diff --git a/bin/kniconf/kni.conf b/bin/kniconf/kni.conf index e982212..67c2fac 100644 --- a/bin/kniconf/kni.conf +++ b/bin/kniconf/kni.conf @@ -3,21 +3,23 @@ table_info_path=./kniconf/maat_table_info.conf full_cfg_dir=/home/mesasoft/tango_rules/full/index inc_cfg_dir=/home/mesasoft/tango_rules/inc/index logger_filepath=./log/kni.log -logger_level=20 - -tun_name=tun0 -tun_path=/dev/net/tun -socketopt_mark=101 +logger_level=30 #0:intercept;1:bypass default_work_mode=1 #0:not replay;1:replay -replay_win_update=0 +replay_win_update=1 #0:iris;1:json;2:redis maat_readconf_mode=2 -redis_server=192.168.11.243 +redis_server=10.3.34.1 redis_port=6379 redis_db_index=4 scandir_interval=1000 -effect_interval=60000 +effect_interval=1000 + +//dyn_domain +dyn_maat_readconf_mode=1 +dyn_redis_server=192.168.11.243 +dyn_redis_port=6379 +dyn_redis_db_index=5 diff --git a/bin/kniconf/maat_table_info.conf b/bin/kniconf/maat_table_info.conf index 5a6c8dc..0f98f97 100644 --- a/bin/kniconf/maat_table_info.conf +++ b/bin/kniconf/maat_table_info.conf @@ -7,6 +7,6 @@ 4 WHITE_LIST_DOMAIN expr GBK GBK yes 0 4 PXY_INTERCEPT_DOMAIN expr GBK GBK yes 0 5 PXY_INTERCEPT_PKT_BIN expr GBK GBK yes 0 -6 IPD_DYN_COMPILE compile GBK GBK no 0 +6 IPD_DYN_COMPILE compile GBK GBK no 0 7 IPD_DYN_GROUP group GBK GBK no 0 8 IPD_RELATED_DOMAIN expr GBK GBK yes 0 diff --git a/bin/kniconf/maat_test.json b/bin/kniconf/maat_test.json index 44f227c..66d2678 100644 --- a/bin/kniconf/maat_test.json +++ b/bin/kniconf/maat_test.json 
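Review bot: The added `//dyn_domain` line uses a comment marker the rest of kni.conf does not — every other comment in this hunk starts with `#` — so unless the profile loader accepts `//` it will be parsed as a malformed key; `#dyn_domain` keeps the file's convention. The hunk also deletes tun_name, tun_path and socketopt_mark; the init_profile_info hunk later in this diff shows socketopt_mark falling back to 101, but no default for tun_name or tun_path is visible, so confirm the loader has one before relying on their absence. The redis_server and effect_interval changes look environment-specific; if they are, a comment naming the intended deployment would help the next reader.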
@@ -1,26 +1,26 @@ { - "compile_table": "PXY_ INTERCEPT _COMPILE", - "group_table": "PXY_ INTERCEPT_GROUP", + "compile_table": "WHITE_LIST_COMPILE", + "group_table": "WHITE_LIST_GROUP", "rules": [ { "compile_id": 1, "service": 1, - "action":64, + "action":123, "do_blacklist": 1, "do_log": 1, "effective_rage": 0, - "user_region": "Droprate=0.50", + "user_region": "anything", "is_valid": "yes", "groups": [ { - "group_name": "Untitled", + "group_name": "group_1", "regions": [ { - "table_name": "PXY_INTERCEPT_IP", + "table_name": "WHITE_LIST_IP", "table_type": "ip", "table_content": { "addr_type": "ipv4", - "src_ip": "192.168.66.123", + "src_ip": "192.168.11.119", "mask_src_ip": "255.255.255.255", "src_port": "0", "mask_src_port": "65535", @@ -39,7 +39,7 @@ { "compile_id": 2, "service": 48, - "action": 80, + "action": 123, "do_blacklist": 1, "do_log": 1, "effective_rage": 0, @@ -47,14 +47,14 @@ "is_valid": "yes", "groups": [ { - "group_name": "Untitled", + "group_name": "group_2", "regions": [ { - "table_name": "PXY_INTERCEPT_DOMAIN", + "table_name": "WHITE_LIST_DOMAIN", "table_type": "string", "table_content": { - "keywords": "abcdddfedfe", - "expr_type": "none", + "keywords": "www.baidu.com", + "expr_type": "regex", "match_method": "sub", "format":"uncase plain" } @@ -62,33 +62,6 @@ ] } ] - }, - { - "compile_id": 3, - "service": 48, - "action": 80, - "do_blacklist": 1, - "do_log": 1, - "effective_rage": 0, - "user_region": "zone=pkt_payload;substitute=/baidu/qq", - "is_valid": "yes", - "groups": [ - { - "group_name": "Untitled", - "regions": [ - { - "table_name": "PXY_INTERCEPT_PKT_BIN", - "table_type": "string", - "table_content": { - "keywords": "dfek;fdfkds;", - "expr_type": "none", - "match_method": "sub", - "format":"hexbin" - } - } - ] - } - ] } ] } diff --git a/kni_comm.c b/kni_comm.c index 4ad9efa..6142e37 100644 --- a/kni_comm.c +++ b/kni_comm.c 
@@ -54,7 +54,11 @@ const char *g_kni_fs2_name[FS2_COLUMN_NUM] =
 "PENDING",
 "CLOSE_TIMEOUT",
 "CLOSE_FIN",
- "REPLAY_WIN"
+ "CLOSE_DROPME",
+ "PEM_NUM",
+ "REPLAY_WIN",
+ "HTABLE_ADD_NUM",
+ "HTABLE_DEL_NUM"
 };
@@ -159,6 +163,11 @@ int kni_log_info(char* module,const struct layer_addr* addr,unsigned short proto
 int kni_log_debug(int level,char* module,const void* a_packet,const char* format,...)
 {
+ if(a_packet == NULL)
+ {
+ return 0;
+ }
+
 unsigned short sport=0;
 unsigned short dport=0;
diff --git a/kni_comm.h b/kni_comm.h
index 7e3e9d8..bfa1690 100644
--- a/kni_comm.h
+++ b/kni_comm.h
@@ -7,7 +7,7 @@
 #endif
-#define FS2_COLUMN_NUM 39
+#define FS2_COLUMN_NUM 43
 #define FS2_APPNAME "KNI"
@@ -51,7 +51,11 @@ enum kni_FS_COLUME
 COLUME_PENDING,
 COLUME_CLOSE_TIMEOUT,
 COLUME_CLOSE_FIN,
- COLUME_REPLAY_WINDOW
+ COLUME_CLOSE_DROPME,
+ COLUME_PMENUM,
+ COLUME_REPLAY_WINDOW,
+ COLUME_HTABLE_ADD,
+ COLUME_HTABLE_DEL
 };
diff --git a/kni_entry.c b/kni_entry.c
index ce3c66f..ed45883 100644
--- a/kni_entry.c
+++ b/kni_entry.c
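Review bot: The new column label `"PEM_NUM"` in g_kni_fs2_name pairs with the enum value `COLUME_PMENUM` added to kni_comm.h in this same diff, and the counter is bumped next to kni_init_pmeinfo, so the label is presumably meant to read `"PME_NUM"`. Because the name table and the enum are matched by position, a comment on the table such as `/* order must match enum kni_FS_COLUME in kni_comm.h; FS2_COLUMN_NUM counts these entries */` would make the coupling explicit for the next person who extends either side.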
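Review bot: The early `return 0` for a NULL a_packet in kni_log_debug discards the message rather than logging it without the per-packet address fields; kni_close_opstate in this same diff calls kni_log_debug with a NULL a_packet on its MESA_htable_del failure path, so that FATAL message can now never be written. Either format the message with the address fields left empty when a_packet is NULL, or make the contract visible at the declaration with `/* a_packet may be NULL: the message is then dropped and 0 is returned */` so callers know to use a variant that does not need the packet. kni_log_debug's body continues outside the hunk.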
@@ -116,6 +116,131 @@ int kni_scan_ip(struct ipaddr* addr,int thread_seq,int protocol,struct kni_pme_i
+void kni_free_htable(void* htable_data)
+{
+ struct kni_htable_datainfo* datainfo = (struct kni_htable_datainfo*)htable_data;
+
+ if(datainfo != NULL)
+ {
+ free(datainfo);
+ datainfo = NULL;
+ }
+
+ return;
+}
+
+
+int kni_htable_del(const struct streaminfo* pstream,const void* a_packet)
+{
+ int ret = 0;
+ struct stream_tuple4_v4 ipv4_addr;
+ struct stream_tuple4_v6 ipv6_addr;
+
+ if((pstream->addr.addrtype == ADDR_TYPE_IPV4))
+ {
+ kni_get_ipaddr_v4((void*)a_packet,&ipv4_addr);
+
+ ret = MESA_htable_del(g_kni_structinfo.htable_to_tun_v4,(unsigned char*)&ipv4_addr,sizeof(struct stream_tuple4_v4),kni_free_htable);
+ if(ret < 0)
+ {
+ kni_log_debug(RLOG_LV_FATAL,(char*)"MESA_htable_del",a_packet,"IPv4 MESA_htable_del() error,ret:%d",ret);
+ return -1;
+ }
+ else
+ {
+ kni_filestate2_set(pstream->threadnum,COLUME_HTABLE_DEL,0,1);
+ }
+ }
+ else
+ {
+ kni_get_ipaddr_v6((void*)a_packet,&ipv6_addr);
+ ret = MESA_htable_del(g_kni_structinfo.htable_to_tun_v6,(unsigned char*)&ipv6_addr,sizeof(struct stream_tuple4_v6),kni_free_htable);
+ if(ret < 0)
+ {
+ kni_log_debug(RLOG_LV_FATAL,(char*)"MESA_htable_del",a_packet,"IPv6 MESA_htable_del() error,ret:%d",ret);
+ return -1;
+ }
+
+ }
+
+ return 0;
+}
+
+
+int kni_htable_add(const struct streaminfo* pstream,const void* a_packet,struct kni_pme_info* pmeinfo)
+{
+ int ret = 0;
+ int iprevers=0;
+ struct stream_tuple4_v4 ipv4_addr;
+ struct stream_tuple4_v6 ipv6_addr;
+ struct layer_addr_mac* mac_addr=(struct layer_addr_mac*)((char*)a_packet-KNI_ETHER_LEN);
+ struct kni_htable_datainfo* datainfo=(struct kni_htable_datainfo*)malloc(sizeof(struct kni_htable_datainfo));
+ memset(datainfo,0,sizeof(struct kni_htable_datainfo));
+
+
+//send pkt info by self
+ if(iprevers==0)
+ {
+ datainfo->route_dir=pstream->routedir;
+ memcpy(datainfo->smac,mac_addr->src_mac,MAC_ADDR_LEN);
+ memcpy(datainfo->dmac,mac_addr->dst_mac,MAC_ADDR_LEN);
+ }
+ else
+ {
+ if(g_kni_switch_info.sendpkt_mode == 1)
+ {
+ datainfo->route_dir=1-pstream->routedir;
+
+ }
+ else
+ {
+ datainfo->route_dir=MESA_dir_reverse(pstream->routedir);
+ }
+ memcpy(datainfo->smac,mac_addr->dst_mac,MAC_ADDR_LEN);
+ memcpy(datainfo->dmac,mac_addr->src_mac,MAC_ADDR_LEN);
+ }
+
+//send wnd_pro_reply info
+// memcpy(&(datainfo->tcpopt_info),&(pmeinfo->tcpopt_info),KNI_DIR_DOUBLE*sizeof(struct kni_tcpopt_info));
+ memcpy(&(datainfo->lastpkt_info),&(pmeinfo->lastpkt_info),KNI_DIR_DOUBLE*sizeof(struct kni_wndpro_reply_info));
+
+
+ if(pstream->addr.addrtype == ADDR_TYPE_IPV4)
+ {
+ iprevers=kni_get_ipaddr_v4((void*)a_packet,&ipv4_addr);
+ ret = MESA_htable_add(g_kni_structinfo.htable_to_tun_v4,(unsigned char*)&ipv4_addr,sizeof(struct stream_tuple4_v4),(void*)datainfo);
+ if(ret == MESA_HTABLE_RET_DUP_ITEM)
+ {
+ kni_log_debug(RLOG_LV_FATAL,(char*)"kni_htable_add dup",a_packet,"-5");
+ return -1;
+ }
+ else if(ret < 0)
+ {
+ kni_log_debug(RLOG_LV_FATAL,(char*)"kni_htable_add",a_packet,"IPv4 MESA_htable_add() error,ret:%d",ret);
+ return -1;
+ }
+ else
+ {
+ kni_filestate2_set(pstream->threadnum,COLUME_HTABLE_ADD,0,1);
+ }
+ }
+ else
+ {
+ iprevers=kni_get_ipaddr_v6((void*)a_packet,&ipv6_addr);
+ ret = MESA_htable_add(g_kni_structinfo.htable_to_tun_v6,(unsigned char*)&ipv6_addr,sizeof(struct stream_tuple4_v6),(void*)datainfo);
+ if(ret < 0)
+ {
+ kni_log_debug(RLOG_LV_FATAL,(char*)"kni_htable_add",a_packet,"IPv6 MESA_htable_add() error,ret:%d",ret);
+ return -1;
+ }
+
+ }
+
+
+ return 0;
+}
+
+/*
 int kni_htable_add(const struct streaminfo* pstream,const void* a_packet,struct kni_pme_info* pmeinfo)
 {
 int ret = 0;
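Review bot: In the new kni_htable_add the malloc result is handed to memset without a NULL check, and on every failure return (the MESA_HTABLE_RET_DUP_ITEM branch and both `ret < 0` branches) datainfo is never freed, so each rejected insert leaks one kni_htable_datainfo. `iprevers` is also initialized to 0 and tested in `if(iprevers==0)` before kni_get_ipaddr_v4/v6 assigns it further down, so the reversed-direction else branch is unreachable; the address lookup has to run before the direction/MAC setup. The same asymmetry is present in kni_htable_del, where only the IPv4 path counts COLUME_HTABLE_DEL, and the duplicate-key log uses the bare format string `"-5"`, which says nothing about what failed. The rewrite below hoists the key lookup, checks the allocation and releases datainfo on failure; it assumes MESA_htable_add leaves ownership with the caller when it returns an error and that the duplicate code applies to both tables, both of which should be confirmed against the library's documentation.

```c
int kni_htable_add(const struct streaminfo* pstream,const void* a_packet,struct kni_pme_info* pmeinfo)
{
    int ret = 0;
    int iprevers=0;
    struct stream_tuple4_v4 ipv4_addr;
    struct stream_tuple4_v6 ipv6_addr;
    struct layer_addr_mac* mac_addr=(struct layer_addr_mac*)((char*)a_packet-KNI_ETHER_LEN);
    struct kni_htable_datainfo* datainfo=NULL;

    /* resolve the table key first: iprevers drives the direction/MAC setup below */
    if(pstream->addr.addrtype == ADDR_TYPE_IPV4)
    {
        iprevers=kni_get_ipaddr_v4((void*)a_packet,&ipv4_addr);
    }
    else
    {
        iprevers=kni_get_ipaddr_v6((void*)a_packet,&ipv6_addr);
    }

    datainfo=(struct kni_htable_datainfo*)malloc(sizeof(struct kni_htable_datainfo));
    if(datainfo == NULL)
    {
        kni_log_debug(RLOG_LV_FATAL,(char*)"kni_htable_add",a_packet,"malloc() failed");
        return -1;
    }
    memset(datainfo,0,sizeof(struct kni_htable_datainfo));

    // … unchanged: route_dir / smac / dmac setup keyed on iprevers, lastpkt_info copy …

    if(pstream->addr.addrtype == ADDR_TYPE_IPV4)
    {
        ret = MESA_htable_add(g_kni_structinfo.htable_to_tun_v4,(unsigned char*)&ipv4_addr,sizeof(struct stream_tuple4_v4),(void*)datainfo);
    }
    else
    {
        ret = MESA_htable_add(g_kni_structinfo.htable_to_tun_v6,(unsigned char*)&ipv6_addr,sizeof(struct stream_tuple4_v6),(void*)datainfo);
    }

    if(ret == MESA_HTABLE_RET_DUP_ITEM)
    {
        /* the table did not take ownership of datainfo; release it */
        free(datainfo);
        kni_log_debug(RLOG_LV_FATAL,(char*)"kni_htable_add dup",a_packet,"MESA_htable_add() duplicate key,ret:%d",ret);
        return -1;
    }
    else if(ret < 0)
    {
        free(datainfo);
        kni_log_debug(RLOG_LV_FATAL,(char*)"kni_htable_add",a_packet,"MESA_htable_add() error,ret:%d",ret);
        return -1;
    }

    kni_filestate2_set(pstream->threadnum,COLUME_HTABLE_ADD,0,1);
    return 0;
}
```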
@@ -160,7 +285,7 @@ int kni_htable_add(const struct streaminfo* pstream,const void* a_packet,struct
 ret = MESA_htable_add(g_kni_structinfo.htable_to_tun_v4,(unsigned char*)&ipv4_addr,sizeof(struct stream_tuple4_v4),(void*)datainfo);
 if(ret < 0)
 {
- kni_log_debug(RLOG_LV_INFO,(char*)"kni_htable_add",a_packet,"IPv4 MESA_htable_add() error,ret:%d",ret);
+ kni_log_debug(RLOG_LV_FATAL,(char*)"kni_htable_add",a_packet,"IPv4 MESA_htable_add() error,ret:%d",ret);
 return -1;
 }
 }
@@ -170,7 +295,7 @@ int kni_htable_add(const struct streaminfo* pstream,const void* a_packet,struct
 ret = MESA_htable_add(g_kni_structinfo.htable_to_tun_v6,(unsigned char*)&ipv6_addr,sizeof(struct stream_tuple4_v6),(void*)datainfo);
 if(ret < 0)
 {
- kni_log_debug(RLOG_LV_INFO,(char*)"kni_htable_add",a_packet,"IPv6 MESA_htable_add() error,ret:%d",ret);
+ kni_log_debug(RLOG_LV_FATAL,(char*)"kni_htable_add",a_packet,"IPv6 MESA_htable_add() error,ret:%d",ret);
 return -1;
 }
@@ -180,7 +305,7 @@ int kni_htable_add(const struct streaminfo* pstream,const void* a_packet,struct
 return 0;
 }
-
+*/
@@ -412,12 +537,12 @@ char kni_process_udppkt(unsigned char routdir,struct kni_pme_info* pmeinfo,int t
 char kni_first_tcpdata(const struct streaminfo* pstream,const void* a_packet,struct kni_pme_info* pmeinfo,char* data,int datalen)
-{
-
+{
 struct timespec start, end;
 long elapse=0;
 char ret=APP_STATE_FAWPKT|APP_STATE_DROPME;
+ int htable_ret = 0;
 int domain_len=0;
 char domain[KNI_DEFAULT_MTU]={0};
@@ -462,12 +587,17 @@ char kni_first_tcpdata(const struct streaminfo* pstream,const void* a_packet,str
 break;
 }
+ default:
+ pmeinfo->action = KNI_ACTION_MONITOR;
+ break;
+
 }
 kni_filestate2_set(pstream->threadnum,COLUME_INTERCEPT,0,1);
 if(kni_htable_add(pstream,a_packet,pmeinfo) < 0)
 {
+ pmeinfo->action = KNI_ACTION_NOTPROC;
 kni_filestate2_set(pstream->threadnum,COLUME_DROP_ADDHTABLE_ERROR,0,1);
 return ret;
 }
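Review bot: `int htable_ret = 0;` added at the top of kni_first_tcpdata is not referenced by any line in these hunks — the later kni_htable_del call discards its result — so unless a use exists outside the hunks it is an unused local that should either be dropped or capture that result. The three RLOG_LV_INFO→RLOG_LV_FATAL edits in the first hunks on this line land inside the `/* … */` block that now wraps the old kni_htable_add (opened by `+/*` in the previous hunk, closed by `+*/` here), so they change nothing; commented-out code is better deleted outright, since history already preserves it. On the `kni_htable_add(...) < 0` path the new `pmeinfo->action = KNI_ACTION_NOTPROC;` stores -1, which is only meaningful if the action field is a signed type wide enough to hold it — the field's declaration is not in the diff, so that is worth a check. kni_first_tcpdata starts and ends outside these hunks.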
@@ -476,7 +606,9 @@ char kni_first_tcpdata(const struct streaminfo* pstream,const void* a_packet,str
 if(tcp_repair_process(pstream,a_packet,pmeinfo,pmeinfo->protocol)<0)
 {
-
+ kni_htable_del(pstream,a_packet);
+
+ pmeinfo->action = KNI_ACTION_NOTPROC;
 clock_gettime(CLOCK_MONOTONIC, &end);
 elapse=(end.tv_sec-start.tv_sec)*1000000+(end.tv_nsec-start.tv_nsec)/1000;
@@ -565,10 +697,17 @@ char kni_pending_opstate(const struct streaminfo* pstream,struct kni_pme_info* p
 #endif
 {
 ret=kni_first_tcpdata(pstream,a_packet,pmeinfo,data,datalen);
- if((pmeinfo->protocol==KNI_FLAG_HTTP) ||(pmeinfo->protocol==KNI_FLAG_SSL))
+ if((pmeinfo->action == KNI_ACTION_MONITOR) && (pmeinfo->protocol==KNI_FLAG_HTTP) ||(pmeinfo->protocol==KNI_FLAG_SSL))
 {
- kni_add_lqueue(ADDR_TYPE_IPV4,thread_seq,(char*)ipv4_hdr,iplen);
-// ret=tun_write_data(g_kni_comminfo.fd_tun[thread_seq],(char*)ipv4_hdr,iplen,(struct streaminfo*)pstream,thread_seq);
+ if(g_kni_switch_info.write_listq_switch == 1)
+ {
+ ret = kni_add_lqueue(ADDR_TYPE_IPV4,thread_seq,(char*)ipv4_hdr,iplen,pstream);
+ }
+ else
+ {
+ ret=tun_write_data(g_kni_comminfo.fd_tun[thread_seq],(char*)ipv4_hdr,iplen,(struct streaminfo*)pstream,thread_seq);
+ }
+
 }
 }
 #ifndef KNI_DEBUG_TCPREPAIR
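Review bot: The new condition in kni_pending_opstate, `if((pmeinfo->action == KNI_ACTION_MONITOR) && (pmeinfo->protocol==KNI_FLAG_HTTP) ||(pmeinfo->protocol==KNI_FLAG_SSL))`, parses as `(MONITOR && HTTP) || SSL` because `&&` binds tighter than `||`, so SSL flows are written to the tun device or list queue regardless of action; the parallel test in kni_data_opstate later in this diff has the parentheses this one is missing. The intended form is `if((pmeinfo->action == KNI_ACTION_MONITOR) && ((pmeinfo->protocol==KNI_FLAG_HTTP) ||(pmeinfo->protocol==KNI_FLAG_SSL)))`. Inside that block `ret`, which holds the state flags returned by kni_first_tcpdata, is overwritten with the return value of kni_add_lqueue or tun_write_data; if those return an error code rather than APP_STATE flags the function's result changes meaning, so either keep a separate status variable or document that they return state flags — the same overwrite appears in kni_data_opstate. In the first hunk the result of kni_htable_del is ignored on the tcp_repair_process failure path; presumably acceptable since it logs internally, but a `(void)` cast would make that explicit. kni_pending_opstate continues outside the hunk.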
@@ -654,8 +793,15 @@ char kni_data_opstate(const struct streaminfo* pstream,struct kni_pme_info* pmei
 if((pmeinfo->action == KNI_ACTION_MONITOR) && ((pmeinfo->protocol==KNI_FLAG_HTTP)||(pmeinfo->protocol==KNI_FLAG_SSL)))
 {
 kni_filestate2_set(pstream->threadnum,COLUME_INTERCEPT,0,1);
- kni_add_lqueue(ADDR_TYPE_IPV4,thread_seq,(char*)a_packet,iplen);
-// ret=tun_write_data(g_kni_comminfo.fd_tun[thread_seq],(char*)a_packet,iplen,(struct streaminfo*)pstream,thread_seq);
+ if(g_kni_switch_info.write_listq_switch == 1)
+ {
+ ret = kni_add_lqueue(ADDR_TYPE_IPV4,thread_seq,(char*)a_packet,iplen,pstream);
+ }
+ else
+ {
+ ret=tun_write_data(g_kni_comminfo.fd_tun[thread_seq],(char*)a_packet,iplen,(struct streaminfo*)pstream,thread_seq);
+ }
+
 }
 else if(pmeinfo->action == KNI_ACTION_RATELIMIT)
 {
@@ -681,20 +827,40 @@ char kni_data_opstate(const struct streaminfo* pstream,struct kni_pme_info* pmei
 }
-
-
 char kni_close_opstate(const struct streaminfo* pstream,struct kni_pme_info* pmeinfo,int thread_seq,const void* a_packet,int protocol)
 {
-
 char ret=APP_STATE_FAWPKT|APP_STATE_DROPME;
+ int htable_ret = 0;
+ struct stream_tuple4_v4 ipv4_addr;
+ struct stream_tuple4_v6 ipv6_addr;
+
 if(a_packet==NULL)
 {
+ if(pmeinfo->action == KNI_ACTION_MONITOR)
+ {
+ htable_ret = MESA_htable_del(g_kni_structinfo.htable_to_tun_v4,(unsigned char*)(pstream->addr.tuple4_v4),sizeof(struct stream_tuple4_v4),kni_free_htable);
+ if(htable_ret < 0)
+ {
+ kni_log_debug(RLOG_LV_FATAL,(char*)"MESA_htable_del",a_packet,"IPv4 MESA_htable_del() error,ret:%d",ret);
+ }
+ else
+ {
+ kni_filestate2_set(pstream->threadnum,COLUME_HTABLE_DEL,0,1);
+ }
+ }
+
 return ret;
 }
 ret=kni_data_opstate(pstream,pmeinfo,thread_seq,a_packet,protocol);
+//del htable
+ if(pmeinfo->action==KNI_ACTION_MONITOR)
+ {
+ kni_htable_del(pstream,a_packet);
+ }
+
 return ret|APP_STATE_DROPME;
 }
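Review bot: In the new a_packet==NULL branch of kni_close_opstate the failure log passes `ret` where `htable_ret` holds the MESA_htable_del result, so `ret:%d` prints the state flags instead of the error; the line should read `kni_log_debug(RLOG_LV_FATAL,(char*)"MESA_htable_del",a_packet,"IPv4 MESA_htable_del() error,ret:%d",htable_ret);`. That call also passes the NULL a_packet, and with the kni_log_debug change in this diff such calls return immediately, so the message is never emitted regardless. The branch deletes only from htable_to_tun_v4 via pstream->addr.tuple4_v4 without checking pstream->addr.addrtype, so an IPv6 flow that closes without a final packet keeps its entry in htable_to_tun_v6; it needs the same addrtype split kni_htable_del has, and the `ipv4_addr`/`ipv6_addr` locals added here are never used and can go.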
@@ -788,6 +954,7 @@ extern "C" char kni_tcpall_entry(const struct streaminfo* pstream,void** pme,int { case OP_STATE_PENDING: kni_filestate2_set(thread_seq,COLUME_PENDING,0,1); + kni_filestate2_set(thread_seq,COLUME_PMENUM,0,1); kni_init_pmeinfo(pme); ret=kni_pending_opstate(pstream,(struct kni_pme_info*)*pme,thread_seq,a_packet,PROTO_TYPE_TCP); break; @@ -815,8 +982,14 @@ extern "C" char kni_tcpall_entry(const struct streaminfo* pstream,void** pme,int if((ret&APP_STATE_DROPME)&&(*pme!=NULL)) { + kni_filestate2_set(thread_seq,COLUME_PMENUM,0,-1); kni_free_pmeinfo(pme); *pme=NULL; + + if(pstream->pktstate != OP_STATE_CLOSE) + { + kni_filestate2_set(thread_seq,COLUME_CLOSE_DROPME,0,1); + } } clock_gettime(CLOCK_MONOTONIC, &end); @@ -1040,6 +1213,8 @@ int init_profile_info() MESA_load_profile_int_def((char*)KNI_CONF_FILENAME,(char*)KNI_CONF_MODE,(char*)"ratelimit_switch",&(g_kni_switch_info.ratelimit_switch),1); MESA_load_profile_int_def((char*)KNI_CONF_FILENAME,(char*)KNI_CONF_MODE,(char*)"replace_switch",&(g_kni_switch_info.replace_switch),1); MESA_load_profile_int_def((char*)KNI_CONF_FILENAME,(char*)KNI_CONF_MODE,(char*)"sendpkt_mode",&(g_kni_switch_info.sendpkt_mode),0); + MESA_load_profile_int_def((char*)KNI_CONF_FILENAME,(char*)KNI_CONF_MODE,(char*)"write_listqueue_switch",&(g_kni_switch_info.write_listq_switch),0); + MESA_load_profile_string_def((char*)KNI_CONF_FILENAME,(char*)KNI_CONF_MODE,(char*)"domain_path",g_kni_comminfo.domain_path,KNI_CONF_MAXLEN,"/home/server_unixsocket_file"); MESA_load_profile_int_def((char*)KNI_CONF_FILENAME,(char*)KNI_CONF_MODE,(char*)"socketopt_mark",&(g_kni_comminfo.mark),101); @@ -1378,14 +1553,14 @@ extern "C" char kni_init() init_kni_unixdomain(); - + + pthread_create(&pid_kni_filestat2,NULL,kni_filestat2,NULL); if(init_kni_sendpkt() < 0) { return -1; } - pthread_create(&pid_kni_filestat2,NULL,kni_filestat2,NULL); if(g_kni_switch_info.maat_default_mode==0) { diff --git a/kni_entry.h b/kni_entry.h index b94e6d2..15a5688 100644 
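Review bot: In kni_init the kni_filestat2 thread is now started before init_kni_sendpkt, so when init_kni_sendpkt fails the function returns -1 with the statistics thread left running against a half-initialised module; if the thread must precede init_kni_sendpkt, the failure path should stop it, otherwise keeping the create after the check is simpler. pthread_create's return value is also unchecked, both before and after the move: `if(pthread_create(&pid_kni_filestat2,NULL,kni_filestat2,NULL) != 0) { return -1; }`. In the kni_tcpall_entry hunk the counter COLUME_CLOSE_DROPME is incremented when pktstate is not OP_STATE_CLOSE, which reads as the opposite of its name; a comment such as `// DROPME returned while not in the CLOSE state` next to it would settle what is being counted. kni_init's body continues outside the hunk.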
--- a/kni_entry.h +++ b/kni_entry.h @@ -91,6 +91,7 @@ #define KNI_ACTION_REPLACE 0x50 #define KNI_ACTION_WHITELIST 0x80 #define KNI_ACTION_HALFHIT -2 +#define KNI_ACTION_NOTPROC -1 #define KNI_MAX_SAMENUM 10 #define KNI_TABLENAME_IP "WHITE_LIST_IP" @@ -237,6 +238,7 @@ struct kni_switch_info int ratelimit_switch; int replace_switch; int sendpkt_mode; //0:mesa_sendpkt_option;1:socket + int write_listq_switch; //0:no listq;1:has listq }; struct kni_http_project @@ -478,6 +480,8 @@ extern struct kni_switch_info g_kni_switch_info; extern int g_iThreadNum; extern char g_kni_cardname[KNI_CARD_NUM][KNI_CONF_MAXLEN]; +int kni_htable_del(const struct streaminfo* pstream,const void* a_packet); + #endif
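Review bot: `KNI_ACTION_NOTPROC -1` joins KNI_ACTION_HALFHIT as a negative action code beside positive flag-style values such as 0x50 and 0x80; comparisons like `pmeinfo->action == KNI_ACTION_NOTPROC` in kni_entry.c only hold if the action field is a signed type at least as wide as int, and its declaration is not visible in this diff, so confirm it is not `unsigned char` or similar. The new prototype for kni_htable_del is the only one of the new kni_entry.c functions exported here; a one-line comment stating the contract the kni_close_opstate caller relies on, e.g. `/* remove the flow's tun entry; returns 0, or -1 after logging the failure */`, would document it at the declaration.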