gfwleak/tango-kni
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

修改自检配置项2、增加读自检多条拦截策略

Browse Source
This commit is contained in:
fumingwei
2020-09-11 18:50:51 +08:00
parent 8f2c00fd6e
commit 1abdb335e4
6 changed files with 66 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
conf/kni/kni.conf
View File

@@ -73,8 +73,9 @@ stat_cycle = 1
print_mode = 1 print_mode = 1
#self test Shunt rules security policy id #self test Shunt rules security policy id
[self_test] [tsg_diagnose]
sec_policy_id = -1 enabled = 1
security_policy_id = 3
#kni dynamic bypass #kni dynamic bypass
[traceid2sslinfo_htable] [traceid2sslinfo_htable]

10
entry/include/kni_entry.h
View File

@@ -17,6 +17,8 @@
#define MAX_STRING_LEN 32 #define MAX_STRING_LEN 32
#define TSG_DIAGNOSE_POLICY_CNT 32
enum intercept_error{ enum intercept_error{
INTERCEPT_ERROR_ASYM_ROUTING = -1, INTERCEPT_ERROR_ASYM_ROUTING = -1,
INTERCEPT_ERROR_NO_SYN = -2, INTERCEPT_ERROR_NO_SYN = -2,
@@ -192,6 +194,11 @@ struct tuple2stream_htable_value{
int reversed; int reversed;
}; };
struct security_policy_shunt_tsg_diagnose{
int id_arr[TSG_DIAGNOSE_POLICY_CNT];
int id_num;
};
struct kni_handle{ struct kni_handle{
struct kni_marsio_handle *marsio_handle; struct kni_marsio_handle *marsio_handle;
struct kni_tun_handle *tun_handle; struct kni_tun_handle *tun_handle;
@@ -207,8 +214,9 @@ struct kni_handle{
enum kni_deploy_mode deploy_mode; enum kni_deploy_mode deploy_mode;
char src_mac_addr[6]; char src_mac_addr[6];
char dst_mac_addr[6]; char dst_mac_addr[6];
int tsg_diagnose_enable;
int *arr_last_tfe_dispatch_index; int *arr_last_tfe_dispatch_index;
int secpolicyid_evenflow_self_check; struct security_policy_shunt_tsg_diagnose secpolicyid_shunt_tsg_diagnose;
MESA_htable_handle sslinfo2bypass_htable; MESA_htable_handle sslinfo2bypass_htable;
int pxy_tcp_option_enable; //for proxy tcp option enable int pxy_tcp_option_enable; //for proxy tcp option enable
int pxy_tcp_option_enable_override; int pxy_tcp_option_enable_override;

2
entry/include/tfe_mgr.h
View File

@@ -6,4 +6,4 @@ struct tfe_mgr;
struct tfe_mgr* tfe_mgr_init(int tfe_node_count, const char* profile, enum kni_deploy_mode depoly_mode, void *logger); struct tfe_mgr* tfe_mgr_init(int tfe_node_count, const char* profile, enum kni_deploy_mode depoly_mode, void *logger);
void tfe_mgr_destroy(struct tfe_mgr* mgr); void tfe_mgr_destroy(struct tfe_mgr* mgr);
int tfe_mgr_alive_node_get(struct tfe_mgr *mgr, int thread_seq); int tfe_mgr_alive_node_get(struct tfe_mgr *mgr, int thread_seq);
int tfe_mgr_alive_node_RR_get(struct tfe_mgr *mgr,int *last_tfe_id_index); int tfe_mgr_alive_node_cycle_get(struct tfe_mgr *mgr,int *last_tfe_id_index);

