchStringOffsetOpt := opt.Int("offset", 0)
	matchOwnerPidOpt := opt.Int("pid-owner", 0)
	matchOwnerPidChildrenOpt := opt.Bool("pid-children", false)
	matchOwnerPidChildrenOnlyOpt := opt.Bool("pid-childrenonly", false)
	redirectPortOpt := opt.Int("to-ports", 0)
	stateOpt := opt.String("state", "")
	opt.String("match", "") // "--match multiport" ignored
	groupIDOpt := opt.Int("nflog-group", 0)
	logPrefixOpt := opt.String("nflog-prefix", "")
	icmpTypeOpt := opt.StringSlice("icmp-type", 1, 20)
	tcpFlags := opt.StringSlice("tcp-flags", 1, 1)
	tcpOption := opt.StringSlice("tcp-option", 1, 1)
	markOpt := opt.StringSlice("mark", 1, 2)
	setMarkOpt := opt.Int("set-mark", 0)

	_, err := opt.Parse(rulespec)
	if err != nil {
		return nil, err
	}

	result := &WindowsRuleSpec{}

	// protocol
	isProtoAnyRule := false
	switch strings.ToLower(*protocolOpt) {
	case "tcp":
		result.Protocol = packet.IPProtocolTCP
	case "udp":
		result.Protocol = packet.IPProtocolUDP
	case "icmp":
		result.Protocol = 1
	case "icmpv6":
		result.Protocol = ipv6.ICMPType(0).Protocol()
	case "": // not specified = all
		fallthrough
	case "all":
		result.Protocol = -1
		isProtoAnyRule = true
	default:
		result.Protocol, err = strconv.Atoi(*protocolOpt)
		if err != nil {
			return nil, errors.New("rulespec not valid: invalid protocol")
		}
		if result.Protocol < 0 || result.Protocol > math.MaxUint8 {
			return nil, errors.New("rulespec not valid: invalid protocol")
		}
		// iptables man page says protocol zero is equivalent to 'all' (sorry, IPv6 Hop-by-Hop Option)
		if result.Protocol == 0 {
			result.Protocol = -1
		}
	}

	if len(*tcpFlags) == 1 {
		parts := strings.SplitN((*tcpFlags)[0], ",", 2)
		if len(parts) == 0 {
			return nil, errors.New("rulespec not valid: invalid tcp-flags")
		}
		mask, err := strconv.Atoi(parts[0])
		if err != nil {
			return nil, err
		}
		if mask < 0 || mask > math.MaxUint8 {
			return nil, errors.New("TCP mask out of range")
		}
		flags, err := strconv.Atoi(parts[1])
		if err != nil {
			return nil, err
		}
		if flags < 0 || flags > math.MaxUint8 {
			return nil, errors.New("TCP flags out of range")
		}

		result.TCPFlags = uint8(flags)
		result.TCPFlagsMask = uint8(mask)
		result.TCPFlagsSpecified = true
	}

	if len(*tcpOption) == 1 {
		option, err := strconv.Atoi((*tcpOption)[0])
		if err != nil {
			return nil, err
		}
		if option < 0 || option > math.MaxUint8 {
			return nil, errors.New("TCP option out of range")
		}
		result.TCPOption = uint8(option)
		result.TCPOptionSpecified = true
	}

	for i := 0; i < len(*icmpTypeOpt); i++ {
		im, err := ParseIcmpTypeCode((*icmpTypeOpt)[i])
		if err != nil {
			return nil, fmt.Errorf("rulespec not valid: %s", err.Error())
		}
		result.IcmpMatch = append(result.IcmpMatch, im...)
	}

	// src/dest port: either port or port range or list of such
	result.MatchSrcPort, err = ParsePortString(*sPortOpt)
	if err != nil {
		return nil, errors.New("rulespec not valid: invalid match port")
	}
	result.MatchDstPort, err = ParsePortString(*dPortOpt)
	if err != nil {
		return nil, errors.New("rulespec not valid: invalid match port")
	}

	// -m options
	for i, modeOptSetNum := 0, 0; i < len(*modeOpt); i++ {
		switch (*modeOpt)[i] {
		case "set":
			matchSet := &WindowsRuleMatchSet{}
			// see if negate of --match-set occurred
			if i+1 < len(*modeOpt) && (*modeOpt)[i+1] == "!" {
				matchSet.MatchSetNegate = true
				i++
			}
			// now check corresponding match-set by index
			matchSetIndex := 2 * modeOptSetNum
			modeOptSetNum++
			if matchSetIndex+1 >= len(*matchSetOpt) {
				return nil, errors.New("rulespec not valid: --match-set not found for -m set")
			}
			// first part is the ipset name
			matchSet.MatchSetName = (*matchSetOpt)[matchSetIndex]
			// second part is the dst/src match specifier
			ipPortSpecLower := strings.ToLower((*matchSetOpt)[matchSetIndex+1])
			if strings.HasPrefix(ipPortSpecLower, "dstip") {
				matchSet.MatchSetDstIP = true
			} else if strings.HasPrefix(ipPortSpecLower, "srcip") {
				matchSet.MatchSetSrcIP = true
			}
			if strings.HasSuffix(ipPortSpecLower, "dstport") {
				matchSet.MatchSetDstPort = true
				if result.Protocol < 1 {
					return nil, errors.New("rulespec not valid: ipset match on port requires protocol be set")
				}
			} else if strings.HasSuffix(ipPortSpecLower, "srcport") {
				matchSet.MatchSetSrcPort = true
				if result.Protocol < 1 {
					return nil, errors.New("rulespec not valid: ipset match on port requires protocol be set")
				}
			}
			if !matchSet.MatchSetDstIP && !matchSet.MatchSetDstPort && !matchSet.MatchSetSrcIP && !matchSet.MatchSetSrcPort {
				// look for acl-created iptables-conforming match on 'dst' or 'src'.
				// a dst or src by itself we take to mean match both. otherwise, we take it as ip-match,port-match.
				if strings.HasPrefix(ipPortSpecLower, "dst") {
					matchSet.MatchSetDstIP = true
				} else if strings.HasPrefix(ipPortSpecLower, "src") {
					matchSet.MatchSetSrcIP = true
				}
				if strings.HasSuffix(ipPortSpecLower, "dst") && !isProtoAnyRule {
					matchSet.MatchSetDstPort = true
					if result.Protocol < 1 {
						return nil, errors.New("rulespec not valid: ipset match on port requires protocol be set")
					}
				} else if strings.HasSuffix(ipPortSpecLower, "src") && !isProtoAnyRule {
					matchSet.MatchSetSrcPort = true
					if result.Protocol < 1 {
						return nil, errors.New("rulespec not valid: ipset match on port requires protocol be set")
					}
				}
			}
			if !matchSet.MatchSetDstIP && !matchSet.MatchSetDstPort && !matchSet.MatchSetSrcIP && !matchSet.MatchSetSrcPort {
				return nil, errors.New("rulespec not valid: ipset match needs ip/port specifier")
			}
			result.MatchSet = append(result.MatchSet, matchSet)

		case "string":
			nomatch := false
			matchString := ""
			switch len(*matchStringOpt) {
			case 1:
				matchString = (*matchStringOpt)[0]
			case 2:
				if (*matchStringOpt)[0] != "!" {
					return nil, errors.New("rulespec not valid: match string ! option invalid")
				}
				nomatch = true
				matchString = (*matchStringOpt)[1]
			}
			if len(matchString) == 0 {
				return nil, errors.New("rulespec not valid: no match string given")
			}
			result.MatchBytesNoMatch = nomatch
			result.MatchBytes = []byte(matchString)
			result.MatchBytesOffset = *matchStringOffsetOpt

		case "owner":
			if *matchOwnerPidOpt <= 0 {
				return nil, errors.New("rulespec not valid: valid pid-owner needed")
			}
			result.ProcessID = *matchOwnerPidOpt
			if *matchOwnerPidChildrenOnlyOpt {
				result.ProcessIncludeChildrenOnly = true
			}
			if *matchOwnerPidChildrenOpt {
				if *matchOwnerPidChildrenOnlyOpt {
					return nil, errors.New("rulespec not valid: cannot have both --pid-childrenonly and --pid-children")
				}
				result.ProcessIncludeChildren = true
			}

		case "state":
			if result.Protocol == packet.IPProtocolTCP && *stateOpt == "NEW" {
				result.TCPFlags = 2
				result.TCPFlagsMask = 18
				result.TCPFlagsSpecified = true
			}

		case "connmark":
			nomatch := false
			flowMarkString := ""
			switch len(*markOpt) {
			case 1:
				flowMarkString = (*markOpt)[0]
			case 2:
				if (*markOpt)[0] != "!" {
					return nil, errors.New("rulespec not valid: flowmark ! option invalid")
				}
				nomatch = true
				flowMarkString = (*markOpt)[1]
			}
			value, err := strconv.Atoi(flowMarkString)
			if err != nil {
				return nil, errors.New("rulespec not valid: flowmmark should be int")
			}
			result.FlowMarkNoMatch = nomatch
			result.FlowMark = value

		default:
			return nil, errors.New("rulespec not valid: unknown -m option")
		}
	}

	// action: either NFQUEUE, REDIRECT, MARK, ACCEPT, DROP, NFLOG
	for i := 0; i < len(*actionOpt); i++ {
		// CRITICAL: If you add a case here, you need to update fixRuleSpec in iptablesprovider_windows.go
		switch (*actionOpt)[i] {
		case "NFQUEUE":
			result.Action = frontman.FilterActionNfq
		case "NFQUEUE_FORCE":
			result.Action = frontman.FilterActionForceNfq
		case "REDIRECT":
			result.Action = frontman.FilterActionProxy
		case "ACCEPT":
			result.Action = frontman.FilterActionAllow
		case "ACCEPT_ONCE":
			result.Action = frontman.FilterActionAllowOnce
		case "DROP":
			result.Action = frontman.FilterActionBlock
		case "CONNMARK":
			result.Action = frontman.FilterActionSetMark
			result.Mark = *setMarkOpt
		case "MARK":
			i++
			if i >= len(*actionOpt) {
				return nil, errors.New("rulespec not valid: no mark given")
			}
			result.Mark, err = strconv.Atoi((*actionOpt)[i])
			if err != nil {
				return nil, errors.New("rulespec not valid: mark should be int32")
			}
		case "NFLOG":
			// if no other action specified, it will default to 'continue' action (zero)
			result.Log = true
			result.LogPrefix = *logPrefixOpt
			result.GroupID = *groupIDOpt
		default:
			if i >= len(*actionOpt) {
				return nil, errors.New("rulespec not valid: no goto filter given")
			}
			result.Action = frontman.FilterActionGotoFilter
			result.GotoFilterName = (*actionOpt)[i]
		}
	}

	if result.Mark == 0 && (result.Action == frontman.FilterActionNfq || result.Action == frontman.FilterActionForceNfq) {
		return nil, errors.New("rulespec not valid: nfq action needs to set mark")
	}

	if result.Mark == 0 && (result.Action == frontman.FilterActionSetMark) {
		return nil, errors.New("rulespec not valid: setmark action needs to set mark")
	}

	// redirect port
	result.ProxyPort = *redirectPortOpt
	if result.Action == frontman.FilterActionProxy && result.ProxyPort == 0 {
		return nil, errors.New("rulespec not valid: no redirect port given")
	}

	return result, nil
}

// Equal compares a WindowsRuleMatchSet to another for equality
func (w *WindowsRuleMatchSet) Equal(other *WindowsRuleMatchSet) bool {
	if other == nil {
		return false
	}
	return w.MatchSetName == other.MatchSetName &&
		w.MatchSetNegate == other.MatchSetNegate &&
		w.MatchSetDstIP == other.MatchSetDstIP &&
		w.MatchSetDstPort == other.MatchSetDstPort &&
		w.MatchSetSrcIP == other.MatchSetSrcIP &&
		w.MatchSetSrcPort == other.MatchSetSrcPort
}

// Equal compares a WindowsRuleRange to another for equality
func (w *WindowsRuleRange) Equal(other *WindowsRuleRange) bool {
	if other == nil {
		return false
	}
	return w.Start == other.Start && w.End == other.End
}

// Equal compares a WindowsRuleIcmpMatch to another for equality
func (w *WindowsRuleIcmpMatch) Equal(other *WindowsRuleIcmpMatch) bool {
	if other == nil {
		return false
	}
	if w.Nomatch != other.Nomatch {
		return false
	}
	if w.IcmpType != other.IcmpType {
		return false
	}
	if w.IcmpCodeRange != nil {
		if !w.IcmpCodeRange.Equal(other.IcmpCodeRange) {
			return false
		}
	} else if other.IcmpCodeRange != nil {
		return false
	}
	return true
}

// Equal compares a WindowsRuleSpec to another for equality
func (w *WindowsRuleSpec) Equal(other *WindowsRuleSpec) bool {
	if other == nil {
		return false
	}
	equalSoFar := w.Protocol == other.Protocol &&
		w.Action == other.Action &&
		w.ProxyPort == other.ProxyPort &&
		w.Mark == other.Mark &&
		w.Log == other.Log &&
		w.LogPrefix == other.LogPrefix &&
		w.GroupID == other.GroupID &&
		w.ProcessID == other.ProcessID &&
		w.ProcessIncludeChildren == other.ProcessIncludeChildren &&
		w.ProcessIncludeChildrenOnly == other.ProcessIncludeChildrenOnly &&
		w.MatchBytesNoMatch == other.MatchBytesNoMatch &&
		w.MatchBytesOffset == other.MatchBytesOffset &&
		bytes.Equal(w.MatchBytes, other.MatchBytes) &&
		len(w.IcmpMatch) == len(other.IcmpMatch) &&
		len(w.MatchSrcPort) == len(other.MatchSrcPort) &&
		len(w.MatchDstPort) == len(other.MatchDstPort) &&
		len(w.MatchSet) == len(other.MatchSet) &&
		w.TCPFlags == other.TCPFlags &&
		w.TCPFlagsMask == other.TCPFlagsMask &&
		w.TCPFlagsSpecified == other.TCPFlagsSpecified &&
		w.TCPOption == other.TCPOption &&
		w.TCPOptionSpecified == other.TCPOptionSpecified &&
		w.FlowMark == other.FlowMark &&
		w.FlowMarkNoMatch == other.FlowMarkNoMatch
	if !equalSoFar {
		return false
	}
	// we checked lengths above, but now continue to compare slices for equality.
	// note: we assume equal slices have elements in the same order.
	for i := 0; i < len(w.MatchSrcPort); i++ {
		if w.MatchSrcPort[i] == nil {
			if other.MatchSrcPort[i] != nil {
				return false
			}
			continue
		}
		if !w.MatchSrcPort[i].Equal(other.MatchSrcPort[i]) {
			return false
		}
	}
	for i := 0; i < len(w.MatchDstPort); i++ {
		if w.MatchDstPort[i] == nil {
			if other.MatchDstPort[i] != nil {
				return false
			}
			continue
		}
		if !w.MatchDstPort[i].Equal(other.MatchDstPort[i]) {
			return false
		}
	}
	for i := 0; i < len(w.MatchSet); i++ {
		if w.MatchSet[i] == nil {
			if other.MatchSet[i] != nil {
				return false
			}
			continue
		}
		if !w.MatchSet[i].Equal(other.MatchSet[i]) {
			return false
		}
	}
	for i := 0; i < len(w.IcmpMatch); i++ {
		if w.IcmpMatch[i] == nil {
			if other.IcmpMatch[i] != nil {
				return false
			}
			continue
		}
		if !w.IcmpMatch[i].Equal(other.IcmpMatch[i]) {
			return false
		}
	}
	return true
}


================================================
FILE: controller/internal/windows/rulespec_windows_test.go
================================================
// +build windows

package windows

import (
	"strings"
	"testing"

	"github.com/kballard/go-shellquote"
	. "github.com/smartystreets/goconvey/convey"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packet"
	"go.aporeto.io/enforcerd/trireme-lib/utils/frontman"
)

func TestParseRuleSpecMatchSet(t *testing.T) {

	Convey("When I parse a rule with an ipset match", t, func() {
		rsOrig := "-m set --match-set TRI-ipset-1 srcIP -j ACCEPT"
		ruleSpec, err := ParseRuleSpec(strings.Split(rsOrig, " ")...)
		So(err, ShouldBeNil)
		Convey("I should accept for the given ipset", func() {
			So(ruleSpec.Action, ShouldEqual, frontman.FilterActionAllow)
			So(ruleSpec.MatchSet, ShouldNotBeNil)
			So(ruleSpec.MatchSet, ShouldHaveLength, 1)
			So(ruleSpec.MatchSet[0].MatchSetName, ShouldEqual, "TRI-ipset-1")
			So(ruleSpec.MatchSet[0].MatchSetNegate, ShouldBeFalse)
			So(ruleSpec.MatchSet[0].MatchSetDstIP, ShouldBeFalse)
			So(ruleSpec.MatchSet[0].MatchSetDstPort, ShouldBeFalse)
			So(ruleSpec.MatchSet[0].MatchSetSrcIP, ShouldBeTrue)
			So(ruleSpec.MatchSet[0].MatchSetSrcPort, ShouldBeFalse)
		})
		Convey("I should be able to convert back to a string", func() {
			_, err := MakeRuleSpecText(ruleSpec, true)
			So(err, ShouldBeNil)
		})
	})

	Convey("When I parse a rule with more than one ipset match", t, func() {
		rsOrig := "-m set --match-set TRI-ipset-1 srcIP -j ACCEPT -m set --match-set TRI-ipset-2 dstIP"
		ruleSpec, err := ParseRuleSpec(strings.Split(rsOrig, " ")...)
		So(err, ShouldBeNil)
		Convey("I should accept for the given ipsets", func() {
			So(ruleSpec.Action, ShouldEqual, frontman.FilterActionAllow)
			So(ruleSpec.MatchSet, ShouldNotBeNil)
			So(ruleSpec.MatchSet, ShouldHaveLength, 2)
			So(ruleSpec.MatchSet[0].MatchSetName, ShouldEqual, "TRI-ipset-1")
			So(ruleSpec.MatchSet[0].MatchSetNegate, ShouldBeFalse)
			So(ruleSpec.MatchSet[0].MatchSetDstIP, ShouldBeFalse)
			So(ruleSpec.MatchSet[0].MatchSetDstPort, ShouldBeFalse)
			So(ruleSpec.MatchSet[0].MatchSetSrcIP, ShouldBeTrue)
			So(ruleSpec.MatchSet[0].MatchSetSrcPort, ShouldBeFalse)
			So(ruleSpec.MatchSet[1].MatchSetName, ShouldEqual, "TRI-ipset-2")
			So(ruleSpec.MatchSet[1].MatchSetNegate, ShouldBeFalse)
			So(ruleSpec.MatchSet[1].MatchSetDstIP, ShouldBeTrue)
			So(ruleSpec.MatchSet[1].MatchSetDstPort, ShouldBeFalse)
			So(ruleSpec.MatchSet[1].MatchSetSrcIP, ShouldBeFalse)
			So(ruleSpec.MatchSet[1].MatchSetSrcPort, ShouldBeFalse)
		})
		Convey("I should be able to convert back to a string", func() {
			_, err := MakeRuleSpecText(ruleSpec, true)
			So(err, ShouldBeNil)
		})
	})

	Convey("When I parse a rule with an ipset match without ip or port specifier", t, func() {
		rsOrig := "-m set --match-set TRI-ipset-1 -j ACCEPT"
		_, err := ParseRuleSpec(strings.Split(rsOrig, " ")...)
		Convey("I should get an error", func() {
			So(err, ShouldNotBeNil)
			So(err.Error(), ShouldContainSubstring, "Missing argument for option 'match-set'")
		})
	})

	Convey("When I parse a rule with an ipset match with invalid ip or port specifier", t, func() {
		rsOrig := "-m set --match-set TRI-ipset-1 both -j ACCEPT"
		_, err := ParseRuleSpec(strings.Split(rsOrig, " ")...)
		Convey("I should get an error", func() {
			So(err, ShouldNotBeNil)
			So(err.Error(), ShouldContainSubstring, "ipset match needs ip/port specifier")
		})
	})

	Convey("When I parse a rule with an ipset match on port without protocol", t, func() {
		rsOrig := "-m set --match-set TRI-ipset-1 srcPort -j ACCEPT"
		_, err := ParseRuleSpec(strings.Split(rsOrig, " ")...)
		Convey("I should get an error", func() {
			So(err, ShouldNotBeNil)
			So(err.Error(), ShouldContainSubstring, "ipset match on port requires protocol be set")
		})
	})

	Convey("When I parse a rule with an ipset match on src port", t, func() {
		rsOrig := "-p tcp -m set --match-set TRI-ipset-1 srcPort -j ACCEPT"
		ruleSpec, err := ParseRuleSpec(strings.Split(rsOrig, " ")...)
		So(err, ShouldBeNil)
		Convey("I should accept for the given ipset's port", func() {
			So(ruleSpec.Action, ShouldEqual, frontman.FilterActionAllow)
			So(ruleSpec.MatchSet, ShouldNotBeNil)
			So(ruleSpec.MatchSet, ShouldHaveLength, 1)
			So(ruleSpec.MatchSet[0].MatchSetName, ShouldEqual, "TRI-ipset-1")
			So(ruleSpec.MatchSet[0].MatchSetNegate, ShouldBeFalse)
			So(ruleSpec.MatchSet[0].MatchSetDstIP, ShouldBeFalse)
			So(ruleSpec.MatchSet[0].MatchSetDstPort, ShouldBeFalse)
			So(ruleSpec.MatchSet[0].MatchSetSrcIP, ShouldBeFalse)
			So(ruleSpec.MatchSet[0].MatchSetSrcPort, ShouldBeTrue)
		})
		Convey("I should be able to convert back to a string", func() {
			_, err := MakeRuleSpecText(ruleSpec, true)
			So(err, ShouldBeNil)
		})
	})

	Convey("When I parse a rule with an ipset match on dst port", t, func() {
		rsOrig := "-p tcp -m set --match-set TRI-ipset-1 dstPort -j ACCEPT"
		ruleSpec, err := ParseRuleSpec(strings.Split(rsOrig, " ")...)
		So(err, ShouldBeNil)
		Convey("I should accept for the given ipset's port", func() {
			So(ruleSpec.Action, ShouldEqual, frontman.FilterActionAllow)
			So(ruleSpec.MatchSet, ShouldNotBeNil)
			So(ruleSpec.MatchSet, ShouldHaveLength, 1)
			So(ruleSpec.MatchSet[0].MatchSetName, ShouldEqual, "TRI-ipset-1")
			So(ruleSpec.MatchSet[0].MatchSetNegate, ShouldBeFalse)
			So(ruleSpec.MatchSet[0].MatchSetDstIP, ShouldBeFalse)
			So(ruleSpec.MatchSet[0].MatchSetDstPort, ShouldBeTrue)
			So(ruleSpec.MatchSet[0].MatchSetSrcIP, ShouldBeFalse)
			So(ruleSpec.MatchSet[0].MatchSetSrcPort, ShouldBeFalse)
		})
		Convey("I should be able to convert back to a string", func() {
			_, err := MakeRuleSpecText(ruleSpec, true)
			So(err, ShouldBeNil)
		})
	})

	Convey("When I parse a rule with an ipset match on ip and port", t, func() {
		rsOrig := "-p tcp -m set --match-set TRI-ipset-1 dstIP,dstPort -j ACCEPT"
		ruleSpec, err := ParseRuleSpec(strings.Split(rsOrig, " ")...)
		So(err, ShouldBeNil)
		Convey("I should accept for the given ipset's ip and port", func() {
			So(ruleSpec.Action, ShouldEqual, frontman.FilterActionAllow)
			So(ruleSpec.MatchSet, ShouldNotBeNil)
			So(ruleSpec.MatchSet, ShouldHaveLength, 1)
			So(ruleSpec.MatchSet[0].MatchSetName, ShouldEqual, "TRI-ipset-1")
			So(ruleSpec.MatchSet[0].MatchSetNegate, ShouldBeFalse)
			So(ruleSpec.MatchSet[0].MatchSetDstIP, ShouldBeTrue)
			So(ruleSpec.MatchSet[0].MatchSetDstPort, ShouldBeTrue)
			So(ruleSpec.MatchSet[0].MatchSetSrcIP, ShouldBeFalse)
			So(ruleSpec.MatchSet[0].MatchSetSrcPort, ShouldBeFalse)
		})
		Convey("I should be able to convert back to a string", func() {
			_, err := MakeRuleSpecText(ruleSpec, true)
			So(err, ShouldBeNil)
		})
	})

	Convey("When I parse a rule with an ipset match on ip and port mixed", t, func() {
		rsOrig := "-p tcp -m set --match-set TRI-ipset-1 srcIP,dstPort -j ACCEPT"
		ruleSpec, err := ParseRuleSpec(strings.Split(rsOrig, " ")...)
		So(err, ShouldBeNil)
		Convey("I should accept for the given ipset's ip and port", func() {
			So(ruleSpec.Action, ShouldEqual, frontman.FilterActionAllow)
			So(ruleSpec.MatchSet, ShouldNotBeNil)
			So(ruleSpec.MatchSet, ShouldHaveLength, 1)
			So(ruleSpec.MatchSet[0].MatchSetName, ShouldEqual, "TRI-ipset-1")
			So(ruleSpec.MatchSet[0].MatchSetNegate, ShouldBeFalse)
			So(ruleSpec.MatchSet[0].MatchSetDstIP, ShouldBeFalse)
			So(ruleSpec.MatchSet[0].MatchSetDstPort, ShouldBeTrue)
			So(ruleSpec.MatchSet[0].MatchSetSrcIP, ShouldBeTrue)
			So(ruleSpec.MatchSet[0].MatchSetSrcPort, ShouldBeFalse)
		})
		Convey("I should be able to convert back to a string", func() {
			_, err := MakeRuleSpecText(ruleSpec, true)
			So(err, ShouldBeNil)
		})
	})

	Convey("When I parse a rule with an ipset match on ip and port with one specifier (src)", t, func() {
		rsOrig := "-p tcp -m set --match-set TRI-ipset-1 src -j ACCEPT"
		ruleSpec, err := ParseRuleSpec(strings.Split(rsOrig, " ")...)
		So(err, ShouldBeNil)
		Convey("I should accept for the given ipset's ip and port", func() {
			So(ruleSpec.Action, ShouldEqual, frontman.FilterActionAllow)
			So(ruleSpec.MatchSet, ShouldNotBeNil)
			So(ruleSpec.MatchSet, ShouldHaveLength, 1)
			So(ruleSpec.MatchSet[0].MatchSetName, ShouldEqual, "TRI-ipset-1")
			So(ruleSpec.MatchSet[0].MatchSetNegate, ShouldBeFalse)
			So(ruleSpec.MatchSet[0].MatchSetDstIP, ShouldBeFalse)
			So(ruleSpec.MatchSet[0].MatchSetDstPort, ShouldBeFalse)
			So(ruleSpec.MatchSet[0].MatchSetSrcIP, ShouldBeTrue)
			So(ruleSpec.MatchSet[0].MatchSetSrcPort, ShouldBeTrue)
		})
		Convey("I should be able to convert back to a string", func() {
			_, err := MakeRuleSpecText(ruleSpec, true)
			So(err, ShouldBeNil)
		})
	})

	Convey("When I parse a rule with an ipset match on ip and port with one specifier (dst)", t, func() {
		rsOrig := "-p tcp -m set --match-set TRI-ipset-1 dst -j ACCEPT"
		ruleSpec, err := ParseRuleSpec(strings.Split(rsOrig, " ")...)
		So(err, ShouldBeNil)
		Convey("I should accept for the given ipset's ip and port", func() {
			So(ruleSpec.Action, ShouldEqual, frontman.FilterActionAllow)
			So(ruleSpec.MatchSet, ShouldNotBeNil)
			So(ruleSpec.MatchSet, ShouldHaveLength, 1)
			So(ruleSpec.MatchSet[0].MatchSetName, ShouldEqual, "TRI-ipset-1")
			So(ruleSpec.MatchSet[0].MatchSetNegate, ShouldBeFalse)
			So(ruleSpec.MatchSet[0].MatchSetDstIP, ShouldBeTrue)
			So(ruleSpec.MatchSet[0].MatchSetDstPort, ShouldBeTrue)
			So(ruleSpec.MatchSet[0].MatchSetSrcIP, ShouldBeFalse)
			So(ruleSpec.MatchSet[0].MatchSetSrcPort, ShouldBeFalse)
		})
		Convey("I should be able to convert back to a string", func() {
			_, err := MakeRuleSpecText(ruleSpec, true)
			So(err, ShouldBeNil)
		})
	})

	Convey("When I parse a rule with an ipset match on ip and port with specifier order important", t, func() {
		rsOrig := "-p tcp -m set --match-set TRI-ipset-1 src,dst -j ACCEPT"
		ruleSpec, err := ParseRuleSpec(strings.Split(rsOrig, " ")...)
		So(err, ShouldBeNil)
		Convey("I should accept for the given ipset's ip and port", func() {
			So(ruleSpec.Action, ShouldEqual, frontman.FilterActionAllow)
			So(ruleSpec.MatchSet, ShouldNotBeNil)
			So(ruleSpec.MatchSet, ShouldHaveLength, 1)
			So(ruleSpec.MatchSet[0].MatchSetName, ShouldEqual, "TRI-ipset-1")
			So(ruleSpec.MatchSet[0].MatchSetNegate, ShouldBeFalse)
			So(ruleSpec.MatchSet[0].MatchSetDstIP, ShouldBeFalse)
			So(ruleSpec.MatchSet[0].MatchSetDstPort, ShouldBeTrue)
			So(ruleSpec.MatchSet[0].MatchSetSrcIP, ShouldBeTrue)
			So(ruleSpec.MatchSet[0].MatchSetSrcPort, ShouldBeFalse)
		})
		Convey("I should be able to convert back to a string", func() {
			_, err := MakeRuleSpecText(ruleSpec, true)
			So(err, ShouldBeNil)
		})
	})

	Convey("When I parse a rule with no ipset match", t, func() {
		rsOrig := "-j ACCEPT"
		ruleSpec, err := ParseRuleSpec(strings.Split(rsOrig, " ")...)
		So(err, ShouldBeNil)
		Convey("I should accept", func() {
			So(ruleSpec.Action, ShouldEqual, frontman.FilterActionAllow)
			So(ruleSpec.MatchSet, ShouldBeNil)
		})
		Convey("I should be able to convert back to a string", func() {
			_, err := MakeRuleSpecText(ruleSpec, true)
			So(err, ShouldBeNil)
		})
	})

	Convey("When I parse a rule with a negative ipset match", t, func() {
		rsOrig := "-p tcp -m set ! --match-set TRI-ipset-1 dstPort -j ACCEPT"
		ruleSpec, err := ParseRuleSpec(strings.Split(rsOrig, " ")...)
		So(err, ShouldBeNil)
		Convey("I should accept except for the given ipset", func() {
			So(ruleSpec.Action, ShouldEqual, frontman.FilterActionAllow)
			So(ruleSpec.MatchSet, ShouldNotBeNil)
			So(ruleSpec.MatchSet, ShouldHaveLength, 1)
			So(ruleSpec.MatchSet[0].MatchSetName, ShouldEqual, "TRI-ipset-1")
			So(ruleSpec.MatchSet[0].MatchSetNegate, ShouldBeTrue)
			So(ruleSpec.MatchSet[0].MatchSetDstIP, ShouldBeFalse)
			So(ruleSpec.MatchSet[0].MatchSetDstPort, ShouldBeTrue)
			So(ruleSpec.MatchSet[0].MatchSetSrcIP, ShouldBeFalse)
			So(ruleSpec.MatchSet[0].MatchSetSrcPort, ShouldBeFalse)
		})
		Convey("I should be able to convert back to a string", func() {
			_, err := MakeRuleSpecText(ruleSpec, true)
			So(err, ShouldBeNil)
		})
	})

}

func TestParseRuleSpecProtocol(t *testing.T) {

	Convey("When I parse a rule with a protocol match on tcp", t, func() {
		rsOrig := "-p tcp -m set --match-set TRI-ipset-1 srcPort -j ACCEPT"
		ruleSpec, err := ParseRuleSpec(strings.Split(rsOrig, " ")...)
		So(err, ShouldBeNil)
		Convey("I should accept for the given ipset/protocol", func() {
			So(ruleSpec.Protocol, ShouldEqual, packet.IPProtocolTCP)
			So(ruleSpec.Action, ShouldEqual, frontman.FilterActionAllow)
			So(ruleSpec.MatchSet, ShouldNotBeNil)
			So(ruleSpec.MatchSet, ShouldHaveLength, 1)
		})
		Convey("I should be able to convert back to a string", func() {
			_, err := MakeRuleSpecText(ruleSpec, true)
			So(err, ShouldBeNil)
		})
	})

	Convey("When I parse a rule with a protocol match on udp", t, func() {
		rsOrig := "-p udp -m set --match-set TRI-ipset-1 srcPort -j ACCEPT"
		ruleSpec, err := ParseRuleSpec(strings.Split(rsOrig, " ")...)
		So(err, ShouldBeNil)
		Convey("I should accept for the given ipset/protocol", func() {
			So(ruleSpec.Protocol, ShouldEqual, packet.IPProtocolUDP)
			So(ruleSpec.Action, ShouldEqual, frontman.FilterActionAllow)
			So(ruleSpec.MatchSet, ShouldNotBeNil)
			So(ruleSpec.MatchSet, ShouldHaveLength, 1)
		})
		Convey("I should be able to convert back to a string", func() {
			_, err := MakeRuleSpecText(ruleSpec, true)
			So(err, ShouldBeNil)
		})
	})

	Convey("When I parse a rule with a protocol match on icmp", t, func() {
		rsOrig := "-p icmp -j DROP"
		ruleSpec, err := ParseRuleSpec(strings.Split(rsOrig, " ")...)
		So(err, ShouldBeNil)
		Convey("I should reject for the given protocol", func() {
			So(ruleSpec.Protocol, ShouldEqual, 1)
			So(ruleSpec.Action, ShouldEqual, frontman.FilterActionBlock)
		})
		Convey("I should be able to convert back to a string", func() {
			_, err := MakeRuleSpecText(ruleSpec, true)
			So(err, ShouldBeNil)
		})
	})

	Convey("When I parse a rule with a protocol match on tcp by number", t, func() {
		rsOrig := "-p 6 -j ACCEPT"
		ruleSpec, err := ParseRuleSpec(strings.Split(rsOrig, " ")...)
		So(err, ShouldBeNil)
		Convey("I should accept for the given protocol", func() {
			So(ruleSpec.Protocol, ShouldEqual, packet.IPProtocolTCP)
			So(ruleSpec.Action, ShouldEqual, frontman.FilterActionAllow)
		})
		Convey("I should be able to convert back to a string", func() {
			_, err := MakeRuleSpecText(ruleSpec, true)
			So(err, ShouldBeNil)
		})
	})

	Convey("When I parse a rule with a protocol match on udp by number", t, func() {
		rsOrig := "-p 17 -j ACCEPT"
		ruleSpec, err := ParseRuleSpec(strings.Split(rsOrig, " ")...)
		So(err, ShouldBeNil)
		Convey("I should accept for the given protocol", func() {
			So(ruleSpec.Protocol, ShouldEqual, packet.IPProtocolUDP)
			So(ruleSpec.Action, ShouldEqual, frontman.FilterActionAllow)
		})
		Convey("I should be able to convert back to a string", func() {
			_, err := MakeRuleSpecText(ruleSpec, true)
			So(err, ShouldBeNil)
		})
	})

	Convey("When I parse a rule with a protocol match on ICMP for IPv6 by number", t, func() {
		rsOrig := "-p 58 -j ACCEPT"
		ruleSpec, err := ParseRuleSpec(strings.Split(rsOrig, " ")...)
		So(err, ShouldBeNil)
		Convey("I should accept for the given protocol", func() {
			So(ruleSpec.Protocol, ShouldEqual, 58)
			So(ruleSpec.Action, ShouldEqual, frontman.FilterActionAllow)
		})
		Convey("I should be able to convert back to a string", func() {
			_, err := MakeRuleSpecText(ruleSpec, true)
			So(err, ShouldBeNil)
		})
	})

	Convey("When I parse a rule with an invalid protocol match", t, func() {
		rsOrig := "-p http -m set --match-set TRI-ipset-1 srcPort -j ACCEPT"
		_, err := ParseRuleSpec(strings.Split(rsOrig, " ")...)
		Convey("I should get an error", func() {
			So(err, ShouldNotBeNil)
			So(err.Error(), ShouldContainSubstring, "invalid protocol")
		})
	})

}

func TestParseRuleSpecAction(t *testing.T) {

	Convey("When I parse a rule with an accept action", t, func() {
		rsOrig := "-p tcp -m set --match-set TRI-ipset-1 dstPort -j ACCEPT"
		ruleSpec, err := ParseRuleSpec(strings.Split(rsOrig, " ")...)
		So(err, ShouldBeNil)
		Convey("I should accept", func() {
			So(ruleSpec.Action, ShouldEqual, frontman.FilterActionAllow)
		})
		Convey("I should be able to convert back to a string", func() {
			_, err := MakeRuleSpecText(ruleSpec, true)
			So(err, ShouldBeNil)
		})
	})

	Convey("When I parse a rule with a drop action", t, func() {
		rsOrig := "-p tcp -m set --match-set TRI-ipset-1 dstPort -j DROP"
		ruleSpec, err := ParseRuleSpec(strings.Split(rsOrig, " ")...)
		So(err, ShouldBeNil)
		Convey("I should block", func() {
			So(ruleSpec.Action, ShouldEqual, frontman.FilterActionBlock)
		})
		Convey("I should be able to convert back to a string", func() {
			_, err := MakeRuleSpecText(ruleSpec, true)
			So(err, ShouldBeNil)
		})
	})

	Convey("When I parse a rule with an nfq action and a given mark", t, func() {
		rsOrig := "-p tcp -m set --match-set TRI-ipset-1 srcIP,srcPort -j NFQUEUE -j MARK 100"
		ruleSpec, err := ParseRuleSpec(strings.Split(rsOrig, " ")...)
		So(err, ShouldBeNil)
		Convey("I should route to nfq and set the mark", func() {
			So(ruleSpec.Action, ShouldEqual, frontman.FilterActionNfq)
			So(ruleSpec.Mark, ShouldEqual, 100)
		})
		Convey("I should be able to convert back to a string", func() {
			_, err := MakeRuleSpecText(ruleSpec, true)
			So(err, ShouldBeNil)
		})
	})

	Convey("When I parse a rule with an nfq action without a mark", t, func() {
		rsOrig := "-p tcp -m set --match-set TRI-ipset-1 srcIP -j NFQUEUE"
		_, err := ParseRuleSpec(strings.Split(rsOrig, " ")...)
		Convey("I should get an error", func() {
			So(err, ShouldNotBeNil)
			So(err.Error(), ShouldContainSubstring, "nfq action needs to set mark")
		})
	})

	Convey("When I parse a rule with a force nfq action", t, func() {
		rsOrig := "-p tcp -m set --match-set TRI-ipset-1 srcIP,srcPort -j NFQUEUE_FORCE -j MARK 100"
		ruleSpec, err := ParseRuleSpec(strings.Split(rsOrig, " ")...)
		So(err, ShouldBeNil)
		Convey("I should route to nfq (without honoring ignore-flow) and set the mark", func() {
			So(ruleSpec.Action, ShouldEqual, frontman.FilterActionForceNfq)
			So(ruleSpec.Mark, ShouldEqual, 100)
		})
		Convey("I should be able to convert back to a string", func() {
			_, err := MakeRuleSpecText(ruleSpec, true)
			So(err, ShouldBeNil)
		})
	})

	Convey("When I parse a rule with a proxy action", t, func() {
		rsOrig := "-p tcp -m set --match-set TRI-ipset-1 dstPort -j REDIRECT --to-ports 20992"
		ruleSpec, err := ParseRuleSpec(strings.Split(rsOrig, " ")...)
		So(err, ShouldBeNil)
		Convey("I should redirect to given port", func() {
			So(ruleSpec.Action, ShouldEqual, frontman.FilterActionProxy)
			So(ruleSpec.ProxyPort, ShouldEqual, 20992)
		})
		Convey("I should be able to convert back to a string", func() {
			_, err := MakeRuleSpecText(ruleSpec, true)
			So(err, ShouldBeNil)
		})
	})

	Convey("When I parse a rule with a proxy action without a redirect port", t, func() {
		rsOrig := "-p tcp -m set --match-set TRI-ipset-1 srcIP -j REDIRECT"
		_, err := ParseRuleSpec(strings.Split(rsOrig, " ")...)
		Convey("I should get an error", func() {
			So(err, ShouldNotBeNil)
			So(err.Error(), ShouldContainSubstring, "no redirect port given")
		})
	})

	Convey("When I parse a rule with a log and drop action", t, func() {
		rsOrig := "-p tcp -j DROP -j NFLOG --nflog-group 10 --nflog-prefix 531138568:5d6044b9e99572000149d650:5d60448a884e46000145cf67:6"
		ruleSpec, err := ParseRuleSpec(strings.Split(rsOrig, " ")...)
		So(err, ShouldBeNil)
		Convey("I should drop and log", func() {
			So(ruleSpec.Action, ShouldEqual, frontman.FilterActionBlock)
			So(ruleSpec.Log, ShouldBeTrue)
		})
		Convey("I should be able to convert back to a string", func() {
			_, err := MakeRuleSpecText(ruleSpec, true)
			So(err, ShouldBeNil)
		})
	})

	Convey("When I parse a rule with a log and accept action", t, func() {
		rsOrig := "-p tcp -j ACCEPT -j NFLOG --nflog-group 10 --nflog-prefix 531138568:5d6044b9e99572000149d650:5d60448a884e46000145cf67:6"
		ruleSpec, err := ParseRuleSpec(strings.Split(rsOrig, " ")...)
		So(err, ShouldBeNil)
		Convey("I should accept and log", func() {
			So(ruleSpec.Action, ShouldEqual, frontman.FilterActionAllow)
			So(ruleSpec.Log, ShouldBeTrue)
		})
		Convey("I should be able to convert back to a string", func() {
			_, err := MakeRuleSpecText(ruleSpec, true)
			So(err, ShouldBeNil)
		})
	})

}

func TestParseRuleSpecSPortDPort(t *testing.T) {

	Convey("When I parse a rule with a match on source port", t, func() {
		rsOrig := "-p tcp --sport 12345 -j ACCEPT"
		ruleSpec, err := ParseRuleSpec(strings.Split(rsOrig, " ")...)
		So(err, ShouldBeNil)
		Convey("I should accept for the given source port", func() {
			So(ruleSpec.MatchDstPort, ShouldHaveLength, 0)
			So(ruleSpec.MatchSrcPort, ShouldHaveLength, 1)
			So(ruleSpec.MatchSrcPort[0].Start, ShouldEqual, 12345)
			So(ruleSpec.MatchSrcPort[0].End, ShouldEqual, 12345)
			So(ruleSpec.Action, ShouldEqual, frontman.FilterActionAllow)
		})
		Convey("I should be able to convert back to a string", func() {
			_, err := MakeRuleSpecText(ruleSpec, true)
			So(err, ShouldBeNil)
		})
	})

	Convey("When I parse a rule with a match on source port range", t, func() {
		rsOrig := "-p tcp --sport 80,1024:65535 -j ACCEPT"
		ruleSpec, err := ParseRuleSpec(strings.Split(rsOrig, " ")...)
		So(err, ShouldBeNil)
		Convey("I should accept for the given source port range", func() {
			So(ruleSpec.MatchSrcPort, ShouldHaveLength, 2)
			So(ruleSpec.MatchSrcPort[0].Start, ShouldEqual, 80)
			So(ruleSpec.MatchSrcPort[0].End, ShouldEqual, 80)
			So(ruleSpec.MatchSrcPort[1].Start, ShouldEqual, 1024)
			So(ruleSpec.MatchSrcPort[1].End, ShouldEqual, 65535)
			So(ruleSpec.MatchDstPort, ShouldHaveLength, 0)
			So(ruleSpec.Action, ShouldEqual, frontman.FilterActionAllow)
		})
		Convey("I should be able to convert back to a string", func() {
			_, err := MakeRuleSpecText(ruleSpec, true)
			So(err, ShouldBeNil)
		})
	})

	Convey("When I parse a rule with a match on dest port", t, func() {
		rsOrig := "-p tcp --dport 80 -j ACCEPT"
		ruleSpec, err := ParseRuleSpec(strings.Split(rsOrig, " ")...)
		So(err, ShouldBeNil)
		Convey("I should accept for the given dest port", func() {
			So(ruleSpec.MatchSrcPort, ShouldHaveLength, 0)
			So(ruleSpec.MatchDstPort, ShouldHaveLength, 1)
			So(ruleSpec.MatchDstPort[0].Start, ShouldEqual, 80)
			So(ruleSpec.MatchDstPort[0].End, ShouldEqual, 80)
			So(ruleSpec.Action, ShouldEqual, frontman.FilterActionAllow)
		})
		Convey("I should be able to convert back to a string", func() {
			_, err := MakeRuleSpecText(ruleSpec, true)
			So(err, ShouldBeNil)
		})
	})

	Convey("When I parse a rule with a match on dest port range", t, func() {
		rsOrig := "-p tcp --dport 1234,8080:8443,65000:65005,65530 -j ACCEPT"
		ruleSpec, err := ParseRuleSpec(strings.Split(rsOrig, " ")...)
		So(err, ShouldBeNil)
		Convey("I should accept for the given dest port range", func() {
			So(ruleSpec.MatchDstPort, ShouldHaveLength, 4)
			So(ruleSpec.MatchDstPort[0].Start, ShouldEqual, 1234)
			So(ruleSpec.MatchDstPort[0].End, ShouldEqual, 1234)
			So(ruleSpec.MatchDstPort[1].Start, ShouldEqual, 8080)
			So(ruleSpec.MatchDstPort[1].End, ShouldEqual, 8443)
			So(ruleSpec.MatchDstPort[2].Start, ShouldEqual, 65000)
			So(ruleSpec.MatchDstPort[2].End, ShouldEqual, 65005)
			So(ruleSpec.MatchDstPort[3].Start, ShouldEqual, 65530)
			So(ruleSpec.MatchDstPort[3].End, ShouldEqual, 65530)
			So(ruleSpec.MatchSrcPort, ShouldHaveLength, 0)
			So(ruleSpec.Action, ShouldEqual, frontman.FilterActionAllow)
		})
		Convey("I should be able to convert back to a string", func() {
			_, err := MakeRuleSpecText(ruleSpec, true)
			So(err, ShouldBeNil)
		})
	})

}

func TestParseRuleSpecMatchString(t *testing.T) {

	Convey("When I parse a rule with a string match", t, func() {
		rsOrig := "-p udp -m set --match-set TRI-ipset-udp-1 srcIP -m string --string n30njxq7bmiwr6dtxq --offset 2 -j NFQUEUE -j MARK 1234 -m set --match-set TRI-ipset-udp-2 srcIP"
		ruleSpec, err := ParseRuleSpec(strings.Split(rsOrig, " ")...)
		So(err, ShouldBeNil)
		Convey("I should forward to nfq if I see the given string at the given offset", func() {
			So(ruleSpec.Action, ShouldEqual, frontman.FilterActionNfq)
			So(ruleSpec.Mark, ShouldEqual, 1234)
			So(ruleSpec.Protocol, ShouldEqual, packet.IPProtocolUDP)
			So(ruleSpec.MatchBytesOffset, ShouldEqual, 2)
			So(ruleSpec.MatchBytes, ShouldResemble, []byte("n30njxq7bmiwr6dtxq"))
			So(ruleSpec.MatchSet, ShouldNotBeNil)
			So(ruleSpec.MatchSet, ShouldHaveLength, 2)
			So(ruleSpec.MatchSet[0].MatchSetName, ShouldEqual, "TRI-ipset-udp-1")
			So(ruleSpec.MatchSet[0].MatchSetNegate, ShouldBeFalse)
			So(ruleSpec.MatchSet[0].MatchSetDstIP, ShouldBeFalse)
			So(ruleSpec.MatchSet[0].MatchSetDstPort, ShouldBeFalse)
			So(ruleSpec.MatchSet[0].MatchSetSrcIP, ShouldBeTrue)
			So(ruleSpec.MatchSet[0].MatchSetSrcPort, ShouldBeFalse)
			So(ruleSpec.MatchSet[1].MatchSetName, ShouldEqual, "TRI-ipset-udp-2")
			So(ruleSpec.MatchSet[1].MatchSetNegate, ShouldBeFalse)
			So(ruleSpec.MatchSet[1].MatchSetDstIP, ShouldBeFalse)
			So(ruleSpec.MatchSet[1].MatchSetDstPort, ShouldBeFalse)
			So(ruleSpec.MatchSet[1].MatchSetSrcIP, ShouldBeTrue)
			So(ruleSpec.MatchSet[1].MatchSetSrcPort, ShouldBeFalse)
		})
		Convey("I should be able to convert back to a string", func() {
			_, err := MakeRuleSpecText(ruleSpec, true)
			So(err, ShouldBeNil)
		})
	})

}

func TestParseRuleSpecNoMatchString(t *testing.T) {

	Convey("When I parse a rule with a string ! match", t, func() {
		rsOrig := "-p udp -m set --match-set TRI-ipset-udp-1 srcIP -m string --string ! n30njxq7bmiwr6dtxq --offset 2 -j NFQUEUE -j MARK 1234 -m set --match-set TRI-ipset-udp-2 srcIP"
		ruleSpec, err := ParseRuleSpec(strings.Split(rsOrig, " ")...)
		So(err, ShouldBeNil)
		Convey("I should forward to nfq if I see the given string at the given offset", func() {
			So(ruleSpec.Action, ShouldEqual, frontman.FilterActionNfq)
			So(ruleSpec.Mark, ShouldEqual, 1234)
			So(ruleSpec.Protocol, ShouldEqual, packet.IPProtocolUDP)
			So(ruleSpec.MatchBytesNoMatch, ShouldEqual, true)
			So(ruleSpec.MatchBytesOffset, ShouldEqual, 2)
			So(ruleSpec.MatchBytes, ShouldResemble, []byte("n30njxq7bmiwr6dtxq"))
			So(ruleSpec.MatchSet, ShouldNotBeNil)
			So(ruleSpec.MatchSet, ShouldHaveLength, 2)
			So(ruleSpec.MatchSet[0].MatchSetName, ShouldEqual, "TRI-ipset-udp-1")
			So(ruleSpec.MatchSet[0].MatchSetNegate, ShouldBeFalse)
			So(ruleSpec.MatchSet[0].MatchSetDstIP, ShouldBeFalse)
			So(ruleSpec.MatchSet[0].MatchSetDstPort, ShouldBeFalse)
			So(ruleSpec.MatchSet[0].MatchSetSrcIP, ShouldBeTrue)
			So(ruleSpec.MatchSet[0].MatchSetSrcPort, ShouldBeFalse)
			So(ruleSpec.MatchSet[1].MatchSetName, ShouldEqual, "TRI-ipset-udp-2")
			So(ruleSpec.MatchSet[1].MatchSetNegate, ShouldBeFalse)
			So(ruleSpec.MatchSet[1].MatchSetDstIP, ShouldBeFalse)
			So(ruleSpec.MatchSet[1].MatchSetDstPort, ShouldBeFalse)
			So(ruleSpec.MatchSet[1].MatchSetSrcIP, ShouldBeTrue)
			So(ruleSpec.MatchSet[1].MatchSetSrcPort, ShouldBeFalse)
		})
		Convey("I should be able to convert back to a string", func() {
			_, err := MakeRuleSpecText(ruleSpec, true)
			So(err, ShouldBeNil)
		})
	})

}

func TestParseRuleSpecMatchPid(t *testing.T) {

	Convey("When I parse a rule with a process ID match", t, func() {
		ruleSpec, err := ParseRuleSpec(strings.Split("-p tcp -m set --match-set TRI-ipset-tcp-1 dstIP -j NFQUEUE -j MARK 103 -m owner --pid-owner 2438", " ")...)
		So(err, ShouldBeNil)
		Convey("I should forward to nfq for all packets from or to the given process", func() {
			So(ruleSpec.Action, ShouldEqual, frontman.FilterActionNfq)
			So(ruleSpec.Mark, ShouldEqual, 103)
			So(ruleSpec.Protocol, ShouldEqual, packet.IPProtocolTCP)
			So(ruleSpec.ProcessID, ShouldEqual, 2438)
			So(ruleSpec.ProcessIncludeChildren, ShouldBeFalse)
			So(ruleSpec.ProcessIncludeChildrenOnly, ShouldBeFalse)
			So(ruleSpec.MatchSet, ShouldNotBeNil)
			So(ruleSpec.MatchSet, ShouldHaveLength, 1)
			So(ruleSpec.MatchSet[0].MatchSetName, ShouldEqual, "TRI-ipset-tcp-1")
			So(ruleSpec.MatchSet[0].MatchSetNegate, ShouldBeFalse)
			So(ruleSpec.MatchSet[0].MatchSetDstIP, ShouldBeTrue)
			So(ruleSpec.MatchSet[0].MatchSetDstPort, ShouldBeFalse)
			So(ruleSpec.MatchSet[0].MatchSetSrcIP, ShouldBeFalse)
			So(ruleSpec.MatchSet[0].MatchSetSrcPort, ShouldBeFalse)
		})

		Convey("I should be able to convert back to a string", func() {
			_, err := MakeRuleSpecText(ruleSpec, true)
			So(err, ShouldBeNil)
		})
	})

	Convey("When I parse a rule with a process ID match with include children", t, func() {
		ruleSpec, err := ParseRuleSpec(strings.Split("-p tcp -m set --match-set TRI-ipset-tcp-1 dstIP -j NFQUEUE -j MARK 104 -m owner --pid-owner 2439 --pid-children", " ")...)
		So(err, ShouldBeNil)
		Convey("I should forward to nfq for all packets from or to the given process and its children", func() {
			So(ruleSpec.Action, ShouldEqual, frontman.FilterActionNfq)
			So(ruleSpec.Mark, ShouldEqual, 104)
			So(ruleSpec.Protocol, ShouldEqual, packet.IPProtocolTCP)
			So(ruleSpec.ProcessID, ShouldEqual, 2439)
			So(ruleSpec.ProcessIncludeChildren, ShouldBeTrue)
			So(ruleSpec.ProcessIncludeChildrenOnly, ShouldBeFalse)
			So(ruleSpec.MatchSet, ShouldNotBeNil)
			So(ruleSpec.MatchSet, ShouldHaveLength, 1)
			So(ruleSpec.MatchSet[0].MatchSetName, ShouldEqual, "TRI-ipset-tcp-1")
			So(ruleSpec.MatchSet[0].MatchSetNegate, ShouldBeFalse)
			So(ruleSpec.MatchSet[0].MatchSetDstIP, ShouldBeTrue)
			So(ruleSpec.MatchSet[0].MatchSetDstPort, ShouldBeFalse)
			So(ruleSpec.MatchSet[0].MatchSetSrcIP, ShouldBeFalse)
			So(ruleSpec.MatchSet[0].MatchSetSrcPort, ShouldBeFalse)
		})

		Convey("I should be able to convert back to a string", func() {
			_, err := MakeRuleSpecText(ruleSpec, true)
			So(err, ShouldBeNil)
		})
	})

	Convey("When I parse a rule with a process ID match with include children only", t, func() {
		ruleSpec, err := ParseRuleSpec(strings.Split("-p tcp -m set --match-set TRI-ipset-tcp-1 dstIP -j NFQUEUE -j MARK 105 -m owner --pid-owner 2440 --pid-childrenonly", " ")...)
		So(err, ShouldBeNil)
		Convey("I should forward to nfq for all packets from or to the given process' children", func() {
			So(ruleSpec.Action, ShouldEqual, frontman.FilterActionNfq)
			So(ruleSpec.Mark, ShouldEqual, 105)
			So(ruleSpec.Protocol, ShouldEqual, packet.IPProtocolTCP)
			So(ruleSpec.ProcessID, ShouldEqual, 2440)
			So(ruleSpec.ProcessIncludeChildren, ShouldBeFalse)
			So(ruleSpec.ProcessIncludeChildrenOnly, ShouldBeTrue)
			So(ruleSpec.MatchSet, ShouldNotBeNil)
			So(ruleSpec.MatchSet, ShouldHaveLength, 1)
			So(ruleSpec.MatchSet[0].MatchSetName, ShouldEqual, "TRI-ipset-tcp-1")
			So(ruleSpec.MatchSet[0].MatchSetNegate, ShouldBeFalse)
			So(ruleSpec.MatchSet[0].MatchSetDstIP, ShouldBeTrue)
			So(ruleSpec.MatchSet[0].MatchSetDstPort, ShouldBeFalse)
			So(ruleSpec.MatchSet[0].MatchSetSrcIP, ShouldBeFalse)
			So(ruleSpec.MatchSet[0].MatchSetSrcPort, ShouldBeFalse)
		})

		Convey("I should be able to convert back to a string", func() {
			_, err := MakeRuleSpecText(ruleSpec, true)
			So(err, ShouldBeNil)
		})
	})

	Convey("When I parse a rule with an invalid process ID match", t, func() {
		// invalid flags
		_, err := ParseRuleSpec(strings.Split("-p tcp -m set --match-set TRI-ipset-tcp-1 dstIP -j NFQUEUE -j MARK 105 -m owner --pid-owner 2440 --pid-childrenonly --pid-children", " ")...)
		So(err, ShouldNotBeNil)
		// invalid pid
		_, err = ParseRuleSpec(strings.Split("-p tcp -m set --match-set TRI-ipset-tcp-1 dstIP -j NFQUEUE -j MARK 105 -m owner --pid-owner foobar", " ")...)
		So(err, ShouldNotBeNil)
	})
}

func TestParseRuleSpecMatchIcmp(t *testing.T) {

	Convey("When I parse a rule with an icmp type match", t, func() {
		ruleSpec, err := ParseRuleSpec(strings.Split("-p 1 --icmp-type 8 -j ACCEPT", " ")...)
		So(err, ShouldBeNil)
		Convey("I should recognize the icmp type", func() {
			So(ruleSpec.Action, ShouldEqual, frontman.FilterActionAllow)
			So(ruleSpec.Protocol, ShouldEqual, 1)
			So(ruleSpec.IcmpMatch, ShouldHaveLength, 1)
			So(ruleSpec.IcmpMatch[0].Nomatch, ShouldBeFalse)
			So(ruleSpec.IcmpMatch[0].IcmpType, ShouldEqual, 8)
			So(ruleSpec.IcmpMatch[0].IcmpCodeRange, ShouldBeNil)
		})

		rulePart := strings.Join(TransformIcmpProtoString("icmp/8"), " ")
		So(rulePart, ShouldEqual, "--icmp-type 8")

		_, err = MakeRuleSpecText(ruleSpec, true)
		So(err, ShouldBeNil)
	})

	Convey("When I parse a rule with an icmp type and code match", t, func() {
		ruleSpec, err := ParseRuleSpec(strings.Split("-p icmp --icmp-type 3/5 -j DROP", " ")...)
		So(err, ShouldBeNil)
		Convey("I should recognize the icmp type and code", func() {
			So(ruleSpec.Action, ShouldEqual, frontman.FilterActionBlock)
			So(ruleSpec.Protocol, ShouldEqual, 1)
			So(ruleSpec.IcmpMatch, ShouldHaveLength, 1)
			So(ruleSpec.IcmpMatch[0].Nomatch, ShouldBeFalse)
			So(ruleSpec.IcmpMatch[0].IcmpType, ShouldEqual, 3)
			So(ruleSpec.IcmpMatch[0].IcmpCodeRange.Start, ShouldEqual, 5)
			So(ruleSpec.IcmpMatch[0].IcmpCodeRange.End, ShouldEqual, 5)
		})

		rulePart := strings.Join(TransformIcmpProtoString("icmp/3/5"), " ")
		So(rulePart, ShouldEqual, "--icmp-type 3/5")

		_, err = MakeRuleSpecText(ruleSpec, true)
		So(err, ShouldBeNil)
	})

	Convey("When I parse a rule with an icmp type and multiple codes match", t, func() {
		ruleSpec, err := ParseRuleSpec(strings.Split("-p 1 --icmp-type 3/0:4,15,6:7,14 -j ACCEPT", " ")...)
		So(err, ShouldBeNil)
		Convey("I should recognize the icmp type and code ranges", func() {
			So(ruleSpec.Action, ShouldEqual, frontman.FilterActionAllow)
			So(ruleSpec.Protocol, ShouldEqual, 1)
			So(ruleSpec.IcmpMatch, ShouldHaveLength, 4)
			So(ruleSpec.IcmpMatch[0].Nomatch, ShouldBeFalse)
			So(ruleSpec.IcmpMatch[0].IcmpType, ShouldEqual, 3)
			So(ruleSpec.IcmpMatch[0].IcmpCodeRange.Start, ShouldEqual, 0)
			So(ruleSpec.IcmpMatch[0].IcmpCodeRange.End, ShouldEqual, 4)
			So(ruleSpec.IcmpMatch[1].IcmpType, ShouldEqual, 3)
			So(ruleSpec.IcmpMatch[1].IcmpCodeRange.Start, ShouldEqual, 15)
			So(ruleSpec.IcmpMatch[1].IcmpCodeRange.End, ShouldEqual, 15)
			So(ruleSpec.IcmpMatch[2].IcmpType, ShouldEqual, 3)
			So(ruleSpec.IcmpMatch[2].IcmpCodeRange.Start, ShouldEqual, 6)
			So(ruleSpec.IcmpMatch[2].IcmpCodeRange.End, ShouldEqual, 7)
			So(ruleSpec.IcmpMatch[3].IcmpType, ShouldEqual, 3)
			So(ruleSpec.IcmpMatch[3].IcmpCodeRange.Start, ShouldEqual, 14)
			So(ruleSpec.IcmpMatch[3].IcmpCodeRange.End, ShouldEqual, 14)
		})

		rulePart := strings.Join(TransformIcmpProtoString("icmp/3/0:4,15,6:7,14"), " ")
		So(rulePart, ShouldEqual, "--icmp-type 3/0:4,15,6:7,14")

		_, err = MakeRuleSpecText(ruleSpec, true)
		So(err, ShouldBeNil)
	})

	Convey("When I parse a rule with an icmp v6 type and code match", t, func() {
		ruleSpec, err := ParseRuleSpec(strings.Split("-p 58 --icmp-type 140/1,2 -j ACCEPT", " ")...)
		So(err, ShouldBeNil)
		Convey("I should recognize the icmp v6 type and code", func() {
			So(ruleSpec.Action, ShouldEqual, frontman.FilterActionAllow)
			So(ruleSpec.Protocol, ShouldEqual, 58)
			So(ruleSpec.IcmpMatch, ShouldHaveLength, 2)
			So(ruleSpec.IcmpMatch[0].Nomatch, ShouldBeFalse)
			So(ruleSpec.IcmpMatch[0].IcmpType, ShouldEqual, 140)
			So(ruleSpec.IcmpMatch[0].IcmpCodeRange.Start, ShouldEqual, 1)
			So(ruleSpec.IcmpMatch[0].IcmpCodeRange.End, ShouldEqual, 1)
			So(ruleSpec.IcmpMatch[1].IcmpCodeRange.Start, ShouldEqual, 2)
			So(ruleSpec.IcmpMatch[1].IcmpCodeRange.End, ShouldEqual, 2)
		})

		rulePart := strings.Join(TransformIcmpProtoString("icmpv6/140/1,2"), " ")
		So(rulePart, ShouldEqual, "--icmp-type 140/1,2")

		_, err = MakeRuleSpecText(ruleSpec, true)
		So(err, ShouldBeNil)
	})

	Convey("When I parse a rule with an icmp nomatch", t, func() {
		ruleSpec, err := ParseRuleSpec(strings.Split("-p icmp --icmp-type nomatch -j ACCEPT", " ")...)
		So(err, ShouldBeNil)
		Convey("I should recognize that it should never match", func() {
			So(ruleSpec.Action, ShouldEqual, frontman.FilterActionAllow)
			So(ruleSpec.Protocol, ShouldEqual, 1)
			So(ruleSpec.IcmpMatch, ShouldHaveLength, 1)
			So(ruleSpec.IcmpMatch[0].Nomatch, ShouldBeTrue)
		})

		_, err = MakeRuleSpecText(ruleSpec, true)
		So(err, ShouldBeNil)
	})

	Convey("When I parse a rule with an invalid icmp type/code", t, func() {
		// invalid range separator
		_, err := ParseRuleSpec(strings.Split("-p 1 --icmp-type 3/0:4,15,6-7,14 -j ACCEPT", " ")...)
		So(err, ShouldNotBeNil)
		// code out of range
		_, err = ParseRuleSpec(strings.Split("-p 1 --icmp-type 3/0:4,15,17:256 -j ACCEPT", " ")...)
		So(err, ShouldNotBeNil)
		// code given but no type
		_, err = ParseRuleSpec(strings.Split("-p 1 --icmp-type /2 -j ACCEPT", " ")...)
		So(err, ShouldNotBeNil)
		// type out of range
		_, err = ParseRuleSpec(strings.Split("-p 1 --icmp-type 2555/1,4 -j ACCEPT", " ")...)
		So(err, ShouldNotBeNil)
	})

	Convey("When I handle a rule with policy restrictions", t, func() {

		rulePart, err := ReduceIcmpProtoString("icmp", []string{"icmp/1/1", "icmp/2/3:4"})
		So(err, ShouldBeNil)
		So(rulePart, ShouldHaveLength, 4)
		So(rulePart[0], ShouldEqual, "--icmp-type")
		So(rulePart[1], ShouldEqual, "1/1")
		So(rulePart[3], ShouldEqual, "2/3:4")

		rulePart, err = ReduceIcmpProtoString("icmp/3", []string{"icmp/2", "icmp", "icmp/3/0"})
		So(err, ShouldBeNil)
		So(rulePart, ShouldHaveLength, 4)
		So(rulePart[1], ShouldEqual, "3")
		So(rulePart[3], ShouldEqual, "3/0")

		rulePart, err = ReduceIcmpProtoString("icmp/3/0:2,3:3,5:7,10:18", []string{"icmp/3/2:4,6:8,11", "icmp/3/1,2,4,6:7,9,14,16,18", "icmp/3/0,10,20:22"})
		So(err, ShouldBeNil)
		So(rulePart, ShouldHaveLength, 6)
		So(rulePart[1], ShouldEqual, "3/2:2,3:3,6:7,11:11")
		So(rulePart[3], ShouldEqual, "3/1:1,2:2,6:7,14:14,16:16,18:18")
		So(rulePart[5], ShouldEqual, "3/0:0,10:10")

		rulePart, err = ReduceIcmpProtoString("icmp/8/10,1:3,7", []string{"icmp/2/10", "icmp/8", "icmp/8/0,4:6,11:20,9,8"})
		So(err, ShouldBeNil)
		So(rulePart, ShouldHaveLength, 2)
		So(rulePart[1], ShouldEqual, "8/10,1:3,7")

		rulePart, err = ReduceIcmpProtoString("icmp", []string{"icmp/1/1"})
		So(err, ShouldBeNil)
		So(rulePart, ShouldHaveLength, 2)
		So(rulePart[1], ShouldEqual, "1/1")

		rulePart, err = ReduceIcmpProtoString("icmp6", []string{"icmp6/1/0:255"})
		So(err, ShouldBeNil)
		So(rulePart, ShouldHaveLength, 2)
		So(rulePart[1], ShouldEqual, "1/0:255")

		rulePart, err = ReduceIcmpProtoString("icmp/1", []string{"icmp", "icmp6"})
		So(err, ShouldBeNil)
		So(rulePart, ShouldHaveLength, 2)
		So(rulePart[1], ShouldEqual, "1")

		// proto match without type/code should return empty
		rulePart, err = ReduceIcmpProtoString("icmp", []string{"icmp"})
		So(err, ShouldBeNil)
		So(rulePart, ShouldHaveLength, 0)

		// proto match with type/code conflict should return error
		_, err = ReduceIcmpProtoString("icmp/0", []string{"icmp/1"})
		So(err, ShouldNotBeNil)
	})
}

// test generated acl rule
func TestParseRuleSpecACLRule(t *testing.T) {

	Convey("When I parse an acl rule for nflog", t, func() {
		rsOrig := "-p 6 -m set --match-set TRI-v4-ext-cUDEx1114Z2xd dst -m state --state NEW -m set ! --match-set TRI-v4-TargetTCP dst --match multiport --dports 1:65535 -m state --state NEW -j NFLOG --nflog-group 10 --nflog-prefix \"3617624947:5d6044b9e99572000149d650:5d60448a884e46000145cf67:incoming n_3484738895:6\""

		rule, err := shellquote.Split(rsOrig)
		So(err, ShouldBeNil)

		ruleSpec, err := ParseRuleSpec(rule...)
		So(err, ShouldBeNil)
		Convey("I should be able to interpret it as a windows rule", func() {
			So(ruleSpec.Protocol, ShouldEqual, packet.IPProtocolTCP)
			So(ruleSpec.MatchSrcPort, ShouldHaveLength, 0)
			So(ruleSpec.MatchDstPort, ShouldHaveLength, 1)
			So(ruleSpec.MatchDstPort[0].Start, ShouldEqual, 1)
			So(ruleSpec.MatchDstPort[0].End, ShouldEqual, 65535)
			So(ruleSpec.Action, ShouldEqual, 0) // degenerate log-only rule
			So(ruleSpec.Log, ShouldBeTrue)
			So(ruleSpec.LogPrefix, ShouldEqual, "3617624947:5d6044b9e99572000149d650:5d60448a884e46000145cf67:incoming n_3484738895:6")
			So(ruleSpec.MatchSet, ShouldNotBeNil)
			So(ruleSpec.MatchSet, ShouldHaveLength, 2)
			So(ruleSpec.MatchSet[0].MatchSetName, ShouldEqual, "TRI-v4-ext-cUDEx1114Z2xd")
			So(ruleSpec.MatchSet[0].MatchSetNegate, ShouldBeFalse)
			So(ruleSpec.MatchSet[0].MatchSetDstIP, ShouldBeTrue)
			So(ruleSpec.MatchSet[0].MatchSetDstPort, ShouldBeTrue)
			So(ruleSpec.MatchSet[0].MatchSetSrcIP, ShouldBeFalse)
			So(ruleSpec.MatchSet[0].MatchSetSrcPort, ShouldBeFalse)
			So(ruleSpec.MatchSet[1].MatchSetName, ShouldEqual, "TRI-v4-TargetTCP")
			So(ruleSpec.MatchSet[1].MatchSetNegate, ShouldBeTrue)
			So(ruleSpec.MatchSet[1].MatchSetDstIP, ShouldBeTrue)
			So(ruleSpec.MatchSet[1].MatchSetDstPort, ShouldBeTrue)
			So(ruleSpec.MatchSet[1].MatchSetSrcIP, ShouldBeFalse)
			So(ruleSpec.MatchSet[1].MatchSetSrcPort, ShouldBeFalse)
		})
		Convey("I should be able to convert back to a string", func() {
			_, err := MakeRuleSpecText(ruleSpec, true)
			So(err, ShouldBeNil)
		})
	})

	Convey("When I parse an acl rule for drop or accept", t, func() {
		rsOrig := "-p 6 -m set --match-set TRI-v4-ext-cUDEx1114Z2xd dst -m state --state NEW -m set ! --match-set TRI-v4-TargetTCP dst --match multiport --dports 1:65535 -j DROP"
		ruleSpec, err := ParseRuleSpec(strings.Split(rsOrig, " ")...)
		So(err, ShouldBeNil)
		Convey("I should be able to interpret it as a windows rule", func() {
			So(ruleSpec.Protocol, ShouldEqual, packet.IPProtocolTCP)
			So(ruleSpec.MatchSrcPort, ShouldHaveLength, 0)
			So(ruleSpec.MatchDstPort, ShouldHaveLength, 1)
			So(ruleSpec.MatchDstPort[0].Start, ShouldEqual, 1)
			So(ruleSpec.MatchDstPort[0].End, ShouldEqual, 65535)
			So(ruleSpec.Action, ShouldEqual, frontman.FilterActionBlock)
			So(ruleSpec.Log, ShouldBeFalse)
			So(ruleSpec.MatchSet, ShouldNotBeNil)
			So(ruleSpec.MatchSet, ShouldHaveLength, 2)
			So(ruleSpec.MatchSet[0].MatchSetName, ShouldEqual, "TRI-v4-ext-cUDEx1114Z2xd")
			So(ruleSpec.MatchSet[0].MatchSetNegate, ShouldBeFalse)
			So(ruleSpec.MatchSet[0].MatchSetDstIP, ShouldBeTrue)
			So(ruleSpec.MatchSet[0].MatchSetDstPort, ShouldBeTrue)
			So(ruleSpec.MatchSet[0].MatchSetSrcIP, ShouldBeFalse)
			So(ruleSpec.MatchSet[0].MatchSetSrcPort, ShouldBeFalse)
			So(ruleSpec.MatchSet[1].MatchSetName, ShouldEqual, "TRI-v4-TargetTCP")
			So(ruleSpec.MatchSet[1].MatchSetNegate, ShouldBeTrue)
			So(ruleSpec.MatchSet[1].MatchSetDstIP, ShouldBeTrue)
			So(ruleSpec.MatchSet[1].MatchSetDstPort, ShouldBeTrue)
			So(ruleSpec.MatchSet[1].MatchSetSrcIP, ShouldBeFalse)
			So(ruleSpec.MatchSet[1].MatchSetSrcPort, ShouldBeFalse)
		})
		Convey("I should be able to convert back to a string", func() {
			_, err := MakeRuleSpecText(ruleSpec, true)
			So(err, ShouldBeNil)
		})
	})

}

// test TCP flags and options
func TestParseRuleSpecTCPFlagsAndOptions(t *testing.T) {

	Convey("When I parse tcp flags", t, func() {
		rsOrig := "--tcp-flags 18,10 -j ACCEPT_ONCE"
		ruleSpec, err := ParseRuleSpec(strings.Split(rsOrig, " ")...)
		So(err, ShouldBeNil)
		Convey("I should be able to interpret it as a windows rule", func() {
			So(ruleSpec.TCPFlags, ShouldEqual, 10)
			So(ruleSpec.TCPFlagsMask, ShouldEqual, 18)
			So(ruleSpec.TCPFlagsSpecified, ShouldEqual, true)
			So(ruleSpec.Action, ShouldEqual, frontman.FilterActionAllowOnce)
		})
		Convey("I should be able to convert back to a string", func() {
			_, err := MakeRuleSpecText(ruleSpec, true)
			So(err, ShouldBeNil)
		})
	})

	Convey("When I parse tcp options", t, func() {
		rsOrig := "--tcp-option 34 -j ACCEPT_ONCE"
		ruleSpec, err := ParseRuleSpec(strings.Split(rsOrig, " ")...)
		So(err, ShouldBeNil)
		Convey("I should be able to interpret it as a windows rule", func() {
			So(ruleSpec.TCPOption, ShouldEqual, 34)
			So(ruleSpec.TCPOptionSpecified, ShouldEqual, true)
			So(ruleSpec.Action, ShouldEqual, frontman.FilterActionAllowOnce)
		})
		Convey("I should be able to convert back to a string", func() {
			_, err := MakeRuleSpecText(ruleSpec, true)
			So(err, ShouldBeNil)
		})
	})
}

func TestParseRuleSpecConnmark(t *testing.T) {

	Convey("When I parse connmark", t, func() {
		rsOrig := "-m set --match-set TRI-ipset-1 srcIP -m connmark --mark 18 -j ACCEPT_ONCE"
		ruleSpec, err := ParseRuleSpec(strings.Split(rsOrig, " ")...)
		So(err, ShouldBeNil)
		Convey("I should be able to interpret it as a windows rule", func() {
			So(ruleSpec.FlowMark, ShouldEqual, 18)
			So(ruleSpec.FlowMarkNoMatch, ShouldEqual, false)
			So(ruleSpec.Action, ShouldEqual, frontman.FilterActionAllowOnce)
		})
		Convey("I should be able to convert back to a string", func() {
			_, err := MakeRuleSpecText(ruleSpec, true)
			So(err, ShouldBeNil)
		})
	})

	Convey("When I parse ! connmark", t, func() {
		rsOrig := "-m connmark --mark ! 18 -j ACCEPT_ONCE"
		ruleSpec, err := ParseRuleSpec(strings.Split(rsOrig, " ")...)
		So(err, ShouldBeNil)
		Convey("I should be able to interpret it as a windows rule", func() {
			So(ruleSpec.FlowMark, ShouldEqual, 18)
			So(ruleSpec.FlowMarkNoMatch, ShouldEqual, true)
			So(ruleSpec.Action, ShouldEqual, frontman.FilterActionAllowOnce)
		})
		Convey("I should be able to convert back to a string", func() {
			_, err := MakeRuleSpecText(ruleSpec, true)
			So(err, ShouldBeNil)
		})
	})

	Convey("When I parse connmark with invalid !", t, func() {
		rsOrig := "-m connmark --mark x 18 -j ACCEPT_ONCE"
		_, err := ParseRuleSpec(strings.Split(rsOrig, " ")...)
		So(err, ShouldNotBeNil)
	})

	Convey("When I parse connmark with invalid mark", t, func() {
		rsOrig := "-m connmark --mark abc -j ACCEPT_ONCE"
		_, err := ParseRuleSpec(strings.Split(rsOrig, " ")...)
		So(err, ShouldNotBeNil)
	})
}

func TestParseRuleSpecSetMark(t *testing.T) {

	Convey("When I parse setmark", t, func() {
		rsOrig := "-m connmark --mark 18 -j CONNMARK --set-mark 15"
		ruleSpec, err := ParseRuleSpec(strings.Split(rsOrig, " ")...)
		So(err, ShouldBeNil)
		Convey("I should be able to interpret it as a windows rule", func() {
			So(ruleSpec.FlowMark, ShouldEqual, 18)
			So(ruleSpec.FlowMarkNoMatch, ShouldEqual, false)
			So(ruleSpec.Action, ShouldEqual, frontman.FilterActionSetMark)
			So(ruleSpec.Mark, ShouldEqual, 15)
		})
		Convey("I should be able to convert back to a string", func() {
			_, err := MakeRuleSpecText(ruleSpec, true)
			So(err, ShouldBeNil)
		})
	})

	Convey("When I parse setmark without a mark", t, func() {
		rsOrig := "-m connmark --mark 18 -j CONNMARK"
		_, err := ParseRuleSpec(strings.Split(rsOrig, " ")...)
		So(err, ShouldNotBeNil)
	})
}


================================================
FILE: controller/internal/windows/utils.go
================================================
// +build windows

package windows

import (
	"syscall"
	"unsafe"
)

// WideCharPointerToString converts a pointer to a zero-terminated wide character string to a golang string
func WideCharPointerToString(pszWide *uint16) string {

	ptr := uintptr(unsafe.Pointer(pszWide)) //nolint:govet
	buf := make([]uint16, 0, 256)
	for {
		ch := *((*uint16)(unsafe.Pointer(ptr))) //nolint:govet
		buf = append(buf, ch)
		if ch == 0 {
			break
		}

		ptr += 2
	}
	return syscall.UTF16ToString(buf)
}


================================================
FILE: controller/mockcontroller/mocktrireme.go
================================================
// Code generated by MockGen. DO NOT EDIT.
// Source: controller/interfaces.go

// Package mockcontroller is a generated GoMock package.
package mockcontroller

import (
	context "context"
	reflect "reflect"
	time "time"

	gomock "github.com/golang/mock/gomock"
	packettracing "go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packettracing"
	secrets "go.aporeto.io/enforcerd/trireme-lib/controller/pkg/secrets"
	runtime "go.aporeto.io/enforcerd/trireme-lib/controller/runtime"
	policy "go.aporeto.io/enforcerd/trireme-lib/policy"
)

// MockTriremeController is a mock of TriremeController interface
// nolint
type MockTriremeController struct {
	ctrl     *gomock.Controller
	recorder *MockTriremeControllerMockRecorder
}

// MockTriremeControllerMockRecorder is the mock recorder for MockTriremeController
// nolint
type MockTriremeControllerMockRecorder struct {
	mock *MockTriremeController
}

// NewMockTriremeController creates a new mock instance
// nolint
func NewMockTriremeController(ctrl *gomock.Controller) *MockTriremeController {
	mock := &MockTriremeController{ctrl: ctrl}
	mock.recorder = &MockTriremeControllerMockRecorder{mock}
	return mock
}

// EXPECT returns an object that allows the caller to indicate expected use
// nolint
func (m *MockTriremeController) EXPECT() *MockTriremeControllerMockRecorder {
	return m.recorder
}

// Run mocks base method
// nolint
func (m *MockTriremeController) Run(ctx context.Context) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "Run", ctx)
	ret0, _ := ret[0].(error)
	return ret0
}

// Run indicates an expected call of Run
// nolint
func (mr *MockTriremeControllerMockRecorder) Run(ctx interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Run", reflect.TypeOf((*MockTriremeController)(nil).Run), ctx)
}

// CleanUp mocks base method
// nolint
func (m *MockTriremeController) CleanUp() error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "CleanUp")
	ret0, _ := ret[0].(error)
	return ret0
}

// CleanUp indicates an expected call of CleanUp
// nolint
func (mr *MockTriremeControllerMockRecorder) CleanUp() *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CleanUp", reflect.TypeOf((*MockTriremeController)(nil).CleanUp))
}

// Enforce mocks base method
// nolint
func (m *MockTriremeController) Enforce(ctx context.Context, puID string, policy *policy.PUPolicy, runtime *policy.PURuntime) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "Enforce", ctx, puID, policy, runtime)
	ret0, _ := ret[0].(error)
	return ret0
}

// Enforce indicates an expected call of Enforce
// nolint
func (mr *MockTriremeControllerMockRecorder) Enforce(ctx, puID, policy, runtime interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Enforce", reflect.TypeOf((*MockTriremeController)(nil).Enforce), ctx, puID, policy, runtime)
}

// UnEnforce mocks base method
// nolint
func (m *MockTriremeController) UnEnforce(ctx context.Context, puID string, policy *policy.PUPolicy, runtime *policy.PURuntime) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "UnEnforce", ctx, puID, policy, runtime)
	ret0, _ := ret[0].(error)
	return ret0
}

// UnEnforce indicates an expected call of UnEnforce
// nolint
func (mr *MockTriremeControllerMockRecorder) UnEnforce(ctx, puID, policy, runtime interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UnEnforce", reflect.TypeOf((*MockTriremeController)(nil).UnEnforce), ctx, puID, policy, runtime)
}

// UpdatePolicy mocks base method
// nolint
func (m *MockTriremeController) UpdatePolicy(ctx context.Context, puID string, policy *policy.PUPolicy, runtime *policy.PURuntime) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "UpdatePolicy", ctx, puID, policy, runtime)
	ret0, _ := ret[0].(error)
	return ret0
}

// UpdatePolicy indicates an expected call of UpdatePolicy
// nolint
func (mr *MockTriremeControllerMockRecorder) UpdatePolicy(ctx, puID, policy, runtime interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdatePolicy", reflect.TypeOf((*MockTriremeController)(nil).UpdatePolicy), ctx, puID, policy, runtime)
}

// UpdateSecrets mocks base method
// nolint
func (m *MockTriremeController) UpdateSecrets(secrets secrets.Secrets) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "UpdateSecrets", secrets)
	ret0, _ := ret[0].(error)
	return ret0
}

// UpdateSecrets indicates an expected call of UpdateSecrets
// nolint
func (mr *MockTriremeControllerMockRecorder) UpdateSecrets(secrets interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateSecrets", reflect.TypeOf((*MockTriremeController)(nil).UpdateSecrets), secrets)
}

// UpdateConfiguration mocks base method
// nolint
func (m *MockTriremeController) UpdateConfiguration(cfg *runtime.Configuration) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "UpdateConfiguration", cfg)
	ret0, _ := ret[0].(error)
	return ret0
}

// UpdateConfiguration indicates an expected call of UpdateConfiguration
// nolint
func (mr *MockTriremeControllerMockRecorder) UpdateConfiguration(cfg interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateConfiguration", reflect.TypeOf((*MockTriremeController)(nil).UpdateConfiguration), cfg)
}

// EnableDatapathPacketTracing mocks base method
// nolint
func (m *MockTriremeController) EnableDatapathPacketTracing(ctx context.Context, puID string, policy *policy.PUPolicy, runtime *policy.PURuntime, direction packettracing.TracingDirection, interval time.Duration) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "EnableDatapathPacketTracing", ctx, puID, policy, runtime, direction, interval)
	ret0, _ := ret[0].(error)
	return ret0
}

// EnableDatapathPacketTracing indicates an expected call of EnableDatapathPacketTracing
// nolint
func (mr *MockTriremeControllerMockRecorder) EnableDatapathPacketTracing(ctx, puID, policy, runtime, direction, interval interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "EnableDatapathPacketTracing", reflect.TypeOf((*MockTriremeController)(nil).EnableDatapathPacketTracing), ctx, puID, policy, runtime, direction, interval)
}

// EnableIPTablesPacketTracing mocks base method
// nolint
func (m *MockTriremeController) EnableIPTablesPacketTracing(ctx context.Context, puID string, policy *policy.PUPolicy, runtime *policy.PURuntime, interval time.Duration) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "EnableIPTablesPacketTracing", ctx, puID, policy, runtime, interval)
	ret0, _ := ret[0].(error)
	return ret0
}

// EnableIPTablesPacketTracing indicates an expected call of EnableIPTablesPacketTracing
// nolint
func (mr *MockTriremeControllerMockRecorder) EnableIPTablesPacketTracing(ctx, puID, policy, runtime, interval interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "EnableIPTablesPacketTracing", reflect.TypeOf((*MockTriremeController)(nil).EnableIPTablesPacketTracing), ctx, puID, policy, runtime, interval)
}

// Ping mocks base method
// nolint
func (m *MockTriremeController) Ping(ctx context.Context, puID string, policy *policy.PUPolicy, runtime *policy.PURuntime, pingConfig *policy.PingConfig) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "Ping", ctx, puID, policy, runtime, pingConfig)
	ret0, _ := ret[0].(error)
	return ret0
}

// Ping indicates an expected call of Ping
// nolint
func (mr *MockTriremeControllerMockRecorder) Ping(ctx, puID, policy, runtime, pingConfig interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Ping", reflect.TypeOf((*MockTriremeController)(nil).Ping), ctx, puID, policy, runtime, pingConfig)
}

// DebugCollect mocks base method
// nolint
func (m *MockTriremeController) DebugCollect(ctx context.Context, puID string, policy *policy.PUPolicy, runtime *policy.PURuntime, debugConfig *policy.DebugConfig) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "DebugCollect", ctx, puID, policy, runtime, debugConfig)
	ret0, _ := ret[0].(error)
	return ret0
}

// DebugCollect indicates an expected call of DebugCollect
// nolint
func (mr *MockTriremeControllerMockRecorder) DebugCollect(ctx, puID, policy, runtime, debugConfig interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DebugCollect", reflect.TypeOf((*MockTriremeController)(nil).DebugCollect), ctx, puID, policy, runtime, debugConfig)
}

// MockDebugInfo is a mock of DebugInfo interface
// nolint
type MockDebugInfo struct {
	ctrl     *gomock.Controller
	recorder *MockDebugInfoMockRecorder
}

// MockDebugInfoMockRecorder is the mock recorder for MockDebugInfo
// nolint
type MockDebugInfoMockRecorder struct {
	mock *MockDebugInfo
}

// NewMockDebugInfo creates a new mock instance
// nolint
func NewMockDebugInfo(ctrl *gomock.Controller) *MockDebugInfo {
	mock := &MockDebugInfo{ctrl: ctrl}
	mock.recorder = &MockDebugInfoMockRecorder{mock}
	return mock
}

// EXPECT returns an object that allows the caller to indicate expected use
// nolint
func (m *MockDebugInfo) EXPECT() *MockDebugInfoMockRecorder {
	return m.recorder
}

// EnableDatapathPacketTracing mocks base method
// nolint
func (m *MockDebugInfo) EnableDatapathPacketTracing(ctx context.Context, puID string, policy *policy.PUPolicy, runtime *policy.PURuntime, direction packettracing.TracingDirection, interval time.Duration) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "EnableDatapathPacketTracing", ctx, puID, policy, runtime, direction, interval)
	ret0, _ := ret[0].(error)
	return ret0
}

// EnableDatapathPacketTracing indicates an expected call of EnableDatapathPacketTracing
// nolint
func (mr *MockDebugInfoMockRecorder) EnableDatapathPacketTracing(ctx, puID, policy, runtime, direction, interval interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "EnableDatapathPacketTracing", reflect.TypeOf((*MockDebugInfo)(nil).EnableDatapathPacketTracing), ctx, puID, policy, runtime, direction, interval)
}

// EnableIPTablesPacketTracing mocks base method
// nolint
func (m *MockDebugInfo) EnableIPTablesPacketTracing(ctx context.Context, puID string, policy *policy.PUPolicy, runtime *policy.PURuntime, interval time.Duration) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "EnableIPTablesPacketTracing", ctx, puID, policy, runtime, interval)
	ret0, _ := ret[0].(error)
	return ret0
}

// EnableIPTablesPacketTracing indicates an expected call of EnableIPTablesPacketTracing
// nolint
func (mr *MockDebugInfoMockRecorder) EnableIPTablesPacketTracing(ctx, puID, policy, runtime, interval interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "EnableIPTablesPacketTracing", reflect.TypeOf((*MockDebugInfo)(nil).EnableIPTablesPacketTracing), ctx, puID, policy, runtime, interval)
}

// Ping mocks base method
// nolint
func (m *MockDebugInfo) Ping(ctx context.Context, puID string, policy *policy.PUPolicy, runtime *policy.PURuntime, pingConfig *policy.PingConfig) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "Ping", ctx, puID, policy, runtime, pingConfig)
	ret0, _ := ret[0].(error)
	return ret0
}

// Ping indicates an expected call of Ping
// nolint
func (mr *MockDebugInfoMockRecorder) Ping(ctx, puID, policy, runtime, pingConfig interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Ping", reflect.TypeOf((*MockDebugInfo)(nil).Ping), ctx, puID, policy, runtime, pingConfig)
}

// DebugCollect mocks base method
// nolint
func (m *MockDebugInfo) DebugCollect(ctx context.Context, puID string, policy *policy.PUPolicy, runtime *policy.PURuntime, debugConfig *policy.DebugConfig) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "DebugCollect", ctx, puID, policy, runtime, debugConfig)
	ret0, _ := ret[0].(error)
	return ret0
}

// DebugCollect indicates an expected call of DebugCollect
// nolint
func (mr *MockDebugInfoMockRecorder) DebugCollect(ctx, puID, policy, runtime, debugConfig interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DebugCollect", reflect.TypeOf((*MockDebugInfo)(nil).DebugCollect), ctx, puID, policy, runtime, debugConfig)
}


================================================
FILE: controller/pkg/aclprovider/ipsetprovider.go
================================================
// +build linux darwin

package provider

import (
	"fmt"
	"os/exec"
	"strings"

	"github.com/aporeto-inc/go-ipset/ipset"
	"go.uber.org/zap"
)

// IpsetProvider returns a fabric for Ipset.
type IpsetProvider interface {
	NewIpset(name string, ipsetType string, p *ipset.Params) (Ipset, error)
	GetIpset(name string) Ipset
	DestroyAll(prefix string) error
	ListIPSets() ([]string, error)
}

// Ipset is an abstraction of all the methods an implementation of userspace
// ipsets need to provide.
type Ipset interface {
	Add(entry string, timeout int) error
	AddOption(entry string, option string, timeout int) error
	Del(entry string) error
	Destroy() error
	Flush() error
	Test(entry string) (bool, error)
}

type goIpsetProvider struct{}

func ipsetCreateBitmapPort(setname string) error {
	//Bitmap type is not supported by the ipset library
	path, _ := exec.LookPath("ipset")
	out, err := exec.Command(path, "create", setname, "bitmap:port", "range", "0-65535", "timeout", "0").CombinedOutput()
	if err != nil {
		if strings.Contains(string(out), "set with the same name already exists") {
			zap.L().Warn("Set already exists - cleaning up", zap.String("set name", setname))
			// Clean up the existing set
			if _, cerr := exec.Command(path, "-F", setname).CombinedOutput(); cerr != nil {
				return fmt.Errorf("Failed to clean up existing ipset: %s", err)
			}
			return nil
		}
		zap.L().Error("Unable to create set", zap.String("set name", setname), zap.String("ipset-output", string(out)))
	}
	return err
}

// NewIpset returns an IpsetProvider interface based on the go-ipset
// external package.
func (i *goIpsetProvider) NewIpset(name string, ipsetType string, p *ipset.Params) (Ipset, error) {
	// Check if hashtype is a type of hash
	if strings.HasPrefix(ipsetType, "hash:") {
		return ipset.New(name, ipsetType, p)
	}

	if err := ipsetCreateBitmapPort(name); err != nil {
		return nil, err
	}

	return &ipset.IPSet{Name: name}, nil
}

// GetIpset gets the ipset object from the name.
func (i *goIpsetProvider) GetIpset(name string) Ipset {
	return &ipset.IPSet{
		Name: name,
	}
}

// DestroyAll destroys all the ipsets - it will fail if there are existing references
func (i *goIpsetProvider) DestroyAll(prefix string) error {

	return ipset.DestroyAll()
}

func (i *goIpsetProvider) ListIPSets() ([]string, error) {

	path, err := exec.LookPath("ipset")
	if err != nil {
		return nil, fmt.Errorf("ipset command not found: %s", err)
	}

	out, err := exec.Command(path, "-L", "-name").CombinedOutput()
	if err != nil {
		return nil, fmt.Errorf("unable to list ipsets:%s", err)
	}

	return strings.Split(string(out), "\n"), nil
}

// NewGoIPsetProvider Return a Go IPSet Provider
func NewGoIPsetProvider() IpsetProvider {
	return &goIpsetProvider{}
}


================================================
FILE: controller/pkg/aclprovider/ipsetprovider_windows.go
================================================
// +build windows

package provider

import (
	"fmt"

	"go.uber.org/zap"

	"github.com/aporeto-inc/go-ipset/ipset"
	"go.aporeto.io/trireme-lib/utils/frontman"
)

// IpsetProvider returns a fabric for Ipset.
type IpsetProvider interface {
	NewIpset(name string, ipsetType string, p *ipset.Params) (Ipset, error)
	GetIpset(name string) Ipset
	DestroyAll(prefix string) error
	ListIPSets() ([]string, error)
}

// Ipset is an abstraction of all the methods an implementation of userspace
// ipsets need to provide.
type Ipset interface {
	Add(entry string, timeout int) error
	AddOption(entry string, option string, timeout int) error
	Del(entry string) error
	Destroy() error
	Flush() error
	Test(entry string) (bool, error)
}

type ipsetProvider struct{}

type winIPSet struct {
	handle uintptr
	name   string // for debugging
}

// NewIpset returns an IpsetProvider interface based on the go-ipset
// external package.
func (i *ipsetProvider) NewIpset(name string, ipsetType string, p *ipset.Params) (Ipset, error) {
	ipsetHandle, err := frontman.Wrapper.NewIpset(name, ipsetType)
	if err != nil {
		return nil, err
	}
	return &winIPSet{ipsetHandle, name}, nil
}

// GetIpset gets the ipset object from the name.
// Note that the interface can't return error here, but since it's possible to fail in Windows,
// we log error and return incomplete object, and expect a failure from Frontman on a later call.
func (i *ipsetProvider) GetIpset(name string) Ipset {
	ipsetHandle, err := frontman.Wrapper.GetIpset(name)
	if err != nil {
		zap.L().Error(fmt.Sprintf("failed to get ipset %s", name), zap.Error(err))
		return &winIPSet{0, name}
	}
	return &winIPSet{ipsetHandle, name}
}

// DestroyAll destroys all the ipsets - it will fail if there are existing references
func (i *ipsetProvider) DestroyAll(prefix string) error {
	return frontman.Wrapper.DestroyAllIpsets(prefix)
}

func (i *ipsetProvider) ListIPSets() ([]string, error) {
	return frontman.Wrapper.ListIpsets()
}

// NewGoIPsetProvider Return a Go IPSet Provider
func NewGoIPsetProvider() IpsetProvider {
	return &ipsetProvider{}
}

func (w *winIPSet) Add(entry string, timeout int) error {
	return frontman.Wrapper.IpsetAdd(w.handle, entry, timeout)
}

func (w *winIPSet) AddOption(entry string, option string, timeout int) error {
	return frontman.Wrapper.IpsetAddOption(w.handle, entry, option, timeout)
}

func (w *winIPSet) Del(entry string) error {
	return frontman.Wrapper.IpsetDelete(w.handle, entry)
}

func (w *winIPSet) Destroy() error {
	return frontman.Wrapper.IpsetDestroy(w.handle)
}

func (w *winIPSet) Flush() error {
	return frontman.Wrapper.IpsetFlush(w.handle)
}

func (w *winIPSet) Test(entry string) (bool, error) {
	return frontman.Wrapper.IpsetTest(w.handle, entry)
}


================================================
FILE: controller/pkg/aclprovider/ipsetprovidermock.go
================================================
package provider

import (
	"sync"
	"testing"

	"github.com/aporeto-inc/go-ipset/ipset"
)

type ipsetProviderMockedMethods struct {
	newMockIPset   func(name string, hasht string, p *ipset.Params) (Ipset, error)
	getMockIPset   func(name string) Ipset
	destroyAllMock func(prefix string) error
	listIPSetsMock func() ([]string, error)
}

// TestIpsetProvider is a test implementation for IpsetProvider
type TestIpsetProvider interface {
	IpsetProvider
	MockNewIpset(t *testing.T, impl func(name string, hasht string, p *ipset.Params) (Ipset, error))
	MockGetIpset(t *testing.T, impl func(name string) Ipset)
	MockDestroyAll(t *testing.T, impl func(string) error)
	MockListIPSets(t *testing.T, impl func() ([]string, error))
}

type testIpsetProvider struct {
	mocks       map[*testing.T]*ipsetProviderMockedMethods
	lock        *sync.Mutex
	currentTest *testing.T
}

// NewTestIpsetProvider returns a new TestManipulator.
func NewTestIpsetProvider() TestIpsetProvider {
	return &testIpsetProvider{
		lock:  &sync.Mutex{},
		mocks: map[*testing.T]*ipsetProviderMockedMethods{},
	}
}

func (m *testIpsetProvider) MockNewIpset(t *testing.T, impl func(name string, hasht string, p *ipset.Params) (Ipset, error)) {

	m.currentMocks(t).newMockIPset = impl
}

func (m *testIpsetProvider) MockGetIpset(t *testing.T, impl func(name string) Ipset) {
	m.currentMocks(t).getMockIPset = impl
}

func (m *testIpsetProvider) MockDestroyAll(t *testing.T, impl func(string) error) {

	m.currentMocks(t).destroyAllMock = impl
}

func (m *testIpsetProvider) MockListIPSets(t *testing.T, impl func() ([]string, error)) {

	m.currentMocks(t).listIPSetsMock = impl
}

func (m *testIpsetProvider) NewIpset(name string, hasht string, p *ipset.Params) (Ipset, error) {

	if mock := m.currentMocks(m.currentTest); mock != nil && mock.newMockIPset != nil {
		return mock.newMockIPset(name, hasht, p)
	}

	return NewTestIpset(), nil
}

func (m *testIpsetProvider) GetIpset(name string) Ipset {

	if mock := m.currentMocks(m.currentTest); mock != nil && mock.newMockIPset != nil {
		return mock.getMockIPset(name)
	}

	return NewTestIpset()
}

func (m *testIpsetProvider) DestroyAll(prefix string) error {

	if mock := m.currentMocks(m.currentTest); mock != nil && mock.destroyAllMock != nil {
		return mock.destroyAllMock(prefix)
	}

	return nil
}

func (m *testIpsetProvider) ListIPSets() ([]string, error) {

	if mock := m.currentMocks(m.currentTest); mock != nil && mock.listIPSetsMock != nil {
		return mock.listIPSetsMock()
	}

	return nil, nil
}

func (m *testIpsetProvider) currentMocks(t *testing.T) *ipsetProviderMockedMethods {
	m.lock.Lock()
	defer m.lock.Unlock()

	mocks := m.mocks[t]

	if mocks == nil {
		mocks = &ipsetProviderMockedMethods{}
		m.mocks[t] = mocks
	}

	m.currentTest = t
	return mocks
}

type ipsetMockedMethods struct {
	addMock       func(entry string, timeout int) error
	addOptionMock func(entry string, option string, timeout int) error
	delMock       func(entry string) error
	destroyMock   func() error
	flushMock     func() error
	testMock      func(entry string) (bool, error)
}

// TestIpset is a test implementation for Ipset
type TestIpset interface {
	Ipset
	MockAdd(t *testing.T, impl func(entry string, timeout int) error)
	MockAddOption(t *testing.T, impl func(entry string, option string, timeout int) error)
	MockDel(t *testing.T, impl func(entry string) error)
	MockDestroy(t *testing.T, impl func() error)
	MockFlush(t *testing.T, impl func() error)
	MockTest(t *testing.T, impl func(entry string) (bool, error))
}

type testIpset struct {
	mocks       map[*testing.T]*ipsetMockedMethods
	lock        *sync.Mutex
	currentTest *testing.T
}

// NewTestIpset returns a new TestManipulator.
func NewTestIpset() TestIpset {
	return &testIpset{
		lock:  &sync.Mutex{},
		mocks: map[*testing.T]*ipsetMockedMethods{},
	}
}

func (m *testIpset) MockAdd(t *testing.T, impl func(entry string, timeout int) error) {

	m.currentMocks(t).addMock = impl
}

func (m *testIpset) MockAddOption(t *testing.T, impl func(entry string, option string, timeout int) error) {

	m.currentMocks(t).addOptionMock = impl
}

func (m *testIpset) MockDel(t *testing.T, impl func(entry string) error) {

	m.currentMocks(t).delMock = impl
}

func (m *testIpset) MockDestroy(t *testing.T, impl func() error) {

	m.currentMocks(t).destroyMock = impl
}

func (m *testIpset) MockFlush(t *testing.T, impl func() error) {

	m.currentMocks(t).flushMock = impl
}

func (m *testIpset) MockTest(t *testing.T, impl func(entry string) (bool, error)) {

	m.currentMocks(t).testMock = impl
}

func (m *testIpset) Add(entry string, timeout int) error {

	if mock := m.currentMocks(m.currentTest); mock != nil && mock.addMock != nil {
		return mock.addMock(entry, timeout)
	}

	return nil
}

func (m *testIpset) AddOption(entry string, option string, timeout int) error {

	if mock := m.currentMocks(m.currentTest); mock != nil && mock.addOptionMock != nil {
		return mock.addOptionMock(entry, option, timeout)
	}

	return nil
}

func (m *testIpset) Del(entry string) error {

	if mock := m.currentMocks(m.currentTest); mock != nil && mock.delMock != nil {
		return mock.delMock(entry)
	}

	return nil
}

func (m *testIpset) Destroy() error {

	if mock := m.currentMocks(m.currentTest); mock != nil && mock.destroyMock != nil {
		return mock.destroyMock()
	}
	return nil

}

func (m *testIpset) Flush() error {

	if mock := m.currentMocks(m.currentTest); mock != nil && mock.flushMock != nil {
		return mock.flushMock()
	}

	return nil
}

func (m *testIpset) Test(entry string) (bool, error) {

	if mock := m.currentMocks(m.currentTest); mock != nil && mock.testMock != nil {
		return mock.testMock(entry)
	}

	return false, nil
}

func (m *testIpset) currentMocks(t *testing.T) *ipsetMockedMethods {
	m.lock.Lock()
	defer m.lock.Unlock()

	mocks := m.mocks[t]

	if mocks == nil {
		mocks = &ipsetMockedMethods{}
		m.mocks[t] = mocks
	}

	m.currentTest = t
	return mocks
}


================================================
FILE: controller/pkg/aclprovider/iptablesprovider.go
================================================
// +build linux darwin

package provider

import (
	"bytes"
	"errors"
	"fmt"
	"os/exec"
	"strings"
	"sync"

	"go.uber.org/zap"
)

// IptablesProvider is an abstraction of all the methods an implementation of userspace
// iptables need to provide.
type IptablesProvider interface {
	BaseIPTables
	// Commit will commit changes if it is a batch provider.
	Commit() error
	// RetrieveTable allows a caller to retrieve the final table.
	RetrieveTable() map[string]map[string][]string
	// ResetRules resets the rules to a state where rules with the substring subs are removed
	ResetRules(subs string) error
}

// BaseIPTables is the base interface of iptables functions.
type BaseIPTables interface {
	// Append apends a rule to chain of table
	Append(table, chain string, rulespec ...string) error
	// Insert inserts a rule to a chain of table at the required pos
	Insert(table, chain string, pos int, rulespec ...string) error
	// Delete deletes a rule of a chain in the given table
	Delete(table, chain string, rulespec ...string) error
	// ListChains lists all the chains associated with a table
	ListChains(table string) ([]string, error)
	// ClearChain clears a chain in a table
	ClearChain(table, chain string) error
	// DeleteChain deletes a chain in the table. There should be no references to this chain
	DeleteChain(table, chain string) error
	// NewChain creates a new chain
	NewChain(table, chain string) error
	// ListRules lists the rules in the table/chain passed to it
	ListRules(table, chain string) ([]string, error)
}

// BatchProvider uses iptables-restore to program ACLs
type BatchProvider struct {
	ipt BaseIPTables

	//        TABLE      CHAIN    RULES
	rules       map[string]map[string][]string
	batchTables map[string]bool

	// Allowing for custom commit functions for testing
	commitFunc  func(buf *bytes.Buffer) error
	customChain string
	sync.Mutex
	cmd        string
	restoreCmd string
	saveCmd    string
	quote      bool
}

const (
	cmdV4        = "iptables --wait"
	cmdV6        = "ip6tables --wait"
	restoreCmdV4 = "iptables-restore"
	restoreCmdV6 = "ip6tables-restore"
	saveCmdV4    = "iptables-save"
	saveCmdV6    = "ip6tables-save"
)

// TestIptablesPinned returns error if the kernel doesn't support bpf pinning in iptables
func TestIptablesPinned(bpf string) error {
	cmd := exec.Command("aporeto-iptables", strings.Fields("iptables --wait -t mangle -I OUTPUT -m bpf --object-pinned "+bpf+" -j LOG")...)
	if _, err := cmd.CombinedOutput(); err != nil {
		return err
	}

	cmd = exec.Command("aporeto-iptables", strings.Fields("iptables --wait -t mangle -D OUTPUT -m bpf --object-pinned "+bpf+" -j LOG")...)
	if _, err := cmd.CombinedOutput(); err != nil {
		zap.L().Error("Error removing rule", zap.Error(err))
	}

	return nil
}

// NewGoIPTablesProviderV4 returns an IptablesProvider interface based on the go-iptables
// external package.
func NewGoIPTablesProviderV4(batchTables []string, customChain string) (IptablesProvider, error) {

	batchTablesMap := map[string]bool{}
	for _, t := range batchTables {
		batchTablesMap[t] = true
	}

	b := &BatchProvider{
		cmd:         cmdV4,
		rules:       map[string]map[string][]string{},
		batchTables: batchTablesMap,
		restoreCmd:  restoreCmdV4,
		saveCmd:     saveCmdV4,
		customChain: customChain,
		quote:       true,
	}

	b.commitFunc = b.restore

	return b, nil
}

// NewGoIPTablesProviderV6 returns an IptablesProvider interface based on the go-iptables
// external package.
func NewGoIPTablesProviderV6(batchTables []string, customChain string) (IptablesProvider, error) {

	batchTablesMap := map[string]bool{}
	for _, t := range batchTables {
		batchTablesMap[t] = true
	}

	b := &BatchProvider{
		cmd:         cmdV6,
		rules:       map[string]map[string][]string{},
		batchTables: batchTablesMap,
		customChain: customChain,
		restoreCmd:  restoreCmdV6,
		saveCmd:     saveCmdV6,
		quote:       true,
	}

	b.commitFunc = b.restore

	return b, nil
}

// NewCustomBatchProvider is a custom batch provider wher the downstream
// iptables utility is provided by the caller. Very useful for testing
// the ACL functions with a mock.
func NewCustomBatchProvider(ipt BaseIPTables, commit func(buf *bytes.Buffer) error, batchTables []string) *BatchProvider {

	batchTablesMap := map[string]bool{}

	for _, t := range batchTables {
		batchTablesMap[t] = true
	}

	return &BatchProvider{
		ipt:         ipt,
		rules:       map[string]map[string][]string{},
		batchTables: batchTablesMap,
		commitFunc:  commit,
	}
}

func createIPtablesCommand(iptablesCmd, table, chain, action string, rulespec ...string) []string {
	cmd := strings.Fields(iptablesCmd)
	cmd = append(cmd, "-t")
	cmd = append(cmd, table)
	cmd = append(cmd, action)
	cmd = append(cmd, chain)
	cmd = append(cmd, rulespec...)
	return cmd
}

// Append will append the provided rule to the local cache or call
// directly the iptables command depending on the table.
func (b *BatchProvider) Append(table, chain string, rulespec ...string) error {
	b.Lock()
	defer b.Unlock()

	if len(rulespec) == 0 {
		return nil
	}

	if _, ok := b.batchTables[table]; !ok {
		cmd := createIPtablesCommand(b.cmd, table, chain, "-A", rulespec...)
		execCmd := exec.Command("aporeto-iptables", cmd...)
		s, err := execCmd.CombinedOutput()
		if err != nil {
			return errors.New(string(s))
		}

		return nil
	}

	if _, ok := b.rules[table]; !ok {
		b.rules[table] = map[string][]string{}
	}

	if _, ok := b.rules[table][chain]; !ok {
		b.rules[table][chain] = []string{}
	}

	b.quoteRulesSpec(rulespec)

	rule := strings.Join(rulespec, " ")
	b.rules[table][chain] = append(b.rules[table][chain], rule)

	return nil
}

// Insert will insert the rule in the corresponding position in the local
// cache or call the corresponding iptables command, depending on the table.
func (b *BatchProvider) Insert(table, chain string, pos int, rulespec ...string) error {

	b.Lock()
	defer b.Unlock()

	if _, ok := b.batchTables[table]; !ok {
		cmd := createIPtablesCommand(b.cmd, table, chain, "-I", rulespec...)
		execCmd := exec.Command("aporeto-iptables", cmd...)
		s, err := execCmd.CombinedOutput()
		if err != nil {
			return errors.New(string(s))
		}
		return nil
	}

	if _, ok := b.rules[table]; !ok {
		b.rules[table] = map[string][]string{}
	}

	if _, ok := b.rules[table][chain]; !ok {
		b.rules[table][chain] = []string{}
	}

	b.quoteRulesSpec(rulespec)

	rule := strings.Join(rulespec, " ")

	if pos == 1 {
		b.rules[table][chain] = append([]string{rule}, b.rules[table][chain]...)
	} else if pos > len(b.rules[table][chain]) {
		b.rules[table][chain] = append(b.rules[table][chain], rule)
	} else {
		b.rules[table][chain] = append(b.rules[table][chain], "newvalue")
		copy(b.rules[table][chain][pos-1:], b.rules[table][chain][pos-2:])
		b.rules[table][chain][pos-1] = rule
	}

	return nil
}

// Delete will delete the rule from the local cache or the system.
func (b *BatchProvider) Delete(table, chain string, rulespec ...string) error {
	b.Lock()
	defer b.Unlock()

	if _, ok := b.batchTables[table]; !ok {
		cmd := createIPtablesCommand(b.cmd, table, chain, "-D", rulespec...)
		execCmd := exec.Command("aporeto-iptables", cmd...)
		s, err := execCmd.CombinedOutput()
		if err != nil {
			return errors.New(string(s))
		}
		return nil
	}

	if _, ok := b.rules[table]; !ok {
		return nil
	}

	if _, ok := b.rules[table][chain]; !ok {
		return nil
	}

	b.quoteRulesSpec(rulespec)

	rule := strings.Join(rulespec, " ")
	for index, r := range b.rules[table][chain] {
		if rule == r {
			switch index {
			case 0:
				if len(b.rules[table][chain]) == 1 {
					b.rules[table][chain] = []string{}
				} else {
					b.rules[table][chain] = b.rules[table][chain][1:]
				}
			case len(b.rules[table][chain]) - 1:
				b.rules[table][chain] = b.rules[table][chain][:index]
			default:
				b.rules[table][chain] = append(b.rules[table][chain][:index], b.rules[table][chain][index+1:]...)
			}
			break
		}
	}

	return nil
}

// ListChains returns a slice containing the name of each chain in the specified table.
func listChains(iptablesCmd, table string) ([]string, error) {
	cmd := strings.Fields(iptablesCmd)
	cmd = append(cmd, []string{"-t", table, "-S"}...)

	execCmd := exec.Command("aporeto-iptables", cmd...)
	out, err := execCmd.CombinedOutput()
	if err != nil {
		return nil, errors.New(string(out))
	}

	result := strings.Split(string(out), "\n")

	// Iterate over rules to find all default (-P) and user-specified (-N) chains.
	// Chains definition always come before rules.
	// Format is the following:
	// -P OUTPUT ACCEPT
	// -N Custom
	var chains []string
	for _, val := range result {
		if strings.HasPrefix(val, "-P") || strings.HasPrefix(val, "-N") {
			chains = append(chains, strings.Fields(val)[1])
		} else {
			break
		}
	}
	return chains, nil
}

// ListChains will provide a list of the current chains.
func (b *BatchProvider) ListChains(table string) ([]string, error) {
	b.Lock()
	defer b.Unlock()

	chains, err := listChains(b.cmd, table)
	if err != nil {
		return []string{}, err
	}

	if _, ok := b.batchTables[table]; !ok || b.rules[table] == nil {
		return chains, nil
	}

	for _, chain := range chains {
		if _, ok := b.rules[table][chain]; !ok {
			b.rules[table][chain] = []string{}
		}
	}

	allChains := make([]string, len(b.rules[table]))
	i := 0
	for chain := range b.rules[table] {
		allChains[i] = chain
		i++
	}

	return allChains, nil
}

// ClearChain will clear the chains.
func (b *BatchProvider) ClearChain(table, chain string) error {

	b.Lock()
	defer b.Unlock()

	if _, ok := b.batchTables[table]; !ok {
		cmd := strings.Fields(b.cmd)
		cmd = append(cmd, []string{"-t", table, "-F", chain}...)
		execCmd := exec.Command("aporeto-iptables", cmd...)
		s, err := execCmd.CombinedOutput()
		if err != nil {
			return errors.New(string(s))
		}
		return nil
	}

	if _, ok := b.rules[table]; !ok {
		return nil
	}
	if _, ok := b.rules[table][chain]; !ok {
		return nil
	}

	b.rules[table][chain] = []string{}
	return nil
}

// DeleteChain will delete the chains.
func (b *BatchProvider) DeleteChain(table, chain string) error {
	b.Lock()
	defer b.Unlock()

	if _, ok := b.batchTables[table]; !ok {
		cmd := strings.Fields(b.cmd)
		cmd = append(cmd, []string{"-t", table, "-X", chain}...)
		execCmd := exec.Command("aporeto-iptables", cmd...)
		s, err := execCmd.CombinedOutput()
		if err != nil {
			return errors.New(string(s))
		}
		return nil
	}

	if _, ok := b.rules[table]; !ok {
		return nil
	}

	delete(b.rules[table], chain)
	return nil
}

// NewChain creates a new chain.
func (b *BatchProvider) NewChain(table, chain string) error {
	b.Lock()
	defer b.Unlock()

	if _, ok := b.batchTables[table]; !ok {
		cmd := strings.Fields(b.cmd)
		cmd = append(cmd, []string{"-t", table, "-N", chain}...)
		execCmd := exec.Command("aporeto-iptables", cmd...)
		s, err := execCmd.CombinedOutput()
		if err != nil {
			return errors.New(string(s))
		}
		return nil
	}

	if _, ok := b.rules[table]; !ok {
		b.rules[table] = map[string][]string{}
	}

	b.rules[table][chain] = []string{}
	return nil
}

// Commit commits the rules to the system
func (b *BatchProvider) Commit() error {
	b.Lock()
	defer b.Unlock()

	// We don't commit if we don't have any tables. This is old
	// kernel compatibility mode.
	if len(b.batchTables) == 0 {
		return nil
	}

	buf, err := b.createDataBuffer()
	if err != nil {
		return fmt.Errorf("Failed to crete buffer %s", err)
	}

	return b.commitFunc(buf)
}

// RetrieveTable allows a caller to retrieve the final table. Mostly
// needed for debuging and unit tests.
func (b *BatchProvider) RetrieveTable() map[string]map[string][]string {
	b.Lock()
	defer b.Unlock()

	return b.rules
}

func (b *BatchProvider) createDataBuffer() (*bytes.Buffer, error) {

	buf := bytes.NewBuffer([]byte{})

	for table := range b.rules {
		if _, err := fmt.Fprintf(buf, "*%s\n", table); err != nil {
			return nil, err
		}
		for chain := range b.rules[table] {
			if _, err := fmt.Fprintf(buf, ":%s - [0:0]\n", chain); err != nil {
				return nil, err
			}
		}
		for chain := range b.rules[table] {
			for _, rule := range b.rules[table][chain] {
				if _, err := fmt.Fprintf(buf, "-A %s %s\n", chain, rule); err != nil {
					return nil, err
				}
			}
		}
		customChainRules, _ := b.saveCustomChainRules()
		fmt.Fprintf(buf, "%s\n", customChainRules.String())
		if _, err := fmt.Fprintf(buf, "COMMIT\n"); err != nil {
			return nil, err
		}
	}
	return buf, nil
}

// restore will save the current DB to iptables.
func (b *BatchProvider) restore(buf *bytes.Buffer) error {

	cmd := exec.Command("aporeto-iptables", b.restoreCmd, "--wait")
	cmd.Stdin = buf
	out, err := cmd.CombinedOutput()
	if err != nil {
		again, _ := b.createDataBuffer()
		zap.L().Error("Failed to execute command", zap.Error(err),
			zap.ByteString("Output", out),
			zap.String("Output", again.String()),
		)
		return fmt.Errorf("Failed to execute iptables-restore: %s", err)
	}
	return nil
}

func (b *BatchProvider) quoteRulesSpec(rulesspec []string) {

	if !b.quote {
		return
	}

	for i, rule := range rulesspec {
		if len(rulesspec[i]) > 0 && rulesspec[i][0] == '"' {
			continue
		}

		rulesspec[i] = fmt.Sprintf("\"%s\"", rule)
	}
}

// ResetRules resets the rules to the original form.
// It is implemented as "iptables-save | grep "-v" subs | iptables-restore"
func (b *BatchProvider) ResetRules(subs string) error {

	var out []byte
	var err error

	cmd := exec.Command("aporeto-iptables", b.saveCmd)
	if out, err = cmd.CombinedOutput(); err != nil {
		zap.L().Error("Failed to get iptables-save command", zap.Error(err),
			zap.String("Output", string(out)))
		return err
	}

	s := string(out)
	rules := strings.Split(s, "\n")

	var filterRules []string

	for _, rule := range rules {
		if !strings.Contains(rule, subs) {
			filterRules = append(filterRules, rule)
		}
	}

	combineRules := strings.Join(filterRules, "\n")
	buf := bytes.NewBufferString(combineRules)

	return b.commitFunc(buf)
}

func (b *BatchProvider) saveCustomChainRules() (*bytes.Buffer, error) {
	var out []byte
	var err error

	cmd := exec.Command("aporeto-iptables", b.saveCmd)
	if out, err = cmd.CombinedOutput(); err != nil {
		zap.L().Error("Failed to get iptables-save command", zap.Error(err),
			zap.String("Output", string(out)))
		return nil, err
	}

	s := string(out)
	rules := strings.Split(s, "\n")

	var filterRules []string

	for _, rule := range rules {
		if strings.Contains(rule, b.customChain) {
			filterRules = append(filterRules, rule)
		}
	}

	combineRules := strings.Join(filterRules, "\n")
	return bytes.NewBufferString(combineRules), nil

}

// ListRules lists the rules in the table/chain passed to it
func (b *BatchProvider) ListRules(table, chain string) ([]string, error) {
	var cmd *exec.Cmd

	if chain != "" {
		cmd = exec.Command("aporeto-iptables", "iptables", "--wait", "-t", table, "-L", chain)
	} else {
		cmd = exec.Command("aporeto-iptables", "iptables", "-wait", "-t", table, "-L")
	}
	out, err := cmd.CombinedOutput()
	if err != nil {
		zap.L().Error("Failed to get rules", zap.Error(err), zap.String("table", table), zap.String("chain", chain))
		return []string{}, err
	}
	rules := strings.Split(string(out), "\n")
	return rules, nil

}


================================================
FILE: controller/pkg/aclprovider/iptablesprovider_test.go
================================================
// +build !windows

package provider

import (
	"testing"

	"github.com/magiconair/properties/assert"
	. "github.com/smartystreets/goconvey/convey"
)

const (
	mangle      = "mangle"
	inputChain  = "INPUT"
	outputChain = "OUTPUT"
)

func NewTestProvider(batchTables []string, quote bool) *BatchProvider {
	batchTablesMap := map[string]bool{}
	for _, t := range batchTables {
		batchTablesMap[t] = true
	}
	return &BatchProvider{
		rules:       map[string]map[string][]string{},
		batchTables: batchTablesMap,
		quote:       quote,
	}
}

func TestAppend(t *testing.T) {
	Convey("Given a valid batch provider", t, func() {
		p := NewTestProvider([]string{mangle}, true)
		Convey("When I append a first rule, it should create the table", func() {
			err := p.Append(mangle, inputChain, "val1")
			So(err, ShouldBeNil)
			So(len(p.rules[mangle]), ShouldEqual, 1)
			So(len(p.rules[mangle][inputChain]), ShouldEqual, 1)
			So(p.rules[mangle][inputChain][0], ShouldResemble, "\"val1\"")
		})

		Convey("When I append two rules in the array, the values should be ordered ", func() {
			err := p.Append(mangle, inputChain, "val1")
			So(err, ShouldBeNil)
			err = p.Append(mangle, inputChain, "val2")
			So(err, ShouldBeNil)
			So(len(p.rules[mangle]), ShouldEqual, 1)
			So(len(p.rules[mangle][inputChain]), ShouldEqual, 2)
			rules := p.rules[mangle][inputChain]
			So(rules[0], ShouldResemble, "\"val1\"")
			So(rules[1], ShouldResemble, "\"val2\"")
		})

		Convey("When I append two rules in different chains, there should be two chains", func() {
			err := p.Append(mangle, inputChain, "val1")
			So(err, ShouldBeNil)
			err = p.Append(mangle, outputChain, "val2")
			So(err, ShouldBeNil)
			So(len(p.rules[mangle]), ShouldEqual, 2)
			So(len(p.rules[mangle][inputChain]), ShouldEqual, 1)
			So(len(p.rules[mangle][outputChain]), ShouldEqual, 1)
			So(p.rules[mangle][inputChain][0], ShouldResemble, "\"val1\"")
			So(p.rules[mangle][outputChain][0], ShouldResemble, "\"val2\"")
		})
	})
}

func TestInsert(t *testing.T) {
	Convey("Given a valid batch provider", t, func() {
		p := NewTestProvider([]string{mangle}, true)
		Convey("When I insert a first rule, it should create the table", func() {
			err := p.Insert(mangle, inputChain, 1, "val1")
			So(err, ShouldBeNil)
			So(len(p.rules[mangle]), ShouldEqual, 1)
			So(len(p.rules[mangle][inputChain]), ShouldEqual, 1)
			So(p.rules[mangle][inputChain][0], ShouldResemble, "\"val1\"")
		})

		Convey("When I insert two rules in the first position of the array, the values should be reverse ordered ", func() {
			err := p.Insert(mangle, inputChain, 1, "val1")
			So(err, ShouldBeNil)
			err = p.Insert(mangle, inputChain, 1, "val2")
			So(err, ShouldBeNil)
			So(len(p.rules[mangle]), ShouldEqual, 1)
			So(len(p.rules[mangle][inputChain]), ShouldEqual, 2)
			rules := p.rules[mangle][inputChain]
			So(rules[1], ShouldResemble, "\"val1\"")
			So(rules[0], ShouldResemble, "\"val2\"")
		})

		Convey("When I insert two rules in the first and last position of the array ", func() {
			err := p.Insert(mangle, inputChain, 1, "val1")
			So(err, ShouldBeNil)
			err = p.Insert(mangle, inputChain, 2, "val2")
			So(err, ShouldBeNil)
			So(len(p.rules[mangle]), ShouldEqual, 1)
			So(len(p.rules[mangle][inputChain]), ShouldEqual, 2)
			rules := p.rules[mangle][inputChain]
			So(rules[0], ShouldResemble, "\"val1\"")
			So(rules[1], ShouldResemble, "\"val2\"")
		})

		Convey("When I insert two rules in the first and a bad position in the array, the last one should be last ", func() {
			err := p.Insert(mangle, inputChain, 1, "val1")
			So(err, ShouldBeNil)
			err = p.Insert(mangle, inputChain, 6, "val2")
			So(err, ShouldBeNil)
			So(len(p.rules[mangle]), ShouldEqual, 1)
			So(len(p.rules[mangle][inputChain]), ShouldEqual, 2)
			rules := p.rules[mangle][inputChain]
			So(rules[0], ShouldResemble, "\"val1\"")
			So(rules[1], ShouldResemble, "\"val2\"")
		})

		Convey("When I insert a rule in the midle of the array, it should go in the right place ", func() {
			err := p.Insert(mangle, inputChain, 1, "val3")
			So(err, ShouldBeNil)
			err = p.Insert(mangle, inputChain, 1, "val2")
			So(err, ShouldBeNil)
			err = p.Insert(mangle, inputChain, 1, "val1")
			So(err, ShouldBeNil)
			err = p.Insert(mangle, inputChain, 2, "val1-2")
			So(err, ShouldBeNil)
			err = p.Insert(mangle, inputChain, 4, "val2-3")
			So(err, ShouldBeNil)
			So(len(p.rules[mangle]), ShouldEqual, 1)
			So(len(p.rules[mangle][inputChain]), ShouldEqual, 5)
			rules := p.rules[mangle][inputChain]
			So(rules[0], ShouldResemble, "\"val1\"")
			So(rules[1], ShouldResemble, "\"val1-2\"")
			So(rules[2], ShouldResemble, "\"val2\"")
			So(rules[3], ShouldResemble, "\"val2-3\"")
			So(rules[4], ShouldResemble, "\"val3\"")
		})

		Convey("When I Insert two rules in different chains, there should be two chains", func() {
			err := p.Insert(mangle, inputChain, 1, "val1")
			So(err, ShouldBeNil)
			err = p.Insert(mangle, outputChain, 1, "val2")
			So(err, ShouldBeNil)
			So(len(p.rules[mangle]), ShouldEqual, 2)
			So(len(p.rules[mangle][inputChain]), ShouldEqual, 1)
			So(len(p.rules[mangle][outputChain]), ShouldEqual, 1)
			So(p.rules[mangle][inputChain][0], ShouldResemble, "\"val1\"")
			So(p.rules[mangle][outputChain][0], ShouldResemble, "\"val2\"")
		})
	})
}

func TestInsertWithQuoteFalse(t *testing.T) {
	Convey("Given a valid batch provider", t, func() {
		p := NewTestProvider([]string{mangle}, false)
		Convey("When I insert a first rule, it should create the table", func() {
			err := p.Insert(mangle, inputChain, 1, "val1")
			So(err, ShouldBeNil)
			So(len(p.rules[mangle]), ShouldEqual, 1)
			So(len(p.rules[mangle][inputChain]), ShouldEqual, 1)
			So(p.rules[mangle][inputChain][0], ShouldResemble, "val1")
		})

		Convey("When I insert two rules in the first position of the array, the values should be reverse ordered ", func() {
			err := p.Insert(mangle, inputChain, 1, "val1")
			So(err, ShouldBeNil)
			err = p.Insert(mangle, inputChain, 1, "val2")
			So(err, ShouldBeNil)
			So(len(p.rules[mangle]), ShouldEqual, 1)
			So(len(p.rules[mangle][inputChain]), ShouldEqual, 2)
			rules := p.rules[mangle][inputChain]
			So(rules[1], ShouldResemble, "val1")
			So(rules[0], ShouldResemble, "val2")
		})

		Convey("When I insert two rules in the first and last position of the array ", func() {
			err := p.Insert(mangle, inputChain, 1, "val1")
			So(err, ShouldBeNil)
			err = p.Insert(mangle, inputChain, 2, "val2")
			So(err, ShouldBeNil)
			So(len(p.rules[mangle]), ShouldEqual, 1)
			So(len(p.rules[mangle][inputChain]), ShouldEqual, 2)
			rules := p.rules[mangle][inputChain]
			So(rules[0], ShouldResemble, "val1")
			So(rules[1], ShouldResemble, "val2")
		})

		Convey("When I insert two rules in the first and a bad position in the array, the last one should be last ", func() {
			err := p.Insert(mangle, inputChain, 1, "val1")
			So(err, ShouldBeNil)
			err = p.Insert(mangle, inputChain, 6, "val2")
			So(err, ShouldBeNil)
			So(len(p.rules[mangle]), ShouldEqual, 1)
			So(len(p.rules[mangle][inputChain]), ShouldEqual, 2)
			rules := p.rules[mangle][inputChain]
			So(rules[0], ShouldResemble, "val1")
			So(rules[1], ShouldResemble, "val2")
		})

		Convey("When I insert a rule in the midle of the array, it should go in the right place ", func() {
			err := p.Insert(mangle, inputChain, 1, "val3")
			So(err, ShouldBeNil)
			err = p.Insert(mangle, inputChain, 1, "val2")
			So(err, ShouldBeNil)
			err = p.Insert(mangle, inputChain, 1, "val1")
			So(err, ShouldBeNil)
			err = p.Insert(mangle, inputChain, 2, "val1-2")
			So(err, ShouldBeNil)
			err = p.Insert(mangle, inputChain, 4, "val2-3")
			So(err, ShouldBeNil)
			So(len(p.rules[mangle]), ShouldEqual, 1)
			So(len(p.rules[mangle][inputChain]), ShouldEqual, 5)
			rules := p.rules[mangle][inputChain]
			So(rules[0], ShouldResemble, "val1")
			So(rules[1], ShouldResemble, "val1-2")
			So(rules[2], ShouldResemble, "val2")
			So(rules[3], ShouldResemble, "val2-3")
			So(rules[4], ShouldResemble, "val3")
		})

		Convey("When I Insert two rules in different chains, there should be two chains", func() {
			err := p.Insert(mangle, inputChain, 1, "val1")
			So(err, ShouldBeNil)
			err = p.Insert(mangle, outputChain, 1, "val2")
			So(err, ShouldBeNil)
			So(len(p.rules[mangle]), ShouldEqual, 2)
			So(len(p.rules[mangle][inputChain]), ShouldEqual, 1)
			So(len(p.rules[mangle][outputChain]), ShouldEqual, 1)
			So(p.rules[mangle][inputChain][0], ShouldResemble, "val1")
			So(p.rules[mangle][outputChain][0], ShouldResemble, "val2")
		})
	})
}

func TestDelete(t *testing.T) {
	Convey("Given a valid batch provider", t, func() {
		p := NewTestProvider([]string{mangle}, true)
		Convey("When I have one rule, I should be able to delete it", func() {
			err := p.Append(mangle, inputChain, "val1")
			So(err, ShouldBeNil)
			So(len(p.rules[mangle]), ShouldEqual, 1)
			So(len(p.rules[mangle][inputChain]), ShouldEqual, 1)
			So(p.rules[mangle][inputChain][0], ShouldResemble, "\"val1\"")
			err = p.Delete(mangle, inputChain, "val1")
			So(err, ShouldBeNil)
			So(len(p.rules[mangle]), ShouldEqual, 1)
			So(len(p.rules[mangle][inputChain]), ShouldEqual, 0)
		})

		Convey("When I have two rules, I should be able to delete the second one", func() {
			err := p.Append(mangle, inputChain, "val1")
			So(err, ShouldBeNil)
			err = p.Append(mangle, inputChain, "val2")
			So(err, ShouldBeNil)
			So(len(p.rules[mangle]), ShouldEqual, 1)
			So(len(p.rules[mangle][inputChain]), ShouldEqual, 2)
			So(p.rules[mangle][inputChain][0], ShouldResemble, "\"val1\"")
			So(p.rules[mangle][inputChain][1], ShouldResemble, "\"val2\"")
			err = p.Delete(mangle, inputChain, "val2")
			So(err, ShouldBeNil)
			So(len(p.rules[mangle]), ShouldEqual, 1)
			So(len(p.rules[mangle][inputChain]), ShouldEqual, 1)
			So(p.rules[mangle][inputChain][0], ShouldResemble, "\"val1\"")
		})

		Convey("When I have two rules, I should be able to delete the first one", func() {
			err := p.Append(mangle, inputChain, "val1")
			So(err, ShouldBeNil)
			err = p.Append(mangle, inputChain, "val2")
			So(err, ShouldBeNil)
			So(len(p.rules[mangle]), ShouldEqual, 1)
			So(len(p.rules[mangle][inputChain]), ShouldEqual, 2)
			So(p.rules[mangle][inputChain][0], ShouldResemble, "\"val1\"")
			So(p.rules[mangle][inputChain][1], ShouldResemble, "\"val2\"")
			err = p.Delete(mangle, inputChain, "val1")
			So(err, ShouldBeNil)
			So(len(p.rules[mangle]), ShouldEqual, 1)
			So(len(p.rules[mangle][inputChain]), ShouldEqual, 1)
			So(p.rules[mangle][inputChain][0], ShouldResemble, "\"val2\"")
		})

		Convey("When I have three rules, I should be able to delete the middle one", func() {
			err := p.Append(mangle, inputChain, "val1")
			So(err, ShouldBeNil)
			err = p.Append(mangle, inputChain, "val2")
			So(err, ShouldBeNil)
			err = p.Append(mangle, inputChain, "val3")
			So(err, ShouldBeNil)
			So(len(p.rules[mangle]), ShouldEqual, 1)
			So(len(p.rules[mangle][inputChain]), ShouldEqual, 3)
			So(p.rules[mangle][inputChain][0], ShouldResemble, "\"val1\"")
			So(p.rules[mangle][inputChain][1], ShouldResemble, "\"val2\"")
			So(p.rules[mangle][inputChain][2], ShouldResemble, "\"val3\"")
			err = p.Delete(mangle, inputChain, "val2")
			So(err, ShouldBeNil)
			So(len(p.rules[mangle]), ShouldEqual, 1)
			So(len(p.rules[mangle][inputChain]), ShouldEqual, 2)
			So(p.rules[mangle][inputChain][0], ShouldResemble, "\"val1\"")
			So(p.rules[mangle][inputChain][1], ShouldResemble, "\"val3\"")
		})
	})
}

func TestClearChain(t *testing.T) {
	Convey("Given a valid batch provider", t, func() {
		p := NewTestProvider([]string{mangle}, true)
		Convey("If a clear an empty chain, I should get no error", func() {
			err := p.ClearChain(mangle, inputChain)
			So(err, ShouldBeNil)
			So(len(p.rules[mangle]), ShouldEqual, 0)
		})
		Convey("After I append a rule, I should be able to delete the chain", func() {
			err := p.Append(mangle, inputChain, "val1")
			So(err, ShouldBeNil)
			So(len(p.rules[mangle]), ShouldEqual, 1)
			So(len(p.rules[mangle][inputChain]), ShouldEqual, 1)
			So(p.rules[mangle][inputChain][0], ShouldResemble, "\"val1\"")
			err = p.ClearChain(mangle, inputChain)
			So(err, ShouldBeNil)
			So(len(p.rules[mangle]), ShouldEqual, 1)
			So(len(p.rules[mangle][inputChain]), ShouldEqual, 0)
		})
	})
}

func TestDeleteChain(t *testing.T) {
	Convey("Given a valid batch provider", t, func() {
		p := NewTestProvider([]string{mangle}, true)
		Convey("If a delete an empty chain, I should get no error", func() {
			err := p.ClearChain(mangle, inputChain)
			So(err, ShouldBeNil)
			So(len(p.rules[mangle]), ShouldEqual, 0)
		})
		Convey("After I append a rule, I should be able to delete the chain", func() {
			err := p.NewChain(mangle, inputChain)
			So(err, ShouldBeNil)
			So(len(p.rules[mangle]), ShouldEqual, 1)
			So(len(p.rules[mangle][inputChain]), ShouldEqual, 0)

			err = p.DeleteChain(mangle, inputChain)
			So(err, ShouldBeNil)
			So(len(p.rules[mangle]), ShouldEqual, 0)
		})
	})
}

func TestProvider(t *testing.T) {
	b, err := NewGoIPTablesProviderV4([]string{}, "")
	assert.Equal(t, b != nil, true, "go iptables should not be nil")
	assert.Equal(t, err == nil, true, "error should be nil")
	b, err = NewGoIPTablesProviderV6([]string{}, "")
	assert.Equal(t, b != nil, true, "go iptables should not be nil")
	assert.Equal(t, err == nil, true, "error should be nil")
}


================================================
FILE: controller/pkg/aclprovider/iptablesprovider_windows.go
================================================
// +build windows

package provider

import (
	"bytes"
	"fmt"
	"math"
	"strings"
	"syscall"
	"unsafe"

	winipt "go.aporeto.io/enforcerd/trireme-lib/controller/internal/windows"
	"go.aporeto.io/enforcerd/trireme-lib/utils/frontman"
	"go.uber.org/zap"
)

// IptablesProvider is an abstraction of all the methods an implementation of userspace
// iptables need to provide.
type IptablesProvider interface {
	BaseIPTables
	// Commit will commit changes if it is a batch provider.
	Commit() error
	// RetrieveTable allows a caller to retrieve the final table.
	RetrieveTable() map[string]map[string][]string
	// ResetRules resets the rules to a state where rules with the substring subs are removed
	ResetRules(subs string) error
}

// BaseIPTables is the base interface of iptables functions.
type BaseIPTables interface {
	// Append apends a rule to chain of table
	Append(table, chain string, rulespec ...string) error
	// Insert inserts a rule to a chain of table at the required pos
	Insert(table, chain string, pos int, rulespec ...string) error
	// Delete deletes a rule of a chain in the given table
	Delete(table, chain string, rulespec ...string) error
	// ListChains lists all the chains associated with a table
	ListChains(table string) ([]string, error)
	// ClearChain clears a chain in a table
	ClearChain(table, chain string) error
	// DeleteChain deletes a chain in the table. There should be no references to this chain
	DeleteChain(table, chain string) error
	// NewChain creates a new chain
	NewChain(table, chain string) error
	// ListRules lists the rules in the table/chain passed to it
	ListRules(table, chain string) ([]string, error)
}

// BatchProvider uses iptables-restore to program ACLs
type BatchProvider struct {
	ipv4 bool
}

// NewGoIPTablesProviderV4 returns an IptablesProvider interface based on the go-iptables
// external package.
func NewGoIPTablesProviderV4(batchTables []string, customChain string) (IptablesProvider, error) {
	return &BatchProvider{ipv4: true}, nil
}

// NewGoIPTablesProviderV6 returns an IptablesProvider interface based on the go-iptables
// external package.
func NewGoIPTablesProviderV6(batchTables []string, customChain string) (IptablesProvider, error) {
	return &BatchProvider{ipv4: false}, nil
}

// NewCustomBatchProvider is a custom batch provider wher the downstream
// iptables utility is provided by the caller. Very useful for testing
// the ACL functions with a mock.
func NewCustomBatchProvider(ipt BaseIPTables, commit func(buf *bytes.Buffer) error, batchTables []string) *BatchProvider {
	return &BatchProvider{ipv4: true}
}

// helper function for passing args to frontman api
func boolToUint8(b bool) uint8 {
	if b {
		return 1
	}
	return 0
}

const ipv4ChainSuffix = "-v4"
const ipv6ChainSuffix = "-v6"

func (b *BatchProvider) fixChainName(chain string) string {
	if strings.HasSuffix(chain, ipv4ChainSuffix) || strings.HasSuffix(chain, ipv6ChainSuffix) {
		return chain
	}
	if b.ipv4 {
		chain += ipv4ChainSuffix
	} else {
		chain += ipv6ChainSuffix
	}
	return chain
}

func (b *BatchProvider) fixRuleSpec(rulespec []string) []string {
	// When a rule is referencing another chain, then we need to add the IP version number.
	length := len(rulespec)
	for index, part := range rulespec {
		nextIndex := index + 1
		if part == "-j" && nextIndex < length {
			switch rulespec[nextIndex] {
			case "NFQUEUE":
			case "NFQUEUE_FORCE":
			case "REDIRECT":
			case "ACCEPT":
			case "ACCEPT_ONCE":
			case "DROP":
			case "MARK":
			case "CONNMARK":
			case "NFLOG":
			default:
				rulespec[nextIndex] = b.fixChainName(rulespec[nextIndex])
			}
		}
	}
	return rulespec
}

// Append will append the provided rule to the local cache or call
// directly the iptables command depending on the table.
func (b *BatchProvider) Append(table, chain string, rulespec ...string) error {

	chain = b.fixChainName(chain)
	rulespec = b.fixRuleSpec(rulespec)

	zap.L().Debug(fmt.Sprintf("add rule %s to table/chain %s/%s", strings.Join(rulespec, " "), table, chain))

	winRuleSpec, err := winipt.ParseRuleSpec(rulespec...)
	if err != nil {
		return err
	}

	criteriaID := strings.Join(rulespec, " ")

	argRuleSpec := frontman.RuleSpec{
		Action:    uint8(winRuleSpec.Action),
		Log:       boolToUint8(winRuleSpec.Log),
		GroupID:   uint32(winRuleSpec.GroupID),
		ProxyPort: uint16(winRuleSpec.ProxyPort),
		Mark:      uint32(winRuleSpec.Mark),
		ProcessID: uint64(winRuleSpec.ProcessID),
	}

	if b.ipv4 {
		argRuleSpec.IPVersionMatch = frontman.IPVersion4
	} else {
		argRuleSpec.IPVersionMatch = frontman.IPVersion6
	}

	if winRuleSpec.FlowMark != 0 {
		argRuleSpec.FlowMark = uint32(winRuleSpec.FlowMark)
		if winRuleSpec.FlowMarkNoMatch {
			argRuleSpec.FlowMarkMatchType = frontman.MatchTypeNoMatch
		} else {
			argRuleSpec.FlowMarkMatchType = frontman.MatchTypeMatch
		}
	}

	if winRuleSpec.TCPFlagsSpecified {
		argRuleSpec.TCPFlagsSpecified = 1
		argRuleSpec.TCPFlags = winRuleSpec.TCPFlags
		argRuleSpec.TCPFlagsMask = winRuleSpec.TCPFlagsMask
	}

	if winRuleSpec.TCPOptionSpecified {
		argRuleSpec.TCPOptionSpecified = 1
		argRuleSpec.TCPOption = winRuleSpec.TCPOption
	}

	if winRuleSpec.Protocol > 0 && winRuleSpec.Protocol < math.MaxUint8 {
		argRuleSpec.ProtocolSpecified = 1
		argRuleSpec.Protocol = uint8(winRuleSpec.Protocol)
	}
	if len(winRuleSpec.MatchSrcPort) > 0 {
		argRuleSpec.SrcPortCount = int32(len(winRuleSpec.MatchSrcPort))
		srcPorts := make([]frontman.PortRange, argRuleSpec.SrcPortCount)
		for i, portRange := range winRuleSpec.MatchSrcPort {
			srcPorts[i] = frontman.PortRange{PortStart: uint16(portRange.Start), PortEnd: uint16(portRange.End)}
		}
		argRuleSpec.SrcPorts = &srcPorts[0]
	}
	if len(winRuleSpec.MatchDstPort) > 0 {
		argRuleSpec.DstPortCount = int32(len(winRuleSpec.MatchDstPort))
		dstPorts := make([]frontman.PortRange, argRuleSpec.DstPortCount)
		for i, portRange := range winRuleSpec.MatchDstPort {
			dstPorts[i] = frontman.PortRange{PortStart: uint16(portRange.Start), PortEnd: uint16(portRange.End)}
		}
		argRuleSpec.DstPorts = &dstPorts[0]
	}
	if len(winRuleSpec.MatchBytes) > 0 {
		if winRuleSpec.MatchBytesNoMatch {
			argRuleSpec.BytesNoMatch = 1
		}
		argRuleSpec.BytesMatchStart = frontman.BytesMatchStartPayload
		argRuleSpec.BytesMatchOffset = int32(winRuleSpec.MatchBytesOffset)
		argRuleSpec.BytesMatchSize = int32(len(winRuleSpec.MatchBytes))
		argRuleSpec.BytesMatch = &winRuleSpec.MatchBytes[0]
	}
	if winRuleSpec.LogPrefix != "" {
		argRuleSpec.LogPrefix = uintptr(unsafe.Pointer(syscall.StringToUTF16Ptr(winRuleSpec.LogPrefix))) // nolint:staticcheck
	}
	if winRuleSpec.ProcessID > 0 {
		if winRuleSpec.ProcessIncludeChildrenOnly {
			argRuleSpec.ProcessFlags = frontman.ProcessMatchChildren
		} else {
			argRuleSpec.ProcessFlags = frontman.ProcessMatchProcess
			if winRuleSpec.ProcessIncludeChildren {
				argRuleSpec.ProcessFlags |= frontman.ProcessMatchChildren
			}
		}
	}
	if len(winRuleSpec.IcmpMatch) > 0 {
		argRuleSpec.IcmpRangeCount = int32(len(winRuleSpec.IcmpMatch))
		icmpRanges := make([]frontman.IcmpRange, argRuleSpec.IcmpRangeCount)
		for i, im := range winRuleSpec.IcmpMatch {
			r := frontman.IcmpRange{}
			if !im.Nomatch {
				r.IcmpTypeSpecified = 1
				r.IcmpType = uint8(im.IcmpType)
				if im.IcmpCodeRange != nil {
					r.IcmpCodeSpecified = 1
					r.IcmpCodeLower = uint8(im.IcmpCodeRange.Start)
					r.IcmpCodeUpper = uint8(im.IcmpCodeRange.End)
				}
			}
			icmpRanges[i] = r
		}
		argRuleSpec.IcmpRanges = &icmpRanges[0]
	}
	argIpsetRuleSpecs := make([]frontman.IpsetRuleSpec, len(winRuleSpec.MatchSet))
	for i, matchSet := range winRuleSpec.MatchSet {
		argIpsetRuleSpecs[i].NotIpset = boolToUint8(matchSet.MatchSetNegate)
		argIpsetRuleSpecs[i].IpsetDstIP = boolToUint8(matchSet.MatchSetDstIP)
		argIpsetRuleSpecs[i].IpsetDstPort = boolToUint8(matchSet.MatchSetDstPort)
		argIpsetRuleSpecs[i].IpsetSrcIP = boolToUint8(matchSet.MatchSetSrcIP)
		argIpsetRuleSpecs[i].IpsetSrcPort = boolToUint8(matchSet.MatchSetSrcPort)
		argIpsetRuleSpecs[i].IpsetName = uintptr(unsafe.Pointer(syscall.StringToUTF16Ptr(matchSet.MatchSetName))) // nolint:staticcheck
	}

	if winRuleSpec.GotoFilterName != "" {
		argRuleSpec.GotoFilterName = uintptr(unsafe.Pointer(syscall.StringToUTF16Ptr(winRuleSpec.GotoFilterName))) // nolint:staticcheck
	}

	return frontman.Wrapper.AppendFilterCriteria(chain, criteriaID, &argRuleSpec, argIpsetRuleSpecs)
}

// Insert will insert the rule in the corresponding position in the local
// cache or call the corresponding iptables command, depending on the table.
func (b *BatchProvider) Insert(table, chain string, pos int, rulespec ...string) error {
	chain = b.fixChainName(chain)
	zap.L().Debug(fmt.Sprintf("Insert not expected for table %s and chain %s", table, chain))
	return nil
}

// Delete will delete the rule from the local cache or the system.
func (b *BatchProvider) Delete(table, chain string, rulespec ...string) error {
	chain = b.fixChainName(chain)
	rulespec = b.fixRuleSpec(rulespec)
	criteriaID := strings.Join(rulespec, " ")
	zap.L().Debug(fmt.Sprintf("delete rule %s from table/chain %s/%s", criteriaID, table, chain))
	return frontman.Wrapper.DeleteFilterCriteria(chain, criteriaID)
}

// ListChains will provide a list of the current chains.
func (b *BatchProvider) ListChains(table string) ([]string, error) {
	var outbound bool
	if strings.HasPrefix(table, "O") || strings.HasPrefix(table, "o") {
		outbound = true
	} else if strings.HasPrefix(table, "I") || strings.HasPrefix(table, "i") {
		outbound = false
	} else {
		return nil, fmt.Errorf("'%s' is not a valid table for ListChains", table)
	}

	return frontman.Wrapper.GetFilterList(outbound)
}

// ClearChain will clear the chains.
func (b *BatchProvider) ClearChain(table, chain string) error {
	chain = b.fixChainName(chain)
	return frontman.Wrapper.EmptyFilter(chain)
}

// DeleteChain will delete the chains.
func (b *BatchProvider) DeleteChain(table, chain string) error {
	chain = b.fixChainName(chain)
	return frontman.Wrapper.DestroyFilter(chain)
}

// NewChain creates a new chain.
func (b *BatchProvider) NewChain(table, chain string) error {
	chain = b.fixChainName(chain)
	var outbound bool
	if strings.HasPrefix(table, "O") || strings.HasPrefix(table, "o") {
		outbound = true
	} else if strings.HasPrefix(table, "I") || strings.HasPrefix(table, "i") {
		outbound = false
	} else {
		return fmt.Errorf("'%s' is not a valid table for NewChain", table)
	}

	// A goto filter is outside the normal filters and a rule can jump to a "goto filter"
	// So any filter that has -Net or -App is a goto filter.
	isGotoFilter := false
	if strings.Contains(chain, "-Net") || strings.Contains(chain, "-App") {
		isGotoFilter = true
	}
	return frontman.Wrapper.AppendFilter(outbound, chain, isGotoFilter)
}

// Commit commits the rules to the system
func (b *BatchProvider) Commit() error {
	// does nothing
	return nil
}

// RetrieveTable allows a caller to retrieve the final table. Mostly
// needed for debuging and unit tests.
func (b *BatchProvider) RetrieveTable() map[string]map[string][]string {
	// not applicable for windows
	return map[string]map[string][]string{}
}

// ResetRules returns nil in windows
func (b *BatchProvider) ResetRules(subs string) error {
	// does nothing
	return nil
}

// ListRules lists the rules in the table/chain passed to it
func (b *BatchProvider) ListRules(table, chain string) ([]string, error) {
	// This is is unimplemented on windows
	return []string{}, nil
}


================================================
FILE: controller/pkg/aclprovider/iptablesprovidermock.go
================================================
package provider

import (
	"sync"
	"testing"
)

type iptablesProviderMockedMethods struct {
	appendMock        func(table, chain string, rulespec ...string) error
	insertMock        func(table, chain string, pos int, rulespec ...string) error
	deleteMock        func(table, chain string, rulespec ...string) error
	listChainsMock    func(table string) ([]string, error)
	clearChainMock    func(table, chain string) error
	deleteChainMock   func(table, chain string) error
	newChainMock      func(table, chain string) error
	commitMock        func() error
	retrieveTableMock func() map[string]map[string][]string
	resetMock         func(subs string) error
	listRulesMock     func(table, chain string) ([]string, error)
}

// TestIptablesProvider is a test implementation for IptablesProvider
type TestIptablesProvider interface {
	IptablesProvider
	MockAppend(t *testing.T, impl func(table, chain string, rulespec ...string) error)
	MockInsert(t *testing.T, impl func(table, chain string, pos int, rulespec ...string) error)
	MockDelete(t *testing.T, impl func(table, chain string, rulespec ...string) error)
	MockListChains(t *testing.T, impl func(table string) ([]string, error))
	MockClearChain(t *testing.T, impl func(table, chain string) error)
	MockDeleteChain(t *testing.T, impl func(table, chain string) error)
	MockNewChain(t *testing.T, impl func(table, chain string) error)
	MockCommit(t *testing.T, impl func() error)
	MockReset(t *testing.T, impl func(subs string) error)
	MockListRules(t *testing.T, impl func(table, chain string) ([]string, error))
}

// A testIptablesProvider is an empty TransactionalManipulator that can be easily mocked.
type testIptablesProvider struct {
	mocks       map[*testing.T]*iptablesProviderMockedMethods
	lock        *sync.Mutex
	currentTest *testing.T
}

// NewTestIptablesProvider returns a new TestManipulator.
func NewTestIptablesProvider() TestIptablesProvider {
	return &testIptablesProvider{lock: &sync.Mutex{}, mocks: map[*testing.T]*iptablesProviderMockedMethods{}}
}

func (m *testIptablesProvider) MockListRules(t *testing.T, impl func(table, chain string) ([]string, error)) {
	m.currentMocks(t).listRulesMock = impl
}
func (m *testIptablesProvider) MockAppend(t *testing.T, impl func(table, chain string, rulespec ...string) error) {

	m.currentMocks(t).appendMock = impl
}

func (m *testIptablesProvider) MockReset(t *testing.T, impl func(subs string) error) {
	m.currentMocks(t).resetMock = impl
}

func (m *testIptablesProvider) MockInsert(t *testing.T, impl func(table, chain string, pos int, rulespec ...string) error) {

	m.currentMocks(t).insertMock = impl
}

func (m *testIptablesProvider) MockDelete(t *testing.T, impl func(table, chain string, rulespec ...string) error) {

	m.currentMocks(t).deleteMock = impl
}

func (m *testIptablesProvider) MockListChains(t *testing.T, impl func(table string) ([]string, error)) {

	m.currentMocks(t).listChainsMock = impl
}

func (m *testIptablesProvider) MockClearChain(t *testing.T, impl func(table, chain string) error) {

	m.currentMocks(t).clearChainMock = impl
}

func (m *testIptablesProvider) MockDeleteChain(t *testing.T, impl func(table, chain string) error) {

	m.currentMocks(t).deleteChainMock = impl
}

func (m *testIptablesProvider) MockNewChain(t *testing.T, impl func(table, chain string) error) {

	m.currentMocks(t).newChainMock = impl
}

func (m *testIptablesProvider) MockCommit(t *testing.T, impl func() error) {
	m.currentMocks(t).commitMock = impl
}

func (m *testIptablesProvider) Append(table, chain string, rulespec ...string) error {

	if mock := m.currentMocks(m.currentTest); mock != nil && mock.appendMock != nil {
		return mock.appendMock(table, chain, rulespec...)
	}

	return nil
}

func (m *testIptablesProvider) ListRules(table, chain string) ([]string, error) {
	if mock := m.currentMocks(m.currentTest); mock != nil && mock.listRulesMock != nil {
		return mock.listRulesMock(table, chain)
	}
	return []string{}, nil
}

func (m *testIptablesProvider) Insert(table, chain string, pos int, rulespec ...string) error {
	if mock := m.currentMocks(m.currentTest); mock != nil && mock.insertMock != nil {
		return mock.insertMock(table, chain, pos, rulespec...)

	}

	return nil
}

func (m *testIptablesProvider) ResetRules(subs string) error {

	if mock := m.currentMocks(m.currentTest); mock != nil && mock.resetMock != nil {
		return mock.resetMock(subs)
	}

	return nil
}

func (m *testIptablesProvider) Delete(table, chain string, rulespec ...string) error {

	if mock := m.currentMocks(m.currentTest); mock != nil && mock.deleteMock != nil {
		return mock.deleteMock(table, chain, rulespec...)
	}

	return nil
}

func (m *testIptablesProvider) ListChains(table string) ([]string, error) {

	if mock := m.currentMocks(m.currentTest); mock != nil && mock.listChainsMock != nil {
		return mock.listChainsMock(table)
	}

	return nil, nil
}

func (m *testIptablesProvider) ClearChain(table, chain string) error {

	if mock := m.currentMocks(m.currentTest); mock != nil && mock.clearChainMock != nil {
		return mock.clearChainMock(table, chain)
	}

	return nil
}

func (m *testIptablesProvider) DeleteChain(table, chain string) error {

	if mock := m.currentMocks(m.currentTest); mock != nil && mock.deleteChainMock != nil {
		return mock.deleteChainMock(table, chain)
	}

	return nil
}

func (m *testIptablesProvider) NewChain(table, chain string) error {

	if mock := m.currentMocks(m.currentTest); mock != nil && mock.newChainMock != nil {
		return mock.newChainMock(table, chain)
	}

	return nil
}

func (m *testIptablesProvider) Commit() error {

	if mock := m.currentMocks(m.currentTest); mock != nil && mock.commitMock != nil {
		return mock.commitMock()
	}

	return nil
}

func (m *testIptablesProvider) RetrieveTable() map[string]map[string][]string {

	if mock := m.currentMocks(m.currentTest); mock != nil && mock.retrieveTableMock != nil {
		return mock.retrieveTableMock()
	}

	return nil
}

func (m *testIptablesProvider) currentMocks(t *testing.T) *iptablesProviderMockedMethods {
	m.lock.Lock()
	defer m.lock.Unlock()

	mocks := m.mocks[t]

	if mocks == nil {
		mocks = &iptablesProviderMockedMethods{}
		m.mocks[t] = mocks
	}

	m.currentTest = t
	return mocks
}


================================================
FILE: controller/pkg/auth/auth.go
================================================
package auth

import (
	"context"
	"crypto/x509"
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"
	"strings"
	"sync"

	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/secrets"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/servicetokens"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/urisearch"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/usertokens"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
	"go.uber.org/zap"
)

// CallbackResponse captures all the response data of the call back processing.
type CallbackResponse struct {
	Cookie    *http.Cookie
	Status    int
	OriginURL string
	Data      string
	Message   string
}

// Processor holds all the local data of the authorization engine. A processor
// can handle authorization for multiple services. The goal is to authenticate
// a request based on both service and user credentials.
type Processor struct {
	apis                  *urisearch.APICache
	userTokenHandler      usertokens.Verifier
	userTokenMappings     map[string]string
	userAuthorizationType policy.UserAuthorizationTypeValues
	aporetoJWT            *servicetokens.Verifier
	sync.RWMutex
}

// NewProcessor creates an auth processor with PKI user tokens. The caller
// must provide a valid secrets structure and an optional list of trustedCertificates
// that can be used to validate tokens. If the list is empty, the CA from the secrets
// will be used for token validation.
func NewProcessor(s secrets.Secrets, trustedCertificate *x509.Certificate) *Processor {
	return &Processor{
		aporetoJWT: servicetokens.NewVerifier(s, trustedCertificate),
	}
}

// UpdateSecrets will update the Aporeto secrets for the validation of the
// Aporeto tokens.
func (p *Processor) UpdateSecrets(s secrets.Secrets, trustedCertificate *x509.Certificate) {
	p.aporetoJWT.UpdateSecrets(s, trustedCertificate)
}

// AddOrUpdateService adds or replaces a service in the authorization db.
func (p *Processor) AddOrUpdateService(apis *urisearch.APICache, serviceType policy.UserAuthorizationTypeValues, handler usertokens.Verifier, mappings map[string]string) {
	p.Lock()
	defer p.Unlock()

	p.apis = apis
	p.userTokenMappings = mappings
	p.userTokenHandler = handler
	p.userAuthorizationType = serviceType
}

// UpdateServiceAPIs updates an existing service with a new API definition.
func (p *Processor) UpdateServiceAPIs(apis *urisearch.APICache) error {
	p.Lock()
	defer p.Unlock()

	p.apis = apis
	return nil
}

// DecodeUserClaims decodes the user claims with the user authorization method.
func (p *Processor) DecodeUserClaims(ctx context.Context, name, userToken string, certs []*x509.Certificate) ([]string, bool, string, error) {

	switch p.userAuthorizationType {
	case policy.UserAuthorizationMutualTLS, policy.UserAuthorizationJWT:
		// First parse any incoming certificates and retrieve attributes from them.
		// This is used in case of client authorization with certificates.
		attributes := []string{}
		for _, cert := range certs {
			attributes = append(attributes, "CN="+cert.Subject.CommonName)
			for _, email := range cert.EmailAddresses {
				attributes = append(attributes, "Email="+email)
			}
			for _, org := range cert.Subject.Organization {
				attributes = append(attributes, "O="+org)
			}
			for _, org := range cert.Subject.OrganizationalUnit {
				attributes = append(attributes, "OU="+org)
			}
		}

		if p.userAuthorizationType == policy.UserAuthorizationJWT && p.userTokenHandler != nil {
			jwtAttributes, _, _, err := p.userTokenHandler.Validate(ctx, userToken)
			if err != nil {
				return attributes, false, userToken, fmt.Errorf("Unable to decode JWT: %s", err)
			}
			attributes = append(attributes, jwtAttributes...)
		}

		return attributes, false, userToken, nil

	case policy.UserAuthorizationOIDC:
		// Now we can parse the user claims.
		if p.userTokenHandler == nil {
			zap.L().Error("Internal Server Error: OIDC User Token Handler not configured")
			return []string{}, false, userToken, nil
		}
		return p.userTokenHandler.Validate(ctx, userToken)
	default:
		return []string{}, false, userToken, nil
	}
}

// DecodeAporetoClaims decodes the Aporeto claims
func (p *Processor) DecodeAporetoClaims(aporetoToken string, publicKey string) (string, []string, *policy.PingPayload, error) {
	if len(aporetoToken) == 0 || p.aporetoJWT == nil {
		return "", []string{}, nil, nil
	}

	// Finally we can parse the Aporeto token.
	id, scopes, profile, pingPayload, err := p.aporetoJWT.ParseToken(aporetoToken, publicKey)
	if err != nil {
		return "", []string{}, nil, fmt.Errorf("Invalid Aporeto Token: %s", err)
	}

	return id, append(profile, scopes...), pingPayload, nil
}

// Callback is function called by and IDP auth provider will exchange the provided
// authorization code with a JWT token. This closes the Oauth loop.
func (p *Processor) Callback(ctx context.Context, u *url.URL) (*CallbackResponse, error) {
	p.RLock()
	defer p.RUnlock()

	c := &CallbackResponse{}

	// Validate the JWT token through the handler.
	token, originURL, status, err := p.userTokenHandler.Callback(ctx, u)
	if err != nil {
		c.Status = http.StatusUnauthorized
		c.Message = fmt.Sprintf("Invalid code %s:", err)
		return c, err
	}

	c.OriginURL = originURL
	c.Status = status
	c.Cookie = &http.Cookie{
		Name:     "X-APORETO-AUTH",
		Value:    token,
		HttpOnly: true,
		Secure:   true,
		Path:     "/",
	}

	// We transmit the information in the return payload for applications
	// that choose to use it directly without a cookie.
	data, err := json.MarshalIndent(c.Cookie, " ", " ")
	if err != nil {
		c.Status = http.StatusInternalServerError
		c.Message = "Unable to decode data"
		return c, err
	}

	c.Data = string(data)

	return c, nil
}

// Check is the main method that will search API cache and validate whether the call should
// be allowed. It returns two values. If the access is allowed, and whether the access
// public or not. This allows callers to decide what to do when there is a failure, and
// potentially issue a redirect.
func (p *Processor) Check(method, uri string, claims []string) (bool, bool) {
	p.RLock()
	defer p.RUnlock()

	return p.apis.FindAndMatchScope(method, uri, claims)
}

// RedirectURI returns the redirect URI in order to start the authentication dance.
func (p *Processor) RedirectURI(originURL string) string {
	p.RLock()
	defer p.RUnlock()

	return p.userTokenHandler.IssueRedirect(originURL)
}

// UpdateRequestHeaders will update the request headers based on the user claims
// and the corresponding mappings.
func (p *Processor) UpdateRequestHeaders(h http.Header, claims []string) {
	p.RLock()
	defer p.RUnlock()

	if len(p.userTokenMappings) == 0 {
		return
	}

	for _, claim := range claims {
		parts := strings.SplitN(claim, "=", 2)
		if header, ok := p.userTokenMappings[parts[0]]; ok && len(parts) == 2 {
			h.Add(header, parts[1])
		}
	}
}

// RetrieveServiceHandler will retrieve the service that is stored in the serviceMap
func (p *Processor) RetrieveServiceHandler() (usertokens.Verifier, error) {
	return p.userTokenHandler, nil
}


================================================
FILE: controller/pkg/bufferpool/bufferpool.go
================================================
package bufferpool

import (
	"sync"
)

// BufferPool implements the interface of httputil.BufferPool in order
// to improve memory utilization in the reverse proxy.
type BufferPool struct {
	s sync.Pool
}

// NewPool creates a new BufferPool.
func NewPool(size int) *BufferPool {
	return &BufferPool{
		s: sync.Pool{
			New: func() interface{} {
				return make([]byte, size)
			},
		},
	}
}

// Get gets a buffer from the pool.
func (b *BufferPool) Get() []byte {
	return b.s.Get().([]byte)
}

// Put returns the buffer to the pool.
func (b *BufferPool) Put(buf []byte) {
	b.s.Put(buf) // nolint
}


================================================
FILE: controller/pkg/claimsheader/bytes.go
================================================
package claimsheader

// HeaderBytes is the claimsheader in bytes
type HeaderBytes []byte

// ToClaimsHeader parses the bytes and returns the ClaimsHeader
func (h HeaderBytes) ToClaimsHeader() *ClaimsHeader {

	if h == nil || len(h) != maxHeaderLen {
		return NewClaimsHeader()
	}

	compressionTypeMask := compressionTypeMask(h.extractHeaderAttribute(h[0], compressionTypeBitMask.toUint8()))
	datapathVersionMask := datapathVersionMask(h.extractHeaderAttribute(h[0], datapathVersionBitMask.toUint8()))

	return &ClaimsHeader{
		compressionType: compressionTypeMask.toType(),
		encrypt:         uint8ToBool(encrypt, h.extractHeaderAttribute(h[1], encryptionEnabledBit)),
		ping:            uint8ToBool(ping, h.extractHeaderAttribute(h[1], pingEnabledBit)),
		datapathVersion: datapathVersionMask.toType(),
	}
}

// extractHeaderAttribute returns the attribute from byte
// mask - mask specific to the attribute
func (h HeaderBytes) extractHeaderAttribute(attr byte, mask uint8) uint8 {

	return attr & mask
}


================================================
FILE: controller/pkg/claimsheader/bytes_test.go
================================================
// +build !windows

package claimsheader

import (
	"testing"

	. "github.com/smartystreets/goconvey/convey"
)

func TestHeaderBytes(t *testing.T) {

	Convey("Given I create a new header bytes", t, func() {
		header := NewClaimsHeader(
			OptionCompressionType(CompressionTypeV1),
			OptionEncrypt(true),
			OptionDatapathVersion(DatapathVersion1),
			OptionPing(true),
		).ToBytes()

		Convey("Then header bytes should not be nil", func() {
			So(header, ShouldNotBeNil)
		})

		Convey("Given I convert bytes to claims header", func() {
			ch := header.ToClaimsHeader()

			Convey("Then it should be equal", func() {
				So(ch.compressionType, ShouldEqual, CompressionTypeV1)
				So(ch.encrypt, ShouldEqual, true)
				So(ch.datapathVersion, ShouldEqual, DatapathVersion1)
				So(ch.ping, ShouldEqual, true)
			})
		})
	})
}


================================================
FILE: controller/pkg/claimsheader/claimsheader.go
================================================
package claimsheader

// NewClaimsHeader returns claims header handler
func NewClaimsHeader(opts ...Option) *ClaimsHeader {

	c := &ClaimsHeader{}

	for _, opt := range opts {
		opt(c)
	}

	return c
}

// ToBytes generates the 32-bit header in bytes
//    0             1              2               3               4
//  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
//  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
//  |     D     |CT |E|P|            R (reserved)                   |
//  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
//  D  [0:5]   - Datapath version
//  CT [6,7]   - Compressed tag type
//  E  [8]     - Encryption enabled
//  P  [9]     - Ping enabled
//  R  [10:31] - Reserved
func (c *ClaimsHeader) ToBytes() HeaderBytes {

	claimsHeaderData := make([]byte, maxHeaderLen)
	claimsHeaderData[0] |= c.datapathVersion.toMask().toUint8()
	claimsHeaderData[0] |= c.compressionType.toMask().toUint8()
	claimsHeaderData[1] |= boolToUint8(encrypt, c.encrypt)
	claimsHeaderData[1] |= boolToUint8(ping, c.ping)

	return claimsHeaderData
}

// CompressionType is the compression type
func (c *ClaimsHeader) CompressionType() CompressionType {

	return c.compressionType
}

// Encrypt is the encrypt in bool
func (c *ClaimsHeader) Encrypt() bool {

	return c.encrypt
}

// DatapathVersion is the datapath version
func (c *ClaimsHeader) DatapathVersion() DatapathVersion {

	return c.datapathVersion
}

// Ping returns the ping in bool
func (c *ClaimsHeader) Ping() bool {

	return c.ping
}

// SetCompressionType sets the compression type
func (c *ClaimsHeader) SetCompressionType(ct CompressionType) {

	c.compressionType = ct
}

// SetEncrypt sets the encrypt
func (c *ClaimsHeader) SetEncrypt(e bool) {

	c.encrypt = e
}

// SetDatapathVersion sets the datapath version
func (c *ClaimsHeader) SetDatapathVersion(dv DatapathVersion) {

	c.datapathVersion = dv
}

// SetPing sets the ping
func (c *ClaimsHeader) SetPing(ping bool) {

	c.ping = ping
}


================================================
FILE: controller/pkg/claimsheader/claimsheader_test.go
================================================
// +build !windows

package claimsheader

import (
	"testing"

	. "github.com/smartystreets/goconvey/convey"
)

func TestHeader(t *testing.T) {

	Convey("Given I create a new claims header", t, func() {
		header := NewClaimsHeader(
			OptionEncrypt(true),
			OptionCompressionType(CompressionTypeV1),
			OptionDatapathVersion(DatapathVersion1),
			OptionPing(true),
		).ToBytes()

		Convey("Then claims header should not be nil", func() {
			So(header, ShouldNotBeNil)
		})

		Convey("Given I convert bytes to claims header", func() {
			ch := header.ToClaimsHeader()

			Convey("Then it should be equal", func() {
				So(ch.CompressionType(), ShouldEqual, CompressionTypeV1)
				So(ch.Encrypt(), ShouldEqual, true)
				So(ch.DatapathVersion(), ShouldEqual, DatapathVersion1)
				So(ch.Ping(), ShouldEqual, true)
			})
		})
	})

	Convey("Given I create a new claims header and encrypt false", t, func() {
		header := NewClaimsHeader(
			OptionEncrypt(false),
			OptionPing(true),
			OptionCompressionType(CompressionTypeV1),
			OptionDatapathVersion(DatapathVersion1),
		).ToBytes()

		Convey("Then claims header should not be nil", func() {
			So(header, ShouldNotBeNil)
		})

		Convey("Given I convert bytes to claims header", func() {
			ch := header.ToClaimsHeader()

			Convey("Then it should be equal", func() {
				So(ch.CompressionType(), ShouldEqual, CompressionTypeV1)
				So(ch.Encrypt(), ShouldEqual, false)
				So(ch.Ping(), ShouldEqual, true)
				So(ch.DatapathVersion(), ShouldEqual, DatapathVersion1)
			})
		})
	})

	Convey("Given I create a new claims header and with no ping", t, func() {
		header := NewClaimsHeader(
			OptionEncrypt(false),
			OptionDatapathVersion(DatapathVersion1),
		).ToBytes()

		Convey("Then claims header should not be nil", func() {
			So(header, ShouldNotBeNil)
		})

		Convey("Given I convert bytes to claims header", func() {
			ch := header.ToClaimsHeader()

			Convey("Then it should be equal", func() {
				So(ch.CompressionType(), ShouldEqual, CompressionTypeV1)
				So(ch.Encrypt(), ShouldEqual, false)
				So(ch.Ping(), ShouldEqual, false)
				So(ch.DatapathVersion(), ShouldEqual, DatapathVersion1)
			})
		})
	})

	Convey("Given I create a new claims header and encrypt false", t, func() {
		header := NewClaimsHeader(
			OptionEncrypt(false),
			OptionPing(false),
			OptionCompressionType(CompressionTypeV1),
			OptionDatapathVersion(DatapathVersion1),
		).ToBytes()

		Convey("Then claims header should not be nil", func() {
			So(header, ShouldNotBeNil)
		})

		Convey("Given I convert bytes to claims header", func() {
			ch := header.ToClaimsHeader()

			Convey("Then it should be equal", func() {
				So(ch.CompressionType(), ShouldEqual, CompressionTypeV1)
				So(ch.Encrypt(), ShouldEqual, false)
				So(ch.Ping(), ShouldEqual, false)
				So(ch.DatapathVersion(), ShouldEqual, DatapathVersion1)
			})
		})
	})

	Convey("Given I create a new claims header and change it later", t, func() {
		header := NewClaimsHeader(
			OptionEncrypt(false),
			OptionDatapathVersion(DatapathVersion1),
			OptionPing(false),
		)

		Convey("Then claims header should not be nil", func() {
			So(header, ShouldNotBeNil)
		})

		Convey("Given I convert bytes to claims header", func() {
			ch := header.ToBytes().ToClaimsHeader()

			Convey("Then it should be equal", func() {
				So(ch.CompressionType(), ShouldEqual, CompressionTypeV1)
				So(ch.Encrypt(), ShouldEqual, false)
				So(ch.DatapathVersion(), ShouldEqual, DatapathVersion1)
				So(ch.Ping(), ShouldEqual, false)
			})
		})

		Convey("Given I set different compression type and encrypt", func() {
			header.SetCompressionType(CompressionTypeV1)
			header.SetEncrypt(true)
			header.SetPing(true)
			ch := header.ToBytes().ToClaimsHeader()

			Convey("Then it should be equal", func() {
				So(ch.CompressionType(), ShouldEqual, CompressionTypeV1)
				So(ch.Encrypt(), ShouldEqual, true)
				So(ch.DatapathVersion(), ShouldEqual, DatapathVersion1)
				So(ch.Ping(), ShouldEqual, true)
			})
		})
	})

	Convey("Given I try retrieve fields without any data", t, func() {
		ch := &ClaimsHeader{}

		Convey("Then it should be equal", func() {
			So(ch.CompressionType(), ShouldEqual, 0)
			So(ch.Encrypt(), ShouldEqual, false)
			So(ch.DatapathVersion(), ShouldEqual, DatapathVersion1)
		})
	})
}


================================================
FILE: controller/pkg/claimsheader/constants.go
================================================
package claimsheader

const (
	// maxHeaderLen must be maximimum claims header length
	maxHeaderLen = 4
	// zeroBit is the value 0
	zeroBit = 0x00
	// encryptionEnabledBit that is set in the bytes
	encryptionEnabledBit = 0x01
	// pingEnabledBit that is set in the bytes
	pingEnabledBit = 0x02
)


================================================
FILE: controller/pkg/claimsheader/ct.go
================================================
package claimsheader

import "strconv"

// CompressionType defines the compression used.
type CompressionType int

const (

	// CompressionTypeV1 is version 1 of compression
	CompressionTypeV1 CompressionType = iota
)

const (
	// CompressedTagLengthV1 is version 1 length of tags
	CompressedTagLengthV1 int = 12

	// CompressedTagLengthV2 is version 2 length of tags
	CompressedTagLengthV2 int = 8
)

// toMask returns the mask based on the type
func (ct CompressionType) toMask() compressionTypeMask {

	return compressionTypeV1Mask

}

func (ct CompressionType) toString() string {

	return strconv.Itoa(int(ct))
}

// compressionTypeMask defines the compression mask.
type compressionTypeMask uint8

const (
	// compressionTypeV1Mask mask that identifies compression type v1
	compressionTypeV1Mask compressionTypeMask = 0x80
	// compressionTypeBitMask mask used to check relevant compression types
	compressionTypeBitMask compressionTypeMask = 0xC0
)

// toType returns the type based on mask
func (cm compressionTypeMask) toType() CompressionType {
	return CompressionTypeV1
}

// toUint8 returns uint8 from compressiontypemask
func (cm compressionTypeMask) toUint8() uint8 {

	return uint8(cm)
}

// CompressionTypeToTagLength converts CompressionType to length.
func CompressionTypeToTagLength(t CompressionType) int {

	return CompressedTagLengthV1

}

// String2CompressionType is a helper to convert string to compression type
func String2CompressionType(s string) CompressionType {

	return CompressionTypeV1

}


================================================
FILE: controller/pkg/claimsheader/datapath_version.go
================================================
package claimsheader

// DatapathVersion defines the datapath version
type DatapathVersion int

// DatapathVersion constants
const (
	DatapathVersion1 DatapathVersion = iota
	DatapathVersion2
)

func (dv DatapathVersion) toMask() datapathVersionMask { // nolint

	if dv == DatapathVersion1 {
		return datapathVersion
	}

	return zeroBit
}

// datapathVersion is the enforcer version
// TODO: Enable this in datapath
type datapathVersionMask uint8

const (
	datapathVersion        datapathVersionMask = 0x00
	datapathVersionBitMask datapathVersionMask = 0x3F
)

func (dm datapathVersionMask) toType() DatapathVersion {

	if dm == datapathVersion {
		return DatapathVersion1
	}

	return -1
}

// toUint8 returns uint8 from datapathVersionMask
func (dm datapathVersionMask) toUint8() uint8 {

	return uint8(dm)
}


================================================
FILE: controller/pkg/claimsheader/options.go
================================================
package claimsheader

// Option is used to set claimsheader fields
type Option func(*ClaimsHeader)

// OptionCompressionType sets compression Type
func OptionCompressionType(compressionType CompressionType) Option {

	return func(c *ClaimsHeader) {
		c.compressionType = compressionType
	}
}

// OptionEncrypt sets encryption
func OptionEncrypt(encrypt bool) Option {

	return func(c *ClaimsHeader) {
		c.encrypt = encrypt
	}
}

// OptionDatapathVersion sets handshake version
func OptionDatapathVersion(datapathVersion DatapathVersion) Option {

	return func(c *ClaimsHeader) {
		c.datapathVersion = datapathVersion
	}
}

// OptionPing sets ping
func OptionPing(ping bool) Option {

	return func(c *ClaimsHeader) {
		c.ping = ping
	}
}


================================================
FILE: controller/pkg/claimsheader/ping_type.go
================================================
package claimsheader

// PingType defines the ping type.
type PingType int

// PingType options.
const (
	PingTypeNone PingType = iota
	PingTypeDefaultIdentity
	PingTypeCustomIdentity
	PingTypeDefaultIdentityPassthrough
)

// toMask returns the mask based on the type
func (pt PingType) toMask() pingTypeMask {

	switch pt {
	case PingTypeNone:
		return pingTypeNoneMask
	case PingTypeDefaultIdentity:
		return pingTypeDefaultIdentityMask
	case PingTypeCustomIdentity:
		return pingTypeCustomIdentityMask
	case PingTypeDefaultIdentityPassthrough:
		return pingTypeDefaultIdentityPassthroughMask
	default:
		return pingTypeNoneMask
	}
}

// toMask returns the mask based on the type
func (pt PingType) String() string {

	switch pt {
	case PingTypeNone:
		return "None"
	case PingTypeDefaultIdentity:
		return "DefaultIdentity"
	case PingTypeCustomIdentity:
		return "CustomIdentity"
	case PingTypeDefaultIdentityPassthrough:
		return "DefaultIdentityPassthrough"
	default:
		return "None"
	}
}

// pingTypeMask defines the ping type mask.
type pingTypeMask uint8

// PingTypeMask options.
const (
	pingTypeNoneMask                       pingTypeMask = 0x02
	pingTypeDefaultIdentityMask            pingTypeMask = 0x04
	pingTypeCustomIdentityMask             pingTypeMask = 0x06
	pingTypeDefaultIdentityPassthroughMask pingTypeMask = 0x08
	pingTypeBitMask                        pingTypeMask = 0x3E
)

// toType returns the type based on mask
func (pm pingTypeMask) toType() PingType {

	switch pm {
	case pingTypeNoneMask:
		return PingTypeNone
	case pingTypeDefaultIdentityMask:
		return PingTypeDefaultIdentity
	case pingTypeCustomIdentityMask:
		return PingTypeCustomIdentity
	case pingTypeDefaultIdentityPassthroughMask:
		return PingTypeDefaultIdentityPassthrough
	default:
		return PingTypeNone
	}
}

// toUint8 returns uint8 from PingTypemask
func (pm pingTypeMask) toUint8() uint8 {

	return uint8(pm)
}


================================================
FILE: controller/pkg/claimsheader/types.go
================================================
package claimsheader

// ClaimsHeader holds header sub attributes
type ClaimsHeader struct {
	// CompressionType represents compressed tag mode attribute
	compressionType CompressionType
	// Encrypt represents enryption enabled attribute
	encrypt bool
	// Handshake type represents datapath version
	datapathVersion DatapathVersion
	// Ping represents ping is set
	ping bool
}

type boolType int

const (
	encrypt boolType = iota
	ping
)

// boolToUint8 converts bool to uint8
// to populate the bits based on v
func boolToUint8(t boolType, v bool) uint8 {

	if !v {
		return zeroBit
	}

	switch t {
	case encrypt:
		return encryptionEnabledBit
	case ping:
		return pingEnabledBit
	default:
		return zeroBit
	}
}

// uint8ToBool converts uint8 to bool
// to populate the struct based on n
func uint8ToBool(t boolType, n uint8) bool {

	switch t {
	case encrypt:
		return n == encryptionEnabledBit
	case ping:
		return n == pingEnabledBit
	default:
		return false
	}
}


================================================
FILE: controller/pkg/cleaner/cleaner.go
================================================
package cleaner

import (
	"fmt"

	"go.aporeto.io/enforcerd/trireme-lib/controller/constants"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/supervisor/iptablesctrl"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/fqconfig"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
)

// CleanAllTriremeACLs cleans up all previous Trireme ACLs. It can be called from
// other packages for housekeeping.
// TODO: fix this, this was ok before, but it's ugly now because we have to
//       injecting iptablesLockfile here..
//       iptables and it's configuration is part of trireme and iptables cleanup should
//       be done when the trireme instance starts up.
func CleanAllTriremeACLs(iptablesLockfile string) error {

	fq := fqconfig.NewFilterQueue(0, nil)

	ipt, err := iptablesctrl.NewInstance(fq, constants.LocalServer, true, nil, iptablesLockfile, policy.None)
	if err != nil {
		return fmt.Errorf("unable to initialize cleaning iptables controller: %s", err)
	}

	return ipt.CleanUp()
}


================================================
FILE: controller/pkg/connection/connection.go
================================================
package connection

import (
	"fmt"
	"net"
	"strconv"
	"sync"
	"sync/atomic"
	"time"

	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/nfqdatapath/afinetrawsocket"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/utils/ephemeralkeys"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/counters"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packet"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/pingconfig"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/pucontext"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/secrets"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/tokens"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
	"go.aporeto.io/enforcerd/trireme-lib/utils/cache"
	"go.aporeto.io/enforcerd/trireme-lib/utils/crypto"
	"go.uber.org/zap"
)

// TCPFlowState identifies the constants of the state of a TCP connectioncon
type TCPFlowState int

// UDPFlowState identifies the constants of the state of a UDP connection.
type UDPFlowState int

// ProxyConnState identifies the constants of the state of a proxied connection
type ProxyConnState int

const (

	// TCPSynSend is the state where the Syn packets has been send, but no response has been received
	TCPSynSend TCPFlowState = iota

	// TCPSynReceived indicates that the syn packet has been received
	TCPSynReceived

	// TCPSynAckSend indicates that the SynAck packet has been send
	TCPSynAckSend

	// TCPSynAckReceived is the state where the SynAck has been received
	TCPSynAckReceived

	// TCPAckSend indicates that the ack packets has been sent
	TCPAckSend

	// TCPAckProcessed is the state that the negotiation has been completed
	TCPAckProcessed

	// TCPData indicates that the packets are now data packets
	TCPData

	// UnknownState indicates that this an existing connection in the unknown state.
	UnknownState
)

const (
	// ClientTokenSend Init token send for client
	ClientTokenSend ProxyConnState = iota

	// ServerReceivePeerToken -- waiting to receive peer token
	ServerReceivePeerToken

	// ServerSendToken -- Send our own token and the client tokens
	ServerSendToken

	// ClientPeerTokenReceive -- Receive signed tokens from server
	ClientPeerTokenReceive

	// ClientSendSignedPair -- Sign the (token/nonce pair) and send
	ClientSendSignedPair

	// ServerAuthenticatePair -- Authenticate pair of tokens
	ServerAuthenticatePair
)

const (
	// UDPStart is the state where a syn will be sent.
	UDPStart UDPFlowState = iota

	// UDPClientSendSyn is the state where a syn has been sent.
	UDPClientSendSyn

	// UDPClientSendAck  is the state where application side has send the ACK.
	UDPClientSendAck

	// UDPReceiverSendSynAck is the state where syn ack packet has been sent.
	UDPReceiverSendSynAck

	// UDPReceiverProcessedAck is the state that the negotiation has been completed.
	UDPReceiverProcessedAck

	// UDPData is the state where data is being transmitted.
	UDPData

	// UDPRST is the state when we received rst from peer. This connection is dead
	UDPRST
)

// MaximumUDPQueueLen is the maximum number of UDP packets buffered.
const MaximumUDPQueueLen = 50

// AuthInfo keeps authentication information about a connection
type AuthInfo struct {
	Nonce                        [tokens.NonceLength]byte
	RemoteNonce                  []byte
	RemoteContextID              string
	RemoteIP                     string
	RemotePort                   string
	LocalDatapathPrivateKey      *ephemeralkeys.PrivateKey
	SecretKey                    []byte
	LocalDatapathPublicKeyV1     []byte
	LocalDatapathPublicKeySignV1 []byte
	LocalDatapathPublicKeyV2     []byte
	LocalDatapathPublicKeySignV2 []byte
	ConnectionClaims             tokens.ConnectionClaims
	SynAckToken                  []byte
	AckToken                     []byte
	Proto314                     bool
}

//TCPTuple contains the 4 tuple for tcp connection
type TCPTuple struct {
	SourceAddress      net.IP
	DestinationAddress net.IP
	SourcePort         uint16
	DestinationPort    uint16
}

// TCPConnection is information regarding TCP Connection
type TCPConnection struct {
	sync.RWMutex

	state TCPFlowState
	Auth  AuthInfo

	// ServiceData allows services to associate state with a connection
	ServiceData interface{}

	// Context is the pucontext.PUContext that is associated with this connection
	// Minimizes the number of caches and lookups
	Context *pucontext.PUContext

	// TimeOut signals the timeout to be used by the state machines
	TimeOut time.Duration

	// ServiceConnection indicates that this connection is handled by a service
	ServiceConnection bool

	// LoopbackConnection indicates that this connections is within the same pu context.
	loopbackConnection bool

	// ReportFlowPolicy holds the last matched observed policy
	ReportFlowPolicy *policy.FlowPolicy

	// PacketFlowPolicy holds the last matched actual policy
	PacketFlowPolicy *policy.FlowPolicy

	// MarkForDeletion -- this is is used only in conjunction with serviceconnection. Its a hint for us if we have a fin for an earlier connection
	// and this is reused port flow.
	MarkForDeletion bool

	RetransmittedSynAck bool

	expiredConnection bool

	// TCPtuple is tcp tuple
	TCPtuple *TCPTuple

	// PingConfig is the config that holds ping related information.
	PingConfig *pingconfig.PingConfig

	Secrets secrets.Secrets

	SourceController      string
	DestinationController string
	initialSequenceNumber uint32
	timer                 *time.Timer
	counter               uint32
	reportReason          string
	connectionTimeout     time.Duration
	EncodedBuf            [tokens.ClaimsEncodedBufSize]byte
}

//DefaultConnectionTimeout is used as the timeout for connection in the cache.
var DefaultConnectionTimeout = 24 * time.Second

//StartTimer starts the timer for 24 seconds and
//on expiry will call the function passed in the argument.
func (c *TCPConnection) StartTimer(f func()) {
	if c.timer == nil {
		c.timer = time.AfterFunc(c.connectionTimeout, f)
	} else {
		c.timer.Reset(c.connectionTimeout)
	}
}

//StopTimer will stop the timer in the connection object.
func (c *TCPConnection) StopTimer() {
	if c.timer != nil {
		c.timer.Stop()
	}
}

//ResetTimer resets the timer
func (c *TCPConnection) ResetTimer(newTimeout time.Duration) {
	if c.timer != nil {
		c.timer.Reset(newTimeout)
	}
}

func (tcpTuple *TCPTuple) String() string {
	return "sip: " + tcpTuple.SourceAddress.String() + " dip: " + tcpTuple.DestinationAddress.String() + " sport: " + strconv.Itoa(int(tcpTuple.SourcePort)) + " dport: " + strconv.Itoa(int(tcpTuple.DestinationPort))
}

// String returns a printable version of connection
func (c *TCPConnection) String() string {
	return fmt.Sprintf("state:%d auth: %+v", c.state, c.Auth)
}

// PingEnabled returns true if ping is enabled for this connection
func (c *TCPConnection) PingEnabled() bool {
	return c.PingConfig != nil
}

// GetState is used to return the state
func (c *TCPConnection) GetState() TCPFlowState {
	return c.state
}

// GetStateString is used to return the state as string
func (c *TCPConnection) GetStateString() string {

	switch c.state {
	case TCPSynSend:
		return "TCPSynSend"

	case TCPSynReceived:
		return "TCPSynReceived"

	case TCPSynAckSend:
		return "TCPSynAckSend"

	case TCPSynAckReceived:
		return "TCPSynAckReceived"

	case TCPAckSend:
		return "TCPAckSend"

	case TCPAckProcessed:
		return "TCPAckProcessed"

	case TCPData:
		return "TCPData"

	default:
		return "UnknownState"
	}
}

// GetInitialSequenceNumber returns the initial sequence number that was found on the syn packet
// corresponding to this TCP Connection
func (c *TCPConnection) GetInitialSequenceNumber() uint32 {
	return c.initialSequenceNumber
}

// GetMarkForDeletion returns the state of markForDeletion flag
func (c *TCPConnection) GetMarkForDeletion() bool {
	c.RLock()
	defer c.RUnlock()
	return c.MarkForDeletion
}

// IncrementCounter increments counter for this connection
func (c *TCPConnection) IncrementCounter() {
	atomic.AddUint32(&c.counter, 1)
}

// GetCounterAndReset returns the counter and resets it to zero
func (c *TCPConnection) GetCounterAndReset() uint32 {
	return atomic.SwapUint32(&c.counter, 0)
}

// GetReportReason returns the reason for reporting this connection
func (c *TCPConnection) GetReportReason() string {

	c.RLock()
	defer c.RUnlock()

	return c.reportReason
}

// SetReportReason sets the reason for reporting this connection
func (c *TCPConnection) SetReportReason(reason string) {

	c.Lock()
	c.reportReason = reason
	c.Unlock()
}

// SetState is used to setup the state for the TCP connection
func (c *TCPConnection) SetState(state TCPFlowState) {
	c.state = state
}

// Cleanup will provide information when a connection is removed by a timer.
func (c *TCPConnection) Cleanup() {

	c.Lock()
	if !c.expiredConnection && c.state != TCPData {
		c.expiredConnection = true
		if c.Context != nil {
			c.Context.Counters().IncrementCounter(counters.ErrTCPConnectionsExpired)
		}
	}
	c.Unlock()
}

// SetLoopbackConnection sets LoopbackConnection field.
func (c *TCPConnection) SetLoopbackConnection(isLoopback bool) {
	// Logging information
	c.loopbackConnection = isLoopback
}

// IsLoopbackConnection sets LoopbackConnection field.
func (c *TCPConnection) IsLoopbackConnection() bool {
	// Logging information
	return c.loopbackConnection
}

// SetLoopbackConnection sets LoopbackConnection field.
func (c *UDPConnection) SetLoopbackConnection(isLoopback bool) {
	// Logging information
	c.loopbackConnection = isLoopback
}

// IsLoopbackConnection sets LoopbackConnection field.
func (c *UDPConnection) IsLoopbackConnection() bool {
	// Logging information
	return c.loopbackConnection
}

// NewTCPConnection returns a TCPConnection information struct
func NewTCPConnection(context *pucontext.PUContext, p *packet.Packet) *TCPConnection {

	var initialSeqNumber uint32

	// Default tuple in case the packet is nil.
	tuple := &TCPTuple{}

	if p != nil {
		tuple.SourceAddress = p.SourceAddress()
		tuple.DestinationAddress = p.DestinationAddress()
		tuple.SourcePort = p.SourcePort()
		tuple.DestinationPort = p.DestPort()
		initialSeqNumber = p.TCPSequenceNumber()
	}

	tcp := &TCPConnection{
		state:                 TCPSynSend,
		Context:               context,
		Auth:                  AuthInfo{},
		initialSequenceNumber: initialSeqNumber,
		TCPtuple:              tuple,
		connectionTimeout:     DefaultConnectionTimeout,
	}

	crypto.Nonce().GenerateNonce16Bytes(tcp.Auth.Nonce[:])
	return tcp

}

// ProxyConnection is a record to keep state of proxy auth
type ProxyConnection struct {
	sync.Mutex

	state            ProxyConnState
	Auth             AuthInfo
	ReportFlowPolicy *policy.FlowPolicy
	PacketFlowPolicy *policy.FlowPolicy
	reported         bool
	Secrets          secrets.Secrets
}

// NewProxyConnection returns a new Proxy Connection
func NewProxyConnection(keyPair ephemeralkeys.KeyAccessor) *ProxyConnection {

	p := &ProxyConnection{
		state: ClientTokenSend,
		Auth: AuthInfo{
			LocalDatapathPublicKeyV1: keyPair.DecodingKeyV1(),
			LocalDatapathPrivateKey:  keyPair.PrivateKey(),
		},
	}

	crypto.Nonce().GenerateNonce16Bytes(p.Auth.Nonce[:])

	return p
}

// GetState returns the state of a proxy connection
func (c *ProxyConnection) GetState() ProxyConnState {

	return c.state
}

// SetState is used to setup the state for the Proxy Connection
func (c *ProxyConnection) SetState(state ProxyConnState) {

	c.state = state
}

// SetReported sets the flag to reported when the conn is reported
func (c *ProxyConnection) SetReported(reported bool) {
	c.reported = reported
}

// UDPConnection is information regarding UDP connection.
type UDPConnection struct {
	sync.RWMutex

	state   UDPFlowState
	Context *pucontext.PUContext
	Auth    AuthInfo

	ReportFlowPolicy *policy.FlowPolicy
	PacketFlowPolicy *policy.FlowPolicy
	// ServiceData allows services to associate state with a connection
	ServiceData interface{}

	// PacketQueue indicates app UDP packets queued while authorization is in progress.
	PacketQueue chan *packet.Packet
	Writer      afinetrawsocket.SocketWriter
	// ServiceConnection indicates that this connection is handled by a service
	ServiceConnection bool
	// LoopbackConnection indicates that this connections is within the same pu context.
	loopbackConnection bool
	// Stop channels for restransmissions
	synStop    chan bool
	synAckStop chan bool
	ackStop    chan bool

	TestIgnore           bool
	udpQueueFullDropCntr uint64
	expiredConnection    bool

	Secrets secrets.Secrets

	SourceController      string
	DestinationController string
	EncodedBuf            [tokens.ClaimsEncodedBufSize]byte
}

// NewUDPConnection returns UDPConnection struct.
func NewUDPConnection(context *pucontext.PUContext, writer afinetrawsocket.SocketWriter) *UDPConnection {

	u := &UDPConnection{
		state:       UDPStart,
		Context:     context,
		PacketQueue: make(chan *packet.Packet, MaximumUDPQueueLen),
		Writer:      writer,
		Auth:        AuthInfo{},
		synStop:     make(chan bool),
		synAckStop:  make(chan bool),
		ackStop:     make(chan bool),
		TestIgnore:  true,
	}

	crypto.Nonce().GenerateNonce16Bytes(u.Auth.Nonce[:])
	return u
}

// SynStop issues a stop on the synStop channel.
func (c *UDPConnection) SynStop() {
	select {
	case c.synStop <- true:
	default:
		zap.L().Debug("Packet loss - channel was already done")
	}

}

// SynAckStop issues a stop in the synAckStop channel.
func (c *UDPConnection) SynAckStop() {
	select {
	case c.synAckStop <- true:
	default:
		zap.L().Debug("Packet loss - channel was already done")
	}
}

// AckStop issues a stop in the Ack channel.
func (c *UDPConnection) AckStop() {
	select {
	case c.ackStop <- true:
	default:
		zap.L().Debug("Packet loss - channel was already done")
	}

}

// SynChannel returns the SynStop channel.
func (c *UDPConnection) SynChannel() chan bool {
	return c.synStop

}

// SynAckChannel returns the SynAck stop channel.
func (c *UDPConnection) SynAckChannel() chan bool {
	return c.synAckStop
}

// AckChannel returns the Ack stop channel.
func (c *UDPConnection) AckChannel() chan bool {
	return c.ackStop
}

// GetState is used to get state of UDP Connection.
func (c *UDPConnection) GetState() UDPFlowState {
	return c.state
}

// SetState is used to setup the state for the UDP Connection.
func (c *UDPConnection) SetState(state UDPFlowState) {
	c.state = state
}

// QueuePackets queues UDP packets till the flow is authenticated.
func (c *UDPConnection) QueuePackets(udpPacket *packet.Packet) (err error) {
	buffer := make([]byte, len(udpPacket.GetBuffer(0)))
	copy(buffer, udpPacket.GetBuffer(0))

	copyPacket, err := packet.New(packet.PacketTypeApplication, buffer, udpPacket.Mark, true)
	if err != nil {
		return fmt.Errorf("Unable to copy packets to queue:%s", err)
	}

	if udpPacket.PlatformMetadata != nil {
		copyPacket.PlatformMetadata = udpPacket.PlatformMetadata.Clone()
	}

	select {
	case c.PacketQueue <- copyPacket:
	default:
		// connection object is always locked.
		c.udpQueueFullDropCntr++
		return fmt.Errorf("Queue is full")
	}

	return nil
}

// DropPackets drops packets on errors during Authorization.
func (c *UDPConnection) DropPackets() {
	close(c.PacketQueue)
	c.PacketQueue = make(chan *packet.Packet, MaximumUDPQueueLen)
}

// ReadPacket reads a packet from the queue.
func (c *UDPConnection) ReadPacket() *packet.Packet {
	select {
	case p := <-c.PacketQueue:
		return p
	default:
		return nil
	}
}

// Cleanup is called on cache expiry of the connection to record incomplete connections
func (c *UDPConnection) Cleanup() {

	c.Lock()
	if !c.expiredConnection && c.state != UDPData {
		c.expiredConnection = true
		if c.Context != nil {
			c.Context.Counters().IncrementCounter(counters.ErrUDPConnectionsExpired)
		}
	}
	c.Unlock()
}

// String returns a printable version of connection
func (c *UDPConnection) String() string {

	return fmt.Sprintf("udp-conn state:%d auth: %+v", c.state, c.Auth)
}

// UDPConnectionExpirationNotifier expiration notifier when cache entry expires
func UDPConnectionExpirationNotifier(c cache.DataStore, id interface{}, item interface{}) {

	if conn, ok := item.(*UDPConnection); ok {
		conn.Cleanup()
	}
}

// ChangeConnectionTimeout is used by test code to change the default
// connection timeout
func (c *TCPConnection) ChangeConnectionTimeout(t time.Duration) {
	// Logging information
	c.connectionTimeout = t
}


================================================
FILE: controller/pkg/connection/connection_test.go
================================================
// +build !windows

package connection


================================================
FILE: controller/pkg/connection/connectioncache.go
================================================
package connection

import (
	"sync"
)

//TCPCache is an interface to store tcp connections
//keyed with the string.
type TCPCache interface {
	Put(string, *TCPConnection)
	Get(string) (*TCPConnection, bool)
	Remove(string)
	Len() int
}

type tcpCache struct {
	m map[string]*TCPConnection
	sync.RWMutex
}

//NewTCPConnectionCache initializes the tcp connection cache
func NewTCPConnectionCache() TCPCache {
	return &tcpCache{m: map[string]*TCPConnection{}}
}

//Put stores the connection object with the key string
func (c *tcpCache) Put(key string, conn *TCPConnection) {
	c.Lock()
	c.m[key] = conn
	c.Unlock()
}

//Get gets the tcp connection object keyed with the key string
func (c *tcpCache) Get(key string) (*TCPConnection, bool) {
	c.RLock()
	conn, exists := c.m[key]
	c.RUnlock()

	return conn, exists
}

//Remove remove the connection object keyed with the key string
func (c *tcpCache) Remove(key string) {
	c.Lock()
	delete(c.m, key)
	c.Unlock()
}

func (c *tcpCache) Len() int {
	c.Lock()
	size := len(c.m)
	c.Unlock()

	return size
}


================================================
FILE: controller/pkg/counters/counters.go
================================================
package counters

import (
	"sync/atomic"

	"go.aporeto.io/enforcerd/trireme-lib/collector"
)

// NewCounters initializes new counters handler. Thread safe.
func NewCounters() *Counters {
	return &Counters{}
}

// CounterNames returns an array of names
func CounterNames() []string {
	names := make([]string, errMax+1)
	var ct CounterType
	for ct = 0; ct <= errMax; ct++ {
		names[ct] = ct.String()
	}
	return names[:errMax]
}

// CounterError is a convinence function which returns error as well as increments the counter.
func (c *Counters) CounterError(t CounterType, err error) error {
	c.IncrementCounter(t)
	return err
}

// IncrementCounter increments counters for a given PU
func (c *Counters) IncrementCounter(t CounterType) {
	atomic.AddUint32(&c.counters[int(t)], 1)
}

// GetErrorCounters returns the error counters and resets the counters to zero
func (c *Counters) GetErrorCounters() []collector.Counters {

	c.Lock()

	report := make([]collector.Counters, errMax+1)
	for index := range c.counters {
		report[index] = collector.Counters(atomic.SwapUint32(&c.counters[index], 0))
	}

	c.Unlock()
	return report[:errMax]
}


================================================
FILE: controller/pkg/counters/counters_test.go
================================================
package counters

import (
	"errors"
	"testing"

	. "github.com/smartystreets/goconvey/convey"
)

func Test_NewCounters(t *testing.T) {

	Convey("When I create new error counters", t, func() {
		ec := NewCounters()
		So(ec, ShouldNotBeNil)
		So(len(ec.counters), ShouldEqual, errMax+1)
	})
}

func Test_CounterError(t *testing.T) {

	Convey("When I create new error counters", t, func() {
		ec := NewCounters()
		So(ec, ShouldNotBeNil)
		So(len(ec.counters), ShouldEqual, errMax+1)

		Convey("When I increment counter", func() {
			err := ec.CounterError(ErrInvalidProtocol, errors.New("unknown protocol"))
			ec.IncrementCounter(ErrInvalidProtocol)
			So(err, ShouldResemble, errors.New("unknown protocol"))
			So(ec.counters[ErrInvalidProtocol], ShouldEqual, 2)
		})
	})
}

func Test_GetErrorCounter(t *testing.T) {

	Convey("When I create new error counters", t, func() {
		ec := NewCounters()
		So(ec, ShouldNotBeNil)
		So(len(ec.counters), ShouldEqual, errMax+1)

		Convey("When I increment counter and get error", func() {
			err := ec.CounterError(ErrInvalidProtocol, errors.New("unknown protocol"))
			ec.IncrementCounter(ErrInvalidProtocol)
			ec.IncrementCounter(ErrInvalidProtocol)

			So(err, ShouldResemble, errors.New("unknown protocol"))
			So(ec.counters[ErrInvalidProtocol], ShouldEqual, 3)

			c := ec.GetErrorCounters()

			So(len(c), ShouldEqual, errMax)
			So(c[ErrInvalidProtocol], ShouldEqual, 3)
			So(ec.counters[ErrInvalidProtocol], ShouldEqual, 0)
		})
	})
}


================================================
FILE: controller/pkg/counters/countertype_string.go
================================================
// Code generated by "stringer -type=CounterType -trimprefix Err"; DO NOT EDIT.

package counters

import "strconv"

func _() {
	// An "invalid array index" compiler error signifies that the constant values have changed.
	// Re-run the stringer command to generate them again.
	var x [1]struct{}
	_ = x[ErrUnknownError-0]
	_ = x[ErrNonPUTraffic-1]
	_ = x[ErrNoConnFound-2]
	_ = x[ErrRejectPacket-3]
	_ = x[ErrMarkNotFound-4]
	_ = x[ErrPortNotFound-5]
	_ = x[ErrContextIDNotFound-6]
	_ = x[ErrInvalidProtocol-7]
	_ = x[ErrConnectionsProcessed-8]
	_ = x[ErrEncrConnectionsProcessed-9]
	_ = x[ErrUDPDropFin-10]
	_ = x[ErrUDPSynDroppedInvalidToken-11]
	_ = x[ErrUDPSynAckInvalidToken-12]
	_ = x[ErrUDPAckInvalidToken-13]
	_ = x[ErrUDPConnectionsProcessed-14]
	_ = x[ErrUDPContextIDNotFound-15]
	_ = x[ErrUDPDropQueueFull-16]
	_ = x[ErrUDPDropInNfQueue-17]
	_ = x[ErrAppServicePreProcessorFailed-18]
	_ = x[ErrAppServicePostProcessorFailed-19]
	_ = x[ErrNetServicePreProcessorFailed-20]
	_ = x[ErrNetServicePostProcessorFailed-21]
	_ = x[ErrSynTokenFailed-22]
	_ = x[ErrSynDroppedInvalidToken-23]
	_ = x[ErrSynDroppedTCPOption-24]
	_ = x[ErrSynDroppedInvalidFormat-25]
	_ = x[ErrSynRejectPacket-26]
	_ = x[ErrSynUnexpectedPacket-27]
	_ = x[ErrInvalidNetSynState-28]
	_ = x[ErrNetSynNotSeen-29]
	_ = x[ErrSynToExtNetAccept-30]
	_ = x[ErrSynFromExtNetAccept-31]
	_ = x[ErrSynToExtNetReject-32]
	_ = x[ErrSynFromExtNetReject-33]
	_ = x[ErrSynAckTokenFailed-34]
	_ = x[ErrOutOfOrderSynAck-35]
	_ = x[ErrInvalidSynAck-36]
	_ = x[ErrSynAckInvalidToken-37]
	_ = x[ErrSynAckMissingToken-38]
	_ = x[ErrSynAckNoTCPAuthOption-39]
	_ = x[ErrSynAckInvalidFormat-40]
	_ = x[ErrSynAckEncryptionMismatch-41]
	_ = x[ErrSynAckRejected-42]
	_ = x[ErrSynAckToExtNetAccept-43]
	_ = x[ErrSynAckFromExtNetAccept-44]
	_ = x[ErrSynAckFromExtNetReject-45]
	_ = x[ErrAckTokenFailed-46]
	_ = x[ErrAckRejected-47]
	_ = x[ErrAckTCPNoTCPAuthOption-48]
	_ = x[ErrAckInvalidFormat-49]
	_ = x[ErrAckInvalidToken-50]
	_ = x[ErrAckInUnknownState-51]
	_ = x[ErrAckFromExtNetAccept-52]
	_ = x[ErrAckFromExtNetReject-53]
	_ = x[ErrUDPAppPreProcessingFailed-54]
	_ = x[ErrUDPAppPostProcessingFailed-55]
	_ = x[ErrUDPNetPreProcessingFailed-56]
	_ = x[ErrUDPNetPostProcessingFailed-57]
	_ = x[ErrUDPSynInvalidToken-58]
	_ = x[ErrUDPSynMissingClaims-59]
	_ = x[ErrUDPSynDroppedPolicy-60]
	_ = x[ErrUDPSynAckNoConnection-61]
	_ = x[ErrUDPSynAckPolicy-62]
	_ = x[ErrDroppedTCPPackets-63]
	_ = x[ErrDroppedUDPPackets-64]
	_ = x[ErrDroppedICMPPackets-65]
	_ = x[ErrDroppedDNSPackets-66]
	_ = x[ErrDroppedDHCPPackets-67]
	_ = x[ErrDroppedNTPPackets-68]
	_ = x[ErrTCPConnectionsExpired-69]
	_ = x[ErrUDPConnectionsExpired-70]
	_ = x[ErrSynTokenEncodeFailed-71]
	_ = x[ErrSynTokenHashFailed-72]
	_ = x[ErrSynTokenSignFailed-73]
	_ = x[ErrSynSharedSecretMissing-74]
	_ = x[ErrSynInvalidSecret-75]
	_ = x[ErrSynInvalidTokenLength-76]
	_ = x[ErrSynMissingSignature-77]
	_ = x[ErrSynInvalidSignature-78]
	_ = x[ErrSynCompressedTagMismatch-79]
	_ = x[ErrSynDatapathVersionMismatch-80]
	_ = x[ErrSynTokenDecodeFailed-81]
	_ = x[ErrSynTokenExpired-82]
	_ = x[ErrSynSharedKeyHashFailed-83]
	_ = x[ErrSynPublicKeyFailed-84]
	_ = x[ErrSynAckTokenEncodeFailed-85]
	_ = x[ErrSynAckTokenHashFailed-86]
	_ = x[ErrSynAckTokenSignFailed-87]
	_ = x[ErrSynAckSharedSecretMissing-88]
	_ = x[ErrSynAckInvalidSecret-89]
	_ = x[ErrSynAckInvalidTokenLength-90]
	_ = x[ErrSynAckMissingSignature-91]
	_ = x[ErrSynAckInvalidSignature-92]
	_ = x[ErrSynAckCompressedTagMismatch-93]
	_ = x[ErrSynAckDatapathVersionMismatch-94]
	_ = x[ErrSynAckTokenDecodeFailed-95]
	_ = x[ErrSynAckTokenExpired-96]
	_ = x[ErrSynAckSharedKeyHashFailed-97]
	_ = x[ErrSynAckPublicKeyFailed-98]
	_ = x[ErrAckTokenEncodeFailed-99]
	_ = x[ErrAckTokenHashFailed-100]
	_ = x[ErrAckTokenSignFailed-101]
	_ = x[ErrAckSharedSecretMissing-102]
	_ = x[ErrAckInvalidSecret-103]
	_ = x[ErrAckInvalidTokenLength-104]
	_ = x[ErrAckMissingSignature-105]
	_ = x[ErrAckCompressedTagMismatch-106]
	_ = x[ErrAckDatapathVersionMismatch-107]
	_ = x[ErrAckTokenDecodeFailed-108]
	_ = x[ErrAckTokenExpired-109]
	_ = x[ErrAckSignatureMismatch-110]
	_ = x[ErrUDPSynTokenFailed-111]
	_ = x[ErrUDPSynTokenEncodeFailed-112]
	_ = x[ErrUDPSynTokenHashFailed-113]
	_ = x[ErrUDPSynTokenSignFailed-114]
	_ = x[ErrUDPSynSharedSecretMissing-115]
	_ = x[ErrUDPSynInvalidSecret-116]
	_ = x[ErrUDPSynInvalidTokenLength-117]
	_ = x[ErrUDPSynMissingSignature-118]
	_ = x[ErrUDPSynInvalidSignature-119]
	_ = x[ErrUDPSynCompressedTagMismatch-120]
	_ = x[ErrUDPSynDatapathVersionMismatch-121]
	_ = x[ErrUDPSynTokenDecodeFailed-122]
	_ = x[ErrUDPSynTokenExpired-123]
	_ = x[ErrUDPSynSharedKeyHashFailed-124]
	_ = x[ErrUDPSynPublicKeyFailed-125]
	_ = x[ErrUDPSynAckTokenFailed-126]
	_ = x[ErrUDPSynAckTokenEncodeFailed-127]
	_ = x[ErrUDPSynAckTokenHashFailed-128]
	_ = x[ErrUDPSynAckTokenSignFailed-129]
	_ = x[ErrUDPSynAckSharedSecretMissing-130]
	_ = x[ErrUDPSynAckInvalidSecret-131]
	_ = x[ErrUDPSynAckInvalidTokenLength-132]
	_ = x[ErrUDPSynAckMissingSignature-133]
	_ = x[ErrUDPSynAckInvalidSignature-134]
	_ = x[ErrUDPSynAckCompressedTagMismatch-135]
	_ = x[ErrUDPSynAckDatapathVersionMismatch-136]
	_ = x[ErrUDPSynAckTokenDecodeFailed-137]
	_ = x[ErrUDPSynAckTokenExpired-138]
	_ = x[ErrUDPSynAckSharedKeyHashFailed-139]
	_ = x[ErrUDPSynAckPublicKeyFailed-140]
	_ = x[ErrUDPAckTokenFailed-141]
	_ = x[ErrUDPAckTokenEncodeFailed-142]
	_ = x[ErrUDPAckTokenHashFailed-143]
	_ = x[ErrUDPAckSharedSecretMissing-144]
	_ = x[ErrUDPAckInvalidSecret-145]
	_ = x[ErrUDPAckInvalidTokenLength-146]
	_ = x[ErrUDPAckMissingSignature-147]
	_ = x[ErrUDPAckCompressedTagMismatch-148]
	_ = x[ErrUDPAckDatapathVersionMismatch-149]
	_ = x[ErrUDPAckTokenDecodeFailed-150]
	_ = x[ErrUDPAckTokenExpired-151]
	_ = x[ErrUDPAckSignatureMismatch-152]
	_ = x[ErrAppSynAuthOptionSet-153]
	_ = x[ErrAckToFinAck-154]
	_ = x[ErrIgnoreFin-155]
	_ = x[ErrInvalidNetState-156]
	_ = x[ErrInvalidNetAckState-157]
	_ = x[ErrAppSynAckAuthOptionSet-158]
	_ = x[ErrDuplicateAckDrop-159]
	_ = x[ErrDNSForwardFailed-160]
	_ = x[ErrDNSResponseFailed-161]
	_ = x[ErrNfLogError-162]
	_ = x[ErrSegmentServerContainerEventExceedsProcessingTime-163]
	_ = x[ErrCorruptPacket-164]
	_ = x[ErrSynMissingTCPOption-165]
	_ = x[ErrUDPDropRst-166]
	_ = x[ErrNonPUUDPTraffic-167]
	_ = x[ErrIPTablesReset-168]
	_ = x[ErrDNSInvalidRequest-169]
	_ = x[errMax-170]
}

const _CounterType_name = "UnknownErrorNonPUTrafficNoConnFoundRejectPacketMarkNotFoundPortNotFoundContextIDNotFoundInvalidProtocolConnectionsProcessedEncrConnectionsProcessedUDPDropFinUDPSynDroppedInvalidTokenUDPSynAckInvalidTokenUDPAckInvalidTokenUDPConnectionsProcessedUDPContextIDNotFoundUDPDropQueueFullUDPDropInNfQueueAppServicePreProcessorFailedAppServicePostProcessorFailedNetServicePreProcessorFailedNetServicePostProcessorFailedSynTokenFailedSynDroppedInvalidTokenSynDroppedTCPOptionSynDroppedInvalidFormatSynRejectPacketSynUnexpectedPacketInvalidNetSynStateNetSynNotSeenSynToExtNetAcceptSynFromExtNetAcceptSynToExtNetRejectSynFromExtNetRejectSynAckTokenFailedOutOfOrderSynAckInvalidSynAckSynAckInvalidTokenSynAckMissingTokenSynAckNoTCPAuthOptionSynAckInvalidFormatSynAckEncryptionMismatchSynAckRejectedSynAckToExtNetAcceptSynAckFromExtNetAcceptSynAckFromExtNetRejectAckTokenFailedAckRejectedAckTCPNoTCPAuthOptionAckInvalidFormatAckInvalidTokenAckInUnknownStateAckFromExtNetAcceptAckFromExtNetRejectUDPAppPreProcessingFailedUDPAppPostProcessingFailedUDPNetPreProcessingFailedUDPNetPostProcessingFailedUDPSynInvalidTokenUDPSynMissingClaimsUDPSynDroppedPolicyUDPSynAckNoConnectionUDPSynAckPolicyDroppedTCPPacketsDroppedUDPPacketsDroppedICMPPacketsDroppedDNSPacketsDroppedDHCPPacketsDroppedNTPPacketsTCPConnectionsExpiredUDPConnectionsExpiredSynTokenEncodeFailedSynTokenHashFailedSynTokenSignFailedSynSharedSecretMissingSynInvalidSecretSynInvalidTokenLengthSynMissingSignatureSynInvalidSignatureSynCompressedTagMismatchSynDatapathVersionMismatchSynTokenDecodeFailedSynTokenExpiredSynSharedKeyHashFailedSynPublicKeyFailedSynAckTokenEncodeFailedSynAckTokenHashFailedSynAckTokenSignFailedSynAckSharedSecretMissingSynAckInvalidSecretSynAckInvalidTokenLengthSynAckMissingSignatureSynAckInvalidSignatureSynAckCompressedTagMismatchSynAckDatapathVersionMismatchSynAckTokenDecodeFailedSynAckTokenExpiredSynAckSharedKeyHashFailedSynAckPublicKeyFailedAckTokenEncodeFailedAckTokenHashFailedAckTokenSignFailedAckSharedSecretMissingAckInvalidSecretAckInvalidTokenLengthAckMissingSignatureAckCompressedTagMismatchAckDatapathVersionMismatchAckTokenDecodeFailedAckTokenExpiredAckSignatureMismatchUDPSynTokenFailedUDPSynTokenEncodeFailedUDPSynTokenHashFailedUDPSynTokenSignFailedUDPSynSharedSecretMissingUDPSynInvalidSecretUDPSynInvalidTokenLengthUDPSynMissingSignatureUDPSynInvalidSignatureUDPSynCompressedTagMismatchUDPSynDatapathVersionMismatchUDPSynTokenDecodeFailedUDPSynTokenExpiredUDPSynSharedKeyHashFailedUDPSynPublicKeyFailedUDPSynAckTokenFailedUDPSynAckTokenEncodeFailedUDPSynAckTokenHashFailedUDPSynAckTokenSignFailedUDPSynAckSharedSecretMissingUDPSynAckInvalidSecretUDPSynAckInvalidTokenLengthUDPSynAckMissingSignatureUDPSynAckInvalidSignatureUDPSynAckCompressedTagMismatchUDPSynAckDatapathVersionMismatchUDPSynAckTokenDecodeFailedUDPSynAckTokenExpiredUDPSynAckSharedKeyHashFailedUDPSynAckPublicKeyFailedUDPAckTokenFailedUDPAckTokenEncodeFailedUDPAckTokenHashFailedUDPAckSharedSecretMissingUDPAckInvalidSecretUDPAckInvalidTokenLengthUDPAckMissingSignatureUDPAckCompressedTagMismatchUDPAckDatapathVersionMismatchUDPAckTokenDecodeFailedUDPAckTokenExpiredUDPAckSignatureMismatchAppSynAuthOptionSetAckToFinAckIgnoreFinInvalidNetStateInvalidNetAckStateAppSynAckAuthOptionSetDuplicateAckDropDNSForwardFailedDNSResponseFailedNfLogErrorSegmentServerContainerEventExceedsProcessingTimeCorruptPacketSynMissingTCPOptionUDPDropRstNonPUUDPTrafficIPTablesResetDNSInvalidRequesterrMax"

var _CounterType_index = [...]uint16{0, 12, 24, 35, 47, 59, 71, 88, 103, 123, 147, 157, 182, 203, 221, 244, 264, 280, 296, 324, 353, 381, 410, 424, 446, 465, 488, 503, 522, 540, 553, 570, 589, 606, 625, 642, 658, 671, 689, 707, 728, 747, 771, 785, 805, 827, 849, 863, 874, 895, 911, 926, 943, 962, 981, 1006, 1032, 1057, 1083, 1101, 1120, 1139, 1160, 1175, 1192, 1209, 1227, 1244, 1262, 1279, 1300, 1321, 1341, 1359, 1377, 1399, 1415, 1436, 1455, 1474, 1498, 1524, 1544, 1559, 1581, 1599, 1622, 1643, 1664, 1689, 1708, 1732, 1754, 1776, 1803, 1832, 1855, 1873, 1898, 1919, 1939, 1957, 1975, 1997, 2013, 2034, 2053, 2077, 2103, 2123, 2138, 2158, 2175, 2198, 2219, 2240, 2265, 2284, 2308, 2330, 2352, 2379, 2408, 2431, 2449, 2474, 2495, 2515, 2541, 2565, 2589, 2617, 2639, 2666, 2691, 2716, 2746, 2778, 2804, 2825, 2853, 2877, 2894, 2917, 2938, 2963, 2982, 3006, 3028, 3055, 3084, 3107, 3125, 3148, 3167, 3178, 3187, 3202, 3220, 3242, 3258, 3274, 3291, 3301, 3349, 3362, 3381, 3391, 3406, 3419, 3436, 3442}

func (i CounterType) String() string {
	if i < 0 || i >= CounterType(len(_CounterType_index)-1) {
		return "CounterType(" + strconv.FormatInt(int64(i), 10) + ")"
	}
	return _CounterType_name[_CounterType_index[i]:_CounterType_index[i+1]]
}


================================================
FILE: controller/pkg/counters/default.go
================================================
package counters

import (
	"go.aporeto.io/enforcerd/trireme-lib/collector"
)

// defaultCounters are a global instance of counters.
// These are used when we dont have a PU context.
var defaultCounters = NewCounters()

// CounterError is a convinence function which returns error as well as increments the counter.
func CounterError(t CounterType, err error) error { // nolint
	return defaultCounters.CounterError(t, err)
}

// IncrementCounter increments counters for a given PU
func IncrementCounter(err CounterType) {
	defaultCounters.IncrementCounter(err)
}

// GetErrorCounters returns the error counters and resets the counters to zero
func GetErrorCounters() []collector.Counters {
	return defaultCounters.GetErrorCounters()
}


================================================
FILE: controller/pkg/counters/default_test.go
================================================
package counters

import (
	"errors"
	"testing"

	. "github.com/smartystreets/goconvey/convey"
)

func Test_DefaultCounterError(t *testing.T) {

	Convey("When I increment counter", t, func() {
		err := CounterError(ErrInvalidProtocol, errors.New("unknown protocol"))
		IncrementCounter(ErrInvalidProtocol)
		So(err, ShouldResemble, errors.New("unknown protocol"))
		So(defaultCounters.counters[ErrInvalidProtocol], ShouldEqual, 2)

		// Reset the global counters
		GetErrorCounters() // nolint
	})
}

func Test_DefaultGetErrorCounter(t *testing.T) {

	Convey("When I increment counter", t, func() {
		err := CounterError(ErrInvalidProtocol, errors.New("unknown protocol"))
		IncrementCounter(ErrInvalidProtocol)
		IncrementCounter(ErrInvalidProtocol)
		So(err, ShouldResemble, errors.New("unknown protocol"))
		So(defaultCounters.counters[ErrInvalidProtocol], ShouldEqual, 3)

		Convey("When I get the error counter", func() {
			c := GetErrorCounters()
			So(len(c), ShouldEqual, errMax)
			So(c[ErrInvalidProtocol], ShouldEqual, 3)
			So(defaultCounters.counters[ErrInvalidProtocol], ShouldEqual, 0)
		})
	})
}


================================================
FILE: controller/pkg/counters/types.go
================================================
package counters

import "sync"

// CounterType custom counter error type.
type CounterType int

//go:generate stringer -type=CounterType -trimprefix Err
// Error counters used in the enforcerd
const (
	ErrUnknownError CounterType = iota
	ErrNonPUTraffic
	ErrNoConnFound
	ErrRejectPacket
	ErrMarkNotFound
	ErrPortNotFound
	ErrContextIDNotFound
	ErrInvalidProtocol
	ErrConnectionsProcessed
	ErrEncrConnectionsProcessed
	ErrUDPDropFin
	ErrUDPSynDroppedInvalidToken
	ErrUDPSynAckInvalidToken
	ErrUDPAckInvalidToken
	ErrUDPConnectionsProcessed
	ErrUDPContextIDNotFound
	ErrUDPDropQueueFull
	ErrUDPDropInNfQueue
	ErrAppServicePreProcessorFailed
	ErrAppServicePostProcessorFailed
	ErrNetServicePreProcessorFailed
	ErrNetServicePostProcessorFailed
	ErrSynTokenFailed
	ErrSynDroppedInvalidToken
	ErrSynDroppedTCPOption
	ErrSynDroppedInvalidFormat
	ErrSynRejectPacket
	ErrSynUnexpectedPacket
	ErrInvalidNetSynState
	ErrNetSynNotSeen
	ErrSynToExtNetAccept
	ErrSynFromExtNetAccept
	ErrSynToExtNetReject
	ErrSynFromExtNetReject
	ErrSynAckTokenFailed
	ErrOutOfOrderSynAck
	ErrInvalidSynAck
	ErrSynAckInvalidToken
	ErrSynAckMissingToken
	ErrSynAckNoTCPAuthOption
	ErrSynAckInvalidFormat
	ErrSynAckEncryptionMismatch
	ErrSynAckRejected
	ErrSynAckToExtNetAccept
	ErrSynAckFromExtNetAccept
	ErrSynAckFromExtNetReject
	ErrAckTokenFailed
	ErrAckRejected
	ErrAckTCPNoTCPAuthOption //50
	ErrAckInvalidFormat
	ErrAckInvalidToken
	ErrAckInUnknownState
	ErrAckFromExtNetAccept
	ErrAckFromExtNetReject
	ErrUDPAppPreProcessingFailed
	ErrUDPAppPostProcessingFailed
	ErrUDPNetPreProcessingFailed
	ErrUDPNetPostProcessingFailed
	ErrUDPSynInvalidToken
	ErrUDPSynMissingClaims
	ErrUDPSynDroppedPolicy
	ErrUDPSynAckNoConnection
	ErrUDPSynAckPolicy
	ErrDroppedTCPPackets
	ErrDroppedUDPPackets
	ErrDroppedICMPPackets
	ErrDroppedDNSPackets
	ErrDroppedDHCPPackets
	ErrDroppedNTPPackets
	ErrTCPConnectionsExpired
	ErrUDPConnectionsExpired
	ErrSynTokenEncodeFailed
	ErrSynTokenHashFailed
	ErrSynTokenSignFailed
	ErrSynSharedSecretMissing
	ErrSynInvalidSecret
	ErrSynInvalidTokenLength
	ErrSynMissingSignature
	ErrSynInvalidSignature
	ErrSynCompressedTagMismatch
	ErrSynDatapathVersionMismatch
	ErrSynTokenDecodeFailed
	ErrSynTokenExpired
	ErrSynSharedKeyHashFailed
	ErrSynPublicKeyFailed
	ErrSynAckTokenEncodeFailed
	ErrSynAckTokenHashFailed
	ErrSynAckTokenSignFailed
	ErrSynAckSharedSecretMissing
	ErrSynAckInvalidSecret
	ErrSynAckInvalidTokenLength
	ErrSynAckMissingSignature
	ErrSynAckInvalidSignature
	ErrSynAckCompressedTagMismatch
	ErrSynAckDatapathVersionMismatch
	ErrSynAckTokenDecodeFailed
	ErrSynAckTokenExpired
	ErrSynAckSharedKeyHashFailed
	ErrSynAckPublicKeyFailed //100
	ErrAckTokenEncodeFailed
	ErrAckTokenHashFailed
	ErrAckTokenSignFailed
	ErrAckSharedSecretMissing
	ErrAckInvalidSecret
	ErrAckInvalidTokenLength
	ErrAckMissingSignature
	ErrAckCompressedTagMismatch
	ErrAckDatapathVersionMismatch
	ErrAckTokenDecodeFailed
	ErrAckTokenExpired
	ErrAckSignatureMismatch
	ErrUDPSynTokenFailed
	ErrUDPSynTokenEncodeFailed
	ErrUDPSynTokenHashFailed
	ErrUDPSynTokenSignFailed
	ErrUDPSynSharedSecretMissing
	ErrUDPSynInvalidSecret
	ErrUDPSynInvalidTokenLength
	ErrUDPSynMissingSignature
	ErrUDPSynInvalidSignature
	ErrUDPSynCompressedTagMismatch
	ErrUDPSynDatapathVersionMismatch
	ErrUDPSynTokenDecodeFailed
	ErrUDPSynTokenExpired
	ErrUDPSynSharedKeyHashFailed
	ErrUDPSynPublicKeyFailed
	ErrUDPSynAckTokenFailed
	ErrUDPSynAckTokenEncodeFailed
	ErrUDPSynAckTokenHashFailed
	ErrUDPSynAckTokenSignFailed
	ErrUDPSynAckSharedSecretMissing
	ErrUDPSynAckInvalidSecret
	ErrUDPSynAckInvalidTokenLength
	ErrUDPSynAckMissingSignature
	ErrUDPSynAckInvalidSignature
	ErrUDPSynAckCompressedTagMismatch
	ErrUDPSynAckDatapathVersionMismatch
	ErrUDPSynAckTokenDecodeFailed
	ErrUDPSynAckTokenExpired
	ErrUDPSynAckSharedKeyHashFailed
	ErrUDPSynAckPublicKeyFailed
	ErrUDPAckTokenFailed
	ErrUDPAckTokenEncodeFailed
	ErrUDPAckTokenHashFailed
	ErrUDPAckSharedSecretMissing
	ErrUDPAckInvalidSecret
	ErrUDPAckInvalidTokenLength
	ErrUDPAckMissingSignature
	ErrUDPAckCompressedTagMismatch //150
	ErrUDPAckDatapathVersionMismatch
	ErrUDPAckTokenDecodeFailed
	ErrUDPAckTokenExpired
	ErrUDPAckSignatureMismatch
	ErrAppSynAuthOptionSet
	ErrAckToFinAck
	ErrIgnoreFin
	ErrInvalidNetState
	ErrInvalidNetAckState
	ErrAppSynAckAuthOptionSet
	ErrDuplicateAckDrop
	ErrDNSForwardFailed
	ErrDNSResponseFailed
	ErrNfLogError
	ErrSegmentServerContainerEventExceedsProcessingTime
	ErrCorruptPacket
	ErrSynMissingTCPOption
	ErrUDPDropRst
	ErrNonPUUDPTraffic
	ErrIPTablesReset
	ErrDNSInvalidRequest
	// !!!! ADD NEW ERRORS ABOVE THIS LINE !!!!
	// errMax must be the last error counter defined.
	errMax
)

// Counters holds the counters value.
type Counters struct {
	sync.Mutex
	counters [errMax + 1]uint32
}


================================================
FILE: controller/pkg/dmesgparser/dmesgparser.go
================================================
package dmesgparser

import (
	"fmt"
	"os/exec"
	"strconv"
	"strings"
	"sync"
)

// Dmesg struct handle for the dmesg parser
type Dmesg struct {
	chanSize          int
	lastProcessedTime float64
	sync.Mutex
}

func getEntryTime(line string) float64 {
	leftindex := strings.Index(line, "[")
	rightIndex := strings.Index(line, "]")
	val, _ := strconv.ParseFloat(strings.TrimSpace(line[leftindex+1:rightIndex]), 64)
	return val
}

// TODOD move to Dmesg -w mode later
// func (r *Dmesg) runDmesgCommandFollowMode(outputChan chan string, interval time.Duration) {
// 	cmdCtx,cancel := context.WithTimeout(ctx, interval)
// 	defer cancel()
// 	cmd := exec.CommandContext(, "dmesg", "-w", "-l", "warn")

// }

// RunDmesgCommand runs the Dmesg command to capture raw Dmesg output
func (d *Dmesg) RunDmesgCommand() ([]string, error) {

	output, err := exec.Command("dmesg").CombinedOutput()
	if err != nil {
		return nil, fmt.Errorf("Cannot run Dmesg cmd %s", err)
	}

	return d.ParseDmesgOutput(string(output))
}

// ParseDmesgOutput will parse dmesg output
func (d *Dmesg) ParseDmesgOutput(dmesgOutput string) ([]string, error) {
	lines := strings.Split(strings.TrimSuffix(dmesgOutput, "\n"), "\n")
	outputslice := make([]string, len(lines))
	elementsadded := 0

	for _, line := range lines {
		line = strings.TrimSpace(line)
		if !isTraceOutput(line) {
			continue
		}
		if d.lastProcessedTime < getEntryTime(line) {
			outputslice[elementsadded] = line
			elementsadded++
		}
	}
	return outputslice[:elementsadded], nil
}

func isTraceOutput(line string) bool {
	i := strings.Index(line, "]")
	if i < 0 {
		return false
	}
	substring := strings.TrimSpace(line[:strings.Index(line, "]")+1])
	return strings.HasPrefix(line, substring+" TRACE:")
}

// New return an initialized Dmesg
func New() *Dmesg {
	return &Dmesg{
		chanSize:          10000,
		lastProcessedTime: 0,
	}
}


================================================
FILE: controller/pkg/ebpf/bpfbuild/socket-filter-bpf.go
================================================
// Code generated by go-bindata.
// sources:
// ../dist/socket-filter-bpf.o
// DO NOT EDIT!

package bpfbuild

import (
	"bytes"
	"compress/gzip"
	"fmt"
	"io"
	"io/ioutil"
	"os"
	"path/filepath"
	"strings"
	"time"
)

func bindataRead(data []byte, name string) ([]byte, error) {
	gz, err := gzip.NewReader(bytes.NewBuffer(data))
	if err != nil {
		return nil, fmt.Errorf("Read %q: %v", name, err)
	}

	var buf bytes.Buffer
	_, err = io.Copy(&buf, gz)
	clErr := gz.Close()

	if err != nil {
		return nil, fmt.Errorf("Read %q: %v", name, err)
	}
	if clErr != nil {
		return nil, err
	}

	return buf.Bytes(), nil
}

type asset struct {
	bytes []byte
	info  os.FileInfo
}

type bindataFileInfo struct {
	name    string
	size    int64
	mode    os.FileMode
	modTime time.Time
}

func (fi bindataFileInfo) Name() string {
	return fi.name
}
func (fi bindataFileInfo) Size() int64 {
	return fi.size
}
func (fi bindataFileInfo) Mode() os.FileMode {
	return fi.mode
}
func (fi bindataFileInfo) ModTime() time.Time {
	return fi.modTime
}
func (fi bindataFileInfo) IsDir() bool {
	return false
}
func (fi bindataFileInfo) Sys() interface{} {
	return nil
}

var _socketFilterBpfO = []byte("\x1f\x8b\x08\x00\x00\x09\x6e\x88\x00\xff\xe4\x94\xb1\x8f\x12\x41\x14\xc6\xbf\x61\x41\x16\xa4\xa0\x10\x83\xd1\x82\x92\xc2\x2c\x46\x8d\xb1\x32\x84\x44\x2a\x4c\x8c\xb1\x30\xb1\x20\x2b\x59\x83\x59\x11\xc2\x6c\xa1\xc4\xc4\xca\xc6\x8a\xc6\x86\xd2\xca\xff\xe0\xae\xdb\xf6\xfe\x0c\x8a\x2b\x2e\x57\x51\x5c\x72\x97\x6b\xe6\xb2\x33\x6f\xd8\x65\x76\xd9\xbb\xfe\xbe\x82\xb7\xef\x37\xfb\x76\xde\x7c\x79\xc3\xaf\xd7\x83\x7e\x81\x31\x68\x31\x9c\x23\xce\x62\x1d\x59\xf1\x73\x97\x7e\x2b\x60\x08\xef\x2b\xd6\x02\x50\x03\x10\x96\x55\x3e\x5a\xac\x85\xe6\xf5\x88\xdb\xc4\xff\x1c\x4b\xde\x06\x70\x2f\xe2\x15\xc5\xfd\xd5\xc9\x96\x47\x9f\xf4\xab\xa7\x42\xbd\xbf\x51\x71\x71\x26\xa3\x5f\xbd\x50\x71\x75\x29\x63\xf8\x4f\xd5\x97\x0b\xc0\x5a\x08\xd1\x34\x9a\xff\x2d\xcf\x04\x34\xe8\x54\x25\xa8\x0d\x93\x75\x9b\x9c\xba\x90\x78\x13\x80\x10\x42\xe8\xf5\x06\x79\x76\x40\xf9\xdf\xad\x7f\xca\x07\xb9\x5a\xcf\x30\xf2\x96\x4a\x5b\xc1\x16\xef\x60\xff\xbc\xcb\x1e\x12\x6b\xea\xf5\xac\xa1\x4b\xe8\xbd\xfc\xb5\x70\x68\xf0\x37\xc4\xcd\xa1\xed\x13\xb7\x33\xbe\x6b\xc1\x4a\x31\x35\xa7\x69\x5e\x93\xbc\x94\xe2\x4b\x7d\x1e\x00\x77\xa2\xfb\x61\xe4\x8f\x28\xaf\x02\x28\x46\x0f\x4e\xe0\x7d\x0f\x30\x71\x67\xbc\xc3\x3d\xce\xbf\x4c\xbf\x71\x38\x73\xef\x2b\x9f\x8e\x7c\x2f\xe8\xb8\xb3\xd9\xd0\x1d\xf9\x12\x39\xde\x78\xf8\x79\xee\x4e\x3c\x38\x3c\x98\x07\xee\x27\x38\xfc\xc7\x24\x8a\x83\x5e\xef\xc9\xf0\xb9\x0a\xcf\x54\x78\x9a\xef\xdb\x4d\xf5\x42\xb9\x98\xd2\x98\xe0\x47\x83\x9b\xb6\xb2\xc4\xd9\x93\xea\xee\xd9\xaf\x68\xe4\x0f\xae\xa9\x37\xe7\xc3\x36\xde\x6b\x00\x74\xb3\x77\xf5\x92\xfa\x6f\x25\xea\xac\x44\xbd\x9e\xcb\x32\xed\x6f\x7a\xf0\x56\xdf\x7f\x96\xdf\xff\x63\xaa\x2f\x18\x7c\x4c\xa0\x8d\xfc\xfe\xdb\x7b\xfa\xff\x60\xed\xf6\x69\x93\x47\x66\xff\xaf\x32\xf6\x8e\xb4\x24\xf8\x9f\x72\x26\xff\x03\xe3\x7a\x7d\xff\xae\x02\x00\x00\xff\xff\x2e\x02\xe6\xdc\x08\x06\x00\x00")

func socketFilterBpfOBytes() ([]byte, error) {
	return bindataRead(
		_socketFilterBpfO,
		"socket-filter-bpf.o",
	)
}

func socketFilterBpfO() (*asset, error) {
	bytes, err := socketFilterBpfOBytes()
	if err != nil {
		return nil, err
	}

	info := bindataFileInfo{name: "socket-filter-bpf.o", size: 1544, mode: os.FileMode(420), modTime: time.Unix(1, 0)}
	a := &asset{bytes: bytes, info: info}
	return a, nil
}

// Asset loads and returns the asset for the given name.
// It returns an error if the asset could not be found or
// could not be loaded.
func Asset(name string) ([]byte, error) {
	cannonicalName := strings.Replace(name, "\\", "/", -1)
	if f, ok := _bindata[cannonicalName]; ok {
		a, err := f()
		if err != nil {
			return nil, fmt.Errorf("Asset %s can't read by error: %v", name, err)
		}
		return a.bytes, nil
	}
	return nil, fmt.Errorf("Asset %s not found", name)
}

// MustAsset is like Asset but panics when Asset would return an error.
// It simplifies safe initialization of global variables.
func MustAsset(name string) []byte {
	a, err := Asset(name)
	if err != nil {
		panic("asset: Asset(" + name + "): " + err.Error())
	}

	return a
}

// AssetInfo loads and returns the asset info for the given name.
// It returns an error if the asset could not be found or
// could not be loaded.
func AssetInfo(name string) (os.FileInfo, error) {
	cannonicalName := strings.Replace(name, "\\", "/", -1)
	if f, ok := _bindata[cannonicalName]; ok {
		a, err := f()
		if err != nil {
			return nil, fmt.Errorf("AssetInfo %s can't read by error: %v", name, err)
		}
		return a.info, nil
	}
	return nil, fmt.Errorf("AssetInfo %s not found", name)
}

// AssetNames returns the names of the assets.
func AssetNames() []string {
	names := make([]string, 0, len(_bindata))
	for name := range _bindata {
		names = append(names, name)
	}
	return names
}

// _bindata is a table, holding each asset generator, mapped to its name.
var _bindata = map[string]func() (*asset, error){
	"socket-filter-bpf.o": socketFilterBpfO,
}

// AssetDir returns the file names below a certain
// directory embedded in the file by go-bindata.
// For example if you run go-bindata on data/... and data contains the
// following hierarchy:
//     data/
//       foo.txt
//       img/
//         a.png
//         b.png
// then AssetDir("data") would return []string{"foo.txt", "img"}
// AssetDir("data/img") would return []string{"a.png", "b.png"}
// AssetDir("foo.txt") and AssetDir("notexist") would return an error
// AssetDir("") will return []string{"data"}.
func AssetDir(name string) ([]string, error) {
	node := _bintree
	if len(name) != 0 {
		cannonicalName := strings.Replace(name, "\\", "/", -1)
		pathList := strings.Split(cannonicalName, "/")
		for _, p := range pathList {
			node = node.Children[p]
			if node == nil {
				return nil, fmt.Errorf("Asset %s not found", name)
			}
		}
	}
	if node.Func != nil {
		return nil, fmt.Errorf("Asset %s not found", name)
	}
	rv := make([]string, 0, len(node.Children))
	for childName := range node.Children {
		rv = append(rv, childName)
	}
	return rv, nil
}

type bintree struct {
	Func     func() (*asset, error)
	Children map[string]*bintree
}
var _bintree = &bintree{nil, map[string]*bintree{
	"socket-filter-bpf.o": &bintree{socketFilterBpfO, map[string]*bintree{}},
}}

// RestoreAsset restores an asset under the given directory
func RestoreAsset(dir, name string) error {
	data, err := Asset(name)
	if err != nil {
		return err
	}
	info, err := AssetInfo(name)
	if err != nil {
		return err
	}
	err = os.MkdirAll(_filePath(dir, filepath.Dir(name)), os.FileMode(0755))
	if err != nil {
		return err
	}
	err = ioutil.WriteFile(_filePath(dir, name), data, info.Mode())
	if err != nil {
		return err
	}
	err = os.Chtimes(_filePath(dir, name), info.ModTime(), info.ModTime())
	if err != nil {
		return err
	}
	return nil
}

// RestoreAssets restores an asset under the given directory recursively
func RestoreAssets(dir, name string) error {
	children, err := AssetDir(name)
	// File
	if err != nil {
		return RestoreAsset(dir, name)
	}
	// Dir
	for _, child := range children {
		err = RestoreAssets(dir, filepath.Join(name, child))
		if err != nil {
			return err
		}
	}
	return nil
}

func _filePath(dir, name string) string {
	cannonicalName := strings.Replace(name, "\\", "/", -1)
	return filepath.Join(append([]string{dir}, strings.Split(cannonicalName, "/")...)...)
}



================================================
FILE: controller/pkg/ebpf/ebpf_darwin.go
================================================
// +build darwin

package ebpf

import (
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packet"
)

// BPFPath holds the BPF path
var BPFPath = "/sys/fs/bpf/app-ack"

type ebpfDarwin struct {
}

// IsEBPFSupported returns false for Darwin.
func IsEBPFSupported() bool {
	return false
}

// LoadBPF is not supported on Darwin.
func LoadBPF() BPFModule {
	return nil
}

func (*ebpfDarwin) CreateFlow(*packet.Packet) {
}

func (*ebpfDarwin) RemoveFlow(*packet.Packet) {
}

func (*ebpfDarwin) Cleanup() {
}

func (*ebpfDarwin) GetBPFPath() string {
	return ""
}


================================================
FILE: controller/pkg/ebpf/ebpf_linux.go
================================================
// +build !rhel6

package ebpf

import (
	"bytes"
	"encoding/binary"
	"os"
	"path/filepath"
	"strconv"
	"strings"
	"unsafe"

	bpflib "github.com/iovisor/gobpf/elf"
	"github.com/iovisor/gobpf/pkg/bpffs"
	provider "go.aporeto.io/enforcerd/trireme-lib/controller/pkg/aclprovider"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/connection"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/ebpf/bpfbuild"
	"go.uber.org/zap"
)

type ebpfModule struct {
	m          *bpflib.Module
	sessionMap *bpflib.Map
	bpfPath    string
}

type flow struct {
	srcIP   uint32
	dstIP   uint32
	srcPort uint16
	dstPort uint16
}

const bpfPath = "/sys/fs/bpf/"
const bpfPrefix = "app-ack"

func removeOldBPFFiles() {

	removeFiles := func(path string, info os.FileInfo, err error) error {
		if strings.Contains(path, bpfPrefix) {
			if err := os.Remove(path); err != nil {
				zap.L().Debug("Failed to remove file", zap.String("path", path), zap.Error(err))
			}
		}
		return nil
	}

	filepath.Walk(bpfPath, removeFiles) // nolint
}

// IsEBPFSupported is called once by the master enforcer to test if
// the system supports eBPF.
func IsEBPFSupported() bool {

	if err := bpffs.Mount(); err != nil {
		zap.L().Info("bpf mount failed", zap.Error(err))
		return false
	}

	var bpf BPFModule

	if bpf = LoadBPF(); bpf == nil {
		return false
	}

	if err := provider.TestIptablesPinned(bpf.GetBPFPath()); err != nil {
		zap.L().Info("Kernel doesn't support iptables pinned path", zap.Error(err))
		return false
	}

	removeOldBPFFiles()
	return true
}

// LoadBPF loads the bpf object in the memory and also pins the bpf to the file system.
func LoadBPF() BPFModule {
	bpf := &ebpfModule{}

	bpf.bpfPath = bpfPath + bpfPrefix + strconv.Itoa(os.Getpid())
	if err := os.Remove(bpf.bpfPath); err != nil {
		if !os.IsNotExist(err) {
			zap.L().Debug("Failed to remove bpf file", zap.Error(err))
		}
	}

	buf, err := bpfbuild.Asset("socket-filter-bpf.o")
	if err != nil {
		zap.L().Info("Failed to locate asset socket-filter-bpf", zap.Error(err))
		return nil
	}

	reader := bytes.NewReader(buf)
	m := bpflib.NewModuleFromReader(reader)

	if err := m.Load(nil); err != nil {
		zap.L().Info("Failed to load BPF in kernel", zap.Error(err))
		return nil
	}

	sfAppAck := m.SocketFilter("socket/app_ack")
	if sfAppAck == nil {
		zap.L().Info("Failed to load socket filter app_ack")
		return nil
	}

	if err := bpflib.PinObject(sfAppAck.Fd(), bpf.bpfPath); err != nil {
		zap.L().Info("Failed to pin bpf to file system", zap.Error(err))
		return nil
	}

	sessionMap := m.Map("sessions")
	if sessionMap == nil {
		zap.L().Info("Failed to load sessions map")
		return nil
	}

	bpf.m = m
	bpf.sessionMap = sessionMap

	return bpf
}

func (ebpf *ebpfModule) CreateFlow(tcpTuple *connection.TCPTuple) {
	var key flow
	var val uint8

	key.srcIP = binary.BigEndian.Uint32(tcpTuple.SourceAddress)
	key.dstIP = binary.BigEndian.Uint32(tcpTuple.DestinationAddress)
	key.srcPort = tcpTuple.SourcePort
	key.dstPort = tcpTuple.DestinationPort

	val = 1

	err := ebpf.m.UpdateElement(ebpf.sessionMap, unsafe.Pointer(&key), unsafe.Pointer(&val), 0)
	if err != nil {
		zap.L().Debug("Update bpf map failed",
			zap.String("packet", tcpTuple.String()),
			zap.Error(err))
	}
}

func (ebpf *ebpfModule) RemoveFlow(tcpTuple *connection.TCPTuple) {
	var key flow

	key.srcIP = binary.BigEndian.Uint32(tcpTuple.SourceAddress)
	key.dstIP = binary.BigEndian.Uint32(tcpTuple.DestinationAddress)
	key.srcPort = tcpTuple.SourcePort
	key.dstPort = tcpTuple.DestinationPort

	err := ebpf.m.DeleteElement(ebpf.sessionMap, unsafe.Pointer(&key))
	if err != nil {
		zap.L().Debug("Delete bpf map failed",
			zap.String("packet", tcpTuple.String()),
			zap.Error(err))
	}
}

func (ebpf *ebpfModule) GetBPFPath() string {
	return ebpf.bpfPath
}

func (ebpf *ebpfModule) Cleanup() {
	if err := os.Remove(ebpf.bpfPath); err != nil {
		zap.L().Error("Failed to remove bpf file during cleanup", zap.Error(err))
	}
}


================================================
FILE: controller/pkg/ebpf/ebpf_rhel6.go
================================================
// +build rhel6

package ebpf

import (
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packet"
)

// BPFPath holds the BPF path
var BPFPath = "/sys/fs/bpf/app-ack"

type ebpfRhel6 struct {
}

// IsEBPFSupported returns false for RHEL6.
func IsEBPFSupported() bool {
	return false
}

// LoadBPF is not supported on RHEL6.
func LoadBPF() BPFModule {
	return nil
}

func (*ebpfRhel6) CreateFlow(*packet.Packet) {
}

func (*ebpfRhel6) RemoveFlow(*packet.Packet) {
}

func (*ebpfRhel6) Cleanup() {
}

func (*ebpfRhel6) GetBPFPath() string {
	return ""
}


================================================
FILE: controller/pkg/ebpf/ebpf_windows.go
================================================
package ebpf

// IsEBPFSupported returns false for Windows.
func IsEBPFSupported() bool {
	return false
}

// LoadBPF is not supported on Windows.
func LoadBPF() BPFModule {
	return nil
}


================================================
FILE: controller/pkg/ebpf/interface.go
================================================
package ebpf

import "go.aporeto.io/enforcerd/trireme-lib/controller/pkg/connection"

//BPFModule interface exposes the functionality to datapath
type BPFModule interface {
	GetBPFPath() string
	CreateFlow(*connection.TCPTuple)
	RemoveFlow(*connection.TCPTuple)
	Cleanup()
}


================================================
FILE: controller/pkg/env/parameters.go
================================================
package env

import (
	"os"
	"strconv"

	"go.aporeto.io/enforcerd/trireme-lib/controller/constants"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/claimsheader"
)

// RemoteParameters holds all configuration objects that must be passed
// during the initialization of the monitor.
type RemoteParameters struct {
	LogWithID      bool
	LogLevel       string
	LogFormat      string
	CompressedTags claimsheader.CompressionType
}

// GetParameters retrieves log parameters for Remote Enforcer.
func GetParameters() (string, string, string, claimsheader.CompressionType, int) {

	var logID, logLevel, logFormat string
	var compressedTagsVersion claimsheader.CompressionType
	var numQueues int

	logLevel = os.Getenv(constants.EnvLogLevel)
	if logLevel == "" {
		logLevel = "info"
	}
	logFormat = os.Getenv(constants.EnvLogFormat)
	if logLevel == "" {
		logFormat = "json"
	}

	logID = os.Getenv(constants.EnvLogID)
	compressedTagsVersion = claimsheader.CompressionTypeV1

	if num, err := strconv.Atoi(os.Getenv(constants.EnvEnforcerdNFQueues)); err == nil {
		numQueues = num
	} else {
		numQueues = 4
	}

	return logID, logLevel, logFormat, compressedTagsVersion, numQueues
}


================================================
FILE: controller/pkg/flowtracking/flowtracking.go
================================================
// +build linux

package flowtracking

import (
	"context"
	"fmt"
	"net"

	"github.com/mdlayher/netlink"
	"github.com/ti-mo/conntrack"
)

// Client is a flow update client
type Client struct {
	conn *conntrack.Conn
}

// NewClient creates a new flow tracking client. s
func NewClient(ctx context.Context) (*Client, error) {
	c, err := conntrack.Dial(&netlink.Config{
		// Enable this when the netlink PR is merged.
		DisableNSLockThread: true,
	})
	if err != nil {
		return nil, fmt.Errorf("flow tracker is unable to dial netlink: %s", err)
	}

	client := &Client{conn: c}
	go func() {
		<-ctx.Done()
		client.conn.Close() // nolint errcheck
	}()

	return client, nil
}

// Close will close the connection of the client.
func (c *Client) Close() error {
	return c.conn.Close()
}

// UpdateMark updates the mark of the flow. Caller must indicate if this is an application
// flow or a network flow.
func (c *Client) UpdateMark(ipSrc, ipDst net.IP, protonum uint8, srcport, dstport uint16, newmark uint32, network bool) error {

	if network {
		return c.UpdateNetworkFlowMark(ipSrc, ipDst, protonum, srcport, dstport, newmark)
	}

	return c.UpdateApplicationFlowMark(ipSrc, ipDst, protonum, srcport, dstport, newmark)
}

// GetOriginalDest gets the original destination ip, port and the mark on the packet
func (c *Client) GetOriginalDest(ipSrc, ipDst net.IP, srcport, dstport uint16, protonum uint8) (net.IP, uint16, uint32, error) {

	flow := conntrack.NewFlow(protonum, 0, ipSrc, ipDst, srcport, dstport, 0, 0)
	origFlow, err := c.conn.Get(flow)
	return origFlow.TupleOrig.IP.DestinationAddress, origFlow.TupleOrig.Proto.DestinationPort, origFlow.Mark, err
}

// UpdateNetworkFlowMark will update the mark for a flow based on packet information received
// from the network. It will use the reverse tables in conntrack for that.
func (c *Client) UpdateNetworkFlowMark(ipSrc, ipDst net.IP, protonum uint8, srcport, dstport uint16, newmark uint32) error {

	f := newReplyFlow(protonum, 0, ipSrc, ipDst, srcport, dstport, 0, newmark)

	return c.conn.Update(f)
}

// UpdateApplicationFlowMark will update the mark for a flow based on the packet information
// received from an application. It will use the forward entries of conntrack for that.
func (c *Client) UpdateApplicationFlowMark(ipSrc, ipDst net.IP, protonum uint8, srcport, dstport uint16, newmark uint32) error {

	f := conntrack.NewFlow(protonum, 0, ipSrc, ipDst, srcport, dstport, 0, newmark)

	return c.conn.Update(f)
}

// newReplyFlow will create a flow based on the reply tuple only. This will help us
// update the mark without requiring knowledge of nats.
func newReplyFlow(proto uint8, status conntrack.StatusFlag, srcAddr, destAddr net.IP, srcPort, destPort uint16, timeout, mark uint32) conntrack.Flow {

	var f conntrack.Flow

	f.Status.Value = status

	f.Timeout = timeout
	f.Mark = mark

	// Set up TupleReply with source and destination inverted
	f.TupleReply.IP.SourceAddress = srcAddr
	f.TupleReply.IP.DestinationAddress = destAddr
	f.TupleReply.Proto.SourcePort = srcPort
	f.TupleReply.Proto.DestinationPort = destPort
	f.TupleReply.Proto.Protocol = proto

	return f
}


================================================
FILE: controller/pkg/flowtracking/flowtracking_nonlinux.go
================================================
// +build !linux

package flowtracking

import (
	"context"
	"net"
)

// Client is a flow update client.
// For Windows, we can't use conntrack.
type Client struct {
}

// NewClient creates a new flow tracking client.
func NewClient(ctx context.Context) (*Client, error) {
	return &Client{}, nil
}

// Close will close the connection of the client.
func (c *Client) Close() error {
	return nil
}

// UpdateMark updates the mark of the flow. Caller must indicate if this is an application
// flow or a network flow. Not used in Windows.
func (c *Client) UpdateMark(ipSrc, ipDst net.IP, protonum uint8, srcport, dstport uint16, newmark uint32, network bool) error {
	return nil
}

// UpdateNetworkFlowMark will update the mark for a flow based on packet information received
// from the network. It will use the reverse tables in conntrack for that. Not used in Windows.
func (c *Client) UpdateNetworkFlowMark(ipSrc, ipDst net.IP, protonum uint8, srcport, dstport uint16, newmark uint32) error {
	return nil
}

// UpdateApplicationFlowMark will update the mark for a flow based on the packet information
// received from an application. It will use the forward entries of conntrack for that. Not used in Windows.
func (c *Client) UpdateApplicationFlowMark(ipSrc, ipDst net.IP, protonum uint8, srcport, dstport uint16, newmark uint32) error {
	return nil
}

// GetOriginalDest gets the original destination ip, port and the mark on the packet. Not used in Windows.
// TODO(windows): we may need to support this?
func (c *Client) GetOriginalDest(ipSrc, ipDst net.IP, srcport, dstport uint16, protonum uint8) (net.IP, uint16, uint32, error) {
	return nil, 0, 0, nil
}


================================================
FILE: controller/pkg/flowtracking/interfaces.go
================================================
package flowtracking

import "net"

// FlowClient defines an interface that trireme uses to communicate with the conntrack
type FlowClient interface {
	// Close will close the connection of the client.
	Close() error
	// UpdateMark updates the mark of the flow. Caller must indicate if this is an application
	// flow or a network flow.
	UpdateMark(ipSrc, ipDst net.IP, protonum uint8, srcport, dstport uint16, newmark uint32, network bool) error
	// GetOriginalDest gets the original destination ip, port and the mark on the packet
	GetOriginalDest(ipSrc, ipDst net.IP, srcport, dstport uint16, protonum uint8) (net.IP, uint16, uint32, error)
	// UpdateNetworkFlowMark will update the mark for a flow based on packet information received
	// from the network. It will use the reverse tables in conntrack for that.
	UpdateNetworkFlowMark(ipSrc, ipDst net.IP, protonum uint8, srcport, dstport uint16, newmark uint32) error
	// UpdateApplicationFlowMark will update the mark for a flow based on the packet information
	// received from an application. It will use the forward entries of conntrack for that.
	UpdateApplicationFlowMark(ipSrc, ipDst net.IP, protonum uint8, srcport, dstport uint16, newmark uint32) error
}


================================================
FILE: controller/pkg/flowtracking/mockflowclient/mockflowclient.go
================================================
// Code generated by MockGen. DO NOT EDIT.
// Source: controller/pkg/flowtracking/interfaces.go

// Package mockflowclient is a generated GoMock package.
package mockflowclient

import (
	net "net"
	reflect "reflect"

	gomock "github.com/golang/mock/gomock"
)

// MockFlowClient is a mock of FlowClient interface
// nolint
type MockFlowClient struct {
	ctrl     *gomock.Controller
	recorder *MockFlowClientMockRecorder
}

// MockFlowClientMockRecorder is the mock recorder for MockFlowClient
// nolint
type MockFlowClientMockRecorder struct {
	mock *MockFlowClient
}

// NewMockFlowClient creates a new mock instance
// nolint
func NewMockFlowClient(ctrl *gomock.Controller) *MockFlowClient {
	mock := &MockFlowClient{ctrl: ctrl}
	mock.recorder = &MockFlowClientMockRecorder{mock}
	return mock
}

// EXPECT returns an object that allows the caller to indicate expected use
// nolint
func (m *MockFlowClient) EXPECT() *MockFlowClientMockRecorder {
	return m.recorder
}

// Close mocks base method
// nolint
func (m *MockFlowClient) Close() error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "Close")
	ret0, _ := ret[0].(error)
	return ret0
}

// Close indicates an expected call of Close
// nolint
func (mr *MockFlowClientMockRecorder) Close() *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Close", reflect.TypeOf((*MockFlowClient)(nil).Close))
}

// UpdateMark mocks base method
// nolint
func (m *MockFlowClient) UpdateMark(ipSrc, ipDst net.IP, protonum uint8, srcport, dstport uint16, newmark uint32, network bool) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "UpdateMark", ipSrc, ipDst, protonum, srcport, dstport, newmark, network)
	ret0, _ := ret[0].(error)
	return ret0
}

// UpdateMark indicates an expected call of UpdateMark
// nolint
func (mr *MockFlowClientMockRecorder) UpdateMark(ipSrc, ipDst, protonum, srcport, dstport, newmark, network interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateMark", reflect.TypeOf((*MockFlowClient)(nil).UpdateMark), ipSrc, ipDst, protonum, srcport, dstport, newmark, network)
}

// GetOriginalDest mocks base method
// nolint
func (m *MockFlowClient) GetOriginalDest(ipSrc, ipDst net.IP, srcport, dstport uint16, protonum uint8) (net.IP, uint16, uint32, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "GetOriginalDest", ipSrc, ipDst, srcport, dstport, protonum)
	ret0, _ := ret[0].(net.IP)
	ret1, _ := ret[1].(uint16)
	ret2, _ := ret[2].(uint32)
	ret3, _ := ret[3].(error)
	return ret0, ret1, ret2, ret3
}

// GetOriginalDest indicates an expected call of GetOriginalDest
// nolint
func (mr *MockFlowClientMockRecorder) GetOriginalDest(ipSrc, ipDst, srcport, dstport, protonum interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetOriginalDest", reflect.TypeOf((*MockFlowClient)(nil).GetOriginalDest), ipSrc, ipDst, srcport, dstport, protonum)
}

// UpdateNetworkFlowMark mocks base method
// nolint
func (m *MockFlowClient) UpdateNetworkFlowMark(ipSrc, ipDst net.IP, protonum uint8, srcport, dstport uint16, newmark uint32) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "UpdateNetworkFlowMark", ipSrc, ipDst, protonum, srcport, dstport, newmark)
	ret0, _ := ret[0].(error)
	return ret0
}

// UpdateNetworkFlowMark indicates an expected call of UpdateNetworkFlowMark
// nolint
func (mr *MockFlowClientMockRecorder) UpdateNetworkFlowMark(ipSrc, ipDst, protonum, srcport, dstport, newmark interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateNetworkFlowMark", reflect.TypeOf((*MockFlowClient)(nil).UpdateNetworkFlowMark), ipSrc, ipDst, protonum, srcport, dstport, newmark)
}

// UpdateApplicationFlowMark mocks base method
// nolint
func (m *MockFlowClient) UpdateApplicationFlowMark(ipSrc, ipDst net.IP, protonum uint8, srcport, dstport uint16, newmark uint32) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "UpdateApplicationFlowMark", ipSrc, ipDst, protonum, srcport, dstport, newmark)
	ret0, _ := ret[0].(error)
	return ret0
}

// UpdateApplicationFlowMark indicates an expected call of UpdateApplicationFlowMark
// nolint
func (mr *MockFlowClientMockRecorder) UpdateApplicationFlowMark(ipSrc, ipDst, protonum, srcport, dstport, newmark interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateApplicationFlowMark", reflect.TypeOf((*MockFlowClient)(nil).UpdateApplicationFlowMark), ipSrc, ipDst, protonum, srcport, dstport, newmark)
}


================================================
FILE: controller/pkg/fqconfig/fqconfig.go
================================================
package fqconfig

// FilterQueue captures the runtime configuration like the number of queues, dns servers.
type FilterQueue interface {
	GetNumQueues() int
	GetDNSServerAddresses() []string
}

type filterQueue struct {
	//NumNFQueues
	numNFQueues int
	// DNSServerAddress
	DNSServerAddress []string
}

// NewFilterQueue returns an instance of FilterQueue
func NewFilterQueue(numNFQueues int, dnsServerAddress []string) FilterQueue {
	return &filterQueue{
		numNFQueues:      numNFQueues,
		DNSServerAddress: dnsServerAddress,
	}
}

// GetMarkValue returns a mark value to be used by iptables action
func (f *filterQueue) GetNumQueues() int {
	return f.numNFQueues
}

func (f *filterQueue) GetDNSServerAddresses() []string {
	return f.DNSServerAddress
}


================================================
FILE: controller/pkg/fqconfig/fqconfig_test.go
================================================
// +build !windows

package fqconfig

import (
	"testing"

	. "github.com/smartystreets/goconvey/convey"
)

func TestFqDefaultConfig(t *testing.T) {

	Convey("Given I create a new default filter queue config", t, func() {
		fqc := NewFilterQueueWithDefaults()
		Convey("Then I should see a config", func() {

			So(fqc, ShouldNotBeNil)

			So(fqc.GetMarkValue(), ShouldEqual, DefaultMarkValue)

			So(fqc.GetApplicationQueueSize(), ShouldEqual, DefaultQueueSize)
			So(fqc.GetNumApplicationQueues(), ShouldEqual, DefaultNumberOfQueues*4)
			So(fqc.GetApplicationQueueStart(), ShouldEqual, 0)
			So(fqc.GetApplicationQueueSynStr(), ShouldEqual, "0:3")
			So(fqc.GetApplicationQueueAckStr(), ShouldEqual, "4:7")
			So(fqc.GetApplicationQueueSynAckStr(), ShouldEqual, "8:11")
			So(fqc.GetApplicationQueueSvcStr(), ShouldEqual, "12:15")

			So(fqc.GetNetworkQueueSize(), ShouldEqual, DefaultQueueSize)
			So(fqc.GetNumNetworkQueues(), ShouldEqual, DefaultNumberOfQueues*4)
			So(fqc.GetNetworkQueueStart(), ShouldEqual, fqc.GetNumApplicationQueues())
			So(fqc.GetNetworkQueueSynStr(), ShouldEqual, "16:19")
			So(fqc.GetNetworkQueueAckStr(), ShouldEqual, "20:23")
			So(fqc.GetNetworkQueueSynAckStr(), ShouldEqual, "24:27")
			So(fqc.GetNetworkQueueSvcStr(), ShouldEqual, "28:31")
		})
	})
}


================================================
FILE: controller/pkg/ipsetmanager/constants_nonwindows.go
================================================
// +build !windows

package ipsetmanager

const (
	portSetIpsetType      = ""
	proxySetPortIpsetType = ""
)


================================================
FILE: controller/pkg/ipsetmanager/constants_windows.go
================================================
// +build windows

package ipsetmanager

const (
	portSetIpsetType      = "hash:net"
	proxySetPortIpsetType = "hash:port"
)


================================================
FILE: controller/pkg/ipsetmanager/helpers.go
================================================
package ipsetmanager

import (
	"strings"
)

func addToIPset(set Ipset, data string) error {

	// ipset can not program this rule
	if data == IPv4DefaultIP {
		if err := addToIPset(set, "0.0.0.0/1"); err != nil {
			return err
		}

		return addToIPset(set, "128.0.0.0/1")
	}

	// ipset can not program this rule
	if data == IPv6DefaultIP {
		if err := addToIPset(set, "::/1"); err != nil {
			return err
		}

		return addToIPset(set, "8000::/1")
	}

	if strings.HasPrefix(data, "!") {
		return set.AddOption(data[1:], "nomatch", 0)
	}

	return set.Add(data, 0)
}

func delFromIPset(set Ipset, data string) error {

	if data == IPv4DefaultIP {
		if err := delFromIPset(set, "0.0.0.0/1"); err != nil {
			return err
		}

		return delFromIPset(set, "128.0.0.0/1")
	}

	if data == IPv6DefaultIP {
		if err := delFromIPset(set, "::/1"); err != nil {
			return err
		}

		return delFromIPset(set, "8000::/1")
	}

	return set.Del(strings.TrimPrefix(data, "!"))
}


================================================
FILE: controller/pkg/ipsetmanager/ipsetmanager.go
================================================
package ipsetmanager

import (
	"encoding/base64"
	"fmt"
	"io"
	"net"
	"strings"
	"sync"

	ipsetpackage "github.com/aporeto-inc/go-ipset/ipset"
	"github.com/spaolacci/murmur3"

	"go.aporeto.io/enforcerd/trireme-lib/controller/constants"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
	"go.uber.org/zap"
)

const (
	//IPv6DefaultIP is the default ip of v6
	IPv6DefaultIP = "::/0"
	//IPv4DefaultIP is the  default ip for v4
	IPv4DefaultIP = "0.0.0.0/0"
	//IPsetV4 version for ipv4
	IPsetV4 = iota
	//IPsetV6 version for ipv6
	IPsetV6

	processPortSetPrefix = "ProcPort-"
	proxyPortSetPrefix   = "Proxy-"
	targetTCPSuffix      = "TargetTCP"
	targetUDPSuffix      = "TargetUDP"
	excludedSuffix       = "Excluded"
)

//TargetAndExcludedNetworks interface is used to interact with target and excluded networks
type TargetAndExcludedNetworks interface {
	//CreateIPsetsForTargetAndExcludedNetworks creates the ipsets for target and excluded networks
	CreateIPsetsForTargetAndExcludedNetworks() error
	//UpdateIPsetsForTargetAndExcludedNetworks updates the ipsets accordingly.
	UpdateIPsetsForTargetAndExcludedNetworks([]string, []string, []string) error
	//GetIPsetNamesForTargetAndExcludedNetworks returns the ipsets names for tcp, udp and excluded networks
	GetIPsetNamesForTargetAndExcludedNetworks() (string, string, string)
}

//ServerL3 interface is used to interact with the ipsets required to program
//ports that the server(PU) listens on in L3 datapath.
type ServerL3 interface {
	//CreateServerPortSet creates the ipset.
	CreateServerPortSet(contextID string) error
	//GetServerPortSetName returns the name of the portset created
	GetServerPortSetName(contextID string) string
	//DestroyServerPortSet destroys the server port set.
	DestroyServerPortSet(contextID string) error
	//AddPortToServerPortSet adds port to the portset.
	AddPortToServerPortSet(contextID string, port string) error
	//DeletePortFromServerPortSet deletes the port from port set.
	DeletePortFromServerPortSet(contextID string, port string) error
}

// ACLL3 interface is used to interact with the ipsets required for
// application and network acl's in L3.
type ACLL3 interface {
	//RegisterExternalNets registers the ipsets corresponding the external networks.
	RegisterExternalNets(contextID string, extnets policy.IPRuleList) error
	//AddACLIPsets adds the IPs in the ipsets corresponding to the external network service ID.
	UpdateACLIPsets([]string, string)
	//DestroyUnusedIPsets will remove the unused ipsets.
	DestroyUnusedIPsets()
	//RemoveExternalNets removes the external networks corresponding to the PU contextID.
	RemoveExternalNets(contextID string)
	//GetACLIPsets returns the ipset string that correspond to the external networks in the argument
	GetACLIPsetsNames(extnets policy.IPRuleList) []string
	// DeleteEntryFromIPset delete an entry from an ipset
	DeleteEntryFromIPset(ips []string, serviceID string)
}

//ProxyL4 interface is used to interact with the ipsets required for
//L4/L7 Services. These include dependent services and exposed Services
type ProxyL4 interface {
	//CreateProxySets creates the ipsets to implement L4/L7 services
	CreateProxySets(contextID string) error
	//GetProxyIPsetNames returns the ipset strings that correspond to the pu
	GetProxySetNames(contextID string) (string, string)
	//DestroyProxySet destroys the ipsets being used for L4/L7 services
	DestroyProxySets(contextID string)
	//FlushProxySets flushes the proxy IPsets
	FlushProxySets(contextID string)
	//AddIPPortToDependentService adds ip port to the dependent service
	AddIPPortToDependentService(contextID string, ip *net.IPNet, port string) error
	//AddPortToExposedService adds the port that this service is exposing
	AddPortToExposedService(contextID string, port string) error
}

//DestroyAll destroys all the ipsets created.
type DestroyAll interface {
	//DestroyAllIPsets destroys the created ipsets.
	DestroyAllIPsets() error
}

//IPsetPrefix returns the prefix used to construct the ipset.
type IPsetPrefix interface {
	//GetIPsetPrefix returns the prefix.
	GetIPsetPrefix() string
}

//IPSetManager interface is used by supervisor. This interface provides the supervisor to
//create ipsets corresponding to service ID.
type IPSetManager interface {
	TargetAndExcludedNetworks
	ServerL3
	ACLL3
	ProxyL4
	DestroyAll
	IPsetPrefix

	Reset()
}

type ipsetInfo struct {
	contextIDs map[string]bool
	name       string
	addresses  map[string]bool
}

type aclHandler struct {
	serviceIDtoACLIPset   map[string]*ipsetInfo
	contextIDtoServiceIDs map[string]map[string]bool
	toDestroy             []string
}

type targetNetwork struct {
	tcp []string
	udp []string
}

type excludedNetwork struct {
	excluded []string
}

type handler struct {
	sync.RWMutex

	ipsetPrefix string
	ipFilter    func(net.IP) bool
	ipsetParams *ipsetpackage.Params

	acl aclHandler
	tn  targetNetwork
	en  excludedNetwork

	dynamicUpdates map[string][]string
}

const (
	ipv4String = "v4-"
	ipv6String = "v6-"
)

var ipv4Handler = &handler{
	ipsetPrefix: constants.ChainPrefix + ipv4String,
	ipFilter: func(ip net.IP) bool {
		return (ip.To4() != nil)
	},
	ipsetParams: &ipsetpackage.Params{},

	acl: aclHandler{
		serviceIDtoACLIPset:   map[string]*ipsetInfo{},
		contextIDtoServiceIDs: map[string]map[string]bool{},
	},
	tn:             targetNetwork{tcp: []string{}, udp: []string{}},
	en:             excludedNetwork{excluded: []string{}},
	dynamicUpdates: map[string][]string{},
}

var ipv6Handler = &handler{
	ipsetPrefix: constants.ChainPrefix + ipv6String,
	ipFilter: func(ip net.IP) bool {
		return (ip.To4() == nil)
	},
	ipsetParams: &ipsetpackage.Params{HashFamily: "inet6"},

	acl: aclHandler{
		serviceIDtoACLIPset:   map[string]*ipsetInfo{},
		contextIDtoServiceIDs: map[string]map[string]bool{},
	},
	tn:             targetNetwork{tcp: []string{}, udp: []string{}},
	en:             excludedNetwork{excluded: []string{}},
	dynamicUpdates: map[string][]string{},
}

//V4 returns the ipv4 instance of ipsetmanager
func V4() IPSetManager {
	return ipv4Handler
}

//V6 returns the ipv6 instance of ipsetmanager
func V6() IPSetManager {
	return ipv6Handler
}

func (ipHandler *handler) DestroyAllIPsets() error {

	if err := destroyAll(ipHandler.ipsetPrefix); err != nil {
		return err
	}

	return nil
}

func (ipHandler *handler) Reset() {
	ipHandler.Lock()

	ipHandler.acl = aclHandler{
		serviceIDtoACLIPset:   map[string]*ipsetInfo{},
		contextIDtoServiceIDs: map[string]map[string]bool{},
	}

	ipHandler.tn = targetNetwork{tcp: []string{}, udp: []string{}}
	ipHandler.en = excludedNetwork{excluded: []string{}}

	ipHandler.Unlock()
}

func (ipHandler *handler) CreateIPsetsForTargetAndExcludedNetworks() error {

	targetTCPName := ipHandler.ipsetPrefix + targetTCPSuffix
	targetUDPName := ipHandler.ipsetPrefix + targetUDPSuffix
	excludedName := ipHandler.ipsetPrefix + excludedSuffix

	existingSets, err := listIPSets()
	if err != nil {
		return fmt.Errorf("unable to read current sets: %s", err)
	}

	setIndex := map[string]struct{}{}
	for _, s := range existingSets {
		setIndex[s] = struct{}{}
	}

	createIPSet := func(name string) error {
		var ipset Ipset
		var err error

		if _, ok := setIndex[name]; !ok {
			ipset, err = newIpset(name, "hash:net", ipHandler.ipsetParams)
			if err != nil {
				return err
			}
		} else {
			ipset = getIpset(name)
		}

		if err = ipset.Flush(); err != nil {
			return err
		}

		return nil
	}

	if err := createIPSet(targetTCPName); err != nil {
		return err
	}

	if err := createIPSet(targetUDPName); err != nil {
		return err
	}

	if err := createIPSet(excludedName); err != nil {
		return err
	}

	return nil
}

func updateIPSets(ipset Ipset, old []string, new []string) error {
	// We need to delete first, because of nomatch.
	// For example, if old has 1.2.3.4 and new has !1.2.3.4, then we delete the 1.2.3.4 first
	// before we can add the 1.2.3.4 with the nomatch option.

	deleteMap := map[string]bool{}
	addMap := map[string]bool{}
	for _, net := range old {
		deleteMap[net] = true
	}
	for _, net := range new {
		if _, ok := deleteMap[net]; ok {
			deleteMap[net] = false
			continue
		}
		addMap[net] = true
	}

	for net, delete := range deleteMap {
		if delete {
			if err := delFromIPset(ipset, net); err != nil {
				zap.L().Debug("unable to remove network from set", zap.Error(err))
			}
		}
	}

	for net, add := range addMap {
		if add {
			if err := addToIPset(ipset, net); err != nil {
				return fmt.Errorf("unable to update target set: %s", err)
			}
		}
	}

	return nil
}

func (ipHandler *handler) UpdateIPsetsForTargetAndExcludedNetworks(tcp []string, udp []string, excluded []string) error {

	filterIPs := func(ips []string) []string {
		var filteredIPs []string

		for _, ip := range ips {
			parsable := ip
			if strings.HasPrefix(ip, "!") {
				parsable = ip[1:]
			}
			netIP := net.ParseIP(parsable)
			if netIP == nil {
				netIP, _, _ = net.ParseCIDR(parsable)
			}

			if ipHandler.ipFilter(netIP) {
				filteredIPs = append(filteredIPs, ip)
			}
		}

		return filteredIPs
	}

	tcpSet := getIpset(ipHandler.ipsetPrefix + targetTCPSuffix)
	udpSet := getIpset(ipHandler.ipsetPrefix + targetUDPSuffix)
	excludedSet := getIpset(ipHandler.ipsetPrefix + excludedSuffix)

	tcpFilterIPs := filterIPs(tcp)
	if err := updateIPSets(tcpSet, ipHandler.tn.tcp, tcpFilterIPs); err != nil {
		return err
	}

	udpFilterIPs := filterIPs(udp)
	if err := updateIPSets(udpSet, ipHandler.tn.udp, udpFilterIPs); err != nil {
		return err
	}

	excludedFilterIPs := filterIPs(excluded)
	if err := updateIPSets(excludedSet, ipHandler.en.excluded, excludedFilterIPs); err != nil {
		return err
	}

	ipHandler.tn.tcp = tcpFilterIPs
	ipHandler.tn.udp = udpFilterIPs
	ipHandler.en.excluded = excludedFilterIPs

	return nil
}

func (ipHandler *handler) GetIPsetNamesForTargetAndExcludedNetworks() (string, string, string) {
	return ipHandler.ipsetPrefix + targetTCPSuffix, ipHandler.ipsetPrefix + targetUDPSuffix, ipHandler.ipsetPrefix + excludedSuffix
}

func (ipHandler *handler) getServerPortSetName(contextID string) string {

	prefix := ipHandler.ipsetPrefix + processPortSetPrefix

	return createName(contextID, prefix)
}

func (ipHandler *handler) getProxyIPSetNames(contextID string) (string, string) {
	prefix := ipHandler.ipsetPrefix + proxyPortSetPrefix
	name := createName(contextID, prefix)

	return name + "-dst", name + "-srv"
}

func (ipHandler *handler) GetProxySetNames(contextID string) (string, string) {
	return ipHandler.getProxyIPSetNames(contextID)
}

func (ipHandler *handler) DestroyProxySets(contextID string) {
	destSetName, srvSetName := ipHandler.getProxyIPSetNames(contextID)

	ips := getIpset(destSetName)
	if err := ips.Destroy(); err != nil {
		zap.L().Warn("Failed to destroy proxyPortSet", zap.String("SetName", destSetName), zap.Error(err))
	}

	ips = getIpset(srvSetName)
	if err := ips.Destroy(); err != nil {
		zap.L().Warn("Failed to clear proxy port set", zap.String("set name", srvSetName), zap.Error(err))
	}
}

//CreateProxySets creates the ipsets for L4/L7 services
func (ipHandler *handler) CreateProxySets(contextID string) error {

	destSetName, srvSetName := ipHandler.getProxyIPSetNames(contextID)

	if _, err := newIpset(destSetName, "hash:net,port", ipHandler.ipsetParams); err != nil {
		return fmt.Errorf("unable to create ipset for %s: %s", destSetName, err)
	}

	// create ipset for port match
	if _, err := newIpset(srvSetName, proxySetPortIpsetType, nil); err != nil {
		return fmt.Errorf("unable to create ipset for %s: %s", srvSetName, err)
	}

	return nil
}

func (ipHandler *handler) FlushProxySets(contextID string) {
	destSetName, srvSetName := ipHandler.getProxyIPSetNames(contextID)

	ips := getIpset(destSetName)
	if err := ips.Flush(); err != nil {
		zap.L().Warn("Failed to flush dest proxy port set", zap.String("SetName", destSetName), zap.Error(err))
	}

	ips = getIpset(srvSetName)
	if err := ips.Flush(); err != nil {
		zap.L().Warn("Failed to flush server proxy port set", zap.String("set name", srvSetName), zap.Error(err))
	}
}

func (ipHandler *handler) AddIPPortToDependentService(contextID string, addr *net.IPNet, port string) error {

	destSetName, _ := ipHandler.getProxyIPSetNames(contextID)
	ips := getIpset(destSetName)

	if ipHandler.ipFilter(addr.IP) {
		pair := addr.String() + "," + port
		if err := ips.Add(pair, 0); err != nil {
			return fmt.Errorf("unable to add dependent ip %s to ipset: %s", pair, err)
		}
	}

	return nil
}

func (ipHandler *handler) AddPortToExposedService(contextID string, port string) error {
	_, srvSetName := ipHandler.getProxyIPSetNames(contextID)
	ips := getIpset(srvSetName)

	if err := ips.Add(port, 0); err != nil {
		return fmt.Errorf("unable to add port %s to exposed service %s", port, err)
	}

	return nil
}

func (ipHandler *handler) GetServerPortSetName(contextID string) string {
	return ipHandler.getServerPortSetName(contextID)
}

func (ipHandler *handler) CreateServerPortSet(contextID string) error {

	if _, err := newIpset(ipHandler.getServerPortSetName(contextID), portSetIpsetType, nil); err != nil {
		return err
	}

	return nil
}

func (ipHandler *handler) DestroyServerPortSet(contextID string) error {

	portSetName := ipHandler.getServerPortSetName(contextID)
	ips := getIpset(portSetName)

	if err := ips.Destroy(); err != nil {
		return fmt.Errorf("Failed to delete pu port set "+portSetName, zap.Error(err))
	}

	return nil
}

func (ipHandler *handler) AddPortToServerPortSet(contextID string, port string) error {

	ips := getIpset(ipHandler.getServerPortSetName(contextID))

	if err := ips.Add(port, 0); err != nil {
		return fmt.Errorf("unable to add port to portset: %s", err)
	}

	return nil
}

func (ipHandler *handler) DeletePortFromServerPortSet(contextID string, port string) error {

	ips := getIpset(ipHandler.getServerPortSetName(contextID))

	if err := ips.Del(port); err != nil {
		return fmt.Errorf("unable to delete port from portset: %s", err)
	}

	return nil
}

// RegisterExternalNets registers the contextID and the corresponding serviceIDs
func (ipHandler *handler) RegisterExternalNets(contextID string, extnets policy.IPRuleList) error {
	ipHandler.Lock()
	defer ipHandler.Unlock()

	processExtnets := func() error {
		for _, extnet := range extnets {
			var ipset *ipsetInfo

			serviceID := extnet.Policy.ServiceID
			if ipset = ipHandler.acl.serviceIDtoACLIPset[serviceID]; ipset == nil {
				var err error
				if ipset, err = ipHandler.createACLIPset(serviceID); err != nil {
					return err
				}
			}

			// make sure to include updates that were added dynamically by the DNS proxy
			addrs := extnet.Addresses
			if dynamicAddrs, ok := ipHandler.dynamicUpdates[serviceID]; ok {
				addrs = append(addrs, dynamicAddrs...)
			}

			ipHandler.synchronizeIPsinIpset(ipset, addrs)
			// have a backreference from serviceID to contextID
			ipset.contextIDs[contextID] = true
		}

		return nil
	}

	processOlderExtnets := func() {
		newExtnets := map[string]bool{}

		for _, extnet := range extnets {

			serviceID := extnet.Policy.ServiceID
			newExtnets[serviceID] = true
			m, ok := ipHandler.acl.contextIDtoServiceIDs[contextID]

			if ok && m[serviceID] {
				delete(m, serviceID)
			}
		}

		for serviceID := range ipHandler.acl.contextIDtoServiceIDs[contextID] {
			ipHandler.reduceReferenceFromServiceID(contextID, serviceID)
		}

		ipHandler.acl.contextIDtoServiceIDs[contextID] = newExtnets
	}

	if err := processExtnets(); err != nil {
		return err
	}

	processOlderExtnets()

	return nil
}

// deleteDynamicAddresses must only be alled by DeleteEntryFromIPset to update the internal map of dyanamic addresses
func (ipHandler *handler) deleteDynamicAddresses(ips []string, serviceID string) {
	if dynAddrs, ok := ipHandler.dynamicUpdates[serviceID]; ok {
		ipMap := make(map[string]struct{}, len(ips))
		for _, ip := range ips {
			ipMap[ip] = struct{}{}
		}

		newAddrs := make([]string, 0, len(dynAddrs))
		for _, dynAddr := range dynAddrs {
			if _, ok := ipMap[dynAddr]; ok {
				continue
			}
			newAddrs = append(newAddrs, dynAddr)
		}

		ipHandler.dynamicUpdates[serviceID] = newAddrs
	}
}

// DeleteEntryFromIPset delete an entry from an ipset
func (ipHandler *handler) DeleteEntryFromIPset(ips []string, serviceID string) {
	ipHandler.Lock()
	defer ipHandler.Unlock()

	ipHandler.deleteDynamicAddresses(ips, serviceID)

	for _, address := range ips {
		parsableAddress := address
		if strings.HasPrefix(address, "!") {
			parsableAddress = address[1:]
		}

		netIP := net.ParseIP(parsableAddress)
		if netIP == nil {
			netIP, _, _ = net.ParseCIDR(parsableAddress)
		}
		if ipset := ipHandler.acl.serviceIDtoACLIPset[serviceID]; ipset != nil {
			ipsetHandler := getIpset(ipset.name)
			delFromIPset(ipsetHandler, netIP.String()) // nolint
			delete(ipset.addresses, address)

		}

	}
}

// updateDynamicAddresses must only be called by UpdateACLIPsets to update the internal map of dynamic addresses
func (ipHandler *handler) updateDynamicAddresses(addresses []string, serviceID string) {
	// no need to lock, already done by the caller
	if dynAddrs, ok := ipHandler.dynamicUpdates[serviceID]; ok {
		ipMap := make(map[string]struct{}, len(dynAddrs))
		for _, ip := range dynAddrs {
			ipMap[ip] = struct{}{}
		}

		newAddrs := make([]string, 0, len(addresses))
		for _, ip := range addresses {
			if _, ok := ipMap[ip]; ok {
				continue
			}
			newAddrs = append(newAddrs, ip)
		}

		ipHandler.dynamicUpdates[serviceID] = append(dynAddrs, newAddrs...)
	} else {
		ipHandler.dynamicUpdates[serviceID] = addresses
	}
}

//UpdateACLIPsets updates the ip addresses in the ipsets corresponding to the serviceID
func (ipHandler *handler) UpdateACLIPsets(addresses []string, serviceID string) {
	ipHandler.Lock()
	defer ipHandler.Unlock()

	ipHandler.updateDynamicAddresses(addresses, serviceID)

	for _, address := range addresses {
		parsableAddress := address
		if strings.HasPrefix(address, "!") {
			parsableAddress = address[1:]
		}

		netIP := net.ParseIP(parsableAddress)
		if netIP == nil {
			netIP, _, _ = net.ParseCIDR(parsableAddress)
		}

		if !ipHandler.ipFilter(netIP) {
			continue
		}

		if ipset := ipHandler.acl.serviceIDtoACLIPset[serviceID]; ipset != nil {
			ipsetHandler := getIpset(ipset.name)
			if err := addToIPset(ipsetHandler, address); err != nil {
				zap.L().Error("Error adding IPs to ipset", zap.String("ipset", ipset.name), zap.String("address", address))
			}

			ipset.addresses[address] = true
		}
	}
}

func hashServiceID(serviceID string) string {
	hash := murmur3.New64()
	if _, err := io.WriteString(hash, serviceID); err != nil {
		return ""
	}

	return base64.URLEncoding.EncodeToString(hash.Sum(nil))
}

func (ipHandler *handler) synchronizeIPsinIpset(ipsetInfo *ipsetInfo, addresses []string) {
	newips := map[string]bool{}
	ipsetHandler := getIpset(ipsetInfo.name)

	var addrToAdd, addrToDelete []string

	for _, address := range addresses {
		parsableAddress := address
		if strings.HasPrefix(address, "!") {
			parsableAddress = address[1:]
		}

		netIP := net.ParseIP(parsableAddress)
		if netIP == nil {
			netIP, _, _ = net.ParseCIDR(parsableAddress)
		}

		if !ipHandler.ipFilter(netIP) {
			continue
		}

		newips[address] = true

		if _, ok := ipsetInfo.addresses[address]; !ok {
			addrToAdd = append(addrToAdd, address)
		}
		delete(ipsetInfo.addresses, address)
	}

	for address, val := range ipsetInfo.addresses {
		if val {
			addrToDelete = append(addrToDelete, address)
		}
	}

	if err := updateIPSets(ipsetHandler, addrToDelete, addrToAdd); err != nil {
		zap.L().Error("Error updating ipset during sync", zap.Error(err))
	}

	ipsetInfo.addresses = newips
}

func (ipHandler *handler) createACLIPset(serviceID string) (*ipsetInfo, error) {
	ipsetName := ipHandler.ipsetPrefix + "ext-" + hashServiceID(serviceID)
	if _, err := newIpset(ipsetName, "hash:net", ipHandler.ipsetParams); err != nil {
		return nil, err
	}

	ipset := &ipsetInfo{contextIDs: map[string]bool{}, name: ipsetName, addresses: map[string]bool{}}
	ipHandler.acl.serviceIDtoACLIPset[serviceID] = ipset

	return ipset, nil
}

func (ipHandler *handler) deleteServiceID(serviceID string) {
	ipsetInfo := ipHandler.acl.serviceIDtoACLIPset[serviceID]
	ipHandler.acl.toDestroy = append(ipHandler.acl.toDestroy, ipsetInfo.name)
	delete(ipHandler.acl.serviceIDtoACLIPset, serviceID)
}

//reduceReferenceFromServiceID reduces the reference for the serviceID.
func (ipHandler *handler) reduceReferenceFromServiceID(contextID string, serviceID string) {
	var ipset *ipsetInfo

	if ipset = ipHandler.acl.serviceIDtoACLIPset[serviceID]; ipset == nil {
		zap.L().Error("Could not find ipset corresponding to serviceID", zap.String("serviceID", serviceID))
		return
	}

	delete(ipset.contextIDs, contextID)

	// there are no references from any pu. safe to destroy now
	if len(ipset.contextIDs) == 0 {
		ipHandler.deleteServiceID(serviceID)
	}
}

// DestroyUnusedIPsets destroys the unused ipsets.
func (ipHandler *handler) DestroyUnusedIPsets() {
	ipHandler.Lock()
	defer ipHandler.Unlock()

	for _, ipsetName := range ipHandler.acl.toDestroy {
		ipsetHandler := getIpset(ipsetName)
		if err := ipsetHandler.Destroy(); err != nil {
			zap.L().Warn("Failed to destroy ipset", zap.String("ipset", ipsetName), zap.Error(err))
		}
	}

	ipHandler.acl.toDestroy = nil
}

// RemoveExternalNets is called when the contextID is being unsupervised such that all the external nets can be deleted.
func (ipHandler *handler) RemoveExternalNets(contextID string) {
	ipHandler.Lock()

	m, ok := ipHandler.acl.contextIDtoServiceIDs[contextID]
	if ok {
		for serviceID := range m {
			ipHandler.reduceReferenceFromServiceID(contextID, serviceID)
		}
	}

	delete(ipHandler.acl.contextIDtoServiceIDs, contextID)

	ipHandler.Unlock()
	ipHandler.DestroyUnusedIPsets()
}

func (ipHandler *handler) GetIPsetPrefix() string {
	return ipHandler.ipsetPrefix
}

// GetACLIPsets returns the ipset names corresponding to the serviceIDs.
func (ipHandler *handler) GetACLIPsetsNames(extnets policy.IPRuleList) []string {

	ipHandler.Lock()
	defer ipHandler.Unlock()

	var ipsets []string

	for _, extnet := range extnets {
		serviceID := extnet.Policy.ServiceID

		ipsetInfo, ok := ipHandler.acl.serviceIDtoACLIPset[serviceID]
		if ok {
			ipsets = append(ipsets, ipsetInfo.name)
		}
	}

	return ipsets
}

//createName takes the contextID and prefix and returns a name after processing
func createName(contextID string, prefix string) string {
	hash := murmur3.New64()

	if _, err := io.WriteString(hash, contextID); err != nil {
		return ""
	}

	output := base64.URLEncoding.EncodeToString(hash.Sum(nil))

	if len(contextID) > 4 {
		contextID = contextID[:4] + output[:4]
	} else {
		contextID = contextID + output[:4]
	}

	if len(prefix) > 16 {
		prefix = prefix[:16]
	}

	return (prefix + contextID)
}

//V4test returns the test handler for ipv4
func V4test() IPSetManager {
	return &handler{
		ipsetPrefix: "TRI-" + ipv4String,
		ipFilter: func(ip net.IP) bool {
			return (ip.To4() != nil)
		},
		ipsetParams: &ipsetpackage.Params{},

		acl: aclHandler{
			serviceIDtoACLIPset:   map[string]*ipsetInfo{},
			contextIDtoServiceIDs: map[string]map[string]bool{},
		},
		tn: targetNetwork{tcp: []string{}, udp: []string{}},
		en: excludedNetwork{excluded: []string{}},
	}
}

//V6test returns the test handler for ipv6
func V6test() IPSetManager {
	return &handler{
		ipsetPrefix: "TRI-" + ipv6String,
		ipFilter: func(ip net.IP) bool {
			return (ip.To4() == nil)
		},
		ipsetParams: &ipsetpackage.Params{HashFamily: "inet6"},

		acl: aclHandler{
			serviceIDtoACLIPset:   map[string]*ipsetInfo{},
			contextIDtoServiceIDs: map[string]map[string]bool{},
		},
		tn: targetNetwork{tcp: []string{}, udp: []string{}},
		en: excludedNetwork{excluded: []string{}},
	}
}


================================================
FILE: controller/pkg/ipsetmanager/ipsetmanager_test.go
================================================
package ipsetmanager

import (
	"reflect"
	"testing"
)

const (
	service     = "blah"
	ip192_0_2_1 = "192.0.2.1"
	ip192_0_2_2 = "192.0.2.2"
	ip192_0_2_3 = "192.0.2.3"
)

func Test_handler_deleteDynamicAddresses(t *testing.T) {
	type args struct {
		ips       []string
		serviceID string
	}

	tests := []struct {
		name                 string
		args                 args
		existingDynamicAddrs map[string][]string
		wantEntry            bool
		wantIPs              []string
	}{
		{
			name: "entry does not exist",
			args: args{
				ips:       []string{ip192_0_2_1},
				serviceID: service,
			},
			existingDynamicAddrs: map[string][]string{},
			wantEntry:            false,
			wantIPs:              nil,
		},
		{
			name: "entry is empty",
			args: args{
				ips:       []string{ip192_0_2_1},
				serviceID: service,
			},
			existingDynamicAddrs: map[string][]string{
				service: {},
			},
			wantEntry: true,
			wantIPs:   []string{},
		},
		{
			name: "entry not in existing set",
			args: args{
				ips:       []string{ip192_0_2_1},
				serviceID: service,
			},
			existingDynamicAddrs: map[string][]string{
				service: {
					ip192_0_2_2,
					ip192_0_2_3,
				},
			},
			wantEntry: true,
			wantIPs:   []string{ip192_0_2_2, ip192_0_2_3},
		},
		{
			name: "entry is removed from set",
			args: args{
				ips:       []string{ip192_0_2_2},
				serviceID: service,
			},
			existingDynamicAddrs: map[string][]string{
				service: {
					ip192_0_2_1,
					ip192_0_2_2,
					ip192_0_2_3,
				},
			},
			wantEntry: true,
			wantIPs:   []string{ip192_0_2_1, ip192_0_2_3},
		},
		{
			name: "entries are removed from set",
			args: args{
				ips:       []string{ip192_0_2_1, ip192_0_2_3},
				serviceID: service,
			},
			existingDynamicAddrs: map[string][]string{
				service: {
					ip192_0_2_1,
					ip192_0_2_2,
					ip192_0_2_3,
				},
			},
			wantEntry: true,
			wantIPs:   []string{ip192_0_2_2},
		},
	}

	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			ipv4Handler.dynamicUpdates = tt.existingDynamicAddrs
			ipv4Handler.deleteDynamicAddresses(tt.args.ips, tt.args.serviceID)
			have, ok := ipv4Handler.dynamicUpdates[tt.args.serviceID]
			if ok != tt.wantEntry {
				t.Errorf("%q wantEntry: %#v, haveEntry: %#v", tt.args.serviceID, tt.wantEntry, ok)
			}
			if !reflect.DeepEqual(tt.wantIPs, have) {
				t.Errorf("want: %#v, have: %#v", tt.wantIPs, have)
			}
		})
	}
}

func Test_handler_updateDynamicAddresses(t *testing.T) {
	type args struct {
		ips       []string
		serviceID string
	}

	tests := []struct {
		name                 string
		args                 args
		existingDynamicAddrs map[string][]string
		wantIPs              []string
	}{
		{
			name: "nothing to add should create empty service entry",
			args: args{
				ips:       []string{},
				serviceID: service,
			},
			existingDynamicAddrs: map[string][]string{},
			wantIPs:              []string{},
		},
		{
			name: "en empty entry should simply add the IPs",
			args: args{
				ips:       []string{ip192_0_2_1, ip192_0_2_2},
				serviceID: service,
			},
			existingDynamicAddrs: map[string][]string{},
			wantIPs:              []string{ip192_0_2_1, ip192_0_2_2},
		},
		{
			name: "different IPs should always get added to the list",
			args: args{
				ips:       []string{ip192_0_2_2, ip192_0_2_3},
				serviceID: service,
			},
			existingDynamicAddrs: map[string][]string{
				service: {ip192_0_2_1},
			},
			wantIPs: []string{ip192_0_2_1, ip192_0_2_2, ip192_0_2_3},
		},
		{
			name: "existing IPs should not be added",
			args: args{
				ips:       []string{ip192_0_2_2, ip192_0_2_3},
				serviceID: service,
			},
			existingDynamicAddrs: map[string][]string{
				service: {ip192_0_2_2, ip192_0_2_3},
			},
			wantIPs: []string{ip192_0_2_2, ip192_0_2_3},
		},
		{
			name: "mix of existing and new",
			args: args{
				ips:       []string{ip192_0_2_2, ip192_0_2_3},
				serviceID: service,
			},
			existingDynamicAddrs: map[string][]string{
				service: {ip192_0_2_1, ip192_0_2_2},
			},
			wantIPs: []string{ip192_0_2_1, ip192_0_2_2, ip192_0_2_3},
		},
	}

	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			ipv4Handler.dynamicUpdates = tt.existingDynamicAddrs
			ipv4Handler.updateDynamicAddresses(tt.args.ips, tt.args.serviceID)
			have, ok := ipv4Handler.dynamicUpdates[tt.args.serviceID]
			if !ok {
				t.Errorf("no entry for service %q", tt.args.serviceID)
			}
			if !reflect.DeepEqual(tt.wantIPs, have) {
				t.Errorf("want: %#v, have: %#v", tt.wantIPs, have)
			}
		})
	}
}


================================================
FILE: controller/pkg/ipsetmanager/ipsetprovider.go
================================================
// +build linux darwin

package ipsetmanager

import (
	"fmt"
	"os/exec"
	"strings"

	"github.com/aporeto-inc/go-ipset/ipset"
	"go.aporeto.io/enforcerd/trireme-lib/controller/constants"
	"go.uber.org/zap"
)

var (
	// path to aporeto-ipset
	ipsetBinPath string
)

// IpsetProvider returns a fabric for Ipset.
type IpsetProvider interface {
	NewIpset(name string, ipsetType string, p *ipset.Params) (Ipset, error)
	GetIpset(name string) Ipset
	DestroyAll(prefix string) error
	ListIPSets() ([]string, error)
}

// Ipset is an abstraction of all the methods an implementation of userspace
// ipsets need to provide.
type Ipset interface {
	Add(entry string, timeout int) error
	AddOption(entry string, option string, timeout int) error
	Del(entry string) error
	Destroy() error
	Flush() error
	Test(entry string) (bool, error)
}

type goIpsetProvider struct{}

var instance IpsetProvider = &goIpsetProvider{}

func ipsetCreateBitmapPort(setname string) error {
	//Bitmap type is not supported by the ipset library
	out, err := exec.Command(ipsetBinPath, "create", setname, "bitmap:port", "range", "0-65535", "timeout", "0").CombinedOutput()
	if err != nil {
		if strings.Contains(string(out), "set with the same name already exists") {
			zap.L().Warn("Set already exists - cleaning up", zap.String("set name", setname))
			// Clean up the existing set
			if _, cerr := exec.Command(ipsetBinPath, "-F", setname).CombinedOutput(); cerr != nil {
				return fmt.Errorf("Failed to clean up existing ipset: %s", err)
			}
			return nil
		}
		zap.L().Error("Unable to create set", zap.String("set name", setname), zap.String("ipset-output", string(out)))
	}
	return err
}

// NewIpset returns an IpsetProvider interface based on the go-ipset
// external package.
func (i *goIpsetProvider) NewIpset(name string, ipsetType string, p *ipset.Params) (Ipset, error) {

	// Check if hashtype is a type of hash
	if strings.HasPrefix(ipsetType, "hash:") {
		return ipset.New(name, ipsetType, p)
	}

	if err := ipsetCreateBitmapPort(name); err != nil {
		return nil, err
	}

	return &ipset.IPSet{Name: name}, nil
}

// GetIpset gets the ipset object from the name.
func (i *goIpsetProvider) GetIpset(name string) Ipset {
	return &ipset.IPSet{
		Name: name,
	}
}

// DestroyAll destroys all the ipsets with the given prefix
func (i *goIpsetProvider) DestroyAll(prefix string) error {
	return ipset.DestroyAll(prefix)
}

func (i *goIpsetProvider) ListIPSets() ([]string, error) {

	out, err := exec.Command(ipsetBinPath, "-L", "-name").CombinedOutput()
	if err != nil {
		return nil, fmt.Errorf("unable to list ipsets:%s", err)
	}

	return strings.Split(string(out), "\n"), nil
}

func newIpset(name string, ipsetType string, p *ipset.Params) (Ipset, error) {
	return instance.NewIpset(name, ipsetType, p)
}

func getIpset(name string) Ipset {
	return instance.GetIpset(name)
}

func destroyAll(prefix string) error {
	return instance.DestroyAll(prefix)
}

func listIPSets() ([]string, error) {
	return instance.ListIPSets()
}

//SetIpsetTestInstance sets a test instance of ipsetprovider
func SetIpsetTestInstance(ipsetprovider IpsetProvider) {
	instance = ipsetprovider
}

//SetIPsetPath sets the path for aporeto-ipset
func SetIPsetPath() {
	ipsetBinPath, _ = exec.LookPath(constants.IpsetBinaryName) // nolint: errcheck
	// tell the go-ipset package which ipset binary to use
	ipset.Init(ipsetBinPath) // nolint: errcheck
}


================================================
FILE: controller/pkg/ipsetmanager/ipsetprovider_windows.go
================================================
// +build windows

package ipsetmanager

import (
	"fmt"

	"go.uber.org/zap"

	"github.com/aporeto-inc/go-ipset/ipset"
	"go.aporeto.io/enforcerd/trireme-lib/utils/frontman"
)

// IpsetProvider returns a fabric for Ipset.
type IpsetProvider interface {
	NewIpset(name string, ipsetType string, p *ipset.Params) (Ipset, error)
	GetIpset(name string) Ipset
	DestroyAll(prefix string) error
	ListIPSets() ([]string, error)
}

// Ipset is an abstraction of all the methods an implementation of userspace
// ipsets need to provide.
type Ipset interface {
	Add(entry string, timeout int) error
	AddOption(entry string, option string, timeout int) error
	Del(entry string) error
	Destroy() error
	Flush() error
	Test(entry string) (bool, error)
}

type ipsetProvider struct{}

var instance IpsetProvider = &ipsetProvider{}

type winIPSet struct {
	handle uintptr
	name   string
}

// NewIpset returns an IpsetProvider interface based on the go-ipset
// external package.
func (i *ipsetProvider) NewIpset(name string, ipsetType string, p *ipset.Params) (Ipset, error) {
	ipsetHandle, err := frontman.Wrapper.NewIpset(name, ipsetType)
	if err != nil {
		return nil, err
	}
	return &winIPSet{ipsetHandle, name}, nil
}

// GetIpset gets the ipset object from the name.
// Note that the interface can't return error here, but since it's possible to fail in Windows,
// we log error and return incomplete object, and expect a failure from Frontman on a later call.
func (i *ipsetProvider) GetIpset(name string) Ipset {
	ipsetHandle, err := frontman.Wrapper.GetIpset(name)
	if err != nil {
		zap.L().Error(fmt.Sprintf("failed to get ipset %s", name), zap.Error(err))
		return &winIPSet{0, name}
	}
	return &winIPSet{ipsetHandle, name}
}

// DestroyAll destroys all the ipsets - it will fail if there are existing references
func (i *ipsetProvider) DestroyAll(prefix string) error {
	return frontman.Wrapper.DestroyAllIpsets(prefix)
}

func (i *ipsetProvider) ListIPSets() ([]string, error) {
	return frontman.Wrapper.ListIpsets()
}

// IPsetProvider Returns a Go IPSet Provider
func IPsetProvider() IpsetProvider {
	return instance
}

func (w *winIPSet) Add(entry string, timeout int) error {
	return frontman.Wrapper.IpsetAdd(w.handle, entry, timeout)
}

func (w *winIPSet) AddOption(entry string, option string, timeout int) error {
	return frontman.Wrapper.IpsetAddOption(w.handle, entry, option, timeout)
}

func (w *winIPSet) Del(entry string) error {
	return frontman.Wrapper.IpsetDelete(w.handle, entry)
}

func (w *winIPSet) Destroy() error {
	return frontman.Wrapper.IpsetDestroy(w.handle, w.name)
}

func (w *winIPSet) Flush() error {
	return frontman.Wrapper.IpsetFlush(w.handle)
}

func (w *winIPSet) Test(entry string) (bool, error) {
	return frontman.Wrapper.IpsetTest(w.handle, entry)
}

func newIpset(name string, ipsetType string, p *ipset.Params) (Ipset, error) {
	return IPsetProvider().NewIpset(name, ipsetType, p)
}

func getIpset(name string) Ipset {
	return IPsetProvider().GetIpset(name)
}

func destroyAll(prefix string) error {
	return IPsetProvider().DestroyAll(prefix)
}

func listIPSets() ([]string, error) {
	return IPsetProvider().ListIPSets()
}

//SetIpsetTestInstance sets the test instance for ipsets
func SetIpsetTestInstance(ipsetprovider IpsetProvider) {
	instance = ipsetprovider
}

//SetIPsetPath is a no-op for windows
func SetIPsetPath() {
}


================================================
FILE: controller/pkg/ipsetmanager/ipsetprovidermock.go
================================================
package ipsetmanager

import (
	"sync"
	"testing"

	"github.com/aporeto-inc/go-ipset/ipset"
)

type ipsetProviderMockedMethods struct {
	newMockIPset   func(name string, hasht string, p *ipset.Params) (Ipset, error)
	getMockIPset   func(name string) Ipset
	destroyAllMock func(prefix string) error
	listIPSetsMock func() ([]string, error)
}

// TestIpsetProvider is a test implementation for IpsetProvider
type TestIpsetProvider interface {
	IpsetProvider
	MockNewIpset(t *testing.T, impl func(name string, hasht string, p *ipset.Params) (Ipset, error))
	MockGetIpset(t *testing.T, impl func(name string) Ipset)
	MockDestroyAll(t *testing.T, impl func(string) error)
	MockListIPSets(t *testing.T, impl func() ([]string, error))
}

type testIpsetProvider struct {
	mocks       map[*testing.T]*ipsetProviderMockedMethods
	lock        *sync.Mutex
	currentTest *testing.T
}

// NewTestIpsetProvider returns a new TestManipulator.
func NewTestIpsetProvider() TestIpsetProvider {
	return &testIpsetProvider{
		lock:  &sync.Mutex{},
		mocks: map[*testing.T]*ipsetProviderMockedMethods{},
	}
}

func (m *testIpsetProvider) MockNewIpset(t *testing.T, impl func(name string, hasht string, p *ipset.Params) (Ipset, error)) {

	m.currentMocks(t).newMockIPset = impl
}

func (m *testIpsetProvider) MockGetIpset(t *testing.T, impl func(name string) Ipset) {
	m.currentMocks(t).getMockIPset = impl
}

func (m *testIpsetProvider) MockDestroyAll(t *testing.T, impl func(string) error) {

	m.currentMocks(t).destroyAllMock = impl
}

func (m *testIpsetProvider) MockListIPSets(t *testing.T, impl func() ([]string, error)) {

	m.currentMocks(t).listIPSetsMock = impl
}

func (m *testIpsetProvider) NewIpset(name string, hasht string, p *ipset.Params) (Ipset, error) {

	if mock := m.currentMocks(m.currentTest); mock != nil && mock.newMockIPset != nil {
		return mock.newMockIPset(name, hasht, p)
	}

	return NewTestIpset(), nil
}

func (m *testIpsetProvider) GetIpset(name string) Ipset {

	if mock := m.currentMocks(m.currentTest); mock != nil && mock.newMockIPset != nil {
		return mock.getMockIPset(name)
	}

	return NewTestIpset()
}

func (m *testIpsetProvider) DestroyAll(prefix string) error {

	if mock := m.currentMocks(m.currentTest); mock != nil && mock.destroyAllMock != nil {
		return mock.destroyAllMock(prefix)
	}

	return nil
}

func (m *testIpsetProvider) ListIPSets() ([]string, error) {

	if mock := m.currentMocks(m.currentTest); mock != nil && mock.listIPSetsMock != nil {
		return mock.listIPSetsMock()
	}

	return nil, nil
}

func (m *testIpsetProvider) currentMocks(t *testing.T) *ipsetProviderMockedMethods {
	m.lock.Lock()
	defer m.lock.Unlock()

	mocks := m.mocks[t]

	if mocks == nil {
		mocks = &ipsetProviderMockedMethods{}
		m.mocks[t] = mocks
	}

	m.currentTest = t
	return mocks
}

type ipsetMockedMethods struct {
	addMock       func(entry string, timeout int) error
	addOptionMock func(entry string, option string, timeout int) error
	delMock       func(entry string) error
	destroyMock   func() error
	flushMock     func() error
	testMock      func(entry string) (bool, error)
}

// TestIpset is a test implementation for Ipset
type TestIpset interface {
	Ipset
	MockAdd(t *testing.T, impl func(entry string, timeout int) error)
	MockAddOption(t *testing.T, impl func(entry string, option string, timeout int) error)
	MockDel(t *testing.T, impl func(entry string) error)
	MockDestroy(t *testing.T, impl func() error)
	MockFlush(t *testing.T, impl func() error)
	MockTest(t *testing.T, impl func(entry string) (bool, error))
}

type testIpset struct {
	mocks       map[*testing.T]*ipsetMockedMethods
	lock        *sync.Mutex
	currentTest *testing.T
}

// NewTestIpset returns a new TestManipulator.
func NewTestIpset() TestIpset {
	return &testIpset{
		lock:  &sync.Mutex{},
		mocks: map[*testing.T]*ipsetMockedMethods{},
	}
}

func (m *testIpset) MockAdd(t *testing.T, impl func(entry string, timeout int) error) {

	m.currentMocks(t).addMock = impl
}

func (m *testIpset) MockAddOption(t *testing.T, impl func(entry string, option string, timeout int) error) {

	m.currentMocks(t).addOptionMock = impl
}

func (m *testIpset) MockDel(t *testing.T, impl func(entry string) error) {

	m.currentMocks(t).delMock = impl
}

func (m *testIpset) MockDestroy(t *testing.T, impl func() error) {

	m.currentMocks(t).destroyMock = impl
}

func (m *testIpset) MockFlush(t *testing.T, impl func() error) {

	m.currentMocks(t).flushMock = impl
}

func (m *testIpset) MockTest(t *testing.T, impl func(entry string) (bool, error)) {

	m.currentMocks(t).testMock = impl
}

func (m *testIpset) Add(entry string, timeout int) error {

	if mock := m.currentMocks(m.currentTest); mock != nil && mock.addMock != nil {
		return mock.addMock(entry, timeout)
	}

	return nil
}

func (m *testIpset) AddOption(entry string, option string, timeout int) error {

	if mock := m.currentMocks(m.currentTest); mock != nil && mock.addOptionMock != nil {
		return mock.addOptionMock(entry, option, timeout)
	}

	return nil
}

func (m *testIpset) Del(entry string) error {

	if mock := m.currentMocks(m.currentTest); mock != nil && mock.delMock != nil {
		return mock.delMock(entry)
	}

	return nil
}

func (m *testIpset) Destroy() error {

	if mock := m.currentMocks(m.currentTest); mock != nil && mock.destroyMock != nil {
		return mock.destroyMock()
	}
	return nil

}

func (m *testIpset) Flush() error {

	if mock := m.currentMocks(m.currentTest); mock != nil && mock.flushMock != nil {
		return mock.flushMock()
	}

	return nil
}

func (m *testIpset) Test(entry string) (bool, error) {

	if mock := m.currentMocks(m.currentTest); mock != nil && mock.testMock != nil {
		return mock.testMock(entry)
	}

	return false, nil
}

func (m *testIpset) currentMocks(t *testing.T) *ipsetMockedMethods {
	m.lock.Lock()
	defer m.lock.Unlock()

	mocks := m.mocks[t]

	if mocks == nil {
		mocks = &ipsetMockedMethods{}
		m.mocks[t] = mocks
	}

	m.currentTest = t
	return mocks
}


================================================
FILE: controller/pkg/ipsetmanager/ipsets.go
================================================
package ipsetmanager

import (
	"encoding/base64"
	"io"
	"net"
	"sync"

	ipsetpackage "github.com/aporeto-inc/go-ipset/ipset"
	"github.com/spaolacci/murmur3"
	provider "go.aporeto.io/trireme-lib/controller/pkg/aclprovider"

	"go.aporeto.io/trireme-lib/policy"
	"go.uber.org/zap"
)

const (
	//IPv6DefaultIP is the default ip of v6
	IPv6DefaultIP = "::/0"
	//IPv4DefaultIP is the  default ip for v4
	IPv4DefaultIP = "0.0.0.0/0"
	//IPsetV4 version for ipv4
	IPsetV4 = iota
	//IPsetV6 version for ipv6
	IPsetV6
)

//ACLManager interface is used by supervisor. This interface provides the supervisor to
//create ipsets corresponding to service ID.
type ACLManager interface {
	AddToIPset(set provider.Ipset, data string) error
	DelFromIPset(set provider.Ipset, data string) error

	RegisterExternalNets(contextID string, extnets policy.IPRuleList) error
	DestroyUnusedIPsets()
	RemoveExternalNets(contextID string)
	GetIPsets(extnets policy.IPRuleList, ipver int) []string
	UpdateIPsets([]string, string)
}

type ipsetInfo struct {
	contextIDs map[string]bool
	name       string
	addresses  map[string]bool
}

type handler struct {
	serviceIDtoIPset      map[string]*ipsetInfo
	contextIDtoServiceIDs map[string]map[string]bool
	ipset                 provider.IpsetProvider
	ipsetPrefix           string
	ipFilter              func(net.IP) bool
	ipsetParams           *ipsetpackage.Params
	toDestroy             []string
}

type managerType struct {
	ipv4Handler *handler
	ipv6Handler *handler
	sync.RWMutex
}

const (
	ipv4String = "v4-"
	ipv6String = "v6-"
)

//CreateIPsetManager creates the handle with Interface ACLManager
func CreateIPsetManager(ipsetv4 provider.IpsetProvider, ipsetv6 provider.IpsetProvider) ACLManager {
	return &managerType{
		ipv4Handler: &handler{
			serviceIDtoIPset:      map[string]*ipsetInfo{},
			contextIDtoServiceIDs: map[string]map[string]bool{},
			ipset:                 ipsetv4,
			ipsetPrefix:           ipv4String,
			ipFilter: func(ip net.IP) bool {
				return (ip.To4() != nil)
			},
			ipsetParams: &ipsetpackage.Params{},
		},
		ipv6Handler: &handler{
			serviceIDtoIPset:      map[string]*ipsetInfo{},
			contextIDtoServiceIDs: map[string]map[string]bool{},
			ipset:                 ipsetv6,
			ipsetPrefix:           ipv6String,
			ipFilter: func(ip net.IP) bool {
				return (ip.To4() == nil)
			},
			ipsetParams: &ipsetpackage.Params{HashFamily: "inet6"},
		},
	}

}

func hashServiceID(serviceID string) string {
	hash := murmur3.New64()
	if _, err := io.WriteString(hash, serviceID); err != nil {
		return ""
	}

	return base64.URLEncoding.EncodeToString(hash.Sum(nil))
}

// AddToIPset is called with the ipset provider and the ip address to be added
func (m *managerType) AddToIPset(set provider.Ipset, data string) error {

	// ipset can not program this rule
	if data == IPv4DefaultIP {
		if err := m.AddToIPset(set, "0.0.0.0/1"); err != nil {
			return err
		}

		return m.AddToIPset(set, "128.0.0.0/1")
	}

	// ipset can not program this rule
	if data == IPv6DefaultIP {
		if err := m.AddToIPset(set, "::/1"); err != nil {
			return err
		}

		return m.AddToIPset(set, "8000::/1")
	}

	return set.Add(data, 0)
}

// DelFromIPset is called with the ipset set provider and the ip to be removed from ipset
func (m *managerType) DelFromIPset(set provider.Ipset, data string) error {

	if data == IPv4DefaultIP {
		if err := m.DelFromIPset(set, "0.0.0.0/1"); err != nil {
			return err
		}

		return m.DelFromIPset(set, "128.0.0.0/1")
	}

	if data == IPv6DefaultIP {
		if err := m.DelFromIPset(set, "::/1"); err != nil {
			return err
		}

		return m.DelFromIPset(set, "8000::/1")
	}

	return set.Del(data)
}

func (m *managerType) synchronizeIPsinIpset(ipHandler *handler, ipsetInfo *ipsetInfo, addresses []string) {
	newips := map[string]bool{}
	ipsetHandler := ipHandler.ipset.GetIpset(ipsetInfo.name)

	for _, address := range addresses {
		netIP := net.ParseIP(address)
		if netIP == nil {
			netIP, _, _ = net.ParseCIDR(address)
		}

		if !ipHandler.ipFilter(netIP) {
			continue
		}

		newips[address] = true

		if _, ok := ipsetInfo.addresses[address]; !ok {
			if err := m.AddToIPset(ipsetHandler, address); err != nil {
				zap.L().Error("Error adding IPs to ipset", zap.String("ipset", ipsetInfo.name), zap.String("address", address))
			}
		}
		delete(ipsetInfo.addresses, address)
	}

	// Remove the old entries
	for address, val := range ipsetInfo.addresses {
		if val {
			if err := m.DelFromIPset(ipsetHandler, address); err != nil {
				zap.L().Error("Error removing IPs from ipset", zap.String("ipset", ipsetInfo.name), zap.String("address", address))
			}
		}
	}

	ipsetInfo.addresses = newips
}

func createIPset(ipHandler *handler, serviceID string) (*ipsetInfo, error) {
	ipsetName := "TRI-" + ipHandler.ipsetPrefix + "ext-" + hashServiceID(serviceID)
	_, err := ipHandler.ipset.NewIpset(ipsetName, "hash:net", ipHandler.ipsetParams)
	if err != nil {
		return nil, err
	}

	ipset := &ipsetInfo{contextIDs: map[string]bool{}, name: ipsetName, addresses: map[string]bool{}}
	ipHandler.serviceIDtoIPset[serviceID] = ipset

	return ipset, nil
}

func deleteServiceID(ipHandler *handler, serviceID string) {
	ipsetInfo := ipHandler.serviceIDtoIPset[serviceID]
	ipHandler.toDestroy = append(ipHandler.toDestroy, ipsetInfo.name)
	delete(ipHandler.serviceIDtoIPset, serviceID)
}

func reduceReferenceFromServiceID(ipHandler *handler, contextID string, serviceID string) {
	var ipset *ipsetInfo

	if ipset = ipHandler.serviceIDtoIPset[serviceID]; ipset == nil {
		zap.L().Error("Could not find ipset corresponding to serviceID", zap.String("serviceID", serviceID))
		return
	}

	delete(ipset.contextIDs, contextID)

	// there are no references from any pu. safe to destroy now
	if len(ipset.contextIDs) == 0 {
		deleteServiceID(ipHandler, serviceID)
	}
}

// RegisterExternalNets registers the contextID and the corresponding serviceIDs
func (m *managerType) RegisterExternalNets(contextID string, extnets policy.IPRuleList) error {
	m.Lock()
	defer m.Unlock()

	processExtnets := func(ipHandler *handler) error {
		for _, extnet := range extnets {
			var ipset *ipsetInfo

			serviceID := extnet.Policy.ServiceID
			if ipset = ipHandler.serviceIDtoIPset[serviceID]; ipset == nil {
				var err error
				if ipset, err = createIPset(ipHandler, serviceID); err != nil {
					return err
				}
			}

			m.synchronizeIPsinIpset(ipHandler, ipset, extnet.Addresses)
			// have a backreference from serviceID to contextID
			ipset.contextIDs[contextID] = true
		}

		return nil
	}

	processOlderExtnets := func(ipHandler *handler) {
		newExtnets := map[string]bool{}

		for _, extnet := range extnets {

			serviceID := extnet.Policy.ServiceID
			newExtnets[serviceID] = true
			m, ok := ipHandler.contextIDtoServiceIDs[contextID]

			if ok && m[serviceID] {
				delete(m, serviceID)
			}
		}

		for serviceID := range ipHandler.contextIDtoServiceIDs[contextID] {
			reduceReferenceFromServiceID(ipHandler, contextID, serviceID)
		}

		ipHandler.contextIDtoServiceIDs[contextID] = newExtnets
	}

	if err := processExtnets(m.ipv4Handler); err != nil {
		return err
	}

	if err := processExtnets(m.ipv6Handler); err != nil {
		return err
	}

	processOlderExtnets(m.ipv4Handler)
	processOlderExtnets(m.ipv6Handler)

	return nil
}

// DestroyUnusedIPsets destroys the unused ipsets.
func (m *managerType) DestroyUnusedIPsets() {
	m.Lock()
	defer m.Unlock()

	destroy := func(ipHandler *handler) {
		for _, ipsetName := range ipHandler.toDestroy {
			ipsetHandler := ipHandler.ipset.GetIpset(ipsetName)
			if err := ipsetHandler.Destroy(); err != nil {
				zap.L().Warn("Failed to destroy ipset", zap.String("ipset", ipsetName), zap.Error(err))
			}
		}

		ipHandler.toDestroy = nil
	}

	destroy(m.ipv4Handler)
	destroy(m.ipv6Handler)
}

// RemoveExternalNets is called when the contextID is being unsupervised such that all the external nets can be deleted.
func (m *managerType) RemoveExternalNets(contextID string) {
	m.Lock()

	process := func(ipHandler *handler) {
		m, ok := ipHandler.contextIDtoServiceIDs[contextID]
		if ok {
			for serviceID := range m {
				reduceReferenceFromServiceID(ipHandler, contextID, serviceID)
			}
		}

		delete(ipHandler.contextIDtoServiceIDs, contextID)
	}

	process(m.ipv4Handler)
	process(m.ipv6Handler)

	m.Unlock()
	m.DestroyUnusedIPsets()
}

// GetIPsets returns the ipset names corresponding to the serviceIDs.
func (m *managerType) GetIPsets(extnets policy.IPRuleList, ipver int) []string {
	m.Lock()
	defer m.Unlock()

	var ipHandler *handler

	if ipver == IPsetV4 {
		ipHandler = m.ipv4Handler
	} else {
		ipHandler = m.ipv6Handler
	}

	var ipsets []string

	for _, extnet := range extnets {
		serviceID := extnet.Policy.ServiceID

		ipsetInfo, ok := ipHandler.serviceIDtoIPset[serviceID]
		if ok {
			ipsets = append(ipsets, ipsetInfo.name)
		}
	}

	return ipsets
}

// UpdateIPsets updates the ip addresses in the ipsets corresponding to the serviceID
func (m *managerType) UpdateIPsets(addresses []string, serviceID string) {
	m.Lock()
	defer m.Unlock()

	process := func(ipHandler *handler) {
		for _, address := range addresses {
			netIP := net.ParseIP(address)
			if netIP == nil {
				netIP, _, _ = net.ParseCIDR(address)
			}

			if !ipHandler.ipFilter(netIP) {
				continue
			}

			if ipset := ipHandler.serviceIDtoIPset[serviceID]; ipset != nil {
				ipsetHandler := ipHandler.ipset.GetIpset(ipset.name)
				if err := m.AddToIPset(ipsetHandler, address); err != nil {
					zap.L().Error("Error adding IPs to ipset", zap.String("ipset", ipset.name), zap.String("address", address))
				}
				ipset.addresses[address] = true
			}
		}
	}

	process(m.ipv4Handler)
	process(m.ipv6Handler)
}


================================================
FILE: controller/pkg/ipsetmanager/mock_ipsetmanager/ipsetmanagermock.go
================================================
// Code generated by MockGen. DO NOT EDIT.
// Source: ipsetmanager.go

// Package mock_ipsetmanager is a generated GoMock package.
package mock_ipsetmanager

import (
	gomock "github.com/golang/mock/gomock"
	policy "go.aporeto.io/enforcerd/trireme-lib/policy"
	net "net"
	reflect "reflect"
)

// MockServerL3 is a mock of ServerL3 interface
type MockServerL3 struct {
	ctrl     *gomock.Controller
	recorder *MockServerL3MockRecorder
}

// MockServerL3MockRecorder is the mock recorder for MockServerL3
type MockServerL3MockRecorder struct {
	mock *MockServerL3
}

// NewMockServerL3 creates a new mock instance
func NewMockServerL3(ctrl *gomock.Controller) *MockServerL3 {
	mock := &MockServerL3{ctrl: ctrl}
	mock.recorder = &MockServerL3MockRecorder{mock}
	return mock
}

// EXPECT returns an object that allows the caller to indicate expected use
func (m *MockServerL3) EXPECT() *MockServerL3MockRecorder {
	return m.recorder
}

// CreateServerPortSet mocks base method
func (m *MockServerL3) CreateServerPortSet(contextID string) error {
	ret := m.ctrl.Call(m, "CreateServerPortSet", contextID)
	ret0, _ := ret[0].(error)
	return ret0
}

// CreateServerPortSet indicates an expected call of CreateServerPortSet
func (mr *MockServerL3MockRecorder) CreateServerPortSet(contextID interface{}) *gomock.Call {
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateServerPortSet", reflect.TypeOf((*MockServerL3)(nil).CreateServerPortSet), contextID)
}

// GetServerPortSetName mocks base method
func (m *MockServerL3) GetServerPortSetName(contextID string) string {
	ret := m.ctrl.Call(m, "GetServerPortSetName", contextID)
	ret0, _ := ret[0].(string)
	return ret0
}

// GetServerPortSetName indicates an expected call of GetServerPortSetName
func (mr *MockServerL3MockRecorder) GetServerPortSetName(contextID interface{}) *gomock.Call {
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetServerPortSetName", reflect.TypeOf((*MockServerL3)(nil).GetServerPortSetName), contextID)
}

// DestroyServerPortSet mocks base method
func (m *MockServerL3) DestroyServerPortSet(contextID string) error {
	ret := m.ctrl.Call(m, "DestroyServerPortSet", contextID)
	ret0, _ := ret[0].(error)
	return ret0
}

// DestroyServerPortSet indicates an expected call of DestroyServerPortSet
func (mr *MockServerL3MockRecorder) DestroyServerPortSet(contextID interface{}) *gomock.Call {
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DestroyServerPortSet", reflect.TypeOf((*MockServerL3)(nil).DestroyServerPortSet), contextID)
}

// AddPortToServerPortSet mocks base method
func (m *MockServerL3) AddPortToServerPortSet(contextID, port string) error {
	ret := m.ctrl.Call(m, "AddPortToServerPortSet", contextID, port)
	ret0, _ := ret[0].(error)
	return ret0
}

// AddPortToServerPortSet indicates an expected call of AddPortToServerPortSet
func (mr *MockServerL3MockRecorder) AddPortToServerPortSet(contextID, port interface{}) *gomock.Call {
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AddPortToServerPortSet", reflect.TypeOf((*MockServerL3)(nil).AddPortToServerPortSet), contextID, port)
}

// DeletePortFromServerPortSet mocks base method
func (m *MockServerL3) DeletePortFromServerPortSet(contextID, port string) error {
	ret := m.ctrl.Call(m, "DeletePortFromServerPortSet", contextID, port)
	ret0, _ := ret[0].(error)
	return ret0
}

// DeletePortFromServerPortSet indicates an expected call of DeletePortFromServerPortSet
func (mr *MockServerL3MockRecorder) DeletePortFromServerPortSet(contextID, port interface{}) *gomock.Call {
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeletePortFromServerPortSet", reflect.TypeOf((*MockServerL3)(nil).DeletePortFromServerPortSet), contextID, port)
}

// MockAclL3 is a mock of AclL3 interface
type MockAclL3 struct {
	ctrl     *gomock.Controller
	recorder *MockAclL3MockRecorder
}

// MockAclL3MockRecorder is the mock recorder for MockAclL3
type MockAclL3MockRecorder struct {
	mock *MockAclL3
}

// NewMockAclL3 creates a new mock instance
func NewMockAclL3(ctrl *gomock.Controller) *MockAclL3 {
	mock := &MockAclL3{ctrl: ctrl}
	mock.recorder = &MockAclL3MockRecorder{mock}
	return mock
}

// EXPECT returns an object that allows the caller to indicate expected use
func (m *MockAclL3) EXPECT() *MockAclL3MockRecorder {
	return m.recorder
}

// RegisterExternalNets mocks base method
func (m *MockAclL3) RegisterExternalNets(contextID string, extnets policy.IPRuleList) error {
	ret := m.ctrl.Call(m, "RegisterExternalNets", contextID, extnets)
	ret0, _ := ret[0].(error)
	return ret0
}

// RegisterExternalNets indicates an expected call of RegisterExternalNets
func (mr *MockAclL3MockRecorder) RegisterExternalNets(contextID, extnets interface{}) *gomock.Call {
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RegisterExternalNets", reflect.TypeOf((*MockAclL3)(nil).RegisterExternalNets), contextID, extnets)
}

// UpdateACLIPsets mocks base method
func (m *MockAclL3) UpdateACLIPsets(arg0 []string, arg1 string) {
	m.ctrl.Call(m, "UpdateACLIPsets", arg0, arg1)
}

// UpdateACLIPsets indicates an expected call of UpdateACLIPsets
func (mr *MockAclL3MockRecorder) UpdateACLIPsets(arg0, arg1 interface{}) *gomock.Call {
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateACLIPsets", reflect.TypeOf((*MockAclL3)(nil).UpdateACLIPsets), arg0, arg1)
}

// DestroyUnusedIPsets mocks base method
func (m *MockAclL3) DestroyUnusedIPsets() {
	m.ctrl.Call(m, "DestroyUnusedIPsets")
}

// DestroyUnusedIPsets indicates an expected call of DestroyUnusedIPsets
func (mr *MockAclL3MockRecorder) DestroyUnusedIPsets() *gomock.Call {
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DestroyUnusedIPsets", reflect.TypeOf((*MockAclL3)(nil).DestroyUnusedIPsets))
}

// RemoveExternalNets mocks base method
func (m *MockAclL3) RemoveExternalNets(contextID string) {
	m.ctrl.Call(m, "RemoveExternalNets", contextID)
}

// RemoveExternalNets indicates an expected call of RemoveExternalNets
func (mr *MockAclL3MockRecorder) RemoveExternalNets(contextID interface{}) *gomock.Call {
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RemoveExternalNets", reflect.TypeOf((*MockAclL3)(nil).RemoveExternalNets), contextID)
}

// GetACLIPsetsNames mocks base method
func (m *MockAclL3) GetACLIPsetsNames(extnets policy.IPRuleList) []string {
	ret := m.ctrl.Call(m, "GetACLIPsetsNames", extnets)
	ret0, _ := ret[0].([]string)
	return ret0
}

// GetACLIPsetsNames indicates an expected call of GetACLIPsetsNames
func (mr *MockAclL3MockRecorder) GetACLIPsetsNames(extnets interface{}) *gomock.Call {
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetACLIPsetsNames", reflect.TypeOf((*MockAclL3)(nil).GetACLIPsetsNames), extnets)
}

// MockProxyL4 is a mock of ProxyL4 interface
type MockProxyL4 struct {
	ctrl     *gomock.Controller
	recorder *MockProxyL4MockRecorder
}

// MockProxyL4MockRecorder is the mock recorder for MockProxyL4
type MockProxyL4MockRecorder struct {
	mock *MockProxyL4
}

// NewMockProxyL4 creates a new mock instance
func NewMockProxyL4(ctrl *gomock.Controller) *MockProxyL4 {
	mock := &MockProxyL4{ctrl: ctrl}
	mock.recorder = &MockProxyL4MockRecorder{mock}
	return mock
}

// EXPECT returns an object that allows the caller to indicate expected use
func (m *MockProxyL4) EXPECT() *MockProxyL4MockRecorder {
	return m.recorder
}

// CreateProxySets mocks base method
func (m *MockProxyL4) CreateProxySets(contextID string) error {
	ret := m.ctrl.Call(m, "CreateProxySets", contextID)
	ret0, _ := ret[0].(error)
	return ret0
}

// CreateProxySets indicates an expected call of CreateProxySets
func (mr *MockProxyL4MockRecorder) CreateProxySets(contextID interface{}) *gomock.Call {
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateProxySets", reflect.TypeOf((*MockProxyL4)(nil).CreateProxySets), contextID)
}

// GetProxySetNames mocks base method
func (m *MockProxyL4) GetProxySetNames(contextID string) (string, string) {
	ret := m.ctrl.Call(m, "GetProxySetNames", contextID)
	ret0, _ := ret[0].(string)
	ret1, _ := ret[1].(string)
	return ret0, ret1
}

// GetProxySetNames indicates an expected call of GetProxySetNames
func (mr *MockProxyL4MockRecorder) GetProxySetNames(contextID interface{}) *gomock.Call {
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetProxySetNames", reflect.TypeOf((*MockProxyL4)(nil).GetProxySetNames), contextID)
}

// DestroyProxySets mocks base method
func (m *MockProxyL4) DestroyProxySets(contextID string) {
	m.ctrl.Call(m, "DestroyProxySets", contextID)
}

// DestroyProxySets indicates an expected call of DestroyProxySets
func (mr *MockProxyL4MockRecorder) DestroyProxySets(contextID interface{}) *gomock.Call {
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DestroyProxySets", reflect.TypeOf((*MockProxyL4)(nil).DestroyProxySets), contextID)
}

// FlushProxySets mocks base method
func (m *MockProxyL4) FlushProxySets(contextID string) {
	m.ctrl.Call(m, "FlushProxySets", contextID)
}

// FlushProxySets indicates an expected call of FlushProxySets
func (mr *MockProxyL4MockRecorder) FlushProxySets(contextID interface{}) *gomock.Call {
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "FlushProxySets", reflect.TypeOf((*MockProxyL4)(nil).FlushProxySets), contextID)
}

// AddIPPortToDependentService mocks base method
func (m *MockProxyL4) AddIPPortToDependentService(contextID string, ip *net.IPNet, port string) error {
	ret := m.ctrl.Call(m, "AddIPPortToDependentService", contextID, ip, port)
	ret0, _ := ret[0].(error)
	return ret0
}

// AddIPPortToDependentService indicates an expected call of AddIPPortToDependentService
func (mr *MockProxyL4MockRecorder) AddIPPortToDependentService(contextID, ip, port interface{}) *gomock.Call {
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AddIPPortToDependentService", reflect.TypeOf((*MockProxyL4)(nil).AddIPPortToDependentService), contextID, ip, port)
}

// AddPortToExposedService mocks base method
func (m *MockProxyL4) AddPortToExposedService(contextID, port string) error {
	ret := m.ctrl.Call(m, "AddPortToExposedService", contextID, port)
	ret0, _ := ret[0].(error)
	return ret0
}

// AddPortToExposedService indicates an expected call of AddPortToExposedService
func (mr *MockProxyL4MockRecorder) AddPortToExposedService(contextID, port interface{}) *gomock.Call {
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AddPortToExposedService", reflect.TypeOf((*MockProxyL4)(nil).AddPortToExposedService), contextID, port)
}

// MockIPSetManager is a mock of IPSetManager interface
type MockIPSetManager struct {
	ctrl     *gomock.Controller
	recorder *MockIPSetManagerMockRecorder
}

// MockIPSetManagerMockRecorder is the mock recorder for MockIPSetManager
type MockIPSetManagerMockRecorder struct {
	mock *MockIPSetManager
}

// NewMockIPSetManager creates a new mock instance
func NewMockIPSetManager(ctrl *gomock.Controller) *MockIPSetManager {
	mock := &MockIPSetManager{ctrl: ctrl}
	mock.recorder = &MockIPSetManagerMockRecorder{mock}
	return mock
}

// EXPECT returns an object that allows the caller to indicate expected use
func (m *MockIPSetManager) EXPECT() *MockIPSetManagerMockRecorder {
	return m.recorder
}

// CreateServerPortSet mocks base method
func (m *MockIPSetManager) CreateServerPortSet(contextID string) error {
	ret := m.ctrl.Call(m, "CreateServerPortSet", contextID)
	ret0, _ := ret[0].(error)
	return ret0
}

// CreateServerPortSet indicates an expected call of CreateServerPortSet
func (mr *MockIPSetManagerMockRecorder) CreateServerPortSet(contextID interface{}) *gomock.Call {
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateServerPortSet", reflect.TypeOf((*MockIPSetManager)(nil).CreateServerPortSet), contextID)
}

// GetServerPortSetName mocks base method
func (m *MockIPSetManager) GetServerPortSetName(contextID string) string {
	ret := m.ctrl.Call(m, "GetServerPortSetName", contextID)
	ret0, _ := ret[0].(string)
	return ret0
}

// GetServerPortSetName indicates an expected call of GetServerPortSetName
func (mr *MockIPSetManagerMockRecorder) GetServerPortSetName(contextID interface{}) *gomock.Call {
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetServerPortSetName", reflect.TypeOf((*MockIPSetManager)(nil).GetServerPortSetName), contextID)
}

// DestroyServerPortSet mocks base method
func (m *MockIPSetManager) DestroyServerPortSet(contextID string) error {
	ret := m.ctrl.Call(m, "DestroyServerPortSet", contextID)
	ret0, _ := ret[0].(error)
	return ret0
}

// DestroyServerPortSet indicates an expected call of DestroyServerPortSet
func (mr *MockIPSetManagerMockRecorder) DestroyServerPortSet(contextID interface{}) *gomock.Call {
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DestroyServerPortSet", reflect.TypeOf((*MockIPSetManager)(nil).DestroyServerPortSet), contextID)
}

// AddPortToServerPortSet mocks base method
func (m *MockIPSetManager) AddPortToServerPortSet(contextID, port string) error {
	ret := m.ctrl.Call(m, "AddPortToServerPortSet", contextID, port)
	ret0, _ := ret[0].(error)
	return ret0
}

// AddPortToServerPortSet indicates an expected call of AddPortToServerPortSet
func (mr *MockIPSetManagerMockRecorder) AddPortToServerPortSet(contextID, port interface{}) *gomock.Call {
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AddPortToServerPortSet", reflect.TypeOf((*MockIPSetManager)(nil).AddPortToServerPortSet), contextID, port)
}

// DeletePortFromServerPortSet mocks base method
func (m *MockIPSetManager) DeletePortFromServerPortSet(contextID, port string) error {
	ret := m.ctrl.Call(m, "DeletePortFromServerPortSet", contextID, port)
	ret0, _ := ret[0].(error)
	return ret0
}

// DeletePortFromServerPortSet indicates an expected call of DeletePortFromServerPortSet
func (mr *MockIPSetManagerMockRecorder) DeletePortFromServerPortSet(contextID, port interface{}) *gomock.Call {
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeletePortFromServerPortSet", reflect.TypeOf((*MockIPSetManager)(nil).DeletePortFromServerPortSet), contextID, port)
}

// RegisterExternalNets mocks base method
func (m *MockIPSetManager) RegisterExternalNets(contextID string, extnets policy.IPRuleList) error {
	ret := m.ctrl.Call(m, "RegisterExternalNets", contextID, extnets)
	ret0, _ := ret[0].(error)
	return ret0
}

// RegisterExternalNets indicates an expected call of RegisterExternalNets
func (mr *MockIPSetManagerMockRecorder) RegisterExternalNets(contextID, extnets interface{}) *gomock.Call {
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RegisterExternalNets", reflect.TypeOf((*MockIPSetManager)(nil).RegisterExternalNets), contextID, extnets)
}

// UpdateACLIPsets mocks base method
func (m *MockIPSetManager) UpdateACLIPsets(arg0 []string, arg1 string) {
	m.ctrl.Call(m, "UpdateACLIPsets", arg0, arg1)
}

// UpdateACLIPsets indicates an expected call of UpdateACLIPsets
func (mr *MockIPSetManagerMockRecorder) UpdateACLIPsets(arg0, arg1 interface{}) *gomock.Call {
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateACLIPsets", reflect.TypeOf((*MockIPSetManager)(nil).UpdateACLIPsets), arg0, arg1)
}

// DestroyUnusedIPsets mocks base method
func (m *MockIPSetManager) DestroyUnusedIPsets() {
	m.ctrl.Call(m, "DestroyUnusedIPsets")
}

// DestroyUnusedIPsets indicates an expected call of DestroyUnusedIPsets
func (mr *MockIPSetManagerMockRecorder) DestroyUnusedIPsets() *gomock.Call {
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DestroyUnusedIPsets", reflect.TypeOf((*MockIPSetManager)(nil).DestroyUnusedIPsets))
}

// RemoveExternalNets mocks base method
func (m *MockIPSetManager) RemoveExternalNets(contextID string) {
	m.ctrl.Call(m, "RemoveExternalNets", contextID)
}

// RemoveExternalNets indicates an expected call of RemoveExternalNets
func (mr *MockIPSetManagerMockRecorder) RemoveExternalNets(contextID interface{}) *gomock.Call {
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RemoveExternalNets", reflect.TypeOf((*MockIPSetManager)(nil).RemoveExternalNets), contextID)
}

// GetACLIPsetsNames mocks base method
func (m *MockIPSetManager) GetACLIPsetsNames(extnets policy.IPRuleList) []string {
	ret := m.ctrl.Call(m, "GetACLIPsetsNames", extnets)
	ret0, _ := ret[0].([]string)
	return ret0
}

// GetACLIPsetsNames indicates an expected call of GetACLIPsetsNames
func (mr *MockIPSetManagerMockRecorder) GetACLIPsetsNames(extnets interface{}) *gomock.Call {
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetACLIPsetsNames", reflect.TypeOf((*MockIPSetManager)(nil).GetACLIPsetsNames), extnets)
}

// CreateProxySets mocks base method
func (m *MockIPSetManager) CreateProxySets(contextID string) error {
	ret := m.ctrl.Call(m, "CreateProxySets", contextID)
	ret0, _ := ret[0].(error)
	return ret0
}

// CreateProxySets indicates an expected call of CreateProxySets
func (mr *MockIPSetManagerMockRecorder) CreateProxySets(contextID interface{}) *gomock.Call {
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateProxySets", reflect.TypeOf((*MockIPSetManager)(nil).CreateProxySets), contextID)
}

// GetProxySetNames mocks base method
func (m *MockIPSetManager) GetProxySetNames(contextID string) (string, string) {
	ret := m.ctrl.Call(m, "GetProxySetNames", contextID)
	ret0, _ := ret[0].(string)
	ret1, _ := ret[1].(string)
	return ret0, ret1
}

// GetProxySetNames indicates an expected call of GetProxySetNames
func (mr *MockIPSetManagerMockRecorder) GetProxySetNames(contextID interface{}) *gomock.Call {
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetProxySetNames", reflect.TypeOf((*MockIPSetManager)(nil).GetProxySetNames), contextID)
}

// DestroyProxySets mocks base method
func (m *MockIPSetManager) DestroyProxySets(contextID string) {
	m.ctrl.Call(m, "DestroyProxySets", contextID)
}

// DestroyProxySets indicates an expected call of DestroyProxySets
func (mr *MockIPSetManagerMockRecorder) DestroyProxySets(contextID interface{}) *gomock.Call {
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DestroyProxySets", reflect.TypeOf((*MockIPSetManager)(nil).DestroyProxySets), contextID)
}

// FlushProxySets mocks base method
func (m *MockIPSetManager) FlushProxySets(contextID string) {
	m.ctrl.Call(m, "FlushProxySets", contextID)
}

// FlushProxySets indicates an expected call of FlushProxySets
func (mr *MockIPSetManagerMockRecorder) FlushProxySets(contextID interface{}) *gomock.Call {
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "FlushProxySets", reflect.TypeOf((*MockIPSetManager)(nil).FlushProxySets), contextID)
}

// AddIPPortToDependentService mocks base method
func (m *MockIPSetManager) AddIPPortToDependentService(contextID string, ip *net.IPNet, port string) error {
	ret := m.ctrl.Call(m, "AddIPPortToDependentService", contextID, ip, port)
	ret0, _ := ret[0].(error)
	return ret0
}

// AddIPPortToDependentService indicates an expected call of AddIPPortToDependentService
func (mr *MockIPSetManagerMockRecorder) AddIPPortToDependentService(contextID, ip, port interface{}) *gomock.Call {
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AddIPPortToDependentService", reflect.TypeOf((*MockIPSetManager)(nil).AddIPPortToDependentService), contextID, ip, port)
}

// AddPortToExposedService mocks base method
func (m *MockIPSetManager) AddPortToExposedService(contextID, port string) error {
	ret := m.ctrl.Call(m, "AddPortToExposedService", contextID, port)
	ret0, _ := ret[0].(error)
	return ret0
}

// AddPortToExposedService indicates an expected call of AddPortToExposedService
func (mr *MockIPSetManagerMockRecorder) AddPortToExposedService(contextID, port interface{}) *gomock.Call {
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AddPortToExposedService", reflect.TypeOf((*MockIPSetManager)(nil).AddPortToExposedService), contextID, port)
}


================================================
FILE: controller/pkg/packet/constants.go
================================================
package packet

const (
	// minIPPacketLen is the min ip packet size for TCP packet
	minTCPIPPacketLen = 20

	// minIPPacketLen is the min ip packet size for UDP packet
	minUDPIPPacketLen = 8

	// minICMPPacketLen is the min ip packet size for ICMP packet
	minICMPIPPacketLen = 8

	// minIPHdrSize
	minIPv4HdrSize = 20

	// minTCPHeaderLen is the min TCP header length
	minTCPHeaderLen = 20
)

// IP Header field position constants
const (
	// ipHdrLenPos is location of IP (entire packet) length
	ipv4HdrLenPos = 0

	// ipLengthPos is location of IP (entire packet) length
	ipv4LengthPos = 2

	// ipIDPos is location of IP Identifier
	ipv4IDPos = 4

	// ipProtoPos is the location of the IP Protocol
	ipv4ProtoPos = 9

	// ipChecksumPos is location of IP checksum
	ipv4ChecksumPos = 10

	// ipSourceAddrPos is location of source IP address
	ipv4SourceAddrPos = 12

	// ipDestAddrPos is location of destination IP address
	ipv4DestAddrPos = 16
)

const (
	// ipv6HeaderLen is the length of the ipv6 header
	ipv6HeaderLen = 40

	// ipv6VersionPos is the position in the buffer where the version is stored
	ipv6VersionPos = 0

	// ipv6PayloadLenPos is the position in the buffer where the size of the payload is stored
	ipv6PayloadLenPos = 4

	// ipv6ProtoPos is the position in the buffer where the protocol(tcp/udp) is stored
	ipv6ProtoPos = 6

	// ipv6SourceAddrPos is the position in the buffer where ipv6 source address is stored
	ipv6SourceAddrPos = 8

	// ipv6DestAddrPos is the position in the buffer where ipv6 dest address is stored
	ipv6DestAddrPos = 24
)

// IP Protocol numbers
const (
	// IPProtocolTCP defines the constant for TCP protocol number
	IPProtocolTCP = 6

	// IPProtocolUDP defines the constant for UDP protocol number
	IPProtocolUDP = 17

	// IPProtocolICMP defines the constants for ICMP protocol number
	IPProtocolICMP = 1
)

// IP Header masks
const (
	ipv4HdrLenMask = 0x0F
	ipv4ProtoMask  = 0xF0
)

// TCP Header field position constants
const (
	// tcpSourcePortPos is the location of source port
	tcpSourcePortPos = 0

	// tcpDestPortPos is the location of destination port
	tcpDestPortPos = 2

	// tcpSeqPos is the location of seq
	tcpSeqPos = 4

	// tcpAckPos is the location of seq
	tcpAckPos = 8

	// tcpDataOffsetPos is the location of the TCP data offset
	tcpDataOffsetPos = 12

	//tcpFlagsOfsetPos is the location of the TCP flags
	tcpFlagsOffsetPos = 13

	// TCPChecksumPos is the location of TCP checksum
	tcpChecksumPos = 16
)

// TCP Header masks
const (
	// tcpDataOffsetMask is a mask for TCP data offset field
	tcpDataOffsetMask = 0xF0

	// TCPSynMask is a mask for the TCP Syn flags
	TCPSynMask = 0x2

	// TCPSynAckMask  mask idenitifies a TCP SYN-ACK packet
	TCPSynAckMask = 0x12

	// TCPRstMask mask that identifies RST packets
	TCPRstMask = 0x4

	// TCPAckMask mask that identifies ACK packets
	TCPAckMask = 0x10

	// TCPFinMask mask that identifies FIN packets
	TCPFinMask = 0x1

	// TCPPshMask = 0x8 mask that identifies PSH packets
	TCPPshMask = 0x8
)

// TCP Options Related constants
const (
	// TCPAuthenticationOption is the option number will be using
	TCPAuthenticationOption = uint8(34)

	// TCPMssOption is the type for MSS option
	TCPMssOption = uint8(2)

	// TCPMssOptionLen is the type for MSS option
	TCPMssOptionLen = uint8(4)
)

// UDP related constants.
const (
	// udpSourcePortPos is the location of source port
	udpSourcePortPos = 0
	// udpDestPortPos is the location of destination port
	udpDestPortPos = 2
	// UDPLengthPos is the location of UDP length
	udpLengthPos = 4
	// UDPChecksumPos is the location of UDP checksum
	udpChecksumPos = 6
	// UDPDataPos is the location of UDP data
	UDPDataPos = 8
	// UDPSynMask is a mask for the UDP Syn flags
	UDPSynMask = 0x10
	// UDPSynAckMask  mask idenitifies a UDP SYN-ACK packet
	UDPSynAckMask = 0x20
	// UDPAckMask mask that identifies ACK packets.
	UDPAckMask = 0x30
	// UDPFinAckMask mask that identifies the FinAck packets
	UDPFinAckMask = 0x40
	// UDPPolicyRejectMask mask that identifies a policy reject info from the remote end
	UDPPolicyRejectMask = 0x50
	// UDPDataPacket is a simple data packet
	UDPDataPacket = 0x80
	// UDPPacketMask identifies type of UDP packet.
	UDPPacketMask = 0xF0
)

const (
	// UDPAuthMarker is 18 byte Aporeto signature for UDP
	UDPAuthMarker = "n30njxq7bmiwr6dtxq"
	// UDPAuthMarkerLen is the length of UDP marker.
	UDPAuthMarkerLen = 18
	// UDPSignatureLen is the length of signature on UDP control packet.
	UDPSignatureLen = 20
	// UDPAuthMarkerOffset is the beginning of UDPAuthMarker
	udpAuthMarkerOffset = 10
	// UDPSignatureEnd is the end of UDPSignature.
	udpSignatureEnd = UDPDataPos + UDPSignatureLen
)

const (
	// UDPAporetoOption is the option kind for Aporeto option
	UDPAporetoOption = uint8(34)
	// UDPAporetoOptionLengthFirstByte is the first if length is greater than 255
	UDPAporetoOptionLengthFirstByte = uint8(0xff)
	// UDPAporetoOptionShortLength is the length of the option header if payload length is less than UDPAporetoOptionLengthFirstByte
	UDPAporetoOptionShortLength = 2
	// UDPAporetoOptionLongLength is the length of the option header if payload length is greater than UDPAporetoOptionLengthFirstByte
	UDPAporetoOptionLongLength = 6
)


================================================
FILE: controller/pkg/packet/helpers.go
================================================
package packet

import (
	"bytes"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"strconv"

	"go.uber.org/zap"
	"golang.org/x/net/ipv4"
)

// Helpher functions for the package, mainly for debugging and validation
// They are not used by the main package

// VerifyIPv4Checksum returns true if the IP header checksum is correct
// for this packet, false otherwise. Note that the checksum is not
// modified.
func (p *Packet) VerifyIPv4Checksum() bool {

	sum := p.computeIPv4Checksum()

	return sum == p.ipHdr.ipChecksum
}

// UpdateIPv4Checksum computes the IP header checksum and updates the
// packet with the value.
func (p *Packet) UpdateIPv4Checksum() {

	p.ipHdr.ipChecksum = p.computeIPv4Checksum()

	binary.BigEndian.PutUint16(p.ipHdr.Buffer[ipv4ChecksumPos:ipv4ChecksumPos+2], p.ipHdr.ipChecksum)
}

// VerifyTCPChecksum returns true if the TCP header checksum is correct
// for this packet, false otherwise. Note that the checksum is not
// modified.
func (p *Packet) VerifyTCPChecksum() bool {

	sum := p.computeTCPChecksum()

	return sum == p.tcpHdr.tcpChecksum
}

// UpdateTCPChecksum computes the TCP header checksum and updates the
// packet with the value.
func (p *Packet) UpdateTCPChecksum() {
	buffer := p.ipHdr.Buffer[p.ipHdr.ipHeaderLen:]
	p.tcpHdr.tcpChecksum = p.computeTCPChecksum()
	binary.BigEndian.PutUint16(buffer[tcpChecksumPos:tcpChecksumPos+2], p.tcpHdr.tcpChecksum)
}

// UpdateTCPFlags
func (p *Packet) updateTCPFlags(tcpFlags uint8) {
	buffer := p.ipHdr.Buffer[p.ipHdr.ipHeaderLen:]
	buffer[tcpFlagsOffsetPos] = tcpFlags
}

// ConvertAcktoFinAck function removes the data from the packet
// It is called only if the packet is Ack or Psh/Ack
// converts psh/ack to fin/ack packet.
func (p *Packet) ConvertAcktoFinAck() error {
	var tcpFlags uint8

	tcpFlags = tcpFlags | TCPFinMask
	tcpFlags = tcpFlags | TCPAckMask

	p.updateTCPFlags(tcpFlags)
	p.tcpHdr.tcpFlags = tcpFlags

	p.TCPDataDetach(0)

	return nil
}

// ConvertToRst function converts the packet to
// a RST packet
func (p *Packet) ConvertToRst() {
	var tcpFlags uint8

	tcpFlags = tcpFlags | TCPRstMask

	p.updateTCPFlags(tcpFlags)
	p.tcpHdr.tcpFlags = tcpFlags

	p.TCPDataDetach(0)
}

//PacketToStringTCP returns a string representation of fields contained in this packet.
func (p *Packet) PacketToStringTCP() string {

	var buf bytes.Buffer
	buf.WriteString("(error)")

	header, err := ipv4.ParseHeader(p.ipHdr.Buffer)

	if err == nil {
		buf.Reset()
		buf.WriteString(header.String())
		buf.WriteString(" srcport=")
		buf.WriteString(strconv.Itoa(int(p.SourcePort())))
		buf.WriteString(" dstport=")
		buf.WriteString(strconv.Itoa(int(p.DestPort())))
		buf.WriteString(" tcpcksum=")
		buf.WriteString(fmt.Sprintf("0x%0x", p.tcpHdr.tcpChecksum))
		buf.WriteString(" data")
		buf.WriteString(hex.EncodeToString(p.GetTCPBytes()))
	}
	return buf.String()
}

// Computes the IP header checksum. The packet is not modified.
func (p *Packet) computeIPv4Checksum() uint16 {

	// IP packet checksum is computed with the checksum value set to zero
	p.ipHdr.Buffer[ipv4ChecksumPos] = 0
	p.ipHdr.Buffer[ipv4ChecksumPos+1] = 0

	// Compute checksum, over IP header only
	sum := checksum(p.ipHdr.Buffer[:p.ipHdr.ipHeaderLen])

	// Restore the previous checksum (whether correct or not, as this function doesn't change it)
	binary.BigEndian.PutUint16(p.ipHdr.Buffer[ipv4ChecksumPos:ipv4ChecksumPos+2], p.ipHdr.ipChecksum)

	return sum
}

// Computes the TCP header checksum. The packet is not modified.
func (p *Packet) computeTCPChecksum() uint16 {
	var csum uint32
	var buf [2]byte
	buffer := p.ipHdr.Buffer[p.ipHdr.ipHeaderLen:]
	tcpBufSize := uint16(len(buffer))

	oldCsumLow := buffer[tcpChecksumPos]
	oldCsumHigh := buffer[tcpChecksumPos+1]

	// Put 0 to calculate the checksum. We will reset it back after the checksum
	buffer[tcpChecksumPos] = 0
	buffer[tcpChecksumPos+1] = 0

	if p.ipHdr.version == V4 {
		csum = partialChecksum(0, p.ipHdr.Buffer[ipv4SourceAddrPos:ipv4SourceAddrPos+4])
		csum = partialChecksum(csum, p.ipHdr.Buffer[ipv4DestAddrPos:ipv4DestAddrPos+4])
	} else {
		csum = partialChecksum(0, p.ipHdr.Buffer[ipv6SourceAddrPos:ipv6SourceAddrPos+16])
		csum = partialChecksum(csum, p.ipHdr.Buffer[ipv6DestAddrPos:ipv6DestAddrPos+16])
	}

	// reserved 0 byte
	buf[0] = 0
	// tcp option 6
	buf[1] = 6

	csum = partialChecksum(csum, buf[:])
	binary.BigEndian.PutUint16(buf[:], tcpBufSize)
	csum = partialChecksum(csum, buf[:])

	csum = partialChecksum(csum, buffer)

	csum16 := finalizeChecksum(csum)

	// restore the checksum
	buffer[tcpChecksumPos] = oldCsumLow
	buffer[tcpChecksumPos+1] = oldCsumHigh

	return csum16
}

// incCsum16 implements rfc1624, equation 3.
func incCsum16(start, old, new uint16) uint16 {

	start = start ^ 0xffff
	old = old ^ 0xffff

	csum := uint32(start) + uint32(old) + uint32(new)
	for (csum >> 16) > 0 {
		csum = (csum & 0xffff) + ((csum >> 16) & 0xffff)
	}
	csum = csum ^ 0xffff
	return uint16(csum)
}

func csumConvert32To16bit(sum uint32) uint16 {
	for sum > 0xffff {
		sum = (sum >> 16) + (sum & 0xffff)
	}

	return uint16(sum)
}

// Computes a sum of 16 bit numbers
func checksumDelta(init uint32, buf []byte) uint32 {

	sum := init

	for ; len(buf) >= 2; buf = buf[2:] {
		sum += uint32(buf[0])<<8 | uint32(buf[1])
	}

	if len(buf) > 0 {
		sum += uint32(buf[0]) << 8
	}

	return sum
}

// Computes a checksum over the given slice.
func checksum(buf []byte) uint16 {
	sum32 := checksumDelta(0, buf)
	sum16 := csumConvert32To16bit(sum32)

	csum := ^sum16
	return csum
}

func partialChecksum(csum uint32, buf []byte) uint32 {
	return checksumDelta(csum, buf)
}

func finalizeChecksum(csum32 uint32) uint16 {
	csum16 := csumConvert32To16bit(csum32)
	csum := ^csum16

	return csum
}

func (p *Packet) updateUDPv6Checksum() {
	var csum uint32
	var tmp [4]byte

	buffer := p.ipHdr.Buffer[p.ipHdr.ipHeaderLen:]

	csum = partialChecksum(0, p.ipHdr.sourceAddress)
	csum = partialChecksum(csum, p.ipHdr.destinationAddress)

	binary.BigEndian.PutUint32(tmp[:], uint32(len(buffer)))
	csum = partialChecksum(csum, tmp[:])

	tmp = [4]byte{0, 0, 0, 17}
	csum = partialChecksum(csum, tmp[:])

	buffer[udpChecksumPos] = 0
	buffer[udpChecksumPos+1] = 0
	csum = partialChecksum(csum, buffer[:])

	p.udpHdr.udpChecksum = finalizeChecksum(csum)
	// update checksum
	binary.BigEndian.PutUint16(buffer[udpChecksumPos:udpChecksumPos+2], p.udpHdr.udpChecksum)
}

func (p *Packet) fixupUDPHdr() {
	// checksum set to 0, ignored by the stack
	buffer := p.ipHdr.Buffer[p.ipHdr.ipHeaderLen:]
	//binary.BigEndian.PutUint16(buffer[udpLengthPos:udpLengthPos+2], uint16(len(buffer)))
	binary.BigEndian.PutUint16(buffer[udpLengthPos:udpLengthPos+2], 8)
}

func (p *Packet) fixupUDPChecksum() {
	if p.ipHdr.version == V4 {
		buffer := p.ipHdr.Buffer[p.ipHdr.ipHeaderLen:]

		buffer[udpChecksumPos] = 0
		buffer[udpChecksumPos+1] = 0
	} else {
		p.updateUDPv6Checksum()
	}
}

// ReadUDPToken Parsing using format specified in https://tools.ietf.org/html/draft-ietf-tsvwg-udp-options-08
// ReadUDPToken return the UDP token. Gets called only during the handshake process.
func (p *Packet) ReadUDPToken() []byte {
	// length of options .. skip udp data
	udpOptions := p.ipHdr.Buffer[uint16(p.ipHdr.ipHeaderLen)+8 : p.ipHdr.ipTotalLength]
	// zap.L().Error("Received Packet", zap.String("IP\n", hex.Dump(p.ipHdr.Buffer)))
	// zap.L().Error("UDP Options", zap.String("UDP\n", hex.Dump(udpOptions)))
	for i := 0; i < len(udpOptions); i++ {
		if udpOptions[i] == 0 || udpOptions[i] == 1 {
			i++
			continue
		}
		if udpOptions[i] != UDPAporetoOption {
			if len(udpOptions) < i+2 {
				return []byte{}
			}
			if udpOptions[i+1] != 0xff {
				i = i + int(udpOptions[i+1])
				continue
			} else {
				i = i + int(binary.LittleEndian.Uint16(udpOptions[i+2:]))
				continue
			}
		} else {
			if len(udpOptions) < i+2 {
				return []byte{}
			}
			if udpOptions[i+1] != 0xff {

				if len(udpOptions[i:]) >= int(udpOptions[i+1]) {
					return udpOptions[i+UDPSignatureLen+2:]
				}
			} else {
				if len(udpOptions[i:]) >= int(binary.LittleEndian.Uint16(udpOptions[i+2:])) {
					return udpOptions[i+4+UDPSignatureLen:]
				}

			}
		}
	}
	return []byte{}
}

// UDPTokenAttach attached udp packet signature and tokens.
func (p *Packet) UDPTokenAttach(udpdata []byte, udptoken []byte) {
	if udpdata[0] == 0x22 && udpdata[1] == 0xff {
		copy(udpdata[4+UDPSignatureLen:], udptoken)
	} else {
		copy(udpdata[2+UDPSignatureLen:], udptoken)
	}
	//p.udpHdr.udpData = append([]byte("APORETO!"), udpdata...)

	p.udpHdr.udpLength = 0
	packetLenIncrease := uint16(len(udpdata))
	// IP Header Processing
	p.FixupIPHdrOnDataModify(p.ipHdr.ipTotalLength, p.ipHdr.ipTotalLength+packetLenIncrease)

	// Attach Data @ the end of current buffer
	p.ipHdr.Buffer = append(p.ipHdr.Buffer, udpdata...)

	p.fixupUDPHdr()
	p.fixupUDPChecksum()

}

// UDPDataAttach Attaches UDP data post encryption.
func (p *Packet) UDPDataAttach(header, udpdata []byte) {

	// Attach Data @ the end of current buffer
	p.ipHdr.Buffer = append(p.ipHdr.Buffer, header...)
	p.ipHdr.Buffer = append(p.ipHdr.Buffer, udpdata...)
	// IP Header Processing
	p.FixupIPHdrOnDataModify(p.ipHdr.ipTotalLength, uint16(len(p.ipHdr.Buffer)))

	p.fixupUDPHdr()
	p.fixupUDPChecksum()
}

// UDPDataDetach detaches UDP payload from the Buffer. Called only during Encrypt/Decrypt.
func (p *Packet) UDPDataDetach() {
	// Create constants for IP header + UDP header. copy ?
	p.ipHdr.Buffer = p.ipHdr.Buffer[:p.ipHdr.ipHeaderLen+UDPDataPos]
}

// CreateReverseFlowPacket modifies the packet for reverse flow.
func (p *Packet) CreateReverseFlowPacket() {

	buffer := p.ipHdr.Buffer

	// reverse ip addresses
	if p.ipHdr.version == V4 {
		copy(buffer[ipv4SourceAddrPos:ipv4SourceAddrPos+4], p.ipHdr.destinationAddress)
		copy(buffer[ipv4DestAddrPos:ipv4DestAddrPos+4], p.ipHdr.sourceAddress)
	} else {
		copy(buffer[ipv6SourceAddrPos:ipv6SourceAddrPos+16], p.ipHdr.destinationAddress)
		copy(buffer[ipv6DestAddrPos:ipv6DestAddrPos+16], p.ipHdr.sourceAddress)
	}

	buffer = buffer[p.ipHdr.ipHeaderLen:]

	// reverse ports
	binary.BigEndian.PutUint16(buffer[udpSourcePortPos:udpSourcePortPos+2], p.udpHdr.destinationPort)
	binary.BigEndian.PutUint16(buffer[udpDestPortPos:udpDestPortPos+2], p.udpHdr.sourcePort)

	// swap in our packet structures
	p.ipHdr.sourceAddress, p.ipHdr.destinationAddress = p.ipHdr.destinationAddress, p.ipHdr.sourceAddress
	p.udpHdr.sourcePort, p.udpHdr.destinationPort = p.udpHdr.destinationPort, p.udpHdr.sourcePort

	// Just get the IP/UDP header. Ignore the rest. No need for packet
	p.ipHdr.Buffer = p.ipHdr.Buffer[:p.ipHdr.ipHeaderLen+UDPDataPos]

	p.FixupIPHdrOnDataModify(p.ipHdr.ipTotalLength, uint16(p.ipHdr.ipHeaderLen+UDPDataPos))

	if p.ipHdr.version == V4 {
		p.UpdateIPv4Checksum()
	}

	p.fixupUDPHdr()
	p.fixupUDPChecksum()
}

// GetUDPType returns udp type of packet.
func (p *Packet) GetUDPType() byte {
	var offset uint8
	// Every UDP control packet has a 20 byte packet signature. The
	// first 2 bytes represent the following control information.
	// Byte 0 : Bits 0,1 are reserved fields.
	//          Bits 2,3,4 represent version information.
	//          Bits 5,6 represent udp packet type,
	//          Bit 7 represents encryption. (currently unused).
	// Byte 1: reserved for future use.
	// Bytes [2:20]: Packet signature.
	//zap.L().Error("Packet", zap.String("P/n", hex.Dump(p.ipHdr.Buffer)))
	if p.ipHdr.ipTotalLength > uint16(p.IPHeaderLen())+8+255 {
		offset = 4
	} else {
		offset = 2
	}

	return GetUDPTypeFromBuffer(p.ipHdr.Buffer[p.ipHdr.ipHeaderLen+offset:])
}

// GetUDPTypeFromBuffer gets the UDP packet from a raw buffer.,
func GetUDPTypeFromBuffer(buffer []byte) byte {
	if len(buffer) < (UDPDataPos + UDPSignatureLen) {
		return 0
	}

	marker := buffer[UDPDataPos:udpSignatureEnd]

	// check for packet signature.
	if !bytes.Equal(buffer[udpAuthMarkerOffset:udpSignatureEnd], []byte(UDPAuthMarker)) {
		zap.L().Debug("Not an Aporeto control Packet")
		return 0
	}
	// control packet. byte 0 has packet type information.
	return marker[0] & UDPPacketMask
}

//GetTCPFlags returns the tcp flags from the packet
func (p *Packet) GetTCPFlags() uint8 {
	return p.tcpHdr.tcpFlags
}

//SetTCPFlags allows to set the tcp flags on the packet
func (p *Packet) SetTCPFlags(flags uint8) {
	p.tcpHdr.tcpFlags = flags
}

// CreateUDPAuthMarker creates a UDP auth marker.
func CreateUDPAuthMarker(packetType uint8, payloadLength uint16) []byte {
	var options []byte
	// Every UDP control packet has a 20 byte packet signature. The
	// first 2 bytes represent the following control information.
	// Byte 0 : Bits 0,1 are reserved fields.
	//          Bits 2,3,4 represent version information.
	//          Bits 5, 6, 7 represent udp packet type,
	// Byte 1: reserved for future use.
	// Bytes [2:20]: Packet signature.

