1、增加proxy tcp option 功能 2、 将kni_entry.cpp 拆分出来 kni_entry.h
This commit is contained in:
fumingwei
@@ -31,189 +31,14 @@ extern "C" {
|
||||
#include "kni_tun.h"
|
||||
#include "tsg/tsg_statistic.h"
|
||||
#include <MESA/stream_inc/stream_control.h>
|
||||
#include "kni_entry.h"
|
||||
#include "kni_pxy_tcp_option.h"
|
||||
|
||||
struct kni_handle *g_kni_handle = NULL;
|
||||
struct kni_field_stat_handle *g_kni_fs_handle = NULL;
|
||||
int *arr_last_tfe_dispatch_index = NULL;
|
||||
|
||||
|
||||
|
||||
#define BURST_MAX 1
|
||||
#define CALLER_SAPP 0
|
||||
#define CALLER_TFE 1
|
||||
|
||||
#define SSL_INFO_LEN 2048
|
||||
|
||||
enum intercept_error{
|
||||
INTERCEPT_ERROR_ASYM_ROUTING = -1,
|
||||
INTERCEPT_ERROR_NO_SYN = -2,
|
||||
INTERCEPT_ERROR_NO_SYN_ACK = -3,
|
||||
INTERCEPT_ERROR_INVALID_IP_HDR = -4,
|
||||
INTERCEPT_ERROR_EXCEED_MTU = -5,
|
||||
//internal
|
||||
INTERCEPT_ERROR_SENDTO_TFE_FAIL = -6,
|
||||
INTERCEPT_ERROR_TUPLE2STM_ADD_FAIL = -7,
|
||||
INTERCEPT_ERROR_NO_TFE = -8,
|
||||
INTERCEPT_ERROR_DUP_TRAFFIC = -9,
|
||||
INTERCEPT_ERROR_CMSG_ADD_FAIL = -10,
|
||||
};
|
||||
|
||||
/* action
|
||||
0x00: none
|
||||
0x02: intercept
|
||||
0x80: bypass
|
||||
*/
|
||||
enum kni_action{
|
||||
KNI_ACTION_NONE = 0x00,
|
||||
KNI_ACTION_INTERCEPT = 0x02,
|
||||
KNI_ACTION_BYPASS = 0x80
|
||||
};
|
||||
|
||||
|
||||
//memset 0
|
||||
struct dup_traffic_dabloom_key{
|
||||
union{
|
||||
struct stream_tuple4_v4 v4;
|
||||
struct stream_tuple4_v6 v6;
|
||||
}addr;
|
||||
uint16_t ipid;
|
||||
uint32_t seq;
|
||||
uint32_t ack_seq;
|
||||
uint32_t timestamp;
|
||||
};
|
||||
|
||||
struct pme_info{
|
||||
addr_type_t addr_type;
|
||||
char stream_addr[KNI_ADDR_MAX];
|
||||
int do_log;
|
||||
int policy_id;
|
||||
tsg_protocol_t protocol;
|
||||
enum kni_action action;
|
||||
int service;
|
||||
struct kni_tcpopt_info client_tcpopt;
|
||||
struct kni_tcpopt_info server_tcpopt;
|
||||
char has_syn;
|
||||
char has_syn_ack;
|
||||
uint16_t client_window;
|
||||
uint16_t server_window;
|
||||
int tfe_id;
|
||||
pthread_mutex_t lock;
|
||||
enum intercept_error intcp_error;
|
||||
char stream_traceid[24];
|
||||
//cjson check protocol
|
||||
union{
|
||||
char host[MAX_DOAMIN_LEN]; //http only
|
||||
char sni[MAX_DOAMIN_LEN]; //ssl only
|
||||
}domain;
|
||||
int domain_len;
|
||||
//tfe_release = 1: tfe don't need pmeinfo
|
||||
int tfe_release;
|
||||
int sapp_release;
|
||||
//kafka log
|
||||
struct TLD_handle_t *tld_handle;
|
||||
const struct streaminfo *stream;
|
||||
int maat_result_num;
|
||||
Maat_rule_t maat_result;
|
||||
//from tfe, kafka log
|
||||
uint64_t ssl_intercept_state;
|
||||
uint64_t ssl_pinningst; //defalut 0
|
||||
uint64_t ssl_server_side_latency;
|
||||
uint64_t ssl_client_side_latency;
|
||||
char ssl_server_side_version[KNI_SYMBOL_MAX];
|
||||
char ssl_client_side_version[KNI_SYMBOL_MAX];
|
||||
int64_t ssl_cert_verify;
|
||||
char ssl_error[KNI_STRING_MAX];
|
||||
|
||||
//for dup traffic detect
|
||||
uint64_t has_dup_traffic;
|
||||
int has_dup_syn;
|
||||
int has_dup_syn_ack;
|
||||
struct dup_traffic_dabloom_key *syn_packet;
|
||||
struct dup_traffic_dabloom_key *syn_ack_packet;
|
||||
struct _traffic_info traffic_info;
|
||||
//for kni dynamic bypass
|
||||
int thread_seq;
|
||||
int is_dynamic_bypass;
|
||||
};
|
||||
|
||||
struct wrapped_packet{
|
||||
char data[KNI_MTU];
|
||||
};
|
||||
|
||||
struct tcp_option_restore{
|
||||
uint8_t kind;
|
||||
uint8_t len;
|
||||
uint16_t offset;
|
||||
};
|
||||
|
||||
struct tfe_enabled_node{
|
||||
int tfe_id;
|
||||
struct mr_vdev *dev_eth_handler;
|
||||
struct mr_sendpath *dev_eth_sendpath;
|
||||
};
|
||||
|
||||
struct kni_marsio_handle{
|
||||
struct mr_instance *instance;
|
||||
int tfe_enabled_node_count;
|
||||
struct tfe_enabled_node tfe_enabled_nodes[TFE_COUNT_MAX];
|
||||
};
|
||||
|
||||
struct protocol_identify_result{
|
||||
int protocol;
|
||||
char domain[MAX_DOAMIN_LEN];
|
||||
int domain_len;
|
||||
};
|
||||
|
||||
struct thread_tfe_cmsg_receiver_args{
|
||||
void *logger;
|
||||
char profile[KNI_SYMBOL_MAX];
|
||||
};
|
||||
|
||||
|
||||
