From 268b3ecac25d167cc7009bd59205099e45988179 Mon Sep 17 00:00:00 2001 From: fumingwei Date: Wed, 29 Jul 2020 13:56:58 +0800 Subject: [PATCH] =?UTF-8?q?1=E3=80=81=E5=A2=9E=E5=8A=A0proxy=20tcp=20optio?= =?UTF-8?q?n=20=E5=8A=9F=E8=83=BD=202=E3=80=81=20=E5=B0=86kni=5Fentry.cpp?= =?UTF-8?q?=20=E6=8B=86=E5=88=86=E5=87=BA=E6=9D=A5=20kni=5Fentry.h?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- common/include/kni_cmsg.h | 21 ++ conf/kni/kni.conf | 7 +- entry/CMakeLists.txt | 2 +- entry/include/kni_entry.h | 222 ++++++++++++ entry/include/kni_pxy_tcp_option.h | 14 + entry/src/kni_entry.cpp | 271 +++++--------- entry/src/kni_pxy_tcp_option.cpp | 556 +++++++++++++++++++++++++++++ 7 files changed, 913 insertions(+), 180 deletions(-) create mode 100644 entry/include/kni_entry.h create mode 100644 entry/include/kni_pxy_tcp_option.h create mode 100644 entry/src/kni_pxy_tcp_option.cpp diff --git a/common/include/kni_cmsg.h b/common/include/kni_cmsg.h index 3716f72..f4efe4c 100644 --- a/common/include/kni_cmsg.h +++ b/common/include/kni_cmsg.h @@ -43,6 +43,27 @@ enum tfe_cmsg_tlv_type TFE_CMSG_SSL_ERROR, //string TFE_CMSG_SRC_MAC, TFE_CMSG_DST_MAC, + + /* TCP option information */ + TFE_CMSG_DOWNSTREAM_TCP_MAXSEG = 0x40, //size int + TFE_CMSG_DOWNSTREAM_TCP_NODELAY = 0x41, //size int + TFE_CMSG_DOWNSTREAM_TCP_TTL = 0x42, //size int + TFE_CMSG_DOWNSTREAM_TCP_KEEPALIVE = 0x43, //size int + TFE_CMSG_DOWNSTREAM_TCP_KEEPCNT = 0x44, //size int + TFE_CMSG_DOWNSTREAM_TCP_KEEPIDLE = 0x45, //size int + TFE_CMSG_DOWNSTREAM_TCP_KEEPINTVL = 0x46, //size int + TFE_CMSG_DOWNSTREAM_TCP_USER_TIMEOUT = 0x47, //size int + + TFE_CMSG_UPSTREAM_TCP_MAXSEG = 0x50, //size int + TFE_CMSG_UPSTREAM_TCP_NODELAY = 0x51, //size int + TFE_CMSG_UPSTREAM_TCP_TTL = 0x52, //size int + TFE_CMSG_UPSTREAM_TCP_KEEPALIVE = 0x53, //size int + TFE_CMSG_UPSTREAM_TCP_KEEPCNT = 0x54, //size int + TFE_CMSG_UPSTREAM_TCP_KEEPIDLE = 0x55, //size int + TFE_CMSG_UPSTREAM_TCP_KEEPINTVL = 0x56, //size int + TFE_CMSG_UPSTREAM_TCP_USER_TIMEOUT = 0x57, //size int + + TFE_CMSG_TCP_PASSTHROUGH = 0x60, //size int }; struct kni_cmsg* kni_cmsg_init(); diff --git a/conf/kni/kni.conf b/conf/kni/kni.conf index 81ece45..ece8a44 100644 --- a/conf/kni/kni.conf +++ b/conf/kni/kni.conf @@ -93,4 +93,9 @@ mho_mutex_num = 160 mho_hash_slot_size = 640000 mho_hash_max_element_num = 2560000 mho_expire_time = 300 -mho_eliminate_type = FIFO \ No newline at end of file +mho_eliminate_type = FIFO + +[proxy_tcp_option] +maat_table_compile = PXY_TCP_OPTION_COMPILE +maat_table_addr = PXY_TCP_OPTION_ADDR +maat_table_sni = PXY_TCP_OPTION_SSL_SNI \ No newline at end of file diff --git a/entry/CMakeLists.txt b/entry/CMakeLists.txt index b9f76a5..34d3877 100644 --- a/entry/CMakeLists.txt +++ b/entry/CMakeLists.txt @@ -1,3 +1,3 @@ -add_library(kni SHARED src/kni_entry.cpp src/tfe_mgr.cpp src/ssl_utils.cpp src/kni_tun.cpp) +add_library(kni SHARED src/kni_entry.cpp src/tfe_mgr.cpp src/ssl_utils.cpp src/kni_tun.cpp src/kni_pxy_tcp_option.cpp) target_include_directories(kni PUBLIC ${CMAKE_CURRENT_LIST_DIR}/include) target_link_libraries(kni common MESA_prof_load MESA_htable MESA_field_stat maatframe mrzcpd dabloom) \ No newline at end of file diff --git a/entry/include/kni_entry.h b/entry/include/kni_entry.h new file mode 100644 index 0000000..2508d77 --- /dev/null +++ b/entry/include/kni_entry.h @@ -0,0 +1,222 @@ +#pragma once +#ifndef __KNI_ENTRY_H__ +#define __KNI_ENTRY_H__ + +#include "tsg/tsg_rule.h" +#include "kni_utils.h" +#include "tsg/tsg_statistic.h" +#include "tfe_mgr.h" + +#define BURST_MAX 1 +#define CALLER_SAPP 0 +#define CALLER_TFE 1 + +#define SSL_INFO_LEN 2048 +#define _MAX_TABLE_NAME_LEN 64 + +enum intercept_error{ + INTERCEPT_ERROR_ASYM_ROUTING = -1, + INTERCEPT_ERROR_NO_SYN = -2, + INTERCEPT_ERROR_NO_SYN_ACK = -3, + INTERCEPT_ERROR_INVALID_IP_HDR = -4, + INTERCEPT_ERROR_EXCEED_MTU = -5, + //internal + INTERCEPT_ERROR_SENDTO_TFE_FAIL = -6, + INTERCEPT_ERROR_TUPLE2STM_ADD_FAIL = -7, + INTERCEPT_ERROR_NO_TFE = -8, + INTERCEPT_ERROR_DUP_TRAFFIC = -9, + INTERCEPT_ERROR_CMSG_ADD_FAIL = -10, +}; + +/* action + 0x00: none + 0x02: intercept + 0x80: bypass +*/ +enum kni_action{ + KNI_ACTION_NONE = 0x00, + KNI_ACTION_INTERCEPT = 0x02, + KNI_ACTION_BYPASS = 0x80 +}; + + +enum PXY_TCP_OPTION_MAAT_TABLE{ + TABLE_IP_ADDR=0, + TABLE_SSL_SNI, + TABLE_COMPILE, + TABLE_MAX +}; + +//memset 0 +struct dup_traffic_dabloom_key{ + union{ + struct stream_tuple4_v4 v4; + struct stream_tuple4_v6 v6; + }addr; + uint16_t ipid; + uint32_t seq; + uint32_t ack_seq; + uint32_t timestamp; +}; + +struct proxy_tcp_option{ + int client_tcp_maxseg; + int client_tcp_nodelay; + int