github.com/aporeto-inc/trireme-lib@v10.358.0+incompatible/controller/internal/enforcer/nfqdatapath/utils.go (about) 1 package nfqdatapath 2 3 import ( 4 "go.aporeto.io/enforcerd/trireme-lib/collector" 5 "go.aporeto.io/enforcerd/trireme-lib/controller/pkg/connection" 6 "go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packet" 7 "go.aporeto.io/enforcerd/trireme-lib/controller/pkg/pucontext" 8 "go.aporeto.io/enforcerd/trireme-lib/policy" 9 ) 10 11 func (d *Datapath) reportAcceptedFlow(p *packet.Packet, conn *connection.TCPConnection, sourceID string, destID string, context *pucontext.PUContext, report *policy.FlowPolicy, packet *policy.FlowPolicy, reverse bool) { // nolint:unparam 12 13 if sourceID == destID { 14 report = &policy.FlowPolicy{ 15 Action: policy.Accept | policy.Log, 16 PolicyID: "local", 17 } 18 packet = report 19 } 20 21 sourceController, destinationController := getTCPConnectionInfo(conn) 22 23 src, dst := d.generateEndpoints(p, sourceID, destID, reverse) 24 25 d.reportFlow(p, src, dst, context, "", report, packet, sourceController, destinationController) 26 } 27 28 func (d *Datapath) reportRejectedFlow(p *packet.Packet, conn *connection.TCPConnection, sourceID string, destID string, context *pucontext.PUContext, mode string, report *policy.FlowPolicy, packet *policy.FlowPolicy, reverse bool) { // nolint:unparam 29 30 if report == nil { 31 report = &policy.FlowPolicy{ 32 Action: policy.Reject | policy.Log, 33 PolicyID: "default", 34 } 35 } 36 if packet == nil { 37 packet = report 38 } 39 40 sourceController, destinationController := getTCPConnectionInfo(conn) 41 42 src, dst := d.generateEndpoints(p, sourceID, destID, reverse) 43 44 d.reportFlow(p, src, dst, context, mode, report, packet, sourceController, destinationController) 45 } 46 47 func (d *Datapath) reportUDPAcceptedFlow(p *packet.Packet, conn *connection.UDPConnection, sourceID string, destID string, context *pucontext.PUContext, report *policy.FlowPolicy, packet *policy.FlowPolicy, reverse bool) { // nolint:unparam 48 49 sourceController, destinationController := getUDPConnectionInfo(conn) 50 51 src, dst := d.generateEndpoints(p, sourceID, destID, reverse) 52 53 d.reportFlow(p, src, dst, context, "", report, packet, sourceController, destinationController) 54 } 55 56 func (d *Datapath) reportUDPRejectedFlow(p *packet.Packet, conn *connection.UDPConnection, sourceID string, destID string, context *pucontext.PUContext, mode string, report *policy.FlowPolicy, packet *policy.FlowPolicy, reverse bool) { // nolint:unparam 57 if report == nil { 58 report = &policy.FlowPolicy{ 59 Action: policy.Reject | policy.Log, 60 PolicyID: "default", 61 } 62 } 63 if packet == nil { 64 packet = report 65 } 66 67 sourceController, destinationController := getUDPConnectionInfo(conn) 68 69 src, dst := d.generateEndpoints(p, sourceID, destID, reverse) 70 d.reportFlow(p, src, dst, context, mode, report, packet, sourceController, destinationController) 71 } 72 73 func (d *Datapath) reportExternalServiceFlowCommon(context *pucontext.PUContext, report *policy.FlowPolicy, actual *policy.FlowPolicy, app bool, p *packet.Packet, src, dst *collector.EndPoint) { 74 if app { 75 // If you have an observe policy then its external network gets reported as the dest or src ID. 76 // Really we should has an oSrc and oDest ID but currently we don't. 77 src.ID = context.ManagementID() 78 