struct per_thread_handle{
|
||||
MESA_htable_handle tuple2stream_htable;
|
||||
MESA_htable_handle traceid2sslinfo_htable;
|
||||
struct expiry_dablooms_handle *dabloom_handle;
|
||||
};
|
||||
|
||||
struct tuple2stream_htable_value{
|
||||
struct streaminfo *stream;
|
||||
struct pme_info *pmeinfo;
|
||||
int route_dir;
|
||||
int reversed;
|
||||
};
|
||||
|
||||
|
||||
struct kni_handle{
|
||||
struct kni_marsio_handle *marsio_handle;
|
||||
struct kni_tun_handle *tun_handle;
|
||||
struct kni_maat_handle *maat_handle;
|
||||
struct kni_send_logger *send_logger;
|
||||
MESA_htable_handle traceid2pme_htable;
|
||||
struct per_thread_handle *threads_handle;
|
||||
void *local_logger;
|
||||
struct tfe_mgr *_tfe_mgr;
|
||||
int thread_count;
|
||||
int dup_traffic_switch;
|
||||
int dup_traffic_action;
|
||||
enum kni_deploy_mode deploy_mode;
|
||||
char src_mac_addr[6];
|
||||
char dst_mac_addr[6];
|
||||
int *arr_last_tfe_dispatch_index;
|
||||
int secpolicyid_evenflow_self_check;
|
||||
MESA_htable_handle sslinfo2bypass_htable;
|
||||
};
|
||||
|
||||
struct traceid2pme_search_cb_args{
|
||||
struct kni_cmsg *cmsg;
|
||||
void *logger;
|
||||
};
|
||||
|
||||
struct dynamic_bypass_ssl_feature{
|
||||
char value[SSL_INFO_LEN];
|
||||
size_t vlen;
|
||||
};
|
||||
|
||||
static char* stream_errmsg_session_record(enum intercept_error _errno){
|
||||
switch(_errno){
|
||||
case INTERCEPT_ERROR_ASYM_ROUTING:
|
||||
@@ -529,6 +354,81 @@ static unsigned char* kni_cmsg_serialize_header_new(struct pme_info *pmeinfo, st
|
||||
ret = wrapped_kni_cmsg_set(cmsg, TFE_CMSG_STREAM_TRACE_ID, (const unsigned char*)trace_id,
|
||||
strnlen(pmeinfo->stream_traceid, sizeof(pmeinfo->stream_traceid)), pmeinfo);
|
||||
if(ret < 0) goto error_out;
|
||||
/*
|
||||
TFE_CMSG_DOWNSTREAM_TCP_MAXSEG = 0x40, //size int
|
||||
TFE_CMSG_DOWNSTREAM_TCP_NODELAY = 0x41, //size int
|
||||
TFE_CMSG_DOWNSTREAM_TCP_TTL = 0x42, //size int
|
||||
TFE_CMSG_DOWNSTREAM_TCP_KEEPALIVE = 0x43, //size int
|
||||
TFE_CMSG_DOWNSTREAM_TCP_KEEPCNT = 0x44, //size int
|
||||
TFE_CMSG_DOWNSTREAM_TCP_KEEPIDLE = 0x45, //size int
|
||||
TFE_CMSG_DOWNSTREAM_TCP_KEEPINTVL = 0x46, //size int
|
||||
TFE_CMSG_DOWNSTREAM_TCP_USER_TIMEOUT = 0x47, //size int
|
||||
|
||||
TFE_CMSG_UPSTREAM_TCP_MAXSEG = 0x50, //size int
|
||||
TFE_CMSG_UPSTREAM_TCP_NODELAY = 0x51, //size int
|
||||
TFE_CMSG_UPSTREAM_TCP_TTL = 0x52, //size int
|
||||
TFE_CMSG_UPSTREAM_TCP_KEEPALIVE = 0x53, //size int
|
||||
TFE_CMSG_UPSTREAM_TCP_KEEPCNT = 0x54, //size int
|
||||
TFE_CMSG_UPSTREAM_TCP_KEEPIDLE = 0x55, //size int
|
||||
TFE_CMSG_UPSTREAM_TCP_KEEPINTVL = 0x56, //size int
|
||||
TFE_CMSG_UPSTREAM_TCP_USER_TIMEOUT = 0x57, //size int
|
||||
|
||||
TFE_CMSG_TCP_PASSTHROUGH = 0x60, //size int
|
||||
*/
|
||||
// proxy tcp option start
|
||||
ret = wrapped_kni_cmsg_set(cmsg,TFE_CMSG_DOWNSTREAM_TCP_MAXSEG, (const unsigned char*)&(pmeinfo->pxy_tcp_option.client_tcp_maxseg), sizeof(int), pmeinfo);
|
||||
if(ret < 0) goto error_out;
|
||||
|
||||
ret = wrapped_kni_cmsg_set(cmsg,TFE_CMSG_DOWNSTREAM_TCP_NODELAY, (const unsigned char*)&(pmeinfo->pxy_tcp_option.client_tcp_nodelay), sizeof(int), pmeinfo);
|
||||
if(ret < 0) goto error_out;
|
||||
|
||||
ret = wrapped_kni_cmsg_set(cmsg,TFE_CMSG_DOWNSTREAM_TCP_TTL, (const unsigned char*)&(pmeinfo->pxy_tcp_option.client_tcp_ttl), sizeof(int), pmeinfo);
|
||||
if(ret < 0) goto error_out;
|
||||
|
||||
ret = wrapped_kni_cmsg_set(cmsg,TFE_CMSG_DOWNSTREAM_TCP_KEEPALIVE, (const unsigned char*)&(pmeinfo->pxy_tcp_option.client_tcp_keepalive_enable), sizeof(int), pmeinfo);
|
||||
if(ret < 0) goto error_out;
|
||||
|
||||
ret = wrapped_kni_cmsg_set(cmsg,TFE_CMSG_DOWNSTREAM_TCP_KEEPCNT, (const unsigned char*)&(pmeinfo->pxy_tcp_option.client_tcp_keepalive_keepcnt), sizeof(int), pmeinfo);
|
||||
if(ret < 0) goto error_out;
|
||||
|
||||
ret = wrapped_kni_cmsg_set(cmsg,TFE_CMSG_DOWNSTREAM_TCP_KEEPIDLE, (const unsigned char*)&(pmeinfo->pxy_tcp_option.client_tcp_keepalive_keepidle), sizeof(int), pmeinfo);
|
||||
if(ret < 0) goto error_out;
|
||||
|
||||