	//marker := make([]byte, UDPSignatureLen)
	// ignore version info as of now.
	if payloadLength < uint16(UDPAporetoOptionLengthFirstByte) {
		options = make([]byte, int(payloadLength)+UDPAporetoOptionShortLength+UDPSignatureLen)
		options[0] = UDPAporetoOption
		options[1] = uint8(payloadLength) + UDPAporetoOptionShortLength + UDPSignatureLen

		options[2] |= packetType // byte 0
		options[3] = 0           // byte 1
		copy(options[4:], []byte(UDPAuthMarker))
	} else {
		options = make([]byte, int(payloadLength)+UDPAporetoOptionLongLength+len(UDPAuthMarker))
		options[0] = UDPAporetoOption
		options[1] = UDPAporetoOptionLengthFirstByte
		binary.LittleEndian.PutUint16(options[2:], payloadLength+20)
		options[4] |= packetType // byte 0
		options[5] = 0           // byte 1
		copy(options[UDPAporetoOptionLongLength:], []byte(UDPAuthMarker))

	}

	return options
}

// GetICMPTypeCode returns the icmp type and icmp code
func (p *Packet) GetICMPTypeCode() (int8, int8) {
	return p.icmpHdr.icmpType, p.icmpHdr.icmpCode
}


================================================
FILE: controller/pkg/packet/packet.go
================================================
// Package packet support for TCP/IP packet manipulations
// needed by the Aporeto infrastructure.
package packet

import (
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"net"
	"strconv"

	"go.uber.org/zap"
)

// printCount prints the debug header for packets every few lines that it prints
var printCount int

var errIPPacketCorrupt = errors.New("IP packet is smaller than min IP size of 20")
var errTCPAuthOption = errors.New("tcp authentication option not found")

//NewPacket is a method called on Packet which decodes the packet into the struct
func (p *Packet) NewPacket(context uint64, bytes []byte, mark string, lengthValidate bool) (err error) {

	// Get the mark value
	p.Mark = mark

	// Set the context
	p.context = context
	if len(bytes) < ipv4HdrLenPos {
		return fmt.Errorf("invalid packet length %d", len(bytes))
	}
	if bytes[ipv4HdrLenPos]&ipv4ProtoMask == 0x40 {
		p.ipHdr.version = V4
		return p.parseIPv4Packet(bytes, lengthValidate)
	}

	p.ipHdr.version = V6
	return p.parseIPv6Packet(bytes, lengthValidate)
}

// New returns a pointer to Packet structure built from the
// provided bytes buffer which is expected to contain valid TCP/IP
// packet bytes.
// WARNING: This package takes control of the bytes buffer passed. The caller has
// to be aware calling any function that returns a slice will NOT be a copy rather
// a sub-slice of the bytes buffer passed. It is the responsibility of the caller
// to copy the slice If and when necessary.
func New(context uint64, bytes []byte, mark string, lengthValidate bool) (packet *Packet, err error) {

	var p Packet

	// Get the mark value
	p.Mark = mark

	// Set the context
	p.context = context
	if len(bytes) < ipv4HdrLenPos {
		return nil, fmt.Errorf("invalid packet length %d", len(bytes))
	}
	if bytes[ipv4HdrLenPos]&ipv4ProtoMask == 0x40 {
		p.ipHdr.version = V4
		return &p, p.parseIPv4Packet(bytes, lengthValidate)
	}

	p.ipHdr.version = V6
	return &p, p.parseIPv6Packet(bytes, lengthValidate)
}

func (p *Packet) parseTCP(bytes []byte) {
	// TCP Header Processing
	tcpBuffer := bytes[p.ipHdr.ipHeaderLen:]

	p.tcpHdr.tcpChecksum = binary.BigEndian.Uint16(tcpBuffer[tcpChecksumPos : tcpChecksumPos+2])
	p.tcpHdr.sourcePort = binary.BigEndian.Uint16(tcpBuffer[tcpSourcePortPos : tcpSourcePortPos+2])
	p.tcpHdr.destinationPort = binary.BigEndian.Uint16(tcpBuffer[tcpDestPortPos : tcpDestPortPos+2])
	p.tcpHdr.tcpAck = binary.BigEndian.Uint32(tcpBuffer[tcpAckPos : tcpAckPos+4])
	p.tcpHdr.tcpSeq = binary.BigEndian.Uint32(tcpBuffer[tcpSeqPos : tcpSeqPos+4])
	p.tcpHdr.tcpDataOffset = (tcpBuffer[tcpDataOffsetPos] & tcpDataOffsetMask) >> 4
	p.tcpHdr.tcpTotalLength = uint16(len(p.ipHdr.Buffer[p.ipHdr.ipHeaderLen:]))

	p.SetTCPFlags(tcpBuffer[tcpFlagsOffsetPos])
}

func parseIP(s string, ipv4 bool) (net.IP, error) {
	ip := net.ParseIP(s)
	if ip == nil {
		return nil, fmt.Errorf("invalid IP address : %s", s)
	}
	if ipv4 {
		ip = ip.To4()
		if ip == nil {
			return nil, fmt.Errorf("not a valid IPv4 address : %s", s)
		}
	} else {
		ip = ip.To16()
		if ip == nil {
			return nil, fmt.Errorf("not a valid IPv6 address : %s", s)
		}
	}
	return ip, nil
}

// NewIpv4TCPPacket creates an Ipv4/TCP packet
func NewIpv4TCPPacket(context uint64, tcpFlags uint8, src, dst string, srcPort, desPort uint16) (*Packet, error) {

	var p Packet
	p.context = context
	p.ipHdr.version = V4

	srcIP, err := parseIP(src, true)
	if err != nil {
		return nil, fmt.Errorf("source address : %s", err)
	}
	dstIP, err := parseIP(dst, true)
	if err != nil {
		return nil, fmt.Errorf("destination address : %s", err)
	}

	buffer := make([]byte, minIPv4HdrSize+minTCPHeaderLen)
	buffer[ipv4HdrLenPos] = 0x45
	copy(buffer[ipv4SourceAddrPos:ipv4SourceAddrPos+4], srcIP)
	copy(buffer[ipv4DestAddrPos:ipv4DestAddrPos+4], dstIP)

	buffer[ipv4ProtoPos] = uint8(IPProtocolTCP)
	binary.BigEndian.PutUint16(buffer[ipv4LengthPos:ipv4LengthPos+2], uint16(minIPv4HdrSize+minTCPHeaderLen))

	// TCP data
	tcpBuffer := buffer[minIPv4HdrSize:]
	tcpBuffer[tcpFlagsOffsetPos] = tcpFlags
	binary.BigEndian.PutUint16(tcpBuffer[tcpSourcePortPos:tcpSourcePortPos+2], srcPort)
	binary.BigEndian.PutUint16(tcpBuffer[tcpDestPortPos:tcpDestPortPos+2], desPort)
	tcpBuffer[tcpDataOffsetPos] = 5 << 4

	if err := p.parseIPv4Packet(buffer, true); err != nil {
		return nil, err
	}

	p.UpdateIPv4Checksum()
	p.UpdateTCPChecksum()

	return &p, nil
}

// NewIpv6TCPPacket creates an Ipv6/TCP packet
func NewIpv6TCPPacket(context uint64, tcpFlags uint8, src, dst string, srcPort, desPort uint16) (*Packet, error) {

	var p Packet
	p.context = context
	p.ipHdr.version = V6

	srcIP, err := parseIP(src, false)
	if err != nil {
		return nil, fmt.Errorf("source address : %s", err)
	}
	dstIP, err := parseIP(dst, false)
	if err != nil {
		return nil, fmt.Errorf("destination address : %s", err)
	}

	buffer := make([]byte, ipv6HeaderLen+minTCPHeaderLen)

	buffer[ipv6VersionPos] = 6
	binary.BigEndian.PutUint16(buffer[ipv6PayloadLenPos:ipv6PayloadLenPos+2], minTCPHeaderLen)
	copy(buffer[ipv6SourceAddrPos:ipv6SourceAddrPos+16], srcIP.To16())
	copy(buffer[ipv6DestAddrPos:ipv6DestAddrPos+16], dstIP.To16())

	buffer[ipv6ProtoPos] = uint8(IPProtocolTCP)

	// TCP data
	tcpBuffer := buffer[ipv6HeaderLen:]
	tcpBuffer[tcpFlagsOffsetPos] = tcpFlags
	binary.BigEndian.PutUint16(tcpBuffer[tcpSourcePortPos:tcpSourcePortPos+2], srcPort)
	binary.BigEndian.PutUint16(tcpBuffer[tcpDestPortPos:tcpDestPortPos+2], desPort)
	tcpBuffer[tcpDataOffsetPos] = 5 << 4

	if err := p.parseIPv6Packet(buffer, true); err != nil {
		return nil, err
	}

	p.UpdateTCPChecksum()

	return &p, nil
}

func (p *Packet) parseICMP(bytes []byte) {

	icmpBuffer := bytes[p.ipHdr.ipHeaderLen:]
	p.icmpHdr.icmpType = int8(icmpBuffer[0])
	p.icmpHdr.icmpCode = int8(icmpBuffer[1])
}

func (p *Packet) parseUDP(bytes []byte) {
	// UDP Header Processing
	udpBuffer := bytes[p.ipHdr.ipHeaderLen:]

	p.udpHdr.udpChecksum = binary.BigEndian.Uint16(udpBuffer[udpChecksumPos : udpChecksumPos+2])
	p.udpHdr.udpLength = binary.BigEndian.Uint16(udpBuffer[udpLengthPos : udpLengthPos+2])
	p.udpHdr.udpData = []byte{}

	p.udpHdr.sourcePort = binary.BigEndian.Uint16(udpBuffer[udpSourcePortPos : udpSourcePortPos+2])
	p.udpHdr.destinationPort = binary.BigEndian.Uint16(udpBuffer[udpDestPortPos : udpDestPortPos+2])
}

func (p *Packet) parseIPv4Packet(bytes []byte, lengthValidate bool) (err error) {

	// IP Header Processing
	if len(bytes) < minIPv4HdrSize {
		return errIPPacketCorrupt
	}

	p.ipHdr.ipHeaderLen = (bytes[ipv4HdrLenPos] & ipv4HdrLenMask) * 4
	p.ipHdr.ipProto = bytes[ipv4ProtoPos]
	p.ipHdr.ipTotalLength = binary.BigEndian.Uint16(bytes[ipv4LengthPos : ipv4LengthPos+2])
	p.ipHdr.ipID = binary.BigEndian.Uint16(bytes[ipv4IDPos : ipv4IDPos+2])
	p.ipHdr.ipChecksum = binary.BigEndian.Uint16(bytes[ipv4ChecksumPos : ipv4ChecksumPos+2])
	p.ipHdr.sourceAddress = append([]byte{}, bytes[ipv4SourceAddrPos:ipv4SourceAddrPos+4]...)
	p.ipHdr.destinationAddress = append([]byte{}, bytes[ipv4DestAddrPos:ipv4DestAddrPos+4]...)

	if p.ipHdr.ipHeaderLen != minIPv4HdrSize {
		return fmt.Errorf("packets with ip options not supported: hdrlen=%d", p.ipHdr.ipHeaderLen)
	}

	p.ipHdr.Buffer = bytes

	if lengthValidate && p.ipHdr.ipTotalLength != uint16(len(p.ipHdr.Buffer)) {
		if p.ipHdr.ipTotalLength < uint16(len(p.ipHdr.Buffer)) {
			p.ipHdr.Buffer = p.ipHdr.Buffer[:p.ipHdr.ipTotalLength]
		} else {
			return fmt.Errorf("stated ip packet length %d differs from bytes available %d", p.ipHdr.ipTotalLength, len(p.ipHdr.Buffer))
		}
	}

	// Some sanity checking for TCP.
	if p.ipHdr.ipProto == IPProtocolTCP {
		if p.ipHdr.ipTotalLength-uint16(p.ipHdr.ipHeaderLen) < minTCPIPPacketLen {
			return fmt.Errorf("tcp ip packet too small: hdrlen=%d", p.ipHdr.ipHeaderLen)
		}

		p.parseTCP(bytes)
	}

	// Some sanity checking for UDP.
	if p.ipHdr.ipProto == IPProtocolUDP {
		if p.ipHdr.ipTotalLength-uint16(p.ipHdr.ipHeaderLen) < minUDPIPPacketLen {
			return fmt.Errorf("udp ip packet too small: hdrlen=%d", p.ipHdr.ipHeaderLen)
		}

		p.parseUDP(bytes)
	}

	if p.ipHdr.ipProto == IPProtocolICMP {
		if p.ipHdr.ipTotalLength-uint16(p.ipHdr.ipHeaderLen) < minICMPIPPacketLen {
			return fmt.Errorf("tcp ip packet too small: hdrlen=%d", p.ipHdr.ipHeaderLen)
		}

		p.parseICMP(bytes)
	}

	// Chaching the result of the flow hash for performance optimization.
	// It is called in multiple places.
	p.l4flowhash = p.l4FlowHash()

	return nil
}

func (p *Packet) parseIPv6Packet(bytes []byte, lengthValidate bool) (err error) {
	// IP Header Processing
	p.ipHdr.ipHeaderLen = ipv6HeaderLen
	p.ipHdr.ipProto = bytes[ipv6ProtoPos]
	p.ipHdr.ipTotalLength = ipv6HeaderLen + binary.BigEndian.Uint16(bytes[ipv6PayloadLenPos:ipv6PayloadLenPos+2])
	p.ipHdr.sourceAddress = append([]byte{}, bytes[ipv6SourceAddrPos:ipv6SourceAddrPos+16]...)
	p.ipHdr.destinationAddress = append([]byte{}, bytes[ipv6DestAddrPos:ipv6DestAddrPos+16]...)

	p.ipHdr.Buffer = bytes

	if lengthValidate && p.ipHdr.ipTotalLength != uint16(len(p.ipHdr.Buffer)) {
		if p.ipHdr.ipTotalLength < uint16(len(p.ipHdr.Buffer)) {
			p.ipHdr.Buffer = p.ipHdr.Buffer[:p.ipHdr.ipTotalLength]
		} else {
			return fmt.Errorf("stated ip packet length %d differs from bytes available %d", p.ipHdr.ipTotalLength, len(p.ipHdr.Buffer))
		}

		p.parseTCP(bytes)
	}

	// Some sanity checking for TCP.
	if p.ipHdr.ipProto == IPProtocolTCP {
		if p.ipHdr.ipTotalLength-uint16(p.ipHdr.ipHeaderLen) < minTCPIPPacketLen {
			return fmt.Errorf("tcp ip packet too small: hdrlen=%d", p.ipHdr.ipHeaderLen)
		}

		p.parseTCP(bytes)
	}

	// Some sanity checking for UDP.
	if p.ipHdr.ipProto == IPProtocolUDP {
		if p.ipHdr.ipTotalLength-uint16(p.ipHdr.ipHeaderLen) < minUDPIPPacketLen {
			return fmt.Errorf("udp ip packet too small: hdrlen=%d", p.ipHdr.ipHeaderLen)
		}
		p.parseUDP(bytes)
	}

	// Chaching the result of the flow hash for performance optimization.
	// It is called in multiple places.
	p.l4flowhash = p.l4FlowHash()

	return nil
}

// IsEmptyTCPPayload returns the TCP data offset
func (p *Packet) IsEmptyTCPPayload() bool {
	return p.TCPDataStartBytes() == p.tcpHdr.tcpTotalLength
}

// GetUDPData return additional data in packet
func (p *Packet) GetUDPData() []byte {
	return p.ipHdr.Buffer[p.ipHdr.ipHeaderLen+UDPDataPos:]
}

// GetUDPDataStartBytes return start of UDP data
func (p *Packet) GetUDPDataStartBytes() uint16 {
	return UDPDataPos
}

// TCPDataStartBytes provides the tcp data start offset in bytes
func (p *Packet) TCPDataStartBytes() uint16 {
	return uint16(p.tcpHdr.tcpDataOffset) * 4
}

// GetIPLength returns the IP length
func (p *Packet) GetIPLength() uint16 {
	return p.ipHdr.ipTotalLength
}

// Print is a print helper function
func (p *Packet) Print(context uint64, packetLogLevel bool) {

	if p.ipHdr.ipProto != IPProtocolTCP {
		return
	}

	logPkt := false
	detailed := false

	if packetLogLevel || context == 0 {
		logPkt = true
		detailed = true
	}

	var buf string
	print := false

	if logPkt {
		if printCount%200 == 0 {
			buf += fmt.Sprintf("Packet: %5s %5s %25s %15s %5s %15s %5s %6s %20s %20s %6s %20s %20s %2s %5s %5s\n",
				"IPID", "Dir", "Comment", "SIP", "SP", "DIP", "DP", "Flags", "TCPSeq", "TCPAck", "TCPLen", "ExpAck", "ExpSeq", "DO", "Acsum", "Ccsum")
		}
		printCount++
		offset := 0

		if (p.GetTCPFlags() & TCPSynMask) == TCPSynMask {
			offset = 1
		}

		expAck := p.tcpHdr.tcpSeq + uint32(uint16(len(p.ipHdr.Buffer[p.ipHdr.ipHeaderLen:]))-p.TCPDataStartBytes()) + uint32(offset)
		ccsum := p.computeTCPChecksum()
		csumValidationStr := ""

		if p.tcpHdr.tcpChecksum != ccsum {
			csumValidationStr = "Bad Checksum"
		}

		buf += fmt.Sprintf("Packet: %5d %5s %25s %15s %5d %15s %5d %6s %20d %20d %6d %20d %20d %2d %5d %5d %12s\n",
			p.ipHdr.ipID,
			flagsToDir(p.context|context),
			flagsToStr(p.context|context),
			p.ipHdr.sourceAddress.String(), p.tcpHdr.sourcePort,
			p.ipHdr.destinationAddress.String(), p.tcpHdr.destinationPort,
			tcpFlagsToStr(p.GetTCPFlags()),
			p.tcpHdr.tcpSeq, p.tcpHdr.tcpAck, uint16(len(p.ipHdr.Buffer[p.ipHdr.ipHeaderLen:]))-p.TCPDataStartBytes(),
			expAck, expAck, p.tcpHdr.tcpDataOffset,
			p.tcpHdr.tcpChecksum, ccsum, csumValidationStr)
		print = true
	}

	if detailed {
		pktBytes := []byte{0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 2, 8, 0}
		pktBytes = append(pktBytes, p.ipHdr.Buffer...)
		buf += fmt.Sprintf("%s\n", hex.Dump(pktBytes))
		print = true
	}

	if print {
		zap.L().Debug(buf)
	}
}

//UpdatePacketBuffer updates the packet with the new updates buffer.
func (p *Packet) UpdatePacketBuffer(buffer []byte, tcpOptionsLen uint16) error {

	if tcpOptionsLen != 0 {
		// If the packet has a payload then we can't insert options
		if p.TCPDataStartBytes() != uint16(len(p.ipHdr.Buffer[p.ipHdr.ipHeaderLen:])) {
			return fmt.Errorf("cannot insert options with existing data: optionlength=%d, iptotallength=%d", tcpOptionsLen, p.ipHdr.ipTotalLength)
		}
	} else {
		// This case is for adding a payload to a packet which may or may not have options
		tcpOptionsLen := p.TCPDataStartBytes() - minTCPHeaderLen
		// Working with unsigned numbers so make sure we didn't go negative basically
		if p.TCPDataStartBytes() < tcpOptionsLen {
			return fmt.Errorf("cannot payload: bad options length: optionlength=%d", tcpOptionsLen)
		}
	}

	packetLenIncrease := uint16(len(buffer) - len(p.ipHdr.Buffer))
	p.ipHdr.Buffer = buffer

	// IP Header Processing
	p.FixupIPHdrOnDataModify(p.ipHdr.ipTotalLength, p.ipHdr.ipTotalLength+packetLenIncrease)

	// TCP Header Processing
	p.FixuptcpHdrOnTCPDataAttach(tcpOptionsLen)

	p.UpdateTCPChecksum()
	return nil
}

//GetTCPBytes returns the bytes in the packet. It consolidates in case of changes as well
func (p *Packet) GetTCPBytes() []byte {

	pktBytes := []byte{}
	pktBytes = append(pktBytes, p.ipHdr.Buffer...)
	return pktBytes
}

// ReadTCPDataString returns ths payload in a string variable
// It does not remove the payload from the packet
func (p *Packet) ReadTCPDataString() string {
	return string(p.ReadTCPData())
}

// ReadTCPData returns ths payload in a string variable
// It does not remove the payload from the packet
func (p *Packet) ReadTCPData() []byte {
	return p.ipHdr.Buffer[uint16(p.ipHdr.ipHeaderLen)+p.TCPDataStartBytes():]
}

// CheckTCPAuthenticationOption ensures authentication option exists at the offset provided
func (p *Packet) CheckTCPAuthenticationOption(iOptionLength int) (err error) {
	tcpDataStart := p.TCPDataStartBytes()

	if tcpDataStart <= minTCPIPPacketLen {
		return errTCPAuthOption
	}
	if len(p.ipHdr.Buffer) < int(p.ipHdr.ipHeaderLen)+20 {
		return errors.New("Invalid IP Packet")
	}
	if int(p.ipHdr.ipHeaderLen)+int(p.tcpHdr.tcpDataOffset*4) > len(p.ipHdr.Buffer) {
		return errors.New("Invalid TCP Packet")
	}
	buffer := p.ipHdr.Buffer[p.ipHdr.ipHeaderLen+20 : int(p.ipHdr.ipHeaderLen)+int(p.tcpHdr.tcpDataOffset*4)]

	for i := 0; i < len(buffer); {
		if buffer[i] == 0 || buffer[i] == 1 {
			i++
			continue
		}

		if buffer[i] != TCPAuthenticationOption {
			if len(buffer) <= i+1 {
				return errTCPAuthOption
			}
			if int(buffer[i+1]) == 0 {
				zap.L().Debug("Bad Packet Option", zap.String("Buffer", hex.Dump(buffer)))
				return errors.New("Invalid TCP Option Packet")
			}
			i = i + int(buffer[i+1])
			continue
		}

		if buffer[i] == TCPAuthenticationOption {
			return nil
		}
		return errTCPAuthOption

	}
	return errTCPAuthOption
}

// FixupIPHdrOnDataModify modifies the IP header fields and checksum
func (p *Packet) FixupIPHdrOnDataModify(old, new uint16) {
	// IP Header Processing
	// IP chekcsum fixup.
	p.ipHdr.ipChecksum = incCsum16(p.ipHdr.ipChecksum, old, new)
	// Update IP Total Length.
	p.ipHdr.ipTotalLength = p.ipHdr.ipTotalLength + new - old

	if p.ipHdr.version == V6 {
		binary.BigEndian.PutUint16(p.ipHdr.Buffer[ipv6PayloadLenPos:ipv6PayloadLenPos+2], p.ipHdr.ipTotalLength-uint16(p.ipHdr.ipHeaderLen))
	} else {
		binary.BigEndian.PutUint16(p.ipHdr.Buffer[ipv4LengthPos:ipv4LengthPos+2], p.ipHdr.ipTotalLength)
		binary.BigEndian.PutUint16(p.ipHdr.Buffer[ipv4ChecksumPos:ipv4ChecksumPos+2], p.ipHdr.ipChecksum)
	}
}

// TCPSequenceNumber return the initial sequence number
func (p *Packet) TCPSequenceNumber() uint32 {
	if p.ipHdr.ipProto != IPProtocolTCP {
		return 0
	}
	return p.tcpHdr.tcpSeq
}

// SetTCPSeq sets the TCP seq number
func (p *Packet) SetTCPSeq(seq uint32) {
	p.tcpHdr.tcpSeq = seq
	buffer := p.ipHdr.Buffer[p.ipHdr.ipHeaderLen:]
	binary.BigEndian.PutUint32(buffer[tcpSeqPos:tcpSeqPos+4], p.tcpHdr.tcpSeq)
}

// IncreaseTCPSeq increases TCP seq number by incr
func (p *Packet) IncreaseTCPSeq(incr uint32) {
	p.SetTCPSeq(p.tcpHdr.tcpSeq + incr)
}

// DecreaseTCPSeq decreases TCP seq number by decr
func (p *Packet) DecreaseTCPSeq(decr uint32) {
	p.SetTCPSeq(p.tcpHdr.tcpSeq - decr)
}

// SetTCPAck sets the TCP ack number
func (p *Packet) SetTCPAck(ack uint32) {
	p.tcpHdr.tcpAck = ack
	buffer := p.ipHdr.Buffer[p.ipHdr.ipHeaderLen:]
	binary.BigEndian.PutUint32(buffer[tcpAckPos:tcpAckPos+4], p.tcpHdr.tcpAck)
}

// IncreaseTCPAck increases TCP ack number by incr
func (p *Packet) IncreaseTCPAck(incr uint32) {
	p.SetTCPAck(p.tcpHdr.tcpAck + incr)
}

// DecreaseTCPAck decreases TCP ack number by decr
func (p *Packet) DecreaseTCPAck(decr uint32) {
	p.SetTCPAck(p.tcpHdr.tcpAck - decr)
}

// FixuptcpHdrOnTCPDataDetach modifies the TCP header fields and checksum
func (p *Packet) FixuptcpHdrOnTCPDataDetach(optionLength uint16) {

	// Update DataOffset
	buffer := p.ipHdr.Buffer[p.ipHdr.ipHeaderLen:]
	p.tcpHdr.tcpDataOffset = p.tcpHdr.tcpDataOffset - uint8(optionLength/4)
	buffer[tcpDataOffsetPos] = p.tcpHdr.tcpDataOffset << 4
}

// tcpDataDetach splits the p.Buffer into p.Buffer (header + some options), p.tcpOptions (optionLength) and p.TCPData (dataLength)
func (p *Packet) tcpDataDetach(optionLength uint16, dataLength uint16) { //nolint
	p.ipHdr.Buffer = p.ipHdr.Buffer[:uint16(p.ipHdr.ipHeaderLen)+p.TCPDataStartBytes()-optionLength]
}

// TCPDataDetach performs the following:
//   - Removes all TCP data from Buffer to TCPData.
//   - Removes "optionLength" bytes of options from TCP header to tcpOptions
//   - Updates IP Hdr (lengths, checksums)
//   - Updates TCP header (checksums)
func (p *Packet) TCPDataDetach(optionLength uint16) {
	// Length
	dataLength := uint16(len(p.ipHdr.Buffer[p.ipHdr.ipHeaderLen:])) - p.TCPDataStartBytes()

	// detach TCP data
	p.tcpDataDetach(optionLength, dataLength)

	// Process TCP Header fields and metadata
	p.FixuptcpHdrOnTCPDataDetach(optionLength)

	// Process IP Header fields
	p.FixupIPHdrOnDataModify(p.ipHdr.ipTotalLength, p.ipHdr.ipTotalLength-(dataLength+optionLength))

	p.UpdateTCPChecksum()
}

// FixuptcpHdrOnTCPDataAttach modifies the TCP header fields and checksum
func (p *Packet) FixuptcpHdrOnTCPDataAttach(tcpOptionsLen uint16) {
	buffer := p.ipHdr.Buffer[p.ipHdr.ipHeaderLen:]
	numberOfOptions := tcpOptionsLen / 4

	// Modify the fields
	p.tcpHdr.tcpDataOffset = p.tcpHdr.tcpDataOffset + uint8(numberOfOptions)
	buffer[tcpDataOffsetPos] = p.tcpHdr.tcpDataOffset << 4

	// Modify the tcp header length
	p.tcpHdr.tcpTotalLength = uint16(len(p.ipHdr.Buffer[p.ipHdr.ipHeaderLen:]))
}

// L4FlowHash calculate a hash string based on the 4-tuple. It returns the cached
// value and does not re-calculate it. This leads to performance gains.
func (p *Packet) L4FlowHash() string {
	return p.l4flowhash
}

func (p *Packet) l4FlowHash() string {
	return p.ipHdr.sourceAddress.String() + ":" + p.ipHdr.destinationAddress.String() + ":" + strconv.Itoa(int(p.SourcePort())) + ":" + strconv.Itoa(int(p.DestPort()))
}

// L4ReverseFlowHash calculate a hash string based on the 4-tuple by reversing source and destination information
func (p *Packet) L4ReverseFlowHash() string {
	return p.ipHdr.destinationAddress.String() + ":" + p.ipHdr.sourceAddress.String() + ":" + strconv.Itoa(int(p.DestPort())) + ":" + strconv.Itoa(int(p.SourcePort()))
}

// SourcePortHash calculates a hash based on dest ip/port for net packet and src ip/port for app packet.
func (p *Packet) SourcePortHash(stage uint64) string {
	if stage == PacketTypeNetwork {
		return p.L4ReverseFlowHash()
	}

	return p.L4FlowHash()
}

// ID returns the IP ID of the packet
func (p *Packet) ID() string {
	return strconv.Itoa(int(p.ipHdr.ipID))
}

//SourcePort -- returns the appropriate source port
func (p *Packet) SourcePort() uint16 {
	if p.ipHdr.ipProto == IPProtocolTCP {
		return p.tcpHdr.sourcePort
	}

	return p.udpHdr.sourcePort
}

//DestPort -- returns the appropriate destination port
func (p *Packet) DestPort() uint16 {
	if p.ipHdr.ipProto == IPProtocolTCP {
		return p.tcpHdr.destinationPort
	}

	return p.udpHdr.destinationPort
}

//SourceAddress returns the source IP
func (p *Packet) SourceAddress() net.IP {
	return p.ipHdr.sourceAddress
}

//DestinationAddress returns the destination address
func (p *Packet) DestinationAddress() net.IP {
	return p.ipHdr.destinationAddress
}

//TCPSeqNum returns tcp sequence number
func (p *Packet) TCPSeqNum() uint32 {
	return p.tcpHdr.tcpSeq
}

//TCPAckNum returns tcp ack number
func (p *Packet) TCPAckNum() uint32 {
	return p.tcpHdr.tcpAck
}

//IPProto returns the L4 protocol
func (p *Packet) IPProto() uint8 {
	return p.ipHdr.ipProto
}

//IPTotalLen returns the total length of the packet
func (p *Packet) IPTotalLen() uint16 {
	return p.ipHdr.ipTotalLength
}

//IPHeaderLen returns the ip header length
func (p *Packet) IPHeaderLen() uint8 {
	return p.ipHdr.ipHeaderLen
}

//GetBuffer returns the slice representing the buffer at offset specified
func (p *Packet) GetBuffer(offset int) []byte {
	return p.ipHdr.Buffer[offset:]
}

// IPversion returns the version of ip packet
func (p *Packet) IPversion() IPver {
	return p.ipHdr.version
}

//TestGetTCPPacket is used by other test code when they need to create a packet
func TestGetTCPPacket(srcIP, dstIP net.IP, srcPort, dstPort uint16) *Packet {
	p := &Packet{}

	p.ipHdr.destinationAddress = dstIP
	p.tcpHdr.destinationPort = dstPort
	p.ipHdr.sourceAddress = srcIP
	p.tcpHdr.sourcePort = srcPort
	p.ipHdr.ipProto = IPProtocolTCP

	return p
}


================================================
FILE: controller/pkg/packet/packet_test.go
================================================
// +build !windows

package packet

import (
	"crypto/rand"
	"encoding/hex"
	"testing"

	"github.com/stretchr/testify/assert"
)

type SamplePacketName int

const (
	synBadTCPChecksum SamplePacketName = iota
	synGoodTCPChecksum
	synIHLTooBig
	synIPLenTooSmall
	synMissingBytes
	synBadIPChecksum
	loopbackAddress = "127.0.0.1"
)

var ipv6UDPPacket = "60000000009f113f20010470e5bf10960002009900c1001020010470e5bf10011cc773ff65f5a2f700a1b4d1009fd3c93081940201033011020429cdb180020300ffcf0401030201030441303f041480004f4db1aadcadbc89affa118dbd53824c6b050201030203010a1d040774616368796f6e040c9069a445532f20d9a57844f704088c8c110c5bbf5ed80439aafc5aa6c6c8364b13f14c807562e50793abc31e99170affd717a969b032112f5df9f2a5a9e661243cfa4d37614e0aca880c74881325222831"

var testPackets = [][]byte{
	// SYN packet captured from 'telnet localhost 99'.
	// TCP checksum is wrong.
	{0x45, 0x10, 0x00, 0x3c, 0xaa, 0x2e, 0x40, 0x00, 0x40, 0x06, 0x92,
		0x7b, 0x7f, 0x00, 0x00, 0x01, 0x7f, 0x00, 0x00, 0x01, 0xb2, 0x64, 0x00, 0x63, 0x58, 0xd1,
		0x24, 0xd9, 0x00, 0x00, 0x00, 0x00, 0xa0, 0x02, 0xaa, 0xaa, 0xfe, 0x30, 0x00, 0x00, 0x02,
		0x04, 0xff, 0xd7, 0x04, 0x02, 0x08, 0x0a, 0x00, 0xc5, 0x8e, 0xf7, 0x00, 0x00, 0x00, 0x00,
		0x01, 0x03, 0x03, 0x07},

	// SYN packet captured from 'telnet localhost 99'.
	// Everything is correct.
	{0x45, 0x10, 0x00, 0x3c, 0xec, 0x6c, 0x40, 0x00, 0x40, 0x06, 0x50,
		0x3d, 0x7f, 0x00, 0x00, 0x01, 0x7f, 0x00, 0x00, 0x01, 0x8c, 0x80, 0x00, 0x63, 0x2c, 0x32,
		0xa8, 0xd6, 0x00, 0x00, 0x00, 0x00, 0xa0, 0x02, 0xaa, 0xaa, 0xfe, 0x88, 0x00, 0x00, 0x02,
		0x04, 0xff, 0xd7, 0x04, 0x02, 0x08, 0x0a, 0xff, 0xff, 0x44, 0xba, 0x00, 0x00, 0x00, 0x00,
		0x01, 0x03, 0x03, 0x07},

	// SYN packet captured from 'telnet localhost 99'.
	// IHL (IP header length) is wrong (too big, value = 6 should be 5)
	{0x46, 0x10, 0x00, 0x3c, 0xaa, 0x2e, 0x40, 0x00, 0x40, 0x06, 0x92,
		0x7b, 0x7f, 0x00, 0x00, 0x01, 0x7f, 0x00, 0x00, 0x01, 0xb2, 0x64, 0x00, 0x63, 0x58, 0xd1,
		0x24, 0xd9, 0x00, 0x00, 0x00, 0x00, 0xa0, 0x02, 0xaa, 0xaa, 0xfe, 0x30, 0x00, 0x00, 0x02,
		0x04, 0xff, 0xd7, 0x04, 0x02, 0x08, 0x0a, 0x00, 0xc5, 0x8e, 0xf7, 0x00, 0x00, 0x00, 0x00,
		0x01, 0x03, 0x03, 0x07},

	// The IP packet length is incorrect (too small, value=38, should be 40)
	{0x45, 0x10, 0x00, 0x26, 0xaa, 0x2e, 0x40, 0x00, 0x40, 0x06, 0x92,
		0x7b, 0x7f, 0x00, 0x00, 0x01, 0x7f, 0x00, 0x00, 0x01, 0xb2, 0x64, 0x00, 0x63, 0x58, 0xd1,
		0x24, 0xd9, 0x00, 0x00, 0x00, 0x00, 0xa0, 0x02, 0xaa, 0xaa, 0xfe, 0x30},

	// SYN packet captured from 'telnet localhost 99'.
	// Packet is too short, missing two bytes.
	{0x45, 0x10, 0x00, 0x3c, 0xaa, 0x2e, 0x40, 0x00, 0x40, 0x06, 0x92,
		0x7b, 0x7f, 0x00, 0x00, 0x01, 0x7f, 0x00, 0x00, 0x01, 0xb2, 0x64, 0x00, 0x63, 0x58, 0xd1,
		0x24, 0xd9, 0x00, 0x00, 0x00, 0x00, 0xa0, 0x02, 0xaa, 0xaa, 0xfe, 0x30, 0x00, 0x00, 0x02,
		0x04, 0xff, 0xd7, 0x04, 0x02, 0x08, 0x0a, 0x00, 0xc5, 0x8e, 0xf7, 0x00, 0x00, 0x00, 0x00,
		0x01, 0x03},

	// SYN packet captured from 'telnet localhost 99'.
	// IP checksum is wrong (set to zero)
	{0x45, 0x10, 0x00, 0x3c, 0xaa, 0x2e, 0x40, 0x00, 0x40, 0x06, 0x00,
		0x00, 0x7f, 0x00, 0x00, 0x01, 0x7f, 0x00, 0x00, 0x01, 0xb2, 0x64, 0x00, 0x63, 0x58, 0xd1,
		0x24, 0xd9, 0x00, 0x00, 0x00, 0x00, 0xa0, 0x02, 0xaa, 0xaa, 0xfe, 0x30, 0x00, 0x00, 0x02,
		0x04, 0xff, 0xd7, 0x04, 0x02, 0x08, 0x0a, 0x00, 0xc5, 0x8e, 0xf7, 0x00, 0x00, 0x00, 0x00,
		0x01, 0x03, 0x03, 0x07}}

func TestGoodPacket(t *testing.T) {

	t.Parallel()
	pkt := getTestPacket(t, synGoodTCPChecksum)
	t.Log(pkt.PacketToStringTCP())

	if !pkt.VerifyIPv4Checksum() {
		t.Error("Test packet IP checksum failed")
	}

	if !pkt.VerifyTCPChecksum() {
		t.Error("TCP checksum failed")
	}

	if pkt.DestPort() != 99 {
		t.Error("Unexpected destination port")
	}

	if pkt.SourcePort() != 35968 {
		t.Error("Unexpected source port")
	}
}

func TestBadTCPChecknum(t *testing.T) {

	t.Parallel()
	pkt := getTestPacket(t, synBadTCPChecksum)
	if !pkt.VerifyIPv4Checksum() {
		t.Error("Test packet IP checksum failed")
	}

	if pkt.VerifyTCPChecksum() {
		t.Error("Expected TCP checksum failure")
	}
}

func TestPartialChecksum(t *testing.T) {
	// Computes a checksum over the given slice.
	checksum := func(buf []byte) uint16 {
		checksumDelta := func(buf []byte) uint16 {

			sum := uint32(0)

			for ; len(buf) >= 2; buf = buf[2:] {
				sum += uint32(buf[0])<<8 | uint32(buf[1])
			}
			if len(buf) > 0 {
				sum += uint32(buf[0]) << 8
			}
			for sum > 0xffff {
				sum = (sum >> 16) + (sum & 0xffff)
			}
			return uint16(sum)
		}

		sum := checksumDelta(buf)
		csum := ^sum
		return csum
	}

	for i := 0; i < 1000; i++ {
		var randBytes [1500]byte

		rand.Read(randBytes[:]) // nolint

		csum := checksum(randBytes[:])

		pCsum := partialChecksum(0, randBytes[:500])
		pCsum = partialChecksum(pCsum, randBytes[500:1000])
		pCsum = partialChecksum(pCsum, randBytes[1000:])
		fCSum := finalizeChecksum(pCsum)

		if csum != fCSum {
			t.Error("Checksum failed")
		}
	}

}

func TestAddresses(t *testing.T) {

	t.Parallel()
	pkt := getTestPacket(t, synBadTCPChecksum)

	src := pkt.SourceAddress().String()
	if src != loopbackAddress {
		t.Errorf("Unexpected source address %s", src)
	}
	dest := pkt.DestinationAddress().String()
	if dest != loopbackAddress {
		t.Errorf("Unexpected destination address %s", src)
	}
}

func TestEmptyPacketNoPayload(t *testing.T) {

	t.Parallel()
	pkt := getTestPacket(t, synBadTCPChecksum)

	data := pkt.ipHdr.Buffer
	if len(data) != 60 {
		t.Error("Test SYN packet should have no TCP payload")
	}
}

/*
func TestEmptyPacketNoTags(t *testing.T) {

	t.Parallel()
	pkt := getTestPacket(t, synBadTCPChecksum)

	labels := pkt.ReadPayloadTags()
	if len(labels) != 0 {
		t.Error("Test SYN packet should have no labels")
	}

	extracted := pkt.ExtractPayloadTags()
	if len(extracted) != 0 {
		t.Error("Test SYN packet should have no extractable labels")
	}

	pkt.connection.TCPDataDetach()
	if len(pkt.Bytes) != 60 {
		t.Error("Test SYN packet should have no TCP data at all")
	}
}
*/

func TestExtractedBytesStillGood(t *testing.T) {

	t.Parallel()
	pkt := getTestPacket(t, synBadTCPChecksum)

	// Extract unmodified bytes and feed them back in
	bytes := pkt.ipHdr.Buffer
	pkt2, err := New(0, bytes, "0", true)
	if err != nil {
		t.Fatal(err)
	}

	if !pkt2.VerifyIPv4Checksum() {
		t.Error("Test packet2 IP checksum failed")
	}
}

func TestLongerIPHeader(t *testing.T) {

	t.Parallel()
	err := getTestPacketWithError(synIHLTooBig)
	t.Log(err)
	if err == nil {
		t.Error("Expected failure given too long IP header length")
	}
}

func TestShortPacketLength(t *testing.T) {

	t.Parallel()
	err := getTestPacketWithError(synIPLenTooSmall)
	t.Log(err)
	if err == nil {
		t.Error("Expected failure given too short IP header length")
	}
}

func TestShortBuffer(t *testing.T) {

	t.Parallel()
	err := getTestPacketWithError(synMissingBytes)
	t.Log(err)
	if err == nil {
		t.Error("Expected failure given short (truncated) packet")
	}
}

func TestSetChecksum(t *testing.T) {

	t.Parallel()
	pkt := getTestPacket(t, synBadIPChecksum)
	t.Log(pkt.PacketToStringTCP())
	if pkt.VerifyIPv4Checksum() {
		t.Error("Expected bad IP checksum given it is wrong")
	}

	pkt.UpdateIPv4Checksum()
	t.Log(pkt.PacketToStringTCP())
	if !pkt.VerifyIPv4Checksum() {
		t.Error("IP checksum is wrong after update")
	}
}

func TestSetTCPChecksum(t *testing.T) {

	t.Parallel()
	pkt := getTestPacket(t, synBadTCPChecksum)
	t.Log(pkt.PacketToStringTCP())
	if pkt.VerifyTCPChecksum() {
		t.Error("Expected bad TCP checksum given it is wrong")
	}

	pkt.UpdateTCPChecksum()
	t.Log(pkt.PacketToStringTCP())
	if !pkt.VerifyTCPChecksum() {
		t.Error("TCP checksum is wrong after update")
	}
}

func TestAddTag(t *testing.T) {

	/*
		t.Parallel()
		labels := []string{"TAG1"}
		pkt := getTestPacket(t, synBadTCPChecksum)
		if !pkt.VerifyIPv4Checksum() {
			t.Error("Test packet IP checksum failed")
		}

		s := pkt.String()
		t.Log(s)

		pkt.AttachPayloadTags(labels)
		if !pkt.VerifyIPv4Checksum() {
			t.Error("Tagged packet IP checksum failed")
		}

		s2 := pkt.String()
		t.Log(s2)

		data := string(pkt.Bytes[pkt.connection.TCPDataStartBytes():])
		t.Log("Tag extracted from payload:", data)
		if data != " "+labels[0] {
			t.Error("Tag extracted from payload data doesn't match input")
		}
	*/
}

func TestExtractTags(t *testing.T) {
	/*
		t.Parallel()
		labels := []string{"TAG1", "TAG2", "TAG3"}
		pkt := getTestPacket(t, synGoodTCPChecksum)
		t.Log("Initial packet", pkt)

		pkt.AttachPayloadTags(labels)
		t.Log("With tags", pkt)

		if !pkt.VerifyIPv4Checksum() {
			t.Error("Tagged packet checksum failed")
		}

		if !pkt.VerifyTCPChecksum() {
			t.Error("Packet TCP checksum failed after adding tags")
		}

		labelsRead := pkt.ExtractPayloadTags()
		t.Log("Tags extracted", pkt)

		if len(labelsRead) != 3 {
			t.Errorf("Wrote 3 labels but read %d", len(labelsRead))
		}

		for i := range labels {
			if labels[i] != labelsRead[i] {
				t.Error("Labels read do not match labels written")
			}
		}

		if !pkt.VerifyIPv4Checksum() {
			t.Error("Packet IP checksum failed after extracting tags")
		}

		if !pkt.VerifyTCPChecksum() {
			t.Error("Packet TCP checksum failed after extracting tags")
		}

		labelsGone := pkt.ReadPayloadTags()
		if len(labelsGone) != 0 {
			t.Error("Labels still present after extraction")
		}
	*/
}

func TestAddTags(t *testing.T) {
	/*
		t.Parallel()
		labels := []string{"TAG1", "TAG2", "TAG3"}
		pkt := getTestPacket(t, synBadTCPChecksum)
		if !pkt.VerifyIPv4Checksum() {
			t.Error("Test packet IP checksum failed")
		}

		t.Log(pkt.String())

		pkt.AttachPayloadTags(labels)
		if !pkt.VerifyIPv4Checksum() {
			t.Error("Tagged packet checksum failed")
		}

		t.Log(pkt.String())

		// Just reading tags does not remove them, so try reading twice to make sure
		for n := 0; n < 2; n++ {
			labelsRead := pkt.ReadPayloadTags()
			if len(labelsRead) != 3 {
				t.Errorf("Wrote 3 labels but read %d", len(labelsRead))
			}

			for i := range labels {
				if labels[i] != labelsRead[i] {
					t.Error("Labels read do not match labels written")
				}
			}
		}
	*/
}

func TestUDP(t *testing.T) {
	udpPacket, _ := hex.DecodeString("4500004b1a294000401108b90a8080800a0c82b400350e1700371e316e4f8180000100010000000003617069066272616e636802696f0000010001c00c000100010000003b00046354e9fa")

	pkt, _ := New(0, udpPacket, "0", true)

	if pkt.SourceAddress().String() != "10.128.128.128" {
		t.Error("source address udp parsing incorrect")
	}

	if pkt.DestinationAddress().String() != "10.12.130.180" {
		t.Error("destination address udp parsing incorrect")
	}

	if pkt.SourcePort() != uint16(53) {
		t.Error("source port incorrect udp")
	}

	if pkt.DestPort() != uint16(3607) {
		t.Error("destination port incorrect udp")
	}
}

func TestRawChecksums(t *testing.T) {

	t.Parallel()
	var buf = []byte{0x01, 0x00, 0xF2, 0x03, 0xF4, 0xF5, 0xF6, 0xF7, 0x00, 0x00}
	c := checksum(buf)
	if c != 0x210E {
		t.Error("First checksum calculation failed")
	}

	var buf2 = []byte{0x01, 0x00, 0xF2, 0x03, 0xF4, 0xF5, 0xF6, 0xF7, 0x00}
	c2 := checksum(buf2)
	if c2 != 0x210E {
		t.Error("Second checksum calculation (odd bytes) failed")
	}

	var buf3 = []byte{0x45, 0x00, 0x00, 0x3c, 0x1c, 0x46, 0x40, 0x00, 0x40, 0x06,
		0x00, 0x00, 0xac, 0x10, 0x0a, 0x63, 0xac, 0x10, 0x0a, 0x0c}
	c3 := checksum(buf3)
	if c3 != 0xB1E6 {
		t.Error("Third checksum calculation failed")
	}
}

func TestAuthOptions(t *testing.T) {

	AuthpacketByte := []byte{0x45, 0x00, 0x00, 0x40, 0x7b, 0xd6, 0x40, 0x00, 0x40, 0x06, 0xcd, 0x9d, 0x0a, 0xb0, 0x48, 0x05, 0x0a, 0xb4, 0x93, 0xdf, 0x01, 0xbb, 0x87, 0x78, 0x2d, 0xa9, 0xaf, 0xf1, 0x4d, 0x89, 0xcc, 0xeb, 0xb0, 0x12, 0xff, 0xff, 0xe7, 0x64, 0x00, 0x00, 0x02, 0x04, 0x05, 0x50, 0x01, 0x03, 0x03, 0x0b, 0x04, 0x02, 0x08, 0x0a, 0xbd, 0x1c, 0x73, 0x43, 0x22, 0x63, 0x9b, 0x9d, 0x22, 0x4, 0x0, 0x0}

	NonAuthpacketByte := []byte{0x45, 0x00, 0x00, 0x40, 0x7b, 0xd6, 0x40, 0x00, 0x40, 0x06, 0xcd, 0x9d, 0x0a, 0xb0, 0x48, 0x05, 0x0b, 0xb4, 0x93, 0xdf, 0x01, 0xbb, 0x87, 0x78, 0x2d, 0xa9, 0xaf, 0xf1, 0x4d, 0x89, 0xcc, 0xeb, 0xb0, 0x12, 0xff, 0xff, 0xe7, 0x64, 0x00, 0x00, 0x02, 0x04, 0x05, 0x50, 0x01, 0x03, 0x03, 0x0b, 0x04, 0x02, 0x08, 0x0a, 0xbd, 0x1c, 0x73, 0x43, 0x22, 0x63, 0x9b, 0x0, 0x2, 0x0, 0x0, 0x0}

	pkt, err := New(1, AuthpacketByte, "2", true)
	if err != nil {
		t.Errorf("Packet not parsed %s", err)
	}
	if err := pkt.CheckTCPAuthenticationOption(4); err != nil {
		t.Errorf("There is no TCP AUTH Option")
	}
	pkt, err = New(1, NonAuthpacketByte, "2", true)
	if err != nil {
		t.Errorf("Packet not parsed %s", err)
	}
	if err = pkt.CheckTCPAuthenticationOption(4); err == nil {
		t.Errorf("There is no TCP AUTH Option but we are reporting it")
	}

}

func TestNewPacketFunctions(t *testing.T) {
	pkt := getTestPacket(t, synGoodTCPChecksum)
	pkt.Print(123456, true)

	if pkt.SourcePort() != 35968 {
		t.Error("Test packet source ip didnt match")
	}

	if pkt.DestPort() != 99 {
		t.Error("Test packet dest port didnt match")
	}

	if pkt.SourceAddress().String() != loopbackAddress {
		t.Error("Test packet source ip didnt match")
	}

	if pkt.DestinationAddress().String() != loopbackAddress {
		t.Error("Test packet dest ip didnt match")
	}

	if pkt.IPProto() != IPProtocolTCP {
		t.Error("Test packet ip proto didnt match")
	}

	if pkt.IPTotalLen() != 60 {
		t.Error("Test packet total length is wrong")
	}

	if pkt.IPHeaderLen() != 20 {
		t.Error("Test packet ip header length should be 20")
	}

	if pkt.GetTCPFlags() != 2 {
		t.Error("test packet tcp flags didnt match")
	}

}

func getTestPacket(t *testing.T, id SamplePacketName) *Packet {

	tmp := make([]byte, len(testPackets[id]))
	copy(tmp, testPackets[id])

	pkt, err := New(0, tmp, "0", true)
	if err != nil {
		t.Fatal(err)
	}
	return pkt
}

func getTestPacketWithError(id SamplePacketName) error {

	tmp := make([]byte, len(testPackets[id]))
	copy(tmp, testPackets[id])

	_, err := New(0, tmp, "0", true)
	return err
}

func TestIPV6PacketParsing(t *testing.T) {
	bytes, _ := hex.DecodeString(ipv6UDPPacket)
	pkt, _ := New(0, bytes, "0", true)

	assert.Equal(t, pkt.SourceAddress().String(), "2001:470:e5bf:1096:2:99:c1:10", "src addr did not match")
	assert.Equal(t, pkt.DestinationAddress().String(), "2001:470:e5bf:1001:1cc7:73ff:65f5:a2f7", "dst addr did not match")
}

func TestReverseFlowPacket(t *testing.T) {
	bytes, _ := hex.DecodeString(ipv6UDPPacket)
	pkt, _ := New(0, bytes, "0", true)

	pkt.CreateReverseFlowPacket()

	assert.Equal(t, pkt.SourceAddress().String(), "2001:470:e5bf:1001:1cc7:73ff:65f5:a2f7", "src addr did not match")
	assert.Equal(t, pkt.DestinationAddress().String(), "2001:470:e5bf:1096:2:99:c1:10", "dst addr did not match")
}

func TestUDPTokenAttach(t *testing.T) {
	bytes, _ := hex.DecodeString(ipv6UDPPacket)
	pkt, _ := New(0, bytes, "0", true)
	data := []byte("helloworld")
	// Create UDP Option
	udpOptions := CreateUDPAuthMarker(UDPSynAckMask, uint16(len(data)))

	pkt.CreateReverseFlowPacket()

	// Attach the UDP data and token
	pkt.UDPTokenAttach(udpOptions, data)

	assert.Equal(t, string(pkt.ReadUDPToken()), "helloworld", "token should match helloworld")

}

func TestNewIpv4TCPPacket(t *testing.T) {

	srcIP := "10.0.0.30"
	dstIP := "10.0.0.25"
	srcPort := uint16(3000)
	dstPort := uint16(80)
	tcpFlags := uint8(0x2)
	context := uint64(100)

	p, err := NewIpv4TCPPacket(context, tcpFlags, srcIP, dstIP, srcPort, dstPort)
	assert.NoError(t, err)
	if p != nil {
		assert.Equal(t, V4, p.ipHdr.version, "Version should equal")
		assert.Equal(t, context, p.context, "Context should equal")
		assert.Equal(t, uint8(IPProtocolTCP), p.ipHdr.ipProto, "Protocol should equal")
		assert.Equal(t, srcIP, p.ipHdr.sourceAddress.String(), "Source address should equal")
		assert.Equal(t, dstIP, p.ipHdr.destinationAddress.String(), "Destination address should equal")
		assert.Equal(t, srcPort, p.tcpHdr.sourcePort, "Source port should equal")
		assert.Equal(t, dstPort, p.tcpHdr.destinationPort, "Destination port should equal")
		assert.Equal(t, tcpFlags, p.tcpHdr.tcpFlags, "TCP flags should equal")
	}
}

func TestNewIpv6TCPPacket(t *testing.T) {

	srcIP := "2001:db8:5002::8a2e:370:7334"
	dstIP := "2002:db9:5002::8a2b:370:7335"
	srcPort := uint16(3000)
	dstPort := uint16(80)
	tcpFlags := uint8(0x2)
	context := uint64(100)

	p, err := NewIpv6TCPPacket(context, tcpFlags, srcIP, dstIP, srcPort, dstPort)
	assert.NoError(t, err)
	if p != nil {
		assert.Equal(t, V6, p.ipHdr.version, "Version should equal")
		assert.Equal(t, context, p.context, "Context should equal")
		assert.Equal(t, uint8(IPProtocolTCP), p.ipHdr.ipProto, "Protocol should equal")
		assert.Equal(t, srcIP, p.ipHdr.sourceAddress.String(), "Source address should equal")
		assert.Equal(t, dstIP, p.ipHdr.destinationAddress.String(), "Destination address should equal")
		assert.Equal(t, srcPort, p.tcpHdr.sourcePort, "Source port should equal")
		assert.Equal(t, dstPort, p.tcpHdr.destinationPort, "Destination port should equal")
		assert.Equal(t, tcpFlags, p.tcpHdr.tcpFlags, "TCP flags should equal")
	}
}


================================================
FILE: controller/pkg/packet/types.go
================================================
package packet

import "net"

const (
	// PacketTypeNetwork is enum for from-network packets
	PacketTypeNetwork = 0x1000
	// PacketTypeApplication is enum for from-application packets
	PacketTypeApplication = 0x2000

	// PacketStageIncoming is an enum for incoming stage
	PacketStageIncoming = 0x0100
	// PacketStageAuth is an enum for authentication stage
	PacketStageAuth = 0x0200
	// PacketStageService is an enum for crypto stage
	PacketStageService = 0x0400
	// PacketStageOutgoing is an enum for outgoing stage
	PacketStageOutgoing = 0x0800

	// PacketFailureCreate is the drop reason for packet
	PacketFailureCreate = 0x0010
	// PacketFailureAuth is a drop reason for packet due to authentication error
	PacketFailureAuth = 0x0020
	// PacketFailureService is a drop reason for packet due to crypto error
	PacketFailureService = 0x00040
)

func flagsToDir(flags uint64) string {

	if flags&PacketTypeApplication != 0 {
		return "<<<<<"
	} else if flags&PacketTypeNetwork != 0 {
		return ">>>>>"
	}
	return "xxxxx"
}

func flagsToStr(flags uint64) string {

	s := ""
	if flags&PacketTypeApplication != 0 {
		s = s + "Application"
	} else if flags&PacketTypeNetwork != 0 {
		s = s + "Network"
	}

	if flags&PacketStageIncoming != 0 {
		s = s + "-Incoming"
	} else if flags&PacketStageOutgoing != 0 {
		s = s + "-Outgoing"
	} else if flags&PacketStageAuth != 0 {
		s = s + "-Auth"
	} else if flags&PacketStageService != 0 {
		s = s + "-Service"
	}

	if flags&PacketFailureCreate != 0 {
		s = s + "-(Fail Create)"
	} else if flags&PacketFailureAuth != 0 {
		s = s + "-(Fail Auth)"
	} else if flags&PacketFailureService != 0 {
		s = s + "-(Fail Service)"
	}
	return s
}

func tcpFlagsToStr(flags uint8) string {
	s := ""
	if flags&0x20 == 0 {
		s = s + "."
	} else {
		s = s + "U"
	}
	if flags&0x10 == 0 {
		s = s + "."
	} else {
		s = s + "A"
	}
	if flags&0x08 == 0 {
		s = s + "."
	} else {
		s = s + "P"
	}
	if flags&0x04 == 0 {
		s = s + "."
	} else {
		s = s + "R"
	}
	if flags&0x02 == 0 {
		s = s + "."
	} else {
		s = s + "S"
	}
	if flags&0x01 == 0 {
		s = s + "."
	} else {
		s = s + "F"
	}
	return s
}

// TCPFlagsToStr converts the TCP Flags to a string value that is human readable
func TCPFlagsToStr(flags uint8) string {
	s := ""
	if flags&0x20 == 0 {
		s = s + "."
	} else {
		s = s + "U"
	}
	if flags&0x10 == 0 {
		s = s + "."
	} else {
		s = s + "A"
	}
	if flags&0x08 == 0 {
		s = s + "."
	} else {
		s = s + "P"
	}
	if flags&0x04 == 0 {
		s = s + "."
	} else {
		s = s + "R"
	}
	if flags&0x02 == 0 {
		s = s + "."
	} else {
		s = s + "S"
	}
	if flags&0x01 == 0 {
		s = s + "."
	} else {
		s = s + "F"
	}
	return s
}

// IPver is the type defined for ip version
type IPver int

const (
	// V4 is the flag for ipv4
	V4 IPver = iota
	// V6 is the flag for ipv6
	V6
)

type iphdr struct {
	Buffer []byte

	// IP Header fields
	ipHeaderLen        uint8
	ipProto            uint8
	ipTotalLength      uint16
	ipID               uint16
	ipChecksum         uint16
	version            IPver
	sourceAddress      net.IP
	destinationAddress net.IP
}

type tcphdr struct {
	sourcePort      uint16
	destinationPort uint16

	tcpSeq         uint32
	tcpAck         uint32
	tcpDataOffset  uint8
	tcpFlags       uint8
	tcpChecksum    uint16
	tcpTotalLength uint16
}

type udphdr struct {
	sourcePort      uint16
	destinationPort uint16
	udpChecksum     uint16
	udpLength       uint16
	udpData         []byte
}

type icmphdr struct {
	icmpType int8
	icmpCode int8
}

// PlatformMetadata structure
type PlatformMetadata interface {
	Clone() PlatformMetadata
}

//Packet structure
type Packet struct {
	// Metadata
	context uint64

	// Mark is the nfqueue Mark
	Mark        string
	SetConnmark bool
	ipHdr       iphdr
	tcpHdr      tcphdr
	udpHdr      udphdr
	icmpHdr     icmphdr
	l4flowhash  string
	// Service Metadata
	SvcMetadata interface{}
	// Connection Metadata
	ConnectionMetadata interface{}
	// Platform Metadata (needed for Windows)
	PlatformMetadata PlatformMetadata
}


================================================
FILE: controller/pkg/packetprocessor/packetprocessor.go
================================================
package packetprocessor

import (
	provider "go.aporeto.io/enforcerd/trireme-lib/controller/pkg/aclprovider"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/connection"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/fqconfig"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packet"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/pucontext"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/tokens"
)

// PacketProcessor is an interface for extending packet processing functions such
// as encryption, deep packet inspection, etc. These functions are run inline during packet
// processing. A services processor must implement this interface.
type PacketProcessor interface {
	// Initialize  initializes any ACLs that the processor requires
	Initialize(fq fqconfig.FilterQueue, p []provider.IptablesProvider)

	// Stop stops the packet processor
	Stop() error

	// PreProcessTCPAppPacket will be called for application packets and return value of false means drop packet.
	PreProcessTCPAppPacket(p *packet.Packet, context *pucontext.PUContext, conn *connection.TCPConnection) bool

	// PostProcessTCPAppPacket will be called for application packets and return value of false means drop packet.
	PostProcessTCPAppPacket(p *packet.Packet, action interface{}, context *pucontext.PUContext, conn *connection.TCPConnection) bool

	// PreProcessTCPNetPacket will be called for network packets and return value of false means drop packet
	PreProcessTCPNetPacket(p *packet.Packet, context *pucontext.PUContext, conn *connection.TCPConnection) bool

	// PostProcessTCPNetPacket will be called for network packets and return value of false means drop packet
	PostProcessTCPNetPacket(p *packet.Packet, action interface{}, claims *tokens.ConnectionClaims, context *pucontext.PUContext, conn *connection.TCPConnection) bool

	// PreProcessUDPAppPacket will be called for application packets and return value of false means drop packet
	PreProcessUDPAppPacket(p *packet.Packet, context *pucontext.PUContext, conn *connection.UDPConnection, packetType uint8) bool

	// PostProcessUDPAppPacket will be called for application packets and return value of false means drop packet.
	PostProcessUDPAppPacket(p *packet.Packet, action interface{}, context *pucontext.PUContext, conn *connection.UDPConnection) bool

	// PreProcessUDPNetPacket will be called for network packets and return value of false means drop packet
	PreProcessUDPNetPacket(p *packet.Packet, context *pucontext.PUContext, conn *connection.UDPConnection) bool

	// PostProcessUDPNetPacket will be called for network packets and return value of false means drop packet
	PostProcessUDPNetPacket(p *packet.Packet, action interface{}, claims *tokens.ConnectionClaims, context *pucontext.PUContext, conn *connection.UDPConnection) bool
}


================================================
FILE: controller/pkg/packettracing/packettracing.go
================================================
package packettracing

// TracingDirection is used to configure the direction for which we want to trace packets
type TracingDirection int

// TracingDirection enum all possible states
const (
	Disabled        TracingDirection = 0
	NetworkOnly     TracingDirection = 1
	ApplicationOnly TracingDirection = 2
	Invalid         TracingDirection = 4
)

// PacketEvent is string for our packet decision
type PacketEvent string

// Enum for all packetevents
const (
	PacketDropped  PacketEvent = "Dropped"
	PacketReceived PacketEvent = "Received"
	PacketSent     PacketEvent = "Transmitted"
)

// IsNetworkPacketTraced checks if network mode packet tracign is enabled
func IsNetworkPacketTraced(direction TracingDirection) bool {
	return (direction&NetworkOnly != 0)
}

// IsApplicationPacketTraced checks if application
func IsApplicationPacketTraced(direction TracingDirection) bool {
	return (direction&ApplicationOnly != 0)
}


================================================
FILE: controller/pkg/pingconfig/pingconfig.go
================================================
package pingconfig

import (
	"sync"
	"time"

	"go.aporeto.io/enforcerd/trireme-lib/collector"
)

// PingConfig holds ping configuration for this connection.
type PingConfig struct {
	socketFd     uintptr
	socketClosed bool
	pingID       string
	iterationID  int
	appListening bool
	seqNum       uint32
	pingReport   *collector.PingReport

	StartTime time.Time

	sync.RWMutex
}

// New returns a new locked access to PingConfig handle.
func New() *PingConfig {
	return &PingConfig{}
}

// SocketFd returns socket file descriptor.
func (p *PingConfig) SocketFd() uintptr {
	p.RLock()
	defer p.RUnlock()

	return p.socketFd
}

// SetSocketFd sets socket file descriptor.
func (p *PingConfig) SetSocketFd(socketFd uintptr) {
	p.Lock()
	defer p.Unlock()

	p.socketFd = socketFd
}

// SocketClosed returns socket closed.
func (p *PingConfig) SocketClosed() bool {
	p.RLock()
	defer p.RUnlock()

	return p.socketClosed
}

// SetSocketClosed sets socket closed.
func (p *PingConfig) SetSocketClosed(socketClosed bool) {
	p.Lock()
	defer p.Unlock()

	p.socketClosed = socketClosed
}

// PingID returns ping ID.
func (p *PingConfig) PingID() string {
	p.RLock()
	defer p.RUnlock()

	return p.pingID
}

// SetPingID sets ping ID.
func (p *PingConfig) SetPingID(pingID string) {
	p.Lock()
	defer p.Unlock()

	p.pingID = pingID
}

// IterationID returns iteration ID.
func (p *PingConfig) IterationID() int {
	p.RLock()
	defer p.RUnlock()

	return p.iterationID
}

// SetIterationID sets iteration ID.
func (p *PingConfig) SetIterationID(iterationID int) {
	p.Lock()
	defer p.Unlock()

	p.iterationID = iterationID
}

// ApplicationListening returns true if an app is listening.
func (p *PingConfig) ApplicationListening() bool {
	p.RLock()
	defer p.RUnlock()

	return p.appListening
}

// SetApplicationListening sets appListening.
func (p *PingConfig) SetApplicationListening(appListening bool) {
	p.Lock()
	defer p.Unlock()

	p.appListening = appListening
}

// SeqNum returns tcp sequence number.
func (p *PingConfig) SeqNum() uint32 {
	p.RLock()
	defer p.RUnlock()

	return p.seqNum
}

// SetSeqNum sets tcp sequence number.
func (p *PingConfig) SetSeqNum(seqNum uint32) {
	p.Lock()
	defer p.Unlock()

	p.seqNum = seqNum
}

// PingReport returns ping report.
func (p *PingConfig) PingReport() *collector.PingReport {
	p.RLock()
	defer p.RUnlock()

	return p.pingReport
}

// SetPingReport sets ping report.
func (p *PingConfig) SetPingReport(pingReport *collector.PingReport) {
	p.Lock()
	defer p.Unlock()

	p.pingReport = pingReport
}


================================================
FILE: controller/pkg/pingconfig/pingconfig_test.go
================================================
package pingconfig

import (
	"testing"

	"github.com/stretchr/testify/require"
	"go.aporeto.io/enforcerd/trireme-lib/collector"
)

func Test_NewPingConfig(t *testing.T) {

	p := New()
	require.NotNil(t, p)

	p.SetSocketFd(4)
	require.Equal(t, uintptr(4), p.SocketFd())

	p.SetSocketClosed(true)
	require.True(t, p.SocketClosed())

	p.SetPingID("abc")
	require.Equal(t, "abc", p.PingID())

	p.SetIterationID(2)
	require.Equal(t, 2, p.IterationID())

	p.SetApplicationListening(true)
	require.True(t, p.ApplicationListening())

	p.SetSeqNum(2323)
	require.Equal(t, uint32(2323), p.SeqNum())

	pr := &collector.PingReport{PingID: "xyz"}
	p.SetPingReport(pr)
	require.Equal(t, pr, p.PingReport())
}


================================================
FILE: controller/pkg/pkiverifier/pkiverifier.go
================================================
package pkiverifier

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/x509"
	"errors"
	"math/big"
	"time"

	jwt "github.com/dgrijalva/jwt-go"
	"go.aporeto.io/enforcerd/trireme-lib/utils/cache"
	"go.uber.org/zap"
)

const (
	// defaultValidity is the default cache validity in seconds
	defaultValidity = 1
)

// PKITokenIssuer is the interface of an object that can issue a PKI token.
type PKITokenIssuer interface {
	CreateTokenFromCertificate(*x509.Certificate, []string) ([]byte, error)
}

// PKITokenVerifier is the interface of an object that can verify a PKI token.
type PKITokenVerifier interface {
	Verify([]byte) (*DatapathKey, error)
}

type verifierClaims struct {
	X    *big.Int
	Y    *big.Int
	Tags []string `json:"tags,omitempty"`
	jwt.StandardClaims
}

// PKIControllerInfo holds the controller information about public keys
type PKIControllerInfo struct {
	Namespace      string // The namespace of the public key.
	Controller     string // The controller or control plane of the public key.
	SameController bool   // Does the public key come from the same controller
}

// PKIPublicKey holds information about public keys
type PKIPublicKey struct {
	PublicKey  *ecdsa.PublicKey
	Controller *PKIControllerInfo
}

type tokenManager struct {
	publicKeys []*PKIPublicKey
	privateKey *ecdsa.PrivateKey
	signMethod jwt.SigningMethod
	keycache   cache.DataStore
	validity   time.Duration
}

// DatapathKey holds the data path key with the corresponding claims.
type DatapathKey struct {
	PublicKey  *ecdsa.PublicKey
	Tags       []string
	Expiration time.Time
	Controller *PKIControllerInfo
}

// NewPKIIssuer initializes a new signer structure
func NewPKIIssuer(privateKey *ecdsa.PrivateKey) PKITokenIssuer {

	return &tokenManager{
		privateKey: privateKey,
		signMethod: jwt.SigningMethodES256,
	}
}

// NewPKIVerifier returns a new PKIConfiguration.
func NewPKIVerifier(publicKeys []*PKIPublicKey, cacheValidity time.Duration) PKITokenVerifier {

	validity := defaultValidity * time.Second
	if cacheValidity > 0 {
		validity = cacheValidity
	}

	return &tokenManager{
		publicKeys: publicKeys,
		signMethod: jwt.SigningMethodES256,
		keycache:   cache.NewCacheWithExpiration("PKIVerifierKey", validity),
		validity:   validity,
	}
}

// Verify verifies a token and returns the public key
func (p *tokenManager) Verify(token []byte) (*DatapathKey, error) {

	tokenString := string(token)
	if pk, err := p.keycache.Get(tokenString); err == nil {
		return pk.(*DatapathKey), err
	}

	claims := &verifierClaims{}
	var t *jwt.Token
	var err error
	for _, pk := range p.publicKeys {

		if pk == nil || pk.PublicKey == nil {
			continue
		}

		t, err = jwt.ParseWithClaims(tokenString, claims, func(*jwt.Token) (interface{}, error) { // nolint
			return pk.PublicKey, nil
		})
		if err != nil || !t.Valid {
			continue
		}

		expTime := time.Unix(claims.ExpiresAt, 0)
		dp := &DatapathKey{
			PublicKey: &ecdsa.PublicKey{
				Curve: elliptic.P256(),
				X:     claims.X,
				Y:     claims.Y,
			},
			Tags:       claims.Tags,
			Expiration: expTime,
			Controller: pk.Controller,
		}

		p.keycache.AddOrUpdate(tokenString, dp)

		// if the token expires before our default validity, update the timer
		// so that we expire it no longer than its validity.
		if time.Now().Add(p.validity).After(expTime) {
			if err := p.keycache.SetTimeOut(tokenString, time.Until(expTime)); err != nil {
				zap.L().Warn("Failed to update cache validity for token", zap.Error(err))
			}
		}

		return dp, nil
	}

	return nil, errors.New("unable to verify token against any available public key")
}

// CreateTokenFromCertificate creates and signs a token
func (p *tokenManager) CreateTokenFromCertificate(cert *x509.Certificate, tags []string) ([]byte, error) {

	// Combine the application claims with the standard claims
	claims := &verifierClaims{
		X:    cert.PublicKey.(*ecdsa.PublicKey).X,
		Y:    cert.PublicKey.(*ecdsa.PublicKey).Y,
		Tags: tags,
	}
	claims.ExpiresAt = cert.NotAfter.Unix()

	// Create the token and sign with our key
	strtoken, err := jwt.NewWithClaims(p.signMethod, claims).SignedString(p.privateKey)
	if err != nil {
		return []byte{}, err
	}

	return []byte(strtoken), nil
}


================================================
FILE: controller/pkg/pkiverifier/pkiverifier_test.go
================================================
// +build !windows

package pkiverifier

import (
	"crypto/ecdsa"
	"testing"
	"time"

	. "github.com/smartystreets/goconvey/convey"
	"go.aporeto.io/enforcerd/trireme-lib/utils/crypto"
)

var (
	keyPEM = `-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIPkiHqtH372JJdAG/IxJlE1gv03cdwa8Lhg2b3m/HmbyoAoGCCqGSM49
AwEHoUQDQgAEAfAL+AfPj/DnxrU6tUkEyzEyCxnflOWxhouy1bdzhJ7vxMb1vQ31
8ZbW/WvMN/ojIXqXYrEpISoojznj46w64w==
-----END EC PRIVATE KEY-----`
	caPool = `-----BEGIN CERTIFICATE-----
MIIBhTCCASwCCQC8b53yGlcQazAKBggqhkjOPQQDAjBLMQswCQYDVQQGEwJVUzEL
MAkGA1UECAwCQ0ExDDAKBgNVBAcMA1NKQzEQMA4GA1UECgwHVHJpcmVtZTEPMA0G
A1UEAwwGdWJ1bnR1MB4XDTE2MDkyNzIyNDkwMFoXDTI2MDkyNTIyNDkwMFowSzEL
MAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQwwCgYDVQQHDANTSkMxEDAOBgNVBAoM
B1RyaXJlbWUxDzANBgNVBAMMBnVidW50dTBZMBMGByqGSM49AgEGCCqGSM49AwEH
A0IABJxneTUqhbtgEIwpKUUzwz3h92SqcOdIw3mfQkMjg3Vobvr6JKlpXYe9xhsN
rygJmLhMAN9gjF9qM9ybdbe+m3owCgYIKoZIzj0EAwIDRwAwRAIgC1fVMqdBy/o3
jNUje/Hx0fZF9VDyUK4ld+K/wF3QdK4CID1ONj/Kqinrq2OpjYdkgIjEPuXoOoR1
tCym8dnq4wtH
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIB3jCCAYOgAwIBAgIJALsW7pyC2ERQMAoGCCqGSM49BAMCMEsxCzAJBgNVBAYT
AlVTMQswCQYDVQQIDAJDQTEMMAoGA1UEBwwDU0pDMRAwDgYDVQQKDAdUcmlyZW1l
MQ8wDQYDVQQDDAZ1YnVudHUwHhcNMTYwOTI3MjI0OTAwWhcNMjYwOTI1MjI0OTAw
WjBLMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExDDAKBgNVBAcMA1NKQzEQMA4G
A1UECgwHVHJpcmVtZTEPMA0GA1UEAwwGdWJ1bnR1MFkwEwYHKoZIzj0CAQYIKoZI
zj0DAQcDQgAE4c2Fd7XeIB1Vfs51fWwREfLLDa55J+NBalV12CH7YEAnEXjl47aV
cmNqcAtdMUpf2oz9nFVI81bgO+OSudr3CqNQME4wHQYDVR0OBBYEFOBftuI09mmu
rXjqDyIta1gT8lqvMB8GA1UdIwQYMBaAFOBftuI09mmurXjqDyIta1gT8lqvMAwG
A1UdEwQFMAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAMylAHhbFA0KqhXIFiXNpEbH
JKaELL6UXXdeQ5yup8q+AiEAh5laB9rbgTymjaANcZ2YzEZH4VFS3CKoSdVqgnwC
dW4=
-----END CERTIFICATE-----`

	certPEM = `-----BEGIN CERTIFICATE-----
MIIBhjCCASwCCQCPCdgp39gHJTAKBggqhkjOPQQDAjBLMQswCQYDVQQGEwJVUzEL
MAkGA1UECAwCQ0ExDDAKBgNVBAcMA1NKQzEQMA4GA1UECgwHVHJpcmVtZTEPMA0G
A1UEAwwGdWJ1bnR1MB4XDTE2MDkyNzIyNDkwMFoXDTI2MDkyNTIyNDkwMFowSzEL
MAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQwwCgYDVQQHDANTSkMxEDAOBgNVBAoM
B1RyaXJlbWUxDzANBgNVBAMMBnVidW50dTBZMBMGByqGSM49AgEGCCqGSM49AwEH
A0IABAHwC/gHz4/w58a1OrVJBMsxMgsZ35TlsYaLstW3c4Se78TG9b0N9fGW1v1r
zDf6IyF6l2KxKSEqKI854+OsOuMwCgYIKoZIzj0EAwIDSAAwRQIgQwQn0jnK/XvD
KxgQd/0pW5FOAaB41cMcw4/XVlphO1oCIQDlGie+WlOMjCzrV0Xz+XqIIi1pIgPT
IG7Nv+YlTVp5qA==
-----END CERTIFICATE-----`
)

func TestNewConfig(t *testing.T) {
	Convey("When I create a new PKI configuration", t, func() {
		key, cert, _, err := crypto.LoadAndVerifyECSecrets([]byte(keyPEM), []byte(certPEM), []byte(caPool))
		So(err, ShouldBeNil)

		Convey("When I use NewPKIIssuer with valid keys, it should succeed ", func() {
			p := NewPKIIssuer(key).(*tokenManager)
			So(p, ShouldNotBeNil)
			So(p.validity, ShouldEqual, 0)
			So(p.privateKey, ShouldEqual, key)
			So(p.publicKeys, ShouldBeNil)
		})

		Convey("When I use NewPKIVerifier valid keys, it should succeed ", func() {
			pkiPublicKey := &PKIPublicKey{PublicKey: cert.PublicKey.(*ecdsa.PublicKey)}
			p := NewPKIVerifier([]*PKIPublicKey{pkiPublicKey}, -1).(*tokenManager)
			So(p, ShouldNotBeNil)
			So(p.validity, ShouldEqual, defaultValidity*time.Second)
			So(p.privateKey, ShouldBeNil)
			So(p.publicKeys, ShouldResemble, []*PKIPublicKey{pkiPublicKey})
		})
		Convey("When I use NewPKIVerifier valid keys with a custom validity, it should succeed ", func() {
			pkiPublicKey := &PKIPublicKey{PublicKey: cert.PublicKey.(*ecdsa.PublicKey)}
			p := NewPKIVerifier([]*PKIPublicKey{pkiPublicKey}, 10*time.Second).(*tokenManager)
			So(p, ShouldNotBeNil)
			So(p.validity, ShouldEqual, 10*time.Second)
			So(p.privateKey, ShouldBeNil)
			So(p.publicKeys, ShouldResemble, []*PKIPublicKey{pkiPublicKey})
		})
	})
}

func TestCreateAndVerify(t *testing.T) {
	Convey("Given a valid verifier", t, func() {
		key, cert, _, err := crypto.LoadAndVerifyECSecrets([]byte(keyPEM), []byte(certPEM), []byte(caPool))
		So(err, ShouldBeNil)
		p := NewPKIIssuer(key)
		pkiPublicKey := &PKIPublicKey{PublicKey: cert.PublicKey.(*ecdsa.PublicKey)}
		v := NewPKIVerifier([]*PKIPublicKey{pkiPublicKey}, -1).(*tokenManager)
		So(p, ShouldNotBeNil)
		Convey("When I create a token", func() {
			token, err1 := p.CreateTokenFromCertificate(cert, []string{"sometag"})
			So(err1, ShouldBeNil)
			rxtoken, err2 := v.Verify(token)
			So(err2, ShouldBeNil)
			So(*rxtoken.PublicKey.X, ShouldResemble, *cert.PublicKey.(*ecdsa.PublicKey).X)
			So(*rxtoken.PublicKey.Y, ShouldResemble, *cert.PublicKey.(*ecdsa.PublicKey).Y)
			So(rxtoken.PublicKey.Curve, ShouldResemble, cert.PublicKey.(*ecdsa.PublicKey).Curve)
			So(rxtoken.Tags, ShouldResemble, []string{"sometag"})
		})
	})

	Convey("Given a valid verifier", t, func() {
		key, cert, _, err := crypto.LoadAndVerifyECSecrets([]byte(keyPEM), []byte(certPEM), []byte(caPool))
		So(err, ShouldBeNil)
		p := NewPKIIssuer(key)
		pkiPublicKey := &PKIPublicKey{PublicKey: cert.PublicKey.(*ecdsa.PublicKey)}
		v := NewPKIVerifier([]*PKIPublicKey{pkiPublicKey}, -1).(*tokenManager)
		So(p, ShouldNotBeNil)
		Convey("When I a receive a bad token, I should get an error", func() {
			token, err1 := p.CreateTokenFromCertificate(cert, []string{})
			So(err1, ShouldBeNil)
			token = token[:len(token)-10]
			_, err2 := v.Verify(token)
			So(err2, ShouldNotBeNil)
		})
	})

	Convey("Given an invalid verifier", t, func() {
		key, cert, _, err := crypto.LoadAndVerifyECSecrets([]byte(keyPEM), []byte(certPEM), []byte(caPool))
		So(err, ShouldBeNil)
		p := NewPKIIssuer(key)
		pkiPublicKey := &PKIPublicKey{PublicKey: nil}
		v := NewPKIVerifier([]*PKIPublicKey{pkiPublicKey}, -1).(*tokenManager)
		So(p, ShouldNotBeNil)
		Convey("When I a receive a valid token, I should get an error", func() {
			token, err1 := p.CreateTokenFromCertificate(cert, []string{})
			So(err1, ShouldBeNil)
			_, err2 := v.Verify(token)
			So(err2, ShouldNotBeNil)
		})
	})
}

func TestCaching(t *testing.T) {
	Convey("Given a valid verifier with a zero timer for the cache", t, func() {
		key, cert, _, err := crypto.LoadAndVerifyECSecrets([]byte(keyPEM), []byte(certPEM), []byte(caPool))
		So(err, ShouldBeNil)
		p := NewPKIIssuer(key)
		pkiPublicKey := &PKIPublicKey{PublicKey: cert.PublicKey.(*ecdsa.PublicKey)}
		v := NewPKIVerifier([]*PKIPublicKey{pkiPublicKey}, 1*time.Second).(*tokenManager)

		So(p, ShouldNotBeNil)

		Convey("When I receive a token", func() {
			token, err1 := p.CreateTokenFromCertificate(cert, []string{})
			So(err1, ShouldBeNil)
			_, err2 := v.Verify(token)
			So(err2, ShouldBeNil)

			Convey("The cache should have the token ", func() {
				_, err := v.keycache.Get(string(token))
				So(err, ShouldBeNil)
				_, err2 := v.Verify(token)
				So(err2, ShouldBeNil)
			})

			Convey("The cache should not have the token after 2 seconds ", func() {
				time.Sleep(2 * time.Second)
				_, err := v.keycache.Get(string(token))
				So(err, ShouldNotBeNil)
			})
		})
	})
}


================================================
FILE: controller/pkg/pucontext/pucontext.go
================================================
package pucontext

import (
	"context"
	"crypto/ecdsa"
	"fmt"
	"net"
	"strconv"
	"strings"
	"sync"
	"time"

	"github.com/minio/minio/pkg/wildcard"
	"go.aporeto.io/enforcerd/trireme-lib/common"
	"go.aporeto.io/enforcerd/trireme-lib/controller/constants"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/acls"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/lookup"
	"go.aporeto.io/underwater/core/tagutils"
	"go.uber.org/zap"

	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/nfqdatapath/tokenaccessor"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/utils/ephemeralkeys"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/claimsheader"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/counters"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packet"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/secrets"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/tokens"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
	"go.aporeto.io/enforcerd/trireme-lib/utils/cache"
	"go.aporeto.io/enforcerd/trireme-lib/utils/crypto"
)

type policies struct {
	observeRejectRules *lookup.PolicyDB // Packet: Continue       Report:    Drop
	rejectRules        *lookup.PolicyDB // Packet:     Drop       Report:    Drop
	observeAcceptRules *lookup.PolicyDB // Packet: Continue       Report: Forward
	acceptRules        *lookup.PolicyDB // Packet:  Forward       Report: Forward
	observeApplyRules  *lookup.PolicyDB // Packet:  Forward       Report: Forward
	encryptRules       *lookup.PolicyDB // Packet: Encrypt       Report: Encrypt
}

type synTokenInfo struct {
	datapathSecret  secrets.Secrets
	privateKey      *ephemeralkeys.PrivateKey
	publicKeyV1     []byte
	publicKeySignV1 []byte
	publicKeyV2     []byte
	publicKeySignV2 []byte
	token           []byte
}

// PUContext holds data indexed by the PU ID
type PUContext struct {
	id                      string
	hashID                  string
	username                string
	autoport                bool
	managementID            string
	managementNamespace     string
	managementNamespaceHash string
	identity                *policy.TagStore
	annotations             *policy.TagStore
	compressedTags          *policy.TagStore
	txt                     *policies
	rcv                     *policies
	ApplicationACLs         *acls.ACLCache
	networkACLs             *acls.ACLCache
	externalIPCache         cache.DataStore
	DNSACLs                 policy.DNSRuleList
	DNSProxyPort            string
	mark                    string
	tcpPorts                []string
	udpPorts                []string
	puType                  common.PUType
	jwt                     string
	jwtExpiration           time.Time
	scopes                  []string
	Extension               interface{}
	counters                *counters.Counters
	puInfo                  *policy.PUInfo
	synToken                *synTokenInfo
	ctxCancel               context.CancelFunc
	tokenAccessor           tokenaccessor.TokenAccessor
	appDefaultFlowPolicy    *policy.FlowPolicy
	netDefaultFlowPolicy    *policy.FlowPolicy
	sync.RWMutex
}

// NewPU creates a new PU context
func NewPU(contextID string, puInfo *policy.PUInfo, tokenAccessor tokenaccessor.TokenAccessor, timeout time.Duration) (*PUContext, error) {

	hashID, err := policy.Fnv32Hash(contextID)
	if err != nil {
		return nil, fmt.Errorf("unable to hash contextID: %v", err)
	}

	pu := &PUContext{
		id:                   contextID,
		hashID:               hashID,
		username:             puInfo.Runtime.Options().UserID,
		autoport:             puInfo.Runtime.Options().AutoPort,
		managementID:         puInfo.Policy.ManagementID(),
		managementNamespace:  puInfo.Policy.ManagementNamespace(),
		puType:               puInfo.Runtime.PUType(),
		identity:             puInfo.Policy.Identity(),
		annotations:          puInfo.Policy.Annotations(),
		compressedTags:       puInfo.Policy.CompressedTags(),
		externalIPCache:      cache.NewCacheWithExpiration("External IP Cache", timeout),
		ApplicationACLs:      acls.NewACLCache(),
		networkACLs:          acls.NewACLCache(),
		DNSACLs:              puInfo.Policy.DNSNameACLs(),
		mark:                 puInfo.Runtime.Options().CgroupMark,
		scopes:               puInfo.Policy.Scopes(),
		counters:             counters.NewCounters(),
		puInfo:               puInfo,
		tokenAccessor:        tokenAccessor,
		appDefaultFlowPolicy: &policy.FlowPolicy{Action: puInfo.Policy.AppDefaultPolicyAction(), PolicyID: "default", ServiceID: "default"},
		netDefaultFlowPolicy: &policy.FlowPolicy{Action: puInfo.Policy.NetDefaultPolicyAction(), PolicyID: "default", ServiceID: "default"},
	}

	pu.CreateRcvRules(puInfo.Policy.ReceiverRules())

	pu.CreateTxtRules(puInfo.Policy.TransmitterRules())

	tcpPorts, udpPorts := common.ConvertServicesToProtocolPortList(puInfo.Runtime.Options().Services)
	pu.tcpPorts = strings.Split(tcpPorts, ",")
	pu.udpPorts = strings.Split(udpPorts, ",")

	if err := pu.UpdateApplicationACLs(puInfo.Policy.ApplicationACLs()); err != nil {
		return nil, err
	}

	if err := pu.UpdateNetworkACLs(puInfo.Policy.NetworkACLs()); err != nil {
		return nil, err
	}

	nsHash, err := tagutils.Hash(pu.managementNamespace)
	if err != nil {
		return nil, fmt.Errorf("unable to hash namespace: %w", err)
	}
	pu.managementNamespaceHash = nsHash

	ctx, cancel := context.WithCancel(context.Background())
	pu.ctxCancel = cancel

	// tokenAccessor is nil with envoy authorizer enforcer. We
	// don't need our datapath in that case.
	if tokenAccessor != nil {
		pu.synToken = pu.createSynToken(nil, claimsheader.NewClaimsHeader())

		go func() {
			for {
				select {
				case <-ctx.Done():
					return
				case <-time.After(constants.SynTokenRefreshTime):

					synToken := pu.createSynToken(nil, claimsheader.NewClaimsHeader())
					pu.Lock()
					pu.synToken = synToken
					pu.Unlock()
				}
			}
		}()
	}

	return pu, nil
}

func (p *PUContext) createSynToken(pingPayload *policy.PingPayload, claimsHeader *claimsheader.ClaimsHeader) *synTokenInfo {

	var datapathKeyPair ephemeralkeys.KeyAccessor
	var err error
	var nonce []byte

	for {
		datapathKeyPair, err = ephemeralkeys.New()

		if err != nil {
			// can generate errors only when the urandom io read buffer is full. retry till we succeed.
			time.Sleep(10 * time.Millisecond)
			continue
		}

		break
	}

	for {
		// can generate errors only when the urandom io read buffer is full. retry till we succeed.
		nonce, err = crypto.GenerateRandomBytes(16)
		if err != nil {
			continue
		}

		break
	}

	claims := &tokens.ConnectionClaims{
		LCL:   nonce,
		DEKV1: datapathKeyPair.DecodingKeyV1(),
		DEKV2: datapathKeyPair.DecodingKeyV2(),
		CT:    p.CompressedTags(),
		ID:    p.ManagementID(),
		P:     pingPayload,
	}

	datapathSecret := ephemeralkeys.GetDatapathSecret()
	var encodedBuf [tokens.ClaimsEncodedBufSize]byte

	token, err := p.tokenAccessor.CreateSynPacketToken(claims, encodedBuf[:], nonce, claimsHeader, datapathSecret)
	if err != nil {
		zap.L().Error("Can not create syn packet token", zap.Error(err))
		return nil
	}

	ephKeySignV1, err := p.tokenAccessor.Sign(datapathKeyPair.DecodingKeyV1(), datapathSecret.EncodingKey().(*ecdsa.PrivateKey))
	if err != nil {
		zap.L().Error("Can not sign the ephemeral public key", zap.Error(err))
		return nil
	}

	ephKeySignV2, err := p.tokenAccessor.Sign(datapathKeyPair.DecodingKeyV2(), datapathSecret.EncodingKey().(*ecdsa.PrivateKey))
	if err != nil {
		zap.L().Error("Can not sign the ephemeral public key", zap.Error(err))
		return nil
	}

	privateKey := datapathKeyPair.PrivateKey()
	return &synTokenInfo{datapathSecret: datapathSecret,
		privateKey:      privateKey,
		publicKeyV1:     datapathKeyPair.DecodingKeyV1(),
		publicKeySignV1: ephKeySignV1,
		publicKeyV2:     datapathKeyPair.DecodingKeyV2(),
		publicKeySignV2: ephKeySignV2,
		token:           token}
}

//StopProcessing cancels the context such that all the goroutines can return.
func (p *PUContext) StopProcessing() {
	p.ctxCancel()
}

//GetSynToken returns the cached syntoken if the datapath secret has not changed or the ping payload is present.
func (p *PUContext) GetSynToken(pingPayload *policy.PingPayload, nonce [16]byte, claimsHeader *claimsheader.ClaimsHeader) (secrets.Secrets, *ephemeralkeys.PrivateKey, []byte) {

	if pingPayload != nil {
		synToken := p.createSynToken(pingPayload, claimsHeader)
		return synToken.datapathSecret, synToken.privateKey, synToken.token
	}

	p.RLock()
	synToken := p.synToken
	p.RUnlock()

	if synToken.datapathSecret != ephemeralkeys.GetDatapathSecret() {
		synToken = p.createSynToken(nil, claimsheader.NewClaimsHeader())
		p.Lock()
		p.synToken = synToken
		p.Unlock()
	}

	p.tokenAccessor.Randomize(synToken.token, nonce[:]) //nolint

	return synToken.datapathSecret, synToken.privateKey, synToken.token
}

//GetSecrets returns the datapath secret and ephemeral public and private key
func (p *PUContext) GetSecrets() (secrets.Secrets, *ephemeralkeys.PrivateKey, []byte, []byte, []byte, []byte) {
	p.RLock()
	synToken := p.synToken
	p.RUnlock()

	if synToken.datapathSecret != ephemeralkeys.GetDatapathSecret() {
		synToken = p.createSynToken(nil, claimsheader.NewClaimsHeader())
		p.Lock()
		p.synToken = synToken
		p.Unlock()
	}

	return ephemeralkeys.GetDatapathSecret(), synToken.privateKey, synToken.publicKeyV1, synToken.publicKeySignV1, synToken.publicKeyV2, synToken.publicKeySignV2
}

// GetPolicyFromFQDN gets the list of policies that are mapped with the hostname
func (p *PUContext) GetPolicyFromFQDN(fqdn string) ([]policy.PortProtocolPolicy, string, error) {
	p.RLock()
	defer p.RUnlock()

	// If we find a direct match, return policy
	if v, ok := p.DNSACLs[fqdn]; ok {
		return v, fqdn, nil
	}

	// Try if there is a wildcard match
	for policyName, policy := range p.DNSACLs {
		if wildcard.MatchSimple(policyName, fqdn) {
			return policy, policyName, nil
		}
	}

	return nil, "", fmt.Errorf("Policy doesn't exist")
}

// DependentServices searches if the PU has a dependent service on this FQDN. If yes,
// it returns the ports for that service.
func (p *PUContext) DependentServices(fqdn string) []*policy.ApplicationService {
	p.RLock()
	defer p.RUnlock()

	dependentServices := []*policy.ApplicationService{}

	for _, dependentService := range p.puInfo.Policy.DependentServices() {
		for _, name := range dependentService.NetworkInfo.FQDNs {
			if fqdn == name {
				dependentServices = append(dependentServices, dependentService)
			}
		}
	}

	return dependentServices
}

// UsesFQDN indicates whether this PU policy has an ACL or Service that uses an FQDN
func (p *PUContext) UsesFQDN() bool {
	p.RLock()
	defer p.RUnlock()

	if len(p.DNSACLs) > 0 {
		return true
	}

	for _, dependentService := range p.puInfo.Policy.DependentServices() {
		for _, name := range dependentService.NetworkInfo.FQDNs {
			if name != "" {
				return true
			}
		}
	}

	return false
}

// ID returns the ID of the PU
func (p *PUContext) ID() string {
	return p.id
}

// HashID returns the hash of the ID of the PU
func (p *PUContext) HashID() string {
	return p.hashID
}

// Username returns the ID of the PU
func (p *PUContext) Username() string {
	return p.username
}

// Autoport returns if auto port feature is set on the PU
func (p *PUContext) Autoport() bool {
	return p.autoport
}

// ManagementID returns the management ID
func (p *PUContext) ManagementID() string {
	return p.managementID
}

// ManagementNamespace returns the management namespace
func (p *PUContext) ManagementNamespace() string {
	return p.managementNamespace
}

// ManagementNamespaceHash returns the management namespace hash
func (p *PUContext) ManagementNamespaceHash() string {
	return p.managementNamespaceHash
}

// Type return the pu type
func (p *PUContext) Type() common.PUType {
	return p.puType
}

// Identity returns the indentity
func (p *PUContext) Identity() *policy.TagStore {
	return p.identity
}

// Mark returns the PU mark
func (p *PUContext) Mark() string {
	return p.mark
}

// TCPPorts returns the PU TCP ports
func (p *PUContext) TCPPorts() []string {
	return p.tcpPorts
}

// UDPPorts returns the PU UDP ports
func (p *PUContext) UDPPorts() []string {
	return p.udpPorts
}

// Annotations returns the annotations
func (p *PUContext) Annotations() *policy.TagStore {
	return p.annotations
}

// CompressedTags returns the compressed tags.
func (p *PUContext) CompressedTags() *policy.TagStore {
	return p.compressedTags
}

// RetrieveCachedExternalFlowPolicy returns the policy for an external IP
func (p *PUContext) RetrieveCachedExternalFlowPolicy(id string) (interface{}, error) {
	return p.externalIPCache.Get(id)
}

// NetworkACLPolicy retrieves the policy based on ACLs
func (p *PUContext) NetworkACLPolicy(packet *packet.Packet) (report *policy.FlowPolicy, action *policy.FlowPolicy, err error) {
	defer p.RUnlock()
	p.RLock()

	return p.networkACLs.GetMatchingAction(packet.SourceAddress(), packet.DestPort(), packet.IPProto(), p.netDefaultFlowPolicy)
}

// NetworkACLPolicyFromAddr retrieve the policy given an address and port.
func (p *PUContext) NetworkACLPolicyFromAddr(addr net.IP, port uint16, protocol uint8) (report *policy.FlowPolicy, action *policy.FlowPolicy, err error) {
	defer p.RUnlock()
	p.RLock()

	return p.networkACLs.GetMatchingAction(addr, port, protocol, p.netDefaultFlowPolicy)
}

// ApplicationICMPACLPolicy retrieve the policy for ICMP
func (p *PUContext) ApplicationICMPACLPolicy(ip net.IP, icmpType, icmpCode int8) (report *policy.FlowPolicy, action *policy.FlowPolicy, err error) {
	return p.ApplicationACLs.GetMatchingICMPAction(ip, icmpType, icmpCode, p.appDefaultFlowPolicy)
}

// NetworkICMPACLPolicy retrieve the policy for ICMP
func (p *PUContext) NetworkICMPACLPolicy(ip net.IP, icmpType, icmpCode int8) (report *policy.FlowPolicy, action *policy.FlowPolicy, err error) {
	return p.networkACLs.GetMatchingICMPAction(ip, icmpType, icmpCode, p.netDefaultFlowPolicy)
}

// ApplicationACLPolicyFromAddr retrieve the policy given an address and port.
func (p *PUContext) ApplicationACLPolicyFromAddr(addr net.IP, port uint16, protocol uint8) (report *policy.FlowPolicy, action *policy.FlowPolicy, err error) {
	defer p.RUnlock()
	p.RLock()

	return p.ApplicationACLs.GetMatchingAction(addr, port, protocol, p.appDefaultFlowPolicy)
}

// UpdateApplicationACLs updates the application ACL policy
func (p *PUContext) UpdateApplicationACLs(rules policy.IPRuleList) error {
	defer p.Unlock()
	p.Lock()

	return p.ApplicationACLs.AddRuleList(rules)
}

// FlushApplicationACL removes the application ACLs which are indexed with (ip, mask) key for all protocols and ports
func (p *PUContext) FlushApplicationACL(addr net.IP, mask int) {
	defer p.Unlock()
	p.Lock()
	p.ApplicationACLs.RemoveIPMask(addr, mask)
}

// RemoveApplicationACL removes the application ACLs for a specific IP address for all protocols and ports that match a policy.
// NOTE: Rules need to be a full port/policy match in order to get removed. Partial port matches in ranges will not get removed.
func (p *PUContext) RemoveApplicationACL(ipaddress string, protocols, ports []string, policy *policy.FlowPolicy) error {
	defer p.Unlock()
	p.Lock()

	address, err := acls.ParseAddress(ipaddress)
	if err != nil {
		return err
	}

	for _, protocol := range protocols {
		if err := p.ApplicationACLs.RemoveRulesForAddress(address, protocol, ports, policy); err != nil {
			return err
		}
	}
	return nil
}

// UpdateNetworkACLs updates the network ACL policy
func (p *PUContext) UpdateNetworkACLs(rules policy.IPRuleList) error {
	defer p.Unlock()
	p.Lock()
	return p.networkACLs.AddRuleList(rules)
}

// CacheExternalFlowPolicy will cache an external flow
func (p *PUContext) CacheExternalFlowPolicy(packet *packet.Packet, plc interface{}) {
	p.externalIPCache.AddOrUpdate(packet.SourceAddress().String()+":"+strconv.Itoa(int(packet.SourcePort())), plc)
}

// GetProcessKeys returns the cache keys for a process
func (p *PUContext) GetProcessKeys() (string, []string, []string) {
	return p.mark, p.tcpPorts, p.udpPorts
}

// Scopes returns the scopes.
func (p *PUContext) Scopes() []string {
	p.RLock()
	defer p.RUnlock()

	return p.scopes
}

// Counters returns the scopes.
func (p *PUContext) Counters() *counters.Counters {
	p.RLock()
	defer p.RUnlock()

	return p.counters
}

// GetJWT retrieves the JWT if it exists in the cache. Returns error otherwise.
func (p *PUContext) GetJWT() (string, error) {
	p.RLock()
	defer p.RUnlock()

	if p.jwtExpiration.After(time.Now()) && len(p.jwt) > 0 {
		return p.jwt, nil
	}

	return "", fmt.Errorf("expired token")
}

// UpdateJWT updates the JWT and provides a new expiration date.
func (p *PUContext) UpdateJWT(jwt string, expiration time.Time) {
	p.Lock()
	defer p.Unlock()

	p.jwt = jwt
	p.jwtExpiration = expiration
}

// createRuleDBs creates the database of rules from the policy
func (p *PUContext) createRuleDBs(policyRules policy.TagSelectorList) *policies {

	policyDB := &policies{
		rejectRules:        lookup.NewPolicyDB(),
		observeRejectRules: lookup.NewPolicyDB(),
		acceptRules:        lookup.NewPolicyDB(),
		observeAcceptRules: lookup.NewPolicyDB(),
		observeApplyRules:  lookup.NewPolicyDB(),
		encryptRules:       lookup.NewPolicyDB(),
	}

	for _, rule := range policyRules {
		// Add encrypt rule to encrypt table.
		if rule.Policy.Action.Encrypted() {
			policyDB.encryptRules.AddPolicy(rule)
		}

		if rule.Policy.ObserveAction.ObserveContinue() {
			if rule.Policy.Action.Accepted() {
				policyDB.observeAcceptRules.AddPolicy(rule)
			} else if rule.Policy.Action.Rejected() {
				policyDB.observeRejectRules.AddPolicy(rule)
			}
		} else if rule.Policy.ObserveAction.ObserveApply() {
			policyDB.observeApplyRules.AddPolicy(rule)
		} else if rule.Policy.Action.Accepted() {
			policyDB.acceptRules.AddPolicy(rule)
		} else if rule.Policy.Action.Rejected() {
			policyDB.rejectRules.AddPolicy(rule)
		} else {
			continue
		}
	}
	return policyDB
}

// CreateRcvRules create receive rules for this PU based on the update of the policy.
func (p *PUContext) CreateRcvRules(policyRules policy.TagSelectorList) {
	p.rcv = p.createRuleDBs(policyRules)
}

// CreateTxtRules create receive rules for this PU based on the update of the policy.
func (p *PUContext) CreateTxtRules(policyRules policy.TagSelectorList) {
	p.txt = p.createRuleDBs(policyRules)
}

// searchRules searches all reject, accpet and observed rules and returns reporting and packet forwarding action
func (p *PUContext) searchRules(
	policies *policies,
	tags *policy.TagStore,
	skipRejectPolicies bool,
	defaultFlowReport *policy.FlowPolicy,
) (report *policy.FlowPolicy, packet *policy.FlowPolicy) {

	var reportingAction *policy.FlowPolicy
	var packetAction *policy.FlowPolicy

	if !skipRejectPolicies {
		// Look for rejection rules
		observeIndex, observeAction := policies.observeRejectRules.Search(tags)
		if observeIndex >= 0 {
			reportingAction = observeAction.(*policy.FlowPolicy)
		}

		index, action := policies.rejectRules.Search(tags)
		if index >= 0 {
			packetAction = action.(*policy.FlowPolicy)
			if reportingAction == nil {
				reportingAction = packetAction
			}
			return reportingAction, packetAction
		}
	}

	if reportingAction == nil {
		// Look for allow rules
		observeIndex, observeAction := policies.observeAcceptRules.Search(tags)
		if observeIndex >= 0 {
			reportingAction = observeAction.(*policy.FlowPolicy)
		}
	}

	index, action := policies.acceptRules.Search(tags)
	if index >= 0 {
		packetAction = action.(*policy.FlowPolicy)
		// Look for encrypt rules
		encryptIndex, _ := policies.encryptRules.Search(tags)
		if encryptIndex >= 0 {
			// Do not overwrite the action for accept rules.
			finalAction := action.(*policy.FlowPolicy)
			packetAction = &policy.FlowPolicy{
				Action:    policy.Accept | policy.Encrypt,
				PolicyID:  finalAction.PolicyID,
				ServiceID: finalAction.ServiceID,
			}
			if finalAction.Action.Logged() {
				packetAction.Action = packetAction.Action | policy.Log
			}
		}
		if reportingAction == nil {
			reportingAction = packetAction
		}
		return reportingAction, packetAction
	}

	// Look for observe apply rules
	observeIndex, observeAction := policies.observeApplyRules.Search(tags)
	if observeIndex >= 0 {
		packetAction = observeAction.(*policy.FlowPolicy)
		if reportingAction == nil {
			reportingAction = packetAction
		}
		return reportingAction, packetAction
	}

	// Clone the default because someone is changing the returned one
	packetAction = defaultFlowReport.Clone()

	if reportingAction == nil {
		reportingAction = packetAction
	}

	return reportingAction, packetAction
}

// SearchTxtRules searches both receive and observed transmit rules and returns the index and action
func (p *PUContext) SearchTxtRules(
	tags *policy.TagStore,
	skipRejectPolicies bool,
) (report *policy.FlowPolicy, packet *policy.FlowPolicy) {
	return p.searchRules(p.txt, tags, skipRejectPolicies, p.appDefaultFlowPolicy)
}

// SearchRcvRules searches both receive and observed receive rules and returns the index and action
func (p *PUContext) SearchRcvRules(
	tags *policy.TagStore,
) (report *policy.FlowPolicy, packet *policy.FlowPolicy) {
	return p.searchRules(p.rcv, tags, false, p.netDefaultFlowPolicy)
}

// LookupLogPrefix lookup the log prefix from the key
func (p *PUContext) LookupLogPrefix(key string) (string, bool) {
	p.Lock()
	defer p.Unlock()
	if p.puInfo == nil || p.puInfo.Policy == nil {
		return "", false
	}
	return p.puInfo.Policy.LookupLogPrefix(key)
}


================================================
FILE: controller/pkg/pucontext/pucontext_test.go
================================================
// +build !windows

package pucontext

import (
	"crypto/ecdsa"
	"crypto/x509"
	"testing"
	"time"

	. "github.com/smartystreets/goconvey/convey"
	"go.aporeto.io/enforcerd/trireme-lib/controller/constants"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/nfqdatapath/tokenaccessor"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/utils/ephemeralkeys"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/claimsheader"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/pkiverifier"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/secrets"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/secrets/compactpki"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/tokens"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
	"go.aporeto.io/enforcerd/trireme-lib/utils/crypto"
	"go.aporeto.io/enforcerd/trireme-lib/utils/portspec"
	"go.uber.org/zap"
	"gotest.tools/assert"
)

func Test_NewPU(t *testing.T) {

	Convey("When I call NewPU with proper data", t, func() {

		fp := &policy.PUInfo{
			Runtime: policy.NewPURuntimeWithDefaults(),
			Policy:  policy.NewPUPolicy("", "/xyz", policy.AllowAll, nil, nil, nil, nil, nil, nil, nil, nil, nil, 0, 0, nil, nil, []string{}, policy.EnforcerMapping, policy.Reject, policy.Reject),
		}

		pu, err := NewPU("pu1", fp, nil, 24*time.Hour)

		Convey("I should not get error", func() {
			So(pu, ShouldNotBeNil)
			So(pu.HashID(), ShouldEqual, pu.hashID)
			So(pu.ManagementNamespaceHash(), ShouldEqual, "JJ0iGN3c9I2d+bx4")
			So(pu.Counters(), ShouldNotBeNil)
			So(err, ShouldBeNil)
		})
	})
}

var (
	keyPEM = `-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIPkiHqtH372JJdAG/IxJlE1gv03cdwa8Lhg2b3m/HmbyoAoGCCqGSM49
AwEHoUQDQgAEAfAL+AfPj/DnxrU6tUkEyzEyCxnflOWxhouy1bdzhJ7vxMb1vQ31
8ZbW/WvMN/ojIXqXYrEpISoojznj46w64w==
-----END EC PRIVATE KEY-----`
	caPool = `-----BEGIN CERTIFICATE-----
MIIBhTCCASwCCQC8b53yGlcQazAKBggqhkjOPQQDAjBLMQswCQYDVQQGEwJVUzEL
MAkGA1UECAwCQ0ExDDAKBgNVBAcMA1NKQzEQMA4GA1UECgwHVHJpcmVtZTEPMA0G
A1UEAwwGdWJ1bnR1MB4XDTE2MDkyNzIyNDkwMFoXDTI2MDkyNTIyNDkwMFowSzEL
MAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQwwCgYDVQQHDANTSkMxEDAOBgNVBAoM
B1RyaXJlbWUxDzANBgNVBAMMBnVidW50dTBZMBMGByqGSM49AgEGCCqGSM49AwEH
A0IABJxneTUqhbtgEIwpKUUzwz3h92SqcOdIw3mfQkMjg3Vobvr6JKlpXYe9xhsN
rygJmLhMAN9gjF9qM9ybdbe+m3owCgYIKoZIzj0EAwIDRwAwRAIgC1fVMqdBy/o3
jNUje/Hx0fZF9VDyUK4ld+K/wF3QdK4CID1ONj/Kqinrq2OpjYdkgIjEPuXoOoR1
tCym8dnq4wtH
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIB3jCCAYOgAwIBAgIJALsW7pyC2ERQMAoGCCqGSM49BAMCMEsxCzAJBgNVBAYT
AlVTMQswCQYDVQQIDAJDQTEMMAoGA1UEBwwDU0pDMRAwDgYDVQQKDAdUcmlyZW1l
MQ8wDQYDVQQDDAZ1YnVudHUwHhcNMTYwOTI3MjI0OTAwWhcNMjYwOTI1MjI0OTAw
WjBLMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExDDAKBgNVBAcMA1NKQzEQMA4G
A1UECgwHVHJpcmVtZTEPMA0GA1UEAwwGdWJ1bnR1MFkwEwYHKoZIzj0CAQYIKoZI
zj0DAQcDQgAE4c2Fd7XeIB1Vfs51fWwREfLLDa55J+NBalV12CH7YEAnEXjl47aV
cmNqcAtdMUpf2oz9nFVI81bgO+OSudr3CqNQME4wHQYDVR0OBBYEFOBftuI09mmu
rXjqDyIta1gT8lqvMB8GA1UdIwQYMBaAFOBftuI09mmurXjqDyIta1gT8lqvMAwG
A1UdEwQFMAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAMylAHhbFA0KqhXIFiXNpEbH
JKaELL6UXXdeQ5yup8q+AiEAh5laB9rbgTymjaANcZ2YzEZH4VFS3CKoSdVqgnwC
dW4=
-----END CERTIFICATE-----`

	certPEM = `-----BEGIN CERTIFICATE-----
MIIBhjCCASwCCQCPCdgp39gHJTAKBggqhkjOPQQDAjBLMQswCQYDVQQGEwJVUzEL
MAkGA1UECAwCQ0ExDDAKBgNVBAcMA1NKQzEQMA4GA1UECgwHVHJpcmVtZTEPMA0G
A1UEAwwGdWJ1bnR1MB4XDTE2MDkyNzIyNDkwMFoXDTI2MDkyNTIyNDkwMFowSzEL
MAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQwwCgYDVQQHDANTSkMxEDAOBgNVBAoM
B1RyaXJlbWUxDzANBgNVBAMMBnVidW50dTBZMBMGByqGSM49AgEGCCqGSM49AwEH
A0IABAHwC/gHz4/w58a1OrVJBMsxMgsZ35TlsYaLstW3c4Se78TG9b0N9fGW1v1r
zDf6IyF6l2KxKSEqKI854+OsOuMwCgYIKoZIzj0EAwIDSAAwRQIgQwQn0jnK/XvD
KxgQd/0pW5FOAaB41cMcw4/XVlphO1oCIQDlGie+WlOMjCzrV0Xz+XqIIi1pIgPT
IG7Nv+YlTVp5qA==
-----END CERTIFICATE-----`
)

func createCompactPKISecrets(tags []string) (ephemeralkeys.KeyAccessor, *x509.Certificate, secrets.Secrets, error) { //nolint
	txtKey, cert, _, err := crypto.LoadAndVerifyECSecrets([]byte(keyPEM), []byte(certPEM), []byte(caPool))
	if err != nil {
		return nil, nil, nil, err
	}

	issuer := pkiverifier.NewPKIIssuer(txtKey)
	txtToken, err := issuer.CreateTokenFromCertificate(cert, tags)
	if err != nil {
		return nil, nil, nil, err
	}

	ControllerInfo := &secrets.ControllerInfo{
		PublicKey: []byte(certPEM),
	}

	tokenKeyPEMs := []*secrets.ControllerInfo{ControllerInfo}

	scrts, err := compactpki.NewCompactPKIWithTokenCA([]byte(keyPEM), []byte(certPEM), []byte(caPool), tokenKeyPEMs, txtToken, claimsheader.CompressionTypeV1)
	if err != nil {
		return nil, nil, nil, err
	}
	keyaccessor, _ := ephemeralkeys.New()
	return keyaccessor, cert, scrts, nil
}

func Test_PUsTokenExchanges(t *testing.T) {
	_, _, scrts, _ := createCompactPKISecrets([]string{"kDMRXWckV9k6mGuJ", "xyz", "eJ1s03u72o6i"})
	ephemeralkeys.UpdateDatapathSecrets(scrts)

	setup := func() (*PUContext, *PUContext) {

		fp := &policy.PUInfo{
			Runtime: policy.NewPURuntimeWithDefaults(),
			Policy:  policy.NewPUPolicy("", "/xyz", policy.AllowAll, nil, nil, nil, nil, nil, nil, nil, nil, nil, 0, 0, nil, nil, []string{}, policy.EnforcerMapping, policy.Reject, policy.Reject),
		}
		ta1, _ := tokenaccessor.New("pu1", 1*time.Hour, nil)
		pu1, _ := NewPU("pu1", fp, ta1, 24*time.Hour)
		pu1.managementID = "1newPU1"
		tags1 := policy.NewTagStore()
		tags1.AppendKeyValue("pu", "pu1")
		pu1.compressedTags = tags1

		ta2, _ := tokenaccessor.New("pu2", 1*time.Hour, nil)
		pu2, _ := NewPU("pu2", fp, ta2, 24*time.Hour)
		pu2.managementID = "1newPU2"
		tags2 := policy.NewTagStore()
		tags2.AppendKeyValue("pu", "pu2")
		pu2.compressedTags = tags2

		return pu1, pu2
	}

	pu1, pu2 := setup()
	token := pu1.createSynToken(nil, claimsheader.NewClaimsHeader())

	claimsOnSynRcvd := &tokens.ConnectionClaims{}
	ka, _ := ephemeralkeys.New()
	secretKey, _, _, remoteNonce, remoteContextID, _, err := pu2.tokenAccessor.ParsePacketToken(ka.PrivateKey(), token.token, scrts, claimsOnSynRcvd, false)

	assert.Equal(t, err, nil, "ParsePacketToken should return nil")
	assert.Equal(t, remoteContextID, pu1.managementID, "ParsePacketToken should get the correct remote contextID")
	tags := claimsOnSynRcvd.CT.GetSlice()
	assert.Equal(t, tags[0], "pu=pu1", "Receiver should receive correct tags")

	ephKeySignV1, _ := pu2.tokenAccessor.Sign(ka.DecodingKeyV1(), scrts.EncodingKey().(*ecdsa.PrivateKey)) //nolint
	ephKeySignV2, _ := pu2.tokenAccessor.Sign(ka.DecodingKeyV2(), scrts.EncodingKey().(*ecdsa.PrivateKey)) //nolint

	claimsOnSynAckSend := &tokens.ConnectionClaims{
		CT:       pu2.CompressedTags(),
		LCL:      remoteNonce,
		RMT:      remoteNonce,
		DEKV1:    ka.DecodingKeyV1(),
		DEKV2:    ka.DecodingKeyV2(),
		SDEKV1:   ephKeySignV1,
		SDEKV2:   ephKeySignV2,
		ID:       pu2.ManagementID(),
		RemoteID: pu1.managementID,
	}

	var encodedBuf [tokens.ClaimsEncodedBufSize]byte
	tokenFromSynAck, _ := pu2.tokenAccessor.CreateSynAckPacketToken(false, claimsOnSynAckSend, encodedBuf[:], remoteNonce, claimsheader.NewClaimsHeader(), scrts, secretKey) //nolint

	claimsOnSynAckRcvd := &tokens.ConnectionClaims{}
	secretKey, _, _, remoteNonce, remoteContextID, _, err = pu1.tokenAccessor.ParsePacketToken(token.privateKey, tokenFromSynAck, scrts, claimsOnSynAckRcvd, true)

	assert.Equal(t, err, nil, "ParsePacketToken should return nil")
	assert.Equal(t, remoteContextID, pu2.managementID, "ParsePacketToken should get the correct remote contextID")
	tags = claimsOnSynAckRcvd.CT.GetSlice()
	assert.Equal(t, tags[0], "pu=pu2", "Receiver should receive correct tags")

	claimsOnAckSend := &tokens.ConnectionClaims{
		ID:       pu1.ManagementID(),
		RMT:      remoteNonce,
		RemoteID: remoteContextID,
	}

	ackToken, _ := pu1.tokenAccessor.CreateAckPacketToken(false, secretKey, claimsOnAckSend, encodedBuf[:])
	claimsOnAckRcvd := &tokens.ConnectionClaims{}
	err = pu2.tokenAccessor.ParseAckToken(false, secretKey, remoteNonce, ackToken, claimsOnAckRcvd)
	assert.Equal(t, err, nil, "error should be nil")
}

func create314SynToken(p *PUContext, claimsHeader *claimsheader.ClaimsHeader) *synTokenInfo {

	var datapathKeyPair ephemeralkeys.KeyAccessor
	var err error
	var nonce []byte

	for {
		datapathKeyPair, err = ephemeralkeys.New()

		if err != nil {
			// can generate errors only when the urandom io read buffer is full. retry till we succeed.
			time.Sleep(10 * time.Millisecond)
			continue
		}

		break
	}

	for {
		// can generate errors only when the urandom io read buffer is full. retry till we succeed.
		nonce, err = crypto.GenerateRandomBytes(16)
		if err != nil {
			continue
		}

		break
	}

	claims := &tokens.ConnectionClaims{
		LCL: nonce,
		CT:  p.CompressedTags(),
		ID:  p.ManagementID(),
	}

	datapathSecret := ephemeralkeys.GetDatapathSecret()
	var encodedBuf [tokens.ClaimsEncodedBufSize]byte

	token, err := p.tokenAccessor.CreateSynPacketToken(claims, encodedBuf[:], nonce, claimsHeader, datapathSecret)
	if err != nil {
		zap.L().Error("Can not create syn packet token", zap.Error(err))
		return nil
	}

	ephKeySignV1, err := p.tokenAccessor.Sign(datapathKeyPair.DecodingKeyV1(), datapathSecret.EncodingKey().(*ecdsa.PrivateKey))
	if err != nil {
		zap.L().Error("Can not sign the ephemeral public key", zap.Error(err))
		return nil
	}

	ephKeySignV2, err := p.tokenAccessor.Sign(datapathKeyPair.DecodingKeyV2(), datapathSecret.EncodingKey().(*ecdsa.PrivateKey))

	if err != nil {
		zap.L().Error("Can not sign the ephemeral public key", zap.Error(err))
		return nil
	}

	privateKey := datapathKeyPair.PrivateKey()
	return &synTokenInfo{datapathSecret: datapathSecret,
		privateKey:      privateKey,
		publicKeyV1:     datapathKeyPair.DecodingKeyV1(),
		publicKeyV2:     datapathKeyPair.DecodingKeyV2(),
		publicKeySignV1: ephKeySignV1,
		publicKeySignV2: ephKeySignV2,
		token:           token}
}

func createV1SynToken(p *PUContext, claimsHeader *claimsheader.ClaimsHeader) *synTokenInfo {
	var datapathKeyPair ephemeralkeys.KeyAccessor
	var err error
	var nonce []byte

	for {
		datapathKeyPair, err = ephemeralkeys.New()

		if err != nil {
			// can generate errors only when the urandom io read buffer is full. retry till we succeed.
			time.Sleep(10 * time.Millisecond)
			continue
		}

		break
	}

	for {
		// can generate errors only when the urandom io read buffer is full. retry till we succeed.
		nonce, err = crypto.GenerateRandomBytes(16)
		if err != nil {
			continue
		}

		break
	}

	claims := &tokens.ConnectionClaims{
		LCL:   nonce,
		DEKV1: datapathKeyPair.DecodingKeyV1(),
		CT:    p.CompressedTags(),
		ID:    p.ManagementID(),
	}

	datapathSecret := ephemeralkeys.GetDatapathSecret()
	var encodedBuf [tokens.ClaimsEncodedBufSize]byte

	token, err := p.tokenAccessor.CreateSynPacketToken(claims, encodedBuf[:], nonce, claimsHeader, datapathSecret)
	if err != nil {
		zap.L().Error("Can not create syn packet token", zap.Error(err))
		return nil
	}

	ephKeySignV1, err := p.tokenAccessor.Sign(datapathKeyPair.DecodingKeyV1(), datapathSecret.EncodingKey().(*ecdsa.PrivateKey))
	if err != nil {
		zap.L().Error("Can not sign the ephemeral public key", zap.Error(err))
		return nil
	}

	if err != nil {
		zap.L().Error("Can not sign the ephemeral public key", zap.Error(err))
		return nil
	}

	privateKey := datapathKeyPair.PrivateKey()
	return &synTokenInfo{datapathSecret: datapathSecret,
		privateKey:      privateKey,
		publicKeyV1:     datapathKeyPair.DecodingKeyV1(),
		publicKeySignV1: ephKeySignV1,
		token:           token}
}

func Test_PUsFrom314To500(t *testing.T) {
	_, _, scrts, _ := createCompactPKISecrets([]string{"kDMRXWckV9k6mGuJ", "xyz", "eJ1s03u72o6i"})
	ephemeralkeys.UpdateDatapathSecrets(scrts)

	setup := func() (*PUContext, *PUContext) {

		fp := &policy.PUInfo{
			Runtime: policy.NewPURuntimeWithDefaults(),
			Policy:  policy.NewPUPolicy("", "/xyz", policy.AllowAll, nil, nil, nil, nil, nil, nil, nil, nil, nil, 0, 0, nil, nil, []string{}, policy.EnforcerMapping, policy.Reject, policy.Reject),
		}
		ta1, _ := tokenaccessor.New("pu1", 1*time.Hour, nil)
		pu1, _ := NewPU("pu1", fp, ta1, 24*time.Hour)
		pu1.managementID = "2newPU1"
		tags1 := policy.NewTagStore()
		tags1.AppendKeyValue("pu", "pu1")
		pu1.compressedTags = tags1

		ta2, _ := tokenaccessor.New("pu2", 1*time.Hour, nil)
		pu2, _ := NewPU("pu2", fp, ta2, 24*time.Hour)
		pu2.managementID = "2newPU2"
		tags2 := policy.NewTagStore()
		tags2.AppendKeyValue("pu", "pu2")
		pu2.compressedTags = tags2

		return pu1, pu2
	}

	pu1, pu2 := setup()
	token := create314SynToken(pu1, claimsheader.NewClaimsHeader())

	claimsOnSynRcvd := &tokens.ConnectionClaims{}
	ka, _ := ephemeralkeys.New()
	secretKey, _, _, remoteNonce, remoteContextID, proto314, err := pu2.tokenAccessor.ParsePacketToken(ka.PrivateKey(), token.token, scrts, claimsOnSynRcvd, false)

	assert.Equal(t, proto314, true, "protocol should be 314")
	assert.Equal(t, err, nil, "ParsePacketToken should return nil")
	assert.Equal(t, remoteContextID, pu1.managementID, "ParsePacketToken should get the correct remote contextID")
	tags := claimsOnSynRcvd.CT.GetSlice()
	assert.Equal(t, tags[0], "pu=pu1", "Receiver should receive correct tags")

	claimsOnSynAckSend := &tokens.ConnectionClaims{
		CT:       pu2.CompressedTags(),
		LCL:      remoteNonce,
		RMT:      remoteNonce,
		ID:       pu2.ManagementID(),
		RemoteID: pu1.managementID,
	}

	var encodedBuf [tokens.ClaimsEncodedBufSize]byte
	tokenFromSynAck, _ := pu2.tokenAccessor.CreateSynAckPacketToken(true, claimsOnSynAckSend, encodedBuf[:], remoteNonce, claimsheader.NewClaimsHeader(), scrts, secretKey) //nolint

	claimsOnSynAckRcvd := &tokens.ConnectionClaims{}
	secretKey, _, _, remoteNonce, remoteContextID, proto314, err = pu1.tokenAccessor.ParsePacketToken(token.privateKey, tokenFromSynAck, scrts, claimsOnSynAckRcvd, true)

	assert.Equal(t, proto314, true, "protocol should be 314")
	assert.Equal(t, err, nil, "ParsePacketToken should return nil")
	assert.Equal(t, remoteContextID, pu2.managementID, "ParsePacketToken should get the correct remote contextID")
	tags = claimsOnSynAckRcvd.CT.GetSlice()
	assert.Equal(t, tags[0], "pu=pu2", "Receiver should receive correct tags")

	claimsOnAckSend := &tokens.ConnectionClaims{
		ID:       pu1.ManagementID(),
		RMT:      remoteNonce,
		RemoteID: remoteContextID,
	}

	ackToken, _ := pu1.tokenAccessor.CreateAckPacketToken(true, secretKey, claimsOnAckSend, encodedBuf[:])
	claimsOnAckRcvd := &tokens.ConnectionClaims{}
	err = pu2.tokenAccessor.ParseAckToken(true, secretKey, remoteNonce, ackToken, claimsOnAckRcvd)
	assert.Equal(t, err, nil, "error should be nil")
}

func Test_PUsFromV1ToV2(t *testing.T) {

	_, _, scrts, _ := createCompactPKISecrets([]string{"kDMRXWckV9k6mGuJ", "xyz", "eJ1s03u72o6i"})
	ephemeralkeys.UpdateDatapathSecrets(scrts)

	setup := func() (*PUContext, *PUContext) {

		fp := &policy.PUInfo{
			Runtime: policy.NewPURuntimeWithDefaults(),
			Policy:  policy.NewPUPolicy("", "/xyz", policy.AllowAll, nil, nil, nil, nil, nil, nil, nil, nil, nil, 0, 0, nil, nil, []string{}, policy.EnforcerMapping, policy.Reject, policy.Reject),
		}
		ta1, _ := tokenaccessor.New("pu1", 1*time.Hour, nil)
		pu1, _ := NewPU("pu1", fp, ta1, 24*time.Hour)
		pu1.managementID = "newPU1"
		tags1 := policy.NewTagStore()
		tags1.AppendKeyValue("pu", "pu1")
		pu1.compressedTags = tags1

		ta2, _ := tokenaccessor.New("pu2", 1*time.Hour, nil)
		pu2, _ := NewPU("pu2", fp, ta2, 24*time.Hour)
		pu2.managementID = "newPU2"
		tags2 := policy.NewTagStore()
		tags2.AppendKeyValue("pu", "pu2")
		pu2.compressedTags = tags2

		return pu1, pu2
	}

	pu1, pu2 := setup()
	token := createV1SynToken(pu1, claimsheader.NewClaimsHeader())

	claimsOnSynRcvd := &tokens.ConnectionClaims{}
	ka, _ := ephemeralkeys.New()
	secretKey, _, _, remoteNonce, remoteContextID, _, err := pu2.tokenAccessor.ParsePacketToken(ka.PrivateKey(), token.token, scrts, claimsOnSynRcvd, false)

	assert.Equal(t, err, nil, "ParsePacketToken should return nil")
	assert.Equal(t, remoteContextID, pu1.managementID, "ParsePacketToken should get the correct remote contextID")
	tags := claimsOnSynRcvd.CT.GetSlice()
	assert.Equal(t, tags[0], "pu=pu1", "Receiver should receive correct tags")

	ephKeySignV1, _ := pu2.tokenAccessor.Sign(ka.DecodingKeyV1(), scrts.EncodingKey().(*ecdsa.PrivateKey)) //nolint

	claimsOnSynAckSend := &tokens.ConnectionClaims{
		CT:       pu2.CompressedTags(),
		LCL:      remoteNonce,
		RMT:      remoteNonce,
		DEKV1:    ka.DecodingKeyV1(),
		SDEKV1:   ephKeySignV1,
		ID:       pu2.ManagementID(),
		RemoteID: pu1.managementID,
	}

	var encodedBuf [tokens.ClaimsEncodedBufSize]byte
	tokenFromSynAck, _ := pu2.tokenAccessor.CreateSynAckPacketToken(false, claimsOnSynAckSend, encodedBuf[:], remoteNonce, claimsheader.NewClaimsHeader(), scrts, secretKey) //nolint

	claimsOnSynAckRcvd := &tokens.ConnectionClaims{}
	secretKey, _, _, remoteNonce, remoteContextID, _, err = pu1.tokenAccessor.ParsePacketToken(token.privateKey, tokenFromSynAck, scrts, claimsOnSynAckRcvd, true)

	assert.Equal(t, err, nil, "ParsePacketToken should return nil")
	assert.Equal(t, remoteContextID, pu2.managementID, "ParsePacketToken should get the correct remote contextID")
	tags = claimsOnSynAckRcvd.CT.GetSlice()
	assert.Equal(t, tags[0], "pu=pu2", "Receiver should receive correct tags")

	claimsOnAckSend := &tokens.ConnectionClaims{
		ID:       pu1.ManagementID(),
		RMT:      remoteNonce,
		RemoteID: remoteContextID,
	}

	ackToken, _ := pu1.tokenAccessor.CreateAckPacketToken(false, secretKey, claimsOnAckSend, encodedBuf[:])
	claimsOnAckRcvd := &tokens.ConnectionClaims{}
	err = pu2.tokenAccessor.ParseAckToken(false, secretKey, remoteNonce, ackToken, claimsOnAckRcvd)
	assert.Equal(t, err, nil, "error should be nil")
}

func Test_PUSearch(t *testing.T) {

	Convey("When I call PU Search", t, func() {

		portRange80, _ := portspec.NewPortSpec(80, 85, nil)
		portRange90, _ := portspec.NewPortSpec(90, 100, nil)

		tagSelectorList := policy.TagSelectorList{
			policy.TagSelector{
				Clause: []policy.KeyValueOperator{
					{
						Key:      "app",
						Value:    []string{"web"},
						ID:       "asfasfasdasd",
						Operator: policy.Equal,
					},
					{
						Key:       "@sys:port",
						Value:     []string{"TCP"},
						ID:        "",
						Operator:  policy.Equal,
						PortRange: portRange80,
					},
				},
				Policy: &policy.FlowPolicy{
					PolicyID: "2",
					Action:   policy.Accept,
				},
			},
			policy.TagSelector{
				Clause: []policy.KeyValueOperator{
					{
						Key:      "app",
						Value:    []string{"web"},
						ID:       "asfasfasdasd",
						Operator: policy.Equal,
					},
					{
						Key:       "@sys:port",
						Value:     []string{"TCP"},
						ID:        "",
						Operator:  policy.Equal,
						PortRange: portRange90,
					},
				},
				Policy: &policy.FlowPolicy{
					PolicyID: "2",
					Action:   policy.Accept,
				},
			},
		}

		d := policy.NewPUPolicy(
			"id",
			"/abc",
			policy.AllowAll,
			nil,
			nil,
			nil,
			nil,
			tagSelectorList,
			nil,
			nil,
			nil,
			nil,
			0,
			0,
			nil,
			nil,
			[]string{},
			policy.EnforcerMapping,
			policy.Reject|policy.Log,
			policy.Reject|policy.Log,
		)

		fp := &policy.PUInfo{
			Runtime: policy.NewPURuntimeWithDefaults(),
			Policy:  d,
		}

		pu, _ := NewPU("pu1", fp, nil, 24*time.Hour)

		tags := policy.NewTagStore()
		tags.AppendKeyValue("app", "web")
		tags.AppendKeyValue(constants.PortNumberLabelString, "TCP/85")

		report, flow := pu.SearchRcvRules(tags)

		Convey("The action should be Accept when port is 85", func() {
			So(flow, ShouldNotBeNil)
			So(report, ShouldNotBeNil)
			So(flow.Action, ShouldEqual, policy.Accept)
			So(report.Action, ShouldEqual, policy.Accept)
			So(flow, ShouldNotBeNil)
		})

		tags = policy.NewTagStore()
		tags.AppendKeyValue("app", "web")
		tags.AppendKeyValue(constants.PortNumberLabelString, "TCP/98")

		report, flow = pu.SearchRcvRules(tags)

		Convey("The action should be Accept when port is 98", func() {
			So(flow, ShouldNotBeNil)
			So(report, ShouldNotBeNil)
			So(flow.Action, ShouldEqual, policy.Accept)
			So(report.Action, ShouldEqual, policy.Accept)
			So(flow, ShouldNotBeNil)
		})

		tags = policy.NewTagStore()
		tags.AppendKeyValue("app", "web")
		tags.AppendKeyValue(constants.PortNumberLabelString, "TCP/101")

		report, flow = pu.SearchRcvRules(tags)

		Convey("The action should be Reject when port is 101", func() {
			So(flow, ShouldNotBeNil)
			So(report, ShouldNotBeNil)
			So(flow.Action, ShouldEqual, policy.Reject|policy.Log)
			So(report.Action, ShouldEqual, policy.Reject|policy.Log)
			So(flow, ShouldNotBeNil)
		})

	})
}


================================================
FILE: controller/pkg/remoteenforcer/interfaces.go
================================================
package remoteenforcer

import (
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/utils/rpcwrapper"
)

const (
	// InitEnforcer is string for invoking RPC
	InitEnforcer = "RemoteEnforcer.InitEnforcer"
	//Unenforce is string for invoking RPC
	Unenforce = "RemoteEnforcer.Unenforce"
	//Enforce is string for invoking RPC
	Enforce = "RemoteEnforcer.Enforce"
	// EnforcerExit is string for invoking RPC
	EnforcerExit = "RemoteEnforcer.EnforcerExit"
	// UpdateSecrets is string for invoking updatesecrets RPC
	UpdateSecrets = "RemoteEnforcer.UpdateSecrets"
	// SetTargetNetworks is string for invoking SetTargetNetworks RPC
	SetTargetNetworks = "RemoteEnforcer.SetTargetNetworks"
	// EnableIPTablesPacketTracing enable iptables trace mode
	EnableIPTablesPacketTracing = "RemoteEnforcer.EnableIPTablesPacketTracing"
	// EnableDatapathPacketTracing enable datapath packet tracing
	EnableDatapathPacketTracing = "RemoteEnforcer.EnableDatapathPacketTracing"
	// SetLogLevel is string for invoking set log level RPC
	SetLogLevel = "RemoteEnforcer.SetLogLevel"
	// Ping is the string for invoking ping RPC
	Ping = "RemoteEnforcer.Ping"
	// DebugCollect is the string for invoking DebugCollect RPC
	DebugCollect = "RemoteEnforcer.DebugCollect"
)

// RemoteIntf is the interface implemented by the remote enforcer
type RemoteIntf interface {
	// InitEnforcer is a function called from the controller using RPC.
	// It intializes data structure required by the remote enforcer
	InitEnforcer(req rpcwrapper.Request, resp *rpcwrapper.Response) error

	//Unenforce this method calls the unenforce method on the enforcer created from initenforcer
	Unenforce(req rpcwrapper.Request, resp *rpcwrapper.Response) error

	//Enforce this method calls the enforce method on the enforcer created during initenforcer
	Enforce(req rpcwrapper.Request, resp *rpcwrapper.Response) error

	// EnforcerExit this method is called when  we received a killrpocess message from the controller
	// This allows a graceful exit of the enforcer
	EnforcerExit(req rpcwrapper.Request, resp *rpcwrapper.Response) error
}


================================================
FILE: controller/pkg/remoteenforcer/internal/client/interfaces.go
================================================
package client

import "context"

// Reporter interface provides functions to start/stop a remote client
// A remote client is an active component which is responsible for collecting
// events collected by datapath and ship them to the master enforcer.
type Reporter interface {
	Run(ctx context.Context) error
	Send() error
}


================================================
FILE: controller/pkg/remoteenforcer/internal/client/mockclient/mockclient.go
================================================
// Code generated by MockGen. DO NOT EDIT.
// Source: controller/pkg/remoteenforcer/internal/client/interfaces.go

// Package mockclient is a generated GoMock package.
package mockclient

import (
	context "context"
	reflect "reflect"

	gomock "github.com/golang/mock/gomock"
)

// MockReporter is a mock of Reporter interface
// nolint
type MockReporter struct {
	ctrl     *gomock.Controller
	recorder *MockReporterMockRecorder
}

// MockReporterMockRecorder is the mock recorder for MockReporter
// nolint
type MockReporterMockRecorder struct {
	mock *MockReporter
}

// NewMockReporter creates a new mock instance
// nolint
func NewMockReporter(ctrl *gomock.Controller) *MockReporter {
	mock := &MockReporter{ctrl: ctrl}
	mock.recorder = &MockReporterMockRecorder{mock}
	return mock
}

// EXPECT returns an object that allows the caller to indicate expected use
// nolint
func (m *MockReporter) EXPECT() *MockReporterMockRecorder {
	return m.recorder
}

// Run mocks base method
// nolint
func (m *MockReporter) Run(ctx context.Context) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "Run", ctx)
	ret0, _ := ret[0].(error)
	return ret0
}

// Run indicates an expected call of Run
// nolint
func (mr *MockReporterMockRecorder) Run(ctx interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Run", reflect.TypeOf((*MockReporter)(nil).Run), ctx)
}

// Send mocks base method
// nolint
func (m *MockReporter) Send() error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "Send")
	ret0, _ := ret[0].(error)
	return ret0
}

// Send indicates an expected call of Send
// nolint
func (mr *MockReporterMockRecorder) Send() *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Send", reflect.TypeOf((*MockReporter)(nil).Send))
}


================================================
FILE: controller/pkg/remoteenforcer/internal/client/reportsclient/client.go
================================================
package reports

import (
	"context"
	"errors"
	"os"

	"go.aporeto.io/enforcerd/trireme-lib/controller/constants"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/utils/rpcwrapper"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/remoteenforcer/internal/client"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/remoteenforcer/internal/statscollector"
	"go.uber.org/zap"
)

const (
	reportContextID  = "UNUSED"
	reportRPCCommand = "ProxyRPCServer.PostReportEvent"
)

// reportClient  This is the struct for storing state for the rpc client
// which reports events back to the controller process
type reportsClient struct {
	collector     statscollector.Collector
	rpchdl        *rpcwrapper.RPCWrapper
	secret        string
	reportChannel string
	stop          chan bool
}

// NewClient initializes a new ping report client
func NewClient(cr statscollector.Collector) (client.Reporter, error) {

	p := &reportsClient{
		collector:     cr,
		rpchdl:        rpcwrapper.NewRPCWrapper(),
		secret:        os.Getenv(constants.EnvStatsSecret),
		reportChannel: os.Getenv(constants.EnvStatsChannel),
		stop:          make(chan bool),
	}

	if p.reportChannel == "" {
		return nil, errors.New("no path to stats socket provided")
	}

	if p.secret == "" {
		return nil, errors.New("no secret provided for stats channel")
	}

	return p, nil
}

func (p *reportsClient) sendStats(ctx context.Context) {

	for {
		select {
		case <-ctx.Done():
			return
		case r := <-p.collector.GetReports():
			p.sendRequest(r)
		}
	}
}

func (p *reportsClient) sendRequest(report *statscollector.Report) {

	request := rpcwrapper.Request{
		PayloadType: reportTypeToPayloadType(report.Type),
		Payload:     report.Payload,
	}

	if err := p.rpchdl.RemoteCall(
		reportContextID,
		reportRPCCommand,
		&request,
		&rpcwrapper.Response{},
	); err != nil {
		zap.L().Error("unable to execute rpc", zap.Error(err))
	}
}

// Start This is an private function called by the remoteenforcer to connect back
// to the controller over a stats channel
func (p *reportsClient) Run(ctx context.Context) error {
	if err := p.rpchdl.NewRPCClient(reportContextID, p.reportChannel, p.secret); err != nil {
		zap.L().Error("unable to create new rpc client", zap.Error(err))
		return err
	}

	go p.sendStats(ctx)

	return nil
}

// Send is unimplemented.
func (p *reportsClient) Send() error {
	return nil
}

func reportTypeToPayloadType(rtype statscollector.ReportType) (ptype rpcwrapper.PayloadType) {

	switch rtype {
	case statscollector.PacketReport:
		ptype = rpcwrapper.PacketReport
	case statscollector.CounterReport:
		ptype = rpcwrapper.CounterReport
	case statscollector.DNSReport:
		ptype = rpcwrapper.DNSReport
	case statscollector.PingReport:
		ptype = rpcwrapper.PingReport
	case statscollector.ConnectionExceptionReport:
		ptype = rpcwrapper.ConnectionExceptionReport
	default:
		return
	}

	return ptype
}


================================================
FILE: controller/pkg/remoteenforcer/internal/client/statsclient/client.go
================================================
package statsclient

import (
	"context"
	"errors"
	"os"
	"time"

	"go.aporeto.io/enforcerd/trireme-lib/collector"
	"go.aporeto.io/enforcerd/trireme-lib/controller/constants"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/utils/rpcwrapper"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/remoteenforcer/internal/client"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/remoteenforcer/internal/statscollector"
	"go.uber.org/zap"
)

const (
	defaultStatsIntervalMiliseconds = 1000
	defaultUserRetention            = 10
	statsContextID                  = "UNUSED"
	statsRPCCommand                 = "ProxyRPCServer.PostStats"
)

// statsClient  This is the struct for storing state for the rpc client
// which reports flow stats back to the controller process
type statsClient struct {
	collector     statscollector.Collector
	rpchdl        *rpcwrapper.RPCWrapper
	secret        string
	statsChannel  string
	statsInterval time.Duration
	userRetention time.Duration
	stop          chan bool
}

// NewStatsClient initializes a new stats client
func NewStatsClient(cr statscollector.Collector) (client.Reporter, error) {

	sc := &statsClient{
		collector:     cr,
		rpchdl:        rpcwrapper.NewRPCWrapper(),
		secret:        os.Getenv(constants.EnvStatsSecret),
		statsChannel:  os.Getenv(constants.EnvStatsChannel),
		statsInterval: defaultStatsIntervalMiliseconds * time.Millisecond,
		userRetention: defaultUserRetention * time.Minute,
		stop:          make(chan bool),
	}

	if sc.statsChannel == "" {
		return nil, errors.New("no path to stats socket provided")
	}

	if sc.secret == "" {
		return nil, errors.New("no secret provided for stats channel")
	}

	return sc, nil
}

// sendStats  async function which makes a rpc call to send stats every STATS_INTERVAL
func (s *statsClient) sendStats(ctx context.Context) {

	ticker := time.NewTicker(s.statsInterval)
	userTicker := time.NewTicker(s.userRetention)
	// nolint: gosimple
	for {
		select {
		case <-ticker.C:

			flows := s.collector.GetFlowRecords()
			users := s.collector.GetUserRecords()
			if flows == nil && users == nil {
				continue
			}

			s.sendRequest(flows, users)
		case <-userTicker.C:
			s.collector.FlushUserCache()
		case <-ctx.Done():
			return
		}
	}

}

func (s *statsClient) sendRequest(flows map[uint64]*collector.FlowRecord, users map[string]*collector.UserRecord) {

	request := rpcwrapper.Request{
		Payload: &rpcwrapper.StatsPayload{
			Flows: flows,
			Users: users,
		},
	}

	if err := s.rpchdl.RemoteCall(
		statsContextID,
		statsRPCCommand,
		&request,
		&rpcwrapper.Response{},
	); err != nil {
		zap.L().Error("RPC failure in sending statistics: Unable to send flows", zap.Error(err))
	}
}

// Send sends all the stats from the cache
func (s *statsClient) Send() error {

	flows := s.collector.GetFlowRecords()
	users := s.collector.GetUserRecords()
	if flows == nil && users == nil {
		zap.L().Debug("Flows and UserRecords are nil while sending stats to collector")
		return nil
	}

	s.sendRequest(flows, users)
	return nil
}

// Start This is an private function called by the remoteenforcer to connect back
// to the controller over a stats channel
func (s *statsClient) Run(ctx context.Context) error {
	if err := s.rpchdl.NewRPCClient(statsContextID, s.statsChannel, s.secret); err != nil {
		zap.L().Error("Stats RPC client cannot connect", zap.Error(err))
		return err
	}

	go s.sendStats(ctx)

	return nil
}


================================================
FILE: controller/pkg/remoteenforcer/internal/statscollector/collector.go
================================================
package statscollector

import (
	"sync"

	"go.aporeto.io/enforcerd/trireme-lib/collector"
)

// NewCollector provides a new collector interface
func NewCollector() Collector {
	return &collectorImpl{
		Flows:          map[uint64]*collector.FlowRecord{},
		Users:          map[string]*collector.UserRecord{},
		ProcessedUsers: map[string]bool{},
		Reports:        make(chan *Report, 1000),
	}
}

// collectorImpl : This object is a stash implements two interfaces.
//
//  collector.EventCollector - so datapath can report flow events
//  CollectorReader - so components can extract information out of this stash
//
// It has a flow entries cache which contains unique flows that are reported
// back to the controller/launcher process
type collectorImpl struct {
	Flows          map[uint64]*collector.FlowRecord
	ProcessedUsers map[string]bool
	Users          map[string]*collector.UserRecord
	Reports        chan *Report

	sync.Mutex
}

// ReportType it the type of report.
type ReportType uint8

// ReportTypes.
const (
	FlowRecord ReportType = iota
	UserRecord
	PacketReport
	CounterReport
	DNSReport
	PingReport
	ConnectionExceptionReport
)

// Report holds the report type and the payload.
type Report struct {
	Type    ReportType
	Payload interface{}
}


================================================
FILE: controller/pkg/remoteenforcer/internal/statscollector/collector_reader.go
================================================
package statscollector

import (
	"go.aporeto.io/enforcerd/trireme-lib/collector"
)

// Count returns the current number of records collected.
func (c *collectorImpl) Count() int {
	c.Lock()
	defer c.Unlock()

	return len(c.Flows)
}

// GetFlowRecords should return all flow records stashed so far.
func (c *collectorImpl) GetFlowRecords() map[uint64]*collector.FlowRecord {
	c.Lock()
	defer c.Unlock()

	if len(c.Flows) == 0 {
		return nil
	}

	retval := c.Flows
	c.Flows = make(map[uint64]*collector.FlowRecord)
	return retval
}

// GetUserRecords retrieves all the user records.
func (c *collectorImpl) GetUserRecords() map[string]*collector.UserRecord {
	c.Lock()
	defer c.Unlock()

	if len(c.Users) == 0 {
		return nil
	}

	retval := c.Users
	c.Users = map[string]*collector.UserRecord{}
	return retval
}

// FlushUserCache flushes the user cache.
func (c *collectorImpl) FlushUserCache() {
	c.Lock()
	defer c.Unlock()

	c.ProcessedUsers = map[string]bool{}
}

// GetReports returns reports channel.
func (c *collectorImpl) GetReports() chan *Report {
	c.Lock()
	defer c.Unlock()

	return c.Reports
}


================================================
FILE: controller/pkg/remoteenforcer/internal/statscollector/collector_test.go
================================================
package statscollector

import (
	"testing"

	. "github.com/smartystreets/goconvey/convey"
	"go.aporeto.io/enforcerd/trireme-lib/collector"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packet"
)

func TestNewCollector(t *testing.T) {
	Convey("When I create a new collector", t, func() {
		c := NewCollector()
		Convey("The collector should not be nil ", func() {
			So(c, ShouldNotBeNil)
			So(c.GetFlowRecords(), ShouldBeNil)
		})
	})
}

func TestCollectFlowEvent(t *testing.T) {
	Convey("Given a stats collector", t, func() {
		c := &collectorImpl{
			Flows: map[uint64]*collector.FlowRecord{},
		}

		Convey("When I add a flow event", func() {
			r := &collector.FlowRecord{
				ContextID: "1",
				Source: collector.EndPoint{
					ID:   "A",
					IP:   "1.1.1.1",
					Type: collector.EndPointTypePU,
				},
				Destination: collector.EndPoint{
					ID:   "B",
					IP:   "2.2.2.2",
					Type: collector.EndPointTypePU,
					Port: 80,
				},
				Count:      0,
				Tags:       []string{},
				L4Protocol: packet.IPProtocolTCP,
			}
			c.CollectFlowEvent(r)

			Convey("The flow should be in the cache", func() {
				So(len(c.Flows), ShouldEqual, 1)
				So(c.Flows[collector.StatsFlowContentHash(r)], ShouldNotBeNil)
				So(c.Flows[collector.StatsFlowContentHash(r)].Count, ShouldEqual, 1)
			})

			Convey("When I add a second flow that matches", func() {
				r := &collector.FlowRecord{
					ContextID: "1",
					Source: collector.EndPoint{
						ID:   "A",
						IP:   "1.1.1.1",
						Type: collector.EndPointTypePU,
					},
					Destination: collector.EndPoint{
						ID:   "B",
						IP:   "2.2.2.2",
						Type: collector.EndPointTypePU,
						Port: 80,
					},
					Count:      10,
					Tags:       []string{},
					L4Protocol: packet.IPProtocolTCP,
				}
				c.CollectFlowEvent(r)
				Convey("The flow should be in the cache", func() {
					So(len(c.Flows), ShouldEqual, 1)
					So(c.Flows[collector.StatsFlowContentHash(r)], ShouldNotBeNil)
					So(c.Flows[collector.StatsFlowContentHash(r)].Count, ShouldEqual, 11)
				})
			})

			Convey("When I add a third flow that doesn't  matche the previous flows ", func() {
				r := &collector.FlowRecord{
					ContextID: "1",
					Source: collector.EndPoint{
						ID:   "C",
						IP:   "3.3.3.3",
						Type: collector.EndPointTypePU,
					},
					Destination: collector.EndPoint{
						ID:   "D",
						IP:   "4.4.4.4",
						Type: collector.EndPointTypePU,
						Port: 80,
					},
					Count:      33,
					Tags:       []string{},
					L4Protocol: packet.IPProtocolTCP,
				}
				c.CollectFlowEvent(r)
				Convey("The flow should be in the cache", func() {
					So(len(c.Flows), ShouldEqual, 2)
					So(c.Flows[collector.StatsFlowContentHash(r)], ShouldNotBeNil)
					So(c.Flows[collector.StatsFlowContentHash(r)].Count, ShouldEqual, 33)
				})
			})
		})
	})
}

func TestGetAllDataPathPacketRecords(t *testing.T) {
	Convey("Given i collect a new collector", t, func() {
		c := NewCollector()
		Convey("I trace single packet", func() {
			c.CollectPacketEvent(&collector.PacketReport{
				DestinationIP: "1.2.3.4",
			})
			records := c.GetReports()
			So(len(records), ShouldEqual, 1)
		})

	})

}

func TestAllCounterReports(t *testing.T) {
	Convey("Given i collect a new collector", t, func() {
		c := NewCollector()
		c.(*collectorImpl).Reports = make(chan *Report, 1)
		Convey("I trace a single packet", func() {
			c.CollectCounterEvent(&collector.CounterReport{})
			records := c.GetReports()
			So(len(records), ShouldEqual, 1)
			c.CollectCounterEvent(&collector.CounterReport{})
			records = c.GetReports()
			So(len(records), ShouldEqual, 1)
		})
	})
}


================================================
FILE: controller/pkg/remoteenforcer/internal/statscollector/collector_trireme.go
================================================
package statscollector

import (
	"go.aporeto.io/enforcerd/trireme-lib/collector"
	"go.uber.org/zap"
)

// CollectFlowEvent collects a new flow event and adds it to a local list it shares with SendStats
func (c *collectorImpl) CollectFlowEvent(record *collector.FlowRecord) {

	hash := collector.StatsFlowContentHash(record)

	// If flow event doesn't have a count make it equal to 1. At least one flow is collected
	if record.Count == 0 {
		record.Count = 1
	}

	c.Lock()
	defer c.Unlock()

	if r, ok := c.Flows[hash]; ok {
		r.Count = r.Count + record.Count
		return
	}

	c.Flows[hash] = record

	c.Flows[hash].Tags = record.Tags
}

// CollectContainerEvent is called when container events are received
func (c *collectorImpl) CollectContainerEvent(record *collector.ContainerRecord) {
	zap.L().Error("Unexpected call for collecting container event")
}

// CollectUserEvent collects a new user event and adds it to a local cache.
func (c *collectorImpl) CollectUserEvent(record *collector.UserRecord) {

	if err := collector.StatsUserHash(record); err != nil {
		zap.L().Error("Cannot store user record", zap.Error(err))
		return
	}

	c.Lock()
	defer c.Unlock()

	if _, ok := c.ProcessedUsers[record.ID]; !ok {
		c.Users[record.ID] = record
		c.ProcessedUsers[record.ID] = true
	}
}

// CollectTraceEvent collect trace events
func (c *collectorImpl) CollectTraceEvent(records []string) {
	//We will leave this unimplemented
	// trace event collection in done from the main enforcer
}

// CollectTraceEvent collect trace events
func (c *collectorImpl) CollectPacketEvent(report *collector.PacketReport) {
	c.send(PacketReport, report)
}

// CollectCounterEvent collect counters from the datapath
func (c *collectorImpl) CollectCounterEvent(report *collector.CounterReport) {
	c.send(CounterReport, report)
}

// CollectCounterEvent collect counters from the datapath
func (c *collectorImpl) CollectDNSRequests(report *collector.DNSRequestReport) {
	c.send(DNSReport, report)
}

// CollectPingEvent collect ping events from the datapath
func (c *collectorImpl) CollectPingEvent(report *collector.PingReport) {
	c.send(PingReport, report)
}

// CollectConnectionExceptionReport collect collect connection exception reports from the datapath
func (c *collectorImpl) CollectConnectionExceptionReport(report *collector.ConnectionExceptionReport) {
	c.send(ConnectionExceptionReport, report)
}

func (c *collectorImpl) send(rtype ReportType, report interface{}) {

	select {
	case c.Reports <- &Report{rtype, report}:
	default:
		zap.L().Warn("Reports queue full, dropped",
			zap.Reflect("reportType", rtype),
			zap.Reflect("report", report),
		)
	}
}


================================================
FILE: controller/pkg/remoteenforcer/internal/statscollector/interfaces.go
================================================
package statscollector

import (
	"go.aporeto.io/enforcerd/trireme-lib/collector"
)

// CollectorReader interface which provides functions to query pending stats.
type CollectorReader interface {
	Count() int
	FlushUserCache()
	GetFlowRecords() map[uint64]*collector.FlowRecord
	GetUserRecords() map[string]*collector.UserRecord
	GetReports() chan *Report
}

// Collector interface implements event collector.
type Collector interface {
	CollectorReader
	collector.EventCollector
}


================================================
FILE: controller/pkg/remoteenforcer/internal/statscollector/mockstatscollector/mockstatscollector.go
================================================
// Code generated by MockGen. DO NOT EDIT.
// Source: controller/pkg/remoteenforcer/internal/statscollector/interfaces.go

// Package mockstatscollector is a generated GoMock package.
package mockstatscollector

import (
	reflect "reflect"

	gomock "github.com/golang/mock/gomock"
	collector "go.aporeto.io/enforcerd/trireme-lib/collector"
	statscollector "go.aporeto.io/enforcerd/trireme-lib/controller/pkg/remoteenforcer/internal/statscollector"
)

// MockCollectorReader is a mock of CollectorReader interface
// nolint
type MockCollectorReader struct {
	ctrl     *gomock.Controller
	recorder *MockCollectorReaderMockRecorder
}

// MockCollectorReaderMockRecorder is the mock recorder for MockCollectorReader
// nolint
type MockCollectorReaderMockRecorder struct {
	mock *MockCollectorReader
}

// NewMockCollectorReader creates a new mock instance
// nolint
func NewMockCollectorReader(ctrl *gomock.Controller) *MockCollectorReader {
	mock := &MockCollectorReader{ctrl: ctrl}
	mock.recorder = &MockCollectorReaderMockRecorder{mock}
	return mock
}

// EXPECT returns an object that allows the caller to indicate expected use
// nolint
func (m *MockCollectorReader) EXPECT() *MockCollectorReaderMockRecorder {
	return m.recorder
}

// Count mocks base method
// nolint
func (m *MockCollectorReader) Count() int {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "Count")
	ret0, _ := ret[0].(int)
	return ret0
}

// Count indicates an expected call of Count
// nolint
func (mr *MockCollectorReaderMockRecorder) Count() *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Count", reflect.TypeOf((*MockCollectorReader)(nil).Count))
}

// FlushUserCache mocks base method
// nolint
func (m *MockCollectorReader) FlushUserCache() {
	m.ctrl.T.Helper()
	m.ctrl.Call(m, "FlushUserCache")
}

// FlushUserCache indicates an expected call of FlushUserCache
// nolint
func (mr *MockCollectorReaderMockRecorder) FlushUserCache() *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "FlushUserCache", reflect.TypeOf((*MockCollectorReader)(nil).FlushUserCache))
}

// GetFlowRecords mocks base method
// nolint
func (m *MockCollectorReader) GetFlowRecords() map[uint64]*collector.FlowRecord {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "GetFlowRecords")
	ret0, _ := ret[0].(map[uint64]*collector.FlowRecord)
	return ret0
}

// GetFlowRecords indicates an expected call of GetFlowRecords
// nolint
func (mr *MockCollectorReaderMockRecorder) GetFlowRecords() *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetFlowRecords", reflect.TypeOf((*MockCollectorReader)(nil).GetFlowRecords))
}

// GetUserRecords mocks base method
// nolint
func (m *MockCollectorReader) GetUserRecords() map[string]*collector.UserRecord {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "GetUserRecords")
	ret0, _ := ret[0].(map[string]*collector.UserRecord)
	return ret0
}

// GetUserRecords indicates an expected call of GetUserRecords
// nolint
func (mr *MockCollectorReaderMockRecorder) GetUserRecords() *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetUserRecords", reflect.TypeOf((*MockCollectorReader)(nil).GetUserRecords))
}

// GetReports mocks base method
// nolint
func (m *MockCollectorReader) GetReports() chan *statscollector.Report {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "GetReports")
	ret0, _ := ret[0].(chan *statscollector.Report)
	return ret0
}

// GetReports indicates an expected call of GetReports
// nolint
func (mr *MockCollectorReaderMockRecorder) GetReports() *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetReports", reflect.TypeOf((*MockCollectorReader)(nil).GetReports))
}

// MockCollector is a mock of Collector interface
// nolint
type MockCollector struct {
	ctrl     *gomock.Controller
	recorder *MockCollectorMockRecorder
}

// MockCollectorMockRecorder is the mock recorder for MockCollector
// nolint
type MockCollectorMockRecorder struct {
	mock *MockCollector
}

// NewMockCollector creates a new mock instance
// nolint
func NewMockCollector(ctrl *gomock.Controller) *MockCollector {
	mock := &MockCollector{ctrl: ctrl}
	mock.recorder = &MockCollectorMockRecorder{mock}
	return mock
}

// EXPECT returns an object that allows the caller to indicate expected use
// nolint
func (m *MockCollector) EXPECT() *MockCollectorMockRecorder {
	return m.recorder
}

// Count mocks base method
// nolint
func (m *MockCollector) Count() int {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "Count")
	ret0, _ := ret[0].(int)
	return ret0
}

// Count indicates an expected call of Count
// nolint
func (mr *MockCollectorMockRecorder) Count() *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Count", reflect.TypeOf((*MockCollector)(nil).Count))
}

// FlushUserCache mocks base method
// nolint
func (m *MockCollector) FlushUserCache() {
	m.ctrl.T.Helper()
	m.ctrl.Call(m, "FlushUserCache")
}

// FlushUserCache indicates an expected call of FlushUserCache
// nolint
func (mr *MockCollectorMockRecorder) FlushUserCache() *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "FlushUserCache", reflect.TypeOf((*MockCollector)(nil).FlushUserCache))
}

// GetFlowRecords mocks base method
// nolint
func (m *MockCollector) GetFlowRecords() map[uint64]*collector.FlowRecord {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "GetFlowRecords")
	ret0, _ := ret[0].(map[uint64]*collector.FlowRecord)
	return ret0
}

// GetFlowRecords indicates an expected call of GetFlowRecords
// nolint
func (mr *MockCollectorMockRecorder) GetFlowRecords() *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetFlowRecords", reflect.TypeOf((*MockCollector)(nil).GetFlowRecords))
}

// GetUserRecords mocks base method
// nolint
func (m *MockCollector) GetUserRecords() map[string]*collector.UserRecord {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "GetUserRecords")
	ret0, _ := ret[0].(map[string]*collector.UserRecord)
	return ret0
}

// GetUserRecords indicates an expected call of GetUserRecords
// nolint
func (mr *MockCollectorMockRecorder) GetUserRecords() *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetUserRecords", reflect.TypeOf((*MockCollector)(nil).GetUserRecords))
}

// GetReports mocks base method
// nolint
func (m *MockCollector) GetReports() chan *statscollector.Report {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "GetReports")
	ret0, _ := ret[0].(chan *statscollector.Report)
	return ret0
}

// GetReports indicates an expected call of GetReports
// nolint
func (mr *MockCollectorMockRecorder) GetReports() *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetReports", reflect.TypeOf((*MockCollector)(nil).GetReports))
}

// CollectFlowEvent mocks base method
// nolint
func (m *MockCollector) CollectFlowEvent(record *collector.FlowRecord) {
	m.ctrl.T.Helper()
	m.ctrl.Call(m, "CollectFlowEvent", record)
}

// CollectFlowEvent indicates an expected call of CollectFlowEvent
// nolint
func (mr *MockCollectorMockRecorder) CollectFlowEvent(record interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CollectFlowEvent", reflect.TypeOf((*MockCollector)(nil).CollectFlowEvent), record)
}

// CollectContainerEvent mocks base method
// nolint
func (m *MockCollector) CollectContainerEvent(record *collector.ContainerRecord) {
	m.ctrl.T.Helper()
	m.ctrl.Call(m, "CollectContainerEvent", record)
}

// CollectContainerEvent indicates an expected call of CollectContainerEvent
// nolint
func (mr *MockCollectorMockRecorder) CollectContainerEvent(record interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CollectContainerEvent", reflect.TypeOf((*MockCollector)(nil).CollectContainerEvent), record)
}

// CollectUserEvent mocks base method
// nolint
func (m *MockCollector) CollectUserEvent(record *collector.UserRecord) {
	m.ctrl.T.Helper()
	m.ctrl.Call(m, "CollectUserEvent", record)
}

// CollectUserEvent indicates an expected call of CollectUserEvent
// nolint
func (mr *MockCollectorMockRecorder) CollectUserEvent(record interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CollectUserEvent", reflect.TypeOf((*MockCollector)(nil).CollectUserEvent), record)
}

// CollectTraceEvent mocks base method
// nolint
func (m *MockCollector) CollectTraceEvent(records []string) {
	m.ctrl.T.Helper()
	m.ctrl.Call(m, "CollectTraceEvent", records)
}

// CollectTraceEvent indicates an expected call of CollectTraceEvent
// nolint
func (mr *MockCollectorMockRecorder) CollectTraceEvent(records interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CollectTraceEvent", reflect.TypeOf((*MockCollector)(nil).CollectTraceEvent), records)
}

// CollectPacketEvent mocks base method
// nolint
func (m *MockCollector) CollectPacketEvent(report *collector.PacketReport) {
	m.ctrl.T.Helper()
	m.ctrl.Call(m, "CollectPacketEvent", report)
}

// CollectPacketEvent indicates an expected call of CollectPacketEvent
// nolint
func (mr *MockCollectorMockRecorder) CollectPacketEvent(report interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CollectPacketEvent", reflect.TypeOf((*MockCollector)(nil).CollectPacketEvent), report)
}

// CollectCounterEvent mocks base method
// nolint
func (m *MockCollector) CollectCounterEvent(counterReport *collector.CounterReport) {
	m.ctrl.T.Helper()
	m.ctrl.Call(m, "CollectCounterEvent", counterReport)
}

// CollectCounterEvent indicates an expected call of CollectCounterEvent
// nolint
func (mr *MockCollectorMockRecorder) CollectCounterEvent(counterReport interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CollectCounterEvent", reflect.TypeOf((*MockCollector)(nil).CollectCounterEvent), counterReport)
}

// CollectDNSRequests mocks base method
// nolint
func (m *MockCollector) CollectDNSRequests(request *collector.DNSRequestReport) {
	m.ctrl.T.Helper()
	m.ctrl.Call(m, "CollectDNSRequests", request)
}

// CollectDNSRequests indicates an expected call of CollectDNSRequests
// nolint
func (mr *MockCollectorMockRecorder) CollectDNSRequests(request interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CollectDNSRequests", reflect.TypeOf((*MockCollector)(nil).CollectDNSRequests), request)
}

// CollectPingEvent mocks base method
// nolint
func (m *MockCollector) CollectPingEvent(report *collector.PingReport) {
	m.ctrl.T.Helper()
	m.ctrl.Call(m, "CollectPingEvent", report)
}

// CollectPingEvent indicates an expected call of CollectPingEvent
// nolint
func (mr *MockCollectorMockRecorder) CollectPingEvent(report interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CollectPingEvent", reflect.TypeOf((*MockCollector)(nil).CollectPingEvent), report)
}

// CollectConnectionExceptionReport mocks base method
// nolint
func (m *MockCollector) CollectConnectionExceptionReport(report *collector.ConnectionExceptionReport) {
	m.ctrl.T.Helper()
	m.ctrl.Call(m, "CollectConnectionExceptionReport", report)
}

// CollectConnectionExceptionReport indicates an expected call of CollectConnectionExceptionReport
// nolint
func (mr *MockCollectorMockRecorder) CollectConnectionExceptionReport(report interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CollectConnectionExceptionReport", reflect.TypeOf((*MockCollector)(nil).CollectConnectionExceptionReport), report)
}


================================================
FILE: controller/pkg/remoteenforcer/internal/tokenissuer/mocktokenclient/mocktokenclient.go
================================================
// Code generated by MockGen. DO NOT EDIT.
// Source: controller/pkg/remoteenforcer/internal/tokenissuer/tokenissuer.go

// Package mocktokenclient is a generated GoMock package.
package mocktokenclient

import (
	context "context"
	reflect "reflect"
	time "time"

	gomock "github.com/golang/mock/gomock"
	common "go.aporeto.io/enforcerd/trireme-lib/common"
)

// MockTokenClient is a mock of TokenClient interface
// nolint
type MockTokenClient struct {
	ctrl     *gomock.Controller
	recorder *MockTokenClientMockRecorder
}

// MockTokenClientMockRecorder is the mock recorder for MockTokenClient
// nolint
type MockTokenClientMockRecorder struct {
	mock *MockTokenClient
}

// NewMockTokenClient creates a new mock instance
// nolint
func NewMockTokenClient(ctrl *gomock.Controller) *MockTokenClient {
	mock := &MockTokenClient{ctrl: ctrl}
	mock.recorder = &MockTokenClientMockRecorder{mock}
	return mock
}

// EXPECT returns an object that allows the caller to indicate expected use
// nolint
func (m *MockTokenClient) EXPECT() *MockTokenClientMockRecorder {
	return m.recorder
}

// Run mocks base method
// nolint
func (m *MockTokenClient) Run(ctx context.Context) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "Run", ctx)
	ret0, _ := ret[0].(error)
	return ret0
}

// Run indicates an expected call of Run
// nolint
func (mr *MockTokenClientMockRecorder) Run(ctx interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Run", reflect.TypeOf((*MockTokenClient)(nil).Run), ctx)
}

// Issue mocks base method
// nolint
func (m *MockTokenClient) Issue(ctx context.Context, contextID string, stype common.ServiceTokenType, audience string, validity time.Duration) (string, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "Issue", ctx, contextID, stype, audience, validity)
	ret0, _ := ret[0].(string)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// Issue indicates an expected call of Issue
// nolint
func (mr *MockTokenClientMockRecorder) Issue(ctx, contextID, stype, audience, validity interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Issue", reflect.TypeOf((*MockTokenClient)(nil).Issue), ctx, contextID, stype, audience, validity)
}


================================================
FILE: controller/pkg/remoteenforcer/internal/tokenissuer/tokenissuer.go
================================================
package tokenissuer

import (
	"context"
	"errors"
	"fmt"
	"os"
	"reflect"
	"time"

	"go.aporeto.io/enforcerd/trireme-lib/common"
	"go.aporeto.io/enforcerd/trireme-lib/controller/constants"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/utils/rpcwrapper"
	"go.uber.org/zap"
)

// TokenClient interface provides a start function. the client is used to
// request tokens.
type TokenClient interface {
	Run(ctx context.Context) error
	Issue(ctx context.Context, contextID string, stype common.ServiceTokenType, audience string, validity time.Duration) (string, error)
}

const (
	tokenIssuerContextID = "UNUSED"
	retrieveTokenCommand = "ProxyRPCServer.RetrieveToken"
)

// Client represents the remote API client.
type Client struct {
	rpchdl     rpcwrapper.RPCClient
	secret     string
	socketPath string
	stop       chan bool
}

// NewClient returns a remote API client that can be used for
// issuing API calls to the master enforcer.
func NewClient() (*Client, error) {
	c := &Client{
		rpchdl:     rpcwrapper.NewRPCWrapper(),
		secret:     os.Getenv(constants.EnvStatsSecret),
		socketPath: os.Getenv(constants.EnvStatsChannel),
		stop:       make(chan bool),
	}
	if c.socketPath == "" {
		return nil, errors.New("no path to socket provided")
	}
	if c.secret == "" {
		return nil, errors.New("no secret provided for  channel")
	}

	return c, nil
}

// RetrieveToken will issue a token request to the main over the RPC channnel.
func (c *Client) RetrieveToken(contextID string, stype common.ServiceTokenType, audience string, validity time.Duration) (string, error) {

	request := &rpcwrapper.Request{
		Payload: &rpcwrapper.TokenRequestPayload{
			ContextID:        contextID,
			Audience:         audience,
			Validity:         validity,
			ServiceTokenType: stype,
		},
	}

	response := &rpcwrapper.Response{}

	if err := c.rpchdl.RemoteCall(tokenIssuerContextID, retrieveTokenCommand, request, response); err != nil {
		return "", err
	}

	payload, ok := response.Payload.(rpcwrapper.TokenResponsePayload)
	if !ok {
		return "", fmt.Errorf("unrecognized response payload. Received payload is %s", reflect.TypeOf(response.Payload))
	}

	return payload.Token, nil
}

// Issue implements the ServiceTokenIssuer interface.
func (c *Client) Issue(ctx context.Context, contextID string, stype common.ServiceTokenType, audience string, validity time.Duration) (string, error) {
	return c.RetrieveToken(contextID, stype, audience, validity)
}

// Run will initialize the client.
func (c *Client) Run(ctx context.Context) error {
	if err := c.rpchdl.NewRPCClient(tokenIssuerContextID, c.socketPath, c.secret); err != nil {
		zap.L().Error("CounterClient RPC client cannot connect", zap.Error(err))
		return err
	}
	return nil
}


================================================
FILE: controller/pkg/remoteenforcer/mockremoteenforcer/mockremoteenforcer.go
================================================
// Code generated by MockGen. DO NOT EDIT.
// Source: controller/pkg/remoteenforcer/interfaces.go

// Package mockremoteenforcer is a generated GoMock package.
package mockremoteenforcer

import (
	reflect "reflect"

	gomock "github.com/golang/mock/gomock"
	rpcwrapper "go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/utils/rpcwrapper"
)

// MockRemoteIntf is a mock of RemoteIntf interface
// nolint
type MockRemoteIntf struct {
	ctrl     *gomock.Controller
	recorder *MockRemoteIntfMockRecorder
}

// MockRemoteIntfMockRecorder is the mock recorder for MockRemoteIntf
// nolint
type MockRemoteIntfMockRecorder struct {
	mock *MockRemoteIntf
}

// NewMockRemoteIntf creates a new mock instance
// nolint
func NewMockRemoteIntf(ctrl *gomock.Controller) *MockRemoteIntf {
	mock := &MockRemoteIntf{ctrl: ctrl}
	mock.recorder = &MockRemoteIntfMockRecorder{mock}
	return mock
}

// EXPECT returns an object that allows the caller to indicate expected use
// nolint
func (m *MockRemoteIntf) EXPECT() *MockRemoteIntfMockRecorder {
	return m.recorder
}

// InitEnforcer mocks base method
// nolint
func (m *MockRemoteIntf) InitEnforcer(req rpcwrapper.Request, resp *rpcwrapper.Response) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "InitEnforcer", req, resp)
	ret0, _ := ret[0].(error)
	return ret0
}

// InitEnforcer indicates an expected call of InitEnforcer
// nolint
func (mr *MockRemoteIntfMockRecorder) InitEnforcer(req, resp interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "InitEnforcer", reflect.TypeOf((*MockRemoteIntf)(nil).InitEnforcer), req, resp)
}

// Unenforce mocks base method
// nolint
func (m *MockRemoteIntf) Unenforce(req rpcwrapper.Request, resp *rpcwrapper.Response) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "Unenforce", req, resp)
	ret0, _ := ret[0].(error)
	return ret0
}

// Unenforce indicates an expected call of Unenforce
// nolint
func (mr *MockRemoteIntfMockRecorder) Unenforce(req, resp interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Unenforce", reflect.TypeOf((*MockRemoteIntf)(nil).Unenforce), req, resp)
}

// Enforce mocks base method
// nolint
func (m *MockRemoteIntf) Enforce(req rpcwrapper.Request, resp *rpcwrapper.Response) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "Enforce", req, resp)
	ret0, _ := ret[0].(error)
	return ret0
}

// Enforce indicates an expected call of Enforce
// nolint
func (mr *MockRemoteIntfMockRecorder) Enforce(req, resp interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Enforce", reflect.TypeOf((*MockRemoteIntf)(nil).Enforce), req, resp)
}

// EnforcerExit mocks base method
// nolint
func (m *MockRemoteIntf) EnforcerExit(req rpcwrapper.Request, resp *rpcwrapper.Response) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "EnforcerExit", req, resp)
	ret0, _ := ret[0].(error)
	return ret0
}

// EnforcerExit indicates an expected call of EnforcerExit
// nolint
func (mr *MockRemoteIntfMockRecorder) EnforcerExit(req, resp interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "EnforcerExit", reflect.TypeOf((*MockRemoteIntf)(nil).EnforcerExit), req, resp)
}


================================================
FILE: controller/pkg/remoteenforcer/remoteenforcer_linux.go
================================================
// +build linux

package remoteenforcer

/*
#cgo CFLAGS: -Wall
#include <stdlib.h>
*/
import "C"

import (
	"context"
	"fmt"
	"os"
	"os/exec"
	"os/signal"
	"strings"
	"sync"
	"syscall"

	"github.com/blang/semver"
	"go.aporeto.io/enforcerd/internal/diagnostics"
	"go.aporeto.io/enforcerd/internal/logging/remotelog"
	"go.aporeto.io/enforcerd/trireme-lib/controller/constants"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer"
	_ "go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/utils/nsenter" // nolint
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/utils/rpcwrapper"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/supervisor"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/fqconfig"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/remoteenforcer/internal/client"
	reports "go.aporeto.io/enforcerd/trireme-lib/controller/pkg/remoteenforcer/internal/client/reportsclient"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/remoteenforcer/internal/client/statsclient"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/remoteenforcer/internal/statscollector"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/remoteenforcer/internal/tokenissuer"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/secrets/rpc"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
	"go.uber.org/zap"
	"golang.org/x/sys/unix"
)

// Initialization functions as variables in order to enable testing.
var (
	createEnforcer = enforcer.New

	createSupervisor = supervisor.NewSupervisor
)

var cmdLock sync.Mutex

// newRemoteEnforcer starts a new server
func newRemoteEnforcer(
	ctx context.Context,
	rpcHandle rpcwrapper.RPCServer,
	secret string,
	statsClient client.Reporter,
	collector statscollector.Collector,
	reportsClient client.Reporter,
	tokenIssuer tokenissuer.TokenClient,
	logLevel string,
	logFormat string,
	logID string,
	numQueues int,
	enforcerType policy.EnforcerType,
	agentVersion semver.Version,
) (*RemoteEnforcer, error) {

	var err error

	if collector == nil {
		collector = statscollector.NewCollector()
	}

	if statsClient == nil {
		statsClient, err = statsclient.NewStatsClient(collector)
		if err != nil {
			return nil, err
		}
	}

	if reportsClient == nil {
		reportsClient, err = reports.NewClient(collector)
		if err != nil {
			return nil, err
		}
	}

	if tokenIssuer == nil {
		tokenIssuer, err = tokenissuer.NewClient()
		if err != nil {
			return nil, err
		}

	}

	procMountPoint := os.Getenv(constants.EnvMountPoint)
	if procMountPoint == "" {
		procMountPoint = constants.DefaultProcMountPoint
	}

	fqConfig := fqconfig.NewFilterQueue(
		numQueues,
		[]string{"0.0.0.0/0"},
	)

	return &RemoteEnforcer{
		collector:      collector,
		rpcSecret:      secret,
		rpcHandle:      rpcHandle,
		procMountPoint: procMountPoint,
		statsClient:    statsClient,
		reportsClient:  reportsClient,
		ctx:            ctx,
		exit:           make(chan bool),
		tokenIssuer:    tokenIssuer,
		enforcerType:   enforcerType,
		agentVersion:   agentVersion,
		config:         logConfig{logLevel: logLevel, logFormat: logFormat, logID: logID},
		fqConfig:       fqConfig,
	}, nil
}

// InitEnforcer is a function called from the controller using RPC. It intializes
// data structure required by the remote enforcer
func (s *RemoteEnforcer) InitEnforcer(req rpcwrapper.Request, resp *rpcwrapper.Response) error {

	zap.L().Debug("Configuring remote enforcer")

	if !s.rpcHandle.CheckValidity(&req, s.rpcSecret) {
		resp.Status = fmt.Sprintf("init message authentication failed") // nolint:gosimple
		return fmt.Errorf(resp.Status)
	}
	cmdLock.Lock()
	defer cmdLock.Unlock()

	payload, ok := req.Payload.(rpcwrapper.InitRequestPayload)
	if !ok {
		resp.Status = fmt.Sprintf("invalid request payload") // nolint:gosimple
		return fmt.Errorf(resp.Status)
	}

	if s.supervisor != nil || s.enforcer != nil {
		resp.Status = fmt.Sprintf("remote enforcer is already initialized") // nolint:gosimple
		return fmt.Errorf(resp.Status)
	}

	var err error

	defer func() {
		if err != nil {
			s.cleanup()
		}
	}()

	if err = s.setupEnforcer(&payload); err != nil {
		resp.Status = err.Error()
		return fmt.Errorf(resp.Status)
	}

	if err = s.setupSupervisor(&payload); err != nil {
		resp.Status = err.Error()
		return fmt.Errorf(resp.Status)
	}

	if err = s.enforcer.Run(s.ctx); err != nil {
		resp.Status = err.Error()
		return fmt.Errorf(resp.Status)
	}

	if err = s.statsClient.Run(s.ctx); err != nil {
		resp.Status = err.Error()
		return fmt.Errorf(resp.Status)
	}

	if err = s.supervisor.Run(s.ctx); err != nil {
		resp.Status = err.Error()
		return fmt.Errorf(resp.Status)
	}

	if err = s.reportsClient.Run(s.ctx); err != nil {
		resp.Status = "ReportsClient" + err.Error()
		return fmt.Errorf(resp.Status)
	}

	if err = s.tokenIssuer.Run(s.ctx); err != nil {
		resp.Status = "TokenIssuer" + err.Error()
		return fmt.Errorf(resp.Status)
	}

	resp.Status = ""

	return nil
}

// Enforce this method calls the enforce method on the enforcer created during initenforcer
func (s *RemoteEnforcer) Enforce(req rpcwrapper.Request, resp *rpcwrapper.Response) error {

	if !s.rpcHandle.CheckValidity(&req, s.rpcSecret) {
		resp.Status = "enforce message auth failed"
		return fmt.Errorf(resp.Status)
	}

	cmdLock.Lock()
	defer cmdLock.Unlock()

	payload, ok := req.Payload.(rpcwrapper.EnforcePayload)
	if !ok {
		resp.Status = "invalid enforcer payload"
		return fmt.Errorf(resp.Status)
	}

	plc, err := payload.Policy.ToPrivatePolicy(s.ctx, true)
	if err != nil {
		return err
	}

	runtime := policy.NewPURuntimeWithDefaults()

	puInfo := &policy.PUInfo{
		ContextID: payload.ContextID,
		Policy:    plc,
		Runtime:   runtime,
	}

	if s.enforcer == nil || s.supervisor == nil {
		resp.Status = "enforcer not initialized - cannot enforce"
		return fmt.Errorf(resp.Status)
	}

	// If any error happens, cleanup everything on exit so that we can recover
	// by launcing a new remote.
	defer func() {
		if err != nil {
			s.cleanup()
		}
	}()

	if err = s.supervisor.Supervise(payload.ContextID, puInfo); err != nil {
		resp.Status = err.Error()
		return err
	}

	if err = s.enforcer.Enforce(s.ctx, payload.ContextID, puInfo); err != nil {
		resp.Status = err.Error()
		return err
	}

	resp.Status = ""

	return nil
}

// Unenforce this method calls the unenforce method on the enforcer created from initenforcer
func (s *RemoteEnforcer) Unenforce(req rpcwrapper.Request, resp *rpcwrapper.Response) error {

	if !s.rpcHandle.CheckValidity(&req, s.rpcSecret) {
		resp.Status = "unenforce message auth failed"
		return fmt.Errorf(resp.Status)
	}

	cmdLock.Lock()
	defer cmdLock.Unlock()

	s.statsClient.Send() // nolint: errcheck

	payload, ok := req.Payload.(rpcwrapper.UnEnforcePayload)
	if !ok {
		resp.Status = "invalid unenforcer payload"
		return fmt.Errorf(resp.Status)
	}

	var err error

	// If any error happens, cleanup everything on exit so that we can recover
	// by launcing a new remote.
	defer func() {
		if err != nil {
			s.cleanup()
		}
	}()

	if err = s.supervisor.Unsupervise(payload.ContextID); err != nil {
		resp.Status = err.Error()
		return fmt.Errorf("unable to clean supervisor: %s", err)
	}

	if err = s.enforcer.Unenforce(s.ctx, payload.ContextID); err != nil {
		resp.Status = err.Error()
		return fmt.Errorf("unable to stop enforcer: %s", err)
	}

	return nil
}

// SetTargetNetworks calls the same method on the actual enforcer
func (s *RemoteEnforcer) SetTargetNetworks(req rpcwrapper.Request, resp *rpcwrapper.Response) error {

	var err error
	if !s.rpcHandle.CheckValidity(&req, s.rpcSecret) {
		resp.Status = "SetTargetNetworks message auth failed" // nolint
		return fmt.Errorf(resp.Status)
	}

	cmdLock.Lock()
	defer cmdLock.Unlock()

	if s.enforcer == nil || s.supervisor == nil {
		return fmt.Errorf(resp.Status)
	}

	payload := req.Payload.(rpcwrapper.SetTargetNetworksPayload)

	// If any error happens, cleanup everything on exit so that we can recover
	// by launcing a new remote.
	defer func() {
		if err != nil {
			s.cleanup()
		}
	}()

	if err = s.enforcer.SetTargetNetworks(payload.Configuration); err != nil {
		return err
	}

	err = s.supervisor.SetTargetNetworks(payload.Configuration)

	return err
}

// EnforcerExit is processing messages from the remote that are requesting an exit. In this
// case we simply cancel the context.
func (s *RemoteEnforcer) EnforcerExit(req rpcwrapper.Request, resp *rpcwrapper.Response) error {

	s.cleanup()

	s.exit <- true

	return nil
}

// UpdateSecrets updates the secrets used by the remote enforcer
func (s *RemoteEnforcer) UpdateSecrets(req rpcwrapper.Request, resp *rpcwrapper.Response) error {
	var err error
	if !s.rpcHandle.CheckValidity(&req, s.rpcSecret) {
		resp.Status = "updatesecrets auth failed"
		return fmt.Errorf(resp.Status)
	}

	cmdLock.Lock()
	defer cmdLock.Unlock()
	if s.enforcer == nil {
		return fmt.Errorf(resp.Status)
	}

	// If any error happens, cleanup everything on exit so that we can recover
	// by launcing a new remote.
	defer func() {
		if err != nil {
			s.cleanup()
		}
	}()

	payload := req.Payload.(rpcwrapper.UpdateSecretsPayload)
	s.secrets, err = rpc.NewSecrets(payload.Secrets)
	if err != nil {
		return err
	}

	err = s.enforcer.UpdateSecrets(s.secrets)

	return err
}

// EnableDatapathPacketTracing enable nfq datapath packet tracing
func (s *RemoteEnforcer) EnableDatapathPacketTracing(req rpcwrapper.Request, resp *rpcwrapper.Response) error {

	if !s.rpcHandle.CheckValidity(&req, s.rpcSecret) {
		resp.Status = "enable datapath packet tracing auth failed"
		return fmt.Errorf(resp.Status)
	}

	cmdLock.Lock()
	defer cmdLock.Unlock()

	payload := req.Payload.(rpcwrapper.EnableDatapathPacketTracingPayLoad)

	if err := s.enforcer.EnableDatapathPacketTracing(s.ctx, payload.ContextID, payload.Direction, payload.Interval); err != nil {
		resp.Status = err.Error()
		return err
	}

	resp.Status = ""
	return nil
}

// EnableIPTablesPacketTracing enables iptables trace packet tracing
func (s *RemoteEnforcer) EnableIPTablesPacketTracing(req rpcwrapper.Request, resp *rpcwrapper.Response) error {

	if !s.rpcHandle.CheckValidity(&req, s.rpcSecret) {
		resp.Status = "enable iptable packet tracing auth failed"
		return fmt.Errorf(resp.Status)
	}

	cmdLock.Lock()
	defer cmdLock.Unlock()

	payload := req.Payload.(rpcwrapper.EnableIPTablesPacketTracingPayLoad)

	if err := s.supervisor.EnableIPTablesPacketTracing(s.ctx, payload.ContextID, payload.Interval); err != nil {
		resp.Status = err.Error()
		return err
	}

	resp.Status = ""
	return nil
}

// Ping runs ping to the given config
func (s *RemoteEnforcer) Ping(req rpcwrapper.Request, resp *rpcwrapper.Response) error {

	if !s.rpcHandle.CheckValidity(&req, s.rpcSecret) {
		resp.Status = "ping auth failed"
		return fmt.Errorf(resp.Status)
	}

	cmdLock.Lock()
	defer cmdLock.Unlock()

	payload := req.Payload.(rpcwrapper.PingPayload)

	if err := s.enforcer.Ping(s.ctx, payload.ContextID, payload.PingConfig); err != nil {
		resp.Status = err.Error()
		return err
	}

	resp.Status = ""
	return nil
}

// DebugCollect collects the desired debug information
func (s *RemoteEnforcer) DebugCollect(req rpcwrapper.Request, resp *rpcwrapper.Response) error {

	if !s.rpcHandle.CheckValidity(&req, s.rpcSecret) {
		resp.Status = "debug collect auth failed"
		return fmt.Errorf(resp.Status)
	}

	cmdLock.Lock()
	defer cmdLock.Unlock()

	payload := req.Payload.(rpcwrapper.DebugCollectPayload)

	var commandOutput string
	var pid int

	if payload.CommandExec != "" {
		if values := strings.Split(payload.CommandExec, " "); len(values) >= 1 {
			cmd := exec.CommandContext(s.ctx, values[0], values[1:]...)
			output, err := cmd.CombinedOutput()
			if err != nil {
				resp.Status = err.Error()
				return err
			}
			commandOutput = string(output)
		}
	} else if payload.PcapFilePath != "" {
		cmd, err := diagnostics.StartTcpdump(s.ctx, payload.PcapFilePath, payload.PcapFilter)
		if err != nil {
			resp.Status = err.Error()
			return err
		}

		// spawn goroutine to call Wait() so we don't have defunct child process
		go func() {
			if err := cmd.Wait(); err != nil {
				zap.L().Warn("DebugCollect Wait failed on tcpdump process", zap.Error(err))
			}
		}()

		pid = cmd.Process.Pid
	} else {
		// otherwise, return pid of remote enforcer
		pid = os.Getpid()
	}

	resp.Status = ""
	resp.Payload = rpcwrapper.DebugCollectResponsePayload{
		ContextID:     payload.ContextID,
		PID:           pid,
		CommandOutput: commandOutput,
	}
	return nil
}

// SetLogLevel sets log level.
func (s *RemoteEnforcer) SetLogLevel(req rpcwrapper.Request, resp *rpcwrapper.Response) error {

	if !s.rpcHandle.CheckValidity(&req, s.rpcSecret) {
		resp.Status = "set log level auth failed"
		return fmt.Errorf(resp.Status)
	}

	cmdLock.Lock()
	defer cmdLock.Unlock()
	if s.enforcer == nil {
		return fmt.Errorf(resp.Status)
	}

	payload := req.Payload.(rpcwrapper.SetLogLevelPayload)

	newLevel := triremeLogLevelToString(payload.Level)
	if payload.Level != "" && s.config.logLevel != newLevel {
		remotelog.SetupRemoteLogger(newLevel, s.config.logFormat, s.config.logID) // nolint: errcheck
		s.config.logLevel = newLevel

		if err := s.enforcer.SetLogLevel(payload.Level); err != nil {
			resp.Status = err.Error()
			return err
		}
	}

	resp.Status = ""
	return nil
}

func triremeLogLevelToString(level constants.LogLevel) string {
	switch level {
	case constants.Debug:
		return "debug"
	case constants.Trace:
		return "trace"
	case constants.Error:
		return "error"
	case constants.Info:
		return "info"
	case constants.Warn:
		return "warn"
	default:
		return "info"
	}
}

// setup an enforcer
func (s *RemoteEnforcer) setupEnforcer(payload *rpcwrapper.InitRequestPayload) error {

	var err error

	s.secrets, err = rpc.NewSecrets(payload.Secrets)
	if err != nil {
		return err
	}

	// we are usually always starting RemoteContainer enforcers,
	// however, if envoy is requested, we change the mode to RemoteContainerEnvoyAuthorizer
	mode := constants.RemoteContainer
	if s.enforcerType == policy.EnvoyAuthorizerEnforcer {
		mode = constants.RemoteContainerEnvoyAuthorizer
	}

	if s.enforcer, err = createEnforcer(
		payload.MutualAuth,
		s.fqConfig,
		s.collector,
		s.secrets,
		payload.ServerID,
		payload.Validity,
		mode,
		s.procMountPoint,
		payload.ExternalIPCacheTimeout,
		payload.PacketLogs,
		payload.Configuration,
		s.tokenIssuer,
		payload.IsBPFEnabled,
		s.agentVersion,
		payload.ServiceMeshType,
	); err != nil || s.enforcer == nil {
		return fmt.Errorf("Error while initializing remote enforcer, %s", err)
	}

	return nil
}

func (s *RemoteEnforcer) setupSupervisor(payload *rpcwrapper.InitRequestPayload) error {

	// we are usually always starting RemoteContainer enforcers,
	// however, if envoy is requested, we change the mode to RemoteContainerEnvoyAuthorizer
	mode := constants.RemoteContainer
	if s.enforcerType == policy.EnvoyAuthorizerEnforcer {
		mode = constants.RemoteContainerEnvoyAuthorizer
	}

	h, err := createSupervisor(
		s.collector,
		s.enforcer,
		mode,
		payload.Configuration,
		payload.IPv6Enabled,
		payload.IPTablesLockfile,
	)
	if err != nil {
		return fmt.Errorf("unable to setup supervisor: %s", err)
	}
	s.supervisor = h

	return nil
}

// cleanup cleans all the acls and any state of the local enforcer.
func (s *RemoteEnforcer) cleanup() {

	if s.supervisor != nil {
		if err := s.supervisor.CleanUp(); err != nil {
			zap.L().Error("unable to clean supervisor state", zap.Error(err))
		}
	}

	if s.enforcer != nil {
		if err := s.enforcer.CleanUp(); err != nil {
			zap.L().Error("unable to clean enforcer state", zap.Error(err))
		}
	}

	if s.service != nil {
		if err := s.service.Stop(); err != nil {
			zap.L().Error("unable to clean service state", zap.Error(err))
		}
	}
}

// LaunchRemoteEnforcer launches a remote enforcer
func LaunchRemoteEnforcer(ctx context.Context, logLevel, logFormat, logID string, numQueues int, agentVersion semver.Version) error {

	// Before doing anything validate that we are in the right namespace.
	if err := validateNamespace(); err != nil {
		return err
	}

	namedPipe := os.Getenv(constants.EnvContextSocket)
	secret := os.Getenv(constants.EnvRPCClientSecret)
	if secret == "" {
		zap.L().Fatal("No secret found")
	}
	os.Setenv(constants.EnvRPCClientSecret, "") // nolint: errcheck

	flag := unix.SIGHUP
	if err := unix.Prctl(unix.PR_SET_PDEATHSIG, uintptr(flag), 0, 0, 0); err != nil {
		return err
	}

	enforcerType, err := policy.EnforcerTypeFromString(os.Getenv(constants.EnvEnforcerType))
	if err != nil {
		return err
	}

	rpcHandle := rpcwrapper.NewRPCServer()
	re, err := newRemoteEnforcer(ctx, rpcHandle, secret, nil, nil, nil, nil, logLevel, logFormat, logID, numQueues, enforcerType, agentVersion)
	if err != nil {
		return err
	}

	go func() {
		if err := rpcHandle.StartServer(ctx, "unix", namedPipe, re); err != nil {
			zap.L().Fatal("Failed to start the RPC server", zap.Error(err))
		}
	}()

	c := make(chan os.Signal, 1)
	signal.Notify(c, syscall.SIGTERM, syscall.SIGINT, syscall.SIGQUIT)

	select {

	case <-re.exit:
		zap.L().Info("Remote enforcer exiting ...")

	case sig := <-c:
		zap.L().Warn("Remote enforcer received a signal. exiting ...", zap.Any("signal", sig))
		re.cleanup()
		// TODO would be useful to set and return an exit code (instead of nil) to indicate the signal received

	case <-ctx.Done():
		re.cleanup()
	}

	return nil
}

// getCEnvVariable returns an environment variable set in the c context
func getCEnvVariable(name string) string {

	val := C.getenv(C.CString(name))
	if val == nil {
		return ""
	}

	return C.GoString(val)
}

func validateNamespace() error {
	// Check if successfully switched namespace
	nsEnterState := getCEnvVariable(constants.EnvNsenterErrorState)
	nsEnterLogMsg := getCEnvVariable(constants.EnvNsenterLogs)
	if nsEnterState != "" {
		return fmt.Errorf("nsErr: %s nsLogs: %s", nsEnterState, nsEnterLogMsg)
	}

	return nil
}


================================================
FILE: controller/pkg/remoteenforcer/remoteenforcer_stub.go
================================================
// +build !linux

package remoteenforcer

import (
	"context"

	"github.com/blang/semver"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/remoteenforcer/internal/client"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/remoteenforcer/internal/tokenissuer"
	"go.aporeto.io/enforcerd/trireme-lib/policy"

	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/utils/rpcwrapper"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/supervisor"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/remoteenforcer/internal/statscollector"
)

// nolint:unused // seem to be used by the test
var (
	createEnforcer   = enforcer.New
	createSupervisor = supervisor.NewSupervisor
)

// newRemoteEnforcer starts a new server
func newRemoteEnforcer(
	ctx context.Context,
	rpcHandle rpcwrapper.RPCServer,
	secret string,
	statsClient client.Reporter,
	collector statscollector.Collector,
	reportsClient client.Reporter,
	tokenIssuer tokenissuer.TokenClient,
	logLevel string,
	logFormat string,
	logID string,
	numQueues int,
	enforcerType policy.EnforcerType,
	agentVersion semver.Version,
) (*RemoteEnforcer, error) {
	return nil, nil
}

// LaunchRemoteEnforcer is a fake implementation for building on darwin.
func LaunchRemoteEnforcer(ctx context.Context, logLevel, logFormat, logID string, numQueues int, agentVersion semver.Version) error {
	return nil
}

// InitEnforcer is a function called from the controller using RPC. It intializes data structure required by the
// remote enforcer
func (s *RemoteEnforcer) InitEnforcer(req rpcwrapper.Request, resp *rpcwrapper.Response) error {
	return nil
}

// Enforce this method calls the enforce method on the enforcer created during initenforcer
func (s *RemoteEnforcer) Enforce(req rpcwrapper.Request, resp *rpcwrapper.Response) error {
	return nil
}

// Unenforce this method calls the unenforce method on the enforcer created from initenforcer
func (s *RemoteEnforcer) Unenforce(req rpcwrapper.Request, resp *rpcwrapper.Response) error {
	return nil
}

// EnforcerExit this method is called when  we received a killrpocess message from the controller
// This allows a graceful exit of the enforcer
func (s *RemoteEnforcer) EnforcerExit(req rpcwrapper.Request, resp *rpcwrapper.Response) error {
	return nil
}

// EnableDatapathPacketTracing enable nfq datapath packet tracing
func (s *RemoteEnforcer) EnableDatapathPacketTracing(req rpcwrapper.Request, resp *rpcwrapper.Response) error {
	return nil
}

// EnableIPTablesPacketTracing enables iptables trace packet tracing
func (s *RemoteEnforcer) EnableIPTablesPacketTracing(req rpcwrapper.Request, resp *rpcwrapper.Response) error {
	return nil
}


================================================
FILE: controller/pkg/remoteenforcer/remoteenforcer_test.go
================================================
package remoteenforcer

import (
	"context"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"os"
	"testing"
	"time"

	"github.com/blang/semver"
	"github.com/golang/mock/gomock"
	"github.com/mitchellh/hashstructure"
	. "github.com/smartystreets/goconvey/convey"
	"go.aporeto.io/enforcerd/trireme-lib/collector"
	"go.aporeto.io/enforcerd/trireme-lib/common"
	"go.aporeto.io/enforcerd/trireme-lib/controller/constants"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/mockenforcer"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/utils/rpcwrapper"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/utils/rpcwrapper/mockrpcwrapper"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/supervisor"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/supervisor/mocksupervisor"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/fqconfig"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/remoteenforcer/internal/client/mockclient"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/remoteenforcer/internal/statscollector/mockstatscollector"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/remoteenforcer/internal/tokenissuer/mocktokenclient"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/secrets"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/secrets/testhelper"
	"go.aporeto.io/enforcerd/trireme-lib/controller/runtime"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
)

const (
	pcchan = "/tmp/test.sock"
)

func initTestEnfReqPayload() rpcwrapper.InitRequestPayload {
	var initEnfPayload rpcwrapper.InitRequestPayload

	initEnfPayload.Validity = constants.SynTokenRefreshTime
	initEnfPayload.MutualAuth = true
	initEnfPayload.ServerID = "598236b81c252c000102665d"

	_, s, err := testhelper.NewTestCompactPKISecrets()
	if err != nil {
		fmt.Println("CompackPKI creation failed with:", err)
	}
	initEnfPayload.Secrets = s.RPCSecrets()
	initEnfPayload.Configuration = &runtime.Configuration{}
	return initEnfPayload
}

func initIdentity(id string) *policy.TagStore {
	initID := policy.NewTagStore()
	initID.AppendKeyValue(id, "")
	return initID
}

func initAnnotations(an string) *policy.TagStore {
	initAnno := policy.NewTagStore()
	initAnno.AppendKeyValue(an, "")
	return initAnno
}

func initTrans() policy.TagSelectorList {

	var tags policy.TagSelectorList
	var tag policy.TagSelector
	var keyval policy.KeyValueOperator
	var action policy.FlowPolicy
	var accept policy.ActionType

	keyval.Key = "@usr:role"
	keyval.Value = []string{"server"}
	keyval.Operator = "="
	accept = policy.Accept
	action.Action = accept
	tag.Clause = []policy.KeyValueOperator{keyval}
	tag.Policy = &action
	tags = []policy.TagSelector{tag}

	return tags
}

func getHash(payload interface{}) []byte {
	hash, err := hashstructure.Hash(payload, nil)
	if err != nil {
		return []byte{}
	}

	buf := make([]byte, 8)
	binary.BigEndian.PutUint64(buf, hash)
	return buf
}

func initTestEnfPayload() rpcwrapper.EnforcePayload {

	var initPayload rpcwrapper.EnforcePayload
	idString := "@usr:role=client $namespace=/sibicentos AporetoContextID=5983bc8c923caa0001337b11"
	anoString := "@app:name=/inspiring_roentgen $namespace=/sibicentos @usr:build-date=20170801 @usr:license=GPLv2 @usr:name=CentOS Base Image @usr:role=client @usr:vendor=CentOS $id=5983bc8c923caa0001337b11 $namespace=/sibicentos $operationalstatus=Running $protected=false $type=Docker $description=centos $enforcerid=5983bba4923caa0001337a19 $name=centos $nativecontextid=b06f47830f64 @app:image=centos @usr:role=client role=client $id=5983bc8c923caa0001337b11 $identity=processingunit $id=5983bc8c923caa0001337b11 $namespace=/sibicentos"

	initPayload.ContextID = "b06f47830f64"
	initPayload.Policy = &policy.PUPolicyPublic{
		ManagementID:     "5983bc8c923caa0001337b11",
		TriremeAction:    2,
		IPs:              policy.ExtendedMap{"bridge": "172.17.0.2"},
		Identity:         initIdentity(idString).GetSlice(),
		Annotations:      initAnnotations(anoString).GetSlice(),
		CompressedTags:   policy.NewTagStore().GetSlice(),
		TransmitterRules: initTrans(),
	}

	return initPayload
}

func initTestUnEnfPayload() rpcwrapper.UnEnforcePayload {

	var initPayload rpcwrapper.UnEnforcePayload

	initPayload.ContextID = "b06f47830f64"

	return initPayload
}

func Test_NewRemoteEnforcer(t *testing.T) {

	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	Convey("When I try to retrieve rpc server handle", t, func() {

		rpcHdl := mockrpcwrapper.NewMockRPCServer(ctrl)
		statsClient := mockclient.NewMockReporter(ctrl)
		reportsClient := mockclient.NewMockReporter(ctrl)
		collector := mockstatscollector.NewMockCollector(ctrl)
		tokenclient := mocktokenclient.NewMockTokenClient(ctrl)
		Convey("When I try to create new server with no env set", func() {
			ctx := context.Background()

			rpcHdl.EXPECT().StartServer(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Times(0)
			server, err := newRemoteEnforcer(ctx, rpcHdl, "mysecret", statsClient, collector, reportsClient, tokenclient, "", "", "", 1, policy.EnforcerMapping, semver.Version{})

			Convey("Then I should get error for no stats", func() {
				So(err, ShouldBeNil)
				So(server, ShouldNotBeNil)
				So(server.service, ShouldBeNil)
				So(server.rpcHandle, ShouldEqual, rpcHdl)
				So(server.procMountPoint, ShouldResemble, constants.DefaultProcMountPoint)
				So(server.statsClient, ShouldEqual, statsClient)
				So(server.reportsClient, ShouldEqual, reportsClient)
				So(server.ctx, ShouldEqual, ctx)
				So(server.exit, ShouldNotBeNil)
			})
		})
	})
}

func TestInitEnforcer(t *testing.T) {

	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	Convey("When I try to retrieve rpc server handle", t, func() {
		rpcHdl := mockrpcwrapper.NewMockRPCServer(ctrl)
		mockEnf := mockenforcer.NewMockEnforcer(ctrl)
		mockStats := mockclient.NewMockReporter(ctrl)
		mockReports := mockclient.NewMockReporter(ctrl)
		mockCollector := mockstatscollector.NewMockCollector(ctrl)
		mockSupevisor := mocksupervisor.NewMockSupervisor(ctrl)
		mockTokenClient := mocktokenclient.NewMockTokenClient(ctrl)

		// Mock the global functions.
		createEnforcer = func(
			mutualAuthorization bool,
			fqConfig fqconfig.FilterQueue,
			collector collector.EventCollector,
			secrets secrets.Secrets,
			serverID string,
			validity time.Duration,
			mode constants.ModeType,
			procMountPoint string,
			externalIPCacheTimeout time.Duration,
			packetLogs bool,
			cfg *runtime.Configuration,
			tokenIssuer common.ServiceTokenIssuer,
			isBPFEnabled bool,
			agentVersion semver.Version,
			serviceMeshType policy.ServiceMesh,
		) (enforcer.Enforcer, error) {
			return mockEnf, nil
		}

		createSupervisor = func(
			collector collector.EventCollector,
			enforcerInstance enforcer.Enforcer,
			mode constants.ModeType,
			cfg *runtime.Configuration,
			ipv6Enabled bool,
			iptablesLockfile string,
		) (supervisor.Supervisor, error) {
			return mockSupevisor, nil
		}
		defer func() {
			createSupervisor = supervisor.NewSupervisor
			createEnforcer = enforcer.New
		}()

		Convey("When I try to create new server with env set", func() {
			serr := os.Setenv(constants.EnvStatsChannel, pcchan)
			So(serr, ShouldBeNil)
			serr = os.Setenv(constants.EnvStatsSecret, "T6UYZGcKW-aum_vi-XakafF3vHV7F6x8wdofZs7akGU=")
			So(serr, ShouldBeNil)

			secret := "T6UYZGcKW-aum_vi-XakafF3vHV7F6x8wdofZs7akGU="
			server, err := newRemoteEnforcer(context.Background(), rpcHdl, secret, mockStats, mockCollector, mockReports, mockTokenClient, "", "", "", 1, policy.EnforcerMapping, semver.Version{})
			So(err, ShouldBeNil)

			Convey("When I try to initiate an enforcer with invalid secret", func() {
				rpcHdl.EXPECT().CheckValidity(gomock.Any(), os.Getenv(constants.EnvStatsSecret)).Times(1).Return(false)

				var rpcwrperreq rpcwrapper.Request
				var rpcwrperres rpcwrapper.Response

				rpcwrperreq.Payload = initTestEnfReqPayload()

				err := server.InitEnforcer(rpcwrperreq, &rpcwrperres)

				Convey("Then I should get error", func() {
					So(err, ShouldResemble, errors.New("init message authentication failed"))
				})
			})

			Convey("When I try to instantiate the enforcer with a bad payload, it should error ", func() {
				rpcHdl.EXPECT().CheckValidity(gomock.Any(), os.Getenv(constants.EnvStatsSecret)).Times(1).Return(true)

				var rpcwrperreq rpcwrapper.Request
				var rpcwrperres rpcwrapper.Response

				rpcwrperreq.Payload = initTestEnfPayload()

				err := server.InitEnforcer(rpcwrperreq, &rpcwrperres)

				Convey("Then I should get error", func() {
					So(err, ShouldResemble, errors.New("invalid request payload"))
				})
			})

			Convey("When I try to instantiate the enforcer amd the enforcer is initialized, it should fail ", func() {
				rpcHdl.EXPECT().CheckValidity(gomock.Any(), os.Getenv(constants.EnvStatsSecret)).Times(1).Return(true)

				var rpcwrperreq rpcwrapper.Request
				var rpcwrperres rpcwrapper.Response

				rpcwrperreq.Payload = initTestEnfReqPayload()

				server.enforcer = mockEnf

				err := server.InitEnforcer(rpcwrperreq, &rpcwrperres)

				Convey("Then I should get error", func() {
					So(err, ShouldResemble, errors.New("remote enforcer is already initialized"))
				})
			})

			Convey("When I try to instantiate the enforcer and the enforcer fails, it should fail and cleanup", func() {
				rpcHdl.EXPECT().CheckValidity(gomock.Any(), os.Getenv(constants.EnvStatsSecret)).Times(1).Return(true)

				var rpcwrperreq rpcwrapper.Request
				var rpcwrperres rpcwrapper.Response

				rpcwrperreq.Payload = initTestEnfReqPayload()

				createEnforcer = func(
					mutualAuthorization bool,
					fqConfig fqconfig.FilterQueue,
					collector collector.EventCollector,
					secrets secrets.Secrets,
					serverID string,
					validity time.Duration,
					mode constants.ModeType,
					procMountPoint string,
					externalIPCacheTimeout time.Duration,
					packetLogs bool,
					cfg *runtime.Configuration,
					tokenIssuer common.ServiceTokenIssuer,
					isBPFEnabled bool,
					agentVersion semver.Version,
					serviceMeshType policy.ServiceMesh,
				) (enforcer.Enforcer, error) {
					return nil, fmt.Errorf("failed enforcer")
				}

				err := server.InitEnforcer(rpcwrperreq, &rpcwrperres)

				Convey("Then I should get error", func() {
					So(err, ShouldNotBeNil)
					So(err, ShouldResemble, errors.New("Error while initializing remote enforcer, failed enforcer"))
				})
			})

			Convey("When I try to instantiate the enforcer and the supervisor fails, it should fail", func() {
				rpcHdl.EXPECT().CheckValidity(gomock.Any(), os.Getenv(constants.EnvStatsSecret)).Times(1).Return(true)

				var rpcwrperreq rpcwrapper.Request
				var rpcwrperres rpcwrapper.Response

				rpcwrperreq.Payload = initTestEnfReqPayload()

				createSupervisor = func(
					collector collector.EventCollector,
					enforcerInstance enforcer.Enforcer,
					mode constants.ModeType,
					cfg *runtime.Configuration,
					ipv6Enabled bool,
					iptablesLockfile string,
				) (supervisor.Supervisor, error) {
					return nil, fmt.Errorf("failed supervisor")
				}

				mockEnf.EXPECT().CleanUp()

				err := server.InitEnforcer(rpcwrperreq, &rpcwrperres)

				Convey("Then I should get error", func() {
					So(err, ShouldNotBeNil)
					So(err, ShouldResemble, errors.New("unable to setup supervisor: failed supervisor"))
				})
			})

			Convey("When I try to instantiate the enforcer and the controller fails to run, it should clean up", func() {
				rpcHdl.EXPECT().CheckValidity(gomock.Any(), os.Getenv(constants.EnvStatsSecret)).Times(1).Return(true)

				var rpcwrperreq rpcwrapper.Request
				var rpcwrperres rpcwrapper.Response

				rpcwrperreq.Payload = initTestEnfReqPayload()

				mockEnf.EXPECT().Run(server.ctx).Return(fmt.Errorf("enforcer run error"))
				mockSupevisor.EXPECT().CleanUp()
				mockEnf.EXPECT().CleanUp()

				err := server.InitEnforcer(rpcwrperreq, &rpcwrperres)

				Convey("Then I should get error", func() {
					So(err, ShouldNotBeNil)
					So(err, ShouldResemble, errors.New("enforcer run error"))
				})
			})

			Convey("When I try to instantiate the enforcer and the statclient fails to run, it should clean up", func() {
				rpcHdl.EXPECT().CheckValidity(gomock.Any(), os.Getenv(constants.EnvStatsSecret)).Times(1).Return(true)

				var rpcwrperreq rpcwrapper.Request
				var rpcwrperres rpcwrapper.Response

				rpcwrperreq.Payload = initTestEnfReqPayload()

				mockEnf.EXPECT().Run(server.ctx).Return(nil)
				mockStats.EXPECT().Run(server.ctx).Return(fmt.Errorf("stats error"))
				mockSupevisor.EXPECT().CleanUp()
				mockEnf.EXPECT().CleanUp()

				err := server.InitEnforcer(rpcwrperreq, &rpcwrperres)

				Convey("Then I should get error", func() {
					So(err, ShouldNotBeNil)
					So(err, ShouldResemble, errors.New("stats error"))
				})
			})

			Convey("When I try to instantiate the enforcer and the supervisor fails to run, it should clean up", func() {
				rpcHdl.EXPECT().CheckValidity(gomock.Any(), os.Getenv(constants.EnvStatsSecret)).Times(1).Return(true)

				var rpcwrperreq rpcwrapper.Request
				var rpcwrperres rpcwrapper.Response

				rpcwrperreq.Payload = initTestEnfReqPayload()

				mockEnf.EXPECT().Run(server.ctx).Return(nil)
				mockStats.EXPECT().Run(server.ctx).Return(nil)
				mockSupevisor.EXPECT().Run(server.ctx).Return(fmt.Errorf("supervisor run"))
				mockSupevisor.EXPECT().CleanUp()
				mockEnf.EXPECT().CleanUp()

				err := server.InitEnforcer(rpcwrperreq, &rpcwrperres)

				Convey("Then I should get error", func() {
					So(err, ShouldNotBeNil)
					So(err, ShouldResemble, errors.New("supervisor run"))
				})
			})

			Convey("When i try to instantiate the enforcer and reports Client fails to run it should cleanup", func() {
				rpcHdl.EXPECT().CheckValidity(gomock.Any(), os.Getenv(constants.EnvStatsSecret)).Times(1).Return(true)

				var rpcwrperreq rpcwrapper.Request
				var rpcwrperres rpcwrapper.Response

				rpcwrperreq.Payload = initTestEnfReqPayload()

				mockEnf.EXPECT().Run(server.ctx).Return(nil)
				mockStats.EXPECT().Run(server.ctx).Return(nil)
				mockSupevisor.EXPECT().Run(server.ctx).Return(nil)
				mockReports.EXPECT().Run(server.ctx).Return(errors.New("failed to run counterclient"))
				mockSupevisor.EXPECT().CleanUp()
				mockEnf.EXPECT().CleanUp()

				err := server.InitEnforcer(rpcwrperreq, &rpcwrperres)

				Convey("Then I should get error", func() {
					So(err, ShouldNotBeNil)
					So(err, ShouldResemble, errors.New("ReportsClientfailed to run counterclient"))
				})

			})
			Convey("When I try to instantiate the enforcer and it succeeds it should not error", func() {
				rpcHdl.EXPECT().CheckValidity(gomock.Any(), os.Getenv(constants.EnvStatsSecret)).Times(1).Return(true)

				var rpcwrperreq rpcwrapper.Request
				var rpcwrperres rpcwrapper.Response

				rpcwrperreq.Payload = initTestEnfReqPayload()

				mockEnf.EXPECT().Run(server.ctx).Return(nil)
				mockStats.EXPECT().Run(server.ctx).Return(nil)
				mockSupevisor.EXPECT().Run(server.ctx).Return(nil)
				mockReports.EXPECT().Run(server.ctx).Return(nil)
				mockTokenClient.EXPECT().Run(server.ctx).Return(nil)
				err := server.InitEnforcer(rpcwrperreq, &rpcwrperres)

				Convey("Then I should not get error", func() {
					So(err, ShouldBeNil)
				})
			})

		})
	})
}

func TestEnforce(t *testing.T) {
	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	Convey("When I try to retrieve rpc server handle", t, func() {
		rpcHdl := mockrpcwrapper.NewMockRPCServer(ctrl)
		mockEnf := mockenforcer.NewMockEnforcer(ctrl)
		mockSup := mocksupervisor.NewMockSupervisor(ctrl)
		ctx, cancel := context.WithCancel(context.TODO())

		Convey("When I try to create new server with env set", func() {

			server := &RemoteEnforcer{
				rpcHandle:  rpcHdl,
				supervisor: mockSup,
				enforcer:   mockEnf,
				ctx:        ctx,
				cancel:     cancel,
			}

			Convey("When I try to send enforce command with invalid secret", func() {
				rpcHdl.EXPECT().CheckValidity(gomock.Any(), gomock.Any()).Times(1).Return(false)
				var rpcwrperreq rpcwrapper.Request
				var rpcwrperres rpcwrapper.Response

				rpcwrperreq.HashAuth = []byte{0xDE, 0xBD, 0x1C, 0x6A, 0x2A, 0x51, 0xC0, 0x02, 0x4B, 0xD7, 0xD1, 0x82, 0x78, 0x8A, 0xC4, 0xF1, 0xBE, 0xBF, 0x00, 0x89, 0x47, 0x0F, 0x13, 0x71, 0xAB, 0x4C, 0x0D, 0xD9, 0x9D, 0x85, 0x45, 0x04}
				rpcwrperreq.Payload = initTestEnfPayload()
				rpcwrperres.Status = ""

				digest := hmac.New(sha256.New, []byte("InvalidSecret"))
				if _, err := digest.Write(getHash(rpcwrperreq.Payload)); err != nil {
					So(err, ShouldBeNil)
				}
				rpcwrperreq.HashAuth = digest.Sum(nil)
				server.enforcer = mockEnf

				err := server.Enforce(rpcwrperreq, &rpcwrperres)

				Convey("Then I should get error", func() {
					So(err, ShouldNotBeNil)
					So(err, ShouldResemble, errors.New("enforce message auth failed"))
				})
			})

			Convey("When I try to send enforce command with wrong payload it should fail", func() {
				rpcHdl.EXPECT().CheckValidity(gomock.Any(), gomock.Any()).Times(1).Return(true)
				var rpcwrperreq rpcwrapper.Request
				var rpcwrperres rpcwrapper.Response

				rpcwrperreq.Payload = initTestEnfReqPayload()

				err := server.Enforce(rpcwrperreq, &rpcwrperres)

				Convey("Then I should get error", func() {
					So(err, ShouldNotBeNil)
					So(err, ShouldResemble, errors.New("invalid enforcer payload"))
				})
			})

			Convey("When I try to send enforce command and the supervisor is nil, it should fail", func() {
				rpcHdl.EXPECT().CheckValidity(gomock.Any(), gomock.Any()).Times(1).Return(true)
				var rpcwrperreq rpcwrapper.Request
				var rpcwrperres rpcwrapper.Response

				rpcwrperreq.Payload = initTestEnfPayload()
				server.supervisor = nil

				err := server.Enforce(rpcwrperreq, &rpcwrperres)

				Convey("Then I should get error", func() {
					So(err, ShouldNotBeNil)
					So(err, ShouldResemble, errors.New("enforcer not initialized - cannot enforce"))
				})
			})

			Convey("When I try to send enforce command and the supervisor fails, it should fail and cleanup", func() {
				rpcHdl.EXPECT().CheckValidity(gomock.Any(), gomock.Any()).Times(1).Return(true)
				mockSup.EXPECT().Supervise(gomock.Any(), gomock.Any()).Return(fmt.Errorf("supervisor error"))
				mockSup.EXPECT().CleanUp()
				mockEnf.EXPECT().CleanUp()

				var rpcwrperreq rpcwrapper.Request
				var rpcwrperres rpcwrapper.Response

				rpcwrperreq.Payload = initTestEnfPayload()

				err := server.Enforce(rpcwrperreq, &rpcwrperres)

				Convey("Then I should get error", func() {
					So(err, ShouldNotBeNil)
					So(err, ShouldResemble, errors.New("supervisor error"))
				})
			})

			Convey("When I try to send enforce command and the enforcer fails, it should fail and cleanup", func() {
				rpcHdl.EXPECT().CheckValidity(gomock.Any(), gomock.Any()).Times(1).Return(true)
				mockSup.EXPECT().Supervise(gomock.Any(), gomock.Any()).Return(nil)
				mockEnf.EXPECT().Enforce(gomock.Any(), gomock.Any(), gomock.Any()).Return(fmt.Errorf("enforcer error"))
				mockSup.EXPECT().CleanUp()
				mockEnf.EXPECT().CleanUp()

				var rpcwrperreq rpcwrapper.Request
				var rpcwrperres rpcwrapper.Response

				rpcwrperreq.Payload = initTestEnfPayload()

				err := server.Enforce(rpcwrperreq, &rpcwrperres)

				Convey("Then I should get error", func() {
					So(err, ShouldNotBeNil)
					So(err, ShouldResemble, errors.New("enforcer error"))
				})
			})

			Convey("When the enforce command succeeds, I should get no errors", func() {
				rpcHdl.EXPECT().CheckValidity(gomock.Any(), gomock.Any()).Times(1).Return(true)
				mockSup.EXPECT().Supervise(gomock.Any(), gomock.Any()).Return(nil)
				mockEnf.EXPECT().Enforce(gomock.Any(), gomock.Any(), gomock.Any()).Return(nil)

				var rpcwrperreq rpcwrapper.Request
				var rpcwrperres rpcwrapper.Response

				rpcwrperreq.Payload = initTestEnfPayload()

				err := server.Enforce(rpcwrperreq, &rpcwrperres)

				Convey("Then I should not get an error ", func() {
					So(err, ShouldBeNil)
				})
			})
		})
	})
}

func Test_UnEnforce(t *testing.T) {
	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	Convey("Given a new server", t, func() {
		rpcHdl := mockrpcwrapper.NewMockRPCServer(ctrl)
		mockEnf := mockenforcer.NewMockEnforcer(ctrl)
		mockSup := mocksupervisor.NewMockSupervisor(ctrl)
		mockStats := mockclient.NewMockReporter(ctrl)
		ctx, cancel := context.WithCancel(context.TODO())

		Convey("With proper initialization", func() {

			server := &RemoteEnforcer{
				rpcHandle:   rpcHdl,
				supervisor:  mockSup,
				enforcer:    mockEnf,
				ctx:         ctx,
				cancel:      cancel,
				statsClient: mockStats,
			}

			Convey("When I try to send unenforce command with invalid secret", func() {
				rpcHdl.EXPECT().CheckValidity(gomock.Any(), gomock.Any()).Times(1).Return(false)
				var rpcwrperreq rpcwrapper.Request
				var rpcwrperres rpcwrapper.Response

				rpcwrperreq.Payload = initTestUnEnfPayload()
				rpcwrperres.Status = ""

				err := server.Unenforce(rpcwrperreq, &rpcwrperres)

				Convey("Then I should get error", func() {
					So(err, ShouldNotBeNil)
					So(err, ShouldResemble, errors.New("unenforce message auth failed"))
				})
			})

			Convey("When I try to send unenforce command with wrong payload it should fail", func() {
				rpcHdl.EXPECT().CheckValidity(gomock.Any(), gomock.Any()).Times(1).Return(true)
				mockStats.EXPECT().Send()
				var rpcwrperreq rpcwrapper.Request
				var rpcwrperres rpcwrapper.Response

				rpcwrperreq.Payload = initTestEnfReqPayload()

				err := server.Unenforce(rpcwrperreq, &rpcwrperres)

				Convey("Then I should get error", func() {
					So(err, ShouldNotBeNil)
					So(err, ShouldResemble, errors.New("invalid unenforcer payload"))
				})
			})

			Convey("When I try to send unenforce command and the supervisor fails, it should fail and cleanup", func() {
				rpcHdl.EXPECT().CheckValidity(gomock.Any(), gomock.Any()).Times(1).Return(true)
				mockStats.EXPECT().Send()
				mockSup.EXPECT().Unsupervise(gomock.Any()).Return(fmt.Errorf("supervisor error"))
				mockSup.EXPECT().CleanUp()
				mockEnf.EXPECT().CleanUp()

				var rpcwrperreq rpcwrapper.Request
				var rpcwrperres rpcwrapper.Response

				rpcwrperreq.Payload = initTestUnEnfPayload()

				err := server.Unenforce(rpcwrperreq, &rpcwrperres)

				Convey("Then I should get error", func() {
					So(err, ShouldNotBeNil)
					So(err, ShouldResemble, errors.New("unable to clean supervisor: supervisor error"))
				})
			})

			Convey("When I try to send unenforce command and the enforcer fails, it should fail and cleanup", func() {
				rpcHdl.EXPECT().CheckValidity(gomock.Any(), gomock.Any()).Times(1).Return(true)
				mockStats.EXPECT().Send()
				mockSup.EXPECT().Unsupervise(gomock.Any()).Return(nil)
				mockEnf.EXPECT().Unenforce(gomock.Any(), gomock.Any()).Return(fmt.Errorf("enforcer error"))
				mockSup.EXPECT().CleanUp()
				mockEnf.EXPECT().CleanUp()

				var rpcwrperreq rpcwrapper.Request
				var rpcwrperres rpcwrapper.Response

				rpcwrperreq.Payload = initTestUnEnfPayload()

				err := server.Unenforce(rpcwrperreq, &rpcwrperres)

				Convey("Then I should get error", func() {
					So(err, ShouldNotBeNil)
					So(err, ShouldResemble, errors.New("unable to stop enforcer: enforcer error"))
				})
			})

			Convey("When the enforce command succeeds, I should get no errors", func() {
				rpcHdl.EXPECT().CheckValidity(gomock.Any(), gomock.Any()).Times(1).Return(true)
				mockStats.EXPECT().Send()
				mockSup.EXPECT().Unsupervise(gomock.Any()).Return(nil)
				mockEnf.EXPECT().Unenforce(gomock.Any(), gomock.Any()).Return(nil)

				var rpcwrperreq rpcwrapper.Request
				var rpcwrperres rpcwrapper.Response

				rpcwrperreq.Payload = initTestUnEnfPayload()

				err := server.Unenforce(rpcwrperreq, &rpcwrperres)

				Convey("Then I should not get an error ", func() {
					So(err, ShouldBeNil)
				})
			})
		})
	})
}

func Test_EnableDatapathPacketTracing(t *testing.T) {
	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	Convey("Given a new server", t, func() {
		rpcHdl := mockrpcwrapper.NewMockRPCServer(ctrl)
		mockEnf := mockenforcer.NewMockEnforcer(ctrl)
		ctx, cancel := context.WithCancel(context.TODO())

		Convey("With proper initialization", func() {

			server := &RemoteEnforcer{
				rpcHandle: rpcHdl,
				enforcer:  mockEnf,
				ctx:       ctx,
				cancel:    cancel,
			}

			Convey("When I try to enable datapath tracing and the validity fails, it should fail", func() {
				rpcHdl.EXPECT().CheckValidity(gomock.Any(), gomock.Any()).Times(1).Return(false)
				var rpcwrperreq rpcwrapper.Request
				var rpcwrperres rpcwrapper.Response

				rpcwrperreq.Payload = rpcwrapper.EnableDatapathPacketTracingPayLoad{}
				rpcwrperres.Status = ""

				err := server.EnableDatapathPacketTracing(rpcwrperreq, &rpcwrperres)

				Convey("Then I should get error", func() {
					So(err, ShouldNotBeNil)
					So(err, ShouldResemble, errors.New("enable datapath packet tracing auth failed"))
				})
			})

			Convey("When I try to enable datapath tracing  and the enforcer fails, it should fail and cleanup", func() {
				rpcHdl.EXPECT().CheckValidity(gomock.Any(), gomock.Any()).Times(1).Return(true)
				mockEnf.EXPECT().EnableDatapathPacketTracing(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return(fmt.Errorf("error"))

				var rpcwrperreq rpcwrapper.Request
				var rpcwrperres rpcwrapper.Response

				rpcwrperreq.Payload = rpcwrapper.EnableDatapathPacketTracingPayLoad{}

				err := server.EnableDatapathPacketTracing(rpcwrperreq, &rpcwrperres)

				Convey("Then I should get error", func() {
					So(err, ShouldNotBeNil)
					So(err, ShouldResemble, errors.New("error"))
				})
			})

			Convey("When the enforce command succeeds, I should get no errors", func() {
				rpcHdl.EXPECT().CheckValidity(gomock.Any(), gomock.Any()).Times(1).Return(true)
				mockEnf.EXPECT().EnableDatapathPacketTracing(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return(nil)

				var rpcwrperreq rpcwrapper.Request
				var rpcwrperres rpcwrapper.Response

				rpcwrperreq.Payload = rpcwrapper.EnableDatapathPacketTracingPayLoad{}

				err := server.EnableDatapathPacketTracing(rpcwrperreq, &rpcwrperres)

				Convey("Then I should not get an error ", func() {
					So(err, ShouldBeNil)
				})
			})
		})
	})
}

func Test_EnableIPTablesPacketTracing(t *testing.T) {
	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	Convey("Given a new server", t, func() {
		rpcHdl := mockrpcwrapper.NewMockRPCServer(ctrl)
		mockSup := mocksupervisor.NewMockSupervisor(ctrl)
		ctx, cancel := context.WithCancel(context.TODO())

		Convey("With proper initialization", func() {

			server := &RemoteEnforcer{
				rpcHandle:  rpcHdl,
				supervisor: mockSup,
				ctx:        ctx,
				cancel:     cancel,
			}

			Convey("When I try to enable datapath tracing and the validity fails, it should fail", func() {
				rpcHdl.EXPECT().CheckValidity(gomock.Any(), gomock.Any()).Times(1).Return(false)
				var rpcwrperreq rpcwrapper.Request
				var rpcwrperres rpcwrapper.Response

				rpcwrperreq.Payload = rpcwrapper.EnableIPTablesPacketTracingPayLoad{}
				rpcwrperres.Status = ""

				err := server.EnableIPTablesPacketTracing(rpcwrperreq, &rpcwrperres)

				Convey("Then I should get error", func() {
					So(err, ShouldNotBeNil)
					So(err, ShouldResemble, errors.New("enable iptable packet tracing auth failed"))
				})
			})

			Convey("When I try to enable datapath tracing  and the enforcer fails, it should fail and cleanup", func() {
				rpcHdl.EXPECT().CheckValidity(gomock.Any(), gomock.Any()).Times(1).Return(true)
				mockSup.EXPECT().EnableIPTablesPacketTracing(gomock.Any(), gomock.Any(), gomock.Any()).Return(fmt.Errorf("error"))

				var rpcwrperreq rpcwrapper.Request
				var rpcwrperres rpcwrapper.Response

				rpcwrperreq.Payload = rpcwrapper.EnableIPTablesPacketTracingPayLoad{}

				err := server.EnableIPTablesPacketTracing(rpcwrperreq, &rpcwrperres)

				Convey("Then I should get error", func() {
					So(err, ShouldNotBeNil)
					So(err, ShouldResemble, errors.New("error"))
				})
			})

			Convey("When the enforce command succeeds, I should get no errors", func() {
				rpcHdl.EXPECT().CheckValidity(gomock.Any(), gomock.Any()).Times(1).Return(true)
				mockSup.EXPECT().EnableIPTablesPacketTracing(gomock.Any(), gomock.Any(), gomock.Any()).Return(nil)

				var rpcwrperreq rpcwrapper.Request
				var rpcwrperres rpcwrapper.Response

				rpcwrperreq.Payload = rpcwrapper.EnableIPTablesPacketTracingPayLoad{}

				err := server.EnableIPTablesPacketTracing(rpcwrperreq, &rpcwrperres)

				Convey("Then I should not get an error ", func() {
					So(err, ShouldBeNil)
				})
			})
		})
	})
}


================================================
FILE: controller/pkg/remoteenforcer/type.go
================================================
package remoteenforcer

import (
	"context"

	"github.com/blang/semver"
	"go.aporeto.io/enforcerd/trireme-lib/policy"

	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/utils/rpcwrapper"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/supervisor"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/fqconfig"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packetprocessor"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/remoteenforcer/internal/client"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/remoteenforcer/internal/statscollector"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/remoteenforcer/internal/tokenissuer"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/secrets"
)

type logConfig struct {
	logLevel  string // nolint:structcheck,unused
	logFormat string // nolint:structcheck,unused
	logID     string // nolint:structcheck,unused
}

// RemoteEnforcer : This is the structure for maintaining state required by the
// remote enforcer.
// It is a cache of variables passed by the controller to the remote enforcer and
// other handles required by the remote enforcer to talk to the external processes
//
// Why is this public when all members are private ? For golang RPC server requirements
// The lint directives below are for non-linux compiles that use remoteenforcer_stub.go
type RemoteEnforcer struct {
	rpcSecret      string // nolint:structcheck,unused
	rpcHandle      rpcwrapper.RPCServer
	collector      statscollector.Collector // nolint:structcheck,unused
	statsClient    client.Reporter
	reportsClient  client.Reporter
	procMountPoint string
	enforcer       enforcer.Enforcer
	supervisor     supervisor.Supervisor
	service        packetprocessor.PacketProcessor
	secrets        secrets.Secrets // nolint:structcheck,unused
	ctx            context.Context
	cancel         context.CancelFunc
	exit           chan bool
	config         logConfig               // nolint:structcheck,unused
	tokenIssuer    tokenissuer.TokenClient // nolint:structcheck,unused
	enforcerType   policy.EnforcerType     // nolint:structcheck,unused
	agentVersion   semver.Version          // nolint:structcheck,unused
	fqConfig       fqconfig.FilterQueue    // nolint:structcheck,unused
}


================================================
FILE: controller/pkg/secrets/compactpki/compactpki.go
================================================
package compactpki

import (
	"crypto/ecdsa"
	"crypto/x509"
	"errors"
	"time"

	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/claimsheader"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/pkiverifier"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/secrets"
	"go.aporeto.io/enforcerd/trireme-lib/utils/crypto"
)

const (
	compactPKIAckSize = 300
)

// CompactPKI holds all PKI information
type CompactPKI struct {
	privateKeyPEM      []byte
	publicKeyPEM       []byte
	authorityPEM       []byte
	trustedControllers []*secrets.ControllerInfo
	compressed         claimsheader.CompressionType
	privateKey         *ecdsa.PrivateKey
	publicKey          *x509.Certificate
	txKey              []byte
	verifier           pkiverifier.PKITokenVerifier
}

// NewCompactPKIWithTokenCA creates new secrets for PKI implementation based on compact encoding.
//    keyPEM: is the private key that will be used for signing tokens formated as a PEM file.
//    certPEM: is the public key that will be used formated as a PEM file.
//    trustedControllers: is a list of trusted controllers.
//    txKey: is the public key that is send over the wire.
//    compressionType: is packed with the secrets to indicate compression.
func NewCompactPKIWithTokenCA(keyPEM []byte, certPEM []byte, caPEM []byte, trustedControllers []*secrets.ControllerInfo, txKey []byte, compress claimsheader.CompressionType) (*CompactPKI, error) {

	key, cert, _, err := crypto.LoadAndVerifyECSecrets(keyPEM, certPEM, caPEM)
	if err != nil {
		return nil, err
	}

	tokenKeys := make([]*pkiverifier.PKIPublicKey, len(trustedControllers))
	for _, tokenKey := range trustedControllers {
		caCert, err := crypto.LoadCertificate(tokenKey.PublicKey)
		if err != nil {
			return nil, err
		}

		namespaceKey := &pkiverifier.PKIPublicKey{
			PublicKey:  caCert.PublicKey.(*ecdsa.PublicKey),
			Controller: tokenKey.Controller,
		}

		tokenKeys = append(tokenKeys, namespaceKey)
	}

	if len(txKey) == 0 {
		return nil, errors.New("transmit token missing")
	}

	p := &CompactPKI{
		privateKeyPEM:      keyPEM,
		publicKeyPEM:       certPEM,
		authorityPEM:       caPEM,
		trustedControllers: trustedControllers,
		compressed:         compress,
		privateKey:         key,
		publicKey:          cert,
		txKey:              txKey,
		verifier:           pkiverifier.NewPKIVerifier(tokenKeys, 5*time.Minute),
	}

	return p, nil
}

// EncodingKey returns the private key
func (p *CompactPKI) EncodingKey() interface{} {
	return p.privateKey
}

// PublicKey returns the public key
func (p *CompactPKI) PublicKey() interface{} {
	return p.publicKey
}

// CertAuthority returns the cert authority
func (p *CompactPKI) CertAuthority() []byte {
	return p.authorityPEM
}

//KeyAndClaims returns both the key and any attributes associated with the public key.
func (p *CompactPKI) KeyAndClaims(pkey []byte) (interface{}, []string, time.Time, *pkiverifier.PKIControllerInfo, error) {
	kc, err := p.verifier.Verify(pkey)
	if err != nil {
		return nil, nil, time.Unix(0, 0), nil, err
	}
	return kc.PublicKey, kc.Tags, kc.Expiration, kc.Controller, nil
}

// TransmittedKey returns the PEM of the public key in the case of PKI
// if there is no certificate cache configured
func (p *CompactPKI) TransmittedKey() []byte {
	return p.txKey
}

// AckSize returns the default size of an ACK packet
func (p *CompactPKI) AckSize() uint32 {
	return uint32(compactPKIAckSize)
}

// RPCSecrets returns the secrets that are marshallable over the RPC interface.
func (p *CompactPKI) RPCSecrets() secrets.RPCSecrets {
	return secrets.RPCSecrets{
		Key:                p.privateKeyPEM,
		Certificate:        p.publicKeyPEM,
		CA:                 p.authorityPEM,
		Token:              p.txKey,
		TrustedControllers: p.trustedControllers,
		Compressed:         p.compressed,
	}
}


================================================
FILE: controller/pkg/secrets/compactpki/compactpki_test.go
================================================
// +build !windows

package compactpki

import (
	"crypto/ecdsa"
	"crypto/x509"
	"testing"

	. "github.com/smartystreets/goconvey/convey"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/claimsheader"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/pkiverifier"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/secrets"
	"go.aporeto.io/enforcerd/trireme-lib/utils/crypto"
)

// Certs
var (
	caPEM = `-----BEGIN CERTIFICATE-----
MIIBmzCCAUCgAwIBAgIRAIbf7tsXeg6vUJ2pe3WXzgwwCgYIKoZIzj0EAwIwPDEQ
MA4GA1UEChMHQXBvcmV0bzEPMA0GA1UECxMGYXBvbXV4MRcwFQYDVQQDEw5BcG9t
dXggUm9vdCBDQTAeFw0xODA1MDExODM3MjNaFw0yODAzMDkxODM3MjNaMDwxEDAO
BgNVBAoTB0Fwb3JldG8xDzANBgNVBAsTBmFwb211eDEXMBUGA1UEAxMOQXBvbXV4
IFJvb3QgQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQcpOm4VAWyNcI4/WZP
qj9EBu5XWQppyG2LoXVYNv1YCfJBFYuVERxVaZEcUJ0ceE/doFyphS1Ohw3QjqDQ
xakeoyMwITAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjO
PQQDAgNJADBGAiEA+OL+qkSyXwLu6P/75kXBPo8fFGvXyX2vYis0hUAyHJcCIQCn
86EFqkJDkeAguDEKvVtORcnxl+rAP924/PJAHLMh6Q==
-----END CERTIFICATE-----`
	caKeyPEM = `-----BEGIN EC PRIVATE KEY-----
MHcCAQEEILpUWKqL6Sr+HrKDKLHt/vN6EYi22rJKV2q9xgKmiCqioAoGCCqGSM49
AwEHoUQDQgAEHKTpuFQFsjXCOP1mT6o/RAbuV1kKachti6F1WDb9WAnyQRWLlREc
VWmRHFCdHHhP3aBcqYUtTocN0I6g0MWpHg==
-----END EC PRIVATE KEY-----`
	privateKeyPEM = `-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIGx017ukBSUSddLXefL/5nxxaRXuM1H/tUxQAYxWBrQtoAoGCCqGSM49
AwEHoUQDQgAEZKBbcTmg0hGyVcgsUH7xijvaNOJ3EPM3Oq08VdCBsPNAojAR9wfX
KLO/w0SRKj1DL03a9dl1Gwk0r7F0VnPQyw==
-----END EC PRIVATE KEY-----`
	publicPEM = `-----BEGIN CERTIFICATE-----
MIIBsDCCAVagAwIBAgIRAOmitRugFU+nAhiGsp6fYOwwCgYIKoZIzj0EAwIwPDEQ
MA4GA1UEChMHQXBvcmV0bzEPMA0GA1UECxMGYXBvbXV4MRcwFQYDVQQDEw5BcG9t
dXggUm9vdCBDQTAeFw0xODA1MDExODQwMzFaFw0yODAzMDkxODQwMzFaMDYxETAP
BgNVBAoTCHNvbWUgb3JnMRIwEAYDVQQLEwlzb21lLXVuaXQxDTALBgNVBAMTBHRl
c3QwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARkoFtxOaDSEbJVyCxQfvGKO9o0
4ncQ8zc6rTxV0IGw80CiMBH3B9cos7/DRJEqPUMvTdr12XUbCTSvsXRWc9DLoz8w
PTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMB
MAwGA1UdEwEB/wQCMAAwCgYIKoZIzj0EAwIDSAAwRQIgBNYmLdmHI2gKy2NqfSXn
MEDF56xWq7son2mcSePvLU8CIQCUxgYfDZDf067Y7vqLw1mWMlSnqECELnq7zel1
fXtpyA==
-----END CERTIFICATE-----`
)

// createTxtToken creates a transmitter token
func createTxtToken() []byte {
	caKey, err := crypto.LoadEllipticCurveKey([]byte(caKeyPEM))
	if err != nil {
		panic("bad ca key ")
	}

	clientCert, err := crypto.LoadCertificate([]byte(publicPEM))
	if err != nil {
		panic("bad client cert ")
	}

	p := pkiverifier.NewPKIIssuer(caKey)
	token, err := p.CreateTokenFromCertificate(clientCert, []string{})
	if err != nil {
		panic("can't create token")
	}
	return token
}

func TestNewCompactPKIWithTokenCA(t *testing.T) {
	txKey := createTxtToken()
	// txkey is a token that has the client public key signed by the CA
	Convey("When I create a new compact PKI, it should succeed ", t, func() {
		tokenKey := &secrets.ControllerInfo{
			PublicKey: []byte(caPEM),
		}
		controllerInfo := []*secrets.ControllerInfo{tokenKey}
		p, err := NewCompactPKIWithTokenCA([]byte(privateKeyPEM), []byte(publicPEM), []byte(caPEM), controllerInfo, txKey, claimsheader.CompressionTypeV1)
		So(err, ShouldBeNil)
		So(p, ShouldNotBeNil)
		So(p.authorityPEM, ShouldResemble, []byte(caPEM))
		So(p.privateKeyPEM, ShouldResemble, []byte(privateKeyPEM))
		So(p.publicKeyPEM, ShouldResemble, []byte(publicPEM))
	})

	Convey("When I create a new compact PKI with invalid certs, it should fail", t, func() {
		tokenKey := &secrets.ControllerInfo{
			PublicKey: []byte(caPEM),
		}
		controllerInfo := []*secrets.ControllerInfo{tokenKey}
		p, err := NewCompactPKIWithTokenCA([]byte(privateKeyPEM)[:20], []byte(publicPEM)[:30], []byte(caPEM), controllerInfo, txKey, claimsheader.CompressionTypeV1)
		So(err, ShouldNotBeNil)
		So(p, ShouldBeNil)
	})

	Convey("When I create a new compact PKI with invalid CA, it should fail", t, func() {
		tokenKey := &secrets.ControllerInfo{
			PublicKey: []byte(caPEM),
		}
		controllerInfo := []*secrets.ControllerInfo{tokenKey}
		p, err := NewCompactPKIWithTokenCA([]byte(privateKeyPEM), []byte(publicPEM), []byte(caPEM)[:10], controllerInfo, txKey, claimsheader.CompressionTypeV1)
		So(err, ShouldNotBeNil)
		So(p, ShouldBeNil)
	})

}

func TestBasicInterfaceFunctions(t *testing.T) {
	txKey := createTxtToken()
	Convey("Given a valid CompactPKI ", t, func() {
		tokenKey := &secrets.ControllerInfo{
			PublicKey: []byte(caPEM),
		}
		controllerInfo := []*secrets.ControllerInfo{tokenKey}
		p, err := NewCompactPKIWithTokenCA([]byte(privateKeyPEM), []byte(publicPEM), []byte(caPEM), controllerInfo, txKey, claimsheader.CompressionTypeV1)
		So(err, ShouldBeNil)
		So(p, ShouldNotBeNil)

		key, cert, _, _ := crypto.LoadAndVerifyECSecrets([]byte(privateKeyPEM), []byte(publicPEM), []byte(caPEM))
		Convey("I should get the right encoding key", func() {
			So(*(p.EncodingKey().(*ecdsa.PrivateKey)), ShouldResemble, *key)
		})

		Convey("I should get the right transmitter key", func() {
			So(p.TransmittedKey(), ShouldResemble, txKey)
		})

		Convey("I should ge the right ack size", func() {
			So(p.AckSize(), ShouldEqual, compactPKIAckSize)
		})

		Convey("I should get the right public key, ", func() {
			So(p.PublicKey().(*x509.Certificate), ShouldResemble, cert)
		})
	})
}


================================================
FILE: controller/pkg/secrets/compactpki.go
================================================
package secrets

import (
	"crypto/ecdsa"
	"crypto/x509"
	"errors"
	"time"

	"go.aporeto.io/trireme-lib/controller/pkg/claimsheader"
	"go.aporeto.io/trireme-lib/controller/pkg/pkiverifier"
	"go.aporeto.io/trireme-lib/utils/crypto"
	"go.uber.org/zap"
)

const (
	compactPKIAckSize = 300
)

// CompactPKI holds all PKI information
type CompactPKI struct {
	PrivateKeyPEM []byte
	PublicKeyPEM  []byte
	AuthorityPEM  []byte
	TokenKeyPEMs  [][]byte
	Compressed    claimsheader.CompressionType
	privateKey    *ecdsa.PrivateKey
	publicKey     *x509.Certificate
	txKey         []byte
	verifier      pkiverifier.PKITokenVerifier
}

// NewCompactPKI creates new secrets for PKI implementation based on compact encoding
func NewCompactPKI(keyPEM []byte, certPEM []byte, caPEM []byte, txKey []byte, compress claimsheader.CompressionType) (*CompactPKI, error) {

	zap.L().Warn("DEPRECATED. secrets.NewCompactPKI is deprecated in favor of secrets.NewCompactPKIWithTokenCA")
	return NewCompactPKIWithTokenCA(keyPEM, certPEM, caPEM, [][]byte{caPEM}, txKey, compress)
}

// NewCompactPKIWithTokenCA creates new secrets for PKI implementation based on compact encoding.
//    keyPEM: is the private key that will be used for signing tokens formated as a PEM file.
//    certPEM: is the public key that will be used formated as a PEM file.
//    tokenKeyPEMs: is a list of public keys that can be used to verify the public token that
//                  that is transmitted over the wire. These are essentially the public CA PEMs
//                  that were used to sign the txtKey
//    txKey: is the public key that is send over the wire.
//    compressionType: is packed with the secrets to indicate compression.
func NewCompactPKIWithTokenCA(keyPEM []byte, certPEM []byte, caPEM []byte, tokenKeyPEMs [][]byte, txKey []byte, compress claimsheader.CompressionType) (*CompactPKI, error) {

	key, cert, _, err := crypto.LoadAndVerifyECSecrets(keyPEM, certPEM, caPEM)
	if err != nil {
		return nil, err
	}

	tokenKeys := make([]*ecdsa.PublicKey, len(tokenKeyPEMs))
	for _, ca := range tokenKeyPEMs {
		caCert, err := crypto.LoadCertificate(ca)
		if err != nil {
			return nil, err
		}
		tokenKeys = append(tokenKeys, caCert.PublicKey.(*ecdsa.PublicKey))
	}

	if len(txKey) == 0 {
		return nil, errors.New("transmit token missing")
	}

	p := &CompactPKI{
		PrivateKeyPEM: keyPEM,
		PublicKeyPEM:  certPEM,
		AuthorityPEM:  caPEM,
		TokenKeyPEMs:  tokenKeyPEMs,
		Compressed:    compress,
		privateKey:    key,
		publicKey:     cert,
		txKey:         txKey,
		verifier:      pkiverifier.NewPKIVerifier(tokenKeys, 5*time.Minute),
	}

	return p, nil
}

// Type implements the interface Secrets
func (p *CompactPKI) Type() PrivateSecretsType {
	return PKICompactType
}

// EncodingKey returns the private key
func (p *CompactPKI) EncodingKey() interface{} {
	return p.privateKey
}

// PublicKey returns the public key
func (p *CompactPKI) PublicKey() interface{} {
	return p.publicKey
}

//KeyAndClaims returns both the key and any attributes associated with the public key.
func (p *CompactPKI) KeyAndClaims(pkey []byte) (interface{}, []string, time.Time, error) {
	kc, err := p.verifier.Verify(pkey)
	if err != nil {
		return nil, nil, time.Unix(0, 0), err
	}
	return kc.PublicKey, kc.Tags, kc.Expiration, nil
}

// TransmittedKey returns the PEM of the public key in the case of PKI
// if there is no certificate cache configured
func (p *CompactPKI) TransmittedKey() []byte {
	return p.txKey
}

// AckSize returns the default size of an ACK packet
func (p *CompactPKI) AckSize() uint32 {
	return uint32(compactPKIAckSize)
}

// PublicSecrets returns the secrets that are marshallable over the RPC interface.
func (p *CompactPKI) PublicSecrets() PublicSecrets {
	return &CompactPKIPublicSecrets{
		Type:        PKICompactType,
		Key:         p.PrivateKeyPEM,
		Certificate: p.PublicKeyPEM,
		CA:          p.AuthorityPEM,
		Token:       p.txKey,
		TokenCAs:    p.TokenKeyPEMs,
		Compressed:  p.Compressed,
	}
}

// CompactPKIPublicSecrets includes all the secrets that can be transmitted over
// the RPC interface.
type CompactPKIPublicSecrets struct {
	Type        PrivateSecretsType
	Key         []byte
	Certificate []byte
	CA          []byte
	TokenCAs    [][]byte
	Token       []byte
	Compressed  claimsheader.CompressionType
}

// SecretsType returns the type of secrets.
func (p *CompactPKIPublicSecrets) SecretsType() PrivateSecretsType {
	return p.Type
}

// CertAuthority returns the cert authority
func (p *CompactPKIPublicSecrets) CertAuthority() []byte {
	return p.CA
}


================================================
FILE: controller/pkg/secrets/compactpki_test.go
================================================
// +build !windows

package secrets

import (
	"crypto/ecdsa"
	"crypto/x509"
	"testing"

	. "github.com/smartystreets/goconvey/convey"
	"go.aporeto.io/trireme-lib/controller/pkg/claimsheader"
	"go.aporeto.io/trireme-lib/utils/crypto"
)

func TestNewCompactPKI(t *testing.T) {
	txKey := CreateTxtToken()
	// txkey is a token that has the client public key signed by the CA
	Convey("When I create a new compact PKI, it should succeed ", t, func() {

		p, err := NewCompactPKI([]byte(PrivateKeyPEM), []byte(PublicPEM), []byte(CAPEM), txKey, claimsheader.CompressionTypeNone)
		So(err, ShouldBeNil)
		So(p, ShouldNotBeNil)
		So(p.AuthorityPEM, ShouldResemble, []byte(CAPEM))
		So(p.PrivateKeyPEM, ShouldResemble, []byte(PrivateKeyPEM))
		So(p.PublicKeyPEM, ShouldResemble, []byte(PublicPEM))
	})

	Convey("When I create a new compact PKI with invalid certs, it should fail", t, func() {
		p, err := NewCompactPKI([]byte(PrivateKeyPEM)[:20], []byte(PublicPEM)[:30], []byte(CAPEM), txKey, claimsheader.CompressionTypeNone)
		So(err, ShouldNotBeNil)
		So(p, ShouldBeNil)
	})

	Convey("When I create a new compact PKI with invalid CA, it should fail", t, func() {
		p, err := NewCompactPKI([]byte(PrivateKeyPEM), []byte(PublicPEM), []byte(CAPEM)[:10], txKey, claimsheader.CompressionTypeNone)
		So(err, ShouldNotBeNil)
		So(p, ShouldBeNil)
	})

}

func TestBasicInterfaceFunctions(t *testing.T) {
	txKey := CreateTxtToken()
	Convey("Given a valid CompactPKI ", t, func() {
		p, err := NewCompactPKI([]byte(PrivateKeyPEM), []byte(PublicPEM), []byte(CAPEM), txKey, claimsheader.CompressionTypeNone)
		So(err, ShouldBeNil)
		So(p, ShouldNotBeNil)

		key, cert, _, _ := crypto.LoadAndVerifyECSecrets([]byte(PrivateKeyPEM), []byte(PublicPEM), []byte(CAPEM))
		Convey("I should get the right secrets type ", func() {
			So(p.Type(), ShouldResemble, PKICompactType)
		})

		Convey("I should get the right encoding key", func() {
			So(*(p.EncodingKey().(*ecdsa.PrivateKey)), ShouldResemble, *key)
		})

		Convey("I should get the right transmitter key", func() {
			So(p.TransmittedKey(), ShouldResemble, txKey)
		})

		Convey("I should ge the right ack size", func() {
			So(p.AckSize(), ShouldEqual, compactPKIAckSize)
		})

		Convey("I should get the right public key, ", func() {
			So(p.PublicKey().(*x509.Certificate), ShouldResemble, cert)
		})
	})
}


================================================
FILE: controller/pkg/secrets/interfaces.go
================================================
package secrets

// PublicKeyAdder register a publicKey for a Node.
type PublicKeyAdder interface {

	// PublicKeyAdd adds the given cert for the given host.
	PublicKeyAdd(host string, cert []byte) error
}


================================================
FILE: controller/pkg/secrets/mocksecrets/mocksecrets.go
================================================
// Code generated by MockGen. DO NOT EDIT.
// Source: trireme-lib/controller/pkg/secrets/secrets.go

// Package mocksecrets is a generated GoMock package.
package mocksecrets

import (
	gomock "github.com/golang/mock/gomock"
	pkiverifier "go.aporeto.io/enforcerd/trireme-lib/controller/pkg/pkiverifier"
	secrets "go.aporeto.io/enforcerd/trireme-lib/controller/pkg/secrets"
	reflect "reflect"
	time "time"
)

// MockLockedSecrets is a mock of LockedSecrets interface
type MockLockedSecrets struct {
	ctrl     *gomock.Controller
	recorder *MockLockedSecretsMockRecorder
}

// MockLockedSecretsMockRecorder is the mock recorder for MockLockedSecrets
type MockLockedSecretsMockRecorder struct {
	mock *MockLockedSecrets
}

// NewMockLockedSecrets creates a new mock instance
func NewMockLockedSecrets(ctrl *gomock.Controller) *MockLockedSecrets {
	mock := &MockLockedSecrets{ctrl: ctrl}
	mock.recorder = &MockLockedSecretsMockRecorder{mock}
	return mock
}

// EXPECT returns an object that allows the caller to indicate expected use
func (m *MockLockedSecrets) EXPECT() *MockLockedSecretsMockRecorder {
	return m.recorder
}

// Secrets mocks base method
func (m *MockLockedSecrets) Secrets() (secrets.Secrets, func()) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "Secrets")
	ret0, _ := ret[0].(secrets.Secrets)
	ret1, _ := ret[1].(func())
	return ret0, ret1
}

// Secrets indicates an expected call of Secrets
func (mr *MockLockedSecretsMockRecorder) Secrets() *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Secrets", reflect.TypeOf((*MockLockedSecrets)(nil).Secrets))
}

// MockSecrets is a mock of Secrets interface
type MockSecrets struct {
	ctrl     *gomock.Controller
	recorder *MockSecretsMockRecorder
}

// MockSecretsMockRecorder is the mock recorder for MockSecrets
type MockSecretsMockRecorder struct {
	mock *MockSecrets
}

// NewMockSecrets creates a new mock instance
func NewMockSecrets(ctrl *gomock.Controller) *MockSecrets {
	mock := &MockSecrets{ctrl: ctrl}
	mock.recorder = &MockSecretsMockRecorder{mock}
	return mock
}

// EXPECT returns an object that allows the caller to indicate expected use
func (m *MockSecrets) EXPECT() *MockSecretsMockRecorder {
	return m.recorder
}

// EncodingKey mocks base method
func (m *MockSecrets) EncodingKey() interface{} {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "EncodingKey")
	ret0, _ := ret[0].(interface{})
	return ret0
}

// EncodingKey indicates an expected call of EncodingKey
func (mr *MockSecretsMockRecorder) EncodingKey() *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "EncodingKey", reflect.TypeOf((*MockSecrets)(nil).EncodingKey))
}

// PublicKey mocks base method
func (m *MockSecrets) PublicKey() interface{} {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "PublicKey")
	ret0, _ := ret[0].(interface{})
	return ret0
}

// PublicKey indicates an expected call of PublicKey
func (mr *MockSecretsMockRecorder) PublicKey() *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "PublicKey", reflect.TypeOf((*MockSecrets)(nil).PublicKey))
}

// CertAuthority mocks base method
func (m *MockSecrets) CertAuthority() []byte {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "CertAuthority")
	ret0, _ := ret[0].([]byte)
	return ret0
}

// CertAuthority indicates an expected call of CertAuthority
func (mr *MockSecretsMockRecorder) CertAuthority() *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CertAuthority", reflect.TypeOf((*MockSecrets)(nil).CertAuthority))
}

// TransmittedKey mocks base method
func (m *MockSecrets) TransmittedKey() []byte {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "TransmittedKey")
	ret0, _ := ret[0].([]byte)
	return ret0
}

// TransmittedKey indicates an expected call of TransmittedKey
func (mr *MockSecretsMockRecorder) TransmittedKey() *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "TransmittedKey", reflect.TypeOf((*MockSecrets)(nil).TransmittedKey))
}

// KeyAndClaims mocks base method
func (m *MockSecrets) KeyAndClaims(pkey []byte) (interface{}, []string, time.Time, *pkiverifier.PKIControllerInfo, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "KeyAndClaims", pkey)
	ret0, _ := ret[0].(interface{})
	ret1, _ := ret[1].([]string)
	ret2, _ := ret[2].(time.Time)
	ret3, _ := ret[3].(*pkiverifier.PKIControllerInfo)
	ret4, _ := ret[4].(error)
	return ret0, ret1, ret2, ret3, ret4
}

// KeyAndClaims indicates an expected call of KeyAndClaims
func (mr *MockSecretsMockRecorder) KeyAndClaims(pkey interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "KeyAndClaims", reflect.TypeOf((*MockSecrets)(nil).KeyAndClaims), pkey)
}

// AckSize mocks base method
func (m *MockSecrets) AckSize() uint32 {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "AckSize")
	ret0, _ := ret[0].(uint32)
	return ret0
}

// AckSize indicates an expected call of AckSize
func (mr *MockSecretsMockRecorder) AckSize() *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AckSize", reflect.TypeOf((*MockSecrets)(nil).AckSize))
}

// RPCSecrets mocks base method
func (m *MockSecrets) RPCSecrets() secrets.RPCSecrets {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "RPCSecrets")
	ret0, _ := ret[0].(secrets.RPCSecrets)
	return ret0
}

// RPCSecrets indicates an expected call of RPCSecrets
func (mr *MockSecretsMockRecorder) RPCSecrets() *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RPCSecrets", reflect.TypeOf((*MockSecrets)(nil).RPCSecrets))
}


================================================
FILE: controller/pkg/secrets/null.go
================================================
package secrets

import (
	"time"

	jwt "github.com/dgrijalva/jwt-go"
)

// This is a NULL secrets implementation only for performance testing
// ATTENTION *** ONLY FOR TESTING
// DO NOT USE FOR ANY REAL CODE

// NullPKI holds all PKI information
type NullPKI struct {
	PrivateKeyPEM []byte
	PublicKeyPEM  []byte
	AuthorityPEM  []byte
}

// NewNullPKI creates new secrets for PKI implementation based on compact encoding
func NewNullPKI(keyPEM, certPEM, caPEM []byte) (*NullPKI, error) {

	p := &NullPKI{}
	return p, nil
}

// Type implements the interface Secrets
func (p *NullPKI) Type() PrivateSecretsType {
	return PKINull
}

// EncodingKey returns the private key
func (p *NullPKI) EncodingKey() interface{} {
	return jwt.UnsafeAllowNoneSignatureType
}

// PublicKey returns nil in this case
func (p *NullPKI) PublicKey() interface{} {
	return nil
}

//KeyAndClaims returns both the key and any attributes associated with the public key.
func (p *NullPKI) KeyAndClaims(pkey []byte) (interface{}, []string, time.Time, error) {
	return jwt.UnsafeAllowNoneSignatureType, []string{}, time.Now(), nil
}

// TransmittedKey returns the PEM of the public key in the case of PKI
// if there is no certificate cache configured
func (p *NullPKI) TransmittedKey() []byte {
	return []byte("none")
}

// AckSize returns the default size of an ACK packet
func (p *NullPKI) AckSize() uint32 {
	return uint32(235)
}

// PublicSecrets returns the secrets that are marshallable over the RPC interface.
func (p *NullPKI) PublicSecrets() PublicSecrets {
	return &NullPublicSecrets{
		Type: PKINull,
	}
}

// NullPublicSecrets includes all the secrets that can be transmitted over
// the RPC interface.
type NullPublicSecrets struct {
	Type PrivateSecretsType
}

// SecretsType returns the type of secrets.
func (p *NullPublicSecrets) SecretsType() PrivateSecretsType {
	return p.Type
}

// CertAuthority returns the cert authority - N/A to PSK
func (p *NullPublicSecrets) CertAuthority() []byte {
	return []byte{}
}


================================================
FILE: controller/pkg/secrets/rpc/rpc.go
================================================
package rpc

import (
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/secrets"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/secrets/compactpki"
)

// NewSecrets creates a new set of secrets based on the RPCSecrets.
// We support only one type for now, CompactPKI.
func NewSecrets(r secrets.RPCSecrets) (secrets.Secrets, error) {
	return compactpki.NewCompactPKIWithTokenCA(r.Key, r.Certificate, r.CA, r.TrustedControllers, r.Token, r.Compressed)
}


================================================
FILE: controller/pkg/secrets/secrets.go
================================================
package secrets

import (
	"time"

	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/claimsheader"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/pkiverifier"
)

// LockedSecrets provides a way to use secrets where shared read access is required. The user becomes
// responsible for unlocking when done using them. The implementation should lock the access to secrets
// for reading, and pass down the function for unlocking.
type LockedSecrets interface {
	Secrets() (Secrets, func())
}

// Secrets is an interface implementing secrets
type Secrets interface {
	// EncodingKey returns the key used to encode the tokens.
	EncodingKey() interface{}
	// PublicKey returns the public ket of the secrets.
	PublicKey() interface{}
	// CertAuthority returns the CA
	CertAuthority() []byte
	// TransmittedKey returns the public key as a byte slice and as it is transmitted
	// on the wire.
	TransmittedKey() []byte
	// KeyAndClaims will verify the public key and return any claims that are part of the key.
	KeyAndClaims(pkey []byte) (interface{}, []string, time.Time, *pkiverifier.PKIControllerInfo, error)
	// AckSize calculates the size of the ACK packet based on the keys.
	AckSize() uint32
	// RPCSecrets returns the PEM formated secrets to be transmitted over the RPC interface.
	RPCSecrets() RPCSecrets
}

// ControllerInfo holds information about public keys
type ControllerInfo struct {
	// PublicKey is the public key for a controller which is used to verify the public token
	// that that is transmitted over the wire. These were used to sign the txtKey.
	PublicKey []byte
	// Controller is information for a given controller.
	Controller *pkiverifier.PKIControllerInfo
}

// RPCSecrets includes all the secrets that can be transmitted over
// the RPC interface.
type RPCSecrets struct {
	Key                []byte
	Certificate        []byte
	CA                 []byte
	TrustedControllers []*ControllerInfo
	Token              []byte
	Compressed         claimsheader.CompressionType
}


================================================
FILE: controller/pkg/secrets/test_utils.go
================================================
package secrets

import (
	"crypto/x509"

	"go.aporeto.io/trireme-lib/controller/pkg/claimsheader"
	"go.aporeto.io/trireme-lib/controller/pkg/pkiverifier"
	"go.aporeto.io/trireme-lib/utils/crypto"
)

// Certs
var (
	CAPEM = `-----BEGIN CERTIFICATE-----
MIIBmzCCAUCgAwIBAgIRAIbf7tsXeg6vUJ2pe3WXzgwwCgYIKoZIzj0EAwIwPDEQ
MA4GA1UEChMHQXBvcmV0bzEPMA0GA1UECxMGYXBvbXV4MRcwFQYDVQQDEw5BcG9t
dXggUm9vdCBDQTAeFw0xODA1MDExODM3MjNaFw0yODAzMDkxODM3MjNaMDwxEDAO
BgNVBAoTB0Fwb3JldG8xDzANBgNVBAsTBmFwb211eDEXMBUGA1UEAxMOQXBvbXV4
IFJvb3QgQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQcpOm4VAWyNcI4/WZP
qj9EBu5XWQppyG2LoXVYNv1YCfJBFYuVERxVaZEcUJ0ceE/doFyphS1Ohw3QjqDQ
xakeoyMwITAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjO
PQQDAgNJADBGAiEA+OL+qkSyXwLu6P/75kXBPo8fFGvXyX2vYis0hUAyHJcCIQCn
86EFqkJDkeAguDEKvVtORcnxl+rAP924/PJAHLMh6Q==
-----END CERTIFICATE-----`
	CAKeyPEM = `-----BEGIN EC PRIVATE KEY-----
MHcCAQEEILpUWKqL6Sr+HrKDKLHt/vN6EYi22rJKV2q9xgKmiCqioAoGCCqGSM49
AwEHoUQDQgAEHKTpuFQFsjXCOP1mT6o/RAbuV1kKachti6F1WDb9WAnyQRWLlREc
VWmRHFCdHHhP3aBcqYUtTocN0I6g0MWpHg==
-----END EC PRIVATE KEY-----`
	PrivateKeyPEM = `-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIGx017ukBSUSddLXefL/5nxxaRXuM1H/tUxQAYxWBrQtoAoGCCqGSM49
AwEHoUQDQgAEZKBbcTmg0hGyVcgsUH7xijvaNOJ3EPM3Oq08VdCBsPNAojAR9wfX
KLO/w0SRKj1DL03a9dl1Gwk0r7F0VnPQyw==
-----END EC PRIVATE KEY-----`
	PublicPEM = `-----BEGIN CERTIFICATE-----
MIIBsDCCAVagAwIBAgIRAOmitRugFU+nAhiGsp6fYOwwCgYIKoZIzj0EAwIwPDEQ
MA4GA1UEChMHQXBvcmV0bzEPMA0GA1UECxMGYXBvbXV4MRcwFQYDVQQDEw5BcG9t
dXggUm9vdCBDQTAeFw0xODA1MDExODQwMzFaFw0yODAzMDkxODQwMzFaMDYxETAP
BgNVBAoTCHNvbWUgb3JnMRIwEAYDVQQLEwlzb21lLXVuaXQxDTALBgNVBAMTBHRl
c3QwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARkoFtxOaDSEbJVyCxQfvGKO9o0
4ncQ8zc6rTxV0IGw80CiMBH3B9cos7/DRJEqPUMvTdr12XUbCTSvsXRWc9DLoz8w
PTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMB
MAwGA1UdEwEB/wQCMAAwCgYIKoZIzj0EAwIDSAAwRQIgBNYmLdmHI2gKy2NqfSXn
MEDF56xWq7son2mcSePvLU8CIQCUxgYfDZDf067Y7vqLw1mWMlSnqECELnq7zel1
fXtpyA==
-----END CERTIFICATE-----`
)

// CreateTxtToken creates a transmitter token
func CreateTxtToken() []byte {
	caKey, err := crypto.LoadEllipticCurveKey([]byte(CAKeyPEM))
	if err != nil {
		panic("bad ca key ")
	}

	clientCert, err := crypto.LoadCertificate([]byte(PublicPEM))
	if err != nil {
		panic("bad client cert ")
	}

	p := pkiverifier.NewPKIIssuer(caKey)
	token, err := p.CreateTokenFromCertificate(clientCert, []string{})
	if err != nil {
		panic("can't create token")
	}
	return token
}

// CreateCompactPKITestSecrets creates test secrets
func CreateCompactPKITestSecrets() (*x509.Certificate, Secrets, error) {
	txtKey, err := crypto.LoadEllipticCurveKey([]byte(PrivateKeyPEM))
	if err != nil {
		return nil, nil, err
	}

	cert, err := crypto.LoadCertificate([]byte(PublicPEM))
	if err != nil {
		return nil, nil, err
	}

	issuer := pkiverifier.NewPKIIssuer(txtKey)
	txtToken, err := issuer.CreateTokenFromCertificate(cert, []string{})
	if err != nil {
		return nil, nil, err
	}

	scrts, err := NewCompactPKIWithTokenCA([]byte(PrivateKeyPEM), []byte(PublicPEM), []byte(CAPEM), [][]byte{[]byte(PublicPEM)}, txtToken, claimsheader.CompressionTypeNone)
	if err != nil {
		return nil, nil, err
	}

	return cert, scrts, nil
}


================================================
FILE: controller/pkg/secrets/testhelper/testhelper.go
================================================
package testhelper

import (
	"crypto/x509"

	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/claimsheader"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/pkiverifier"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/secrets"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/secrets/compactpki"
	"go.aporeto.io/enforcerd/trireme-lib/utils/crypto"
)

// **** ATTENTION ****
// This package is only to help other packages to do unit tests.
// It's a very valid question, why arent they using a mock !

