20180712：

调整配置库表名称，根据action决定处理动作： 1、命中whitelist：回注不再处理 2、命中reject：进行业务处理 3、default：回注不再处理
2018-07-12 17:49:00 +08:00
parent 2a4832a48f
commit 39d12fa2aa
9 changed files with 90 additions and 89 deletions
--- a/bin/kniconf/maat_table_info.conf
+++ b/bin/kniconf/maat_table_info.conf
@@ -1,5 +1,8 @@
-1	MATT_CONFIG_COMPILE	compile	GBK	GBK	no	0
-#2	MATT_CONFIG_GROUP	group	GBK	GBK	no	0
-3	IP_BMD	ip	GBK	GBK	no	0
-4	USER_AREA	ip	GBK	GBK	no	0
-5	SNI_BMD	expr	GBK	GBK	yes	0
+1	WHITE_LIST_COMPILE	compile	GBK	GBK	no	0
+1	PXY_INTERCEPT_COMPILE	compile	GBK	GBK	no	0
+2	WHITE_LIST_GROUP	group	GBK	GBK	no	0
+2	PXY_INTERCEPT_GROUP	group	GBK	GBK	no	0
+3	WHITE_LIST_IP	ip	GBK	GBK	no	0
+3	PXY_INTERCEPT_IP	ip	GBK	GBK	no	0
+4	WHITE_LIST_DOMAIN	expr	GBK	GBK	yes	0
+4	PXY_INTERCEPT_DOMAIN	expr	GBK	GBK	yes	0
--- a/bin/kniconf/maat_test.json
+++ b/bin/kniconf/maat_test.json
@@ -1,11 +1,11 @@
 {
-    "compile_table": "MATT_CONFIG_COMPILE",
-    "group_table": "MATT_CONFIG_GROUP",
+    "compile_table": "WHITE_LIST_COMPILE",
+    "group_table": "WHITE_LIST_GROUP",
    "rules": [
        {
            "compile_id": 1,
            "service": 1,
-            "action": 2,
+            "action":128,
            "do_blacklist": 1,
            "do_log": 1,
            "effective_rage": 0,
@@ -16,11 +16,11 @@
                    "group_name": "group_1",
                    "regions": [
                        {
-                            "table_name": "IP_BMD",
+                            "table_name": "WHITE_LIST_IP",
                            "table_type": "ip",
                            "table_content": {
                                "addr_type": "ipv4",
-                                "src_ip": "192.168.11.199",
+                                "src_ip": "192.168.10.1",
                                "mask_src_ip": "255.255.255.255",
                                "src_port": "0",
                                "mask_src_port": "65535",
@@ -39,7 +39,7 @@
 	{
            "compile_id": 2,
            "service": 48,
-            "action": 2,
+            "action": 128,
            "do_blacklist": 1,
            "do_log": 1,
            "effective_rage": 0,
@@ -50,10 +50,10 @@
                    "group_name": "group_2",
                    "regions": [
                        {
-                            "table_name": "SNI_BMD",
+                            "table_name": "WHITE_LIST_DOMAIN",
                            "table_type": "string",
                            "table_content": {
-                                "keywords": "www.baidu.com",
+                                "keywords": "baidu",
                                "expr_type": "regex",
                                "match_method": "sub",
 				"format":"uncase plain"
--- a/bin/kniconf/maat_test.json_iris_tmp/.local
+++ b/bin/kniconf/maat_test.json_iris_tmp/.local
@@ -1,3 +0,0 @@
-0000000002
-0	1	1
-1	2	1
--- a/bin/kniconf/maat_test.json_iris_tmp/IP_BMD.local
+++ b/bin/kniconf/maat_test.json_iris_tmp/IP_BMD.local
@@ -1,2 +0,0 @@
-0000000001
-0	0	4	192.168.11.199	255.255.255.255	0	65535	0.0.0.0	255.255.255.255	0	65535	0	0	1	
--- a/bin/kniconf/maat_test.json_iris_tmp/MATT_CONFIG_COMPILE.local
+++ b/bin/kniconf/maat_test.json_iris_tmp/MATT_CONFIG_COMPILE.local
@@ -1,3 +0,0 @@
-0000000002
-1	1	2	1	1	0	anything	1	
-2	48	2	1	1	0	anything	1	
--- a/bin/kniconf/maat_test.json_iris_tmp/SNI_BMD.local
+++ b/bin/kniconf/maat_test.json_iris_tmp/SNI_BMD.local
@@ -1,2 +0,0 @@
-0000000001
-1	1	www.baidu.com	2	0	0	1	
--- a/bin/kniconf/maat_test.json_iris_tmp/index/full_config_index.0000000001
+++ b/bin/kniconf/maat_test.json_iris_tmp/index/full_config_index.0000000001
@@ -1,4 +0,0 @@
-MATT_CONFIG_COMPILE	2	./kniconf/maat_test.json_iris_tmp/MATT_CONFIG_COMPILE.local
-	2	./kniconf/maat_test.json_iris_tmp/.local
-IP_BMD	1	./kniconf/maat_test.json_iris_tmp/IP_BMD.local
-SNI_BMD	1	./kniconf/maat_test.json_iris_tmp/SNI_BMD.local
--- a/kni.c
+++ b/kni.c
@@ -12,7 +12,6 @@
 #include <fcntl.h>
 #include <sys/socket.h>
 #include <linux/socket.h>
-//#include <linux/tcp.h>
 #include <sys/types.h>
 #include <netinet/in.h>
 #include <arpa/inet.h>
@@ -32,12 +31,13 @@
 #include "kni.h"