ret = wrapped_kni_cmsg_set(cmsg,TFE_CMSG_DOWNSTREAM_TCP_KEEPINTVL, (const unsigned char*)&(pmeinfo->pxy_tcp_option.client_tcp_keepalive_keepintvl), sizeof(int), pmeinfo);
|
||||
if(ret < 0) goto error_out;
|
||||
|
||||
ret = wrapped_kni_cmsg_set(cmsg,TFE_CMSG_DOWNSTREAM_TCP_USER_TIMEOUT, (const unsigned char*)&(pmeinfo->pxy_tcp_option.client_tcp_user_timeout), sizeof(int), pmeinfo);
|
||||
if(ret < 0) goto error_out;
|
||||
|
||||
ret = wrapped_kni_cmsg_set(cmsg,TFE_CMSG_UPSTREAM_TCP_MAXSEG, (const unsigned char*)&(pmeinfo->pxy_tcp_option.server_tcp_maxseg), sizeof(int), pmeinfo);
|
||||
if(ret < 0) goto error_out;
|
||||
|
||||
ret = wrapped_kni_cmsg_set(cmsg,TFE_CMSG_UPSTREAM_TCP_NODELAY, (const unsigned char*)&(pmeinfo->pxy_tcp_option.server_tcp_nodelay), sizeof(int), pmeinfo);
|
||||
if(ret < 0) goto error_out;
|
||||
|
||||
ret = wrapped_kni_cmsg_set(cmsg,TFE_CMSG_UPSTREAM_TCP_TTL, (const unsigned char*)&(pmeinfo->pxy_tcp_option.server_tcp_ttl), sizeof(int), pmeinfo);
|
||||
if(ret < 0) goto error_out;
|
||||
|
||||
ret = wrapped_kni_cmsg_set(cmsg,TFE_CMSG_UPSTREAM_TCP_KEEPALIVE, (const unsigned char*)&(pmeinfo->pxy_tcp_option.server_tcp_keepalive_enable), sizeof(int), pmeinfo);
|
||||
if(ret < 0) goto error_out;
|
||||
|
||||
ret = wrapped_kni_cmsg_set(cmsg,TFE_CMSG_UPSTREAM_TCP_KEEPCNT , (const unsigned char*)&(pmeinfo->pxy_tcp_option.server_tcp_keepalive_keepcnt), sizeof(int), pmeinfo);
|
||||
if(ret < 0) goto error_out;
|
||||
|
||||
ret = wrapped_kni_cmsg_set(cmsg,TFE_CMSG_UPSTREAM_TCP_KEEPIDLE, (const unsigned char*)&(pmeinfo->pxy_tcp_option.server_tcp_keepalive_keepidle), sizeof(int), pmeinfo);
|
||||
if(ret < 0) goto error_out;
|
||||
|
||||
ret = wrapped_kni_cmsg_set(cmsg,TFE_CMSG_UPSTREAM_TCP_KEEPINTVL, (const unsigned char*)&(pmeinfo->pxy_tcp_option.server_tcp_keepalive_keepintvl), sizeof(int), pmeinfo);
|
||||
if(ret < 0) goto error_out;
|
||||
|
||||
ret = wrapped_kni_cmsg_set(cmsg,TFE_CMSG_UPSTREAM_TCP_USER_TIMEOUT, (const unsigned char*)&(pmeinfo->pxy_tcp_option.server_tcp_user_timeout), sizeof(int), pmeinfo);
|
||||
if(ret < 0) goto error_out;
|
||||
|
||||
ret = wrapped_kni_cmsg_set(cmsg,TFE_CMSG_TCP_PASSTHROUGH, (const unsigned char*)&(pmeinfo->pxy_tcp_option.tcp_passthrough), sizeof(int), pmeinfo);
|
||||
if(ret < 0) goto error_out;
|
||||
// proxy tcp option end
|
||||
|
||||
|
||||
//src mac
|
||||
ret = get_rawpkt_opt_from_streaminfo(stream, RAW_PKT_GET_VXLAN_OUTER_GDEV_MAC, src_mac);
|
||||
if(ret < 0){
|
||||
@@ -1305,6 +1205,12 @@ static int first_data_intercept(struct streaminfo *stream, struct pme_info *pmei
|
||||
}
|
||||
}
|
||||
|
||||
//Bypass Duplicated Packet
|
||||
if(pmeinfo->has_dup_traffic == 1 && pmeinfo->pxy_tcp_option.bypass_duplicated_packet == 1)
|
||||
{
|
||||
KNI_LOG_DEBUG(g_kni_handle->local_logger, "Proxy tcp option: bypass Duplicated Packet first data, streamid = %d", pmeinfo->stream_traceid);
|
||||
return APP_STATE_FAWPKT | APP_STATE_KILL_OTHER | APP_STATE_GIVEME;
|
||||
}
|
||||
//dynamic bypass
|
||||
if(first_data_ssl_dynamic_bypass(stream, pmeinfo, pktinfo, thread_seq) == 0)
|
||||
{
|
||||
@@ -1447,6 +1353,9 @@ char next_data_intercept(struct pme_info *pmeinfo, const void *a_packet, struct
|
||||
if(g_kni_handle->dup_traffic_switch == 1){
|
||||
if(pmeinfo->has_dup_traffic == 1){
|
||||
//ret = 1, = dup packet, bypass the packet
|
||||
if(pmeinfo->pxy_tcp_option.bypass_duplicated_packet == 1){ //Bypass Duplicated Packet
|
||||
return APP_STATE_FAWPKT | APP_STATE_KILL_OTHER | APP_STATE_GIVEME;
|
||||
}
|
||||
ret = dabloom_search(pktinfo, thread_seq);
|
||||
if(ret == 1){
|
||||
return APP_STATE_FAWPKT | APP_STATE_KILL_OTHER | APP_STATE_GIVEME;
|
||||
@@ -1518,6 +1427,7 @@ char first_data_process(struct streaminfo *stream, struct pme_info *pmeinfo, str
|
||||
pmeinfo->ssl_intercept_state = 1;
|
||||
//only action = intercept, need sendlog
|
||||
pmeinfo->tld_handle = TLD_create(-1);
|
||||
pxy_tcp_option_get_param(g_tsg_maat_feather,(const struct streaminfo *)stream,pmeinfo,logger);
|
||||
return first_data_intercept(stream, pmeinfo, pktinfo, thread_seq);
|
||||
default:
|
||||
//action != intercept,bypass and dropme
|
||||