// Certs
var (
	caPEM = `-----BEGIN CERTIFICATE-----
MIIBmzCCAUCgAwIBAgIRAIbf7tsXeg6vUJ2pe3WXzgwwCgYIKoZIzj0EAwIwPDEQ
MA4GA1UEChMHQXBvcmV0bzEPMA0GA1UECxMGYXBvbXV4MRcwFQYDVQQDEw5BcG9t
dXggUm9vdCBDQTAeFw0xODA1MDExODM3MjNaFw0yODAzMDkxODM3MjNaMDwxEDAO
BgNVBAoTB0Fwb3JldG8xDzANBgNVBAsTBmFwb211eDEXMBUGA1UEAxMOQXBvbXV4
IFJvb3QgQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQcpOm4VAWyNcI4/WZP
qj9EBu5XWQppyG2LoXVYNv1YCfJBFYuVERxVaZEcUJ0ceE/doFyphS1Ohw3QjqDQ
xakeoyMwITAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjO
PQQDAgNJADBGAiEA+OL+qkSyXwLu6P/75kXBPo8fFGvXyX2vYis0hUAyHJcCIQCn
86EFqkJDkeAguDEKvVtORcnxl+rAP924/PJAHLMh6Q==
-----END CERTIFICATE-----`
	caKeyPEM = `-----BEGIN EC PRIVATE KEY-----
MHcCAQEEILpUWKqL6Sr+HrKDKLHt/vN6EYi22rJKV2q9xgKmiCqioAoGCCqGSM49
AwEHoUQDQgAEHKTpuFQFsjXCOP1mT6o/RAbuV1kKachti6F1WDb9WAnyQRWLlREc
VWmRHFCdHHhP3aBcqYUtTocN0I6g0MWpHg==
-----END EC PRIVATE KEY-----`
	privateKeyPEM = `-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIGx017ukBSUSddLXefL/5nxxaRXuM1H/tUxQAYxWBrQtoAoGCCqGSM49
AwEHoUQDQgAEZKBbcTmg0hGyVcgsUH7xijvaNOJ3EPM3Oq08VdCBsPNAojAR9wfX
KLO/w0SRKj1DL03a9dl1Gwk0r7F0VnPQyw==
-----END EC PRIVATE KEY-----`
	publicPEM = `-----BEGIN CERTIFICATE-----
MIIBsDCCAVagAwIBAgIRAOmitRugFU+nAhiGsp6fYOwwCgYIKoZIzj0EAwIwPDEQ
MA4GA1UEChMHQXBvcmV0bzEPMA0GA1UECxMGYXBvbXV4MRcwFQYDVQQDEw5BcG9t
dXggUm9vdCBDQTAeFw0xODA1MDExODQwMzFaFw0yODAzMDkxODQwMzFaMDYxETAP
BgNVBAoTCHNvbWUgb3JnMRIwEAYDVQQLEwlzb21lLXVuaXQxDTALBgNVBAMTBHRl
c3QwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARkoFtxOaDSEbJVyCxQfvGKO9o0
4ncQ8zc6rTxV0IGw80CiMBH3B9cos7/DRJEqPUMvTdr12XUbCTSvsXRWc9DLoz8w
PTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMB
MAwGA1UdEwEB/wQCMAAwCgYIKoZIzj0EAwIDSAAwRQIgBNYmLdmHI2gKy2NqfSXn
MEDF56xWq7son2mcSePvLU8CIQCUxgYfDZDf067Y7vqLw1mWMlSnqECELnq7zel1
fXtpyA==
-----END CERTIFICATE-----`
)

// createTxtToken creates a transmitter token
func createTxtToken() []byte {
	caKey, err := crypto.LoadEllipticCurveKey([]byte(caKeyPEM))
	if err != nil {
		panic("bad ca key ")
	}

	clientCert, err := crypto.LoadCertificate([]byte(publicPEM))
	if err != nil {
		panic("bad client cert ")
	}

	p := pkiverifier.NewPKIIssuer(caKey)
	token, err := p.CreateTokenFromCertificate(clientCert, []string{})
	if err != nil {
		panic("can't create token")
	}
	return token
}

// NewTestCompactPKISecrets creates test secrets
func NewTestCompactPKISecrets() (*x509.Certificate, secrets.Secrets, error) {
	txtKey, err := crypto.LoadEllipticCurveKey([]byte(privateKeyPEM))
	if err != nil {
		return nil, nil, err
	}

	cert, err := crypto.LoadCertificate([]byte(publicPEM))
	if err != nil {
		return nil, nil, err
	}

	issuer := pkiverifier.NewPKIIssuer(txtKey)
	txtToken, err := issuer.CreateTokenFromCertificate(cert, []string{})
	if err != nil {
		return nil, nil, err
	}

	tokenKey := &secrets.ControllerInfo{
		PublicKey: []byte(publicPEM),
	}

	scrts, err := compactpki.NewCompactPKIWithTokenCA([]byte(privateKeyPEM), []byte(publicPEM), []byte(caPEM), []*secrets.ControllerInfo{tokenKey}, txtToken, claimsheader.CompressionTypeV1)
	if err != nil {
		return nil, nil, err
	}

	return cert, scrts, nil
}


================================================
FILE: controller/pkg/servicetokens/servicetokens.go
================================================
package servicetokens

import (
	"crypto/ecdsa"
	"crypto/x509"
	"fmt"
	"sync"
	"time"

	"github.com/bluele/gcache"
	jwt "github.com/dgrijalva/jwt-go"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/secrets"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
	"go.aporeto.io/enforcerd/trireme-lib/utils/cache"
	"go.uber.org/zap"
)

var (
	localCache = cache.NewCacheWithExpiration("tokens", time.Second*10)
)

// JWTClaims is the structure of the claims we are sending on the wire.
type JWTClaims struct {
	jwt.StandardClaims
	Scopes      []string
	Profile     []string
	Data        map[string]string
	PingPayload *policy.PingPayload `json:",omitempty"`
}

// Verifier keeps all the structures for processing tokens.
type Verifier struct {
	secrets    secrets.Secrets
	globalCert *x509.Certificate
	tokenCache gcache.Cache
	sync.RWMutex
}

// NewVerifier creates a new Aporeto JWT Verifier. The globalCertificate is optional
// and is needed for configurations that do not transmit the token over the wire.
func NewVerifier(s secrets.Secrets, globalCertificate *x509.Certificate) *Verifier {
	return &Verifier{
		secrets:    s,
		globalCert: globalCertificate,
		// tokenCache will cache the token results to accelerate performance
		tokenCache: gcache.New(2048).LRU().Expiration(20 * time.Second).Build(),
	}
}

// ParseToken parses and validates the JWT token, give the publicKey. It returns the scopes
// the identity and the subject of the provided token. These tokens are strictly
// signed with EC.
// TODO: We can be more flexible with the algorithm selection here.
func (p *Verifier) ParseToken(token string, publicKey string) (string, []string, []string, *policy.PingPayload, error) {
	p.RLock()
	defer p.RUnlock()

	if data, _ := p.tokenCache.Get(token); data != nil {
		claims := data.(*JWTClaims)
		return claims.Subject, claims.Scopes, claims.Profile, claims.PingPayload, nil
	}

	// if a public key is transmitted in the wire, we need to verify its validity and use it.
	// Otherwise we use the public key of the stored secrets.
	var key *ecdsa.PublicKey
	var ok bool
	var enforcerclaims []string

	if len(publicKey) > 0 {
		// Public keys are cached and verified and they are the compact keys
		// that we transmit in all other requests signed by the CA. These keys
		// are not full certificates.
		gKey, rootClaims, _, _, err := p.secrets.KeyAndClaims([]byte(publicKey))
		if err != nil {
			return "", nil, nil, nil, fmt.Errorf("Cannot validate public key: %s", err)
		}
		enforcerclaims = rootClaims
		key, ok = gKey.(*ecdsa.PublicKey)
		if !ok {
			return "", nil, nil, nil, fmt.Errorf("Provided public key not supported")
		}
	} else {
		if p.globalCert == nil {
			return "", nil, nil, nil, fmt.Errorf("Cannot validate global public key")
		}
		key, ok = p.globalCert.PublicKey.(*ecdsa.PublicKey)
		if !ok {
			return "", nil, nil, nil, fmt.Errorf("Global public key is not supported")
		}
	}

	claims := &JWTClaims{}
	if _, err := jwt.ParseWithClaims(token, claims, func(*jwt.Token) (interface{}, error) { // nolint
		return key, nil
	}); err != nil {
		return "", nil, nil, nil, err
	}
	claims.Profile = append(claims.Profile, enforcerclaims...)
	if err := p.tokenCache.Set(token, claims); err != nil {
		zap.L().Error("Failed to cache token", zap.Error(err))
	}

	for k, v := range claims.Data {
		claims.Scopes = append(claims.Scopes, "data:"+k+"="+v)
	}
	return claims.Subject, claims.Scopes, claims.Profile, claims.PingPayload, nil
}

// UpdateSecrets updates the secrets of the token Verifier.
func (p *Verifier) UpdateSecrets(s secrets.Secrets, globalCert *x509.Certificate) {
	p.Lock()
	defer p.Unlock()

	p.secrets = s
	p.globalCert = globalCert
}

// CreateAndSign creates a new JWT token based on the Aporeto identities.
func CreateAndSign(server string, profile, scopes []string, id string, validity time.Duration, gkey interface{}, pingPayload *policy.PingPayload) (string, error) {
	key, ok := gkey.(*ecdsa.PrivateKey)
	if !ok {
		return "", fmt.Errorf("Not a valid private key format")
	}
	if token, err := localCache.Get(id); err == nil {
		return token.(string), nil
	}
	claims := &JWTClaims{
		StandardClaims: jwt.StandardClaims{
			Issuer:    server,
			ExpiresAt: time.Now().Add(validity).Unix(),
			Subject:   id,
		},
		Profile:     profile,
		Scopes:      scopes,
		PingPayload: pingPayload,
	}

	token, err := jwt.NewWithClaims(jwt.SigningMethodES256, claims).SignedString(key)
	if err != nil {
		return "", err
	}

	// pingPayload should be nil for non-ping requests. If pingPayload is not nil,
	// we disable the token caching.
	if pingPayload == nil {
		localCache.AddOrUpdate(id, token)
	}
	return token, nil
}


================================================
FILE: controller/pkg/tokens/binarycodec.go
================================================
// +build go1.6

// Code generated by codecgen - DO NOT EDIT.

package tokens

import (
	"errors"
	pkg3_jwt_go "github.com/dgrijalva/jwt-go"
	codec1978 "github.com/ugorji/go/codec"
	pkg2_claimsheader "go.aporeto.io/enforcerd/trireme-lib/controller/pkg/claimsheader"
	pkg1_policy "go.aporeto.io/enforcerd/trireme-lib/policy"
	"runtime"
	"strconv"
)

const (
	// ----- content types ----
	codecSelferCcUTF88267 = 1
	codecSelferCcRAW8267  = 255
	// ----- value types used ----
	codecSelferValueTypeArray8267     = 10
	codecSelferValueTypeMap8267       = 9
	codecSelferValueTypeString8267    = 6
	codecSelferValueTypeInt8267       = 2
	codecSelferValueTypeUint8267      = 3
	codecSelferValueTypeFloat8267     = 4
	codecSelferValueTypeNil8267       = 1
	codecSelferBitsize8267            = uint8(32 << (^uint(0) >> 63))
	codecSelferDecContainerLenNil8267 = -2147483648
)

var (
	errCodecSelferOnlyMapOrArrayEncodeToStruct8267 = errors.New(`only encoded map or array can be decoded into a struct`)
)

type codecSelfer8267 struct{}

func codecSelfer8267False() bool { return false }
func codecSelfer8267True() bool  { return true }

func init() {
	if codec1978.GenVersion != 21 {
		_, file, _, _ := runtime.Caller(0)
		ver := strconv.FormatInt(int64(codec1978.GenVersion), 10)
		panic(errors.New("codecgen version mismatch: current: 21, need " + ver + ". Re-generate file: " + file))
	}
	if false { // reference the types, but skip this branch at build/run time
		var _ pkg3_jwt_go.StandardClaims
		var _ pkg2_claimsheader.HeaderBytes
		var _ pkg1_policy.PingPayload
	}
}

func (x *BinaryJWTClaims) CodecEncodeSelf(e *codec1978.Encoder) {
	var h codecSelfer8267
	z, r := codec1978.GenHelper().Encoder(e)
	_, _, _ = h, z, r
	if x == nil {
		r.EncodeNil()
	} else {
		yy2arr2 := z.EncBasicHandle().StructToArray
		_ = yy2arr2
		const yyr2 bool = false // struct tag has 'toArray'
		var yyn12 bool = x.P == nil
		var yyq2 = [12]bool{ // should field at this index be written?
			len(x.T) != 0,         // T
			len(x.CT) != 0,        // CT
			len(x.RMT) != 0,       // RMT
			len(x.LCL) != 0,       // LCL
			len(x.DEK) != 0,       // DEK
			len(x.SDEK) != 0,      // SDEK
			x.ID != "",            // ID
			x.ExpiresAt != 0,      // ExpiresAt
			len(x.SignerKey) != 0, // SignerKey
			x.P != nil,            // P
			len(x.DEKV2) != 0,     // DEKV2
			len(x.SDEKV2) != 0,    // SDEKV2
		}
		_ = yyq2
		if yyr2 || yy2arr2 {
			z.EncWriteArrayStart(12)
			z.EncWriteArrayElem()
			if yyq2[0] {
				if x.T == nil {
					r.EncodeNil()
				} else {
					z.F.EncSliceStringV(x.T, e)
				} // end block: if x.T slice == nil
			} else {
				r.EncodeNil()
			}
			z.EncWriteArrayElem()
			if yyq2[1] {
				if x.CT == nil {
					r.EncodeNil()
				} else {
					z.F.EncSliceStringV(x.CT, e)
				} // end block: if x.CT slice == nil
			} else {
				r.EncodeNil()
			}
			z.EncWriteArrayElem()
			if yyq2[2] {
				if x.RMT == nil {
					r.EncodeNil()
				} else {
					r.EncodeStringBytesRaw([]byte(x.RMT))
				} // end block: if x.RMT slice == nil
			} else {
				r.EncodeNil()
			}
			z.EncWriteArrayElem()
			if yyq2[3] {
				if x.LCL == nil {
					r.EncodeNil()
				} else {
					r.EncodeStringBytesRaw([]byte(x.LCL))
				} // end block: if x.LCL slice == nil
			} else {
				r.EncodeNil()
			}
			z.EncWriteArrayElem()
			if yyq2[4] {
				if x.DEK == nil {
					r.EncodeNil()
				} else {
					r.EncodeStringBytesRaw([]byte(x.DEK))
				} // end block: if x.DEK slice == nil
			} else {
				r.EncodeNil()
			}
			z.EncWriteArrayElem()
			if yyq2[5] {
				if x.SDEK == nil {
					r.EncodeNil()
				} else {
					r.EncodeStringBytesRaw([]byte(x.SDEK))
				} // end block: if x.SDEK slice == nil
			} else {
				r.EncodeNil()
			}
			z.EncWriteArrayElem()
			if yyq2[6] {
				r.EncodeString(string(x.ID))
			} else {
				r.EncodeString("")
			}
			z.EncWriteArrayElem()
			if yyq2[7] {
				r.EncodeInt(int64(x.ExpiresAt))
			} else {
				r.EncodeInt(0)
			}
			z.EncWriteArrayElem()
			if yyq2[8] {
				if x.SignerKey == nil {
					r.EncodeNil()
				} else {
					r.EncodeStringBytesRaw([]byte(x.SignerKey))
				} // end block: if x.SignerKey slice == nil
			} else {
				r.EncodeNil()
			}
			if yyn12 {
				z.EncWriteArrayElem()
				r.EncodeNil()
			} else {
				z.EncWriteArrayElem()
				if yyq2[9] {
					if yyxt24 := z.Extension(x.P); yyxt24 != nil {
						z.EncExtension(x.P, yyxt24)
					} else {
						z.EncFallback(x.P)
					}
				} else {
					r.EncodeNil()
				}
			}
			z.EncWriteArrayElem()
			if yyq2[10] {
				if x.DEKV2 == nil {
					r.EncodeNil()
				} else {
					r.EncodeStringBytesRaw([]byte(x.DEKV2))
				} // end block: if x.DEKV2 slice == nil
			} else {
				r.EncodeNil()
			}
			z.EncWriteArrayElem()
			if yyq2[11] {
				if x.SDEKV2 == nil {
					r.EncodeNil()
				} else {
					r.EncodeStringBytesRaw([]byte(x.SDEKV2))
				} // end block: if x.SDEKV2 slice == nil
			} else {
				r.EncodeNil()
			}
			z.EncWriteArrayEnd()
		} else {
			var yynn2 int
			for _, b := range yyq2 {
				if b {
					yynn2++
				}
			}
			z.EncWriteMapStart(yynn2)
			yynn2 = 0
			if yyq2[0] {
				z.EncWriteMapElemKey()
				if z.IsJSONHandle() {
					z.WriteStr("\"T\"")
				} else {
					r.EncodeString(`T`)
				}
				z.EncWriteMapElemValue()
				if x.T == nil {
					r.EncodeNil()
				} else {
					z.F.EncSliceStringV(x.T, e)
				} // end block: if x.T slice == nil
			}
			if yyq2[1] {
				z.EncWriteMapElemKey()
				if z.IsJSONHandle() {
					z.WriteStr("\"CT\"")
				} else {
					r.EncodeString(`CT`)
				}
				z.EncWriteMapElemValue()
				if x.CT == nil {
					r.EncodeNil()
				} else {
					z.F.EncSliceStringV(x.CT, e)
				} // end block: if x.CT slice == nil
			}
			if yyq2[2] {
				z.EncWriteMapElemKey()
				if z.IsJSONHandle() {
					z.WriteStr("\"RMT\"")
				} else {
					r.EncodeString(`RMT`)
				}
				z.EncWriteMapElemValue()
				if x.RMT == nil {
					r.EncodeNil()
				} else {
					r.EncodeStringBytesRaw([]byte(x.RMT))
				} // end block: if x.RMT slice == nil
			}
			if yyq2[3] {
				z.EncWriteMapElemKey()
				if z.IsJSONHandle() {
					z.WriteStr("\"LCL\"")
				} else {
					r.EncodeString(`LCL`)
				}
				z.EncWriteMapElemValue()
				if x.LCL == nil {
					r.EncodeNil()
				} else {
					r.EncodeStringBytesRaw([]byte(x.LCL))
				} // end block: if x.LCL slice == nil
			}
			if yyq2[4] {
				z.EncWriteMapElemKey()
				if z.IsJSONHandle() {
					z.WriteStr("\"DEK\"")
				} else {
					r.EncodeString(`DEK`)
				}
				z.EncWriteMapElemValue()
				if x.DEK == nil {
					r.EncodeNil()
				} else {
					r.EncodeStringBytesRaw([]byte(x.DEK))
				} // end block: if x.DEK slice == nil
			}
			if yyq2[5] {
				z.EncWriteMapElemKey()
				if z.IsJSONHandle() {
					z.WriteStr("\"SDEK\"")
				} else {
					r.EncodeString(`SDEK`)
				}
				z.EncWriteMapElemValue()
				if x.SDEK == nil {
					r.EncodeNil()
				} else {
					r.EncodeStringBytesRaw([]byte(x.SDEK))
				} // end block: if x.SDEK slice == nil
			}
			if yyq2[6] {
				z.EncWriteMapElemKey()
				if z.IsJSONHandle() {
					z.WriteStr("\"ID\"")
				} else {
					r.EncodeString(`ID`)
				}
				z.EncWriteMapElemValue()
				r.EncodeString(string(x.ID))
			}
			if yyq2[7] {
				z.EncWriteMapElemKey()
				if z.IsJSONHandle() {
					z.WriteStr("\"ExpiresAt\"")
				} else {
					r.EncodeString(`ExpiresAt`)
				}
				z.EncWriteMapElemValue()
				r.EncodeInt(int64(x.ExpiresAt))
			}
			if yyq2[8] {
				z.EncWriteMapElemKey()
				if z.IsJSONHandle() {
					z.WriteStr("\"SignerKey\"")
				} else {
					r.EncodeString(`SignerKey`)
				}
				z.EncWriteMapElemValue()
				if x.SignerKey == nil {
					r.EncodeNil()
				} else {
					r.EncodeStringBytesRaw([]byte(x.SignerKey))
				} // end block: if x.SignerKey slice == nil
			}
			if yyq2[9] {
				z.EncWriteMapElemKey()
				if z.IsJSONHandle() {
					z.WriteStr("\"P\"")
				} else {
					r.EncodeString(`P`)
				}
				z.EncWriteMapElemValue()
				if yyn12 {
					r.EncodeNil()
				} else {
					if yyxt36 := z.Extension(x.P); yyxt36 != nil {
						z.EncExtension(x.P, yyxt36)
					} else {
						z.EncFallback(x.P)
					}
				}
			}
			if yyq2[10] {
				z.EncWriteMapElemKey()
				if z.IsJSONHandle() {
					z.WriteStr("\"DEKV2\"")
				} else {
					r.EncodeString(`DEKV2`)
				}
				z.EncWriteMapElemValue()
				if x.DEKV2 == nil {
					r.EncodeNil()
				} else {
					r.EncodeStringBytesRaw([]byte(x.DEKV2))
				} // end block: if x.DEKV2 slice == nil
			}
			if yyq2[11] {
				z.EncWriteMapElemKey()
				if z.IsJSONHandle() {
					z.WriteStr("\"SDEKV2\"")
				} else {
					r.EncodeString(`SDEKV2`)
				}
				z.EncWriteMapElemValue()
				if x.SDEKV2 == nil {
					r.EncodeNil()
				} else {
					r.EncodeStringBytesRaw([]byte(x.SDEKV2))
				} // end block: if x.SDEKV2 slice == nil
			}
			z.EncWriteMapEnd()
		}
	}
}

func (x *BinaryJWTClaims) CodecDecodeSelf(d *codec1978.Decoder) {
	var h codecSelfer8267
	z, r := codec1978.GenHelper().Decoder(d)
	_, _, _ = h, z, r
	yyct2 := r.ContainerType()
	if yyct2 == codecSelferValueTypeNil8267 {
		*(x) = BinaryJWTClaims{}
	} else if yyct2 == codecSelferValueTypeMap8267 {
		yyl2 := z.DecReadMapStart()
		if yyl2 == 0 {
		} else {
			x.codecDecodeSelfFromMap(yyl2, d)
		}
		z.DecReadMapEnd()
	} else if yyct2 == codecSelferValueTypeArray8267 {
		yyl2 := z.DecReadArrayStart()
		if yyl2 != 0 {
			x.codecDecodeSelfFromArray(yyl2, d)
		}
		z.DecReadArrayEnd()
	} else {
		panic(errCodecSelferOnlyMapOrArrayEncodeToStruct8267)
	}
}

func (x *BinaryJWTClaims) codecDecodeSelfFromMap(l int, d *codec1978.Decoder) {
	var h codecSelfer8267
	z, r := codec1978.GenHelper().Decoder(d)
	_, _, _ = h, z, r
	var yyhl3 bool = l >= 0
	for yyj3 := 0; ; yyj3++ {
		if yyhl3 {
			if yyj3 >= l {
				break
			}
		} else {
			if z.DecCheckBreak() {
				break
			}
		}
		z.DecReadMapElemKey()
		yys3 := r.DecodeStringAsBytes()
		z.DecReadMapElemValue()
		switch string(yys3) {
		case "T":
			z.F.DecSliceStringX(&x.T, d)
		case "CT":
			z.F.DecSliceStringX(&x.CT, d)
		case "RMT":
			x.RMT = z.DecodeBytesInto(([]byte)(x.RMT))
		case "LCL":
			x.LCL = z.DecodeBytesInto(([]byte)(x.LCL))
		case "DEK":
			x.DEK = z.DecodeBytesInto(([]byte)(x.DEK))
		case "SDEK":
			x.SDEK = z.DecodeBytesInto(([]byte)(x.SDEK))
		case "ID":
			x.ID = (string)(z.DecStringZC(r.DecodeStringAsBytes()))
		case "ExpiresAt":
			x.ExpiresAt = (int64)(r.DecodeInt64())
		case "SignerKey":
			x.SignerKey = z.DecodeBytesInto(([]byte)(x.SignerKey))
		case "P":
			if r.TryNil() {
				if x.P != nil { // remove the if-true
					x.P = nil
				}
			} else {
				if x.P == nil {
					x.P = new(pkg1_policy.PingPayload)
				}
				if yyxt21 := z.Extension(x.P); yyxt21 != nil {
					z.DecExtension(x.P, yyxt21)
				} else {
					z.DecFallback(x.P, false)
				}
			}
		case "DEKV2":
			x.DEKV2 = z.DecodeBytesInto(([]byte)(x.DEKV2))
		case "SDEKV2":
			x.SDEKV2 = z.DecodeBytesInto(([]byte)(x.SDEKV2))
		default:
			z.DecStructFieldNotFound(-1, string(yys3))
		} // end switch yys3
	} // end for yyj3
}

func (x *BinaryJWTClaims) codecDecodeSelfFromArray(l int, d *codec1978.Decoder) {
	var h codecSelfer8267
	z, r := codec1978.GenHelper().Decoder(d)
	_, _, _ = h, z, r
	var yyj26 int
	var yyb26 bool
	var yyhl26 bool = l >= 0
	yyj26++
	if yyhl26 {
		yyb26 = yyj26 > l
	} else {
		yyb26 = z.DecCheckBreak()
	}
	if yyb26 {
		z.DecReadArrayEnd()
		return
	}
	z.DecReadArrayElem()
	z.F.DecSliceStringX(&x.T, d)
	yyj26++
	if yyhl26 {
		yyb26 = yyj26 > l
	} else {
		yyb26 = z.DecCheckBreak()
	}
	if yyb26 {
		z.DecReadArrayEnd()
		return
	}
	z.DecReadArrayElem()
	z.F.DecSliceStringX(&x.CT, d)
	yyj26++
	if yyhl26 {
		yyb26 = yyj26 > l
	} else {
		yyb26 = z.DecCheckBreak()
	}
	if yyb26 {
		z.DecReadArrayEnd()
		return
	}
	z.DecReadArrayElem()
	x.RMT = z.DecodeBytesInto(([]byte)(x.RMT))
	yyj26++
	if yyhl26 {
		yyb26 = yyj26 > l
	} else {
		yyb26 = z.DecCheckBreak()
	}
	if yyb26 {
		z.DecReadArrayEnd()
		return
	}
	z.DecReadArrayElem()
	x.LCL = z.DecodeBytesInto(([]byte)(x.LCL))
	yyj26++
	if yyhl26 {
		yyb26 = yyj26 > l
	} else {
		yyb26 = z.DecCheckBreak()
	}
	if yyb26 {
		z.DecReadArrayEnd()
		return
	}
	z.DecReadArrayElem()
	x.DEK = z.DecodeBytesInto(([]byte)(x.DEK))
	yyj26++
	if yyhl26 {
		yyb26 = yyj26 > l
	} else {
		yyb26 = z.DecCheckBreak()
	}
	if yyb26 {
		z.DecReadArrayEnd()
		return
	}
	z.DecReadArrayElem()
	x.SDEK = z.DecodeBytesInto(([]byte)(x.SDEK))
	yyj26++
	if yyhl26 {
		yyb26 = yyj26 > l
	} else {
		yyb26 = z.DecCheckBreak()
	}
	if yyb26 {
		z.DecReadArrayEnd()
		return
	}
	z.DecReadArrayElem()
	x.ID = (string)(z.DecStringZC(r.DecodeStringAsBytes()))
	yyj26++
	if yyhl26 {
		yyb26 = yyj26 > l
	} else {
		yyb26 = z.DecCheckBreak()
	}
	if yyb26 {
		z.DecReadArrayEnd()
		return
	}
	z.DecReadArrayElem()
	x.ExpiresAt = (int64)(r.DecodeInt64())
	yyj26++
	if yyhl26 {
		yyb26 = yyj26 > l
	} else {
		yyb26 = z.DecCheckBreak()
	}
	if yyb26 {
		z.DecReadArrayEnd()
		return
	}
	z.DecReadArrayElem()
	x.SignerKey = z.DecodeBytesInto(([]byte)(x.SignerKey))
	yyj26++
	if yyhl26 {
		yyb26 = yyj26 > l
	} else {
		yyb26 = z.DecCheckBreak()
	}
	if yyb26 {
		z.DecReadArrayEnd()
		return
	}
	z.DecReadArrayElem()
	if r.TryNil() {
		if x.P != nil { // remove the if-true
			x.P = nil
		}
	} else {
		if x.P == nil {
			x.P = new(pkg1_policy.PingPayload)
		}
		if yyxt44 := z.Extension(x.P); yyxt44 != nil {
			z.DecExtension(x.P, yyxt44)
		} else {
			z.DecFallback(x.P, false)
		}
	}
	yyj26++
	if yyhl26 {
		yyb26 = yyj26 > l
	} else {
		yyb26 = z.DecCheckBreak()
	}
	if yyb26 {
		z.DecReadArrayEnd()
		return
	}
	z.DecReadArrayElem()
	x.DEKV2 = z.DecodeBytesInto(([]byte)(x.DEKV2))
	yyj26++
	if yyhl26 {
		yyb26 = yyj26 > l
	} else {
		yyb26 = z.DecCheckBreak()
	}
	if yyb26 {
		z.DecReadArrayEnd()
		return
	}
	z.DecReadArrayElem()
	x.SDEKV2 = z.DecodeBytesInto(([]byte)(x.SDEKV2))
	for {
		yyj26++
		if yyhl26 {
			yyb26 = yyj26 > l
		} else {
			yyb26 = z.DecCheckBreak()
		}
		if yyb26 {
			break
		}
		z.DecReadArrayElem()
		z.DecStructFieldNotFound(yyj26-1, "")
	}
}

func (x *BinaryJWTClaims) IsCodecEmpty() bool {
	return !(len(x.T) != 0 || len(x.CT) != 0 || len(x.RMT) != 0 || len(x.LCL) != 0 || len(x.DEK) != 0 || len(x.SDEK) != 0 || x.ID != "" || x.ExpiresAt != 0 || len(x.SignerKey) != 0 || len(x.DEKV2) != 0 || len(x.SDEKV2) != 0 || false)
}

func (x *JWTClaims) CodecEncodeSelf(e *codec1978.Encoder) {
	var h codecSelfer8267
	z, r := codec1978.GenHelper().Encoder(e)
	_, _, _ = h, z, r
	if x == nil {
		r.EncodeNil()
	} else {
		yy2arr2 := z.EncBasicHandle().StructToArray
		_ = yy2arr2
		const yyr2 bool = false // struct tag has 'toArray'
		var yyn3 bool = x.ConnectionClaims == nil || x.ConnectionClaims.T == nil
		var yyn4 bool = x.ConnectionClaims == nil
		var yyn5 bool = x.ConnectionClaims == nil
		var yyn6 bool = x.ConnectionClaims == nil
		var yyn7 bool = x.ConnectionClaims == nil
		var yyn8 bool = x.ConnectionClaims == nil || x.ConnectionClaims.CT == nil
		var yyn9 bool = x.ConnectionClaims == nil
		var yyn10 bool = x.ConnectionClaims == nil
		var yyn11 bool = x.ConnectionClaims == nil
		var yyn12 bool = x.ConnectionClaims == nil || x.ConnectionClaims.P == nil
		var yyn13 bool = x.ConnectionClaims == nil
		var yyn14 bool = x.ConnectionClaims == nil
		var yyq2 = [19]bool{ // should field at this index be written?
			x.ConnectionClaims != nil && x.T != nil,         // T
			x.ConnectionClaims != nil && len(x.RMT) != 0,    // RMT
			x.ConnectionClaims != nil && len(x.LCL) != 0,    // LCL
			x.ConnectionClaims != nil && len(x.DEKV1) != 0,  // DEKV1
			x.ConnectionClaims != nil && len(x.SDEKV1) != 0, // SDEKV1
			x.ConnectionClaims != nil && x.CT != nil,        // CT
			x.ConnectionClaims != nil && x.ID != "",         // ID
			x.ConnectionClaims != nil && x.RemoteID != "",   // RemoteID
			x.ConnectionClaims != nil && len(x.H) != 0,      // H
			x.ConnectionClaims != nil && x.P != nil,         // P
			x.ConnectionClaims != nil && len(x.DEKV2) != 0,  // DEKV2
			x.ConnectionClaims != nil && len(x.SDEKV2) != 0, // SDEKV2
			x.Audience != "", // aud
			x.ExpiresAt != 0, // exp
			x.Id != "",       // jti
			x.IssuedAt != 0,  // iat
			x.Issuer != "",   // iss
			x.NotBefore != 0, // nbf
			x.Subject != "",  // sub
		}
		_ = yyq2
		if yyr2 || yy2arr2 {
			z.EncWriteArrayStart(19)
			if yyn3 {
				z.EncWriteArrayElem()
				r.EncodeNil()
			} else {
				z.EncWriteArrayElem()
				if yyq2[0] {
					if yyxt22 := z.Extension(x.ConnectionClaims.T); yyxt22 != nil {
						z.EncExtension(x.ConnectionClaims.T, yyxt22)
					} else if !z.EncBinary() && z.IsJSONHandle() {
						z.EncJSONMarshal(x.ConnectionClaims.T)
					} else {
						z.EncFallback(x.ConnectionClaims.T)
					}
				} else {
					r.EncodeNil()
				}
			}
			if yyn4 {
				z.EncWriteArrayElem()
				r.EncodeNil()
			} else {
				z.EncWriteArrayElem()
				if yyq2[1] {
					if x.ConnectionClaims.RMT == nil {
						r.EncodeNil()
					} else {
						r.EncodeStringBytesRaw([]byte(x.ConnectionClaims.RMT))
					} // end block: if x.ConnectionClaims.RMT slice == nil
				} else {
					r.EncodeNil()
				}
			}
			if yyn5 {
				z.EncWriteArrayElem()
				r.EncodeNil()
			} else {
				z.EncWriteArrayElem()
				if yyq2[2] {
					if x.ConnectionClaims.LCL == nil {
						r.EncodeNil()
					} else {
						r.EncodeStringBytesRaw([]byte(x.ConnectionClaims.LCL))
					} // end block: if x.ConnectionClaims.LCL slice == nil
				} else {
					r.EncodeNil()
				}
			}
			if yyn6 {
				z.EncWriteArrayElem()
				r.EncodeNil()
			} else {
				z.EncWriteArrayElem()
				if yyq2[3] {
					if x.ConnectionClaims.DEKV1 == nil {
						r.EncodeNil()
					} else {
						r.EncodeStringBytesRaw([]byte(x.ConnectionClaims.DEKV1))
					} // end block: if x.ConnectionClaims.DEKV1 slice == nil
				} else {
					r.EncodeNil()
				}
			}
			if yyn7 {
				z.EncWriteArrayElem()
				r.EncodeNil()
			} else {
				z.EncWriteArrayElem()
				if yyq2[4] {
					if x.ConnectionClaims.SDEKV1 == nil {
						r.EncodeNil()
					} else {
						r.EncodeStringBytesRaw([]byte(x.ConnectionClaims.SDEKV1))
					} // end block: if x.ConnectionClaims.SDEKV1 slice == nil
				} else {
					r.EncodeNil()
				}
			}
			if yyn8 {
				z.EncWriteArrayElem()
				r.EncodeNil()
			} else {
				z.EncWriteArrayElem()
				if yyq2[5] {
					if yyxt27 := z.Extension(x.ConnectionClaims.CT); yyxt27 != nil {
						z.EncExtension(x.ConnectionClaims.CT, yyxt27)
					} else if !z.EncBinary() && z.IsJSONHandle() {
						z.EncJSONMarshal(x.ConnectionClaims.CT)
					} else {
						z.EncFallback(x.ConnectionClaims.CT)
					}
				} else {
					r.EncodeNil()
				}
			}
			if yyn9 {
				z.EncWriteArrayElem()
				r.EncodeNil()
			} else {
				z.EncWriteArrayElem()
				if yyq2[6] {
					r.EncodeString(string(x.ConnectionClaims.ID))
				} else {
					r.EncodeString("")
				}
			}
			if yyn10 {
				z.EncWriteArrayElem()
				r.EncodeNil()
			} else {
				z.EncWriteArrayElem()
				if yyq2[7] {
					r.EncodeString(string(x.ConnectionClaims.RemoteID))
				} else {
					r.EncodeString("")
				}
			}
			if yyn11 {
				z.EncWriteArrayElem()
				r.EncodeNil()
			} else {
				z.EncWriteArrayElem()
				if yyq2[8] {
					if yyxt30 := z.Extension(x.ConnectionClaims.H); yyxt30 != nil {
						z.EncExtension(x.ConnectionClaims.H, yyxt30)
					} else {
						if x.ConnectionClaims.H == nil {
							r.EncodeNil()
						} else {
							h.encclaimsheader_HeaderBytes((pkg2_claimsheader.HeaderBytes)(x.ConnectionClaims.H), e)
						} // end block: if x.ConnectionClaims.H slice == nil
					}
				} else {
					r.EncodeNil()
				}
			}
			if yyn12 {
				z.EncWriteArrayElem()
				r.EncodeNil()
			} else {
				z.EncWriteArrayElem()
				if yyq2[9] {
					if yyxt31 := z.Extension(x.ConnectionClaims.P); yyxt31 != nil {
						z.EncExtension(x.ConnectionClaims.P, yyxt31)
					} else {
						z.EncFallback(x.ConnectionClaims.P)
					}
				} else {
					r.EncodeNil()
				}
			}
			if yyn13 {
				z.EncWriteArrayElem()
				r.EncodeNil()
			} else {
				z.EncWriteArrayElem()
				if yyq2[10] {
					if x.ConnectionClaims.DEKV2 == nil {
						r.EncodeNil()
					} else {
						r.EncodeStringBytesRaw([]byte(x.ConnectionClaims.DEKV2))
					} // end block: if x.ConnectionClaims.DEKV2 slice == nil
				} else {
					r.EncodeNil()
				}
			}
			if yyn14 {
				z.EncWriteArrayElem()
				r.EncodeNil()
			} else {
				z.EncWriteArrayElem()
				if yyq2[11] {
					if x.ConnectionClaims.SDEKV2 == nil {
						r.EncodeNil()
					} else {
						r.EncodeStringBytesRaw([]byte(x.ConnectionClaims.SDEKV2))
					} // end block: if x.ConnectionClaims.SDEKV2 slice == nil
				} else {
					r.EncodeNil()
				}
			}
			z.EncWriteArrayElem()
			if yyq2[12] {
				r.EncodeString(string(x.StandardClaims.Audience))
			} else {
				r.EncodeString("")
			}
			z.EncWriteArrayElem()
			if yyq2[13] {
				r.EncodeInt(int64(x.StandardClaims.ExpiresAt))
			} else {
				r.EncodeInt(0)
			}
			z.EncWriteArrayElem()
			if yyq2[14] {
				r.EncodeString(string(x.StandardClaims.Id))
			} else {
				r.EncodeString("")
			}
			z.EncWriteArrayElem()
			if yyq2[15] {
				r.EncodeInt(int64(x.StandardClaims.IssuedAt))
			} else {
				r.EncodeInt(0)
			}
			z.EncWriteArrayElem()
			if yyq2[16] {
				r.EncodeString(string(x.StandardClaims.Issuer))
			} else {
				r.EncodeString("")
			}
			z.EncWriteArrayElem()
			if yyq2[17] {
				r.EncodeInt(int64(x.StandardClaims.NotBefore))
			} else {
				r.EncodeInt(0)
			}
			z.EncWriteArrayElem()
			if yyq2[18] {
				r.EncodeString(string(x.StandardClaims.Subject))
			} else {
				r.EncodeString("")
			}
			z.EncWriteArrayEnd()
		} else {
			var yynn2 int
			for _, b := range yyq2 {
				if b {
					yynn2++
				}
			}
			z.EncWriteMapStart(yynn2)
			yynn2 = 0
			if yyq2[0] {
				z.EncWriteMapElemKey()
				if z.IsJSONHandle() {
					z.WriteStr("\"T\"")
				} else {
					r.EncodeString(`T`)
				}
				z.EncWriteMapElemValue()
				if yyn3 {
					r.EncodeNil()
				} else {
					if yyxt41 := z.Extension(x.ConnectionClaims.T); yyxt41 != nil {
						z.EncExtension(x.ConnectionClaims.T, yyxt41)
					} else if !z.EncBinary() && z.IsJSONHandle() {
						z.EncJSONMarshal(x.ConnectionClaims.T)
					} else {
						z.EncFallback(x.ConnectionClaims.T)
					}
				}
			}
			if yyq2[1] {
				z.EncWriteMapElemKey()
				if z.IsJSONHandle() {
					z.WriteStr("\"RMT\"")
				} else {
					r.EncodeString(`RMT`)
				}
				z.EncWriteMapElemValue()
				if yyn4 {
					r.EncodeNil()
				} else {
					if x.ConnectionClaims.RMT == nil {
						r.EncodeNil()
					} else {
						r.EncodeStringBytesRaw([]byte(x.ConnectionClaims.RMT))
					} // end block: if x.ConnectionClaims.RMT slice == nil
				}
			}
			if yyq2[2] {
				z.EncWriteMapElemKey()
				if z.IsJSONHandle() {
					z.WriteStr("\"LCL\"")
				} else {
					r.EncodeString(`LCL`)
				}
				z.EncWriteMapElemValue()
				if yyn5 {
					r.EncodeNil()
				} else {
					if x.ConnectionClaims.LCL == nil {
						r.EncodeNil()
					} else {
						r.EncodeStringBytesRaw([]byte(x.ConnectionClaims.LCL))
					} // end block: if x.ConnectionClaims.LCL slice == nil
				}
			}
			if yyq2[3] {
				z.EncWriteMapElemKey()
				if z.IsJSONHandle() {
					z.WriteStr("\"DEKV1\"")
				} else {
					r.EncodeString(`DEKV1`)
				}
				z.EncWriteMapElemValue()
				if yyn6 {
					r.EncodeNil()
				} else {
					if x.ConnectionClaims.DEKV1 == nil {
						r.EncodeNil()
					} else {
						r.EncodeStringBytesRaw([]byte(x.ConnectionClaims.DEKV1))
					} // end block: if x.ConnectionClaims.DEKV1 slice == nil
				}
			}
			if yyq2[4] {
				z.EncWriteMapElemKey()
				if z.IsJSONHandle() {
					z.WriteStr("\"SDEKV1\"")
				} else {
					r.EncodeString(`SDEKV1`)
				}
				z.EncWriteMapElemValue()
				if yyn7 {
					r.EncodeNil()
				} else {
					if x.ConnectionClaims.SDEKV1 == nil {
						r.EncodeNil()
					} else {
						r.EncodeStringBytesRaw([]byte(x.ConnectionClaims.SDEKV1))
					} // end block: if x.ConnectionClaims.SDEKV1 slice == nil
				}
			}
			if yyq2[5] {
				z.EncWriteMapElemKey()
				if z.IsJSONHandle() {
					z.WriteStr("\"CT\"")
				} else {
					r.EncodeString(`CT`)
				}
				z.EncWriteMapElemValue()
				if yyn8 {
					r.EncodeNil()
				} else {
					if yyxt46 := z.Extension(x.ConnectionClaims.CT); yyxt46 != nil {
						z.EncExtension(x.ConnectionClaims.CT, yyxt46)
					} else if !z.EncBinary() && z.IsJSONHandle() {
						z.EncJSONMarshal(x.ConnectionClaims.CT)
					} else {
						z.EncFallback(x.ConnectionClaims.CT)
					}
				}
			}
			if yyq2[6] {
				z.EncWriteMapElemKey()
				if z.IsJSONHandle() {
					z.WriteStr("\"ID\"")
				} else {
					r.EncodeString(`ID`)
				}
				z.EncWriteMapElemValue()
				if yyn9 {
					r.EncodeNil()
				} else {
					r.EncodeString(string(x.ConnectionClaims.ID))
				}
			}
			if yyq2[7] {
				z.EncWriteMapElemKey()
				if z.IsJSONHandle() {
					z.WriteStr("\"RemoteID\"")
				} else {
					r.EncodeString(`RemoteID`)
				}
				z.EncWriteMapElemValue()
				if yyn10 {
					r.EncodeNil()
				} else {
					r.EncodeString(string(x.ConnectionClaims.RemoteID))
				}
			}
			if yyq2[8] {
				z.EncWriteMapElemKey()
				if z.IsJSONHandle() {
					z.WriteStr("\"H\"")
				} else {
					r.EncodeString(`H`)
				}
				z.EncWriteMapElemValue()
				if yyn11 {
					r.EncodeNil()
				} else {
					if yyxt49 := z.Extension(x.ConnectionClaims.H); yyxt49 != nil {
						z.EncExtension(x.ConnectionClaims.H, yyxt49)
					} else {
						if x.ConnectionClaims.H == nil {
							r.EncodeNil()
						} else {
							h.encclaimsheader_HeaderBytes((pkg2_claimsheader.HeaderBytes)(x.ConnectionClaims.H), e)
						} // end block: if x.ConnectionClaims.H slice == nil
					}
				}
			}
			if yyq2[9] {
				z.EncWriteMapElemKey()
				if z.IsJSONHandle() {
					z.WriteStr("\"P\"")
				} else {
					r.EncodeString(`P`)
				}
				z.EncWriteMapElemValue()
				if yyn12 {
					r.EncodeNil()
				} else {
					if yyxt50 := z.Extension(x.ConnectionClaims.P); yyxt50 != nil {
						z.EncExtension(x.ConnectionClaims.P, yyxt50)
					} else {
						z.EncFallback(x.ConnectionClaims.P)
					}
				}
			}
			if yyq2[10] {
				z.EncWriteMapElemKey()
				if z.IsJSONHandle() {
					z.WriteStr("\"DEKV2\"")
				} else {
					r.EncodeString(`DEKV2`)
				}
				z.EncWriteMapElemValue()
				if yyn13 {
					r.EncodeNil()
				} else {
					if x.ConnectionClaims.DEKV2 == nil {
						r.EncodeNil()
					} else {
						r.EncodeStringBytesRaw([]byte(x.ConnectionClaims.DEKV2))
					} // end block: if x.ConnectionClaims.DEKV2 slice == nil
				}
			}
			if yyq2[11] {
				z.EncWriteMapElemKey()
				if z.IsJSONHandle() {
					z.WriteStr("\"SDEKV2\"")
				} else {
					r.EncodeString(`SDEKV2`)
				}
				z.EncWriteMapElemValue()
				if yyn14 {
					r.EncodeNil()
				} else {
					if x.ConnectionClaims.SDEKV2 == nil {
						r.EncodeNil()
					} else {
						r.EncodeStringBytesRaw([]byte(x.ConnectionClaims.SDEKV2))
					} // end block: if x.ConnectionClaims.SDEKV2 slice == nil
				}
			}
			if yyq2[12] {
				z.EncWriteMapElemKey()
				if z.IsJSONHandle() {
					z.WriteStr("\"aud\"")
				} else {
					r.EncodeString(`aud`)
				}
				z.EncWriteMapElemValue()
				r.EncodeString(string(x.StandardClaims.Audience))
			}
			if yyq2[13] {
				z.EncWriteMapElemKey()
				if z.IsJSONHandle() {
					z.WriteStr("\"exp\"")
				} else {
					r.EncodeString(`exp`)
				}
				z.EncWriteMapElemValue()
				r.EncodeInt(int64(x.StandardClaims.ExpiresAt))
			}
			if yyq2[14] {
				z.EncWriteMapElemKey()
				if z.IsJSONHandle() {
					z.WriteStr("\"jti\"")
				} else {
					r.EncodeString(`jti`)
				}
				z.EncWriteMapElemValue()
				r.EncodeString(string(x.StandardClaims.Id))
			}
			if yyq2[15] {
				z.EncWriteMapElemKey()
				if z.IsJSONHandle() {
					z.WriteStr("\"iat\"")
				} else {
					r.EncodeString(`iat`)
				}
				z.EncWriteMapElemValue()
				r.EncodeInt(int64(x.StandardClaims.IssuedAt))
			}
			if yyq2[16] {
				z.EncWriteMapElemKey()
				if z.IsJSONHandle() {
					z.WriteStr("\"iss\"")
				} else {
					r.EncodeString(`iss`)
				}
				z.EncWriteMapElemValue()
				r.EncodeString(string(x.StandardClaims.Issuer))
			}
			if yyq2[17] {
				z.EncWriteMapElemKey()
				if z.IsJSONHandle() {
					z.WriteStr("\"nbf\"")
				} else {
					r.EncodeString(`nbf`)
				}
				z.EncWriteMapElemValue()
				r.EncodeInt(int64(x.StandardClaims.NotBefore))
			}
			if yyq2[18] {
				z.EncWriteMapElemKey()
				if z.IsJSONHandle() {
					z.WriteStr("\"sub\"")
				} else {
					r.EncodeString(`sub`)
				}
				z.EncWriteMapElemValue()
				r.EncodeString(string(x.StandardClaims.Subject))
			}
			z.EncWriteMapEnd()
		}
	}
}

func (x *JWTClaims) CodecDecodeSelf(d *codec1978.Decoder) {
	var h codecSelfer8267
	z, r := codec1978.GenHelper().Decoder(d)
	_, _, _ = h, z, r
	yyct2 := r.ContainerType()
	if yyct2 == codecSelferValueTypeNil8267 {
		*(x) = JWTClaims{}
	} else if yyct2 == codecSelferValueTypeMap8267 {
		yyl2 := z.DecReadMapStart()
		if yyl2 == 0 {
		} else {
			x.codecDecodeSelfFromMap(yyl2, d)
		}
		z.DecReadMapEnd()
	} else if yyct2 == codecSelferValueTypeArray8267 {
		yyl2 := z.DecReadArrayStart()
		if yyl2 != 0 {
			x.codecDecodeSelfFromArray(yyl2, d)
		}
		z.DecReadArrayEnd()
	} else {
		panic(errCodecSelferOnlyMapOrArrayEncodeToStruct8267)
	}
}

func (x *JWTClaims) codecDecodeSelfFromMap(l int, d *codec1978.Decoder) {
	var h codecSelfer8267
	z, r := codec1978.GenHelper().Decoder(d)
	_, _, _ = h, z, r
	var yyhl3 bool = l >= 0
	for yyj3 := 0; ; yyj3++ {
		if yyhl3 {
			if yyj3 >= l {
				break
			}
		} else {
			if z.DecCheckBreak() {
				break
			}
		}
		z.DecReadMapElemKey()
		yys3 := r.DecodeStringAsBytes()
		z.DecReadMapElemValue()
		switch string(yys3) {
		case "T":
			if r.TryNil() {
				if x.ConnectionClaims != nil && x.ConnectionClaims.T != nil { // remove the if-true
					x.ConnectionClaims.T = nil
				}
			} else {
				if x.ConnectionClaims == nil {
					x.ConnectionClaims = new(ConnectionClaims)
				}
				if x.ConnectionClaims.T == nil {
					x.ConnectionClaims.T = new(pkg1_policy.TagStore)
				}
				if yyxt5 := z.Extension(x.ConnectionClaims.T); yyxt5 != nil {
					z.DecExtension(x.ConnectionClaims.T, yyxt5)
				} else if !z.DecBinary() && z.IsJSONHandle() {
					z.DecJSONUnmarshal(x.ConnectionClaims.T)
				} else {
					z.DecFallback(x.ConnectionClaims.T, false)
				}
			}
		case "RMT":
			if r.TryNil() {
				if x.ConnectionClaims != nil { // remove the if-true
					x.ConnectionClaims.RMT = nil
				}
			} else {
				if x.ConnectionClaims == nil {
					x.ConnectionClaims = new(ConnectionClaims)
				}
				x.ConnectionClaims.RMT = z.DecodeBytesInto(([]byte)(x.ConnectionClaims.RMT))
			}
		case "LCL":
			if r.TryNil() {
				if x.ConnectionClaims != nil { // remove the if-true
					x.ConnectionClaims.LCL = nil
				}
			} else {
				if x.ConnectionClaims == nil {
					x.ConnectionClaims = new(ConnectionClaims)
				}
				x.ConnectionClaims.LCL = z.DecodeBytesInto(([]byte)(x.ConnectionClaims.LCL))
			}
		case "DEKV1":
			if r.TryNil() {
				if x.ConnectionClaims != nil { // remove the if-true
					x.ConnectionClaims.DEKV1 = nil
				}
			} else {
				if x.ConnectionClaims == nil {
					x.ConnectionClaims = new(ConnectionClaims)
				}
				x.ConnectionClaims.DEKV1 = z.DecodeBytesInto(([]byte)(x.ConnectionClaims.DEKV1))
			}
		case "SDEKV1":
			if r.TryNil() {
				if x.ConnectionClaims != nil { // remove the if-true
					x.ConnectionClaims.SDEKV1 = nil
				}
			} else {
				if x.ConnectionClaims == nil {
					x.ConnectionClaims = new(ConnectionClaims)
				}
				x.ConnectionClaims.SDEKV1 = z.DecodeBytesInto(([]byte)(x.ConnectionClaims.SDEKV1))
			}
		case "CT":
			if r.TryNil() {
				if x.ConnectionClaims != nil && x.ConnectionClaims.CT != nil { // remove the if-true
					x.ConnectionClaims.CT = nil
				}
			} else {
				if x.ConnectionClaims == nil {
					x.ConnectionClaims = new(ConnectionClaims)
				}
				if x.ConnectionClaims.CT == nil {
					x.ConnectionClaims.CT = new(pkg1_policy.TagStore)
				}
				if yyxt15 := z.Extension(x.ConnectionClaims.CT); yyxt15 != nil {
					z.DecExtension(x.ConnectionClaims.CT, yyxt15)
				} else if !z.DecBinary() && z.IsJSONHandle() {
					z.DecJSONUnmarshal(x.ConnectionClaims.CT)
				} else {
					z.DecFallback(x.ConnectionClaims.CT, false)
				}
			}
		case "ID":
			if r.TryNil() {
				if x.ConnectionClaims != nil { // remove the if-true
					x.ConnectionClaims.ID = ""
				}
			} else {
				if x.ConnectionClaims == nil {
					x.ConnectionClaims = new(ConnectionClaims)
				}
				x.ConnectionClaims.ID = (string)(z.DecStringZC(r.DecodeStringAsBytes()))
			}
		case "RemoteID":
			if r.TryNil() {
				if x.ConnectionClaims != nil { // remove the if-true
					x.ConnectionClaims.RemoteID = ""
				}
			} else {
				if x.ConnectionClaims == nil {
					x.ConnectionClaims = new(ConnectionClaims)
				}
				x.ConnectionClaims.RemoteID = (string)(z.DecStringZC(r.DecodeStringAsBytes()))
			}
		case "H":
			if r.TryNil() {
				if x.ConnectionClaims != nil { // remove the if-true
					x.ConnectionClaims.H = nil
				}
			} else {
				if x.ConnectionClaims == nil {
					x.ConnectionClaims = new(ConnectionClaims)
				}
				if yyxt19 := z.Extension(x.ConnectionClaims.H); yyxt19 != nil {
					z.DecExtension(&x.ConnectionClaims.H, yyxt19)
				} else {
					h.decclaimsheader_HeaderBytes((*pkg2_claimsheader.HeaderBytes)(&x.ConnectionClaims.H), d)
				}
			}
		case "P":
			if r.TryNil() {
				if x.ConnectionClaims != nil && x.ConnectionClaims.P != nil { // remove the if-true
					x.ConnectionClaims.P = nil
				}
			} else {
				if x.ConnectionClaims == nil {
					x.ConnectionClaims = new(ConnectionClaims)
				}
				if x.ConnectionClaims.P == nil {
					x.ConnectionClaims.P = new(pkg1_policy.PingPayload)
				}
				if yyxt21 := z.Extension(x.ConnectionClaims.P); yyxt21 != nil {
					z.DecExtension(x.ConnectionClaims.P, yyxt21)
				} else {
					z.DecFallback(x.ConnectionClaims.P, false)
				}
			}
		case "DEKV2":
			if r.TryNil() {
				if x.ConnectionClaims != nil { // remove the if-true
					x.ConnectionClaims.DEKV2 = nil
				}
			} else {
				if x.ConnectionClaims == nil {
					x.ConnectionClaims = new(ConnectionClaims)
				}
				x.ConnectionClaims.DEKV2 = z.DecodeBytesInto(([]byte)(x.ConnectionClaims.DEKV2))
			}
		case "SDEKV2":
			if r.TryNil() {
				if x.ConnectionClaims != nil { // remove the if-true
					x.ConnectionClaims.SDEKV2 = nil
				}
			} else {
				if x.ConnectionClaims == nil {
					x.ConnectionClaims = new(ConnectionClaims)
				}
				x.ConnectionClaims.SDEKV2 = z.DecodeBytesInto(([]byte)(x.ConnectionClaims.SDEKV2))
			}
		case "aud":
			x.StandardClaims.Audience = (string)(z.DecStringZC(r.DecodeStringAsBytes()))
		case "exp":
			x.StandardClaims.ExpiresAt = (int64)(r.DecodeInt64())
		case "jti":
			x.StandardClaims.Id = (string)(z.DecStringZC(r.DecodeStringAsBytes()))
		case "iat":
			x.StandardClaims.IssuedAt = (int64)(r.DecodeInt64())
		case "iss":
			x.StandardClaims.Issuer = (string)(z.DecStringZC(r.DecodeStringAsBytes()))
		case "nbf":
			x.StandardClaims.NotBefore = (int64)(r.DecodeInt64())
		case "sub":
			x.StandardClaims.Subject = (string)(z.DecStringZC(r.DecodeStringAsBytes()))
		default:
			z.DecStructFieldNotFound(-1, string(yys3))
		} // end switch yys3
	} // end for yyj3
}

func (x *JWTClaims) codecDecodeSelfFromArray(l int, d *codec1978.Decoder) {
	var h codecSelfer8267
	z, r := codec1978.GenHelper().Decoder(d)
	_, _, _ = h, z, r
	var yyj33 int
	var yyb33 bool
	var yyhl33 bool = l >= 0
	yyj33++
	if yyhl33 {
		yyb33 = yyj33 > l
	} else {
		yyb33 = z.DecCheckBreak()
	}
	if yyb33 {
		z.DecReadArrayEnd()
		return
	}
	z.DecReadArrayElem()
	if r.TryNil() {
		if x.ConnectionClaims != nil && x.ConnectionClaims.T != nil { // remove the if-true
			x.ConnectionClaims.T = nil
		}
	} else {
		if x.ConnectionClaims == nil {
			x.ConnectionClaims = new(ConnectionClaims)
		}
		if x.ConnectionClaims.T == nil {
			x.ConnectionClaims.T = new(pkg1_policy.TagStore)
		}
		if yyxt35 := z.Extension(x.ConnectionClaims.T); yyxt35 != nil {
			z.DecExtension(x.ConnectionClaims.T, yyxt35)
		} else if !z.DecBinary() && z.IsJSONHandle() {
			z.DecJSONUnmarshal(x.ConnectionClaims.T)
		} else {
			z.DecFallback(x.ConnectionClaims.T, false)
		}
	}
	yyj33++
	if yyhl33 {
		yyb33 = yyj33 > l
	} else {
		yyb33 = z.DecCheckBreak()
	}
	if yyb33 {
		z.DecReadArrayEnd()
		return
	}
	z.DecReadArrayElem()
	if r.TryNil() {
		if x.ConnectionClaims != nil { // remove the if-true
			x.ConnectionClaims.RMT = nil
		}
	} else {
		if x.ConnectionClaims == nil {
			x.ConnectionClaims = new(ConnectionClaims)
		}
		x.ConnectionClaims.RMT = z.DecodeBytesInto(([]byte)(x.ConnectionClaims.RMT))
	}
	yyj33++
	if yyhl33 {
		yyb33 = yyj33 > l
	} else {
		yyb33 = z.DecCheckBreak()
	}
	if yyb33 {
		z.DecReadArrayEnd()
		return
	}
	z.DecReadArrayElem()
	if r.TryNil() {
		if x.ConnectionClaims != nil { // remove the if-true
			x.ConnectionClaims.LCL = nil
		}
	} else {
		if x.ConnectionClaims == nil {
			x.ConnectionClaims = new(ConnectionClaims)
		}
		x.ConnectionClaims.LCL = z.DecodeBytesInto(([]byte)(x.ConnectionClaims.LCL))
	}
	yyj33++
	if yyhl33 {
		yyb33 = yyj33 > l
	} else {
		yyb33 = z.DecCheckBreak()
	}
	if yyb33 {
		z.DecReadArrayEnd()
		return
	}
	z.DecReadArrayElem()
	if r.TryNil() {
		if x.ConnectionClaims != nil { // remove the if-true
			x.ConnectionClaims.DEKV1 = nil
		}
	} else {
		if x.ConnectionClaims == nil {
			x.ConnectionClaims = new(ConnectionClaims)
		}
		x.ConnectionClaims.DEKV1 = z.DecodeBytesInto(([]byte)(x.ConnectionClaims.DEKV1))
	}
	yyj33++
	if yyhl33 {
		yyb33 = yyj33 > l
	} else {
		yyb33 = z.DecCheckBreak()
	}
	if yyb33 {
		z.DecReadArrayEnd()
		return
	}
	z.DecReadArrayElem()
	if r.TryNil() {
		if x.ConnectionClaims != nil { // remove the if-true
			x.ConnectionClaims.SDEKV1 = nil
		}
	} else {
		if x.ConnectionClaims == nil {
			x.ConnectionClaims = new(ConnectionClaims)
		}
		x.ConnectionClaims.SDEKV1 = z.DecodeBytesInto(([]byte)(x.ConnectionClaims.SDEKV1))
	}
	yyj33++
	if yyhl33 {
		yyb33 = yyj33 > l
	} else {
		yyb33 = z.DecCheckBreak()
	}
	if yyb33 {
		z.DecReadArrayEnd()
		return
	}
	z.DecReadArrayElem()
	if r.TryNil() {
		if x.ConnectionClaims != nil && x.ConnectionClaims.CT != nil { // remove the if-true
			x.ConnectionClaims.CT = nil
		}
	} else {
		if x.ConnectionClaims == nil {
			x.ConnectionClaims = new(ConnectionClaims)
		}
		if x.ConnectionClaims.CT == nil {
			x.ConnectionClaims.CT = new(pkg1_policy.TagStore)
		}
		if yyxt45 := z.Extension(x.ConnectionClaims.CT); yyxt45 != nil {
			z.DecExtension(x.ConnectionClaims.CT, yyxt45)
		} else if !z.DecBinary() && z.IsJSONHandle() {
			z.DecJSONUnmarshal(x.ConnectionClaims.CT)
		} else {
			z.DecFallback(x.ConnectionClaims.CT, false)
		}
	}
	yyj33++
	if yyhl33 {
		yyb33 = yyj33 > l
	} else {
		yyb33 = z.DecCheckBreak()
	}
	if yyb33 {
		z.DecReadArrayEnd()
		return
	}
	z.DecReadArrayElem()
	if r.TryNil() {
		if x.ConnectionClaims != nil { // remove the if-true
			x.ConnectionClaims.ID = ""
		}
	} else {
		if x.ConnectionClaims == nil {
			x.ConnectionClaims = new(ConnectionClaims)
		}
		x.ConnectionClaims.ID = (string)(z.DecStringZC(r.DecodeStringAsBytes()))
	}
	yyj33++
	if yyhl33 {
		yyb33 = yyj33 > l
	} else {
		yyb33 = z.DecCheckBreak()
	}
	if yyb33 {
		z.DecReadArrayEnd()
		return
	}
	z.DecReadArrayElem()
	if r.TryNil() {
		if x.ConnectionClaims != nil { // remove the if-true
			x.ConnectionClaims.RemoteID = ""
		}
	} else {
		if x.ConnectionClaims == nil {
			x.ConnectionClaims = new(ConnectionClaims)
		}
		x.ConnectionClaims.RemoteID = (string)(z.DecStringZC(r.DecodeStringAsBytes()))
	}
	yyj33++
	if yyhl33 {
		yyb33 = yyj33 > l
	} else {
		yyb33 = z.DecCheckBreak()
	}
	if yyb33 {
		z.DecReadArrayEnd()
		return
	}
	z.DecReadArrayElem()
	if r.TryNil() {
		if x.ConnectionClaims != nil { // remove the if-true
			x.ConnectionClaims.H = nil
		}
	} else {
		if x.ConnectionClaims == nil {
			x.ConnectionClaims = new(ConnectionClaims)
		}
		if yyxt49 := z.Extension(x.ConnectionClaims.H); yyxt49 != nil {
			z.DecExtension(&x.ConnectionClaims.H, yyxt49)
		} else {
			h.decclaimsheader_HeaderBytes((*pkg2_claimsheader.HeaderBytes)(&x.ConnectionClaims.H), d)
		}
	}
	yyj33++
	if yyhl33 {
		yyb33 = yyj33 > l
	} else {
		yyb33 = z.DecCheckBreak()
	}
	if yyb33 {
		z.DecReadArrayEnd()
		return
	}
	z.DecReadArrayElem()
	if r.TryNil() {
		if x.ConnectionClaims != nil && x.ConnectionClaims.P != nil { // remove the if-true
			x.ConnectionClaims.P = nil
		}
	} else {
		if x.ConnectionClaims == nil {
			x.ConnectionClaims = new(ConnectionClaims)
		}
		if x.ConnectionClaims.P == nil {
			x.ConnectionClaims.P = new(pkg1_policy.PingPayload)
		}
		if yyxt51 := z.Extension(x.ConnectionClaims.P); yyxt51 != nil {
			z.DecExtension(x.ConnectionClaims.P, yyxt51)
		} else {
			z.DecFallback(x.ConnectionClaims.P, false)
		}
	}
	yyj33++
	if yyhl33 {
		yyb33 = yyj33 > l
	} else {
		yyb33 = z.DecCheckBreak()
	}
	if yyb33 {
		z.DecReadArrayEnd()
		return
	}
	z.DecReadArrayElem()
	if r.TryNil() {
		if x.ConnectionClaims != nil { // remove the if-true
			x.ConnectionClaims.DEKV2 = nil
		}
	} else {
		if x.ConnectionClaims == nil {
			x.ConnectionClaims = new(ConnectionClaims)
		}
		x.ConnectionClaims.DEKV2 = z.DecodeBytesInto(([]byte)(x.ConnectionClaims.DEKV2))
	}
	yyj33++
	if yyhl33 {
		yyb33 = yyj33 > l
	} else {
		yyb33 = z.DecCheckBreak()
	}
	if yyb33 {
		z.DecReadArrayEnd()
		return
	}
	z.DecReadArrayElem()
	if r.TryNil() {
		if x.ConnectionClaims != nil { // remove the if-true
			x.ConnectionClaims.SDEKV2 = nil
		}
	} else {
		if x.ConnectionClaims == nil {
			x.ConnectionClaims = new(ConnectionClaims)
		}
		x.ConnectionClaims.SDEKV2 = z.DecodeBytesInto(([]byte)(x.ConnectionClaims.SDEKV2))
	}
	yyj33++
	if yyhl33 {
		yyb33 = yyj33 > l
	} else {
		yyb33 = z.DecCheckBreak()
	}
	if yyb33 {
		z.DecReadArrayEnd()
		return
	}
	z.DecReadArrayElem()
	x.StandardClaims.Audience = (string)(z.DecStringZC(r.DecodeStringAsBytes()))
	yyj33++
	if yyhl33 {
		yyb33 = yyj33 > l
	} else {
		yyb33 = z.DecCheckBreak()
	}
	if yyb33 {
		z.DecReadArrayEnd()
		return
	}
	z.DecReadArrayElem()
	x.StandardClaims.ExpiresAt = (int64)(r.DecodeInt64())
	yyj33++
	if yyhl33 {
		yyb33 = yyj33 > l
	} else {
		yyb33 = z.DecCheckBreak()
	}
	if yyb33 {
		z.DecReadArrayEnd()
		return
	}
	z.DecReadArrayElem()
	x.StandardClaims.Id = (string)(z.DecStringZC(r.DecodeStringAsBytes()))
	yyj33++
	if yyhl33 {
		yyb33 = yyj33 > l
	} else {
		yyb33 = z.DecCheckBreak()
	}
	if yyb33 {
		z.DecReadArrayEnd()
		return
	}
	z.DecReadArrayElem()
	x.StandardClaims.IssuedAt = (int64)(r.DecodeInt64())
	yyj33++
	if yyhl33 {
		yyb33 = yyj33 > l
	} else {
		yyb33 = z.DecCheckBreak()
	}
	if yyb33 {
		z.DecReadArrayEnd()
		return
	}
	z.DecReadArrayElem()
	x.StandardClaims.Issuer = (string)(z.DecStringZC(r.DecodeStringAsBytes()))
	yyj33++
	if yyhl33 {
		yyb33 = yyj33 > l
	} else {
		yyb33 = z.DecCheckBreak()
	}
	if yyb33 {
		z.DecReadArrayEnd()
		return
	}
	z.DecReadArrayElem()
	x.StandardClaims.NotBefore = (int64)(r.DecodeInt64())
	yyj33++
	if yyhl33 {
		yyb33 = yyj33 > l
	} else {
		yyb33 = z.DecCheckBreak()
	}
	if yyb33 {
		z.DecReadArrayEnd()
		return
	}
	z.DecReadArrayElem()
	x.StandardClaims.Subject = (string)(z.DecStringZC(r.DecodeStringAsBytes()))
	for {
		yyj33++
		if yyhl33 {
			yyb33 = yyj33 > l
		} else {
			yyb33 = z.DecCheckBreak()
		}
		if yyb33 {
			break
		}
		z.DecReadArrayElem()
		z.DecStructFieldNotFound(yyj33-1, "")
	}
}

func (x *JWTClaims) IsCodecEmpty() bool {
	return !(x.ConnectionClaims != nil && x.StandardClaims != pkg3_jwt_go.StandardClaims{} || false)
}

func (x codecSelfer8267) encclaimsheader_HeaderBytes(v pkg2_claimsheader.HeaderBytes, e *codec1978.Encoder) {
	var h codecSelfer8267
	z, r := codec1978.GenHelper().Encoder(e)
	_, _, _ = h, z, r
	if v == nil {
		r.EncodeNil()
		return
	}
	r.EncodeStringBytesRaw([]byte(v))
}

func (x codecSelfer8267) decclaimsheader_HeaderBytes(v *pkg2_claimsheader.HeaderBytes, d *codec1978.Decoder) {
	var h codecSelfer8267
	z, r := codec1978.GenHelper().Decoder(d)
	_, _, _ = h, z, r
	*v = z.DecodeBytesInto(*((*[]byte)(v)))
}


================================================
FILE: controller/pkg/tokens/binaryjwt.go
================================================
package tokens

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"math/big"
	"sync"
	"time"

	"github.com/ugorji/go/codec"
	enforcerconstants "go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/constants"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/utils/ephemeralkeys"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/claimsheader"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/pkiverifier"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/secrets"
	"go.aporeto.io/enforcerd/trireme-lib/utils/cache"
	localcrypto "go.aporeto.io/enforcerd/trireme-lib/utils/crypto"
)

// To generate the codecs,
// codecgen -o binarycodec.go binaryjwtclaimtypes.go

// Format of Binary Tokens
//    0             1              2               3               4
//  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
//  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
//  |     D     |CT|E| Encoding |    R (reserved)                   |
//  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
//  | Signature Position           |    nonce                       |
//  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
//  |   ...                                                         |
//  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
//  |   token                                                       |
//  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
//  |   ...                                                         |
//  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
//  | Signature                                                     |
//  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
//  |   ...                                                         |
//  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
//  D  [0:6]   - Datapath version
//  CT [6:8]   - Compressed tag type
//  E  [8:9]   - Encryption enabled
//  C  [9:12]  - Codec selector
//  R  [12:32] - Reserved
//  L  [32:48] - Token Length
//  Token bytes (equal to token length)
//  Signature bytes

const (
	binaryNoncePosition   = 6
	lengthPosition        = 4
	headerLength          = 4
	sharedKeyCacheTimeout = 5 * time.Minute
)

//ClaimsEncodedBufSize is the size of maximum buffer that is required
//for claims to be serialized into
const ClaimsEncodedBufSize = 1400

// AckPattern is added in SYN and ACK tokens.
var AckPattern = []byte("PANWIDENTITY")
var sha256KeyLength int = 32

type sharedKeyStruct struct {
	sharedKeys map[string][]byte
	sync.RWMutex
}

func (s *sharedKeyStruct) Get(key string) []byte {

	s.RLock()

	if val, ok := s.sharedKeys[key]; ok {
		s.RUnlock()
		return val
	}

	s.RUnlock()
	return nil
}

func (s *sharedKeyStruct) Put(key string, val []byte) {

	s.Lock()
	s.sharedKeys[key] = val
	s.Unlock()

	time.AfterFunc(sharedKeyCacheTimeout, func() {
		s.Lock()
		delete(s.sharedKeys, key)
		s.Unlock()
	})
}

// BinaryJWTConfig configures the JWT token generator with the standard parameters. One
// configuration is assigned to each server
type BinaryJWTConfig struct {
	// ValidityPeriod  period of the JWT
	ValidityPeriod time.Duration
	// Issuer is the server that issues the JWT
	Issuer string
	// cache test
	tokenCache cache.DataStore
	// sharedKey is a cache of pre-shared keys.
	sharedKeys *sharedKeyStruct
}

// NewBinaryJWT creates a new JWT token processor
func NewBinaryJWT(validity time.Duration, issuer string) (*BinaryJWTConfig, error) {

	return &BinaryJWTConfig{
		ValidityPeriod: validity,
		Issuer:         issuer,
		tokenCache:     cache.NewCacheWithExpiration("JWTTokenCache", validity),
		sharedKeys:     &sharedKeyStruct{sharedKeys: map[string][]byte{}},
	}, nil
}

// DecodeSyn takes as argument the JWT token and the certificate of the issuer.
// First it verifies the certificate with the local CA pool, and the decodes
// the JWT if the certificate is trusted
func (c *BinaryJWTConfig) DecodeSyn(isSynAck bool, data []byte, privateKey *ephemeralkeys.PrivateKey, secrets secrets.Secrets, connClaims *ConnectionClaims) ([]byte, *claimsheader.ClaimsHeader, []byte, *pkiverifier.PKIControllerInfo, bool, error) {
	header, nonce, token, sig, err := unpackToken(false, data)
	if err != nil {
		return nil, nil, nil, nil, false, err
	}
	// Parse the claims header.
	claimsHeader := claimsheader.HeaderBytes(header).ToClaimsHeader()

	// Validate the header version.
	if err := c.verifyClaimsHeader(claimsHeader); err != nil {
		return nil, nil, nil, nil, false, err
	}

	// Decode the claims to a data structure.
	binaryClaims, err := decode(token)
	if err != nil {
		return nil, nil, nil, nil, false, err
	}

	//Process 314 Protocol
	if len(binaryClaims.DEK) == 0 {
		secretKey, controller, err := c.process314Protocol(isSynAck, token, secrets, connClaims, binaryClaims, sig)
		return secretKey, claimsHeader, nonce, controller, true, err
	}

	//Process 500 Protocol
	secretKey, controller, err := c.process500Protocol(isSynAck, token, privateKey, secrets, connClaims, binaryClaims, sig)

	return secretKey, claimsHeader, nonce, controller, false, err
}

// DecodeAck decodes the ack packet token
func (c *BinaryJWTConfig) DecodeAck(proto314 bool, secretKey []byte, data []byte, connClaims *ConnectionClaims) error {
	// Unpack the token first.
	header, _, token, sig, err := unpackToken(true, data)
	if err != nil {
		return err
	}

	// Parse the claims header.
	claimsHeader := claimsheader.HeaderBytes(header).ToClaimsHeader()

	// Validate the header.
	if err := c.verifyClaimsHeader(claimsHeader); err != nil {
		return err
	}

	// Decode the claims to a data structure.
	binaryClaims, err := decode(token)
	if err != nil {
		return err
	}

	if proto314 {
		// Calculate the signature on the token and compare it with the incoming
		// signature. Since this is simple symetric hashing this is simple.
		if err := c.verifyWithSharedKey314(token, secretKey, sig); err != nil {
			return err
		}
	} else {
		if err := c.verifyWithSharedKey500(token, secretKey, sig[0:sha256KeyLength]); err != nil {
			return err
		}
	}

	CopyToConnectionClaims(binaryClaims, connClaims)
	return nil
}

//CreateSynToken creates the token which is attached to the tcp syn packet.
func (c *BinaryJWTConfig) CreateSynToken(claims *ConnectionClaims, encodedBuf []byte, nonce []byte, header *claimsheader.ClaimsHeader, secrets secrets.Secrets) ([]byte, error) {
	// Set the appropriate claims header
	header.SetCompressionType(claimsheader.CompressionTypeV1)
	header.SetDatapathVersion(claimsheader.DatapathVersion1)

	// Combine the application claims with the standard claims.
	// In all cases for Syn/SynAck packets we also transmit our
	// public key.
	allclaims := ConvertToBinaryClaims(claims, c.ValidityPeriod)
	allclaims.SignerKey = secrets.TransmittedKey()

	// Encode the claims in a buffer.
	err := encode(allclaims, &encodedBuf)
	if err != nil {
		return nil, logError(ErrTokenEncodeFailed, err.Error())
	}

	var sig []byte

	encodedBuf = append(encodedBuf, AckPattern...)

	sig, err = c.sign(encodedBuf, secrets.EncodingKey().(*ecdsa.PrivateKey))

	if err != nil {
		return nil, err
	}

	// Pack and return the token.
	return packToken(header.ToBytes(), nonce, encodedBuf, sig), nil
}

//CreateSynAckToken creates syn/ack token which is attached to the syn/ack packet.
func (c *BinaryJWTConfig) CreateSynAckToken(proto314 bool, claims *ConnectionClaims, encodedBuf []byte, nonce []byte, header *claimsheader.ClaimsHeader, secrets secrets.Secrets, secretKey []byte) ([]byte, error) {

	// Set the appropriate claims header
	header.SetCompressionType(claimsheader.CompressionTypeV1)
	header.SetDatapathVersion(claimsheader.DatapathVersion1)

	// Combine the application claims with the standard claims.
	// In all cases for Syn/SynAck packets we also transmit our
	// public key.
	allclaims := ConvertToBinaryClaims(claims, c.ValidityPeriod)
	allclaims.SignerKey = secrets.TransmittedKey()

	// Encode the claims in a buffer.
	err := encode(allclaims, &encodedBuf)
	if err != nil {
		return nil, logError(ErrTokenEncodeFailed, err.Error())
	}

	var sig []byte

	encodedBuf = append(encodedBuf, AckPattern...)

	if proto314 {
		sig, err = hash314(encodedBuf, secretKey)
		if err != nil {
			return nil, err
		}
	} else {
		sig, err = hash500(encodedBuf, secretKey)
		if err != nil {
			return nil, err
		}
	}

	// Pack and return the token.
	return packToken(header.ToBytes(), nonce, encodedBuf, sig), nil
}

// Randomize puts the random nonce in the syn token
func (c *BinaryJWTConfig) Randomize(token []byte, nonce []byte) error {

	if len(token) < 6+NonceLength {
		return logError(ErrTokenTooSmall, "token is too small")
	}

	copy(token[6:], nonce)

	return nil
}

//CreateAckToken creates ack token which is attached to the ack packet.
func (c *BinaryJWTConfig) CreateAckToken(proto314 bool, secretKey []byte, claims *ConnectionClaims, encodedBuf []byte, header *claimsheader.ClaimsHeader) ([]byte, error) {

	var pad []byte
	// Combine the application claims with the standard claims
	allclaims := ConvertToBinaryClaims(claims, c.ValidityPeriod)

	// Encode the claims in a buffer.
	err := encode(allclaims, &encodedBuf)
	if err != nil {
		return nil, logError(ErrTokenEncodeFailed, err.Error())
	}
	encodedBuf = append(encodedBuf, AckPattern...)

	var sig []byte
	// Sign the buffer with the pre-shared key.
	if proto314 {
		sig, err = hash314(encodedBuf, secretKey)
		if err != nil {
			return nil, err
		}
		pad = sig
	} else {
		pad = make([]byte, 64)
		sig, err = hash500(encodedBuf, secretKey)
		if err != nil {
			return nil, err
		}
		copy(pad, sig)
	}

	// Pack and return the token.
	return packToken(header.ToBytes(), nil, encodedBuf, pad), nil
}

func (c *BinaryJWTConfig) verifyClaimsHeader(h *claimsheader.ClaimsHeader) error {

	if h.CompressionType() != claimsheader.CompressionTypeV1 {
		return ErrCompressedTagMismatch

	}

	if h.DatapathVersion() != claimsheader.DatapathVersion1 {
		return ErrDatapathVersionMismatch
	}

	return nil
}

// Sign takes in a slice of bytes and a private key, and returns a ecdsa signature.
func (c *BinaryJWTConfig) Sign(buf []byte, key *ecdsa.PrivateKey) ([]byte, error) {
	return c.sign(buf, key)
}

func (c *BinaryJWTConfig) sign(buf []byte, key *ecdsa.PrivateKey) ([]byte, error) {

	// Create the hash and use this for the signature. This is a SHA256 hash
	// of the token.
	h, err := hash500(buf, nil)
	if err != nil {
		return nil, logError(ErrTokenHashFailed, err.Error())
	}

	// Sign the hash with the private key using the ECDSA algorithm
	// and properly format the resulting signature.
	r, s, err := ecdsa.Sign(rand.Reader, key, h)
	if err != nil {
		return nil, logError(ErrTokenSignFailed, err.Error())
	}

	curveBits := key.Curve.Params().BitSize
	keyBytes := curveBits / 8
	if curveBits%8 > 0 {
		keyBytes++
	}

	// We serialize the outpus (r and s) into big-endian byte arrays and pad
	// them with zeros on the left to make sure the sizes work out. Both arrays
	// must be keyBytes long, and the output must be 2*keyBytes long.
	tokenBytes := make([]byte, 2*keyBytes)

	rBytes := r.Bytes()
	copy(tokenBytes[keyBytes-len(rBytes):], rBytes)

	sBytes := s.Bytes()
	copy(tokenBytes[2*keyBytes-len(sBytes):], sBytes)

	return tokenBytes, nil
}

func (c *BinaryJWTConfig) verify(buf []byte, sig []byte, key *ecdsa.PublicKey) error {

	if len(sig) != 64 {
		return ErrInvalidSignature
	}

	r := big.NewInt(0).SetBytes(sig[:32])
	s := big.NewInt(0).SetBytes(sig[32:])

	// Create the hash and use this for the signature. This is a SHA256 hash
	// of the token.
	h, err := hash500(buf, nil)
	if err != nil {
		return logError(ErrTokenHashFailed, err.Error())
	}

	if verifyStatus := ecdsa.Verify(key, h, r, s); verifyStatus {
		return nil
	}

	return ErrInvalidSignature
}

func (c *BinaryJWTConfig) getSecretKey(privateKey *ephemeralkeys.PrivateKey, remotePublicKeyString string, isV1Proto bool) ([]byte, error) {

	var remotePublicKey *ecdsa.PublicKey
	var err error

	hashKey := privateKey.PrivateKeyString + remotePublicKeyString

	secretKey := c.sharedKeys.Get(hashKey)

	if secretKey != nil {
		return secretKey, nil
	}

	if isV1Proto {
		remotePublicKey, err = localcrypto.DecodePublicKeyV1([]byte(remotePublicKeyString))
		if err != nil {
			return nil, err
		}
	} else {
		remotePublicKey, err = localcrypto.DecodePublicKeyV2([]byte(remotePublicKeyString))
		if err != nil {
			return nil, err
		}
	}

	if secretKey, err = symmetricKey(privateKey.PrivateKey, remotePublicKey); err != nil {
		return nil, err
	}

	c.sharedKeys.Put(hashKey, secretKey)

	return secretKey, nil
}

func encode(c *BinaryJWTClaims, buf *[]byte) error {
	// Encode and sign the token
	if cap(*buf) != ClaimsEncodedBufSize {
		return fmt.Errorf("Not enough space in byte slice")
	}

	var h codec.Handle = new(codec.CborHandle)
	enc := codec.NewEncoderBytes(buf, h)
	if err := enc.Encode(c); err != nil {
		return fmt.Errorf("unable to encode message: %s", err)
	}

	return nil
}

func decode(buf []byte) (*BinaryJWTClaims, error) {
	// Decode the token into a structure.
	binaryClaims := &BinaryJWTClaims{}
	var h codec.Handle = new(codec.CborHandle)

	dec := codec.NewDecoderBytes(buf, h)

	if err := dec.Decode(binaryClaims); err != nil {
		return nil, logError(ErrTokenDecodeFailed, err.Error())
	}

	if binaryClaims.ExpiresAt < time.Now().Unix() {
		return nil, logError(ErrTokenExpired, fmt.Sprintf("token is expired since: %s", time.Unix(binaryClaims.ExpiresAt, 0)))
	}

	return binaryClaims, nil
}

func packToken(header, nonce, token, sig []byte) []byte {

	binaryTokenPosition := binaryNoncePosition + len(nonce)
	sigPosition := binaryTokenPosition + len(token)

	// Token is the concatenation of
	// [Position of Signature] [nonce] [token] [signature]
	data := make([]byte, sigPosition+len(sig))

	// Header bytes
	copy(data[0:headerLength], header)
	// Length of token
	binary.BigEndian.PutUint16(data[lengthPosition:], uint16(sigPosition))

	// nonce not required for ack packets
	if len(nonce) > 0 {
		copy(data[binaryNoncePosition:], nonce)
	}

	// token
	copy(data[binaryTokenPosition:], token)

	// signature
	copy(data[sigPosition:], sig)

	return data
}

// unpackToken returns nonce, token, signature or error if something fails
func unpackToken(isAck bool, data []byte) ([]byte, []byte, []byte, []byte, error) {

	// We must have enough data to read the length.
	if len(data) < binaryNoncePosition {
		return nil, nil, nil, nil, ErrInvalidTokenLength
	}

	header := make([]byte, headerLength)
	copy(header, data[:lengthPosition])

	sigPosition := int(binary.BigEndian.Uint16(data[lengthPosition : lengthPosition+2]))
	// The token must be long enough to have at least 1 byte of signature.
	if len(data) < sigPosition+1 || sigPosition == 0 {
		return nil, nil, nil, nil, ErrMissingSignature
	}

	var nonce []byte

	if !isAck {
		nonce = make([]byte, 16)
		copy(nonce, data[binaryNoncePosition:binaryNoncePosition+NonceLength])
	}

	// Only if nonce is found do we need to advance. So, use the
	// actual length of the nonce and not just a constant here.
	token := data[binaryNoncePosition+len(nonce) : sigPosition]

	sig := data[sigPosition:]
	return header, nonce, token, sig, nil
}

// symmetricKey returns a symmetric key for encryption
func symmetricKey(privateKey *ecdsa.PrivateKey, remotePublic *ecdsa.PublicKey) ([]byte, error) {

	c := elliptic.P256()

	x, _ := c.ScalarMult(remotePublic.X, remotePublic.Y, privateKey.D.Bytes())

	return hash500(x.Bytes(), nil)
}

func uncompressTags(binaryClaims *BinaryJWTClaims, publicKeyClaims []string) {

	binaryClaims.T = append(binaryClaims.CT, enforcerconstants.TransmitterLabel+"="+binaryClaims.ID)

	for _, pc := range publicKeyClaims {

		if len(pc) <= claimsheader.CompressedTagLengthV1 {
			binaryClaims.T = append(binaryClaims.T, pc)
			continue
		}

		binaryClaims.T = append(binaryClaims.T, pc[:claimsheader.CompressedTagLengthV1])
	}
}


================================================
FILE: controller/pkg/tokens/binaryjwt314.go
================================================
package tokens

import (
	"bytes"
	"crypto"
	"crypto/ecdsa"
	"fmt"

	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/pkiverifier"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/secrets"
	localcrypto "go.aporeto.io/enforcerd/trireme-lib/utils/crypto"
)

func (c *BinaryJWTConfig) getSharedKey314(pub interface{}, priv interface{}) ([]byte, error) {

	publicKey := pub.(*ecdsa.PublicKey)
	privateKey := priv.(*ecdsa.PrivateKey)

	hashKey := string(localcrypto.EncodePublicKeyV2(publicKey)) + string(localcrypto.EncodePrivateKey(privateKey))

	secretKey := c.sharedKeys.Get(hashKey)
	if secretKey != nil {
		return secretKey, nil
	}

	secretKey, err := symmetricKey(privateKey, publicKey)
	if err != nil {
		return nil, logError(ErrSharedKeyHashFailed, err.Error())
	}

	// Add it in the cache
	c.sharedKeys.Put(hashKey, secretKey)

	return secretKey, nil
}

func hash314(buf []byte, key []byte) ([]byte, error) {

	hasher := crypto.SHA256.New()
	if _, err := hasher.Write(buf); err != nil {
		return nil, fmt.Errorf("unable to hash data structure: %s", err)
	}

	return hasher.Sum(key), nil
}

func (c *BinaryJWTConfig) verifyWithSharedKey314(buf []byte, key []byte, sig []byte) error {

	ps, err := hash314(buf, key)
	if err != nil {
		return logError(ErrTokenHashFailed, err.Error())
	}

	if !bytes.Equal(ps, sig) {
		return logError(ErrSignatureMismatch, fmt.Sprintf("unable to verify token with shared secret: they don't match %d %d ", len(ps), len(sig)))
	}

	return nil
}

func (c *BinaryJWTConfig) process314Protocol(isSynAck bool, token []byte, secrets secrets.Secrets, connClaims *ConnectionClaims, binaryClaims *BinaryJWTClaims, sig []byte) ([]byte, *pkiverifier.PKIControllerInfo, error) {

	var secretKey []byte
	publicKey, publicKeyClaims, _, controller, err := secrets.KeyAndClaims(binaryClaims.SignerKey)
	if err != nil || publicKey == nil {
		return nil, nil, ErrPublicKeyFailed
	}

	// Since we know that the signature is valid, we check if the token is already in
	// the cache and accept it. We do that after the verification, in case the
	// public key has expired and we still have it in the cache. This is true for syn only
	if !isSynAck {
		if cachedClaims, cerr := c.tokenCache.Get(string(token)); cerr == nil {
			*connClaims = *cachedClaims.(*ConnectionClaims)

			secretKey, err = c.getSharedKey314(publicKey, secrets.EncodingKey())
			if err != nil {
				return nil, nil, err
			}
			return secretKey, controller, nil
		}
	}

	// Uncommpress the tags and add the public key claims to the tags that
	// we return.
	uncompressTags(binaryClaims, publicKeyClaims)
	CopyToConnectionClaims(binaryClaims, connClaims)

	if isSynAck {
		binaryClaims.RMT = nil
		secretKey, err = c.getSharedKey314(publicKey, secrets.EncodingKey())
		if err != nil {
			return nil, nil, err
		}

		if err := c.verifyWithSharedKey314(token, secretKey, sig); err != nil {
			return nil, nil, err
		}

	} else {
		// If the token is not in the cache, we validate the token with the
		// provided and validated public key. We will then add it in the
		// cache for future reference.

		if err := c.verify(token, sig, publicKey.(*ecdsa.PublicKey)); err != nil {
			return nil, nil, err
		}

		secretKey, err = c.getSharedKey314(publicKey, secrets.EncodingKey())
		if err != nil {
			return nil, nil, err
		}
	}

	// create a copy of the connClaims as this conn claims belongs to the original Connection.
	// It would have been fine to store the connclaims in the cache here, but the gc will not be able to
	// reclaim memory of the entire connection.
	if !isSynAck {
		connClaimsCopy := new(ConnectionClaims)
		*connClaimsCopy = *connClaims
		c.tokenCache.AddOrUpdate(string(token), connClaimsCopy)
	}

	return secretKey, controller, nil
}


================================================
FILE: controller/pkg/tokens/binaryjwt500.go
================================================
package tokens

import (
	"bytes"
	"crypto"
	"crypto/ecdsa"
	"fmt"

	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/utils/ephemeralkeys"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/pkiverifier"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/secrets"
	"go.uber.org/zap"
)

func (c *BinaryJWTConfig) process500Protocol(isSynAck bool, token []byte, privateKey *ephemeralkeys.PrivateKey, secrets secrets.Secrets, connClaims *ConnectionClaims, binaryClaims *BinaryJWTClaims, sig []byte) ([]byte, *pkiverifier.PKIControllerInfo, error) {

	publicKey, publicKeyClaims, _, controller, err := secrets.KeyAndClaims(binaryClaims.SignerKey)
	if err != nil || publicKey == nil {
		return nil, nil, ErrPublicKeyFailed
	}

	var remotePublicKeyString, remotePublicKeySig string
	var isV1Proto bool

	// Since we know that the signature is valid, we check if the token is already in
	// the cache and accept it. We do that after the verification, in case the
	// public key has expired and we still have it in the cache. This is true for syn only
	if !isSynAck {
		if cachedClaims, cerr := c.tokenCache.Get(string(token)); cerr == nil {
			*connClaims = *cachedClaims.(*ConnectionClaims)
			if len(connClaims.DEKV2) == 0 {
				remotePublicKeyString = string(connClaims.DEKV1)
				isV1Proto = true
			} else {
				remotePublicKeyString = string(connClaims.DEKV2)
				isV1Proto = false
			}

			secretKey, err := c.getSecretKey(privateKey, remotePublicKeyString, isV1Proto)
			if err != nil {
				return nil, nil, err
			}
			return secretKey, controller, nil
		}
	}

	// Uncommpress the tags and add the public key claims to the tags that
	// we return.
	uncompressTags(binaryClaims, publicKeyClaims)
	CopyToConnectionClaims(binaryClaims, connClaims)

	if len(connClaims.DEKV2) == 0 {
		remotePublicKeyString = string(connClaims.DEKV1)
		remotePublicKeySig = string(connClaims.SDEKV1)
		isV1Proto = true
	} else {
		remotePublicKeyString = string(connClaims.DEKV2)
		remotePublicKeySig = string(connClaims.SDEKV2)
		isV1Proto = false
	}

	// We haven't seen this token again, so we will validate it with the
	// public key and cache it for future calls.

	// First we check if we know RMT attribute is set. This will indicate
	// that this is SynAck packet that carries the remote nonce, and we
	// can use the shared key approach. In the protocol we mandate
	// that RMT in the SynAck is populated since it carries the nonce
	// of the remote.
	if isSynAck {
		binaryClaims.RMT = nil

		// We don't need to verify the ephemeral key if we have done it already.
		if _, cerr := c.tokenCache.Get(remotePublicKeyString); cerr != nil {
			if err := c.verify([]byte(remotePublicKeyString), []byte(remotePublicKeySig), publicKey.(*ecdsa.PublicKey)); err != nil {
				zap.L().Error("Ephemeral key can not be verified", zap.Error(err))
				return nil, nil, err
			}

			c.tokenCache.AddOrUpdate(remotePublicKeyString, "")
		}
	} else {
		// If the token is not in the cache, we validate the token with the
		// provided and validated public key. We will then add it in the
		// cache for future reference.

		if err := c.verify(token, sig, publicKey.(*ecdsa.PublicKey)); err != nil {
			return nil, nil, err
		}
	}

	secretKey, err := c.getSecretKey(privateKey, remotePublicKeyString, isV1Proto)
	if err != nil {
		return nil, nil, err
	}

	// create a copy of the connClaims as this conn claims belongs to the original Connection.
	// It would have been fine to store the connclaims in the cache here, but the gc will not be able to
	// reclaim memory of the entire connection.
	if !isSynAck {
		connClaimsCopy := new(ConnectionClaims)
		*connClaimsCopy = *connClaims
		c.tokenCache.AddOrUpdate(string(token), connClaimsCopy)
	}

	return secretKey, controller, nil
}

func hash500(buf []byte, key []byte) ([]byte, error) {

	newBuf := make([]byte, 0, len(buf)+len(key))
	newBuf = append(newBuf, buf...)
	newBuf = append(newBuf, key...)

	hasher := crypto.SHA256.New()
	if _, err := hasher.Write(newBuf); err != nil {
		return nil, fmt.Errorf("unable to hash data structure: %s", err)
	}

	return hasher.Sum(nil), nil
}

func (c *BinaryJWTConfig) verifyWithSharedKey500(buf []byte, key []byte, sig []byte) error {

	ps, err := hash500(buf, key)
	if err != nil {
		return logError(ErrTokenHashFailed, err.Error())
	}

	if !bytes.Equal(ps, sig) {
		return logError(ErrSignatureMismatch, fmt.Sprintf("unable to verify token with shared secret: they don't match %d %d ", len(ps), len(sig)))
	}

	return nil
}


================================================
FILE: controller/pkg/tokens/binaryjwt_test.go
================================================
// +build !windows

package tokens

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"encoding/gob"
	"math/big"
	"reflect"
	"strconv"
	"testing"
	"time"

	enforcerconstants "go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/constants"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/claimsheader"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/pkiverifier"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/secrets"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/secrets/compactpki"
	"go.aporeto.io/enforcerd/trireme-lib/utils/crypto"
	"gotest.tools/assert"

	. "github.com/smartystreets/goconvey/convey"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
)

var (
	rmt       = "1234567890123456"
	lcl       = "098765432109876"
	bvalidity = time.Second * 10

	header = claimsheader.NewClaimsHeader(
		claimsheader.OptionCompressionType(claimsheader.CompressionTypeV1),
	)
)
var (
	keyPEM = `-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIPkiHqtH372JJdAG/IxJlE1gv03cdwa8Lhg2b3m/HmbyoAoGCCqGSM49
AwEHoUQDQgAEAfAL+AfPj/DnxrU6tUkEyzEyCxnflOWxhouy1bdzhJ7vxMb1vQ31
8ZbW/WvMN/ojIXqXYrEpISoojznj46w64w==
-----END EC PRIVATE KEY-----`
	caPool = `-----BEGIN CERTIFICATE-----
MIIBhTCCASwCCQC8b53yGlcQazAKBggqhkjOPQQDAjBLMQswCQYDVQQGEwJVUzEL
MAkGA1UECAwCQ0ExDDAKBgNVBAcMA1NKQzEQMA4GA1UECgwHVHJpcmVtZTEPMA0G
A1UEAwwGdWJ1bnR1MB4XDTE2MDkyNzIyNDkwMFoXDTI2MDkyNTIyNDkwMFowSzEL
MAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQwwCgYDVQQHDANTSkMxEDAOBgNVBAoM
B1RyaXJlbWUxDzANBgNVBAMMBnVidW50dTBZMBMGByqGSM49AgEGCCqGSM49AwEH
A0IABJxneTUqhbtgEIwpKUUzwz3h92SqcOdIw3mfQkMjg3Vobvr6JKlpXYe9xhsN
rygJmLhMAN9gjF9qM9ybdbe+m3owCgYIKoZIzj0EAwIDRwAwRAIgC1fVMqdBy/o3
jNUje/Hx0fZF9VDyUK4ld+K/wF3QdK4CID1ONj/Kqinrq2OpjYdkgIjEPuXoOoR1
tCym8dnq4wtH
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIB3jCCAYOgAwIBAgIJALsW7pyC2ERQMAoGCCqGSM49BAMCMEsxCzAJBgNVBAYT
AlVTMQswCQYDVQQIDAJDQTEMMAoGA1UEBwwDU0pDMRAwDgYDVQQKDAdUcmlyZW1l
MQ8wDQYDVQQDDAZ1YnVudHUwHhcNMTYwOTI3MjI0OTAwWhcNMjYwOTI1MjI0OTAw
WjBLMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExDDAKBgNVBAcMA1NKQzEQMA4G
A1UECgwHVHJpcmVtZTEPMA0GA1UEAwwGdWJ1bnR1MFkwEwYHKoZIzj0CAQYIKoZI
zj0DAQcDQgAE4c2Fd7XeIB1Vfs51fWwREfLLDa55J+NBalV12CH7YEAnEXjl47aV
cmNqcAtdMUpf2oz9nFVI81bgO+OSudr3CqNQME4wHQYDVR0OBBYEFOBftuI09mmu
rXjqDyIta1gT8lqvMB8GA1UdIwQYMBaAFOBftuI09mmurXjqDyIta1gT8lqvMAwG
A1UdEwQFMAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAMylAHhbFA0KqhXIFiXNpEbH
JKaELL6UXXdeQ5yup8q+AiEAh5laB9rbgTymjaANcZ2YzEZH4VFS3CKoSdVqgnwC
dW4=
-----END CERTIFICATE-----`

	certPEM = `-----BEGIN CERTIFICATE-----
MIIBhjCCASwCCQCPCdgp39gHJTAKBggqhkjOPQQDAjBLMQswCQYDVQQGEwJVUzEL
MAkGA1UECAwCQ0ExDDAKBgNVBAcMA1NKQzEQMA4GA1UECgwHVHJpcmVtZTEPMA0G
A1UEAwwGdWJ1bnR1MB4XDTE2MDkyNzIyNDkwMFoXDTI2MDkyNTIyNDkwMFowSzEL
MAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQwwCgYDVQQHDANTSkMxEDAOBgNVBAoM
B1RyaXJlbWUxDzANBgNVBAMMBnVidW50dTBZMBMGByqGSM49AgEGCCqGSM49AwEH
A0IABAHwC/gHz4/w58a1OrVJBMsxMgsZ35TlsYaLstW3c4Se78TG9b0N9fGW1v1r
zDf6IyF6l2KxKSEqKI854+OsOuMwCgYIKoZIzj0EAwIDSAAwRQIgQwQn0jnK/XvD
KxgQd/0pW5FOAaB41cMcw4/XVlphO1oCIQDlGie+WlOMjCzrV0Xz+XqIIi1pIgPT
IG7Nv+YlTVp5qA==
-----END CERTIFICATE-----`
)

func createCompactPKISecrets(tags []string) (secrets.Secrets, error) {
	txtKey, cert, _, err := crypto.LoadAndVerifyECSecrets([]byte(keyPEM), []byte(certPEM), []byte(caPool))
	if err != nil {
		return nil, err
	}

	issuer := pkiverifier.NewPKIIssuer(txtKey)
	txtToken, err := issuer.CreateTokenFromCertificate(cert, tags)
	if err != nil {
		return nil, err
	}

	ControllerInfo := &secrets.ControllerInfo{
		PublicKey: []byte(certPEM),
	}

	tokenKeyPEMs := []*secrets.ControllerInfo{ControllerInfo}

	scrts, err := compactpki.NewCompactPKIWithTokenCA([]byte(keyPEM), []byte(certPEM), []byte(caPool), tokenKeyPEMs, txtToken, claimsheader.CompressionTypeV1)
	if err != nil {
		return nil, err
	}

	return scrts, nil
}

func createUncompressedTags(pu string) *policy.TagStore {
	tags := []string{
		enforcerconstants.TransmitterLabel + "=" + pu,
	}

	return policy.NewTagStoreFromSlice(tags)
}

func createCompressedTagArray() *policy.TagStore {
	return policy.NewTagStoreFromSlice([]string{
		"vpdCmPoRCx7k",
		"8wLk0bOXS9w0",
		"GUmf49pmErzC",
		"7J+9IX0dRGog",
		"3BQgvLnKvSUj",
	})
}

func Test_NewBinaryJWT(t *testing.T) {
	Convey("When I try to instantiate a new binary JWT, it should succeed", t, func() {
		b, err := NewBinaryJWT(bvalidity, "0123456789012345678901234567890123456789")
		So(err, ShouldBeNil)
		So(b, ShouldNotBeNil)
		So(b.ValidityPeriod, ShouldEqual, bvalidity)
		So(b.Issuer, ShouldEqual, "0123456789012345678901234567890123456789")
		So(b.tokenCache, ShouldNotBeNil)
		So(b.sharedKeys, ShouldNotBeNil)
	})
}

func Test_EncodeDecode(t *testing.T) {
	Convey("Given a validy binary JWT issuer", t, func() {
		scrts, err := createCompactPKISecrets([]string{"kDMRXWckV9k6mGuJ", "xyz", "eJ1s03u72o6i"})
		So(err, ShouldBeNil)

		b, err := NewBinaryJWT(bvalidity, "0123456789012345678901234567890123456789")
		So(err, ShouldBeNil)

		Convey("When I encode and decode a bad Syn Packet", func() {

			token := make([]byte, 400)
			token = append(token, []byte("abcdefghijklmnopqrstuvwxyz")...)

			Convey("When I decode the token, it should throw error", func() {
				_, _, _, _, _, err := b.DecodeSyn(false, token, nil, scrts, nil)
				So(err, ShouldResemble, ErrMissingSignature)
			})
		})

		Convey("When I encode and decode a nil Syn Packet", func() {

			Convey("When I decode the token, it should be give the original claims", func() {
				_, _, _, _, _, err := b.DecodeSyn(false, nil, nil, scrts, nil)
				So(err, ShouldResemble, ErrInvalidTokenLength)
			})
		})
	})
}

type TestPublicKey struct {
	X *big.Int
	Y *big.Int
}

func testencodeKey() ([]byte, error) {
	var data bytes.Buffer
	remotePrivateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return []byte{}, err
	}
	p := &TestPublicKey{
		X: remotePrivateKey.PublicKey.X,
		Y: remotePrivateKey.PublicKey.Y,
	}
	enc := gob.NewEncoder(&data)
	if err := enc.Encode(p); err != nil {
		return nil, err
	}
	return data.Bytes(), nil

}

type PublicKeys struct {
	X *big.Int
	Y *big.Int
}

func Test_BinaryTokenLengths(t *testing.T) {
	Convey("Given a JWT valid engine with a valid Compact PKI key ", t, func() {
		scrts, err := createCompactPKISecrets(nil)
		So(err, ShouldBeNil)

		t, err := NewBinaryJWT(bvalidity, "01234567890123456789012345678901234567")
		So(err, ShouldBeNil)

		Convey("When I try with 64 12-byte tags, the max length must not be exceeded", func() {

			privatekey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
			So(err, ShouldBeNil)

			publickey := &PublicKeys{
				X: privatekey.PublicKey.X,
				Y: privatekey.PublicKey.Y,
			}

			var data bytes.Buffer

			enc := gob.NewEncoder(&data)
			err = enc.Encode(publickey)
			So(err, ShouldBeNil)
			msg := "Length of bytes " + strconv.Itoa(len(data.Bytes()))
			Convey(msg, func() {})

			var compressedTags []string
			b := make([]byte, 12)
			for i := 0; i < 56; i++ {
				_, err := rand.Read(b)
				So(err, ShouldBeNil)
				compressedTags = append(compressedTags, string(b))
			}

			claims := &ConnectionClaims{
				ID:  "5c5baa93d5f54a3019bede4e",
				RMT: []byte(rmt),
				LCL: []byte(lcl),
				CT:  policy.NewTagStoreFromSlice(compressedTags),
			}

			var encodedBuf [ClaimsEncodedBufSize]byte

			token, err := t.CreateSynToken(claims, encodedBuf[:], []byte(lcl), claimsheader.NewClaimsHeader(), scrts)
			So(err, ShouldBeNil)
			So(len(token), ShouldBeLessThan, 1420)
		})

	})

	Convey("Given a JWT valid engine with a valid Compact PKI key ", t, func() {
		scrts, err := createCompactPKISecrets(nil)
		So(err, ShouldBeNil)

		t, err := NewBinaryJWT(bvalidity, "0123456789012345678901234567890123456789")
		So(err, ShouldBeNil)

		Convey("When I try with 64 12-byte tags, the max length must not be exceeded", func() {

			privatekey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
			So(err, ShouldBeNil)

			publickey := &PublicKeys{
				X: privatekey.PublicKey.X,
				Y: privatekey.PublicKey.Y,
			}

			var data bytes.Buffer

			enc := gob.NewEncoder(&data)
			err = enc.Encode(publickey)
			So(err, ShouldBeNil)
			msg := "Length of bytes " + strconv.Itoa(len(data.Bytes()))
			Convey(msg, func() {})

			var compressedTags []string
			b := make([]byte, 8)
			for i := 0; i < 80; i++ {
				_, err := rand.Read(b)
				So(err, ShouldBeNil)
				compressedTags = append(compressedTags, string(b))
			}

			claims := &ConnectionClaims{
				ID:  "5c5baa93d5f54a3019bede4e",
				RMT: []byte(rmt),
				LCL: []byte(lcl),
				CT:  policy.NewTagStoreFromSlice(compressedTags),
			}
			var encodedBuf [ClaimsEncodedBufSize]byte
			token, err := t.CreateSynToken(claims, encodedBuf[:], []byte(lcl), claimsheader.NewClaimsHeader(), scrts)
			So(err, ShouldBeNil)
			So(len(token), ShouldBeLessThan, 1420)
		})

	})
}

func Test_PANWIdentitySynToken(t *testing.T) {
	Convey("Given a JWT valid engine with a valid Compact PKI key ", t, func() {
		scrts, err := createCompactPKISecrets(nil)
		So(err, ShouldBeNil)

		t1, err := NewBinaryJWT(bvalidity, "01234567890123456789012345678901234567")
		So(err, ShouldBeNil)

		Convey("PANWIDENTITY string should be there at 64 byte boundary from the end of the token", func() {

			privatekey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
			So(err, ShouldBeNil)

			publickey := &PublicKeys{
				X: privatekey.PublicKey.X,
				Y: privatekey.PublicKey.Y,
			}

			var data bytes.Buffer

			enc := gob.NewEncoder(&data)
			err = enc.Encode(publickey)
			So(err, ShouldBeNil)
			msg := "Length of bytes " + strconv.Itoa(len(data.Bytes()))
			Convey(msg, func() {})

			var compressedTags []string
			b := make([]byte, 12)
			for i := 0; i < 56; i++ {
				_, err := rand.Read(b)
				So(err, ShouldBeNil)
				compressedTags = append(compressedTags, string(b))
			}

			claims := &ConnectionClaims{
				ID:  "5c5baa93d5f54a3019bede4e",
				RMT: []byte(rmt),
				LCL: []byte(lcl),
				CT:  policy.NewTagStoreFromSlice(compressedTags),
			}

			var encodedBuf [ClaimsEncodedBufSize]byte

			synToken, err := t1.CreateSynToken(claims, encodedBuf[:], []byte(lcl), claimsheader.NewClaimsHeader(), scrts)
			So(err, ShouldBeNil)
			startOffset := len(synToken) - 64 - len([]byte("PANWIDENTITY"))
			endOffset := len(synToken) - 64
			assert.Equal(t, string(synToken[startOffset:endOffset]), "PANWIDENTITY", "string should match PANWIDENTITY")
		})

	})
}

func Test_PANWIdentityAckToken(t *testing.T) {

	Convey("Given a JWT valid engine with a valid Compact PKI key ", t, func() {
		t1, err := NewBinaryJWT(bvalidity, "0123456789012345678901234567890123456789")
		So(err, ShouldBeNil)

		var compressedTags []string
		b := make([]byte, 12)
		for i := 0; i < 56; i++ {
			_, err := rand.Read(b)
			So(err, ShouldBeNil)
			compressedTags = append(compressedTags, string(b))
		}

		claims := &ConnectionClaims{
			ID:  "5c5baa93d5f54a3019bede4e",
			RMT: []byte(rmt),
			LCL: []byte(lcl),
			CT:  policy.NewTagStoreFromSlice(compressedTags),
		}

		var encodedBuf [ClaimsEncodedBufSize]byte

		ackToken, err := t1.CreateAckToken(false, []byte("hello"), claims, encodedBuf[:], claimsheader.NewClaimsHeader())
		So(err, ShouldBeNil)
		startOffset := len(ackToken) - 64 - len([]byte("PANWIDENTITY"))
		endOffset := len(ackToken) - 64
		assert.Equal(t, string(ackToken[startOffset:endOffset]), "PANWIDENTITY", "string should match PANWIDENTITY")
	})
}

func Test_EncDecClaims(t *testing.T) {
	var compressedTags []string
	b := make([]byte, 12)
	for i := 0; i < 56; i++ {
		rand.Read(b) //nolint
		compressedTags = append(compressedTags, string(b))
	}

	// Encode the claims in a buffer.

	claims := &ConnectionClaims{
		ID:  "5c5baa93d5f54a3019bede4e",
		RMT: []byte(rmt),
		LCL: []byte(lcl),
		CT:  policy.NewTagStoreFromSlice(compressedTags),
	}
	allclaims := ConvertToBinaryClaims(claims, 1*time.Minute)

	var encodedBuf [ClaimsEncodedBufSize]byte
	encBuf := encodedBuf[:]
	encode(allclaims, &encBuf) //nolint

	decClaims, _ := decode(encBuf)
	eq := reflect.DeepEqual(allclaims, decClaims)

	assert.Equal(t, eq, true, "decoded claims should be equal to original claims which was encoded")
}


================================================
FILE: controller/pkg/tokens/binaryjwtclaimtypes.go
================================================
package tokens

import (
	"time"

	jwt "github.com/dgrijalva/jwt-go"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
)

// BinaryJWTClaims captures all the custom  claims
type BinaryJWTClaims struct {
	// Tags
	T []string `codec:",omitempty"`
	// Compressed tags
	CT []string `codec:",omitempty"`
	// RMT is the nonce of the remote that has to be signed in the JWT
	RMT []byte `codec:",omitempty"`
	// LCL is the nonce of the local node that has to be signed
	LCL []byte `codec:",omitempty"`
	// DEK is the datapath ephemeral keys used to derived shared keys during the handshake
	DEK []byte `codec:",omitempty"`
	// SDEK is the signature of the ephemeral key
	SDEK []byte `codec:",omitempty"`
	// ID is the source PU ID
	ID string `codec:",omitempty"`
	// Expiration time
	ExpiresAt int64 `codec:",omitempty"`
	// SignerKey
	SignerKey []byte `codec:",omitempty"`
	// P holds the ping payload
	P *policy.PingPayload `codec:",omitempty"`
	// DEKV2 is the datapath ephemeral key V2 used to derived shared keys during the handshake
	DEKV2 []byte `codec:",omitempty"`
	// SDEK is the signature of the ephemeral key V2
	SDEKV2 []byte `codec:",omitempty"`
}

// JWTClaims captures all the custom  clains
type JWTClaims struct {
	*ConnectionClaims
	jwt.StandardClaims
}

//CopyToConnectionClaims copies the binary jwt claims to connection claims
func CopyToConnectionClaims(b *BinaryJWTClaims, connClaims *ConnectionClaims) {
	*connClaims = ConnectionClaims{
		T:      policy.NewTagStoreFromSlice(b.T),
		CT:     policy.NewTagStoreFromSlice(b.CT),
		RMT:    b.RMT,
		LCL:    b.LCL,
		SDEKV1: b.SDEK,
		DEKV1:  b.DEK,
		SDEKV2: b.SDEKV2,
		DEKV2:  b.DEKV2,
		ID:     b.ID,
		P:      b.P,
	}
}

// ConvertToJWTClaims converts to old claims
func ConvertToJWTClaims(b *BinaryJWTClaims) *JWTClaims {
	return &JWTClaims{
		ConnectionClaims: &ConnectionClaims{
			T:      policy.NewTagStoreFromSlice(b.T),
			CT:     policy.NewTagStoreFromSlice(b.CT),
			RMT:    b.RMT,
			LCL:    b.LCL,
			SDEKV1: b.SDEK,
			DEKV1:  b.DEK,
			SDEKV2: b.SDEKV2,
			DEKV2:  b.DEKV2,
			ID:     b.ID,
			P:      b.P,
		},
		StandardClaims: jwt.StandardClaims{
			ExpiresAt: b.ExpiresAt,
		},
	}
}

// ConvertToBinaryClaims coverts back,
func ConvertToBinaryClaims(j *ConnectionClaims, validity time.Duration) *BinaryJWTClaims {
	b := &BinaryJWTClaims{
		RMT:       j.RMT,
		LCL:       j.LCL,
		SDEK:      j.SDEKV1,
		DEK:       j.DEKV1,
		SDEKV2:    j.SDEKV2,
		DEKV2:     j.DEKV2,
		ID:        j.ID,
		ExpiresAt: time.Now().Add(validity).Unix(),
		P:         j.P,
	}
	if j.T != nil {
		b.T = j.T.GetSlice()
	}
	if j.CT != nil {
		b.CT = j.CT.GetSlice()
	}

	return b
}


================================================
FILE: controller/pkg/tokens/errors.go
================================================
package tokens

import (
	"errors"
	"fmt"
)

// Custom errors used by this package.
var (
	ErrTokenTooSmall           = errors.New("randomize: token is small")
	ErrTokenEncodeFailed       = errors.New("unable to encode token")
	ErrTokenHashFailed         = errors.New("unable to hash token")
	ErrTokenSignFailed         = errors.New("unable to sign token")
	ErrSharedSecretMissing     = errors.New("secret not found")
	ErrInvalidSecret           = errors.New("invalid secret")
	ErrInvalidTokenLength      = errors.New("not enough data")
	ErrMissingSignature        = errors.New("signature is missing")
	ErrInvalidSignature        = errors.New("invalid signature")
	ErrCompressedTagMismatch   = errors.New("Compressed tag mismatch")
	ErrDatapathVersionMismatch = errors.New("Datapath version mismatch")
	ErrTokenDecodeFailed       = errors.New("unable to decode token")
	ErrTokenExpired            = errors.New("token expired")
	ErrSignatureMismatch       = errors.New("signature mismatch")
	ErrSharedKeyHashFailed     = errors.New("unable to hash shared key")
	ErrPublicKeyFailed         = errors.New("unable to verify public key")
)

// logError is a convinience function which logs the err:msg and returns the error.
func logError(err error, msg string) error {

	if err == nil {
		return nil
	}

	return fmt.Errorf("err = err.Error(), msg = %s", msg)
}


================================================
FILE: controller/pkg/tokens/jwt.go
================================================
package tokens

import (
	"crypto/ecdsa"
	"encoding/binary"
	"errors"
	"fmt"
	"time"

	jwt "github.com/dgrijalva/jwt-go"
	enforcerconstants "go.aporeto.io/trireme-lib/controller/internal/enforcer/constants"
	"go.aporeto.io/trireme-lib/controller/pkg/claimsheader"
	"go.aporeto.io/trireme-lib/controller/pkg/secrets"
	"go.aporeto.io/trireme-lib/policy"
	"go.aporeto.io/trireme-lib/utils/cache"
)

var (
	noncePosition = 2
	tokenPosition = 2 + NonceLength
)

// JWTConfig configures the JWT token generator with the standard parameters. One
// configuration is assigned to each server
type JWTConfig struct {
	// ValidityPeriod  period of the JWT
	ValidityPeriod time.Duration
	// Issuer is the server that issues the JWT
	Issuer string
	// signMethod is the method used to sign the JWT
	signMethod jwt.SigningMethod
	// cache test
	tokenCache cache.DataStore
	// compressionType determines of compression should be used when creating tokens
	compressionType claimsheader.CompressionType
	// compressionTagLength is the length of tags based on compressionType
	compressionTagLength int
	// datapathVersion is the current version of the datapath
	datapathVersion claimsheader.DatapathVersion
}

// JWTClaims captures all the custom  clains
type JWTClaims struct {
	*ConnectionClaims
	jwt.StandardClaims
}

// NewJWT creates a new JWT token processor
func NewJWT(validity time.Duration, issuer string, s secrets.Secrets) (*JWTConfig, error) {

	if len(issuer) > MaxServerName {
		return nil, fmt.Errorf("server id should be max %d chars. got %s", MaxServerName, issuer)
	}

	for i := len(issuer); i < MaxServerName; i++ {
		issuer = issuer + " "
	}

	var signMethod jwt.SigningMethod
	compressionType := claimsheader.CompressionTypeNone

	if s == nil {
		return nil, errors.New("secrets can not be nil")
	}

	switch s.Type() {
	case secrets.PKICompactType:
		signMethod = jwt.SigningMethodES256
		compressionType = s.(*secrets.CompactPKI).Compressed
	default:
		signMethod = jwt.SigningMethodNone
	}

	return &JWTConfig{
		ValidityPeriod:       validity,
		Issuer:               issuer,
		signMethod:           signMethod,
		tokenCache:           cache.NewCacheWithExpiration("JWTTokenCache", time.Millisecond*500),
		compressionType:      compressionType,
		compressionTagLength: claimsheader.CompressionTypeToTagLength(compressionType),
		datapathVersion:      claimsheader.DatapathVersion1,
	}, nil
}

// CreateAndSign  creates a new token, attaches an ephemeral key pair and signs with the issuer
// key. It also randomizes the source nonce of the token. It returns back the token and the private key.
func (c *JWTConfig) CreateAndSign(isAck bool, claims *ConnectionClaims, nonce []byte, claimsHeader *claimsheader.ClaimsHeader, secrets secrets.Secrets) (token []byte, err error) {

	// Set the appropriate claims header
	claimsHeader.SetCompressionType(c.compressionType)
	claimsHeader.SetDatapathVersion(c.datapathVersion)

	// Combine the application claims with the standard claims
	allclaims := &JWTClaims{
		&ConnectionClaims{
			T:   claims.T,
			EK:  claims.EK,
			RMT: claims.RMT,
			H:   claimsHeader.ToBytes(),
			ID:  claims.ID,
			CT:  claims.CT,
		},
		jwt.StandardClaims{
			ExpiresAt: time.Now().Add(c.ValidityPeriod).Unix(),
		},
	}

	// For backward compatibility, keep the issuer in Ack packets.
	if isAck {
		allclaims.Issuer = c.Issuer
		allclaims.LCL = claims.LCL
	}

	// Create the token and sign with our key
	strtoken, err := jwt.NewWithClaims(c.signMethod, allclaims).SignedString(secrets.EncodingKey())
	if err != nil {
		return []byte{}, err
	}

	// Copy the certificate if needed. Note that we don't send the certificate
	// again for Ack packets to reduce overhead
	if !isAck {

		txKey := secrets.TransmittedKey()

		totalLength := len(strtoken) + len(txKey) + noncePosition + NonceLength + 1

		token := make([]byte, totalLength)

		// Offset of public key
		binary.BigEndian.PutUint16(token[0:noncePosition], uint16(len(strtoken)))

		// Attach the nonse
		copy(token[noncePosition:], nonce)

		// Copy the JWT tokenn
		copy(token[tokenPosition:], []byte(strtoken))

		token[tokenPosition+len(strtoken)] = '%'
		// Copy the public key
		if len(txKey) > 0 {
			copy(token[tokenPosition+len(strtoken)+1:], txKey)
		}

		return token, nil
	}

	return []byte(strtoken), nil

}

// Decode  takes as argument the JWT token and the certificate of the issuer.
// First it verifies the certificate with the local CA pool, and the decodes
// the JWT if the certificate is trusted
func (c *JWTConfig) Decode(isAck bool, data []byte, previousCert interface{}, secrets secrets.Secrets) (claims *ConnectionClaims, nonce []byte, publicKey interface{}, err error) {

	var ackCert interface{}
	var certClaims []string

	token := data

	jwtClaims := &JWTClaims{}

	nonce = make([]byte, NonceLength)

	// Get the token and data from the buffer and validate the certificate
	// Ack packets don't have a certificate and it must be provided in the
	// Decode function. If certificates are distributed out of band we
	// will look in the certPool for the certificate
	if !isAck {
		// We must have at least enough data to get the length
		if len(data) < tokenPosition {
			return nil, nil, nil, errors.New("not enough data")
		}

		tokenLength := int(binary.BigEndian.Uint16(data[0:noncePosition]))
		// Data must be enought to accommodate the token
		if len(data) < tokenPosition+tokenLength+1 {
			return nil, nil, nil, errors.New("invalid token length")
		}

		copy(nonce, data[noncePosition:tokenPosition])

		token = data[tokenPosition : tokenPosition+tokenLength]

		certBytes := data[tokenPosition+tokenLength+1:]

		ackCert, certClaims, _, err = secrets.KeyAndClaims(certBytes)
		if err != nil {
			return nil, nil, nil, fmt.Errorf("invalid public key: %s", err)
		}

		if cachedClaims, cerr := c.tokenCache.Get(string(token)); cerr == nil {
			return cachedClaims.(*ConnectionClaims), nonce, ackCert, nil
		}
	}

	// Parse the JWT token with the public key recovered. If it is an Ack packet
	// use the previous cert.
	jwttoken, err := jwt.ParseWithClaims(string(token), jwtClaims, func(token *jwt.Token) (interface{}, error) { // nolint
		if ackCert != nil {
			return ackCert.(*ecdsa.PublicKey), nil
		}
		if previousCert != nil {
			return previousCert.(*ecdsa.PublicKey), nil
		}
		return nil, fmt.Errorf("Unable to find certificate")
	})

	// If error is returned or the token is not valid, reject it
	if err != nil {
		return nil, nil, nil, fmt.Errorf("unable to parse token: %s", err)
	}
	if !jwttoken.Valid {
		return nil, nil, nil, errors.New("invalid token")
	}

	if !isAck {
		tags := []string{enforcerconstants.TransmitterLabel + "=" + jwtClaims.ConnectionClaims.ID}
		if jwtClaims.ConnectionClaims.T != nil {
			tags = jwtClaims.ConnectionClaims.T.Tags
		}

		if certClaims != nil {
			tags = append(tags, certClaims...)
		}

		jwtClaims.ConnectionClaims.T = policy.NewTagStoreFromSlice(tags)
	}

	if jwtClaims.ConnectionClaims.H != nil {
		if err := c.verifyClaimsHeader(jwtClaims.ConnectionClaims.H.ToClaimsHeader()); err != nil {
			return nil, nil, nil, err
		}
	}

	c.tokenCache.AddOrUpdate(string(token), jwtClaims.ConnectionClaims)

	return jwtClaims.ConnectionClaims, nonce, ackCert, nil
}

// Randomize adds a nonce to an existing token. Returns the nonce
func (c *JWTConfig) Randomize(token []byte, nonce []byte) (err error) {

	if len(token) < tokenPosition {
		return errors.New("token is too small")
	}

	copy(token[noncePosition:], nonce)

	return nil
}

func (c *JWTConfig) verifyClaimsHeader(claimsHeader *claimsheader.ClaimsHeader) error {

	switch {
	case claimsHeader.CompressionType() != c.compressionType:
		return ErrCompressedTagMismatch
	case claimsHeader.DatapathVersion() != c.datapathVersion:
		return ErrDatapathVersionMismatch
	}

	return nil
}


================================================
FILE: controller/pkg/tokens/jwt_test.go
================================================
// +build !windows

package tokens

import (
	"crypto/ecdsa"
	"crypto/x509"
	"testing"
	"time"

	jwt "github.com/dgrijalva/jwt-go"
	. "github.com/smartystreets/goconvey/convey"
	"go.aporeto.io/trireme-lib/controller/pkg/claimsheader"
	"go.aporeto.io/trireme-lib/controller/pkg/pkiverifier"
	"go.aporeto.io/trireme-lib/controller/pkg/secrets"
	"go.aporeto.io/trireme-lib/policy"
	"go.aporeto.io/trireme-lib/utils/crypto"
)

var (
	tags = policy.NewTagStoreFromMap(map[string]string{
		"label1": "value1",
		"label2": "value2",
	})

	rmt           = "1234567890123456"
	lcl           = "098765432109876"
	defaultClaims = ConnectionClaims{
		T:   tags,
		RMT: []byte(rmt),
		EK:  []byte{},
	}

	ackClaims = ConnectionClaims{
		T:   nil,
		RMT: []byte(rmt),
		LCL: []byte(lcl),
		EK:  []byte{},
	}
	validity = time.Second * 10

	keyPEM = `-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIPkiHqtH372JJdAG/IxJlE1gv03cdwa8Lhg2b3m/HmbyoAoGCCqGSM49
AwEHoUQDQgAEAfAL+AfPj/DnxrU6tUkEyzEyCxnflOWxhouy1bdzhJ7vxMb1vQ31
8ZbW/WvMN/ojIXqXYrEpISoojznj46w64w==
-----END EC PRIVATE KEY-----`
	caPool = `-----BEGIN CERTIFICATE-----
MIIBhTCCASwCCQC8b53yGlcQazAKBggqhkjOPQQDAjBLMQswCQYDVQQGEwJVUzEL
MAkGA1UECAwCQ0ExDDAKBgNVBAcMA1NKQzEQMA4GA1UECgwHVHJpcmVtZTEPMA0G
A1UEAwwGdWJ1bnR1MB4XDTE2MDkyNzIyNDkwMFoXDTI2MDkyNTIyNDkwMFowSzEL
MAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQwwCgYDVQQHDANTSkMxEDAOBgNVBAoM
B1RyaXJlbWUxDzANBgNVBAMMBnVidW50dTBZMBMGByqGSM49AgEGCCqGSM49AwEH
A0IABJxneTUqhbtgEIwpKUUzwz3h92SqcOdIw3mfQkMjg3Vobvr6JKlpXYe9xhsN
rygJmLhMAN9gjF9qM9ybdbe+m3owCgYIKoZIzj0EAwIDRwAwRAIgC1fVMqdBy/o3
jNUje/Hx0fZF9VDyUK4ld+K/wF3QdK4CID1ONj/Kqinrq2OpjYdkgIjEPuXoOoR1
tCym8dnq4wtH
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIB3jCCAYOgAwIBAgIJALsW7pyC2ERQMAoGCCqGSM49BAMCMEsxCzAJBgNVBAYT
AlVTMQswCQYDVQQIDAJDQTEMMAoGA1UEBwwDU0pDMRAwDgYDVQQKDAdUcmlyZW1l
MQ8wDQYDVQQDDAZ1YnVudHUwHhcNMTYwOTI3MjI0OTAwWhcNMjYwOTI1MjI0OTAw
WjBLMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExDDAKBgNVBAcMA1NKQzEQMA4G
A1UECgwHVHJpcmVtZTEPMA0GA1UEAwwGdWJ1bnR1MFkwEwYHKoZIzj0CAQYIKoZI
zj0DAQcDQgAE4c2Fd7XeIB1Vfs51fWwREfLLDa55J+NBalV12CH7YEAnEXjl47aV
cmNqcAtdMUpf2oz9nFVI81bgO+OSudr3CqNQME4wHQYDVR0OBBYEFOBftuI09mmu
rXjqDyIta1gT8lqvMB8GA1UdIwQYMBaAFOBftuI09mmurXjqDyIta1gT8lqvMAwG
A1UdEwQFMAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAMylAHhbFA0KqhXIFiXNpEbH
JKaELL6UXXdeQ5yup8q+AiEAh5laB9rbgTymjaANcZ2YzEZH4VFS3CKoSdVqgnwC
dW4=
-----END CERTIFICATE-----`

	certPEM = `-----BEGIN CERTIFICATE-----
MIIBhjCCASwCCQCPCdgp39gHJTAKBggqhkjOPQQDAjBLMQswCQYDVQQGEwJVUzEL
MAkGA1UECAwCQ0ExDDAKBgNVBAcMA1NKQzEQMA4GA1UECgwHVHJpcmVtZTEPMA0G
A1UEAwwGdWJ1bnR1MB4XDTE2MDkyNzIyNDkwMFoXDTI2MDkyNTIyNDkwMFowSzEL
MAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQwwCgYDVQQHDANTSkMxEDAOBgNVBAoM
B1RyaXJlbWUxDzANBgNVBAMMBnVidW50dTBZMBMGByqGSM49AgEGCCqGSM49AwEH
A0IABAHwC/gHz4/w58a1OrVJBMsxMgsZ35TlsYaLstW3c4Se78TG9b0N9fGW1v1r
zDf6IyF6l2KxKSEqKI854+OsOuMwCgYIKoZIzj0EAwIDSAAwRQIgQwQn0jnK/XvD
KxgQd/0pW5FOAaB41cMcw4/XVlphO1oCIQDlGie+WlOMjCzrV0Xz+XqIIi1pIgPT
IG7Nv+YlTVp5qA==
-----END CERTIFICATE-----`
)

func createCompactPKISecrets() (*x509.Certificate, secrets.Secrets, error) {
	txtKey, cert, _, err := crypto.LoadAndVerifyECSecrets([]byte(keyPEM), []byte(certPEM), []byte(caPool))
	if err != nil {
		return nil, nil, err
	}

	issuer := pkiverifier.NewPKIIssuer(txtKey)
	txtToken, err := issuer.CreateTokenFromCertificate(cert, []string{})
	if err != nil {
		return nil, nil, err
	}

	scrts, err := secrets.NewCompactPKIWithTokenCA([]byte(keyPEM), []byte(certPEM), []byte(caPool), [][]byte{[]byte(certPEM)}, txtToken, claimsheader.CompressionTypeNone)
	if err != nil {
		return nil, nil, err
	}

	return cert, scrts, nil
}

// TestConstructorNewPolicyDB tests the NewPolicyDB constructor
func TestConstructorNewJWT(t *testing.T) {
	Convey("Given that I instantiate a new JWT Engine with max server name that violates requirements, it should fail", t, func() {
		scrts, err := secrets.NewNullPKI([]byte(keyPEM), []byte(certPEM), []byte(caPool))
		So(err, ShouldBeNil)
		_, err = NewJWT(validity, "0123456789012345678901234567890123456789", scrts)
		So(err, ShouldNotBeNil)
	})

	Convey("Given that I instantiate a new JWT Engine with nil secrets, it should fail", t, func() {
		_, err := NewJWT(validity, "TEST", nil)
		So(err, ShouldNotBeNil)
	})

	Convey("Given that I instantiate a new JWT Engine with PKI secrets, it should succeed", t, func() {

		j := &JWTConfig{}

		_, scrts, err := createCompactPKISecrets()
		So(err, ShouldBeNil)

		jwtConfig, _ := NewJWT(validity, "TRIREME", scrts)

		So(jwtConfig, ShouldHaveSameTypeAs, j)
		So(jwtConfig.Issuer, ShouldResemble, "TRIREME                 ")
		So(jwtConfig.ValidityPeriod.Seconds(), ShouldEqual, validity.Seconds())
		So(jwtConfig.signMethod, ShouldEqual, jwt.SigningMethodES256)
	})

	Convey("Given that I instantiate a new JWT null encryption, it should succeed", t, func() {

		j := &JWTConfig{}

		scrts, err := secrets.NewNullPKI([]byte(keyPEM), []byte(certPEM), []byte(caPool))
		So(err, ShouldBeNil)

		jwtConfig, _ := NewJWT(validity, "TRIREME", scrts)

		So(jwtConfig, ShouldHaveSameTypeAs, j)
		So(jwtConfig.Issuer, ShouldResemble, "TRIREME                 ")
		So(jwtConfig.ValidityPeriod.Seconds(), ShouldEqual, validity.Seconds())
		So(jwtConfig.signMethod, ShouldEqual, jwt.SigningMethodNone)
	})

}

func TestCreateAndVerifyPKI(t *testing.T) {
	Convey("Given a JWT valid engine with a valid Compact PKI key ", t, func() {
		cert, scrts, err := createCompactPKISecrets()
		So(err, ShouldBeNil)

		jwtConfig, _ := NewJWT(validity, "TRIREME", scrts)

		nonce := []byte("1234567890123456")
		Convey("Given a signature request for a normal packet", func() {
			token, err1 := jwtConfig.CreateAndSign(false, &defaultClaims, nonce, claimsheader.NewClaimsHeader(), scrts)
			recoveredClaims, recoveredNonce, publicKey, err2 := jwtConfig.Decode(false, token, nil, scrts)

			So(err2, ShouldBeNil)
			So(err1, ShouldBeNil)
			So(recoveredClaims, ShouldNotBeNil)
			lclaims, ok1 := recoveredClaims.T.Get("label1")
			dclaims, ok2 := recoveredClaims.T.Get("label1")
			So(ok1, ShouldBeTrue)
			So(ok2, ShouldBeTrue)
			So(lclaims, ShouldResemble, dclaims)
			So(string(recoveredClaims.RMT), ShouldEqual, rmt)
			So(string(recoveredClaims.LCL), ShouldEqual, "")
			So(nonce, ShouldResemble, recoveredNonce)
			So(cert.PublicKey, ShouldResemble, publicKey)
		})

		Convey("Given a signature request that hits the cache ", func() {
			token1, err1 := jwtConfig.CreateAndSign(false, &defaultClaims, nonce, claimsheader.NewClaimsHeader(), scrts)
			recoveredClaims1, recoveredNonce1, key1, err2 := jwtConfig.Decode(false, token1, nil, scrts)
			nonce2 := []byte("9876543210123456")
			err3 := jwtConfig.Randomize(token1, nonce2)
			recoveredClaims2, recoveredNonce2, key2, err4 := jwtConfig.Decode(false, token1, nil, scrts)

			So(err1, ShouldBeNil)
			So(err2, ShouldBeNil)
			So(err3, ShouldBeNil)
			So(err4, ShouldBeNil)
			So(recoveredClaims1, ShouldNotBeNil)
			So(recoveredClaims2, ShouldNotBeNil)
			lclaims1, ok1 := recoveredClaims1.T.Get("label1")
			dclaims1, ok2 := recoveredClaims1.T.Get("label1")
			So(ok1, ShouldBeTrue)
			So(ok2, ShouldBeTrue)
			So(lclaims1, ShouldResemble, dclaims1)
			lclaims2, ok3 := recoveredClaims2.T.Get("label1")
			dclaims2, ok4 := recoveredClaims2.T.Get("label1")
			So(ok3, ShouldBeTrue)
			So(ok4, ShouldBeTrue)
			So(lclaims2, ShouldResemble, dclaims2)
			So(string(recoveredClaims1.RMT), ShouldEqual, rmt)
			So(string(recoveredClaims1.LCL), ShouldEqual, "")
			So(string(recoveredClaims2.RMT), ShouldEqual, rmt)
			So(string(recoveredClaims2.LCL), ShouldEqual, "")
			So(nonce, ShouldResemble, recoveredNonce1)
			So(nonce2, ShouldResemble, recoveredNonce2)
			So(cert.PublicKey, ShouldResemble, key1)
			So(cert.PublicKey, ShouldResemble, key2)
		})

		Convey("Given a signature request for an ACK packet", func() {
			token, err1 := jwtConfig.CreateAndSign(true, &ackClaims, nonce, claimsheader.NewClaimsHeader(), scrts)
			recoveredClaims, _, _, err2 := jwtConfig.Decode(true, token, cert.PublicKey.(*ecdsa.PublicKey), scrts)

			So(err1, ShouldBeNil)
			So(err2, ShouldBeNil)
			So(recoveredClaims, ShouldNotBeNil)
			So(string(recoveredClaims.RMT), ShouldEqual, rmt)
			So(string(recoveredClaims.LCL), ShouldEqual, lcl)
			So(recoveredClaims.T, ShouldBeNil)
		})
	})
}

func TestNegativeConditions(t *testing.T) {
	Convey("Given a JWT valid engine with a PKI  key ", t, func() {
		_, scrts, err := createCompactPKISecrets()
		So(err, ShouldBeNil)

		jwtConfig, _ := NewJWT(validity, "TRIREME", scrts)
		nonce := []byte("012456789123456")

		Convey("Test a token with a bad length ", func() {
			token, err1 := jwtConfig.CreateAndSign(false, &defaultClaims, nonce, claimsheader.NewClaimsHeader(), scrts)
			_, _, _, err2 := jwtConfig.Decode(false, token[:len(token)-len(certPEM)-1], nil, scrts)
			So(err2, ShouldNotBeNil)
			So(err1, ShouldBeNil)
		})

		Convey("Test a token with a bad public key", func() {
			token, err1 := jwtConfig.CreateAndSign(false, &defaultClaims, nonce, claimsheader.NewClaimsHeader(), scrts)
			So(err1, ShouldBeNil)
			token[len(token)-1] = 0
			token[len(token)-2] = 0
			token[len(token)-3] = 0
			token[len(token)-4] = 0
			_, _, _, err2 := jwtConfig.Decode(false, token, nil, scrts)
			So(err2, ShouldNotBeNil)
		})

		Convey("Test an ack token with a bad key", func() {
			token, err1 := jwtConfig.CreateAndSign(false, &ackClaims, nonce, claimsheader.NewClaimsHeader(), scrts)

			_, _, _, err2 := jwtConfig.Decode(true, token, certPEM[:10], scrts)
			So(err2, ShouldNotBeNil)
			So(err1, ShouldBeNil)
		})

	})
}

func TestRamdomize(t *testing.T) {
	Convey("Given a token engine with PKI key and a good token", t, func() {
		nonce := []byte("012456789123456")

		_, scrts, err := createCompactPKISecrets()
		So(err, ShouldBeNil)

		jwtConfig, _ := NewJWT(validity, "TRIREME", scrts)
		token, err := jwtConfig.CreateAndSign(false, &defaultClaims, nonce, claimsheader.NewClaimsHeader(), scrts)
		So(err, ShouldBeNil)

		newNonce := []byte("9876543219123456")
		Convey("I should get a new random nonce", func() {
			err := jwtConfig.Randomize(token, newNonce)
			So(err, ShouldBeNil)
		})

		Convey("I should an error if the token is short ", func() {
			err := jwtConfig.Randomize(token[:noncePosition+NonceLength-1], nonce)
			So(err, ShouldNotBeNil)
		})

	})
}


================================================
FILE: controller/pkg/tokens/mocktokens/mocktokens.go
================================================
// Code generated by MockGen. DO NOT EDIT.
// Source: controller/pkg/tokens/tokens.go

// Package mocktokens is a generated GoMock package.
package mocktokens

import (
	ecdsa "crypto/ecdsa"
	reflect "reflect"

	gomock "github.com/golang/mock/gomock"
	claimsheader "go.aporeto.io/enforcerd/trireme-lib/controller/pkg/claimsheader"
	pkiverifier "go.aporeto.io/enforcerd/trireme-lib/controller/pkg/pkiverifier"
	secrets "go.aporeto.io/enforcerd/trireme-lib/controller/pkg/secrets"
	tokens "go.aporeto.io/enforcerd/trireme-lib/controller/pkg/tokens"
)

// MockTokenEngine is a mock of TokenEngine interface
// nolint
type MockTokenEngine struct {
	ctrl     *gomock.Controller
	recorder *MockTokenEngineMockRecorder
}

// MockTokenEngineMockRecorder is the mock recorder for MockTokenEngine
// nolint
type MockTokenEngineMockRecorder struct {
	mock *MockTokenEngine
}

// NewMockTokenEngine creates a new mock instance
// nolint
func NewMockTokenEngine(ctrl *gomock.Controller) *MockTokenEngine {
	mock := &MockTokenEngine{ctrl: ctrl}
	mock.recorder = &MockTokenEngineMockRecorder{mock}
	return mock
}

// EXPECT returns an object that allows the caller to indicate expected use
// nolint
func (m *MockTokenEngine) EXPECT() *MockTokenEngineMockRecorder {
	return m.recorder
}

// CreateAndSign mocks base method
// nolint
func (m *MockTokenEngine) CreateAndSign(isAck bool, claims *tokens.ConnectionClaims, encodedBuf, nonce []byte, claimsHeader *claimsheader.ClaimsHeader, secrets secrets.Secrets) ([]byte, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "CreateAndSign", isAck, claims, encodedBuf, nonce, claimsHeader, secrets)
	ret0, _ := ret[0].([]byte)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// CreateAndSign indicates an expected call of CreateAndSign
// nolint
func (mr *MockTokenEngineMockRecorder) CreateAndSign(isAck, claims, encodedBuf, nonce, claimsHeader, secrets interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateAndSign", reflect.TypeOf((*MockTokenEngine)(nil).CreateAndSign), isAck, claims, encodedBuf, nonce, claimsHeader, secrets)
}

// DecodeSyn mocks base method
// nolint
func (m *MockTokenEngine) DecodeSyn(isSynAck bool, data []byte, privateKey *ecdsa.PrivateKey, secrets secrets.Secrets, connClaims *tokens.ConnectionClaims) (*claimsheader.ClaimsHeader, []byte, interface{}, *pkiverifier.PKIControllerInfo, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "DecodeSyn", isSynAck, data, privateKey, secrets, connClaims)
	ret0, _ := ret[0].(*claimsheader.ClaimsHeader)
	ret1, _ := ret[1].([]byte)
	ret2, _ := ret[2].(interface{})
	ret3, _ := ret[3].(*pkiverifier.PKIControllerInfo)
	ret4, _ := ret[4].(error)
	return ret0, ret1, ret2, ret3, ret4
}

// DecodeSyn indicates an expected call of DecodeSyn
// nolint
func (mr *MockTokenEngineMockRecorder) DecodeSyn(isSynAck, data, privateKey, secrets, connClaims interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DecodeSyn", reflect.TypeOf((*MockTokenEngine)(nil).DecodeSyn), isSynAck, data, privateKey, secrets, connClaims)
}

// DecodeAck mocks base method
// nolint
func (m *MockTokenEngine) DecodeAck(data []byte, connClaims *tokens.ConnectionClaims) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "DecodeAck", data, connClaims)
	ret0, _ := ret[0].(error)
	return ret0
}

// DecodeAck indicates an expected call of DecodeAck
// nolint
func (mr *MockTokenEngineMockRecorder) DecodeAck(data, connClaims interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DecodeAck", reflect.TypeOf((*MockTokenEngine)(nil).DecodeAck), data, connClaims)
}

// Randomize mocks base method
// nolint
func (m *MockTokenEngine) Randomize(arg0, arg1 []byte) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "Randomize", arg0, arg1)
	ret0, _ := ret[0].(error)
	return ret0
}

// Randomize indicates an expected call of Randomize
// nolint
func (mr *MockTokenEngineMockRecorder) Randomize(arg0, arg1 interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Randomize", reflect.TypeOf((*MockTokenEngine)(nil).Randomize), arg0, arg1)
}

// Sign mocks base method
// nolint
func (m *MockTokenEngine) Sign(arg0 []byte, arg1 *ecdsa.PrivateKey) ([]byte, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "Sign", arg0, arg1)
	ret0, _ := ret[0].([]byte)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// Sign indicates an expected call of Sign
// nolint
func (mr *MockTokenEngineMockRecorder) Sign(arg0, arg1 interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Sign", reflect.TypeOf((*MockTokenEngine)(nil).Sign), arg0, arg1)
}


================================================
FILE: controller/pkg/tokens/tokens.go
================================================
package tokens

import (
	"crypto/ecdsa"

	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/utils/ephemeralkeys"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/claimsheader"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/pkiverifier"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/secrets"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
)

// ConnectionClaims captures all the claim information
type ConnectionClaims struct {
	T *policy.TagStore `json:",omitempty"`
	// RMT is the nonce of the remote that has to be signed in the JWT
	RMT []byte `json:",omitempty"`
	// LCL is the nonce of the local node that has to be signed
	LCL []byte `json:",omitempty"`
	// DEKV1 is the datapath ephemeral keys used to derived shared keys during the handshake
	DEKV1 []byte `json:",omitempty"`
	// SDEKV1 is the signature of the ephemeral key
	SDEKV1 []byte `json:",omitempty"`
	// C is the compressed tags in one string
	CT *policy.TagStore `json:",omitempty"`
	// ID is the source PU ID
	ID string `json:",omitempty"`
	// RemoteID is the ID of the remote if known.
	RemoteID string `json:",omitempty"`
	// H is the claims header
	H claimsheader.HeaderBytes `json:",omitempty"`
	// P holds the ping payload
	P *policy.PingPayload `codec:",omitempty"`
	// DEKV2 is the datapath ephemeral keys used to derived shared keys during the handshake
	DEKV2 []byte `json:",omitempty"`
	// SDEKV2 is the signature of the ephemeral key
	SDEKV2 []byte `json:",omitempty"`
}

// TokenEngine is the interface to the different implementations of tokens
type TokenEngine interface {
	// CreteAndSign creates a token, signs it and produces the final byte string
	CreateSynToken(claims *ConnectionClaims, encodedBuf []byte, nonce []byte, header *claimsheader.ClaimsHeader, secrets secrets.Secrets) ([]byte, error)
	CreateSynAckToken(proto314 bool, claims *ConnectionClaims, encodedBuf []byte, nonce []byte, header *claimsheader.ClaimsHeader, secrets secrets.Secrets, secretKey []byte) ([]byte, error)
	CreateAckToken(proto314 bool, secretKey []byte, claims *ConnectionClaims, encodedBuf []byte, header *claimsheader.ClaimsHeader) ([]byte, error)

	DecodeSyn(isSynAck bool, data []byte, privateKey *ephemeralkeys.PrivateKey, secrets secrets.Secrets, connClaims *ConnectionClaims) ([]byte, *claimsheader.ClaimsHeader, []byte, *pkiverifier.PKIControllerInfo, bool, error)
	DecodeAck(proto314 bool, secretKey []byte, data []byte, connClaims *ConnectionClaims) error

	// Randomize inserts a source nonce in an existing token - New nonce will be
	// create every time the token is transmitted as a challenge to the other side
	// even when the token is cached. There should be space in the token already.
	// Returns an error if there is no space
	Randomize([]byte, []byte) (err error)
	Sign([]byte, *ecdsa.PrivateKey) ([]byte, error)
}

const (
	// MaxServerName must be of UUID size maximum
	MaxServerName = 24
	// NonceLength is the length of the Nonce to be used in the secrets
	NonceLength = 16
)


================================================
FILE: controller/pkg/urisearch/urisearch.go
================================================
package urisearch

import (
	"go.aporeto.io/enforcerd/trireme-lib/policy"
)

type node struct {
	children map[string]*node
	leaf     bool
	data     interface{}
}

// APICache represents an API cache.
type APICache struct {
	methodRoots map[string]*node
	ID          string
	External    bool
}

type scopeRule struct {
	rule *policy.HTTPRule
}

// NewAPICache creates a new API cache
func NewAPICache(rules []*policy.HTTPRule, id string, external bool) *APICache {
	a := &APICache{
		methodRoots: map[string]*node{},
		ID:          id,
		External:    external,
	}

	for _, rule := range rules {
		sc := &scopeRule{
			rule: rule,
		}
		for _, method := range rule.Methods {
			if _, ok := a.methodRoots[method]; !ok {
				a.methodRoots[method] = &node{}
			}
			for _, uri := range rule.URIs {
				insert(a.methodRoots[method], uri, sc)
			}
		}
	}

	return a
}

// FindRule finds a rule in the APICache without validating scopes
func (c *APICache) FindRule(verb, uri string) (bool, *policy.HTTPRule) {
	found, rule := c.Find(verb, uri)
	if rule == nil {
		return found, nil
	}
	if policyRule, ok := rule.(*scopeRule); ok {
		return found, policyRule.rule
	}
	return false, nil
}

// FindAndMatchScope finds the rule and returns true only if the scope matches
// as well. It also returns true of this was a public rule, allowing the callers
// to decide how to present the data or potentially what to do if authorization
// fails.
func (c *APICache) FindAndMatchScope(verb, uri string, attributes []string) (bool, bool) {
	found, rule := c.Find(verb, uri)
	if !found || rule == nil {
		return false, false
	}
	policyRule, ok := rule.(*scopeRule)
	if !ok {
		return false, false
	}
	if policyRule.rule.Public {
		return true, true
	}
	return c.MatchClaims(policyRule.rule.ClaimMatchingRules, attributes), false
}

// MatchClaims receives a set of claim matchibg rules and a set of claims
// and returns true of the claims match the rules.
func (c *APICache) MatchClaims(rules [][]string, claims []string) bool {

	claimsMap := map[string]struct{}{}
	for _, claim := range claims {
		claimsMap[claim] = struct{}{}
	}

	var matched int
	for _, clause := range rules {
		matched = len(clause)
		for _, claim := range clause {
			if _, ok := claimsMap[claim]; ok {
				matched--
			}
			if matched == 0 {
				return true
			}
		}
	}
	return false
}

// Find finds a URI in the cache and returns true and the data if found.
// If not found it returns false.
func (c *APICache) Find(verb, uri string) (bool, interface{}) {
	root, ok := c.methodRoots[verb]
	if !ok {
		return false, nil
	}
	return search(root, uri)
}

// parse parses a URI and splits into prefix, suffix
func parse(s string) (string, string) {
	if s == "/" {
		return s, ""
	}
	for i := 1; i < len(s); i++ {
		if s[i] == '/' {
			return s[0:i], s[i:]
		}
	}

	return s, ""
}

// insert adds an api to the api cache
func insert(n *node, api string, data interface{}) {
	if len(api) == 0 {
		n.data = data
		n.leaf = true
		return
	}

	prefix, suffix := parse(api)

	// root node or terminal node
	if prefix == "/" {
		n.data = data
		n.leaf = true
		return
	}

	if n.children == nil {
		n.children = map[string]*node{}
	}

	// If there is no child, add the new child.
	next, ok := n.children[prefix]
	if !ok {
		next = &node{}
		n.children[prefix] = next
	}

	insert(next, suffix, data)
}

func search(n *node, api string) (found bool, data interface{}) {

	prefix, suffix := parse(api)

	if prefix == "/" {
		if n.leaf {
			return true, n.data
		}
	}

	next, foundPrefix := n.children[prefix]
	// We found either an exact match or a * match
	if foundPrefix {
		matchedChildren, data := search(next, suffix)
		if matchedChildren {
			return true, data
		}
	}

	// If not found, try the ignore operator.
	next, foundPrefix = n.children["/?"]
	if foundPrefix {
		matchedChildren, data := search(next, suffix)
		if matchedChildren {
			return true, data
		}
	}

	// If not found, try the * operator and ignore the rest of path.
	next, foundPrefix = n.children["/*"]
	if foundPrefix {
		for len(suffix) > 0 {
			matchedChildren, data := search(next, suffix)
			if matchedChildren {
				return true, data
			}
			prefix, suffix = parse(suffix)
		}
		matchedChildren, data := search(next, "/")
		if matchedChildren {
			return true, data
		}
	}

	if n.leaf && len(prefix) == 0 {
		return true, n.data
	}

	return false, nil
}


================================================
FILE: controller/pkg/urisearch/urisearch_test.go
================================================
// +build !windows

package urisearch

import (
	"testing"

	. "github.com/smartystreets/goconvey/convey"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
)

func initTrieRules() []*policy.HTTPRule {

	return []*policy.HTTPRule{
		{
			Methods: []string{"GET", "PUT"},
			URIs: []string{
				"/users/?/name",
				"/things/?",
			},
			ClaimMatchingRules: [][]string{{"policy1"}},
		},
		{
			Methods: []string{"PATCH"},
			URIs: []string{
				"/users/?/name",
				"/things/?",
			},
			ClaimMatchingRules: [][]string{{"policy2"}},
		},
		{
			Methods: []string{"POST"},
			URIs: []string{
				"/v1/users/?/name",
				"/v1/things/?",
			},
			Public:             true,
			ClaimMatchingRules: [][]string{{"policy3"}},
		},
		{
			Methods:            []string{"POST"},
			URIs:               []string{"/"},
			ClaimMatchingRules: [][]string{{"policy4"}},
		},
		{
			Methods:            []string{"PATCH"},
			URIs:               []string{"/?"},
			ClaimMatchingRules: [][]string{{"policy5"}},
		},
		{
			Methods:            []string{"HEAD"},
			URIs:               []string{"/*"},
			ClaimMatchingRules: [][]string{{"policy7"}},
		},
		{
			Methods:            []string{"HEAD"},
			URIs:               []string{"/a/?/c/d"},
			ClaimMatchingRules: [][]string{{"policy8"}},
		},
		{
			Methods:            []string{"HEAD"},
			URIs:               []string{"/a/b/?/e"},
			ClaimMatchingRules: [][]string{{"policy9"}},
		},
		{
			Methods:            []string{"HEAD"},
			URIs:               []string{"/a/*/c/x"},
			ClaimMatchingRules: [][]string{{"policy10"}},
		},
		{
			Methods:            []string{"HEAD"},
			URIs:               []string{"/a/b/?/w"},
			ClaimMatchingRules: [][]string{{"policy11"}},
		},
		{
			Methods:            []string{"HEAD"},
			URIs:               []string{"/a/b/?/y/*"},
			ClaimMatchingRules: [][]string{{"policy12"}, {"policy13"}, {"policy14", "policy15"}},
		},
	}
}

func TestNewAPICache(t *testing.T) {
	Convey("Given a set of valid rules", t, func() {
		rules := initTrieRules()

		Convey("When I insert them in the cache, I should get a valid cache", func() {
			c := NewAPICache(rules, "id", false)
			So(c, ShouldNotBeNil)
			So(c.methodRoots, ShouldNotBeNil)
			So(len(c.methodRoots), ShouldEqual, 5)
			So(c.methodRoots, ShouldContainKey, "GET")
			So(c.methodRoots, ShouldContainKey, "POST")
			So(c.methodRoots, ShouldContainKey, "PUT")
			So(c.methodRoots, ShouldContainKey, "PATCH")
			So(c.methodRoots, ShouldContainKey, "HEAD")
			So(c.methodRoots["GET"], ShouldNotBeNil)
			So(c.methodRoots["POST"], ShouldNotBeNil)
			So(c.methodRoots["PUT"], ShouldNotBeNil)
			So(c.methodRoots["PATCH"], ShouldNotBeNil)
			So(c.methodRoots["POST"].data, ShouldNotBeNil)
			So(len(c.methodRoots["GET"].children), ShouldEqual, 2)
		})
	})
}

func TestInsert(t *testing.T) {

	Convey("When I insert a root node, it should succeed", t, func() {
		n := &node{}
		insert(n, "/", "data")
		So(n.data.(string), ShouldResemble, "data")
		So(n.leaf, ShouldBeTrue)
	})

	Convey("When I insert a one level node, it should succeed", t, func() {
		n := &node{}
		insert(n, "/a", "data")
		So(n.leaf, ShouldEqual, false)
		So(len(n.children), ShouldEqual, 1)
		So(n.children["/a"], ShouldNotBeNil)
		So(n.children["/a"].leaf, ShouldBeTrue)
		So(n.children["/a"].data.(string), ShouldResemble, "data")
	})

	Convey("When I insert two level node, it should succeed", t, func() {
		n := &node{}
		insert(n, "/a/b", "data")
		So(n.leaf, ShouldEqual, false)
		So(len(n.children), ShouldEqual, 1)
		So(n.children["/a"], ShouldNotBeNil)
		So(n.children["/a"].leaf, ShouldBeFalse)
		So(n.children["/a"].children["/b"], ShouldNotBeNil)
		So(n.children["/a"].children["/b"].leaf, ShouldBeTrue)
	})

	Convey("When I insert two level node with a * it should succeed", t, func() {
		n := &node{}
		insert(n, "/a/*", "data")
		So(n.leaf, ShouldEqual, false)
		So(len(n.children), ShouldEqual, 1)
		So(n.children["/a"], ShouldNotBeNil)
		So(n.children["/a"].leaf, ShouldBeFalse)
		So(n.children["/a"].children["/*"], ShouldNotBeNil)
		So(n.children["/a"].children["/*"].leaf, ShouldBeTrue)
	})

	Convey("When I insert a two level node, where the first part is * it should succeed", t, func() {
		n := &node{}
		insert(n, "/*/a", "data")
		So(n.leaf, ShouldEqual, false)
		So(len(n.children), ShouldEqual, 1)
		So(n.children["/*"], ShouldNotBeNil)
		So(n.children["/*"].leaf, ShouldBeFalse)
		So(n.children["/*"].children["/a"], ShouldNotBeNil)
		So(n.children["/*"].children["/a"].leaf, ShouldBeTrue)
	})

}

func TestParse(t *testing.T) {
	Convey("When I parse a root URI, I should get no suffix", t, func() {
		prefix, suffix := parse("/")
		So(prefix, ShouldEqual, "/")
		So(suffix, ShouldEqual, "")
	})

	Convey("When I parse non root URIs with one level", t, func() {
		prefix, suffix := parse("/a")
		So(prefix, ShouldEqual, "/a")
		So(suffix, ShouldEqual, "")
	})

	Convey("When I parse non root URIs with two levels, I should get the right suffix", t, func() {
		prefix, suffix := parse("/a/b")
		So(prefix, ShouldEqual, "/a")
		So(suffix, ShouldEqual, "/b")
	})

	Convey("When I parse non root URIs with three levels, I should get the right suffix", t, func() {
		prefix, suffix := parse("/a/b/c")
		So(prefix, ShouldEqual, "/a")
		So(suffix, ShouldEqual, "/b/c")
	})

	Convey("When I parse non root URIs with a *, I should get * as suffix", t, func() {
		prefix, suffix := parse("/a/*")
		So(prefix, ShouldEqual, "/a")
		So(suffix, ShouldEqual, "/*")
	})
}

func TestAPICacheFind(t *testing.T) {
	Convey("Given valid API cache", t, func() {
		c := NewAPICache(initTrieRules(), "id", false)
		Convey("When I search for correct URIs, I should get the right data", func() {

			// GET and PUT combined rule
			found, rule := c.FindRule("GET", "/users/bob/name")
			So(found, ShouldBeTrue)
			So(rule, ShouldNotBeNil)
			So(rule.ClaimMatchingRules, ShouldContain, []string{"policy1"})

			found, rule = c.FindRule("BADVERB", "/users/bob/name")
			So(found, ShouldBeFalse)
			So(rule, ShouldBeNil)

			found, rule = c.FindRule("PUT", "/users/bob/name")
			So(found, ShouldBeTrue)
			So(rule, ShouldNotBeNil)
			So(rule.ClaimMatchingRules, ShouldContain, []string{"policy1"})

			found, rule = c.FindRule("GET", "/things/something")
			So(found, ShouldBeTrue)
			So(rule, ShouldNotBeNil)
			So(rule.ClaimMatchingRules, ShouldContain, []string{"policy1"})

			found, rule = c.FindRule("GET", "/prefix/things/something")
			So(found, ShouldBeFalse)
			So(rule, ShouldBeNil)

			// PATCH rule
			found, rule = c.FindRule("PATCH", "/things/something")
			So(found, ShouldBeTrue)
			So(rule, ShouldNotBeNil)
			So(rule.ClaimMatchingRules, ShouldContain, []string{"policy2"})

			found, rule = c.FindRule("PATCH", "/users/bob/name")
			So(found, ShouldBeTrue)
			So(rule, ShouldNotBeNil)
			So(rule.ClaimMatchingRules, ShouldContain, []string{"policy2"})

			// POST rule
			found, rule = c.FindRule("POST", "/v1/users/123/name")
			So(found, ShouldBeTrue)
			So(rule, ShouldNotBeNil)
			So(rule.ClaimMatchingRules, ShouldContain, []string{"policy3"})

			found, rule = c.FindRule("POST", "/v1/things/123454656")
			So(found, ShouldBeTrue)
			So(rule, ShouldNotBeNil)
			So(rule.ClaimMatchingRules, ShouldContain, []string{"policy3"})

			found, rule = c.FindRule("POST", "/")
			So(found, ShouldBeTrue)
			So(rule, ShouldNotBeNil)
			So(rule.ClaimMatchingRules, ShouldContain, []string{"policy4"})

			// HEAD Rules
			found, rule = c.FindRule("HEAD", "/users/123/name")
			So(found, ShouldBeTrue)
			So(rule, ShouldNotBeNil)

			found, rule = c.FindRule("PATCH", "/users/123/name")
			So(found, ShouldBeTrue)
			So(rule, ShouldNotBeNil)
			So(rule.ClaimMatchingRules, ShouldContain, []string{"policy2"})

			found, rule = c.FindRule("HEAD", "/a/b/c/d")
			So(found, ShouldBeTrue)
			So(rule, ShouldNotBeNil)
			So(rule.ClaimMatchingRules, ShouldContain, []string{"policy8"})

			found, rule = c.FindRule("HEAD", "/a/x/c/d")
			So(found, ShouldBeTrue)
			So(rule, ShouldNotBeNil)
			So(rule.ClaimMatchingRules, ShouldContain, []string{"policy8"})

			found, rule = c.FindRule("HEAD", "/a/b/x/e")
			So(found, ShouldBeTrue)
			So(rule, ShouldNotBeNil)
			So(rule.ClaimMatchingRules, ShouldContain, []string{"policy9"})

			found, rule = c.FindRule("HEAD", "/a/b/x")
			So(found, ShouldBeTrue)
			So(rule, ShouldNotBeNil)

			found, rule = c.FindRule("HEAD", "/a/b/c/d/e/c/x")
			So(found, ShouldBeTrue)
			So(rule, ShouldNotBeNil)
			So(rule.ClaimMatchingRules, ShouldContain, []string{"policy10"})

			found, rule = c.FindRule("HEAD", "/a/b/c/w")
			So(found, ShouldBeTrue)
			So(rule, ShouldNotBeNil)
			So(rule.ClaimMatchingRules, ShouldContain, []string{"policy11"})

			found, rule = c.FindRule("HEAD", "/a/b/c/z")
			So(found, ShouldBeTrue)
			So(rule, ShouldNotBeNil)
			So(rule.ClaimMatchingRules, ShouldContain, []string{"policy7"})

			found, rule = c.FindRule("HEAD", "/a/b/c/d/e/f/w")
			So(found, ShouldBeTrue)
			So(rule, ShouldNotBeNil)
			So(rule.ClaimMatchingRules, ShouldContain, []string{"policy7"})

			found, rule = c.FindRule("HEAD", "/a/b/c/y/d/e/f/g/g")
			So(found, ShouldBeTrue)
			So(rule, ShouldNotBeNil)
			So(rule.ClaimMatchingRules, ShouldContain, []string{"policy12"})
		})

		Convey("When I search for bad URIs, I should get not found", func() {
			found, _ := c.Find("GET", "/users/123/name/targets")
			So(found, ShouldBeFalse)
			found, _ = c.Find("PUT", "/users/name")
			So(found, ShouldBeFalse)
			found, _ = c.Find("GET", "/v1/things/123")
			So(found, ShouldBeFalse)
			found, _ = c.Find("GET", "/v1/v2/v3/v54/12312312/12321312/123123")
			So(found, ShouldBeFalse)
			found, _ = c.Find("GET", "/someapi")
			So(found, ShouldBeFalse)
			found, _ = c.Find("GET", "/")
			So(found, ShouldBeFalse)
		})

		Convey("Test performacen", func() {
			for i := 0; i < 10000; i++ {
				found, _ := c.Find("GET", "/users/123/name")
				So(found, ShouldBeTrue)
			}
		})
	})
}

func TestFindAndMachScope(t *testing.T) {
	Convey("Given a valid API cache", t, func() {
		c := NewAPICache(initTrieRules(), "id", false)

		Convey("When I search for rules matching scopes, it should return true", func() {
			found, _ := c.FindAndMatchScope("GET", "/users/bob/name", []string{"policy1"})
			So(found, ShouldBeTrue)
		})

		Convey("When I search for an invalid URI, it should return false", func() {
			found, _ := c.FindAndMatchScope("GET", "/this/doesnot/exist", []string{"policy1"})
			So(found, ShouldBeFalse)
		})

		Convey("When I search for a valid URI and not matching scopes, it should return false", func() {
			found, _ := c.FindAndMatchScope("GET", "/users/bob/name", []string{"policy10"})
			So(found, ShouldBeFalse)
		})

		Convey("When I search for public rule and bad scopes it should always return true", func() {
			found, _ := c.FindAndMatchScope("POST", "/v1/things/something", []string{"policy10"})
			So(found, ShouldBeTrue)
		})

		Convey("When I search for public rule and good scopes it should always return true", func() {
			found, _ := c.FindAndMatchScope("POST", "/v1/things/something", []string{"policy3"})
			So(found, ShouldBeTrue)
		})

		Convey("When I search for public rule and multiple scopes in an array it should always return true", func() {
			found, _ := c.FindAndMatchScope("HEAD", "/a/b/c/y/z", []string{"policy12", "policy13"})
			So(found, ShouldBeTrue)
		})

		Convey("When I search for public rule and need to match the right and clause it should return true", func() {
			found, _ := c.FindAndMatchScope("HEAD", "/a/b/c/y/z", []string{"policy14", "policy15"})
			So(found, ShouldBeTrue)
		})

		Convey("When I search for public rule at the and clause fails, it should return false", func() {
			found, _ := c.FindAndMatchScope("HEAD", "/a/b/c/y/z", []string{"policy1", "policy15"})
			So(found, ShouldBeFalse)
		})

		Convey("When I search for public rule at the and clause fails with several labels, but it matched it should return true", func() {
			found, _ := c.FindAndMatchScope("HEAD", "/a/b/c/y/z", []string{"x", "y", "z", "policy14", "a", "b", "c", "policy15", "k", "l", "m"})
			So(found, ShouldBeTrue)
		})
	})
}


================================================
FILE: controller/pkg/usertokens/common/common.go
================================================
package common

import (
	"reflect"
	"strconv"
)

// JWTType is the type of user JWTs that must be implemented.
type JWTType int

// Values of JWTType
const (
	PKI JWTType = iota
	OIDC
)

// convert an unknown int type to int64
func toInt64(i interface{}) int64 {
	switch i := i.(type) {
	case int:
		return int64(i)
	case int8:
		return int64(i)
	case int16:
		return int64(i)
	case int32:
		return int64(i)
	case int64:
		return i
	default:
		panic("toInt64(): expected a signed integer type, got " + reflect.TypeOf(i).String() + " instead")
	}
}

// convert an unknown int type to int64
func toUint64(i interface{}) uint64 {
	switch i := i.(type) {
	case uint:
		return uint64(i)
	case uint8:
		return uint64(i)
	case uint16:
		return uint64(i)
	case uint32:
		return uint64(i)
	case uint64:
		return i
	default:
		panic("toUint64(): expected an unsigned integer type, got " + reflect.TypeOf(i).String() + " instead")
	}
}

// FlattenClaim flattens all the generic claims in a flat array for strings.
func FlattenClaim(key string, claim interface{}) []string {
	attributes := []string{}

	switch claim := claim.(type) {
	case bool:
		attributes = append(attributes, key+"="+strconv.FormatBool(claim))
	case int, int8, int16, int32, int64:
		attributes = append(attributes, key+"="+strconv.FormatInt(toInt64(claim), 10))
	case uint, uint8, uint16, uint32, uint64:
		attributes = append(attributes, key+"="+strconv.FormatUint(toUint64(claim), 10))
	case float32:
		attributes = append(attributes, key+"="+strconv.FormatFloat(float64(claim), 'G', -1, 32))
	case float64:
		attributes = append(attributes, key+"="+strconv.FormatFloat(claim, 'G', -1, 64))
	case string:
		attributes = append(attributes, key+"="+claim)
	case []string:
		for _, data := range claim {
			attributes = append(attributes, key+"="+data)
		}
	case map[string]interface{}:
		for ikey, ivalue := range claim {
			for _, v := range FlattenClaim(ikey, ivalue) {
				attributes = append(attributes, key+":"+v)
			}
		}
	case []interface{}:
		for _, value := range claim {
			attributes = append(attributes, FlattenClaim(key, value)...)
		}
	default:
		// do nothing, just return attributes
	}
	return attributes
}


================================================
FILE: controller/pkg/usertokens/common/common_test.go
================================================
package common

import (
	"testing"

	. "github.com/smartystreets/assertions"
)

func TestFlattenClaim(t *testing.T) {
	type args struct {
		key   string
		claim interface{}
	}
	tests := []struct {
		name    string
		args    args
		want    []string
		notwant []string
	}{
		{
			name: "test-slice",
			args: args{
				key:   "slicekey",
				claim: []interface{}{"claim1", "claim2"},
			},
			want: []string{"slicekey=claim1", "slicekey=claim2"},
		},
		{
			name: "test-string",
			args: args{key: "testkey1", claim: "testclaim1"},
			want: []string{"testkey1=testclaim1"},
		},
		{
			name: "test-empty-string",
			args: args{key: "testkey1", claim: ""},
			want: []string{"testkey1="},
		},
		{
			name: "test-bool-true",
			args: args{key: "key", claim: true},
			want: []string{"key=true"},
		},
		{
			name: "test-bool-false",
			args: args{key: "key", claim: false},
			want: []string{"key=false"},
		},
		{
			name:    "test-bool-not-true",
			args:    args{key: "key", claim: true},
			notwant: []string{"key=false"},
		},
		{
			name:    "test-bool-not-false",
			args:    args{key: "key", claim: false},
			notwant: []string{"key=true"},
		},
		{
			name: "test-string-slice-succeed",
			args: args{key: "key", claim: []string{"claim1", "claim2"}},
			want: []string{"key=claim1", "key=claim2"},
		},
		{
			name:    "test-string-slice-fail",
			args:    args{key: "key", claim: []string{"claim1", "claim2"}},
			notwant: []string{"key=claim3", "key=claim4"},
		},
		{
			name: "test-map-string-string",
			args: args{key: "testkey", claim: map[string]interface{}{"key1": "value1", "key2": "value2"}},
			want: []string{"testkey:key1=value1", "testkey:key2=value2"},
		},
		{
			name: "test-map-string-int",
			args: args{key: "testkey", claim: map[string]interface{}{"key1": 1, "key2": 2}},
			want: []string{"testkey:key1=1", "testkey:key2=2"},
		},
		{
			name: "test-map-string-bool",
			args: args{key: "testkey", claim: map[string]interface{}{"key1": true, "key2": false}},
			want: []string{"testkey:key1=true", "testkey:key2=false"},
		},
		{
			name: "test-map-string-slice",
			args: args{key: "rootkey", claim: map[string]interface{}{"key1": []string{"val1", "val2"}}},
			want: []string{"rootkey:key1=val1", "rootkey:key1=val2"},
		},
		{
			name: "test-map-string-map",
			args: args{
				key: "rootkey",
				claim: map[string]interface{}{
					"level1": map[string]interface{}{
						"key1": "val1",
					},
					"level2": map[string]interface{}{
						"key2": "val2",
					},
				},
			},
			want: []string{"rootkey:level1:key1=val1", "rootkey:level2:key2=val2"},
		},
		{
			name: "test-positive-int",
			args: args{key: "key", claim: int(1)},
			want: []string{"key=1"},
		},
		{
			name: "test-positive-int8",
			args: args{key: "key", claim: int8(1)},
			want: []string{"key=1"},
		},
		{
			name: "test-positive-int16",
			args: args{key: "key", claim: int16(1)},
			want: []string{"key=1"},
		},
		{
			name: "test-positive-int32",
			args: args{key: "key", claim: int32(1)},
			want: []string{"key=1"},
		},
		{
			name: "test-positive-int64",
			args: args{key: "key", claim: int64(1)},
			want: []string{"key=1"},
		},
		{
			name: "test-negative-int",
			args: args{key: "key", claim: int(-1)},
			want: []string{"key=-1"},
		},
		{
			name: "test-uint",
			args: args{key: "key", claim: uint(1)},
			want: []string{"key=1"},
		},
		{
			name: "test-uint8",
			args: args{key: "key", claim: uint8(1)},
			want: []string{"key=1"},
		},
		{
			name: "test-uint16",
			args: args{key: "key", claim: uint16(1)},
			want: []string{"key=1"},
		},
		{
			name: "test-uint32",
			args: args{key: "key", claim: uint32(1)},
			want: []string{"key=1"},
		},
		{
			name: "test-uint64",
			args: args{key: "key", claim: uint64(1)},
			want: []string{"key=1"},
		},
		{
			name: "test-float32-small",
			args: args{key: "key", claim: float32(3.14)},
			want: []string{"key=3.14"},
		},
		{
			name: "test-negative-float32-small",
			args: args{key: "key", claim: float32(-3.14)},
			want: []string{"key=-3.14"},
		},
		{
			name: "test-float32-rounding",
			args: args{key: "key", claim: float32(3.141592654)},
			want: []string{"key=3.1415927"},
		},
		{
			name: "test-negative-float32-rounding",
			args: args{key: "key", claim: float32(-3.141592654)},
			want: []string{"key=-3.1415927"},
		},
		{
			name: "test-float32-exponent",
			args: args{key: "key", claim: float32(3.141592654e22)},
			want: []string{"key=3.1415927E+22"},
		},
		{
			name: "test-float32-negative-exponent",
			args: args{key: "key", claim: float32(3.141592654e-22)},
			want: []string{"key=3.1415927E-22"},
		},
		{
			name: "test-negative-float32-exponent",
			args: args{key: "key", claim: float32(-3.141592654e22)},
			want: []string{"key=-3.1415927E+22"},
		},
		{
			name: "test-negative-float32-negative-exponent",
			args: args{key: "key", claim: float32(-3.141592654e-22)},
			want: []string{"key=-3.1415927E-22"},
		},
		{
			name: "test-float64-small",
			args: args{key: "key", claim: float64(3.14)},
			want: []string{"key=3.14"},
		},
		{
			name: "test-negative-float64-small",
			args: args{key: "key", claim: float64(-3.14)},
			want: []string{"key=-3.14"},
		},
		{
			name: "test-float64-rounding",
			args: args{key: "key", claim: float64(1.412135623730950488)},
			want: []string{"key=1.4121356237309506"},
		},
		{
			name: "test-negative-float64-rounding",
			args: args{key: "key", claim: float64(-1.412135623730950488)},
			want: []string{"key=-1.4121356237309506"},
		},
		{
			name: "test-float64-exponent",
			args: args{key: "key", claim: float64(1.41213562373095e22)},
			want: []string{"key=1.41213562373095E+22"},
		},
		{
			name: "test-float64-negative-exponent",
			args: args{key: "key", claim: float64(1.41213562373095e-22)},
			want: []string{"key=1.41213562373095E-22"},
		},
		{
			name: "test-negative-float64-exponent",
			args: args{key: "key", claim: float64(-1.41213562373095e22)},
			want: []string{"key=-1.41213562373095E+22"},
		},
		{
			name: "test-negative-float64-negative-exponent",
			args: args{key: "key", claim: float64(-1.41213562373095e-22)},
			want: []string{"key=-1.41213562373095E-22"},
		},
		{
			name: "test-map-string-float",
			args: args{key: "test", claim: map[string]interface{}{"key1": 3.1415, "key2": -1.21e+33}},
			want: []string{"test:key1=3.1415", "test:key2=-1.21E+33"},
		},
		{
			name: "test-map-string-mixed",
			args: args{key: "test", claim: map[string]interface{}{"key1": true, "key2": -1.21e+33, "key3": "val3"}},
			want: []string{"test:key1=true", "test:key2=-1.21E+33", "test:key3=val3"},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			got := FlattenClaim(tt.args.key, tt.args.claim)
			t.Logf("test: %s, got: %v\n", tt.name, got)
			for _, want := range tt.want {
				if ok, errStr := So(got, ShouldContain, want); !ok {
					t.Errorf("%s", errStr)
				}
			}
			for _, notwant := range tt.notwant {
				if ok, errStr := So(got, ShouldNotContain, notwant); !ok {
					t.Errorf("%s", errStr)
				}
			}
		})
	}
}

func Test_toInt64(t *testing.T) {
	type args struct {
		i interface{}
	}
	tests := []struct {
		name      string
		args      args
		want      int64
		wantPanic bool
	}{
		{
			name: "test-toInt64-int",
			args: args{i: int(1)},
			want: int64(1),
		},
		{
			name: "test-toInt64-int8",
			args: args{i: int8(1)},
			want: int64(1),
		},
		{
			name: "test-toInt64-int16",
			args: args{i: int16(1)},
			want: int64(1),
		},
		{
			name: "test-toInt64-int32",
			args: args{i: int32(1)},
			want: int64(1),
		},
		{
			name: "test-toInt64-int64",
			args: args{i: int64(1)},
			want: int64(1),
		},
		{
			name:      "test-toInt64-string",
			args:      args{i: "a string"},
			want:      int64(1),
			wantPanic: true,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			defer func() {
				r := recover()
				if (r != nil) != tt.wantPanic {
					t.Errorf("toInt64() recover = %v, wantPanic = %v", r, tt.wantPanic)
				}
			}()
			if got := toInt64(tt.args.i); got != tt.want {
				t.Errorf("toInt64() = %v, want %v", got, tt.want)
			} else {
				t.Logf("toInt64(): test: %s PASS, want %v, got: %v\n", tt.name, tt.want, got)
			}
		})
	}
}

func Test_toUint64(t *testing.T) {
	type args struct {
		i interface{}
	}
	tests := []struct {
		name      string
		args      args
		want      uint64
		wantPanic bool
	}{
		{
			name: "test-toUint64-int",
			args: args{i: uint(1)},
			want: uint64(1),
		},
		{
			name: "test-toUint64-int8",
			args: args{i: uint8(1)},
			want: uint64(1),
		},
		{
			name: "test-toUint64-int16",
			args: args{i: uint16(1)},
			want: uint64(1),
		},
		{
			name: "test-toUint64-int32",
			args: args{i: uint32(1)},
			want: uint64(1),
		},
		{
			name: "test-toUint64-int64",
			args: args{i: uint64(1)},
			want: uint64(1),
		},
		{
			name:      "test-toUint64-string",
			args:      args{i: "a string"},
			want:      uint64(1),
			wantPanic: true,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			defer func() {
				r := recover()
				if (r != nil) != tt.wantPanic {
					t.Errorf("toUint64() recover = %v, wantPanic = %v", r, tt.wantPanic)
				}
			}()
			if got := toUint64(tt.args.i); got != tt.want {
				t.Errorf("toUint64() = %v, want %v", got, tt.want)
			} else {
				t.Logf("toUint64(): test: %s PASS, want %v, got: %v\n", tt.name, tt.want, got)
			}
		})
	}
}


================================================
FILE: controller/pkg/usertokens/mockusertokens/mockusertokens.go
================================================
// Code generated by MockGen. DO NOT EDIT.
// Source: controller/pkg/usertokens/usertokens.go

// Package mockusertokens is a generated GoMock package.
package mockusertokens

import (
	context "context"
	url "net/url"
	reflect "reflect"

	gomock "github.com/golang/mock/gomock"
	common "go.aporeto.io/enforcerd/trireme-lib/controller/pkg/usertokens/common"
)

// MockVerifier is a mock of Verifier interface
// nolint
type MockVerifier struct {
	ctrl     *gomock.Controller
	recorder *MockVerifierMockRecorder
}

// MockVerifierMockRecorder is the mock recorder for MockVerifier
// nolint
type MockVerifierMockRecorder struct {
	mock *MockVerifier
}

// NewMockVerifier creates a new mock instance
// nolint
func NewMockVerifier(ctrl *gomock.Controller) *MockVerifier {
	mock := &MockVerifier{ctrl: ctrl}
	mock.recorder = &MockVerifierMockRecorder{mock}
	return mock
}

// EXPECT returns an object that allows the caller to indicate expected use
// nolint
func (m *MockVerifier) EXPECT() *MockVerifierMockRecorder {
	return m.recorder
}

// VerifierType mocks base method
// nolint
func (m *MockVerifier) VerifierType() common.JWTType {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "VerifierType")
	ret0, _ := ret[0].(common.JWTType)
	return ret0
}

// VerifierType indicates an expected call of VerifierType
// nolint
func (mr *MockVerifierMockRecorder) VerifierType() *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "VerifierType", reflect.TypeOf((*MockVerifier)(nil).VerifierType))
}

// Validate mocks base method
// nolint
func (m *MockVerifier) Validate(ctx context.Context, token string) ([]string, bool, string, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "Validate", ctx, token)
	ret0, _ := ret[0].([]string)
	ret1, _ := ret[1].(bool)
	ret2, _ := ret[2].(string)
	ret3, _ := ret[3].(error)
	return ret0, ret1, ret2, ret3
}

// Validate indicates an expected call of Validate
// nolint
func (mr *MockVerifierMockRecorder) Validate(ctx, token interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Validate", reflect.TypeOf((*MockVerifier)(nil).Validate), ctx, token)
}

// Callback mocks base method
// nolint
func (m *MockVerifier) Callback(ctx context.Context, u *url.URL) (string, string, int, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "Callback", ctx, u)
	ret0, _ := ret[0].(string)
	ret1, _ := ret[1].(string)
	ret2, _ := ret[2].(int)
	ret3, _ := ret[3].(error)
	return ret0, ret1, ret2, ret3
}

// Callback indicates an expected call of Callback
// nolint
func (mr *MockVerifierMockRecorder) Callback(ctx, u interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Callback", reflect.TypeOf((*MockVerifier)(nil).Callback), ctx, u)
}

// IssueRedirect mocks base method
// nolint
func (m *MockVerifier) IssueRedirect(arg0 string) string {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "IssueRedirect", arg0)
	ret0, _ := ret[0].(string)
	return ret0
}

// IssueRedirect indicates an expected call of IssueRedirect
// nolint
func (mr *MockVerifierMockRecorder) IssueRedirect(arg0 interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "IssueRedirect", reflect.TypeOf((*MockVerifier)(nil).IssueRedirect), arg0)
}


================================================
FILE: controller/pkg/usertokens/oidc/oidc.go
================================================
package oidc

import (
	"context"
	"crypto/rand"
	"crypto/sha1"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/url"
	"strings"
	"sync"
	"time"

	"github.com/bluele/gcache"
	oidc "github.com/coreos/go-oidc"
	"github.com/rs/xid"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/usertokens/common"
	"golang.org/x/oauth2"
)

var (
	// We maintain two caches. The first maintains the set of states that
	// we issue the redirect requests with. This helps us validate the
	// callbacks and verify the state to avoid any cross-origin violations.
	// Currently providing 60 seconds for the user to authenticate.
	stateCache gcache.Cache
	// The second cache will maintain the validations of the tokens so that
	// we don't go to the authorizer for every request.
	tokenCache gcache.Cache
)

// clientData is the state maintained for a client to improve response
// times and hold the refresh tokens.
type clientData struct {
	attributes  []string
	tokenSource oauth2.TokenSource
	expiry      time.Time
	sync.Mutex
}

// TokenVerifier is an OIDC validator.
type TokenVerifier struct {
	ProviderURL    string
	ClientID       string
	ClientSecret   string
	Scopes         []string
	RedirectURL    string
	NonceSize      int
	CookieDuration time.Duration
	clientConfig   *oauth2.Config
	oauthVerifier  *oidc.IDTokenVerifier
	googleHack     bool
}

// NewClient creates a new validator client
func NewClient(ctx context.Context, v *TokenVerifier) (*TokenVerifier, error) {
	// Initialize caches only once if they are nil.
	if stateCache == nil {
		stateCache = gcache.New(2048).LRU().Expiration(120 * time.Second).Build()
	}
	if tokenCache == nil {
		tokenCache = gcache.New(2048).LRU().Build()
	}

	// Create a new generic OIDC provider based on the provider URL.
	// The library will auto-discover the configuration of the provider.
	// If it is not a compliant provider we should report and error here.
	provider, err := oidc.NewProvider(ctx, v.ProviderURL)
	if err != nil {
		return nil, fmt.Errorf("Failed to initialize provider: %s", err)
	}

	oidConfig := &oidc.Config{
		ClientID:          v.ClientID,
		SkipClientIDCheck: true,
	}
	v.oauthVerifier = provider.Verifier(oidConfig)
	scopes := []string{oidc.ScopeOpenID, "profile", "email"}
	for _, scope := range v.Scopes {
		if scope != oidc.ScopeOpenID && scope != "profile" && scope != "email" {
			scopes = append(scopes, scope)
		}
	}

	v.clientConfig = &oauth2.Config{
		ClientID:     v.ClientID,
		ClientSecret: v.ClientSecret,
		Endpoint:     provider.Endpoint(),
		RedirectURL:  v.RedirectURL,
		Scopes:       scopes,
	}

	// Google does not honor the OIDC standard to refresh tokens
	// with a proper scope. Instead it requires a prompt parameter
	// to be passed. In order to deal wit this, we will have to
	// detect Google as the OIDC and pass the parameters.
	if strings.Contains(v.ProviderURL, "accounts.google.com") {
		v.googleHack = true
	}

	return v, nil
}

// IssueRedirect creates the redirect URL. The URI is created by the provider
// and it includes a state that is random. The state will be remembered
// for the return. There is an assumption here that the LBs in front of
// applications are sticky or the TCP session is re-used. Otherwise, we will
// need a global state that could introduce additional calls to a central
// system.
// TODO: add support for a global state.
func (v *TokenVerifier) IssueRedirect(originURL string) string {
	state, err := randomSha1(v.NonceSize)
	if err != nil {
		state = xid.New().String()
	}
	if err := stateCache.Set(state, originURL); err != nil {
		return ""
	}

	redirectURL := v.clientConfig.AuthCodeURL(state, oauth2.AccessTypeOffline)
	if v.googleHack {
		redirectURL = redirectURL + "&prompt=consent"
	}

	return redirectURL
}

// Callback is the function that is called back by the IDP to catch the token
// and perform all other validations. It will return the resulting token,
// the original URL that was called to initiate the protocol, and the
// http status response.
func (v *TokenVerifier) Callback(ctx context.Context, u *url.URL) (string, string, int, error) {

	// We first validate that the callback state matches the original redirect
	// state. We clean up the cache once it is validated. During this process
	// we recover the original URL that initiated the protocol. This allows
	// us to redirect the client to their original request.
	receivedState := u.Query().Get("state")
	originURL, err := stateCache.Get(receivedState)
	if err != nil {
		return "", "", http.StatusBadRequest, fmt.Errorf("bad state")
	}
	stateCache.Remove(receivedState)

	// We exchange the authorization code with an OAUTH token. This is the main
	// step where the OAUTH provider will match the code to the token.
	oauth2Token, err := v.clientConfig.Exchange(ctx, u.Query().Get("code"), oauth2.AccessTypeOffline)
	if err != nil {
		return "", "", http.StatusInternalServerError, fmt.Errorf("bad code: %s", err)
	}

	// We extract the rawID token.
	rawIDToken, ok := oauth2Token.Extra("id_token").(string)
	if !ok {
		return "", "", http.StatusInternalServerError, fmt.Errorf("bad ID")
	}

	if err := tokenCache.SetWithExpire(
		rawIDToken,
		&clientData{
			tokenSource: v.clientConfig.TokenSource(ctx, oauth2Token),
			expiry:      oauth2Token.Expiry,
		},
		time.Until(oauth2Token.Expiry.Add(3600*time.Second)),
	); err != nil {
		return "", "", http.StatusInternalServerError, fmt.Errorf("failed to insert token in the cache: %s", err)
	}

	return rawIDToken, originURL.(string), http.StatusTemporaryRedirect, nil
}

// Validate checks if the token is valid and returns the claims. The validator
// maintains an internal cache with tokens to accelerate performance. If the
// token is not in the cache, it will validate it with the central authorizer.
func (v *TokenVerifier) Validate(ctx context.Context, token string) ([]string, bool, string, error) {

	if len(token) == 0 {
		return []string{}, true, token, fmt.Errorf("invalid token presented")
	}

	var tokenData *clientData

	// If it is not found in the cache initiate a call back process.
	data, err := tokenCache.Get(token)
	if err == nil {
		var ok bool
		tokenData, ok = data.(*clientData)
		if !ok {
			return nil, true, token, fmt.Errorf("internal server error")
		}

		// If the cached token hasn't expired yet, we can just accept it and not
		// go through a whole verification process. Nothing new.
		if tokenData.expiry.After(time.Now()) && len(tokenData.attributes) > 0 {
			return tokenData.attributes, false, token, nil
		}
	} else { // No token in the cache. Let's try to see if it is valid and we can cache it now.
		//
		tokenData = &clientData{}
	}

	// The token has expired. Let's try to refresh it.
	tokenData.Lock()
	defer tokenData.Unlock()

	// If it is the first time we are verifying the token, let's do
	// it now. This is possible if the token was created earlier
	// but we never had a chance to verify it. In this case, the
	// attributes were empty.
	idToken, err := v.oauthVerifier.Verify(ctx, token)
	if err != nil {
		var ok bool
		// Token is expired. Let's try to refresh it if we have something
		// in the cache. If we don't have a refresh token, we reject it
		// and ask the client to validate again.
		if tokenData.tokenSource == nil {
			return []string{}, true, token, fmt.Errorf("no cached data and expired token - request authorization: %s", err)
		}
		refreshedToken, err := tokenData.tokenSource.Token()
		if err != nil {
			return []string{}, true, token, fmt.Errorf("token validation failed and cannot refresh: %s", err)
		}
		token, ok = refreshedToken.Extra("id_token").(string)
		if !ok {
			return []string{}, true, token, fmt.Errorf("failed to find id_token - initiate re-authorization")
		}
		idToken, err = v.oauthVerifier.Verify(ctx, token)
		if err != nil {
			return []string{}, true, token, fmt.Errorf("invalid token derived from refresh - manual authorization is required: %s", err)
		}
	}

	// Get the claims out of the token. Use the standard data structure for
	// this and ignore the other fields. We are only interested on the ID.
	resp := struct {
		IDTokenClaims map[string]interface{} // ID Token payload is just JSON.
	}{map[string]interface{}{}}
	if err := idToken.Claims(&resp.IDTokenClaims); err != nil {
		return []string{}, true, token, fmt.Errorf("unable to process claims: %s", err)
	}

	// Flatten the claims in a generic format.
	attributes := []string{}
	for k, v := range resp.IDTokenClaims {
		attributes = append(attributes, common.FlattenClaim(k, v)...)
	}

	tokenData.attributes = attributes
	tokenData.expiry = idToken.Expiry

	// Cache the token and attributes to avoid multiple validations and update the
	// expiration time.
	if err := tokenCache.SetWithExpire(token, tokenData, time.Until(idToken.Expiry.Add(3600*time.Second))); err != nil {
		return []string{}, false, token, fmt.Errorf("cannot cache token: %s", err)
	}

	return attributes, false, token, nil
}

// VerifierType returns the type of the TokenVerifier.
func (v *TokenVerifier) VerifierType() common.JWTType {
	return common.OIDC
}

func randomSha1(nonceSourceSize int) (string, error) {
	nonceSource := make([]byte, nonceSourceSize)
	if _, err := rand.Read(nonceSource); err != nil {
		return "", err
	}
	sha := sha1.Sum(nonceSource)
	return base64.StdEncoding.EncodeToString(sha[:]), nil
}


================================================
FILE: controller/pkg/usertokens/pkitokens/jwt.go
================================================
package pkitokens

import (
	"context"
	"crypto"
	"fmt"
	"io/ioutil"
	"net/url"

	jwt "github.com/dgrijalva/jwt-go"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/usertokens/common"
)

// PKIJWTVerifier is a generic JWT PKI verifier. It assumes that the tokens have
// been signed by a private key, and it validates them with the provide public key.
// This is a simple and stateless verifier that doesn't depend on central server
// for validating the tokens. The public key is provided out-of-band.
type PKIJWTVerifier struct {
	JWTCertPEM  []byte
	keys        []crypto.PublicKey
	RedirectURL string
}

// NewVerifierFromFile assumes that the input is provided as file path.
func NewVerifierFromFile(jwtcertPath string, redirectURI string, redirectOnFail, redirectOnNoToken bool) (*PKIJWTVerifier, error) {
	jwtCertPEM, err := ioutil.ReadFile(jwtcertPath)
	if err != nil {
		return nil, fmt.Errorf("failed to read JWT signing certificates or public keys from file: %s", err)
	}
	return NewVerifierFromPEM(jwtCertPEM, redirectURI, redirectOnFail, redirectOnNoToken)
}

// NewVerifierFromPEM assumes that the input is a PEM byte array.
func NewVerifierFromPEM(jwtCertPEM []byte, redirectURI string, redirectOnFail, redirectOnNoToken bool) (*PKIJWTVerifier, error) {
	keys, err := parsePublicKeysFromPEM(jwtCertPEM)
	// pay attention to the return format of parsePublicKeysFromPEM
	// when checking for an error here
	if keys == nil && err != nil {
		return nil, fmt.Errorf("failed to read JWT signing certificates or public keys from PEM: %s", err)
	}
	return &PKIJWTVerifier{
		JWTCertPEM:  jwtCertPEM,
		keys:        keys,
		RedirectURL: redirectURI,
	}, nil
}

// NewVerifier creates a new verifier from the provided configuration.
func NewVerifier(v *PKIJWTVerifier) (*PKIJWTVerifier, error) {
	if len(v.JWTCertPEM) == 0 {
		return v, nil
	}
	keys, err := parsePublicKeysFromPEM(v.JWTCertPEM)
	// pay attention to the return format of parsePublicKeysFromPEM
	// when checking for an error here
	if keys == nil && err != nil {
		return nil, fmt.Errorf("failed to parse JWT signing certificates or public keys from PEM: %s", err)
	}
	v.keys = keys
	return v, nil
}

// Validate parses a generic JWT token and flattens the claims in a normalized form. It
// assumes that any of the JWT signing certs or public keys will validate the token.
func (j *PKIJWTVerifier) Validate(ctx context.Context, tokenString string) ([]string, bool, string, error) {
	if len(tokenString) == 0 {
		return []string{}, false, tokenString, fmt.Errorf("Empty token")
	}
	if len(j.keys) == 0 {
		return []string{}, false, tokenString, fmt.Errorf("No public keys loaded into verifier")
	}

	// iterate over all public keys that we have and try to validate the token
	// the first one to succeed will be used
	var errs []error
	for _, key := range j.keys {
		claims := &jwt.MapClaims{}
		token, err := jwt.ParseWithClaims(tokenString, claims, func(token *jwt.Token) (interface{}, error) {
			switch token.Method.(type) {
			case *jwt.SigningMethodECDSA:
				if isECDSAPublicKey(key) {
					return key, nil
				}
			case *jwt.SigningMethodRSA:
				if isRSAPublicKey(key) {
					return key, nil
				}
			default:
				return nil, fmt.Errorf("unsupported signing method '%T'", token.Method)
			}
			return nil, fmt.Errorf("signing method '%T' and public key type '%T' mismatch", token.Method, key)
		})

		// cover all error cases after parsing/verifying
		if err != nil {
			errs = append(errs, err)
			continue
		}
		if token == nil {
			errs = append(errs, fmt.Errorf("no token was parsed"))
			continue
		}
		if !token.Valid {
			errs = append(errs, fmt.Errorf("token failed to verify against public key"))
			continue
		}

		// return successful on match/verification with the first key
		attributes := []string{}
		for k, v := range *claims {
			attributes = append(attributes, common.FlattenClaim(k, v)...)
		}
		return attributes, false, tokenString, nil
	}

	// generate a detailed error
	var detailedError string
	for i, err := range errs {
		detailedError += err.Error()
		if i+1 < len(errs) {
			detailedError += "; "
		}
	}
	return []string{}, false, tokenString, fmt.Errorf("Invalid token - errors: [%s]", detailedError)
}

// VerifierType returns the type of the verifier.
func (j *PKIJWTVerifier) VerifierType() common.JWTType {
	return common.PKI
}

// Callback is called by an IDP. Not implemented here. No central authorizer for the tokens.
func (j *PKIJWTVerifier) Callback(ctx context.Context, u *url.URL) (string, string, int, error) {
	return "", "", 0, nil
}

// IssueRedirect issues a redirect. Not implemented. There is no need for a redirect.
func (j *PKIJWTVerifier) IssueRedirect(originURL string) string {
	return ""
}


================================================
FILE: controller/pkg/usertokens/pkitokens/jwt_test.go
================================================
// +build !windows

package pkitokens

import (
	"context"
	"crypto"
	"testing"

	. "github.com/smartystreets/goconvey/convey"
)

func TestPKIVerifierValidate(t *testing.T) {

	ctx := context.TODO()
	pemBytes := []byte(`
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyjDEPJD1Fv1IJIq4mnec
oMlSve0vZOTuzDmKuMB4vfBXalKZgbp4ONL+BvWV9OPs22Smv9SAfnoQ25q8Q9so
ihzUKhaIAY2CI70ll4exbLK9FD4uTi1bqn0FdIh04UIyW6s2EqTGMkSKx9THNvAM
Kx++pPt3US2sQVEC24bWPxRN7RsBBpRjoiEamkA04ioGFhMBbas5MdCLt/fd92aR
QCBISOb6PU08fQiARK8g/wdpBUTxy9/Ud1vUnNaZtWm+eLrwdTXgHM3/LG1M4lc0
ZqHIL3rMxhae5W+j3SL3ApreiUYugv/0bCSypvJZjEXKS7SBR/+rtw0/mQpS8DpI
kwIDAQAB
-----END PUBLIC KEY-----
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEnlK01BDTYbvRBxGM0o3vXNqqvI25
eZ/s3Cq9OXnNpoCI3/DH/tuD3n7cnWcNSfl1qJIH2LVZ0cWUW/L/9i/jPA==
-----END PUBLIC KEY-----
	`)

	// Here are the private keys in case you want to regenerate a new token:
	//
	// -----BEGIN RSA PRIVATE KEY-----
	// MIIEpAIBAAKCAQEAyjDEPJD1Fv1IJIq4mnecoMlSve0vZOTuzDmKuMB4vfBXalKZ
	// gbp4ONL+BvWV9OPs22Smv9SAfnoQ25q8Q9soihzUKhaIAY2CI70ll4exbLK9FD4u
	// Ti1bqn0FdIh04UIyW6s2EqTGMkSKx9THNvAMKx++pPt3US2sQVEC24bWPxRN7RsB
	// BpRjoiEamkA04ioGFhMBbas5MdCLt/fd92aRQCBISOb6PU08fQiARK8g/wdpBUTx
	// y9/Ud1vUnNaZtWm+eLrwdTXgHM3/LG1M4lc0ZqHIL3rMxhae5W+j3SL3ApreiUYu
	// gv/0bCSypvJZjEXKS7SBR/+rtw0/mQpS8DpIkwIDAQABAoIBAQCWkraxfCpp0nn1
	// bLGJp2Ynf4Z1Frvi4XLM+FVMvVmt6dzPu2/CYsHBX6/6Ms5YL51mzZA47+I5TmJb
	// iOKHjiCkqk9+gIUM0vuF7giezljdYEbbWmtVoQXQ84YqgKy6THgAOILuY3OOX+kS
	// ZG1vhlkpjFyHtRXoiKDti40bO1E2a2+O/vpD417hZrezzb97JQ4Cw417jRs3+dpc
	// BaVutFUiIm5HFeVdD0/hqwnYMPeoxxxdj4kiuzI2FZOexPufq9MSrSI0RMnegRGL
	// 8fgg4ZhVuEONtA8eXFI8EpIEhaKOq9CPZuImyKh+Vx4pwcT7NVld70ohqhQaEVqs
	// 6QblHf6hAoGBAOqimWdjGY6PKT6ipF9/6CsNnAAyyG1IRWSLweVDK36DkIxzTKGU
	// fk2uXFw6GlAKu1J0lTfQjxtKoYVljUHjUvfvW9KE/GyuW6eWTxUIrvmpvpcyAV6H
	// gHkt8/A+l8sQS3oMiLJ14c8/W5d4YdB/VBLQHsOi8I5EOGsO7a52fETLAoGBANyZ
	// 3+nq/tyk6hGk+lNJSXnkURydbkONCFhU92iwPC+f/4ILcHdBVjwLOAYa/qUzHvEE
	// H+MtMiuGbDrnjjCytvjmIKmMnJ30BHbXwn0dV+hes1O0EwHoIGtvQyWVH/6zB4ar
	// YkhK9IBtOxfs3ORVeVBoHx/Mq40BAGzGxQQopVpZAoGAScFtCWPMb9SuuWK02tRB
	// Le9sP1+3Qyr5rT6FZ8TykiVXNd80koI0JcUOgWs+RDTrZ2MAWPg1U/XkyiL/AVwt
	// A4T5TzbAhoVUiFymZU1Ce3aRU8PDTGy5xN3eFYIHgyyPHUF9YuPNZLFc4ENWNA0i
	// Z3uGgCbjCUWGmpipvDLAo3sCgYApQEDlvgLAgbofaIlCz76Eo5QjVLEMwq+fzOui
	// 0OnAQhwGVltGgZo9ih+EzMF3ZNLRYOMRmR77kpxke25UXubmLipHajrTMpEvI/OD
	// b9xDYIoKCe9P+Pcu/9Q/j942w4WRwjSTriiAZ2yYcbtwmycfSQkg6iXeLSTGMnke
	// 6PbaqQKBgQDGNwOgdHtMdHyy2kDMLdGKCysEo2eBNAxdRqjGxmsjm6bsd4xyLxS2
	// lkf7v3e9vE24HfBbwMoW4sx1eEDbFc4pai4l4vG3dpbrd3CJa5mpvL3mxGnTlPUy
	// 1PopL5pyjSZ6bcRETolZNM4L8X4jgfwHl3Lvc5jBgQW0PCAVtBVp8g==
	// -----END RSA PRIVATE KEY-----
	//
	// -----BEGIN EC PRIVATE KEY-----
	// MHcCAQEEIBP/5KHpYJ1GwqdOUOCu4+264KP4loONT+9QIzNJwVGjoAoGCCqGSM49
	// AwEHoUQDQgAEnlK01BDTYbvRBxGM0o3vXNqqvI25eZ/s3Cq9OXnNpoCI3/DH/tuD
	// 3n7cnWcNSfl1qJIH2LVZ0cWUW/L/9i/jPA==
	// -----END EC PRIVATE KEY-----
	//
	// And here is the payload data:
	//
	// {
	// 	"sub": "Adam",
	// 	"name": "Eve",
	// 	"admin": true,
	// 	"iat": 1516239022
	// }
	//
	// Go to https://jwt.io/ and
	// - select the right algorithm (RS256 / ES256)
	// - fill in the public key
	// - fill in the private key
	// - ensure the token is still valid (shows Signature Verified)
	// - copy the new token from the encoded section
	//
	validTokenRS256 := "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJBZGFtIiwibmFtZSI6IkV2ZSIsImFkbWluIjp0cnVlLCJpYXQiOjE1MTYyMzkwMjJ9.WHDAmZzmX50GRSXTvB0MqQl2gFHFrQav-v6V2MdbqGXvmBZXus9Bl965Uuqs8uxdJzDad8Is05kC77iHElTasgQZqLwSTN5-WXpZFsW_EOGVcy0puDgREm2QcD8pQeagy6KxwDs0BAQIWwPSfjTCn05w-CRKveo1t0TsKUSMiZltebaZOtAr9etOAwBHIy7QzexrhIzlG6-7fqMbpsNZ8DbanUBc2fiL6Ogs461TQixBDHoRw2HjykGoPRvH3sy8bSRX5l1olBkRb4kic7xSKhiU_YlvmBo9ybC81TRGUtQZl87aLcnv4foDLtFvNAwTyTxfikt2Ka1peKJNgk82Dw"
	validTokenES256 := "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJBZGFtIiwibmFtZSI6IkV2ZSIsImFkbWluIjp0cnVlLCJpYXQiOjE1MTYyMzkwMjJ9.V9HGK6yEZBbjgEsyhQeU6i0Io1KZaCMVgSC0u6fQTRd2TX4Ac-FSDnf44s89PPm8RCHqBATJdJMspIQM66y9Hw"

	// currently unsupported algorithm PS256
	unsupportedTokenPS256 := "eyJhbGciOiJQUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.P9_X1ctIxnnoUpKSWpYw3rF62e-d8LXe3sETuLn4Lhigw5OQhi-mBBKoBMneHy4kimS84zxnMby0FYo9wKM3I3pEg8Qrz0Q00tNhKCwOnZ7Q-e86sW1luK1z82tufF-sZ9_BY_LGQsym0lQmQaHFzLmEDXnOzWsjUThHGVJTI64"

	// supported algorithm but signed with a different key
	invalidTokenRS256 := "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.TCYt5XsITJX1CxPCT8yAV-TVkIEq_PbChOMqsLfRoPsnsgw5WEuts01mq-pQy7UJiN5mgRxD-WUcX16dUEMGlv50aqzpqh4Qktb3rk-BuQy72IFLOqV0G_zS245-kronKb78cPN25DGlcTwLtjPAYuNzVBAh4vGHSrQyHUdBBPM"

	Convey("Given a valid PEM", t, func() {

		Convey("it should create a new verifier successfully using NewVerifier()", func() {
			verifier, err := NewVerifier(&PKIJWTVerifier{
				JWTCertPEM: pemBytes,
			})
			So(err, ShouldBeNil)
			So(verifier, ShouldNotBeNil)
			So(len(verifier.keys), ShouldEqual, 2)
		})

		Convey("it should create a new verifier successfully using NewVerifierFromPEM()", func() {
			verifier, err := NewVerifierFromPEM(pemBytes, "", false, false)
			So(err, ShouldBeNil)
			So(verifier, ShouldNotBeNil)
			So(len(verifier.keys), ShouldEqual, 2)
		})
	})

	Convey("Given a verifier with no loaded public keys", t, func() {
		verifier := &PKIJWTVerifier{
			JWTCertPEM: pemBytes,
			keys:       []crypto.PublicKey{},
		}

		Convey("it should fail to validate", func() {
			token := "not empty token"
			_, _, _, err := verifier.Validate(ctx, token)
			So(err, ShouldNotBeNil)
			So(err.Error(), ShouldEqual, "No public keys loaded into verifier")
		})
	})

	Convey("Given a valid verifier", t, func() {
		verifier, err := NewVerifierFromPEM(pemBytes, "", false, false)
		So(verifier, ShouldNotBeNil)
		So(err, ShouldBeNil)
		So(len(verifier.keys), ShouldEqual, 2)

		Convey("it should fail to validate an empty token", func() {
			token := ""
			_, _, _, err := verifier.Validate(ctx, token)
			So(err, ShouldNotBeNil)
			So(err.Error(), ShouldEqual, "Empty token")
		})

		Convey("it should validate a valid RS256 token successfully", func() {
			token := validTokenRS256
			attributes, _, _, err := verifier.Validate(ctx, token)
			So(err, ShouldBeNil)
			So(len(attributes), ShouldBeGreaterThan, 0)
			So(attributes, ShouldContain, "sub=Adam")
			So(attributes, ShouldContain, "name=Eve")
		})

		Convey("it should validate a valid ES256 token successfully", func() {
			token := validTokenES256
			attributes, _, _, err := verifier.Validate(ctx, token)
			So(err, ShouldBeNil)
			So(len(attributes), ShouldBeGreaterThan, 0)
			So(attributes, ShouldContain, "sub=Adam")
			So(attributes, ShouldContain, "name=Eve")
		})

		Convey("it should fail to validate a token signed with an unsupported algorithm", func() {
			token := unsupportedTokenPS256
			_, _, _, err := verifier.Validate(ctx, token)
			So(err, ShouldNotBeNil)
			So(err.Error(), ShouldEqual, "Invalid token - errors: [unsupported signing method '*jwt.SigningMethodRSAPSS'; unsupported signing method '*jwt.SigningMethodRSAPSS']")
		})

		Convey("it should fail to validate a token signed with an unexpected key", func() {
			token := invalidTokenRS256
			_, _, _, err := verifier.Validate(ctx, token)
			So(err, ShouldNotBeNil)
			So(err.Error(), ShouldEqual, "Invalid token - errors: [crypto/rsa: verification error; signing method '*jwt.SigningMethodRSA' and public key type '*ecdsa.PublicKey' mismatch]")
		})
	})
}


================================================
FILE: controller/pkg/usertokens/pkitokens/publickeys.go
================================================
package pkitokens

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"fmt"
)

// parsePublicKeysFromPEM reads all public keys from PEMs that are either
// in a "PUBLIC KEY", "RSA PUBLIC KEY" or "CERTIFICATE" type PEM and
// returns them in an array. Only RSA and ECDSA keys are taken into account.
// NOTE: pay attention to the special return logic!
//
// The return logic is as follows:
// if no keys could be found or parsed: nil, err
// if no errors were found at all: keys, nil
// if some keys could be parsed, but others failed: keys, err
//
func parsePublicKeysFromPEM(bytesPEM []byte) ([]crypto.PublicKey, error) {
	keys := make([]crypto.PublicKey, 0, 1)
	rest := bytesPEM
	var errs []error
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break
		}
		switch block.Type {
		case "CERTIFICATE":
			cert, err := x509.ParseCertificate(block.Bytes)
			if err != nil {
				errs = append(errs, err)
				continue
			}
			if !isSupportedPublicKeyType(cert.PublicKey) {
				errs = append(errs, fmt.Errorf("unsupported key type %T", cert.PublicKey))
				continue
			}
			keys = append(keys, cert.PublicKey)
		case "PUBLIC KEY":
			pub, err := x509.ParsePKIXPublicKey(block.Bytes)
			if err != nil {
				errs = append(errs, err)
				continue
			}
			if !isSupportedPublicKeyType(pub) {
				errs = append(errs, fmt.Errorf("unsupported key type %T", pub))
				continue
			}
			keys = append(keys, pub)
		case "RSA PUBLIC KEY":
			pub, err := x509.ParsePKCS1PublicKey(block.Bytes)
			if err != nil {
				errs = append(errs, err)
				continue
			}
			if !isSupportedPublicKeyType(pub) {
				errs = append(errs, fmt.Errorf("unsupported key type %T", pub))
				continue
			}
			keys = append(keys, pub)
		default:
			// invalid type, read the next entry
			errs = append(errs, fmt.Errorf("unsupported PEM type %s", block.Type))
			continue
		}
	}

	// create detailed error
	var detailedErrors string
	for i, err := range errs {
		detailedErrors += err.Error()
		if i+1 < len(errs) {
			detailedErrors += "; "
		}
	}

	// if no keys at all were found, be specific about this
	if len(keys) == 0 {
		return nil, fmt.Errorf("no valid certificates or public keys found (errors: [%s])", detailedErrors)
	}

	// if some errors were encountered, but we have some keys, return both
	if len(keys) > 0 && len(errs) > 0 {
		return keys, fmt.Errorf("[%s]", detailedErrors)
	}

	// if all went well, return keys, but no error
	return keys, nil
}

// isSupportedPublicKeyType returns true if `key` is an RSA or ECDSA public key
func isSupportedPublicKeyType(key crypto.PublicKey) bool {
	return isRSAPublicKey(key) || isECDSAPublicKey(key)
}

func isRSAPublicKey(key crypto.PublicKey) bool {
	_, ok := key.(*rsa.PublicKey)
	return ok
}

func isECDSAPublicKey(key crypto.PublicKey) bool {
	_, ok := key.(*ecdsa.PublicKey)
	return ok
}


================================================
FILE: controller/pkg/usertokens/pkitokens/publickeys_test.go
================================================
// +build !windows

package pkitokens

import (
	"crypto/ecdsa"
	"crypto/rsa"
	"testing"

	. "github.com/smartystreets/goconvey/convey"
)

func TestParsePublicKeysFromPEM(t *testing.T) {

	Convey("Given a PEM with a PKIX RSA public key, a PKCS#1 RSA public key and an X509 certificate", t, func() {
		pemBytes := []byte(`
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyjDEPJD1Fv1IJIq4mnec
oMlSve0vZOTuzDmKuMB4vfBXalKZgbp4ONL+BvWV9OPs22Smv9SAfnoQ25q8Q9so
ihzUKhaIAY2CI70ll4exbLK9FD4uTi1bqn0FdIh04UIyW6s2EqTGMkSKx9THNvAM
Kx++pPt3US2sQVEC24bWPxRN7RsBBpRjoiEamkA04ioGFhMBbas5MdCLt/fd92aR
QCBISOb6PU08fQiARK8g/wdpBUTxy9/Ud1vUnNaZtWm+eLrwdTXgHM3/LG1M4lc0
ZqHIL3rMxhae5W+j3SL3ApreiUYugv/0bCSypvJZjEXKS7SBR/+rtw0/mQpS8DpI
kwIDAQAB
-----END PUBLIC KEY-----
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAyjDEPJD1Fv1IJIq4mnecoMlSve0vZOTuzDmKuMB4vfBXalKZgbp4
ONL+BvWV9OPs22Smv9SAfnoQ25q8Q9soihzUKhaIAY2CI70ll4exbLK9FD4uTi1b
qn0FdIh04UIyW6s2EqTGMkSKx9THNvAMKx++pPt3US2sQVEC24bWPxRN7RsBBpRj
oiEamkA04ioGFhMBbas5MdCLt/fd92aRQCBISOb6PU08fQiARK8g/wdpBUTxy9/U
d1vUnNaZtWm+eLrwdTXgHM3/LG1M4lc0ZqHIL3rMxhae5W+j3SL3ApreiUYugv/0
bCSypvJZjEXKS7SBR/+rtw0/mQpS8DpIkwIDAQAB
-----END RSA PUBLIC KEY-----
-----BEGIN CERTIFICATE-----
MIIDazCCAlOgAwIBAgIUTBdVdOoTt+z1c+25X1WdKLEqc/IwDQYJKoZIhvcNAQEL
BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0xOTAxMzEwNTE4MDVaFw0yOTAx
MjgwNTE4MDVaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQDKMMQ8kPUW/Ugkiriad5ygyVK97S9k5O7MOYq4wHi9
8FdqUpmBung40v4G9ZX04+zbZKa/1IB+ehDbmrxD2yiKHNQqFogBjYIjvSWXh7Fs
sr0UPi5OLVuqfQV0iHThQjJbqzYSpMYyRIrH1Mc28AwrH76k+3dRLaxBUQLbhtY/
FE3tGwEGlGOiIRqaQDTiKgYWEwFtqzkx0Iu39933ZpFAIEhI5vo9TTx9CIBEryD/
B2kFRPHL39R3W9Sc1pm1ab54uvB1NeAczf8sbUziVzRmocgveszGFp7lb6PdIvcC
mt6JRi6C//RsJLKm8lmMRcpLtIFH/6u3DT+ZClLwOkiTAgMBAAGjUzBRMB0GA1Ud
DgQWBBRzt5Gi91WRLBU1PRlo/wCC44DNnzAfBgNVHSMEGDAWgBRzt5Gi91WRLBU1
PRlo/wCC44DNnzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAv
+NayVYU//8QX2TIQ5CcH/3iOCOa9Qx4KHYtyv+/ElBm2WaWRbJiy470D/I2tjkO0
J4a0kihMKEkwAVUvskbM+PjTcrgaE205YO/Pyn00s0Xt3yBp2Cf6rmcNtda4hqCs
ZNhCEXxAXbLxGb5oXd+Wis/tzpBNYrw9x9r3Axr9U2pW+sSzXsUqRdBvaHpywIRq
6FnpawXPJMIOaMohmWAPYnmqILUs0CslzmXQypayslAFC2adr1NQPwZw0FJ3UIQM
AyfixuFuZbOVlwm/zJqX0G0NbitPybGV5XneC89OF90H0zfv47Us0akzyY6yGLp/
+3ASkOBz0ypQ6pgZK/kj
-----END CERTIFICATE-----
		`)

		Convey("then parsePublicKeysFromPEM should return 3 public keys", func() {
			keys, err := parsePublicKeysFromPEM(pemBytes)
			So(err, ShouldBeNil)
			So(len(keys), ShouldEqual, 3)
		})
	})

	Convey("Given a PEM with an RSA private key and a DSA public key", t, func() {
		pemBytes := []byte(`
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAyjDEPJD1Fv1IJIq4mnecoMlSve0vZOTuzDmKuMB4vfBXalKZ
gbp4ONL+BvWV9OPs22Smv9SAfnoQ25q8Q9soihzUKhaIAY2CI70ll4exbLK9FD4u
Ti1bqn0FdIh04UIyW6s2EqTGMkSKx9THNvAMKx++pPt3US2sQVEC24bWPxRN7RsB
BpRjoiEamkA04ioGFhMBbas5MdCLt/fd92aRQCBISOb6PU08fQiARK8g/wdpBUTx
y9/Ud1vUnNaZtWm+eLrwdTXgHM3/LG1M4lc0ZqHIL3rMxhae5W+j3SL3ApreiUYu
gv/0bCSypvJZjEXKS7SBR/+rtw0/mQpS8DpIkwIDAQABAoIBAQCWkraxfCpp0nn1
bLGJp2Ynf4Z1Frvi4XLM+FVMvVmt6dzPu2/CYsHBX6/6Ms5YL51mzZA47+I5TmJb
iOKHjiCkqk9+gIUM0vuF7giezljdYEbbWmtVoQXQ84YqgKy6THgAOILuY3OOX+kS
ZG1vhlkpjFyHtRXoiKDti40bO1E2a2+O/vpD417hZrezzb97JQ4Cw417jRs3+dpc
BaVutFUiIm5HFeVdD0/hqwnYMPeoxxxdj4kiuzI2FZOexPufq9MSrSI0RMnegRGL
8fgg4ZhVuEONtA8eXFI8EpIEhaKOq9CPZuImyKh+Vx4pwcT7NVld70ohqhQaEVqs
6QblHf6hAoGBAOqimWdjGY6PKT6ipF9/6CsNnAAyyG1IRWSLweVDK36DkIxzTKGU
fk2uXFw6GlAKu1J0lTfQjxtKoYVljUHjUvfvW9KE/GyuW6eWTxUIrvmpvpcyAV6H
gHkt8/A+l8sQS3oMiLJ14c8/W5d4YdB/VBLQHsOi8I5EOGsO7a52fETLAoGBANyZ
3+nq/tyk6hGk+lNJSXnkURydbkONCFhU92iwPC+f/4ILcHdBVjwLOAYa/qUzHvEE
H+MtMiuGbDrnjjCytvjmIKmMnJ30BHbXwn0dV+hes1O0EwHoIGtvQyWVH/6zB4ar
YkhK9IBtOxfs3ORVeVBoHx/Mq40BAGzGxQQopVpZAoGAScFtCWPMb9SuuWK02tRB
Le9sP1+3Qyr5rT6FZ8TykiVXNd80koI0JcUOgWs+RDTrZ2MAWPg1U/XkyiL/AVwt
A4T5TzbAhoVUiFymZU1Ce3aRU8PDTGy5xN3eFYIHgyyPHUF9YuPNZLFc4ENWNA0i
Z3uGgCbjCUWGmpipvDLAo3sCgYApQEDlvgLAgbofaIlCz76Eo5QjVLEMwq+fzOui
0OnAQhwGVltGgZo9ih+EzMF3ZNLRYOMRmR77kpxke25UXubmLipHajrTMpEvI/OD
b9xDYIoKCe9P+Pcu/9Q/j942w4WRwjSTriiAZ2yYcbtwmycfSQkg6iXeLSTGMnke
6PbaqQKBgQDGNwOgdHtMdHyy2kDMLdGKCysEo2eBNAxdRqjGxmsjm6bsd4xyLxS2
lkf7v3e9vE24HfBbwMoW4sx1eEDbFc4pai4l4vG3dpbrd3CJa5mpvL3mxGnTlPUy
1PopL5pyjSZ6bcRETolZNM4L8X4jgfwHl3Lvc5jBgQW0PCAVtBVp8g==
-----END RSA PRIVATE KEY-----
		`)

		Convey("then parsePublicKeysFromPEM should return with an error", func() {
			keys, err := parsePublicKeysFromPEM(pemBytes)
			So(keys, ShouldBeNil)
			So(err, ShouldNotBeNil)
			So(err.Error(), ShouldEqual, "no valid certificates or public keys found (errors: [unsupported PEM type RSA PRIVATE KEY])")
		})
	})

	Convey("Given a PEM with a valid ECDSA and RSA public key, and a DSA public key and an invalid PKCS#1 RSA public key", t, func() {
		pemBytes := []byte(`
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEnlK01BDTYbvRBxGM0o3vXNqqvI25
eZ/s3Cq9OXnNpoCI3/DH/tuD3n7cnWcNSfl1qJIH2LVZ0cWUW/L/9i/jPA==
-----END PUBLIC KEY-----
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyjDEPJD1Fv1IJIq4mnec
oMlSve0vZOTuzDmKuMB4vfBXalKZgbp4ONL+BvWV9OPs22Smv9SAfnoQ25q8Q9so
ihzUKhaIAY2CI70ll4exbLK9FD4uTi1bqn0FdIh04UIyW6s2EqTGMkSKx9THNvAM
Kx++pPt3US2sQVEC24bWPxRN7RsBBpRjoiEamkA04ioGFhMBbas5MdCLt/fd92aR
QCBISOb6PU08fQiARK8g/wdpBUTxy9/Ud1vUnNaZtWm+eLrwdTXgHM3/LG1M4lc0
ZqHIL3rMxhae5W+j3SL3ApreiUYugv/0bCSypvJZjEXKS7SBR/+rtw0/mQpS8DpI
kwIDAQAB
-----END PUBLIC KEY-----
-----BEGIN PUBLIC KEY-----
MIIDSDCCAjoGByqGSM44BAEwggItAoIBAQCsVBV4gVV/zdmxWu8cU95vxY5D2RVG
n6r56BOmnBF6beLZJKIK17FsurubePRfhLiVSk/RIA3aECPe8kRdRYAR23daCptw
THaZMZ0s2mNQfJEc6sXCE3/EVlPPEZqvm7RilYxb1PNZY55X7EzMhhBc1zRiSQck
Va8qDHP98vvZjd4G9W+aF2UOMQko9iN6hTjFkUgmNhqIHS3UAoANQ3y2sYHXZZuq
EP9EKk8EQ5wv4w73eFJXj84pN6L3VvhLjq1Akjk/gl2p7w8cCdXzcfKBD7qXQZZr
Qt4Pmz/BQu6wr4QBX3FiIghUZULlnCjhFNIrXTYbOskK/XGg62aV7Qn5AiEA6hP4
cBgclv0kO5Qyg3qLVwMWOO1e4opX6EbqmK+kXysCggEBAIF77NYg4ttsGG2OiIs2
yVBsV4w7EORIC+lG2+ZzVRSHm3QtNPeLoN6PwDtagpER2pUyjpXuxOcgE47hSUCQ
RpSjXGtj22WbKjXZ2p8mkTScFvA2btgR+O4Nx0f0eShCz1fkrt8BaKRumzrzgoNI
mcAuVOVqLLl4VkOXwsGvuH5cBVhW1sNKDc3VMYTsh34MDSJJEutFZeCokYwd6wo2
pYVdXsDmc7uhPRK3YhtBV3lrXIehNlIukyO7li+wKU7SLyneBY/huBzYrw1JBDWK
1CHqRDJm38yzpEOKhu3gefR+j1BZqev9O2tsbFJe3F/cYV1hDWR8jsZz+gfDUXja
z9oDggEGAAKCAQEAoIbxish+OZADAwMJRP8nGYVIfSkWBXvC96nfQG4tZtqB4Z14
cjOyChnMuHlQnDIWYhVVmDiIHJFGtsHUb8iPGqbpGeEmScWG4HsSnsNAK/dOKVTE
OxGaq/3+Lisg8uyTqzAR5W5OdFlCw3qhzYG6G7kHNxGicN5qLQILTQeHIJiuioiE
oDhpga7IB8pGNsXHpO40KeFe2BaZBpKnCQUF32kMnEFP9AqYnZ/io2vhCViee+O3
A5/Wjke753qo+HUPj7C41wUwvXbXNfkGpXE4nyJZb37Ed+IMQu3sE/X6A2Vgbl+F
2mpfWPo/ZC23fGe4ExyTKsD+hRIP2LlxhWI1xw==
-----END PUBLIC KEY-----
-----BEGIN RSA PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyjDEPJD1Fv1IJIq4mnec
oMlSve0vZOTuzDmKuMB4vfBXalKZgbp4ONL+BvWV9OPs22Smv9SAfnoQ25q8Q9so
ihzUKhaIAY2CI70ll4exbLK9FD4uTi1bqn0FdIh04UIyW6s2EqTGMkSKx9THNvAM
Kx++pPt3US2sQVEC24bWPxRN7RsBBpRjoiEamkA04ioGFhMBbas5MdCLt/fd92aR
QCBISOb6PU08fQiARK8g/wdpBUTxy9/Ud1vUnNaZtWm+eLrwdTXgHM3/LG1M4lc0
ZqHIL3rMxhae5W+j3SL3ApreiUYugv/0bCSypvJZjEXKS7SBR/+rtw0/mQpS8DpI
kwIDAQAB
-----END RSA PUBLIC KEY-----
		`)

		Convey("then parsePublicKeysFromPEM should return with an error", func() {
			keys, err := parsePublicKeysFromPEM(pemBytes)
			So(keys, ShouldNotBeNil)
			So(err, ShouldNotBeNil)
			So(len(keys), ShouldEqual, 2)
			So(err.Error(), ShouldEqual, "[unsupported key type *dsa.PublicKey; x509: failed to parse public key (use ParsePKIXPublicKey instead for this key format)]")
			So(keys[0], ShouldHaveSameTypeAs, &ecdsa.PublicKey{})
			So(keys[1], ShouldHaveSameTypeAs, &rsa.PublicKey{})
		})
	})
}


================================================
FILE: controller/pkg/usertokens/usertokens.go
================================================
package usertokens

import (
	"context"
	"fmt"
	"net/url"

	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/usertokens/common"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/usertokens/oidc"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/usertokens/pkitokens"

	"go.uber.org/zap"
)

// Verifier is a generic JWT verifier interface. Different implementations
// will use different client libraries to verify the tokens. Currently
// requires only one method. Given a token, return the claims and whether
// there is a verification error.
type Verifier interface {
	VerifierType() common.JWTType
	Validate(ctx context.Context, token string) ([]string, bool, string, error)
	Callback(ctx context.Context, u *url.URL) (string, string, int, error)
	IssueRedirect(string) string
}

// NewVerifier initializes data structures based on the interface that
// is transmitted over the RPC between main and remote enforcers.
func NewVerifier(ctx context.Context, v Verifier) (Verifier, error) {
	if v == nil {
		return nil, nil
	}
	switch v.VerifierType() {
	case common.PKI:
		p := v.(*pkitokens.PKIJWTVerifier)
		v, err := pkitokens.NewVerifier(p)
		if err != nil {
			return nil, err
		}
		return v, nil
	case common.OIDC:
		p := v.(*oidc.TokenVerifier)
		verifier, err := oidc.NewClient(ctx, p)
		if err != nil {
			zap.L().Debug("usertokens: oidc.NewClient() failed", zap.Error(err))
			return nil, err
		}
		return verifier, nil
	}
	return nil, fmt.Errorf("unknown verifier type")
}


================================================
FILE: controller/runtime/runtime.go
================================================
package runtime

import "go.aporeto.io/enforcerd/trireme-lib/controller/constants"

// Configuration is configuration parameters that can be safely updated
// for the controller after it is started
type Configuration struct {
	// TCPTargetNetworks is the set of networks that host Trireme.
	TCPTargetNetworks []string
	// UDPTargetNetworks is the set of UDP networks that host Trireme.
	UDPTargetNetworks []string
	// ExcludedNetworks is the list of networks that must be excxluded from any enforcement.
	ExcludedNetworks []string
	// LogLevel sets loglevel.
	LogLevel constants.LogLevel
}

// DeepCopy copies the configuration and avoids locking issues.
func (c *Configuration) DeepCopy() *Configuration {
	return &Configuration{
		TCPTargetNetworks: append([]string{}, c.TCPTargetNetworks...),
		UDPTargetNetworks: append([]string{}, c.UDPTargetNetworks...),
		ExcludedNetworks:  append([]string{}, c.ExcludedNetworks...),
		LogLevel:          c.LogLevel,
	}
}


================================================
FILE: doc.go
================================================
// Package trireme needs to be documented here for godoc.
package trireme


================================================
FILE: docs/README.md
================================================
# Documentation and Configuration Examples


1. [Secure application segmentation](secure-application_segmentation.md) : Goes over the key ideas behind Trireme security and segmentation concepts.
1. [Trireme Architecture](trireme_architecture.md) : Describes the general Trireme architecture.
1. [Trireme and Linux Processes](linux_processes.md) : Using Trireme with Linux processes. 
1. [Policy Design](policy_design.md) : Describes how to create your own Trireme policies.


================================================
FILE: docs/docker_host_networks.md
================================================
# Docker Host Networks and Trireme

Docker and most other container systems have several options for networking.
In most cases, people will choose to use bridge networks or some overlay.
However, for some particular use cases, there is a need for direct access to
a container to the host network. For example, Consul has a use case of
exposing a DNS server using host networks. The RedHat OpenShift router or
several ingress implementations in Kubernetes instantiate the ingress proxy
on a host network so that they can fix its IP address.
(see https://docs.docker.com/engine/userguide/networking/
or
https://docs.openshift.com/enterprise/3.0/install_config/install/deploy_router.html
for some examples).

In general exposing a container directly on the host network poses some
challenges from a security perspective. The container is essentially
attached to the host namespace and can freely interact with any endpoint
with which the host network can communicate. This situation can be
especially dangerous for an ingress proxy that is exposed to the Internet.
Even a non-privileged container with host network access can create a
security vulnerability.

Trireme de-couples security from networking and since it treats containers
and Linux processes as equal, it can give you some additional protections
when your implementation requires access to the host network. Essentially
with Trireme, you can still isolate the container from a networking
perspective, even though it uses the same IP address and ports as your host.

## TL;DR Show me how
To illustrate how to use Trireme with Docker host networks, we will use the
 Trireme example with default settings.
1.	Download and build trireme-example from 
https://go.aporeto.io/trireme-example 
Follow the instructions in the Readme file and make sure all the
dependencies are installed in your system.
2.	Start trireme-example in one window

```bash
% sudo trireme-example daemon --hybrid
```

3.	Start an Nginx container with host network access. In other words, you
Nginx container will be accessible through the host interface without any
network address translations.

```bash
% docker run -l app=nginx --net=host -d nginx
```

If you want to verify that your container is running in host mode, just
issue the command

```bash
% docker inspect <container id> | grep NetworkMode
  "NetworkMode" : "host"
```

4.	Despite the fact that your container is running in host mode, it is
still protected by Trireme and it cannot be actually accessed. The
default policy in Trireme allows two containers or processes to interact
only if they are both protected by Trireme and they have the same labels.
Try:

```bash
% curl http://127.0.0.1
```

This should fail.

5.	Instantiate a curl container now with the same labels as the Nginx
container that we just started.

```bash
% docker run -l app=nginx -it nhoag/curl
```

Assuming that your local docker bridge is at 172.17.0.1 (the default in
docker) the nginx container should be accessible through the bridge IP.
Initiate a curl command to the bridge IP

```bash
root@b84a73c6d5ba:# curl http://172.17.0.1
```

You will see that curl succeeded in this case. You can now exit from the
curl container.

6.	Since Trireme also supports Linux Processes through we can actually
access the container from the host as well, provided that we use Trireme
to control the network capabilities of the Linux process. From your host
cell, just issue the command:

```bash
trireme-example run --label=app=nginx curl -- http://127.0.0.1
```

This command should succeed and you should see the Nginx output. Note, that we start the curl process with the same labels as the Nginx container.

## What Did We Do?

We started a docker container with the net=host parameter. The effect of
this parameter is that the container uses the host network namespace and
has direct access to the interfaces and the network of the host. Doing
that without extra controls poses security risks. Trireme allows you to
protect even containers started in the host network namespace. Since the
container was protected by default by Trireme we instantiated another
container and a Linux process and demonstrated how to use the Trireme
policies to control which network or Linux process can interact with the
host network container.

## Trireme and Host Networking Architecture

As we explained in some of the previous sections, Trireme treats containers
and Linux processes equally from a network security perspective. Trireme
can apply granular policy equally well to a container or a Linux process.

When a container is activated in host network mode, Trireme detects this
activation. Instead of giving full access to the container, it treats it as
a Linux process. It gets the first process (Pid : 1 ) that is run in the
container and places it on a dedicated net_cls cgroup as it would do with
Linux processes. All subsequent processes instantiated/forked inside the
container inherit by default the same policy. It can then apply the
granular policy to the particular container, even though the container is
in the same namespace as the host network. This policy does not affect
any other process or container running on the same host.

This capability makes Trireme very useful in environments that you need
to implement some containers with host network mode.

## Taking it to the extreme
The Trireme isolation for host networks is of course not as strong as a
full network namespace isolation. Containers will still share several
others of the stack. However, in several cases, users are looking for a
less granular isolation, since networking is a pain. See
 (https://medium.com/@copyconstruct/schedulers-kubernetes-and-nomad-b0f2e14a896)
 for some discussion on the topic.

Even the original Borg architecture used this approach to minimize network
complexities. From the corresponding ACM article

"All containers running on a Borg machine share the host’s IP address, so
Borg assigns the containers unique port numbers as part of the scheduling
process."

Although this is not optimal, there are several implementations of docker
in production environments that have decided to take the risk and
instantiate all containers in host network mode since they don't want to
adapt their applications to the concept of either random ports (docker
bridge approach) or IP per container (Kubernetes default). They just did not
want to deal with the complexities of networking. One can not discount
the pragmatic operational reasons that are leading teams down this path.

Obviously, there is an isolation risk with this decision and Trireme can
bridge this gap. By using Trireme as the network policy mechanism, we have
decoupled security from the network. Security is delegated to an end-to-end
authorization function, and the fact that containers live in the same
network namespace does not affect the capability of Trireme to provide
strong isolation.

Therefore, one can use Trireme to implement a container based system
without the need for complex networking. Yes, there are architectural
limitations in some of these choices, but nevertheless it is useful in
some environments.


================================================
FILE: docs/linux_processes.md
================================================
# Trireme and Linux Processes

The goal of Trireme is to assign an identity with every application and use this
identity to transparently insert authentication and authorization in any communication.
The Trireme library has been designed to support both containers as well as any
application supporting linux processes.

In this document we will describe how one can use Trireme with Linux processes
and what are the underlying mechanisms used by the library.

Essentially, Trireme allows you to introduce end-to-end authentication and
authorization between any two Linux processes without ever touching the
process. Through this mechanism you can achieve detailed access control
in your Linux environment without the need for firewall rules, ACLs,
and a complex infrastructure.

# TL;DR - Show me how

In order to illustrate how to use Trireme with Linux processes we will use
the Trireme example with default settings.

1. Download and build trireme-example from https://go.aporeto.io/trireme-example
   Follow the instructions in the Readme file and make sure all the dependencies
   are installed in your system.

2. Start trireme-example in one window
```bash
% sudo trireme-example daemon --hybrid
```
The above command will start the Trireme daemon supporting both Linux Processes
and docker containers and basic PSK authentication. You will be able to see
all the Trireme messages in the window.

3. In a different window start an nginx server protected by Trireme
```bash
% sudo trireme-example run --ports=80 --label=app=web nginx
```
Note, that we use sudo for this since nginx requires root access by default. The
additional parameters are:
- Nginx will be listening on port 80
- The label app=web will be attached to the nginx service.

4. Try to access the nginx server with a standard curl command
```bash
% curl http://127.0.0.1
```
You will see that the curl command fails to connect to the nginx server, even
though the server is running and listening on port 80.

5. Run a curl command with a Trireme identity so that it can actually access
the server:
```bash
% trireme-example run --label=app=web curl -- http://127.0.0.1
```
In this case your curl command will succeed.

6. Let's run now a bash shell in the Trireme context
```bash
% trireme-example run --label=app=web /bin/bash
```
We essentially started just a standard bash shell within the Trireme context
and protected by Trireme. In this case our bash shell can actually access the
nginx server. A simple curl will succeed.
```bash
curl http://127.0.0.1
```

## What did we do?

We started the Trireme daemon and started an nginx server protected by Trireme. By
default only authorized traffic will be able to ever reach this nginx server
at this point. Even processes in the same host will be unable to reach the
server, unless they are also started with Trireme and they are protected by
the same authorization framework.

Trireme allows us very easily to introduce authorization to
any process in the Linux subsystem within the same host or across hosts over
the network.

# Trireme and Linux Processes

In this section we will describe how Trireme introduces the transparent authorization
for every Linux Process. This has several use cases that we will illustrate
in some subsequent blogs. Some examples are:

1. Separate Linux users in different authorization contexts and allow them only
specific access to network resources.
2. Isolate important applications like databases from the network and restrict
access to authorized sources only.
3. Isolate the sshd daemon and allow access only to management tool like
Ansible to ssh into the machine.
4. Restrict communication between processes based on libraries, checksums on
executables, SELinux labels or other structures.

## The forgotten cgroup : net_cls

For several reasons the Linux kernel does not have an easy method to differentiate
traffic based on the source or destination process. However, it has a very
important facility that is not very well documented, but very useful. One
of the cgroup controllers is known as net_cls. When a process is associated with
this controller, the Linux kernel will mark all packets initiated by a process
with a mark that is set in the configuration of the net_cls cgroup. For example,
in a standard Ubuntu distribution you can see the mark in
/sys/fs/cgroup/net_cls/net_cls.classid. The standard value there is 0, indicating
that there is essentially no mark placed on the packets.

In the case of Trireme, you will find a trireme directory under this controller
in /sys/fs/cgroup/net_cls/trireme and Trireme will create a sub-directory there
for every process that is protected by Trireme. Let us assume that the nginx
process above had a process ID of 100. Then Trireme will create the directory
/sys/fs/cgroup/net_cls/trireme/100 and it will populate the net_cls.classid
file there with a mark value. For example 100.

Once Trireme does that, it means that all packets out of the nginx server or any
of its children will be marked with the same mark. We cannot apply the Trireme
ACLs that capture Syn/SynAck traffic only on packets with this mark. As a result,
we can apply policy to a specific Linux processes and not just a container.

Of course we need some more work. Eventually the process will die and we need
to clean up. Fortunately, there is a kernel  facility for that. The file
/sys/fs/cgroup/net_cls/trireme/100/notify_on_release is populated with 1, meaning
that the kernel should notify a release agent that there are no more processes
associated with the particular cgroup. The file /sys/fs/cgroup/net_cls/release_agent
identifies the binary that should be executed when such an event happens.

We can now put all the parts together.
1. The trireme-example command sends an
RPC message to the Trireme daemon requesting to run a process in the Trireme
context.
2. The daemon resolves the policy for the requested command and populates
the right fields in the net_cls file structures.
3. It then does a simple exec and release command to the requested process.
4. When the process dies, the release_agent notifies the Trireme daemon about
the event, and the Trireme daemon cleans up the state.

## Metadata Extractor and Linux Processes

One of the most powerful features of the Trireme approach is the metadata extractor.
In the above example we used a simple method where the labels that are forming
the identity are provided by the user. However, these are not the only attributes
that Trireme identifies and it can be extended to actually associate any attribute
with this identity model.

By default the metadata extractor will capture the following information:
- Md5 checksum of the binary that is executed.
- Library dependencies of the binary
- User ID
- Group ID
- Executable path

The result is that a user can define an authorization policy across any of these
attributes. For example, you can define a policy that only a binary with a specific
checksum can access a database. Or that only a process with a given User ID can
access an application. Or that users with sudo capability can never talk to the
Internet.

One can enhance this metadata extractor with additional sources. For example in
an AWS environment, the ami ID, VPC ID, subnet, SELinux/AppArmor labels and so on.
The possibilities are unlimited.

By associating custom and system metadata with a process, Trireme allows
you to create a "contextual identity" for every Linux process. You can then
use this identity to control access over the network without worrying about IP
addresses and port numbers. It is the identity that matters.


================================================
FILE: docs/policy_design.md
================================================
# Policy design in Trireme

Trireme includes a powerful policy language that defines authorization policies between containers or processes
(often referred as Processing Units). This document aims to explain the basic concepts behind the Trireme
policies and how to get started to define your own policies.

As a user of the Trireme library, you need to implement a `Policy Resolver` interface that will fully
define the policies that will apply to your traffic.

The example part of Trireme can be used as a starting point for implementing your own `Policy Resolver`

# Trireme Cluster

When using Trireme, two different perimeters are defined:
* Trireme endpoints is the set of all Processing Units (typically represents a container) that implement authorization
and the related policies are captured through `Trireme Internal Policies`
* Outside world: Everything else that is not being explicitly authorized. Traffic to those endpoints is
managed through the `External policies`

The complex and granular Trireme policies can only be applied if both the receiver and destination are being part of the Trireme endpoints.
In any other cases, a standard set of ACLs will be applied in egress and ingress.

## Trireme CIDR

Trireme is typically installed inside a private cluster. This cluster is a large set of servers under the same
administrative control. Each node part of the cluster will get one Trireme agent installed.
We recommend that the endpoints used inside the private Trireme cluster use a well-defined Network CIDR,
although this is not mandatory.  The endpoints addresses are the Processing Unit (typically docker) IPs that
will be used on your cluster and that will be policed through the Trireme agent.
The typical server on which the Trireme agent runs is typically not an endpoint,
but the containers or processes that will run on that servers are endpoints.

This can be for example `10.0.0.0/8` and `172.17.0.0/16` It is referred to as the `Trireme CIDRs`
and can be composed of a large set of independent CIDRs.

Those `Trireme CIDRs` is given as parameter to the Trireme agent at startup. The agent uses those CIDRs to
decide if a socket Endpoint is going to be inside your Trireme cluster, and therefore if there
is a need to add the Trireme metadata to the socket.

Trireme also supports an auto-discovery mechanism that automatically detects these end-points. The
auto-discovery assumes that all endpoints are Trireme enabled and initiates an authorization process
to all endpoints. If the authorization fails, the Trireme falls back to a list of ACL rules based
on IP addresses.

## Excluding IPs from `Trireme CIDRs` cluster.

In some specific use-case you want to be able to define a set of CIDRs for Trireme with the
exception of a couple of well defined subnets or/and IPs. In order to achieve this,
Trireme supports an Exclusion API that can exclude specific endpoints out of the
general `Trireme CIDRs` dynamically during runtime.

Any set of IPs in the `Trireme CIDRs` that are not going to get policed through the agent need
to be removed through this exclusion API. This API is defined in supervisor/interfaces.go:


```go
// An Excluder can add/remove specific IPs that are not part of Trireme.
type Excluder interface {

	// AddExcludedIP adds an exception for the destination parameter IP, allowing all the traffic.
	AddExcludedIP(ip string) error

	// RemoveExcludedIP removes the exception for the destination IP given in parameter.
	RemoveExcludedIP(ip string) error
}
```


# Whitelist model for Trireme

Trireme uses a whitelist model. That is, everything that is not explicitely allowed will be denied.

# General logic for policy application.

For Traffic reaching the Processing Unit, the following logic is applied:
```
- If traffic source is part of Trireme CIDRs or it has authorization information:
    - If traffic is matched through one of the Trireme rules:
        - If action is ALLOW: Allow traffic.
        - If action is DROP: Drop traffic.
    - Drop unmatched traffic
- If traffic source matches one of the Network ACLs:
    - If action is ALLOW: Allow traffic.
    - If action is DROP: Drop traffic.
- Drop unmatched traffic
```

For traffic exiting the Processing Unit, the following logic is applied:

```
- If traffic destination is part of Trireme CIDRs:
    - Allow traffic (Add Trireme information to the TCP session)
- If traffic destination matches one of the App. ACLs:
    - If action is ALLOW: Allow traffic.
    - If action is DROP: Drop traffic.
- Drop unmatched traffic
```

# Policies for Trireme traffic.

Traffic flowing inside a cluster between two endpoints that are both policed by Trireme is subject to the Trireme policies.

Those policies rely heavily on a set of metadata identity that is sent as part of the Trireme traffic
and decapsulated/encapsulated by the endpoint agents. Those metadata are labels in the form of `Key:values`
and are defined by the  Policy Resolver. Each Processing Unit will have a set of those labels associated.
Each processing Unit also got a set of Trireme Policies that define which remote Trireme processing
units are allowed to connect to the local processing unit.

The Trireme policy is defined as a logical set of `OR` Rules that are each defined as `AND` Clauses:
The action of a Trireme policy is applied IF at least one of the Rules is matched successfully. (Logical `OR`)
In order for a rule to be matched successfully, each clause inside the rule needs to be successfully matched (Logical `AND`)

Each clause is built as a `Key`, Set of `Values` and `Operator`.
Each clause translated to a binary TRUE or FALSE.
The following operations are supported:

* `Equal` returns true if the PU got a label associated to the `Key` with a `value` equal to one of the `values` defined in the policy.
Example:
The clause
```
KEY: App
VALUE: {'nginx', 'centos', 'mysql'}
OPERATOR: `Equal`
```
will return TRUE for the following PU metadata:
```
Image:centos
App:centos
owner:admin
```

will return FALSE for the following PU metadata:
```
Image:server
owner:root
```

* `NotEqual` returns true if the PU got a label associated to the `Key` with a `value` NOT equal to one of the `values` defined in the policy
Example:
The clause
```
KEY: App
VALUE: {'nginx', 'centos', 'mysql'}
OPERATOR: `NotEqual`
```
will return FALSE for the following PU metadata:
```
Image:centos
App:centos
owner:admin
```

will return TRUE for the following PU metadata:
```
Image:server
owner:root
```

will return TRUE for the following PU metadata:
```
Image:server
owner:root
App:redis
```

* `KeyExists` returns true if the PU got a label with  that key in it.

Example:
The clause
```
KEY: App
VALUE: *
OPERATOR: `KeyExists`
```
will return TRUE for the following PU metadata:
```
Image:centos
App:abcd
owner:admin
```

will return FALSE for the following PU metadata:
```
Image:server
owner:root
```

* `KeyNotExists` returns true if the PU doesn't have a label with the specified key in it.

Example:
The clause
```
KEY: App
VALUE: *
OPERATOR: `KeyNotExists`
```
will return FALSE for the following PU metadata:
```
Image:centos
App:centos
owner:admin
```

will return TRUE for the following PU metadata:
```
Image:server
owner:root
```

# Special tags for Port matching.

Trireme introduces dynamically an extra label per TCP connection that represents the TCP destination port.
That extra label got the following format:
```
@port:xx
```
This label can then be used for matching in any of the previously defined rules, like any other usual label.

# Policies for External traffic.

If the source or receiver endpoint is not part of the Trireme CIDRs, then the Policies for external traffic are used.
Those policies are defined as usual Network ACLs with Network and port matches.

For each Processing Unit, the following two policies are defined:
* Application policy: The allowed traffic that originates from that processing unit.

* Net policy: The traffic that is allowed to reach the Processing unit from the network.

Both these policies take the format of a set of (Network/Port-range/Protocol type).
* Network is the CIDR of the network traffic we want to allow (Example: `192.169.0.0/16`)
* Port-range can be a single port or any range of port (Example: `100-200`)
* Protocol type is the L4 protocol type (Must be one of `TCP`/`UDP`/`ICMP`)


================================================
FILE: docs/secure-application_segmentation.md
================================================
# Secure Application Segmentation

The concept of segmentation, or separating applications in different domains, is one of the most widely used security practices. Segmentation protects application deployments by minimizing lateral movement of attackers or reducing the blast radius by containing a system component compromise within a small subsystem.

Over the last several years segmentation was often translated to a network isolation problem where, by restricting network reachability, we could achieve isolation. VLANs, VXLAN, MPLS, firewall ACLs, host ACLs are all trying to segment applications by associating application context to an IP address/port and then managing reachability between two components by controlling routing or five-tuple rules.

Network segmentation approaches had to solve two problems:

1. Associate a workload with an IP address and port number; and
2. create the necessary network structures or reachability rules to limit communication.

These techniques worked well in traditional server environments and virtual machine deployments where the creation of new servers or VMs is an infrequent event. When new servers are created they are placed in the proper network segment (VLAN or even AWS VPC) or the proper ACL rules are added to the host. However, as we move to containers, microservices, and serverless architectures, scaling this model has become increasingly more complex and cumbersome. Because we are shifting away from monolithic architectures towards microservice architectures, the rate of instantiation of new application components is increasing by orders of magnitude.

Additionally, several of these techniques introduce significant complexity in the network by requiring gateways, middle-boxes, and other devices to co-ordinate this segmentation and deal with the problems of reachability outside the simple domain of a network segment.

With Trireme we take an entirely different approach to segmentation issues by introducing transparent authentication and authorization in any communication between workloads. Instead of using an IP address as the identifier of a workload, we use a proper identity mechanism. Instead of using ACLs and network reachability for controlling communication between applications, we introduce an end-to-end authentication and authorization step.

Transitioning to such a model comes with some fundamental benefits for any deployment:

1. Security is decoupled from network IP addressing, allowing operators to optimize their network (transport) with simple techniques and delegate security to the application layer where it belongs.
2. The network architecture for large scale container deployments can be reduced to a simple L3 network. In short:  no VLANs, no tunnels, no firewall rules, no ACLs, no fast route updates that will never converge. Crossing domains, NAT, IPv4/IPv6 translations are orthogonal and irrelevant to the end-to-end isolation.
3. Security is much stronger since workloads are isolated by cryptographically verified end-to-end authentication and authorization that can defend against spoofing, man-in-the-middle, and replay attacks.
4. Developers do not need to deal or depend on network segments and IP address assignments. An isolation segment can be created simply by attaching an identity property to a workload.
5. The scheme does not require any control plane. The technique is completely distributed with no shared state and no eventual consistency problems.

The biggest value of Trireme is its simplicity: simple deployment and simple operations. One would naturally ask the question why this has never be done before. Actually,similar techniques have been attempted in the past but with less success. The first example of such a technique was [the CIPSO standard] (https://tools.ietf.org/html/draft-ietf-cipso-ipsecurity-01). The idea, embraced by US government agencies, Trusted Solaris, and SELinux, was was to carry applicationcontext in IP options. There are several differences of Trireme compared to this initial approach:

1. IP options are dropped or improperly handled by the majority of high-speed routers and switches;
2. although some application context is carried in packets, this context is rather limited and not cryptographically protected.

The benefit we have today is that cloud deployments enable the automatic distribution of identity. Systems like Kubernetes make it much simpler to distribute and manage workload identity, and it is exactly these capabilities that make the Trireme approach attractive and viable.

We are happy to share Trireme with the community and solicit feedback. We believe that we are at the first stages of a transformation where the transition to cloud native deployments will become a catalyst for stronger security. Trireme is just the first step.


================================================
FILE: docs/trireme_architecture.md
================================================
#Trireme Architecture

Trireme takes a different approach to application segmentation by treating the problem as what it is: an authentication and authorization problem. Every application component, such as process, a container, a Kubernetes POD, has an identity.  A segmentation function is a simple policy that defines identities of the endpoints that are allowed to communicate with each other. 

By following this approach instead of managing either IP addresses/port numbers or ACL five-tuple rules, both of which have limited context and are ephemeral by definition, we deal with security policy as a function of identities. This allows us to scale to very large systems, decouple networking from security, and streamline the operational models. 

Indeed, networking is simplified to a transport layer that can use a flat L3 network structure and ignore complex routing protocols. At its simplest form, every container host gets a layer-3 subnet.  As such, there is no need for any route advertisements or route distribution with every container activation.  You can see [the default Kubernetes network architecture] (https://github.com/kubernetes/kubernetes/blob/master/docs/design/networking.md) for an example.

One could argue that identity and policy are complex mechanisms;however, some key components allow us to implement this identity-based application segmentation at the scale that we outline in the next sections.  Specifically: 

1. How do we determine identity and manage policy?
2. How do we insert end-to-end authentication and authorization in applications that we do not control?
3. What is the security model that we can achieve with such a mechanism?

##Identity and Policy Management 

Determining and distributing workload identity can be achieved in multiple ways. If we focus on cloud-native environments where an orchestrator like Kubernetes is used for deploying containers, then identity is  simple to define:  Together with orchestrating the workload, the orchestrator can distribute the identity. 

One could, for example, distribute private/public key pairs to each workload.  Subsequently, the certificate will automatically define the identity of the workload.  However, such an identity is not very useful in policy definition.  One would need to set access policies based on specific workload identities that can change regularly. Imagine, for example, if identity was simply the UUID of the container.  Mapping the container to roles or authorization policies would be challenging by itself.

An alternative approach is to define identity as a collection of attributes that describe a workload. For example, in a container environment, the labels associated with a container can become the identity description. In a Kubernetes cluster, the Kubernetes label selectors can define the identity.  In the Trireme context, we define identity simply as a collection of attributes that describe a workload; moreover, we allow users of the library to determine how  identity attributes are created. For example, attributes can be metadata labels, users that activated the service, or even IP addresses in case someone wants to create a policy that takes IP information into account. 

Once identity is defined as a collection of attributes, it is straightforward to start thinking about authorization as an extension of Attribute-Based Access Control (ABAC).  An authorization policy is just defined as a logical relation between attributes. For example, if a workload is identified with a label “environment=production”, an authorization policy can be “Accept traffic from workloads with “environment=production.”  At its simple form, one can achieve isolation with just a single policy that allows connectivity when two entities have the same labels.  In this way, managing isolation is achieved by just managing the label namespace. 

The Kubernetes Network Policy extension uses a very similar approach and defines access control rules as a function of label selectors. As a result, using Trireme in a Kubernetes environment is a straightforward mapping of label selectors to identities and Network Policies to authorization policies. 

##Transparent Enforcement of Authorization

Enforcing an authorization process for any application has its specific challenges. In some environments, organizations have the freedom to mandate the use of specific RPC libraries for all their components. In these environments, one could enforce the authorization step in the library and be done with it.  In fact, some indications are that certain web-scale providers are doing just this.

Unfortunately, however, for the majority of software deployments, this is not possible because applications use external components and a full control of the software stack is not a viable choice. Therefore, we need a mechanism that can transparently insert end-to-end authorization without modifying applications. Interestingly enough, the IETF community attempted something like that several years ago (see https://tools.ietf.org/html/draft-ietf-cipso-ipsecurity-01) by encoding segmentation information as IP header options. Unfortunately, most modern high-speed routers tend to drop or not process IP options because of the increased overhead. 

In Trireme, we chose to overlay the authorization step in the TCP connection setup protocol with a very simple approach.  Once identity has been defined and cryptographically signed, it can be communicated to the other parties during the Syn/SynAck negotiation as a payload that the application never sees. To achieve this, we have implemented a TCP Authorization Proxy that encapsulates identity in the connection setup packets and allows the two ends to cryptographically verify the validity of the identity attributes and enable connection establishment based on mutual, end-to-end authorization.  In other words, a Syn packet is accepted if and only if it carries a valid identity and the receiving identity is authorized to receive traffic from the given source. Similarly, a SynAck packet is accepted if and only if the identity is valid and the policy allows such a connection. Our proxy implementation only captures/modifies the connection establishment packets and releases all other packets to the kernel for forwarding. 

There are several other benefits of this implementation.  Namely,
- The method does not require any modifications in the application stack or Linux kernel.
- TCP offloads and the TCP negotiation and protocols just work as designed, significantly improving performance over tunneling mechanisms. 
- Although there is an increased connection setup latency, this increase does not require additional round-trip times in the - - TCP negotiation. 
- Since only connection setup packets are processed in the user space the performance impact is minimized. 

##Security Model

The security protection that can be provided with Trireme is significantly more robust than any IP-based mechanism. The classic problem that some Trireme users are solving already is that they operate in environments that they do not trust the network infrastructure. With implementations that tie identity to IP addresses only, it is easy for an attacker that takes control of the network to spoof IP addresses and gain access to applications without authorization. The Trireme approach enforces end-to-end authorization, and the risk of a man-in-the-middle attack is limited to someone taking complete control of the end-system.

Indeed, the Trireme protocol implements a three-way handshake that includes nonces (random numbers) at every step of the negotiation to defend against man-in-the-middle and replay or spoofing attacks.  

##Kubernetes Integration

Together with Trireme, we also provide a Kubernetes integration that implements the Network Policy API without any centralized controllers or coordinated state.  An instance of Trireme runs on every minion, deployed through daemon sets. This local instance listens to the relevant APIs (policies, namespace changes), and POD activation events. When a POD is instantiated, the local instance associates an identity with the POD based on the labels and implements the authorization policy in a completely distributed manner.  From a deployment standpoint, the only requirement is the daemon set deployment. 

Note that the integration can be extended easily to federated clusters and cross NAT boundaries since IP addresses are of no importance. 


================================================
FILE: fix_bpf
================================================
#!/bin/bash

printf "copy .c and .h files as dep ensure isn't pulling them\n"

rm -rf /tmp/gobpf
git clone https://github.com/iovisor/gobpf.git /tmp/gobpf

cp -r /tmp/gobpf/elf vendor/github.com/iovisor/gobpf/



================================================
FILE: mockgen.sh
================================================
#! /bin/bash -e

GO111MODULE=on go get github.com/golang/mock/mockgen@latest
go get github.com/golang/mock/mockgen/model
go get -u golang.org/x/tools/cmd/goimports

goimport_sanitize () {
  tmp=$(mktemp)
  goimports "$1" > "$tmp"
  sed  $'s/^func /\/\/ nolint\\\nfunc /g' < "$tmp" | sed  $'s/^type /\/\/ nolint\\\ntype /g' > "$1"
  rm -f "$tmp"
}

echo "Cgnetcls Mocks"
mkdir -p utils/cgnetcls/mockcgnetcls
mockgen -source utils/cgnetcls/interfaces.go -destination utils/cgnetcls/mockcgnetcls/mockcgnetcls.go -package mockcgnetcls
goimport_sanitize utils/cgnetcls/mockcgnetcls/mockcgnetcls.go

echo "Controller/internal/supervisor/Provider Mocks"
mkdir -p controller/internal/supervisor/mocksupervisor
mockgen -source controller/internal/supervisor/interfaces.go -destination controller/internal/supervisor/mocksupervisor/mocksupervisor.go -package mocksupervisor
goimport_sanitize controller/internal/supervisor/mocksupervisor/mocksupervisor.go

echo "Enforcer Mocks"
mkdir -p controller/internal/enforcer/mockenforcer
mockgen -source controller/internal/enforcer/enforcer.go -destination controller/internal/enforcer/mockenforcer/mockenforcer.go -package mockenforcer
goimport_sanitize controller/internal/enforcer/mockenforcer/mockenforcer.go

echo "DNSProxy Mocks"
mkdir -p controller/internal/enforcer/dnsproxy/mockdnsproxy
mockgen -source controller/internal/enforcer/dnsproxy/dnsproxy.go -destination controller/internal/enforcer/dnsproxy/mockdnsproxy/mockdnsproxy.go -package mockdnsproxy
goimport_sanitize controller/internal/enforcer/dnsproxy/mockdnsproxy/mockdnsproxy.go


echo "Controller/Processmon Mocks"
mkdir -p controller/internal/processmon/mockprocessmon
mockgen -source controller/internal/processmon/interfaces.go -destination controller/internal/processmon/mockprocessmon/mockprocessmon.go -package mockprocessmon
goimport_sanitize controller/internal/processmon/mockprocessmon/mockprocessmon.go

echo "controller/pkg/remoteenforcer Mocks"
mkdir -p controller/pkg/remoteenforcer/mockremoteenforcer
mockgen -source controller/pkg/remoteenforcer/interfaces.go -destination controller/pkg/remoteenforcer/mockremoteenforcer/mockremoteenforcer.go -package mockremoteenforcer
goimport_sanitize controller/pkg/remoteenforcer/mockremoteenforcer/mockremoteenforcer.go

echo "controller/pkg/remoteenforcer/client Mocks"
mkdir -p controller/pkg/remoteenforcer/internal/client/mockclient
mockgen -source controller/pkg/remoteenforcer/internal/client/interfaces.go -destination controller/pkg/remoteenforcer/internal/client/mockclient/mockclient.go -package mockclient
goimport_sanitize controller/pkg/remoteenforcer/internal/client/mockclient/mockclient.go

echo "controller/pkg/remoteenforcer/TokenIssuer Mocks"
mkdir -p controller/pkg/remoteenforcer/internal/tokenissuer/mocktokenclient
mockgen -source controller/pkg/remoteenforcer/internal/tokenissuer/tokenissuer.go -destination controller/pkg/remoteenforcer/internal/tokenissuer/mocktokenclient/mocktokenclient.go -package mocktokenclient
goimport_sanitize controller/pkg/remoteenforcer/internal/tokenissuer/mocktokenclient/mocktokenclient.go

echo "controller/pkg/remoteenforcer/StatsCollector Mocks"
mkdir -p controller/pkg/remoteenforcer/internal/statscollector/mockstatscollector
mockgen \
-source controller/pkg/remoteenforcer/internal/statscollector/interfaces.go \
-destination controller/pkg/remoteenforcer/internal/statscollector/mockstatscollector/mockstatscollector.go \
-package mockstatscollector \
-aux_files collector=collector/interfaces.go \
-imports statscollector=go.aporeto.io/enforcerd/trireme-lib/controller/pkg/remoteenforcer/internal/statscollector
goimport_sanitize controller/pkg/remoteenforcer/internal/statscollector/mockstatscollector/mockstatscollector.go

echo "controller/pkg/usertokens Mocks"
mkdir -p controller/pkg/usertokens/mockusertokens
mockgen -source controller/pkg/usertokens/usertokens.go -destination controller/pkg/usertokens/mockusertokens/mockusertokens.go -package mockusertokens
goimport_sanitize controller/pkg/usertokens/mockusertokens/mockusertokens.go

echo "controller/pkg/flowtracking Mocks"
mkdir -p controller/pkg/flowtracking/mockflowclient
mockgen -source controller/pkg/flowtracking/interfaces.go -destination controller/pkg/flowtracking/mockflowclient/mockflowclient.go -package mockflowclient
goimport_sanitize controller/pkg/flowtracking/mockflowclient/mockflowclient.go

echo "Collector Mocks"
mkdir -p collector/mockcollector
mockgen -source collector/interfaces.go -destination collector/mockcollector/mockcollector.go -package mockcollector
goimport_sanitize collector/mockcollector/mockcollector.go

echo "Monitor Mocks"
mkdir -p monitor/mockmonitor
mockgen -source monitor/interfaces.go -destination monitor/mockmonitor/mockmonitor.go -package mockmonitor
goimport_sanitize monitor/mockmonitor/mockmonitor.go

echo "Monitor remoteapi client mocks"
mkdir -p monitor/remoteapi/client/mockclient
mockgen -source monitor/remoteapi/client/interfaces.go -destination monitor/remoteapi/client/mockclient/mockclient.go -package mockclient
goimport_sanitize monitor/remoteapi/client/mockclient/mockclient.go

echo "Monitor/processor Mocks"
mkdir -p monitor/processor/mockprocessor
mockgen -source monitor/processor/interfaces.go -destination monitor/processor/mockprocessor/mockprocessor.go -aux_files collector=collector/interfaces.go -package mockprocessor
goimport_sanitize monitor/processor/mockprocessor/mockprocessor.go

echo "controller/internal/enforcer/nfqdatapath/tokenaccessor Mocks"
mkdir -p controller/internal/enforcer/nfqdatapath/tokenaccessor/mocktokenaccessor
mockgen -source controller/internal/enforcer/nfqdatapath/tokenaccessor/interfaces.go -destination controller/internal/enforcer/nfqdatapath/tokenaccessor/mocktokenaccessor/mocktokenaccessor.go -package mocktokenaccessor
goimport_sanitize controller/internal/enforcer/nfqdatapath/tokenaccessor/mocktokenaccessor/mocktokenaccessor.go

echo "controller/internal/enforcer/utils/ephemeralkeys Mocks"
mkdir -p controller/internal/enforcer/utils/ephemeralkeys/mockephemeralkeys
mockgen -source controller/internal/enforcer/utils/ephemeralkeys/interfaces.go -destination controller/internal/enforcer/utils/ephemeralkeys/mockephemeralkeys/mockephemeralkeys.go -package mockephemeralkeys
goimport_sanitize controller/internal/enforcer/utils/ephemeralkeys/mockephemeralkeys/mockephemeralkeys.go

echo "controller/pkg/tokens Mocks"
mkdir -p controller/pkg/tokens/mocktokens
mockgen -source controller/pkg/tokens/tokens.go -destination controller/pkg/tokens/mocktokens/mocktokens.go -package mocktokens
goimport_sanitize controller/pkg/tokens/mocktokens/mocktokens.go

echo "RPC Wrapper Mocks"
mkdir -p controller/internal/enforcer/utils/rpcwrapper/mockrpcwrapper
mockgen -source controller/internal/enforcer/utils/rpcwrapper/interfaces.go -destination controller/internal/enforcer/utils/rpcwrapper/mockrpcwrapper/mockrpcwrapper.go -package mockrpcwrapper
goimport_sanitize controller/internal/enforcer/utils/rpcwrapper/mockrpcwrapper/mockrpcwrapper.go

echo "Policy Interfaces Mock"
mkdir -p policy/mockpolicy
mockgen -source policy/interfaces.go -destination policy/mockpolicy/mockpolicy.go -package mockpolicy
goimport_sanitize policy/mockpolicy/mockpolicy.go

echo "Trireme Controller Mock"
mkdir -p controller/mockcontroller
mockgen -source controller/interfaces.go -destination controller/mockcontroller/mocktrireme.go -package mockcontroller  -aux_files constants=controller/constants/constants.go events=common/events.go policy=policy/interfaces.go processor=monitor/processor/interfaces.go supervisor=controller/internal/supervisor/interfaces.go
goimport_sanitize controller/mockcontroller/mocktrireme.go

echo "Pod Monitor Mocks (manager, client and zap core)"
# NOTE: this uses interface mode because these are all 3rd party dependencies
mockgen -package podmonitor -destination monitor/internal/pod/mockzapcore_test.go go.uber.org/zap/zapcore Core
goimport_sanitize monitor/internal/pod/mockzapcore_test.go
mockgen -package podmonitor -destination monitor/internal/pod/mockclient_test.go sigs.k8s.io/controller-runtime/pkg/client Client
goimport_sanitize monitor/internal/pod/mockclient_test.go
mockgen -package podmonitor -destination monitor/internal/pod/mockcache_test.go sigs.k8s.io/controller-runtime/pkg/cache Cache
goimport_sanitize monitor/internal/pod/mockcache_test.go
mockgen -package podmonitor -destination monitor/internal/pod/mockinformer_test.go sigs.k8s.io/controller-runtime/pkg/cache Informer
goimport_sanitize monitor/internal/pod/mockinformer_test.go
# mockgen -package podmonitor -destination monitor/internal/pod/mockinformer_test.go k8s.io/client-go/tools/cache SharedIndexInformer
# goimport_sanitize monitor/internal/pod/mockinformer_test.go
mockgen -package podmonitor -destination monitor/internal/pod/mockmanager_test.go sigs.k8s.io/controller-runtime/pkg/manager Manager
goimport_sanitize monitor/internal/pod/mockmanager_test.go

echo >&2 "OK"


================================================
FILE: monitor/api/spec/Makefile
================================================
PROTOS_PATH = protos

.PHONY: all protos

all: protos

# Please use version v1.3.3 of protobuf to compile: 
# go get -u github.com/golang/protobuf/proto@v1.3.3
# go get -u github.com/golang/protobuf/protoc-gen-go@v1.3.3
protos: $(PROTOS_PATH)/monitor.proto
	protoc -I $(PROTOS_PATH) --go_out=plugins=grpc:$(PROTOS_PATH) \
		$(PROTOS_PATH)/monitor.proto


================================================
FILE: monitor/api/spec/protos/monitor.pb.go
================================================
// Code generated by protoc-gen-go. DO NOT EDIT.
// versions:
// 	protoc-gen-go v1.25.0-devel
// 	protoc        v3.6.1
// source: monitor.proto

package protos

import (
	context "context"
	proto "github.com/golang/protobuf/proto"
	empty "github.com/golang/protobuf/ptypes/empty"
	grpc "google.golang.org/grpc"
	codes "google.golang.org/grpc/codes"
	status "google.golang.org/grpc/status"
	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
	reflect "reflect"
	sync "sync"
)

const (
	// Verify that this generated code is sufficiently up-to-date.
	_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
	// Verify that runtime/protoimpl is sufficiently up-to-date.
	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
)

// This is a compile-time assertion that a sufficiently up-to-date version
// of the legacy proto package is being used.
const _ = proto.ProtoPackageIsVersion4

type CNIContainerEventRequest_Type int32

const (
	CNIContainerEventRequest_ADD    CNIContainerEventRequest_Type = 0
	CNIContainerEventRequest_DELETE CNIContainerEventRequest_Type = 1
)

// Enum value maps for CNIContainerEventRequest_Type.
var (
	CNIContainerEventRequest_Type_name = map[int32]string{
		0: "ADD",
		1: "DELETE",
	}
	CNIContainerEventRequest_Type_value = map[string]int32{
		"ADD":    0,
		"DELETE": 1,
	}
)

func (x CNIContainerEventRequest_Type) Enum() *CNIContainerEventRequest_Type {
	p := new(CNIContainerEventRequest_Type)
	*p = x
	return p
}

func (x CNIContainerEventRequest_Type) String() string {
	return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x))
}

func (CNIContainerEventRequest_Type) Descriptor() protoreflect.EnumDescriptor {
	return file_monitor_proto_enumTypes[0].Descriptor()
}

func (CNIContainerEventRequest_Type) Type() protoreflect.EnumType {
	return &file_monitor_proto_enumTypes[0]
}

func (x CNIContainerEventRequest_Type) Number() protoreflect.EnumNumber {
	return protoreflect.EnumNumber(x)
}

// Deprecated: Use CNIContainerEventRequest_Type.Descriptor instead.
func (CNIContainerEventRequest_Type) EnumDescriptor() ([]byte, []int) {
	return file_monitor_proto_rawDescGZIP(), []int{1, 0}
}

type RunCContainerEventRequest struct {
	state         protoimpl.MessageState
	sizeCache     protoimpl.SizeCache
	unknownFields protoimpl.UnknownFields

	CommandLine []string `protobuf:"bytes,1,rep,name=commandLine,proto3" json:"commandLine,omitempty"` // the full commandline of the runc command incl. flags, etc. - this is expected to come from `os.Args`
}

func (x *RunCContainerEventRequest) Reset() {
	*x = RunCContainerEventRequest{}
	if protoimpl.UnsafeEnabled {
		mi := &file_monitor_proto_msgTypes[0]
		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
		ms.StoreMessageInfo(mi)
	}
}

func (x *RunCContainerEventRequest) String() string {
	return protoimpl.X.MessageStringOf(x)
}

func (*RunCContainerEventRequest) ProtoMessage() {}

func (x *RunCContainerEventRequest) ProtoReflect() protoreflect.Message {
	mi := &file_monitor_proto_msgTypes[0]
	if protoimpl.UnsafeEnabled && x != nil {
		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
		if ms.LoadMessageInfo() == nil {
			ms.StoreMessageInfo(mi)
		}
		return ms
	}
	return mi.MessageOf(x)
}

// Deprecated: Use RunCContainerEventRequest.ProtoReflect.Descriptor instead.
func (*RunCContainerEventRequest) Descriptor() ([]byte, []int) {
	return file_monitor_proto_rawDescGZIP(), []int{0}
}

func (x *RunCContainerEventRequest) GetCommandLine() []string {
	if x != nil {
		return x.CommandLine
	}
	return nil
}

type CNIContainerEventRequest struct {
	state         protoimpl.MessageState
	sizeCache     protoimpl.SizeCache
	unknownFields protoimpl.UnknownFields

	Type         CNIContainerEventRequest_Type `protobuf:"varint,1,opt,name=type,proto3,enum=protos.CNIContainerEventRequest_Type" json:"type,omitempty"`
	ContainerID  string                        `protobuf:"bytes,2,opt,name=containerID,proto3" json:"containerID,omitempty"`
	NetnsPath    string                        `protobuf:"bytes,3,opt,name=netnsPath,proto3" json:"netnsPath,omitempty"`
	PodName      string                        `protobuf:"bytes,4,opt,name=podName,proto3" json:"podName,omitempty"`
	PodNamespace string                        `protobuf:"bytes,5,opt,name=podNamespace,proto3" json:"podNamespace,omitempty"`
}

func (x *CNIContainerEventRequest) Reset() {
	*x = CNIContainerEventRequest{}
	if protoimpl.UnsafeEnabled {
		mi := &file_monitor_proto_msgTypes[1]
		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
		ms.StoreMessageInfo(mi)
	}
}

func (x *CNIContainerEventRequest) String() string {
	return protoimpl.X.MessageStringOf(x)
}

func (*CNIContainerEventRequest) ProtoMessage() {}

func (x *CNIContainerEventRequest) ProtoReflect() protoreflect.Message {
	mi := &file_monitor_proto_msgTypes[1]
	if protoimpl.UnsafeEnabled && x != nil {
		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
		if ms.LoadMessageInfo() == nil {
			ms.StoreMessageInfo(mi)
		}
		return ms
	}
	return mi.MessageOf(x)
}

// Deprecated: Use CNIContainerEventRequest.ProtoReflect.Descriptor instead.
func (*CNIContainerEventRequest) Descriptor() ([]byte, []int) {
	return file_monitor_proto_rawDescGZIP(), []int{1}
}

func (x *CNIContainerEventRequest) GetType() CNIContainerEventRequest_Type {
	if x != nil {
		return x.Type
	}
	return CNIContainerEventRequest_ADD
}

func (x *CNIContainerEventRequest) GetContainerID() string {
	if x != nil {
		return x.ContainerID
	}
	return ""
}

func (x *CNIContainerEventRequest) GetNetnsPath() string {
	if x != nil {
		return x.NetnsPath
	}
	return ""
}

func (x *CNIContainerEventRequest) GetPodName() string {
	if x != nil {
		return x.PodName
	}
	return ""
}

func (x *CNIContainerEventRequest) GetPodNamespace() string {
	if x != nil {
		return x.PodNamespace
	}
	return ""
}

type ContainerEventResponse struct {
	state         protoimpl.MessageState
	sizeCache     protoimpl.SizeCache
	unknownFields protoimpl.UnknownFields

	ErrorMessage string `protobuf:"bytes,1,opt,name=errorMessage,proto3" json:"errorMessage,omitempty"` // errorMessage will be empty on success, and have an error message set only on an error
}

func (x *ContainerEventResponse) Reset() {
	*x = ContainerEventResponse{}
	if protoimpl.UnsafeEnabled {
		mi := &file_monitor_proto_msgTypes[2]
		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
		ms.StoreMessageInfo(mi)
	}
}

func (x *ContainerEventResponse) String() string {
	return protoimpl.X.MessageStringOf(x)
}

func (*ContainerEventResponse) ProtoMessage() {}

func (x *ContainerEventResponse) ProtoReflect() protoreflect.Message {
	mi := &file_monitor_proto_msgTypes[2]
	if protoimpl.UnsafeEnabled && x != nil {
		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
		if ms.LoadMessageInfo() == nil {
			ms.StoreMessageInfo(mi)
		}
		return ms
	}
	return mi.MessageOf(x)
}

// Deprecated: Use ContainerEventResponse.ProtoReflect.Descriptor instead.
func (*ContainerEventResponse) Descriptor() ([]byte, []int) {
	return file_monitor_proto_rawDescGZIP(), []int{2}
}

func (x *ContainerEventResponse) GetErrorMessage() string {
	if x != nil {
		return x.ErrorMessage
	}
	return ""
}

var File_monitor_proto protoreflect.FileDescriptor

var file_monitor_proto_rawDesc = []byte{
	0x0a, 0x0d, 0x6d, 0x6f, 0x6e, 0x69, 0x74, 0x6f, 0x72, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12,
	0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x73, 0x1a, 0x1b, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f,
	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x65, 0x6d, 0x70, 0x74, 0x79, 0x2e, 0x70,
	0x72, 0x6f, 0x74, 0x6f, 0x22, 0x3d, 0x0a, 0x19, 0x52, 0x75, 0x6e, 0x43, 0x43, 0x6f, 0x6e, 0x74,
	0x61, 0x69, 0x6e, 0x65, 0x72, 0x45, 0x76, 0x65, 0x6e, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73,
	0x74, 0x12, 0x20, 0x0a, 0x0b, 0x63, 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0x4c, 0x69, 0x6e, 0x65,
	0x18, 0x01, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0b, 0x63, 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0x4c,
	0x69, 0x6e, 0x65, 0x22, 0xf0, 0x01, 0x0a, 0x18, 0x43, 0x4e, 0x49, 0x43, 0x6f, 0x6e, 0x74, 0x61,
	0x69, 0x6e, 0x65, 0x72, 0x45, 0x76, 0x65, 0x6e, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74,
	0x12, 0x39, 0x0a, 0x04, 0x74, 0x79, 0x70, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x25,
	0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x73, 0x2e, 0x43, 0x4e, 0x49, 0x43, 0x6f, 0x6e, 0x74, 0x61,
	0x69, 0x6e, 0x65, 0x72, 0x45, 0x76, 0x65, 0x6e, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74,
	0x2e, 0x54, 0x79, 0x70, 0x65, 0x52, 0x04, 0x74, 0x79, 0x70, 0x65, 0x12, 0x20, 0x0a, 0x0b, 0x63,
	0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x65, 0x72, 0x49, 0x44, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09,
	0x52, 0x0b, 0x63, 0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x65, 0x72, 0x49, 0x44, 0x12, 0x1c, 0x0a,
	0x09, 0x6e, 0x65, 0x74, 0x6e, 0x73, 0x50, 0x61, 0x74, 0x68, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09,
	0x52, 0x09, 0x6e, 0x65, 0x74, 0x6e, 0x73, 0x50, 0x61, 0x74, 0x68, 0x12, 0x18, 0x0a, 0x07, 0x70,
	0x6f, 0x64, 0x4e, 0x61, 0x6d, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x70, 0x6f,
	0x64, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x22, 0x0a, 0x0c, 0x70, 0x6f, 0x64, 0x4e, 0x61, 0x6d, 0x65,
	0x73, 0x70, 0x61, 0x63, 0x65, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x70, 0x6f, 0x64,
	0x4e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x22, 0x1b, 0x0a, 0x04, 0x54, 0x79, 0x70,
	0x65, 0x12, 0x07, 0x0a, 0x03, 0x41, 0x44, 0x44, 0x10, 0x00, 0x12, 0x0a, 0x0a, 0x06, 0x44, 0x45,
	0x4c, 0x45, 0x54, 0x45, 0x10, 0x01, 0x22, 0x3c, 0x0a, 0x16, 0x43, 0x6f, 0x6e, 0x74, 0x61, 0x69,
	0x6e, 0x65, 0x72, 0x45, 0x76, 0x65, 0x6e, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65,
	0x12, 0x22, 0x0a, 0x0c, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65,
	0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x4d, 0x65, 0x73,
	0x73, 0x61, 0x67, 0x65, 0x32, 0xa7, 0x01, 0x0a, 0x04, 0x52, 0x75, 0x6e, 0x43, 0x12, 0x44, 0x0a,
	0x10, 0x52, 0x75, 0x6e, 0x63, 0x50, 0x72, 0x6f, 0x78, 0x79, 0x53, 0x74, 0x61, 0x72, 0x74, 0x65,
	0x64, 0x12, 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f,
	0x62, 0x75, 0x66, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x1a, 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67,
	0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x45, 0x6d, 0x70, 0x74,
	0x79, 0x22, 0x00, 0x12, 0x59, 0x0a, 0x12, 0x52, 0x75, 0x6e, 0x43, 0x43, 0x6f, 0x6e, 0x74, 0x61,
	0x69, 0x6e, 0x65, 0x72, 0x45, 0x76, 0x65, 0x6e, 0x74, 0x12, 0x21, 0x2e, 0x70, 0x72, 0x6f, 0x74,
	0x6f, 0x73, 0x2e, 0x52, 0x75, 0x6e, 0x43, 0x43, 0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x65, 0x72,
	0x45, 0x76, 0x65, 0x6e, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1e, 0x2e, 0x70,
	0x72, 0x6f, 0x74, 0x6f, 0x73, 0x2e, 0x43, 0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x65, 0x72, 0x45,
	0x76, 0x65, 0x6e, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x32, 0x5e,
	0x0a, 0x03, 0x43, 0x4e, 0x49, 0x12, 0x57, 0x0a, 0x11, 0x43, 0x4e, 0x49, 0x43, 0x6f, 0x6e, 0x74,
	0x61, 0x69, 0x6e, 0x65, 0x72, 0x45, 0x76, 0x65, 0x6e, 0x74, 0x12, 0x20, 0x2e, 0x70, 0x72, 0x6f,
	0x74, 0x6f, 0x73, 0x2e, 0x43, 0x4e, 0x49, 0x43, 0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x65, 0x72,
	0x45, 0x76, 0x65, 0x6e, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1e, 0x2e, 0x70,
	0x72, 0x6f, 0x74, 0x6f, 0x73, 0x2e, 0x43, 0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x65, 0x72, 0x45,
	0x76, 0x65, 0x6e, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x42, 0x0a,
	0x5a, 0x08, 0x2e, 0x3b, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x73, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74,
	0x6f, 0x33,
}

var (
	file_monitor_proto_rawDescOnce sync.Once
	file_monitor_proto_rawDescData = file_monitor_proto_rawDesc
)

func file_monitor_proto_rawDescGZIP() []byte {
	file_monitor_proto_rawDescOnce.Do(func() {
		file_monitor_proto_rawDescData = protoimpl.X.CompressGZIP(file_monitor_proto_rawDescData)
	})
	return file_monitor_proto_rawDescData
}

var file_monitor_proto_enumTypes = make([]protoimpl.EnumInfo, 1)
var file_monitor_proto_msgTypes = make([]protoimpl.MessageInfo, 3)
var file_monitor_proto_goTypes = []interface{}{
	(CNIContainerEventRequest_Type)(0), // 0: protos.CNIContainerEventRequest.Type
	(*RunCContainerEventRequest)(nil),  // 1: protos.RunCContainerEventRequest
	(*CNIContainerEventRequest)(nil),   // 2: protos.CNIContainerEventRequest
	(*ContainerEventResponse)(nil),     // 3: protos.ContainerEventResponse
	(*empty.Empty)(nil),                // 4: google.protobuf.Empty
}
var file_monitor_proto_depIdxs = []int32{
	0, // 0: protos.CNIContainerEventRequest.type:type_name -> protos.CNIContainerEventRequest.Type
	4, // 1: protos.RunC.RuncProxyStarted:input_type -> google.protobuf.Empty
	1, // 2: protos.RunC.RunCContainerEvent:input_type -> protos.RunCContainerEventRequest
	2, // 3: protos.CNI.CNIContainerEvent:input_type -> protos.CNIContainerEventRequest
	4, // 4: protos.RunC.RuncProxyStarted:output_type -> google.protobuf.Empty
	3, // 5: protos.RunC.RunCContainerEvent:output_type -> protos.ContainerEventResponse
	3, // 6: protos.CNI.CNIContainerEvent:output_type -> protos.ContainerEventResponse
	4, // [4:7] is the sub-list for method output_type
	1, // [1:4] is the sub-list for method input_type
	1, // [1:1] is the sub-list for extension type_name
	1, // [1:1] is the sub-list for extension extendee
	0, // [0:1] is the sub-list for field type_name
}

func init() { file_monitor_proto_init() }
func file_monitor_proto_init() {
	if File_monitor_proto != nil {
		return
	}
	if !protoimpl.UnsafeEnabled {
		file_monitor_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
			switch v := v.(*RunCContainerEventRequest); i {
			case 0:
				return &v.state
			case 1:
				return &v.sizeCache
			case 2:
				return &v.unknownFields
			default:
				return nil
			}
		}
		file_monitor_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} {
			switch v := v.(*CNIContainerEventRequest); i {
			case 0:
				return &v.state
			case 1:
				return &v.sizeCache
			case 2:
				return &v.unknownFields
			default:
				return nil
			}
		}
		file_monitor_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} {
			switch v := v.(*ContainerEventResponse); i {
			case 0:
				return &v.state
			case 1:
				return &v.sizeCache
			case 2:
				return &v.unknownFields
			default:
				return nil
			}
		}
	}
	type x struct{}
	out := protoimpl.TypeBuilder{
		File: protoimpl.DescBuilder{
			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
			RawDescriptor: file_monitor_proto_rawDesc,
			NumEnums:      1,
			NumMessages:   3,
			NumExtensions: 0,
			NumServices:   2,
		},
		GoTypes:           file_monitor_proto_goTypes,
		DependencyIndexes: file_monitor_proto_depIdxs,
		EnumInfos:         file_monitor_proto_enumTypes,
		MessageInfos:      file_monitor_proto_msgTypes,
	}.Build()
	File_monitor_proto = out.File
	file_monitor_proto_rawDesc = nil
	file_monitor_proto_goTypes = nil
	file_monitor_proto_depIdxs = nil
}

// Reference imports to suppress errors if they are not otherwise used.
var _ context.Context
var _ grpc.ClientConnInterface

// This is a compile-time assertion to ensure that this generated file
// is compatible with the grpc package it is being compiled against.
const _ = grpc.SupportPackageIsVersion6

// RunCClient is the client API for RunC service.
//
// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://godoc.org/google.golang.org/grpc#ClientConn.NewStream.
type RunCClient interface {
	// RuncProxyStarted is called by the PCC agent once the runc proxy has been started
	RuncProxyStarted(ctx context.Context, in *empty.Empty, opts ...grpc.CallOption) (*empty.Empty, error)
	// ContainerEvent will be invoked by the runc proxy on the following events at this point:
	// - ‘runc start’
	// - 'runc delete'
	RunCContainerEvent(ctx context.Context, in *RunCContainerEventRequest, opts ...grpc.CallOption) (*ContainerEventResponse, error)
}

type runCClient struct {
	cc grpc.ClientConnInterface
}

func NewRunCClient(cc grpc.ClientConnInterface) RunCClient {
	return &runCClient{cc}
}

func (c *runCClient) RuncProxyStarted(ctx context.Context, in *empty.Empty, opts ...grpc.CallOption) (*empty.Empty, error) {
	out := new(empty.Empty)
	err := c.cc.Invoke(ctx, "/protos.RunC/RuncProxyStarted", in, out, opts...)
	if err != nil {
		return nil, err
	}
	return out, nil
}

func (c *runCClient) RunCContainerEvent(ctx context.Context, in *RunCContainerEventRequest, opts ...grpc.CallOption) (*ContainerEventResponse, error) {
	out := new(ContainerEventResponse)
	err := c.cc.Invoke(ctx, "/protos.RunC/RunCContainerEvent", in, out, opts...)
	if err != nil {
		return nil, err
	}
	return out, nil
}

// RunCServer is the server API for RunC service.
type RunCServer interface {
	// RuncProxyStarted is called by the PCC agent once the runc proxy has been started
	RuncProxyStarted(context.Context, *empty.Empty) (*empty.Empty, error)
	// ContainerEvent will be invoked by the runc proxy on the following events at this point:
	// - ‘runc start’
	// - 'runc delete'
	RunCContainerEvent(context.Context, *RunCContainerEventRequest) (*ContainerEventResponse, error)
}

// UnimplementedRunCServer can be embedded to have forward compatible implementations.
type UnimplementedRunCServer struct {
}

func (*UnimplementedRunCServer) RuncProxyStarted(context.Context, *empty.Empty) (*empty.Empty, error) {
	return nil, status.Errorf(codes.Unimplemented, "method RuncProxyStarted not implemented")
}
func (*UnimplementedRunCServer) RunCContainerEvent(context.Context, *RunCContainerEventRequest) (*ContainerEventResponse, error) {
	return nil, status.Errorf(codes.Unimplemented, "method RunCContainerEvent not implemented")
}

func RegisterRunCServer(s *grpc.Server, srv RunCServer) {
	s.RegisterService(&_RunC_serviceDesc, srv)
}

func _RunC_RuncProxyStarted_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
	in := new(empty.Empty)
	if err := dec(in); err != nil {
		return nil, err
	}
	if interceptor == nil {
		return srv.(RunCServer).RuncProxyStarted(ctx, in)
	}
	info := &grpc.UnaryServerInfo{
		Server:     srv,
		FullMethod: "/protos.RunC/RuncProxyStarted",
	}
	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
		return srv.(RunCServer).RuncProxyStarted(ctx, req.(*empty.Empty))
	}
	return interceptor(ctx, in, info, handler)
}

func _RunC_RunCContainerEvent_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
	in := new(RunCContainerEventRequest)
	if err := dec(in); err != nil {
		return nil, err
	}
	if interceptor == nil {
		return srv.(RunCServer).RunCContainerEvent(ctx, in)
	}
	info := &grpc.UnaryServerInfo{
		Server:     srv,
		FullMethod: "/protos.RunC/RunCContainerEvent",
	}
	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
		return srv.(RunCServer).RunCContainerEvent(ctx, req.(*RunCContainerEventRequest))
	}
	return interceptor(ctx, in, info, handler)
}

var _RunC_serviceDesc = grpc.ServiceDesc{
	ServiceName: "protos.RunC",
	HandlerType: (*RunCServer)(nil),
	Methods: []grpc.MethodDesc{
		{
			MethodName: "RuncProxyStarted",
			Handler:    _RunC_RuncProxyStarted_Handler,
		},
		{
			MethodName: "RunCContainerEvent",
			Handler:    _RunC_RunCContainerEvent_Handler,
		},
	},
	Streams:  []grpc.StreamDesc{},
	Metadata: "monitor.proto",
}

// CNIClient is the client API for CNI service.
//
// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://godoc.org/google.golang.org/grpc#ClientConn.NewStream.
type CNIClient interface {
	// ContainerEvent will be invoked by the CNI plugin on the following events at this point:
	// - ‘cmdADD start’
	// - 'cmdDEL delete'
	CNIContainerEvent(ctx context.Context, in *CNIContainerEventRequest, opts ...grpc.CallOption) (*ContainerEventResponse, error)
}

type cNIClient struct {
	cc grpc.ClientConnInterface
}

func NewCNIClient(cc grpc.ClientConnInterface) CNIClient {
	return &cNIClient{cc}
}

func (c *cNIClient) CNIContainerEvent(ctx context.Context, in *CNIContainerEventRequest, opts ...grpc.CallOption) (*ContainerEventResponse, error) {
	out := new(ContainerEventResponse)
	err := c.cc.Invoke(ctx, "/protos.CNI/CNIContainerEvent", in, out, opts...)
	if err != nil {
		return nil, err
	}
	return out, nil
}

// CNIServer is the server API for CNI service.
type CNIServer interface {
	// ContainerEvent will be invoked by the CNI plugin on the following events at this point:
	// - ‘cmdADD start’
	// - 'cmdDEL delete'
	CNIContainerEvent(context.Context, *CNIContainerEventRequest) (*ContainerEventResponse, error)
}

// UnimplementedCNIServer can be embedded to have forward compatible implementations.
type UnimplementedCNIServer struct {
}

func (*UnimplementedCNIServer) CNIContainerEvent(context.Context, *CNIContainerEventRequest) (*ContainerEventResponse, error) {
	return nil, status.Errorf(codes.Unimplemented, "method CNIContainerEvent not implemented")
}

func RegisterCNIServer(s *grpc.Server, srv CNIServer) {
	s.RegisterService(&_CNI_serviceDesc, srv)
}

func _CNI_CNIContainerEvent_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
	in := new(CNIContainerEventRequest)
	if err := dec(in); err != nil {
		return nil, err
	}
	if interceptor == nil {
		return srv.(CNIServer).CNIContainerEvent(ctx, in)
	}
	info := &grpc.UnaryServerInfo{
		Server:     srv,
		FullMethod: "/protos.CNI/CNIContainerEvent",
	}
	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
		return srv.(CNIServer).CNIContainerEvent(ctx, req.(*CNIContainerEventRequest))
	}
	return interceptor(ctx, in, info, handler)
}

var _CNI_serviceDesc = grpc.ServiceDesc{
	ServiceName: "protos.CNI",
	HandlerType: (*CNIServer)(nil),
	Methods: []grpc.MethodDesc{
		{
			MethodName: "CNIContainerEvent",
			Handler:    _CNI_CNIContainerEvent_Handler,
		},
	},
	Streams:  []grpc.StreamDesc{},
	Metadata: "monitor.proto",
}


================================================
FILE: monitor/api/spec/protos/monitor.proto
================================================
syntax = "proto3";
option go_package = ".;protos";
package protos;

import "google/protobuf/empty.proto";

// RunCClient is the API between runc-proxy  and  enforcerd
service RunC {
    // RuncProxyStarted is called by the PCC agent once the runc proxy has been started
    rpc RuncProxyStarted (google.protobuf.Empty) returns (google.protobuf.Empty) {}

 
    // ContainerEvent will be invoked by the runc proxy on the following events at this point:
    // - ‘runc start’
    // - 'runc delete'
    rpc RunCContainerEvent (RunCContainerEventRequest) returns (ContainerEventResponse) {} 
}

// CNIClient is the API between cni-plugin  and  enforcerd
service CNI {
    // ContainerEvent will be invoked by the CNI plugin on the following events at this point:
    // - ‘cmdADD start’
    // - 'cmdDEL delete'
    rpc CNIContainerEvent (CNIContainerEventRequest) returns (ContainerEventResponse) {} 
}

message RunCContainerEventRequest {
    repeated string commandLine = 1; // the full commandline of the runc command incl. flags, etc. - this is expected to come from `os.Args`
}

message CNIContainerEventRequest {
    enum Type {
        ADD = 0;
        DELETE = 1;
    }
    Type type = 1;
    string containerID	= 2;
    string netnsPath = 3;
    string podName = 4;
    string podNamespace = 5;
}

message ContainerEventResponse {
    string errorMessage = 1; // errorMessage will be empty on success, and have an error message set only on an error
}


================================================
FILE: monitor/config/config.go
================================================
package config

import (
	"fmt"
	"strings"
	"sync"

	"go.aporeto.io/enforcerd/trireme-lib/collector"
	"go.aporeto.io/enforcerd/trireme-lib/monitor/external"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
)

// Type specifies the type of monitors supported.
type Type int

// Types supported.
const (
	Docker Type = iota + 1
	LinuxProcess
	LinuxHost
	K8s
	Windows
)

// MonitorConfig specifies the configs for monitors.
type MonitorConfig struct {
	Common    *ProcessorConfig
	MergeTags []string
	Monitors  map[Type]interface{}
}

// String returns the configuration in string
func (c *MonitorConfig) String() string {
	buf := fmt.Sprintf("MergeTags:[%s] ", strings.Join(c.MergeTags, ","))
	buf += fmt.Sprintf("Common:%+v ", c.Common)
	buf += fmt.Sprintf("Monitors:{") // nolint
	for k, v := range c.Monitors {
		buf += fmt.Sprintf("{%d:%+v},", k, v)
	}
	buf += fmt.Sprintf("}") // nolint:gosimple // lint:ignore S1039
	return buf
}

// ProcessorConfig holds configuration for the processors
type ProcessorConfig struct {
	Collector           collector.EventCollector
	Policy              policy.Resolver
	ExternalEventSender []external.ReceiverRegistration
	MergeTags           []string
	ResyncLock          *sync.RWMutex
}

// IsComplete checks if configuration is complete
func (c *ProcessorConfig) IsComplete() error {

	if c.Collector == nil {
		return fmt.Errorf("Missing configuration: collector")
	}

	if c.Policy == nil {
		return fmt.Errorf("Missing configuration: puHandler")
	}
	if c.ResyncLock == nil {
		return fmt.Errorf("Missing resyncLock: puHandler")
	}
	// not all monitors implement external.ReceiveEvents
	// so ExternalEventSender is optional

	return nil
}


================================================
FILE: monitor/constants/constants.go
================================================
package constants

const (
	// DefaultDockerSocket is the default socket to use to communicate with docker
	// it is canonicalized with utils.GetPathOnHostViaProcRoot() at point of use
	DefaultDockerSocket = "/var/run/docker.sock"

	// DefaultDockerSocketType is unix
	DefaultDockerSocketType = "unix"

	// K8sPodName is pod name of K8s pod.
	K8sPodName = "io.kubernetes.pod.name"

	// K8sPodNamespace is the namespace of K8s pod.
	K8sPodNamespace = "io.kubernetes.pod.namespace"
)

const (
	// DockerHostMode is the string of the network mode that indicates a host namespace
	DockerHostMode = "host"
	// DockerLinkedMode is the string of the network mode that indicates shared network namespace
	DockerLinkedMode = "container:"

	// DockerHostPUID represents the PUID of the host network container.
	DockerHostPUID = "HostPUID"

	// UserLabelPrefix is the label prefix for all user defined labels
	UserLabelPrefix = "@usr:"
)

const (
	// K8sMonitorRegistrationName is used as the registration constant with the external sender (gRPC server)
	K8sMonitorRegistrationName = "k8sMonitor"

	// MonitorExtSenderName is the name of the monitor that registers with the trireme monitors to send events
	MonitorExtSenderName = "grpcMonitorServer"
)


================================================
FILE: monitor/external/interfaces.go
================================================
package external

import (
	"context"

	"go.aporeto.io/enforcerd/trireme-lib/common"
)

// ReceiveEvents can be implemented by monitors which receive their monitoring events
// for processing from different parts of the stack.
type ReceiveEvents interface {
	// Event will receive event `data` for processing a common.Event in the monitor.
	// The sent data is implementation specific - therefore it has no type in the interface.
	// If the sent data is of an unexpected type, its implementor must return an error
	// indicating so.
	Event(ctx context.Context, ev common.Event, data interface{}) error

	// SenderReady will be called by the sender to notify the receiver that the sender
	// is now ready to send events.
	SenderReady()
}

// ReceiverRegistration allows the trireme monitors to register themselves to receive events
// from an implementor. This interface is expected to be implemented outside of the monitor
// for the component which generates the event data for the registering monitor.
// The implementor must have a unique name which gets returned from `SenderName()`.
// The implementor is responsible for calling `Event()` on all monitors once they have
// registered through `Register()`.
type ReceiverRegistration interface {
	// SenderName must return a globally unique name of the implementor.
	SenderName() string

	// Register will register the given `monitor` for receiving events under `name`.
	// The registering monitor must implement `ReceiveEvents` before it can register.
	// Multiple calls to this function for the same `name` must update the internal
	// state of the implementor to now send events to the newly regitered monitor of this
	// name. Only one registration of a monitor of the same name is allowed.
	Register(name string, monitor ReceiveEvents) error
}


================================================
FILE: monitor/external/mockexternal/mockinterfaces.go
================================================
// Code generated by MockGen. DO NOT EDIT.
// Source: go.aporeto.io/enforcerd/trireme-lib/monitor/external (interfaces: ReceiveEvents,ReceiverRegistration)

// Package mockexternal is a generated GoMock package.
package mockexternal

import (
	context "context"
	gomock "github.com/golang/mock/gomock"
	common "go.aporeto.io/enforcerd/trireme-lib/common"
	external "go.aporeto.io/enforcerd/trireme-lib/monitor/external"
	reflect "reflect"
)

// MockReceiveEvents is a mock of ReceiveEvents interface
type MockReceiveEvents struct {
	ctrl     *gomock.Controller
	recorder *MockReceiveEventsMockRecorder
}

// MockReceiveEventsMockRecorder is the mock recorder for MockReceiveEvents
type MockReceiveEventsMockRecorder struct {
	mock *MockReceiveEvents
}

// NewMockReceiveEvents creates a new mock instance
func NewMockReceiveEvents(ctrl *gomock.Controller) *MockReceiveEvents {
	mock := &MockReceiveEvents{ctrl: ctrl}
	mock.recorder = &MockReceiveEventsMockRecorder{mock}
	return mock
}

// EXPECT returns an object that allows the caller to indicate expected use
func (m *MockReceiveEvents) EXPECT() *MockReceiveEventsMockRecorder {
	return m.recorder
}

// Event mocks base method
func (m *MockReceiveEvents) Event(arg0 context.Context, arg1 common.Event, arg2 interface{}) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "Event", arg0, arg1, arg2)
	ret0, _ := ret[0].(error)
	return ret0
}

// Event indicates an expected call of Event
func (mr *MockReceiveEventsMockRecorder) Event(arg0, arg1, arg2 interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Event", reflect.TypeOf((*MockReceiveEvents)(nil).Event), arg0, arg1, arg2)
}

// SenderReady mocks base method
func (m *MockReceiveEvents) SenderReady() {
	m.ctrl.T.Helper()
	m.ctrl.Call(m, "SenderReady")
}

// SenderReady indicates an expected call of SenderReady
func (mr *MockReceiveEventsMockRecorder) SenderReady() *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SenderReady", reflect.TypeOf((*MockReceiveEvents)(nil).SenderReady))
}

// MockReceiverRegistration is a mock of ReceiverRegistration interface
type MockReceiverRegistration struct {
	ctrl     *gomock.Controller
	recorder *MockReceiverRegistrationMockRecorder
}

// MockReceiverRegistrationMockRecorder is the mock recorder for MockReceiverRegistration
type MockReceiverRegistrationMockRecorder struct {
	mock *MockReceiverRegistration
}

// NewMockReceiverRegistration creates a new mock instance
func NewMockReceiverRegistration(ctrl *gomock.Controller) *MockReceiverRegistration {
	mock := &MockReceiverRegistration{ctrl: ctrl}
	mock.recorder = &MockReceiverRegistrationMockRecorder{mock}
	return mock
}

// EXPECT returns an object that allows the caller to indicate expected use
func (m *MockReceiverRegistration) EXPECT() *MockReceiverRegistrationMockRecorder {
	return m.recorder
}

// Register mocks base method
func (m *MockReceiverRegistration) Register(arg0 string, arg1 external.ReceiveEvents) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "Register", arg0, arg1)
	ret0, _ := ret[0].(error)
	return ret0
}

// Register indicates an expected call of Register
func (mr *MockReceiverRegistrationMockRecorder) Register(arg0, arg1 interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Register", reflect.TypeOf((*MockReceiverRegistration)(nil).Register), arg0, arg1)
}

// SenderName mocks base method
func (m *MockReceiverRegistration) SenderName() string {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "SenderName")
	ret0, _ := ret[0].(string)
	return ret0
}

// SenderName indicates an expected call of SenderName
func (mr *MockReceiverRegistrationMockRecorder) SenderName() *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SenderName", reflect.TypeOf((*MockReceiverRegistration)(nil).SenderName))
}


================================================
FILE: monitor/extractors/constants.go
================================================
// +build !windows

package extractors

// OSHostString holds the OS host string
const OSHostString = "linux"


================================================
FILE: monitor/extractors/constants_windows.go
================================================
package extractors

// OSHostString holds the windows host string
const OSHostString = "windows"


================================================
FILE: monitor/extractors/docker.go
================================================
package extractors

import (
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"os/exec"
	"strconv"
	"strings"

	"github.com/docker/docker/api/types"
	"go.aporeto.io/enforcerd/trireme-lib/common"
	"go.aporeto.io/enforcerd/trireme-lib/monitor/constants"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
	"go.aporeto.io/enforcerd/trireme-lib/utils/cgnetcls"
	"go.aporeto.io/enforcerd/trireme-lib/utils/portspec"
)

// A DockerMetadataExtractor is a function used to extract a *policy.PURuntime from a given
// docker ContainerJSON.
type DockerMetadataExtractor func(*types.ContainerJSON) (*policy.PURuntime, error)

// DefaultMetadataExtractor is the default metadata extractor for Docker
func DefaultMetadataExtractor(info *types.ContainerJSON) (*policy.PURuntime, error) {

	// trigger new build
	tags := policy.NewTagStore()
	tags.AppendKeyValue("@app:image", info.Config.Image)
	tags.AppendKeyValue("@app:extractor", "docker")
	tags.AppendKeyValue("@app:docker:name", info.Name)

	for k, v := range info.Config.Labels {
		if len(strings.TrimSpace(k)) == 0 {
			continue
		}
		value := v
		if len(v) == 0 {
			value = "<empty>"
		}
		if !strings.HasPrefix(k, constants.UserLabelPrefix) {
			tags.AppendKeyValue(constants.UserLabelPrefix+k, value)
		} else {
			tags.AppendKeyValue(k, value)
		}
	}

	ipa := policy.ExtendedMap{
		"bridge": info.NetworkSettings.IPAddress,
	}

	if info.HostConfig.NetworkMode == constants.DockerHostMode {
		return policy.NewPURuntime(info.Name, info.State.Pid, "", tags, ipa, common.LinuxProcessPU, policy.None, hostModeOptions(info)), nil
	}

	return policy.NewPURuntime(info.Name, info.State.Pid, "", tags, ipa, common.ContainerPU, policy.None, nil), nil
}

// hostModeOptions creates the default options for a host-mode container. This is done
// based on the policy and the metadata extractor logic and can very by implementation
func hostModeOptions(dockerInfo *types.ContainerJSON) *policy.OptionsType {

	options := policy.OptionsType{
		CgroupName: strconv.Itoa(dockerInfo.State.Pid),
		CgroupMark: strconv.FormatUint(cgnetcls.MarkVal(), 10),
		AutoPort:   true,
	}

	for p := range dockerInfo.Config.ExposedPorts {
		if p.Proto() == "tcp" {
			s, err := portspec.NewPortSpecFromString(p.Port(), nil)
			if err != nil {
				continue
			}

			options.Services = append(options.Services, common.Service{
				Protocol: uint8(6),
				Ports:    s,
			})
		}
	}

	return &options
}

// NewExternalExtractor returns a new bash metadata extractor for Docker that will call
// the executable given in parameter and will generate a Policy Runtime as standard output
// The format of Input/Output of the executable are in standard JSON.
func NewExternalExtractor(filePath string) (DockerMetadataExtractor, error) {

	if filePath == "" {
		return nil, errors.New("file argument is empty in bash extractor")
	}

	path, err := exec.LookPath(filePath)
	if err != nil {
		return nil, fmt.Errorf("exec file not found %s: %s", filePath, err)
	}

	if _, err := os.Stat(path); os.IsNotExist(err) {
		return nil, fmt.Errorf("exec file not found %s: %s", filePath, err)
	}

	// Generate a new function
	externalExtractor := func(dockerInfo *types.ContainerJSON) (*policy.PURuntime, error) {

		dockerInfoJSON, err := json.Marshal(dockerInfo)
		if err != nil {
			return nil, fmt.Errorf("unable to marshal docker info: %s", err)
		}

		cmd := exec.Command(path, string(dockerInfoJSON))
		jsonResult, err := cmd.Output()
		if err != nil {
			return nil, fmt.Errorf("unable to run bash extractor: %s", err)
		}

		var m policy.PURuntime
		err = json.Unmarshal(jsonResult, &m)
		if err != nil {
			return nil, fmt.Errorf("unable to unmarshal data from bash extractor: %s", err)
		}

		return &m, nil
	}

	return externalExtractor, nil
}


================================================
FILE: monitor/extractors/docker_test.go
================================================
// +build !windows

package extractors

import (
	"bufio"
	"fmt"
	"os"
	"testing"

	"github.com/docker/docker/api/types"
	"github.com/docker/docker/api/types/container"
	"go.aporeto.io/enforcerd/trireme-lib/monitor/constants"
)

func TestDefaultMetadataExtractor(t *testing.T) {
	info := &types.ContainerJSON{
		ContainerJSONBase: &types.ContainerJSONBase{
			Name:  "name",
			State: &types.ContainerState{},
			HostConfig: &container.HostConfig{
				NetworkMode: constants.DockerHostMode,
			},
		},
		NetworkSettings: &types.NetworkSettings{
			DefaultNetworkSettings: types.DefaultNetworkSettings{
				IPAddress: "10.0.0.1",
			},
		},
		Config: &container.Config{
			Image: "image",
			Labels: map[string]string{
				"   ":            "remove me",
				"empty-label":    "",
				"standard-label": "one",
			},
		},
	}

	pu, err := DefaultMetadataExtractor(info)
	if err != nil {
		t.Error(err)
	}
	var foundEmptyTag bool
	for _, tag := range pu.Tags().GetSlice() {
		if tag == "@usr:empty-label=<empty>" {
			foundEmptyTag = true
			break
		}
	}
	if !foundEmptyTag {
		t.Error("empty tag not found")
	}
}

func TestCreate(t *testing.T) {
	// Test for Empty file.
	_, err := NewExternalExtractor("")
	if err == nil {
		t.Errorf("Expected Error, but got none")
	}

	// Test for NonExistent file.
	_, err = NewExternalExtractor("/tmp/abcde.test")
	if err == nil {
		t.Errorf("Expected Error, but got none")
	}
}

const testfile = `#!/bin/sh
echo '{"Pid":16823,"Name":"/stoic_snyder","IPAddresses":{"bridge":"172.17.0.2"},"Tags":{"image":"nginx","name":"/stoic_snyder"}}'
`

func createFileTest(destination string) error {

	fileHandle, err := os.Create(destination)
	if err != nil {
		return err
	}
	writer := bufio.NewWriter(fileHandle)
	fmt.Fprintln(writer, testfile)
	writer.Flush() // nolint: errcheck
	return nil
}

func TestReturnedFunc(t *testing.T) {

	if err := createFileTest("/tmp/test.sh"); err != nil {
		t.Skipf("Skip test because no support for writing files to /tmp")
	}
	function, err := NewExternalExtractor("/tmp/test.sh")
	if err != nil {
		t.Skipf("Skip test because no support for writing files to /tmp")
	}
	_, err = function(nil)
	if err != nil {
		t.Errorf("Failed to create extractor")
	}
}


================================================
FILE: monitor/extractors/error.go
================================================
package extractors

import (
	"fmt"
)

type errNetclsAlreadyProgrammed struct {
	mark string
}

func (e *errNetclsAlreadyProgrammed) Error() string {
	return fmt.Sprintf("net_cls cgroup already programmed with mark %s", e.mark)
}

// ErrNetclsAlreadyProgrammed is returned from the NetclsProgrammer when the net_cls cgroup for this pod has already been programmed
func ErrNetclsAlreadyProgrammed(mark string) error {
	return &errNetclsAlreadyProgrammed{mark: mark}
}

// ErrNoHostNetworkPod is returned from the NetclsProgrammer if the given pod is not a host network pod.
var ErrNoHostNetworkPod = fmt.Errorf("pod is not a host network pod")

// IsErrNetclsAlreadyProgrammed checks if the provided error is an ErrNetclsAlreadyProgrammed error
func IsErrNetclsAlreadyProgrammed(err error) bool {
	switch err.(type) {
	case *errNetclsAlreadyProgrammed:
		return true
	default:
		return false
	}
}

// IsErrNoHostNetworkPod checks if the provided error is an ErrNoHostNetworkPod error
func IsErrNoHostNetworkPod(err error) bool {
	return err.Error() == ErrNoHostNetworkPod.Error()
}


================================================
FILE: monitor/extractors/error_test.go
================================================
package extractors

import (
	"fmt"
	"testing"

	. "github.com/smartystreets/goconvey/convey"
)

func TestErrors(t *testing.T) {
	Convey("Testing ErrNetclsAlreadyProgrammed handling functions", t, func() {
		err := ErrNetclsAlreadyProgrammed("mark")
		So(err, ShouldNotBeNil)

		expected := fmt.Sprintf("net_cls cgroup already programmed with mark %s", "mark")
		So(err.Error(), ShouldEqual, expected)

		So(IsErrNetclsAlreadyProgrammed(err), ShouldBeTrue)
		So(IsErrNetclsAlreadyProgrammed(ErrNoHostNetworkPod), ShouldBeFalse)
	})
	Convey("Testing ErrNoHostNetworkPod handling functions", t, func() {
		So(IsErrNoHostNetworkPod(ErrNoHostNetworkPod), ShouldBeTrue)
		So(IsErrNoHostNetworkPod(fmt.Errorf("random")), ShouldBeFalse)
	})
}


================================================
FILE: monitor/extractors/interface.go
================================================
package extractors

import (
	"context"

	"go.aporeto.io/enforcerd/trireme-lib/common"
	"go.aporeto.io/enforcerd/trireme-lib/policy"

	corev1 "k8s.io/api/core/v1"
)

// EventMetadataExtractor is a function used to extract a *policy.PURuntime from a given
// EventInfo. The EventInfo is generic and is provided over the RPC interface
type EventMetadataExtractor func(*common.EventInfo) (*policy.PURuntime, error)

// PodMetadataExtractor is a function used to extract a *policy.PURuntime from a given
// Kubernetes pod. It can furthermore extract more information using the client.
// The 5th argument (bool) indicates if a network namespace should get extracted
type PodMetadataExtractor func(context.Context, *corev1.Pod, string) (*policy.PURuntime, error)

// PodPidsSetMaxProcsProgrammer is a function used to program the pids cgroup of a pod for Trireme.
type PodPidsSetMaxProcsProgrammer func(ctx context.Context, pod *corev1.Pod, maxProcs int) error


================================================
FILE: monitor/extractors/kubernetes.go
================================================
package extractors

import (
	"fmt"
	"strings"

	"go.aporeto.io/trireme-lib/policy"
	"go.uber.org/zap"
	api "k8s.io/api/core/v1"
)

// KubernetesPodNameIdentifier is the label used by Docker for the K8S pod name.
const KubernetesPodNameIdentifier = "@usr:io.kubernetes.pod.name"

// KubernetesPodNamespaceIdentifier is the label used by Docker for the K8S namespace.
const KubernetesPodNamespaceIdentifier = "@usr:io.kubernetes.pod.namespace"

// KubernetesContainerNameIdentifier is the label used by Docker for the K8S container name.
const KubernetesContainerNameIdentifier = "@usr:io.kubernetes.container.name"

// KubernetesInfraContainerName is the name of the infra POD.
const KubernetesInfraContainerName = "POD"

// UpstreamOldNameIdentifier is the identifier used to identify the nane on the resulting PU
// TODO: Remove OLDTAGS
const UpstreamOldNameIdentifier = "@k8s:name"

// UpstreamNameIdentifier is the identifier used to identify the nane on the resulting PU
const UpstreamNameIdentifier = "@app:k8s:name"

// UpstreamOldNamespaceIdentifier is the identifier used to identify the nanespace on the resulting PU
const UpstreamOldNamespaceIdentifier = "@k8s:namespace"

// UpstreamNamespaceIdentifier is the identifier used to identify the nanespace on the resulting PU
const UpstreamNamespaceIdentifier = "@app:k8s:namespace"

// UserLabelPrefix is the label prefix for all user defined labels
const UserLabelPrefix = "@usr:"

// KubernetesMetadataExtractorType is an extractor function for Kubernetes.
// It takes as parameter a standard Docker runtime and a Pod Kubernetes definition and return a PolicyRuntime
// This extractor also provides an extra boolean parameter that is used as a token to decide if activation is required.
type KubernetesMetadataExtractorType func(runtime policy.RuntimeReader, pod *api.Pod) (*policy.PURuntime, bool, error)

// DefaultKubernetesMetadataExtractor is a default implementation for the medatadata extractor for Kubernetes
// It only activates the POD//INFRA containers and strips all the labels from docker to only keep the ones from Kubernetes
func DefaultKubernetesMetadataExtractor(runtime policy.RuntimeReader, pod *api.Pod) (*policy.PURuntime, bool, error) {

	if runtime == nil {
		return nil, false, fmt.Errorf("empty runtime")
	}

	if pod == nil {
		return nil, false, fmt.Errorf("empty pod")
	}

	// In this specific metadataExtractor we only want to activate the Infra Container for each pod.
	if !isPodInfraContainer(runtime) {
		return nil, false, nil
	}

	podLabels := pod.GetLabels()
	if podLabels == nil {
		podLabels = make(map[string]string)
	}
	for key, value := range podLabels {
		if len(strings.TrimSpace(key)) == 0 {
			delete(podLabels, key)
		}
		if len(value) == 0 {
			podLabels[key] = "<empty>"
		}
	}

	tags := policy.NewTagStoreFromMap(podLabels)
	tags.AppendKeyValue(UpstreamOldNameIdentifier, pod.GetName())
	tags.AppendKeyValue(UpstreamNameIdentifier, pod.GetName())
	tags.AppendKeyValue(UpstreamOldNamespaceIdentifier, pod.GetNamespace())
	tags.AppendKeyValue(UpstreamNamespaceIdentifier, pod.GetNamespace())

	originalRuntime, ok := runtime.(*policy.PURuntime)
	if !ok {
		return nil, false, fmt.Errorf("Error casting puruntime")
	}

	newRuntime := originalRuntime.Clone()
	newRuntime.SetTags(tags)

	zap.L().Debug("kubernetes runtime tags", zap.String("name", pod.GetName()), zap.String("namespace", pod.GetNamespace()), zap.Strings("tags", newRuntime.Tags().GetSlice()))

	return newRuntime, true, nil
}

// isPodInfraContainer returns true if the runtime represents the infra container for the POD
func isPodInfraContainer(runtime policy.RuntimeReader) bool {
	// The Infra container can be found by checking env. variable.
	tagContent, ok := runtime.Tag(KubernetesContainerNameIdentifier)
	if !ok || tagContent != KubernetesInfraContainerName {
		return false
	}

	return true
}


================================================
FILE: monitor/extractors/kubernetes_test.go
================================================
// +build !windows

package extractors

import (
	"testing"

	. "github.com/smartystreets/goconvey/convey"

	"go.aporeto.io/trireme-lib/policy"
	api "k8s.io/api/core/v1"
	corev1 "k8s.io/api/core/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

func TestDefaultKubernetesMetadataExtractor(t *testing.T) {
	Convey("TestDefaultKubernetesMetadataExtractor", t, func() {
		pod1 := &corev1.Pod{}
		pod1.SetName("test")
		pod1.SetNamespace("ns")
		pod1.SetLabels(map[string]string{
			"    ":        "removeme",
			"label":       "one",
			"empty-label": "",
		})

		pod2 := &corev1.Pod{
			ObjectMeta: metav1.ObjectMeta{
				Name:      "test2",
				Namespace: "ns",
			},
		}

		runtimeDocker := policy.NewPURuntimeWithDefaults()
		tags := runtimeDocker.Tags()
		tags.AppendKeyValue(KubernetesContainerNameIdentifier, "POD")
		runtimeDocker.SetTags(tags)

		runtimeResult1 := policy.NewPURuntimeWithDefaults()
		tags = runtimeResult1.Tags()
		tags.AppendKeyValue("label", "one")
		tags.AppendKeyValue("empty-label", "<empty>")
		tags.AppendKeyValue(UpstreamOldNameIdentifier, "test")
		tags.AppendKeyValue(UpstreamNameIdentifier, "test")
		tags.AppendKeyValue(UpstreamOldNamespaceIdentifier, "ns")
		tags.AppendKeyValue(UpstreamNamespaceIdentifier, "ns")
		runtimeResult1.SetTags(tags)

		runtimeResult2 := policy.NewPURuntimeWithDefaults()
		tags = runtimeResult2.Tags()
		tags.AppendKeyValue(UpstreamOldNameIdentifier, "test2")
		tags.AppendKeyValue(UpstreamNameIdentifier, "test2")
		tags.AppendKeyValue(UpstreamOldNamespaceIdentifier, "ns")
		tags.AppendKeyValue(UpstreamNamespaceIdentifier, "ns")
		runtimeResult2.SetTags(tags)

		type args struct {
			runtime policy.RuntimeReader
			pod     *api.Pod
		}
		tests := []struct {
			name    string
			args    args
			want    *policy.PURuntime
			want1   bool
			wantErr bool
		}{
			{
				name: "empty1",
				args: args{
					runtime: nil,
					pod:     &api.Pod{},
				},
				wantErr: true,
			},
			{
				name: "empty2",
				args: args{
					runtime: policy.NewPURuntimeWithDefaults(),
					pod:     nil,
				},
				wantErr: true,
			},
			{
				name: "Simple test, non Kubernetes Container",
				args: args{
					runtime: policy.NewPURuntimeWithDefaults(),
					pod:     pod1,
				},
				want:    nil,
				want1:   false,
				wantErr: false,
			},
			{
				name: "Simple test",
				args: args{
					runtime: runtimeDocker,
					pod:     pod1,
				},
				want:    runtimeResult1,
				want1:   true,
				wantErr: false,
			},
			{
				name: "Simple test 2",
				args: args{
					runtime: runtimeDocker,
					pod:     pod2,
				},
				want:    runtimeResult2,
				want1:   true,
				wantErr: false,
			},
		}
		for _, tt := range tests {
			Convey(tt.name, func() {
				got, got1, err := DefaultKubernetesMetadataExtractor(tt.args.runtime, tt.args.pod)
				So(err != nil, ShouldEqual, tt.wantErr)
				if got != nil && got.Tags() != nil {
					So(got.Tags().Tags, ShouldHaveLength, len(tt.want.Tags().Tags))
					for _, tag := range tt.want.Tags().Tags {
						So(got.Tags().Tags, ShouldContain, tag)
					}
				}
				So(got1, ShouldEqual, tt.want1)
			})
		}
	})
}


================================================
FILE: monitor/extractors/linux.go
================================================
package extractors

import (
	"debug/elf"
	"fmt"
	"os/user"
	"strconv"
	"strings"
	"time"

	"github.com/shirou/gopsutil/process"
	"go.aporeto.io/enforcerd/trireme-lib/common"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
	"go.aporeto.io/enforcerd/trireme-lib/utils/cgnetcls"
	portspec "go.aporeto.io/enforcerd/trireme-lib/utils/portspec"
)

// LinuxMetadataExtractorType is a type of Linux metadata extractors
type LinuxMetadataExtractorType func(event *common.EventInfo) (*policy.PURuntime, error)

// DefaultHostMetadataExtractor is a host specific metadata extractor
func DefaultHostMetadataExtractor(event *common.EventInfo) (*policy.PURuntime, error) {

	runtimeTags := policy.NewTagStore()

	for _, tag := range event.Tags {
		parts := strings.SplitN(tag, "=", 2)
		if len(parts) != 2 {
			return nil, fmt.Errorf("invalid tag: %s", tag)
		}
		runtimeTags.AppendKeyValue("@usr:"+parts[0], parts[1])
	}

	options := &policy.OptionsType{
		CgroupName: event.PUID,
		CgroupMark: strconv.FormatUint(cgnetcls.MarkVal(), 10),
		Services:   event.Services,
	}

	runtimeIps := policy.ExtendedMap{"bridge": "0.0.0.0/0"}

	return policy.NewPURuntime(event.Name, int(event.PID), "", runtimeTags, runtimeIps, event.PUType, policy.None, options), nil
}

// SystemdEventMetadataExtractor is a systemd based metadata extractor
// TODO: Remove OLDTAGS
func SystemdEventMetadataExtractor(event *common.EventInfo) (*policy.PURuntime, error) {

	runtimeTags := policy.NewTagStore()

	for _, tag := range event.Tags {
		parts := strings.SplitN(tag, "=", 2)
		if len(parts) != 2 {
			return nil, fmt.Errorf("invalid tag: %s", tag)
		}
		key, value := parts[0], parts[1]

		if strings.HasPrefix(key, "@app:linux:") {
			runtimeTags.AppendKeyValue(key, value)
			continue
		}

		runtimeTags.AppendKeyValue("@usr:"+key, value)
	}

	userdata := ProcessInfo(event.PID)

	for _, u := range userdata {
		runtimeTags.AppendKeyValue("@app:linux:"+u, "true")
	}

	runtimeTags.AppendKeyValue("@os:hostname", findFQDN(time.Second))

	options := policy.OptionsType{}
	for index, s := range event.Services {
		if s.Port != 0 && s.Ports == nil {
			if pspec, err := portspec.NewPortSpec(s.Port, s.Port, nil); err == nil {
				event.Services[index].Ports = pspec
				event.Services[index].Port = 0
			} else {
				return nil, fmt.Errorf("Invalid Port Spec %s", err)
			}
		}
	}
	options.Services = event.Services
	options.UserID, _ = runtimeTags.Get("@usr:originaluser")
	options.CgroupMark = strconv.FormatUint(cgnetcls.MarkVal(), 10)
	options.AutoPort = event.AutoPort

	runtimeIps := policy.ExtendedMap{"bridge": "0.0.0.0/0"}

	return policy.NewPURuntime(event.Name, int(event.PID), "", runtimeTags, runtimeIps, event.PUType, policy.None, &options), nil
}

// ProcessInfo returns all metadata captured by a process
func ProcessInfo(pid int32) []string {
	userdata := []string{}

	p, err := process.NewProcess(pid)
	if err != nil {
		return userdata
	}

	uids, err := p.Uids()
	if err != nil {
		return userdata
	}

	groups, err := p.Gids()
	if err != nil {
		return userdata
	}

	username, err := p.Username()
	if err != nil {
		return userdata
	}

	for _, uid := range uids {
		userdata = append(userdata, "uid:"+strconv.Itoa(int(uid)))
	}

	for _, gid := range groups {
		userdata = append(userdata, "gid:"+strconv.Itoa(int(gid)))
	}

	userdata = append(userdata, "username:"+username)

	userid, err := user.Lookup(username)
	if err != nil {
		return userdata
	}

	gids, err := userid.GroupIds()
	if err != nil {
		return userdata
	}

	for i := 0; i < len(gids); i++ {
		userdata = append(userdata, "gids:"+gids[i])
		group, err := user.LookupGroupId(gids[i])
		if err != nil {
			continue
		}
		userdata = append(userdata, "groups:"+group.Name)
	}

	return userdata
}

// Libs returns the list of dynamic library dependencies of an executable
func Libs(binpath string) []string {
	f, err := elf.Open(binpath)
	if err != nil {
		return []string{}
	}

	libraries, _ := f.ImportedLibraries()
	return libraries
}


================================================
FILE: monitor/extractors/linux_test.go
================================================
// +build linux windows

package extractors

import (
	"encoding/hex"
	"net"
	"reflect"
	"testing"
	"time"

	. "github.com/smartystreets/goconvey/convey"
	"go.aporeto.io/enforcerd/trireme-lib/common"
	"go.aporeto.io/enforcerd/trireme-lib/controller/constants"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
	portspec "go.aporeto.io/enforcerd/trireme-lib/utils/portspec"
)

func TestComputeFileMd5(t *testing.T) {

	Convey("When I calculate the MD5 of a bad file", t, func() {
		_, err := ComputeFileMd5("testdata/nofile")
		Convey("I should get an error", func() {
			So(err, ShouldNotBeNil)
		})
	})

	Convey("When I calculate the MD5 of a good file", t, func() {
		hash, err := ComputeFileMd5("testdata/curl")
		Convey("I should get no error and the right value", func() {
			So(err, ShouldBeNil)
			So(hex.EncodeToString(hash), ShouldResemble, "bf7e66d7bbd0465cfcba5b1cf68a9b59")
		})
	})
}

func TestFindFQDN(t *testing.T) {

	Convey("When I try to get the hostname of a good host", t, func() {
		hostname := findFQDN(1000 * time.Second)

		Convey("I should be able to resolve this hostname", func() {
			addr, err := net.LookupHost(hostname)
			So(err, ShouldBeNil)
			So(len(addr), ShouldBeGreaterThan, 0)
		})
	})
}

func TestLibs(t *testing.T) {

	Convey("When I try to get the libraries of a known binary", t, func() {
		libraries := Libs("./testdata/curl")
		Convey("I should get the execpted libraries", func() {
			So(len(libraries), ShouldEqual, 4)
			So(libraries, ShouldContain, "libcurl-gnutls.so.4")
			So(libraries, ShouldContain, "libz.so.1")
			So(libraries, ShouldContain, "libpthread.so.0")
			So(libraries, ShouldContain, "libc.so.6")
		})
	})

	Convey("When I try to get the libraries of a bad binary", t, func() {

		libraries := Libs("./testdata/nofile")
		Convey("I should get an empty array", func() {
			So(len(libraries), ShouldEqual, 0)
		})
	})
}

func TestSystemdEventMetadataExtractor(t *testing.T) {

	Convey("When I call the metadata extrator", t, func() {

		Convey("If all data are present", func() {
			event := &common.EventInfo{
				Name:       "./testdata/curl",
				Executable: "./testdata/curl",
				PID:        1234,
				PUID:       "/1234",
				Tags:       []string{"app=web"},
			}

			pu, err := SystemdEventMetadataExtractor(event)
			Convey("I should get no error and a valid PU runitime", func() {
				So(err, ShouldBeNil)
				So(pu, ShouldNotBeNil)
			})
		})
	})
}

func TestDefaultHostMetadataExtractor(t *testing.T) {

	Convey("When I call the host metadata extractor", t, func() {

		Convey("If its valid data", func() {

			s, _ := portspec.NewPortSpecFromString("1000", nil) // nolint
			services := []common.Service{
				{
					Protocol: uint8(6),
					Ports:    s,
				},
			}

			event := &common.EventInfo{
				Name:     "Web",
				PID:      1234,
				PUID:     "Web",
				Tags:     []string{"app=web"},
				Services: services,
			}

			pu, err := DefaultHostMetadataExtractor(event)
			Convey("I should get no error and a valid PU runtimg", func() {
				So(err, ShouldBeNil)
				So(pu, ShouldNotBeNil)
				So(pu.Options().CgroupName, ShouldResemble, "Web")
				So(pu.Options().Services, ShouldResemble, services)
			})
		})

		Convey("If I get invalid tags", func() {

			event := &common.EventInfo{
				Name: "Web",
				PID:  1234,
				PUID: "Web",
				Tags: []string{"invalid"},
			}

			_, err := DefaultHostMetadataExtractor(event)
			Convey("I should get an error", func() {
				So(err, ShouldNotBeNil)
			})
		})

		Convey("If I get an invalid PID", func() {

			event := &common.EventInfo{
				Name: "Web",
				PID:  -1233,
				PUID: "Web",
				Tags: []string{"invalid"},
			}

			_, err := DefaultHostMetadataExtractor(event)
			Convey("I should get an error", func() {
				So(err, ShouldNotBeNil)
			})
		})
	})
}

func Test_policyExtensions(t *testing.T) {
	type args struct {
		runtime policy.RuntimeReader
	}

	pur1 := policy.NewPURuntime("", 0, "", nil, nil, common.LinuxProcessPU, policy.None, nil)
	em1 := policy.ExtendedMap{
		"Key": "Value",
	}
	options := pur1.Options()
	options.PolicyExtensions = em1
	pur1.SetOptions(options)

	// 2nd Runtime
	pur2 := policy.NewPURuntime("", 0, "", nil, nil, common.LinuxProcessPU, policy.None, nil)
	options = pur2.Options()
	pur2.SetOptions(options)

	// 3rd runtime
	pur3 := policy.NewPURuntime("", 0, "", nil, nil, common.LinuxProcessPU, policy.None, nil)
	options = pur3.Options()
	options.PolicyExtensions = nil
	pur3.SetOptions(options)

	tests := []struct {
		name           string
		args           args
		wantExtensions policy.ExtendedMap
	}{
		// TODO: Add test cases.
		{
			name: "Test if runtime is nil",
			args: args{
				runtime: nil,
			},
			wantExtensions: nil,
		},
		{
			name: "Test if policy extensions are nil",
			args: args{
				runtime: pur3,
			},
			wantExtensions: nil,
		},
		{
			name: "Test if policy extensions are defined",
			args: args{
				runtime: pur1,
			},
			wantExtensions: em1,
		},
		{
			name: "Test if policy extensions are not defined",
			args: args{
				runtime: pur2,
			},
			wantExtensions: nil,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			if gotExtensions := policyExtensions(tt.args.runtime); !reflect.DeepEqual(gotExtensions, tt.wantExtensions) {
				t.Errorf("policyExtensions() = %v, want %v", gotExtensions, tt.wantExtensions)
			}
		})
	}
}

func TestIsHostmodePU(t *testing.T) {
	type args struct {
		runtime policy.RuntimeReader
		mode    constants.ModeType
	}

	pur1 := policy.NewPURuntime("", 0, "", nil, nil, common.HostPU, policy.None, nil)

	// 2nd Runtime
	pur2 := policy.NewPURuntime("", 0, "", nil, nil, common.HostNetworkPU, policy.None, nil)

	// 3rd runtime
	pur3 := policy.NewPURuntime("", 0, "", nil, nil, common.LinuxProcessPU, policy.None, nil)

	tests := []struct {
		name string
		args args
		want bool
	}{
		{
			name: "Test if pu type is Container",
			args: args{
				runtime: nil,
				mode:    constants.RemoteContainer,
			},
			want: false,
		},
		{
			name: "Test if PU type is hostpu",
			args: args{
				runtime: pur1,
				mode:    constants.LocalServer,
			},
			want: true,
		},
		{
			name: "Test if pu type is hostnetworkmode pu",
			args: args{
				runtime: pur2,
				mode:    constants.LocalServer,
			},
			want: true,
		},
		{
			name: "Test if pu type is linux pu",
			args: args{
				runtime: pur3,
				mode:    constants.LocalServer,
			},
			want: false,
		},
		{
			name: "Test invalid runtime",
			args: args{
				runtime: nil,
				mode:    constants.LocalServer,
			},
			want: false,
		},
	}

	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			if got := IsHostmodePU(tt.args.runtime, tt.args.mode); got != tt.want {
				t.Errorf("IsHostmodePU() = %v, want %v", got, tt.want)
			}
		})
	}
}

func TestIsHostPU(t *testing.T) {
	type args struct {
		runtime policy.RuntimeReader
		mode    constants.ModeType
	}

	pur1 := policy.NewPURuntime("", 0, "", nil, nil, common.HostPU, policy.None, nil)

	// 2nd Runtime
	pur2 := policy.NewPURuntime("", 0, "", nil, nil, common.HostNetworkPU, policy.None, nil)

	// 3rd runtime
	pur3 := policy.NewPURuntime("", 0, "", nil, nil, common.LinuxProcessPU, policy.None, nil)

	tests := []struct {
		name string
		args args
		want bool
	}{{
		name: "Test if pu type is Container",
		args: args{
			runtime: nil,
			mode:    constants.RemoteContainer,
		},
		want: false,
	},
		{
			name: "Test if PU type is hostpu",
			args: args{
				runtime: pur1,
				mode:    constants.LocalServer,
			},
			want: true,
		},
		{
			name: "Test if pu type is hostnetworkmode pu",
			args: args{
				runtime: pur2,
				mode:    constants.LocalServer,
			},
			want: false,
		},
		{
			name: "Test if pu type is linux pu",
			args: args{
				runtime: pur3,
				mode:    constants.LocalServer,
			},
			want: false,
		},
		{
			name: "Test invalid runtime",
			args: args{
				runtime: nil,
				mode:    constants.LocalServer,
			},
			want: false,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			if got := IsHostPU(tt.args.runtime, tt.args.mode); got != tt.want {
				t.Errorf("IsHostPU() = %v, want %v", got, tt.want)
			}
		})
	}
}


================================================
FILE: monitor/extractors/ssh.go
================================================
package extractors

import (
	"fmt"
	"strconv"
	"strings"

	"go.aporeto.io/trireme-lib/common"
	"go.aporeto.io/trireme-lib/policy"
	"go.aporeto.io/trireme-lib/utils/cgnetcls"
)

// SSHMetadataExtractor is a metadata extractor for ssh.
func SSHMetadataExtractor(event *common.EventInfo) (*policy.PURuntime, error) {

	runtimeTags := policy.NewTagStore()

	for _, tag := range event.Tags {
		parts := strings.SplitN(tag, "=", 2)
		if len(parts) != 2 {
			return nil, fmt.Errorf("invalid tag: %s", tag)
		}

		// This means we send something that is for internal purposes only
		// We add it as it is.
		if strings.HasPrefix(tag, "$") {
			runtimeTags.AppendKeyValue(parts[0], parts[1])
			continue
		}

		runtimeTags.AppendKeyValue("@user:ssh:"+parts[0], parts[1])
	}

	options := &policy.OptionsType{
		CgroupName: event.PUID,
		CgroupMark: strconv.FormatUint(cgnetcls.MarkVal(), 10),
	}

	runtimeIps := policy.ExtendedMap{"bridge": "0.0.0.0/0"}

	return policy.NewPURuntime(event.Name, int(event.PID), "", runtimeTags, runtimeIps, event.PUType, options), nil
}


================================================
FILE: monitor/extractors/ssh_test.go
================================================
// +build !windows

package extractors

import (
	"strconv"
	"testing"

	. "github.com/smartystreets/goconvey/convey"
	"go.aporeto.io/trireme-lib/common"
	"go.aporeto.io/trireme-lib/policy"
)

func testRuntime() *policy.PURuntime {

	tags := policy.NewTagStore()
	tags.AppendKeyValue("@user:ssh:app", "web")
	tags.AppendKeyValue("$cert", "ss")

	runtimeIps := policy.ExtendedMap{"bridge": "0.0.0.0/0"}
	options := &policy.OptionsType{
		CgroupName: "/1234",
		CgroupMark: strconv.FormatUint(104, 10),
	}

	return policy.NewPURuntime("curl", 1234, "", tags, runtimeIps, common.SSHSessionPU, options)
}

func TestSSHMetadataExtractor(t *testing.T) {

	Convey("When I call the ssh metadata extrator", t, func() {

		Convey("If all data are present", func() {
			event := &common.EventInfo{
				Name:   "curl",
				PID:    1234,
				PUID:   "/1234",
				PUType: common.SSHSessionPU,
				Tags:   []string{"app=web", "$cert=ss"},
			}

			pu, err := SSHMetadataExtractor(event)
			Convey("I should get no error and a valid PU runtime", func() {
				So(err, ShouldBeNil)
				So(pu, ShouldResemble, testRuntime())
			})
		})
	})
}


================================================
FILE: monitor/extractors/uid.go
================================================
package extractors

import (
	"fmt"
	"strconv"
	"strings"

	"go.aporeto.io/trireme-lib/common"
	"go.aporeto.io/trireme-lib/policy"
	"go.aporeto.io/trireme-lib/utils/cgnetcls"
)

// UIDMetadataExtractor is a metadata extractor for uid/gid.
func UIDMetadataExtractor(event *common.EventInfo) (*policy.PURuntime, error) {

	runtimeTags := policy.NewTagStore()

	for _, tag := range event.Tags {
		parts := strings.SplitN(tag, "=", 2)
		if len(parts) != 2 {
			return nil, fmt.Errorf("invalid tag: %s", tag)
		}
		// TODO: Remove OLDTAGS
		runtimeTags.AppendKeyValue("@sys:"+parts[0], parts[1])
		runtimeTags.AppendKeyValue("@app:linux:"+parts[0], parts[1])
	}

	if event.Name == "" {
		event.Name = event.PUID
	}

	// TODO: improve with additional information here.
	options := &policy.OptionsType{
		CgroupName: event.PUID,
		CgroupMark: strconv.FormatUint(cgnetcls.MarkVal(), 10),
		UserID:     event.PUID,
		Services:   event.Services,
	}

	runtimeIps := policy.ExtendedMap{"bridge": "0.0.0.0/0"}

	return policy.NewPURuntime(event.Name, int(event.PID), "", runtimeTags, runtimeIps, common.UIDLoginPU, options), nil
}


================================================
FILE: monitor/extractors/uid_test.go
================================================
// +build !windows

package extractors

import (
	"reflect"
	"strconv"
	"testing"

	"go.aporeto.io/trireme-lib/common"
	"go.aporeto.io/trireme-lib/policy"
)

func createDummyPolicy(event *common.EventInfo) *policy.PURuntime {
	runtimeTags := policy.NewTagStore()
	runtimeTags.AppendKeyValue("@sys:test", "valid")
	runtimeTags.AppendKeyValue("@app:linux:test", "valid")
	runtimeIps := policy.ExtendedMap{"bridge": "0.0.0.0/0"}
	options := &policy.OptionsType{
		CgroupName: event.PUID,
		CgroupMark: strconv.Itoa(105),
		UserID:     event.PUID,
		Services:   nil,
	}
	return policy.NewPURuntime(event.Name, int(event.PID), "", runtimeTags, runtimeIps, common.UIDLoginPU, options)
}
func TestUIDMetadataExtractor(t *testing.T) {
	var marshaledgot, marshalledwant []byte
	type args struct {
		event *common.EventInfo
	}
	e := &common.EventInfo{
		PID:      100,
		Name:     "TestPU",
		Tags:     []string{"test=valid"},
		PUID:     "TestPU",
		Services: nil,
		PUType:   common.LinuxProcessPU,
	}
	tests := []struct {
		name    string
		args    args
		want    *policy.PURuntime
		wantErr bool
	}{
		{
			name: "Invalid Tags",
			args: args{
				event: &common.EventInfo{
					Tags: []string{"InvalidTagFormat"},
				},
			},
			want:    nil,
			wantErr: true,
		},
		{
			name: "Valid Tags",
			args: args{
				event: e,
			},
			want:    createDummyPolicy(e),
			wantErr: false,
		},

		// TODO: Add test cases.
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			got, err := UIDMetadataExtractor(tt.args.event)
			if (err != nil) != tt.wantErr {
				t.Errorf("UIDMetadataExtractor() error = %v, wantErr %v", err, tt.wantErr)
				return
			}
			if got != nil && tt.want != nil {
				marshaledgot, _ = got.MarshalJSON()
				marshalledwant, _ = tt.want.MarshalJSON()
			}
			if !reflect.DeepEqual(marshaledgot, marshalledwant) {
				t.Errorf("\nUIDMetadataExtractor()\ngot  = %s\n, want %s\n", string(marshaledgot), string(marshalledwant))
			}
		})
	}
}


================================================
FILE: monitor/extractors/util.go
================================================
package extractors

import (
	"crypto/md5"
	"io"
	"os"
	"time"

	"go.aporeto.io/enforcerd/trireme-lib/common"
	"go.aporeto.io/enforcerd/trireme-lib/controller/constants"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
	"go.aporeto.io/enforcerd/trireme-lib/utils/fqdn"
)

// ComputeFileMd5 computes the Md5 of a file
func ComputeFileMd5(filePath string) ([]byte, error) {

	var result []byte
	file, err := os.Open(filePath)
	if err != nil {
		return result, err
	}
	defer file.Close() // nolint: errcheck

	hash := md5.New()
	if _, err := io.Copy(hash, file); err != nil {
		return result, err
	}

	return hash.Sum(result), nil
}

func findFQDN(expiration time.Duration) string {

	hostname, err := os.Hostname()
	if err != nil {
		return "unknown"
	}

	// Try to find FQDN
	globalHostname := make(chan string, 1)
	go func() {
		globalHostname <- fqdn.Find()

	}()

	// Use OS hostname if we dont hear back in a second
	select {
	case <-time.After(expiration):
		return hostname
	case name := <-globalHostname:
		return name
	}
}

// policyExtensions retrieves policy extensions. Moving this function from extractor package.
func policyExtensions(runtime policy.RuntimeReader) (extensions policy.ExtendedMap) {

	if runtime == nil {
		return nil
	}

	if runtime.Options().PolicyExtensions == nil {
		return nil
	}

	if extensions, ok := runtime.Options().PolicyExtensions.(policy.ExtendedMap); ok {
		return extensions
	}
	return nil
}

// IsHostmodePU returns true if puType stored by policy extensions is hostmode PU
func IsHostmodePU(runtime policy.RuntimeReader, mode constants.ModeType) bool {

	if runtime == nil {
		return false
	}

	if mode != constants.LocalServer {
		return false
	}

	return runtime.PUType() == common.HostPU || runtime.PUType() == common.HostNetworkPU
}

// IsHostPU returns true if puType stored by policy extensions is host PU
func IsHostPU(runtime policy.RuntimeReader, mode constants.ModeType) bool {

	if runtime == nil {
		return false
	}

	if mode != constants.LocalServer {
		return false
	}

	return runtime.PUType() == common.HostPU
}


================================================
FILE: monitor/extractors/windows.go
================================================
// +build windows

package extractors

import (
	"encoding/hex"
	"fmt"
	"os/user"
	"strconv"
	"strings"
	"time"

	"github.com/shirou/gopsutil/process"
	"go.aporeto.io/enforcerd/trireme-lib/common"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
	"go.aporeto.io/enforcerd/trireme-lib/utils/cgnetcls"
	portspec "go.aporeto.io/enforcerd/trireme-lib/utils/portspec"
)

// WindowsMetadataExtractorType is a type of Windows metadata extractors
type WindowsMetadataExtractorType func(event *common.EventInfo) (*policy.PURuntime, error)

// WindowsServiceEventMetadataExtractor is a windows service based metadata extractor
func WindowsServiceEventMetadataExtractor(event *common.EventInfo) (*policy.PURuntime, error) {

	runtimeTags := policy.NewTagStore()

	for _, tag := range event.Tags {
		parts := strings.SplitN(tag, "=", 2)
		if len(parts) != 2 {
			return nil, fmt.Errorf("invalid tag: %s", tag)
		}
		key, value := parts[0], parts[1]

		if strings.HasPrefix(key, "@app:windows:") {
			runtimeTags.AppendKeyValue(key, value)
			continue
		}

		runtimeTags.AppendKeyValue("@usr:"+key, value)
	}

	userdata := WinProcessInfo(event.PID)

	for _, u := range userdata {
		runtimeTags.AppendKeyValue("@app:windows:"+u, "true")
	}

	runtimeTags.AppendKeyValue("@os:hostname", findFQDN(time.Second))

	if fileMd5, err := ComputeFileMd5(event.Executable); err == nil {
		runtimeTags.AppendKeyValue("@app:windows:filechecksum", hex.EncodeToString(fileMd5))
	}

	depends := getDllImports(event.Name)
	for _, lib := range depends {
		runtimeTags.AppendKeyValue("@app:windows:lib:"+lib, "true")
	}

	options := policy.OptionsType{}
	for index, s := range event.Services {
		if s.Port != 0 && s.Ports == nil {
			pspec, err := portspec.NewPortSpec(s.Port, s.Port, nil)
			if err != nil {
				return nil, fmt.Errorf("Invalid Port Spec %s", err)
			}
			event.Services[index].Ports = pspec
			event.Services[index].Port = 0
		}
	}
	options.Services = event.Services
	options.UserID, _ = runtimeTags.Get("@usr:originaluser")
	options.CgroupMark = strconv.FormatUint(cgnetcls.MarkVal(), 10)
	options.AutoPort = event.AutoPort

	runtimeIps := policy.ExtendedMap{"bridge": "0.0.0.0/0"}

	return policy.NewPURuntime(event.Name, int(event.PID), "", runtimeTags, runtimeIps, event.PUType, policy.None, &options), nil
}

// WinProcessInfo returns all metadata captured by a Windows process
func WinProcessInfo(pid int32) []string {
	userdata := []string{}

	p, err := process.NewProcess(pid)
	if err != nil {
		return userdata
	}

	// TODO(windows): do equivalent of uids and gids (using GetNamedSecurityInfo and LookupAccountSid, eg)
	uids, err := p.Uids()
	if err != nil {
		return userdata
	}

	groups, err := p.Gids()
	if err != nil {
		return userdata
	}

	username, err := p.Username()
	if err != nil {
		return userdata
	}

	for _, uid := range uids {
		userdata = append(userdata, "uid:"+strconv.Itoa(int(uid)))
	}

	for _, gid := range groups {
		userdata = append(userdata, "gid:"+strconv.Itoa(int(gid)))
	}

	userdata = append(userdata, "username:"+username)

	userid, err := user.Lookup(username)
	if err != nil {
		return userdata
	}

	gids, err := userid.GroupIds()
	if err != nil {
		return userdata
	}

	for i := 0; i < len(gids); i++ {
		userdata = append(userdata, "gids:"+gids[i])
		group, err := user.LookupGroupId(gids[i])
		if err != nil {
			continue
		}
		userdata = append(userdata, "groups:"+group.Name)
	}

	return userdata
}

// getDllImports returns the list of dynamic library dependencies of an executable
// TODO(windows): debug/pe File.ImportedLibraries is not implemented currently
func getDllImports(binpath string) []string {
	return []string{}
}


================================================
FILE: monitor/extractors/windows_test.go
================================================
// +build windows

package extractors

import (
	"testing"

	. "github.com/smartystreets/goconvey/convey"
	"go.aporeto.io/enforcerd/trireme-lib/common"
)

func TestWindowsServiceEventMetadataExtractor(t *testing.T) {

	Convey("When I call the windows metadata extrator", t, func() {

		Convey("If all data are present", func() {
			event := &common.EventInfo{
				Name:       "./testdata/curl",
				Executable: "./testdata/curl",
				PID:        1234,
				PUID:       "/1234",
				Tags:       []string{"app=web"},
			}

			pu, err := WindowsServiceEventMetadataExtractor(event)
			Convey("I should get no error and a valid PU runitime", func() {
				So(err, ShouldBeNil)
				So(pu, ShouldNotBeNil)
			})
		})
	})
}


================================================
FILE: monitor/interfaces.go
================================================
package monitor

import (
	"context"

	"go.aporeto.io/enforcerd/trireme-lib/monitor/config"
	"go.aporeto.io/enforcerd/trireme-lib/monitor/registerer"
)

// A Monitor is an interface implmented to start/stop monitors.
type Monitor interface {

	// Start starts the monitor.
	Run(ctx context.Context) error

	// UpdateConfiguration updates the configuration of the monitor
	UpdateConfiguration(ctx context.Context, config *config.MonitorConfig) error

	// Resync requests to the monitor to do a resync.
	Resync(ctx context.Context) error
}

// Implementation for a monitor.
type Implementation interface {

	// Run starts the monitor implementation.
	Run(ctx context.Context) error

	// SetupConfig provides a configuration to implmentations. Every implmentation
	// can have its own config type.
	SetupConfig(registerer registerer.Registerer, cfg interface{}) error

	// SetupHandlers sets up handlers for monitors to invoke for various events such as
	// processing unit events and synchronization events. This will be called before Start()
	// by the consumer of the monitor
	SetupHandlers(c *config.ProcessorConfig)

	// Resync should resynchronize PUs. This should be done while starting up.
	Resync(ctx context.Context) error
}


================================================
FILE: monitor/internal/cni/extractor.go
================================================
package cnimonitor

import (
	"errors"
	"fmt"
	"strings"

	"go.aporeto.io/trireme-lib/common"
	"go.aporeto.io/trireme-lib/policy"
)

// KubernetesMetadataExtractor is a systemd based metadata extractor
func KubernetesMetadataExtractor(event *common.EventInfo) (*policy.PURuntime, error) {

	if event.NS == "" {
		return nil, errors.New("namespace path is required when using cni")
	}

	runtimeTags := policy.NewTagStore()
	for _, tag := range event.Tags {
		parts := strings.Split(tag, "=")
		if len(parts) != 2 {
			return nil, fmt.Errorf("invalid tag: %s", tag)
		}
		runtimeTags.AppendKeyValue("@usr:"+parts[0], parts[1])
	}

	runtimeIps := policy.ExtendedMap{"bridge": "0.0.0.0/0"}

	return policy.NewPURuntime(event.Name, 1, "", runtimeTags, runtimeIps, common.LinuxProcessPU, nil), nil
}

// DockerMetadataExtractor is a systemd based metadata extractor
func DockerMetadataExtractor(event *common.EventInfo) (*policy.PURuntime, error) {

	if event.NS == "" {
		return nil, errors.New("namespace path is required when using cni")
	}

	runtimeTags := policy.NewTagStore()
	for _, tag := range event.Tags {
		parts := strings.Split(tag, "=")
		if len(parts) != 2 {
			return nil, fmt.Errorf("invalid tag: %s", tag)
		}
		runtimeTags.AppendKeyValue("@usr:"+parts[0], parts[1])
	}

	runtimeIps := policy.ExtendedMap{"bridge": "0.0.0.0/0"}

	return policy.NewPURuntime(event.Name, 0, event.NS, runtimeTags, runtimeIps, common.ContainerPU, nil), nil
}


================================================
FILE: monitor/internal/cni/monitor.go
================================================
package cnimonitor

import (
	"context"
	"fmt"

	"go.aporeto.io/trireme-lib/common"
	"go.aporeto.io/trireme-lib/monitor/config"
	"go.aporeto.io/trireme-lib/monitor/extractors"
	"go.aporeto.io/trireme-lib/monitor/registerer"
)

// Config is the configuration options to start a CNI monitor
type Config struct {
	EventMetadataExtractor extractors.EventMetadataExtractor
}

// DefaultConfig provides a default configuration
func DefaultConfig() *Config {
	return &Config{
		EventMetadataExtractor: DockerMetadataExtractor,
	}
}

// SetupDefaultConfig adds defaults to a partial configuration
func SetupDefaultConfig(cniConfig *Config) *Config {

	defaultConfig := DefaultConfig()

	if cniConfig.EventMetadataExtractor == nil {
		cniConfig.EventMetadataExtractor = defaultConfig.EventMetadataExtractor
	}

	return cniConfig
}

// CniMonitor captures all the monitor processor information
// It implements the EventProcessor interface of the rpc monitor
type CniMonitor struct {
	proc *cniProcessor
}

// New returns a new implmentation of a monitor implmentation
func New() *CniMonitor {

	return &CniMonitor{
		proc: &cniProcessor{},
	}
}

// Run implements Implementation interface
func (c *CniMonitor) Run(ctx context.Context) error {

	return c.proc.config.IsComplete()
}

// SetupConfig provides a configuration to implmentations. Every implmentation
// can have its own config type.
func (c *CniMonitor) SetupConfig(registerer registerer.Registerer, cfg interface{}) error {

	defaultConfig := DefaultConfig()
	if cfg == nil {
		cfg = defaultConfig
	}

	cniConfig, ok := cfg.(*Config)
	if !ok {
		return fmt.Errorf("Invalid configuration specified")
	}

	if registerer != nil {
		if err := registerer.RegisterProcessor(common.KubernetesPU, c.proc); err != nil {
			return err
		}
	}

	// Setup defaults
	cniConfig = SetupDefaultConfig(cniConfig)

	// Setup configuration
	c.proc.metadataExtractor = cniConfig.EventMetadataExtractor
	if c.proc.metadataExtractor == nil {
		return fmt.Errorf("Unable to setup a metadata extractor")
	}

	return nil
}

// SetupHandlers sets up handlers for monitors to invoke for various events such as
// processing unit events and synchronization events. This will be called before Start()
// by the consumer of the monitor
func (c *CniMonitor) SetupHandlers(m *config.ProcessorConfig) {

	c.proc.config = m
}

// Resync instructs the monitor to do a resync.
func (c *CniMonitor) Resync(ctx context.Context) error {

	// TODO: Implement resync
	return fmt.Errorf("resync not implemented")
}


================================================
FILE: monitor/internal/cni/processor.go
================================================
package cnimonitor

import (
	"context"
	"errors"
	"fmt"