client_tcp_ttl; + int client_tcp_keepalive_enable; + int client_tcp_keepalive_keepcnt; + int client_tcp_keepalive_keepidle; + int client_tcp_keepalive_keepintvl; + int client_tcp_user_timeout; + + int server_tcp_maxseg; + int server_tcp_nodelay; + int server_tcp_ttl; + int server_tcp_keepalive_enable; + int server_tcp_keepalive_keepcnt; + int server_tcp_keepalive_keepidle; + int server_tcp_keepalive_keepintvl; + int server_tcp_user_timeout; + + int bypass_duplicated_packet; + int tcp_passthrough; +}; + +struct pme_info{ + addr_type_t addr_type; + char stream_addr[KNI_ADDR_MAX]; + int do_log; + int policy_id; + tsg_protocol_t protocol; + enum kni_action action; + int service; + struct kni_tcpopt_info client_tcpopt; + struct kni_tcpopt_info server_tcpopt; + char has_syn; + char has_syn_ack; + uint16_t client_window; + uint16_t server_window; + int tfe_id; + pthread_mutex_t lock; + enum intercept_error intcp_error; + char stream_traceid[24]; + //cjson check protocol + union{ + char host[MAX_DOAMIN_LEN]; //http only + char sni[MAX_DOAMIN_LEN]; //ssl only + }domain; + int domain_len; + //tfe_release = 1: tfe don't need pmeinfo + int tfe_release; + int sapp_release; + //kafka log + struct TLD_handle_t *tld_handle; + const struct streaminfo *stream; + int maat_result_num; + Maat_rule_t maat_result; + //from tfe, kafka log + uint64_t ssl_intercept_state; + uint64_t ssl_pinningst; //defalut 0 + uint64_t ssl_server_side_latency; + uint64_t ssl_client_side_latency; + char ssl_server_side_version[KNI_SYMBOL_MAX]; + char ssl_client_side_version[KNI_SYMBOL_MAX]; + int64_t ssl_cert_verify; + char ssl_error[KNI_STRING_MAX]; + + //for dup traffic detect + uint64_t has_dup_traffic; + int has_dup_syn; + int has_dup_syn_ack; + struct dup_traffic_dabloom_key *syn_packet; + struct dup_traffic_dabloom_key *syn_ack_packet; + struct _traffic_info traffic_info; + //for kni dynamic bypass + int thread_seq; + int is_dynamic_bypass; + //for proxy tcp option + struct proxy_tcp_option pxy_tcp_option; +}; + +struct wrapped_packet{ + char data[KNI_MTU]; +}; + +struct tcp_option_restore{ + uint8_t kind; + uint8_t len; + uint16_t offset; +}; + +struct tfe_enabled_node{ + int tfe_id; + struct mr_vdev *dev_eth_handler; + struct mr_sendpath *dev_eth_sendpath; +}; + +struct kni_marsio_handle{ + struct mr_instance *instance; + int tfe_enabled_node_count; + struct tfe_enabled_node tfe_enabled_nodes[TFE_COUNT_MAX]; +}; + +struct protocol_identify_result{ + int protocol; + char domain[MAX_DOAMIN_LEN]; + int domain_len; +}; + +struct thread_tfe_cmsg_receiver_args{ + void *logger; + char profile[KNI_SYMBOL_MAX]; +}; + + +struct per_thread_handle{ + MESA_htable_handle tuple2stream_htable; + MESA_htable_handle traceid2sslinfo_htable; + struct expiry_dablooms_handle *dabloom_handle; +}; + +struct tuple2stream_htable_value{ + struct streaminfo *stream; + struct pme_info *pmeinfo; + int route_dir; + int reversed; +}; + +struct kni_handle{ + struct kni_marsio_handle *marsio_handle; + struct kni_tun_handle *tun_handle; + struct kni_maat_handle *maat_handle; + struct kni_send_logger *send_logger; + MESA_htable_handle traceid2pme_htable; + struct per_thread_handle *threads_handle; + void *local_logger; + struct tfe_mgr *_tfe_mgr; + int thread_count; + int dup_traffic_switch; + int dup_traffic_action; + enum kni_deploy_mode deploy_mode; + char src_mac_addr[6]; + char dst_mac_addr[6]; + int *arr_last_tfe_dispatch_index; + int secpolicyid_evenflow_self_check; + MESA_htable_handle sslinfo2bypass_htable; + char table_name[TABLE_MAX][_MAX_TABLE_NAME_LEN]; // for proxy tcp option maat name + int table_id[TABLE_MAX]; + struct proxy_tcp_option pxy_tcp_option; +}; + +struct traceid2pme_search_cb_args{ + struct kni_cmsg *cmsg; + void *logger; +}; + +struct dynamic_bypass_ssl_feature{ + char value[SSL_INFO_LEN]; + size_t vlen; +}; + +#endif + diff --git a/entry/include/kni_pxy_tcp_option.h b/entry/include/kni_pxy_tcp_option.h new file mode 100644 index 0000000..492f044 --- /dev/null +++ b/entry/include/kni_pxy_tcp_option.h @@ -0,0 +1,14 @@ +#pragma once +#ifndef __KNI_PXY_TCP_OPTION_H__ +#define __KNI_PXY_TCP_OPTION_H__ + +#include +#include "kni_entry.h" +#include "tsg/tsg_rule.h" + +int pxy_tcp_option_rule_init(const char* conffile, void *logger); + +int pxy_tcp_option_get_param(Maat_feather_t maat_feather,const struct streaminfo *a_stream,struct pme_info *pmeinfo, void *logger); + +#endif + diff --git a/entry/src/kni_entry.cpp b/entry/src/kni_entry.cpp index 5b27600..1526645 100644 --- a/entry/src/kni_entry.cpp +++ b/entry/src/kni_entry.cpp @@ -31,189 +31,14 @@ extern "C" { #include "kni_tun.h" #include "tsg/tsg_statistic.h" #include +#include "kni_entry.h" +#include "kni_pxy_tcp_option.h" struct kni_handle *g_kni_handle = NULL; struct kni_field_stat_handle *g_kni_fs_handle = NULL; int *arr_last_tfe_dispatch_index = NULL; - -#define BURST_MAX 1 -#define CALLER_SAPP 0 -#define CALLER_TFE 1 - -#define SSL_INFO_LEN 2048 - -enum intercept_error{ - INTERCEPT_ERROR_ASYM_ROUTING = -1, - INTERCEPT_ERROR_NO_SYN = -2, - INTERCEPT_ERROR_NO_SYN_ACK = -3, - INTERCEPT_ERROR_INVALID_IP_HDR = -4, - INTERCEPT_ERROR_EXCEED_MTU = -5, - //internal - INTERCEPT_ERROR_SENDTO_TFE_FAIL = -6, - INTERCEPT_ERROR_TUPLE2STM_ADD_FAIL = -7, - INTERCEPT_ERROR_NO_TFE = -8, - INTERCEPT_ERROR_DUP_TRAFFIC = -9, - INTERCEPT_ERROR_CMSG_ADD_FAIL = -10, -}; - -/* action - 0x00: none - 0x02: intercept - 0x80: bypass -*/ -enum kni_action{ - KNI_ACTION_NONE = 0x00, - KNI_ACTION_INTERCEPT = 0x02, - KNI_ACTION_BYPASS = 0x80 -}; - - -//memset 0 -struct dup_traffic_dabloom_key{ - union{ - struct stream_tuple4_v4 v4; - struct stream_tuple4_v6 v6; - }addr; - uint16_t ipid; - uint32_t seq; - uint32_t ack_seq; - uint32_t timestamp; -}; - -struct pme_info{ - addr_type_t addr_type; - char stream_addr[KNI_ADDR_MAX]; - int do_log; - int policy_id; - tsg_protocol_t protocol; - enum kni_action action; - int service; - struct kni_tcpopt_info client_tcpopt; - struct kni_tcpopt_info server_tcpopt; - char has_syn; - char has_syn_ack; - uint16_t client_window; - uint16_t server_window; - int tfe_id; - pthread_mutex_t lock; - enum intercept_error intcp_error; - char stream_traceid[24]; - //cjson check protocol - union{ - char host[MAX_DOAMIN_LEN]; //http only - char sni[MAX_DOAMIN_LEN]; //ssl only - }domain; - int domain_len; - //tfe_release = 1: tfe don't need pmeinfo - int tfe_release; - int sapp_release; - //kafka log - struct TLD_handle_t *tld_handle; - const struct streaminfo *stream; - int maat_result_num; - Maat_rule_t maat_result; - //from tfe, kafka log - uint64_t ssl_intercept_state; - uint64_t ssl_pinningst; //defalut 0 - uint64_t ssl_server_side_latency; - uint64_t ssl_client_side_latency; - char ssl_server_side_version[KNI_SYMBOL_MAX]; - char ssl_client_side_version[KNI_SYMBOL_MAX]; - int64_t ssl_cert_verify; - char ssl_error[KNI_STRING_MAX]; - - //for dup traffic detect - uint64_t has_dup_traffic; - int has_dup_syn; - int has_dup_syn_ack; - struct dup_traffic_dabloom_key *syn_packet; - struct dup_traffic_dabloom_key *syn_ack_packet; - struct _traffic_info traffic_info; - //for kni dynamic bypass - int thread_seq; - int is_dynamic_bypass; -}; - -struct wrapped_packet{ - char data[KNI_MTU]; -}; - -struct tcp_option_restore{ - uint8_t kind; - uint8_t len; - uint16_t offset; -}; - -struct tfe_enabled_node{ - int tfe_id; - struct mr_vdev *dev_eth_handler; - struct mr_sendpath *dev_eth_sendpath; -}; - -struct kni_marsio_handle{ - struct mr_instance *instance; - int tfe_enabled_node_count; - struct tfe_enabled_node tfe_enabled_nodes[TFE_COUNT_MAX]; -}; - -struct protocol_identify_result{ - int protocol; - char domain[MAX_DOAMIN_LEN]; - int domain_len; -}; - -struct thread_tfe_cmsg_receiver_args{ - void *logger; - char profile[KNI_SYMBOL_MAX]; -}; - - -struct per_thread_handle{ - MESA_htable_handle tuple2stream_htable; - MESA_htable_handle traceid2sslinfo_htable; - struct expiry_dablooms_handle *dabloom_handle; -}; - -struct tuple2stream_htable_value{ - struct streaminfo *stream; - struct pme_info *pmeinfo; - int route_dir; - int reversed; -}; - - -struct kni_handle{ - struct kni_marsio_handle *marsio_handle; - struct kni_tun_handle *tun_handle; - struct kni_maat_handle *maat_handle; - struct kni_send_logger *send_logger; - MESA_htable_handle traceid2pme_htable; - struct per_thread_handle *threads_handle; - void *local_logger; - struct tfe_mgr *_tfe_mgr; - int thread_count; - int dup_traffic_switch; - int dup_traffic_action; - enum kni_deploy_mode deploy_mode; - char src_mac_addr[6]; - char dst_mac_addr[6]; - int *arr_last_tfe_dispatch_index; - int secpolicyid_evenflow_self_check; - MESA_htable_handle sslinfo2bypass_htable; -}; - -struct traceid2pme_search_cb_args{ - struct kni_cmsg *cmsg; - void *logger; -}; - -struct dynamic_bypass_ssl_feature{ - char value[SSL_INFO_LEN]; - size_t vlen; -}; - static char* stream_errmsg_session_record(enum intercept_error _errno){ switch(_errno){ case INTERCEPT_ERROR_ASYM_ROUTING: @@ -529,6 +354,81 @@ static unsigned char* kni_cmsg_serialize_header_new(struct pme_info *pmeinfo, st ret = wrapped_kni_cmsg_set(cmsg, TFE_CMSG_STREAM_TRACE_ID, (const unsigned char*)trace_id, strnlen(pmeinfo->stream_traceid, sizeof(pmeinfo->stream_traceid)), pmeinfo); if(ret < 0) goto error_out; +/* + TFE_CMSG_DOWNSTREAM_TCP_MAXSEG = 0x40, //size int + TFE_CMSG_DOWNSTREAM_TCP_NODELAY = 0x41, //size int + TFE_CMSG_DOWNSTREAM_TCP_TTL = 0x42, //size int + TFE_CMSG_DOWNSTREAM_TCP_KEEPALIVE = 0x43, //size int + TFE_CMSG_DOWNSTREAM_TCP_KEEPCNT = 0x44, //size int + TFE_CMSG_DOWNSTREAM_TCP_KEEPIDLE = 0x45, //size int + TFE_CMSG_DOWNSTREAM_TCP_KEEPINTVL = 0x46, //size int + TFE_CMSG_DOWNSTREAM_TCP_USER_TIMEOUT = 0x47, //size int + + TFE_CMSG_UPSTREAM_TCP_MAXSEG = 0x50, //size int + TFE_CMSG_UPSTREAM_TCP_NODELAY = 0x51, //size int + TFE_CMSG_UPSTREAM_TCP_TTL = 0x52, //size int + TFE_CMSG_UPSTREAM_TCP_KEEPALIVE = 0x53, //size int + TFE_CMSG_UPSTREAM_TCP_KEEPCNT = 0x54, //size int + TFE_CMSG_UPSTREAM_TCP_KEEPIDLE = 0x55, //size int + TFE_CMSG_UPSTREAM_TCP_KEEPINTVL = 0x56, //size int + TFE_CMSG_UPSTREAM_TCP_USER_TIMEOUT = 0x57, //size int + + TFE_CMSG_TCP_PASSTHROUGH = 0x60, //size int +*/ + // proxy tcp option start + ret = wrapped_kni_cmsg_set(cmsg,TFE_CMSG_DOWNSTREAM_TCP_MAXSEG, (const unsigned char*)&(pmeinfo->pxy_tcp_option.client_tcp_maxseg), sizeof(int), pmeinfo); + if(ret < 0) goto error_out; + + ret = wrapped_kni_cmsg_set(cmsg,TFE_CMSG_DOWNSTREAM_TCP_NODELAY, (const unsigned char*)&(pmeinfo->pxy_tcp_option.client_tcp_nodelay), sizeof(int), pmeinfo); + if(ret < 0) goto error_out; + + ret = wrapped_kni_cmsg_set(cmsg,TFE_CMSG_DOWNSTREAM_TCP_TTL, (const unsigned char*)&(pmeinfo->pxy_tcp_option.client_tcp_ttl), sizeof(int), pmeinfo); + if(ret < 0) goto error_out; + + ret = wrapped_kni_cmsg_set(cmsg,TFE_CMSG_DOWNSTREAM_TCP_KEEPALIVE, (const unsigned char*)&(pmeinfo->pxy_tcp_option.client_tcp_keepalive_enable), sizeof(int), pmeinfo); + if(ret < 0) goto error_out; + + ret = wrapped_kni_cmsg_set(cmsg,TFE_CMSG_DOWNSTREAM_TCP_KEEPCNT, (const unsigned char*)&(pmeinfo->pxy_tcp_option.client_tcp_keepalive_keepcnt), sizeof(int), pmeinfo); + if(ret < 0) goto error_out; + + ret = wrapped_kni_cmsg_set(cmsg,TFE_CMSG_DOWNSTREAM_TCP_KEEPIDLE, (const unsigned char*)&(pmeinfo->pxy_tcp_option.client_tcp_keepalive_keepidle), sizeof(int), pmeinfo); + if(ret < 0) goto error_out; + + ret = wrapped_kni_cmsg_set(cmsg,TFE_CMSG_DOWNSTREAM_TCP_KEEPINTVL, (const unsigned char*)&(pmeinfo->pxy_tcp_option.client_tcp_keepalive_keepintvl), sizeof(int), pmeinfo); + if(ret < 0) goto error_out; + + ret = wrapped_kni_cmsg_set(cmsg,TFE_CMSG_DOWNSTREAM_TCP_USER_TIMEOUT, (const unsigned char*)&(pmeinfo->pxy_tcp_option.client_tcp_user_timeout), sizeof(int), pmeinfo); + if(ret < 0) goto error_out; + + ret = wrapped_kni_cmsg_set(cmsg,TFE_CMSG_UPSTREAM_TCP_MAXSEG, (const unsigned char*)&(pmeinfo->pxy_tcp_option.server_tcp_maxseg), sizeof(int), pmeinfo); + if(ret < 0) goto error_out; + + ret = wrapped_kni_cmsg_set(cmsg,TFE_CMSG_UPSTREAM_TCP_NODELAY, (const unsigned char*)&(pmeinfo->pxy_tcp_option.server_tcp_nodelay), sizeof(int), pmeinfo); + if(ret < 0) goto error_out; + + ret = wrapped_kni_cmsg_set(cmsg,TFE_CMSG_UPSTREAM_TCP_TTL, (const unsigned char*)&(pmeinfo->pxy_tcp_option.server_tcp_ttl), sizeof(int), pmeinfo); + if(ret < 0) goto error_out; + + ret = wrapped_kni_cmsg_set(cmsg,TFE_CMSG_UPSTREAM_TCP_KEEPALIVE, (const unsigned char*)&(pmeinfo->pxy_tcp_option.server_tcp_keepalive_enable), sizeof(int), pmeinfo); + if(ret < 0) goto error_out; + + ret = wrapped_kni_cmsg_set(cmsg,TFE_CMSG_UPSTREAM_TCP_KEEPCNT , (const unsigned char*)&(pmeinfo->pxy_tcp_option.server_tcp_keepalive_keepcnt), sizeof(int), pmeinfo); + if(ret < 0) goto error_out; + + ret = wrapped_kni_cmsg_set(cmsg,TFE_CMSG_UPSTREAM_TCP_KEEPIDLE, (const unsigned char*)&(pmeinfo->pxy_tcp_option.server_tcp_keepalive_keepidle), sizeof(int), pmeinfo); + if(ret < 0) goto error_out; + + ret = wrapped_kni_cmsg_set(cmsg,TFE_CMSG_UPSTREAM_TCP_KEEPINTVL, (const unsigned char*)&(pmeinfo->pxy_tcp_option.server_tcp_keepalive_keepintvl), sizeof(int), pmeinfo); + if(ret < 0) goto error_out; + + ret = wrapped_kni_cmsg_set(cmsg,TFE_CMSG_UPSTREAM_TCP_USER_TIMEOUT, (const unsigned char*)&(pmeinfo->pxy_tcp_option.server_tcp_user_timeout), sizeof(int), pmeinfo); + if(ret < 0) goto error_out; + + ret = wrapped_kni_cmsg_set(cmsg,TFE_CMSG_TCP_PASSTHROUGH, (const unsigned char*)&(pmeinfo->pxy_tcp_option.tcp_passthrough), sizeof(int), pmeinfo); + if(ret < 0) goto error_out; + // proxy tcp option end + + //src mac ret = get_rawpkt_opt_from_streaminfo(stream, RAW_PKT_GET_VXLAN_OUTER_GDEV_MAC, src_mac); if(ret < 0){ @@ -1305,6 +1205,12 @@ static int first_data_intercept(struct streaminfo *stream, struct pme_info *pmei } } + //Bypass Duplicated Packet + if(pmeinfo->has_dup_traffic == 1 && pmeinfo->pxy_tcp_option.bypass_duplicated_packet == 1) + { + KNI_LOG_DEBUG(g_kni_handle->local_logger, "Proxy tcp option: bypass