@@ -2658,7 +2568,12 @@ extern "C" int kni_init(){
|
||||
if(ret < 0){
|
||||
KNI_LOG_ERROR(local_logger, "Fail get sec_policy_id for self_test, Now sec_policy_id = -1");
|
||||
}
|
||||
|
||||
//init proxy tcp option maat
|
||||
ret = pxy_tcp_option_rule_init(profile, local_logger);
|
||||
if(ret < 0){
|
||||
KNI_LOG_ERROR(local_logger, "Failed at init pxy_tcp_option_rule");
|
||||
goto error_out;
|
||||
}
|
||||
//init tfe_mgr
|
||||
_tfe_mgr = tfe_mgr_init(tfe_node_count, profile, g_kni_handle->deploy_mode, local_logger);
|
||||
if(_tfe_mgr == NULL){
|
||||
|
||||
556
entry/src/kni_pxy_tcp_option.cpp
Normal file
556
entry/src/kni_pxy_tcp_option.cpp
Normal file
@@ -0,0 +1,556 @@
|
||||
#include <MESA/cJSON.h>
|
||||
#include "kni_pxy_tcp_option.h"
|
||||
#include "kni_utils.h"
|
||||
|
||||
extern struct kni_handle *g_kni_handle;
|
||||
|
||||
int pxy_tcp_option_parse_json(const struct Maat_rule_t* rule, const char* srv_def_large,struct proxy_tcp_option *pxy_tcpop, void *logger)
|
||||
{
|
||||
int ret = 0;
|
||||
cJSON *json=NULL, *item=NULL, *client_side = NULL, *server_side = NULL, *client_side_keepalive = NULL, *server_side_keepalive = NULL;
|
||||
json=cJSON_Parse(srv_def_large);
|
||||
if(json==NULL)
|
||||
{
|
||||
KNI_LOG_ERROR(logger, "Data format error,please check it: id = %d", rule->config_id);
|
||||
return 0;
|
||||
}
|
||||
do{
|
||||
client_side = cJSON_GetObjectItem(json, "client_side_conn_param");
|
||||
if(client_side == NULL)
|
||||
{
|
||||
KNI_LOG_ERROR(logger, "Failed to parse json data, json key = client_side_conn_param");
|
||||
break;
|
||||
}
|
||||
else
|
||||
{
|
||||
client_side_keepalive = cJSON_GetObjectItem(client_side, "keep_alive");
|
||||
if(client_side_keepalive == NULL)
|
||||
{
|
||||
KNI_LOG_ERROR(logger, "Failed to parse json data, json key = client_side_conn_param.keep_alive");
|
||||
break;
|
||||
}
|
||||
else
|
||||
{
|
||||
item=cJSON_GetObjectItem(client_side_keepalive,"enable");
|
||||
if(item && item->type==cJSON_Number)
|
||||
{
|
||||
pxy_tcpop->client_tcp_keepalive_enable = item->valueint;
|
||||
}
|
||||
else
|
||||
{
|
||||
KNI_LOG_ERROR(logger, "Failed to parse json data, json key = client_side_conn_param.keep_alive.enable");
|
||||
break;
|
||||
}
|
||||
|
||||
item=cJSON_GetObjectItem(client_side_keepalive,"tcp_keepcnt");
|
||||
if(item && item->type==cJSON_Number)
|
||||
{
|
||||
pxy_tcpop->client_tcp_keepalive_keepcnt = item->valueint;
|
||||
}
|
||||
else
|
||||
{
|
||||
KNI_LOG_ERROR(logger, "Failed to parse json data, json key = client_side_conn_param.keep_alive.tcp_keepcnt");
|
||||
break;
|
||||
}
|
||||
|
||||
item=cJSON_GetObjectItem(client_side_keepalive,"tcp_keepidle");
|
||||
if(item && item->type==cJSON_Number)
|
||||
{
|
||||
pxy_tcpop->client_tcp_keepalive_keepidle = item->valueint;
|
||||
}
|
||||
else
|
||||
{
|
||||
KNI_LOG_ERROR(logger, "Failed to parse json data, json key = client_side_conn_param.keep_alive.tcp_keepidle");
|
||||
break;
|
||||
}
|
||||
|
||||
item=cJSON_GetObjectItem(client_side_keepalive,"tcp_keepintvl");
|
||||
if(item && item->type==cJSON_Number)
|
||||
{
|
||||
pxy_tcpop->client_tcp_keepalive_keepintvl = item->valueint;
|
||||
}
|
||||
else
|
||||
{
|
||||
KNI_LOG_ERROR(logger, "Failed to parse json data, json key = client_side_conn_param.keep_alive.tcp_keepintvl");
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
item=cJSON_GetObjectItem(client_side,"tcp_maxseg");
|
||||
if(item && item->type==cJSON_Number)
|
||||
{
|
||||
pxy_tcpop->client_tcp_maxseg = item->valueint;
|
||||
}
|
||||
else
|
||||
{
|
||||
KNI_LOG_ERROR(logger, "Failed to parse json data, json key = client_side_conn_param.tcp_maxseg");
|
||||
break;
|
||||
}
|
||||
|
||||
item=cJSON_GetObjectItem(client_side,"nodelay");
|
||||
if(item && item->type==cJSON_Number)
|
||||
{
|
||||
pxy_tcpop->client_tcp_nodelay = item->valueint;
|
||||
}
|
||||
else
|
||||
{
|
||||
KNI_LOG_ERROR(logger, "Failed to parse json data, json key = client_side_conn_param.nodelay");
|
||||
break;
|
||||
}
|
||||
|
||||
item=cJSON_GetObjectItem(client_side,"ttl");
|
||||
if(item && item->type==cJSON_Number)
|
||||
{
|
||||
