Constants
const (
	// SOCK_DESTROY is the sock_diag netlink message type (linux/sock_diag.h) that asks the kernel to destroy the socket identified in the request.
	SOCK_DESTROY = 21
)
const StateFilterUDP = 0xffff
StateFilterUDP is a mask of all states considered for socket termination. No state is omitted.
Variables
var StateFilterTCP = stateMask(
	netlink.TCP_ESTABLISHED,
	netlink.TCP_CLOSE_WAIT,
	netlink.TCP_FIN_WAIT1,
	netlink.TCP_FIN_WAIT2,
	netlink.TCP_SYN_RECV,
	netlink.TCP_NEW_SYN_REC,
	netlink.TCP_CLOSE,
	netlink.TCP_SYN_SENT,
	netlink.TCP_CLOSING,
	netlink.TCP_LAST_ACK,
	netlink.TCP_LISTEN,
)
StateFilterTCP is a mask of the states considered for socket termination. Instead of destroying sockets in every state, it makes some notable omissions, documented below:
TCP_CLOSE: A destroy request for a socket in TCP_CLOSE fails with ENOENT. This is confusing, because ENOENT is also the error returned when the socket to be destroyed does not exist at all.
TCP_TIME_WAIT: A socket may enter this state after the close/FIN-wait states so that late segments which have not yet arrived are still absorbed. This serves security purposes and keeps stale traffic out of a new socket bound to the same address and port. For the socket LB it is technically unnecessary to destroy such sockets: the key is removed from the reverse NAT map in the cil_sock_release() hook, so they will not be found anyway. Skipping them also avoids wasting time iterating over them.
Note that the declaration above still passes netlink.TCP_CLOSE to stateMask; as listed, TCP_TIME_WAIT is the only state actually absent from the mask.
Functions
func DestroySocket added in v1.18.0
func DestroySocket(logger *slog.Logger, sock netlink.Socket, proto netlink.Proto, stateFilter uint32) error
DestroySocket sends a SOCK_DESTROY message via netlink and waits for the acknowledgement. It is built on primitives from the vishvananda/netlink library, but that library's default SocketDestroy() function is not sufficient here: it identifies a socket only by source and destination address, whereas this function destroys exactly the socket described by the given netlink.Socket object.
Types
type DestroySocketCB
type Socket added in v1.18.0
Socket is an alias of the netlink library's Socket type that additionally implements deserialization.
func (*Socket) Deserialize added in v1.18.0
Deserialize accepts the raw bytes of a netlink socket diag response and deserializes them into the target socket.
type SocketDestroyer
type SocketDestroyer interface {
Destroy(logger *slog.Logger, filter SocketFilter) error
}
func NewSocketDestroyer added in v1.19.0
NewSocketDestroyer creates a SocketDestroyer based on the capabilities of the current system. By default it chooses a destruction strategy built on BPF socket iterators; if that is not supported, it falls back to a netlink strategy based on sock_diag.
sockRevNat4 and sockRevNat6 must be provided to use the BPF-based strategy; otherwise initialization falls back to netlink.
type SocketFilter
type SocketFilter struct {
DestIp net.IP
DestPort uint16
Family uint8
Protocol uint8
States uint32
// Optional callback function to determine whether a filtered socket needs to be destroyed
DestroyCB DestroySocketCB
}
func (*SocketFilter) MatchSocket
func (f *SocketFilter) MatchSocket(socket netlink.SocketID) bool
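Worked example, added here by the editor and not code from Cilium or from vishvananda/netlink: it shows how the state mask documented under StateFilterTCP and the SocketFilter fields (family, protocol, States, DestIp/DestPort, DestroyCB) combine to pick the sockets that would be handed to DestroySocket. The TCP_* values mirror the kernel's numbering, which netlink's constants follow; stateMask is an assumed reimplementation of the package's unexported helper; the destination-only comparison in MatchSocket and the SelectForDestroy loop are this example's reading of how the filter is applied, not the package's code; and the socket list is constructed input.

```go
package main

import (
	"fmt"
	"net"
)

// TCP state numbers as the kernel (and netlink's TCP_* constants) define them, mirrored so the example runs without the vishvananda/netlink module.
const (
	TCP_ESTABLISHED uint8 = iota + 1
	TCP_SYN_SENT
	TCP_SYN_RECV
	TCP_FIN_WAIT1
	TCP_FIN_WAIT2
	TCP_TIME_WAIT
	TCP_CLOSE
	TCP_CLOSE_WAIT
	TCP_LAST_ACK
	TCP_LISTEN
	TCP_CLOSING
	TCP_NEW_SYN_REC
)

const AF_INET, IPPROTO_TCP, IPPROTO_UDP uint8 = 2, 6, 17

// stateMask builds a sock_diag idiag_states bitmask in which bit N selects state N (assumed to match the package's unexported helper).
func stateMask(states ...uint8) uint32 {
	var m uint32
	for _, s := range states {
		m |= 1 << s
	}
	return m
}

// StateFilterTCP repeats the page's list; TCP_TIME_WAIT is the state left out.
var StateFilterTCP = stateMask(TCP_ESTABLISHED, TCP_CLOSE_WAIT, TCP_FIN_WAIT1,
	TCP_FIN_WAIT2, TCP_SYN_RECV, TCP_NEW_SYN_REC, TCP_CLOSE, TCP_SYN_SENT,
	TCP_CLOSING, TCP_LAST_ACK, TCP_LISTEN)

// SocketID is the part of netlink.SocketID the filter inspects; Socket stands in for one sock_diag reply entry.
type SocketID struct {
	Source, Destination         net.IP
	SourcePort, DestinationPort uint16
}
type Socket struct {
	Family, Protocol, State uint8
	ID                      SocketID
}

// DestroySocketCB lets the caller veto a socket that matched the filter.
type DestroySocketCB func(Socket) bool
type SocketFilter struct {
	DestIp           net.IP
	DestPort         uint16
	Family, Protocol uint8
	States           uint32
	DestroyCB        DestroySocketCB
}

// MatchSocket compares the peer address and port with the filter (assumed to be the check the package's MatchSocket performs).
func (f *SocketFilter) MatchSocket(id SocketID) bool {
	return id.Destination.Equal(f.DestIp) && id.DestinationPort == f.DestPort
}

// SelectForDestroy applies the whole filter and returns the sockets that would be handed to DestroySocket; the loop is this example's own.
func SelectForDestroy(f *SocketFilter, socks []Socket) []Socket {
	var out []Socket
	for _, s := range socks {
		if s.Family != f.Family || s.Protocol != f.Protocol {
			continue
		}
		if f.States&(uint32(1)<<s.State) == 0 {
			continue // e.g. TIME_WAIT under StateFilterTCP
		}
		if !f.MatchSocket(s.ID) || (f.DestroyCB != nil && !f.DestroyCB(s)) {
			continue
		}
		out = append(out, s)
	}
	return out
}

// SampleSockets is constructed input: one client with four sockets.
func SampleSockets() []Socket {
	src, be := net.ParseIP("10.0.1.7"), net.ParseIP("10.0.0.5")
	return []Socket{
		{AF_INET, IPPROTO_TCP, TCP_ESTABLISHED, SocketID{src, be, 40001, 8080}},
		{AF_INET, IPPROTO_TCP, TCP_TIME_WAIT, SocketID{src, be, 40002, 8080}},   // skipped by StateFilterTCP
		{AF_INET, IPPROTO_UDP, TCP_ESTABLISHED, SocketID{src, be, 40003, 8080}}, // other protocol
		{AF_INET, IPPROTO_TCP, TCP_ESTABLISHED, SocketID{src, net.ParseIP("10.0.0.9"), 40004, 8080}}, // other backend
	}
}

func main() {
	f := &SocketFilter{DestIp: net.ParseIP("10.0.0.5"), DestPort: 8080, Family: AF_INET, Protocol: IPPROTO_TCP, States: StateFilterTCP}
	for _, s := range SelectForDestroy(f, SampleSockets()) {
		fmt.Printf("destroy %s:%d -> %s:%d\n", s.ID.Source, s.ID.SourcePort, s.ID.Destination, s.ID.DestinationPort)
	}
}
```

Running it selects only the ESTABLISHED TCP socket to 10.0.0.5:8080: the TIME_WAIT connection is dropped by the state mask, the UDP socket by the protocol field, and the connection to 10.0.0.9 by MatchSocket. Setting DestroyCB to a function that returns false vetoes even that one, which is the hook a caller can use to keep sockets whose backend is still valid.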
type SocketRequest added in v1.18.0
type SocketRequest struct {
Family uint8
Protocol uint8
Ext uint8
States uint32
ID netlink.SocketID
// contains filtered or unexported fields
}
SocketRequest implements netlink.NetlinkRequestData so that socket requests can be sent to the kernel over netlink.
func (*SocketRequest) Len added in v1.18.0
func (r *SocketRequest) Len() int
func (SocketRequest) Serialize added in v1.18.0
func (r SocketRequest) Serialize() []byte
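Added example, not the package's own code: it lays out the wire format behind SocketRequest.Serialize and Socket.Deserialize, namely the kernel's struct inet_diag_req_v2 (56 bytes) and struct inet_diag_msg (72 bytes) from linux/inet_diag.h, and shows why DestroySocket can be precise where the library's address-only lookup is not: the request it sends carries the full inet_diag_sockid, including the kernel cookie. Field offsets follow the kernel headers; DestroyRequestFor and ConstructedReply are this example's own helpers, the Socket struct parses only the fields needed here, and the reply bytes are constructed test data rather than a capture.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"net"
)

const (
	AF_INET, IPPROTO_TCP, TCP_ESTABLISHED uint8 = 2, 6, 1
	reqV2Len                                    = 56 // sizeof(struct inet_diag_req_v2), the SOCK_DESTROY payload
	diagMsgLen                                  = 72 // sizeof(struct inet_diag_msg), one reply entry
)

// Ports and addresses are in network order; idiag_states, ifindex and cookie are in host order (binary.NativeEndian needs Go 1.21+).
var native = binary.NativeEndian

// SocketID mirrors struct inet_diag_sockid (48 bytes): the 5-tuple plus the kernel cookie, which together pin down exactly one socket.
type SocketID struct {
	SourcePort, DestinationPort uint16
	Source, Destination         net.IP
	Interface                   uint32
	Cookie                      [2]uint32
}

// IPv4 occupies idiag_src[0] with the other three words zero; IPv6 fills all 16 bytes.
func addrLen(family uint8) int {
	if family == AF_INET {
		return 4
	}
	return 16
}

func (id *SocketID) serialize(b []byte, family uint8) {
	n := addrLen(family)
	binary.BigEndian.PutUint16(b[0:2], id.SourcePort)
	binary.BigEndian.PutUint16(b[2:4], id.DestinationPort)
	if src := id.Source.To16(); src != nil { // nil IP is a wildcard: leave zero
		copy(b[4:], src[16-n:])
	}
	if dst := id.Destination.To16(); dst != nil {
		copy(b[20:], dst[16-n:])
	}
	native.PutUint32(b[36:40], id.Interface)
	native.PutUint32(b[40:44], id.Cookie[0])
	native.PutUint32(b[44:48], id.Cookie[1])
}

// SocketRequest mirrors struct inet_diag_req_v2 with the page's field names.
type SocketRequest struct {
	Family, Protocol, Ext uint8
	States                uint32
	ID                    SocketID
}

func (r *SocketRequest) Len() int { return reqV2Len }

func (r SocketRequest) Serialize() []byte {
	b := make([]byte, reqV2Len)
	b[0], b[1], b[2] = r.Family, r.Protocol, r.Ext // b[3] is padding
	native.PutUint32(b[4:8], r.States)
	r.ID.serialize(b[8:], r.Family)
	return b
}

// Socket mirrors the head of struct inet_diag_msg; timer, retrans, expires, queue, uid and inode fields are left unparsed.
type Socket struct {
	Family, State uint8
	ID            SocketID
}

// Deserialize parses one raw inet_diag_msg entry of a sock_diag reply into s.
func (s *Socket) Deserialize(b []byte) error {
	if len(b) < diagMsgLen {
		return fmt.Errorf("inet_diag_msg: need %d bytes, got %d", diagMsgLen, len(b))
	}
	s.Family, s.State = b[0], b[1]
	id, n := b[4:52], addrLen(b[0])
	s.ID.SourcePort = binary.BigEndian.Uint16(id[0:2])
	s.ID.DestinationPort = binary.BigEndian.Uint16(id[2:4])
	s.ID.Source = net.IP(append([]byte(nil), id[4:4+n]...))
	s.ID.Destination = net.IP(append([]byte(nil), id[20:20+n]...))
	s.ID.Interface = native.Uint32(id[36:40])
	s.ID.Cookie = [2]uint32{native.Uint32(id[40:44]), native.Uint32(id[44:48])}
	return nil
}

// DestroyRequestFor builds the SOCK_DESTROY payload naming exactly this socket (5-tuple plus cookie), so a sibling connection sharing src/dst is untouched.
func DestroyRequestFor(s *Socket, proto uint8) SocketRequest {
	return SocketRequest{Family: s.Family, Protocol: proto, States: 1 << s.State, ID: s.ID}
}

// ConstructedReply is hand-built test data, not a capture: ESTABLISHED 10.0.1.7:40001 -> 10.0.0.5:8080 on ifindex 3 with cookie {0x11, 0x22}.
func ConstructedReply() []byte {
	b := make([]byte, diagMsgLen)
	b[0], b[1] = AF_INET, TCP_ESTABLISHED
	id := SocketID{40001, 8080, net.ParseIP("10.0.1.7"), net.ParseIP("10.0.0.5"), 3, [2]uint32{0x11, 0x22}}
	id.serialize(b[4:52], AF_INET)
	return b
}

func main() {
	var s Socket
	if err := s.Deserialize(ConstructedReply()); err != nil {
		panic(err)
	}
	fmt.Printf("%s:%d -> %s:%d\n%x\n", s.ID.Source, s.ID.SourcePort, s.ID.Destination, s.ID.DestinationPort, DestroyRequestFor(&s, IPPROTO_TCP).Serialize())
}
```

The serialized request is what goes into the netlink message body after the nlmsghdr with type SOCK_DESTROY; the 48-byte sockid copied from the reply round-trips byte for byte, which is the property that makes the destroy target one specific socket rather than every connection between the same two addresses.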