Duplicated Packet first data, streamid = %d", pmeinfo->stream_traceid); + return APP_STATE_FAWPKT | APP_STATE_KILL_OTHER | APP_STATE_GIVEME; + } //dynamic bypass if(first_data_ssl_dynamic_bypass(stream, pmeinfo, pktinfo, thread_seq) == 0) { @@ -1447,6 +1353,9 @@ char next_data_intercept(struct pme_info *pmeinfo, const void *a_packet, struct if(g_kni_handle->dup_traffic_switch == 1){ if(pmeinfo->has_dup_traffic == 1){ //ret = 1, = dup packet, bypass the packet + if(pmeinfo->pxy_tcp_option.bypass_duplicated_packet == 1){ //Bypass Duplicated Packet + return APP_STATE_FAWPKT | APP_STATE_KILL_OTHER | APP_STATE_GIVEME; + } ret = dabloom_search(pktinfo, thread_seq); if(ret == 1){ return APP_STATE_FAWPKT | APP_STATE_KILL_OTHER | APP_STATE_GIVEME; @@ -1518,6 +1427,7 @@ char first_data_process(struct streaminfo *stream, struct pme_info *pmeinfo, str pmeinfo->ssl_intercept_state = 1; //only action = intercept, need sendlog pmeinfo->tld_handle = TLD_create(-1); + pxy_tcp_option_get_param(g_tsg_maat_feather,(const struct streaminfo *)stream,pmeinfo,logger); return first_data_intercept(stream, pmeinfo, pktinfo, thread_seq); default: //action != intercept,bypass and dropme @@ -2658,7 +2568,12 @@ extern "C" int kni_init(){ if(ret < 0){ KNI_LOG_ERROR(local_logger, "Fail get sec_policy_id for self_test, Now sec_policy_id = -1"); } - + //init proxy tcp option maat + ret = pxy_tcp_option_rule_init(profile, local_logger); + if(ret < 0){ + KNI_LOG_ERROR(local_logger, "Failed at init pxy_tcp_option_rule"); + goto error_out; + } //init tfe_mgr _tfe_mgr = tfe_mgr_init(tfe_node_count, profile, g_kni_handle->deploy_mode, local_logger); if(_tfe_mgr == NULL){ diff --git a/entry/src/kni_pxy_tcp_option.cpp b/entry/src/kni_pxy_tcp_option.cpp new file mode 100644 index 0000000..1621268 --- /dev/null +++ b/entry/src/kni_pxy_tcp_option.cpp @@ -0,0 +1,556 @@ +#include +#include "kni_pxy_tcp_option.h" +#include "kni_utils.h" + +extern struct kni_handle *g_kni_handle; + +int pxy_tcp_option_parse_json(const struct Maat_rule_t* rule, const char* srv_def_large,struct proxy_tcp_option *pxy_tcpop, void *logger) +{ + int ret = 0; + cJSON *json=NULL, *item=NULL, *client_side = NULL, *server_side = NULL, *client_side_keepalive = NULL, *server_side_keepalive = NULL; + json=cJSON_Parse(srv_def_large); + if(json==NULL) + { + KNI_LOG_ERROR(logger, "Data format error,please check it: id = %d", rule->config_id); + return 0; + } + do{ + client_side = cJSON_GetObjectItem(json, "client_side_conn_param"); + if(client_side == NULL) + { + KNI_LOG_ERROR(logger, "Failed to parse json data, json key = client_side_conn_param"); + break; + } + else + { + client_side_keepalive = cJSON_GetObjectItem(client_side, "keep_alive"); + if(client_side_keepalive == NULL) + { + KNI_LOG_ERROR(logger, "Failed to parse json data, json key = client_side_conn_param.keep_alive"); + break; + } + else + { + item=cJSON_GetObjectItem(client_side_keepalive,"enable"); + if(item && item->type==cJSON_Number) + { + pxy_tcpop->client_tcp_keepalive_enable = item->valueint; + } + else + { + KNI_LOG_ERROR(logger, "Failed to parse json data, json key = client_side_conn_param.keep_alive.enable"); + break; + } + + item=cJSON_GetObjectItem(client_side_keepalive,"tcp_keepcnt"); + if(item && item->type==cJSON_Number) + { + pxy_tcpop->client_tcp_keepalive_keepcnt = item->valueint; + } + else + { + KNI_LOG_ERROR(logger, "Failed to parse json data, json key = client_side_conn_param.keep_alive.tcp_keepcnt"); + break; + } + + item=cJSON_GetObjectItem(client_side_keepalive,"tcp_keepidle"); + if(item && item->type==cJSON_Number) + { + pxy_tcpop->client_tcp_keepalive_keepidle = item->valueint; + } + else + { + KNI_LOG_ERROR(logger, "Failed to parse json data, json key = client_side_conn_param.keep_alive.tcp_keepidle"); + break; + } + + item=cJSON_GetObjectItem(client_side_keepalive,"tcp_keepintvl"); + if(item && item->type==cJSON_Number) + { + pxy_tcpop->client_tcp_keepalive_keepintvl = item->valueint; + } + else + { + KNI_LOG_ERROR(logger, "Failed to parse json data, json key = client_side_conn_param.keep_alive.tcp_keepintvl"); + break; + } + } + + + item=cJSON_GetObjectItem(client_side,"tcp_maxseg"); + if(item && item->type==cJSON_Number) + { + pxy_tcpop->client_tcp_maxseg = item->valueint; + } + else + { + KNI_LOG_ERROR(logger, "Failed to parse json data, json key = client_side_conn_param.tcp_maxseg"); + break; + } + + item=cJSON_GetObjectItem(client_side,"nodelay"); + if(item && item->type==cJSON_Number) + { + pxy_tcpop->client_tcp_nodelay = item->valueint; + } + else + { + KNI_LOG_ERROR(logger, "Failed to parse json data, json key = client_side_conn_param.nodelay"); + break; + } + + item=cJSON_GetObjectItem(client_side,"ttl"); + if(item && item->type==cJSON_Number) + { + pxy_tcpop->client_tcp_ttl = item->valueint; + } + else + { + KNI_LOG_ERROR(logger, "Failed to parse json data, json key = client_side_conn_param.ttl"); + break; + } + + item=cJSON_GetObjectItem(client_side,"user_timeout"); + if(item && item->type==cJSON_Number) + { + pxy_tcpop->client_tcp_user_timeout = item->valueint; + } + else + { + KNI_LOG_ERROR(logger, "Failed to parse json data, json key = client_side_conn_param.user_timeout"); + break; + } + } + + server_side = cJSON_GetObjectItem(json, "server_side_conn_param"); + if(server_side == NULL) + { + KNI_LOG_ERROR(logger, "Failed to parse json data, json key = server_side_conn_param"); + break; + } + else + { + server_side_keepalive = cJSON_GetObjectItem(server_side, "keep_alive"); + if(server_side_keepalive == NULL) + { + KNI_LOG_ERROR(logger, "Failed to parse json data, json key = server_side_conn_param.keep_alive"); + break; + } + else + { + item=cJSON_GetObjectItem(server_side_keepalive,"enable"); + if(item && item->type==cJSON_Number) + { + pxy_tcpop->server_tcp_keepalive_enable = item->valueint; + } + else + { + KNI_LOG_ERROR(logger, "Failed to parse json data, json key = server_side_conn_param.keep_alive.enable"); + break; + } + + item=cJSON_GetObjectItem(server_side_keepalive,"tcp_keepcnt"); + if(item && item->type==cJSON_Number) + { + pxy_tcpop->server_tcp_keepalive_keepcnt = item->valueint; + } + else + { + KNI_LOG_ERROR(logger, "Failed to parse json data, json key = server_side_conn_param.keep_alive.tcp_keepcnt"); + break; + } + + item=cJSON_GetObjectItem(server_side_keepalive,"tcp_keepidle"); + if(item && item->type==cJSON_Number) + { + pxy_tcpop->server_tcp_keepalive_keepidle = item->valueint; + } + else + { + KNI_LOG_ERROR(logger, "Failed to parse json data, json key = server_side_conn_param.keep_alive.tcp_keepidle"); + break; + } + + item=cJSON_GetObjectItem(server_side_keepalive,"tcp_keepintvl"); + if(item && item->type==cJSON_Number) + { + pxy_tcpop->server_tcp_keepalive_keepintvl = item->valueint; + } + else + { + KNI_LOG_ERROR(logger, "Failed to parse json data, json key = server_side_conn_param.keep_alive.tcp_keepintvl"); + break; + } + } + + + item=cJSON_GetObjectItem(server_side,"tcp_maxseg"); + if(item && item->type==cJSON_Number) + { + pxy_tcpop->server_tcp_maxseg = item->valueint; + } + else + { + KNI_LOG_ERROR(logger, "Failed to parse json data, json key = server_side_conn_param.tcp_maxseg"); + break; + } + + item=cJSON_GetObjectItem(server_side,"nodelay"); + if(item && item->type==cJSON_Number) + { + pxy_tcpop->server_tcp_nodelay = item->valueint; + } + else + { + KNI_LOG_ERROR(logger, "Failed to parse json data, json key = server_side_conn_param.nodelay"); + break; + } + + item=cJSON_GetObjectItem(server_side,"ttl"); + if(item && item->type==cJSON_Number) + { + pxy_tcpop->server_tcp_ttl = item->valueint; + } + else + { + KNI_LOG_ERROR(logger, "Failed to parse json data, json key = server_side_conn_param.ttl"); + break; + } + + item=cJSON_GetObjectItem(server_side,"user_timeout"); + if(item && item->type==cJSON_Number) + { + pxy_tcpop->server_tcp_user_timeout = item->valueint; + } + else + { + KNI_LOG_ERROR(logger, "Failed to parse json data, json key = server_side_conn_param.user_timeout"); + break; + } + } + + item = cJSON_GetObjectItem(json, "bypass_duplicated_packet"); + if(item && item->type==cJSON_Number) + { + pxy_tcpop->bypass_duplicated_packet = item->valueint; + } + else + { + KNI_LOG_ERROR(logger, "Failed to parse json data, json key = bypass_duplicated_packet"); + break; + } + + item = cJSON_GetObjectItem(json, "tcp_passthrough"); + if(item && item->type==cJSON_Number) + { + pxy_tcpop->tcp_passthrough = item->valueint; + } + else + { + KNI_LOG_ERROR(logger, "Failed to parse json data, json key = tcp_passthrough"); + break; + } + ret = 1; + } while(0); + cJSON_Delete(json); + return ret; +} + +void pxy_tcp_option_default_param_new(int idx, const struct Maat_rule_t* rule, const char* srv_def_large,MAAT_RULE_EX_DATA* ad, long argl, void *argp) +{ + void *logger = argp; + struct proxy_tcp_option pxy_tcp_option; + int ret = 0; + + if( rule->service_id == 0) + return; + + if((unsigned int)rule->serv_def_lenpxy_tcp_option, (const void *)&pxy_tcp_option, sizeof(pxy_tcp_option)); + KNI_LOG_INFO(logger, "Proxy tcp option default Policy: " + "{client_side_conn_param:{tcp_maxseg:%d,nodelay=%d,keep_alive:" + "{enable:%d,tcp_keepcnt:%d,tcp_keepidle:%d,tcp_keepintvl:%d}ttl:%d,user_timeout:%d}," + "server_side_conn_param:{tcp_maxseg:%d,nodelay=%d,keep_alive:" + "{enable:%d,tcp_keepcnt:%d,tcp_keepidle:%d,tcp_keepintvl:%d}ttl:%d,user_timeout:%d}," + "bypass_duplicated_packet:%d,tcp_passthrough:%d}", + pxy_tcp_option.client_tcp_maxseg, pxy_tcp_option.client_tcp_nodelay, + pxy_tcp_option.client_tcp_keepalive_enable, pxy_tcp_option.client_tcp_keepalive_keepcnt, + pxy_tcp_option.client_tcp_keepalive_keepidle, pxy_tcp_option.client_tcp_keepalive_keepintvl, + pxy_tcp_option.client_tcp_ttl, pxy_tcp_option.client_tcp_user_timeout, + pxy_tcp_option.server_tcp_maxseg, pxy_tcp_option.server_tcp_nodelay, + pxy_tcp_option.server_tcp_keepalive_enable, pxy_tcp_option.server_tcp_keepalive_keepcnt, + pxy_tcp_option.server_tcp_keepalive_keepidle, pxy_tcp_option.server_tcp_keepalive_keepintvl, + pxy_tcp_option.server_tcp_ttl, pxy_tcp_option.server_tcp_user_timeout, + pxy_tcp_option.bypass_duplicated_packet, pxy_tcp_option.tcp_passthrough); + } + else{ + KNI_LOG_ERROR(logger, "Fail to get proxy tcp option default policy, Error: json data parse fail"); + } + return; +} + +void pxy_tcp_option_default_param_free_cb(int table_id, const struct Maat_rule_t* rule, const char* srv_def_large, MAAT_RULE_EX_DATA* ad, long argl, void *argp) +{ + void *logger = argp; + if( rule->service_id == 1) + { + KNI_LOG_ERROR(logger, "Call pxy_tcp_option_default_param_free_cb when the default proxy tcp policy change or add"); + } + return; +} + +void pxy_tcp_option_default_param_dup(int idx, MAAT_RULE_EX_DATA *to, MAAT_RULE_EX_DATA *from, long argl, void *argp) +{ + void *logger = argp; + + KNI_LOG_ERROR(logger, "Call pxy_tcp_option_default_param_dup when the default proxy tcp policy change or add"); + + return; +} + +int pxy_tcp_option_rule_init(const char* conffile, void *logger) +{ + int i=0; + MESA_load_profile_string_def(conffile, "proxy_tcp_option", "maat_table_compile", g_kni_handle->table_name[TABLE_COMPILE], _MAX_TABLE_NAME_LEN, "PXY_TCP_OPTION_COMPILE"); + MESA_load_profile_string_def(conffile, "proxy_tcp_option", "maat_table_addr", g_kni_handle->table_name[TABLE_IP_ADDR], _MAX_TABLE_NAME_LEN, "PXY_TCP_OPTION_COMPILE"); + MESA_load_profile_string_def(conffile, "proxy_tcp_option", "maat_table_sni", g_kni_handle->table_name[TABLE_SSL_SNI], _MAX_TABLE_NAME_LEN, "PXY_TCP_OPTION_COMPILE"); + + for(i=0; itable_id[i]=Maat_table_register(g_tsg_maat_feather, g_kni_handle->table_name[i]); + if(g_kni_handle->table_id[i]<0) + { + KNI_LOG_ERROR(logger, "Maat_table_register %s failed, Please check etc/kni/kni.conf", g_kni_handle->table_name[i]); + return -1; + } + } + + g_kni_handle->table_id[TABLE_COMPILE] = Maat_rule_get_ex_new_index(g_tsg_maat_feather, + g_kni_handle->table_name[TABLE_COMPILE], + pxy_tcp_option_default_param_new, + pxy_tcp_option_default_param_free_cb, + pxy_tcp_option_default_param_dup, + 0, logger); + if(g_kni_handle->table_id[TABLE_COMPILE] < 0) + { + KNI_LOG_ERROR(logger, "Maat_rule_get_ex_new_index %s failed, Please check etc/kni/kni.conf", g_kni_handle->table_id[TABLE_COMPILE]); + return -1; + } + return 0; +} + + +static int pxy_tcp_option_scan_addr(Maat_feather_t maat_feather,const struct streaminfo *a_stream, Maat_rule_t *result, int result_num,scan_status_t *mid,struct pme_info *pmeinfo, void *logger) +{ + struct ipaddr t_addr; + struct ipaddr* p_addr=NULL; + int hit_num=0; + int is_scan_addr=1, maat_ret=0; + const struct streaminfo *cur_stream = a_stream; + + if(a_stream==NULL || maat_feather==NULL || result_num <=0 || result == NULL) + { + KNI_LOG_ERROR(logger,"SCAN_ADDR a_stream==NULL || maat_feather==NULL || result_num <= 0 || result == NULL ,streamid=%d ", pmeinfo->stream_traceid); + return 0; + } + + do + { + if(cur_stream->addr.addrtype == __ADDR_TYPE_IP_PAIR_V4 || cur_stream->addr.addrtype == ADDR_TYPE_IPV4 || cur_stream->addr.addrtype == __ADDR_TYPE_IP_PAIR_V6 || cur_stream->addr.addrtype == ADDR_TYPE_IPV6) + { + is_scan_addr = 1; + if(cur_stream->addr.addrtype == __ADDR_TYPE_IP_PAIR_V4 || cur_stream->addr.addrtype == __ADDR_TYPE_IP_PAIR_V6) + { + memcpy(&t_addr, &cur_stream->addr, sizeof(t_addr)); + if(cur_stream->addr.addrtype == __ADDR_TYPE_IP_PAIR_V4) + t_addr.addrtype = ADDR_TYPE_IPV4; + else + t_addr.addrtype = ADDR_TYPE_IPV6; + p_addr = &t_addr; + } + else + { + p_addr = (struct ipaddr *)&cur_stream->addr; + } + } + else + { + is_scan_addr = 0; + p_addr = NULL; + } + + if(is_scan_addr==1 && p_addr!