pxy_tcpop->client_tcp_ttl = item->valueint;
|
||||
}
|
||||
else
|
||||
{
|
||||
KNI_LOG_ERROR(logger, "Failed to parse json data, json key = client_side_conn_param.ttl");
|
||||
break;
|
||||
}
|
||||
|
||||
item=cJSON_GetObjectItem(client_side,"user_timeout");
|
||||
if(item && item->type==cJSON_Number)
|
||||
{
|
||||
pxy_tcpop->client_tcp_user_timeout = item->valueint;
|
||||
}
|
||||
else
|
||||
{
|
||||
KNI_LOG_ERROR(logger, "Failed to parse json data, json key = client_side_conn_param.user_timeout");
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
server_side = cJSON_GetObjectItem(json, "server_side_conn_param");
|
||||
if(server_side == NULL)
|
||||
{
|
||||
KNI_LOG_ERROR(logger, "Failed to parse json data, json key = server_side_conn_param");
|
||||
break;
|
||||
}
|
||||
else
|
||||
{
|
||||
server_side_keepalive = cJSON_GetObjectItem(server_side, "keep_alive");
|
||||
if(server_side_keepalive == NULL)
|
||||
{
|
||||
KNI_LOG_ERROR(logger, "Failed to parse json data, json key = server_side_conn_param.keep_alive");
|
||||
break;
|
||||
}
|
||||
else
|
||||
{
|
||||
item=cJSON_GetObjectItem(server_side_keepalive,"enable");
|
||||
if(item && item->type==cJSON_Number)
|
||||
{
|
||||
pxy_tcpop->server_tcp_keepalive_enable = item->valueint;
|
||||
}
|
||||
else
|
||||
{
|
||||
KNI_LOG_ERROR(logger, "Failed to parse json data, json key = server_side_conn_param.keep_alive.enable");
|
||||
break;
|
||||
}
|
||||
|
||||
item=cJSON_GetObjectItem(server_side_keepalive,"tcp_keepcnt");
|
||||
if(item && item->type==cJSON_Number)
|
||||
{
|
||||
pxy_tcpop->server_tcp_keepalive_keepcnt = item->valueint;
|
||||
}
|
||||
else
|
||||
{
|
||||
KNI_LOG_ERROR(logger, "Failed to parse json data, json key = server_side_conn_param.keep_alive.tcp_keepcnt");
|
||||
break;
|
||||
}
|
||||
|
||||
item=cJSON_GetObjectItem(server_side_keepalive,"tcp_keepidle");
|
||||
if(item && item->type==cJSON_Number)
|
||||
{
|
||||
pxy_tcpop->server_tcp_keepalive_keepidle = item->valueint;
|
||||
}
|
||||
else
|
||||
{
|
||||
KNI_LOG_ERROR(logger, "Failed to parse json data, json key = server_side_conn_param.keep_alive.tcp_keepidle");
|
||||
break;
|
||||
}
|
||||
|
||||
item=cJSON_GetObjectItem(server_side_keepalive,"tcp_keepintvl");
|
||||
if(item && item->type==cJSON_Number)
|
||||
{
|
||||
pxy_tcpop->server_tcp_keepalive_keepintvl = item->valueint;
|
||||
}
|
||||
else
|
||||
{
|
||||
KNI_LOG_ERROR(logger, "Failed to parse json data, json key = server_side_conn_param.keep_alive.tcp_keepintvl");
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
item=cJSON_GetObjectItem(server_side,"tcp_maxseg");
|
||||
if(item && item->type==cJSON_Number)
|
||||
{
|
||||
pxy_tcpop->server_tcp_maxseg = item->valueint;
|
||||
}
|
||||
else
|
||||
{
|
||||
KNI_LOG_ERROR(logger, "Failed to parse json data, json key = server_side_conn_param.tcp_maxseg");
|
||||
break;
|
||||
}
|
||||
|
||||
item=cJSON_GetObjectItem(server_side,"nodelay");
|
||||
if(item && item->type==cJSON_Number)
|
||||
{
|
||||
pxy_tcpop->server_tcp_nodelay = item->valueint;
|
||||
}
|
||||
else
|
||||
{
|
||||
KNI_LOG_ERROR(logger, "Failed to parse json data, json key = server_side_conn_param.nodelay");
|
||||
break;
|
||||
}
|
||||
|
||||
item=cJSON_GetObjectItem(server_side,"ttl");
|
||||
if(item && item->type==cJSON_Number)
|
||||
{
|
||||
pxy_tcpop->server_tcp_ttl = item->valueint;
|
||||
}
|
||||
else
|
||||
{
|
||||
KNI_LOG_ERROR(logger, "Failed to parse json data, json key = server_side_conn_param.ttl");
|
||||
break;
|
||||
}
|
||||
|
||||
item=cJSON_GetObjectItem(server_side,"user_timeout");
|
||||
if(item && item->type==cJSON_Number)
|
||||
{
|
||||
pxy_tcpop->server_tcp_user_timeout = item->valueint;
|
||||
}
|
||||
else
|
||||
{
|
||||
KNI_LOG_ERROR(logger, "Failed to parse json data, json key = server_side_conn_param.user_timeout");
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
item = cJSON_GetObjectItem(json, "bypass_duplicated_packet");
|
||||
if(item && item->type==cJSON_Number)
|
||||
{
|
||||
pxy_tcpop->bypass_duplicated_packet = item->valueint;
|
||||
}
|
||||
else
|
||||
{
|
||||