	"go.aporeto.io/trireme-lib/collector"
	"go.aporeto.io/trireme-lib/common"
	"go.aporeto.io/trireme-lib/monitor/config"
	"go.aporeto.io/trireme-lib/monitor/extractors"
	"go.aporeto.io/trireme-lib/policy"
)

type cniProcessor struct {
	config            *config.ProcessorConfig
	metadataExtractor extractors.EventMetadataExtractor
}

// Create handles create events
func (c *cniProcessor) Create(ctx context.Context, eventInfo *common.EventInfo) error {
	return nil
}

// Start handles start events
func (c *cniProcessor) Start(ctx context.Context, eventInfo *common.EventInfo) error {
	contextID, err := generateContextID(eventInfo)
	if err != nil {
		return err
	}

	runtimeInfo, err := c.metadataExtractor(eventInfo)
	if err != nil {
		return err
	}

	if err := c.config.Policy.HandlePUEvent(ctx, contextID, common.EventCreate, runtimeInfo); err != nil {
		return err
	}

	if err := c.config.Policy.HandlePUEvent(ctx, contextID, common.EventStart, runtimeInfo); err != nil {
		return err
	}

	c.config.Collector.CollectContainerEvent(&collector.ContainerRecord{
		ContextID: contextID,
		IPAddress: runtimeInfo.IPAddresses(),
		Tags:      runtimeInfo.Tags(),
		Event:     collector.ContainerStart,
	})

	return nil
}

// Stop handles a stop event
func (c *cniProcessor) Stop(ctx context.Context, eventInfo *common.EventInfo) error {

	contextID, err := generateContextID(eventInfo)
	if err != nil {
		return fmt.Errorf("unable to generate context id: %s", err)
	}

	runtime := policy.NewPURuntimeWithDefaults()

	if err := c.config.Policy.HandlePUEvent(ctx, contextID, common.EventStop, runtime); err != nil {
		return err
	}

	return c.config.Policy.HandlePUEvent(ctx, contextID, common.EventDestroy, runtime)
}

// Destroy handles a destroy event
func (c *cniProcessor) Destroy(ctx context.Context, eventInfo *common.EventInfo) error {
	return nil
}

// Pause handles a pause event
func (c *cniProcessor) Pause(ctx context.Context, eventInfo *common.EventInfo) error {
	return nil
}

// Resync resyncs with all the existing services that were there before we start
func (c *cniProcessor) Resync(ctx context.Context, e *common.EventInfo) error {
	return nil
}

// generateContextID creates the contextID from the event information
func generateContextID(eventInfo *common.EventInfo) (string, error) {

	if eventInfo.PUID == "" {
		return "", errors.New("puid is empty from event info")
	}

	if len(eventInfo.PUID) < 12 {
		return "", errors.New("puid smaller than 12 characters")
	}

	return eventInfo.PUID[:12], nil
}


================================================
FILE: monitor/internal/docker/config.go
================================================
package dockermonitor

import (
	"go.aporeto.io/enforcerd/trireme-lib/monitor/constants"
	"go.aporeto.io/enforcerd/trireme-lib/monitor/extractors"
)

// Config is the configuration options to start a CNI monitor
type Config struct {
	EventMetadataExtractor   extractors.DockerMetadataExtractor
	SocketType               string
	SocketAddress            string
	SyncAtStart              bool
	DestroyStoppedContainers bool
	ignoreHostModeContainers bool
}

// DefaultConfig provides a default configuration
func DefaultConfig() *Config {
	return &Config{
		EventMetadataExtractor:   extractors.DefaultMetadataExtractor,
		SocketType:               string(constants.DefaultDockerSocketType),
		SocketAddress:            constants.DefaultDockerSocket,
		SyncAtStart:              true,
		ignoreHostModeContainers: true,
	}
}

// SetupDefaultConfig adds defaults to a partial configuration
func SetupDefaultConfig(dockerConfig *Config) *Config {

	defaultConfig := DefaultConfig()

	if dockerConfig.EventMetadataExtractor == nil {
		dockerConfig.EventMetadataExtractor = defaultConfig.EventMetadataExtractor
	}
	if dockerConfig.SocketType == "" {
		dockerConfig.SocketType = defaultConfig.SocketType
	}
	if dockerConfig.SocketAddress == "" {
		dockerConfig.SocketAddress = defaultConfig.SocketAddress
	}
	return dockerConfig
}


================================================
FILE: monitor/internal/docker/helpers.go
================================================
package dockermonitor

import (
	"go.aporeto.io/enforcerd/trireme-lib/common"
	"go.aporeto.io/enforcerd/trireme-lib/monitor/constants"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
	"go.uber.org/zap"
)

// getPausePUID returns puid of pause container.
func getPausePUID(extensions policy.ExtendedMap) string {

	if extensions == nil {
		return ""
	}

	if puid, ok := extensions.Get(constants.DockerHostPUID); ok {
		zap.L().Debug("puid of pause container is", zap.String("puid", puid))
		return puid
	}

	return ""
}

// PolicyExtensions retrieves policy extensions
func policyExtensions(runtime policy.RuntimeReader) (extensions policy.ExtendedMap) {

	if runtime == nil {
		return nil
	}

	if runtime.Options().PolicyExtensions == nil {
		return nil
	}

	if extensions, ok := runtime.Options().PolicyExtensions.(policy.ExtendedMap); ok {
		return extensions
	}
	return nil
}

// IsHostNetworkContainer returns true if container has hostnetwork set
// to true or is linked to container with hostnetwork set to true.
func isHostNetworkContainer(runtime policy.RuntimeReader) bool {

	return runtime.PUType() == common.LinuxProcessPU || (getPausePUID(policyExtensions(runtime)) != "")
}

// IsKubernetesContainer checks if the container is in K8s.
func isKubernetesContainer(labels map[string]string) bool {

	if _, ok := labels[constants.K8sPodNamespace]; ok {
		return true
	}
	return false
}

// KubePodIdentifier returns identifier for K8s pod.
func kubePodIdentifier(labels map[string]string) string {

	if !isKubernetesContainer(labels) {
		return ""
	}
	podName := ""
	podNamespace := ""

	podNamespace, ok := labels[constants.K8sPodNamespace]
	if !ok {
		podNamespace = ""
	}

	podName, ok = labels[constants.K8sPodName]
	if !ok {
		podName = ""
	}

	if podName == "" || podNamespace == "" {
		zap.L().Warn("K8s pod does not have podname/podnamespace labels")
		return ""
	}

	return podNamespace + "/" + podName
}


================================================
FILE: monitor/internal/docker/helpers_test.go
================================================
// +build linux

package dockermonitor

import (
	"reflect"
	"testing"

	"go.aporeto.io/enforcerd/trireme-lib/common"
	"go.aporeto.io/enforcerd/trireme-lib/monitor/constants"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
)

func TestGetPausePUID(t *testing.T) {
	type args struct {
		extensions policy.ExtendedMap
	}
	tests := []struct {
		name string
		args args
		want string
	}{
		{
			name: "Test when puid is populated",
			args: args{
				extensions: policy.ExtendedMap{
					constants.DockerHostPUID: "1234",
				},
			},
			want: "1234",
		},
		{
			name: "Test when puid is not populated",
			args: args{
				extensions: policy.ExtendedMap{},
			},
			want: "",
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			if got := getPausePUID(tt.args.extensions); got != tt.want {
				t.Errorf("GetPausePUID() = %v, want %v", got, tt.want)
			}
		})
	}
}

func TestPolicyExtensions(t *testing.T) {

	puRuntimeWithExtensions := func() *policy.PURuntime {
		extensions := policy.ExtendedMap{}
		extensions[constants.DockerHostPUID] = "1234"
		puRuntime := policy.NewPURuntimeWithDefaults()
		options := puRuntime.Options()
		options.PolicyExtensions = extensions
		puRuntime.SetOptions(options)
		return puRuntime
	}

	puRuntimeWithWrongExtensions := func() *policy.PURuntime {
		puRuntime := policy.NewPURuntimeWithDefaults()
		extensions := "abcd"
		options := puRuntime.Options()
		options.PolicyExtensions = extensions
		puRuntime.SetOptions(options)
		return puRuntime
	}

	type args struct {
		runtime policy.RuntimeReader
	}
	tests := []struct {
		name           string
		args           args
		wantExtensions policy.ExtendedMap
	}{
		{
			name: "Valid case with extensions defined",
			args: args{
				runtime: puRuntimeWithExtensions(),
			},
			wantExtensions: policy.ExtendedMap{
				constants.DockerHostPUID: "1234",
			},
		},
		{
			name: "Runtime with no extensions defined",
			args: args{
				runtime: policy.NewPURuntimeWithDefaults(),
			},
			wantExtensions: nil,
		},
		{
			name: "Nil runntime",
			args: args{
				runtime: nil,
			},
			wantExtensions: nil,
		},
		{
			name: "extensions which isnt a map",
			args: args{
				runtime: puRuntimeWithWrongExtensions(),
			},
			wantExtensions: nil,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			if gotExtensions := policyExtensions(tt.args.runtime); !reflect.DeepEqual(gotExtensions, tt.wantExtensions) {
				t.Errorf("PolicyExtensions() = %v, want %v", gotExtensions, tt.wantExtensions)
			}
		})
	}
}

func TestIsKubernetesContainer(t *testing.T) {

	type args struct {
		labels map[string]string
	}
	tests := []struct {
		name string
		args args
		want bool
	}{
		{
			name: "Test if container is in kubernetes",
			args: args{
				labels: map[string]string{
					constants.K8sPodNamespace: "abcd",
					constants.K8sPodName:      "abcd",
				},
			},
			want: true,
		},
		{
			name: "Test if container is not in kubernetes",
			args: args{
				labels: map[string]string{
					"app": "nginx",
				},
			},
			want: false,
		},
		{
			name: "Test for empty labels",
			args: args{
				labels: nil,
			},
			want: false,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			if got := isKubernetesContainer(tt.args.labels); got != tt.want {
				t.Errorf("IsKubernetesContainer() = %v, want %v", got, tt.want)
			}
		})
	}
}

func Test_isHostNetworkContainer(t *testing.T) {

	puRuntimeWithExtensions := func() *policy.PURuntime {
		extensions := policy.ExtendedMap{
			constants.DockerHostPUID: "1234",
		}
		puRuntime := policy.NewPURuntimeWithDefaults()
		options := puRuntime.Options()
		options.PolicyExtensions = extensions
		puRuntime.SetOptions(options)
		return puRuntime
	}

	puRuntimeForProcess := func() *policy.PURuntime {
		puRuntime := policy.NewPURuntimeWithDefaults()
		puRuntime.SetPUType(common.LinuxProcessPU)
		return puRuntime
	}

	type args struct {
		runtime policy.RuntimeReader
	}
	tests := []struct {
		name string
		args args
		want bool
	}{
		{
			name: "Test when puid is populated",
			args: args{
				runtime: puRuntimeWithExtensions(),
			},
			want: true,
		},
		{
			name: "Test when puid is not populated",
			args: args{
				runtime: policy.NewPURuntimeWithDefaults(),
			},
			want: false,
		},
		{
			name: "Test when runtime is of Linux process pu",
			args: args{
				runtime: puRuntimeForProcess(),
			},
			want: true,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			if got := isHostNetworkContainer(tt.args.runtime); got != tt.want {
				t.Errorf("isHostNetworkContainer() = %v, want %v", got, tt.want)
			}
		})
	}
}

func Test_kubePodIdentifier(t *testing.T) {
	type args struct {
		labels map[string]string
	}
	tests := []struct {
		name string
		args args
		want string
	}{
		{
			name: "Test valid scenario",
			args: args{
				labels: map[string]string{
					constants.K8sPodNamespace: "abcd",
					constants.K8sPodName:      "abcd",
				},
			},
			want: "abcd/abcd",
		},
		{
			name: "Test when only one of tags are present",
			args: args{
				labels: map[string]string{
					constants.K8sPodNamespace: "abcd",
				},
			},
			want: "",
		},
		{
			name: "Test when only no k8s tags are present",
			args: args{
				labels: map[string]string{},
			},
			want: "",
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			if got := kubePodIdentifier(tt.args.labels); got != tt.want {
				t.Errorf("kubePodIdentifier() = %v, want %v", got, tt.want)
			}
		})
	}
}


================================================
FILE: monitor/internal/docker/mockdocker/mockdocker.go
================================================
// Code generated by MockGen. DO NOT EDIT.
// Source: github.com/docker/docker/client/interface.go

// Package mockdocker is a generated GoMock package.
package mockdocker

import (
	context "context"
	io "io"
	net "net"
	http "net/http"
	reflect "reflect"
	time "time"

	types "github.com/docker/docker/api/types"
	containerpkg "github.com/docker/docker/api/types/container"
	events "github.com/docker/docker/api/types/events"
	filters "github.com/docker/docker/api/types/filters"
	imagepkg "github.com/docker/docker/api/types/image"
	network "github.com/docker/docker/api/types/network"
	registry "github.com/docker/docker/api/types/registry"
	swarm "github.com/docker/docker/api/types/swarm"
	volume "github.com/docker/docker/api/types/volume"
	gomock "github.com/golang/mock/gomock"
)

// MockCommonAPIClient is a mock of CommonAPIClient interface
type MockCommonAPIClient struct {
	ctrl     *gomock.Controller
	recorder *MockCommonAPIClientMockRecorder
}

// MockCommonAPIClientMockRecorder is the mock recorder for MockCommonAPIClient
type MockCommonAPIClientMockRecorder struct {
	mock *MockCommonAPIClient
}

// NewMockCommonAPIClient creates a new mock instance
func NewMockCommonAPIClient(ctrl *gomock.Controller) *MockCommonAPIClient {
	mock := &MockCommonAPIClient{ctrl: ctrl}
	mock.recorder = &MockCommonAPIClientMockRecorder{mock}
	return mock
}

// EXPECT returns an object that allows the caller to indicate expected use
func (m *MockCommonAPIClient) EXPECT() *MockCommonAPIClientMockRecorder {
	return m.recorder
}

// ConfigList mocks base method
func (m *MockCommonAPIClient) ConfigList(ctx context.Context, options types.ConfigListOptions) ([]swarm.Config, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ConfigList", ctx, options)
	ret0, _ := ret[0].([]swarm.Config)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ConfigList indicates an expected call of ConfigList
func (mr *MockCommonAPIClientMockRecorder) ConfigList(ctx, options interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ConfigList", reflect.TypeOf((*MockCommonAPIClient)(nil).ConfigList), ctx, options)
}

// ConfigCreate mocks base method
func (m *MockCommonAPIClient) ConfigCreate(ctx context.Context, config swarm.ConfigSpec) (types.ConfigCreateResponse, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ConfigCreate", ctx, config)
	ret0, _ := ret[0].(types.ConfigCreateResponse)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ConfigCreate indicates an expected call of ConfigCreate
func (mr *MockCommonAPIClientMockRecorder) ConfigCreate(ctx, config interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ConfigCreate", reflect.TypeOf((*MockCommonAPIClient)(nil).ConfigCreate), ctx, config)
}

// ConfigRemove mocks base method
func (m *MockCommonAPIClient) ConfigRemove(ctx context.Context, id string) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ConfigRemove", ctx, id)
	ret0, _ := ret[0].(error)
	return ret0
}

// ConfigRemove indicates an expected call of ConfigRemove
func (mr *MockCommonAPIClientMockRecorder) ConfigRemove(ctx, id interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ConfigRemove", reflect.TypeOf((*MockCommonAPIClient)(nil).ConfigRemove), ctx, id)
}

// ConfigInspectWithRaw mocks base method
func (m *MockCommonAPIClient) ConfigInspectWithRaw(ctx context.Context, name string) (swarm.Config, []byte, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ConfigInspectWithRaw", ctx, name)
	ret0, _ := ret[0].(swarm.Config)
	ret1, _ := ret[1].([]byte)
	ret2, _ := ret[2].(error)
	return ret0, ret1, ret2
}

// ConfigInspectWithRaw indicates an expected call of ConfigInspectWithRaw
func (mr *MockCommonAPIClientMockRecorder) ConfigInspectWithRaw(ctx, name interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ConfigInspectWithRaw", reflect.TypeOf((*MockCommonAPIClient)(nil).ConfigInspectWithRaw), ctx, name)
}

// ConfigUpdate mocks base method
func (m *MockCommonAPIClient) ConfigUpdate(ctx context.Context, id string, version swarm.Version, config swarm.ConfigSpec) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ConfigUpdate", ctx, id, version, config)
	ret0, _ := ret[0].(error)
	return ret0
}

// ConfigUpdate indicates an expected call of ConfigUpdate
func (mr *MockCommonAPIClientMockRecorder) ConfigUpdate(ctx, id, version, config interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ConfigUpdate", reflect.TypeOf((*MockCommonAPIClient)(nil).ConfigUpdate), ctx, id, version, config)
}

// ContainerAttach mocks base method
func (m *MockCommonAPIClient) ContainerAttach(ctx context.Context, container string, options types.ContainerAttachOptions) (types.HijackedResponse, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ContainerAttach", ctx, container, options)
	ret0, _ := ret[0].(types.HijackedResponse)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ContainerAttach indicates an expected call of ContainerAttach
func (mr *MockCommonAPIClientMockRecorder) ContainerAttach(ctx, container, options interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ContainerAttach", reflect.TypeOf((*MockCommonAPIClient)(nil).ContainerAttach), ctx, container, options)
}

// ContainerCommit mocks base method
func (m *MockCommonAPIClient) ContainerCommit(ctx context.Context, container string, options types.ContainerCommitOptions) (types.IDResponse, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ContainerCommit", ctx, container, options)
	ret0, _ := ret[0].(types.IDResponse)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ContainerCommit indicates an expected call of ContainerCommit
func (mr *MockCommonAPIClientMockRecorder) ContainerCommit(ctx, container, options interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ContainerCommit", reflect.TypeOf((*MockCommonAPIClient)(nil).ContainerCommit), ctx, container, options)
}

// ContainerCreate mocks base method
func (m *MockCommonAPIClient) ContainerCreate(ctx context.Context, config *containerpkg.Config, hostConfig *containerpkg.HostConfig, networkingConfig *network.NetworkingConfig, containerName string) (containerpkg.ContainerCreateCreatedBody, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ContainerCreate", ctx, config, hostConfig, networkingConfig, containerName)
	ret0, _ := ret[0].(containerpkg.ContainerCreateCreatedBody)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ContainerCreate indicates an expected call of ContainerCreate
func (mr *MockCommonAPIClientMockRecorder) ContainerCreate(ctx, config, hostConfig, networkingConfig, containerName interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ContainerCreate", reflect.TypeOf((*MockCommonAPIClient)(nil).ContainerCreate), ctx, config, hostConfig, networkingConfig, containerName)
}

// ContainerDiff mocks base method
func (m *MockCommonAPIClient) ContainerDiff(ctx context.Context, container string) ([]containerpkg.ContainerChangeResponseItem, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ContainerDiff", ctx, container)
	ret0, _ := ret[0].([]containerpkg.ContainerChangeResponseItem)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ContainerDiff indicates an expected call of ContainerDiff
func (mr *MockCommonAPIClientMockRecorder) ContainerDiff(ctx, container interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ContainerDiff", reflect.TypeOf((*MockCommonAPIClient)(nil).ContainerDiff), ctx, container)
}

// ContainerExecAttach mocks base method
func (m *MockCommonAPIClient) ContainerExecAttach(ctx context.Context, execID string, config types.ExecStartCheck) (types.HijackedResponse, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ContainerExecAttach", ctx, execID, config)
	ret0, _ := ret[0].(types.HijackedResponse)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ContainerExecAttach indicates an expected call of ContainerExecAttach
func (mr *MockCommonAPIClientMockRecorder) ContainerExecAttach(ctx, execID, config interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ContainerExecAttach", reflect.TypeOf((*MockCommonAPIClient)(nil).ContainerExecAttach), ctx, execID, config)
}

// ContainerExecCreate mocks base method
func (m *MockCommonAPIClient) ContainerExecCreate(ctx context.Context, container string, config types.ExecConfig) (types.IDResponse, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ContainerExecCreate", ctx, container, config)
	ret0, _ := ret[0].(types.IDResponse)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ContainerExecCreate indicates an expected call of ContainerExecCreate
func (mr *MockCommonAPIClientMockRecorder) ContainerExecCreate(ctx, container, config interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ContainerExecCreate", reflect.TypeOf((*MockCommonAPIClient)(nil).ContainerExecCreate), ctx, container, config)
}

// ContainerExecInspect mocks base method
func (m *MockCommonAPIClient) ContainerExecInspect(ctx context.Context, execID string) (types.ContainerExecInspect, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ContainerExecInspect", ctx, execID)
	ret0, _ := ret[0].(types.ContainerExecInspect)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ContainerExecInspect indicates an expected call of ContainerExecInspect
func (mr *MockCommonAPIClientMockRecorder) ContainerExecInspect(ctx, execID interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ContainerExecInspect", reflect.TypeOf((*MockCommonAPIClient)(nil).ContainerExecInspect), ctx, execID)
}

// ContainerExecResize mocks base method
func (m *MockCommonAPIClient) ContainerExecResize(ctx context.Context, execID string, options types.ResizeOptions) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ContainerExecResize", ctx, execID, options)
	ret0, _ := ret[0].(error)
	return ret0
}

// ContainerExecResize indicates an expected call of ContainerExecResize
func (mr *MockCommonAPIClientMockRecorder) ContainerExecResize(ctx, execID, options interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ContainerExecResize", reflect.TypeOf((*MockCommonAPIClient)(nil).ContainerExecResize), ctx, execID, options)
}

// ContainerExecStart mocks base method
func (m *MockCommonAPIClient) ContainerExecStart(ctx context.Context, execID string, config types.ExecStartCheck) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ContainerExecStart", ctx, execID, config)
	ret0, _ := ret[0].(error)
	return ret0
}

// ContainerExecStart indicates an expected call of ContainerExecStart
func (mr *MockCommonAPIClientMockRecorder) ContainerExecStart(ctx, execID, config interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ContainerExecStart", reflect.TypeOf((*MockCommonAPIClient)(nil).ContainerExecStart), ctx, execID, config)
}

// ContainerExport mocks base method
func (m *MockCommonAPIClient) ContainerExport(ctx context.Context, container string) (io.ReadCloser, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ContainerExport", ctx, container)
	ret0, _ := ret[0].(io.ReadCloser)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ContainerExport indicates an expected call of ContainerExport
func (mr *MockCommonAPIClientMockRecorder) ContainerExport(ctx, container interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ContainerExport", reflect.TypeOf((*MockCommonAPIClient)(nil).ContainerExport), ctx, container)
}

// ContainerInspect mocks base method
func (m *MockCommonAPIClient) ContainerInspect(ctx context.Context, container string) (types.ContainerJSON, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ContainerInspect", ctx, container)
	ret0, _ := ret[0].(types.ContainerJSON)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ContainerInspect indicates an expected call of ContainerInspect
func (mr *MockCommonAPIClientMockRecorder) ContainerInspect(ctx, container interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ContainerInspect", reflect.TypeOf((*MockCommonAPIClient)(nil).ContainerInspect), ctx, container)
}

// ContainerInspectWithRaw mocks base method
func (m *MockCommonAPIClient) ContainerInspectWithRaw(ctx context.Context, container string, getSize bool) (types.ContainerJSON, []byte, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ContainerInspectWithRaw", ctx, container, getSize)
	ret0, _ := ret[0].(types.ContainerJSON)
	ret1, _ := ret[1].([]byte)
	ret2, _ := ret[2].(error)
	return ret0, ret1, ret2
}

// ContainerInspectWithRaw indicates an expected call of ContainerInspectWithRaw
func (mr *MockCommonAPIClientMockRecorder) ContainerInspectWithRaw(ctx, container, getSize interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ContainerInspectWithRaw", reflect.TypeOf((*MockCommonAPIClient)(nil).ContainerInspectWithRaw), ctx, container, getSize)
}

// ContainerKill mocks base method
func (m *MockCommonAPIClient) ContainerKill(ctx context.Context, container, signal string) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ContainerKill", ctx, container, signal)
	ret0, _ := ret[0].(error)
	return ret0
}

// ContainerKill indicates an expected call of ContainerKill
func (mr *MockCommonAPIClientMockRecorder) ContainerKill(ctx, container, signal interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ContainerKill", reflect.TypeOf((*MockCommonAPIClient)(nil).ContainerKill), ctx, container, signal)
}

// ContainerList mocks base method
func (m *MockCommonAPIClient) ContainerList(ctx context.Context, options types.ContainerListOptions) ([]types.Container, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ContainerList", ctx, options)
	ret0, _ := ret[0].([]types.Container)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ContainerList indicates an expected call of ContainerList
func (mr *MockCommonAPIClientMockRecorder) ContainerList(ctx, options interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ContainerList", reflect.TypeOf((*MockCommonAPIClient)(nil).ContainerList), ctx, options)
}

// ContainerLogs mocks base method
func (m *MockCommonAPIClient) ContainerLogs(ctx context.Context, container string, options types.ContainerLogsOptions) (io.ReadCloser, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ContainerLogs", ctx, container, options)
	ret0, _ := ret[0].(io.ReadCloser)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ContainerLogs indicates an expected call of ContainerLogs
func (mr *MockCommonAPIClientMockRecorder) ContainerLogs(ctx, container, options interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ContainerLogs", reflect.TypeOf((*MockCommonAPIClient)(nil).ContainerLogs), ctx, container, options)
}

// ContainerPause mocks base method
func (m *MockCommonAPIClient) ContainerPause(ctx context.Context, container string) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ContainerPause", ctx, container)
	ret0, _ := ret[0].(error)
	return ret0
}

// ContainerPause indicates an expected call of ContainerPause
func (mr *MockCommonAPIClientMockRecorder) ContainerPause(ctx, container interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ContainerPause", reflect.TypeOf((*MockCommonAPIClient)(nil).ContainerPause), ctx, container)
}

// ContainerRemove mocks base method
func (m *MockCommonAPIClient) ContainerRemove(ctx context.Context, container string, options types.ContainerRemoveOptions) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ContainerRemove", ctx, container, options)
	ret0, _ := ret[0].(error)
	return ret0
}

// ContainerRemove indicates an expected call of ContainerRemove
func (mr *MockCommonAPIClientMockRecorder) ContainerRemove(ctx, container, options interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ContainerRemove", reflect.TypeOf((*MockCommonAPIClient)(nil).ContainerRemove), ctx, container, options)
}

// ContainerRename mocks base method
func (m *MockCommonAPIClient) ContainerRename(ctx context.Context, container, newContainerName string) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ContainerRename", ctx, container, newContainerName)
	ret0, _ := ret[0].(error)
	return ret0
}

// ContainerRename indicates an expected call of ContainerRename
func (mr *MockCommonAPIClientMockRecorder) ContainerRename(ctx, container, newContainerName interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ContainerRename", reflect.TypeOf((*MockCommonAPIClient)(nil).ContainerRename), ctx, container, newContainerName)
}

// ContainerResize mocks base method
func (m *MockCommonAPIClient) ContainerResize(ctx context.Context, container string, options types.ResizeOptions) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ContainerResize", ctx, container, options)
	ret0, _ := ret[0].(error)
	return ret0
}

// ContainerResize indicates an expected call of ContainerResize
func (mr *MockCommonAPIClientMockRecorder) ContainerResize(ctx, container, options interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ContainerResize", reflect.TypeOf((*MockCommonAPIClient)(nil).ContainerResize), ctx, container, options)
}

// ContainerRestart mocks base method
func (m *MockCommonAPIClient) ContainerRestart(ctx context.Context, container string, timeout *time.Duration) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ContainerRestart", ctx, container, timeout)
	ret0, _ := ret[0].(error)
	return ret0
}

// ContainerRestart indicates an expected call of ContainerRestart
func (mr *MockCommonAPIClientMockRecorder) ContainerRestart(ctx, container, timeout interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ContainerRestart", reflect.TypeOf((*MockCommonAPIClient)(nil).ContainerRestart), ctx, container, timeout)
}

// ContainerStatPath mocks base method
func (m *MockCommonAPIClient) ContainerStatPath(ctx context.Context, container, path string) (types.ContainerPathStat, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ContainerStatPath", ctx, container, path)
	ret0, _ := ret[0].(types.ContainerPathStat)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ContainerStatPath indicates an expected call of ContainerStatPath
func (mr *MockCommonAPIClientMockRecorder) ContainerStatPath(ctx, container, path interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ContainerStatPath", reflect.TypeOf((*MockCommonAPIClient)(nil).ContainerStatPath), ctx, container, path)
}

// ContainerStats mocks base method
func (m *MockCommonAPIClient) ContainerStats(ctx context.Context, container string, stream bool) (types.ContainerStats, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ContainerStats", ctx, container, stream)
	ret0, _ := ret[0].(types.ContainerStats)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ContainerStats indicates an expected call of ContainerStats
func (mr *MockCommonAPIClientMockRecorder) ContainerStats(ctx, container, stream interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ContainerStats", reflect.TypeOf((*MockCommonAPIClient)(nil).ContainerStats), ctx, container, stream)
}

// ContainerStart mocks base method
func (m *MockCommonAPIClient) ContainerStart(ctx context.Context, container string, options types.ContainerStartOptions) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ContainerStart", ctx, container, options)
	ret0, _ := ret[0].(error)
	return ret0
}

// ContainerStart indicates an expected call of ContainerStart
func (mr *MockCommonAPIClientMockRecorder) ContainerStart(ctx, container, options interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ContainerStart", reflect.TypeOf((*MockCommonAPIClient)(nil).ContainerStart), ctx, container, options)
}

// ContainerStop mocks base method
func (m *MockCommonAPIClient) ContainerStop(ctx context.Context, container string, timeout *time.Duration) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ContainerStop", ctx, container, timeout)
	ret0, _ := ret[0].(error)
	return ret0
}

// ContainerStop indicates an expected call of ContainerStop
func (mr *MockCommonAPIClientMockRecorder) ContainerStop(ctx, container, timeout interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ContainerStop", reflect.TypeOf((*MockCommonAPIClient)(nil).ContainerStop), ctx, container, timeout)
}

// ContainerTop mocks base method
func (m *MockCommonAPIClient) ContainerTop(ctx context.Context, container string, arguments []string) (containerpkg.ContainerTopOKBody, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ContainerTop", ctx, container, arguments)
	ret0, _ := ret[0].(containerpkg.ContainerTopOKBody)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ContainerTop indicates an expected call of ContainerTop
func (mr *MockCommonAPIClientMockRecorder) ContainerTop(ctx, container, arguments interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ContainerTop", reflect.TypeOf((*MockCommonAPIClient)(nil).ContainerTop), ctx, container, arguments)
}

// ContainerUnpause mocks base method
func (m *MockCommonAPIClient) ContainerUnpause(ctx context.Context, container string) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ContainerUnpause", ctx, container)
	ret0, _ := ret[0].(error)
	return ret0
}

// ContainerUnpause indicates an expected call of ContainerUnpause
func (mr *MockCommonAPIClientMockRecorder) ContainerUnpause(ctx, container interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ContainerUnpause", reflect.TypeOf((*MockCommonAPIClient)(nil).ContainerUnpause), ctx, container)
}

// ContainerUpdate mocks base method
func (m *MockCommonAPIClient) ContainerUpdate(ctx context.Context, container string, updateConfig containerpkg.UpdateConfig) (containerpkg.ContainerUpdateOKBody, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ContainerUpdate", ctx, container, updateConfig)
	ret0, _ := ret[0].(containerpkg.ContainerUpdateOKBody)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ContainerUpdate indicates an expected call of ContainerUpdate
func (mr *MockCommonAPIClientMockRecorder) ContainerUpdate(ctx, container, updateConfig interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ContainerUpdate", reflect.TypeOf((*MockCommonAPIClient)(nil).ContainerUpdate), ctx, container, updateConfig)
}

// ContainerWait mocks base method
func (m *MockCommonAPIClient) ContainerWait(ctx context.Context, container string, condition containerpkg.WaitCondition) (<-chan containerpkg.ContainerWaitOKBody, <-chan error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ContainerWait", ctx, container, condition)
	ret0, _ := ret[0].(<-chan containerpkg.ContainerWaitOKBody)
	ret1, _ := ret[1].(<-chan error)
	return ret0, ret1
}

// ContainerWait indicates an expected call of ContainerWait
func (mr *MockCommonAPIClientMockRecorder) ContainerWait(ctx, container, condition interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ContainerWait", reflect.TypeOf((*MockCommonAPIClient)(nil).ContainerWait), ctx, container, condition)
}

// CopyFromContainer mocks base method
func (m *MockCommonAPIClient) CopyFromContainer(ctx context.Context, container, srcPath string) (io.ReadCloser, types.ContainerPathStat, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "CopyFromContainer", ctx, container, srcPath)
	ret0, _ := ret[0].(io.ReadCloser)
	ret1, _ := ret[1].(types.ContainerPathStat)
	ret2, _ := ret[2].(error)
	return ret0, ret1, ret2
}

// CopyFromContainer indicates an expected call of CopyFromContainer
func (mr *MockCommonAPIClientMockRecorder) CopyFromContainer(ctx, container, srcPath interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CopyFromContainer", reflect.TypeOf((*MockCommonAPIClient)(nil).CopyFromContainer), ctx, container, srcPath)
}

// CopyToContainer mocks base method
func (m *MockCommonAPIClient) CopyToContainer(ctx context.Context, container, path string, content io.Reader, options types.CopyToContainerOptions) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "CopyToContainer", ctx, container, path, content, options)
	ret0, _ := ret[0].(error)
	return ret0
}

// CopyToContainer indicates an expected call of CopyToContainer
func (mr *MockCommonAPIClientMockRecorder) CopyToContainer(ctx, container, path, content, options interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CopyToContainer", reflect.TypeOf((*MockCommonAPIClient)(nil).CopyToContainer), ctx, container, path, content, options)
}

// ContainersPrune mocks base method
func (m *MockCommonAPIClient) ContainersPrune(ctx context.Context, pruneFilters filters.Args) (types.ContainersPruneReport, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ContainersPrune", ctx, pruneFilters)
	ret0, _ := ret[0].(types.ContainersPruneReport)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ContainersPrune indicates an expected call of ContainersPrune
func (mr *MockCommonAPIClientMockRecorder) ContainersPrune(ctx, pruneFilters interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ContainersPrune", reflect.TypeOf((*MockCommonAPIClient)(nil).ContainersPrune), ctx, pruneFilters)
}

// DistributionInspect mocks base method
func (m *MockCommonAPIClient) DistributionInspect(ctx context.Context, image, encodedRegistryAuth string) (registry.DistributionInspect, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "DistributionInspect", ctx, image, encodedRegistryAuth)
	ret0, _ := ret[0].(registry.DistributionInspect)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// DistributionInspect indicates an expected call of DistributionInspect
func (mr *MockCommonAPIClientMockRecorder) DistributionInspect(ctx, image, encodedRegistryAuth interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DistributionInspect", reflect.TypeOf((*MockCommonAPIClient)(nil).DistributionInspect), ctx, image, encodedRegistryAuth)
}

// ImageBuild mocks base method
func (m *MockCommonAPIClient) ImageBuild(ctx context.Context, context io.Reader, options types.ImageBuildOptions) (types.ImageBuildResponse, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ImageBuild", ctx, context, options)
	ret0, _ := ret[0].(types.ImageBuildResponse)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ImageBuild indicates an expected call of ImageBuild
func (mr *MockCommonAPIClientMockRecorder) ImageBuild(ctx, context, options interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ImageBuild", reflect.TypeOf((*MockCommonAPIClient)(nil).ImageBuild), ctx, context, options)
}

// BuildCachePrune mocks base method
func (m *MockCommonAPIClient) BuildCachePrune(ctx context.Context, opts types.BuildCachePruneOptions) (*types.BuildCachePruneReport, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "BuildCachePrune", ctx, opts)
	ret0, _ := ret[0].(*types.BuildCachePruneReport)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// BuildCachePrune indicates an expected call of BuildCachePrune
func (mr *MockCommonAPIClientMockRecorder) BuildCachePrune(ctx, opts interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "BuildCachePrune", reflect.TypeOf((*MockCommonAPIClient)(nil).BuildCachePrune), ctx, opts)
}

// BuildCancel mocks base method
func (m *MockCommonAPIClient) BuildCancel(ctx context.Context, id string) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "BuildCancel", ctx, id)
	ret0, _ := ret[0].(error)
	return ret0
}

// BuildCancel indicates an expected call of BuildCancel
func (mr *MockCommonAPIClientMockRecorder) BuildCancel(ctx, id interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "BuildCancel", reflect.TypeOf((*MockCommonAPIClient)(nil).BuildCancel), ctx, id)
}

// ImageCreate mocks base method
func (m *MockCommonAPIClient) ImageCreate(ctx context.Context, parentReference string, options types.ImageCreateOptions) (io.ReadCloser, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ImageCreate", ctx, parentReference, options)
	ret0, _ := ret[0].(io.ReadCloser)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ImageCreate indicates an expected call of ImageCreate
func (mr *MockCommonAPIClientMockRecorder) ImageCreate(ctx, parentReference, options interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ImageCreate", reflect.TypeOf((*MockCommonAPIClient)(nil).ImageCreate), ctx, parentReference, options)
}

// ImageHistory mocks base method
func (m *MockCommonAPIClient) ImageHistory(ctx context.Context, image string) ([]imagepkg.HistoryResponseItem, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ImageHistory", ctx, image)
	ret0, _ := ret[0].([]imagepkg.HistoryResponseItem)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ImageHistory indicates an expected call of ImageHistory
func (mr *MockCommonAPIClientMockRecorder) ImageHistory(ctx, image interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ImageHistory", reflect.TypeOf((*MockCommonAPIClient)(nil).ImageHistory), ctx, image)
}

// ImageImport mocks base method
func (m *MockCommonAPIClient) ImageImport(ctx context.Context, source types.ImageImportSource, ref string, options types.ImageImportOptions) (io.ReadCloser, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ImageImport", ctx, source, ref, options)
	ret0, _ := ret[0].(io.ReadCloser)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ImageImport indicates an expected call of ImageImport
func (mr *MockCommonAPIClientMockRecorder) ImageImport(ctx, source, ref, options interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ImageImport", reflect.TypeOf((*MockCommonAPIClient)(nil).ImageImport), ctx, source, ref, options)
}

// ImageInspectWithRaw mocks base method
func (m *MockCommonAPIClient) ImageInspectWithRaw(ctx context.Context, image string) (types.ImageInspect, []byte, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ImageInspectWithRaw", ctx, image)
	ret0, _ := ret[0].(types.ImageInspect)
	ret1, _ := ret[1].([]byte)
	ret2, _ := ret[2].(error)
	return ret0, ret1, ret2
}

// ImageInspectWithRaw indicates an expected call of ImageInspectWithRaw
func (mr *MockCommonAPIClientMockRecorder) ImageInspectWithRaw(ctx, image interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ImageInspectWithRaw", reflect.TypeOf((*MockCommonAPIClient)(nil).ImageInspectWithRaw), ctx, image)
}

// ImageList mocks base method
func (m *MockCommonAPIClient) ImageList(ctx context.Context, options types.ImageListOptions) ([]types.ImageSummary, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ImageList", ctx, options)
	ret0, _ := ret[0].([]types.ImageSummary)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ImageList indicates an expected call of ImageList
func (mr *MockCommonAPIClientMockRecorder) ImageList(ctx, options interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ImageList", reflect.TypeOf((*MockCommonAPIClient)(nil).ImageList), ctx, options)
}

// ImageLoad mocks base method
func (m *MockCommonAPIClient) ImageLoad(ctx context.Context, input io.Reader, quiet bool) (types.ImageLoadResponse, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ImageLoad", ctx, input, quiet)
	ret0, _ := ret[0].(types.ImageLoadResponse)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ImageLoad indicates an expected call of ImageLoad
func (mr *MockCommonAPIClientMockRecorder) ImageLoad(ctx, input, quiet interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ImageLoad", reflect.TypeOf((*MockCommonAPIClient)(nil).ImageLoad), ctx, input, quiet)
}

// ImagePull mocks base method
func (m *MockCommonAPIClient) ImagePull(ctx context.Context, ref string, options types.ImagePullOptions) (io.ReadCloser, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ImagePull", ctx, ref, options)
	ret0, _ := ret[0].(io.ReadCloser)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ImagePull indicates an expected call of ImagePull
func (mr *MockCommonAPIClientMockRecorder) ImagePull(ctx, ref, options interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ImagePull", reflect.TypeOf((*MockCommonAPIClient)(nil).ImagePull), ctx, ref, options)
}

// ImagePush mocks base method
func (m *MockCommonAPIClient) ImagePush(ctx context.Context, ref string, options types.ImagePushOptions) (io.ReadCloser, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ImagePush", ctx, ref, options)
	ret0, _ := ret[0].(io.ReadCloser)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ImagePush indicates an expected call of ImagePush
func (mr *MockCommonAPIClientMockRecorder) ImagePush(ctx, ref, options interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ImagePush", reflect.TypeOf((*MockCommonAPIClient)(nil).ImagePush), ctx, ref, options)
}

// ImageRemove mocks base method
func (m *MockCommonAPIClient) ImageRemove(ctx context.Context, image string, options types.ImageRemoveOptions) ([]types.ImageDeleteResponseItem, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ImageRemove", ctx, image, options)
	ret0, _ := ret[0].([]types.ImageDeleteResponseItem)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ImageRemove indicates an expected call of ImageRemove
func (mr *MockCommonAPIClientMockRecorder) ImageRemove(ctx, image, options interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ImageRemove", reflect.TypeOf((*MockCommonAPIClient)(nil).ImageRemove), ctx, image, options)
}

// ImageSearch mocks base method
func (m *MockCommonAPIClient) ImageSearch(ctx context.Context, term string, options types.ImageSearchOptions) ([]registry.SearchResult, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ImageSearch", ctx, term, options)
	ret0, _ := ret[0].([]registry.SearchResult)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ImageSearch indicates an expected call of ImageSearch
func (mr *MockCommonAPIClientMockRecorder) ImageSearch(ctx, term, options interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ImageSearch", reflect.TypeOf((*MockCommonAPIClient)(nil).ImageSearch), ctx, term, options)
}

// ImageSave mocks base method
func (m *MockCommonAPIClient) ImageSave(ctx context.Context, images []string) (io.ReadCloser, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ImageSave", ctx, images)
	ret0, _ := ret[0].(io.ReadCloser)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ImageSave indicates an expected call of ImageSave
func (mr *MockCommonAPIClientMockRecorder) ImageSave(ctx, images interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ImageSave", reflect.TypeOf((*MockCommonAPIClient)(nil).ImageSave), ctx, images)
}

// ImageTag mocks base method
func (m *MockCommonAPIClient) ImageTag(ctx context.Context, image, ref string) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ImageTag", ctx, image, ref)
	ret0, _ := ret[0].(error)
	return ret0
}

// ImageTag indicates an expected call of ImageTag
func (mr *MockCommonAPIClientMockRecorder) ImageTag(ctx, image, ref interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ImageTag", reflect.TypeOf((*MockCommonAPIClient)(nil).ImageTag), ctx, image, ref)
}

// ImagesPrune mocks base method
func (m *MockCommonAPIClient) ImagesPrune(ctx context.Context, pruneFilter filters.Args) (types.ImagesPruneReport, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ImagesPrune", ctx, pruneFilter)
	ret0, _ := ret[0].(types.ImagesPruneReport)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ImagesPrune indicates an expected call of ImagesPrune
func (mr *MockCommonAPIClientMockRecorder) ImagesPrune(ctx, pruneFilter interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ImagesPrune", reflect.TypeOf((*MockCommonAPIClient)(nil).ImagesPrune), ctx, pruneFilter)
}

// NodeInspectWithRaw mocks base method
func (m *MockCommonAPIClient) NodeInspectWithRaw(ctx context.Context, nodeID string) (swarm.Node, []byte, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "NodeInspectWithRaw", ctx, nodeID)
	ret0, _ := ret[0].(swarm.Node)
	ret1, _ := ret[1].([]byte)
	ret2, _ := ret[2].(error)
	return ret0, ret1, ret2
}

// NodeInspectWithRaw indicates an expected call of NodeInspectWithRaw
func (mr *MockCommonAPIClientMockRecorder) NodeInspectWithRaw(ctx, nodeID interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "NodeInspectWithRaw", reflect.TypeOf((*MockCommonAPIClient)(nil).NodeInspectWithRaw), ctx, nodeID)
}

// NodeList mocks base method
func (m *MockCommonAPIClient) NodeList(ctx context.Context, options types.NodeListOptions) ([]swarm.Node, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "NodeList", ctx, options)
	ret0, _ := ret[0].([]swarm.Node)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// NodeList indicates an expected call of NodeList
func (mr *MockCommonAPIClientMockRecorder) NodeList(ctx, options interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "NodeList", reflect.TypeOf((*MockCommonAPIClient)(nil).NodeList), ctx, options)
}

// NodeRemove mocks base method
func (m *MockCommonAPIClient) NodeRemove(ctx context.Context, nodeID string, options types.NodeRemoveOptions) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "NodeRemove", ctx, nodeID, options)
	ret0, _ := ret[0].(error)
	return ret0
}

// NodeRemove indicates an expected call of NodeRemove
func (mr *MockCommonAPIClientMockRecorder) NodeRemove(ctx, nodeID, options interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "NodeRemove", reflect.TypeOf((*MockCommonAPIClient)(nil).NodeRemove), ctx, nodeID, options)
}

// NodeUpdate mocks base method
func (m *MockCommonAPIClient) NodeUpdate(ctx context.Context, nodeID string, version swarm.Version, node swarm.NodeSpec) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "NodeUpdate", ctx, nodeID, version, node)
	ret0, _ := ret[0].(error)
	return ret0
}

// NodeUpdate indicates an expected call of NodeUpdate
func (mr *MockCommonAPIClientMockRecorder) NodeUpdate(ctx, nodeID, version, node interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "NodeUpdate", reflect.TypeOf((*MockCommonAPIClient)(nil).NodeUpdate), ctx, nodeID, version, node)
}

// NetworkConnect mocks base method
func (m *MockCommonAPIClient) NetworkConnect(ctx context.Context, network, container string, config *network.EndpointSettings) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "NetworkConnect", ctx, network, container, config)
	ret0, _ := ret[0].(error)
	return ret0
}

// NetworkConnect indicates an expected call of NetworkConnect
func (mr *MockCommonAPIClientMockRecorder) NetworkConnect(ctx, network, container, config interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "NetworkConnect", reflect.TypeOf((*MockCommonAPIClient)(nil).NetworkConnect), ctx, network, container, config)
}

// NetworkCreate mocks base method
func (m *MockCommonAPIClient) NetworkCreate(ctx context.Context, name string, options types.NetworkCreate) (types.NetworkCreateResponse, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "NetworkCreate", ctx, name, options)
	ret0, _ := ret[0].(types.NetworkCreateResponse)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// NetworkCreate indicates an expected call of NetworkCreate
func (mr *MockCommonAPIClientMockRecorder) NetworkCreate(ctx, name, options interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "NetworkCreate", reflect.TypeOf((*MockCommonAPIClient)(nil).NetworkCreate), ctx, name, options)
}

// NetworkDisconnect mocks base method
func (m *MockCommonAPIClient) NetworkDisconnect(ctx context.Context, network, container string, force bool) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "NetworkDisconnect", ctx, network, container, force)
	ret0, _ := ret[0].(error)
	return ret0
}

// NetworkDisconnect indicates an expected call of NetworkDisconnect
func (mr *MockCommonAPIClientMockRecorder) NetworkDisconnect(ctx, network, container, force interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "NetworkDisconnect", reflect.TypeOf((*MockCommonAPIClient)(nil).NetworkDisconnect), ctx, network, container, force)
}

// NetworkInspect mocks base method
func (m *MockCommonAPIClient) NetworkInspect(ctx context.Context, network string, options types.NetworkInspectOptions) (types.NetworkResource, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "NetworkInspect", ctx, network, options)
	ret0, _ := ret[0].(types.NetworkResource)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// NetworkInspect indicates an expected call of NetworkInspect
func (mr *MockCommonAPIClientMockRecorder) NetworkInspect(ctx, network, options interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "NetworkInspect", reflect.TypeOf((*MockCommonAPIClient)(nil).NetworkInspect), ctx, network, options)
}

// NetworkInspectWithRaw mocks base method
func (m *MockCommonAPIClient) NetworkInspectWithRaw(ctx context.Context, network string, options types.NetworkInspectOptions) (types.NetworkResource, []byte, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "NetworkInspectWithRaw", ctx, network, options)
	ret0, _ := ret[0].(types.NetworkResource)
	ret1, _ := ret[1].([]byte)
	ret2, _ := ret[2].(error)
	return ret0, ret1, ret2
}

// NetworkInspectWithRaw indicates an expected call of NetworkInspectWithRaw
func (mr *MockCommonAPIClientMockRecorder) NetworkInspectWithRaw(ctx, network, options interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "NetworkInspectWithRaw", reflect.TypeOf((*MockCommonAPIClient)(nil).NetworkInspectWithRaw), ctx, network, options)
}

// NetworkList mocks base method
func (m *MockCommonAPIClient) NetworkList(ctx context.Context, options types.NetworkListOptions) ([]types.NetworkResource, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "NetworkList", ctx, options)
	ret0, _ := ret[0].([]types.NetworkResource)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// NetworkList indicates an expected call of NetworkList
func (mr *MockCommonAPIClientMockRecorder) NetworkList(ctx, options interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "NetworkList", reflect.TypeOf((*MockCommonAPIClient)(nil).NetworkList), ctx, options)
}

// NetworkRemove mocks base method
func (m *MockCommonAPIClient) NetworkRemove(ctx context.Context, network string) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "NetworkRemove", ctx, network)
	ret0, _ := ret[0].(error)
	return ret0
}

// NetworkRemove indicates an expected call of NetworkRemove
func (mr *MockCommonAPIClientMockRecorder) NetworkRemove(ctx, network interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "NetworkRemove", reflect.TypeOf((*MockCommonAPIClient)(nil).NetworkRemove), ctx, network)
}

// NetworksPrune mocks base method
func (m *MockCommonAPIClient) NetworksPrune(ctx context.Context, pruneFilter filters.Args) (types.NetworksPruneReport, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "NetworksPrune", ctx, pruneFilter)
	ret0, _ := ret[0].(types.NetworksPruneReport)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// NetworksPrune indicates an expected call of NetworksPrune
func (mr *MockCommonAPIClientMockRecorder) NetworksPrune(ctx, pruneFilter interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "NetworksPrune", reflect.TypeOf((*MockCommonAPIClient)(nil).NetworksPrune), ctx, pruneFilter)
}

// PluginList mocks base method
func (m *MockCommonAPIClient) PluginList(ctx context.Context, filter filters.Args) (types.PluginsListResponse, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "PluginList", ctx, filter)
	ret0, _ := ret[0].(types.PluginsListResponse)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// PluginList indicates an expected call of PluginList
func (mr *MockCommonAPIClientMockRecorder) PluginList(ctx, filter interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "PluginList", reflect.TypeOf((*MockCommonAPIClient)(nil).PluginList), ctx, filter)
}

// PluginRemove mocks base method
func (m *MockCommonAPIClient) PluginRemove(ctx context.Context, name string, options types.PluginRemoveOptions) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "PluginRemove", ctx, name, options)
	ret0, _ := ret[0].(error)
	return ret0
}

// PluginRemove indicates an expected call of PluginRemove
func (mr *MockCommonAPIClientMockRecorder) PluginRemove(ctx, name, options interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "PluginRemove", reflect.TypeOf((*MockCommonAPIClient)(nil).PluginRemove), ctx, name, options)
}

// PluginEnable mocks base method
func (m *MockCommonAPIClient) PluginEnable(ctx context.Context, name string, options types.PluginEnableOptions) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "PluginEnable", ctx, name, options)
	ret0, _ := ret[0].(error)
	return ret0
}

// PluginEnable indicates an expected call of PluginEnable
func (mr *MockCommonAPIClientMockRecorder) PluginEnable(ctx, name, options interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "PluginEnable", reflect.TypeOf((*MockCommonAPIClient)(nil).PluginEnable), ctx, name, options)
}

// PluginDisable mocks base method
func (m *MockCommonAPIClient) PluginDisable(ctx context.Context, name string, options types.PluginDisableOptions) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "PluginDisable", ctx, name, options)
	ret0, _ := ret[0].(error)
	return ret0
}

// PluginDisable indicates an expected call of PluginDisable
func (mr *MockCommonAPIClientMockRecorder) PluginDisable(ctx, name, options interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "PluginDisable", reflect.TypeOf((*MockCommonAPIClient)(nil).PluginDisable), ctx, name, options)
}

// PluginInstall mocks base method
func (m *MockCommonAPIClient) PluginInstall(ctx context.Context, name string, options types.PluginInstallOptions) (io.ReadCloser, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "PluginInstall", ctx, name, options)
	ret0, _ := ret[0].(io.ReadCloser)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// PluginInstall indicates an expected call of PluginInstall
func (mr *MockCommonAPIClientMockRecorder) PluginInstall(ctx, name, options interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "PluginInstall", reflect.TypeOf((*MockCommonAPIClient)(nil).PluginInstall), ctx, name, options)
}

// PluginUpgrade mocks base method
func (m *MockCommonAPIClient) PluginUpgrade(ctx context.Context, name string, options types.PluginInstallOptions) (io.ReadCloser, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "PluginUpgrade", ctx, name, options)
	ret0, _ := ret[0].(io.ReadCloser)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// PluginUpgrade indicates an expected call of PluginUpgrade
func (mr *MockCommonAPIClientMockRecorder) PluginUpgrade(ctx, name, options interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "PluginUpgrade", reflect.TypeOf((*MockCommonAPIClient)(nil).PluginUpgrade), ctx, name, options)
}

// PluginPush mocks base method
func (m *MockCommonAPIClient) PluginPush(ctx context.Context, name, registryAuth string) (io.ReadCloser, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "PluginPush", ctx, name, registryAuth)
	ret0, _ := ret[0].(io.ReadCloser)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// PluginPush indicates an expected call of PluginPush
func (mr *MockCommonAPIClientMockRecorder) PluginPush(ctx, name, registryAuth interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "PluginPush", reflect.TypeOf((*MockCommonAPIClient)(nil).PluginPush), ctx, name, registryAuth)
}

// PluginSet mocks base method
func (m *MockCommonAPIClient) PluginSet(ctx context.Context, name string, args []string) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "PluginSet", ctx, name, args)
	ret0, _ := ret[0].(error)
	return ret0
}

// PluginSet indicates an expected call of PluginSet
func (mr *MockCommonAPIClientMockRecorder) PluginSet(ctx, name, args interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "PluginSet", reflect.TypeOf((*MockCommonAPIClient)(nil).PluginSet), ctx, name, args)
}

// PluginInspectWithRaw mocks base method
func (m *MockCommonAPIClient) PluginInspectWithRaw(ctx context.Context, name string) (*types.Plugin, []byte, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "PluginInspectWithRaw", ctx, name)
	ret0, _ := ret[0].(*types.Plugin)
	ret1, _ := ret[1].([]byte)
	ret2, _ := ret[2].(error)
	return ret0, ret1, ret2
}

// PluginInspectWithRaw indicates an expected call of PluginInspectWithRaw
func (mr *MockCommonAPIClientMockRecorder) PluginInspectWithRaw(ctx, name interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "PluginInspectWithRaw", reflect.TypeOf((*MockCommonAPIClient)(nil).PluginInspectWithRaw), ctx, name)
}

// PluginCreate mocks base method
func (m *MockCommonAPIClient) PluginCreate(ctx context.Context, createContext io.Reader, options types.PluginCreateOptions) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "PluginCreate", ctx, createContext, options)
	ret0, _ := ret[0].(error)
	return ret0
}

// PluginCreate indicates an expected call of PluginCreate
func (mr *MockCommonAPIClientMockRecorder) PluginCreate(ctx, createContext, options interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "PluginCreate", reflect.TypeOf((*MockCommonAPIClient)(nil).PluginCreate), ctx, createContext, options)
}

// ServiceCreate mocks base method
func (m *MockCommonAPIClient) ServiceCreate(ctx context.Context, service swarm.ServiceSpec, options types.ServiceCreateOptions) (types.ServiceCreateResponse, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ServiceCreate", ctx, service, options)
	ret0, _ := ret[0].(types.ServiceCreateResponse)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ServiceCreate indicates an expected call of ServiceCreate
func (mr *MockCommonAPIClientMockRecorder) ServiceCreate(ctx, service, options interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ServiceCreate", reflect.TypeOf((*MockCommonAPIClient)(nil).ServiceCreate), ctx, service, options)
}

// ServiceInspectWithRaw mocks base method
func (m *MockCommonAPIClient) ServiceInspectWithRaw(ctx context.Context, serviceID string, options types.ServiceInspectOptions) (swarm.Service, []byte, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ServiceInspectWithRaw", ctx, serviceID, options)
	ret0, _ := ret[0].(swarm.Service)
	ret1, _ := ret[1].([]byte)
	ret2, _ := ret[2].(error)
	return ret0, ret1, ret2
}

// ServiceInspectWithRaw indicates an expected call of ServiceInspectWithRaw
func (mr *MockCommonAPIClientMockRecorder) ServiceInspectWithRaw(ctx, serviceID, options interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ServiceInspectWithRaw", reflect.TypeOf((*MockCommonAPIClient)(nil).ServiceInspectWithRaw), ctx, serviceID, options)
}

// ServiceList mocks base method
func (m *MockCommonAPIClient) ServiceList(ctx context.Context, options types.ServiceListOptions) ([]swarm.Service, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ServiceList", ctx, options)
	ret0, _ := ret[0].([]swarm.Service)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ServiceList indicates an expected call of ServiceList
func (mr *MockCommonAPIClientMockRecorder) ServiceList(ctx, options interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ServiceList", reflect.TypeOf((*MockCommonAPIClient)(nil).ServiceList), ctx, options)
}

// ServiceRemove mocks base method
func (m *MockCommonAPIClient) ServiceRemove(ctx context.Context, serviceID string) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ServiceRemove", ctx, serviceID)
	ret0, _ := ret[0].(error)
	return ret0
}

// ServiceRemove indicates an expected call of ServiceRemove
func (mr *MockCommonAPIClientMockRecorder) ServiceRemove(ctx, serviceID interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ServiceRemove", reflect.TypeOf((*MockCommonAPIClient)(nil).ServiceRemove), ctx, serviceID)
}

// ServiceUpdate mocks base method
func (m *MockCommonAPIClient) ServiceUpdate(ctx context.Context, serviceID string, version swarm.Version, service swarm.ServiceSpec, options types.ServiceUpdateOptions) (types.ServiceUpdateResponse, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ServiceUpdate", ctx, serviceID, version, service, options)
	ret0, _ := ret[0].(types.ServiceUpdateResponse)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ServiceUpdate indicates an expected call of ServiceUpdate
func (mr *MockCommonAPIClientMockRecorder) ServiceUpdate(ctx, serviceID, version, service, options interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ServiceUpdate", reflect.TypeOf((*MockCommonAPIClient)(nil).ServiceUpdate), ctx, serviceID, version, service, options)
}

// ServiceLogs mocks base method
func (m *MockCommonAPIClient) ServiceLogs(ctx context.Context, serviceID string, options types.ContainerLogsOptions) (io.ReadCloser, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ServiceLogs", ctx, serviceID, options)
	ret0, _ := ret[0].(io.ReadCloser)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ServiceLogs indicates an expected call of ServiceLogs
func (mr *MockCommonAPIClientMockRecorder) ServiceLogs(ctx, serviceID, options interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ServiceLogs", reflect.TypeOf((*MockCommonAPIClient)(nil).ServiceLogs), ctx, serviceID, options)
}

// TaskLogs mocks base method
func (m *MockCommonAPIClient) TaskLogs(ctx context.Context, taskID string, options types.ContainerLogsOptions) (io.ReadCloser, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "TaskLogs", ctx, taskID, options)
	ret0, _ := ret[0].(io.ReadCloser)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// TaskLogs indicates an expected call of TaskLogs
func (mr *MockCommonAPIClientMockRecorder) TaskLogs(ctx, taskID, options interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "TaskLogs", reflect.TypeOf((*MockCommonAPIClient)(nil).TaskLogs), ctx, taskID, options)
}

// TaskInspectWithRaw mocks base method
func (m *MockCommonAPIClient) TaskInspectWithRaw(ctx context.Context, taskID string) (swarm.Task, []byte, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "TaskInspectWithRaw", ctx, taskID)
	ret0, _ := ret[0].(swarm.Task)
	ret1, _ := ret[1].([]byte)
	ret2, _ := ret[2].(error)
	return ret0, ret1, ret2
}

// TaskInspectWithRaw indicates an expected call of TaskInspectWithRaw
func (mr *MockCommonAPIClientMockRecorder) TaskInspectWithRaw(ctx, taskID interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "TaskInspectWithRaw", reflect.TypeOf((*MockCommonAPIClient)(nil).TaskInspectWithRaw), ctx, taskID)
}

// TaskList mocks base method
func (m *MockCommonAPIClient) TaskList(ctx context.Context, options types.TaskListOptions) ([]swarm.Task, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "TaskList", ctx, options)
	ret0, _ := ret[0].([]swarm.Task)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// TaskList indicates an expected call of TaskList
func (mr *MockCommonAPIClientMockRecorder) TaskList(ctx, options interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "TaskList", reflect.TypeOf((*MockCommonAPIClient)(nil).TaskList), ctx, options)
}

// SwarmInit mocks base method
func (m *MockCommonAPIClient) SwarmInit(ctx context.Context, req swarm.InitRequest) (string, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "SwarmInit", ctx, req)
	ret0, _ := ret[0].(string)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// SwarmInit indicates an expected call of SwarmInit
func (mr *MockCommonAPIClientMockRecorder) SwarmInit(ctx, req interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SwarmInit", reflect.TypeOf((*MockCommonAPIClient)(nil).SwarmInit), ctx, req)
}

// SwarmJoin mocks base method
func (m *MockCommonAPIClient) SwarmJoin(ctx context.Context, req swarm.JoinRequest) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "SwarmJoin", ctx, req)
	ret0, _ := ret[0].(error)
	return ret0
}

// SwarmJoin indicates an expected call of SwarmJoin
func (mr *MockCommonAPIClientMockRecorder) SwarmJoin(ctx, req interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SwarmJoin", reflect.TypeOf((*MockCommonAPIClient)(nil).SwarmJoin), ctx, req)
}

// SwarmGetUnlockKey mocks base method
func (m *MockCommonAPIClient) SwarmGetUnlockKey(ctx context.Context) (types.SwarmUnlockKeyResponse, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "SwarmGetUnlockKey", ctx)
	ret0, _ := ret[0].(types.SwarmUnlockKeyResponse)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// SwarmGetUnlockKey indicates an expected call of SwarmGetUnlockKey
func (mr *MockCommonAPIClientMockRecorder) SwarmGetUnlockKey(ctx interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SwarmGetUnlockKey", reflect.TypeOf((*MockCommonAPIClient)(nil).SwarmGetUnlockKey), ctx)
}

// SwarmUnlock mocks base method
func (m *MockCommonAPIClient) SwarmUnlock(ctx context.Context, req swarm.UnlockRequest) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "SwarmUnlock", ctx, req)
	ret0, _ := ret[0].(error)
	return ret0
}

// SwarmUnlock indicates an expected call of SwarmUnlock
func (mr *MockCommonAPIClientMockRecorder) SwarmUnlock(ctx, req interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SwarmUnlock", reflect.TypeOf((*MockCommonAPIClient)(nil).SwarmUnlock), ctx, req)
}

// SwarmLeave mocks base method
func (m *MockCommonAPIClient) SwarmLeave(ctx context.Context, force bool) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "SwarmLeave", ctx, force)
	ret0, _ := ret[0].(error)
	return ret0
}

// SwarmLeave indicates an expected call of SwarmLeave
func (mr *MockCommonAPIClientMockRecorder) SwarmLeave(ctx, force interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SwarmLeave", reflect.TypeOf((*MockCommonAPIClient)(nil).SwarmLeave), ctx, force)
}

// SwarmInspect mocks base method
func (m *MockCommonAPIClient) SwarmInspect(ctx context.Context) (swarm.Swarm, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "SwarmInspect", ctx)
	ret0, _ := ret[0].(swarm.Swarm)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// SwarmInspect indicates an expected call of SwarmInspect
func (mr *MockCommonAPIClientMockRecorder) SwarmInspect(ctx interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SwarmInspect", reflect.TypeOf((*MockCommonAPIClient)(nil).SwarmInspect), ctx)
}

// SwarmUpdate mocks base method
func (m *MockCommonAPIClient) SwarmUpdate(ctx context.Context, version swarm.Version, swarm swarm.Spec, flags swarm.UpdateFlags) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "SwarmUpdate", ctx, version, swarm, flags)
	ret0, _ := ret[0].(error)
	return ret0
}

// SwarmUpdate indicates an expected call of SwarmUpdate
func (mr *MockCommonAPIClientMockRecorder) SwarmUpdate(ctx, version, swarm, flags interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SwarmUpdate", reflect.TypeOf((*MockCommonAPIClient)(nil).SwarmUpdate), ctx, version, swarm, flags)
}

// SecretList mocks base method
func (m *MockCommonAPIClient) SecretList(ctx context.Context, options types.SecretListOptions) ([]swarm.Secret, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "SecretList", ctx, options)
	ret0, _ := ret[0].([]swarm.Secret)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// SecretList indicates an expected call of SecretList
func (mr *MockCommonAPIClientMockRecorder) SecretList(ctx, options interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SecretList", reflect.TypeOf((*MockCommonAPIClient)(nil).SecretList), ctx, options)
}

// SecretCreate mocks base method
func (m *MockCommonAPIClient) SecretCreate(ctx context.Context, secret swarm.SecretSpec) (types.SecretCreateResponse, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "SecretCreate", ctx, secret)
	ret0, _ := ret[0].(types.SecretCreateResponse)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// SecretCreate indicates an expected call of SecretCreate
func (mr *MockCommonAPIClientMockRecorder) SecretCreate(ctx, secret interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SecretCreate", reflect.TypeOf((*MockCommonAPIClient)(nil).SecretCreate), ctx, secret)
}

// SecretRemove mocks base method
func (m *MockCommonAPIClient) SecretRemove(ctx context.Context, id string) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "SecretRemove", ctx, id)
	ret0, _ := ret[0].(error)
	return ret0
}

// SecretRemove indicates an expected call of SecretRemove
func (mr *MockCommonAPIClientMockRecorder) SecretRemove(ctx, id interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SecretRemove", reflect.TypeOf((*MockCommonAPIClient)(nil).SecretRemove), ctx, id)
}

// SecretInspectWithRaw mocks base method
func (m *MockCommonAPIClient) SecretInspectWithRaw(ctx context.Context, name string) (swarm.Secret, []byte, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "SecretInspectWithRaw", ctx, name)
	ret0, _ := ret[0].(swarm.Secret)
	ret1, _ := ret[1].([]byte)
	ret2, _ := ret[2].(error)
	return ret0, ret1, ret2
}

// SecretInspectWithRaw indicates an expected call of SecretInspectWithRaw
func (mr *MockCommonAPIClientMockRecorder) SecretInspectWithRaw(ctx, name interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SecretInspectWithRaw", reflect.TypeOf((*MockCommonAPIClient)(nil).SecretInspectWithRaw), ctx, name)
}

// SecretUpdate mocks base method
func (m *MockCommonAPIClient) SecretUpdate(ctx context.Context, id string, version swarm.Version, secret swarm.SecretSpec) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "SecretUpdate", ctx, id, version, secret)
	ret0, _ := ret[0].(error)
	return ret0
}

// SecretUpdate indicates an expected call of SecretUpdate
func (mr *MockCommonAPIClientMockRecorder) SecretUpdate(ctx, id, version, secret interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SecretUpdate", reflect.TypeOf((*MockCommonAPIClient)(nil).SecretUpdate), ctx, id, version, secret)
}

// Events mocks base method
func (m *MockCommonAPIClient) Events(ctx context.Context, options types.EventsOptions) (<-chan events.Message, <-chan error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "Events", ctx, options)
	ret0, _ := ret[0].(<-chan events.Message)
	ret1, _ := ret[1].(<-chan error)
	return ret0, ret1
}

// Events indicates an expected call of Events
func (mr *MockCommonAPIClientMockRecorder) Events(ctx, options interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Events", reflect.TypeOf((*MockCommonAPIClient)(nil).Events), ctx, options)
}

// Info mocks base method
func (m *MockCommonAPIClient) Info(ctx context.Context) (types.Info, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "Info", ctx)
	ret0, _ := ret[0].(types.Info)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// Info indicates an expected call of Info
func (mr *MockCommonAPIClientMockRecorder) Info(ctx interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Info", reflect.TypeOf((*MockCommonAPIClient)(nil).Info), ctx)
}

// RegistryLogin mocks base method
func (m *MockCommonAPIClient) RegistryLogin(ctx context.Context, auth types.AuthConfig) (registry.AuthenticateOKBody, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "RegistryLogin", ctx, auth)
	ret0, _ := ret[0].(registry.AuthenticateOKBody)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// RegistryLogin indicates an expected call of RegistryLogin
func (mr *MockCommonAPIClientMockRecorder) RegistryLogin(ctx, auth interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RegistryLogin", reflect.TypeOf((*MockCommonAPIClient)(nil).RegistryLogin), ctx, auth)
}

// DiskUsage mocks base method
func (m *MockCommonAPIClient) DiskUsage(ctx context.Context) (types.DiskUsage, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "DiskUsage", ctx)
	ret0, _ := ret[0].(types.DiskUsage)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// DiskUsage indicates an expected call of DiskUsage
func (mr *MockCommonAPIClientMockRecorder) DiskUsage(ctx interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DiskUsage", reflect.TypeOf((*MockCommonAPIClient)(nil).DiskUsage), ctx)
}

// Ping mocks base method
func (m *MockCommonAPIClient) Ping(ctx context.Context) (types.Ping, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "Ping", ctx)
	ret0, _ := ret[0].(types.Ping)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// Ping indicates an expected call of Ping
func (mr *MockCommonAPIClientMockRecorder) Ping(ctx interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Ping", reflect.TypeOf((*MockCommonAPIClient)(nil).Ping), ctx)
}

// VolumeCreate mocks base method
func (m *MockCommonAPIClient) VolumeCreate(ctx context.Context, options volume.VolumeCreateBody) (types.Volume, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "VolumeCreate", ctx, options)
	ret0, _ := ret[0].(types.Volume)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// VolumeCreate indicates an expected call of VolumeCreate
func (mr *MockCommonAPIClientMockRecorder) VolumeCreate(ctx, options interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "VolumeCreate", reflect.TypeOf((*MockCommonAPIClient)(nil).VolumeCreate), ctx, options)
}

// VolumeInspect mocks base method
func (m *MockCommonAPIClient) VolumeInspect(ctx context.Context, volumeID string) (types.Volume, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "VolumeInspect", ctx, volumeID)
	ret0, _ := ret[0].(types.Volume)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// VolumeInspect indicates an expected call of VolumeInspect
func (mr *MockCommonAPIClientMockRecorder) VolumeInspect(ctx, volumeID interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "VolumeInspect", reflect.TypeOf((*MockCommonAPIClient)(nil).VolumeInspect), ctx, volumeID)
}

// VolumeInspectWithRaw mocks base method
func (m *MockCommonAPIClient) VolumeInspectWithRaw(ctx context.Context, volumeID string) (types.Volume, []byte, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "VolumeInspectWithRaw", ctx, volumeID)
	ret0, _ := ret[0].(types.Volume)
	ret1, _ := ret[1].([]byte)
	ret2, _ := ret[2].(error)
	return ret0, ret1, ret2
}

// VolumeInspectWithRaw indicates an expected call of VolumeInspectWithRaw
func (mr *MockCommonAPIClientMockRecorder) VolumeInspectWithRaw(ctx, volumeID interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "VolumeInspectWithRaw", reflect.TypeOf((*MockCommonAPIClient)(nil).VolumeInspectWithRaw), ctx, volumeID)
}

// VolumeList mocks base method
func (m *MockCommonAPIClient) VolumeList(ctx context.Context, filter filters.Args) (volume.VolumeListOKBody, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "VolumeList", ctx, filter)
	ret0, _ := ret[0].(volume.VolumeListOKBody)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// VolumeList indicates an expected call of VolumeList
func (mr *MockCommonAPIClientMockRecorder) VolumeList(ctx, filter interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "VolumeList", reflect.TypeOf((*MockCommonAPIClient)(nil).VolumeList), ctx, filter)
}

// VolumeRemove mocks base method
func (m *MockCommonAPIClient) VolumeRemove(ctx context.Context, volumeID string, force bool) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "VolumeRemove", ctx, volumeID, force)
	ret0, _ := ret[0].(error)
	return ret0
}

// VolumeRemove indicates an expected call of VolumeRemove
func (mr *MockCommonAPIClientMockRecorder) VolumeRemove(ctx, volumeID, force interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "VolumeRemove", reflect.TypeOf((*MockCommonAPIClient)(nil).VolumeRemove), ctx, volumeID, force)
}

// VolumesPrune mocks base method
func (m *MockCommonAPIClient) VolumesPrune(ctx context.Context, pruneFilter filters.Args) (types.VolumesPruneReport, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "VolumesPrune", ctx, pruneFilter)
	ret0, _ := ret[0].(types.VolumesPruneReport)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// VolumesPrune indicates an expected call of VolumesPrune
func (mr *MockCommonAPIClientMockRecorder) VolumesPrune(ctx, pruneFilter interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "VolumesPrune", reflect.TypeOf((*MockCommonAPIClient)(nil).VolumesPrune), ctx, pruneFilter)
}

// ClientVersion mocks base method
func (m *MockCommonAPIClient) ClientVersion() string {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ClientVersion")
	ret0, _ := ret[0].(string)
	return ret0
}

// ClientVersion indicates an expected call of ClientVersion
func (mr *MockCommonAPIClientMockRecorder) ClientVersion() *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ClientVersion", reflect.TypeOf((*MockCommonAPIClient)(nil).ClientVersion))
}

// DaemonHost mocks base method
func (m *MockCommonAPIClient) DaemonHost() string {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "DaemonHost")
	ret0, _ := ret[0].(string)
	return ret0
}

// DaemonHost indicates an expected call of DaemonHost
func (mr *MockCommonAPIClientMockRecorder) DaemonHost() *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DaemonHost", reflect.TypeOf((*MockCommonAPIClient)(nil).DaemonHost))
}

// HTTPClient mocks base method
func (m *MockCommonAPIClient) HTTPClient() *http.Client {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "HTTPClient")
	ret0, _ := ret[0].(*http.Client)
	return ret0
}

// HTTPClient indicates an expected call of HTTPClient
func (mr *MockCommonAPIClientMockRecorder) HTTPClient() *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "HTTPClient", reflect.TypeOf((*MockCommonAPIClient)(nil).HTTPClient))
}

// ServerVersion mocks base method
func (m *MockCommonAPIClient) ServerVersion(ctx context.Context) (types.Version, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ServerVersion", ctx)
	ret0, _ := ret[0].(types.Version)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ServerVersion indicates an expected call of ServerVersion
func (mr *MockCommonAPIClientMockRecorder) ServerVersion(ctx interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ServerVersion", reflect.TypeOf((*MockCommonAPIClient)(nil).ServerVersion), ctx)
}

// NegotiateAPIVersion mocks base method
func (m *MockCommonAPIClient) NegotiateAPIVersion(ctx context.Context) {
	m.ctrl.T.Helper()
	m.ctrl.Call(m, "NegotiateAPIVersion", ctx)
}

// NegotiateAPIVersion indicates an expected call of NegotiateAPIVersion
func (mr *MockCommonAPIClientMockRecorder) NegotiateAPIVersion(ctx interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "NegotiateAPIVersion", reflect.TypeOf((*MockCommonAPIClient)(nil).NegotiateAPIVersion), ctx)
}

// NegotiateAPIVersionPing mocks base method
func (m *MockCommonAPIClient) NegotiateAPIVersionPing(arg0 types.Ping) {
	m.ctrl.T.Helper()
	m.ctrl.Call(m, "NegotiateAPIVersionPing", arg0)
}

// NegotiateAPIVersionPing indicates an expected call of NegotiateAPIVersionPing
func (mr *MockCommonAPIClientMockRecorder) NegotiateAPIVersionPing(arg0 interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "NegotiateAPIVersionPing", reflect.TypeOf((*MockCommonAPIClient)(nil).NegotiateAPIVersionPing), arg0)
}

// DialHijack mocks base method
func (m *MockCommonAPIClient) DialHijack(ctx context.Context, url, proto string, meta map[string][]string) (net.Conn, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "DialHijack", ctx, url, proto, meta)
	ret0, _ := ret[0].(net.Conn)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// DialHijack indicates an expected call of DialHijack
func (mr *MockCommonAPIClientMockRecorder) DialHijack(ctx, url, proto, meta interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DialHijack", reflect.TypeOf((*MockCommonAPIClient)(nil).DialHijack), ctx, url, proto, meta)
}

// Dialer mocks base method
func (m *MockCommonAPIClient) Dialer() func(context.Context) (net.Conn, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "Dialer")
	ret0, _ := ret[0].(func(context.Context) (net.Conn, error))
	return ret0
}

// Dialer indicates an expected call of Dialer
func (mr *MockCommonAPIClientMockRecorder) Dialer() *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Dialer", reflect.TypeOf((*MockCommonAPIClient)(nil).Dialer))
}

// Close mocks base method
func (m *MockCommonAPIClient) Close() error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "Close")
	ret0, _ := ret[0].(error)
	return ret0
}

// Close indicates an expected call of Close
func (mr *MockCommonAPIClientMockRecorder) Close() *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Close", reflect.TypeOf((*MockCommonAPIClient)(nil).Close))
}

// MockContainerAPIClient is a mock of ContainerAPIClient interface
type MockContainerAPIClient struct {
	ctrl     *gomock.Controller
	recorder *MockContainerAPIClientMockRecorder
}

// MockContainerAPIClientMockRecorder is the mock recorder for MockContainerAPIClient
type MockContainerAPIClientMockRecorder struct {
	mock *MockContainerAPIClient
}

// NewMockContainerAPIClient creates a new mock instance
func NewMockContainerAPIClient(ctrl *gomock.Controller) *MockContainerAPIClient {
	mock := &MockContainerAPIClient{ctrl: ctrl}
	mock.recorder = &MockContainerAPIClientMockRecorder{mock}
	return mock
}

// EXPECT returns an object that allows the caller to indicate expected use
func (m *MockContainerAPIClient) EXPECT() *MockContainerAPIClientMockRecorder {
	return m.recorder
}

// ContainerAttach mocks base method
func (m *MockContainerAPIClient) ContainerAttach(ctx context.Context, container string, options types.ContainerAttachOptions) (types.HijackedResponse, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ContainerAttach", ctx, container, options)
	ret0, _ := ret[0].(types.HijackedResponse)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ContainerAttach indicates an expected call of ContainerAttach
func (mr *MockContainerAPIClientMockRecorder) ContainerAttach(ctx, container, options interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ContainerAttach", reflect.TypeOf((*MockContainerAPIClient)(nil).ContainerAttach), ctx, container, options)
}

// ContainerCommit mocks base method
func (m *MockContainerAPIClient) ContainerCommit(ctx context.Context, container string, options types.ContainerCommitOptions) (types.IDResponse, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ContainerCommit", ctx, container, options)
	ret0, _ := ret[0].(types.IDResponse)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ContainerCommit indicates an expected call of ContainerCommit
func (mr *MockContainerAPIClientMockRecorder) ContainerCommit(ctx, container, options interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ContainerCommit", reflect.TypeOf((*MockContainerAPIClient)(nil).ContainerCommit), ctx, container, options)
}

// ContainerCreate mocks base method
func (m *MockContainerAPIClient) ContainerCreate(ctx context.Context, config *containerpkg.Config, hostConfig *containerpkg.HostConfig, networkingConfig *network.NetworkingConfig, containerName string) (containerpkg.ContainerCreateCreatedBody, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ContainerCreate", ctx, config, hostConfig, networkingConfig, containerName)
	ret0, _ := ret[0].(containerpkg.ContainerCreateCreatedBody)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ContainerCreate indicates an expected call of ContainerCreate
func (mr *MockContainerAPIClientMockRecorder) ContainerCreate(ctx, config, hostConfig, networkingConfig, containerName interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ContainerCreate", reflect.TypeOf((*MockContainerAPIClient)(nil).ContainerCreate), ctx, config, hostConfig, networkingConfig, containerName)
}

// ContainerDiff mocks base method
func (m *MockContainerAPIClient) ContainerDiff(ctx context.Context, container string) ([]containerpkg.ContainerChangeResponseItem, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ContainerDiff", ctx, container)
	ret0, _ := ret[0].([]containerpkg.ContainerChangeResponseItem)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ContainerDiff indicates an expected call of ContainerDiff
func (mr *MockContainerAPIClientMockRecorder) ContainerDiff(ctx, container interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ContainerDiff", reflect.TypeOf((*MockContainerAPIClient)(nil).ContainerDiff), ctx, container)
}

// ContainerExecAttach mocks base method
func (m *MockContainerAPIClient) ContainerExecAttach(ctx context.Context, execID string, config types.ExecStartCheck) (types.HijackedResponse, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ContainerExecAttach", ctx, execID, config)
	ret0, _ := ret[0].(types.HijackedResponse)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ContainerExecAttach indicates an expected call of ContainerExecAttach
func (mr *MockContainerAPIClientMockRecorder) ContainerExecAttach(ctx, execID, config interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ContainerExecAttach", reflect.TypeOf((*MockContainerAPIClient)(nil).ContainerExecAttach), ctx, execID, config)
}

// ContainerExecCreate mocks base method
func (m *MockContainerAPIClient) ContainerExecCreate(ctx context.Context, container string, config types.ExecConfig) (types.IDResponse, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ContainerExecCreate", ctx, container, config)
	ret0, _ := ret[0].(types.IDResponse)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ContainerExecCreate indicates an expected call of ContainerExecCreate
func (mr *MockContainerAPIClientMockRecorder) ContainerExecCreate(ctx, container, config interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ContainerExecCreate", reflect.TypeOf((*MockContainerAPIClient)(nil).ContainerExecCreate), ctx, container, config)
}

// ContainerExecInspect mocks base method
func (m *MockContainerAPIClient) ContainerExecInspect(ctx context.Context, execID string) (types.ContainerExecInspect, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ContainerExecInspect", ctx, execID)
	ret0, _ := ret[0].(types.ContainerExecInspect)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ContainerExecInspect indicates an expected call of ContainerExecInspect
func (mr *MockContainerAPIClientMockRecorder) ContainerExecInspect(ctx, execID interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ContainerExecInspect", reflect.TypeOf((*MockContainerAPIClient)(nil).ContainerExecInspect), ctx, execID)
}

// ContainerExecResize mocks base method
func (m *MockContainerAPIClient) ContainerExecResize(ctx context.Context, execID string, options types.ResizeOptions) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ContainerExecResize", ctx, execID, options)
	ret0, _ := ret[0].(error)
	return ret0
}

// ContainerExecResize indicates an expected call of ContainerExecResize
func (mr *MockContainerAPIClientMockRecorder) ContainerExecResize(ctx, execID, options interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ContainerExecResize", reflect.TypeOf((*MockContainerAPIClient)(nil).ContainerExecResize), ctx, execID, options)
}

// ContainerExecStart mocks base method
func (m *MockContainerAPIClient) ContainerExecStart(ctx context.Context, execID string, config types.ExecStartCheck) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ContainerExecStart", ctx, execID, config)
	ret0, _ := ret[0].(error)
	return ret0
}

// ContainerExecStart indicates an expected call of ContainerExecStart
func (mr *MockContainerAPIClientMockRecorder) ContainerExecStart(ctx, execID, config interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ContainerExecStart", reflect.TypeOf((*MockContainerAPIClient)(nil).ContainerExecStart), ctx, execID, config)
}

// ContainerExport mocks base method
func (m *MockContainerAPIClient) ContainerExport(ctx context.Context, container string) (io.ReadCloser, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ContainerExport", ctx, container)
	ret0, _ := ret[0].(io.ReadCloser)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ContainerExport indicates an expected call of ContainerExport
func (mr *MockContainerAPIClientMockRecorder) ContainerExport(ctx, container interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ContainerExport", reflect.TypeOf((*MockContainerAPIClient)(nil).ContainerExport), ctx, container)
}

// ContainerInspect mocks base method
func (m *MockContainerAPIClient) ContainerInspect(ctx context.Context, container string) (types.ContainerJSON, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ContainerInspect", ctx, container)
	ret0, _ := ret[0].(types.ContainerJSON)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ContainerInspect indicates an expected call of ContainerInspect
func (mr *MockContainerAPIClientMockRecorder) ContainerInspect(ctx, container interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ContainerInspect", reflect.TypeOf((*MockContainerAPIClient)(nil).ContainerInspect), ctx, container)
}

// ContainerInspectWithRaw mocks base method
func (m *MockContainerAPIClient) ContainerInspectWithRaw(ctx context.Context, container string, getSize bool) (types.ContainerJSON, []byte, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ContainerInspectWithRaw", ctx, container, getSize)
	ret0, _ := ret[0].(types.ContainerJSON)
	ret1, _ := ret[1].([]byte)
	ret2, _ := ret[2].(error)
	return ret0, ret1, ret2
}

// ContainerInspectWithRaw indicates an expected call of ContainerInspectWithRaw
func (mr *MockContainerAPIClientMockRecorder) ContainerInspectWithRaw(ctx, container, getSize interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ContainerInspectWithRaw", reflect.TypeOf((*MockContainerAPIClient)(nil).ContainerInspectWithRaw), ctx, container, getSize)
}

// ContainerKill mocks base method
func (m *MockContainerAPIClient) ContainerKill(ctx context.Context, container, signal string) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ContainerKill", ctx, container, signal)
	ret0, _ := ret[0].(error)
	return ret0
}

// ContainerKill indicates an expected call of ContainerKill
func (mr *MockContainerAPIClientMockRecorder) ContainerKill(ctx, container, signal interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ContainerKill", reflect.TypeOf((*MockContainerAPIClient)(nil).ContainerKill), ctx, container, signal)
}

// ContainerList mocks base method
func (m *MockContainerAPIClient) ContainerList(ctx context.Context, options types.ContainerListOptions) ([]types.Container, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ContainerList", ctx, options)
	ret0, _ := ret[0].([]types.Container)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ContainerList indicates an expected call of ContainerList
func (mr *MockContainerAPIClientMockRecorder) ContainerList(ctx, options interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ContainerList", reflect.TypeOf((*MockContainerAPIClient)(nil).ContainerList), ctx, options)
}

// ContainerLogs mocks base method
func (m *MockContainerAPIClient) ContainerLogs(ctx context.Context, container string, options types.ContainerLogsOptions) (io.ReadCloser, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ContainerLogs", ctx, container, options)
	ret0, _ := ret[0].(io.ReadCloser)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ContainerLogs indicates an expected call of ContainerLogs
func (mr *MockContainerAPIClientMockRecorder) ContainerLogs(ctx, container, options interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ContainerLogs", reflect.TypeOf((*MockContainerAPIClient)(nil).ContainerLogs), ctx, container, options)
}

// ContainerPause mocks base method
func (m *MockContainerAPIClient) ContainerPause(ctx context.Context, container string) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ContainerPause", ctx, container)
	ret0, _ := ret[0].(error)
	return ret0
}

// ContainerPause indicates an expected call of ContainerPause
func (mr *MockContainerAPIClientMockRecorder) ContainerPause(ctx, container interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ContainerPause", reflect.TypeOf((*MockContainerAPIClient)(nil).ContainerPause), ctx, container)
}

// ContainerRemove mocks base method
func (m *MockContainerAPIClient) ContainerRemove(ctx context.Context, container string, options types.ContainerRemoveOptions) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ContainerRemove", ctx, container, options)
	ret0, _ := ret[0].(error)
	return ret0
}

// ContainerRemove indicates an expected call of ContainerRemove
func (mr *MockContainerAPIClientMockRecorder) ContainerRemove(ctx, container, options interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ContainerRemove", reflect.TypeOf((*MockContainerAPIClient)(nil).ContainerRemove), ctx, container, options)
}

// ContainerRename mocks base method
func (m *MockContainerAPIClient) ContainerRename(ctx context.Context, container, newContainerName string) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ContainerRename", ctx, container, newContainerName)
	ret0, _ := ret[0].(error)
	return ret0
}

// ContainerRename indicates an expected call of ContainerRename
func (mr *MockContainerAPIClientMockRecorder) ContainerRename(ctx, container, newContainerName interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ContainerRename", reflect.TypeOf((*MockContainerAPIClient)(nil).ContainerRename), ctx, container, newContainerName)
}

// ContainerResize mocks base method
func (m *MockContainerAPIClient) ContainerResize(ctx context.Context, container string, options types.ResizeOptions) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ContainerResize", ctx, container, options)
	ret0, _ := ret[0].(error)
	return ret0
}

// ContainerResize indicates an expected call of ContainerResize
func (mr *MockContainerAPIClientMockRecorder) ContainerResize(ctx, container, options interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ContainerResize", reflect.TypeOf((*MockContainerAPIClient)(nil).ContainerResize), ctx, container, options)
}

// ContainerRestart mocks base method
func (m *MockContainerAPIClient) ContainerRestart(ctx context.Context, container string, timeout *time.Duration) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ContainerRestart", ctx, container, timeout)
	ret0, _ := ret[0].(error)
	return ret0
}

// ContainerRestart indicates an expected call of ContainerRestart
func (mr *MockContainerAPIClientMockRecorder) ContainerRestart(ctx, container, timeout interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ContainerRestart", reflect.TypeOf((*MockContainerAPIClient)(nil).ContainerRestart), ctx, container, timeout)
}

// ContainerStatPath mocks base method
func (m *MockContainerAPIClient) ContainerStatPath(ctx context.Context, container, path string) (types.ContainerPathStat, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ContainerStatPath", ctx, container, path)
	ret0, _ := ret[0].(types.ContainerPathStat)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ContainerStatPath indicates an expected call of ContainerStatPath
func (mr *MockContainerAPIClientMockRecorder) ContainerStatPath(ctx, container, path interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ContainerStatPath", reflect.TypeOf((*MockContainerAPIClient)(nil).ContainerStatPath), ctx, container, path)
}

// ContainerStats mocks base method
func (m *MockContainerAPIClient) ContainerStats(ctx context.Context, container string, stream bool) (types.ContainerStats, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ContainerStats", ctx, container, stream)
	ret0, _ := ret[0].(types.ContainerStats)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ContainerStats indicates an expected call of ContainerStats
func (mr *MockContainerAPIClientMockRecorder) ContainerStats(ctx, container, stream interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ContainerStats", reflect.TypeOf((*MockContainerAPIClient)(nil).ContainerStats), ctx, container, stream)
}

// ContainerStart mocks base method
func (m *MockContainerAPIClient) ContainerStart(ctx context.Context, container string, options types.ContainerStartOptions) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ContainerStart", ctx, container, options)
	ret0, _ := ret[0].(error)
	return ret0
}

// ContainerStart indicates an expected call of ContainerStart
func (mr *MockContainerAPIClientMockRecorder) ContainerStart(ctx, container, options interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ContainerStart", reflect.TypeOf((*MockContainerAPIClient)(nil).ContainerStart), ctx, container, options)
}

// ContainerStop mocks base method
func (m *MockContainerAPIClient) ContainerStop(ctx context.Context, container string, timeout *time.Duration) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ContainerStop", ctx, container, timeout)
	ret0, _ := ret[0].(error)
	return ret0
}

// ContainerStop indicates an expected call of ContainerStop
func (mr *MockContainerAPIClientMockRecorder) ContainerStop(ctx, container, timeout interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ContainerStop", reflect.TypeOf((*MockContainerAPIClient)(nil).ContainerStop), ctx, container, timeout)
}

// ContainerTop mocks base method
func (m *MockContainerAPIClient) ContainerTop(ctx context.Context, container string, arguments []string) (containerpkg.ContainerTopOKBody, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ContainerTop", ctx, container, arguments)
	ret0, _ := ret[0].(containerpkg.ContainerTopOKBody)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ContainerTop indicates an expected call of ContainerTop
func (mr *MockContainerAPIClientMockRecorder) ContainerTop(ctx, container, arguments interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ContainerTop", reflect.TypeOf((*MockContainerAPIClient)(nil).ContainerTop), ctx, container, arguments)
}

// ContainerUnpause mocks base method
func (m *MockContainerAPIClient) ContainerUnpause(ctx context.Context, container string) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ContainerUnpause", ctx, container)
	ret0, _ := ret[0].(error)
	return ret0
}

// ContainerUnpause indicates an expected call of ContainerUnpause
func (mr *MockContainerAPIClientMockRecorder) ContainerUnpause(ctx, container interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ContainerUnpause", reflect.TypeOf((*MockContainerAPIClient)(nil).ContainerUnpause), ctx, container)
}

// ContainerUpdate mocks base method
func (m *MockContainerAPIClient) ContainerUpdate(ctx context.Context, container string, updateConfig containerpkg.UpdateConfig) (containerpkg.ContainerUpdateOKBody, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ContainerUpdate", ctx, container, updateConfig)
	ret0, _ := ret[0].(containerpkg.ContainerUpdateOKBody)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ContainerUpdate indicates an expected call of ContainerUpdate
func (mr *MockContainerAPIClientMockRecorder) ContainerUpdate(ctx, container, updateConfig interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ContainerUpdate", reflect.TypeOf((*MockContainerAPIClient)(nil).ContainerUpdate), ctx, container, updateConfig)
}

// ContainerWait mocks base method
func (m *MockContainerAPIClient) ContainerWait(ctx context.Context, container string, condition containerpkg.WaitCondition) (<-chan containerpkg.ContainerWaitOKBody, <-chan error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ContainerWait", ctx, container, condition)
	ret0, _ := ret[0].(<-chan containerpkg.ContainerWaitOKBody)
	ret1, _ := ret[1].(<-chan error)
	return ret0, ret1
}

// ContainerWait indicates an expected call of ContainerWait
func (mr *MockContainerAPIClientMockRecorder) ContainerWait(ctx, container, condition interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ContainerWait", reflect.TypeOf((*MockContainerAPIClient)(nil).ContainerWait), ctx, container, condition)
}

// CopyFromContainer mocks base method
func (m *MockContainerAPIClient) CopyFromContainer(ctx context.Context, container, srcPath string) (io.ReadCloser, types.ContainerPathStat, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "CopyFromContainer", ctx, container, srcPath)
	ret0, _ := ret[0].(io.ReadCloser)
	ret1, _ := ret[1].(types.ContainerPathStat)
	ret2, _ := ret[2].(error)
	return ret0, ret1, ret2
}

// CopyFromContainer indicates an expected call of CopyFromContainer
func (mr *MockContainerAPIClientMockRecorder) CopyFromContainer(ctx, container, srcPath interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CopyFromContainer", reflect.TypeOf((*MockContainerAPIClient)(nil).CopyFromContainer), ctx, container, srcPath)
}

// CopyToContainer mocks base method
func (m *MockContainerAPIClient) CopyToContainer(ctx context.Context, container, path string, content io.Reader, options types.CopyToContainerOptions) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "CopyToContainer", ctx, container, path, content, options)
	ret0, _ := ret[0].(error)
	return ret0
}

// CopyToContainer indicates an expected call of CopyToContainer
func (mr *MockContainerAPIClientMockRecorder) CopyToContainer(ctx, container, path, content, options interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CopyToContainer", reflect.TypeOf((*MockContainerAPIClient)(nil).CopyToContainer), ctx, container, path, content, options)
}

// ContainersPrune mocks base method
func (m *MockContainerAPIClient) ContainersPrune(ctx context.Context, pruneFilters filters.Args) (types.ContainersPruneReport, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ContainersPrune", ctx, pruneFilters)
	ret0, _ := ret[0].(types.ContainersPruneReport)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ContainersPrune indicates an expected call of ContainersPrune
func (mr *MockContainerAPIClientMockRecorder) ContainersPrune(ctx, pruneFilters interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ContainersPrune", reflect.TypeOf((*MockContainerAPIClient)(nil).ContainersPrune), ctx, pruneFilters)
}

// MockDistributionAPIClient is a mock of DistributionAPIClient interface
type MockDistributionAPIClient struct {
	ctrl     *gomock.Controller
	recorder *MockDistributionAPIClientMockRecorder
}

// MockDistributionAPIClientMockRecorder is the mock recorder for MockDistributionAPIClient
type MockDistributionAPIClientMockRecorder struct {
	mock *MockDistributionAPIClient
}

// NewMockDistributionAPIClient creates a new mock instance
func NewMockDistributionAPIClient(ctrl *gomock.Controller) *MockDistributionAPIClient {
	mock := &MockDistributionAPIClient{ctrl: ctrl}
	mock.recorder = &MockDistributionAPIClientMockRecorder{mock}
	return mock
}

// EXPECT returns an object that allows the caller to indicate expected use
func (m *MockDistributionAPIClient) EXPECT() *MockDistributionAPIClientMockRecorder {
	return m.recorder
}

// DistributionInspect mocks base method
func (m *MockDistributionAPIClient) DistributionInspect(ctx context.Context, image, encodedRegistryAuth string) (registry.DistributionInspect, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "DistributionInspect", ctx, image, encodedRegistryAuth)
	ret0, _ := ret[0].(registry.DistributionInspect)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// DistributionInspect indicates an expected call of DistributionInspect
func (mr *MockDistributionAPIClientMockRecorder) DistributionInspect(ctx, image, encodedRegistryAuth interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DistributionInspect", reflect.TypeOf((*MockDistributionAPIClient)(nil).DistributionInspect), ctx, image, encodedRegistryAuth)
}

// MockImageAPIClient is a mock of ImageAPIClient interface
type MockImageAPIClient struct {
	ctrl     *gomock.Controller
	recorder *MockImageAPIClientMockRecorder
}

// MockImageAPIClientMockRecorder is the mock recorder for MockImageAPIClient
type MockImageAPIClientMockRecorder struct {
	mock *MockImageAPIClient
}

// NewMockImageAPIClient creates a new mock instance
func NewMockImageAPIClient(ctrl *gomock.Controller) *MockImageAPIClient {
	mock := &MockImageAPIClient{ctrl: ctrl}
	mock.recorder = &MockImageAPIClientMockRecorder{mock}
	return mock
}

// EXPECT returns an object that allows the caller to indicate expected use
func (m *MockImageAPIClient) EXPECT() *MockImageAPIClientMockRecorder {
	return m.recorder
}

// ImageBuild mocks base method
func (m *MockImageAPIClient) ImageBuild(ctx context.Context, context io.Reader, options types.ImageBuildOptions) (types.ImageBuildResponse, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ImageBuild", ctx, context, options)
	ret0, _ := ret[0].(types.ImageBuildResponse)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ImageBuild indicates an expected call of ImageBuild
func (mr *MockImageAPIClientMockRecorder) ImageBuild(ctx, context, options interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ImageBuild", reflect.TypeOf((*MockImageAPIClient)(nil).ImageBuild), ctx, context, options)
}

// BuildCachePrune mocks base method
func (m *MockImageAPIClient) BuildCachePrune(ctx context.Context, opts types.BuildCachePruneOptions) (*types.BuildCachePruneReport, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "BuildCachePrune", ctx, opts)
	ret0, _ := ret[0].(*types.BuildCachePruneReport)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// BuildCachePrune indicates an expected call of BuildCachePrune
func (mr *MockImageAPIClientMockRecorder) BuildCachePrune(ctx, opts interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "BuildCachePrune", reflect.TypeOf((*MockImageAPIClient)(nil).BuildCachePrune), ctx, opts)
}

// BuildCancel mocks base method
func (m *MockImageAPIClient) BuildCancel(ctx context.Context, id string) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "BuildCancel", ctx, id)
	ret0, _ := ret[0].(error)
	return ret0
}

// BuildCancel indicates an expected call of BuildCancel
func (mr *MockImageAPIClientMockRecorder) BuildCancel(ctx, id interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "BuildCancel", reflect.TypeOf((*MockImageAPIClient)(nil).BuildCancel), ctx, id)
}

// ImageCreate mocks base method
func (m *MockImageAPIClient) ImageCreate(ctx context.Context, parentReference string, options types.ImageCreateOptions) (io.ReadCloser, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ImageCreate", ctx, parentReference, options)
	ret0, _ := ret[0].(io.ReadCloser)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ImageCreate indicates an expected call of ImageCreate
func (mr *MockImageAPIClientMockRecorder) ImageCreate(ctx, parentReference, options interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ImageCreate", reflect.TypeOf((*MockImageAPIClient)(nil).ImageCreate), ctx, parentReference, options)
}

// ImageHistory mocks base method
func (m *MockImageAPIClient) ImageHistory(ctx context.Context, image string) ([]imagepkg.HistoryResponseItem, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ImageHistory", ctx, image)
	ret0, _ := ret[0].([]imagepkg.HistoryResponseItem)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ImageHistory indicates an expected call of ImageHistory
func (mr *MockImageAPIClientMockRecorder) ImageHistory(ctx, image interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ImageHistory", reflect.TypeOf((*MockImageAPIClient)(nil).ImageHistory), ctx, image)
}

// ImageImport mocks base method
func (m *MockImageAPIClient) ImageImport(ctx context.Context, source types.ImageImportSource, ref string, options types.ImageImportOptions) (io.ReadCloser, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ImageImport", ctx, source, ref, options)
	ret0, _ := ret[0].(io.ReadCloser)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ImageImport indicates an expected call of ImageImport
func (mr *MockImageAPIClientMockRecorder) ImageImport(ctx, source, ref, options interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ImageImport", reflect.TypeOf((*MockImageAPIClient)(nil).ImageImport), ctx, source, ref, options)
}

// ImageInspectWithRaw mocks base method
func (m *MockImageAPIClient) ImageInspectWithRaw(ctx context.Context, image string) (types.ImageInspect, []byte, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ImageInspectWithRaw", ctx, image)
	ret0, _ := ret[0].(types.ImageInspect)
	ret1, _ := ret[1].([]byte)
	ret2, _ := ret[2].(error)
	return ret0, ret1, ret2
}

// ImageInspectWithRaw indicates an expected call of ImageInspectWithRaw
func (mr *MockImageAPIClientMockRecorder) ImageInspectWithRaw(ctx, image interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ImageInspectWithRaw", reflect.TypeOf((*MockImageAPIClient)(nil).ImageInspectWithRaw), ctx, image)
}

// ImageList mocks base method
func (m *MockImageAPIClient) ImageList(ctx context.Context, options types.ImageListOptions) ([]types.ImageSummary, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ImageList", ctx, options)
	ret0, _ := ret[0].([]types.ImageSummary)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ImageList indicates an expected call of ImageList
func (mr *MockImageAPIClientMockRecorder) ImageList(ctx, options interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ImageList", reflect.TypeOf((*MockImageAPIClient)(nil).ImageList), ctx, options)
}

// ImageLoad mocks base method
func (m *MockImageAPIClient) ImageLoad(ctx context.Context, input io.Reader, quiet bool) (types.ImageLoadResponse, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ImageLoad", ctx, input, quiet)
	ret0, _ := ret[0].(types.ImageLoadResponse)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ImageLoad indicates an expected call of ImageLoad
func (mr *MockImageAPIClientMockRecorder) ImageLoad(ctx, input, quiet interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ImageLoad", reflect.TypeOf((*MockImageAPIClient)(nil).ImageLoad), ctx, input, quiet)
}

// ImagePull mocks base method
func (m *MockImageAPIClient) ImagePull(ctx context.Context, ref string, options types.ImagePullOptions) (io.ReadCloser, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ImagePull", ctx, ref, options)
	ret0, _ := ret[0].(io.ReadCloser)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ImagePull indicates an expected call of ImagePull
func (mr *MockImageAPIClientMockRecorder) ImagePull(ctx, ref, options interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ImagePull", reflect.TypeOf((*MockImageAPIClient)(nil).ImagePull), ctx, ref, options)
}

// ImagePush mocks base method
func (m *MockImageAPIClient) ImagePush(ctx context.Context, ref string, options types.ImagePushOptions) (io.ReadCloser, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ImagePush", ctx, ref, options)
	ret0, _ := ret[0].(io.ReadCloser)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ImagePush indicates an expected call of ImagePush
func (mr *MockImageAPIClientMockRecorder) ImagePush(ctx, ref, options interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ImagePush", reflect.TypeOf((*MockImageAPIClient)(nil).ImagePush), ctx, ref, options)
}

// ImageRemove mocks base method
func (m *MockImageAPIClient) ImageRemove(ctx context.Context, image string, options types.ImageRemoveOptions) ([]types.ImageDeleteResponseItem, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ImageRemove", ctx, image, options)
	ret0, _ := ret[0].([]types.ImageDeleteResponseItem)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ImageRemove indicates an expected call of ImageRemove
func (mr *MockImageAPIClientMockRecorder) ImageRemove(ctx, image, options interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ImageRemove", reflect.TypeOf((*MockImageAPIClient)(nil).ImageRemove), ctx, image, options)
}

// ImageSearch mocks base method
func (m *MockImageAPIClient) ImageSearch(ctx context.Context, term string, options types.ImageSearchOptions) ([]registry.SearchResult, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ImageSearch", ctx, term, options)
	ret0, _ := ret[0].([]registry.SearchResult)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ImageSearch indicates an expected call of ImageSearch
func (mr *MockImageAPIClientMockRecorder) ImageSearch(ctx, term, options interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ImageSearch", reflect.TypeOf((*MockImageAPIClient)(nil).ImageSearch), ctx, term, options)
}

// ImageSave mocks base method
func (m *MockImageAPIClient) ImageSave(ctx context.Context, images []string) (io.ReadCloser, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ImageSave", ctx, images)
	ret0, _ := ret[0].(io.ReadCloser)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ImageSave indicates an expected call of ImageSave
func (mr *MockImageAPIClientMockRecorder) ImageSave(ctx, images interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ImageSave", reflect.TypeOf((*MockImageAPIClient)(nil).ImageSave), ctx, images)
}

// ImageTag mocks base method
func (m *MockImageAPIClient) ImageTag(ctx context.Context, image, ref string) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ImageTag", ctx, image, ref)
	ret0, _ := ret[0].(error)
	return ret0
}

// ImageTag indicates an expected call of ImageTag
func (mr *MockImageAPIClientMockRecorder) ImageTag(ctx, image, ref interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ImageTag", reflect.TypeOf((*MockImageAPIClient)(nil).ImageTag), ctx, image, ref)
}

// ImagesPrune mocks base method
func (m *MockImageAPIClient) ImagesPrune(ctx context.Context, pruneFilter filters.Args) (types.ImagesPruneReport, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ImagesPrune", ctx, pruneFilter)
	ret0, _ := ret[0].(types.ImagesPruneReport)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ImagesPrune indicates an expected call of ImagesPrune
func (mr *MockImageAPIClientMockRecorder) ImagesPrune(ctx, pruneFilter interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ImagesPrune", reflect.TypeOf((*MockImageAPIClient)(nil).ImagesPrune), ctx, pruneFilter)
}

// MockNetworkAPIClient is a mock of NetworkAPIClient interface
type MockNetworkAPIClient struct {
	ctrl     *gomock.Controller
	recorder *MockNetworkAPIClientMockRecorder
}

// MockNetworkAPIClientMockRecorder is the mock recorder for MockNetworkAPIClient
type MockNetworkAPIClientMockRecorder struct {
	mock *MockNetworkAPIClient
}

// NewMockNetworkAPIClient creates a new mock instance
func NewMockNetworkAPIClient(ctrl *gomock.Controller) *MockNetworkAPIClient {
	mock := &MockNetworkAPIClient{ctrl: ctrl}
	mock.recorder = &MockNetworkAPIClientMockRecorder{mock}
	return mock
}

// EXPECT returns an object that allows the caller to indicate expected use
func (m *MockNetworkAPIClient) EXPECT() *MockNetworkAPIClientMockRecorder {
	return m.recorder
}

// NetworkConnect mocks base method
func (m *MockNetworkAPIClient) NetworkConnect(ctx context.Context, network, container string, config *network.EndpointSettings) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "NetworkConnect", ctx, network, container, config)
	ret0, _ := ret[0].(error)
	return ret0
}

// NetworkConnect indicates an expected call of NetworkConnect
func (mr *MockNetworkAPIClientMockRecorder) NetworkConnect(ctx, network, container, config interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "NetworkConnect", reflect.TypeOf((*MockNetworkAPIClient)(nil).NetworkConnect), ctx, network, container, config)
}

// NetworkCreate mocks base method
func (m *MockNetworkAPIClient) NetworkCreate(ctx context.Context, name string, options types.NetworkCreate) (types.NetworkCreateResponse, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "NetworkCreate", ctx, name, options)
	ret0, _ := ret[0].(types.NetworkCreateResponse)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// NetworkCreate indicates an expected call of NetworkCreate
func (mr *MockNetworkAPIClientMockRecorder) NetworkCreate(ctx, name, options interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "NetworkCreate", reflect.TypeOf((*MockNetworkAPIClient)(nil).NetworkCreate), ctx, name, options)
}

// NetworkDisconnect mocks base method
func (m *MockNetworkAPIClient) NetworkDisconnect(ctx context.Context, network, container string, force bool) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "NetworkDisconnect", ctx, network, container, force)
	ret0, _ := ret[0].(error)
	return ret0
}

// NetworkDisconnect indicates an expected call of NetworkDisconnect
func (mr *MockNetworkAPIClientMockRecorder) NetworkDisconnect(ctx, network, container, force interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "NetworkDisconnect", reflect.TypeOf((*MockNetworkAPIClient)(nil).NetworkDisconnect), ctx, network, container, force)
}

// NetworkInspect mocks base method
func (m *MockNetworkAPIClient) NetworkInspect(ctx context.Context, network string, options types.NetworkInspectOptions) (types.NetworkResource, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "NetworkInspect", ctx, network, options)
	ret0, _ := ret[0].(types.NetworkResource)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// NetworkInspect indicates an expected call of NetworkInspect
func (mr *MockNetworkAPIClientMockRecorder) NetworkInspect(ctx, network, options interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "NetworkInspect", reflect.TypeOf((*MockNetworkAPIClient)(nil).NetworkInspect), ctx, network, options)
}

// NetworkInspectWithRaw mocks base method
func (m *MockNetworkAPIClient) NetworkInspectWithRaw(ctx context.Context, network string, options types.NetworkInspectOptions) (types.NetworkResource, []byte, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "NetworkInspectWithRaw", ctx, network, options)
	ret0, _ := ret[0].(types.NetworkResource)
	ret1, _ := ret[1].([]byte)
	ret2, _ := ret[2].(error)
	return ret0, ret1, ret2
}

// NetworkInspectWithRaw indicates an expected call of NetworkInspectWithRaw
func (mr *MockNetworkAPIClientMockRecorder) NetworkInspectWithRaw(ctx, network, options interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "NetworkInspectWithRaw", reflect.TypeOf((*MockNetworkAPIClient)(nil).NetworkInspectWithRaw), ctx, network, options)
}

// NetworkList mocks base method
func (m *MockNetworkAPIClient) NetworkList(ctx context.Context, options types.NetworkListOptions) ([]types.NetworkResource, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "NetworkList", ctx, options)
	ret0, _ := ret[0].([]types.NetworkResource)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// NetworkList indicates an expected call of NetworkList
func (mr *MockNetworkAPIClientMockRecorder) NetworkList(ctx, options interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "NetworkList", reflect.TypeOf((*MockNetworkAPIClient)(nil).NetworkList), ctx, options)
}

// NetworkRemove mocks base method
func (m *MockNetworkAPIClient) NetworkRemove(ctx context.Context, network string) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "NetworkRemove", ctx, network)
	ret0, _ := ret[0].(error)
	return ret0
}

// NetworkRemove indicates an expected call of NetworkRemove
func (mr *MockNetworkAPIClientMockRecorder) NetworkRemove(ctx, network interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "NetworkRemove", reflect.TypeOf((*MockNetworkAPIClient)(nil).NetworkRemove), ctx, network)
}

// NetworksPrune mocks base method
func (m *MockNetworkAPIClient) NetworksPrune(ctx context.Context, pruneFilter filters.Args) (types.NetworksPruneReport, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "NetworksPrune", ctx, pruneFilter)
	ret0, _ := ret[0].(types.NetworksPruneReport)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// NetworksPrune indicates an expected call of NetworksPrune
func (mr *MockNetworkAPIClientMockRecorder) NetworksPrune(ctx, pruneFilter interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "NetworksPrune", reflect.TypeOf((*MockNetworkAPIClient)(nil).NetworksPrune), ctx, pruneFilter)
}

// MockNodeAPIClient is a mock of NodeAPIClient interface
type MockNodeAPIClient struct {
	ctrl     *gomock.Controller
	recorder *MockNodeAPIClientMockRecorder
}

// MockNodeAPIClientMockRecorder is the mock recorder for MockNodeAPIClient
type MockNodeAPIClientMockRecorder struct {
	mock *MockNodeAPIClient
}

// NewMockNodeAPIClient creates a new mock instance
func NewMockNodeAPIClient(ctrl *gomock.Controller) *MockNodeAPIClient {
	mock := &MockNodeAPIClient{ctrl: ctrl}
	mock.recorder = &MockNodeAPIClientMockRecorder{mock}
	return mock
}

// EXPECT returns an object that allows the caller to indicate expected use
func (m *MockNodeAPIClient) EXPECT() *MockNodeAPIClientMockRecorder {
	return m.recorder
}

// NodeInspectWithRaw mocks base method
func (m *MockNodeAPIClient) NodeInspectWithRaw(ctx context.Context, nodeID string) (swarm.Node, []byte, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "NodeInspectWithRaw", ctx, nodeID)
	ret0, _ := ret[0].(swarm.Node)
	ret1, _ := ret[1].([]byte)
	ret2, _ := ret[2].(error)
	return ret0, ret1, ret2
}

// NodeInspectWithRaw indicates an expected call of NodeInspectWithRaw
func (mr *MockNodeAPIClientMockRecorder) NodeInspectWithRaw(ctx, nodeID interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "NodeInspectWithRaw", reflect.TypeOf((*MockNodeAPIClient)(nil).NodeInspectWithRaw), ctx, nodeID)
}

// NodeList mocks base method
func (m *MockNodeAPIClient) NodeList(ctx context.Context, options types.NodeListOptions) ([]swarm.Node, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "NodeList", ctx, options)
	ret0, _ := ret[0].([]swarm.Node)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// NodeList indicates an expected call of NodeList
func (mr *MockNodeAPIClientMockRecorder) NodeList(ctx, options interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "NodeList", reflect.TypeOf((*MockNodeAPIClient)(nil).NodeList), ctx, options)
}

// NodeRemove mocks base method
func (m *MockNodeAPIClient) NodeRemove(ctx context.Context, nodeID string, options types.NodeRemoveOptions) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "NodeRemove", ctx, nodeID, options)
	ret0, _ := ret[0].(error)
	return ret0
}

// NodeRemove indicates an expected call of NodeRemove
func (mr *MockNodeAPIClientMockRecorder) NodeRemove(ctx, nodeID, options interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "NodeRemove", reflect.TypeOf((*MockNodeAPIClient)(nil).NodeRemove), ctx, nodeID, options)
}

// NodeUpdate mocks base method
func (m *MockNodeAPIClient) NodeUpdate(ctx context.Context, nodeID string, version swarm.Version, node swarm.NodeSpec) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "NodeUpdate", ctx, nodeID, version, node)
	ret0, _ := ret[0].(error)
	return ret0
}

// NodeUpdate indicates an expected call of NodeUpdate
func (mr *MockNodeAPIClientMockRecorder) NodeUpdate(ctx, nodeID, version, node interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "NodeUpdate", reflect.TypeOf((*MockNodeAPIClient)(nil).NodeUpdate), ctx, nodeID, version, node)
}

// MockPluginAPIClient is a mock of PluginAPIClient interface
type MockPluginAPIClient struct {
	ctrl     *gomock.Controller
	recorder *MockPluginAPIClientMockRecorder
}

// MockPluginAPIClientMockRecorder is the mock recorder for MockPluginAPIClient
type MockPluginAPIClientMockRecorder struct {
	mock *MockPluginAPIClient
}

// NewMockPluginAPIClient creates a new mock instance
func NewMockPluginAPIClient(ctrl *gomock.Controller) *MockPluginAPIClient {
	mock := &MockPluginAPIClient{ctrl: ctrl}
	mock.recorder = &MockPluginAPIClientMockRecorder{mock}
	return mock
}

// EXPECT returns an object that allows the caller to indicate expected use
func (m *MockPluginAPIClient) EXPECT() *MockPluginAPIClientMockRecorder {
	return m.recorder
}

// PluginList mocks base method
func (m *MockPluginAPIClient) PluginList(ctx context.Context, filter filters.Args) (types.PluginsListResponse, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "PluginList", ctx, filter)
	ret0, _ := ret[0].(types.PluginsListResponse)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// PluginList indicates an expected call of PluginList
func (mr *MockPluginAPIClientMockRecorder) PluginList(ctx, filter interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "PluginList", reflect.TypeOf((*MockPluginAPIClient)(nil).PluginList), ctx, filter)
}

// PluginRemove mocks base method
func (m *MockPluginAPIClient) PluginRemove(ctx context.Context, name string, options types.PluginRemoveOptions) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "PluginRemove", ctx, name, options)
	ret0, _ := ret[0].(error)
	return ret0
}

// PluginRemove indicates an expected call of PluginRemove
func (mr *MockPluginAPIClientMockRecorder) PluginRemove(ctx, name, options interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "PluginRemove", reflect.TypeOf((*MockPluginAPIClient)(nil).PluginRemove), ctx, name, options)
}

// PluginEnable mocks base method
func (m *MockPluginAPIClient) PluginEnable(ctx context.Context, name string, options types.PluginEnableOptions) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "PluginEnable", ctx, name, options)
	ret0, _ := ret[0].(error)
	return ret0
}

// PluginEnable indicates an expected call of PluginEnable
func (mr *MockPluginAPIClientMockRecorder) PluginEnable(ctx, name, options interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "PluginEnable", reflect.TypeOf((*MockPluginAPIClient)(nil).PluginEnable), ctx, name, options)
}

// PluginDisable mocks base method
func (m *MockPluginAPIClient) PluginDisable(ctx context.Context, name string, options types.PluginDisableOptions) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "PluginDisable", ctx, name, options)
	ret0, _ := ret[0].(error)
	return ret0
}

// PluginDisable indicates an expected call of PluginDisable
func (mr *MockPluginAPIClientMockRecorder) PluginDisable(ctx, name, options interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "PluginDisable", reflect.TypeOf((*MockPluginAPIClient)(nil).PluginDisable), ctx, name, options)
}

// PluginInstall mocks base method
func (m *MockPluginAPIClient) PluginInstall(ctx context.Context, name string, options types.PluginInstallOptions) (io.ReadCloser, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "PluginInstall", ctx, name, options)
	ret0, _ := ret[0].(io.ReadCloser)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// PluginInstall indicates an expected call of PluginInstall
func (mr *MockPluginAPIClientMockRecorder) PluginInstall(ctx, name, options interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "PluginInstall", reflect.TypeOf((*MockPluginAPIClient)(nil).PluginInstall), ctx, name, options)
}

// PluginUpgrade mocks base method
func (m *MockPluginAPIClient) PluginUpgrade(ctx context.Context, name string, options types.PluginInstallOptions) (io.ReadCloser, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "PluginUpgrade", ctx, name, options)
	ret0, _ := ret[0].(io.ReadCloser)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// PluginUpgrade indicates an expected call of PluginUpgrade
func (mr *MockPluginAPIClientMockRecorder) PluginUpgrade(ctx, name, options interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "PluginUpgrade", reflect.TypeOf((*MockPluginAPIClient)(nil).PluginUpgrade), ctx, name, options)
}

// PluginPush mocks base method
func (m *MockPluginAPIClient) PluginPush(ctx context.Context, name, registryAuth string) (io.ReadCloser, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "PluginPush", ctx, name, registryAuth)
	ret0, _ := ret[0].(io.ReadCloser)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// PluginPush indicates an expected call of PluginPush
func (mr *MockPluginAPIClientMockRecorder) PluginPush(ctx, name, registryAuth interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "PluginPush", reflect.TypeOf((*MockPluginAPIClient)(nil).PluginPush), ctx, name, registryAuth)
}

// PluginSet mocks base method
func (m *MockPluginAPIClient) PluginSet(ctx context.Context, name string, args []string) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "PluginSet", ctx, name, args)
	ret0, _ := ret[0].(error)
	return ret0
}

// PluginSet indicates an expected call of PluginSet
func (mr *MockPluginAPIClientMockRecorder) PluginSet(ctx, name, args interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "PluginSet", reflect.TypeOf((*MockPluginAPIClient)(nil).PluginSet), ctx, name, args)
}

// PluginInspectWithRaw mocks base method
func (m *MockPluginAPIClient) PluginInspectWithRaw(ctx context.Context, name string) (*types.Plugin, []byte, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "PluginInspectWithRaw", ctx, name)
	ret0, _ := ret[0].(*types.Plugin)
	ret1, _ := ret[1].([]byte)
	ret2, _ := ret[2].(error)
	return ret0, ret1, ret2
}

// PluginInspectWithRaw indicates an expected call of PluginInspectWithRaw
func (mr *MockPluginAPIClientMockRecorder) PluginInspectWithRaw(ctx, name interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "PluginInspectWithRaw", reflect.TypeOf((*MockPluginAPIClient)(nil).PluginInspectWithRaw), ctx, name)
}

// PluginCreate mocks base method
func (m *MockPluginAPIClient) PluginCreate(ctx context.Context, createContext io.Reader, options types.PluginCreateOptions) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "PluginCreate", ctx, createContext, options)
	ret0, _ := ret[0].(error)
	return ret0
}

// PluginCreate indicates an expected call of PluginCreate
func (mr *MockPluginAPIClientMockRecorder) PluginCreate(ctx, createContext, options interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "PluginCreate", reflect.TypeOf((*MockPluginAPIClient)(nil).PluginCreate), ctx, createContext, options)
}

// MockServiceAPIClient is a mock of ServiceAPIClient interface
type MockServiceAPIClient struct {
	ctrl     *gomock.Controller
	recorder *MockServiceAPIClientMockRecorder
}

// MockServiceAPIClientMockRecorder is the mock recorder for MockServiceAPIClient
type MockServiceAPIClientMockRecorder struct {
	mock *MockServiceAPIClient
}

// NewMockServiceAPIClient creates a new mock instance
func NewMockServiceAPIClient(ctrl *gomock.Controller) *MockServiceAPIClient {
	mock := &MockServiceAPIClient{ctrl: ctrl}
	mock.recorder = &MockServiceAPIClientMockRecorder{mock}
	return mock
}

// EXPECT returns an object that allows the caller to indicate expected use
func (m *MockServiceAPIClient) EXPECT() *MockServiceAPIClientMockRecorder {
	return m.recorder
}

// ServiceCreate mocks base method
func (m *MockServiceAPIClient) ServiceCreate(ctx context.Context, service swarm.ServiceSpec, options types.ServiceCreateOptions) (types.ServiceCreateResponse, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ServiceCreate", ctx, service, options)
	ret0, _ := ret[0].(types.ServiceCreateResponse)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ServiceCreate indicates an expected call of ServiceCreate
func (mr *MockServiceAPIClientMockRecorder) ServiceCreate(ctx, service, options interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ServiceCreate", reflect.TypeOf((*MockServiceAPIClient)(nil).ServiceCreate), ctx, service, options)
}

// ServiceInspectWithRaw mocks base method
func (m *MockServiceAPIClient) ServiceInspectWithRaw(ctx context.Context, serviceID string, options types.ServiceInspectOptions) (swarm.Service, []byte, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ServiceInspectWithRaw", ctx, serviceID, options)
	ret0, _ := ret[0].(swarm.Service)
	ret1, _ := ret[1].([]byte)
	ret2, _ := ret[2].(error)
	return ret0, ret1, ret2
}

// ServiceInspectWithRaw indicates an expected call of ServiceInspectWithRaw
func (mr *MockServiceAPIClientMockRecorder) ServiceInspectWithRaw(ctx, serviceID, options interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ServiceInspectWithRaw", reflect.TypeOf((*MockServiceAPIClient)(nil).ServiceInspectWithRaw), ctx, serviceID, options)
}

// ServiceList mocks base method
func (m *MockServiceAPIClient) ServiceList(ctx context.Context, options types.ServiceListOptions) ([]swarm.Service, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ServiceList", ctx, options)
	ret0, _ := ret[0].([]swarm.Service)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ServiceList indicates an expected call of ServiceList
func (mr *MockServiceAPIClientMockRecorder) ServiceList(ctx, options interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ServiceList", reflect.TypeOf((*MockServiceAPIClient)(nil).ServiceList), ctx, options)
}

// ServiceRemove mocks base method
func (m *MockServiceAPIClient) ServiceRemove(ctx context.Context, serviceID string) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ServiceRemove", ctx, serviceID)
	ret0, _ := ret[0].(error)
	return ret0
}

// ServiceRemove indicates an expected call of ServiceRemove
func (mr *MockServiceAPIClientMockRecorder) ServiceRemove(ctx, serviceID interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ServiceRemove", reflect.TypeOf((*MockServiceAPIClient)(nil).ServiceRemove), ctx, serviceID)
}

// ServiceUpdate mocks base method
func (m *MockServiceAPIClient) ServiceUpdate(ctx context.Context, serviceID string, version swarm.Version, service swarm.ServiceSpec, options types.ServiceUpdateOptions) (types.ServiceUpdateResponse, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ServiceUpdate", ctx, serviceID, version, service, options)
	ret0, _ := ret[0].(types.ServiceUpdateResponse)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ServiceUpdate indicates an expected call of ServiceUpdate
func (mr *MockServiceAPIClientMockRecorder) ServiceUpdate(ctx, serviceID, version, service, options interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ServiceUpdate", reflect.TypeOf((*MockServiceAPIClient)(nil).ServiceUpdate), ctx, serviceID, version, service, options)
}

// ServiceLogs mocks base method
func (m *MockServiceAPIClient) ServiceLogs(ctx context.Context, serviceID string, options types.ContainerLogsOptions) (io.ReadCloser, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ServiceLogs", ctx, serviceID, options)
	ret0, _ := ret[0].(io.ReadCloser)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ServiceLogs indicates an expected call of ServiceLogs
func (mr *MockServiceAPIClientMockRecorder) ServiceLogs(ctx, serviceID, options interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ServiceLogs", reflect.TypeOf((*MockServiceAPIClient)(nil).ServiceLogs), ctx, serviceID, options)
}

// TaskLogs mocks base method
func (m *MockServiceAPIClient) TaskLogs(ctx context.Context, taskID string, options types.ContainerLogsOptions) (io.ReadCloser, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "TaskLogs", ctx, taskID, options)
	ret0, _ := ret[0].(io.ReadCloser)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// TaskLogs indicates an expected call of TaskLogs
func (mr *MockServiceAPIClientMockRecorder) TaskLogs(ctx, taskID, options interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "TaskLogs", reflect.TypeOf((*MockServiceAPIClient)(nil).TaskLogs), ctx, taskID, options)
}

// TaskInspectWithRaw mocks base method
func (m *MockServiceAPIClient) TaskInspectWithRaw(ctx context.Context, taskID string) (swarm.Task, []byte, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "TaskInspectWithRaw", ctx, taskID)
	ret0, _ := ret[0].(swarm.Task)
	ret1, _ := ret[1].([]byte)
	ret2, _ := ret[2].(error)
	return ret0, ret1, ret2
}

// TaskInspectWithRaw indicates an expected call of TaskInspectWithRaw
func (mr *MockServiceAPIClientMockRecorder) TaskInspectWithRaw(ctx, taskID interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "TaskInspectWithRaw", reflect.TypeOf((*MockServiceAPIClient)(nil).TaskInspectWithRaw), ctx, taskID)
}

// TaskList mocks base method
func (m *MockServiceAPIClient) TaskList(ctx context.Context, options types.TaskListOptions) ([]swarm.Task, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "TaskList", ctx, options)
	ret0, _ := ret[0].([]swarm.Task)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// TaskList indicates an expected call of TaskList
func (mr *MockServiceAPIClientMockRecorder) TaskList(ctx, options interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "TaskList", reflect.TypeOf((*MockServiceAPIClient)(nil).TaskList), ctx, options)
}

// MockSwarmAPIClient is a mock of SwarmAPIClient interface
type MockSwarmAPIClient struct {
	ctrl     *gomock.Controller
	recorder *MockSwarmAPIClientMockRecorder
}

// MockSwarmAPIClientMockRecorder is the mock recorder for MockSwarmAPIClient
type MockSwarmAPIClientMockRecorder struct {
	mock *MockSwarmAPIClient
}

// NewMockSwarmAPIClient creates a new mock instance
func NewMockSwarmAPIClient(ctrl *gomock.Controller) *MockSwarmAPIClient {
	mock := &MockSwarmAPIClient{ctrl: ctrl}
	mock.recorder = &MockSwarmAPIClientMockRecorder{mock}
	return mock
}

// EXPECT returns an object that allows the caller to indicate expected use
func (m *MockSwarmAPIClient) EXPECT() *MockSwarmAPIClientMockRecorder {
	return m.recorder
}

// SwarmInit mocks base method
func (m *MockSwarmAPIClient) SwarmInit(ctx context.Context, req swarm.InitRequest) (string, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "SwarmInit", ctx, req)
	ret0, _ := ret[0].(string)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// SwarmInit indicates an expected call of SwarmInit
func (mr *MockSwarmAPIClientMockRecorder) SwarmInit(ctx, req interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SwarmInit", reflect.TypeOf((*MockSwarmAPIClient)(nil).SwarmInit), ctx, req)
}

// SwarmJoin mocks base method
func (m *MockSwarmAPIClient) SwarmJoin(ctx context.Context, req swarm.JoinRequest) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "SwarmJoin", ctx, req)
	ret0, _ := ret[0].(error)
	return ret0
}

// SwarmJoin indicates an expected call of SwarmJoin
func (mr *MockSwarmAPIClientMockRecorder) SwarmJoin(ctx, req interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SwarmJoin", reflect.TypeOf((*MockSwarmAPIClient)(nil).SwarmJoin), ctx, req)
}

// SwarmGetUnlockKey mocks base method
func (m *MockSwarmAPIClient) SwarmGetUnlockKey(ctx context.Context) (types.SwarmUnlockKeyResponse, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "SwarmGetUnlockKey", ctx)
	ret0, _ := ret[0].(types.SwarmUnlockKeyResponse)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// SwarmGetUnlockKey indicates an expected call of SwarmGetUnlockKey
func (mr *MockSwarmAPIClientMockRecorder) SwarmGetUnlockKey(ctx interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SwarmGetUnlockKey", reflect.TypeOf((*MockSwarmAPIClient)(nil).SwarmGetUnlockKey), ctx)
}

// SwarmUnlock mocks base method
func (m *MockSwarmAPIClient) SwarmUnlock(ctx context.Context, req swarm.UnlockRequest) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "SwarmUnlock", ctx, req)
	ret0, _ := ret[0].(error)
	return ret0
}

// SwarmUnlock indicates an expected call of SwarmUnlock
func (mr *MockSwarmAPIClientMockRecorder) SwarmUnlock(ctx, req interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SwarmUnlock", reflect.TypeOf((*MockSwarmAPIClient)(nil).SwarmUnlock), ctx, req)
}

// SwarmLeave mocks base method
func (m *MockSwarmAPIClient) SwarmLeave(ctx context.Context, force bool) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "SwarmLeave", ctx, force)
	ret0, _ := ret[0].(error)
	return ret0
}

// SwarmLeave indicates an expected call of SwarmLeave
func (mr *MockSwarmAPIClientMockRecorder) SwarmLeave(ctx, force interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SwarmLeave", reflect.TypeOf((*MockSwarmAPIClient)(nil).SwarmLeave), ctx, force)
}

// SwarmInspect mocks base method
func (m *MockSwarmAPIClient) SwarmInspect(ctx context.Context) (swarm.Swarm, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "SwarmInspect", ctx)
	ret0, _ := ret[0].(swarm.Swarm)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// SwarmInspect indicates an expected call of SwarmInspect
func (mr *MockSwarmAPIClientMockRecorder) SwarmInspect(ctx interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SwarmInspect", reflect.TypeOf((*MockSwarmAPIClient)(nil).SwarmInspect), ctx)
}

// SwarmUpdate mocks base method
func (m *MockSwarmAPIClient) SwarmUpdate(ctx context.Context, version swarm.Version, swarm swarm.Spec, flags swarm.UpdateFlags) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "SwarmUpdate", ctx, version, swarm, flags)
	ret0, _ := ret[0].(error)
	return ret0
}

// SwarmUpdate indicates an expected call of SwarmUpdate
func (mr *MockSwarmAPIClientMockRecorder) SwarmUpdate(ctx, version, swarm, flags interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SwarmUpdate", reflect.TypeOf((*MockSwarmAPIClient)(nil).SwarmUpdate), ctx, version, swarm, flags)
}

// MockSystemAPIClient is a mock of SystemAPIClient interface
type MockSystemAPIClient struct {
	ctrl     *gomock.Controller
	recorder *MockSystemAPIClientMockRecorder
}

// MockSystemAPIClientMockRecorder is the mock recorder for MockSystemAPIClient
type MockSystemAPIClientMockRecorder struct {
	mock *MockSystemAPIClient
}

// NewMockSystemAPIClient creates a new mock instance
func NewMockSystemAPIClient(ctrl *gomock.Controller) *MockSystemAPIClient {
	mock := &MockSystemAPIClient{ctrl: ctrl}
	mock.recorder = &MockSystemAPIClientMockRecorder{mock}
	return mock
}

// EXPECT returns an object that allows the caller to indicate expected use
func (m *MockSystemAPIClient) EXPECT() *MockSystemAPIClientMockRecorder {
	return m.recorder
}

// Events mocks base method
func (m *MockSystemAPIClient) Events(ctx context.Context, options types.EventsOptions) (<-chan events.Message, <-chan error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "Events", ctx, options)
	ret0, _ := ret[0].(<-chan events.Message)
	ret1, _ := ret[1].(<-chan error)
	return ret0, ret1
}

// Events indicates an expected call of Events
func (mr *MockSystemAPIClientMockRecorder) Events(ctx, options interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Events", reflect.TypeOf((*MockSystemAPIClient)(nil).Events), ctx, options)
}

// Info mocks base method
func (m *MockSystemAPIClient) Info(ctx context.Context) (types.Info, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "Info", ctx)
	ret0, _ := ret[0].(types.Info)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// Info indicates an expected call of Info
func (mr *MockSystemAPIClientMockRecorder) Info(ctx interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Info", reflect.TypeOf((*MockSystemAPIClient)(nil).Info), ctx)
}

// RegistryLogin mocks base method
func (m *MockSystemAPIClient) RegistryLogin(ctx context.Context, auth types.AuthConfig) (registry.AuthenticateOKBody, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "RegistryLogin", ctx, auth)
	ret0, _ := ret[0].(registry.AuthenticateOKBody)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// RegistryLogin indicates an expected call of RegistryLogin
func (mr *MockSystemAPIClientMockRecorder) RegistryLogin(ctx, auth interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RegistryLogin", reflect.TypeOf((*MockSystemAPIClient)(nil).RegistryLogin), ctx, auth)
}

// DiskUsage mocks base method
func (m *MockSystemAPIClient) DiskUsage(ctx context.Context) (types.DiskUsage, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "DiskUsage", ctx)
	ret0, _ := ret[0].(types.DiskUsage)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// DiskUsage indicates an expected call of DiskUsage
func (mr *MockSystemAPIClientMockRecorder) DiskUsage(ctx interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DiskUsage", reflect.TypeOf((*MockSystemAPIClient)(nil).DiskUsage), ctx)
}

// Ping mocks base method
func (m *MockSystemAPIClient) Ping(ctx context.Context) (types.Ping, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "Ping", ctx)
	ret0, _ := ret[0].(types.Ping)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// Ping indicates an expected call of Ping
func (mr *MockSystemAPIClientMockRecorder) Ping(ctx interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Ping", reflect.TypeOf((*MockSystemAPIClient)(nil).Ping), ctx)
}

// MockVolumeAPIClient is a mock of VolumeAPIClient interface
type MockVolumeAPIClient struct {
	ctrl     *gomock.Controller
	recorder *MockVolumeAPIClientMockRecorder
}

// MockVolumeAPIClientMockRecorder is the mock recorder for MockVolumeAPIClient
type MockVolumeAPIClientMockRecorder struct {
	mock *MockVolumeAPIClient
}

// NewMockVolumeAPIClient creates a new mock instance
func NewMockVolumeAPIClient(ctrl *gomock.Controller) *MockVolumeAPIClient {
	mock := &MockVolumeAPIClient{ctrl: ctrl}
	mock.recorder = &MockVolumeAPIClientMockRecorder{mock}
	return mock
}

// EXPECT returns an object that allows the caller to indicate expected use
func (m *MockVolumeAPIClient) EXPECT() *MockVolumeAPIClientMockRecorder {
	return m.recorder
}

// VolumeCreate mocks base method
func (m *MockVolumeAPIClient) VolumeCreate(ctx context.Context, options volume.VolumeCreateBody) (types.Volume, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "VolumeCreate", ctx, options)
	ret0, _ := ret[0].(types.Volume)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// VolumeCreate indicates an expected call of VolumeCreate
func (mr *MockVolumeAPIClientMockRecorder) VolumeCreate(ctx, options interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "VolumeCreate", reflect.TypeOf((*MockVolumeAPIClient)(nil).VolumeCreate), ctx, options)
}

// VolumeInspect mocks base method
func (m *MockVolumeAPIClient) VolumeInspect(ctx context.Context, volumeID string) (types.Volume, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "VolumeInspect", ctx, volumeID)
	ret0, _ := ret[0].(types.Volume)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// VolumeInspect indicates an expected call of VolumeInspect
func (mr *MockVolumeAPIClientMockRecorder) VolumeInspect(ctx, volumeID interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "VolumeInspect", reflect.TypeOf((*MockVolumeAPIClient)(nil).VolumeInspect), ctx, volumeID)
}

// VolumeInspectWithRaw mocks base method
func (m *MockVolumeAPIClient) VolumeInspectWithRaw(ctx context.Context, volumeID string) (types.Volume, []byte, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "VolumeInspectWithRaw", ctx, volumeID)
	ret0, _ := ret[0].(types.Volume)
	ret1, _ := ret[1].([]byte)
	ret2, _ := ret[2].(error)
	return ret0, ret1, ret2
}

// VolumeInspectWithRaw indicates an expected call of VolumeInspectWithRaw
func (mr *MockVolumeAPIClientMockRecorder) VolumeInspectWithRaw(ctx, volumeID interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "VolumeInspectWithRaw", reflect.TypeOf((*MockVolumeAPIClient)(nil).VolumeInspectWithRaw), ctx, volumeID)
}

// VolumeList mocks base method
func (m *MockVolumeAPIClient) VolumeList(ctx context.Context, filter filters.Args) (volume.VolumeListOKBody, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "VolumeList", ctx, filter)
	ret0, _ := ret[0].(volume.VolumeListOKBody)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// VolumeList indicates an expected call of VolumeList
func (mr *MockVolumeAPIClientMockRecorder) VolumeList(ctx, filter interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "VolumeList", reflect.TypeOf((*MockVolumeAPIClient)(nil).VolumeList), ctx, filter)
}

// VolumeRemove mocks base method
func (m *MockVolumeAPIClient) VolumeRemove(ctx context.Context, volumeID string, force bool) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "VolumeRemove", ctx, volumeID, force)
	ret0, _ := ret[0].(error)
	return ret0
}

// VolumeRemove indicates an expected call of VolumeRemove
func (mr *MockVolumeAPIClientMockRecorder) VolumeRemove(ctx, volumeID, force interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "VolumeRemove", reflect.TypeOf((*MockVolumeAPIClient)(nil).VolumeRemove), ctx, volumeID, force)
}

// VolumesPrune mocks base method
func (m *MockVolumeAPIClient) VolumesPrune(ctx context.Context, pruneFilter filters.Args) (types.VolumesPruneReport, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "VolumesPrune", ctx, pruneFilter)
	ret0, _ := ret[0].(types.VolumesPruneReport)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// VolumesPrune indicates an expected call of VolumesPrune
func (mr *MockVolumeAPIClientMockRecorder) VolumesPrune(ctx, pruneFilter interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "VolumesPrune", reflect.TypeOf((*MockVolumeAPIClient)(nil).VolumesPrune), ctx, pruneFilter)
}

// MockSecretAPIClient is a mock of SecretAPIClient interface
type MockSecretAPIClient struct {
	ctrl     *gomock.Controller
	recorder *MockSecretAPIClientMockRecorder
}

// MockSecretAPIClientMockRecorder is the mock recorder for MockSecretAPIClient
type MockSecretAPIClientMockRecorder struct {
	mock *MockSecretAPIClient
}

// NewMockSecretAPIClient creates a new mock instance
func NewMockSecretAPIClient(ctrl *gomock.Controller) *MockSecretAPIClient {
	mock := &MockSecretAPIClient{ctrl: ctrl}
	mock.recorder = &MockSecretAPIClientMockRecorder{mock}
	return mock
}

// EXPECT returns an object that allows the caller to indicate expected use
func (m *MockSecretAPIClient) EXPECT() *MockSecretAPIClientMockRecorder {
	return m.recorder
}

// SecretList mocks base method
func (m *MockSecretAPIClient) SecretList(ctx context.Context, options types.SecretListOptions) ([]swarm.Secret, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "SecretList", ctx, options)
	ret0, _ := ret[0].([]swarm.Secret)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// SecretList indicates an expected call of SecretList
func (mr *MockSecretAPIClientMockRecorder) SecretList(ctx, options interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SecretList", reflect.TypeOf((*MockSecretAPIClient)(nil).SecretList), ctx, options)
}

// SecretCreate mocks base method
func (m *MockSecretAPIClient) SecretCreate(ctx context.Context, secret swarm.SecretSpec) (types.SecretCreateResponse, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "SecretCreate", ctx, secret)
	ret0, _ := ret[0].(types.SecretCreateResponse)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// SecretCreate indicates an expected call of SecretCreate
func (mr *MockSecretAPIClientMockRecorder) SecretCreate(ctx, secret interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SecretCreate", reflect.TypeOf((*MockSecretAPIClient)(nil).SecretCreate), ctx, secret)
}

// SecretRemove mocks base method
func (m *MockSecretAPIClient) SecretRemove(ctx context.Context, id string) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "SecretRemove", ctx, id)
	ret0, _ := ret[0].(error)
	return ret0
}

// SecretRemove indicates an expected call of SecretRemove
func (mr *MockSecretAPIClientMockRecorder) SecretRemove(ctx, id interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SecretRemove", reflect.TypeOf((*MockSecretAPIClient)(nil).SecretRemove), ctx, id)
}

// SecretInspectWithRaw mocks base method
func (m *MockSecretAPIClient) SecretInspectWithRaw(ctx context.Context, name string) (swarm.Secret, []byte, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "SecretInspectWithRaw", ctx, name)
	ret0, _ := ret[0].(swarm.Secret)
	ret1, _ := ret[1].([]byte)
	ret2, _ := ret[2].(error)
	return ret0, ret1, ret2
}

// SecretInspectWithRaw indicates an expected call of SecretInspectWithRaw
func (mr *MockSecretAPIClientMockRecorder) SecretInspectWithRaw(ctx, name interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SecretInspectWithRaw", reflect.TypeOf((*MockSecretAPIClient)(nil).SecretInspectWithRaw), ctx, name)
}

// SecretUpdate mocks base method
func (m *MockSecretAPIClient) SecretUpdate(ctx context.Context, id string, version swarm.Version, secret swarm.SecretSpec) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "SecretUpdate", ctx, id, version, secret)
	ret0, _ := ret[0].(error)
	return ret0
}

// SecretUpdate indicates an expected call of SecretUpdate
func (mr *MockSecretAPIClientMockRecorder) SecretUpdate(ctx, id, version, secret interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SecretUpdate", reflect.TypeOf((*MockSecretAPIClient)(nil).SecretUpdate), ctx, id, version, secret)
}

// MockConfigAPIClient is a mock of ConfigAPIClient interface
type MockConfigAPIClient struct {
	ctrl     *gomock.Controller
	recorder *MockConfigAPIClientMockRecorder
}

// MockConfigAPIClientMockRecorder is the mock recorder for MockConfigAPIClient
type MockConfigAPIClientMockRecorder struct {
	mock *MockConfigAPIClient
}

// NewMockConfigAPIClient creates a new mock instance
func NewMockConfigAPIClient(ctrl *gomock.Controller) *MockConfigAPIClient {
	mock := &MockConfigAPIClient{ctrl: ctrl}
	mock.recorder = &MockConfigAPIClientMockRecorder{mock}
	return mock
}

// EXPECT returns an object that allows the caller to indicate expected use
func (m *MockConfigAPIClient) EXPECT() *MockConfigAPIClientMockRecorder {
	return m.recorder
}

// ConfigList mocks base method
func (m *MockConfigAPIClient) ConfigList(ctx context.Context, options types.ConfigListOptions) ([]swarm.Config, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ConfigList", ctx, options)
	ret0, _ := ret[0].([]swarm.Config)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ConfigList indicates an expected call of ConfigList
func (mr *MockConfigAPIClientMockRecorder) ConfigList(ctx, options interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ConfigList", reflect.TypeOf((*MockConfigAPIClient)(nil).ConfigList), ctx, options)
}

// ConfigCreate mocks base method
func (m *MockConfigAPIClient) ConfigCreate(ctx context.Context, config swarm.ConfigSpec) (types.ConfigCreateResponse, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ConfigCreate", ctx, config)
	ret0, _ := ret[0].(types.ConfigCreateResponse)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ConfigCreate indicates an expected call of ConfigCreate
func (mr *MockConfigAPIClientMockRecorder) ConfigCreate(ctx, config interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ConfigCreate", reflect.TypeOf((*MockConfigAPIClient)(nil).ConfigCreate), ctx, config)
}

// ConfigRemove mocks base method
func (m *MockConfigAPIClient) ConfigRemove(ctx context.Context, id string) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ConfigRemove", ctx, id)
	ret0, _ := ret[0].(error)
	return ret0
}

// ConfigRemove indicates an expected call of ConfigRemove
func (mr *MockConfigAPIClientMockRecorder) ConfigRemove(ctx, id interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ConfigRemove", reflect.TypeOf((*MockConfigAPIClient)(nil).ConfigRemove), ctx, id)
}

// ConfigInspectWithRaw mocks base method
func (m *MockConfigAPIClient) ConfigInspectWithRaw(ctx context.Context, name string) (swarm.Config, []byte, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ConfigInspectWithRaw", ctx, name)
	ret0, _ := ret[0].(swarm.Config)
	ret1, _ := ret[1].([]byte)
	ret2, _ := ret[2].(error)
	return ret0, ret1, ret2
}

// ConfigInspectWithRaw indicates an expected call of ConfigInspectWithRaw
func (mr *MockConfigAPIClientMockRecorder) ConfigInspectWithRaw(ctx, name interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ConfigInspectWithRaw", reflect.TypeOf((*MockConfigAPIClient)(nil).ConfigInspectWithRaw), ctx, name)
}

// ConfigUpdate mocks base method
func (m *MockConfigAPIClient) ConfigUpdate(ctx context.Context, id string, version swarm.Version, config swarm.ConfigSpec) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ConfigUpdate", ctx, id, version, config)
	ret0, _ := ret[0].(error)
	return ret0
}

// ConfigUpdate indicates an expected call of ConfigUpdate
func (mr *MockConfigAPIClientMockRecorder) ConfigUpdate(ctx, id, version, config interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ConfigUpdate", reflect.TypeOf((*MockConfigAPIClient)(nil).ConfigUpdate), ctx, id, version, config)
}


================================================
FILE: monitor/internal/docker/monitor.go
================================================
package dockermonitor

import (
	"context"
	"errors"
	"fmt"
	"io"
	"os"
	"runtime"
	"strconv"
	"sync"
	"time"

	"github.com/dchest/siphash"
	"github.com/docker/docker/api/types"
	"github.com/docker/docker/api/types/events"
	"github.com/docker/docker/api/types/filters"
	dockerClient "github.com/docker/docker/client"
	"go.aporeto.io/enforcerd/trireme-lib/common"
	tevents "go.aporeto.io/enforcerd/trireme-lib/common"
	"go.aporeto.io/enforcerd/trireme-lib/monitor/config"
	"go.aporeto.io/enforcerd/trireme-lib/monitor/constants"
	"go.aporeto.io/enforcerd/trireme-lib/monitor/extractors"
	"go.aporeto.io/enforcerd/trireme-lib/monitor/registerer"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
	"go.aporeto.io/enforcerd/trireme-lib/utils/cgnetcls"
	"go.aporeto.io/enforcerd/trireme-lib/utils/portspec"
	"go.uber.org/zap"
)

type lockedDockerClient struct {
	client           dockerClient.CommonAPIClient
	dockerClientLock sync.Mutex
}

// DockerMonitor implements the connection to Docker and monitoring based on docker events.
type DockerMonitor struct {
	clientHdl                  lockedDockerClient
	socketType                 string
	socketAddress              string
	metadataExtractor          extractors.DockerMetadataExtractor
	handlers                   map[Event]func(ctx context.Context, event *events.Message) error
	eventnotifications         []chan *events.Message
	stopprocessor              []chan bool
	numberOfQueues             int
	stoplistener               chan bool
	config                     *config.ProcessorConfig
	netcls                     cgnetcls.Cgroupnetcls
	syncAtStart                bool
	terminateStoppedContainers bool
	ignoreHostModeContainers   bool
}

// New returns a new docker monitor.
func New(context.Context) *DockerMonitor {
	return &DockerMonitor{}
}

// SetupConfig provides a configuration to implmentations. Every implementation
// can have its own config type.
func (d *DockerMonitor) SetupConfig(registerer registerer.Registerer, cfg interface{}) (err error) {

	defaultConfig := DefaultConfig()

	if cfg == nil {
		cfg = defaultConfig
	}

	dockerConfig, ok := cfg.(*Config)
	if !ok {
		return fmt.Errorf("Invalid configuration specified")
	}

	// Setup defaults
	dockerConfig = SetupDefaultConfig(dockerConfig)

	d.socketType = dockerConfig.SocketType
	d.socketAddress = dockerConfig.SocketAddress
	d.metadataExtractor = dockerConfig.EventMetadataExtractor
	d.syncAtStart = dockerConfig.SyncAtStart
	d.handlers = make(map[Event]func(ctx context.Context, event *events.Message) error)
	d.stoplistener = make(chan bool)
	d.netcls = cgnetcls.NewDockerCgroupNetController()
	d.numberOfQueues = runtime.NumCPU() * 8
	d.eventnotifications = make([]chan *events.Message, d.numberOfQueues)
	d.stopprocessor = make([]chan bool, d.numberOfQueues)
	d.terminateStoppedContainers = dockerConfig.DestroyStoppedContainers
	d.ignoreHostModeContainers = dockerConfig.ignoreHostModeContainers
	for i := 0; i < d.numberOfQueues; i++ {
		d.eventnotifications[i] = make(chan *events.Message, 1000)
		d.stopprocessor[i] = make(chan bool)
	}

	// Add handlers for the events that we know how to process
	d.addHandler(EventCreate, d.handleCreateEvent)
	d.addHandler(EventStart, d.handleStartEvent)
	d.addHandler(EventDie, d.handleDieEvent)
	d.addHandler(EventDestroy, d.handleDestroyEvent)
	d.addHandler(EventPause, d.handlePauseEvent)
	d.addHandler(EventUnpause, d.handleUnpauseEvent)

	return nil
}

func (d *DockerMonitor) dockerClient() dockerClient.CommonAPIClient {
	d.clientHdl.dockerClientLock.Lock()
	defer d.clientHdl.dockerClientLock.Unlock()
	client := d.clientHdl.client
	return client
}

func (d *DockerMonitor) setDockerClient(client dockerClient.CommonAPIClient) {
	d.clientHdl.dockerClientLock.Lock()
	d.clientHdl.client = client
	d.clientHdl.dockerClientLock.Unlock()

}

// SetupHandlers sets up handlers for monitors to invoke for various events such as
// processing unit events and synchronization events. This will be called before Start()
// by the consumer of the monitor
func (d *DockerMonitor) SetupHandlers(c *config.ProcessorConfig) {

	d.config = c
}

// Run will start the DockerPolicy Enforcement.
// It applies a policy to each Container already Up and Running.
// It listens to all ContainerEvents
func (d *DockerMonitor) Run(ctx context.Context) error {

	if err := d.config.IsComplete(); err != nil {
		return fmt.Errorf("docker config issue: %s", err)
	}

	if err := d.waitForDockerDaemon(ctx); err != nil {
		zap.L().Error("Docker daemon is not running at startup - skipping container processing. periodic retries will be attempted",
			zap.Error(err),
			zap.Duration("retry interval", dockerRetryTimer),
		)
		return nil
	}

	return nil
}

func (d *DockerMonitor) syncContainers(ctx context.Context) error {
	if d.syncAtStart && d.config.Policy != nil {
		options := types.ContainerListOptions{
			All: !d.terminateStoppedContainers,
		}
		client := d.dockerClient()
		if client == nil {
			return errors.New("unable to init monitor: nil clienthdl")
		}
		containers, err := client.ContainerList(ctx, options)
		if err != nil {
			return fmt.Errorf("unable to get container list: %s", err)
		}
		// Syncing all Existing containers depending on MonitorSetting
		if err := d.resyncContainers(ctx, containers); err != nil {
			zap.L().Error("Unable to sync existing containers", zap.Error(err))
		}
	}
	return nil
}

func (d *DockerMonitor) initMonitor(ctx context.Context) {

	// Starting the eventListener and wait to hear on channel for it to be ready.
	// We are not doing resync. We just start the listener.
	listenerReady := make(chan struct{})
	go d.eventListener(ctx, listenerReady)
	<-listenerReady

	// Start processing the events
	go d.eventProcessors(ctx)
}

// addHandler adds a callback handler for the given docker event.
// Interesting event names include 'start' and 'die'. For more on events see
// https://docs.docker.com/engine/reference/api/docker_remote_api/
// under the section 'Docker Events'.
func (d *DockerMonitor) addHandler(event Event, handler EventHandler) {
	d.handlers[event] = handler
}

// getHashKey returns key to loadbalance on. This ensures that all
// events from a pod/container fall onto the same queue.
func (d *DockerMonitor) getHashKey(r *events.Message) string {

	if isKubernetesContainer(r.Actor.Attributes) {
		return kubePodIdentifier(r.Actor.Attributes)
	}
	return r.ID
}

// sendRequestToQueue sends a request to a channel based on a hash function
func (d *DockerMonitor) sendRequestToQueue(r *events.Message) {

	key0 := uint64(256203161)
	key1 := uint64(982451653)

	key := d.getHashKey(r)
	h := siphash.Hash(key0, key1, []byte(key))

	d.eventnotifications[int(h%uint64(d.numberOfQueues))] <- r
}

// eventProcessor processes docker events. We are processing multiple
// queues in parallel so that we can activate containers as fast
// as possible.
func (d *DockerMonitor) eventProcessors(ctx context.Context) {

	for i := 0; i < d.numberOfQueues; i++ {
		go func(i int) {
			for {
				select {
				case event := <-d.eventnotifications[i]:
					if f, ok := d.handlers[Event(event.Action)]; ok {
						if err := f(ctx, event); err != nil {
							zap.L().Error("Unable to handle docker event",
								zap.String("action", event.Action),
								zap.Error(err),
							)
						}
						continue
					}
				case <-ctx.Done():
					return
				}
			}
		}(i)
	}
}

// eventListener listens to Docker events from the daemon and passes to
// to the processor through a buffered channel. This minimizes the chances
// that we will miss events because the processor is delayed
func (d *DockerMonitor) eventListener(ctx context.Context, listenerReady chan struct{}) {

	// Once the buffered event channel was returned by Docker we return the ready status.
	listenerReady <- struct{}{}

	for {
		select {
		case <-ctx.Done():
			return
		default:
			if d.dockerClient() == nil {
				zap.L().Debug("Trying to setup docker daemon")
				if err := d.setupDockerDaemon(ctx); err != nil {
					d.setDockerClient(nil)
					continue
				}
				// We are here means the docker daemon restarted. we need to resync
				if err := d.Resync(ctx); err != nil {
					zap.L().Error("Unable to resync containers after reconnecting to docker daemon", zap.Error(err))
				}
			}
			d.listener(ctx)
		}
	}
}

func (d *DockerMonitor) listener(ctx context.Context) {
	f := filters.NewArgs()
	f.Add("type", "container")
	options := types.EventsOptions{
		Filters: f,
	}
	client := d.dockerClient()
	if client == nil {
		return
	}
	messages, errs := client.Events(ctx, options)
	for {
		select {
		case message := <-messages:
			zap.L().Debug("Got message from docker client",
				zap.String("action", message.Action),
				zap.String("ID", message.ID),
			)
			d.sendRequestToQueue(&message)

		case err := <-errs:
			if err != nil && err != io.EOF {
				zap.L().Warn("Received docker event error",
					zap.Error(err),
				)
			}
			d.setDockerClient(nil)
			return

		case <-ctx.Done():
			return
		}
	}

}

// Resync resyncs all the existing containers on the Host, using the
// same process as when a container is initially spawn up
func (d *DockerMonitor) Resync(ctx context.Context) error {

	if !d.syncAtStart || d.config.Policy == nil {
		zap.L().Debug("No synchronization of containers performed")
		return nil
	}

	zap.L().Debug("Syncing all existing containers")
	options := types.ContainerListOptions{
		All: !d.terminateStoppedContainers,
	}
	client := d.dockerClient()
	if client == nil {
		return errors.New("unable to resync: nil clienthdl")
	}
	containers, err := client.ContainerList(ctx, options)
	if err != nil {
		return fmt.Errorf("unable to get container list: %s", err)
	}

	return d.resyncContainers(ctx, containers)
}

func (d *DockerMonitor) resyncContainers(ctx context.Context, containers []types.Container) error {

	d.config.ResyncLock.RLock()
	defer d.config.ResyncLock.RUnlock()
	// resync containers that share host network first if we are not ignoring host mode container
	if !d.ignoreHostModeContainers {
		if err := d.resyncContainersByOrder(ctx, containers, true); err != nil {
			zap.L().Error("Unable to sync container", zap.Error(err))
		}
	}

	// resync remaining containers.
	if err := d.resyncContainersByOrder(ctx, containers, false); err != nil {
		zap.L().Error("Unable to sync container", zap.Error(err))
	}

	return nil
}

//container.HostConfig.NetworkMode == constants.DockerHostMode
func (d *DockerMonitor) resyncContainersByOrder(ctx context.Context, containers []types.Container, syncHost bool) error {
	for _, c := range containers {
		client := d.dockerClient()
		if client == nil {
			return errors.New("unable to resync: nil clienthdl")
		}
		container, err := client.ContainerInspect(ctx, c.ID)
		if err != nil {
			continue
		}

		if (syncHost && container.HostConfig.NetworkMode != constants.DockerHostMode) ||
			(!syncHost && container.HostConfig.NetworkMode == constants.DockerHostMode) {
			continue
		}

		puID, _ := puIDFromDockerID(container.ID)

		runtime, err := d.extractMetadata(&container)
		if err != nil {
			continue
		}

		event := common.EventStop
		if container.State.Running {
			if !container.State.Paused {
				event = common.EventStart
			} else {
				event = common.EventPause
			}
		}

		// If it is a host container, we need to activate it as a Linux process. We will
		// override the options that the metadata extractor provided.
		if container.HostConfig.NetworkMode == constants.DockerHostMode {
			options := hostModeOptions(&container)
			options.PolicyExtensions = runtime.Options().PolicyExtensions
			runtime.SetOptions(*options)
			runtime.SetPUType(common.LinuxProcessPU)
		}

		runtime.SetOptions(runtime.Options())

		if err := d.config.Policy.HandlePUEvent(ctx, puID, event, runtime); err != nil {
			zap.L().Error("Unable to sync existing Container",
				zap.String("dockerID", c.ID),
				zap.Error(err),
			)
		}

		// if the container has hostnet set to true or is linked
		// to container with hostnet set to true, program the cgroup.
		if isHostNetworkContainer(runtime) {
			if err = d.setupHostMode(puID, runtime, &container); err != nil {
				return fmt.Errorf("unable to setup host mode for container %s: %s", puID, err)
			}
		}

	}

	return nil
}

// setupHostMode sets up the net_cls cgroup for the host mode
func (d *DockerMonitor) setupHostMode(puID string, runtimeInfo policy.RuntimeReader, dockerInfo *types.ContainerJSON) (err error) {

	pausePUID := puID
	if dockerInfo.HostConfig.NetworkMode == constants.DockerHostMode {
		if err = d.netcls.Creategroup(puID); err != nil {
			return err
		}

		// Clean the cgroup on exit, if we have failed t activate.
		defer func() {
			if err != nil {
				if derr := d.netcls.DeleteCgroup(puID); derr != nil {
					zap.L().Warn("Failed to clean cgroup",
						zap.String("puID", puID),
						zap.Error(derr),
						zap.Error(err),
					)
				}
			}
		}()

		markval := runtimeInfo.Options().CgroupMark
		if markval == "" {
			return errors.New("mark value not found")
		}

		mark, _ := strconv.ParseUint(markval, 10, 32)
		if err := d.netcls.AssignMark(puID, mark); err != nil {
			return err
		}
	} else {
		// Add the container pid that is linked to hostnet to
		// the cgroup of the parent container.

		pausePUID = getPausePUID(policyExtensions(runtimeInfo))
	}

	return d.netcls.AddProcess(pausePUID, dockerInfo.State.Pid)
}

func (d *DockerMonitor) retrieveDockerInfo(ctx context.Context, event *events.Message) (*types.ContainerJSON, error) {
	client := d.dockerClient()
	if client == nil {
		return nil, errors.New("unable to get container info: nil clienthdl")
	}
	info, err := client.ContainerInspect(ctx, event.ID)
	if err != nil {
		return nil, fmt.Errorf("unable to read container information: container %s kept alive per policy: %s", event.ID, err)
	}
	return &info, nil
}

// ExtractMetadata generates the RuntimeInfo based on Docker primitive
func (d *DockerMonitor) extractMetadata(dockerInfo *types.ContainerJSON) (*policy.PURuntime, error) {

	if dockerInfo == nil {
		return nil, errors.New("docker info is empty")
	}

	if d.metadataExtractor != nil {
		return d.metadataExtractor(dockerInfo)
	}

	return extractors.DefaultMetadataExtractor(dockerInfo)
}

// handleCreateEvent generates a create event type. We extract the metadata
// and start the policy resolution at the create event. No need to wait
// for the start event.
func (d *DockerMonitor) handleCreateEvent(ctx context.Context, event *events.Message) error {

	puID, err := puIDFromDockerID(event.ID)
	if err != nil {
		return err
	}

	container, err := d.retrieveDockerInfo(ctx, event)
	if err != nil {
		return err
	}

	runtime, err := d.extractMetadata(container)
	if err != nil {
		return err
	}

	// If it is a host container, we need to activate it as a Linux process. We will
	// override the options that the metadata extractor provided. We will maintain
	// any policy extensions in the object.
	if container.HostConfig.NetworkMode == constants.DockerHostMode {
		options := hostModeOptions(container)
		options.PolicyExtensions = runtime.Options().PolicyExtensions
		runtime.SetOptions(*options)
		runtime.SetPUType(common.LinuxProcessPU)
	}

	runtime.SetOptions(runtime.Options())

	return d.config.Policy.HandlePUEvent(ctx, puID, tevents.EventCreate, runtime)
}

// handleStartEvent will notify the policy engine immediately about the event in order
// to start the implementation of the functions. At this point we know the process ID
// that is needed for the remote enforcers.
func (d *DockerMonitor) handleStartEvent(ctx context.Context, event *events.Message) error {

	container, err := d.retrieveDockerInfo(ctx, event)
	if err != nil {
		return err
	}

	if !container.State.Running {
		return nil
	}

	puID, err := puIDFromDockerID(container.ID)
	if err != nil {
		return err
	}

	runtime, err := d.extractMetadata(container)
	if err != nil {
		return err
	}

	// If it is a host container, we need to activate it as a Linux process. We will
	// override the options that the metadata extractor provided.
	if container.HostConfig.NetworkMode == constants.DockerHostMode {
		options := hostModeOptions(container)
		options.PolicyExtensions = runtime.Options().PolicyExtensions
		runtime.SetOptions(*options)
		runtime.SetPUType(common.LinuxProcessPU)
	}

	runtime.SetOptions(runtime.Options())

	if err = d.config.Policy.HandlePUEvent(ctx, puID, tevents.EventStart, runtime); err != nil {
		return fmt.Errorf("unable to set policy: container %s kept alive per policy: %s", puID, err)
	}

	// if the container has hostnet set to true or is linked
	// to container with hostnet set to true, program the cgroup.
	if isHostNetworkContainer(runtime) && !d.ignoreHostModeContainers {
		if err = d.setupHostMode(puID, runtime, container); err != nil {
			return fmt.Errorf("unable to setup host mode for container %s: %s", puID, err)
		}
	}
	return nil
}

//handleDie event is called when a container dies. It generates a "Stop" event.
func (d *DockerMonitor) handleDieEvent(ctx context.Context, event *events.Message) error {

	puID, err := puIDFromDockerID(event.ID)
	if err != nil {
		return err
	}

	runtime := policy.NewPURuntimeWithDefaults()
	runtime.SetOptions(runtime.Options())

	if err := d.config.Policy.HandlePUEvent(ctx, puID, tevents.EventStop, runtime); err != nil && !d.terminateStoppedContainers {
		return err
	}

	if d.terminateStoppedContainers {
		return d.config.Policy.HandlePUEvent(ctx, puID, tevents.EventDestroy, runtime)
	}
	return nil
}

// handleDestroyEvent handles destroy events from Docker. It generated a "Destroy event"
func (d *DockerMonitor) handleDestroyEvent(ctx context.Context, event *events.Message) error {

	puID, err := puIDFromDockerID(event.ID)
	if err != nil {
		return err
	}
	runtime := policy.NewPURuntimeWithDefaults()
	runtime.SetOptions(runtime.Options())

	if err = d.config.Policy.HandlePUEvent(ctx, puID, tevents.EventDestroy, runtime); err != nil {
		zap.L().Error("Failed to handle delete event",
			zap.Error(err),
		)
	}

	if err = d.netcls.DeleteCgroup(puID); err != nil {
		zap.L().Warn("Failed to clean netcls group",
			zap.String("puID", puID),
			zap.Error(err),
		)
	}

	return nil
}

// handlePauseEvent generates a create event type.
func (d *DockerMonitor) handlePauseEvent(ctx context.Context, event *events.Message) error {
	zap.L().Info("UnPause Event for nativeID", zap.String("ID", event.ID))

	puID, err := puIDFromDockerID(event.ID)
	if err != nil {
		return err
	}

	runtime := policy.NewPURuntimeWithDefaults()
	runtime.SetOptions(runtime.Options())

	return d.config.Policy.HandlePUEvent(ctx, puID, tevents.EventPause, runtime)
}

// handleCreateEvent generates a create event type.
func (d *DockerMonitor) handleUnpauseEvent(ctx context.Context, event *events.Message) error {

	puID, err := puIDFromDockerID(event.ID)
	if err != nil {
		return err
	}

	runtime := policy.NewPURuntimeWithDefaults()
	runtime.SetOptions(runtime.Options())

	return d.config.Policy.HandlePUEvent(ctx, puID, tevents.EventUnpause, runtime)
}

func puIDFromDockerID(dockerID string) (string, error) {

	if dockerID == "" {
		return "", errors.New("unable to generate context id: empty docker id")
	}

	if len(dockerID) < 12 {
		return "", fmt.Errorf("unable to generate context id: dockerid smaller than 12 characters: %s", dockerID)
	}

	return dockerID[:12], nil
}

func initDockerClient(socketType string, socketAddress string) (*dockerClient.Client, error) {

	var socket string

	switch socketType {
	case "tcp":
		socket = "https://" + socketAddress
	case "unix":
		// Sanity check that this path exists
		if _, oserr := os.Stat(socketAddress); os.IsNotExist(oserr) {
			return nil, oserr
		}
		socket = "unix://" + socketAddress
	default:
		return nil, fmt.Errorf("bad socket type: %s", socketType)
	}

	defaultHeaders := map[string]string{"User-Agent": "engine-api-dockerClient-1.0"}

	dc, err := dockerClient.NewClient(socket, DockerClientVersion, nil, defaultHeaders)
	if err != nil {
		return nil, fmt.Errorf("unable to create docker client: %s", err)
	}

	return dc, nil
}

func (d *DockerMonitor) setupDockerDaemon(ctx context.Context) (err error) {

	if d.dockerClient() == nil {
		// Initialize client
		dockerClient, err := initDockerClient(d.socketType, d.socketAddress)
		if err != nil {
			// Reset this here since the interface = nil check will fail later this is partly initialized.
			// cheaper than doing reflect and check later
			return err
		}
		d.setDockerClient(dockerClient)
	}

	subctx, cancel := context.WithTimeout(ctx, dockerPingTimeout)
	defer cancel()

	client := d.dockerClient()
	if client == nil {
		return errors.New("unable to Ping: nil clienthdl")
	}
	_, err = client.Ping(subctx)
	return err
}

// waitForDockerDaemon is a blocking call which will try to bring up docker, if not return err
// with timeout
func (d *DockerMonitor) waitForDockerDaemon(ctx context.Context) (err error) {

	done := make(chan bool)
	zap.L().Info("Trying to initialize docker monitor")
	go func(gctx context.Context) {

		for {
			errg := d.setupDockerDaemon(gctx)
			if errg == nil {
				d.initMonitor(gctx)
				break
			}

			select {
			case <-gctx.Done():
				return
			case <-time.After(dockerRetryTimer):
				continue
			}

		}
		done <- true
	}(ctx)

	select {
	case <-ctx.Done():
		return nil
	case <-time.After(dockerInitializationWait):
		return fmt.Errorf("Unable to connect to docker daemon")
	case <-done:
		if err := d.syncContainers(ctx); err != nil {
			zap.L().Error("Failed To Sync containers at start", zap.Error(err))
		}
		zap.L().Info("Started Docker Monitor")
	}

	return nil
}

// hostModeOptions creates the default options for a host-mode container. The
// container must be activated as a Linux Process.
func hostModeOptions(dockerInfo *types.ContainerJSON) *policy.OptionsType {

	options := policy.OptionsType{
		CgroupName:        strconv.Itoa(dockerInfo.State.Pid),
		CgroupMark:        strconv.FormatUint(cgnetcls.MarkVal(), 10),
		ConvertedDockerPU: true,
		AutoPort:          true,
	}

	for p := range dockerInfo.Config.ExposedPorts {
		if p.Proto() == "tcp" {
			s, err := portspec.NewPortSpecFromString(p.Port(), nil)
			if err != nil {
				continue
			}

			options.Services = append(options.Services, common.Service{
				Protocol: uint8(6),
				Ports:    s,
			})
		}
	}

	return &options
}


================================================
FILE: monitor/internal/docker/monitor_linux_test.go
================================================
// +build linux,!rhel6

package dockermonitor

import (
	"errors"
	"os"
	"syscall"
	"testing"

	. "github.com/smartystreets/goconvey/convey"

	"go.aporeto.io/enforcerd/trireme-lib/monitor/constants"
)

func TestInitDockerClient(t *testing.T) {

	Convey("When I try to initialize a new docker client as unix", t, func() {
		dc, err := initDockerClient(constants.DefaultDockerSocketType, constants.DefaultDockerSocket)

		Convey("Then docker client should not be nil", func() {
			So(dc, ShouldNotBeNil)
			So(err, ShouldBeNil)
		})
	})

	Convey("When I try to initialize a new docker client as tcp", t, func() {
		dc, err := initDockerClient("tcp", constants.DefaultDockerSocket)

		Convey("Then docker client should not be nil", func() {
			So(dc, ShouldNotBeNil)
			So(err, ShouldBeNil)
		})
	})

	Convey("When I try to initialize a new docker client with some random type", t, func() {
		dc, err := initDockerClient("wrongtype", constants.DefaultDockerSocket)

		Convey("Then docker client should be nil and I should get error", func() {
			So(dc, ShouldBeNil)
			So(err, ShouldResemble, errors.New("bad socket type: wrongtype"))
		})
	})

	Convey("When I try to initialize a new docker client with some random path", t, func() {
		dc, err := initDockerClient(constants.DefaultDockerSocketType, "/var/random.sock")

		Convey("Then docker client should be nil and I should get error", func() {
			So(dc, ShouldBeNil)
			So(err, ShouldResemble, &os.PathError{Op: "stat", Path: "/var/random.sock", Err: syscall.Errno(2)})
		})
	})
}


================================================
FILE: monitor/internal/docker/monitor_test.go
================================================
// +build linux

package dockermonitor

import (
	"context"
	"errors"
	"reflect"
	"sync"
	"testing"
	"time"

	types "github.com/docker/docker/api/types"

	"github.com/docker/docker/api/types/container"
	"github.com/docker/docker/api/types/events"
	"github.com/golang/mock/gomock"
	. "github.com/smartystreets/goconvey/convey"
	"go.aporeto.io/enforcerd/trireme-lib/collector"
	tevents "go.aporeto.io/enforcerd/trireme-lib/common"
	"go.aporeto.io/enforcerd/trireme-lib/monitor/config"
	"go.aporeto.io/enforcerd/trireme-lib/monitor/extractors"
	"go.aporeto.io/enforcerd/trireme-lib/monitor/internal/docker/mockdocker"
	"go.aporeto.io/enforcerd/trireme-lib/policy/mockpolicy"
	"go.aporeto.io/enforcerd/trireme-lib/utils/cgnetcls/mockcgnetcls"
)

var (
	testDockerMetadataExtractor extractors.DockerMetadataExtractor
	ID                          string
)

func init() {
	ID = "74cc486f9ec3256d7bee789853ce05510167c7daf893f90a7577cdcba259d063"
}

func eventCollector() collector.EventCollector {
	newEvent := &collector.DefaultCollector{}
	return newEvent
}

func initTestDockerInfo(id string, nwmode container.NetworkMode, state bool) *types.ContainerJSON {
	var testInfoBase types.ContainerJSON
	var testInfo types.ContainerJSONBase
	var testConfig container.Config
	var testNetwork types.NetworkSettings
	var testDefaultNW types.DefaultNetworkSettings
	var testContainer types.ContainerState
	var testHostConfig container.HostConfig

	m := make(map[string]string)
	m["role"] = "client"
	m["vendor"] = "CentOS"
	m["$id"] = "598a35a60f79af0001b52ef5"
	m["$namespace"] = "/sibicentos"
	m["build-date"] = "20170801"
	m["license"] = "GPLv2"
	m["name"] = "CentOS Base Image"

	testDefaultNW.IPAddress = "172.17.0.2"

	testNetwork.DefaultNetworkSettings = testDefaultNW

	testConfig.Image = "centos"
	testConfig.Labels = m

	testInfo.Name = "/priceless_rosalind"
	testInfo.State = &testContainer
	testInfo.HostConfig = &testHostConfig

	testContainer.Pid = 4912
	testContainer.Running = state

	testHostConfig.NetworkMode = nwmode

	testInfoBase.NetworkSettings = &testNetwork
	testInfoBase.ContainerJSONBase = &testInfo
	testInfoBase.Config = &testConfig
	testInfoBase.ID = id
	testInfoBase.Config.Labels["storedTags"] = "$id=5a3b4e903653d4000133254f,$namespace=/test"

	return &testInfoBase
}

func initTestMessage(id string) *events.Message {
	var testMessage events.Message

	testMessage.ID = id

	return &testMessage
}

func defaultContainer(host bool) types.ContainerJSON {

	networkMode := "bridge"
	if host {
		networkMode = "host"
	}
	c := types.ContainerJSON{
		ContainerJSONBase: &types.ContainerJSONBase{
			ID: ID,
			State: &types.ContainerState{
				Running: true,
				Paused:  false,
			},
			HostConfig: &container.HostConfig{
				NetworkMode: container.NetworkMode(networkMode),
			},
		},
		Mounts: nil,
		Config: &container.Config{
			Labels: map[string]string{"app": "web"},
		},
		NetworkSettings: &types.NetworkSettings{
			DefaultNetworkSettings: types.DefaultNetworkSettings{
				IPAddress: "172.17.0.1",
			},
		},
	}

	return c
}

func TestNewDockerMonitor(t *testing.T) {

	Convey("When I try to initialize a new docker monitor", t, func() {
		dm := New(context.Background())
		err := dm.SetupConfig(nil, &Config{
			EventMetadataExtractor: testDockerMetadataExtractor,
		})
		So(err, ShouldBeNil)

		Convey("Then docker monitor should not be nil", func() {
			So(dm, ShouldNotBeNil)
		})
	})
}

func TestContextIDFromDockerID(t *testing.T) {
	Convey("When I try to retrieve contextID from dockerID", t, func() {
		cID, err := puIDFromDockerID(ID)
		cID1 := "74cc486f9ec3"

		Convey("Then contextID should match and I should not get any error", func() {
			So(cID, ShouldEqual, cID1)
			So(err, ShouldBeNil)
		})
	})

	Convey("When I try to retrieve contextID when dockerID length less than 12", t, func() {
		cID, err := puIDFromDockerID("6f47830f64")

		Convey("Then I should get error", func() {
			So(cID, ShouldEqual, "")
			So(err, ShouldResemble, errors.New("unable to generate context id: dockerid smaller than 12 characters: 6f47830f64"))
		})
	})

	Convey("When I try to retrieve contextID when no dockerID given", t, func() {
		cID, err := puIDFromDockerID("")

		Convey("Then I should get error", func() {
			So(cID, ShouldEqual, "")
			So(err, ShouldResemble, errors.New("unable to generate context id: empty docker id"))
		})
	})
}

func TestDefaultDockerMetadataExtractor(t *testing.T) {
	Convey("When I try to extract metadata from default docker container", t, func() {
		puR, err := extractors.DefaultMetadataExtractor(initTestDockerInfo(ID, "default", false))

		Convey("Then I should not get any error", func() {
			So(puR, ShouldNotBeNil)
			So(err, ShouldBeNil)
		})
	})

	Convey("When I try to extract metadata from host docker container", t, func() {
		puR, err := extractors.DefaultMetadataExtractor(initTestDockerInfo(ID, "host", false))

		Convey("Then I should not get any error", func() {
			So(puR, ShouldNotBeNil)
			So(err, ShouldBeNil)
		})
	})
}

func setupDockerMonitor(ctrl *gomock.Controller) (*DockerMonitor, *mockpolicy.MockResolver) {

	dm := New(context.Background())
	mockPolicy := mockpolicy.NewMockResolver(ctrl)

	dm.SetupHandlers(&config.ProcessorConfig{
		Collector:  eventCollector(),
		Policy:     mockPolicy,
		ResyncLock: &sync.RWMutex{},
	})
	err := dm.SetupConfig(nil, &Config{
		EventMetadataExtractor: testDockerMetadataExtractor,
	})
	So(err, ShouldBeNil)

	mockDocker := mockdocker.NewMockCommonAPIClient(ctrl)
	dm.setDockerClient(mockDocker)

	// ctx, cancel := context.WithTimeout(context.Background(), 15*time.Second)
	// defer cancel()
	// // mockDocker.EXPECT().Ping(gomock.Any()).Return(types.Ping{}, nil)

	// err = dm.Run(ctx)
	// err = dm.waitForDockerDaemon(ctx)
	So(err, ShouldBeNil)
	return dm, mockPolicy
}

func TestStopDockerContainer(t *testing.T) {
	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	Convey("When I try to initialize a new docker monitor", t, func() {

		dm, mockPU := setupDockerMonitor(ctrl)
		Convey("Then docker monitor should not be nil", func() {
			So(dm, ShouldNotBeNil)
			So(dm, ShouldNotBeNil)
		})

		Convey("When I try to stop a container", func() {
			mockPU.EXPECT().HandlePUEvent(gomock.Any(), "74cc486f9ec3", tevents.EventStop, gomock.Any()).Times(1).Return(nil)
			dm.SetupHandlers(&config.ProcessorConfig{
				Collector:  eventCollector(),
				Policy:     mockPU,
				ResyncLock: &sync.RWMutex{},
			})

			err := dm.handleDieEvent(context.Background(), &events.Message{ID: "74cc486f9ec3"})

			Convey("Then I should not get any error", func() {
				So(err, ShouldBeNil)
			})
		})
	})
}

func TestHandleCreateEvent(t *testing.T) {
	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	Convey("When I try to initialize a new docker monitor", t, func() {

		dmi, mockPU := setupDockerMonitor(ctrl)
		Convey("Then docker monitor should not be nil", func() {
			So(dmi, ShouldNotBeNil)
		})

		Convey("When I try to handle create event", func() {
			dmi.SetupHandlers(&config.ProcessorConfig{
				Collector:  eventCollector(),
				Policy:     mockPU,
				ResyncLock: &sync.RWMutex{},
			})

			dmi.dockerClient().(*mockdocker.MockCommonAPIClient).EXPECT().
				ContainerInspect(gomock.Any(), ID).Return(defaultContainer(false), nil)
			mockPU.EXPECT().
				HandlePUEvent(gomock.Any(), ID[:12], tevents.EventCreate, gomock.Any()).Times(1).Return(nil)

			err := dmi.handleCreateEvent(context.Background(), initTestMessage(ID))

			Convey("Then I should not get any error", func() {
				So(err, ShouldBeNil)
			})
		})

		Convey("When I try to handle create event with failed container ", func() {
			dmi.SetupHandlers(&config.ProcessorConfig{
				Collector:  eventCollector(),
				Policy:     mockPU,
				ResyncLock: &sync.RWMutex{},
			})

			dmi.dockerClient().(*mockdocker.MockCommonAPIClient).EXPECT().
				ContainerInspect(gomock.Any(), ID).Return(defaultContainer(false), errors.New("error1"))
			err := dmi.handleCreateEvent(context.Background(), initTestMessage(ID))

			Convey("Then I should get error", func() {
				So(err, ShouldResemble, errors.New("unable to read container information: container 74cc486f9ec3256d7bee789853ce05510167c7daf893f90a7577cdcba259d063 kept alive per policy: error1"))
			})
		})

		Convey("When I try to handle create event with no ID given", func() {
			err := dmi.handleCreateEvent(context.Background(), initTestMessage(""))

			Convey("Then I should get error", func() {
				So(err, ShouldResemble, errors.New("unable to generate context id: empty docker id"))
			})
		})
	})
}

func TestHandleStartEvent(t *testing.T) {
	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	Convey("When I try to initialize a new docker monitor", t, func() {

		dmi, mockPU := setupDockerMonitor(ctrl)
		Convey("Then docker monitor should not be nil", func() {
			So(dmi, ShouldNotBeNil)
		})

		dmi.SetupHandlers(&config.ProcessorConfig{
			Collector:  eventCollector(),
			Policy:     mockPU,
			ResyncLock: &sync.RWMutex{},
		})

		Convey("When I try to handle start event with a valid container", func() {
			dmi.dockerClient().(*mockdocker.MockCommonAPIClient).EXPECT().
				ContainerInspect(gomock.Any(), ID).Return(defaultContainer(false), nil)
			mockPU.EXPECT().
				HandlePUEvent(gomock.Any(), ID[:12], tevents.EventStart, gomock.Any()).Times(1).Return(nil)

			err := dmi.handleStartEvent(context.Background(), initTestMessage(ID))
			Convey("Then I should get no errors", func() {
				So(err, ShouldBeNil)
			})
		})

		Convey("When I try to handle start event with a bad container", func() {
			dmi.dockerClient().(*mockdocker.MockCommonAPIClient).EXPECT().
				ContainerInspect(gomock.Any(), ID).Return(defaultContainer(false), errors.New("error"))

			err := dmi.handleStartEvent(context.Background(), initTestMessage(ID))

			Convey("Then I should get error", func() {
				So(err, ShouldNotBeNil)
			})
		})

		Convey("When I try to handle start event with no ID given", func() {
			c := defaultContainer(false)
			c.ID = ""
			dmi.dockerClient().(*mockdocker.MockCommonAPIClient).EXPECT().
				ContainerInspect(gomock.Any(), gomock.Any()).Return(c, nil)

			err := dmi.handleStartEvent(context.Background(), initTestMessage(""))

			Convey("Then I should get error", func() {
				So(err, ShouldNotBeNil)
			})
		})

		Convey("When I try to handle start event with a valid container and policy fails", func() {
			dmi.dockerClient().(*mockdocker.MockCommonAPIClient).EXPECT().
				ContainerInspect(gomock.Any(), ID).Return(defaultContainer(false), nil)
			mockPU.EXPECT().
				HandlePUEvent(gomock.Any(), ID[:12], tevents.EventStart, gomock.Any()).Times(1).Return(errors.New("policy"))

			err := dmi.handleStartEvent(context.Background(), initTestMessage(ID))
			Convey("Then I should an error", func() {
				So(err, ShouldNotBeNil)
			})
		})
	})
}

func TestHandleDieEvent(t *testing.T) {
	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	Convey("When I try to initialize a new docker monitor", t, func() {

		dmi, mockPU := setupDockerMonitor(ctrl)
		Convey("Then docker monitor should not be nil", func() {
			So(dmi, ShouldNotBeNil)
		})

		Convey("When I try to handle die event", func() {
			mockPU.EXPECT().HandlePUEvent(gomock.Any(), "74cc486f9ec3", tevents.EventStop, gomock.Any()).Times(1).Return(nil)
			dmi.SetupHandlers(&config.ProcessorConfig{
				Collector:  eventCollector(),
				Policy:     mockPU,
				ResyncLock: &sync.RWMutex{},
			})
			err := dmi.handleDieEvent(context.Background(), initTestMessage(ID))

			Convey("Then I should not get any error", func() {
				So(err, ShouldBeNil)
			})
		})
	})
}

func TestHandleDestroyEvent(t *testing.T) {
	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	Convey("When I try to initialize a new docker monitor", t, func() {

		dmi, mockPU := setupDockerMonitor(ctrl)

		Convey("Then docker monitor should not be nil", func() {
			So(dmi, ShouldNotBeNil)
		})

		mockCG := mockcgnetcls.NewMockCgroupnetcls(ctrl)

		Convey("When I try to handle destroy event", func() {
			mockPU.EXPECT().HandlePUEvent(gomock.Any(), "74cc486f9ec3", tevents.EventDestroy, gomock.Any()).Times(1).Return(nil)
			mockCG.EXPECT().DeleteCgroup("74cc486f9ec3").Times(1).Return(nil)
			dmi.SetupHandlers(&config.ProcessorConfig{
				Collector:  eventCollector(),
				Policy:     mockPU,
				ResyncLock: &sync.RWMutex{},
			})
			dmi.netcls = mockCG
			err := dmi.handleDestroyEvent(context.Background(), initTestMessage(ID))

			Convey("Then I should not get any error", func() {
				So(err, ShouldBeNil)
			})
		})

		Convey("When I try to handle destroy event with no docker ID", func() {
			err := dmi.handleDestroyEvent(context.Background(), initTestMessage(""))

			Convey("Then I should get error", func() {
				So(err, ShouldResemble, errors.New("unable to generate context id: empty docker id"))
			})
		})
	})
}

func TestHandlePauseEvent(t *testing.T) {
	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	Convey("When I try to initialize a new docker monitor", t, func() {

		dmi, mockPU := setupDockerMonitor(ctrl)

		Convey("Then docker monitor should not be nil", func() {
			So(dmi, ShouldNotBeNil)
		})

		Convey("When I try to handle pause event", func() {
			mockPU.EXPECT().HandlePUEvent(gomock.Any(), "74cc486f9ec3", tevents.EventPause, gomock.Any()).Times(1).Return(nil)
			dmi.SetupHandlers(&config.ProcessorConfig{
				Collector:  eventCollector(),
				Policy:     mockPU,
				ResyncLock: &sync.RWMutex{},
			})
			err := dmi.handlePauseEvent(context.Background(), initTestMessage(ID))

			Convey("Then I should not get any error", func() {
				So(err, ShouldBeNil)
			})
		})

		Convey("When I try to handle pause event with no ID", func() {
			err := dmi.handlePauseEvent(context.Background(), initTestMessage(""))

			Convey("Then I should get error", func() {
				So(err, ShouldResemble, errors.New("unable to generate context id: empty docker id"))
			})
		})
	})
}

func TestHandleUnpauseEvent(t *testing.T) {
	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	Convey("When I try to initialize a new docker monitor", t, func() {

		dmi, mockPU := setupDockerMonitor(ctrl)

		Convey("Then docker monitor should not be nil", func() {
			So(dmi, ShouldNotBeNil)
		})

		Convey("When I try to handle unpause event", func() {
			mockPU.EXPECT().HandlePUEvent(gomock.Any(), "74cc486f9ec3", tevents.EventUnpause, gomock.Any()).Times(1).Return(nil)
			dmi.SetupHandlers(&config.ProcessorConfig{
				Collector:  eventCollector(),
				Policy:     mockPU,
				ResyncLock: &sync.RWMutex{},
			})
			err := dmi.handleUnpauseEvent(context.Background(), initTestMessage(ID))

			Convey("Then I should not get any error", func() {
				So(err, ShouldBeNil)
			})
		})

		Convey("When I try to handle unpause event with no ID", func() {
			err := dmi.handleUnpauseEvent(context.Background(), initTestMessage(""))

			Convey("Then I should get error", func() {
				So(err, ShouldResemble, errors.New("unable to generate context id: empty docker id"))
			})
		})
	})
}

func TestExtractMetadata(t *testing.T) {
	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	Convey("When I try to initialize a new docker monitor", t, func() {

		dmi, _ := setupDockerMonitor(ctrl)

		Convey("Then docker monitor should not be nil", func() {
			So(dmi, ShouldNotBeNil)
		})

		Convey("When I try to call extractmetadata with nil docker info", func() {
			puR, err := dmi.extractMetadata(nil)

			Convey("I should get error", func() {
				So(puR, ShouldBeNil)
				So(err, ShouldResemble, errors.New("docker info is empty"))
			})
		})
	})
}

func TestSyncContainers(t *testing.T) {
	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	Convey("When I try to initialize a new docker monitor", t, func() {

		dmi, mockPU := setupDockerMonitor(ctrl)
		dmi.SetupHandlers(&config.ProcessorConfig{
			Collector:  eventCollector(),
			Policy:     mockPU,
			ResyncLock: &sync.RWMutex{},
		})

		Convey("Then docker monitor should not be nil", func() {
			So(dmi, ShouldNotBeNil)
		})

		Convey("If I try to sync containers where when SyncAtStart is not set, I should get nil", func() {
			dmi.syncAtStart = false
			err := dmi.Resync(context.Background())
			So(err, ShouldBeNil)
		})

		Convey("If I try to sync containers and docker list fails, I should get an error", func() {
			dmi.syncAtStart = true
			dmi.dockerClient().(*mockdocker.MockCommonAPIClient).EXPECT().
				ContainerList(gomock.Any(), gomock.Any()).Return([]types.Container{{ID: ID}}, errors.New("error"))

			err := dmi.Resync(context.Background())
			So(err, ShouldNotBeNil)
		})

		Convey("When I try to call sync containers and a policy call fails", func() {
			dmi.syncAtStart = true

			dmi.dockerClient().(*mockdocker.MockCommonAPIClient).EXPECT().
				ContainerList(gomock.Any(), gomock.Any()).Return([]types.Container{{ID: ID}}, nil)

			dmi.dockerClient().(*mockdocker.MockCommonAPIClient).EXPECT().
				ContainerInspect(gomock.Any(), ID).Return(defaultContainer(false), nil).MaxTimes(2)

			mockPU.EXPECT().HandlePUEvent(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return(errors.New("blah"))

			err := dmi.Resync(context.Background())

			Convey("Then I should  get  error since we ignore bad containers", func() {
				So(err, ShouldBeNil)
			})

		})

		Convey("When I try to call sync containers", func() {
			dmi.syncAtStart = true

			dmi.dockerClient().(*mockdocker.MockCommonAPIClient).EXPECT().
				ContainerList(gomock.Any(), gomock.Any()).Return([]types.Container{{ID: ID}}, nil)

			dmi.dockerClient().(*mockdocker.MockCommonAPIClient).EXPECT().
				ContainerInspect(gomock.Any(), ID).Return(defaultContainer(false), nil).MaxTimes(2)

			mockPU.EXPECT().HandlePUEvent(gomock.Any(), ID[:12], tevents.EventStart, gomock.Any()).AnyTimes().Return(nil)

			err := dmi.Resync(context.Background())

			Convey("Then I should not get no error ", func() {
				So(err, ShouldBeNil)
			})

		})

		Convey("When I try to call sync host containers", func() {
			dmi.syncAtStart = true
			hostContainer := types.Container{
				ID: ID,
				HostConfig: struct {
					NetworkMode string `json:",omitempty"`
				}{NetworkMode: "host"}}

			dmi.dockerClient().(*mockdocker.MockCommonAPIClient).EXPECT().
				ContainerList(gomock.Any(), gomock.Any()).Return([]types.Container{hostContainer}, nil)

			dmi.dockerClient().(*mockdocker.MockCommonAPIClient).EXPECT().
				ContainerInspect(gomock.Any(), ID).Return(defaultContainer(true), nil).MaxTimes(2)

			mockPU.EXPECT().HandlePUEvent(gomock.Any(), ID[:12], tevents.EventStart, gomock.Any()).AnyTimes().Return(nil)

			err := dmi.Resync(context.Background())

			Convey("Then I should not get no error ", func() {
				So(err, ShouldBeNil)
			})

		})
	})
}

func Test_initTestDockerInfo(t *testing.T) {
	type args struct {
		id     string
		nwmode container.NetworkMode
		state  bool
	}
	tests := []struct {
		name string
		args args
		want *types.ContainerJSON
	}{}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			if got := initTestDockerInfo(tt.args.id, tt.args.nwmode, tt.args.state); !reflect.DeepEqual(got, tt.want) {
				t.Errorf("initTestDockerInfo() = %v, want %v", got, tt.want)
			}
		})
	}
}

func TestWaitForDockerDaemon(t *testing.T) {
	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	Convey("If docker daemon is not running and setup docker daemon returns an error", t, func() {

		dmi, _ := setupDockerMonitor(ctrl)
		dmi.dockerClient().(*mockdocker.MockCommonAPIClient).EXPECT().Ping(gomock.Any()).Return(types.Ping{}, errors.New("Ping Error")).AnyTimes()
		// 30*time.Second is greater then dockerInitializationwait
		waitforDockerInitializationTimeout := dockerInitializationWait + 5*time.Second
		expiryTime := time.Now().Add(waitforDockerInitializationTimeout)
		dmi.socketAddress = "unix://tmp/test.sock"
		ctx, cancel := context.WithDeadline(context.Background(), time.Now().Add(waitforDockerInitializationTimeout))
		err := dmi.waitForDockerDaemon(ctx)
		So(err, ShouldNotBeNil)
		So(time.Now(), ShouldHappenBefore, expiryTime)
		// this will kill the Goroutine
		cancel()
	})
}

func TestSetupDockerDaemon(t *testing.T) {
	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	Convey("If setupDockerdaemon returns an error dockerClient is nil", t, func() {

		dmi, _ := setupDockerMonitor(ctrl)
		dmi.setDockerClient(nil)
		dmi.socketType = "invalid"
		err := dmi.setupDockerDaemon(context.Background())
		So(err, ShouldNotBeNil)
		So(dmi.dockerClient(), ShouldBeNil)

	})
}


================================================
FILE: monitor/internal/docker/types.go
================================================
package dockermonitor

import (
	"context"
	"time"

	"github.com/docker/docker/api/types"
	"github.com/docker/docker/api/types/events"
)

// Event is the type of various docker events.
type Event string

const (
	// EventCreate represents the Docker "create" event.
	EventCreate Event = "create"

	// EventStart represents the Docker "start" event.
	EventStart Event = "start"

	// EventDie represents the Docker "die" event.
	EventDie Event = "die"

	// EventDestroy represents the Docker "destroy" event.
	EventDestroy Event = "destroy"

	// EventPause represents the Docker "pause" event.
	EventPause Event = "pause"

	// EventUnpause represents the Docker "unpause" event.
	EventUnpause Event = "unpause"

	// EventConnect represents the Docker "connect" event.
	EventConnect Event = "connect"

	// DockerClientVersion is the version sent out as the client
	DockerClientVersion = "v1.23"

	// dockerPingTimeout is the time to wait for a ping to succeed.
	dockerPingTimeout = 2 * time.Second

	// dockerRetryTimer is the time after which we will retry to bring docker up.
	dockerRetryTimer = 2 * time.Second

	// dockerInitializationWait is the time after which we will retry to bring docker up.
	dockerInitializationWait = 2 * dockerRetryTimer
)

// A EventHandler is type of docker event handler functions.
type EventHandler func(ctx context.Context, event *events.Message) error

// DockerClientInterface creates an interface for the docker client so that we can do tests.
type DockerClientInterface interface {
	// ContainerInspect corresponds to the ContainerInspect of docker.
	ContainerInspect(ctx context.Context, containerID string) (types.ContainerJSON, error)

	// ContainerList abstracts the ContainerList as interface.
	ContainerList(ctx context.Context, options types.ContainerListOptions) ([]types.Container, error)

	// ContainerStop abstracts the ContainerStop as interface.
	ContainerStop(ctx context.Context, containerID string, timeout *time.Duration) error

	// Events abstracts the Event method as an interface.
	Events(ctx context.Context, options types.EventsOptions) (<-chan events.Message, <-chan error)

	// Ping abstracts the Event method as an interface
	Ping(ctx context.Context) (types.Ping, error)
}


================================================
FILE: monitor/internal/k8s/config.go
================================================
package k8smonitor

import (
	criapi "k8s.io/cri-api/pkg/apis"

	"go.aporeto.io/enforcerd/trireme-lib/monitor/extractors"
)

// Config is the config for the Kubernetes monitor
type Config struct { // nolint
	Kubeconfig string
	Nodename   string

	CRIRuntimeService criapi.RuntimeService

	MetadataExtractor extractors.PodMetadataExtractor
}

// DefaultConfig provides a default configuration
func DefaultConfig() *Config {
	return &Config{
		MetadataExtractor: nil,
		CRIRuntimeService: nil,
		Kubeconfig:        "",
		Nodename:          "",
	}
}

// SetupDefaultConfig adds defaults to a partial configuration
func SetupDefaultConfig(kubernetesConfig *Config) *Config {
	return kubernetesConfig
}


================================================
FILE: monitor/internal/k8s/event_handler.go
================================================
package k8smonitor

import (
	"context"
	"fmt"

	"go.aporeto.io/enforcerd/internal/extractors/containermetadata"
	"go.aporeto.io/enforcerd/trireme-lib/common"
	"go.aporeto.io/enforcerd/trireme-lib/monitor/external"

	"go.uber.org/zap"

	corev1 "k8s.io/api/core/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

var _ external.ReceiveEvents = &K8sMonitor{}

func (m *K8sMonitor) isCniInstalledOrRuncProxyStarted() bool {
	m.extMonitorStartedLock.RLock()
	defer m.extMonitorStartedLock.RUnlock()
	return m.cniInstalledOrRuncProxyStarted
}

// SenderReady will be called by the sender to notify the receiver that the sender
// is now ready to send events.
func (m *K8sMonitor) SenderReady() {
	m.extMonitorStartedLock.Lock()
	m.cniInstalledOrRuncProxyStarted = true
	m.extMonitorStartedLock.Unlock()
	close(m.cniInstalledOrRuncProxyStartedCh)
	zap.L().Debug("K8sMonitor: CNI plugin is installed and configured or runc-proxy has started")
}

// Event will receive event `data` for processing a common.Event in the monitor.
// The sent data is implementation specific - therefore it has no type in the interface.
// If the sent data is of an unexpected type, its implementor must return an error
// indicating so.
func (m *K8sMonitor) Event(ctx context.Context, ev common.Event, data interface{}) error {
	// the data is expected to be of type
	kmd, ok := data.(containermetadata.CommonKubernetesContainerMetadata)
	if !ok {
		return fmt.Errorf("K8sMonitor: invalid data type: %T", data)
	}

	switch ev {
	case common.EventStart:
		if err := m.startEvent(ctx, kmd, 0); err != nil {
			// TODO: handle retries that we can handle
			return fmt.Errorf("K8sMonitor: startEvent: %s", err)
		}
	case common.EventDestroy:
		if err := m.destroyEvent(ctx, kmd); err != nil {
			return fmt.Errorf("K8sMonitor: destroyEvent: %s", err)
		}
	default:
		return fmt.Errorf("K8sMonitor: unexpected event %s", ev)
	}
	return nil
}

type startEventFunc func(context.Context, containermetadata.CommonKubernetesContainerMetadata, uint) error

func (m *K8sMonitor) startEvent(ctx context.Context, kmd containermetadata.CommonKubernetesContainerMetadata, retry uint) error {
	switch kmd.Kind() {
	case containermetadata.PodSandbox:
		zap.L().Debug("K8sMonitor: startEvent: PodSandbox", zap.String("sandboxID", kmd.ID()), zap.String("podName", kmd.PodName()), zap.String("podNamespace", kmd.PodNamespace()))
		// get pod
		pod, err := m.getPod(ctx, kmd.PodNamespace(), kmd.PodName())
		if err != nil {
			// fire off a retry for this, but simply return with the error
			go m.startEventRetry(kmd, retry+1)
			return err
		}
		// this should never happen, but if it does, simply return
		if pod.Spec.HostNetwork {
			return nil
		}
		if err := m.podCache.Set(kmd.ID(), pod); err != nil {
			return err
		}

		// metadata exraction
		runtime, err := m.metadataExtractor(ctx, pod, kmd.NetNSPath())
		if err != nil {
			return err
		}
		if err := m.runtimeCache.Set(kmd.ID(), runtime); err != nil {
			return err
		}

		return m.handlers.Policy.HandlePUEvent(ctx, kmd.ID(), common.EventStart, runtime)

	case containermetadata.PodContainer:
		zap.L().Debug("K8sMonitor: startEvent: PodContainer", zap.String("id", kmd.ID()), zap.String("sandboxID", kmd.PodSandboxID()), zap.String("podName", kmd.PodName()), zap.String("podNamespace", kmd.PodNamespace()))
		// as we don't handle host network containers, this is a noop
		return nil
	default:
		return fmt.Errorf("K8sMonitor: unexpected container kind for start event: %s", kmd.Kind())
	}
}

type destroyEventFunc func(context.Context, containermetadata.CommonKubernetesContainerMetadata) error

func (m *K8sMonitor) destroyEvent(ctx context.Context, kmd containermetadata.CommonKubernetesContainerMetadata) error {
	switch kmd.Kind() {
	case containermetadata.PodSandbox:
		zap.L().Debug("K8sMonitor: destroyEvent: PodSandbox", zap.String("sandboxID", kmd.ID()))
		runtime := m.runtimeCache.Get(kmd.ID())
		if runtime == nil {
			// destroy event was sent previously, not a problem, just return
			zap.L().Debug("K8sMonitor: destroyEvent: sandbox not in runtime cache")
			return nil
		}

		// simply delete it from the caches and send a destroy event
		// even if that fails in the policy engine, there is nothing we can do about it
		m.runtimeCache.Delete(kmd.ID())
		m.podCache.Delete(kmd.ID())
		return m.handlers.Policy.HandlePUEvent(ctx, kmd.ID(), common.EventDestroy, runtime)

	case containermetadata.PodContainer:
		// if this is a container event that belongs to an existing sandbox
		// we can simply return, we don't need to do anything
		return nil

	default:
		return fmt.Errorf("K8sMonitor: unexpected container kind for destroy event: %s", kmd.Kind())
	}
}

type stopEventFunc func(context.Context, string) error

func (m *K8sMonitor) stopEvent(ctx context.Context, sandboxID string) error {
	zap.L().Debug("K8sMonitor: stopEvent", zap.String("sandboxID", sandboxID))
	runtime := m.runtimeCache.Get(sandboxID)
	if runtime == nil {
		// destroy event had been sent already, not a problem, simply return
		zap.L().Debug("K8sMonitor: stopEvent: sandbox not in runtime cache")
		return nil
	}

	return m.handlers.Policy.HandlePUEvent(ctx, sandboxID, common.EventStop, runtime)
}

type updateEventFunc func(context.Context, string) error

func (m *K8sMonitor) updateEvent(ctx context.Context, sandboxID string) error {
	zap.L().Debug("K8sMonitor: updateEvent", zap.String("sandboxID", sandboxID))
	runtime := m.runtimeCache.Get(sandboxID)
	if runtime == nil {
		// destroy event had been sent already, not a problem, simply return
		zap.L().Debug("K8sMonitor: updateEvent: sandbox not in runtime cache")
		return nil
	}

	pod := m.podCache.Get(sandboxID)
	if pod == nil {
		// destroy event had been sent already, not a problem, simply return
		zap.L().Debug("K8sMonitor: updateEvent: pod not in pod cache")
		return nil
	}

	// run metadata extraction again
	// don't forget to update the runtime cache
	runtime, err := m.metadataExtractor(ctx, pod, runtime.NSPath())
	if err != nil {
		return err
	}
	if err := m.runtimeCache.Set(sandboxID, runtime); err != nil {
		return err
	}

	// send an update event
	return m.handlers.Policy.HandlePUEvent(ctx, sandboxID, common.EventUpdate, runtime)
}

// getPod tries to get the pod from the internal informer cache first, and falls back to the Kubernetes API if that fails
// the cache is being kept up-to-date by Kubernetes internals, we don't need to care about this
// NOTE: do not confuse the informer cache with the podCache from this package!
func (m *K8sMonitor) getPod(ctx context.Context, namespace, name string) (*corev1.Pod, error) {
	pod, err := m.podLister.Pods(namespace).Get(name)
	if err != nil {
		zap.L().Debug("K8sMonitor: getPod: failed to get pod from cache. Using Kubernetes API directly now instead...", zap.String("name", name), zap.String("namespace", namespace), zap.Error(err))
		return m.kubeClient.CoreV1().Pods(namespace).Get(ctx, name, metav1.GetOptions{})
	}
	return pod, nil
}


================================================
FILE: monitor/internal/k8s/event_handler_test.go
================================================
package k8smonitor

import (
	"context"
	"fmt"
	"testing"

	"github.com/golang/mock/gomock"
	"go.aporeto.io/enforcerd/internal/extractors/containermetadata"
	"go.aporeto.io/enforcerd/internal/extractors/containermetadata/mockcontainermetadata"
	"go.aporeto.io/enforcerd/trireme-lib/common"
	"go.aporeto.io/enforcerd/trireme-lib/monitor/extractors"
	policy "go.aporeto.io/enforcerd/trireme-lib/policy"
	corev1 "k8s.io/api/core/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	kubernetes "k8s.io/client-go/kubernetes"
	"k8s.io/client-go/kubernetes/fake"
)

func TestK8sMonitor_updateEvent(t *testing.T) {
	type args struct {
		ctx       context.Context
		sandboxID string
	}
	tests := []struct {
		name              string
		args              args
		wantErr           bool
		metadataExtractor extractors.PodMetadataExtractor
		prepare           func(t *testing.T, mocks *unitTestMonitorMocks)
	}{
		{
			name: "runtime not found for sandbox ID",
			args: args{
				ctx:       context.Background(),
				sandboxID: "not found",
			},
			wantErr: false,
			prepare: func(t *testing.T, mocks *unitTestMonitorMocks) {
				mocks.runtimeCache.EXPECT().Get(gomock.Eq("not found")).Return(nil).Times(1)
			},
		},
		{
			name: "runtime found, but pod not found for sandbox ID",
			args: args{
				ctx:       context.Background(),
				sandboxID: "not found",
			},
			wantErr: false,
			prepare: func(t *testing.T, mocks *unitTestMonitorMocks) {
				mocks.runtimeCache.EXPECT().Get(gomock.Eq("not found")).Return(policy.NewPURuntimeWithDefaults()).Times(1)
				mocks.podCache.EXPECT().Get(gomock.Eq("not found")).Return(nil).Times(1)
			},
		},
		{
			name: "runtime and pod found, but metadata extraction fails",
			args: args{
				ctx:       context.Background(),
				sandboxID: "sandboxID",
			},
			wantErr: true,
			metadataExtractor: func(context.Context, *corev1.Pod, string) (*policy.PURuntime, error) {
				return nil, fmt.Errorf("error")
			},
			prepare: func(t *testing.T, mocks *unitTestMonitorMocks) {
				mocks.runtimeCache.EXPECT().Get(gomock.Eq("sandboxID")).Return(policy.NewPURuntimeWithDefaults()).Times(1)
				mocks.podCache.EXPECT().Get(gomock.Eq("sandboxID")).Return(&corev1.Pod{}).Times(1)
			},
		},
		{
			name: "runtime and pod found, metadata extraction succeeded, but internal update failed",
			args: args{
				ctx:       context.Background(),
				sandboxID: "sandboxID",
			},
			wantErr: true,
			metadataExtractor: func(context.Context, *corev1.Pod, string) (*policy.PURuntime, error) {
				return policy.NewPURuntimeWithDefaults(), nil
			},
			prepare: func(t *testing.T, mocks *unitTestMonitorMocks) {
				mocks.runtimeCache.EXPECT().Get(gomock.Eq("sandboxID")).Return(policy.NewPURuntimeWithDefaults()).Times(1)
				mocks.podCache.EXPECT().Get(gomock.Eq("sandboxID")).Return(&corev1.Pod{}).Times(1)
				mocks.runtimeCache.EXPECT().Set(gomock.Eq("sandboxID"), gomock.Eq(policy.NewPURuntimeWithDefaults())).Return(fmt.Errorf("error")).Times(1)
			},
		},
		{
			name: "update event fails in policy engine",
			args: args{
				ctx:       context.Background(),
				sandboxID: "sandboxID",
			},
			wantErr: true,
			metadataExtractor: func(context.Context, *corev1.Pod, string) (*policy.PURuntime, error) {
				return policy.NewPURuntimeWithDefaults(), nil
			},
			prepare: func(t *testing.T, mocks *unitTestMonitorMocks) {
				mocks.runtimeCache.EXPECT().Get(gomock.Eq("sandboxID")).Return(policy.NewPURuntimeWithDefaults()).Times(1)
				mocks.podCache.EXPECT().Get(gomock.Eq("sandboxID")).Return(&corev1.Pod{}).Times(1)
				mocks.runtimeCache.EXPECT().Set(gomock.Eq("sandboxID"), gomock.Eq(policy.NewPURuntimeWithDefaults())).Return(nil).Times(1)
				mocks.policy.EXPECT().HandlePUEvent(
					gomock.Any(),
					gomock.Eq("sandboxID"),
					gomock.Eq(common.EventUpdate),
					gomock.Eq(policy.NewPURuntimeWithDefaults()),
				).Return(fmt.Errorf("error")).Times(1)
			},
		},
		{
			name: "update event succeeds",
			args: args{
				ctx:       context.Background(),
				sandboxID: "sandboxID",
			},
			wantErr: false,
			metadataExtractor: func(context.Context, *corev1.Pod, string) (*policy.PURuntime, error) {
				return policy.NewPURuntimeWithDefaults(), nil
			},
			prepare: func(t *testing.T, mocks *unitTestMonitorMocks) {
				mocks.runtimeCache.EXPECT().Get(gomock.Eq("sandboxID")).Return(policy.NewPURuntimeWithDefaults()).Times(1)
				mocks.podCache.EXPECT().Get(gomock.Eq("sandboxID")).Return(&corev1.Pod{}).Times(1)
				mocks.runtimeCache.EXPECT().Set(gomock.Eq("sandboxID"), gomock.Eq(policy.NewPURuntimeWithDefaults())).Return(nil).Times(1)
				mocks.policy.EXPECT().HandlePUEvent(
					gomock.Any(),
					gomock.Eq("sandboxID"),
					gomock.Eq(common.EventUpdate),
					gomock.Eq(policy.NewPURuntimeWithDefaults()),
				).Return(nil).Times(1)
			},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			ctrl := gomock.NewController(t)
			m, mocks := newUnitTestMonitor(ctrl)
			m.metadataExtractor = tt.metadataExtractor
			tt.prepare(t, mocks)
			if err := m.updateEvent(tt.args.ctx, tt.args.sandboxID); (err != nil) != tt.wantErr {
				t.Errorf("K8sMonitor.updateEvent() error = %v, wantErr %v", err, tt.wantErr)
			}
			ctrl.Finish()
		})
	}
}

func TestK8sMonitor_stopEvent(t *testing.T) {
	type args struct {
		ctx       context.Context
		sandboxID string
	}
	tests := []struct {
		name    string
		args    args
		wantErr bool
		prepare func(t *testing.T, mocks *unitTestMonitorMocks)
	}{
		{
			name: "runtime not found for sandbox ID",
			args: args{
				ctx:       context.Background(),
				sandboxID: "not found",
			},
			wantErr: false,
			prepare: func(t *testing.T, mocks *unitTestMonitorMocks) {
				mocks.runtimeCache.EXPECT().Get(gomock.Eq("not found")).Return(nil).Times(1)
			},
		},
		{
			name: "stop event failed in policy engine",
			args: args{
				ctx:       context.Background(),
				sandboxID: "sandboxID",
			},
			wantErr: true,
			prepare: func(t *testing.T, mocks *unitTestMonitorMocks) {
				mocks.runtimeCache.EXPECT().Get(gomock.Eq("sandboxID")).Return(policy.NewPURuntimeWithDefaults()).Times(1)
				mocks.policy.EXPECT().HandlePUEvent(
					gomock.Any(),
					gomock.Eq("sandboxID"),
					gomock.Eq(common.EventStop),
					gomock.Eq(policy.NewPURuntimeWithDefaults()),
				).Return(fmt.Errorf("error")).Times(1)
			},
		},
		{
			name: "stop event succeeds",
			args: args{
				ctx:       context.Background(),
				sandboxID: "sandboxID",
			},
			wantErr: false,
			prepare: func(t *testing.T, mocks *unitTestMonitorMocks) {
				mocks.runtimeCache.EXPECT().Get(gomock.Eq("sandboxID")).Return(policy.NewPURuntimeWithDefaults()).Times(1)
				mocks.policy.EXPECT().HandlePUEvent(
					gomock.Any(),
					gomock.Eq("sandboxID"),
					gomock.Eq(common.EventStop),
					gomock.Eq(policy.NewPURuntimeWithDefaults()),
				).Return(nil).Times(1)
			},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			ctrl := gomock.NewController(t)
			m, mocks := newUnitTestMonitor(ctrl)
			tt.prepare(t, mocks)
			if err := m.stopEvent(tt.args.ctx, tt.args.sandboxID); (err != nil) != tt.wantErr {
				t.Errorf("K8sMonitor.stopEvent() error = %v, wantErr %v", err, tt.wantErr)
			}
			ctrl.Finish()
		})
	}
}

func TestK8sMonitor_destroyEvent(t *testing.T) {
	tests := []struct {
		name    string
		wantErr bool
		prepare func(t *testing.T, mocks *unitTestMonitorMocks, kmd *mockcontainermetadata.MockCommonKubernetesContainerMetadata)
	}{
		{
			name:    "unexpected container kind",
			wantErr: true,
			prepare: func(t *testing.T, mocks *unitTestMonitorMocks, kmd *mockcontainermetadata.MockCommonKubernetesContainerMetadata) {
				kmd.EXPECT().Kind().Return(containermetadata.Container).Times(2)
			},
		},
		{
			name:    "nothing happens for a PodContainer",
			wantErr: false,
			prepare: func(t *testing.T, mocks *unitTestMonitorMocks, kmd *mockcontainermetadata.MockCommonKubernetesContainerMetadata) {
				kmd.EXPECT().Kind().Return(containermetadata.PodContainer).Times(1)
			},
		},
		{
			name:    "PodSandbox not found in cache",
			wantErr: false,
			prepare: func(t *testing.T, mocks *unitTestMonitorMocks, kmd *mockcontainermetadata.MockCommonKubernetesContainerMetadata) {
				kmd.EXPECT().Kind().Return(containermetadata.PodSandbox).Times(1)
				kmd.EXPECT().ID().Return("sandboxID").Times(2)
				mocks.runtimeCache.EXPECT().Get(gomock.Eq("sandboxID")).Return(nil).Times(1)
			},
		},
		{
			name:    "destroy event failed in policy engine",
			wantErr: true,
			prepare: func(t *testing.T, mocks *unitTestMonitorMocks, kmd *mockcontainermetadata.MockCommonKubernetesContainerMetadata) {
				kmd.EXPECT().Kind().Return(containermetadata.PodSandbox).Times(1)
				kmd.EXPECT().ID().Return("sandboxID").Times(5)
				mocks.runtimeCache.EXPECT().Get(gomock.Eq("sandboxID")).Return(policy.NewPURuntimeWithDefaults()).Times(1)
				mocks.runtimeCache.EXPECT().Delete(gomock.Eq("sandboxID")).Times(1)
				mocks.podCache.EXPECT().Delete(gomock.Eq("sandboxID")).Times(1)
				mocks.policy.EXPECT().HandlePUEvent(
					gomock.Any(),
					gomock.Eq("sandboxID"),
					gomock.Eq(common.EventDestroy),
					gomock.Eq(policy.NewPURuntimeWithDefaults()),
				).Return(fmt.Errorf("error")).Times(1)
			},
		},
		{
			name:    "destroy event succeeds",
			wantErr: false,
			prepare: func(t *testing.T, mocks *unitTestMonitorMocks, kmd *mockcontainermetadata.MockCommonKubernetesContainerMetadata) {
				kmd.EXPECT().Kind().Return(containermetadata.PodSandbox).Times(1)
				kmd.EXPECT().ID().Return("sandboxID").Times(5)
				mocks.runtimeCache.EXPECT().Get(gomock.Eq("sandboxID")).Return(policy.NewPURuntimeWithDefaults()).Times(1)
				mocks.runtimeCache.EXPECT().Delete(gomock.Eq("sandboxID")).Times(1)
				mocks.podCache.EXPECT().Delete(gomock.Eq("sandboxID")).Times(1)
				mocks.policy.EXPECT().HandlePUEvent(
					gomock.Any(),
					gomock.Eq("sandboxID"),
					gomock.Eq(common.EventDestroy),
					gomock.Eq(policy.NewPURuntimeWithDefaults()),
				).Return(nil).Times(1)
			},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			ctrl := gomock.NewController(t)
			m, mocks := newUnitTestMonitor(ctrl)
			kmd := mockcontainermetadata.NewMockCommonKubernetesContainerMetadata(ctrl)
			tt.prepare(t, mocks, kmd)
			if err := m.destroyEvent(context.Background(), kmd); (err != nil) != tt.wantErr {
				t.Errorf("K8sMonitor.destroyEvent() error = %v, wantErr %v", err, tt.wantErr)
			}
			ctrl.Finish()
		})
	}
}

func TestK8sMonitor_startEvent(t *testing.T) {
	podTemplate1 := &corev1.Pod{
		ObjectMeta: metav1.ObjectMeta{
			Name:      "my-pod",
			Namespace: "default",
		},
		Spec: corev1.PodSpec{
			NodeName: "test",
		},
	}
	podTemplate2 := &corev1.Pod{
		ObjectMeta: metav1.ObjectMeta{
			Name:      "my-host-network-pod",
			Namespace: "default",
		},
		Spec: corev1.PodSpec{
			HostNetwork: true,
			NodeName:    "test",
		},
	}
	c := fake.NewSimpleClientset(
		podTemplate1.DeepCopy(),
		podTemplate2.DeepCopy(),
	)

	tests := []struct {
		name              string
		wantErr           bool
		metadataExtractor extractors.PodMetadataExtractor
		kubeClient        kubernetes.Interface
		prepare           func(t *testing.T, mocks *unitTestMonitorMocks, kmd *mockcontainermetadata.MockCommonKubernetesContainerMetadata)
	}{
		{
			name:    "unexpected container kind",
			wantErr: true,
			prepare: func(t *testing.T, mocks *unitTestMonitorMocks, kmd *mockcontainermetadata.MockCommonKubernetesContainerMetadata) {
				kmd.EXPECT().Kind().Return(containermetadata.Container).Times(2)
			},
		},
		{
			name:    "PodContainer: is simply being ignored",
			wantErr: false,
			prepare: func(t *testing.T, mocks *unitTestMonitorMocks, kmd *mockcontainermetadata.MockCommonKubernetesContainerMetadata) {
				kmd.EXPECT().Kind().Return(containermetadata.PodContainer).Times(1)
				kmd.EXPECT().ID().Return("containerID").Times(1)
				kmd.EXPECT().PodSandboxID().Return("sandboxID").Times(1)
				kmd.EXPECT().PodName().Return("my-pod").Times(1)
				kmd.EXPECT().PodNamespace().Return("default").Times(1)
			},
		},
		{
			name:       "PodSandbox: failed to get pod from API",
			wantErr:    true,
			kubeClient: c,
			prepare: func(t *testing.T, mocks *unitTestMonitorMocks, kmd *mockcontainermetadata.MockCommonKubernetesContainerMetadata) {
				kmd.EXPECT().Kind().Return(containermetadata.PodSandbox).Times(1)
				kmd.EXPECT().ID().Return("sandboxID").Times(1)
				kmd.EXPECT().PodName().Return("not-found").Times(2)
				kmd.EXPECT().PodNamespace().Return("default").Times(2)
			},
		},
		{
			name:       "PodSandbox: got pod from API, but failed to update cache",
			wantErr:    true,
			kubeClient: c,
			prepare: func(t *testing.T, mocks *unitTestMonitorMocks, kmd *mockcontainermetadata.MockCommonKubernetesContainerMetadata) {
				kmd.EXPECT().Kind().Return(containermetadata.PodSandbox).Times(1)
				kmd.EXPECT().ID().Return("sandboxID").Times(2)
				kmd.EXPECT().PodName().Return("my-pod").Times(2)
				kmd.EXPECT().PodNamespace().Return("default").Times(2)
				mocks.podCache.EXPECT().Set(gomock.Eq("sandboxID"), gomock.Eq(podTemplate1.DeepCopy())).Return(fmt.Errorf("error")).Times(1)
			},
		},
		{
			name:       "PodSandbox: metadata extraction fails",
			wantErr:    true,
			kubeClient: c,
			metadataExtractor: func(context.Context, *corev1.Pod, string) (*policy.PURuntime, error) {
				return nil, fmt.Errorf("error")
			},
			prepare: func(t *testing.T, mocks *unitTestMonitorMocks, kmd *mockcontainermetadata.MockCommonKubernetesContainerMetadata) {
				kmd.EXPECT().Kind().Return(containermetadata.PodSandbox).Times(1)
				kmd.EXPECT().ID().Return("sandboxID").Times(2)
				kmd.EXPECT().PodName().Return("my-pod").Times(2)
				kmd.EXPECT().PodNamespace().Return("default").Times(2)
				kmd.EXPECT().NetNSPath().Return("/var/run/netns/container1")
				mocks.podCache.EXPECT().Set(gomock.Eq("sandboxID"), gomock.Eq(podTemplate1.DeepCopy())).Return(nil).Times(1)
			},
		},
		{
			name:       "PodSandbox: metadata extraction succeeds, but updating cache fails",
			wantErr:    true,
			kubeClient: c,
			metadataExtractor: func(context.Context, *corev1.Pod, string) (*policy.PURuntime, error) {
				return policy.NewPURuntimeWithDefaults(), nil
			},
			prepare: func(t *testing.T, mocks *unitTestMonitorMocks, kmd *mockcontainermetadata.MockCommonKubernetesContainerMetadata) {
				kmd.EXPECT().Kind().Return(containermetadata.PodSandbox).Times(1)
				kmd.EXPECT().ID().Return("sandboxID").Times(3)
				kmd.EXPECT().PodName().Return("my-pod").Times(2)
				kmd.EXPECT().PodNamespace().Return("default").Times(2)
				kmd.EXPECT().NetNSPath().Return("/var/run/netns/container1")
				mocks.podCache.EXPECT().Set(gomock.Eq("sandboxID"), gomock.Eq(podTemplate1.DeepCopy())).Return(nil).Times(1)
				mocks.runtimeCache.EXPECT().Set(gomock.Eq("sandboxID"), gomock.Eq(policy.NewPURuntimeWithDefaults())).Return(fmt.Errorf("error")).Times(1)
			},
		},
		{
			name:       "PodSandbox: HostNetwork pods are being ignored",
			wantErr:    false,
			kubeClient: c,
			metadataExtractor: func(context.Context, *corev1.Pod, string) (*policy.PURuntime, error) {
				return nil, fmt.Errorf("we should not get here")
			},
			prepare: func(t *testing.T, mocks *unitTestMonitorMocks, kmd *mockcontainermetadata.MockCommonKubernetesContainerMetadata) {
				kmd.EXPECT().Kind().Return(containermetadata.PodSandbox).Times(1)
				kmd.EXPECT().ID().Return("sandboxID").Times(1)
				kmd.EXPECT().PodName().Return("my-host-network-pod").Times(2)
				kmd.EXPECT().PodNamespace().Return("default").Times(2)
				//mocks.podCache.EXPECT().Set(gomock.Eq("sandboxID"), gomock.Eq(podTemplate2.DeepCopy())).Return(nil).Times(1)
			},
		},
		{
			name:       "PodSandbox: start event fails in policy engine",
			wantErr:    true,
			kubeClient: c,
			metadataExtractor: func(context.Context, *corev1.Pod, string) (*policy.PURuntime, error) {
				return policy.NewPURuntimeWithDefaults(), nil
			},
			prepare: func(t *testing.T, mocks *unitTestMonitorMocks, kmd *mockcontainermetadata.MockCommonKubernetesContainerMetadata) {
				kmd.EXPECT().Kind().Return(containermetadata.PodSandbox).Times(1)
				kmd.EXPECT().ID().Return("sandboxID").Times(4)
				kmd.EXPECT().PodName().Return("my-pod").Times(2)
				kmd.EXPECT().PodNamespace().Return("default").Times(2)
				kmd.EXPECT().NetNSPath().Return("/var/run/netns/container1")
				mocks.podCache.EXPECT().Set(gomock.Eq("sandboxID"), gomock.Eq(podTemplate1.DeepCopy())).Return(nil).Times(1)
				mocks.runtimeCache.EXPECT().Set(gomock.Eq("sandboxID"), gomock.Eq(policy.NewPURuntimeWithDefaults())).Return(nil).Times(1)
				mocks.policy.EXPECT().HandlePUEvent(
					gomock.Any(),
					gomock.Eq("sandboxID"),
					gomock.Eq(common.EventStart),
					gomock.Eq(policy.NewPURuntimeWithDefaults()),
				).Return(fmt.Errorf("error")).Times(1)
			},
		},
		{
			name:       "PodSandbox: start event succeeds",
			wantErr:    false,
			kubeClient: c,
			metadataExtractor: func(context.Context, *corev1.Pod, string) (*policy.PURuntime, error) {
				return policy.NewPURuntimeWithDefaults(), nil
			},
			prepare: func(t *testing.T, mocks *unitTestMonitorMocks, kmd *mockcontainermetadata.MockCommonKubernetesContainerMetadata) {
				kmd.EXPECT().Kind().Return(containermetadata.PodSandbox).Times(1)
				kmd.EXPECT().ID().Return("sandboxID").Times(4)
				kmd.EXPECT().PodName().Return("my-pod").Times(2)
				kmd.EXPECT().PodNamespace().Return("default").Times(2)
				kmd.EXPECT().NetNSPath().Return("/var/run/netns/container1")
				mocks.podCache.EXPECT().Set(gomock.Eq("sandboxID"), gomock.Eq(podTemplate1.DeepCopy())).Return(nil).Times(1)
				mocks.runtimeCache.EXPECT().Set(gomock.Eq("sandboxID"), gomock.Eq(policy.NewPURuntimeWithDefaults())).Return(nil).Times(1)
				mocks.policy.EXPECT().HandlePUEvent(
					gomock.Any(),
					gomock.Eq("sandboxID"),
					gomock.Eq(common.EventStart),
					gomock.Eq(policy.NewPURuntimeWithDefaults()),
				).Return(nil).Times(1)
			},
		},
	}
	for _, tt := range tests {
		ctx, cancel := context.WithCancel(context.Background())
		ctrl := gomock.NewController(t)
		m, mocks := newUnitTestMonitor(ctrl)
		m.metadataExtractor = tt.metadataExtractor
		kmd := mockcontainermetadata.NewMockCommonKubernetesContainerMetadata(ctrl)
		m.kubeClient = tt.kubeClient
		if m.kubeClient != nil {
			m.podLister = setupInformerForUnitTests(ctx, m.kubeClient, m.nodename)
		}
		tt.prepare(t, mocks, kmd)
		t.Run(tt.name, func(t *testing.T) {
			if err := m.startEvent(ctx, kmd, 0); (err != nil) != tt.wantErr {
				t.Errorf("K8sMonitor.startEvent() error = %v, wantErr %v", err, tt.wantErr)
			}
		})
		ctrl.Finish()
		cancel()
	}
}

func TestK8sMonitor_Event(t *testing.T) {
	podTemplate1 := &corev1.Pod{
		ObjectMeta: metav1.ObjectMeta{
			Name:      "my-pod",
			Namespace: "default",
		},
		Spec: corev1.PodSpec{
			NodeName: "test",
		},
	}
	podTemplate2 := &corev1.Pod{
		ObjectMeta: metav1.ObjectMeta{
			Name:      "my-host-network-pod",
			Namespace: "default",
		},
		Spec: corev1.PodSpec{
			HostNetwork: true,
			NodeName:    "test",
		},
	}
	c := fake.NewSimpleClientset(
		podTemplate1.DeepCopy(),
		podTemplate2.DeepCopy(),
	)

	type args struct {
		ctx  context.Context
		ev   common.Event
		data interface{}
	}
	tests := []struct {
		name              string
		args              args
		metadataExtractor extractors.PodMetadataExtractor
		kubeClient        kubernetes.Interface
		prepare           func(t *testing.T, mocks *unitTestMonitorMocks, kmd *mockcontainermetadata.MockCommonKubernetesContainerMetadata)
		wantErr           bool
	}{
		{
			name: "unexpected event",
			args: args{
				ctx: context.Background(),
				ev:  common.EventPause,
			},
			prepare: func(t *testing.T, mocks *unitTestMonitorMocks, kmd *mockcontainermetadata.MockCommonKubernetesContainerMetadata) {
			},
			wantErr: true,
		},
		{
			name: "unexpected event data",
			args: args{
				ctx:  context.Background(),
				ev:   common.EventPause,
				data: "wrong type",
			},
			prepare: func(t *testing.T, mocks *unitTestMonitorMocks, kmd *mockcontainermetadata.MockCommonKubernetesContainerMetadata) {
			},
			wantErr: true,
		},
		{
			name: "failing start event",
			args: args{
				ctx: context.Background(),
				ev:  common.EventStart,
			},
			prepare: func(t *testing.T, mocks *unitTestMonitorMocks, kmd *mockcontainermetadata.MockCommonKubernetesContainerMetadata) {
				kmd.EXPECT().Kind().Return(containermetadata.Container).Times(2)
			},
			wantErr: true,
		},
		{
			name:       "successful start event for sandbox for pod",
			kubeClient: c,
			metadataExtractor: func(context.Context, *corev1.Pod, string) (*policy.PURuntime, error) {
				return policy.NewPURuntimeWithDefaults(), nil
			},
			args: args{
				ctx: context.Background(),
				ev:  common.EventStart,
			},
			prepare: func(t *testing.T, mocks *unitTestMonitorMocks, kmd *mockcontainermetadata.MockCommonKubernetesContainerMetadata) {
				kmd.EXPECT().Kind().Return(containermetadata.PodSandbox).Times(1)
				kmd.EXPECT().ID().Return("sandboxID").Times(4)
				kmd.EXPECT().PodName().Return("my-pod").Times(2)
				kmd.EXPECT().PodNamespace().Return("default").Times(2)
				kmd.EXPECT().NetNSPath().Return("/var/run/netns/container1")
				mocks.podCache.EXPECT().Set(gomock.Eq("sandboxID"), gomock.Eq(podTemplate1.DeepCopy())).Return(nil).Times(1)
				mocks.runtimeCache.EXPECT().Set(gomock.Eq("sandboxID"), gomock.Eq(policy.NewPURuntimeWithDefaults())).Return(nil).Times(1)
				mocks.policy.EXPECT().HandlePUEvent(
					gomock.Any(),
					gomock.Eq("sandboxID"),
					gomock.Eq(common.EventStart),
					gomock.Eq(policy.NewPURuntimeWithDefaults()),
				).Return(nil).Times(1)
			},
		},
		{
			name: "failing destroy event",
			args: args{
				ctx: context.Background(),
				ev:  common.EventDestroy,
			},
			prepare: func(t *testing.T, mocks *unitTestMonitorMocks, kmd *mockcontainermetadata.MockCommonKubernetesContainerMetadata) {
				kmd.EXPECT().Kind().Return(containermetadata.Container).Times(2)
			},
			wantErr: true,
		},
		{
			name:    "successful destroy event for sandbox for pod",
			wantErr: false,
			args: args{
				ctx: context.Background(),
				ev:  common.EventDestroy,
			},
			prepare: func(t *testing.T, mocks *unitTestMonitorMocks, kmd *mockcontainermetadata.MockCommonKubernetesContainerMetadata) {
				kmd.EXPECT().Kind().Return(containermetadata.PodSandbox).Times(1)
				kmd.EXPECT().ID().Return("sandboxID").Times(5)
				mocks.runtimeCache.EXPECT().Get(gomock.Eq("sandboxID")).Return(policy.NewPURuntimeWithDefaults()).Times(1)
				mocks.runtimeCache.EXPECT().Delete(gomock.Eq("sandboxID")).Times(1)
				mocks.podCache.EXPECT().Delete(gomock.Eq("sandboxID")).Times(1)
				mocks.policy.EXPECT().HandlePUEvent(
					gomock.Any(),
					gomock.Eq("sandboxID"),
					gomock.Eq(common.EventDestroy),
					gomock.Eq(policy.NewPURuntimeWithDefaults()),
				).Return(nil).Times(1)
			},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			ctx, cancel := context.WithCancel(tt.args.ctx)
			ctrl := gomock.NewController(t)
			m, mocks := newUnitTestMonitor(ctrl)
			m.metadataExtractor = tt.metadataExtractor
			kmd := mockcontainermetadata.NewMockCommonKubernetesContainerMetadata(ctrl)
			m.kubeClient = tt.kubeClient
			if m.kubeClient != nil {
				m.podLister = setupInformerForUnitTests(ctx, m.kubeClient, m.nodename)
			}
			tt.prepare(t, mocks, kmd)
			var data interface{}
			if tt.args.data != nil {
				data = tt.args.data
			} else {
				data = kmd
			}
			if err := m.Event(ctx, tt.args.ev, data); (err != nil) != tt.wantErr {
				t.Errorf("K8sMonitor.Event() error = %v, wantErr %v", err, tt.wantErr)
			}
			ctrl.Finish()
			cancel()
		})
	}
}


================================================
FILE: monitor/internal/k8s/event_retry_handler.go
================================================
package k8smonitor

import (
	"context"
	"time"

	"go.aporeto.io/enforcerd/internal/extractors/containermetadata"
	"go.uber.org/zap"
)

var (
	retryWaittimeUnit = time.Second
	retryTimeout      = time.Second * 30
)

type startEventRetryFunc func(containermetadata.CommonKubernetesContainerMetadata, uint)

func newStartEventRetryFunc(mainCtx context.Context, extractor containermetadata.CommonContainerMetadataExtractor, startEvent startEventFunc) startEventRetryFunc {
	return func(kmd containermetadata.CommonKubernetesContainerMetadata, retry uint) {
		// we only care about pod sandboxes for restarts
		// make sure that we stick to that
		if kmd.Kind() != containermetadata.PodSandbox {
			zap.L().Debug(
				"K8sMonitor: startEventRetry: this is not a pod sandbox. Aborting retry...",
				zap.Uint("retry", retry),
				zap.String("kind", kmd.Kind().String()),
				zap.String("id", kmd.ID()),
			)
			return
		}

		// wait before we retry
		waitTime := calculateWaitTime(retry)
		zap.L().Debug(
			"K8sMonitor: startEventRetry: waiting before retry...",
			zap.Uint("retry", retry),
			zap.Duration("waitTime", waitTime),
			zap.String("id", kmd.ID()),
		)
		select {
		case <-mainCtx.Done():
			// no point in continuing if the main context is done
			return
		case <-time.After(waitTime):
		}

		// check if the sandbox still exists, otherwise we can abort the retries
		if !extractor.Has(containermetadata.NewRuncArguments(containermetadata.StartAction, kmd.ID())) {
			zap.L().Debug(
				"K8sMonitor: startEventRetry: container for start event does not exist any longer. Aborting...",
				zap.Uint("retry", retry),
				zap.String("id", kmd.ID()),
			)
			return
		}

		// now create a new context and retry
		// the recursion occurs within the startEvent
		ctx, cancel := context.WithTimeout(mainCtx, retryTimeout)
		defer cancel()
		if err := startEvent(ctx, kmd, retry); err != nil {
			zap.L().Error(
				"K8sMonitor: startEventRetry: failed to process start event on retry",
				zap.Uint("retry", retry),
				zap.Error(err),
				zap.String("id", kmd.ID()),
				zap.String("podUID", kmd.PodUID()),
				zap.String("podName", kmd.PodName()),
				zap.String("podNamespace", kmd.PodNamespace()),
			)
		}
	}
}

// calculateWaitTime calculates a fibonacci style backoff wait time based on the number of retry
// It uses `retryWaittimeUnit` as the base unit for the wait time
func calculateWaitTime(retry uint) time.Duration {
	var n uint
	switch retry {
	case 0:
		n = 0
	case 1:
		n = 1
	case 2:
		n = 1
	case 3:
		n = 2
	case 4:
		n = 3
	case 5:
		n = 5
	case 6:
		n = 8
	case 7:
		n = 13
	case 8:
		n = 21
	case 9:
		n = 34
	default:
		n = 55
	}
	return retryWaittimeUnit * time.Duration(n)
}


================================================
FILE: monitor/internal/k8s/event_retry_handler_test.go
================================================
package k8smonitor

import (
	"context"
	"fmt"
	"testing"
	"time"

	"github.com/golang/mock/gomock"
	"go.aporeto.io/enforcerd/internal/extractors/containermetadata"
	"go.aporeto.io/enforcerd/internal/extractors/containermetadata/mockcontainermetadata"
)

func Test_calculateWaitTime(t *testing.T) {
	tests := []struct {
		name  string
		retry uint
		want  time.Duration
	}{
		{
			retry: 0,
			want:  0,
		},
		{
			retry: 1,
			want:  retryWaittimeUnit * time.Duration(1),
		},
		{
			retry: 2,
			want:  retryWaittimeUnit * time.Duration(1),
		},
		{
			retry: 3,
			want:  retryWaittimeUnit * time.Duration(2),
		},
		{
			retry: 4,
			want:  retryWaittimeUnit * time.Duration(3),
		},
		{
			retry: 5,
			want:  retryWaittimeUnit * time.Duration(5),
		},
		{
			retry: 6,
			want:  retryWaittimeUnit * time.Duration(8),
		},
		{
			retry: 7,
			want:  retryWaittimeUnit * time.Duration(13),
		},
		{
			retry: 8,
			want:  retryWaittimeUnit * time.Duration(21),
		},
		{
			retry: 9,
			want:  retryWaittimeUnit * time.Duration(34),
		},
		{
			retry: 10,
			want:  retryWaittimeUnit * time.Duration(55),
		},
		{
			retry: 1000000,
			want:  retryWaittimeUnit * time.Duration(55),
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			if got := calculateWaitTime(tt.retry); got != tt.want {
				t.Errorf("calculateWaitTime() = %v, want %v", got, tt.want)
			}
		})
	}
}

func Test_newStartEventRetryFunc(t *testing.T) {
	oldRetryWaittimeUnit := retryWaittimeUnit
	defer func() {
		retryWaittimeUnit = oldRetryWaittimeUnit
	}()
	retryWaittimeUnit = 0

	// used by the test which needs a cancelled context
	cancelledCtx, cancel := context.WithCancel(context.Background())
	cancel()

	tests := []struct {
		name               string
		mainCtx            context.Context
		startEventHandler  unitTestStartEvent
		retry              uint
		prepare            func(t *testing.T, extractor *mockcontainermetadata.MockCommonContainerMetadataExtractor, kmd *mockcontainermetadata.MockCommonKubernetesContainerMetadata)
		expectedStartEvent bool
	}{
		{
			name:              "not a pod sandbox",
			mainCtx:           context.Background(),
			startEventHandler: newUnitTestStartEventHandler(0, nil),
			prepare: func(t *testing.T, extractor *mockcontainermetadata.MockCommonContainerMetadataExtractor, kmd *mockcontainermetadata.MockCommonKubernetesContainerMetadata) {
				kmd.EXPECT().Kind().Return(containermetadata.PodContainer).Times(2)
				kmd.EXPECT().ID().Return("containerID").Times(1)
			},
		},
		{
			name:              "main context is already cancelled",
			mainCtx:           cancelledCtx,
			startEventHandler: newUnitTestStartEventHandler(0, nil),
			prepare: func(t *testing.T, extractor *mockcontainermetadata.MockCommonContainerMetadataExtractor, kmd *mockcontainermetadata.MockCommonKubernetesContainerMetadata) {
				kmd.EXPECT().Kind().Return(containermetadata.PodSandbox).Times(1)
				kmd.EXPECT().ID().Return("containerID").Times(1)
			},
		},
		{
			name:              "sandbox does not exist any longer",
			mainCtx:           context.Background(),
			startEventHandler: newUnitTestStartEventHandler(0, nil),
			prepare: func(t *testing.T, extractor *mockcontainermetadata.MockCommonContainerMetadataExtractor, kmd *mockcontainermetadata.MockCommonKubernetesContainerMetadata) {
				kmd.EXPECT().Kind().Return(containermetadata.PodSandbox).Times(1)
				kmd.EXPECT().ID().Return("containerID").Times(3)
				extractor.EXPECT().Has(gomock.Eq(containermetadata.NewRuncArguments(containermetadata.StartAction, "containerID"))).Return(false).Times(1)
			},
		},
		{
			name:              "retrying with success",
			mainCtx:           context.Background(),
			startEventHandler: newUnitTestStartEventHandler(1, nil),
			prepare: func(t *testing.T, extractor *mockcontainermetadata.MockCommonContainerMetadataExtractor, kmd *mockcontainermetadata.MockCommonKubernetesContainerMetadata) {
				kmd.EXPECT().Kind().Return(containermetadata.PodSandbox).Times(1)
				kmd.EXPECT().ID().Return("containerID").Times(2)
				extractor.EXPECT().Has(gomock.Eq(containermetadata.NewRuncArguments(containermetadata.StartAction, "containerID"))).Return(true).Times(1)
			},
			expectedStartEvent: true,
		},
		{
			name:              "retrying with error",
			mainCtx:           context.Background(),
			startEventHandler: newUnitTestStartEventHandler(1, fmt.Errorf("start event failed")),
			prepare: func(t *testing.T, extractor *mockcontainermetadata.MockCommonContainerMetadataExtractor, kmd *mockcontainermetadata.MockCommonKubernetesContainerMetadata) {
				kmd.EXPECT().Kind().Return(containermetadata.PodSandbox).Times(1)
				kmd.EXPECT().ID().Return("containerID").Times(3)
				kmd.EXPECT().PodName().Return("podName").Times(1)
				kmd.EXPECT().PodNamespace().Return("podNamespace").Times(1)
				kmd.EXPECT().PodUID().Return("podUID").Times(1)
				extractor.EXPECT().Has(gomock.Eq(containermetadata.NewRuncArguments(containermetadata.StartAction, "containerID"))).Return(true).Times(1)
			},
			expectedStartEvent: true,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			ctrl := gomock.NewController(t)
			extractor := mockcontainermetadata.NewMockCommonContainerMetadataExtractor(ctrl)
			kmd := mockcontainermetadata.NewMockCommonKubernetesContainerMetadata(ctrl)
			ctx, cancel := context.WithCancel(tt.mainCtx)
			startEventRetry := newStartEventRetryFunc(ctx, extractor, tt.startEventHandler.f())
			tt.prepare(t, extractor, kmd)
			startEventRetry(kmd, tt.retry)
			tt.startEventHandler.wait()
			if tt.expectedStartEvent != tt.startEventHandler.called() {
				t.Errorf("startEventHandler.called() = %v, want %v", tt.startEventHandler.called(), tt.expectedStartEvent)
			}
			cancel()
			ctrl.Finish()
		})
	}
}


================================================
FILE: monitor/internal/k8s/helpers_test.go
================================================
package k8smonitor

import (
	"context"
	"sync"
	"time"

	"github.com/golang/mock/gomock"

	"go.aporeto.io/enforcerd/internal/extractors/containermetadata"
	"go.aporeto.io/enforcerd/trireme-lib/monitor/config"
	"go.aporeto.io/enforcerd/trireme-lib/monitor/external"
	"go.aporeto.io/enforcerd/trireme-lib/monitor/external/mockexternal"
	"go.aporeto.io/enforcerd/trireme-lib/policy/mockpolicy"
	"go.aporeto.io/enforcerd/trireme-lib/utils/cri/mockcri"

	corev1 "k8s.io/api/core/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/apimachinery/pkg/fields"
	"k8s.io/client-go/informers"
	"k8s.io/client-go/kubernetes"
	listersv1 "k8s.io/client-go/listers/core/v1"
	"k8s.io/client-go/tools/cache"
)

type unitTestMonitorMocks struct {
	podCache            *MockpodCacheInterface
	runtimeCache        *MockruntimeCacheInterface
	policy              *mockpolicy.MockResolver
	externalEventSender *mockexternal.MockReceiverRegistration
	cri                 *mockcri.MockExtendedRuntimeService
}

func newUnitTestMonitor(ctrl *gomock.Controller) (*K8sMonitor, *unitTestMonitorMocks) {
	podCache := NewMockpodCacheInterface(ctrl)
	runtimeCache := NewMockruntimeCacheInterface(ctrl)
	policyResolver := mockpolicy.NewMockResolver(ctrl)
	externalEventSender := mockexternal.NewMockReceiverRegistration(ctrl)
	cri := mockcri.NewMockExtendedRuntimeService(ctrl)

	mocks := &unitTestMonitorMocks{
		podCache:            podCache,
		runtimeCache:        runtimeCache,
		policy:              policyResolver,
		externalEventSender: externalEventSender,
		cri:                 cri,
	}

	return &K8sMonitor{
		nodename:        "test",
		startEventRetry: func(containermetadata.CommonKubernetesContainerMetadata, uint) {},
		podCache:        podCache,
		runtimeCache:    runtimeCache,
		handlers: &config.ProcessorConfig{
			Policy:              policyResolver,
			ExternalEventSender: []external.ReceiverRegistration{externalEventSender},
			ResyncLock:          &sync.RWMutex{},
		},
		criRuntimeService:                cri,
		cniInstalledOrRuncProxyStartedCh: make(chan struct{}),
	}, mocks
}

func setupInformerForUnitTests(ctx context.Context, kubeClient kubernetes.Interface, nodeName string) listersv1.PodLister {
	// get the pod informer from the default factory
	// add a field selector to narrow down our results
	fieldSelector := fields.OneTermEqualSelector(nodeNameKeyIndex, nodeName).String()
	factory := informers.NewSharedInformerFactoryWithOptions(kubeClient, time.Hour*24, informers.WithTweakListOptions(func(opts *metav1.ListOptions) {
		opts.FieldSelector = fieldSelector
	}))
	informer := factory.Core().V1().Pods().Informer()

	// add an indexer so that our field selector by node name will work
	informer.AddIndexers(cache.Indexers{ // nolint: errcheck
		nodeNameKeyIndex: func(obj interface{}) ([]string, error) {
			// this is essentially exactly what the node lifecycel controller uses as well
			pod, ok := obj.(*corev1.Pod)
			if !ok {
				return []string{}, nil
			}
			if len(pod.Spec.NodeName) == 0 {
				return []string{}, nil
			}
			return []string{pod.Spec.NodeName}, nil
		},
	})

	// now start the informer
	go informer.Run(ctx.Done())

	// wait for the caches to sync before we return
	// if this fails, we can print a log, but this is not a
	if !cache.WaitForNamedCacheSync("pods", ctx.Done(), informer.HasSynced) {
		panic("K8sMonitor: setupInformer: waiting for caches timed out")
	}

	// return with a lister of the cache of this informer
	return listersv1.NewPodLister(informer.GetIndexer())
}


================================================
FILE: monitor/internal/k8s/mocks_pod_cache_test.go
================================================
// Code generated by MockGen. DO NOT EDIT.
// Source: trireme-lib/monitor/internal/k8s/pod_cache.go

// Package k8smonitor is a generated GoMock package.
package k8smonitor

import (
	context "context"
	gomock "github.com/golang/mock/gomock"
	v1 "k8s.io/api/core/v1"
	kubernetes "k8s.io/client-go/kubernetes"
	v10 "k8s.io/client-go/listers/core/v1"
	reflect "reflect"
)

// MockpodCacheInterface is a mock of podCacheInterface interface
type MockpodCacheInterface struct {
	ctrl     *gomock.Controller
	recorder *MockpodCacheInterfaceMockRecorder
}

// MockpodCacheInterfaceMockRecorder is the mock recorder for MockpodCacheInterface
type MockpodCacheInterfaceMockRecorder struct {
	mock *MockpodCacheInterface
}

// NewMockpodCacheInterface creates a new mock instance
func NewMockpodCacheInterface(ctrl *gomock.Controller) *MockpodCacheInterface {
	mock := &MockpodCacheInterface{ctrl: ctrl}
	mock.recorder = &MockpodCacheInterfaceMockRecorder{mock}
	return mock
}

// EXPECT returns an object that allows the caller to indicate expected use
func (m *MockpodCacheInterface) EXPECT() *MockpodCacheInterfaceMockRecorder {
	return m.recorder
}

// Delete mocks base method
func (m *MockpodCacheInterface) Delete(sandboxID string) {
	m.ctrl.T.Helper()
	m.ctrl.Call(m, "Delete", sandboxID)
}

// Delete indicates an expected call of Delete
func (mr *MockpodCacheInterfaceMockRecorder) Delete(sandboxID interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Delete", reflect.TypeOf((*MockpodCacheInterface)(nil).Delete), sandboxID)
}

// Get mocks base method
func (m *MockpodCacheInterface) Get(sandboxID string) *v1.Pod {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "Get", sandboxID)
	ret0, _ := ret[0].(*v1.Pod)
	return ret0
}

// Get indicates an expected call of Get
func (mr *MockpodCacheInterfaceMockRecorder) Get(sandboxID interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Get", reflect.TypeOf((*MockpodCacheInterface)(nil).Get), sandboxID)
}

// Set mocks base method
func (m *MockpodCacheInterface) Set(sandboxID string, pod *v1.Pod) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "Set", sandboxID, pod)
	ret0, _ := ret[0].(error)
	return ret0
}

// Set indicates an expected call of Set
func (mr *MockpodCacheInterfaceMockRecorder) Set(sandboxID, pod interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Set", reflect.TypeOf((*MockpodCacheInterface)(nil).Set), sandboxID, pod)
}

// FindSandboxID mocks base method
func (m *MockpodCacheInterface) FindSandboxID(name, namespace string) (string, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "FindSandboxID", name, namespace)
	ret0, _ := ret[0].(string)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// FindSandboxID indicates an expected call of FindSandboxID
func (mr *MockpodCacheInterfaceMockRecorder) FindSandboxID(name, namespace interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "FindSandboxID", reflect.TypeOf((*MockpodCacheInterface)(nil).FindSandboxID), name, namespace)
}

// SetupInformer mocks base method
func (m *MockpodCacheInterface) SetupInformer(ctx context.Context, kubeClient kubernetes.Interface, nodeName string, needsUpdate needsUpdateFunc) v10.PodLister {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "SetupInformer", ctx, kubeClient, nodeName, needsUpdate)
	ret0, _ := ret[0].(v10.PodLister)
	return ret0
}

// SetupInformer indicates an expected call of SetupInformer
func (mr *MockpodCacheInterfaceMockRecorder) SetupInformer(ctx, kubeClient, nodeName, needsUpdate interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetupInformer", reflect.TypeOf((*MockpodCacheInterface)(nil).SetupInformer), ctx, kubeClient, nodeName, needsUpdate)
}


================================================
FILE: monitor/internal/k8s/mocks_runtime_cache_test.go
================================================
// Code generated by MockGen. DO NOT EDIT.
// Source: trireme-lib/monitor/internal/k8s/runtime_cache.go

// Package k8smonitor is a generated GoMock package.
package k8smonitor

import (
	gomock "github.com/golang/mock/gomock"
	policy "go.aporeto.io/enforcerd/trireme-lib/policy"
	reflect "reflect"
)

// MockruntimeCacheInterface is a mock of runtimeCacheInterface interface
type MockruntimeCacheInterface struct {
	ctrl     *gomock.Controller
	recorder *MockruntimeCacheInterfaceMockRecorder
}

// MockruntimeCacheInterfaceMockRecorder is the mock recorder for MockruntimeCacheInterface
type MockruntimeCacheInterfaceMockRecorder struct {
	mock *MockruntimeCacheInterface
}

// NewMockruntimeCacheInterface creates a new mock instance
func NewMockruntimeCacheInterface(ctrl *gomock.Controller) *MockruntimeCacheInterface {
	mock := &MockruntimeCacheInterface{ctrl: ctrl}
	mock.recorder = &MockruntimeCacheInterfaceMockRecorder{mock}
	return mock
}

// EXPECT returns an object that allows the caller to indicate expected use
func (m *MockruntimeCacheInterface) EXPECT() *MockruntimeCacheInterfaceMockRecorder {
	return m.recorder
}

// Delete mocks base method
func (m *MockruntimeCacheInterface) Delete(sandboxID string) {
	m.ctrl.T.Helper()
	m.ctrl.Call(m, "Delete", sandboxID)
}

// Delete indicates an expected call of Delete
func (mr *MockruntimeCacheInterfaceMockRecorder) Delete(sandboxID interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Delete", reflect.TypeOf((*MockruntimeCacheInterface)(nil).Delete), sandboxID)
}

// Get mocks base method
func (m *MockruntimeCacheInterface) Get(sandboxID string) policy.RuntimeReader {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "Get", sandboxID)
	ret0, _ := ret[0].(policy.RuntimeReader)
	return ret0
}

// Get indicates an expected call of Get
func (mr *MockruntimeCacheInterfaceMockRecorder) Get(sandboxID interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Get", reflect.TypeOf((*MockruntimeCacheInterface)(nil).Get), sandboxID)
}

// Set mocks base method
func (m *MockruntimeCacheInterface) Set(sandboxID string, runtime policy.RuntimeReader) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "Set", sandboxID, runtime)
	ret0, _ := ret[0].(error)
	return ret0
}

// Set indicates an expected call of Set
func (mr *MockruntimeCacheInterfaceMockRecorder) Set(sandboxID, runtime interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Set", reflect.TypeOf((*MockruntimeCacheInterface)(nil).Set), sandboxID, runtime)
}


================================================
FILE: monitor/internal/k8s/monitor.go
================================================
package k8smonitor

import (
	"context"
	"errors"
	"fmt"
	"sync"

	criapi "k8s.io/cri-api/pkg/apis"

	"go.aporeto.io/enforcerd/internal/extractors/containermetadata"
	"go.aporeto.io/enforcerd/trireme-lib/monitor/config"
	"go.aporeto.io/enforcerd/trireme-lib/monitor/constants"
	"go.aporeto.io/enforcerd/trireme-lib/monitor/extractors"
	"go.aporeto.io/enforcerd/trireme-lib/monitor/registerer"
	"k8s.io/client-go/kubernetes"
	listersv1 "k8s.io/client-go/listers/core/v1"
	"k8s.io/client-go/rest"
	"k8s.io/client-go/tools/clientcmd"
)

// K8sMonitor is the monitor for Kubernetes.
type K8sMonitor struct {
	nodename                         string
	handlers                         *config.ProcessorConfig
	metadataExtractor                extractors.PodMetadataExtractor
	kubeClient                       kubernetes.Interface
	podLister                        listersv1.PodLister
	criRuntimeService                criapi.RuntimeService
	podCache                         podCacheInterface
	runtimeCache                     runtimeCacheInterface
	startEventRetry                  startEventRetryFunc
	cniInstalledOrRuncProxyStartedCh chan struct{}
	cniInstalledOrRuncProxyStarted   bool
	extMonitorStartedLock            sync.RWMutex
}

// New returns a new kubernetes monitor.
func New(ctx context.Context) *K8sMonitor {
	m := &K8sMonitor{}
	m.podCache = newPodCache(m.updateEvent)
	m.runtimeCache = newRuntimeCache(ctx, m.stopEvent)
	m.cniInstalledOrRuncProxyStartedCh = make(chan struct{})
	return m
}

// SetupConfig provides a configuration to implmentations. Every implmentation
// can have its own config type.
func (m *K8sMonitor) SetupConfig(_ registerer.Registerer, cfg interface{}) error {

	defaultConfig := DefaultConfig()

	if cfg == nil {
		cfg = defaultConfig
	}

	kubernetesconfig, ok := cfg.(*Config)
	if !ok {
		return fmt.Errorf("Invalid configuration specified (type '%T')", cfg)
	}

	kubernetesconfig = SetupDefaultConfig(kubernetesconfig)

	// simple config checks
	if kubernetesconfig.MetadataExtractor == nil {
		return fmt.Errorf("missing metadata extractor")
	}
	if kubernetesconfig.CRIRuntimeService == nil {
		return fmt.Errorf("missing CRIRuntimeService implementation")
	}

	// Initialize most of our monitor
	m.nodename = kubernetesconfig.Nodename
	m.metadataExtractor = kubernetesconfig.MetadataExtractor
	m.criRuntimeService = kubernetesconfig.CRIRuntimeService

	// build kubernetes client config
	var kubeCfg *rest.Config
	if len(kubernetesconfig.Kubeconfig) > 0 {
		var err error
		kubeCfg, err = clientcmd.BuildConfigFromFlags("", kubernetesconfig.Kubeconfig)
		if err != nil {
			return err
		}
	} else {
		var err error
		kubeCfg, err = rest.InClusterConfig()
		if err != nil {
			return err
		}
	}

	// and initialize client from it
	var err error
	m.kubeClient, err = kubernetes.NewForConfig(kubeCfg)
	return err
}

// SetupHandlers sets up handlers for monitors to invoke for various events such as
// processing unit events and synchronization events. This will be called before Start()
// by the consumer of the monitor
func (m *K8sMonitor) SetupHandlers(c *config.ProcessorConfig) {
	m.handlers = c
}

// Run starts the monitor implementation.
func (m *K8sMonitor) Run(ctx context.Context) error {
	m.startEventRetry = newStartEventRetryFunc(ctx, containermetadata.AutoDetect(), m.startEvent)
	if m.kubeClient == nil {
		return errors.New("K8sMonitor: missing Kubernetes client")
	}

	if err := m.handlers.IsComplete(); err != nil {
		return fmt.Errorf("K8sMonitor: handlers are not complete: %s", err.Error())
	}

	if m.handlers.ExternalEventSender == nil {
		return fmt.Errorf("K8sMonitor: external event sender option must be used together with this monitor")
	}

	// setup informer for update events (this starts the informer as well)
	// this also returns a pod lister which uses the same underlying cache as the informer
	m.podLister = m.podCache.SetupInformer(ctx, m.kubeClient, m.nodename, defaultNeedsUpdate)

	// register ourselves with the gRPC server to receive events
	var registered bool
	for _, evs := range m.handlers.ExternalEventSender {
		if evs.SenderName() == constants.MonitorExtSenderName {
			if err := evs.Register(constants.K8sMonitorRegistrationName, m); err != nil {
				return fmt.Errorf("K8sMonitor: failed to register with the grpcMonitorServer external events sender: %w", err)
			}
			registered = true
			break
		}
	}
	if !registered {
		return fmt.Errorf("K8sMonitor: failed to register with the grpcMonitorServer external events sender: unavailable")
	}

	// get list of pods on node, and handle them
	if err := m.onStartup(ctx, m.startEvent); err != nil {
		return fmt.Errorf("K8sMonitor: failed to get list of pods running sandboxes from CRI and generating events for them: %s", err)
	}

	return nil
}

// Resync should resynchronize PUs. This should be done while starting up.
func (m *K8sMonitor) Resync(ctx context.Context) error {
	return nil
}


================================================
FILE: monitor/internal/k8s/monitor_test.go
================================================
package k8smonitor

import (
	"context"
	"fmt"
	"reflect"
	"testing"

	"github.com/golang/mock/gomock"
	"go.aporeto.io/enforcerd/trireme-lib/collector"
	"go.aporeto.io/enforcerd/trireme-lib/monitor/config"
	"go.aporeto.io/enforcerd/trireme-lib/monitor/constants"
	"go.aporeto.io/enforcerd/trireme-lib/monitor/external"
	"go.aporeto.io/enforcerd/trireme-lib/monitor/external/mockexternal"
	"go.aporeto.io/enforcerd/trireme-lib/monitor/extractors"
	"go.aporeto.io/enforcerd/trireme-lib/monitor/registerer"
	policy "go.aporeto.io/enforcerd/trireme-lib/policy"
	"go.aporeto.io/enforcerd/trireme-lib/policy/mockpolicy"
	"go.aporeto.io/enforcerd/trireme-lib/utils/cri/mockcri"
	corev1 "k8s.io/api/core/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	kubernetes "k8s.io/client-go/kubernetes"
	"k8s.io/client-go/kubernetes/fake"
	runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1alpha2"
)

func TestK8sMonitor_SetupConfig(t *testing.T) {
	type args struct {
		registerer registerer.Registerer
		cfg        interface{}
	}
	tests := []struct {
		name    string
		args    args
		wantErr bool
	}{
		{
			name: "wrong config type",
			args: args{
				registerer: nil,
				cfg:        "wrong type",
			},
			wantErr: true,
		},
		{
			name: "default config is not workable",
			args: args{
				registerer: nil,
				cfg:        nil,
			},
			wantErr: true,
		},
		{
			name: "config: missing metadataExtractor",
			args: args{
				registerer: nil,
				cfg: &Config{
					MetadataExtractor: nil,
				},
			},
			wantErr: true,
		},
		{
			name: "config: missing netclsProgrammer",
			args: args{
				registerer: nil,
				cfg: &Config{
					MetadataExtractor: func(context.Context, *corev1.Pod, string) (*policy.PURuntime, error) {
						return nil, nil
					},
				},
			},
			wantErr: true,
		},
		{
			name: "config: missing sandboxExtractor",
			args: args{
				registerer: nil,
				cfg: &Config{
					MetadataExtractor: func(context.Context, *corev1.Pod, string) (*policy.PURuntime, error) {
						return nil, nil
					},
				},
			},
			wantErr: true,
		},
		{
			name: "config: missing resetNetcls",
			args: args{
				registerer: nil,
				cfg: &Config{
					MetadataExtractor: func(context.Context, *corev1.Pod, string) (*policy.PURuntime, error) {
						return nil, nil
					},
				},
			},
			wantErr: true,
		},
		{
			name: "config: missing CRI runtime service",
			args: args{
				registerer: nil,
				cfg: &Config{
					MetadataExtractor: func(context.Context, *corev1.Pod, string) (*policy.PURuntime, error) {
						return nil, nil
					},
					CRIRuntimeService: nil,
				},
			},
			wantErr: true,
		},
		{
			name: "config: missing CRI runtime service",
			args: args{
				registerer: nil,
				cfg: &Config{
					MetadataExtractor: func(context.Context, *corev1.Pod, string) (*policy.PURuntime, error) {
						return nil, nil
					},
					CRIRuntimeService: nil,
				},
			},
			wantErr: true,
		},
		{
			name: "kubeClient: in-cluster config fails",
			args: args{
				registerer: nil,
				cfg: &Config{
					MetadataExtractor: func(context.Context, *corev1.Pod, string) (*policy.PURuntime, error) {
						return nil, nil
					},
					CRIRuntimeService: mockcri.NewMockExtendedRuntimeService(nil),
					Nodename:          "",
					Kubeconfig:        "",
				},
			},
			wantErr: true,
		},
		{
			name: "kubeClient: non-existent kubeconfig fails",
			args: args{
				registerer: nil,
				cfg: &Config{
					MetadataExtractor: func(context.Context, *corev1.Pod, string) (*policy.PURuntime, error) {
						return nil, nil
					},
					CRIRuntimeService: mockcri.NewMockExtendedRuntimeService(nil),
					Nodename:          "",
					Kubeconfig:        "does-not-exist",
				},
			},
			wantErr: true,
		},
		{
			name: "success",
			args: args{
				registerer: nil,
				cfg: &Config{
					MetadataExtractor: func(context.Context, *corev1.Pod, string) (*policy.PURuntime, error) {
						return nil, nil
					},
					CRIRuntimeService: mockcri.NewMockExtendedRuntimeService(nil),
					Nodename:          "",
					Kubeconfig:        "testdata/kubeconfig",
				},
			},
			wantErr: false,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			ctx, cancel := context.WithCancel(context.Background())
			m := New(ctx)
			if err := m.SetupConfig(tt.args.registerer, tt.args.cfg); (err != nil) != tt.wantErr {
				t.Errorf("k8sMonitor.SetupConfig() error = %v, wantErr %v", err, tt.wantErr)
			}
			cancel()
		})
	}
}

func TestK8sMonitor_Resync(t *testing.T) {
	type args struct {
		ctx context.Context
	}
	tests := []struct {
		name    string
		args    args
		wantErr bool
	}{
		{
			name:    "unimplemented",
			wantErr: false,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			ctx, cancel := context.WithCancel(context.Background())
			m := New(ctx)
			if err := m.Resync(tt.args.ctx); (err != nil) != tt.wantErr {
				t.Errorf("k8sMonitor.Resync() error = %v, wantErr %v", err, tt.wantErr)
			}
			cancel()
		})
	}
}

func TestK8sMonitor_SetupHandlers(t *testing.T) {
	type args struct {
		c *config.ProcessorConfig
	}
	tests := []struct {
		name string
		args args
	}{
		{
			name: "arguments must be set 1-to-1 in monitor: nil",
			args: args{
				c: nil,
			},
		},
		{
			name: "arguments must be set 1-to-1 in monitor: simple handler",
			args: args{
				c: &config.ProcessorConfig{
					Collector: collector.NewDefaultCollector(),
					Policy:    mockpolicy.NewMockResolver(nil),
					ExternalEventSender: []external.ReceiverRegistration{
						mockexternal.NewMockReceiverRegistration(nil),
					},
				},
			},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			ctx, cancel := context.WithCancel(context.Background())
			m := New(ctx)
			m.SetupHandlers(tt.args.c)
			if !reflect.DeepEqual(m.handlers, tt.args.c) {
				t.Errorf("m.handlers %v, want %v", m.handlers, tt.args.c)
			}
			cancel()
		})
	}
}

func TestK8sMonitor_Run(t *testing.T) {
	podTemplate1 := &corev1.Pod{
		ObjectMeta: metav1.ObjectMeta{
			Name:      "my-pod",
			Namespace: "default",
		},
		Spec: corev1.PodSpec{
			NodeName: "test",
		},
	}
	podTemplate2 := &corev1.Pod{
		ObjectMeta: metav1.ObjectMeta{
			Name:      "my-host-network-pod",
			Namespace: "default",
		},
		Spec: corev1.PodSpec{
			HostNetwork: true,
			NodeName:    "test",
		},
	}
	c := fake.NewSimpleClientset(
		podTemplate1.DeepCopy(),
		podTemplate2.DeepCopy(),
	)
	type fields struct {
		collector                collector.EventCollector
		unsetExternalEventSender bool
		kubeClient               kubernetes.Interface
		metadataExtractor        extractors.PodMetadataExtractor
		nodename                 string
	}
	tests := []struct {
		name    string
		fields  fields
		wantErr bool
		prepare func(t *testing.T, mocks *unitTestMonitorMocks)
	}{
		{
			name: "no kubeClient",
			fields: fields{
				kubeClient: nil,
			},
			wantErr: true,
			prepare: func(t *testing.T, mocks *unitTestMonitorMocks) {
			},
		},
		{
			name: "handlers setup is incomplete",
			fields: fields{
				collector:  nil,
				kubeClient: c,
			},
			wantErr: true,
			prepare: func(t *testing.T, mocks *unitTestMonitorMocks) {
			},
		},
		{
			name: "ExternalEventSender is not set",
			fields: fields{
				collector:                collector.NewDefaultCollector(),
				unsetExternalEventSender: true,
				kubeClient:               c,
			},
			wantErr: true,
			prepare: func(t *testing.T, mocks *unitTestMonitorMocks) {
			},
		},
		{
			name: "ReceiverRegistration fails: unavailable",
			fields: fields{
				collector:                collector.NewDefaultCollector(),
				unsetExternalEventSender: false,
				kubeClient:               c,
				nodename:                 "test",
			},
			wantErr: true,
			prepare: func(t *testing.T, mocks *unitTestMonitorMocks) {
				mocks.podCache.EXPECT().SetupInformer(
					gomock.Any(),
					gomock.Eq(c),
					gomock.Eq("test"),
					gomock.AssignableToTypeOf(defaultNeedsUpdate),
				)
				mocks.externalEventSender.EXPECT().SenderName().Return("random").Times(1)
			},
		},
		{
			name: "ReceiverRegistration fails: Register call fails",
			fields: fields{
				collector:                collector.NewDefaultCollector(),
				unsetExternalEventSender: false,
				kubeClient:               c,
				nodename:                 "test",
			},
			wantErr: true,
			prepare: func(t *testing.T, mocks *unitTestMonitorMocks) {
				mocks.podCache.EXPECT().SetupInformer(
					gomock.Any(),
					gomock.Eq(c),
					gomock.Eq("test"),
					gomock.AssignableToTypeOf(defaultNeedsUpdate),
				)
				mocks.externalEventSender.EXPECT().SenderName().Return(constants.MonitorExtSenderName).Times(1)
				mocks.externalEventSender.EXPECT().Register(
					gomock.Eq(constants.K8sMonitorRegistrationName),
					gomock.AssignableToTypeOf(&K8sMonitor{}),
				).Return(fmt.Errorf("error")).Times(1)
			},
		},
		{
			name: "Listing Sandboxes from CRI fails",
			fields: fields{
				collector:                collector.NewDefaultCollector(),
				unsetExternalEventSender: false,
				kubeClient:               c,
				nodename:                 "test",
			},
			wantErr: true,
			prepare: func(t *testing.T, mocks *unitTestMonitorMocks) {
				mocks.externalEventSender.EXPECT().SenderName().Return(constants.MonitorExtSenderName).Times(1)
				mocks.externalEventSender.EXPECT().Register(
					gomock.Eq(constants.K8sMonitorRegistrationName),
					gomock.AssignableToTypeOf(&K8sMonitor{}),
				).Return(nil).Times(1)
				mocks.podCache.EXPECT().SetupInformer(
					gomock.Any(),
					gomock.Eq(c),
					gomock.Eq("test"),
					gomock.AssignableToTypeOf(defaultNeedsUpdate),
				)
				mocks.cri.EXPECT().ListPodSandbox(gomock.Eq(&runtimeapi.PodSandboxFilter{
					State: &runtimeapi.PodSandboxStateValue{
						State: runtimeapi.PodSandboxState_SANDBOX_READY,
					},
				})).Return(nil, fmt.Errorf("error")).Times(1)
			},
		},
		{
			name: "monitor starts successful with empty sandbox list from CRI",
			fields: fields{
				collector:                collector.NewDefaultCollector(),
				unsetExternalEventSender: false,
				kubeClient:               c,
				nodename:                 "test",
			},
			wantErr: false,
			prepare: func(t *testing.T, mocks *unitTestMonitorMocks) {
				mocks.externalEventSender.EXPECT().SenderName().Return(constants.MonitorExtSenderName).Times(1)
				mocks.externalEventSender.EXPECT().Register(
					gomock.Eq(constants.K8sMonitorRegistrationName),
					gomock.AssignableToTypeOf(&K8sMonitor{}),
				).Return(nil).Times(1)
				mocks.podCache.EXPECT().SetupInformer(
					gomock.Any(),
					gomock.Eq(c),
					gomock.Eq("test"),
					gomock.AssignableToTypeOf(defaultNeedsUpdate),
				)
				mocks.cri.EXPECT().ListPodSandbox(gomock.Eq(&runtimeapi.PodSandboxFilter{
					State: &runtimeapi.PodSandboxStateValue{
						State: runtimeapi.PodSandboxState_SANDBOX_READY,
					},
				})).Return(
					[]*runtimeapi.PodSandbox{},
					nil,
				).Times(1)
			},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			ctrl := gomock.NewController(t)
			m, mocks := newUnitTestMonitor(ctrl)
			m.SenderReady()
			m.handlers.Collector = tt.fields.collector
			if tt.fields.unsetExternalEventSender {
				m.handlers.ExternalEventSender = nil
			}
			m.kubeClient = tt.fields.kubeClient
			m.metadataExtractor = tt.fields.metadataExtractor
			m.nodename = tt.fields.nodename
			tt.prepare(t, mocks)
			if err := m.Run(context.Background()); (err != nil) != tt.wantErr {
				t.Errorf("k8sMonitor.Run() error = %v, wantErr %v", err, tt.wantErr)
			}
			ctrl.Finish()
		})
	}
}


================================================
FILE: monitor/internal/k8s/on_startup.go
================================================
package k8smonitor

import (
	"context"
	"fmt"
	"sync"

	"go.aporeto.io/enforcerd/internal/extractors/containermetadata"
	"go.uber.org/zap"

	runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1alpha2"
)

func (m *K8sMonitor) onStartup(ctx context.Context, startEvent startEventFunc) error {
	// wait for runc-proxy to be started before continuing with syncing state
	if !m.isCniInstalledOrRuncProxyStarted() {
		zap.L().Info("K8sMonitor: waiting for CNI plugin to be installed and configured...")
		select {
		case <-ctx.Done():
			return fmt.Errorf("K8sMonitor: startup was canceled: %w", ctx.Err())
		case <-m.cniInstalledOrRuncProxyStartedCh:
			zap.L().Info("K8sMonitor: CNI plugin is ready. Continuing startup.")
		}
	}

	sandboxList, err := m.criRuntimeService.ListPodSandbox(&runtimeapi.PodSandboxFilter{
		State: &runtimeapi.PodSandboxStateValue{
			State: runtimeapi.PodSandboxState_SANDBOX_READY,
		},
	})
	if err != nil {
		return err
	}

	var wg sync.WaitGroup
	m.handlers.ResyncLock.RLock()
	defer m.handlers.ResyncLock.RUnlock()
	for _, sandbox := range sandboxList {
		// extract common Kubernetes metadata from the filesystem
		// technically CRI provides us with everything we need right now,
		// however, this way the results are consistent and easier to maintain in the future
		sandboxID := sandbox.GetId()
		kmd, err := extractKmdFromCRISandbox(sandboxID)
		if err != nil {
			zap.L().Error("K8sMonitor: onStartup: failed to extract sandbox metadata. Skipping initialization for this pod...", zap.String("sandboxID", sandboxID), zap.Error(err))
			continue
		}

		// fire away a start event
		wg.Add(1)
		go func(ctx context.Context, id string, m containermetadata.CommonKubernetesContainerMetadata) {
			if err := startEvent(ctx, m, 0); err != nil {
				zap.L().Error("K8sMonitor: onStartup: failed to send start event", zap.String("sandboxID", id), zap.Error(err))
			}
			wg.Done()
		}(ctx, sandboxID, kmd)
	}
	wg.Wait()

	return nil
}

var extractor = containermetadata.AutoDetect()

func extractKmdFromCRISandbox(sandboxID string) (containermetadata.CommonKubernetesContainerMetadata, error) {
	if sandboxID == "" {
		return nil, fmt.Errorf("sandbox ID empty")
	}
	containerArgs := containermetadata.NewRuncArguments(containermetadata.StartAction, sandboxID)
	if !extractor.Has(containerArgs) {
		return nil, fmt.Errorf("failed to detect sandbox on filesystem")
	}
	_, kmd, err := extractor.Extract(containerArgs)
	if err != nil {
		return nil, fmt.Errorf("failed to extract metadata of sandbox from filesystem: %s", err)
	}
	if kmd == nil {
		zap.L().Error("K8sMonitor: onStartup: failed to this container as Kubernetes sandbox from filesystem", zap.String("sandboxID", sandboxID), zap.Error(err))
		return nil, fmt.Errorf("failed to detect this container as Kubernetes sandbox from filesystem")
	}
	return kmd, nil
}


================================================
FILE: monitor/internal/k8s/on_startup_test.go
================================================
package k8smonitor

import (
	"context"
	"fmt"
	"reflect"
	"sync"
	"testing"

	"github.com/golang/mock/gomock"

	"go.aporeto.io/enforcerd/internal/extractors/containermetadata"
	"go.aporeto.io/enforcerd/internal/extractors/containermetadata/mockcontainermetadata"

	runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1alpha2"

	"go.aporeto.io/enforcerd/trireme-lib/monitor/config"
	"go.aporeto.io/enforcerd/trireme-lib/utils/cri/mockcri"
)

func Test_extractKmdFromCRISandbox(t *testing.T) {

	type args struct {
		sandboxID string
	}
	tests := []struct {
		name    string
		args    args
		want    containermetadata.CommonKubernetesContainerMetadata
		wantErr bool
		prepare func(t *testing.T, extractor *mockcontainermetadata.MockCommonContainerMetadataExtractor)
	}{
		{
			name: "sandbox ID empty",
			args: args{
				sandboxID: "",
			},
			want:    nil,
			wantErr: true,
			prepare: func(t *testing.T, extractor *mockcontainermetadata.MockCommonContainerMetadataExtractor) {
				//nothing to be done here
			},
		},
		{
			name: "container not found with the extractor",
			args: args{
				sandboxID: "not-found",
			},
			want:    nil,
			wantErr: true,
			prepare: func(t *testing.T, extractor *mockcontainermetadata.MockCommonContainerMetadataExtractor) {
				extractor.EXPECT().Has(
					gomock.Eq(containermetadata.NewRuncArguments(containermetadata.StartAction, "not-found")),
				).Return(false).Times(1)
			},
		},
		{
			name: "container extractor failed",
			args: args{
				sandboxID: "sandbox-id",
			},
			want:    nil,
			wantErr: true,
			prepare: func(t *testing.T, extractor *mockcontainermetadata.MockCommonContainerMetadataExtractor) {
				ContainerArgs := containermetadata.NewRuncArguments(containermetadata.StartAction, "sandbox-id")
				extractor.EXPECT().Has(gomock.Eq(ContainerArgs)).Return(true).Times(1)
				extractor.EXPECT().Extract(gomock.Eq(ContainerArgs)).Return(nil, nil, fmt.Errorf("failed to extrat")).Times(1)
			},
		},
		{
			name: "container extractor succeeded but is not Kubernetes container",
			args: args{
				sandboxID: "sandbox-id",
			},
			want:    nil,
			wantErr: true,
			prepare: func(t *testing.T, extractor *mockcontainermetadata.MockCommonContainerMetadataExtractor) {
				ContainerArgs := containermetadata.NewRuncArguments(containermetadata.StartAction, "sandbox-id")
				extractor.EXPECT().Has(gomock.Eq(ContainerArgs)).Return(true).Times(1)
				// technically the first result would need to be populated, but that doesn't matter for the test
				extractor.EXPECT().Extract(gomock.Eq(ContainerArgs)).Return(nil, nil, nil).Times(1)
			},
		},
		{
			name: "container extractor succeeded",
			args: args{
				sandboxID: "sandbox-id",
			},
			want:    mockcontainermetadata.NewMockCommonKubernetesContainerMetadata(nil),
			wantErr: false,
			prepare: func(t *testing.T, extractor *mockcontainermetadata.MockCommonContainerMetadataExtractor) {
				ContainerArgs := containermetadata.NewRuncArguments(containermetadata.StartAction, "sandbox-id")
				extractor.EXPECT().Has(gomock.Eq(ContainerArgs)).Return(true).Times(1)
				// technically the first result would need to be populated, but that doesn't matter for the test
				extractor.EXPECT().Extract(gomock.Eq(ContainerArgs)).Return(
					nil,
					mockcontainermetadata.NewMockCommonKubernetesContainerMetadata(nil),
					nil,
				).Times(1)
			},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			ctrl := gomock.NewController(t)
			mockExtractor := mockcontainermetadata.NewMockCommonContainerMetadataExtractor(ctrl)
			extractor = mockExtractor
			tt.prepare(t, mockExtractor)
			got, err := extractKmdFromCRISandbox(tt.args.sandboxID)
			if (err != nil) != tt.wantErr {
				t.Errorf("extractKmdFromCRISandbox() error = %v, wantErr %v", err, tt.wantErr)
				return
			}
			if !reflect.DeepEqual(got, tt.want) {
				t.Errorf("extractKmdFromCRISandbox() = %v, want %v", got, tt.want)
			}
			ctrl.Finish()
		})
	}
}

type unitTestStartEvent interface {
	f() startEventFunc
	wait()
	called() bool
}
type unitTestStartEventHandler struct {
	sync.RWMutex
	wg        sync.WaitGroup
	wgCounter int
	wasCalled bool
	err       error
}

func (h *unitTestStartEventHandler) startEvent(ctx context.Context, kmd containermetadata.CommonKubernetesContainerMetadata, retry uint) error {
	h.Lock()
	defer h.Unlock()
	h.wasCalled = true
	if h.wgCounter > 0 {
		h.wgCounter--
	}
	if h.wgCounter >= 0 {
		h.wg.Done()
	}
	return h.err
}

func (h *unitTestStartEventHandler) f() startEventFunc {
	return h.startEvent
}

func (h *unitTestStartEventHandler) wait() {
	h.wg.Wait()
}

func (h *unitTestStartEventHandler) called() bool {
	h.RLock()
	defer h.RUnlock()
	return h.wasCalled
}

func newUnitTestStartEventHandler(n int, err error) unitTestStartEvent {
	h := &unitTestStartEventHandler{
		err:       err,
		wgCounter: n,
	}
	h.wg.Add(n)
	return h
}

func TestK8sMonitor_onStartup(t *testing.T) {

	listSandboxFilter := &runtimeapi.PodSandboxFilter{
		State: &runtimeapi.PodSandboxStateValue{
			State: runtimeapi.PodSandboxState_SANDBOX_READY,
		},
	}

	tests := []struct {
		name               string
		startEventHandler  unitTestStartEvent
		wantErr            bool
		prepare            func(t *testing.T, extractor *mockcontainermetadata.MockCommonContainerMetadataExtractor, cri *mockcri.MockExtendedRuntimeService)
		expectedStartEvent bool
	}{
		{
			name:               "listing sandboxes fails",
			startEventHandler:  newUnitTestStartEventHandler(0, nil),
			wantErr:            true,
			expectedStartEvent: false,
			prepare: func(t *testing.T, extractor *mockcontainermetadata.MockCommonContainerMetadataExtractor, cri *mockcri.MockExtendedRuntimeService) {
				cri.EXPECT().ListPodSandbox(gomock.Eq(listSandboxFilter)).Return(nil, fmt.Errorf("failed")).Times(1)
			},
		},
		{
			name:               "listing sandboxes succeeds, but extracting metadata fails",
			startEventHandler:  newUnitTestStartEventHandler(0, nil),
			wantErr:            false,
			expectedStartEvent: false,
			prepare: func(t *testing.T, extractor *mockcontainermetadata.MockCommonContainerMetadataExtractor, cri *mockcri.MockExtendedRuntimeService) {
				cri.EXPECT().ListPodSandbox(gomock.Eq(listSandboxFilter)).Return(
					[]*runtimeapi.PodSandbox{
						{
							Id: "sandbox-id",
						},
					},
					nil,
				).Times(1)

				ContainerArgs := containermetadata.NewRuncArguments(containermetadata.StartAction, "sandbox-id")
				extractor.EXPECT().Has(gomock.Eq(ContainerArgs)).Return(false).Times(1)
			},
		},
		{
			name:               "listing sandboxes succeeds, sending an event that fails",
			startEventHandler:  newUnitTestStartEventHandler(1, fmt.Errorf("error")),
			wantErr:            false,
			expectedStartEvent: true,
			prepare: func(t *testing.T, extractor *mockcontainermetadata.MockCommonContainerMetadataExtractor, cri *mockcri.MockExtendedRuntimeService) {
				cri.EXPECT().ListPodSandbox(gomock.Eq(listSandboxFilter)).Return(
					[]*runtimeapi.PodSandbox{
						{
							Id: "sandbox-id",
						},
					},
					nil,
				).Times(1)

				ContainerArgs := containermetadata.NewRuncArguments(containermetadata.StartAction, "sandbox-id")
				extractor.EXPECT().Has(gomock.Eq(ContainerArgs)).Return(true).Times(1)
				// technically the first result would need to be populated, but that doesn't matter for the test
				extractor.EXPECT().Extract(gomock.Eq(ContainerArgs)).Return(
					nil,
					mockcontainermetadata.NewMockCommonKubernetesContainerMetadata(nil),
					nil,
				).Times(1)
			},
		},
		{
			name:               "listing 2 sandboxes succeeds, sending 2 start events",
			startEventHandler:  newUnitTestStartEventHandler(2, nil),
			wantErr:            false,
			expectedStartEvent: true,
			prepare: func(t *testing.T, extractor *mockcontainermetadata.MockCommonContainerMetadataExtractor, cri *mockcri.MockExtendedRuntimeService) {
				cri.EXPECT().ListPodSandbox(gomock.Eq(listSandboxFilter)).Return(
					[]*runtimeapi.PodSandbox{
						{
							Id: "sandbox-id-1",
						},
						{
							Id: "sandbox-id-2",
						},
					},
					nil,
				).Times(1)

				ContainerArgs1 := containermetadata.NewRuncArguments(containermetadata.StartAction, "sandbox-id-1")
				extractor.EXPECT().Has(gomock.Eq(ContainerArgs1)).Return(true).Times(1)
				// technically the first result would need to be populated, but that doesn't matter for the test
				extractor.EXPECT().Extract(gomock.Eq(ContainerArgs1)).Return(
					nil,
					mockcontainermetadata.NewMockCommonKubernetesContainerMetadata(nil),
					nil,
				).Times(1)
				ContainerArgs2 := containermetadata.NewRuncArguments(containermetadata.StartAction, "sandbox-id-2")
				extractor.EXPECT().Has(gomock.Eq(ContainerArgs2)).Return(true).Times(1)
				// technically the first result would need to be populated, but that doesn't matter for the test
				extractor.EXPECT().Extract(gomock.Eq(ContainerArgs2)).Return(
					nil,
					mockcontainermetadata.NewMockCommonKubernetesContainerMetadata(nil),
					nil,
				).Times(1)
			},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			ctrl := gomock.NewController(t)
			mockExtractor := mockcontainermetadata.NewMockCommonContainerMetadataExtractor(ctrl)
			extractor = mockExtractor
			ctx, cancel := context.WithCancel(context.Background())
			m := New(ctx)
			m.SetupHandlers(&config.ProcessorConfig{
				ResyncLock: &sync.RWMutex{},
			})
			m.SenderReady()
			mockcri := mockcri.NewMockExtendedRuntimeService(ctrl)
			m.criRuntimeService = mockcri
			tt.prepare(t, mockExtractor, mockcri)
			if err := m.onStartup(ctx, tt.startEventHandler.f()); (err != nil) != tt.wantErr {
				t.Errorf("K8sMonitor.onStartup() error = %v, wantErr %v", err, tt.wantErr)
			}
			tt.startEventHandler.wait()
			if tt.expectedStartEvent != tt.startEventHandler.called() {
				t.Errorf("startEventHandler.called() = %v, want %v", tt.startEventHandler.called(), tt.expectedStartEvent)
			}
			cancel()
			ctrl.Finish()
		})
	}
}


================================================
FILE: monitor/internal/k8s/pod_cache.go
================================================
package k8smonitor

import (
	"context"
	"errors"
	"reflect"
	"sync"
	"time"

	corev1 "k8s.io/api/core/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/apimachinery/pkg/fields"
	"k8s.io/client-go/informers"
	"k8s.io/client-go/kubernetes"
	listersv1 "k8s.io/client-go/listers/core/v1"
	"k8s.io/client-go/tools/cache"

	"go.uber.org/zap"
)

var (
	errCacheUninitialized = errors.New("cache uninitialized")
	errSandboxEmpty       = errors.New("sandboxID must not be empty")
	errPodNil             = errors.New("pod must not be nil")
	errRuntimeNil         = errors.New("runtime must not be nil")
	errPodNameEmpty       = errors.New("pod name must not be empty")
	errPodNamespaceEmpty  = errors.New("nod namespace must not be empty")
	errSandboxNotFound    = errors.New("sandbox not found")
)

const (
	nodeNameKeyIndex = "spec.nodeName"
)

// needsUpdateFunc is a function which compares two pod objects and determines
// if we need to send an update event to the policy engine.
type needsUpdateFunc func(*corev1.Pod, *corev1.Pod) bool

// defaultNeedsUpdate simply compares if the labels changed.
// As we are using the reduced metadata extractor by now, this is
// the only change that we need to watch out for at the moment.
func defaultNeedsUpdate(prev, obj *corev1.Pod) bool {
	return !reflect.DeepEqual(prev.GetLabels(), obj.GetLabels())
}

type podCacheInterface interface {
	Delete(sandboxID string)
	Get(sandboxID string) *corev1.Pod
	Set(sandboxID string, pod *corev1.Pod) error
	FindSandboxID(name, namespace string) (string, error)
	SetupInformer(ctx context.Context, kubeClient kubernetes.Interface, nodeName string, needsUpdate needsUpdateFunc) listersv1.PodLister
}

var _ podCacheInterface = &podCache{}

type podCache struct {
	pods map[string]*corev1.Pod
	sync.RWMutex
	updateEvent updateEventFunc
}

func newPodCache(updateEvent updateEventFunc) *podCache {

	c := &podCache{
		pods:        make(map[string]*corev1.Pod),
		updateEvent: updateEvent,
	}
	return c
}

func (c *podCache) SetupInformer(ctx context.Context, kubeClient kubernetes.Interface, nodeName string, needsUpdate needsUpdateFunc) listersv1.PodLister {
	// get the pod informer from the default factory
	// add a field selector to narrow down our results
	fieldSelector := fields.OneTermEqualSelector(nodeNameKeyIndex, nodeName).String()
	factory := informers.NewSharedInformerFactoryWithOptions(kubeClient, time.Hour*24, informers.WithTweakListOptions(func(opts *metav1.ListOptions) {
		opts.FieldSelector = fieldSelector
	}))
	informer := factory.Core().V1().Pods().Informer()

	// add an indexer so that our field selector by node name will work
	informer.AddIndexers(cache.Indexers{ // nolint: errcheck
		nodeNameKeyIndex: func(obj interface{}) ([]string, error) {
			// this is essentially exactly what the node lifecycel controller uses as well
			pod, ok := obj.(*corev1.Pod)
			if !ok {
				return []string{}, nil
			}
			if len(pod.Spec.NodeName) == 0 {
				return []string{}, nil
			}
			return []string{pod.Spec.NodeName}, nil
		},
	})
	informer.AddEventHandler(cache.ResourceEventHandlerFuncs{
		// we only subscribe to pod update events
		UpdateFunc: func(prev, obj interface{}) {
			prevPod, ok := prev.(*corev1.Pod)
			if !ok {
				return
			}
			pod, ok := obj.(*corev1.Pod)
			if !ok {
				return
			}

			if pod.Spec.NodeName != nodeName {
				// TODO: unit tests are hitting this
				// the added indexer and the FieldSelector which are added to the lister through the factory options
				// should prevent this code path from ever being hit.
				// This might be a shortcoming of the fake clientset. We have run into limitations before.
				zap.L().Debug("K8sMonitor: informer: received pod update event which does not belong to this node", zap.String("podNodeName", pod.Spec.NodeName), zap.String("nodeName", nodeName))
				return
			}

			if pod.Spec.HostNetwork {
				zap.L().Debug("K8sMonitor: informer: skipping host network pods", zap.String("podName", pod.GetName()),
					zap.String("podNamespace", pod.GetNamespace()),
					zap.String("nodeName", pod.Spec.NodeName))
				return
			}

			updateInternal := func(p *corev1.Pod) (string, error) {
				// find the sandbox for this pod
				sandboxID, err := c.FindSandboxID(p.GetName(), p.GetNamespace())
				if err != nil {
					// this can only happen if we were wrongly monitoring a pod which we shouldn't have
					// it's not the end of the world, but something might be up, let's log a debug message
					// The problem with this log message is: when a pod first starts up, it is bound to receive
					// update events. However, the kubelet has not started the pod yet, so we are not interested
					// in the event yet. There is unfortunately no way for us to distinguish between the two
					zap.L().Debug(
						"K8sMonitor: informer: sandbox for pod not found in cache. Will not update the processing unit",
						zap.String("podName", p.GetName()),
						zap.String("podNamespace", p.GetNamespace()),
						zap.String("nodeName", p.Spec.NodeName),
					)
					return "", err
				}
				// update it in our internal state
				if err := c.Set(sandboxID, p.DeepCopy()); err != nil {
					zap.L().Error(
						"K8sMonitor: informer: failed to update pod in cache",
						zap.String("sandboxID", sandboxID),
						zap.String("podName", p.GetName()),
						zap.String("podNamespace", p.GetNamespace()),
						zap.String("nodeName", p.Spec.NodeName),
					)
					return "", err
				}
				return sandboxID, nil
			}

			// now send the event to the policy engine if
			// 1. there is a update on the pod labels.
			if needsUpdate(prevPod, pod) {
				go func(ctx context.Context, p *corev1.Pod) {
					sandboxID, err := updateInternal(p)
					if err != nil {
						return
					}
					// now send the update event
					if err := c.updateEvent(ctx, sandboxID); err != nil {
						zap.L().Error(
							"K8sMonitor: informer: failed to send update event to policy engine",
							zap.String("sandboxID", sandboxID),
							zap.Error(err),
						)
					}
				}(ctx, pod)
			} else {
				zap.L().Debug(
					"K8sMonitor: informer: no update event necessary",
					zap.String("podName", pod.GetName()),
					zap.String("podNamespace", pod.GetNamespace()),
				)

				// try to update the internal state anyway
				// this is technically not required at the moment
				// but we never know when it might
				go updateInternal(pod) // nolint
			}
		},
	})

	// now start the informer
	go informer.Run(ctx.Done())

	// wait for the caches to sync before we return
	// if this fails, we can print a log, but this is not a
	if !cache.WaitForNamedCacheSync("pods", ctx.Done(), informer.HasSynced) {
		zap.L().Warn("K8sMonitor: setupInformer: waiting for caches timed out")
	}

	// return with a lister of the cache of this informer
	return listersv1.NewPodLister(informer.GetIndexer())
}

func (c *podCache) Get(sandboxID string) *corev1.Pod {
	if c == nil {
		return nil
	}
	c.RLock()
	defer c.RUnlock()
	if c.pods == nil {
		return nil
	}
	p, ok := c.pods[sandboxID]
	if !ok {
		return nil
	}
	return p.DeepCopy()
}

// FindSandboxID returns the sandbox ID of the pod that matches name and namespace.
// It returns an error in all other cases - also if the sandbox is not in the cache.
func (c *podCache) FindSandboxID(name, namespace string) (string, error) {
	if c == nil {
		return "", errCacheUninitialized
	}
	if c.pods == nil {
		return "", errCacheUninitialized
	}
	if name == "" {
		return "", errPodNameEmpty
	}
	if namespace == "" {
		return "", errPodNamespaceEmpty
	}
	c.RLock()
	defer c.RUnlock()
	for sandboxID, pod := range c.pods {
		if pod.GetName() == name && pod.GetNamespace() == namespace {
			return sandboxID, nil
		}
	}
	return "", errSandboxNotFound
}

func (c *podCache) Set(sandboxID string, pod *corev1.Pod) error {
	if c == nil {
		return errCacheUninitialized
	}
	if sandboxID == "" {
		return errSandboxEmpty
	}
	if pod == nil {
		return errPodNil
	}
	c.Lock()
	defer c.Unlock()
	if c.pods == nil {
		return errCacheUninitialized
	}
	c.pods[sandboxID] = pod
	return nil
}

func (c *podCache) Delete(sandboxID string) {
	if c == nil {
		return
	}
	c.Lock()
	defer c.Unlock()
	delete(c.pods, sandboxID)
}


================================================
FILE: monitor/internal/k8s/pod_cache_test.go
================================================
package k8smonitor

import (
	"context"
	"fmt"
	"reflect"
	"sync"
	"testing"
	"time"

	corev1 "k8s.io/api/core/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/client-go/kubernetes"
	"k8s.io/client-go/kubernetes/fake"
	//kubernetesTesting "k8s.io/client-go/testing"
)

func Test_podCache_Delete(t *testing.T) {
	updateEvent := func(context.Context, string) error {
		return nil
	}

	tests := []struct {
		name      string
		c         *podCache
		sandboxID string
	}{
		{
			name:      "cache uninitialized",
			c:         nil,
			sandboxID: "does-not-matter",
		},
		{
			name:      "cache initialized",
			c:         newPodCache(updateEvent),
			sandboxID: "does-not-mater",
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			tt.c.Delete(tt.sandboxID)
		})
	}
}

func Test_podCache_Set(t *testing.T) {
	updateEvent := func(context.Context, string) error {
		return nil
	}
	type args struct {
		sandboxID string
		pod       *corev1.Pod
	}
	tests := []struct {
		name         string
		c            *podCache
		args         args
		wantErr      bool
		wantErrError error
	}{
		{
			name:         "cache uninitialized",
			c:            nil,
			wantErr:      true,
			wantErrError: errCacheUninitialized,
		},
		{
			name:         "cache has unintialized map",
			c:            &podCache{},
			wantErr:      true,
			wantErrError: errCacheUninitialized,
			args: args{
				sandboxID: "does-not-matter",
				pod:       &corev1.Pod{},
			},
		},
		{
			name:         "no sandboxID",
			c:            newPodCache(updateEvent),
			wantErr:      true,
			wantErrError: errSandboxEmpty,
			args: args{
				sandboxID: "",
				pod:       &corev1.Pod{},
			},
		},
		{
			name:         "pod is nil",
			c:            newPodCache(updateEvent),
			wantErr:      true,
			wantErrError: errPodNil,
			args: args{
				sandboxID: "does-not-matter",
				pod:       nil,
			},
		},
		{
			name:    "successful update entry",
			c:       newPodCache(updateEvent),
			wantErr: false,
			args: args{
				sandboxID: "does-not-matter",
				pod:       &corev1.Pod{},
			},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			err := tt.c.Set(tt.args.sandboxID, tt.args.pod)
			if (err != nil) != tt.wantErr {
				t.Errorf("podCache.Set() error = %v, wantErr %v", err, tt.wantErr)
			}
			if tt.wantErr {
				if err != tt.wantErrError {
					t.Errorf("podCache.Set() error = %v, wantErrError %v", err, tt.wantErrError)
				}
			}
		})
	}
}

func Test_podCache_Get(t *testing.T) {
	updateEvent := func(context.Context, string) error {
		return nil
	}
	cacheWithEntry := newPodCache(updateEvent)
	if err := cacheWithEntry.Set("entry", &corev1.Pod{}); err != nil {
		panic(err)
	}
	tests := []struct {
		name      string
		sandboxID string
		c         *podCache
		want      *corev1.Pod
	}{
		{
			name: "uninitialized podCache",
			c:    nil,
			want: nil,
		},
		{
			name: "uninitialized map in podCache",
			c:    &podCache{},
			want: nil,
		},
		{
			name:      "entry does not exist",
			c:         newPodCache(updateEvent),
			sandboxID: "does-not-exist",
			want:      nil,
		},
		{
			name:      "entry exists",
			c:         cacheWithEntry,
			sandboxID: "entry",
			want:      &corev1.Pod{},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			if got := tt.c.Get(tt.sandboxID); !reflect.DeepEqual(got, tt.want) {
				t.Errorf("podCache.Get() = %v, want %v", got, tt.want)
			}
		})
	}
}

func Test_podCache_FindSandboxID(t *testing.T) {
	updateEvent := func(context.Context, string) error {
		return nil
	}
	cacheWithEntry := newPodCache(updateEvent)
	if err := cacheWithEntry.Set("entry", &corev1.Pod{
		ObjectMeta: metav1.ObjectMeta{
			Name:      "my-pod",
			Namespace: "default",
		},
	}); err != nil {
		panic(err)
	}
	type args struct {
		name      string
		namespace string
	}
	tests := []struct {
		name         string
		c            *podCache
		args         args
		want         string
		wantErr      bool
		wantErrError error
	}{
		{
			name:         "cache uninitialized",
			c:            nil,
			wantErr:      true,
			wantErrError: errCacheUninitialized,
		},
		{
			name:         "pods uninitialized",
			c:            &podCache{},
			wantErr:      true,
			wantErrError: errCacheUninitialized,
		},
		{
			name: "pod name empty",
			c:    newPodCache(updateEvent),
			args: args{
				name:      "",
				namespace: "default",
			},
			wantErr:      true,
			wantErrError: errPodNameEmpty,
		},
		{
			name: "pod namespace empty",
			c:    newPodCache(updateEvent),
			args: args{
				name:      "my-pod",
				namespace: "",
			},
			wantErr:      true,
			wantErrError: errPodNamespaceEmpty,
		},
		{
			name: "sandbox not found",
			c:    newPodCache(updateEvent),
			args: args{
				name:      "my-pod",
				namespace: "default",
			},
			wantErr:      true,
			wantErrError: errSandboxNotFound,
		},
		{
			name: "sandbox found",
			c:    cacheWithEntry,
			args: args{
				name:      "my-pod",
				namespace: "default",
			},
			wantErr: false,
			want:    "entry",
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			got, err := tt.c.FindSandboxID(tt.args.name, tt.args.namespace)
			if (err != nil) != tt.wantErr {
				t.Errorf("podCache.FindSandboxID() error = %v, wantErr %v", err, tt.wantErr)
				return
			}
			if got != tt.want {
				t.Errorf("podCache.FindSandboxID() = %v, want %v", got, tt.want)
			}
			if tt.wantErr {
				if err != tt.wantErrError {
					t.Errorf("podCache.FindSandboxID() error = %v, wantErrError %v", err, tt.wantErrError)
				}
			}
		})
	}
}

type unitTestUpdateEvent interface {
	f() updateEventFunc
	wait()
	called() bool
}
type unitTestUpdateEventHandler struct {
	sync.RWMutex
	wg        sync.WaitGroup
	wgCounter int
	wasCalled bool
	err       error
}

func (h *unitTestUpdateEventHandler) updateEvent(context.Context, string) error {
	h.Lock()
	defer h.Unlock()
	h.wasCalled = true
	if h.wgCounter > 0 {
		h.wgCounter--
	}
	if h.wgCounter >= 0 {
		h.wg.Done()
	}
	return h.err
}

func (h *unitTestUpdateEventHandler) f() updateEventFunc {
	return h.updateEvent
}

func (h *unitTestUpdateEventHandler) wait() {
	h.wg.Wait()
}

func (h *unitTestUpdateEventHandler) called() bool {
	h.RLock()
	defer h.RUnlock()
	return h.wasCalled
}

func newUnitTestUpdateEventHandler(n int, err error) unitTestUpdateEvent {
	h := &unitTestUpdateEventHandler{
		err:       err,
		wgCounter: n,
	}
	h.wg.Add(n)
	return h
}

func Test_podCache_SetupInformer(t *testing.T) {
	podTemplate := &corev1.Pod{
		ObjectMeta: metav1.ObjectMeta{
			Name:      "my-pod",
			Namespace: "default",
		},
		Spec: corev1.PodSpec{
			NodeName: "test",
		},
	}
	running := corev1.ContainerStateRunning{}
	pending := corev1.ContainerStateWaiting{}

	hostpodTemplate := &corev1.Pod{
		ObjectMeta: metav1.ObjectMeta{
			Name:      "my-host-pod",
			Namespace: "default",
		},
		Spec: corev1.PodSpec{
			NodeName:    "test",
			HostNetwork: true,
		},
		Status: corev1.PodStatus{
			Phase: corev1.PodRunning,
			InitContainerStatuses: []corev1.ContainerStatus{
				{
					ContainerID: "testing://containerID",
					Ready:       true,
					State: corev1.ContainerState{
						Waiting: &pending,
					},
				},
			},
			ContainerStatuses: []corev1.ContainerStatus{
				{
					ContainerID: "broken-container-id-needs-to-be-skipped",
					Ready:       true,
					State: corev1.ContainerState{
						Waiting: &pending,
					},
				},
			},
		},
	}
	updateHostPodTemplate := hostpodTemplate.DeepCopy()
	updateHostPodTemplate.Status.InitContainerStatuses[0].State.Running = &running
	updateHostPodTemplate2 := updateHostPodTemplate.DeepCopy()
	updateHostPodTemplate2.Labels = map[string]string{
		"a": "b",
	}

	updatedPodTemplate := podTemplate.DeepCopy()
	updatedPodTemplate.Labels = map[string]string{
		"a": "b",
	}
	updatedPodTemplate2 := updatedPodTemplate.DeepCopy()
	updatedPodTemplate2.Annotations = map[string]string{
		"annotated": "",
	}

	untrackedPodOnSameHostTemplate := &corev1.Pod{
		ObjectMeta: metav1.ObjectMeta{
			Name:      "untracked-same-host",
			Namespace: "default",
		},
		Spec: corev1.PodSpec{
			NodeName: "test",
		},
	}
	untrackedPodOnDifferentHostTemplate := &corev1.Pod{
		ObjectMeta: metav1.ObjectMeta{
			Name:      "untracked-different-host",
			Namespace: "default",
		},
		Spec: corev1.PodSpec{
			NodeName: "different",
		},
	}

	c := fake.NewSimpleClientset(
		podTemplate.DeepCopy(),
		untrackedPodOnSameHostTemplate.DeepCopy(),
		untrackedPodOnDifferentHostTemplate.DeepCopy(),
		hostpodTemplate.DeepCopy(),
	)

	type fields struct {
		pods map[string]*corev1.Pod
	}
	type args struct {
		ctx         context.Context
		kubeClient  kubernetes.Interface
		nodeName    string
		needsUpdate needsUpdateFunc
	}
	tests := []struct {
		name                string
		updateEventHandler  unitTestUpdateEvent
		fields              fields
		args                args
		action              func(*testing.T, *podCache)
		expectedUpdateEvent bool
		expectedPods        map[string]*corev1.Pod
	}{
		{
			name:               "update to a pod which we have in cache which requires update event",
			updateEventHandler: newUnitTestUpdateEventHandler(1, fmt.Errorf("increase coverage")),
			fields: fields{
				pods: map[string]*corev1.Pod{
					"entry": podTemplate.DeepCopy(),
				},
			},
			args: args{
				ctx:         context.Background(),
				kubeClient:  c,
				nodeName:    "test",
				needsUpdate: defaultNeedsUpdate,
			},
			action: func(_ *testing.T, _ *podCache) {
				_, err := c.CoreV1().Pods("default").Update(context.Background(), updatedPodTemplate.DeepCopy(), metav1.UpdateOptions{})
				if err != nil {
					panic(err)
				}
			},
			expectedUpdateEvent: true,
			expectedPods: map[string]*corev1.Pod{
				"entry": updatedPodTemplate.DeepCopy(),
			},
		},
		{
			name:               "update to a pod which we have in cache which does not require an update event",
			updateEventHandler: newUnitTestUpdateEventHandler(0, nil),
			fields: fields{
				pods: map[string]*corev1.Pod{
					"entry": podTemplate.DeepCopy(),
				},
			},
			args: args{
				ctx:         context.Background(),
				kubeClient:  c,
				nodeName:    "test",
				needsUpdate: defaultNeedsUpdate,
			},
			action: func(_ *testing.T, _ *podCache) {
				_, err := c.CoreV1().Pods("default").Update(context.Background(), updatedPodTemplate2.DeepCopy(), metav1.UpdateOptions{})
				if err != nil {
					panic(err)
				}
				time.Sleep(time.Millisecond * 100)
			},
			expectedUpdateEvent: false,
			expectedPods: map[string]*corev1.Pod{
				"entry": updatedPodTemplate2.DeepCopy(),
			},
		},
		{
			name:               "update to a pod from different host which we do not track",
			updateEventHandler: newUnitTestUpdateEventHandler(0, nil),
			fields: fields{
				pods: map[string]*corev1.Pod{
					"entry": podTemplate.DeepCopy(),
				},
			},
			args: args{
				ctx:         context.Background(),
				kubeClient:  c,
				nodeName:    "test",
				needsUpdate: defaultNeedsUpdate,
			},
			action: func(_ *testing.T, _ *podCache) {
				updated := untrackedPodOnDifferentHostTemplate.DeepCopy()
				updated.Labels = map[string]string{
					"update": "",
				}
				_, err := c.CoreV1().Pods("default").Update(context.Background(), updated.DeepCopy(), metav1.UpdateOptions{})
				if err != nil {
					panic(err)
				}
			},
			expectedUpdateEvent: false,
			expectedPods: map[string]*corev1.Pod{
				"entry": podTemplate.DeepCopy(),
			},
		},
		{
			name:               "update to a pod from the same host which we do not track",
			updateEventHandler: newUnitTestUpdateEventHandler(0, nil),
			fields: fields{
				pods: map[string]*corev1.Pod{
					"entry": podTemplate.DeepCopy(),
				},
			},
			args: args{
				ctx:         context.Background(),
				kubeClient:  c,
				nodeName:    "test",
				needsUpdate: defaultNeedsUpdate,
			},
			action: func(_ *testing.T, _ *podCache) {
				updated := untrackedPodOnSameHostTemplate.DeepCopy()
				updated.Labels = map[string]string{
					"update": "",
				}
				_, err := c.CoreV1().Pods("default").Update(context.Background(), updated.DeepCopy(), metav1.UpdateOptions{})
				if err != nil {
					panic(err)
				}
			},
			expectedUpdateEvent: false,
			expectedPods: map[string]*corev1.Pod{
				"entry": podTemplate.DeepCopy(),
			},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			c := &podCache{
				pods:        tt.fields.pods,
				updateEvent: tt.updateEventHandler.f(),
			}
			ctx, cancel := context.WithCancel(tt.args.ctx)
			c.SetupInformer(ctx, tt.args.kubeClient, tt.args.nodeName, tt.args.needsUpdate)
			tt.action(t, c)
			tt.updateEventHandler.wait()
			c.RLock()
			if !reflect.DeepEqual(c.pods, tt.expectedPods) {
				t.Errorf("c.pods = %v, want %v", c.pods, tt.expectedPods)
			}
			c.RUnlock()
			if tt.expectedUpdateEvent != tt.updateEventHandler.called() {
				t.Errorf("updateEventHandler.called() = %v, want %v", tt.updateEventHandler.called(), tt.expectedUpdateEvent)
			}
			cancel()
		})
	}
}

func Test_defaultNeedsUpdate(t *testing.T) {
	type args struct {
		prev *corev1.Pod
		obj  *corev1.Pod
	}
	tests := []struct {
		name string
		args args
		want bool
	}{
		{
			name: "labels are both nil",
			args: args{
				prev: &corev1.Pod{},
				obj:  &corev1.Pod{},
			},
			want: false,
		},
		{
			name: "labels are empty",
			args: args{
				prev: &corev1.Pod{
					ObjectMeta: metav1.ObjectMeta{
						Labels: map[string]string{},
					},
				},
				obj: &corev1.Pod{
					ObjectMeta: metav1.ObjectMeta{
						Labels: map[string]string{},
					},
				},
			},
			want: false,
		},
		{
			name: "labels are the same",
			args: args{
				prev: &corev1.Pod{
					ObjectMeta: metav1.ObjectMeta{
						Labels: map[string]string{
							"a": "b",
						},
					},
				},
				obj: &corev1.Pod{
					ObjectMeta: metav1.ObjectMeta{
						Labels: map[string]string{
							"a": "b",
						},
					},
				},
			},
			want: false,
		},
		{
			name: "labels are the same, but one has annotations",
			args: args{
				prev: &corev1.Pod{
					ObjectMeta: metav1.ObjectMeta{
						Labels: map[string]string{
							"a": "b",
						},
					},
				},
				obj: &corev1.Pod{
					ObjectMeta: metav1.ObjectMeta{
						Labels: map[string]string{
							"a": "b",
						},
						Annotations: map[string]string{
							"a": "b",
						},
					},
				},
			},
			want: false,
		},
		{
			name: "labels are nil in prev, but set on new",
			args: args{
				prev: &corev1.Pod{},
				obj: &corev1.Pod{
					ObjectMeta: metav1.ObjectMeta{
						Labels: map[string]string{
							"a": "b",
						},
					},
				},
			},
			want: true,
		},
		{
			name: "labels are empty in prev, but set on new",
			args: args{
				prev: &corev1.Pod{
					ObjectMeta: metav1.ObjectMeta{
						Labels: map[string]string{},
					},
				},
				obj: &corev1.Pod{
					ObjectMeta: metav1.ObjectMeta{
						Labels: map[string]string{
							"a": "b",
						},
					},
				},
			},
			want: true,
		},
		{
			name: "labels have same key but different value",
			args: args{
				prev: &corev1.Pod{
					ObjectMeta: metav1.ObjectMeta{
						Labels: map[string]string{
							"a": "a",
						},
					},
				},
				obj: &corev1.Pod{
					ObjectMeta: metav1.ObjectMeta{
						Labels: map[string]string{
							"a": "b",
						},
					},
				},
			},
			want: true,
		},
		{
			name: "prev has one label more",
			args: args{
				prev: &corev1.Pod{
					ObjectMeta: metav1.ObjectMeta{
						Labels: map[string]string{
							"a": "b",
							"b": "b",
						},
					},
				},
				obj: &corev1.Pod{
					ObjectMeta: metav1.ObjectMeta{
						Labels: map[string]string{
							"a": "b",
						},
					},
				},
			},
			want: true,
		},
		{
			name: "prev has different labels",
			args: args{
				prev: &corev1.Pod{
					ObjectMeta: metav1.ObjectMeta{
						Labels: map[string]string{
							"b": "b",
						},
					},
				},
				obj: &corev1.Pod{
					ObjectMeta: metav1.ObjectMeta{
						Labels: map[string]string{
							"a": "b",
						},
					},
				},
			},
			want: true,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			if got := defaultNeedsUpdate(tt.args.prev, tt.args.obj); got != tt.want {
				t.Errorf("defaultNeedsUpdate() = %v, want %v", got, tt.want)
			}
		})
	}
}


================================================
FILE: monitor/internal/k8s/runtime_cache.go
================================================
package k8smonitor

import (
	"context"
	"sync"
	"time"

	"go.aporeto.io/enforcerd/trireme-lib/policy"
	"go.uber.org/zap"
)

var (
	// defaultLoopWait defines how often we loop over the entries to discover dead containers
	defaultLoopWait = time.Second * 5
)

type runtimeCacheInterface interface {
	Delete(sandboxID string)
	Get(sandboxID string) policy.RuntimeReader
	Set(sandboxID string, runtime policy.RuntimeReader) error
}

var _ runtimeCacheInterface = &runtimeCache{}

type runtimeCache struct {
	sync.RWMutex
	runtimes  map[string]runtimeCacheEntry
	loopWait  time.Duration
	stopEvent stopEventFunc
}

type runtimeCacheEntry struct {
	runtime policy.RuntimeReader
	running bool
}

func newRuntimeCache(ctx context.Context, stopEvent stopEventFunc) *runtimeCache {
	c := &runtimeCache{
		runtimes:  make(map[string]runtimeCacheEntry),
		loopWait:  defaultLoopWait,
		stopEvent: stopEvent,
	}
	if c.loopWait > 0 {
		go c.loop(ctx)
	}
	return c
}

func makeSnapshot(m map[string]runtimeCacheEntry) map[string]policy.RuntimeReader {
	snap := make(map[string]policy.RuntimeReader, len(m))
	for k, v := range m {
		if v.running {
			snap[k] = v.runtime
		}
	}
	return snap
}

// loop is very awkward: it implements a runtime poller that checks if all runtimes
// are actually still running. If not, it sends a stop event.
// NOTE: this must be deprecated once we have hooked into the OCI runtime hooks in the bundle!
func (c *runtimeCache) loop(ctx context.Context) {
loop:
	for {
		select {
		case <-ctx.Done():
			break loop
		case <-time.After(c.loopWait):
			c.RLock()
			if len(c.runtimes) > 0 {
				// take a snapshot
				snap := makeSnapshot(c.runtimes)
				c.RUnlock()
				// and process them
				c.processRuntimes(ctx, snap)
			} else {
				c.RUnlock()
			}
		}
	}
}

// processRuntimes takes a snapshot of the runtimeCache, checks if the process is running, and sends a stop event if not
func (c *runtimeCache) processRuntimes(ctx context.Context, snap map[string]policy.RuntimeReader) {
	for id, runtime := range snap {
		pid := runtime.Pid()
		if pid > 0 {
			if running, err := sandboxIsRunning(pid); !running {
				// if there has been error checking, just continue
				if err != nil {
					zap.L().Error("K8sMonitor: runtime poller: failed to check if sandbox is still running",
						zap.String("sandboxID", id),
						zap.Int("sandboxPid", pid),
						zap.Error(err),
					)
					continue
				}
				zap.L().Debug("K8sMonitor: runtime poller: sandbox container must have stopped", zap.String("sandboxID", id), zap.Int("sandboxPid", pid), zap.Error(err))

				// update the entry
				c.Lock()
				if _, ok := c.runtimes[id]; ok {
					c.runtimes[id] = runtimeCacheEntry{
						runtime: runtime,
						running: false,
					}
				}
				c.Unlock()

				// fire away a stop event to the policy engine
				// log an error as every caller should do, but continue normally
				// there is nothing we can do about the error
				go func(ctx context.Context, sandboxID string) {
					if err := c.stopEvent(ctx, sandboxID); err != nil {
						zap.L().Error("K8sMonitor: runtime poller: failed to send stop event to policy engine", zap.String("sandboxID", sandboxID), zap.Error(err))
					}
				}(ctx, id)
			}
		}
	}
}

func (c *runtimeCache) Get(sandboxID string) policy.RuntimeReader {
	if c == nil {
		return nil
	}
	c.RLock()
	defer c.RUnlock()
	if c.runtimes == nil {
		return nil
	}
	r, ok := c.runtimes[sandboxID]
	if !ok {
		return nil
	}
	// TODO: should return a clone, not a pointer
	return r.runtime
}

func (c *runtimeCache) Set(sandboxID string, runtime policy.RuntimeReader) error {
	if c == nil {
		return errCacheUninitialized
	}
	if sandboxID == "" {
		return errSandboxEmpty
	}
	if runtime == nil {
		return errRuntimeNil
	}
	c.Lock()
	defer c.Unlock()
	if c.runtimes == nil {
		return errCacheUninitialized
	}
	c.runtimes[sandboxID] = runtimeCacheEntry{
		runtime: runtime,
		running: true,
	}
	return nil
}

func (c *runtimeCache) Delete(sandboxID string) {
	if c == nil {
		return
	}
	c.Lock()
	defer c.Unlock()
	delete(c.runtimes, sandboxID)
}


================================================
FILE: monitor/internal/k8s/runtime_cache_linux.go
================================================
// +build linux

package k8smonitor

import (
	"syscall"
)

// syscallKill points to syscall.Kill and can be overwritten in unit tests
var syscallKill func(pid int, sig syscall.Signal) (err error) = syscall.Kill

func sandboxIsRunning(pid int) (bool, error) {
	if err := syscallKill(pid, syscall.Signal(0)); err != nil {
		// the expected error is ESRCH: The process or process group does not exist.
		if err != syscall.ESRCH {
			return false, err
		}

		// this is a successful check that the process is dead
		// and therefore the sandbox is not running anymore
		return false, nil
	}

	// otherwise it means that the process is not dead and is still running
	return true, nil
}


================================================
FILE: monitor/internal/k8s/runtime_cache_test.go
================================================
// +build linux

package k8smonitor

// TODO: make compatible with Windows

import (
	"context"
	"fmt"
	"reflect"
	"sync"
	"syscall"
	"testing"
	"time"

	"go.aporeto.io/enforcerd/trireme-lib/common"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
)

func Test_runtimeCache_Delete(t *testing.T) {
	stopEvent := func(context.Context, string) error {
		return nil
	}

	// override globals for unit tests
	oldDefaultLoopWait := defaultLoopWait
	oldSyscallKill := syscallKill
	defer func() {
		defaultLoopWait = oldDefaultLoopWait
		syscallKill = oldSyscallKill
	}()
	defaultLoopWait = time.Duration(0)
	syscallKill = func(int, syscall.Signal) (err error) {
		return nil
	}

	tests := []struct {
		name      string
		c         *runtimeCache
		sandboxID string
	}{
		{
			name:      "cache uninitialized",
			c:         nil,
			sandboxID: "does-not-matter",
		},
		{
			name:      "cache initialized",
			c:         newRuntimeCache(context.TODO(), stopEvent),
			sandboxID: "does-not-mater",
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			tt.c.Delete(tt.sandboxID)
		})
	}
}

func Test_runtimeCache_Set(t *testing.T) {
	stopEvent := func(context.Context, string) error {
		return nil
	}

	// override globals for unit tests
	oldDefaultLoopWait := defaultLoopWait
	oldSyscallKill := syscallKill
	defer func() {
		defaultLoopWait = oldDefaultLoopWait
		syscallKill = oldSyscallKill
	}()
	defaultLoopWait = time.Duration(0)
	syscallKill = func(int, syscall.Signal) (err error) {
		return nil
	}

	type args struct {
		sandboxID string
		runtime   policy.RuntimeReader
	}
	tests := []struct {
		name         string
		c            *runtimeCache
		args         args
		wantErr      bool
		wantErrError error
	}{
		{
			name:         "cache uninitialized",
			c:            nil,
			wantErr:      true,
			wantErrError: errCacheUninitialized,
		},
		{
			name:         "cache has unintialized map",
			c:            &runtimeCache{},
			wantErr:      true,
			wantErrError: errCacheUninitialized,
			args: args{
				sandboxID: "does-not-matter",
				runtime:   policy.NewPURuntimeWithDefaults(),
			},
		},
		{
			name:         "no sandboxID",
			c:            newRuntimeCache(context.TODO(), stopEvent),
			wantErr:      true,
			wantErrError: errSandboxEmpty,
			args: args{
				sandboxID: "",
				runtime:   policy.NewPURuntimeWithDefaults(),
			},
		},
		{
			name:         "runtime is nil",
			c:            newRuntimeCache(context.TODO(), stopEvent),
			wantErr:      true,
			wantErrError: errRuntimeNil,
			args: args{
				sandboxID: "does-not-matter",
				runtime:   nil,
			},
		},
		{
			name:    "successful update entry",
			c:       newRuntimeCache(context.TODO(), stopEvent),
			wantErr: false,
			args: args{
				sandboxID: "does-not-matter",
				runtime:   policy.NewPURuntimeWithDefaults(),
			},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			err := tt.c.Set(tt.args.sandboxID, tt.args.runtime)
			if (err != nil) != tt.wantErr {
				t.Errorf("runtimeCache.Set() error = %v, wantErr %v", err, tt.wantErr)
			}
			if tt.wantErr {
				if err != tt.wantErrError {
					t.Errorf("runtimeCache.Set() error = %v, wantErrError %v", err, tt.wantErrError)
				}
			}
		})
	}
}

func Test_runtimeCache_Get(t *testing.T) {
	stopEvent := func(context.Context, string) error {
		return nil
	}

	// override globals for unit tests
	oldDefaultLoopWait := defaultLoopWait
	oldSyscallKill := syscallKill
	defer func() {
		defaultLoopWait = oldDefaultLoopWait
		syscallKill = oldSyscallKill
	}()
	defaultLoopWait = time.Duration(0)
	syscallKill = func(int, syscall.Signal) (err error) {
		return nil
	}

	cacheWithEntry := newRuntimeCache(context.TODO(), stopEvent)
	if err := cacheWithEntry.Set("entry", policy.NewPURuntimeWithDefaults()); err != nil {
		panic(err)
	}
	tests := []struct {
		name      string
		sandboxID string
		c         *runtimeCache
		want      policy.RuntimeReader
	}{
		{
			name: "uninitialized runtimeCache",
			c:    nil,
			want: nil,
		},
		{
			name: "uninitialized map in runtimeCache",
			c:    &runtimeCache{},
			want: nil,
		},
		{
			name:      "entry does not exist",
			c:         newRuntimeCache(context.TODO(), stopEvent),
			sandboxID: "does-not-exist",
			want:      nil,
		},
		{
			name:      "entry exists",
			c:         cacheWithEntry,
			sandboxID: "entry",
			want:      policy.NewPURuntimeWithDefaults(),
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			if got := tt.c.Get(tt.sandboxID); !reflect.DeepEqual(got, tt.want) {
				t.Errorf("runtimeCache.Get() = %v, want %v", got, tt.want)
			}
		})
	}
}

func Test_makeSnapshot(t *testing.T) {
	type args struct {
		m map[string]runtimeCacheEntry
	}
	tests := []struct {
		name string
		args args
		want map[string]policy.RuntimeReader
	}{
		{
			name: "empty",
			args: args{
				m: map[string]runtimeCacheEntry{},
			},
			want: map[string]policy.RuntimeReader{},
		},
		{
			name: "not-running entry",
			args: args{
				m: map[string]runtimeCacheEntry{
					"entry": {
						runtime: policy.NewPURuntimeWithDefaults(),
						running: false,
					},
				},
			},
			want: map[string]policy.RuntimeReader{},
		},
		{
			name: "running entry",
			args: args{
				m: map[string]runtimeCacheEntry{
					"entry": {
						runtime: policy.NewPURuntimeWithDefaults(),
						running: true,
					},
				},
			},
			want: map[string]policy.RuntimeReader{
				"entry": policy.NewPURuntimeWithDefaults(),
			},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			if got := makeSnapshot(tt.args.m); !reflect.DeepEqual(got, tt.want) {
				t.Errorf("makeSnapshot() = %v, want %v", got, tt.want)
			}
		})
	}
}

type unitTestStopEvent interface {
	f() stopEventFunc
	wait()
	called() bool
}
type unitTestStopEventHandler struct {
	sync.RWMutex
	wg        sync.WaitGroup
	wgCounter int
	wasCalled bool
	err       error
}

func (h *unitTestStopEventHandler) stopEvent(context.Context, string) error {
	h.Lock()
	defer h.Unlock()
	h.wasCalled = true
	if h.wgCounter > 0 {
		h.wgCounter--
	}
	if h.wgCounter >= 0 {
		h.wg.Done()
	}
	return h.err
}

func (h *unitTestStopEventHandler) f() stopEventFunc {
	return h.stopEvent
}

func (h *unitTestStopEventHandler) wait() {
	h.wg.Wait()
}

func (h *unitTestStopEventHandler) called() bool {
	h.RLock()
	defer h.RUnlock()
	return h.wasCalled
}

func newUnitTestStopEventHandler(n int, err error) unitTestStopEvent {
	h := &unitTestStopEventHandler{
		err:       err,
		wgCounter: n,
	}
	h.wg.Add(n)
	return h
}

func Test_runtimeCache_processRuntimes(t *testing.T) {
	// override globals for unit tests
	oldDefaultLoopWait := defaultLoopWait
	oldSyscallKill := syscallKill
	defer func() {
		defaultLoopWait = oldDefaultLoopWait
		syscallKill = oldSyscallKill
	}()
	defaultLoopWait = time.Duration(0)
	syscallKill = func(int, syscall.Signal) (err error) {
		return nil
	}

	type fields struct {
		runtimes map[string]runtimeCacheEntry
	}
	type args struct {
		ctx  context.Context
		snap map[string]policy.RuntimeReader
	}

	runtime := policy.NewPURuntime("entry", 42, "", nil, nil, common.ContainerPU, policy.None, nil)
	tests := []struct {
		name              string
		syscallKill       func(int, syscall.Signal) error
		stopEventHandler  unitTestStopEvent
		fields            fields
		args              args
		expectedStopEvent bool
		expectedRuntimes  map[string]runtimeCacheEntry
	}{
		{
			name: "process still running",
			syscallKill: func(int, syscall.Signal) error {
				return nil
			},
			stopEventHandler: newUnitTestStopEventHandler(0, nil),
			fields: fields{
				runtimes: map[string]runtimeCacheEntry{
					"entry": {
						runtime: runtime,
						running: true,
					},
				},
			},
			args: args{
				ctx: context.Background(),
				snap: map[string]policy.RuntimeReader{
					"entry": runtime,
				},
			},
			expectedStopEvent: false,
			expectedRuntimes: map[string]runtimeCacheEntry{
				"entry": {
					runtime: runtime,
					running: true,
				},
			},
		},
		{
			name: "syscall returns unexpected error",
			syscallKill: func(int, syscall.Signal) error {
				return fmt.Errorf("unexpected error")
			},
			stopEventHandler: newUnitTestStopEventHandler(0, nil),
			fields: fields{
				runtimes: map[string]runtimeCacheEntry{
					"entry": {
						runtime: runtime,
						running: true,
					},
				},
			},
			args: args{
				ctx: context.Background(),
				snap: map[string]policy.RuntimeReader{
					"entry": runtime,
				},
			},
			expectedStopEvent: false,
			expectedRuntimes: map[string]runtimeCacheEntry{
				"entry": {
					runtime: runtime,
					running: true,
				},
			},
		},
		{
			name: "process not running anymore",
			syscallKill: func(int, syscall.Signal) error {
				return syscall.ESRCH
			},
			stopEventHandler: newUnitTestStopEventHandler(1, fmt.Errorf("more test coverage")),
			fields: fields{
				runtimes: map[string]runtimeCacheEntry{
					"entry": {
						runtime: runtime,
						running: true,
					},
				},
			},
			args: args{
				ctx: context.Background(),
				snap: map[string]policy.RuntimeReader{
					"entry": runtime,
				},
			},
			expectedStopEvent: true,
			expectedRuntimes: map[string]runtimeCacheEntry{
				"entry": {
					runtime: runtime,
					running: false,
				},
			},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			syscallKill = tt.syscallKill
			c := &runtimeCache{
				runtimes:  tt.fields.runtimes,
				stopEvent: tt.stopEventHandler.f(),
			}
			ctx, cancel := context.WithCancel(tt.args.ctx)
			defer cancel()
			c.processRuntimes(ctx, tt.args.snap)
			tt.stopEventHandler.wait()
			if !reflect.DeepEqual(c.runtimes, tt.expectedRuntimes) {
				t.Errorf("c.runtimes = %v, want %v", c.runtimes, tt.expectedRuntimes)
			}
			if tt.expectedStopEvent != tt.stopEventHandler.called() {
				t.Errorf("stopEventHandler.called() = %v, want %v", tt.stopEventHandler.called(), tt.expectedStopEvent)
			}
		})
	}
}

func Test_runtimeCache_loop(t *testing.T) {
	stopEventHandler := newUnitTestStopEventHandler(1, nil)

	// override globals for unit tests
	oldDefaultLoopWait := defaultLoopWait
	oldSyscallKill := syscallKill
	defer func() {
		defaultLoopWait = oldDefaultLoopWait
		syscallKill = oldSyscallKill
	}()
	defaultLoopWait = time.Duration(1)
	syscallKill = func(int, syscall.Signal) error {
		return syscall.ESRCH
	}

	tests := []struct {
		name             string
		stopEventHandler unitTestStopEvent
	}{
		{
			name:             "successful loop",
			stopEventHandler: stopEventHandler,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			// this starts the loop already
			ctx, cancel := context.WithCancel(context.Background())
			c := newRuntimeCache(ctx, tt.stopEventHandler.f())

			// TODO: to get that last inch of coverage :) not sure how else to get that
			time.Sleep(time.Millisecond * 10)

			// add a runtime
			runtime := policy.NewPURuntime("entry", 42, "", nil, nil, common.ContainerPU, policy.None, nil)
			c.Set("entry", runtime) // nolint: errcheck
			c.RLock()
			if c.runtimes["entry"].running != true { // nolint
				t.Errorf("entry is not marked as running")
			}
			c.RUnlock()

			// wait until the stop event was called
			tt.stopEventHandler.wait()
			cancel()

			c.RLock()
			if c.runtimes["entry"].running != false { // nolint
				t.Errorf("entry is still marked as running")
			}
			c.RUnlock()
		})
	}
}


================================================
FILE: monitor/internal/k8s/runtime_cache_unsupported.go
================================================
// +build !linux,!windows

package k8smonitor

import (
	"errors"
)

func sandboxIsRunning(pid int) (bool, error) {
	return false, errors.New("unsupported platform")
}


================================================
FILE: monitor/internal/k8s/runtime_cache_windows.go
================================================
// +build windows

package k8smonitor

func sandboxIsRunning(pid int) (bool, error) {
	// TODO: implement
	return true, nil
}


================================================
FILE: monitor/internal/k8s/testdata/kubeconfig
================================================
apiVersion: v1
clusters:
- cluster:
    server: https://localhost:9443
  name: apiserver
contexts:
- context:
    cluster: apiserver
    user: apiserver
  name: apiserver
current-context: apiserver
kind: Config
preferences: {}
users:
- name: apiserver
  user: {}

================================================
FILE: monitor/internal/kubernetes/DEPRECATED.txt
================================================
This monitor has been deprecated in favour of the 'pod' monitor.


