#pragma once
/* Classic include guard kept alongside #pragma once for toolchains that
 * ignore the pragma. NOTE(review): __KNI_ENTRY_H__ is an
 * implementation-reserved identifier (leading double underscore); left
 * unchanged because other files may test it. */
#ifndef __KNI_ENTRY_H__
#define __KNI_ENTRY_H__
#include "tsg/tsg_rule.h"
#include "kni_utils.h"
#include <tsg/tsg_statistic.h>
#include "tfe_mgr.h"
#include <tsg/tsg_label.h>
#include "kni_iouring.h"
/* Build-time constants for the KNI entry path. Two of them size arrays
 * declared later in this header; the others are consumed by the .c files. */
#define BURST_MAX 1                  // packets per burst, presumably
#define CALLER_SAPP 0                // caller identity: SAPP side
#define CALLER_TFE 1                 // caller identity: TFE side
/* NOTE(review): an identifier starting with underscore + uppercase letter
 * is reserved for the implementation; kept for compatibility with users. */
#define _MAX_MAAT_TABLE_NAME_LEN 64  // bound of each kni_handle.maat_table_name[] entry
#define MAX_STRING_LEN 32            // not referenced within this header
#define TSG_DIAGNOSE_POLICY_CNT 32   // capacity of security_policy_shunt_tsg_diagnose.id_arr
/* Reason a stream was not intercepted, stored per stream in
 * pme_info.intcp_error. Every value is negative, presumably so the codes can
 * share a return channel with non-negative success results. The author marks
 * the codes from INTERCEPT_ERROR_SENDTO_TFE_FAIL downward as internal. */
enum intercept_error{
    INTERCEPT_ERROR_ASYM_ROUTING = -1,
    INTERCEPT_ERROR_NO_SYN = -2,              // stream seen without its SYN, presumably
    INTERCEPT_ERROR_NO_SYN_ACK = -3,          // stream seen without its SYN-ACK, presumably
    INTERCEPT_ERROR_INVALID_IP_HDR = -4,
    INTERCEPT_ERROR_EXCEED_MTU = -5,
    //internal
    INTERCEPT_ERROR_SENDTO_TFE_FAIL = -6,
    INTERCEPT_ERROR_TUPLE2STM_ADD_FAIL = -7,
    INTERCEPT_ERROR_NO_TFE = -8,
    INTERCEPT_ERROR_DUP_TRAFFIC = -9,
    INTERCEPT_ERROR_CMSG_ADD_FAIL = -10,
    INTERCEPT_ERROR_NOT_TCP_LINK_BYSYN = -11,
    INTERCEPT_ERROR_GET_TCP_LINK_MODE_ERR= -12,
    // "TUNNLE" is a misspelling of "TUNNEL", but the names are part of the API
    INTERCEPT_ERROR_STREAM_TUNNLE_TYPE= -13,
    INTERCEPT_ERROR_GET_STREAM_TUNNLE_TYPE_ERR= -14,
    INTERCEPT_ERROR_GET_HAVE_DUP_PKT_ERR= -15,
    INTERCEPT_ERROR_DUP_PKT_NOT_SURE_ERR= -16,
};
/* Verdict applied to a stream (pme_info.action). Only these three values
 * are defined:
 *   0x00: none      - no decision
 *   0x02: intercept - stream is intercepted
 *   0x80: bypass    - stream is passed through
 */
enum kni_action{
    KNI_ACTION_NONE = 0x00,
    KNI_ACTION_INTERCEPT = 0x02,
    KNI_ACTION_BYPASS = 0x80
};
/* Index of each Maat table used for proxy TCP option lookup. TABLE_MAX is
 * the table count and sizes kni_handle.maat_table_name[] and
 * kni_handle.maat_table_id[]; it is not a valid index itself. */
enum PXY_TCP_OPTION_MAAT_TABLE{
    TABLE_IP_ADDR=0,
    TABLE_SSL_FQDN,
    TABLE_COMPILE,
    TABLE_MAX       // sentinel: number of tables
};
/* Key for duplicate-traffic detection (the dabloom_handle in
 * per_thread_handle). The author's "memset 0" note means the whole object
 * must be zero-filled before its fields are assigned: the union and the
 * uint16_t ipid typically leave padding bytes, and if the key is hashed or
 * compared as raw memory those bytes must be deterministic or identical
 * keys will not match. */
struct dup_traffic_dabloom_key{
    union{
        struct stream_tuple4_v4 v4;
        struct stream_tuple4_v6 v6;
    }addr;              // 4-tuple; which member is live is not recorded in this struct
    uint16_t ipid;      // IP identification field
    uint32_t seq;       // TCP sequence number
    uint32_t ack_seq;   // TCP acknowledgement number
    uint32_t timestamp;
};
/* TCP socket options the proxy applies, one set for the client-facing side
 * and one for the server-facing side. Names presumably mirror the socket
 * options (TCP_MAXSEG, TCP_NODELAY, IP_TTL, keepalive cnt/idle/intvl,
 * TCP_USER_TIMEOUT); the actual setsockopt mapping lives in the consumer.
