connections

package
v1.15.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 25, 2024 License: Apache-2.0 Imports: 32 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func NetlinkFlowToAntreaConnection 

func NetlinkFlowToAntreaConnection(conn *conntrack.Flow) *flowexporter.Connection

func NewConnTrackOvsAppCtl 

func NewConnTrackOvsAppCtl(nodeConfig *config.NodeConfig, serviceCIDRv4 netip.Prefix, serviceCIDRv6 netip.Prefix, isAntreaProxyEnabled bool) *connTrackOvsCtl

func NewConnTrackSystem 

func NewConnTrackSystem(nodeConfig *config.NodeConfig, serviceCIDRv4 netip.Prefix, serviceCIDRv6 netip.Prefix, isAntreaProxyEnabled bool) *connTrackSystem

TODO: detect the endianness of the system when initializing conntrack dumper to handle situations on big-endian platforms. All connection labels are required to store in little endian format in conntrack dumper.

func NewConnectionStore 

func NewConnectionStore(
	podStore podstore.Interface,
	proxier proxy.Proxier,
	o *flowexporter.FlowExporterOptions) connectionStore

func SetupConntrackParameters 

func SetupConntrackParameters() error

Types

type ConnTrackDumper 

type ConnTrackDumper interface {
	// DumpFlows returns a list of filtered connections and the number of total connections.
	DumpFlows(zoneFilter uint16) ([]*flowexporter.Connection, int, error)
	// GetMaxConnections returns the size of the connection tracking table.
	GetMaxConnections() (int, error)
}

ConnTrackDumper is an interface that is used to dump connections from conntrack module. This supports dumping through netfilter socket (OVS kernel datapath) and ovs-appctl command (OVS userspace datapath). In future, support will be extended to Windows.

func InitializeConnTrackDumper 

func InitializeConnTrackDumper(nodeConfig *config.NodeConfig, serviceCIDRv4 *net.IPNet, serviceCIDRv6 *net.IPNet, ovsDatapathType ovsconfig.OVSDatapathType, isAntreaProxyEnabled bool) ConnTrackDumper

InitializeConnTrackDumper initializes the ConnTrackDumper interface for different OS and datapath types.

type ConntrackConnectionStore 

type ConntrackConnectionStore struct {
	// contains filtered or unexported fields
}

func NewConntrackConnectionStore 

func NewConntrackConnectionStore(
	connTrackDumper ConnTrackDumper,
	v4Enabled bool,
	v6Enabled bool,
	npQuerier querier.AgentNetworkPolicyInfoQuerier,
	podStore podstore.Interface,
	proxier proxy.Proxier,
	l7EventMapGetterFunc L7EventMapGetter,
	o *flowexporter.FlowExporterOptions,
) *ConntrackConnectionStore

func (*ConntrackConnectionStore) AcquireConnStoreLock added in v1.4.0 

func (cs *ConntrackConnectionStore) AcquireConnStoreLock()

func (*ConntrackConnectionStore) AddConnToMap added in v1.2.0 

func (cs *ConntrackConnectionStore) AddConnToMap(connKey *flowexporter.ConnectionKey, conn *flowexporter.Connection)

AddConnToMap adds the connection to connections map given connection key. This is used only for unit tests.

func (*ConntrackConnectionStore) AddOrUpdateConn 

func (cs *ConntrackConnectionStore) AddOrUpdateConn(conn *flowexporter.Connection)

AddOrUpdateConn updates the connection if it is already present, i.e., update timestamp, counters etc., or adds a new connection with the resolved K8s metadata.

func (*ConntrackConnectionStore) ForAllConnectionsDo 

func (cs *ConntrackConnectionStore) ForAllConnectionsDo(callback flowexporter.ConnectionMapCallBack) error

ForAllConnectionsDo execute the callback for each connection in connection map.

func (*ConntrackConnectionStore) ForAllConnectionsDoWithoutLock added in v1.7.0 

func (cs *ConntrackConnectionStore) ForAllConnectionsDoWithoutLock(callback flowexporter.ConnectionMapCallBack) error

ForAllConnectionsDoWithoutLock execute the callback for each connection in connection map, without grabbing the lock. Caller is expected to grab lock.

