gfwleak/tango-kni
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feature:TSG-14915:kni适配新版本tfe cmsg修改

Browse Source
This commit is contained in:
fumingwei
2023-04-28 18:03:22 +08:00
parent 19d0a2bd48
commit 2e19f0a9d7
4 changed files with 30 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
common/include/kni_cmsg.h
View File

@@ -32,8 +32,12 @@ enum tfe_cmsg_tlv_type
TFE_CMSG_TCP_RESTORE_TS_CLIENT_VAL = 0xe,
TFE_CMSG_TCP_RESTORE_TS_SERVER_VAL = 0xf,
TFE_CMSG_POLICY_ID = 0x10,
TFE_CMSG_POLICY_ID = 0x10, // size uint64_t
TFE_CMSG_STREAM_TRACE_ID = 0x11,
TFE_CMSG_TCP_OPTION_PROFILE_ID, // size int
TFE_CMSG_DECRYPTION_PROFILE_ID, // size int
TFE_CMSG_KEYRING_FOR_TRUSTED_ID, // size int
TFE_CMSG_KEYRING_FOR_UNTRUSTED, // size int
TFE_CMSG_SSL_INTERCEPT_STATE, //size uint64_t, 0-passthrough, 1-intercept, 2-shutdown, referer from enum ssl_stream_action
TFE_CMSG_SSL_UPSTREAM_LATENCY, //size uint64_t, milisecond
@@ -47,6 +51,8 @@ enum tfe_cmsg_tlv_type
TFE_CMSG_DST_MAC,
/* TCP option information */
TFE_CMSG_DOWNSTREAM_TCP_MSS_ENABLE,
TFE_CMSG_DOWNSTREAM_TCP_MSS_VALUE,
TFE_CMSG_DOWNSTREAM_TCP_NODELAY,
TFE_CMSG_DOWNSTREAM_TCP_TTL,
TFE_CMSG_DOWNSTREAM_TCP_KEEPALIVE,
@@ -54,6 +60,9 @@ enum tfe_cmsg_tlv_type
TFE_CMSG_DOWNSTREAM_TCP_KEEPIDLE,
TFE_CMSG_DOWNSTREAM_TCP_KEEPINTVL,
TFE_CMSG_DOWNSTREAM_TCP_USER_TIMEOUT,
TFE_CMSG_UPSTREAM_TCP_MSS_ENABLE,
TFE_CMSG_UPSTREAM_TCP_MSS_VALUE,
TFE_CMSG_UPSTREAM_TCP_NODELAY,
TFE_CMSG_UPSTREAM_TCP_TTL,
TFE_CMSG_UPSTREAM_TCP_KEEPALIVE,
@@ -61,7 +70,10 @@ enum tfe_cmsg_tlv_type
TFE_CMSG_UPSTREAM_TCP_KEEPIDLE,
TFE_CMSG_UPSTREAM_TCP_KEEPINTVL,
TFE_CMSG_UPSTREAM_TCP_USER_TIMEOUT,
TFE_CMSG_HIT_NO_INTERCEPT, // size uint8_t
TFE_CMSG_TCP_PASSTHROUGH,
TFE_CMSG_TCP_DECRYPTED_TRAFFIC_STEERING,
// share session attribute
TFE_CMSG_SRC_SUB_ID, // string max size 256

8
entry/include/kni_entry.h
View File

@@ -101,7 +101,7 @@ struct pme_info{
addr_type_t addr_type;
char stream_addr[KNI_ADDR_MAX];
int do_log;
int policy_id;
long long policy_id;
enum TSG_PROTOCOL protocol;
enum kni_action action;
int service;
@@ -131,13 +131,13 @@ struct pme_info{
int n_maat_rule;
struct maat_rule maat_rule;
//from tfe, kafka log
uint64_t ssl_intercept_state;
uint64_t ssl_pinningst; //defalut 0
uint8_t ssl_intercept_state;
uint8_t ssl_pinningst; //defalut 0
uint64_t ssl_server_side_latency;
uint64_t ssl_client_side_latency;
char ssl_server_side_version[KNI_SYMBOL_MAX];
char ssl_client_side_version[KNI_SYMBOL_MAX];
int64_t ssl_cert_verify;
int8_t ssl_cert_verify;
char ssl_error[KNI_STRING_MAX];
//for dup traffic detect

