修改自检配置项2、增加读自检多条拦截策略

conf/kni/kni.conf

@@ -73,8 +73,9 @@ stat_cycle = 1
 print_mode = 1
 
 #self test Shunt rules security policy id
-[self_test]
-sec_policy_id = -1
+[tsg_diagnose]
+enabled = 1
+security_policy_id = 3
 
 #kni dynamic bypass
 [traceid2sslinfo_htable]

entry/include/kni_entry.h

@@ -17,6 +17,8 @@
 
 #define	MAX_STRING_LEN	32
 
+#define TSG_DIAGNOSE_POLICY_CNT 32
+
 enum intercept_error{
 	INTERCEPT_ERROR_ASYM_ROUTING = -1,
 	INTERCEPT_ERROR_NO_SYN = -2,
@@ -192,6 +194,11 @@ struct tuple2stream_htable_value{
 	int reversed;
 };
 
+struct security_policy_shunt_tsg_diagnose{
+	int id_arr[TSG_DIAGNOSE_POLICY_CNT];
+	int id_num;
+};
+
 struct kni_handle{
 	struct kni_marsio_handle *marsio_handle;
 	struct kni_tun_handle *tun_handle;
@@ -207,8 +214,9 @@ struct kni_handle{
 	enum kni_deploy_mode deploy_mode;
 	char src_mac_addr[6];
 	char dst_mac_addr[6];
+	int tsg_diagnose_enable;
 	int *arr_last_tfe_dispatch_index;
-	int secpolicyid_evenflow_self_check; 
+	struct  security_policy_shunt_tsg_diagnose secpolicyid_shunt_tsg_diagnose; 
 	MESA_htable_handle sslinfo2bypass_htable;
 	int pxy_tcp_option_enable;  //for proxy tcp option  enable
 	int pxy_tcp_option_enable_override;

entry/include/tfe_mgr.h

@@ -6,4 +6,4 @@ struct tfe_mgr;
 struct tfe_mgr* tfe_mgr_init(int tfe_node_count, const char* profile, enum kni_deploy_mode depoly_mode, void *logger);
 void tfe_mgr_destroy(struct tfe_mgr* mgr);
 int tfe_mgr_alive_node_get(struct tfe_mgr *mgr, int thread_seq);
-int tfe_mgr_alive_node_RR_get(struct tfe_mgr *mgr,int *last_tfe_id_index);
+int tfe_mgr_alive_node_cycle_get(struct tfe_mgr *mgr,int *last_tfe_id_index);

entry/src/kni_entry.cpp

@@ -256,7 +256,7 @@ int wrapped_kni_cmsg_set(struct kni_cmsg *cmsg, uint16_t type, const unsigned ch
 	void *logger = g_kni_handle->local_logger;
 	int ret = kni_cmsg_set(cmsg, type, value, size);
 	if(ret < 0){
-		KNI_LOG_ERROR(logger, "Failed set cmsg, type = %d/%s, stream traceid = %s, stream addr = %s", type, tfe_cmsg_tlv_type_to_string[type], pmeinfo->stream_traceid, pmeinfo->stream_addr);
+		KNI_LOG_ERROR(logger, "Failed set cmsg, type = %d/%s, stream traceid = %s, stream addr = %s", type, tfe_cmsg_tlv_type_to_string[type],pmeinfo->stream_traceid, pmeinfo->stream_addr);
 	}
 	else
 	{
@@ -1242,6 +1242,35 @@ static struct _session_attribute_label_t * kni_pull_session_attribute_results(st
 }
 
 
+static int tsg_diagnose_judge_streamshunt(int maat_rule_config_id,struct pme_info *pmeinfo)
+{
+	int i = 0 ,ret = 0;
+	void *logger = g_kni_handle->local_logger;
+
+	if(g_kni_handle->tsg_diagnose_enable == 0){
+		KNI_LOG_DEBUG(logger, "Tsg diagnose: enabled is 0, stream traceid = %s, stream addr = %s", pmeinfo->stream_traceid, pmeinfo->stream_addr);
+		return 0;
+	}
+
+
+	if(g_kni_handle->secpolicyid_shunt_tsg_diagnose.id_num == 0){
+		KNI_LOG_DEBUG(logger, "Tsg diagnose: no security policy from profile to shunt, stream traceid = %s, stream addr = %s", pmeinfo->stream_traceid, pmeinfo->stream_addr);
+		return 0;
+	}
+	for(i = 0; i < g_kni_handle->secpolicyid_shunt_tsg_diagnose.id_num; i ++){
+		if(g_kni_handle->secpolicyid_shunt_tsg_diagnose.id_arr[i] == 0){
+			KNI_LOG_DEBUG(logger, "Tsg diagnose: security policy 0 is not allowd shunt, stream traceid = %s, stream addr = %s", pmeinfo->stream_traceid, pmeinfo->stream_addr);
+			continue;
+		}
+		if(g_kni_handle->secpolicyid_shunt_tsg_diagnose.id_arr[i] == maat_rule_config_id){
+			ret = 1;
+			KNI_LOG_DEBUG(logger, "Tsg diagnose: security policy id %d shunt, stream traceid = %s, stream addr = %s", maat_rule_config_id, pmeinfo->stream_traceid, pmeinfo->stream_addr);
+			break;
+		}
+	}
+	return ret;
+}
+
 static int first_data_intercept(struct streaminfo *stream, struct pme_info *pmeinfo, struct pkt_info *pktinfo, int thread_seq){
 	FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_INTCP_READY_STM], 0, FS_OP_ADD, 1);
 	FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_INTCP_READY_BYTE], 0, FS_OP_ADD, pktinfo->ip_totlen);
@@ -1249,10 +1278,10 @@ static int first_data_intercept(struct streaminfo *stream, struct pme_info *pmei
 	char *buff = NULL;
 	int ret, len;
 	//intercept_error: no tfe
-	if( g_kni_handle->secpolicyid_evenflow_self_check == -1 || pmeinfo->maat_result.config_id != g_kni_handle->secpolicyid_evenflow_self_check) //  even flow for self test
+	if(tsg_diagnose_judge_streamshunt(pmeinfo->maat_result.config_id,pmeinfo) == 0) // tsg  diagnose shunt
 		pmeinfo->tfe_id = tfe_mgr_alive_node_get(g_kni_handle->_tfe_mgr, thread_seq);
 	else
-		pmeinfo->tfe_id = tfe_mgr_alive_node_RR_get(g_kni_handle->_tfe_mgr, (int *)&(g_kni_handle->arr_last_tfe_dispatch_index[thread_seq]));
+		pmeinfo->tfe_id = tfe_mgr_alive_node_cycle_get(g_kni_handle->_tfe_mgr, (int *)&(g_kni_handle->arr_last_tfe_dispatch_index[thread_seq]));
 	if(pmeinfo->tfe_id < 0){
 		KNI_LOG_DEBUG(logger, "Intercept error: no available tfe, stream traceid = %s, stream addr = %s", pmeinfo->stream_traceid, pmeinfo->stream_addr);
 		pmeinfo->intcp_error = INTERCEPT_ERROR_NO_TFE;
@@ -2694,13 +2723,27 @@ extern "C" int kni_init(){
 		goto error_out;
 	}
 
