修改自检配置项2、增加读自检多条拦截策略
This commit is contained in:
fumingwei
@@ -256,7 +256,7 @@ int wrapped_kni_cmsg_set(struct kni_cmsg *cmsg, uint16_t type, const unsigned ch
|
||||
void *logger = g_kni_handle->local_logger;
|
||||
int ret = kni_cmsg_set(cmsg, type, value, size);
|
||||
if(ret < 0){
|
||||
KNI_LOG_ERROR(logger, "Failed set cmsg, type = %d/%s, stream traceid = %s, stream addr = %s", type, tfe_cmsg_tlv_type_to_string[type], pmeinfo->stream_traceid, pmeinfo->stream_addr);
|
||||
KNI_LOG_ERROR(logger, "Failed set cmsg, type = %d/%s, stream traceid = %s, stream addr = %s", type, tfe_cmsg_tlv_type_to_string[type],pmeinfo->stream_traceid, pmeinfo->stream_addr);
|
||||
}
|
||||
else
|
||||
{
|
||||
@@ -1242,6 +1242,35 @@ static struct _session_attribute_label_t * kni_pull_session_attribute_results(st
|
||||
}
|
||||
|
||||
|
||||
static int tsg_diagnose_judge_streamshunt(int maat_rule_config_id,struct pme_info *pmeinfo)
|
||||
{
|
||||
int i = 0 ,ret = 0;
|
||||
void *logger = g_kni_handle->local_logger;
|
||||
|
||||
if(g_kni_handle->tsg_diagnose_enable == 0){
|
||||
KNI_LOG_DEBUG(logger, "Tsg diagnose: enabled is 0, stream traceid = %s, stream addr = %s", pmeinfo->stream_traceid, pmeinfo->stream_addr);
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
if(g_kni_handle->secpolicyid_shunt_tsg_diagnose.id_num == 0){
|
||||
KNI_LOG_DEBUG(logger, "Tsg diagnose: no security policy from profile to shunt, stream traceid = %s, stream addr = %s", pmeinfo->stream_traceid, pmeinfo->stream_addr);
|
||||
return 0;
|
||||
}
|
||||
for(i = 0; i < g_kni_handle->secpolicyid_shunt_tsg_diagnose.id_num; i ++){
|
||||
if(g_kni_handle->secpolicyid_shunt_tsg_diagnose.id_arr[i] == 0){
|
||||
KNI_LOG_DEBUG(logger, "Tsg diagnose: security policy 0 is not allowd shunt, stream traceid = %s, stream addr = %s", pmeinfo->stream_traceid, pmeinfo->stream_addr);
|
||||
continue;
|
||||
}
|
||||
if(g_kni_handle->secpolicyid_shunt_tsg_diagnose.id_arr[i] == maat_rule_config_id){
|
||||
ret = 1;
|
||||
KNI_LOG_DEBUG(logger, "Tsg diagnose: security policy id %d shunt, stream traceid = %s, stream addr = %s", maat_rule_config_id, pmeinfo->stream_traceid, pmeinfo->stream_addr);
|
||||
break;
|
||||
}
|
||||
}
|
||||
return ret;
|
||||
}
|
||||
|
||||
static int first_data_intercept(struct streaminfo *stream, struct pme_info *pmeinfo, struct pkt_info *pktinfo, int thread_seq){
|
||||
FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_INTCP_READY_STM], 0, FS_OP_ADD, 1);
|
||||
FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_INTCP_READY_BYTE], 0, FS_OP_ADD, pktinfo->ip_totlen);
|
||||
@@ -1249,10 +1278,10 @@ static int first_data_intercept(struct streaminfo *stream, struct pme_info *pmei
|
||||
char *buff = NULL;
|
||||
int ret, len;
|
||||
//intercept_error: no tfe
|
||||
if( g_kni_handle->secpolicyid_evenflow_self_check == -1 || pmeinfo->maat_result.config_id != g_kni_handle->secpolicyid_evenflow_self_check) // even flow for self test
