1、增加proxy tcp option 功能 2、 将kni_entry.cpp 拆分出来 kni_entry.h
This commit is contained in:
fumingwei
@@ -31,189 +31,14 @@ extern "C" {
|
||||
#include "kni_tun.h"
|
||||
#include "tsg/tsg_statistic.h"
|
||||
#include <MESA/stream_inc/stream_control.h>
|
||||
#include "kni_entry.h"
|
||||
#include "kni_pxy_tcp_option.h"
|
||||
|
||||
struct kni_handle *g_kni_handle = NULL;
|
||||
struct kni_field_stat_handle *g_kni_fs_handle = NULL;
|
||||
int *arr_last_tfe_dispatch_index = NULL;
|
||||
|
||||
|
||||
|
||||
#define BURST_MAX 1
|
||||
#define CALLER_SAPP 0
|
||||
#define CALLER_TFE 1
|
||||
|
||||
#define SSL_INFO_LEN 2048
|
||||
|
||||
enum intercept_error{
|
||||
INTERCEPT_ERROR_ASYM_ROUTING = -1,
|
||||
INTERCEPT_ERROR_NO_SYN = -2,
|
||||
INTERCEPT_ERROR_NO_SYN_ACK = -3,
|
||||
INTERCEPT_ERROR_INVALID_IP_HDR = -4,
|
||||
INTERCEPT_ERROR_EXCEED_MTU = -5,
|
||||
//internal
|
||||
INTERCEPT_ERROR_SENDTO_TFE_FAIL = -6,
|
||||
INTERCEPT_ERROR_TUPLE2STM_ADD_FAIL = -7,
|
||||
INTERCEPT_ERROR_NO_TFE = -8,
|
||||
INTERCEPT_ERROR_DUP_TRAFFIC = -9,
|
||||
INTERCEPT_ERROR_CMSG_ADD_FAIL = -10,
|
||||
};
|
||||
|
||||
/* action
|
||||
0x00: none
|
||||
0x02: intercept
|
||||
0x80: bypass
|
||||
*/
|
||||
enum kni_action{
|
||||
KNI_ACTION_NONE = 0x00,
|
||||
KNI_ACTION_INTERCEPT = 0x02,
|
||||
KNI_ACTION_BYPASS = 0x80
|
||||
};
|
||||
|
||||
|
||||
//memset 0
|
||||
struct dup_traffic_dabloom_key{
|
||||
union{
|
||||
struct stream_tuple4_v4 v4;
|
||||
struct stream_tuple4_v6 v6;
|
||||
}addr;
|
||||
uint16_t ipid;
|
||||
uint32_t seq;
|
||||
uint32_t ack_seq;
|
||||
uint32_t timestamp;
|
||||
};
|
||||
|
||||
struct pme_info{
|
||||
addr_type_t addr_type;
|
||||
char stream_addr[KNI_ADDR_MAX];
|
||||
int do_log;
|
||||
int policy_id;
|
||||
tsg_protocol_t protocol;
|
||||
enum kni_action action;
|
||||
int service;
|
||||
struct kni_tcpopt_info client_tcpopt;
|
||||
struct kni_tcpopt_info server_tcpopt;
|
||||
char has_syn;
|
||||
char has_syn_ack;
|
||||
uint16_t client_window;
|
||||
uint16_t server_window;
|
||||
int tfe_id;
|
||||
pthread_mutex_t lock;
|
||||
enum intercept_error intcp_error;
|
||||
char stream_traceid[24];
|
||||
//cjson check protocol
|
||||
union{
|
||||
char host[MAX_DOAMIN_LEN]; //http only
|
||||
char sni[MAX_DOAMIN_LEN]; //ssl only
|
||||
}domain;
|
||||
int domain_len;
|
||||
//tfe_release = 1: tfe don't need pmeinfo
|
||||
int tfe_release;
|
||||
int sapp_release;
|
||||
//kafka log
|
||||
struct TLD_handle_t *tld_handle;
|
||||
const struct streaminfo *stream;
|
||||
int maat_result_num;
|
||||
Maat_rule_t maat_result;
|
||||
