TCP协议SNAT和DNAT测试完成。通过在网关192.168.10.5捕包确认；DNAT在虚拟服务器上捕包确认；

2018-12-17 10:26:39 +08:00
parent dba56c9e4b
commit 2a477df49f
3 changed files with 193 additions and 24 deletions
--- a/kni_comm.c
+++ b/kni_comm.c
@@ -129,6 +129,7 @@ int kni_log_debug(int level,char* module,const void* a_packet,const char* format
 	struct ip* ipv4_hdr = (struct ip*)a_packet;
    struct kni_ipv6_hdr* ipv6_hdr = (struct kni_ipv6_hdr*)a_packet;
 	struct tcphdr* tcphdr = NULL;
+	struct udphdr* udphdr = NULL;


 	char buf[4096] = {0};
@@ -475,7 +476,7 @@ int kni_filestate2_init()
 	g_kni_fs2_info.field_id[FS_WHITELIST]=FS_register(g_kni_fs2_info.handler, FS_STYLE_FIELD, FS_CALC_CURRENT,"link_whitelist");
 	g_kni_fs2_info.field_id[FS_INTERCEPT]=FS_register(g_kni_fs2_info.handler, FS_STYLE_FIELD, FS_CALC_CURRENT,"link_intercept");
 	g_kni_fs2_info.field_id[FS_REDIRECT]=FS_register(g_kni_fs2_info.handler, FS_STYLE_FIELD, FS_CALC_CURRENT,"link_redirect");
-	g_kni_fs2_info.field_id[FS_REDIRECT_REPLY]=FS_register(g_kni_fs2_info.handler, FS_STYLE_FIELD, FS_CALC_CURRENT,"link_redirect_reply");
+	g_kni_fs2_info.field_id[FS_REDIRECT_REPLY]=FS_register(g_kni_fs2_info.handler, FS_STYLE_FIELD, FS_CALC_CURRENT,"redirect_reply");
 	g_kni_fs2_info.field_id[FS_RATELIMIT]=FS_register(g_kni_fs2_info.handler, FS_STYLE_FIELD, FS_CALC_CURRENT,"link_ratelimit");
 	g_kni_fs2_info.field_id[FS_NOT_HIT]=FS_register(g_kni_fs2_info.handler, FS_STYLE_FIELD, FS_CALC_CURRENT,"link_not_hit");
 	g_kni_fs2_info.field_id[FS_RATELIMIT_UDP]=FS_register(g_kni_fs2_info.handler, FS_STYLE_FIELD, FS_CALC_CURRENT,"ratelimit_udp_pkt");
--- a/kni_entry.c
+++ b/kni_entry.c
@@ -1076,6 +1076,117 @@ extern "C" char kni_http_entry(stSessionInfo* session_info,  void **pme, int thr