KNI_LOG_ERROR(logger, "Failed to parse json data, json key = bypass_duplicated_packet");
|
||||
break;
|
||||
}
|
||||
|
||||
item = cJSON_GetObjectItem(json, "tcp_passthrough");
|
||||
if(item && item->type==cJSON_Number)
|
||||
{
|
||||
pxy_tcpop->tcp_passthrough = item->valueint;
|
||||
}
|
||||
else
|
||||
{
|
||||
KNI_LOG_ERROR(logger, "Failed to parse json data, json key = tcp_passthrough");
|
||||
break;
|
||||
}
|
||||
ret = 1;
|
||||
} while(0);
|
||||
cJSON_Delete(json);
|
||||
return ret;
|
||||
}
|
||||
|
||||
void pxy_tcp_option_default_param_new(int idx, const struct Maat_rule_t* rule, const char* srv_def_large,MAAT_RULE_EX_DATA* ad, long argl, void *argp)
|
||||
{
|
||||
void *logger = argp;
|
||||
struct proxy_tcp_option pxy_tcp_option;
|
||||
int ret = 0;
|
||||
|
||||
if( rule->service_id == 0)
|
||||
return;
|
||||
|
||||
if((unsigned int)rule->serv_def_len<strlen("{}")+1)
|
||||
{
|
||||
KNI_LOG_ERROR(logger, "PXY_TCP_OPTION_COMPILE's USER_REGION no data");
|
||||
return;
|
||||
}
|
||||
|
||||
ret = pxy_tcp_option_parse_json(rule, srv_def_large, &pxy_tcp_option, logger);
|
||||
|
||||
if(ret == 1)
|
||||
{
|
||||
memcpy((void *)&g_kni_handle->pxy_tcp_option, (const void *)&pxy_tcp_option, sizeof(pxy_tcp_option));
|
||||
KNI_LOG_INFO(logger, "Proxy tcp option default Policy: "
|
||||
"{client_side_conn_param:{tcp_maxseg:%d,nodelay=%d,keep_alive:"
|
||||
"{enable:%d,tcp_keepcnt:%d,tcp_keepidle:%d,tcp_keepintvl:%d}ttl:%d,user_timeout:%d},"
|
||||
"server_side_conn_param:{tcp_maxseg:%d,nodelay=%d,keep_alive:"
|
||||
"{enable:%d,tcp_keepcnt:%d,tcp_keepidle:%d,tcp_keepintvl:%d}ttl:%d,user_timeout:%d},"
|
||||
"bypass_duplicated_packet:%d,tcp_passthrough:%d}",
|
||||
pxy_tcp_option.client_tcp_maxseg, pxy_tcp_option.client_tcp_nodelay,
|
||||
pxy_tcp_option.client_tcp_keepalive_enable, pxy_tcp_option.client_tcp_keepalive_keepcnt,
|
||||
pxy_tcp_option.client_tcp_keepalive_keepidle, pxy_tcp_option.client_tcp_keepalive_keepintvl,
|
||||
pxy_tcp_option.client_tcp_ttl, pxy_tcp_option.client_tcp_user_timeout,
|
||||
pxy_tcp_option.server_tcp_maxseg, pxy_tcp_option.server_tcp_nodelay,
|
||||
pxy_tcp_option.server_tcp_keepalive_enable, pxy_tcp_option.server_tcp_keepalive_keepcnt,
|
||||
pxy_tcp_option.server_tcp_keepalive_keepidle, pxy_tcp_option.server_tcp_keepalive_keepintvl,
|
||||
pxy_tcp_option.server_tcp_ttl, pxy_tcp_option.server_tcp_user_timeout,
|
||||
pxy_tcp_option.bypass_duplicated_packet, pxy_tcp_option.tcp_passthrough);
|
||||
}
|
||||
else{
|
||||
KNI_LOG_ERROR(logger, "Fail to get proxy tcp option default policy, Error: json data parse fail");
|
||||
}
|
||||
return;
|
||||
}
|
||||
|
||||
void pxy_tcp_option_default_param_free_cb(int table_id, const struct Maat_rule_t* rule, const char* srv_def_large, MAAT_RULE_EX_DATA* ad, long argl, void *argp)
|
||||
{
|
||||
void *logger = argp;
|
||||
if( rule->service_id == 1)
|
||||
{
|
||||
KNI_LOG_ERROR(logger, "Call pxy_tcp_option_default_param_free_cb when the default proxy tcp policy change or add");
|
||||
}
|
||||
return;
|
||||
}
|
||||
|
||||
void pxy_tcp_option_default_param_dup(int idx, MAAT_RULE_EX_DATA *to, MAAT_RULE_EX_DATA *from, long argl, void *argp)
|
||||
{
|
||||
void *logger = argp;
|
||||
|
||||
KNI_LOG_ERROR(logger, "Call pxy_tcp_option_default_param_dup when the default proxy tcp policy change or add");
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
int pxy_tcp_option_rule_init(const char* conffile, void *logger)
|
||||
{
|
||||
int i=0;
|
||||
MESA_load_profile_string_def(conffile, "proxy_tcp_option", "maat_table_compile", g_kni_handle->table_name[TABLE_COMPILE], _MAX_TABLE_NAME_LEN, "PXY_TCP_OPTION_COMPILE");
|
||||
MESA_load_profile_string_def(conffile, "proxy_tcp_option", "maat_table_addr", g_kni_handle->table_name[TABLE_IP_ADDR], _MAX_TABLE_NAME_LEN, "PXY_TCP_OPTION_COMPILE");
|
||||
MESA_load_profile_string_def(conffile, "proxy_tcp_option", "maat_table_sni", g_kni_handle->table_name[TABLE_SSL_SNI], _MAX_TABLE_NAME_LEN, "PXY_TCP_OPTION_COMPILE");
|
||||
|
||||
for(i=0; i<TABLE_COMPILE; i++)
|
||||
{
|
||||
g_kni_handle->table_id[i]=Maat_table_register(g_tsg_maat_feather, g_kni_handle->table_name[i]);