|
||||
if(tsg_diagnose_judge_streamshunt(pmeinfo->maat_result.config_id,pmeinfo) == 0) // tsg diagnose shunt
|
||||
pmeinfo->tfe_id = tfe_mgr_alive_node_get(g_kni_handle->_tfe_mgr, thread_seq);
|
||||
else
|
||||
pmeinfo->tfe_id = tfe_mgr_alive_node_RR_get(g_kni_handle->_tfe_mgr, (int *)&(g_kni_handle->arr_last_tfe_dispatch_index[thread_seq]));
|
||||
pmeinfo->tfe_id = tfe_mgr_alive_node_cycle_get(g_kni_handle->_tfe_mgr, (int *)&(g_kni_handle->arr_last_tfe_dispatch_index[thread_seq]));
|
||||
if(pmeinfo->tfe_id < 0){
|
||||
KNI_LOG_DEBUG(logger, "Intercept error: no available tfe, stream traceid = %s, stream addr = %s", pmeinfo->stream_traceid, pmeinfo->stream_addr);
|
||||
pmeinfo->intcp_error = INTERCEPT_ERROR_NO_TFE;
|
||||
@@ -2694,13 +2723,27 @@ extern "C" int kni_init(){
|
||||
goto error_out;
|
||||
}
|
||||
|
||||
//init array last_tfe_dispatch_index and read security policy id for self test even flow
|
||||
//init array last_tfe_dispatch_index and read security policy id for tsg-diagnose shunt
|
||||
MESA_load_profile_int_def(profile, "tsg_diagnose", "enabled", &g_kni_handle->tsg_diagnose_enable, 1);
|
||||
KNI_LOG_ERROR(local_logger, "tsg_diagnose: MESA_prof_load, tsg_diagnose:\n enabled: %d", g_kni_handle->tsg_diagnose_enable);
|
||||
g_kni_handle->arr_last_tfe_dispatch_index = ALLOC(int,g_kni_handle->thread_count);
|
||||
g_kni_handle->secpolicyid_evenflow_self_check = -1;
|
||||
ret = MESA_load_profile_int_nodef(profile, "self_test", "sec_policy_id", &g_kni_handle->secpolicyid_evenflow_self_check);
|
||||
if(ret < 0){
|
||||
KNI_LOG_ERROR(local_logger, "Fail get sec_policy_id for self_test, Now sec_policy_id = -1");
|
||||
memset(&g_kni_handle->secpolicyid_shunt_tsg_diagnose, 0, sizeof(g_kni_handle->secpolicyid_shunt_tsg_diagnose));
|
||||
ret = MESA_load_profile_uint_range(profile, "tsg_diagnose", "security_policy_id", TSG_DIAGNOSE_POLICY_CNT, (unsigned int *)g_kni_handle->secpolicyid_shunt_tsg_diagnose.id_arr);
|
||||
g_kni_handle->secpolicyid_shunt_tsg_diagnose.id_num = ret;
|
||||
if(ret <= 0){
|
||||
KNI_LOG_ERROR(local_logger, "Fail get security_policy_id for tsg diagnose, tsg_diagnose no action to security policy id");
|
||||
}
|
||||
else{
|
||||
for(int i = 0; i < g_kni_handle->secpolicyid_shunt_tsg_diagnose.id_num; i++){
|
||||
if(g_kni_handle->secpolicyid_shunt_tsg_diagnose.id_arr[i] <= 0)
|
||||
KNI_LOG_ERROR(local_logger, "Tsg diagnose, security policy id is not allowed to be equal to and to be lesser than 0");
|
||||
else{
|
||||
KNI_LOG_ERROR(local_logger, "tsg_diagnose: MESA_prof_load, tsg_diagnose: policy id:%d",g_kni_handle->secpolicyid_shunt_tsg_diagnose.id_arr[i]);
|
||||
}
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
//init proxy tcp option maat
|
||||
ret = pxy_tcp_option_rule_init(profile, local_logger);
|
||||
if(ret < 0){
|
||||
|
||||
Reference in New Issue
Block a user