+
+extern "C" char kni_ipv4_entry(const struct streaminfo *pstream,unsigned char routedir,int thread_seq, struct ip* ipv4_hdr)
+{
+	if(ipv4_hdr->ip_p !=IPPROTO_ICMP )
+	{
+		return APP_STATE_DROPME;
+	}
+
+
+	char ret = APP_STATE_GIVEME;
+	scan_status_t mid = NULL;
+	struct kni_pme_info pmeinfo;
+
+	
+	struct ipaddr addr;
+	struct tuple4 ipv4_addr;
+
+	addr.addrtype = ADDR_TYPE_IPV4;
+	addr.paddr = (void*)(&ipv4_addr);
+
+	memset(&ipv4_addr,0,sizeof(ipv4_addr));
+	ipv4_addr.daddr = *((unsigned int*)&(ipv4_hdr->ip_dst));
+	ipv4_addr.saddr = *((unsigned int*)&(ipv4_hdr->ip_src));
+
+
+	memset(&pmeinfo,0,sizeof(pmeinfo));
+	pmeinfo.mid = mid;
+	
+	kni_scan_ip(&addr,thread_seq,ipv4_hdr->ip_p,&pmeinfo);
+	Maat_clean_status(&(pmeinfo.mid));
+	
+//add kni_action_redirect  20181216 start
+	if(pmeinfo.action == KNI_ACTION_REDIRECT)
+	{
+		ret = process_redirect_pending(pstream,&pmeinfo,thread_seq,ipv4_hdr,0,routedir);
+		return ret;
+	}
+	else if(redirect_search_htable(pstream->addr.addrtype,&pmeinfo,thread_seq,ipv4_hdr,0) == 1)
+	{
+		ret = process_redirect_data(pstream,&pmeinfo,thread_seq,ipv4_hdr,0,routedir);
+		return ret; 
+			
+	}
+//end
+	
+
+
+	return ret;
+	
+}
+
+extern "C" char kni_ipv6_entry(const struct streaminfo *pstream,unsigned char routedir,int thread_seq, struct kni_ipv6_hdr* ipv6_hdr)
+{
+	if((ipv6_hdr->ip6_flags[0] & 0xF0) != 0x60) 
+	{
+		return -1;
+	}
+
+	char ret = APP_STATE_GIVEME;
+	scan_status_t mid = NULL;
+	struct kni_pme_info pmeinfo;
+
+	struct ipaddr addr;
+	struct tuple6 ipv6_addr;
+	unsigned char next_hdr_type = ipv6_hdr->ip6_nex_hdr;
+
+	if(next_hdr_type != IPPROTO_ICMP)
+	{
+		return ret;
+	}
+
+	addr.addrtype = ADDR_TYPE_IPV6;
+	addr.paddr = (void*)(&ipv6_addr);
+
+	memset(&ipv6_addr,0,sizeof(ipv6_addr));
+	memcpy(ipv6_addr.saddr,&(ipv6_hdr->ip6_src),sizeof(ipv6_addr.saddr));
+	memcpy(ipv6_addr.daddr,&(ipv6_hdr->ip6_dst),sizeof(ipv6_addr.saddr));
+	
+
+	memset(&pmeinfo,0,sizeof(pmeinfo));
+	pmeinfo.mid = mid;
+	
+	kni_scan_ip(&addr,thread_seq,next_hdr_type,&pmeinfo);
+
+	Maat_clean_status(&(pmeinfo.mid));
+
+	
+//add kni_action_redirect  20181216 start
+	if(pmeinfo.action == KNI_ACTION_REDIRECT)
+	{
+		ret = process_redirect_pending(pstream,&pmeinfo,thread_seq,ipv6_hdr,0,routedir);
+		return ret;
+	}
+	else if(redirect_search_htable(pstream->addr.addrtype,&pmeinfo,thread_seq,ipv6_hdr,0) == 1)
+	{
+		ret = process_redirect_data(pstream,&pmeinfo,thread_seq,ipv6_hdr,0,routedir);
+		return ret; 
+			
+	}
+//end
+	
+
+	return ret;
+	
+
+}
+
+
+
+
+/*
 extern "C" char kni_ipv4_entry(const struct streaminfo *pstream,unsigned char routedir,int thread_seq, struct ip* ipv4_hdr)
 {
 	if((ipv4_hdr->ip_p == IPPROTO_TCP) || (ipv4_hdr->ip_p == IPPROTO_UDP) || ((g_kni_switch_info.replace_switch == 0) && (g_kni_switch_info.ratelimit_switch == 0)))
@@ -1089,10 +1200,10 @@ extern "C" char kni_ipv4_entry(const struct streaminfo *pstream,unsigned char ro
 	char ret = APP_STATE_GIVEME;
 	scan_status_t mid = NULL;
 	struct kni_pme_info pmeinfo;
-/*
-	int payload_len = ntohs(ipv4_hdr->ip_len) - 4*(ipv4_hdr->ip_hl);
-	char* payload = (char*)ipv4_hdr + 4*(ipv4_hdr->ip_hl);
-*/
+
+//	int payload_len = ntohs(ipv4_hdr->ip_len) - 4*(ipv4_hdr->ip_hl);
+//	char* payload = (char*)ipv4_hdr + 4*(ipv4_hdr->ip_hl);
+
 	
 	struct ipaddr addr;
 	struct tuple4 ipv4_addr;
@@ -1169,6 +1280,7 @@ extern "C" char kni_ipv6_entry(const struct streaminfo *pstream,unsigned char ro
 	

 }
+*/



--- a/kni_redirect.c
+++ b/kni_redirect.c
@@ -40,6 +40,7 @@ int redirect_search_htable(unsigned char addr_type,struct kni_pme_info* pmeinfo,
 	struct ip* ipv4_hdr = NULL;
 	struct kni_ipv6_hdr* ipv6_hdr = NULL;
 	struct kni_tcp_hdr* tcphdr=NULL;
+	struct kni_udp_hdr* udphdr=NULL;

 	long result = 0;
 	struct stream_tuple4_v4 htable_key_v4;
@@ -48,24 +49,54 @@ int redirect_search_htable(unsigned char addr_type,struct kni_pme_info* pmeinfo,
 	if(addr_type==ADDR_TYPE_IPV4)
 	{
 		ipv4_hdr = (struct ip*)a_packet;
-		tcphdr=(struct kni_tcp_hdr*)((char*)ipv4_hdr+4*(ipv4_hdr->ip_hl));