func (*ConntrackConnectionStore) GetConnByKey 

func (cs *ConntrackConnectionStore) GetConnByKey(connKey flowexporter.ConnectionKey) (*flowexporter.Connection, bool)

GetConnByKey gets the connection in connection map given the connection key.

func (*ConntrackConnectionStore) GetExpiredConns added in v1.4.0 

func (cs *ConntrackConnectionStore) GetExpiredConns(expiredConns []flowexporter.Connection, currTime time.Time, maxSize int) ([]flowexporter.Connection, time.Duration)

func (*ConntrackConnectionStore) GetPriorityQueue added in v1.5.0 

func (cs *ConntrackConnectionStore) GetPriorityQueue() *priorityqueue.ExpirePriorityQueue

func (*ConntrackConnectionStore) Poll 

func (cs *ConntrackConnectionStore) Poll() ([]int, error)

Poll calls into conntrackDumper interface to dump conntrack flows. It returns the number of connections for each address family, as a slice. In dual-stack clusters, the slice will contain 2 values (number of IPv4 connections first, then number of IPv6 connections). TODO: As optimization, only poll invalid/closed connections during every poll, and poll the established connections right before the export.

func (*ConntrackConnectionStore) ReleaseConnStoreLock added in v1.4.0 

func (cs *ConntrackConnectionStore) ReleaseConnStoreLock()

func (*ConntrackConnectionStore) Run 

func (cs *ConntrackConnectionStore) Run(stopCh <-chan struct{})

Run enables the periodical polling of conntrack connections at a given flowPollInterval.

func (*ConntrackConnectionStore) UpdateConnAndQueue added in v1.4.0 

func (cs *ConntrackConnectionStore) UpdateConnAndQueue(pqItem *flowexporter.ItemToExpire, currTime time.Time)

UpdateConnAndQueue deletes the inactive connection from keyToItem map, without adding it back to the PQ. In this way, we can avoid to reset the item's expire time every time we encounter it in the PQ. The method also updates active connection's stats fields and adds it back to the PQ. Layer 7 fields should be set to default to prevent from re-exporting same values.

type DenyConnectionStore 

type DenyConnectionStore struct {
	// contains filtered or unexported fields
}

func NewDenyConnectionStore 

func NewDenyConnectionStore(podStore podstore.Interface, proxier proxy.Proxier, o *flowexporter.FlowExporterOptions) *DenyConnectionStore

func (*DenyConnectionStore) AcquireConnStoreLock added in v1.4.0 

func (cs *DenyConnectionStore) AcquireConnStoreLock()

func (*DenyConnectionStore) AddConnToMap added in v1.2.0 

func (cs *DenyConnectionStore) AddConnToMap(connKey *flowexporter.ConnectionKey, conn *flowexporter.Connection)

AddConnToMap adds the connection to connections map given connection key. This is used only for unit tests.

func (*DenyConnectionStore) AddOrUpdateConn 

func (ds *DenyConnectionStore) AddOrUpdateConn(conn *flowexporter.Connection, timeSeen time.Time, bytes uint64)

AddOrUpdateConn updates the connection if it is already present, i.e., update timestamp, counters etc., or adds a new connection with the resolved K8s metadata.

func (*DenyConnectionStore) ForAllConnectionsDo 

func (cs *DenyConnectionStore) ForAllConnectionsDo(callback flowexporter.ConnectionMapCallBack) error

ForAllConnectionsDo execute the callback for each connection in connection map.

func (*DenyConnectionStore) ForAllConnectionsDoWithoutLock added in v1.7.0 

func (cs *DenyConnectionStore) ForAllConnectionsDoWithoutLock(callback flowexporter.ConnectionMapCallBack) error

ForAllConnectionsDoWithoutLock execute the callback for each connection in connection map, without grabbing the lock. Caller is expected to grab lock.

func (*DenyConnectionStore) GetConnByKey 

func (cs *DenyConnectionStore) GetConnByKey(connKey flowexporter.ConnectionKey) (*flowexporter.Connection, bool)

GetConnByKey gets the connection in connection map given the connection key.