src.Type = collector.EndPointTypePU 79 dst.ID = report.ServiceID 80 dst.Type = collector.EndPointTypeExternalIP 81 } else { 82 src.ID = report.ServiceID 83 src.Type = collector.EndPointTypeExternalIP 84 dst.ID = context.ManagementID() 85 dst.Type = collector.EndPointTypePU 86 } 87 88 dropReason := "" 89 if report.Action.Rejected() || actual.Action.Rejected() { 90 dropReason = collector.PolicyDrop 91 } 92 93 record := &collector.FlowRecord{ 94 ContextID: context.ID(), 95 Source: *src, 96 Destination: *dst, 97 DropReason: dropReason, 98 Action: actual.Action, 99 PolicyID: actual.PolicyID, 100 L4Protocol: p.IPProto(), 101 Namespace: context.ManagementNamespace(), 102 Count: 1, 103 RuleName: actual.RuleName, 104 } 105 106 if context.Annotations() != nil { 107 record.Tags = context.Annotations().GetSlice() 108 } 109 110 if report.ObserveAction.Observed() { 111 record.ObservedAction = report.Action 112 record.ObservedPolicyID = report.PolicyID 113 record.ObservedActionType = report.ObserveAction 114 } 115 116 d.collector.CollectFlowEvent(record) 117 } 118 119 func (d *Datapath) reportExternalServiceFlow(context *pucontext.PUContext, report *policy.FlowPolicy, packet *policy.FlowPolicy, app bool, p *packet.Packet) { 120 121 src := &collector.EndPoint{ 122 IP: p.SourceAddress().String(), 123 Port: p.SourcePort(), 124 } 125 126 dst := &collector.EndPoint{ 127 IP: p.DestinationAddress().String(), 128 Port: p.DestPort(), 129 } 130 131 d.reportExternalServiceFlowCommon(context, report, packet, app, p, src, dst) 132 } 133 134 func (d *Datapath) reportReverseExternalServiceFlow(context *pucontext.PUContext, report *policy.FlowPolicy, packet *policy.FlowPolicy, app bool, p *packet.Packet) { 135 136 src := &collector.EndPoint{ 137 IP: p.DestinationAddress().String(), 138 Port: p.DestPort(), 139 } 140 141 dst := &collector.EndPoint{ 142 IP: p.SourceAddress().String(), 143 Port: p.SourcePort(), 144 } 145 146 d.reportExternalServiceFlowCommon(context, report, packet, app, p, src, dst) 147 } 148 149 func (d *Datapath) generateEndpoints(p *packet.Packet, sourceID string, destID string, reverse bool) (*collector.EndPoint, *collector.EndPoint) { 150 151 src := &collector.EndPoint{ 152 ID: sourceID, 153 IP: p.SourceAddress().String(), 154 Port: p.SourcePort(), 155 Type: collector.EndPointTypePU, 156 } 157 158 dst := &collector.EndPoint{ 159 ID: destID, 160 IP: p.DestinationAddress().String(), 161 Port: p.DestPort(), 162 Type: collector.EndPointTypePU, 163 } 164 165 if src.ID == collector.DefaultEndPoint { 166 src.Type = collector.EndPointTypeExternalIP 167 } 168 if dst.ID == collector.DefaultEndPoint { 169 dst.Type = collector.EndPointTypeExternalIP 170 } 171 172 if reverse { 173 return dst, src 174 } 175 176 return src, dst 177 } 178 179 func getTCPConnectionInfo(conn *connection.TCPConnection) (string, string) { 180 sourceController, destinationController := "", "" 181 if conn != nil { 182 sourceController, destinationController = conn.SourceController, conn.DestinationController 183 } 184 return sourceController, destinationController 185 } 186 187 func getUDPConnectionInfo(conn *connection.UDPConnection) (string, string) { 188 sourceController, destinationController := "", "" 189 if conn != nil { 190 sourceController, destinationController = conn.SourceController, conn.DestinationController 191 } 192 return sourceController, destinationController 193 }