//from tfe, kafka log
|
||||
uint64_t ssl_intercept_state;
|
||||
uint64_t ssl_pinningst; //defalut 0
|
||||
uint64_t ssl_server_side_latency;
|
||||
uint64_t ssl_client_side_latency;
|
||||
char ssl_server_side_version[KNI_SYMBOL_MAX];
|
||||
char ssl_client_side_version[KNI_SYMBOL_MAX];
|
||||
int64_t ssl_cert_verify;
|
||||
char ssl_error[KNI_STRING_MAX];
|
||||
|
||||
//for dup traffic detect
|
||||
uint64_t has_dup_traffic;
|
||||
int has_dup_syn;
|
||||
int has_dup_syn_ack;
|
||||
struct dup_traffic_dabloom_key *syn_packet;
|
||||
struct dup_traffic_dabloom_key *syn_ack_packet;
|
||||
struct _traffic_info traffic_info;
|
||||
//for kni dynamic bypass
|
||||
int thread_seq;
|
||||
int is_dynamic_bypass;
|
||||
};
|
||||
|
||||
struct wrapped_packet{
|
||||
char data[KNI_MTU];
|
||||
};
|
||||
|
||||
struct tcp_option_restore{
|
||||
uint8_t kind;
|
||||
uint8_t len;
|
||||
uint16_t offset;
|
||||
};
|
||||
|
||||
struct tfe_enabled_node{
|
||||
int tfe_id;
|
||||
struct mr_vdev *dev_eth_handler;
|
||||
struct mr_sendpath *dev_eth_sendpath;
|
||||
};
|
||||
|
||||
struct kni_marsio_handle{
|
||||
struct mr_instance *instance;
|
||||
int tfe_enabled_node_count;
|
||||
struct tfe_enabled_node tfe_enabled_nodes[TFE_COUNT_MAX];
|
||||
};
|
||||
|
||||
struct protocol_identify_result{
|
||||
int protocol;
|
||||
char domain[MAX_DOAMIN_LEN];
|
||||
int domain_len;
|
||||
};
|
||||
|
||||
struct thread_tfe_cmsg_receiver_args{
|
||||
void *logger;
|
||||
char profile[KNI_SYMBOL_MAX];
|
||||
};
|
||||
|
||||
|
||||
struct per_thread_handle{
|
||||
MESA_htable_handle tuple2stream_htable;
|
||||
MESA_htable_handle traceid2sslinfo_htable;
|
||||
struct expiry_dablooms_handle *dabloom_handle;
|
||||
};
|
||||
|
||||
struct tuple2stream_htable_value{
|
||||
struct streaminfo *stream;
|
||||
struct pme_info *pmeinfo;
|
||||
int route_dir;
|
||||
int reversed;
|
||||
};
|
||||
|
||||
|
||||
struct kni_handle{
|
||||
struct kni_marsio_handle *marsio_handle;
|
||||
struct kni_tun_handle *tun_handle;
|
||||
struct kni_maat_handle *maat_handle;
|
||||
struct kni_send_logger *send_logger;
|
||||
MESA_htable_handle traceid2pme_htable;
|
||||
struct per_thread_handle *threads_handle;
|
||||
void *local_logger;
|
||||
struct tfe_mgr *_tfe_mgr;
|
||||
int thread_count;
|
||||
int dup_traffic_switch;
|
||||
int dup_traffic_action;
|
||||
enum kni_deploy_mode deploy_mode;
|
||||
char src_mac_addr[6];
|
||||
char dst_mac_addr[6];
|
||||
int *arr_last_tfe_dispatch_index;
|
||||
int secpolicyid_evenflow_self_check;
|
||||
MESA_htable_handle sslinfo2bypass_htable;
|
||||
};