-int g_kni_version_VERSION_20180710_2;
+int g_kni_version_VERSION_20180711_3;

 struct kni_var_comm g_kni_comminfo;
 struct kni_var_struct g_kni_structinfo;
 struct kni_var_maat g_kni_maatinfo;
 struct kni_fs2_info g_kni_fs2_info;
+struct kni_switch_info g_kni_switch_info;

 int g_kni_threadseq[KNI_MAX_THREADNUM];
 const char *g_kni_fs2_name[FS2_COLUMN_NUM] ={"RECV_PKTS","FWD_PKTS","DROP_PKTS","WRITE_PKTS","READ_PKTS","SEND_PKTS"};
@@ -1124,19 +1124,25 @@ not kni_bmd:STAT_FLAG_SSL_NOBMD
 ***************************************************************************************/
 int kni_judge_sni(char* sni,int sni_len,int thread_seq)
 {
+	int action=KNI_ACTION_NONE;
 	int state_flag=KNI_FLAG_SSL;

 	int string_scan_num=0;
 	int found_pos;
 	scan_status_t mid=NULL;
-	struct Maat_rule_t maat_result[KNI_MAX_CFGNUM];
+	struct Maat_rule_t maat_result;

-	string_scan_num=Maat_full_scan_string(g_kni_maatinfo.maat_feather,g_kni_maatinfo.tableid_snibmd,CHARSET_GBK,sni,sni_len,maat_result,&found_pos,KNI_MAX_CFGNUM,&mid,thread_seq);
+	string_scan_num=Maat_full_scan_string(g_kni_maatinfo.maat_feather,g_kni_maatinfo.tableid_domain,CHARSET_GBK,sni,sni_len,&maat_result,&found_pos,1,&mid,thread_seq);
 	Maat_clean_status(&mid);

 	if(string_scan_num>0)
 	{
-		state_flag=KNI_FLAG_SNIBMD;
+		action=abs(maat_result.action);
+		MESA_handle_runtime_log(g_kni_comminfo.logger, RLOG_LV_FATAL,(char*)"kni_judge_sni","action:%d",action);
+		if((action==KNI_ACTION_WHITELIST)||((action!=KNI_ACTION_REJECT)&&(g_kni_switch_info.maat_default_switch==0)))
+		{
+			state_flag=KNI_FLAG_SNIBMD;
+		}
 	}
 	
 	return state_flag;
@@ -1151,7 +1157,7 @@ not ssl:STAT_FLAG_NOTSSL
 /*
 int kni_judge_ssl_bak(char* tcp_data,int tcp_datalen,char* sni,int* sni_len)
 {
-//	int state_flag=KNI_FLAG_SSL_HALF;
+//	int state_flag=KNI_FLAG_UNKNOW;
 //	return STAT_FLAG_SSL_NOBMD;


@@ -1287,27 +1293,26 @@ int kni_judge_ssl_bak(char* tcp_data,int tcp_datalen,char* sni,int* sni_len)
 */

 /***************************************************************************************
-return :state_flag
-ipbmd:STAT_FLAG_IPBMD
-not ipbmd:STAT_FLAG_NONE
+return :action
+default:ipscan_num =0 or =1,not >1
 ***************************************************************************************/
 int kni_judge_ipbmd(struct ipaddr* addr,int thread_seq,int protocol)
 {
-	int state_flag=KNI_FLAG_UNKNOW;
+	int action=KNI_ACTION_NONE;

 	int ipscan_num=0;
 	scan_status_t mid=NULL;
-	struct Maat_rule_t maat_result[KNI_MAX_CFGNUM];
+	struct Maat_rule_t maat_result;