-	//init array last_tfe_dispatch_index and read security policy id for self test even flow
+	//init array last_tfe_dispatch_index and read security policy id for tsg-diagnose shunt
+	MESA_load_profile_int_def(profile, "tsg_diagnose", "enabled", &g_kni_handle->tsg_diagnose_enable, 1);
+	KNI_LOG_ERROR(local_logger, "tsg_diagnose: MESA_prof_load, tsg_diagnose:\n enabled: %d", g_kni_handle->tsg_diagnose_enable);
 	g_kni_handle->arr_last_tfe_dispatch_index = ALLOC(int,g_kni_handle->thread_count);
-	g_kni_handle->secpolicyid_evenflow_self_check = -1;
-	ret = MESA_load_profile_int_nodef(profile, "self_test", "sec_policy_id", &g_kni_handle->secpolicyid_evenflow_self_check);
-	if(ret < 0){
-		KNI_LOG_ERROR(local_logger, "Fail get sec_policy_id for self_test, Now sec_policy_id = -1");
+	memset(&g_kni_handle->secpolicyid_shunt_tsg_diagnose, 0, sizeof(g_kni_handle->secpolicyid_shunt_tsg_diagnose));
+	ret = MESA_load_profile_uint_range(profile, "tsg_diagnose", "security_policy_id", TSG_DIAGNOSE_POLICY_CNT, (unsigned int *)g_kni_handle->secpolicyid_shunt_tsg_diagnose.id_arr);
+	g_kni_handle->secpolicyid_shunt_tsg_diagnose.id_num = ret;
+	if(ret <= 0){
+		KNI_LOG_ERROR(local_logger, "Fail get security_policy_id for tsg diagnose, tsg_diagnose no action to security policy id");
 	}
+	else{
+		for(int i = 0; i < g_kni_handle->secpolicyid_shunt_tsg_diagnose.id_num; i++){
+			if(g_kni_handle->secpolicyid_shunt_tsg_diagnose.id_arr[i] <= 0)
+				KNI_LOG_ERROR(local_logger, "Tsg diagnose, security policy id  is not allowed to be equal to and to be lesser than 0");
+			else{
+				KNI_LOG_ERROR(local_logger, "tsg_diagnose: MESA_prof_load, tsg_diagnose: policy id:%d",g_kni_handle->secpolicyid_shunt_tsg_diagnose.id_arr[i]);
+			}
+			
+		}
+	}
+	
 	//init proxy tcp option maat 
 	ret = pxy_tcp_option_rule_init(profile, local_logger);
 	if(ret < 0){

entry/src/kni_pxy_tcp_option.cpp

@@ -595,7 +595,7 @@ int pxy_tcp_option_get_param(Maat_feather_t maat_feather,const struct streaminfo
 		}
 		KNI_LOG_DEBUG(logger,"Proxy-tcp-option: Scan hit, hit_num = %d, streamid = %s", hit_num, pmeinfo->stream_traceid);	
 
-		tmp_buff=(char *)calloc(1, p_result->serv_def_len+1);
+		tmp_buff=(char *)calloc(sizeof(char), p_result->serv_def_len+1);
 
 		Maat_read_rule(g_tsg_maat_feather, p_result, MAAT_RULE_SERV_DEFINE, tmp_buff, p_result->serv_def_len);
 		if( strlen(tmp_buff) < strlen("{}") + 1)

entry/src/tfe_mgr.cpp

@@ -407,7 +407,7 @@ int tfe_mgr_alive_node_get(struct tfe_mgr *mgr, int thread_seq){
      return tfe_id;
 }
 
-int tfe_mgr_alive_node_RR_get(struct tfe_mgr *mgr,int *last_tfe_id_index){
+int tfe_mgr_alive_node_cycle_get(struct tfe_mgr *mgr,int *last_tfe_id_index){
     int tfe_id = -1;
      if(mgr->watch_dog_switch == 0){
          if(mgr->tfe_enabled_node_count > 0){