|
||||
|
||||
struct traceid2pme_search_cb_args{
|
||||
struct kni_cmsg *cmsg;
|
||||
void *logger;
|
||||
};
|
||||
|
||||
struct dynamic_bypass_ssl_feature{
|
||||
char value[SSL_INFO_LEN];
|
||||
size_t vlen;
|
||||
};
|
||||
|
||||
static char* stream_errmsg_session_record(enum intercept_error _errno){
|
||||
switch(_errno){
|
||||
case INTERCEPT_ERROR_ASYM_ROUTING:
|
||||
@@ -529,6 +354,81 @@ static unsigned char* kni_cmsg_serialize_header_new(struct pme_info *pmeinfo, st
|
||||
ret = wrapped_kni_cmsg_set(cmsg, TFE_CMSG_STREAM_TRACE_ID, (const unsigned char*)trace_id,
|
||||
strnlen(pmeinfo->stream_traceid, sizeof(pmeinfo->stream_traceid)), pmeinfo);
|
||||
if(ret < 0) goto error_out;
|
||||
/*
|
||||
TFE_CMSG_DOWNSTREAM_TCP_MAXSEG = 0x40, //size int
|
||||
TFE_CMSG_DOWNSTREAM_TCP_NODELAY = 0x41, //size int
|
||||
TFE_CMSG_DOWNSTREAM_TCP_TTL = 0x42, //size int
|
||||
TFE_CMSG_DOWNSTREAM_TCP_KEEPALIVE = 0x43, //size int
|
||||
TFE_CMSG_DOWNSTREAM_TCP_KEEPCNT = 0x44, //size int
|
||||
TFE_CMSG_DOWNSTREAM_TCP_KEEPIDLE = 0x45, //size int
|
||||
TFE_CMSG_DOWNSTREAM_TCP_KEEPINTVL = 0x46, //size int
|
||||
TFE_CMSG_DOWNSTREAM_TCP_USER_TIMEOUT = 0x47, //size int
|
||||
|
||||
TFE_CMSG_UPSTREAM_TCP_MAXSEG = 0x50, //size int
|
||||
TFE_CMSG_UPSTREAM_TCP_NODELAY = 0x51, //size int
|
||||
TFE_CMSG_UPSTREAM_TCP_TTL = 0x52, //size int
|
||||
TFE_CMSG_UPSTREAM_TCP_KEEPALIVE = 0x53, //size int
|
||||
TFE_CMSG_UPSTREAM_TCP_KEEPCNT = 0x54, //size int
|
||||
TFE_CMSG_UPSTREAM_TCP_KEEPIDLE = 0x55, //size int
|
||||
TFE_CMSG_UPSTREAM_TCP_KEEPINTVL = 0x56, //size int
|
||||
TFE_CMSG_UPSTREAM_TCP_USER_TIMEOUT = 0x57, //size int
|
||||
|
||||
TFE_CMSG_TCP_PASSTHROUGH = 0x60, //size int
|
||||
*/
|
||||
// proxy tcp option start
|
||||
ret = wrapped_kni_cmsg_set(cmsg,TFE_CMSG_DOWNSTREAM_TCP_MAXSEG, (const unsigned char*)&(pmeinfo->pxy_tcp_option.client_tcp_maxseg), sizeof(int), pmeinfo);
|
||||
if(ret < 0) goto error_out;
|
||||
|
||||
ret = wrapped_kni_cmsg_set(cmsg,TFE_CMSG_DOWNSTREAM_TCP_NODELAY, (const unsigned char*)&(pmeinfo->pxy_tcp_option.client_tcp_nodelay), sizeof(int), pmeinfo);
|
||||
if(ret < 0) goto error_out;
|
||||
|
||||
ret = wrapped_kni_cmsg_set(cmsg,TFE_CMSG_DOWNSTREAM_TCP_TTL, (const unsigned char*)&(pmeinfo->pxy_tcp_option.client_tcp_ttl), sizeof(int), pmeinfo);
|
||||
if(ret < 0) goto error_out;
|
||||
|
||||
ret = wrapped_kni_cmsg_set(cmsg,TFE_CMSG_DOWNSTREAM_TCP_KEEPALIVE, (const unsigned char*)&(pmeinfo->pxy_tcp_option.client_tcp_keepalive_enable), sizeof(int), pmeinfo);
|
||||
if(ret < 0) goto error_out;
|
||||
|
||||