-	ipscan_num=Maat_scan_proto_addr(g_kni_maatinfo.maat_feather,g_kni_maatinfo.tableid_ipbmd,addr,protocol,maat_result,KNI_MAX_CFGNUM,&mid,thread_seq);
+	ipscan_num=Maat_scan_proto_addr(g_kni_maatinfo.maat_feather,g_kni_maatinfo.tableid_ip,addr,protocol,&maat_result,1,&mid,thread_seq);
 	Maat_clean_status(&mid);

 	if(ipscan_num>0)
 	{
-		state_flag=KNI_FLAG_IPBMD;
+		action=abs(maat_result.action);
 	}

-	return state_flag;
+	return action;
 }

 int kni_get_tcpinfo(struct kni_wndpro_reply_info* lastpkt_info,struct kni_tcp_hdr* tcphdr,int tcplen,struct ip* ip_hdr)
@@ -1389,8 +1394,10 @@ int kni_get_tcpopt(struct kni_tcp_hdr* tcphdr,int tcp_hdr_len,unsigned short* ms

 }

-int kni_get_data(const struct streaminfo* pstream,char* data,int* datalen)
+char* kni_get_data(const struct streaminfo* pstream,int* datalen)
 {
+	char* data=NULL;
+
 	if(pstream->type==STREAM_TYPE_TCP)
 	{
 		data=(char*)(pstream->ptcpdetail->pdata);
@@ -1407,7 +1414,7 @@ int kni_get_data(const struct streaminfo* pstream,char* data,int* datalen)
 		*datalen=0;
 	}

-	return 0;
+	return data;
 	
 	
 }
@@ -1457,7 +1464,7 @@ not ssl:STAT_FLAG_NOTSSL
 ***************************************************************************************/
 int kni_judge_ssl(char* tcp_data,int tcp_datalen,char* sni,int* sni_len)
 {
-//	int state_flag=KNI_FLAG_SSL_HALF;
+//	int state_flag=KNI_FLAG_UNKNOW;
 //	return KNI_FLAG_SSL;


@@ -1490,21 +1497,21 @@ int kni_judge_ssl(char* tcp_data,int tcp_datalen,char* sni,int* sni_len)
 	content_type=*(unsigned char*)&ssl_header[ssl_header_len];
 	if(content_type!=SSL_CONTENTTYPE_HANDSHAKE)
 	{
-		return KNI_FLAG_SSL_HALF;
+		return KNI_FLAG_UNKNOW;
 	}
 	ssl_header_len+=1;

 	version_in_header=ntohs(*(unsigned short*)&(ssl_header[ssl_header_len]));
 	if((version_in_header!=SSL_VERSION_TLS1_0)&&(version_in_header!=SSL_VERSION_TLS1_1)&&(version_in_header!=SSL_VERSION_TLS1_2))
 	{
-		return KNI_FLAG_SSL_HALF;
+		return KNI_FLAG_UNKNOW;
 	}
 	ssl_header_len+=2;

 	len_in_header=ntohs(*(unsigned short*)&(ssl_header[ssl_header_len]));
 	if(len_in_header!=tcp_datalen-SSL_HEADER_LEN)
 	{
-		return KNI_FLAG_SSL_HALF;
+		return KNI_FLAG_UNKNOW;
 	}
 	ssl_header_len+=2;
 	
@@ -1514,7 +1521,7 @@ int kni_judge_ssl(char* tcp_data,int tcp_datalen,char* sni,int* sni_len)
 	handshark_type=*(unsigned char*)&(ssl_body[ssl_body_len]);
 	if(handshark_type!=SSL_HANDSHAR_TYPE_CLIENTHELLO)	
 	{
-		return KNI_FLAG_SSL_HALF;
+		return KNI_FLAG_UNKNOW;
 	}
 	ssl_body_len+=1;

@@ -1522,7 +1529,7 @@ int kni_judge_ssl(char* tcp_data,int tcp_datalen,char* sni,int* sni_len)
 	len_in_body=*(unsigned char*)&ssl_body[ssl_body_len+2]+256*(*(unsigned char*)&ssl_body[ssl_body_len+1])+65536*(*(unsigned char*)&ssl_body[ssl_body_len]);
 	if(len_in_body!=(len_in_header-SSL_BODY_LEN))
 	{
-		return KNI_FLAG_SSL_HALF;
+		return KNI_FLAG_UNKNOW;
 	}

 	ssl_body_len+=3;
@@ -1530,7 +1537,7 @@ int kni_judge_ssl(char* tcp_data,int tcp_datalen,char* sni,int* sni_len)
 	version_in_body=ntohs(*(unsigned short*)&(ssl_body[ssl_body_len]));
 	if((version_in_body!=SSL_VERSION_TLS1_0)&&(version_in_body!=SSL_VERSION_TLS1_1)&&(version_in_body!=SSL_VERSION_TLS1_2))
 	{
-		return KNI_FLAG_SSL_HALF;
+		return KNI_FLAG_UNKNOW;
 	}
 	ssl_body_len+=2;

