feature:TSG-14915:kni适配新版本tfe cmsg修改
@@ -32,8 +32,12 @@ enum tfe_cmsg_tlv_type
|
|||||||
TFE_CMSG_TCP_RESTORE_TS_CLIENT_VAL = 0xe,
|
TFE_CMSG_TCP_RESTORE_TS_CLIENT_VAL = 0xe,
|
||||||
TFE_CMSG_TCP_RESTORE_TS_SERVER_VAL = 0xf,
|
TFE_CMSG_TCP_RESTORE_TS_SERVER_VAL = 0xf,
|
||||||
|
|
||||||
TFE_CMSG_POLICY_ID = 0x10,
|
TFE_CMSG_POLICY_ID = 0x10, // size uint64_t
|
||||||
TFE_CMSG_STREAM_TRACE_ID = 0x11,
|
TFE_CMSG_STREAM_TRACE_ID = 0x11,
|
||||||
|
TFE_CMSG_TCP_OPTION_PROFILE_ID, // size int
|
||||||
|
TFE_CMSG_DECRYPTION_PROFILE_ID, // size int
|
||||||
|
TFE_CMSG_KEYRING_FOR_TRUSTED_ID, // size int
|
||||||
|
TFE_CMSG_KEYRING_FOR_UNTRUSTED, // size int
|
||||||
|
|
||||||
TFE_CMSG_SSL_INTERCEPT_STATE, //size uint64_t, 0-passthrough, 1-intercept, 2-shutdown, referer from enum ssl_stream_action
|
TFE_CMSG_SSL_INTERCEPT_STATE, //size uint64_t, 0-passthrough, 1-intercept, 2-shutdown, referer from enum ssl_stream_action
|
||||||
TFE_CMSG_SSL_UPSTREAM_LATENCY, //size uint64_t, milisecond
|
TFE_CMSG_SSL_UPSTREAM_LATENCY, //size uint64_t, milisecond
|
||||||
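Review bot: The enumerators added after `TFE_CMSG_STREAM_TRACE_ID = 0x11` (`TFE_CMSG_TCP_OPTION_PROFILE_ID` through `TFE_CMSG_KEYRING_FOR_UNTRUSTED`) carry no explicit values, so every later TLV type, starting with `TFE_CMSG_SSL_INTERCEPT_STATE`, silently takes a new wire code; the insertions in the -47, -54 and -61 hunks of this enum do the same. Because these codes are exchanged with TFE, a peer built from a different revision of the header will misinterpret the TLVs, so I would give the new entries explicit values and put a comment above the first one such as `/* wire codes shared with tfe_cmsg: values must match the TFE header of the same release */`. `TFE_CMSG_KEYRING_FOR_UNTRUSTED` also drops the `_ID` suffix its sibling `TFE_CMSG_KEYRING_FOR_TRUSTED_ID` carries; renaming it `TFE_CMSG_KEYRING_FOR_UNTRUSTED_ID` now is cheaper than after callers depend on it. The enum `tfe_cmsg_tlv_type` begins before this hunk.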
@@ -47,6 +51,8 @@ enum tfe_cmsg_tlv_type
|
|||||||
TFE_CMSG_DST_MAC,
|
TFE_CMSG_DST_MAC,
|
||||||
|
|
||||||
/* TCP option information */
|
/* TCP option information */
|
||||||
|
TFE_CMSG_DOWNSTREAM_TCP_MSS_ENABLE,
|
||||||
|
TFE_CMSG_DOWNSTREAM_TCP_MSS_VALUE,
|
||||||
TFE_CMSG_DOWNSTREAM_TCP_NODELAY,
|
TFE_CMSG_DOWNSTREAM_TCP_NODELAY,
|
||||||
TFE_CMSG_DOWNSTREAM_TCP_TTL,
|
TFE_CMSG_DOWNSTREAM_TCP_TTL,
|
||||||
TFE_CMSG_DOWNSTREAM_TCP_KEEPALIVE,
|
TFE_CMSG_DOWNSTREAM_TCP_KEEPALIVE,
|
||||||
@@ -54,6 +60,9 @@ enum tfe_cmsg_tlv_type
|
|||||||
TFE_CMSG_DOWNSTREAM_TCP_KEEPIDLE,
|
TFE_CMSG_DOWNSTREAM_TCP_KEEPIDLE,
|
||||||
TFE_CMSG_DOWNSTREAM_TCP_KEEPINTVL,
|
TFE_CMSG_DOWNSTREAM_TCP_KEEPINTVL,
|
||||||
TFE_CMSG_DOWNSTREAM_TCP_USER_TIMEOUT,
|
TFE_CMSG_DOWNSTREAM_TCP_USER_TIMEOUT,
|
||||||
|
|
||||||
|
TFE_CMSG_UPSTREAM_TCP_MSS_ENABLE,
|
||||||
|
TFE_CMSG_UPSTREAM_TCP_MSS_VALUE,
|
||||||
TFE_CMSG_UPSTREAM_TCP_NODELAY,
|
TFE_CMSG_UPSTREAM_TCP_NODELAY,
|
||||||
TFE_CMSG_UPSTREAM_TCP_TTL,
|
TFE_CMSG_UPSTREAM_TCP_TTL,
|
||||||
TFE_CMSG_UPSTREAM_TCP_KEEPALIVE,
|
TFE_CMSG_UPSTREAM_TCP_KEEPALIVE,
|
||||||
@@ -61,7 +70,10 @@ enum tfe_cmsg_tlv_type
|
|||||||
TFE_CMSG_UPSTREAM_TCP_KEEPIDLE,
|
TFE_CMSG_UPSTREAM_TCP_KEEPIDLE,
|
||||||
TFE_CMSG_UPSTREAM_TCP_KEEPINTVL,
|
TFE_CMSG_UPSTREAM_TCP_KEEPINTVL,
|
||||||
TFE_CMSG_UPSTREAM_TCP_USER_TIMEOUT,
|
TFE_CMSG_UPSTREAM_TCP_USER_TIMEOUT,
|
||||||
|
|
||||||
|
TFE_CMSG_HIT_NO_INTERCEPT, // size uint8_t
|
||||||
TFE_CMSG_TCP_PASSTHROUGH,
|
TFE_CMSG_TCP_PASSTHROUGH,
|
||||||
|
TFE_CMSG_TCP_DECRYPTED_TRAFFIC_STEERING,
|
||||||
|
|
||||||
// share session attribute
|
// share session attribute
|
||||||
TFE_CMSG_SRC_SUB_ID, // string max size 256
|
TFE_CMSG_SRC_SUB_ID, // string max size 256
|
||||||
|
|||||||
@@ -101,7 +101,7 @@ struct pme_info{
|
|||||||
addr_type_t addr_type;
|
addr_type_t addr_type;
|
||||||
char stream_addr[KNI_ADDR_MAX];
|
char stream_addr[KNI_ADDR_MAX];
|
||||||
int do_log;
|
int do_log;
|
||||||
int policy_id;
|
long long policy_id;
|
||||||
enum TSG_PROTOCOL protocol;
|
enum TSG_PROTOCOL protocol;
|
||||||
enum kni_action action;
|
enum kni_action action;
|
||||||
int service;
|
int service;
|
||||||
@@ -131,13 +131,13 @@ struct pme_info{
|
|||||||
int n_maat_rule;
|
int n_maat_rule;
|
||||||
struct maat_rule maat_rule;
|
struct maat_rule maat_rule;
|
||||||
//from tfe, kafka log
|
//from tfe, kafka log
|
||||||
uint64_t ssl_intercept_state;
|
uint8_t ssl_intercept_state;
|
||||||
uint64_t ssl_pinningst; //defalut 0
|
uint8_t ssl_pinningst; //defalut 0
|
||||||
uint64_t ssl_server_side_latency;
|
uint64_t ssl_server_side_latency;
|
||||||
uint64_t ssl_client_side_latency;
|
uint64_t ssl_client_side_latency;
|
||||||
char ssl_server_side_version[KNI_SYMBOL_MAX];
|
char ssl_server_side_version[KNI_SYMBOL_MAX];
|
||||||
char ssl_client_side_version[KNI_SYMBOL_MAX];
|
char ssl_client_side_version[KNI_SYMBOL_MAX];
|
||||||
int64_t ssl_cert_verify;
|
int8_t ssl_cert_verify;
|
||||||
char ssl_error[KNI_STRING_MAX];
|
char ssl_error[KNI_STRING_MAX];
|
||||||
|
|
||||||
//for dup traffic detect
|
//for dup traffic detect
|
||||||
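Review bot: `ssl_intercept_state` and `ssl_pinningst` shrink from `uint64_t` to `uint8_t` here, while the enum comment on `TFE_CMSG_SSL_INTERCEPT_STATE` in the -32 hunk still reads `size uint64_t`, so one of the two now misdocuments the TLV payload width. If the cmsg decode path copies by the length carried in the TLV rather than by `sizeof pmeinfo->ssl_intercept_state`, an 8-byte payload landing in the 1-byte field would overrun into `ssl_pinningst` and the fields after it; the decoder is not in this diff, so please confirm it bounds the copy to the destination field. Whichever width is the wire width, fix the other side and record it on the field, e.g. `uint8_t ssl_intercept_state; // TFE_CMSG_SSL_INTERCEPT_STATE payload; 1 byte on the wire`. `struct pme_info` begins before this hunk and continues after it.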
|
|||||||
@@ -109,7 +109,7 @@ static int sslinfo2bypass_htable_search(MESA_htable_handle htable,char *key, int
|
|||||||
value = MESA_htable_search_cb(htable, (const unsigned char *)key, (unsigned int )klen, sslinfo2bypass_htable_search_cb, NULL, &cb_ret);
|
value = MESA_htable_search_cb(htable, (const unsigned char *)key, (unsigned int )klen, sslinfo2bypass_htable_search_cb, NULL, &cb_ret);
|
||||||
if(cb_ret == 0)
|
if(cb_ret == 0)
|
||||||
{
|
{
|
||||||
pmeinfo->ssl_pinningst = *((uint64_t *)value);
|
pmeinfo->ssl_pinningst = *((uint8_t *)value);
|
||||||
KNI_LOG_DEBUG(logger, "MESA_htable: success to search, table = sslinfo2bypass_htable,key = %s, key_size = %d, ret =%d", key, klen,cb_ret);
|
KNI_LOG_DEBUG(logger, "MESA_htable: success to search, table = sslinfo2bypass_htable,key = %s, key_size = %d, ret =%d", key, klen,cb_ret);
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
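Review bot: The read `pmeinfo->ssl_pinningst = *((uint8_t *)value);` narrows the type taken from the table value, but the insert side that stores that value is not part of this diff, so it should be confirmed that the stored object is now a `uint8_t`; if it is still written as a `uint64_t`, this read yields the low byte only on little-endian hosts and the high byte elsewhere. The call in the -309 hunk still passes `(uint64_t)pmeinfo->ssl_pinningst` to `traceid2sslinfo_htable_search`, which suggests the other table keeps a 64-bit value for the same field, so the two tables now disagree on its type. Either store and read one type on both sides, or state the contract at the read, e.g. `// sslinfo2bypass values are stored as uint8_t; keep in sync with the insert path`. `sslinfo2bypass_htable_search` begins and ends outside this hunk.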
@@ -309,7 +309,7 @@ int ssl_dynamic_bypass_htable_add(struct pme_info *pmeinfo)
|
|||||||
MESA_htable_handle traceid2sslinfo_htable = g_kni_handle->threads_handle[pmeinfo->thread_seq].traceid2sslinfo_htable;
|
MESA_htable_handle traceid2sslinfo_htable = g_kni_handle->threads_handle[pmeinfo->thread_seq].traceid2sslinfo_htable;
|
||||||
if(pmeinfo->ssl_intercept_state == 0)
|
if(pmeinfo->ssl_intercept_state == 0)
|
||||||
{
|
{
|
||||||
cb_ret = traceid2sslinfo_htable_search(traceid2sslinfo_htable,pmeinfo->stream_traceid, strlen(pmeinfo->stream_traceid), pmeinfo->thread_seq, pmeinfo->ssl_pinningst);
|
cb_ret = traceid2sslinfo_htable_search(traceid2sslinfo_htable,pmeinfo->stream_traceid, strlen(pmeinfo->stream_traceid), pmeinfo->thread_seq, (uint64_t)pmeinfo->ssl_pinningst);
|
||||||
if(cb_ret >= 0)
|
if(cb_ret >= 0)
|
||||||
{
|
{
|
||||||
cb_ret = MESA_htable_del(traceid2sslinfo_htable, (const unsigned char *)pmeinfo->stream_traceid, strlen(pmeinfo->stream_traceid), NULL);
|
cb_ret = MESA_htable_del(traceid2sslinfo_htable, (const unsigned char *)pmeinfo->stream_traceid, strlen(pmeinfo->stream_traceid), NULL);
|
||||||
|
|||||||
@@ -199,9 +199,9 @@ static int log_generate(struct pme_info *pmeinfo){
|
|||||||
if(pmeinfo->protocol == PROTO_SSL){
|
if(pmeinfo->protocol == PROTO_SSL){
|
||||||
TLD_append(tld_handle, (char*)"ssl_sni", (void*)pmeinfo->domain.sni, TLD_TYPE_STRING);
|
TLD_append(tld_handle, (char*)"ssl_sni", (void*)pmeinfo->domain.sni, TLD_TYPE_STRING);
|
||||||
//pinning state: from tfe
|
//pinning state: from tfe
|
||||||
TLD_append(tld_handle, (char*)"ssl_pinningst", (void*)pmeinfo->ssl_pinningst, TLD_TYPE_LONG);
|
TLD_append(tld_handle, (char*)"ssl_pinningst", (void*)(long)pmeinfo->ssl_pinningst, TLD_TYPE_LONG);
|
||||||
//intercept state: from tfe
|
//intercept state: from tfe
|
||||||
TLD_append(tld_handle, (char*)"ssl_intercept_state", (void*)pmeinfo->ssl_intercept_state, TLD_TYPE_LONG);
|
TLD_append(tld_handle, (char*)"ssl_intercept_state", (void*)(long)pmeinfo->ssl_intercept_state, TLD_TYPE_LONG);
|
||||||
//ssl upstream latency: from tfe
|
//ssl upstream latency: from tfe
|
||||||
TLD_append(tld_handle, (char*)"ssl_server_side_latency", (void*)pmeinfo->ssl_server_side_latency, TLD_TYPE_LONG);
|
TLD_append(tld_handle, (char*)"ssl_server_side_latency", (void*)pmeinfo->ssl_server_side_latency, TLD_TYPE_LONG);
|
||||||
//ssl downstream latency: from tfe
|
//ssl downstream latency: from tfe
|
||||||
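Review bot: The new `(void*)(long)` casts on `ssl_pinningst` and `ssl_intercept_state` are not applied to `ssl_server_side_latency` two lines further down, which is still passed as `(void*)pmeinfo->ssl_server_side_latency`, so the three `TLD_TYPE_LONG` appends in this hunk convert the same way only because `long` and `uint64_t` happen to share a width on this target. Carrying an integer through `void*` is the existing `TLD_append` contract, so I would at least make the casts uniform and use `intptr_t` (already available through `<stdint.h>`, which the `uint64_t` fields rely on) rather than `long`: `(void*)(intptr_t)pmeinfo->ssl_server_side_latency`. `log_generate` begins and ends outside this hunk.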
@@ -215,7 +215,7 @@ static int log_generate(struct pme_info *pmeinfo){
|
|||||||
TLD_append(tld_handle, (char*)"ssl_error", (void*)pmeinfo->ssl_error, TLD_TYPE_STRING);
|
TLD_append(tld_handle, (char*)"ssl_error", (void*)pmeinfo->ssl_error, TLD_TYPE_STRING);
|
||||||
//ssl cert verify
|
//ssl cert verify
|
||||||
if(pmeinfo->ssl_cert_verify != -1){
|
if(pmeinfo->ssl_cert_verify != -1){
|
||||||
TLD_append(tld_handle, (char*)"ssl_cert_verify", (void*)pmeinfo->ssl_cert_verify, TLD_TYPE_LONG);
|
TLD_append(tld_handle, (char*)"ssl_cert_verify", (void*)(long)pmeinfo->ssl_cert_verify, TLD_TYPE_LONG);
|
||||||
}
|
}
|
||||||
if (pmeinfo->ssl_intercept_state == 0){
|
if (pmeinfo->ssl_intercept_state == 0){
|
||||||
if (strlen(pmeinfo->ssl_passthrough_reason))
|
if (strlen(pmeinfo->ssl_passthrough_reason))
|
||||||
@@ -619,7 +619,7 @@ static unsigned char* kni_cmsg_serialize_header_new(struct pme_info *pmeinfo, st
|
|||||||
|
|
||||||
char src_mac[6] = {0};
|
char src_mac[6] = {0};
|
||||||
char dst_mac[6] = {0};
|
char dst_mac[6] = {0};
|
||||||
int policy_id;
|
uint64_t policy_id;
|
||||||
unsigned int stream_common_direction;
|
unsigned int stream_common_direction;
|
||||||
|
|
||||||
switch(pmeinfo->protocol)
|
switch(pmeinfo->protocol)
|
||||||
@@ -688,7 +688,7 @@ static unsigned char* kni_cmsg_serialize_header_new(struct pme_info *pmeinfo, st
|
|||||||
ret = wrapped_kni_cmsg_set(cmsg, TFE_CMSG_TCP_RESTORE_INFO_PACKET_CUR_DIR, (const unsigned char*)&stream_curdir, 1, pmeinfo);
|
ret = wrapped_kni_cmsg_set(cmsg, TFE_CMSG_TCP_RESTORE_INFO_PACKET_CUR_DIR, (const unsigned char*)&stream_curdir, 1, pmeinfo);
|
||||||
if(ret < 0) goto error_out;
|
if(ret < 0) goto error_out;
|
||||||
//maat policy id
|
//maat policy id
|
||||||
policy_id = pmeinfo->policy_id;
|
policy_id = (uint64_t)pmeinfo->policy_id;
|
||||||
ret = wrapped_kni_cmsg_set(cmsg, TFE_CMSG_POLICY_ID, (const unsigned char*)&policy_id, sizeof(policy_id), pmeinfo);
|
ret = wrapped_kni_cmsg_set(cmsg, TFE_CMSG_POLICY_ID, (const unsigned char*)&policy_id, sizeof(policy_id), pmeinfo);
|
||||||
if(ret < 0) goto error_out;
|
if(ret < 0) goto error_out;
|
||||||
//stream trace id
|
//stream trace id
|
||||||
@@ -1736,7 +1736,7 @@ char first_data_process(struct streaminfo *stream, struct pme_info *pmeinfo, str
|
|||||||
pmeinfo->session_attribute = kni_pull_session_attribute_results(stream,pmeinfo);
|
pmeinfo->session_attribute = kni_pull_session_attribute_results(stream,pmeinfo);
|
||||||
maat_hit = 1;
|
maat_hit = 1;
|
||||||
char *action_str = kni_maat_action_trans(pmeinfo->action);
|
char *action_str = kni_maat_action_trans(pmeinfo->action);
|
||||||
KNI_LOG_INFO(logger, "intercept_policy_scan: %s, %s, maat_hit = %d, rule_id = %d, action = %d(%s), stream traceid = %s",
|
KNI_LOG_INFO(logger, "intercept_policy_scan: %s, %s, maat_hit = %d, rule_id = %u, action = %d(%s), stream traceid = %s",
|
||||||
pmeinfo->stream_addr, (char*)&(pmeinfo->domain), maat_hit, pmeinfo->policy_id, pmeinfo->action, action_str, pmeinfo->stream_traceid);
|
pmeinfo->stream_addr, (char*)&(pmeinfo->domain), maat_hit, pmeinfo->policy_id, pmeinfo->action, action_str, pmeinfo->stream_traceid);
|
||||||
}
|
}
|
||||||
switch(pmeinfo->action){
|
switch(pmeinfo->action){
|
||||||
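Review bot: The changed format `rule_id = %u` in `KNI_LOG_INFO` does not match its argument: `pmeinfo->policy_id` becomes `long long` in this commit (the -101 hunk of `struct pme_info`), so passing it for a `%u` conversion is undefined behaviour and `-Wformat` will flag it. Use `rule_id = %lld` here, or make the field `uint64_t` like the `policy_id` local in the -619 hunk and print it with `PRIu64` so the struct, the wire encoding and the log agree on one type; the `(uint64_t)pmeinfo->policy_id` cast in the -688 hunk would then be unnecessary. `first_data_process` begins and ends outside this hunk.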
|
|||||||