59
entry/src/kni_entry.cpp
View File

@@ -256,7 +256,7 @@ int wrapped_kni_cmsg_set(struct kni_cmsg *cmsg, uint16_t type, const unsigned ch
void *logger = g_kni_handle->local_logger; void *logger = g_kni_handle->local_logger;
int ret = kni_cmsg_set(cmsg, type, value, size); int ret = kni_cmsg_set(cmsg, type, value, size);
if(ret < 0){ if(ret < 0){
KNI_LOG_ERROR(logger, "Failed set cmsg, type = %d/%s, stream traceid = %s, stream addr = %s", type, tfe_cmsg_tlv_type_to_string[type], pmeinfo->stream_traceid, pmeinfo->stream_addr); KNI_LOG_ERROR(logger, "Failed set cmsg, type = %d/%s, stream traceid = %s, stream addr = %s", type, tfe_cmsg_tlv_type_to_string[type],pmeinfo->stream_traceid, pmeinfo->stream_addr);
} }
else else
{ {
@@ -1242,6 +1242,35 @@ static struct _session_attribute_label_t * kni_pull_session_attribute_results(st
} }
static int tsg_diagnose_judge_streamshunt(int maat_rule_config_id,struct pme_info *pmeinfo)
{
int i = 0 ,ret = 0;
void *logger = g_kni_handle->local_logger;
if(g_kni_handle->tsg_diagnose_enable == 0){
KNI_LOG_DEBUG(logger, "Tsg diagnose: enabled is 0, stream traceid = %s, stream addr = %s", pmeinfo->stream_traceid, pmeinfo->stream_addr);
return 0;
}
if(g_kni_handle->secpolicyid_shunt_tsg_diagnose.id_num == 0){
KNI_LOG_DEBUG(logger, "Tsg diagnose: no security policy from profile to shunt, stream traceid = %s, stream addr = %s", pmeinfo->stream_traceid, pmeinfo->stream_addr);
return 0;
}
for(i = 0; i < g_kni_handle->secpolicyid_shunt_tsg_diagnose.id_num; i ++){
if(g_kni_handle->secpolicyid_shunt_tsg_diagnose.id_arr[i] == 0){
KNI_LOG_DEBUG(logger, "Tsg diagnose: security policy 0 is not allowd shunt, stream traceid = %s, stream addr = %s", pmeinfo->stream_traceid, pmeinfo->stream_addr);
continue;
}
if(g_kni_handle->secpolicyid_shunt_tsg_diagnose.id_arr[i] == maat_rule_config_id){
ret = 1;
KNI_LOG_DEBUG(logger, "Tsg diagnose: security policy id %d shunt, stream traceid = %s, stream addr = %s", maat_rule_config_id, pmeinfo->stream_traceid, pmeinfo->stream_addr);
break;
}
}
return ret;
}
static int first_data_intercept(struct streaminfo *stream, struct pme_info *pmeinfo, struct pkt_info *pktinfo, int thread_seq){ static int first_data_intercept(struct streaminfo *stream, struct pme_info *pmeinfo, struct pkt_info *pktinfo, int thread_seq){
FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_INTCP_READY_STM], 0, FS_OP_ADD, 1); FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_INTCP_READY_STM], 0, FS_OP_ADD, 1);
FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_INTCP_READY_BYTE], 0, FS_OP_ADD, pktinfo->ip_totlen); FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_INTCP_READY_BYTE], 0, FS_OP_ADD, pktinfo->ip_totlen);
@@ -1249,10 +1278,10 @@ static int first_data_intercept(struct streaminfo *stream, struct pme_info *pmei
char *buff = NULL; char *buff = NULL;
int ret, len; int ret, len;
//intercept_error: no tfe //intercept_error: no tfe
if( g_kni_handle->secpolicyid_evenflow_self_check == -1 || pmeinfo->maat_result.config_id != g_kni_handle->secpolicyid_evenflow_self_check) // even flow for self test if(tsg_diagnose_judge_streamshunt(pmeinfo->maat_result.config_id,pmeinfo) == 0) // tsg diagnose shunt
pmeinfo->tfe_id = tfe_mgr_alive_node_get(g_kni_handle->_tfe_mgr, thread_seq); pmeinfo->tfe_id = tfe_mgr_alive_node_get(g_kni_handle->_tfe_mgr, thread_seq);
else else
pmeinfo->tfe_id = tfe_mgr_alive_node_RR_get(g_kni_handle->_tfe_mgr, (int *)&(g_kni_handle->arr_last_tfe_dispatch_index[thread_seq])); pmeinfo->tfe_id = tfe_mgr_alive_node_cycle_get(g_kni_handle->_tfe_mgr, (int *)&(g_kni_handle->arr_last_tfe_dispatch_index[thread_seq]));
if(pmeinfo->tfe_id < 0){ if(pmeinfo->tfe_id < 0){
KNI_LOG_DEBUG(logger, "Intercept error: no available tfe, stream traceid = %s, stream addr = %s", pmeinfo->stream_traceid, pmeinfo->stream_addr); KNI_LOG_DEBUG(logger, "Intercept error: no available tfe, stream traceid = %s, stream addr = %s", pmeinfo->stream_traceid, pmeinfo->stream_addr);
pmeinfo->intcp_error = INTERCEPT_ERROR_NO_TFE; pmeinfo->intcp_error = INTERCEPT_ERROR_NO_TFE;
@@ -2694,13 +2723,27 @@ extern "C" int kni_init(){
goto error_out; goto error_out;
} }
//init array last_tfe_dispatch_index and read security policy id for self test even flow //init array last_tfe_dispatch_index and read security policy id for tsg-diagnose shunt
MESA_load_profile_int_def(profile, "tsg_diagnose", "enabled", &g_kni_handle->tsg_diagnose_enable, 1);
KNI_LOG_ERROR(local_logger, "tsg_diagnose: MESA_prof_load, tsg_diagnose:\n enabled: %d", g_kni_handle->tsg_diagnose_enable);
g_kni_handle->arr_last_tfe_dispatch_index = ALLOC(int,g_kni_handle->thread_count); g_kni_handle->arr_last_tfe_dispatch_index = ALLOC(int,g_kni_handle->thread_count);
g_kni_handle->secpolicyid_evenflow_self_check = -1; memset(&g_kni_handle->secpolicyid_shunt_tsg_diagnose, 0, sizeof(g_kni_handle->secpolicyid_shunt_tsg_diagnose));
ret = MESA_load_profile_int_nodef(profile, "self_test", "sec_policy_id", &g_kni_handle->secpolicyid_evenflow_self_check); ret = MESA_load_profile_uint_range(profile, "tsg_diagnose", "security_policy_id", TSG_DIAGNOSE_POLICY_CNT, (unsigned int *)g_kni_handle->secpolicyid_shunt_tsg_diagnose.id_arr);
if(ret < 0){ g_kni_handle->secpolicyid_shunt_tsg_diagnose.id_num = ret;
KNI_LOG_ERROR(local_logger, "Fail get sec_policy_id for self_test, Now sec_policy_id = -1"); if(ret <= 0){
KNI_LOG_ERROR(local_logger, "Fail get security_policy_id for tsg diagnose, tsg_diagnose no action to security policy id");
} }
else{
for(int i = 0; i < g_kni_handle->secpolicyid_shunt_tsg_diagnose.id_num; i++){
if(g_kni_handle->secpolicyid_shunt_tsg_diagnose.id_arr[i] <= 0)
KNI_LOG_ERROR(local_logger, "Tsg diagnose, security policy id is not allowed to be equal to and to be lesser than 0");
else{
KNI_LOG_ERROR(local_logger, "tsg_diagnose: MESA_prof_load, tsg_diagnose: policy id:%d",g_kni_handle->secpolicyid_shunt_tsg_diagnose.id_arr[i]);
}
}
}
//init proxy tcp option maat //init proxy tcp option maat
ret = pxy_tcp_option_rule_init(profile, local_logger); ret = pxy_tcp_option_rule_init(profile, local_logger);
if(ret < 0){ if(ret < 0){