================================================
FILE: monitor/internal/kubernetes/cache.go
================================================
// +build !windows

package kubernetesmonitor

import (
	"sync"

	"go.aporeto.io/trireme-lib/policy"
)

// puidCacheEntry is a Kubernetes entry based on Docker as a key.
// This entry keeps track of the DockerMonitor properties that cannot be queried later on (such as the runtime)
type puidCacheEntry struct {
	// podID is the reference to the Kubernetes pod that this container refers to
	kubeIdentifier string

	// The latest reference to the runtime as received from DockerMonitor
	dockerRuntime policy.RuntimeReader

	// The latest reference to the runtime as received from DockerMonitor
	kubernetesRuntime policy.RuntimeReader
}

// podCacheEntry is a Kubernetes entry based on a Pod as Key. The main goal here is to keep a mapping to all
// existing Dockers PUIDs implementing this pod (as there might be multiple)
type podCacheEntry struct {
	// puIDs us a map containing a link to all the containers currently known to be part of that pod.
	puIDs map[string]bool
}

// Cache is a cache implementation specific to KubernetesMonitor.
// puidCache is centered on Docker and podCache is centered on Kubernetes
type cache struct {
	// popuidCache keeps a mapping between a PUID and the corresponding puidCacheEntry.
	puidCache map[string]*puidCacheEntry

	// podCache keeps a mapping between a POD/Namespace name and the corresponding podCacheEntry.
	podCache map[string]*podCacheEntry

	// Lock for the whole cache
	sync.RWMutex
}

// NewCache initialize a cache
func newCache() *cache {
	return &cache{
		puidCache: map[string]*puidCacheEntry{},
		podCache:  map[string]*podCacheEntry{},
	}
}

func kubePodIdentifier(podName string, podNamespace string) string {
	return podNamespace + "/" + podName
}

// updatePUIDCache updates the cache with an entry coming from a container perspective
func (c *cache) updatePUIDCache(podNamespace string, podName string, puID string, dockerRuntime policy.RuntimeReader, kubernetesRuntime policy.RuntimeReader) {
	if podNamespace == "" || podName == "" || puID == "" {
		return
	}

	c.Lock()
	defer c.Unlock()

	kubeIdentifier := kubePodIdentifier(podName, podNamespace)

	puidEntry, ok := c.puidCache[puID]
	if !ok {
		puidEntry = &puidCacheEntry{}
		c.puidCache[puID] = puidEntry
	}
	puidEntry.kubeIdentifier = kubeIdentifier
	puidEntry.dockerRuntime = dockerRuntime
	puidEntry.kubernetesRuntime = kubernetesRuntime

	podEntry, ok := c.podCache[kubeIdentifier]
	if !ok {
		podEntry = &podCacheEntry{}
		podEntry.puIDs = map[string]bool{}
		c.podCache[kubeIdentifier] = podEntry
	}
	podEntry.puIDs[puID] = true

}

// deletePUIDCache deletes puid corresponding entries from the cache.
func (c *cache) deletePUIDCache(puID string) {
	c.Lock()
	defer c.Unlock()

	// Remove from pod cache.
	puidEntry, ok := c.puidCache[puID]
	if !ok {
		return
	}
	kubeIdentifier := puidEntry.kubeIdentifier

	podEntry, ok := c.podCache[kubeIdentifier]
	if !ok {
		return
	}

	delete(podEntry.puIDs, puID)

	// if no more containers in the pod, delete the podEntry.
	if len(podEntry.puIDs) == 0 {
		delete(c.podCache, kubeIdentifier)
	}

	// delete entry in puidcache
	delete(c.puidCache, puID)
}

// getOrCreatePodFromCache locks the cache in order to return the pod cache entry if found, or create it if not found
func (c *cache) getPUIDsbyPod(podNamespace string, podName string) []string {
	c.RLock()
	defer c.RUnlock()

	kubeIdentifier := kubePodIdentifier(podName, podNamespace)
	podEntry, ok := c.podCache[kubeIdentifier]
	if !ok {
		return []string{}
	}

	return keysFromMap(podEntry.puIDs)
}

// getRuntimeByPUID locks the cache in order to return the pod cache entry if found, or create it if not found
func (c *cache) getDockerRuntimeByPUID(puid string) policy.RuntimeReader {
	c.RLock()
	defer c.RUnlock()

	puidEntry, ok := c.puidCache[puid]
	if !ok {
		return nil
	}

	return puidEntry.dockerRuntime
}

// getRuntimeByPUID locks the cache in order to return the pod cache entry if found, or create it if not found
func (c *cache) getKubernetesRuntimeByPUID(puid string) policy.RuntimeReader {
	c.RLock()
	defer c.RUnlock()

	puidEntry, ok := c.puidCache[puid]
	if !ok {
		return nil
	}

	return puidEntry.kubernetesRuntime
}

// deletePodEntry locks the cache in order to deletes pod cache entry.
func (c *cache) deletePodEntry(podNamespace string, podName string) {
	c.Lock()
	defer c.Unlock()

	kubeIdentifier := kubePodIdentifier(podName, podNamespace)

	delete(c.podCache, kubeIdentifier)
}

// deletePUID locks the cache in order to delete the puid from puidcache.
func (c *cache) deletePUIDEntry(puid string) {
	c.Lock()
	defer c.Unlock()

	delete(c.puidCache, puid)
}

func keysFromMap(m map[string]bool) []string {
	keys := make([]string, len(m))

	i := 0
	for k := range m {
		keys[i] = k
		i++
	}

	return keys
}


================================================
FILE: monitor/internal/kubernetes/cache_test.go
================================================
// +build !windows

package kubernetesmonitor

import (
	"reflect"
	"sync"
	"testing"

	"go.aporeto.io/trireme-lib/policy"
)

func Test_cache_updatePUIDCache(t *testing.T) {

	// Pregenerating a couple fake runtimes
	runtime1 := policy.NewPURuntimeWithDefaults()
	runtime1.SetPid(1)
	runtime2 := policy.NewPURuntimeWithDefaults()
	runtime2.SetPid(2)
	runtime3 := policy.NewPURuntimeWithDefaults()
	runtime3.SetPid(3)

	type fields struct {
		puidCache map[string]*puidCacheEntry
		podCache  map[string]*podCacheEntry
		RWMutex   sync.RWMutex
	}
	type args struct {
		podNamespace      string
		podName           string
		puID              string
		dockerRuntime     policy.RuntimeReader
		kubernetesRuntime policy.RuntimeReader
	}
	tests := []struct {
		name         string
		fields       *fields
		fieldsResult *fields
		args         *args
	}{
		{
			name: "test empty all",
			fields: &fields{
				puidCache: map[string]*puidCacheEntry{},
				podCache:  map[string]*podCacheEntry{},
			},
			fieldsResult: &fields{
				puidCache: map[string]*puidCacheEntry{},
				podCache:  map[string]*podCacheEntry{},
			},
			args: &args{
				podNamespace:      "",
				podName:           "",
				puID:              "",
				dockerRuntime:     policy.NewPURuntimeWithDefaults(),
				kubernetesRuntime: policy.NewPURuntimeWithDefaults(),
			},
		},
		{
			name: "test empty NS",
			fields: &fields{
				puidCache: map[string]*puidCacheEntry{},
				podCache:  map[string]*podCacheEntry{},
			},
			fieldsResult: &fields{
				puidCache: map[string]*puidCacheEntry{},
				podCache:  map[string]*podCacheEntry{},
			},
			args: &args{
				podNamespace:      "",
				podName:           "xcvxcv",
				puID:              "xcvxcv",
				dockerRuntime:     policy.NewPURuntimeWithDefaults(),
				kubernetesRuntime: policy.NewPURuntimeWithDefaults(),
			},
		},
		{
			name: "test empty Name",
			fields: &fields{
				puidCache: map[string]*puidCacheEntry{},
				podCache:  map[string]*podCacheEntry{},
			},
			fieldsResult: &fields{
				puidCache: map[string]*puidCacheEntry{},
				podCache:  map[string]*podCacheEntry{},
			},
			args: &args{
				podNamespace:      "xcvxcv",
				podName:           "",
				puID:              "xcvxcv",
				dockerRuntime:     policy.NewPURuntimeWithDefaults(),
				kubernetesRuntime: policy.NewPURuntimeWithDefaults(),
			},
		},
		{
			name: "test empty PUID",
			fields: &fields{
				puidCache: map[string]*puidCacheEntry{},
				podCache:  map[string]*podCacheEntry{},
			},
			fieldsResult: &fields{
				puidCache: map[string]*puidCacheEntry{},
				podCache:  map[string]*podCacheEntry{},
			},
			args: &args{
				podNamespace:      "xcvxcv",
				podName:           "xcvxcv",
				puID:              "",
				dockerRuntime:     policy.NewPURuntimeWithDefaults(),
				kubernetesRuntime: policy.NewPURuntimeWithDefaults(),
			},
		},
		{
			name: "test normal behavior",
			fields: &fields{
				puidCache: map[string]*puidCacheEntry{},
				podCache:  map[string]*podCacheEntry{},
			},
			fieldsResult: &fields{
				puidCache: map[string]*puidCacheEntry{
					"123456": {
						kubeIdentifier:    "namespace/name",
						dockerRuntime:     runtime1,
						kubernetesRuntime: runtime2,
					},
				},
				podCache: map[string]*podCacheEntry{
					"namespace/name": {
						puIDs: map[string]bool{
							"123456": true,
						},
					},
				},
			},
			args: &args{
				podNamespace:      "namespace",
				podName:           "name",
				puID:              "123456",
				dockerRuntime:     runtime1,
				kubernetesRuntime: runtime2,
			},
		},
		{
			name: "test additive behavior",
			fields: &fields{
				puidCache: map[string]*puidCacheEntry{
					"123456": {
						kubeIdentifier:    "namespace/name",
						dockerRuntime:     runtime1,
						kubernetesRuntime: runtime2,
					},
				},
				podCache: map[string]*podCacheEntry{
					"namespace/name": {
						puIDs: map[string]bool{
							"123456": true,
						},
					},
				},
			},
			fieldsResult: &fields{
				puidCache: map[string]*puidCacheEntry{
					"123456": {
						kubeIdentifier:    "namespace/name",
						dockerRuntime:     runtime1,
						kubernetesRuntime: runtime2,
					},
					"abcdef": {
						kubeIdentifier:    "namespace2/name2",
						dockerRuntime:     runtime3,
						kubernetesRuntime: runtime2,
					},
				},
				podCache: map[string]*podCacheEntry{
					"namespace/name": {
						puIDs: map[string]bool{
							"123456": true,
						},
					},
					"namespace2/name2": {
						puIDs: map[string]bool{
							"abcdef": true,
						},
					},
				},
			},
			args: &args{
				podNamespace:      "namespace2",
				podName:           "name2",
				puID:              "abcdef",
				dockerRuntime:     runtime3,
				kubernetesRuntime: runtime2,
			},
		},
		{
			name: "test additive same pod",
			fields: &fields{
				puidCache: map[string]*puidCacheEntry{
					"123456": {
						kubeIdentifier:    "namespace/name",
						dockerRuntime:     runtime1,
						kubernetesRuntime: runtime2,
					},
				},
				podCache: map[string]*podCacheEntry{
					"namespace/name": {
						puIDs: map[string]bool{
							"123456": true,
						},
					},
				},
			},
			fieldsResult: &fields{
				puidCache: map[string]*puidCacheEntry{
					"123456": {
						kubeIdentifier:    "namespace/name",
						dockerRuntime:     runtime1,
						kubernetesRuntime: runtime2,
					},
					"abcdef": {
						kubeIdentifier:    "namespace/name",
						dockerRuntime:     runtime3,
						kubernetesRuntime: runtime2,
					},
				},
				podCache: map[string]*podCacheEntry{
					"namespace/name": {
						puIDs: map[string]bool{
							"123456": true,
							"abcdef": true,
						},
					},
				},
			},
			args: &args{
				podNamespace:      "namespace",
				podName:           "name",
				puID:              "abcdef",
				dockerRuntime:     runtime3,
				kubernetesRuntime: runtime2,
			},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			c := &cache{
				puidCache: tt.fields.puidCache,
				podCache:  tt.fields.podCache,
			}
			c.updatePUIDCache(tt.args.podNamespace, tt.args.podName, tt.args.puID, tt.args.dockerRuntime, tt.args.kubernetesRuntime)
			if !reflect.DeepEqual(c.puidCache, tt.fieldsResult.puidCache) {
				t.Errorf("updatePUIDCache() field. got %v, want %v", c.puidCache, tt.fieldsResult.puidCache)
			}
			if !reflect.DeepEqual(c.podCache, tt.fieldsResult.podCache) {
				t.Errorf("updatePUIDCache() field. got %v, want %v", c.podCache, tt.fieldsResult.podCache)
			}
		})
	}
}

func Test_cache_getPUIDsbyPod(t *testing.T) {
	puid1 := "12350"
	pod1 := "test/test5"
	puidEntry1 := &puidCacheEntry{
		kubeIdentifier: pod1,
	}
	podEntry1 := &podCacheEntry{
		puIDs: map[string]bool{
			puid1: true,
		},
	}

	type fields struct {
		puidCache map[string]*puidCacheEntry
		podCache  map[string]*podCacheEntry
		RWMutex   sync.RWMutex
	}
	type args struct {
		podNamespace string
		podName      string
	}
	tests := []struct {
		name   string
		fields *fields
		args   *args
		want   []string
	}{
		{
			name: "simple get",
			fields: &fields{
				puidCache: map[string]*puidCacheEntry{
					puid1: puidEntry1,
				},
				podCache: map[string]*podCacheEntry{
					pod1: podEntry1,
				},
			},
			args: &args{
				podName:      "test5",
				podNamespace: "test",
			},
			want: []string{puid1},
		},
		{
			name: "non existing",
			fields: &fields{
				puidCache: map[string]*puidCacheEntry{
					puid1: puidEntry1,
				},
				podCache: map[string]*podCacheEntry{
					pod1: podEntry1,
				},
			},
			args: &args{
				podName:      "test1",
				podNamespace: "test",
			},
			want: []string{},
		},
	}

	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			c := &cache{
				puidCache: tt.fields.puidCache,
				podCache:  tt.fields.podCache,
			}
			if got := c.getPUIDsbyPod(tt.args.podNamespace, tt.args.podName); !reflect.DeepEqual(got, tt.want) {
				t.Errorf("cache.getPUIDsbyPod() = %v, want %v", got, tt.want)
			}
		})
	}
}

func Test_cache_getDockerRuntimeByPUID(t *testing.T) {

	puid1 := "12346"
	pod1 := "test/test1"
	containerRuntime := policy.NewPURuntimeWithDefaults()
	containerRuntime.SetPid(123)
	puidEntry1 := &puidCacheEntry{
		kubeIdentifier: pod1,
		dockerRuntime:  containerRuntime,
	}
	podEntry1 := &podCacheEntry{
		puIDs: map[string]bool{
			puid1: true,
		},
	}

	type fields struct {
		puidCache map[string]*puidCacheEntry
		podCache  map[string]*podCacheEntry
		RWMutex   sync.RWMutex
	}
	type args struct {
		puid string
	}
	tests := []struct {
		name   string
		fields *fields
		args   *args
		want   policy.RuntimeReader
	}{
		{
			name: "simple get",
			fields: &fields{
				puidCache: map[string]*puidCacheEntry{
					puid1: puidEntry1,
				},
				podCache: map[string]*podCacheEntry{
					pod1: podEntry1,
				},
			},
			args: &args{
				puid: puid1,
			},
			want: containerRuntime,
		},
		{
			name: "empty get",
			fields: &fields{
				puidCache: map[string]*puidCacheEntry{
					puid1: puidEntry1,
				},
				podCache: map[string]*podCacheEntry{
					pod1: podEntry1,
				},
			},
			args: &args{
				puid: "123123",
			},
			want: nil,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			c := &cache{
				puidCache: tt.fields.puidCache,
				podCache:  tt.fields.podCache,
			}
			if got := c.getDockerRuntimeByPUID(tt.args.puid); !reflect.DeepEqual(got, tt.want) {
				t.Errorf("cache.getDockerRuntimeByPUID() = %v, want %v", got, tt.want)
			}
		})
	}
}

func Test_cache_getKubernetesRuntimeByPUID(t *testing.T) {

	puid1 := "12347"
	pod1 := "test/test2"
	containerRuntime := policy.NewPURuntimeWithDefaults()
	containerRuntime.SetPid(123)
	puidEntry1 := &puidCacheEntry{
		kubeIdentifier:    pod1,
		kubernetesRuntime: containerRuntime,
	}
	podEntry1 := &podCacheEntry{
		puIDs: map[string]bool{
			puid1: true,
		},
	}

	type fields struct {
		puidCache map[string]*puidCacheEntry
		podCache  map[string]*podCacheEntry
		RWMutex   sync.RWMutex
	}
	type args struct {
		puid string
	}
	tests := []struct {
		name   string
		fields *fields
		args   *args
		want   policy.RuntimeReader
	}{
		{
			name: "simple get",
			fields: &fields{
				puidCache: map[string]*puidCacheEntry{
					puid1: puidEntry1,
				},
				podCache: map[string]*podCacheEntry{
					pod1: podEntry1,
				},
			},
			args: &args{
				puid: puid1,
			},
			want: containerRuntime,
		},
		{
			name: "empty get",
			fields: &fields{
				puidCache: map[string]*puidCacheEntry{
					puid1: puidEntry1,
				},
				podCache: map[string]*podCacheEntry{
					pod1: podEntry1,
				},
			},
			args: &args{
				puid: "123123",
			},
			want: nil,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			c := &cache{
				puidCache: tt.fields.puidCache,
				podCache:  tt.fields.podCache,
			}
			if got := c.getKubernetesRuntimeByPUID(tt.args.puid); !reflect.DeepEqual(got, tt.want) {
				t.Errorf("cache.getKubernetesRuntimeByPUID() = %v, want %v", got, tt.want)
			}
		})
	}
}

func Test_cache_deletePodEntry(t *testing.T) {

	puid1 := "12348"
	pod1 := "test/test3"
	containerRuntime := policy.NewPURuntimeWithDefaults()
	containerRuntime.SetPid(123)
	puidEntry1 := &puidCacheEntry{
		kubeIdentifier:    pod1,
		kubernetesRuntime: containerRuntime,
	}
	podEntry1 := &podCacheEntry{
		puIDs: map[string]bool{
			puid1: true,
		},
	}

	type fields struct {
		puidCache map[string]*puidCacheEntry
		podCache  map[string]*podCacheEntry
		RWMutex   sync.RWMutex
	}
	type args struct {
		podNamespace string
		podName      string
	}
	tests := []struct {
		name   string
		fields *fields
		args   *args
		want1  map[string]*puidCacheEntry
		want2  map[string]*podCacheEntry
	}{
		{
			name: "simple delete",
			fields: &fields{
				puidCache: map[string]*puidCacheEntry{
					puid1: puidEntry1,
				},
				podCache: map[string]*podCacheEntry{
					pod1: podEntry1,
				},
			},
			args: &args{
				podName:      "test3",
				podNamespace: "test",
			},
			want1: map[string]*puidCacheEntry{
				puid1: puidEntry1,
			},
			want2: map[string]*podCacheEntry{},
		},
		{
			name: "non mexisting delete",
			fields: &fields{
				puidCache: map[string]*puidCacheEntry{
					puid1: puidEntry1,
				},
				podCache: map[string]*podCacheEntry{
					pod1: podEntry1,
				},
			},
			args: &args{
				podName:      "test2",
				podNamespace: "test",
			},
			want1: map[string]*puidCacheEntry{
				puid1: puidEntry1,
			},
			want2: map[string]*podCacheEntry{
				pod1: podEntry1,
			},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			c := &cache{
				puidCache: tt.fields.puidCache,
				podCache:  tt.fields.podCache,
			}
			c.deletePodEntry(tt.args.podNamespace, tt.args.podName)

			if got := tt.fields.puidCache; !reflect.DeepEqual(got, tt.want1) {
				t.Errorf("after cache.deleteByPod = %v, want %v", got, tt.want1)
			}
			if got := tt.fields.podCache; !reflect.DeepEqual(got, tt.want2) {
				t.Errorf("after cache.deleteByPod = %v, want %v", got, tt.want2)
			}
		})
	}
}

func Test_cache_deletePUIDEntry(t *testing.T) {

	puid1 := "12349"
	pod1 := "test/test4"
	containerRuntime := policy.NewPURuntimeWithDefaults()
	containerRuntime.SetPid(123)
	puidEntry1 := &puidCacheEntry{
		kubeIdentifier:    pod1,
		kubernetesRuntime: containerRuntime,
	}
	podEntry1 := &podCacheEntry{
		puIDs: map[string]bool{
			puid1: true,
		},
	}

	type fields struct {
		puidCache map[string]*puidCacheEntry
		podCache  map[string]*podCacheEntry
		RWMutex   sync.RWMutex
	}
	type args struct {
		puid string
	}
	tests := []struct {
		name   string
		fields *fields
		args   *args
		want1  map[string]*puidCacheEntry
		want2  map[string]*podCacheEntry
	}{
		{
			name: "simple delete",
			fields: &fields{
				puidCache: map[string]*puidCacheEntry{
					puid1: puidEntry1,
				},
				podCache: map[string]*podCacheEntry{
					pod1: podEntry1,
				},
			},
			args: &args{
				puid: puid1,
			},
			want1: map[string]*puidCacheEntry{},
			want2: map[string]*podCacheEntry{
				pod1: podEntry1,
			},
		},
		{
			name: "non mexisting delete",
			fields: &fields{
				puidCache: map[string]*puidCacheEntry{
					puid1: puidEntry1,
				},
				podCache: map[string]*podCacheEntry{
					pod1: podEntry1,
				},
			},
			args: &args{
				puid: "123123",
			},
			want1: map[string]*puidCacheEntry{
				puid1: puidEntry1,
			},
			want2: map[string]*podCacheEntry{
				pod1: podEntry1,
			},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			c := &cache{
				puidCache: tt.fields.puidCache,
				podCache:  tt.fields.podCache,
			}
			c.deletePUIDEntry(tt.args.puid)

			if got := tt.fields.puidCache; !reflect.DeepEqual(got, tt.want1) {
				t.Errorf("after cache.deleteByPod = %v, want %v", got, tt.want1)
			}
			if got := tt.fields.podCache; !reflect.DeepEqual(got, tt.want2) {
				t.Errorf("after cache.deleteByPod = %v, want %v", got, tt.want2)
			}

		})
	}
}

func Test_cache_deletePUIDCache(t *testing.T) {

	puid1 := "12349"
	pod1 := "test/test4"
	containerRuntime := policy.NewPURuntimeWithDefaults()
	containerRuntime.SetPid(123)
	puidEntry1 := &puidCacheEntry{
		kubeIdentifier:    pod1,
		kubernetesRuntime: containerRuntime,
	}
	podEntry1 := &podCacheEntry{
		puIDs: map[string]bool{
			puid1: true,
		},
	}

	type fields struct {
		puidCache map[string]*puidCacheEntry
		podCache  map[string]*podCacheEntry
		RWMutex   sync.RWMutex
	}
	type args struct {
		puID string
	}
	tests := []struct {
		name   string
		fields *fields
		args   *args
		want1  map[string]*puidCacheEntry
		want2  map[string]*podCacheEntry
	}{
		{
			name:   "Delete on empty cache",
			fields: &fields{},
			args: &args{
				puID: "1234",
			},
			want1: nil,
			want2: nil,
		},
		{
			name: "Deleting a non existent puid",
			fields: &fields{
				puidCache: map[string]*puidCacheEntry{
					puid1: puidEntry1,
				},
				podCache: map[string]*podCacheEntry{
					pod1: podEntry1,
				},
			},
			args: &args{
				puID: "1234",
			},
			want1: map[string]*puidCacheEntry{
				puid1: puidEntry1,
			},
			want2: map[string]*podCacheEntry{
				pod1: podEntry1,
			},
		},
		{
			name: "Normal case",
			fields: &fields{
				puidCache: map[string]*puidCacheEntry{
					puid1: puidEntry1,
				},
				podCache: map[string]*podCacheEntry{
					pod1: podEntry1,
				},
			},
			args: &args{
				puID: "12349",
			},
			want1: map[string]*puidCacheEntry{},
			want2: map[string]*podCacheEntry{},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			c := &cache{
				puidCache: tt.fields.puidCache,
				podCache:  tt.fields.podCache,
			}
			c.deletePUIDCache(tt.args.puID)
			if got := tt.fields.puidCache; !reflect.DeepEqual(got, tt.want1) {
				t.Errorf("after cache.deleteByPod = %v, want %v", got, tt.want1)
			}
			if got := tt.fields.podCache; !reflect.DeepEqual(got, tt.want2) {
				t.Errorf("after cache.deleteByPod = %v, want %v", got, tt.want2)
			}
		})
	}
}


================================================
FILE: monitor/internal/kubernetes/client.go
================================================
// +build !windows

package kubernetesmonitor

import (
	"fmt"

	"go.uber.org/zap"
	api "k8s.io/api/core/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/apimachinery/pkg/fields"
	"k8s.io/apimachinery/pkg/runtime"
	"k8s.io/client-go/kubernetes"
	kubecache "k8s.io/client-go/tools/cache"
	"k8s.io/client-go/tools/clientcmd"
)

// NewKubeClient Generate and initialize a Kubernetes client based on the parameter kubeconfig
func NewKubeClient(kubeconfig string) (*kubernetes.Clientset, error) {
	config, err := clientcmd.BuildConfigFromFlags("", kubeconfig)
	if err != nil {
		return nil, fmt.Errorf("Error Building config from Kubeconfig: %v", err)
	}

	return kubernetes.NewForConfig(config)
}

// CreateResourceController creates a controller for a specific ressource and namespace.
// The parameter function will be called on Add/Delete/Update events
func CreateResourceController(client kubecache.Getter, resource string, namespace string, apiStruct runtime.Object, selector fields.Selector,
	addFunc func(addedApiStruct interface{}), deleteFunc func(deletedApiStruct interface{}), updateFunc func(oldApiStruct, updatedApiStruct interface{})) (kubecache.Store, kubecache.Controller) {

	handlers := kubecache.ResourceEventHandlerFuncs{
		AddFunc:    addFunc,
		DeleteFunc: deleteFunc,
		UpdateFunc: updateFunc,
	}

	listWatch := kubecache.NewListWatchFromClient(client, resource, namespace, selector)
	store, controller := kubecache.NewInformer(listWatch, apiStruct, 0, handlers)
	return store, controller
}

// CreateLocalPodController creates a controller specifically for Pods.
func (m *KubernetesMonitor) CreateLocalPodController(namespace string,
	addFunc func(addedApiStruct *api.Pod) error, deleteFunc func(deletedApiStruct *api.Pod) error, updateFunc func(oldApiStruct, updatedApiStruct *api.Pod) error) (kubecache.Store, kubecache.Controller) {

	return CreateResourceController(m.kubeClient.CoreV1().RESTClient(), "pods", namespace, &api.Pod{}, m.localNodeSelector(),
		func(addedApiStruct interface{}) {
			if err := addFunc(addedApiStruct.(*api.Pod)); err != nil {
				zap.L().Error("Error while handling Add Pod", zap.Error(err))
			}
		},
		func(deletedApiStruct interface{}) {
			if err := deleteFunc(deletedApiStruct.(*api.Pod)); err != nil {
				zap.L().Error("Error while handling Delete Pod", zap.Error(err))
			}
		},
		func(oldApiStruct, updatedApiStruct interface{}) {
			if err := updateFunc(oldApiStruct.(*api.Pod), updatedApiStruct.(*api.Pod)); err != nil {
				zap.L().Error("Error while handling Update Pod", zap.Error(err))
			}
		})
}

func (m *KubernetesMonitor) localNodeSelector() fields.Selector {
	return fields.Set(map[string]string{
		"spec.nodeName": m.localNode,
	}).AsSelector()
}

// Pod returns the full pod object.
func (m *KubernetesMonitor) Pod(podName string, namespace string) (*api.Pod, error) {
	targetPod, err := m.kubeClient.CoreV1().Pods(namespace).Get(podName, metav1.GetOptions{})
	if err != nil {
		return nil, fmt.Errorf("error getting Kubernetes labels & IP for pod %v : %v ", podName, err)
	}
	return targetPod, nil
}


================================================
FILE: monitor/internal/kubernetes/client_test.go
================================================
// +build !windows

package kubernetesmonitor

import (
	"reflect"
	"testing"

	"go.aporeto.io/trireme-lib/monitor/config"
	"go.aporeto.io/trireme-lib/monitor/extractors"
	dockermonitor "go.aporeto.io/trireme-lib/monitor/internal/docker"
	api "k8s.io/api/core/v1"
	kubefields "k8s.io/apimachinery/pkg/fields"
	"k8s.io/client-go/kubernetes"
	kubefake "k8s.io/client-go/kubernetes/fake"
	kubecache "k8s.io/client-go/tools/cache"
)

func TestNewKubeClient(t *testing.T) {
	type args struct {
		kubeconfig string
	}
	tests := []struct {
		name    string
		args    args
		want    *kubernetes.Clientset
		wantErr bool
	}{
		{
			name: "test1",
			args: args{
				kubeconfig: "/tmp/abcd",
			},
			want:    nil,
			wantErr: true,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			got, err := NewKubeClient(tt.args.kubeconfig)
			if (err != nil) != tt.wantErr {
				t.Errorf("NewKubeClient() error = %v, wantErr %v", err, tt.wantErr)
				return
			}
			if !reflect.DeepEqual(got, tt.want) {
				t.Errorf("NewKubeClient() = %v, want %v", got, tt.want)
			}
		})
	}
}

func TestKubernetesMonitor_Pod(t *testing.T) {

	pod1 := &api.Pod{}
	pod1.SetName("pod1")
	pod1.SetNamespace("beer")

	type fields struct {
		dockerMonitor       *dockermonitor.DockerMonitor
		kubeClient          kubernetes.Interface
		localNode           string
		handlers            *config.ProcessorConfig
		cache               *cache
		kubernetesExtractor extractors.KubernetesMetadataExtractorType
		podStore            kubecache.Store
		podController       kubecache.Controller
		podControllerStop   chan struct{}
		enableHostPods      bool
	}
	type args struct {
		podName   string
		namespace string
	}
	tests := []struct {
		name    string
		fields  fields
		args    args
		want    *api.Pod
		wantErr bool
	}{
		{
			name: "Query existing pod",
			fields: fields{
				kubeClient: kubefake.NewSimpleClientset(pod1),
			},
			args: args{
				podName:   "pod1",
				namespace: "beer",
			},
			want:    pod1,
			wantErr: false,
		},
		{
			name: "Query non existing pod",
			fields: fields{
				kubeClient: kubefake.NewSimpleClientset(pod1),
			},
			args: args{
				podName:   "pod2",
				namespace: "beer",
			},
			want:    nil,
			wantErr: true,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			m := &KubernetesMonitor{
				dockerMonitor:       tt.fields.dockerMonitor,
				kubeClient:          tt.fields.kubeClient,
				localNode:           tt.fields.localNode,
				handlers:            tt.fields.handlers,
				cache:               tt.fields.cache,
				kubernetesExtractor: tt.fields.kubernetesExtractor,
				podStore:            tt.fields.podStore,
				podController:       tt.fields.podController,
				podControllerStop:   tt.fields.podControllerStop,
				enableHostPods:      tt.fields.enableHostPods,
			}
			got, err := m.Pod(tt.args.podName, tt.args.namespace)
			if (err != nil) != tt.wantErr {
				t.Errorf("KubernetesMonitor.Pod() error = %v, wantErr %v", err, tt.wantErr)
				return
			}
			if !reflect.DeepEqual(got, tt.want) {
				t.Errorf("KubernetesMonitor.Pod() = %v, want %v", got, tt.want)
			}
		})
	}
}

func TestKubernetesMonitor_localNodeSelector(t *testing.T) {
	type fields struct {
		dockerMonitor       *dockermonitor.DockerMonitor
		kubeClient          kubernetes.Interface
		localNode           string
		handlers            *config.ProcessorConfig
		cache               *cache
		kubernetesExtractor extractors.KubernetesMetadataExtractorType
		podStore            kubecache.Store
		podController       kubecache.Controller
		podControllerStop   chan struct{}
		enableHostPods      bool
	}
	tests := []struct {
		name   string
		fields fields
		want   kubefields.Selector
	}{
		{
			name: "Normal string",
			fields: fields{
				localNode: "abc",
			},
			want: kubefields.Set(map[string]string{
				"spec.nodeName": "abc",
			}).AsSelector(),
		},
		{
			name: "Empty string",
			fields: fields{
				localNode: "",
			},
			want: kubefields.Set(map[string]string{
				"spec.nodeName": "",
			}).AsSelector(),
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			m := &KubernetesMonitor{
				dockerMonitor:       tt.fields.dockerMonitor,
				kubeClient:          tt.fields.kubeClient,
				localNode:           tt.fields.localNode,
				handlers:            tt.fields.handlers,
				cache:               tt.fields.cache,
				kubernetesExtractor: tt.fields.kubernetesExtractor,
				podStore:            tt.fields.podStore,
				podController:       tt.fields.podController,
				podControllerStop:   tt.fields.podControllerStop,
				enableHostPods:      tt.fields.enableHostPods,
			}
			if got := m.localNodeSelector(); !reflect.DeepEqual(got, tt.want) {
				t.Errorf("KubernetesMonitor.localNodeSelector() = %v, want %v", got, tt.want)
			}
		})
	}
}


================================================
FILE: monitor/internal/kubernetes/config.go
================================================
package kubernetesmonitor

import (
	"go.aporeto.io/trireme-lib/monitor/extractors"
	dockerMonitor "go.aporeto.io/trireme-lib/monitor/internal/docker"
)

// Config is the config for the Kubernetes monitor
type Config struct { // nolint
	DockerConfig dockerMonitor.Config

	Kubeconfig     string
	Nodename       string
	EnableHostPods bool

	KubernetesExtractor extractors.KubernetesMetadataExtractorType
	DockerExtractor     extractors.DockerMetadataExtractor
}

// DefaultConfig provides a default configuration
func DefaultConfig() *Config {
	return &Config{
		KubernetesExtractor: extractors.DefaultKubernetesMetadataExtractor,
		DockerExtractor:     extractors.DefaultMetadataExtractor,
		EnableHostPods:      false,
		Kubeconfig:          "",
		Nodename:            "",
	}
}

// SetupDefaultConfig adds defaults to a partial configuration
func SetupDefaultConfig(kubernetesConfig *Config) *Config {
	return kubernetesConfig
}


================================================
FILE: monitor/internal/kubernetes/handler.go
================================================
// +build !windows

package kubernetesmonitor

import (
	"context"
	"fmt"

	"go.aporeto.io/trireme-lib/common"
	"go.aporeto.io/trireme-lib/monitor/constants"
	"go.aporeto.io/trireme-lib/policy"
	"go.uber.org/zap"
	api "k8s.io/api/core/v1"
)

// General logic for handling logic fron the DockerMonitor ss the following:
// The only interesting event is the Start and Die event. All the other events are ignored

// Those events are then put together with the Pod events received from the Kubernetes API.
// Once both are received and are consistent, the Pod get activated.

// HandlePUEvent is called by all monitors when a PU event is generated. The implementer
// is responsible to update all components by explicitly adding a new PU.
// Specifically for Kubernetes, The monitor handles the downstream events from Docker.
func (m *KubernetesMonitor) HandlePUEvent(ctx context.Context, puID string, event common.Event, dockerRuntime policy.RuntimeReader) error {
	zap.L().Debug("dockermonitor event", zap.String("puID", puID), zap.String("eventType", string(event)))

	var kubernetesRuntime policy.RuntimeReader

	// If the event coming from DockerMonitor is start or create, we will get a meaningful PURuntime from
	// DockerMonitor. We can use it and combine it with the pod information on Kubernetes API.
	if event == common.EventStart || event == common.EventCreate {

		// We check first if this is a Kubernetes managed container
		podNamespace, podName, err := getKubernetesInformation(dockerRuntime)
		if err != nil {
			return err
		}

		// We get the information for that specific POD from Kubernetes API
		pod, err := m.getPod(podNamespace, podName)
		if err != nil {
			return err
		}
		// The KubernetesMetadataExtractor combines the information coming from Docker (runtime)
		// and from Kube (pod) in order to create a KubernetesRuntime.
		// The managedContainer parameters define if this container should be ignored.
		var managedContainer bool
		kubernetesRuntime, managedContainer, err = m.kubernetesExtractor(dockerRuntime, pod)
		if err != nil {

			return fmt.Errorf("error while processing Kubernetes pod %s/%s for container %s %s", podNamespace, podName, puID, err)
		}

		// UnmanagedContainers are simply ignored. No policy is associated.
		if !managedContainer {
			// for Unmanaged container check if host network and add the process to cgroup.
			zap.L().Debug("unmanaged Kubernetes container on create or start", zap.String("puID", puID), zap.String("podNamespace", podNamespace), zap.String("podName", podName))
			return m.decorateRuntime(puID, dockerRuntime, event, podName, podNamespace)
		}

		// We keep the cache uptoDate for future queries
		m.cache.updatePUIDCache(podNamespace, podName, puID, dockerRuntime, kubernetesRuntime)
	} else {

		// We check if this PUID was previously managed. We only sent the event upstream to the resolver if it was managed on create or start.
		kubernetesRuntime = m.cache.getKubernetesRuntimeByPUID(puID)
		if kubernetesRuntime == nil {
			zap.L().Debug("unmanaged Kubernetes container", zap.String("puID", puID), zap.String("event", string(event)))
			return nil
		}
	}

	if event == common.EventDestroy {
		// Time to kill the cache entry
		m.cache.deletePUIDCache(puID)
	}

	// The event is then sent to the upstream policyResolver
	if err := m.handlers.Policy.HandlePUEvent(ctx, puID, event, kubernetesRuntime); err != nil {
		zap.L().Error("Unable to resolve policy for puid", zap.String("puID", puID), zap.Error(err))
		return fmt.Errorf("Unable to resolve policy for puid:%s", puID)
	}

	if dockerRuntime.PUType() == common.LinuxProcessPU {
		return m.decorateRuntime(puID, dockerRuntime, event, "", "")
	}

	return nil
}

// RefreshPUs is used to resend an update event to the Upstream Policy Resolver in case of an update is needed.
func (m *KubernetesMonitor) RefreshPUs(ctx context.Context, pod *api.Pod) error {
	if pod == nil {
		return fmt.Errorf("pod is nil")
	}

	podNamespace := pod.GetNamespace()
	podName := pod.GetName()

	puIDs := m.cache.getPUIDsbyPod(podNamespace, podName)

	for _, puid := range puIDs {
		dockerRuntime := m.cache.getDockerRuntimeByPUID(puid)
		if dockerRuntime == nil {
			continue
		}

		kubernetesRuntime, managedContainer, err := m.kubernetesExtractor(dockerRuntime, pod)
		if err != nil {
			return fmt.Errorf("error while processing Kubernetes pod %s/%s for container %s %s", podNamespace, podName, puid, err)
		}

		// UnmanagedContainers are simply ignored. It should not come this far if it is a non managed container anyways.
		if !managedContainer {
			zap.L().Debug("unmanaged Kubernetes container", zap.String("puID", puid), zap.String("podNamespace", podNamespace), zap.String("podName", podName))
			continue
		}

		// We keep the cache uptoDate for future queries
		m.cache.updatePUIDCache(podNamespace, podName, puid, dockerRuntime, kubernetesRuntime)

		if err := m.handlers.Policy.HandlePUEvent(ctx, puid, common.EventUpdate, kubernetesRuntime); err != nil {
			return err
		}
	}

	return nil
}

// getKubernetesInformation returns the name and namespace from a standard Docker runtime, if the docker container is associated at all with Kubernetes
func getKubernetesInformation(runtime policy.RuntimeReader) (string, string, error) {
	podNamespace, ok := runtime.Tag(KubernetesPodNamespaceIdentifier)
	if !ok {
		return "", "", fmt.Errorf("Error getting Kubernetes Pod namespace")
	}
	podName, ok := runtime.Tag(KubernetesPodNameIdentifier)
	if !ok {
		return "", "", fmt.Errorf("Error getting Kubernetes Pod name")
	}

	return podNamespace, podName, nil
}

// decorateRuntime decorates the docker runtime with puid of the pause container.
func (m *KubernetesMonitor) decorateRuntime(puID string, runtimeInfo policy.RuntimeReader, event common.Event,
	podName, podNamespace string) (err error) {

	// Do nothing on other events apart from start event.
	if event != common.EventStart {
		return nil
	}

	puRuntime, ok := runtimeInfo.(*policy.PURuntime)
	if !ok {
		zap.L().Error("Found invalid runtime for puid", zap.String("puid", puID))
		return fmt.Errorf("invalid runtime for puid:%s", puID)
	}

	extensions := policy.ExtendedMap{}

	// pause container with host net set to true.
	if runtimeInfo.PUType() == common.LinuxProcessPU {
		extensions[constants.DockerHostMode] = "true"
		extensions[constants.DockerHostPUID] = puID
		options := puRuntime.Options()
		options.PolicyExtensions = extensions
		options.AutoPort = true

		// set Options on docker runtime.
		puRuntime.SetOptions(options)
		return nil
	}

	pausePUID := ""
	puIDs := m.cache.getPUIDsbyPod(podNamespace, podName)
	// get the puid of the pause container.
	for _, id := range puIDs {
		rtm := m.cache.getDockerRuntimeByPUID(id)
		if rtm == nil {
			continue
		}

		if isPodInfraContainer(rtm) && rtm.PUType() == common.LinuxProcessPU {
			pausePUID = id
			break
		}

		// if the pause container is not host net container, nothing to do.
		if isPodInfraContainer(rtm) {
			return nil
		}
	}

	extensions[constants.DockerHostPUID] = pausePUID
	options := puRuntime.Options()
	options.PolicyExtensions = extensions
	// set Options on docker runtime.
	puRuntime.SetOptions(options)

	return nil
}

// isPodInfraContainer returns true if the runtime represents the infra container for the POD
func isPodInfraContainer(runtime policy.RuntimeReader) bool {
	// The Infra container can be found by checking env. variable.
	tagContent, ok := runtime.Tag(KubernetesContainerNameIdentifier)

	return ok && tagContent == KubernetesInfraContainerName
}


================================================
FILE: monitor/internal/kubernetes/handler_test.go
================================================
// +build !windows

package kubernetesmonitor

import (
	"context"
	"errors"
	"fmt"
	"testing"

	"go.aporeto.io/trireme-lib/common"
	"go.aporeto.io/trireme-lib/monitor/config"
	"go.aporeto.io/trireme-lib/monitor/extractors"
	dockermonitor "go.aporeto.io/trireme-lib/monitor/internal/docker"
	"go.aporeto.io/trireme-lib/policy"
	api "k8s.io/api/core/v1"
	"k8s.io/client-go/kubernetes"
	kubefake "k8s.io/client-go/kubernetes/fake"
	kubecache "k8s.io/client-go/tools/cache"
)

func Test_getKubernetesInformation(t *testing.T) {

	puRuntimeWithTags := func(tags map[string]string) *policy.PURuntime {
		puRuntime := policy.NewPURuntimeWithDefaults()
		puRuntime.SetTags(policy.NewTagStoreFromMap(tags))
		return puRuntime
	}

	type args struct {
		runtime policy.RuntimeReader
	}
	tests := []struct {
		name    string
		args    args
		want    string
		want1   string
		wantErr bool
	}{
		{
			name:    "no Kubernetes Information",
			args:    args{runtime: policy.NewPURuntimeWithDefaults()},
			want:    "",
			want1:   "",
			wantErr: true,
		},
		{
			name: "both present",
			args: args{runtime: puRuntimeWithTags(map[string]string{
				KubernetesPodNamespaceIdentifier: "a",
				KubernetesPodNameIdentifier:      "b",
			},
			),
			},
			want:    "a",
			want1:   "b",
			wantErr: false,
		},
		{
			name: "both present. NamespaceIdentifier empty",
			args: args{runtime: puRuntimeWithTags(map[string]string{
				KubernetesPodNamespaceIdentifier: "",
				KubernetesPodNameIdentifier:      "b",
			},
			),
			},
			want:    "",
			want1:   "b",
			wantErr: false,
		},
		{
			name: "both present. Name empty",
			args: args{runtime: puRuntimeWithTags(map[string]string{
				KubernetesPodNamespaceIdentifier: "a",
				KubernetesPodNameIdentifier:      "",
			},
			),
			},
			want:    "a",
			want1:   "",
			wantErr: false,
		},
		{
			name: "Namespace missing",
			args: args{runtime: puRuntimeWithTags(map[string]string{
				KubernetesPodNameIdentifier: "b",
			},
			),
			},
			want:    "",
			want1:   "",
			wantErr: true,
		},
		{
			name: "Name missing",
			args: args{runtime: puRuntimeWithTags(map[string]string{
				KubernetesPodNamespaceIdentifier: "a",
			},
			),
			},
			want:    "",
			want1:   "",
			wantErr: true,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			got, got1, err := getKubernetesInformation(tt.args.runtime)
			if (err != nil) != tt.wantErr {
				t.Errorf("getKubernetesInformation() error = %v, wantErr %v", err, tt.wantErr)
				return
			}
			if got != tt.want {
				t.Errorf("getKubernetesInformation() got = %v, want %v", got, tt.want)
			}
			if got1 != tt.want1 {
				t.Errorf("getKubernetesInformation() got1 = %v, want %v", got1, tt.want1)
			}
		})
	}
}

type mockHandler struct{}

func (m *mockHandler) HandlePUEvent(ctx context.Context, puID string, event common.Event, runtime policy.RuntimeReader) error {
	return nil
}

type mockErrHandler struct{}

func (m *mockErrHandler) HandlePUEvent(ctx context.Context, puID string, event common.Event, runtime policy.RuntimeReader) error {
	return errors.New("Dummy error")
}

func TestKubernetesMonitor_HandlePUEvent(t *testing.T) {

	pod1 := &api.Pod{}
	pod1.SetName("pod1")
	pod1.SetNamespace("beer")

	pod1Runtime := policy.NewPURuntimeWithDefaults()
	pod1Runtime.SetTags(policy.NewTagStoreFromMap(map[string]string{
		KubernetesPodNamespaceIdentifier: "beer",
		KubernetesPodNameIdentifier:      "pod1",
	}))

	hostContainerRuntime := func() *policy.PURuntime {

		pur := policy.NewPURuntime("", 1, "", nil, nil, common.LinuxProcessPU, nil)
		pur.SetOptions(policy.OptionsType{
			CgroupMark: "100",
		})
		pur.SetTags(policy.NewTagStoreFromMap(map[string]string{
			KubernetesPodNamespaceIdentifier: "beer",
			KubernetesPodNameIdentifier:      "pod1",
		}))
		return pur
	}

	kubernetesExtractorUnmanaged := func(runtime policy.RuntimeReader, pod *api.Pod) (*policy.PURuntime, bool, error) {
		originalRuntime, ok := runtime.(*policy.PURuntime)
		if !ok {
			return nil, false, fmt.Errorf("Error casting puruntime")
		}

		newRuntime := originalRuntime.Clone()

		return newRuntime, false, nil
	}

	kubernetesExtractorErrored := func(runtime policy.RuntimeReader, pod *api.Pod) (*policy.PURuntime, bool, error) {
		originalRuntime, ok := runtime.(*policy.PURuntime)
		if !ok {
			return nil, false, fmt.Errorf("Error casting puruntime")
		}

		newRuntime := originalRuntime.Clone()

		return newRuntime, false, fmt.Errorf("Previsible error")
	}

	kubernetesExtractorManaged := func(runtime policy.RuntimeReader, pod *api.Pod) (*policy.PURuntime, bool, error) {
		originalRuntime, ok := runtime.(*policy.PURuntime)
		if !ok {
			return nil, false, fmt.Errorf("Error casting puruntime")
		}

		newRuntime := originalRuntime.Clone()

		return newRuntime, true, nil
	}

	type fields struct {
		dockerMonitor       *dockermonitor.DockerMonitor
		kubeClient          kubernetes.Interface
		localNode           string
		handlers            *config.ProcessorConfig
		cache               *cache
		kubernetesExtractor extractors.KubernetesMetadataExtractorType
		podStore            kubecache.Store
		podController       kubecache.Controller
		podControllerStop   chan struct{}
		enableHostPods      bool
	}
	type args struct {
		ctx           context.Context
		puID          string
		event         common.Event
		dockerRuntime policy.RuntimeReader
	}
	tests := []struct {
		name    string
		fields  fields
		args    args
		wantErr bool
	}{
		{
			name:   "empty dockerruntime on create",
			fields: fields{},
			args: args{
				event:         common.EventCreate,
				dockerRuntime: policy.NewPURuntimeWithDefaults(),
			},
			wantErr: true,
		},
		{
			name:   "empty dockerruntime on start",
			fields: fields{},
			args: args{
				event:         common.EventCreate,
				dockerRuntime: policy.NewPURuntimeWithDefaults(),
			},
			wantErr: true,
		},
		{
			name: "Extractor with Unmanaged PU",
			fields: fields{
				kubeClient:          kubefake.NewSimpleClientset(pod1),
				kubernetesExtractor: kubernetesExtractorUnmanaged,
			},
			args: args{
				event:         common.EventCreate,
				dockerRuntime: pod1Runtime,
			},
			wantErr: false,
		},
		{
			name: "Extractor with Errored output",
			fields: fields{
				kubeClient:          kubefake.NewSimpleClientset(pod1),
				kubernetesExtractor: kubernetesExtractorErrored,
			},
			args: args{
				event:         common.EventCreate,
				dockerRuntime: pod1Runtime,
			},
			wantErr: true,
		},
		{
			name: "Extractor with managed PU",
			fields: fields{
				kubeClient:          kubefake.NewSimpleClientset(pod1),
				kubernetesExtractor: kubernetesExtractorManaged,
				cache:               newCache(),
				handlers: &config.ProcessorConfig{
					Policy: &mockHandler{},
				},
			},
			args: args{
				event:         common.EventCreate,
				dockerRuntime: pod1Runtime,
			},
			wantErr: false,
		},
		{
			name: "Destroy not in cache",
			fields: fields{
				kubeClient:          kubefake.NewSimpleClientset(pod1),
				kubernetesExtractor: kubernetesExtractorManaged,
				cache:               newCache(),
				handlers: &config.ProcessorConfig{
					Policy: &mockHandler{},
				},
			},
			args: args{
				event:         common.EventDestroy,
				dockerRuntime: pod1Runtime,
			},
			wantErr: false,
		},
		{
			name: "Activate host network pu",
			fields: fields{
				kubeClient:          kubefake.NewSimpleClientset(pod1),
				kubernetesExtractor: kubernetesExtractorManaged,
				cache:               newCache(),
				handlers: &config.ProcessorConfig{
					Policy: &mockHandler{},
				},
			},
			args: args{
				event:         common.EventStart,
				dockerRuntime: hostContainerRuntime(),
			},
			wantErr: false,
		},
		{
			name: "Non infra containers in a pod with host net",
			fields: fields{
				kubeClient:          kubefake.NewSimpleClientset(pod1),
				kubernetesExtractor: kubernetesExtractorUnmanaged,
				cache:               newCache(),
				handlers: &config.ProcessorConfig{
					Policy: &mockHandler{},
				},
			},
			args: args{
				event:         common.EventStart,
				dockerRuntime: pod1Runtime,
			},
			wantErr: false,
		},
		{
			name: "Activate host network pu and policy engine fails",
			fields: fields{
				kubeClient:          kubefake.NewSimpleClientset(pod1),
				kubernetesExtractor: kubernetesExtractorManaged,
				cache:               newCache(),
				handlers: &config.ProcessorConfig{
					Policy: &mockErrHandler{},
				},
			},
			args: args{
				event:         common.EventStart,
				dockerRuntime: hostContainerRuntime(),
			},
			wantErr: true,
		},
	}
	for _, tt := range tests {

		t.Run(tt.name, func(t *testing.T) {
			m := &KubernetesMonitor{
				dockerMonitor:       tt.fields.dockerMonitor,
				kubeClient:          tt.fields.kubeClient,
				localNode:           tt.fields.localNode,
				handlers:            tt.fields.handlers,
				cache:               tt.fields.cache,
				kubernetesExtractor: tt.fields.kubernetesExtractor,
				podStore:            tt.fields.podStore,
				podController:       tt.fields.podController,
				podControllerStop:   tt.fields.podControllerStop,
				enableHostPods:      tt.fields.enableHostPods,
			}
			if err := m.HandlePUEvent(tt.args.ctx, tt.args.puID, tt.args.event, tt.args.dockerRuntime); (err != nil) != tt.wantErr {
				t.Errorf("KubernetesMonitor.HandlePUEvent() error = %v, wantErr %v", err, tt.wantErr)
			}
		})
	}
}

func TestKubernetesMonitor_RefreshPUs(t *testing.T) {
	type fields struct {
		dockerMonitor       *dockermonitor.DockerMonitor
		kubeClient          kubernetes.Interface
		localNode           string
		handlers            *config.ProcessorConfig
		cache               *cache
		kubernetesExtractor extractors.KubernetesMetadataExtractorType
		podStore            kubecache.Store
		podController       kubecache.Controller
		podControllerStop   chan struct{}
		enableHostPods      bool
	}
	type args struct {
		ctx context.Context
		pod *api.Pod
	}
	tests := []struct {
		name    string
		fields  fields
		args    args
		wantErr bool
	}{
		{
			name:   "empty pod",
			fields: fields{},
			args: args{
				pod: nil,
			},
			wantErr: true,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			m := &KubernetesMonitor{
				dockerMonitor:       tt.fields.dockerMonitor,
				kubeClient:          tt.fields.kubeClient,
				localNode:           tt.fields.localNode,
				handlers:            tt.fields.handlers,
				cache:               tt.fields.cache,
				kubernetesExtractor: tt.fields.kubernetesExtractor,
				podStore:            tt.fields.podStore,
				podController:       tt.fields.podController,
				podControllerStop:   tt.fields.podControllerStop,
				enableHostPods:      tt.fields.enableHostPods,
			}
			if err := m.RefreshPUs(tt.args.ctx, tt.args.pod); (err != nil) != tt.wantErr {
				t.Errorf("KubernetesMonitor.RefreshPUs() error = %v, wantErr %v", err, tt.wantErr)
			}
		})
	}
}

func Test_isPodInfraContainer(t *testing.T) {
	type args struct {
		runtime policy.RuntimeReader
	}

	puRuntimeWithTags := func(tags map[string]string) *policy.PURuntime {
		puRuntime := policy.NewPURuntimeWithDefaults()
		puRuntime.SetTags(policy.NewTagStoreFromMap(tags))
		return puRuntime
	}

	tests := []struct {
		name string
		args args
		want bool
	}{
		{
			name: "Test if runtime has kubernetes infra pod tags",
			args: args{
				runtime: puRuntimeWithTags(map[string]string{
					"@usr:io.kubernetes.container.name": "POD",
				},
				),
			},
			want: true,
		},
		{
			name: "Test if runtime does not have kubernetes infra pod tags",
			args: args{
				runtime: puRuntimeWithTags(map[string]string{
					"key": "value",
				},
				),
			},
			want: false,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			if got := isPodInfraContainer(tt.args.runtime); got != tt.want {
				t.Errorf("isPodInfraContainer() = %v, want %v", got, tt.want)
			}
		})
	}
}

func TestKubernetesMonitor_decorateRuntime(t *testing.T) {

	pur1 := policy.NewPURuntime("", 1, "", nil, nil, common.LinuxProcessPU, nil)
	pur2 := policy.NewPURuntime("", 1, "", nil, nil, common.ContainerPU, nil)

	hostpuID := "1234"
	puID := "12345"

	podName := "abcd"
	podNamespace := "abcd"
	testCache := newCache()
	testCache.updatePUIDCache("abcd", "abcd", "1234", pur1, nil)

	type fields struct {
		dockerMonitor       *dockermonitor.DockerMonitor
		kubeClient          kubernetes.Interface
		localNode           string
		handlers            *config.ProcessorConfig
		cache               *cache
		kubernetesExtractor extractors.KubernetesMetadataExtractorType
		podStore            kubecache.Store
		podController       kubecache.Controller
		podControllerStop   chan struct{}
		enableHostPods      bool
	}
	type args struct {
		puID         string
		runtimeInfo  policy.RuntimeReader
		event        common.Event
		podName      string
		podNamespace string
	}
	tests := []struct {
		name    string
		fields  fields
		args    args
		wantErr bool
	}{
		{
			name:   "Check no op behavior on non start events",
			fields: fields{},
			args: args{
				puID:  "123",
				event: common.EventCreate,
			},
			wantErr: false,
		},
		{
			name:   "Invalid Runtime",
			fields: fields{},
			args: args{
				event: common.EventStart,
			},
			wantErr: true,
		},
		{
			name:   "Decorate runtime for pu activated as linux process",
			fields: fields{},
			args: args{
				event:        common.EventStart,
				podName:      podName,
				podNamespace: podNamespace,
				runtimeInfo:  pur1,
				puID:         hostpuID,
			},
			wantErr: false,
		},
		{
			name: "Decorate runtime for pu activated as container process",
			fields: fields{
				cache: testCache,
			},
			args: args{
				event:        common.EventStart,
				podName:      podName,
				podNamespace: podNamespace,
				runtimeInfo:  pur2,
				puID:         puID,
			},
			wantErr: false,
		},
	}

	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			m := &KubernetesMonitor{
				dockerMonitor:       tt.fields.dockerMonitor,
				kubeClient:          tt.fields.kubeClient,
				localNode:           tt.fields.localNode,
				handlers:            tt.fields.handlers,
				cache:               tt.fields.cache,
				kubernetesExtractor: tt.fields.kubernetesExtractor,
				podStore:            tt.fields.podStore,
				podController:       tt.fields.podController,
				podControllerStop:   tt.fields.podControllerStop,
				enableHostPods:      tt.fields.enableHostPods,
			}
			if err := m.decorateRuntime(tt.args.puID, tt.args.runtimeInfo, tt.args.event, tt.args.podName, tt.args.podNamespace); (err != nil) != tt.wantErr {
				t.Errorf("KubernetesMonitor.decorateRuntime() error = %v, wantErr %v", err, tt.wantErr)
			}
		})
	}
}


================================================
FILE: monitor/internal/kubernetes/kubernetes.go
================================================
// +build !windows

package kubernetesmonitor

import (
	"context"
	"time"

	"go.uber.org/zap"
	api "k8s.io/api/core/v1"
	"k8s.io/apimachinery/pkg/labels"
	kubecache "k8s.io/client-go/tools/cache"
)

// KubernetesPodNameIdentifier is the label used by Docker for the K8S pod name.
const KubernetesPodNameIdentifier = "@usr:io.kubernetes.pod.name"

// KubernetesPodNamespaceIdentifier is the label used by Docker for the K8S namespace.
const KubernetesPodNamespaceIdentifier = "@usr:io.kubernetes.pod.namespace"

// KubernetesContainerNameIdentifier is the label used by Docker for the K8S container name.
const KubernetesContainerNameIdentifier = "@usr:io.kubernetes.container.name"

// KubernetesInfraContainerName is the name of the infra POD.
const KubernetesInfraContainerName = "POD"

// UpstreamNameIdentifier is the identifier used to identify the nane on the resulting PU
const UpstreamNameIdentifier = "k8s:name"

// UpstreamNamespaceIdentifier is the identifier used to identify the nanespace on the resulting PU
const UpstreamNamespaceIdentifier = "k8s:namespace"

func (m *KubernetesMonitor) addPod(addedPod *api.Pod) error {
	zap.L().Debug("pod added event", zap.String("name", addedPod.GetName()), zap.String("namespace", addedPod.GetNamespace()))

	// This event is not needed as the trigger is the  DockerMonitor event
	// The pod obejct is cached in order to reuse it and avoid an API request possibly laster on

	return nil
}

func (m *KubernetesMonitor) deletePod(deletedPod *api.Pod) error {
	zap.L().Debug("pod deleted event", zap.String("name", deletedPod.GetName()), zap.String("namespace", deletedPod.GetNamespace()))

	return nil
}

func (m *KubernetesMonitor) updatePod(oldPod, updatedPod *api.Pod) error {
	zap.L().Debug("pod modified event", zap.String("name", updatedPod.GetName()), zap.String("namespace", updatedPod.GetNamespace()))

	if !isPolicyUpdateNeeded(oldPod, updatedPod) {
		zap.L().Debug("no modified labels for Pod", zap.String("name", updatedPod.GetName()), zap.String("namespace", updatedPod.GetNamespace()))
		return nil
	}

	// This event requires sending the Runtime upstream again.
	// TODO: Use propagated context
	return m.RefreshPUs(context.TODO(), updatedPod)
}

func (m *KubernetesMonitor) getPod(podNamespace, podName string) (*api.Pod, error) {
	zap.L().Debug("no pod cached, querying Kubernetes API")

	// TODO: Use cached Kube Store (from a shared informer)
	return m.Pod(podName, podNamespace)
}

func isPolicyUpdateNeeded(oldPod, newPod *api.Pod) bool {
	if !(oldPod.Status.PodIP == newPod.Status.PodIP) {
		return true
	}
	if !labels.Equals(oldPod.GetLabels(), newPod.GetLabels()) {
		return true
	}
	return false
}

// hasSynced sends an event on the Sync chan when the attachedController finished syncing.
func hasSynced(sync chan struct{}, controller kubecache.Controller) {
	for {
		if controller.HasSynced() {
			sync <- struct{}{}
			return
		}
		<-time.After(100 * time.Millisecond)
	}
}


================================================
FILE: monitor/internal/kubernetes/monitor.go
================================================
// +build !windows

package kubernetesmonitor

import (
	"context"
	"fmt"

	"go.aporeto.io/trireme-lib/collector"
	"go.aporeto.io/trireme-lib/monitor/config"
	"go.aporeto.io/trireme-lib/monitor/extractors"
	dockermonitor "go.aporeto.io/trireme-lib/monitor/internal/docker"
	"go.aporeto.io/trireme-lib/monitor/registerer"
	"go.uber.org/zap"
	"k8s.io/client-go/kubernetes"
	kubecache "k8s.io/client-go/tools/cache"
)

// KubernetesMonitor implements a monitor that sends pod events upstream
// It is implemented as a filter on the standard DockerMonitor.
// It gets all the PU events from the DockerMonitor and if the container is the POD container from Kubernetes,
// It connects to the Kubernetes API and adds the tags that are coming from Kuberntes that cannot be found
type KubernetesMonitor struct {
	dockerMonitor       *dockermonitor.DockerMonitor
	kubeClient          kubernetes.Interface
	localNode           string
	handlers            *config.ProcessorConfig
	cache               *cache
	kubernetesExtractor extractors.KubernetesMetadataExtractorType

	podStore          kubecache.Store
	podController     kubecache.Controller
	podControllerStop chan struct{}

	enableHostPods bool
}

// New returns a new kubernetes monitor.
func New() *KubernetesMonitor {
	kubeMonitor := &KubernetesMonitor{}
	kubeMonitor.cache = newCache()

	return kubeMonitor
}

// SetupConfig provides a configuration to implmentations. Every implmentation
// can have its own config type.
func (m *KubernetesMonitor) SetupConfig(registerer registerer.Registerer, cfg interface{}) error {

	defaultConfig := DefaultConfig()

	if cfg == nil {
		cfg = defaultConfig
	}

	kubernetesconfig, ok := cfg.(*Config)
	if !ok {
		return fmt.Errorf("Invalid configuration specified")
	}

	kubernetesconfig = SetupDefaultConfig(kubernetesconfig)

	processorConfig := &config.ProcessorConfig{
		Policy:    m,
		Collector: collector.NewDefaultCollector(),
	}

	// As the Kubernetes monitor depends on the DockerMonitor, we setup the Docker monitor first
	dockerMon := dockermonitor.New()
	dockerMon.SetupHandlers(processorConfig)

	dockerConfig := dockermonitor.DefaultConfig()
	dockerConfig.EventMetadataExtractor = kubernetesconfig.DockerExtractor

	// we use the defaultconfig for now
	if err := dockerMon.SetupConfig(nil, dockerConfig); err != nil {
		return fmt.Errorf("docker monitor instantiation error: %s", err.Error())
	}

	m.dockerMonitor = dockerMon

	// Setting up Kubernetes
	m.localNode = kubernetesconfig.Nodename
	kubeClient, err := NewKubeClient(kubernetesconfig.Kubeconfig)
	if err != nil {
		return fmt.Errorf("kubernetes client instantiation error: %s", err.Error())
	}
	m.kubeClient = kubeClient

	m.enableHostPods = kubernetesconfig.EnableHostPods
	m.kubernetesExtractor = kubernetesconfig.KubernetesExtractor

	m.podStore, m.podController = m.CreateLocalPodController("",
		m.addPod,
		m.deletePod,
		m.updatePod)

	m.podControllerStop = make(chan struct{})

	zap.L().Warn("Using deprecated Kubernetes Monitor")

	return nil
}

// Run starts the monitor.
func (m *KubernetesMonitor) Run(ctx context.Context) error {
	if m.kubeClient == nil {
		return fmt.Errorf("kubernetes client is not initialized correctly")
	}

	// TODO. Give directly the channel to the Kubernetes library
	go m.podController.Run(ctx.Done())
	initialPodSync := make(chan struct{})
	go hasSynced(initialPodSync, m.podController)
	<-initialPodSync

	return m.dockerMonitor.Run(ctx)
}

// SetupHandlers sets up handlers for monitors to invoke for various events such as
// processing unit events and synchronization events. This will be called before Start()
// by the consumer of the monitor
func (m *KubernetesMonitor) SetupHandlers(c *config.ProcessorConfig) {
	m.handlers = c
}

// Resync requests to the monitor to do a resync.
func (m *KubernetesMonitor) Resync(ctx context.Context) error {
	return m.dockerMonitor.Resync(ctx)
}


================================================
FILE: monitor/internal/kubernetes/monitor_test.go
================================================
// +build !windows

package kubernetesmonitor

import (
	"testing"

	"go.aporeto.io/trireme-lib/monitor/config"
	"go.aporeto.io/trireme-lib/monitor/extractors"
	dockermonitor "go.aporeto.io/trireme-lib/monitor/internal/docker"
	"go.aporeto.io/trireme-lib/monitor/registerer"
	"k8s.io/client-go/kubernetes"
	kubecache "k8s.io/client-go/tools/cache"
)

func TestKubernetesMonitor_SetupConfig(t *testing.T) {

	type fields struct {
		dockerMonitor       *dockermonitor.DockerMonitor
		kubeClient          kubernetes.Interface
		localNode           string
		handlers            *config.ProcessorConfig
		cache               *cache
		kubernetesExtractor extractors.KubernetesMetadataExtractorType
		podStore            kubecache.Store
		podController       kubecache.Controller
		podControllerStop   chan struct{}
		enableHostPods      bool
	}
	type args struct {
		registerer registerer.Registerer
		cfg        interface{}
	}
	tests := []struct {
		name    string
		fields  fields
		args    args
		wantErr bool
	}{
		{
			name:   "random config",
			fields: fields{},
			args: args{
				registerer: nil,
				cfg:        "123",
			},
			wantErr: true,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			m := &KubernetesMonitor{
				dockerMonitor:       tt.fields.dockerMonitor,
				kubeClient:          tt.fields.kubeClient,
				localNode:           tt.fields.localNode,
				handlers:            tt.fields.handlers,
				cache:               tt.fields.cache,
				kubernetesExtractor: tt.fields.kubernetesExtractor,
				podStore:            tt.fields.podStore,
				podController:       tt.fields.podController,
				podControllerStop:   tt.fields.podControllerStop,
				enableHostPods:      tt.fields.enableHostPods,
			}
			if err := m.SetupConfig(tt.args.registerer, tt.args.cfg); (err != nil) != tt.wantErr {
				t.Errorf("KubernetesMonitor.SetupConfig() error = %v, wantErr %v", err, tt.wantErr)
			}
		})
	}
}


================================================
FILE: monitor/internal/linux/config.go
================================================
package linuxmonitor

import (
	"go.aporeto.io/enforcerd/trireme-lib/common"
	"go.aporeto.io/enforcerd/trireme-lib/monitor/extractors"
)

// Config is the configuration options to start a CNI monitor
type Config struct {
	EventMetadataExtractor extractors.EventMetadataExtractor
	StoredPath             string
	ReleasePath            string
	Host                   bool
}

// DefaultConfig provides a default configuration
func DefaultConfig(host bool) *Config {

	return &Config{
		EventMetadataExtractor: extractors.DefaultHostMetadataExtractor,
		ReleasePath:            "",
		StoredPath:             common.TriremeCgroupPath,
		Host:                   host,
	}
}

// SetupDefaultConfig adds defaults to a partial configuration
func SetupDefaultConfig(linuxConfig *Config) *Config {

	defaultConfig := DefaultConfig(linuxConfig.Host)

	if linuxConfig.ReleasePath == "" {
		linuxConfig.ReleasePath = defaultConfig.ReleasePath
	}

	if linuxConfig.EventMetadataExtractor == nil {
		linuxConfig.EventMetadataExtractor = defaultConfig.EventMetadataExtractor
	}

	if linuxConfig.StoredPath == "" {
		linuxConfig.StoredPath = common.TriremeCgroupPath
	}

	return linuxConfig
}


================================================
FILE: monitor/internal/linux/monitor.go
================================================
package linuxmonitor

import (
	"context"
	"fmt"
	"regexp"

	"go.aporeto.io/enforcerd/trireme-lib/common"
	"go.aporeto.io/enforcerd/trireme-lib/monitor/config"
	"go.aporeto.io/enforcerd/trireme-lib/monitor/registerer"
	"go.aporeto.io/enforcerd/trireme-lib/utils/cgnetcls"
)

// LinuxMonitor captures all the monitor processor information
// It implements the EventProcessor interface of the rpc monitor
type LinuxMonitor struct {
	proc *linuxProcessor
}

// New returns a new implmentation of a monitor implmentation
func New(context.Context) *LinuxMonitor {

	return &LinuxMonitor{
		proc: &linuxProcessor{},
	}
}

// Run implements Implementation interface
func (l *LinuxMonitor) Run(ctx context.Context) error {

	if err := l.proc.config.IsComplete(); err != nil {
		return fmt.Errorf("linux %t: %s", l.proc.host, err)
	}

	return l.Resync(ctx)
}

// SetupConfig provides a configuration to implmentations. Every implmentation
// can have its own config type.
func (l *LinuxMonitor) SetupConfig(registerer registerer.Registerer, cfg interface{}) error {

	if cfg == nil {
		cfg = DefaultConfig(false)
	}

	linuxConfig, ok := cfg.(*Config)
	if !ok {
		return fmt.Errorf("Invalid configuration specified")
	}

	if registerer != nil {
		if err := registerer.RegisterProcessor(common.HostNetworkPU, l.proc); err != nil {
			return err
		}
		if err := registerer.RegisterProcessor(common.HostPU, l.proc); err != nil {
			return err
		}
		if err := registerer.RegisterProcessor(common.LinuxProcessPU, l.proc); err != nil {
			return err
		}
	}

	// Setup defaults
	linuxConfig = SetupDefaultConfig(linuxConfig)

	// Setup config
	l.proc.host = linuxConfig.Host

	l.proc.netcls = cgnetcls.NewCgroupNetController(common.TriremeCgroupPath, linuxConfig.ReleasePath)

	l.proc.regStart = regexp.MustCompile("^[a-zA-Z0-9_]{1,11}$")
	l.proc.regStop = regexp.MustCompile("^/trireme/[a-zA-Z0-9_]{1,11}$")

	l.proc.metadataExtractor = linuxConfig.EventMetadataExtractor
	if l.proc.metadataExtractor == nil {
		return fmt.Errorf("Unable to setup a metadata extractor")
	}

	return nil
}

// SetupHandlers sets up handlers for monitors to invoke for various events such as
// processing unit events and synchronization events. This will be called before Start()
// by the consumer of the monitor
func (l *LinuxMonitor) SetupHandlers(m *config.ProcessorConfig) {

	l.proc.config = m
}

// Resync instructs the monitor to do a resync.
func (l *LinuxMonitor) Resync(ctx context.Context) error {
	return l.proc.Resync(ctx, nil)
}


================================================
FILE: monitor/internal/linux/processor.go
================================================
package linuxmonitor

import (
	"context"
	"fmt"
	"regexp"
	"strconv"
	"strings"
	"sync"

	"go.aporeto.io/enforcerd/trireme-lib/buildflags"
	"go.aporeto.io/enforcerd/trireme-lib/collector"
	"go.aporeto.io/enforcerd/trireme-lib/common"
	"go.aporeto.io/enforcerd/trireme-lib/monitor/config"
	"go.aporeto.io/enforcerd/trireme-lib/monitor/extractors"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
	"go.aporeto.io/enforcerd/trireme-lib/utils/cgnetcls"
	"go.uber.org/zap"
)

var ignoreNames = map[string]*struct{}{
	"cgroup.clone_children": nil,
	"cgroup.procs":          nil,
	"net_cls.classid":       nil,
	"net_prio.ifpriomap":    nil,
	"net_prio.prioidx":      nil,
	"notify_on_release":     nil,
	"tasks":                 nil,
}

// linuxProcessor captures all the monitor processor information
// It implements the EventProcessor interface of the rpc monitor
type linuxProcessor struct {
	host              bool
	config            *config.ProcessorConfig
	metadataExtractor extractors.EventMetadataExtractor
	netcls            cgnetcls.Cgroupnetcls
	regStart          *regexp.Regexp
	regStop           *regexp.Regexp
	sync.Mutex
}

func baseName(name, separator string) string {

	lastseparator := strings.LastIndex(name, separator)
	if len(name) <= lastseparator {
		return ""
	}
	return name[lastseparator+1:]
}

// Create handles create events
func (l *linuxProcessor) Create(ctx context.Context, eventInfo *common.EventInfo) error {
	// This should never be called for Linux Processes
	return fmt.Errorf("Use start directly for Linux processes. Create not supported")
}

// Start handles start events
func (l *linuxProcessor) Start(ctx context.Context, eventInfo *common.EventInfo) error {

	// Validate the PUID format. Additional validations TODO
	if !l.regStart.Match([]byte(eventInfo.PUID)) {
		return fmt.Errorf("invalid pu id: %s", eventInfo.PUID)
	}

	// Normalize to a nativeID context. This will become key for any recoveries
	// and it's an one way function.
	nativeID, err := l.generateContextID(eventInfo)
	if err != nil {
		return err
	}

	processes, err := l.netcls.ListCgroupProcesses(nativeID)
	if err == nil && len(processes) != 0 {
		//This PU already exists we are getting a duplicate event
		zap.L().Debug("Duplicate start event for the same PU", zap.String("PUID", nativeID))
		if err = l.netcls.AddProcess(nativeID, int(eventInfo.PID)); err != nil {
			if derr := l.netcls.DeleteCgroup(nativeID); derr != nil {
				zap.L().Warn("Failed to clean cgroup", zap.Error(derr))
			}
			return err
		}
		return nil
	}

	// Extract the metadata and create the runtime
	runtime, err := l.metadataExtractor(eventInfo)
	if err != nil {
		return err
	}

	// We need to send a create event to the policy engine.
	if err = l.config.Policy.HandlePUEvent(ctx, nativeID, common.EventCreate, runtime); err != nil {
		return fmt.Errorf("Unable to create PU: %s", err)
	}

	// We can now send a start event to the policy engine
	if err = l.config.Policy.HandlePUEvent(ctx, nativeID, common.EventStart, runtime); err != nil {
		return fmt.Errorf("Unable to start PU: %s", err)
	}

	l.Lock()
	// We can now program cgroups and everything else.
	if eventInfo.HostService {
		err = l.processHostServiceStart(eventInfo, runtime)
	} else {
		err = l.processLinuxServiceStart(nativeID, eventInfo, runtime)
	}
	l.Unlock()
	if err != nil {
		return fmt.Errorf("Failed to program cgroups: %s", err)
	}

	// Send the event to the collector.
	l.config.Collector.CollectContainerEvent(&collector.ContainerRecord{
		ContextID: eventInfo.PUID,
		IPAddress: runtime.IPAddresses(),
		Tags:      runtime.Tags(),
		Event:     collector.ContainerStart,
	})

	return nil
}

// Stop handles a stop event
func (l *linuxProcessor) Stop(ctx context.Context, event *common.EventInfo) error {

	puID, err := l.generateContextID(event)
	if err != nil {
		return err
	}

	processes, err := l.netcls.ListCgroupProcesses(puID)
	if err == nil && len(processes) != 0 {
		zap.L().Debug("Received Bogus Stop", zap.Int("Num Processes", len(processes)), zap.Error(err))
		return nil
	}

	if puID == "/trireme" {
		return nil
	}

	runtime := policy.NewPURuntimeWithDefaults()
	runtime.SetPUType(event.PUType)

	return l.config.Policy.HandlePUEvent(ctx, puID, common.EventStop, runtime)
}

// Destroy handles a destroy event
func (l *linuxProcessor) Destroy(ctx context.Context, eventInfo *common.EventInfo) error {

	puID, err := l.generateContextID(eventInfo)
	if err != nil {
		return err
	}

	if puID == "/trireme" {
		puID = strings.TrimLeft(puID, "/")
		l.netcls.Deletebasepath(puID)
		return nil
	}

	runtime := policy.NewPURuntimeWithDefaults()
	runtime.SetPUType(eventInfo.PUType)

	// Send the event upstream
	if err := l.config.Policy.HandlePUEvent(ctx, puID, common.EventDestroy, runtime); err != nil {
		zap.L().Warn("Unable to clean trireme ",
			zap.String("puID", puID),
			zap.Error(err),
		)
	}

	l.Lock()
	defer l.Unlock()

	if eventInfo.HostService {
		// For network only pus, we do not program cgroups and hence should not clean it.
		// Cleaning this could result in removal of root cgroup that was configured for
		// true host mode pu.
		if eventInfo.NetworkOnlyTraffic {
			return nil
		}

		if err := l.netcls.AssignRootMark(0); err != nil {
			return fmt.Errorf("unable to write to net_cls.classid file for new cgroup: %s", err)
		}
	}

	puID = baseName(puID, "/")

	//let us remove the cgroup files now
	if err := l.netcls.DeleteCgroup(puID); err != nil {
		zap.L().Warn("Failed to clean netcls group",
			zap.String("puID", puID),
			zap.Error(err),
		)
	}

	return nil
}

// Pause handles a pause event
func (l *linuxProcessor) Pause(ctx context.Context, eventInfo *common.EventInfo) error {

	puID, err := l.generateContextID(eventInfo)
	if err != nil {
		return fmt.Errorf("unable to generate context id: %s", err)
	}

	return l.config.Policy.HandlePUEvent(ctx, puID, common.EventPause, nil)
}

func (l *linuxProcessor) resyncHostService(ctx context.Context, e *common.EventInfo) error {

	runtime, err := l.metadataExtractor(e)
	if err != nil {
		return err
	}

	nativeID, err := l.generateContextID(e)
	if err != nil {
		return err
	}

	if err = l.config.Policy.HandlePUEvent(ctx, nativeID, common.EventStart, runtime); err != nil {
		return fmt.Errorf("Unable to start PU: %s", err)
	}

	return l.processHostServiceStart(e, runtime)
}

// Resync resyncs with all the existing services that were there before we start
func (l *linuxProcessor) Resync(ctx context.Context, e *common.EventInfo) error {
	// This lock is not complete necessary here
	l.config.ResyncLock.RLock()
	defer l.config.ResyncLock.RUnlock()
	if e != nil {
		// If its a host service then use pu from eventInfo
		// The code block below assumes that pu is already created
		if e.HostService {
			return l.resyncHostService(ctx, e)
		}
	}

	cgroups := l.netcls.ListAllCgroups("")
	for _, cgroup := range cgroups {

		if _, ok := ignoreNames[cgroup]; ok {
			continue
		}

		// List all the cgroup processes. If its empty, we can remove it.
		procs, err := l.netcls.ListCgroupProcesses(cgroup)
		if err != nil {
			continue
		}

		// All processes in cgroup have died. Let's clean up.
		if len(procs) == 0 {
			if err := l.netcls.DeleteCgroup(cgroup); err != nil {
				zap.L().Warn("Failed to deleted cgroup",
					zap.String("cgroup", cgroup),
					zap.Error(err),
				)
			}
			continue
		}

		runtime := policy.NewPURuntimeWithDefaults()
		puType := common.LinuxProcessPU

		runtime.SetPUType(puType)
		runtime.SetOptions(policy.OptionsType{
			CgroupMark: strconv.FormatUint(cgnetcls.MarkVal(), 10),
			CgroupName: cgroup,
		})

		// Processes are still alive. We should enforce policy.
		if err := l.config.Policy.HandlePUEvent(ctx, cgroup, common.EventStart, runtime); err != nil {
			zap.L().Error("Failed to restart cgroup control", zap.String("cgroup ID", cgroup), zap.Error(err))
		}

		if err := l.processLinuxServiceStart(cgroup, nil, runtime); err != nil {
			return err
		}
	}
	return nil
}

// generateContextID creates the puID from the event information
func (l *linuxProcessor) generateContextID(eventInfo *common.EventInfo) (string, error) {

	puID := eventInfo.PUID
	if eventInfo.Cgroup == "" {
		return puID, nil
	}

	if !l.regStop.Match([]byte(eventInfo.Cgroup)) {
		return "", fmt.Errorf("invalid pu id: %s", eventInfo.Cgroup)
	}

	puID = baseName(eventInfo.Cgroup, "/")

	return puID, nil
}

func (l *linuxProcessor) processLinuxServiceStart(nativeID string, event *common.EventInfo, runtimeInfo *policy.PURuntime) error {

	// It is okay to launch this so let us create a cgroup for it
	if err := l.netcls.Creategroup(nativeID); err != nil {
		return err
	}

	markval := runtimeInfo.Options().CgroupMark
	if markval == "" {
		if derr := l.netcls.DeleteCgroup(nativeID); derr != nil {
			zap.L().Warn("Failed to clean cgroup", zap.Error(derr))
		}
		return fmt.Errorf("mark value %s not found", markval)
	}

	mark, _ := strconv.ParseUint(markval, 10, 32)
	if err := l.netcls.AssignMark(nativeID, mark); err != nil {
		if derr := l.netcls.DeleteCgroup(nativeID); derr != nil {
			zap.L().Warn("Failed to clean cgroup", zap.Error(derr))
		}
		return err
	}

	if event != nil {
		if err := l.netcls.AddProcess(nativeID, int(event.PID)); err != nil {
			if derr := l.netcls.DeleteCgroup(nativeID); derr != nil {
				zap.L().Warn("Failed to clean cgroup", zap.Error(derr))
			}
			return err
		}
	}

	return nil
}

func (l *linuxProcessor) processHostServiceStart(event *common.EventInfo, runtimeInfo *policy.PURuntime) error {

	if event.NetworkOnlyTraffic || buildflags.IsLegacyKernel() {
		return nil
	}

	markval := runtimeInfo.Options().CgroupMark
	mark, _ := strconv.ParseUint(markval, 10, 32)

	return l.netcls.AssignRootMark(mark)
}


================================================
FILE: monitor/internal/linux/processor_test.go
================================================
// +build !windows

package linuxmonitor

import (
	"context"
	"errors"
	"io/ioutil"
	"os"
	"sync"
	"testing"

	"github.com/golang/mock/gomock"
	. "github.com/smartystreets/goconvey/convey"
	"go.aporeto.io/enforcerd/trireme-lib/collector"
	"go.aporeto.io/enforcerd/trireme-lib/common"
	"go.aporeto.io/enforcerd/trireme-lib/monitor/config"
	"go.aporeto.io/enforcerd/trireme-lib/monitor/extractors"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
	"go.aporeto.io/enforcerd/trireme-lib/policy/mockpolicy"
	"go.aporeto.io/enforcerd/trireme-lib/utils/cgnetcls/mockcgnetcls"
)

func testLinuxProcessor(puHandler policy.Resolver) *linuxProcessor {
	l := New(context.Background())
	l.SetupHandlers(&config.ProcessorConfig{
		Collector:  &collector.DefaultCollector{},
		Policy:     puHandler,
		ResyncLock: &sync.RWMutex{},
	})
	if err := l.SetupConfig(nil, &Config{
		EventMetadataExtractor: extractors.DefaultHostMetadataExtractor,
		StoredPath:             "/tmp",
		ReleasePath:            "./",
	}); err != nil {
		return nil
	}
	return l.proc
}

func TestCreate(t *testing.T) {
	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	Convey("Given a valid processor", t, func() {
		puHandler := mockpolicy.NewMockResolver(ctrl)

		p := testLinuxProcessor(puHandler)

		Convey("When I try a create event with invalid PU ID, ", func() {
			event := &common.EventInfo{
				PUID: "/@#$@",
			}
			Convey("I should get an error", func() {
				err := p.Create(context.Background(), event)
				So(err, ShouldNotBeNil)
			})
		})

		Convey("When I get a create event that is valid", func() {
			event := &common.EventInfo{
				PUID: "1234",
			}
			Convey("I should get an error - create not supported", func() {
				err := p.Create(context.Background(), event)
				So(err, ShouldNotBeNil)
			})
		})
	})
}

func TestStop(t *testing.T) {
	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	Convey("Given a valid processor", t, func() {
		puHandler := mockpolicy.NewMockResolver(ctrl)

		p := testLinuxProcessor(puHandler)
		mockcls := mockcgnetcls.NewMockCgroupnetcls(ctrl)
		p.netcls = mockcls

		Convey("When I get a stop event that is valid", func() {
			event := &common.EventInfo{
				PUID: "/trireme/1234",
			}

			puHandler.EXPECT().HandlePUEvent(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return(nil)
			mockcls.EXPECT().ListCgroupProcesses("/trireme/1234")

			Convey("I should get the status of the upstream function", func() {
				err := p.Stop(context.Background(), event)
				So(err, ShouldBeNil)
			})
		})

	})
}

// TODO: remove nolint
// nolint
func TestDestroy(t *testing.T) {
	ctrl := gomock.NewController(t)
	defer ctrl.Finish()
	dummyPUPath := "/var/run/trireme/linux/1234"
	ioutil.WriteFile(dummyPUPath, []byte{}, 0644) // nolint

	defer os.RemoveAll(dummyPUPath) // nolint
	Convey("Given a valid processor", t, func() {
		puHandler := mockpolicy.NewMockResolver(ctrl)

		p := testLinuxProcessor(puHandler)
		mockcls := mockcgnetcls.NewMockCgroupnetcls(ctrl)
		p.netcls = mockcls

		Convey("When I get a destroy event that is valid", func() {
			event := &common.EventInfo{
				PUID: "1234",
			}
			mockcls.EXPECT().DeleteCgroup(gomock.Any()).Return(nil)

			puHandler.EXPECT().HandlePUEvent(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return(nil)
			Convey("I should get the status of the upstream function", func() {
				err := p.Destroy(context.Background(), event)
				So(err, ShouldBeNil)
			})
		})

		Convey("When I get a destroy event that is valid for hostpu", func() {
			event := &common.EventInfo{
				PUID:               "123",
				HostService:        true,
				NetworkOnlyTraffic: true,
			}

			puHandler.EXPECT().HandlePUEvent(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return(nil)
			Convey("I should get the status of the upstream function", func() {
				err := p.Destroy(context.Background(), event)
				So(err, ShouldBeNil)
			})
		})
	})
}

func TestPause(t *testing.T) {
	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	Convey("Given a valid processor", t, func() {
		puHandler := mockpolicy.NewMockResolver(ctrl)

		p := testLinuxProcessor(puHandler)

		Convey("When I get a pause event that is valid", func() {
			event := &common.EventInfo{
				PUID: "/trireme/1234",
			}

			puHandler.EXPECT().HandlePUEvent(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return(nil)
			Convey("I should get the status of the upstream function", func() {
				err := p.Pause(context.Background(), event)
				So(err, ShouldBeNil)
			})
		})
	})
}

func TestStart(t *testing.T) {
	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	Convey("Given a valid processor", t, func() {
		puHandler := mockpolicy.NewMockResolver(ctrl)
		p := testLinuxProcessor(puHandler)

		Convey("When I get a start event with no PUID", func() {
			event := &common.EventInfo{
				PUID: "",
			}
			Convey("I should get an error", func() {
				err := p.Start(context.Background(), event)
				So(err, ShouldNotBeNil)
			})
		})

		Convey("When I get a start event that is valid that fails on the generation of PU ID", func() {
			event := &common.EventInfo{
				Name: "^^^",
			}
			Convey("I should get an error", func() {
				err := p.Start(context.Background(), event)
				So(err, ShouldNotBeNil)
			})
		})

		Convey("When I get a start event that is valid that fails on the metadata extractor", func() {
			event := &common.EventInfo{
				Name: "service",
				Tags: []string{"badtag"},
			}
			Convey("I should get an error", func() {
				err := p.Start(context.Background(), event)
				So(err, ShouldNotBeNil)
			})
		})

		Convey("When I get a start event and the upstream returns an error ", func() {
			event := &common.EventInfo{
				Name:      "PU",
				PID:       1,
				PUID:      "12345",
				EventType: common.EventStart,
				PUType:    common.LinuxProcessPU,
			}
			Convey("I should get an error ", func() {
				puHandler.EXPECT().HandlePUEvent(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return(errors.New("error"))
				err := p.Start(context.Background(), event)
				So(err, ShouldNotBeNil)
			})
		})

		Convey("When I get a start event and create group fails ", func() {
			event := &common.EventInfo{
				Name:      "PU",
				PID:       1,
				PUID:      "12345",
				EventType: common.EventStop,
				PUType:    common.LinuxProcessPU,
			}

			mockcls := mockcgnetcls.NewMockCgroupnetcls(ctrl)
			p.netcls = mockcls

			Convey("I should get an error ", func() {
				puHandler.EXPECT().HandlePUEvent(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Times(2).Return(nil)
				mockcls.EXPECT().Creategroup(gomock.Any()).Return(errors.New("error"))
				mockcls.EXPECT().ListCgroupProcesses("12345")

				err := p.Start(context.Background(), event)
				So(err, ShouldNotBeNil)
			})
		})

		Convey("When I get a start event and the runtime options don't have a mark value", func() {
			event := &common.EventInfo{
				Name:      "PU",
				PID:       1,
				PUID:      "12345",
				EventType: common.EventStop,
				PUType:    common.LinuxProcessPU,
			}

			mockcls := mockcgnetcls.NewMockCgroupnetcls(ctrl)
			p.netcls = mockcls

			Convey("I should not get an error ", func() {
				puHandler.EXPECT().HandlePUEvent(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Times(2).Return(nil)
				mockcls.EXPECT().Creategroup(gomock.Any()).Return(nil)
				mockcls.EXPECT().AssignMark(gomock.Any(), gomock.Any()).Return(nil)
				mockcls.EXPECT().AddProcess(gomock.Any(), gomock.Any())
				mockcls.EXPECT().ListCgroupProcesses("12345")
				err := p.Start(context.Background(), event)
				So(err, ShouldBeNil)
			})
		})
	})
}

func TestResync(t *testing.T) {
	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	Convey("Given a valid processor", t, func() {
		puHandler := mockpolicy.NewMockResolver(ctrl)
		p := testLinuxProcessor(puHandler)

		Convey("When I get a resync event ", func() {
			event := &common.EventInfo{
				Name:      "PU",
				PID:       1,
				PUID:      "12345",
				EventType: common.EventStart,
				PUType:    common.LinuxProcessPU,
			}

			mockcls := mockcgnetcls.NewMockCgroupnetcls(ctrl)
			p.netcls = mockcls

			Convey("I should not get an error ", func() {
				mockcls.EXPECT().ListAllCgroups(gomock.Any()).Return([]string{"cgroup"})
				mockcls.EXPECT().ListCgroupProcesses(gomock.Any()).Return([]string{"procs"}, nil)
				mockcls.EXPECT().Creategroup(gomock.Any()).Return(nil)
				mockcls.EXPECT().AssignMark(gomock.Any(), gomock.Any()).Return(nil)
				puHandler.EXPECT().HandlePUEvent(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return(nil)
				err := p.Resync(context.Background(), event)
				So(err, ShouldBeNil)
			})
		})

		Convey("When I get a resync event with no croup process", func() {
			event := &common.EventInfo{
				Name:      "PU",
				PID:       1,
				PUID:      "12345",
				EventType: common.EventStart,
				PUType:    common.LinuxProcessPU,
			}

			mockcls := mockcgnetcls.NewMockCgroupnetcls(ctrl)
			p.netcls = mockcls

			Convey("I should not get an error ", func() {
				mockcls.EXPECT().ListAllCgroups(gomock.Any()).Return([]string{"cgroup"})
				mockcls.EXPECT().ListCgroupProcesses(gomock.Any()).Return([]string{}, nil)
				mockcls.EXPECT().DeleteCgroup(gomock.Any()).Return(nil)
				err := p.Resync(context.Background(), event)
				So(err, ShouldBeNil)
			})
		})

		Convey("When I get a resync event for hostservice", func() {
			event := &common.EventInfo{
				Name:               "PU",
				PID:                1,
				PUID:               "12345",
				EventType:          common.EventStart,
				HostService:        true,
				NetworkOnlyTraffic: true,
				PUType:             common.LinuxProcessPU,
			}

			Convey("I should not get an error ", func() {
				puHandler.EXPECT().HandlePUEvent(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return(nil)
				err := p.Resync(context.Background(), event)
				So(err, ShouldBeNil)
			})
		})
	})
}


================================================
FILE: monitor/internal/pod/config.go
================================================
package podmonitor

import (
	"go.aporeto.io/trireme-lib/monitor/extractors"
)

// Config is the config for the Kubernetes monitor
type Config struct { // nolint
	Kubeconfig     string
	Nodename       string
	EnableHostPods bool
	Workers        int

	MetadataExtractor         extractors.PodMetadataExtractor
	NetclsProgrammer          extractors.PodNetclsProgrammer
	PidsSetMaxProcsProgrammer extractors.PodPidsSetMaxProcsProgrammer
	ResetNetcls               extractors.ResetNetclsKubepods
	SandboxExtractor          extractors.PodSandboxExtractor
}

// DefaultConfig provides a default configuration
func DefaultConfig() *Config {
	return &Config{
		MetadataExtractor:         nil,
		NetclsProgrammer:          nil,
		PidsSetMaxProcsProgrammer: nil,
		ResetNetcls:               nil,
		SandboxExtractor:          nil,
		EnableHostPods:            false,
		Kubeconfig:                "",
		Nodename:                  "",
		Workers:                   4,
	}
}

// SetupDefaultConfig adds defaults to a partial configuration
func SetupDefaultConfig(kubernetesConfig *Config) *Config {
	return kubernetesConfig
}


================================================
FILE: monitor/internal/pod/config_test.go
================================================
package podmonitor

import (
	"testing"

	. "github.com/smartystreets/goconvey/convey"
)

func TestConfig(t *testing.T) {
	Convey("SetupDefaultConfig should just return the config as is", t, func() {
		c := SetupDefaultConfig(&Config{
			Kubeconfig:        "test",
			Nodename:          "test",
			EnableHostPods:    true,
			MetadataExtractor: nil,
			NetclsProgrammer:  nil,
			ResetNetcls:       nil,
			Workers:           6,
		})
		So(c.Kubeconfig, ShouldEqual, "test")
		So(c.Nodename, ShouldEqual, "test")
		So(c.EnableHostPods, ShouldBeTrue)
		So(c.MetadataExtractor, ShouldBeNil)
		So(c.NetclsProgrammer, ShouldBeNil)
		So(c.ResetNetcls, ShouldBeNil)
		So(c.Workers, ShouldEqual, 6)
	})

	Convey("DefaultConfig should always return a pointer to a config", t, func() {
		c := DefaultConfig()
		So(c, ShouldNotBeNil)
	})
}


================================================
FILE: monitor/internal/pod/controller.go
================================================
// +build linux !windows

package podmonitor

import (
	"context"
	errs "errors"
	"time"

	"k8s.io/client-go/tools/record"

	"go.aporeto.io/trireme-lib/common"
	"go.aporeto.io/trireme-lib/monitor/config"
	"go.aporeto.io/trireme-lib/monitor/extractors"
	"go.aporeto.io/trireme-lib/policy"
	"go.uber.org/zap"

	corev1 "k8s.io/api/core/v1"
	"k8s.io/apimachinery/pkg/api/errors"

	"sigs.k8s.io/controller-runtime/pkg/client"
	"sigs.k8s.io/controller-runtime/pkg/controller"
	"sigs.k8s.io/controller-runtime/pkg/event"
	"sigs.k8s.io/controller-runtime/pkg/handler"
	"sigs.k8s.io/controller-runtime/pkg/manager"
	"sigs.k8s.io/controller-runtime/pkg/reconcile"
	"sigs.k8s.io/controller-runtime/pkg/source"
)

var (
	// ErrHandlePUStartEventFailed is the error sent back if a start event fails
	ErrHandlePUStartEventFailed = errs.New("Aporeto Enforcer start event failed")

	// ErrNetnsExtractionMissing is the error when we are missing a PID or netns path after successful metadata extraction
	ErrNetnsExtractionMissing = errs.New("Aporeto Enforcer missed to extract PID or netns path")

	// ErrHandlePUStopEventFailed is the error sent back if a stop event fails
	ErrHandlePUStopEventFailed = errs.New("Aporeto Enforcer stop event failed")

	// ErrHandlePUDestroyEventFailed is the error sent back if a create event fails
	ErrHandlePUDestroyEventFailed = errs.New("Aporeto Enforcer destroy event failed")
)

// newReconciler returns a new reconcile.Reconciler
func newReconciler(mgr manager.Manager, handler *config.ProcessorConfig, metadataExtractor extractors.PodMetadataExtractor, netclsProgrammer extractors.PodNetclsProgrammer, sandboxExtractor extractors.PodSandboxExtractor, nodeName string, enableHostPods bool, deleteCh chan<- DeleteEvent, deleteReconcileCh chan<- struct{}, resyncInfo *ResyncInfoChan) *ReconcilePod {
	return &ReconcilePod{
		client:            mgr.GetClient(),
		recorder:          mgr.GetRecorder("trireme-pod-controller"),
		handler:           handler,
		metadataExtractor: metadataExtractor,
		netclsProgrammer:  netclsProgrammer,
		sandboxExtractor:  sandboxExtractor,
		nodeName:          nodeName,
		enableHostPods:    enableHostPods,
		deleteCh:          deleteCh,
		deleteReconcileCh: deleteReconcileCh,
		resyncInfo:        resyncInfo,

		// TODO: should move into configuration
		handlePUEventTimeout:   60 * time.Second,
		metadataExtractTimeout: 10 * time.Second,
		netclsProgramTimeout:   10 * time.Second,
	}
}

// addController adds a new Controller to mgr with r as the reconcile.Reconciler
func addController(mgr manager.Manager, r *ReconcilePod, workers int, eventsCh <-chan event.GenericEvent) error {
	// Create a new controller
	c, err := controller.New("trireme-pod-controller", mgr, controller.Options{
		Reconciler:              r,
		MaxConcurrentReconciles: workers,
	})
	if err != nil {
		return err
	}

	// we use this mapper in both of our event sources
	mapper := &WatchPodMapper{
		client:         mgr.GetClient(),
		nodeName:       r.nodeName,
		enableHostPods: r.enableHostPods,
	}

	// use the our watch pod mapper which filters pods before we reconcile
	if err := c.Watch(
		&source.Kind{Type: &corev1.Pod{}},
		&handler.EnqueueRequestsFromMapFunc{ToRequests: mapper},
	); err != nil {
		return err
	}

	// we pass in a custom channel for events generated by resync
	return c.Watch(
		&source.Channel{Source: eventsCh},
		&handler.EnqueueRequestsFromMapFunc{ToRequests: mapper},
	)
}

var _ reconcile.Reconciler = &ReconcilePod{}

// DeleteEvent is used to send delete events to our event loop which will watch
// them for real deletion in the Kubernetes API. Once an object is gone, we will
// send down destroy events to trireme.
type DeleteEvent struct {
	PodUID        string
	SandboxID     string
	NamespaceName client.ObjectKey
}

// ReconcilePod reconciles a Pod object
type ReconcilePod struct {
	// This client, initialized using mgr.Client() above, is a split client
	// that reads objects from the cache and writes to the apiserver
	client            client.Client
	recorder          record.EventRecorder
	handler           *config.ProcessorConfig
	metadataExtractor extractors.PodMetadataExtractor
	netclsProgrammer  extractors.PodNetclsProgrammer
	sandboxExtractor  extractors.PodSandboxExtractor
	nodeName          string
	enableHostPods    bool
	deleteCh          chan<- DeleteEvent
	deleteReconcileCh chan<- struct{}
	resyncInfo        *ResyncInfoChan

	metadataExtractTimeout time.Duration
	handlePUEventTimeout   time.Duration
	netclsProgramTimeout   time.Duration
}

func (r *ReconcilePod) resyncHelper(nn string) {
	if r.resyncInfo != nil {
		r.resyncInfo.SendInfo(nn)
	}
}

// Reconcile reads that state of the cluster for a pod object
func (r *ReconcilePod) Reconcile(request reconcile.Request) (reconcile.Result, error) {
	ctx := context.Background()
	nn := request.NamespacedName.String()

	// we do this very early on:
	// whatever happened to the processing of this pod event, we are telling the Resync handler
	// that we have seen it. Even if we have not sent an event to the policy engine,
	// it means that most likely we are okay for an existing PU to be deleted first
	defer r.resyncHelper(nn)

	var puID, sandboxID string
	var err error
	// Fetch the corresponding pod object.
	pod := &corev1.Pod{}
	if err := r.client.Get(ctx, request.NamespacedName, pod); err != nil {
		if errors.IsNotFound(err) {
			r.deleteReconcileCh <- struct{}{}
			return reconcile.Result{}, nil
		}
		// Otherwise, we retry.
		return reconcile.Result{}, err
	}

	sandboxID, err = r.sandboxExtractor(ctx, pod)
	if err != nil {
		// Do nothing if we can't find the sandboxID
		zap.L().Debug("Pod reconcile: Cannot extract the SandboxID for ", zap.String("podname: ", nn))
	}
	puID = string(pod.GetUID())
	// abort immediately if this is a HostNetwork pod, but we don't want to activate them
	// NOTE: is already done in the mapper, however, this additional check does not hurt
	if pod.Spec.HostNetwork && !r.enableHostPods {
		zap.L().Debug("Pod is a HostNetwork pod, but enableHostPods is false", zap.String("puID", puID), zap.String("namespacedName", nn))
		return reconcile.Result{}, nil
	}

	// it looks like we can miss events for all sorts of unknown reasons
	// if we reconcile though and the pod exists, we definitely know though
	// that it must go away at some point, so always register it with the delete controller
	r.deleteCh <- DeleteEvent{
		PodUID:        puID,
		SandboxID:     sandboxID,
		NamespaceName: request.NamespacedName,
	}

	// try to find out if any of the containers have been started yet
	// this is static information on the pod, we don't need to care of the phase for determining that
	// NOTE: This is important because InitContainers are started during the PodPending phase which is
	//       what we need to rely on for activation as early as possible
	var started bool
	for _, status := range pod.Status.InitContainerStatuses {
		if status.State.Running != nil {
			started = true
			break
		}
	}
	if !started {
		for _, status := range pod.Status.ContainerStatuses {
			if status.State.Running != nil {
				started = true
				break
			}
		}
	}

	switch pod.Status.Phase {
	case corev1.PodPending:
		fallthrough
	case corev1.PodRunning:
		zap.L().Debug("PodPending / PodRunning", zap.String("puID", puID), zap.String("namespacedName", nn), zap.Bool("anyContainerStarted", started))

		// now try to do the metadata extraction
		extractCtx, extractCancel := context.WithTimeout(ctx, r.metadataExtractTimeout)
		defer extractCancel()
		puRuntime, err := r.metadataExtractor(extractCtx, pod, started)
		if err != nil {
			zap.L().Error("failed to extract metadata", zap.String("puID", puID), zap.String("namespacedName", nn), zap.Error(err))
			r.recorder.Eventf(pod, "Warning", "PUExtractMetadata", "PU '%s' failed to extract metadata: %s", puID, err.Error())
			return reconcile.Result{}, err
		}

		// now create/update the PU
		// every HandlePUEvent call gets done in this context
		handlePUCtx, handlePUCancel := context.WithTimeout(ctx, r.handlePUEventTimeout)
		defer handlePUCancel()
		if err := r.handler.Policy.HandlePUEvent(
			handlePUCtx,
			puID,
			common.EventUpdate,
			puRuntime,
		); err != nil {
			zap.L().Error("failed to handle update event", zap.String("puID", puID), zap.String("namespacedName", nn), zap.Error(err))
			r.recorder.Eventf(pod, "Warning", "PUUpdate", "failed to handle update event for PU '%s': %s", puID, err.Error())
			// return reconcile.Result{}, err
		} else {
			r.recorder.Eventf(pod, "Normal", "PUUpdate", "PU '%s' updated successfully", puID)
		}

		// NOTE: a pod that is terminating, is going to reconcile as well in the PodRunning phase,
		// however, it will have the deletion timestamp set which is an indicator for us that it is
		// shutting down. It means for us, that we don't have to start anything anymore. We can safely stop
		// the PU when the phase is PodSucceeded/PodFailed. However, we sent an update event above and included
		// some new tags from the metadata extractor.
		if pod.DeletionTimestamp != nil {
			return reconcile.Result{}, nil
		}
		// If the pod hasn't started or if there is no sandbox present, requeue.
		if sandboxID == "" || !started {
			return reconcile.Result{Requeue: true}, nil
		}
		if started {
			// if the metadata extractor is missing the PID or nspath, we need to try again
			// we need it for starting the PU. However, only require this if we are not in host network mode.
			// NOTE: this can happen for example if the containers are not in a running state on their own
			if !pod.Spec.HostNetwork && len(puRuntime.NSPath()) == 0 && puRuntime.Pid() == 0 {
				zap.L().Error("Kubernetes thinks a container is running, however, we failed to extract a PID or NSPath with the metadata extractor. Requeueing...", zap.String("puID", puID), zap.String("namespacedName", nn))
				r.recorder.Eventf(pod, "Warning", "PUStart", "PU '%s' failed to extract netns", puID)
				return reconcile.Result{}, ErrNetnsExtractionMissing
			}

			// now start the PU
			// every HandlePUEvent call gets done in this context
			handlePUStartCtx, handlePUStartCancel := context.WithTimeout(ctx, r.handlePUEventTimeout)
			defer handlePUStartCancel()
			if err := r.handler.Policy.HandlePUEvent(
				handlePUStartCtx,
				puID,
				common.EventStart,
				puRuntime,
			); err != nil {
				if policy.IsErrPUAlreadyActivated(err) {
					// abort early if this PU has already been activated before
					zap.L().Debug("PU has already been activated", zap.String("puID", puID), zap.String("namespacedName", nn), zap.Error(err))
				} else {
					zap.L().Error("failed to handle start event", zap.String("puID", puID), zap.String("namespacedName", nn), zap.Error(err))
					r.recorder.Eventf(pod, "Warning", "PUStart", "PU '%s' failed to start: %s", puID, err.Error())
				}
			} else {
				r.recorder.Eventf(pod, "Normal", "PUStart", "PU '%s' started successfully", puID)
			}

			// if this is a host network pod, we need to program the net_cls cgroup
			if pod.Spec.HostNetwork {
				netclsProgramCtx, netclsProgramCancel := context.WithTimeout(ctx, r.netclsProgramTimeout)
				defer netclsProgramCancel()
				if err := r.netclsProgrammer(netclsProgramCtx, pod, puRuntime); err != nil {
					if extractors.IsErrNetclsAlreadyProgrammed(err) {
						zap.L().Debug("net_cls cgroup has already been programmed previously", zap.String("puID", puID), zap.String("namespacedName", nn), zap.Error(err))
					} else if extractors.IsErrNoHostNetworkPod(err) {
						zap.L().Error("net_cls cgroup programmer told us that this is no host network pod.", zap.String("puID", puID), zap.String("namespacedName", nn), zap.Error(err))
					} else {
						zap.L().Error("failed to program net_cls cgroup of pod", zap.String("puID", puID), zap.String("namespacedName", nn), zap.Error(err))
						r.recorder.Eventf(pod, "Warning", "PUStart", "Host Network PU '%s' failed to program its net_cls cgroups: %s", puID, err.Error())
						return reconcile.Result{}, err
					}
				} else {
					zap.L().Debug("net_cls cgroup has been successfully programmed for trireme", zap.String("puID", puID), zap.String("namespacedName", nn))
					r.recorder.Eventf(pod, "Normal", "PUStart", "Host Network PU '%s' has successfully programmed its net_cls cgroups", puID)
				}
			}
		}
		return reconcile.Result{}, nil

	case corev1.PodSucceeded:
		fallthrough
	case corev1.PodFailed:
		zap.L().Debug("PodSucceeded / PodFailed", zap.String("puID", puID), zap.String("namespacedName", nn))
		// do metadata extraction regardless of them being stopped
		//
		// there is the edge case that the enforcer is starting up and we encounter the pod for the first time
		// in stopped state, so we have to do metadata extraction here as well
		extractCtx, extractCancel := context.WithTimeout(ctx, r.metadataExtractTimeout)
		defer extractCancel()
		puRuntime, err := r.metadataExtractor(extractCtx, pod, started)
		if err != nil {
			zap.L().Error("failed to extract metadata", zap.String("puID", puID), zap.String("namespacedName", nn), zap.Error(err))
			r.recorder.Eventf(pod, "Warning", "PUExtractMetadata", "PU '%s' failed to extract metadata: %s", puID, err.Error())
			return reconcile.Result{}, err
		}

		// every HandlePUEvent call gets done in this context
		handlePUCtx, handlePUCancel := context.WithTimeout(ctx, r.handlePUEventTimeout)
		defer handlePUCancel()

		if err := r.handler.Policy.HandlePUEvent(
			handlePUCtx,
			puID,
			common.EventUpdate,
			puRuntime,
		); err != nil {
			zap.L().Error("failed to handle update event", zap.String("puID", puID), zap.String("namespacedName", nn), zap.Error(err))
			r.recorder.Eventf(pod, "Warning", "PUUpdate", "failed to handle update event for PU '%s': %s", puID, err.Error())
			// return reconcile.Result{}, err
		} else {
			r.recorder.Eventf(pod, "Normal", "PUUpdate", "PU '%s' updated successfully", puID)
		}

		if err := r.handler.Policy.HandlePUEvent(
			handlePUCtx,
			puID,
			common.EventStop,
			puRuntime,
		); err != nil {
			zap.L().Error("failed to handle stop event", zap.String("puID", puID), zap.String("namespacedName", nn), zap.Error(err))
			r.recorder.Eventf(pod, "Warning", "PUStop", "PU '%s' failed to stop: %s", puID, err.Error())
		} else {
			r.recorder.Eventf(pod, "Normal", "PUStop", "PU '%s' has been successfully stopped", puID)
		}

		// we don't need to reconcile
		// sending the stop event is enough
		return reconcile.Result{}, nil

	case corev1.PodUnknown:
		zap.L().Error("pod is in unknown state", zap.String("puID", puID), zap.String("namespacedName", nn))

		// we don't need to retry, there is nothing *we* can do about it to fix this
		return reconcile.Result{}, nil
	default:
		zap.L().Error("unknown pod phase", zap.String("puID", puID), zap.String("namespacedName", nn), zap.String("podPhase", string(pod.Status.Phase)))

		// we don't need to retry, there is nothing *we* can do about it to fix this
		return reconcile.Result{}, nil
	}
}


================================================
FILE: monitor/internal/pod/controller_test.go
================================================
// +build linux

package podmonitor

import (
	"context"
	"fmt"
	"testing"
	"time"

	"go.aporeto.io/trireme-lib/monitor/extractors"

	"go.aporeto.io/trireme-lib/common"

	"github.com/golang/mock/gomock"
	. "github.com/smartystreets/goconvey/convey"
	"go.aporeto.io/trireme-lib/monitor/config"
	"go.aporeto.io/trireme-lib/policy"
	"go.aporeto.io/trireme-lib/policy/mockpolicy"

	corev1 "k8s.io/api/core/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/apimachinery/pkg/runtime"
	"k8s.io/apimachinery/pkg/types"

	fakeclient "sigs.k8s.io/controller-runtime/pkg/client/fake"
	"sigs.k8s.io/controller-runtime/pkg/reconcile"
)

// TODO: should be a mock, but how to create it? we don't even vendor in tireme-lib
type fakeRecorder struct{}

func (r *fakeRecorder) Event(object runtime.Object, eventtype, reason, message string) {
}
func (r *fakeRecorder) Eventf(object runtime.Object, eventtype, reason, messageFmt string, args ...interface{}) {
}
func (r *fakeRecorder) PastEventf(object runtime.Object, timestamp metav1.Time, eventtype, reason, messageFmt string, args ...interface{}) {
}
func (r *fakeRecorder) AnnotatedEventf(object runtime.Object, annotations map[string]string, eventtype, reason, messageFmt string, args ...interface{}) {
}

func TestController(t *testing.T) {
	Convey("Given a reconciler", t, func() {
		ctrl := gomock.NewController(t)
		defer ctrl.Finish()
		// ctx := context.TODO()

		failure := fmt.Errorf("fail hard")

		pod1 := &corev1.Pod{
			ObjectMeta: metav1.ObjectMeta{
				Name:      "pod1",
				Namespace: "default",
				UID:       types.UID("default/pod1"),
			},
		}
		pod2 := &corev1.Pod{
			ObjectMeta: metav1.ObjectMeta{
				Name:      "pod2",
				Namespace: "default",
				UID:       types.UID("default/pod2"),
			},
			Spec: corev1.PodSpec{
				HostNetwork: true,
			},
		}
		pod3 := &corev1.Pod{
			ObjectMeta: metav1.ObjectMeta{
				Name:              "pod3",
				Namespace:         "default",
				UID:               types.UID("default/pod3"),
				DeletionTimestamp: &metav1.Time{Time: time.Now()},
			},
			Status: corev1.PodStatus{
				Phase: corev1.PodRunning,
			},
		}
		podUnknown := &corev1.Pod{
			ObjectMeta: metav1.ObjectMeta{
				Name:      "unknown",
				Namespace: "default",
				UID:       types.UID("default/unknown"),
			},
			Status: corev1.PodStatus{
				Phase: corev1.PodUnknown,
			},
		}
		podUnrecognized := &corev1.Pod{
			ObjectMeta: metav1.ObjectMeta{
				Name:      "unrecognized",
				Namespace: "default",
				UID:       types.UID("default/unrecognized"),
			},
			Status: corev1.PodStatus{
				Phase: corev1.PodPhase("not-really-a-pod-phase"),
			},
		}
		podFailed := &corev1.Pod{
			ObjectMeta: metav1.ObjectMeta{
				Name:      "failed",
				Namespace: "default",
				UID:       types.UID("default/failed"),
			},
			Status: corev1.PodStatus{
				Phase: corev1.PodFailed,
			},
		}
		podSucceeded := &corev1.Pod{
			ObjectMeta: metav1.ObjectMeta{
				Name:      "succeeded",
				Namespace: "default",
				UID:       types.UID("default/succeeded"),
			},
			Status: corev1.PodStatus{
				Phase: corev1.PodSucceeded,
			},
		}
		podPending := &corev1.Pod{
			ObjectMeta: metav1.ObjectMeta{
				Name:      "pending",
				Namespace: "default",
				UID:       types.UID("default/pending"),
			},
			Status: corev1.PodStatus{
				Phase: corev1.PodPending,
			},
		}
		podPendingAndStarted := &corev1.Pod{
			ObjectMeta: metav1.ObjectMeta{
				Name:      "pendingAndStarted",
				Namespace: "default",
				UID:       types.UID("default/pendingAndStarted"),
			},
			Status: corev1.PodStatus{
				Phase: corev1.PodPending,
				InitContainerStatuses: []corev1.ContainerStatus{
					{
						State: corev1.ContainerState{
							Running: &corev1.ContainerStateRunning{
								StartedAt: metav1.Time{Time: time.Now()},
							},
						},
					},
				},
			},
		}
		podRunningNotStarted := &corev1.Pod{
			ObjectMeta: metav1.ObjectMeta{
				Name:      "runningNotStarted",
				Namespace: "default",
				UID:       types.UID("default/runningNotStarted"),
			},
			Status: corev1.PodStatus{
				Phase: corev1.PodRunning,
			},
		}
		podRunning := &corev1.Pod{
			ObjectMeta: metav1.ObjectMeta{
				Name:      "running",
				Namespace: "default",
				UID:       types.UID("default/running"),
			},
			Status: corev1.PodStatus{
				Phase: corev1.PodRunning,
				InitContainerStatuses: []corev1.ContainerStatus{
					{
						State: corev1.ContainerState{
							Terminated: &corev1.ContainerStateTerminated{
								ExitCode: 0,
							},
						},
					},
				},
				ContainerStatuses: []corev1.ContainerStatus{
					{
						State: corev1.ContainerState{
							Running: &corev1.ContainerStateRunning{
								StartedAt: metav1.Time{Time: time.Now()},
							},
						},
					},
				},
			},
		}
		podRunningHostNetwork := &corev1.Pod{
			ObjectMeta: metav1.ObjectMeta{
				Name:      "runningHostNetwork",
				Namespace: "default",
				UID:       types.UID("default/runningHostNetwork"),
			},
			Spec: corev1.PodSpec{
				HostNetwork: true,
			},
			Status: corev1.PodStatus{
				Phase: corev1.PodRunning,
				ContainerStatuses: []corev1.ContainerStatus{
					{
						State: corev1.ContainerState{
							Running: &corev1.ContainerStateRunning{
								StartedAt: metav1.Time{Time: time.Now()},
							},
						},
					},
				},
			},
		}
		c := fakeclient.NewFakeClient(pod1, pod2, pod3, podUnknown, podUnrecognized, podSucceeded, podFailed, podPending, podPendingAndStarted, podRunningNotStarted, podRunning, podRunningHostNetwork)

		handler := mockpolicy.NewMockResolver(ctrl)

		metadataExtractor := func(ctx context.Context, p *corev1.Pod, extractNetns bool) (*policy.PURuntime, error) {
			return nil, nil
		}
		netclsProgrammer := func(context.Context, *corev1.Pod, policy.RuntimeReader) error {
			return nil
		}

		sandboxExtractor := func(context.Context, *corev1.Pod) (string, error) {
			return "", nil
		}

		sandboxID := "test"
		// we will only send all delete events in this test, we are not going to handle them
		deleteCh := make(chan DeleteEvent, 1000)
		deleteReconcileCh := make(chan struct{}, 1000)

		pc := &config.ProcessorConfig{
			Policy: handler,
		}

		r := &ReconcilePod{
			client:            c,
			recorder:          &fakeRecorder{},
			handler:           pc,
			metadataExtractor: metadataExtractor,
			netclsProgrammer:  netclsProgrammer,
			sandboxExtractor:  sandboxExtractor,
			nodeName:          "testing-node",
			enableHostPods:    true,
			deleteCh:          deleteCh,
			deleteReconcileCh: deleteReconcileCh,
			resyncInfo:        NewResyncInfoChan(),

			// taken from original file
			handlePUEventTimeout:   5 * time.Second,
			metadataExtractTimeout: 3 * time.Second,
			netclsProgramTimeout:   2 * time.Second,
		}

		Convey("a not existing pod should trigger a destroy event without any error", func() {
			//handler.EXPECT().HandlePUEvent(gomock.Any(), "b/a", common.EventDestroy, gomock.Any()).Return(nil).Times(1)
			_, err := r.Reconcile(reconcile.Request{NamespacedName: types.NamespacedName{Name: "a", Namespace: "b"}})
			So(err, ShouldBeNil)
		})

		Convey("a not existing pod should trigger a destroy event, and *not* fail if it cannot handle the destroy", func() {
			//handler.EXPECT().HandlePUEvent(gomock.Any(), "b/a", common.EventDestroy, gomock.Any()).Return(fmt.Errorf("stopping failed")).Times(1)
			_, err := r.Reconcile(reconcile.Request{NamespacedName: types.NamespacedName{Name: "a", Namespace: "b"}})
			So(err, ShouldBeNil)
		})

		Convey("an existing pod with HostNetwork=true, but host pod activation disabled, should silently return", func() {
			r.enableHostPods = false
			_, err := r.Reconcile(reconcile.Request{NamespacedName: types.NamespacedName{Name: "pod2", Namespace: "default"}})
			So(err, ShouldBeNil)
		})

		Convey("a pod which is terminating, should update metadata and silently return", func() {
			handler.EXPECT().HandlePUEvent(gomock.Any(), "default/pod3", common.EventUpdate, gomock.Any()).Return(nil).Times(1)
			_, err := r.Reconcile(reconcile.Request{NamespacedName: types.NamespacedName{Name: "pod3", Namespace: "default"}})
			So(err, ShouldBeNil)
		})

		Convey("a pod which is in PodUnknown state should silently return", func() {
			_, err := r.Reconcile(reconcile.Request{NamespacedName: types.NamespacedName{Name: "unknown", Namespace: "default"}})
			So(err, ShouldBeNil)
		})

		Convey("a pod which has an unrecognized pod phase should silently return", func() {
			_, err := r.Reconcile(reconcile.Request{NamespacedName: types.NamespacedName{Name: "unrecognized", Namespace: "default"}})
			So(err, ShouldBeNil)
		})

		Convey("a pod which is in podsucceeded or podfailed state should try to stop the PU", func() {
			handler.EXPECT().HandlePUEvent(gomock.Any(), "default/failed", common.EventUpdate, gomock.Any()).Return(fmt.Errorf("update failed")).Times(1)
			handler.EXPECT().HandlePUEvent(gomock.Any(), "default/failed", common.EventStop, gomock.Any()).Return(fmt.Errorf("stop failed")).Times(1)
			_, err := r.Reconcile(reconcile.Request{NamespacedName: types.NamespacedName{Name: "failed", Namespace: "default"}})
			So(err, ShouldBeNil)

			handler.EXPECT().HandlePUEvent(gomock.Any(), "default/succeeded", common.EventUpdate, gomock.Any()).Return(nil).Times(1)
			handler.EXPECT().HandlePUEvent(gomock.Any(), "default/succeeded", common.EventStop, gomock.Any()).Return(nil).Times(1)
			_, err = r.Reconcile(reconcile.Request{NamespacedName: types.NamespacedName{Name: "succeeded", Namespace: "default"}})
			So(err, ShouldBeNil)

			handler.EXPECT().HandlePUEvent(gomock.Any(), "default/succeeded", common.EventUpdate, gomock.Any()).Return(policy.ErrPUNotFound("default/succeeded", nil)).Times(1)
			handler.EXPECT().HandlePUEvent(gomock.Any(), "default/succeeded", common.EventStop, gomock.Any()).Return(policy.ErrPUNotFound("default/succeeded", nil)).Times(1)
			_, err = r.Reconcile(reconcile.Request{NamespacedName: types.NamespacedName{Name: "succeeded", Namespace: "default"}})
			So(err, ShouldBeNil)

			Convey("and retry if metadata extraction fails", func() {
				r.metadataExtractor = func(ctx context.Context, p *corev1.Pod, extractNetns bool) (*policy.PURuntime, error) {
					return nil, failure
				}
				_, err := r.Reconcile(reconcile.Request{NamespacedName: types.NamespacedName{Name: "succeeded", Namespace: "default"}})
				So(err, ShouldNotBeNil)
				So(err, ShouldEqual, failure)
			})

			Reset(func() {
				r.metadataExtractor = metadataExtractor
			})
		})

		Convey("a pod in pending state should update or create a PU if it does already exist", func() {
			// metadata extractor needs to change tags in order to provoke an update call
			r.metadataExtractor = func(ctx context.Context, p *corev1.Pod, extractNetns bool) (*policy.PURuntime, error) {
				ru := policy.NewPURuntimeWithDefaults()
				ru.SetTags(policy.NewTagStoreFromMap(map[string]string{"exists": "exists", "a": "b"}))
				return ru, nil
			}

			// update works
			existingRuntime := policy.NewPURuntimeWithDefaults()
			existingRuntime.SetTags(policy.NewTagStoreFromMap(map[string]string{"exists": "exists"}))
			handler.EXPECT().HandlePUEvent(gomock.Any(), "default/pending", common.EventUpdate, gomock.Any()).Return(nil).Times(1)
			_, err := r.Reconcile(reconcile.Request{NamespacedName: types.NamespacedName{Name: "pending", Namespace: "default"}})
			So(err, ShouldBeNil)

			// update fails hard
			handler.EXPECT().HandlePUEvent(gomock.Any(), "default/pending", common.EventUpdate, gomock.Any()).Return(failure).Times(1)
			_, err = r.Reconcile(reconcile.Request{NamespacedName: types.NamespacedName{Name: "pending", Namespace: "default"}})
			So(err, ShouldBeNil)

			// PU does not exist, but create fails hard
			handler.EXPECT().HandlePUEvent(gomock.Any(), "default/pending", common.EventUpdate, gomock.Any()).Return(policy.ErrPUNotFound("default/pending", nil)).Times(1)
			_, err = r.Reconcile(reconcile.Request{NamespacedName: types.NamespacedName{Name: "pending", Namespace: "default"}})
			So(err, ShouldBeNil)

			// PU does not exist, but create succeeds
			handler.EXPECT().HandlePUEvent(gomock.Any(), "default/pending", common.EventUpdate, gomock.Any()).Return(policy.ErrPUNotFound("default/pending", nil)).Times(1)
			_, err = r.Reconcile(reconcile.Request{NamespacedName: types.NamespacedName{Name: "pending", Namespace: "default"}})
			So(err, ShouldBeNil)
		})

		Convey("a pod in pending state which has an init container started, should silently return if everything could be started", func() {
			r.metadataExtractor = func(ctx context.Context, p *corev1.Pod, extractNetns bool) (*policy.PURuntime, error) {
				return policy.NewPURuntime("default/pendingAndStarted", 42, "", nil, nil, common.ContainerPU, nil), nil
			}
			r.sandboxExtractor = func(context.Context, *corev1.Pod) (string, error) {
				return sandboxID, nil
			}
			handler.EXPECT().HandlePUEvent(gomock.Any(), "default/pendingAndStarted", common.EventUpdate, gomock.Any()).Return(nil).Times(1)
			handler.EXPECT().HandlePUEvent(gomock.Any(), "default/pendingAndStarted", common.EventStart, gomock.Any()).Return(nil).Times(1)
			_, err := r.Reconcile(reconcile.Request{NamespacedName: types.NamespacedName{Name: "pendingAndStarted", Namespace: "default"}})
			So(err, ShouldBeNil)
		})

		Convey("a pod in running state should silently return if no containers have been started yet", func() {
			handler.EXPECT().HandlePUEvent(gomock.Any(), "default/runningNotStarted", common.EventUpdate, gomock.Any()).Return(nil).Times(1)
			_, err := r.Reconcile(reconcile.Request{NamespacedName: types.NamespacedName{Name: "runningNotStarted", Namespace: "default"}})
			So(err, ShouldBeNil)
		})

		Convey("a pod in running state", func() {
			Convey("should retry if metadata extraction fails", func() {
				r.metadataExtractor = func(ctx context.Context, p *corev1.Pod, extractNetns bool) (*policy.PURuntime, error) {
					return nil, failure
				}
				_, err := r.Reconcile(reconcile.Request{NamespacedName: types.NamespacedName{Name: "running", Namespace: "default"}})
				So(err, ShouldNotBeNil)
				So(err, ShouldEqual, failure)
			})
			Convey("should retry if metadata extraction succeeded, but no PID nor netns path were found and this is not a hostnetwork pod", func() {
				handler.EXPECT().HandlePUEvent(gomock.Any(), "default/running", common.EventUpdate, gomock.Any()).Return(nil).Times(1)
				r.metadataExtractor = func(ctx context.Context, p *corev1.Pod, extractNetns bool) (*policy.PURuntime, error) {
					return policy.NewPURuntimeWithDefaults(), nil
				}
				r.sandboxExtractor = func(context.Context, *corev1.Pod) (string, error) {
					return sandboxID, nil
				}
				_, err := r.Reconcile(reconcile.Request{NamespacedName: types.NamespacedName{Name: "running", Namespace: "default"}})
				So(err, ShouldNotBeNil)
				So(err, ShouldEqual, ErrNetnsExtractionMissing)
			})
			Convey("should *not* fail if metadata and PID/netnspath extraction succeeded, but the Start PU event fails", func() {
				r.metadataExtractor = func(ctx context.Context, p *corev1.Pod, extractNetns bool) (*policy.PURuntime, error) {
					return policy.NewPURuntime("default/running", 42, "", nil, nil, common.ContainerPU, nil), nil
				}
				r.sandboxExtractor = func(context.Context, *corev1.Pod) (string, error) {
					return sandboxID, nil
				}
				handler.EXPECT().HandlePUEvent(gomock.Any(), "default/running", common.EventUpdate, gomock.Any()).Return(nil).Times(1)
				handler.EXPECT().HandlePUEvent(gomock.Any(), "default/running", common.EventStart, gomock.Any()).Return(failure).Times(1)
				_, err := r.Reconcile(reconcile.Request{NamespacedName: types.NamespacedName{Name: "running", Namespace: "default"}})
				So(err, ShouldBeNil)
			})
			Convey("should return silently if metadata and PID/netnspath extraction succeeded, but the PU has already been activated", func() {
				r.metadataExtractor = func(ctx context.Context, p *corev1.Pod, extractNetns bool) (*policy.PURuntime, error) {
					return policy.NewPURuntime("default/running", 42, "", nil, nil, common.ContainerPU, nil), nil
				}
				r.sandboxExtractor = func(context.Context, *corev1.Pod) (string, error) {
					return sandboxID, nil
				}
				handler.EXPECT().HandlePUEvent(gomock.Any(), "default/running", common.EventUpdate, gomock.Any()).Return(nil).Times(1)
				handler.EXPECT().HandlePUEvent(gomock.Any(), "default/running", common.EventStart, gomock.Any()).Return(policy.ErrPUAlreadyActivated("default/running", nil)).Times(1)
				_, err := r.Reconcile(reconcile.Request{NamespacedName: types.NamespacedName{Name: "running", Namespace: "default"}})
				So(err, ShouldBeNil)
			})
			Convey("should return silently if metadata and PID/netnspath extraction succeeded, and the PU could be successfully activated", func() {
				r.metadataExtractor = func(ctx context.Context, p *corev1.Pod, extractNetns bool) (*policy.PURuntime, error) {
					return policy.NewPURuntime("default/running", 42, "", nil, nil, common.ContainerPU, nil), nil
				}
				r.sandboxExtractor = func(context.Context, *corev1.Pod) (string, error) {
					return sandboxID, nil
				}
				handler.EXPECT().HandlePUEvent(gomock.Any(), "default/running", common.EventUpdate, gomock.Any()).Return(nil).Times(1)
				handler.EXPECT().HandlePUEvent(gomock.Any(), "default/running", common.EventStart, gomock.Any()).Return(nil).Times(1)
				_, err := r.Reconcile(reconcile.Request{NamespacedName: types.NamespacedName{Name: "running", Namespace: "default"}})
				So(err, ShouldBeNil)
			})
		})

		Convey("a HostNetwork=true pod should try to start the PU and try to program the netcls cgroup", func() {
			r.metadataExtractor = func(ctx context.Context, p *corev1.Pod, extractNetns bool) (*policy.PURuntime, error) {
				return policy.NewPURuntime("default/runningHostNetwork", 0, "", nil, nil, common.LinuxProcessPU, nil), nil
			}
			handler.EXPECT().HandlePUEvent(gomock.Any(), "default/runningHostNetwork", common.EventUpdate, gomock.Any()).Return(nil).Times(1)
			handler.EXPECT().HandlePUEvent(gomock.Any(), "default/runningHostNetwork", common.EventStart, gomock.Any()).Return(nil).AnyTimes()
			Convey("and succeed if metadata extraction succeeded, and netcls cgroup programming succeeded", func() {
				_, err := r.Reconcile(reconcile.Request{NamespacedName: types.NamespacedName{Name: "runningHostNetwork", Namespace: "default"}})
				So(err, ShouldBeNil)
			})
			Convey("and succeed if metadata extraction succeeded, and netcls cgroup programming failed with netcls already programmed", func() {
				r.netclsProgrammer = func(context.Context, *corev1.Pod, policy.RuntimeReader) error {
					return extractors.ErrNetclsAlreadyProgrammed("mark")
				}
				_, err := r.Reconcile(reconcile.Request{NamespacedName: types.NamespacedName{Name: "runningHostNetwork", Namespace: "default"}})
				So(err, ShouldBeNil)
			})
			Convey("and return silently if metadata extraction succeeded, but netcls cgroup programming discovered that this pod is not a host network pod (cannot recover)", func() {
				r.netclsProgrammer = func(context.Context, *corev1.Pod, policy.RuntimeReader) error {
					return extractors.ErrNoHostNetworkPod
				}
				_, err := r.Reconcile(reconcile.Request{NamespacedName: types.NamespacedName{Name: "runningHostNetwork", Namespace: "default"}})
				So(err, ShouldBeNil)
			})
			Convey("should fail if metadata extraction succeeded, but netcls cgroup programming fails", func() {
				r.netclsProgrammer = func(context.Context, *corev1.Pod, policy.RuntimeReader) error {
					return failure
				}
				r.sandboxExtractor = func(context.Context, *corev1.Pod) (string, error) {
					return sandboxID, nil
				}
				_, err := r.Reconcile(reconcile.Request{NamespacedName: types.NamespacedName{Name: "runningHostNetwork", Namespace: "default"}})
				So(err, ShouldNotBeNil)
				So(err, ShouldEqual, failure)
			})
		})
	})
}


================================================
FILE: monitor/internal/pod/delete_controller.go
================================================
// +build !windows

package podmonitor

import (
	"context"
	"time"

	"go.aporeto.io/trireme-lib/common"
	"go.aporeto.io/trireme-lib/monitor/config"
	"go.aporeto.io/trireme-lib/monitor/extractors"
	"go.aporeto.io/trireme-lib/policy"
	"go.uber.org/zap"
	corev1 "k8s.io/api/core/v1"
	"k8s.io/apimachinery/pkg/api/errors"
	"sigs.k8s.io/controller-runtime/pkg/client"
	"sigs.k8s.io/controller-runtime/pkg/event"
)

// deleteControllerReconcileFunc is the reconciler function signature for the DeleteController
type deleteControllerReconcileFunc func(context.Context, client.Client, string, *config.ProcessorConfig, time.Duration, map[string]DeleteObject, extractors.PodSandboxExtractor, chan event.GenericEvent)

// DeleteController is responsible for cleaning up after Kubernetes because we
// are missing our native ID on the last reconcile event where the pod has already
// been deleted. This is also more reliable because we are filling this controller
// with events starting from the time when we first see a deletion timestamp on a pod.
// It pretty much facilitates the work of a finalizer without needing a finalizer and
// also only kicking in once a pod has *really* been deleted.
type DeleteController struct {
	client   client.Client
	nodeName string
	handler  *config.ProcessorConfig

	deleteCh           chan DeleteEvent
	reconcileCh        chan struct{}
	reconcileFunc      deleteControllerReconcileFunc
	tickerPeriod       time.Duration
	itemProcessTimeout time.Duration
	sandboxExtractor   extractors.PodSandboxExtractor
	eventsCh           chan event.GenericEvent
}

// DeleteObject is the obj used to store in the event map.
type DeleteObject struct {
	podUID    string
	sandboxID string
	podName   client.ObjectKey
}

// NewDeleteController creates a new DeleteController.
func NewDeleteController(c client.Client, nodeName string, pc *config.ProcessorConfig, sandboxExtractor extractors.PodSandboxExtractor, eventsCh chan event.GenericEvent) *DeleteController {
	return &DeleteController{
		client:             c,
		nodeName:           nodeName,
		handler:            pc,
		deleteCh:           make(chan DeleteEvent, 1000),
		reconcileCh:        make(chan struct{}),
		reconcileFunc:      deleteControllerReconcile,
		tickerPeriod:       5 * time.Second,
		itemProcessTimeout: 30 * time.Second,
		sandboxExtractor:   sandboxExtractor,
		eventsCh:           eventsCh,
	}
}

// GetDeleteCh returns the delete channel on which to queue delete events
func (c *DeleteController) GetDeleteCh() chan<- DeleteEvent {
	return c.deleteCh
}

// GetReconcileCh returns the channel on which to notify the controller about an immediate reconcile event
func (c *DeleteController) GetReconcileCh() chan<- struct{} {
	return c.reconcileCh
}

// Start implemets the Runnable interface
func (c *DeleteController) Start(z <-chan struct{}) error {
	backgroundCtx := context.Background()
	t := time.NewTicker(c.tickerPeriod)
	m := make(map[string]DeleteObject)

	// the poor man's controller loop
	for {
		select {
		case ev := <-c.deleteCh:
			obj := DeleteObject{podUID: ev.PodUID, sandboxID: ev.SandboxID, podName: ev.NamespaceName}
			// here don't update the map, insert only if not present.
			if _, ok := m[ev.PodUID]; !ok {
				m[ev.PodUID] = obj
			}
		case <-c.reconcileCh:
			c.reconcileFunc(backgroundCtx, c.client, c.nodeName, c.handler, c.itemProcessTimeout, m, c.sandboxExtractor, c.eventsCh)
		case <-t.C:
			c.reconcileFunc(backgroundCtx, c.client, c.nodeName, c.handler, c.itemProcessTimeout, m, c.sandboxExtractor, c.eventsCh)
		case <-z:
			t.Stop()
			return nil
		}
	}
}

// deleteControllerReconcile is the real reconciler implementation for the DeleteController
func deleteControllerReconcile(backgroundCtx context.Context, c client.Client, nodeName string, pc *config.ProcessorConfig, itemProcessTimeout time.Duration, m map[string]DeleteObject, sandboxExtractor extractors.PodSandboxExtractor, eventCh chan event.GenericEvent) {
	for podUID, req := range m {
		deleteControllerProcessItem(backgroundCtx, c, nodeName, pc, itemProcessTimeout, m, podUID, req.podName, sandboxExtractor, eventCh)
	}
}

func deleteControllerProcessItem(backgroundCtx context.Context, c client.Client, nodeName string, pc *config.ProcessorConfig, itemProcessTimeout time.Duration, m map[string]DeleteObject, podUID string, req client.ObjectKey, sandboxExtractor extractors.PodSandboxExtractor, eventCh chan event.GenericEvent) {
	var ok bool
	var delObj DeleteObject
	if delObj, ok = m[podUID]; !ok {
		zap.L().Warn("DeleteController: nativeID not found in delete controller map", zap.String("nativeID", podUID))
		return
	}
	ctx, cancel := context.WithTimeout(backgroundCtx, itemProcessTimeout)
	defer cancel()
	pod := &corev1.Pod{}
	if err := c.Get(ctx, req, pod); err != nil {
		if errors.IsNotFound(err) {
			// this is the normal case: a pod is gone
			// so just send a destroy event
			zap.L().Warn("DeleteController: the pod is deleted in the cluster, so call the destroy PU")
			if err := pc.Policy.HandlePUEvent(
				ctx,
				podUID,
				common.EventDestroy,
				policy.NewPURuntimeWithDefaults(),
			); err != nil {
				// we don't really care, we just warn
				zap.L().Warn("DeleteController: Failed to handle destroy event", zap.String("puID", podUID), zap.String("namespacedName", req.String()), zap.Error(err))
			}
			// we only fire events away, we don't really care about the error anyway
			// it is up to the policy engine to make sense of that
			delete(m, podUID)
		} else {
			// we don't really care, we just warn
			zap.L().Warn("DeleteController: Failed to get pod from Kubernetes API", zap.String("puID", podUID), zap.String("namespacedName", req.String()), zap.Error(err))
		}
		return
	}

	// For StatefulSets we need to account for another special case: pods that move between nodes *keep* the same UID, so they won't fit the check below.
	// However, we can simply double-check the node name in the same way how we already filter events in the watcher/monitor
	if pod.Spec.NodeName != nodeName {
		zap.L().Warn("DeleteController: the pod is now on a different node, send destroy event and delete the cache", zap.String("puID", podUID), zap.String("namespacedName", req.String()), zap.String("podNodeName", pod.Spec.NodeName), zap.String("nodeName", nodeName))
		if err := pc.Policy.HandlePUEvent(
			ctx,
			podUID,
			common.EventDestroy,
			policy.NewPURuntimeWithDefaults(),
		); err != nil {
			// we don't really care, we just warn
			zap.L().Warn("DeleteController: Failed to handle destroy event", zap.String("puID", podUID), zap.String("namespacedName", req.String()), zap.Error(err))
		}
		// we only fire events away, we don't really care about the error anyway
		// it is up to the policy engine to make sense of that
		delete(m, podUID)
		return
	}

	// the edge case: a pod with the same namespaced name came up and we have missed a delete event
	// this means that this pod belongs to a different PU and must live, therefore we try to delete the old one

	// the following code also takes care of any restarts in the Pod, the restarts can be caused by either
	// the sandbox getting killed or all the containers restarting due a crash or kill.

	// Now destroy the PU only if the following
	// 1. Simple case if the pod UID don't match then go ahead and destroy the PU.
	// 2. When the pod UID match then do the following:
	//		2.a Get the current SandboxID from the pod.
	// 		2.b Get the sandboxID from the map.
	// 		2.c If the sandBoxID differ then send the destroy event for the old(map) sandBoxID.

	// 1st case, simple if the pod UID don't match then just call the destroy PU event and delete the map entry with the old key.
	if string(pod.UID) != delObj.podUID {

		zap.L().Warn("DeleteController: Pod does not have expected native ID, we must have missed an event and the same pod was recreated. Trying to destroy PU", zap.String("puID", podUID), zap.String("namespacedName", req.String()), zap.String("podUID", string(pod.GetUID())))
		if err := pc.Policy.HandlePUEvent(
			ctx,
			podUID,
			common.EventDestroy,
			policy.NewPURuntimeWithDefaults(),
		); err != nil {
			// we don't really care, we just warn
			zap.L().Warn("DeleteController: Failed to handle destroy event", zap.String("puID", podUID), zap.String("namespacedName", req.String()), zap.Error(err))
		}
		// we only fire events away, we don't really care about the error anyway
		// it is up to the policy engine to make sense of that
		delete(m, podUID)
		return
	}

	// now the 2nd case, when pod UID match
	if string(pod.UID) == delObj.podUID {
		zap.L().Debug("DeleteController: the pod UID Match happened for", zap.String("podName:", req.String()), zap.String("podUID", string(pod.UID)))
		// 2a get the current sandboxID
		if sandboxExtractor == nil {
			return
		}
		currentSandboxID, err := sandboxExtractor(ctx, pod)
		if err != nil {
			zap.L().Debug("DeleteController: cannot extract the SandboxID, return", zap.String("namespacedName", req.String()), zap.String("podUID", string(pod.GetUID())))
			return
		}
		// update the map with the sandboxID
		// here we update the map only if the sandboxID has not been extracted.
		// The extraction of the sandboxID if  missed by the main controller then we will update the map below.
		if delObj.sandboxID == "" {
			delObj = DeleteObject{podUID: podUID, sandboxID: currentSandboxID, podName: req}
			m[podUID] = delObj
		}
		// 2b get the pod/old sandboxID
		oldSandboxID := delObj.sandboxID

		zap.L().Debug("DeleteController:", zap.String(" the sandboxID, curr:", currentSandboxID), zap.String(" old sandboxID: ", oldSandboxID))
		// 2c compare the oldSandboxID and currentSandboxID, if they differ then destroy the PU
		if oldSandboxID != currentSandboxID {
			zap.L().Warn("DeleteController: Pod SandboxID differ. Trying to destroy PU", zap.String("namespacedName", req.String()), zap.String("currentSandboxID", currentSandboxID), zap.String("oldSandboxID", oldSandboxID))
			if err := pc.Policy.HandlePUEvent(
				ctx,
				podUID,
				common.EventDestroy,
				policy.NewPURuntimeWithDefaults(),
			); err != nil {
				// we don't really care, we just warn
				zap.L().Warn("DeleteController: Failed to handle destroy event", zap.String("puID", podUID), zap.String("namespacedName", req.String()), zap.Error(err))
			}
			// we only fire events away, we don't really care about the error anyway
			// it is up to the policy engine to make sense of that
			delete(m, podUID)
			zap.L().Warn("DeleteController: PU destroyed, now send event for the pod-controller to reconcile", zap.String(" podName: ", req.String()))
			// below we send event to the main pod-controller to reconcile again and to create a PU if it is not created yet.
			eventCh <- event.GenericEvent{
				Object: pod,
				Meta:   pod.GetObjectMeta(),
			}
			return
		}
	}
}


================================================
FILE: monitor/internal/pod/delete_controller_test.go
================================================
// +build !windows

package podmonitor

import (
	"context"
	"fmt"
	"testing"
	"time"

	"github.com/golang/mock/gomock"
	. "github.com/smartystreets/goconvey/convey"
	"go.aporeto.io/trireme-lib/common"
	"go.aporeto.io/trireme-lib/monitor/config"
	"go.aporeto.io/trireme-lib/monitor/extractors"
	"go.aporeto.io/trireme-lib/policy/mockpolicy"
	corev1 "k8s.io/api/core/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/apimachinery/pkg/types"

	"sigs.k8s.io/controller-runtime/pkg/client"
	fakeclient "sigs.k8s.io/controller-runtime/pkg/client/fake"
	"sigs.k8s.io/controller-runtime/pkg/event"
)

func TestDeleteControllerFunctionality(t *testing.T) {
	Convey("Given a fake controller-runtime client and a mock policy resolver", t, func() {
		ctrl := gomock.NewController(t)
		defer ctrl.Finish()

		nodeName := "test1"
		pod1 := &corev1.Pod{
			ObjectMeta: metav1.ObjectMeta{
				Name:      "pod1",
				Namespace: "default",
				UID:       types.UID("aaaa"),
			},
			Spec: corev1.PodSpec{
				NodeName: nodeName,
			},
		}
		c := fakeclient.NewFakeClient(pod1)
		eventsCh := make(chan event.GenericEvent)
		go func() {
			for {
				<-eventsCh
			}
		}()
		handler := mockpolicy.NewMockResolver(ctrl)

		pc := &config.ProcessorConfig{
			Policy: handler,
		}

		ctx := context.Background()
		itemProcessTimeout := 5 * time.Second

		failure := fmt.Errorf("failure")

		Convey("then no destroy events should be sent if there is nothing in the state right now", func() {
			handler.EXPECT().HandlePUEvent(gomock.Any(), gomock.Any(), common.EventDestroy, gomock.Any()).Return(nil).Times(0)
			m := make(map[string]DeleteObject)
			deleteControllerReconcile(ctx, c, nodeName, pc, itemProcessTimeout, m, nil, eventsCh)
			So(m, ShouldBeEmpty)
		})

		Convey("then *no* destroy events should be sent if the pod with the same namespaced name and UID still exists in the Kubernetes API", func() {
			handler.EXPECT().HandlePUEvent(gomock.Any(), gomock.Any(), common.EventDestroy, gomock.Any()).Return(nil).Times(0)
			m := make(map[string]DeleteObject)
			nn := client.ObjectKey{
				Name:      "pod1",
				Namespace: "default",
			}
			m["aaaa"] = DeleteObject{podUID: "aaaa", sandboxID: "", podName: nn}
			deleteControllerReconcile(ctx, c, nodeName, pc, itemProcessTimeout, m, nil, eventsCh)
			So(m, ShouldHaveLength, 1)
		})

		Convey("then a destroy event should be sent if the pod with the same namespaced name and UID still exists in the Kubernetes API, but is now on a different node", func() {
			handler.EXPECT().HandlePUEvent(gomock.Any(), gomock.Any(), common.EventDestroy, gomock.Any()).Return(nil).Times(1)
			m := make(map[string]DeleteObject)
			nn := client.ObjectKey{
				Name:      "pod1",
				Namespace: "default",
			}
			m["aaaa"] = DeleteObject{podUID: "aaaa", sandboxID: "", podName: nn}
			deleteControllerReconcile(ctx, c, "test2", pc, itemProcessTimeout, m, nil, eventsCh)
			So(m, ShouldBeEmpty)
		})

		Convey("then a destroy event should be sent if the pod with the same namespaced name but *different* UID exists in the Kubernetes API", func() {
			handler.EXPECT().HandlePUEvent(gomock.Any(), gomock.Any(), common.EventDestroy, gomock.Any()).Return(nil).Times(1)
			m := make(map[string]DeleteObject)
			nn := client.ObjectKey{
				Name:      "pod1",
				Namespace: "default",
			}
			m["bbbb"] = DeleteObject{podUID: "", sandboxID: "", podName: nn}
			deleteControllerReconcile(ctx, c, nodeName, pc, itemProcessTimeout, m, nil, eventsCh)
			So(m, ShouldBeEmpty)
		})

		Convey("then a destroy event should be sent if the pod does not exist in the Kubernetes API", func() {
			handler.EXPECT().HandlePUEvent(gomock.Any(), gomock.Any(), common.EventDestroy, gomock.Any()).Return(nil).Times(1)
			m := make(map[string]DeleteObject)

			nn := client.ObjectKey{
				Name:      "pod2",
				Namespace: "default",
			}
			m["aaaa"] = DeleteObject{podUID: "", sandboxID: "", podName: nn}
			deleteControllerReconcile(ctx, c, nodeName, pc, itemProcessTimeout, m, nil, eventsCh)
			So(m, ShouldBeEmpty)
		})

		Convey("then a destroy event should be sent if the pod with the same namespaced name but *different* UID exists in the Kubernetes API, and it should still be removed from the map if it fails", func() {
			handler.EXPECT().HandlePUEvent(gomock.Any(), gomock.Any(), common.EventDestroy, gomock.Any()).Return(failure).Times(1)
			m := make(map[string]DeleteObject)

			nn := client.ObjectKey{
				Name:      "pod1",
				Namespace: "default",
			}
			m["bbbb"] = DeleteObject{podUID: "", sandboxID: "", podName: nn}
			deleteControllerReconcile(ctx, c, nodeName, pc, itemProcessTimeout, m, nil, eventsCh)
			So(m, ShouldBeEmpty)
		})

		Convey("then a destroy event should be sent if the pod does not exist in the Kubernetes API, and it should still be removed from the map if it fails", func() {
			handler.EXPECT().HandlePUEvent(gomock.Any(), gomock.Any(), common.EventDestroy, gomock.Any()).Return(failure).Times(1)
			m := make(map[string]DeleteObject)

			nn := client.ObjectKey{
				Name:      "pod2",
				Namespace: "default",
			}
			m["aaaa"] = DeleteObject{podUID: "", sandboxID: "", podName: nn}
			deleteControllerReconcile(ctx, c, nodeName, pc, itemProcessTimeout, m, nil, eventsCh)
			So(m, ShouldBeEmpty)
		})

		sandboxExtractor := func(context.Context, *corev1.Pod) (string, error) {
			return "different", nil
		}

		Convey("then a destroy event should be sent if the pod exists in the Kubernetes API, but the sandbox has changed", func() {
			handler.EXPECT().HandlePUEvent(gomock.Any(), gomock.Any(), common.EventDestroy, gomock.Any()).Return(nil).Times(1)
			m := make(map[string]DeleteObject)

			nn := client.ObjectKey{
				Name:      "pod1",
				Namespace: "default",
			}
			m["aaaa"] = DeleteObject{podUID: "aaaa", sandboxID: "sandbox", podName: nn}
			deleteControllerReconcile(ctx, c, nodeName, pc, itemProcessTimeout, m, sandboxExtractor, eventsCh)
			So(m, ShouldBeEmpty)
		})
	})
}

func TestDeleteController(t *testing.T) {
	Convey("Given a delete controller", t, func() {
		z := make(chan struct{})

		nodeName := "test1"
		testMap := make(map[string]DeleteObject)
		eventsCh := make(chan event.GenericEvent)
		go func() {
			<-eventsCh
		}()
		//nolint:unparam
		reconcileFunc := func(ctx context.Context, c client.Client, nodeName string, pc *config.ProcessorConfig, t time.Duration, m map[string]DeleteObject, s extractors.PodSandboxExtractor, eventsCh chan event.GenericEvent) {
			for k, v := range m {
				testMap[k] = v
			}
		}

		dc := NewDeleteController(nil, nodeName, nil, nil, eventsCh)
		dc.deleteCh = make(chan DeleteEvent)
		dc.reconcileCh = make(chan struct{})
		dc.tickerPeriod = 1 * time.Second
		dc.itemProcessTimeout = 1 * time.Second
		dc.reconcileFunc = reconcileFunc

		Convey("it should be able to receive delete events, and access them during a reconcile", func() {
			ev := DeleteEvent{
				PodUID: "aaaa",
				NamespaceName: client.ObjectKey{
					Name:      "pod1",
					Namespace: "default",
				},
			}
			exp := DeleteObject{
				podUID:    "aaaa",
				sandboxID: "",
				podName: client.ObjectKey{
					Name:      "pod1",
					Namespace: "default",
				},
			}
			go func() {
				dc.GetDeleteCh() <- ev
				dc.GetReconcileCh() <- struct{}{}
				close(z)
			}()

			err := dc.Start(z)
			So(err, ShouldBeNil)
			So(testMap, ShouldContainKey, ev.PodUID)
			So(testMap[ev.PodUID], ShouldResemble, exp)
		})

		Convey("it should be able to receive delete events, and access them during a reconcile that was triggered through the ticker", func() {
			ev := DeleteEvent{
				PodUID: "aaaa",
				NamespaceName: client.ObjectKey{
					Name:      "pod1",
					Namespace: "default",
				},
			}
			exp := DeleteObject{
				podUID:    "aaaa",
				sandboxID: "",
				podName: client.ObjectKey{
					Name:      "pod1",
					Namespace: "default",
				},
			}
			go func() {
				dc.GetDeleteCh() <- ev
				// sleeping for twice the ticker period should always trigger the reconcile
				time.Sleep(dc.tickerPeriod * 2)
				close(z)
			}()

			err := dc.Start(z)
			So(err, ShouldBeNil)
			So(testMap, ShouldContainKey, ev.PodUID)
			So(testMap[ev.PodUID], ShouldResemble, exp)
		})

		Reset(func() {
			testMap = make(map[string]DeleteObject)
			dc = &DeleteController{
				client:             nil,
				handler:            nil,
				deleteCh:           make(chan DeleteEvent),
				reconcileCh:        make(chan struct{}),
				tickerPeriod:       1 * time.Second,
				itemProcessTimeout: 1 * time.Second,
				reconcileFunc:      reconcileFunc,
			}
		})
	})
}


================================================
FILE: monitor/internal/pod/mockcache_test.go
================================================
// Code generated by MockGen. DO NOT EDIT.
// Source: sigs.k8s.io/controller-runtime/pkg/cache (interfaces: Cache)

// Package podmonitor is a generated GoMock package.
package podmonitor

import (
	context "context"
	reflect "reflect"

	gomock "github.com/golang/mock/gomock"
	runtime "k8s.io/apimachinery/pkg/runtime"
	schema "k8s.io/apimachinery/pkg/runtime/schema"
	types "k8s.io/apimachinery/pkg/types"
	cache "k8s.io/client-go/tools/cache"
	client "sigs.k8s.io/controller-runtime/pkg/client"
)

// MockCache is a mock of Cache interface
// nolint
type MockCache struct {
	ctrl     *gomock.Controller
	recorder *MockCacheMockRecorder
}

// MockCacheMockRecorder is the mock recorder for MockCache
// nolint
type MockCacheMockRecorder struct {
	mock *MockCache
}

// NewMockCache creates a new mock instance
// nolint
func NewMockCache(ctrl *gomock.Controller) *MockCache {
	mock := &MockCache{ctrl: ctrl}
	mock.recorder = &MockCacheMockRecorder{mock}
	return mock
}

// EXPECT returns an object that allows the caller to indicate expected use
// nolint
func (m *MockCache) EXPECT() *MockCacheMockRecorder {
	return m.recorder
}

// Get mocks base method
// nolint
func (m *MockCache) Get(arg0 context.Context, arg1 types.NamespacedName, arg2 runtime.Object) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "Get", arg0, arg1, arg2)
	ret0, _ := ret[0].(error)
	return ret0
}

// Get indicates an expected call of Get
// nolint
func (mr *MockCacheMockRecorder) Get(arg0, arg1, arg2 interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Get", reflect.TypeOf((*MockCache)(nil).Get), arg0, arg1, arg2)
}

// GetInformer mocks base method
// nolint
func (m *MockCache) GetInformer(arg0 runtime.Object) (cache.SharedIndexInformer, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "GetInformer", arg0)
	ret0, _ := ret[0].(cache.SharedIndexInformer)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// GetInformer indicates an expected call of GetInformer
// nolint
func (mr *MockCacheMockRecorder) GetInformer(arg0 interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetInformer", reflect.TypeOf((*MockCache)(nil).GetInformer), arg0)
}

// GetInformerForKind mocks base method
// nolint
func (m *MockCache) GetInformerForKind(arg0 schema.GroupVersionKind) (cache.SharedIndexInformer, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "GetInformerForKind", arg0)
	ret0, _ := ret[0].(cache.SharedIndexInformer)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// GetInformerForKind indicates an expected call of GetInformerForKind
// nolint
func (mr *MockCacheMockRecorder) GetInformerForKind(arg0 interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetInformerForKind", reflect.TypeOf((*MockCache)(nil).GetInformerForKind), arg0)
}

// IndexField mocks base method
// nolint
func (m *MockCache) IndexField(arg0 runtime.Object, arg1 string, arg2 client.IndexerFunc) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "IndexField", arg0, arg1, arg2)
	ret0, _ := ret[0].(error)
	return ret0
}

// IndexField indicates an expected call of IndexField
// nolint
func (mr *MockCacheMockRecorder) IndexField(arg0, arg1, arg2 interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "IndexField", reflect.TypeOf((*MockCache)(nil).IndexField), arg0, arg1, arg2)
}

// List mocks base method
// nolint
func (m *MockCache) List(arg0 context.Context, arg1 *client.ListOptions, arg2 runtime.Object) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "List", arg0, arg1, arg2)
	ret0, _ := ret[0].(error)
	return ret0
}

// List indicates an expected call of List
// nolint
func (mr *MockCacheMockRecorder) List(arg0, arg1, arg2 interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "List", reflect.TypeOf((*MockCache)(nil).List), arg0, arg1, arg2)
}

// Start mocks base method
// nolint
func (m *MockCache) Start(arg0 <-chan struct{}) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "Start", arg0)
	ret0, _ := ret[0].(error)
	return ret0
}

// Start indicates an expected call of Start
// nolint
func (mr *MockCacheMockRecorder) Start(arg0 interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Start", reflect.TypeOf((*MockCache)(nil).Start), arg0)
}

// WaitForCacheSync mocks base method
// nolint
func (m *MockCache) WaitForCacheSync(arg0 <-chan struct{}) bool {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "WaitForCacheSync", arg0)
	ret0, _ := ret[0].(bool)
	return ret0
}

// WaitForCacheSync indicates an expected call of WaitForCacheSync
// nolint
func (mr *MockCacheMockRecorder) WaitForCacheSync(arg0 interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "WaitForCacheSync", reflect.TypeOf((*MockCache)(nil).WaitForCacheSync), arg0)
}


================================================
FILE: monitor/internal/pod/mockclient_test.go
================================================
// Code generated by MockGen. DO NOT EDIT.
// Source: sigs.k8s.io/controller-runtime/pkg/client (interfaces: Client)

// Package podmonitor is a generated GoMock package.
package podmonitor

import (
	context "context"
	reflect "reflect"

	gomock "github.com/golang/mock/gomock"
	runtime "k8s.io/apimachinery/pkg/runtime"
	types "k8s.io/apimachinery/pkg/types"
	client "sigs.k8s.io/controller-runtime/pkg/client"
)

// MockClient is a mock of Client interface
// nolint
type MockClient struct {
	ctrl     *gomock.Controller
	recorder *MockClientMockRecorder
}

// MockClientMockRecorder is the mock recorder for MockClient
// nolint
type MockClientMockRecorder struct {
	mock *MockClient
}

// NewMockClient creates a new mock instance
// nolint
func NewMockClient(ctrl *gomock.Controller) *MockClient {
	mock := &MockClient{ctrl: ctrl}
	mock.recorder = &MockClientMockRecorder{mock}
	return mock
}

// EXPECT returns an object that allows the caller to indicate expected use
// nolint
func (m *MockClient) EXPECT() *MockClientMockRecorder {
	return m.recorder
}

// Create mocks base method
// nolint
func (m *MockClient) Create(arg0 context.Context, arg1 runtime.Object) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "Create", arg0, arg1)
	ret0, _ := ret[0].(error)
	return ret0
}

// Create indicates an expected call of Create
// nolint
func (mr *MockClientMockRecorder) Create(arg0, arg1 interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Create", reflect.TypeOf((*MockClient)(nil).Create), arg0, arg1)
}

// Delete mocks base method
// nolint
func (m *MockClient) Delete(arg0 context.Context, arg1 runtime.Object, arg2 ...client.DeleteOptionFunc) error {
	m.ctrl.T.Helper()
	varargs := []interface{}{arg0, arg1}
	for _, a := range arg2 {
		varargs = append(varargs, a)
	}
	ret := m.ctrl.Call(m, "Delete", varargs...)
	ret0, _ := ret[0].(error)
	return ret0
}

// Delete indicates an expected call of Delete
// nolint
func (mr *MockClientMockRecorder) Delete(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	varargs := append([]interface{}{arg0, arg1}, arg2...)
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Delete", reflect.TypeOf((*MockClient)(nil).Delete), varargs...)
}

// Get mocks base method
// nolint
func (m *MockClient) Get(arg0 context.Context, arg1 types.NamespacedName, arg2 runtime.Object) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "Get", arg0, arg1, arg2)
	ret0, _ := ret[0].(error)
	return ret0
}

// Get indicates an expected call of Get
// nolint
func (mr *MockClientMockRecorder) Get(arg0, arg1, arg2 interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Get", reflect.TypeOf((*MockClient)(nil).Get), arg0, arg1, arg2)
}

// List mocks base method
// nolint
func (m *MockClient) List(arg0 context.Context, arg1 *client.ListOptions, arg2 runtime.Object) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "List", arg0, arg1, arg2)
	ret0, _ := ret[0].(error)
	return ret0
}

// List indicates an expected call of List
// nolint
func (mr *MockClientMockRecorder) List(arg0, arg1, arg2 interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "List", reflect.TypeOf((*MockClient)(nil).List), arg0, arg1, arg2)
}

// Status mocks base method
// nolint
func (m *MockClient) Status() client.StatusWriter {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "Status")
	ret0, _ := ret[0].(client.StatusWriter)
	return ret0
}

// Status indicates an expected call of Status
// nolint
func (mr *MockClientMockRecorder) Status() *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Status", reflect.TypeOf((*MockClient)(nil).Status))
}

// Update mocks base method
// nolint
func (m *MockClient) Update(arg0 context.Context, arg1 runtime.Object) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "Update", arg0, arg1)
	ret0, _ := ret[0].(error)
	return ret0
}

// Update indicates an expected call of Update
// nolint
func (mr *MockClientMockRecorder) Update(arg0, arg1 interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Update", reflect.TypeOf((*MockClient)(nil).Update), arg0, arg1)
}


================================================
FILE: monitor/internal/pod/mockinformer_test.go
================================================
// Code generated by MockGen. DO NOT EDIT.
// Source: k8s.io/client-go/tools/cache (interfaces: SharedIndexInformer)

// Package podmonitor is a generated GoMock package.
package podmonitor

import (
	reflect "reflect"
	time "time"

	gomock "github.com/golang/mock/gomock"
	cache "k8s.io/client-go/tools/cache"
)

// MockSharedIndexInformer is a mock of SharedIndexInformer interface
// nolint
type MockSharedIndexInformer struct {
	ctrl     *gomock.Controller
	recorder *MockSharedIndexInformerMockRecorder
}

// MockSharedIndexInformerMockRecorder is the mock recorder for MockSharedIndexInformer
// nolint
type MockSharedIndexInformerMockRecorder struct {
	mock *MockSharedIndexInformer
}

// NewMockSharedIndexInformer creates a new mock instance
// nolint
func NewMockSharedIndexInformer(ctrl *gomock.Controller) *MockSharedIndexInformer {
	mock := &MockSharedIndexInformer{ctrl: ctrl}
	mock.recorder = &MockSharedIndexInformerMockRecorder{mock}
	return mock
}

// EXPECT returns an object that allows the caller to indicate expected use
// nolint
func (m *MockSharedIndexInformer) EXPECT() *MockSharedIndexInformerMockRecorder {
	return m.recorder
}

// AddEventHandler mocks base method
// nolint
func (m *MockSharedIndexInformer) AddEventHandler(arg0 cache.ResourceEventHandler) {
	m.ctrl.T.Helper()
	m.ctrl.Call(m, "AddEventHandler", arg0)
}

// AddEventHandler indicates an expected call of AddEventHandler
// nolint
func (mr *MockSharedIndexInformerMockRecorder) AddEventHandler(arg0 interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AddEventHandler", reflect.TypeOf((*MockSharedIndexInformer)(nil).AddEventHandler), arg0)
}

// AddEventHandlerWithResyncPeriod mocks base method
// nolint
func (m *MockSharedIndexInformer) AddEventHandlerWithResyncPeriod(arg0 cache.ResourceEventHandler, arg1 time.Duration) {
	m.ctrl.T.Helper()
	m.ctrl.Call(m, "AddEventHandlerWithResyncPeriod", arg0, arg1)
}

// AddEventHandlerWithResyncPeriod indicates an expected call of AddEventHandlerWithResyncPeriod
// nolint
func (mr *MockSharedIndexInformerMockRecorder) AddEventHandlerWithResyncPeriod(arg0, arg1 interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AddEventHandlerWithResyncPeriod", reflect.TypeOf((*MockSharedIndexInformer)(nil).AddEventHandlerWithResyncPeriod), arg0, arg1)
}

// AddIndexers mocks base method
// nolint
func (m *MockSharedIndexInformer) AddIndexers(arg0 cache.Indexers) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "AddIndexers", arg0)
	ret0, _ := ret[0].(error)
	return ret0
}

// AddIndexers indicates an expected call of AddIndexers
// nolint
func (mr *MockSharedIndexInformerMockRecorder) AddIndexers(arg0 interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AddIndexers", reflect.TypeOf((*MockSharedIndexInformer)(nil).AddIndexers), arg0)
}

// GetController mocks base method
// nolint
func (m *MockSharedIndexInformer) GetController() cache.Controller {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "GetController")
	ret0, _ := ret[0].(cache.Controller)
	return ret0
}

// GetController indicates an expected call of GetController
// nolint
func (mr *MockSharedIndexInformerMockRecorder) GetController() *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetController", reflect.TypeOf((*MockSharedIndexInformer)(nil).GetController))
}

// GetIndexer mocks base method
// nolint
func (m *MockSharedIndexInformer) GetIndexer() cache.Indexer {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "GetIndexer")
	ret0, _ := ret[0].(cache.Indexer)
	return ret0
}

// GetIndexer indicates an expected call of GetIndexer
// nolint
func (mr *MockSharedIndexInformerMockRecorder) GetIndexer() *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetIndexer", reflect.TypeOf((*MockSharedIndexInformer)(nil).GetIndexer))
}

// GetStore mocks base method
// nolint
func (m *MockSharedIndexInformer) GetStore() cache.Store {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "GetStore")
	ret0, _ := ret[0].(cache.Store)
	return ret0
}

// GetStore indicates an expected call of GetStore
// nolint
func (mr *MockSharedIndexInformerMockRecorder) GetStore() *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetStore", reflect.TypeOf((*MockSharedIndexInformer)(nil).GetStore))
}

// HasSynced mocks base method
// nolint
func (m *MockSharedIndexInformer) HasSynced() bool {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "HasSynced")
	ret0, _ := ret[0].(bool)
	return ret0
}

// HasSynced indicates an expected call of HasSynced
// nolint
func (mr *MockSharedIndexInformerMockRecorder) HasSynced() *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "HasSynced", reflect.TypeOf((*MockSharedIndexInformer)(nil).HasSynced))
}

// LastSyncResourceVersion mocks base method
// nolint
func (m *MockSharedIndexInformer) LastSyncResourceVersion() string {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "LastSyncResourceVersion")
	ret0, _ := ret[0].(string)
	return ret0
}

// LastSyncResourceVersion indicates an expected call of LastSyncResourceVersion
// nolint
func (mr *MockSharedIndexInformerMockRecorder) LastSyncResourceVersion() *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "LastSyncResourceVersion", reflect.TypeOf((*MockSharedIndexInformer)(nil).LastSyncResourceVersion))
}

// Run mocks base method
// nolint
func (m *MockSharedIndexInformer) Run(arg0 <-chan struct{}) {
	m.ctrl.T.Helper()
	m.ctrl.Call(m, "Run", arg0)
}

// Run indicates an expected call of Run
// nolint
func (mr *MockSharedIndexInformerMockRecorder) Run(arg0 interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Run", reflect.TypeOf((*MockSharedIndexInformer)(nil).Run), arg0)
}


================================================
FILE: monitor/internal/pod/mockmanager_test.go
================================================
// Code generated by MockGen. DO NOT EDIT.
// Source: sigs.k8s.io/controller-runtime/pkg/manager (interfaces: Manager)

// Package podmonitor is a generated GoMock package.
package podmonitor

import (
	reflect "reflect"

	gomock "github.com/golang/mock/gomock"
	meta "k8s.io/apimachinery/pkg/api/meta"
	runtime "k8s.io/apimachinery/pkg/runtime"
	rest "k8s.io/client-go/rest"
	record "k8s.io/client-go/tools/record"
	cache "sigs.k8s.io/controller-runtime/pkg/cache"
	client "sigs.k8s.io/controller-runtime/pkg/client"
	manager "sigs.k8s.io/controller-runtime/pkg/manager"
	types "sigs.k8s.io/controller-runtime/pkg/webhook/admission/types"
)

// MockManager is a mock of Manager interface
// nolint
type MockManager struct {
	ctrl     *gomock.Controller
	recorder *MockManagerMockRecorder
}

// MockManagerMockRecorder is the mock recorder for MockManager
// nolint
type MockManagerMockRecorder struct {
	mock *MockManager
}

// NewMockManager creates a new mock instance
// nolint
func NewMockManager(ctrl *gomock.Controller) *MockManager {
	mock := &MockManager{ctrl: ctrl}
	mock.recorder = &MockManagerMockRecorder{mock}
	return mock
}

// EXPECT returns an object that allows the caller to indicate expected use
// nolint
func (m *MockManager) EXPECT() *MockManagerMockRecorder {
	return m.recorder
}

// Add mocks base method
// nolint
func (m *MockManager) Add(arg0 manager.Runnable) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "Add", arg0)
	ret0, _ := ret[0].(error)
	return ret0
}

// Add indicates an expected call of Add
// nolint
func (mr *MockManagerMockRecorder) Add(arg0 interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Add", reflect.TypeOf((*MockManager)(nil).Add), arg0)
}

// GetAdmissionDecoder mocks base method
// nolint
func (m *MockManager) GetAdmissionDecoder() types.Decoder {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "GetAdmissionDecoder")
	ret0, _ := ret[0].(types.Decoder)
	return ret0
}

// GetAdmissionDecoder indicates an expected call of GetAdmissionDecoder
// nolint
func (mr *MockManagerMockRecorder) GetAdmissionDecoder() *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetAdmissionDecoder", reflect.TypeOf((*MockManager)(nil).GetAdmissionDecoder))
}

// GetCache mocks base method
// nolint
func (m *MockManager) GetCache() cache.Cache {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "GetCache")
	ret0, _ := ret[0].(cache.Cache)
	return ret0
}

// GetCache indicates an expected call of GetCache
// nolint
func (mr *MockManagerMockRecorder) GetCache() *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetCache", reflect.TypeOf((*MockManager)(nil).GetCache))
}

// GetClient mocks base method
// nolint
func (m *MockManager) GetClient() client.Client {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "GetClient")
	ret0, _ := ret[0].(client.Client)
	return ret0
}

// GetClient indicates an expected call of GetClient
// nolint
func (mr *MockManagerMockRecorder) GetClient() *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetClient", reflect.TypeOf((*MockManager)(nil).GetClient))
}

// GetConfig mocks base method
// nolint
func (m *MockManager) GetConfig() *rest.Config {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "GetConfig")
	ret0, _ := ret[0].(*rest.Config)
	return ret0
}

// GetConfig indicates an expected call of GetConfig
// nolint
func (mr *MockManagerMockRecorder) GetConfig() *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetConfig", reflect.TypeOf((*MockManager)(nil).GetConfig))
}

// GetFieldIndexer mocks base method
// nolint
func (m *MockManager) GetFieldIndexer() client.FieldIndexer {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "GetFieldIndexer")
	ret0, _ := ret[0].(client.FieldIndexer)
	return ret0
}

// GetFieldIndexer indicates an expected call of GetFieldIndexer
// nolint
func (mr *MockManagerMockRecorder) GetFieldIndexer() *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetFieldIndexer", reflect.TypeOf((*MockManager)(nil).GetFieldIndexer))
}

// GetRESTMapper mocks base method
// nolint
func (m *MockManager) GetRESTMapper() meta.RESTMapper {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "GetRESTMapper")
	ret0, _ := ret[0].(meta.RESTMapper)
	return ret0
}

// GetRESTMapper indicates an expected call of GetRESTMapper
// nolint
func (mr *MockManagerMockRecorder) GetRESTMapper() *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetRESTMapper", reflect.TypeOf((*MockManager)(nil).GetRESTMapper))
}

// GetRecorder mocks base method
// nolint
func (m *MockManager) GetRecorder(arg0 string) record.EventRecorder {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "GetRecorder", arg0)
	ret0, _ := ret[0].(record.EventRecorder)
	return ret0
}

// GetRecorder indicates an expected call of GetRecorder
// nolint
func (mr *MockManagerMockRecorder) GetRecorder(arg0 interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetRecorder", reflect.TypeOf((*MockManager)(nil).GetRecorder), arg0)
}

// GetScheme mocks base method
// nolint
func (m *MockManager) GetScheme() *runtime.Scheme {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "GetScheme")
	ret0, _ := ret[0].(*runtime.Scheme)
	return ret0
}

// GetScheme indicates an expected call of GetScheme
// nolint
func (mr *MockManagerMockRecorder) GetScheme() *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetScheme", reflect.TypeOf((*MockManager)(nil).GetScheme))
}

// SetFields mocks base method
// nolint
func (m *MockManager) SetFields(arg0 interface{}) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "SetFields", arg0)
	ret0, _ := ret[0].(error)
	return ret0
}

// SetFields indicates an expected call of SetFields
// nolint
func (mr *MockManagerMockRecorder) SetFields(arg0 interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetFields", reflect.TypeOf((*MockManager)(nil).SetFields), arg0)
}

// Start mocks base method
// nolint
func (m *MockManager) Start(arg0 <-chan struct{}) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "Start", arg0)
	ret0, _ := ret[0].(error)
	return ret0
}

// Start indicates an expected call of Start
// nolint
func (mr *MockManagerMockRecorder) Start(arg0 interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Start", reflect.TypeOf((*MockManager)(nil).Start), arg0)
}


================================================
FILE: monitor/internal/pod/mockzapcore_test.go
================================================
// Code generated by MockGen. DO NOT EDIT.
// Source: go.uber.org/zap/zapcore (interfaces: Core)

// Package podmonitor is a generated GoMock package.
package podmonitor

import (
	reflect "reflect"

	gomock "github.com/golang/mock/gomock"
	zapcore "go.uber.org/zap/zapcore"
)

// MockCore is a mock of Core interface
// nolint
type MockCore struct {
	ctrl     *gomock.Controller
	recorder *MockCoreMockRecorder
}

// MockCoreMockRecorder is the mock recorder for MockCore
// nolint
type MockCoreMockRecorder struct {
	mock *MockCore
}

// NewMockCore creates a new mock instance
// nolint
func NewMockCore(ctrl *gomock.Controller) *MockCore {
	mock := &MockCore{ctrl: ctrl}
	mock.recorder = &MockCoreMockRecorder{mock}
	return mock
}

// EXPECT returns an object that allows the caller to indicate expected use
// nolint
func (m *MockCore) EXPECT() *MockCoreMockRecorder {
	return m.recorder
}

// Check mocks base method
// nolint
func (m *MockCore) Check(arg0 zapcore.Entry, arg1 *zapcore.CheckedEntry) *zapcore.CheckedEntry {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "Check", arg0, arg1)
	ret0, _ := ret[0].(*zapcore.CheckedEntry)
	return ret0
}

// Check indicates an expected call of Check
// nolint
func (mr *MockCoreMockRecorder) Check(arg0, arg1 interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Check", reflect.TypeOf((*MockCore)(nil).Check), arg0, arg1)
}

// Enabled mocks base method
// nolint
func (m *MockCore) Enabled(arg0 zapcore.Level) bool {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "Enabled", arg0)
	ret0, _ := ret[0].(bool)
	return ret0
}

// Enabled indicates an expected call of Enabled
// nolint
func (mr *MockCoreMockRecorder) Enabled(arg0 interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Enabled", reflect.TypeOf((*MockCore)(nil).Enabled), arg0)
}

// Sync mocks base method
// nolint
func (m *MockCore) Sync() error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "Sync")
	ret0, _ := ret[0].(error)
	return ret0
}

// Sync indicates an expected call of Sync
// nolint
func (mr *MockCoreMockRecorder) Sync() *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Sync", reflect.TypeOf((*MockCore)(nil).Sync))
}

// With mocks base method
// nolint
func (m *MockCore) With(arg0 []zapcore.Field) zapcore.Core {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "With", arg0)
	ret0, _ := ret[0].(zapcore.Core)
	return ret0
}

// With indicates an expected call of With
// nolint
func (mr *MockCoreMockRecorder) With(arg0 interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "With", reflect.TypeOf((*MockCore)(nil).With), arg0)
}

// Write mocks base method
// nolint
func (m *MockCore) Write(arg0 zapcore.Entry, arg1 []zapcore.Field) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "Write", arg0, arg1)
	ret0, _ := ret[0].(error)
	return ret0
}

// Write indicates an expected call of Write
// nolint
func (mr *MockCoreMockRecorder) Write(arg0, arg1 interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Write", reflect.TypeOf((*MockCore)(nil).Write), arg0, arg1)
}


================================================
FILE: monitor/internal/pod/monitor.go
================================================
// +build linux !windows

package podmonitor

import (
	"context"
	"errors"
	"fmt"
	"time"

	"go.aporeto.io/trireme-lib/monitor/config"
	"go.aporeto.io/trireme-lib/monitor/extractors"
	"go.aporeto.io/trireme-lib/monitor/registerer"

	"k8s.io/client-go/rest"
	"k8s.io/client-go/tools/clientcmd"

	"sigs.k8s.io/controller-runtime/pkg/client"
	"sigs.k8s.io/controller-runtime/pkg/event"
	"sigs.k8s.io/controller-runtime/pkg/manager"

	"go.uber.org/zap"
)

// PodMonitor implements a monitor that sends pod events upstream
// It is implemented as a filter on the standard DockerMonitor.
// It gets all the PU events from the DockerMonitor and if the container is the POD container from Kubernetes,
// It connects to the Kubernetes API and adds the tags that are coming from Kuberntes that cannot be found
type PodMonitor struct {
	localNode                 string
	handlers                  *config.ProcessorConfig
	metadataExtractor         extractors.PodMetadataExtractor
	netclsProgrammer          extractors.PodNetclsProgrammer
	pidsSetMaxProcsProgrammer extractors.PodPidsSetMaxProcsProgrammer
	resetNetcls               extractors.ResetNetclsKubepods
	sandboxExtractor          extractors.PodSandboxExtractor
	enableHostPods            bool
	workers                   int
	kubeCfg                   *rest.Config
	kubeClient                client.Client
	eventsCh                  chan event.GenericEvent
	resyncInfo                *ResyncInfoChan
}

// New returns a new kubernetes monitor.
func New() *PodMonitor {
	podMonitor := &PodMonitor{
		eventsCh:   make(chan event.GenericEvent),
		resyncInfo: NewResyncInfoChan(),
	}

	return podMonitor
}

// SetupConfig provides a configuration to implmentations. Every implmentation
// can have its own config type.
func (m *PodMonitor) SetupConfig(_ registerer.Registerer, cfg interface{}) error {

	defaultConfig := DefaultConfig()

	if cfg == nil {
		cfg = defaultConfig
	}

	kubernetesconfig, ok := cfg.(*Config)
	if !ok {
		return fmt.Errorf("Invalid configuration specified (type '%T')", cfg)
	}

	kubernetesconfig = SetupDefaultConfig(kubernetesconfig)

	// build kubernetes config
	var kubeCfg *rest.Config
	if len(kubernetesconfig.Kubeconfig) > 0 {
		var err error
		kubeCfg, err = clientcmd.BuildConfigFromFlags("", kubernetesconfig.Kubeconfig)
		if err != nil {
			return err
		}
	} else {
		var err error
		kubeCfg, err = rest.InClusterConfig()
		if err != nil {
			return err
		}
	}

	if kubernetesconfig.MetadataExtractor == nil {
		return fmt.Errorf("missing metadata extractor")
	}

	if kubernetesconfig.NetclsProgrammer == nil {
		return fmt.Errorf("missing net_cls programmer")
	}

	if kubernetesconfig.ResetNetcls == nil {
		return fmt.Errorf("missing reset net_cls implementation")
	}
	if kubernetesconfig.SandboxExtractor == nil {
		return fmt.Errorf("missing SandboxExtractor implementation")
	}
	if kubernetesconfig.Workers < 1 {
		return fmt.Errorf("number of Kubernetes monitor workers must be at least 1")
	}
	// Setting up Kubernetes
	m.kubeCfg = kubeCfg
	m.localNode = kubernetesconfig.Nodename
	m.enableHostPods = kubernetesconfig.EnableHostPods
	m.metadataExtractor = kubernetesconfig.MetadataExtractor
	m.netclsProgrammer = kubernetesconfig.NetclsProgrammer
	m.pidsSetMaxProcsProgrammer = kubernetesconfig.PidsSetMaxProcsProgrammer
	m.sandboxExtractor = kubernetesconfig.SandboxExtractor
	m.resetNetcls = kubernetesconfig.ResetNetcls
	m.workers = kubernetesconfig.Workers

	return nil
}

// Run starts the monitor.
func (m *PodMonitor) Run(ctx context.Context) error {
	if m.kubeCfg == nil {
		return errors.New("pod: missing kubeconfig")
	}

	if err := m.handlers.IsComplete(); err != nil {
		return fmt.Errorf("pod: handlers are not complete: %s", err.Error())
	}

	// ensure to run the reset net_cls
	// NOTE: we also call this during resync, however, that is not called at startup (we call ResyncWithAllPods instead before we return)
	if m.resetNetcls == nil {
		return errors.New("pod: missing net_cls reset implementation")
	}
	if err := m.resetNetcls(ctx); err != nil {
		return fmt.Errorf("pod: failed to reset net_cls cgroups: %s", err.Error())
	}

	// starts the manager in the background and will return once it is running
	// NOTE: This will block until the Kubernetes manager and all controllers are up. All errors are being handled within the function
	m.startManager(ctx)

	// call ResyncWithAllPods before we return from here
	// this will block until every pod at this point in time has been seeing at least one `Reconcile` call
	// we do this so that we build up our internal PU cache in the policy engine,
	// so that when we remove stale pods on startup, we don't remove them and create them again
	if err := ResyncWithAllPods(ctx, m.kubeClient, m.resyncInfo, m.eventsCh, m.localNode); err != nil {
		zap.L().Warn("Pod resync failed", zap.Error(err))
	}
	return nil
}

// SetupHandlers sets up handlers for monitors to invoke for various events such as
// processing unit events and synchronization events. This will be called before Start()
// by the consumer of the monitor
func (m *PodMonitor) SetupHandlers(c *config.ProcessorConfig) {
	m.handlers = c
}

// Resync requests to the monitor to do a resync.
func (m *PodMonitor) Resync(ctx context.Context) error {
	if m.resetNetcls != nil {
		if err := m.resetNetcls(ctx); err != nil {
			return err
		}
	}

	if m.kubeClient == nil {
		return errors.New("pod: client has not been initialized yet")
	}

	return ResyncWithAllPods(ctx, m.kubeClient, m.resyncInfo, m.eventsCh, m.localNode)
}

const (
	startupWarningMessage = "pod: the Kubernetes controller did not start within the last 5s. Waiting..."
)

var (
	retrySleep          = time.Second * 3
	warningMessageSleep = time.Second * 5
	warningTimeout      = time.Second * 5
	managerNew          = manager.New
)

func (m *PodMonitor) startManager(ctx context.Context) {
	var mgr manager.Manager

	startTimestamp := time.Now()
	controllerStarted := make(chan struct{})

	go func() {
		// manager.New already contacts the Kubernetes API
		for {
			var err error
			mgr, err = managerNew(m.kubeCfg, manager.Options{})
			if err != nil {
				zap.L().Error("pod: new manager instantiation failed. Retrying in 3s...", zap.Error(err))
				time.Sleep(retrySleep)
				continue
			}
			break
		}

		// Create the delete event controller first
		dc := NewDeleteController(mgr.GetClient(), m.localNode, m.handlers, m.sandboxExtractor, m.eventsCh)
		for {
			if err := mgr.Add(dc); err != nil {
				zap.L().Error("pod: adding delete controller failed. Retrying in 3s...", zap.Error(err))
				time.Sleep(retrySleep)
				continue
			}
			break
		}

		// Create the main controller for the monitor
		for {
			if err := addController(
				mgr,
				newReconciler(mgr, m.handlers, m.metadataExtractor, m.netclsProgrammer, m.sandboxExtractor, m.localNode, m.enableHostPods, dc.GetDeleteCh(), dc.GetReconcileCh(), m.resyncInfo),
				m.workers,
				m.eventsCh,
			); err != nil {
				zap.L().Error("pod: adding main monitor controller failed. Retrying in 3s...", zap.Error(err))
				time.Sleep(retrySleep)
				continue
			}
			break
		}

		for {
			if err := mgr.Add(&runnable{ch: controllerStarted}); err != nil {
				zap.L().Error("pod: adding side controller failed. Retrying in 3s...", zap.Error(err))
				time.Sleep(retrySleep)
				continue
			}
			break
		}

		// starting the manager is a bit awkward:
		// - it does not use contexts
		// - we pass in a fake signal handler channel
		// - we start another go routine which waits for the context to be cancelled
		//   and closes that channel if that is the case

		for {
			if err := mgr.Start(ctx.Done()); err != nil {
				zap.L().Error("pod: manager start failed. Retrying in 3s...", zap.Error(err))
				time.Sleep(retrySleep)
				continue
			}
			break
		}
	}()

waitLoop:
	for {
		select {
		case <-ctx.Done():
			break waitLoop
		case <-time.After(warningMessageSleep):
			// we give everything 5 seconds to report back before we issue a warning
			zap.L().Warn(startupWarningMessage)
		case <-controllerStarted:
			m.kubeClient = mgr.GetClient()
			t := time.Since(startTimestamp)
			if t > warningTimeout {
				zap.L().Warn("pod: controller startup finished, but took longer than expected", zap.Duration("duration", t))
			} else {
				zap.L().Debug("pod: controller startup finished", zap.Duration("duration", t))
			}
			break waitLoop
		}
	}
}

type runnable struct {
	ch chan struct{}
}

func (r *runnable) Start(z <-chan struct{}) error {
	// close the indicator channel which means that the manager has been started successfully
	close(r.ch)

	// stay up and running, the manager needs that
	<-z
	return nil
}


================================================
FILE: monitor/internal/pod/monitor_test.go
================================================
// +build linux !windows

package podmonitor

import (
	"context"
	"fmt"
	"math"
	"strings"
	"testing"
	"time"

	"github.com/golang/mock/gomock"
	"go.aporeto.io/trireme-lib/monitor/config"
	"go.aporeto.io/trireme-lib/policy"
	"go.aporeto.io/trireme-lib/policy/mockpolicy"
	"go.uber.org/zap"
	zapcore "go.uber.org/zap/zapcore"
	corev1 "k8s.io/api/core/v1"
	"k8s.io/apimachinery/pkg/runtime"
	"k8s.io/client-go/kubernetes/scheme"
	"k8s.io/client-go/rest"
	cache "k8s.io/client-go/tools/cache"
	"sigs.k8s.io/controller-runtime/pkg/controller"
	"sigs.k8s.io/controller-runtime/pkg/manager"
	"sigs.k8s.io/controller-runtime/pkg/runtime/inject"
)

func createNewPodMonitor() *PodMonitor {
	m := New()
	mockError := fmt.Errorf("mockerror: overwrite function with your own mock before using")
	monitorConfig := DefaultConfig()
	monitorConfig.Kubeconfig = "testdata/kubeconfig"
	monitorConfig.MetadataExtractor = func(context.Context, *corev1.Pod, bool) (*policy.PURuntime, error) {
		return nil, mockError
	}
	monitorConfig.NetclsProgrammer = func(context.Context, *corev1.Pod, policy.RuntimeReader) error {
		return mockError
	}
	monitorConfig.PidsSetMaxProcsProgrammer = func(ctx context.Context, pod *corev1.Pod, maxProcs int) error {
		return mockError
	}
	monitorConfig.ResetNetcls = func(context.Context) error {
		return mockError
	}
	monitorConfig.SandboxExtractor = func(context.Context, *corev1.Pod) (string, error) {
		return "", mockError
	}

	if err := m.SetupConfig(nil, monitorConfig); err != nil {
		panic(err)
	}
	return m
}

func isKubernetesController() gomock.Matcher {
	return &controllerMatcher{}
}

type controllerMatcher struct{}

var _ gomock.Matcher = &controllerMatcher{}

// Matches returns whether x is a match.
func (m *controllerMatcher) Matches(x interface{}) bool {
	_, ok := x.(controller.Controller)
	return ok
}

// String describes what the matcher matches.
func (m *controllerMatcher) String() string {
	return "is not a Kubernetes controller"
}

const durationKey = "duration"

func TestPodMonitor_startManager(t *testing.T) {
	origLogger := zap.L()
	// reset logger after this test completes
	defer func() {
		zap.ReplaceGlobals(origLogger)
	}()

	// overwrite globals
	retrySleep = time.Duration(0)
	warningMessageSleep = time.Millisecond * 300
	warningTimeout = time.Millisecond * 300

	// use this like:
	//   managerNew = managerNewTest(mgr, nil)
	managerNewTest := func(mgr *MockManager, err error) func(*rest.Config, manager.Options) (manager.Manager, error) {
		return func(*rest.Config, manager.Options) (manager.Manager, error) {
			return mgr, err
		}
	}

	m := createNewPodMonitor()

	tests := []struct {
		name           string
		m              *PodMonitor
		expect         func(*testing.T, *gomock.Controller, context.Context, context.CancelFunc)
		wantKubeClient bool
	}{
		{
			name:           "successful startup without any errors in the expected timeframe",
			m:              m,
			wantKubeClient: true,
			expect: func(t *testing.T, ctrl *gomock.Controller, ctx context.Context, cancel context.CancelFunc) {
				mgr := NewMockManager(ctrl)
				managerNew = managerNewTest(mgr, nil)
				c := NewMockClient(ctrl)
				cch := NewMockCache(ctrl)
				inf := NewMockSharedIndexInformer(ctrl)

				// this is our version of a mocked SetFields function
				var sf func(i interface{}) error
				sf = func(i interface{}) error {
					if _, err := inject.InjectorInto(sf, i); err != nil {
						return err
					}
					if _, err := inject.SchemeInto(scheme.Scheme, i); err != nil {
						return err
					}
					if _, err := inject.CacheInto(cch, i); err != nil {
						return err
					}
					if _, err := inject.StopChannelInto(ctx.Done(), i); err != nil {
						return err
					}
					return nil
				}

				// delete controller
				mgr.EXPECT().Add(gomock.AssignableToTypeOf(&DeleteController{})).Times(1).Return(nil)
				mgr.EXPECT().GetClient().Times(1).Return(c)

				// main controller
				// newReconciler calls these
				mgr.EXPECT().GetClient().Times(1).Return(c)
				mgr.EXPECT().GetRecorder("trireme-pod-controller").Times(1).Return(nil)
				// addController calls controller.New which calls these
				mgr.EXPECT().SetFields(gomock.AssignableToTypeOf(&ReconcilePod{})).Times(1).DoAndReturn(sf)
				mgr.EXPECT().GetCache().Times(1).Return(cch)
				mgr.EXPECT().GetConfig().Times(1).Return(nil)
				mgr.EXPECT().GetScheme().Times(1).Return(scheme.Scheme)
				mgr.EXPECT().GetClient().Times(2).Return(c) // once inside of controller.New and once by us
				mgr.EXPECT().GetRecorder("trireme-pod-controller").Times(1).Return(nil)
				mgr.EXPECT().Add(isKubernetesController()).Times(1).DoAndReturn(func(run manager.Runnable) error {
					return sf(run)
				})
				// these are called by our c.Watch statement for registering our Pod event source
				// NOTE: this will also call Start on the informer already! This is the reason why the mgr.Start which
				//       waits for the caches to be filled will already download a fresh list of all the pods!
				cch.EXPECT().GetInformer(gomock.AssignableToTypeOf(&corev1.Pod{})).Times(1).DoAndReturn(func(arg0 runtime.Object) (cache.SharedIndexInformer, error) {
					return inf, nil
				})
				inf.EXPECT().AddEventHandler(gomock.Any()).Times(1)

				// monitoring/side controller
				var r manager.Runnable
				mgr.EXPECT().Add(gomock.AssignableToTypeOf(&runnable{})).DoAndReturn(func(run manager.Runnable) error {
					r = run
					return nil
				}).Times(1)

				// the manager start needs to at least start the monitoring controller for the right behaviour in our code
				mgr.EXPECT().Start(gomock.Any()).DoAndReturn(func(z <-chan struct{}) error {
					go r.Start(z) //nolint
					return nil
				}).Times(1)

				// after start, we call GetClient as well to assign it to the monitor
				mgr.EXPECT().GetClient().Times(1).Return(c)

				// on successful startup, we only expect one debug message at the end
				// we setup everything here to ensure that *only* this log will appear
				// we are additionally testing if the logic of the if condition worked
				zc := NewMockCore(ctrl)
				logger := zap.New(zc)
				zap.ReplaceGlobals(logger)
				zc.EXPECT().Enabled(zapcore.DebugLevel).Times(1).Return(true)
				zc.EXPECT().Check(gomock.Any(), gomock.Any()).Times(1).DoAndReturn(func(ent zapcore.Entry, ce *zapcore.CheckedEntry) *zapcore.CheckedEntry {
					return ce.AddCore(ent, zc)
				})
				zc.EXPECT().Write(gomock.Any(), gomock.Any()).Times(1).DoAndReturn(func(ent zapcore.Entry, fields []zapcore.Field) error {
					expectedLogMessage := "pod: controller startup finished"
					if !strings.HasPrefix(ent.Message, expectedLogMessage) {
						t.Errorf("expectedLogMessage = '%s', ent.Message = '%s'", expectedLogMessage, ent.Message)
						return nil
					}
					var foundDuration bool
					for _, field := range fields {
						if field.Key == durationKey {
							foundDuration = true
							if field.Type != zapcore.DurationType {
								t.Errorf("duration field of log message is not DurationType (8), but %v", field.Type)
								break
							}
							d := time.Duration(field.Integer)
							if d > warningTimeout {
								t.Errorf("startup time (%s) surpassed the warningTimeout (%s), but printed it as debug log instead of warning", d, warningTimeout)
							}
							break
						}
					}
					if !foundDuration {
						t.Errorf("did not find debug log message which has test duration field")
					}
					return nil
				})
			},
		},
		{
			name:           "successful startup without any errors taking longer than expected",
			m:              m,
			wantKubeClient: true,
			expect: func(t *testing.T, ctrl *gomock.Controller, ctx context.Context, cancel context.CancelFunc) {
				mgr := NewMockManager(ctrl)
				managerNew = managerNewTest(mgr, nil)
				c := NewMockClient(ctrl)
				cch := NewMockCache(ctrl)
				inf := NewMockSharedIndexInformer(ctrl)

				// this is our version of a mocked SetFields function
				var sf func(i interface{}) error
				sf = func(i interface{}) error {
					if _, err := inject.InjectorInto(sf, i); err != nil {
						return err
					}
					if _, err := inject.SchemeInto(scheme.Scheme, i); err != nil {
						return err
					}
					if _, err := inject.CacheInto(cch, i); err != nil {
						return err
					}
					if _, err := inject.StopChannelInto(ctx.Done(), i); err != nil {
						return err
					}
					return nil
				}

				// delete controller
				mgr.EXPECT().Add(gomock.AssignableToTypeOf(&DeleteController{})).Times(1).Return(nil)
				mgr.EXPECT().GetClient().Times(1).Return(c)

				// main controller
				// newReconciler calls these
				mgr.EXPECT().GetClient().Times(1).Return(c)
				mgr.EXPECT().GetRecorder("trireme-pod-controller").Times(1).Return(nil)
				// addController calls controller.New which calls these
				mgr.EXPECT().SetFields(gomock.AssignableToTypeOf(&ReconcilePod{})).Times(1).DoAndReturn(sf)
				mgr.EXPECT().GetCache().Times(1).Return(cch)
				mgr.EXPECT().GetConfig().Times(1).Return(nil)
				mgr.EXPECT().GetScheme().Times(1).Return(scheme.Scheme)
				mgr.EXPECT().GetClient().Times(2).Return(c) // once inside of controller.New and once by us
				mgr.EXPECT().GetRecorder("trireme-pod-controller").Times(1).Return(nil)
				mgr.EXPECT().Add(isKubernetesController()).Times(1).DoAndReturn(func(run manager.Runnable) error {
					return sf(run)
				})
				// these are called by our c.Watch statement for registering our Pod event source
				// NOTE: this will also call Start on the informer already! This is the reason why the mgr.Start which
				//       waits for the caches to be filled will already download a fresh list of all the pods!
				cch.EXPECT().GetInformer(gomock.AssignableToTypeOf(&corev1.Pod{})).Times(1).DoAndReturn(func(arg0 runtime.Object) (cache.SharedIndexInformer, error) {
					return inf, nil
				})
				inf.EXPECT().AddEventHandler(gomock.Any()).Times(1)

				// monitoring/side controller
				var r manager.Runnable
				mgr.EXPECT().Add(gomock.AssignableToTypeOf(&runnable{})).DoAndReturn(func(run manager.Runnable) error {
					r = run
					return nil
				}).Times(1)

				// the manager start needs to at least start the monitoring controller for the right behaviour in our code
				mgr.EXPECT().Start(gomock.Any()).DoAndReturn(func(z <-chan struct{}) error {
					// delay the startup by the warningMessage or warningTimeout messages depending on which one is longer
					time.Sleep(time.Duration(math.Max(float64(warningTimeout), float64(warningMessageSleep))))
					go r.Start(z) //nolint
					return nil
				}).Times(1)

				// after start, we call GetClient as well to assign it to the monitor
				mgr.EXPECT().GetClient().Times(1).Return(c)

				// on successful startup, we only expect one debug message at the end
				// we setup everything here to ensure that *only* this log will appear
				// we are additionally testing if the logic of the if condition worked
				zc := NewMockCore(ctrl)
				logger := zap.New(zc)
				zap.ReplaceGlobals(logger)
				zc.EXPECT().Enabled(zapcore.WarnLevel).Times(2).Return(true)
				zc.EXPECT().Check(gomock.Any(), gomock.Any()).Times(2).DoAndReturn(func(ent zapcore.Entry, ce *zapcore.CheckedEntry) *zapcore.CheckedEntry {
					return ce.AddCore(ent, zc)
				})
				expectedLogMessages := []string{
					"pod: the Kubernetes controller did not start within the last 5s. Waiting...",
					"pod: controller startup finished, but took longer than expected",
				}
				zc.EXPECT().Write(gomock.Any(), gomock.Any()).Times(2).DoAndReturn(func(ent zapcore.Entry, fields []zapcore.Field) error {
					var found bool
					for _, expectedLogMessage := range expectedLogMessages {
						if ent.Message == expectedLogMessage {
							found = true
							break
						}
					}
					if !found {
						t.Errorf("expectedLogMessages = '%s', ent.Message = '%s'", expectedLogMessages, ent.Message)
					}

					// this is where we expect the duration field
					if ent.Message == "pod: controller startup finished, but took longer than expected undefined" {
						var foundDuration bool
						for _, field := range fields {
							if field.Key == durationKey {
								foundDuration = true
								if field.Type != zapcore.DurationType {
									t.Errorf("duration field of log message is not DurationType (8), but %v", field.Type)
									break
								}
								d := time.Duration(field.Integer)
								if d < warningTimeout {
									t.Errorf("startup time (%s) surpassed the warningTimeout (%s), but printed it as warning log instead of debug", d, warningTimeout)
								}
								break
							}
						}
						if !foundDuration {
							t.Errorf("did not find warning log message which has test duration field")
						}
					}
					return nil
				})
			},
		},
		{
			name:           "successful startup with an error once for all actions",
			m:              m,
			wantKubeClient: true,
			expect: func(t *testing.T, ctrl *gomock.Controller, ctx context.Context, cancel context.CancelFunc) {
				mgr := NewMockManager(ctrl)
				var managerNewErrorerd bool
				managerNew = func(*rest.Config, manager.Options) (manager.Manager, error) {
					if !managerNewErrorerd {
						managerNewErrorerd = true
						return nil, fmt.Errorf("errored")
					}
					return mgr, nil
				}
				c := NewMockClient(ctrl)
				cch := NewMockCache(ctrl)
				inf := NewMockSharedIndexInformer(ctrl)

				// this is our version of a mocked SetFields function
				var sf func(i interface{}) error
				sf = func(i interface{}) error {
					if _, err := inject.InjectorInto(sf, i); err != nil {
						return err
					}
					if _, err := inject.SchemeInto(scheme.Scheme, i); err != nil {
						return err
					}
					if _, err := inject.CacheInto(cch, i); err != nil {
						return err
					}
					if _, err := inject.StopChannelInto(ctx.Done(), i); err != nil {
						return err
					}
					return nil
				}

				// delete controller
				var deleteControllerErrored bool
				mgr.EXPECT().Add(gomock.AssignableToTypeOf(&DeleteController{})).Times(2).DoAndReturn(func(run manager.Runnable) error {
					if !deleteControllerErrored {
						deleteControllerErrored = true
						return fmt.Errorf("errored")
					}
					return nil
				})
				mgr.EXPECT().GetClient().Times(1).Return(c)

				// main controller
				// newReconciler calls these
				mgr.EXPECT().GetClient().Times(2).Return(c)
				mgr.EXPECT().GetRecorder("trireme-pod-controller").Times(2).Return(nil)
				// addController calls controller.New which calls these
				mgr.EXPECT().SetFields(gomock.AssignableToTypeOf(&ReconcilePod{})).Times(2).DoAndReturn(sf)
				mgr.EXPECT().GetCache().Times(2).Return(cch)
				mgr.EXPECT().GetConfig().Times(2).Return(nil)
				mgr.EXPECT().GetScheme().Times(2).Return(scheme.Scheme)
				mgr.EXPECT().GetClient().Times(3).Return(c) // twice in controller.New because of the failure, and one time after that (that is after mgr.Add actually)
				mgr.EXPECT().GetRecorder("trireme-pod-controller").Times(2).Return(nil)
				var mainControllerErrored bool
				mgr.EXPECT().Add(isKubernetesController()).Times(2).DoAndReturn(func(run manager.Runnable) error {
					if !mainControllerErrored {
						mainControllerErrored = true
						return fmt.Errorf("errored")
					}
					return sf(run)
				})
				// these are called by our c.Watch statement for registering our Pod event source
				// NOTE: this will also call Start on the informer already! This is the reason why the mgr.Start which
				//       waits for the caches to be filled will already download a fresh list of all the pods!
				cch.EXPECT().GetInformer(gomock.AssignableToTypeOf(&corev1.Pod{})).Times(1).DoAndReturn(func(arg0 runtime.Object) (cache.SharedIndexInformer, error) {
					return inf, nil
				})
				inf.EXPECT().AddEventHandler(gomock.Any()).Times(1)

				// monitoring/side controller
				var r manager.Runnable
				var sideControllerErrored bool
				mgr.EXPECT().Add(gomock.AssignableToTypeOf(&runnable{})).DoAndReturn(func(run manager.Runnable) error {
					if !sideControllerErrored {
						sideControllerErrored = true
						return fmt.Errorf("errored")
					}
					r = run
					return nil
				}).Times(2)

				// the manager start needs to at least start the monitoring controller for the right behaviour in our code
				var managerStartErrored bool
				mgr.EXPECT().Start(gomock.Any()).DoAndReturn(func(z <-chan struct{}) error {
					if !managerStartErrored {
						managerStartErrored = true
						return fmt.Errorf("errored")
					}
					go r.Start(z) //nolint
					return nil
				}).Times(2)

				// after start, we call GetClient as well to assign it to the monitor
				mgr.EXPECT().GetClient().Times(1).Return(c)

				// on successful startup, we only expect one debug message at the end
				// we setup everything here to ensure that *only* this log will appear
				// we are additionally testing if the logic of the if condition worked
				zc := NewMockCore(ctrl)
				logger := zap.New(zc)
				zap.ReplaceGlobals(logger)
				zc.EXPECT().Enabled(zapcore.DebugLevel).Times(1).Return(true)
				zc.EXPECT().Enabled(zapcore.ErrorLevel).Times(5).Return(true)
				zc.EXPECT().Check(gomock.Any(), gomock.Any()).Times(6).DoAndReturn(func(ent zapcore.Entry, ce *zapcore.CheckedEntry) *zapcore.CheckedEntry {
					return ce.AddCore(ent, zc)
				})
				expectedLogMessages := []string{
					"pod: new manager instantiation failed. Retrying in 3s...",
					"pod: adding delete controller failed. Retrying in 3s...",
					"pod: adding main monitor controller failed. Retrying in 3s...",
					"pod: adding side controller failed. Retrying in 3s...",
					"pod: manager start failed. Retrying in 3s...",
					"pod: controller startup finished",
				}
				zc.EXPECT().Write(gomock.Any(), gomock.Any()).Times(6).DoAndReturn(func(ent zapcore.Entry, fields []zapcore.Field) error {
					var found bool
					for _, expectedLogMessage := range expectedLogMessages {
						if ent.Message == expectedLogMessage {
							found = true
							break
						}
					}
					if !found {
						t.Errorf("expectedLogMessages = '%s', ent.Message = '%s'", expectedLogMessages, ent.Message)
					}

					// this is where we expect the duration field
					if ent.Message == "pod: controller startup finished" {
						var foundDuration bool
						for _, field := range fields {
							if field.Key == durationKey {
								foundDuration = true
								if field.Type != zapcore.DurationType {
									t.Errorf("duration field of log message is not DurationType (8), but %v", field.Type)
									break
								}
								d := time.Duration(field.Integer)
								if d > warningTimeout {
									t.Errorf("startup time (%s) surpassed the warningTimeout (%s), but printed it as debug log instead of warning", d, warningTimeout)
								}
								break
							}
						}
						if !foundDuration {
							t.Errorf("did not find debug log message which has test duration field")
						}
					}
					return nil
				})
			},
		},
		{
			name:           "context gets cancelled",
			m:              m,
			wantKubeClient: false,
			expect: func(t *testing.T, ctrl *gomock.Controller, ctx context.Context, cancel context.CancelFunc) {
				managerNew = managerNewTest(nil, fmt.Errorf("error"))
				zc := NewMockCore(ctrl)
				logger := zap.New(zc)
				zap.ReplaceGlobals(logger)
				zc.EXPECT().Enabled(zapcore.ErrorLevel).AnyTimes().Return(false)
				cancel()
			},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			// create a mock controller per test run to track mocked calls
			// call expect() to register and prepare for the side effects of the functions
			// always nil the kubeClient for every call
			ctx, cancel := context.WithCancel(context.Background())
			ctrl := gomock.NewController(t)
			tt.expect(t, ctrl, ctx, cancel)
			tt.m.kubeClient = nil

			// probably paranoid: this ensures that nothing in the tested function actually calls out to the policy engine yet (ctrl.Finish() would catch those)
			handler := mockpolicy.NewMockResolver(ctrl)
			pc := &config.ProcessorConfig{
				Policy: handler,
			}
			tt.m.SetupHandlers(pc)

			// now execute the mocked test
			tt.m.startManager(ctx)

			// do the kubeclient check
			if tt.wantKubeClient && tt.m.kubeClient == nil {
				t.Errorf("PodMonitor.startManager() kubeClient = %v, wantKubeClient %v", tt.m.kubeClient, tt.wantKubeClient)
			}
			if !tt.wantKubeClient && tt.m.kubeClient != nil {
				t.Errorf("PodMonitor.startManager() kubeClient = %v, wantKubeClient %v", tt.m.kubeClient, tt.wantKubeClient)
			}

			// call Finish on every test run to ensure the calls add up per test
			// this is essentially the real check of all the test conditions as the whole function is side-effecting only
			ctrl.Finish()

			// last but not least, call cancel() so that all mocked routines which were depending on this context stop for sure
			cancel()
		})
	}
}

func TestPodMonitor_Resync(t *testing.T) {
	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	ctx := context.Background()

	c := NewMockClient(ctrl)
	m := createNewPodMonitor()
	handler := mockpolicy.NewMockResolver(ctrl)
	pc := &config.ProcessorConfig{
		Policy: handler,
	}
	m.SetupHandlers(pc)

	type args struct {
		ctx context.Context
	}
	tests := []struct {
		name    string
		m       *PodMonitor
		expect  func(t *testing.T, m *PodMonitor)
		args    args
		wantErr bool
	}{
		{
			name: "resync fails with a failing reset netcls",
			m:    m,
			args: args{
				ctx: ctx,
			},
			expect: func(t *testing.T, m *PodMonitor) {
				m.kubeClient = c
				m.resetNetcls = func(context.Context) error {
					return fmt.Errorf("resync error")
				}
			},
			wantErr: true,
		},
		{
			name: "resync fails with a missing kubeclient",
			m:    m,
			args: args{
				ctx: ctx,
			},
			expect: func(t *testing.T, m *PodMonitor) {
				m.kubeClient = nil
				m.resetNetcls = func(context.Context) error {
					return nil
				}
			},
			wantErr: true,
		},
		{
			name: "successful call to ResyncWathAllPods",
			m:    m,
			args: args{
				ctx: ctx,
			},
			expect: func(t *testing.T, m *PodMonitor) {
				m.kubeClient = c
				m.resetNetcls = func(context.Context) error {
					return nil
				}
				c.EXPECT().List(gomock.Any(), gomock.Any(), gomock.Any()).Times(1).Return(nil)
			},
			wantErr: false,
		},
		// not more to test, the heavy lifting is done in ResyncWithAllPods
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			tt.expect(t, tt.m)
			if err := tt.m.Resync(tt.args.ctx); (err != nil) != tt.wantErr {
				t.Errorf("PodMonitor.Resync() error = %v, wantErr %v", err, tt.wantErr)
			}
		})
	}
}


================================================
FILE: monitor/internal/pod/resync.go
================================================
// +build linux !windows

package podmonitor

import (
	"context"
	"errors"
	"fmt"
	"sync"
	"time"

	corev1 "k8s.io/api/core/v1"

	"sigs.k8s.io/controller-runtime/pkg/client"
	"sigs.k8s.io/controller-runtime/pkg/event"

	"go.uber.org/zap"
)

// ResyncWithAllPods is called from the implemented resync, it will list all pods
// and fire them down the event source (the generic event channel).
// It will block until every pod at the time of calling has been calling `Reconcile` at least once.
func ResyncWithAllPods(ctx context.Context, c client.Client, i *ResyncInfoChan, evCh chan<- event.GenericEvent, nodeName string) error {
	zap.L().Debug("Pod resync: starting to resync all pods")
	if c == nil {
		return errors.New("pod: no client available")
	}

	if evCh == nil {
		return errors.New("pod: no event source available")
	}

	if i == nil {
		return errors.New("pod: no resync info channel available")
	}

	list := &corev1.PodList{}
	if err := c.List(ctx, &client.ListOptions{}, list); err != nil {
		return fmt.Errorf("pod: %s", err.Error())
	}

	// build a map of pods that we will expect to turn true
	m := make(map[string]bool)
	for _, pod := range list.Items {
		if pod.Spec.NodeName != nodeName {
			continue
		}
		podName := pod.GetName()
		podNamespace := pod.GetNamespace()
		if podName != "" && podNamespace != "" {
			m[fmt.Sprintf("%s/%s", podNamespace, podName)] = false
		}
	}
	zap.L().Debug("Pod resync: pods that need to be resynced", zap.Any("pods", m))

	// Request that the controller reports to us from now on
	i.EnableNeedsInfo()

	// fire away events to the controller
	for _, pod := range list.Items {
		if pod.Spec.NodeName != nodeName {
			continue
		}
		p := pod.DeepCopy()
		evCh <- event.GenericEvent{
			Meta:   p.GetObjectMeta(),
			Object: p,
		}
	}

	// now wait for all pods to have reported back
	begin := time.Now()
waitLoop:
	for {
		if time.Since(begin) > (time.Second * 60) {
			zap.L().Warn("Pod resync: failed to reconcile on all pods. Unblocking now anyway.")
			break waitLoop
		}

		select {
		case info := <-*i.GetInfoCh():
			if _, ok := m[info]; ok {
				zap.L().Debug("Pod resync: pod that is part of the resync", zap.String("pod", info))
				m[info] = true
			} else {
				zap.L().Debug("Pod resync: *not* a pod that is part of the resync", zap.String("pod", info))
			}
		case <-time.After(time.Second * 5):
			zap.L().Debug("Pod resync: timeout waiting for pod reconcile")
		}

		// now check if we can abort already
		for _, v := range m {
			if !v {
				continue waitLoop
			}
		}
		break waitLoop
	}
	i.DisableNeedsInfo()
	zap.L().Debug("Pod resync: finished resyncing all pods")

	return nil
}

// ResyncInfoChan is used to report back from the controller on which pods it has processed.
// It allows the Resync of the monitor to block and wait until a list has been processed.
type ResyncInfoChan struct {
	m  sync.RWMutex
	b  bool
	ch chan string
}

// NewResyncInfoChan creates a new ResyncInfoChan
func NewResyncInfoChan() *ResyncInfoChan {
	return &ResyncInfoChan{
		ch: make(chan string, 100),
	}
}

// EnableNeedsInfo enables the need for sending info
func (r *ResyncInfoChan) EnableNeedsInfo() {
	r.m.Lock()
	defer r.m.Unlock()
	r.b = true
}

// DisableNeedsInfo disables the need for sending info
func (r *ResyncInfoChan) DisableNeedsInfo() {
	r.m.Lock()
	defer r.m.Unlock()
	r.b = false
}

// NeedsInfo returns if there is a need for sending info
func (r *ResyncInfoChan) NeedsInfo() bool {
	r.m.RLock()
	defer r.m.RUnlock()
	return r.b
}

// SendInfo will make the info available through an internal channel
func (r *ResyncInfoChan) SendInfo(info string) {
	r.m.RLock()
	defer r.m.RUnlock()
	if r.b {
		r.ch <- info
	}
}

// GetInfoCh returns the channel
func (r *ResyncInfoChan) GetInfoCh() *chan string {
	r.m.RLock()
	defer r.m.RUnlock()
	return &r.ch
}


================================================
FILE: monitor/internal/pod/resync_test.go
================================================
// +build !windows

package podmonitor

import (
	"context"
	"testing"

	. "github.com/smartystreets/goconvey/convey"

	corev1 "k8s.io/api/core/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

	fakeclient "sigs.k8s.io/controller-runtime/pkg/client/fake"
	"sigs.k8s.io/controller-runtime/pkg/event"
)

func TestResyncWithAllPods(t *testing.T) {
	Convey("Given a client, two pods and an event channel", t, func() {
		ctx := context.TODO()
		evCh := make(chan event.GenericEvent, 100)
		resyncInfo := NewResyncInfoChan()
		pod1 := &corev1.Pod{
			ObjectMeta: metav1.ObjectMeta{
				Name:      "pod1",
				Namespace: "default",
			},
			Spec: corev1.PodSpec{
				NodeName: "node",
			},
		}
		pod2 := &corev1.Pod{
			ObjectMeta: metav1.ObjectMeta{
				Name:      "pod2",
				Namespace: "default",
			},
			Spec: corev1.PodSpec{
				NodeName: "node",
			},
		}
		c := fakeclient.NewFakeClient(pod1, pod2)

		Convey("resync should fail if there is no client", func() {
			err := ResyncWithAllPods(ctx, nil, resyncInfo, evCh, "node")
			So(err, ShouldNotBeNil)
			So(err.Error(), ShouldEqual, "pod: no client available")
		})

		Convey("resync should fail if there is no event channel", func() {
			err := ResyncWithAllPods(ctx, c, resyncInfo, nil, "node")
			So(err, ShouldNotBeNil)
			So(err.Error(), ShouldEqual, "pod: no event source available")
		})

		Convey("resync should successfully send messages with all pods", func() {
			resyncInfo.EnableNeedsInfo()
			resyncInfo.SendInfo("default/pod1")
			resyncInfo.SendInfo("default/pod2")
			err := ResyncWithAllPods(ctx, c, resyncInfo, evCh, "node")
			So(err, ShouldBeNil)
			allPods := []string{"pod1", "pod2"}
			collectedPods := []string{}

			obj1 := <-evCh
			So(obj1.Meta.GetName(), ShouldBeIn, allPods)
			collectedPods = append(collectedPods, obj1.Meta.GetName())
			obj2 := <-evCh
			So(obj2.Meta.GetName(), ShouldBeIn, allPods)
			collectedPods = append(collectedPods, obj2.Meta.GetName())
			So("pod1", ShouldBeIn, collectedPods)
			So("pod2", ShouldBeIn, collectedPods)
			So(obj1.Meta.GetName(), ShouldNotEqual, obj2.Meta.GetName())
		})
	})
}


================================================
FILE: monitor/internal/pod/testdata/kubeconfig
================================================
apiVersion: v1
clusters:
- cluster:
    server: https://localhost:9443
  name: apiserver
contexts:
- context:
    cluster: apiserver
    user: apiserver
  name: apiserver
current-context: apiserver
kind: Config
preferences: {}
users:
- name: apiserver
  user: {}

================================================
FILE: monitor/internal/pod/watcher.go
================================================
// +build !windows

package podmonitor

import (
	corev1 "k8s.io/api/core/v1"
	"k8s.io/apimachinery/pkg/types"
	"sigs.k8s.io/controller-runtime/pkg/client"
	"sigs.k8s.io/controller-runtime/pkg/handler"
	"sigs.k8s.io/controller-runtime/pkg/reconcile"
)

// WatchPodMapper determines if we want to reconcile on a pod event. There are two limitiations:
// - the pod must be schedule on a matching nodeName
// - if the pod requests host networking, only reconcile if we want to enable host pods
type WatchPodMapper struct {
	client         client.Client
	nodeName       string
	enableHostPods bool
}

// Map implements the handler.Mapper interface to emit reconciles for corev1.Pods. It effectively
// filters the pods by looking for a matching nodeName and filters them out if host networking is requested,
// but we don't want to enable those.
func (w *WatchPodMapper) Map(obj handler.MapObject) []reconcile.Request {
	pod, ok := obj.Object.(*corev1.Pod)
	if !ok {
		return nil
	}

	if pod.Spec.NodeName != w.nodeName {
		return nil
	}

	if pod.Spec.HostNetwork && !w.enableHostPods {
		return nil
	}

	return []reconcile.Request{
		{
			NamespacedName: types.NamespacedName{
				Name:      pod.Name,
				Namespace: pod.Namespace,
			},
		},
	}
}


================================================
FILE: monitor/internal/pod/watcher_test.go
================================================
// +build !windows

package podmonitor

import (
	"testing"

	. "github.com/smartystreets/goconvey/convey"

	corev1 "k8s.io/api/core/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"sigs.k8s.io/controller-runtime/pkg/handler"
)

func TestWatchPodMapper(t *testing.T) {
	Convey("Given a watch pod mapper and a pod", t, func() {
		m := WatchPodMapper{
			// client is currently not in use for this mapper
			client:         nil,
			nodeName:       "testing-node",
			enableHostPods: true,
		}
		p := &corev1.Pod{
			ObjectMeta: metav1.ObjectMeta{
				Name: "p1",
			},
			Spec: corev1.PodSpec{
				NodeName: "testing-node",
			},
		}
		Convey("do not reconcile if the object is not a pod", func() {
			svc := &corev1.Service{
				ObjectMeta: metav1.ObjectMeta{
					Name: "service",
				},
			}
			reqs := m.Map(handler.MapObject{Meta: svc.GetObjectMeta(), Object: svc})
			So(reqs, ShouldHaveLength, 0)
		})
		Convey("do not reconcile if the node name does not match", func() {
			p.Spec.NodeName = "wrong"
			reqs := m.Map(handler.MapObject{Meta: p.GetObjectMeta(), Object: p})
			So(reqs, ShouldHaveLength, 0)
		})
		Convey("do not reconcile if enabling host pods is not enabled, but the pod has HostNetwork set to true", func() {
			m.enableHostPods = false
			p.Spec.HostNetwork = true
			reqs := m.Map(handler.MapObject{Meta: p.GetObjectMeta(), Object: p})
			So(reqs, ShouldHaveLength, 0)
		})
		Convey("reconcile if the node name matches", func() {
			reqs := m.Map(handler.MapObject{Meta: p.GetObjectMeta(), Object: p})
			So(reqs, ShouldHaveLength, 1)
		})
	})
}


================================================
FILE: monitor/internal/uid/config.go
================================================
package uidmonitor

import (
	"go.aporeto.io/trireme-lib/monitor/extractors"
)

// Config is the configuration options to start a CNI monitor
type Config struct {
	EventMetadataExtractor extractors.EventMetadataExtractor
	StoredPath             string
	ReleasePath            string
}

// DefaultConfig provides default configuration for uid monitor
func DefaultConfig() *Config {

	return &Config{
		EventMetadataExtractor: extractors.UIDMetadataExtractor,
		StoredPath:             "/var/run/trireme_uid",
		ReleasePath:            "",
	}
}

// SetupDefaultConfig adds defaults to a partial configuration
func SetupDefaultConfig(uidConfig *Config) *Config {

	defaultConfig := DefaultConfig()

	if uidConfig.ReleasePath == "" {
		uidConfig.ReleasePath = defaultConfig.ReleasePath
	}
	if uidConfig.StoredPath == "" {
		uidConfig.StoredPath = defaultConfig.StoredPath
	}
	if uidConfig.EventMetadataExtractor == nil {
		uidConfig.EventMetadataExtractor = defaultConfig.EventMetadataExtractor
	}

	return uidConfig
}


================================================
FILE: monitor/internal/uid/monitor.go
================================================
package uidmonitor

import (
	"context"
	"fmt"
	"regexp"

	"go.aporeto.io/trireme-lib/common"
	"go.aporeto.io/trireme-lib/monitor/config"
	"go.aporeto.io/trireme-lib/monitor/registerer"
	"go.aporeto.io/trireme-lib/utils/cache"
	"go.aporeto.io/trireme-lib/utils/cgnetcls"
)

// UIDMonitor captures all the monitor processor information for a UIDLoginPU
// It implements the EventProcessor interface of the rpc monitor
type UIDMonitor struct {
	proc *uidProcessor
}

// New returns a new implmentation of a monitor implmentation
func New() *UIDMonitor {

	return &UIDMonitor{
		proc: &uidProcessor{},
	}
}

// Run implements Implementation interface
func (u *UIDMonitor) Run(ctx context.Context) error {

	if err := u.proc.config.IsComplete(); err != nil {
		return fmt.Errorf("uid: %s", err)
	}

	return u.Resync(ctx)
}

// SetupConfig provides a configuration to implmentations. Every implmentation
// can have its own config type.
func (u *UIDMonitor) SetupConfig(registerer registerer.Registerer, cfg interface{}) error {

	defaultConfig := DefaultConfig()
	if cfg == nil {
		cfg = defaultConfig
	}

	uidConfig, ok := cfg.(*Config)
	if !ok {
		return fmt.Errorf("Invalid configuration specified")
	}

	if registerer != nil {
		if err := registerer.RegisterProcessor(common.UIDLoginPU, u.proc); err != nil {
			return err
		}
	}

	// Setup defaults
	uidConfig = SetupDefaultConfig(uidConfig)

	// Setup config
	u.proc.netcls = cgnetcls.NewCgroupNetController(common.TriremeUIDCgroupPath, uidConfig.ReleasePath)
	u.proc.regStart = regexp.MustCompile("^[a-zA-Z0-9_]{1,11}$")
	u.proc.regStop = regexp.MustCompile("^/trireme/[a-zA-Z0-9_]{1,11}$")
	u.proc.putoPidMap = cache.NewCache("putoPidMap")
	u.proc.pidToPU = cache.NewCache("pidToPU")
	u.proc.metadataExtractor = uidConfig.EventMetadataExtractor
	if u.proc.metadataExtractor == nil {
		return fmt.Errorf("Unable to setup a metadata extractor")
	}

	return nil
}

// SetupHandlers sets up handlers for monitors to invoke for various events such as
// processing unit events and synchronization events. This will be called before Start()
// by the consumer of the monitor
func (u *UIDMonitor) SetupHandlers(m *config.ProcessorConfig) {

	u.proc.config = m
}

// Resync asks the monitor to do a resync
func (u *UIDMonitor) Resync(ctx context.Context) error {
	return u.proc.Resync(ctx, nil)
}


================================================
FILE: monitor/internal/uid/processor.go
================================================
package uidmonitor

import (
	"context"
	"errors"
	"regexp"
	"strconv"
	"strings"
	"sync"

	"go.aporeto.io/trireme-lib/collector"
	"go.aporeto.io/trireme-lib/common"
	"go.aporeto.io/trireme-lib/monitor/config"
	"go.aporeto.io/trireme-lib/monitor/extractors"
	"go.aporeto.io/trireme-lib/policy"
	"go.aporeto.io/trireme-lib/utils/cache"
	"go.aporeto.io/trireme-lib/utils/cgnetcls"
	"go.uber.org/zap"
)

var ignoreNames = map[string]*struct{}{
	"cgroup.clone_children": nil,
	"cgroup.procs":          nil,
	"net_cls.classid":       nil,
	"net_prio.ifpriomap":    nil,
	"net_prio.prioidx":      nil,
	"notify_on_release":     nil,
	"tasks":                 nil,
}

// uidProcessor captures all the monitor processor information for a UIDLoginPU
// It implements the EventProcessor interface of the rpc monitor
type uidProcessor struct {
	config            *config.ProcessorConfig
	metadataExtractor extractors.EventMetadataExtractor
	netcls            cgnetcls.Cgroupnetcls
	regStart          *regexp.Regexp
	regStop           *regexp.Regexp
	putoPidMap        *cache.Cache
	pidToPU           *cache.Cache
	sync.Mutex
}

const (
	triremeBaseCgroup = "/trireme"
)

// puToPidEntry represents an entry to puToPidMap
type puToPidEntry struct {
	pidlist            map[int32]bool
	Info               *policy.PURuntime
	publishedContextID string
}

// Start handles start events
func (u *uidProcessor) Start(ctx context.Context, eventInfo *common.EventInfo) error {

	return u.createAndStart(ctx, eventInfo, false)
}

// Stop handles a stop event and destroy as well. Destroy does nothing for the uid monitor
func (u *uidProcessor) Stop(ctx context.Context, eventInfo *common.EventInfo) error {

	puID := eventInfo.PUID

	if puID == triremeBaseCgroup {
		u.netcls.Deletebasepath(puID)
		return nil
	}

	u.Lock()
	defer u.Unlock()

	// Take the PID part of the user/pid PUID
	var pid string
	userID := eventInfo.PUID
	parts := strings.SplitN(puID, "/", 2)
	if len(parts) == 2 {
		userID = parts[0]
		pid = parts[1]
	}

	if len(pid) > 0 {
		// Delete the cgroup for that pid
		if err := u.netcls.DeleteCgroup(puID); err != nil {
			return err
		}

		if pidlist, err := u.putoPidMap.Get(userID); err == nil {
			pidCxt := pidlist.(*puToPidEntry)

			iPid, err := strconv.Atoi(pid)
			if err != nil {
				return err
			}

			// Clean pid from both caches
			delete(pidCxt.pidlist, int32(iPid))

			if err = u.pidToPU.Remove(int32(iPid)); err != nil {
				zap.L().Warn("Failed to remove entry in the cache", zap.Error(err), zap.String("stopped pid", pid))
			}
		}
		return nil
	}

	runtime := policy.NewPURuntimeWithDefaults()
	runtime.SetPUType(common.UIDLoginPU)

	// Since all the PIDs of the user are gone, we can delete the user context.
	if err := u.config.Policy.HandlePUEvent(ctx, userID, common.EventStop, runtime); err != nil {
		zap.L().Warn("Failed to stop trireme PU ",
			zap.String("puID", puID),
			zap.Error(err),
		)
	}

	if err := u.config.Policy.HandlePUEvent(ctx, userID, common.EventDestroy, runtime); err != nil {
		zap.L().Warn("Failed to Destroy clean trireme ",
			zap.String("puID", puID),
			zap.Error(err),
		)
	}

	if err := u.putoPidMap.Remove(userID); err != nil {
		zap.L().Warn("Failed to remove entry in the cache", zap.Error(err), zap.String("puID", puID))
	}

	return u.netcls.DeleteCgroup(strings.TrimRight(userID, "/"))
}

// Create handles create events
func (u *uidProcessor) Create(ctx context.Context, eventInfo *common.EventInfo) error {
	return nil
}

// Destroy handles a destroy event
func (u *uidProcessor) Destroy(ctx context.Context, eventInfo *common.EventInfo) error {
	// Destroy is not used for the UIDMonitor since we will destroy when we get stop
	// This is to try and save some time .Stop/Destroy is two RPC calls.
	// We don't define pause on uid monitor so stop is always followed by destroy
	return nil
}

// Pause handles a pause event
func (u *uidProcessor) Pause(ctx context.Context, eventInfo *common.EventInfo) error {

	return u.config.Policy.HandlePUEvent(ctx, eventInfo.PUID, common.EventPause, nil)
}

// Resync resyncs with all the existing services that were there before we start
func (u *uidProcessor) Resync(ctx context.Context, e *common.EventInfo) error {

	uids := u.netcls.ListAllCgroups("")
	for _, uid := range uids {

		if _, ok := ignoreNames[uid]; ok {
			continue
		}

		processesOfUID := u.netcls.ListAllCgroups(uid)
		activePids := []int32{}

		for _, pid := range processesOfUID {
			if _, ok := ignoreNames[pid]; ok {
				continue
			}

			cgroupPath := uid + "/" + pid
			pidlist, _ := u.netcls.ListCgroupProcesses(cgroupPath)
			if len(pidlist) == 0 {
				if err := u.netcls.DeleteCgroup(cgroupPath); err != nil {
					zap.L().Warn("Unable to delete cgroup",
						zap.String("cgroup", cgroupPath),
						zap.Error(err),
					)
				}
				continue
			}

			iPid, _ := strconv.Atoi(pid)
			activePids = append(activePids, int32(iPid))
		}

		if len(activePids) == 0 {
			if err := u.netcls.DeleteCgroup(uid); err != nil {
				zap.L().Warn("Unable to delete cgroup",
					zap.String("cgroup", uid),
					zap.Error(err),
				)
			}
			continue
		}

		event := &common.EventInfo{
			PID:    activePids[0],
			PUID:   uid,
			PUType: common.UIDLoginPU,
		}

		if err := u.createAndStart(ctx, event, true); err != nil {
			zap.L().Error("Can not synchronize user", zap.String("user", uid))
		}

		for i := 1; i < len(activePids); i++ {
			event := &common.EventInfo{
				PID:    activePids[i],
				PUID:   uid,
				PUType: common.UIDLoginPU,
			}
			if err := u.createAndStart(ctx, event, true); err != nil {
				zap.L().Error("Can not synchronize user", zap.String("user", uid))
			}
		}
	}

	return nil
}

func (u *uidProcessor) createAndStart(ctx context.Context, eventInfo *common.EventInfo, startOnly bool) error {

	u.Lock()
	defer u.Unlock()

	if eventInfo.Name == "" {
		eventInfo.Name = eventInfo.PUID
	}

	puID := eventInfo.PUID
	pids, err := u.putoPidMap.Get(puID)
	var runtimeInfo *policy.PURuntime
	if err != nil {
		runtimeInfo, err = u.metadataExtractor(eventInfo)
		if err != nil {
			return err
		}

		publishedContextID := puID
		// Setup the run time
		if !startOnly {
			if perr := u.config.Policy.HandlePUEvent(ctx, publishedContextID, common.EventCreate, runtimeInfo); perr != nil {
				zap.L().Error("Failed to create process", zap.Error(perr))
				return perr
			}
		}

		if perr := u.config.Policy.HandlePUEvent(ctx, publishedContextID, common.EventStart, runtimeInfo); perr != nil {
			zap.L().Error("Failed to start process", zap.Error(perr))
			return perr
		}

		if err = u.processLinuxServiceStart(puID, eventInfo, runtimeInfo); err != nil {
			zap.L().Error("processLinuxServiceStart", zap.Error(err))
			return err
		}

		u.config.Collector.CollectContainerEvent(&collector.ContainerRecord{
			ContextID: puID,
			IPAddress: runtimeInfo.IPAddresses(),
			Tags:      runtimeInfo.Tags(),
			Event:     collector.ContainerStart,
		})

		entry := &puToPidEntry{
			Info:               runtimeInfo,
			publishedContextID: publishedContextID,
			pidlist:            map[int32]bool{},
		}

		if err := u.putoPidMap.Add(puID, entry); err != nil {
			zap.L().Warn("Failed to add puID/PU in the cache",
				zap.Error(err),
				zap.String("puID", puID),
			)
		}

		pids = entry
	}

	pids.(*puToPidEntry).pidlist[eventInfo.PID] = true
	if err := u.pidToPU.Add(eventInfo.PID, eventInfo.PUID); err != nil {
		zap.L().Warn("Failed to add eventInfoPID/eventInfoPUID in the cache",
			zap.Error(err),
			zap.Int32("eventInfo.PID", eventInfo.PID),
			zap.String("eventInfo.PUID", eventInfo.PUID),
		)
	}

	pidPath := puID + "/" + strconv.Itoa(int(eventInfo.PID))

	return u.processLinuxServiceStart(pidPath, eventInfo, pids.(*puToPidEntry).Info)

}

func (u *uidProcessor) processLinuxServiceStart(pidName string, event *common.EventInfo, runtimeInfo *policy.PURuntime) error {

	if err := u.netcls.Creategroup(pidName); err != nil {
		zap.L().Error("Failed to create cgroup for the user", zap.String("user", pidName), zap.Error(err))
		return err
	}

	markval := runtimeInfo.Options().CgroupMark
	if markval == "" {
		if derr := u.netcls.DeleteCgroup(pidName); derr != nil {
			zap.L().Warn("Failed to clean cgroup", zap.Error(derr))
		}
		return errors.New("mark value not found")
	}

	mark, err := strconv.ParseUint(markval, 10, 32)
	if err != nil {
		return err
	}

	if err = u.netcls.AssignMark(pidName, mark); err != nil {
		if derr := u.netcls.DeleteCgroup(pidName); derr != nil {
			zap.L().Warn("Failed to clean cgroup", zap.Error(derr))
		}
		return err
	}

	if err := u.netcls.AddProcess(pidName, int(event.PID)); err != nil {
		if derr := u.netcls.DeleteCgroup(pidName); derr != nil {
			zap.L().Warn("Failed to clean cgroup", zap.Error(derr))
		}
		return err
	}

	return nil
}


================================================
FILE: monitor/internal/windows/config.go
================================================
// +build windows

package windowsmonitor

import "go.aporeto.io/enforcerd/trireme-lib/monitor/extractors"

// Config is the configuration options to start a CNI monitor
type Config struct {
	EventMetadataExtractor extractors.EventMetadataExtractor
	Host                   bool
}

// DefaultConfig provides a default configuration
func DefaultConfig(host bool) *Config {
	return &Config{
		EventMetadataExtractor: extractors.DefaultHostMetadataExtractor,
		Host:                   host,
	}
}

// SetupDefaultConfig adds defaults to a partial configuration
func SetupDefaultConfig(windowsConfig *Config) *Config {

	defaultConfig := DefaultConfig(windowsConfig.Host)
	if windowsConfig.EventMetadataExtractor == nil {
		windowsConfig.EventMetadataExtractor = defaultConfig.EventMetadataExtractor
	}
	return windowsConfig
}


================================================
FILE: monitor/internal/windows/monitor.go
================================================
// +build windows

package windowsmonitor

import (
	"context"
	"fmt"
	"regexp"

	"go.aporeto.io/enforcerd/trireme-lib/common"
	"go.aporeto.io/enforcerd/trireme-lib/monitor/config"
	"go.aporeto.io/enforcerd/trireme-lib/monitor/registerer"
)

// WindowsMonitor hold state for the windows monitor
type WindowsMonitor struct {
	proc *windowsProcessor
}

// New returns a new implmentation of a monitor implmentation
func New(context.Context) *WindowsMonitor {
	return &WindowsMonitor{
		proc: &windowsProcessor{},
	}
}

// Run implements Implementation interface
func (w *WindowsMonitor) Run(ctx context.Context) error {
	if err := w.proc.config.IsComplete(); err != nil {
		return fmt.Errorf("windows %t: %s", w.proc.host, err)
	}

	return w.Resync(ctx)

}

// SetupHandlers sets up handlers for monitors to invoke for various events such as
// processing unit events and synchronization events. This will be called before Start()
// by the consumer of the monitor
func (w *WindowsMonitor) SetupHandlers(m *config.ProcessorConfig) {
	w.proc.config = m
}

// SetupConfig sets up the config for the monitor
func (w *WindowsMonitor) SetupConfig(registerer registerer.Registerer, cfg interface{}) error {
	if cfg == nil {
		cfg = DefaultConfig(false)
	}
	windowsConfig, ok := cfg.(*Config)
	if !ok {
		return fmt.Errorf("Invalid configuration specified")
	}
	if registerer != nil {
		if err := registerer.RegisterProcessor(common.HostPU, w.proc); err != nil {
			return err
		}
		if err := registerer.RegisterProcessor(common.HostNetworkPU, w.proc); err != nil {
			return err
		}
		if err := registerer.RegisterProcessor(common.WindowsProcessPU, w.proc); err != nil {
			return err
		}
	}
	windowsConfig = SetupDefaultConfig(windowsConfig)
	w.proc.host = windowsConfig.Host
	w.proc.regStart = regexp.MustCompile("^[a-zA-Z0-9_]{1,11}$")
	w.proc.metadataExtractor = windowsConfig.EventMetadataExtractor
	if w.proc.metadataExtractor == nil {
		return fmt.Errorf("Unable to setup a metadata extractor")
	}
	return nil
}

// Resync instructs the monitor to do a resync.
func (w *WindowsMonitor) Resync(ctx context.Context) error {
	return w.proc.Resync(ctx, nil)
}


================================================
FILE: monitor/internal/windows/processor.go
================================================
// +build windows

package windowsmonitor

import (
	"context"
	"fmt"
	"regexp"

	"go.aporeto.io/enforcerd/trireme-lib/common"
	"go.aporeto.io/enforcerd/trireme-lib/monitor/config"
	"go.aporeto.io/enforcerd/trireme-lib/monitor/extractors"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
	"go.uber.org/zap"
)

type windowsProcessor struct {
	regStart          *regexp.Regexp
	metadataExtractor extractors.EventMetadataExtractor
	config            *config.ProcessorConfig
	host              bool
}

// Start processes PU start events
func (w *windowsProcessor) Start(ctx context.Context, eventInfo *common.EventInfo) error {
	// Validate the PUID format. Additional validations TODO
	if !w.regStart.Match([]byte(eventInfo.PUID)) {
		return fmt.Errorf("invalid pu id: %s", eventInfo.PUID)
	}

	// Normalize to a nativeID context. This will become key for any recoveries
	// and it's an one way function.
	nativeID := w.generateContextID(eventInfo)
	// Extract the metadata and create the runtime
	runtime, err := w.metadataExtractor(eventInfo)
	if err != nil {
		return err
	}

	// We need to send a create event to the policy engine.
	if err = w.config.Policy.HandlePUEvent(ctx, nativeID, common.EventCreate, runtime); err != nil {
		return fmt.Errorf("Unable to create PU: %s", err)
	}

	// We can now send a start event to the policy engine
	if err = w.config.Policy.HandlePUEvent(ctx, nativeID, common.EventStart, runtime); err != nil {
		return fmt.Errorf("Unable to start PU: %s", err)
	}
	return nil
}

// Event processes PU stop events
func (w *windowsProcessor) Stop(ctx context.Context, eventInfo *common.EventInfo) error {
	puID := w.generateContextID(eventInfo)
	runtime := policy.NewPURuntimeWithDefaults()
	runtime.SetPUType(eventInfo.PUType)

	return w.config.Policy.HandlePUEvent(ctx, puID, common.EventStop, runtime)
}

// Create process a PU create event
func (w *windowsProcessor) Create(ctx context.Context, eventInfo *common.EventInfo) error {
	return fmt.Errorf("Use start directly for windows processes. Create not supported")
}

// Event process a PU destroy event
func (w *windowsProcessor) Destroy(ctx context.Context, eventInfo *common.EventInfo) error {
	puID := w.generateContextID(eventInfo)
	runtime := policy.NewPURuntimeWithDefaults()
	runtime.SetPUType(eventInfo.PUType)

	// Send the event upstream
	if err := w.config.Policy.HandlePUEvent(ctx, puID, common.EventDestroy, runtime); err != nil {
		zap.L().Warn("Unable to clean trireme ",
			zap.String("puID", puID),
			zap.Error(err),
		)
	}
	return nil
}

// Event processes a pause event
func (w *windowsProcessor) Pause(ctx context.Context, eventInfo *common.EventInfo) error {
	return fmt.Errorf("Use start directly for windows processes. Pause not supported")
}

// Resync resyncs all PUs handled by this processor
func (w *windowsProcessor) Resync(ctx context.Context, eventInfo *common.EventInfo) error {
	if eventInfo != nil {
		// If its a host service then use pu from eventInfo
		if eventInfo.HostService {
			runtime, err := w.metadataExtractor(eventInfo)
			if err != nil {
				return err
			}
			nativeID := w.generateContextID(eventInfo)
			if err = w.config.Policy.HandlePUEvent(ctx, nativeID, common.EventStart, runtime); err != nil {
				return fmt.Errorf("Unable to start PU: %s", err)
			}
			return nil
		}
	}

	// TODO(windows): handle resync of windows process PU later?
	zap.L().Debug("Resync not handled")

	return nil
}

func (w *windowsProcessor) generateContextID(eventInfo *common.EventInfo) string {
	puID := eventInfo.PUID

	// TODO(windows): regStop may be used here somewhere in the future?

	return puID
}


================================================
FILE: monitor/internal/windows/processor_test.go
================================================
// +build windows

package windowsmonitor

import (
	"context"
	"errors"
	"testing"

	"github.com/golang/mock/gomock"
	. "github.com/smartystreets/goconvey/convey"
	"go.aporeto.io/enforcerd/trireme-lib/collector"
	"go.aporeto.io/enforcerd/trireme-lib/common"
	"go.aporeto.io/enforcerd/trireme-lib/monitor/config"
	"go.aporeto.io/enforcerd/trireme-lib/monitor/extractors"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
	"go.aporeto.io/enforcerd/trireme-lib/policy/mockpolicy"
)

func testWindowsProcessor(puHandler policy.Resolver) *windowsProcessor {
	w := New(context.Background())
	w.SetupHandlers(&config.ProcessorConfig{
		Collector: &collector.DefaultCollector{},
		Policy:    puHandler,
	})
	if err := w.SetupConfig(nil, &Config{
		EventMetadataExtractor: extractors.DefaultHostMetadataExtractor,
	}); err != nil {
		return nil
	}
	return w.proc
}

func TestCreate(t *testing.T) {
	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	Convey("Given a valid processor", t, func() {
		puHandler := mockpolicy.NewMockResolver(ctrl)

		p := testWindowsProcessor(puHandler)

		Convey("When I try a create event with invalid PU ID, ", func() {
			event := &common.EventInfo{
				PUID: "/@#$@",
			}
			Convey("I should get an error", func() {
				err := p.Create(context.Background(), event)
				So(err, ShouldNotBeNil)
			})
		})

		Convey("When I get a create event that is valid", func() {
			event := &common.EventInfo{
				PUID: "1234",
			}
			Convey("I should get an error - create not supported", func() {
				err := p.Create(context.Background(), event)
				So(err, ShouldNotBeNil)
			})
		})
	})
}

func TestStop(t *testing.T) {
	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	Convey("Given a valid processor", t, func() {
		puHandler := mockpolicy.NewMockResolver(ctrl)

		p := testWindowsProcessor(puHandler)

		Convey("When I get a stop event that is valid", func() {
			event := &common.EventInfo{
				PUID: "/trireme/1234",
			}

			puHandler.EXPECT().HandlePUEvent(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return(nil)

			Convey("I should get the status of the upstream function", func() {
				err := p.Stop(context.Background(), event)
				So(err, ShouldBeNil)
			})
		})

	})
}

// TODO: remove nolint
// nolint
func TestDestroy(t *testing.T) {
	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	Convey("Given a valid processor", t, func() {
		puHandler := mockpolicy.NewMockResolver(ctrl)

		p := testWindowsProcessor(puHandler)

		Convey("When I get a destroy event that is valid", func() {
			event := &common.EventInfo{
				PUID: "1234",
			}

			puHandler.EXPECT().HandlePUEvent(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return(nil)
			Convey("I should get the status of the upstream function", func() {
				err := p.Destroy(context.Background(), event)
				So(err, ShouldBeNil)
			})
		})

		Convey("When I get a destroy event that is valid for hostpu", func() {
			event := &common.EventInfo{
				PUID:               "123",
				HostService:        true,
				NetworkOnlyTraffic: true,
			}

			puHandler.EXPECT().HandlePUEvent(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return(nil)
			Convey("I should get the status of the upstream function", func() {
				err := p.Destroy(context.Background(), event)
				So(err, ShouldBeNil)
			})
		})
	})
}

func TestPause(t *testing.T) {
	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	Convey("Given a valid processor", t, func() {
		puHandler := mockpolicy.NewMockResolver(ctrl)

		p := testWindowsProcessor(puHandler)

		Convey("When I get a pause event that is valid", func() {
			event := &common.EventInfo{
				PUID: "/trireme/1234",
			}

			Convey("I should get the status of the upstream function", func() {
				err := p.Pause(context.Background(), event)
				So(err, ShouldNotBeNil) // Pause does nothing on Windows
			})
		})
	})
}

func TestStart(t *testing.T) {
	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	Convey("Given a valid processor", t, func() {
		puHandler := mockpolicy.NewMockResolver(ctrl)
		p := testWindowsProcessor(puHandler)

		Convey("When I get a start event with no PUID", func() {
			event := &common.EventInfo{
				PUID: "",
			}
			Convey("I should get an error", func() {
				err := p.Start(context.Background(), event)
				So(err, ShouldNotBeNil)
			})
		})

		Convey("When I get a start event that is valid that fails on the generation of PU ID", func() {
			event := &common.EventInfo{
				Name: "^^^",
			}
			Convey("I should get an error", func() {
				err := p.Start(context.Background(), event)
				So(err, ShouldNotBeNil)
			})
		})

		Convey("When I get a start event that is valid that fails on the metadata extractor", func() {
			event := &common.EventInfo{
				Name: "service",
				Tags: []string{"badtag"},
			}
			Convey("I should get an error", func() {
				err := p.Start(context.Background(), event)
				So(err, ShouldNotBeNil)
			})
		})

		Convey("When I get a start event and the upstream returns an error ", func() {
			event := &common.EventInfo{
				Name:      "PU",
				PID:       1,
				PUID:      "12345",
				EventType: common.EventStart,
				PUType:    common.LinuxProcessPU,
			}
			Convey("I should get an error ", func() {
				puHandler.EXPECT().HandlePUEvent(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return(errors.New("error"))
				err := p.Start(context.Background(), event)
				So(err, ShouldNotBeNil)
			})
		})

		Convey("When I get a start event and the runtime options don't have a mark value", func() {
			event := &common.EventInfo{
				Name:      "PU",
				PID:       1,
				PUID:      "12345",
				EventType: common.EventStop,
				PUType:    common.LinuxProcessPU,
			}

			Convey("I should not get an error ", func() {
				puHandler.EXPECT().HandlePUEvent(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Times(2).Return(nil)
				err := p.Start(context.Background(), event)
				So(err, ShouldBeNil)
			})
		})
	})
}

func TestResync(t *testing.T) {
	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	Convey("Given a valid processor", t, func() {
		puHandler := mockpolicy.NewMockResolver(ctrl)
		p := testWindowsProcessor(puHandler)

		Convey("When I get a resync event ", func() {
			event := &common.EventInfo{
				Name:      "PU",
				PID:       1,
				PUID:      "12345",
				EventType: common.EventStart,
				PUType:    common.LinuxProcessPU,
			}

			Convey("I should not get an error ", func() {
				err := p.Resync(context.Background(), event)
				So(err, ShouldBeNil)
			})
		})

		Convey("When I get a resync event for hostservice", func() {
			event := &common.EventInfo{
				Name:               "PU",
				PID:                1,
				PUID:               "12345",
				EventType:          common.EventStart,
				HostService:        true,
				NetworkOnlyTraffic: true,
				PUType:             common.LinuxProcessPU,
			}

			Convey("I should not get an error ", func() {
				puHandler.EXPECT().HandlePUEvent(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return(nil)
				err := p.Resync(context.Background(), event)
				So(err, ShouldBeNil)
			})
		})
	})
}


================================================
FILE: monitor/mockmonitor/mockmonitor.go
================================================
// Code generated by MockGen. DO NOT EDIT.
// Source: monitor/interfaces.go

// Package mockmonitor is a generated GoMock package.
package mockmonitor

import (
	context "context"
	reflect "reflect"

	gomock "github.com/golang/mock/gomock"
	config "go.aporeto.io/enforcerd/trireme-lib/monitor/config"
	registerer "go.aporeto.io/enforcerd/trireme-lib/monitor/registerer"
)

// MockMonitor is a mock of Monitor interface
// nolint
type MockMonitor struct {
	ctrl     *gomock.Controller
	recorder *MockMonitorMockRecorder
}

// MockMonitorMockRecorder is the mock recorder for MockMonitor
// nolint
type MockMonitorMockRecorder struct {
	mock *MockMonitor
}

// NewMockMonitor creates a new mock instance
// nolint
func NewMockMonitor(ctrl *gomock.Controller) *MockMonitor {
	mock := &MockMonitor{ctrl: ctrl}
	mock.recorder = &MockMonitorMockRecorder{mock}
	return mock
}

// EXPECT returns an object that allows the caller to indicate expected use
// nolint
func (m *MockMonitor) EXPECT() *MockMonitorMockRecorder {
	return m.recorder
}

// Run mocks base method
// nolint
func (m *MockMonitor) Run(ctx context.Context) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "Run", ctx)
	ret0, _ := ret[0].(error)
	return ret0
}

// Run indicates an expected call of Run
// nolint
func (mr *MockMonitorMockRecorder) Run(ctx interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Run", reflect.TypeOf((*MockMonitor)(nil).Run), ctx)
}

// UpdateConfiguration mocks base method
// nolint
func (m *MockMonitor) UpdateConfiguration(ctx context.Context, config *config.MonitorConfig) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "UpdateConfiguration", ctx, config)
	ret0, _ := ret[0].(error)
	return ret0
}

// UpdateConfiguration indicates an expected call of UpdateConfiguration
// nolint
func (mr *MockMonitorMockRecorder) UpdateConfiguration(ctx, config interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateConfiguration", reflect.TypeOf((*MockMonitor)(nil).UpdateConfiguration), ctx, config)
}

// Resync mocks base method
// nolint
func (m *MockMonitor) Resync(ctx context.Context) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "Resync", ctx)
	ret0, _ := ret[0].(error)
	return ret0
}

// Resync indicates an expected call of Resync
// nolint
func (mr *MockMonitorMockRecorder) Resync(ctx interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Resync", reflect.TypeOf((*MockMonitor)(nil).Resync), ctx)
}

// MockImplementation is a mock of Implementation interface
// nolint
type MockImplementation struct {
	ctrl     *gomock.Controller
	recorder *MockImplementationMockRecorder
}

// MockImplementationMockRecorder is the mock recorder for MockImplementation
// nolint
type MockImplementationMockRecorder struct {
	mock *MockImplementation
}

// NewMockImplementation creates a new mock instance
// nolint
func NewMockImplementation(ctrl *gomock.Controller) *MockImplementation {
	mock := &MockImplementation{ctrl: ctrl}
	mock.recorder = &MockImplementationMockRecorder{mock}
	return mock
}

// EXPECT returns an object that allows the caller to indicate expected use
// nolint
func (m *MockImplementation) EXPECT() *MockImplementationMockRecorder {
	return m.recorder
}

// Run mocks base method
// nolint
func (m *MockImplementation) Run(ctx context.Context) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "Run", ctx)
	ret0, _ := ret[0].(error)
	return ret0
}

// Run indicates an expected call of Run
// nolint
func (mr *MockImplementationMockRecorder) Run(ctx interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Run", reflect.TypeOf((*MockImplementation)(nil).Run), ctx)
}

// SetupConfig mocks base method
// nolint
func (m *MockImplementation) SetupConfig(registerer registerer.Registerer, cfg interface{}) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "SetupConfig", registerer, cfg)
	ret0, _ := ret[0].(error)
	return ret0
}

// SetupConfig indicates an expected call of SetupConfig
// nolint
func (mr *MockImplementationMockRecorder) SetupConfig(registerer, cfg interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetupConfig", reflect.TypeOf((*MockImplementation)(nil).SetupConfig), registerer, cfg)
}

// SetupHandlers mocks base method
// nolint
func (m *MockImplementation) SetupHandlers(c *config.ProcessorConfig) {
	m.ctrl.T.Helper()
	m.ctrl.Call(m, "SetupHandlers", c)
}

// SetupHandlers indicates an expected call of SetupHandlers
// nolint
func (mr *MockImplementationMockRecorder) SetupHandlers(c interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetupHandlers", reflect.TypeOf((*MockImplementation)(nil).SetupHandlers), c)
}

// Resync mocks base method
// nolint
func (m *MockImplementation) Resync(ctx context.Context) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "Resync", ctx)
	ret0, _ := ret[0].(error)
	return ret0
}

// Resync indicates an expected call of Resync
// nolint
func (mr *MockImplementationMockRecorder) Resync(ctx interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Resync", reflect.TypeOf((*MockImplementation)(nil).Resync), ctx)
}


================================================
FILE: monitor/monitor.go
================================================
// +build linux !windows

package monitor

import (
	"context"
	"fmt"

	"go.aporeto.io/enforcerd/trireme-lib/common"
	"go.aporeto.io/enforcerd/trireme-lib/monitor/config"
	dockermonitor "go.aporeto.io/enforcerd/trireme-lib/monitor/internal/docker"
	k8smonitor "go.aporeto.io/enforcerd/trireme-lib/monitor/internal/k8s"
	linuxmonitor "go.aporeto.io/enforcerd/trireme-lib/monitor/internal/linux"
	"go.aporeto.io/enforcerd/trireme-lib/monitor/registerer"
	"go.aporeto.io/enforcerd/trireme-lib/monitor/remoteapi/server"
	"go.uber.org/zap"
)

type monitors struct {
	config     *config.MonitorConfig
	monitors   map[config.Type]Implementation
	registerer registerer.Registerer
	server     server.APIServer
}

// NewMonitors instantiates all/any combination of monitors supported.
func NewMonitors(ctx context.Context, opts ...Options) (Monitor, error) {

	var err error

	c := &config.MonitorConfig{
		MergeTags: []string{},
		Common:    &config.ProcessorConfig{},
		Monitors:  map[config.Type]interface{}{},
	}

	for _, opt := range opts {
		opt(c)
	}

	if err = c.Common.IsComplete(); err != nil {
		return nil, err
	}

	m := &monitors{
		config:   c,
		monitors: make(map[config.Type]Implementation),
	}

	m.registerer = registerer.New()

	m.server, err = server.NewEventServer(common.TriremeSocket, m.registerer)
	if err != nil {
		return nil, err
	}

	for k, v := range c.Monitors {
		switch k {
		case config.Docker:
			mon := dockermonitor.New(ctx)
			mon.SetupHandlers(c.Common)
			if err := mon.SetupConfig(nil, v); err != nil {
				return nil, fmt.Errorf("Docker: %s", err.Error())
			}
			m.monitors[config.Docker] = mon

		case config.K8s:
			mon := k8smonitor.New(ctx)
			mon.SetupHandlers(c.Common)
			if err := mon.SetupConfig(nil, v); err != nil {
				return nil, fmt.Errorf("K8s: %s", err.Error())
			}
			m.monitors[config.K8s] = mon

		case config.LinuxProcess:
			mon := linuxmonitor.New(ctx)
			mon.SetupHandlers(c.Common)
			if err := mon.SetupConfig(m.registerer, v); err != nil {
				return nil, fmt.Errorf("Process: %s", err.Error())
			}
			m.monitors[config.LinuxProcess] = mon

		case config.LinuxHost:
			mon := linuxmonitor.New(ctx)
			mon.SetupHandlers(c.Common)
			if err := mon.SetupConfig(m.registerer, v); err != nil {
				return nil, fmt.Errorf("Host: %s", err.Error())
			}
			m.monitors[config.LinuxHost] = mon

		default:
			return nil, fmt.Errorf("Unsupported type %d", k)
		}
	}

	zap.L().Debug("Monitor configuration", zap.String("conf", m.config.String()))

	return m, nil
}

func (m *monitors) Run(ctx context.Context) (err error) {

	if err = m.server.Run(ctx); err != nil {
		return err
	}

	for _, v := range m.monitors {
		if err = v.Run(ctx); err != nil {
			return err
		}
	}

	return nil
}

// UpdateConfiguration updates the configuration of the monitors.
func (m *monitors) UpdateConfiguration(ctx context.Context, config *config.MonitorConfig) error {
	// Monitor configuration cannot change at this time.
	// TODO:
	return nil
}

// Resync resyncs the monitor
func (m *monitors) Resync(ctx context.Context) error {

	failure := false
	var errs string

	for _, i := range m.monitors {
		if err := i.Resync(ctx); err != nil {
			errs = errs + err.Error()
			failure = true
		}
	}

	if failure {
		return fmt.Errorf("Monitor resync failed: %s", errs)
	}

	return nil
}


================================================
FILE: monitor/monitor_windows.go
================================================
// +build windows

package monitor

import (
	"context"
	"fmt"

	"go.aporeto.io/enforcerd/trireme-lib/common"
	"go.aporeto.io/enforcerd/trireme-lib/monitor/config"
	windowsmonitor "go.aporeto.io/enforcerd/trireme-lib/monitor/internal/windows"
	"go.aporeto.io/enforcerd/trireme-lib/monitor/registerer"
	"go.aporeto.io/enforcerd/trireme-lib/monitor/remoteapi/server"
	"go.uber.org/zap"
)

type monitors struct {
	config     *config.MonitorConfig
	monitors   map[config.Type]Implementation
	registerer registerer.Registerer
	server     server.APIServer
}

// Run starts the monitor.
func (m *monitors) Run(ctx context.Context) (err error) {
	if err = m.server.Run(ctx); err != nil {
		return err
	}

	for _, v := range m.monitors {
		if err = v.Run(ctx); err != nil {
			return err
		}
	}
	return nil
}

// UpdateConfiguration updates the configuration of the monitor
func (m *monitors) UpdateConfiguration(ctx context.Context, config *config.MonitorConfig) error {
	return nil
}

// Resync requests to the monitor to do a resync.
func (m *monitors) Resync(ctx context.Context) error {

	failure := false
	var errs string

	for _, i := range m.monitors {
		if err := i.Resync(ctx); err != nil {
			errs = errs + err.Error()
			failure = true
		}
	}

	if failure {
		return fmt.Errorf("Monitor resync failed: %s", errs)
	}

	return nil
}

// NewMonitors instantiates all/any combination of monitors supported.
func NewMonitors(ctx context.Context, opts ...Options) (Monitor, error) {
	var err error

	c := &config.MonitorConfig{
		MergeTags: []string{},
		Common:    &config.ProcessorConfig{},
		Monitors:  map[config.Type]interface{}{},
	}

	for _, opt := range opts {
		opt(c)
	}

	if err = c.Common.IsComplete(); err != nil {
		return nil, err
	}

	m := &monitors{
		config:   c,
		monitors: make(map[config.Type]Implementation),
	}

	m.registerer = registerer.New()

	m.server, err = server.NewEventServer(common.TriremeSocket, m.registerer)
	if err != nil {
		return nil, err
	}

	for k, v := range c.Monitors {
		switch k {
		case config.Windows:
			mon := windowsmonitor.New(ctx)
			mon.SetupHandlers(c.Common)
			// TODO(windows): make a real Windows monitor option rather than using LinuxHost
			if err := mon.SetupConfig(m.registerer, v); err != nil {
				return nil, fmt.Errorf("Windows: %s", err.Error())
			}
			m.monitors[config.Windows] = mon
		case config.LinuxHost:
			mon := windowsmonitor.New(ctx)
			mon.SetupHandlers(c.Common)
			if err := mon.SetupConfig(m.registerer, v); err != nil {
				return nil, fmt.Errorf("Host: %s", err.Error())
			}
			m.monitors[config.LinuxHost] = mon
		case config.LinuxProcess:
			mon := windowsmonitor.New(ctx)
			mon.SetupHandlers(c.Common)
			if err := mon.SetupConfig(m.registerer, v); err != nil {
				return nil, fmt.Errorf("Process: %s", err.Error())
			}
			m.monitors[config.LinuxProcess] = mon
		}
	}
	zap.L().Debug("Monitor configuration", zap.String("conf", m.config.String()))

	return m, nil

}


================================================
FILE: monitor/options.go
================================================
package monitor

import (
	"sync"

	"go.aporeto.io/enforcerd/trireme-lib/collector"
	"go.aporeto.io/enforcerd/trireme-lib/monitor/config"
	"go.aporeto.io/enforcerd/trireme-lib/monitor/external"
	"go.aporeto.io/enforcerd/trireme-lib/monitor/extractors"
	dockermonitor "go.aporeto.io/enforcerd/trireme-lib/monitor/internal/docker"
	k8smonitor "go.aporeto.io/enforcerd/trireme-lib/monitor/internal/k8s"
	linuxmonitor "go.aporeto.io/enforcerd/trireme-lib/monitor/internal/linux"
	"go.aporeto.io/enforcerd/trireme-lib/policy"
	criapi "k8s.io/cri-api/pkg/apis"
)

// Options is provided using functional arguments.
type Options func(*config.MonitorConfig)

// DockerMonitorOption is provided using functional arguments.
type DockerMonitorOption func(*dockermonitor.Config)

// K8smonitorOption is provided using functional arguments.
type K8smonitorOption func(*k8smonitor.Config)

// LinuxMonitorOption is provided using functional arguments.
type LinuxMonitorOption func(*linuxmonitor.Config)

// SubOptionMonitorLinuxExtractor provides a way to specify metadata extractor for linux monitors.
func SubOptionMonitorLinuxExtractor(extractor extractors.EventMetadataExtractor) LinuxMonitorOption {
	return func(cfg *linuxmonitor.Config) {
		cfg.EventMetadataExtractor = extractor
	}
}

// SubOptionMonitorLinuxRealeaseAgentPath specifies the path to release agent programmed in cgroup
func SubOptionMonitorLinuxRealeaseAgentPath(releasePath string) LinuxMonitorOption {
	return func(cfg *linuxmonitor.Config) {
		cfg.ReleasePath = releasePath
	}
}

// optionMonitorLinux provides a way to add a linux monitor and related configuration to be used with New().
func optionMonitorLinux(
	host bool,
	opts ...LinuxMonitorOption,
) Options {
	lc := linuxmonitor.DefaultConfig(host)
	// Collect all docker options
	for _, opt := range opts {
		opt(lc)
	}
	return func(cfg *config.MonitorConfig) {
		if host {
			cfg.Monitors[config.LinuxHost] = lc
		} else {
			cfg.Monitors[config.LinuxProcess] = lc
		}
	}
}

// OptionMonitorLinuxHost provides a way to add a linux host monitor and related configuration to be used with New().
func OptionMonitorLinuxHost(
	opts ...LinuxMonitorOption,
) Options {
	return optionMonitorLinux(true, opts...)
}

// OptionMonitorLinuxProcess provides a way to add a linux process monitor and related configuration to be used with New().
func OptionMonitorLinuxProcess(
	opts ...LinuxMonitorOption,
) Options {
	return optionMonitorLinux(false, opts...)
}

// SubOptionMonitorDockerExtractor provides a way to specify metadata extractor for docker.
func SubOptionMonitorDockerExtractor(extractor extractors.DockerMetadataExtractor) DockerMonitorOption {
	return func(cfg *dockermonitor.Config) {
		cfg.EventMetadataExtractor = extractor
	}
}

// SubOptionMonitorDockerSocket provides a way to specify socket info for docker.
func SubOptionMonitorDockerSocket(socketType, socketAddress string) DockerMonitorOption {
	return func(cfg *dockermonitor.Config) {
		cfg.SocketType = socketType
		cfg.SocketAddress = socketAddress
	}
}

// SubOptionMonitorDockerFlags provides a way to specify configuration flags info for docker.
func SubOptionMonitorDockerFlags(syncAtStart bool) DockerMonitorOption {
	return func(cfg *dockermonitor.Config) {
		cfg.SyncAtStart = syncAtStart
	}
}

// SubOptionMonitorDockerDestroyStoppedContainers sets the option to destroy stopped containers.
func SubOptionMonitorDockerDestroyStoppedContainers(f bool) DockerMonitorOption {
	return func(cfg *dockermonitor.Config) {
		cfg.DestroyStoppedContainers = f
	}
}

// OptionMonitorDocker provides a way to add a docker monitor and related configuration to be used with New().
func OptionMonitorDocker(opts ...DockerMonitorOption) Options {

	dc := dockermonitor.DefaultConfig()
	// Collect all docker options
	for _, opt := range opts {
		opt(dc)
	}

	return func(cfg *config.MonitorConfig) {
		cfg.Monitors[config.Docker] = dc
	}
}

// OptionMonitorK8s provides a way to add a K8s monitor and related configuration to be used with New().
func OptionMonitorK8s(opts ...K8smonitorOption) Options {
	kc := k8smonitor.DefaultConfig()
	for _, opt := range opts {
		opt(kc)
	}

	return func(cfg *config.MonitorConfig) {
		cfg.Monitors[config.K8s] = kc
	}
}

// SubOptionMonitorK8sKubeconfig provides a way to specify a kubeconfig to use to connect to Kubernetes.
// In case of an in-cluter config, leave the kubeconfig field blank
func SubOptionMonitorK8sKubeconfig(kubeconfig string) K8smonitorOption {
	return func(cfg *k8smonitor.Config) {
		cfg.Kubeconfig = kubeconfig
	}
}

// SubOptionMonitorK8sNodename provides a way to specify the kubernetes node name.
// This is useful for filtering
func SubOptionMonitorK8sNodename(nodename string) K8smonitorOption {
	return func(cfg *k8smonitor.Config) {
		cfg.Nodename = nodename
	}
}

// SubOptionMonitorK8sMetadataExtractor provides a way to specify metadata extractor for Kubernetes
func SubOptionMonitorK8sMetadataExtractor(extractor extractors.PodMetadataExtractor) K8smonitorOption {
	return func(cfg *k8smonitor.Config) {
		cfg.MetadataExtractor = extractor
	}
}

// SubOptionMonitorK8sCRIRuntimeService provides a way to pass through the CRI runtime service
func SubOptionMonitorK8sCRIRuntimeService(criRuntimeService criapi.RuntimeService) K8smonitorOption {
	return func(cfg *k8smonitor.Config) {
		cfg.CRIRuntimeService = criRuntimeService
	}
}

// OptionMergeTags provides a way to add merge tags to be used with New().
func OptionMergeTags(tags []string) Options {
	return func(cfg *config.MonitorConfig) {
		cfg.MergeTags = tags
		cfg.Common.MergeTags = tags
	}
}

// OptionCollector provide a way to add to the monitor the collector instance
func OptionCollector(c collector.EventCollector) Options {
	return func(cfg *config.MonitorConfig) {
		cfg.Common.Collector = c
	}
}

// OptionPolicyResolver provides a way to add to the monitor the policy resolver instance
func OptionPolicyResolver(p policy.Resolver) Options {
	return func(cfg *config.MonitorConfig) {
		cfg.Common.Policy = p
	}
}

// OptionExternalEventSenders provide a way to add to the monitor the external event senders
func OptionExternalEventSenders(evs []external.ReceiverRegistration) Options {
	return func(cfg *config.MonitorConfig) {
		cfg.Common.ExternalEventSender = evs
	}
}

// OptionResyncLock provide a shared lock between monitors if the monitor desires to sync with other components during PU resync at startup
func OptionResyncLock(resyncLock *sync.RWMutex) Options {
	return func(cfg *config.MonitorConfig) {
		cfg.Common.ResyncLock = resyncLock
	}
}

// NewMonitor provides a configuration for monitors.
func NewMonitor(opts ...Options) *config.MonitorConfig {

	cfg := &config.MonitorConfig{
		Monitors: make(map[config.Type]interface{}),
	}

	for _, opt := range opts {
		opt(cfg)
	}

	return cfg
}


================================================
FILE: monitor/options_windows.go
================================================
// +build windows

package monitor

import (
	"go.aporeto.io/enforcerd/trireme-lib/monitor/config"
	"go.aporeto.io/enforcerd/trireme-lib/monitor/extractors"
	windowsmonitor "go.aporeto.io/enforcerd/trireme-lib/monitor/internal/windows"
)

// WindowsMonitorOption is provided using functional arguments
type WindowsMonitorOption func(*windowsmonitor.Config)

// OptionMonitorWindows provides a way to add a windows monitor and related configuration to be used with New().
func OptionMonitorWindows(
	opts ...WindowsMonitorOption,
) Options {
	return optionMonitorWindows(true, opts...)
}

// OptionMonitorWindowsProcess provides a way to add a linux process monitor and related configuration to be used with New().
func OptionMonitorWindowsProcess(
	opts ...WindowsMonitorOption,
) Options {
	return optionMonitorWindows(false, opts...)
}

// SubOptionMonitorWindowsExtractor provides a way to specify metadata extractor for linux monitors.
func SubOptionMonitorWindowsExtractor(extractor extractors.EventMetadataExtractor) WindowsMonitorOption {
	return func(cfg *windowsmonitor.Config) {
		cfg.EventMetadataExtractor = extractor
	}
}

// optionMonitorWindows provides a way to add a windows monitor and related configuration to be used with New().
func optionMonitorWindows(host bool,
	opts ...WindowsMonitorOption,
) Options {
	wc := windowsmonitor.DefaultConfig(host)
	// Collect all docker options
	for _, opt := range opts {
		opt(wc)
	}
	return func(cfg *config.MonitorConfig) {
		if host {
			cfg.Monitors[config.LinuxHost] = wc
		} else {
			cfg.Monitors[config.LinuxProcess] = wc
		}
	}
}

// SubOptionWindowsHostMode provides a way to add a windows host monitor and related configuration to be used with New().
func SubOptionWindowsHostMode(host bool) WindowsMonitorOption {
	return func(cfg *windowsmonitor.Config) {
		cfg.Host = host
	}
}


================================================
FILE: monitor/processor/interfaces.go
================================================
package processor

import (
	"context"

	"go.aporeto.io/enforcerd/trireme-lib/common"
)

// Processor is a generic interface that processes monitor events using
// a normalized event structure.
type Processor interface {

	// Start processes PU start events
	Start(ctx context.Context, eventInfo *common.EventInfo) error

	// Event processes PU stop events
	Stop(ctx context.Context, eventInfo *common.EventInfo) error

	// Create process a PU create event
	Create(ctx context.Context, eventInfo *common.EventInfo) error

	// Event process a PU destroy event
	Destroy(ctx context.Context, eventInfo *common.EventInfo) error

	// Event processes a pause event
	Pause(ctx context.Context, eventInfo *common.EventInfo) error

	// Resync resyncs all PUs handled by this processor
	Resync(ctx context.Context, EventInfo *common.EventInfo) error
}


================================================
FILE: monitor/processor/mockprocessor/mockprocessor.go
================================================
// Code generated by MockGen. DO NOT EDIT.
// Source: monitor/processor/interfaces.go

// Package mockprocessor is a generated GoMock package.
package mockprocessor

import (
	context "context"
	reflect "reflect"

	gomock "github.com/golang/mock/gomock"
	common "go.aporeto.io/enforcerd/trireme-lib/common"
)

// MockProcessor is a mock of Processor interface
// nolint
type MockProcessor struct {
	ctrl     *gomock.Controller
	recorder *MockProcessorMockRecorder
}

// MockProcessorMockRecorder is the mock recorder for MockProcessor
// nolint
type MockProcessorMockRecorder struct {
	mock *MockProcessor
}

// NewMockProcessor creates a new mock instance
// nolint
func NewMockProcessor(ctrl *gomock.Controller) *MockProcessor {
	mock := &MockProcessor{ctrl: ctrl}
	mock.recorder = &MockProcessorMockRecorder{mock}
	return mock
}

// EXPECT returns an object that allows the caller to indicate expected use
// nolint
func (m *MockProcessor) EXPECT() *MockProcessorMockRecorder {
	return m.recorder
}

// Start mocks base method
// nolint
func (m *MockProcessor) Start(ctx context.Context, eventInfo *common.EventInfo) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "Start", ctx, eventInfo)
	ret0, _ := ret[0].(error)
	return ret0
}

// Start indicates an expected call of Start
// nolint
func (mr *MockProcessorMockRecorder) Start(ctx, eventInfo interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Start", reflect.TypeOf((*MockProcessor)(nil).Start), ctx, eventInfo)
}

// Stop mocks base method
// nolint
func (m *MockProcessor) Stop(ctx context.Context, eventInfo *common.EventInfo) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "Stop", ctx, eventInfo)
	ret0, _ := ret[0].(error)
	return ret0
}

// Stop indicates an expected call of Stop
// nolint
func (mr *MockProcessorMockRecorder) Stop(ctx, eventInfo interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Stop", reflect.TypeOf((*MockProcessor)(nil).Stop), ctx, eventInfo)
}

// Create mocks base method
// nolint
func (m *MockProcessor) Create(ctx context.Context, eventInfo *common.EventInfo) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "Create", ctx, eventInfo)
	ret0, _ := ret[0].(error)
	return ret0
}

// Create indicates an expected call of Create
// nolint
func (mr *MockProcessorMockRecorder) Create(ctx, eventInfo interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Create", reflect.TypeOf((*MockProcessor)(nil).Create), ctx, eventInfo)
}

// Destroy mocks base method
// nolint
func (m *MockProcessor) Destroy(ctx context.Context, eventInfo *common.EventInfo) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "Destroy", ctx, eventInfo)
	ret0, _ := ret[0].(error)
	return ret0
}

// Destroy indicates an expected call of Destroy
// nolint
func (mr *MockProcessorMockRecorder) Destroy(ctx, eventInfo interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Destroy", reflect.TypeOf((*MockProcessor)(nil).Destroy), ctx, eventInfo)
}

// Pause mocks base method
// nolint
func (m *MockProcessor) Pause(ctx context.Context, eventInfo *common.EventInfo) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "Pause", ctx, eventInfo)
	ret0, _ := ret[0].(error)
	return ret0
}

// Pause indicates an expected call of Pause
// nolint
func (mr *MockProcessorMockRecorder) Pause(ctx, eventInfo interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Pause", reflect.TypeOf((*MockProcessor)(nil).Pause), ctx, eventInfo)
}

// Resync mocks base method
// nolint
func (m *MockProcessor) Resync(ctx context.Context, EventInfo *common.EventInfo) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "Resync", ctx, EventInfo)
	ret0, _ := ret[0].(error)
	return ret0
}

// Resync indicates an expected call of Resync
// nolint
func (mr *MockProcessorMockRecorder) Resync(ctx, EventInfo interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Resync", reflect.TypeOf((*MockProcessor)(nil).Resync), ctx, EventInfo)
}


================================================
FILE: monitor/registerer/interfaces.go
================================================
package registerer

import (
	"go.aporeto.io/enforcerd/trireme-lib/common"
	"go.aporeto.io/enforcerd/trireme-lib/monitor/processor"
)

// Registerer inteface allows event processors to register themselves with the event server.
type Registerer interface {

	// Register Processor registers event processors for a certain type of PU
	RegisterProcessor(puType common.PUType, p processor.Processor) error

	GetHandler(puType common.PUType, e common.Event) (common.EventHandler, error)
}


================================================
FILE: monitor/registerer/registerer.go
================================================
package registerer

import (
	"fmt"

	"go.aporeto.io/enforcerd/trireme-lib/common"
	"go.aporeto.io/enforcerd/trireme-lib/monitor/processor"
)

// registerer provides a way for others to register a registerer
type registerer struct {
	handlers map[common.PUType]map[common.Event]common.EventHandler
}

// New returns a new registerer
func New() Registerer {

	return &registerer{
		handlers: map[common.PUType]map[common.Event]common.EventHandler{},
	}
}

// RegisterProcessor registers an event processor for a given PUTYpe. Only one
// processor is allowed for a given PU Type.
func (r *registerer) RegisterProcessor(puType common.PUType, ep processor.Processor) error {

	if _, ok := r.handlers[puType]; ok {
		return fmt.Errorf("Processor already registered for this PU type %d ", puType)
	}

	r.handlers[puType] = map[common.Event]common.EventHandler{}

	r.addHandler(puType, common.EventStart, ep.Start)
	r.addHandler(puType, common.EventStop, ep.Stop)
	r.addHandler(puType, common.EventCreate, ep.Create)
	r.addHandler(puType, common.EventDestroy, ep.Destroy)
	r.addHandler(puType, common.EventPause, ep.Pause)
	r.addHandler(puType, common.EventResync, ep.Resync)

	return nil
}

func (r *registerer) GetHandler(puType common.PUType, eventType common.Event) (common.EventHandler, error) {

	handlers, ok := r.handlers[puType]
	if !ok {
		return nil, fmt.Errorf("PUType %d not registered", puType)
	}

	e, ok := handlers[eventType]
	if !ok {
		return nil, fmt.Errorf("PUType %d event type %s not registered", puType, eventType)
	}

	return e, nil
}

// addHandler adds a handler for a puType/event.
func (r *registerer) addHandler(puType common.PUType, event common.Event, handler common.EventHandler) {
	r.handlers[puType][event] = handler
}


================================================
FILE: monitor/registerer/registerer_test.go
================================================
package registerer

import (
	"testing"

	"github.com/golang/mock/gomock"
	. "github.com/smartystreets/goconvey/convey"
	"go.aporeto.io/enforcerd/trireme-lib/common"
	"go.aporeto.io/enforcerd/trireme-lib/monitor/processor/mockprocessor"
)

func TestNew(t *testing.T) {
	Convey("When I create a new registrer", t, func() {
		r := New()
		Convey("It should be valid", func() {
			So(r, ShouldNotBeNil)
			So(r.(*registerer).handlers, ShouldNotBeNil)
		})
	})
}

func TestRegisterProcessor(t *testing.T) {
	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	Convey("When I register a new processor", t, func() {
		r := New()

		processor := mockprocessor.NewMockProcessor(ctrl)
		err := r.RegisterProcessor(common.ContainerPU, processor)

		Convey("The registration should be succesfull", func() {
			So(err, ShouldBeNil)
			h, ok := r.(*registerer).handlers[common.ContainerPU]
			So(ok, ShouldBeTrue)
			So(h, ShouldNotBeNil)
			So(len(h), ShouldEqual, 6)
		})

		Convey("If I ask for the handler, I should ge the right handler", func() {
			_, err := r.GetHandler(common.ContainerPU, common.EventCreate)
			So(err, ShouldBeNil)

			_, err = r.GetHandler(common.ContainerPU, common.EventStart)
			So(err, ShouldBeNil)

			_, err = r.GetHandler(common.ContainerPU, common.EventDestroy)
			So(err, ShouldBeNil)

			_, err = r.GetHandler(common.ContainerPU, common.EventPause)
			So(err, ShouldBeNil)
		})

		Convey("If I ask for the handler with a bad PUType, I should get an error ", func() {
			_, err := r.GetHandler(common.LinuxProcessPU, common.EventCreate)
			So(err, ShouldNotBeNil)
		})

		Convey("If I ask for the handler, with a bad event, I should get an error ", func() {
			_, err := r.GetHandler(common.LinuxProcessPU, common.Event("300"))
			So(err, ShouldNotBeNil)
		})

		Convey("If I try to register the processor twice, I should get an error ", func() {
			err := r.RegisterProcessor(common.ContainerPU, processor)
			So(err, ShouldNotBeNil)
		})
	})

}


================================================
FILE: monitor/remoteapi/client/client.go
================================================
package client

import (
	"bytes"
	"context"
	"encoding/json"
	"fmt"
	"io/ioutil"
	"net"
	"net/http"
	"time"

	"go.aporeto.io/enforcerd/trireme-lib/common"
)

type dialContextFunc func(ctx context.Context, network, address string) (net.Conn, error)

// SendRequest sends a request to the remote.
// TODO: Add retries
func (c *Client) SendRequest(event *common.EventInfo) error {

	httpc := http.Client{
		Transport: &http.Transport{
			DialContext:     c.getDialContext(),
			MaxIdleConns:    10,
			IdleConnTimeout: 10 * time.Second,
		},
	}

	b := new(bytes.Buffer)
	if err := json.NewEncoder(b).Encode(event); err != nil {
		return fmt.Errorf("Unable to encode message: %s", err)
	}

	resp, err := httpc.Post("http://unix", "application/json", b)
	if err != nil {
		return err
	}
	defer resp.Body.Close() // nolint

	if resp.StatusCode == http.StatusAccepted {
		return nil
	}

	errorBuffer, err := ioutil.ReadAll(resp.Body)
	if err != nil {
		return fmt.Errorf("Invalid request: %s", err)
	}

	return fmt.Errorf("Invalid request : %s", string(errorBuffer))
}


================================================
FILE: monitor/remoteapi/client/client_nonwindows.go
================================================
// +build !windows

package client

import (
	"context"
	"fmt"
	"net"
)

// Client is an api client structure.
type Client struct {
	addr *net.UnixAddr
}

// NewClient creates a new client.
func NewClient(path string) (*Client, error) {
	addr, err := net.ResolveUnixAddr("unix", path)
	if err != nil {
		return nil, fmt.Errorf("invalid address: %s", err)
	}

	return &Client{addr: addr}, nil
}

func (c *Client) getDialContext() dialContextFunc {
	return func(_ context.Context, _, _ string) (net.Conn, error) {
		return net.DialUnix("unix", nil, c.addr)
	}
}


================================================
FILE: monitor/remoteapi/client/client_windows.go
================================================
// +build windows

package client

import (
	"context"
	"net"

	"gopkg.in/natefinch/npipe.v2"
)

// Client is an api client structure.
type Client struct {
	pipeName string
}

// NewClient creates a new client.
func NewClient(path string) (*Client, error) {
	return &Client{pipeName: `\\.\pipe\` + path}, nil
}

func (c *Client) getDialContext() dialContextFunc {
	return func(_ context.Context, _, _ string) (net.Conn, error) {
		return npipe.Dial(c.pipeName)
	}
}


================================================
FILE: monitor/remoteapi/client/interfaces.go
================================================
package client

import (
	"go.aporeto.io/enforcerd/trireme-lib/common"
)

// APIClient is the interface of the API client
type APIClient interface {
	// SendRequest will send a request to the server.
	SendRequest(event *common.EventInfo) error
}


================================================
FILE: monitor/remoteapi/client/mockclient/mockclient.go
================================================
// Code generated by MockGen. DO NOT EDIT.
// Source: monitor/remoteapi/client/interfaces.go

// Package mockclient is a generated GoMock package.
package mockclient

import (
	reflect "reflect"

	gomock "github.com/golang/mock/gomock"
	common "go.aporeto.io/enforcerd/trireme-lib/common"
)

// MockAPIClient is a mock of APIClient interface
// nolint
type MockAPIClient struct {
	ctrl     *gomock.Controller
	recorder *MockAPIClientMockRecorder
}

// MockAPIClientMockRecorder is the mock recorder for MockAPIClient
// nolint
type MockAPIClientMockRecorder struct {
	mock *MockAPIClient
}

// NewMockAPIClient creates a new mock instance
// nolint
func NewMockAPIClient(ctrl *gomock.Controller) *MockAPIClient {
	mock := &MockAPIClient{ctrl: ctrl}
	mock.recorder = &MockAPIClientMockRecorder{mock}
	return mock
}

// EXPECT returns an object that allows the caller to indicate expected use
// nolint
func (m *MockAPIClient) EXPECT() *MockAPIClientMockRecorder {
	return m.recorder
}

// SendRequest mocks base method
// nolint
func (m *MockAPIClient) SendRequest(event *common.EventInfo) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "SendRequest", event)
	ret0, _ := ret[0].(error)
	return ret0
}

// SendRequest indicates an expected call of SendRequest
// nolint
func (mr *MockAPIClientMockRecorder) SendRequest(event interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SendRequest", reflect.TypeOf((*MockAPIClient)(nil).SendRequest), event)
}


================================================
FILE: monitor/remoteapi/server/interfaces.go
================================================
package server

import (
	"context"
)

// APIServer is the main interface of the API server.
// Allows to create mock functions for testing.
type APIServer interface {
	// Run runs an API server
	Run(ctx context.Context) error
}


================================================
FILE: monitor/remoteapi/server/server.go
================================================
package server

import (
	"context"
	"encoding/json"
	"fmt"
	"net"
	"net/http"
	"regexp"
	"strconv"

	"go.aporeto.io/enforcerd/trireme-lib/common"
	"go.aporeto.io/enforcerd/trireme-lib/monitor/registerer"
	"go.uber.org/zap"
)

// EventServer is a new event server
type EventServer struct {
	socketPath string
	server     *http.Server
	registerer registerer.Registerer
}

// NewEventServer creates a new event server
func NewEventServer(address string, registerer registerer.Registerer) (*EventServer, error) {

	err := cleanupPipe(address)
	if err != nil {
		return nil, err
	}

	return &EventServer{
		socketPath: address,
		registerer: registerer,
	}, nil
}

// ServeHTTP is called for every request.
func (e *EventServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	e.create(w, r)
}

// Run runs the server. The server will run in the background. It will
// gracefully die with the provided context.
func (e *EventServer) Run(ctx context.Context) error {

	// Create the handler
	e.server = &http.Server{
		Handler: e,
	}

	listener, err := e.makePipe()

	if err != nil {
		return err
	}

	// Start serving HTTP requests in the background
	go e.server.Serve(listener) // nolint

	// Listen for context cancellation to close the socket.
	go func() {
		<-ctx.Done()
		listener.Close() // nolint
	}()

	return nil
}

// create is the main hadler that process and validates the events
// before calling the actual monitor handlers to process the event.
func (e *EventServer) create(w http.ResponseWriter, r *http.Request) {
	event := &common.EventInfo{}
	defer r.Body.Close() // nolint

	if err := json.NewDecoder(r.Body).Decode(event); err != nil {
		http.Error(w, "Invalid request", http.StatusBadRequest)
		return
	}

	if err := validateTypes(event); err != nil {
		zap.L().Error("Error in validating types", zap.Error(err), zap.Reflect("Event", event))
		http.Error(w, fmt.Sprintf("Invalid request fields: %s", err), http.StatusBadRequest)
		return
	}

	if err := validateUser(r, event); err != nil {
		http.Error(w, fmt.Sprintf("Invalid user to pid mapping found: %s", err), http.StatusForbidden)
		return
	}

	if err := validateEvent(event); err != nil {
		http.Error(w, fmt.Sprintf("Bad request: %s", err), http.StatusBadRequest)
		return
	}

	if err := e.processEvent(r.Context(), event); err != nil {
		zap.L().Error("Error in processing event", zap.Error(err), zap.Reflect("Event", event))
		http.Error(w, fmt.Sprintf("Cannot handle request: %s", err), http.StatusInternalServerError)
		return
	}

	w.WriteHeader(http.StatusAccepted)
}

// processEvent processes the event by retrieving the right monitor handler.
func (e *EventServer) processEvent(ctx context.Context, eventInfo *common.EventInfo) (err error) {

	if e.registerer == nil {
		return fmt.Errorf("No registered handlers")
	}

	f, err := e.registerer.GetHandler(eventInfo.PUType, eventInfo.EventType)
	if err != nil {
		return fmt.Errorf("Handler not found: %s", err)
	}

	return f(ctx, eventInfo)
}

// validateTypes validates the various types and prevents any bad strings.
func validateTypes(event *common.EventInfo) error {

	regexStrings := regexp.MustCompile("^[a-zA-Z0-9_:.$%/-]{0,256}$")
	regexNS := regexp.MustCompile("^[a-zA-Z0-9/-]{0,128}$")
	regexCgroup := regexp.MustCompile("^/trireme/(uid/){0,1}[a-zA-Z0-9_:.$%]{1,64}$")

	if _, ok := common.EventMap[event.EventType]; !ok {
		return fmt.Errorf("invalid event: %s", string(event.EventType))
	}

	if event.PUType > common.TransientPU {
		return fmt.Errorf("invalid pu type %v", event.PUType)
	}

	if len(event.Cgroup) > 0 && !regexCgroup.Match([]byte(event.Cgroup)) {
		return fmt.Errorf("Invalid cgroup format: %s", event.Cgroup)
	}

	if !regexNS.Match([]byte(event.NS)) {
		return fmt.Errorf("Namespace is not of the right format")
	}

	for k, v := range event.IPs {
		if !regexStrings.Match([]byte(k)) {
			return fmt.Errorf("Invalid IP name: %s", k)
		}

		if ip := net.ParseIP(v); ip == nil {
			return fmt.Errorf("Invalid IP address: %s", v)
		}
	}

	return nil
}

// validateEvent validates that this is reasonable event and
// modifies the default values.
func validateEvent(event *common.EventInfo) error {

	if event.EventType == common.EventCreate || event.EventType == common.EventStart {
		if event.HostService {
			if event.NetworkOnlyTraffic {
				if event.Name == "" {
					return fmt.Errorf("Service name must be provided and must not be default")
				}
			}
		} else {
			if event.PUID == "" {
				event.PUID = strconv.Itoa(int(event.PID))
			}
		}
	}

	if event.EventType == common.EventStop || event.EventType == common.EventDestroy {
		regStop := regexp.MustCompile("^/trireme/[a-zA-Z0-9_]{1,11}$")
		if event.Cgroup != "" && !regStop.Match([]byte(event.Cgroup)) {
			return fmt.Errorf("Cgroup is not of the right format")
		}
	}

	return nil
}


================================================
FILE: monitor/remoteapi/server/server_nonwindows.go
================================================
// +build !windows

package server

import (
	"fmt"
	"net"
	"net/http"
	"os"
	"strconv"
	"strings"

	"github.com/shirou/gopsutil/process"
	"go.aporeto.io/enforcerd/trireme-lib/common"
)

func cleanupPipe(address string) error {
	// Cleanup the socket first.
	if _, err := os.Stat(address); err == nil {
		if err := os.Remove(address); err != nil {
			return fmt.Errorf("Cannot create clean up socket: %s", err)
		}
	}
	return nil
}

func (e *EventServer) makePipe() (net.Listener, error) {
	// Start a custom listener
	addr, _ := net.ResolveUnixAddr("unix", e.socketPath)
	nl, err := net.ListenUnix("unix", addr)

	if err != nil {
		return nil, fmt.Errorf("Unable to start API server: %s", err)
	}

	// We make the socket accesible to all users of the system.
	// TODO: create a trireme group for this
	if err := os.Chmod(addr.String(), 0766); err != nil {
		return nil, fmt.Errorf("Cannot make the socket accessible to all users: %s", err)
	}

	return &UIDListener{nl}, nil
}

// validateUser validates that the originating user is not sending a request
// for a process that they don't own. Root users are allowed to send
// any event.
func validateUser(r *http.Request, event *common.EventInfo) error {

	// Find the calling user.
	parts := strings.Split(r.RemoteAddr, ":")
	if len(parts) != 3 {
		return fmt.Errorf("Invalid user context")
	}

	// Accept all requests from root users
	if parts[0] == "0" {
		return nil
	}

	// The target process must be valid.
	p, err := process.NewProcess(event.PID)
	if err != nil {
		return fmt.Errorf("Process not found")
	}

	// The UID of the calling process must match the UID of the target process.
	uids, err := p.Uids()
	if err != nil {
		return fmt.Errorf("Unknown user ID")
	}

	match := false
	for _, uid := range uids {
		if strconv.Itoa(int(uid)) == parts[0] {
			match = true
		}
	}

	if !match {
		return fmt.Errorf("Invalid user - no access to this process: %+v PARTS: %+v", event, parts)
	}

	return nil
}


================================================
FILE: monitor/remoteapi/server/server_test.go
================================================
package server

import (
	"bytes"
	"encoding/json"
	"errors"
	"net/http"
	"net/http/httptest"
	"os"
	"strconv"
	"testing"

	"github.com/golang/mock/gomock"
	. "github.com/smartystreets/goconvey/convey"
	"go.aporeto.io/enforcerd/trireme-lib/common"
	"go.aporeto.io/enforcerd/trireme-lib/monitor/processor/mockprocessor"
	"go.aporeto.io/enforcerd/trireme-lib/monitor/registerer"
)

func TestNewEventServer(t *testing.T) {
	Convey("When I create a new server", t, func() {
		reg := registerer.New()
		s, err := NewEventServer("/tmp/trireme.sock", reg)
		Convey("The object should be correct", func() {
			So(err, ShouldBeNil)
			So(s, ShouldNotBeNil)
			So(s.socketPath, ShouldResemble, "/tmp/trireme.sock")
			So(s.registerer, ShouldEqual, reg)
		})
	})
}

func TestValidateUser(t *testing.T) {
	Convey("When I try to validate a user", t, func() {

		Convey("When I get a bad remote address, it should fail", func() {
			r := &http.Request{}
			r.RemoteAddr = "badpath"
			event := &common.EventInfo{}

			err := validateUser(r, event)
			So(err, ShouldNotBeNil)
		})

		Convey("When I issue the request as a superuser it should always succeed", func() {
			r := &http.Request{}
			r.RemoteAddr = "0:0:1000"
			event := &common.EventInfo{}

			err := validateUser(r, event)
			So(err, ShouldBeNil)
		})

		Convey("When I issue the request as a regular user with a bad process it should fail", func() {
			r := &http.Request{}
			r.RemoteAddr = "1:10:1000"
			event := &common.EventInfo{PID: -1}

			err := validateUser(r, event)
			So(err, ShouldNotBeNil)
		})

		Convey("When I issue the request as a regular user to a foreign process", func() {

			myuid := strconv.Itoa(os.Getuid())
			myguyid := strconv.Itoa(os.Getgid())
			mypid := int32(os.Getpid())
			mypidstring := strconv.Itoa(int(mypid))

			r := &http.Request{}
			r.RemoteAddr = myuid + ":" + myguyid + ":" + mypidstring
			event := &common.EventInfo{PID: 0}

			err := validateUser(r, event)
			So(err, ShouldNotBeNil)
		})

		Convey("When I issue the request as a regular user with valid pid", func() {

			myuid := strconv.Itoa(os.Getuid())
			myguyid := strconv.Itoa(os.Getgid())
			mypid := int32(os.Getpid())
			mypidstring := strconv.Itoa(int(mypid))

			r := &http.Request{}
			r.RemoteAddr = myuid + ":" + myguyid + ":" + mypidstring
			event := &common.EventInfo{PID: mypid}

			err := validateUser(r, event)
			So(err, ShouldBeNil)
		})

	})
}

func TestValidateTypes(t *testing.T) {
	Convey("When I validate the types of an event", t, func() {

		Convey("If I have a bad eventtype it should error.", func() {
			event := &common.EventInfo{
				EventType: common.Event(123),
			}

			err := validateTypes(event)
			So(err, ShouldNotBeNil)
		})

		Convey("If I have a bad PUType it should error.", func() {
			event := &common.EventInfo{
				EventType: common.EventStart,
				PUType:    common.PUType(123),
			}

			err := validateTypes(event)
			So(err, ShouldNotBeNil)
		})

		Convey("If the event name has utf8 charaters and it is NOT UIDPAM PU, it should succeed.", func() {
			event := &common.EventInfo{
				EventType: common.EventStart,
				PUType:    common.ContainerPU,
				Name:      "utf8-_!@#%&\" (*)+.,/$!:;<>=?{}~",
			}

			err := validateTypes(event)
			So(err, ShouldBeNil)
		})

		Convey("If the cgroup has bad charaters, it should error.", func() {
			event := &common.EventInfo{
				EventType: common.EventStart,
				PUType:    common.ContainerPU,
				Name:      "Container",
				Cgroup:    "/potatoes",
			}

			err := validateTypes(event)
			So(err, ShouldNotBeNil)
		})

		Convey("If the namespace path has bad charaters, it should error.", func() {
			event := &common.EventInfo{
				EventType: common.EventStart,
				PUType:    common.ContainerPU,
				Name:      "Container",
				Cgroup:    "/trireme/123",
				NS:        "!@##$!#",
			}

			err := validateTypes(event)
			So(err, ShouldNotBeNil)
		})

		Convey("If the IPs have a bad name, it should error.", func() {
			event := &common.EventInfo{
				EventType: common.EventStart,
				PUType:    common.ContainerPU,
				Name:      "Container",
				Cgroup:    "/trireme/123",
				NS:        "/var/run/docker/netns/6f7287cc342b",
				IPs:       map[string]string{"^^^": "123"},
			}

			err := validateTypes(event)
			So(err, ShouldNotBeNil)
		})

		Convey("If the IP address is bad, it should error.", func() {
			event := &common.EventInfo{
				EventType: common.EventStart,
				PUType:    common.ContainerPU,
				Name:      "Container",
				Cgroup:    "/trireme/123",
				NS:        "/var/run/docker/netns/6f7287cc342b",
				IPs:       map[string]string{"bridge": "123"},
			}

			err := validateTypes(event)
			So(err, ShouldNotBeNil)
		})

		Convey("If all the types are correct, it should succeed.", func() {
			event := &common.EventInfo{
				EventType: common.EventStart,
				PUType:    common.ContainerPU,
				Name:      "Container",
				Cgroup:    "/trireme/123",
				NS:        "/var/run/docker/netns/6f7287cc342b",
				IPs:       map[string]string{"bridge": "172.17.0.1"},
			}

			err := validateTypes(event)
			So(err, ShouldBeNil)
		})

	})
}

func TestValidateEvent(t *testing.T) {
	Convey("When I validate events", t, func() {

		Convey("If I get a Create  with no HostService, and PUID is nil, I should update it.", func() {
			event := &common.EventInfo{
				EventType:   common.EventCreate,
				PID:         1,
				HostService: false,
			}

			err := validateEvent(event)
			So(err, ShouldBeNil)
			So(event.PUID, ShouldResemble, "1")
		})

		Convey("If I get a Create  with no HostService, and PUID is not nil, I should get the right PUID", func() {
			event := &common.EventInfo{
				EventType:   common.EventCreate,
				PID:         1,
				HostService: false,
				PUID:        "mypu",
			}

			err := validateEvent(event)
			So(err, ShouldBeNil)
			So(event.PUID, ShouldResemble, "mypu")
		})

		Convey("If I get a Create  with the HostService and no networktraffic only, I should get PUID with the same name", func() {
			event := &common.EventInfo{
				EventType:          common.EventCreate,
				PID:                1,
				HostService:        true,
				NetworkOnlyTraffic: false,
				PUID:               "mypu",
			}

			err := validateEvent(event)
			So(err, ShouldBeNil)
			So(event.PUID, ShouldResemble, "mypu")
		})

		Convey("If I get a Create  with the HostService and networktraffic only, I should get PUID as my name", func() {
			event := &common.EventInfo{
				EventType:          common.EventCreate,
				PID:                1,
				HostService:        true,
				NetworkOnlyTraffic: true,
				Name:               "myservice",
				PUID:               "mypu",
			}

			err := validateEvent(event)
			So(err, ShouldBeNil)
			So(event.PUID, ShouldResemble, "mypu")
		})

		Convey("If I get a Stop event and cgroup is in the right format, it should return nil.", func() {
			event := &common.EventInfo{
				EventType: common.EventStop,
				Cgroup:    "/trireme/1234",
			}

			err := validateEvent(event)
			So(err, ShouldBeNil)
		})

		Convey("If I get a Stop event and cgroup is in the wrong format, it should error.", func() {
			event := &common.EventInfo{
				EventType: common.EventStop,
				Cgroup:    "/potatoes",
			}

			err := validateEvent(event)
			So(err, ShouldNotBeNil)
		})

	})
}

func TestCreate(t *testing.T) {
	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	Convey("Given a new server", t, func() {
		reg := registerer.New()
		s, err := NewEventServer("/tmp/trireme.sock", reg)
		proc := mockprocessor.NewMockProcessor(ctrl)
		procerr := reg.RegisterProcessor(common.ContainerPU, proc)
		So(procerr, ShouldBeNil)

		So(err, ShouldBeNil)

		Convey("Given a valid event, I should get 200 response.", func() {
			event := &common.EventInfo{
				EventType: common.EventStart,
				PUType:    common.ContainerPU,
				PID:       int32(os.Getpid()),
				Name:      "Container",
				Cgroup:    "/trireme/123",
				NS:        "/var/run/docker/netns/6f7287cc342b",
				IPs:       map[string]string{"bridge": "172.17.0.1"},
			}

			proc.EXPECT().Start(gomock.Any(), gomock.Any()).Return(nil)

			b := new(bytes.Buffer)
			err := json.NewEncoder(b).Encode(event)
			So(err, ShouldBeNil)

			req := httptest.NewRequest("POST", "http://unix", b)
			req.RemoteAddr = strconv.Itoa(os.Getuid()) + ":" + strconv.Itoa(os.Getgid()) + ":" + strconv.Itoa(int(event.PID))
			w := httptest.NewRecorder()
			s.create(w, req)

			So(w.Result().StatusCode, ShouldEqual, http.StatusAccepted)
		})

		Convey("Given bad json a BadRequest", func() {

			b := new(bytes.Buffer)
			b.WriteString("garbage")

			req := httptest.NewRequest("POST", "http://unix", b)

			w := httptest.NewRecorder()
			s.create(w, req)

			So(w.Result().StatusCode, ShouldEqual, http.StatusBadRequest)
		})

		Convey("Given bad event type, I should get BadRequest ", func() {
			event := &common.EventInfo{
				EventType: common.EventStart,
				PUType:    common.ContainerPU,
				PID:       -1,
				Name:      "^^^^",
				Cgroup:    "/trireme/123",
				NS:        "/var/run/docker/netns/6f7287cc342b",
				IPs:       map[string]string{"bridge": "172.17.0.1", "ip": "thisisnotip"},
			}

			b := new(bytes.Buffer)
			err := json.NewEncoder(b).Encode(event)
			So(err, ShouldBeNil)

			req := httptest.NewRequest("POST", "http://unix", b)
			// req.RemoteAddr = strconv.Itoa(os.Getuid()) + ":" + strconv.Itoa(os.Getgid()) + ":" + strconv.Itoa(int(event.PID))
			w := httptest.NewRecorder()
			s.create(w, req)

			So(w.Result().StatusCode, ShouldEqual, http.StatusBadRequest)
		})

		Convey("Given a bad user request, I should get StatusForbidden ", func() {
			event := &common.EventInfo{
				EventType: common.EventStart,
				PUType:    common.ContainerPU,
				PID:       1,
				Name:      "name",
				Cgroup:    "/trireme/123",
				NS:        "/var/run/docker/netns/6f7287cc342b",
				IPs:       map[string]string{"bridge": "172.17.0.1"},
			}

			b := new(bytes.Buffer)
			err := json.NewEncoder(b).Encode(event)
			So(err, ShouldBeNil)

			req := httptest.NewRequest("POST", "http://unix", b)
			req.RemoteAddr = strconv.Itoa(os.Getuid()) + ":" + strconv.Itoa(os.Getgid()) + ":" + strconv.Itoa(int(event.PID))
			w := httptest.NewRecorder()
			s.create(w, req)

			So(w.Result().StatusCode, ShouldEqual, http.StatusForbidden)
		})

		Convey("Given a bad event, I should get BadRequest ", func() {
			event := &common.EventInfo{
				EventType:          common.EventStart,
				PUType:             common.ContainerPU,
				PID:                int32(os.Getpid()),
				Name:               "",
				Cgroup:             "/trireme/123",
				NS:                 "/var/run/docker/netns/6f7287cc342b",
				IPs:                map[string]string{"bridge": "172.17.0.1"},
				HostService:        true,
				NetworkOnlyTraffic: true,
			}

			b := new(bytes.Buffer)
			err := json.NewEncoder(b).Encode(event)
			So(err, ShouldBeNil)

			req := httptest.NewRequest("POST", "http://unix", b)
			req.RemoteAddr = strconv.Itoa(os.Getuid()) + ":" + strconv.Itoa(os.Getgid()) + ":" + strconv.Itoa(int(event.PID))
			w := httptest.NewRecorder()
			s.create(w, req)

			So(w.Result().StatusCode, ShouldEqual, http.StatusBadRequest)
		})

		Convey("Given a valid event,where the processor fails, I should get InternalServerError.", func() {
			event := &common.EventInfo{
				EventType: common.EventStart,
				PUType:    common.ContainerPU,
				PID:       int32(os.Getpid()),
				Name:      "Container",
				Cgroup:    "/trireme/123",
				NS:        "/var/run/docker/netns/6f7287cc342b",
				IPs:       map[string]string{"bridge": "172.17.0.1"},
			}

			proc.EXPECT().Start(gomock.Any(), gomock.Any()).Return(errors.New("some error"))

			b := new(bytes.Buffer)
			err := json.NewEncoder(b).Encode(event)
			So(err, ShouldBeNil)

			req := httptest.NewRequest("POST", "http://unix", b)
			req.RemoteAddr = strconv.Itoa(os.Getuid()) + ":" + strconv.Itoa(os.Getgid()) + ":" + strconv.Itoa(int(event.PID))
			w := httptest.NewRecorder()
			s.create(w, req)

			So(w.Result().StatusCode, ShouldEqual, http.StatusInternalServerError)
		})

	})

}


================================================
FILE: monitor/remoteapi/server/server_windows.go
================================================
// +build windows

package server

import (
	"net"
	"net/http"

	"go.aporeto.io/enforcerd/trireme-lib/common"
	"gopkg.in/natefinch/npipe.v2"
)

func cleanupPipe(address string) error {
	// TODO(windows): anything?
	return nil
}

func (e *EventServer) makePipe() (net.Listener, error) {
	pipeName := `\\.\pipe\` + e.socketPath
	pipeListener, err := npipe.Listen(pipeName)
	if err != nil {
		return nil, err
	}
	return pipeListener, nil
}

// TODO(windows): Uids() not impl currently in Windows
func validateUser(r *http.Request, event *common.EventInfo) error {
	return nil
}


================================================
FILE: monitor/remoteapi/server/uidlistener.go
================================================
// +build linux

package server

import (
	"net"
	"strconv"
	"syscall"
	"time"
)

// UIDConnection is a connection wrapper that allows to recover
// the user ID of the calling process.
type UIDConnection struct {
	nc *net.UnixConn
}

// Read implements the read interface of the connection.
func (c UIDConnection) Read(b []byte) (n int, err error) {
	return c.nc.Read(b)
}

// Write implements the write interface of the connection.
func (c UIDConnection) Write(b []byte) (n int, err error) {
	return c.nc.Write(b)
}

// Close implements the close interface of the connection.
func (c UIDConnection) Close() error {
	return c.nc.Close()
}

// LocalAddr implements the LocalAddr interface of the connection.
func (c UIDConnection) LocalAddr() net.Addr {
	return c.nc.LocalAddr()
}

// RemoteAddr implements the RemoteAddr interface of the connection.
// This is the main change where we actually use the FD of the unix
// socket to find the remote UID.
func (c UIDConnection) RemoteAddr() net.Addr {

	uidAddr := &UIDAddr{
		NetworkAddress: c.nc.RemoteAddr().Network(),
	}

	f, err := c.nc.File()
	if err != nil {
		uidAddr.Address = "NotAvailable"
	}
	defer f.Close() // nolint: errcheck

	cred, err := syscall.GetsockoptUcred(int(f.Fd()), syscall.SOL_SOCKET, syscall.SO_PEERCRED)
	if err != nil {
		uidAddr.Address = "NotAvailable"
	}

	uidAddr.Address = strconv.Itoa(int(cred.Uid)) + ":" + strconv.Itoa(int(cred.Gid)) + ":" + strconv.Itoa(int(cred.Pid))

	return uidAddr

}

// SetDeadline implements the SetDeadLine interface.
func (c UIDConnection) SetDeadline(t time.Time) error {
	return c.nc.SetDeadline(t)
}

// SetReadDeadline implements the SetReadDeadling interface
func (c UIDConnection) SetReadDeadline(t time.Time) error {
	return c.nc.SetReadDeadline(t)
}

// SetWriteDeadline implements the SetWriteDeadline method of the interface.
func (c UIDConnection) SetWriteDeadline(t time.Time) error {
	return c.nc.SetWriteDeadline(t)
}

// UIDAddr implements the Addr interface and allows us to customize the address.
type UIDAddr struct {
	NetworkAddress string
	Address        string
}

// Network returns the network of the connection
func (a *UIDAddr) Network() string {
	return a.NetworkAddress
}

// String returns a string representation.
func (a *UIDAddr) String() string {
	return a.Address
}

// UIDListener is a custom net listener that uses the UID connection
type UIDListener struct {
	nl *net.UnixListener
}

// NewUIDListener creates a new UID listener.
func NewUIDListener(nl *net.UnixListener) *UIDListener {
	return &UIDListener{nl: nl}
}

// Accept implements the accept method of the interface.
func (l UIDListener) Accept() (c net.Conn, err error) {
	nc, err := l.nl.AcceptUnix()
	if err != nil {
		return nil, err
	}
	return UIDConnection{nc}, nil
}

// Close implements the close method of the interface.
func (l UIDListener) Close() error {
	return l.nl.Close()
}

// Addr returns the address of the listener.
func (l UIDListener) Addr() net.Addr {
	return l.nl.Addr()
}


================================================
FILE: monitor/remoteapi/server/uidlistener_nonlinux.go
================================================
// +build darwin windows

package server

import (
	"net"
	"time"
)

// UIDConnection is a connection wrapper that allows to recover
// the user ID of the calling process.
type UIDConnection struct {
	nc *net.UnixConn
}

// Read implements the read interface of the connection.
func (c UIDConnection) Read(b []byte) (n int, err error) {
	return c.nc.Read(b)
}

// Write implements the write interface of the connection.
func (c UIDConnection) Write(b []byte) (n int, err error) {
	return c.nc.Write(b)
}

// Close implements the close interface of the connection.
func (c UIDConnection) Close() error {
	return c.nc.Close()
}

// LocalAddr implements the LocalAddr interface of the connection.
func (c UIDConnection) LocalAddr() net.Addr {
	return c.nc.LocalAddr()
}

// RemoteAddr implements the RemoteAddr interface of the connection.
// This is the main change where we actually use the FD of the unix
// socket to find the remote UID.
func (c UIDConnection) RemoteAddr() net.Addr {
	return c.nc.RemoteAddr()
}

// SetDeadline implements the SetDeadLine interface.
func (c UIDConnection) SetDeadline(t time.Time) error {
	return c.nc.SetDeadline(t)
}

// SetReadDeadline implements the SetReadDeadling interface
func (c UIDConnection) SetReadDeadline(t time.Time) error {
	return c.nc.SetReadDeadline(t)
}

// SetWriteDeadline implements the SetWriteDeadline method of the interface.
func (c UIDConnection) SetWriteDeadline(t time.Time) error {
	return c.nc.SetWriteDeadline(t)
}

// UIDAddr implements the Addr interface and allows us to customize the address.
type UIDAddr struct {
	NetworkAddress string
	Address        string
}

// Network returns the network of the connection
func (a *UIDAddr) Network() string {
	return a.NetworkAddress
}

// String returns a string representation.
func (a *UIDAddr) String() string {
	return a.Address
}

// UIDListener is a custom net listener that uses the UID connection
type UIDListener struct {
	nl *net.UnixListener
}

// NewUIDListener creates a new listener with UID information.
func NewUIDListener(nl *net.UnixListener) *UIDListener {
	return &UIDListener{
		nl: nl,
	}
}

// Accept implements the accept method of the interface.
func (l UIDListener) Accept() (c net.Conn, err error) {
	nc, err := l.nl.AcceptUnix()
	if err != nil {
		return nil, err
	}
	return UIDConnection{nc}, nil
}

// Close implements the close method of the interface.
func (l UIDListener) Close() error {
	return l.nl.Close()
}

// Addr returns the address of the listener.
func (l UIDListener) Addr() net.Addr {
	return l.nl.Addr()
}


================================================
FILE: monitor/server/pipe.go
================================================
// +build !windows

package server

import (
	"net"
	"os"

	"go.uber.org/zap"
)

func cleanupPipe(address string) error {
	// Cleanup the leftover socket first.
	if _, err := os.Stat(address); err == nil {
		if err := os.Remove(address); err != nil {
			zap.L().Error("Cannot remove existing pipe", zap.String("address", address), zap.Error(err))
			return err
		}
	}
	return nil
}

func makePipe(address string) (net.Listener, error) {
	// Start a custom listener
	addr, _ := net.ResolveUnixAddr("unix", address)
	nl, err := net.ListenUnix("unix", addr)
	if err != nil {
		zap.L().Error("Unable to start the listener", zap.String("address", address), zap.Error(err))
		return nil, err
	}

	// make it owner,group rw only.
	// TODO: which group ID? or should it be owner root rw only ?
	if err := os.Chmod(addr.String(), 0600); err != nil {
		zap.L().Error("Cannot set permissions on the pipe", zap.String("address", address), zap.Error(err))
		return nil, err
	}

	return nl, nil
}


================================================
FILE: monitor/server/pipe_windows.go
================================================
// +build windows

package server

import (
	"fmt"
	"net"
	"os/user"
	"strings"

	winio "github.com/Microsoft/go-winio"
	zap "go.uber.org/zap"
)

const pipePrefix = `\\.\pipe\`

func cleanupPipe(address string) error {
	return nil
}

func makePipe(address string) (net.Listener, error) {
	var pipeListener net.Listener
	var err error

	pipeName := address
	if !strings.HasPrefix(pipeName, pipePrefix) {
		pipeName = pipePrefix + pipeName
	}

	pipeCfg := &winio.PipeConfig{}

	current, err := user.Current()
	if err != nil {
		zap.L().Error("Unable to get the current user", zap.String("address", address), zap.Error(err))
		return nil, err
	}

	// A discretionary access control list (DACL) identifies the trustees that are allowed or denied access to a securable object.
	// D:P(A;;GA;;;SY)(A;;GA;;;BA) = DACL allowing (A) General all access (GA) for SYSTEM (SY), Admin (BA) and current user.
	// This library is creating the pipe using undocumented kernel functions instead of using the win32 functions.
	// So if the code is running as the administrator, then the security descriptor works just fine, but
	// if you are running as a non admin even if you are in the administrator's group, then you don't get access to the pipe,
	// and that is why the code is also granting access to the current user.  Normally you would not need to do this.

	pipeCfg.SecurityDescriptor = fmt.Sprintf("D:P(A;;GA;;;SY)(A;;GA;;;BA)(A;;GA;;;%s)", current.Uid)

	pipeListener, err = winio.ListenPipe(pipeName, pipeCfg)

	if err != nil {
		zap.L().Error("Unable to start the listener", zap.String("address", address), zap.Error(err))
		return nil, err
	}
	return pipeListener, nil
}


================================================
FILE: monitor/server/server.go
================================================
package server

import (
	"context"
	"fmt"
	"sync"

	"time"

	"github.com/golang/protobuf/ptypes/empty"
	"go.aporeto.io/enforcerd/internal/extractors/containermetadata"
	"go.aporeto.io/enforcerd/trireme-lib/common"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/counters"
	monitorpb "go.aporeto.io/enforcerd/trireme-lib/monitor/api/spec/protos"
	"go.aporeto.io/enforcerd/trireme-lib/monitor/constants"
	"go.aporeto.io/enforcerd/trireme-lib/monitor/external"
	"go.uber.org/zap"
	"google.golang.org/grpc"
)

var _ Controls = &Server{}

var _ external.ReceiverRegistration = &Server{}

var _ monitorpb.CNIServer = &Server{}
var _ monitorpb.RunCServer = &Server{}

// Controls is the controlling interface for starting/stopping the server
type Controls interface {
	Start(context.Context) error
	Stop() error
}

// Server is the grpcMonitorServer server
type Server struct {
	ctx                             context.Context
	enforcerID                      string
	stop                            chan struct{}
	enforcerStop                    chan struct{}
	socketAddress                   string
	socketType                      int
	running                         bool
	monitors                        map[string]external.ReceiveEvents
	monitorsLock                    sync.RWMutex
	runcProxyStarted                bool
	cniInstalled                    bool
	notifyProcessRuncProxyStartedCh chan struct{}
	notifyProcessCniInstalledCh     chan struct{}
	extMonitorStartedLock           sync.RWMutex
	waitStopGrp                     sync.WaitGroup
	apoRuncWaitGrp                  *sync.WaitGroup
}

const (
	socketTypeUnix = iota
	socketTypeTCP  // nolint: varcheck
	socketTypeWindowsNamedPipe
)

// NewMonitorServer creates a gRPC server for the twistlock defender integration
func NewMonitorServer(
	socketAddress string,
	stopchan chan struct{},
	enforcerID string,
	runcWaitGrp *sync.WaitGroup,
) *Server {
	return &Server{
		enforcerID:                      enforcerID,
		stop:                            make(chan struct{}),
		enforcerStop:                    stopchan,
		socketAddress:                   socketAddress,
		socketType:                      socketTypeUnix,
		running:                         false,
		monitors:                        make(map[string]external.ReceiveEvents),
		notifyProcessRuncProxyStartedCh: make(chan struct{}),
		notifyProcessCniInstalledCh:     make(chan struct{}),
		waitStopGrp:                     sync.WaitGroup{},
		apoRuncWaitGrp:                  runcWaitGrp,
	}
}

// Start the grpcMonitorServer gRPC server
func (s *Server) Start(ctx context.Context) (err error) {

	s.ctx = ctx

	errChan := make(chan error)
	zap.L().Info("Starting the gRPC Monitor server, listening on", zap.String("address", s.socketAddress))

	if err := cleanupPipe(s.socketAddress); err != nil {
		zap.L().Fatal("unable to cleanup the old gRPC Monitor server socket address", zap.String("address", s.socketAddress), zap.Error(err))
	}

	// create the listener
	lis, err := makePipe(s.socketAddress)
	if err != nil {
		zap.L().Fatal("Failed to create the listener socket", zap.String("address", s.socketAddress), zap.Error(err))
	}

	var opts []grpc.ServerOption

	// TODO - TLS certs for the gRPC connection ??
	// if tls {
	// 	creds, err := credentials.NewServerTLSFromFile(tls.certFile, tls.keyFile)
	// 	if err != nil {
	// 		zap.L().Fatal("Failed to load TLS credentials %v", zap.Error(err))
	// 	}
	//
	// 	opts = []grpc.ServerOption{grpc.Creds(creds)}
	// }

	grpcServer := grpc.NewServer(opts...)

	// now register the runc and CNI servers.
	monitorpb.RegisterCNIServer(grpcServer, s)
	monitorpb.RegisterRunCServer(grpcServer, s)
	zap.L().Debug("Starting the gRPC Monitor' server loop")

	go s.processExtMonitorStarted(ctx)

	// run blocking call in a separate goroutine, report errors via channel
	go func() {
		if err := grpcServer.Serve(lis); err != nil {
			zap.L().Error("failed to start the gRPC Monitor' server", zap.Error(err))
			errChan <- err
		}
		zap.L().Debug("Exiting gRPC Monitor' server go func")

		// the listener should be closed by this time, remove it
		if s.socketType == socketTypeUnix || s.socketType == socketTypeWindowsNamedPipe {
			if err := cleanupPipe(s.socketAddress); err != nil {
				zap.L().Error("unable to cleanup the gRPC Monitor' server socket address", zap.String("address", s.socketAddress), zap.Error(err))
				errChan <- err
			}
		}
	}()
	// add the waitGrp to make sure that the GRPC shuts down graceFully.
	s.waitStopGrp.Add(1)

	// Start() is non-blocking, but we block in the go routine
	// until either OS signal, or server fatal error
	go func() {

		s.running = true
		zap.L().Debug("the gRPC Monitor' server loop is running")

		// terminate gracefully
		defer func() {
			zap.L().Debug("Stopping the gRPC Monitor' server loop and listener socket")
			grpcServer.GracefulStop()
			// now we are sure that the connections have been drained completely.
			s.waitStopGrp.Done()
			s.running = false
		}()

		for {
			select {
			case <-s.stop:
				zap.L().Debug("gRPC Monitor' server channel loop: got a stop notification on the stop channel")
				return
			case err := <-errChan:
				zap.L().Fatal("gRPC Monitor' server channel loop: got an error notification on the error channel", zap.Error(err))
			case <-ctx.Done():
				return
			}
		}
	}()

	return nil
}

// Stop stops the Monitor' gRPC server (does not stop enforcer)
func (s *Server) Stop() error {
	if s.running {
		zap.L().Debug("gRPC Server: notified the graceful stop")
		close(s.stop)
	}
	// add the wait for to make sure the GRPC gracefulStop drains all the connections.
	s.waitStopGrp.Wait()
	return nil
}

// RuncProxyStarted gets sent by the defender once when the defender has started the runc-proxy.
func (s *Server) RuncProxyStarted(context.Context, *empty.Empty) (*empty.Empty, error) {
	zap.L().Info("grpc: runc-proxy has started")
	s.extMonitorStartedLock.Lock()
	s.runcProxyStarted = true
	s.extMonitorStartedLock.Unlock()
	s.notifyProcessRuncProxyStartedCh <- struct{}{}
	return &empty.Empty{}, nil
}

// isRuncProxyStarted returns the internal state of RuncProxyStarted as a copy
func (s *Server) isRuncProxyStarted() bool {
	s.extMonitorStartedLock.RLock()
	defer s.extMonitorStartedLock.RUnlock()
	return s.runcProxyStarted
}

// CniPluginInstalled gets sent by the defender once when the defender has started the runc-proxy.
func (s *Server) CniPluginInstalled(context.Context, *empty.Empty) (*empty.Empty, error) {
	zap.L().Info("grpc: cni Plugin is installed")
	s.extMonitorStartedLock.Lock()
	s.cniInstalled = true
	s.extMonitorStartedLock.Unlock()
	s.notifyProcessCniInstalledCh <- struct{}{}
	return &empty.Empty{}, nil
}

// isCniInstalled returns the internal state of RuncProxyStarted as a copy
func (s *Server) isCniInstalled() bool {
	s.extMonitorStartedLock.RLock()
	defer s.extMonitorStartedLock.RUnlock()
	return s.cniInstalled
}

func (s *Server) processExtMonitorStarted(ctx context.Context) {
	m := make(map[string]struct{})
	for {
		// signal only when runc/cni has not yet started
		if !s.isRuncProxyStarted() && !s.isCniInstalled() {
			s.apoRuncWaitGrp.Done()
		}
		// wait for a notification: this will be sent for two cases:
		// - RuncProxyStarted was called
		// - a new monitor registers with the grpc servcer
		select {
		case <-ctx.Done():
			return
		case <-s.notifyProcessRuncProxyStartedCh:
			// continue here
		case <-s.notifyProcessCniInstalledCh:
		}
		if s.isRuncProxyStarted() || s.isCniInstalled() {
			s.monitorsLock.RLock()
			// iterate over all currently registered monitors
			// and if they haven't gotten the SenderReady() yet
			// we will send it to them
			for name, monitor := range s.monitors {
				if _, ok := m[name]; ok {
					continue
				}
				monitor.SenderReady()
				m[name] = struct{}{}
			}
			s.monitorsLock.RUnlock()
		}
	}
}

const maxProcessingTime = time.Second * 5

func calProcessingTime(onStart time.Time, containerID string) {
	processingTime := time.Since(onStart)
	if processingTime > (maxProcessingTime) {
		counters.IncrementCounter(counters.ErrSegmentServerContainerEventExceedsProcessingTime)
		zap.L().Warn(
			"grpc: ContainerEvent: processing of container event took longer than allowed processing time",
			zap.String("id", containerID),
			zap.Duration("processingTime", processingTime),
			zap.Duration("maxProcessingTime", maxProcessingTime),
		)
	} else {
		zap.L().Debug(
			"grpc: ContainerEvent: processing of container event was within allowed time frame",
			zap.String("id", containerID),
			zap.Duration("processingTime", processingTime),
			zap.Duration("maxProcessingTime", maxProcessingTime),
		)
	}
}

// CNIContainerEvent handles container event requests
func (s *Server) CNIContainerEvent(ctx context.Context, req *monitorpb.CNIContainerEventRequest) (*monitorpb.ContainerEventResponse, error) {
	zap.L().Debug("grpc: CNI ContainerEvent received", zap.Any("request", req), zap.Any("type", req.Type))

	// calculate the time that this function takes and log accordingly
	onStart := time.Now()
	defer func() {
		calProcessingTime(onStart, req.ContainerID)
	}()
	containerArgs := containermetadata.NewCniArguments(req)
	// now send the container event to the monitor
	return s.sendContainerEvent(ctx, containerArgs)
}

// RunCContainerEvent handles container event requests
func (s *Server) RunCContainerEvent(ctx context.Context, req *monitorpb.RunCContainerEventRequest) (*monitorpb.ContainerEventResponse, error) {
	zap.L().Debug("grpc: runc ContainerEvent received", zap.Strings("commandLine", req.GetCommandLine()))

	if !s.isRuncProxyStarted() {
		zap.L().Warn("grpc: receiving ContainerEvent, but have not received RuncProxyStarted event yet. Compensating...")
		s.RuncProxyStarted(ctx, &empty.Empty{}) // nolint
		return &monitorpb.ContainerEventResponse{
			ErrorMessage: "received ContainerEvent before RuncProxyStarted event",
		}, nil
	}

	// parse the runc command-line first
	containerArgs, err := containermetadata.ParseRuncArguments(req.GetCommandLine())
	if err != nil {
		zap.L().Error("grpc: ContainerEvent: failed to parse runc commandline")
		return &monitorpb.ContainerEventResponse{
			ErrorMessage: fmt.Sprintf("failed to parse runc commandline: %s", err),
		}, nil
	}
	// calculate the time that this function takes and log accordingly
	onStart := time.Now()
	defer func() {
		calProcessingTime(onStart, containerArgs.ID())
	}()
	// now send the container event to the monitor
	return s.sendContainerEvent(ctx, containerArgs)
}

func (s *Server) sendContainerEvent(ctx context.Context, containerArgs containermetadata.ContainerArgs) (*monitorpb.ContainerEventResponse, error) {
	var kmd containermetadata.CommonKubernetesContainerMetadata
	var md containermetadata.CommonContainerMetadata
	var err error
	// now 1st check if the netnsPath is given, if given then its a CNI event and process it 1st
	// if the netnsPath is not given then we fallback to the default mechanism for extraction.
	// if we can identify that we have this container
	if len(containerArgs.NetNsPath()) > 0 && len(containerArgs.PodName()) > 0 && len(containerArgs.PodNamespace()) > 0 {
		// create the cni containerMetadata
		kmd = containermetadata.NewCniContainerMetadata(containerArgs)
	} else if containermetadata.AutoDetect().Has(containerArgs) {

		// then extract the common container metadata
		md, kmd, err = containermetadata.AutoDetect().Extract(containerArgs)
		if err != nil {
			return &monitorpb.ContainerEventResponse{
				ErrorMessage: fmt.Sprintf("failed to parse runc commandline: %s", err),
			}, nil
		}

		// as we are only interested in Kubernetes containers at the moment
		// simply log if this is a non-Kubernetes event
		if md != nil && kmd == nil {
			zap.L().Debug(
				"grpc: ContainerEvent: container event does not belong to a Kubernetes container",
				zap.String("md.ID()", md.ID()),
				zap.String("md.Root()", md.Root()),
				zap.String("md.Kind()", md.Kind().String()),
				zap.String("md.Runtime()", md.Runtime().String()),
				zap.Int("md.PID()", md.PID()),
				zap.Bool("md.SystemdCgroups()", md.SystemdCgroups()),
			)
			return &monitorpb.ContainerEventResponse{}, nil
		}
	}

	// and now send an event to the K8s monitor
	if kmd != nil {
		zap.L().Debug(
			"grpc: ContainerEvent: container event belongs to a Kubernetes container",
			zap.String("kmd.ID()", kmd.ID()),
			zap.String("kmd.Root()", kmd.Root()),
			zap.String("kmd.Kind()", kmd.Kind().String()),
			zap.String("kmd.Runtime()", kmd.Runtime().String()),
			zap.Int("kmd.PID()", kmd.PID()),
			zap.Bool("kmd.SystemdCgroups()", kmd.SystemdCgroups()),
			zap.String("kmd.PodName()", kmd.PodName()),
			zap.String("kmd.NetNsPath()", kmd.NetNSPath()),
			zap.String("kmd.PodNamespace()", kmd.PodNamespace()),
			zap.String("kmd.PodUID()", kmd.PodUID()),
			zap.String("kmd.PodSandboxID()", kmd.PodSandboxID()),
		)

		s.monitorsLock.RLock()
		defer s.monitorsLock.RUnlock()
		monitor, ok := s.monitors[constants.K8sMonitorRegistrationName]
		if !ok {
			zap.L().Debug("grpc: K8s monitor is not registered yet. Skipping processing of event.")
			return &monitorpb.ContainerEventResponse{
				ErrorMessage: "K8s monitor is not initialized yet",
			}, nil
		}

		switch containerArgs.Action() {
		case containermetadata.StartAction:
			// the start action MUST be synchronous at all costs
			monitor.Event(ctx, common.EventStart, kmd) // nolint: errcheck
		case containermetadata.DeleteAction:
			// the delete event SHOULD be synchronous
			// however, we can unblock the caller and respect the context if it is not
			ch := make(chan struct{})
			go func() {
				monitor.Event(context.Background(), common.EventDestroy, kmd) // nolint: errcheck
				close(ch)
			}()
			select {
			case <-ctx.Done():
				zap.L().Warn("grpc: ContainerEvent: failed to process delete event within the context constraints",
					zap.String("kmd.ID()", kmd.ID()),
					zap.String("kmd.PodName()", kmd.PodName()),
					zap.String("kmd.PodNamespace()", kmd.PodNamespace()),
					zap.String("kmd.PodUID()", kmd.PodUID()),
					zap.String("kmd.NetNsPath()", kmd.NetNSPath()),
					zap.Error(ctx.Err()),
				)
			case <-ch:
				// success, nothing more needs to be done
			}
		default:
			zap.L().Debug("grpc: unsupported action by the K8s monitor", zap.String("action", containerArgs.Action().String()))
			return &monitorpb.ContainerEventResponse{
				ErrorMessage: "unexpected action received: " + containerArgs.Action().String(),
			}, nil
		}

		return &monitorpb.ContainerEventResponse{}, nil
	}

	// log an error if we can't find it because we should always be able to find it, and this is an error in the extractor
	zap.L().Error("grpc: ContainerEvent: container not found", zap.String("containerID", containerArgs.ID()), zap.String("action", containerArgs.Action().String()))
	return &monitorpb.ContainerEventResponse{
		ErrorMessage: "container not found",
	}, nil
}

// SenderName must return a globally unique name of the implementor.
func (s *Server) SenderName() string {
	return constants.MonitorExtSenderName
}

// Register will register the given `monitor` for receiving events under `name`.
// Multiple calls to this function for the same `name` must update the internal
// state of the implementor to now send events to the newly regitered monitor of this
// name. Only one registration of a monitor of the same name is allowed.
func (s *Server) Register(name string, monitor external.ReceiveEvents) error {
	s.monitorsLock.Lock()
	defer s.monitorsLock.Unlock()
	s.monitors[name] = monitor
	s.notifyProcessRuncProxyStartedCh <- struct{}{}
	return nil
}


================================================
FILE: plugins/pam/README.md
================================================
# PAM Authorization Module for Trireme 

The PAM Authorization module allws the integration of Trireme with PAM Linux module. On every authorization
request to the PAM module, the plugin can intercept the login or sudo attempt and activate the user 
in a specific network context where access to network resources is managed through the Trireme 
end-to-end authorization process. A simple use case is to give specific network access to specific 
users such as the case of a jump-box in a cloud environment. 

