package collector
import (
"fmt"
"time"
"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packettracing"
"go.aporeto.io/enforcerd/trireme-lib/policy"
"go.aporeto.io/gaia"
)
// Flow event descriptions.
//
// These are plain string values rather than a closed enum. They are likely to
// appear verbatim in emitted flow reports (FlowRecord.String prints DropReason),
// so treat the set as a stable external vocabulary: add new values rather than
// renaming existing ones.
const (
	// FlowReject indicates that a flow was rejected.
	FlowReject = "reject"
	// FlowAccept indicates that a flow was accepted.
	FlowAccept = "accept"
	// MissingToken indicates that the token was missing.
	MissingToken = "missingtoken"
	// InvalidToken indicates that the token was invalid.
	InvalidToken = "token"
	// InvalidFormat indicates that the packet metadata were not correct.
	InvalidFormat = "format"
	// InvalidHeader indicates that the TCP header was not there.
	InvalidHeader = "header"
	// InvalidPayload indicates that the TCP payload was not there or was bad.
	InvalidPayload = "payload"
	// InvalidContext indicates that there was no context in the metadata.
	InvalidContext = "context"
	// InvalidConnection indicates that no connection was found.
	InvalidConnection = "connection"
	// InvalidState indicates that a packet was received without proper state information.
	InvalidState = "state"
	// InvalidNonse indicates that the nonce check failed. The identifier and
	// the value keep the historical "nonse" spelling; changing either would
	// change the emitted reason string.
	InvalidNonse = "nonse"
	// PolicyDrop indicates that the flow was rejected because of the policy decision.
	PolicyDrop = "policy"
	// APIPolicyDrop indicates that the request was dropped because of failed API validation.
	APIPolicyDrop = "api"
	// UnableToDial indicates that the proxy could not dial out the connection.
	UnableToDial = "dial"
	// CompressedTagMismatch indicates that the compressed tag version differs between the two sides.
	CompressedTagMismatch = "compressedtagmismatch"
	// EncryptionMismatch indicates that the policy encryption setting differs between client and server enforcer.
	EncryptionMismatch = "encryptionmismatch"
	// DatapathVersionMismatch indicates that the datapath version differs between the two sides.
	DatapathVersionMismatch = "datapathversionmismatch"
	// PacketDrop indicates a single packet drop.
	PacketDrop = "packetdrop"
)
// Container event descriptions. These are the values carried in
// ContainerRecord.Event (presumably — the producer is not in this file).
const (
	// ContainerStart indicates a container start event.
	ContainerStart = "start"
	// ContainerStop indicates a container stop event.
	ContainerStop = "stop"
	// ContainerCreate indicates a container create event.
	ContainerCreate = "create"
	// ContainerDelete indicates a container delete event.
	ContainerDelete = "delete"
	// ContainerUpdate indicates a container policy update event.
	ContainerUpdate = "update"
	// ContainerFailed indicates that a container was stopped because of policy issues.
	// Note the value is "forcestop", not "failed".
	ContainerFailed = "forcestop"
	// ContainerIgnored indicates that the container will be ignored by Trireme.
	ContainerIgnored = "ignore"
	// ContainerDeleteUnknown indicates that policy for an unknown container was deleted.
	ContainerDeleteUnknown = "unknowncontainer"
)
// Miscellaneous well-known strings used in records.
const (
	// PolicyValid marks a normal flow accept.
	PolicyValid = "V"
	// DefaultEndPoint is the placeholder string used for unknown container sources.
	DefaultEndPoint = "default"
	// SomeClaimsSource is the placeholder string used for a "some claims" flow source.
	SomeClaimsSource = "some-claims"
)
// EventCollector is the interface for collecting events.
//
// Every method receives its record by pointer (or as a slice, for trace
// events). This file does not state whether the caller reuses the record
// after the call returns, nor whether methods may be invoked concurrently;
// an implementation should copy whatever it retains and guard its own state.
// TODO confirm against the datapath callers.
type EventCollector interface {
	// CollectFlowEvent collects a flow event.
	CollectFlowEvent(record *FlowRecord)
	// CollectContainerEvent collects a container event.
	CollectContainerEvent(record *ContainerRecord)
	// CollectUserEvent collects a user event.
	CollectUserEvent(record *UserRecord)
	// CollectTraceEvent collects a set of trace messages generated with the iptables trace command.
	CollectTraceEvent(records []string)
	// CollectPacketEvent collects a packet event from nfqdatapath.
	CollectPacketEvent(report *PacketReport)
	// CollectCounterEvent collects a CounterReport carrying datapath counters for a PU.
	CollectCounterEvent(counterReport *CounterReport)
	// CollectDNSRequests collects the DNS requests made by a PU.
	CollectDNSRequests(request *DNSRequestReport)
	// CollectPingEvent collects a ping report.
	CollectPingEvent(report *PingReport)
	// CollectConnectionExceptionReport collects a connection exception report.
	CollectConnectionExceptionReport(report *ConnectionExceptionReport)
}
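// EndPointType is the type of an endpoint (PU or an external IP address).
type EndPointType byte

const (
	// EndPointTypeExternalIP indicates that the endpoint is an external IP address.
	EndPointTypeExternalIP EndPointType = iota
	// EndPointTypePU indicates that the endpoint is a PU.
	EndPointTypePU
	// EndPointTypeClaims indicates that the endpoint is of type claims.
	EndPointTypeClaims
)

// String returns the short name of the endpoint type: "ext", "pu" or "claims".
//
// Any value outside the three known constants is reported as "pu" for
// backward compatibility (CS: 04/24/2018). Callers that need to detect an
// out-of-range type must therefore compare the value itself, not its String()
// form.
//
// The receiver is a value so that EndPointType itself satisfies fmt.Stringer.
// With the earlier pointer receiver, formatting a non-addressable value (a
// constant, a struct field in a copied struct, a map element) with %s or %v
// printed the raw byte instead of the name. Callers holding a *EndPointType
// are unaffected: a pointer's method set includes value-receiver methods.
func (e EndPointType) String() string {
	switch e {
	case EndPointTypeExternalIP:
		return "ext"
	case EndPointTypePU:
		return "pu"
	case EndPointTypeClaims:
		return "claims"
	}
	return "pu" // backward compatibility (CS: 04/24/2018)
}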
// EndPoint holds all the information describing one side of a flow.
type EndPoint struct {
	// ID identifies the endpoint. For PU endpoints this is presumably the PU
	// identifier; what it holds for external-IP and claims endpoints is not
	// fixed in this file.
	ID string
	// IP is the endpoint's IP address in string form.
	IP string
	// URI is the request URI; presumably only populated for HTTP flows.
	URI string
	// HTTPMethod is the request method; presumably only populated for HTTP flows.
	HTTPMethod string
	// UserID identifies the user associated with the endpoint, if any.
	UserID string
	// Type says whether the endpoint is a PU, an external IP or a claims endpoint.
	Type EndPointType
	// Port is the transport-layer port.
	Port uint16
}
// FlowRecord describes a flow record for statistics.
type FlowRecord struct {
	// ContextID identifies the PU context that produced the record.
	ContextID string
	// Namespace is the namespace the record is reported under.
	Namespace string
	// Source and Destination are the two ends of the flow.
	Source      EndPoint
	Destination EndPoint
	// Tags carried with the record.
	Tags []string
	// DropReason is the reason a flow was rejected, presumably one of the flow
	// event description constants in this file. FlowRecord.String prints it
	// under the "mode" label.
	DropReason string
	// PolicyID is the enforced policy; ObservedPolicyID is the policy that
	// matched in observe mode (presumably; see ObservedAction).
	PolicyID         string
	ObservedPolicyID string
	ServiceType      policy.ServiceType
	ServiceID        string
	// Count is the number of flows aggregated into this record — presumably;
	// the aggregation is done outside this file.
	Count int
	// Action is the action taken on the flow. ObservedAction and
	// ObservedActionType describe the observe-mode decision — TODO confirm
	// their exact relationship with Action against the producer.
	Action             policy.ActionType
	ObservedAction     policy.ActionType
	ObservedActionType policy.ObserveActionType
	// L4Protocol is the IP protocol number of the flow.
	L4Protocol uint8
	// SourceController and DestinationController name the controllers
	// responsible for each end of the flow.
	SourceController      string
	DestinationController string
	// RuleName is the name of the rule that matched.
	RuleName string
}
// String renders the record as a one-line summary suitable for logs.
//
// Only the identifying fields are included: context, namespace, count, the
// IDs and IPs of both endpoints, the destination port, the action and the
// drop reason (printed under the "mode" label). Tags, policy IDs, service and
// observed-policy fields are not part of the output.
func (f *FlowRecord) String() string {
	const layout = "<flowrecord contextID:%s namespace:%s count:%d sourceID:%s destinationID:%s sourceIP: %s destinationIP:%s destinationPort:%d action:%s mode:%s>"
	src, dst := f.Source, f.Destination
	return fmt.Sprintf(layout,
		f.ContextID, f.Namespace, f.Count,
		src.ID, dst.ID, src.IP, dst.IP, dst.Port,
		f.Action.String(), f.DropReason,
	)
}
// ContainerRecord is a statistics record for a container.
type ContainerRecord struct {
	// ContextID identifies the container's PU context.
	ContextID string
	// IPAddress holds the container's addresses.
	IPAddress policy.ExtendedMap
	// Tags is the container's tag store; it is a pointer, so the record and the
	// producer may share the same store — copy before retaining if in doubt.
	Tags *policy.TagStore
	// Event is the container event, presumably one of the container event
	// description constants in this file.
	Event string
}
// UserRecord reports a new user access. These will be reported
// periodically.
type UserRecord struct {
	// ID identifies the user.
	ID string
	// Namespace is the namespace the access is reported under.
	Namespace string
	// Claims are the claims presented by the user.
	Claims []string
}
// PacketReport is the struct used to report packets captured in the datapath.
type PacketReport struct {
	// TCPFlags holds the TCP flag bits of the captured packet.
	TCPFlags int
	// Claims associated with the packet.
	Claims []string
	// DestinationIP and DestinationPort identify the packet's destination.
	DestinationIP   string
	DestinationPort int
	// DropReason is the reason the packet was dropped, if it was.
	DropReason string
	// Encrypt reports whether the packet was subject to encryption.
	Encrypt bool
	// Event is the tracing event that produced the report.
	Event packettracing.PacketEvent
	// Length is the packet length.
	Length int
	// Mark is the packet mark.
	Mark int
	// Namespace is the namespace the report is filed under.
	Namespace string
	// PacketID identifies the packet.
	PacketID int
	// Protocol is the IP protocol number.
	Protocol int
	// PUID identifies the PU the packet belongs to.
	PUID string
	// SourceIP and SourcePort identify the packet's source.
	SourceIP   string
	SourcePort int
	// TriremePacket reports whether the packet is a Trireme control packet —
	// presumably; the classification is not done in this file.
	TriremePacket bool
	// Timestamp of the capture. NOTE(review): the unit (seconds vs nanoseconds)
	// is not stated in this file — confirm against the producer.
	Timestamp int64
	// Payload is the raw packet payload as captured. Nothing in this file
	// bounds its size or sanitizes it; collectors that log or persist reports
	// should treat it as untrusted bytes from the network and consider
	// truncating or omitting it.
	Payload []byte
}
// DNSRequestReport is used to report DNS requests being made by PUs.
type DNSRequestReport struct {
	// ContextID identifies the PU context making the request.
	ContextID string
	// Namespace is the namespace the report is filed under.
	Namespace string
	// Source and Destination are the two ends of the DNS exchange; both are
	// pointers and may be nil — check before dereferencing.
	Source      *EndPoint
	Destination *EndPoint
	// NameLookup is the name that was looked up.
	NameLookup string
	// Error is the resolution error, if any, in string form.
	Error string
	// Count is the number of requests aggregated into this report (presumably).
	Count int
	// Ts is the time of the report.
	Ts time.Time
	// IPs are the addresses the name resolved to.
	IPs []string
}
// Counters is the current value of a single datapath counter.
//
// The type carries only the value; despite the original wording there is no
// name in it. The counter's identity presumably comes from its position in
// CounterReport.Counters — confirm against the producer and consumer.
type Counters uint32
// CounterReport is produced by a PU to report Counters from the datapath.
type CounterReport struct {
	// Namespace is the namespace the report is filed under.
	Namespace string
	// PUID identifies the reporting PU.
	PUID string
	// Timestamp of the report. NOTE(review): the unit is not stated in this
	// file — confirm against the producer.
	Timestamp int64
	// Counters holds one value per counter; presumably indexed by counter kind.
	Counters []Counters
}
// PingReport represents a single ping report from the datapath.
type PingReport struct {
	// PingID and IterationID identify the ping run and the iteration within it.
	PingID      string
	IterationID int
	// Type is the probe type.
	Type gaia.PingProbeTypeValue
	// PUID and Namespace identify the reporting PU.
	PUID      string
	Namespace string
	// FourTuple is the connection four-tuple in string form.
	FourTuple string
	// RTT is the measured round-trip time, kept as a string.
	RTT string
	// Protocol is the IP protocol number.
	Protocol int
	// ServiceType describes the service being probed.
	ServiceType string
	// PayloadSize and PayloadSizeType describe the probe payload.
	PayloadSize     int
	PayloadSizeType gaia.PingProbePayloadSizeTypeValue
	// PolicyID and PolicyAction are the network policy decision for the probe.
	PolicyID     string
	PolicyAction policy.ActionType
	// AgentVersion is the version of the reporting agent.
	AgentVersion string
	// ApplicationListening reports whether an application was listening on the target.
	ApplicationListening bool
	// SeqNum is the probe sequence number.
	SeqNum uint32
	// TargetTCPNetworks and ExcludedNetworks report whether the target matched
	// those network sets.
	TargetTCPNetworks bool
	ExcludedNetworks  bool
	// Error is the probe error, if any, in string form.
	Error string
	// Claims and ClaimsType describe the claims observed for the probe.
	Claims     []string
	ClaimsType gaia.PingProbeClaimsTypeValue
	// ACLPolicyID and ACLPolicyAction are the ACL policy decision for the probe.
	ACLPolicyID     string
	ACLPolicyAction policy.ActionType
	// PeerCertIssuer, PeerCertSubject and PeerCertExpiry describe the peer's
	// certificate — presumably the TLS peer; the source is not shown here.
	PeerCertIssuer  string
	PeerCertSubject string
	PeerCertExpiry  time.Time
	// IsServer reports whether this side acted as the server.
	IsServer bool
	// ServiceID identifies the service.
	ServiceID string
	// Remote PU fields.
	RemoteController    string
	RemotePUID          string
	RemoteEndpointType  EndPointType
	RemoteNamespace     string
	RemoteNamespaceType gaia.PingProbeRemoteNamespaceTypeValue
}
// IPTablesTrace is a bundle of iptables trace records.
type IPTablesTrace struct {
	// Namespace is the namespace the trace is filed under.
	Namespace string
	// Timestamp of the bundle. NOTE(review): the unit is not stated in this
	// file — confirm against the producer.
	Timestamp int64
	// Records are the parsed trace events; entries are pointers and may be nil.
	Records []*IPTablesTraceRecord
}
// IPTablesTraceRecord is the information parsed out of a trace event message.
//
// The fields are parsed from text produced outside this file; whether values
// such as ports and TTL are range-checked depends on that parser, so consumers
// should not assume they are validated without checking it.
type IPTablesTraceRecord struct {
	// TTL is the packet's IP time-to-live.
	TTL int
	// Chain is the iptables chain the trace event was logged from.
	Chain string
	// DestinationIP, DestinationInterface and DestinationPort describe the
	// packet's destination side.
	DestinationIP        string
	DestinationInterface string
	DestinationPort      int
	// Length is the packet length.
	Length int
	// PacketID identifies the packet.
	PacketID int
	// Protocol is the IP protocol number.
	Protocol int
	// RuleID is the rule number within the chain.
	RuleID int
	// SourceIP, SourceInterface and SourcePort describe the packet's source side.
	SourceIP        string
	SourceInterface string
	SourcePort      int
	// TableName is the iptables table the chain belongs to.
	TableName string
}
// ConnectionExceptionReport represents a single connection exception report
// from the datapath.
type ConnectionExceptionReport struct {
	// Timestamp of the report.
	Timestamp time.Time
	// PUID and Namespace identify the reporting PU.
	PUID      string
	Namespace string
	// Protocol is the IP protocol number.
	Protocol int
	// SourceIP, DestinationIP and DestinationPort identify the connection.
	SourceIP        string
	DestinationIP   string
	DestinationPort uint16
	// State is the connection state at the time of the exception, in string form.
	State string
	// Reason describes why the exception was raised.
	Reason string
	// Value is an additional numeric detail; its meaning is not defined in
	// this file — confirm against the producer.
	Value uint32
}