func (*DenyConnectionStore) GetExpiredConns added in v1.4.0 

func (ds *DenyConnectionStore) GetExpiredConns(expiredConns []flowexporter.Connection, currTime time.Time, maxSize int) ([]flowexporter.Connection, time.Duration)

func (*DenyConnectionStore) GetPriorityQueue added in v1.5.0 

func (ds *DenyConnectionStore) GetPriorityQueue() *priorityqueue.ExpirePriorityQueue

func (*DenyConnectionStore) ReleaseConnStoreLock added in v1.4.0 

func (cs *DenyConnectionStore) ReleaseConnStoreLock()

func (*DenyConnectionStore) RunPeriodicDeletion added in v1.2.1 

func (ds *DenyConnectionStore) RunPeriodicDeletion(stopCh <-chan struct{})

func (*DenyConnectionStore) UpdateConnAndQueue added in v1.4.0 

func (cs *DenyConnectionStore) UpdateConnAndQueue(pqItem *flowexporter.ItemToExpire, currTime time.Time)

UpdateConnAndQueue deletes the inactive connection from keyToItem map, without adding it back to the PQ. In this way, we can avoid to reset the item's expire time every time we encounter it in the PQ. The method also updates active connection's stats fields and adds it back to the PQ. Layer 7 fields should be set to default to prevent from re-exporting same values.

type Http added in v1.15.0 

type Http struct {
	Hostname      string `json:"hostname"`
	URL           string `json:"url"`
	UserAgent     string `json:"http_user_agent"`
	ContentType   string `json:"http_content_type"`
	Method        string `json:"http_method"`
	Protocol      string `json:"protocol"`
	Status        int32  `json:"status"`
	ContentLength int32  `json:"length"`
}

Http holds the L7 HTTP flow JSON values.

type JsonToEvent added in v1.15.0 

type JsonToEvent struct {
	Timestamp   string     `json:"timestamp"`
	FlowID      int64      `json:"flow_id"`
	InInterface string     `json:"in_iface"`
	EventType   string     `json:"event_type"`
	VLAN        []int32    `json:"vlan"`
	SrcIP       netip.Addr `json:"src_ip"`
	SrcPort     int32      `json:"src_port"`
	DestIP      netip.Addr `json:"dest_ip"`
	DestPort    int32      `json:"dest_port"`
	Proto       string     `json:"proto"`
	TxID        int32      `json:"tx_id"`
	HTTP        *Http      `json:"http"`
}

JsonToEvent holds Suricata event JSON values. See https://docs.suricata.io/en/latest/output/eve/eve-json-format.html?highlight=HTTP%20event#event-types

type L7EventMapGetter added in v1.15.0 

type L7EventMapGetter interface {
	ConsumeL7EventMap() map[flowexporter.ConnectionKey]L7ProtocolFields
}

type L7Listener added in v1.15.0 

type L7Listener struct {
	// contains filtered or unexported fields
}

func NewL7Listener added in v1.15.0 

func NewL7Listener(
	podL7FlowExporterAttrGetter PodL7FlowExporterAttrGetter,
	podStore podstore.Interface) *L7Listener

func (*L7Listener) ConsumeL7EventMap added in v1.15.0 

func (l *L7Listener) ConsumeL7EventMap() map[flowexporter.ConnectionKey]L7ProtocolFields

func (*L7Listener) Run added in v1.15.0 

func (l *L7Listener) Run(stopCh <-chan struct{})

type L7ProtocolFields added in v1.15.0 

type L7ProtocolFields struct {
	// contains filtered or unexported fields
}

L7ProtocolFields holds layer 7 protocols supported

type NetFilterConnTrack 

type NetFilterConnTrack interface {
	Dial() error
	DumpFlowsInCtZone(zoneFilter uint16) ([]*flowexporter.Connection, error)
}

NetFilterConnTrack interface helps for testing the code that contains the third party library functions ("github.com/ti-mo/conntrack")

type PodL7FlowExporterAttrGetter added in v1.15.0 

type PodL7FlowExporterAttrGetter interface {
	IsL7FlowExporterRequested(podNN string, ingress bool) bool
}

Source Files

View all Source files

Directories

Path Synopsis
Code generated by MockGen.
 Code generated by MockGen.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.