To build the module simple do:

```bash 
go build -buildmode=c-shared -o pam-module.so
```

This file needs to be copied to the directory of PAM modules (usually in /lib/x86_64-linux-gnu/security/). Once 
installed there, you can configure the PAM module to invoke the plugin by adding the corresponding
directive. For example, you can add this line to /etc/pam.d/sudo 

```
session required pam_aporeto_uidm.so in 
```

Once this is installed, running sudo -u <anyuser> /bin/bash will cause the PAM module to send an event
to Trireme and a unique network context will be activated for this user. Based on the user
information one can select the right network policy to apply to the user.

You can achieve the same thing for the login shell by adding the directive to the 
/etc/pam.d/login file. 


================================================
FILE: plugins/pam/uidmonitorpam.go
================================================
package main

/*
#cgo LDFLAGS: -lpam -fPIC
#include <security/pam_appl.h>
#include <stdlib.h>
char *get_user(pam_handle_t *pamh);
char *get_ruser(pam_handle_t *pamh);
char *get_rhost(pam_handle_t *pamh);
char *get_service(pam_handle_t *pam_h);
void initLog() ;
int is_system_user(char *user);
int is_root(char *user);
*/
import "C"
import (
	"fmt"
	"log/syslog"
	"os"
	"os/user"

	"go.aporeto.io/trireme-lib/common"
	"go.aporeto.io/trireme-lib/monitor/remoteapi/client"
)

func getGroupList(username string) ([]string, error) {
	slog, _ := syslog.New(syslog.LOG_ALERT|syslog.LOG_AUTH, "mypam")
	defer func() {
		_ = slog.Close()
	}()
	userhdl, err := user.Lookup(username)
	if err != nil {
		return nil, err
	}
	gids, err := userhdl.GroupIds()
	if err != nil {
		return nil, err
	}
	groups := make([]string, len(gids))
	index := 0
	for _, gid := range gids {
		grphdl, err := user.LookupGroupId(gid)
		if err != nil {
			continue
		}
		groups[index] = "groupname=" + grphdl.Name
		index++

	}
	return groups[:index], nil
}

// nolint
//export pam_sm_open_session
func pam_sm_open_session(pamh *C.pam_handle_t, flags, argc int, argv **C.char) C.int {
	C.initLog()
	user := C.get_user(pamh)
	service := C.get_service(pamh)
	metadatamap := []string{}
	userstring := "user=" + C.GoString(user)
	metadatamap = append(metadatamap, userstring)
	if groups, err := getGroupList(C.GoString(user)); err == nil {
		metadatamap = append(metadatamap, groups...)
	}

	if service != nil {
		metadatamap = append(metadatamap, "SessionType="+C.GoString(service))
	} else {
		metadatamap = append(metadatamap, "SessionType=login")
	}

	request := &common.EventInfo{
		PUType:    common.UIDLoginPU,
		PUID:      C.GoString(user),
		Name:      "login-" + C.GoString(user),
		PID:       int32(os.Getpid()),
		Tags:      metadatamap,
		EventType: "start",
	}

	if C.is_root(user) == 1 {
		//Do nothing this is login shell account
	} else {
		//Do something
		slog, _ := syslog.New(syslog.LOG_ALERT|syslog.LOG_AUTH, "mypam")
		defer func() {
			_ = slog.Close()
		}()

		client, err := client.NewClient(common.TriremeSocket)
		if err != nil {
			return C.PAM_SUCCESS
		}

		slog.Alert("Calling Trireme") // nolit
		if err := client.SendRequest(request); err != nil {
			err = fmt.Errorf("Policy Server call failed %s", err)
			_ = slog.Alert(err.Error())
			return C.PAM_SESSION_ERR
		}
	}
	return C.PAM_SUCCESS
}

// nolint
//export pam_sm_close_session
func pam_sm_close_session(pamh *C.pam_handle_t, flags, argc int, argv **C.char) C.int {
	slog, _ := syslog.New(syslog.LOG_ALERT|syslog.LOG_AUTH, "mypam")
	slog.Alert("pam_sm_close_session") // nolint
	slog.Close()                       // nolint
	return C.PAM_SUCCESS
}

func main() {
}


================================================
FILE: plugins/pam/uidmonitorpam_c.go
================================================
package main

/*
#cgo LDFLAGS: -lpam -fPIC
#include <errno.h>
#include <pwd.h>
#include <security/pam_appl.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
#include<syslog.h>
int get_uid(char *user);

// get_user pulls the username out of the pam handle.
char *get_user(pam_handle_t *pamh) {
  if (!pamh)
    return NULL;
  int pam_err = 0;
  const char *user;

  if ((pam_err = pam_get_item(pamh, PAM_USER, (const void**)&user)) != PAM_SUCCESS)
    return NULL;

  return strdup(user);
}

// get_user pulls the username out of the pam handle.
char *get_ruser(pam_handle_t *pamh) {
  if (!pamh)
    return NULL;
  int pam_err = 0;
  const char *user;
  if ((pam_err = pam_get_item(pamh, PAM_RUSER, (const void**)&user)) != PAM_SUCCESS)
    return NULL;
  return strdup(user);
}



char *get_service(pam_handle_t *pamh){
  int pam_err = 0;
  if (!pamh)
    return NULL;
  const char *service;
  if ((pam_err = pam_get_item(pamh, PAM_SERVICE, (const void**)&service)) != PAM_SUCCESS)
    return NULL;
  return strdup(service);
}

void initLog() {
   openlog(NULL,LOG_PID,LOG_AUTH);
}

int is_system_user(char *user){
   struct passwd entry;
   struct passwd *result;
   char *buf;
   size_t bufsize;
  int s;
  bufsize = sysconf(_SC_GETPW_R_SIZE_MAX);
  if (bufsize == -1)
        bufsize = 16384;
   buf = malloc(bufsize);
   s = getpwnam_r(user,&entry,buf,bufsize,&result);
   if(result == NULL){
     if (s ==0){
       return 0;
     }
   }
//We are late enough in the stack to get no errors about missing users ideally

if(strcmp("/bin/nologin",entry.pw_shell)== 0 || strcmp("/bin/false",entry.pw_shell) || strlen(entry.pw_shell) < 1){
    syslog(LOG_ALERT,"Called with ruser %s",entry.pw_shell);
    syslog(LOG_ALERT,"Called with ruser %s",entry.pw_passwd);
    return 1;
 }
if(entry.pw_passwd[0] == '!' || entry.pw_passwd[0] == '*' || strcmp(entry.pw_passwd,"x") == 0){
return 1;
}
  return 0;
}

int is_root(char *user){
  struct passwd entry;
  struct passwd *result;
  char *buf;
  size_t bufsize;
  int s;
  int i =0;

  bufsize = sysconf(_SC_GETPW_R_SIZE_MAX);
  if (bufsize == -1)
        bufsize = 16384;
   buf = malloc(bufsize);
   s = getpwnam_r(user,&entry,buf,bufsize,&result);
   if(result == NULL){
     if (s ==0){
       return 0;
     }
   }
   if (entry.pw_uid == 0){
      return 1;
   }

  return 0;
}
*/
import "C"


================================================
FILE: policy/apiservices.go
================================================
package policy

import (
	"go.aporeto.io/enforcerd/trireme-lib/common"
	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/usertokens"
)

// ServiceType are the types of services that can are suported.
type ServiceType int

// Values of ServiceType
const (
	ServiceL3 ServiceType = iota
	ServiceHTTP
	ServiceTCP
	ServiceSecretsProxy
)

// ServiceTLSType is the types of TLS used on public port
type ServiceTLSType int

// Values of UserAuthorizationTypeValues
const (
	ServiceTLSTypeNone ServiceTLSType = iota
	ServiceTLSTypeAporeto
	ServiceTLSTypeCustom
)

// UserAuthorizationTypeValues is the types of user authorization methods that
// are supported.
type UserAuthorizationTypeValues int

// Values of UserAuthorizationTypeValues
const (
	UserAuthorizationNone UserAuthorizationTypeValues = iota
	UserAuthorizationMutualTLS
	UserAuthorizationJWT
	UserAuthorizationOIDC
)

// ApplicationServicesList is a list of ApplicationServices.
type ApplicationServicesList []*ApplicationService

// ApplicationService is the type of service that this PU exposes.
type ApplicationService struct {
	// ID is the id of the service
	ID string

	// NetworkInfo provides the network information (addresses/ports) of the service.
	// This is the public facing network information, or how the service can be
	// accessed. In the case of Load Balancers for example, this would be the
	// IP/port of the load balancer.
	NetworkInfo *common.Service

	// PrivateNetworkInfo captures the network service definition of an application
	// as seen by the application. For example the port that the application is
	// listening to. This is needed in the case of port mappings.
	PrivateNetworkInfo *common.Service

	// PrivateTLSListener indicates that the service uses a TLS listener. As a
	// result we must TLS for traffic send locally in the service.
	PrivateTLSListener bool

	// NoTLSExternalService indicates that TLS should not be used for an external
	// service. This option is used for API calls to local metadata APIs and
	// should not be used for access to the Internet.
	NoTLSExternalService bool

	// PublicNetworkInfo provides the network information where the enforcer
	// should listen for incoming connections of the service. This can be
	// different than the PrivateNetworkInfo where the application is listening
	// and it essentially allows users to create Virtual IPs and Virtual Ports
	// for the new exposed TLS services. So, if an application is listening
	// on port 80, users do not need to access the application from external
	// network through TLS on port 80, that looks weird. They can instead create
	// a PublicNetworkInfo and have the trireme listen on port 443, while the
	// application is still listening on port 80.
	PublicNetworkInfo *common.Service

	// Type is the type of the service.
	Type ServiceType

	// HTTPRules are only valid for HTTP Services and capture the list of APIs
	// exposed by the service.
	HTTPRules []*HTTPRule

	// Tags are the tags of the service.
	Tags []string

	// FallbackJWTAuthorizationCert is the certificate that has been used to sign
	// JWTs if they are not signed by the datapath
	FallbackJWTAuthorizationCert string

	// UserAuthorizationType is the type of user authorization that must be used.
	UserAuthorizationType UserAuthorizationTypeValues

	// UserAuthorizationHandler is the token handler for validating user tokens.
	UserAuthorizationHandler usertokens.Verifier

	// UserTokenToHTTPMappings is a map of mappings between JWT claims arriving in
	// a user request and outgoing HTTP headers towards an application. It
	// is used to allow operators to map claims to HTTP headers that downstream
	// applications can understand.
	UserTokenToHTTPMappings map[string]string

	// UserRedirectOnAuthorizationFail is the URL that the user can be redirected
	// if there is an authorization failure. This allows the display of a custom
	// message.
	UserRedirectOnAuthorizationFail string

	// External indicates if this is an external service. For external services
	// access control is implemented at the ingress.
	External bool

	// CACert is the certificate of the CA of external services. This allows TLS to
	// work with external services that use private CAs.
	CACert []byte

	// AuthToken is the authentication token for any external API service calls. It is
	// used for example by the secrets proxy.
	AuthToken string

	// MutualTLSTrustedRoots is the CA that must be used for mutual TLS authentication.
	MutualTLSTrustedRoots []byte

	// PublicServiceCertificate is a publically signed certificate that can be used
	// by the service to expose TLS to users without a Trireme client
	PublicServiceCertificate []byte

	// PublicServiceCertificateKey is the corresponding private key.
	PublicServiceCertificateKey []byte

	// PublicServiceTLSType specifies TLS Type to support on PublicService port.
	// This is useful for health checks. It should not be used for API access.
	PublicServiceTLSType ServiceTLSType
}

// HTTPRule holds a rule for a particular HTTPService. The rule
// relates a set of URIs defined as regular expressions with associated
// verbs. The * VERB indicates all actions.
type HTTPRule struct {
	// URIs is a list of regular expressions that describe the URIs that
	// a service is exposing.
	URIs []string

	// Methods is a list of the allowed verbs for the given list of URIs.
	Methods []string

	// ClaimMatchingRules is a list of matching rules associated with this rule. Clients
	// must present a set of claims that will satisfy these rules. Each rule
	// is an AND clause. The list of expressions is an OR of the AND clauses.
	ClaimMatchingRules [][]string

	// Public indicates that this is a public API and anyone can access it.
	// No authorization will be performed on public APIs.
	Public bool

	// HookMethod indicates that this rule is not for generic proxying but
	// must first be processed by the hook with the corresponding name.
	HookMethod string
}

// PublicPort returns the min port in the spec for the publicly exposed port.
func (a *ApplicationService) PublicPort() int {
	if a.PublicNetworkInfo == nil {
		return 0
	}
	return int(a.PublicNetworkInfo.Ports.Min)
}

// PrivatePort returns the min port in the spec for the private listening port.
func (a *ApplicationService) PrivatePort() int {
	if a.PrivateNetworkInfo == nil {
		return 0
	}
	return int(a.PrivateNetworkInfo.Ports.Min)
}


================================================
FILE: policy/interfaces.go
================================================
// Package policy describes a generic interface for retrieving policies.
// Different implementations are possible for environments such as Kubernetes,
// Mesos or other custom environments. An implementation has to provide
// a method for retrieving policy based on the metadata associated with the container
// and deleting the policy when the container dies. It is up to the implementation
// to decide how to generate the policy. The package also defines the basic data
// structure for communicating policy information. The implementations are responsible
// for providing all the necessary data.
package policy

import (
	"context"

	"github.com/docker/go-connections/nat"
	"go.aporeto.io/enforcerd/trireme-lib/common"
)

// A RuntimeReader allows to get the specific parameters stored in the Runtime
type RuntimeReader interface {

	// Pid returns the Pid of the Runtime.
	Pid() int

	// Name returns the process name of the Runtime.
	Name() string

	// NSPath returns the path to the namespace of the PU, if applicable
	NSPath() string

	// Tag returns  the value of the given tag.
	Tag(string) (string, bool)

	// Tags returns a copy of the list of the tags.
	Tags() *TagStore

	// Options returns a copy of the list of options.
	Options() OptionsType

	// IPAddresses returns a copy of all the IP addresses.
	IPAddresses() ExtendedMap

	// Returns the PUType for the PU
	PUType() common.PUType

	// SetServices sets the services of the runtime.
	SetServices(services []common.Service)

	// PortMap returns portmap (container port -> host port)
	PortMap() map[nat.Port][]string
}

// A Resolver must be implemented by a policy engine that receives monitor events.
type Resolver interface {

	// HandlePUEvent is called by all monitors when a PU event is generated. The implementer
	// is responsible to update all components by explicitly adding a new PU.
	HandlePUEvent(ctx context.Context, puID string, event common.Event, runtime RuntimeReader) error
}


================================================
FILE: policy/mockpolicy/mockpolicy.go
================================================
// Code generated by MockGen. DO NOT EDIT.
// Source: policy/interfaces.go

// Package mockpolicy is a generated GoMock package.
package mockpolicy

import (
	context "context"
	reflect "reflect"

	nat "github.com/docker/go-connections/nat"
	gomock "github.com/golang/mock/gomock"
	common "go.aporeto.io/enforcerd/trireme-lib/common"
	policy "go.aporeto.io/enforcerd/trireme-lib/policy"
)

// MockRuntimeReader is a mock of RuntimeReader interface
// nolint
type MockRuntimeReader struct {
	ctrl     *gomock.Controller
	recorder *MockRuntimeReaderMockRecorder
}

// MockRuntimeReaderMockRecorder is the mock recorder for MockRuntimeReader
// nolint
type MockRuntimeReaderMockRecorder struct {
	mock *MockRuntimeReader
}

// NewMockRuntimeReader creates a new mock instance
// nolint
func NewMockRuntimeReader(ctrl *gomock.Controller) *MockRuntimeReader {
	mock := &MockRuntimeReader{ctrl: ctrl}
	mock.recorder = &MockRuntimeReaderMockRecorder{mock}
	return mock
}

// EXPECT returns an object that allows the caller to indicate expected use
// nolint
func (m *MockRuntimeReader) EXPECT() *MockRuntimeReaderMockRecorder {
	return m.recorder
}

// Pid mocks base method
// nolint
func (m *MockRuntimeReader) Pid() int {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "Pid")
	ret0, _ := ret[0].(int)
	return ret0
}

// Pid indicates an expected call of Pid
// nolint
func (mr *MockRuntimeReaderMockRecorder) Pid() *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Pid", reflect.TypeOf((*MockRuntimeReader)(nil).Pid))
}

// Name mocks base method
// nolint
func (m *MockRuntimeReader) Name() string {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "Name")
	ret0, _ := ret[0].(string)
	return ret0
}

// Name indicates an expected call of Name
// nolint
func (mr *MockRuntimeReaderMockRecorder) Name() *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Name", reflect.TypeOf((*MockRuntimeReader)(nil).Name))
}

// NSPath mocks base method
// nolint
func (m *MockRuntimeReader) NSPath() string {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "NSPath")
	ret0, _ := ret[0].(string)
	return ret0
}

// NSPath indicates an expected call of NSPath
// nolint
func (mr *MockRuntimeReaderMockRecorder) NSPath() *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "NSPath", reflect.TypeOf((*MockRuntimeReader)(nil).NSPath))
}

// Tag mocks base method
// nolint
func (m *MockRuntimeReader) Tag(arg0 string) (string, bool) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "Tag", arg0)
	ret0, _ := ret[0].(string)
	ret1, _ := ret[1].(bool)
	return ret0, ret1
}

// Tag indicates an expected call of Tag
// nolint
func (mr *MockRuntimeReaderMockRecorder) Tag(arg0 interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Tag", reflect.TypeOf((*MockRuntimeReader)(nil).Tag), arg0)
}

// Tags mocks base method
// nolint
func (m *MockRuntimeReader) Tags() *policy.TagStore {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "Tags")
	ret0, _ := ret[0].(*policy.TagStore)
	return ret0
}

// Tags indicates an expected call of Tags
// nolint
func (mr *MockRuntimeReaderMockRecorder) Tags() *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Tags", reflect.TypeOf((*MockRuntimeReader)(nil).Tags))
}

// Options mocks base method
// nolint
func (m *MockRuntimeReader) Options() policy.OptionsType {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "Options")
	ret0, _ := ret[0].(policy.OptionsType)
	return ret0
}

// Options indicates an expected call of Options
// nolint
func (mr *MockRuntimeReaderMockRecorder) Options() *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Options", reflect.TypeOf((*MockRuntimeReader)(nil).Options))
}

// IPAddresses mocks base method
// nolint
func (m *MockRuntimeReader) IPAddresses() policy.ExtendedMap {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "IPAddresses")
	ret0, _ := ret[0].(policy.ExtendedMap)
	return ret0
}

// IPAddresses indicates an expected call of IPAddresses
// nolint
func (mr *MockRuntimeReaderMockRecorder) IPAddresses() *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "IPAddresses", reflect.TypeOf((*MockRuntimeReader)(nil).IPAddresses))
}

// PUType mocks base method
// nolint
func (m *MockRuntimeReader) PUType() common.PUType {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "PUType")
	ret0, _ := ret[0].(common.PUType)
	return ret0
}

// PUType indicates an expected call of PUType
// nolint
func (mr *MockRuntimeReaderMockRecorder) PUType() *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "PUType", reflect.TypeOf((*MockRuntimeReader)(nil).PUType))
}

// SetServices mocks base method
// nolint
func (m *MockRuntimeReader) SetServices(services []common.Service) {
	m.ctrl.T.Helper()
	m.ctrl.Call(m, "SetServices", services)
}

// SetServices indicates an expected call of SetServices
// nolint
func (mr *MockRuntimeReaderMockRecorder) SetServices(services interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetServices", reflect.TypeOf((*MockRuntimeReader)(nil).SetServices), services)
}

// PortMap mocks base method
// nolint
func (m *MockRuntimeReader) PortMap() map[nat.Port][]string {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "PortMap")
	ret0, _ := ret[0].(map[nat.Port][]string)
	return ret0
}

// PortMap indicates an expected call of PortMap
// nolint
func (mr *MockRuntimeReaderMockRecorder) PortMap() *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "PortMap", reflect.TypeOf((*MockRuntimeReader)(nil).PortMap))
}

// MockResolver is a mock of Resolver interface
// nolint
type MockResolver struct {
	ctrl     *gomock.Controller
	recorder *MockResolverMockRecorder
}

// MockResolverMockRecorder is the mock recorder for MockResolver
// nolint
type MockResolverMockRecorder struct {
	mock *MockResolver
}

// NewMockResolver creates a new mock instance
// nolint
func NewMockResolver(ctrl *gomock.Controller) *MockResolver {
	mock := &MockResolver{ctrl: ctrl}
	mock.recorder = &MockResolverMockRecorder{mock}
	return mock
}

// EXPECT returns an object that allows the caller to indicate expected use
// nolint
func (m *MockResolver) EXPECT() *MockResolverMockRecorder {
	return m.recorder
}

// HandlePUEvent mocks base method
// nolint
func (m *MockResolver) HandlePUEvent(ctx context.Context, puID string, event common.Event, runtime policy.RuntimeReader) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "HandlePUEvent", ctx, puID, event, runtime)
	ret0, _ := ret[0].(error)
	return ret0
}

// HandlePUEvent indicates an expected call of HandlePUEvent
// nolint
func (mr *MockResolverMockRecorder) HandlePUEvent(ctx, puID, event, runtime interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "HandlePUEvent", reflect.TypeOf((*MockResolver)(nil).HandlePUEvent), ctx, puID, event, runtime)
}


================================================
FILE: policy/policy.go
================================================
package policy

import (
	"context"
	"fmt"
	"strconv"
	"sync"

	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/usertokens"
)

// EnforcerType defines which enforcer type should be selected
type EnforcerType int

const (
	// EnforcerMapping lets the default enforcer configuration deal with it
	EnforcerMapping EnforcerType = iota
	// EnvoyAuthorizerEnforcer specifically asks for running an envoy enforcer/authorizer
	EnvoyAuthorizerEnforcer
)

// String implements the string interface
func (t EnforcerType) String() string {
	switch t {
	case EnforcerMapping:
		return "EnforcerMapping"
	case EnvoyAuthorizerEnforcer:
		return "EnvoyAuthorizerEnforcer"
	default:
		return strconv.Itoa(int(t))
	}
}

// EnforcerTypeFromString parses `str` and tries to convert it to
func EnforcerTypeFromString(str string) (EnforcerType, error) {
	switch str {
	case "EnforcerMapping":
		return EnforcerMapping, nil
	case "EnvoyAuthorizerEnforcer":
		return EnvoyAuthorizerEnforcer, nil
	default:
		i, err := strconv.Atoi(str)
		if err != nil {
			return EnforcerMapping, fmt.Errorf("failed to parse enforcer type from string number (input '%s'): %s", str, err.Error())
		}
		if i < int(EnforcerMapping) {
			return EnforcerMapping, fmt.Errorf("failed to parse enforcer type from string number (input '%s'): below possible valid value", str)
		}
		if i > int(EnvoyAuthorizerEnforcer) {
			return EnforcerMapping, fmt.Errorf("failed to parse enforcer type from string number (input '%s'): above possible valid value", str)
		}

		return EnforcerType(i), nil
	}
}

// PUPolicy captures all policy information related ot the container
type PUPolicy struct {

	// ManagementID is provided for the policy implementations as a means of
	// holding a policy identifier related to the implementation.
	managementID string
	// managementNamespace is provided for the policy implementations as a means of
	// holding a policy sub identifier related to the implementation.
	managementNamespace string
	// triremeAction defines what level of policy should be applied to that container.
	triremeAction PUAction
	// dnsACLs is the list of DNS names and the associated ports that the container is
	// allowed to talk to outside the data center
	DNSACLs DNSRuleList
	// applicationACLs is the list of ACLs to be applied when the container talks
	// to IP Addresses outside the data center
	applicationACLs IPRuleList
	// networkACLs is the list of ACLs to be applied from IP Addresses outside
	// the data center
	networkACLs IPRuleList
	// identity is the set of key value pairs that must be send over the wire.
	identity *TagStore
	// compressedTags is the set of of compressed key/value pairs as binary values.
	compressedTags *TagStore
	// annotations are key/value pairs  that should be used for accounting reasons
	annotations *TagStore
	// transmitterRules is the set of rules that implement the label matching at the Transmitter
	transmitterRules TagSelectorList
	// teceiverRules is the set of rules that implement matching at the Receiver
	receiverRules TagSelectorList
	// ips is the set of IP addresses and namespaces that the policy must be applied to
	ips ExtendedMap
	// servicesListeningPort is the port that we will use for the proxy.
	servicesListeningPort int
	// dnsProxyPort is the proxy port that listens dns traffic
	dnsProxyPort int
	// exposedServices is the list of services that this PU is exposing.
	exposedServices ApplicationServicesList
	// dependentServices is the list of services that this PU depends on.
	dependentServices ApplicationServicesList
	// servicesCertificate is the services certificate
	servicesCertificate string
	// servicePrivateKey is the service private key
	servicesPrivateKey string
	// servicesCA is the CA to be used for the outgoing services
	servicesCA string
	// scopes are the processing unit granted scopes
	scopes []string
	// enforcerType is the enforcer type that is supposed to get used for this PU
	enforcerType EnforcerType
	// appDefaultPolicyAction is the application default action of the namespace
	appDefaultPolicyAction ActionType
	// netDefaultPolicyAction is the network default action of the namespace
	netDefaultPolicyAction ActionType
	// logPrefixMapping maps a short nlog prefix it it's long prefix
	logPrefixMapping map[string]string
	// logPrefixMappingCalculated is used to no when to calculate the log mapping
	logPrefixMappingCalculated bool

	sync.Mutex
}

// PUAction defines the action types that applies for a specific PU as a whole.
type PUAction int

const (
	// AllowAll allows everything for the specific PU.
	AllowAll = 0x1
	// Police filters on the PU based on the PolicyRules.
	Police = 0x2
)

// NewPUPolicy generates a new ContainerPolicyInfo
// appACLs are the ACLs for packet coming from the Application/PU to the Network.
// netACLs are the ACLs for packet coming from the Network to the Application/PU.
func NewPUPolicy(
	id string,
	namespace string,
	action PUAction,
	appACLs IPRuleList,
	netACLs IPRuleList,
	dnsACLs DNSRuleList,
	txtags TagSelectorList,
	rxtags TagSelectorList,
	identity *TagStore,
	annotations *TagStore,
	compressedTags *TagStore,
	ips ExtendedMap,
	servicesListeningPort int,
	dnsProxyPort int,
	exposedServices ApplicationServicesList,
	dependentServices ApplicationServicesList,
	scopes []string,
	enforcerType EnforcerType,
	appDefaultPolicyAction ActionType,
	netDefaultPolicyAction ActionType,
) *PUPolicy {

	if appACLs == nil {
		appACLs = IPRuleList{}
	}
	if netACLs == nil {
		netACLs = IPRuleList{}
	}
	if dnsACLs == nil {
		dnsACLs = DNSRuleList{}
	}
	if txtags == nil {
		txtags = TagSelectorList{}
	}
	if rxtags == nil {
		rxtags = TagSelectorList{}
	}

	if identity == nil {
		identity = NewTagStore()
	}

	if annotations == nil {
		annotations = NewTagStore()
	}

	if compressedTags == nil {
		compressedTags = NewTagStore()
	}

	if ips == nil {
		ips = ExtendedMap{}
	}

	if exposedServices == nil {
		exposedServices = ApplicationServicesList{}
	}

	if dependentServices == nil {
		dependentServices = ApplicationServicesList{}
	}

	return &PUPolicy{
		managementID:           id,
		managementNamespace:    namespace,
		triremeAction:          action,
		applicationACLs:        appACLs,
		networkACLs:            netACLs,
		DNSACLs:                dnsACLs,
		transmitterRules:       txtags,
		receiverRules:          rxtags,
		identity:               identity,
		compressedTags:         compressedTags,
		annotations:            annotations,
		ips:                    ips,
		servicesListeningPort:  servicesListeningPort,
		dnsProxyPort:           dnsProxyPort,
		exposedServices:        exposedServices,
		dependentServices:      dependentServices,
		scopes:                 scopes,
		enforcerType:           enforcerType,
		appDefaultPolicyAction: appDefaultPolicyAction,
		netDefaultPolicyAction: netDefaultPolicyAction,
	}
}

// NewPUPolicyWithDefaults sets up a PU policy with defaults
func NewPUPolicyWithDefaults() *PUPolicy {
	return NewPUPolicy("", "", AllowAll, nil, nil, nil, nil, nil, nil, nil, nil, nil, 0, 0, nil, nil, []string{}, EnforcerMapping, Reject|Log, Reject|Log)
}

// Clone returns a copy of the policy
func (p *PUPolicy) Clone() *PUPolicy {
	p.Lock()
	defer p.Unlock()

	np := NewPUPolicy(
		p.managementID,
		p.managementNamespace,
		p.triremeAction,
		p.applicationACLs.Copy(),
		p.networkACLs.Copy(),
		p.DNSACLs.Copy(),
		p.transmitterRules.Copy(),
		p.receiverRules.Copy(),
		p.identity.Copy(),
		p.annotations.Copy(),
		p.compressedTags.Copy(),
		p.ips.Copy(),
		p.servicesListeningPort,
		p.dnsProxyPort,
		p.exposedServices,
		p.dependentServices,
		p.scopes,
		p.enforcerType,
		p.appDefaultPolicyAction,
		p.netDefaultPolicyAction,
	)

	return np
}

// ManagementID returns the management ID
func (p *PUPolicy) ManagementID() string {
	p.Lock()
	defer p.Unlock()

	return p.managementID
}

// ManagementNamespace returns the management Namespace
func (p *PUPolicy) ManagementNamespace() string {
	p.Lock()
	defer p.Unlock()

	return p.managementNamespace
}

// TriremeAction returns the TriremeAction
func (p *PUPolicy) TriremeAction() PUAction {
	p.Lock()
	defer p.Unlock()

	return p.triremeAction
}

// SetTriremeAction returns the TriremeAction
func (p *PUPolicy) SetTriremeAction(action PUAction) {
	p.Lock()
	defer p.Unlock()

	p.triremeAction = action
}

// ApplicationACLs returns a copy of IPRuleList
func (p *PUPolicy) ApplicationACLs() IPRuleList {
	p.Lock()
	defer p.Unlock()

	return p.applicationACLs.Copy()
}

// NetworkACLs returns a copy of IPRuleList
func (p *PUPolicy) NetworkACLs() IPRuleList {
	p.Lock()
	defer p.Unlock()

	return p.networkACLs.Copy()
}

// DNSNameACLs returns a copy of DNSRuleList
func (p *PUPolicy) DNSNameACLs() DNSRuleList {
	p.Lock()
	defer p.Unlock()

	return p.DNSACLs.Copy()
}

// ReceiverRules returns a copy of TagSelectorList
func (p *PUPolicy) ReceiverRules() TagSelectorList {
	p.Lock()
	defer p.Unlock()

	return p.receiverRules.Copy()
}

// AddReceiverRules adds a receiver rule
func (p *PUPolicy) AddReceiverRules(t TagSelector) {
	p.Lock()
	defer p.Unlock()

	p.receiverRules = append(p.receiverRules, t)
}

// TransmitterRules returns a copy of TagSelectorList
func (p *PUPolicy) TransmitterRules() TagSelectorList {
	p.Lock()
	defer p.Unlock()

	return p.transmitterRules.Copy()
}

// AddTransmitterRules adds a transmitter rule
func (p *PUPolicy) AddTransmitterRules(t TagSelector) {
	p.Lock()
	defer p.Unlock()

	p.transmitterRules = append(p.transmitterRules, t)
}

// Identity returns a copy of the Identity
func (p *PUPolicy) Identity() *TagStore {
	p.Lock()
	defer p.Unlock()

	return p.identity.Copy()
}

// CompressedTags returns the compressed tags of the policy.
func (p *PUPolicy) CompressedTags() *TagStore {
	p.Lock()
	defer p.Unlock()

	return p.compressedTags.Copy()
}

// Annotations returns a copy of the annotations
func (p *PUPolicy) Annotations() *TagStore {
	p.Lock()
	defer p.Unlock()

	return p.annotations.Copy()
}

// AddIdentityTag adds a policy tag
func (p *PUPolicy) AddIdentityTag(k, v string) {
	p.Lock()
	defer p.Unlock()

	p.identity.AppendKeyValue(k, v)
}

// IPAddresses returns all the IP addresses for the processing unit
func (p *PUPolicy) IPAddresses() ExtendedMap {
	p.Lock()
	defer p.Unlock()

	return p.ips.Copy()
}

// SetIPAddresses sets the IP addresses for the processing unit
func (p *PUPolicy) SetIPAddresses(l ExtendedMap) {
	p.Lock()
	defer p.Unlock()

	p.ips = l
}

// ExposedServices returns the exposed services
func (p *PUPolicy) ExposedServices() ApplicationServicesList {
	p.Lock()
	defer p.Unlock()

	return p.exposedServices
}

// DNSProxyPort gets the dns proxy port
func (p *PUPolicy) DNSProxyPort() string {
	p.Lock()
	defer p.Unlock()

	return strconv.Itoa(p.dnsProxyPort)
}

// DependentServices returns the external services.
func (p *PUPolicy) DependentServices() ApplicationServicesList {
	p.Lock()
	defer p.Unlock()

	return p.dependentServices
}

// ServicesListeningPort returns the port that should be used by the proxies.
func (p *PUPolicy) ServicesListeningPort() string {
	p.Lock()
	defer p.Unlock()

	return strconv.Itoa(p.servicesListeningPort)
}

// UpdateDNSNetworks updates the set of FQDN names allowed by the policy
func (p *PUPolicy) UpdateDNSNetworks(networks DNSRuleList) {
	p.Lock()
	defer p.Unlock()

	for k, v := range networks {
		p.DNSACLs[k] = v
	}
}

// UpdateServiceCertificates updates the certificate and private key of the policy
func (p *PUPolicy) UpdateServiceCertificates(cert, key string) {
	p.Lock()
	defer p.Unlock()

	p.servicesCertificate = cert
	p.servicesPrivateKey = key
}

// ServiceCertificates returns the service certificate.
func (p *PUPolicy) ServiceCertificates() (string, string, string) {
	p.Lock()
	defer p.Unlock()

	return p.servicesCertificate, p.servicesPrivateKey, p.servicesCA
}

// Scopes returns the scopes of the policy.
func (p *PUPolicy) Scopes() []string {
	p.Lock()
	defer p.Unlock()

	return p.scopes
}

// EnforcerType returns the enforcer type of the policy.
func (p *PUPolicy) EnforcerType() EnforcerType {
	p.Lock()
	defer p.Unlock()

	return p.enforcerType
}

// AppDefaultPolicyAction returns default application action.
func (p *PUPolicy) AppDefaultPolicyAction() ActionType {
	p.Lock()
	defer p.Unlock()

	return p.appDefaultPolicyAction
}

// NetDefaultPolicyAction returns default network action.
func (p *PUPolicy) NetDefaultPolicyAction() ActionType {
	p.Lock()
	defer p.Unlock()

	return p.netDefaultPolicyAction
}

// ToPublicPolicy converts the object to a marshallable object.
func (p *PUPolicy) ToPublicPolicy() *PUPolicyPublic {
	p.Lock()
	defer p.Unlock()

	return &PUPolicyPublic{
		ManagementID:           p.managementID,
		ManagementNamespace:    p.managementNamespace,
		TriremeAction:          p.triremeAction,
		ApplicationACLs:        p.applicationACLs.Copy(),
		NetworkACLs:            p.networkACLs.Copy(),
		DNSACLs:                p.DNSACLs.Copy(),
		TransmitterRules:       p.transmitterRules.Copy(),
		ReceiverRules:          p.receiverRules.Copy(),
		Annotations:            p.annotations.GetSlice(),
		CompressedTags:         p.compressedTags.GetSlice(),
		Identity:               p.identity.GetSlice(),
		IPs:                    p.ips.Copy(),
		ServicesListeningPort:  p.servicesListeningPort,
		DNSProxyPort:           p.dnsProxyPort,
		ExposedServices:        p.exposedServices,
		DependentServices:      p.dependentServices,
		Scopes:                 p.scopes,
		ServicesCA:             p.servicesCA,
		ServicesCertificate:    p.servicesCertificate,
		ServicesPrivateKey:     p.servicesPrivateKey,
		EnforcerType:           p.enforcerType,
		AppDefaultPolicyAction: p.appDefaultPolicyAction,
		NetDefaultPolicyAction: p.netDefaultPolicyAction,
	}
}

// LookupLogPrefix returns the long version of the nlog prefix
func (p *PUPolicy) LookupLogPrefix(key string) (string, bool) {

	p.Lock()
	defer p.Unlock()

	// On demand calculate the mapping
	p.calculateLogPrefixes()

	logPrefix, ok := p.logPrefixMapping[key]
	return logPrefix, ok
}

// GetLogPrefixes returns the current map of logging prefixes
func (p *PUPolicy) GetLogPrefixes() map[string]string {

	p.Lock()
	defer p.Unlock()

	// On demand calculate the mapping
	p.calculateLogPrefixes()

	clone := map[string]string{}
	for key, value := range p.logPrefixMapping {
		clone[key] = value
	}
	return clone
}

// MergeLogPrefixes merges existing prefixes with the current logging prefixes
func (p *PUPolicy) MergeLogPrefixes(prefixes map[string]string) {

	p.Lock()
	defer p.Unlock()

	// On demand calculate the mapping
	p.calculateLogPrefixes()

	for key, value := range prefixes {
		p.logPrefixMapping[key] = value
	}
}

// calculateLogPrefixes calculates the short/long logging prefixes
func (p *PUPolicy) calculateLogPrefixes() {

	// On demand calculate the mapping
	if !p.logPrefixMappingCalculated {
		p.logPrefixMapping = map[string]string{}
		compute := func(ruleList IPRuleList) {
			for _, ipRule := range ruleList {
				if ipRule.Policy != nil {
					key, value := ipRule.Policy.GetShortAndLongLogPrefix()
					p.logPrefixMapping[key] = value
				}
			}
		}
		compute(p.applicationACLs)
		compute(p.networkACLs)

		// mapping has been calculated
		p.logPrefixMappingCalculated = true
	}
}

// PUPolicyPublic captures all policy information related ot the processing
// unit in an object that can be marshalled and transmitted over the RPC interface.
type PUPolicyPublic struct {
	ManagementID           string                  `json:"managementID,omitempty"`
	ManagementNamespace    string                  `json:"managementNamespace,omitempty"`
	TriremeAction          PUAction                `json:"triremeAction,omitempty"`
	ApplicationACLs        IPRuleList              `json:"applicationACLs,omitempty"`
	NetworkACLs            IPRuleList              `json:"networkACLs,omitempty"`
	DNSACLs                DNSRuleList             `json:"dnsACLs,omitempty"`
	Identity               []string                `json:"identity,omitempty"`
	Annotations            []string                `json:"annotations,omitempty"`
	CompressedTags         []string                `json:"compressedtags,omitempty"`
	TransmitterRules       TagSelectorList         `json:"transmitterRules,omitempty"`
	ReceiverRules          TagSelectorList         `json:"receiverRules,omitempty"`
	IPs                    ExtendedMap             `json:"IPs,omitempty"`
	ServicesListeningPort  int                     `json:"servicesListeningPort,omitempty"`
	DNSProxyPort           int                     `json:"dnsProxyPort,omitempty"`
	ExposedServices        ApplicationServicesList `json:"exposedServices,omitempty"`
	DependentServices      ApplicationServicesList `json:"dependentServices,omitempty"`
	ServicesCertificate    string                  `json:"servicesCertificate,omitempty"`
	ServicesPrivateKey     string                  `json:"servicesPrivateKey,omitempty"`
	ServicesCA             string                  `json:"servicesCA,omitempty"`
	Scopes                 []string                `json:"scopes,omitempty"`
	EnforcerType           EnforcerType            `json:"enforcerTypes,omitempty"`
	AppDefaultPolicyAction ActionType              `json:"appDefaultPolicyAction,omitempty"`
	NetDefaultPolicyAction ActionType              `json:"netDefaultPolicyAction,omitempty"`
}

// ToPrivatePolicy converts the object to a private object.
func (p *PUPolicyPublic) ToPrivatePolicy(ctx context.Context, convert bool) (*PUPolicy, error) {
	var err error

	exposedServices := ApplicationServicesList{}
	for _, e := range p.ExposedServices {
		if convert {
			e.UserAuthorizationHandler, err = usertokens.NewVerifier(ctx, e.UserAuthorizationHandler)
			if err != nil {
				return nil, fmt.Errorf("unable to initialize user authorization handler for service: %s - error %s", e.ID, err)
			}
		}
		exposedServices = append(exposedServices, e)
	}

	return &PUPolicy{
		managementID:           p.ManagementID,
		managementNamespace:    p.ManagementNamespace,
		triremeAction:          p.TriremeAction,
		applicationACLs:        p.ApplicationACLs,
		networkACLs:            p.NetworkACLs.Copy(),
		DNSACLs:                p.DNSACLs.Copy(),
		transmitterRules:       p.TransmitterRules.Copy(),
		receiverRules:          p.ReceiverRules.Copy(),
		annotations:            NewTagStoreFromSlice(p.Annotations),
		compressedTags:         NewTagStoreFromSlice(p.CompressedTags),
		identity:               NewTagStoreFromSlice(p.Identity),
		ips:                    p.IPs.Copy(),
		servicesListeningPort:  p.ServicesListeningPort,
		dnsProxyPort:           p.DNSProxyPort,
		exposedServices:        exposedServices,
		dependentServices:      p.DependentServices,
		scopes:                 p.Scopes,
		enforcerType:           p.EnforcerType,
		servicesCA:             p.ServicesCA,
		servicesCertificate:    p.ServicesCertificate,
		servicesPrivateKey:     p.ServicesPrivateKey,
		appDefaultPolicyAction: p.AppDefaultPolicyAction,
		netDefaultPolicyAction: p.NetDefaultPolicyAction,
	}, nil
}


================================================
FILE: policy/policy_test.go
================================================
// +build !windows

package policy

import (
	"testing"

	. "github.com/smartystreets/goconvey/convey"
	"go.aporeto.io/enforcerd/trireme-lib/common"
)

func TestNewPolicy(t *testing.T) {
	Convey("Given that I instantiate a new policy", t, func() {

		Convey("When I provide only the mandatory fields", func() {
			p := NewPUPolicy("id1", "/abc", AllowAll, nil, nil, nil, nil, nil, nil, nil, nil, nil, 0, 0, nil, nil, []string{}, EnforcerMapping, Reject|Log, Reject|Log)
			Convey("I shpuld get an empty policy", func() {
				So(p, ShouldNotBeNil)
				So(p.applicationACLs, ShouldNotBeNil)
				So(p.networkACLs, ShouldNotBeNil)
				So(p.triremeAction, ShouldEqual, AllowAll)
				So(p.transmitterRules, ShouldNotBeNil)
				So(p.receiverRules, ShouldNotBeNil)
				So(p.identity, ShouldNotBeNil)
				So(p.ips, ShouldNotBeNil)
				ShouldEqual(p.appDefaultPolicyAction, Reject|Log)
				ShouldEqual(p.netDefaultPolicyAction, Reject|Log)
			})
		})

		Convey("When I provide all the feilds", func() {
			appACL := IPRule{
				Policy: &FlowPolicy{
					Action:   Accept,
					PolicyID: "1",
				},
				Addresses: []string{"10.0.0.0/8"},
				Protocols: []string{"tcp"},
				Ports:     []string{"80"},
			}

			netACL := IPRule{
				Policy: &FlowPolicy{
					Action:   Accept,
					PolicyID: "2",
				},
				Addresses: []string{"20.0.0.0/8"},
				Protocols: []string{"tcp"},
				Ports:     []string{"80"},
			}

			clause := KeyValueOperator{
				Key:      "app",
				Value:    []string{"web"},
				Operator: Equal,
			}

			txtags := TagSelectorList{
				TagSelector{
					Clause: []KeyValueOperator{clause},
					Policy: &FlowPolicy{Action: Accept, PolicyID: "3"},
				},
			}
			rxtags := TagSelectorList{
				TagSelector{
					Clause: []KeyValueOperator{clause},
					Policy: &FlowPolicy{Action: Reject, PolicyID: "4"},
				},
			}

			identity := NewTagStore()
			identity.AppendKeyValue("image", "nginx")

			annotations := NewTagStore()
			annotations.AppendKeyValue("image", "nginx")
			annotations.AppendKeyValue("server", "local")

			ips := ExtendedMap{DefaultNamespace: "172.0.0.1"}

			p := NewPUPolicy(
				"id",
				"/abc",
				AllowAll,
				IPRuleList{appACL},
				IPRuleList{netACL},
				nil,
				txtags,
				rxtags,
				identity,
				annotations,
				nil,
				ips,
				0,
				0,
				nil,
				nil,
				[]string{},
				EnforcerMapping,
				Reject|Log,
				Reject|Log,
			)

			Convey("Then I should get the right policy", func() {
				So(p, ShouldNotBeNil)
				So(p.triremeAction, ShouldEqual, AllowAll)
				So(p.applicationACLs, ShouldResemble, IPRuleList{appACL})
				So(p.networkACLs, ShouldResemble, IPRuleList{netACL})
				So(p.transmitterRules, ShouldResemble, txtags)
				So(p.receiverRules, ShouldResemble, rxtags)
				So(p.identity, ShouldResemble, identity)
				So(p.annotations, ShouldResemble, annotations)
				So(p.ips, ShouldResemble, ips)
			})
		})
	})
}

func TestNewPolicyWithDefaults(t *testing.T) {
	Convey("When I create a default policy", t, func() {
		p := NewPUPolicyWithDefaults()
		Convey("I shpuld get an empty policy", func() {
			So(p, ShouldNotBeNil)
			So(p.applicationACLs, ShouldNotBeNil)
			So(p.networkACLs, ShouldNotBeNil)
			So(p.triremeAction, ShouldEqual, AllowAll)
			So(p.transmitterRules, ShouldNotBeNil)
			So(p.receiverRules, ShouldNotBeNil)
			So(p.identity, ShouldNotBeNil)
			So(p.ips, ShouldNotBeNil)
		})
	})
}

func TestFuncClone(t *testing.T) {
	Convey("When I have a default policy", t, func() {
		appACL := IPRule{
			Policy: &FlowPolicy{
				Action:   Accept,
				PolicyID: "1",
			},
			Addresses: []string{"10.0.0.0/8"},
			Protocols: []string{"tcp"},
			Ports:     []string{"80"},
		}

		netACL := IPRule{
			Policy: &FlowPolicy{
				Action:   Accept,
				PolicyID: "2",
			},
			Addresses: []string{"20.0.0.0/8"},
			Protocols: []string{"tcp"},
			Ports:     []string{"80"},
		}

		clause := KeyValueOperator{
			Key:      "app",
			Value:    []string{"web"},
			Operator: Equal,
		}

		txtags := TagSelectorList{
			TagSelector{
				Clause: []KeyValueOperator{clause},
				Policy: &FlowPolicy{Action: Accept, PolicyID: "3"},
			},
		}
		rxtags := TagSelectorList{
			TagSelector{
				Clause: []KeyValueOperator{clause},
				Policy: &FlowPolicy{Action: Reject, PolicyID: "4"},
			},
		}

		identity := NewTagStore()
		identity.AppendKeyValue("image", "nginx")

		annotations := NewTagStore()
		annotations.AppendKeyValue("image", "nginx")
		annotations.AppendKeyValue("server", "local")

		ips := ExtendedMap{DefaultNamespace: "172.0.0.1"}

		d := NewPUPolicy(
			"id",
			"/abc",
			AllowAll,
			IPRuleList{appACL},
			IPRuleList{netACL},
			nil,
			txtags,
			rxtags,
			identity,
			annotations,
			nil,
			ips,
			0,
			0,
			nil,
			nil,
			[]string{},
			EnforcerMapping,
			Reject|Log,
			Reject|Log,
		)
		Convey("If I clone the policy", func() {
			p := d.Clone()
			Convey("I should get the same policy", func() {
				So(p, ShouldNotBeNil)
				So(p.triremeAction, ShouldEqual, AllowAll)
				So(p.applicationACLs, ShouldResemble, IPRuleList{appACL})
				So(p.networkACLs, ShouldResemble, IPRuleList{netACL})
				So(p.transmitterRules, ShouldResemble, txtags)
				So(p.receiverRules, ShouldResemble, rxtags)
				So(p.identity, ShouldResemble, identity)
				So(p.annotations, ShouldResemble, annotations)
				So(p.ips, ShouldResemble, ips)
			})
		})
	})
}

func TestAllLockedSetGet(t *testing.T) {
	Convey("Given a good policy", t, func() {
		appACL := IPRule{
			Policy: &FlowPolicy{
				Action:   Accept,
				PolicyID: "1",
			},
			Addresses: []string{"10.0.0.0/8"},
			Protocols: []string{"tcp"},
			Ports:     []string{"80"},
		}

		netACL := IPRule{
			Policy: &FlowPolicy{
				Action:   Accept,
				PolicyID: "2",
			},
			Addresses: []string{"20.0.0.0/8"},
			Protocols: []string{"tcp"},
			Ports:     []string{"80"},
		}

		clause := KeyValueOperator{
			Key:      "app",
			Value:    []string{"web"},
			Operator: Equal,
		}

		txtags := TagSelectorList{
			TagSelector{
				Clause: []KeyValueOperator{clause},
				Policy: &FlowPolicy{Action: Accept, PolicyID: "3"},
			},
		}
		rxtags := TagSelectorList{
			TagSelector{
				Clause: []KeyValueOperator{clause},
				Policy: &FlowPolicy{Action: Reject, PolicyID: "4"},
			},
		}

		identity := NewTagStore()
		identity.AppendKeyValue("image", "nginx")

		annotations := NewTagStore()
		annotations.AppendKeyValue("image", "nginx")
		annotations.AppendKeyValue("server", "local")

		ips := ExtendedMap{DefaultNamespace: "172.0.0.1"}

		p := NewPUPolicy(
			"id1",
			"/abc",
			AllowAll,
			IPRuleList{appACL},
			IPRuleList{netACL},
			nil,
			txtags,
			rxtags,
			identity,
			annotations,
			nil,
			ips,
			0,
			0,
			nil,
			nil,
			[]string{},
			EnvoyAuthorizerEnforcer,
			Reject|Log,
			Reject|Log,
		)

		Convey("I should be able to retrieve the management ID ", func() {
			id := p.ManagementID()
			So(id, ShouldResemble, "id1")
		})

		Convey("I should be able to retrieve the management namespace ", func() {
			ns := p.ManagementNamespace()
			So(ns, ShouldResemble, "/abc")
		})

		Convey("I should be able to retrieve the Action", func() {
			So(p.TriremeAction(), ShouldEqual, AllowAll)
		})

		Convey("I should be able to set the trireme action", func() {
			p.SetTriremeAction(Police)
			So(p.triremeAction, ShouldEqual, Police)
		})

		Convey("I should be able to retrieve the APP acls ", func() {
			So(p.ApplicationACLs(), ShouldResemble, IPRuleList{appACL})
		})

		Convey("I should be able to retrieve the NET acls", func() {
			So(p.NetworkACLs(), ShouldResemble, IPRuleList{netACL})
		})

		Convey("I should be able to retrieve the receiver rules", func() {
			So(p.ReceiverRules(), ShouldResemble, rxtags)
		})

		Convey("I should be able to retrieve the transmitter rules", func() {
			So(p.TransmitterRules(), ShouldResemble, txtags)
		})

		Convey("I should be able to retrieve the identity", func() {
			So(p.Identity(), ShouldResemble, identity)
		})

		Convey("I should be able to retrieve the annotations", func() {
			So(p.Annotations(), ShouldResemble, annotations)
		})

		Convey("I should be able to retrieve the IPAddresses", func() {
			So(p.IPAddresses(), ShouldResemble, ips)
		})

		Convey("I should be able to retrieve the EnforcerType", func() {
			So(p.EnforcerType(), ShouldEqual, EnvoyAuthorizerEnforcer)
		})

		Convey("If I add an identity key/value pair, it should succeed", func() {
			p.AddIdentityTag("key", "value")
			t, ok := p.Identity().Get("key")
			So(ok, ShouldBeTrue)
			So(t, ShouldResemble, "value")
		})

		Convey("If I update the IPS, it should succeed", func() {
			p.SetIPAddresses(ExtendedMap{DefaultNamespace: "40.0.0.0/8"})
			So(p.IPAddresses(), ShouldResemble, ExtendedMap{DefaultNamespace: "40.0.0.0/8"})
		})

		newclause := KeyValueOperator{
			Key:      "app",
			Value:    []string{"added"},
			Operator: Equal,
		}

		Convey("If I add a transmitter rule, it should succeed", func() {

			rule := TagSelector{
				Clause: []KeyValueOperator{newclause},
				Policy: &FlowPolicy{Action: Accept, PolicyID: "3"},
			}

			p.AddTransmitterRules(rule)
			So(len(p.TransmitterRules()), ShouldEqual, 2)
			So(p.TransmitterRules()[1], ShouldResemble, rule)
		})

		Convey("If I add a receiver rule, it should succeed", func() {
			rule := TagSelector{
				Clause: []KeyValueOperator{newclause},
				Policy: &FlowPolicy{Action: Reject, PolicyID: "4"},
			}
			p.AddReceiverRules(rule)
			So(len(p.ReceiverRules()), ShouldEqual, 2)
			So(p.ReceiverRules()[1], ShouldResemble, rule)
		})
	})

}

func TestPUInfo(t *testing.T) {
	Convey("Given I try to initiate a new container policy", t, func() {
		puInfor := NewPUInfo("123", "/abc", common.ContainerPU)
		policy := NewPUPolicy("123", "/abc", AllowAll, nil, nil, nil, nil, nil, nil, nil, nil, nil, 0, 0, nil, nil, []string{}, EnforcerMapping, Reject|Log, Reject|Log)
		runtime := NewPURuntime("", 0, "", nil, nil, common.ContainerPU, None, nil)
		Convey("Then I expect the struct to be populated", func() {
			So(puInfor.ContextID, ShouldEqual, "123")
			So(puInfor.Policy, ShouldResemble, policy)
			So(puInfor.Runtime, ShouldResemble, runtime)
		})
	})
}


================================================
FILE: policy/policyerror.go
================================================
package policy

import "fmt"

// ErrorReason is the reason for an error
type ErrorReason string

const (
	// PUNotFound error reason
	PUNotFound ErrorReason = "PUNotFound"

	// PUNotUnique error reason
	PUNotUnique ErrorReason = "PUNotUnique"

	// PUCreateFailed error reason
	PUCreateFailed ErrorReason = "PUCreateFailed"

	// PUAlreadyActivated error reason
	PUAlreadyActivated ErrorReason = "PUAlreadyActivated"

	// PUPolicyPending error reason indicates that policy activation is pending.
	PUPolicyPending ErrorReason = "PUPolicyPending"

	// PUPolicyEnforcementFailed error reason indicates that enforcement failed.
	PUPolicyEnforcementFailed
)

var policyErrorDescription = map[ErrorReason]string{
	PUNotFound:         "unable to find PU with ID",
	PUNotUnique:        "more than one PU with ID exist",
	PUCreateFailed:     "failed to create PU",
	PUAlreadyActivated: "PU has been already activated previously",
}

// Error is a specific error type for context
type Error struct {
	puID   string
	reason ErrorReason
	err    error
}

func (e *Error) Error() string {
	desc, ok := policyErrorDescription[e.reason]
	var err string
	if e.err != nil {
		err = ": " + e.err.Error()
	}
	if !ok {
		return fmt.Sprintf("%s %s%s", e.reason, e.puID, err)
	}
	return fmt.Sprintf("%s %s: %s%s", e.reason, e.puID, desc, err)
}

// ErrPUNotFound creates a new context not found error
func ErrPUNotFound(puID string, err error) error {
	return &Error{
		puID:   puID,
		reason: PUNotFound,
		err:    err,
	}
}

// ErrPUNotUnique creates a new not unique error
func ErrPUNotUnique(puID string, err error) error {
	return &Error{
		puID:   puID,
		reason: PUNotUnique,
		err:    err,
	}
}

// ErrPUCreateFailed creates a new PU create failed error
func ErrPUCreateFailed(puID string, err error) error {
	return &Error{
		puID:   puID,
		reason: PUCreateFailed,
		err:    err,
	}
}

// ErrPUAlreadyActivated creates a new PU already activated error
func ErrPUAlreadyActivated(puID string, err error) error {
	return &Error{
		puID:   puID,
		reason: PUAlreadyActivated,
		err:    err,
	}
}

// ErrPUPolicyPending creates a new PU policy pending error.
func ErrPUPolicyPending(puID string, err error) error {
	return &Error{
		puID:   puID,
		reason: PUPolicyPending,
		err:    err,
	}
}

// ErrPUPolicyEnforcementFailed creates a new PU policy pending error.
func ErrPUPolicyEnforcementFailed(puID string, err error) error {
	return &Error{
		puID:   puID,
		reason: PUPolicyEnforcementFailed,
		err:    err,
	}
}

// IsErrPUNotFound checks if this error is a PU not found error
func IsErrPUNotFound(err error) bool {
	switch t := err.(type) {
	case *Error:
		return t.reason == PUNotFound
	default:
		return false
	}
}

// IsErrPUNotUnique checks if this error is a PU not unique error
func IsErrPUNotUnique(err error) bool {
	switch t := err.(type) {
	case *Error:
		return t.reason == PUNotUnique
	default:
		return false
	}
}

// IsErrPUCreateFailed checks if this error is a PU not unique error
func IsErrPUCreateFailed(err error) bool {
	switch t := err.(type) {
	case *Error:
		return t.reason == PUCreateFailed
	default:
		return false
	}
}

// IsErrPUAlreadyActivated checks if this error is a PU already activated error
func IsErrPUAlreadyActivated(err error) bool {
	switch t := err.(type) {
	case *Error:
		return t.reason == PUAlreadyActivated
	default:
		return false
	}
}

// IsErrPUPolicyPending checks if this error is a PU policy pending error.
func IsErrPUPolicyPending(err error) bool {
	switch t := err.(type) {
	case *Error:
		return t.reason == PUPolicyPending
	default:
		return false
	}
}

// IsErrPUEnforcementFailed checks if this error is a PU policy pending error.
func IsErrPUEnforcementFailed(err error) bool {
	switch t := err.(type) {
	case *Error:
		return t.reason == PUPolicyEnforcementFailed
	default:
		return false
	}
}


================================================
FILE: policy/policyerror_test.go
================================================
// +build !windows

package policy

import (
	"fmt"
	"testing"

	. "github.com/smartystreets/goconvey/convey"
)

func TestPolicyErrors(t *testing.T) {
	Convey("A manually constructed error object", t, func() {
		err := Error{
			puID:   "whatever",
			reason: ErrorReason("its-typed-for-a-reason"),
			err:    nil,
		}
		Convey("should still print a proper error message", func() {
			expected := "its-typed-for-a-reason whatever"
			So(err.Error(), ShouldEqual, expected)
		})
	})
	Convey("Creating error objects using their initializers for", t, func() {
		failure := fmt.Errorf("failure")
		Convey("ErrPUNotFound", func() {
			err := ErrPUNotFound("default/pod", failure)
			So(err, ShouldNotBeNil)
			Convey("should print an expected error message", func() {
				expected := fmt.Sprintf("%s %s: %s%s", PUNotFound, "default/pod", policyErrorDescription[PUNotFound], ": "+failure.Error())
				So(err.Error(), ShouldEqual, expected)
			})
			Convey("should successfully test against its probing function", func() {
				So(IsErrPUNotFound(err), ShouldBeTrue)
				So(IsErrPUNotFound(failure), ShouldBeFalse)
			})
		})
		Convey("ErrPUNotUnique", func() {
			err := ErrPUNotUnique("default/pod", failure)
			So(err, ShouldNotBeNil)
			Convey("should print an expected error message", func() {
				expected := fmt.Sprintf("%s %s: %s%s", PUNotUnique, "default/pod", policyErrorDescription[PUNotUnique], ": "+failure.Error())
				So(err.Error(), ShouldEqual, expected)
			})
			Convey("should successfully test against its probing function", func() {
				So(IsErrPUNotUnique(err), ShouldBeTrue)
				So(IsErrPUNotUnique(failure), ShouldBeFalse)
			})
		})
		Convey("ErrPUCreateFailed", func() {
			err := ErrPUCreateFailed("default/pod", failure)
			So(err, ShouldNotBeNil)
			Convey("should print an expected error message", func() {
				expected := fmt.Sprintf("%s %s: %s%s", PUCreateFailed, "default/pod", policyErrorDescription[PUCreateFailed], ": "+failure.Error())
				So(err.Error(), ShouldEqual, expected)
			})
			Convey("should successfully test against its probing function", func() {
				So(IsErrPUCreateFailed(err), ShouldBeTrue)
				So(IsErrPUCreateFailed(failure), ShouldBeFalse)
			})
		})
		Convey("ErrPUAlreadyActivated", func() {
			err := ErrPUAlreadyActivated("default/pod", failure)
			So(err, ShouldNotBeNil)
			Convey("should print an expected error message", func() {
				expected := fmt.Sprintf("%s %s: %s%s", PUAlreadyActivated, "default/pod", policyErrorDescription[PUAlreadyActivated], ": "+failure.Error())
				So(err.Error(), ShouldEqual, expected)
			})
			Convey("should successfully test against its probing function", func() {
				So(IsErrPUAlreadyActivated(err), ShouldBeTrue)
				So(IsErrPUAlreadyActivated(failure), ShouldBeFalse)
			})
		})
	})
}


================================================
FILE: policy/puinfo.go
================================================
package policy

import "go.aporeto.io/enforcerd/trireme-lib/common"

// PUInfo  captures all policy information related to a connection as well as runtime.
// It makes passing data around simpler.
type PUInfo struct {
	// ContextID is the ID of the container that the policy applies to
	ContextID string
	// Policy is an instantiation of the container policy
	Policy *PUPolicy
	// RunTime captures all data that are captured from the container
	Runtime *PURuntime
}

// NewPUInfo instantiates a new ContainerPolicy
func NewPUInfo(contextID, namespace string, puType common.PUType) *PUInfo {
	policy := NewPUPolicy(contextID, namespace, AllowAll, nil, nil, nil, nil, nil, nil, nil, nil, nil, 0, 0, nil, nil, []string{}, EnforcerMapping, Reject|Log, Reject|Log)
	runtime := NewPURuntime("", 0, "", nil, nil, puType, None, nil)
	return PUInfoFromPolicyAndRuntime(contextID, policy, runtime)
}

// PUInfoFromPolicyAndRuntime generates a ContainerInfo Struct from an existing RuntimeInfo and PolicyInfo
func PUInfoFromPolicyAndRuntime(contextID string, policyInfo *PUPolicy, runtimeInfo *PURuntime) *PUInfo {
	return &PUInfo{
		ContextID: contextID,
		Policy:    policyInfo,
		Runtime:   runtimeInfo,
	}
}


================================================
FILE: policy/runtime.go
================================================
package policy

import (
	"encoding/json"
	"sync"

	"github.com/docker/go-connections/nat"
	"go.aporeto.io/enforcerd/trireme-lib/common"
)

// PURuntime holds all data related to the status of the container run time
type PURuntime struct {
	// puType is the type of the PU (container or process )
	puType common.PUType
	// Pid holds the value of the first process of the container
	pid int
	// NsPath is the path to the networking namespace for this PURuntime if applicable.
	nsPath string
	// Name is the name of the container
	name string
	// IPAddress is the IP Address of the container
	ips ExtendedMap
	// Tags is a map of the metadata of the container
	tags *TagStore
	// options
	options *OptionsType
	// ServiceMeshType determines which serviceMesh is enabled ont he pod
	ServiceMeshType ServiceMesh

	sync.Mutex
}

// PURuntimeJSON is a Json representation of PURuntime
type PURuntimeJSON struct {
	// PUType is the type of the PU
	PUType common.PUType
	// Pid holds the value of the first process of the container
	Pid int
	// NSPath is the path to the networking namespace for this PURuntime if applicable.
	NSPath string
	// Name is the name of the container
	Name string
	// IPAddress is the IP Address of the container
	IPAddresses ExtendedMap
	// Tags is a map of the metadata of the container
	Tags []string
	// Options is a map of the options of the container
	Options *OptionsType
}

// NewPURuntime Generate a new RuntimeInfo
func NewPURuntime(
	name string, pid int, nsPath string, tags *TagStore,
	ips ExtendedMap, puType common.PUType, serviceMeshType ServiceMesh, options *OptionsType) *PURuntime {

	if tags == nil {
		tags = NewTagStore()
	}

	if ips == nil {
		ips = ExtendedMap{}
	}

	if options == nil {
		options = &OptionsType{}
	}

	return &PURuntime{
		puType:          puType,
		tags:            tags,
		ips:             ips,
		options:         options,
		pid:             pid,
		nsPath:          nsPath,
		name:            name,
		ServiceMeshType: serviceMeshType,
	}
}

// NewPURuntimeWithDefaults sets up PURuntime with defaults
func NewPURuntimeWithDefaults() *PURuntime {

	return NewPURuntime("", 0, "", nil, nil, common.ContainerPU, None, nil)
}

// Clone returns a copy of the policy
func (r *PURuntime) Clone() *PURuntime {
	r.Lock()
	defer r.Unlock()

	return NewPURuntime(r.name, r.pid, r.nsPath, r.tags.Copy(), r.ips.Copy(), r.puType, None, r.options)
}

// MarshalJSON Marshals this struct.
func (r *PURuntime) MarshalJSON() ([]byte, error) {
	return json.Marshal(&PURuntimeJSON{
		PUType:      r.puType,
		Pid:         r.pid,
		NSPath:      r.nsPath,
		Name:        r.name,
		IPAddresses: r.ips,
		Tags:        r.tags.GetSlice(),
		Options:     r.options,
	})
}

// UnmarshalJSON Unmarshals this struct.
func (r *PURuntime) UnmarshalJSON(param []byte) error {
	a := &PURuntimeJSON{}
	if err := json.Unmarshal(param, &a); err != nil {
		return err
	}
	r.pid = a.Pid
	r.nsPath = a.NSPath
	r.name = a.Name
	r.ips = a.IPAddresses
	r.tags = NewTagStoreFromSlice(a.Tags)
	r.options = a.Options
	r.puType = a.PUType
	return nil
}

// Pid returns the PID
func (r *PURuntime) Pid() int {
	r.Lock()
	defer r.Unlock()

	return r.pid
}

// SetPid sets the PID
func (r *PURuntime) SetPid(pid int) {
	r.Lock()
	defer r.Unlock()

	r.pid = pid
}

// NSPath returns the NSPath
func (r *PURuntime) NSPath() string {
	r.Lock()
	defer r.Unlock()

	return r.nsPath
}

// SetNSPath sets the NSPath
func (r *PURuntime) SetNSPath(nsPath string) {
	r.Lock()
	defer r.Unlock()

	r.nsPath = nsPath
}

// SetPUType sets the PU Type
func (r *PURuntime) SetPUType(puType common.PUType) {
	r.Lock()
	defer r.Unlock()

	r.puType = puType
}

// SetOptions sets the Options
func (r *PURuntime) SetOptions(options OptionsType) {
	r.Lock()
	defer r.Unlock()

	r.options = &options
}

// Name returns the PID
func (r *PURuntime) Name() string {
	r.Lock()
	defer r.Unlock()

	return r.name
}

// PUType returns the PU type
func (r *PURuntime) PUType() common.PUType {
	r.Lock()
	defer r.Unlock()

	return r.puType
}

// IPAddresses returns all the IP addresses for the processing unit
func (r *PURuntime) IPAddresses() ExtendedMap {
	r.Lock()
	defer r.Unlock()

	return r.ips.Copy()
}

// SetIPAddresses sets up all the IP addresses for the processing unit
func (r *PURuntime) SetIPAddresses(ipa ExtendedMap) {
	r.Lock()
	defer r.Unlock()

	r.ips = ipa.Copy()
}

// Tag returns a specific tag for the processing unit
func (r *PURuntime) Tag(key string) (string, bool) {
	r.Lock()
	defer r.Unlock()

	tag, ok := r.tags.Get(key)
	return tag, ok
}

// Tags returns a copy of the tags for the processing unit
func (r *PURuntime) Tags() *TagStore {
	r.Lock()
	defer r.Unlock()

	return r.tags.Copy()
}

// SetTags returns tags for the processing unit
func (r *PURuntime) SetTags(t *TagStore) {
	r.Lock()
	defer r.Unlock()

	r.tags = t.Copy()
}

// Options returns tags for the processing unit
func (r *PURuntime) Options() OptionsType {
	r.Lock()
	defer r.Unlock()

	r.ensureOptions()

	return *r.options
}

// SetServices updates the services of the runtime.
func (r *PURuntime) SetServices(services []common.Service) {
	r.Lock()
	defer r.Unlock()

	r.ensureOptions()

	r.options.Services = services
}

// PortMap returns the mapping from host port->container port
func (r *PURuntime) PortMap() map[nat.Port][]string {
	r.Lock()
	defer r.Unlock()

	if r.options != nil {
		return r.options.PortMap
	}

	return nil
}

func (r *PURuntime) ensureOptions() {
	if r.options == nil {
		r.options = &OptionsType{}
	}
}


================================================
FILE: policy/runtime_test.go
================================================
// +build !windows

package policy

import (
	"testing"

	"github.com/docker/go-connections/nat"
	. "github.com/smartystreets/goconvey/convey"
	"go.aporeto.io/enforcerd/trireme-lib/common"
)

func TestNewPURunTime(t *testing.T) {
	Convey("When I create a new run time, it should be valid", t, func() {

		tags := NewTagStore()
		tags.AppendKeyValue("image", "nginx")
		tags.AppendKeyValue("server", "local")

		ips := ExtendedMap{DefaultNamespace: "172.0.0.1"}

		runtime := NewPURuntime(
			"container1",
			123,
			"",
			tags,
			ips,
			common.ContainerPU,
			None,
			nil,
		)

		So(runtime, ShouldNotBeNil)
		So(runtime.puType, ShouldEqual, common.ContainerPU)
		So(runtime.tags, ShouldResemble, tags)
		So(runtime.ips, ShouldResemble, ips)
		So(runtime.options, ShouldNotBeNil)
		So(runtime.pid, ShouldEqual, 123)
		So(runtime.name, ShouldResemble, "container1")
	})
}

func TestNewPDefaultURunTime(t *testing.T) {
	Convey("When I create a new run time, it should be valid", t, func() {
		runtime := NewPURuntimeWithDefaults()

		So(runtime, ShouldNotBeNil)
		So(runtime.puType, ShouldEqual, common.ContainerPU)
		So(runtime.tags, ShouldResemble, NewTagStore())
		So(runtime.ips, ShouldResemble, ExtendedMap{})
		So(runtime.options, ShouldNotBeNil)
		So(runtime.pid, ShouldEqual, 0)
		So(runtime.name, ShouldResemble, "")
	})
}

func TestBasicFunctions(t *testing.T) {
	Convey("Given a valid runtime", t, func() {
		tags := NewTagStore()
		tags.AppendKeyValue("image", "nginx")
		tags.AppendKeyValue("server", "local")

		ips := ExtendedMap{DefaultNamespace: "172.0.0.1"}

		portMap := map[nat.Port][]string{nat.Port("80"): {"8001", "8002"}}

		runtime := NewPURuntime(
			"container1",
			123,
			"",
			tags,
			ips,
			common.ContainerPU,
			None,
			nil,
		)

		Convey("When I clone it, I should get the right runtime", func() {
			cloned := runtime.Clone()
			So(cloned, ShouldResemble, runtime)
		})

		Convey("I should retrieve the right Pid", func() {
			So(runtime.Pid(), ShouldEqual, 123)
		})

		Convey("I shopuld be able to set the Pid", func() {
			runtime.SetPid(567)
			So(runtime.Pid(), ShouldEqual, 567)
		})

		Convey("I should be able to update and get the PUType", func() {
			runtime.SetPUType(common.LinuxProcessPU)
			So(runtime.PUType(), ShouldEqual, common.LinuxProcessPU)
		})

		Convey("I should be able to set and get the right options", func() {
			runtime.SetOptions(OptionsType{CgroupName: "test"})
			So(runtime.Options(), ShouldResemble, OptionsType{CgroupName: "test"})
		})

		Convey("I should be able to set portmap in options and get the right portmap", func() {
			runtime.SetOptions(OptionsType{PortMap: portMap})
			So(runtime.PortMap(), ShouldResemble, portMap)
		})

		Convey("I should ge the right name", func() {
			So(runtime.Name(), ShouldEqual, "container1")
		})

		Convey("If I update the IP addresses, they should updated", func() {
			runtime.SetIPAddresses(ExtendedMap{DefaultNamespace: "10.1.1.1"})
			So(runtime.IPAddresses(), ShouldResemble, ExtendedMap{DefaultNamespace: "10.1.1.1"})
		})

		Convey("I should be able to get the tags", func() {
			So(runtime.Tags(), ShouldResemble, tags)
			value, ok := runtime.Tag("image")
			So(ok, ShouldBeTrue)
			So(value, ShouldEqual, "nginx")
		})

		Convey("I should be able to set the tags", func() {
			modify := NewTagStoreFromSlice([]string{"$set=new"})
			runtime.SetTags(modify)
			So(runtime.Tags(), ShouldResemble, modify)
			value, ok := runtime.Tag("$set")
			So(ok, ShouldBeTrue)
			So(value, ShouldEqual, "new")
			_, ok = runtime.Tag("image")
			So(ok, ShouldBeFalse)
		})
	})
}


================================================
FILE: policy/tagstore.go
================================================
package policy

import (
	"encoding/json"
	"fmt"
	"strings"
)

// TagStore stores the tags - it allows duplicate key values
type TagStore struct {
	// Could have used a map of maps, but I want to preserve the insert order of the key=value.
	tags map[string][]string
}

// UnmarshalJSON custom unmarshal bytes to tagstore
func (t *TagStore) UnmarshalJSON(b []byte) error {
	var s []string
	if err := json.Unmarshal(b, &s); err != nil {
		return err
	}
	// create new map because I expect only the unmarshalled data be in the storen
	t.tags = map[string][]string{}
	t.MergeSlice(s)
	return nil
}

// MarshalJSON custom marshal tagstore to bytes
func (t *TagStore) MarshalJSON() ([]byte, error) {
	return json.Marshal(t.GetSlice())
}

// NewTagStore creates a new TagStore
func NewTagStore() *TagStore {
	return &TagStore{map[string][]string{}}
}

// NewTagStoreFromSlice creates a new tag store from a slice.
func NewTagStoreFromSlice(tags []string) *TagStore {
	tagStore := NewTagStore()
	tagStore.MergeSlice(tags)
	return tagStore
}

// NewTagStoreFromMap creates a tag store from an input map
func NewTagStoreFromMap(tags map[string]string) *TagStore {
	tagStore := NewTagStore()
	tagStore.MergeMap(tags)
	return tagStore
}

// GetSlice returns the tagstore as a slice
func (t *TagStore) GetSlice() []string {
	slice := []string{}
	for key, values := range t.tags {
		if len(values) == 0 {
			slice = append(slice, key)
		} else {
			for _, value := range values {
				slice = append(slice, fmt.Sprintf("%s=%s", key, value))
			}
		}
	}
	return slice
}

// Copy copies a TagStore
func (t *TagStore) Copy() *TagStore {
	tagStore := NewTagStore()
	tagStore.MergeSlice(t.GetSlice())
	return tagStore
}

// Get does a lookup in the list of tags
func (t *TagStore) Get(key string) (string, bool) {
	// This function doesn't handle duplicate keys, so we grab the first one that was inserted.
	// This is how the previous code would have worked when it used a slice
	if _, ok := t.tags[key]; ok {
		values := t.tags[key]
		if len(values) != 0 {
			return values[0], true
		}
	}
	return "", false
}

// Merge merges tags from m into native tag store.
func (t *TagStore) Merge(m *TagStore) {
	for key, values := range m.tags {
		if len(values) == 0 {
			t.AppendKeyValue(key, "")
		} else {
			for _, value := range values {
				t.AppendKeyValue(key, value)
			}
		}
	}
}

// MergeSlice merges slice of tags into the tag store.
func (t *TagStore) MergeSlice(tags []string) {
	for _, tag := range tags {
		t.Add(tag)
	}
}

// MergeMap merges map of tags into the tag store.
func (t *TagStore) MergeMap(tags map[string]string) {
	for key, value := range tags {
		t.AppendKeyValue(key, value)
	}
}

// Add appends tag to the tag store
func (t *TagStore) Add(tag string) {
	parts := strings.Split(tag, "=")
	switch len(parts) {
	case 1:
		t.AppendKeyValue(tag, "")
	case 2:
		t.AppendKeyValue(parts[0], parts[1])
	}
}

// AppendKeyValue appends a key and value to the tag store
func (t *TagStore) AppendKeyValue(key, value string) {
	if _, ok := t.tags[key]; !ok {
		t.tags[key] = []string{}
	}
	// Dont add empty string to the slice
	if len(value) == 0 {
		return
	}
	// Only add if it doesn't exist
	for _, v := range t.tags[key] {
		if v == value {
			return
		}
	}
	t.tags[key] = append(t.tags[key], value)
}

// String provides a string representation of tag store.
func (t *TagStore) String() string {
	builder := strings.Builder{}
	for key, values := range t.tags {
		if builder.Len() != 0 {
			builder.WriteString(" ")
		}
		if len(values) == 0 {
			builder.WriteString(key)
		} else {
			for index, value := range values {
				if index != 0 {
					builder.WriteString(" ")
				}
				builder.WriteString(key)
				builder.WriteString("=")
				builder.WriteString(value)
			}
		}
	}
	return builder.String()
}

// IsEmpty if no key value pairs exist.
func (t *TagStore) IsEmpty() bool {
	return len(t.tags) == 0
}

// GetKeys returns the unique keys for this tag store
func (t *TagStore) GetKeys() []string {
	keys := []string{}
	for k := range t.tags {
		keys = append(keys, k)
	}
	return keys
}

// RemoveTagsByKeys removes all tags by key
func (t *TagStore) RemoveTagsByKeys(keys []string) {
	for _, k := range keys {
		delete(t.tags, k)
	}
}


================================================
FILE: policy/tagstore_test.go
================================================
// +build !windows

package policy

import (
	"encoding/json"
	"strings"
	"testing"

	. "github.com/smartystreets/goconvey/convey"
)

func TestNewTagStore(t *testing.T) {
	Convey("When I create a new Tagstore", t, func() {
		t := NewTagStore()
		Convey("It should not be nil", func() {
			So(t, ShouldNotBeNil)
			So(t.IsEmpty(), ShouldEqual, true)
		})
	})
}

func TestNewTagStoreFromMap(t *testing.T) {
	Convey("When I create a new tagstore from a map", t, func() {
		t := NewTagStoreFromMap(map[string]string{
			"app":   "web",
			"image": "nginx",
		})

		Convey("I should have the right store", func() {
			So(t, ShouldNotBeNil)
			tags := t.GetSlice()

			So(len(tags), ShouldEqual, 2)
			So(tags, ShouldContain, "app=web")
			So(tags, ShouldContain, "image=nginx")
		})
	})
}

func TestMerge(t *testing.T) {
	Convey("When I create a new tagstore from a map", t, func() {
		t := NewTagStoreFromMap(map[string]string{
			"app":   "web",
			"image": "nginx",
		})

		Convey("When I merge another store", func() {
			So(t, ShouldNotBeNil)
			m := NewTagStoreFromMap(map[string]string{
				"location": "somewhere",
			})
			So(m, ShouldNotBeNil)
			t.Merge(m)

			tags := t.GetSlice()
			So(len(tags), ShouldEqual, 3)
			So(tags, ShouldContain, "app=web")
			So(tags, ShouldContain, "image=nginx")
			So(tags, ShouldContain, "location=somewhere")
		})
	})
}

func TestString(t *testing.T) {
	Convey("When I create a new tagstore the String() should match", t, func() {
		tags := []string{"app=web", "app=web1", "id", "image=nginx"}
		t := NewTagStoreFromSlice(tags)
		So(t.IsEmpty(), ShouldEqual, false)
		newTags := strings.Split(t.String(), " ")
		So(len(tags), ShouldEqual, len(newTags))
		for _, tag := range newTags {
			So(tags, ShouldContain, tag)
		}
	})
}

func TestMergeCollision(t *testing.T) {
	Convey("When I create a new tagstore from a map", t, func() {
		t := NewTagStoreFromMap(map[string]string{
			"app":   "web",
			"image": "nginx",
		})

		Convey("When I merge another store with collisions", func() {
			So(t, ShouldNotBeNil)
			m := NewTagStoreFromMap(map[string]string{
				"app": "web",
			})
			So(m, ShouldNotBeNil)
			t.Merge(m)

			tags := t.GetSlice()
			So(len(tags), ShouldEqual, 2)
			So(tags, ShouldContain, "app=web")
			So(tags, ShouldContain, "image=nginx")
		})

		Convey("When I merge another store with duplicate keys", func() {
			So(t, ShouldNotBeNil)
			m := NewTagStoreFromSlice([]string{
				"fred",
				"app",
				"app=web2",
			})
			So(m, ShouldNotBeNil)
			t.Merge(m)

			tags := t.GetSlice()
			So(len(tags), ShouldEqual, 4)
			So(tags, ShouldContain, "fred")
			So(tags, ShouldContain, "app=web")
			So(tags, ShouldContain, "app=web2")
			So(tags, ShouldContain, "image=nginx")
		})
	})
}

func TestAllSettersGetters(t *testing.T) {
	Convey("When I create a new tagstore from a map", t, func() {
		ts := NewTagStoreFromMap(map[string]string{
			"app":   "web",
			"image": "nginx",
		})

		Convey("If I copy the tag store, it should be equal", func() {
			newstore := ts.Copy()
			So(newstore, ShouldNotBeNil)
			So(newstore, ShouldResemble, ts)
		})

		Convey("When I get a valid key, it should return the value", func() {
			value, ok := ts.Get("app")
			So(ok, ShouldBeTrue)
			So(value, ShouldResemble, "web")
		})

		Convey("When I get a non valid key, it should return false", func() {
			value, ok := ts.Get("randomkey")
			So(ok, ShouldBeFalse)
			So(value, ShouldEqual, "")
		})

		Convey("If I append a key/value pair, it should be in the store", func() {
			ts.AppendKeyValue("NewKey", "NewValue")
			value, ok := ts.Get("NewKey")
			So(ok, ShouldBeTrue)
			So(value, ShouldEqual, "NewValue")
		})

		Convey("If the store is corrupted", func() {
			tags := ts.GetSlice()
			tags = append(tags, "badtag")
			ts = NewTagStoreFromSlice(tags)
			value, ok := ts.Get("randomeky")
			So(ok, ShouldBeFalse)
			So(value, ShouldEqual, "")
		})
	})
}

func TestJsonMarshal(t *testing.T) {

	tags := []string{
		"app=web",
		"image=nginx",
		"fred",
	}

	Convey("When I create a new tagstore from a slice", t, func() {
		ts := NewTagStoreFromSlice(tags)

		bytes, err := json.Marshal(ts)
		So(err, ShouldBeNil)
		So(bytes, ShouldNotBeNil)

		newTS := &TagStore{}
		err = json.Unmarshal(bytes, newTS)
		So(err, ShouldBeNil)

		tags := newTS.GetSlice()
		So(len(tags), ShouldEqual, 3)
		So(tags, ShouldContain, "fred")
		So(tags, ShouldContain, "app=web")
		So(tags, ShouldContain, "image=nginx")

		// this test will make sure the tagstore is re-initialized
		newTS2 := NewTagStoreFromSlice([]string{"dummy"})
		err = json.Unmarshal(bytes, newTS2)
		So(err, ShouldBeNil)
		tags = newTS2.GetSlice()
		So(len(tags), ShouldEqual, 3)
		So(tags, ShouldContain, "fred")
		So(tags, ShouldContain, "app=web")
		So(tags, ShouldContain, "image=nginx")
	})
}

func TestGetKeys(t *testing.T) {
	Convey("When I create a new tagstore from a map", t, func() {
		t := NewTagStoreFromMap(map[string]string{
			"app":   "web",
			"image": "nginx",
		})

		keys := t.GetKeys()
		So(len(keys), ShouldEqual, 2)
		So(keys, ShouldContain, "app")
		So(keys, ShouldContain, "image")
	})
}

func TestRemoveKeys(t *testing.T) {
	Convey("When I create a new tagstore from a map", t, func() {
		t := NewTagStoreFromSlice([]string{
			"app=web",
			"app1=web",
			"image=nginx",
			"image=nginx1",
		})

		t.RemoveTagsByKeys([]string{"app", "image", "fred"})

		keys := t.GetKeys()
		So(len(keys), ShouldEqual, 1)
		So(keys, ShouldContain, "app1")
	})
}


================================================
FILE: policy/types.go
================================================
package policy

import (
	"errors"
	"fmt"
	"hash/fnv"
	"net"
	"strings"

	"github.com/docker/go-connections/nat"
	"go.aporeto.io/enforcerd/trireme-lib/common"
	"go.aporeto.io/enforcerd/trireme-lib/utils/portspec"
	"go.aporeto.io/gaia"
	"go.uber.org/zap"
)

// Aporeto tag key and value constants
const (
	TagKeyController = "$controller"
	TagKeyID         = "$id"
	TagKeyIdentity   = "$identity"

	TagValueProcessingUnit = "processingunit"
)

const (
	// DefaultNamespace is the default namespace for applying policy
	DefaultNamespace = "bridge"
)

// constants for various actions
const (
	actionReject      = "reject"
	actionAccept      = "accept"
	actionPassthrough = "passthrough"
	actionEncrypt     = "encrypt"
	actionLog         = "log"

	oactionContinue = "continue"
	oactionApply    = "apply"

	actionNone    = "none"
	actionUnknown = "unknown"
)

// Operator defines the operation between your key and value.
type Operator string

const (
	// Equal is the equal operator
	Equal = "="
	// NotEqual is the not equal operator
	NotEqual = "=!"
	// KeyExists is the key=* operator
	KeyExists = "*"
	// KeyNotExists means that the key doesnt exist in the incoming tags
	KeyNotExists = "!*"
)

// ActionType   is the action that can be applied to a flow.
type ActionType byte

// Accepted returns if the action mask contains the Accepted mask.
func (f ActionType) Accepted() bool {
	return f&Accept > 0
}

// Rejected returns if the action mask contains the Rejected mask.
func (f ActionType) Rejected() bool {
	return f&Reject > 0
}

// Encrypted returns if the action mask contains the Encrypted mask.
func (f ActionType) Encrypted() bool {
	return f&Encrypt > 0
}

// Logged returns if the action mask contains the Logged mask.
func (f ActionType) Logged() bool {
	return f&Log > 0
}

// Observed returns if the action mask contains the Observed mask.
func (f ActionType) Observed() bool {
	return f&Observe > 0
}

// ActionString returns if the action if accepted of rejected as a long string.
func (f ActionType) ActionString() string {
	if f.Accepted() && !f.Rejected() {
		return actionAccept
	}

	if !f.Accepted() && f.Rejected() {
		return actionReject
	}

	return actionPassthrough
}

func (f ActionType) String() string {
	switch f {
	case Accept:
		return actionAccept
	case Reject:
		return actionReject
	case Encrypt:
		return actionEncrypt
	case Log:
		return actionLog
	}

	return actionUnknown
}

const (
	// Accept is the accept action
	Accept ActionType = 0x1
	// Reject is the reject  action
	Reject ActionType = 0x2
	// Encrypt instructs data to be encrypted
	Encrypt ActionType = 0x4
	// Log instructs the datapath to log the IP addresses
	Log ActionType = 0x8
	// Observe instructs the datapath to observe policy results
	Observe ActionType = 0x10
)

// ObserveActionType is the action that can be applied to a flow for an observation rule.
type ObserveActionType byte

// Observed returns true if any observed action was found.
func (f ObserveActionType) Observed() bool {
	return f != ObserveNone
}

// ObserveContinue returns if the action of observation rule is continue.
func (f ObserveActionType) ObserveContinue() bool {
	return f&ObserveContinue > 0
}

// ObserveApply returns if the action of observation rule is allow.
func (f ObserveActionType) ObserveApply() bool {
	return f&ObserveApply > 0
}

func (f ObserveActionType) String() string {
	switch f {
	case ObserveNone:
		return actionNone
	case ObserveContinue:
		return oactionContinue
	case ObserveApply:
		return oactionApply
	}

	return actionUnknown
}

// Observe actions are used in conjunction with action.
const (
	// ObserveNone specifies if any observation was made or not.
	ObserveNone ObserveActionType = 0x0
	// ObserveContinue is used to not take any action on packet and is deferred to
	// an actual rule with accept or deny action.
	ObserveContinue ObserveActionType = 0x1
	// ObserveApply is used to apply action to packets hitting this rule.
	ObserveApply ObserveActionType = 0x2
)

// FlowPolicy captures the policy for a particular flow
type FlowPolicy struct {
	ObserveAction   ObserveActionType
	Action          ActionType
	ServiceID       string
	PolicyID        string
	RuleName        string
	Labels          []string
	ServicePriority uint32 // A hash of the ServiceID
	Priority        uint32 // Priority based on the ExternalNetwork entries
}

// Clone creates a copy of the FlowPolicy
func (f *FlowPolicy) Clone() *FlowPolicy {
	clone := &FlowPolicy{
		ObserveAction:   f.ObserveAction,
		Action:          f.Action,
		ServiceID:       f.ServiceID,
		PolicyID:        f.PolicyID,
		RuleName:        f.RuleName,
		Labels:          f.Labels,
		ServicePriority: f.ServicePriority,
		Priority:        f.Priority,
	}
	return clone
}

// LogPrefix is the prefix used in nf-log action. It must be less than
func (f *FlowPolicy) LogPrefix(contextID string) string {

	hash, err := Fnv32Hash(contextID)
	if err != nil {
		zap.L().Warn("unable to generate log prefix hash", zap.Error(err))
	}

	ruleExtNetName, _ := f.GetShortAndLongLogPrefix()
	return hash + ":" + ruleExtNetName + ":" + f.EncodedActionString()
}

// LogPrefixAction is the prefix used in nf-log action with the given action.
// NOTE: If 0 or empty action is passed, the default is reject (6).
func (f *FlowPolicy) LogPrefixAction(contextID string, action string) string {

	hash, err := Fnv32Hash(contextID)
	if err != nil {
		zap.L().Warn("unable to generate log prefix hash", zap.Error(err))
	}

	if len(action) == 0 || action == "0" {
		action = "6"
	}

	ruleExtNetName, _ := f.GetShortAndLongLogPrefix()
	return hash + ":" + ruleExtNetName + ":" + action
}

// DefaultLogPrefix return the prefix used in nf-log action for default rule.
func DefaultLogPrefix(contextID string, action ActionType) string {

	hash, err := Fnv32Hash(contextID)
	if err != nil {
		zap.L().Warn("unable to generate log prefix hash", zap.Error(err))
	}

	if action.Accepted() {
		return hash + ":default:default:3"
	}

	return hash + ":default:default:6"
}

// DefaultDropPacketLogPrefix generates the nflog prefix for packets logged by the catch all default rule
func DefaultDropPacketLogPrefix(contextID string) string {

	hash, err := Fnv32Hash(contextID)
	if err != nil {
		zap.L().Warn("unable to generate log prefix hash", zap.Error(err))
	}

	return hash + ":default:default:10"
}

// DefaultAction generates the default action of the rule
func DefaultAction(action ActionType) string {
	if action.Accepted() {
		return "ACCEPT"
	}
	return "DROP"
}

// EncodedActionString is used to encode observed action as well as action
func (f *FlowPolicy) EncodedActionString() string {

	var e string

	if f.Action.Accepted() && !f.Action.Rejected() {
		if f.ObserveAction.ObserveContinue() {
			e = "1"
		} else if f.ObserveAction.ObserveApply() {
			e = "2"
		} else {
			e = "3"
		}
	} else if !f.Action.Accepted() && f.Action.Rejected() {
		if f.ObserveAction.ObserveContinue() {
			e = "4"
		} else if f.ObserveAction.ObserveApply() {
			e = "5"
		} else {
			e = "6"
		}
	} else {
		if f.ObserveAction.ObserveContinue() {
			e = "7"
		} else if f.ObserveAction.ObserveApply() {
			e = "8"
		} else {
			e = "9"
		}
	}
	return e
}

// GetShortAndLongLogPrefix returns the short and long log prefix
func (f *FlowPolicy) GetShortAndLongLogPrefix() (string, string) {

	getFirstXChars := func(str string, numChars int) string {
		if len(str) <= numChars {
			return str
		}
		return str[0:numChars]
	}

	getLastXChars := func(str string, numChars int) string {
		strLen := len(str)
		if strLen <= numChars {
			return str
		}
		index := strLen - numChars
		return str[index:]
	}

	// If we don't have a rulename, then do it the old way
	if (len(f.RuleName)) <= 0 {
		prefix := f.PolicyID + ":" + f.ServiceID
		return prefix, prefix
	}

	// The shortPrefix will become a key in a map we use to look up the long prefix.
	// I want to put as much of the info in the short logging prefix as possible to help
	// with debugging, but it needs to be unique
	hash, err := Fnv32Hash(f.PolicyID, f.ServiceID, f.RuleName)
	if err != nil {
		zap.L().Warn("unable to generate log prefix hash", zap.Error(err))
	}

	longPrefix := f.PolicyID + ":" + f.ServiceID + ":" + f.RuleName

	// We have 64 characters max for the logging prefix.
	// The ContextHash and Action are appended else where
	// ContextHash(10):PolicyID(10):ServiceID(10):RuleName(10)_hash(10):Action(2) = a max of 57 chars

	var builder strings.Builder
	builder.WriteString(getLastXChars(f.PolicyID, 10))
	builder.WriteString(":")
	builder.WriteString(getLastXChars(f.ServiceID, 10))
	builder.WriteString(":")
	builder.WriteString(getFirstXChars(f.RuleName, 10))
	builder.WriteString("_")
	builder.WriteString(hash)
	return builder.String(), longPrefix
}

// EncodedStringToAction returns action and observed action from encoded string.
func EncodedStringToAction(e string) (ActionType, ObserveActionType, error) {

	switch e {
	case "1":
		return Observe | Accept, ObserveContinue, nil
	case "2":
		return Observe | Accept, ObserveApply, nil
	case "3":
		return Accept, ObserveNone, nil
	case "4":
		return Observe | Reject, ObserveContinue, nil
	case "5":
		return Observe | Reject, ObserveApply, nil
	case "6":
		return Reject, ObserveNone, nil
	case "7":
		return Observe, ObserveContinue, nil
	case "8":
		return Observe, ObserveApply, nil
	case "9":
		return 0, ObserveNone, nil
	}

	return 0, 0, errors.New("Invalid encoding")
}

// IPRule holds IP rules to external services
type IPRule struct {
	Addresses  []string
	Ports      []string
	Protocols  []string
	Extensions []string
	Policy     *FlowPolicy
}

// IPRuleList is a list of IP rules
type IPRuleList []IPRule

// PortProtocolPolicy holds the assicated ports, protocols and policy
type PortProtocolPolicy struct {
	Ports     []string
	Protocols []string
	Policy    *FlowPolicy
}

// DNSRuleList is a map from fqdns to a list of policies.
type DNSRuleList map[string][]PortProtocolPolicy

// Copy creates a clone of DNS rule list
func (l DNSRuleList) Copy() DNSRuleList {
	dnsRuleList := DNSRuleList{}

	// nolint:gosimple //S1001: should use copy() instead of a loop (gosimple) // false positive
	for k, v := range l {
		dnsRuleList[k] = v
	}

	return dnsRuleList
}

// Copy creates a clone of the IP rule list
func (l IPRuleList) Copy() IPRuleList {
	list := make(IPRuleList, len(l))

	// nolint:gosimple //S1001: should use copy() instead of a loop (gosimple) // false positive
	for i, v := range l {
		list[i] = v
	}

	return list
}

// KeyValueOperator describes an individual matchinggit  rule
type KeyValueOperator struct {
	Key       string
	Value     []string
	Operator  Operator
	ID        string
	PortRange *portspec.PortSpec
}

// TagSelector info describes a tag selector key Operator value
type TagSelector struct {
	Clause []KeyValueOperator
	Policy *FlowPolicy
}

// TagSelectorList defines a list of TagSelectors
type TagSelectorList []TagSelector

// Copy  returns a copy of the TagSelectorList
func (t TagSelectorList) Copy() TagSelectorList {
	list := make(TagSelectorList, len(t))

	// nolint:gosimple //S1001: should use copy() instead of a loop (gosimple) // false positive
	for i, v := range t {
		list[i] = v
	}

	return list
}

// ExtendedMap is a common map with additional functions
type ExtendedMap map[string]string

// Copy copies an ExtendedMap
func (s ExtendedMap) Copy() ExtendedMap {
	// nolint:gosimple //S1001: should use copy() instead of a loop (gosimple) // false positive
	c := ExtendedMap{}
	for k, v := range s {
		c[k] = v
	}
	return c
}

// Get does a lookup in the map
func (s ExtendedMap) Get(key string) (string, bool) {
	value, ok := s[key]
	return value, ok
}

// OptionsType is a set of options that can be passed with a policy request
type OptionsType struct {
	// CgroupName is the name of the cgroup
	CgroupName string

	// CgroupMark is the tag of the cgroup
	CgroupMark string

	// UserID is the user ID if it exists
	UserID string

	// AutoPort option is set if auto port is enabled
	AutoPort bool

	// Services is the list of services of interest
	Services []common.Service

	// PolicyExtensions is policy resolution extensions
	PolicyExtensions interface{}

	// PortMap maps container port -> host ports.
	PortMap map[nat.Port][]string

	// ConvertedDockerPU is set when a docker PU is converted to LinuxProcess
	// in order to implement host network containers.
	ConvertedDockerPU bool
}

// RuntimeError is an error detected by the TriremeController that has to be
// returned at a later time to the policy engine to take action.
type RuntimeError struct {
	ContextID string
	Error     error
}

// DebugConfigInput holds information needed to start a debug collect.
type DebugConfigInput struct {
	DebugType   gaia.EnforcerRefreshDebugValue
	NativeID    string
	FilePath    string
	PcapFilter  string
	CommandExec string
}

// DebugConfigResult holds results from a debug collect.
type DebugConfigResult struct {
	PID           int
	CommandOutput string
}

// DebugConfig holds information needed for a single debug collect operation.
type DebugConfig struct {
	DebugConfigInput
	DebugConfigResult
}

// DebugConfigMulti holds information needed for a debug collect operation on all remote enforcers.
type DebugConfigMulti struct {
	DebugConfigInput
	Results map[string]*DebugConfigResult
}

// PingConfig holds the configuration to run ping.
type PingConfig struct {
	Mode               gaia.ProcessingUnitRefreshPingModeValue
	ID                 string
	IP                 net.IP
	Port               uint16
	Iterations         int
	TargetTCPNetworks  bool
	ExcludedNetworks   bool
	ServiceCertificate string
	ServiceKey         string
	ServiceAddresses   map[string][]string
}

// Ping Errors.
const (
	ErrExcludedNetworks  = "excludednetworks"
	ErrTargetTCPNetworks = "targettcpnetworks"
)

// Error returns error as string from ping config.
func (p *PingConfig) Error() string {

	switch {
	case p.ExcludedNetworks:
		return ErrExcludedNetworks
	case !p.TargetTCPNetworks:
		return ErrTargetTCPNetworks
	default:
		return ""
	}
}

// PingPayload holds the payload carried on the wire.
type PingPayload struct {
	PingID               string      `codec:",omitempty"`
	IterationID          int         `codec:",omitempty"`
	ApplicationListening bool        `codec:",omitempty"`
	NamespaceHash        string      `codec:",omitempty"`
	ServiceType          ServiceType `codec:",omitempty"`
}

// Fnv32Hash hash the given data by Fnv32-bit algorithm.
func Fnv32Hash(data ...string) (string, error) {

	if len(data) == 0 {
		return "", fmt.Errorf("no data to hash")
	}

	aggregatedData := ""
	for _, ed := range data {
		aggregatedData += ed
	}

	hash := fnv.New32()
	if _, err := hash.Write([]byte(aggregatedData)); err != nil {
		return "", fmt.Errorf("unable to hash data: %v", err)
	}

	return fmt.Sprintf("%d", hash.Sum32()), nil
}

// ServiceMesh to determine pod is of which servicemesh type
type ServiceMesh int

const (
	// None means the pod have no servicemesh enabled on it
	None ServiceMesh = iota
	// Istio servicemesh enabled on the pod
	Istio
)

func (s ServiceMesh) String() string {
	return [...]string{"None", "Istio"}[s]
}


================================================
FILE: policy/types_test.go
================================================
// +build !windows

package policy

import (
	"testing"

	. "github.com/smartystreets/goconvey/convey"
)

func TestDefaultLogPrefix(t *testing.T) {
	Convey("When I request a new default log prefix", t, func() {
		t := DefaultLogPrefix("abc", Reject)
		f := &FlowPolicy{
			Action: Reject,
		}
		Convey("I should have the correct default prefix", func() {
			So(t, ShouldEqual, "1134309195:default:default:"+f.EncodedActionString())
		})
	})

	Convey("When I request a new default log prefix", t, func() {
		t := DefaultLogPrefix("abc", Accept)
		f := &FlowPolicy{
			Action: Accept,
		}
		Convey("I should have the correct default prefix", func() {
			So(t, ShouldEqual, "1134309195:default:default:"+f.EncodedActionString())
		})
	})
}

func Test_DefaultDropPacketLogPrefix(t *testing.T) {
	Convey("When I request a new default reject log prefix", t, func() {
		t := DefaultDropPacketLogPrefix("abcasd")

		Convey("I should have the correct default prefix", func() {
			So(t, ShouldEqual, "2569040509:default:default:10")
		})
	})
}

func TestDefaultAction(t *testing.T) {
	Convey("When I request the default action for Reject", t, func() {
		t := DefaultAction(Reject)

		Convey("I should have the correct default", func() {
			So(t, ShouldEqual, "DROP")
		})
	})

	Convey("When I request the default action for Accept", t, func() {
		t := DefaultAction(Accept)

		Convey("I should have the correct default", func() {
			So(t, ShouldEqual, "ACCEPT")
		})
	})
}

func TestLogPrefix(t *testing.T) {
	Convey("When I request log prefix reject", t, func() {
		f := &FlowPolicy{
			Action:        Reject,
			ObserveAction: ObserveNone,
			PolicyID:      "deadbeef",
			ServiceID:     "beaddead",
		}
		Convey("I should have the correct log prefix", func() {
			So(f.LogPrefix("somecontextID"), ShouldEqual, "3985287229:deadbeef:beaddead:6")
		})
	})

	Convey("When I request log prefix", t, func() {
		f := &FlowPolicy{
			Action:        Accept,
			ObserveAction: ObserveNone,
			PolicyID:      "deadbeef",
			ServiceID:     "beaddead",
		}
		Convey("I should have the correct log prefix", func() {
			So(f.LogPrefix("somecontextID"), ShouldEqual, "3985287229:deadbeef:beaddead:3")
		})
	})
}

func TestRuleNameLogPrefix(t *testing.T) {
	Convey("When I request log prefix reject", t, func() {
		f := &FlowPolicy{
			Action:        Reject,
			ObserveAction: ObserveNone,
			PolicyID:      "deadbeef",
			ServiceID:     "beaddead",
			RuleName:      "rule",
		}
		Convey("I should have the correct log prefix", func() {
			So(f.LogPrefix("somecontextID"), ShouldEqual, "3985287229:deadbeef:beaddead:rule_2929530537:6")
		})
	})

	Convey("When I request log with long PolicyID, ServiceID and RuleName prefixes", t, func() {
		f := &FlowPolicy{
			Action:        Accept,
			ObserveAction: ObserveNone,
			PolicyID:      "0123456789ABCDEFG",
			ServiceID:     "0123456789ABCDEFG",
			RuleName:      "LongRuleName",
		}
		Convey("I should have the correct log prefix", func() {
			So(f.LogPrefix("somecontextID"), ShouldEqual, "3985287229:789ABCDEFG:789ABCDEFG:LongRuleNa_3922170690:3")
			So(len(f.LogPrefix("somecontextID")), ShouldBeLessThanOrEqualTo, 64)
		})
	})
}

func TestLogPrefixAction(t *testing.T) {
	Convey("When I request log prefix action 6", t, func() {
		f := &FlowPolicy{
			Action:        Accept,
			ObserveAction: ObserveNone,
			PolicyID:      "deadbeef",
			ServiceID:     "beaddead",
		}
		Convey("I should have the correct log prefix", func() {
			So(f.LogPrefixAction("somecontextID", "6"), ShouldEqual, "3985287229:deadbeef:beaddead:6")
		})
	})

	Convey("When I request log prefix action 0", t, func() {
		f := &FlowPolicy{
			Action:        Accept,
			ObserveAction: ObserveNone,
			PolicyID:      "deadbeef",
			ServiceID:     "beaddead",
		}
		Convey("I should have the correct log prefix", func() {
			So(f.LogPrefixAction("somecontextID", "0"), ShouldEqual, "3985287229:deadbeef:beaddead:6")
		})
	})

	Convey("When I request log prefix action empty", t, func() {
		f := &FlowPolicy{
			Action:        Accept,
			ObserveAction: ObserveNone,
			PolicyID:      "deadbeef",
			ServiceID:     "beaddead",
		}
		Convey("I should have the correct log prefix", func() {
			So(f.LogPrefixAction("somecontextID", ""), ShouldEqual, "3985287229:deadbeef:beaddead:6")
		})
	})
}

func TestFnv32(t *testing.T) {

	Convey("When I request log prefix with no data", t, func() {
		hash, err := Fnv32Hash()

		Convey("I should have the hash", func() {
			So(hash, ShouldBeEmpty)
			So(err, ShouldNotBeNil)
		})
	})

	Convey("When I request log prefix with small data", t, func() {
		hash, err := Fnv32Hash("xyz")

		Convey("I should have the hash", func() {
			So(hash, ShouldEqual, "845396910")
			So(err, ShouldBeNil)
		})
	})

	Convey("When I request log prefix with large data", t, func() {
		hash, err := Fnv32Hash("xyzsadsadasfkjhjkasdjhsajkdhsad", "asdasdasda", "asdhjkashdjkashdjashdkasjdhasjkdhjashdkasjdhkaslfjsalkjdklasjdklasjdk")

		Convey("I should have the hash", func() {
			So(hash, ShouldEqual, "2149035768")
			So(err, ShouldBeNil)
		})
	})
}

func TestEncodedStringToActionInvalidValue(t *testing.T) {
	Convey("When I run decode and encode, the results should match", t, func() {
		ea := "badvalue"
		_, _, err := EncodedStringToAction(ea)
		if err == nil {
			Convey("I should get an error for value "+ea, func() {
				So(err, ShouldNotBeNil)
			})
		}
	})
}

func TestEncodeDecodePrefix(t *testing.T) {
	Convey("When I run decode and encode, the results should match", t, func() {
		encodedAction := []string{"1", "2", "3", "4", "5", "6", "7", "8", "9"}
		for _, ea := range encodedAction {
			f := &FlowPolicy{}
			var err error
			f.Action, f.ObserveAction, err = EncodedStringToAction(ea)
			Convey("I should have the same actions after decoding and encoding for action "+ea, func() {
				So(err, ShouldBeNil)
				So(f.EncodedActionString(), ShouldEqual, ea)
			})
		}
	})
}


================================================
FILE: protogen.sh
================================================
#!/bin/bash

CUR_DIR="$(pwd)"
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"

ENVOY_REPO="github.com/envoyproxy/data-plane-api"
ENVOY_REPO_PKG="go.aporeto.io/enforcerd/trireme-lib/third_party/generated/envoyproxy/data-plane-api"
PB_OUT="${DIR}/third_party/generated/envoyproxy/data-plane-api"
# gogofaster and gogoslick don't work unfortunately
# also, they currently don't work with validate
PB_GENERATOR="gogofast"

PROTOC="$(which protoc)"
if [ $? -ne 0 ] ; then
  echo "ERROR: protoc needs to be installed and in the PATH" 1>&2
  exit 2
fi

PB_GENERATOR_BIN="$(which protoc-gen-${PB_GENERATOR})"
if [ $? -ne 0 ] ; then
  echo "ERROR: protoc-gen-${PB_GENERATOR} needs to be installed and in the PATH" 1>&2
  exit 2
fi

echo "Protobuf compilers are at:"
echo "PROTOC=${PROTOC}"
echo "PB_GENERATOR_BIN=${PB_GENERATOR_BIN}"
echo

echo "Ensuring output folder exists: ${PB_OUT}"
mkdir -v -p ${PB_OUT}
echo

echo "Updating / Downloading necessary packages and repo..."
go get -u -v google.golang.org/grpc
echo
go get -u -v github.com/gogo/protobuf/types
echo
go get -u -v github.com/gogo/googleapis/google/rpc
echo
go get -u -v github.com/gogo/googleapis/google/api
echo
go get -u -v github.com/envoyproxy/protoc-gen-validate
echo "NOTE: it is okay for this to fail, there is no go code in here"
go get -v -u -d ${ENVOY_REPO}
echo

# useful when you need to find out dependencies and things for mapping
#  --descriptor_set_out=${PB_OUT}/${input}.descriptor_set \
#  --include_imports \
#  --dependency_out=${PB_OUT}/${input}.dependencies \
# validate currently doesn't work
#  --validate_out=lang=go:${PB_OUT} \
PROTOC_CMD="
${PROTOC} \
  -I${GOPATH:-${HOME/go}}/src/${ENVOY_REPO} \
  -I${GOPATH:-${HOME/go}}/src/github.com/gogo/protobuf/protobuf \
  -I${GOPATH:-${HOME/go}}/src/github.com/gogo/protobuf \
  -I${GOPATH:-${HOME/go}}/src/github.com/gogo/googleapis \
  -I${GOPATH:-${HOME/go}}/src/github.com/envoyproxy/protoc-gen-validate \
  --${PB_GENERATOR}_out=plugins=\
grpc,\
Menvoy/type/percent.proto=${ENVOY_REPO_PKG}/envoy/type,\
Menvoy/type/http_status.proto=${ENVOY_REPO_PKG}/envoy/type,\
Menvoy/api/v2/discovery.proto=${ENVOY_REPO_PKG}/envoy/api/v2,\
Menvoy/api/v2/core/address.proto=${ENVOY_REPO_PKG}/envoy/api/v2/core,\
Menvoy/api/v2/core/base.proto=${ENVOY_REPO_PKG}/envoy/api/v2/core,\
Menvoy/api/v2/core/http_uri.proto=${ENVOY_REPO_PKG}/envoy/api/v2/core,\
Mgoogle/rpc/status.proto=github.com/gogo/googleapis/google/rpc,\
Mgoogle/api/annotations.proto=github.com/gogo/googleapis/google/api,\
Mgoogle/protobuf/any.proto=github.com/gogo/protobuf/types,\
Mgoogle/protobuf/duration.proto=github.com/gogo/protobuf/types,\
Mgoogle/protobuf/struct.proto=github.com/gogo/protobuf/types,\
Mgoogle/protobuf/timestamp.proto=github.com/gogo/protobuf/types,\
Mgoogle/protobuf/wrappers.proto=github.com/gogo/protobuf/types\
:${PB_OUT} \
"

echo "Changing working directory to the envoy repo..."
cd ${GOPATH:-${HOME/go}}/src/${ENVOY_REPO}

echo "running protoc for dependencies from envoy/type..."
$PROTOC_CMD \
  envoy/type/http_status.proto \
  envoy/type/percent.proto
echo

echo "running protoc for dependencies from envoy/api/v2/core..."
$PROTOC_CMD \
  envoy/api/v2/core/address.proto \
  envoy/api/v2/core/base.proto \
  envoy/api/v2/core/http_uri.proto
echo

echo "running protoc for ext_authz_v2..."
$PROTOC_CMD \
  envoy/service/auth/v2/attribute_context.proto \
  envoy/service/auth/v2/external_auth.proto
echo

echo "running protoc for discovery..."
$PROTOC_CMD \
  envoy/api/v2/discovery.proto

echo "running protoc for disovery services..."
$PROTOC_CMD \
  envoy/service/discovery/v2/sds.proto

cd ${CUR_DIR}


================================================
FILE: scripts/fix_bpf
================================================
#!/bin/bash

printf "fix_bfp not needed for go modules"
exit 0


================================================
FILE: scripts/lint.sh
================================================
#!/usr/bin/env bash

export GO111MODULE=auto

# goimports and gofmt complain about cr-lf line endings, so don't run them on
#	a Windows machine where git is configured to auto-convert line endings

OS="$(uname -s)"
if [[ "$OS" == *"NT-"* ]]; then
	GOIMPORTS_OPTION=
	GOFMT_OPTION=
else
	GOIMPORTS_OPTION="--enable=goimports"
	GOFMT_OPTION="--enable=gofmt"
fi

golangci-lint run \
    --verbose \
    --skip-dirs='[third_party|test|vendor]' \
    --skip-files='[.*\.pb\.go|.*\.gen\.go]' \
    --deadline=20m \
    --disable-all \
    --exclude-use-default=false \
    --enable=errcheck \
    --enable=ineffassign \
    --enable=govet \
    --enable=golint \
    --enable=unused \
    --enable=structcheck \
    --enable=varcheck \
    --enable=deadcode \
    --enable=unconvert \
    --enable=goconst \
    --enable=gosimple \
    --enable=misspell \
    --enable=staticcheck \
    --enable=unparam \
    --enable=prealloc \
    --enable=nakedret \
    --enable=typecheck \
    $GOIMPORTS_OPTION \
    $GOFMT_OPTION \
    ./...



================================================
FILE: scripts/lint.windows.sh
================================================
#!/usr/bin/env bash

export GO111MODULE=auto
export CGO_ENABLED=0
export GOOS=windows
export GOARCH=amd64

# goimports and gofmt complain about cr-lf line endings, so don't run them on
#	a Windows machine where git is configured to auto-convert line endings

OS="$(uname -s)"
if [[ "$OS" == *"NT-"* ]]; then
	GOIMPORTS_OPTION=
	GOFMT_OPTION=
else
	GOIMPORTS_OPTION="--enable=goimports"
	GOFMT_OPTION="--enable=gofmt"
fi

golangci-lint run \
    --verbose \
    --skip-dirs='[third_party|test|vendor]' \
    --skip-files='[.*\.pb\.go|.*\.gen\.go]' \
    --deadline=20m \
    --disable-all \
    --exclude-use-default=false \
    --enable=errcheck \
    --enable=ineffassign \
    --enable=govet \
    --enable=golint \
    --enable=unused \
    --enable=structcheck \
    --enable=varcheck \
    --enable=deadcode \
    --enable=unconvert \
    --enable=goconst \
    --enable=gosimple \
    --enable=misspell \
    --enable=staticcheck \
    --enable=unparam \
    --enable=prealloc \
    --enable=nakedret \
    --enable=typecheck \
    $GOIMPORTS_OPTION \
    $GOFMT_OPTION \
    ./...


================================================
FILE: scripts/test.sh
================================================
#!/usr/bin/env bash

export GO111MODULE=auto

## FIX ME. go1.14 automatically enables unsafe ptr checks when doing race checks,
## and it is not clear if this is compatible (it is disabled on Windows)
##
## This needs to be revisited and maybe remove "-gcflags=all=-d=checkptr=0" below
## for go1.14 once we determine if there is a real pointer issue in the tests.
##
## this is the file that fails when ptr checking is enabled:
## go.aporeto.io/trireme-lib/controller/internal/enforcer/applicationproxy/markedconn_test.go
##
## to see the failure, test that package individually setting "checkptr=1"

case "$(go version)" in
    *1.13*) CHECKPTR=""  ;;
    *)      CHECKPTR="-gcflags=all=-d=checkptr=0" ;;
esac

# set -e
rm -f coverage.txt
touch coverage.txt

## FIX ME. go1.14 automatically enables unsafe ptr checks when doing race checks,
## and it is not clear if this is compatible (it is disabled on Windows)
##
## This needs to be revisited and maybe remove "-gcflags=all=-d=checkptr=0" below
## for go1.14 once we determine if there is a real pointer issue in the tests.
##
## this is the file that fails when ptr checking is enabled:
## go.aporeto.io/trireme-lib/controller/internal/enforcer/applicationproxy/markedconn_test.go
##
## to see the failure, test that package individually setting "checkptr=1"

case "$(go version)" in
    *1.13*) CHECKPTR=""  ;;
    *)      CHECKPTR="-gcflags=all=-d=checkptr=0" ;;
esac

if [[ $# -gt 0 ]]; then
    pkglist="$*"
else
    pkglist="$(go list ./... | grep -E -v '(mock|bpf)')"
fi

echo
echo  "========= BEGIN LINUX TESTS ==========="
echo

for pkg in $pkglist ; do
    go test -tags test $CHECKPTR -race -coverprofile=profile.out -covermode=atomic "$pkg"
    if [ -f profile.out ]; then
        cat profile.out >> coverage.txt
        rm profile.out
    fi
done

echo
echo  "========= END LINUX TESTS ==========="
echo


================================================
FILE: scripts/test.windows.sh
================================================
#!/usr/bin/env bash

export GO111MODULES=auto
export CGO_ENABLED=0
export GOOS=windows
export GOARCH=amd64

# set -e
rm -f coverage.windows.txt
touch coverage.windows.txt

# use wine to execute if not running tests on a Windows machine
OS="$(uname -s)"
if [[ "$OS" == *"NT-"* ]]; then
	WINE_EXEC=
else
	WINE_EXEC="-exec wine"
fi

## FIX ME. go1.14 automatically enables unsafe ptr checks when doing race checks,
## and it is not clear if this is compatible (it is disabled on Windows)
##
## This needs to be revisited and maybe remove "-gcflags=all=-d=checkptr=0" below
## for go1.14 once we determine if there is a real pointer issue in the tests.
##
## this is the file that fails when ptr checking is enabled:
## go.aporeto.io/trireme-lib/controller/internal/enforcer/applicationproxy/markedconn_test.go
##
## to see the failure, test that package individually setting "checkptr=1"

case "$(go version)" in
    *1.13*) CHECKPTR=""  ;;
    *)      CHECKPTR="-gcflags=all=-d=checkptr=0" ;;
esac

if [[ $# -gt 0 ]]; then
    pkglist="$*"
else
    pkglist="$(go list ./... | grep -v remoteenforcer | grep -v remoteapi | grep -v "plugins/pam")"
fi

echo
echo  "========= BEGIN WINDOWS TESTS ==========="
echo

for pkg in $pkglist; do
    go test -tags test $WINE_EXEC $CHECKPTR -coverprofile=profile.windows.out -covermode=atomic "$pkg"
    if [ -f profile.windows.out ]; then
        cat profile.windows.out >> coverage.windows.txt
        rm profile.windows.out
    fi
done

echo
echo  "========= END WINDOWS TESTS ==========="
echo


================================================
FILE: third_party/generated/envoyproxy/data-plane-api/envoy/api/v2/core/address.pb.go
================================================
// Code generated by protoc-gen-gogo. DO NOT EDIT.
// source: envoy/api/v2/core/address.proto

package core

import (
	bytes "bytes"
	fmt "fmt"
	_ "github.com/envoyproxy/protoc-gen-validate/validate"
	_ "github.com/gogo/protobuf/gogoproto"
	proto "github.com/gogo/protobuf/proto"
	types "github.com/gogo/protobuf/types"
	io "io"
	math "math"
	math_bits "math/bits"
)

// Reference imports to suppress errors if they are not otherwise used.
var _ = proto.Marshal
var _ = fmt.Errorf
var _ = math.Inf

// This is a compile-time assertion to ensure that this generated file
// is compatible with the proto package it is being compiled against.
// A compilation error at this line likely means your copy of the
// proto package needs to be updated.
const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package

type SocketAddress_Protocol int32

const (
	TCP SocketAddress_Protocol = 0
	// [#not-implemented-hide:]
	UDP SocketAddress_Protocol = 1
)

var SocketAddress_Protocol_name = map[int32]string{
	0: "TCP",
	1: "UDP",
}

var SocketAddress_Protocol_value = map[string]int32{
	"TCP": 0,
	"UDP": 1,
}

func (x SocketAddress_Protocol) String() string {
	return proto.EnumName(SocketAddress_Protocol_name, int32(x))
}

func (SocketAddress_Protocol) EnumDescriptor() ([]byte, []int) {
	return fileDescriptor_6906417f87bcce55, []int{1, 0}
}

type Pipe struct {
	// Unix Domain Socket path. On Linux, paths starting with '@' will use the
	// abstract namespace. The starting '@' is replaced by a null byte by Envoy.
	// Paths starting with '@' will result in an error in environments other than
	// Linux.
	Path                 string   `protobuf:"bytes,1,opt,name=path,proto3" json:"path,omitempty"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

func (m *Pipe) Reset()         { *m = Pipe{} }
func (m *Pipe) String() string { return proto.CompactTextString(m) }
func (*Pipe) ProtoMessage()    {}
func (*Pipe) Descriptor() ([]byte, []int) {
	return fileDescriptor_6906417f87bcce55, []int{0}
}
func (m *Pipe) XXX_Unmarshal(b []byte) error {
	return m.Unmarshal(b)
}
func (m *Pipe) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
	if deterministic {
		return xxx_messageInfo_Pipe.Marshal(b, m, deterministic)
	} else {
		b = b[:cap(b)]
		n, err := m.MarshalTo(b)
		if err != nil {
			return nil, err
		}
		return b[:n], nil
	}
}
func (m *Pipe) XXX_Merge(src proto.Message) {
	xxx_messageInfo_Pipe.Merge(m, src)
}
func (m *Pipe) XXX_Size() int {
	return m.Size()
}
func (m *Pipe) XXX_DiscardUnknown() {
	xxx_messageInfo_Pipe.DiscardUnknown(m)
}

var xxx_messageInfo_Pipe proto.InternalMessageInfo

func (m *Pipe) GetPath() string {
	if m != nil {
		return m.Path
	}
	return ""
}

type SocketAddress struct {
	Protocol SocketAddress_Protocol `protobuf:"varint,1,opt,name=protocol,proto3,enum=envoy.api.v2.core.SocketAddress_Protocol" json:"protocol,omitempty"`
	// The address for this socket. :ref:`Listeners <config_listeners>` will bind
	// to the address. An empty address is not allowed. Specify ``0.0.0.0`` or ``::``
	// to bind to any address. [#comment:TODO(zuercher) reinstate when implemented:
	// It is possible to distinguish a Listener address via the prefix/suffix matching
	// in :ref:`FilterChainMatch <envoy_api_msg_listener.FilterChainMatch>`.] When used
	// within an upstream :ref:`BindConfig <envoy_api_msg_core.BindConfig>`, the address
	// controls the source address of outbound connections. For :ref:`clusters
	// <envoy_api_msg_Cluster>`, the cluster type determines whether the
	// address must be an IP (*STATIC* or *EDS* clusters) or a hostname resolved by DNS
	// (*STRICT_DNS* or *LOGICAL_DNS* clusters). Address resolution can be customized
	// via :ref:`resolver_name <envoy_api_field_core.SocketAddress.resolver_name>`.
	Address string `protobuf:"bytes,2,opt,name=address,proto3" json:"address,omitempty"`
	// Types that are valid to be assigned to PortSpecifier:
	//	*SocketAddress_PortValue
	//	*SocketAddress_NamedPort
	PortSpecifier isSocketAddress_PortSpecifier `protobuf_oneof:"port_specifier"`
	// The name of the custom resolver. This must have been registered with Envoy. If
	// this is empty, a context dependent default applies. If the address is a concrete
	// IP address, no resolution will occur. If address is a hostname this
	// should be set for resolution other than DNS. Specifying a custom resolver with
	// *STRICT_DNS* or *LOGICAL_DNS* will generate an error at runtime.
	ResolverName string `protobuf:"bytes,5,opt,name=resolver_name,json=resolverName,proto3" json:"resolver_name,omitempty"`
	// When binding to an IPv6 address above, this enables `IPv4 compatibility
	// <https://tools.ietf.org/html/rfc3493#page-11>`_. Binding to ``::`` will
	// allow both IPv4 and IPv6 connections, with peer IPv4 addresses mapped into
	// IPv6 space as ``::FFFF:<IPv4-address>``.
	Ipv4Compat           bool     `protobuf:"varint,6,opt,name=ipv4_compat,json=ipv4Compat,proto3" json:"ipv4_compat,omitempty"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

func (m *SocketAddress) Reset()         { *m = SocketAddress{} }
func (m *SocketAddress) String() string { return proto.CompactTextString(m) }
func (*SocketAddress) ProtoMessage()    {}
func (*SocketAddress) Descriptor() ([]byte, []int) {
	return fileDescriptor_6906417f87bcce55, []int{1}
}
func (m *SocketAddress) XXX_Unmarshal(b []byte) error {
	return m.Unmarshal(b)
}
func (m *SocketAddress) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
	if deterministic {
		return xxx_messageInfo_SocketAddress.Marshal(b, m, deterministic)
	} else {
		b = b[:cap(b)]
		n, err := m.MarshalTo(b)
		if err != nil {
			return nil, err
		}
		return b[:n], nil
	}
}
func (m *SocketAddress) XXX_Merge(src proto.Message) {
	xxx_messageInfo_SocketAddress.Merge(m, src)
}
func (m *SocketAddress) XXX_Size() int {
	return m.Size()
}
func (m *SocketAddress) XXX_DiscardUnknown() {
	xxx_messageInfo_SocketAddress.DiscardUnknown(m)
}

var xxx_messageInfo_SocketAddress proto.InternalMessageInfo

type isSocketAddress_PortSpecifier interface {
	isSocketAddress_PortSpecifier()
	Equal(interface{}) bool
	MarshalTo([]byte) (int, error)
	Size() int
}

type SocketAddress_PortValue struct {
	PortValue uint32 `protobuf:"varint,3,opt,name=port_value,json=portValue,proto3,oneof"`
}
type SocketAddress_NamedPort struct {
	NamedPort string `protobuf:"bytes,4,opt,name=named_port,json=namedPort,proto3,oneof"`
}

func (*SocketAddress_PortValue) isSocketAddress_PortSpecifier() {}
func (*SocketAddress_NamedPort) isSocketAddress_PortSpecifier() {}

func (m *SocketAddress) GetPortSpecifier() isSocketAddress_PortSpecifier {
	if m != nil {
		return m.PortSpecifier
	}
	return nil
}

func (m *SocketAddress) GetProtocol() SocketAddress_Protocol {
	if m != nil {
		return m.Protocol
	}
	return TCP
}

func (m *SocketAddress) GetAddress() string {
	if m != nil {
		return m.Address
	}
	return ""
}

func (m *SocketAddress) GetPortValue() uint32 {
	if x, ok := m.GetPortSpecifier().(*SocketAddress_PortValue); ok {
		return x.PortValue
	}
	return 0
}

func (m *SocketAddress) GetNamedPort() string {
	if x, ok := m.GetPortSpecifier().(*SocketAddress_NamedPort); ok {
		return x.NamedPort
	}
	return ""
}

func (m *SocketAddress) GetResolverName() string {
	if m != nil {
		return m.ResolverName
	}
	return ""
}

func (m *SocketAddress) GetIpv4Compat() bool {
	if m != nil {
		return m.Ipv4Compat
	}
	return false
}

// XXX_OneofFuncs is for the internal use of the proto package.
func (*SocketAddress) XXX_OneofFuncs() (func(msg proto.Message, b *proto.Buffer) error, func(msg proto.Message, tag, wire int, b *proto.Buffer) (bool, error), func(msg proto.Message) (n int), []interface{}) {
	return _SocketAddress_OneofMarshaler, _SocketAddress_OneofUnmarshaler, _SocketAddress_OneofSizer, []interface{}{
		(*SocketAddress_PortValue)(nil),
		(*SocketAddress_NamedPort)(nil),
	}
}

func _SocketAddress_OneofMarshaler(msg proto.Message, b *proto.Buffer) error {
	m := msg.(*SocketAddress)
	// port_specifier
	switch x := m.PortSpecifier.(type) {
	case *SocketAddress_PortValue:
		_ = b.EncodeVarint(3<<3 | proto.WireVarint)
		_ = b.EncodeVarint(uint64(x.PortValue))
	case *SocketAddress_NamedPort:
		_ = b.EncodeVarint(4<<3 | proto.WireBytes)
		_ = b.EncodeStringBytes(x.NamedPort)
	case nil:
	default:
		return fmt.Errorf("SocketAddress.PortSpecifier has unexpected type %T", x)
	}
	return nil
}

func _SocketAddress_OneofUnmarshaler(msg proto.Message, tag, wire int, b *proto.Buffer) (bool, error) {
	m := msg.(*SocketAddress)
	switch tag {
	case 3: // port_specifier.port_value
		if wire != proto.WireVarint {
			return true, proto.ErrInternalBadWireType
		}
		x, err := b.DecodeVarint()
		m.PortSpecifier = &SocketAddress_PortValue{uint32(x)}
		return true, err
	case 4: // port_specifier.named_port
		if wire != proto.WireBytes {
			return true, proto.ErrInternalBadWireType
		}
		x, err := b.DecodeStringBytes()
		m.PortSpecifier = &SocketAddress_NamedPort{x}
		return true, err
	default:
		return false, nil
	}
}

func _SocketAddress_OneofSizer(msg proto.Message) (n int) {
	m := msg.(*SocketAddress)
	// port_specifier
	switch x := m.PortSpecifier.(type) {
	case *SocketAddress_PortValue:
		n += 1 // tag and wire
		n += proto.SizeVarint(uint64(x.PortValue))
	case *SocketAddress_NamedPort:
		n += 1 // tag and wire
		n += proto.SizeVarint(uint64(len(x.NamedPort)))
		n += len(x.NamedPort)
	case nil:
	default:
		panic(fmt.Sprintf("proto: unexpected type %T in oneof", x))
	}
	return n
}

type TcpKeepalive struct {
	// Maximum number of keepalive probes to send without response before deciding
	// the connection is dead. Default is to use the OS level configuration (unless
	// overridden, Linux defaults to 9.)
	KeepaliveProbes *types.UInt32Value `protobuf:"bytes,1,opt,name=keepalive_probes,json=keepaliveProbes,proto3" json:"keepalive_probes,omitempty"`
	// The number of seconds a connection needs to be idle before keep-alive probes
	// start being sent. Default is to use the OS level configuration (unless
	// overridden, Linux defaults to 7200s (ie 2 hours.)
	KeepaliveTime *types.UInt32Value `protobuf:"bytes,2,opt,name=keepalive_time,json=keepaliveTime,proto3" json:"keepalive_time,omitempty"`
	// The number of seconds between keep-alive probes. Default is to use the OS
	// level configuration (unless overridden, Linux defaults to 75s.)
	KeepaliveInterval    *types.UInt32Value `protobuf:"bytes,3,opt,name=keepalive_interval,json=keepaliveInterval,proto3" json:"keepalive_interval,omitempty"`
	XXX_NoUnkeyedLiteral struct{}           `json:"-"`
	XXX_unrecognized     []byte             `json:"-"`
	XXX_sizecache        int32              `json:"-"`
}

func (m *TcpKeepalive) Reset()         { *m = TcpKeepalive{} }
func (m *TcpKeepalive) String() string { return proto.CompactTextString(m) }
func (*TcpKeepalive) ProtoMessage()    {}
func (*TcpKeepalive) Descriptor() ([]byte, []int) {
	return fileDescriptor_6906417f87bcce55, []int{2}
}
func (m *TcpKeepalive) XXX_Unmarshal(b []byte) error {
	return m.Unmarshal(b)
}
func (m *TcpKeepalive) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
	if deterministic {
		return xxx_messageInfo_TcpKeepalive.Marshal(b, m, deterministic)
	} else {
		b = b[:cap(b)]
		n, err := m.MarshalTo(b)
		if err != nil {
			return nil, err
		}
		return b[:n], nil
	}
}
func (m *TcpKeepalive) XXX_Merge(src proto.Message) {
	xxx_messageInfo_TcpKeepalive.Merge(m, src)
}
func (m *TcpKeepalive) XXX_Size() int {
	return m.Size()
}
func (m *TcpKeepalive) XXX_DiscardUnknown() {
	xxx_messageInfo_TcpKeepalive.DiscardUnknown(m)
}

var xxx_messageInfo_TcpKeepalive proto.InternalMessageInfo

func (m *TcpKeepalive) GetKeepaliveProbes() *types.UInt32Value {
	if m != nil {
		return m.KeepaliveProbes
	}
	return nil
}

func (m *TcpKeepalive) GetKeepaliveTime() *types.UInt32Value {
	if m != nil {
		return m.KeepaliveTime
	}
	return nil
}

func (m *TcpKeepalive) GetKeepaliveInterval() *types.UInt32Value {
	if m != nil {
		return m.KeepaliveInterval
	}
	return nil
}

type BindConfig struct {
	// The address to bind to when creating a socket.
	SourceAddress *SocketAddress `protobuf:"bytes,1,opt,name=source_address,json=sourceAddress,proto3" json:"source_address,omitempty"`
	// Whether to set the *IP_FREEBIND* option when creating the socket. When this
	// flag is set to true, allows the :ref:`source_address
	// <envoy_api_field_UpstreamBindConfig.source_address>` to be an IP address
	// that is not configured on the system running Envoy. When this flag is set
	// to false, the option *IP_FREEBIND* is disabled on the socket. When this
	// flag is not set (default), the socket is not modified, i.e. the option is
	// neither enabled nor disabled.
	Freebind *types.BoolValue `protobuf:"bytes,2,opt,name=freebind,proto3" json:"freebind,omitempty"`
	// Additional socket options that may not be present in Envoy source code or
	// precompiled binaries.
	SocketOptions        []*SocketOption `protobuf:"bytes,3,rep,name=socket_options,json=socketOptions,proto3" json:"socket_options,omitempty"`
	XXX_NoUnkeyedLiteral struct{}        `json:"-"`
	XXX_unrecognized     []byte          `json:"-"`
	XXX_sizecache        int32           `json:"-"`
}

func (m *BindConfig) Reset()         { *m = BindConfig{} }
func (m *BindConfig) String() string { return proto.CompactTextString(m) }
func (*BindConfig) ProtoMessage()    {}
func (*BindConfig) Descriptor() ([]byte, []int) {
	return fileDescriptor_6906417f87bcce55, []int{3}
}
func (m *BindConfig) XXX_Unmarshal(b []byte) error {
	return m.Unmarshal(b)
}
func (m *BindConfig) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
	if deterministic {
		return xxx_messageInfo_BindConfig.Marshal(b, m, deterministic)
	} else {
		b = b[:cap(b)]
		n, err := m.MarshalTo(b)
		if err != nil {
			return nil, err
		}
		return b[:n], nil
	}
}
func (m *BindConfig) XXX_Merge(src proto.Message) {
	xxx_messageInfo_BindConfig.Merge(m, src)
}
func (m *BindConfig) XXX_Size() int {
	return m.Size()
}
func (m *BindConfig) XXX_DiscardUnknown() {
	xxx_messageInfo_BindConfig.DiscardUnknown(m)
}

var xxx_messageInfo_BindConfig proto.InternalMessageInfo

func (m *BindConfig) GetSourceAddress() *SocketAddress {
	if m != nil {
		return m.SourceAddress
	}
	return nil
}

func (m *BindConfig) GetFreebind() *types.BoolValue {
	if m != nil {
		return m.Freebind
	}
	return nil
}

func (m *BindConfig) GetSocketOptions() []*SocketOption {
	if m != nil {
		return m.SocketOptions
	}
	return nil
}

// Addresses specify either a logical or physical address and port, which are
// used to tell Envoy where to bind/listen, connect to upstream and find
// management servers.
type Address struct {
	// Types that are valid to be assigned to Address:
	//	*Address_SocketAddress
	//	*Address_Pipe
	Address              isAddress_Address `protobuf_oneof:"address"`
	XXX_NoUnkeyedLiteral struct{}          `json:"-"`
	XXX_unrecognized     []byte            `json:"-"`
	XXX_sizecache        int32             `json:"-"`
}

func (m *Address) Reset()         { *m = Address{} }
func (m *Address) String() string { return proto.CompactTextString(m) }
func (*Address) ProtoMessage()    {}
func (*Address) Descriptor() ([]byte, []int) {
	return fileDescriptor_6906417f87bcce55, []int{4}
}
func (m *Address) XXX_Unmarshal(b []byte) error {
	return m.Unmarshal(b)
}
func (m *Address) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
	if deterministic {
		return xxx_messageInfo_Address.Marshal(b, m, deterministic)
	} else {
		b = b[:cap(b)]
		n, err := m.MarshalTo(b)
		if err != nil {
			return nil, err
		}
		return b[:n], nil
	}
}
func (m *Address) XXX_Merge(src proto.Message) {
	xxx_messageInfo_Address.Merge(m, src)
}
func (m *Address) XXX_Size() int {
	return m.Size()
}
func (m *Address) XXX_DiscardUnknown() {
	xxx_messageInfo_Address.DiscardUnknown(m)
}

var xxx_messageInfo_Address proto.InternalMessageInfo

type isAddress_Address interface {
	isAddress_Address()
	Equal(interface{}) bool
	MarshalTo([]byte) (int, error)
	Size() int
}

type Address_SocketAddress struct {
	SocketAddress *SocketAddress `protobuf:"bytes,1,opt,name=socket_address,json=socketAddress,proto3,oneof"`
}
type Address_Pipe struct {
	Pipe *Pipe `protobuf:"bytes,2,opt,name=pipe,proto3,oneof"`
}

func (*Address_SocketAddress) isAddress_Address() {}
func (*Address_Pipe) isAddress_Address()          {}

func (m *Address) GetAddress() isAddress_Address {
	if m != nil {
		return m.Address
	}
	return nil
}

func (m *Address) GetSocketAddress() *SocketAddress {
	if x, ok := m.GetAddress().(*Address_SocketAddress); ok {
		return x.SocketAddress
	}
	return nil
}

func (m *Address) GetPipe() *Pipe {
	if x, ok := m.GetAddress().(*Address_Pipe); ok {
		return x.Pipe
	}
	return nil
}

// XXX_OneofFuncs is for the internal use of the proto package.
func (*Address) XXX_OneofFuncs() (func(msg proto.Message, b *proto.Buffer) error, func(msg proto.Message, tag, wire int, b *proto.Buffer) (bool, error), func(msg proto.Message) (n int), []interface{}) {
	return _Address_OneofMarshaler, _Address_OneofUnmarshaler, _Address_OneofSizer, []interface{}{
		(*Address_SocketAddress)(nil),
		(*Address_Pipe)(nil),
	}
}

func _Address_OneofMarshaler(msg proto.Message, b *proto.Buffer) error {
	m := msg.(*Address)
	// address
	switch x := m.Address.(type) {
	case *Address_SocketAddress:
		_ = b.EncodeVarint(1<<3 | proto.WireBytes)
		if err := b.EncodeMessage(x.SocketAddress); err != nil {
			return err
		}
	case *Address_Pipe:
		_ = b.EncodeVarint(2<<3 | proto.WireBytes)
		if err := b.EncodeMessage(x.Pipe); err != nil {
			return err
		}
	case nil:
	default:
		return fmt.Errorf("Address.Address has unexpected type %T", x)
	}
	return nil
}

func _Address_OneofUnmarshaler(msg proto.Message, tag, wire int, b *proto.Buffer) (bool, error) {
	m := msg.(*Address)
	switch tag {
	case 1: // address.socket_address
		if wire != proto.WireBytes {
			return true, proto.ErrInternalBadWireType
		}
		msg := new(SocketAddress)
		err := b.DecodeMessage(msg)
		m.Address = &Address_SocketAddress{msg}
		return true, err
	case 2: // address.pipe
		if wire != proto.WireBytes {
			return true, proto.ErrInternalBadWireType
		}
		msg := new(Pipe)
		err := b.DecodeMessage(msg)
		m.Address = &Address_Pipe{msg}
		return true, err
	default:
		return false, nil
	}
}

func _Address_OneofSizer(msg proto.Message) (n int) {
	m := msg.(*Address)
	// address
	switch x := m.Address.(type) {
	case *Address_SocketAddress:
		s := proto.Size(x.SocketAddress)
		n += 1 // tag and wire
		n += proto.SizeVarint(uint64(s))
		n += s
	case *Address_Pipe:
		s := proto.Size(x.Pipe)
		n += 1 // tag and wire
		n += proto.SizeVarint(uint64(s))
		n += s
	case nil:
	default:
		panic(fmt.Sprintf("proto: unexpected type %T in oneof", x))
	}
	return n
}

// CidrRange specifies an IP Address and a prefix length to construct
// the subnet mask for a `CIDR <https://tools.ietf.org/html/rfc4632>`_ range.
type CidrRange struct {
	// IPv4 or IPv6 address, e.g. ``192.0.0.0`` or ``2001:db8::``.
	AddressPrefix string `protobuf:"bytes,1,opt,name=address_prefix,json=addressPrefix,proto3" json:"address_prefix,omitempty"`
	// Length of prefix, e.g. 0, 32.
	PrefixLen            *types.UInt32Value `protobuf:"bytes,2,opt,name=prefix_len,json=prefixLen,proto3" json:"prefix_len,omitempty"`
	XXX_NoUnkeyedLiteral struct{}           `json:"-"`
	XXX_unrecognized     []byte             `json:"-"`
	XXX_sizecache        int32              `json:"-"`
}

func (m *CidrRange) Reset()         { *m = CidrRange{} }
func (m *CidrRange) String() string { return proto.CompactTextString(m) }
func (*CidrRange) ProtoMessage()    {}
func (*CidrRange) Descriptor() ([]byte, []int) {
	return fileDescriptor_6906417f87bcce55, []int{5}
}
func (m *CidrRange) XXX_Unmarshal(b []byte) error {
	return m.Unmarshal(b)
}
func (m *CidrRange) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
	if deterministic {
		return xxx_messageInfo_CidrRange.Marshal(b, m, deterministic)
	} else {
		b = b[:cap(b)]
		n, err := m.MarshalTo(b)
		if err != nil {
			return nil, err
		}
		return b[:n], nil
	}
}
func (m *CidrRange) XXX_Merge(src proto.Message) {
	xxx_messageInfo_CidrRange.Merge(m, src)
}
func (m *CidrRange) XXX_Size() int {
	return m.Size()
}
func (m *CidrRange) XXX_DiscardUnknown() {
	xxx_messageInfo_CidrRange.DiscardUnknown(m)
}

var xxx_messageInfo_CidrRange proto.InternalMessageInfo

func (m *CidrRange) GetAddressPrefix() string {
	if m != nil {
		return m.AddressPrefix
	}
	return ""
}

func (m *CidrRange) GetPrefixLen() *types.UInt32Value {
	if m != nil {
		return m.PrefixLen
	}
	return nil
}

func init() {
	proto.RegisterEnum("envoy.api.v2.core.SocketAddress_Protocol", SocketAddress_Protocol_name, SocketAddress_Protocol_value)
	proto.RegisterType((*Pipe)(nil), "envoy.api.v2.core.Pipe")
	proto.RegisterType((*SocketAddress)(nil), "envoy.api.v2.core.SocketAddress")
	proto.RegisterType((*TcpKeepalive)(nil), "envoy.api.v2.core.TcpKeepalive")
	proto.RegisterType((*BindConfig)(nil), "envoy.api.v2.core.BindConfig")
	proto.RegisterType((*Address)(nil), "envoy.api.v2.core.Address")
	proto.RegisterType((*CidrRange)(nil), "envoy.api.v2.core.CidrRange")
}

func init() { proto.RegisterFile("envoy/api/v2/core/address.proto", fileDescriptor_6906417f87bcce55) }

var fileDescriptor_6906417f87bcce55 = []byte{
	// 695 bytes of a gzipped FileDescriptorProto
	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x94, 0x53, 0xcd, 0x6e, 0xd3, 0x4c,
	0x14, 0xcd, 0x24, 0x69, 0x93, 0xdc, 0x36, 0xf9, 0xd2, 0xd1, 0x87, 0x6a, 0x85, 0x2a, 0x09, 0xe9,
	0x26, 0x54, 0xc2, 0x96, 0x52, 0xc4, 0xbe, 0x0e, 0x3f, 0xad, 0x8a, 0xa8, 0x31, 0x2d, 0x5b, 0x6b,
	0x92, 0x4c, 0xc2, 0xa8, 0x8e, 0x67, 0x34, 0x76, 0x4d, 0xbb, 0x43, 0x5d, 0x21, 0xb6, 0x3c, 0x02,
	0x1b, 0x1e, 0x85, 0x25, 0x3c, 0x01, 0x28, 0x3b, 0xde, 0x00, 0x75, 0x53, 0x34, 0x63, 0x3b, 0x55,
	0x09, 0xa8, 0xb0, 0x9b, 0x39, 0xf7, 0x9e, 0x33, 0xe7, 0xfe, 0x0c, 0xb4, 0x68, 0x10, 0xf3, 0x33,
	0x8b, 0x08, 0x66, 0xc5, 0x3d, 0x6b, 0xc8, 0x25, 0xb5, 0xc8, 0x68, 0x24, 0x69, 0x18, 0x9a, 0x42,
	0xf2, 0x88, 0xe3, 0x35, 0x9d, 0x60, 0x12, 0xc1, 0xcc, 0xb8, 0x67, 0xaa, 0x84, 0xc6, 0xc6, 0x22,
	0x67, 0x40, 0x42, 0x9a, 0x10, 0x1a, 0xcd, 0x09, 0xe7, 0x13, 0x9f, 0x5a, 0xfa, 0x36, 0x38, 0x19,
	0x5b, 0xaf, 0x25, 0x11, 0x82, 0xca, 0x54, 0xb0, 0xb1, 0x1e, 0x13, 0x9f, 0x8d, 0x48, 0x44, 0xad,
	0xec, 0x90, 0x06, 0xfe, 0x9f, 0xf0, 0x09, 0xd7, 0x47, 0x4b, 0x9d, 0x12, 0xb4, 0xb3, 0x09, 0x45,
	0x87, 0x09, 0x8a, 0x6f, 0x43, 0x51, 0x90, 0xe8, 0x95, 0x81, 0xda, 0xa8, 0x5b, 0xb1, 0x4b, 0x17,
	0x76, 0x51, 0xe6, 0xdb, 0xc8, 0xd5, 0x60, 0xe7, 0x4b, 0x1e, 0xaa, 0x2f, 0xf8, 0xf0, 0x98, 0x46,
	0x3b, 0x89, 0x79, 0x7c, 0x00, 0x65, 0xcd, 0x1f, 0x72, 0x5f, 0x53, 0x6a, 0xbd, 0xbb, 0xe6, 0x42,
	0x25, 0xe6, 0x35, 0x8e, 0xe9, 0xa4, 0x04, 0xbb, 0x7c, 0x61, 0x2f, 0x9d, 0xa3, 0x7c, 0x1d, 0xb9,
	0x73, 0x11, 0x7c, 0x07, 0x4a, 0x69, 0x63, 0x8c, 0xfc, 0x75, 0x0b, 0x19, 0x8e, 0xb7, 0x00, 0x04,
	0x97, 0x91, 0x17, 0x13, 0xff, 0x84, 0x1a, 0x85, 0x36, 0xea, 0x56, 0xed, 0xca, 0x85, 0xbd, 0xbc,
	0x55, 0x34, 0x2e, 0x2f, 0x0b, 0xbb, 0x39, 0xb7, 0xa2, 0xc2, 0x2f, 0x55, 0x14, 0xb7, 0x00, 0x02,
	0x32, 0xa5, 0x23, 0x4f, 0x41, 0x46, 0x51, 0x29, 0xaa, 0x04, 0x8d, 0x39, 0x5c, 0x46, 0x78, 0x13,
	0xaa, 0x92, 0x86, 0xdc, 0x8f, 0xa9, 0xf4, 0x14, 0x6a, 0x2c, 0xa9, 0x1c, 0x77, 0x35, 0x03, 0x9f,
	0x91, 0xa9, 0x52, 0x59, 0x61, 0x22, 0xbe, 0xef, 0x0d, 0xf9, 0x54, 0x90, 0xc8, 0x58, 0x6e, 0xa3,
	0x6e, 0xd9, 0x05, 0x05, 0xf5, 0x35, 0xd2, 0xe9, 0x40, 0x39, 0xab, 0x0a, 0x97, 0xa0, 0x70, 0xd8,
	0x77, 0xea, 0x39, 0x75, 0x38, 0x7a, 0xe8, 0xd4, 0x51, 0xa3, 0xf8, 0xf6, 0x43, 0x33, 0x67, 0xdf,
	0x82, 0x9a, 0xb6, 0x1d, 0x0a, 0x3a, 0x64, 0x63, 0x46, 0x25, 0x2e, 0xfc, 0xb0, 0x51, 0xe7, 0x3b,
	0x82, 0xd5, 0xc3, 0xa1, 0xd8, 0xa7, 0x54, 0x10, 0x9f, 0xc5, 0x14, 0x3f, 0x81, 0xfa, 0x71, 0x76,
	0xf1, 0x84, 0xe4, 0x03, 0x1a, 0xea, 0xd6, 0xae, 0xf4, 0x36, 0xcc, 0x64, 0xe6, 0x66, 0x36, 0x73,
	0xf3, 0x68, 0x2f, 0x88, 0xb6, 0x7b, 0xba, 0x54, 0xf7, 0xbf, 0x39, 0xcb, 0xd1, 0x24, 0xdc, 0x87,
	0xda, 0x95, 0x50, 0xc4, 0xa6, 0x54, 0x77, 0xf4, 0x26, 0x99, 0xea, 0x9c, 0x73, 0xc8, 0xa6, 0x14,
	0xef, 0x03, 0xbe, 0x12, 0x61, 0x41, 0x44, 0x65, 0x4c, 0x7c, 0xdd, 0xf4, 0x9b, 0x84, 0xd6, 0xe6,
	0xbc, 0xbd, 0x94, 0xd6, 0xf9, 0x8a, 0x00, 0x6c, 0x16, 0x8c, 0xfa, 0x3c, 0x18, 0xb3, 0x09, 0x7e,
	0x0e, 0xb5, 0x90, 0x9f, 0xc8, 0x21, 0xf5, 0xb2, 0x91, 0x27, 0x75, 0xb6, 0x6f, 0x5a, 0x21, 0xbd,
	0x39, 0xef, 0xf4, 0xe6, 0x54, 0x13, 0x85, 0x6c, 0x1f, 0x1f, 0x40, 0x79, 0x2c, 0x29, 0x1d, 0xb0,
	0x60, 0x94, 0x56, 0xdb, 0x58, 0x30, 0x69, 0x73, 0xee, 0x27, 0x16, 0xe7, 0xb9, 0xf8, 0xb1, 0xb2,
	0xa2, 0x5e, 0xf0, 0xb8, 0x88, 0x18, 0x0f, 0x42, 0xa3, 0xd0, 0x2e, 0x74, 0x57, 0x7a, 0xad, 0x3f,
	0x5a, 0x39, 0xd0, 0x79, 0xea, 0xfd, 0xab, 0x5b, 0xd8, 0x79, 0x8f, 0xa0, 0x94, 0x79, 0xd9, 0x9b,
	0x6b, 0xfe, 0x63, 0x79, 0xbb, 0xb9, 0x4c, 0x36, 0x93, 0xba, 0x07, 0x45, 0xc1, 0x44, 0x36, 0xc0,
	0xf5, 0xdf, 0x08, 0xa8, 0xcf, 0xbb, 0x9b, 0x73, 0x75, 0x9a, 0x5d, 0x9b, 0x7f, 0xa2, 0x64, 0xc7,
	0xce, 0x11, 0x54, 0xfa, 0x6c, 0x24, 0x5d, 0x12, 0x4c, 0x28, 0x36, 0xa1, 0x96, 0x46, 0x3d, 0x21,
	0xe9, 0x98, 0x9d, 0xfe, 0xfa, 0xd9, 0xab, 0x69, 0xd8, 0xd1, 0x51, 0xfc, 0x08, 0x20, 0xc9, 0xf3,
	0x7c, 0x1a, 0xfc, 0xcd, 0x0e, 0xe9, 0xf1, 0x6c, 0x15, 0x8c, 0x37, 0xc8, 0xad, 0x24, 0xcc, 0xa7,
	0x34, 0xb0, 0x77, 0x3e, 0xce, 0x9a, 0xe8, 0xd3, 0xac, 0x89, 0x3e, 0xcf, 0x9a, 0xe8, 0xdb, 0xac,
	0x89, 0xa0, 0xc5, 0x78, 0x52, 0x89, 0x90, 0xfc, 0xf4, 0x6c, 0xb1, 0x28, 0x7b, 0x75, 0x27, 0x33,
	0xc2, 0x23, 0xee, 0xa0, 0xc1, 0xb2, 0x7e, 0x6d, 0xfb, 0x67, 0x00, 0x00, 0x00, 0xff, 0xff, 0xed,
	0x28, 0x0a, 0x59, 0x4e, 0x05, 0x00, 0x00,
}

func (this *Pipe) Equal(that interface{}) bool {
	if that == nil {
		return this == nil
	}

	that1, ok := that.(*Pipe)
	if !ok {
		that2, ok := that.(Pipe)
		if ok {
			that1 = &that2
		} else {
			return false
		}
	}
	if that1 == nil {
		return this == nil
	} else if this == nil {
		return false
	}
	if this.Path != that1.Path {
		return false
	}
	if !bytes.Equal(this.XXX_unrecognized, that1.XXX_unrecognized) {
		return false
	}
	return true
}
func (this *SocketAddress) Equal(that interface{}) bool {
	if that == nil {
		return this == nil
	}

	that1, ok := that.(*SocketAddress)
	if !ok {
		that2, ok := that.(SocketAddress)
		if ok {
			that1 = &that2
		} else {
			return false
		}
	}
	if that1 == nil {
		return this == nil
	} else if this == nil {
		return false
	}
	if this.Protocol != that1.Protocol {
		return false
	}
	if this.Address != that1.Address {
		return false
	}
	if that1.PortSpecifier == nil {
		if this.PortSpecifier != nil {
			return false
		}
	} else if this.PortSpecifier == nil {
		return false
	} else if !this.PortSpecifier.Equal(that1.PortSpecifier) {
		return false
	}
	if this.ResolverName != that1.ResolverName {
		return false
	}
	if this.Ipv4Compat != that1.Ipv4Compat {
		return false
	}
	if !bytes.Equal(this.XXX_unrecognized, that1.XXX_unrecognized) {
		return false
	}
	return true
}
func (this *SocketAddress_PortValue) Equal(that interface{}) bool {
	if that == nil {
		return this == nil
	}

	that1, ok := that.(*SocketAddress_PortValue)
	if !ok {
		that2, ok := that.(SocketAddress_PortValue)
		if ok {
			that1 = &that2
		} else {
			return false
		}
	}
	if that1 == nil {
		return this == nil
	} else if this == nil {
		return false
	}
	if this.PortValue != that1.PortValue {
		return false
	}
	return true
}
func (this *SocketAddress_NamedPort) Equal(that interface{}) bool {
	if that == nil {
		return this == nil
	}

	that1, ok := that.(*SocketAddress_NamedPort)
	if !ok {
		that2, ok := that.(SocketAddress_NamedPort)
		if ok {
			that1 = &that2
		} else {
			return false
		}
	}
	if that1 == nil {
		return this == nil
	} else if this == nil {
		return false
	}
	if this.NamedPort != that1.NamedPort {
		return false
	}
	return true
}
func (this *TcpKeepalive) Equal(that interface{}) bool {
	if that == nil {
		return this == nil
	}

	that1, ok := that.(*TcpKeepalive)
	if !ok {
		that2, ok := that.(TcpKeepalive)
		if ok {
			that1 = &that2
		} else {
			return false
		}
	}
	if that1 == nil {
		return this == nil
	} else if this == nil {
		return false
	}
	if !this.KeepaliveProbes.Equal(that1.KeepaliveProbes) {
		return false
	}
	if !this.KeepaliveTime.Equal(that1.KeepaliveTime) {
		return false
	}
	if !this.KeepaliveInterval.Equal(that1.KeepaliveInterval) {
		return false
	}
	if !bytes.Equal(this.XXX_unrecognized, that1.XXX_unrecognized) {
		return false
	}
	return true
}
func (this *BindConfig) Equal(that interface{}) bool {
	if that == nil {
		return this == nil
	}

	that1, ok := that.(*BindConfig)
	if !ok {
		that2, ok := that.(BindConfig)
		if ok {
			that1 = &that2
		} else {
			return false
		}
	}
	if that1 == nil {
		return this == nil
	} else if this == nil {
		return false
	}
	if !this.SourceAddress.Equal(that1.SourceAddress) {
		return false
	}
	if !this.Freebind.Equal(that1.Freebind) {
		return false
	}
	if len(this.SocketOptions) != len(that1.SocketOptions) {
		return false
	}
	for i := range this.SocketOptions {
		if !this.SocketOptions[i].Equal(that1.SocketOptions[i]) {
			return false
		}
	}
	if !bytes.Equal(this.XXX_unrecognized, that1.XXX_unrecognized) {
		return false
	}
	return true
}
func (this *Address) Equal(that interface{}) bool {
	if that == nil {
		return this == nil
	}

	that1, ok := that.(*Address)
	if !ok {
		that2, ok := that.(Address)
		if ok {
			that1 = &that2
		} else {
			return false
		}
	}
	if that1 == nil {
		return this == nil
	} else if this == nil {
		return false
	}
	if that1.Address == nil {
		if this.Address != nil {
			return false
		}
	} else if this.Address == nil {
		return false
	} else if !this.Address.Equal(that1.Address) {
		return false
	}
	if !bytes.Equal(this.XXX_unrecognized, that1.XXX_unrecognized) {
		return false
	}
	return true
}
func (this *Address_SocketAddress) Equal(that interface{}) bool {
	if that == nil {
		return this == nil
	}

	that1, ok := that.(*Address_SocketAddress)
	if !ok {
		that2, ok := that.(Address_SocketAddress)
		if ok {
			that1 = &that2
		} else {
			return false
		}
	}
	if that1 == nil {
		return this == nil
	} else if this == nil {
		return false
	}
	if !this.SocketAddress.Equal(that1.SocketAddress) {
		return false
	}
	return true
}
func (this *Address_Pipe) Equal(that interface{}) bool {
	if that == nil {
		return this == nil
	}

	that1, ok := that.(*Address_Pipe)
	if !ok {
		that2, ok := that.(Address_Pipe)
		if ok {
			that1 = &that2
		} else {
			return false
		}
	}
	if that1 == nil {
		return this == nil
	} else if this == nil {
		return false
	}
	if !this.Pipe.Equal(that1.Pipe) {
		return false
	}
	return true
}
func (this *CidrRange) Equal(that interface{}) bool {
	if that == nil {
		return this == nil
	}

	that1, ok := that.(*CidrRange)
	if !ok {
		that2, ok := that.(CidrRange)
		if ok {
			that1 = &that2
		} else {
			return false
		}
	}
	if that1 == nil {
		return this == nil
	} else if this == nil {
		return false
	}
	if this.AddressPrefix != that1.AddressPrefix {
		return false
	}
	if !this.PrefixLen.Equal(that1.PrefixLen) {
		return false
	}
	if !bytes.Equal(this.XXX_unrecognized, that1.XXX_unrecognized) {
		return false
	}
	return true
}
func (m *Pipe) Marshal() (dAtA []byte, err error) {
	size := m.Size()
	dAtA = make([]byte, size)
	n, err := m.MarshalTo(dAtA)
	if err != nil {
		return nil, err
	}
	return dAtA[:n], nil
}

func (m *Pipe) MarshalTo(dAtA []byte) (int, error) {
	var i int
	_ = i
	var l int
	_ = l
	if len(m.Path) > 0 {
		dAtA[i] = 0xa
		i++
		i = encodeVarintAddress(dAtA, i, uint64(len(m.Path)))
		i += copy(dAtA[i:], m.Path)
	}
	if m.XXX_unrecognized != nil {
		i += copy(dAtA[i:], m.XXX_unrecognized)
	}
	return i, nil
}

func (m *SocketAddress) Marshal() (dAtA []byte, err error) {
	size := m.Size()
	dAtA = make([]byte, size)
	n, err := m.MarshalTo(dAtA)
	if err != nil {
		return nil, err
	}
	return dAtA[:n], nil
}

func (m *SocketAddress) MarshalTo(dAtA []byte) (int, error) {
	var i int
	_ = i
	var l int
	_ = l
	if m.Protocol != 0 {
		dAtA[i] = 0x8
		i++
		i = encodeVarintAddress(dAtA, i, uint64(m.Protocol))
	}
	if len(m.Address) > 0 {
		dAtA[i] = 0x12
		i++
		i = encodeVarintAddress(dAtA, i, uint64(len(m.Address)))
		i += copy(dAtA[i:], m.Address)
	}
	if m.PortSpecifier != nil {
		nn1, err1 := m.PortSpecifier.MarshalTo(dAtA[i:])
		if err1 != nil {
			return 0, err1
		}
		i += nn1
	}
	if len(m.ResolverName) > 0 {
		dAtA[i] = 0x2a
		i++
		i = encodeVarintAddress(dAtA, i, uint64(len(m.ResolverName)))
		i += copy(dAtA[i:], m.ResolverName)
	}
	if m.Ipv4Compat {
		dAtA[i] = 0x30
		i++
		if m.Ipv4Compat {
			dAtA[i] = 1
		} else {
			dAtA[i] = 0
		}
		i++
	}
	if m.XXX_unrecognized != nil {
		i += copy(dAtA[i:], m.XXX_unrecognized)
	}
	return i, nil
}

func (m *SocketAddress_PortValue) MarshalTo(dAtA []byte) (int, error) {
	i := 0
	dAtA[i] = 0x18
	i++
	i = encodeVarintAddress(dAtA, i, uint64(m.PortValue))
	return i, nil
}
func (m *SocketAddress_NamedPort) MarshalTo(dAtA []byte) (int, error) {
	i := 0
	dAtA[i] = 0x22
	i++
	i = encodeVarintAddress(dAtA, i, uint64(len(m.NamedPort)))
	i += copy(dAtA[i:], m.NamedPort)
	return i, nil
}
func (m *TcpKeepalive) Marshal() (dAtA []byte, err error) {
	size := m.Size()
	dAtA = make([]byte, size)
	n, err := m.MarshalTo(dAtA)
	if err != nil {
		return nil, err
	}
	return dAtA[:n], nil
}

func (m *TcpKeepalive) MarshalTo(dAtA []byte) (int, error) {
	var i int
	_ = i
	var l int
	_ = l
	if m.KeepaliveProbes != nil {
		dAtA[i] = 0xa
		i++
		i = encodeVarintAddress(dAtA, i, uint64(m.KeepaliveProbes.Size()))
		n2, err2 := m.KeepaliveProbes.MarshalTo(dAtA[i:])
		if err2 != nil {
			return 0, err2
		}
		i += n2
	}
	if m.KeepaliveTime != nil {
		dAtA[i] = 0x12
		i++
		i = encodeVarintAddress(dAtA, i, uint64(m.KeepaliveTime.Size()))
		n3, err3 := m.KeepaliveTime.MarshalTo(dAtA[i:])
		if err3 != nil {
			return 0, err3
		}
		i += n3
	}
	if m.KeepaliveInterval != nil {
		dAtA[i] = 0x1a
		i++
		i = encodeVarintAddress(dAtA, i, uint64(m.KeepaliveInterval.Size()))
		n4, err4 := m.KeepaliveInterval.MarshalTo(dAtA[i:])
		if err4 != nil {
			return 0, err4
		}
		i += n4
	}
	if m.XXX_unrecognized != nil {
		i += copy(dAtA[i:], m.XXX_unrecognized)
	}
	return i, nil
}

func (m *BindConfig) Marshal() (dAtA []byte, err error) {
	size := m.Size()
	dAtA = make([]byte, size)
	n, err := m.MarshalTo(dAtA)
	if err != nil {
		return nil, err
	}
	return dAtA[:n], nil
}

func (m *BindConfig) MarshalTo(dAtA []byte) (int, error) {
	var i int
	_ = i
	var l int
	_ = l
	if m.SourceAddress != nil {
		dAtA[i] = 0xa
		i++
		i = encodeVarintAddress(dAtA, i, uint64(m.SourceAddress.Size()))
		n5, err5 := m.SourceAddress.MarshalTo(dAtA[i:])
		if err5 != nil {
			return 0, err5
		}
		i += n5
	}
	if m.Freebind != nil {
		dAtA[i] = 0x12
		i++
		i = encodeVarintAddress(dAtA, i, uint64(m.Freebind.Size()))
		n6, err6 := m.Freebind.MarshalTo(dAtA[i:])
		if err6 != nil {
			return 0, err6
		}
		i += n6
	}
	if len(m.SocketOptions) > 0 {
		for _, msg := range m.SocketOptions {
			dAtA[i] = 0x1a
			i++
			i = encodeVarintAddress(dAtA, i, uint64(msg.Size()))
			n, err := msg.MarshalTo(dAtA[i:])
			if err != nil {
				return 0, err
			}
			i += n
		}
	}
	if m.XXX_unrecognized != nil {
		i += copy(dAtA[i:], m.XXX_unrecognized)
	}
	return i, nil
}

func (m *Address) Marshal() (dAtA []byte, err error) {
	size := m.Size()
	dAtA = make([]byte, size)
	n, err := m.MarshalTo(dAtA)
	if err != nil {
		return nil, err
	}
	return dAtA[:n], nil
}

func (m *Address) MarshalTo(dAtA []byte) (int, error) {
	var i int
	_ = i
	var l int
	_ = l
	if m.Address != nil {
		nn7, err7 := m.Address.MarshalTo(dAtA[i:])
		if err7 != nil {
			return 0, err7
		}
		i += nn7
	}
	if m.XXX_unrecognized != nil {
		i += copy(dAtA[i:], m.XXX_unrecognized)
	}
	return i, nil
}

func (m *Address_SocketAddress) MarshalTo(dAtA []byte) (int, error) {
	i := 0
	if m.SocketAddress != nil {
		dAtA[i] = 0xa
		i++
		i = encodeVarintAddress(dAtA, i, uint64(m.SocketAddress.Size()))
		n8, err8 := m.SocketAddress.MarshalTo(dAtA[i:])
		if err8 != nil {
			return 0, err8
		}
		i += n8
	}
	return i, nil
}
func (m *Address_Pipe) MarshalTo(dAtA []byte) (int, error) {
	i := 0
	if m.Pipe != nil {
		dAtA[i] = 0x12
		i++
		i = encodeVarintAddress(dAtA, i, uint64(m.Pipe.Size()))
		n9, err9 := m.Pipe.MarshalTo(dAtA[i:])
		if err9 != nil {
			return 0, err9
		}
		i += n9
	}
	return i, nil
}
func (m *CidrRange) Marshal() (dAtA []byte, err error) {
	size := m.Size()
	dAtA = make([]byte, size)
	n, err := m.MarshalTo(dAtA)
	if err != nil {
		return nil, err
	}
	return dAtA[:n], nil
}

func (m *CidrRange) MarshalTo(dAtA []byte) (int, error) {
	var i int
	_ = i
	var l int
	_ = l
	if len(m.AddressPrefix) > 0 {
		dAtA[i] = 0xa
		i++
		i = encodeVarintAddress(dAtA, i, uint64(len(m.AddressPrefix)))
		i += copy(dAtA[i:], m.AddressPrefix)
	}
	if m.PrefixLen != nil {
		dAtA[i] = 0x12
		i++
		i = encodeVarintAddress(dAtA, i, uint64(m.PrefixLen.Size()))
		n10, err10 := m.PrefixLen.MarshalTo(dAtA[i:])
		if err10 != nil {
			return 0, err10
		}
		i += n10
	}
	if m.XXX_unrecognized != nil {
		i += copy(dAtA[i:], m.XXX_unrecognized)
	}
	return i, nil
}

func encodeVarintAddress(dAtA []byte, offset int, v uint64) int {
	for v >= 1<<7 {
		dAtA[offset] = uint8(v&0x7f | 0x80)
		v >>= 7
		offset++
	}
	dAtA[offset] = uint8(v)
	return offset + 1
}
func (m *Pipe) Size() (n int) {
	if m == nil {
		return 0
	}
	var l int
	_ = l
	l = len(m.Path)
	if l > 0 {
		n += 1 + l + sovAddress(uint64(l))
	}
	if m.XXX_unrecognized != nil {
		n += len(m.XXX_unrecognized)
	}
	return n
}

func (m *SocketAddress) Size() (n int) {
	if m == nil {
		return 0
	}
	var l int
	_ = l
	if m.Protocol != 0 {
		n += 1 + sovAddress(uint64(m.Protocol))
	}
	l = len(m.Address)
	if l > 0 {
		n += 1 + l + sovAddress(uint64(l))
	}
	if m.PortSpecifier != nil {
		n += m.PortSpecifier.Size()
	}
	l = len(m.ResolverName)
	if l > 0 {
		n += 1 + l + sovAddress(uint64(l))
	}
	if m.Ipv4Compat {
		n += 2
	}
	if m.XXX_unrecognized != nil {
		n += len(m.XXX_unrecognized)
	}
	return n
}

func (m *SocketAddress_PortValue) Size() (n int) {
	if m == nil {
		return 0
	}
	var l int
	_ = l
	n += 1 + sovAddress(uint64(m.PortValue))
	return n
}
func (m *SocketAddress_NamedPort) Size() (n int) {
	if m == nil {
		return 0
	}
	var l int
	_ = l
	l = len(m.NamedPort)
	n += 1 + l + sovAddress(uint64(l))
	return n
}
func (m *TcpKeepalive) Size() (n int) {
	if m == nil {
		return 0
	}
	var l int
	_ = l
	if m.KeepaliveProbes != nil {
		l = m.KeepaliveProbes.Size()
		n += 1 + l + sovAddress(uint64(l))
	}
	if m.KeepaliveTime != nil {
		l = m.KeepaliveTime.Size()
		n += 1 + l + sovAddress(uint64(l))
	}
	if m.KeepaliveInterval != nil {
		l = m.KeepaliveInterval.Size()
		n += 1 + l + sovAddress(uint64(l))
	}
	if m.XXX_unrecognized != nil {
		n += len(m.XXX_unrecognized)
	}
	return n
}

func (m *BindConfig) Size() (n int) {
	if m == nil {
		return 0
	}
	var l int
	_ = l
	if m.SourceAddress != nil {
		l = m.SourceAddress.Size()
		n += 1 + l + sovAddress(uint64(l))
	}
	if m.Freebind != nil {
		l = m.Freebind.Size()
		n += 1 + l + sovAddress(uint64(l))
	}
	if len(m.SocketOptions) > 0 {
		for _, e := range m.SocketOptions {
			l = e.Size()
			n += 1 + l + sovAddress(uint64(l))
		}
	}
	if m.XXX_unrecognized != nil {
		n += len(m.XXX_unrecognized)
	}
	return n
}

func (m *Address) Size() (n int) {
	if m == nil {
		return 0
	}
	var l int
	_ = l
	if m.Address != nil {
		n += m.Address.Size()
	}
	if m.XXX_unrecognized != nil {
		n += len(m.XXX_unrecognized)
	}
	return n
}

func (m *Address_SocketAddress) Size() (n int) {
	if m == nil {
		return 0
	}
	var l int
	_ = l
	if m.SocketAddress != nil {
		l = m.SocketAddress.Size()
		n += 1 + l + sovAddress(uint64(l))
	}
	return n
}
func (m *Address_Pipe) Size() (n int) {
	if m == nil {
		return 0
	}
	var l int
	_ = l
	if m.Pipe != nil {
		l = m.Pipe.Size()
		n += 1 + l + sovAddress(uint64(l))
	}
	return n
}
func (m *CidrRange) Size() (n int) {
	if m == nil {
		return 0
	}
	var l int
	_ = l
	l = len(m.AddressPrefix)
	if l > 0 {
		n += 1 + l + sovAddress(uint64(l))
	}
	if m.PrefixLen != nil {
		l = m.PrefixLen.Size()
		n += 1 + l + sovAddress(uint64(l))
	}
	if m.XXX_unrecognized != nil {
		n += len(m.XXX_unrecognized)
	}
	return n
}

func sovAddress(x uint64) (n int) {
	return (math_bits.Len64(x|1) + 6) / 7
}
func sozAddress(x uint64) (n int) {
	return sovAddress(uint64((x << 1) ^ uint64((int64(x) >> 63))))
}
func (m *Pipe) Unmarshal(dAtA []byte) error {
	l := len(dAtA)
	iNdEx := 0
	for iNdEx < l {
		preIndex := iNdEx
		var wire uint64
		for shift := uint(0); ; shift += 7 {
			if shift >= 64 {
				return ErrIntOverflowAddress
			}
			if iNdEx >= l {
				return io.ErrUnexpectedEOF
			}
			b := dAtA[iNdEx]
			iNdEx++
			wire |= uint64(b&0x7F) << shift
			if b < 0x80 {
				break
			}
		}
		fieldNum := int32(wire >> 3)
		wireType := int(wire & 0x7)
		if wireType == 4 {
			return fmt.Errorf("proto: Pipe: wiretype end group for non-group")
		}
		if fieldNum <= 0 {
			return fmt.Errorf("proto: Pipe: illegal tag %d (wire type %d)", fieldNum, wire)
		}
		switch fieldNum {
		case 1:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field Path", wireType)
			}
			var stringLen uint64
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowAddress
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				stringLen |= uint64(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			intStringLen := int(stringLen)
			if intStringLen < 0 {
				return ErrInvalidLengthAddress
			}
			postIndex := iNdEx + intStringLen
			if postIndex < 0 {
				return ErrInvalidLengthAddress
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			m.Path = string(dAtA[iNdEx:postIndex])
			iNdEx = postIndex
		default:
			iNdEx = preIndex
			skippy, err := skipAddress(dAtA[iNdEx:])
			if err != nil {
				return err
			}
			if skippy < 0 {
				return ErrInvalidLengthAddress
			}
			if (iNdEx + skippy) < 0 {
				return ErrInvalidLengthAddress
			}
			if (iNdEx + skippy) > l {
				return io.ErrUnexpectedEOF
			}
			m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...)
			iNdEx += skippy
		}
	}

	if iNdEx > l {
		return io.ErrUnexpectedEOF
	}
	return nil
}
func (m *SocketAddress) Unmarshal(dAtA []byte) error {
	l := len(dAtA)
	iNdEx := 0
	for iNdEx < l {
		preIndex := iNdEx
		var wire uint64
		for shift := uint(0); ; shift += 7 {
			if shift >= 64 {
				return ErrIntOverflowAddress
			}
			if iNdEx >= l {
				return io.ErrUnexpectedEOF
			}
			b := dAtA[iNdEx]
			iNdEx++
			wire |= uint64(b&0x7F) << shift
			if b < 0x80 {
				break
			}
		}
		fieldNum := int32(wire >> 3)
		wireType := int(wire & 0x7)
		if wireType == 4 {
			return fmt.Errorf("proto: SocketAddress: wiretype end group for non-group")
		}
		if fieldNum <= 0 {
			return fmt.Errorf("proto: SocketAddress: illegal tag %d (wire type %d)", fieldNum, wire)
		}
		switch fieldNum {
		case 1:
			if wireType != 0 {
				return fmt.Errorf("proto: wrong wireType = %d for field Protocol", wireType)
			}
			m.Protocol = 0
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowAddress
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				m.Protocol |= SocketAddress_Protocol(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
		case 2:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field Address", wireType)
			}
			var stringLen uint64
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowAddress
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				stringLen |= uint64(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			intStringLen := int(stringLen)
			if intStringLen < 0 {
				return ErrInvalidLengthAddress
			}
			postIndex := iNdEx + intStringLen
			if postIndex < 0 {
				return ErrInvalidLengthAddress
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			m.Address = string(dAtA[iNdEx:postIndex])
			iNdEx = postIndex
		case 3:
			if wireType != 0 {
				return fmt.Errorf("proto: wrong wireType = %d for field PortValue", wireType)
			}
			var v uint32
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowAddress
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				v |= uint32(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			m.PortSpecifier = &SocketAddress_PortValue{v}
		case 4:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field NamedPort", wireType)
			}
			var stringLen uint64
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowAddress
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				stringLen |= uint64(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			intStringLen := int(stringLen)
			if intStringLen < 0 {
				return ErrInvalidLengthAddress
			}
			postIndex := iNdEx + intStringLen
			if postIndex < 0 {
				return ErrInvalidLengthAddress
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			m.PortSpecifier = &SocketAddress_NamedPort{string(dAtA[iNdEx:postIndex])}
			iNdEx = postIndex
		case 5:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field ResolverName", wireType)
			}
			var stringLen uint64
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowAddress
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				stringLen |= uint64(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			intStringLen := int(stringLen)
			if intStringLen < 0 {
				return ErrInvalidLengthAddress
			}
			postIndex := iNdEx + intStringLen
			if postIndex < 0 {
				return ErrInvalidLengthAddress
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			m.ResolverName = string(dAtA[iNdEx:postIndex])
			iNdEx = postIndex
		case 6:
			if wireType != 0 {
				return fmt.Errorf("proto: wrong wireType = %d for field Ipv4Compat", wireType)
			}
			var v int
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowAddress
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				v |= int(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			m.Ipv4Compat = bool(v != 0)
		default:
			iNdEx = preIndex
			skippy, err := skipAddress(dAtA[iNdEx:])
			if err != nil {
				return err
			}
			if skippy < 0 {
				return ErrInvalidLengthAddress
			}
			if (iNdEx + skippy) < 0 {
				return ErrInvalidLengthAddress
			}
			if (iNdEx + skippy) > l {
				return io.ErrUnexpectedEOF
			}
			m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...)
			iNdEx += skippy
		}
	}

	if iNdEx > l {
		return io.ErrUnexpectedEOF
	}
	return nil
}
func (m *TcpKeepalive) Unmarshal(dAtA []byte) error {
	l := len(dAtA)
	iNdEx := 0
	for iNdEx < l {
		preIndex := iNdEx
		var wire uint64
		for shift := uint(0); ; shift += 7 {
			if shift >= 64 {
				return ErrIntOverflowAddress
			}
			if iNdEx >= l {
				return io.ErrUnexpectedEOF
			}
			b := dAtA[iNdEx]
			iNdEx++
			wire |= uint64(b&0x7F) << shift
			if b < 0x80 {
				break
			}
		}
		fieldNum := int32(wire >> 3)
		wireType := int(wire & 0x7)
		if wireType == 4 {
			return fmt.Errorf("proto: TcpKeepalive: wiretype end group for non-group")
		}
		if fieldNum <= 0 {
			return fmt.Errorf("proto: TcpKeepalive: illegal tag %d (wire type %d)", fieldNum, wire)
		}
		switch fieldNum {
		case 1:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field KeepaliveProbes", wireType)
			}
			var msglen int
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowAddress
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				msglen |= int(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			if msglen < 0 {
				return ErrInvalidLengthAddress
			}
			postIndex := iNdEx + msglen
			if postIndex < 0 {
				return ErrInvalidLengthAddress
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			if m.KeepaliveProbes == nil {
				m.KeepaliveProbes = &types.UInt32Value{}
			}
			if err := m.KeepaliveProbes.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
				return err
			}
			iNdEx = postIndex
		case 2:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field KeepaliveTime", wireType)
			}
			var msglen int
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowAddress
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				msglen |= int(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			if msglen < 0 {
				return ErrInvalidLengthAddress
			}
			postIndex := iNdEx + msglen
			if postIndex < 0 {
				return ErrInvalidLengthAddress
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			if m.KeepaliveTime == nil {
				m.KeepaliveTime = &types.UInt32Value{}
			}
			if err := m.KeepaliveTime.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
				return err
			}
			iNdEx = postIndex
		case 3:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field KeepaliveInterval", wireType)
			}
			var msglen int
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowAddress
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				msglen |= int(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			if msglen < 0 {
				return ErrInvalidLengthAddress
			}
			postIndex := iNdEx + msglen
			if postIndex < 0 {
				return ErrInvalidLengthAddress
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			if m.KeepaliveInterval == nil {
				m.KeepaliveInterval = &types.UInt32Value{}
			}
			if err := m.KeepaliveInterval.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
				return err
			}
			iNdEx = postIndex
		default:
			iNdEx = preIndex
			skippy, err := skipAddress(dAtA[iNdEx:])
			if err != nil {
				return err
			}
			if skippy < 0 {
				return ErrInvalidLengthAddress
			}
			if (iNdEx + skippy) < 0 {
				return ErrInvalidLengthAddress
			}
			if (iNdEx + skippy) > l {
				return io.ErrUnexpectedEOF
			}
			m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...)
			iNdEx += skippy
		}
	}

	if iNdEx > l {
		return io.ErrUnexpectedEOF
	}
	return nil
}
func (m *BindConfig) Unmarshal(dAtA []byte) error {
	l := len(dAtA)
	iNdEx := 0
	for iNdEx < l {
		preIndex := iNdEx
		var wire uint64
		for shift := uint(0); ; shift += 7 {
			if shift >= 64 {
				return ErrIntOverflowAddress
			}
			if iNdEx >= l {
				return io.ErrUnexpectedEOF
			}
			b := dAtA[iNdEx]
			iNdEx++
			wire |= uint64(b&0x7F) << shift
			if b < 0x80 {
				break
			}
		}
		fieldNum := int32(wire >> 3)
		wireType := int(wire & 0x7)
		if wireType == 4 {
			return fmt.Errorf("proto: BindConfig: wiretype end group for non-group")
		}
		if fieldNum <= 0 {
			return fmt.Errorf("proto: BindConfig: illegal tag %d (wire type %d)", fieldNum, wire)
		}
		switch fieldNum {
		case 1:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field SourceAddress", wireType)
			}
			var msglen int
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowAddress
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				msglen |= int(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			if msglen < 0 {
				return ErrInvalidLengthAddress
			}
			postIndex := iNdEx + msglen
			if postIndex < 0 {
				return ErrInvalidLengthAddress
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			if m.SourceAddress == nil {
				m.SourceAddress = &SocketAddress{}
			}
			if err := m.SourceAddress.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
				return err
			}
			iNdEx = postIndex
		case 2:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field Freebind", wireType)
			}
			var msglen int
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowAddress
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				msglen |= int(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			if msglen < 0 {
				return ErrInvalidLengthAddress
			}
			postIndex := iNdEx + msglen
			if postIndex < 0 {
				return ErrInvalidLengthAddress
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			if m.Freebind == nil {
				m.Freebind = &types.BoolValue{}
			}
			if err := m.Freebind.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
				return err
			}
			iNdEx = postIndex
		case 3:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field SocketOptions", wireType)
			}
			var msglen int
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowAddress
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				msglen |= int(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			if msglen < 0 {
				return ErrInvalidLengthAddress
			}
			postIndex := iNdEx + msglen
			if postIndex < 0 {
				return ErrInvalidLengthAddress
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			m.SocketOptions = append(m.SocketOptions, &SocketOption{})
			if err := m.SocketOptions[len(m.SocketOptions)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
				return err
			}
			iNdEx = postIndex
		default:
			iNdEx = preIndex
			skippy, err := skipAddress(dAtA[iNdEx:])
			if err != nil {
				return err
			}
			if skippy < 0 {
				return ErrInvalidLengthAddress
			}
			if (iNdEx + skippy) < 0 {
				return ErrInvalidLengthAddress
			}
			if (iNdEx + skippy) > l {
				return io.ErrUnexpectedEOF
			}
			m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...)
			iNdEx += skippy
		}
	}

	if iNdEx > l {
		return io.ErrUnexpectedEOF
	}
	return nil
}
func (m *Address) Unmarshal(dAtA []byte) error {
	l := len(dAtA)
	iNdEx := 0
	for iNdEx < l {
		preIndex := iNdEx
		var wire uint64
		for shift := uint(0); ; shift += 7 {
			if shift >= 64 {
				return ErrIntOverflowAddress
			}
			if iNdEx >= l {
				return io.ErrUnexpectedEOF
			}
			b := dAtA[iNdEx]
			iNdEx++
			wire |= uint64(b&0x7F) << shift
			if b < 0x80 {
				break
			}
		}
		fieldNum := int32(wire >> 3)
		wireType := int(wire & 0x7)
		if wireType == 4 {
			return fmt.Errorf("proto: Address: wiretype end group for non-group")
		}
		if fieldNum <= 0 {
			return fmt.Errorf("proto: Address: illegal tag %d (wire type %d)", fieldNum, wire)
		}
		switch fieldNum {
		case 1:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field SocketAddress", wireType)
			}
			var msglen int
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowAddress
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				msglen |= int(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			if msglen < 0 {
				return ErrInvalidLengthAddress
			}
			postIndex := iNdEx + msglen
			if postIndex < 0 {
				return ErrInvalidLengthAddress
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			v := &SocketAddress{}
			if err := v.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
				return err
			}
			m.Address = &Address_SocketAddress{v}
			iNdEx = postIndex
		case 2:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field Pipe", wireType)
			}
			var msglen int
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowAddress
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				msglen |= int(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			if msglen < 0 {
				return ErrInvalidLengthAddress
			}
			postIndex := iNdEx + msglen
			if postIndex < 0 {
				return ErrInvalidLengthAddress
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			v := &Pipe{}
			if err := v.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
				return err
			}
			m.Address = &Address_Pipe{v}
			iNdEx = postIndex
		default:
			iNdEx = preIndex
			skippy, err := skipAddress(dAtA[iNdEx:])
			if err != nil {
				return err
			}
			if skippy < 0 {
				return ErrInvalidLengthAddress
			}
			if (iNdEx + skippy) < 0 {
				return ErrInvalidLengthAddress
			}
			if (iNdEx + skippy) > l {
				return io.ErrUnexpectedEOF
			}
			m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...)
			iNdEx += skippy
		}
	}

	if iNdEx > l {
		return io.ErrUnexpectedEOF
	}
	return nil
}
func (m *CidrRange) Unmarshal(dAtA []byte) error {
	l := len(dAtA)
	iNdEx := 0
	for iNdEx < l {
		preIndex := iNdEx
		var wire uint64
		for shift := uint(0); ; shift += 7 {
			if shift >= 64 {
				return ErrIntOverflowAddress
			}
			if iNdEx >= l {
				return io.ErrUnexpectedEOF
			}
			b := dAtA[iNdEx]
			iNdEx++
			wire |= uint64(b&0x7F) << shift
			if b < 0x80 {
				break
			}
		}
		fieldNum := int32(wire >> 3)
		wireType := int(wire & 0x7)
		if wireType == 4 {
			return fmt.Errorf("proto: CidrRange: wiretype end group for non-group")
		}
		if fieldNum <= 0 {
			return fmt.Errorf("proto: CidrRange: illegal tag %d (wire type %d)", fieldNum, wire)
		}
		switch fieldNum {
		case 1:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field AddressPrefix", wireType)
			}
			var stringLen uint64
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowAddress
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				stringLen |= uint64(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			intStringLen := int(stringLen)
			if intStringLen < 0 {
				return ErrInvalidLengthAddress
			}
			postIndex := iNdEx + intStringLen
			if postIndex < 0 {
				return ErrInvalidLengthAddress
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			m.AddressPrefix = string(dAtA[iNdEx:postIndex])
			iNdEx = postIndex
		case 2:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field PrefixLen", wireType)
			}
			var msglen int
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowAddress
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				msglen |= int(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			if msglen < 0 {
				return ErrInvalidLengthAddress
			}
			postIndex := iNdEx + msglen
			if postIndex < 0 {
				return ErrInvalidLengthAddress
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			if m.PrefixLen == nil {
				m.PrefixLen = &types.UInt32Value{}
			}
			if err := m.PrefixLen.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
				return err
			}
			iNdEx = postIndex
		default:
			iNdEx = preIndex
			skippy, err := skipAddress(dAtA[iNdEx:])
			if err != nil {
				return err
			}
			if skippy < 0 {
				return ErrInvalidLengthAddress
			}
			if (iNdEx + skippy) < 0 {
				return ErrInvalidLengthAddress
			}
			if (iNdEx + skippy) > l {
				return io.ErrUnexpectedEOF
			}
			m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...)
			iNdEx += skippy
		}
	}

	if iNdEx > l {
		return io.ErrUnexpectedEOF
	}
	return nil
}
func skipAddress(dAtA []byte) (n int, err error) {
	l := len(dAtA)
	iNdEx := 0
	for iNdEx < l {
		var wire uint64
		for shift := uint(0); ; shift += 7 {
			if shift >= 64 {
				return 0, ErrIntOverflowAddress
			}
			if iNdEx >= l {
				return 0, io.ErrUnexpectedEOF
			}
			b := dAtA[iNdEx]
			iNdEx++
			wire |= (uint64(b) & 0x7F) << shift
			if b < 0x80 {
				break
			}
		}
		wireType := int(wire & 0x7)
		switch wireType {
		case 0:
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return 0, ErrIntOverflowAddress
				}
				if iNdEx >= l {
					return 0, io.ErrUnexpectedEOF
				}
				iNdEx++
				if dAtA[iNdEx-1] < 0x80 {
					break
				}
			}
			return iNdEx, nil
		case 1:
			iNdEx += 8
			return iNdEx, nil
		case 2:
			var length int
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return 0, ErrIntOverflowAddress
				}
				if iNdEx >= l {
					return 0, io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				length |= (int(b) & 0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			if length < 0 {
				return 0, ErrInvalidLengthAddress
			}
			iNdEx += length
			if iNdEx < 0 {
				return 0, ErrInvalidLengthAddress
			}
			return iNdEx, nil
		case 3:
			for {
				var innerWire uint64
				var start int = iNdEx
				for shift := uint(0); ; shift += 7 {
					if shift >= 64 {
						return 0, ErrIntOverflowAddress
					}
					if iNdEx >= l {
						return 0, io.ErrUnexpectedEOF
					}
					b := dAtA[iNdEx]
					iNdEx++
					innerWire |= (uint64(b) & 0x7F) << shift
					if b < 0x80 {
						break
					}
				}
				innerWireType := int(innerWire & 0x7)
				if innerWireType == 4 {
					break
				}
				next, err := skipAddress(dAtA[start:])
				if err != nil {
					return 0, err
				}
				iNdEx = start + next
				if iNdEx < 0 {
					return 0, ErrInvalidLengthAddress
				}
			}
			return iNdEx, nil
		case 4:
			return iNdEx, nil
		case 5:
			iNdEx += 4
			return iNdEx, nil
		default:
			return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
		}
	}
	panic("unreachable")
}

var (
	ErrInvalidLengthAddress = fmt.Errorf("proto: negative length found during unmarshaling")
	ErrIntOverflowAddress   = fmt.Errorf("proto: integer overflow")
)


================================================
FILE: third_party/generated/envoyproxy/data-plane-api/envoy/api/v2/core/base.pb.go
================================================
// Code generated by protoc-gen-gogo. DO NOT EDIT.
// source: envoy/api/v2/core/base.proto

package core

import (
	bytes "bytes"
	fmt "fmt"
	_ "github.com/envoyproxy/protoc-gen-validate/validate"
	_ "github.com/gogo/protobuf/gogoproto"
	proto "github.com/gogo/protobuf/proto"
	github_com_gogo_protobuf_sortkeys "github.com/gogo/protobuf/sortkeys"
	types "github.com/gogo/protobuf/types"
	_type "go.aporeto.io/trireme-lib/third_party/generated/envoyproxy/data-plane-api/envoy/type"
	io "io"
	math "math"
	math_bits "math/bits"
)

// Reference imports to suppress errors if they are not otherwise used.
var _ = proto.Marshal
var _ = fmt.Errorf
var _ = math.Inf

// This is a compile-time assertion to ensure that this generated file
// is compatible with the proto package it is being compiled against.
// A compilation error at this line likely means your copy of the
// proto package needs to be updated.
const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package

// Envoy supports :ref:`upstream priority routing
// <arch_overview_http_routing_priority>` both at the route and the virtual
// cluster level. The current priority implementation uses different connection
// pool and circuit breaking settings for each priority level. This means that
// even for HTTP/2 requests, two physical connections will be used to an
// upstream host. In the future Envoy will likely support true HTTP/2 priority
// over a single upstream connection.
type RoutingPriority int32

const (
	RoutingPriority_DEFAULT RoutingPriority = 0
	RoutingPriority_HIGH    RoutingPriority = 1
)

var RoutingPriority_name = map[int32]string{
	0: "DEFAULT",
	1: "HIGH",
}

var RoutingPriority_value = map[string]int32{
	"DEFAULT": 0,
	"HIGH":    1,
}

func (x RoutingPriority) String() string {
	return proto.EnumName(RoutingPriority_name, int32(x))
}

func (RoutingPriority) EnumDescriptor() ([]byte, []int) {
	return fileDescriptor_a7738c0f9e1bfff4, []int{0}
}

// HTTP request method.
type RequestMethod int32

const (
	METHOD_UNSPECIFIED RequestMethod = 0
	GET                RequestMethod = 1
	HEAD               RequestMethod = 2
	POST               RequestMethod = 3
	PUT                RequestMethod = 4
	DELETE             RequestMethod = 5
	CONNECT            RequestMethod = 6
	OPTIONS            RequestMethod = 7
	TRACE              RequestMethod = 8
	PATCH              RequestMethod = 9
)

var RequestMethod_name = map[int32]string{
	0: "METHOD_UNSPECIFIED",
	1: "GET",
	2: "HEAD",
	3: "POST",
	4: "PUT",
	5: "DELETE",
	6: "CONNECT",
	7: "OPTIONS",
	8: "TRACE",
	9: "PATCH",
}

var RequestMethod_value = map[string]int32{
	"METHOD_UNSPECIFIED": 0,
	"GET":                1,
	"HEAD":               2,
	"POST":               3,
	"PUT":                4,
	"DELETE":             5,
	"CONNECT":            6,
	"OPTIONS":            7,
	"TRACE":              8,
	"PATCH":              9,
}

func (x RequestMethod) String() string {
	return proto.EnumName(RequestMethod_name, int32(x))
}

func (RequestMethod) EnumDescriptor() ([]byte, []int) {
	return fileDescriptor_a7738c0f9e1bfff4, []int{1}
}

// Identifies the direction of the traffic relative to the local Envoy.
type TrafficDirection int32

const (
	// Default option is unspecified.
	TrafficDirection_UNSPECIFIED TrafficDirection = 0
	// The transport is used for incoming traffic.
	TrafficDirection_INBOUND TrafficDirection = 1
	// The transport is used for outgoing traffic.
	TrafficDirection_OUTBOUND TrafficDirection = 2
)

var TrafficDirection_name = map[int32]string{
	0: "UNSPECIFIED",
	1: "INBOUND",
	2: "OUTBOUND",
}

var TrafficDirection_value = map[string]int32{
	"UNSPECIFIED": 0,
	"INBOUND":     1,
	"OUTBOUND":    2,
}

func (x TrafficDirection) String() string {
	return proto.EnumName(TrafficDirection_name, int32(x))
}

func (TrafficDirection) EnumDescriptor() ([]byte, []int) {
	return fileDescriptor_a7738c0f9e1bfff4, []int{2}
}

type SocketOption_SocketState int32

const (
	// Socket options are applied after socket creation but before binding the socket to a port
	STATE_PREBIND SocketOption_SocketState = 0
	// Socket options are applied after binding the socket to a port but before calling listen()
	STATE_BOUND SocketOption_SocketState = 1
	// Socket options are applied after calling listen()
	STATE_LISTENING SocketOption_SocketState = 2
)

var SocketOption_SocketState_name = map[int32]string{
	0: "STATE_PREBIND",
	1: "STATE_BOUND",
	2: "STATE_LISTENING",
}

var SocketOption_SocketState_value = map[string]int32{
	"STATE_PREBIND":   0,
	"STATE_BOUND":     1,
	"STATE_LISTENING": 2,
}

func (x SocketOption_SocketState) String() string {
	return proto.EnumName(SocketOption_SocketState_name, int32(x))
}

func (SocketOption_SocketState) EnumDescriptor() ([]byte, []int) {
	return fileDescriptor_a7738c0f9e1bfff4, []int{11, 0}
}

// Identifies location of where either Envoy runs or where upstream hosts run.
type Locality struct {
	// Region this :ref:`zone <envoy_api_field_core.Locality.zone>` belongs to.
	Region string `protobuf:"bytes,1,opt,name=region,proto3" json:"region,omitempty"`
	// Defines the local service zone where Envoy is running. Though optional, it
	// should be set if discovery service routing is used and the discovery
	// service exposes :ref:`zone data <envoy_api_field_endpoint.LocalityLbEndpoints.locality>`,
	// either in this message or via :option:`--service-zone`. The meaning of zone
	// is context dependent, e.g. `Availability Zone (AZ)
	// <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html>`_
	// on AWS, `Zone <https://cloud.google.com/compute/docs/regions-zones/>`_ on
	// GCP, etc.
	Zone string `protobuf:"bytes,2,opt,name=zone,proto3" json:"zone,omitempty"`
	// When used for locality of upstream hosts, this field further splits zone
	// into smaller chunks of sub-zones so they can be load balanced
	// independently.
	SubZone              string   `protobuf:"bytes,3,opt,name=sub_zone,json=subZone,proto3" json:"sub_zone,omitempty"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

func (m *Locality) Reset()         { *m = Locality{} }
func (m *Locality) String() string { return proto.CompactTextString(m) }
func (*Locality) ProtoMessage()    {}
func (*Locality) Descriptor() ([]byte, []int) {
	return fileDescriptor_a7738c0f9e1bfff4, []int{0}
}
func (m *Locality) XXX_Unmarshal(b []byte) error {
	return m.Unmarshal(b)
}
func (m *Locality) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
	b = b[:cap(b)]
	n, err := m.MarshalTo(b)
	if err != nil {
		return nil, err
	}
	return b[:n], nil
}
func (m *Locality) XXX_Merge(src proto.Message) {
	xxx_messageInfo_Locality.Merge(m, src)
}
func (m *Locality) XXX_Size() int {
	return m.Size()
}
func (m *Locality) XXX_DiscardUnknown() {
	xxx_messageInfo_Locality.DiscardUnknown(m)
}

var xxx_messageInfo_Locality proto.InternalMessageInfo

func (m *Locality) GetRegion() string {
	if m != nil {
		return m.Region
	}
	return ""
}

func (m *Locality) GetZone() string {
	if m != nil {
		return m.Zone
	}
	return ""
}

func (m *Locality) GetSubZone() string {
	if m != nil {
		return m.SubZone
	}
	return ""
}

// Identifies a specific Envoy instance. The node identifier is presented to the
// management server, which may use this identifier to distinguish per Envoy
// configuration for serving.
type Node struct {
	// An opaque node identifier for the Envoy node. This also provides the local
	// service node name. It should be set if any of the following features are
	// used: :ref:`statsd <arch_overview_statistics>`, :ref:`CDS
	// <config_cluster_manager_cds>`, and :ref:`HTTP tracing
	// <arch_overview_tracing>`, either in this message or via
	// :option:`--service-node`.
	Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
	// Defines the local service cluster name where Envoy is running. Though
	// optional, it should be set if any of the following features are used:
	// :ref:`statsd <arch_overview_statistics>`, :ref:`health check cluster
	// verification <envoy_api_field_core.HealthCheck.HttpHealthCheck.service_name>`,
	// :ref:`runtime override directory <envoy_api_msg_config.bootstrap.v2.Runtime>`,
	// :ref:`user agent addition
	// <envoy_api_field_config.filter.network.http_connection_manager.v2.HttpConnectionManager.add_user_agent>`,
	// :ref:`HTTP global rate limiting <config_http_filters_rate_limit>`,
	// :ref:`CDS <config_cluster_manager_cds>`, and :ref:`HTTP tracing
	// <arch_overview_tracing>`, either in this message or via
	// :option:`--service-cluster`.
	Cluster string `protobuf:"bytes,2,opt,name=cluster,proto3" json:"cluster,omitempty"`
	// Opaque metadata extending the node identifier. Envoy will pass this
	// directly to the management server.
	Metadata *types.Struct `protobuf:"bytes,3,opt,name=metadata,proto3" json:"metadata,omitempty"`
	// Locality specifying where the Envoy instance is running.
	Locality *Locality `protobuf:"bytes,4,opt,name=locality,proto3" json:"locality,omitempty"`
	// This is motivated by informing a management server during canary which
	// version of Envoy is being tested in a heterogeneous fleet. This will be set
	// by Envoy in management server RPCs.
	BuildVersion         string   `protobuf:"bytes,5,opt,name=build_version,json=buildVersion,proto3" json:"build_version,omitempty"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

func (m *Node) Reset()         { *m = Node{} }
func (m *Node) String() string { return proto.CompactTextString(m) }
func (*Node) ProtoMessage()    {}
func (*Node) Descriptor() ([]byte, []int) {
	return fileDescriptor_a7738c0f9e1bfff4, []int{1}
}
func (m *Node) XXX_Unmarshal(b []byte) error {
	return m.Unmarshal(b)
}
func (m *Node) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
	b = b[:cap(b)]
	n, err := m.MarshalTo(b)
	if err != nil {
		return nil, err
	}
	return b[:n], nil
}
func (m *Node) XXX_Merge(src proto.Message) {
	xxx_messageInfo_Node.Merge(m, src)
}
func (m *Node) XXX_Size() int {
	return m.Size()
}
func (m *Node) XXX_DiscardUnknown() {
	xxx_messageInfo_Node.DiscardUnknown(m)
}

var xxx_messageInfo_Node proto.InternalMessageInfo

func (m *Node) GetId() string {
	if m != nil {
		return m.Id
	}
	return ""
}

func (m *Node) GetCluster() string {
	if m != nil {
		return m.Cluster
	}
	return ""
}

func (m *Node) GetMetadata() *types.Struct {
	if m != nil {
		return m.Metadata
	}
	return nil
}

func (m *Node) GetLocality() *Locality {
	if m != nil {
		return m.Locality
	}
	return nil
}

func (m *Node) GetBuildVersion() string {
	if m != nil {
		return m.BuildVersion
	}
	return ""
}

// Metadata provides additional inputs to filters based on matched listeners,
// filter chains, routes and endpoints. It is structured as a map, usually from
// filter name (in reverse DNS format) to metadata specific to the filter. Metadata
// key-values for a filter are merged as connection and request handling occurs,
// with later values for the same key overriding earlier values.
//
// An example use of metadata is providing additional values to
// http_connection_manager in the envoy.http_connection_manager.access_log
// namespace.
//
// Another example use of metadata is to per service config info in cluster metadata, which may get
// consumed by multiple filters.
//
// For load balancing, Metadata provides a means to subset cluster endpoints.
// Endpoints have a Metadata object associated and routes contain a Metadata
// object to match against. There are some well defined metadata used today for
// this purpose:
//
// * ``{"envoy.lb": {"canary": <bool> }}`` This indicates the canary status of an
//   endpoint and is also used during header processing
//   (x-envoy-upstream-canary) and for stats purposes.
type Metadata struct {
	// Key is the reverse DNS filter name, e.g. com.acme.widget. The envoy.*
	// namespace is reserved for Envoy's built-in filters.
	FilterMetadata       map[string]*types.Struct `protobuf:"bytes,1,rep,name=filter_metadata,json=filterMetadata,proto3" json:"filter_metadata,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
	XXX_NoUnkeyedLiteral struct{}                 `json:"-"`
	XXX_unrecognized     []byte                   `json:"-"`
	XXX_sizecache        int32                    `json:"-"`
}

func (m *Metadata) Reset()         { *m = Metadata{} }
func (m *Metadata) String() string { return proto.CompactTextString(m) }
func (*Metadata) ProtoMessage()    {}
func (*Metadata) Descriptor() ([]byte, []int) {
	return fileDescriptor_a7738c0f9e1bfff4, []int{2}
}
func (m *Metadata) XXX_Unmarshal(b []byte) error {
	return m.Unmarshal(b)
}
func (m *Metadata) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
	b = b[:cap(b)]
	n, err := m.MarshalTo(b)
	if err != nil {
		return nil, err
	}
	return b[:n], nil
}
func (m *Metadata) XXX_Merge(src proto.Message) {
	xxx_messageInfo_Metadata.Merge(m, src)
}
func (m *Metadata) XXX_Size() int {
	return m.Size()
}
func (m *Metadata) XXX_DiscardUnknown() {
	xxx_messageInfo_Metadata.DiscardUnknown(m)
}

var xxx_messageInfo_Metadata proto.InternalMessageInfo

func (m *Metadata) GetFilterMetadata() map[string]*types.Struct {
	if m != nil {
		return m.FilterMetadata
	}
	return nil
}

// Runtime derived uint32 with a default when not specified.
type RuntimeUInt32 struct {
	// Default value if runtime value is not available.
	DefaultValue uint32 `protobuf:"varint,2,opt,name=default_value,json=defaultValue,proto3" json:"default_value,omitempty"`
	// Runtime key to get value for comparison. This value is used if defined.
	RuntimeKey           string   `protobuf:"bytes,3,opt,name=runtime_key,json=runtimeKey,proto3" json:"runtime_key,omitempty"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

func (m *RuntimeUInt32) Reset()         { *m = RuntimeUInt32{} }
func (m *RuntimeUInt32) String() string { return proto.CompactTextString(m) }
func (*RuntimeUInt32) ProtoMessage()    {}
func (*RuntimeUInt32) Descriptor() ([]byte, []int) {
	return fileDescriptor_a7738c0f9e1bfff4, []int{3}
}
func (m *RuntimeUInt32) XXX_Unmarshal(b []byte) error {
	return m.Unmarshal(b)
}
func (m *RuntimeUInt32) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
	b = b[:cap(b)]
	n, err := m.MarshalTo(b)
	if err != nil {
		return nil, err
	}
	return b[:n], nil
}
func (m *RuntimeUInt32) XXX_Merge(src proto.Message) {
	xxx_messageInfo_RuntimeUInt32.Merge(m, src)
}
func (m *RuntimeUInt32) XXX_Size() int {
	return m.Size()
}
func (m *RuntimeUInt32) XXX_DiscardUnknown() {
	xxx_messageInfo_RuntimeUInt32.DiscardUnknown(m)
}

var xxx_messageInfo_RuntimeUInt32 proto.InternalMessageInfo

func (m *RuntimeUInt32) GetDefaultValue() uint32 {
	if m != nil {
		return m.DefaultValue
	}
	return 0
}

func (m *RuntimeUInt32) GetRuntimeKey() string {
	if m != nil {
		return m.RuntimeKey
	}
	return ""
}

// Header name/value pair.
type HeaderValue struct {
	// Header name.
	Key string `protobuf:"bytes,1,opt,name=key,proto3" json:"key,omitempty"`
	// Header value.
	//
	// The same :ref:`format specifier <config_access_log_format>` as used for
	// :ref:`HTTP access logging <config_access_log>` applies here, however
	// unknown header values are replaced with the empty string instead of `-`.
	Value                string   `protobuf:"bytes,2,opt,name=value,proto3" json:"value,omitempty"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

func (m *HeaderValue) Reset()         { *m = HeaderValue{} }
func (m *HeaderValue) String() string { return proto.CompactTextString(m) }
func (*HeaderValue) ProtoMessage()    {}
func (*HeaderValue) Descriptor() ([]byte, []int) {
	return fileDescriptor_a7738c0f9e1bfff4, []int{4}
}
func (m *HeaderValue) XXX_Unmarshal(b []byte) error {
	return m.Unmarshal(b)
}
func (m *HeaderValue) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
	b = b[:cap(b)]
	n, err := m.MarshalTo(b)
	if err != nil {
		return nil, err
	}
	return b[:n], nil
}
func (m *HeaderValue) XXX_Merge(src proto.Message) {
	xxx_messageInfo_HeaderValue.Merge(m, src)
}
func (m *HeaderValue) XXX_Size() int {
	return m.Size()
}
func (m *HeaderValue) XXX_DiscardUnknown() {
	xxx_messageInfo_HeaderValue.DiscardUnknown(m)
}

var xxx_messageInfo_HeaderValue proto.InternalMessageInfo

func (m *HeaderValue) GetKey() string {
	if m != nil {
		return m.Key
	}
	return ""
}

func (m *HeaderValue) GetValue() string {
	if m != nil {
		return m.Value
	}
	return ""
}

// Header name/value pair plus option to control append behavior.
type HeaderValueOption struct {
	// Header name/value pair that this option applies to.
	Header *HeaderValue `protobuf:"bytes,1,opt,name=header,proto3" json:"header,omitempty"`
	// Should the value be appended? If true (default), the value is appended to
	// existing values.
	Append               *types.BoolValue `protobuf:"bytes,2,opt,name=append,proto3" json:"append,omitempty"`
	XXX_NoUnkeyedLiteral struct{}         `json:"-"`
	XXX_unrecognized     []byte           `json:"-"`
	XXX_sizecache        int32            `json:"-"`
}

func (m *HeaderValueOption) Reset()         { *m = HeaderValueOption{} }
func (m *HeaderValueOption) String() string { return proto.CompactTextString(m) }
func (*HeaderValueOption) ProtoMessage()    {}
func (*HeaderValueOption) Descriptor() ([]byte, []int) {
	return fileDescriptor_a7738c0f9e1bfff4, []int{5}
}
func (m *HeaderValueOption) XXX_Unmarshal(b []byte) error {
	return m.Unmarshal(b)
}
func (m *HeaderValueOption) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
	b = b[:cap(b)]
	n, err := m.MarshalTo(b)
	if err != nil {
		return nil, err
	}
	return b[:n], nil
}
func (m *HeaderValueOption) XXX_Merge(src proto.Message) {
	xxx_messageInfo_HeaderValueOption.Merge(m, src)
}
func (m *HeaderValueOption) XXX_Size() int {
	return m.Size()
}
func (m *HeaderValueOption) XXX_DiscardUnknown() {
	xxx_messageInfo_HeaderValueOption.DiscardUnknown(m)
}

var xxx_messageInfo_HeaderValueOption proto.InternalMessageInfo

func (m *HeaderValueOption) GetHeader() *HeaderValue {
	if m != nil {
		return m.Header
	}
	return nil
}

func (m *HeaderValueOption) GetAppend() *types.BoolValue {
	if m != nil {
		return m.Append
	}
	return nil
}

// Wrapper for a set of headers.
type HeaderMap struct {
	Headers              []*HeaderValue `protobuf:"bytes,1,rep,name=headers,proto3" json:"headers,omitempty"`
	XXX_NoUnkeyedLiteral struct{}       `json:"-"`
	XXX_unrecognized     []byte         `json:"-"`
	XXX_sizecache        int32          `json:"-"`
}

func (m *HeaderMap) Reset()         { *m = HeaderMap{} }
func (m *HeaderMap) String() string { return proto.CompactTextString(m) }
func (*HeaderMap) ProtoMessage()    {}
func (*HeaderMap) Descriptor() ([]byte, []int) {
	return fileDescriptor_a7738c0f9e1bfff4, []int{6}
}
func (m *HeaderMap) XXX_Unmarshal(b []byte) error {
	return m.Unmarshal(b)
}
func (m *HeaderMap) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
	b = b[:cap(b)]
	n, err := m.MarshalTo(b)
	if err != nil {
		return nil, err
	}
	return b[:n], nil
}
func (m *HeaderMap) XXX_Merge(src proto.Message) {
	xxx_messageInfo_HeaderMap.Merge(m, src)
}
func (m *HeaderMap) XXX_Size() int {
	return m.Size()
}
func (m *HeaderMap) XXX_DiscardUnknown() {
	xxx_messageInfo_HeaderMap.DiscardUnknown(m)
}

var xxx_messageInfo_HeaderMap proto.InternalMessageInfo

func (m *HeaderMap) GetHeaders() []*HeaderValue {
	if m != nil {
		return m.Headers
	}
	return nil
}

// Data source consisting of either a file or an inline value.
type DataSource struct {
	// Types that are valid to be assigned to Specifier:
	//	*DataSource_Filename
	//	*DataSource_InlineBytes
	//	*DataSource_InlineString
	Specifier            isDataSource_Specifier `protobuf_oneof:"specifier"`
	XXX_NoUnkeyedLiteral struct{}               `json:"-"`
	XXX_unrecognized     []byte                 `json:"-"`
	XXX_sizecache        int32                  `json:"-"`
}

func (m *DataSource) Reset()         { *m = DataSource{} }
func (m *DataSource) String() string { return proto.CompactTextString(m) }
func (*DataSource) ProtoMessage()    {}
func (*DataSource) Descriptor() ([]byte, []int) {
	return fileDescriptor_a7738c0f9e1bfff4, []int{7}
}
func (m *DataSource) XXX_Unmarshal(b []byte) error {
	return m.Unmarshal(b)
}
func (m *DataSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
	b = b[:cap(b)]
	n, err := m.MarshalTo(b)
	if err != nil {
		return nil, err
	}
	return b[:n], nil
}
func (m *DataSource) XXX_Merge(src proto.Message) {
	xxx_messageInfo_DataSource.Merge(m, src)
}
func (m *DataSource) XXX_Size() int {
	return m.Size()
}
func (m *DataSource) XXX_DiscardUnknown() {
	xxx_messageInfo_DataSource.DiscardUnknown(m)
}

var xxx_messageInfo_DataSource proto.InternalMessageInfo

type isDataSource_Specifier interface {
	isDataSource_Specifier()
	Equal(interface{}) bool
	MarshalTo([]byte) (int, error)
	Size() int
}

type DataSource_Filename struct {
	Filename string `protobuf:"bytes,1,opt,name=filename,proto3,oneof"`
}
type DataSource_InlineBytes struct {
	InlineBytes []byte `protobuf:"bytes,2,opt,name=inline_bytes,json=inlineBytes,proto3,oneof"`
}
type DataSource_InlineString struct {
	InlineString string `protobuf:"bytes,3,opt,name=inline_string,json=inlineString,proto3,oneof"`
}

func (*DataSource_Filename) isDataSource_Specifier()     {}
func (*DataSource_InlineBytes) isDataSource_Specifier()  {}
func (*DataSource_InlineString) isDataSource_Specifier() {}

func (m *DataSource) GetSpecifier() isDataSource_Specifier {
	if m != nil {
		return m.Specifier
	}
	return nil
}

func (m *DataSource) GetFilename() string {
	if x, ok := m.GetSpecifier().(*DataSource_Filename); ok {
		return x.Filename
	}
	return ""
}

func (m *DataSource) GetInlineBytes() []byte {
	if x, ok := m.GetSpecifier().(*DataSource_InlineBytes); ok {
		return x.InlineBytes
	}
	return nil
}

func (m *DataSource) GetInlineString() string {
	if x, ok := m.GetSpecifier().(*DataSource_InlineString); ok {
		return x.InlineString
	}
	return ""
}

// XXX_OneofFuncs is for the internal use of the proto package.
func (*DataSource) XXX_OneofFuncs() (func(msg proto.Message, b *proto.Buffer) error, func(msg proto.Message, tag, wire int, b *proto.Buffer) (bool, error), func(msg proto.Message) (n int), []interface{}) {
	return _DataSource_OneofMarshaler, _DataSource_OneofUnmarshaler, _DataSource_OneofSizer, []interface{}{
		(*DataSource_Filename)(nil),
		(*DataSource_InlineBytes)(nil),
		(*DataSource_InlineString)(nil),
	}
}

func _DataSource_OneofMarshaler(msg proto.Message, b *proto.Buffer) error {
	m := msg.(*DataSource)
	// specifier
	switch x := m.Specifier.(type) {
	case *DataSource_Filename:
		_ = b.EncodeVarint(1<<3 | proto.WireBytes)
		_ = b.EncodeStringBytes(x.Filename)
	case *DataSource_InlineBytes:
		_ = b.EncodeVarint(2<<3 | proto.WireBytes)
		_ = b.EncodeRawBytes(x.InlineBytes)
	case *DataSource_InlineString:
		_ = b.EncodeVarint(3<<3 | proto.WireBytes)
		_ = b.EncodeStringBytes(x.InlineString)
	case nil:
	default:
		return fmt.Errorf("DataSource.Specifier has unexpected type %T", x)
	}
	return nil
}

func _DataSource_OneofUnmarshaler(msg proto.Message, tag, wire int, b *proto.Buffer) (bool, error) {
	m := msg.(*DataSource)
	switch tag {
	case 1: // specifier.filename
		if wire != proto.WireBytes {
			return true, proto.ErrInternalBadWireType
		}
		x, err := b.DecodeStringBytes()
		m.Specifier = &DataSource_Filename{x}
		return true, err
	case 2: // specifier.inline_bytes
		if wire != proto.WireBytes {
			return true, proto.ErrInternalBadWireType
		}
		x, err := b.DecodeRawBytes(true)
		m.Specifier = &DataSource_InlineBytes{x}
		return true, err
	case 3: // specifier.inline_string
		if wire != proto.WireBytes {
			return true, proto.ErrInternalBadWireType
		}
		x, err := b.DecodeStringBytes()
		m.Specifier = &DataSource_InlineString{x}
		return true, err
	default:
		return false, nil
	}
}

func _DataSource_OneofSizer(msg proto.Message) (n int) {
	m := msg.(*DataSource)
	// specifier
	switch x := m.Specifier.(type) {
	case *DataSource_Filename:
		n += 1 // tag and wire
		n += proto.SizeVarint(uint64(len(x.Filename)))
		n += len(x.Filename)
	case *DataSource_InlineBytes:
		n += 1 // tag and wire
		n += proto.SizeVarint(uint64(len(x.InlineBytes)))
		n += len(x.InlineBytes)
	case *DataSource_InlineString:
		n += 1 // tag and wire
		n += proto.SizeVarint(uint64(len(x.InlineString)))
		n += len(x.InlineString)
	case nil:
	default:
		panic(fmt.Sprintf("proto: unexpected type %T in oneof", x))
	}
	return n
}

// The message specifies how to fetch data from remote and how to verify it.
type RemoteDataSource struct {
	// The HTTP URI to fetch the remote data.
	HttpUri *HttpUri `protobuf:"bytes,1,opt,name=http_uri,json=httpUri,proto3" json:"http_uri,omitempty"`
	// SHA256 string for verifying data.
	Sha256               string   `protobuf:"bytes,2,opt,name=sha256,proto3" json:"sha256,omitempty"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

func (m *RemoteDataSource) Reset()         { *m = RemoteDataSource{} }
func (m *RemoteDataSource) String() string { return proto.CompactTextString(m) }
func (*RemoteDataSource) ProtoMessage()    {}
func (*RemoteDataSource) Descriptor() ([]byte, []int) {
	return fileDescriptor_a7738c0f9e1bfff4, []int{8}
}
func (m *RemoteDataSource) XXX_Unmarshal(b []byte) error {
	return m.Unmarshal(b)
}
func (m *RemoteDataSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
	b = b[:cap(b)]
	n, err := m.MarshalTo(b)
	if err != nil {
		return nil, err
	}
	return b[:n], nil
}
func (m *RemoteDataSource) XXX_Merge(src proto.Message) {
	xxx_messageInfo_RemoteDataSource.Merge(m, src)
}
func (m *RemoteDataSource) XXX_Size() int {
	return m.Size()
}
func (m *RemoteDataSource) XXX_DiscardUnknown() {
	xxx_messageInfo_RemoteDataSource.DiscardUnknown(m)
}

var xxx_messageInfo_RemoteDataSource proto.InternalMessageInfo

func (m *RemoteDataSource) GetHttpUri() *HttpUri {
	if m != nil {
		return m.HttpUri
	}
	return nil
}

func (m *RemoteDataSource) GetSha256() string {
	if m != nil {
		return m.Sha256
	}
	return ""
}

// Async data source which support async data fetch.
type AsyncDataSource struct {
	// Types that are valid to be assigned to Specifier:
	//	*AsyncDataSource_Local
	//	*AsyncDataSource_Remote
	Specifier            isAsyncDataSource_Specifier `protobuf_oneof:"specifier"`
	XXX_NoUnkeyedLiteral struct{}                    `json:"-"`
	XXX_unrecognized     []byte                      `json:"-"`
	XXX_sizecache        int32                       `json:"-"`
}

func (m *AsyncDataSource) Reset()         { *m = AsyncDataSource{} }
func (m *AsyncDataSource) String() string { return proto.CompactTextString(m) }
func (*AsyncDataSource) ProtoMessage()    {}
func (*AsyncDataSource) Descriptor() ([]byte, []int) {
	return fileDescriptor_a7738c0f9e1bfff4, []int{9}
}
func (m *AsyncDataSource) XXX_Unmarshal(b []byte) error {
	return m.Unmarshal(b)
}
func (m *AsyncDataSource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
	b = b[:cap(b)]
	n, err := m.MarshalTo(b)
	if err != nil {
		return nil, err
	}
	return b[:n], nil
}
func (m *AsyncDataSource) XXX_Merge(src proto.Message) {
	xxx_messageInfo_AsyncDataSource.Merge(m, src)
}
func (m *AsyncDataSource) XXX_Size() int {
	return m.Size()
}
func (m *AsyncDataSource) XXX_DiscardUnknown() {
	xxx_messageInfo_AsyncDataSource.DiscardUnknown(m)
}

var xxx_messageInfo_AsyncDataSource proto.InternalMessageInfo

type isAsyncDataSource_Specifier interface {
	isAsyncDataSource_Specifier()
	Equal(interface{}) bool
	MarshalTo([]byte) (int, error)
	Size() int
}

type AsyncDataSource_Local struct {
	Local *DataSource `protobuf:"bytes,1,opt,name=local,proto3,oneof"`
}
type AsyncDataSource_Remote struct {
	Remote *RemoteDataSource `protobuf:"bytes,2,opt,name=remote,proto3,oneof"`
}

func (*AsyncDataSource_Local) isAsyncDataSource_Specifier()  {}
func (*AsyncDataSource_Remote) isAsyncDataSource_Specifier() {}

func (m *AsyncDataSource) GetSpecifier() isAsyncDataSource_Specifier {
	if m != nil {
		return m.Specifier
	}
	return nil
}

func (m *AsyncDataSource) GetLocal() *DataSource {
	if x, ok := m.GetSpecifier().(*AsyncDataSource_Local); ok {
		return x.Local
	}
	return nil
}

func (m *AsyncDataSource) GetRemote() *RemoteDataSource {
	if x, ok := m.GetSpecifier().(*AsyncDataSource_Remote); ok {
		return x.Remote
	}
	return nil
}

// XXX_OneofFuncs is for the internal use of the proto package.
func (*AsyncDataSource) XXX_OneofFuncs() (func(msg proto.Message, b *proto.Buffer) error, func(msg proto.Message, tag, wire int, b *proto.Buffer) (bool, error), func(msg proto.Message) (n int), []interface{}) {
	return _AsyncDataSource_OneofMarshaler, _AsyncDataSource_OneofUnmarshaler, _AsyncDataSource_OneofSizer, []interface{}{
		(*AsyncDataSource_Local)(nil),
		(*AsyncDataSource_Remote)(nil),
	}
}

func _AsyncDataSource_OneofMarshaler(msg proto.Message, b *proto.Buffer) error {
	m := msg.(*AsyncDataSource)
	// specifier
	switch x := m.Specifier.(type) {
	case *AsyncDataSource_Local:
		_ = b.EncodeVarint(1<<3 | proto.WireBytes)
		if err := b.EncodeMessage(x.Local); err != nil {
			return err
		}
	case *AsyncDataSource_Remote:
		_ = b.EncodeVarint(2<<3 | proto.WireBytes)
		if err := b.EncodeMessage(x.Remote); err != nil {
			return err
		}
	case nil:
	default:
		return fmt.Errorf("AsyncDataSource.Specifier has unexpected type %T", x)
	}
	return nil
}

func _AsyncDataSource_OneofUnmarshaler(msg proto.Message, tag, wire int, b *proto.Buffer) (bool, error) {
	m := msg.(*AsyncDataSource)
	switch tag {
	case 1: // specifier.local
		if wire != proto.WireBytes {
			return true, proto.ErrInternalBadWireType
		}
		msg := new(DataSource)
		err := b.DecodeMessage(msg)
		m.Specifier = &AsyncDataSource_Local{msg}
		return true, err
	case 2: // specifier.remote
		if wire != proto.WireBytes {
			return true, proto.ErrInternalBadWireType
		}
		msg := new(RemoteDataSource)
		err := b.DecodeMessage(msg)
		m.Specifier = &AsyncDataSource_Remote{msg}
		return true, err
	default:
		return false, nil
	}
}

func _AsyncDataSource_OneofSizer(msg proto.Message) (n int) {
	m := msg.(*AsyncDataSource)
	// specifier
	switch x := m.Specifier.(type) {
	case *AsyncDataSource_Local:
		s := proto.Size(x.Local)
		n += 1 // tag and wire
		n += proto.SizeVarint(uint64(s))
		n += s
	case *AsyncDataSource_Remote:
		s := proto.Size(x.Remote)
		n += 1 // tag and wire
		n += proto.SizeVarint(uint64(s))
		n += s
	case nil:
	default:
		panic(fmt.Sprintf("proto: unexpected type %T in oneof", x))
	}
	return n
}

// Configuration for transport socket in :ref:`listeners <config_listeners>` and
// :ref:`clusters <envoy_api_msg_Cluster>`. If the configuration is
// empty, a default transport socket implementation and configuration will be
// chosen based on the platform and existence of tls_context.
type TransportSocket struct {
	// The name of the transport socket to instantiate. The name must match a supported transport
	// socket implementation.
	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
	// Implementation specific configuration which depends on the implementation being instantiated.
	// See the supported transport socket implementations for further documentation.
	//
	// Types that are valid to be assigned to ConfigType:
	//	*TransportSocket_Config
	//	*TransportSocket_TypedConfig
	ConfigType           isTransportSocket_ConfigType `protobuf_oneof:"config_type"`
	XXX_NoUnkeyedLiteral struct{}                     `json:"-"`
	XXX_unrecognized     []byte                       `json:"-"`
	XXX_sizecache        int32                        `json:"-"`
}

func (m *TransportSocket) Reset()         { *m = TransportSocket{} }
func (m *TransportSocket) String() string { return proto.CompactTextString(m) }
func (*TransportSocket) ProtoMessage()    {}
func (*TransportSocket) Descriptor() ([]byte, []int) {
	return fileDescriptor_a7738c0f9e1bfff4, []int{10}
}
func (m *TransportSocket) XXX_Unmarshal(b []byte) error {
	return m.Unmarshal(b)
}
func (m *TransportSocket) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
	b = b[:cap(b)]
	n, err := m.MarshalTo(b)
	if err != nil {
		return nil, err
	}
	return b[:n], nil
}
func (m *TransportSocket) XXX_Merge(src proto.Message) {
	xxx_messageInfo_TransportSocket.Merge(m, src)
}
func (m *TransportSocket) XXX_Size() int {
	return m.Size()
}
func (m *TransportSocket) XXX_DiscardUnknown() {
	xxx_messageInfo_TransportSocket.DiscardUnknown(m)
}

var xxx_messageInfo_TransportSocket proto.InternalMessageInfo

type isTransportSocket_ConfigType interface {
	isTransportSocket_ConfigType()
	Equal(interface{}) bool
	MarshalTo([]byte) (int, error)
	Size() int
}

type TransportSocket_Config struct {
	Config *types.Struct `protobuf:"bytes,2,opt,name=config,proto3,oneof"`
}
type TransportSocket_TypedConfig struct {
	TypedConfig *types.Any `protobuf:"bytes,3,opt,name=typed_config,json=typedConfig,proto3,oneof"`
}

func (*TransportSocket_Config) isTransportSocket_ConfigType()      {}
func (*TransportSocket_TypedConfig) isTransportSocket_ConfigType() {}

func (m *TransportSocket) GetConfigType() isTransportSocket_ConfigType {
	if m != nil {
		return m.ConfigType
	}
	return nil
}

func (m *TransportSocket) GetName() string {
	if m != nil {
		return m.Name
	}
	return ""
}

func (m *TransportSocket) GetConfig() *types.Struct {
	if x, ok := m.GetConfigType().(*TransportSocket_Config); ok {
		return x.Config
	}
	return nil
}

func (m *TransportSocket) GetTypedConfig() *types.Any {
	if x, ok := m.GetConfigType().(*TransportSocket_TypedConfig); ok {
		return x.TypedConfig
	}
	return nil
}

// XXX_OneofFuncs is for the internal use of the proto package.
func (*TransportSocket) XXX_OneofFuncs() (func(msg proto.Message, b *proto.Buffer) error, func(msg proto.Message, tag, wire int, b *proto.Buffer) (bool, error), func(msg proto.Message) (n int), []interface{}) {
	return _TransportSocket_OneofMarshaler, _TransportSocket_OneofUnmarshaler, _TransportSocket_OneofSizer, []interface{}{
		(*TransportSocket_Config)(nil),
		(*TransportSocket_TypedConfig)(nil),
	}
}

func _TransportSocket_OneofMarshaler(msg proto.Message, b *proto.Buffer) error {
	m := msg.(*TransportSocket)
	// config_type
	switch x := m.ConfigType.(type) {
	case *TransportSocket_Config:
		_ = b.EncodeVarint(2<<3 | proto.WireBytes)
		if err := b.EncodeMessage(x.Config); err != nil {
			return err
		}
	case *TransportSocket_TypedConfig:
		_ = b.EncodeVarint(3<<3 | proto.WireBytes)
		if err := b.EncodeMessage(x.TypedConfig); err != nil {
			return err
		}
	case nil:
	default:
		return fmt.Errorf("TransportSocket.ConfigType has unexpected type %T", x)
	}
	return nil
}

func _TransportSocket_OneofUnmarshaler(msg proto.Message, tag, wire int, b *proto.Buffer) (bool, error) {
	m := msg.(*TransportSocket)
	switch tag {
	case 2: // config_type.config
		if wire != proto.WireBytes {
			return true, proto.ErrInternalBadWireType
		}
		msg := new(types.Struct)
		err := b.DecodeMessage(msg)
		m.ConfigType = &TransportSocket_Config{msg}
		return true, err
	case 3: // config_type.typed_config
		if wire != proto.WireBytes {
			return true, proto.ErrInternalBadWireType
		}
		msg := new(types.Any)
		err := b.DecodeMessage(msg)
		m.ConfigType = &TransportSocket_TypedConfig{msg}
		return true, err
	default:
		return false, nil
	}
}

func _TransportSocket_OneofSizer(msg proto.Message) (n int) {
	m := msg.(*TransportSocket)
	// config_type
	switch x := m.ConfigType.(type) {
	case *TransportSocket_Config:
		s := proto.Size(x.Config)
		n += 1 // tag and wire
		n += proto.SizeVarint(uint64(s))
		n += s
	case *TransportSocket_TypedConfig:
		s := proto.Size(x.TypedConfig)
		n += 1 // tag and wire
		n += proto.SizeVarint(uint64(s))
		n += s
	case nil:
	default:
		panic(fmt.Sprintf("proto: unexpected type %T in oneof", x))
	}
	return n
}

// Generic socket option message. This would be used to set socket options that
// might not exist in upstream kernels or precompiled Envoy binaries.
type SocketOption struct {
	// An optional name to give this socket option for debugging, etc.
	// Uniqueness is not required and no special meaning is assumed.
	Description string `protobuf:"bytes,1,opt,name=description,proto3" json:"description,omitempty"`
	// Corresponding to the level value passed to setsockopt, such as IPPROTO_TCP
	Level int64 `protobuf:"varint,2,opt,name=level,proto3" json:"level,omitempty"`
	// The numeric name as passed to setsockopt
	Name int64 `protobuf:"varint,3,opt,name=name,proto3" json:"name,omitempty"`
	// Types that are valid to be assigned to Value:
	//	*SocketOption_IntValue
	//	*SocketOption_BufValue
	Value isSocketOption_Value `protobuf_oneof:"value"`
	// The state in which the option will be applied. When used in BindConfig
	// STATE_PREBIND is currently the only valid value.
	State                SocketOption_SocketState `protobuf:"varint,6,opt,name=state,proto3,enum=envoy.api.v2.core.SocketOption_SocketState" json:"state,omitempty"`
	XXX_NoUnkeyedLiteral struct{}                 `json:"-"`
	XXX_unrecognized     []byte                   `json:"-"`
	XXX_sizecache        int32                    `json:"-"`
}

func (m *SocketOption) Reset()         { *m = SocketOption{} }
func (m *SocketOption) String() string { return proto.CompactTextString(m) }
func (*SocketOption) ProtoMessage()    {}
func (*SocketOption) Descriptor() ([]byte, []int) {
	return fileDescriptor_a7738c0f9e1bfff4, []int{11}
}
func (m *SocketOption) XXX_Unmarshal(b []byte) error {
	return m.Unmarshal(b)
}
func (m *SocketOption) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
	b = b[:cap(b)]
	n, err := m.MarshalTo(b)
	if err != nil {
		return nil, err
	}
	return b[:n], nil
}
func (m *SocketOption) XXX_Merge(src proto.Message) {
	xxx_messageInfo_SocketOption.Merge(m, src)
}
func (m *SocketOption) XXX_Size() int {
	return m.Size()
}
func (m *SocketOption) XXX_DiscardUnknown() {
	xxx_messageInfo_SocketOption.DiscardUnknown(m)
}

var xxx_messageInfo_SocketOption proto.InternalMessageInfo

type isSocketOption_Value interface {
	isSocketOption_Value()
	Equal(interface{}) bool
	MarshalTo([]byte) (int, error)
	Size() int
}

type SocketOption_IntValue struct {
	IntValue int64 `protobuf:"varint,4,opt,name=int_value,json=intValue,proto3,oneof"`
}
type SocketOption_BufValue struct {
	BufValue []byte `protobuf:"bytes,5,opt,name=buf_value,json=bufValue,proto3,oneof"`
}

func (*SocketOption_IntValue) isSocketOption_Value() {}
func (*SocketOption_BufValue) isSocketOption_Value() {}

func (m *SocketOption) GetValue() isSocketOption_Value {
	if m != nil {
		return m.Value
	}
	return nil
}

func (m *SocketOption) GetDescription() string {
	if m != nil {
		return m.Description
	}
	return ""
}

func (m *SocketOption) GetLevel() int64 {
	if m != nil {
		return m.Level
	}
	return 0
}

func (m *SocketOption) GetName() int64 {
	if m != nil {
		return m.Name
	}
	return 0
}

func (m *SocketOption) GetIntValue() int64 {
	if x, ok := m.GetValue().(*SocketOption_IntValue); ok {
		return x.IntValue
	}
	return 0
}

func (m *SocketOption) GetBufValue() []byte {
	if x, ok := m.GetValue().(*SocketOption_BufValue); ok {
		return x.BufValue
	}
	return nil
}

func (m *SocketOption) GetState() SocketOption_SocketState {
	if m != nil {
		return m.State
	}
	return STATE_PREBIND
}

// XXX_OneofFuncs is for the internal use of the proto package.
func (*SocketOption) XXX_OneofFuncs() (func(msg proto.Message, b *proto.Buffer) error, func(msg proto.Message, tag, wire int, b *proto.Buffer) (bool, error), func(msg proto.Message) (n int), []interface{}) {
	return _SocketOption_OneofMarshaler, _SocketOption_OneofUnmarshaler, _SocketOption_OneofSizer, []interface{}{
		(*SocketOption_IntValue)(nil),
		(*SocketOption_BufValue)(nil),
	}
}

func _SocketOption_OneofMarshaler(msg proto.Message, b *proto.Buffer) error {
	m := msg.(*SocketOption)
	// value
	switch x := m.Value.(type) {
	case *SocketOption_IntValue:
		_ = b.EncodeVarint(4<<3 | proto.WireVarint)
		_ = b.EncodeVarint(uint64(x.IntValue))
	case *SocketOption_BufValue:
		_ = b.EncodeVarint(5<<3 | proto.WireBytes)
		_ = b.EncodeRawBytes(x.BufValue)
	case nil:
	default:
		return fmt.Errorf("SocketOption.Value has unexpected type %T", x)
	}
	return nil
}

func _SocketOption_OneofUnmarshaler(msg proto.Message, tag, wire int, b *proto.Buffer) (bool, error) {
	m := msg.(*SocketOption)
	switch tag {
	case 4: // value.int_value
		if wire != proto.WireVarint {
			return true, proto.ErrInternalBadWireType
		}
		x, err := b.DecodeVarint()
		m.Value = &SocketOption_IntValue{int64(x)}
		return true, err
	case 5: // value.buf_value
		if wire != proto.WireBytes {
			return true, proto.ErrInternalBadWireType
		}
		x, err := b.DecodeRawBytes(true)
		m.Value = &SocketOption_BufValue{x}
		return true, err
	default:
		return false, nil
	}
}

func _SocketOption_OneofSizer(msg proto.Message) (n int) {
	m := msg.(*SocketOption)
	// value
	switch x := m.Value.(type) {
	case *SocketOption_IntValue:
		n += 1 // tag and wire
		n += proto.SizeVarint(uint64(x.IntValue))
	case *SocketOption_BufValue:
		n += 1 // tag and wire
		n += proto.SizeVarint(uint64(len(x.BufValue)))
		n += len(x.BufValue)
	case nil:
	default:
		panic(fmt.Sprintf("proto: unexpected type %T in oneof", x))
	}
	return n
}

// Runtime derived FractionalPercent with defaults for when the numerator or denominator is not
// specified via a runtime key.
type RuntimeFractionalPercent struct {
	// Default value if the runtime value's for the numerator/denominator keys are not available.
	DefaultValue *_type.FractionalPercent `protobuf:"bytes,1,opt,name=default_value,json=defaultValue,proto3" json:"default_value,omitempty"`
	// Runtime key for a YAML representation of a FractionalPercent.
	RuntimeKey           string   `protobuf:"bytes,2,opt,name=runtime_key,json=runtimeKey,proto3" json:"runtime_key,omitempty"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

func (m *RuntimeFractionalPercent) Reset()         { *m = RuntimeFractionalPercent{} }
func (m *RuntimeFractionalPercent) String() string { return proto.CompactTextString(m) }
func (*RuntimeFractionalPercent) ProtoMessage()    {}
func (*RuntimeFractionalPercent) Descriptor() ([]byte, []int) {
	return fileDescriptor_a7738c0f9e1bfff4, []int{12}
}
func (m *RuntimeFractionalPercent) XXX_Unmarshal(b []byte) error {
	return m.Unmarshal(b)
}
func (m *RuntimeFractionalPercent) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
	b = b[:cap(b)]
	n, err := m.MarshalTo(b)
	if err != nil {
		return nil, err
	}
	return b[:n], nil
}
func (m *RuntimeFractionalPercent) XXX_Merge(src proto.Message) {
	xxx_messageInfo_RuntimeFractionalPercent.Merge(m, src)
}
func (m *RuntimeFractionalPercent) XXX_Size() int {
	return m.Size()
}
func (m *RuntimeFractionalPercent) XXX_DiscardUnknown() {
	xxx_messageInfo_RuntimeFractionalPercent.DiscardUnknown(m)
}

var xxx_messageInfo_RuntimeFractionalPercent proto.InternalMessageInfo

func (m *RuntimeFractionalPercent) GetDefaultValue() *_type.FractionalPercent {
	if m != nil {
		return m.DefaultValue
	}
	return nil
}

func (m *RuntimeFractionalPercent) GetRuntimeKey() string {
	if m != nil {
		return m.RuntimeKey
	}
	return ""
}

// Identifies a specific ControlPlane instance that Envoy is connected to.
type ControlPlane struct {
	// An opaque control plane identifier that uniquely identifies an instance
	// of control plane. This can be used to identify which control plane instance,
	// the Envoy is connected to.
	Identifier           string   `protobuf:"bytes,1,opt,name=identifier,proto3" json:"identifier,omitempty"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

func (m *ControlPlane) Reset()         { *m = ControlPlane{} }
func (m *ControlPlane) String() string { return proto.CompactTextString(m) }
func (*ControlPlane) ProtoMessage()    {}
func (*ControlPlane) Descriptor() ([]byte, []int) {
	return fileDescriptor_a7738c0f9e1bfff4, []int{13}
}
func (m *ControlPlane) XXX_Unmarshal(b []byte) error {
	return m.Unmarshal(b)
}
func (m *ControlPlane) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
	b = b[:cap(b)]
	n, err := m.MarshalTo(b)
	if err != nil {
		return nil, err
	}
	return b[:n], nil
}
func (m *ControlPlane) XXX_Merge(src proto.Message) {
	xxx_messageInfo_ControlPlane.Merge(m, src)
}
func (m *ControlPlane) XXX_Size() int {
	return m.Size()
}
func (m *ControlPlane) XXX_DiscardUnknown() {
	xxx_messageInfo_ControlPlane.DiscardUnknown(m)
}

var xxx_messageInfo_ControlPlane proto.InternalMessageInfo

func (m *ControlPlane) GetIdentifier() string {
	if m != nil {
		return m.Identifier
	}
	return ""
}

func init() {
	proto.RegisterEnum("envoy.api.v2.core.RoutingPriority", RoutingPriority_name, RoutingPriority_value)
	proto.RegisterEnum("envoy.api.v2.core.RequestMethod", RequestMethod_name, RequestMethod_value)
	proto.RegisterEnum("envoy.api.v2.core.TrafficDirection", TrafficDirection_name, TrafficDirection_value)
	proto.RegisterEnum("envoy.api.v2.core.SocketOption_SocketState", SocketOption_SocketState_name, SocketOption_SocketState_value)
	proto.RegisterType((*Locality)(nil), "envoy.api.v2.core.Locality")
	proto.RegisterType((*Node)(nil), "envoy.api.v2.core.Node")
	proto.RegisterType((*Metadata)(nil), "envoy.api.v2.core.Metadata")
	proto.RegisterMapType((map[string]*types.Struct)(nil), "envoy.api.v2.core.Metadata.FilterMetadataEntry")
	proto.RegisterType((*RuntimeUInt32)(nil), "envoy.api.v2.core.RuntimeUInt32")
	proto.RegisterType((*HeaderValue)(nil), "envoy.api.v2.core.HeaderValue")
	proto.RegisterType((*HeaderValueOption)(nil), "envoy.api.v2.core.HeaderValueOption")
	proto.RegisterType((*HeaderMap)(nil), "envoy.api.v2.core.HeaderMap")
	proto.RegisterType((*DataSource)(nil), "envoy.api.v2.core.DataSource")
	proto.RegisterType((*RemoteDataSource)(nil), "envoy.api.v2.core.RemoteDataSource")
	proto.RegisterType((*AsyncDataSource)(nil), "envoy.api.v2.core.AsyncDataSource")
	proto.RegisterType((*TransportSocket)(nil), "envoy.api.v2.core.TransportSocket")
	proto.RegisterType((*SocketOption)(nil), "envoy.api.v2.core.SocketOption")
	proto.RegisterType((*RuntimeFractionalPercent)(nil), "envoy.api.v2.core.RuntimeFractionalPercent")
	proto.RegisterType((*ControlPlane)(nil), "envoy.api.v2.core.ControlPlane")
}

func init() { proto.RegisterFile("envoy/api/v2/core/base.proto", fileDescriptor_a7738c0f9e1bfff4) }

var fileDescriptor_a7738c0f9e1bfff4 = []byte{
	// 1293 bytes of a gzipped FileDescriptorProto
	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x84, 0x55, 0xcd, 0x6f, 0x1b, 0x45,
	0x14, 0xf7, 0xfa, 0xdb, 0xcf, 0x76, 0xb3, 0x9d, 0x56, 0xad, 0x9b, 0xb6, 0x4e, 0xe4, 0x0a, 0x29,
	0x2a, 0x60, 0x0b, 0x57, 0x85, 0x82, 0xc4, 0x87, 0xd7, 0xde, 0xd4, 0x56, 0x13, 0xdb, 0xac, 0xd7,
	0x15, 0xea, 0x01, 0x6b, 0x6d, 0x8f, 0x9d, 0x51, 0x37, 0xbb, 0xcb, 0xec, 0xac, 0xc1, 0x3d, 0x55,
	0x9c, 0x28, 0x17, 0xce, 0x9c, 0x7b, 0x41, 0xe2, 0x9f, 0x00, 0x71, 0xe1, 0xc8, 0x91, 0x23, 0xca,
	0x5f, 0x81, 0x72, 0x42, 0xf3, 0xe1, 0xd4, 0x49, 0x2c, 0x7a, 0x9b, 0xf9, 0xfd, 0xde, 0xef, 0xcd,
	0xfb, 0x98, 0x79, 0x03, 0x77, 0xb0, 0xb7, 0xf0, 0x97, 0x35, 0x27, 0x20, 0xb5, 0x45, 0xbd, 0x36,
	0xf1, 0x29, 0xae, 0x8d, 0x9d, 0x10, 0x57, 0x03, 0xea, 0x33, 0x1f, 0x5d, 0x15, 0x6c, 0xd5, 0x09,
	0x48, 0x75, 0x51, 0xaf, 0x72, 0x76, 0x7b, 0xf7, 0xb2, 0xe0, 0x88, 0xb1, 0x60, 0x14, 0x51, 0x22,
	0x45, 0xdb, 0xb7, 0xe6, 0xbe, 0x3f, 0x77, 0x71, 0x4d, 0xec, 0xc6, 0xd1, 0xac, 0xe6, 0x78, 0x4b,
	0x45, 0xdd, 0xb9, 0x48, 0x85, 0x8c, 0x46, 0x13, 0xa6, 0xd8, 0xf2, 0x45, 0xf6, 0x5b, 0xea, 0x04,
	0x01, 0xa6, 0xa1, 0xe2, 0x6f, 0x2e, 0x1c, 0x97, 0x4c, 0x1d, 0x86, 0x6b, 0xab, 0x85, 0x22, 0xae,
	0xcf, 0xfd, 0xb9, 0x2f, 0x96, 0x35, 0xbe, 0x52, 0x68, 0x49, 0x46, 0xca, 0x96, 0x01, 0xae, 0x05,
	0x98, 0x4e, 0xb0, 0xa7, 0x0e, 0xaa, 0x7c, 0x09, 0xd9, 0x03, 0x7f, 0xe2, 0xb8, 0x84, 0x2d, 0xd1,
	0x0d, 0x48, 0x53, 0x3c, 0x27, 0xbe, 0x57, 0xd2, 0x76, 0xb5, 0xbd, 0x9c, 0xa5, 0x76, 0x08, 0x41,
	0xf2, 0x85, 0xef, 0xe1, 0x52, 0x5c, 0xa0, 0x62, 0x8d, 0x6e, 0x41, 0x36, 0x8c, 0xc6, 0x23, 0x81,
	0x27, 0x04, 0x9e, 0x09, 0xa3, 0xf1, 0x33, 0xdf, 0xc3, 0x95, 0x3f, 0x34, 0x48, 0x76, 0xfd, 0x29,
	0x46, 0x57, 0x20, 0x4e, 0xa6, 0xca, 0x57, 0x9c, 0x4c, 0x51, 0x09, 0x32, 0x13, 0x37, 0x0a, 0x19,
	0xa6, 0xca, 0xd5, 0x6a, 0x8b, 0x1e, 0x40, 0xf6, 0x18, 0x33, 0x67, 0xea, 0x30, 0x47, 0x78, 0xcb,
	0xd7, 0x6f, 0x56, 0x65, 0x05, 0xaa, 0xab, 0x0a, 0x54, 0x07, 0xa2, 0x3e, 0xd6, 0x99, 0x21, 0xfa,
	0x08, 0xb2, 0xae, 0x0a, 0xbd, 0x94, 0x14, 0xa2, 0xdb, 0xd5, 0x4b, 0x4d, 0xaa, 0xae, 0xb2, 0xb3,
	0xce, 0x8c, 0xd1, 0x3d, 0x28, 0x8e, 0x23, 0xe2, 0x4e, 0x47, 0x0b, 0x4c, 0x43, 0x9e, 0x6e, 0x4a,
	0x44, 0x53, 0x10, 0xe0, 0x53, 0x89, 0x55, 0x7e, 0xd3, 0x20, 0x7b, 0xb8, 0x3a, 0xea, 0x2b, 0xd8,
	0x9a, 0x11, 0x97, 0x61, 0x3a, 0x3a, 0x0b, 0x53, 0xdb, 0x4d, 0xec, 0xe5, 0xeb, 0xb5, 0x0d, 0x27,
	0xae, 0x54, 0xd5, 0x7d, 0x21, 0x59, 0x6d, 0x4d, 0x8f, 0xd1, 0xa5, 0x75, 0x65, 0x76, 0x0e, 0xdc,
	0x7e, 0x06, 0xd7, 0x36, 0x98, 0x21, 0x1d, 0x12, 0xcf, 0xf1, 0x52, 0xd5, 0x8e, 0x2f, 0xd1, 0xfb,
	0x90, 0x5a, 0x38, 0x6e, 0x24, 0xbb, 0xf0, 0x3f, 0xf5, 0x91, 0x56, 0x9f, 0xc4, 0x1f, 0x69, 0x95,
	0xaf, 0xa1, 0x68, 0x45, 0x1e, 0x23, 0xc7, 0x78, 0xd8, 0xf1, 0xd8, 0x83, 0x3a, 0x4f, 0x7c, 0x8a,
	0x67, 0x4e, 0xe4, 0xb2, 0xd1, 0x1b, 0x5f, 0x45, 0xab, 0xa0, 0xc0, 0xa7, 0x1c, 0x43, 0x7b, 0x90,
	0xa7, 0x52, 0x35, 0xe2, 0x21, 0x88, 0xe6, 0x1a, 0x99, 0x53, 0x23, 0x49, 0xe3, 0xbb, 0x9a, 0x05,
	0x8a, 0x7b, 0x82, 0x97, 0x95, 0x43, 0xc8, 0xb7, 0xb1, 0x33, 0xc5, 0x54, 0x0a, 0xef, 0xae, 0xc5,
	0x6c, 0xe4, 0x4f, 0x8d, 0x2c, 0x4d, 0xef, 0x6a, 0x7b, 0x2f, 0x5f, 0x6a, 0x32, 0x81, 0x9d, 0xf5,
	0x04, 0x72, 0x46, 0xee, 0xd4, 0x48, 0xd3, 0xa4, 0xa0, 0x25, 0x5e, 0x79, 0xa5, 0xc1, 0xd5, 0x35,
	0x7f, 0xbd, 0x80, 0xf1, 0xcb, 0xf7, 0x05, 0xa4, 0x8f, 0x04, 0x28, 0x1c, 0xe7, 0xeb, 0xe5, 0x0d,
	0x15, 0x5f, 0x53, 0x19, 0xd9, 0x53, 0x23, 0xf5, 0xa3, 0x16, 0xd7, 0x35, 0x4b, 0xe9, 0x50, 0x1d,
	0xd2, 0xfc, 0xed, 0x78, 0x53, 0x55, 0xba, 0xed, 0x4b, 0xa5, 0x33, 0x7c, 0xdf, 0x15, 0x6a, 0x4b,
	0x59, 0x56, 0x4c, 0xc8, 0x49, 0xa7, 0x87, 0x4e, 0x80, 0x1e, 0x41, 0x46, 0xba, 0x0a, 0x55, 0xd7,
	0xdf, 0x12, 0x83, 0xb5, 0x32, 0xaf, 0xbc, 0xd6, 0x00, 0x5a, 0x0e, 0x73, 0x06, 0x7e, 0x44, 0x27,
	0x18, 0xbd, 0x03, 0xd9, 0x19, 0x71, 0xb1, 0xe7, 0x1c, 0x63, 0x55, 0xa6, 0x55, 0x5d, 0xdb, 0x31,
	0xeb, 0x8c, 0x42, 0xef, 0x41, 0x81, 0x78, 0x2e, 0xf1, 0xf0, 0x68, 0xbc, 0x64, 0x38, 0x14, 0x61,
	0x17, 0x84, 0xe9, 0x8b, 0xb8, 0xce, 0x4d, 0xf3, 0x92, 0x36, 0x38, 0x8b, 0xaa, 0x50, 0x54, 0xd6,
	0x21, 0xa3, 0xc4, 0x9b, 0x5f, 0xe8, 0x58, 0x3b, 0x66, 0x29, 0x6f, 0x03, 0x41, 0x1b, 0x3a, 0xe4,
	0xc2, 0x00, 0x4f, 0xc8, 0x8c, 0x60, 0x8a, 0x12, 0xff, 0x1a, 0x5a, 0x85, 0x81, 0x6e, 0xe1, 0x63,
	0x9f, 0xe1, 0xb5, 0x50, 0x3f, 0x87, 0xec, 0x6a, 0x96, 0xa9, 0xc2, 0x6f, 0x6f, 0x4a, 0x9a, 0xb1,
	0x60, 0x48, 0xc9, 0x5a, 0xd1, 0x33, 0x47, 0x12, 0x42, 0x3b, 0x90, 0x0e, 0x8f, 0x9c, 0xfa, 0xc3,
	0x0f, 0x55, 0xbf, 0xcf, 0x6e, 0x90, 0x82, 0x2b, 0x3f, 0x6b, 0xb0, 0xd5, 0x08, 0x97, 0xde, 0x64,
	0xed, 0xd4, 0x87, 0x90, 0x12, 0xaf, 0x54, 0x1d, 0x79, 0x77, 0xc3, 0x91, 0x6f, 0xac, 0xdb, 0x31,
	0x4b, 0x5a, 0xa3, 0x4f, 0xf9, 0xe0, 0xe2, 0x09, 0xa8, 0x0e, 0xdf, 0xdb, 0xa0, 0xbb, 0x98, 0x61,
	0x3b, 0x66, 0x29, 0xd1, 0x86, 0x8a, 0xfc, 0xaa, 0xc1, 0x96, 0x4d, 0x1d, 0x2f, 0x0c, 0x7c, 0xca,
	0x06, 0xfe, 0xe4, 0x39, 0x66, 0xe8, 0x36, 0x24, 0x37, 0x34, 0xce, 0x12, 0x20, 0xfa, 0x00, 0xd2,
	0x13, 0xdf, 0x9b, 0x91, 0xf9, 0x5b, 0x9e, 0x27, 0x3f, 0x55, 0x1a, 0xa2, 0x8f, 0xa1, 0xc0, 0xe7,
	0xf1, 0x74, 0xa4, 0x84, 0x72, 0xee, 0x5d, 0xbf, 0x24, 0x6c, 0x78, 0x4b, 0xde, 0x72, 0x61, 0xdb,
	0x14, 0xa6, 0x46, 0x11, 0xf2, 0x52, 0x34, 0xe2, 0x68, 0xe5, 0xf7, 0x38, 0x14, 0x64, 0x90, 0xea,
	0xcd, 0xec, 0x42, 0x7e, 0x8a, 0xc3, 0x09, 0x25, 0x62, 0xab, 0xa6, 0xc8, 0x3a, 0x84, 0xae, 0x43,
	0xca, 0xc5, 0x0b, 0xec, 0x8a, 0x70, 0x13, 0x96, 0xdc, 0xf0, 0x41, 0x2f, 0x52, 0x4c, 0x08, 0x50,
	0x66, 0x76, 0x17, 0x72, 0xc4, 0x5b, 0xcd, 0x0b, 0x3e, 0x66, 0x13, 0xfc, 0xae, 0x12, 0x8f, 0xad,
	0x1e, 0x7d, 0x6e, 0x1c, 0xcd, 0x14, 0xcd, 0xe7, 0x68, 0x81, 0xd3, 0xe3, 0x68, 0x26, 0xe9, 0x27,
	0x90, 0x0a, 0x99, 0xc3, 0x70, 0x89, 0x8f, 0x82, 0x2b, 0xf5, 0x77, 0x37, 0x34, 0x66, 0x3d, 0x72,
	0xb5, 0x19, 0x70, 0x89, 0xb8, 0x54, 0xdf, 0x8b, 0x4b, 0x25, 0x7d, 0x54, 0x0e, 0x20, 0xbf, 0xc6,
	0xa3, 0xab, 0x50, 0x1c, 0xd8, 0x0d, 0xdb, 0x1c, 0xf5, 0x2d, 0xd3, 0xe8, 0x74, 0x5b, 0x7a, 0x0c,
	0x6d, 0x41, 0x5e, 0x42, 0x46, 0x6f, 0xd8, 0x6d, 0xe9, 0x1a, 0xba, 0x06, 0x5b, 0x12, 0x38, 0xe8,
	0x0c, 0x6c, 0xb3, 0xdb, 0xe9, 0x3e, 0xd6, 0xe3, 0xdb, 0xc9, 0x1f, 0x5e, 0x97, 0x63, 0x46, 0x41,
	0xcd, 0x23, 0xd9, 0xf1, 0x57, 0x1a, 0x94, 0xd4, 0xb0, 0xdc, 0xa7, 0xce, 0x84, 0x07, 0xe3, 0xb8,
	0x7d, 0xf9, 0x55, 0xa2, 0x83, 0x8b, 0x73, 0xf3, 0xfc, 0xf5, 0xe4, 0x4d, 0xa8, 0x5e, 0x52, 0xad,
	0x3d, 0x8a, 0xf3, 0x03, 0x76, 0xe7, 0xfc, 0x80, 0x95, 0x5f, 0xe1, 0xfa, 0x5c, 0xad, 0x42, 0xa1,
	0xe9, 0x7b, 0x8c, 0xfa, 0x6e, 0xdf, 0x75, 0x3c, 0x8c, 0xca, 0x00, 0x64, 0x8a, 0x3d, 0x26, 0x2e,
	0xa8, 0xea, 0xe6, 0x1a, 0x72, 0x7f, 0x0f, 0xb6, 0x2c, 0x3f, 0x62, 0xc4, 0x9b, 0xf7, 0x29, 0xf1,
	0x29, 0xff, 0xe2, 0xf2, 0x90, 0x69, 0x99, 0xfb, 0x8d, 0xe1, 0x81, 0xad, 0xc7, 0x50, 0x16, 0x92,
	0xed, 0xce, 0xe3, 0xb6, 0xae, 0xdd, 0xff, 0x49, 0x83, 0xa2, 0x85, 0xbf, 0x89, 0x70, 0xc8, 0x0e,
	0x31, 0x3b, 0xf2, 0xa7, 0xe8, 0x06, 0xa0, 0x43, 0xd3, 0x6e, 0xf7, 0x5a, 0xa3, 0x61, 0x77, 0xd0,
	0x37, 0x9b, 0x9d, 0xfd, 0x8e, 0xc9, 0x2b, 0x99, 0x81, 0xc4, 0x63, 0xd3, 0xd6, 0x35, 0x21, 0x36,
	0x1b, 0x2d, 0x3d, 0xce, 0x57, 0xfd, 0xde, 0xc0, 0xd6, 0x13, 0x9c, 0xec, 0x0f, 0x6d, 0x3d, 0x89,
	0x00, 0xd2, 0x2d, 0xf3, 0xc0, 0xb4, 0x4d, 0x3d, 0xc5, 0x8f, 0x6c, 0xf6, 0xba, 0x5d, 0xb3, 0x69,
	0xeb, 0x69, 0xbe, 0xe9, 0xf5, 0xed, 0x4e, 0xaf, 0x3b, 0xd0, 0x33, 0x28, 0x07, 0x29, 0xdb, 0x6a,
	0x34, 0x4d, 0x3d, 0xcb, 0x97, 0xfd, 0x86, 0xdd, 0x6c, 0xeb, 0x39, 0xd9, 0x85, 0xfb, 0x9f, 0x81,
	0x6e, 0x53, 0x67, 0x36, 0x23, 0x93, 0x16, 0xa1, 0x58, 0x54, 0x90, 0x77, 0xf1, 0x7c, 0x30, 0x79,
	0xc8, 0x74, 0xba, 0xab, 0x96, 0x16, 0x20, 0xdb, 0x1b, 0xda, 0x72, 0x17, 0x37, 0xda, 0xbf, 0x9c,
	0x94, 0xb5, 0x3f, 0x4f, 0xca, 0xda, 0x5f, 0x27, 0x65, 0xed, 0xef, 0x93, 0xb2, 0xf6, 0xcf, 0x49,
	0x59, 0x83, 0x1d, 0xe2, 0xcb, 0xde, 0x04, 0xd4, 0xff, 0x6e, 0x79, 0xf9, 0xd2, 0x19, 0x39, 0xc3,
	0x09, 0x71, 0x9f, 0x3f, 0xb1, 0xbe, 0xf6, 0x2c, 0xc9, 0xa1, 0x71, 0x5a, 0xbc, 0xb8, 0x07, 0xff,
	0x05, 0x00, 0x00, 0xff, 0xff, 0xf4, 0x76, 0xb1, 0x50, 0x07, 0x0a, 0x00, 0x00,
}

func (this *Locality) Equal(that interface{}) bool {
	if that == nil {
		return this == nil
	}

	that1, ok := that.(*Locality)
	if !ok {
		that2, ok := that.(Locality)
		if ok {
			that1 = &that2
		} else {
			return false
		}
	}
	if that1 == nil {
		return this == nil
	} else if this == nil {
		return false
	}
	if this.Region != that1.Region {
		return false
	}
	if this.Zone != that1.Zone {
		return false
	}
	if this.SubZone != that1.SubZone {
		return false
	}
	if !bytes.Equal(this.XXX_unrecognized, that1.XXX_unrecognized) {
		return false
	}
	return true
}
func (this *Node) Equal(that interface{}) bool {
	if that == nil {
		return this == nil
	}

	that1, ok := that.(*Node)
	if !ok {
		that2, ok := that.(Node)
		if ok {
			that1 = &that2
		} else {
			return false
		}
	}
	if that1 == nil {
		return this == nil
	} else if this == nil {
		return false
	}
	if this.Id != that1.Id {
		return false
	}
	if this.Cluster != that1.Cluster {
		return false
	}
	if !this.Metadata.Equal(that1.Metadata) {
		return false
	}
	if !this.Locality.Equal(that1.Locality) {
		return false
	}
	if this.BuildVersion != that1.BuildVersion {
		return false
	}
	if !bytes.Equal(this.XXX_unrecognized, that1.XXX_unrecognized) {
		return false
	}
	return true
}
func (this *Metadata) Equal(that interface{}) bool {
	if that == nil {
		return this == nil
	}

	that1, ok := that.(*Metadata)
	if !ok {
		that2, ok := that.(Metadata)
		if ok {
			that1 = &that2
		} else {
			return false
		}
	}
	if that1 == nil {
		return this == nil
	} else if this == nil {
		return false
	}
	if len(this.FilterMetadata) != len(that1.FilterMetadata) {
		return false
	}
	for i := range this.FilterMetadata {
		if !this.FilterMetadata[i].Equal(that1.FilterMetadata[i]) {
			return false
		}
	}
	if !bytes.Equal(this.XXX_unrecognized, that1.XXX_unrecognized) {
		return false
	}
	return true
}
func (this *RuntimeUInt32) Equal(that interface{}) bool {
	if that == nil {
		return this == nil
	}

	that1, ok := that.(*RuntimeUInt32)
	if !ok {
		that2, ok := that.(RuntimeUInt32)
		if ok {
			that1 = &that2
		} else {
			return false
		}
	}
	if that1 == nil {
		return this == nil
	} else if this == nil {
		return false
	}
	if this.DefaultValue != that1.DefaultValue {
		return false
	}
	if this.RuntimeKey != that1.RuntimeKey {
		return false
	}
	if !bytes.Equal(this.XXX_unrecognized, that1.XXX_unrecognized) {
		return false
	}
	return true
}
func (this *HeaderValue) Equal(that interface{}) bool {
	if that == nil {
		return this == nil
	}

	that1, ok := that.(*HeaderValue)
	if !ok {
		that2, ok := that.(HeaderValue)
		if ok {
			that1 = &that2
		} else {
			return false
		}
	}
	if that1 == nil {
		return this == nil
	} else if this == nil {
		return false
	}
	if this.Key != that1.Key {
		return false
	}
	if this.Value != that1.Value {
		return false
	}
	if !bytes.Equal(this.XXX_unrecognized, that1.XXX_unrecognized) {
		return false
	}
	return true
}
func (this *HeaderValueOption) Equal(that interface{}) bool {
	if that == nil {
		return this == nil
	}

	that1, ok := that.(*HeaderValueOption)
	if !ok {
		that2, ok := that.(HeaderValueOption)
		if ok {
			that1 = &that2
		} else {
			return false
		}
	}
	if that1 == nil {
		return this == nil
	} else if this == nil {
		return false
	}
	if !this.Header.Equal(that1.Header) {
		return false
	}
	if !this.Append.Equal(that1.Append) {
		return false
	}
	if !bytes.Equal(this.XXX_unrecognized, that1.XXX_unrecognized) {
		return false
	}
	return true
}
func (this *HeaderMap) Equal(that interface{}) bool {
	if that == nil {
		return this == nil
	}

	that1, ok := that.(*HeaderMap)
	if !ok {
		that2, ok := that.(HeaderMap)
		if ok {
			that1 = &that2
		} else {
			return false
		}
	}
	if that1 == nil {
		return this == nil
	} else if this == nil {
		return false
	}
	if len(this.Headers) != len(that1.Headers) {
		return false
	}
	for i := range this.Headers {
		if !this.Headers[i].Equal(that1.Headers[i]) {
			return false
		}
	}
	if !bytes.Equal(this.XXX_unrecognized, that1.XXX_unrecognized) {
		return false
	}
	return true
}
func (this *DataSource) Equal(that interface{}) bool {
	if that == nil {
		return this == nil
	}

	that1, ok := that.(*DataSource)
	if !ok {
		that2, ok := that.(DataSource)
		if ok {
			that1 = &that2
		} else {
			return false
		}
	}
	if that1 == nil {
		return this == nil
	} else if this == nil {
		return false
	}
	if that1.Specifier == nil {
		if this.Specifier != nil {
			return false
		}
	} else if this.Specifier == nil {
		return false
	} else if !this.Specifier.Equal(that1.Specifier) {
		return false
	}
	if !bytes.Equal(this.XXX_unrecognized, that1.XXX_unrecognized) {
		return false
	}
	return true
}
func (this *DataSource_Filename) Equal(that interface{}) bool {
	if that == nil {
		return this == nil
	}

	that1, ok := that.(*DataSource_Filename)
	if !ok {
		that2, ok := that.(DataSource_Filename)
		if ok {
			that1 = &that2
		} else {
			return false
		}
	}
	if that1 == nil {
		return this == nil
	} else if this == nil {
		return false
	}
	if this.Filename != that1.Filename {
		return false
	}
	return true
}
func (this *DataSource_InlineBytes) Equal(that interface{}) bool {
	if that == nil {
		return this == nil
	}

	that1, ok := that.(*DataSource_InlineBytes)
	if !ok {
		that2, ok := that.(DataSource_InlineBytes)
		if ok {
			that1 = &that2
		} else {
			return false
		}
	}
	if that1 == nil {
		return this == nil
	} else if this == nil {
		return false
	}
	if !bytes.Equal(this.InlineBytes, that1.InlineBytes) {
		return false
	}
	return true
}
func (this *DataSource_InlineString) Equal(that interface{}) bool {
	if that == nil {
		return this == nil
	}

	that1, ok := that.(*DataSource_InlineString)
	if !ok {
		that2, ok := that.(DataSource_InlineString)
		if ok {
			that1 = &that2
		} else {
			return false
		}
	}
	if that1 == nil {
		return this == nil
	} else if this == nil {
		return false
	}
	if this.InlineString != that1.InlineString {
		return false
	}
	return true
}
func (this *RemoteDataSource) Equal(that interface{}) bool {
	if that == nil {
		return this == nil
	}

	that1, ok := that.(*RemoteDataSource)
	if !ok {
		that2, ok := that.(RemoteDataSource)
		if ok {
			that1 = &that2
		} else {
			return false
		}
	}
	if that1 == nil {
		return this == nil
	} else if this == nil {
		return false
	}
	if !this.HttpUri.Equal(that1.HttpUri) {
		return false
	}
	if this.Sha256 != that1.Sha256 {
		return false
	}
	if !bytes.Equal(this.XXX_unrecognized, that1.XXX_unrecognized) {
		return false
	}
	return true
}
func (this *AsyncDataSource) Equal(that interface{}) bool {
	if that == nil {
		return this == nil
	}

	that1, ok := that.(*AsyncDataSource)
	if !ok {
		that2, ok := that.(AsyncDataSource)
		if ok {
			that1 = &that2
		} else {
			return false
		}
	}
	if that1 == nil {
		return this == nil
	} else if this == nil {
		return false
	}
	if that1.Specifier == nil {
		if this.Specifier != nil {
			return false
		}
	} else if this.Specifier == nil {
		return false
	} else if !this.Specifier.Equal(that1.Specifier) {
		return false
	}
	if !bytes.Equal(this.XXX_unrecognized, that1.XXX_unrecognized) {
		return false
	}
	return true
}
func (this *AsyncDataSource_Local) Equal(that interface{}) bool {
	if that == nil {
		return this == nil
	}

	that1, ok := that.(*AsyncDataSource_Local)
	if !ok {
		that2, ok := that.(AsyncDataSource_Local)
		if ok {
			that1 = &that2
		} else {
			return false
		}
	}
	if that1 == nil {
		return this == nil
	} else if this == nil {
		return false
	}
	if !this.Local.Equal(that1.Local) {
		return false
	}
	return true
}
func (this *AsyncDataSource_Remote) Equal(that interface{}) bool {
	if that == nil {
		return this == nil
	}

	that1, ok := that.(*AsyncDataSource_Remote)
	if !ok {
		that2, ok := that.(AsyncDataSource_Remote)
		if ok {
			that1 = &that2
		} else {
			return false
		}
	}
	if that1 == nil {
		return this == nil
	} else if this == nil {
		return false
	}
	if !this.Remote.Equal(that1.Remote) {
		return false
	}
	return true
}
func (this *TransportSocket) Equal(that interface{}) bool {
	if that == nil {
		return this == nil
	}

	that1, ok := that.(*TransportSocket)
	if !ok {
		that2, ok := that.(TransportSocket)
		if ok {
			that1 = &that2
		} else {
			return false
		}
	}
	if that1 == nil {
		return this == nil
	} else if this == nil {
		return false
	}
	if this.Name != that1.Name {
		return false
	}
	if that1.ConfigType == nil {
		if this.ConfigType != nil {
			return false
		}
	} else if this.ConfigType == nil {
		return false
	} else if !this.ConfigType.Equal(that1.ConfigType) {
		return false
	}
	if !bytes.Equal(this.XXX_unrecognized, that1.XXX_unrecognized) {
		return false
	}
	return true
}
func (this *TransportSocket_Config) Equal(that interface{}) bool {
	if that == nil {
		return this == nil
	}

	that1, ok := that.(*TransportSocket_Config)
	if !ok {
		that2, ok := that.(TransportSocket_Config)
		if ok {
			that1 = &that2
		} else {
			return false
		}
	}
	if that1 == nil {
		return this == nil
	} else if this == nil {
		return false
	}
	if !this.Config.Equal(that1.Config) {
		return false
	}
	return true
}
func (this *TransportSocket_TypedConfig) Equal(that interface{}) bool {
	if that == nil {
		return this == nil
	}

	that1, ok := that.(*TransportSocket_TypedConfig)
	if !ok {
		that2, ok := that.(TransportSocket_TypedConfig)
		if ok {
			that1 = &that2
		} else {
			return false
		}
	}
	if that1 == nil {
		return this == nil
	} else if this == nil {
		return false
	}
	if !this.TypedConfig.Equal(that1.TypedConfig) {
		return false
	}
	return true
}
func (this *SocketOption) Equal(that interface{}) bool {
	if that == nil {
		return this == nil
	}

	that1, ok := that.(*SocketOption)
	if !ok {
		that2, ok := that.(SocketOption)
		if ok {
			that1 = &that2
		} else {
			return false
		}
	}
	if that1 == nil {
		return this == nil
	} else if this == nil {
		return false
	}
	if this.Description != that1.Description {
		return false
	}
	if this.Level != that1.Level {
		return false
	}
	if this.Name != that1.Name {
		return false
	}
	if that1.Value == nil {
		if this.Value != nil {
			return false
		}
	} else if this.Value == nil {
		return false
	} else if !this.Value.Equal(that1.Value) {
		return false
	}
	if this.State != that1.State {
		return false
	}
	if !bytes.Equal(this.XXX_unrecognized, that1.XXX_unrecognized) {
		return false
	}
	return true
}
func (this *SocketOption_IntValue) Equal(that interface{}) bool {
	if that == nil {
		return this == nil
	}

	that1, ok := that.(*SocketOption_IntValue)
	if !ok {
		that2, ok := that.(SocketOption_IntValue)
		if ok {
			that1 = &that2
		} else {
			return false
		}
	}
	if that1 == nil {
		return this == nil
	} else if this == nil {
		return false
	}
	if this.IntValue != that1.IntValue {
		return false
	}
	return true
}
func (this *SocketOption_BufValue) Equal(that interface{}) bool {
	if that == nil {
		return this == nil
	}

	that1, ok := that.(*SocketOption_BufValue)
	if !ok {
		that2, ok := that.(SocketOption_BufValue)
		if ok {
			that1 = &that2
		} else {
			return false
		}
	}
	if that1 == nil {
		return this == nil
	} else if this == nil {
		return false
	}
	if !bytes.Equal(this.BufValue, that1.BufValue) {
		return false
	}
	return true
}
func (this *RuntimeFractionalPercent) Equal(that interface{}) bool {
	if that == nil {
		return this == nil
	}

	that1, ok := that.(*RuntimeFractionalPercent)
	if !ok {
		that2, ok := that.(RuntimeFractionalPercent)
		if ok {
			that1 = &that2
		} else {
			return false
		}
	}
	if that1 == nil {
		return this == nil
	} else if this == nil {
		return false
	}
	if !this.DefaultValue.Equal(that1.DefaultValue) {
		return false
	}
	if this.RuntimeKey != that1.RuntimeKey {
		return false
	}
	if !bytes.Equal(this.XXX_unrecognized, that1.XXX_unrecognized) {
		return false
	}
	return true
}
func (this *ControlPlane) Equal(that interface{}) bool {
	if that == nil {
		return this == nil
	}

	that1, ok := that.(*ControlPlane)
	if !ok {
		that2, ok := that.(ControlPlane)
		if ok {
			that1 = &that2
		} else {
			return false
		}
	}
	if that1 == nil {
		return this == nil
	} else if this == nil {
		return false
	}
	if this.Identifier != that1.Identifier {
		return false
	}
	if !bytes.Equal(this.XXX_unrecognized, that1.XXX_unrecognized) {
		return false
	}
	return true
}
func (m *Locality) Marshal() (dAtA []byte, err error) {
	size := m.Size()
	dAtA = make([]byte, size)
	n, err := m.MarshalTo(dAtA)
	if err != nil {
		return nil, err
	}
	return dAtA[:n], nil
}

func (m *Locality) MarshalTo(dAtA []byte) (int, error) {
	var i int
	_ = i
	var l int
	_ = l
	if len(m.Region) > 0 {
		dAtA[i] = 0xa
		i++
		i = encodeVarintBase(dAtA, i, uint64(len(m.Region)))
		i += copy(dAtA[i:], m.Region)
	}
	if len(m.Zone) > 0 {
		dAtA[i] = 0x12
		i++
		i = encodeVarintBase(dAtA, i, uint64(len(m.Zone)))
		i += copy(dAtA[i:], m.Zone)
	}
	if len(m.SubZone) > 0 {
		dAtA[i] = 0x1a
		i++
		i = encodeVarintBase(dAtA, i, uint64(len(m.SubZone)))
		i += copy(dAtA[i:], m.SubZone)
	}
	if m.XXX_unrecognized != nil {
		i += copy(dAtA[i:], m.XXX_unrecognized)
	}
	return i, nil
}

func (m *Node) Marshal() (dAtA []byte, err error) {
	size := m.Size()
	dAtA = make([]byte, size)
	n, err := m.MarshalTo(dAtA)
	if err != nil {
		return nil, err
	}
	return dAtA[:n], nil
}

func (m *Node) MarshalTo(dAtA []byte) (int, error) {
	var i int
	_ = i
	var l int
	_ = l
	if len(m.Id) > 0 {
		dAtA[i] = 0xa
		i++
		i = encodeVarintBase(dAtA, i, uint64(len(m.Id)))
		i += copy(dAtA[i:], m.Id)
	}
	if len(m.Cluster) > 0 {
		dAtA[i] = 0x12
		i++
		i = encodeVarintBase(dAtA, i, uint64(len(m.Cluster)))
		i += copy(dAtA[i:], m.Cluster)
	}
	if m.Metadata != nil {
		dAtA[i] = 0x1a
		i++
		i = encodeVarintBase(dAtA, i, uint64(m.Metadata.Size()))
		n1, err1 := m.Metadata.MarshalTo(dAtA[i:])
		if err1 != nil {
			return 0, err1
		}
		i += n1
	}
	if m.Locality != nil {
		dAtA[i] = 0x22
		i++
		i = encodeVarintBase(dAtA, i, uint64(m.Locality.Size()))
		n2, err2 := m.Locality.MarshalTo(dAtA[i:])
		if err2 != nil {
			return 0, err2
		}
		i += n2
	}
	if len(m.BuildVersion) > 0 {
		dAtA[i] = 0x2a
		i++
		i = encodeVarintBase(dAtA, i, uint64(len(m.BuildVersion)))
		i += copy(dAtA[i:], m.BuildVersion)
	}
	if m.XXX_unrecognized != nil {
		i += copy(dAtA[i:], m.XXX_unrecognized)
	}
	return i, nil
}

func (m *Metadata) Marshal() (dAtA []byte, err error) {
	size := m.Size()
	dAtA = make([]byte, size)
	n, err := m.MarshalTo(dAtA)
	if err != nil {
		return nil, err
	}
	return dAtA[:n], nil
}

func (m *Metadata) MarshalTo(dAtA []byte) (int, error) {
	var i int
	_ = i
	var l int
	_ = l
	if len(m.FilterMetadata) > 0 {
		keysForFilterMetadata := make([]string, 0, len(m.FilterMetadata))
		for k, _ := range m.FilterMetadata {
			keysForFilterMetadata = append(keysForFilterMetadata, string(k))
		}
		github_com_gogo_protobuf_sortkeys.Strings(keysForFilterMetadata)
		for _, k := range keysForFilterMetadata {
			dAtA[i] = 0xa
			i++
			v := m.FilterMetadata[string(k)]
			msgSize := 0
			if v != nil {
				msgSize = v.Size()
				msgSize += 1 + sovBase(uint64(msgSize))
			}
			mapSize := 1 + len(k) + sovBase(uint64(len(k))) + msgSize
			i = encodeVarintBase(dAtA, i, uint64(mapSize))
			dAtA[i] = 0xa
			i++
			i = encodeVarintBase(dAtA, i, uint64(len(k)))
			i += copy(dAtA[i:], k)
			if v != nil {
				dAtA[i] = 0x12
				i++
				i = encodeVarintBase(dAtA, i, uint64(v.Size()))
				n3, err3 := v.MarshalTo(dAtA[i:])
				if err3 != nil {
					return 0, err3
				}
				i += n3
			}
		}
	}
	if m.XXX_unrecognized != nil {
		i += copy(dAtA[i:], m.XXX_unrecognized)
	}
	return i, nil
}

func (m *RuntimeUInt32) Marshal() (dAtA []byte, err error) {
	size := m.Size()
	dAtA = make([]byte, size)
	n, err := m.MarshalTo(dAtA)
	if err != nil {
		return nil, err
	}
	return dAtA[:n], nil
}

func (m *RuntimeUInt32) MarshalTo(dAtA []byte) (int, error) {
	var i int
	_ = i
	var l int
	_ = l
	if m.DefaultValue != 0 {
		dAtA[i] = 0x10
		i++
		i = encodeVarintBase(dAtA, i, uint64(m.DefaultValue))
	}
	if len(m.RuntimeKey) > 0 {
		dAtA[i] = 0x1a
		i++
		i = encodeVarintBase(dAtA, i, uint64(len(m.RuntimeKey)))
		i += copy(dAtA[i:], m.RuntimeKey)
	}
	if m.XXX_unrecognized != nil {
		i += copy(dAtA[i:], m.XXX_unrecognized)
	}
	return i, nil
}

func (m *HeaderValue) Marshal() (dAtA []byte, err error) {
	size := m.Size()
	dAtA = make([]byte, size)
	n, err := m.MarshalTo(dAtA)
	if err != nil {
		return nil, err
	}
	return dAtA[:n], nil
}

func (m *HeaderValue) MarshalTo(dAtA []byte) (int, error) {
	var i int
	_ = i
	var l int
	_ = l
	if len(m.Key) > 0 {
		dAtA[i] = 0xa
		i++
		i = encodeVarintBase(dAtA, i, uint64(len(m.Key)))
		i += copy(dAtA[i:], m.Key)
	}
	if len(m.Value) > 0 {
		dAtA[i] = 0x12
		i++
		i = encodeVarintBase(dAtA, i, uint64(len(m.Value)))
		i += copy(dAtA[i:], m.Value)
	}
	if m.XXX_unrecognized != nil {
		i += copy(dAtA[i:], m.XXX_unrecognized)
	}
	return i, nil
}

func (m *HeaderValueOption) Marshal() (dAtA []byte, err error) {
	size := m.Size()
	dAtA = make([]byte, size)
	n, err := m.MarshalTo(dAtA)
	if err != nil {
		return nil, err
	}
	return dAtA[:n], nil
}

func (m *HeaderValueOption) MarshalTo(dAtA []byte) (int, error) {
	var i int
	_ = i
	var l int
	_ = l
	if m.Header != nil {
		dAtA[i] = 0xa
		i++
		i = encodeVarintBase(dAtA, i, uint64(m.Header.Size()))
		n4, err4 := m.Header.MarshalTo(dAtA[i:])
		if err4 != nil {
			return 0, err4
		}
		i += n4
	}
	if m.Append != nil {
		dAtA[i] = 0x12
		i++
		i = encodeVarintBase(dAtA, i, uint64(m.Append.Size()))
		n5, err5 := m.Append.MarshalTo(dAtA[i:])
		if err5 != nil {
			return 0, err5
		}
		i += n5
	}
	if m.XXX_unrecognized != nil {
		i += copy(dAtA[i:], m.XXX_unrecognized)
	}
	return i, nil
}

func (m *HeaderMap) Marshal() (dAtA []byte, err error) {
	size := m.Size()
	dAtA = make([]byte, size)
	n, err := m.MarshalTo(dAtA)
	if err != nil {
		return nil, err
	}
	return dAtA[:n], nil
}

func (m *HeaderMap) MarshalTo(dAtA []byte) (int, error) {
	var i int
	_ = i
	var l int
	_ = l
	if len(m.Headers) > 0 {
		for _, msg := range m.Headers {
			dAtA[i] = 0xa
			i++
			i = encodeVarintBase(dAtA, i, uint64(msg.Size()))
			n, err := msg.MarshalTo(dAtA[i:])
			if err != nil {
				return 0, err
			}
			i += n
		}
	}
	if m.XXX_unrecognized != nil {
		i += copy(dAtA[i:], m.XXX_unrecognized)
	}
	return i, nil
}

func (m *DataSource) Marshal() (dAtA []byte, err error) {
	size := m.Size()
	dAtA = make([]byte, size)
	n, err := m.MarshalTo(dAtA)
	if err != nil {
		return nil, err
	}
	return dAtA[:n], nil
}

func (m *DataSource) MarshalTo(dAtA []byte) (int, error) {
	var i int
	_ = i
	var l int
	_ = l
	if m.Specifier != nil {
		nn6, err6 := m.Specifier.MarshalTo(dAtA[i:])
		if err6 != nil {
			return 0, err6
		}
		i += nn6
	}
	if m.XXX_unrecognized != nil {
		i += copy(dAtA[i:], m.XXX_unrecognized)
	}
	return i, nil
}

func (m *DataSource_Filename) MarshalTo(dAtA []byte) (int, error) {
	i := 0
	dAtA[i] = 0xa
	i++
	i = encodeVarintBase(dAtA, i, uint64(len(m.Filename)))
	i += copy(dAtA[i:], m.Filename)
	return i, nil
}
func (m *DataSource_InlineBytes) MarshalTo(dAtA []byte) (int, error) {
	i := 0
	if m.InlineBytes != nil {
		dAtA[i] = 0x12
		i++
		i = encodeVarintBase(dAtA, i, uint64(len(m.InlineBytes)))
		i += copy(dAtA[i:], m.InlineBytes)
	}
	return i, nil
}
func (m *DataSource_InlineString) MarshalTo(dAtA []byte) (int, error) {
	i := 0
	dAtA[i] = 0x1a
	i++
	i = encodeVarintBase(dAtA, i, uint64(len(m.InlineString)))
	i += copy(dAtA[i:], m.InlineString)
	return i, nil
}
func (m *RemoteDataSource) Marshal() (dAtA []byte, err error) {
	size := m.Size()
	dAtA = make([]byte, size)
	n, err := m.MarshalTo(dAtA)
	if err != nil {
		return nil, err
	}
	return dAtA[:n], nil
}

func (m *RemoteDataSource) MarshalTo(dAtA []byte) (int, error) {
	var i int
	_ = i
	var l int
	_ = l
	if m.HttpUri != nil {
		dAtA[i] = 0xa
		i++
		i = encodeVarintBase(dAtA, i, uint64(m.HttpUri.Size()))
		n7, err7 := m.HttpUri.MarshalTo(dAtA[i:])
		if err7 != nil {
			return 0, err7
		}
		i += n7
	}
	if len(m.Sha256) > 0 {
		dAtA[i] = 0x12
		i++
		i = encodeVarintBase(dAtA, i, uint64(len(m.Sha256)))
		i += copy(dAtA[i:], m.Sha256)
	}
	if m.XXX_unrecognized != nil {
		i += copy(dAtA[i:], m.XXX_unrecognized)
	}
	return i, nil
}

func (m *AsyncDataSource) Marshal() (dAtA []byte, err error) {
	size := m.Size()
	dAtA = make([]byte, size)
	n, err := m.MarshalTo(dAtA)
	if err != nil {
		return nil, err
	}
	return dAtA[:n], nil
}

func (m *AsyncDataSource) MarshalTo(dAtA []byte) (int, error) {
	var i int
	_ = i
	var l int
	_ = l
	if m.Specifier != nil {
		nn8, err8 := m.Specifier.MarshalTo(dAtA[i:])
		if err8 != nil {
			return 0, err8
		}
		i += nn8
	}
	if m.XXX_unrecognized != nil {
		i += copy(dAtA[i:], m.XXX_unrecognized)
	}
	return i, nil
}

func (m *AsyncDataSource_Local) MarshalTo(dAtA []byte) (int, error) {
	i := 0
	if m.Local != nil {
		dAtA[i] = 0xa
		i++
		i = encodeVarintBase(dAtA, i, uint64(m.Local.Size()))
		n9, err9 := m.Local.MarshalTo(dAtA[i:])
		if err9 != nil {
			return 0, err9
		}
		i += n9
	}
	return i, nil
}
func (m *AsyncDataSource_Remote) MarshalTo(dAtA []byte) (int, error) {
	i := 0
	if m.Remote != nil {
		dAtA[i] = 0x12
		i++
		i = encodeVarintBase(dAtA, i, uint64(m.Remote.Size()))
		n10, err10 := m.Remote.MarshalTo(dAtA[i:])
		if err10 != nil {
			return 0, err10
		}
		i += n10
	}
	return i, nil
}
func (m *TransportSocket) Marshal() (dAtA []byte, err error) {
	size := m.Size()
	dAtA = make([]byte, size)
	n, err := m.MarshalTo(dAtA)
	if err != nil {
		return nil, err
	}
	return dAtA[:n], nil
}

func (m *TransportSocket) MarshalTo(dAtA []byte) (int, error) {
	var i int
	_ = i
	var l int
	_ = l
	if len(m.Name) > 0 {
		dAtA[i] = 0xa
		i++
		i = encodeVarintBase(dAtA, i, uint64(len(m.Name)))
		i += copy(dAtA[i:], m.Name)
	}
	if m.ConfigType != nil {
		nn11, err11 := m.ConfigType.MarshalTo(dAtA[i:])
		if err11 != nil {
			return 0, err11
		}
		i += nn11
	}
	if m.XXX_unrecognized != nil {
		i += copy(dAtA[i:], m.XXX_unrecognized)
	}
	return i, nil
}

func (m *TransportSocket_Config) MarshalTo(dAtA []byte) (int, error) {
	i := 0
	if m.Config != nil {
		dAtA[i] = 0x12
		i++
		i = encodeVarintBase(dAtA, i, uint64(m.Config.Size()))
		n12, err12 := m.Config.MarshalTo(dAtA[i:])
		if err12 != nil {
			return 0, err12
		}
		i += n12
	}
	return i, nil
}
func (m *TransportSocket_TypedConfig) MarshalTo(dAtA []byte) (int, error) {
	i := 0
	if m.TypedConfig != nil {
		dAtA[i] = 0x1a
		i++
		i = encodeVarintBase(dAtA, i, uint64(m.TypedConfig.Size()))
		n13, err13 := m.TypedConfig.MarshalTo(dAtA[i:])
		if err13 != nil {
			return 0, err13
		}
		i += n13
	}
	return i, nil
}
func (m *SocketOption) Marshal() (dAtA []byte, err error) {
	size := m.Size()
	dAtA = make([]byte, size)
	n, err := m.MarshalTo(dAtA)
	if err != nil {
		return nil, err
	}
	return dAtA[:n], nil
}

func (m *SocketOption) MarshalTo(dAtA []byte) (int, error) {
	var i int
	_ = i
	var l int
	_ = l
	if len(m.Description) > 0 {
		dAtA[i] = 0xa
		i++
		i = encodeVarintBase(dAtA, i, uint64(len(m.Description)))
		i += copy(dAtA[i:], m.Description)
	}
	if m.Level != 0 {
		dAtA[i] = 0x10
		i++
		i = encodeVarintBase(dAtA, i, uint64(m.Level))
	}
	if m.Name != 0 {
		dAtA[i] = 0x18
		i++
		i = encodeVarintBase(dAtA, i, uint64(m.Name))
	}
	if m.Value != nil {
		nn14, err14 := m.Value.MarshalTo(dAtA[i:])
		if err14 != nil {
			return 0, err14
		}
		i += nn14
	}
	if m.State != 0 {
		dAtA[i] = 0x30
		i++
		i = encodeVarintBase(dAtA, i, uint64(m.State))
	}
	if m.XXX_unrecognized != nil {
		i += copy(dAtA[i:], m.XXX_unrecognized)
	}
	return i, nil
}

func (m *SocketOption_IntValue) MarshalTo(dAtA []byte) (int, error) {
	i := 0
	dAtA[i] = 0x20
	i++
	i = encodeVarintBase(dAtA, i, uint64(m.IntValue))
	return i, nil
}
func (m *SocketOption_BufValue) MarshalTo(dAtA []byte) (int, error) {
	i := 0
	if m.BufValue != nil {
		dAtA[i] = 0x2a
		i++
		i = encodeVarintBase(dAtA, i, uint64(len(m.BufValue)))
		i += copy(dAtA[i:], m.BufValue)
	}
	return i, nil
}
func (m *RuntimeFractionalPercent) Marshal() (dAtA []byte, err error) {
	size := m.Size()
	dAtA = make([]byte, size)
	n, err := m.MarshalTo(dAtA)
	if err != nil {
		return nil, err
	}
	return dAtA[:n], nil
}

func (m *RuntimeFractionalPercent) MarshalTo(dAtA []byte) (int, error) {
	var i int
	_ = i
	var l int
	_ = l
	if m.DefaultValue != nil {
		dAtA[i] = 0xa
		i++
		i = encodeVarintBase(dAtA, i, uint64(m.DefaultValue.Size()))
		n15, err15 := m.DefaultValue.MarshalTo(dAtA[i:])
		if err15 != nil {
			return 0, err15
		}
		i += n15
	}
	if len(m.RuntimeKey) > 0 {
		dAtA[i] = 0x12
		i++
		i = encodeVarintBase(dAtA, i, uint64(len(m.RuntimeKey)))
		i += copy(dAtA[i:], m.RuntimeKey)
	}
	if m.XXX_unrecognized != nil {
		i += copy(dAtA[i:], m.XXX_unrecognized)
	}
	return i, nil
}

func (m *ControlPlane) Marshal() (dAtA []byte, err error) {
	size := m.Size()
	dAtA = make([]byte, size)
	n, err := m.MarshalTo(dAtA)
	if err != nil {
		return nil, err
	}
	return dAtA[:n], nil
}

func (m *ControlPlane) MarshalTo(dAtA []byte) (int, error) {
	var i int
	_ = i
	var l int
	_ = l
	if len(m.Identifier) > 0 {
		dAtA[i] = 0xa
		i++
		i = encodeVarintBase(dAtA, i, uint64(len(m.Identifier)))
		i += copy(dAtA[i:], m.Identifier)
	}
	if m.XXX_unrecognized != nil {
		i += copy(dAtA[i:], m.XXX_unrecognized)
	}
	return i, nil
}

func encodeVarintBase(dAtA []byte, offset int, v uint64) int {
	for v >= 1<<7 {
		dAtA[offset] = uint8(v&0x7f | 0x80)
		v >>= 7
		offset++
	}
	dAtA[offset] = uint8(v)
	return offset + 1
}
func (m *Locality) Size() (n int) {
	if m == nil {
		return 0
	}
	var l int
	_ = l
	l = len(m.Region)
	if l > 0 {
		n += 1 + l + sovBase(uint64(l))
	}
	l = len(m.Zone)
	if l > 0 {
		n += 1 + l + sovBase(uint64(l))
	}
	l = len(m.SubZone)
	if l > 0 {
		n += 1 + l + sovBase(uint64(l))
	}
	if m.XXX_unrecognized != nil {
		n += len(m.XXX_unrecognized)
	}
	return n
}

func (m *Node) Size() (n int) {
	if m == nil {
		return 0
	}
	var l int
	_ = l
	l = len(m.Id)
	if l > 0 {
		n += 1 + l + sovBase(uint64(l))
	}
	l = len(m.Cluster)
	if l > 0 {
		n += 1 + l + sovBase(uint64(l))
	}
	if m.Metadata != nil {
		l = m.Metadata.Size()
		n += 1 + l + sovBase(uint64(l))
	}
	if m.Locality != nil {
		l = m.Locality.Size()
		n += 1 + l + sovBase(uint64(l))
	}
	l = len(m.BuildVersion)
	if l > 0 {
		n += 1 + l + sovBase(uint64(l))
	}
	if m.XXX_unrecognized != nil {
		n += len(m.XXX_unrecognized)
	}
	return n
}

func (m *Metadata) Size() (n int) {
	if m == nil {
		return 0
	}
	var l int
	_ = l
	if len(m.FilterMetadata) > 0 {
		for k, v := range m.FilterMetadata {
			_ = k
			_ = v
			l = 0
			if v != nil {
				l = v.Size()
				l += 1 + sovBase(uint64(l))
			}
			mapEntrySize := 1 + len(k) + sovBase(uint64(len(k))) + l
			n += mapEntrySize + 1 + sovBase(uint64(mapEntrySize))
		}
	}
	if m.XXX_unrecognized != nil {
		n += len(m.XXX_unrecognized)
	}
	return n
}

func (m *RuntimeUInt32) Size() (n int) {
	if m == nil {
		return 0
	}
	var l int
	_ = l
	if m.DefaultValue != 0 {
		n += 1 + sovBase(uint64(m.DefaultValue))
	}
	l = len(m.RuntimeKey)
	if l > 0 {
		n += 1 + l + sovBase(uint64(l))
	}
	if m.XXX_unrecognized != nil {
		n += len(m.XXX_unrecognized)
	}
	return n
}

func (m *HeaderValue) Size() (n int) {
	if m == nil {
		return 0
	}
	var l int
	_ = l
	l = len(m.Key)
	if l > 0 {
		n += 1 + l + sovBase(uint64(l))
	}
	l = len(m.Value)
	if l > 0 {
		n += 1 + l + sovBase(uint64(l))
	}
	if m.XXX_unrecognized != nil {
		n += len(m.XXX_unrecognized)
	}
	return n
}

func (m *HeaderValueOption) Size() (n int) {
	if m == nil {
		return 0
	}
	var l int
	_ = l
	if m.Header != nil {
		l = m.Header.Size()
		n += 1 + l + sovBase(uint64(l))
	}
	if m.Append != nil {
		l = m.Append.Size()
		n += 1 + l + sovBase(uint64(l))
	}
	if m.XXX_unrecognized != nil {
		n += len(m.XXX_unrecognized)
	}
	return n
}

func (m *HeaderMap) Size() (n int) {
	if m == nil {
		return 0
	}
	var l int
	_ = l
	if len(m.Headers) > 0 {
		for _, e := range m.Headers {
			l = e.Size()
			n += 1 + l + sovBase(uint64(l))
		}
	}
	if m.XXX_unrecognized != nil {
		n += len(m.XXX_unrecognized)
	}
	return n
}

func (m *DataSource) Size() (n int) {
	if m == nil {
		return 0
	}
	var l int
	_ = l
	if m.Specifier != nil {
		n += m.Specifier.Size()
	}
	if m.XXX_unrecognized != nil {
		n += len(m.XXX_unrecognized)
	}
	return n
}

func (m *DataSource_Filename) Size() (n int) {
	if m == nil {
		return 0
	}
	var l int
	_ = l
	l = len(m.Filename)
	n += 1 + l + sovBase(uint64(l))
	return n
}
func (m *DataSource_InlineBytes) Size() (n int) {
	if m == nil {
		return 0
	}
	var l int
	_ = l
	if m.InlineBytes != nil {
		l = len(m.InlineBytes)
		n += 1 + l + sovBase(uint64(l))
	}
	return n
}
func (m *DataSource_InlineString) Size() (n int) {
	if m == nil {
		return 0
	}
	var l int
	_ = l
	l = len(m.InlineString)
	n += 1 + l + sovBase(uint64(l))
	return n
}
func (m *RemoteDataSource) Size() (n int) {
	if m == nil {
		return 0
	}
	var l int
	_ = l
	if m.HttpUri != nil {
		l = m.HttpUri.Size()
		n += 1 + l + sovBase(uint64(l))
	}
	l = len(m.Sha256)
	if l > 0 {
		n += 1 + l + sovBase(uint64(l))
	}
	if m.XXX_unrecognized != nil {
		n += len(m.XXX_unrecognized)
	}
	return n
}

func (m *AsyncDataSource) Size() (n int) {
	if m == nil {
		return 0
	}
	var l int
	_ = l
	if m.Specifier != nil {
		n += m.Specifier.Size()
	}
	if m.XXX_unrecognized != nil {
		n += len(m.XXX_unrecognized)
	}
	return n
}

func (m *AsyncDataSource_Local) Size() (n int) {
	if m == nil {
		return 0
	}
	var l int
	_ = l
	if m.Local != nil {
		l = m.Local.Size()
		n += 1 + l + sovBase(uint64(l))
	}
	return n
}
func (m *AsyncDataSource_Remote) Size() (n int) {
	if m == nil {
		return 0
	}
	var l int
	_ = l
	if m.Remote != nil {
		l = m.Remote.Size()
		n += 1 + l + sovBase(uint64(l))
	}
	return n
}
func (m *TransportSocket) Size() (n int) {
	if m == nil {
		return 0
	}
	var l int
	_ = l
	l = len(m.Name)
	if l > 0 {
		n += 1 + l + sovBase(uint64(l))
	}
	if m.ConfigType != nil {
		n += m.ConfigType.Size()
	}
	if m.XXX_unrecognized != nil {
		n += len(m.XXX_unrecognized)
	}
	return n
}

func (m *TransportSocket_Config) Size() (n int) {
	if m == nil {
		return 0
	}
	var l int
	_ = l
	if m.Config != nil {
		l = m.Config.Size()
		n += 1 + l + sovBase(uint64(l))
	}
	return n
}
func (m *TransportSocket_TypedConfig) Size() (n int) {
	if m == nil {
		return 0
	}
	var l int
	_ = l
	if m.TypedConfig != nil {
		l = m.TypedConfig.Size()
		n += 1 + l + sovBase(uint64(l))
	}
	return n
}
func (m *SocketOption) Size() (n int) {
	if m == nil {
		return 0
	}
	var l int
	_ = l
	l = len(m.Description)
	if l > 0 {
		n += 1 + l + sovBase(uint64(l))
	}
	if m.Level != 0 {
		n += 1 + sovBase(uint64(m.Level))
	}
	if m.Name != 0 {
		n += 1 + sovBase(uint64(m.Name))
	}
	if m.Value != nil {
		n += m.Value.Size()
	}
	if m.State != 0 {
		n += 1 + sovBase(uint64(m.State))
	}
	if m.XXX_unrecognized != nil {
		n += len(m.XXX_unrecognized)
	}
	return n
}

func (m *SocketOption_IntValue) Size() (n int) {
	if m == nil {
		return 0
	}
	var l int
	_ = l
	n += 1 + sovBase(uint64(m.IntValue))
	return n
}
func (m *SocketOption_BufValue) Size() (n int) {
	if m == nil {
		return 0
	}
	var l int
	_ = l
	if m.BufValue != nil {
		l = len(m.BufValue)
		n += 1 + l + sovBase(uint64(l))
	}
	return n
}
func (m *RuntimeFractionalPercent) Size() (n int) {
	if m == nil {
		return 0
	}
	var l int
	_ = l
	if m.DefaultValue != nil {
		l = m.DefaultValue.Size()
		n += 1 + l + sovBase(uint64(l))
	}
	l = len(m.RuntimeKey)
	if l > 0 {
		n += 1 + l + sovBase(uint64(l))
	}
	if m.XXX_unrecognized != nil {
		n += len(m.XXX_unrecognized)
	}
	return n
}

func (m *ControlPlane) Size() (n int) {
	if m == nil {
		return 0
	}
	var l int
	_ = l
	l = len(m.Identifier)
	if l > 0 {
		n += 1 + l + sovBase(uint64(l))
	}
	if m.XXX_unrecognized != nil {
		n += len(m.XXX_unrecognized)
	}
	return n
}

func sovBase(x uint64) (n int) {
	return (math_bits.Len64(x|1) + 6) / 7
}
func sozBase(x uint64) (n int) {
	return sovBase(uint64((x << 1) ^ uint64((int64(x) >> 63))))
}
func (m *Locality) Unmarshal(dAtA []byte) error {
	l := len(dAtA)
	iNdEx := 0
	for iNdEx < l {
		preIndex := iNdEx
		var wire uint64
		for shift := uint(0); ; shift += 7 {
			if shift >= 64 {
				return ErrIntOverflowBase
			}
			if iNdEx >= l {
				return io.ErrUnexpectedEOF
			}
			b := dAtA[iNdEx]
			iNdEx++
			wire |= uint64(b&0x7F) << shift
			if b < 0x80 {
				break
			}
		}
		fieldNum := int32(wire >> 3)
		wireType := int(wire & 0x7)
		if wireType == 4 {
			return fmt.Errorf("proto: Locality: wiretype end group for non-group")
		}
		if fieldNum <= 0 {
			return fmt.Errorf("proto: Locality: illegal tag %d (wire type %d)", fieldNum, wire)
		}
		switch fieldNum {
		case 1:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field Region", wireType)
			}
			var stringLen uint64
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowBase
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				stringLen |= uint64(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			intStringLen := int(stringLen)
			if intStringLen < 0 {
				return ErrInvalidLengthBase
			}
			postIndex := iNdEx + intStringLen
			if postIndex < 0 {
				return ErrInvalidLengthBase
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			m.Region = string(dAtA[iNdEx:postIndex])
			iNdEx = postIndex
		case 2:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field Zone", wireType)
			}
			var stringLen uint64
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowBase
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				stringLen |= uint64(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			intStringLen := int(stringLen)
			if intStringLen < 0 {
				return ErrInvalidLengthBase
			}
			postIndex := iNdEx + intStringLen
			if postIndex < 0 {
				return ErrInvalidLengthBase
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			m.Zone = string(dAtA[iNdEx:postIndex])
			iNdEx = postIndex
		case 3:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field SubZone", wireType)
			}
			var stringLen uint64
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowBase
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				stringLen |= uint64(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			intStringLen := int(stringLen)
			if intStringLen < 0 {
				return ErrInvalidLengthBase
			}
			postIndex := iNdEx + intStringLen
			if postIndex < 0 {
				return ErrInvalidLengthBase
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			m.SubZone = string(dAtA[iNdEx:postIndex])
			iNdEx = postIndex
		default:
			iNdEx = preIndex
			skippy, err := skipBase(dAtA[iNdEx:])
			if err != nil {
				return err
			}
			if skippy < 0 {
				return ErrInvalidLengthBase
			}
			if (iNdEx + skippy) < 0 {
				return ErrInvalidLengthBase
			}
			if (iNdEx + skippy) > l {
				return io.ErrUnexpectedEOF
			}
			m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...)
			iNdEx += skippy
		}
	}

	if iNdEx > l {
		return io.ErrUnexpectedEOF
	}
	return nil
}
func (m *Node) Unmarshal(dAtA []byte) error {
	l := len(dAtA)
	iNdEx := 0
	for iNdEx < l {
		preIndex := iNdEx
		var wire uint64
		for shift := uint(0); ; shift += 7 {
			if shift >= 64 {
				return ErrIntOverflowBase
			}
			if iNdEx >= l {
				return io.ErrUnexpectedEOF
			}
			b := dAtA[iNdEx]
			iNdEx++
			wire |= uint64(b&0x7F) << shift
			if b < 0x80 {
				break
			}
		}
		fieldNum := int32(wire >> 3)
		wireType := int(wire & 0x7)
		if wireType == 4 {
			return fmt.Errorf("proto: Node: wiretype end group for non-group")
		}
		if fieldNum <= 0 {
			return fmt.Errorf("proto: Node: illegal tag %d (wire type %d)", fieldNum, wire)
		}
		switch fieldNum {
		case 1:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field Id", wireType)
			}
			var stringLen uint64
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowBase
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				stringLen |= uint64(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			intStringLen := int(stringLen)
			if intStringLen < 0 {
				return ErrInvalidLengthBase
			}
			postIndex := iNdEx + intStringLen
			if postIndex < 0 {
				return ErrInvalidLengthBase
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			m.Id = string(dAtA[iNdEx:postIndex])
			iNdEx = postIndex
		case 2:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field Cluster", wireType)
			}
			var stringLen uint64
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowBase
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				stringLen |= uint64(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			intStringLen := int(stringLen)
			if intStringLen < 0 {
				return ErrInvalidLengthBase
			}
			postIndex := iNdEx + intStringLen
			if postIndex < 0 {
				return ErrInvalidLengthBase
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			m.Cluster = string(dAtA[iNdEx:postIndex])
			iNdEx = postIndex
		case 3:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field Metadata", wireType)
			}
			var msglen int
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowBase
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				msglen |= int(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			if msglen < 0 {
				return ErrInvalidLengthBase
			}
			postIndex := iNdEx + msglen
			if postIndex < 0 {
				return ErrInvalidLengthBase
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			if m.Metadata == nil {
				m.Metadata = &types.Struct{}
			}
			if err := m.Metadata.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
				return err
			}
			iNdEx = postIndex
		case 4:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field Locality", wireType)
			}
			var msglen int
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowBase
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				msglen |= int(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			if msglen < 0 {
				return ErrInvalidLengthBase
			}
			postIndex := iNdEx + msglen
			if postIndex < 0 {
				return ErrInvalidLengthBase
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			if m.Locality == nil {
				m.Locality = &Locality{}
			}
			if err := m.Locality.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
				return err
			}
			iNdEx = postIndex
		case 5:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field BuildVersion", wireType)
			}
			var stringLen uint64
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowBase
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				stringLen |= uint64(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			intStringLen := int(stringLen)
			if intStringLen < 0 {
				return ErrInvalidLengthBase
			}
			postIndex := iNdEx + intStringLen
			if postIndex < 0 {
				return ErrInvalidLengthBase
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			m.BuildVersion = string(dAtA[iNdEx:postIndex])
			iNdEx = postIndex
		default:
			iNdEx = preIndex
			skippy, err := skipBase(dAtA[iNdEx:])
			if err != nil {
				return err
			}
			if skippy < 0 {
				return ErrInvalidLengthBase
			}
			if (iNdEx + skippy) < 0 {
				return ErrInvalidLengthBase
			}
			if (iNdEx + skippy) > l {
				return io.ErrUnexpectedEOF
			}
			m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...)
			iNdEx += skippy
		}
	}

	if iNdEx > l {
		return io.ErrUnexpectedEOF
	}
	return nil
}
func (m *Metadata) Unmarshal(dAtA []byte) error {
	l := len(dAtA)
	iNdEx := 0
	for iNdEx < l {
		preIndex := iNdEx
		var wire uint64
		for shift := uint(0); ; shift += 7 {
			if shift >= 64 {
				return ErrIntOverflowBase
			}
			if iNdEx >= l {
				return io.ErrUnexpectedEOF
			}
			b := dAtA[iNdEx]
			iNdEx++
			wire |= uint64(b&0x7F) << shift
			if b < 0x80 {
				break
			}
		}
		fieldNum := int32(wire >> 3)
		wireType := int(wire & 0x7)
		if wireType == 4 {
			return fmt.Errorf("proto: Metadata: wiretype end group for non-group")
		}
		if fieldNum <= 0 {
			return fmt.Errorf("proto: Metadata: illegal tag %d (wire type %d)", fieldNum, wire)
		}
		switch fieldNum {
		case 1:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field FilterMetadata", wireType)
			}
			var msglen int
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowBase
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				msglen |= int(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			if msglen < 0 {
				return ErrInvalidLengthBase
			}
			postIndex := iNdEx + msglen
			if postIndex < 0 {
				return ErrInvalidLengthBase
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			if m.FilterMetadata == nil {
				m.FilterMetadata = make(map[string]*types.Struct)
			}
			var mapkey string
			var mapvalue *types.Struct
			for iNdEx < postIndex {
				entryPreIndex := iNdEx
				var wire uint64
				for shift := uint(0); ; shift += 7 {
					if shift >= 64 {
						return ErrIntOverflowBase
					}
					if iNdEx >= l {
						return io.ErrUnexpectedEOF
					}
					b := dAtA[iNdEx]
					iNdEx++
					wire |= uint64(b&0x7F) << shift
					if b < 0x80 {
						break
					}
				}
				fieldNum := int32(wire >> 3)
				if fieldNum == 1 {
					var stringLenmapkey uint64
					for shift := uint(0); ; shift += 7 {
						if shift >= 64 {
							return ErrIntOverflowBase
						}
						if iNdEx >= l {
							return io.ErrUnexpectedEOF
						}
						b := dAtA[iNdEx]
						iNdEx++
						stringLenmapkey |= uint64(b&0x7F) << shift
						if b < 0x80 {
							break
						}
					}
					intStringLenmapkey := int(stringLenmapkey)
					if intStringLenmapkey < 0 {
						return ErrInvalidLengthBase
					}
					postStringIndexmapkey := iNdEx + intStringLenmapkey
					if postStringIndexmapkey < 0 {
						return ErrInvalidLengthBase
					}
					if postStringIndexmapkey > l {
						return io.ErrUnexpectedEOF
					}
					mapkey = string(dAtA[iNdEx:postStringIndexmapkey])
					iNdEx = postStringIndexmapkey
				} else if fieldNum == 2 {
					var mapmsglen int
					for shift := uint(0); ; shift += 7 {
						if shift >= 64 {
							return ErrIntOverflowBase
						}
						if iNdEx >= l {
							return io.ErrUnexpectedEOF
						}
						b := dAtA[iNdEx]
						iNdEx++
						mapmsglen |= int(b&0x7F) << shift
						if b < 0x80 {
							break
						}
					}
					if mapmsglen < 0 {
						return ErrInvalidLengthBase
					}
					postmsgIndex := iNdEx + mapmsglen
					if postmsgIndex < 0 {
						return ErrInvalidLengthBase
					}
					if postmsgIndex > l {
						return io.ErrUnexpectedEOF
					}
					mapvalue = &types.Struct{}
					if err := mapvalue.Unmarshal(dAtA[iNdEx:postmsgIndex]); err != nil {
						return err
					}
					iNdEx = postmsgIndex
				} else {
					iNdEx = entryPreIndex
					skippy, err := skipBase(dAtA[iNdEx:])
					if err != nil {
						return err
					}
					if skippy < 0 {
						return ErrInvalidLengthBase
					}
					if (iNdEx + skippy) > postIndex {
						return io.ErrUnexpectedEOF
					}
					iNdEx += skippy
				}
			}
			m.FilterMetadata[mapkey] = mapvalue
			iNdEx = postIndex
		default:
			iNdEx = preIndex
			skippy, err := skipBase(dAtA[iNdEx:])
			if err != nil {
				return err
			}
			if skippy < 0 {
				return ErrInvalidLengthBase
			}
			if (iNdEx + skippy) < 0 {
				return ErrInvalidLengthBase
			}
			if (iNdEx + skippy) > l {
				return io.ErrUnexpectedEOF
			}
			m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...)
			iNdEx += skippy
		}
	}

	if iNdEx > l {
		return io.ErrUnexpectedEOF
	}
	return nil
}
func (m *RuntimeUInt32) Unmarshal(dAtA []byte) error {
	l := len(dAtA)
	iNdEx := 0
	for iNdEx < l {
		preIndex := iNdEx
		var wire uint64
		for shift := uint(0); ; shift += 7 {
			if shift >= 64 {
				return ErrIntOverflowBase
			}
			if iNdEx >= l {
				return io.ErrUnexpectedEOF
			}
			b := dAtA[iNdEx]
			iNdEx++
			wire |= uint64(b&0x7F) << shift
			if b < 0x80 {
				break
			}
		}
		fieldNum := int32(wire >> 3)
		wireType := int(wire & 0x7)
		if wireType == 4 {
			return fmt.Errorf("proto: RuntimeUInt32: wiretype end group for non-group")
		}
		if fieldNum <= 0 {
			return fmt.Errorf("proto: RuntimeUInt32: illegal tag %d (wire type %d)", fieldNum, wire)
		}
		switch fieldNum {
		case 2:
			if wireType != 0 {
				return fmt.Errorf("proto: wrong wireType = %d for field DefaultValue", wireType)
			}
			m.DefaultValue = 0
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowBase
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				m.DefaultValue |= uint32(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
		case 3:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field RuntimeKey", wireType)
			}
			var stringLen uint64
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowBase
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				stringLen |= uint64(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			intStringLen := int(stringLen)
			if intStringLen < 0 {
				return ErrInvalidLengthBase
			}
			postIndex := iNdEx + intStringLen
			if postIndex < 0 {
				return ErrInvalidLengthBase
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			m.RuntimeKey = string(dAtA[iNdEx:postIndex])
			iNdEx = postIndex
		default:
			iNdEx = preIndex
			skippy, err := skipBase(dAtA[iNdEx:])
			if err != nil {
				return err
			}
			if skippy < 0 {
				return ErrInvalidLengthBase
			}
			if (iNdEx + skippy) < 0 {
				return ErrInvalidLengthBase
			}
			if (iNdEx + skippy) > l {
				return io.ErrUnexpectedEOF
			}
			m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...)
			iNdEx += skippy
		}
	}

	if iNdEx > l {
		return io.ErrUnexpectedEOF
	}
	return nil
}
func (m *HeaderValue) Unmarshal(dAtA []byte) error {
	l := len(dAtA)
	iNdEx := 0
	for iNdEx < l {
		preIndex := iNdEx
		var wire uint64
		for shift := uint(0); ; shift += 7 {
			if shift >= 64 {
				return ErrIntOverflowBase
			}
			if iNdEx >= l {
				return io.ErrUnexpectedEOF
			}
			b := dAtA[iNdEx]
			iNdEx++
			wire |= uint64(b&0x7F) << shift
			if b < 0x80 {
				break
			}
		}
		fieldNum := int32(wire >> 3)
		wireType := int(wire & 0x7)
		if wireType == 4 {
			return fmt.Errorf("proto: HeaderValue: wiretype end group for non-group")
		}
		if fieldNum <= 0 {
			return fmt.Errorf("proto: HeaderValue: illegal tag %d (wire type %d)", fieldNum, wire)
		}
		switch fieldNum {
		case 1:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field Key", wireType)
			}
			var stringLen uint64
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowBase
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				stringLen |= uint64(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			intStringLen := int(stringLen)
			if intStringLen < 0 {
				return ErrInvalidLengthBase
			}
			postIndex := iNdEx + intStringLen
			if postIndex < 0 {
				return ErrInvalidLengthBase
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			m.Key = string(dAtA[iNdEx:postIndex])
			iNdEx = postIndex
		case 2:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field Value", wireType)
			}
			var stringLen uint64
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowBase
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				stringLen |= uint64(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			intStringLen := int(stringLen)
			if intStringLen < 0 {
				return ErrInvalidLengthBase
			}
			postIndex := iNdEx + intStringLen
			if postIndex < 0 {
				return ErrInvalidLengthBase
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			m.Value = string(dAtA[iNdEx:postIndex])
			iNdEx = postIndex
		default:
			iNdEx = preIndex
			skippy, err := skipBase(dAtA[iNdEx:])
			if err != nil {
				return err
			}
			if skippy < 0 {
				return ErrInvalidLengthBase
			}
			if (iNdEx + skippy) < 0 {
				return ErrInvalidLengthBase
			}
			if (iNdEx + skippy) > l {
				return io.ErrUnexpectedEOF
			}
			m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...)
			iNdEx += skippy
		}
	}

	if iNdEx > l {
		return io.ErrUnexpectedEOF
	}
	return nil
}
func (m *HeaderValueOption) Unmarshal(dAtA []byte) error {
	l := len(dAtA)
	iNdEx := 0
	for iNdEx < l {
		preIndex := iNdEx
		var wire uint64
		for shift := uint(0); ; shift += 7 {
			if shift >= 64 {
				return ErrIntOverflowBase
			}
			if iNdEx >= l {
				return io.ErrUnexpectedEOF
			}
			b := dAtA[iNdEx]
			iNdEx++
			wire |= uint64(b&0x7F) << shift
			if b < 0x80 {
				break
			}
		}
		fieldNum := int32(wire >> 3)
		wireType := int(wire & 0x7)
		if wireType == 4 {
			return fmt.Errorf("proto: HeaderValueOption: wiretype end group for non-group")
		}
		if fieldNum <= 0 {
			return fmt.Errorf("proto: HeaderValueOption: illegal tag %d (wire type %d)", fieldNum, wire)
		}
		switch fieldNum {
		case 1:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field Header", wireType)
			}
			var msglen int
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowBase
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				msglen |= int(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			if msglen < 0 {
				return ErrInvalidLengthBase
			}
			postIndex := iNdEx + msglen
			if postIndex < 0 {
				return ErrInvalidLengthBase
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			if m.Header == nil {
				m.Header = &HeaderValue{}
			}
			if err := m.Header.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
				return err
			}
			iNdEx = postIndex
		case 2:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field Append", wireType)
			}
			var msglen int
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowBase
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				msglen |= int(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			if msglen < 0 {
				return ErrInvalidLengthBase
			}
			postIndex := iNdEx + msglen
			if postIndex < 0 {
				return ErrInvalidLengthBase
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			if m.Append == nil {
				m.Append = &types.BoolValue{}
			}
			if err := m.Append.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
				return err
			}
			iNdEx = postIndex
		default:
			iNdEx = preIndex
			skippy, err := skipBase(dAtA[iNdEx:])
			if err != nil {
				return err
			}
			if skippy < 0 {
				return ErrInvalidLengthBase
			}
			if (iNdEx + skippy) < 0 {
				return ErrInvalidLengthBase
			}
			if (iNdEx + skippy) > l {
				return io.ErrUnexpectedEOF
			}
			m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...)
			iNdEx += skippy
		}
	}

	if iNdEx > l {
		return io.ErrUnexpectedEOF
	}
	return nil
}
func (m *HeaderMap) Unmarshal(dAtA []byte) error {
	l := len(dAtA)
	iNdEx := 0
	for iNdEx < l {
		preIndex := iNdEx
		var wire uint64
		for shift := uint(0); ; shift += 7 {
			if shift >= 64 {
				return ErrIntOverflowBase
			}
			if iNdEx >= l {
				return io.ErrUnexpectedEOF
			}
			b := dAtA[iNdEx]
			iNdEx++
			wire |= uint64(b&0x7F) << shift
			if b < 0x80 {
				break
			}
		}
		fieldNum := int32(wire >> 3)
		wireType := int(wire & 0x7)
		if wireType == 4 {
			return fmt.Errorf("proto: HeaderMap: wiretype end group for non-group")
		}
		if fieldNum <= 0 {
			return fmt.Errorf("proto: HeaderMap: illegal tag %d (wire type %d)", fieldNum, wire)
		}
		switch fieldNum {
		case 1:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field Headers", wireType)
			}
			var msglen int
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowBase
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				msglen |= int(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			if msglen < 0 {
				return ErrInvalidLengthBase
			}
			postIndex := iNdEx + msglen
			if postIndex < 0 {
				return ErrInvalidLengthBase
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			m.Headers = append(m.Headers, &HeaderValue{})
			if err := m.Headers[len(m.Headers)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
				return err
			}
			iNdEx = postIndex
		default:
			iNdEx = preIndex
			skippy, err := skipBase(dAtA[iNdEx:])
			if err != nil {
				return err
			}
			if skippy < 0 {
				return ErrInvalidLengthBase
			}
			if (iNdEx + skippy) < 0 {
				return ErrInvalidLengthBase
			}
			if (iNdEx + skippy) > l {
				return io.ErrUnexpectedEOF
			}
			m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...)
			iNdEx += skippy
		}
	}

	if iNdEx > l {
		return io.ErrUnexpectedEOF
	}
	return nil
}
func (m *DataSource) Unmarshal(dAtA []byte) error {
	l := len(dAtA)
	iNdEx := 0
	for iNdEx < l {
		preIndex := iNdEx
		var wire uint64
		for shift := uint(0); ; shift += 7 {
			if shift >= 64 {
				return ErrIntOverflowBase
			}
			if iNdEx >= l {
				return io.ErrUnexpectedEOF
			}
			b := dAtA[iNdEx]
			iNdEx++
			wire |= uint64(b&0x7F) << shift
			if b < 0x80 {
				break
			}
		}
		fieldNum := int32(wire >> 3)
		wireType := int(wire & 0x7)
		if wireType == 4 {
			return fmt.Errorf("proto: DataSource: wiretype end group for non-group")
		}
		if fieldNum <= 0 {
			return fmt.Errorf("proto: DataSource: illegal tag %d (wire type %d)", fieldNum, wire)
		}
		switch fieldNum {
		case 1:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field Filename", wireType)
			}
			var stringLen uint64
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowBase
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				stringLen |= uint64(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			intStringLen := int(stringLen)
			if intStringLen < 0 {
				return ErrInvalidLengthBase
			}
			postIndex := iNdEx + intStringLen
			if postIndex < 0 {
				return ErrInvalidLengthBase
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			m.Specifier = &DataSource_Filename{string(dAtA[iNdEx:postIndex])}
			iNdEx = postIndex
		case 2:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field InlineBytes", wireType)
			}
			var byteLen int
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowBase
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				byteLen |= int(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			if byteLen < 0 {
				return ErrInvalidLengthBase
			}
			postIndex := iNdEx + byteLen
			if postIndex < 0 {
				return ErrInvalidLengthBase
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			v := make([]byte, postIndex-iNdEx)
			copy(v, dAtA[iNdEx:postIndex])
			m.Specifier = &DataSource_InlineBytes{v}
			iNdEx = postIndex
		case 3:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field InlineString", wireType)
			}
			var stringLen uint64
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowBase
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				stringLen |= uint64(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			intStringLen := int(stringLen)
			if intStringLen < 0 {
				return ErrInvalidLengthBase
			}
			postIndex := iNdEx + intStringLen
			if postIndex < 0 {
				return ErrInvalidLengthBase
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			m.Specifier = &DataSource_InlineString{string(dAtA[iNdEx:postIndex])}
			iNdEx = postIndex
		default:
			iNdEx = preIndex
			skippy, err := skipBase(dAtA[iNdEx:])
			if err != nil {
				return err
			}
			if skippy < 0 {
				return ErrInvalidLengthBase
			}
			if (iNdEx + skippy) < 0 {
				return ErrInvalidLengthBase
			}
			if (iNdEx + skippy) > l {
				return io.ErrUnexpectedEOF
			}
			m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...)
			iNdEx += skippy
		}
	}

	if iNdEx > l {
		return io.ErrUnexpectedEOF
	}
	return nil
}
func (m *RemoteDataSource) Unmarshal(dAtA []byte) error {
	l := len(dAtA)
	iNdEx := 0
	for iNdEx < l {
		preIndex := iNdEx
		var wire uint64
		for shift := uint(0); ; shift += 7 {
			if shift >= 64 {
				return ErrIntOverflowBase
			}
			if iNdEx >= l {
				return io.ErrUnexpectedEOF
			}
			b := dAtA[iNdEx]
			iNdEx++
			wire |= uint64(b&0x7F) << shift
			if b < 0x80 {
				break
			}
		}
		fieldNum := int32(wire >> 3)
		wireType := int(wire & 0x7)
		if wireType == 4 {
			return fmt.Errorf("proto: RemoteDataSource: wiretype end group for non-group")
		}
		if fieldNum <= 0 {
			return fmt.Errorf("proto: RemoteDataSource: illegal tag %d (wire type %d)", fieldNum, wire)
		}
		switch fieldNum {
		case 1:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field HttpUri", wireType)
			}
			var msglen int
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowBase
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				msglen |= int(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			if msglen < 0 {
				return ErrInvalidLengthBase
			}
			postIndex := iNdEx + msglen
			if postIndex < 0 {
				return ErrInvalidLengthBase
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			if m.HttpUri == nil {
				m.HttpUri = &HttpUri{}
			}
			if err := m.HttpUri.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
				return err
			}
			iNdEx = postIndex
		case 2:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field Sha256", wireType)
			}
			var stringLen uint64
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowBase
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				stringLen |= uint64(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			intStringLen := int(stringLen)
			if intStringLen < 0 {
				return ErrInvalidLengthBase
			}
			postIndex := iNdEx + intStringLen
			if postIndex < 0 {
				return ErrInvalidLengthBase
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			m.Sha256 = string(dAtA[iNdEx:postIndex])
			iNdEx = postIndex
		default:
			iNdEx = preIndex
			skippy, err := skipBase(dAtA[iNdEx:])
			if err != nil {
				return err
			}
			if skippy < 0 {
				return ErrInvalidLengthBase
			}
			if (iNdEx + skippy) < 0 {
				return ErrInvalidLengthBase
			}
			if (iNdEx + skippy) > l {
				return io.ErrUnexpectedEOF
			}
			m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...)
			iNdEx += skippy
		}
	}

	if iNdEx > l {
		return io.ErrUnexpectedEOF
	}
	return nil
}
func (m *AsyncDataSource) Unmarshal(dAtA []byte) error {
	l := len(dAtA)
	iNdEx := 0
	for iNdEx < l {
		preIndex := iNdEx
		var wire uint64
		for shift := uint(0); ; shift += 7 {
			if shift >= 64 {
				return ErrIntOverflowBase
			}
			if iNdEx >= l {
				return io.ErrUnexpectedEOF
			}
			b := dAtA[iNdEx]
			iNdEx++
			wire |= uint64(b&0x7F) << shift
			if b < 0x80 {
				break
			}
		}
		fieldNum := int32(wire >> 3)
		wireType := int(wire & 0x7)
		if wireType == 4 {
			return fmt.Errorf("proto: AsyncDataSource: wiretype end group for non-group")
		}
		if fieldNum <= 0 {
			return fmt.Errorf("proto: AsyncDataSource: illegal tag %d (wire type %d)", fieldNum, wire)
		}
		switch fieldNum {
		case 1:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field Local", wireType)
			}
			var msglen int
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowBase
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				msglen |= int(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			if msglen < 0 {
				return ErrInvalidLengthBase
			}
			postIndex := iNdEx + msglen
			if postIndex < 0 {
				return ErrInvalidLengthBase
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			v := &DataSource{}
			if err := v.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
				return err
			}
			m.Specifier = &AsyncDataSource_Local{v}
			iNdEx = postIndex
		case 2:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field Remote", wireType)
			}
			var msglen int
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowBase
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				msglen |= int(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			if msglen < 0 {
				return ErrInvalidLengthBase
			}
			postIndex := iNdEx + msglen
			if postIndex < 0 {
				return ErrInvalidLengthBase
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			v := &RemoteDataSource{}
			if err := v.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
				return err
			}
			m.Specifier = &AsyncDataSource_Remote{v}
			iNdEx = postIndex
		default:
			iNdEx = preIndex
			skippy, err := skipBase(dAtA[iNdEx:])
			if err != nil {
				return err
			}
			if skippy < 0 {
				return ErrInvalidLengthBase
			}
			if (iNdEx + skippy) < 0 {
				return ErrInvalidLengthBase
			}
			if (iNdEx + skippy) > l {
				return io.ErrUnexpectedEOF
			}
			m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...)
			iNdEx += skippy
		}
	}

	if iNdEx > l {
		return io.ErrUnexpectedEOF
	}
	return nil
}
func (m *TransportSocket) Unmarshal(dAtA []byte) error {
	l := len(dAtA)
	iNdEx := 0
	for iNdEx < l {
		preIndex := iNdEx
		var wire uint64
		for shift := uint(0); ; shift += 7 {
			if shift >= 64 {
				return ErrIntOverflowBase
			}
			if iNdEx >= l {
				return io.ErrUnexpectedEOF
			}
			b := dAtA[iNdEx]
			iNdEx++
			wire |= uint64(b&0x7F) << shift
			if b < 0x80 {
				break
			}
		}
		fieldNum := int32(wire >> 3)
		wireType := int(wire & 0x7)
		if wireType == 4 {
			return fmt.Errorf("proto: TransportSocket: wiretype end group for non-group")
		}
		if fieldNum <= 0 {
			return fmt.Errorf("proto: TransportSocket: illegal tag %d (wire type %d)", fieldNum, wire)
		}
		switch fieldNum {
		case 1:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field Name", wireType)
			}
			var stringLen uint64
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowBase
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				stringLen |= uint64(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			intStringLen := int(stringLen)
			if intStringLen < 0 {
				return ErrInvalidLengthBase
			}
			postIndex := iNdEx + intStringLen
			if postIndex < 0 {
				return ErrInvalidLengthBase
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			m.Name = string(dAtA[iNdEx:postIndex])
			iNdEx = postIndex
		case 2:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field Config", wireType)
			}
			var msglen int
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowBase
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				msglen |= int(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			if msglen < 0 {
				return ErrInvalidLengthBase
			}
			postIndex := iNdEx + msglen
			if postIndex < 0 {
				return ErrInvalidLengthBase
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			v := &types.Struct{}
			if err := v.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
				return err
			}
			m.ConfigType = &TransportSocket_Config{v}
			iNdEx = postIndex
		case 3:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field TypedConfig", wireType)
			}
			var msglen int
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowBase
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				msglen |= int(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			if msglen < 0 {
				return ErrInvalidLengthBase
			}
			postIndex := iNdEx + msglen
			if postIndex < 0 {
				return ErrInvalidLengthBase
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			v := &types.Any{}
			if err := v.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
				return err
			}
			m.ConfigType = &TransportSocket_TypedConfig{v}
			iNdEx = postIndex
		default:
			iNdEx = preIndex
			skippy, err := skipBase(dAtA[iNdEx:])
			if err != nil {
				return err
			}
			if skippy < 0 {
				return ErrInvalidLengthBase
			}
			if (iNdEx + skippy) < 0 {
				return ErrInvalidLengthBase
			}
			if (iNdEx + skippy) > l {
				return io.ErrUnexpectedEOF
			}
			m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...)
			iNdEx += skippy
		}
	}

	if iNdEx > l {
		return io.ErrUnexpectedEOF
	}
	return nil
}
func (m *SocketOption) Unmarshal(dAtA []byte) error {
	l := len(dAtA)
	iNdEx := 0
	for iNdEx < l {
		preIndex := iNdEx
		var wire uint64
		for shift := uint(0); ; shift += 7 {
			if shift >= 64 {
				return ErrIntOverflowBase
			}
			if iNdEx >= l {
				return io.ErrUnexpectedEOF
			}
			b := dAtA[iNdEx]
			iNdEx++
			wire |= uint64(b&0x7F) << shift
			if b < 0x80 {
				break
			}
		}
		fieldNum := int32(wire >> 3)
		wireType := int(wire & 0x7)
		if wireType == 4 {
			return fmt.Errorf("proto: SocketOption: wiretype end group for non-group")
		}
		if fieldNum <= 0 {
			return fmt.Errorf("proto: SocketOption: illegal tag %d (wire type %d)", fieldNum, wire)
		}
		switch fieldNum {
		case 1:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field Description", wireType)
			}
			var stringLen uint64
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowBase
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				stringLen |= uint64(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			intStringLen := int(stringLen)
			if intStringLen < 0 {
				return ErrInvalidLengthBase
			}
			postIndex := iNdEx + intStringLen
			if postIndex < 0 {
				return ErrInvalidLengthBase
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			m.Description = string(dAtA[iNdEx:postIndex])
			iNdEx = postIndex
		case 2:
			if wireType != 0 {
				return fmt.Errorf("proto: wrong wireType = %d for field Level", wireType)
			}
			m.Level = 0
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowBase
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				m.Level |= int64(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
		case 3:
			if wireType != 0 {
				return fmt.Errorf("proto: wrong wireType = %d for field Name", wireType)
			}
			m.Name = 0
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowBase
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				m.Name |= int64(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
		case 4:
			if wireType != 0 {
				return fmt.Errorf("proto: wrong wireType = %d for field IntValue", wireType)
			}
			var v int64
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowBase
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				v |= int64(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			m.Value = &SocketOption_IntValue{v}
		case 5:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field BufValue", wireType)
			}
			var byteLen int
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowBase
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				byteLen |= int(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			if byteLen < 0 {
				return ErrInvalidLengthBase
			}
			postIndex := iNdEx + byteLen
			if postIndex < 0 {
				return ErrInvalidLengthBase
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			v := make([]byte, postIndex-iNdEx)
			copy(v, dAtA[iNdEx:postIndex])
			m.Value = &SocketOption_BufValue{v}
			iNdEx = postIndex
		case 6:
			if wireType != 0 {
				return fmt.Errorf("proto: wrong wireType = %d for field State", wireType)
			}
			m.State = 0
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowBase
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				m.State |= SocketOption_SocketState(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
		default:
			iNdEx = preIndex
			skippy, err := skipBase(dAtA[iNdEx:])
			if err != nil {
				return err
			}
			if skippy < 0 {
				return ErrInvalidLengthBase
			}
			if (iNdEx + skippy) < 0 {
				return ErrInvalidLengthBase
			}
			if (iNdEx + skippy) > l {
				return io.ErrUnexpectedEOF
			}
			m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...)
			iNdEx += skippy
		}
	}

	if iNdEx > l {
		return io.ErrUnexpectedEOF
	}
	return nil
}
func (m *RuntimeFractionalPercent) Unmarshal(dAtA []byte) error {
	l := len(dAtA)
	iNdEx := 0
	for iNdEx < l {
		preIndex := iNdEx
		var wire uint64
		for shift := uint(0); ; shift += 7 {
			if shift >= 64 {
				return ErrIntOverflowBase
			}
			if iNdEx >= l {
				return io.ErrUnexpectedEOF
			}
			b := dAtA[iNdEx]
			iNdEx++
			wire |= uint64(b&0x7F) << shift
			if b < 0x80 {
				break
			}
		}
		fieldNum := int32(wire >> 3)
		wireType := int(wire & 0x7)
		if wireType == 4 {
			return fmt.Errorf("proto: RuntimeFractionalPercent: wiretype end group for non-group")
		}
		if fieldNum <= 0 {
			return fmt.Errorf("proto: RuntimeFractionalPercent: illegal tag %d (wire type %d)", fieldNum, wire)
		}
		switch fieldNum {
		case 1:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field DefaultValue", wireType)
			}
			var msglen int
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowBase
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				msglen |= int(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			if msglen < 0 {
				return ErrInvalidLengthBase
			}
			postIndex := iNdEx + msglen
			if postIndex < 0 {
				return ErrInvalidLengthBase
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			if m.DefaultValue == nil {
				m.DefaultValue = &_type.FractionalPercent{}
			}
			if err := m.DefaultValue.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
				return err
			}
			iNdEx = postIndex
		case 2:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field RuntimeKey", wireType)
			}
			var stringLen uint64
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowBase
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				stringLen |= uint64(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			intStringLen := int(stringLen)
			if intStringLen < 0 {
				return ErrInvalidLengthBase
			}
			postIndex := iNdEx + intStringLen
			if postIndex < 0 {
				return ErrInvalidLengthBase
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			m.RuntimeKey = string(dAtA[iNdEx:postIndex])
			iNdEx = postIndex
		default:
			iNdEx = preIndex
			skippy, err := skipBase(dAtA[iNdEx:])
			if err != nil {
				return err
			}
			if skippy < 0 {
				return ErrInvalidLengthBase
			}
			if (iNdEx + skippy) < 0 {
				return ErrInvalidLengthBase
			}
			if (iNdEx + skippy) > l {
				return io.ErrUnexpectedEOF
			}
			m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...)
			iNdEx += skippy
		}
	}

	if iNdEx > l {
		return io.ErrUnexpectedEOF
	}
	return nil
}
func (m *ControlPlane) Unmarshal(dAtA []byte) error {
	l := len(dAtA)
	iNdEx := 0
	for iNdEx < l {
		preIndex := iNdEx
		var wire uint64
		for shift := uint(0); ; shift += 7 {
			if shift >= 64 {
				return ErrIntOverflowBase
			}
			if iNdEx >= l {
				return io.ErrUnexpectedEOF
			}
			b := dAtA[iNdEx]
			iNdEx++
			wire |= uint64(b&0x7F) << shift
			if b < 0x80 {
				break
			}
		}
		fieldNum := int32(wire >> 3)
		wireType := int(wire & 0x7)
		if wireType == 4 {
			return fmt.Errorf("proto: ControlPlane: wiretype end group for non-group")
		}
		if fieldNum <= 0 {
			return fmt.Errorf("proto: ControlPlane: illegal tag %d (wire type %d)", fieldNum, wire)
		}
		switch fieldNum {
		case 1:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field Identifier", wireType)
			}
			var stringLen uint64
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowBase
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				stringLen |= uint64(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			intStringLen := int(stringLen)
			if intStringLen < 0 {
				return ErrInvalidLengthBase
			}
			postIndex := iNdEx + intStringLen
			if postIndex < 0 {
				return ErrInvalidLengthBase
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			m.Identifier = string(dAtA[iNdEx:postIndex])
			iNdEx = postIndex
		default:
			iNdEx = preIndex
			skippy, err := skipBase(dAtA[iNdEx:])
			if err != nil {
				return err
			}
			if skippy < 0 {
				return ErrInvalidLengthBase
			}
			if (iNdEx + skippy) < 0 {
				return ErrInvalidLengthBase
			}
			if (iNdEx + skippy) > l {
				return io.ErrUnexpectedEOF
			}
			m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...)
			iNdEx += skippy
		}
	}

	if iNdEx > l {
		return io.ErrUnexpectedEOF
	}
	return nil
}
func skipBase(dAtA []byte) (n int, err error) {
	l := len(dAtA)
	iNdEx := 0
	for iNdEx < l {
		var wire uint64
		for shift := uint(0); ; shift += 7 {
			if shift >= 64 {
				return 0, ErrIntOverflowBase
			}
			if iNdEx >= l {
				return 0, io.ErrUnexpectedEOF
			}
			b := dAtA[iNdEx]
			iNdEx++
			wire |= (uint64(b) & 0x7F) << shift
			if b < 0x80 {
				break
			}
		}
		wireType := int(wire & 0x7)
		switch wireType {
		case 0:
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return 0, ErrIntOverflowBase
				}
				if iNdEx >= l {
					return 0, io.ErrUnexpectedEOF
				}
				iNdEx++
				if dAtA[iNdEx-1] < 0x80 {
					break
				}
			}
			return iNdEx, nil
		case 1:
			iNdEx += 8
			return iNdEx, nil
		case 2:
			var length int
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return 0, ErrIntOverflowBase
				}
				if iNdEx >= l {
					return 0, io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				length |= (int(b) & 0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			if length < 0 {
				return 0, ErrInvalidLengthBase
			}
			iNdEx += length
			if iNdEx < 0 {
				return 0, ErrInvalidLengthBase
			}
			return iNdEx, nil
		case 3:
			for {
				var innerWire uint64
				var start int = iNdEx
				for shift := uint(0); ; shift += 7 {
					if shift >= 64 {
						return 0, ErrIntOverflowBase
					}
					if iNdEx >= l {
						return 0, io.ErrUnexpectedEOF
					}
					b := dAtA[iNdEx]
					iNdEx++
					innerWire |= (uint64(b) & 0x7F) << shift
					if b < 0x80 {
						break
					}
				}
				innerWireType := int(innerWire & 0x7)
				if innerWireType == 4 {
					break
				}
				next, err := skipBase(dAtA[start:])
				if err != nil {
					return 0, err
				}
				iNdEx = start + next
				if iNdEx < 0 {
					return 0, ErrInvalidLengthBase
				}
			}
			return iNdEx, nil
		case 4:
			return iNdEx, nil
		case 5:
			iNdEx += 4
			return iNdEx, nil
		default:
			return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
		}
	}
	panic("unreachable")
}

var (
	ErrInvalidLengthBase = fmt.Errorf("proto: negative length found during unmarshaling")
	ErrIntOverflowBase   = fmt.Errorf("proto: integer overflow")
)