|
||||
if(g_kni_handle->table_id[i]<0)
|
||||
{
|
||||
KNI_LOG_ERROR(logger, "Maat_table_register %s failed, Please check etc/kni/kni.conf", g_kni_handle->table_name[i]);
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
|
||||
g_kni_handle->table_id[TABLE_COMPILE] = Maat_rule_get_ex_new_index(g_tsg_maat_feather,
|
||||
g_kni_handle->table_name[TABLE_COMPILE],
|
||||
pxy_tcp_option_default_param_new,
|
||||
pxy_tcp_option_default_param_free_cb,
|
||||
pxy_tcp_option_default_param_dup,
|
||||
0, logger);
|
||||
if(g_kni_handle->table_id[TABLE_COMPILE] < 0)
|
||||
{
|
||||
KNI_LOG_ERROR(logger, "Maat_rule_get_ex_new_index %s failed, Please check etc/kni/kni.conf", g_kni_handle->table_id[TABLE_COMPILE]);
|
||||
return -1;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
static int pxy_tcp_option_scan_addr(Maat_feather_t maat_feather,const struct streaminfo *a_stream, Maat_rule_t *result, int result_num,scan_status_t *mid,struct pme_info *pmeinfo, void *logger)
|
||||
{
|
||||
struct ipaddr t_addr;
|
||||
struct ipaddr* p_addr=NULL;
|
||||
int hit_num=0;
|
||||
int is_scan_addr=1, maat_ret=0;
|
||||
const struct streaminfo *cur_stream = a_stream;
|
||||
|
||||
if(a_stream==NULL || maat_feather==NULL || result_num <=0 || result == NULL)
|
||||
{
|
||||
KNI_LOG_ERROR(logger,"SCAN_ADDR a_stream==NULL || maat_feather==NULL || result_num <= 0 || result == NULL ,streamid=%d ", pmeinfo->stream_traceid);
|
||||
return 0;
|
||||
}
|
||||
|
||||
do
|
||||
{
|
||||
if(cur_stream->addr.addrtype == __ADDR_TYPE_IP_PAIR_V4 || cur_stream->addr.addrtype == ADDR_TYPE_IPV4 || cur_stream->addr.addrtype == __ADDR_TYPE_IP_PAIR_V6 || cur_stream->addr.addrtype == ADDR_TYPE_IPV6)
|
||||
{
|
||||
is_scan_addr = 1;
|
||||
if(cur_stream->addr.addrtype == __ADDR_TYPE_IP_PAIR_V4 || cur_stream->addr.addrtype == __ADDR_TYPE_IP_PAIR_V6)
|
||||
{
|
||||
memcpy(&t_addr, &cur_stream->addr, sizeof(t_addr));
|
||||
if(cur_stream->addr.addrtype == __ADDR_TYPE_IP_PAIR_V4)
|
||||
t_addr.addrtype = ADDR_TYPE_IPV4;
|
||||
else
|
||||
t_addr.addrtype = ADDR_TYPE_IPV6;
|
||||
p_addr = &t_addr;
|
||||
}
|
||||
else
|
||||
{
|
||||
p_addr = (struct ipaddr *)&cur_stream->addr;
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
is_scan_addr = 0;
|
||||
p_addr = NULL;
|
||||
}
|
||||
|
||||
if(is_scan_addr==1 && p_addr!=NULL)
|
||||
{
|
||||
|
||||
maat_ret=Maat_scan_addr(maat_feather,
|
||||
g_kni_handle->table_id[TABLE_IP_ADDR],
|
||||
p_addr,
|
||||
result+hit_num,
|
||||
result_num-hit_num,
|
||||
mid,
|
||||
cur_stream->threadnum);
|
||||
|
||||
if(maat_ret > 0)
|
||||
{
|
||||
KNI_LOG_DEBUG(logger,"SCAN_IP,Hit streamid: %d",pmeinfo->stream_traceid);
|
||||
hit_num+=maat_ret;
|
||||
}
|
||||
else
|
||||
{
|
||||
KNI_LOG_DEBUG(logger,"SCAN_IP,Not hit streamid: %d,scan ret: %d",
|
||||
pmeinfo->stream_traceid,
|
||||
maat_ret);
|
||||
}
|
||||
}
|
||||
|
||||
cur_stream = cur_stream->pfather;
|
||||
|
||||
}while(cur_stream != NULL && hit_num < result_num);
|
||||
|
||||
return hit_num;
|
||||
}
|
||||
|
||||
static int pxy_tcp_option_scan_domain(Maat_feather_t maat_feather, Maat_rule_t *result, int result_num,scan_status_t *mid, struct pme_info *pmeinfo, void *logger)
|
||||
{
|
||||
int hit_num = 0, maat_ret = 0;
|
||||
if(pmeinfo->protocol != PROTO_HTTP || pmeinfo->protocol != PROTO_SSL)
|
||||
return hit_num;
|
||||
if(hit_num < result_num)
|
||||
{
|
||||
maat_ret = Maat_full_scan_string(maat_feather,
|
||||
g_kni_handle->table_id[TABLE_SSL_SNI],
|
||||
CHARSET_UTF8,
|
||||
(const char *)&pmeinfo->domain,
|
||||
pmeinfo->domain_len,
|
||||
result,
|
||||
NULL,
|
||||
result_num - hit_num,
|
||||
mid,
|
||||
pmeinfo->thread_seq);
|
||||
if(maat_ret > 0)
|
||||
{
|
||||
KNI_LOG_DEBUG(logger,"SCAN_DOMAIN,Hit streamid: %d, domain: %s",
|
||||
pmeinfo->stream_traceid,
|
||||
pmeinfo->domain);
|
||||
hit_num += maat_ret;
|
||||
}
|
||||
else
|
||||
{
|
||||
KNI_LOG_DEBUG(logger,"SCAN_DOMAIN,Not hit stream_traceid: %d ,domain :%s scan ret: %d",
|
||||
pmeinfo->stream_traceid,
|
||||
pmeinfo->domain,
|
||||
maat_ret);
|
||||
}
|
||||
|
||||
}