2
entry/src/kni_pxy_tcp_option.cpp
View File

@@ -595,7 +595,7 @@ int pxy_tcp_option_get_param(Maat_feather_t maat_feather,const struct streaminfo
} }
KNI_LOG_DEBUG(logger,"Proxy-tcp-option: Scan hit, hit_num = %d, streamid = %s", hit_num, pmeinfo->stream_traceid); KNI_LOG_DEBUG(logger,"Proxy-tcp-option: Scan hit, hit_num = %d, streamid = %s", hit_num, pmeinfo->stream_traceid);
tmp_buff=(char *)calloc(1, p_result->serv_def_len+1); tmp_buff=(char *)calloc(sizeof(char), p_result->serv_def_len+1);
Maat_read_rule(g_tsg_maat_feather, p_result, MAAT_RULE_SERV_DEFINE, tmp_buff, p_result->serv_def_len); Maat_read_rule(g_tsg_maat_feather, p_result, MAAT_RULE_SERV_DEFINE, tmp_buff, p_result->serv_def_len);
if( strlen(tmp_buff) < strlen("{}") + 1) if( strlen(tmp_buff) < strlen("{}") + 1)

2
entry/src/tfe_mgr.cpp
View File

@@ -407,7 +407,7 @@ int tfe_mgr_alive_node_get(struct tfe_mgr *mgr, int thread_seq){
return tfe_id; return tfe_id;
} }
int tfe_mgr_alive_node_RR_get(struct tfe_mgr *mgr,int *last_tfe_id_index){ int tfe_mgr_alive_node_cycle_get(struct tfe_mgr *mgr,int *last_tfe_id_index){
int tfe_id = -1; int tfe_id = -1;
if(mgr->watch_dog_switch == 0){ if(mgr->watch_dog_switch == 0){
if(mgr->tfe_enabled_node_count > 0){ if(mgr->tfe_enabled_node_count > 0){