================================================
FILE: third_party/generated/envoyproxy/data-plane-api/envoy/api/v2/core/http_uri.pb.go
================================================
// Code generated by protoc-gen-gogo. DO NOT EDIT.
// source: envoy/api/v2/core/http_uri.proto

package core

import (
	bytes "bytes"
	fmt "fmt"
	_ "github.com/envoyproxy/protoc-gen-validate/validate"
	_ "github.com/gogo/protobuf/gogoproto"
	proto "github.com/gogo/protobuf/proto"
	_ "github.com/gogo/protobuf/types"
	github_com_gogo_protobuf_types "github.com/gogo/protobuf/types"
	io "io"
	math "math"
	math_bits "math/bits"
	time "time"
)

// Reference imports to suppress errors if they are not otherwise used.
var _ = proto.Marshal
var _ = fmt.Errorf
var _ = math.Inf
var _ = time.Kitchen

// This is a compile-time assertion to ensure that this generated file
// is compatible with the proto package it is being compiled against.
// A compilation error at this line likely means your copy of the
// proto package needs to be updated.
const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package

// Envoy external URI descriptor
type HttpUri struct {
	// The HTTP server URI. It should be a full FQDN with protocol, host and path.
	//
	// Example:
	//
	// .. code-block:: yaml
	//
	//    uri: https://www.googleapis.com/oauth2/v1/certs
	//
	Uri string `protobuf:"bytes,1,opt,name=uri,proto3" json:"uri,omitempty"`
	// Specify how `uri` is to be fetched. Today, this requires an explicit
	// cluster, but in the future we may support dynamic cluster creation or
	// inline DNS resolution. See `issue
	// <https://github.com/envoyproxy/envoy/issues/1606>`_.
	//
	// Types that are valid to be assigned to HttpUpstreamType:
	//	*HttpUri_Cluster
	HttpUpstreamType isHttpUri_HttpUpstreamType `protobuf_oneof:"http_upstream_type"`
	// Sets the maximum duration in milliseconds that a response can take to arrive upon request.
	Timeout              *time.Duration `protobuf:"bytes,3,opt,name=timeout,proto3,stdduration" json:"timeout,omitempty"`
	XXX_NoUnkeyedLiteral struct{}       `json:"-"`
	XXX_unrecognized     []byte         `json:"-"`
	XXX_sizecache        int32          `json:"-"`
}

func (m *HttpUri) Reset()         { *m = HttpUri{} }
func (m *HttpUri) String() string { return proto.CompactTextString(m) }
func (*HttpUri) ProtoMessage()    {}
func (*HttpUri) Descriptor() ([]byte, []int) {
	return fileDescriptor_1660b946db74c078, []int{0}
}
func (m *HttpUri) XXX_Unmarshal(b []byte) error {
	return m.Unmarshal(b)
}
func (m *HttpUri) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
	if deterministic {
		return xxx_messageInfo_HttpUri.Marshal(b, m, deterministic)
	} else {
		b = b[:cap(b)]
		n, err := m.MarshalTo(b)
		if err != nil {
			return nil, err
		}
		return b[:n], nil
	}
}
func (m *HttpUri) XXX_Merge(src proto.Message) {
	xxx_messageInfo_HttpUri.Merge(m, src)
}
func (m *HttpUri) XXX_Size() int {
	return m.Size()
}
func (m *HttpUri) XXX_DiscardUnknown() {
	xxx_messageInfo_HttpUri.DiscardUnknown(m)
}

var xxx_messageInfo_HttpUri proto.InternalMessageInfo

type isHttpUri_HttpUpstreamType interface {
	isHttpUri_HttpUpstreamType()
	Equal(interface{}) bool
	MarshalTo([]byte) (int, error)
	Size() int
}

type HttpUri_Cluster struct {
	Cluster string `protobuf:"bytes,2,opt,name=cluster,proto3,oneof"`
}

func (*HttpUri_Cluster) isHttpUri_HttpUpstreamType() {}

func (m *HttpUri) GetHttpUpstreamType() isHttpUri_HttpUpstreamType {
	if m != nil {
		return m.HttpUpstreamType
	}
	return nil
}

func (m *HttpUri) GetUri() string {
	if m != nil {
		return m.Uri
	}
	return ""
}

func (m *HttpUri) GetCluster() string {
	if x, ok := m.GetHttpUpstreamType().(*HttpUri_Cluster); ok {
		return x.Cluster
	}
	return ""
}

func (m *HttpUri) GetTimeout() *time.Duration {
	if m != nil {
		return m.Timeout
	}
	return nil
}

// XXX_OneofFuncs is for the internal use of the proto package.
func (*HttpUri) XXX_OneofFuncs() (func(msg proto.Message, b *proto.Buffer) error, func(msg proto.Message, tag, wire int, b *proto.Buffer) (bool, error), func(msg proto.Message) (n int), []interface{}) {
	return _HttpUri_OneofMarshaler, _HttpUri_OneofUnmarshaler, _HttpUri_OneofSizer, []interface{}{
		(*HttpUri_Cluster)(nil),
	}
}

func _HttpUri_OneofMarshaler(msg proto.Message, b *proto.Buffer) error {
	m := msg.(*HttpUri)
	// http_upstream_type
	switch x := m.HttpUpstreamType.(type) {
	case *HttpUri_Cluster:
		_ = b.EncodeVarint(2<<3 | proto.WireBytes)
		_ = b.EncodeStringBytes(x.Cluster)
	case nil:
	default:
		return fmt.Errorf("HttpUri.HttpUpstreamType has unexpected type %T", x)
	}
	return nil
}

func _HttpUri_OneofUnmarshaler(msg proto.Message, tag, wire int, b *proto.Buffer) (bool, error) {
	m := msg.(*HttpUri)
	switch tag {
	case 2: // http_upstream_type.cluster
		if wire != proto.WireBytes {
			return true, proto.ErrInternalBadWireType
		}
		x, err := b.DecodeStringBytes()
		m.HttpUpstreamType = &HttpUri_Cluster{x}
		return true, err
	default:
		return false, nil
	}
}

func _HttpUri_OneofSizer(msg proto.Message) (n int) {
	m := msg.(*HttpUri)
	// http_upstream_type
	switch x := m.HttpUpstreamType.(type) {
	case *HttpUri_Cluster:
		n += 1 // tag and wire
		n += proto.SizeVarint(uint64(len(x.Cluster)))
		n += len(x.Cluster)
	case nil:
	default:
		panic(fmt.Sprintf("proto: unexpected type %T in oneof", x))
	}
	return n
}

func init() {
	proto.RegisterType((*HttpUri)(nil), "envoy.api.v2.core.HttpUri")
}

func init() { proto.RegisterFile("envoy/api/v2/core/http_uri.proto", fileDescriptor_1660b946db74c078) }

var fileDescriptor_1660b946db74c078 = []byte{
	// 298 bytes of a gzipped FileDescriptorProto
	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x64, 0x90, 0xc1, 0x4e, 0x32, 0x31,
	0x14, 0x85, 0xb9, 0xf0, 0xff, 0x8e, 0x56, 0x37, 0x36, 0x24, 0x02, 0x8b, 0x61, 0xa2, 0x1b, 0x56,
	0x6d, 0x32, 0x3e, 0x81, 0x8d, 0x0b, 0xdc, 0x11, 0x12, 0xd7, 0xa4, 0x40, 0x1d, 0x9b, 0x00, 0xb7,
	0x29, 0xb7, 0x13, 0x79, 0x13, 0x1f, 0xc1, 0xb8, 0xf1, 0x35, 0x5c, 0xfa, 0x06, 0x9a, 0x79, 0x0a,
	0xc3, 0xca, 0xcc, 0x0c, 0xb3, 0x30, 0xae, 0x7a, 0x72, 0xcf, 0x39, 0xc9, 0xd7, 0xc3, 0x12, 0xb3,
	0xc9, 0x71, 0x27, 0xb5, 0xb3, 0x32, 0x4f, 0xe5, 0x02, 0xbd, 0x91, 0x8f, 0x44, 0x6e, 0x16, 0xbc,
	0x15, 0xce, 0x23, 0x21, 0x3f, 0xaf, 0x12, 0x42, 0x3b, 0x2b, 0xf2, 0x54, 0x94, 0x89, 0x41, 0x9c,
	0x21, 0x66, 0x2b, 0x23, 0xab, 0xc0, 0x3c, 0x3c, 0xc8, 0x65, 0xf0, 0x9a, 0x2c, 0x6e, 0xea, 0xca,
	0xa0, 0x9b, 0x61, 0x86, 0x95, 0x94, 0xa5, 0x3a, 0x5c, 0x2f, 0x72, 0xbd, 0xb2, 0x4b, 0x4d, 0x46,
	0x36, 0xa2, 0x36, 0x2e, 0xdf, 0x80, 0x45, 0x63, 0x22, 0x77, 0xef, 0x2d, 0xef, 0xb3, 0x4e, 0xf0,
	0xb6, 0x07, 0x09, 0x8c, 0x4e, 0x54, 0xb4, 0x57, 0xff, 0x7c, 0x3b, 0x81, 0x69, 0x79, 0xe3, 0x57,
	0x2c, 0x5a, 0xac, 0xc2, 0x96, 0x8c, 0xef, 0xb5, 0x7f, 0xd9, 0xe3, 0xd6, 0xb4, 0x71, 0xf8, 0x1d,
	0x8b, 0xc8, 0xae, 0x0d, 0x06, 0xea, 0x75, 0x12, 0x18, 0x9d, 0xa6, 0x7d, 0x51, 0xc3, 0x8a, 0x06,
	0x56, 0xdc, 0x1e, 0x60, 0x55, 0x77, 0xaf, 0xfe, 0xbf, 0x42, 0x3b, 0x6d, 0xd5, 0xef, 0x31, 0x3c,
	0x7f, 0x0e, 0x61, 0xda, 0xf4, 0x55, 0x9f, 0xf1, 0x7a, 0x0a, 0xb7, 0x25, 0x6f, 0xf4, 0x7a, 0x46,
	0x3b, 0x67, 0x78, 0xe7, 0x5b, 0x81, 0xba, 0x79, 0x29, 0x62, 0x78, 0x2f, 0x62, 0xf8, 0x28, 0x62,
	0xf8, 0x2a, 0x62, 0x60, 0x43, 0x8b, 0xa2, 0x1a, 0xca, 0x79, 0x7c, 0xda, 0x89, 0x3f, 0x9b, 0xa9,
	0xb3, 0xc3, 0x0f, 0x27, 0x25, 0xc6, 0x04, 0xe6, 0x47, 0x15, 0xcf, 0xf5, 0x4f, 0x00, 0x00, 0x00,
	0xff, 0xff, 0xa1, 0xbd, 0x86, 0xa3, 0x81, 0x01, 0x00, 0x00,
}

func (this *HttpUri) Equal(that interface{}) bool {
	if that == nil {
		return this == nil
	}

	that1, ok := that.(*HttpUri)
	if !ok {
		that2, ok := that.(HttpUri)
		if ok {
			that1 = &that2
		} else {
			return false
		}
	}
	if that1 == nil {
		return this == nil
	} else if this == nil {
		return false
	}
	if this.Uri != that1.Uri {
		return false
	}
	if that1.HttpUpstreamType == nil {
		if this.HttpUpstreamType != nil {
			return false
		}
	} else if this.HttpUpstreamType == nil {
		return false
	} else if !this.HttpUpstreamType.Equal(that1.HttpUpstreamType) {
		return false
	}
	if this.Timeout != nil && that1.Timeout != nil {
		if *this.Timeout != *that1.Timeout {
			return false
		}
	} else if this.Timeout != nil {
		return false
	} else if that1.Timeout != nil {
		return false
	}
	if !bytes.Equal(this.XXX_unrecognized, that1.XXX_unrecognized) {
		return false
	}
	return true
}
func (this *HttpUri_Cluster) Equal(that interface{}) bool {
	if that == nil {
		return this == nil
	}

	that1, ok := that.(*HttpUri_Cluster)
	if !ok {
		that2, ok := that.(HttpUri_Cluster)
		if ok {
			that1 = &that2
		} else {
			return false
		}
	}
	if that1 == nil {
		return this == nil
	} else if this == nil {
		return false
	}
	if this.Cluster != that1.Cluster {
		return false
	}
	return true
}
func (m *HttpUri) Marshal() (dAtA []byte, err error) {
	size := m.Size()
	dAtA = make([]byte, size)
	n, err := m.MarshalTo(dAtA)
	if err != nil {
		return nil, err
	}
	return dAtA[:n], nil
}

func (m *HttpUri) MarshalTo(dAtA []byte) (int, error) {
	var i int
	_ = i
	var l int
	_ = l
	if len(m.Uri) > 0 {
		dAtA[i] = 0xa
		i++
		i = encodeVarintHttpUri(dAtA, i, uint64(len(m.Uri)))
		i += copy(dAtA[i:], m.Uri)
	}
	if m.HttpUpstreamType != nil {
		nn1, err1 := m.HttpUpstreamType.MarshalTo(dAtA[i:])
		if err1 != nil {
			return 0, err1
		}
		i += nn1
	}
	if m.Timeout != nil {
		dAtA[i] = 0x1a
		i++
		i = encodeVarintHttpUri(dAtA, i, uint64(github_com_gogo_protobuf_types.SizeOfStdDuration(*m.Timeout)))
		n2, err2 := github_com_gogo_protobuf_types.StdDurationMarshalTo(*m.Timeout, dAtA[i:])
		if err2 != nil {
			return 0, err2
		}
		i += n2
	}
	if m.XXX_unrecognized != nil {
		i += copy(dAtA[i:], m.XXX_unrecognized)
	}
	return i, nil
}

func (m *HttpUri_Cluster) MarshalTo(dAtA []byte) (int, error) {
	i := 0
	dAtA[i] = 0x12
	i++
	i = encodeVarintHttpUri(dAtA, i, uint64(len(m.Cluster)))
	i += copy(dAtA[i:], m.Cluster)
	return i, nil
}
func encodeVarintHttpUri(dAtA []byte, offset int, v uint64) int {
	for v >= 1<<7 {
		dAtA[offset] = uint8(v&0x7f | 0x80)
		v >>= 7
		offset++
	}
	dAtA[offset] = uint8(v)
	return offset + 1
}
func (m *HttpUri) Size() (n int) {
	if m == nil {
		return 0
	}
	var l int
	_ = l
	l = len(m.Uri)
	if l > 0 {
		n += 1 + l + sovHttpUri(uint64(l))
	}
	if m.HttpUpstreamType != nil {
		n += m.HttpUpstreamType.Size()
	}
	if m.Timeout != nil {
		l = github_com_gogo_protobuf_types.SizeOfStdDuration(*m.Timeout)
		n += 1 + l + sovHttpUri(uint64(l))
	}
	if m.XXX_unrecognized != nil {
		n += len(m.XXX_unrecognized)
	}
	return n
}

func (m *HttpUri_Cluster) Size() (n int) {
	if m == nil {
		return 0
	}
	var l int
	_ = l
	l = len(m.Cluster)
	n += 1 + l + sovHttpUri(uint64(l))
	return n
}

func sovHttpUri(x uint64) (n int) {
	return (math_bits.Len64(x|1) + 6) / 7
}
func sozHttpUri(x uint64) (n int) {
	return sovHttpUri(uint64((x << 1) ^ uint64((int64(x) >> 63))))
}
func (m *HttpUri) Unmarshal(dAtA []byte) error {
	l := len(dAtA)
	iNdEx := 0
	for iNdEx < l {
		preIndex := iNdEx
		var wire uint64
		for shift := uint(0); ; shift += 7 {
			if shift >= 64 {
				return ErrIntOverflowHttpUri
			}
			if iNdEx >= l {
				return io.ErrUnexpectedEOF
			}
			b := dAtA[iNdEx]
			iNdEx++
			wire |= uint64(b&0x7F) << shift
			if b < 0x80 {
				break
			}
		}
		fieldNum := int32(wire >> 3)
		wireType := int(wire & 0x7)
		if wireType == 4 {
			return fmt.Errorf("proto: HttpUri: wiretype end group for non-group")
		}
		if fieldNum <= 0 {
			return fmt.Errorf("proto: HttpUri: illegal tag %d (wire type %d)", fieldNum, wire)
		}
		switch fieldNum {
		case 1:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field Uri", wireType)
			}
			var stringLen uint64
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowHttpUri
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				stringLen |= uint64(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			intStringLen := int(stringLen)
			if intStringLen < 0 {
				return ErrInvalidLengthHttpUri
			}
			postIndex := iNdEx + intStringLen
			if postIndex < 0 {
				return ErrInvalidLengthHttpUri
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			m.Uri = string(dAtA[iNdEx:postIndex])
			iNdEx = postIndex
		case 2:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field Cluster", wireType)
			}
			var stringLen uint64
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowHttpUri
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				stringLen |= uint64(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			intStringLen := int(stringLen)
			if intStringLen < 0 {
				return ErrInvalidLengthHttpUri
			}
			postIndex := iNdEx + intStringLen
			if postIndex < 0 {
				return ErrInvalidLengthHttpUri
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			m.HttpUpstreamType = &HttpUri_Cluster{string(dAtA[iNdEx:postIndex])}
			iNdEx = postIndex
		case 3:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field Timeout", wireType)
			}
			var msglen int
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowHttpUri
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				msglen |= int(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			if msglen < 0 {
				return ErrInvalidLengthHttpUri
			}
			postIndex := iNdEx + msglen
			if postIndex < 0 {
				return ErrInvalidLengthHttpUri
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			if m.Timeout == nil {
				m.Timeout = new(time.Duration)
			}
			if err := github_com_gogo_protobuf_types.StdDurationUnmarshal(m.Timeout, dAtA[iNdEx:postIndex]); err != nil {
				return err
			}
			iNdEx = postIndex
		default:
			iNdEx = preIndex
			skippy, err := skipHttpUri(dAtA[iNdEx:])
			if err != nil {
				return err
			}
			if skippy < 0 {
				return ErrInvalidLengthHttpUri
			}
			if (iNdEx + skippy) < 0 {
				return ErrInvalidLengthHttpUri
			}
			if (iNdEx + skippy) > l {
				return io.ErrUnexpectedEOF
			}
			m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...)
			iNdEx += skippy
		}
	}

	if iNdEx > l {
		return io.ErrUnexpectedEOF
	}
	return nil
}
func skipHttpUri(dAtA []byte) (n int, err error) {
	l := len(dAtA)
	iNdEx := 0
	for iNdEx < l {
		var wire uint64
		for shift := uint(0); ; shift += 7 {
			if shift >= 64 {
				return 0, ErrIntOverflowHttpUri
			}
			if iNdEx >= l {
				return 0, io.ErrUnexpectedEOF
			}
			b := dAtA[iNdEx]
			iNdEx++
			wire |= (uint64(b) & 0x7F) << shift
			if b < 0x80 {
				break
			}
		}
		wireType := int(wire & 0x7)
		switch wireType {
		case 0:
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return 0, ErrIntOverflowHttpUri
				}
				if iNdEx >= l {
					return 0, io.ErrUnexpectedEOF
				}
				iNdEx++
				if dAtA[iNdEx-1] < 0x80 {
					break
				}
			}
			return iNdEx, nil
		case 1:
			iNdEx += 8
			return iNdEx, nil
		case 2:
			var length int
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return 0, ErrIntOverflowHttpUri
				}
				if iNdEx >= l {
					return 0, io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				length |= (int(b) & 0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			if length < 0 {
				return 0, ErrInvalidLengthHttpUri
			}
			iNdEx += length
			if iNdEx < 0 {
				return 0, ErrInvalidLengthHttpUri
			}
			return iNdEx, nil
		case 3:
			for {
				var innerWire uint64
				var start int = iNdEx
				for shift := uint(0); ; shift += 7 {
					if shift >= 64 {
						return 0, ErrIntOverflowHttpUri
					}
					if iNdEx >= l {
						return 0, io.ErrUnexpectedEOF
					}
					b := dAtA[iNdEx]
					iNdEx++
					innerWire |= (uint64(b) & 0x7F) << shift
					if b < 0x80 {
						break
					}
				}
				innerWireType := int(innerWire & 0x7)
				if innerWireType == 4 {
					break
				}
				next, err := skipHttpUri(dAtA[start:])
				if err != nil {
					return 0, err
				}
				iNdEx = start + next
				if iNdEx < 0 {
					return 0, ErrInvalidLengthHttpUri
				}
			}
			return iNdEx, nil
		case 4:
			return iNdEx, nil
		case 5:
			iNdEx += 4
			return iNdEx, nil
		default:
			return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
		}
	}
	panic("unreachable")
}

var (
	ErrInvalidLengthHttpUri = fmt.Errorf("proto: negative length found during unmarshaling")
	ErrIntOverflowHttpUri   = fmt.Errorf("proto: integer overflow")
)


================================================
FILE: third_party/generated/envoyproxy/data-plane-api/envoy/api/v2/discovery.pb.go
================================================
// Code generated by protoc-gen-gogo. DO NOT EDIT.
// source: envoy/api/v2/discovery.proto

package v2

import (
	bytes "bytes"
	fmt "fmt"
	rpc "github.com/gogo/googleapis/google/rpc"
	_ "github.com/gogo/protobuf/gogoproto"
	proto "github.com/gogo/protobuf/proto"
	github_com_gogo_protobuf_sortkeys "github.com/gogo/protobuf/sortkeys"
	types "github.com/gogo/protobuf/types"
	core "go.aporeto.io/trireme-lib/third_party/generated/envoyproxy/data-plane-api/envoy/api/v2/core"
	io "io"
	math "math"
	math_bits "math/bits"
)

// Reference imports to suppress errors if they are not otherwise used.
var _ = proto.Marshal
var _ = fmt.Errorf
var _ = math.Inf

// This is a compile-time assertion to ensure that this generated file
// is compatible with the proto package it is being compiled against.
// A compilation error at this line likely means your copy of the
// proto package needs to be updated.
const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package

// A DiscoveryRequest requests a set of versioned resources of the same type for
// a given Envoy node on some API.
type DiscoveryRequest struct {
	// The version_info provided in the request messages will be the version_info
	// received with the most recent successfully processed response or empty on
	// the first request. It is expected that no new request is sent after a
	// response is received until the Envoy instance is ready to ACK/NACK the new
	// configuration. ACK/NACK takes place by returning the new API config version
	// as applied or the previous API config version respectively. Each type_url
	// (see below) has an independent version associated with it.
	VersionInfo string `protobuf:"bytes,1,opt,name=version_info,json=versionInfo,proto3" json:"version_info,omitempty"`
	// The node making the request.
	Node *core.Node `protobuf:"bytes,2,opt,name=node,proto3" json:"node,omitempty"`
	// List of resources to subscribe to, e.g. list of cluster names or a route
	// configuration name. If this is empty, all resources for the API are
	// returned. LDS/CDS may have empty resource_names, which will cause all
	// resources for the Envoy instance to be returned. The LDS and CDS responses
	// will then imply a number of resources that need to be fetched via EDS/RDS,
	// which will be explicitly enumerated in resource_names.
	ResourceNames []string `protobuf:"bytes,3,rep,name=resource_names,json=resourceNames,proto3" json:"resource_names,omitempty"`
	// Type of the resource that is being requested, e.g.
	// "type.googleapis.com/envoy.api.v2.ClusterLoadAssignment". This is implicit
	// in requests made via singleton xDS APIs such as CDS, LDS, etc. but is
	// required for ADS.
	TypeUrl string `protobuf:"bytes,4,opt,name=type_url,json=typeUrl,proto3" json:"type_url,omitempty"`
	// nonce corresponding to DiscoveryResponse being ACK/NACKed. See above
	// discussion on version_info and the DiscoveryResponse nonce comment. This
	// may be empty if no nonce is available, e.g. at startup or for non-stream
	// xDS implementations.
	ResponseNonce string `protobuf:"bytes,5,opt,name=response_nonce,json=responseNonce,proto3" json:"response_nonce,omitempty"`
	// This is populated when the previous :ref:`DiscoveryResponse <envoy_api_msg_DiscoveryResponse>`
	// failed to update configuration. The *message* field in *error_details* provides the Envoy
	// internal exception related to the failure. It is only intended for consumption during manual
	// debugging, the string provided is not guaranteed to be stable across Envoy versions.
	ErrorDetail          *rpc.Status `protobuf:"bytes,6,opt,name=error_detail,json=errorDetail,proto3" json:"error_detail,omitempty"`
	XXX_NoUnkeyedLiteral struct{}    `json:"-"`
	XXX_unrecognized     []byte      `json:"-"`
	XXX_sizecache        int32       `json:"-"`
}

func (m *DiscoveryRequest) Reset()         { *m = DiscoveryRequest{} }
func (m *DiscoveryRequest) String() string { return proto.CompactTextString(m) }
func (*DiscoveryRequest) ProtoMessage()    {}
func (*DiscoveryRequest) Descriptor() ([]byte, []int) {
	return fileDescriptor_2c7365e287e5c035, []int{0}
}
func (m *DiscoveryRequest) XXX_Unmarshal(b []byte) error {
	return m.Unmarshal(b)
}
func (m *DiscoveryRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
	b = b[:cap(b)]
	n, err := m.MarshalTo(b)
	if err != nil {
		return nil, err
	}
	return b[:n], nil
}
func (m *DiscoveryRequest) XXX_Merge(src proto.Message) {
	xxx_messageInfo_DiscoveryRequest.Merge(m, src)
}
func (m *DiscoveryRequest) XXX_Size() int {
	return m.Size()
}
func (m *DiscoveryRequest) XXX_DiscardUnknown() {
	xxx_messageInfo_DiscoveryRequest.DiscardUnknown(m)
}

var xxx_messageInfo_DiscoveryRequest proto.InternalMessageInfo

func (m *DiscoveryRequest) GetVersionInfo() string {
	if m != nil {
		return m.VersionInfo
	}
	return ""
}

func (m *DiscoveryRequest) GetNode() *core.Node {
	if m != nil {
		return m.Node
	}
	return nil
}

func (m *DiscoveryRequest) GetResourceNames() []string {
	if m != nil {
		return m.ResourceNames
	}
	return nil
}

func (m *DiscoveryRequest) GetTypeUrl() string {
	if m != nil {
		return m.TypeUrl
	}
	return ""
}

func (m *DiscoveryRequest) GetResponseNonce() string {
	if m != nil {
		return m.ResponseNonce
	}
	return ""
}

func (m *DiscoveryRequest) GetErrorDetail() *rpc.Status {
	if m != nil {
		return m.ErrorDetail
	}
	return nil
}

type DiscoveryResponse struct {
	// The version of the response data.
	VersionInfo string `protobuf:"bytes,1,opt,name=version_info,json=versionInfo,proto3" json:"version_info,omitempty"`
	// The response resources. These resources are typed and depend on the API being called.
	Resources []*types.Any `protobuf:"bytes,2,rep,name=resources,proto3" json:"resources,omitempty"`
	// [#not-implemented-hide:]
	// Canary is used to support two Envoy command line flags:
	//
	// * --terminate-on-canary-transition-failure. When set, Envoy is able to
	//   terminate if it detects that configuration is stuck at canary. Consider
	//   this example sequence of updates:
	//   - Management server applies a canary config successfully.
	//   - Management server rolls back to a production config.
	//   - Envoy rejects the new production config.
	//   Since there is no sensible way to continue receiving configuration
	//   updates, Envoy will then terminate and apply production config from a
	//   clean slate.
	// * --dry-run-canary. When set, a canary response will never be applied, only
	//   validated via a dry run.
	Canary bool `protobuf:"varint,3,opt,name=canary,proto3" json:"canary,omitempty"`
	// Type URL for resources. Identifies the xDS API when muxing over ADS.
	// Must be consistent with the type_url in the 'resources' repeated Any (if non-empty).
	TypeUrl string `protobuf:"bytes,4,opt,name=type_url,json=typeUrl,proto3" json:"type_url,omitempty"`
	// For gRPC based subscriptions, the nonce provides a way to explicitly ack a
	// specific DiscoveryResponse in a following DiscoveryRequest. Additional
	// messages may have been sent by Envoy to the management server for the
	// previous version on the stream prior to this DiscoveryResponse, that were
	// unprocessed at response send time. The nonce allows the management server
	// to ignore any further DiscoveryRequests for the previous version until a
	// DiscoveryRequest bearing the nonce. The nonce is optional and is not
	// required for non-stream based xDS implementations.
	Nonce string `protobuf:"bytes,5,opt,name=nonce,proto3" json:"nonce,omitempty"`
	// [#not-implemented-hide:]
	// The control plane instance that sent the response.
	ControlPlane         *core.ControlPlane `protobuf:"bytes,6,opt,name=control_plane,json=controlPlane,proto3" json:"control_plane,omitempty"`
	XXX_NoUnkeyedLiteral struct{}           `json:"-"`
	XXX_unrecognized     []byte             `json:"-"`
	XXX_sizecache        int32              `json:"-"`
}

func (m *DiscoveryResponse) Reset()         { *m = DiscoveryResponse{} }
func (m *DiscoveryResponse) String() string { return proto.CompactTextString(m) }
func (*DiscoveryResponse) ProtoMessage()    {}
func (*DiscoveryResponse) Descriptor() ([]byte, []int) {
	return fileDescriptor_2c7365e287e5c035, []int{1}
}
func (m *DiscoveryResponse) XXX_Unmarshal(b []byte) error {
	return m.Unmarshal(b)
}
func (m *DiscoveryResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
	b = b[:cap(b)]
	n, err := m.MarshalTo(b)
	if err != nil {
		return nil, err
	}
	return b[:n], nil
}
func (m *DiscoveryResponse) XXX_Merge(src proto.Message) {
	xxx_messageInfo_DiscoveryResponse.Merge(m, src)
}
func (m *DiscoveryResponse) XXX_Size() int {
	return m.Size()
}
func (m *DiscoveryResponse) XXX_DiscardUnknown() {
	xxx_messageInfo_DiscoveryResponse.DiscardUnknown(m)
}

var xxx_messageInfo_DiscoveryResponse proto.InternalMessageInfo

func (m *DiscoveryResponse) GetVersionInfo() string {
	if m != nil {
		return m.VersionInfo
	}
	return ""
}

func (m *DiscoveryResponse) GetResources() []*types.Any {
	if m != nil {
		return m.Resources
	}
	return nil
}

func (m *DiscoveryResponse) GetCanary() bool {
	if m != nil {
		return m.Canary
	}
	return false
}

func (m *DiscoveryResponse) GetTypeUrl() string {
	if m != nil {
		return m.TypeUrl
	}
	return ""
}

func (m *DiscoveryResponse) GetNonce() string {
	if m != nil {
		return m.Nonce
	}
	return ""
}

func (m *DiscoveryResponse) GetControlPlane() *core.ControlPlane {
	if m != nil {
		return m.ControlPlane
	}
	return nil
}

// DeltaDiscoveryRequest and DeltaDiscoveryResponse are used in a new gRPC
// endpoint for Delta xDS.
//
// With Delta xDS, the DeltaDiscoveryResponses do not need to include a full
// snapshot of the tracked resources. Instead, DeltaDiscoveryResponses are a
// diff to the state of a xDS client.
// In Delta XDS there are per-resource versions, which allow tracking state at
// the resource granularity.
// An xDS Delta session is always in the context of a gRPC bidirectional
// stream. This allows the xDS server to keep track of the state of xDS clients
// connected to it.
//
// In Delta xDS the nonce field is required and used to pair
// DeltaDiscoveryResponse to a DeltaDiscoveryRequest ACK or NACK.
// Optionally, a response message level system_version_info is present for
// debugging purposes only.
//
// DeltaDiscoveryRequest plays two independent roles. Any DeltaDiscoveryRequest
// can be either or both of: [1] informing the server of what resources the
// client has gained/lost interest in (using resource_names_subscribe and
// resource_names_unsubscribe), or [2] (N)ACKing an earlier resource update from
// the server (using response_nonce, with presence of error_detail making it a NACK).
// Additionally, the first message (for a given type_url) of a reconnected gRPC stream
// has a third role: informing the server of the resources (and their versions)
// that the client already possesses, using the initial_resource_versions field.
//
// As with state-of-the-world, when multiple resource types are multiplexed (ADS),
// all requests/acknowledgments/updates are logically walled off by type_url:
// a Cluster ACK exists in a completely separate world from a prior Route NACK.
// In particular, initial_resource_versions being sent at the "start" of every
// gRPC stream actually entails a message for each type_url, each with its own
// initial_resource_versions.
type DeltaDiscoveryRequest struct {
	// The node making the request.
	Node *core.Node `protobuf:"bytes,1,opt,name=node,proto3" json:"node,omitempty"`
	// Type of the resource that is being requested, e.g.
	// "type.googleapis.com/envoy.api.v2.ClusterLoadAssignment".
	TypeUrl string `protobuf:"bytes,2,opt,name=type_url,json=typeUrl,proto3" json:"type_url,omitempty"`
	// DeltaDiscoveryRequests allow the client to add or remove individual
	// resources to the set of tracked resources in the context of a stream.
	// All resource names in the resource_names_subscribe list are added to the
	// set of tracked resources and all resource names in the resource_names_unsubscribe
	// list are removed from the set of tracked resources.
	//
	// *Unlike* state-of-the-world xDS, an empty resource_names_subscribe or
	// resource_names_unsubscribe list simply means that no resources are to be
	// added or removed to the resource list.
	// *Like* state-of-the-world xDS, the server must send updates for all tracked
	// resources, but can also send updates for resources the client has not subscribed to.
	//
	// NOTE: the server must respond with all resources listed in resource_names_subscribe,
	// even if it believes the client has the most recent version of them. The reason:
	// the client may have dropped them, but then regained interest before it had a chance
	// to send the unsubscribe message. See DeltaSubscriptionStateTest.RemoveThenAdd.
	//
	// These two fields can be set in any DeltaDiscoveryRequest, including ACKs
	// and initial_resource_versions.
	//
	// A list of Resource names to add to the list of tracked resources.
	ResourceNamesSubscribe []string `protobuf:"bytes,3,rep,name=resource_names_subscribe,json=resourceNamesSubscribe,proto3" json:"resource_names_subscribe,omitempty"`
	// A list of Resource names to remove from the list of tracked resources.
	ResourceNamesUnsubscribe []string `protobuf:"bytes,4,rep,name=resource_names_unsubscribe,json=resourceNamesUnsubscribe,proto3" json:"resource_names_unsubscribe,omitempty"`
	// Informs the server of the versions of the resources the xDS client knows of, to enable the
	// client to continue the same logical xDS session even in the face of gRPC stream reconnection.
	// It will not be populated: [1] in the very first stream of a session, since the client will
	// not yet have any resources,  [2] in any message after the first in a stream (for a given
	// type_url), since the server will already be correctly tracking the client's state.
	// (In ADS, the first message *of each type_url* of a reconnected stream populates this map.)
	// The map's keys are names of xDS resources known to the xDS client.
	// The map's values are opaque resource versions.
	InitialResourceVersions map[string]string `protobuf:"bytes,5,rep,name=initial_resource_versions,json=initialResourceVersions,proto3" json:"initial_resource_versions,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
	// When the DeltaDiscoveryRequest is a ACK or NACK message in response
	// to a previous DeltaDiscoveryResponse, the response_nonce must be the
	// nonce in the DeltaDiscoveryResponse.
	// Otherwise response_nonce must be omitted.
	ResponseNonce string `protobuf:"bytes,6,opt,name=response_nonce,json=responseNonce,proto3" json:"response_nonce,omitempty"`
	// This is populated when the previous :ref:`DiscoveryResponse <envoy_api_msg_DiscoveryResponse>`
	// failed to update configuration. The *message* field in *error_details*
	// provides the Envoy internal exception related to the failure.
	ErrorDetail          *rpc.Status `protobuf:"bytes,7,opt,name=error_detail,json=errorDetail,proto3" json:"error_detail,omitempty"`
	XXX_NoUnkeyedLiteral struct{}    `json:"-"`
	XXX_unrecognized     []byte      `json:"-"`
	XXX_sizecache        int32       `json:"-"`
}

func (m *DeltaDiscoveryRequest) Reset()         { *m = DeltaDiscoveryRequest{} }
func (m *DeltaDiscoveryRequest) String() string { return proto.CompactTextString(m) }
func (*DeltaDiscoveryRequest) ProtoMessage()    {}
func (*DeltaDiscoveryRequest) Descriptor() ([]byte, []int) {
	return fileDescriptor_2c7365e287e5c035, []int{2}
}
func (m *DeltaDiscoveryRequest) XXX_Unmarshal(b []byte) error {
	return m.Unmarshal(b)
}
func (m *DeltaDiscoveryRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
	b = b[:cap(b)]
	n, err := m.MarshalTo(b)
	if err != nil {
		return nil, err
	}
	return b[:n], nil
}
func (m *DeltaDiscoveryRequest) XXX_Merge(src proto.Message) {
	xxx_messageInfo_DeltaDiscoveryRequest.Merge(m, src)
}
func (m *DeltaDiscoveryRequest) XXX_Size() int {
	return m.Size()
}
func (m *DeltaDiscoveryRequest) XXX_DiscardUnknown() {
	xxx_messageInfo_DeltaDiscoveryRequest.DiscardUnknown(m)
}

var xxx_messageInfo_DeltaDiscoveryRequest proto.InternalMessageInfo

func (m *DeltaDiscoveryRequest) GetNode() *core.Node {
	if m != nil {
		return m.Node
	}
	return nil
}

func (m *DeltaDiscoveryRequest) GetTypeUrl() string {
	if m != nil {
		return m.TypeUrl
	}
	return ""
}

func (m *DeltaDiscoveryRequest) GetResourceNamesSubscribe() []string {
	if m != nil {
		return m.ResourceNamesSubscribe
	}
	return nil
}

func (m *DeltaDiscoveryRequest) GetResourceNamesUnsubscribe() []string {
	if m != nil {
		return m.ResourceNamesUnsubscribe
	}
	return nil
}

func (m *DeltaDiscoveryRequest) GetInitialResourceVersions() map[string]string {
	if m != nil {
		return m.InitialResourceVersions
	}
	return nil
}

func (m *DeltaDiscoveryRequest) GetResponseNonce() string {
	if m != nil {
		return m.ResponseNonce
	}
	return ""
}

func (m *DeltaDiscoveryRequest) GetErrorDetail() *rpc.Status {
	if m != nil {
		return m.ErrorDetail
	}
	return nil
}

type DeltaDiscoveryResponse struct {
	// The version of the response data (used for debugging).
	SystemVersionInfo string `protobuf:"bytes,1,opt,name=system_version_info,json=systemVersionInfo,proto3" json:"system_version_info,omitempty"`
	// The response resources. These are typed resources, whose types must match
	// the type_url field.
	Resources []*Resource `protobuf:"bytes,2,rep,name=resources,proto3" json:"resources,omitempty"`
	// Type URL for resources. Identifies the xDS API when muxing over ADS.
	// Must be consistent with the type_url in the Any within 'resources' if 'resources' is non-empty.
	TypeUrl string `protobuf:"bytes,4,opt,name=type_url,json=typeUrl,proto3" json:"type_url,omitempty"`
	// Resources names of resources that have be deleted and to be removed from the xDS Client.
	// Removed resources for missing resources can be ignored.
	RemovedResources []string `protobuf:"bytes,6,rep,name=removed_resources,json=removedResources,proto3" json:"removed_resources,omitempty"`
	// The nonce provides a way for DeltaDiscoveryRequests to uniquely
	// reference a DeltaDiscoveryResponse when (N)ACKing. The nonce is required.
	Nonce                string   `protobuf:"bytes,5,opt,name=nonce,proto3" json:"nonce,omitempty"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

func (m *DeltaDiscoveryResponse) Reset()         { *m = DeltaDiscoveryResponse{} }
func (m *DeltaDiscoveryResponse) String() string { return proto.CompactTextString(m) }
func (*DeltaDiscoveryResponse) ProtoMessage()    {}
func (*DeltaDiscoveryResponse) Descriptor() ([]byte, []int) {
	return fileDescriptor_2c7365e287e5c035, []int{3}
}
func (m *DeltaDiscoveryResponse) XXX_Unmarshal(b []byte) error {
	return m.Unmarshal(b)
}
func (m *DeltaDiscoveryResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
	b = b[:cap(b)]
	n, err := m.MarshalTo(b)
	if err != nil {
		return nil, err
	}
	return b[:n], nil
}
func (m *DeltaDiscoveryResponse) XXX_Merge(src proto.Message) {
	xxx_messageInfo_DeltaDiscoveryResponse.Merge(m, src)
}
func (m *DeltaDiscoveryResponse) XXX_Size() int {
	return m.Size()
}
func (m *DeltaDiscoveryResponse) XXX_DiscardUnknown() {
	xxx_messageInfo_DeltaDiscoveryResponse.DiscardUnknown(m)
}

var xxx_messageInfo_DeltaDiscoveryResponse proto.InternalMessageInfo

func (m *DeltaDiscoveryResponse) GetSystemVersionInfo() string {
	if m != nil {
		return m.SystemVersionInfo
	}
	return ""
}

func (m *DeltaDiscoveryResponse) GetResources() []*Resource {
	if m != nil {
		return m.Resources
	}
	return nil
}

func (m *DeltaDiscoveryResponse) GetTypeUrl() string {
	if m != nil {
		return m.TypeUrl
	}
	return ""
}

func (m *DeltaDiscoveryResponse) GetRemovedResources() []string {
	if m != nil {
		return m.RemovedResources
	}
	return nil
}

func (m *DeltaDiscoveryResponse) GetNonce() string {
	if m != nil {
		return m.Nonce
	}
	return ""
}

type Resource struct {
	// The resource's name, to distinguish it from others of the same type of resource.
	Name string `protobuf:"bytes,3,opt,name=name,proto3" json:"name,omitempty"`
	// [#not-implemented-hide:]
	// The aliases are a list of other names that this resource can go by.
	Aliases []string `protobuf:"bytes,4,rep,name=aliases,proto3" json:"aliases,omitempty"`
	// The resource level version. It allows xDS to track the state of individual
	// resources.
	Version string `protobuf:"bytes,1,opt,name=version,proto3" json:"version,omitempty"`
	// The resource being tracked.
	Resource             *types.Any `protobuf:"bytes,2,opt,name=resource,proto3" json:"resource,omitempty"`
	XXX_NoUnkeyedLiteral struct{}   `json:"-"`
	XXX_unrecognized     []byte     `json:"-"`
	XXX_sizecache        int32      `json:"-"`
}

func (m *Resource) Reset()         { *m = Resource{} }
func (m *Resource) String() string { return proto.CompactTextString(m) }
func (*Resource) ProtoMessage()    {}
func (*Resource) Descriptor() ([]byte, []int) {
	return fileDescriptor_2c7365e287e5c035, []int{4}
}
func (m *Resource) XXX_Unmarshal(b []byte) error {
	return m.Unmarshal(b)
}
func (m *Resource) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
	b = b[:cap(b)]
	n, err := m.MarshalTo(b)
	if err != nil {
		return nil, err
	}
	return b[:n], nil
}
func (m *Resource) XXX_Merge(src proto.Message) {
	xxx_messageInfo_Resource.Merge(m, src)
}
func (m *Resource) XXX_Size() int {
	return m.Size()
}
func (m *Resource) XXX_DiscardUnknown() {
	xxx_messageInfo_Resource.DiscardUnknown(m)
}

var xxx_messageInfo_Resource proto.InternalMessageInfo

func (m *Resource) GetName() string {
	if m != nil {
		return m.Name
	}
	return ""
}

func (m *Resource) GetAliases() []string {
	if m != nil {
		return m.Aliases
	}
	return nil
}

func (m *Resource) GetVersion() string {
	if m != nil {
		return m.Version
	}
	return ""
}

func (m *Resource) GetResource() *types.Any {
	if m != nil {
		return m.Resource
	}
	return nil
}

func init() {
	proto.RegisterType((*DiscoveryRequest)(nil), "envoy.api.v2.DiscoveryRequest")
	proto.RegisterType((*DiscoveryResponse)(nil), "envoy.api.v2.DiscoveryResponse")
	proto.RegisterType((*DeltaDiscoveryRequest)(nil), "envoy.api.v2.DeltaDiscoveryRequest")
	proto.RegisterMapType((map[string]string)(nil), "envoy.api.v2.DeltaDiscoveryRequest.InitialResourceVersionsEntry")
	proto.RegisterType((*DeltaDiscoveryResponse)(nil), "envoy.api.v2.DeltaDiscoveryResponse")
	proto.RegisterType((*Resource)(nil), "envoy.api.v2.Resource")
}

func init() { proto.RegisterFile("envoy/api/v2/discovery.proto", fileDescriptor_2c7365e287e5c035) }

var fileDescriptor_2c7365e287e5c035 = []byte{
	// 698 bytes of a gzipped FileDescriptorProto
	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x8c, 0x54, 0x41, 0x6b, 0xdb, 0x4c,
	0x10, 0x65, 0x6d, 0xc7, 0xb1, 0xd7, 0x4e, 0x48, 0xf6, 0xcb, 0xe7, 0x28, 0x26, 0xb8, 0xae, 0xa1,
	0x60, 0x08, 0x48, 0xc5, 0x6d, 0x21, 0x94, 0x1e, 0xda, 0xd4, 0x2d, 0xa4, 0x87, 0x10, 0x14, 0x92,
	0x43, 0x2f, 0x62, 0x2d, 0x4f, 0x8c, 0xa8, 0xb2, 0xab, 0xee, 0x4a, 0xa2, 0x82, 0x9e, 0x4a, 0x7f,
	0x4c, 0x7f, 0x4a, 0x8f, 0x3d, 0xf6, 0xd0, 0x43, 0xf1, 0xbf, 0xe8, 0xa9, 0x45, 0xab, 0x95, 0x6d,
	0x25, 0x22, 0xf8, 0xb6, 0xb3, 0xf3, 0xf6, 0x69, 0x66, 0xde, 0x1b, 0xe1, 0x43, 0x60, 0x31, 0x4f,
	0x2c, 0x1a, 0x78, 0x56, 0x3c, 0xb2, 0xa6, 0x9e, 0x74, 0x79, 0x0c, 0x22, 0x31, 0x03, 0xc1, 0x43,
	0x4e, 0xda, 0x2a, 0x6b, 0xd2, 0xc0, 0x33, 0xe3, 0x51, 0xb7, 0x88, 0x75, 0xb9, 0x00, 0x6b, 0x42,
	0x25, 0x64, 0xd8, 0xee, 0xc1, 0x8c, 0xf3, 0x99, 0x0f, 0x96, 0x8a, 0x26, 0xd1, 0xb5, 0x45, 0x99,
	0xa6, 0xe9, 0xee, 0xeb, 0x94, 0x08, 0x5c, 0x4b, 0x86, 0x34, 0x8c, 0xa4, 0x4e, 0xec, 0xcd, 0xf8,
	0x8c, 0xab, 0xa3, 0x95, 0x9e, 0xb2, 0xdb, 0xc1, 0x97, 0x0a, 0xde, 0x19, 0xe7, 0x95, 0xd8, 0xf0,
	0x31, 0x02, 0x19, 0x92, 0x87, 0xb8, 0x1d, 0x83, 0x90, 0x1e, 0x67, 0x8e, 0xc7, 0xae, 0xb9, 0x81,
	0xfa, 0x68, 0xd8, 0xb4, 0x5b, 0xfa, 0xee, 0x94, 0x5d, 0x73, 0x72, 0x84, 0x6b, 0x8c, 0x4f, 0xc1,
	0xa8, 0xf4, 0xd1, 0xb0, 0x35, 0xda, 0x37, 0x57, 0x8b, 0x37, 0xd3, 0x72, 0xcd, 0x33, 0x3e, 0x05,
	0x5b, 0x81, 0xc8, 0x23, 0xbc, 0x2d, 0x40, 0xf2, 0x48, 0xb8, 0xe0, 0x30, 0x7a, 0x03, 0xd2, 0xa8,
	0xf6, 0xab, 0xc3, 0xa6, 0xbd, 0x95, 0xdf, 0x9e, 0xa5, 0x97, 0xe4, 0x00, 0x37, 0xc2, 0x24, 0x00,
	0x27, 0x12, 0xbe, 0x51, 0x53, 0x9f, 0xdc, 0x4c, 0xe3, 0x4b, 0xe1, 0x6b, 0x86, 0x80, 0x33, 0x09,
	0x0e, 0xe3, 0xcc, 0x05, 0x63, 0x43, 0x01, 0xb6, 0xf2, 0xdb, 0xb3, 0xf4, 0x92, 0x3c, 0xc3, 0x6d,
	0x10, 0x82, 0x0b, 0x67, 0x0a, 0x21, 0xf5, 0x7c, 0xa3, 0xae, 0xaa, 0x23, 0x66, 0x36, 0x13, 0x53,
	0x04, 0xae, 0x79, 0xa1, 0x66, 0x62, 0xb7, 0x14, 0x6e, 0xac, 0x60, 0x83, 0x3f, 0x08, 0xef, 0xae,
	0x0c, 0x21, 0x63, 0x5c, 0x67, 0x0a, 0x23, 0xdc, 0xcc, 0x5b, 0x90, 0x46, 0xa5, 0x5f, 0x1d, 0xb6,
	0x46, 0x7b, 0xf9, 0xc7, 0x72, 0x6d, 0xcc, 0x57, 0x2c, 0xb1, 0x97, 0x30, 0xd2, 0xc1, 0x75, 0x97,
	0x32, 0x2a, 0x12, 0xa3, 0xda, 0x47, 0xc3, 0x86, 0xad, 0xa3, 0xfb, 0xba, 0xdf, 0xc3, 0x1b, 0xab,
	0x4d, 0x67, 0x01, 0x19, 0xe3, 0x2d, 0x97, 0xb3, 0x50, 0x70, 0xdf, 0x09, 0x7c, 0xca, 0x40, 0x77,
	0xfb, 0xa0, 0x44, 0x8b, 0xd7, 0x19, 0xee, 0x3c, 0x85, 0xd9, 0x6d, 0x77, 0x25, 0x1a, 0xfc, 0xad,
	0xe2, 0xff, 0xc7, 0xe0, 0x87, 0xf4, 0x8e, 0x0b, 0x72, 0x89, 0xd1, 0x3a, 0x12, 0xaf, 0x56, 0x5f,
	0x29, 0x56, 0x7f, 0x8c, 0x8d, 0xa2, 0xfa, 0x8e, 0x8c, 0x26, 0xd2, 0x15, 0xde, 0x04, 0xb4, 0x0f,
	0x3a, 0x05, 0x1f, 0x5c, 0xe4, 0x59, 0xf2, 0x02, 0x77, 0x6f, 0xbd, 0x8c, 0xd8, 0xf2, 0x6d, 0x4d,
	0xbd, 0x35, 0x0a, 0x6f, 0x2f, 0x97, 0x79, 0xf2, 0x19, 0x1f, 0x78, 0xcc, 0x0b, 0x3d, 0xea, 0x3b,
	0x0b, 0x16, 0x2d, 0x9e, 0x34, 0x36, 0x94, 0x58, 0x2f, 0x8b, 0x4d, 0x95, 0xce, 0xc1, 0x3c, 0xcd,
	0x48, 0x6c, 0xcd, 0x71, 0xa5, 0x29, 0xde, 0xb0, 0x50, 0x24, 0xf6, 0xbe, 0x57, 0x9e, 0x2d, 0x71,
	0x6c, 0x7d, 0x1d, 0xc7, 0x6e, 0xae, 0xe5, 0xd8, 0xee, 0x3b, 0x7c, 0x78, 0x5f, 0x59, 0x64, 0x07,
	0x57, 0x3f, 0x40, 0xa2, 0x2d, 0x9b, 0x1e, 0x53, 0x0f, 0xc5, 0xd4, 0x8f, 0x40, 0xab, 0x93, 0x05,
	0xcf, 0x2b, 0xc7, 0x68, 0xf0, 0x0b, 0xe1, 0xce, 0xed, 0xce, 0xf5, 0x0a, 0x98, 0xf8, 0x3f, 0x99,
	0xc8, 0x10, 0x6e, 0x9c, 0x92, 0x4d, 0xd8, 0xcd, 0x52, 0x57, 0x2b, 0xfb, 0xf0, 0xf4, 0xee, 0x3e,
	0x74, 0x8a, 0x23, 0xce, 0xcb, 0x5d, 0xdd, 0x88, 0x7b, 0x9c, 0x7f, 0x84, 0x77, 0x05, 0xdc, 0xf0,
	0x18, 0xa6, 0xce, 0x92, 0xb8, 0xae, 0x84, 0xdf, 0xd1, 0x09, 0x7b, 0xc1, 0x53, 0xba, 0x26, 0x83,
	0xaf, 0x08, 0x37, 0x72, 0x0c, 0x21, 0xb8, 0x96, 0x1a, 0x49, 0xad, 0x5e, 0xd3, 0x56, 0x67, 0x62,
	0xe0, 0x4d, 0xea, 0x7b, 0x54, 0x82, 0xd4, 0x96, 0xca, 0xc3, 0x34, 0xa3, 0xfb, 0xd6, 0x2d, 0xe7,
	0x21, 0x79, 0x8c, 0x1b, 0x79, 0x3d, 0xfa, 0x17, 0x58, 0xbe, 0xf7, 0x0b, 0xd4, 0xc9, 0xdb, 0x6f,
	0xf3, 0x1e, 0xfa, 0x3e, 0xef, 0xa1, 0x1f, 0xf3, 0x1e, 0xfa, 0x39, 0xef, 0xa1, 0xdf, 0xf3, 0x1e,
	0xc2, 0x5d, 0x8f, 0x67, 0xf3, 0x09, 0x04, 0xff, 0x94, 0x14, 0x46, 0x75, 0xb2, 0xbd, 0xd0, 0xe3,
	0x3c, 0xa5, 0x3c, 0x47, 0xef, 0x2b, 0xf1, 0x68, 0x52, 0x57, 0xfc, 0x4f, 0xfe, 0x05, 0x00, 0x00,
	0xff, 0xff, 0x85, 0x0a, 0x39, 0xfc, 0x4d, 0x06, 0x00, 0x00,
}

func (this *DiscoveryRequest) Equal(that interface{}) bool {
	if that == nil {
		return this == nil
	}

	that1, ok := that.(*DiscoveryRequest)
	if !ok {
		that2, ok := that.(DiscoveryRequest)
		if ok {
			that1 = &that2
		} else {
			return false
		}
	}
	if that1 == nil {
		return this == nil
	} else if this == nil {
		return false
	}
	if this.VersionInfo != that1.VersionInfo {
		return false
	}
	if !this.Node.Equal(that1.Node) {
		return false
	}
	if len(this.ResourceNames) != len(that1.ResourceNames) {
		return false
	}
	for i := range this.ResourceNames {
		if this.ResourceNames[i] != that1.ResourceNames[i] {
			return false
		}
	}
	if this.TypeUrl != that1.TypeUrl {
		return false
	}
	if this.ResponseNonce != that1.ResponseNonce {
		return false
	}
	if !this.ErrorDetail.Equal(that1.ErrorDetail) {
		return false
	}
	if !bytes.Equal(this.XXX_unrecognized, that1.XXX_unrecognized) {
		return false
	}
	return true
}
func (this *DiscoveryResponse) Equal(that interface{}) bool {
	if that == nil {
		return this == nil
	}

	that1, ok := that.(*DiscoveryResponse)
	if !ok {
		that2, ok := that.(DiscoveryResponse)
		if ok {
			that1 = &that2
		} else {
			return false
		}
	}
	if that1 == nil {
		return this == nil
	} else if this == nil {
		return false
	}
	if this.VersionInfo != that1.VersionInfo {
		return false
	}
	if len(this.Resources) != len(that1.Resources) {
		return false
	}
	for i := range this.Resources {
		if !this.Resources[i].Equal(that1.Resources[i]) {
			return false
		}
	}
	if this.Canary != that1.Canary {
		return false
	}
	if this.TypeUrl != that1.TypeUrl {
		return false
	}
	if this.Nonce != that1.Nonce {
		return false
	}
	if !this.ControlPlane.Equal(that1.ControlPlane) {
		return false
	}
	if !bytes.Equal(this.XXX_unrecognized, that1.XXX_unrecognized) {
		return false
	}
	return true
}
func (this *DeltaDiscoveryRequest) Equal(that interface{}) bool {
	if that == nil {
		return this == nil
	}

	that1, ok := that.(*DeltaDiscoveryRequest)
	if !ok {
		that2, ok := that.(DeltaDiscoveryRequest)
		if ok {
			that1 = &that2
		} else {
			return false
		}
	}
	if that1 == nil {
		return this == nil
	} else if this == nil {
		return false
	}
	if !this.Node.Equal(that1.Node) {
		return false
	}
	if this.TypeUrl != that1.TypeUrl {
		return false
	}
	if len(this.ResourceNamesSubscribe) != len(that1.ResourceNamesSubscribe) {
		return false
	}
	for i := range this.ResourceNamesSubscribe {
		if this.ResourceNamesSubscribe[i] != that1.ResourceNamesSubscribe[i] {
			return false
		}
	}
	if len(this.ResourceNamesUnsubscribe) != len(that1.ResourceNamesUnsubscribe) {
		return false
	}
	for i := range this.ResourceNamesUnsubscribe {
		if this.ResourceNamesUnsubscribe[i] != that1.ResourceNamesUnsubscribe[i] {
			return false
		}
	}
	if len(this.InitialResourceVersions) != len(that1.InitialResourceVersions) {
		return false
	}
	for i := range this.InitialResourceVersions {
		if this.InitialResourceVersions[i] != that1.InitialResourceVersions[i] {
			return false
		}
	}
	if this.ResponseNonce != that1.ResponseNonce {
		return false
	}
	if !this.ErrorDetail.Equal(that1.ErrorDetail) {
		return false
	}
	if !bytes.Equal(this.XXX_unrecognized, that1.XXX_unrecognized) {
		return false
	}
	return true
}
func (this *DeltaDiscoveryResponse) Equal(that interface{}) bool {
	if that == nil {
		return this == nil
	}

	that1, ok := that.(*DeltaDiscoveryResponse)
	if !ok {
		that2, ok := that.(DeltaDiscoveryResponse)
		if ok {
			that1 = &that2
		} else {
			return false
		}
	}
	if that1 == nil {
		return this == nil
	} else if this == nil {
		return false
	}
	if this.SystemVersionInfo != that1.SystemVersionInfo {
		return false
	}
	if len(this.Resources) != len(that1.Resources) {
		return false
	}
	for i := range this.Resources {
		if !this.Resources[i].Equal(that1.Resources[i]) {
			return false
		}
	}
	if this.TypeUrl != that1.TypeUrl {
		return false
	}
	if len(this.RemovedResources) != len(that1.RemovedResources) {
		return false
	}
	for i := range this.RemovedResources {
		if this.RemovedResources[i] != that1.RemovedResources[i] {
			return false
		}
	}
	if this.Nonce != that1.Nonce {
		return false
	}
	if !bytes.Equal(this.XXX_unrecognized, that1.XXX_unrecognized) {
		return false
	}
	return true
}
func (this *Resource) Equal(that interface{}) bool {
	if that == nil {
		return this == nil
	}

	that1, ok := that.(*Resource)
	if !ok {
		that2, ok := that.(Resource)
		if ok {
			that1 = &that2
		} else {
			return false
		}
	}
	if that1 == nil {
		return this == nil
	} else if this == nil {
		return false
	}
	if this.Name != that1.Name {
		return false
	}
	if len(this.Aliases) != len(that1.Aliases) {
		return false
	}
	for i := range this.Aliases {
		if this.Aliases[i] != that1.Aliases[i] {
			return false
		}
	}
	if this.Version != that1.Version {
		return false
	}
	if !this.Resource.Equal(that1.Resource) {
		return false
	}
	if !bytes.Equal(this.XXX_unrecognized, that1.XXX_unrecognized) {
		return false
	}
	return true
}
func (m *DiscoveryRequest) Marshal() (dAtA []byte, err error) {
	size := m.Size()
	dAtA = make([]byte, size)
	n, err := m.MarshalTo(dAtA)
	if err != nil {
		return nil, err
	}
	return dAtA[:n], nil
}

func (m *DiscoveryRequest) MarshalTo(dAtA []byte) (int, error) {
	var i int
	_ = i
	var l int
	_ = l
	if len(m.VersionInfo) > 0 {
		dAtA[i] = 0xa
		i++
		i = encodeVarintDiscovery(dAtA, i, uint64(len(m.VersionInfo)))
		i += copy(dAtA[i:], m.VersionInfo)
	}
	if m.Node != nil {
		dAtA[i] = 0x12
		i++
		i = encodeVarintDiscovery(dAtA, i, uint64(m.Node.Size()))
		n1, err1 := m.Node.MarshalTo(dAtA[i:])
		if err1 != nil {
			return 0, err1
		}
		i += n1
	}
	if len(m.ResourceNames) > 0 {
		for _, s := range m.ResourceNames {
			dAtA[i] = 0x1a
			i++
			l = len(s)
			for l >= 1<<7 {
				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
				l >>= 7
				i++
			}
			dAtA[i] = uint8(l)
			i++
			i += copy(dAtA[i:], s)
		}
	}
	if len(m.TypeUrl) > 0 {
		dAtA[i] = 0x22
		i++
		i = encodeVarintDiscovery(dAtA, i, uint64(len(m.TypeUrl)))
		i += copy(dAtA[i:], m.TypeUrl)
	}
	if len(m.ResponseNonce) > 0 {
		dAtA[i] = 0x2a
		i++
		i = encodeVarintDiscovery(dAtA, i, uint64(len(m.ResponseNonce)))
		i += copy(dAtA[i:], m.ResponseNonce)
	}
	if m.ErrorDetail != nil {
		dAtA[i] = 0x32
		i++
		i = encodeVarintDiscovery(dAtA, i, uint64(m.ErrorDetail.Size()))
		n2, err2 := m.ErrorDetail.MarshalTo(dAtA[i:])
		if err2 != nil {
			return 0, err2
		}
		i += n2
	}
	if m.XXX_unrecognized != nil {
		i += copy(dAtA[i:], m.XXX_unrecognized)
	}
	return i, nil
}

func (m *DiscoveryResponse) Marshal() (dAtA []byte, err error) {
	size := m.Size()
	dAtA = make([]byte, size)
	n, err := m.MarshalTo(dAtA)
	if err != nil {
		return nil, err
	}
	return dAtA[:n], nil
}

func (m *DiscoveryResponse) MarshalTo(dAtA []byte) (int, error) {
	var i int
	_ = i
	var l int
	_ = l
	if len(m.VersionInfo) > 0 {
		dAtA[i] = 0xa
		i++
		i = encodeVarintDiscovery(dAtA, i, uint64(len(m.VersionInfo)))
		i += copy(dAtA[i:], m.VersionInfo)
	}
	if len(m.Resources) > 0 {
		for _, msg := range m.Resources {
			dAtA[i] = 0x12
			i++
			i = encodeVarintDiscovery(dAtA, i, uint64(msg.Size()))
			n, err := msg.MarshalTo(dAtA[i:])
			if err != nil {
				return 0, err
			}
			i += n
		}
	}
	if m.Canary {
		dAtA[i] = 0x18
		i++
		if m.Canary {
			dAtA[i] = 1
		} else {
			dAtA[i] = 0
		}
		i++
	}
	if len(m.TypeUrl) > 0 {
		dAtA[i] = 0x22
		i++
		i = encodeVarintDiscovery(dAtA, i, uint64(len(m.TypeUrl)))
		i += copy(dAtA[i:], m.TypeUrl)
	}
	if len(m.Nonce) > 0 {
		dAtA[i] = 0x2a
		i++
		i = encodeVarintDiscovery(dAtA, i, uint64(len(m.Nonce)))
		i += copy(dAtA[i:], m.Nonce)
	}
	if m.ControlPlane != nil {
		dAtA[i] = 0x32
		i++
		i = encodeVarintDiscovery(dAtA, i, uint64(m.ControlPlane.Size()))
		n3, err3 := m.ControlPlane.MarshalTo(dAtA[i:])
		if err3 != nil {
			return 0, err3
		}
		i += n3
	}
	if m.XXX_unrecognized != nil {
		i += copy(dAtA[i:], m.XXX_unrecognized)
	}
	return i, nil
}

func (m *DeltaDiscoveryRequest) Marshal() (dAtA []byte, err error) {
	size := m.Size()
	dAtA = make([]byte, size)
	n, err := m.MarshalTo(dAtA)
	if err != nil {
		return nil, err
	}
	return dAtA[:n], nil
}

func (m *DeltaDiscoveryRequest) MarshalTo(dAtA []byte) (int, error) {
	var i int
	_ = i
	var l int
	_ = l
	if m.Node != nil {
		dAtA[i] = 0xa
		i++
		i = encodeVarintDiscovery(dAtA, i, uint64(m.Node.Size()))
		n4, err4 := m.Node.MarshalTo(dAtA[i:])
		if err4 != nil {
			return 0, err4
		}
		i += n4
	}
	if len(m.TypeUrl) > 0 {
		dAtA[i] = 0x12
		i++
		i = encodeVarintDiscovery(dAtA, i, uint64(len(m.TypeUrl)))
		i += copy(dAtA[i:], m.TypeUrl)
	}
	if len(m.ResourceNamesSubscribe) > 0 {
		for _, s := range m.ResourceNamesSubscribe {
			dAtA[i] = 0x1a
			i++
			l = len(s)
			for l >= 1<<7 {
				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
				l >>= 7
				i++
			}
			dAtA[i] = uint8(l)
			i++
			i += copy(dAtA[i:], s)
		}
	}
	if len(m.ResourceNamesUnsubscribe) > 0 {
		for _, s := range m.ResourceNamesUnsubscribe {
			dAtA[i] = 0x22
			i++
			l = len(s)
			for l >= 1<<7 {
				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
				l >>= 7
				i++
			}
			dAtA[i] = uint8(l)
			i++
			i += copy(dAtA[i:], s)
		}
	}
	if len(m.InitialResourceVersions) > 0 {
		keysForInitialResourceVersions := make([]string, 0, len(m.InitialResourceVersions))
		for k, _ := range m.InitialResourceVersions {
			keysForInitialResourceVersions = append(keysForInitialResourceVersions, string(k))
		}
		github_com_gogo_protobuf_sortkeys.Strings(keysForInitialResourceVersions)
		for _, k := range keysForInitialResourceVersions {
			dAtA[i] = 0x2a
			i++
			v := m.InitialResourceVersions[string(k)]
			mapSize := 1 + len(k) + sovDiscovery(uint64(len(k))) + 1 + len(v) + sovDiscovery(uint64(len(v)))
			i = encodeVarintDiscovery(dAtA, i, uint64(mapSize))
			dAtA[i] = 0xa
			i++
			i = encodeVarintDiscovery(dAtA, i, uint64(len(k)))
			i += copy(dAtA[i:], k)
			dAtA[i] = 0x12
			i++
			i = encodeVarintDiscovery(dAtA, i, uint64(len(v)))
			i += copy(dAtA[i:], v)
		}
	}
	if len(m.ResponseNonce) > 0 {
		dAtA[i] = 0x32
		i++
		i = encodeVarintDiscovery(dAtA, i, uint64(len(m.ResponseNonce)))
		i += copy(dAtA[i:], m.ResponseNonce)
	}
	if m.ErrorDetail != nil {
		dAtA[i] = 0x3a
		i++
		i = encodeVarintDiscovery(dAtA, i, uint64(m.ErrorDetail.Size()))
		n5, err5 := m.ErrorDetail.MarshalTo(dAtA[i:])
		if err5 != nil {
			return 0, err5
		}
		i += n5
	}
	if m.XXX_unrecognized != nil {
		i += copy(dAtA[i:], m.XXX_unrecognized)
	}
	return i, nil
}

func (m *DeltaDiscoveryResponse) Marshal() (dAtA []byte, err error) {
	size := m.Size()
	dAtA = make([]byte, size)
	n, err := m.MarshalTo(dAtA)
	if err != nil {
		return nil, err
	}
	return dAtA[:n], nil
}

func (m *DeltaDiscoveryResponse) MarshalTo(dAtA []byte) (int, error) {
	var i int
	_ = i
	var l int
	_ = l
	if len(m.SystemVersionInfo) > 0 {
		dAtA[i] = 0xa
		i++
		i = encodeVarintDiscovery(dAtA, i, uint64(len(m.SystemVersionInfo)))
		i += copy(dAtA[i:], m.SystemVersionInfo)
	}
	if len(m.Resources) > 0 {
		for _, msg := range m.Resources {
			dAtA[i] = 0x12
			i++
			i = encodeVarintDiscovery(dAtA, i, uint64(msg.Size()))
			n, err := msg.MarshalTo(dAtA[i:])
			if err != nil {
				return 0, err
			}
			i += n
		}
	}
	if len(m.TypeUrl) > 0 {
		dAtA[i] = 0x22
		i++
		i = encodeVarintDiscovery(dAtA, i, uint64(len(m.TypeUrl)))
		i += copy(dAtA[i:], m.TypeUrl)
	}
	if len(m.Nonce) > 0 {
		dAtA[i] = 0x2a
		i++
		i = encodeVarintDiscovery(dAtA, i, uint64(len(m.Nonce)))
		i += copy(dAtA[i:], m.Nonce)
	}
	if len(m.RemovedResources) > 0 {
		for _, s := range m.RemovedResources {
			dAtA[i] = 0x32
			i++
			l = len(s)
			for l >= 1<<7 {
				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
				l >>= 7
				i++
			}
			dAtA[i] = uint8(l)
			i++
			i += copy(dAtA[i:], s)
		}
	}
	if m.XXX_unrecognized != nil {
		i += copy(dAtA[i:], m.XXX_unrecognized)
	}
	return i, nil
}

func (m *Resource) Marshal() (dAtA []byte, err error) {
	size := m.Size()
	dAtA = make([]byte, size)
	n, err := m.MarshalTo(dAtA)
	if err != nil {
		return nil, err
	}
	return dAtA[:n], nil
}

func (m *Resource) MarshalTo(dAtA []byte) (int, error) {
	var i int
	_ = i
	var l int
	_ = l
	if len(m.Version) > 0 {
		dAtA[i] = 0xa
		i++
		i = encodeVarintDiscovery(dAtA, i, uint64(len(m.Version)))
		i += copy(dAtA[i:], m.Version)
	}
	if m.Resource != nil {
		dAtA[i] = 0x12
		i++
		i = encodeVarintDiscovery(dAtA, i, uint64(m.Resource.Size()))
		n6, err6 := m.Resource.MarshalTo(dAtA[i:])
		if err6 != nil {
			return 0, err6
		}
		i += n6
	}
	if len(m.Name) > 0 {
		dAtA[i] = 0x1a
		i++
		i = encodeVarintDiscovery(dAtA, i, uint64(len(m.Name)))
		i += copy(dAtA[i:], m.Name)
	}
	if len(m.Aliases) > 0 {
		for _, s := range m.Aliases {
			dAtA[i] = 0x22
			i++
			l = len(s)
			for l >= 1<<7 {
				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
				l >>= 7
				i++
			}
			dAtA[i] = uint8(l)
			i++
			i += copy(dAtA[i:], s)
		}
	}
	if m.XXX_unrecognized != nil {
		i += copy(dAtA[i:], m.XXX_unrecognized)
	}
	return i, nil
}

func encodeVarintDiscovery(dAtA []byte, offset int, v uint64) int {
	for v >= 1<<7 {
		dAtA[offset] = uint8(v&0x7f | 0x80)
		v >>= 7
		offset++
	}
	dAtA[offset] = uint8(v)
	return offset + 1
}
func (m *DiscoveryRequest) Size() (n int) {
	if m == nil {
		return 0
	}
	var l int
	_ = l
	l = len(m.VersionInfo)
	if l > 0 {
		n += 1 + l + sovDiscovery(uint64(l))
	}
	if m.Node != nil {
		l = m.Node.Size()
		n += 1 + l + sovDiscovery(uint64(l))
	}
	if len(m.ResourceNames) > 0 {
		for _, s := range m.ResourceNames {
			l = len(s)
			n += 1 + l + sovDiscovery(uint64(l))
		}
	}
	l = len(m.TypeUrl)
	if l > 0 {
		n += 1 + l + sovDiscovery(uint64(l))
	}
	l = len(m.ResponseNonce)
	if l > 0 {
		n += 1 + l + sovDiscovery(uint64(l))
	}
	if m.ErrorDetail != nil {
		l = m.ErrorDetail.Size()
		n += 1 + l + sovDiscovery(uint64(l))
	}
	if m.XXX_unrecognized != nil {
		n += len(m.XXX_unrecognized)
	}
	return n
}

func (m *DiscoveryResponse) Size() (n int) {
	if m == nil {
		return 0
	}
	var l int
	_ = l
	l = len(m.VersionInfo)
	if l > 0 {
		n += 1 + l + sovDiscovery(uint64(l))
	}
	if len(m.Resources) > 0 {
		for _, e := range m.Resources {
			l = e.Size()
			n += 1 + l + sovDiscovery(uint64(l))
		}
	}
	if m.Canary {
		n += 2
	}
	l = len(m.TypeUrl)
	if l > 0 {
		n += 1 + l + sovDiscovery(uint64(l))
	}
	l = len(m.Nonce)
	if l > 0 {
		n += 1 + l + sovDiscovery(uint64(l))
	}
	if m.ControlPlane != nil {
		l = m.ControlPlane.Size()
		n += 1 + l + sovDiscovery(uint64(l))
	}
	if m.XXX_unrecognized != nil {
		n += len(m.XXX_unrecognized)
	}
	return n
}

func (m *DeltaDiscoveryRequest) Size() (n int) {
	if m == nil {
		return 0
	}
	var l int
	_ = l
	if m.Node != nil {
		l = m.Node.Size()
		n += 1 + l + sovDiscovery(uint64(l))
	}
	l = len(m.TypeUrl)
	if l > 0 {
		n += 1 + l + sovDiscovery(uint64(l))
	}
	if len(m.ResourceNamesSubscribe) > 0 {
		for _, s := range m.ResourceNamesSubscribe {
			l = len(s)
			n += 1 + l + sovDiscovery(uint64(l))
		}
	}
	if len(m.ResourceNamesUnsubscribe) > 0 {
		for _, s := range m.ResourceNamesUnsubscribe {
			l = len(s)
			n += 1 + l + sovDiscovery(uint64(l))
		}
	}
	if len(m.InitialResourceVersions) > 0 {
		for k, v := range m.InitialResourceVersions {
			_ = k
			_ = v
			mapEntrySize := 1 + len(k) + sovDiscovery(uint64(len(k))) + 1 + len(v) + sovDiscovery(uint64(len(v)))
			n += mapEntrySize + 1 + sovDiscovery(uint64(mapEntrySize))
		}
	}
	l = len(m.ResponseNonce)
	if l > 0 {
		n += 1 + l + sovDiscovery(uint64(l))
	}
	if m.ErrorDetail != nil {
		l = m.ErrorDetail.Size()
		n += 1 + l + sovDiscovery(uint64(l))
	}
	if m.XXX_unrecognized != nil {
		n += len(m.XXX_unrecognized)
	}
	return n
}

func (m *DeltaDiscoveryResponse) Size() (n int) {
	if m == nil {
		return 0
	}
	var l int
	_ = l
	l = len(m.SystemVersionInfo)
	if l > 0 {
		n += 1 + l + sovDiscovery(uint64(l))
	}
	if len(m.Resources) > 0 {
		for _, e := range m.Resources {
			l = e.Size()
			n += 1 + l + sovDiscovery(uint64(l))
		}
	}
	l = len(m.TypeUrl)
	if l > 0 {
		n += 1 + l + sovDiscovery(uint64(l))
	}
	l = len(m.Nonce)
	if l > 0 {
		n += 1 + l + sovDiscovery(uint64(l))
	}
	if len(m.RemovedResources) > 0 {
		for _, s := range m.RemovedResources {
			l = len(s)
			n += 1 + l + sovDiscovery(uint64(l))
		}
	}
	if m.XXX_unrecognized != nil {
		n += len(m.XXX_unrecognized)
	}
	return n
}

func (m *Resource) Size() (n int) {
	if m == nil {
		return 0
	}
	var l int
	_ = l
	l = len(m.Version)
	if l > 0 {
		n += 1 + l + sovDiscovery(uint64(l))
	}
	if m.Resource != nil {
		l = m.Resource.Size()
		n += 1 + l + sovDiscovery(uint64(l))
	}
	l = len(m.Name)
	if l > 0 {
		n += 1 + l + sovDiscovery(uint64(l))
	}
	if len(m.Aliases) > 0 {
		for _, s := range m.Aliases {
			l = len(s)
			n += 1 + l + sovDiscovery(uint64(l))
		}
	}
	if m.XXX_unrecognized != nil {
		n += len(m.XXX_unrecognized)
	}
	return n
}

func sovDiscovery(x uint64) (n int) {
	return (math_bits.Len64(x|1) + 6) / 7
}
func sozDiscovery(x uint64) (n int) {
	return sovDiscovery(uint64((x << 1) ^ uint64((int64(x) >> 63))))
}
func (m *DiscoveryRequest) Unmarshal(dAtA []byte) error {
	l := len(dAtA)
	iNdEx := 0
	for iNdEx < l {
		preIndex := iNdEx
		var wire uint64
		for shift := uint(0); ; shift += 7 {
			if shift >= 64 {
				return ErrIntOverflowDiscovery
			}
			if iNdEx >= l {
				return io.ErrUnexpectedEOF
			}
			b := dAtA[iNdEx]
			iNdEx++
			wire |= uint64(b&0x7F) << shift
			if b < 0x80 {
				break
			}
		}
		fieldNum := int32(wire >> 3)
		wireType := int(wire & 0x7)
		if wireType == 4 {
			return fmt.Errorf("proto: DiscoveryRequest: wiretype end group for non-group")
		}
		if fieldNum <= 0 {
			return fmt.Errorf("proto: DiscoveryRequest: illegal tag %d (wire type %d)", fieldNum, wire)
		}
		switch fieldNum {
		case 1:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field VersionInfo", wireType)
			}
			var stringLen uint64
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowDiscovery
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				stringLen |= uint64(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			intStringLen := int(stringLen)
			if intStringLen < 0 {
				return ErrInvalidLengthDiscovery
			}
			postIndex := iNdEx + intStringLen
			if postIndex < 0 {
				return ErrInvalidLengthDiscovery
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			m.VersionInfo = string(dAtA[iNdEx:postIndex])
			iNdEx = postIndex
		case 2:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field Node", wireType)
			}
			var msglen int
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowDiscovery
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				msglen |= int(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			if msglen < 0 {
				return ErrInvalidLengthDiscovery
			}
			postIndex := iNdEx + msglen
			if postIndex < 0 {
				return ErrInvalidLengthDiscovery
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			if m.Node == nil {
				m.Node = &core.Node{}
			}
			if err := m.Node.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
				return err
			}
			iNdEx = postIndex
		case 3:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field ResourceNames", wireType)
			}
			var stringLen uint64
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowDiscovery
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				stringLen |= uint64(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			intStringLen := int(stringLen)
			if intStringLen < 0 {
				return ErrInvalidLengthDiscovery
			}
			postIndex := iNdEx + intStringLen
			if postIndex < 0 {
				return ErrInvalidLengthDiscovery
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			m.ResourceNames = append(m.ResourceNames, string(dAtA[iNdEx:postIndex]))
			iNdEx = postIndex
		case 4:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field TypeUrl", wireType)
			}
			var stringLen uint64
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowDiscovery
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				stringLen |= uint64(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			intStringLen := int(stringLen)
			if intStringLen < 0 {
				return ErrInvalidLengthDiscovery
			}
			postIndex := iNdEx + intStringLen
			if postIndex < 0 {
				return ErrInvalidLengthDiscovery
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			m.TypeUrl = string(dAtA[iNdEx:postIndex])
			iNdEx = postIndex
		case 5:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field ResponseNonce", wireType)
			}
			var stringLen uint64
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowDiscovery
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				stringLen |= uint64(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			intStringLen := int(stringLen)
			if intStringLen < 0 {
				return ErrInvalidLengthDiscovery
			}
			postIndex := iNdEx + intStringLen
			if postIndex < 0 {
				return ErrInvalidLengthDiscovery
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			m.ResponseNonce = string(dAtA[iNdEx:postIndex])
			iNdEx = postIndex
		case 6:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field ErrorDetail", wireType)
			}
			var msglen int
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowDiscovery
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				msglen |= int(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			if msglen < 0 {
				return ErrInvalidLengthDiscovery
			}
			postIndex := iNdEx + msglen
			if postIndex < 0 {
				return ErrInvalidLengthDiscovery
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			if m.ErrorDetail == nil {
				m.ErrorDetail = &rpc.Status{}
			}
			if err := m.ErrorDetail.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
				return err
			}
			iNdEx = postIndex
		default:
			iNdEx = preIndex
			skippy, err := skipDiscovery(dAtA[iNdEx:])
			if err != nil {
				return err
			}
			if skippy < 0 {
				return ErrInvalidLengthDiscovery
			}
			if (iNdEx + skippy) < 0 {
				return ErrInvalidLengthDiscovery
			}
			if (iNdEx + skippy) > l {
				return io.ErrUnexpectedEOF
			}
			m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...)
			iNdEx += skippy
		}
	}

	if iNdEx > l {
		return io.ErrUnexpectedEOF
	}
	return nil
}
func (m *DiscoveryResponse) Unmarshal(dAtA []byte) error {
	l := len(dAtA)
	iNdEx := 0
	for iNdEx < l {
		preIndex := iNdEx
		var wire uint64
		for shift := uint(0); ; shift += 7 {
			if shift >= 64 {
				return ErrIntOverflowDiscovery
			}
			if iNdEx >= l {
				return io.ErrUnexpectedEOF
			}
			b := dAtA[iNdEx]
			iNdEx++
			wire |= uint64(b&0x7F) << shift
			if b < 0x80 {
				break
			}
		}
		fieldNum := int32(wire >> 3)
		wireType := int(wire & 0x7)
		if wireType == 4 {
			return fmt.Errorf("proto: DiscoveryResponse: wiretype end group for non-group")
		}
		if fieldNum <= 0 {
			return fmt.Errorf("proto: DiscoveryResponse: illegal tag %d (wire type %d)", fieldNum, wire)
		}
		switch fieldNum {
		case 1:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field VersionInfo", wireType)
			}
			var stringLen uint64
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowDiscovery
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				stringLen |= uint64(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			intStringLen := int(stringLen)
			if intStringLen < 0 {
				return ErrInvalidLengthDiscovery
			}
			postIndex := iNdEx + intStringLen
			if postIndex < 0 {
				return ErrInvalidLengthDiscovery
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			m.VersionInfo = string(dAtA[iNdEx:postIndex])
			iNdEx = postIndex
		case 2:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field Resources", wireType)
			}
			var msglen int
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowDiscovery
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				msglen |= int(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			if msglen < 0 {
				return ErrInvalidLengthDiscovery
			}
			postIndex := iNdEx + msglen
			if postIndex < 0 {
				return ErrInvalidLengthDiscovery
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			m.Resources = append(m.Resources, &types.Any{})
			if err := m.Resources[len(m.Resources)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
				return err
			}
			iNdEx = postIndex
		case 3:
			if wireType != 0 {
				return fmt.Errorf("proto: wrong wireType = %d for field Canary", wireType)
			}
			var v int
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowDiscovery
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				v |= int(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			m.Canary = bool(v != 0)
		case 4:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field TypeUrl", wireType)
			}
			var stringLen uint64
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowDiscovery
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				stringLen |= uint64(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			intStringLen := int(stringLen)
			if intStringLen < 0 {
				return ErrInvalidLengthDiscovery
			}
			postIndex := iNdEx + intStringLen
			if postIndex < 0 {
				return ErrInvalidLengthDiscovery
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			m.TypeUrl = string(dAtA[iNdEx:postIndex])
			iNdEx = postIndex
		case 5:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field Nonce", wireType)
			}
			var stringLen uint64
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowDiscovery
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				stringLen |= uint64(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			intStringLen := int(stringLen)
			if intStringLen < 0 {
				return ErrInvalidLengthDiscovery
			}
			postIndex := iNdEx + intStringLen
			if postIndex < 0 {
				return ErrInvalidLengthDiscovery
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			m.Nonce = string(dAtA[iNdEx:postIndex])
			iNdEx = postIndex
		case 6:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field ControlPlane", wireType)
			}
			var msglen int
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowDiscovery
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				msglen |= int(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			if msglen < 0 {
				return ErrInvalidLengthDiscovery
			}
			postIndex := iNdEx + msglen
			if postIndex < 0 {
				return ErrInvalidLengthDiscovery
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			if m.ControlPlane == nil {
				m.ControlPlane = &core.ControlPlane{}
			}
			if err := m.ControlPlane.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
				return err
			}
			iNdEx = postIndex
		default:
			iNdEx = preIndex
			skippy, err := skipDiscovery(dAtA[iNdEx:])
			if err != nil {
				return err
			}
			if skippy < 0 {
				return ErrInvalidLengthDiscovery
			}
			if (iNdEx + skippy) < 0 {
				return ErrInvalidLengthDiscovery
			}
			if (iNdEx + skippy) > l {
				return io.ErrUnexpectedEOF
			}
			m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...)
			iNdEx += skippy
		}
	}

	if iNdEx > l {
		return io.ErrUnexpectedEOF
	}
	return nil
}
func (m *DeltaDiscoveryRequest) Unmarshal(dAtA []byte) error {
	l := len(dAtA)
	iNdEx := 0
	for iNdEx < l {
		preIndex := iNdEx
		var wire uint64
		for shift := uint(0); ; shift += 7 {
			if shift >= 64 {
				return ErrIntOverflowDiscovery
			}
			if iNdEx >= l {
				return io.ErrUnexpectedEOF
			}
			b := dAtA[iNdEx]
			iNdEx++
			wire |= uint64(b&0x7F) << shift
			if b < 0x80 {
				break
			}
		}
		fieldNum := int32(wire >> 3)
		wireType := int(wire & 0x7)
		if wireType == 4 {
			return fmt.Errorf("proto: DeltaDiscoveryRequest: wiretype end group for non-group")
		}
		if fieldNum <= 0 {
			return fmt.Errorf("proto: DeltaDiscoveryRequest: illegal tag %d (wire type %d)", fieldNum, wire)
		}
		switch fieldNum {
		case 1:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field Node", wireType)
			}
			var msglen int
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowDiscovery
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				msglen |= int(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			if msglen < 0 {
				return ErrInvalidLengthDiscovery
			}
			postIndex := iNdEx + msglen
			if postIndex < 0 {
				return ErrInvalidLengthDiscovery
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			if m.Node == nil {
				m.Node = &core.Node{}
			}
			if err := m.Node.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
				return err
			}
			iNdEx = postIndex
		case 2:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field TypeUrl", wireType)
			}
			var stringLen uint64
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowDiscovery
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				stringLen |= uint64(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			intStringLen := int(stringLen)
			if intStringLen < 0 {
				return ErrInvalidLengthDiscovery
			}
			postIndex := iNdEx + intStringLen
			if postIndex < 0 {
				return ErrInvalidLengthDiscovery
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			m.TypeUrl = string(dAtA[iNdEx:postIndex])
			iNdEx = postIndex
		case 3:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field ResourceNamesSubscribe", wireType)
			}
			var stringLen uint64
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowDiscovery
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				stringLen |= uint64(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			intStringLen := int(stringLen)
			if intStringLen < 0 {
				return ErrInvalidLengthDiscovery
			}
			postIndex := iNdEx + intStringLen
			if postIndex < 0 {
				return ErrInvalidLengthDiscovery
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			m.ResourceNamesSubscribe = append(m.ResourceNamesSubscribe, string(dAtA[iNdEx:postIndex]))
			iNdEx = postIndex
		case 4:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field ResourceNamesUnsubscribe", wireType)
			}
			var stringLen uint64
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowDiscovery
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				stringLen |= uint64(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			intStringLen := int(stringLen)
			if intStringLen < 0 {
				return ErrInvalidLengthDiscovery
			}
			postIndex := iNdEx + intStringLen
			if postIndex < 0 {
				return ErrInvalidLengthDiscovery
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			m.ResourceNamesUnsubscribe = append(m.ResourceNamesUnsubscribe, string(dAtA[iNdEx:postIndex]))
			iNdEx = postIndex
		case 5:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field InitialResourceVersions", wireType)
			}
			var msglen int
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowDiscovery
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				msglen |= int(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			if msglen < 0 {
				return ErrInvalidLengthDiscovery
			}
			postIndex := iNdEx + msglen
			if postIndex < 0 {
				return ErrInvalidLengthDiscovery
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			if m.InitialResourceVersions == nil {
				m.InitialResourceVersions = make(map[string]string)
			}
			var mapkey string
			var mapvalue string
			for iNdEx < postIndex {
				entryPreIndex := iNdEx
				var wire uint64
				for shift := uint(0); ; shift += 7 {
					if shift >= 64 {
						return ErrIntOverflowDiscovery
					}
					if iNdEx >= l {
						return io.ErrUnexpectedEOF
					}
					b := dAtA[iNdEx]
					iNdEx++
					wire |= uint64(b&0x7F) << shift
					if b < 0x80 {
						break
					}
				}
				fieldNum := int32(wire >> 3)
				if fieldNum == 1 {
					var stringLenmapkey uint64
					for shift := uint(0); ; shift += 7 {
						if shift >= 64 {
							return ErrIntOverflowDiscovery
						}
						if iNdEx >= l {
							return io.ErrUnexpectedEOF
						}
						b := dAtA[iNdEx]
						iNdEx++
						stringLenmapkey |= uint64(b&0x7F) << shift
						if b < 0x80 {
							break
						}
					}
					intStringLenmapkey := int(stringLenmapkey)
					if intStringLenmapkey < 0 {
						return ErrInvalidLengthDiscovery
					}
					postStringIndexmapkey := iNdEx + intStringLenmapkey
					if postStringIndexmapkey < 0 {
						return ErrInvalidLengthDiscovery
					}
					if postStringIndexmapkey > l {
						return io.ErrUnexpectedEOF
					}
					mapkey = string(dAtA[iNdEx:postStringIndexmapkey])
					iNdEx = postStringIndexmapkey
				} else if fieldNum == 2 {
					var stringLenmapvalue uint64
					for shift := uint(0); ; shift += 7 {
						if shift >= 64 {
							return ErrIntOverflowDiscovery
						}
						if iNdEx >= l {
							return io.ErrUnexpectedEOF
						}
						b := dAtA[iNdEx]
						iNdEx++
						stringLenmapvalue |= uint64(b&0x7F) << shift
						if b < 0x80 {
							break
						}
					}
					intStringLenmapvalue := int(stringLenmapvalue)
					if intStringLenmapvalue < 0 {
						return ErrInvalidLengthDiscovery
					}
					postStringIndexmapvalue := iNdEx + intStringLenmapvalue
					if postStringIndexmapvalue < 0 {
						return ErrInvalidLengthDiscovery
					}
					if postStringIndexmapvalue > l {
						return io.ErrUnexpectedEOF
					}
					mapvalue = string(dAtA[iNdEx:postStringIndexmapvalue])
					iNdEx = postStringIndexmapvalue
				} else {
					iNdEx = entryPreIndex
					skippy, err := skipDiscovery(dAtA[iNdEx:])
					if err != nil {
						return err
					}
					if skippy < 0 {
						return ErrInvalidLengthDiscovery
					}
					if (iNdEx + skippy) > postIndex {
						return io.ErrUnexpectedEOF
					}
					iNdEx += skippy
				}
			}
			m.InitialResourceVersions[mapkey] = mapvalue
			iNdEx = postIndex
		case 6:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field ResponseNonce", wireType)
			}
			var stringLen uint64
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowDiscovery
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				stringLen |= uint64(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			intStringLen := int(stringLen)
			if intStringLen < 0 {
				return ErrInvalidLengthDiscovery
			}
			postIndex := iNdEx + intStringLen
			if postIndex < 0 {
				return ErrInvalidLengthDiscovery
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			m.ResponseNonce = string(dAtA[iNdEx:postIndex])
			iNdEx = postIndex
		case 7:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field ErrorDetail", wireType)
			}
			var msglen int
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowDiscovery
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				msglen |= int(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			if msglen < 0 {
				return ErrInvalidLengthDiscovery
			}
			postIndex := iNdEx + msglen
			if postIndex < 0 {
				return ErrInvalidLengthDiscovery
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			if m.ErrorDetail == nil {
				m.ErrorDetail = &rpc.Status{}
			}
			if err := m.ErrorDetail.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
				return err
			}
			iNdEx = postIndex
		default:
			iNdEx = preIndex
			skippy, err := skipDiscovery(dAtA[iNdEx:])
			if err != nil {
				return err
			}
			if skippy < 0 {
				return ErrInvalidLengthDiscovery
			}
			if (iNdEx + skippy) < 0 {
				return ErrInvalidLengthDiscovery
			}
			if (iNdEx + skippy) > l {
				return io.ErrUnexpectedEOF
			}
			m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...)
			iNdEx += skippy
		}
	}

	if iNdEx > l {
		return io.ErrUnexpectedEOF
	}
	return nil
}
func (m *DeltaDiscoveryResponse) Unmarshal(dAtA []byte) error {
	l := len(dAtA)
	iNdEx := 0
	for iNdEx < l {
		preIndex := iNdEx
		var wire uint64
		for shift := uint(0); ; shift += 7 {
			if shift >= 64 {
				return ErrIntOverflowDiscovery
			}
			if iNdEx >= l {
				return io.ErrUnexpectedEOF
			}
			b := dAtA[iNdEx]
			iNdEx++
			wire |= uint64(b&0x7F) << shift
			if b < 0x80 {
				break
			}
		}
		fieldNum := int32(wire >> 3)
		wireType := int(wire & 0x7)
		if wireType == 4 {
			return fmt.Errorf("proto: DeltaDiscoveryResponse: wiretype end group for non-group")
		}
		if fieldNum <= 0 {
			return fmt.Errorf("proto: DeltaDiscoveryResponse: illegal tag %d (wire type %d)", fieldNum, wire)
		}
		switch fieldNum {
		case 1:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field SystemVersionInfo", wireType)
			}
			var stringLen uint64
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowDiscovery
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				stringLen |= uint64(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			intStringLen := int(stringLen)
			if intStringLen < 0 {
				return ErrInvalidLengthDiscovery
			}
			postIndex := iNdEx + intStringLen
			if postIndex < 0 {
				return ErrInvalidLengthDiscovery
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			m.SystemVersionInfo = string(dAtA[iNdEx:postIndex])
			iNdEx = postIndex
		case 2:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field Resources", wireType)
			}
			var msglen int
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowDiscovery
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				msglen |= int(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			if msglen < 0 {
				return ErrInvalidLengthDiscovery
			}
			postIndex := iNdEx + msglen
			if postIndex < 0 {
				return ErrInvalidLengthDiscovery
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			m.Resources = append(m.Resources, &Resource{})
			if err := m.Resources[len(m.Resources)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
				return err
			}
			iNdEx = postIndex
		case 4:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field TypeUrl", wireType)
			}
			var stringLen uint64
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowDiscovery
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				stringLen |= uint64(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			intStringLen := int(stringLen)
			if intStringLen < 0 {
				return ErrInvalidLengthDiscovery
			}
			postIndex := iNdEx + intStringLen
			if postIndex < 0 {
				return ErrInvalidLengthDiscovery
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			m.TypeUrl = string(dAtA[iNdEx:postIndex])
			iNdEx = postIndex
		case 5:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field Nonce", wireType)
			}
			var stringLen uint64
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowDiscovery
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				stringLen |= uint64(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			intStringLen := int(stringLen)
			if intStringLen < 0 {
				return ErrInvalidLengthDiscovery
			}
			postIndex := iNdEx + intStringLen
			if postIndex < 0 {
				return ErrInvalidLengthDiscovery
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			m.Nonce = string(dAtA[iNdEx:postIndex])
			iNdEx = postIndex
		case 6:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field RemovedResources", wireType)
			}
			var stringLen uint64
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowDiscovery
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				stringLen |= uint64(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			intStringLen := int(stringLen)
			if intStringLen < 0 {
				return ErrInvalidLengthDiscovery
			}
			postIndex := iNdEx + intStringLen
			if postIndex < 0 {
				return ErrInvalidLengthDiscovery
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			m.RemovedResources = append(m.RemovedResources, string(dAtA[iNdEx:postIndex]))
			iNdEx = postIndex
		default:
			iNdEx = preIndex
			skippy, err := skipDiscovery(dAtA[iNdEx:])
			if err != nil {
				return err
			}
			if skippy < 0 {
				return ErrInvalidLengthDiscovery
			}
			if (iNdEx + skippy) < 0 {
				return ErrInvalidLengthDiscovery
			}
			if (iNdEx + skippy) > l {
				return io.ErrUnexpectedEOF
			}
			m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...)
			iNdEx += skippy
		}
	}

	if iNdEx > l {
		return io.ErrUnexpectedEOF
	}
	return nil
}
func (m *Resource) Unmarshal(dAtA []byte) error {
	l := len(dAtA)
	iNdEx := 0
	for iNdEx < l {
		preIndex := iNdEx
		var wire uint64
		for shift := uint(0); ; shift += 7 {
			if shift >= 64 {
				return ErrIntOverflowDiscovery
			}
			if iNdEx >= l {
				return io.ErrUnexpectedEOF
			}
			b := dAtA[iNdEx]
			iNdEx++
			wire |= uint64(b&0x7F) << shift
			if b < 0x80 {
				break
			}
		}
		fieldNum := int32(wire >> 3)
		wireType := int(wire & 0x7)
		if wireType == 4 {
			return fmt.Errorf("proto: Resource: wiretype end group for non-group")
		}
		if fieldNum <= 0 {
			return fmt.Errorf("proto: Resource: illegal tag %d (wire type %d)", fieldNum, wire)
		}
		switch fieldNum {
		case 1:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field Version", wireType)
			}
			var stringLen uint64
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowDiscovery
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				stringLen |= uint64(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			intStringLen := int(stringLen)
			if intStringLen < 0 {
				return ErrInvalidLengthDiscovery
			}
			postIndex := iNdEx + intStringLen
			if postIndex < 0 {
				return ErrInvalidLengthDiscovery
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			m.Version = string(dAtA[iNdEx:postIndex])
			iNdEx = postIndex
		case 2:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field Resource", wireType)
			}
			var msglen int
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowDiscovery
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				msglen |= int(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			if msglen < 0 {
				return ErrInvalidLengthDiscovery
			}
			postIndex := iNdEx + msglen
			if postIndex < 0 {
				return ErrInvalidLengthDiscovery
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			if m.Resource == nil {
				m.Resource = &types.Any{}
			}
			if err := m.Resource.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
				return err
			}
			iNdEx = postIndex
		case 3:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field Name", wireType)
			}
			var stringLen uint64
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowDiscovery
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				stringLen |= uint64(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			intStringLen := int(stringLen)
			if intStringLen < 0 {
				return ErrInvalidLengthDiscovery
			}
			postIndex := iNdEx + intStringLen
			if postIndex < 0 {
				return ErrInvalidLengthDiscovery
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			m.Name = string(dAtA[iNdEx:postIndex])
			iNdEx = postIndex
		case 4:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field Aliases", wireType)
			}
			var stringLen uint64
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowDiscovery
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				stringLen |= uint64(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			intStringLen := int(stringLen)
			if intStringLen < 0 {
				return ErrInvalidLengthDiscovery
			}
			postIndex := iNdEx + intStringLen
			if postIndex < 0 {
				return ErrInvalidLengthDiscovery
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			m.Aliases = append(m.Aliases, string(dAtA[iNdEx:postIndex]))
			iNdEx = postIndex
		default:
			iNdEx = preIndex
			skippy, err := skipDiscovery(dAtA[iNdEx:])
			if err != nil {
				return err
			}
			if skippy < 0 {
				return ErrInvalidLengthDiscovery
			}
			if (iNdEx + skippy) < 0 {
				return ErrInvalidLengthDiscovery
			}
			if (iNdEx + skippy) > l {
				return io.ErrUnexpectedEOF
			}
			m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...)
			iNdEx += skippy
		}
	}

	if iNdEx > l {
		return io.ErrUnexpectedEOF
	}
	return nil
}
func skipDiscovery(dAtA []byte) (n int, err error) {
	l := len(dAtA)
	iNdEx := 0
	for iNdEx < l {
		var wire uint64
		for shift := uint(0); ; shift += 7 {
			if shift >= 64 {
				return 0, ErrIntOverflowDiscovery
			}
			if iNdEx >= l {
				return 0, io.ErrUnexpectedEOF
			}
			b := dAtA[iNdEx]
			iNdEx++
			wire |= (uint64(b) & 0x7F) << shift
			if b < 0x80 {
				break
			}
		}
		wireType := int(wire & 0x7)
		switch wireType {
		case 0:
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return 0, ErrIntOverflowDiscovery
				}
				if iNdEx >= l {
					return 0, io.ErrUnexpectedEOF
				}
				iNdEx++
				if dAtA[iNdEx-1] < 0x80 {
					break
				}
			}
			return iNdEx, nil
		case 1:
			iNdEx += 8
			return iNdEx, nil
		case 2:
			var length int
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return 0, ErrIntOverflowDiscovery
				}
				if iNdEx >= l {
					return 0, io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				length |= (int(b) & 0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			if length < 0 {
				return 0, ErrInvalidLengthDiscovery
			}
			iNdEx += length
			if iNdEx < 0 {
				return 0, ErrInvalidLengthDiscovery
			}
			return iNdEx, nil
		case 3:
			for {
				var innerWire uint64
				var start int = iNdEx
				for shift := uint(0); ; shift += 7 {
					if shift >= 64 {
						return 0, ErrIntOverflowDiscovery
					}
					if iNdEx >= l {
						return 0, io.ErrUnexpectedEOF
					}
					b := dAtA[iNdEx]
					iNdEx++
					innerWire |= (uint64(b) & 0x7F) << shift
					if b < 0x80 {
						break
					}
				}
				innerWireType := int(innerWire & 0x7)
				if innerWireType == 4 {
					break
				}
				next, err := skipDiscovery(dAtA[start:])
				if err != nil {
					return 0, err
				}
				iNdEx = start + next
				if iNdEx < 0 {
					return 0, ErrInvalidLengthDiscovery
				}
			}
			return iNdEx, nil
		case 4:
			return iNdEx, nil
		case 5:
			iNdEx += 4
			return iNdEx, nil
		default:
			return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
		}
	}
	panic("unreachable")
}

var (
	ErrInvalidLengthDiscovery = fmt.Errorf("proto: negative length found during unmarshaling")
	ErrIntOverflowDiscovery   = fmt.Errorf("proto: integer overflow")
)


================================================
FILE: third_party/generated/envoyproxy/data-plane-api/envoy/service/auth/v2/attribute_context.pb.go
================================================
// Code generated by protoc-gen-gogo. DO NOT EDIT.
// source: envoy/service/auth/v2/attribute_context.proto

package v2

import (
	fmt "fmt"
	_ "github.com/gogo/protobuf/gogoproto"
	proto "github.com/gogo/protobuf/proto"
	github_com_gogo_protobuf_sortkeys "github.com/gogo/protobuf/sortkeys"
	types "github.com/gogo/protobuf/types"
	core "go.aporeto.io/trireme-lib/third_party/generated/envoyproxy/data-plane-api/envoy/api/v2/core"
	io "io"
	math "math"
	math_bits "math/bits"
)

// Reference imports to suppress errors if they are not otherwise used.
var _ = proto.Marshal
var _ = fmt.Errorf
var _ = math.Inf

// This is a compile-time assertion to ensure that this generated file
// is compatible with the proto package it is being compiled against.
// A compilation error at this line likely means your copy of the
// proto package needs to be updated.
const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package

// An attribute is a piece of metadata that describes an activity on a network.
// For example, the size of an HTTP request, or the status code of an HTTP response.
//
// Each attribute has a type and a name, which is logically defined as a proto message field
// of the `AttributeContext`. The `AttributeContext` is a collection of individual attributes
// supported by Envoy authorization system.
type AttributeContext struct {
	// The source of a network activity, such as starting a TCP connection.
	// In a multi hop network activity, the source represents the sender of the
	// last hop.
	Source *AttributeContext_Peer `protobuf:"bytes,1,opt,name=source,proto3" json:"source,omitempty"`
	// The destination of a network activity, such as accepting a TCP connection.
	// In a multi hop network activity, the destination represents the receiver of
	// the last hop.
	Destination *AttributeContext_Peer `protobuf:"bytes,2,opt,name=destination,proto3" json:"destination,omitempty"`
	// Represents a network request, such as an HTTP request.
	Request *AttributeContext_Request `protobuf:"bytes,4,opt,name=request,proto3" json:"request,omitempty"`
	// This is analogous to http_request.headers, however these contents will not be sent to the
	// upstream server. Context_extensions provide an extension mechanism for sending additional
	// information to the auth server without modifying the proto definition. It maps to the
	// internal opaque context in the filter chain.
	ContextExtensions    map[string]string `protobuf:"bytes,10,rep,name=context_extensions,json=contextExtensions,proto3" json:"context_extensions,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
	XXX_NoUnkeyedLiteral struct{}          `json:"-"`
	XXX_unrecognized     []byte            `json:"-"`
	XXX_sizecache        int32             `json:"-"`
}

func (m *AttributeContext) Reset()         { *m = AttributeContext{} }
func (m *AttributeContext) String() string { return proto.CompactTextString(m) }
func (*AttributeContext) ProtoMessage()    {}
func (*AttributeContext) Descriptor() ([]byte, []int) {
	return fileDescriptor_a6030c9468e3591b, []int{0}
}
func (m *AttributeContext) XXX_Unmarshal(b []byte) error {
	return m.Unmarshal(b)
}
func (m *AttributeContext) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
	b = b[:cap(b)]
	n, err := m.MarshalTo(b)
	if err != nil {
		return nil, err
	}
	return b[:n], nil
}
func (m *AttributeContext) XXX_Merge(src proto.Message) {
	xxx_messageInfo_AttributeContext.Merge(m, src)
}
func (m *AttributeContext) XXX_Size() int {
	return m.Size()
}
func (m *AttributeContext) XXX_DiscardUnknown() {
	xxx_messageInfo_AttributeContext.DiscardUnknown(m)
}

var xxx_messageInfo_AttributeContext proto.InternalMessageInfo

func (m *AttributeContext) GetSource() *AttributeContext_Peer {
	if m != nil {
		return m.Source
	}
	return nil
}

func (m *AttributeContext) GetDestination() *AttributeContext_Peer {
	if m != nil {
		return m.Destination
	}
	return nil
}

func (m *AttributeContext) GetRequest() *AttributeContext_Request {
	if m != nil {
		return m.Request
	}
	return nil
}

func (m *AttributeContext) GetContextExtensions() map[string]string {
	if m != nil {
		return m.ContextExtensions
	}
	return nil
}

// This message defines attributes for a node that handles a network request.
// The node can be either a service or an application that sends, forwards,
// or receives the request. Service peers should fill in the `service`,
// `principal`, and `labels` as appropriate.
type AttributeContext_Peer struct {
	// The address of the peer, this is typically the IP address.
	// It can also be UDS path, or others.
	Address *core.Address `protobuf:"bytes,1,opt,name=address,proto3" json:"address,omitempty"`
	// The canonical service name of the peer.
	// It should be set to :ref:`the HTTP x-envoy-downstream-service-cluster
	// <config_http_conn_man_headers_downstream-service-cluster>`
	// If a more trusted source of the service name is available through mTLS/secure naming, it
	// should be used.
	Service string `protobuf:"bytes,2,opt,name=service,proto3" json:"service,omitempty"`
	// The labels associated with the peer.
	// These could be pod labels for Kubernetes or tags for VMs.
	// The source of the labels could be an X.509 certificate or other configuration.
	Labels map[string]string `protobuf:"bytes,3,rep,name=labels,proto3" json:"labels,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
	// The authenticated identity of this peer.
	// For example, the identity associated with the workload such as a service account.
	// If an X.509 certificate is used to assert the identity this field should be sourced from
	// `Subject` or `Subject Alternative Names`. The primary identity should be the principal.
	// The principal format is issuer specific.
	//
	// Example:
	// *    SPIFFE format is `spiffe://trust-domain/path`
	// *    Google account format is `https://accounts.google.com/{userid}`
	Principal            string   `protobuf:"bytes,4,opt,name=principal,proto3" json:"principal,omitempty"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

func (m *AttributeContext_Peer) Reset()         { *m = AttributeContext_Peer{} }
func (m *AttributeContext_Peer) String() string { return proto.CompactTextString(m) }
func (*AttributeContext_Peer) ProtoMessage()    {}
func (*AttributeContext_Peer) Descriptor() ([]byte, []int) {
	return fileDescriptor_a6030c9468e3591b, []int{0, 0}
}
func (m *AttributeContext_Peer) XXX_Unmarshal(b []byte) error {
	return m.Unmarshal(b)
}
func (m *AttributeContext_Peer) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
	b = b[:cap(b)]
	n, err := m.MarshalTo(b)
	if err != nil {
		return nil, err
	}
	return b[:n], nil
}
func (m *AttributeContext_Peer) XXX_Merge(src proto.Message) {
	xxx_messageInfo_AttributeContext_Peer.Merge(m, src)
}
func (m *AttributeContext_Peer) XXX_Size() int {
	return m.Size()
}
func (m *AttributeContext_Peer) XXX_DiscardUnknown() {
	xxx_messageInfo_AttributeContext_Peer.DiscardUnknown(m)
}

var xxx_messageInfo_AttributeContext_Peer proto.InternalMessageInfo

func (m *AttributeContext_Peer) GetAddress() *core.Address {
	if m != nil {
		return m.Address
	}
	return nil
}

func (m *AttributeContext_Peer) GetService() string {
	if m != nil {
		return m.Service
	}
	return ""
}

func (m *AttributeContext_Peer) GetLabels() map[string]string {
	if m != nil {
		return m.Labels
	}
	return nil
}

func (m *AttributeContext_Peer) GetPrincipal() string {
	if m != nil {
		return m.Principal
	}
	return ""
}

// Represents a network request, such as an HTTP request.
type AttributeContext_Request struct {
	// The timestamp when the proxy receives the first byte of the request.
	Time *types.Timestamp `protobuf:"bytes,1,opt,name=time,proto3" json:"time,omitempty"`
	// Represents an HTTP request or an HTTP-like request.
	Http                 *AttributeContext_HttpRequest `protobuf:"bytes,2,opt,name=http,proto3" json:"http,omitempty"`
	XXX_NoUnkeyedLiteral struct{}                      `json:"-"`
	XXX_unrecognized     []byte                        `json:"-"`
	XXX_sizecache        int32                         `json:"-"`
}

func (m *AttributeContext_Request) Reset()         { *m = AttributeContext_Request{} }
func (m *AttributeContext_Request) String() string { return proto.CompactTextString(m) }
func (*AttributeContext_Request) ProtoMessage()    {}
func (*AttributeContext_Request) Descriptor() ([]byte, []int) {
	return fileDescriptor_a6030c9468e3591b, []int{0, 1}
}
func (m *AttributeContext_Request) XXX_Unmarshal(b []byte) error {
	return m.Unmarshal(b)
}
func (m *AttributeContext_Request) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
	b = b[:cap(b)]
	n, err := m.MarshalTo(b)
	if err != nil {
		return nil, err
	}
	return b[:n], nil
}
func (m *AttributeContext_Request) XXX_Merge(src proto.Message) {
	xxx_messageInfo_AttributeContext_Request.Merge(m, src)
}
func (m *AttributeContext_Request) XXX_Size() int {
	return m.Size()
}
func (m *AttributeContext_Request) XXX_DiscardUnknown() {
	xxx_messageInfo_AttributeContext_Request.DiscardUnknown(m)
}

var xxx_messageInfo_AttributeContext_Request proto.InternalMessageInfo

func (m *AttributeContext_Request) GetTime() *types.Timestamp {
	if m != nil {
		return m.Time
	}
	return nil
}

func (m *AttributeContext_Request) GetHttp() *AttributeContext_HttpRequest {
	if m != nil {
		return m.Http
	}
	return nil
}

// This message defines attributes for an HTTP request.
// HTTP/1.x, HTTP/2, gRPC are all considered as HTTP requests.
type AttributeContext_HttpRequest struct {
	// The unique ID for a request, which can be propagated to downstream
	// systems. The ID should have low probability of collision
	// within a single day for a specific service.
	// For HTTP requests, it should be X-Request-ID or equivalent.
	Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
	// The HTTP request method, such as `GET`, `POST`.
	Method string `protobuf:"bytes,2,opt,name=method,proto3" json:"method,omitempty"`
	// The HTTP request headers. If multiple headers share the same key, they
	// must be merged according to the HTTP spec. All header keys must be
	// lowercased, because HTTP header keys are case-insensitive.
	Headers map[string]string `protobuf:"bytes,3,rep,name=headers,proto3" json:"headers,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
	// The request target, as it appears in the first line of the HTTP request. This includes
	// the URL path and query-string. No decoding is performed.
	Path string `protobuf:"bytes,4,opt,name=path,proto3" json:"path,omitempty"`
	// The HTTP request `Host` or 'Authority` header value.
	Host string `protobuf:"bytes,5,opt,name=host,proto3" json:"host,omitempty"`
	// The HTTP URL scheme, such as `http` and `https`.
	Scheme string `protobuf:"bytes,6,opt,name=scheme,proto3" json:"scheme,omitempty"`
	// This field is always empty, and exists for compatibility reasons. The HTTP URL query is
	// included in `path` field.
	Query string `protobuf:"bytes,7,opt,name=query,proto3" json:"query,omitempty"`
	// This field is always empty, and exists for compatibility reasons. The URL fragment is
	// not submitted as part of HTTP requests; it is unknowable.
	Fragment string `protobuf:"bytes,8,opt,name=fragment,proto3" json:"fragment,omitempty"`
	// The HTTP request size in bytes. If unknown, it must be -1.
	Size_ int64 `protobuf:"varint,9,opt,name=size,proto3" json:"size,omitempty"`
	// The network protocol used with the request, such as "HTTP/1.0", "HTTP/1.1", or "HTTP/2".
	//
	// See :repo:`headers.h:ProtocolStrings <source/common/http/headers.h>` for a list of all
	// possible values.
	Protocol string `protobuf:"bytes,10,opt,name=protocol,proto3" json:"protocol,omitempty"`
	// The HTTP request body.
	Body                 string   `protobuf:"bytes,11,opt,name=body,proto3" json:"body,omitempty"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

func (m *AttributeContext_HttpRequest) Reset()         { *m = AttributeContext_HttpRequest{} }
func (m *AttributeContext_HttpRequest) String() string { return proto.CompactTextString(m) }
func (*AttributeContext_HttpRequest) ProtoMessage()    {}
func (*AttributeContext_HttpRequest) Descriptor() ([]byte, []int) {
	return fileDescriptor_a6030c9468e3591b, []int{0, 2}
}
func (m *AttributeContext_HttpRequest) XXX_Unmarshal(b []byte) error {
	return m.Unmarshal(b)
}
func (m *AttributeContext_HttpRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
	b = b[:cap(b)]
	n, err := m.MarshalTo(b)
	if err != nil {
		return nil, err
	}
	return b[:n], nil
}
func (m *AttributeContext_HttpRequest) XXX_Merge(src proto.Message) {
	xxx_messageInfo_AttributeContext_HttpRequest.Merge(m, src)
}
func (m *AttributeContext_HttpRequest) XXX_Size() int {
	return m.Size()
}
func (m *AttributeContext_HttpRequest) XXX_DiscardUnknown() {
	xxx_messageInfo_AttributeContext_HttpRequest.DiscardUnknown(m)
}

var xxx_messageInfo_AttributeContext_HttpRequest proto.InternalMessageInfo

func (m *AttributeContext_HttpRequest) GetId() string {
	if m != nil {
		return m.Id
	}
	return ""
}

func (m *AttributeContext_HttpRequest) GetMethod() string {
	if m != nil {
		return m.Method
	}
	return ""
}

func (m *AttributeContext_HttpRequest) GetHeaders() map[string]string {
	if m != nil {
		return m.Headers
	}
	return nil
}

func (m *AttributeContext_HttpRequest) GetPath() string {
	if m != nil {
		return m.Path
	}
	return ""
}

func (m *AttributeContext_HttpRequest) GetHost() string {
	if m != nil {
		return m.Host
	}
	return ""
}

func (m *AttributeContext_HttpRequest) GetScheme() string {
	if m != nil {
		return m.Scheme
	}
	return ""
}

func (m *AttributeContext_HttpRequest) GetQuery() string {
	if m != nil {
		return m.Query
	}
	return ""
}

func (m *AttributeContext_HttpRequest) GetFragment() string {
	if m != nil {
		return m.Fragment
	}
	return ""
}

func (m *AttributeContext_HttpRequest) GetSize_() int64 {
	if m != nil {
		return m.Size_
	}
	return 0
}

func (m *AttributeContext_HttpRequest) GetProtocol() string {
	if m != nil {
		return m.Protocol
	}
	return ""
}

func (m *AttributeContext_HttpRequest) GetBody() string {
	if m != nil {
		return m.Body
	}
	return ""
}

func init() {
	proto.RegisterType((*AttributeContext)(nil), "envoy.service.auth.v2.AttributeContext")
	proto.RegisterMapType((map[string]string)(nil), "envoy.service.auth.v2.AttributeContext.ContextExtensionsEntry")
	proto.RegisterType((*AttributeContext_Peer)(nil), "envoy.service.auth.v2.AttributeContext.Peer")
	proto.RegisterMapType((map[string]string)(nil), "envoy.service.auth.v2.AttributeContext.Peer.LabelsEntry")
	proto.RegisterType((*AttributeContext_Request)(nil), "envoy.service.auth.v2.AttributeContext.Request")
	proto.RegisterType((*AttributeContext_HttpRequest)(nil), "envoy.service.auth.v2.AttributeContext.HttpRequest")
	proto.RegisterMapType((map[string]string)(nil), "envoy.service.auth.v2.AttributeContext.HttpRequest.HeadersEntry")
}

func init() {
	proto.RegisterFile("envoy/service/auth/v2/attribute_context.proto", fileDescriptor_a6030c9468e3591b)
}

var fileDescriptor_a6030c9468e3591b = []byte{
	// 621 bytes of a gzipped FileDescriptorProto
	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x9c, 0x53, 0x4d, 0x6f, 0xd3, 0x40,
	0x10, 0x95, 0x93, 0x34, 0x69, 0x26, 0x08, 0x95, 0x55, 0x5b, 0x59, 0x16, 0x4a, 0x2b, 0xb8, 0xf4,
	0x00, 0x6b, 0x29, 0xe5, 0x50, 0x7a, 0x40, 0xb4, 0xb4, 0xa2, 0x48, 0xa8, 0x8a, 0x2c, 0x4e, 0x5c,
	0xaa, 0x8d, 0x3d, 0x8d, 0x57, 0x24, 0x5e, 0x77, 0x77, 0x1d, 0x35, 0xdc, 0x80, 0x1f, 0xc5, 0x5f,
	0xe0, 0xc8, 0x91, 0x23, 0xca, 0x2f, 0x41, 0xfb, 0xe1, 0x12, 0x55, 0x3d, 0x34, 0x3d, 0x65, 0x66,
	0xf2, 0xe6, 0xed, 0x9b, 0x37, 0x63, 0x78, 0x89, 0xc5, 0x4c, 0xcc, 0x63, 0x85, 0x72, 0xc6, 0x53,
	0x8c, 0x59, 0xa5, 0xf3, 0x78, 0x36, 0x88, 0x99, 0xd6, 0x92, 0x8f, 0x2a, 0x8d, 0x17, 0xa9, 0x28,
	0x34, 0x5e, 0x6b, 0x5a, 0x4a, 0xa1, 0x05, 0xd9, 0xb2, 0x70, 0xea, 0xe1, 0xd4, 0xc0, 0xe9, 0x6c,
	0x10, 0xed, 0x38, 0x16, 0x56, 0x72, 0xd3, 0x9c, 0x0a, 0x89, 0x31, 0xcb, 0x32, 0x89, 0x4a, 0xb9,
	0xbe, 0x68, 0x67, 0x2c, 0xc4, 0x78, 0x82, 0xb1, 0xcd, 0x46, 0xd5, 0x65, 0xac, 0xf9, 0x14, 0x95,
	0x66, 0xd3, 0xd2, 0x03, 0x36, 0xc7, 0x62, 0x2c, 0x6c, 0x18, 0x9b, 0xc8, 0x55, 0x9f, 0xfd, 0xec,
	0xc2, 0xc6, 0x51, 0x2d, 0xe5, 0x9d, 0x53, 0x42, 0x4e, 0xa0, 0xad, 0x44, 0x25, 0x53, 0x0c, 0x83,
	0xdd, 0x60, 0xaf, 0x37, 0x78, 0x41, 0xef, 0x14, 0x45, 0x6f, 0x37, 0xd2, 0x21, 0xa2, 0x4c, 0x7c,
	0x2f, 0x39, 0x87, 0x5e, 0x86, 0x4a, 0xf3, 0x82, 0x69, 0x2e, 0x8a, 0xb0, 0xf1, 0x00, 0xaa, 0x65,
	0x02, 0xf2, 0x01, 0x3a, 0x12, 0xaf, 0x2a, 0x54, 0x3a, 0x6c, 0x59, 0xae, 0xf8, 0xbe, 0x5c, 0x89,
	0x6b, 0x4b, 0xea, 0x7e, 0x32, 0x05, 0xe2, 0x5d, 0xbf, 0xc0, 0x6b, 0x8d, 0x85, 0xe2, 0xa2, 0x50,
	0x21, 0xec, 0x36, 0xf7, 0x7a, 0x83, 0x37, 0xf7, 0x65, 0xf5, 0xbf, 0xa7, 0x37, 0x04, 0xa7, 0x85,
	0x96, 0xf3, 0xe4, 0x49, 0x7a, 0xbb, 0x1e, 0x7d, 0x6b, 0x40, 0xcb, 0xcc, 0x43, 0x5e, 0x41, 0xc7,
	0x6f, 0xcd, 0x3b, 0x1b, 0xf9, 0xc7, 0x58, 0xc9, 0xcd, 0x1b, 0x66, 0xaf, 0xf4, 0xc8, 0x21, 0x92,
	0x1a, 0x4a, 0x42, 0xe8, 0x78, 0x31, 0xd6, 0xc4, 0x6e, 0x52, 0xa7, 0x64, 0x08, 0xed, 0x09, 0x1b,
	0xe1, 0x44, 0x85, 0x4d, 0xab, 0xfd, 0x60, 0x15, 0x77, 0xe9, 0x47, 0xdb, 0xea, 0x54, 0x7b, 0x1e,
	0xf2, 0x14, 0xba, 0xa5, 0xe4, 0x45, 0xca, 0x4b, 0x36, 0xb1, 0x36, 0x77, 0x93, 0xff, 0x85, 0xe8,
	0x35, 0xf4, 0x96, 0x9a, 0xc8, 0x06, 0x34, 0xbf, 0xe0, 0xdc, 0x8e, 0xd2, 0x4d, 0x4c, 0x48, 0x36,
	0x61, 0x6d, 0xc6, 0x26, 0x55, 0x2d, 0xd4, 0x25, 0x87, 0x8d, 0x83, 0x20, 0xfa, 0x1e, 0x40, 0xc7,
	0xef, 0x81, 0x50, 0x68, 0x99, 0xeb, 0xbc, 0xf1, 0xc0, 0x9d, 0x2e, 0xad, 0x4f, 0x97, 0x7e, 0xaa,
	0x4f, 0x37, 0xb1, 0x38, 0xf2, 0x1e, 0x5a, 0xb9, 0xd6, 0xa5, 0x3f, 0xa1, 0xfd, 0xfb, 0x0e, 0x79,
	0xa6, 0x75, 0x59, 0xaf, 0xde, 0x12, 0x44, 0x3f, 0x9a, 0xd0, 0x5b, 0xaa, 0x92, 0xc7, 0xd0, 0xe0,
	0x99, 0xd7, 0xdf, 0xe0, 0x19, 0xd9, 0x86, 0xf6, 0x14, 0x75, 0x2e, 0x32, 0xaf, 0xdf, 0x67, 0xe4,
	0x33, 0x74, 0x72, 0x64, 0x19, 0xca, 0xda, 0xe8, 0xb7, 0x0f, 0xd0, 0x40, 0xcf, 0x1c, 0x85, 0x33,
	0xbc, 0x26, 0x24, 0x04, 0x5a, 0x25, 0xd3, 0xb9, 0x37, 0xdb, 0xc6, 0xa6, 0x96, 0x0b, 0xa5, 0xc3,
	0x35, 0x57, 0x33, 0xb1, 0xd1, 0xa6, 0xd2, 0x1c, 0xa7, 0x18, 0xb6, 0x9d, 0x36, 0x97, 0x19, 0xcb,
	0xaf, 0x2a, 0x94, 0xf3, 0xb0, 0xe3, 0x2c, 0xb7, 0x09, 0x89, 0x60, 0xfd, 0x52, 0xb2, 0xf1, 0x14,
	0x0b, 0x1d, 0xae, 0xdb, 0x3f, 0x6e, 0x72, 0xc3, 0xae, 0xf8, 0x57, 0x0c, 0xbb, 0xbb, 0xc1, 0x5e,
	0x33, 0xb1, 0xb1, 0xc1, 0x5b, 0xfb, 0x53, 0x31, 0x09, 0xc1, 0xe1, 0xeb, 0xdc, 0xe0, 0x47, 0x22,
	0x9b, 0x87, 0x3d, 0xa7, 0xc6, 0xc4, 0xd1, 0x21, 0x3c, 0x5a, 0x1e, 0x67, 0xa5, 0x53, 0x38, 0x81,
	0xed, 0xbb, 0xbf, 0x9d, 0x55, 0x58, 0x8e, 0xcf, 0x7f, 0x2d, 0xfa, 0xc1, 0xef, 0x45, 0x3f, 0xf8,
	0xb3, 0xe8, 0x07, 0x7f, 0x17, 0xfd, 0x00, 0x9e, 0x73, 0xe1, 0xd6, 0x52, 0x4a, 0x71, 0x3d, 0xbf,
	0x7b, 0x43, 0xc7, 0x5b, 0xb7, 0x57, 0x34, 0x34, 0x63, 0x0e, 0x83, 0x51, 0xdb, 0xce, 0xbb, 0xff,
	0x2f, 0x00, 0x00, 0xff, 0xff, 0xf8, 0x85, 0x21, 0xfa, 0xb0, 0x05, 0x00, 0x00,
}

func (m *AttributeContext) Marshal() (dAtA []byte, err error) {
	size := m.Size()
	dAtA = make([]byte, size)
	n, err := m.MarshalTo(dAtA)
	if err != nil {
		return nil, err
	}
	return dAtA[:n], nil
}

func (m *AttributeContext) MarshalTo(dAtA []byte) (int, error) {
	var i int
	_ = i
	var l int
	_ = l
	if m.Source != nil {
		dAtA[i] = 0xa
		i++
		i = encodeVarintAttributeContext(dAtA, i, uint64(m.Source.Size()))
		n1, err1 := m.Source.MarshalTo(dAtA[i:])
		if err1 != nil {
			return 0, err1
		}
		i += n1
	}
	if m.Destination != nil {
		dAtA[i] = 0x12
		i++
		i = encodeVarintAttributeContext(dAtA, i, uint64(m.Destination.Size()))
		n2, err2 := m.Destination.MarshalTo(dAtA[i:])
		if err2 != nil {
			return 0, err2
		}
		i += n2
	}
	if m.Request != nil {
		dAtA[i] = 0x22
		i++
		i = encodeVarintAttributeContext(dAtA, i, uint64(m.Request.Size()))
		n3, err3 := m.Request.MarshalTo(dAtA[i:])
		if err3 != nil {
			return 0, err3
		}
		i += n3
	}
	if len(m.ContextExtensions) > 0 {
		keysForContextExtensions := make([]string, 0, len(m.ContextExtensions))
		for k, _ := range m.ContextExtensions {
			keysForContextExtensions = append(keysForContextExtensions, string(k))
		}
		github_com_gogo_protobuf_sortkeys.Strings(keysForContextExtensions)
		for _, k := range keysForContextExtensions {
			dAtA[i] = 0x52
			i++
			v := m.ContextExtensions[string(k)]
			mapSize := 1 + len(k) + sovAttributeContext(uint64(len(k))) + 1 + len(v) + sovAttributeContext(uint64(len(v)))
			i = encodeVarintAttributeContext(dAtA, i, uint64(mapSize))
			dAtA[i] = 0xa
			i++
			i = encodeVarintAttributeContext(dAtA, i, uint64(len(k)))
			i += copy(dAtA[i:], k)
			dAtA[i] = 0x12
			i++
			i = encodeVarintAttributeContext(dAtA, i, uint64(len(v)))
			i += copy(dAtA[i:], v)
		}
	}
	if m.XXX_unrecognized != nil {
		i += copy(dAtA[i:], m.XXX_unrecognized)
	}
	return i, nil
}

func (m *AttributeContext_Peer) Marshal() (dAtA []byte, err error) {
	size := m.Size()
	dAtA = make([]byte, size)
	n, err := m.MarshalTo(dAtA)
	if err != nil {
		return nil, err
	}
	return dAtA[:n], nil
}

func (m *AttributeContext_Peer) MarshalTo(dAtA []byte) (int, error) {
	var i int
	_ = i
	var l int
	_ = l
	if m.Address != nil {
		dAtA[i] = 0xa
		i++
		i = encodeVarintAttributeContext(dAtA, i, uint64(m.Address.Size()))
		n4, err4 := m.Address.MarshalTo(dAtA[i:])
		if err4 != nil {
			return 0, err4
		}
		i += n4
	}
	if len(m.Service) > 0 {
		dAtA[i] = 0x12
		i++
		i = encodeVarintAttributeContext(dAtA, i, uint64(len(m.Service)))
		i += copy(dAtA[i:], m.Service)
	}
	if len(m.Labels) > 0 {
		keysForLabels := make([]string, 0, len(m.Labels))
		for k, _ := range m.Labels {
			keysForLabels = append(keysForLabels, string(k))
		}
		github_com_gogo_protobuf_sortkeys.Strings(keysForLabels)
		for _, k := range keysForLabels {
			dAtA[i] = 0x1a
			i++
			v := m.Labels[string(k)]
			mapSize := 1 + len(k) + sovAttributeContext(uint64(len(k))) + 1 + len(v) + sovAttributeContext(uint64(len(v)))
			i = encodeVarintAttributeContext(dAtA, i, uint64(mapSize))
			dAtA[i] = 0xa
			i++
			i = encodeVarintAttributeContext(dAtA, i, uint64(len(k)))
			i += copy(dAtA[i:], k)
			dAtA[i] = 0x12
			i++
			i = encodeVarintAttributeContext(dAtA, i, uint64(len(v)))
			i += copy(dAtA[i:], v)
		}
	}
	if len(m.Principal) > 0 {
		dAtA[i] = 0x22
		i++
		i = encodeVarintAttributeContext(dAtA, i, uint64(len(m.Principal)))
		i += copy(dAtA[i:], m.Principal)
	}
	if m.XXX_unrecognized != nil {
		i += copy(dAtA[i:], m.XXX_unrecognized)
	}
	return i, nil
}

func (m *AttributeContext_Request) Marshal() (dAtA []byte, err error) {
	size := m.Size()
	dAtA = make([]byte, size)
	n, err := m.MarshalTo(dAtA)
	if err != nil {
		return nil, err
	}
	return dAtA[:n], nil
}

func (m *AttributeContext_Request) MarshalTo(dAtA []byte) (int, error) {
	var i int
	_ = i
	var l int
	_ = l
	if m.Time != nil {
		dAtA[i] = 0xa
		i++
		i = encodeVarintAttributeContext(dAtA, i, uint64(m.Time.Size()))
		n5, err5 := m.Time.MarshalTo(dAtA[i:])
		if err5 != nil {
			return 0, err5
		}
		i += n5
	}
	if m.Http != nil {
		dAtA[i] = 0x12
		i++
		i = encodeVarintAttributeContext(dAtA, i, uint64(m.Http.Size()))
		n6, err6 := m.Http.MarshalTo(dAtA[i:])
		if err6 != nil {
			return 0, err6
		}
		i += n6
	}
	if m.XXX_unrecognized != nil {
		i += copy(dAtA[i:], m.XXX_unrecognized)
	}
	return i, nil
}

func (m *AttributeContext_HttpRequest) Marshal() (dAtA []byte, err error) {
	size := m.Size()
	dAtA = make([]byte, size)
	n, err := m.MarshalTo(dAtA)
	if err != nil {
		return nil, err
	}
	return dAtA[:n], nil
}

func (m *AttributeContext_HttpRequest) MarshalTo(dAtA []byte) (int, error) {
	var i int
	_ = i
	var l int
	_ = l
	if len(m.Id) > 0 {
		dAtA[i] = 0xa
		i++
		i = encodeVarintAttributeContext(dAtA, i, uint64(len(m.Id)))
		i += copy(dAtA[i:], m.Id)
	}
	if len(m.Method) > 0 {
		dAtA[i] = 0x12
		i++
		i = encodeVarintAttributeContext(dAtA, i, uint64(len(m.Method)))
		i += copy(dAtA[i:], m.Method)
	}
	if len(m.Headers) > 0 {
		keysForHeaders := make([]string, 0, len(m.Headers))
		for k, _ := range m.Headers {
			keysForHeaders = append(keysForHeaders, string(k))
		}
		github_com_gogo_protobuf_sortkeys.Strings(keysForHeaders)
		for _, k := range keysForHeaders {
			dAtA[i] = 0x1a
			i++
			v := m.Headers[string(k)]
			mapSize := 1 + len(k) + sovAttributeContext(uint64(len(k))) + 1 + len(v) + sovAttributeContext(uint64(len(v)))
			i = encodeVarintAttributeContext(dAtA, i, uint64(mapSize))
			dAtA[i] = 0xa
			i++
			i = encodeVarintAttributeContext(dAtA, i, uint64(len(k)))
			i += copy(dAtA[i:], k)
			dAtA[i] = 0x12
			i++
			i = encodeVarintAttributeContext(dAtA, i, uint64(len(v)))
			i += copy(dAtA[i:], v)
		}
	}
	if len(m.Path) > 0 {
		dAtA[i] = 0x22
		i++
		i = encodeVarintAttributeContext(dAtA, i, uint64(len(m.Path)))
		i += copy(dAtA[i:], m.Path)
	}
	if len(m.Host) > 0 {
		dAtA[i] = 0x2a
		i++
		i = encodeVarintAttributeContext(dAtA, i, uint64(len(m.Host)))
		i += copy(dAtA[i:], m.Host)
	}
	if len(m.Scheme) > 0 {
		dAtA[i] = 0x32
		i++
		i = encodeVarintAttributeContext(dAtA, i, uint64(len(m.Scheme)))
		i += copy(dAtA[i:], m.Scheme)
	}
	if len(m.Query) > 0 {
		dAtA[i] = 0x3a
		i++
		i = encodeVarintAttributeContext(dAtA, i, uint64(len(m.Query)))
		i += copy(dAtA[i:], m.Query)
	}
	if len(m.Fragment) > 0 {
		dAtA[i] = 0x42
		i++
		i = encodeVarintAttributeContext(dAtA, i, uint64(len(m.Fragment)))
		i += copy(dAtA[i:], m.Fragment)
	}
	if m.Size_ != 0 {
		dAtA[i] = 0x48
		i++
		i = encodeVarintAttributeContext(dAtA, i, uint64(m.Size_))
	}
	if len(m.Protocol) > 0 {
		dAtA[i] = 0x52
		i++
		i = encodeVarintAttributeContext(dAtA, i, uint64(len(m.Protocol)))
		i += copy(dAtA[i:], m.Protocol)
	}
	if len(m.Body) > 0 {
		dAtA[i] = 0x5a
		i++
		i = encodeVarintAttributeContext(dAtA, i, uint64(len(m.Body)))
		i += copy(dAtA[i:], m.Body)
	}
	if m.XXX_unrecognized != nil {
		i += copy(dAtA[i:], m.XXX_unrecognized)
	}
	return i, nil
}

func encodeVarintAttributeContext(dAtA []byte, offset int, v uint64) int {
	for v >= 1<<7 {
		dAtA[offset] = uint8(v&0x7f | 0x80)
		v >>= 7
		offset++
	}
	dAtA[offset] = uint8(v)
	return offset + 1
}
func (m *AttributeContext) Size() (n int) {
	if m == nil {
		return 0
	}
	var l int
	_ = l
	if m.Source != nil {
		l = m.Source.Size()
		n += 1 + l + sovAttributeContext(uint64(l))
	}
	if m.Destination != nil {
		l = m.Destination.Size()
		n += 1 + l + sovAttributeContext(uint64(l))
	}
	if m.Request != nil {
		l = m.Request.Size()
		n += 1 + l + sovAttributeContext(uint64(l))
	}
	if len(m.ContextExtensions) > 0 {
		for k, v := range m.ContextExtensions {
			_ = k
			_ = v
			mapEntrySize := 1 + len(k) + sovAttributeContext(uint64(len(k))) + 1 + len(v) + sovAttributeContext(uint64(len(v)))
			n += mapEntrySize + 1 + sovAttributeContext(uint64(mapEntrySize))
		}
	}
	if m.XXX_unrecognized != nil {
		n += len(m.XXX_unrecognized)
	}
	return n
}

func (m *AttributeContext_Peer) Size() (n int) {
	if m == nil {
		return 0
	}
	var l int
	_ = l
	if m.Address != nil {
		l = m.Address.Size()
		n += 1 + l + sovAttributeContext(uint64(l))
	}
	l = len(m.Service)
	if l > 0 {
		n += 1 + l + sovAttributeContext(uint64(l))
	}
	if len(m.Labels) > 0 {
		for k, v := range m.Labels {
			_ = k
			_ = v
			mapEntrySize := 1 + len(k) + sovAttributeContext(uint64(len(k))) + 1 + len(v) + sovAttributeContext(uint64(len(v)))
			n += mapEntrySize + 1 + sovAttributeContext(uint64(mapEntrySize))
		}
	}
	l = len(m.Principal)
	if l > 0 {
		n += 1 + l + sovAttributeContext(uint64(l))
	}
	if m.XXX_unrecognized != nil {
		n += len(m.XXX_unrecognized)
	}
	return n
}

func (m *AttributeContext_Request) Size() (n int) {
	if m == nil {
		return 0
	}
	var l int
	_ = l
	if m.Time != nil {
		l = m.Time.Size()
		n += 1 + l + sovAttributeContext(uint64(l))
	}
	if m.Http != nil {
		l = m.Http.Size()
		n += 1 + l + sovAttributeContext(uint64(l))
	}
	if m.XXX_unrecognized != nil {
		n += len(m.XXX_unrecognized)
	}
	return n
}

func (m *AttributeContext_HttpRequest) Size() (n int) {
	if m == nil {
		return 0
	}
	var l int
	_ = l
	l = len(m.Id)
	if l > 0 {
		n += 1 + l + sovAttributeContext(uint64(l))
	}
	l = len(m.Method)
	if l > 0 {
		n += 1 + l + sovAttributeContext(uint64(l))
	}
	if len(m.Headers) > 0 {
		for k, v := range m.Headers {
			_ = k
			_ = v
			mapEntrySize := 1 + len(k) + sovAttributeContext(uint64(len(k))) + 1 + len(v) + sovAttributeContext(uint64(len(v)))
			n += mapEntrySize + 1 + sovAttributeContext(uint64(mapEntrySize))
		}
	}
	l = len(m.Path)
	if l > 0 {
		n += 1 + l + sovAttributeContext(uint64(l))
	}
	l = len(m.Host)
	if l > 0 {
		n += 1 + l + sovAttributeContext(uint64(l))
	}
	l = len(m.Scheme)
	if l > 0 {
		n += 1 + l + sovAttributeContext(uint64(l))
	}
	l = len(m.Query)
	if l > 0 {
		n += 1 + l + sovAttributeContext(uint64(l))
	}
	l = len(m.Fragment)
	if l > 0 {
		n += 1 + l + sovAttributeContext(uint64(l))
	}
	if m.Size_ != 0 {
		n += 1 + sovAttributeContext(uint64(m.Size_))
	}
	l = len(m.Protocol)
	if l > 0 {
		n += 1 + l + sovAttributeContext(uint64(l))
	}
	l = len(m.Body)
	if l > 0 {
		n += 1 + l + sovAttributeContext(uint64(l))
	}
	if m.XXX_unrecognized != nil {
		n += len(m.XXX_unrecognized)
	}
	return n
}

func sovAttributeContext(x uint64) (n int) {
	return (math_bits.Len64(x|1) + 6) / 7
}
func sozAttributeContext(x uint64) (n int) {
	return sovAttributeContext(uint64((x << 1) ^ uint64((int64(x) >> 63))))
}
func (m *AttributeContext) Unmarshal(dAtA []byte) error {
	l := len(dAtA)
	iNdEx := 0
	for iNdEx < l {
		preIndex := iNdEx
		var wire uint64
		for shift := uint(0); ; shift += 7 {
			if shift >= 64 {
				return ErrIntOverflowAttributeContext
			}
			if iNdEx >= l {
				return io.ErrUnexpectedEOF
			}
			b := dAtA[iNdEx]
			iNdEx++
			wire |= uint64(b&0x7F) << shift
			if b < 0x80 {
				break
			}
		}
		fieldNum := int32(wire >> 3)
		wireType := int(wire & 0x7)
		if wireType == 4 {
			return fmt.Errorf("proto: AttributeContext: wiretype end group for non-group")
		}
		if fieldNum <= 0 {
			return fmt.Errorf("proto: AttributeContext: illegal tag %d (wire type %d)", fieldNum, wire)
		}
		switch fieldNum {
		case 1:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field Source", wireType)
			}
			var msglen int
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowAttributeContext
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				msglen |= int(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			if msglen < 0 {
				return ErrInvalidLengthAttributeContext
			}
			postIndex := iNdEx + msglen
			if postIndex < 0 {
				return ErrInvalidLengthAttributeContext
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			if m.Source == nil {
				m.Source = &AttributeContext_Peer{}
			}
			if err := m.Source.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
				return err
			}
			iNdEx = postIndex
		case 2:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field Destination", wireType)
			}
			var msglen int
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowAttributeContext
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				msglen |= int(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			if msglen < 0 {
				return ErrInvalidLengthAttributeContext
			}
			postIndex := iNdEx + msglen
			if postIndex < 0 {
				return ErrInvalidLengthAttributeContext
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			if m.Destination == nil {
				m.Destination = &AttributeContext_Peer{}
			}
			if err := m.Destination.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
				return err
			}
			iNdEx = postIndex
		case 4:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field Request", wireType)
			}
			var msglen int
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowAttributeContext
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				msglen |= int(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			if msglen < 0 {
				return ErrInvalidLengthAttributeContext
			}
			postIndex := iNdEx + msglen
			if postIndex < 0 {
				return ErrInvalidLengthAttributeContext
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			if m.Request == nil {
				m.Request = &AttributeContext_Request{}
			}
			if err := m.Request.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
				return err
			}
			iNdEx = postIndex
		case 10:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field ContextExtensions", wireType)
			}
			var msglen int
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowAttributeContext
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				msglen |= int(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			if msglen < 0 {
				return ErrInvalidLengthAttributeContext
			}
			postIndex := iNdEx + msglen
			if postIndex < 0 {
				return ErrInvalidLengthAttributeContext
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			if m.ContextExtensions == nil {
				m.ContextExtensions = make(map[string]string)
			}
			var mapkey string
			var mapvalue string
			for iNdEx < postIndex {
				entryPreIndex := iNdEx
				var wire uint64
				for shift := uint(0); ; shift += 7 {
					if shift >= 64 {
						return ErrIntOverflowAttributeContext
					}
					if iNdEx >= l {
						return io.ErrUnexpectedEOF
					}
					b := dAtA[iNdEx]
					iNdEx++
					wire |= uint64(b&0x7F) << shift
					if b < 0x80 {
						break
					}
				}
				fieldNum := int32(wire >> 3)
				if fieldNum == 1 {
					var stringLenmapkey uint64
					for shift := uint(0); ; shift += 7 {
						if shift >= 64 {
							return ErrIntOverflowAttributeContext
						}
						if iNdEx >= l {
							return io.ErrUnexpectedEOF
						}
						b := dAtA[iNdEx]
						iNdEx++
						stringLenmapkey |= uint64(b&0x7F) << shift
						if b < 0x80 {
							break
						}
					}
					intStringLenmapkey := int(stringLenmapkey)
					if intStringLenmapkey < 0 {
						return ErrInvalidLengthAttributeContext
					}
					postStringIndexmapkey := iNdEx + intStringLenmapkey
					if postStringIndexmapkey < 0 {
						return ErrInvalidLengthAttributeContext
					}
					if postStringIndexmapkey > l {
						return io.ErrUnexpectedEOF
					}
					mapkey = string(dAtA[iNdEx:postStringIndexmapkey])
					iNdEx = postStringIndexmapkey
				} else if fieldNum == 2 {
					var stringLenmapvalue uint64
					for shift := uint(0); ; shift += 7 {
						if shift >= 64 {
							return ErrIntOverflowAttributeContext
						}
						if iNdEx >= l {
							return io.ErrUnexpectedEOF
						}
						b := dAtA[iNdEx]
						iNdEx++
						stringLenmapvalue |= uint64(b&0x7F) << shift
						if b < 0x80 {
							break
						}
					}
					intStringLenmapvalue := int(stringLenmapvalue)
					if intStringLenmapvalue < 0 {
						return ErrInvalidLengthAttributeContext
					}
					postStringIndexmapvalue := iNdEx + intStringLenmapvalue
					if postStringIndexmapvalue < 0 {
						return ErrInvalidLengthAttributeContext
					}
					if postStringIndexmapvalue > l {
						return io.ErrUnexpectedEOF
					}
					mapvalue = string(dAtA[iNdEx:postStringIndexmapvalue])
					iNdEx = postStringIndexmapvalue
				} else {
					iNdEx = entryPreIndex
					skippy, err := skipAttributeContext(dAtA[iNdEx:])
					if err != nil {
						return err
					}
					if skippy < 0 {
						return ErrInvalidLengthAttributeContext
					}
					if (iNdEx + skippy) > postIndex {
						return io.ErrUnexpectedEOF
					}
					iNdEx += skippy
				}
			}
			m.ContextExtensions[mapkey] = mapvalue
			iNdEx = postIndex
		default:
			iNdEx = preIndex
			skippy, err := skipAttributeContext(dAtA[iNdEx:])
			if err != nil {
				return err
			}
			if skippy < 0 {
				return ErrInvalidLengthAttributeContext
			}
			if (iNdEx + skippy) < 0 {
				return ErrInvalidLengthAttributeContext
			}
			if (iNdEx + skippy) > l {
				return io.ErrUnexpectedEOF
			}
			m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...)
			iNdEx += skippy
		}
	}

	if iNdEx > l {
		return io.ErrUnexpectedEOF
	}
	return nil
}
func (m *AttributeContext_Peer) Unmarshal(dAtA []byte) error {
	l := len(dAtA)
	iNdEx := 0
	for iNdEx < l {
		preIndex := iNdEx
		var wire uint64
		for shift := uint(0); ; shift += 7 {
			if shift >= 64 {
				return ErrIntOverflowAttributeContext
			}
			if iNdEx >= l {
				return io.ErrUnexpectedEOF
			}
			b := dAtA[iNdEx]
			iNdEx++
			wire |= uint64(b&0x7F) << shift
			if b < 0x80 {
				break
			}
		}
		fieldNum := int32(wire >> 3)
		wireType := int(wire & 0x7)
		if wireType == 4 {
			return fmt.Errorf("proto: Peer: wiretype end group for non-group")
		}
		if fieldNum <= 0 {
			return fmt.Errorf("proto: Peer: illegal tag %d (wire type %d)", fieldNum, wire)
		}
		switch fieldNum {
		case 1:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field Address", wireType)
			}
			var msglen int
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowAttributeContext
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				msglen |= int(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			if msglen < 0 {
				return ErrInvalidLengthAttributeContext
			}
			postIndex := iNdEx + msglen
			if postIndex < 0 {
				return ErrInvalidLengthAttributeContext
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			if m.Address == nil {
				m.Address = &core.Address{}
			}
			if err := m.Address.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
				return err
			}
			iNdEx = postIndex
		case 2:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field Service", wireType)
			}
			var stringLen uint64
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowAttributeContext
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				stringLen |= uint64(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			intStringLen := int(stringLen)
			if intStringLen < 0 {
				return ErrInvalidLengthAttributeContext
			}
			postIndex := iNdEx + intStringLen
			if postIndex < 0 {
				return ErrInvalidLengthAttributeContext
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			m.Service = string(dAtA[iNdEx:postIndex])
			iNdEx = postIndex
		case 3:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field Labels", wireType)
			}
			var msglen int
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowAttributeContext
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				msglen |= int(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			if msglen < 0 {
				return ErrInvalidLengthAttributeContext
			}
			postIndex := iNdEx + msglen
			if postIndex < 0 {
				return ErrInvalidLengthAttributeContext
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			if m.Labels == nil {
				m.Labels = make(map[string]string)
			}
			var mapkey string
			var mapvalue string
			for iNdEx < postIndex {
				entryPreIndex := iNdEx
				var wire uint64
				for shift := uint(0); ; shift += 7 {
					if shift >= 64 {
						return ErrIntOverflowAttributeContext
					}
					if iNdEx >= l {
						return io.ErrUnexpectedEOF
					}
					b := dAtA[iNdEx]
					iNdEx++
					wire |= uint64(b&0x7F) << shift
					if b < 0x80 {
						break
					}
				}
				fieldNum := int32(wire >> 3)
				if fieldNum == 1 {
					var stringLenmapkey uint64
					for shift := uint(0); ; shift += 7 {
						if shift >= 64 {
							return ErrIntOverflowAttributeContext
						}
						if iNdEx >= l {
							return io.ErrUnexpectedEOF
						}
						b := dAtA[iNdEx]
						iNdEx++
						stringLenmapkey |= uint64(b&0x7F) << shift
						if b < 0x80 {
							break
						}
					}
					intStringLenmapkey := int(stringLenmapkey)
					if intStringLenmapkey < 0 {
						return ErrInvalidLengthAttributeContext
					}
					postStringIndexmapkey := iNdEx + intStringLenmapkey
					if postStringIndexmapkey < 0 {
						return ErrInvalidLengthAttributeContext
					}
					if postStringIndexmapkey > l {
						return io.ErrUnexpectedEOF
					}
					mapkey = string(dAtA[iNdEx:postStringIndexmapkey])
					iNdEx = postStringIndexmapkey
				} else if fieldNum == 2 {
					var stringLenmapvalue uint64
					for shift := uint(0); ; shift += 7 {
						if shift >= 64 {
							return ErrIntOverflowAttributeContext
						}
						if iNdEx >= l {
							return io.ErrUnexpectedEOF
						}
						b := dAtA[iNdEx]
						iNdEx++
						stringLenmapvalue |= uint64(b&0x7F) << shift
						if b < 0x80 {
							break
						}
					}
					intStringLenmapvalue := int(stringLenmapvalue)
					if intStringLenmapvalue < 0 {
						return ErrInvalidLengthAttributeContext
					}
					postStringIndexmapvalue := iNdEx + intStringLenmapvalue
					if postStringIndexmapvalue < 0 {
						return ErrInvalidLengthAttributeContext
					}
					if postStringIndexmapvalue > l {
						return io.ErrUnexpectedEOF
					}
					mapvalue = string(dAtA[iNdEx:postStringIndexmapvalue])
					iNdEx = postStringIndexmapvalue
				} else {
					iNdEx = entryPreIndex
					skippy, err := skipAttributeContext(dAtA[iNdEx:])
					if err != nil {
						return err
					}
					if skippy < 0 {
						return ErrInvalidLengthAttributeContext
					}
					if (iNdEx + skippy) > postIndex {
						return io.ErrUnexpectedEOF
					}
					iNdEx += skippy
				}
			}
			m.Labels[mapkey] = mapvalue
			iNdEx = postIndex
		case 4:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field Principal", wireType)
			}
			var stringLen uint64
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowAttributeContext
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				stringLen |= uint64(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			intStringLen := int(stringLen)
			if intStringLen < 0 {
				return ErrInvalidLengthAttributeContext
			}
			postIndex := iNdEx + intStringLen
			if postIndex < 0 {
				return ErrInvalidLengthAttributeContext
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			m.Principal = string(dAtA[iNdEx:postIndex])
			iNdEx = postIndex
		default:
			iNdEx = preIndex
			skippy, err := skipAttributeContext(dAtA[iNdEx:])
			if err != nil {
				return err
			}
			if skippy < 0 {
				return ErrInvalidLengthAttributeContext
			}
			if (iNdEx + skippy) < 0 {
				return ErrInvalidLengthAttributeContext
			}
			if (iNdEx + skippy) > l {
				return io.ErrUnexpectedEOF
			}
			m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...)
			iNdEx += skippy
		}
	}

	if iNdEx > l {
		return io.ErrUnexpectedEOF
	}
	return nil
}
func (m *AttributeContext_Request) Unmarshal(dAtA []byte) error {
	l := len(dAtA)
	iNdEx := 0
	for iNdEx < l {
		preIndex := iNdEx
		var wire uint64
		for shift := uint(0); ; shift += 7 {
			if shift >= 64 {
				return ErrIntOverflowAttributeContext
			}
			if iNdEx >= l {
				return io.ErrUnexpectedEOF
			}
			b := dAtA[iNdEx]
			iNdEx++
			wire |= uint64(b&0x7F) << shift
			if b < 0x80 {
				break
			}
		}
		fieldNum := int32(wire >> 3)
		wireType := int(wire & 0x7)
		if wireType == 4 {
			return fmt.Errorf("proto: Request: wiretype end group for non-group")
		}
		if fieldNum <= 0 {
			return fmt.Errorf("proto: Request: illegal tag %d (wire type %d)", fieldNum, wire)
		}
		switch fieldNum {
		case 1:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field Time", wireType)
			}
			var msglen int
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowAttributeContext
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				msglen |= int(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			if msglen < 0 {
				return ErrInvalidLengthAttributeContext
			}
			postIndex := iNdEx + msglen
			if postIndex < 0 {
				return ErrInvalidLengthAttributeContext
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			if m.Time == nil {
				m.Time = &types.Timestamp{}
			}
			if err := m.Time.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
				return err
			}
			iNdEx = postIndex
		case 2:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field Http", wireType)
			}
			var msglen int
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowAttributeContext
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				msglen |= int(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			if msglen < 0 {
				return ErrInvalidLengthAttributeContext
			}
			postIndex := iNdEx + msglen
			if postIndex < 0 {
				return ErrInvalidLengthAttributeContext
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			if m.Http == nil {
				m.Http = &AttributeContext_HttpRequest{}
			}
			if err := m.Http.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
				return err
			}
			iNdEx = postIndex
		default:
			iNdEx = preIndex
			skippy, err := skipAttributeContext(dAtA[iNdEx:])
			if err != nil {
				return err
			}
			if skippy < 0 {
				return ErrInvalidLengthAttributeContext
			}
			if (iNdEx + skippy) < 0 {
				return ErrInvalidLengthAttributeContext
			}
			if (iNdEx + skippy) > l {
				return io.ErrUnexpectedEOF
			}
			m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...)
			iNdEx += skippy
		}
	}

	if iNdEx > l {
		return io.ErrUnexpectedEOF
	}
	return nil
}
func (m *AttributeContext_HttpRequest) Unmarshal(dAtA []byte) error {
	l := len(dAtA)
	iNdEx := 0
	for iNdEx < l {
		preIndex := iNdEx
		var wire uint64
		for shift := uint(0); ; shift += 7 {
			if shift >= 64 {
				return ErrIntOverflowAttributeContext
			}
			if iNdEx >= l {
				return io.ErrUnexpectedEOF
			}
			b := dAtA[iNdEx]
			iNdEx++
			wire |= uint64(b&0x7F) << shift
			if b < 0x80 {
				break
			}
		}
		fieldNum := int32(wire >> 3)
		wireType := int(wire & 0x7)
		if wireType == 4 {
			return fmt.Errorf("proto: HttpRequest: wiretype end group for non-group")
		}
		if fieldNum <= 0 {
			return fmt.Errorf("proto: HttpRequest: illegal tag %d (wire type %d)", fieldNum, wire)
		}
		switch fieldNum {
		case 1:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field Id", wireType)
			}
			var stringLen uint64
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowAttributeContext
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				stringLen |= uint64(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			intStringLen := int(stringLen)
			if intStringLen < 0 {
				return ErrInvalidLengthAttributeContext
			}
			postIndex := iNdEx + intStringLen
			if postIndex < 0 {
				return ErrInvalidLengthAttributeContext
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			m.Id = string(dAtA[iNdEx:postIndex])
			iNdEx = postIndex
		case 2:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field Method", wireType)
			}
			var stringLen uint64
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowAttributeContext
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				stringLen |= uint64(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			intStringLen := int(stringLen)
			if intStringLen < 0 {
				return ErrInvalidLengthAttributeContext
			}
			postIndex := iNdEx + intStringLen
			if postIndex < 0 {
				return ErrInvalidLengthAttributeContext
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			m.Method = string(dAtA[iNdEx:postIndex])
			iNdEx = postIndex
		case 3:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field Headers", wireType)
			}
			var msglen int
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowAttributeContext
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				msglen |= int(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			if msglen < 0 {
				return ErrInvalidLengthAttributeContext
			}
			postIndex := iNdEx + msglen
			if postIndex < 0 {
				return ErrInvalidLengthAttributeContext
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			if m.Headers == nil {
				m.Headers = make(map[string]string)
			}
			var mapkey string
			var mapvalue string
			for iNdEx < postIndex {
				entryPreIndex := iNdEx
				var wire uint64
				for shift := uint(0); ; shift += 7 {
					if shift >= 64 {
						return ErrIntOverflowAttributeContext
					}
					if iNdEx >= l {
						return io.ErrUnexpectedEOF
					}
					b := dAtA[iNdEx]
					iNdEx++
					wire |= uint64(b&0x7F) << shift
					if b < 0x80 {
						break
					}
				}
				fieldNum := int32(wire >> 3)
				if fieldNum == 1 {
					var stringLenmapkey uint64
					for shift := uint(0); ; shift += 7 {
						if shift >= 64 {
							return ErrIntOverflowAttributeContext
						}
						if iNdEx >= l {
							return io.ErrUnexpectedEOF
						}
						b := dAtA[iNdEx]
						iNdEx++
						stringLenmapkey |= uint64(b&0x7F) << shift
						if b < 0x80 {
							break
						}
					}
					intStringLenmapkey := int(stringLenmapkey)
					if intStringLenmapkey < 0 {
						return ErrInvalidLengthAttributeContext
					}
					postStringIndexmapkey := iNdEx + intStringLenmapkey
					if postStringIndexmapkey < 0 {
						return ErrInvalidLengthAttributeContext
					}
					if postStringIndexmapkey > l {
						return io.ErrUnexpectedEOF
					}
					mapkey = string(dAtA[iNdEx:postStringIndexmapkey])
					iNdEx = postStringIndexmapkey
				} else if fieldNum == 2 {
					var stringLenmapvalue uint64
					for shift := uint(0); ; shift += 7 {
						if shift >= 64 {
							return ErrIntOverflowAttributeContext
						}
						if iNdEx >= l {
							return io.ErrUnexpectedEOF
						}
						b := dAtA[iNdEx]
						iNdEx++
						stringLenmapvalue |= uint64(b&0x7F) << shift
						if b < 0x80 {
							break
						}
					}
					intStringLenmapvalue := int(stringLenmapvalue)
					if intStringLenmapvalue < 0 {
						return ErrInvalidLengthAttributeContext
					}
					postStringIndexmapvalue := iNdEx + intStringLenmapvalue
					if postStringIndexmapvalue < 0 {
						return ErrInvalidLengthAttributeContext
					}
					if postStringIndexmapvalue > l {
						return io.ErrUnexpectedEOF
					}
					mapvalue = string(dAtA[iNdEx:postStringIndexmapvalue])
					iNdEx = postStringIndexmapvalue
				} else {
					iNdEx = entryPreIndex
					skippy, err := skipAttributeContext(dAtA[iNdEx:])
					if err != nil {
						return err
					}
					if skippy < 0 {
						return ErrInvalidLengthAttributeContext
					}
					if (iNdEx + skippy) > postIndex {
						return io.ErrUnexpectedEOF
					}
					iNdEx += skippy
				}
			}
			m.Headers[mapkey] = mapvalue
			iNdEx = postIndex
		case 4:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field Path", wireType)
			}
			var stringLen uint64
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowAttributeContext
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				stringLen |= uint64(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			intStringLen := int(stringLen)
			if intStringLen < 0 {
				return ErrInvalidLengthAttributeContext
			}
			postIndex := iNdEx + intStringLen
			if postIndex < 0 {
				return ErrInvalidLengthAttributeContext
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			m.Path = string(dAtA[iNdEx:postIndex])
			iNdEx = postIndex
		case 5:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field Host", wireType)
			}
			var stringLen uint64
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowAttributeContext
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				stringLen |= uint64(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			intStringLen := int(stringLen)
			if intStringLen < 0 {
				return ErrInvalidLengthAttributeContext
			}
			postIndex := iNdEx + intStringLen
			if postIndex < 0 {
				return ErrInvalidLengthAttributeContext
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			m.Host = string(dAtA[iNdEx:postIndex])
			iNdEx = postIndex
		case 6:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field Scheme", wireType)
			}
			var stringLen uint64
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowAttributeContext
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				stringLen |= uint64(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			intStringLen := int(stringLen)
			if intStringLen < 0 {
				return ErrInvalidLengthAttributeContext
			}
			postIndex := iNdEx + intStringLen
			if postIndex < 0 {
				return ErrInvalidLengthAttributeContext
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			m.Scheme = string(dAtA[iNdEx:postIndex])
			iNdEx = postIndex
		case 7:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field Query", wireType)
			}
			var stringLen uint64
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowAttributeContext
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				stringLen |= uint64(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			intStringLen := int(stringLen)
			if intStringLen < 0 {
				return ErrInvalidLengthAttributeContext
			}
			postIndex := iNdEx + intStringLen
			if postIndex < 0 {
				return ErrInvalidLengthAttributeContext
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			m.Query = string(dAtA[iNdEx:postIndex])
			iNdEx = postIndex
		case 8:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field Fragment", wireType)
			}
			var stringLen uint64
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowAttributeContext
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				stringLen |= uint64(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			intStringLen := int(stringLen)
			if intStringLen < 0 {
				return ErrInvalidLengthAttributeContext
			}
			postIndex := iNdEx + intStringLen
			if postIndex < 0 {
				return ErrInvalidLengthAttributeContext
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			m.Fragment = string(dAtA[iNdEx:postIndex])
			iNdEx = postIndex
		case 9:
			if wireType != 0 {
				return fmt.Errorf("proto: wrong wireType = %d for field Size_", wireType)
			}
			m.Size_ = 0
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowAttributeContext
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				m.Size_ |= int64(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
		case 10:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field Protocol", wireType)
			}
			var stringLen uint64
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowAttributeContext
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				stringLen |= uint64(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			intStringLen := int(stringLen)
			if intStringLen < 0 {
				return ErrInvalidLengthAttributeContext
			}
			postIndex := iNdEx + intStringLen
			if postIndex < 0 {
				return ErrInvalidLengthAttributeContext
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			m.Protocol = string(dAtA[iNdEx:postIndex])
			iNdEx = postIndex
		case 11:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field Body", wireType)
			}
			var stringLen uint64
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowAttributeContext
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				stringLen |= uint64(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			intStringLen := int(stringLen)
			if intStringLen < 0 {
				return ErrInvalidLengthAttributeContext
			}
			postIndex := iNdEx + intStringLen
			if postIndex < 0 {
				return ErrInvalidLengthAttributeContext
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			m.Body = string(dAtA[iNdEx:postIndex])
			iNdEx = postIndex
		default:
			iNdEx = preIndex
			skippy, err := skipAttributeContext(dAtA[iNdEx:])
			if err != nil {
				return err
			}
			if skippy < 0 {
				return ErrInvalidLengthAttributeContext
			}
			if (iNdEx + skippy) < 0 {
				return ErrInvalidLengthAttributeContext
			}
			if (iNdEx + skippy) > l {
				return io.ErrUnexpectedEOF
			}
			m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...)
			iNdEx += skippy
		}
	}

	if iNdEx > l {
		return io.ErrUnexpectedEOF
	}
	return nil
}
func skipAttributeContext(dAtA []byte) (n int, err error) {
	l := len(dAtA)
	iNdEx := 0
	for iNdEx < l {
		var wire uint64
		for shift := uint(0); ; shift += 7 {
			if shift >= 64 {
				return 0, ErrIntOverflowAttributeContext
			}
			if iNdEx >= l {
				return 0, io.ErrUnexpectedEOF
			}
			b := dAtA[iNdEx]
			iNdEx++
			wire |= (uint64(b) & 0x7F) << shift
			if b < 0x80 {
				break
			}
		}
		wireType := int(wire & 0x7)
		switch wireType {
		case 0:
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return 0, ErrIntOverflowAttributeContext
				}
				if iNdEx >= l {
					return 0, io.ErrUnexpectedEOF
				}
				iNdEx++
				if dAtA[iNdEx-1] < 0x80 {
					break
				}
			}
			return iNdEx, nil
		case 1:
			iNdEx += 8
			return iNdEx, nil
		case 2:
			var length int
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return 0, ErrIntOverflowAttributeContext
				}
				if iNdEx >= l {
					return 0, io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				length |= (int(b) & 0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			if length < 0 {
				return 0, ErrInvalidLengthAttributeContext
			}
			iNdEx += length
			if iNdEx < 0 {
				return 0, ErrInvalidLengthAttributeContext
			}
			return iNdEx, nil
		case 3:
			for {
				var innerWire uint64
				var start int = iNdEx
				for shift := uint(0); ; shift += 7 {
					if shift >= 64 {
						return 0, ErrIntOverflowAttributeContext
					}
					if iNdEx >= l {
						return 0, io.ErrUnexpectedEOF
					}
					b := dAtA[iNdEx]
					iNdEx++
					innerWire |= (uint64(b) & 0x7F) << shift
					if b < 0x80 {
						break
					}
				}
				innerWireType := int(innerWire & 0x7)
				if innerWireType == 4 {
					break
				}
				next, err := skipAttributeContext(dAtA[start:])
				if err != nil {
					return 0, err
				}
				iNdEx = start + next
				if iNdEx < 0 {
					return 0, ErrInvalidLengthAttributeContext
				}
			}
			return iNdEx, nil
		case 4:
			return iNdEx, nil
		case 5:
			iNdEx += 4
			return iNdEx, nil
		default:
			return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
		}
	}
	panic("unreachable")
}

var (
	ErrInvalidLengthAttributeContext = fmt.Errorf("proto: negative length found during unmarshaling")
	ErrIntOverflowAttributeContext   = fmt.Errorf("proto: integer overflow")
)


================================================
FILE: third_party/generated/envoyproxy/data-plane-api/envoy/service/auth/v2/external_auth.pb.go
================================================
// Code generated by protoc-gen-gogo. DO NOT EDIT.
// source: envoy/service/auth/v2/external_auth.proto

package v2

import (
	context "context"
	fmt "fmt"
	_ "github.com/envoyproxy/protoc-gen-validate/validate"
	rpc "github.com/gogo/googleapis/google/rpc"
	proto "github.com/gogo/protobuf/proto"
	core "go.aporeto.io/trireme-lib/third_party/generated/envoyproxy/data-plane-api/envoy/api/v2/core"
	_type "go.aporeto.io/trireme-lib/third_party/generated/envoyproxy/data-plane-api/envoy/type"
	grpc "google.golang.org/grpc"
	codes "google.golang.org/grpc/codes"
	status "google.golang.org/grpc/status"
	io "io"
	math "math"
	math_bits "math/bits"
)

// Reference imports to suppress errors if they are not otherwise used.
var _ = proto.Marshal
var _ = fmt.Errorf
var _ = math.Inf

// This is a compile-time assertion to ensure that this generated file
// is compatible with the proto package it is being compiled against.
// A compilation error at this line likely means your copy of the
// proto package needs to be updated.
const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package

type CheckRequest struct {
	// The request attributes.
	Attributes           *AttributeContext `protobuf:"bytes,1,opt,name=attributes,proto3" json:"attributes,omitempty"`
	XXX_NoUnkeyedLiteral struct{}          `json:"-"`
	XXX_unrecognized     []byte            `json:"-"`
	XXX_sizecache        int32             `json:"-"`
}

func (m *CheckRequest) Reset()         { *m = CheckRequest{} }
func (m *CheckRequest) String() string { return proto.CompactTextString(m) }
func (*CheckRequest) ProtoMessage()    {}
func (*CheckRequest) Descriptor() ([]byte, []int) {
	return fileDescriptor_5257cfee93a30acb, []int{0}
}
func (m *CheckRequest) XXX_Unmarshal(b []byte) error {
	return m.Unmarshal(b)
}
func (m *CheckRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
	if deterministic {
		return xxx_messageInfo_CheckRequest.Marshal(b, m, deterministic)
	} else {
		b = b[:cap(b)]
		n, err := m.MarshalTo(b)
		if err != nil {
			return nil, err
		}
		return b[:n], nil
	}
}
func (m *CheckRequest) XXX_Merge(src proto.Message) {
	xxx_messageInfo_CheckRequest.Merge(m, src)
}
func (m *CheckRequest) XXX_Size() int {
	return m.Size()
}
func (m *CheckRequest) XXX_DiscardUnknown() {
	xxx_messageInfo_CheckRequest.DiscardUnknown(m)
}

var xxx_messageInfo_CheckRequest proto.InternalMessageInfo

func (m *CheckRequest) GetAttributes() *AttributeContext {
	if m != nil {
		return m.Attributes
	}
	return nil
}

// HTTP attributes for a denied response.
type DeniedHttpResponse struct {
	// This field allows the authorization service to send a HTTP response status
	// code to the downstream client other than 403 (Forbidden).
	Status *_type.HttpStatus `protobuf:"bytes,1,opt,name=status,proto3" json:"status,omitempty"`
	// This field allows the authorization service to send HTTP response headers
	// to the downstream client.
	Headers []*core.HeaderValueOption `protobuf:"bytes,2,rep,name=headers,proto3" json:"headers,omitempty"`
	// This field allows the authorization service to send a response body data
	// to the downstream client.
	Body                 string   `protobuf:"bytes,3,opt,name=body,proto3" json:"body,omitempty"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

func (m *DeniedHttpResponse) Reset()         { *m = DeniedHttpResponse{} }
func (m *DeniedHttpResponse) String() string { return proto.CompactTextString(m) }
func (*DeniedHttpResponse) ProtoMessage()    {}
func (*DeniedHttpResponse) Descriptor() ([]byte, []int) {
	return fileDescriptor_5257cfee93a30acb, []int{1}
}
func (m *DeniedHttpResponse) XXX_Unmarshal(b []byte) error {
	return m.Unmarshal(b)
}
func (m *DeniedHttpResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
	if deterministic {
		return xxx_messageInfo_DeniedHttpResponse.Marshal(b, m, deterministic)
	} else {
		b = b[:cap(b)]
		n, err := m.MarshalTo(b)
		if err != nil {
			return nil, err
		}
		return b[:n], nil
	}
}
func (m *DeniedHttpResponse) XXX_Merge(src proto.Message) {
	xxx_messageInfo_DeniedHttpResponse.Merge(m, src)
}
func (m *DeniedHttpResponse) XXX_Size() int {
	return m.Size()
}
func (m *DeniedHttpResponse) XXX_DiscardUnknown() {
	xxx_messageInfo_DeniedHttpResponse.DiscardUnknown(m)
}

var xxx_messageInfo_DeniedHttpResponse proto.InternalMessageInfo

func (m *DeniedHttpResponse) GetStatus() *_type.HttpStatus {
	if m != nil {
		return m.Status
	}
	return nil
}

func (m *DeniedHttpResponse) GetHeaders() []*core.HeaderValueOption {
	if m != nil {
		return m.Headers
	}
	return nil
}

func (m *DeniedHttpResponse) GetBody() string {
	if m != nil {
		return m.Body
	}
	return ""
}

// HTTP attributes for an ok response.
type OkHttpResponse struct {
	// HTTP entity headers in addition to the original request headers. This allows the authorization
	// service to append, to add or to override headers from the original request before
	// dispatching it to the upstream. By setting `append` field to `true` in the `HeaderValueOption`,
	// the filter will append the correspondent header value to the matched request header. Note that
	// by Leaving `append` as false, the filter will either add a new header, or override an existing
	// one if there is a match.
	Headers              []*core.HeaderValueOption `protobuf:"bytes,2,rep,name=headers,proto3" json:"headers,omitempty"`
	XXX_NoUnkeyedLiteral struct{}                  `json:"-"`
	XXX_unrecognized     []byte                    `json:"-"`
	XXX_sizecache        int32                     `json:"-"`
}

func (m *OkHttpResponse) Reset()         { *m = OkHttpResponse{} }
func (m *OkHttpResponse) String() string { return proto.CompactTextString(m) }
func (*OkHttpResponse) ProtoMessage()    {}
func (*OkHttpResponse) Descriptor() ([]byte, []int) {
	return fileDescriptor_5257cfee93a30acb, []int{2}
}
func (m *OkHttpResponse) XXX_Unmarshal(b []byte) error {
	return m.Unmarshal(b)
}
func (m *OkHttpResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
	if deterministic {
		return xxx_messageInfo_OkHttpResponse.Marshal(b, m, deterministic)
	} else {
		b = b[:cap(b)]
		n, err := m.MarshalTo(b)
		if err != nil {
			return nil, err
		}
		return b[:n], nil
	}
}
func (m *OkHttpResponse) XXX_Merge(src proto.Message) {
	xxx_messageInfo_OkHttpResponse.Merge(m, src)
}
func (m *OkHttpResponse) XXX_Size() int {
	return m.Size()
}
func (m *OkHttpResponse) XXX_DiscardUnknown() {
	xxx_messageInfo_OkHttpResponse.DiscardUnknown(m)
}

var xxx_messageInfo_OkHttpResponse proto.InternalMessageInfo

func (m *OkHttpResponse) GetHeaders() []*core.HeaderValueOption {
	if m != nil {
		return m.Headers
	}
	return nil
}

// Intended for gRPC and Network Authorization servers `only`.
type CheckResponse struct {
	// Status `OK` allows the request. Any other status indicates the request should be denied.
	Status *rpc.Status `protobuf:"bytes,1,opt,name=status,proto3" json:"status,omitempty"`
	// An message that contains HTTP response attributes. This message is
	// used when the authorization service needs to send custom responses to the
	// downstream client or, to modify/add request headers being dispatched to the upstream.
	//
	// Types that are valid to be assigned to HttpResponse:
	//	*CheckResponse_DeniedResponse
	//	*CheckResponse_OkResponse
	HttpResponse         isCheckResponse_HttpResponse `protobuf_oneof:"http_response"`
	XXX_NoUnkeyedLiteral struct{}                     `json:"-"`
	XXX_unrecognized     []byte                       `json:"-"`
	XXX_sizecache        int32                        `json:"-"`
}

func (m *CheckResponse) Reset()         { *m = CheckResponse{} }
func (m *CheckResponse) String() string { return proto.CompactTextString(m) }
func (*CheckResponse) ProtoMessage()    {}
func (*CheckResponse) Descriptor() ([]byte, []int) {
	return fileDescriptor_5257cfee93a30acb, []int{3}
}
func (m *CheckResponse) XXX_Unmarshal(b []byte) error {
	return m.Unmarshal(b)
}
func (m *CheckResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
	if deterministic {
		return xxx_messageInfo_CheckResponse.Marshal(b, m, deterministic)
	} else {
		b = b[:cap(b)]
		n, err := m.MarshalTo(b)
		if err != nil {
			return nil, err
		}
		return b[:n], nil
	}
}
func (m *CheckResponse) XXX_Merge(src proto.Message) {
	xxx_messageInfo_CheckResponse.Merge(m, src)
}
func (m *CheckResponse) XXX_Size() int {
	return m.Size()
}
func (m *CheckResponse) XXX_DiscardUnknown() {
	xxx_messageInfo_CheckResponse.DiscardUnknown(m)
}

var xxx_messageInfo_CheckResponse proto.InternalMessageInfo

type isCheckResponse_HttpResponse interface {
	isCheckResponse_HttpResponse()
	MarshalTo([]byte) (int, error)
	Size() int
}

type CheckResponse_DeniedResponse struct {
	DeniedResponse *DeniedHttpResponse `protobuf:"bytes,2,opt,name=denied_response,json=deniedResponse,proto3,oneof"`
}
type CheckResponse_OkResponse struct {
	OkResponse *OkHttpResponse `protobuf:"bytes,3,opt,name=ok_response,json=okResponse,proto3,oneof"`
}

func (*CheckResponse_DeniedResponse) isCheckResponse_HttpResponse() {}
func (*CheckResponse_OkResponse) isCheckResponse_HttpResponse()     {}

func (m *CheckResponse) GetHttpResponse() isCheckResponse_HttpResponse {
	if m != nil {
		return m.HttpResponse
	}
	return nil
}

func (m *CheckResponse) GetStatus() *rpc.Status {
	if m != nil {
		return m.Status
	}
	return nil
}

func (m *CheckResponse) GetDeniedResponse() *DeniedHttpResponse {
	if x, ok := m.GetHttpResponse().(*CheckResponse_DeniedResponse); ok {
		return x.DeniedResponse
	}
	return nil
}

func (m *CheckResponse) GetOkResponse() *OkHttpResponse {
	if x, ok := m.GetHttpResponse().(*CheckResponse_OkResponse); ok {
		return x.OkResponse
	}
	return nil
}

// XXX_OneofFuncs is for the internal use of the proto package.
func (*CheckResponse) XXX_OneofFuncs() (func(msg proto.Message, b *proto.Buffer) error, func(msg proto.Message, tag, wire int, b *proto.Buffer) (bool, error), func(msg proto.Message) (n int), []interface{}) {
	return _CheckResponse_OneofMarshaler, _CheckResponse_OneofUnmarshaler, _CheckResponse_OneofSizer, []interface{}{
		(*CheckResponse_DeniedResponse)(nil),
		(*CheckResponse_OkResponse)(nil),
	}
}

func _CheckResponse_OneofMarshaler(msg proto.Message, b *proto.Buffer) error {
	m := msg.(*CheckResponse)
	// http_response
	switch x := m.HttpResponse.(type) {
	case *CheckResponse_DeniedResponse:
		_ = b.EncodeVarint(2<<3 | proto.WireBytes)
		if err := b.EncodeMessage(x.DeniedResponse); err != nil {
			return err
		}
	case *CheckResponse_OkResponse:
		_ = b.EncodeVarint(3<<3 | proto.WireBytes)
		if err := b.EncodeMessage(x.OkResponse); err != nil {
			return err
		}
	case nil:
	default:
		return fmt.Errorf("CheckResponse.HttpResponse has unexpected type %T", x)
	}
	return nil
}

func _CheckResponse_OneofUnmarshaler(msg proto.Message, tag, wire int, b *proto.Buffer) (bool, error) {
	m := msg.(*CheckResponse)
	switch tag {
	case 2: // http_response.denied_response
		if wire != proto.WireBytes {
			return true, proto.ErrInternalBadWireType
		}
		msg := new(DeniedHttpResponse)
		err := b.DecodeMessage(msg)
		m.HttpResponse = &CheckResponse_DeniedResponse{msg}
		return true, err
	case 3: // http_response.ok_response
		if wire != proto.WireBytes {
			return true, proto.ErrInternalBadWireType
		}
		msg := new(OkHttpResponse)
		err := b.DecodeMessage(msg)
		m.HttpResponse = &CheckResponse_OkResponse{msg}
		return true, err
	default:
		return false, nil
	}
}

func _CheckResponse_OneofSizer(msg proto.Message) (n int) {
	m := msg.(*CheckResponse)
	// http_response
	switch x := m.HttpResponse.(type) {
	case *CheckResponse_DeniedResponse:
		s := proto.Size(x.DeniedResponse)
		n += 1 // tag and wire
		n += proto.SizeVarint(uint64(s))
		n += s
	case *CheckResponse_OkResponse:
		s := proto.Size(x.OkResponse)
		n += 1 // tag and wire
		n += proto.SizeVarint(uint64(s))
		n += s
	case nil:
	default:
		panic(fmt.Sprintf("proto: unexpected type %T in oneof", x))
	}
	return n
}

func init() {
	proto.RegisterType((*CheckRequest)(nil), "envoy.service.auth.v2.CheckRequest")
	proto.RegisterType((*DeniedHttpResponse)(nil), "envoy.service.auth.v2.DeniedHttpResponse")
	proto.RegisterType((*OkHttpResponse)(nil), "envoy.service.auth.v2.OkHttpResponse")
	proto.RegisterType((*CheckResponse)(nil), "envoy.service.auth.v2.CheckResponse")
}

func init() {
	proto.RegisterFile("envoy/service/auth/v2/external_auth.proto", fileDescriptor_5257cfee93a30acb)
}

var fileDescriptor_5257cfee93a30acb = []byte{
	// 492 bytes of a gzipped FileDescriptorProto
	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xa4, 0x93, 0xc1, 0x6e, 0xd3, 0x40,
	0x10, 0x86, 0xbb, 0x09, 0x2d, 0xb0, 0x21, 0x2d, 0xac, 0x04, 0x8d, 0x2a, 0x14, 0x45, 0x69, 0x11,
	0x29, 0x12, 0x6b, 0xc9, 0x5c, 0x38, 0x21, 0x35, 0x05, 0xe1, 0x0b, 0x6a, 0x64, 0x10, 0x48, 0x5c,
	0xa2, 0x8d, 0x3d, 0xaa, 0xad, 0x44, 0xde, 0x65, 0x3d, 0xb6, 0x12, 0x9e, 0x00, 0xf1, 0x18, 0x3c,
	0x0d, 0x47, 0x1e, 0x01, 0xe5, 0xcc, 0x13, 0x70, 0x42, 0xde, 0x5d, 0x87, 0x06, 0x12, 0x2e, 0xdc,
	0x56, 0x9e, 0xff, 0xff, 0x76, 0xfe, 0xd9, 0x31, 0x3d, 0x85, 0xac, 0x94, 0x0b, 0x2f, 0x07, 0x5d,
	0xa6, 0x11, 0x78, 0xa2, 0xc0, 0xc4, 0x2b, 0x7d, 0x0f, 0xe6, 0x08, 0x3a, 0x13, 0xb3, 0x71, 0xf5,
	0x81, 0x2b, 0x2d, 0x51, 0xb2, 0xbb, 0x46, 0xca, 0x9d, 0x94, 0x9b, 0x4a, 0xe9, 0x1f, 0xdd, 0xb7,
	0x04, 0xa1, 0xd2, 0xca, 0x18, 0x49, 0x0d, 0xde, 0x44, 0xe4, 0x60, 0x4d, 0x75, 0x15, 0x17, 0x0a,
	0xbc, 0x04, 0x51, 0x8d, 0x73, 0x14, 0x58, 0xe4, 0xae, 0xfa, 0x78, 0xf3, 0xed, 0x02, 0x51, 0xa7,
	0x93, 0x02, 0x61, 0x1c, 0xc9, 0x0c, 0x61, 0x8e, 0x4e, 0x7e, 0x78, 0x29, 0xe5, 0xe5, 0x0c, 0x3c,
	0xad, 0x22, 0x6f, 0x8d, 0x73, 0x58, 0x8a, 0x59, 0x1a, 0x0b, 0x04, 0xaf, 0x3e, 0xd8, 0x42, 0xff,
	0x1d, 0xbd, 0x75, 0x9e, 0x40, 0x34, 0x0d, 0xe1, 0x43, 0x01, 0x39, 0xb2, 0x97, 0x94, 0xae, 0xe0,
	0x79, 0x87, 0xf4, 0xc8, 0xa0, 0xe5, 0x3f, 0xe4, 0x1b, 0x83, 0xf1, 0xb3, 0x5a, 0x78, 0x6e, 0x9b,
	0x08, 0xaf, 0x58, 0xfb, 0x5f, 0x08, 0x65, 0xcf, 0x21, 0x4b, 0x21, 0x0e, 0x10, 0x55, 0x08, 0xb9,
	0x92, 0x59, 0x0e, 0xec, 0x29, 0xdd, 0xb3, 0x8d, 0x39, 0xf6, 0x3d, 0xc7, 0xae, 0xf2, 0xf3, 0x4a,
	0xf9, 0xda, 0x54, 0x87, 0x37, 0x7e, 0x0e, 0x77, 0x3f, 0x93, 0xc6, 0x6d, 0x12, 0x3a, 0x3d, 0x7b,
	0x46, 0xaf, 0x27, 0x20, 0x62, 0xd0, 0x79, 0xa7, 0xd1, 0x6b, 0x0e, 0x5a, 0xfe, 0x89, 0xb3, 0x0a,
	0x95, 0x56, 0xdd, 0x54, 0x83, 0xe5, 0x81, 0x51, 0xbc, 0x15, 0xb3, 0x02, 0x2e, 0x14, 0xa6, 0x32,
	0x0b, 0x6b, 0x13, 0x63, 0xf4, 0xda, 0x44, 0xc6, 0x8b, 0x4e, 0xb3, 0x47, 0x06, 0x37, 0x43, 0x73,
	0xee, 0x8f, 0xe8, 0xfe, 0xc5, 0x74, 0xad, 0xbf, 0xff, 0xbc, 0xa5, 0xff, 0x83, 0xd0, 0xb6, 0x1b,
	0xa8, 0x23, 0x3e, 0xfa, 0x23, 0x31, 0xe3, 0xf6, 0x91, 0xb8, 0x56, 0x11, 0xb7, 0x69, 0x57, 0x19,
	0xdf, 0xd0, 0x83, 0xd8, 0xcc, 0x6c, 0xac, 0x9d, 0xbd, 0xd3, 0x30, 0xa6, 0xd3, 0x2d, 0x4f, 0xf0,
	0xf7, 0x84, 0x83, 0x9d, 0x70, 0xdf, 0x32, 0x56, 0x1d, 0x04, 0xb4, 0x25, 0xa7, 0xbf, 0x89, 0x4d,
	0x43, 0x7c, 0xb0, 0x85, 0xb8, 0x3e, 0x8f, 0x60, 0x27, 0xa4, 0x72, 0x95, 0x65, 0x78, 0x40, 0xdb,
	0x66, 0x47, 0x6b, 0x96, 0x1f, 0xd1, 0xf6, 0x59, 0x81, 0x89, 0xd4, 0xe9, 0x47, 0x51, 0x0d, 0x82,
	0x85, 0x74, 0xd7, 0xc4, 0x67, 0xc7, 0x5b, 0xf8, 0x57, 0xb7, 0xed, 0xe8, 0xe4, 0xdf, 0x22, 0x77,
	0xeb, 0xab, 0xaf, 0xcb, 0x2e, 0xf9, 0xb6, 0xec, 0x92, 0xef, 0xcb, 0x2e, 0xa1, 0xc7, 0xa9, 0xb4,
	0x2e, 0xa5, 0xe5, 0x7c, 0xb1, 0x19, 0x30, 0xbc, 0xf3, 0xc2, 0xfd, 0x9f, 0x55, 0x77, 0xa3, 0x6a,
	0xd3, 0x47, 0xe4, 0x7d, 0xa3, 0xf4, 0x3f, 0x11, 0x32, 0xd9, 0x33, 0x9b, 0xff, 0xe4, 0x57, 0x00,
	0x00, 0x00, 0xff, 0xff, 0x29, 0xe1, 0x8a, 0xc0, 0xda, 0x03, 0x00, 0x00,
}

// Reference imports to suppress errors if they are not otherwise used.
var _ context.Context
var _ grpc.ClientConn

// This is a compile-time assertion to ensure that this generated file
// is compatible with the grpc package it is being compiled against.
const _ = grpc.SupportPackageIsVersion4

// AuthorizationClient is the client API for Authorization service.
//
// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://godoc.org/google.golang.org/grpc#ClientConn.NewStream.
type AuthorizationClient interface {
	// Performs authorization check based on the attributes associated with the
	// incoming request, and returns status `OK` or not `OK`.
	Check(ctx context.Context, in *CheckRequest, opts ...grpc.CallOption) (*CheckResponse, error)
}

type authorizationClient struct {
	cc *grpc.ClientConn
}

func NewAuthorizationClient(cc *grpc.ClientConn) AuthorizationClient {
	return &authorizationClient{cc}
}

func (c *authorizationClient) Check(ctx context.Context, in *CheckRequest, opts ...grpc.CallOption) (*CheckResponse, error) {
	out := new(CheckResponse)
	err := c.cc.Invoke(ctx, "/envoy.service.auth.v2.Authorization/Check", in, out, opts...)
	if err != nil {
		return nil, err
	}
	return out, nil
}

// AuthorizationServer is the server API for Authorization service.
type AuthorizationServer interface {
	// Performs authorization check based on the attributes associated with the
	// incoming request, and returns status `OK` or not `OK`.
	Check(context.Context, *CheckRequest) (*CheckResponse, error)
}

// UnimplementedAuthorizationServer can be embedded to have forward compatible implementations.
type UnimplementedAuthorizationServer struct {
}

func (*UnimplementedAuthorizationServer) Check(ctx context.Context, req *CheckRequest) (*CheckResponse, error) {
	return nil, status.Errorf(codes.Unimplemented, "method Check not implemented")
}

func RegisterAuthorizationServer(s *grpc.Server, srv AuthorizationServer) {
	s.RegisterService(&_Authorization_serviceDesc, srv)
}

func _Authorization_Check_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
	in := new(CheckRequest)
	if err := dec(in); err != nil {
		return nil, err
	}
	if interceptor == nil {
		return srv.(AuthorizationServer).Check(ctx, in)
	}
	info := &grpc.UnaryServerInfo{
		Server:     srv,
		FullMethod: "/envoy.service.auth.v2.Authorization/Check",
	}
	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
		return srv.(AuthorizationServer).Check(ctx, req.(*CheckRequest))
	}
	return interceptor(ctx, in, info, handler)
}

var _Authorization_serviceDesc = grpc.ServiceDesc{
	ServiceName: "envoy.service.auth.v2.Authorization",
	HandlerType: (*AuthorizationServer)(nil),
	Methods: []grpc.MethodDesc{
		{
			MethodName: "Check",
			Handler:    _Authorization_Check_Handler,
		},
	},
	Streams:  []grpc.StreamDesc{},
	Metadata: "envoy/service/auth/v2/external_auth.proto",
}

func (m *CheckRequest) Marshal() (dAtA []byte, err error) {
	size := m.Size()
	dAtA = make([]byte, size)
	n, err := m.MarshalTo(dAtA)
	if err != nil {
		return nil, err
	}
	return dAtA[:n], nil
}

func (m *CheckRequest) MarshalTo(dAtA []byte) (int, error) {
	var i int
	_ = i
	var l int
	_ = l
	if m.Attributes != nil {
		dAtA[i] = 0xa
		i++
		i = encodeVarintExternalAuth(dAtA, i, uint64(m.Attributes.Size()))
		n1, err1 := m.Attributes.MarshalTo(dAtA[i:])
		if err1 != nil {
			return 0, err1
		}
		i += n1
	}
	if m.XXX_unrecognized != nil {
		i += copy(dAtA[i:], m.XXX_unrecognized)
	}
	return i, nil
}

func (m *DeniedHttpResponse) Marshal() (dAtA []byte, err error) {
	size := m.Size()
	dAtA = make([]byte, size)
	n, err := m.MarshalTo(dAtA)
	if err != nil {
		return nil, err
	}
	return dAtA[:n], nil
}

func (m *DeniedHttpResponse) MarshalTo(dAtA []byte) (int, error) {
	var i int
	_ = i
	var l int
	_ = l
	if m.Status != nil {
		dAtA[i] = 0xa
		i++
		i = encodeVarintExternalAuth(dAtA, i, uint64(m.Status.Size()))
		n2, err2 := m.Status.MarshalTo(dAtA[i:])
		if err2 != nil {
			return 0, err2
		}
		i += n2
	}
	if len(m.Headers) > 0 {
		for _, msg := range m.Headers {
			dAtA[i] = 0x12
			i++
			i = encodeVarintExternalAuth(dAtA, i, uint64(msg.Size()))
			n, err := msg.MarshalTo(dAtA[i:])
			if err != nil {
				return 0, err
			}
			i += n
		}
	}
	if len(m.Body) > 0 {
		dAtA[i] = 0x1a
		i++
		i = encodeVarintExternalAuth(dAtA, i, uint64(len(m.Body)))
		i += copy(dAtA[i:], m.Body)
	}
	if m.XXX_unrecognized != nil {
		i += copy(dAtA[i:], m.XXX_unrecognized)
	}
	return i, nil
}

func (m *OkHttpResponse) Marshal() (dAtA []byte, err error) {
	size := m.Size()
	dAtA = make([]byte, size)
	n, err := m.MarshalTo(dAtA)
	if err != nil {
		return nil, err
	}
	return dAtA[:n], nil
}

func (m *OkHttpResponse) MarshalTo(dAtA []byte) (int, error) {
	var i int
	_ = i
	var l int
	_ = l
	if len(m.Headers) > 0 {
		for _, msg := range m.Headers {
			dAtA[i] = 0x12
			i++
			i = encodeVarintExternalAuth(dAtA, i, uint64(msg.Size()))
			n, err := msg.MarshalTo(dAtA[i:])
			if err != nil {
				return 0, err
			}
			i += n
		}
	}
	if m.XXX_unrecognized != nil {
		i += copy(dAtA[i:], m.XXX_unrecognized)
	}
	return i, nil
}

func (m *CheckResponse) Marshal() (dAtA []byte, err error) {
	size := m.Size()
	dAtA = make([]byte, size)
	n, err := m.MarshalTo(dAtA)
	if err != nil {
		return nil, err
	}
	return dAtA[:n], nil
}

func (m *CheckResponse) MarshalTo(dAtA []byte) (int, error) {
	var i int
	_ = i
	var l int
	_ = l
	if m.Status != nil {
		dAtA[i] = 0xa
		i++
		i = encodeVarintExternalAuth(dAtA, i, uint64(m.Status.Size()))
		n3, err3 := m.Status.MarshalTo(dAtA[i:])
		if err3 != nil {
			return 0, err3
		}
		i += n3
	}
	if m.HttpResponse != nil {
		nn4, err4 := m.HttpResponse.MarshalTo(dAtA[i:])
		if err4 != nil {
			return 0, err4
		}
		i += nn4
	}
	if m.XXX_unrecognized != nil {
		i += copy(dAtA[i:], m.XXX_unrecognized)
	}
	return i, nil
}

func (m *CheckResponse_DeniedResponse) MarshalTo(dAtA []byte) (int, error) {
	i := 0
	if m.DeniedResponse != nil {
		dAtA[i] = 0x12
		i++
		i = encodeVarintExternalAuth(dAtA, i, uint64(m.DeniedResponse.Size()))
		n5, err5 := m.DeniedResponse.MarshalTo(dAtA[i:])
		if err5 != nil {
			return 0, err5
		}
		i += n5
	}
	return i, nil
}
func (m *CheckResponse_OkResponse) MarshalTo(dAtA []byte) (int, error) {
	i := 0
	if m.OkResponse != nil {
		dAtA[i] = 0x1a
		i++
		i = encodeVarintExternalAuth(dAtA, i, uint64(m.OkResponse.Size()))
		n6, err6 := m.OkResponse.MarshalTo(dAtA[i:])
		if err6 != nil {
			return 0, err6
		}
		i += n6
	}
	return i, nil
}
func encodeVarintExternalAuth(dAtA []byte, offset int, v uint64) int {
	for v >= 1<<7 {
		dAtA[offset] = uint8(v&0x7f | 0x80)
		v >>= 7
		offset++
	}
	dAtA[offset] = uint8(v)
	return offset + 1
}
func (m *CheckRequest) Size() (n int) {
	if m == nil {
		return 0
	}
	var l int
	_ = l
	if m.Attributes != nil {
		l = m.Attributes.Size()
		n += 1 + l + sovExternalAuth(uint64(l))
	}
	if m.XXX_unrecognized != nil {
		n += len(m.XXX_unrecognized)
	}
	return n
}

func (m *DeniedHttpResponse) Size() (n int) {
	if m == nil {
		return 0
	}
	var l int
	_ = l
	if m.Status != nil {
		l = m.Status.Size()
		n += 1 + l + sovExternalAuth(uint64(l))
	}
	if len(m.Headers) > 0 {
		for _, e := range m.Headers {
			l = e.Size()
			n += 1 + l + sovExternalAuth(uint64(l))
		}
	}
	l = len(m.Body)
	if l > 0 {
		n += 1 + l + sovExternalAuth(uint64(l))
	}
	if m.XXX_unrecognized != nil {
		n += len(m.XXX_unrecognized)
	}
	return n
}

func (m *OkHttpResponse) Size() (n int) {
	if m == nil {
		return 0
	}
	var l int
	_ = l
	if len(m.Headers) > 0 {
		for _, e := range m.Headers {
			l = e.Size()
			n += 1 + l + sovExternalAuth(uint64(l))
		}
	}
	if m.XXX_unrecognized != nil {
		n += len(m.XXX_unrecognized)
	}
	return n
}

func (m *CheckResponse) Size() (n int) {
	if m == nil {
		return 0
	}
	var l int
	_ = l
	if m.Status != nil {
		l = m.Status.Size()
		n += 1 + l + sovExternalAuth(uint64(l))
	}
	if m.HttpResponse != nil {
		n += m.HttpResponse.Size()
	}
	if m.XXX_unrecognized != nil {
		n += len(m.XXX_unrecognized)
	}
	return n
}

func (m *CheckResponse_DeniedResponse) Size() (n int) {
	if m == nil {
		return 0
	}
	var l int
	_ = l
	if m.DeniedResponse != nil {
		l = m.DeniedResponse.Size()
		n += 1 + l + sovExternalAuth(uint64(l))
	}
	return n
}
func (m *CheckResponse_OkResponse) Size() (n int) {
	if m == nil {
		return 0
	}
	var l int
	_ = l
	if m.OkResponse != nil {
		l = m.OkResponse.Size()
		n += 1 + l + sovExternalAuth(uint64(l))
	}
	return n
}

func sovExternalAuth(x uint64) (n int) {
	return (math_bits.Len64(x|1) + 6) / 7
}
func sozExternalAuth(x uint64) (n int) {
	return sovExternalAuth(uint64((x << 1) ^ uint64((int64(x) >> 63))))
}
func (m *CheckRequest) Unmarshal(dAtA []byte) error {
	l := len(dAtA)
	iNdEx := 0
	for iNdEx < l {
		preIndex := iNdEx
		var wire uint64
		for shift := uint(0); ; shift += 7 {
			if shift >= 64 {
				return ErrIntOverflowExternalAuth
			}
			if iNdEx >= l {
				return io.ErrUnexpectedEOF
			}
			b := dAtA[iNdEx]
			iNdEx++
			wire |= uint64(b&0x7F) << shift
			if b < 0x80 {
				break
			}
		}
		fieldNum := int32(wire >> 3)
		wireType := int(wire & 0x7)
		if wireType == 4 {
			return fmt.Errorf("proto: CheckRequest: wiretype end group for non-group")
		}
		if fieldNum <= 0 {
			return fmt.Errorf("proto: CheckRequest: illegal tag %d (wire type %d)", fieldNum, wire)
		}
		switch fieldNum {
		case 1:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field Attributes", wireType)
			}
			var msglen int
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowExternalAuth
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				msglen |= int(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			if msglen < 0 {
				return ErrInvalidLengthExternalAuth
			}
			postIndex := iNdEx + msglen
			if postIndex < 0 {
				return ErrInvalidLengthExternalAuth
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			if m.Attributes == nil {
				m.Attributes = &AttributeContext{}
			}
			if err := m.Attributes.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
				return err
			}
			iNdEx = postIndex
		default:
			iNdEx = preIndex
			skippy, err := skipExternalAuth(dAtA[iNdEx:])
			if err != nil {
				return err
			}
			if skippy < 0 {
				return ErrInvalidLengthExternalAuth
			}
			if (iNdEx + skippy) < 0 {
				return ErrInvalidLengthExternalAuth
			}
			if (iNdEx + skippy) > l {
				return io.ErrUnexpectedEOF
			}
			m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...)
			iNdEx += skippy
		}
	}

	if iNdEx > l {
		return io.ErrUnexpectedEOF
	}
	return nil
}
func (m *DeniedHttpResponse) Unmarshal(dAtA []byte) error {
	l := len(dAtA)
	iNdEx := 0
	for iNdEx < l {
		preIndex := iNdEx
		var wire uint64
		for shift := uint(0); ; shift += 7 {
			if shift >= 64 {
				return ErrIntOverflowExternalAuth
			}
			if iNdEx >= l {
				return io.ErrUnexpectedEOF
			}
			b := dAtA[iNdEx]
			iNdEx++
			wire |= uint64(b&0x7F) << shift
			if b < 0x80 {
				break
			}
		}
		fieldNum := int32(wire >> 3)
		wireType := int(wire & 0x7)
		if wireType == 4 {
			return fmt.Errorf("proto: DeniedHttpResponse: wiretype end group for non-group")
		}
		if fieldNum <= 0 {
			return fmt.Errorf("proto: DeniedHttpResponse: illegal tag %d (wire type %d)", fieldNum, wire)
		}
		switch fieldNum {
		case 1:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field Status", wireType)
			}
			var msglen int
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowExternalAuth
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				msglen |= int(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			if msglen < 0 {
				return ErrInvalidLengthExternalAuth
			}
			postIndex := iNdEx + msglen
			if postIndex < 0 {
				return ErrInvalidLengthExternalAuth
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			if m.Status == nil {
				m.Status = &_type.HttpStatus{}
			}
			if err := m.Status.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
				return err
			}
			iNdEx = postIndex
		case 2:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field Headers", wireType)
			}
			var msglen int
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowExternalAuth
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				msglen |= int(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			if msglen < 0 {
				return ErrInvalidLengthExternalAuth
			}
			postIndex := iNdEx + msglen
			if postIndex < 0 {
				return ErrInvalidLengthExternalAuth
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			m.Headers = append(m.Headers, &core.HeaderValueOption{})
			if err := m.Headers[len(m.Headers)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
				return err
			}
			iNdEx = postIndex
		case 3:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field Body", wireType)
			}
			var stringLen uint64
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowExternalAuth
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				stringLen |= uint64(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			intStringLen := int(stringLen)
			if intStringLen < 0 {
				return ErrInvalidLengthExternalAuth
			}
			postIndex := iNdEx + intStringLen
			if postIndex < 0 {
				return ErrInvalidLengthExternalAuth
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			m.Body = string(dAtA[iNdEx:postIndex])
			iNdEx = postIndex
		default:
			iNdEx = preIndex
			skippy, err := skipExternalAuth(dAtA[iNdEx:])
			if err != nil {
				return err
			}
			if skippy < 0 {
				return ErrInvalidLengthExternalAuth
			}
			if (iNdEx + skippy) < 0 {
				return ErrInvalidLengthExternalAuth
			}
			if (iNdEx + skippy) > l {
				return io.ErrUnexpectedEOF
			}
			m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...)
			iNdEx += skippy
		}
	}

	if iNdEx > l {
		return io.ErrUnexpectedEOF
	}
	return nil
}
func (m *OkHttpResponse) Unmarshal(dAtA []byte) error {
	l := len(dAtA)
	iNdEx := 0
	for iNdEx < l {
		preIndex := iNdEx
		var wire uint64
		for shift := uint(0); ; shift += 7 {
			if shift >= 64 {
				return ErrIntOverflowExternalAuth
			}
			if iNdEx >= l {
				return io.ErrUnexpectedEOF
			}
			b := dAtA[iNdEx]
			iNdEx++
			wire |= uint64(b&0x7F) << shift
			if b < 0x80 {
				break
			}
		}
		fieldNum := int32(wire >> 3)
		wireType := int(wire & 0x7)
		if wireType == 4 {
			return fmt.Errorf("proto: OkHttpResponse: wiretype end group for non-group")
		}
		if fieldNum <= 0 {
			return fmt.Errorf("proto: OkHttpResponse: illegal tag %d (wire type %d)", fieldNum, wire)
		}
		switch fieldNum {
		case 2:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field Headers", wireType)
			}
			var msglen int
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowExternalAuth
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				msglen |= int(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			if msglen < 0 {
				return ErrInvalidLengthExternalAuth
			}
			postIndex := iNdEx + msglen
			if postIndex < 0 {
				return ErrInvalidLengthExternalAuth
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			m.Headers = append(m.Headers, &core.HeaderValueOption{})
			if err := m.Headers[len(m.Headers)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
				return err
			}
			iNdEx = postIndex
		default:
			iNdEx = preIndex
			skippy, err := skipExternalAuth(dAtA[iNdEx:])
			if err != nil {
				return err
			}
			if skippy < 0 {
				return ErrInvalidLengthExternalAuth
			}
			if (iNdEx + skippy) < 0 {
				return ErrInvalidLengthExternalAuth
			}
			if (iNdEx + skippy) > l {
				return io.ErrUnexpectedEOF
			}
			m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...)
			iNdEx += skippy
		}
	}

	if iNdEx > l {
		return io.ErrUnexpectedEOF
	}
	return nil
}
func (m *CheckResponse) Unmarshal(dAtA []byte) error {
	l := len(dAtA)
	iNdEx := 0
	for iNdEx < l {
		preIndex := iNdEx
		var wire uint64
		for shift := uint(0); ; shift += 7 {
			if shift >= 64 {
				return ErrIntOverflowExternalAuth
			}
			if iNdEx >= l {
				return io.ErrUnexpectedEOF
			}
			b := dAtA[iNdEx]
			iNdEx++
			wire |= uint64(b&0x7F) << shift
			if b < 0x80 {
				break
			}
		}
		fieldNum := int32(wire >> 3)
		wireType := int(wire & 0x7)
		if wireType == 4 {
			return fmt.Errorf("proto: CheckResponse: wiretype end group for non-group")
		}
		if fieldNum <= 0 {
			return fmt.Errorf("proto: CheckResponse: illegal tag %d (wire type %d)", fieldNum, wire)
		}
		switch fieldNum {
		case 1:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field Status", wireType)
			}
			var msglen int
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowExternalAuth
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				msglen |= int(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			if msglen < 0 {
				return ErrInvalidLengthExternalAuth
			}
			postIndex := iNdEx + msglen
			if postIndex < 0 {
				return ErrInvalidLengthExternalAuth
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			if m.Status == nil {
				m.Status = &rpc.Status{}
			}
			if err := m.Status.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
				return err
			}
			iNdEx = postIndex
		case 2:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field DeniedResponse", wireType)
			}
			var msglen int
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowExternalAuth
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				msglen |= int(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			if msglen < 0 {
				return ErrInvalidLengthExternalAuth
			}
			postIndex := iNdEx + msglen
			if postIndex < 0 {
				return ErrInvalidLengthExternalAuth
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			v := &DeniedHttpResponse{}
			if err := v.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
				return err
			}
			m.HttpResponse = &CheckResponse_DeniedResponse{v}
			iNdEx = postIndex
		case 3:
			if wireType != 2 {
				return fmt.Errorf("proto: wrong wireType = %d for field OkResponse", wireType)
			}
			var msglen int
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowExternalAuth
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				msglen |= int(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			if msglen < 0 {
				return ErrInvalidLengthExternalAuth
			}
			postIndex := iNdEx + msglen
			if postIndex < 0 {
				return ErrInvalidLengthExternalAuth
			}
			if postIndex > l {
				return io.ErrUnexpectedEOF
			}
			v := &OkHttpResponse{}
			if err := v.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
				return err
			}
			m.HttpResponse = &CheckResponse_OkResponse{v}
			iNdEx = postIndex
		default:
			iNdEx = preIndex
			skippy, err := skipExternalAuth(dAtA[iNdEx:])
			if err != nil {
				return err
			}
			if skippy < 0 {
				return ErrInvalidLengthExternalAuth
			}
			if (iNdEx + skippy) < 0 {
				return ErrInvalidLengthExternalAuth
			}
			if (iNdEx + skippy) > l {
				return io.ErrUnexpectedEOF
			}
			m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...)
			iNdEx += skippy
		}
	}

	if iNdEx > l {
		return io.ErrUnexpectedEOF
	}
	return nil
}
func skipExternalAuth(dAtA []byte) (n int, err error) {
	l := len(dAtA)
	iNdEx := 0
	for iNdEx < l {
		var wire uint64
		for shift := uint(0); ; shift += 7 {
			if shift >= 64 {
				return 0, ErrIntOverflowExternalAuth
			}
			if iNdEx >= l {
				return 0, io.ErrUnexpectedEOF
			}
			b := dAtA[iNdEx]
			iNdEx++
			wire |= (uint64(b) & 0x7F) << shift
			if b < 0x80 {
				break
			}
		}
		wireType := int(wire & 0x7)
		switch wireType {
		case 0:
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return 0, ErrIntOverflowExternalAuth
				}
				if iNdEx >= l {
					return 0, io.ErrUnexpectedEOF
				}
				iNdEx++
				if dAtA[iNdEx-1] < 0x80 {
					break
				}
			}
			return iNdEx, nil
		case 1:
			iNdEx += 8
			return iNdEx, nil
		case 2:
			var length int
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return 0, ErrIntOverflowExternalAuth
				}
				if iNdEx >= l {
					return 0, io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				length |= (int(b) & 0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			if length < 0 {
				return 0, ErrInvalidLengthExternalAuth
			}
			iNdEx += length
			if iNdEx < 0 {
				return 0, ErrInvalidLengthExternalAuth
			}
			return iNdEx, nil
		case 3:
			for {
				var innerWire uint64
				var start int = iNdEx
				for shift := uint(0); ; shift += 7 {
					if shift >= 64 {
						return 0, ErrIntOverflowExternalAuth
					}
					if iNdEx >= l {
						return 0, io.ErrUnexpectedEOF
					}
					b := dAtA[iNdEx]
					iNdEx++
					innerWire |= (uint64(b) & 0x7F) << shift
					if b < 0x80 {
						break
					}
				}
				innerWireType := int(innerWire & 0x7)
				if innerWireType == 4 {
					break
				}
				next, err := skipExternalAuth(dAtA[start:])
				if err != nil {
					return 0, err
				}
				iNdEx = start + next
				if iNdEx < 0 {
					return 0, ErrInvalidLengthExternalAuth
				}
			}
			return iNdEx, nil
		case 4:
			return iNdEx, nil
		case 5:
			iNdEx += 4
			return iNdEx, nil
		default:
			return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
		}
	}
	panic("unreachable")
}

var (
	ErrInvalidLengthExternalAuth = fmt.Errorf("proto: negative length found during unmarshaling")
	ErrIntOverflowExternalAuth   = fmt.Errorf("proto: integer overflow")
)


================================================
FILE: third_party/generated/envoyproxy/data-plane-api/envoy/service/discovery/v2/sds.pb.go
================================================
// Code generated by protoc-gen-gogo. DO NOT EDIT.
// source: envoy/service/discovery/v2/sds.proto

package envoy_service_discovery_v2

import (
	context "context"
	fmt "fmt"
	_ "github.com/gogo/googleapis/google/api"
	proto "github.com/gogo/protobuf/proto"
	v2 "go.aporeto.io/trireme-lib/third_party/generated/envoyproxy/data-plane-api/envoy/api/v2"
	grpc "google.golang.org/grpc"
	codes "google.golang.org/grpc/codes"
	status "google.golang.org/grpc/status"
	io "io"
	math "math"
	math_bits "math/bits"
)

// Reference imports to suppress errors if they are not otherwise used.
var _ = proto.Marshal
var _ = fmt.Errorf
var _ = math.Inf

// This is a compile-time assertion to ensure that this generated file
// is compatible with the proto package it is being compiled against.
// A compilation error at this line likely means your copy of the
// proto package needs to be updated.
const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package

// [#not-implemented-hide:] Not configuration. Workaround c++ protobuf issue with importing
// services: https://github.com/google/protobuf/issues/4221
type SdsDummy struct {
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

func (m *SdsDummy) Reset()         { *m = SdsDummy{} }
func (m *SdsDummy) String() string { return proto.CompactTextString(m) }
func (*SdsDummy) ProtoMessage()    {}
func (*SdsDummy) Descriptor() ([]byte, []int) {
	return fileDescriptor_f2a4da2e99d9a3e6, []int{0}
}
func (m *SdsDummy) XXX_Unmarshal(b []byte) error {
	return m.Unmarshal(b)
}
func (m *SdsDummy) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
	if deterministic {
		return xxx_messageInfo_SdsDummy.Marshal(b, m, deterministic)
	} else {
		b = b[:cap(b)]
		n, err := m.MarshalTo(b)
		if err != nil {
			return nil, err
		}
		return b[:n], nil
	}
}
func (m *SdsDummy) XXX_Merge(src proto.Message) {
	xxx_messageInfo_SdsDummy.Merge(m, src)
}
func (m *SdsDummy) XXX_Size() int {
	return m.Size()
}
func (m *SdsDummy) XXX_DiscardUnknown() {
	xxx_messageInfo_SdsDummy.DiscardUnknown(m)
}

var xxx_messageInfo_SdsDummy proto.InternalMessageInfo

func init() {
	proto.RegisterType((*SdsDummy)(nil), "envoy.service.discovery.v2.SdsDummy")
}

func init() {
	proto.RegisterFile("envoy/service/discovery/v2/sds.proto", fileDescriptor_f2a4da2e99d9a3e6)
}

var fileDescriptor_f2a4da2e99d9a3e6 = []byte{
	// 287 bytes of a gzipped FileDescriptorProto
	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xac, 0x91, 0xc1, 0x4a, 0xf3, 0x40,
	0x14, 0x85, 0xff, 0xe9, 0xe2, 0x47, 0x86, 0xba, 0x09, 0xe8, 0x22, 0x94, 0x28, 0xb1, 0x8b, 0xe2,
	0x62, 0x22, 0x71, 0xd7, 0x65, 0x08, 0xae, 0x8b, 0x01, 0xb7, 0x32, 0x26, 0x97, 0x3a, 0xd0, 0xe4,
	0xa6, 0x73, 0xa7, 0x83, 0xd9, 0xfa, 0x0a, 0xbe, 0x92, 0x0b, 0x97, 0x82, 0x2f, 0x20, 0xc1, 0x07,
	0x91, 0x64, 0xda, 0x4a, 0x0b, 0x75, 0xe5, 0xfa, 0x3b, 0xe7, 0xbb, 0xc3, 0x1c, 0x3e, 0x86, 0xca,
	0x62, 0x13, 0x11, 0x68, 0xab, 0x72, 0x88, 0x0a, 0x45, 0x39, 0x5a, 0xd0, 0x4d, 0x64, 0xe3, 0x88,
	0x0a, 0x12, 0xb5, 0x46, 0x83, 0x9e, 0xdf, 0xa7, 0xc4, 0x3a, 0x25, 0xb6, 0x29, 0x61, 0x63, 0x7f,
	0xe4, 0x0c, 0xb2, 0x56, 0x5d, 0xe7, 0x07, 0xf5, 0x4d, 0x7f, 0x34, 0x47, 0x9c, 0x2f, 0xa0, 0xc7,
	0xb2, 0xaa, 0xd0, 0x48, 0xa3, 0xb0, 0x5a, 0x7b, 0x43, 0xce, 0x8f, 0xb2, 0x82, 0xd2, 0x55, 0x59,
	0x36, 0xf1, 0xeb, 0x80, 0x9f, 0x66, 0x90, 0x6b, 0x30, 0xe9, 0xc6, 0x91, 0xb9, 0x7b, 0xde, 0x3d,
	0x1f, 0xa6, 0xb0, 0x30, 0xd2, 0x61, 0xf2, 0x2e, 0x84, 0x7b, 0x8f, 0xac, 0x95, 0xb0, 0xb1, 0xe8,
	0xd9, 0xb6, 0x74, 0x0b, 0xcb, 0x15, 0x90, 0xf1, 0xc7, 0xbf, 0x87, 0xa8, 0xc6, 0x8a, 0x20, 0xfc,
	0x37, 0x61, 0x57, 0xcc, 0xbb, 0xe3, 0xc7, 0x99, 0xd1, 0x20, 0xcb, 0xcd, 0x85, 0x60, 0xaf, 0xbc,
	0x2f, 0x3f, 0x3b, 0xc8, 0x77, 0xbc, 0x4b, 0x3e, 0xbc, 0x01, 0x93, 0x3f, 0xfe, 0x99, 0xf6, 0xfc,
	0xf9, 0xe3, 0xeb, 0x65, 0xe0, 0x87, 0x27, 0x3b, 0x7f, 0x3d, 0x25, 0xe7, 0x9f, 0xb2, 0xcb, 0x24,
	0x79, 0x6b, 0x03, 0xf6, 0xde, 0x06, 0xec, 0xb3, 0x0d, 0x18, 0x9f, 0x28, 0x74, 0xca, 0x5a, 0xe3,
	0x53, 0x23, 0x0e, 0xcf, 0x98, 0x74, 0x43, 0xcc, 0xba, 0x51, 0x66, 0xec, 0xe1, 0x7f, 0xbf, 0xce,
	0xf5, 0x77, 0x00, 0x00, 0x00, 0xff, 0xff, 0x33, 0xae, 0xee, 0x26, 0x1d, 0x02, 0x00, 0x00,
}

// Reference imports to suppress errors if they are not otherwise used.
var _ context.Context
var _ grpc.ClientConn

// This is a compile-time assertion to ensure that this generated file
// is compatible with the grpc package it is being compiled against.
const _ = grpc.SupportPackageIsVersion4

// SecretDiscoveryServiceClient is the client API for SecretDiscoveryService service.
//
// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://godoc.org/google.golang.org/grpc#ClientConn.NewStream.
type SecretDiscoveryServiceClient interface {
	DeltaSecrets(ctx context.Context, opts ...grpc.CallOption) (SecretDiscoveryService_DeltaSecretsClient, error)
	StreamSecrets(ctx context.Context, opts ...grpc.CallOption) (SecretDiscoveryService_StreamSecretsClient, error)
	FetchSecrets(ctx context.Context, in *v2.DiscoveryRequest, opts ...grpc.CallOption) (*v2.DiscoveryResponse, error)
}

type secretDiscoveryServiceClient struct {
	cc *grpc.ClientConn
}

func NewSecretDiscoveryServiceClient(cc *grpc.ClientConn) SecretDiscoveryServiceClient {
	return &secretDiscoveryServiceClient{cc}
}

func (c *secretDiscoveryServiceClient) DeltaSecrets(ctx context.Context, opts ...grpc.CallOption) (SecretDiscoveryService_DeltaSecretsClient, error) {
	stream, err := c.cc.NewStream(ctx, &_SecretDiscoveryService_serviceDesc.Streams[0], "/envoy.service.discovery.v2.SecretDiscoveryService/DeltaSecrets", opts...)
	if err != nil {
		return nil, err
	}
	x := &secretDiscoveryServiceDeltaSecretsClient{stream}
	return x, nil
}

type SecretDiscoveryService_DeltaSecretsClient interface {
	Send(*v2.DeltaDiscoveryRequest) error
	Recv() (*v2.DeltaDiscoveryResponse, error)
	grpc.ClientStream
}

type secretDiscoveryServiceDeltaSecretsClient struct {
	grpc.ClientStream
}

func (x *secretDiscoveryServiceDeltaSecretsClient) Send(m *v2.DeltaDiscoveryRequest) error {
	return x.ClientStream.SendMsg(m)
}

func (x *secretDiscoveryServiceDeltaSecretsClient) Recv() (*v2.DeltaDiscoveryResponse, error) {
	m := new(v2.DeltaDiscoveryResponse)
	if err := x.ClientStream.RecvMsg(m); err != nil {
		return nil, err
	}
	return m, nil
}

func (c *secretDiscoveryServiceClient) StreamSecrets(ctx context.Context, opts ...grpc.CallOption) (SecretDiscoveryService_StreamSecretsClient, error) {
	stream, err := c.cc.NewStream(ctx, &_SecretDiscoveryService_serviceDesc.Streams[1], "/envoy.service.discovery.v2.SecretDiscoveryService/StreamSecrets", opts...)
	if err != nil {
		return nil, err
	}
	x := &secretDiscoveryServiceStreamSecretsClient{stream}
	return x, nil
}

type SecretDiscoveryService_StreamSecretsClient interface {
	Send(*v2.DiscoveryRequest) error
	Recv() (*v2.DiscoveryResponse, error)
	grpc.ClientStream
}

type secretDiscoveryServiceStreamSecretsClient struct {
	grpc.ClientStream
}

func (x *secretDiscoveryServiceStreamSecretsClient) Send(m *v2.DiscoveryRequest) error {
	return x.ClientStream.SendMsg(m)
}

func (x *secretDiscoveryServiceStreamSecretsClient) Recv() (*v2.DiscoveryResponse, error) {
	m := new(v2.DiscoveryResponse)
	if err := x.ClientStream.RecvMsg(m); err != nil {
		return nil, err
	}
	return m, nil
}

func (c *secretDiscoveryServiceClient) FetchSecrets(ctx context.Context, in *v2.DiscoveryRequest, opts ...grpc.CallOption) (*v2.DiscoveryResponse, error) {
	out := new(v2.DiscoveryResponse)
	err := c.cc.Invoke(ctx, "/envoy.service.discovery.v2.SecretDiscoveryService/FetchSecrets", in, out, opts...)
	if err != nil {
		return nil, err
	}
	return out, nil
}

// SecretDiscoveryServiceServer is the server API for SecretDiscoveryService service.
type SecretDiscoveryServiceServer interface {
	DeltaSecrets(SecretDiscoveryService_DeltaSecretsServer) error
	StreamSecrets(SecretDiscoveryService_StreamSecretsServer) error
	FetchSecrets(context.Context, *v2.DiscoveryRequest) (*v2.DiscoveryResponse, error)
}

// UnimplementedSecretDiscoveryServiceServer can be embedded to have forward compatible implementations.
type UnimplementedSecretDiscoveryServiceServer struct {
}

func (*UnimplementedSecretDiscoveryServiceServer) DeltaSecrets(srv SecretDiscoveryService_DeltaSecretsServer) error {
	return status.Errorf(codes.Unimplemented, "method DeltaSecrets not implemented")
}
func (*UnimplementedSecretDiscoveryServiceServer) StreamSecrets(srv SecretDiscoveryService_StreamSecretsServer) error {
	return status.Errorf(codes.Unimplemented, "method StreamSecrets not implemented")
}
func (*UnimplementedSecretDiscoveryServiceServer) FetchSecrets(ctx context.Context, req *v2.DiscoveryRequest) (*v2.DiscoveryResponse, error) {
	return nil, status.Errorf(codes.Unimplemented, "method FetchSecrets not implemented")
}

func RegisterSecretDiscoveryServiceServer(s *grpc.Server, srv SecretDiscoveryServiceServer) {
	s.RegisterService(&_SecretDiscoveryService_serviceDesc, srv)
}

func _SecretDiscoveryService_DeltaSecrets_Handler(srv interface{}, stream grpc.ServerStream) error {
	return srv.(SecretDiscoveryServiceServer).DeltaSecrets(&secretDiscoveryServiceDeltaSecretsServer{stream})
}

type SecretDiscoveryService_DeltaSecretsServer interface {
	Send(*v2.DeltaDiscoveryResponse) error
	Recv() (*v2.DeltaDiscoveryRequest, error)
	grpc.ServerStream
}

type secretDiscoveryServiceDeltaSecretsServer struct {
	grpc.ServerStream
}

func (x *secretDiscoveryServiceDeltaSecretsServer) Send(m *v2.DeltaDiscoveryResponse) error {
	return x.ServerStream.SendMsg(m)
}

func (x *secretDiscoveryServiceDeltaSecretsServer) Recv() (*v2.DeltaDiscoveryRequest, error) {
	m := new(v2.DeltaDiscoveryRequest)
	if err := x.ServerStream.RecvMsg(m); err != nil {
		return nil, err
	}
	return m, nil
}

func _SecretDiscoveryService_StreamSecrets_Handler(srv interface{}, stream grpc.ServerStream) error {
	return srv.(SecretDiscoveryServiceServer).StreamSecrets(&secretDiscoveryServiceStreamSecretsServer{stream})
}

type SecretDiscoveryService_StreamSecretsServer interface {
	Send(*v2.DiscoveryResponse) error
	Recv() (*v2.DiscoveryRequest, error)
	grpc.ServerStream
}

type secretDiscoveryServiceStreamSecretsServer struct {
	grpc.ServerStream
}

func (x *secretDiscoveryServiceStreamSecretsServer) Send(m *v2.DiscoveryResponse) error {
	return x.ServerStream.SendMsg(m)
}

func (x *secretDiscoveryServiceStreamSecretsServer) Recv() (*v2.DiscoveryRequest, error) {
	m := new(v2.DiscoveryRequest)
	if err := x.ServerStream.RecvMsg(m); err != nil {
		return nil, err
	}
	return m, nil
}

func _SecretDiscoveryService_FetchSecrets_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
	in := new(v2.DiscoveryRequest)
	if err := dec(in); err != nil {
		return nil, err
	}
	if interceptor == nil {
		return srv.(SecretDiscoveryServiceServer).FetchSecrets(ctx, in)
	}
	info := &grpc.UnaryServerInfo{
		Server:     srv,
		FullMethod: "/envoy.service.discovery.v2.SecretDiscoveryService/FetchSecrets",
	}
	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
		return srv.(SecretDiscoveryServiceServer).FetchSecrets(ctx, req.(*v2.DiscoveryRequest))
	}
	return interceptor(ctx, in, info, handler)
}

var _SecretDiscoveryService_serviceDesc = grpc.ServiceDesc{
	ServiceName: "envoy.service.discovery.v2.SecretDiscoveryService",
	HandlerType: (*SecretDiscoveryServiceServer)(nil),
	Methods: []grpc.MethodDesc{
		{
			MethodName: "FetchSecrets",
			Handler:    _SecretDiscoveryService_FetchSecrets_Handler,
		},
	},
	Streams: []grpc.StreamDesc{
		{
			StreamName:    "DeltaSecrets",
			Handler:       _SecretDiscoveryService_DeltaSecrets_Handler,
			ServerStreams: true,
			ClientStreams: true,
		},
		{
			StreamName:    "StreamSecrets",
			Handler:       _SecretDiscoveryService_StreamSecrets_Handler,
			ServerStreams: true,
			ClientStreams: true,
		},
	},
	Metadata: "envoy/service/discovery/v2/sds.proto",
}

func (m *SdsDummy) Marshal() (dAtA []byte, err error) {
	size := m.Size()
	dAtA = make([]byte, size)
	n, err := m.MarshalTo(dAtA)
	if err != nil {
		return nil, err
	}
	return dAtA[:n], nil
}

func (m *SdsDummy) MarshalTo(dAtA []byte) (int, error) {
	var i int
	_ = i
	var l int
	_ = l
	if m.XXX_unrecognized != nil {
		i += copy(dAtA[i:], m.XXX_unrecognized)
	}
	return i, nil
}

func encodeVarintSds(dAtA []byte, offset int, v uint64) int {
	for v >= 1<<7 {
		dAtA[offset] = uint8(v&0x7f | 0x80)
		v >>= 7
		offset++
	}
	dAtA[offset] = uint8(v)
	return offset + 1
}
func (m *SdsDummy) Size() (n int) {
	if m == nil {
		return 0
	}
	var l int
	_ = l
	if m.XXX_unrecognized != nil {
		n += len(m.XXX_unrecognized)
	}
	return n
}

func sovSds(x uint64) (n int) {
	return (math_bits.Len64(x|1) + 6) / 7
}
func sozSds(x uint64) (n int) {
	return sovSds(uint64((x << 1) ^ uint64((int64(x) >> 63))))
}
func (m *SdsDummy) Unmarshal(dAtA []byte) error {
	l := len(dAtA)
	iNdEx := 0
	for iNdEx < l {
		preIndex := iNdEx
		var wire uint64
		for shift := uint(0); ; shift += 7 {
			if shift >= 64 {
				return ErrIntOverflowSds
			}
			if iNdEx >= l {
				return io.ErrUnexpectedEOF
			}
			b := dAtA[iNdEx]
			iNdEx++
			wire |= uint64(b&0x7F) << shift
			if b < 0x80 {
				break
			}
		}
		fieldNum := int32(wire >> 3)
		wireType := int(wire & 0x7)
		if wireType == 4 {
			return fmt.Errorf("proto: SdsDummy: wiretype end group for non-group")
		}
		if fieldNum <= 0 {
			return fmt.Errorf("proto: SdsDummy: illegal tag %d (wire type %d)", fieldNum, wire)
		}
		switch fieldNum {
		default:
			iNdEx = preIndex
			skippy, err := skipSds(dAtA[iNdEx:])
			if err != nil {
				return err
			}
			if skippy < 0 {
				return ErrInvalidLengthSds
			}
			if (iNdEx + skippy) < 0 {
				return ErrInvalidLengthSds
			}
			if (iNdEx + skippy) > l {
				return io.ErrUnexpectedEOF
			}
			m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...)
			iNdEx += skippy
		}
	}

	if iNdEx > l {
		return io.ErrUnexpectedEOF
	}
	return nil
}
func skipSds(dAtA []byte) (n int, err error) {
	l := len(dAtA)
	iNdEx := 0
	for iNdEx < l {
		var wire uint64
		for shift := uint(0); ; shift += 7 {
			if shift >= 64 {
				return 0, ErrIntOverflowSds
			}
			if iNdEx >= l {
				return 0, io.ErrUnexpectedEOF
			}
			b := dAtA[iNdEx]
			iNdEx++
			wire |= (uint64(b) & 0x7F) << shift
			if b < 0x80 {
				break
			}
		}
		wireType := int(wire & 0x7)
		switch wireType {
		case 0:
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return 0, ErrIntOverflowSds
				}
				if iNdEx >= l {
					return 0, io.ErrUnexpectedEOF
				}
				iNdEx++
				if dAtA[iNdEx-1] < 0x80 {
					break
				}
			}
			return iNdEx, nil
		case 1:
			iNdEx += 8
			return iNdEx, nil
		case 2:
			var length int
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return 0, ErrIntOverflowSds
				}
				if iNdEx >= l {
					return 0, io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				length |= (int(b) & 0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			if length < 0 {
				return 0, ErrInvalidLengthSds
			}
			iNdEx += length
			if iNdEx < 0 {
				return 0, ErrInvalidLengthSds
			}
			return iNdEx, nil
		case 3:
			for {
				var innerWire uint64
				var start int = iNdEx
				for shift := uint(0); ; shift += 7 {
					if shift >= 64 {
						return 0, ErrIntOverflowSds
					}
					if iNdEx >= l {
						return 0, io.ErrUnexpectedEOF
					}
					b := dAtA[iNdEx]
					iNdEx++
					innerWire |= (uint64(b) & 0x7F) << shift
					if b < 0x80 {
						break
					}
				}
				innerWireType := int(innerWire & 0x7)
				if innerWireType == 4 {
					break
				}
				next, err := skipSds(dAtA[start:])
				if err != nil {
					return 0, err
				}
				iNdEx = start + next
				if iNdEx < 0 {
					return 0, ErrInvalidLengthSds
				}
			}
			return iNdEx, nil
		case 4:
			return iNdEx, nil
		case 5:
			iNdEx += 4
			return iNdEx, nil
		default:
			return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
		}
	}
	panic("unreachable")
}

var (
	ErrInvalidLengthSds = fmt.Errorf("proto: negative length found during unmarshaling")
	ErrIntOverflowSds   = fmt.Errorf("proto: integer overflow")
)


================================================
FILE: third_party/generated/envoyproxy/data-plane-api/envoy/type/http_status.pb.go
================================================
// Code generated by protoc-gen-gogo. DO NOT EDIT.
// source: envoy/type/http_status.proto

package envoy_type

import (
	fmt "fmt"
	_ "github.com/envoyproxy/protoc-gen-validate/validate"
	proto "github.com/gogo/protobuf/proto"
	io "io"
	math "math"
	math_bits "math/bits"
)

// Reference imports to suppress errors if they are not otherwise used.
var _ = proto.Marshal
var _ = fmt.Errorf
var _ = math.Inf

// This is a compile-time assertion to ensure that this generated file
// is compatible with the proto package it is being compiled against.
// A compilation error at this line likely means your copy of the
// proto package needs to be updated.
const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package

// HTTP response codes supported in Envoy.
// For more details: https://www.iana.org/assignments/http-status-codes/http-status-codes.xhtml
type StatusCode int32

const (
	// Empty - This code not part of the HTTP status code specification, but it is needed for proto
	// `enum` type.
	StatusCode_Empty                         StatusCode = 0
	StatusCode_Continue                      StatusCode = 100
	StatusCode_OK                            StatusCode = 200
	StatusCode_Created                       StatusCode = 201
	StatusCode_Accepted                      StatusCode = 202
	StatusCode_NonAuthoritativeInformation   StatusCode = 203
	StatusCode_NoContent                     StatusCode = 204
	StatusCode_ResetContent                  StatusCode = 205
	StatusCode_PartialContent                StatusCode = 206
	StatusCode_MultiStatus                   StatusCode = 207
	StatusCode_AlreadyReported               StatusCode = 208
	StatusCode_IMUsed                        StatusCode = 226
	StatusCode_MultipleChoices               StatusCode = 300
	StatusCode_MovedPermanently              StatusCode = 301
	StatusCode_Found                         StatusCode = 302
	StatusCode_SeeOther                      StatusCode = 303
	StatusCode_NotModified                   StatusCode = 304
	StatusCode_UseProxy                      StatusCode = 305
	StatusCode_TemporaryRedirect             StatusCode = 307
	StatusCode_PermanentRedirect             StatusCode = 308
	StatusCode_BadRequest                    StatusCode = 400
	StatusCode_Unauthorized                  StatusCode = 401
	StatusCode_PaymentRequired               StatusCode = 402
	StatusCode_Forbidden                     StatusCode = 403
	StatusCode_NotFound                      StatusCode = 404
	StatusCode_MethodNotAllowed              StatusCode = 405
	StatusCode_NotAcceptable                 StatusCode = 406
	StatusCode_ProxyAuthenticationRequired   StatusCode = 407
	StatusCode_RequestTimeout                StatusCode = 408
	StatusCode_Conflict                      StatusCode = 409
	StatusCode_Gone                          StatusCode = 410
	StatusCode_LengthRequired                StatusCode = 411
	StatusCode_PreconditionFailed            StatusCode = 412
	StatusCode_PayloadTooLarge               StatusCode = 413
	StatusCode_URITooLong                    StatusCode = 414
	StatusCode_UnsupportedMediaType          StatusCode = 415
	StatusCode_RangeNotSatisfiable           StatusCode = 416
	StatusCode_ExpectationFailed             StatusCode = 417
	StatusCode_MisdirectedRequest            StatusCode = 421
	StatusCode_UnprocessableEntity           StatusCode = 422
	StatusCode_Locked                        StatusCode = 423
	StatusCode_FailedDependency              StatusCode = 424
	StatusCode_UpgradeRequired               StatusCode = 426
	StatusCode_PreconditionRequired          StatusCode = 428
	StatusCode_TooManyRequests               StatusCode = 429
	StatusCode_RequestHeaderFieldsTooLarge   StatusCode = 431
	StatusCode_InternalServerError           StatusCode = 500
	StatusCode_NotImplemented                StatusCode = 501
	StatusCode_BadGateway                    StatusCode = 502
	StatusCode_ServiceUnavailable            StatusCode = 503
	StatusCode_GatewayTimeout                StatusCode = 504
	StatusCode_HTTPVersionNotSupported       StatusCode = 505
	StatusCode_VariantAlsoNegotiates         StatusCode = 506
	StatusCode_InsufficientStorage           StatusCode = 507
	StatusCode_LoopDetected                  StatusCode = 508
	StatusCode_NotExtended                   StatusCode = 510
	StatusCode_NetworkAuthenticationRequired StatusCode = 511
)

var StatusCode_name = map[int32]string{
	0:   "Empty",
	100: "Continue",
	200: "OK",
	201: "Created",
	202: "Accepted",
	203: "NonAuthoritativeInformation",
	204: "NoContent",
	205: "ResetContent",
	206: "PartialContent",
	207: "MultiStatus",
	208: "AlreadyReported",
	226: "IMUsed",
	300: "MultipleChoices",
	301: "MovedPermanently",
	302: "Found",
	303: "SeeOther",
	304: "NotModified",
	305: "UseProxy",
	307: "TemporaryRedirect",
	308: "PermanentRedirect",
	400: "BadRequest",
	401: "Unauthorized",
	402: "PaymentRequired",
	403: "Forbidden",
	404: "NotFound",
	405: "MethodNotAllowed",
	406: "NotAcceptable",
	407: "ProxyAuthenticationRequired",
	408: "RequestTimeout",
	409: "Conflict",
	410: "Gone",
	411: "LengthRequired",
	412: "PreconditionFailed",
	413: "PayloadTooLarge",
	414: "URITooLong",
	415: "UnsupportedMediaType",
	416: "RangeNotSatisfiable",
	417: "ExpectationFailed",
	421: "MisdirectedRequest",
	422: "UnprocessableEntity",
	423: "Locked",
	424: "FailedDependency",
	426: "UpgradeRequired",
	428: "PreconditionRequired",
	429: "TooManyRequests",
	431: "RequestHeaderFieldsTooLarge",
	500: "InternalServerError",
	501: "NotImplemented",
	502: "BadGateway",
	503: "ServiceUnavailable",
	504: "GatewayTimeout",
	505: "HTTPVersionNotSupported",
	506: "VariantAlsoNegotiates",
	507: "InsufficientStorage",
	508: "LoopDetected",
	510: "NotExtended",
	511: "NetworkAuthenticationRequired",
}

var StatusCode_value = map[string]int32{
	"Empty":                         0,
	"Continue":                      100,
	"OK":                            200,
	"Created":                       201,
	"Accepted":                      202,
	"NonAuthoritativeInformation":   203,
	"NoContent":                     204,
	"ResetContent":                  205,
	"PartialContent":                206,
	"MultiStatus":                   207,
	"AlreadyReported":               208,
	"IMUsed":                        226,
	"MultipleChoices":               300,
	"MovedPermanently":              301,
	"Found":                         302,
	"SeeOther":                      303,
	"NotModified":                   304,
	"UseProxy":                      305,
	"TemporaryRedirect":             307,
	"PermanentRedirect":             308,
	"BadRequest":                    400,
	"Unauthorized":                  401,
	"PaymentRequired":               402,
	"Forbidden":                     403,
	"NotFound":                      404,
	"MethodNotAllowed":              405,
	"NotAcceptable":                 406,
	"ProxyAuthenticationRequired":   407,
	"RequestTimeout":                408,
	"Conflict":                      409,
	"Gone":                          410,
	"LengthRequired":                411,
	"PreconditionFailed":            412,
	"PayloadTooLarge":               413,
	"URITooLong":                    414,
	"UnsupportedMediaType":          415,
	"RangeNotSatisfiable":           416,
	"ExpectationFailed":             417,
	"MisdirectedRequest":            421,
	"UnprocessableEntity":           422,
	"Locked":                        423,
	"FailedDependency":              424,
	"UpgradeRequired":               426,
	"PreconditionRequired":          428,
	"TooManyRequests":               429,
	"RequestHeaderFieldsTooLarge":   431,
	"InternalServerError":           500,
	"NotImplemented":                501,
	"BadGateway":                    502,
	"ServiceUnavailable":            503,
	"GatewayTimeout":                504,
	"HTTPVersionNotSupported":       505,
	"VariantAlsoNegotiates":         506,
	"InsufficientStorage":           507,
	"LoopDetected":                  508,
	"NotExtended":                   510,
	"NetworkAuthenticationRequired": 511,
}

func (x StatusCode) String() string {
	return proto.EnumName(StatusCode_name, int32(x))
}

func (StatusCode) EnumDescriptor() ([]byte, []int) {
	return fileDescriptor_7544d7adacd3389b, []int{0}
}

// HTTP status.
type HttpStatus struct {
	// Supplies HTTP response code.
	Code                 StatusCode `protobuf:"varint,1,opt,name=code,proto3,enum=envoy.type.StatusCode" json:"code,omitempty"`
	XXX_NoUnkeyedLiteral struct{}   `json:"-"`
	XXX_unrecognized     []byte     `json:"-"`
	XXX_sizecache        int32      `json:"-"`
}

func (m *HttpStatus) Reset()         { *m = HttpStatus{} }
func (m *HttpStatus) String() string { return proto.CompactTextString(m) }
func (*HttpStatus) ProtoMessage()    {}
func (*HttpStatus) Descriptor() ([]byte, []int) {
	return fileDescriptor_7544d7adacd3389b, []int{0}
}
func (m *HttpStatus) XXX_Unmarshal(b []byte) error {
	return m.Unmarshal(b)
}
func (m *HttpStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
	if deterministic {
		return xxx_messageInfo_HttpStatus.Marshal(b, m, deterministic)
	} else {
		b = b[:cap(b)]
		n, err := m.MarshalTo(b)
		if err != nil {
			return nil, err
		}
		return b[:n], nil
	}
}
func (m *HttpStatus) XXX_Merge(src proto.Message) {
	xxx_messageInfo_HttpStatus.Merge(m, src)
}
func (m *HttpStatus) XXX_Size() int {
	return m.Size()
}
func (m *HttpStatus) XXX_DiscardUnknown() {
	xxx_messageInfo_HttpStatus.DiscardUnknown(m)
}

var xxx_messageInfo_HttpStatus proto.InternalMessageInfo

func (m *HttpStatus) GetCode() StatusCode {
	if m != nil {
		return m.Code
	}
	return StatusCode_Empty
}

func init() {
	proto.RegisterEnum("envoy.type.StatusCode", StatusCode_name, StatusCode_value)
	proto.RegisterType((*HttpStatus)(nil), "envoy.type.HttpStatus")
}

func init() { proto.RegisterFile("envoy/type/http_status.proto", fileDescriptor_7544d7adacd3389b) }

var fileDescriptor_7544d7adacd3389b = []byte{
	// 929 bytes of a gzipped FileDescriptorProto
	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x74, 0x54, 0x49, 0x6f, 0x5c, 0xc5,
	0x13, 0xcf, 0x9b, 0xce, 0xe6, 0x4e, 0x62, 0x57, 0x3a, 0x8b, 0xfd, 0xcf, 0x3f, 0x58, 0x56, 0x4e,
	0x88, 0x83, 0x2d, 0xc1, 0x09, 0x89, 0x8b, 0xed, 0xd8, 0xb1, 0xc1, 0x33, 0x19, 0x8d, 0x67, 0x72,
	0x45, 0xed, 0xd7, 0x35, 0x33, 0xad, 0xbc, 0xe9, 0x7a, 0xe9, 0x57, 0x33, 0xf6, 0xe3, 0xc8, 0x27,
	0x60, 0xdf, 0xd7, 0x03, 0x8b, 0x50, 0x42, 0x40, 0xc0, 0x77, 0x08, 0x7b, 0x3e, 0x02, 0xf2, 0x67,
	0x60, 0x0d, 0x08, 0x50, 0xf7, 0x2c, 0xf6, 0x85, 0x93, 0xfd, 0xaa, 0x6b, 0xf9, 0x2d, 0x35, 0x25,
	0x2f, 0xa3, 0x1b, 0x50, 0xb9, 0xc4, 0x65, 0x8e, 0x4b, 0x5d, 0xe6, 0xfc, 0xe9, 0x82, 0x35, 0xf7,
	0x8b, 0xc5, 0xdc, 0x13, 0x93, 0x92, 0xf1, 0x75, 0x31, 0xbc, 0x5e, 0x9a, 0x1d, 0xe8, 0xcc, 0x1a,
	0xcd, 0xb8, 0x34, 0xfe, 0x67, 0x98, 0x74, 0xe5, 0x49, 0x29, 0x37, 0x98, 0xf3, 0xed, 0x58, 0xa8,
	0x9e, 0x90, 0x47, 0x53, 0x32, 0x38, 0x97, 0x2c, 0x24, 0x0f, 0x4f, 0x3f, 0x7a, 0x71, 0xf1, 0xa0,
	0xc3, 0xe2, 0x30, 0x63, 0x95, 0x0c, 0xae, 0xc0, 0x83, 0x95, 0x63, 0xcf, 0x26, 0x95, 0x85, 0x23,
	0xc3, 0xbf, 0x90, 0x34, 0x62, 0xd5, 0x23, 0x5f, 0x4d, 0x49, 0x79, 0x90, 0xa6, 0xa6, 0xe4, 0xb1,
	0xb5, 0x5e, 0xce, 0x25, 0x1c, 0x51, 0xa7, 0xe5, 0xc9, 0x55, 0x72, 0x6c, 0x5d, 0x1f, 0xc1, 0xa8,
	0x13, 0xb2, 0x72, 0xfd, 0x29, 0xb8, 0x97, 0xa8, 0xd3, 0xf2, 0xc4, 0xaa, 0x47, 0xcd, 0x68, 0xe0,
	0xeb, 0x44, 0x9d, 0x91, 0x27, 0x97, 0xd3, 0x14, 0xf3, 0xf0, 0xf9, 0x4d, 0xa2, 0x16, 0xe4, 0xff,
	0x6b, 0xe4, 0x96, 0xfb, 0xdc, 0x25, 0x6f, 0x59, 0xb3, 0x1d, 0xe0, 0xa6, 0x6b, 0x93, 0xef, 0x69,
	0xb6, 0xe4, 0xe0, 0xdb, 0x44, 0x4d, 0xcb, 0xa9, 0x1a, 0x85, 0xbe, 0xe8, 0x18, 0xbe, 0x4b, 0xd4,
	0x59, 0x79, 0xba, 0x81, 0x05, 0xf2, 0x38, 0xf4, 0x7d, 0xa2, 0xce, 0xc9, 0xe9, 0xba, 0xf6, 0x6c,
	0x75, 0x36, 0x0e, 0xfe, 0x90, 0x28, 0x90, 0xa7, 0xaa, 0xfd, 0x8c, 0xed, 0x10, 0x2b, 0xfc, 0x98,
	0xa8, 0xf3, 0x72, 0x66, 0x39, 0xf3, 0xa8, 0x4d, 0xd9, 0xc0, 0x9c, 0x7c, 0x40, 0x70, 0x3f, 0x51,
	0xa7, 0xe4, 0xf1, 0xcd, 0x6a, 0xab, 0x40, 0x03, 0xfb, 0x31, 0x25, 0x16, 0xe5, 0x19, 0xae, 0x76,
	0xc9, 0xa6, 0x58, 0xc0, 0xed, 0x8a, 0xba, 0x20, 0xa1, 0x4a, 0x03, 0x34, 0x75, 0xf4, 0x3d, 0xed,
	0xd0, 0x71, 0x56, 0xc2, 0x9d, 0x8a, 0x92, 0xf2, 0xd8, 0x3a, 0xf5, 0x9d, 0x81, 0x4f, 0x2b, 0x81,
	0xd6, 0x36, 0xe2, 0x75, 0xee, 0xa2, 0x87, 0xbb, 0x95, 0x30, 0xbc, 0x46, 0x5c, 0x25, 0x63, 0xdb,
	0x16, 0x0d, 0x7c, 0x16, 0x13, 0x5a, 0x05, 0xd6, 0x3d, 0xed, 0x95, 0xf0, 0x79, 0x45, 0x5d, 0x94,
	0x67, 0x9b, 0xd8, 0xcb, 0xc9, 0x6b, 0x5f, 0x36, 0xd0, 0x58, 0x8f, 0x29, 0xc3, 0x17, 0x31, 0x3e,
	0x99, 0x32, 0x89, 0x7f, 0x59, 0x51, 0x33, 0x52, 0xae, 0x68, 0xd3, 0xc0, 0x5b, 0x7d, 0x2c, 0x18,
	0x9e, 0x13, 0x41, 0x86, 0x96, 0xd3, 0x43, 0xdd, 0x9e, 0x41, 0x03, 0xcf, 0x8b, 0x00, 0xbe, 0xae,
	0xcb, 0x5e, 0xac, 0xbc, 0xd5, 0xb7, 0x1e, 0x0d, 0xbc, 0x20, 0x82, 0x7e, 0xeb, 0xe4, 0x77, 0xac,
	0x31, 0xe8, 0xe0, 0x45, 0x11, 0x80, 0xd4, 0x88, 0x87, 0xc0, 0x5f, 0x12, 0x91, 0x1b, 0x72, 0x97,
	0x4c, 0x8d, 0x78, 0x39, 0xcb, 0x68, 0x17, 0x0d, 0xbc, 0x2c, 0x94, 0x92, 0x67, 0x42, 0x20, 0x3a,
	0xa5, 0x77, 0x32, 0x84, 0x57, 0x44, 0xf0, 0x2a, 0xe2, 0x0f, 0x6e, 0xa1, 0x63, 0x9b, 0x46, 0x8f,
	0x26, 0xb3, 0x5e, 0x15, 0xc1, 0x88, 0x11, 0xc4, 0xa6, 0xed, 0x21, 0xf5, 0x19, 0x5e, 0x8b, 0x03,
	0x57, 0xc9, 0xb5, 0x33, 0x9b, 0x32, 0xbc, 0x2e, 0xd4, 0x94, 0x3c, 0x7a, 0x8d, 0x1c, 0xc2, 0x1b,
	0x31, 0x7d, 0x0b, 0x5d, 0x87, 0xbb, 0x93, 0x1e, 0x6f, 0x0a, 0x35, 0x2b, 0x55, 0xdd, 0x63, 0x4a,
	0xce, 0xd8, 0xd0, 0x7e, 0x5d, 0xdb, 0x0c, 0x0d, 0xbc, 0x35, 0xa6, 0x97, 0x91, 0x36, 0x4d, 0xa2,
	0x2d, 0xed, 0x3b, 0x08, 0x6f, 0x8b, 0x20, 0x4c, 0xab, 0xb1, 0x19, 0x22, 0xe4, 0x3a, 0xf0, 0x8e,
	0x50, 0xff, 0x93, 0xe7, 0x5b, 0xae, 0xe8, 0xe7, 0x43, 0x87, 0xab, 0x68, 0xac, 0x6e, 0x96, 0x39,
	0xc2, 0xbb, 0x42, 0xcd, 0xc9, 0x73, 0x0d, 0xed, 0x3a, 0x58, 0x23, 0xde, 0xd6, 0x6c, 0x8b, 0xb6,
	0x8d, 0xd4, 0xde, 0x13, 0x41, 0xf6, 0xb5, 0xbd, 0x1c, 0x53, 0xd6, 0x87, 0x66, 0xbe, 0x1f, 0xc1,
	0x54, 0x6d, 0x31, 0xb4, 0x01, 0x27, 0xf2, 0x7f, 0x10, 0x5b, 0xb5, 0x5c, 0xee, 0x29, 0xc5, 0xa2,
	0x08, 0x4d, 0xd6, 0x1c, 0x5b, 0x2e, 0xe1, 0x43, 0x11, 0xf6, 0x69, 0x8b, 0xd2, 0x9b, 0x68, 0xe0,
	0xa3, 0xa8, 0xee, 0xb0, 0xd9, 0x55, 0xcc, 0xd1, 0x19, 0x74, 0x69, 0x09, 0x1f, 0x47, 0x2a, 0xad,
	0xbc, 0xe3, 0xb5, 0xc1, 0x09, 0xf3, 0x4f, 0x22, 0xf2, 0xc3, 0xcc, 0x27, 0x4f, 0xb7, 0x63, 0x41,
	0x93, 0xa8, 0xaa, 0x5d, 0x39, 0xc2, 0x50, 0xc0, 0x9d, 0x68, 0xc8, 0xe8, 0x73, 0x03, 0xb5, 0x41,
	0xbf, 0x6e, 0x31, 0x33, 0xc5, 0x44, 0x9d, 0xbb, 0x11, 0xe6, 0xa6, 0x63, 0xf4, 0x4e, 0x67, 0xdb,
	0xe8, 0x07, 0xe8, 0xd7, 0xbc, 0x27, 0x0f, 0x3f, 0x47, 0xed, 0x6b, 0xc4, 0x9b, 0xbd, 0x3c, 0xc3,
	0xb0, 0x31, 0x68, 0xe0, 0x17, 0x31, 0xda, 0xb2, 0x6b, 0x9a, 0x71, 0x57, 0x97, 0xf0, 0x6b, 0xe4,
	0x1f, 0xea, 0x6c, 0x8a, 0x2d, 0xa7, 0x07, 0xda, 0x66, 0x51, 0xb0, 0xdf, 0x62, 0xf9, 0x28, 0x6d,
	0xec, 0xf4, 0xef, 0x42, 0x5d, 0x96, 0xb3, 0x1b, 0xcd, 0x66, 0xfd, 0x06, 0xfa, 0xc2, 0x92, 0x0b,
	0x2a, 0x8f, 0x6d, 0x80, 0x3f, 0x84, 0xba, 0x24, 0x2f, 0xdc, 0xd0, 0xde, 0x6a, 0xc7, 0xcb, 0x59,
	0x41, 0x35, 0xec, 0x10, 0x5b, 0xcd, 0x58, 0xc0, 0x83, 0x11, 0xce, 0xa2, 0xdf, 0x6e, 0xdb, 0xd4,
	0xa2, 0xe3, 0x6d, 0x26, 0xaf, 0x3b, 0x08, 0x7f, 0xc6, 0x3d, 0xdf, 0x22, 0xca, 0xaf, 0x22, 0x47,
	0x0b, 0xe0, 0x2f, 0x31, 0xfa, 0x71, 0xad, 0xed, 0x71, 0x50, 0xd4, 0xc0, 0xdf, 0x42, 0x5d, 0x91,
	0x0f, 0xd5, 0x90, 0x77, 0xc9, 0xdf, 0xfc, 0x8f, 0xdd, 0xfc, 0x47, 0xac, 0x3c, 0x7e, 0x6f, 0x7f,
	0x3e, 0xb9, 0xbf, 0x3f, 0x9f, 0xfc, 0xb4, 0x3f, 0x9f, 0xc8, 0x39, 0x4b, 0xc3, 0xbb, 0x97, 0x87,
	0x8d, 0x3e, 0x74, 0x02, 0x57, 0x66, 0x0e, 0x2e, 0x65, 0x3d, 0x1c, 0xcf, 0x7a, 0xb2, 0x73, 0x3c,
	0x5e, 0xd1, 0xc7, 0xfe, 0x0d, 0x00, 0x00, 0xff, 0xff, 0xaa, 0x49, 0xbb, 0xde, 0x8a, 0x05, 0x00,
	0x00,
}

func (m *HttpStatus) Marshal() (dAtA []byte, err error) {
	size := m.Size()
	dAtA = make([]byte, size)
	n, err := m.MarshalTo(dAtA)
	if err != nil {
		return nil, err
	}
	return dAtA[:n], nil
}

func (m *HttpStatus) MarshalTo(dAtA []byte) (int, error) {
	var i int
	_ = i
	var l int
	_ = l
	if m.Code != 0 {
		dAtA[i] = 0x8
		i++
		i = encodeVarintHttpStatus(dAtA, i, uint64(m.Code))
	}
	if m.XXX_unrecognized != nil {
		i += copy(dAtA[i:], m.XXX_unrecognized)
	}
	return i, nil
}

func encodeVarintHttpStatus(dAtA []byte, offset int, v uint64) int {
	for v >= 1<<7 {
		dAtA[offset] = uint8(v&0x7f | 0x80)
		v >>= 7
		offset++
	}
	dAtA[offset] = uint8(v)
	return offset + 1
}
func (m *HttpStatus) Size() (n int) {
	if m == nil {
		return 0
	}
	var l int
	_ = l
	if m.Code != 0 {
		n += 1 + sovHttpStatus(uint64(m.Code))
	}
	if m.XXX_unrecognized != nil {
		n += len(m.XXX_unrecognized)
	}
	return n
}

func sovHttpStatus(x uint64) (n int) {
	return (math_bits.Len64(x|1) + 6) / 7
}
func sozHttpStatus(x uint64) (n int) {
	return sovHttpStatus(uint64((x << 1) ^ uint64((int64(x) >> 63))))
}
func (m *HttpStatus) Unmarshal(dAtA []byte) error {
	l := len(dAtA)
	iNdEx := 0
	for iNdEx < l {
		preIndex := iNdEx
		var wire uint64
		for shift := uint(0); ; shift += 7 {
			if shift >= 64 {
				return ErrIntOverflowHttpStatus
			}
			if iNdEx >= l {
				return io.ErrUnexpectedEOF
			}
			b := dAtA[iNdEx]
			iNdEx++
			wire |= uint64(b&0x7F) << shift
			if b < 0x80 {
				break
			}
		}
		fieldNum := int32(wire >> 3)
		wireType := int(wire & 0x7)
		if wireType == 4 {
			return fmt.Errorf("proto: HttpStatus: wiretype end group for non-group")
		}
		if fieldNum <= 0 {
			return fmt.Errorf("proto: HttpStatus: illegal tag %d (wire type %d)", fieldNum, wire)
		}
		switch fieldNum {
		case 1:
			if wireType != 0 {
				return fmt.Errorf("proto: wrong wireType = %d for field Code", wireType)
			}
			m.Code = 0
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowHttpStatus
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				m.Code |= StatusCode(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
		default:
			iNdEx = preIndex
			skippy, err := skipHttpStatus(dAtA[iNdEx:])
			if err != nil {
				return err
			}
			if skippy < 0 {
				return ErrInvalidLengthHttpStatus
			}
			if (iNdEx + skippy) < 0 {
				return ErrInvalidLengthHttpStatus
			}
			if (iNdEx + skippy) > l {
				return io.ErrUnexpectedEOF
			}
			m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...)
			iNdEx += skippy
		}
	}

	if iNdEx > l {
		return io.ErrUnexpectedEOF
	}
	return nil
}
func skipHttpStatus(dAtA []byte) (n int, err error) {
	l := len(dAtA)
	iNdEx := 0
	for iNdEx < l {
		var wire uint64
		for shift := uint(0); ; shift += 7 {
			if shift >= 64 {
				return 0, ErrIntOverflowHttpStatus
			}
			if iNdEx >= l {
				return 0, io.ErrUnexpectedEOF
			}
			b := dAtA[iNdEx]
			iNdEx++
			wire |= (uint64(b) & 0x7F) << shift
			if b < 0x80 {
				break
			}
		}
		wireType := int(wire & 0x7)
		switch wireType {
		case 0:
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return 0, ErrIntOverflowHttpStatus
				}
				if iNdEx >= l {
					return 0, io.ErrUnexpectedEOF
				}
				iNdEx++
				if dAtA[iNdEx-1] < 0x80 {
					break
				}
			}
			return iNdEx, nil
		case 1:
			iNdEx += 8
			return iNdEx, nil
		case 2:
			var length int
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return 0, ErrIntOverflowHttpStatus
				}
				if iNdEx >= l {
					return 0, io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				length |= (int(b) & 0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			if length < 0 {
				return 0, ErrInvalidLengthHttpStatus
			}
			iNdEx += length
			if iNdEx < 0 {
				return 0, ErrInvalidLengthHttpStatus
			}
			return iNdEx, nil
		case 3:
			for {
				var innerWire uint64
				var start int = iNdEx
				for shift := uint(0); ; shift += 7 {
					if shift >= 64 {
						return 0, ErrIntOverflowHttpStatus
					}
					if iNdEx >= l {
						return 0, io.ErrUnexpectedEOF
					}
					b := dAtA[iNdEx]
					iNdEx++
					innerWire |= (uint64(b) & 0x7F) << shift
					if b < 0x80 {
						break
					}
				}
				innerWireType := int(innerWire & 0x7)
				if innerWireType == 4 {
					break
				}
				next, err := skipHttpStatus(dAtA[start:])
				if err != nil {
					return 0, err
				}
				iNdEx = start + next
				if iNdEx < 0 {
					return 0, ErrInvalidLengthHttpStatus
				}
			}
			return iNdEx, nil
		case 4:
			return iNdEx, nil
		case 5:
			iNdEx += 4
			return iNdEx, nil
		default:
			return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
		}
	}
	panic("unreachable")
}

var (
	ErrInvalidLengthHttpStatus = fmt.Errorf("proto: negative length found during unmarshaling")
	ErrIntOverflowHttpStatus   = fmt.Errorf("proto: integer overflow")
)


================================================
FILE: third_party/generated/envoyproxy/data-plane-api/envoy/type/percent.pb.go
================================================
// Code generated by protoc-gen-gogo. DO NOT EDIT.
// source: envoy/type/percent.proto

package envoy_type

import (
	bytes "bytes"
	encoding_binary "encoding/binary"
	fmt "fmt"
	_ "github.com/envoyproxy/protoc-gen-validate/validate"
	_ "github.com/gogo/protobuf/gogoproto"
	proto "github.com/gogo/protobuf/proto"
	io "io"
	math "math"
	math_bits "math/bits"
)

// Reference imports to suppress errors if they are not otherwise used.
var _ = proto.Marshal
var _ = fmt.Errorf
var _ = math.Inf

// This is a compile-time assertion to ensure that this generated file
// is compatible with the proto package it is being compiled against.
// A compilation error at this line likely means your copy of the
// proto package needs to be updated.
const _ = proto.GoGoProtoPackageIsVersion2 // please upgrade the proto package

// Fraction percentages support several fixed denominator values.
type FractionalPercent_DenominatorType int32

const (
	// 100.
	//
	// **Example**: 1/100 = 1%.
	FractionalPercent_HUNDRED FractionalPercent_DenominatorType = 0
	// 10,000.
	//
	// **Example**: 1/10000 = 0.01%.
	FractionalPercent_TEN_THOUSAND FractionalPercent_DenominatorType = 1
	// 1,000,000.
	//
	// **Example**: 1/1000000 = 0.0001%.
	FractionalPercent_MILLION FractionalPercent_DenominatorType = 2
)

var FractionalPercent_DenominatorType_name = map[int32]string{
	0: "HUNDRED",
	1: "TEN_THOUSAND",
	2: "MILLION",
}

var FractionalPercent_DenominatorType_value = map[string]int32{
	"HUNDRED":      0,
	"TEN_THOUSAND": 1,
	"MILLION":      2,
}

func (x FractionalPercent_DenominatorType) String() string {
	return proto.EnumName(FractionalPercent_DenominatorType_name, int32(x))
}

func (FractionalPercent_DenominatorType) EnumDescriptor() ([]byte, []int) {
	return fileDescriptor_89401f90eb07307e, []int{1, 0}
}

// Identifies a percentage, in the range [0.0, 100.0].
type Percent struct {
	Value                float64  `protobuf:"fixed64,1,opt,name=value,proto3" json:"value,omitempty"`
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

func (m *Percent) Reset()         { *m = Percent{} }
func (m *Percent) String() string { return proto.CompactTextString(m) }
func (*Percent) ProtoMessage()    {}
func (*Percent) Descriptor() ([]byte, []int) {
	return fileDescriptor_89401f90eb07307e, []int{0}
}
func (m *Percent) XXX_Unmarshal(b []byte) error {
	return m.Unmarshal(b)
}
func (m *Percent) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
	if deterministic {
		return xxx_messageInfo_Percent.Marshal(b, m, deterministic)
	} else {
		b = b[:cap(b)]
		n, err := m.MarshalTo(b)
		if err != nil {
			return nil, err
		}
		return b[:n], nil
	}
}
func (m *Percent) XXX_Merge(src proto.Message) {
	xxx_messageInfo_Percent.Merge(m, src)
}
func (m *Percent) XXX_Size() int {
	return m.Size()
}
func (m *Percent) XXX_DiscardUnknown() {
	xxx_messageInfo_Percent.DiscardUnknown(m)
}

var xxx_messageInfo_Percent proto.InternalMessageInfo

func (m *Percent) GetValue() float64 {
	if m != nil {
		return m.Value
	}
	return 0
}

// A fractional percentage is used in cases in which for performance reasons performing floating
// point to integer conversions during randomness calculations is undesirable. The message includes
// both a numerator and denominator that together determine the final fractional value.
//
// * **Example**: 1/100 = 1%.
// * **Example**: 3/10000 = 0.03%.
type FractionalPercent struct {
	// Specifies the numerator. Defaults to 0.
	Numerator uint32 `protobuf:"varint,1,opt,name=numerator,proto3" json:"numerator,omitempty"`
	// Specifies the denominator. If the denominator specified is less than the numerator, the final
	// fractional percentage is capped at 1 (100%).
	Denominator          FractionalPercent_DenominatorType `protobuf:"varint,2,opt,name=denominator,proto3,enum=envoy.type.FractionalPercent_DenominatorType" json:"denominator,omitempty"`
	XXX_NoUnkeyedLiteral struct{}                          `json:"-"`
	XXX_unrecognized     []byte                            `json:"-"`
	XXX_sizecache        int32                             `json:"-"`
}

func (m *FractionalPercent) Reset()         { *m = FractionalPercent{} }
func (m *FractionalPercent) String() string { return proto.CompactTextString(m) }
func (*FractionalPercent) ProtoMessage()    {}
func (*FractionalPercent) Descriptor() ([]byte, []int) {
	return fileDescriptor_89401f90eb07307e, []int{1}
}
func (m *FractionalPercent) XXX_Unmarshal(b []byte) error {
	return m.Unmarshal(b)
}
func (m *FractionalPercent) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
	if deterministic {
		return xxx_messageInfo_FractionalPercent.Marshal(b, m, deterministic)
	} else {
		b = b[:cap(b)]
		n, err := m.MarshalTo(b)
		if err != nil {
			return nil, err
		}
		return b[:n], nil
	}
}
func (m *FractionalPercent) XXX_Merge(src proto.Message) {
	xxx_messageInfo_FractionalPercent.Merge(m, src)
}
func (m *FractionalPercent) XXX_Size() int {
	return m.Size()
}
func (m *FractionalPercent) XXX_DiscardUnknown() {
	xxx_messageInfo_FractionalPercent.DiscardUnknown(m)
}

var xxx_messageInfo_FractionalPercent proto.InternalMessageInfo

func (m *FractionalPercent) GetNumerator() uint32 {
	if m != nil {
		return m.Numerator
	}
	return 0
}

func (m *FractionalPercent) GetDenominator() FractionalPercent_DenominatorType {
	if m != nil {
		return m.Denominator
	}
	return FractionalPercent_HUNDRED
}

func init() {
	proto.RegisterEnum("envoy.type.FractionalPercent_DenominatorType", FractionalPercent_DenominatorType_name, FractionalPercent_DenominatorType_value)
	proto.RegisterType((*Percent)(nil), "envoy.type.Percent")
	proto.RegisterType((*FractionalPercent)(nil), "envoy.type.FractionalPercent")
}

func init() { proto.RegisterFile("envoy/type/percent.proto", fileDescriptor_89401f90eb07307e) }

var fileDescriptor_89401f90eb07307e = []byte{
	// 304 bytes of a gzipped FileDescriptorProto
	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xe2, 0x92, 0x48, 0xcd, 0x2b, 0xcb,
	0xaf, 0xd4, 0x2f, 0xa9, 0x2c, 0x48, 0xd5, 0x2f, 0x48, 0x2d, 0x4a, 0x4e, 0xcd, 0x2b, 0xd1, 0x2b,
	0x28, 0xca, 0x2f, 0xc9, 0x17, 0xe2, 0x02, 0xcb, 0xe8, 0x81, 0x64, 0xa4, 0xc4, 0xcb, 0x12, 0x73,
	0x32, 0x53, 0x12, 0x4b, 0x52, 0xf5, 0x61, 0x0c, 0x88, 0x22, 0x29, 0x91, 0xf4, 0xfc, 0xf4, 0x7c,
	0x30, 0x53, 0x1f, 0xc4, 0x82, 0x88, 0x2a, 0x59, 0x70, 0xb1, 0x07, 0x40, 0xcc, 0x12, 0xd2, 0xe5,
	0x62, 0x2d, 0x4b, 0xcc, 0x29, 0x4d, 0x95, 0x60, 0x54, 0x60, 0xd4, 0x60, 0x74, 0x12, 0xff, 0xe5,
	0x24, 0x22, 0x24, 0x24, 0xc9, 0x00, 0x06, 0x91, 0x0e, 0x9a, 0x0c, 0x50, 0x10, 0x04, 0x51, 0xa5,
	0x74, 0x9a, 0x91, 0x4b, 0xd0, 0xad, 0x28, 0x31, 0xb9, 0x24, 0x33, 0x3f, 0x2f, 0x31, 0x07, 0x66,
	0x88, 0x0c, 0x17, 0x67, 0x5e, 0x69, 0x6e, 0x6a, 0x51, 0x62, 0x49, 0x7e, 0x11, 0xd8, 0x20, 0xde,
	0x20, 0x84, 0x80, 0x50, 0x24, 0x17, 0x77, 0x4a, 0x6a, 0x5e, 0x7e, 0x6e, 0x66, 0x1e, 0x58, 0x9e,
	0x49, 0x81, 0x51, 0x83, 0xcf, 0x48, 0x57, 0x0f, 0xe1, 0x7c, 0x3d, 0x0c, 0x13, 0xf5, 0x5c, 0x10,
	0x1a, 0x42, 0x2a, 0x0b, 0x52, 0x9d, 0x38, 0x7e, 0x39, 0xb1, 0x36, 0x31, 0x32, 0x09, 0x30, 0x06,
	0x21, 0x9b, 0xa5, 0x64, 0xcb, 0xc5, 0x8f, 0xa6, 0x52, 0x88, 0x9b, 0x8b, 0xdd, 0x23, 0xd4, 0xcf,
	0x25, 0xc8, 0xd5, 0x45, 0x80, 0x41, 0x48, 0x80, 0x8b, 0x27, 0xc4, 0xd5, 0x2f, 0x3e, 0xc4, 0xc3,
	0x3f, 0x34, 0xd8, 0xd1, 0xcf, 0x45, 0x80, 0x11, 0x24, 0xed, 0xeb, 0xe9, 0xe3, 0xe3, 0xe9, 0xef,
	0x27, 0xc0, 0xe4, 0x64, 0xb5, 0xe2, 0x91, 0x1c, 0xe3, 0x89, 0x47, 0x72, 0x8c, 0x17, 0x1e, 0xc9,
	0x31, 0x3e, 0x78, 0x24, 0xc7, 0xc8, 0x25, 0x91, 0x99, 0x0f, 0x71, 0x58, 0x41, 0x51, 0x7e, 0x45,
	0x25, 0x92, 0x1b, 0x9d, 0x78, 0xa0, 0x4e, 0x0b, 0x00, 0x85, 0x60, 0x00, 0x63, 0x12, 0x1b, 0x38,
	0x28, 0x8d, 0x01, 0x01, 0x00, 0x00, 0xff, 0xff, 0x5c, 0x32, 0x60, 0x45, 0xa1, 0x01, 0x00, 0x00,
}

func (this *Percent) Equal(that interface{}) bool {
	if that == nil {
		return this == nil
	}

	that1, ok := that.(*Percent)
	if !ok {
		that2, ok := that.(Percent)
		if ok {
			that1 = &that2
		} else {
			return false
		}
	}
	if that1 == nil {
		return this == nil
	} else if this == nil {
		return false
	}
	if this.Value != that1.Value {
		return false
	}
	if !bytes.Equal(this.XXX_unrecognized, that1.XXX_unrecognized) {
		return false
	}
	return true
}
func (this *FractionalPercent) Equal(that interface{}) bool {
	if that == nil {
		return this == nil
	}

	that1, ok := that.(*FractionalPercent)
	if !ok {
		that2, ok := that.(FractionalPercent)
		if ok {
			that1 = &that2
		} else {
			return false
		}
	}
	if that1 == nil {
		return this == nil
	} else if this == nil {
		return false
	}
	if this.Numerator != that1.Numerator {
		return false
	}
	if this.Denominator != that1.Denominator {
		return false
	}
	if !bytes.Equal(this.XXX_unrecognized, that1.XXX_unrecognized) {
		return false
	}
	return true
}
func (m *Percent) Marshal() (dAtA []byte, err error) {
	size := m.Size()
	dAtA = make([]byte, size)
	n, err := m.MarshalTo(dAtA)
	if err != nil {
		return nil, err
	}
	return dAtA[:n], nil
}

func (m *Percent) MarshalTo(dAtA []byte) (int, error) {
	var i int
	_ = i
	var l int
	_ = l
	if m.Value != 0 {
		dAtA[i] = 0x9
		i++
		encoding_binary.LittleEndian.PutUint64(dAtA[i:], uint64(math.Float64bits(float64(m.Value))))
		i += 8
	}
	if m.XXX_unrecognized != nil {
		i += copy(dAtA[i:], m.XXX_unrecognized)
	}
	return i, nil
}

func (m *FractionalPercent) Marshal() (dAtA []byte, err error) {
	size := m.Size()
	dAtA = make([]byte, size)
	n, err := m.MarshalTo(dAtA)
	if err != nil {
		return nil, err
	}
	return dAtA[:n], nil
}

func (m *FractionalPercent) MarshalTo(dAtA []byte) (int, error) {
	var i int
	_ = i
	var l int
	_ = l
	if m.Numerator != 0 {
		dAtA[i] = 0x8
		i++
		i = encodeVarintPercent(dAtA, i, uint64(m.Numerator))
	}
	if m.Denominator != 0 {
		dAtA[i] = 0x10
		i++
		i = encodeVarintPercent(dAtA, i, uint64(m.Denominator))
	}
	if m.XXX_unrecognized != nil {
		i += copy(dAtA[i:], m.XXX_unrecognized)
	}
	return i, nil
}

func encodeVarintPercent(dAtA []byte, offset int, v uint64) int {
	for v >= 1<<7 {
		dAtA[offset] = uint8(v&0x7f | 0x80)
		v >>= 7
		offset++
	}
	dAtA[offset] = uint8(v)
	return offset + 1
}
func (m *Percent) Size() (n int) {
	if m == nil {
		return 0
	}
	var l int
	_ = l
	if m.Value != 0 {
		n += 9
	}
	if m.XXX_unrecognized != nil {
		n += len(m.XXX_unrecognized)
	}
	return n
}

func (m *FractionalPercent) Size() (n int) {
	if m == nil {
		return 0
	}
	var l int
	_ = l
	if m.Numerator != 0 {
		n += 1 + sovPercent(uint64(m.Numerator))
	}
	if m.Denominator != 0 {
		n += 1 + sovPercent(uint64(m.Denominator))
	}
	if m.XXX_unrecognized != nil {
		n += len(m.XXX_unrecognized)
	}
	return n
}

func sovPercent(x uint64) (n int) {
	return (math_bits.Len64(x|1) + 6) / 7
}
func sozPercent(x uint64) (n int) {
	return sovPercent(uint64((x << 1) ^ uint64((int64(x) >> 63))))
}
func (m *Percent) Unmarshal(dAtA []byte) error {
	l := len(dAtA)
	iNdEx := 0
	for iNdEx < l {
		preIndex := iNdEx
		var wire uint64
		for shift := uint(0); ; shift += 7 {
			if shift >= 64 {
				return ErrIntOverflowPercent
			}
			if iNdEx >= l {
				return io.ErrUnexpectedEOF
			}
			b := dAtA[iNdEx]
			iNdEx++
			wire |= uint64(b&0x7F) << shift
			if b < 0x80 {
				break
			}
		}
		fieldNum := int32(wire >> 3)
		wireType := int(wire & 0x7)
		if wireType == 4 {
			return fmt.Errorf("proto: Percent: wiretype end group for non-group")
		}
		if fieldNum <= 0 {
			return fmt.Errorf("proto: Percent: illegal tag %d (wire type %d)", fieldNum, wire)
		}
		switch fieldNum {
		case 1:
			if wireType != 1 {
				return fmt.Errorf("proto: wrong wireType = %d for field Value", wireType)
			}
			var v uint64
			if (iNdEx + 8) > l {
				return io.ErrUnexpectedEOF
			}
			v = uint64(encoding_binary.LittleEndian.Uint64(dAtA[iNdEx:]))
			iNdEx += 8
			m.Value = float64(math.Float64frombits(v))
		default:
			iNdEx = preIndex
			skippy, err := skipPercent(dAtA[iNdEx:])
			if err != nil {
				return err
			}
			if skippy < 0 {
				return ErrInvalidLengthPercent
			}
			if (iNdEx + skippy) < 0 {
				return ErrInvalidLengthPercent
			}
			if (iNdEx + skippy) > l {
				return io.ErrUnexpectedEOF
			}
			m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...)
			iNdEx += skippy
		}
	}

	if iNdEx > l {
		return io.ErrUnexpectedEOF
	}
	return nil
}
func (m *FractionalPercent) Unmarshal(dAtA []byte) error {
	l := len(dAtA)
	iNdEx := 0
	for iNdEx < l {
		preIndex := iNdEx
		var wire uint64
		for shift := uint(0); ; shift += 7 {
			if shift >= 64 {
				return ErrIntOverflowPercent
			}
			if iNdEx >= l {
				return io.ErrUnexpectedEOF
			}
			b := dAtA[iNdEx]
			iNdEx++
			wire |= uint64(b&0x7F) << shift
			if b < 0x80 {
				break
			}
		}
		fieldNum := int32(wire >> 3)
		wireType := int(wire & 0x7)
		if wireType == 4 {
			return fmt.Errorf("proto: FractionalPercent: wiretype end group for non-group")
		}
		if fieldNum <= 0 {
			return fmt.Errorf("proto: FractionalPercent: illegal tag %d (wire type %d)", fieldNum, wire)
		}
		switch fieldNum {
		case 1:
			if wireType != 0 {
				return fmt.Errorf("proto: wrong wireType = %d for field Numerator", wireType)
			}
			m.Numerator = 0
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowPercent
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				m.Numerator |= uint32(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
		case 2:
			if wireType != 0 {
				return fmt.Errorf("proto: wrong wireType = %d for field Denominator", wireType)
			}
			m.Denominator = 0
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return ErrIntOverflowPercent
				}
				if iNdEx >= l {
					return io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				m.Denominator |= FractionalPercent_DenominatorType(b&0x7F) << shift
				if b < 0x80 {
					break
				}
			}
		default:
			iNdEx = preIndex
			skippy, err := skipPercent(dAtA[iNdEx:])
			if err != nil {
				return err
			}
			if skippy < 0 {
				return ErrInvalidLengthPercent
			}
			if (iNdEx + skippy) < 0 {
				return ErrInvalidLengthPercent
			}
			if (iNdEx + skippy) > l {
				return io.ErrUnexpectedEOF
			}
			m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...)
			iNdEx += skippy
		}
	}

	if iNdEx > l {
		return io.ErrUnexpectedEOF
	}
	return nil
}
func skipPercent(dAtA []byte) (n int, err error) {
	l := len(dAtA)
	iNdEx := 0
	for iNdEx < l {
		var wire uint64
		for shift := uint(0); ; shift += 7 {
			if shift >= 64 {
				return 0, ErrIntOverflowPercent
			}
			if iNdEx >= l {
				return 0, io.ErrUnexpectedEOF
			}
			b := dAtA[iNdEx]
			iNdEx++
			wire |= (uint64(b) & 0x7F) << shift
			if b < 0x80 {
				break
			}
		}
		wireType := int(wire & 0x7)
		switch wireType {
		case 0:
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return 0, ErrIntOverflowPercent
				}
				if iNdEx >= l {
					return 0, io.ErrUnexpectedEOF
				}
				iNdEx++
				if dAtA[iNdEx-1] < 0x80 {
					break
				}
			}
			return iNdEx, nil
		case 1:
			iNdEx += 8
			return iNdEx, nil
		case 2:
			var length int
			for shift := uint(0); ; shift += 7 {
				if shift >= 64 {
					return 0, ErrIntOverflowPercent
				}
				if iNdEx >= l {
					return 0, io.ErrUnexpectedEOF
				}
				b := dAtA[iNdEx]
				iNdEx++
				length |= (int(b) & 0x7F) << shift
				if b < 0x80 {
					break
				}
			}
			if length < 0 {
				return 0, ErrInvalidLengthPercent
			}
			iNdEx += length
			if iNdEx < 0 {
				return 0, ErrInvalidLengthPercent
			}
			return iNdEx, nil
		case 3:
			for {
				var innerWire uint64
				var start int = iNdEx
				for shift := uint(0); ; shift += 7 {
					if shift >= 64 {
						return 0, ErrIntOverflowPercent
					}
					if iNdEx >= l {
						return 0, io.ErrUnexpectedEOF
					}
					b := dAtA[iNdEx]
					iNdEx++
					innerWire |= (uint64(b) & 0x7F) << shift
					if b < 0x80 {
						break
					}
				}
				innerWireType := int(innerWire & 0x7)
				if innerWireType == 4 {
					break
				}
				next, err := skipPercent(dAtA[start:])
				if err != nil {
					return 0, err
				}
				iNdEx = start + next
				if iNdEx < 0 {
					return 0, ErrInvalidLengthPercent
				}
			}
			return iNdEx, nil
		case 4:
			return iNdEx, nil
		case 5:
			iNdEx += 4
			return iNdEx, nil
		default:
			return 0, fmt.Errorf("proto: illegal wireType %d", wireType)
		}
	}
	panic("unreachable")
}

var (
	ErrInvalidLengthPercent = fmt.Errorf("proto: negative length found during unmarshaling")
	ErrIntOverflowPercent   = fmt.Errorf("proto: integer overflow")
)


================================================
FILE: utils/README.md
================================================
# Utils directory

This directory has utility libraries that can be used outside the scope of trireme as well but should be looked at as independent packages.

In the roadmap these will move out into libs.