=NULL) + { + + maat_ret=Maat_scan_addr(maat_feather, + g_kni_handle->table_id[TABLE_IP_ADDR], + p_addr, + result+hit_num, + result_num-hit_num, + mid, + cur_stream->threadnum); + + if(maat_ret > 0) + { + KNI_LOG_DEBUG(logger,"SCAN_IP,Hit streamid: %d",pmeinfo->stream_traceid); + hit_num+=maat_ret; + } + else + { + KNI_LOG_DEBUG(logger,"SCAN_IP,Not hit streamid: %d,scan ret: %d", + pmeinfo->stream_traceid, + maat_ret); + } + } + + cur_stream = cur_stream->pfather; + + }while(cur_stream != NULL && hit_num < result_num); + + return hit_num; +} + +static int pxy_tcp_option_scan_domain(Maat_feather_t maat_feather, Maat_rule_t *result, int result_num,scan_status_t *mid, struct pme_info *pmeinfo, void *logger) +{ + int hit_num = 0, maat_ret = 0; + if(pmeinfo->protocol != PROTO_HTTP || pmeinfo->protocol != PROTO_SSL) + return hit_num; + if(hit_num < result_num) + { + maat_ret = Maat_full_scan_string(maat_feather, + g_kni_handle->table_id[TABLE_SSL_SNI], + CHARSET_UTF8, + (const char *)&pmeinfo->domain, + pmeinfo->domain_len, + result, + NULL, + result_num - hit_num, + mid, + pmeinfo->thread_seq); + if(maat_ret > 0) + { + KNI_LOG_DEBUG(logger,"SCAN_DOMAIN,Hit streamid: %d, domain: %s", + pmeinfo->stream_traceid, + pmeinfo->domain); + hit_num += maat_ret; + } + else + { + KNI_LOG_DEBUG(logger,"SCAN_DOMAIN,Not hit stream_traceid: %d ,domain :%s scan ret: %d", + pmeinfo->stream_traceid, + pmeinfo->domain, + maat_ret); + } + + } + return hit_num; +} + +static struct Maat_rule_t *pxy_tcp_option_decision_criteria(Maat_rule_t *result, int result_num) +{ + int i=0; + Maat_rule_t *p_result=NULL; + + if(result==NULL || result_num <= 0) + { + return NULL; + } + for(i = 0; i < result_num; i ++) + { + if(p_result==NULL) + { + p_result=&result[i]; + continue; + } + + if( result[i].config_id > p_result->config_id ) + { + p_result = &result[i]; + } + } + return p_result; +} + +int pxy_tcp_option_get_param(Maat_feather_t maat_feather,const struct streaminfo *a_stream,struct pme_info *pmeinfo, void *logger) +{ + int scan_ret = 0, hit_num = 0, is_not_default = 0, ret = 0; + scan_status_t mid=NULL; + Maat_rule_t *p_result=NULL; + Maat_rule_t all_result[MAX_RESULT_NUM]; + struct proxy_tcp_option *pxy_tcpop = &pmeinfo->pxy_tcp_option; + char *tmp_buff=NULL; + scan_ret = pxy_tcp_option_scan_addr(maat_feather,a_stream, all_result + hit_num, MAX_RESULT_NUM - hit_num, &mid, pmeinfo, logger); + if(scan_ret > 0) + { + hit_num += scan_ret; + } + scan_ret = pxy_tcp_option_scan_domain(maat_feather, all_result + hit_num, MAX_RESULT_NUM - hit_num,&mid,pmeinfo,logger); + if(scan_ret > 0) + { + hit_num += scan_ret; + } + p_result = pxy_tcp_option_decision_criteria(all_result, hit_num); + do { + if(p_result == NULL) + { + KNI_LOG_DEBUG(logger,"Scan not hit, Proxy tcp option using default param, streamid = %d", pmeinfo->stream_traceid); + break; + } + KNI_LOG_DEBUG(logger,"Scan hit, hit_num = %d, streamid = %d", hit_num, pmeinfo->stream_traceid); + + tmp_buff=(char *)calloc(1, p_result->serv_def_len+1); + + Maat_read_rule(g_tsg_maat_feather, p_result, MAAT_RULE_SERV_DEFINE, tmp_buff, p_result->serv_def_len); + if( strlen(tmp_buff) < strlen("{}") + 1) + { + KNI_LOG_DEBUG(logger, "Scan hit, Get extra data error: No json data or data is null,streamid = %d", pmeinfo->stream_traceid); + break; + } + ret = pxy_tcp_option_parse_json((const struct Maat_rule_t*)p_result, (const char*)tmp_buff, pxy_tcpop, logger); + if(ret != 1) + { + KNI_LOG_DEBUG(logger,"Scan hit, json parse error,Proxy tcp option using default param,streamid = %d", pmeinfo->stream_traceid); + break; + } + is_not_default = 1; + free(tmp_buff); + tmp_buff = NULL; + } while(0); + + if(is_not_default != 1) + { + memcpy((void *)pxy_tcpop, (const void *)&g_kni_handle->pxy_tcp_option, sizeof(g_kni_handle->pxy_tcp_option)); + } + KNI_LOG_DEBUG(logger, "Proxy tcp option, streamid: %d,param: " + "{client_side_conn_param:{tcp_maxseg:%d,nodelay=%d,keep_alive:" + "{enable:%d,tcp_keepcnt:%d,tcp_keepidle:%d,tcp_keepintvl:%d}ttl:%d,user_timeout:%d}," + "server_side_conn_param:{tcp_maxseg:%d,nodelay=%d,keep_alive:" + "{enable:%d,tcp_keepcnt:%d,tcp_keepidle:%d,tcp_keepintvl:%d}ttl:%d,user_timeout:%d}," + "bypass_duplicated_packet:%d,tcp_passthrough:%d}", + pmeinfo->stream_traceid, + pxy_tcpop->client_tcp_maxseg, pxy_tcpop->client_tcp_nodelay, + pxy_tcpop->client_tcp_keepalive_enable, pxy_tcpop->client_tcp_keepalive_keepcnt, + pxy_tcpop->client_tcp_keepalive_keepidle, pxy_tcpop->client_tcp_keepalive_keepintvl, + pxy_tcpop->client_tcp_ttl, pxy_tcpop->client_tcp_user_timeout, + pxy_tcpop->server_tcp_maxseg, pxy_tcpop->server_tcp_nodelay, + pxy_tcpop->server_tcp_keepalive_enable, pxy_tcpop->server_tcp_keepalive_keepcnt, + pxy_tcpop->server_tcp_keepalive_keepidle, pxy_tcpop->server_tcp_keepalive_keepintvl, + pxy_tcpop->server_tcp_ttl, pxy_tcpop->server_tcp_user_timeout, + pxy_tcpop->bypass_duplicated_packet, pxy_tcpop->tcp_passthrough); + + if(mid!=NULL) + { + Maat_clean_status(&mid); + mid=NULL; + } + return ret; +}