diff --git a/conf/kni/kni.conf b/conf/kni/kni.conf
index 1ed8911..991b597 100644
--- a/conf/kni/kni.conf
+++ b/conf/kni/kni.conf
@@ -73,8 +73,9 @@
 stat_cycle = 1
 print_mode = 1
 #self test Shunt rules security policy id
-[self_test]
-sec_policy_id = -1
+[tsg_diagnose]
+enabled = 1
+security_policy_id = 3
 #kni dynamic bypass
 [traceid2sslinfo_htable]
diff --git a/entry/include/kni_entry.h b/entry/include/kni_entry.h
index 2a4e347..7c47c0a 100644
--- a/entry/include/kni_entry.h
+++ b/entry/include/kni_entry.h
@@ -17,6 +17,8 @@
 #define MAX_STRING_LEN 32
+#define TSG_DIAGNOSE_POLICY_CNT 32
+
 enum intercept_error{
 INTERCEPT_ERROR_ASYM_ROUTING = -1,
 INTERCEPT_ERROR_NO_SYN = -2,
@@ -192,6 +194,11 @@ struct tuple2stream_htable_value{
 int reversed;
 };
+struct security_policy_shunt_tsg_diagnose{
+int id_arr[TSG_DIAGNOSE_POLICY_CNT];
+int id_num;
+};
+
 struct kni_handle{
 struct kni_marsio_handle *marsio_handle;
 struct kni_tun_handle *tun_handle;
@@ -207,8 +214,9 @@ struct kni_handle{
 enum kni_deploy_mode deploy_mode;
 char src_mac_addr[6];
 char dst_mac_addr[6];
+int tsg_diagnose_enable;
 int *arr_last_tfe_dispatch_index;
-int secpolicyid_evenflow_self_check;
+struct security_policy_shunt_tsg_diagnose secpolicyid_shunt_tsg_diagnose;
 MESA_htable_handle sslinfo2bypass_htable;
 int pxy_tcp_option_enable; //for proxy tcp option enable
 int pxy_tcp_option_enable_override;
diff --git a/entry/include/tfe_mgr.h b/entry/include/tfe_mgr.h
index e90756f..fecc350 100644
--- a/entry/include/tfe_mgr.h
+++ b/entry/include/tfe_mgr.h
@@ -6,4 +6,4 @@ struct tfe_mgr;
 struct tfe_mgr* tfe_mgr_init(int tfe_node_count, const char* profile, enum kni_deploy_mode depoly_mode, void *logger);
 void tfe_mgr_destroy(struct tfe_mgr* mgr);
 int tfe_mgr_alive_node_get(struct tfe_mgr *mgr, int thread_seq);
-int tfe_mgr_alive_node_RR_get(struct tfe_mgr *mgr,int *last_tfe_id_index);
\ No newline at end of file
+int tfe_mgr_alive_node_cycle_get(struct tfe_mgr *mgr,int *last_tfe_id_index);
\ No newline at end of file
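Review bot: `struct security_policy_shunt_tsg_diagnose` in the kni_entry.h hunk carries no comment on how `id_arr` and `id_num` relate, so a reader has to find the loader in kni_init to learn that only the first `id_num` entries are meaningful. I would add above the struct: `/* security policy ids that send a stream to the tsg-diagnose shunt; only id_arr[0..id_num-1] are valid, id_num <= TSG_DIAGNOSE_POLICY_CNT */`. The same file also adds `tsg_diagnose_enable` to `struct kni_handle` without noting that it comes from the profile section `[tsg_diagnose]` shown in the kni.conf hunk; a short trailing comment in the style of the existing `//for proxy tcp option enable` would keep the struct consistent.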
diff --git a/entry/src/kni_entry.cpp b/entry/src/kni_entry.cpp
index 8ef5b3f..ce86bb4 100644
--- a/entry/src/kni_entry.cpp
+++ b/entry/src/kni_entry.cpp
@@ -256,7 +256,7 @@ int wrapped_kni_cmsg_set(struct kni_cmsg *cmsg, uint16_t type, const unsigned ch
 void *logger = g_kni_handle->local_logger;
 int ret = kni_cmsg_set(cmsg, type, value, size);
 if(ret < 0){
-KNI_LOG_ERROR(logger, "Failed set cmsg, type = %d/%s, stream traceid = %s, stream addr = %s", type, tfe_cmsg_tlv_type_to_string[type], pmeinfo->stream_traceid, pmeinfo->stream_addr);
+KNI_LOG_ERROR(logger, "Failed set cmsg, type = %d/%s, stream traceid = %s, stream addr = %s", type, tfe_cmsg_tlv_type_to_string[type],pmeinfo->stream_traceid, pmeinfo->stream_addr);
 }
 else {
@@ -1242,6 +1242,35 @@ static struct _session_attribute_label_t * kni_pull_session_attribute_results(st
 }
+static int tsg_diagnose_judge_streamshunt(int maat_rule_config_id,struct pme_info *pmeinfo)
+{
+int i = 0 ,ret = 0;
+void *logger = g_kni_handle->local_logger;
+
+if(g_kni_handle->tsg_diagnose_enable == 0){
+KNI_LOG_DEBUG(logger, "Tsg diagnose: enabled is 0, stream traceid = %s, stream addr = %s", pmeinfo->stream_traceid, pmeinfo->stream_addr);
+return 0;
+}
+
+
+if(g_kni_handle->secpolicyid_shunt_tsg_diagnose.id_num == 0){
+KNI_LOG_DEBUG(logger, "Tsg diagnose: no security policy from profile to shunt, stream traceid = %s, stream addr = %s", pmeinfo->stream_traceid, pmeinfo->stream_addr);
+return 0;
+}
+for(i = 0; i < g_kni_handle->secpolicyid_shunt_tsg_diagnose.id_num; i ++){
+if(g_kni_handle->secpolicyid_shunt_tsg_diagnose.id_arr[i] == 0){
+KNI_LOG_DEBUG(logger, "Tsg diagnose: security policy 0 is not allowd shunt, stream traceid = %s, stream addr = %s", pmeinfo->stream_traceid, pmeinfo->stream_addr);
+continue;
+}
+if(g_kni_handle->secpolicyid_shunt_tsg_diagnose.id_arr[i] == maat_rule_config_id){
+ret = 1;
+KNI_LOG_DEBUG(logger, "Tsg diagnose: security policy id %d shunt, stream traceid = %s, stream addr = %s", maat_rule_config_id, pmeinfo->stream_traceid, pmeinfo->stream_addr);
+break;
+}
+}
+return ret;
+}
+
 static int first_data_intercept(struct streaminfo *stream, struct pme_info *pmeinfo, struct pkt_info *pktinfo, int thread_seq){
 FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_INTCP_READY_STM], 0, FS_OP_ADD, 1);
 FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_INTCP_READY_BYTE], 0, FS_OP_ADD, pktinfo->ip_totlen);
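Review bot: In `tsg_diagnose_judge_streamshunt` the per-entry skip tests `id_arr[i] == 0`, which is narrower than the `<= 0` that kni_init treats as an invalid policy id, so a negative entry that init only logged is still compared against `maat_rule_config_id`; make the two agree with `if(g_kni_handle->secpolicyid_shunt_tsg_diagnose.id_arr[i] <= 0){`. That branch also emits a KNI_LOG_DEBUG on every intercepted stream whenever the profile contains an invalid id, which is load-time configuration noise in a per-stream path; logging it once at init and only `continue`-ing here is enough, and the message has a typo (`allowd`). The function has no header comment; I would add `/* Return 1 when tsg diagnose is enabled and maat_rule_config_id is one of the configured shunt policy ids, 0 otherwise. */` above it.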
@@ -1249,10 +1278,10 @@ static int first_data_intercept(struct streaminfo *stream, struct pme_info *pmei
 char *buff = NULL;
 int ret, len;
 //intercept_error: no tfe
-if( g_kni_handle->secpolicyid_evenflow_self_check == -1 || pmeinfo->maat_result.config_id != g_kni_handle->secpolicyid_evenflow_self_check) // even flow for self test
+if(tsg_diagnose_judge_streamshunt(pmeinfo->maat_result.config_id,pmeinfo) == 0) // tsg diagnose shunt
 pmeinfo->tfe_id = tfe_mgr_alive_node_get(g_kni_handle->_tfe_mgr, thread_seq);
 else
-pmeinfo->tfe_id = tfe_mgr_alive_node_RR_get(g_kni_handle->_tfe_mgr, (int *)&(g_kni_handle->arr_last_tfe_dispatch_index[thread_seq]));
+pmeinfo->tfe_id = tfe_mgr_alive_node_cycle_get(g_kni_handle->_tfe_mgr, (int *)&(g_kni_handle->arr_last_tfe_dispatch_index[thread_seq]));
 if(pmeinfo->tfe_id < 0){
 KNI_LOG_DEBUG(logger, "Intercept error: no available tfe, stream traceid = %s, stream addr = %s", pmeinfo->stream_traceid, pmeinfo->stream_addr);
 pmeinfo->intcp_error = INTERCEPT_ERROR_NO_TFE;
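Review bot: The new `tfe_mgr_alive_node_cycle_get` call keeps the cast `(int *)&(g_kni_handle->arr_last_tfe_dispatch_index[thread_seq])`, which is a no-op because `arr_last_tfe_dispatch_index` is declared `int *` in kni_entry.h and would silently mask a later type change; `&g_kni_handle->arr_last_tfe_dispatch_index[thread_seq]` is enough. The `if`/`else` pair that picks the dispatcher has unbraced single-statement bodies with a trailing comment on the condition line; bracing both branches keeps the comment from reading as part of the condition. first_data_intercept starts and ends outside the hunk.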
@@ -2694,13 +2723,27 @@ extern "C" int kni_init(){
 goto error_out;
 }
-//init array last_tfe_dispatch_index and read security policy id for self test even flow
+//init array last_tfe_dispatch_index and read security policy id for tsg-diagnose shunt
+MESA_load_profile_int_def(profile, "tsg_diagnose", "enabled", &g_kni_handle->tsg_diagnose_enable, 1);
+KNI_LOG_ERROR(local_logger, "tsg_diagnose: MESA_prof_load, tsg_diagnose:\n enabled: %d", g_kni_handle->tsg_diagnose_enable);
 g_kni_handle->arr_last_tfe_dispatch_index = ALLOC(int,g_kni_handle->thread_count);
-g_kni_handle->secpolicyid_evenflow_self_check = -1;
-ret = MESA_load_profile_int_nodef(profile, "self_test", "sec_policy_id", &g_kni_handle->secpolicyid_evenflow_self_check);
-if(ret < 0){
-KNI_LOG_ERROR(local_logger, "Fail get sec_policy_id for self_test, Now sec_policy_id = -1");
+memset(&g_kni_handle->secpolicyid_shunt_tsg_diagnose, 0, sizeof(g_kni_handle->secpolicyid_shunt_tsg_diagnose));
+ret = MESA_load_profile_uint_range(profile, "tsg_diagnose", "security_policy_id", TSG_DIAGNOSE_POLICY_CNT, (unsigned int *)g_kni_handle->secpolicyid_shunt_tsg_diagnose.id_arr);
+g_kni_handle->secpolicyid_shunt_tsg_diagnose.id_num = ret;
+if(ret <= 0){
+KNI_LOG_ERROR(local_logger, "Fail get security_policy_id for tsg diagnose, tsg_diagnose no action to security policy id");
 }
+else{
+for(int i = 0; i < g_kni_handle->secpolicyid_shunt_tsg_diagnose.id_num; i++){
+if(g_kni_handle->secpolicyid_shunt_tsg_diagnose.id_arr[i] <= 0)
+KNI_LOG_ERROR(local_logger, "Tsg diagnose, security policy id is not allowed to be equal to and to be lesser than 0");
+else{
+KNI_LOG_ERROR(local_logger, "tsg_diagnose: MESA_prof_load, tsg_diagnose: policy id:%d",g_kni_handle->secpolicyid_shunt_tsg_diagnose.id_arr[i]);
+}
+
+}
+}
+
 //init proxy tcp option maat
 ret = pxy_tcp_option_rule_init(profile, local_logger);
 if(ret < 0){
diff --git a/entry/src/kni_pxy_tcp_option.cpp b/entry/src/kni_pxy_tcp_option.cpp
index 996d0a4..f61d94f 100644
--- a/entry/src/kni_pxy_tcp_option.cpp
+++ b/entry/src/kni_pxy_tcp_option.cpp
@@ -595,7 +595,7 @@ int pxy_tcp_option_get_param(Maat_feather_t maat_feather,const struct streaminfo
 }
 KNI_LOG_DEBUG(logger,"Proxy-tcp-option: Scan hit, hit_num = %d, streamid = %s", hit_num, pmeinfo->stream_traceid);
-tmp_buff=(char *)calloc(1, p_result->serv_def_len+1);
+tmp_buff=(char *)calloc(sizeof(char), p_result->serv_def_len+1);
 Maat_read_rule(g_tsg_maat_feather, p_result, MAAT_RULE_SERV_DEFINE, tmp_buff, p_result->serv_def_len);
 if( strlen(tmp_buff) < strlen("{}") + 1)
diff --git a/entry/src/tfe_mgr.cpp b/entry/src/tfe_mgr.cpp
index 847aed7..269dd88 100644
--- a/entry/src/tfe_mgr.cpp
+++ b/entry/src/tfe_mgr.cpp
@@ -407,7 +407,7 @@ int tfe_mgr_alive_node_get(struct tfe_mgr *mgr, int thread_seq){
 return tfe_id;
 }
-int tfe_mgr_alive_node_RR_get(struct tfe_mgr *mgr,int *last_tfe_id_index){
+int tfe_mgr_alive_node_cycle_get(struct tfe_mgr *mgr,int *last_tfe_id_index){
 int tfe_id = -1;
 if(mgr->watch_dog_switch == 0){
 if(mgr->tfe_enabled_node_count > 0){
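Review bot: `tmp_buff=(char *)calloc(sizeof(char), p_result->serv_def_len+1);` is handed to `Maat_read_rule` and then to `strlen` on the two following lines with no NULL check, so an allocation failure dereferences a null pointer; insert `if(tmp_buff == NULL){ KNI_LOG_ERROR(logger, "Proxy-tcp-option: calloc failed, streamid = %s", pmeinfo->stream_traceid); return the error value this function's other failure paths use; }` before the read. The swapped arguments also read as one element of size `serv_def_len+1`; calloc takes (count, size), so `calloc(p_result->serv_def_len + 1, sizeof(char))` states the intent even though both forms allocate the same bytes. pxy_tcp_option_get_param starts and ends outside the hunk.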