================================================
FILE: utils/allocator/allocator.go
================================================
package allocator

import (
	"strconv"
)

// allocator
type allocator struct {
	allocate chan int
}

// New provides a new allocator
func New(start, size int) Allocator {
	a := &allocator{
		allocate: make(chan int, size),
	}

	for i := start; i < (start + size); i++ {
		a.allocate <- i
	}

	return a
}

// Allocate allocates an item
func (p *allocator) Allocate() string {
	return strconv.Itoa(<-p.allocate)
}

// Release releases an item
func (p *allocator) Release(item string) {

	// Do not release when the channel is full. These can happen when we resync
	// stopped containers.
	if len(p.allocate) == cap(p.allocate) {
		return
	}

	intItem, err := strconv.Atoi(item)
	if err != nil {
		return
	}
	p.allocate <- intItem
}

// AllocateInt allocates an integer.
func (p *allocator) AllocateInt() int {
	return <-p.allocate
}

// ReleaseInt releases an int.
func (p *allocator) ReleaseInt(item int) {
	if len(p.allocate) == cap(p.allocate) || item == 0 {
		return
	}

	p.allocate <- item
}


================================================
FILE: utils/allocator/interfaces.go
================================================
package allocator

// Allocator is an allocator interface
type Allocator interface {

	// Allocate allocates a string
	Allocate() string

	// Release releases a string
	Release(item string)

	// AllocateInt allocates an int
	AllocateInt() int

	// ReleaseInt releases an item of type integer.
	ReleaseInt(item int)
}


================================================
FILE: utils/cache/cache.go
================================================
package cache

import (
	"errors"
	"fmt"
	"sync"
	"time"

	"go.uber.org/zap"
)

// ExpirationNotifier is a function which will be called every time a cache
// expires an item
type ExpirationNotifier func(id interface{}, item interface{})

// DataStore is the interface to a datastore.
type DataStore interface {
	Add(u interface{}, value interface{}) (err error)
	AddOrUpdate(u interface{}, value interface{}) bool
	Get(u interface{}) (i interface{}, err error)
	GetReset(u interface{}, duration time.Duration) (interface{}, error)
	Remove(u interface{}) (err error)
	RemoveWithDelay(u interface{}, duration time.Duration) (err error)
	LockedModify(u interface{}, add func(a, b interface{}) interface{}, increment interface{}) (interface{}, error)
	SetTimeOut(u interface{}, timeout time.Duration) (err error)
	KeyList() []interface{}
	ToString() string
}

// Cache is the structure that involves the map of entries. The cache
// provides a sync mechanism and allows multiple clients at the same time.
type Cache struct {
	name     string
	data     map[interface{}]entry
	lifetime time.Duration
	sync.RWMutex
	expirer ExpirationNotifier
	max     int
}

// entry is a single line in the datastore that includes the actual entry
// and the time that entry was created or updated
type entry struct {
	value     interface{}
	timestamp time.Time
	timer     *time.Timer
	expirer   ExpirationNotifier
}

// cacheRegistry keeps handles of all caches initialized through this library
// for book keeping
type cacheRegistry struct {
	sync.RWMutex
	items map[string]*Cache
}

var registry *cacheRegistry

func init() {

	registry = &cacheRegistry{
		items: make(map[string]*Cache),
	}
}

// Add adds a cache to a registry
func (r *cacheRegistry) Add(c *Cache) {
	r.Lock()
	defer r.Unlock()

	r.items[c.name] = c
}

// ToString generates information about all caches initialized through this lib
func (r *cacheRegistry) ToString() string {
	r.Lock()
	defer r.Unlock()

	buffer := fmt.Sprintf("Cache Registry: %d\n", len(r.items))
	buffer += fmt.Sprintf(" %32s : %s\n\n", "Cache Name", "max/curr")
	for k, c := range r.items {
		buffer += fmt.Sprintf(" %32s : %s\n", k, c.ToString())
	}
	return buffer
}

// NewCache creates a new data cache
func NewCache(name string) *Cache {

	return NewCacheWithExpirationNotifier(name, -1, nil)
}

// NewCacheWithExpiration creates a new data cache
func NewCacheWithExpiration(name string, lifetime time.Duration) *Cache {

	return NewCacheWithExpirationNotifier(name, lifetime, nil)
}

// NewCacheWithExpirationNotifier creates a new data cache with notifier
func NewCacheWithExpirationNotifier(name string, lifetime time.Duration, expirer ExpirationNotifier) *Cache {

	c := &Cache{
		name:     name,
		data:     make(map[interface{}]entry),
		lifetime: lifetime,
		expirer:  expirer,
	}
	c.max = len(c.data)
	registry.Add(c)
	return c
}

// ToString generates information about all caches initialized through this lib
func ToString() string {

	return registry.ToString()
}

// ToString provides statistics about this cache
func (c *Cache) ToString() string {
	c.Lock()
	defer c.Unlock()

	return fmt.Sprintf("%d/%d", c.max, len(c.data))
}

// Add stores an entry into the cache and updates the timestamp
func (c *Cache) Add(u interface{}, value interface{}) (err error) {

	var timer *time.Timer
	if c.lifetime != -1 {
		timer = time.AfterFunc(c.lifetime, func() {
			if err := c.removeNotify(u, true); err != nil {
				zap.L().Warn("Failed to remove item", zap.String("key", fmt.Sprintf("%v", u)))
			}
		})
	}

	t := time.Now()

	c.Lock()
	defer c.Unlock()

	if _, ok := c.data[u]; !ok {

		c.data[u] = entry{
			value:     value,
			timestamp: t,
			timer:     timer,
			expirer:   c.expirer,
		}
		if len(c.data) > c.max {
			c.max = len(c.data)
		}
		return nil
	}

	return errors.New("item exists: use update")
}

// GetReset  changes the value of an entry into the cache and updates the timestamp
func (c *Cache) GetReset(u interface{}, duration time.Duration) (interface{}, error) {

	c.Lock()
	defer c.Unlock()

	if line, ok := c.data[u]; ok {

		if c.lifetime != -1 && line.timer != nil {
			if duration > 0 {
				line.timer.Reset(duration)
			} else {
				line.timer.Reset(c.lifetime)
			}
		}

		return line.value, nil
	}

	return nil, errors.New("cannot read item: not found")
}

// Update changes the value of an entry into the cache and updates the timestamp
func (c *Cache) Update(u interface{}, value interface{}) (err error) {

	var timer *time.Timer
	if c.lifetime != -1 {
		timer = time.AfterFunc(c.lifetime, func() {
			if err := c.removeNotify(u, true); err != nil {
				zap.L().Warn("Failed to remove item", zap.String("key", fmt.Sprintf("%v", u)))
			}
		})
	}

	t := time.Now()

	c.Lock()
	defer c.Unlock()

	if _, ok := c.data[u]; ok {

		if c.data[u].timer != nil {
			c.data[u].timer.Stop()
		}

		c.data[u] = entry{
			value:     value,
			timestamp: t,
			timer:     timer,
			expirer:   c.expirer,
		}

		return nil
	}

	return errors.New("cannot update item: not found")
}

// AddOrUpdate adds a new value in the cache or updates the existing value
// if needed. If an update happens the timestamp is also updated.
// Returns true if key was updated.
func (c *Cache) AddOrUpdate(u interface{}, value interface{}) (updated bool) {

	var timer *time.Timer
	if c.lifetime != -1 {
		timer = time.AfterFunc(c.lifetime, func() {
			if err := c.removeNotify(u, true); err != nil {
				zap.L().Warn("Failed to remove item", zap.String("key", fmt.Sprintf("%v", u)))
			}
		})
	}

	t := time.Now()

	c.Lock()
	defer c.Unlock()

	if _, updated = c.data[u]; updated {
		if c.data[u].timer != nil {
			c.data[u].timer.Stop()
		}
	}

	c.data[u] = entry{
		value:     value,
		timestamp: t,
		timer:     timer,
		expirer:   c.expirer,
	}
	if len(c.data) > c.max {
		c.max = len(c.data)
	}

	return updated
}

// SetTimeOut sets the time out of an entry to a new value
func (c *Cache) SetTimeOut(u interface{}, timeout time.Duration) (err error) {
	c.Lock()
	defer c.Unlock()

	if _, ok := c.data[u]; !ok {
		return errors.New("item is already deleted")
	}

	c.data[u].timer.Reset(timeout)

	return nil
}

// Get retrieves the entry from the cache
func (c *Cache) Get(u interface{}) (i interface{}, err error) {

	c.Lock()
	defer c.Unlock()

	if _, ok := c.data[u]; !ok {
		return nil, errors.New("not found")
	}

	return c.data[u].value, nil
}

// KeyList returns all the keys that are currently stored in the cache.
func (c *Cache) KeyList() []interface{} {
	c.Lock()
	defer c.Unlock()

	list := []interface{}{}
	for k := range c.data {
		list = append(list, k)
	}
	return list
}

// removeNotify removes the entry from the cache and optionally notifies.
// returns error if not there
func (c *Cache) removeNotify(u interface{}, notify bool) (err error) {

	c.Lock()

	val, ok := c.data[u]
	if !ok {
		c.Unlock()
		return errors.New("not found")
	}

	if val.timer != nil {
		val.timer.Stop()
	}
	delete(c.data, u)
	c.Unlock()

	if notify && val.expirer != nil {
		val.expirer(u, val.value)
	}
	return nil
}

// Remove removes the entry from the cache and returns error if not there
func (c *Cache) Remove(u interface{}) (err error) {

	return c.removeNotify(u, false)
}

// RemoveWithDelay removes the entry from the cache after a certain duration
func (c *Cache) RemoveWithDelay(u interface{}, duration time.Duration) error {
	if duration == -1 {
		return c.Remove(u)
	}

	c.Lock()
	defer c.Unlock()

	e, ok := c.data[u]

	if !ok {
		return errors.New("cannot remove item with delay: not found")
	}

	timer := time.AfterFunc(duration, func() {
		if err := c.Remove(u); err != nil {
			zap.L().Warn("Failed to remove item with delay", zap.String("key", fmt.Sprintf("%v", u)), zap.String("delay", duration.String()))
		}
	})

	t := time.Now()

	if c.data[u].timer != nil {
		c.data[u].timer.Stop()
	}

	c.data[u] = entry{
		value:     e.value,
		timestamp: t,
		timer:     timer,
		expirer:   c.expirer,
	}

	return nil

}

// SizeOf returns the number of elements in the cache
func (c *Cache) SizeOf() int {

	c.Lock()
	defer c.Unlock()

	return len(c.data)
}

// LockedModify locks the data store
func (c *Cache) LockedModify(u interface{}, add func(a, b interface{}) interface{}, increment interface{}) (interface{}, error) {

	var timer *time.Timer
	if c.lifetime != -1 {
		timer = time.AfterFunc(c.lifetime, func() {
			if err := c.removeNotify(u, true); err != nil {
				zap.L().Warn("Failed to remove item", zap.String("key", fmt.Sprintf("%v", u)))
			}
		})
	}

	t := time.Now()

	c.Lock()
	defer c.Unlock()

	e, ok := c.data[u]
	if !ok {
		return nil, errors.New("not found")
	}

	if e.timer != nil {
		e.timer.Stop()
	}

	e.value = add(e.value, increment)
	e.timer = timer
	e.timestamp = t
	e.expirer = c.expirer

	c.data[u] = e

	return e.value, nil

}


================================================
FILE: utils/cache/cache_test.go
================================================
// +build !windows

package cache

import (
	"testing"
	"time"

	"github.com/rs/xid"
	. "github.com/smartystreets/goconvey/convey"
)

func TestConstructorNewCache(t *testing.T) {

	//	t.Parallel()

	Convey("Given I call the method NewCache, I should a new cache", t, func() {

		c := &Cache{
			name: "cache",
		}

		So(NewCache("cache"), ShouldHaveSameTypeAs, c)
	})
}

func TestElements(t *testing.T) {

	//	t.Parallel()

	c := NewCache("cache")
	id := xid.New()
	fakeid := xid.New()
	newid := xid.New()
	value := "element"
	secondValue := "element2"
	thirdValue := "element3"

	Convey("Given that I want to test elemenets, I must initialize a cache", t, func() {

		// Test Write
		Convey("Given that I add a new element in the cache, it should not have errors", func() {
			err := c.Add(id, value)
			So(err, ShouldBeNil)
		})

		Convey("Given that I add the same element for a second time, I should get an error", func() {
			err := c.Add(id, value)
			So(err, ShouldNotBeNil)
		})

		// Test Read
		Convey("Given that I have an element in the cache, I should be able to read it", func() {
			newvalue, err := c.Get(id)
			So(value, ShouldEqual, newvalue)
			So(err, ShouldBeNil)
		})

		Convey("Given that I try to read an element that is not there, I should get an error", func() {
			_, err := c.Get(fakeid)
			So(err, ShouldNotBeNil)
		})

		// Test Update
		Convey("Given that I want to update the element, I should be able to do it", func() {

			err := c.Update(id, secondValue)
			So(err, ShouldBeNil)
			newvalue, err := c.Get(id)
			So(newvalue, ShouldEqual, secondValue)
			So(err, ShouldBeNil)
		})

		Convey("Given that I try to update an element that doesn't exist, I should get an error ", func() {
			nextid := xid.New()
			err := c.Update(nextid, value)
			So(err, ShouldNotBeNil)
		})

		Convey("Given that I try to add or update an element in the cache, I should not get an error", func() {

			ok := c.AddOrUpdate(newid, secondValue)
			newvalue, err := c.Get(newid)
			So(newvalue, ShouldEqual, secondValue)
			So(err, ShouldBeNil)
			So(ok, ShouldBeFalse)
		})

		Convey("Given that I try to update an element in the cache, I should not get an error", func() {

			ok := c.AddOrUpdate(newid, thirdValue)
			newvalue, err := c.Get(newid)
			So(newvalue, ShouldEqual, thirdValue)
			So(err, ShouldBeNil)
			So(ok, ShouldBeTrue)
		})

		Convey("Given that I have an element in the cache, I should be able to delete it", func() {
			err := c.Remove(id)
			So(err, ShouldBeNil)
		})

		Convey("Given that I try to delete the same element twice, I should not be able to do it", func() {
			err := c.Remove(id)
			So(err, ShouldNotBeNil)
		})
	})
}

func Test_CacheTimer(t *testing.T) {

	//t.Parallel()

	Convey("Given a new cache with an expiration timer ", t, func() {
		c := NewCacheWithExpiration("cache", 3*time.Second)

		Convey("When I create an item that has to exist for a second", func() {
			err := c.Add("key", "value")
			So(err, ShouldBeNil)

			Convey("Then I should be able to get back the item", func() {
				val, err := c.Get("key")
				So(err, ShouldBeNil)
				So(val.(string), ShouldResemble, "value")

				Convey("When I wait for 1 second and update the time", func() {
					<-time.After(1 * time.Second)

					c.AddOrUpdate("key", "value2")

					Convey("I should be able to read the second item", func() {
						val, err := c.Get("key")
						So(err, ShouldBeNil)
						So(val.(string), ShouldResemble, "value2")

						Convey("But when I wait for a another second, the items should still exist", func() {
							<-time.After(1 * time.Second)
							val, err := c.Get("key")
							So(err, ShouldBeNil)
							So(val.(string), ShouldResemble, "value2")

							Convey("But if I wait for two seconds after the update, the item must not exixt", func() {
								<-time.After(4 * time.Second)
								_, err := c.Get("key")
								So(err, ShouldNotBeNil)
							})
						})
					})

				})

			})
		})
	})
}

func add(a, b interface{}) interface{} {
	return a.(int) + b.(int)
}

func TestLockedModify(t *testing.T) {

	//t.Parallel()

	Convey("Given a new cache", t, func() {
		c := NewCache("cache")

		Convey("Given an element that is an integer", func() {
			err := c.Add("key", 1)
			So(err, ShouldBeNil)
			Convey("Given an an incremental add function", func() {
				value, err := c.LockedModify("key", add, 1)
				So(err, ShouldBeNil)
				So(value, ShouldNotBeNil)
				Convey("I should get the right value  ", func() {
					val, err := c.Get("key")
					So(err, ShouldBeNil)
					So(val.(int), ShouldEqual, 2)
				})
			})
		})
	})
}

func TestTimerExpirationWithUpdate(t *testing.T) {

	//t.Parallel()

	Convey("Given that I instantiate 1 objects with 2 second timers", t, func() {
		i := 1
		c := NewCacheWithExpiration("cache", 2*time.Second)
		err := c.Add(i, i)
		So(err, ShouldBeNil)
		Convey("When I check the cache size After 1 seconds, the size should be 1", func() {
			<-time.After(1 * time.Second)
			// So(c.SizeOf(), ShouldEqual, 1)
			Convey("When I update the object and check again after another 1 seconds, the size should be 1", func() {
				err := c.Update(1, 1)
				So(err, ShouldBeNil)
				<-time.After(1 * time.Second)
				// So(c.SizeOf(), ShouldEqual, 1) // @TODO: fix me it should be 1
				Convey("When I check the cache size After another 2 seconds, the size should be 0", func() {
					<-time.After(2 * time.Second)
					So(c.SizeOf(), ShouldBeZeroValue)
				})
			})
		})
	})
}

func TestGetReset(t *testing.T) {

	//t.Parallel()

	Convey("Given that I instantiate 1 object with a 2 second timer", t, func() {
		c := NewCacheWithExpiration("cache", 2*time.Second)
		err := c.Add("test", "test")
		So(err, ShouldBeNil)
		Convey("When I check the cache after 1 second, the element should be there", func() {
			<-time.After(1 * time.Second)
			d, err := c.Get("test")
			So(err, ShouldBeNil)
			So(d.(string), ShouldResemble, "test")

			Convey("When I retrieve the data with get reset", func() {

				val, err := c.GetReset("test", 0)
				So(err, ShouldBeNil)
				So(val.(string), ShouldResemble, "test")

				Convey("If I wait 1100, the data should still be there ", func() {
					<-time.After(1100 * time.Millisecond)
					d, err := c.Get("test")
					So(err, ShouldBeNil)
					So(d.(string), ShouldResemble, "test")

					Convey("If I wait for another second, the data should be gone", func() {
						<-time.After(1200 * time.Millisecond)
						val, err := c.Get("test")
						So(err, ShouldNotBeNil)
						So(val, ShouldBeNil)
					})
				})
			})
		})
	})
}

func TestSetTimeOut(t *testing.T) {

	//t.Parallel()

	Convey("Given that I instantiate 1 object with a 2 second timer", t, func() {
		c := NewCacheWithExpiration("cache", 2*time.Second)
		err := c.Add("test", "test")
		So(err, ShouldBeNil)
		Convey("When I check the cache after 1 second, the element should be there", func() {
			<-time.After(1 * time.Second)
			d, err := c.Get("test")
			So(err, ShouldBeNil)
			err = c.SetTimeOut("test", 2*time.Second)
			So(err, ShouldBeNil)
			So(d.(string), ShouldResemble, "test")

			Convey("When I reset the timer to two more seconds", func() {

				err := c.SetTimeOut("test", 2*time.Second)
				So(err, ShouldBeNil)

				Convey("If I wait 1100, the data should still be there ", func() {
					<-time.After(1500 * time.Millisecond)
					d, err := c.Get("test")
					So(err, ShouldBeNil)
					So(d.(string), ShouldResemble, "test")

					Convey("If I wait for another second, the data should be gone", func() {
						<-time.After(1200 * time.Millisecond)
						val, err := c.Get("test")
						So(err, ShouldNotBeNil)
						So(val, ShouldBeNil)
					})
				})
			})
		})
	})
}

func TestCacheWithExpirationNotifier(t *testing.T) {

	//t.Parallel()

	finished := make(chan bool)

	Convey("Given a cache with an expiration notitifier ", t, func() {
		c := NewCacheWithExpirationNotifier("cache", 2*time.Second, func(id interface{}, item interface{}) {
			if id.(string) == "test" && item.(string) == "test" {
				finished <- true
			} else {
				finished <- false
			}
		})

		Convey("When I add an element", func() {
			oldtime := time.Now()
			err := c.Add("test", "test")
			So(err, ShouldBeNil)
			Convey("I should receive a notification", func() {
				r := <-finished
				Duration := time.Since(oldtime)
				So(r, ShouldBeTrue)
				So(Duration.Seconds(), ShouldBeGreaterThanOrEqualTo, 2.0)
			})
		})
	})
}

// func TestThousandsOfTimers(t *testing.T) {

// 	//t.Parallel()

// 	Convey("Given that I instantiate 10K objects with 2 second timers", t, func() {
// 		c := NewCacheWithExpiration("cache", 2*time.Second)
// 		for i := 0; i < 1000; i++ {
// 			err := c.Add(i, i)
// 			So(err, ShouldBeNil)
// 		}
// 		Convey("After I wait for 1 second and add 10K more objects with 2 second timers", func() {
// 			<-time.After(1 * time.Second)
// 			for i := 20000; i < 30000; i++ {
// 				err := c.Add(i, i)
// 				So(err, ShouldBeNil)
// 			}
// 			//TODO: This test is failing if we wait 3 seconds
// 			Convey("After I wait for another 4 seconds", func() {
// 				<-time.After(5 * time.Second)
// 				Convey("I should have no objects in the cache", func() {
// 					So(c.SizeOf(), ShouldEqual, 0)
// 				})
// 			})
// 		})
// 	})
// }

func TestRemoveWithDelay(t *testing.T) {
	Convey("Given an initial cache that is non empty", t, func() {
		c := NewCache("cache")
		c.Add("info1", "info1") // nolint
		c.Add("info2", "info2") // nolint
		c.Add("info3", "info3") // nolint
		c.Add("info4", "info4") // nolint

		Convey("When I remove an valid entry with a duration of -1", func() {
			err := c.RemoveWithDelay("info1", -1)
			Convey("It should remove the entry right away", func() {
				So(err, ShouldBeNil)
				So(c.SizeOf(), ShouldEqual, 3)
				_, err := c.Get("info1")
				So(err, ShouldNotBeNil)
			})
		})

		Convey("When I remove an valid entry with a duration of 2 seconds", func() {
			err := c.RemoveWithDelay("info2", 2*time.Second)
			Convey("It should remove the entry right away", func() {
				So(err, ShouldBeNil)
				So(c.SizeOf(), ShouldEqual, 4)
				<-time.After(3 * time.Second)
				So(c.SizeOf(), ShouldEqual, 3)
				_, err := c.Get("info2")
				So(err, ShouldNotBeNil)
			})
		})

		Convey("When I remove an unknown entry with a duration of 2 seconds", func() {
			err := c.RemoveWithDelay("unknown", 2*time.Second)
			Convey("It should return an error", func() {
				So(err, ShouldNotBeNil)
			})
		})

	})
}


================================================
FILE: utils/cgnetcls/cgnetcls.go
================================================
// +build linux

//Package cgnetcls implements functionality to manage classid for processes belonging to different cgroups
package cgnetcls

import (
	"bufio"
	"errors"
	"fmt"
	"io/ioutil"
	"os"
	"path/filepath"
	"strconv"
	"strings"
	"sync/atomic"
	"syscall"

	"github.com/kardianos/osext"
	"go.aporeto.io/enforcerd/trireme-lib/common"
	markconstants "go.aporeto.io/enforcerd/trireme-lib/utils/constants"
	"go.uber.org/zap"
)

// Creategroup creates a cgroup/net_cls structure and writes the allocated classid to the file.
// To add a new process to this cgroup we need to write to the cgroup file
func (s *netCls) Creategroup(cgroupname string) error {

	cgroupPath := filepath.Join(cgroupNetClsPath, s.TriremePath, cgroupname)
	if _, err := os.Stat(cgroupPath); err == nil {
		return nil
	}

	if err := os.MkdirAll(cgroupPath, 0700); err != nil {
		return err
	}

	// Write to the notify on release file and release agent files

	if s.ReleaseAgentPath != "" {
		if err := ioutil.WriteFile(filepath.Join(cgroupNetClsPath, releaseAgentConfFile), []byte(s.ReleaseAgentPath), 0644); err != nil {
			return fmt.Errorf("unable to register a release agent error: %s", err)
		}

		if err := ioutil.WriteFile(filepath.Join(cgroupNetClsPath, notifyOnReleaseFile), []byte("1"), 0644); err != nil {
			return fmt.Errorf("unable to write to the notify file: %s", err)
		}

		if err := ioutil.WriteFile(filepath.Join(cgroupNetClsPath, s.TriremePath, notifyOnReleaseFile), []byte("1"), 0644); err != nil {
			return fmt.Errorf("unable to write to the notify file: %s", err)
		}

		if err := ioutil.WriteFile(filepath.Join(cgroupNetClsPath, s.TriremePath, cgroupname, notifyOnReleaseFile), []byte("1"), 0644); err != nil {
			return fmt.Errorf("unable to write to the notify file: %s", err)
		}
	}

	return nil

}

// AssignRootMark assings the mark at the root of the file system.
func (s *netCls) AssignRootMark(mark uint64) error {

	if _, err := os.Stat(cgroupNetClsPath); os.IsNotExist(err) {
		return fmt.Errorf("cgroup does not exist: %s", err)
	}

	//16 is the base since the mark file expects hexadecimal values
	markval := "0x" + (strconv.FormatUint(mark, 16))

	if err := ioutil.WriteFile(filepath.Join(cgroupNetClsPath, markFile), []byte(markval), 0644); err != nil {
		return fmt.Errorf("failed to write to net_cls.classid file for the root cgroup: %s", err)
	}

	return nil
}

//AssignMark writes the mark value to net_cls.classid file.
func (s *netCls) AssignMark(cgroupname string, mark uint64) error {

	if _, err := os.Stat(filepath.Join(cgroupNetClsPath, s.TriremePath, cgroupname)); os.IsNotExist(err) {
		return fmt.Errorf("cgroup does not exist: %s", err)
	}

	//16 is the base since the mark file expects hexadecimal values
	markval := "0x" + (strconv.FormatUint(mark, 16))

	if err := ioutil.WriteFile(filepath.Join(cgroupNetClsPath, s.TriremePath, cgroupname, markFile), []byte(markval), 0644); err != nil {
		return fmt.Errorf("failed to write to net_cls.classid file for new cgroup: %s", err)
	}

	return nil
}

// AddProcess adds the process to the net_cls group
func (s *netCls) AddProcess(cgroupname string, pid int) error {

	if _, err := os.Stat(filepath.Join(cgroupNetClsPath, s.TriremePath, cgroupname)); os.IsNotExist(err) {
		return fmt.Errorf("cannot add process. cgroup does not exist: %s", err)
	}

	PID := []byte(strconv.Itoa(pid))
	if err := syscall.Kill(pid, 0); err != nil {
		return nil
	}

	if err := ioutil.WriteFile(filepath.Join(cgroupNetClsPath, s.TriremePath, cgroupname, procs), PID, 0644); err != nil {
		return fmt.Errorf("cannot add process: %s", err)
	}

	return nil
}

//RemoveProcess removes the process from the cgroup by writing the pid to the
//top of net_cls cgroup cgroup.procs
func (s *netCls) RemoveProcess(cgroupname string, pid int) error {

	if _, err := os.Stat(filepath.Join(cgroupNetClsPath, s.TriremePath, cgroupname)); os.IsNotExist(err) {
		return fmt.Errorf("cannot clean up process. cgroup does not exist: %s", err)
	}

	data, err := ioutil.ReadFile(filepath.Join(cgroupNetClsPath, procs))
	if err != nil {
		return fmt.Errorf("cannot cleanup process: %s", err)
	}
	if !strings.Contains(string(data), strconv.Itoa(pid)) {
		return errors.New("cannot cleanup process. process is not a part of this cgroup")
	}

	if err := ioutil.WriteFile(filepath.Join(cgroupNetClsPath, procs), []byte(strconv.Itoa(pid)), 0644); err != nil {
		return fmt.Errorf("cannot clean up process: %s", err)
	}

	return nil
}

// DeleteCgroup assumes the cgroup is already empty and destroys the directory structure.
// It will return an error if the group is not empty. Use RempoveProcess to remove all processes
// Before we try deletion
func (s *netCls) DeleteCgroup(cgroupname string) error {

	if _, err := os.Stat(filepath.Join(cgroupNetClsPath, s.TriremePath, cgroupname)); os.IsNotExist(err) {
		zap.L().Debug("Group already deleted", zap.Error(err))
		return nil
	}

	if err := os.Remove(filepath.Join(cgroupNetClsPath, s.TriremePath, cgroupname)); err != nil {
		return fmt.Errorf("unable to delete cgroup %s: %s", cgroupname, err)
	}

	return nil
}

//Deletebasepath removes the base aporeto directory which comes as a separate event when we are not managing any processes
func (s *netCls) Deletebasepath(cgroupName string) bool {

	if cgroupName == s.TriremePath {
		if err := os.Remove(filepath.Join(cgroupNetClsPath, cgroupName)); err != nil {
			zap.L().Error("Error when removing Trireme Base Path", zap.Error(err))
		}
		return true
	}

	return false
}

// ListCgroupProcesses returns lists of  processes in the cgroup
func (s *netCls) ListCgroupProcesses(cgroupname string) ([]string, error) {

	if _, err := os.Stat(filepath.Join(cgroupNetClsPath, s.TriremePath, cgroupname)); os.IsNotExist(err) {
		return []string{}, fmt.Errorf("cgroup %s does not exist: %s", cgroupname, err)
	}

	data, err := ioutil.ReadFile(filepath.Join(cgroupNetClsPath, s.TriremePath, cgroupname, "cgroup.procs"))
	if err != nil {
		return []string{}, fmt.Errorf("cannot read procs file: %s", err)
	}

	procs := []string{}

	for _, line := range strings.Split(string(data), "\n") {
		if len(line) > 0 {
			procs = append(procs, line)
		}
	}

	return procs, nil
}

// ListAllCgroups returns a list of the cgroups that are managed in the Trireme path
func (s *netCls) ListAllCgroups(path string) []string {

	cgroups, err := ioutil.ReadDir(filepath.Join(cgroupNetClsPath, s.TriremePath, path))
	if err != nil {
		return []string{}
	}

	names := make([]string, len(cgroups))
	for i := 0; i < len(cgroups); i++ {
		names[i] = cgroups[i].Name()
	}

	return names
}

func mountCgroupController() error {
	mounts, err := ioutil.ReadFile("/proc/mounts")
	if err != nil {
		return fmt.Errorf("Failed to read /proc/mount: %s", err)
	}

	sc := bufio.NewScanner(strings.NewReader(string(mounts)))
	var netCls = false
	var cgroupMount string
	for sc.Scan() {
		if strings.HasPrefix(sc.Text(), "cgroup") {
			cgroupMount = strings.Split(sc.Text(), " ")[1]
			cgroupMount = cgroupMount[:strings.LastIndex(cgroupMount, "/")]
			if strings.Contains(sc.Text(), "net_cls") {
				cgroupNetClsPath = strings.Split(sc.Text(), " ")[1]
				return nil
			}
		}

	}

	if len(cgroupMount) == 0 {
		return fmt.Errorf("Failed to get mount points: %s", err)
	}

	if !netCls {
		cgroupNetClsPath = cgroupMount + "/net_cls"

		if err := os.MkdirAll(cgroupNetClsPath, 0700); err != nil {
			return fmt.Errorf("Fail to create net_cls directory: %s", err)
		}

		if err := syscall.Mount("cgroup", cgroupNetClsPath, "cgroup", 0, "net_cls,net_prio"); err != nil {
			return fmt.Errorf("Fail to mount net_cls group: %s", err)
		}
	}
	return nil
}

// CgroupMemberCount -- Returns the cound of the number of processes in a cgroup
// TODO: looks like dead code
func CgroupMemberCount(cgroupName string) int {

	if _, err := os.Stat(filepath.Join(cgroupNetClsPath, cgroupName)); os.IsNotExist(err) {
		return 0
	}

	data, err := ioutil.ReadFile(filepath.Join(cgroupNetClsPath, cgroupName, "cgroup.procs"))
	if err != nil {
		return 0
	}

	return len(data)
}

// NewDockerCgroupNetController returns a handle to call functions on the cgroup net_cls controller
func NewDockerCgroupNetController() Cgroupnetcls {

	controller := &netCls{
		markchan:         make(chan uint64),
		ReleaseAgentPath: "",
		TriremePath:      common.TriremeDockerHostNetwork,
	}

	return controller
}

//NewCgroupNetController returns a handle to call functions on the cgroup net_cls controller
func NewCgroupNetController(triremepath string, releasePath string) Cgroupnetcls {

	binpath, _ := osext.Executable()
	controller := &netCls{
		markchan:         make(chan uint64),
		ReleaseAgentPath: binpath,
		TriremePath:      "",
	}

	if releasePath != "" {
		controller.ReleaseAgentPath = releasePath
	}

	if triremepath != "" {
		controller.TriremePath = triremepath
	}

	return controller
}

// MarkVal returns a new Mark Value
func MarkVal() uint64 {
	ret := atomic.AddUint64(&markval, 1)
	// bound to happen if someone has a long running enforcer
	// and uses a lot of LinuxProcess PUs
	if ret == markconstants.EnforcerCgroupMark {
		return atomic.AddUint64(&markval, 1)
	}
	return ret
}


================================================
FILE: utils/cgnetcls/cgnetcls_osx.go
================================================
// +build darwin

//Package cgnetcls implements functionality to manage classid for processes belonging to different cgroups
package cgnetcls

//Creategroup creates a cgroup/net_cls structure and writes the allocated classid to the file.
//To add a new process to this cgroup we need to write to the cgroup file
func (s *netCls) Creategroup(cgroupname string) error {
	return nil
}

//AssignMark writes the mark value to net_cls.classid file.
func (s *netCls) AssignMark(cgroupname string, mark uint64) error {
	return nil
}

// AssignRootMark assings the value at the root.
func (s *netCls) AssignRootMark(mark uint64) error {
	return nil
}

//AddProcess adds the process to the net_cls group
func (s *netCls) AddProcess(cgroupname string, pid int) error {
	return nil
}

//RemoveProcess removes the process from the cgroup by writing the pid to the
//top of net_cls cgroup cgroup.procs
func (s *netCls) RemoveProcess(cgroupname string, pid int) error {
	return nil
}

// DeleteCgroup removes the cgroup
func (s *netCls) DeleteCgroup(cgroupname string) error {
	return nil
}

func (s *netCls) Deletebasepath(contextID string) bool {
	return true
}

func (s *netCls) GetCgroupList() {

}

// ListCgroupProcesses lists the processes of the cgroup
func (s *netCls) ListCgroupProcesses(cgroupname string) ([]string, error) {
	return []string{}, nil
}

// ListAllCgroups returns a list of the cgroups that are managed in the Trireme path
func (s *netCls) ListAllCgroups(path string) []string {
	return []string{}
}

//NewCgroupNetController returns a handle to call functions on the cgroup net_cls controller
func NewCgroupNetController(triremepath string, releasePath string) Cgroupnetcls {
	return &netCls{}
}

//NewDockerCgroupNetController returns a handle to call functions on the cgroup net_cls controller
func NewDockerCgroupNetController() Cgroupnetcls {
	return &netCls{}
}

// MarkVal returns a new Mark
func MarkVal() uint64 {
	return 103
}


================================================
FILE: utils/cgnetcls/cgnetcls_test.go
================================================
// +build linux

package cgnetcls

import (
	"fmt"
	"io/ioutil"
	"math/rand"
	"os"
	"path/filepath"
	"strconv"
	"strings"
	"syscall"
	"testing"

	markconstants "go.aporeto.io/enforcerd/trireme-lib/utils/constants"
)

// This package does not use interfaces/objects from other trireme component so we don't need to mock anything here
// We will create actual system objects
// This can be tested only on linux since the directory structure will not exist anywhere else
// Tests here will be skipped if you don't run as root

const (
	testcgroupname       = "/test"
	testcgroupnameformat = "test"
	testmark             = 100
	testRootUser         = "root"
)

func cleanupnetclsgroup() {
	data, _ := ioutil.ReadFile(filepath.Join(cgroupNetClsPath, testcgroupname, procs))
	fmt.Println(string(data))
	_ = ioutil.WriteFile(filepath.Join(cgroupNetClsPath, procs), data, 0644)
	_ = os.RemoveAll(filepath.Join(cgroupNetClsPath, testcgroupname))
}

func TestCreategroup(t *testing.T) {

	if os.Getenv("USER") != testRootUser {
		t.SkipNow()
	}

	cg := NewCgroupNetController("/tmp", "")
	if err := cg.Creategroup(testcgroupnameformat); err != nil {
		//Check if all the files required are created
		t.Errorf("Failed to create group error returned %s", err.Error())
	}

	defer cleanupnetclsgroup()

	if _, err := ioutil.ReadFile(filepath.Join(cgroupNetClsPath, releaseAgentConfFile)); err != nil {
		if os.IsNotExist(err) {
			t.Errorf("ReleaseAgentConf File does not exist.Cgroup mount failed")
			t.SkipNow()
		}
	}

	if val, err := ioutil.ReadFile(filepath.Join(cgroupNetClsPath, notifyOnReleaseFile)); err != nil {
		if os.IsNotExist(err) {
			t.Errorf("Notify on release file does not exist.Cgroup mount failed")
			t.SkipNow()
		}
	} else {
		if strings.TrimSpace(string(val)) != "1" {
			t.Errorf("Notify release file in base net_cls not programmed")
			t.SkipNow()
		}
	}

	if val, err := ioutil.ReadFile(filepath.Join(cgroupNetClsPath, notifyOnReleaseFile)); err != nil {
		if os.IsNotExist(err) {
			t.Errorf("Notify on release file does not exist.Cgroup mount failed")
			t.SkipNow()
		}
	} else {
		if strings.TrimSpace(string(val)) != "1" {
			t.Errorf("Notify release file in aporeto base dir /sys/fs/cgroup/aporeto not programmed")
			t.SkipNow()
		}
	}

	if val, err := ioutil.ReadFile(filepath.Join(cgroupNetClsPath, testcgroupname, notifyOnReleaseFile)); err != nil {
		if os.IsNotExist(err) {
			t.Errorf("Notify on release file does not exist.Cgroup mount failed")
			t.SkipNow()
		}
	} else {
		if strings.TrimSpace(string(val)) != "1" {
			t.Errorf("Notify release file in cgroup not programmed")
			t.SkipNow()
		}
	}
}

func TestAssignMark(t *testing.T) {
	cg := NewCgroupNetController("/tmp", "")
	if os.Getenv("USER") != testRootUser {
		t.SkipNow()
	}
	//Assigning mark before creating group
	if err := cg.AssignMark(testcgroupname, testmark); err == nil {
		t.Errorf("Assign mark succeeded without a valid group being present ")
		t.SkipNow()
	}
	if err := cg.Creategroup(testcgroupnameformat); err != nil {
		t.Errorf("Error creating cgroup %s", err)
		t.SkipNow()
	}

	defer cleanupnetclsgroup()

	if err := cg.AssignMark(testcgroupnameformat, testmark); err != nil {
		t.Errorf("Failed to assign mark error = %s", err.Error())
		t.SkipNow()
	} else {
		data, _ := ioutil.ReadFile(filepath.Join(cgroupNetClsPath, testcgroupname, markFile))
		u, err := strconv.ParseUint(strings.TrimSpace(string(data)), 10, 64)
		if err != nil {
			t.Errorf("Non Integer mark value in classid file")
			t.SkipNow()
		}
		if u != testmark {
			t.Errorf("Unexpected mark val expected %d, read %d", testmark, u)
			t.SkipNow()
		}
	}
}

func TestAddProcess(t *testing.T) {
	//hopefully this pid does not exist
	pid := 1<<31 - 1
	r := rand.New(rand.NewSource(23))
	if os.Getenv("USER") != testRootUser {
		t.SkipNow()
	}
	cg := NewCgroupNetController("/tmp", "")
	//AddProcess to a non-existent group
	if err := cg.AddProcess(testcgroupname, os.Getpid()); err == nil {
		t.Errorf("Process successfully added to a non existent group")
		t.SkipNow()
	}
	if err := cg.Creategroup(testcgroupnameformat); err != nil {
		t.Errorf("Error creating cgroup")
		t.SkipNow()
	}

	defer cleanupnetclsgroup()

	//Add a non-existent process
	//loop to find non-existent pid
	for {
		if err := syscall.Kill(pid, 0); err != nil {
			break
		}
		pid = r.Int()

	}
	if err := cg.AddProcess(testcgroupnameformat, pid); err != nil {
		t.Errorf("Unexpected error not returned for non-existent process")
		t.SkipNow()
	}
	pid = 1 //Guaranteed to be present
	if err := cg.AddProcess(testcgroupname, pid); err != nil {
		t.Errorf("Failed to add process %s", err.Error())
		t.SkipNow()
	} else {
		//This directory structure should not be delete
		if err := os.RemoveAll(filepath.Join(cgroupNetClsPath, testcgroupname)); err == nil {
			t.Errorf("Process not added to cgroup")
			t.SkipNow()
		}
	}
}

func TestRemoveProcess(t *testing.T) {
	if os.Getenv("USER") != testRootUser {
		t.SkipNow()
	}
	cg := NewCgroupNetController("/tmp", "")
	//Removing process from non-existent group
	if err := cg.RemoveProcess(testcgroupname, 1); err == nil {
		t.Errorf("RemoveProcess succeeded without valid group being present ")
		t.SkipNow()
	}
	if err := cg.Creategroup(testcgroupnameformat); err != nil {
		t.Errorf("Error creating cgroup")
		t.SkipNow()
	}

	defer cleanupnetclsgroup()

	if err := cg.AddProcess(testcgroupname, 1); err != nil {
		t.Errorf("Error adding process")
		t.SkipNow()
	}
	if err := cg.RemoveProcess(testcgroupnameformat, 10); err == nil {
		t.Errorf("Removed process which was not a part of this cgroup")
		t.SkipNow()
	}
	if err := cg.RemoveProcess(testcgroupname, 1); err != nil {
		t.Errorf("Failed to remove process %s", err.Error())
		t.SkipNow()
	}
}

func TestDeleteCgroup(t *testing.T) {
	if os.Getenv("USER") != testRootUser {
		t.SkipNow()
	}
	cg := NewCgroupNetController("/tmp", "")
	//Removing process from non-existent group
	if err := cg.DeleteCgroup(testcgroupnameformat); err != nil {
		t.Errorf("Non-existent cgroup delelte returned an error")
		t.SkipNow()
	}
	if err := cg.Creategroup(testcgroupname); err != nil {
		t.Errorf("Failed to create cgroup %s", err.Error())
		t.SkipNow()
	}

	defer cleanupnetclsgroup()

	if err := cg.DeleteCgroup(testcgroupname); err != nil {
		t.Errorf("Failed to delete cgroup %s", err.Error())
		t.SkipNow()
	}

}

func TestDeleteBasePath(t *testing.T) {
	if os.Getenv("USER") != testRootUser {
		t.SkipNow()
	}
	cg := NewCgroupNetController("/tmp", "")
	//Removing process from non-existent group
	if err := cg.DeleteCgroup(testcgroupname); err != nil {
		t.Errorf("Delete of group failed %s", err.Error())
	}

	defer cleanupnetclsgroup()

	cg.Deletebasepath(testcgroupnameformat)
	_, err := os.Stat(filepath.Join(cgroupNetClsPath, testcgroupname))
	if err == nil {
		t.Errorf("Delete of cgroup from system failed")
		t.SkipNow()
	}
}

func TestListCgroupProcesses(t *testing.T) {
	pid := 1<<31 - 1
	r := rand.New(rand.NewSource(23))
	if os.Getenv("USER") != testRootUser {
		t.SkipNow()
	}
	cg := NewCgroupNetController("/tmp", "")

	_, err := cg.ListCgroupProcesses(testcgroupname)
	if err == nil {
		t.Errorf("No process found but succeeded")
	}
	//AddProcess to a non-existent group
	if err = cg.AddProcess(testcgroupname, os.Getpid()); err == nil {
		t.Errorf("Process successfully added to a non existent group")
		t.SkipNow()
	}
	if err = cg.Creategroup(testcgroupname); err != nil {
		t.Errorf("Error creating cgroup")
		t.SkipNow()
	}

	defer cleanupnetclsgroup()

	//Add a non-existent process
	//loop to find non-existent pid
	for {
		if err = syscall.Kill(pid, 0); err != nil {
			break
		}
		pid = r.Int()

	}

	pid = 1 //Guaranteed to be present
	if err = cg.AddProcess(testcgroupname, pid); err != nil {
		t.Errorf("Failed to add process %s", err.Error())
		t.SkipNow()
	} else {
		//This directory structure should not be delete
		if err = os.RemoveAll(filepath.Join(cgroupNetClsPath, testcgroupname)); err == nil {
			t.Errorf("Process not added to cgroup")
			t.SkipNow()
		}
	}

	procs, err := cg.ListCgroupProcesses(testcgroupname)
	if procs[0] != "1" && err != nil {
		t.Errorf("No process found %d", err)
	}
}

func TestMarkVal(t *testing.T) {
	type test struct {
		name string
		want uint64
	}
	// this is kind of silly, but as this is an atomic counter,
	// there is no other way than to really count up and compare
	generateTests := func() []test {
		ret := []test{}
		i := 1
		for {
			want := i + markconstants.Initialmarkval
			// this is the exception, in this case we should get plus one
			if want >= markconstants.EnforcerCgroupMark {
				want++
			}
			ret = append(ret, test{
				name: strconv.Itoa(i + markconstants.Initialmarkval),
				want: uint64(want),
			})
			// abort a couple tests after that
			if want == markconstants.EnforcerCgroupMark+2 {
				break
			}
			i++
		}
		return ret
	}
	for _, tt := range generateTests() {
		t.Run(tt.name, func(t *testing.T) {
			got := MarkVal()
			t.Logf("test %s, markVal %d", tt.name, got)
			if got != tt.want {
				t.Errorf("MarkVal() = %v, want %v", got, tt.want)
			}
		})
	}
}


================================================
FILE: utils/cgnetcls/cgnetcls_windows.go
================================================
// +build windows

package cgnetcls

import (
	"sync/atomic"

	"go.aporeto.io/enforcerd/trireme-lib/utils/constants"
)

type netCls struct {
}

var markval uint64 = constants.Initialmarkval

// MarkVal returns a new Mark Value
func MarkVal() uint64 {
	return atomic.AddUint64(&markval, 1)
}

//Creategroup creates a cgroup/net_cls structure and writes the allocated classid to the file.
//To add a new process to this cgroup we need to write to the cgroup file
func (s *netCls) Creategroup(cgroupname string) error {
	return nil
}

//AssignMark writes the mark value to net_cls.classid file.
func (s *netCls) AssignMark(cgroupname string, mark uint64) error {
	return nil
}

// AssignRootMark assings the value at the root.
func (s *netCls) AssignRootMark(mark uint64) error {
	return nil
}

//AddProcess adds the process to the net_cls group
func (s *netCls) AddProcess(cgroupname string, pid int) error {
	return nil
}

//RemoveProcess removes the process from the cgroup by writing the pid to the
//top of net_cls cgroup cgroup.procs
func (s *netCls) RemoveProcess(cgroupname string, pid int) error {
	return nil
}

// DeleteCgroup removes the cgroup
func (s *netCls) DeleteCgroup(cgroupname string) error {
	return nil
}

func (s *netCls) Deletebasepath(contextID string) bool {
	return true
}

func (s *netCls) GetCgroupList() {

}

// ListCgroupProcesses lists the processes of the cgroup
func (s *netCls) ListCgroupProcesses(cgroupname string) ([]string, error) {
	return []string{}, nil
}

// ListAllCgroups returns a list of the cgroups that are managed in the Trireme path
func (s *netCls) ListAllCgroups(path string) []string {
	return []string{}
}

//NewCgroupNetController returns a handle to call functions on the cgroup net_cls controller
func NewCgroupNetController(triremepath string, releasePath string) Cgroupnetcls {
	return &netCls{}
}

//NewDockerCgroupNetController returns a handle to call functions on the cgroup net_cls controller
func NewDockerCgroupNetController() Cgroupnetcls {
	return &netCls{}
}

// ConfigureNetClsPath does nothing for windows
func ConfigureNetClsPath(path string) {
}


================================================
FILE: utils/cgnetcls/constants.go
================================================
package cgnetcls

const (
	// CgroupNameTag  identifies the cgroup name
	CgroupNameTag = "@cgroup_name"
	// CgroupMarkTag identifies the cgroup mark value
	CgroupMarkTag = "@cgroup_mark"
	// PortTag is the tag for the port values
	PortTag = "port"
)


================================================
FILE: utils/cgnetcls/constants_nonwindows.go
================================================
// +build !windows

package cgnetcls

const (
	markFile             = "/net_cls.classid"
	procs                = "/cgroup.procs"
	releaseAgentConfFile = "/release_agent"     // nolint: varcheck
	notifyOnReleaseFile  = "/notify_on_release" // nolint: varcheck
)


================================================
FILE: utils/cgnetcls/interfaces.go
================================================
package cgnetcls

//Cgroupnetcls interface exposing methods that can be called from outside to manage net_cls cgroups
type Cgroupnetcls interface {
	Creategroup(cgroupname string) error
	AssignMark(cgroupname string, mark uint64) error
	AssignRootMark(mark uint64) error
	AddProcess(cgroupname string, pid int) error
	RemoveProcess(cgroupname string, pid int) error
	DeleteCgroup(cgroupname string) error
	Deletebasepath(contextID string) bool
	ListCgroupProcesses(cgroupname string) ([]string, error)
	ListAllCgroups(path string) []string
}


================================================
FILE: utils/cgnetcls/mockcgnetcls/mockcgnetcls.go
================================================
// Code generated by MockGen. DO NOT EDIT.
// Source: utils/cgnetcls/interfaces.go

// Package mockcgnetcls is a generated GoMock package.
package mockcgnetcls

import (
	reflect "reflect"

	gomock "github.com/golang/mock/gomock"
)

// MockCgroupnetcls is a mock of Cgroupnetcls interface
// nolint
type MockCgroupnetcls struct {
	ctrl     *gomock.Controller
	recorder *MockCgroupnetclsMockRecorder
}

// MockCgroupnetclsMockRecorder is the mock recorder for MockCgroupnetcls
// nolint
type MockCgroupnetclsMockRecorder struct {
	mock *MockCgroupnetcls
}

// NewMockCgroupnetcls creates a new mock instance
// nolint
func NewMockCgroupnetcls(ctrl *gomock.Controller) *MockCgroupnetcls {
	mock := &MockCgroupnetcls{ctrl: ctrl}
	mock.recorder = &MockCgroupnetclsMockRecorder{mock}
	return mock
}

// EXPECT returns an object that allows the caller to indicate expected use
// nolint
func (m *MockCgroupnetcls) EXPECT() *MockCgroupnetclsMockRecorder {
	return m.recorder
}

// Creategroup mocks base method
// nolint
func (m *MockCgroupnetcls) Creategroup(cgroupname string) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "Creategroup", cgroupname)
	ret0, _ := ret[0].(error)
	return ret0
}

// Creategroup indicates an expected call of Creategroup
// nolint
func (mr *MockCgroupnetclsMockRecorder) Creategroup(cgroupname interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Creategroup", reflect.TypeOf((*MockCgroupnetcls)(nil).Creategroup), cgroupname)
}

// AssignMark mocks base method
// nolint
func (m *MockCgroupnetcls) AssignMark(cgroupname string, mark uint64) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "AssignMark", cgroupname, mark)
	ret0, _ := ret[0].(error)
	return ret0
}

// AssignMark indicates an expected call of AssignMark
// nolint
func (mr *MockCgroupnetclsMockRecorder) AssignMark(cgroupname, mark interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AssignMark", reflect.TypeOf((*MockCgroupnetcls)(nil).AssignMark), cgroupname, mark)
}

// AssignRootMark mocks base method
// nolint
func (m *MockCgroupnetcls) AssignRootMark(mark uint64) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "AssignRootMark", mark)
	ret0, _ := ret[0].(error)
	return ret0
}

// AssignRootMark indicates an expected call of AssignRootMark
// nolint
func (mr *MockCgroupnetclsMockRecorder) AssignRootMark(mark interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AssignRootMark", reflect.TypeOf((*MockCgroupnetcls)(nil).AssignRootMark), mark)
}

// AddProcess mocks base method
// nolint
func (m *MockCgroupnetcls) AddProcess(cgroupname string, pid int) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "AddProcess", cgroupname, pid)
	ret0, _ := ret[0].(error)
	return ret0
}

// AddProcess indicates an expected call of AddProcess
// nolint
func (mr *MockCgroupnetclsMockRecorder) AddProcess(cgroupname, pid interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AddProcess", reflect.TypeOf((*MockCgroupnetcls)(nil).AddProcess), cgroupname, pid)
}

// RemoveProcess mocks base method
// nolint
func (m *MockCgroupnetcls) RemoveProcess(cgroupname string, pid int) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "RemoveProcess", cgroupname, pid)
	ret0, _ := ret[0].(error)
	return ret0
}

// RemoveProcess indicates an expected call of RemoveProcess
// nolint
func (mr *MockCgroupnetclsMockRecorder) RemoveProcess(cgroupname, pid interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RemoveProcess", reflect.TypeOf((*MockCgroupnetcls)(nil).RemoveProcess), cgroupname, pid)
}

// DeleteCgroup mocks base method
// nolint
func (m *MockCgroupnetcls) DeleteCgroup(cgroupname string) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "DeleteCgroup", cgroupname)
	ret0, _ := ret[0].(error)
	return ret0
}

// DeleteCgroup indicates an expected call of DeleteCgroup
// nolint
func (mr *MockCgroupnetclsMockRecorder) DeleteCgroup(cgroupname interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteCgroup", reflect.TypeOf((*MockCgroupnetcls)(nil).DeleteCgroup), cgroupname)
}

// Deletebasepath mocks base method
// nolint
func (m *MockCgroupnetcls) Deletebasepath(contextID string) bool {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "Deletebasepath", contextID)
	ret0, _ := ret[0].(bool)
	return ret0
}

// Deletebasepath indicates an expected call of Deletebasepath
// nolint
func (mr *MockCgroupnetclsMockRecorder) Deletebasepath(contextID interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Deletebasepath", reflect.TypeOf((*MockCgroupnetcls)(nil).Deletebasepath), contextID)
}

// ListCgroupProcesses mocks base method
// nolint
func (m *MockCgroupnetcls) ListCgroupProcesses(cgroupname string) ([]string, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ListCgroupProcesses", cgroupname)
	ret0, _ := ret[0].([]string)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ListCgroupProcesses indicates an expected call of ListCgroupProcesses
// nolint
func (mr *MockCgroupnetclsMockRecorder) ListCgroupProcesses(cgroupname interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ListCgroupProcesses", reflect.TypeOf((*MockCgroupnetcls)(nil).ListCgroupProcesses), cgroupname)
}

// ListAllCgroups mocks base method
// nolint
func (m *MockCgroupnetcls) ListAllCgroups(path string) []string {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ListAllCgroups", path)
	ret0, _ := ret[0].([]string)
	return ret0
}

// ListAllCgroups indicates an expected call of ListAllCgroups
// nolint
func (mr *MockCgroupnetclsMockRecorder) ListAllCgroups(path interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ListAllCgroups", reflect.TypeOf((*MockCgroupnetcls)(nil).ListAllCgroups), path)
}


================================================
FILE: utils/cgnetcls/netcls.go
================================================
// +build !windows

package cgnetcls

import (
	"fmt"
	"io/ioutil"
	"os"
	"path/filepath"
	"strings"

	"go.aporeto.io/enforcerd/trireme-lib/common"
	"go.aporeto.io/enforcerd/trireme-lib/utils/constants"
	"go.uber.org/zap"
)

// receiver definition.
type netCls struct {
	markchan         chan uint64 // nolint: structcheck
	ReleaseAgentPath string
	TriremePath      string
}

var (
	cgroupNetClsPath string
	markval          uint64 = constants.Initialmarkval // nolint: varcheck
)

// ConfigureNetClsPath updates the cgroupNetCls path
func ConfigureNetClsPath(path string) {
	cgroupNetClsPath = path
}

// GetCgroupList geta list of all cgroup names
// TODO: only used in autoport detection, and a bad usage as well
func GetCgroupList() []string {
	var cgroupList []string

	// iterate over our different base paths from the different cgroup base paths
	for _, baseCgroupPath := range []string{common.TriremeCgroupPath, common.TriremeDockerHostNetwork} {
		filelist, err := ioutil.ReadDir(filepath.Join(cgroupNetClsPath, baseCgroupPath))
		if err == nil {
			for _, file := range filelist {
				if file.IsDir() {
					cgroupList = append(cgroupList, filepath.Join(baseCgroupPath, file.Name()))
				}
			}
		}
	}
	return cgroupList
}

// ListCgroupProcesses lists the cgroups that trireme has created
// TODO: only used in autoport detection, and a bad usage as well
func ListCgroupProcesses(cgroupname string) ([]string, error) {

	if _, err := os.Stat(filepath.Join(cgroupNetClsPath, cgroupname)); os.IsNotExist(err) {
		return []string{}, fmt.Errorf("cgroup %s does not exist: %s", cgroupname, err)
	}

	data, err := ioutil.ReadFile(filepath.Join(cgroupNetClsPath, cgroupname, "cgroup.procs"))
	if err != nil {
		return []string{}, fmt.Errorf("cannot read procs file: %s", err)
	}

	procs := []string{}

	for _, line := range strings.Split(string(data), "\n") {
		if len(line) > 0 {
			procs = append(procs, line)
		}
	}

	return procs, nil
}

// GetAssignedMarkVal -- returns the mark val assigned to the group
// TODO: looks like dead code
func GetAssignedMarkVal(cgroupName string) string {
	mark, err := ioutil.ReadFile(filepath.Join(cgroupNetClsPath, cgroupName, markFile))

	if err != nil || len(mark) < 1 {
		zap.L().Error("Unable to read markval for cgroup", zap.String("Cgroup Name", cgroupName), zap.Error(err))
		return ""
	}
	return string(mark[:len(mark)-1])
}


================================================
FILE: utils/constants/constants.go
================================================
package constants

const (
	//Initialmarkval is the start of mark values we assign to cgroup
	Initialmarkval = 100
	// EnforcerCgroupMark is the net_cls.classid that is programmed for the cgroup that all enforcer processes belong to
	EnforcerCgroupMark = 1536
	//PacketMarkToSetConnmark is used to set mark on packet when repeating a packet through nfq.
	PacketMarkToSetConnmark = uint32(0x42)
	//DefaultInputMark is used to set mark on packet when repeating a packet through nfq.
	DefaultInputMark = uint32(0x43)
	// DefaultConnMark is the default conn mark for all data packets
	DefaultConnMark = uint32(0xEEEE)
	// DefaultExternalConnMark is the default conn mark for all data packets
	DefaultExternalConnMark = uint32(0xEEEF)
	// DeleteConnmark is the mark used to trigger udp handshake.
	DeleteConnmark = uint32(0xABCD)
	// DropConnmark is used to drop packets identified by acl's
	DropConnmark = uint32(0xEEED)
	// HandshakeConnmark is used to drop response packets
	HandshakeConnmark = uint32(0xEEEC)
	// IstioPacketMark is a mark that we use so that we don't loop in the Istio Chain forever.
	IstioPacketMark = 0x44
)


================================================
FILE: utils/constants/constants_linux.go
================================================
// +build !rhel6

package constants

// QueueBalanceFactor is always one for non-RHEL6 Linux
const QueueBalanceFactor = 1


================================================
FILE: utils/constants/constants_rhel6.go
================================================
// +build rhel6

package constants

// QueueBalanceFactor is zero on RHEL6 because the mark should not be adjusted
const QueueBalanceFactor = 0


================================================
FILE: utils/cri/common.go
================================================
package cri

// Type is the type to be given at startup
type Type string

// Different enforcer types
const (
	TypeNone       Type = "none"       // TypeNone is the default enforcer type
	TypeDocker     Type = "docker"     // TypeDocker is enforcerd which uses CRI docker
	TypeCRIO       Type = "crio"       // TypeDaemonset is enforcerd which uses CRIO CRI
	TypeContainerD Type = "containerd" // TypeContainerD is a enforcerd which uses containerD CRI
)

// Container returns true iff the enforcer supports containers
func (d Type) Container() bool {
	return d.Docker() || d.CRIO() || d.ContainerD()
}

// CRIO returns true if the enforcer is using CRI for container management
func (d Type) CRIO() bool {
	return d == TypeCRIO
}

// Docker returns true if the enforcer supports docker
func (d Type) Docker() bool {
	return d == TypeDocker
}

// ContainerD returns true if enforcerd is using ContainerD CRI
func (d Type) ContainerD() bool {
	return d == TypeContainerD
}

// SupportRuncProxy returns true iff the enforcer supports runc proxy
func (d Type) SupportRuncProxy() bool {
	return d.Docker() || d.CRIO() || d.ContainerD()
}


================================================
FILE: utils/cri/cri_client_setup.go
================================================
package cri

import "time"

// maxMsgSize use 16MB as the default message size limit.
// grpc library default is 4MB
// NOTE: this should be the exact same constant as used in the kubelet
//       this used to be here: https://github.com/kubernetes/kubernetes/blob/master/pkg/kubelet/cri/remote/utils.go#L29
const maxMsgSize = 1024 * 1024 * 16 // nolint: varcheck

var (
	// connectTimeout is used for establishing the initial grpc dial context
	connectTimeout = time.Second * 30

	// callTimeout is used for every single call to CRI
	callTimeout = time.Second * 5 // nolint: varcheck
)


================================================
FILE: utils/cri/cri_client_setup_linux.go
================================================
// +build linux

package cri

import (
	"context"
	"fmt"
	"net"
	"net/url"
	"os"
	"path"
	"regexp"
	"strings"

	"go.aporeto.io/enforcerd/internal/utils"
	"go.uber.org/zap"
	"google.golang.org/grpc"
	criruntimev1alpha2 "k8s.io/cri-api/pkg/apis/runtime/v1alpha2"
)

// These are defined like this by Kubernetes. The kubelet will search for them exactly like this.
const (
	criDockerShimEndpoint = "/var/run/dockershim.sock"
	criContainerdEndpoint = "/run/containerd/containerd.sock"
	criCrioEndpoint       = "/var/run/crio/crio.sock"
)

var (
	nopFunc = func(path string) string { return path }

	// the following function was earlier utils.GetPathOnHostViaProcRoot but bow that we have proper mounts
	// we will make it a NOP operation.
	getHostPath = nopFunc
)

// ParseStringFlag parses a flag from a given command
func ParseStringFlag(cmd string, flagRegexp string) *string {
	flags := ParseStringFlags(cmd, flagRegexp)
	if len(flags) > 0 {
		return &flags[0]
	}
	return nil
}

// flagTemplate captures CLI flags (i.e., 'cmd --some-flag=value', 'cmd --some-flag value', 'cmd --some-flag=valA --some-flag=valB')
const flagTemplate = `(?:%s)(?:=|\s+)(\S+)`

// ParseStringFlags parses a list of flags from a given command
func ParseStringFlags(cmd string, flagRegexp string) []string {
	var res []string
	expression := fmt.Sprintf(flagTemplate, flagRegexp)
	matches := regexp.MustCompile(expression).FindAllStringSubmatch(cmd, -1)
	for _, tokens := range matches {
		if len(tokens) > 1 {
			res = append(res, strings.Trim(tokens[1], `"'`))
		}
	}
	return res
}

// BuildProcessRegex returns a regex that should match processes with a name matching the given process regular
// expression
// Remark: procExpression can be a regular expression
func BuildProcessRegex(procExpression string) *regexp.Regexp {
	// Expressions that should be matched by a given procname are:
	// procname -flag1 -flag2
	// /bin/procname -flag1 -flag2
	// /procname -flag1 -flag2
	//
	// Expressions that should NOT be matched are:
	// notprocname -flag1 -flag2
	// /bin/notprocname -flag1 -flag2
	// /bin/procname/notprocname -flag1 -flag2
	// notprocname -flag1 procname
	// notprocname -flag1 -procname
	return regexp.MustCompile(fmt.Sprintf(`^(\S*/)?(%s)( |$)`, procExpression))
}

// KubeletProcessRegex is the kubelet process regex used to find the kubelet process
// Sometimes it is not the kubelet binary that is used in the system (e.g. Openshift4) but k8s' all-in-one binary: https://github.com/kubernetes/kubernetes/tree/master/cluster/images/hyperkube
// The following is an example of a kubelet cmdline in Openshift4:
// /usr/bin/hyperkube kubelet --config=/etc/kubernetes/kubelet.conf --bootstrap-kubeconfig=/etc/kubernete s/kubeconfig --rotate-certificates --kubeconfig=/var/lib/kubelet/kubeconfig --container-runtime=remote --container-runtime-endpoint=/var/run/crio/crio.s ock --allow-privileged --node-labels=node-role.kubernetes.io/master --minimum-container-ttl-duration=6m0s --client-ca-file=/etc/kubernetes/ca.crt --clou d-provider=aws --anonymous-auth=false --register-with-taints=node-role.kubernetes.io/master=:NoSchedule
var KubeletProcessRegex = BuildProcessRegex("(hyperkube )?kubelet")

// CriSocket returns the CRI socket path used by kubelet
func CriSocket() (string, error) { //nolint
	procs, err := utils.Processes()
	if err != nil {
		return "", fmt.Errorf("failed to list processes: %v", err)
	}
	for _, proc := range procs {
		if KubeletProcessRegex.MatchString(proc.Cmdline) {
			if sock := ParseStringFlag(proc.Cmdline, "--container-runtime-endpoint"); sock != nil {
				return strings.TrimPrefix(*sock, "unix://"), nil
			}
		}
	}
	return "", nil
}

// DetectCRIRuntimeEndpoint checks if the unix socket path are present for CRI
func DetectCRIRuntimeEndpoint() (string, Type, error) {
	var retErr error
	isUDSocket := func(path string) (string, error) {
		fileInfo, err := os.Stat(path)
		if err != nil {
			return "", fmt.Errorf("%s not a socket", path)
		}
		if !(fileInfo.Mode()&os.ModeSocket == os.ModeSocket) {
			return "", fmt.Errorf("%s not a socket", path)
		}
		return "unix://" + path, nil

	}
	runtimes := []string{criDockerShimEndpoint, criContainerdEndpoint, criCrioEndpoint}
	existingCriSockets := []string{}

	for _, p := range runtimes {
		path := getHostPath(p)
		if addr, err := isUDSocket(path); err == nil {
			zap.L().Debug("cri: detected CRI runtime service socket address", zap.String("socketPathAddress", addr))
			existingCriSockets = append(existingCriSockets, addr)
		} else {
			retErr = err
			zap.L().Debug("cri: socket path unavailable/inaccessible", zap.String("socketPath", path), zap.Error(err))
		}
	}
	zap.L().Debug("The CRI sockets found are:", zap.Strings("paths", existingCriSockets))
	if len(existingCriSockets) > 1 {
		// this should ideally not happen but if it happens then get the kubelet cmdLine CRI
		// now check for the kubelet runtime
		sockaddr, err := CriSocket()
		if err != nil {
			return sockaddr, getCRISocketAddrType(sockaddr), fmt.Errorf("Multiple detection of CRI runtime endpoints, failed to get socketPath from kubelet")
		}
		// If there is no CRI EP on kubelet that means docker is the default, because kubelet's default CRI is docker.
		if sockaddr == "" {
			return getHostPath(criDockerShimEndpoint), TypeDocker, nil
		}
		return sockaddr, getCRISocketAddrType(sockaddr), nil
	} else if len(existingCriSockets) == 1 {
		return existingCriSockets[0], getCRISocketAddrType(existingCriSockets[0]), nil
	}
	// no CRI endpoint present on the system/node, this can happen during restarts
	return "", TypeNone, fmt.Errorf("auto detection of CRI runtime endpoints failed, tested common locations %s, %s", strings.Join(runtimes, ", "), retErr)
}

func getCRISocketAddrType(sockaddr string) Type {
	if strings.Contains(sockaddr, "crio") {
		return TypeCRIO
	}
	if strings.Contains(sockaddr, "containerd") {
		return TypeContainerD
	}
	if strings.Contains(sockaddr, "docker") {
		return TypeDocker
	}
	return TypeNone
}

func getCRISocketAddr(criRuntimeEndpoint string) (string, error) {
	var err error
	addr := criRuntimeEndpoint
	if addr == "" {
		addr, _, err = DetectCRIRuntimeEndpoint()
		if err != nil {
			return "", err
		}
	}
	if strings.HasPrefix(addr, "tcp:") {
		return "", fmt.Errorf("tcp endpoints are not supported")
	}
	if !strings.HasPrefix(addr, "unix:") {
		addr = "unix://" + addr
	}
	addr = path.Clean(addr)

	if strings.Contains(addr, "frakti") {
		return "", fmt.Errorf("frakti runtime is not supported")
	}

	u, err := url.Parse(addr)
	if err != nil {
		return "", err
	}
	if u.Scheme != "unix" {
		return "", fmt.Errorf("only unix sockets are supported")
	}

	// NOTE: convoluted, but makes unix socket paths and abstract unix socket socket URLs in gRPC connotation both work.
	// The trouble is that u.Path is only set for "proper" unix socket, and the rest is in u.Opaque
	// This strips "unix:" from the URL again as well as any following potential "//",
	// leaving a single '/' if this was a 'unix:///var/run/...' address
	return strings.TrimPrefix(strings.TrimPrefix(addr, "unix:"), "//"), nil
}

func connectCRISocket(ctx context.Context, addr string) (*grpc.ClientConn, error) {
	var err error
	var connection *grpc.ClientConn

	ctx, cancel := context.WithTimeout(ctx, connectTimeout)
	defer cancel()

	connection, err = grpc.DialContext(
		ctx,
		addr,
		// we want to wait for an initial connection
		grpc.WithBlock(),
		// we do everything like the kubelet: we bump this up to 16MB
		grpc.WithDefaultCallOptions(grpc.MaxCallRecvMsgSize(maxMsgSize)),
		// unix socket connection, disable transport security
		grpc.WithInsecure(),
		grpc.WithContextDialer(func(ctx context.Context, addr string) (net.Conn, error) {
			return (&net.Dialer{}).DialContext(ctx, "unix", addr)
		}),
	)
	if err != nil {
		return nil, fmt.Errorf("connection to CRI runtime service failed: %s", err.Error())
	}
	return connection, nil
}

// NewCRIRuntimeServiceClient takes a CRI socket path and tries to establish a grpc connection to the CRI runtime service.
// On success it is returning an ExtendedRuntimeService interface which is an extended CRI runtime service interface.
func NewCRIRuntimeServiceClient(ctx context.Context, criRuntimeEndpoint string) (ExtendedRuntimeService, error) {
	// build the socket path URL
	addr, err := getCRISocketAddr(criRuntimeEndpoint)
	if err != nil {
		return nil, fmt.Errorf("cri: failed to get socket address: %s", err)
	}

	// establish the CRI connection
	// once this connection has been established
	// gRPC will take care of reconnections, etc.
	// connections are very much hands-off after that point
	connection, err := connectCRISocket(ctx, addr)
	if err != nil {
		return nil, fmt.Errorf("cri: failed to connect to CRI socket: %s", err)
	}

	// finally create the extended wrapper
	svc, err := NewCRIExtendedRuntimeServiceWrapper(
		ctx,
		callTimeout,
		criruntimev1alpha2.NewRuntimeServiceClient(connection),
	)
	if err != nil {
		return nil, fmt.Errorf("faile to create extended runtime service wrapper: %s", err.Error())
	}

	// and return with it
	return svc, nil
}


================================================
FILE: utils/cri/cri_client_setup_linux_test.go
================================================
// +build linux

package cri

import (
	"context"
	"net"
	"os"
	"path/filepath"
	"strings"
	"testing"
	"time"

	"google.golang.org/grpc"
)

func Test_DetectCRIRuntimeEndpoint(t *testing.T) {
	wd, err := os.Getwd()
	if err != nil {
		panic(err)
	}
	path := filepath.Join(wd, "testdata", "var", "run", "crio", "crio.sock")

	if err := os.RemoveAll(path); err != nil {
		panic(err)
	}
	if err := os.MkdirAll(filepath.Dir(path), 0777); err != nil {
		panic(err)
	}
	l, err := net.Listen("unix", path)
	if err != nil {
		panic(err)
	}
	defer l.Close() // nolint

	oldGetHostPath := getHostPath
	defer func() {
		getHostPath = oldGetHostPath
	}()
	tests := []struct {
		name        string
		getHostPath func(string) string
		want        string
		runType     Type
		wantErr     bool
	}{
		{
			name: "failed to detect a runtime",
			getHostPath: func(path string) string {
				return filepath.Join(wd, "does-not-exist", path)
			},
			want:    "",
			runType: TypeNone,
			wantErr: true,
		},
		{
			name: "detected a runtime",
			getHostPath: func(path string) string {
				return filepath.Join(wd, "testdata", path)
			},
			want:    "unix://" + filepath.Join(wd, "testdata", "var", "run", "crio", "crio.sock"),
			runType: TypeCRIO,
			wantErr: false,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			getHostPath = tt.getHostPath
			got, rtype, err := DetectCRIRuntimeEndpoint()
			if (err != nil) != tt.wantErr {
				t.Errorf("DetectCRIRuntimeEndpoint() error = %v, wantErr %v", err, tt.wantErr)
				return
			}
			if got != tt.want {
				t.Errorf("DetectCRIRuntimeEndpoint() = %v, want %v", got, tt.want)
			}
			if rtype != tt.runType {
				t.Errorf("DetectCRIRuntimeEndpoint() = %v, want %v", rtype, tt.runType)
			}
		})
	}
}

func Test_getCRISocketAddr(t *testing.T) {
	wd, err := os.Getwd()
	if err != nil {
		panic(err)
	}

	path := filepath.Join(wd, "testdata", "var", "run", "crio", "crio.sock")

	if err := os.RemoveAll(path); err != nil {
		panic(err)
	}
	if err := os.MkdirAll(filepath.Dir(path), 0777); err != nil {
		panic(err)
	}
	l, err := net.Listen("unix", path)
	if err != nil {
		panic(err)
	}
	defer l.Close() // nolint

	oldGetHostPath := getHostPath
	defer func() {
		getHostPath = oldGetHostPath
	}()
	type args struct {
		criRuntimeEndpoint string
	}
	tests := []struct {
		name        string
		getHostPath func(string) string
		args        args
		want        string
		wantErr     bool
	}{
		{
			name: "auto-detected runtime should return without any error if it succeeds",
			args: args{
				criRuntimeEndpoint: "", // empty string enables auto-detection
			},
			getHostPath: func(path string) string {
				return filepath.Join(wd, "testdata", path)
			},
			want:    filepath.Join(wd, "testdata", "var", "run", "crio", "crio.sock"),
			wantErr: false,
		},
		{
			name: "if auto-detection is enabled and fails, we must fail",
			args: args{
				criRuntimeEndpoint: "", // empty string enables auto-detection
			},
			getHostPath: func(path string) string {
				return filepath.Join(wd, "does-not-exist", path)
			},
			want:    "",
			wantErr: true,
		},
		{
			name: "we fail on tcp endpoints",
			args: args{
				criRuntimeEndpoint: "tcp://127.0.0.1:1234",
			},
			want:    "",
			wantErr: true,
		},
		{
			name: "correct file paths to a unix socket should work",
			args: args{
				criRuntimeEndpoint: filepath.Join(wd, "testdata", "var", "run", "crio", "crio.sock"),
			},
			want:    filepath.Join(wd, "testdata", "var", "run", "crio", "crio.sock"),
			wantErr: false,
		},
		{
			name: "frakti is not supported",
			args: args{
				criRuntimeEndpoint: "/var/run/frakti.sock",
			},
			want:    "",
			wantErr: true,
		},
		{
			name: "frakti is not supported",
			args: args{
				criRuntimeEndpoint: "/var/run/frakti.sock",
			},
			want:    "",
			wantErr: true,
		},
		{
			name: "URL parsing of endpoint fails",
			args: args{
				criRuntimeEndpoint: string([]byte{0x7f}),
			},
			want:    "",
			wantErr: true,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			getHostPath = tt.getHostPath
			got, err := getCRISocketAddr(tt.args.criRuntimeEndpoint)
			if (err != nil) != tt.wantErr {
				t.Errorf("getCRISocketAddr() error = %v, wantErr %v", err, tt.wantErr)
				return
			}
			if got != tt.want {
				t.Errorf("getCRISocketAddr() = %v, want %v", got, tt.want)
			}
		})
	}
}

func Test_connectCRISocket(t *testing.T) {
	oldConnectTimeout := connectTimeout
	defer func() {
		connectTimeout = oldConnectTimeout
	}()
	type args struct {
		ctx  context.Context
		addr string
	}
	tests := []struct {
		name           string
		args           args
		connectTimeout time.Duration
		runServer      bool
		wantErr        bool
	}{
		{
			name: "no timeout produces a canceled context which must always error",
			args: args{
				ctx:  context.Background(),
				addr: "",
			},
			connectTimeout: 0,
			wantErr:        true,
		},
		{
			name: "successful connection to a unix server listening",
			args: args{
				ctx:  context.Background(),
				addr: "@aporeto_cri_grpc_connect_test",
			},
			runServer:      true,
			connectTimeout: time.Second * 10,
			wantErr:        false,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			connectTimeout = tt.connectTimeout
			ctx, cancel := context.WithCancel(tt.args.ctx)
			defer cancel()
			if tt.runServer {
				s := grpc.NewServer()
				defer s.Stop()
				go func() {
					l, err := (&net.ListenConfig{}).Listen(ctx, "unix", tt.args.addr)
					if err != nil {
						panic(err)
					}
					s.Serve(l) // nolint: errcheck
				}()
			}
			_, err := connectCRISocket(ctx, tt.args.addr)
			if (err != nil) != tt.wantErr {
				t.Errorf("connectCRISocket() error = %v, wantErr %v", err, tt.wantErr)
				return
			}
		})
	}
}

func TestNewCRIRuntimeServiceClient(t *testing.T) {
	oldConnectTimeout := connectTimeout
	oldCallTimeout := callTimeout
	defer func() {
		connectTimeout = oldConnectTimeout
		callTimeout = oldCallTimeout
	}()
	type args struct {
		ctx                context.Context
		criRuntimeEndpoint string
	}
	tests := []struct {
		name           string
		args           args
		connectTimeout time.Duration
		callTimeout    time.Duration
		runServer      bool
		wantErr        bool
	}{
		{
			name: "fails on getting socket path",
			args: args{
				ctx:                context.Background(),
				criRuntimeEndpoint: string([]byte{0x7f}),
			},
			runServer: false,
			wantErr:   true,
		},
		{
			name: "success",
			args: args{
				ctx:                context.Background(),
				criRuntimeEndpoint: "unix:@aporeto_cri_grpc_connect_test1",
			},
			connectTimeout: time.Second * 10,
			callTimeout:    time.Second * 5,
			runServer:      true,
			wantErr:        false,
		},
		{
			name: "fails creating the ExtendedRuntimeService",
			args: args{
				ctx:                context.Background(),
				criRuntimeEndpoint: "unix:@aporeto_cri_grpc_connect_test2",
			},
			connectTimeout: time.Second * 10,
			callTimeout:    0, // call timeout must not be 0
			runServer:      true,
			wantErr:        true,
		},
		{
			name: "fails connecting to the grpc socket",
			args: args{
				ctx:                context.Background(),
				criRuntimeEndpoint: "unix:@aporeto_cri_grpc_connect_test3",
			},
			connectTimeout: 0,
			runServer:      true,
			wantErr:        true,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			connectTimeout = tt.connectTimeout
			callTimeout = tt.callTimeout
			ctx, cancel := context.WithCancel(tt.args.ctx)
			defer cancel()
			if tt.runServer {
				s := grpc.NewServer()
				defer s.Stop()
				go func() {
					l, err := (&net.ListenConfig{}).Listen(ctx, "unix", strings.TrimPrefix(strings.TrimPrefix(tt.args.criRuntimeEndpoint, "unix:"), "//"))
					if err != nil {
						panic(err)
					}
					s.Serve(l) // nolint: errcheck
				}()
			}
			_, err := NewCRIRuntimeServiceClient(ctx, tt.args.criRuntimeEndpoint)
			if (err != nil) != tt.wantErr {
				t.Errorf("NewCRIRuntimeServiceClient() error = %v, wantErr %v", err, tt.wantErr)
				return
			}
		})
	}
}


================================================
FILE: utils/cri/cri_client_setup_unsupported.go
================================================
// +build !linux,!windows

package cri

import (
	"context"
	"errors"
)

// NewCRIRuntimeServiceClient is not supported for non-linux
func NewCRIRuntimeServiceClient(ctx context.Context, criRuntimeEndpoint string) (ExtendedRuntimeService, error) {
	return nil, errors.New("unsupported platform")
}

// DetectCRIRuntimeEndpoint checks if the unix socket path are present for CRI
func DetectCRIRuntimeEndpoint() (string, Type, error) {
	return "", TypeNone, errors.New("unsupported platform")
}


================================================
FILE: utils/cri/cri_client_setup_windows.go
================================================
// +build windows

package cri

import (
	"context"
	"fmt"
	"net"
	"net/url"
	"os"
	"path"
	"regexp"
	"strings"

	"github.com/Microsoft/go-winio"
	"go.aporeto.io/enforcerd/internal/utils"
	"go.uber.org/zap"
	"google.golang.org/grpc"
	criruntimev1alpha2 "k8s.io/cri-api/pkg/apis/runtime/v1alpha2"
)

const (
	criDockerShimEndpoint    = "//./pipe/dockershim"
	criContainerdOldEndpoint = "//./pipe/containerd"
	criContainerdEndpoint    = "//./pipe/containerd-containerd"
	criCrioEndpoint          = "//./pipe/crio"
)

// ParseStringFlag parses a flag from a given command
func ParseStringFlag(cmd string, flagRegexp string) *string {
	flags := ParseStringFlags(cmd, flagRegexp)
	if len(flags) > 0 {
		return &flags[0]
	}
	return nil
}

// flagTemplate captures CLI flags (i.e., 'cmd --some-flag=value', 'cmd --some-flag value', 'cmd --some-flag=valA --some-flag=valB')
const flagTemplate = `(?:%s)(?:=|\s+)(\S+)`

// ParseStringFlags parses a list of flags from a given command
func ParseStringFlags(cmd string, flagRegexp string) []string {
	var res []string
	expression := fmt.Sprintf(flagTemplate, flagRegexp)
	matches := regexp.MustCompile(expression).FindAllStringSubmatch(cmd, -1)
	for _, tokens := range matches {
		if len(tokens) > 1 {
			res = append(res, strings.Trim(tokens[1], `"'`))
		}
	}
	return res
}

// BuildProcessRegex returns a regex that should match processes with a name matching the given process regular
// expression
// Remark: procExpression can be a regular expression
func BuildProcessRegex(procExpression string) *regexp.Regexp {
	// Expressions that should be matched by a given procname are:
	// procname -flag1 -flag2
	// /bin/procname -flag1 -flag2
	// /procname -flag1 -flag2
	//
	// Expressions that should NOT be matched are:
	// notprocname -flag1 -flag2
	// /bin/notprocname -flag1 -flag2
	// /bin/procname/notprocname -flag1 -flag2
	// notprocname -flag1 procname
	// notprocname -flag1 -procname
	return regexp.MustCompile(fmt.Sprintf(`^(\S*/)?(%s)( |$)`, procExpression))
}

// KubeletProcessRegex is the kubelet process regex used to find the kubelet process
// Sometimes it is not the kubelet binary that is used in the system (e.g. Openshift4) but k8s' all-in-one binary: https://github.com/kubernetes/kubernetes/tree/master/cluster/images/hyperkube
// The following is an example of a kubelet cmdline in Openshift4:
// /usr/bin/hyperkube kubelet --config=/etc/kubernetes/kubelet.conf --bootstrap-kubeconfig=/etc/kubernete s/kubeconfig --rotate-certificates --kubeconfig=/var/lib/kubelet/kubeconfig --container-runtime=remote --container-runtime-endpoint=/var/run/crio/crio.s ock --allow-privileged --node-labels=node-role.kubernetes.io/master --minimum-container-ttl-duration=6m0s --client-ca-file=/etc/kubernetes/ca.crt --clou d-provider=aws --anonymous-auth=false --register-with-taints=node-role.kubernetes.io/master=:NoSchedule
var KubeletProcessRegex = BuildProcessRegex("(hyperkube )?kubelet")

// CriSocket returns the CRI socket path used by kubelet
func CriSocket() (string, error) { //nolint
	procs, err := utils.Processes()
	if err != nil {
		return "", fmt.Errorf("failed to list processes: %v", err)
	}
	for _, proc := range procs {
		if KubeletProcessRegex.MatchString(proc.Cmdline) {
			if sock := ParseStringFlag(proc.Cmdline, "--container-runtime-endpoint"); sock != nil {
				return strings.TrimPrefix(*sock, "npipe://"), nil
			}
		}
	}
	return "", nil
}

// DetectCRIRuntimeEndpoint checks if the unix socket path are present for CRI
func DetectCRIRuntimeEndpoint() (string, Type, error) {
	var retErr error
	isNamedPipe := func(path string) (string, error) {
		_, err := os.Stat(path)
		if err != nil {
			return "", fmt.Errorf("%s not a named pipe", path)
		}
		return path, nil
	}
	runtimes := []string{criDockerShimEndpoint, criContainerdEndpoint, criContainerdOldEndpoint, criCrioEndpoint}
	existingCriSockets := []string{}
	for _, p := range runtimes {
		if addr, err := isNamedPipe(p); err == nil {
			zap.L().Debug("cri: detected CRI runtime service socket address", zap.String("socketPathAddress", addr))
			existingCriSockets = append(existingCriSockets, addr)
		} else {
			retErr = err
			zap.L().Debug("cri: socket path unavailable/inaccessible", zap.String("socketPath", p), zap.Error(err))
		}
	}

	zap.L().Debug("The CRI sockets found are:", zap.Strings("paths", existingCriSockets))
	if len(existingCriSockets) > 1 {
		// this should ideally not happen but if it happens then get the kubelet cmdLine CRI
		// now check for the kubelet runtime
		sockaddr, err := CriSocket()
		if err != nil {
			return sockaddr, getCRISocketAddrType(sockaddr), fmt.Errorf("Multiple detection of CRI runtime endpoints, failed to get socketPath from kubelet")
		}
		// If there is no CRI EP on kubelet that means docker is the default, because kubelet's default CRI is docker.
		if sockaddr == "" {
			return criDockerShimEndpoint, TypeDocker, nil
		}
		return sockaddr, getCRISocketAddrType(sockaddr), nil
	} else if len(existingCriSockets) == 1 {
		return existingCriSockets[0], getCRISocketAddrType(existingCriSockets[0]), nil
	}
	// no CRI endpoint present on the system/node, this can happen during restarts
	return "", TypeNone, fmt.Errorf("auto detection of CRI runtime endpoints failed, tested common locations %s, %s", strings.Join(runtimes, ", "), retErr)
}

func getCRISocketAddrType(sockaddr string) Type {
	if strings.Contains(sockaddr, "crio") {
		return TypeCRIO
	}
	if strings.Contains(sockaddr, "containerd") {
		return TypeContainerD
	}
	if strings.Contains(sockaddr, "docker") {
		return TypeDocker
	}
	return TypeNone
}

func getCRISocketAddr(criRuntimeEndpoint string) (string, error) {
	var err error
	// url.Parse only supports forward slashes
	addr := strings.Replace(criRuntimeEndpoint, "\\", "/", -1)
	if addr == "" {
		addr, _, err = DetectCRIRuntimeEndpoint()
		if err != nil {
			return "", err
		}
	}
	if strings.HasPrefix(addr, "tcp:") {
		return "", fmt.Errorf("tcp endpoints are not supported")
	}
	if !strings.HasPrefix(addr, "npipe:") {
		addr = "npipe://" + addr
	}
	addr = path.Clean(addr)

	if strings.Contains(addr, "frakti") {
		return "", fmt.Errorf("frakti runtime is not supported")
	}

	u, err := url.Parse(addr)
	if err != nil {
		return "", err
	}
	if u.Scheme != "npipe" {
		return "", fmt.Errorf("only named pipes are supported")
	}
	if u.Host != "." {
		return "", fmt.Errorf("only named pipes on the local host are supported")
	}

	return fmt.Sprintf("//%s%s", u.Host, u.Path), nil
}

func connectCRISocket(ctx context.Context, addr string) (*grpc.ClientConn, error) {
	var err error
	var connection *grpc.ClientConn

	ctx, cancel := context.WithTimeout(ctx, connectTimeout)
	defer cancel()

	connection, err = grpc.DialContext(
		ctx,
		addr,
		// we want to wait for an initial connection
		grpc.WithBlock(),
		// we do everything like the kubelet: we bump this up to 16MB
		grpc.WithDefaultCallOptions(grpc.MaxCallRecvMsgSize(maxMsgSize)),
		// unix socket connection, disable transport security
		grpc.WithInsecure(),
		grpc.WithContextDialer(func(ctx context.Context, addr string) (net.Conn, error) {
			return winio.DialPipeContext(ctx, addr)
		}),
	)
	if err != nil {
		return nil, fmt.Errorf("connection to CRI runtime service failed: %s", err.Error())
	}
	return connection, nil
}

// NewCRIRuntimeServiceClient takes a CRI socket path and tries to establish a grpc connection to the CRI runtime service.
// On success it is returning an ExtendedRuntimeService interface which is an extended CRI runtime service interface.
func NewCRIRuntimeServiceClient(ctx context.Context, criRuntimeEndpoint string) (ExtendedRuntimeService, error) {
	// build the socket path URL
	addr, err := getCRISocketAddr(criRuntimeEndpoint)
	if err != nil {
		return nil, fmt.Errorf("cri: failed to get socket address: %s", err)
	}

	// establish the CRI connection
	// once this connection has been established
	// gRPC will take care of reconnections, etc.
	// connections are very much hands-off after that point
	connection, err := connectCRISocket(ctx, addr)
	if err != nil {
		return nil, fmt.Errorf("cri: failed to connect to CRI socket: %s", err)
	}

	// finally create the extended wrapper
	svc, err := NewCRIExtendedRuntimeServiceWrapper(
		ctx,
		callTimeout,
		criruntimev1alpha2.NewRuntimeServiceClient(connection),
	)
	if err != nil {
		return nil, fmt.Errorf("faile to create extended runtime service wrapper: %s", err.Error())
	}

	// and return with it
	return svc, nil
}


================================================
FILE: utils/cri/cri_runtime_wrapper.go
================================================
package cri

import (
	"context"
	"fmt"
	"time"

	criruntimev1alpha2 "k8s.io/cri-api/pkg/apis/runtime/v1alpha2"
)

// NewCRIExtendedRuntimeServiceWrapper creates an ExtendedRuntimeService from a v1alpha2 runtime service client
// NOTE: the passed context is used for every subsequent call on the interface as the parent context with a timeout
// as passed through the argument. If the parent context gets canceled, this client becomes useless.
func NewCRIExtendedRuntimeServiceWrapper(ctx context.Context, timeout time.Duration, client criruntimev1alpha2.RuntimeServiceClient) (ExtendedRuntimeService, error) {
	if client == nil {
		return nil, fmt.Errorf("client cannot be nil")
	}
	if timeout == time.Duration(0) {
		return nil, fmt.Errorf("timeout cannot be 0")
	}
	return &extendedServiceRuntimeWrapper{
		ctx:     ctx,
		timeout: timeout,
		rs:      client,
	}, nil
}

type extendedServiceRuntimeWrapper struct {
	// well, this is stupid:
	// the criapi.RuntimeService should take a context as first argument everywhere
	// as it doesn't, the only sensible way is to be able to pass it from here
	// however, be careful with this: if that passed context gets canceled, nothing will work anymore
	ctx     context.Context
	timeout time.Duration
	rs      criruntimev1alpha2.RuntimeServiceClient
}

// Version returns the runtime name, runtime version and runtime API version
func (w *extendedServiceRuntimeWrapper) Version(apiVersion string) (*criruntimev1alpha2.VersionResponse, error) {
	ctx, cancel := context.WithTimeout(w.ctx, w.timeout)
	defer cancel()
	return w.rs.Version(ctx, &criruntimev1alpha2.VersionRequest{Version: apiVersion})
}

// CreateContainer creates a new container in specified PodSandbox.
func (w *extendedServiceRuntimeWrapper) CreateContainer(podSandboxID string, config *criruntimev1alpha2.ContainerConfig, sandboxConfig *criruntimev1alpha2.PodSandboxConfig) (string, error) {
	ctx, cancel := context.WithTimeout(w.ctx, w.timeout)
	defer cancel()
	resp, err := w.rs.CreateContainer(ctx, &criruntimev1alpha2.CreateContainerRequest{
		PodSandboxId:  podSandboxID,
		Config:        config,
		SandboxConfig: sandboxConfig,
	})
	if err != nil {
		return "", err
	}
	return resp.GetContainerId(), nil
}

// StartContainer starts the container.
func (w *extendedServiceRuntimeWrapper) StartContainer(containerID string) error {
	ctx, cancel := context.WithTimeout(w.ctx, w.timeout)
	defer cancel()
	_, err := w.rs.StartContainer(ctx, &criruntimev1alpha2.StartContainerRequest{
		ContainerId: containerID,
	})
	return err
}

// StopContainer stops a running container with a grace period (i.e., timeout).
func (w *extendedServiceRuntimeWrapper) StopContainer(containerID string, timeout int64) error {
	ctx, cancel := context.WithTimeout(w.ctx, w.timeout)
	defer cancel()
	_, err := w.rs.StopContainer(ctx, &criruntimev1alpha2.StopContainerRequest{
		ContainerId: containerID,
		Timeout:     timeout,
	})
	return err
}

// RemoveContainer removes the container.
func (w *extendedServiceRuntimeWrapper) RemoveContainer(containerID string) error {
	ctx, cancel := context.WithTimeout(w.ctx, w.timeout)
	defer cancel()
	_, err := w.rs.RemoveContainer(ctx, &criruntimev1alpha2.RemoveContainerRequest{
		ContainerId: containerID,
	})
	return err
}

// ListContainers lists all containers by filters.
func (w *extendedServiceRuntimeWrapper) ListContainers(filter *criruntimev1alpha2.ContainerFilter) ([]*criruntimev1alpha2.Container, error) {
	ctx, cancel := context.WithTimeout(w.ctx, w.timeout)
	defer cancel()
	resp, err := w.rs.ListContainers(ctx, &criruntimev1alpha2.ListContainersRequest{
		Filter: filter,
	})
	if err != nil {
		return nil, err
	}
	return resp.GetContainers(), nil
}

// ContainerStatus returns the status of the container.
func (w *extendedServiceRuntimeWrapper) ContainerStatus(containerID string) (*criruntimev1alpha2.ContainerStatus, error) {
	ctx, cancel := context.WithTimeout(w.ctx, w.timeout)
	defer cancel()
	resp, err := w.rs.ContainerStatus(ctx, &criruntimev1alpha2.ContainerStatusRequest{
		ContainerId: containerID,
		Verbose:     false,
	})
	if err != nil {
		return nil, err
	}
	return resp.GetStatus(), nil
}

// ContainerStatusVerbose returns the status of the container.
func (w *extendedServiceRuntimeWrapper) ContainerStatusVerbose(containerID string) (*criruntimev1alpha2.ContainerStatus, map[string]string, error) {
	ctx, cancel := context.WithTimeout(w.ctx, w.timeout)
	defer cancel()
	resp, err := w.rs.ContainerStatus(ctx, &criruntimev1alpha2.ContainerStatusRequest{
		ContainerId: containerID,
		Verbose:     true,
	})
	if err != nil {
		return nil, nil, err
	}
	return resp.GetStatus(), resp.GetInfo(), nil
}

// UpdateContainerResources updates the cgroup resources for the container.
func (w *extendedServiceRuntimeWrapper) UpdateContainerResources(containerID string, resources *criruntimev1alpha2.LinuxContainerResources) error {
	ctx, cancel := context.WithTimeout(w.ctx, w.timeout)
	defer cancel()
	_, err := w.rs.UpdateContainerResources(ctx, &criruntimev1alpha2.UpdateContainerResourcesRequest{
		ContainerId: containerID,
		Linux:       resources,
	})
	return err
}

// ExecSync executes a command in the container, and returns the stdout output.
// If command exits with a non-zero exit code, an error is returned.
func (w *extendedServiceRuntimeWrapper) ExecSync(containerID string, cmd []string, timeout time.Duration) (stdout []byte, stderr []byte, err error) {
	ctx, cancel := context.WithTimeout(w.ctx, w.timeout)
	defer cancel()
	resp, err := w.rs.ExecSync(ctx, &criruntimev1alpha2.ExecSyncRequest{
		ContainerId: containerID,
		Cmd:         cmd,
		Timeout:     int64(timeout.Seconds()),
	})
	if err != nil {
		return nil, nil, err
	}
	if resp.GetExitCode() != int32(0) {
		return resp.GetStdout(), resp.GetStderr(), fmt.Errorf("exit code: %d", resp.GetExitCode())
	}
	return resp.GetStdout(), resp.GetStderr(), nil
}

// Exec prepares a streaming endpoint to execute a command in the container, and returns the address.
func (w *extendedServiceRuntimeWrapper) Exec(req *criruntimev1alpha2.ExecRequest) (*criruntimev1alpha2.ExecResponse, error) {
	ctx, cancel := context.WithTimeout(w.ctx, w.timeout)
	defer cancel()
	return w.rs.Exec(ctx, req)
}

// Attach prepares a streaming endpoint to attach to a running container, and returns the address.
func (w *extendedServiceRuntimeWrapper) Attach(req *criruntimev1alpha2.AttachRequest) (*criruntimev1alpha2.AttachResponse, error) {
	ctx, cancel := context.WithTimeout(w.ctx, w.timeout)
	defer cancel()
	return w.rs.Attach(ctx, req)
}

// ReopenContainerLog asks runtime to reopen the stdout/stderr log file
// for the container. If it returns error, new container log file MUST NOT
// be created.
func (w *extendedServiceRuntimeWrapper) ReopenContainerLog(containerID string) error {
	ctx, cancel := context.WithTimeout(w.ctx, w.timeout)
	defer cancel()
	_, err := w.rs.ReopenContainerLog(ctx, &criruntimev1alpha2.ReopenContainerLogRequest{
		ContainerId: containerID,
	})
	return err
}

// RunPodSandbox creates and starts a pod-level sandbox. Runtimes should ensure
// the sandbox is in ready state.
func (w *extendedServiceRuntimeWrapper) RunPodSandbox(config *criruntimev1alpha2.PodSandboxConfig, runtimeHandler string) (string, error) {
	ctx, cancel := context.WithTimeout(w.ctx, w.timeout)
	defer cancel()
	resp, err := w.rs.RunPodSandbox(ctx, &criruntimev1alpha2.RunPodSandboxRequest{
		Config:         config,
		RuntimeHandler: runtimeHandler,
	})
	if err != nil {
		return "", err
	}
	return resp.GetPodSandboxId(), nil
}

// StopPodSandbox stops the sandbox. If there are any running containers in the
// sandbox, they should be force terminated.
func (w *extendedServiceRuntimeWrapper) StopPodSandbox(podSandboxID string) error {
	ctx, cancel := context.WithTimeout(w.ctx, w.timeout)
	defer cancel()
	_, err := w.rs.StopPodSandbox(ctx, &criruntimev1alpha2.StopPodSandboxRequest{
		PodSandboxId: podSandboxID,
	})
	return err
}

// RemovePodSandbox removes the sandbox. If there are running containers in the
// sandbox, they should be forcibly removed.
func (w *extendedServiceRuntimeWrapper) RemovePodSandbox(podSandboxID string) error {
	ctx, cancel := context.WithTimeout(w.ctx, w.timeout)
	defer cancel()
	_, err := w.rs.RemovePodSandbox(ctx, &criruntimev1alpha2.RemovePodSandboxRequest{
		PodSandboxId: podSandboxID,
	})
	return err
}

// PodSandboxStatus returns the Status of the PodSandbox.
func (w *extendedServiceRuntimeWrapper) PodSandboxStatus(podSandboxID string) (*criruntimev1alpha2.PodSandboxStatus, error) {
	ctx, cancel := context.WithTimeout(w.ctx, w.timeout)
	defer cancel()
	resp, err := w.rs.PodSandboxStatus(ctx, &criruntimev1alpha2.PodSandboxStatusRequest{
		PodSandboxId: podSandboxID,
		Verbose:      false,
	})
	if err != nil {
		return nil, err
	}
	return resp.GetStatus(), nil
}

// PodSandboxStatusVerbose returns the Status of the PodSandbox.
func (w *extendedServiceRuntimeWrapper) PodSandboxStatusVerbose(podSandboxID string) (*criruntimev1alpha2.PodSandboxStatus, map[string]string, error) {
	ctx, cancel := context.WithTimeout(w.ctx, w.timeout)
	defer cancel()
	resp, err := w.rs.PodSandboxStatus(ctx, &criruntimev1alpha2.PodSandboxStatusRequest{
		PodSandboxId: podSandboxID,
		Verbose:      true,
	})
	if err != nil {
		return nil, nil, err
	}
	return resp.GetStatus(), resp.GetInfo(), nil
}

// ListPodSandbox returns a list of Sandbox.
func (w *extendedServiceRuntimeWrapper) ListPodSandbox(filter *criruntimev1alpha2.PodSandboxFilter) ([]*criruntimev1alpha2.PodSandbox, error) {
	ctx, cancel := context.WithTimeout(w.ctx, w.timeout)
	defer cancel()
	resp, err := w.rs.ListPodSandbox(ctx, &criruntimev1alpha2.ListPodSandboxRequest{
		Filter: filter,
	})
	if err != nil {
		return nil, err
	}
	return resp.GetItems(), nil
}

// PortForward prepares a streaming endpoint to forward ports from a PodSandbox, and returns the address.
func (w *extendedServiceRuntimeWrapper) PortForward(req *criruntimev1alpha2.PortForwardRequest) (*criruntimev1alpha2.PortForwardResponse, error) {
	ctx, cancel := context.WithTimeout(w.ctx, w.timeout)
	defer cancel()
	return w.rs.PortForward(ctx, req)
}

// ContainerStats returns stats of the container. If the container does not
// exist, the call returns an error.
func (w *extendedServiceRuntimeWrapper) ContainerStats(containerID string) (*criruntimev1alpha2.ContainerStats, error) {
	ctx, cancel := context.WithTimeout(w.ctx, w.timeout)
	defer cancel()
	resp, err := w.rs.ContainerStats(ctx, &criruntimev1alpha2.ContainerStatsRequest{
		ContainerId: containerID,
	})
	if err != nil {
		return nil, err
	}
	return resp.GetStats(), nil
}

// ListContainerStats returns stats of all running containers.
func (w *extendedServiceRuntimeWrapper) ListContainerStats(filter *criruntimev1alpha2.ContainerStatsFilter) ([]*criruntimev1alpha2.ContainerStats, error) {
	ctx, cancel := context.WithTimeout(w.ctx, w.timeout)
	defer cancel()
	resp, err := w.rs.ListContainerStats(ctx, &criruntimev1alpha2.ListContainerStatsRequest{
		Filter: filter,
	})
	if err != nil {
		return nil, err
	}
	return resp.GetStats(), nil
}

// UpdateRuntimeConfig updates runtime configuration if specified
func (w *extendedServiceRuntimeWrapper) UpdateRuntimeConfig(runtimeConfig *criruntimev1alpha2.RuntimeConfig) error {
	ctx, cancel := context.WithTimeout(w.ctx, w.timeout)
	defer cancel()
	_, err := w.rs.UpdateRuntimeConfig(ctx, &criruntimev1alpha2.UpdateRuntimeConfigRequest{
		RuntimeConfig: runtimeConfig,
	})
	return err
}

// Status returns the status of the runtime.
func (w *extendedServiceRuntimeWrapper) Status() (*criruntimev1alpha2.RuntimeStatus, error) {
	ctx, cancel := context.WithTimeout(w.ctx, w.timeout)
	defer cancel()
	resp, err := w.rs.Status(ctx, &criruntimev1alpha2.StatusRequest{
		Verbose: false,
	})
	if err != nil {
		return nil, err
	}
	return resp.GetStatus(), nil
}

// Status returns the status of the runtime.
func (w *extendedServiceRuntimeWrapper) StatusVerbose() (*criruntimev1alpha2.RuntimeStatus, map[string]string, error) {
	ctx, cancel := context.WithTimeout(w.ctx, w.timeout)
	defer cancel()
	resp, err := w.rs.Status(ctx, &criruntimev1alpha2.StatusRequest{
		Verbose: true,
	})
	if err != nil {
		return nil, nil, err
	}
	return resp.GetStatus(), resp.GetInfo(), nil
}


================================================
FILE: utils/cri/cri_runtime_wrapper_test.go
================================================
package cri

import (
	"context"
	"errors"
	"reflect"
	"testing"
	"time"

	"github.com/golang/mock/gomock"
	"go.aporeto.io/enforcerd/trireme-lib/utils/cri/mockcri"
	criruntimev1alpha2 "k8s.io/cri-api/pkg/apis/runtime/v1alpha2"
)

func TestNewCRIExtendedRuntimeServiceWrapper(t *testing.T) {
	type args struct {
		ctx     context.Context
		timeout time.Duration
		client  criruntimev1alpha2.RuntimeServiceClient
	}
	tests := []struct {
		name    string
		args    args
		want    ExtendedRuntimeService
		wantErr bool
	}{
		{
			name: "client is nil",
			args: args{
				ctx:     context.Background(),
				timeout: connectTimeout,
				client:  nil,
			},
			want:    nil,
			wantErr: true,
		},
		{
			name: "timeout is 0",
			args: args{
				ctx:     context.Background(),
				timeout: 0,
				client:  criruntimev1alpha2.NewRuntimeServiceClient(nil),
			},
			want:    nil,
			wantErr: true,
		},
		{
			name: "success",
			args: args{
				ctx:     context.Background(),
				timeout: connectTimeout,
				client:  criruntimev1alpha2.NewRuntimeServiceClient(nil),
			},
			want: &extendedServiceRuntimeWrapper{
				ctx:     context.Background(),
				timeout: connectTimeout,
				rs:      criruntimev1alpha2.NewRuntimeServiceClient(nil),
			},
			wantErr: false,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			got, err := NewCRIExtendedRuntimeServiceWrapper(tt.args.ctx, tt.args.timeout, tt.args.client)
			if (err != nil) != tt.wantErr {
				t.Errorf("NewCRIExtendedRuntimeServiceWrapper() error = %v, wantErr %v", err, tt.wantErr)
				return
			}
			if !reflect.DeepEqual(got, tt.want) {
				t.Errorf("NewCRIExtendedRuntimeServiceWrapper() = %v, want %v", got, tt.want)
			}
		})
	}
}

func newUnitTestCRIExtendedRuntimeServiceWrapper(t *testing.T) (*gomock.Controller, *mockcri.MockRuntimeServiceClient, context.CancelFunc, ExtendedRuntimeService) {
	ctrl := gomock.NewController(t)
	client := mockcri.NewMockRuntimeServiceClient(ctrl)
	ctx, cancel := context.WithCancel(context.Background())
	w, err := NewCRIExtendedRuntimeServiceWrapper(ctx, connectTimeout, client)
	if err != nil {
		panic(err)
	}
	return ctrl, client, cancel, w
}

type prepareFunc func(*testing.T, *mockcri.MockRuntimeServiceClient)

var errMock = errors.New("mocked error has occurred")

func Test_extendedServiceRuntimeWrapper_Version(t *testing.T) {
	type args struct {
		apiVersion string
	}
	tests := []struct {
		name    string
		args    args
		prepare prepareFunc
		want    *criruntimev1alpha2.VersionResponse
		wantErr bool
	}{
		{
			name: "error",
			args: args{
				apiVersion: "version",
			},
			prepare: func(t *testing.T, c *mockcri.MockRuntimeServiceClient) {
				c.EXPECT().Version(
					gomock.Any(),
					gomock.Eq(&criruntimev1alpha2.VersionRequest{Version: "version"}),
				).Times(1).Return(nil, errMock)
			},
			want:    nil,
			wantErr: true,
		},
		{
			name: "success",
			args: args{
				apiVersion: "version",
			},
			prepare: func(t *testing.T, c *mockcri.MockRuntimeServiceClient) {
				c.EXPECT().Version(
					gomock.Any(),
					gomock.Eq(&criruntimev1alpha2.VersionRequest{Version: "version"}),
				).Times(1).Return(&criruntimev1alpha2.VersionResponse{}, nil)
			},
			want:    &criruntimev1alpha2.VersionResponse{},
			wantErr: false,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			// the same in every test
			ctrl, client, cancel, w := newUnitTestCRIExtendedRuntimeServiceWrapper(t)
			defer cancel()
			defer ctrl.Finish()
			if tt.prepare != nil {
				tt.prepare(t, client)
			}
			got, err := w.Version(tt.args.apiVersion)
			if (err != nil) != tt.wantErr {
				t.Errorf("extendedServiceRuntimeWrapper.Version() error = %v, wantErr %v", err, tt.wantErr)
				return
			}
			if !reflect.DeepEqual(got, tt.want) {
				t.Errorf("extendedServiceRuntimeWrapper.Version() = %v, want %v", got, tt.want)
			}
		})
	}
}

func Test_extendedServiceRuntimeWrapper_CreateContainer(t *testing.T) {
	type args struct {
		podSandboxID  string
		config        *criruntimev1alpha2.ContainerConfig
		sandboxConfig *criruntimev1alpha2.PodSandboxConfig
	}
	tests := []struct {
		name    string
		args    args
		prepare prepareFunc
		want    string
		wantErr bool
	}{
		{
			name: "error",
			args: args{
				podSandboxID:  "sandboxID",
				config:        &criruntimev1alpha2.ContainerConfig{},
				sandboxConfig: &criruntimev1alpha2.PodSandboxConfig{},
			},
			prepare: func(t *testing.T, c *mockcri.MockRuntimeServiceClient) {
				c.EXPECT().CreateContainer(
					gomock.Any(),
					gomock.Eq(&criruntimev1alpha2.CreateContainerRequest{
						PodSandboxId:  "sandboxID",
						Config:        &criruntimev1alpha2.ContainerConfig{},
						SandboxConfig: &criruntimev1alpha2.PodSandboxConfig{},
					}),
				).Times(1).Return(nil, errMock)
			},
			want:    "",
			wantErr: true,
		},
		{
			name: "success",
			args: args{
				podSandboxID:  "sandboxID",
				config:        &criruntimev1alpha2.ContainerConfig{},
				sandboxConfig: &criruntimev1alpha2.PodSandboxConfig{},
			},
			prepare: func(t *testing.T, c *mockcri.MockRuntimeServiceClient) {
				c.EXPECT().CreateContainer(
					gomock.Any(),
					gomock.Eq(&criruntimev1alpha2.CreateContainerRequest{
						PodSandboxId:  "sandboxID",
						Config:        &criruntimev1alpha2.ContainerConfig{},
						SandboxConfig: &criruntimev1alpha2.PodSandboxConfig{},
					}),
				).Times(1).Return(&criruntimev1alpha2.CreateContainerResponse{
					ContainerId: "containerID",
				}, nil)
			},
			want:    "containerID",
			wantErr: false,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			// the same in every test
			ctrl, client, cancel, w := newUnitTestCRIExtendedRuntimeServiceWrapper(t)
			defer cancel()
			defer ctrl.Finish()
			if tt.prepare != nil {
				tt.prepare(t, client)
			}
			got, err := w.CreateContainer(tt.args.podSandboxID, tt.args.config, tt.args.sandboxConfig)
			if (err != nil) != tt.wantErr {
				t.Errorf("extendedServiceRuntimeWrapper.CreateContainer() error = %v, wantErr %v", err, tt.wantErr)
				return
			}
			if got != tt.want {
				t.Errorf("extendedServiceRuntimeWrapper.CreateContainer() = %v, want %v", got, tt.want)
			}
		})
	}
}

func Test_extendedServiceRuntimeWrapper_StartContainer(t *testing.T) {
	type args struct {
		containerID string
	}
	tests := []struct {
		name    string
		args    args
		prepare prepareFunc
		wantErr bool
	}{
		{
			name: "error",
			args: args{
				containerID: "containerID",
			},
			prepare: func(t *testing.T, c *mockcri.MockRuntimeServiceClient) {
				c.EXPECT().StartContainer(
					gomock.Any(),
					gomock.Eq(&criruntimev1alpha2.StartContainerRequest{
						ContainerId: "containerID",
					}),
				).Times(1).Return(nil, errMock)
			},
			wantErr: true,
		},
		{
			name: "error",
			args: args{
				containerID: "containerID",
			},
			prepare: func(t *testing.T, c *mockcri.MockRuntimeServiceClient) {
				c.EXPECT().StartContainer(
					gomock.Any(),
					gomock.Eq(&criruntimev1alpha2.StartContainerRequest{
						ContainerId: "containerID",
					}),
				).Times(1).Return(&criruntimev1alpha2.StartContainerResponse{}, nil)
			},
			wantErr: false,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			// the same in every test
			ctrl, client, cancel, w := newUnitTestCRIExtendedRuntimeServiceWrapper(t)
			defer cancel()
			defer ctrl.Finish()
			if tt.prepare != nil {
				tt.prepare(t, client)
			}
			if err := w.StartContainer(tt.args.containerID); (err != nil) != tt.wantErr {
				t.Errorf("extendedServiceRuntimeWrapper.StartContainer() error = %v, wantErr %v", err, tt.wantErr)
			}
		})
	}
}

func Test_extendedServiceRuntimeWrapper_StopContainer(t *testing.T) {
	type args struct {
		containerID string
		timeout     int64
	}
	tests := []struct {
		name    string
		prepare prepareFunc
		args    args
		wantErr bool
	}{
		{
			name: "error",
			args: args{
				containerID: "containerID",
				timeout:     42,
			},
			prepare: func(t *testing.T, c *mockcri.MockRuntimeServiceClient) {
				c.EXPECT().StopContainer(
					gomock.Any(),
					gomock.Eq(&criruntimev1alpha2.StopContainerRequest{
						ContainerId: "containerID",
						Timeout:     42,
					}),
				).Times(1).Return(nil, errMock)
			},
			wantErr: true,
		},
		{
			name: "error",
			args: args{
				containerID: "containerID",
				timeout:     42,
			},
			prepare: func(t *testing.T, c *mockcri.MockRuntimeServiceClient) {
				c.EXPECT().StopContainer(
					gomock.Any(),
					gomock.Eq(&criruntimev1alpha2.StopContainerRequest{
						ContainerId: "containerID",
						Timeout:     42,
					}),
				).Times(1).Return(&criruntimev1alpha2.StopContainerResponse{}, nil)
			},
			wantErr: false,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			// the same in every test
			ctrl, client, cancel, w := newUnitTestCRIExtendedRuntimeServiceWrapper(t)
			defer cancel()
			defer ctrl.Finish()
			if tt.prepare != nil {
				tt.prepare(t, client)
			}
			if err := w.StopContainer(tt.args.containerID, tt.args.timeout); (err != nil) != tt.wantErr {
				t.Errorf("extendedServiceRuntimeWrapper.StopContainer() error = %v, wantErr %v", err, tt.wantErr)
			}
		})
	}
}

func Test_extendedServiceRuntimeWrapper_RemoveContainer(t *testing.T) {
	type args struct {
		containerID string
	}
	tests := []struct {
		name    string
		prepare prepareFunc
		args    args
		wantErr bool
	}{
		{
			name: "error",
			args: args{
				containerID: "containerID",
			},
			prepare: func(t *testing.T, c *mockcri.MockRuntimeServiceClient) {
				c.EXPECT().RemoveContainer(
					gomock.Any(),
					gomock.Eq(&criruntimev1alpha2.RemoveContainerRequest{
						ContainerId: "containerID",
					}),
				).Times(1).Return(nil, errMock)
			},
			wantErr: true,
		},
		{
			name: "success",
			args: args{
				containerID: "containerID",
			},
			prepare: func(t *testing.T, c *mockcri.MockRuntimeServiceClient) {
				c.EXPECT().RemoveContainer(
					gomock.Any(),
					gomock.Eq(&criruntimev1alpha2.RemoveContainerRequest{
						ContainerId: "containerID",
					}),
				).Times(1).Return(&criruntimev1alpha2.RemoveContainerResponse{}, nil)
			},
			wantErr: false,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			// the same in every test
			ctrl, client, cancel, w := newUnitTestCRIExtendedRuntimeServiceWrapper(t)
			defer cancel()
			defer ctrl.Finish()
			if tt.prepare != nil {
				tt.prepare(t, client)
			}
			if err := w.RemoveContainer(tt.args.containerID); (err != nil) != tt.wantErr {
				t.Errorf("extendedServiceRuntimeWrapper.RemoveContainer() error = %v, wantErr %v", err, tt.wantErr)
			}
		})
	}
}

func Test_extendedServiceRuntimeWrapper_ListContainers(t *testing.T) {
	type args struct {
		filter *criruntimev1alpha2.ContainerFilter
	}
	tests := []struct {
		name    string
		prepare prepareFunc
		args    args
		want    []*criruntimev1alpha2.Container
		wantErr bool
	}{
		{
			name: "error",
			args: args{
				filter: &criruntimev1alpha2.ContainerFilter{
					LabelSelector: map[string]string{
						"a": "b",
					},
				},
			},
			prepare: func(t *testing.T, c *mockcri.MockRuntimeServiceClient) {
				c.EXPECT().ListContainers(
					gomock.Any(),
					gomock.Eq(&criruntimev1alpha2.ListContainersRequest{
						Filter: &criruntimev1alpha2.ContainerFilter{
							LabelSelector: map[string]string{
								"a": "b",
							},
						},
					}),
				).Times(1).Return(nil, errMock)
			},
			want:    nil,
			wantErr: true,
		},
		{
			name: "success",
			args: args{
				filter: &criruntimev1alpha2.ContainerFilter{
					LabelSelector: map[string]string{
						"a": "b",
					},
				},
			},
			prepare: func(t *testing.T, c *mockcri.MockRuntimeServiceClient) {
				c.EXPECT().ListContainers(
					gomock.Any(),
					gomock.Eq(&criruntimev1alpha2.ListContainersRequest{
						Filter: &criruntimev1alpha2.ContainerFilter{
							LabelSelector: map[string]string{
								"a": "b",
							},
						},
					}),
				).Times(1).Return(&criruntimev1alpha2.ListContainersResponse{
					Containers: []*criruntimev1alpha2.Container{
						{
							Id: "one",
							Labels: map[string]string{
								"a": "b",
							},
						},
						{
							Id: "two",
							Labels: map[string]string{
								"a": "b",
							},
						},
					},
				}, nil)
			},
			want: []*criruntimev1alpha2.Container{
				{
					Id: "one",
					Labels: map[string]string{
						"a": "b",
					},
				},
				{
					Id: "two",
					Labels: map[string]string{
						"a": "b",
					},
				},
			},
			wantErr: false,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			// the same in every test
			ctrl, client, cancel, w := newUnitTestCRIExtendedRuntimeServiceWrapper(t)
			defer cancel()
			defer ctrl.Finish()
			if tt.prepare != nil {
				tt.prepare(t, client)
			}
			got, err := w.ListContainers(tt.args.filter)
			if (err != nil) != tt.wantErr {
				t.Errorf("extendedServiceRuntimeWrapper.ListContainers() error = %v, wantErr %v", err, tt.wantErr)
				return
			}
			if !reflect.DeepEqual(got, tt.want) {
				t.Errorf("extendedServiceRuntimeWrapper.ListContainers() = %v, want %v", got, tt.want)
			}
		})
	}
}

func Test_extendedServiceRuntimeWrapper_ContainerStatus(t *testing.T) {
	type args struct {
		containerID string
	}
	tests := []struct {
		name    string
		prepare prepareFunc
		args    args
		want    *criruntimev1alpha2.ContainerStatus
		wantErr bool
	}{
		{
			name: "error",
			args: args{
				containerID: "containerID",
			},
			prepare: func(t *testing.T, c *mockcri.MockRuntimeServiceClient) {
				c.EXPECT().ContainerStatus(
					gomock.Any(),
					gomock.Eq(&criruntimev1alpha2.ContainerStatusRequest{
						ContainerId: "containerID",
						Verbose:     false,
					}),
				).Times(1).Return(nil, errMock)
			},
			want:    nil,
			wantErr: true,
		},
		{
			name: "success",
			args: args{
				containerID: "containerID",
			},
			prepare: func(t *testing.T, c *mockcri.MockRuntimeServiceClient) {
				c.EXPECT().ContainerStatus(
					gomock.Any(),
					gomock.Eq(&criruntimev1alpha2.ContainerStatusRequest{
						ContainerId: "containerID",
						Verbose:     false,
					}),
				).Times(1).Return(&criruntimev1alpha2.ContainerStatusResponse{
					Status: &criruntimev1alpha2.ContainerStatus{
						Id:    "containerID",
						State: criruntimev1alpha2.ContainerState_CONTAINER_RUNNING,
					},
				}, nil)
			},
			want: &criruntimev1alpha2.ContainerStatus{
				Id:    "containerID",
				State: criruntimev1alpha2.ContainerState_CONTAINER_RUNNING,
			},
			wantErr: false,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			// the same in every test
			ctrl, client, cancel, w := newUnitTestCRIExtendedRuntimeServiceWrapper(t)
			defer cancel()
			defer ctrl.Finish()
			if tt.prepare != nil {
				tt.prepare(t, client)
			}
			got, err := w.ContainerStatus(tt.args.containerID)
			if (err != nil) != tt.wantErr {
				t.Errorf("extendedServiceRuntimeWrapper.ContainerStatus() error = %v, wantErr %v", err, tt.wantErr)
				return
			}
			if !reflect.DeepEqual(got, tt.want) {
				t.Errorf("extendedServiceRuntimeWrapper.ContainerStatus() = %v, want %v", got, tt.want)
			}
		})
	}
}

func Test_extendedServiceRuntimeWrapper_ContainerStatusVerbose(t *testing.T) {

	type args struct {
		containerID string
	}
	tests := []struct {
		name    string
		prepare prepareFunc
		args    args
		want    *criruntimev1alpha2.ContainerStatus
		want1   map[string]string
		wantErr bool
	}{
		{
			name: "error",
			args: args{
				containerID: "containerID",
			},
			prepare: func(t *testing.T, c *mockcri.MockRuntimeServiceClient) {
				c.EXPECT().ContainerStatus(
					gomock.Any(),
					gomock.Eq(&criruntimev1alpha2.ContainerStatusRequest{
						ContainerId: "containerID",
						Verbose:     true,
					}),
				).Times(1).Return(nil, errMock)
			},
			want:    nil,
			wantErr: true,
		},
		{
			name: "success",
			args: args{
				containerID: "containerID",
			},
			prepare: func(t *testing.T, c *mockcri.MockRuntimeServiceClient) {
				c.EXPECT().ContainerStatus(
					gomock.Any(),
					gomock.Eq(&criruntimev1alpha2.ContainerStatusRequest{
						ContainerId: "containerID",
						Verbose:     true,
					}),
				).Times(1).Return(&criruntimev1alpha2.ContainerStatusResponse{
					Status: &criruntimev1alpha2.ContainerStatus{
						Id:    "containerID",
						State: criruntimev1alpha2.ContainerState_CONTAINER_RUNNING,
					},
				}, nil)
			},
			want: &criruntimev1alpha2.ContainerStatus{
				Id:    "containerID",
				State: criruntimev1alpha2.ContainerState_CONTAINER_RUNNING,
			},
			wantErr: false,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			// the same in every test
			ctrl, client, cancel, w := newUnitTestCRIExtendedRuntimeServiceWrapper(t)
			defer cancel()
			defer ctrl.Finish()
			if tt.prepare != nil {
				tt.prepare(t, client)
			}
			got, got1, err := w.ContainerStatusVerbose(tt.args.containerID)
			if (err != nil) != tt.wantErr {
				t.Errorf("extendedServiceRuntimeWrapper.ContainerStatusVerbose() error = %v, wantErr %v", err, tt.wantErr)
				return
			}
			if !reflect.DeepEqual(got, tt.want) {
				t.Errorf("extendedServiceRuntimeWrapper.ContainerStatusVerbose() got = %v, want %v", got, tt.want)
			}
			if !reflect.DeepEqual(got1, tt.want1) {
				t.Errorf("extendedServiceRuntimeWrapper.ContainerStatusVerbose() got1 = %v, want %v", got1, tt.want1)
			}
		})
	}
}

func Test_extendedServiceRuntimeWrapper_UpdateContainerResources(t *testing.T) {

	type args struct {
		containerID string
		resources   *criruntimev1alpha2.LinuxContainerResources
	}
	tests := []struct {
		name    string
		prepare prepareFunc
		args    args
		wantErr bool
	}{
		{
			name: "error",
			args: args{
				containerID: "containerID",
				resources: &criruntimev1alpha2.LinuxContainerResources{
					CpuPeriod: 42,
				},
			},
			prepare: func(t *testing.T, c *mockcri.MockRuntimeServiceClient) {
				c.EXPECT().UpdateContainerResources(
					gomock.Any(),
					gomock.Eq(&criruntimev1alpha2.UpdateContainerResourcesRequest{
						ContainerId: "containerID",
						Linux: &criruntimev1alpha2.LinuxContainerResources{
							CpuPeriod: 42,
						},
					}),
				).Times(1).Return(nil, errMock)
			},
			wantErr: true,
		},
		{
			name: "success",
			args: args{
				containerID: "containerID",
				resources: &criruntimev1alpha2.LinuxContainerResources{
					CpuPeriod: 42,
				},
			},
			prepare: func(t *testing.T, c *mockcri.MockRuntimeServiceClient) {
				c.EXPECT().UpdateContainerResources(
					gomock.Any(),
					gomock.Eq(&criruntimev1alpha2.UpdateContainerResourcesRequest{
						ContainerId: "containerID",
						Linux: &criruntimev1alpha2.LinuxContainerResources{
							CpuPeriod: 42,
						},
					}),
				).Times(1).Return(&criruntimev1alpha2.UpdateContainerResourcesResponse{}, nil)
			},
			wantErr: false,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			// the same in every test
			ctrl, client, cancel, w := newUnitTestCRIExtendedRuntimeServiceWrapper(t)
			defer cancel()
			defer ctrl.Finish()
			if tt.prepare != nil {
				tt.prepare(t, client)
			}
			if err := w.UpdateContainerResources(tt.args.containerID, tt.args.resources); (err != nil) != tt.wantErr {
				t.Errorf("extendedServiceRuntimeWrapper.UpdateContainerResources() error = %v, wantErr %v", err, tt.wantErr)
			}
		})
	}
}

func Test_extendedServiceRuntimeWrapper_ExecSync(t *testing.T) {

	type args struct {
		containerID string
		cmd         []string
		timeout     time.Duration
	}
	tests := []struct {
		name       string
		prepare    prepareFunc
		args       args
		wantStdout []byte
		wantStderr []byte
		wantErr    bool
	}{
		{
			name: "error",
			args: args{
				containerID: "containerID",
				cmd:         []string{"/bin/bash", "-c", "echo hello world"},
				timeout:     time.Minute * 1,
			},
			prepare: func(t *testing.T, c *mockcri.MockRuntimeServiceClient) {
				c.EXPECT().ExecSync(
					gomock.Any(),
					gomock.Eq(&criruntimev1alpha2.ExecSyncRequest{
						ContainerId: "containerID",
						Cmd:         []string{"/bin/bash", "-c", "echo hello world"},
						Timeout:     int64((time.Minute * 1).Seconds()),
					}),
				).Times(1).Return(nil, errMock)
			},
			wantStdout: nil,
			wantStderr: nil,
			wantErr:    true,
		},
		{
			name: "command execution failed",
			args: args{
				containerID: "containerID",
				cmd:         []string{"/bin/bash", "-c", "echo hello world"},
				timeout:     time.Minute * 1,
			},
			prepare: func(t *testing.T, c *mockcri.MockRuntimeServiceClient) {
				c.EXPECT().ExecSync(
					gomock.Any(),
					gomock.Eq(&criruntimev1alpha2.ExecSyncRequest{
						ContainerId: "containerID",
						Cmd:         []string{"/bin/bash", "-c", "echo hello world"},
						Timeout:     int64((time.Minute * 1).Seconds()),
					}),
				).Times(1).Return(&criruntimev1alpha2.ExecSyncResponse{
					Stdout:   []byte("stdout"),
					Stderr:   []byte("stderr"),
					ExitCode: 42,
				}, nil)
			},
			wantStdout: []byte("stdout"),
			wantStderr: []byte("stderr"),
			wantErr:    true,
		},
		{
			name: "success",
			args: args{
				containerID: "containerID",
				cmd:         []string{"/bin/bash", "-c", "echo hello world"},
				timeout:     time.Minute * 1,
			},
			prepare: func(t *testing.T, c *mockcri.MockRuntimeServiceClient) {
				c.EXPECT().ExecSync(
					gomock.Any(),
					gomock.Eq(&criruntimev1alpha2.ExecSyncRequest{
						ContainerId: "containerID",
						Cmd:         []string{"/bin/bash", "-c", "echo hello world"},
						Timeout:     int64((time.Minute * 1).Seconds()),
					}),
				).Times(1).Return(&criruntimev1alpha2.ExecSyncResponse{
					Stdout:   []byte("stdout"),
					Stderr:   []byte("stderr"),
					ExitCode: 0,
				}, nil)
			},
			wantStdout: []byte("stdout"),
			wantStderr: []byte("stderr"),
			wantErr:    false,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			// the same in every test
			ctrl, client, cancel, w := newUnitTestCRIExtendedRuntimeServiceWrapper(t)
			defer cancel()
			defer ctrl.Finish()
			if tt.prepare != nil {
				tt.prepare(t, client)
			}
			gotStdout, gotStderr, err := w.ExecSync(tt.args.containerID, tt.args.cmd, tt.args.timeout)
			if (err != nil) != tt.wantErr {
				t.Errorf("extendedServiceRuntimeWrapper.ExecSync() error = %v, wantErr %v", err, tt.wantErr)
				return
			}
			if !reflect.DeepEqual(gotStdout, tt.wantStdout) {
				t.Errorf("extendedServiceRuntimeWrapper.ExecSync() gotStdout = %v, want %v", gotStdout, tt.wantStdout)
			}
			if !reflect.DeepEqual(gotStderr, tt.wantStderr) {
				t.Errorf("extendedServiceRuntimeWrapper.ExecSync() gotStderr = %v, want %v", gotStderr, tt.wantStderr)
			}
		})
	}
}

func Test_extendedServiceRuntimeWrapper_Exec(t *testing.T) {
	type args struct {
		req *criruntimev1alpha2.ExecRequest
	}
	tests := []struct {
		name    string
		prepare prepareFunc
		args    args
		want    *criruntimev1alpha2.ExecResponse
		wantErr bool
	}{
		{
			name: "error",
			args: args{
				req: &criruntimev1alpha2.ExecRequest{
					ContainerId: "containerID",
					Cmd:         []string{"/bin/bash", "-c", "echo hello world"},
				},
			},
			prepare: func(t *testing.T, c *mockcri.MockRuntimeServiceClient) {
				c.EXPECT().Exec(
					gomock.Any(),
					gomock.Eq(&criruntimev1alpha2.ExecRequest{
						ContainerId: "containerID",
						Cmd:         []string{"/bin/bash", "-c", "echo hello world"},
					}),
				).Times(1).Return(nil, errMock)
			},
			want:    nil,
			wantErr: true,
		},
		{
			name: "success",
			args: args{
				req: &criruntimev1alpha2.ExecRequest{
					ContainerId: "containerID",
					Cmd:         []string{"/bin/bash", "-c", "echo hello world"},
				},
			},
			prepare: func(t *testing.T, c *mockcri.MockRuntimeServiceClient) {
				c.EXPECT().Exec(
					gomock.Any(),
					gomock.Eq(&criruntimev1alpha2.ExecRequest{
						ContainerId: "containerID",
						Cmd:         []string{"/bin/bash", "-c", "echo hello world"},
					}),
				).Times(1).Return(&criruntimev1alpha2.ExecResponse{
					Url: "pick up status of exec request here",
				}, nil)
			},
			want: &criruntimev1alpha2.ExecResponse{
				Url: "pick up status of exec request here",
			},
			wantErr: false,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			// the same in every test
			ctrl, client, cancel, w := newUnitTestCRIExtendedRuntimeServiceWrapper(t)
			defer cancel()
			defer ctrl.Finish()
			if tt.prepare != nil {
				tt.prepare(t, client)
			}
			got, err := w.Exec(tt.args.req)
			if (err != nil) != tt.wantErr {
				t.Errorf("extendedServiceRuntimeWrapper.Exec() error = %v, wantErr %v", err, tt.wantErr)
				return
			}
			if !reflect.DeepEqual(got, tt.want) {
				t.Errorf("extendedServiceRuntimeWrapper.Exec() = %v, want %v", got, tt.want)
			}
		})
	}
}

func Test_extendedServiceRuntimeWrapper_Attach(t *testing.T) {
	type args struct {
		req *criruntimev1alpha2.AttachRequest
	}
	tests := []struct {
		name    string
		prepare prepareFunc
		args    args
		want    *criruntimev1alpha2.AttachResponse
		wantErr bool
	}{
		{
			name: "error",
			args: args{
				req: &criruntimev1alpha2.AttachRequest{
					ContainerId: "containerID",
					Stdout:      true,
				},
			},
			prepare: func(t *testing.T, c *mockcri.MockRuntimeServiceClient) {
				c.EXPECT().Attach(
					gomock.Any(),
					gomock.Eq(&criruntimev1alpha2.AttachRequest{
						ContainerId: "containerID",
						Stdout:      true,
					}),
				).Times(1).Return(nil, errMock)
			},
			want:    nil,
			wantErr: true,
		},
		{
			name: "success",
			args: args{
				req: &criruntimev1alpha2.AttachRequest{
					ContainerId: "containerID",
					Stdout:      true,
				},
			},
			prepare: func(t *testing.T, c *mockcri.MockRuntimeServiceClient) {
				c.EXPECT().Attach(
					gomock.Any(),
					gomock.Eq(&criruntimev1alpha2.AttachRequest{
						ContainerId: "containerID",
						Stdout:      true,
					}),
				).Times(1).Return(&criruntimev1alpha2.AttachResponse{
					Url: "pick up status of attach request here",
				}, nil)
			},
			want: &criruntimev1alpha2.AttachResponse{
				Url: "pick up status of attach request here",
			},
			wantErr: false,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			// the same in every test
			ctrl, client, cancel, w := newUnitTestCRIExtendedRuntimeServiceWrapper(t)
			defer cancel()
			defer ctrl.Finish()
			if tt.prepare != nil {
				tt.prepare(t, client)
			}
			got, err := w.Attach(tt.args.req)
			if (err != nil) != tt.wantErr {
				t.Errorf("extendedServiceRuntimeWrapper.Attach() error = %v, wantErr %v", err, tt.wantErr)
				return
			}
			if !reflect.DeepEqual(got, tt.want) {
				t.Errorf("extendedServiceRuntimeWrapper.Attach() = %v, want %v", got, tt.want)
			}
		})
	}
}

func Test_extendedServiceRuntimeWrapper_ReopenContainerLog(t *testing.T) {
	type args struct {
		containerID string
	}
	tests := []struct {
		name    string
		prepare prepareFunc
		args    args
		wantErr bool
	}{
		{
			name: "error",
			args: args{
				containerID: "containerID",
			},
			prepare: func(t *testing.T, c *mockcri.MockRuntimeServiceClient) {
				c.EXPECT().ReopenContainerLog(
					gomock.Any(),
					gomock.Eq(&criruntimev1alpha2.ReopenContainerLogRequest{
						ContainerId: "containerID",
					}),
				).Times(1).Return(nil, errMock)
			},
			wantErr: true,
		},
		{
			name: "success",
			args: args{
				containerID: "containerID",
			},
			prepare: func(t *testing.T, c *mockcri.MockRuntimeServiceClient) {
				c.EXPECT().ReopenContainerLog(
					gomock.Any(),
					gomock.Eq(&criruntimev1alpha2.ReopenContainerLogRequest{
						ContainerId: "containerID",
					}),
				).Times(1).Return(&criruntimev1alpha2.ReopenContainerLogResponse{}, nil)
			},
			wantErr: false,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			// the same in every test
			ctrl, client, cancel, w := newUnitTestCRIExtendedRuntimeServiceWrapper(t)
			defer cancel()
			defer ctrl.Finish()
			if tt.prepare != nil {
				tt.prepare(t, client)
			}
			if err := w.ReopenContainerLog(tt.args.containerID); (err != nil) != tt.wantErr {
				t.Errorf("extendedServiceRuntimeWrapper.ReopenContainerLog() error = %v, wantErr %v", err, tt.wantErr)
			}
		})
	}
}

func Test_extendedServiceRuntimeWrapper_RunPodSandbox(t *testing.T) {
	type args struct {
		config         *criruntimev1alpha2.PodSandboxConfig
		runtimeHandler string
	}
	tests := []struct {
		name    string
		prepare prepareFunc
		args    args
		want    string
		wantErr bool
	}{
		{
			name: "error",
			args: args{
				config: &criruntimev1alpha2.PodSandboxConfig{
					Metadata: &criruntimev1alpha2.PodSandboxMetadata{
						Name:      "pod-name",
						Namespace: "default",
						Uid:       "b924b248-6395-4415-8603-4f3562e44418",
						Attempt:   0,
					},
					Hostname: "sandboxHostname",
				},
				runtimeHandler: "runtimeHandler",
			},
			prepare: func(t *testing.T, c *mockcri.MockRuntimeServiceClient) {
				c.EXPECT().RunPodSandbox(
					gomock.Any(),
					gomock.Eq(&criruntimev1alpha2.RunPodSandboxRequest{
						RuntimeHandler: "runtimeHandler",
						Config: &criruntimev1alpha2.PodSandboxConfig{
							Metadata: &criruntimev1alpha2.PodSandboxMetadata{
								Name:      "pod-name",
								Namespace: "default",
								Uid:       "b924b248-6395-4415-8603-4f3562e44418",
								Attempt:   0,
							},
							Hostname: "sandboxHostname",
						},
					}),
				).Times(1).Return(nil, errMock)
			},
			want:    "",
			wantErr: true,
		},
		{
			name: "success",
			args: args{
				config: &criruntimev1alpha2.PodSandboxConfig{
					Metadata: &criruntimev1alpha2.PodSandboxMetadata{
						Name:      "pod-name",
						Namespace: "default",
						Uid:       "b924b248-6395-4415-8603-4f3562e44418",
						Attempt:   0,
					},
					Hostname: "sandboxHostname",
				},
				runtimeHandler: "runtimeHandler",
			},
			prepare: func(t *testing.T, c *mockcri.MockRuntimeServiceClient) {
				c.EXPECT().RunPodSandbox(
					gomock.Any(),
					gomock.Eq(&criruntimev1alpha2.RunPodSandboxRequest{
						RuntimeHandler: "runtimeHandler",
						Config: &criruntimev1alpha2.PodSandboxConfig{
							Metadata: &criruntimev1alpha2.PodSandboxMetadata{
								Name:      "pod-name",
								Namespace: "default",
								Uid:       "b924b248-6395-4415-8603-4f3562e44418",
								Attempt:   0,
							},
							Hostname: "sandboxHostname",
						},
					}),
				).Times(1).Return(&criruntimev1alpha2.RunPodSandboxResponse{
					PodSandboxId: "podSandboxID",
				}, nil)
			},
			want:    "podSandboxID",
			wantErr: false,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			// the same in every test
			ctrl, client, cancel, w := newUnitTestCRIExtendedRuntimeServiceWrapper(t)
			defer cancel()
			defer ctrl.Finish()
			if tt.prepare != nil {
				tt.prepare(t, client)
			}
			got, err := w.RunPodSandbox(tt.args.config, tt.args.runtimeHandler)
			if (err != nil) != tt.wantErr {
				t.Errorf("extendedServiceRuntimeWrapper.RunPodSandbox() error = %v, wantErr %v", err, tt.wantErr)
				return
			}
			if got != tt.want {
				t.Errorf("extendedServiceRuntimeWrapper.RunPodSandbox() = %v, want %v", got, tt.want)
			}
		})
	}
}

func Test_extendedServiceRuntimeWrapper_StopPodSandbox(t *testing.T) {
	type args struct {
		podSandboxID string
	}
	tests := []struct {
		name    string
		prepare prepareFunc
		args    args
		wantErr bool
	}{
		{
			name: "error",
			args: args{
				podSandboxID: "podSandboxID",
			},
			prepare: func(t *testing.T, c *mockcri.MockRuntimeServiceClient) {
				c.EXPECT().StopPodSandbox(
					gomock.Any(),
					gomock.Eq(&criruntimev1alpha2.StopPodSandboxRequest{
						PodSandboxId: "podSandboxID",
					}),
				).Times(1).Return(nil, errMock)
			},
			wantErr: true,
		},
		{
			name: "success",
			args: args{
				podSandboxID: "podSandboxID",
			},
			prepare: func(t *testing.T, c *mockcri.MockRuntimeServiceClient) {
				c.EXPECT().StopPodSandbox(
					gomock.Any(),
					gomock.Eq(&criruntimev1alpha2.StopPodSandboxRequest{
						PodSandboxId: "podSandboxID",
					}),
				).Times(1).Return(&criruntimev1alpha2.StopPodSandboxResponse{}, nil)
			},
			wantErr: false,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			// the same in every test
			ctrl, client, cancel, w := newUnitTestCRIExtendedRuntimeServiceWrapper(t)
			defer cancel()
			defer ctrl.Finish()
			if tt.prepare != nil {
				tt.prepare(t, client)
			}
			if err := w.StopPodSandbox(tt.args.podSandboxID); (err != nil) != tt.wantErr {
				t.Errorf("extendedServiceRuntimeWrapper.StopPodSandbox() error = %v, wantErr %v", err, tt.wantErr)
			}
		})
	}
}

func Test_extendedServiceRuntimeWrapper_RemovePodSandbox(t *testing.T) {
	type args struct {
		podSandboxID string
	}
	tests := []struct {
		name    string
		prepare prepareFunc
		args    args
		wantErr bool
	}{
		{
			name: "error",
			args: args{
				podSandboxID: "podSandboxID",
			},
			prepare: func(t *testing.T, c *mockcri.MockRuntimeServiceClient) {
				c.EXPECT().RemovePodSandbox(
					gomock.Any(),
					gomock.Eq(&criruntimev1alpha2.RemovePodSandboxRequest{
						PodSandboxId: "podSandboxID",
					}),
				).Times(1).Return(nil, errMock)
			},
			wantErr: true,
		},
		{
			name: "error",
			args: args{
				podSandboxID: "podSandboxID",
			},
			prepare: func(t *testing.T, c *mockcri.MockRuntimeServiceClient) {
				c.EXPECT().RemovePodSandbox(
					gomock.Any(),
					gomock.Eq(&criruntimev1alpha2.RemovePodSandboxRequest{
						PodSandboxId: "podSandboxID",
					}),
				).Times(1).Return(&criruntimev1alpha2.RemovePodSandboxResponse{}, nil)
			},
			wantErr: false,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			// the same in every test
			ctrl, client, cancel, w := newUnitTestCRIExtendedRuntimeServiceWrapper(t)
			defer cancel()
			defer ctrl.Finish()
			if tt.prepare != nil {
				tt.prepare(t, client)
			}
			if err := w.RemovePodSandbox(tt.args.podSandboxID); (err != nil) != tt.wantErr {
				t.Errorf("extendedServiceRuntimeWrapper.RemovePodSandbox() error = %v, wantErr %v", err, tt.wantErr)
			}
		})
	}
}

func Test_extendedServiceRuntimeWrapper_PodSandboxStatus(t *testing.T) {
	type args struct {
		podSandboxID string
	}
	tests := []struct {
		name    string
		prepare prepareFunc
		args    args
		want    *criruntimev1alpha2.PodSandboxStatus
		wantErr bool
	}{
		{
			name: "error",
			args: args{
				podSandboxID: "podSandboxID",
			},
			prepare: func(t *testing.T, c *mockcri.MockRuntimeServiceClient) {
				c.EXPECT().PodSandboxStatus(
					gomock.Any(),
					gomock.Eq(&criruntimev1alpha2.PodSandboxStatusRequest{
						PodSandboxId: "podSandboxID",
						Verbose:      false,
					}),
				).Times(1).Return(nil, errMock)
			},
			want:    nil,
			wantErr: true,
		},
		{
			name: "success",
			args: args{
				podSandboxID: "podSandboxID",
			},
			prepare: func(t *testing.T, c *mockcri.MockRuntimeServiceClient) {
				c.EXPECT().PodSandboxStatus(
					gomock.Any(),
					gomock.Eq(&criruntimev1alpha2.PodSandboxStatusRequest{
						PodSandboxId: "podSandboxID",
						Verbose:      false,
					}),
				).Times(1).Return(&criruntimev1alpha2.PodSandboxStatusResponse{
					Status: &criruntimev1alpha2.PodSandboxStatus{
						Id:    "podSandboxID",
						State: criruntimev1alpha2.PodSandboxState_SANDBOX_READY,
					},
				}, nil)
			},
			want: &criruntimev1alpha2.PodSandboxStatus{
				Id:    "podSandboxID",
				State: criruntimev1alpha2.PodSandboxState_SANDBOX_READY,
			},
			wantErr: false,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			// the same in every test
			ctrl, client, cancel, w := newUnitTestCRIExtendedRuntimeServiceWrapper(t)
			defer cancel()
			defer ctrl.Finish()
			if tt.prepare != nil {
				tt.prepare(t, client)
			}
			got, err := w.PodSandboxStatus(tt.args.podSandboxID)
			if (err != nil) != tt.wantErr {
				t.Errorf("extendedServiceRuntimeWrapper.PodSandboxStatus() error = %v, wantErr %v", err, tt.wantErr)
				return
			}
			if !reflect.DeepEqual(got, tt.want) {
				t.Errorf("extendedServiceRuntimeWrapper.PodSandboxStatus() = %v, want %v", got, tt.want)
			}
		})
	}
}

func Test_extendedServiceRuntimeWrapper_PodSandboxStatusVerbose(t *testing.T) {

	type args struct {
		podSandboxID string
	}
	tests := []struct {
		name    string
		prepare prepareFunc
		args    args
		want    *criruntimev1alpha2.PodSandboxStatus
		want1   map[string]string
		wantErr bool
	}{
		{
			name: "error",
			args: args{
				podSandboxID: "podSandboxID",
			},
			prepare: func(t *testing.T, c *mockcri.MockRuntimeServiceClient) {
				c.EXPECT().PodSandboxStatus(
					gomock.Any(),
					gomock.Eq(&criruntimev1alpha2.PodSandboxStatusRequest{
						PodSandboxId: "podSandboxID",
						Verbose:      true,
					}),
				).Times(1).Return(nil, errMock)
			},
			want:    nil,
			wantErr: true,
		},
		{
			name: "success",
			args: args{
				podSandboxID: "podSandboxID",
			},
			prepare: func(t *testing.T, c *mockcri.MockRuntimeServiceClient) {
				c.EXPECT().PodSandboxStatus(
					gomock.Any(),
					gomock.Eq(&criruntimev1alpha2.PodSandboxStatusRequest{
						PodSandboxId: "podSandboxID",
						Verbose:      true,
					}),
				).Times(1).Return(&criruntimev1alpha2.PodSandboxStatusResponse{
					Status: &criruntimev1alpha2.PodSandboxStatus{
						Id:    "podSandboxID",
						State: criruntimev1alpha2.PodSandboxState_SANDBOX_READY,
					},
				}, nil)
			},
			want: &criruntimev1alpha2.PodSandboxStatus{
				Id:    "podSandboxID",
				State: criruntimev1alpha2.PodSandboxState_SANDBOX_READY,
			},
			wantErr: false,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			// the same in every test
			ctrl, client, cancel, w := newUnitTestCRIExtendedRuntimeServiceWrapper(t)
			defer cancel()
			defer ctrl.Finish()
			if tt.prepare != nil {
				tt.prepare(t, client)
			}
			got, got1, err := w.PodSandboxStatusVerbose(tt.args.podSandboxID)
			if (err != nil) != tt.wantErr {
				t.Errorf("extendedServiceRuntimeWrapper.PodSandboxStatusVerbose() error = %v, wantErr %v", err, tt.wantErr)
				return
			}
			if !reflect.DeepEqual(got, tt.want) {
				t.Errorf("extendedServiceRuntimeWrapper.PodSandboxStatusVerbose() got = %v, want %v", got, tt.want)
			}
			if !reflect.DeepEqual(got1, tt.want1) {
				t.Errorf("extendedServiceRuntimeWrapper.PodSandboxStatusVerbose() got1 = %v, want %v", got1, tt.want1)
			}
		})
	}
}

func Test_extendedServiceRuntimeWrapper_ListPodSandbox(t *testing.T) {
	type args struct {
		filter *criruntimev1alpha2.PodSandboxFilter
	}
	tests := []struct {
		name    string
		prepare prepareFunc
		args    args
		want    []*criruntimev1alpha2.PodSandbox
		wantErr bool
	}{
		{
			name: "error",
			args: args{
				filter: &criruntimev1alpha2.PodSandboxFilter{
					LabelSelector: map[string]string{
						"a": "b",
					},
				},
			},
			prepare: func(t *testing.T, c *mockcri.MockRuntimeServiceClient) {
				c.EXPECT().ListPodSandbox(
					gomock.Any(),
					gomock.Eq(&criruntimev1alpha2.ListPodSandboxRequest{
						Filter: &criruntimev1alpha2.PodSandboxFilter{
							LabelSelector: map[string]string{
								"a": "b",
							},
						},
					}),
				).Times(1).Return(nil, errMock)
			},
			want:    nil,
			wantErr: true,
		},
		{
			name: "success",
			args: args{
				filter: &criruntimev1alpha2.PodSandboxFilter{
					LabelSelector: map[string]string{
						"a": "b",
					},
				},
			},
			prepare: func(t *testing.T, c *mockcri.MockRuntimeServiceClient) {
				c.EXPECT().ListPodSandbox(
					gomock.Any(),
					gomock.Eq(&criruntimev1alpha2.ListPodSandboxRequest{
						Filter: &criruntimev1alpha2.PodSandboxFilter{
							LabelSelector: map[string]string{
								"a": "b",
							},
						},
					}),
				).Times(1).Return(&criruntimev1alpha2.ListPodSandboxResponse{
					Items: []*criruntimev1alpha2.PodSandbox{
						{
							Id:    "one",
							State: criruntimev1alpha2.PodSandboxState_SANDBOX_READY,
						},
						{
							Id:    "two",
							State: criruntimev1alpha2.PodSandboxState_SANDBOX_NOTREADY,
						},
					},
				}, nil)
			},
			want: []*criruntimev1alpha2.PodSandbox{
				{
					Id:    "one",
					State: criruntimev1alpha2.PodSandboxState_SANDBOX_READY,
				},
				{
					Id:    "two",
					State: criruntimev1alpha2.PodSandboxState_SANDBOX_NOTREADY,
				},
			},
			wantErr: false,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			// the same in every test
			ctrl, client, cancel, w := newUnitTestCRIExtendedRuntimeServiceWrapper(t)
			defer cancel()
			defer ctrl.Finish()
			if tt.prepare != nil {
				tt.prepare(t, client)
			}
			got, err := w.ListPodSandbox(tt.args.filter)
			if (err != nil) != tt.wantErr {
				t.Errorf("extendedServiceRuntimeWrapper.ListPodSandbox() error = %v, wantErr %v", err, tt.wantErr)
				return
			}
			if !reflect.DeepEqual(got, tt.want) {
				t.Errorf("extendedServiceRuntimeWrapper.ListPodSandbox() = %v, want %v", got, tt.want)
			}
		})
	}
}

func Test_extendedServiceRuntimeWrapper_PortForward(t *testing.T) {
	type args struct {
		req *criruntimev1alpha2.PortForwardRequest
	}
	tests := []struct {
		name    string
		prepare prepareFunc
		args    args
		want    *criruntimev1alpha2.PortForwardResponse
		wantErr bool
	}{
		{
			name: "error",
			args: args{
				req: &criruntimev1alpha2.PortForwardRequest{
					PodSandboxId: "podSandboxID",
					Port:         []int32{42},
				},
			},
			prepare: func(t *testing.T, c *mockcri.MockRuntimeServiceClient) {
				c.EXPECT().PortForward(
					gomock.Any(),
					gomock.Eq(&criruntimev1alpha2.PortForwardRequest{
						PodSandboxId: "podSandboxID",
						Port:         []int32{42},
					}),
				).Times(1).Return(nil, errMock)
			},
			want:    nil,
			wantErr: true,
		},
		{
			name: "success",
			args: args{
				req: &criruntimev1alpha2.PortForwardRequest{
					PodSandboxId: "podSandboxID",
					Port:         []int32{42},
				},
			},
			prepare: func(t *testing.T, c *mockcri.MockRuntimeServiceClient) {
				c.EXPECT().PortForward(
					gomock.Any(),
					gomock.Eq(&criruntimev1alpha2.PortForwardRequest{
						PodSandboxId: "podSandboxID",
						Port:         []int32{42},
					}),
				).Times(1).Return(&criruntimev1alpha2.PortForwardResponse{
					Url: "pick up port forward request here",
				}, nil)
			},
			want: &criruntimev1alpha2.PortForwardResponse{
				Url: "pick up port forward request here",
			},
			wantErr: false,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			// the same in every test
			ctrl, client, cancel, w := newUnitTestCRIExtendedRuntimeServiceWrapper(t)
			defer cancel()
			defer ctrl.Finish()
			if tt.prepare != nil {
				tt.prepare(t, client)
			}
			got, err := w.PortForward(tt.args.req)
			if (err != nil) != tt.wantErr {
				t.Errorf("extendedServiceRuntimeWrapper.PortForward() error = %v, wantErr %v", err, tt.wantErr)
				return
			}
			if !reflect.DeepEqual(got, tt.want) {
				t.Errorf("extendedServiceRuntimeWrapper.PortForward() = %v, want %v", got, tt.want)
			}
		})
	}
}

func Test_extendedServiceRuntimeWrapper_ContainerStats(t *testing.T) {
	type args struct {
		containerID string
	}
	tests := []struct {
		name    string
		prepare prepareFunc
		args    args
		want    *criruntimev1alpha2.ContainerStats
		wantErr bool
	}{
		{
			name: "error",
			args: args{
				containerID: "containerID",
			},
			prepare: func(t *testing.T, c *mockcri.MockRuntimeServiceClient) {
				c.EXPECT().ContainerStats(
					gomock.Any(),
					gomock.Eq(&criruntimev1alpha2.ContainerStatsRequest{
						ContainerId: "containerID",
					}),
				).Times(1).Return(nil, errMock)
			},
			want:    nil,
			wantErr: true,
		},
		{
			name: "success",
			args: args{
				containerID: "containerID",
			},
			prepare: func(t *testing.T, c *mockcri.MockRuntimeServiceClient) {
				c.EXPECT().ContainerStats(
					gomock.Any(),
					gomock.Eq(&criruntimev1alpha2.ContainerStatsRequest{
						ContainerId: "containerID",
					}),
				).Times(1).Return(&criruntimev1alpha2.ContainerStatsResponse{
					Stats: &criruntimev1alpha2.ContainerStats{
						Attributes: &criruntimev1alpha2.ContainerAttributes{
							Id: "containerID",
						},
					},
				}, nil)
			},
			want: &criruntimev1alpha2.ContainerStats{
				Attributes: &criruntimev1alpha2.ContainerAttributes{
					Id: "containerID",
				},
			},
			wantErr: false,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			// the same in every test
			ctrl, client, cancel, w := newUnitTestCRIExtendedRuntimeServiceWrapper(t)
			defer cancel()
			defer ctrl.Finish()
			if tt.prepare != nil {
				tt.prepare(t, client)
			}
			got, err := w.ContainerStats(tt.args.containerID)
			if (err != nil) != tt.wantErr {
				t.Errorf("extendedServiceRuntimeWrapper.ContainerStats() error = %v, wantErr %v", err, tt.wantErr)
				return
			}
			if !reflect.DeepEqual(got, tt.want) {
				t.Errorf("extendedServiceRuntimeWrapper.ContainerStats() = %v, want %v", got, tt.want)
			}
		})
	}
}

func Test_extendedServiceRuntimeWrapper_ListContainerStats(t *testing.T) {
	type args struct {
		filter *criruntimev1alpha2.ContainerStatsFilter
	}
	tests := []struct {
		name    string
		prepare prepareFunc
		args    args
		want    []*criruntimev1alpha2.ContainerStats
		wantErr bool
	}{
		{
			name: "error",
			args: args{
				filter: &criruntimev1alpha2.ContainerStatsFilter{
					LabelSelector: map[string]string{
						"a": "b",
					},
				},
			},
			prepare: func(t *testing.T, c *mockcri.MockRuntimeServiceClient) {
				c.EXPECT().ListContainerStats(
					gomock.Any(),
					gomock.Eq(&criruntimev1alpha2.ListContainerStatsRequest{
						Filter: &criruntimev1alpha2.ContainerStatsFilter{
							LabelSelector: map[string]string{
								"a": "b",
							},
						},
					}),
				).Times(1).Return(nil, errMock)
			},
			want:    nil,
			wantErr: true,
		},
		{
			name: "error",
			args: args{
				filter: &criruntimev1alpha2.ContainerStatsFilter{
					LabelSelector: map[string]string{
						"a": "b",
					},
				},
			},
			prepare: func(t *testing.T, c *mockcri.MockRuntimeServiceClient) {
				c.EXPECT().ListContainerStats(
					gomock.Any(),
					gomock.Eq(&criruntimev1alpha2.ListContainerStatsRequest{
						Filter: &criruntimev1alpha2.ContainerStatsFilter{
							LabelSelector: map[string]string{
								"a": "b",
							},
						},
					}),
				).Times(1).Return(&criruntimev1alpha2.ListContainerStatsResponse{
					Stats: []*criruntimev1alpha2.ContainerStats{
						{
							Attributes: &criruntimev1alpha2.ContainerAttributes{
								Id: "one",
								Labels: map[string]string{
									"a": "b",
								},
							},
						},
						{
							Attributes: &criruntimev1alpha2.ContainerAttributes{
								Id: "two",
								Labels: map[string]string{
									"a": "b",
								},
							},
						},
					},
				}, nil)
			},
			want: []*criruntimev1alpha2.ContainerStats{
				{
					Attributes: &criruntimev1alpha2.ContainerAttributes{
						Id: "one",
						Labels: map[string]string{
							"a": "b",
						},
					},
				},
				{
					Attributes: &criruntimev1alpha2.ContainerAttributes{
						Id: "two",
						Labels: map[string]string{
							"a": "b",
						},
					},
				},
			},
			wantErr: false,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			// the same in every test
			ctrl, client, cancel, w := newUnitTestCRIExtendedRuntimeServiceWrapper(t)
			defer cancel()
			defer ctrl.Finish()
			if tt.prepare != nil {
				tt.prepare(t, client)
			}
			got, err := w.ListContainerStats(tt.args.filter)
			if (err != nil) != tt.wantErr {
				t.Errorf("extendedServiceRuntimeWrapper.ListContainerStats() error = %v, wantErr %v", err, tt.wantErr)
				return
			}
			if !reflect.DeepEqual(got, tt.want) {
				t.Errorf("extendedServiceRuntimeWrapper.ListContainerStats() = %v, want %v", got, tt.want)
			}
		})
	}
}

func Test_extendedServiceRuntimeWrapper_UpdateRuntimeConfig(t *testing.T) {
	type args struct {
		runtimeConfig *criruntimev1alpha2.RuntimeConfig
	}
	tests := []struct {
		name    string
		prepare prepareFunc
		args    args
		wantErr bool
	}{
		{
			name: "error",
			args: args{
				runtimeConfig: &criruntimev1alpha2.RuntimeConfig{
					NetworkConfig: &criruntimev1alpha2.NetworkConfig{
						PodCidr: "10.10.10.0/24",
					},
				},
			},
			prepare: func(t *testing.T, c *mockcri.MockRuntimeServiceClient) {
				c.EXPECT().UpdateRuntimeConfig(
					gomock.Any(),
					gomock.Eq(&criruntimev1alpha2.UpdateRuntimeConfigRequest{
						RuntimeConfig: &criruntimev1alpha2.RuntimeConfig{
							NetworkConfig: &criruntimev1alpha2.NetworkConfig{
								PodCidr: "10.10.10.0/24",
							},
						},
					}),
				).Times(1).Return(nil, errMock)
			},
			wantErr: true,
		},
		{
			name: "success",
			args: args{
				runtimeConfig: &criruntimev1alpha2.RuntimeConfig{
					NetworkConfig: &criruntimev1alpha2.NetworkConfig{
						PodCidr: "10.10.10.0/24",
					},
				},
			},
			prepare: func(t *testing.T, c *mockcri.MockRuntimeServiceClient) {
				c.EXPECT().UpdateRuntimeConfig(
					gomock.Any(),
					gomock.Eq(&criruntimev1alpha2.UpdateRuntimeConfigRequest{
						RuntimeConfig: &criruntimev1alpha2.RuntimeConfig{
							NetworkConfig: &criruntimev1alpha2.NetworkConfig{
								PodCidr: "10.10.10.0/24",
							},
						},
					}),
				).Times(1).Return(&criruntimev1alpha2.UpdateRuntimeConfigResponse{}, nil)
			},
			wantErr: false,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			// the same in every test
			ctrl, client, cancel, w := newUnitTestCRIExtendedRuntimeServiceWrapper(t)
			defer cancel()
			defer ctrl.Finish()
			if tt.prepare != nil {
				tt.prepare(t, client)
			}
			if err := w.UpdateRuntimeConfig(tt.args.runtimeConfig); (err != nil) != tt.wantErr {
				t.Errorf("extendedServiceRuntimeWrapper.UpdateRuntimeConfig() error = %v, wantErr %v", err, tt.wantErr)
			}
		})
	}
}

func Test_extendedServiceRuntimeWrapper_Status(t *testing.T) {
	tests := []struct {
		name    string
		prepare prepareFunc
		want    *criruntimev1alpha2.RuntimeStatus
		wantErr bool
	}{
		{
			name: "error",
			prepare: func(t *testing.T, c *mockcri.MockRuntimeServiceClient) {
				c.EXPECT().Status(
					gomock.Any(),
					gomock.Eq(&criruntimev1alpha2.StatusRequest{
						Verbose: false,
					}),
				).Times(1).Return(nil, errMock)
			},
			want:    nil,
			wantErr: true,
		},
		{
			name: "success",
			prepare: func(t *testing.T, c *mockcri.MockRuntimeServiceClient) {
				c.EXPECT().Status(
					gomock.Any(),
					gomock.Eq(&criruntimev1alpha2.StatusRequest{
						Verbose: false,
					}),
				).Times(1).Return(&criruntimev1alpha2.StatusResponse{
					Status: &criruntimev1alpha2.RuntimeStatus{
						Conditions: []*criruntimev1alpha2.RuntimeCondition{
							{
								Type:    "RuntimeReady",
								Status:  true,
								Reason:  "",
								Message: "",
							},
							{
								Type:    "NetworkReady",
								Status:  true,
								Reason:  "",
								Message: "",
							},
						},
					},
				}, nil)
			},
			want: &criruntimev1alpha2.RuntimeStatus{
				Conditions: []*criruntimev1alpha2.RuntimeCondition{
					{
						Type:    "RuntimeReady",
						Status:  true,
						Reason:  "",
						Message: "",
					},
					{
						Type:    "NetworkReady",
						Status:  true,
						Reason:  "",
						Message: "",
					},
				},
			},
			wantErr: false,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			// the same in every test
			ctrl, client, cancel, w := newUnitTestCRIExtendedRuntimeServiceWrapper(t)
			defer cancel()
			defer ctrl.Finish()
			if tt.prepare != nil {
				tt.prepare(t, client)
			}
			got, err := w.Status()
			if (err != nil) != tt.wantErr {
				t.Errorf("extendedServiceRuntimeWrapper.Status() error = %v, wantErr %v", err, tt.wantErr)
				return
			}
			if !reflect.DeepEqual(got, tt.want) {
				t.Errorf("extendedServiceRuntimeWrapper.Status() = %v, want %v", got, tt.want)
			}
		})
	}
}

func Test_extendedServiceRuntimeWrapper_StatusVerbose(t *testing.T) {
	tests := []struct {
		name    string
		prepare prepareFunc
		want    *criruntimev1alpha2.RuntimeStatus
		want1   map[string]string
		wantErr bool
	}{
		{
			name: "error",
			prepare: func(t *testing.T, c *mockcri.MockRuntimeServiceClient) {
				c.EXPECT().Status(
					gomock.Any(),
					gomock.Eq(&criruntimev1alpha2.StatusRequest{
						Verbose: true,
					}),
				).Times(1).Return(nil, errMock)
			},
			want:    nil,
			wantErr: true,
		},
		{
			name: "success",
			prepare: func(t *testing.T, c *mockcri.MockRuntimeServiceClient) {
				c.EXPECT().Status(
					gomock.Any(),
					gomock.Eq(&criruntimev1alpha2.StatusRequest{
						Verbose: true,
					}),
				).Times(1).Return(&criruntimev1alpha2.StatusResponse{
					Status: &criruntimev1alpha2.RuntimeStatus{
						Conditions: []*criruntimev1alpha2.RuntimeCondition{
							{
								Type:    "RuntimeReady",
								Status:  true,
								Reason:  "",
								Message: "",
							},
							{
								Type:    "NetworkReady",
								Status:  true,
								Reason:  "",
								Message: "",
							},
						},
					},
					Info: map[string]string{
						"verobse": "output",
					},
				}, nil)
			},
			want: &criruntimev1alpha2.RuntimeStatus{
				Conditions: []*criruntimev1alpha2.RuntimeCondition{
					{
						Type:    "RuntimeReady",
						Status:  true,
						Reason:  "",
						Message: "",
					},
					{
						Type:    "NetworkReady",
						Status:  true,
						Reason:  "",
						Message: "",
					},
				},
			},
			want1: map[string]string{
				"verobse": "output",
			},
			wantErr: false,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			// the same in every test
			ctrl, client, cancel, w := newUnitTestCRIExtendedRuntimeServiceWrapper(t)
			defer cancel()
			defer ctrl.Finish()
			if tt.prepare != nil {
				tt.prepare(t, client)
			}
			got, got1, err := w.StatusVerbose()
			if (err != nil) != tt.wantErr {
				t.Errorf("extendedServiceRuntimeWrapper.StatusVerbose() error = %v, wantErr %v", err, tt.wantErr)
				return
			}
			if !reflect.DeepEqual(got, tt.want) {
				t.Errorf("extendedServiceRuntimeWrapper.StatusVerbose() got = %v, want %v", got, tt.want)
			}
			if !reflect.DeepEqual(got1, tt.want1) {
				t.Errorf("extendedServiceRuntimeWrapper.StatusVerbose() got1 = %v, want %v", got1, tt.want1)
			}
		})
	}
}


================================================
FILE: utils/cri/interface.go
================================================
package cri

import (
	criapi "k8s.io/cri-api/pkg/apis"
	criruntimev1alpha2 "k8s.io/cri-api/pkg/apis/runtime/v1alpha2"
)

// ExtendedRuntimeService extends the CRI RuntimeService by some verbose functions that are otherwise inaccessible
type ExtendedRuntimeService interface {
	criapi.RuntimeService
	ContainerStatusVerbose(containerID string) (*criruntimev1alpha2.ContainerStatus, map[string]string, error)
	PodSandboxStatusVerbose(podSandboxID string) (*criruntimev1alpha2.PodSandboxStatus, map[string]string, error)
	StatusVerbose() (*criruntimev1alpha2.RuntimeStatus, map[string]string, error)
}


================================================
FILE: utils/cri/mockcri/mock_runtime_service.go
================================================
// Code generated by MockGen. DO NOT EDIT.
// Source: k8s.io/cri-api/pkg/apis/runtime/v1alpha2 (interfaces: RuntimeServiceClient)

// Package mockcri is a generated GoMock package.
package mockcri

import (
	context "context"
	reflect "reflect"

	gomock "github.com/golang/mock/gomock"
	grpc "google.golang.org/grpc"
	v1alpha2 "k8s.io/cri-api/pkg/apis/runtime/v1alpha2"
)

// MockRuntimeServiceClient is a mock of RuntimeServiceClient interface
// nolint
type MockRuntimeServiceClient struct {
	ctrl     *gomock.Controller
	recorder *MockRuntimeServiceClientMockRecorder
}

// MockRuntimeServiceClientMockRecorder is the mock recorder for MockRuntimeServiceClient
// nolint
type MockRuntimeServiceClientMockRecorder struct {
	mock *MockRuntimeServiceClient
}

// NewMockRuntimeServiceClient creates a new mock instance
// nolint
func NewMockRuntimeServiceClient(ctrl *gomock.Controller) *MockRuntimeServiceClient {
	mock := &MockRuntimeServiceClient{ctrl: ctrl}
	mock.recorder = &MockRuntimeServiceClientMockRecorder{mock}
	return mock
}

// EXPECT returns an object that allows the caller to indicate expected use
// nolint
func (m *MockRuntimeServiceClient) EXPECT() *MockRuntimeServiceClientMockRecorder {
	return m.recorder
}

// Attach mocks base method
// nolint
func (m *MockRuntimeServiceClient) Attach(arg0 context.Context, arg1 *v1alpha2.AttachRequest, arg2 ...grpc.CallOption) (*v1alpha2.AttachResponse, error) {
	m.ctrl.T.Helper()
	varargs := []interface{}{arg0, arg1}
	for _, a := range arg2 {
		varargs = append(varargs, a)
	}
	ret := m.ctrl.Call(m, "Attach", varargs...)
	ret0, _ := ret[0].(*v1alpha2.AttachResponse)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// Attach indicates an expected call of Attach
// nolint
func (mr *MockRuntimeServiceClientMockRecorder) Attach(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	varargs := append([]interface{}{arg0, arg1}, arg2...)
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Attach", reflect.TypeOf((*MockRuntimeServiceClient)(nil).Attach), varargs...)
}

// ContainerStats mocks base method
// nolint
func (m *MockRuntimeServiceClient) ContainerStats(arg0 context.Context, arg1 *v1alpha2.ContainerStatsRequest, arg2 ...grpc.CallOption) (*v1alpha2.ContainerStatsResponse, error) {
	m.ctrl.T.Helper()
	varargs := []interface{}{arg0, arg1}
	for _, a := range arg2 {
		varargs = append(varargs, a)
	}
	ret := m.ctrl.Call(m, "ContainerStats", varargs...)
	ret0, _ := ret[0].(*v1alpha2.ContainerStatsResponse)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ContainerStats indicates an expected call of ContainerStats
// nolint
func (mr *MockRuntimeServiceClientMockRecorder) ContainerStats(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	varargs := append([]interface{}{arg0, arg1}, arg2...)
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ContainerStats", reflect.TypeOf((*MockRuntimeServiceClient)(nil).ContainerStats), varargs...)
}

// ContainerStatus mocks base method
// nolint
func (m *MockRuntimeServiceClient) ContainerStatus(arg0 context.Context, arg1 *v1alpha2.ContainerStatusRequest, arg2 ...grpc.CallOption) (*v1alpha2.ContainerStatusResponse, error) {
	m.ctrl.T.Helper()
	varargs := []interface{}{arg0, arg1}
	for _, a := range arg2 {
		varargs = append(varargs, a)
	}
	ret := m.ctrl.Call(m, "ContainerStatus", varargs...)
	ret0, _ := ret[0].(*v1alpha2.ContainerStatusResponse)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ContainerStatus indicates an expected call of ContainerStatus
// nolint
func (mr *MockRuntimeServiceClientMockRecorder) ContainerStatus(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	varargs := append([]interface{}{arg0, arg1}, arg2...)
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ContainerStatus", reflect.TypeOf((*MockRuntimeServiceClient)(nil).ContainerStatus), varargs...)
}

// CreateContainer mocks base method
// nolint
func (m *MockRuntimeServiceClient) CreateContainer(arg0 context.Context, arg1 *v1alpha2.CreateContainerRequest, arg2 ...grpc.CallOption) (*v1alpha2.CreateContainerResponse, error) {
	m.ctrl.T.Helper()
	varargs := []interface{}{arg0, arg1}
	for _, a := range arg2 {
		varargs = append(varargs, a)
	}
	ret := m.ctrl.Call(m, "CreateContainer", varargs...)
	ret0, _ := ret[0].(*v1alpha2.CreateContainerResponse)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// CreateContainer indicates an expected call of CreateContainer
// nolint
func (mr *MockRuntimeServiceClientMockRecorder) CreateContainer(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	varargs := append([]interface{}{arg0, arg1}, arg2...)
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateContainer", reflect.TypeOf((*MockRuntimeServiceClient)(nil).CreateContainer), varargs...)
}

// Exec mocks base method
// nolint
func (m *MockRuntimeServiceClient) Exec(arg0 context.Context, arg1 *v1alpha2.ExecRequest, arg2 ...grpc.CallOption) (*v1alpha2.ExecResponse, error) {
	m.ctrl.T.Helper()
	varargs := []interface{}{arg0, arg1}
	for _, a := range arg2 {
		varargs = append(varargs, a)
	}
	ret := m.ctrl.Call(m, "Exec", varargs...)
	ret0, _ := ret[0].(*v1alpha2.ExecResponse)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// Exec indicates an expected call of Exec
// nolint
func (mr *MockRuntimeServiceClientMockRecorder) Exec(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	varargs := append([]interface{}{arg0, arg1}, arg2...)
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Exec", reflect.TypeOf((*MockRuntimeServiceClient)(nil).Exec), varargs...)
}

// ExecSync mocks base method
// nolint
func (m *MockRuntimeServiceClient) ExecSync(arg0 context.Context, arg1 *v1alpha2.ExecSyncRequest, arg2 ...grpc.CallOption) (*v1alpha2.ExecSyncResponse, error) {
	m.ctrl.T.Helper()
	varargs := []interface{}{arg0, arg1}
	for _, a := range arg2 {
		varargs = append(varargs, a)
	}
	ret := m.ctrl.Call(m, "ExecSync", varargs...)
	ret0, _ := ret[0].(*v1alpha2.ExecSyncResponse)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ExecSync indicates an expected call of ExecSync
// nolint
func (mr *MockRuntimeServiceClientMockRecorder) ExecSync(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	varargs := append([]interface{}{arg0, arg1}, arg2...)
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ExecSync", reflect.TypeOf((*MockRuntimeServiceClient)(nil).ExecSync), varargs...)
}

// ListContainerStats mocks base method
// nolint
func (m *MockRuntimeServiceClient) ListContainerStats(arg0 context.Context, arg1 *v1alpha2.ListContainerStatsRequest, arg2 ...grpc.CallOption) (*v1alpha2.ListContainerStatsResponse, error) {
	m.ctrl.T.Helper()
	varargs := []interface{}{arg0, arg1}
	for _, a := range arg2 {
		varargs = append(varargs, a)
	}
	ret := m.ctrl.Call(m, "ListContainerStats", varargs...)
	ret0, _ := ret[0].(*v1alpha2.ListContainerStatsResponse)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ListContainerStats indicates an expected call of ListContainerStats
// nolint
func (mr *MockRuntimeServiceClientMockRecorder) ListContainerStats(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	varargs := append([]interface{}{arg0, arg1}, arg2...)
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ListContainerStats", reflect.TypeOf((*MockRuntimeServiceClient)(nil).ListContainerStats), varargs...)
}

// ListContainers mocks base method
// nolint
func (m *MockRuntimeServiceClient) ListContainers(arg0 context.Context, arg1 *v1alpha2.ListContainersRequest, arg2 ...grpc.CallOption) (*v1alpha2.ListContainersResponse, error) {
	m.ctrl.T.Helper()
	varargs := []interface{}{arg0, arg1}
	for _, a := range arg2 {
		varargs = append(varargs, a)
	}
	ret := m.ctrl.Call(m, "ListContainers", varargs...)
	ret0, _ := ret[0].(*v1alpha2.ListContainersResponse)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ListContainers indicates an expected call of ListContainers
// nolint
func (mr *MockRuntimeServiceClientMockRecorder) ListContainers(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	varargs := append([]interface{}{arg0, arg1}, arg2...)
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ListContainers", reflect.TypeOf((*MockRuntimeServiceClient)(nil).ListContainers), varargs...)
}

// ListPodSandbox mocks base method
// nolint
func (m *MockRuntimeServiceClient) ListPodSandbox(arg0 context.Context, arg1 *v1alpha2.ListPodSandboxRequest, arg2 ...grpc.CallOption) (*v1alpha2.ListPodSandboxResponse, error) {
	m.ctrl.T.Helper()
	varargs := []interface{}{arg0, arg1}
	for _, a := range arg2 {
		varargs = append(varargs, a)
	}
	ret := m.ctrl.Call(m, "ListPodSandbox", varargs...)
	ret0, _ := ret[0].(*v1alpha2.ListPodSandboxResponse)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ListPodSandbox indicates an expected call of ListPodSandbox
// nolint
func (mr *MockRuntimeServiceClientMockRecorder) ListPodSandbox(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	varargs := append([]interface{}{arg0, arg1}, arg2...)
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ListPodSandbox", reflect.TypeOf((*MockRuntimeServiceClient)(nil).ListPodSandbox), varargs...)
}

// PodSandboxStatus mocks base method
// nolint
func (m *MockRuntimeServiceClient) PodSandboxStatus(arg0 context.Context, arg1 *v1alpha2.PodSandboxStatusRequest, arg2 ...grpc.CallOption) (*v1alpha2.PodSandboxStatusResponse, error) {
	m.ctrl.T.Helper()
	varargs := []interface{}{arg0, arg1}
	for _, a := range arg2 {
		varargs = append(varargs, a)
	}
	ret := m.ctrl.Call(m, "PodSandboxStatus", varargs...)
	ret0, _ := ret[0].(*v1alpha2.PodSandboxStatusResponse)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// PodSandboxStatus indicates an expected call of PodSandboxStatus
// nolint
func (mr *MockRuntimeServiceClientMockRecorder) PodSandboxStatus(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	varargs := append([]interface{}{arg0, arg1}, arg2...)
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "PodSandboxStatus", reflect.TypeOf((*MockRuntimeServiceClient)(nil).PodSandboxStatus), varargs...)
}

// PortForward mocks base method
// nolint
func (m *MockRuntimeServiceClient) PortForward(arg0 context.Context, arg1 *v1alpha2.PortForwardRequest, arg2 ...grpc.CallOption) (*v1alpha2.PortForwardResponse, error) {
	m.ctrl.T.Helper()
	varargs := []interface{}{arg0, arg1}
	for _, a := range arg2 {
		varargs = append(varargs, a)
	}
	ret := m.ctrl.Call(m, "PortForward", varargs...)
	ret0, _ := ret[0].(*v1alpha2.PortForwardResponse)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// PortForward indicates an expected call of PortForward
// nolint
func (mr *MockRuntimeServiceClientMockRecorder) PortForward(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	varargs := append([]interface{}{arg0, arg1}, arg2...)
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "PortForward", reflect.TypeOf((*MockRuntimeServiceClient)(nil).PortForward), varargs...)
}

// RemoveContainer mocks base method
// nolint
func (m *MockRuntimeServiceClient) RemoveContainer(arg0 context.Context, arg1 *v1alpha2.RemoveContainerRequest, arg2 ...grpc.CallOption) (*v1alpha2.RemoveContainerResponse, error) {
	m.ctrl.T.Helper()
	varargs := []interface{}{arg0, arg1}
	for _, a := range arg2 {
		varargs = append(varargs, a)
	}
	ret := m.ctrl.Call(m, "RemoveContainer", varargs...)
	ret0, _ := ret[0].(*v1alpha2.RemoveContainerResponse)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// RemoveContainer indicates an expected call of RemoveContainer
// nolint
func (mr *MockRuntimeServiceClientMockRecorder) RemoveContainer(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	varargs := append([]interface{}{arg0, arg1}, arg2...)
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RemoveContainer", reflect.TypeOf((*MockRuntimeServiceClient)(nil).RemoveContainer), varargs...)
}

// RemovePodSandbox mocks base method
// nolint
func (m *MockRuntimeServiceClient) RemovePodSandbox(arg0 context.Context, arg1 *v1alpha2.RemovePodSandboxRequest, arg2 ...grpc.CallOption) (*v1alpha2.RemovePodSandboxResponse, error) {
	m.ctrl.T.Helper()
	varargs := []interface{}{arg0, arg1}
	for _, a := range arg2 {
		varargs = append(varargs, a)
	}
	ret := m.ctrl.Call(m, "RemovePodSandbox", varargs...)
	ret0, _ := ret[0].(*v1alpha2.RemovePodSandboxResponse)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// RemovePodSandbox indicates an expected call of RemovePodSandbox
// nolint
func (mr *MockRuntimeServiceClientMockRecorder) RemovePodSandbox(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	varargs := append([]interface{}{arg0, arg1}, arg2...)
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RemovePodSandbox", reflect.TypeOf((*MockRuntimeServiceClient)(nil).RemovePodSandbox), varargs...)
}

// ReopenContainerLog mocks base method
// nolint
func (m *MockRuntimeServiceClient) ReopenContainerLog(arg0 context.Context, arg1 *v1alpha2.ReopenContainerLogRequest, arg2 ...grpc.CallOption) (*v1alpha2.ReopenContainerLogResponse, error) {
	m.ctrl.T.Helper()
	varargs := []interface{}{arg0, arg1}
	for _, a := range arg2 {
		varargs = append(varargs, a)
	}
	ret := m.ctrl.Call(m, "ReopenContainerLog", varargs...)
	ret0, _ := ret[0].(*v1alpha2.ReopenContainerLogResponse)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ReopenContainerLog indicates an expected call of ReopenContainerLog
// nolint
func (mr *MockRuntimeServiceClientMockRecorder) ReopenContainerLog(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	varargs := append([]interface{}{arg0, arg1}, arg2...)
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ReopenContainerLog", reflect.TypeOf((*MockRuntimeServiceClient)(nil).ReopenContainerLog), varargs...)
}

// RunPodSandbox mocks base method
// nolint
func (m *MockRuntimeServiceClient) RunPodSandbox(arg0 context.Context, arg1 *v1alpha2.RunPodSandboxRequest, arg2 ...grpc.CallOption) (*v1alpha2.RunPodSandboxResponse, error) {
	m.ctrl.T.Helper()
	varargs := []interface{}{arg0, arg1}
	for _, a := range arg2 {
		varargs = append(varargs, a)
	}
	ret := m.ctrl.Call(m, "RunPodSandbox", varargs...)
	ret0, _ := ret[0].(*v1alpha2.RunPodSandboxResponse)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// RunPodSandbox indicates an expected call of RunPodSandbox
// nolint
func (mr *MockRuntimeServiceClientMockRecorder) RunPodSandbox(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	varargs := append([]interface{}{arg0, arg1}, arg2...)
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RunPodSandbox", reflect.TypeOf((*MockRuntimeServiceClient)(nil).RunPodSandbox), varargs...)
}

// StartContainer mocks base method
// nolint
func (m *MockRuntimeServiceClient) StartContainer(arg0 context.Context, arg1 *v1alpha2.StartContainerRequest, arg2 ...grpc.CallOption) (*v1alpha2.StartContainerResponse, error) {
	m.ctrl.T.Helper()
	varargs := []interface{}{arg0, arg1}
	for _, a := range arg2 {
		varargs = append(varargs, a)
	}
	ret := m.ctrl.Call(m, "StartContainer", varargs...)
	ret0, _ := ret[0].(*v1alpha2.StartContainerResponse)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// StartContainer indicates an expected call of StartContainer
// nolint
func (mr *MockRuntimeServiceClientMockRecorder) StartContainer(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	varargs := append([]interface{}{arg0, arg1}, arg2...)
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "StartContainer", reflect.TypeOf((*MockRuntimeServiceClient)(nil).StartContainer), varargs...)
}

// Status mocks base method
// nolint
func (m *MockRuntimeServiceClient) Status(arg0 context.Context, arg1 *v1alpha2.StatusRequest, arg2 ...grpc.CallOption) (*v1alpha2.StatusResponse, error) {
	m.ctrl.T.Helper()
	varargs := []interface{}{arg0, arg1}
	for _, a := range arg2 {
		varargs = append(varargs, a)
	}
	ret := m.ctrl.Call(m, "Status", varargs...)
	ret0, _ := ret[0].(*v1alpha2.StatusResponse)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// Status indicates an expected call of Status
// nolint
func (mr *MockRuntimeServiceClientMockRecorder) Status(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	varargs := append([]interface{}{arg0, arg1}, arg2...)
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Status", reflect.TypeOf((*MockRuntimeServiceClient)(nil).Status), varargs...)
}

// StopContainer mocks base method
// nolint
func (m *MockRuntimeServiceClient) StopContainer(arg0 context.Context, arg1 *v1alpha2.StopContainerRequest, arg2 ...grpc.CallOption) (*v1alpha2.StopContainerResponse, error) {
	m.ctrl.T.Helper()
	varargs := []interface{}{arg0, arg1}
	for _, a := range arg2 {
		varargs = append(varargs, a)
	}
	ret := m.ctrl.Call(m, "StopContainer", varargs...)
	ret0, _ := ret[0].(*v1alpha2.StopContainerResponse)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// StopContainer indicates an expected call of StopContainer
// nolint
func (mr *MockRuntimeServiceClientMockRecorder) StopContainer(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	varargs := append([]interface{}{arg0, arg1}, arg2...)
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "StopContainer", reflect.TypeOf((*MockRuntimeServiceClient)(nil).StopContainer), varargs...)
}

// StopPodSandbox mocks base method
// nolint
func (m *MockRuntimeServiceClient) StopPodSandbox(arg0 context.Context, arg1 *v1alpha2.StopPodSandboxRequest, arg2 ...grpc.CallOption) (*v1alpha2.StopPodSandboxResponse, error) {
	m.ctrl.T.Helper()
	varargs := []interface{}{arg0, arg1}
	for _, a := range arg2 {
		varargs = append(varargs, a)
	}
	ret := m.ctrl.Call(m, "StopPodSandbox", varargs...)
	ret0, _ := ret[0].(*v1alpha2.StopPodSandboxResponse)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// StopPodSandbox indicates an expected call of StopPodSandbox
// nolint
func (mr *MockRuntimeServiceClientMockRecorder) StopPodSandbox(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	varargs := append([]interface{}{arg0, arg1}, arg2...)
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "StopPodSandbox", reflect.TypeOf((*MockRuntimeServiceClient)(nil).StopPodSandbox), varargs...)
}

// UpdateContainerResources mocks base method
// nolint
func (m *MockRuntimeServiceClient) UpdateContainerResources(arg0 context.Context, arg1 *v1alpha2.UpdateContainerResourcesRequest, arg2 ...grpc.CallOption) (*v1alpha2.UpdateContainerResourcesResponse, error) {
	m.ctrl.T.Helper()
	varargs := []interface{}{arg0, arg1}
	for _, a := range arg2 {
		varargs = append(varargs, a)
	}
	ret := m.ctrl.Call(m, "UpdateContainerResources", varargs...)
	ret0, _ := ret[0].(*v1alpha2.UpdateContainerResourcesResponse)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// UpdateContainerResources indicates an expected call of UpdateContainerResources
// nolint
func (mr *MockRuntimeServiceClientMockRecorder) UpdateContainerResources(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	varargs := append([]interface{}{arg0, arg1}, arg2...)
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateContainerResources", reflect.TypeOf((*MockRuntimeServiceClient)(nil).UpdateContainerResources), varargs...)
}

// UpdateRuntimeConfig mocks base method
// nolint
func (m *MockRuntimeServiceClient) UpdateRuntimeConfig(arg0 context.Context, arg1 *v1alpha2.UpdateRuntimeConfigRequest, arg2 ...grpc.CallOption) (*v1alpha2.UpdateRuntimeConfigResponse, error) {
	m.ctrl.T.Helper()
	varargs := []interface{}{arg0, arg1}
	for _, a := range arg2 {
		varargs = append(varargs, a)
	}
	ret := m.ctrl.Call(m, "UpdateRuntimeConfig", varargs...)
	ret0, _ := ret[0].(*v1alpha2.UpdateRuntimeConfigResponse)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// UpdateRuntimeConfig indicates an expected call of UpdateRuntimeConfig
// nolint
func (mr *MockRuntimeServiceClientMockRecorder) UpdateRuntimeConfig(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	varargs := append([]interface{}{arg0, arg1}, arg2...)
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateRuntimeConfig", reflect.TypeOf((*MockRuntimeServiceClient)(nil).UpdateRuntimeConfig), varargs...)
}

// Version mocks base method
// nolint
func (m *MockRuntimeServiceClient) Version(arg0 context.Context, arg1 *v1alpha2.VersionRequest, arg2 ...grpc.CallOption) (*v1alpha2.VersionResponse, error) {
	m.ctrl.T.Helper()
	varargs := []interface{}{arg0, arg1}
	for _, a := range arg2 {
		varargs = append(varargs, a)
	}
	ret := m.ctrl.Call(m, "Version", varargs...)
	ret0, _ := ret[0].(*v1alpha2.VersionResponse)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// Version indicates an expected call of Version
// nolint
func (mr *MockRuntimeServiceClientMockRecorder) Version(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	varargs := append([]interface{}{arg0, arg1}, arg2...)
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Version", reflect.TypeOf((*MockRuntimeServiceClient)(nil).Version), varargs...)
}


================================================
FILE: utils/cri/mockcri/mockinterface.go
================================================
// Code generated by MockGen. DO NOT EDIT.
// Source: go.aporeto.io/enforcerd/trireme-lib/utils/cri (interfaces: ExtendedRuntimeService)

// Package mockcri is a generated GoMock package.
package mockcri

import (
	reflect "reflect"
	time "time"

	gomock "github.com/golang/mock/gomock"
	v1alpha2 "k8s.io/cri-api/pkg/apis/runtime/v1alpha2"
)

// MockExtendedRuntimeService is a mock of ExtendedRuntimeService interface
// nolint
type MockExtendedRuntimeService struct {
	ctrl     *gomock.Controller
	recorder *MockExtendedRuntimeServiceMockRecorder
}

// MockExtendedRuntimeServiceMockRecorder is the mock recorder for MockExtendedRuntimeService
// nolint
type MockExtendedRuntimeServiceMockRecorder struct {
	mock *MockExtendedRuntimeService
}

// NewMockExtendedRuntimeService creates a new mock instance
// nolint
func NewMockExtendedRuntimeService(ctrl *gomock.Controller) *MockExtendedRuntimeService {
	mock := &MockExtendedRuntimeService{ctrl: ctrl}
	mock.recorder = &MockExtendedRuntimeServiceMockRecorder{mock}
	return mock
}

// EXPECT returns an object that allows the caller to indicate expected use
// nolint
func (m *MockExtendedRuntimeService) EXPECT() *MockExtendedRuntimeServiceMockRecorder {
	return m.recorder
}

// Attach mocks base method
// nolint
func (m *MockExtendedRuntimeService) Attach(arg0 *v1alpha2.AttachRequest) (*v1alpha2.AttachResponse, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "Attach", arg0)
	ret0, _ := ret[0].(*v1alpha2.AttachResponse)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// Attach indicates an expected call of Attach
// nolint
func (mr *MockExtendedRuntimeServiceMockRecorder) Attach(arg0 interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Attach", reflect.TypeOf((*MockExtendedRuntimeService)(nil).Attach), arg0)
}

// ContainerStats mocks base method
// nolint
func (m *MockExtendedRuntimeService) ContainerStats(arg0 string) (*v1alpha2.ContainerStats, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ContainerStats", arg0)
	ret0, _ := ret[0].(*v1alpha2.ContainerStats)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ContainerStats indicates an expected call of ContainerStats
// nolint
func (mr *MockExtendedRuntimeServiceMockRecorder) ContainerStats(arg0 interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ContainerStats", reflect.TypeOf((*MockExtendedRuntimeService)(nil).ContainerStats), arg0)
}

// ContainerStatus mocks base method
// nolint
func (m *MockExtendedRuntimeService) ContainerStatus(arg0 string) (*v1alpha2.ContainerStatus, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ContainerStatus", arg0)
	ret0, _ := ret[0].(*v1alpha2.ContainerStatus)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ContainerStatus indicates an expected call of ContainerStatus
// nolint
func (mr *MockExtendedRuntimeServiceMockRecorder) ContainerStatus(arg0 interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ContainerStatus", reflect.TypeOf((*MockExtendedRuntimeService)(nil).ContainerStatus), arg0)
}

// ContainerStatusVerbose mocks base method
// nolint
func (m *MockExtendedRuntimeService) ContainerStatusVerbose(arg0 string) (*v1alpha2.ContainerStatus, map[string]string, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ContainerStatusVerbose", arg0)
	ret0, _ := ret[0].(*v1alpha2.ContainerStatus)
	ret1, _ := ret[1].(map[string]string)
	ret2, _ := ret[2].(error)
	return ret0, ret1, ret2
}

// ContainerStatusVerbose indicates an expected call of ContainerStatusVerbose
// nolint
func (mr *MockExtendedRuntimeServiceMockRecorder) ContainerStatusVerbose(arg0 interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ContainerStatusVerbose", reflect.TypeOf((*MockExtendedRuntimeService)(nil).ContainerStatusVerbose), arg0)
}

// CreateContainer mocks base method
// nolint
func (m *MockExtendedRuntimeService) CreateContainer(arg0 string, arg1 *v1alpha2.ContainerConfig, arg2 *v1alpha2.PodSandboxConfig) (string, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "CreateContainer", arg0, arg1, arg2)
	ret0, _ := ret[0].(string)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// CreateContainer indicates an expected call of CreateContainer
// nolint
func (mr *MockExtendedRuntimeServiceMockRecorder) CreateContainer(arg0, arg1, arg2 interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateContainer", reflect.TypeOf((*MockExtendedRuntimeService)(nil).CreateContainer), arg0, arg1, arg2)
}

// Exec mocks base method
// nolint
func (m *MockExtendedRuntimeService) Exec(arg0 *v1alpha2.ExecRequest) (*v1alpha2.ExecResponse, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "Exec", arg0)
	ret0, _ := ret[0].(*v1alpha2.ExecResponse)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// Exec indicates an expected call of Exec
// nolint
func (mr *MockExtendedRuntimeServiceMockRecorder) Exec(arg0 interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Exec", reflect.TypeOf((*MockExtendedRuntimeService)(nil).Exec), arg0)
}

// ExecSync mocks base method
// nolint
func (m *MockExtendedRuntimeService) ExecSync(arg0 string, arg1 []string, arg2 time.Duration) ([]byte, []byte, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ExecSync", arg0, arg1, arg2)
	ret0, _ := ret[0].([]byte)
	ret1, _ := ret[1].([]byte)
	ret2, _ := ret[2].(error)
	return ret0, ret1, ret2
}

// ExecSync indicates an expected call of ExecSync
// nolint
func (mr *MockExtendedRuntimeServiceMockRecorder) ExecSync(arg0, arg1, arg2 interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ExecSync", reflect.TypeOf((*MockExtendedRuntimeService)(nil).ExecSync), arg0, arg1, arg2)
}

// ListContainerStats mocks base method
// nolint
func (m *MockExtendedRuntimeService) ListContainerStats(arg0 *v1alpha2.ContainerStatsFilter) ([]*v1alpha2.ContainerStats, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ListContainerStats", arg0)
	ret0, _ := ret[0].([]*v1alpha2.ContainerStats)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ListContainerStats indicates an expected call of ListContainerStats
// nolint
func (mr *MockExtendedRuntimeServiceMockRecorder) ListContainerStats(arg0 interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ListContainerStats", reflect.TypeOf((*MockExtendedRuntimeService)(nil).ListContainerStats), arg0)
}

// ListContainers mocks base method
// nolint
func (m *MockExtendedRuntimeService) ListContainers(arg0 *v1alpha2.ContainerFilter) ([]*v1alpha2.Container, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ListContainers", arg0)
	ret0, _ := ret[0].([]*v1alpha2.Container)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ListContainers indicates an expected call of ListContainers
// nolint
func (mr *MockExtendedRuntimeServiceMockRecorder) ListContainers(arg0 interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ListContainers", reflect.TypeOf((*MockExtendedRuntimeService)(nil).ListContainers), arg0)
}

// ListPodSandbox mocks base method
// nolint
func (m *MockExtendedRuntimeService) ListPodSandbox(arg0 *v1alpha2.PodSandboxFilter) ([]*v1alpha2.PodSandbox, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ListPodSandbox", arg0)
	ret0, _ := ret[0].([]*v1alpha2.PodSandbox)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// ListPodSandbox indicates an expected call of ListPodSandbox
// nolint
func (mr *MockExtendedRuntimeServiceMockRecorder) ListPodSandbox(arg0 interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ListPodSandbox", reflect.TypeOf((*MockExtendedRuntimeService)(nil).ListPodSandbox), arg0)
}

// PodSandboxStatus mocks base method
// nolint
func (m *MockExtendedRuntimeService) PodSandboxStatus(arg0 string) (*v1alpha2.PodSandboxStatus, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "PodSandboxStatus", arg0)
	ret0, _ := ret[0].(*v1alpha2.PodSandboxStatus)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// PodSandboxStatus indicates an expected call of PodSandboxStatus
// nolint
func (mr *MockExtendedRuntimeServiceMockRecorder) PodSandboxStatus(arg0 interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "PodSandboxStatus", reflect.TypeOf((*MockExtendedRuntimeService)(nil).PodSandboxStatus), arg0)
}

// PodSandboxStatusVerbose mocks base method
// nolint
func (m *MockExtendedRuntimeService) PodSandboxStatusVerbose(arg0 string) (*v1alpha2.PodSandboxStatus, map[string]string, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "PodSandboxStatusVerbose", arg0)
	ret0, _ := ret[0].(*v1alpha2.PodSandboxStatus)
	ret1, _ := ret[1].(map[string]string)
	ret2, _ := ret[2].(error)
	return ret0, ret1, ret2
}

// PodSandboxStatusVerbose indicates an expected call of PodSandboxStatusVerbose
// nolint
func (mr *MockExtendedRuntimeServiceMockRecorder) PodSandboxStatusVerbose(arg0 interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "PodSandboxStatusVerbose", reflect.TypeOf((*MockExtendedRuntimeService)(nil).PodSandboxStatusVerbose), arg0)
}

// PortForward mocks base method
// nolint
func (m *MockExtendedRuntimeService) PortForward(arg0 *v1alpha2.PortForwardRequest) (*v1alpha2.PortForwardResponse, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "PortForward", arg0)
	ret0, _ := ret[0].(*v1alpha2.PortForwardResponse)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// PortForward indicates an expected call of PortForward
// nolint
func (mr *MockExtendedRuntimeServiceMockRecorder) PortForward(arg0 interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "PortForward", reflect.TypeOf((*MockExtendedRuntimeService)(nil).PortForward), arg0)
}

// RemoveContainer mocks base method
// nolint
func (m *MockExtendedRuntimeService) RemoveContainer(arg0 string) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "RemoveContainer", arg0)
	ret0, _ := ret[0].(error)
	return ret0
}

// RemoveContainer indicates an expected call of RemoveContainer
// nolint
func (mr *MockExtendedRuntimeServiceMockRecorder) RemoveContainer(arg0 interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RemoveContainer", reflect.TypeOf((*MockExtendedRuntimeService)(nil).RemoveContainer), arg0)
}

// RemovePodSandbox mocks base method
// nolint
func (m *MockExtendedRuntimeService) RemovePodSandbox(arg0 string) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "RemovePodSandbox", arg0)
	ret0, _ := ret[0].(error)
	return ret0
}

// RemovePodSandbox indicates an expected call of RemovePodSandbox
// nolint
func (mr *MockExtendedRuntimeServiceMockRecorder) RemovePodSandbox(arg0 interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RemovePodSandbox", reflect.TypeOf((*MockExtendedRuntimeService)(nil).RemovePodSandbox), arg0)
}

// ReopenContainerLog mocks base method
// nolint
func (m *MockExtendedRuntimeService) ReopenContainerLog(arg0 string) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "ReopenContainerLog", arg0)
	ret0, _ := ret[0].(error)
	return ret0
}

// ReopenContainerLog indicates an expected call of ReopenContainerLog
// nolint
func (mr *MockExtendedRuntimeServiceMockRecorder) ReopenContainerLog(arg0 interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ReopenContainerLog", reflect.TypeOf((*MockExtendedRuntimeService)(nil).ReopenContainerLog), arg0)
}

// RunPodSandbox mocks base method
// nolint
func (m *MockExtendedRuntimeService) RunPodSandbox(arg0 *v1alpha2.PodSandboxConfig, arg1 string) (string, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "RunPodSandbox", arg0, arg1)
	ret0, _ := ret[0].(string)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// RunPodSandbox indicates an expected call of RunPodSandbox
// nolint
func (mr *MockExtendedRuntimeServiceMockRecorder) RunPodSandbox(arg0, arg1 interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RunPodSandbox", reflect.TypeOf((*MockExtendedRuntimeService)(nil).RunPodSandbox), arg0, arg1)
}

// StartContainer mocks base method
// nolint
func (m *MockExtendedRuntimeService) StartContainer(arg0 string) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "StartContainer", arg0)
	ret0, _ := ret[0].(error)
	return ret0
}

// StartContainer indicates an expected call of StartContainer
// nolint
func (mr *MockExtendedRuntimeServiceMockRecorder) StartContainer(arg0 interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "StartContainer", reflect.TypeOf((*MockExtendedRuntimeService)(nil).StartContainer), arg0)
}

// Status mocks base method
// nolint
func (m *MockExtendedRuntimeService) Status() (*v1alpha2.RuntimeStatus, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "Status")
	ret0, _ := ret[0].(*v1alpha2.RuntimeStatus)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// Status indicates an expected call of Status
// nolint
func (mr *MockExtendedRuntimeServiceMockRecorder) Status() *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Status", reflect.TypeOf((*MockExtendedRuntimeService)(nil).Status))
}

// StatusVerbose mocks base method
// nolint
func (m *MockExtendedRuntimeService) StatusVerbose() (*v1alpha2.RuntimeStatus, map[string]string, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "StatusVerbose")
	ret0, _ := ret[0].(*v1alpha2.RuntimeStatus)
	ret1, _ := ret[1].(map[string]string)
	ret2, _ := ret[2].(error)
	return ret0, ret1, ret2
}

// StatusVerbose indicates an expected call of StatusVerbose
// nolint
func (mr *MockExtendedRuntimeServiceMockRecorder) StatusVerbose() *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "StatusVerbose", reflect.TypeOf((*MockExtendedRuntimeService)(nil).StatusVerbose))
}

// StopContainer mocks base method
// nolint
func (m *MockExtendedRuntimeService) StopContainer(arg0 string, arg1 int64) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "StopContainer", arg0, arg1)
	ret0, _ := ret[0].(error)
	return ret0
}

// StopContainer indicates an expected call of StopContainer
// nolint
func (mr *MockExtendedRuntimeServiceMockRecorder) StopContainer(arg0, arg1 interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "StopContainer", reflect.TypeOf((*MockExtendedRuntimeService)(nil).StopContainer), arg0, arg1)
}

// StopPodSandbox mocks base method
// nolint
func (m *MockExtendedRuntimeService) StopPodSandbox(arg0 string) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "StopPodSandbox", arg0)
	ret0, _ := ret[0].(error)
	return ret0
}

// StopPodSandbox indicates an expected call of StopPodSandbox
// nolint
func (mr *MockExtendedRuntimeServiceMockRecorder) StopPodSandbox(arg0 interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "StopPodSandbox", reflect.TypeOf((*MockExtendedRuntimeService)(nil).StopPodSandbox), arg0)
}

// UpdateContainerResources mocks base method
// nolint
func (m *MockExtendedRuntimeService) UpdateContainerResources(arg0 string, arg1 *v1alpha2.LinuxContainerResources) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "UpdateContainerResources", arg0, arg1)
	ret0, _ := ret[0].(error)
	return ret0
}

// UpdateContainerResources indicates an expected call of UpdateContainerResources
// nolint
func (mr *MockExtendedRuntimeServiceMockRecorder) UpdateContainerResources(arg0, arg1 interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateContainerResources", reflect.TypeOf((*MockExtendedRuntimeService)(nil).UpdateContainerResources), arg0, arg1)
}

// UpdateRuntimeConfig mocks base method
// nolint
func (m *MockExtendedRuntimeService) UpdateRuntimeConfig(arg0 *v1alpha2.RuntimeConfig) error {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "UpdateRuntimeConfig", arg0)
	ret0, _ := ret[0].(error)
	return ret0
}

// UpdateRuntimeConfig indicates an expected call of UpdateRuntimeConfig
// nolint
func (mr *MockExtendedRuntimeServiceMockRecorder) UpdateRuntimeConfig(arg0 interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateRuntimeConfig", reflect.TypeOf((*MockExtendedRuntimeService)(nil).UpdateRuntimeConfig), arg0)
}

// Version mocks base method
// nolint
func (m *MockExtendedRuntimeService) Version(arg0 string) (*v1alpha2.VersionResponse, error) {
	m.ctrl.T.Helper()
	ret := m.ctrl.Call(m, "Version", arg0)
	ret0, _ := ret[0].(*v1alpha2.VersionResponse)
	ret1, _ := ret[1].(error)
	return ret0, ret1
}

// Version indicates an expected call of Version
// nolint
func (mr *MockExtendedRuntimeServiceMockRecorder) Version(arg0 interface{}) *gomock.Call {
	mr.mock.ctrl.T.Helper()
	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Version", reflect.TypeOf((*MockExtendedRuntimeService)(nil).Version), arg0)
}


================================================
FILE: utils/crypto/crypto.go
================================================
package crypto

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/binary"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	mrand "math/rand"
	"sync"
	"time"

	"github.com/ugorji/go/codec"
	"go.aporeto.io/tg/tglib/windowscertbug"
	"go.uber.org/zap"
)

type nonce struct {
	r *mrand.Rand
	sync.Mutex
}

// PublicKey is an intermediate structure to create gobs
type PublicKey struct {
	X *big.Int
	Y *big.Int
}

//Nonce16Byte interface generates 16 byte nonce
type Nonce16Byte interface {
	GenerateNonce16Bytes([]byte)
}

var doOnce sync.Once
var n nonce

// Nonce initializes and returns nonce of type Nonce16Byte.
func Nonce() Nonce16Byte {
	doOnce.Do(func() {
		n.r = mrand.New(mrand.NewSource(time.Now().UnixNano()))
	})

	return &n
}

func (n *nonce) GenerateNonce16Bytes(b []byte) {
	n.Lock()
	low := n.r.Uint64()
	high := n.r.Uint64()
	n.Unlock()

	binary.LittleEndian.PutUint64(b[:8], low)
	binary.LittleEndian.PutUint64(b[8:], high)
}

// ComputeHmac256 computes the HMAC256 of the message
func ComputeHmac256(tags []byte, key []byte) ([]byte, error) {

	var buffer bytes.Buffer
	if err := binary.Write(&buffer, binary.BigEndian, tags); err != nil {
		return []byte{}, err
	}

	h := hmac.New(sha256.New, key)

	if _, err := h.Write(buffer.Bytes()); err != nil {
		return []byte{}, err
	}

	return h.Sum(nil), nil

}

// VerifyHmac verifies if the HMAC of the message matches the one provided
func VerifyHmac(tags []byte, expectedMAC []byte, key []byte) bool {
	messageMAC, err := ComputeHmac256(tags, key)
	if err != nil {
		return false
	}

	return hmac.Equal(messageMAC, expectedMAC)
}

// GenerateRandomBytes returns securely generated random bytes.
// It will return an error if the system's secure random
// number generator fails to function correctly, in which
// case the caller should not continue.
func GenerateRandomBytes(n int) ([]byte, error) {
	b := make([]byte, n)

	if _, err := rand.Read(b); err != nil {
		zap.L().Debug("GenerateRandomBytes failed", zap.Error(err))
		return nil, err
	}

	s := base64.StdEncoding.EncodeToString(b)

	return []byte(s[:n]), nil
}

// GenerateRandomString returns a URL-safe, base64 encoded
// securely generated random string.
// It will return an error if the system's secure random
// number generator fails to function correctly, in which
// case the caller should not continue.
func GenerateRandomString(s int) (string, error) {
	b, err := GenerateRandomBytes(s)
	return base64.URLEncoding.EncodeToString(b), err
}

// CreateEphemeralKey creates an ephmeral private/public key based on the
// provided public key and the corresponding elliptic curve
func CreateEphemeralKey(curve func() elliptic.Curve, pub *ecdsa.PublicKey) (*ecdsa.PrivateKey, []byte) {

	ephemeral, err := ecdsa.GenerateKey(curve(), rand.Reader)
	if err != nil {
		zap.L().Error("CreateEphemeralKey failed, returning empty array of bytes", zap.Error(err))
		return nil, []byte{}
	}

	ephPub := elliptic.Marshal(pub.Curve, ephemeral.PublicKey.X, ephemeral.PublicKey.Y)

	return ephemeral, ephPub

}

// LoadRootCertificates loads the certificates in the provide PEM buffer in a CertPool
func LoadRootCertificates(rootPEM []byte) *x509.CertPool {

	roots := x509.NewCertPool()

	ok := roots.AppendCertsFromPEM(rootPEM)
	if !ok {
		zap.L().Error("AppendCertsFromPEM failed", zap.ByteString("rootPEM", rootPEM))
		return nil
	}

	return roots

}

// LoadEllipticCurveKey parses and creates an EC key
func LoadEllipticCurveKey(keyPEM []byte) (*ecdsa.PrivateKey, error) {

	block, _ := pem.Decode(keyPEM)
	if block == nil {
		return nil, fmt.Errorf("LoadElliticCurveKey bad pem block: %s", string(keyPEM))
	}

	// Parse the key
	key, err := x509.ParseECPrivateKey(block.Bytes)
	if err != nil {
		return nil, err
	}

	return key, nil
}

// LoadAndVerifyCertificate parses, validates, and creates a certificate structure from a PEM buffer
// It must be provided with the a CertPool
func LoadAndVerifyCertificate(certPEM []byte, roots *x509.CertPool) (*x509.Certificate, error) {

	cert, err := LoadCertificate(certPEM)
	if err != nil {
		return nil, err
	}

	opts := x509.VerifyOptions{
		Roots: roots,
	}

	if _, err := windowscertbug.VerifyCertificate(cert, opts); err != nil {
		return nil, err
	}

	return cert, nil

}

// LoadAndVerifyECSecrets loads all the certificates and keys to memory in the right data structures
func LoadAndVerifyECSecrets(keyPEM, certPEM, caCertPEM []byte) (key *ecdsa.PrivateKey, cert *x509.Certificate, rootCertPool *x509.CertPool, err error) {

	// Parse the key
	key, err = LoadEllipticCurveKey(keyPEM)
	if err != nil {
		return nil, nil, nil, err
	}

	rootCertPool = LoadRootCertificates(caCertPEM)
	if rootCertPool == nil {
		return nil, nil, nil, errors.New("unable to load root certificate pool")
	}

	cert, err = LoadAndVerifyCertificate(certPEM, rootCertPool)
	if err != nil {
		return nil, nil, nil, err
	}

	return key, cert, rootCertPool, nil

}

// LoadCertificate loads a certificate from a PEM file without verifying
// Should only be used for loading a root CA certificate. It will only read
// the first certificate
func LoadCertificate(certPEM []byte) (*x509.Certificate, error) {

	// Decode the certificate
	certBlock, _ := pem.Decode(certPEM)
	if certBlock == nil {
		return nil, fmt.Errorf("unable to parse pem block: %s", string(certPEM))
	}

	// Create the certificate structure
	cert, err := x509.ParseCertificate(certBlock.Bytes)
	if err != nil {
		return nil, err
	}

	return cert, nil
}

//EncodePublicKeyV1 encodes the public key to a byte slice
func EncodePublicKeyV1(publicKey *ecdsa.PublicKey) []byte {

	p := &PublicKey{X: publicKey.X, Y: publicKey.Y}

	buf := make([]byte, 0, 1400)
	var h codec.Handle = new(codec.CborHandle)
	enc := codec.NewEncoderBytes(&buf, h)

	if err := enc.Encode(p); err != nil {
		return nil
	}

	return buf

}

// DecodePublicKeyV1 decodes the provided public key
func DecodePublicKeyV1(key []byte) (*ecdsa.PublicKey, error) {
	var p PublicKey

	var h codec.Handle = new(codec.CborHandle)

	dec := codec.NewDecoderBytes(key, h)
	if err := dec.Decode(&p); err != nil {
		return nil, err
	}

	return &ecdsa.PublicKey{
		Curve: elliptic.P256(),
		X:     p.X,
		Y:     p.Y,
	}, nil
}

//EncodePublicKeyV2 encodes the public key to a byte slice
func EncodePublicKeyV2(publicKey *ecdsa.PublicKey) []byte {
	return elliptic.Marshal(publicKey.Curve, publicKey.X, publicKey.Y)
}

// DecodePublicKeyV2 decodes the provided public key
func DecodePublicKeyV2(key []byte) (*ecdsa.PublicKey, error) {

	x, y := elliptic.Unmarshal(elliptic.P256(), key)
	if x == nil || y == nil {
		return nil, fmt.Errorf("Failed to decode public key")
	}

	return &ecdsa.PublicKey{
		Curve: elliptic.P256(),
		X:     x,
		Y:     y,
	}, nil
}

//EncodePrivateKey encodes the private key to a byte slice.
func EncodePrivateKey(privateKey *ecdsa.PrivateKey) []byte {
	return elliptic.Marshal(privateKey.PublicKey.Curve, privateKey.D, privateKey.PublicKey.X)
}


================================================
FILE: utils/crypto/crypto_test.go
================================================
// +build !windows

package crypto

import (
	"errors"
	"testing"

	. "github.com/smartystreets/goconvey/convey"
)

const (
	caPool = `-----BEGIN CERTIFICATE-----
MIIBhTCCASwCCQC8b53yGlcQazAKBggqhkjOPQQDAjBLMQswCQYDVQQGEwJVUzEL
MAkGA1UECAwCQ0ExDDAKBgNVBAcMA1NKQzEQMA4GA1UECgwHVHJpcmVtZTEPMA0G
A1UEAwwGdWJ1bnR1MB4XDTE2MDkyNzIyNDkwMFoXDTI2MDkyNTIyNDkwMFowSzEL
MAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQwwCgYDVQQHDANTSkMxEDAOBgNVBAoM
B1RyaXJlbWUxDzANBgNVBAMMBnVidW50dTBZMBMGByqGSM49AgEGCCqGSM49AwEH
A0IABJxneTUqhbtgEIwpKUUzwz3h92SqcOdIw3mfQkMjg3Vobvr6JKlpXYe9xhsN
rygJmLhMAN9gjF9qM9ybdbe+m3owCgYIKoZIzj0EAwIDRwAwRAIgC1fVMqdBy/o3
jNUje/Hx0fZF9VDyUK4ld+K/wF3QdK4CID1ONj/Kqinrq2OpjYdkgIjEPuXoOoR1
tCym8dnq4wtH
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIB3jCCAYOgAwIBAgIJALsW7pyC2ERQMAoGCCqGSM49BAMCMEsxCzAJBgNVBAYT
AlVTMQswCQYDVQQIDAJDQTEMMAoGA1UEBwwDU0pDMRAwDgYDVQQKDAdUcmlyZW1l
MQ8wDQYDVQQDDAZ1YnVudHUwHhcNMTYwOTI3MjI0OTAwWhcNMjYwOTI1MjI0OTAw
WjBLMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExDDAKBgNVBAcMA1NKQzEQMA4G
A1UECgwHVHJpcmVtZTEPMA0GA1UEAwwGdWJ1bnR1MFkwEwYHKoZIzj0CAQYIKoZI
zj0DAQcDQgAE4c2Fd7XeIB1Vfs51fWwREfLLDa55J+NBalV12CH7YEAnEXjl47aV
cmNqcAtdMUpf2oz9nFVI81bgO+OSudr3CqNQME4wHQYDVR0OBBYEFOBftuI09mmu
rXjqDyIta1gT8lqvMB8GA1UdIwQYMBaAFOBftuI09mmurXjqDyIta1gT8lqvMAwG
A1UdEwQFMAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAMylAHhbFA0KqhXIFiXNpEbH
JKaELL6UXXdeQ5yup8q+AiEAh5laB9rbgTymjaANcZ2YzEZH4VFS3CKoSdVqgnwC
dW4=
-----END CERTIFICATE-----`
	certPEM = `-----BEGIN CERTIFICATE-----
MIIBhjCCASwCCQCPCdgp39gHJTAKBggqhkjOPQQDAjBLMQswCQYDVQQGEwJVUzEL
MAkGA1UECAwCQ0ExDDAKBgNVBAcMA1NKQzEQMA4GA1UECgwHVHJpcmVtZTEPMA0G
A1UEAwwGdWJ1bnR1MB4XDTE2MDkyNzIyNDkwMFoXDTI2MDkyNTIyNDkwMFowSzEL
MAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQwwCgYDVQQHDANTSkMxEDAOBgNVBAoM
B1RyaXJlbWUxDzANBgNVBAMMBnVidW50dTBZMBMGByqGSM49AgEGCCqGSM49AwEH
A0IABAHwC/gHz4/w58a1OrVJBMsxMgsZ35TlsYaLstW3c4Se78TG9b0N9fGW1v1r
zDf6IyF6l2KxKSEqKI854+OsOuMwCgYIKoZIzj0EAwIDSAAwRQIgQwQn0jnK/XvD
KxgQd/0pW5FOAaB41cMcw4/XVlphO1oCIQDlGie+WlOMjCzrV0Xz+XqIIi1pIgPT
IG7Nv+YlTVp5qA==
-----END CERTIFICATE-----`
)

// TestComputeVerifyHMAC tests the compute and verify of HMAC functions
func TestComputeVerifyHMAC(t *testing.T) {
	Convey("Given a token and a key", t, func() {

		token := make([]byte, 256)
		for i := uint8(0); i < 255; i++ {
			token[i] = i
		}

		key := make([]byte, 32)
		for i := uint8(0); i < 32; i++ {
			key[i] = i
		}

		Convey("When I sign the token with the key", func() {
			expectedMac, err := ComputeHmac256(token, key)
			So(err, ShouldBeNil)
			So(expectedMac, ShouldNotBeNil)

			Convey("I should be able to verify the token with the same key", func() {
				verified := VerifyHmac(token, expectedMac, key)
				So(verified, ShouldBeTrue)
			})

			Convey("If I provide the worng key, I should fail verification", func() {
				fakeKey := make([]byte, 32)
				verified := VerifyHmac(token, expectedMac, fakeKey)
				So(verified, ShouldBeFalse)
			})

			Convey("If I provide the wright key, but I havae the wrong signature, I should fail verification", func() {
				failedMac := make([]byte, 32)
				verified := VerifyHmac(token, failedMac, key)
				So(verified, ShouldBeFalse)
			})
		})
	})
}

// TestRandomString tests the random string generation function and the random byte generation
func TestRandomString(t *testing.T) {
	Convey("Given a string length of 16", t, func() {
		length := 16
		Convey("I should be able to generate two random strings that are not equal", func() {
			string1, err1 := GenerateRandomString(length)
			string2, err2 := GenerateRandomString(length)
			So(err1, ShouldBeNil)
			So(err2, ShouldBeNil)
			So(string1, ShouldNotEqual, string2)
		})
	})
	Convey("Given a string length of 32", t, func() {
		length := 16
		Convey("I should be able to generate two random strings that are not equal", func() {
			string1, err1 := GenerateRandomString(length)
			string2, err2 := GenerateRandomString(length)
			So(err1, ShouldBeNil)
			So(err2, ShouldBeNil)
			So(string1, ShouldNotEqual, string2)
		})
	})
}

// TestFuncLoadEllipticCurve
func TestFuncLoadEllipticCurve(t *testing.T) {
	Convey("Given a valid EC key", t, func() {
		keyPEM := `-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIPkiHqtH372JJdAG/IxJlE1gv03cdwa8Lhg2b3m/HmbyoAoGCCqGSM49
AwEHoUQDQgAEAfAL+AfPj/DnxrU6tUkEyzEyCxnflOWxhouy1bdzhJ7vxMb1vQ31
8ZbW/WvMN/ojIXqXYrEpISoojznj46w64w==
-----END EC PRIVATE KEY-----`
		Convey("I should be able to load the key", func() {
			key, err := LoadEllipticCurveKey([]byte(keyPEM))
			So(key, ShouldNotBeNil)
			So(err, ShouldBeNil)
		})
	})

	Convey("Given an invalid PEM BLOCK", t, func() {
		keyPEM := ""
		Convey("I should get an error", func() {
			_, err := LoadEllipticCurveKey([]byte(keyPEM))
			So(err, ShouldNotBeNil)
		})
	})

	Convey("Given an invalid Key file", t, func() {
		keyPEM := `-----BEGIN EC PRIVATE KEY-----
-----END EC PRIVATE KEY-----`
		Convey("I should get an error", func() {
			_, err := LoadEllipticCurveKey([]byte(keyPEM))
			So(err, ShouldNotBeNil)
		})
	})
}

// TestFuncLoadRootCertificates test the loading of root certs in a cert pool
func TestFuncLoadRootCertificates(t *testing.T) {
	Convey("Given a valid certificate chain", t, func() {

		Convey("I should be able to get a valid certificate chain", func() {
			roots := LoadRootCertificates([]byte(caPool))
			So(roots, ShouldNotBeNil)
			So(len(roots.Subjects()), ShouldEqual, 2)
		})
	})
}

// TestFuncLoadAndVerifyCertificate
func TestLoadAndVerifyCertificate(t *testing.T) {
	Convey("Given a valid certificate chain", t, func() {
		roots := LoadRootCertificates([]byte(caPool))
		So(roots, ShouldNotBeNil)
		So(len(roots.Subjects()), ShouldEqual, 2)

		Convey("Given a certificate signed by the intermediatery", func() {
			Convey("I should be able to load and verify the certificate", func() {
				cert, err := LoadAndVerifyCertificate([]byte(certPEM), roots)
				So(cert, ShouldNotBeNil)
				So(err, ShouldBeNil)
			})
		})
	})

	Convey("Given the root CA certificate only ", t, func() {
		rootCA := `
-----BEGIN CERTIFICATE-----
MIIB3jCCAYOgAwIBAgIJALsW7pyC2ERQMAoGCCqGSM49BAMCMEsxCzAJBgNVBAYT
AlVTMQswCQYDVQQIDAJDQTEMMAoGA1UEBwwDU0pDMRAwDgYDVQQKDAdUcmlyZW1l
MQ8wDQYDVQQDDAZ1YnVudHUwHhcNMTYwOTI3MjI0OTAwWhcNMjYwOTI1MjI0OTAw
WjBLMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExDDAKBgNVBAcMA1NKQzEQMA4G
A1UECgwHVHJpcmVtZTEPMA0GA1UEAwwGdWJ1bnR1MFkwEwYHKoZIzj0CAQYIKoZI
zj0DAQcDQgAE4c2Fd7XeIB1Vfs51fWwREfLLDa55J+NBalV12CH7YEAnEXjl47aV
cmNqcAtdMUpf2oz9nFVI81bgO+OSudr3CqNQME4wHQYDVR0OBBYEFOBftuI09mmu
rXjqDyIta1gT8lqvMB8GA1UdIwQYMBaAFOBftuI09mmurXjqDyIta1gT8lqvMAwG
A1UdEwQFMAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAMylAHhbFA0KqhXIFiXNpEbH
JKaELL6UXXdeQ5yup8q+AiEAh5laB9rbgTymjaANcZ2YzEZH4VFS3CKoSdVqgnwC
dW4=
-----END CERTIFICATE-----`
		roots := LoadRootCertificates([]byte(rootCA))
		So(roots, ShouldNotBeNil)
		So(len(roots.Subjects()), ShouldEqual, 1)

		Convey("Given a certificate signed by the intermediatery", func() {
			Convey("I should be able to fail to verify the certificate ", func() {
				cert, err := LoadAndVerifyCertificate([]byte(certPEM), roots)
				So(cert, ShouldBeNil)
				So(err, ShouldNotBeNil)
			})
		})
	})

	Convey("Given a good CA ", t, func() {
		goodCA := `-----BEGIN CERTIFICATE-----
MIIBhTCCASwCCQC8b53yGlcQazAKBggqhkjOPQQDAjBLMQswCQYDVQQGEwJVUzEL
MAkGA1UECAwCQ0ExDDAKBgNVBAcMA1NKQzEQMA4GA1UECgwHVHJpcmVtZTEPMA0G
A1UEAwwGdWJ1bnR1MB4XDTE2MDkyNzIyNDkwMFoXDTI2MDkyNTIyNDkwMFowSzEL
MAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQwwCgYDVQQHDANTSkMxEDAOBgNVBAoM
B1RyaXJlbWUxDzANBgNVBAMMBnVidW50dTBZMBMGByqGSM49AgEGCCqGSM49AwEH
A0IABJxneTUqhbtgEIwpKUUzwz3h92SqcOdIw3mfQkMjg3Vobvr6JKlpXYe9xhsN
rygJmLhMAN9gjF9qM9ybdbe+m3owCgYIKoZIzj0EAwIDRwAwRAIgC1fVMqdBy/o3
jNUje/Hx0fZF9VDyUK4ld+K/wF3QdK4CID1ONj/Kqinrq2OpjYdkgIjEPuXoOoR1
tCym8dnq4wtH
-----END CERTIFICATE-----`

		roots := LoadRootCertificates([]byte(goodCA))
		So(roots, ShouldNotBeNil)
		So(len(roots.Subjects()), ShouldEqual, 1)

		Convey("Given a bad certificate ", func() {
			badCA := `-----BEGIN CERTIFICATE-----
MAkGA1UECAwCQ0ExDDAKBgNVBAcMA1NKQzEQMA4GA1UECgwHVHJpcmVtZTEPMA0G
A1UEAwwGdWJ1bnR1MB4XDTE2MDkyNzIyNDkwMFoXDTI2MDkyNTIyNDkwMFowSzEL
MAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQwwCgYDVQQHDANTSkMxEDAOBgNVBAoM
B1RyaXJlbWUxDzANBgNVBAMMBnVidW50dTBZMBMGByqGSM49AgEGCCqGSM49AwEH
A0IABAHwC/gHz4/w58a1OrVJBMsxMgsZ35TlsYaLstW3c4Se78TG9b0N9fGW1v1r
zDf6IyF6l2KxKSEqKI854+OsOuMwCgYIKoZIzj0EAwIDSAAwRQIgQwQn0jnK/XvD
KxgQd/0pW5FOAaB41cMcw4/XVlphO1oCIQDlGie+WlOMjCzrV0Xz+XqIIi1pIgPT
IG7Nv+YlTVp5qA==
-----END CERTIFICATE-----`
			Convey("I should be able to fail to verify the certificate ", func() {
				cert, err := LoadAndVerifyCertificate([]byte(badCA), roots)
				So(cert, ShouldBeNil)
				So(err, ShouldNotBeNil)
			})
		})
	})

	Convey("Given bad certificate   ", t, func() {

		Convey("Where the certificate block is bad  ", func() {
			emptyCA := ``
			Convey("I should be able to fail to verify the certificate ", func() {
				cert, err := LoadAndVerifyCertificate([]byte(emptyCA), nil)
				So(cert, ShouldBeNil)
				So(err, ShouldNotBeNil)
			})
		})
	})
}

// TestLoadAndVerifyECSecrets
func TestLoadAndVerifyECSecrets(t *testing.T) {

	Convey("Given a valid EC key", t, func() {
		keyPEM := `-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIPkiHqtH372JJdAG/IxJlE1gv03cdwa8Lhg2b3m/HmbyoAoGCCqGSM49
AwEHoUQDQgAEAfAL+AfPj/DnxrU6tUkEyzEyCxnflOWxhouy1bdzhJ7vxMb1vQ31
8ZbW/WvMN/ojIXqXYrEpISoojznj46w64w==
-----END EC PRIVATE KEY-----`
		Convey("I should be able to load the key", func() {
			key, err := LoadEllipticCurveKey([]byte(keyPEM))
			So(key, ShouldNotBeNil)
			So(err, ShouldBeNil)
		})

		Convey("Given a valid certificate chain", func() {
			roots := LoadRootCertificates([]byte(caPool))
			So(roots, ShouldNotBeNil)
			So(len(roots.Subjects()), ShouldEqual, 2)

			Convey("Given a certificate signed by the intermediatery", func() {
				Convey("I should be able to load and verify the certificate", func() {
					cert, err := LoadAndVerifyCertificate([]byte(certPEM), roots)
					So(cert, ShouldNotBeNil)
					So(err, ShouldBeNil)
				})

				Convey("Given I have valid EC key, certificate chain and signed certificate", func() {
					key, cert, certPool, err := LoadAndVerifyECSecrets([]byte(keyPEM), []byte(certPEM), []byte(caPool))

					Convey("I should be able to load and verify all the certificates and keys in the right data structures", func() {
						So(key, ShouldNotBeNil)
						So(cert, ShouldNotBeNil)
						So(certPool, ShouldNotBeNil)
						So(err, ShouldBeNil)
					})
				})

				Convey("Given I have invalid EC key, valid certificate chain and signed certificate", func() {
					invalidKeyPEM := `-----BEGIN EC PRIVATE KEY-----
			-----END EC PRIVATE KEY-----`
					key, cert, certPool, err := LoadAndVerifyECSecrets([]byte(invalidKeyPEM), []byte(certPEM), []byte(caPool))

					Convey("I should be able to fail verifying the EC key", func() {
						So(key, ShouldBeNil)
						So(cert, ShouldBeNil)
						So(certPool, ShouldBeNil)
						So(err, ShouldResemble, errors.New("LoadElliticCurveKey bad pem block: -----BEGIN EC PRIVATE KEY-----\n\t\t\t-----END EC PRIVATE KEY-----"))
					})
				})

				Convey("Given I have valid EC key, invalid certificate chain and valid signed certificate", func() {
					invalidCaPool := `-----BEGIN CERTIFICATE-----
			-----END CERTIFICATE-----`
					key, cert, certPool, err := LoadAndVerifyECSecrets([]byte(keyPEM), []byte(certPEM), []byte(invalidCaPool))

					Convey("I should be able to fail loading the certificate pool", func() {
						So(key, ShouldBeNil)
						So(cert, ShouldBeNil)
						So(certPool, ShouldBeNil)
						So(err, ShouldResemble, errors.New("unable to load root certificate pool"))
					})
				})

				Convey("Given I have valid EC key, certificate chain and invalid signed certificate", func() {
					invalidCertPEM := `-----BEGIN CERTIFICATE-----
		-----END CERTIFICATE-----`
					key, cert, certPool, err := LoadAndVerifyECSecrets([]byte(keyPEM), []byte(invalidCertPEM), []byte(caPool))

					Convey("I should be able to fail verifying certificate (bad certificate)", func() {
						So(key, ShouldBeNil)
						So(cert, ShouldBeNil)
						So(certPool, ShouldBeNil)
						So(err, ShouldResemble, errors.New("unable to parse pem block: -----BEGIN CERTIFICATE-----\n\t\t-----END CERTIFICATE-----"))
					})
				})
			})
		})
	})
}

// func TestPublicKeyEncDec(t *testing.T) {

// 	privateKey1, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
// 	encPub1 := EncodePublicKey(&privateKey1.PublicKey)
// 	decPub1, _ := DecodePublicKey(encPub1)

// 	pubKeyEq1 := reflect.DeepEqual(privateKey1.PublicKey, *decPub1)

// 	assert.Equal(t, pubKeyEq1, true, "public key1 should be equal")
// }


================================================
FILE: utils/fqdn/fqdn.go
================================================
package fqdn

import (
	"net"
	"os"
	"strings"
	"sync"
)

// defining os and net package functions in their own variables
// so that we can mock them for unit tests
var (
	osHostname    = os.Hostname
	netLookupIP   = net.LookupIP
	netLookupAddr = net.LookupAddr
)

const unknownHostname = "unknown"

// InitializeAlternativeHostname can be used to set an alternative hostname that is being used by `FindFQDN`.
// The enforcer can use this during startup to provide an alternative value.
func InitializeAlternativeHostname(hostname string) {
	if hostname != "" {
		alternativeHostnameOnce.Do(func() {
			alternativeHostnameLock.Lock()

			alternativeHostname = hostname

			alternativeHostnameLock.Unlock()
		})
	}
}

func getAlternativeHostname() string {
	alternativeHostnameLock.RLock()
	defer alternativeHostnameLock.RUnlock()
	return alternativeHostname
}

var (
	alternativeHostnameOnce = &sync.Once{}
	alternativeHostnameLock sync.RWMutex
	alternativeHostname     string
)

// Find returns fqdn. It uses the following algorithm:
// First of all, it will return the globally set alternative hostname if it has been initialized with previously with `IntializeAlternativeHostname`
// If this is not set, it will try to determine the hostname, resolve the hostname to an IP,
// and based on the hostname it will perform a reverse DNS lookup for the IP.
// The first entry of the reverse DNS lookup will be returned.
// If there are any errors during this process, this function will return "unknown".
// It will never return an empty string.
func Find() string {
	// return with the global alternative hostname if this is what we really want to do
	alternativeHostname := getAlternativeHostname()
	if alternativeHostname != "" {
		return alternativeHostname
	}

	// for some cloud providers (like AWS at some point) we prefer different FQDNs
	// return with th

	hostnameRaw, err := osHostname()
	if err != nil {
		return unknownHostname
	}

	// net.LookupIP will actually error if hostname is empty
	// so if there is no hostname set in the kernel, also return unknown
	// as in all other error cases we want to return a valid string
	// make sure that it is set to either os.Hostname or "unknown", but is never empty
	hostname := hostnameRaw
	if hostnameRaw == "" {
		hostname = unknownHostname
	}

	addrs, err := netLookupIP(hostnameRaw)
	if err != nil {
		return hostname
	}

	for _, addr := range addrs {
		if ipv4 := addr.To4(); ipv4 != nil {
			ip, err := ipv4.MarshalText()
			if err != nil {
				// impossible case and only possible if there is a bug in golang:
				// this will only error if this is not a valid IP address
				// To4() already proves that
				continue
			}
			hosts, err := netLookupAddr(string(ip))
			if err != nil || len(hosts) == 0 {
				continue
			}
			fqdn := hosts[0]
			ret := strings.TrimSuffix(fqdn, ".") // return fqdn without trailing dot
			if ret != "" {
				return ret
			}
		}
		if ipv6 := addr.To16(); ipv6 != nil {
			ip, err := ipv6.MarshalText()
			if err != nil {
				// impossible case and only possible if there is a bug in golang:
				// this will only error if this is not a valid IP address
				// To16() already proves that
				continue
			}
			hosts, err := netLookupAddr(string(ip))
			if err != nil || len(hosts) == 0 {
				continue
			}
			fqdn := hosts[0]
			ret := strings.TrimSuffix(fqdn, ".") // return fqdn without trailing dot
			if ret != "" {
				return ret
			}
		}
	}

	// fall back to os.Hostname or unknown if none of that worked
	return hostname
}


================================================
FILE: utils/fqdn/fqdn_test.go
================================================
package fqdn

import (
	"fmt"
	"net"
	"os"
	"sync"
	"testing"
)

func TestFind(t *testing.T) {
	ip41 := net.ParseIP("192.0.2.1")
	if ip41 == nil {
		panic("failed to parse ip41")
	}
	ip42 := net.ParseIP("192.0.2.2")
	if ip42 == nil {
		panic("failed to parse ip42")
	}
	ip61 := net.ParseIP("2001:db8::68")
	if ip61 == nil {
		panic("failed to parse ip61")
	}
	ip62 := net.ParseIP("2001:db8::69")
	if ip62 == nil {
		panic("failed to parse ip62")
	}
	invalidIP := (net.IP)([]byte("012345678901234567890"))
	tests := []struct {
		name          string
		want          string
		osHostname    func() (string, error)
		netLookupIP   func(string) ([]net.IP, error)
		netLookupAddr func(string) ([]string, error)
		pre           func()
	}{
		{
			name: "os.Hostname errors",
			want: unknownHostname,
			osHostname: func() (string, error) {
				return "", fmt.Errorf("failed to get hostname from the kernel")
			},
		},
		{
			name: "os.Hostname does not error but returns empty",
			want: unknownHostname,
			osHostname: func() (string, error) {
				return "", nil
			},
		},
		{
			name: "net.LookupIP errors",
			want: constMyhostname,
			osHostname: func() (string, error) {
				return constMyhostname, nil
			},
			netLookupIP: func(string) ([]net.IP, error) {
				return nil, fmt.Errorf("massive error")
			},
		},
		{
			name: "net.LookupIP returns empty",
			want: constMyhostname,
			osHostname: func() (string, error) {
				return constMyhostname, nil
			},
			netLookupIP: func(string) ([]net.IP, error) {
				return []net.IP{}, nil
			},
		},
		{
			name: "net.LookupIP returns addresses which cannot be reversed looked up",
			want: constMyhostname,
			osHostname: func() (string, error) {
				return constMyhostname, nil
			},
			netLookupIP: func(string) ([]net.IP, error) {
				return []net.IP{ip41, ip42}, nil
			},
		},
		{
			// NOTE: this will not cover the branch if `ipv4.MarshalText()` errors, because that is an impossible branch
			name: "net.LookupIP returns an invalid IP address",
			want: constMyhostname,
			osHostname: func() (string, error) {
				return constMyhostname, nil
			},
			netLookupIP: func(string) ([]net.IP, error) {
				return []net.IP{invalidIP}, nil
			},
		},
		{
			name: "net.LookupIP returns one address which can be reversed looked up",
			want: "myhostname.local",
			osHostname: func() (string, error) {
				return constMyhostname, nil
			},
			netLookupIP: func(string) ([]net.IP, error) {
				return []net.IP{ip41, ip42}, nil
			},
			netLookupAddr: func(addr string) ([]string, error) {
				if addr == "192.0.2.2" {
					return []string{"myhostname.local."}, nil
				}
				return nil, nil
			},
		},
		{
			name: "net.LookupIP returns IPv6 addresses which cannot be reversed looked up",
			want: constMyhostname,
			osHostname: func() (string, error) {
				return constMyhostname, nil
			},
			netLookupIP: func(string) ([]net.IP, error) {
				return []net.IP{ip61, ip62}, nil
			},
		},
		{
			name: "net.LookupIP returns one IPv6 address which can be reversed looked up",
			want: "myhostname.local",
			osHostname: func() (string, error) {
				return constMyhostname, nil
			},
			netLookupIP: func(string) ([]net.IP, error) {
				return []net.IP{ip61, ip62}, nil
			},
			netLookupAddr: func(addr string) ([]string, error) {
				if addr == "2001:db8::69" {
					return []string{"myhostname.local."}, nil
				}
				return nil, nil
			},
		},
		{
			name: "if an alternative hostname is set, return with this instead",
			want: constHostname,
			pre: func() {
				InitializeAlternativeHostname(constHostname)
			},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			if tt.pre != nil {
				tt.pre()
			}
			if tt.osHostname != nil {
				osHostname = tt.osHostname
			} else {
				osHostname = os.Hostname
			}
			if tt.netLookupIP != nil {
				netLookupIP = tt.netLookupIP
			} else {
				netLookupIP = net.LookupIP
			}
			if tt.netLookupAddr != nil {
				netLookupAddr = tt.netLookupAddr
			} else {
				netLookupAddr = net.LookupAddr
			}
			if got := Find(); got != tt.want {
				t.Errorf("FindFQDN() = %v, want %v", got, tt.want)
			}
			// reset everything after each run
			alternativeHostnameLock.Lock()
			defer alternativeHostnameLock.Unlock()
			alternativeHostname = ""
			alternativeHostnameOnce = &sync.Once{}
		})
	}
}

const (
	constHostname   = "alternative.hostname"
	constMyhostname = "myhostname"
)

func TestInitializeAlternativeHostname(t *testing.T) {
	type args struct {
		hostname string
	}
	tests := []struct {
		name string
		args args
		want string
		pre  func()
	}{
		{
			name: "set and success",
			args: args{hostname: constHostname},
			want: constHostname,
		},
		{
			name: "second initialize call will not override",
			args: args{hostname: "hostname2"},
			want: constHostname,
			pre: func() {
				InitializeAlternativeHostname(constHostname)
			},
		},
		{
			name: "an empty initialize call does not initialize it",
			args: args{hostname: constHostname},
			want: constHostname,
			pre: func() {
				InitializeAlternativeHostname("")
			},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			if tt.pre != nil {
				tt.pre()
			}
			InitializeAlternativeHostname(tt.args.hostname)
			if got := getAlternativeHostname(); got != tt.want {
				t.Errorf("IntializeAlternativeHostname() = %v, want %v", got, tt.want)
			}
			// reset everything after each run
			alternativeHostnameLock.Lock()
			defer alternativeHostnameLock.Unlock()
			alternativeHostname = ""
			alternativeHostnameOnce = &sync.Once{}
		})
	}
}


================================================
FILE: utils/frontman/driver_windows.go
================================================
// +build windows

package frontman

import (
	"syscall"
)

// ABI represents the 'application binary interface' to the Frontman dll
type ABI interface {
	FrontmanOpenShared() (uintptr, error)
	GetDestInfo(driverHandle, socket, destInfo uintptr) (uintptr, error)
	ApplyDestHandle(socket, destHandle uintptr) (uintptr, error)
	FreeDestHandle(destHandle uintptr) (uintptr, error)
	NewIpset(driverHandle, name, ipsetType, ipset uintptr) (uintptr, error)
	GetIpset(driverHandle, name, ipset uintptr) (uintptr, error)
	DestroyAllIpsets(driverHandle, prefix uintptr) (uintptr, error)
	ListIpsets(driverHandle, ipsetNames, ipsetNamesSize, bytesReturned uintptr) (uintptr, error)
	ListIpsetsDetail(driverHandle, format, ipsetNames, ipsetNamesSize, bytesReturned uintptr) (uintptr, error)
	IpsetAdd(driverHandle, ipset, entry, timeout uintptr) (uintptr, error)
	IpsetAddOption(driverHandle, ipset, entry, option, timeout uintptr) (uintptr, error)
	IpsetDelete(driverHandle, ipset, entry uintptr) (uintptr, error)
	IpsetDestroy(driverHandle, ipset uintptr) (uintptr, error)
	IpsetFlush(driverHandle, ipset uintptr) (uintptr, error)
	IpsetTest(driverHandle, ipset, entry uintptr) (uintptr, error)
	PacketFilterStart(frontman, firewallName, receiveCallback, loggingCallback uintptr) (uintptr, error)
	PacketFilterClose() (uintptr, error)
	PacketFilterForward(info, packet uintptr) (uintptr, error)
	AppendFilter(driverHandle, outbound, filterName, isGotoFilter uintptr) (uintptr, error)
	InsertFilter(driverHandle, outbound, priority, filterName, isGotoFilter uintptr) (uintptr, error)
	DestroyFilter(driverHandle, filterName uintptr) (uintptr, error)
	EmptyFilter(driverHandle, filterName uintptr) (uintptr, error)
	GetFilterList(driverHandle, outbound, buffer, bufferSize, bytesReturned uintptr) (uintptr, error)
	AppendFilterCriteria(driverHandle, filterName, criteriaName, ruleSpec, ipsetRuleSpecs, ipsetRuleSpecCount uintptr) (uintptr, error)
	DeleteFilterCriteria(driverHandle, filterName, criteriaName uintptr) (uintptr, error)
	GetCriteriaList(driverHandle, format, criteriaList, criteriaListSize, bytesReturned uintptr) (uintptr, error)
}

type driver struct {
}

// Driver is actually the concrete calls into the Frontman dll, which call into the driver
var Driver = ABI(&driver{})

func (d *driver) FrontmanOpenShared() (uintptr, error) {
	ret, _, err := frontManOpenProc.Call()
	if err == syscall.Errno(0) {
		err = nil
	}
	return ret, err
}

func (d *driver) GetDestInfo(driverHandle, socket, destInfo uintptr) (uintptr, error) {
	ret, _, err := getDestInfoProc.Call(driverHandle, socket, destInfo)
	if err == syscall.Errno(0) {
		err = nil
	}
	return ret, err
}

func (d *driver) ApplyDestHandle(socket, destHandle uintptr) (uintptr, error) {
	ret, _, err := applyDestHandleProc.Call(socket, destHandle)
	if err == syscall.Errno(0) {
		err = nil
	}
	return ret, err
}

func (d *driver) FreeDestHandle(destHandle uintptr) (uintptr, error) {
	ret, _, err := freeDestHandleProc.Call(destHandle)
	if err == syscall.Errno(0) {
		err = nil
	}
	return ret, err
}

func (d *driver) NewIpset(driverHandle, name, ipsetType, ipset uintptr) (uintptr, error) {
	ret, _, err := newIpsetProc.Call(driverHandle, name, ipsetType, ipset)
	if err == syscall.Errno(0) {
		err = nil
	}
	return ret, err
}

func (d *driver) GetIpset(driverHandle, name, ipset uintptr) (uintptr, error) {
	ret, _, err := getIpsetProc.Call(driverHandle, name, ipset)
	if err == syscall.Errno(0) {
		err = nil
	}
	return ret, err
}

func (d *driver) DestroyAllIpsets(driverHandle, prefix uintptr) (uintptr, error) {
	ret, _, err := destroyAllIpsetsProc.Call(driverHandle, prefix)
	if err == syscall.Errno(0) {
		err = nil
	}
	return ret, err
}

func (d *driver) ListIpsets(driverHandle, ipsetNames, ipsetNamesSize, bytesReturned uintptr) (uintptr, error) {
	ret, _, err := listIpsetsProc.Call(driverHandle, ipsetNames, ipsetNamesSize, bytesReturned)
	if err == syscall.Errno(0) {
		err = nil
	}
	return ret, err
}

func (d *driver) ListIpsetsDetail(driverHandle, format, ipsetNames, ipsetNamesSize, bytesReturned uintptr) (uintptr, error) {
	ret, _, err := listIpsetsDetailProc.Call(driverHandle, format, ipsetNames, ipsetNamesSize, bytesReturned)
	if err == syscall.Errno(0) {
		err = nil
	}
	return ret, err
}

func (d *driver) IpsetAdd(driverHandle, ipset, entry, timeout uintptr) (uintptr, error) {
	ret, _, err := ipsetAddProc.Call(driverHandle, ipset, entry, timeout)
	if err == syscall.Errno(0) {
		err = nil
	}
	return ret, err
}

func (d *driver) IpsetAddOption(driverHandle, ipset, entry, option, timeout uintptr) (uintptr, error) {
	ret, _, err := ipsetAddOptionProc.Call(driverHandle, ipset, entry, option, timeout)
	if err == syscall.Errno(0) {
		err = nil
	}
	return ret, err
}

func (d *driver) IpsetDelete(driverHandle, ipset, entry uintptr) (uintptr, error) {
	ret, _, err := ipsetDeleteProc.Call(driverHandle, ipset, entry)
	if err == syscall.Errno(0) {
		err = nil
	}
	return ret, err
}

func (d *driver) IpsetDestroy(driverHandle, ipset uintptr) (uintptr, error) {
	ret, _, err := ipsetDestroyProc.Call(driverHandle, ipset)
	if err == syscall.Errno(0) {
		err = nil
	}
	return ret, err
}

func (d *driver) IpsetFlush(driverHandle, ipset uintptr) (uintptr, error) {
	ret, _, err := ipsetFlushProc.Call(driverHandle, ipset)
	if err == syscall.Errno(0) {
		err = nil
	}
	return ret, err
}

func (d *driver) IpsetTest(driverHandle, ipset, entry uintptr) (uintptr, error) {
	ret, _, err := ipsetTestProc.Call(driverHandle, ipset, entry)
	if err == syscall.Errno(0) {
		err = nil
	}
	return ret, err
}

func (d *driver) PacketFilterStart(frontman, firewallName, receiveCallback, loggingCallback uintptr) (uintptr, error) {
	ret, _, err := packetFilterStartProc.Call(frontman, firewallName, receiveCallback, loggingCallback)
	if err == syscall.Errno(0) {
		err = nil
	}
	return ret, err
}

func (d *driver) PacketFilterClose() (uintptr, error) {
	ret, _, err := packetFilterCloseProc.Call()
	if err == syscall.Errno(0) {
		err = nil
	}
	return ret, err
}

func (d *driver) PacketFilterForward(info, packet uintptr) (uintptr, error) {
	ret, _, err := packetFilterForwardProc.Call(info, packet)
	if err == syscall.Errno(0) {
		err = nil
	}
	return ret, err
}

func (d *driver) AppendFilter(driverHandle, outbound, filterName, isGotoFilter uintptr) (uintptr, error) {
	ret, _, err := appendFilterProc.Call(driverHandle, outbound, filterName, isGotoFilter)
	if err == syscall.Errno(0) {
		err = nil
	}
	return ret, err
}

func (d *driver) InsertFilter(driverHandle, outbound, priority, filterName, isGotoFilter uintptr) (uintptr, error) {
	ret, _, err := insertFilterProc.Call(driverHandle, outbound, priority, filterName, isGotoFilter)
	if err == syscall.Errno(0) {
		err = nil
	}
	return ret, err
}

func (d *driver) DestroyFilter(driverHandle, filterName uintptr) (uintptr, error) {
	ret, _, err := destroyFilterProc.Call(driverHandle, filterName)
	if err == syscall.Errno(0) {
		err = nil
	}
	return ret, err
}

func (d *driver) EmptyFilter(driverHandle, filterName uintptr) (uintptr, error) {
	ret, _, err := emptyFilterProc.Call(driverHandle, filterName)
	if err == syscall.Errno(0) {
		err = nil
	}
	return ret, err
}

func (d *driver) GetFilterList(driverHandle, outbound, buffer, bufferSize, bytesReturned uintptr) (uintptr, error) {
	ret, _, err := getFilterListProc.Call(driverHandle, outbound, buffer, bufferSize, bytesReturned)
	if err == syscall.Errno(0) {
		err = nil
	}
	return ret, err
}

func (d *driver) AppendFilterCriteria(driverHandle, filterName, criteriaName, ruleSpec, ipsetRuleSpecs, ipsetRuleSpecCount uintptr) (uintptr, error) {
	ret, _, err := appendFilterCriteriaProc.Call(driverHandle, filterName, criteriaName, ruleSpec, ipsetRuleSpecs, ipsetRuleSpecCount)
	if err == syscall.Errno(0) {
		err = nil
	}
	return ret, err
}

func (d *driver) DeleteFilterCriteria(driverHandle, filterName, criteriaName uintptr) (uintptr, error) {
	ret, _, err := deleteFilterCriteriaProc.Call(driverHandle, filterName, criteriaName)
	if err == syscall.Errno(0) {
		err = nil
	}
	return ret, err
}

func (d *driver) GetCriteriaList(driverHandle, format, criteriaList, criteriaListSize, bytesReturned uintptr) (uintptr, error) {
	ret, _, err := getCriteriaListProc.Call(driverHandle, format, criteriaList, criteriaListSize, bytesReturned)
	if err == syscall.Errno(0) {
		err = nil
	}
	return ret, err
}

// Frontman.dll procs to be called from Go
var (
	driverDll        = syscall.NewLazyDLL("Frontman.dll")
	frontManOpenProc = driverDll.NewProc("FrontmanOpenShared")

	// Frontman procs needed for app proxy. The pattern to follow is
	// - call FrontmanGetDestInfo to get original ip/port
	// - create new proxy socket
	// - call FrontmanApplyDestHandle to update WFP redirect data
	// - connect on the new proxy socket
	// - free kernel data by calling FrontmanFreeDestHandle
	getDestInfoProc     = driverDll.NewProc("FrontmanGetDestInfo")
	applyDestHandleProc = driverDll.NewProc("FrontmanApplyDestHandle")
	freeDestHandleProc  = driverDll.NewProc("FrontmanFreeDestHandle")

	newIpsetProc         = driverDll.NewProc("IpsetProvider_NewIpset")
	getIpsetProc         = driverDll.NewProc("IpsetProvider_GetIpset")
	destroyAllIpsetsProc = driverDll.NewProc("IpsetProvider_DestroyAll")
	listIpsetsProc       = driverDll.NewProc("IpsetProvider_ListIPSets")
	listIpsetsDetailProc = driverDll.NewProc("IpsetProvider_ListIPSetsDetail")
	ipsetAddProc         = driverDll.NewProc("Ipset_Add")
	ipsetAddOptionProc   = driverDll.NewProc("Ipset_AddOption")
	ipsetDeleteProc      = driverDll.NewProc("Ipset_Delete")
	ipsetDestroyProc     = driverDll.NewProc("Ipset_Destroy")
	ipsetFlushProc       = driverDll.NewProc("Ipset_Flush")
	ipsetTestProc        = driverDll.NewProc("Ipset_Test")

	packetFilterStartProc   = driverDll.NewProc("PacketFilterStart")
	packetFilterCloseProc   = driverDll.NewProc("PacketFilterClose")
	packetFilterForwardProc = driverDll.NewProc("PacketFilterForwardPacket")

	appendFilterProc         = driverDll.NewProc("AppendFilter")
	insertFilterProc         = driverDll.NewProc("InsertFilter")
	destroyFilterProc        = driverDll.NewProc("DestroyFilter")
	emptyFilterProc          = driverDll.NewProc("EmptyFilter")
	getFilterListProc        = driverDll.NewProc("GetFilterList")
	appendFilterCriteriaProc = driverDll.NewProc("AppendFilterCriteria")
	deleteFilterCriteriaProc = driverDll.NewProc("DeleteFilterCriteria")
	getCriteriaListProc      = driverDll.NewProc("GetCriteriaList")
)

// See frontmanIO.h for #defines
const (
	FilterActionContinue = iota
	FilterActionAllow
	FilterActionBlock
	FilterActionProxy
	FilterActionNfq
	FilterActionForceNfq
	FilterActionAllowOnce
	FilterActionGotoFilter
	FilterActionSetMark
)

// See frontmanIO.h for #defines
const (
	BytesMatchStartIPHeader = iota + 1
	BytesMatchStartProtocolHeader
	BytesMatchStartPayload
)

// ProcessMatch constants
const (
	ProcessMatchProcess  = iota + 1 // Match the process id
	ProcessMatchChildren            // Match the child processes
)

// See Filter_set.h
const (
	CriteriaListFormatString = iota + 1
	CriteriaListFormatJSON
)

// See Ipset.h
const (
	IpsetsDetailFormatString = iota + 1
	IpsetsDetailFormatJSON
)

// See frontmanIO.h
const (
	MatchTypeMatch   = uint8(1)
	MatchTypeNoMatch = uint8(2)
)

// See frontmanIO.h
const (
	IPVersionAny = uint8(0) // Rule is for Ipv4 or Ipv6
	IPVersion4   = uint8(1) // Rule is just for Ipv4
	IPVersion6   = uint8(2) // Rule is just for Ipv6
)

// DestInfo mirrors frontman's DEST_INFO struct
type DestInfo struct {
	IPAddr     *uint16 // WCHAR* IPAddress		Destination address allocated and will be free by FrontmanFreeDestHandle
	Port       uint16  // USHORT Port			Destination port
	Outbound   int32   // INT32 Outbound		Whether or not this is an outbound or inbound connection
	ProcessID  uint64  // UINT64 ProcessId		Process id.  Only available for outbound connections
	DestHandle uintptr // LPVOID DestHandle		Handle to memory that must be freed by called ProxyDestConnected when connection is established.
}

// PacketInfo mirrors frontman's FRONTMAN_PACKET_INFO struct
type PacketInfo struct {
	Ipv4                         uint8
	Protocol                     uint8
	Outbound                     uint8
	Drop                         uint8
	IgnoreFlow                   uint8
	HandleLoopback               uint8 // Not to be set by go code, but is for outbound loopback packets
	NewPacket                    uint8 // Set to 1 if packet did not originate from the driver.
	NoPidMatchOnFlow             uint8 // Set to 1 to ignore process ID rule matches.
	DropFlow                     uint8
	SetMark                      uint8
	Reserved                     [2]uint8
	SetMarkValue                 uint32
	LocalPort                    uint16
	RemotePort                   uint16
	LocalAddr                    [4]uint32
	RemoteAddr                   [4]uint32
	IfIdx                        uint32
	SubIfIdx                     uint32
	CompartmentID                uint32
	PacketSize                   uint32
	Mark                         uint32
	StartTimeReceivedFromNetwork uint64
	StartTimeSentToUserLand      uint64
}

// LogPacketInfo mirrors frontman's FRONTMAN_LOG_PACKET_INFO struct
type LogPacketInfo struct {
	Ipv4       uint8
	Protocol   uint8
	Outbound   uint8
	Reserved1  uint8
	LocalPort  uint16
	RemotePort uint16
	LocalAddr  [4]uint32
	RemoteAddr [4]uint32
	PacketSize uint32
	GroupID    uint32
	LogPrefix  [64]uint16
}

// IpsetRuleSpec mirrors frontman's IPSET_RULE_SPEC struct
type IpsetRuleSpec struct {
	NotIpset     uint8
	IpsetDstIP   uint8
	IpsetDstPort uint8
	IpsetSrcIP   uint8
	IpsetSrcPort uint8
	Reserved1    uint8
	Reserved2    uint8
	Reserved3    uint8
	IpsetName    uintptr // const wchar_t*
}

// PortRange mirrors frontman's PORT_RANGE struct
type PortRange struct {
	PortStart uint16
	PortEnd   uint16
}

// IcmpRange mirrors frontman's ICMP_RANGE struct
type IcmpRange struct {
	IcmpTypeSpecified uint8
	IcmpType          uint8
	IcmpCodeSpecified uint8
	IcmpCodeLower     uint8
	IcmpCodeUpper     uint8
}

// RuleSpec mirrors frontman's RULE_SPEC struct
type RuleSpec struct {
	Action                 uint8
	Log                    uint8
	Protocol               uint8
	ProtocolSpecified      uint8
	AleAuthConnect         uint8 // not used by us
	ProcessFlags           uint8 // See frontmanIO.h bit mask PROCESS_MATCH_PROCESS and/or PROCESS_MATCH_CHILDREN
	TCPFlags               uint8
	TCPFlagsMask           uint8
	TCPFlagsSpecified      uint8
	TCPOption              uint8
	TCPOptionSpecified     uint8
	CompartmentIDSpecified uint8
	BytesNoMatch           uint8
	FlowMarkMatchType      uint8 // MATCH_TYPE_MATCH = 1 MATCH_TYPE_NOMATCH = 2
	IPVersionMatch         uint8 // IP_VERSION_ANY, IP_VERSION_4, or IP_VERSION_6
	Reserved               uint8
	FlowMark               uint32
	CompartmentID          uint32
	IcmpRanges             *IcmpRange
	IcmpRangeCount         int32
	ProxyPort              uint16
	BytesMatchStart        int16 // See frontmanIO.h for BYTESMATCH defines.
	BytesMatchOffset       int32
	BytesMatchSize         int32
	BytesMatch             *byte
	Mark                   uint32
	GroupID                uint32
	SrcPortCount           int32
	DstPortCount           int32
	SrcPorts               *PortRange
	DstPorts               *PortRange
	LogPrefix              uintptr // const wchar_t*
	Application            uintptr // const wchar_t*
	ProcessID              uint64
	GotoFilterName         uintptr // const wchar_t*
}


================================================
FILE: utils/frontman/driver_windows_test.go
================================================
// +build windows,ignore

package frontman

// TODO(windows): these tests need to be moved to integration tests when possible

import (
	"testing"
	"unsafe"

	. "github.com/smartystreets/goconvey/convey"
)

func TestFrontmanStructLayout(t *testing.T) {

	Convey("Given a Frontman PDB", t, func() {

		pdb, err := abi.FindFrontmanPdb()
		So(err, ShouldBeNil)

		Convey("The layout of DestInfo and DEST_INFO should be the same", func() {
			layout, err := pdb.GetStructLayout("_DEST_INFO")
			So(err, ShouldBeNil)
			So(unsafe.Sizeof(DestInfo{}), ShouldEqual, layout.Size)
			// WCHAR* IPAddress
			index := 0
			So("IPAddress", ShouldEqual, layout.Members[index].Name)
			So(unsafe.Offsetof(DestInfo{}.IpAddr), ShouldEqual, layout.Members[index].Offset)
			// USHORT Port
			index++
			So("Port", ShouldEqual, layout.Members[index].Name)
			So(unsafe.Offsetof(DestInfo{}.Port), ShouldEqual, layout.Members[index].Offset)
			// INT32 Outbound
			index++
			So("Outbound", ShouldEqual, layout.Members[index].Name)
			So(unsafe.Offsetof(DestInfo{}.Outbound), ShouldEqual, layout.Members[index].Offset)
			// UINT64 ProcessId
			index++
			So("ProcessId", ShouldEqual, layout.Members[index].Name)
			So(unsafe.Offsetof(DestInfo{}.ProcessId), ShouldEqual, layout.Members[index].Offset)
			// LPVOID DestHandle
			index++
			So("DestHandle", ShouldEqual, layout.Members[index].Name)
			So(unsafe.Offsetof(DestInfo{}.DestHandle), ShouldEqual, layout.Members[index].Offset)
		})

		Convey("The layout of PacketInfo and FRONTMAN_PACKET_INFO should be the same", func() {
			layout, err := pdb.GetStructLayout("FRONTMAN_PACKET_INFO")
			So(err, ShouldBeNil)
			So(unsafe.Sizeof(PacketInfo{}), ShouldEqual, layout.Size)
			// UINT8 Ipv4
			index := 0
			So("Ipv4", ShouldEqual, layout.Members[index].Name)
			So(unsafe.Offsetof(PacketInfo{}.Ipv4), ShouldEqual, layout.Members[index].Offset)
			// UINT8 Protocol
			index++
			So("Protocol", ShouldEqual, layout.Members[index].Name)
			So(unsafe.Offsetof(PacketInfo{}.Protocol), ShouldEqual, layout.Members[index].Offset)
			// UINT8 Outbound
			index++
			So("Outbound", ShouldEqual, layout.Members[index].Name)
			So(unsafe.Offsetof(PacketInfo{}.Outbound), ShouldEqual, layout.Members[index].Offset)
			// UINT8 Drop
			index++
			So("Drop", ShouldEqual, layout.Members[index].Name)
			So(unsafe.Offsetof(PacketInfo{}.Drop), ShouldEqual, layout.Members[index].Offset)
			// UINT8 IngoreFlow [sic]
			index++
			So("IngoreFlow", ShouldEqual, layout.Members[index].Name)
			So(unsafe.Offsetof(PacketInfo{}.IgnoreFlow), ShouldEqual, layout.Members[index].Offset)
			// skip reserved
			index += 3
			// UINT16 LocalPort
			index++
			So("LocalPort", ShouldEqual, layout.Members[index].Name)
			So(unsafe.Offsetof(PacketInfo{}.LocalPort), ShouldEqual, layout.Members[index].Offset)
			// UINT16 RemotePort
			index++
			So("RemotePort", ShouldEqual, layout.Members[index].Name)
			So(unsafe.Offsetof(PacketInfo{}.RemotePort), ShouldEqual, layout.Members[index].Offset)
			// UINT32 LocalAddr[4]
			index++
			So("LocalAddr", ShouldEqual, layout.Members[index].Name)
			So(unsafe.Offsetof(PacketInfo{}.LocalAddr), ShouldEqual, layout.Members[index].Offset)
			// UINT32 RemoteAddr[4]
			index++
			So("RemoteAddr", ShouldEqual, layout.Members[index].Name)
			So(unsafe.Offsetof(PacketInfo{}.RemoteAddr), ShouldEqual, layout.Members[index].Offset)
			// UINT32 IfIdx
			index++
			So("IfIdx", ShouldEqual, layout.Members[index].Name)
			So(unsafe.Offsetof(PacketInfo{}.IfIdx), ShouldEqual, layout.Members[index].Offset)
			// UINT32 SubIfIdx
			index++
			So("SubIfIdx", ShouldEqual, layout.Members[index].Name)
			So(unsafe.Offsetof(PacketInfo{}.SubIfIdx), ShouldEqual, layout.Members[index].Offset)
			// UINT32 PacketSize
			index++
			So("PacketSize", ShouldEqual, layout.Members[index].Name)
			So(unsafe.Offsetof(PacketInfo{}.PacketSize), ShouldEqual, layout.Members[index].Offset)
			// UINT32 Mark
			index++
			So("Mark", ShouldEqual, layout.Members[index].Name)
			So(unsafe.Offsetof(PacketInfo{}.Mark), ShouldEqual, layout.Members[index].Offset)
			// UINT64 StartTimeReceivedFromNetwork
			index++
			So("StartTimeReceivedFromNetwork", ShouldEqual, layout.Members[index].Name)
			So(unsafe.Offsetof(PacketInfo{}.StartTimeReceivedFromNetwork), ShouldEqual, layout.Members[index].Offset)
			// UINT64 StartTimeSentToUserLand
			index++
			So("StartTimeSentToUserLand", ShouldEqual, layout.Members[index].Name)
			So(unsafe.Offsetof(PacketInfo{}.StartTimeSentToUserLand), ShouldEqual, layout.Members[index].Offset)
		})

		Convey("The layout of RuleSpec and RULE_SPEC should be the same", func() {
			layout, err := pdb.GetStructLayout("RULE_SPEC")
			So(err, ShouldBeNil)
			So(unsafe.Sizeof(RuleSpec{}), ShouldEqual, layout.Size)
			// UINT8 Action
			index := 0
			So("Action", ShouldEqual, layout.Members[index].Name)
			So(unsafe.Offsetof(RuleSpec{}.Action), ShouldEqual, layout.Members[index].Offset)
			// UINT8 Log
			index++
			So("Log", ShouldEqual, layout.Members[index].Name)
			So(unsafe.Offsetof(RuleSpec{}.Log), ShouldEqual, layout.Members[index].Offset)
			// UINT8 Protocol
			index++
			So("Protocol", ShouldEqual, layout.Members[index].Name)
			So(unsafe.Offsetof(RuleSpec{}.Protocol), ShouldEqual, layout.Members[index].Offset)
			// UINT8 ProtocolSpecified
			index++
			So("ProtocolSpecified", ShouldEqual, layout.Members[index].Name)
			So(unsafe.Offsetof(RuleSpec{}.ProtocolSpecified), ShouldEqual, layout.Members[index].Offset)
			// UINT8 IcmpType
			index++
			So("IcmpType", ShouldEqual, layout.Members[index].Name)
			So(unsafe.Offsetof(RuleSpec{}.IcmpType), ShouldEqual, layout.Members[index].Offset)
			// UINT8 IcmpTypeSpecified
			index++
			So("IcmpTypeSpecified", ShouldEqual, layout.Members[index].Name)
			So(unsafe.Offsetof(RuleSpec{}.IcmpTypeSpecified), ShouldEqual, layout.Members[index].Offset)
			// UINT8 IcmpCode
			index++
			So("IcmpCode", ShouldEqual, layout.Members[index].Name)
			So(unsafe.Offsetof(RuleSpec{}.IcmpCode), ShouldEqual, layout.Members[index].Offset)
			// UINT8 IcmpCodeSpecified
			index++
			So("IcmpCodeSpecified", ShouldEqual, layout.Members[index].Name)
			So(unsafe.Offsetof(RuleSpec{}.IcmpCodeSpecified), ShouldEqual, layout.Members[index].Offset)
			// UINT8 AleAuthConnect
			index++
			So("AleAuthConnect", ShouldEqual, layout.Members[index].Name)
			So(unsafe.Offsetof(RuleSpec{}.AleAuthConnect), ShouldEqual, layout.Members[index].Offset)
			// skip reserved
			index++
			// UINT16 ProxyPort
			index++
			So("ProxyPort", ShouldEqual, layout.Members[index].Name)
			So(unsafe.Offsetof(RuleSpec{}.ProxyPort), ShouldEqual, layout.Members[index].Offset)
			// INT16 BytesMatchStart
			index++
			So("BytesMatchStart", ShouldEqual, layout.Members[index].Name)
			So(unsafe.Offsetof(RuleSpec{}.BytesMatchStart), ShouldEqual, layout.Members[index].Offset)
			// INT32 BytesMatchOffset
			index++
			So("BytesMatchOffset", ShouldEqual, layout.Members[index].Name)
			So(unsafe.Offsetof(RuleSpec{}.BytesMatchOffset), ShouldEqual, layout.Members[index].Offset)
			// INT32 BytesMatchSize
			index++
			So("BytesMatchSize", ShouldEqual, layout.Members[index].Name)
			So(unsafe.Offsetof(RuleSpec{}.BytesMatchSize), ShouldEqual, layout.Members[index].Offset)
			// PBYTE BytesMatch
			index++
			So("BytesMatch", ShouldEqual, layout.Members[index].Name)
			So(unsafe.Offsetof(RuleSpec{}.BytesMatch), ShouldEqual, layout.Members[index].Offset)
			// UINT32 Mark
			index++
			So("Mark", ShouldEqual, layout.Members[index].Name)
			So(unsafe.Offsetof(RuleSpec{}.Mark), ShouldEqual, layout.Members[index].Offset)
			// UINT32 GroupId
			index++
			So("GroupId", ShouldEqual, layout.Members[index].Name)
			So(unsafe.Offsetof(RuleSpec{}.GroupId), ShouldEqual, layout.Members[index].Offset)
			// INT32 SrcPortCount
			index++
			So("SrcPortCount", ShouldEqual, layout.Members[index].Name)
			So(unsafe.Offsetof(RuleSpec{}.SrcPortCount), ShouldEqual, layout.Members[index].Offset)
			// INT32 DstPortCount
			index++
			So("DstPortCount", ShouldEqual, layout.Members[index].Name)
			So(unsafe.Offsetof(RuleSpec{}.DstPortCount), ShouldEqual, layout.Members[index].Offset)
			// PPORT_RANGE SrcPorts
			index++
			So("SrcPorts", ShouldEqual, layout.Members[index].Name)
			So(unsafe.Offsetof(RuleSpec{}.SrcPorts), ShouldEqual, layout.Members[index].Offset)
			// PPORT_RANGE DstPorts
			index++
			So("DstPorts", ShouldEqual, layout.Members[index].Name)
			So(unsafe.Offsetof(RuleSpec{}.DstPorts), ShouldEqual, layout.Members[index].Offset)
			// LPCWCH LogPrefix
			index++
			So("LogPrefix", ShouldEqual, layout.Members[index].Name)
			So(unsafe.Offsetof(RuleSpec{}.LogPrefix), ShouldEqual, layout.Members[index].Offset)
			// LPCWCH Application
			index++
			So("Application", ShouldEqual, layout.Members[index].Name)
			So(unsafe.Offsetof(RuleSpec{}.Application), ShouldEqual, layout.Members[index].Offset)
		})

		Convey("The layout of IpsetRuleSpec and IPSET_RULE_SPEC should be the same", func() {
			layout, err := pdb.GetStructLayout("IPSET_RULE_SPEC")
			So(err, ShouldBeNil)
			So(unsafe.Sizeof(IpsetRuleSpec{}), ShouldEqual, layout.Size)
			// UINT8 NotIpset
			index := 0
			So("NotIpset", ShouldEqual, layout.Members[index].Name)
			So(unsafe.Offsetof(IpsetRuleSpec{}.NotIpset), ShouldEqual, layout.Members[index].Offset)
			// UINT8 IpsetDstIp
			index++
			So("IpsetDstIp", ShouldEqual, layout.Members[index].Name)
			So(unsafe.Offsetof(IpsetRuleSpec{}.IpsetDstIp), ShouldEqual, layout.Members[index].Offset)
			// UINT8 IpsetDstPort
			index++
			So("IpsetDstPort", ShouldEqual, layout.Members[index].Name)
			So(unsafe.Offsetof(IpsetRuleSpec{}.IpsetDstPort), ShouldEqual, layout.Members[index].Offset)
			// UINT8 IpsetSrcIp
			index++
			So("IpsetSrcIp", ShouldEqual, layout.Members[index].Name)
			So(unsafe.Offsetof(IpsetRuleSpec{}.IpsetSrcIp), ShouldEqual, layout.Members[index].Offset)
			// UINT8 IpsetSrcPort
			index++
			So("IpsetSrcPort", ShouldEqual, layout.Members[index].Name)
			So(unsafe.Offsetof(IpsetRuleSpec{}.IpsetSrcPort), ShouldEqual, layout.Members[index].Offset)
			// skip reserved
			index++
			// LPCWCH IpsetName
			index++
			So("IpsetName", ShouldEqual, layout.Members[index].Name)
			So(unsafe.Offsetof(IpsetRuleSpec{}.IpsetName), ShouldEqual, layout.Members[index].Offset)
		})

		Convey("The layout of PortRange and PORT_RANGE should be the same", func() {
			layout, err := pdb.GetStructLayout("PORT_RANGE")
			So(err, ShouldBeNil)
			So(unsafe.Sizeof(PortRange{}), ShouldEqual, layout.Size)
			// UINT16 PortStart
			index := 0
			So("PortStart", ShouldEqual, layout.Members[index].Name)
			So(unsafe.Offsetof(PortRange{}.PortStart), ShouldEqual, layout.Members[index].Offset)
			// UINT16 PortEnd
			index++
			So("PortEnd", ShouldEqual, layout.Members[index].Name)
			So(unsafe.Offsetof(PortRange{}.PortEnd), ShouldEqual, layout.Members[index].Offset)
		})

		Convey("The layout of LogPacketInfo and FRONTMAN_LOG_PACKET_INFO should be the same", func() {
			layout, err := pdb.GetStructLayout("FRONTMAN_LOG_PACKET_INFO")
			So(err, ShouldBeNil)
			So(unsafe.Sizeof(LogPacketInfo{}), ShouldEqual, layout.Size)
			// UINT8 Ipv4
			index := 0
			So("Ipv4", ShouldEqual, layout.Members[index].Name)
			So(unsafe.Offsetof(LogPacketInfo{}.Ipv4), ShouldEqual, layout.Members[index].Offset)
			// UINT8 Protocol
			index++
			So("Protocol", ShouldEqual, layout.Members[index].Name)
			So(unsafe.Offsetof(LogPacketInfo{}.Protocol), ShouldEqual, layout.Members[index].Offset)
			// UINT8 Outbound
			index++
			So("Outbound", ShouldEqual, layout.Members[index].Name)
			So(unsafe.Offsetof(LogPacketInfo{}.Outbound), ShouldEqual, layout.Members[index].Offset)
			// skip reserved
			index++
			// UINT16 LocalPort
			index++
			So("LocalPort", ShouldEqual, layout.Members[index].Name)
			So(unsafe.Offsetof(LogPacketInfo{}.LocalPort), ShouldEqual, layout.Members[index].Offset)
			// UINT16 RemotePort
			index++
			So("RemotePort", ShouldEqual, layout.Members[index].Name)
			So(unsafe.Offsetof(LogPacketInfo{}.RemotePort), ShouldEqual, layout.Members[index].Offset)
			// UINT32 LocalAddr[4]
			index++
			So("LocalAddr", ShouldEqual, layout.Members[index].Name)
			So(unsafe.Offsetof(LogPacketInfo{}.LocalAddr), ShouldEqual, layout.Members[index].Offset)
			// // UINT32 RemoteAddr[4]
			index++
			So("RemoteAddr", ShouldEqual, layout.Members[index].Name)
			So(unsafe.Offsetof(LogPacketInfo{}.RemoteAddr), ShouldEqual, layout.Members[index].Offset)
			// UINT32 PacketSize
			index++
			So("PacketSize", ShouldEqual, layout.Members[index].Name)
			So(unsafe.Offsetof(LogPacketInfo{}.PacketSize), ShouldEqual, layout.Members[index].Offset)
			// UINT32 GroupId
			index++
			So("GroupId", ShouldEqual, layout.Members[index].Name)
			So(unsafe.Offsetof(LogPacketInfo{}.GroupId), ShouldEqual, layout.Members[index].Offset)
			// WCHAR LogPrefix[LOGPREFIX_MAX_LENGTH]
			index++
			So("LogPrefix", ShouldEqual, layout.Members[index].Name)
			So(unsafe.Offsetof(LogPacketInfo{}.LogPrefix), ShouldEqual, layout.Members[index].Offset)
		})

	})

}

func TestFrontmanFunctionArguments(t *testing.T) {

	const pointerSize = unsafe.Sizeof(uintptr(0))

	Convey("Given a Frontman PDB", t, func() {

		pdb, err := abi.FindFrontmanPdb()
		So(err, ShouldBeNil)

		Convey("The arguments to FrontmanGetDestInfo should be as expected", func() {
			funcArgs, err := pdb.GetFunctionArguments("FrontmanGetDestInfo")
			So(err, ShouldBeNil)
			So(len(funcArgs), ShouldEqual, 3)
			So(funcArgs[0].Size, ShouldEqual, pointerSize)
			So(funcArgs[1].Size, ShouldEqual, pointerSize)
			So(funcArgs[2].Size, ShouldEqual, pointerSize)
		})

		Convey("The arguments to FrontmanApplyDestHandle should be as expected", func() {
			funcArgs, err := pdb.GetFunctionArguments("FrontmanApplyDestHandle")
			So(err, ShouldBeNil)
			So(len(funcArgs), ShouldEqual, 2)
			So(funcArgs[0].Size, ShouldEqual, pointerSize)
			So(funcArgs[1].Size, ShouldEqual, pointerSize)
		})

		Convey("The arguments to FrontmanFreeDestHandle should be as expected", func() {
			funcArgs, err := pdb.GetFunctionArguments("FrontmanFreeDestHandle")
			So(err, ShouldBeNil)
			So(len(funcArgs), ShouldEqual, 1)
			So(funcArgs[0].Size, ShouldEqual, pointerSize)
		})

		Convey("The arguments to IpsetProvider_NewIpset should be as expected", func() {
			funcArgs, err := pdb.GetFunctionArguments("IpsetProvider_NewIpset")
			So(err, ShouldBeNil)
			So(len(funcArgs), ShouldEqual, 4)
			So(funcArgs[0].Size, ShouldEqual, pointerSize)
			So(funcArgs[1].Size, ShouldEqual, pointerSize)
			So(funcArgs[2].Size, ShouldEqual, pointerSize)
			So(funcArgs[3].Size, ShouldEqual, pointerSize)
		})

		Convey("The arguments to IpsetProvider_GetIpset should be as expected", func() {
			funcArgs, err := pdb.GetFunctionArguments("IpsetProvider_GetIpset")
			So(err, ShouldBeNil)
			So(len(funcArgs), ShouldEqual, 3)
			So(funcArgs[0].Size, ShouldEqual, pointerSize)
			So(funcArgs[1].Size, ShouldEqual, pointerSize)
			So(funcArgs[2].Size, ShouldEqual, pointerSize)
		})

		Convey("The arguments to IpsetProvider_DestroyAll should be as expected", func() {
			funcArgs, err := pdb.GetFunctionArguments("IpsetProvider_DestroyAll")
			So(err, ShouldBeNil)
			So(len(funcArgs), ShouldEqual, 2)
			So(funcArgs[0].Size, ShouldEqual, pointerSize)
			So(funcArgs[1].Size, ShouldEqual, pointerSize)
		})

		Convey("The arguments to IpsetProvider_ListIPSets should be as expected", func() {
			funcArgs, err := pdb.GetFunctionArguments("IpsetProvider_ListIPSets")
			So(err, ShouldBeNil)
			So(len(funcArgs), ShouldEqual, 4)
			So(funcArgs[0].Size, ShouldEqual, pointerSize)
			So(funcArgs[1].Size, ShouldEqual, pointerSize)
			So(funcArgs[2].Size, ShouldEqual, unsafe.Sizeof(uint32(0)))
			So(funcArgs[3].Size, ShouldEqual, pointerSize)
		})

		Convey("The arguments to IpsetProvider_ListIPSetsDetail should be as expected", func() {
			funcArgs, err := pdb.GetFunctionArguments("IpsetProvider_ListIPSetsDetail")
			So(err, ShouldBeNil)
			So(len(funcArgs), ShouldEqual, 5)
			So(funcArgs[0].Size, ShouldEqual, pointerSize)
			So(funcArgs[1].Size, ShouldEqual, unsafe.Sizeof(int32(0)))
			So(funcArgs[2].Size, ShouldEqual, pointerSize)
			So(funcArgs[3].Size, ShouldEqual, unsafe.Sizeof(uint32(0)))
			So(funcArgs[4].Size, ShouldEqual, pointerSize)
		})

		Convey("The arguments to Ipset_Add should be as expected", func() {
			funcArgs, err := pdb.GetFunctionArguments("Ipset_Add")
			So(err, ShouldBeNil)
			So(len(funcArgs), ShouldEqual, 4)
			So(funcArgs[0].Size, ShouldEqual, pointerSize)
			So(funcArgs[1].Size, ShouldEqual, pointerSize)
			So(funcArgs[2].Size, ShouldEqual, pointerSize)
			So(funcArgs[3].Size, ShouldEqual, unsafe.Sizeof(uint32(0)))
		})

		Convey("The arguments to Ipset_AddOption should be as expected", func() {
			funcArgs, err := pdb.GetFunctionArguments("Ipset_AddOption")
			So(err, ShouldBeNil)
			So(len(funcArgs), ShouldEqual, 5)
			So(funcArgs[0].Size, ShouldEqual, pointerSize)
			So(funcArgs[1].Size, ShouldEqual, pointerSize)
			So(funcArgs[2].Size, ShouldEqual, pointerSize)
			So(funcArgs[3].Size, ShouldEqual, pointerSize)
			So(funcArgs[4].Size, ShouldEqual, unsafe.Sizeof(uint32(0)))
		})

		Convey("The arguments to Ipset_Delete should be as expected", func() {
			funcArgs, err := pdb.GetFunctionArguments("Ipset_Delete")
			So(err, ShouldBeNil)
			So(len(funcArgs), ShouldEqual, 3)
			So(funcArgs[0].Size, ShouldEqual, pointerSize)
			So(funcArgs[1].Size, ShouldEqual, pointerSize)
			So(funcArgs[2].Size, ShouldEqual, pointerSize)
		})

		Convey("The arguments to Ipset_Destroy should be as expected", func() {
			funcArgs, err := pdb.GetFunctionArguments("Ipset_Destroy")
			So(err, ShouldBeNil)
			So(len(funcArgs), ShouldEqual, 2)
			So(funcArgs[0].Size, ShouldEqual, pointerSize)
			So(funcArgs[1].Size, ShouldEqual, pointerSize)
		})

		Convey("The arguments to Ipset_Flush should be as expected", func() {
			funcArgs, err := pdb.GetFunctionArguments("Ipset_Flush")
			So(err, ShouldBeNil)
			So(len(funcArgs), ShouldEqual, 2)
			So(funcArgs[0].Size, ShouldEqual, pointerSize)
			So(funcArgs[1].Size, ShouldEqual, pointerSize)
		})

		Convey("The arguments to Ipset_Test should be as expected", func() {
			funcArgs, err := pdb.GetFunctionArguments("Ipset_Test")
			So(err, ShouldBeNil)
			So(len(funcArgs), ShouldEqual, 3)
			So(funcArgs[0].Size, ShouldEqual, pointerSize)
			So(funcArgs[1].Size, ShouldEqual, pointerSize)
			So(funcArgs[2].Size, ShouldEqual, pointerSize)
		})

		Convey("The arguments to PacketFilterStart should be as expected", func() {
			funcArgs, err := pdb.GetFunctionArguments("PacketFilterStart")
			So(err, ShouldBeNil)
			So(len(funcArgs), ShouldEqual, 4)
			So(funcArgs[0].Size, ShouldEqual, pointerSize)
			So(funcArgs[1].Size, ShouldEqual, pointerSize)
			So(funcArgs[2].Size, ShouldEqual, pointerSize)
			So(funcArgs[3].Size, ShouldEqual, pointerSize)
		})

		Convey("The arguments to PacketFilterClose should be as expected", func() {
			funcArgs, err := pdb.GetFunctionArguments("PacketFilterClose")
			So(err, ShouldBeNil)
			So(len(funcArgs), ShouldEqual, 0)
		})

		Convey("The arguments to PacketFilterForwardPacket should be as expected", func() {
			funcArgs, err := pdb.GetFunctionArguments("PacketFilterForwardPacket")
			So(err, ShouldBeNil)
			So(len(funcArgs), ShouldEqual, 2)
			So(funcArgs[0].Size, ShouldEqual, pointerSize)
			So(funcArgs[1].Size, ShouldEqual, pointerSize)
		})

		Convey("The arguments to AppendFilter should be as expected", func() {
			funcArgs, err := pdb.GetFunctionArguments("AppendFilter")
			So(err, ShouldBeNil)
			So(len(funcArgs), ShouldEqual, 3)
			So(funcArgs[0].Size, ShouldEqual, pointerSize)
			So(funcArgs[1].Size, ShouldEqual, unsafe.Sizeof(uint32(0)))
			So(funcArgs[2].Size, ShouldEqual, pointerSize)
		})

		Convey("The arguments to InsertFilter should be as expected", func() {
			funcArgs, err := pdb.GetFunctionArguments("InsertFilter")
			So(err, ShouldBeNil)
			So(len(funcArgs), ShouldEqual, 4)
			So(funcArgs[0].Size, ShouldEqual, pointerSize)
			So(funcArgs[1].Size, ShouldEqual, unsafe.Sizeof(uint32(0)))
			So(funcArgs[2].Size, ShouldEqual, unsafe.Sizeof(uint32(0)))
			So(funcArgs[3].Size, ShouldEqual, pointerSize)
		})

		Convey("The arguments to DestroyFilter should be as expected", func() {
			funcArgs, err := pdb.GetFunctionArguments("DestroyFilter")
			So(err, ShouldBeNil)
			So(len(funcArgs), ShouldEqual, 2)
			So(funcArgs[0].Size, ShouldEqual, pointerSize)
			So(funcArgs[1].Size, ShouldEqual, pointerSize)
		})

		Convey("The arguments to EmptyFilter should be as expected", func() {
			funcArgs, err := pdb.GetFunctionArguments("EmptyFilter")
			So(err, ShouldBeNil)
			So(len(funcArgs), ShouldEqual, 2)
			So(funcArgs[0].Size, ShouldEqual, pointerSize)
			So(funcArgs[1].Size, ShouldEqual, pointerSize)
		})

		Convey("The arguments to GetFilterList should be as expected", func() {
			funcArgs, err := pdb.GetFunctionArguments("GetFilterList")
			So(err, ShouldBeNil)
			So(len(funcArgs), ShouldEqual, 5)
			So(funcArgs[0].Size, ShouldEqual, pointerSize)
			So(funcArgs[1].Size, ShouldEqual, unsafe.Sizeof(uint32(0)))
			So(funcArgs[2].Size, ShouldEqual, pointerSize)
			So(funcArgs[3].Size, ShouldEqual, unsafe.Sizeof(uint32(0)))
			So(funcArgs[4].Size, ShouldEqual, pointerSize)
		})

		Convey("The arguments to AppendFilterCriteria should be as expected", func() {
			funcArgs, err := pdb.GetFunctionArguments("AppendFilterCriteria")
			So(err, ShouldBeNil)
			So(len(funcArgs), ShouldEqual, 6)
			So(funcArgs[0].Size, ShouldEqual, pointerSize)
			So(funcArgs[1].Size, ShouldEqual, pointerSize)
			So(funcArgs[2].Size, ShouldEqual, pointerSize)
			So(funcArgs[3].Size, ShouldEqual, pointerSize)
			So(funcArgs[4].Size, ShouldEqual, pointerSize)
			So(funcArgs[5].Size, ShouldEqual, unsafe.Sizeof(uint32(0)))
		})

		Convey("The arguments to DeleteFilterCriteria should be as expected", func() {
			funcArgs, err := pdb.GetFunctionArguments("DeleteFilterCriteria")
			So(err, ShouldBeNil)
			So(len(funcArgs), ShouldEqual, 3)
			So(funcArgs[0].Size, ShouldEqual, pointerSize)
			So(funcArgs[1].Size, ShouldEqual, pointerSize)
			So(funcArgs[2].Size, ShouldEqual, pointerSize)
		})

		Convey("The arguments to GetCriteriaList should be as expected", func() {
			funcArgs, err := pdb.GetFunctionArguments("GetCriteriaList")
			So(err, ShouldBeNil)
			So(len(funcArgs), ShouldEqual, 5)
			So(funcArgs[0].Size, ShouldEqual, pointerSize)
			So(funcArgs[1].Size, ShouldEqual, unsafe.Sizeof(int32(0)))
			So(funcArgs[2].Size, ShouldEqual, pointerSize)
			So(funcArgs[3].Size, ShouldEqual, unsafe.Sizeof(uint32(0)))
			So(funcArgs[4].Size, ShouldEqual, pointerSize)
		})

	})

}


================================================
FILE: utils/frontman/rulecleanup_windows.go
================================================
// +build windows

package frontman

import (
	"strings"
)

type ruleCleanup interface {
	mapIpsetToRule(ipsetName string, filterName, criteriaName string)
	deleteRulesForIpset(wrapDriver WrapDriver, ipsetName string) error
	deleteRuleForIpsetByPrefix(wrapDriver WrapDriver, prefix string) error
	deleteRuleFromIpsetMap(filterName, criteriaName string)
	getRulesForIpset(ipsetName string) []*filterRulePair
}

type ruleCleaner struct {
	ipsetToRule map[string][]*filterRulePair
}

type filterRulePair struct {
	filterName   string
	ruleCriteria string
}

func newRuleCleanup() ruleCleanup {
	return &ruleCleaner{
		ipsetToRule: make(map[string][]*filterRulePair),
	}
}

// We keep a map of ipset name to rules. This is a safeguard to ensure that rules are deleted.
// Normally, during policy update, rules and ipsets are deleted explicitly and all works well.
// There are some instances though (Discovery Mode) where criteria name strings use in deletion
// do not align with criteria name strings used during addition. This will result in rules
// stranded in our driver, which is really bad for multiple reasons.
// Since deletion of ipsets is more orderly than deletion of rules by criteria name, and since
// the rules that are subject to being stranded are all so far associated with an ephemeral ipset,
// we can use the deletion of an ipset to trigger a cleanup of all rules associated with it.

func (r *ruleCleaner) mapIpsetToRule(ipsetName string, filterName, criteriaName string) {
	r.ipsetToRule[ipsetName] = append(r.ipsetToRule[ipsetName], &filterRulePair{filterName: filterName, ruleCriteria: criteriaName})
}

func (r *ruleCleaner) deleteRulesForIpset(wrapDriver WrapDriver, ipsetName string) error {
	for _, frpair := range r.ipsetToRule[ipsetName] {
		// In recent changes, these rule are already gone, so don't log an error if this fails.
		wrapDriver.DeleteFilterCriteria(frpair.filterName, frpair.ruleCriteria) //nolint
	}
	delete(r.ipsetToRule, ipsetName)
	return nil
}

func (r *ruleCleaner) deleteRuleForIpsetByPrefix(wrapDriver WrapDriver, prefix string) error {

	ipsets, err := wrapDriver.ListIpsets()
	if err != nil {
		return err
	}
	for _, ipsetName := range ipsets {
		if strings.HasPrefix(ipsetName, prefix) {
			if err := r.deleteRulesForIpset(wrapDriver, ipsetName); err != nil {
				return err
			}
		}
	}
	return nil
}

func (r *ruleCleaner) deleteRuleFromIpsetMap(filterName, criteriaName string) {
	// quadratic for now, optimize later if we need to
	for ipsetName, frpairs := range r.ipsetToRule {
		for i, frpair := range frpairs {
			if frpair.filterName == filterName && frpair.ruleCriteria == criteriaName {
				// delete pair from slice
				frpairs[i] = frpairs[len(frpairs)-1]
				r.ipsetToRule[ipsetName] = frpairs[:len(frpairs)-1]
				// rule can be mapped from multiple ipsets, so continue our outer loop
				break
			}
		}
	}
}

func (r *ruleCleaner) getRulesForIpset(ipsetName string) []*filterRulePair {
	frpairs := r.ipsetToRule[ipsetName]
	result := make([]*filterRulePair, len(frpairs))
	copy(result, frpairs)
	return result
}


================================================
FILE: utils/frontman/rulecleanup_windows_test.go
================================================
// +build windows

package frontman

import (
	"fmt"
	"strings"
	"testing"
)

const (
	ipset1  = "ipset-1"
	ipset2  = "ipset-2"
	ipset3  = "ipset-3"
	ipset4  = "ipset-4"
	ipset5  = "ipset-5"
	ipset6a = "ipset-6a"
	ipset6b = "ipset-6b"
	filter1 = "filter 1"
	filter2 = "filter 2"
	filter3 = "filter 3"
	filter4 = "filter 4"
)

var (
	rule1 = fmt.Sprintf("rule 1 for %s", ipset1)
	rule2 = fmt.Sprintf("rule 2 for %s and %s", ipset1, ipset2)
	rule3 = fmt.Sprintf("rule 3 for %s", ipset2)
	rule4 = fmt.Sprintf("rule 4 for %s", ipset3)
	rule5 = fmt.Sprintf("rule 5 for %s", ipset4)
	rule6 = fmt.Sprintf("rule 6 for %s and %s and two different filters", ipset4, ipset5)
	rule7 = fmt.Sprintf("rule 7 for %s and two different filters", ipset4)
	rule8 = fmt.Sprintf("rule 8 for %s", ipset6a)
	rule9 = fmt.Sprintf("rule 9 for %s", ipset6b)
)

type wrapperForTest struct {
	cleaner ruleCleanup
	ipsets  map[string]bool
	rules   map[string]map[string]bool
}

func (w *wrapperForTest) addRule(ipsetName, filterName, ruleCriteria string) {
	w.cleaner.mapIpsetToRule(ipsetName, filterName, ruleCriteria)
	w.ipsets[ipsetName] = true
	if _, ok := w.rules[filterName]; !ok {
		w.rules[filterName] = make(map[string]bool)
	}
	w.rules[filterName][ruleCriteria] = true
}

func (w *wrapperForTest) deleteIpset(ipsetName string) error {
	if err := w.cleaner.deleteRulesForIpset(w, ipsetName); err != nil {
		return err
	}
	delete(w.ipsets, ipsetName)
	return nil
}

func (w *wrapperForTest) deleteIpsetByPrefix(ipsetNamePrefix string) error {
	if err := w.cleaner.deleteRuleForIpsetByPrefix(w, ipsetNamePrefix); err != nil {
		return err
	}
	for ipsetName := range w.ipsets {
		if strings.HasPrefix(ipsetName, ipsetNamePrefix) {
			delete(w.ipsets, ipsetName)
		}
	}
	return nil
}

func (w *wrapperForTest) ruleExists(filterName, ruleCriteria string) bool {
	_, ok := w.rules[filterName][ruleCriteria]
	return ok
}

func (w *wrapperForTest) deleteRule(filterName, ruleCriteria string) {
	w.cleaner.deleteRuleFromIpsetMap(filterName, ruleCriteria)
	delete(w.rules[filterName], ruleCriteria)
}

func Test_ruleCleaner(t *testing.T) {

	wrapper := &wrapperForTest{
		ipsets:  make(map[string]bool),
		rules:   make(map[string]map[string]bool),
		cleaner: newRuleCleanup(),
	}

	// Add some ipsets and rules
	wrapper.addRule(ipset1, filter1, rule1)
	wrapper.addRule(ipset1, filter2, rule2)
	wrapper.addRule(ipset2, filter2, rule2)
	wrapper.addRule(ipset2, filter1, rule3)
	wrapper.addRule(ipset2, filter2, rule3)
	wrapper.addRule(ipset3, filter3, rule4)
	wrapper.addRule(ipset1, filter3, rule1)
	wrapper.addRule(ipset1, filter4, rule1)
	wrapper.addRule(ipset4, filter1, rule5)
	wrapper.addRule(ipset4, filter1, rule6)
	wrapper.addRule(ipset5, filter1, rule6)
	wrapper.addRule(ipset4, filter2, rule7)
	wrapper.addRule(ipset4, filter2, rule6)
	wrapper.addRule(ipset5, filter2, rule6)
	wrapper.addRule(ipset6a, filter3, rule8)
	wrapper.addRule(ipset6b, filter3, rule9)

	// I delete an ipset. Its rules should be deleted.
	if err := wrapper.deleteIpset(ipset2); err != nil {
		t.Errorf("deleteIpset failed: %w", err)
	}
	if wrapper.ruleExists(filter2, rule2) || wrapper.ruleExists(filter1, rule3) || wrapper.ruleExists(filter2, rule3) {
		t.Errorf("deleting ipset 2 did not delete all its rules")
	}
	if !wrapper.ruleExists(filter1, rule1) {
		t.Errorf("deleting ipset 2 deleted extra rules")
	}

	// Delete by prefix
	if err := wrapper.deleteIpsetByPrefix("ipset-6"); err != nil {
		t.Errorf("deleteIpsetByPrefix failed: %w", err)
	}
	if wrapper.ruleExists(filter3, rule8) || wrapper.ruleExists(filter3, rule9) {
		t.Errorf("deleting by prefix did not work")
	}

	// Delete another ipset associated with different filters and other ipsets
	if err := wrapper.deleteIpset(ipset4); err != nil {
		t.Errorf("deleteIpset failed: %w", err)
	}
	if wrapper.ruleExists(filter1, rule5) || wrapper.ruleExists(filter1, rule6) || wrapper.ruleExists(filter2, rule6) || wrapper.ruleExists(filter2, rule7) {
		t.Errorf("deleting ipset 4 did not delete all its rules")
	}

	// Rules 1 and 4 should be remaining
	if !wrapper.ruleExists(filter1, rule1) || !wrapper.ruleExists(filter3, rule1) || !wrapper.ruleExists(filter4, rule1) {
		t.Errorf("expected rule 1 to exist but does not")
	}
	if !wrapper.ruleExists(filter3, rule4) {
		t.Errorf("expected rule 4 to exist but does not")
	}

	// Delete rules 1 and 4 and verify
	wrapper.deleteRule(filter1, rule1)
	wrapper.deleteRule(filter3, rule1)
	wrapper.deleteRule(filter4, rule1)
	wrapper.deleteRule(filter3, rule4)
	if wrapper.ruleExists(filter1, rule1) || wrapper.ruleExists(filter3, rule1) || wrapper.ruleExists(filter4, rule1) || wrapper.ruleExists(filter3, rule4) {
		t.Errorf("deleting rules 1 and 4 did not work")
	}

	// Rules should be gone
	for filterName, ruleCriterias := range wrapper.rules {
		for ruleCriteria := range ruleCriterias {
			t.Errorf("deleted rules but this one for filter %s remains: %s", filterName, ruleCriteria)
		}
	}

	// Now we still have some ipsets not deleted, so their maps may not be empty. Explicitly delete these rules.
	wrapper.deleteRule(filter2, rule2) // in ipset1 map
	wrapper.deleteRule(filter1, rule6) // in ipset5 map
	wrapper.deleteRule(filter2, rule6) // in ipset5 map

	// Verify nothing left in cleaner
	remainingRules := make([]*filterRulePair, 0)
	remainingRules = append(remainingRules,
		append(wrapper.cleaner.getRulesForIpset(ipset1),
			append(wrapper.cleaner.getRulesForIpset(ipset2),
				append(wrapper.cleaner.getRulesForIpset(ipset3),
					append(wrapper.cleaner.getRulesForIpset(ipset4),
						append(wrapper.cleaner.getRulesForIpset(ipset5),
							append(wrapper.cleaner.getRulesForIpset(ipset6a),
								wrapper.cleaner.getRulesForIpset(ipset6b)...)...)...)...)...)...)...)
	for _, frpair := range remainingRules {
		t.Errorf("deleted rules but cleaner still has this one for filter %s: %s", frpair.filterName, frpair.ruleCriteria)
	}
}

// WrapDriver implementation for the test only needs to implement the functions called by the rule cleaner

func (w *wrapperForTest) ListIpsets() ([]string, error) {
	ipsetNames := make([]string, 0, len(w.ipsets))
	for ipsetName := range w.ipsets {
		ipsetNames = append(ipsetNames, ipsetName)
	}
	return ipsetNames, nil
}

func (w *wrapperForTest) DeleteFilterCriteria(filterName, criteriaName string) error {
	delete(w.rules[filterName], criteriaName)
	return nil
}

// Dummy implementations below

func (w *wrapperForTest) GetDestInfo(socket uintptr, destInfo *DestInfo) error {
	return nil
}

func (w *wrapperForTest) ApplyDestHandle(socket, destHandle uintptr) error {
	return nil
}

func (w *wrapperForTest) FreeDestHandle(destHandle uintptr) error {
	return nil
}

func (w *wrapperForTest) NewIpset(name, ipsetType string) (uintptr, error) {
	return 1, nil
}

func (w *wrapperForTest) GetIpset(name string) (uintptr, error) {
	return 1, nil
}

func (w *wrapperForTest) DestroyAllIpsets(prefix string) error {
	return nil
}

func (w *wrapperForTest) ListIpsetsDetail(format int) (string, error) {
	return "", nil
}

func (w *wrapperForTest) IpsetAdd(ipsetHandle uintptr, entry string, timeout int) error {
	return nil
}

func (w *wrapperForTest) IpsetAddOption(ipsetHandle uintptr, entry, option string, timeout int) error {
	return nil
}

func (w *wrapperForTest) IpsetDelete(ipsetHandle uintptr, entry string) error {
	return nil
}

func (w *wrapperForTest) IpsetDestroy(ipsetHandle uintptr, name string) error {
	return nil
}

func (w *wrapperForTest) IpsetFlush(ipsetHandle uintptr) error {
	return nil
}

func (w *wrapperForTest) IpsetTest(ipsetHandle uintptr, entry string) (bool, error) {
	return false, nil
}

func (w *wrapperForTest) PacketFilterStart(firewallName string, receiveCallback, loggingCallback func(uintptr, uintptr) uintptr) error {
	return nil
}

func (w *wrapperForTest) PacketFilterClose() error {
	return nil
}

func (w *wrapperForTest) PacketFilterForward(info *PacketInfo, packetBytes []byte) error {
	return nil
}

func (w *wrapperForTest) AppendFilter(outbound bool, filterName string, isGotoFilter bool) error {
	return nil
}

func (w *wrapperForTest) InsertFilter(outbound bool, priority int, filterName string, isGotoFilter bool) error {
	return nil
}

func (w *wrapperForTest) DestroyFilter(filterName string) error {
	return nil
}

func (w *wrapperForTest) EmptyFilter(filterName string) error {
	return nil
}

func (w *wrapperForTest) GetFilterList(outbound bool) ([]string, error) {
	return nil, nil
}

func (w *wrapperForTest) AppendFilterCriteria(filterName, criteriaName string, ruleSpec *RuleSpec, ipsetRuleSpecs []IpsetRuleSpec) error {
	return nil
}

func (w *wrapperForTest) GetCriteriaList(format int) (string, error) {
	return "", nil
}


================================================
FILE: utils/frontman/utils_windows.go
================================================
// +build windows

package frontman

import (
	"syscall"
	"unsafe"
)

// WideCharPointerToString converts a pointer to a zero-terminated wide character string to a golang string
func WideCharPointerToString(pszWide *uint16) string {

	ptr := uintptr(unsafe.Pointer(pszWide)) // nolint:govet
	buf := make([]uint16, 0, 256)
	for {
		ch := *((*uint16)(unsafe.Pointer(ptr))) // nolint:govet
		buf = append(buf, ch)
		if ch == 0 {
			break
		}

		ptr += 2
	}
	return syscall.UTF16ToString(buf)
}


================================================
FILE: utils/frontman/wrapper_windows.go
================================================
// +build windows

package frontman

import (
	"fmt"
	"strings"
	"syscall"
	"unsafe"

	"go.uber.org/zap"
	"golang.org/x/sys/windows"
)

// WrapDriver represents convenience wrapper methods for calling our Windows Frontman DLL
type WrapDriver interface {
	GetDestInfo(socket uintptr, destInfo *DestInfo) error
	ApplyDestHandle(socket, destHandle uintptr) error
	FreeDestHandle(destHandle uintptr) error
	NewIpset(name, ipsetType string) (uintptr, error)
	GetIpset(name string) (uintptr, error)
	DestroyAllIpsets(prefix string) error
	ListIpsets() ([]string, error)
	ListIpsetsDetail(format int) (string, error)
	IpsetAdd(ipsetHandle uintptr, entry string, timeout int) error
	IpsetAddOption(ipsetHandle uintptr, entry, option string, timeout int) error
	IpsetDelete(ipsetHandle uintptr, entry string) error
	IpsetDestroy(ipsetHandle uintptr, name string) error
	IpsetFlush(ipsetHandle uintptr) error
	IpsetTest(ipsetHandle uintptr, entry string) (bool, error)
	PacketFilterStart(firewallName string, receiveCallback, loggingCallback func(uintptr, uintptr) uintptr) error
	PacketFilterClose() error
	PacketFilterForward(info *PacketInfo, packetBytes []byte) error
	AppendFilter(outbound bool, filterName string, isGotoFilter bool) error
	InsertFilter(outbound bool, priority int, filterName string, isGotoFilter bool) error
	DestroyFilter(filterName string) error
	EmptyFilter(filterName string) error
	GetFilterList(outbound bool) ([]string, error)
	AppendFilterCriteria(filterName, criteriaName string, ruleSpec *RuleSpec, ipsetRuleSpecs []IpsetRuleSpec) error
	DeleteFilterCriteria(filterName, criteriaName string) error
	GetCriteriaList(format int) (string, error)
}

type wrapper struct {
	driverHandle uintptr
	ruleCleaner  ruleCleanup
}

// Wrapper is the driver/dll wrapper implementation
var Wrapper = WrapDriver(&wrapper{
	driverHandle: uintptr(syscall.InvalidHandle),
	ruleCleaner:  newRuleCleanup(),
})

func (w *wrapper) initDriverHandle() {
	if w.driverHandle == 0 || syscall.Handle(w.driverHandle) == syscall.InvalidHandle {
		ret, err := Driver.FrontmanOpenShared()
		if err != nil {
			zap.L().Fatal("Unable to initialize Frontman driver. Check Windows Event Viewer System logs for errors, and ensure that no other instances are currently running.", zap.Error(err))
		}
		w.driverHandle = ret
	}
}

func (w *wrapper) GetDestInfo(socket uintptr, destInfo *DestInfo) error {
	w.initDriverHandle()
	if ret, err := Driver.GetDestInfo(w.driverHandle, socket, uintptr(unsafe.Pointer(destInfo))); ret == 0 {
		return fmt.Errorf("GetDestInfo failed: %v", err)
	}
	return nil
}

func (w *wrapper) ApplyDestHandle(socket, destHandle uintptr) error {
	w.initDriverHandle()
	if ret, err := Driver.ApplyDestHandle(socket, destHandle); ret == 0 {
		return fmt.Errorf("ApplyDestHandle failed: %v", err)
	}
	return nil
}

func (w *wrapper) FreeDestHandle(destHandle uintptr) error {
	w.initDriverHandle()
	if ret, err := Driver.FreeDestHandle(destHandle); ret == 0 {
		return fmt.Errorf("FreeDestHandle failed: %v", err)
	}
	return nil
}

func (w *wrapper) NewIpset(name, ipsetType string) (uintptr, error) {
	w.initDriverHandle()
	var ipsetHandle uintptr
	if ret, err := Driver.NewIpset(w.driverHandle, marshalString(name), marshalString(ipsetType), uintptr(unsafe.Pointer(&ipsetHandle))); ret == 0 {
		return 0, fmt.Errorf("NewIpset failed: %v", err)
	}
	return ipsetHandle, nil
}

func (w *wrapper) GetIpset(name string) (uintptr, error) {
	w.initDriverHandle()
	var ipsetHandle uintptr
	if ret, err := Driver.GetIpset(w.driverHandle, marshalString(name), uintptr(unsafe.Pointer(&ipsetHandle))); ret == 0 {
		return 0, fmt.Errorf("GetIpset failed: %v", err)
	}
	return ipsetHandle, nil
}

func (w *wrapper) DestroyAllIpsets(prefix string) error {
	w.initDriverHandle()
	// order important: we must call cleaner routine before telling driver to delete the ipsets
	errCleaner := w.ruleCleaner.deleteRuleForIpsetByPrefix(w, prefix)
	if ret, err := Driver.DestroyAllIpsets(w.driverHandle, marshalString(prefix)); ret == 0 {
		return fmt.Errorf("DestroyAllIpsets failed: %v", err)
	}
	return errCleaner
}

func (w *wrapper) ListIpsets() ([]string, error) {
	w.initDriverHandle()
	// first query for needed buffer size
	var bytesNeeded, ignore uint32
	ret, err := Driver.ListIpsets(w.driverHandle, 0, 0, uintptr(unsafe.Pointer(&bytesNeeded)))
	if ret != 0 && bytesNeeded == 0 {
		return []string{}, nil
	}
	if err != windows.ERROR_INSUFFICIENT_BUFFER {
		return nil, fmt.Errorf("ListIpsets failed: %v", err)
	}
	if bytesNeeded%2 != 0 {
		return nil, fmt.Errorf("ListIpsets failed: odd result (%d)", bytesNeeded)
	}
	// then allocate buffer for wide string and call again
	buf := make([]uint16, bytesNeeded/2)
	ret, err = Driver.ListIpsets(w.driverHandle, uintptr(unsafe.Pointer(&buf[0])), uintptr(bytesNeeded), uintptr(unsafe.Pointer(&ignore)))
	if ret == 0 {
		return nil, fmt.Errorf("ListIpsets failed: %v", err)
	}
	str := syscall.UTF16ToString(buf)
	return strings.Split(str, ","), nil
}

func (w *wrapper) ListIpsetsDetail(format int) (string, error) {
	w.initDriverHandle()
	// first query for needed buffer size
	var bytesNeeded, ignore uint32
	emptyStr := ""
	ret, err := Driver.ListIpsetsDetail(w.driverHandle, uintptr(format), 0, 0, uintptr(unsafe.Pointer(&bytesNeeded)))
	if ret != 0 && bytesNeeded == 0 {
		return emptyStr, nil
	}
	if err != windows.ERROR_INSUFFICIENT_BUFFER {
		return emptyStr, fmt.Errorf("ListIpsetsDetail failed: %v", err)
	}
	if bytesNeeded%2 != 0 {
		return emptyStr, fmt.Errorf("ListIpsetsDetail failed: odd result (%d)", bytesNeeded)
	}
	// then allocate buffer for wide string and call again
	buf := make([]uint16, bytesNeeded/2)
	ret, err = Driver.ListIpsetsDetail(w.driverHandle, uintptr(format), uintptr(unsafe.Pointer(&buf[0])), uintptr(bytesNeeded), uintptr(unsafe.Pointer(&ignore)))
	if ret == 0 {
		return emptyStr, fmt.Errorf("ListIpsetsDetail failed: %v", err)
	}
	str := syscall.UTF16ToString(buf)
	return str, nil
}

func (w *wrapper) IpsetAdd(ipsetHandle uintptr, entry string, timeout int) error {
	w.initDriverHandle()
	if ret, err := Driver.IpsetAdd(w.driverHandle, ipsetHandle, marshalString(entry), uintptr(timeout)); ret == 0 {
		// no error if already exists
		if err == windows.ERROR_ALREADY_EXISTS {
			return nil
		}
		return fmt.Errorf("IpsetAdd failed: %v", err)
	}
	return nil
}

func (w *wrapper) IpsetAddOption(ipsetHandle uintptr, entry, option string, timeout int) error {
	w.initDriverHandle()
	if ret, err := Driver.IpsetAddOption(w.driverHandle, ipsetHandle, marshalString(entry), marshalString(option), uintptr(timeout)); ret == 0 {
		// no error if already exists
		if err == windows.ERROR_ALREADY_EXISTS {
			return nil
		}
		return fmt.Errorf("IpsetAddOption failed: %v", err)
	}
	return nil
}

func (w *wrapper) IpsetDelete(ipsetHandle uintptr, entry string) error {
	w.initDriverHandle()
	if ret, err := Driver.IpsetDelete(w.driverHandle, ipsetHandle, marshalString(entry)); ret == 0 {
		return fmt.Errorf("IpsetDelete failed: %v", err)
	}
	return nil
}

func (w *wrapper) IpsetDestroy(ipsetHandle uintptr, name string) error {
	w.initDriverHandle()
	errCleaner := w.ruleCleaner.deleteRulesForIpset(w, name)
	if ret, err := Driver.IpsetDestroy(w.driverHandle, ipsetHandle); ret == 0 {
		return fmt.Errorf("IpsetDestroy failed: %v", err)
	}
	return errCleaner
}

func (w *wrapper) IpsetFlush(ipsetHandle uintptr) error {
	w.initDriverHandle()
	if ret, err := Driver.IpsetFlush(w.driverHandle, ipsetHandle); ret == 0 {
		return fmt.Errorf("IpsetFlush failed: %v", err)
	}
	return nil
}

func (w *wrapper) IpsetTest(ipsetHandle uintptr, entry string) (bool, error) {
	w.initDriverHandle()
	if ret, err := Driver.IpsetTest(w.driverHandle, ipsetHandle, marshalString(entry)); ret == 0 {
		if err == nil {
			return false, nil
		}
		return false, fmt.Errorf("IpsetTest failed: %v", err)
	}
	return true, nil
}

func (w *wrapper) PacketFilterStart(firewallName string, receiveCallback, loggingCallback func(uintptr, uintptr) uintptr) error {
	w.initDriverHandle()
	if ret, err := Driver.PacketFilterStart(w.driverHandle, marshalString(firewallName), syscall.NewCallbackCDecl(receiveCallback), syscall.NewCallbackCDecl(loggingCallback)); ret == 0 {
		return fmt.Errorf("PacketFilterStart failed: %v", err)
	}
	return nil
}

func (w *wrapper) PacketFilterClose() error {
	w.initDriverHandle()
	if ret, err := Driver.PacketFilterClose(); ret == 0 {
		return fmt.Errorf("PacketFilterClose failed: %v", err)
	}
	return nil
}

func (w *wrapper) PacketFilterForward(info *PacketInfo, packetBytes []byte) error {
	w.initDriverHandle()
	if ret, err := Driver.PacketFilterForward(uintptr(unsafe.Pointer(info)), uintptr(unsafe.Pointer(&packetBytes[0]))); ret == 0 {
		return fmt.Errorf("PacketFilterForward failed: %v", err)
	}
	return nil
}

func (w *wrapper) AppendFilter(outbound bool, filterName string, isGotoFilter bool) error {
	w.initDriverHandle()
	if ret, err := Driver.AppendFilter(w.driverHandle, marshalBool(outbound), marshalString(filterName), marshalBool(isGotoFilter)); ret == 0 {
		// no error if already exists
		if err == windows.ERROR_ALREADY_EXISTS {
			return nil
		}
		return fmt.Errorf("AppendFilter failed: %v", err)
	}
	return nil
}

func (w *wrapper) InsertFilter(outbound bool, priority int, filterName string, isGotoFilter bool) error {
	w.initDriverHandle()
	if ret, err := Driver.InsertFilter(w.driverHandle, marshalBool(outbound), uintptr(priority), marshalString(filterName), marshalBool(isGotoFilter)); ret == 0 {
		return fmt.Errorf("InsertFilter failed: %v", err)
	}
	return nil
}

func (w *wrapper) DestroyFilter(filterName string) error {
	w.initDriverHandle()
	if ret, err := Driver.DestroyFilter(w.driverHandle, marshalString(filterName)); ret == 0 {
		return fmt.Errorf("DestroyFilter failed: %v", err)
	}
	return nil
}

func (w *wrapper) EmptyFilter(filterName string) error {
	w.initDriverHandle()
	if ret, err := Driver.EmptyFilter(w.driverHandle, marshalString(filterName)); ret == 0 {
		return fmt.Errorf("EmptyFilter failed: %v", err)
	}
	return nil
}

func (w *wrapper) GetFilterList(outbound bool) ([]string, error) {
	w.initDriverHandle()
	// first query for needed buffer size
	var bytesNeeded, ignore uint32
	ret, err := Driver.GetFilterList(w.driverHandle, marshalBool(outbound), 0, 0, uintptr(unsafe.Pointer(&bytesNeeded)))
	if ret != 0 && bytesNeeded == 0 {
		return []string{}, nil
	}
	if err != windows.ERROR_INSUFFICIENT_BUFFER {
		return nil, fmt.Errorf("GetFilterList failed: %v", err)
	}
	if bytesNeeded%2 != 0 {
		return nil, fmt.Errorf("GetFilterList failed: odd result (%d)", bytesNeeded)
	}
	// then allocate buffer for wide string and call again
	buf := make([]uint16, bytesNeeded/2)

	// Not sure how this happens, but sometimes on shutdown we get a panic because the len(buf) is zero
	if len(buf) <= 0 {
		return nil, fmt.Errorf("GetFilterList returned unexpected bytes needed value: %d", bytesNeeded)
	}

	ret, err = Driver.GetFilterList(w.driverHandle, marshalBool(outbound), uintptr(unsafe.Pointer(&buf[0])), uintptr(bytesNeeded), uintptr(unsafe.Pointer(&ignore)))
	if ret == 0 {
		return nil, fmt.Errorf("GetFilterList failed: %v", err)
	}
	str := syscall.UTF16ToString(buf)
	return strings.Split(str, ","), nil
}

func (w *wrapper) AppendFilterCriteria(filterName, criteriaName string, ruleSpec *RuleSpec, ipsetRuleSpecs []IpsetRuleSpec) error {
	w.initDriverHandle()
	if len(ipsetRuleSpecs) > 0 {
		if ret, err := Driver.AppendFilterCriteria(w.driverHandle,
			marshalString(filterName),
			marshalString(criteriaName),
			uintptr(unsafe.Pointer(ruleSpec)),
			uintptr(unsafe.Pointer(&ipsetRuleSpecs[0])),
			uintptr(len(ipsetRuleSpecs))); ret == 0 {
			return fmt.Errorf("AppendFilterCriteria failed: %v", err)
		}
		for _, ipsrs := range ipsetRuleSpecs {
			if ipsrs.IpsetName != 0 {
				ipsetName := WideCharPointerToString((*uint16)(unsafe.Pointer(ipsrs.IpsetName))) // nolint:govet
				w.ruleCleaner.mapIpsetToRule(ipsetName, filterName, criteriaName)
			}
		}
	} else {
		if ret, err := Driver.AppendFilterCriteria(w.driverHandle,
			marshalString(filterName),
			marshalString(criteriaName),
			uintptr(unsafe.Pointer(ruleSpec)), 0, 0); ret == 0 {
			return fmt.Errorf("AppendFilterCriteria failed: %v", err)
		}
	}
	return nil
}

func (w *wrapper) DeleteFilterCriteria(filterName, criteriaName string) error {
	w.initDriverHandle()
	w.ruleCleaner.deleteRuleFromIpsetMap(filterName, criteriaName)
	if ret, err := Driver.DeleteFilterCriteria(w.driverHandle, marshalString(filterName), marshalString(criteriaName)); ret == 0 {
		return fmt.Errorf("DeleteFilterCriteria failed - could not delete %s: %v", criteriaName, err)
	}
	return nil
}

func (w *wrapper) GetCriteriaList(format int) (string, error) {
	w.initDriverHandle()
	// first query for needed buffer size
	var bytesNeeded, ignore uint32
	emptyStr := ""
	ret, err := Driver.GetCriteriaList(w.driverHandle, uintptr(format), 0, 0, uintptr(unsafe.Pointer(&bytesNeeded)))
	if ret != 0 && bytesNeeded == 0 {
		return emptyStr, nil
	}
	if err != windows.ERROR_INSUFFICIENT_BUFFER {
		return emptyStr, fmt.Errorf("GetCriteriaList failed: %v", err)
	}
	if bytesNeeded%2 != 0 {
		return emptyStr, fmt.Errorf("GetCriteriaList failed: odd result (%d)", bytesNeeded)
	}
	// then allocate buffer for wide string and call again
	buf := make([]uint16, bytesNeeded/2)
	ret, err = Driver.GetCriteriaList(w.driverHandle, uintptr(format), uintptr(unsafe.Pointer(&buf[0])), uintptr(bytesNeeded), uintptr(unsafe.Pointer(&ignore)))
	if ret == 0 {
		return emptyStr, fmt.Errorf("GetCriteriaList failed: %v", err)
	}
	str := syscall.UTF16ToString(buf)
	return str, nil
}

func marshalString(str string) uintptr {
	return uintptr(unsafe.Pointer(syscall.StringToUTF16Ptr(str))) // nolint
}

func marshalBool(b bool) uintptr {
	if b {
		return 1
	}
	return 0
}


================================================
FILE: utils/ipprefix/ipprefix.go
================================================
package ipprefix

import (
	"encoding/binary"
	"net"
	"sync"
)

// FuncOnLpmIP is the type of func which will operate on the value associated with the lpm ip.
type FuncOnLpmIP func(val interface{}) bool

// FuncOnVals is the type of the func which will operate on each value and will return a new value
// for each associated value.
type FuncOnVals func(val interface{}) interface{}

//IPcache is an interface which provides functionality to store ip's and do longest prefix match
type IPcache interface {
	// Put takes an argument an ip address, mask and value.
	Put(net.IP, int, interface{})
	// Get takes an argument the IP address and mask and returns the value that is stored for
	// that key.
	Get(net.IP, int) (interface{}, bool)
	// RunFuncOnLpmIP function takes as an argument an IP address and a function. It finds the
	// subnet to which this IP belongs with the longest prefix match. It then calls the
	// function supplied by the user on the value stored and if it succeeds then it returns.
	RunFuncOnLpmIP(net.IP, FuncOnLpmIP)
	// RunFuncOnVals takes an argument a function which is called on all the values stored in
	// the cache. This can be used to update the old values with the new values. If the new
	// value is nil, it will delete the key.
	RunFuncOnVals(FuncOnVals)
}

const (
	ipv4MaskSize = 32 + 1
	ipv6MaskSize = 128 + 1
)

type ipcacheV4 struct {
	ipv4 []map[uint32]interface{}
	sync.RWMutex
}

type ipcacheV6 struct {
	ipv6 []map[[16]byte]interface{}
	sync.RWMutex
}

type ipcache struct {
	ipv4 *ipcacheV4
	ipv6 *ipcacheV6
}

func (cache *ipcacheV4) Put(ip net.IP, mask int, val interface{}) {
	cache.Lock()
	defer cache.Unlock()

	if cache.ipv4[mask] == nil {
		cache.ipv4[mask] = map[uint32]interface{}{}
	}

	m := cache.ipv4[mask]
	// the following expression is ANDing the ip with the mask
	key := binary.BigEndian.Uint32(ip) & binary.BigEndian.Uint32(net.CIDRMask(mask, 32))
	if val == nil {
		delete(m, key)
	} else {
		m[key] = val
	}
}

func (cache *ipcacheV4) Get(ip net.IP, mask int) (interface{}, bool) {
	cache.RLock()
	defer cache.RUnlock()

	m := cache.ipv4[mask]
	if m != nil {
		val, ok := m[binary.BigEndian.Uint32(ip)&binary.BigEndian.Uint32(net.CIDRMask(mask, 32))]
		if ok {
			return val, true
		}
	}

	return nil, false
}

func (cache *ipcacheV4) RunFuncOnLpmIP(ip net.IP, f func(val interface{}) bool) {
	cache.Lock()
	defer cache.Unlock()

	for i := len(cache.ipv4) - 1; i >= 0; i-- {
		m := cache.ipv4[i]
		if m != nil {
			val, ok := m[binary.BigEndian.Uint32(ip)&binary.BigEndian.Uint32(net.CIDRMask(i, 32))]
			if ok && f(val) {
				return
			}
		}
	}

}

func (cache *ipcacheV4) RunFuncOnVals(f func(val interface{}) interface{}) {
	cache.Lock()
	defer cache.Unlock()

	for mask, m := range cache.ipv4 {
		if m == nil {
			continue
		}

		for ip, val := range m {
			v := f(val)
			if v == nil {
				delete(m, ip)
				continue
			}

			m[ip] = v
		}

		if len(m) == 0 {
			cache.ipv4[mask] = nil
		}
	}

}

func (cache *ipcacheV6) Put(ip net.IP, mask int, val interface{}) {
	cache.Lock()
	defer cache.Unlock()

	if cache.ipv6[mask] == nil {
		cache.ipv6[mask] = map[[16]byte]interface{}{}
	}

	m := cache.ipv6[mask]
	// the following expression is ANDing the ip with the mask
	var maskip [16]byte
	copy(maskip[:], ip.Mask(net.CIDRMask(mask, 128)))

	if val == nil {
		delete(m, maskip)
	} else {
		m[maskip] = val
	}
}

func (cache *ipcacheV6) Get(ip net.IP, mask int) (interface{}, bool) {
	cache.RLock()
	defer cache.RUnlock()

	m := cache.ipv6[mask]
	if m != nil {
		var maskip [16]byte
		copy(maskip[:], ip.Mask(net.CIDRMask(mask, 128)))
		val, ok := m[maskip]
		if ok {
			return val, true
		}
	}

	return nil, false
}

func (cache *ipcacheV6) RunFuncOnLpmIP(ip net.IP, f func(val interface{}) bool) {
	cache.Lock()
	defer cache.Unlock()

	for i := len(cache.ipv6) - 1; i >= 0; i-- {
		m := cache.ipv6[i]
		if m != nil {
			var maskip [16]byte
			copy(maskip[:], ip.Mask(net.CIDRMask(i, 128)))
			val, ok := m[maskip]
			if ok && f(val) {
				return
			}
		}
	}
}

func (cache *ipcacheV6) RunFuncOnVals(f func(val interface{}) interface{}) {
	cache.Lock()
	defer cache.Unlock()

	for mask, m := range cache.ipv6 {
		if m == nil {
			continue
		}

		for ip, val := range m {
			v := f(val)
			if v == nil {
				delete(m, ip)
				continue
			}

			m[ip] = v
		}

		if len(m) == 0 {
			cache.ipv6[mask] = nil
		}
	}
}

//NewIPCache creates an object which is implementing the interface IPcache
func NewIPCache() IPcache {
	return &ipcache{
		ipv4: &ipcacheV4{ipv4: make([]map[uint32]interface{}, ipv4MaskSize)},
		ipv6: &ipcacheV6{ipv6: make([]map[[16]byte]interface{}, ipv6MaskSize)},
	}
}

func (cache *ipcache) Put(ip net.IP, mask int, val interface{}) {
	if ip.To4() != nil {
		cache.ipv4.Put(ip.To4(), mask, val)
		return
	}

	cache.ipv6.Put(ip.To16(), mask, val)
}

func (cache *ipcache) Get(ip net.IP, mask int) (interface{}, bool) {

	if ip.To4() != nil {
		return cache.ipv4.Get(ip.To4(), mask)
	}

	return cache.ipv6.Get(ip.To16(), mask)
}

func (cache *ipcache) RunFuncOnLpmIP(ip net.IP, f FuncOnLpmIP) {
	if ip.To4() != nil {
		cache.ipv4.RunFuncOnLpmIP(ip.To4(), f)
		return
	}

	cache.ipv6.RunFuncOnLpmIP(ip.To16(), f)
}

func (cache *ipcache) RunFuncOnVals(f FuncOnVals) {

	cache.ipv4.RunFuncOnVals(f)
	cache.ipv6.RunFuncOnVals(f)
}


================================================
FILE: utils/ipprefix/ipprefix_test.go
================================================
// +build !windows

package ipprefix

import (
	"fmt"
	"net"
	"testing"

	"github.com/magiconair/properties/assert"
)

const (
	mask24  = "24mask"
	mask32  = "32mask"
	mask128 = "128mask"
	mask0   = "mask0"
)

func TestPutGetV4(t *testing.T) {
	ipcache := NewIPCache()

	ip := net.ParseIP("10.0.0.1")
	ipcache.Put(ip, 32, mask32)
	ipcache.Put(ip, 24, mask24)
	ipcache.Put(ip, 0, mask0)

	val, ok := ipcache.Get(ip, 32)
	assert.Equal(t, ok, true, "Get should return Success")
	assert.Equal(t, val.(string), mask32, fmt.Sprintf("Returned value should be %s", mask32))
	val, ok = ipcache.Get(net.ParseIP("10.0.0.2"), 24)
	assert.Equal(t, ok, true, "Get should return Success")
	assert.Equal(t, val.(string), mask24, fmt.Sprintf("Returned value should be %s", mask24))

	_, ok = ipcache.Get(net.ParseIP("8.8.8.8"), 0)
	assert.Equal(t, ok, true, "should be found in cache")

	_, ok = ipcache.Get(ip, 10)
	assert.Equal(t, ok, false, "Get should return nil")

	ipcache.Put(ip, 32, nil)
	_, ok = ipcache.Get(ip, 32)
	assert.Equal(t, ok, false, "Should not be found in cache")
}

func TestPutGetV6(t *testing.T) {
	ipcache := NewIPCache()

	ip := net.ParseIP("8000::220")
	ipcache.Put(ip, 128, mask128)
	ipcache.Put(ip, 24, mask24)
	ipcache.Put(ip, 0, mask0)

	val, ok := ipcache.Get(ip, 128)
	assert.Equal(t, ok, true, "Get should return success")
	assert.Equal(t, val.(string), mask128, fmt.Sprintf("Returned value should be %s", mask128))
	val, ok = ipcache.Get(ip, 24)
	assert.Equal(t, ok, true, "Get should return success")
	assert.Equal(t, val.(string), mask24, fmt.Sprintf("Returned value should be %s", mask24))

	_, ok = ipcache.Get(net.ParseIP("abcd::200"), 0)
	assert.Equal(t, ok, true, "Get should return success")

	_, ok = ipcache.Get(ip, 10)
	assert.Equal(t, ok, false, "Get should return nil")

	ipcache.Put(ip, 128, nil)
	_, ok = ipcache.Get(ip, 128)
	assert.Equal(t, ok, false, "Get should return nil")
}

func TestRunIPV4(t *testing.T) {
	var found bool

	ipcache := NewIPCache()

	ip := net.ParseIP("10.0.0.1")
	ipcache.Put(ip, 32, mask32)
	ipcache.Put(ip, 24, mask24)

	testRunIP := func(val interface{}) bool {
		found = false
		if val != nil {
			str := val.(string)

			if str == mask32 {
				found = true
			}
		}
		return true
	}

	ipcache.RunFuncOnLpmIP(ip, testRunIP)
	assert.Equal(t, found, true, "found should be true")
}

func TestRunIPv6(t *testing.T) {

	var found bool

	ipcache := NewIPCache()

	ip := net.ParseIP("8000::220")
	ipcache.Put(ip, 128, mask128)
	ipcache.Put(ip, 24, mask24)

	testRunIP := func(val interface{}) bool {
		found = false
		if val != nil {
			str := val.(string)

			if str == mask128 {
				found = true
			}
		}
		return true
	}

	ipcache.RunFuncOnLpmIP(ip, testRunIP)
	assert.Equal(t, found, true, "found should be true")
}

func TestRunValIPv4(t *testing.T) {

	ipcache := NewIPCache()

	ip := net.ParseIP("10.0.0.1")
	ipcache.Put(ip, 32, mask32)
	ipcache.Put(ip, 24, mask24)

	m := map[string]bool{}
	m[mask32] = true
	m[mask24] = true

	testRunVal := func(val interface{}) interface{} {
		if val != nil {
			s := val.(string)
			if s == mask32 {
				delete(m, s)
				return nil
			}
		}

		return val
	}

	ipcache.RunFuncOnVals(testRunVal)
	assert.Equal(t, len(m), 1, "map should be of length 0")
	_, ok := ipcache.Get(ip, 32)
	assert.Equal(t, ok, false, "Get should return nil")
	_, ok = ipcache.Get(ip, 24)
	assert.Equal(t, ok, true, "Get should return true")

}

func TestRunValIPv6(t *testing.T) {

	ipcache := NewIPCache()

	ip := net.ParseIP("8000::220")
	ipcache.Put(ip, 128, mask128)
	ipcache.Put(ip, 24, mask24)

	m := map[string]bool{}
	m[mask128] = true
	m[mask24] = true

	testRunVal := func(val interface{}) interface{} {
		if val != nil {
			s := val.(string)
			if s == mask128 {
				delete(m, s)
				return nil
			}
		}

		return val
	}

	ipcache.RunFuncOnVals(testRunVal)
	assert.Equal(t, len(m), 1, "map should be of length 0")
	_, ok := ipcache.Get(ip, 128)
	assert.Equal(t, ok, false, "Get should return nil")
	_, ok = ipcache.Get(ip, 24)
	assert.Equal(t, ok, true, "Get should return true")
}


================================================
FILE: utils/netinterfaces/netinterfaces.go
================================================
package netinterfaces

import (
	"fmt"
	"net"

	"go.uber.org/zap"
)

// NetworkInterface holds info of a network interface
type NetworkInterface struct {
	Name   string
	IPs    []net.IP
	IPNets []*net.IPNet
	Flags  net.Flags
}

// GetInterfacesInfo returns interface info
func GetInterfacesInfo() ([]NetworkInterface, error) {

	netInterfaces := []NetworkInterface{}

	// List interfaces
	ifaces, err := net.Interfaces()
	if err != nil {
		return nil, fmt.Errorf("unable to get interfaces: %v", err)
	}

	for _, intf := range ifaces {
		ipList := []net.IP{}
		ipNetList := []*net.IPNet{}

		// List interface addresses
		addrs, err := intf.Addrs()
		if err != nil {
			zap.L().Warn("unable to get interface addresses",
				zap.String("interface", intf.Name),
				zap.Error(err))
			continue
		}

		for _, addr := range addrs {
			ip, ipNet, err := net.ParseCIDR(addr.String())
			if err != nil {
				zap.L().Warn("unable to parse address",
					zap.String("interface", intf.Name),
					zap.String("addr", addr.String()),
					zap.Error(err))
				continue
			}

			ipList = append(ipList, ip)
			ipNetList = append(ipNetList, ipNet)
		}

		netInterface := NetworkInterface{
			Name:   intf.Name,
			IPs:    ipList,
			IPNets: ipNetList,
			Flags:  intf.Flags,
		}

		netInterfaces = append(netInterfaces, netInterface)
	}

	return netInterfaces, nil
}


================================================
FILE: utils/nfqparser/constants.go
================================================
package nfqparser

const (
	nfqFilePath = "/proc/net/netfilter/nfnetlink_queue"
)


================================================
FILE: utils/nfqparser/nfqlayout.go
================================================
package nfqparser

import "fmt"

// NFQLayout is the layout of /proc/net/netfilter/nfnetlink_queue
type NFQLayout struct {
	QueueNum string
	// process ID of software listening to the queue
	PeerPortID string
	// current number of packets waiting in the queue
	QueueTotal string
	// 0 and 1 only message only provide meta data. If 2, the message provides a part of packet of size copy range.
	CopyMode string
	// length of packet data to put in message
	CopyRange string
	// number of packets dropped because queue was full
	QueueDropped string
	// number of packets dropped because netlink message could not be sent to userspace.
	// If this counter is not zero, try to increase netlink buffer size. On the application side,
	// you will see gap in packet id if netlink message are lost.
	UserDropped string
	// packet id of last packet
	IDSequence string
}

//  String returns string representation of particular queue
func (n *NFQLayout) String() string {

	if n == nil {
		return ""
	}

	return fmt.Sprintf("%v", *n)
}


================================================
FILE: utils/nfqparser/nfqparser.go
================================================
package nfqparser

import (
	"bufio"
	"bytes"
	"io/ioutil"
	"strings"
	"sync"
)

// NFQParser holds nfqparser fields
type NFQParser struct {
	nfqStr string
	// NOTE: For unit test
	filePath string
	contents map[string]NFQLayout

	sync.Mutex
}

// NewNFQParser returns nfqparser handler
func NewNFQParser() *NFQParser {

	return &NFQParser{
		contents: make(map[string]NFQLayout),
		filePath: nfqFilePath,
	}
}

// Synchronize reads from file and parses it
func (n *NFQParser) Synchronize() error {

	n.Lock()
	defer n.Unlock()

	data, err := ioutil.ReadFile(n.filePath)
	if err != nil {
		return err
	}

	n.nfqStr = string(data)

	scanner := bufio.NewScanner(bytes.NewReader(data))
	for scanner.Scan() {
		line := scanner.Text()
		lineParts := strings.Fields(line)
		newNFQ := makeNFQLayout(lineParts)

		n.contents[newNFQ.QueueNum] = newNFQ
	}

	return nil
}

// RetrieveByQueue returns layout for a specific queue number
func (n *NFQParser) RetrieveByQueue(queueNum string) *NFQLayout {

	n.Lock()
	defer n.Unlock()

	content, ok := n.contents[queueNum]
	if ok {
		return &content
	}

	return nil
}

// RetrieveAll returns all layouts
func (n *NFQParser) RetrieveAll() map[string]NFQLayout {

	n.Lock()
	defer n.Unlock()

	return n.contents
}

// String returns string renresentation of nfqueue data
func (n *NFQParser) String() string {

	n.Lock()
	defer n.Unlock()

	return n.nfqStr
}

func makeNFQLayout(data []string) NFQLayout {

	newNFQ := NFQLayout{}
	newNFQ.QueueNum = data[0]
	newNFQ.PeerPortID = data[1]
	newNFQ.QueueTotal = data[2]
	newNFQ.CopyMode = data[3]
	newNFQ.CopyRange = data[4]
	newNFQ.QueueDropped = data[5]
	newNFQ.UserDropped = data[6]
	newNFQ.IDSequence = data[7]

	return newNFQ
}


================================================
FILE: utils/nfqparser/nfqparser_test.go
================================================
// +build !windows

package nfqparser

import (
	"fmt"
	"io/ioutil"
	"testing"

	. "github.com/smartystreets/goconvey/convey"
)

const (
	testFilePath = "/tmp/nfqdrops"
	testNFQData  = `      0  13206     0 2 65531     0     0        0  1
    1 3333107750     0 2 65531     0     0        0  1
    2 3881398569     0 2 65531     0     0        1  1
    3 2633750685     0 2 65531     0     0        0  1
    4 3605545056     0 2 65531     0     0        0  1
    5 3473230188     0 2 65531     0     0        2  1
    6 4025478776     0 2 65531     0     0        3  1
    7 2806986372     0 2 65531     0     0        1  1`
)

func init() {
	testCreateFile()
}

func testProperLayout() *NFQLayout {

	return &NFQLayout{
		QueueNum:     "6",
		PeerPortID:   "4025478776",
		QueueTotal:   "0",
		CopyMode:     "2",
		CopyRange:    "65531",
		QueueDropped: "0",
		UserDropped:  "0",
		IDSequence:   "3",
	}
}

func testCreateFile() {

	if err := ioutil.WriteFile(testFilePath, []byte(testNFQData), 0777); err != nil {
		panic(err)
	}
}

func TestNFQParserRetrieveByQueue(t *testing.T) {

	Convey("Given I create a new nfqparser instance", t, func() {
		nfqParser := NewNFQParser()
		nfqParser.filePath = testFilePath

		Convey("Given I try to synchronize data", func() {
			err := nfqParser.Synchronize()

			Convey("Then I should not get any errors", func() {
				So(err, ShouldBeNil)
			})

			Convey("Given I try to retrieve data for a queue", func() {
				queueData := nfqParser.RetrieveByQueue("6")

				Convey("Then queue data should match", func() {
					So(queueData, ShouldResemble, testProperLayout())
				})
			})

			Convey("Given I try to retrieve data for a queue and compare a specific field", func() {
				queueData := nfqParser.RetrieveByQueue("6")

				Convey("Then queue data should match", func() {
					So(queueData.CopyRange, ShouldEqual, testProperLayout().CopyRange)
				})
			})

			Convey("Given I try to retrieve data for a queue with different expected data", func() {
				queueData := nfqParser.RetrieveByQueue("1")

				Convey("Then queue data should match", func() {
					So(queueData, ShouldNotResemble, testProperLayout())
				})
			})

			Convey("Given I try to retrieve data for a invalid queue num", func() {
				queueData := nfqParser.RetrieveByQueue("9")

				Convey("Then queue data should match", func() {
					So(queueData, ShouldBeNil)
				})
			})
		})
	})
}

func TestNFQParserRetrieveAll(t *testing.T) {

	Convey("Given I create a new nfqparser instance", t, func() {
		nfqParser := NewNFQParser()
		nfqParser.filePath = testFilePath

		Convey("Given I try to synchronize data", func() {
			err := nfqParser.Synchronize()

			Convey("Then I should not get any errors", func() {
				So(err, ShouldBeNil)
			})

			Convey("Given I try to retrieve all", func() {
				queueData := nfqParser.RetrieveAll()

				Convey("Then length of queue data should be equal", func() {
					So(len(queueData), ShouldEqual, 8)
				})
			})
		})
	})
}

func TestNFQParserString(t *testing.T) {

	Convey("Given I create a new nfqparser instance", t, func() {
		nfqParser := NewNFQParser()
		nfqParser.filePath = testFilePath

		Convey("Given I try to synchronize data", func() {
			err := nfqParser.Synchronize()

			Convey("Then I should not get any errors", func() {
				So(err, ShouldBeNil)
			})

			Convey("Given I try to get string representation", func() {
				strData := nfqParser.String()

				Convey("Then queue data should match", func() {
					So(strData, ShouldEqual, testNFQData)
				})
			})

			Convey("Given I try to retrieve data for a queue with different expected data", func() {
				queueData := nfqParser.RetrieveByQueue("6")

				Convey("Then queue data should match", func() {
					So(queueData, ShouldResemble, testProperLayout())
				})

				Convey("Given I try to get string representation of particular queue number", func() {
					queueData := nfqParser.RetrieveByQueue("6")

					Convey("Then queue data should match", func() {
						So(queueData.String(), ShouldEqual, fmt.Sprintf("%v", testProperLayout()))
					})
				})

				Convey("Given I try to get string representation of empty layout, it should not panic", func() {
					nfqParser := NewNFQParser()
					str := nfqParser.RetrieveByQueue("6").String()

					Convey("Then queue data should match", func() {
						So(str, ShouldEqual, "")
					})
				})
			})
		})
	})
}


================================================
FILE: utils/portcache/portcache.go
================================================
package portcache

import (
	"fmt"
	"sync"

	"go.aporeto.io/enforcerd/trireme-lib/utils/cache"
	"go.aporeto.io/enforcerd/trireme-lib/utils/portspec"
)

// PortCache is a generic cache of port pairs or exact ports. It can store
// and do lookups of ports on exact matches or ranges. It returns the stored
// values
type PortCache struct {
	ports  cache.DataStore
	ranges []*portspec.PortSpec
	sync.Mutex
}

// NewPortCache creates a new port cache
func NewPortCache(name string) *PortCache {
	return &PortCache{
		ports:  cache.NewCache(name),
		ranges: []*portspec.PortSpec{},
	}
}

// AddPortSpec adds a port spec into the cache
func (p *PortCache) AddPortSpec(s *portspec.PortSpec) {
	if s.Min == s.Max {
		p.ports.AddOrUpdate(s.Min, s)
	} else {
		// Remove the range if it exists
		p.Remove(s) // nolint
		// Insert the portspec
		p.Lock()
		p.ranges = append([]*portspec.PortSpec{s}, p.ranges...)
		p.Unlock()
	}
}

// AddPortSpecToEnd adds a range at the end of the cache
func (p *PortCache) AddPortSpecToEnd(s *portspec.PortSpec) {

	// Remove the range if it exists
	p.Remove(s) // nolint

	p.Lock()
	p.ranges = append(p.ranges, s)
	p.Unlock()

}

// AddUnique adds a port spec into the cache and makes sure its unique
func (p *PortCache) AddUnique(s *portspec.PortSpec) error {
	p.Lock()
	defer p.Unlock()

	if s.Min == s.Max {
		if err, _ := p.ports.Get(s.Min); err != nil {
			return fmt.Errorf("Port already exists: %s", err)
		}
	}

	for _, r := range p.ranges {
		if r.Max <= s.Min || r.Min >= s.Max {
			continue
		}
		return fmt.Errorf("Overlap detected: %d %d", r.Max, r.Min)
	}

	if s.Min == s.Max {
		return p.ports.Add(s.Min, s)
	}

	p.ranges = append(p.ranges, s)
	return nil
}

// GetSpecValueFromPort searches the cache for a match based on a port
// It will return the first match found on exact ports or on the ranges
// of ports. If there are multiple intervals that match it will randomly
// return one of them.
func (p *PortCache) GetSpecValueFromPort(port uint16) (interface{}, error) {
	if spec, err := p.ports.Get(port); err == nil {
		return spec.(*portspec.PortSpec).Value(), nil
	}

	p.Lock()
	defer p.Unlock()
	for _, s := range p.ranges {
		if s.Min <= port && port <= s.Max {
			return s.Value(), nil
		}
	}

	return nil, fmt.Errorf("No match for port %d", port)
}

// GetAllSpecValueFromPort will return all the specs that potentially match. This
// will allow for overlapping ranges
func (p *PortCache) GetAllSpecValueFromPort(port uint16) ([]interface{}, error) {
	var allMatches []interface{}

	if spec, err := p.ports.Get(port); err == nil {
		allMatches = append(allMatches, spec.(*portspec.PortSpec).Value())
	}

	p.Lock()
	defer p.Unlock()
	for _, s := range p.ranges {
		if s.Min <= port && port < s.Max {
			allMatches = append(allMatches, s.Value())
		}
	}

	if len(allMatches) == 0 {
		return nil, fmt.Errorf("No match for port %d", port)
	}
	return allMatches, nil
}

// Remove will remove a port from the cache
func (p *PortCache) Remove(s *portspec.PortSpec) error {

	if s.Min == s.Max {
		return p.ports.Remove(s.Min)
	}

	p.Lock()
	defer p.Unlock()
	for i, r := range p.ranges {
		if r.Min == s.Min && r.Max == s.Max {
			left := p.ranges[:i]
			right := p.ranges[i+1:]
			p.ranges = append(left, right...)
			return nil
		}
	}

	return fmt.Errorf("port not found")
}

// RemoveStringPorts will remove a port from the cache
func (p *PortCache) RemoveStringPorts(ports string) error {

	s, err := portspec.NewPortSpecFromString(ports, nil)
	if err != nil {
		return err
	}

	return p.Remove(s)
}


================================================
FILE: utils/portcache/portcache_test.go
================================================
// +build !windows

package portcache

import (
	"testing"

	. "github.com/smartystreets/goconvey/convey"
	"go.aporeto.io/enforcerd/trireme-lib/utils/portspec"
)

func TestNewPortCache(t *testing.T) {
	Convey("When I creat a new port cache", t, func() {
		p := NewPortCache("test")
		Convey("The cache must be initilized", func() {
			So(p, ShouldNotBeNil)
			So(p.ports, ShouldNotBeNil)
			So(p.ranges, ShouldNotBeNil)
		})
	})
}

func TestAddPortSpec(t *testing.T) {
	Convey("Given an initialized cached", t, func() {
		p := NewPortCache("test")
		Convey("When I add a port spec with a single port, it must added to the map", func() {
			s, err := portspec.NewPortSpec(10, 10, "10")
			So(err, ShouldBeNil)
			p.AddPortSpec(s)
			stored, err := p.ports.Get(uint16(10))
			So(err, ShouldBeNil)
			So(stored.(*portspec.PortSpec), ShouldNotBeNil)
			So(stored.(*portspec.PortSpec).Max, ShouldEqual, 10)
			So(stored.(*portspec.PortSpec).Min, ShouldEqual, 10)
			So(stored.(*portspec.PortSpec).Value().(string), ShouldResemble, "10")
		})

		Convey("When I add a port spec with a range of ports, be added to the list", func() {
			s, err := portspec.NewPortSpec(10, 20, "range")
			So(err, ShouldBeNil)
			p.AddPortSpec(s)
			So(len(p.ranges), ShouldEqual, 1)
			So(p.ranges[0].Min, ShouldEqual, 10)
			So(p.ranges[0].Max, ShouldEqual, 20)
			So(p.ranges[0].Value().(string), ShouldResemble, "range")
		})
	})
}

func TestSearch(t *testing.T) {
	Convey("Given an initialized cache", t, func() {
		p := NewPortCache("test")
		Convey("When I add both single ports and rages", func() {
			s, err := portspec.NewPortSpec(10, 20, "range1")
			So(err, ShouldBeNil)
			p.AddPortSpec(s)

			s, err = portspec.NewPortSpec(30, 40, "range2")
			So(err, ShouldBeNil)
			p.AddPortSpec(s)

			s, err = portspec.NewPortSpec(50, 60, "range3")
			So(err, ShouldBeNil)
			p.AddPortSpec(s)

			s, err = portspec.NewPortSpec(15, 15, "15")
			So(err, ShouldBeNil)
			p.AddPortSpec(s)

			s, err = portspec.NewPortSpec(25, 25, "25")
			So(err, ShouldBeNil)
			p.AddPortSpec(s)

			Convey("If I match both exact and range, I should get the exact", func() {
				s, err := p.GetSpecValueFromPort(15)
				So(err, ShouldBeNil)
				So(s.(string), ShouldResemble, "15")
				s, err = p.GetSpecValueFromPort(25)
				So(err, ShouldBeNil)
				So(s.(string), ShouldResemble, "25")
			})

			Convey("If I match the range beginning, I should get the result", func() {
				s, err := p.GetSpecValueFromPort(10)
				So(err, ShouldBeNil)
				So(s.(string), ShouldResemble, "range1")
			})

			Convey("If I match the range end , I should get the result", func() {
				s, err := p.GetSpecValueFromPort(19)
				So(err, ShouldBeNil)
				So(s.(string), ShouldResemble, "range1")
				s, err = p.GetSpecValueFromPort(39)
				So(err, ShouldBeNil)
				So(s.(string), ShouldResemble, "range2")
				s, err = p.GetSpecValueFromPort(59)
				So(err, ShouldBeNil)
				So(s.(string), ShouldResemble, "range3")
			})

			Convey("Last number is included ", func() {
				_, err := p.GetSpecValueFromPort(20)
				So(err, ShouldBeNil)
			})
		})
	})
}

func TestGetAll(t *testing.T) {
	Convey("Given an initialized cache", t, func() {
		p := NewPortCache("test")
		Convey("When I add both single ports and rages", func() {
			s, err := portspec.NewPortSpec(10, 20, "range1")
			So(err, ShouldBeNil)
			p.AddPortSpec(s)

			s, err = portspec.NewPortSpec(30, 40, "range2")
			So(err, ShouldBeNil)
			p.AddPortSpec(s)

			s, err = portspec.NewPortSpec(50, 60, "range3")
			So(err, ShouldBeNil)
			p.AddPortSpec(s)

			s, err = portspec.NewPortSpec(15, 15, "15")
			So(err, ShouldBeNil)
			p.AddPortSpec(s)

			s, err = portspec.NewPortSpec(25, 25, "25")
			So(err, ShouldBeNil)
			p.AddPortSpec(s)

			Convey("If I match both exact and range, I should get the exact", func() {
				s, err := p.GetAllSpecValueFromPort(15)
				So(err, ShouldBeNil)
				So(len(s), ShouldEqual, 2)

				So(s[0].(string), ShouldResemble, "15")
				So(s[1].(string), ShouldResemble, "range1")
			})
		})
	})
}

func TestAddUnique(t *testing.T) {
	Convey("Given an initialized cache", t, func() {
		p := NewPortCache("test")
		Convey("When I add unique entries, I should get no errors ", func() {
			s, err := portspec.NewPortSpec(10, 20, "range1")
			So(err, ShouldBeNil)
			So(p.AddUnique(s), ShouldBeNil)

			s, err = portspec.NewPortSpec(30, 40, "range2")
			So(err, ShouldBeNil)
			So(p.AddUnique(s), ShouldBeNil)

			s, err = portspec.NewPortSpec(50, 60, "range3")
			So(err, ShouldBeNil)
			So(p.AddUnique(s), ShouldBeNil)
		})

		Convey("When I add non-unique entries, I should get  errors ", func() {
			s, err := portspec.NewPortSpec(10, 20, "range1")
			So(err, ShouldBeNil)
			So(p.AddUnique(s), ShouldBeNil)

			s, err = portspec.NewPortSpec(30, 40, "range1")
			So(err, ShouldBeNil)
			So(p.AddUnique(s), ShouldBeNil)

			s, err = portspec.NewPortSpec(5, 15, "range2")
			So(err, ShouldBeNil)
			So(p.AddUnique(s), ShouldNotBeNil)

			s, err = portspec.NewPortSpec(15, 25, "range2")
			So(err, ShouldBeNil)
			So(p.AddUnique(s), ShouldNotBeNil)

			s, err = portspec.NewPortSpec(5, 25, "range3")
			So(err, ShouldBeNil)
			So(p.AddUnique(s), ShouldNotBeNil)

			s, err = portspec.NewPortSpec(5, 5, "range3")
			So(err, ShouldBeNil)
			So(p.AddUnique(s), ShouldBeNil)

			s, err = portspec.NewPortSpec(15, 15, "range3")
			So(err, ShouldBeNil)
			So(p.AddUnique(s), ShouldNotBeNil)

			s, err = portspec.NewPortSpec(25, 25, "range3")
			So(err, ShouldBeNil)
			So(p.AddUnique(s), ShouldBeNil)
		})

		Convey("When I match error'd unique entries and a valid range, I should get the valid range only", func() {
			s, err := portspec.NewPortSpec(10, 20, "range1")
			So(err, ShouldBeNil)
			So(p.AddUnique(s), ShouldBeNil)

			s, err = portspec.NewPortSpec(5, 15, "range2")
			So(err, ShouldBeNil)
			So(p.AddUnique(s), ShouldNotBeNil)

			s, err = portspec.NewPortSpec(15, 15, "15")
			So(err, ShouldBeNil)
			So(p.AddUnique(s), ShouldNotBeNil)

			a, err := p.GetAllSpecValueFromPort(15)
			So(err, ShouldBeNil)
			So(len(a), ShouldEqual, 1)
			So(a[0].(string), ShouldResemble, "range1")
		})
	})
}

func TestRemoveStringPort(t *testing.T) {
	Convey("Given an initialized cache", t, func() {
		p := NewPortCache("test")

		s, err := portspec.NewPortSpec(10, 20, "range1")
		So(err, ShouldBeNil)
		So(p.AddUnique(s), ShouldBeNil)

		s, err = portspec.NewPortSpec(30, 40, "range2")
		So(err, ShouldBeNil)
		So(p.AddUnique(s), ShouldBeNil)

		s, err = portspec.NewPortSpec(100, 100, "range3")
		So(err, ShouldBeNil)
		So(p.AddUnique(s), ShouldBeNil)

		Convey("When I remove valid entries, there should be no errors", func() {
			So(p.RemoveStringPorts("10:20"), ShouldBeNil)
			So(p.RemoveStringPorts("30:40"), ShouldBeNil)
			So(p.RemoveStringPorts("100:100"), ShouldBeNil)
		})

		Convey("When I remove invalid entries, I should get an error", func() {
			So(p.RemoveStringPorts("100:200"), ShouldNotBeNil)
			So(p.RemoveStringPorts("10:40"), ShouldNotBeNil)
		})
	})
}


================================================
FILE: utils/portspec/portspec.go
================================================
package portspec

// This package manages all port spec functions and validations and can
// be reused by all other packages.

import (
	"errors"
	"strconv"
	"strings"
)

// PortSpec is the specification of a port or port range
type PortSpec struct {
	Min   uint16 `json:"Min,omitempty"`
	Max   uint16 `json:"Max,omitempty"`
	value interface{}
}

// NewPortSpec creates a new port spec
func NewPortSpec(min, max uint16, value interface{}) (*PortSpec, error) {

	if min > max {
		return nil, errors.New("Min port greater than max")
	}

	return &PortSpec{
		Min:   min,
		Max:   max,
		value: value,
	}, nil
}

// NewPortSpecFromString creates a new port spec
func NewPortSpecFromString(ports string, value interface{}) (*PortSpec, error) {

	var min, max int
	var err error
	if strings.Contains(ports, ":") {
		portMinMax := strings.SplitN(ports, ":", 2)
		if len(portMinMax) != 2 {
			return nil, errors.New("Invalid port specification")
		}

		min, err = strconv.Atoi(portMinMax[0])
		if err != nil || min < 0 {
			return nil, errors.New("Min is not a valid port")
		}

		max, err = strconv.Atoi(portMinMax[1])
		if err != nil || max >= 65536 {
			return nil, errors.New("Max is not a valid port")
		}
	} else {
		min, err = strconv.Atoi(ports)
		if err != nil || min >= 65536 || min < 0 {
			return nil, errors.New("Port is larger than 2^16 or invalid port")
		}
		max = min
	}

	return NewPortSpec(uint16(min), uint16(max), value)
}

// IsMultiPort returns true if the spec is for multiple ports.
func (s *PortSpec) IsMultiPort() bool {
	return s.Min != s.Max
}

// SinglePort returns the port of a non multi-port spec
func (s *PortSpec) SinglePort() (uint16, error) {
	if s.IsMultiPort() {
		return 0, errors.New("Not a single port specification")
	}

	return s.Min, nil
}

// Range returns the range of a spec.
func (s *PortSpec) Range() (uint16, uint16) {
	return s.Min, s.Max
}

// MultiPort returns the multi-port range as a string.
func (s *PortSpec) String() string {
	if s.IsMultiPort() {
		return strconv.Itoa(int(s.Min)) + ":" + strconv.Itoa(int(s.Max))
	}

	return strconv.Itoa(int(s.Min))
}

// Value returns the value of the portspec if one is there
func (s *PortSpec) Value() interface{} {
	return s.value
}

// Overlaps returns true if the provided port spec overlaps with the given one.
func (s *PortSpec) Overlaps(p *PortSpec) bool {
	a := p
	b := s
	if a.Min > b.Min {
		a = s
		b = p
	}
	if a.Max >= b.Min {
		return true
	}
	return false
}

// Intersects returns true if the provided port spec intersect with the given one.
func (s *PortSpec) Intersects(p *PortSpec) bool {
	if p.Min == p.Max {
		return s.IsIncluded(int(p.Min))
	}
	return s.IsIncluded(int(p.Min)) && s.IsIncluded(int(p.Max))
}

// IsIncluded returns trues if a port is within the range of the portspec
func (s *PortSpec) IsIncluded(port int) bool {
	p := uint16(port)
	if s.Min <= p && p <= s.Max {
		return true
	}
	return false
}


================================================
FILE: utils/portspec/portspec_test.go
================================================
// +build !windows

package portspec

import (
	"testing"

	. "github.com/smartystreets/goconvey/convey"
)

func TestNewPortSpec(t *testing.T) {
	Convey("When I create a new port spec", t, func() {
		p, err := NewPortSpec(0, 10, "portspec")
		So(err, ShouldBeNil)
		Convey("The correct values must be set", func() {
			So(p, ShouldNotBeNil)
			So(p.Min, ShouldEqual, 0)
			So(p.Max, ShouldEqual, 10)
			So(p.value.(string), ShouldResemble, "portspec")
		})
	})
}
func TestNewPortSpecFromString(t *testing.T) {
	Convey("When I create a valid single port spec from string it should succeed", t, func() {
		p, err := NewPortSpecFromString("10", "string")
		So(err, ShouldBeNil)
		So(p.Min, ShouldEqual, uint16(10))
		So(p.Max, ShouldEqual, uint16(10))
		So(p.value.(string), ShouldResemble, "string")
	})

	Convey("When I create a valid a range  port spec from string it should succeed", t, func() {
		p, err := NewPortSpecFromString("10:20", "string")
		So(err, ShouldBeNil)
		So(p.Min, ShouldEqual, uint16(10))
		So(p.Max, ShouldEqual, uint16(20))
		So(p.value.(string), ShouldResemble, "string")
	})

	Convey("When I create singe port with value greater than 2^16 it shoud fail ", t, func() {
		_, err := NewPortSpecFromString("70000", "string")
		So(err, ShouldNotBeNil)
	})

	Convey("When I create singe port with a negative value it should fail", t, func() {
		_, err := NewPortSpecFromString("-1", "string")
		So(err, ShouldNotBeNil)
	})

	Convey("When I create a range with min > max it shoud fail", t, func() {
		_, err := NewPortSpecFromString("20:10", "string")
		So(err, ShouldNotBeNil)
	})

	Convey("When I create a range with negative min or max  it shoud fail", t, func() {
		_, err := NewPortSpecFromString("-20:10", "string")
		So(err, ShouldNotBeNil)
		_, err = NewPortSpecFromString("-20:-110", "string")
		So(err, ShouldNotBeNil)
	})

	Convey("When I create a range with invalid characters it should fail", t, func() {
		_, err := NewPortSpecFromString("10,20", "string")
		So(err, ShouldNotBeNil)
	})
}

func TestIsMultiPort(t *testing.T) {
	Convey("Given a portspec", t, func() {
		s, err := NewPortSpecFromString("10:20", "string")
		So(err, ShouldBeNil)
		Convey("multiport should return true", func() {
			So(s.IsMultiPort(), ShouldBeTrue)
		})
	})
}

func TestRange(t *testing.T) {
	Convey("Given a portspec", t, func() {
		Convey("If it is multiport", func() {
			s, err := NewPortSpecFromString("10:20", "string")
			So(err, ShouldBeNil)
			Convey("Range  should return the value ranges", func() {
				min, max := s.Range()
				So(min, ShouldEqual, 10)
				So(max, ShouldEqual, 20)
			})
		})

		Convey("If it is not multiport, it should return the one port", func() {
			s, err := NewPortSpecFromString("10", "string")
			So(err, ShouldBeNil)
			Convey("Multiport should an error", func() {
				min, max := s.Range()
				So(min, ShouldEqual, 10)
				So(max, ShouldEqual, 10)
			})
		})
	})
}

func TestSinglePort(t *testing.T) {
	Convey("Given a portspec", t, func() {
		Convey("If it is singleport", func() {
			s, err := NewPortSpecFromString("10", "string")
			So(err, ShouldBeNil)
			Convey("Multiport should return the value ranges", func() {
				m, err := s.SinglePort()
				So(err, ShouldBeNil)
				So(m, ShouldEqual, uint16(10))
			})
		})

		Convey("If it is not multiport", func() {
			s, err := NewPortSpecFromString("10:20", "string")
			So(err, ShouldBeNil)
			Convey("Singleport  should an error", func() {
				_, err := s.SinglePort()
				So(err, ShouldNotBeNil)
			})
		})
	})
}

func TestValue(t *testing.T) {
	Convey("Given a portspec, value should return the correct value", t, func() {
		s, err := NewPortSpecFromString("10:20", "value")
		So(err, ShouldBeNil)
		So(s.value.(string), ShouldResemble, "value")
	})
}

func TestOVerlap(t *testing.T) {
	Convey("Given two portspecs that don't overlap", t, func() {
		a, err1 := NewPortSpecFromString("10:20", "value")
		b, err2 := NewPortSpecFromString("30:40", "value")
		So(err1, ShouldBeNil)
		So(err2, ShouldBeNil)
		Convey("I should get false", func() {
			So(a.Overlaps(b), ShouldBeFalse)
		})
	})

	Convey("Given two portspecs that overlap", t, func() {
		a, err1 := NewPortSpecFromString("10:50", "value")
		b, err2 := NewPortSpecFromString("30:40", "value")
		So(err1, ShouldBeNil)
		So(err2, ShouldBeNil)
		Convey("I should get true", func() {
			So(a.Overlaps(b), ShouldBeTrue)
		})
	})

	Convey("Given two portspecs that partially overlap", t, func() {
		a, err1 := NewPortSpecFromString("10:35", "value")
		b, err2 := NewPortSpecFromString("30:40", "value")
		So(err1, ShouldBeNil)
		So(err2, ShouldBeNil)
		Convey("I should get true", func() {
			So(a.Overlaps(b), ShouldBeTrue)
		})
	})

	Convey("Given two portspecs that partially overlap at the end", t, func() {
		a, err1 := NewPortSpecFromString("35:45", "value")
		b, err2 := NewPortSpecFromString("30:40", "value")
		So(err1, ShouldBeNil)
		So(err2, ShouldBeNil)
		Convey("I should get true", func() {
			So(a.Overlaps(b), ShouldBeTrue)
		})
	})

	Convey("Given two portspecs that partially overlap at a point", t, func() {
		a, err1 := NewPortSpecFromString("10:20", "value")
		b, err2 := NewPortSpecFromString("10", "value")
		So(err1, ShouldBeNil)
		So(err2, ShouldBeNil)
		Convey("I should get true", func() {
			So(a.Overlaps(b), ShouldBeTrue)
		})
	})

	Convey("Given two portspecs that partially overlap at the end point", t, func() {
		a, err1 := NewPortSpecFromString("10:20", "value")
		b, err2 := NewPortSpecFromString("20", "value")
		So(err1, ShouldBeNil)
		So(err2, ShouldBeNil)
		Convey("I should get true", func() {
			So(a.Overlaps(b), ShouldBeTrue)
		})
	})

	Convey("Given two portspecs that overlap", t, func() {
		a, err1 := NewPortSpecFromString("20", "value")
		b, err2 := NewPortSpecFromString("20", "value")
		So(err1, ShouldBeNil)
		So(err2, ShouldBeNil)
		Convey("I should get true", func() {
			So(a.Overlaps(b), ShouldBeTrue)
		})
	})

	Convey("Given two portspecs that do not overlap", t, func() {
		a, err1 := NewPortSpecFromString("80", "value")
		b, err2 := NewPortSpecFromString("443", "value")
		So(err1, ShouldBeNil)
		So(err2, ShouldBeNil)
		Convey("I should get true", func() {
			So(a.Overlaps(b), ShouldBeFalse)
		})
	})
}

func TestIntersect(t *testing.T) {
	Convey("Given two portspecs that don't intersect", t, func() {
		a, err1 := NewPortSpecFromString("10:20", "value")
		b, err2 := NewPortSpecFromString("30:40", "value")
		So(err1, ShouldBeNil)
		So(err2, ShouldBeNil)
		Convey("I should get false", func() {
			So(a.Intersects(b), ShouldBeFalse)
		})
	})

	Convey("Given two portspecs that intersect", t, func() {
		a, err1 := NewPortSpecFromString("10:50", "value")
		b, err2 := NewPortSpecFromString("30:40", "value")
		So(err1, ShouldBeNil)
		So(err2, ShouldBeNil)
		Convey("I should get true", func() {
			So(a.Intersects(b), ShouldBeTrue)
		})
	})

	Convey("Given two portspecs that intersect", t, func() {
		a, err1 := NewPortSpecFromString("10:50", "value")
		b, err2 := NewPortSpecFromString("45", "value")
		So(err1, ShouldBeNil)
		So(err2, ShouldBeNil)
		Convey("I should get true", func() {
			So(a.Intersects(b), ShouldBeTrue)
		})
	})

	Convey("Given two portspecs that partially overlap", t, func() {
		a, err1 := NewPortSpecFromString("10:35", "value")
		b, err2 := NewPortSpecFromString("30:40", "value")
		So(err1, ShouldBeNil)
		So(err2, ShouldBeNil)
		Convey("I should get true", func() {
			So(a.Intersects(b), ShouldBeFalse)
		})
	})

	Convey("Given two portspecs that partially overlap at the end", t, func() {
		a, err1 := NewPortSpecFromString("35:45", "value")
		b, err2 := NewPortSpecFromString("30:40", "value")
		So(err1, ShouldBeNil)
		So(err2, ShouldBeNil)
		Convey("I should get true", func() {
			So(a.Intersects(b), ShouldBeFalse)
		})
	})

	Convey("Given two portspecs that partially overlap at a point", t, func() {
		a, err1 := NewPortSpecFromString("10:20", "value")
		b, err2 := NewPortSpecFromString("10", "value")
		So(err1, ShouldBeNil)
		So(err2, ShouldBeNil)
		Convey("I should get true", func() {
			So(a.Intersects(b), ShouldBeTrue)
		})
	})

	Convey("Given two portspecs that partially overlap at the end point", t, func() {
		a, err1 := NewPortSpecFromString("10:20", "value")
		b, err2 := NewPortSpecFromString("20", "value")
		So(err1, ShouldBeNil)
		So(err2, ShouldBeNil)
		Convey("I should get true", func() {
			So(a.Intersects(b), ShouldBeTrue)
		})
	})

	Convey("Given two portspecs that overlap", t, func() {
		a, err1 := NewPortSpecFromString("20", "value")
		b, err2 := NewPortSpecFromString("20", "value")
		So(err1, ShouldBeNil)
		So(err2, ShouldBeNil)
		Convey("I should get true", func() {
			So(a.Intersects(b), ShouldBeTrue)
		})
	})

	Convey("Given two  portspecs that do not overlap", t, func() {
		a, err1 := NewPortSpecFromString("80", "value")
		b, err2 := NewPortSpecFromString("443", "value")
		So(err1, ShouldBeNil)
		So(err2, ShouldBeNil)
		Convey("I should get true", func() {
			So(a.Intersects(b), ShouldBeFalse)
		})
	})
}