 * *_enable fields act as switches, the remaining fields carry values.
 * kni_handle holds the global set, pme_info.pxy_tcp_option a per-stream copy. */
struct proxy_tcp_option{
    int client_tcp_maxseg_enable;
    int client_tcp_maxseg;
    int client_tcp_nodelay;
    int client_tcp_ttl;
    int client_tcp_keepalive_enable;
    int client_tcp_keepalive_keepcnt;
    int client_tcp_keepalive_keepidle;
    int client_tcp_keepalive_keepintvl;
    int client_tcp_user_timeout;
    int server_tcp_maxseg_enable;
    int server_tcp_maxseg;
    int server_tcp_nodelay;
    int server_tcp_ttl;
    int server_tcp_keepalive_enable;
    int server_tcp_keepalive_keepcnt;
    int server_tcp_keepalive_keepidle;
    int server_tcp_keepalive_keepintvl;
    int server_tcp_user_timeout;
    int bypass_duplicated_packet;   // switch: bypass instead of intercept when a duplicate packet is seen, presumably
    int tcp_passthrough;            // switch: pass TCP through untouched, presumably
};
/* Per-stream state shared between the SAPP side and the TFE side of KNI
 * (see CALLER_SAPP / CALLER_TFE). Several groups of fields are tagged by
 * the author as Kafka-log material. The object is allocated elsewhere;
 * tfe_release / sapp_release record which side has finished with it. */
struct pme_info{
    addr_type_t addr_type;
    char stream_addr[KNI_ADDR_MAX];        // textual stream address; NUL termination is up to the writer — confirm
    int do_log;
    int policy_id;
    tsg_protocol_t protocol;
    enum kni_action action;                // verdict for this stream
    int service;
    struct kni_tcpopt_info client_tcpopt;
    struct kni_tcpopt_info server_tcpopt;
    char has_syn;                          // flag: SYN seen
    char has_syn_ack;                      // flag: SYN-ACK seen
    uint16_t client_window;
    uint16_t server_window;
    int tfe_id;                            // TFE this stream was dispatched to
    pthread_mutex_t lock;                  // NOTE(review): which fields it guards is not stated here — confirm with users
    enum intercept_error intcp_error;      // why interception failed, if it did
    char stream_traceid[24];               // fixed 24-byte trace id; the type does not guarantee a NUL terminator
    //cjson check protocol
    union{
        char host[MAX_DOMAIN_LEN]; //http only
        char sni[MAX_DOMAIN_LEN]; //ssl only
    }domain;                               // live member presumably follows `protocol`
    int domain_len;                        // bytes used in domain
    // tfe_release == 1: the TFE side no longer needs this pme_info
    int tfe_release;
    int sapp_release;                      // SAPP-side counterpart of tfe_release, presumably
    //kafka log
    struct TLD_handle_t *tld_handle;
    const struct streaminfo *stream;       // read-only view; ownership stays with the stream layer, presumably
    int maat_result_num;
    Maat_rule_t maat_result;
    //from tfe, kafka log
    uint64_t ssl_intercept_state;
    uint64_t ssl_pinningst;                // default 0
    uint64_t ssl_server_side_latency;
    uint64_t ssl_client_side_latency;
    char ssl_server_side_version[KNI_SYMBOL_MAX];
    char ssl_client_side_version[KNI_SYMBOL_MAX];
    int64_t ssl_cert_verify;
    char ssl_error[KNI_STRING_MAX];
    //for dup traffic detect
    uint64_t has_dup_traffic;
    int has_dup_syn;
    int has_dup_syn_ack;
    struct dup_traffic_dabloom_key *syn_packet;      // NOTE(review): ownership (who frees) is not established in this header
    struct dup_traffic_dabloom_key *syn_ack_packet;
    struct _traffic_info traffic_info;
    //for kni dynamic bypass
    int thread_seq;
    int is_dynamic_bypass;
    //for proxy tcp option
    struct proxy_tcp_option pxy_tcp_option;          // per-stream copy; kni_handle carries the global set
    int pxy_tcp_option_is_scan;
    struct session_attribute_label *session_attribute;
    //for ssl passthrough reason
    char ssl_passthrough_reason[KNI_SYMBOL_MAX];
};
/* One packet buffer of KNI_MTU bytes. There is no length field, so the
 * valid length must be carried separately by whoever fills it. */
struct wrapped_packet{
    char data[KNI_MTU];
};
/* Bookkeeping for a TCP option to be put back later. kind and len match the
 * TCP option header layout; offset is presumably the option's byte position
 * within the header — confirm with the code that fills it. */
struct tcp_option_restore{
    uint8_t kind;
    uint8_t len;
    uint16_t offset;
};