|
||||
return hit_num;
|
||||
}
|
||||
|
||||
static struct Maat_rule_t *pxy_tcp_option_decision_criteria(Maat_rule_t *result, int result_num)
|
||||
{
|
||||
int i=0;
|
||||
Maat_rule_t *p_result=NULL;
|
||||
|
||||
if(result==NULL || result_num <= 0)
|
||||
{
|
||||
return NULL;
|
||||
}
|
||||
for(i = 0; i < result_num; i ++)
|
||||
{
|
||||
if(p_result==NULL)
|
||||
{
|
||||
p_result=&result[i];
|
||||
continue;
|
||||
}
|
||||
|
||||
if( result[i].config_id > p_result->config_id )
|
||||
{
|
||||
p_result = &result[i];
|
||||
}
|
||||
}
|
||||
return p_result;
|
||||
}
|
||||
|
||||
int pxy_tcp_option_get_param(Maat_feather_t maat_feather,const struct streaminfo *a_stream,struct pme_info *pmeinfo, void *logger)
|
||||
{
|
||||
int scan_ret = 0, hit_num = 0, is_not_default = 0, ret = 0;
|
||||
scan_status_t mid=NULL;
|
||||
Maat_rule_t *p_result=NULL;
|
||||
Maat_rule_t all_result[MAX_RESULT_NUM];
|
||||
struct proxy_tcp_option *pxy_tcpop = &pmeinfo->pxy_tcp_option;
|
||||
char *tmp_buff=NULL;
|
||||
scan_ret = pxy_tcp_option_scan_addr(maat_feather,a_stream, all_result + hit_num, MAX_RESULT_NUM - hit_num, &mid, pmeinfo, logger);
|
||||
if(scan_ret > 0)
|
||||
{
|
||||
hit_num += scan_ret;
|
||||
}
|
||||
scan_ret = pxy_tcp_option_scan_domain(maat_feather, all_result + hit_num, MAX_RESULT_NUM - hit_num,&mid,pmeinfo,logger);
|
||||
if(scan_ret > 0)
|
||||
{
|
||||
hit_num += scan_ret;
|
||||
}
|
||||
p_result = pxy_tcp_option_decision_criteria(all_result, hit_num);
|
||||
do {
|
||||
if(p_result == NULL)
|
||||
{
|
||||
KNI_LOG_DEBUG(logger,"Scan not hit, Proxy tcp option using default param, streamid = %d", pmeinfo->stream_traceid);
|
||||
break;
|
||||
}
|
||||
KNI_LOG_DEBUG(logger,"Scan hit, hit_num = %d, streamid = %d", hit_num, pmeinfo->stream_traceid);
|
||||
|
||||
tmp_buff=(char *)calloc(1, p_result->serv_def_len+1);
|
||||
|
||||
Maat_read_rule(g_tsg_maat_feather, p_result, MAAT_RULE_SERV_DEFINE, tmp_buff, p_result->serv_def_len);
|
||||
if( strlen(tmp_buff) < strlen("{}") + 1)
|
||||
{
|
||||
KNI_LOG_DEBUG(logger, "Scan hit, Get extra data error: No json data or data is null,streamid = %d", pmeinfo->stream_traceid);
|
||||
break;
|
||||
}
|
||||
ret = pxy_tcp_option_parse_json((const struct Maat_rule_t*)p_result, (const char*)tmp_buff, pxy_tcpop, logger);
|
||||
if(ret != 1)
|
||||
{
|
||||
KNI_LOG_DEBUG(logger,"Scan hit, json parse error,Proxy tcp option using default param,streamid = %d", pmeinfo->stream_traceid);
|
||||
break;
|
||||
}
|
||||
is_not_default = 1;
|
||||
free(tmp_buff);
|
||||
tmp_buff = NULL;
|
||||
} while(0);
|
||||
|
||||
if(is_not_default != 1)
|
||||
{
|
||||
memcpy((void *)pxy_tcpop, (const void *)&g_kni_handle->pxy_tcp_option, sizeof(g_kni_handle->pxy_tcp_option));
|
||||
}
|
||||
KNI_LOG_DEBUG(logger, "Proxy tcp option, streamid: %d,param: "
|
||||
"{client_side_conn_param:{tcp_maxseg:%d,nodelay=%d,keep_alive:"
|
||||
"{enable:%d,tcp_keepcnt:%d,tcp_keepidle:%d,tcp_keepintvl:%d}ttl:%d,user_timeout:%d},"
|
||||
"server_side_conn_param:{tcp_maxseg:%d,nodelay=%d,keep_alive:"
|
||||
"{enable:%d,tcp_keepcnt:%d,tcp_keepidle:%d,tcp_keepintvl:%d}ttl:%d,user_timeout:%d},"
|
||||
"bypass_duplicated_packet:%d,tcp_passthrough:%d}",
|
||||
pmeinfo->stream_traceid,
|
||||
pxy_tcpop->client_tcp_maxseg, pxy_tcpop->client_tcp_nodelay,
|
||||
pxy_tcpop->client_tcp_keepalive_enable, pxy_tcpop->client_tcp_keepalive_keepcnt,
|
||||
pxy_tcpop->client_tcp_keepalive_keepidle, pxy_tcpop->client_tcp_keepalive_keepintvl,
|
||||
pxy_tcpop->client_tcp_ttl, pxy_tcpop->client_tcp_user_timeout,
|
||||
pxy_tcpop->server_tcp_maxseg, pxy_tcpop->server_tcp_nodelay,
|
||||
pxy_tcpop->server_tcp_keepalive_enable, pxy_tcpop->server_tcp_keepalive_keepcnt,
|
||||
pxy_tcpop->server_tcp_keepalive_keepidle, pxy_tcpop->server_tcp_keepalive_keepintvl,
|
||||
pxy_tcpop->server_tcp_ttl, pxy_tcpop->server_tcp_user_timeout,
|
||||
pxy_tcpop->bypass_duplicated_packet, pxy_tcpop->tcp_passthrough);
|
||||
|
||||
if(mid!=NULL)
|
||||
{
|
||||
Maat_clean_status(&mid);
|
||||
mid=NULL;
|
||||
}
|
||||
return ret;
|
||||
}
|
||||
Reference in New Issue
Block a user