4
entry/src/kni_dynamic_bypass.cpp
View File

@@ -109,7 +109,7 @@ static int sslinfo2bypass_htable_search(MESA_htable_handle htable,char *key, int
value = MESA_htable_search_cb(htable, (const unsigned char *)key, (unsigned int )klen, sslinfo2bypass_htable_search_cb, NULL, &cb_ret);
if(cb_ret == 0)
{
pmeinfo->ssl_pinningst = *((uint64_t *)value);
pmeinfo->ssl_pinningst = *((uint8_t *)value);
KNI_LOG_DEBUG(logger, "MESA_htable: success to search, table = sslinfo2bypass_htable,key = %s, key_size = %d, ret =%d", key, klen,cb_ret);
}
else
@@ -309,7 +309,7 @@ int ssl_dynamic_bypass_htable_add(struct pme_info *pmeinfo)
MESA_htable_handle traceid2sslinfo_htable = g_kni_handle->threads_handle[pmeinfo->thread_seq].traceid2sslinfo_htable;
if(pmeinfo->ssl_intercept_state == 0)
{
cb_ret = traceid2sslinfo_htable_search(traceid2sslinfo_htable,pmeinfo->stream_traceid, strlen(pmeinfo->stream_traceid), pmeinfo->thread_seq, pmeinfo->ssl_pinningst);
cb_ret = traceid2sslinfo_htable_search(traceid2sslinfo_htable,pmeinfo->stream_traceid, strlen(pmeinfo->stream_traceid), pmeinfo->thread_seq, (uint64_t)pmeinfo->ssl_pinningst);
if(cb_ret >= 0)
{
cb_ret = MESA_htable_del(traceid2sslinfo_htable, (const unsigned char *)pmeinfo->stream_traceid, strlen(pmeinfo->stream_traceid), NULL);

12
entry/src/kni_entry.cpp
View File

@@ -199,9 +199,9 @@ static int log_generate(struct pme_info *pmeinfo){
if(pmeinfo->protocol == PROTO_SSL){
TLD_append(tld_handle, (char*)"ssl_sni", (void*)pmeinfo->domain.sni, TLD_TYPE_STRING);
//pinning state: from tfe
TLD_append(tld_handle, (char*)"ssl_pinningst", (void*)pmeinfo->ssl_pinningst, TLD_TYPE_LONG);
TLD_append(tld_handle, (char*)"ssl_pinningst", (void*)(long)pmeinfo->ssl_pinningst, TLD_TYPE_LONG);
//intercept state: from tfe
TLD_append(tld_handle, (char*)"ssl_intercept_state", (void*)pmeinfo->ssl_intercept_state, TLD_TYPE_LONG);
TLD_append(tld_handle, (char*)"ssl_intercept_state", (void*)(long)pmeinfo->ssl_intercept_state, TLD_TYPE_LONG);
//ssl upstream latency: from tfe
TLD_append(tld_handle, (char*)"ssl_server_side_latency", (void*)pmeinfo->ssl_server_side_latency, TLD_TYPE_LONG);
//ssl downstream latency: from tfe
@@ -215,7 +215,7 @@ static int log_generate(struct pme_info *pmeinfo){
TLD_append(tld_handle, (char*)"ssl_error", (void*)pmeinfo->ssl_error, TLD_TYPE_STRING);
//ssl cert verify
if(pmeinfo->ssl_cert_verify != -1){
TLD_append(tld_handle, (char*)"ssl_cert_verify", (void*)pmeinfo->ssl_cert_verify, TLD_TYPE_LONG);
TLD_append(tld_handle, (char*)"ssl_cert_verify", (void*)(long)pmeinfo->ssl_cert_verify, TLD_TYPE_LONG);
}
if (pmeinfo->ssl_intercept_state == 0){
if (strlen(pmeinfo->ssl_passthrough_reason))
@@ -619,7 +619,7 @@ static unsigned char* kni_cmsg_serialize_header_new(struct pme_info *pmeinfo, st
char src_mac[6] = {0};
char dst_mac[6] = {0};
int policy_id;
uint64_t policy_id;
unsigned int stream_common_direction;
switch(pmeinfo->protocol)
@@ -688,7 +688,7 @@ static unsigned char* kni_cmsg_serialize_header_new(struct pme_info *pmeinfo, st
ret = wrapped_kni_cmsg_set(cmsg, TFE_CMSG_TCP_RESTORE_INFO_PACKET_CUR_DIR, (const unsigned char*)&stream_curdir, 1, pmeinfo);
if(ret < 0) goto error_out;
//maat policy id
policy_id = pmeinfo->policy_id;
policy_id = (uint64_t)pmeinfo->policy_id;
ret = wrapped_kni_cmsg_set(cmsg, TFE_CMSG_POLICY_ID, (const unsigned char*)&policy_id, sizeof(policy_id), pmeinfo);
if(ret < 0) goto error_out;
//stream trace id
@@ -1736,7 +1736,7 @@ char first_data_process(struct streaminfo *stream, struct pme_info *pmeinfo, str
pmeinfo->session_attribute = kni_pull_session_attribute_results(stream,pmeinfo);
maat_hit = 1;
char *action_str = kni_maat_action_trans(pmeinfo->action);
KNI_LOG_INFO(logger, "intercept_policy_scan: %s, %s, maat_hit = %d, rule_id = %d, action = %d(%s), stream traceid = %s",
KNI_LOG_INFO(logger, "intercept_policy_scan: %s, %s, maat_hit = %d, rule_id = %u, action = %d(%s), stream traceid = %s",
pmeinfo->stream_addr, (char*)&(pmeinfo->domain), maat_hit, pmeinfo->policy_id, pmeinfo->action, action_str, pmeinfo->stream_traceid);
}
switch(pmeinfo->action){