ret = wrapped_kni_cmsg_set(cmsg,TFE_CMSG_DOWNSTREAM_TCP_KEEPCNT, (const unsigned char*)&(pmeinfo->pxy_tcp_option.client_tcp_keepalive_keepcnt), sizeof(int), pmeinfo);
|
||||
if(ret < 0) goto error_out;
|
||||
|
||||
ret = wrapped_kni_cmsg_set(cmsg,TFE_CMSG_DOWNSTREAM_TCP_KEEPIDLE, (const unsigned char*)&(pmeinfo->pxy_tcp_option.client_tcp_keepalive_keepidle), sizeof(int), pmeinfo);
|
||||
if(ret < 0) goto error_out;
|
||||
|
||||
ret = wrapped_kni_cmsg_set(cmsg,TFE_CMSG_DOWNSTREAM_TCP_KEEPINTVL, (const unsigned char*)&(pmeinfo->pxy_tcp_option.client_tcp_keepalive_keepintvl), sizeof(int), pmeinfo);
|
||||
if(ret < 0) goto error_out;
|
||||
|
||||
ret = wrapped_kni_cmsg_set(cmsg,TFE_CMSG_DOWNSTREAM_TCP_USER_TIMEOUT, (const unsigned char*)&(pmeinfo->pxy_tcp_option.client_tcp_user_timeout), sizeof(int), pmeinfo);
|
||||
if(ret < 0) goto error_out;
|
||||
|
||||
ret = wrapped_kni_cmsg_set(cmsg,TFE_CMSG_UPSTREAM_TCP_MAXSEG, (const unsigned char*)&(pmeinfo->pxy_tcp_option.server_tcp_maxseg), sizeof(int), pmeinfo);
|
||||
if(ret < 0) goto error_out;
|
||||
|
||||
ret = wrapped_kni_cmsg_set(cmsg,TFE_CMSG_UPSTREAM_TCP_NODELAY, (const unsigned char*)&(pmeinfo->pxy_tcp_option.server_tcp_nodelay), sizeof(int), pmeinfo);
|
||||
if(ret < 0) goto error_out;
|
||||
|
||||
ret = wrapped_kni_cmsg_set(cmsg,TFE_CMSG_UPSTREAM_TCP_TTL, (const unsigned char*)&(pmeinfo->pxy_tcp_option.server_tcp_ttl), sizeof(int), pmeinfo);
|
||||
if(ret < 0) goto error_out;
|
||||
|
||||
ret = wrapped_kni_cmsg_set(cmsg,TFE_CMSG_UPSTREAM_TCP_KEEPALIVE, (const unsigned char*)&(pmeinfo->pxy_tcp_option.server_tcp_keepalive_enable), sizeof(int), pmeinfo);
|
||||
if(ret < 0) goto error_out;
|
||||
|
||||
ret = wrapped_kni_cmsg_set(cmsg,TFE_CMSG_UPSTREAM_TCP_KEEPCNT , (const unsigned char*)&(pmeinfo->pxy_tcp_option.server_tcp_keepalive_keepcnt), sizeof(int), pmeinfo);
|
||||
if(ret < 0) goto error_out;
|
||||
|
||||
ret = wrapped_kni_cmsg_set(cmsg,TFE_CMSG_UPSTREAM_TCP_KEEPIDLE, (const unsigned char*)&(pmeinfo->pxy_tcp_option.server_tcp_keepalive_keepidle), sizeof(int), pmeinfo);
|
||||
if(ret < 0) goto error_out;
|
||||
|
||||
ret = wrapped_kni_cmsg_set(cmsg,TFE_CMSG_UPSTREAM_TCP_KEEPINTVL, (const unsigned char*)&(pmeinfo->pxy_tcp_option.server_tcp_keepalive_keepintvl), sizeof(int), pmeinfo);
|
||||
if(ret < 0) goto error_out;
|
||||
|
||||
ret = wrapped_kni_cmsg_set(cmsg,TFE_CMSG_UPSTREAM_TCP_USER_TIMEOUT, (const unsigned char*)&(pmeinfo->pxy_tcp_option.server_tcp_user_timeout), sizeof(int), pmeinfo);
|
||||
if(ret < 0) goto error_out;
|
||||
|
||||
