package collector
import (
"fmt"
"time"
"go.aporeto.io/trireme-lib/controller/pkg/packettracing"
"go.aporeto.io/trireme-lib/policy"
)
// Flow event descriptions. These are the string values attached to a flow
// record to say why it was accepted or dropped (they appear to be the values
// carried in FlowRecord.DropReason — confirm against the datapath callers).
// The identifiers and their values are part of the exported API and must not
// be renamed or re-valued, even where the spelling is off.
const (
	// FlowReject indicates that a flow was rejected.
	FlowReject = "reject"
	// FlowAccept logs that a flow is accepted.
	FlowAccept = "accept"
	// MissingToken indicates that the token was missing.
	MissingToken = "missingtoken"
	// InvalidToken indicates that the token was invalid.
	InvalidToken = "token"
	// InvalidFormat indicates that the packet metadata were not correct.
	InvalidFormat = "format"
	// InvalidHeader indicates that the TCP header was not there.
	InvalidHeader = "header"
	// InvalidPayload indicates that the TCP payload was not there or bad.
	InvalidPayload = "payload"
	// InvalidContext indicates that there was no context in the metadata.
	InvalidContext = "context"
	// InvalidConnection indicates that there was no connection found.
	InvalidConnection = "connection"
	// InvalidState indicates that a packet was received without proper state information.
	InvalidState = "state"
	// InvalidNonse indicates that the nonce check failed (the misspelled
	// identifier and value are kept for compatibility).
	InvalidNonse = "nonse"
	// PolicyDrop indicates that the flow is rejected because of the policy decision.
	PolicyDrop = "policy"
	// APIPolicyDrop indicates that the request was dropped because of failed API validation.
	APIPolicyDrop = "api"
	// UnableToDial indicates that the proxy cannot dial out the connection.
	UnableToDial = "dial"
	// CompressedTagMismatch indicates that the compressed tag version is dissimilar.
	CompressedTagMismatch = "compressedtagmismatch"
	// EncryptionMismatch indicates that the policy encryption varies between client and server enforcer.
	EncryptionMismatch = "encryptionmismatch"
	// DatapathVersionMismatch indicates that the datapath version is dissimilar.
	DatapathVersionMismatch = "datapathversionmismatch"
	// PacketDrop indicates a single packet drop.
	PacketDrop = "packetdrop"
)
// Container event descriptions. These are the lifecycle event names reported
// for a container (they appear to be the values carried in
// ContainerRecord.Event — confirm against the callers).
const (
	// ContainerStart indicates a container start event.
	ContainerStart = "start"
	// ContainerStop indicates a container stop event.
	ContainerStop = "stop"
	// ContainerCreate indicates a container create event.
	ContainerCreate = "create"
	// ContainerDelete indicates a container delete event.
	ContainerDelete = "delete"
	// ContainerUpdate indicates a container policy update event.
	ContainerUpdate = "update"
	// ContainerFailed indicates that a container was stopped because of policy
	// issues; note the value is "forcestop", not "failed".
	ContainerFailed = "forcestop"
	// ContainerIgnored indicates that the container will be ignored by Trireme.
	ContainerIgnored = "ignore"
	// ContainerDeleteUnknown indicates that policy for an unknown container was deleted.
	ContainerDeleteUnknown = "unknowncontainer"
)
// Miscellaneous well-known string values used in records.
const (
	// PolicyValid marks a normal flow accept.
	PolicyValid = "V"
	// DefaultEndPoint provides a string for unknown container sources.
	DefaultEndPoint = "default"
	// SomeClaimsSource provides a string for a "some claims" flow source.
	SomeClaimsSource = "some-claims"
)
// EventCollector is the interface for collecting events. It is the single
// sink for every report type defined in this file (flow, container, user,
// trace, packet, counter and DNS records).
type EventCollector interface {
	// CollectFlowEvent collects a flow event.
	CollectFlowEvent(record *FlowRecord)
	// CollectContainerEvent collects a container event.
	CollectContainerEvent(record *ContainerRecord)
	// CollectUserEvent collects a user event.
	CollectUserEvent(record *UserRecord)
	// CollectTraceEvent collects a set of trace messages generated with the
	// iptables trace command; the records are passed through as raw strings.
	CollectTraceEvent(records []string)
	// CollectPacketEvent collects a packet event from nfqdatapath.
	CollectPacketEvent(report *PacketReport)
	// CollectCounterEvent collects the datapath counters reported by a PU
	// (see CounterReport).
	CollectCounterEvent(counterReport *CounterReport)
	// CollectDNSRequests collects the DNS requests made by PUs
	// (see DNSRequestReport).
	CollectDNSRequests(request *DNSRequestReport)
}
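// EndPointType is the type of an endpoint (PU or an external IP address).
type EndPointType byte

const (
	// EndPointTypeExternalIP indicates that the endpoint is an external IP address.
	EndPointTypeExternalIP EndPointType = iota
	// EnpointTypePU indicates that the endpoint is a PU. The misspelled
	// identifier is part of the exported API and is kept for compatibility.
	EnpointTypePU
	// EndpointTypeClaims indicates that the endpoint is of type claims.
	EndpointTypeClaims
)

// EndPointType values (not only pointers to them) satisfy fmt.Stringer, so
// %s/%v on an EndPoint.Type prints the name rather than the raw byte.
var _ fmt.Stringer = EndPointType(0)

// String returns the short name of the endpoint type: "ext", "pu" or
// "claims". Any value outside the three constants falls back to "pu"
// (kept for backward compatibility, CS: 04/24/2018); callers that need to
// detect an out-of-range value must compare against the constants instead
// of inspecting the returned string.
//
// The receiver is a value so that the method is in the method set of both
// EndPointType and *EndPointType; existing calls through a pointer still work.
func (e EndPointType) String() string {
	switch e {
	case EndPointTypeExternalIP:
		return "ext"
	case EnpointTypePU:
		return "pu"
	case EndpointTypeClaims:
		return "claims"
	}
	return "pu" // backward compatibility (CS: 04/24/2018)
}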
// EndPoint is a structure that holds all the endpoint information for one
// side of a flow. Field order is part of the API (positional literals); do
// not reorder.
type EndPoint struct {
	// ID identifies the endpoint (for a PU endpoint presumably the PU id — confirm with callers).
	ID string
	// IP is the endpoint address as a string.
	IP string
	// URI and HTTPMethod are only meaningful for HTTP/API flows.
	URI        string
	HTTPMethod string
	// UserID is the user associated with the endpoint, when known.
	UserID string
	// Type says whether this endpoint is an external IP, a PU or a claims source.
	Type EndPointType
	// Port is the L4 port of the endpoint.
	Port uint16
}
// FlowRecord describes a flow record for statistics. One record summarises
// Count flows between Source and Destination that received the same policy
// decision. Field order is part of the API (positional literals); do not reorder.
type FlowRecord struct {
	ContextID string
	Namespace string
	// Source and Destination are pointers and may be nil in a partially
	// populated record; FlowRecord.String dereferences both.
	Source      *EndPoint
	Destination *EndPoint
	Tags        *policy.TagStore
	// DropReason is one of the flow event description constants above
	// (FlowReject, InvalidToken, ...) — confirm against the datapath callers.
	DropReason       string
	PolicyID         string
	ObservedPolicyID string
	ServiceType      policy.ServiceType
	ServiceID        string
	// Count is the number of flows aggregated into this record.
	Count int
	// Action is the enforced decision; ObservedAction/ObservedPolicyID carry
	// the decision of the observed (non-enforced) policy, presumably for
	// audit/report-only mode — confirm with the policy package.
	Action         policy.ActionType
	ObservedAction policy.ActionType
	// L4Protocol is the IP protocol number of the flow.
	L4Protocol uint8
}
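// String renders the record as a single log line.
//
// A nil Source or Destination is rendered with empty ID/IP and port 0
// instead of panicking, so a partially populated record can still be
// logged (a direct String() call on such a record used to crash, and
// fmt-formatting it produced a "%!s(PANIC=...)" line).
//
// The format string is deliberately unchanged so existing log parsers keep
// matching; note that the "mode:" field is filled with DropReason.
func (f *FlowRecord) String() string {
	src, dst := f.Source, f.Destination
	if src == nil {
		src = &EndPoint{}
	}
	if dst == nil {
		dst = &EndPoint{}
	}
	return fmt.Sprintf("<flowrecord contextID:%s namespace:%s count:%d sourceID:%s destinationID:%s sourceIP: %s destinationIP:%s destinationPort:%d action:%s mode:%s>",
		f.ContextID,
		f.Namespace,
		f.Count,
		src.ID,
		dst.ID,
		src.IP,
		dst.IP,
		dst.Port,
		f.Action.String(),
		f.DropReason,
	)
}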
// ContainerRecord is a statistics record for a container lifecycle event.
type ContainerRecord struct {
	ContextID string
	IPAddress policy.ExtendedMap
	Tags      *policy.TagStore
	// Event is the lifecycle event name; presumably one of the container
	// event description constants above (ContainerStart, ...) — confirm with callers.
	Event string
}
// UserRecord reports a new user access. These will be reported
// periodically.
type UserRecord struct {
	ID        string
	Namespace string
	// Claims are the identity claims presented by the user, as strings.
	Claims []string
}
// PacketReport is the struct which is used to report packets captured in the
// datapath. Field order is part of the API (positional literals); do not reorder.
type PacketReport struct {
	TCPFlags        int
	Claims          []string
	DestinationIP   string
	DestinationPort int
	// DropReason, when set, says why the packet was dropped (presumably one of
	// the flow event description constants above — confirm with nfqdatapath).
	DropReason string
	Encrypt    bool
	Event      packettracing.PacketEvent
	Length     int
	Mark       int
	Namespace  string
	PacketID   int
	Protocol   int
	PUID       string
	SourceIP   string
	SourcePort int
	// TriremePacket marks packets that carry Trireme's own metadata.
	TriremePacket bool
	// Payload holds raw bytes of the captured packet and so may contain
	// application data; treat it as sensitive when the report is exported or
	// logged. Whether it is the full packet or a truncated prefix is not
	// visible here — confirm with the datapath.
	Payload []byte
}
// DNSRequestReport is used to report DNS requests being made by PUs.
type DNSRequestReport struct {
	Namespace string
	// Source is the requesting endpoint; it is a pointer and may be nil.
	Source *EndPoint
	// NameLookup is the queried name.
	NameLookup string
	// Error is the lookup error text, empty on success.
	Error string
	// Count is the number of requests aggregated into this report.
	Count int
	// Ts is the report timestamp.
	Ts time.Time
}
// Counters represents a single counter entry with a name and its current value.
type Counters struct {
	Name string
	// Value is a 32-bit counter; it will wrap on overflow.
	Value uint32
}
// CounterReport is sent from a PU to report its datapath Counters.
type CounterReport struct {
	Namespace string
	ContextID string
	// Counters is the batch of counter entries in this report.
	Counters []Counters
}