/* One enabled TFE and the marsio device/send path used to reach it. */
struct tfe_enabled_node{
    int tfe_id;
    struct mr_vdev *dev_eth_handler;
    struct mr_sendpath *dev_eth_sendpath;
};
/* marsio instance plus the table of enabled TFE nodes. The array has
 * TFE_COUNT_MAX slots; only the first tfe_enabled_node_count are live, so
 * writers must keep the count within that bound. */
struct kni_marsio_handle{
    struct mr_instance *instance;
    int tfe_enabled_node_count;
    struct tfe_enabled_node tfe_enabled_nodes[TFE_COUNT_MAX];
};
/* Output of protocol identification: the protocol id and the domain name
 * that was found. domain_len carries the length, so readers should not
 * rely on domain being NUL-terminated unless the writer guarantees it. */
struct protocol_identify_result{
    int protocol;
    char domain[MAX_DOMAIN_LEN];
    int domain_len;
};
/* Arguments handed to the TFE cmsg receiver thread. logger is opaque
 * (void *); profile is a fixed-size name buffer. */
struct thread_tfe_cmsg_receiver_args{
    void *logger;
    char profile[KNI_SYMBOL_MAX];
};
/* Per-worker-thread state: the tap fd, a receive buffer and the thread's
 * own hash tables. NOTE: the trailing member is compiled in only when
 * SUPPORT_LIBURING is set, so sizeof(struct per_thread_handle) depends on
 * that flag; every translation unit that includes this header and steps
 * through kni_handle.threads_handle must be built with the same setting. */
struct per_thread_handle{
    int tap_fd;
    int buff_size;                          // capacity of buff in bytes
    char *buff;
    MESA_htable_handle tuple2stream_htable;  // 4-tuple -> tuple2stream_htable_value, presumably
    MESA_htable_handle traceid2sslinfo_htable;
    struct expiry_dablooms_handle *dabloom_handle;  // duplicate-traffic filter keyed by dup_traffic_dabloom_key
#if (SUPPORT_LIBURING)
    struct io_uring_handle *iouring_handle;
#endif
};
/* Value stored in per_thread_handle.tuple2stream_htable: the stream, its
 * pme_info and two routing flags whose exact meaning is defined by the
 * code that sets them — confirm before relying on them. */
struct tuple2stream_htable_value{
    struct streaminfo *stream;
    struct pme_info *pmeinfo;
    int route_dir;
    int reversed;
};
/* Fixed-capacity list of security policy ids routed to TSG diagnosis.
 * id_num counts the live entries and must never exceed
 * TSG_DIAGNOSE_POLICY_CNT; the struct itself does not enforce that. */
struct security_policy_shunt_tsg_diagnose{
    int id_arr[TSG_DIAGNOSE_POLICY_CNT];
    int id_num;
};
/* Process-wide KNI state: I/O handles, lookup tables, global switches and
 * the per-thread array. threads_handle presumably points to thread_count
 * entries of per_thread_handle (whose size depends on SUPPORT_LIBURING). */
struct kni_handle{
    struct io_uring_conf iouring_conf;
    struct kni_marsio_handle *marsio_handle;
    struct bpf_ctx *tap_bpf_ctx;
    struct kni_maat_handle *maat_handle;
    struct kni_send_logger *send_logger;
    MESA_htable_handle traceid2pme_htable;      // trace id -> pme_info, presumably
    struct per_thread_handle *threads_handle;    // per-thread state, thread_count entries presumably
    void *local_logger;
    struct tfe_mgr *_tfe_mgr;
    int thread_count;
    int dup_traffic_switch;                      // duplicate-traffic detection on/off
    int dup_traffic_action;
    enum kni_deploy_mode deploy_mode;
    // MAC addresses as raw bytes in plain char: char signedness is
    // implementation-defined, so go through unsigned char when printing or comparing
    char src_mac_addr[6];
    char dst_mac_addr[6];
    int tsg_diagnose_enable;
    int *arr_last_tfe_dispatch_index;
    struct security_policy_shunt_tsg_diagnose secpolicyid_shunt_tsg_diagnose;
    int ssl_dynamic_bypass_enable;
    MESA_htable_handle sslinfo2bypass_htable;
    int pxy_tcp_option_enable; //for proxy tcp option enable
    int pxy_tcp_option_enable_override;
    char maat_table_name[TABLE_MAX][_MAX_MAAT_TABLE_NAME_LEN]; // indexed by enum PXY_TCP_OPTION_MAAT_TABLE
    int maat_table_id[TABLE_MAX];                             // indexed by enum PXY_TCP_OPTION_MAAT_TABLE
    struct proxy_tcp_option pxy_tcp_option;                   // global defaults; pme_info carries per-stream copies
    int session_attribute_id;
    int log_level;
};
/* Context passed to the traceid2pme_htable search callback: the cmsg being
 * matched and an opaque logger. */
struct traceid2pme_search_cb_args{
    struct kni_cmsg *cmsg;
    void *logger;
};
#endif