 		htable_key_v4.saddr=(ipv4_hdr->ip_src).s_addr;
 		htable_key_v4.daddr=(ipv4_hdr->ip_dst).s_addr;
-		htable_key_v4.source=tcphdr->th_sport;
-		htable_key_v4.dest=tcphdr->th_dport;
+		
+		if(protocol==PROTO_TYPE_TCP)
+		{
+			tcphdr=(struct kni_tcp_hdr*)((char*)ipv4_hdr+4*(ipv4_hdr->ip_hl));
+			htable_key_v4.source=tcphdr->th_sport;
+			htable_key_v4.dest=tcphdr->th_dport;
+		}
+		else if(protocol == PROTO_TYPE_UDP)
+		{
+			udphdr=(struct kni_udp_hdr*)((char*)ipv4_hdr+4*(ipv4_hdr->ip_hl));
+			htable_key_v4.source=udphdr->uh_sport;
+			htable_key_v4.dest=udphdr->uh_dport;
+		}
+		else
+		{
+			htable_key_v4.source=0;
+			htable_key_v4.dest=0;
+		}
 		
 		MESA_htable_search_cb(g_kni_structinfo.htable_redirect,(unsigned char*)&htable_key_v4,sizeof(htable_key_v4),redirect_htable_search_cb,(void*)&(pmeinfo->redirect_info),&result);
 	}
 	else if(addr_type==ADDR_TYPE_IPV6)
 	{
 		ipv6_hdr = (struct kni_ipv6_hdr*)a_packet;
-		tcphdr =(struct kni_tcp_hdr*)( (unsigned char*)a_packet + sizeof(struct kni_ipv6_hdr));

 		memcpy(htable_key_v6.saddr,&(ipv6_hdr->ip6_src),sizeof(htable_key_v6.saddr));
 		memcpy(htable_key_v6.daddr,&(ipv6_hdr->ip6_dst),sizeof(htable_key_v6.daddr));
-		htable_key_v6.source=tcphdr->th_sport;
-		htable_key_v6.dest=tcphdr->th_dport;
+		
+		if(protocol==PROTO_TYPE_TCP)
+		{
+			tcphdr=(struct kni_tcp_hdr*)((char*)ipv4_hdr+4*(ipv4_hdr->ip_hl));
+			htable_key_v6.source=tcphdr->th_sport;
+			htable_key_v6.dest=tcphdr->th_dport;
+		}
+		else if(protocol == PROTO_TYPE_UDP)
+		{
+			udphdr=(struct kni_udp_hdr*)((char*)ipv4_hdr+4*(ipv4_hdr->ip_hl));
+			htable_key_v6.source=udphdr->uh_sport;
+			htable_key_v6.dest=udphdr->uh_dport;
+		}
+		else
+		{
+			htable_key_v6.source=0;
+			htable_key_v6.dest=0;
+		}
 		
 		MESA_htable_search_cb(g_kni_structinfo.htable_redirect,(unsigned char*)&htable_key_v6,sizeof(htable_key_v6),redirect_htable_search_cb,(void*)&(pmeinfo->redirect_info),&result);
 	}
@@ -90,6 +121,7 @@ int redirect_add_htable(unsigned char addr_type,struct kni_pme_info* pmeinfo,int
 	struct ip* ipv4_hdr = NULL;
 	struct kni_ipv6_hdr* ipv6_hdr = NULL;
 	struct kni_tcp_hdr* tcphdr=NULL;
+	struct kni_udp_hdr* udphdr=NULL;

 	struct stream_tuple4_v4 htable_key_v4;
 	struct stream_tuple4_v6 htable_key_v6;
@@ -102,7 +134,6 @@ int redirect_add_htable(unsigned char addr_type,struct kni_pme_info* pmeinfo,int
 	if(addr_type==4)
 	{
 		ipv4_hdr = (struct ip*)a_packet;
-		tcphdr=(struct kni_tcp_hdr*)((char*)ipv4_hdr+4*(ipv4_hdr->ip_hl));

 		if(pmeinfo->redirect_info.nat_type == REDIRECT_SNAT_TYPE)
 		{
@@ -111,8 +142,6 @@ int redirect_add_htable(unsigned char addr_type,struct kni_pme_info* pmeinfo,int

 			htable_key_v4.saddr=(ipv4_hdr->ip_dst).s_addr;
 			htable_key_v4.daddr=pmeinfo->redirect_info.ipv4;
-			htable_key_v4.source=tcphdr->th_dport;
-			htable_key_v4.dest=tcphdr->th_sport;
 		}
 		else if(pmeinfo->redirect_info.nat_type == REDIRECT_DNAT_TYPE)
 		{
@@ -121,8 +150,6 @@ int redirect_add_htable(unsigned char addr_type,struct kni_pme_info* pmeinfo,int

 			htable_key_v4.saddr=pmeinfo->redirect_info.ipv4;
 			htable_key_v4.daddr=(ipv4_hdr->ip_src).s_addr;
-			htable_key_v4.source=tcphdr->th_dport;
-			htable_key_v4.dest=tcphdr->th_sport;
 		}
 		else
 		{
@@ -130,6 +157,25 @@ int redirect_add_htable(unsigned char addr_type,struct kni_pme_info* pmeinfo,int
 			return -1;
 		}