ret = wrapped_kni_cmsg_set(cmsg,TFE_CMSG_TCP_PASSTHROUGH, (const unsigned char*)&(pmeinfo->pxy_tcp_option.tcp_passthrough), sizeof(int), pmeinfo);
|
||||
if(ret < 0) goto error_out;
|
||||
// proxy tcp option end
|
||||
|
||||
|
||||
//src mac
|
||||
ret = get_rawpkt_opt_from_streaminfo(stream, RAW_PKT_GET_VXLAN_OUTER_GDEV_MAC, src_mac);
|
||||
if(ret < 0){
|
||||
@@ -1305,6 +1205,12 @@ static int first_data_intercept(struct streaminfo *stream, struct pme_info *pmei
|
||||
}
|
||||
}
|
||||
|
||||
//Bypass Duplicated Packet
|
||||
if(pmeinfo->has_dup_traffic == 1 && pmeinfo->pxy_tcp_option.bypass_duplicated_packet == 1)
|
||||
{
|
||||
KNI_LOG_DEBUG(g_kni_handle->local_logger, "Proxy tcp option: bypass Duplicated Packet first data, streamid = %d", pmeinfo->stream_traceid);
|
||||
return APP_STATE_FAWPKT | APP_STATE_KILL_OTHER | APP_STATE_GIVEME;
|
||||
}
|
||||
//dynamic bypass
|
||||
if(first_data_ssl_dynamic_bypass(stream, pmeinfo, pktinfo, thread_seq) == 0)
|
||||
{
|
||||
@@ -1447,6 +1353,9 @@ char next_data_intercept(struct pme_info *pmeinfo, const void *a_packet, struct
|
||||
if(g_kni_handle->dup_traffic_switch == 1){
|
||||
if(pmeinfo->has_dup_traffic == 1){
|
||||
//ret = 1, = dup packet, bypass the packet
|
||||
if(pmeinfo->pxy_tcp_option.bypass_duplicated_packet == 1){ //Bypass Duplicated Packet
|
||||
return APP_STATE_FAWPKT | APP_STATE_KILL_OTHER | APP_STATE_GIVEME;
|
||||
}
|
||||
ret = dabloom_search(pktinfo, thread_seq);
|
||||
if(ret == 1){
|
||||
return APP_STATE_FAWPKT | APP_STATE_KILL_OTHER | APP_STATE_GIVEME;
|
||||
@@ -1518,6 +1427,7 @@ char first_data_process(struct streaminfo *stream, struct pme_info *pmeinfo, str
|
||||
pmeinfo->ssl_intercept_state = 1;
|
||||
//only action = intercept, need sendlog
|
||||
pmeinfo->tld_handle = TLD_create(-1);
|
||||
pxy_tcp_option_get_param(g_tsg_maat_feather,(const struct streaminfo *)stream,pmeinfo,logger);
|
||||
return first_data_intercept(stream, pmeinfo, pktinfo, thread_seq);
|
||||
default:
|
||||
//action != intercept,bypass and dropme
|
||||
@@ -2658,7 +2568,12 @@ extern "C" int kni_init(){
|
||||
if(ret < 0){
|
||||
KNI_LOG_ERROR(local_logger, "Fail get sec_policy_id for self_test, Now sec_policy_id = -1");
|
||||
}
|
||||
|
||||
//init proxy tcp option maat
|
||||
ret = pxy_tcp_option_rule_init(profile, local_logger);
|
||||
if(ret < 0){
|
||||
KNI_LOG_ERROR(local_logger, "Failed at init pxy_tcp_option_rule");
|
||||
goto error_out;
|
||||
}
|
||||
//init tfe_mgr
|
||||
_tfe_mgr = tfe_mgr_init(tfe_node_count, profile, g_kni_handle->deploy_mode, local_logger);
|
||||
if(_tfe_mgr == NULL){
|
||||
|
||||
Reference in New Issue
Block a user