+		
+		if(protocol==PROTO_TYPE_TCP)
+		{
+			tcphdr=(struct kni_tcp_hdr*)((char*)ipv4_hdr+4*(ipv4_hdr->ip_hl));
+			htable_key_v4.source=tcphdr->th_dport;
+			htable_key_v4.dest=tcphdr->th_sport;
+		}
+		else if(protocol == PROTO_TYPE_UDP)
+		{
+			udphdr=(struct kni_udp_hdr*)((char*)ipv4_hdr+4*(ipv4_hdr->ip_hl));
+			htable_key_v4.source=udphdr->uh_dport;
+			htable_key_v4.dest=udphdr->uh_sport;
+		}
+		else
+		{
+			htable_key_v4.source=0;
+			htable_key_v4.dest=0;
+		}
+
 		pmeinfo->redirect_key_len=sizeof(htable_key_v4);
 		pmeinfo->redirect_htable_key=(char*)malloc(pmeinfo->redirect_key_len);
 		memcpy(pmeinfo->redirect_htable_key,&htable_key_v4,pmeinfo->redirect_key_len);
@@ -141,7 +187,6 @@ int redirect_add_htable(unsigned char addr_type,struct kni_pme_info* pmeinfo,int
 	else if(addr_type==6)
 	{
 		ipv6_hdr = (struct kni_ipv6_hdr*)a_packet;
-		tcphdr =(struct kni_tcp_hdr*)( (unsigned char*)a_packet + sizeof(struct kni_ipv6_hdr));

 		
 		if(pmeinfo->redirect_info.nat_type == REDIRECT_SNAT_TYPE)
@@ -152,8 +197,6 @@ int redirect_add_htable(unsigned char addr_type,struct kni_pme_info* pmeinfo,int
 			memcpy(htable_key_v6.saddr,&(ipv6_hdr->ip6_dst),sizeof(htable_key_v6.saddr));
 			memcpy(htable_key_v6.daddr,pmeinfo->redirect_info.ipv6,sizeof(htable_key_v6.daddr));

-			htable_key_v6.source=tcphdr->th_dport;
-			htable_key_v6.dest=tcphdr->th_sport;
 		}
 		else if(pmeinfo->redirect_info.nat_type == REDIRECT_DNAT_TYPE)
 		{
@@ -163,11 +206,6 @@ int redirect_add_htable(unsigned char addr_type,struct kni_pme_info* pmeinfo,int
 			memcpy(htable_key_v6.saddr,pmeinfo->redirect_info.ipv6,sizeof(htable_key_v6.saddr));
 			memcpy(htable_key_v6.daddr,&(ipv6_hdr->ip6_src),sizeof(htable_key_v6.daddr));

-			htable_key_v6.source=tcphdr->th_dport;
-			htable_key_v6.dest=tcphdr->th_sport;
-
-			htable_key_v4.saddr=pmeinfo->redirect_info.ipv4;
-			htable_key_v4.daddr=(ipv4_hdr->ip_src).s_addr;
 		}
 		else
 		{
@@ -176,6 +214,24 @@ int redirect_add_htable(unsigned char addr_type,struct kni_pme_info* pmeinfo,int
 		}

 		
+		if(protocol==PROTO_TYPE_TCP)
+		{
+			tcphdr=(struct kni_tcp_hdr*)((char*)ipv4_hdr+4*(ipv4_hdr->ip_hl));
+			htable_key_v6.source=tcphdr->th_dport;
+			htable_key_v6.dest=tcphdr->th_sport;
+		}
+		else if(protocol == PROTO_TYPE_UDP)
+		{
+			udphdr=(struct kni_udp_hdr*)((char*)ipv4_hdr+4*(ipv4_hdr->ip_hl));
+			htable_key_v6.source=udphdr->uh_dport;
+			htable_key_v6.dest=udphdr->uh_sport;
+		}
+		else
+		{
+			htable_key_v6.source=0;
+			htable_key_v6.dest=0;
+		}
+		
 		pmeinfo->redirect_key_len=sizeof(htable_key_v6);
 		pmeinfo->redirect_htable_key=(char*)malloc(pmeinfo->redirect_key_len);
 		memcpy(pmeinfo->redirect_htable_key,&htable_key_v6,pmeinfo->redirect_key_len);