@@ -1554,7 +1561,7 @@ int kni_judge_ssl(char* tcp_data,int tcp_datalen,char* sni,int* sni_len)
 	extension_len_less=ntohs(*(unsigned short*)&ssl_extention[ssl_extention_len]);
 	if(extension_len_less!=len_in_body-2-32-1-session_id_len-2-ciphersuite_len-1-compression_method_len-2)
 	{
-		return KNI_FLAG_SSL_HALF;
+		return KNI_FLAG_UNKNOW;
 	}
 	ssl_extention_len+=2;

@@ -1571,7 +1578,7 @@ int kni_judge_ssl(char* tcp_data,int tcp_datalen,char* sni,int* sni_len)
 			if(len_in_extension>KNI_SNI_MAXLEN)
 			{
 				//error
-				return KNI_FLAG_SSL_HALF;
+				return KNI_FLAG_UNKNOW;
 			}

 			memcpy(sni,&ssl_extention[ssl_extention_len],len_in_extension);
@@ -1587,7 +1594,7 @@ int kni_judge_ssl(char* tcp_data,int tcp_datalen,char* sni,int* sni_len)
 		}
 	}
 	                                                                  
-	return KNI_FLAG_SSL_HALF;
+	return KNI_FLAG_UNKNOW;
 }

 int kni_judge_http(const struct streaminfo *stream)
@@ -1624,7 +1631,7 @@ int kni_protocol_identify_bak(const struct streaminfo* pstream,const struct ip*
 	}
 	else if((sport==443)||(dport==443))
 	{
-		pro_flag=KNI_FLAG_SSL_HALF;
+		pro_flag=KNI_FLAG_UNKNOW;
 	}

 	
@@ -1639,23 +1646,15 @@ char kni_first_tcpdata(const struct streaminfo* pstream,const struct ip* ip_hdr,
 	int sni_len=0;
 	char sni[KNI_MAX_BUFLEN]={0};

-	pmeinfo->status_flag=kni_protocol_identify(pstream,data,datalen,sni,&sni_len);
+	pmeinfo->status_flag=kni_protocol_identify(pstream,data,datalen,sni,&sni_len);	
+	MESA_handle_runtime_log(g_kni_comminfo.logger, RLOG_LV_DEBUG,(char*)"kni_protocol_identify","protocol:%d",pmeinfo->status_flag);

 	if(pmeinfo->status_flag==KNI_FLAG_SSL)
 	{
 		pmeinfo->status_flag=kni_judge_sni(sni,sni_len,pstream->threadnum);
+		MESA_handle_runtime_log(g_kni_comminfo.logger, RLOG_LV_DEBUG,(char*)"kni_judge_sni","status_flag:%d",pmeinfo->status_flag);
 	}
 	
-/*
-	if(pmeinfo->status_flag==KNI_FLAG_SSL_HALF)
-	{
-		pmeinfo->status_flag=kni_judge_ssl(data,datalen,sni,&sni_len);				//has kni:SSL_HALF;no kni:NOT_PROC
-		if(pmeinfo->status_flag==KNI_FLAG_SSL_HALF)
-		{
-			pmeinfo->status_flag=kni_judge_sni(sni,sni_len,pstream->threadnum);	//SNI_BMD:NOT_PROC;or SSL
- 		}
-	}
-*/
 	if((pmeinfo->status_flag==KNI_FLAG_HTTP) ||(pmeinfo->status_flag==KNI_FLAG_SSL))
 	{
 		
@@ -1687,12 +1686,12 @@ char kni_pending_opstate(const struct streaminfo* pstream,void** pme,int thread_
 	struct kni_tcp_hdr* tcphdr=(struct kni_tcp_hdr*)((char*)ip_hdr+4*(ip_hdr->ip_hl));

 	ipscan_action=kni_judge_ipbmd((struct ipaddr*)&(pstream->addr),thread_seq,protocol);
-	if(ipscan_action==KNI_ACTION_IPBMD)
+	MESA_handle_runtime_log(g_kni_comminfo.logger, RLOG_LV_DEBUG,(char*)"kni_judge_ipbmd","action:%d",ipscan_action);
+	if((ipscan_action==KNI_ACTION_WHITELIST)||((ipscan_action!=KNI_ACTION_REJECT)&&(g_kni_switch_info.maat_default_switch==0)))
 	{
 		return ret;	
 	}

-
 	pmeinfo=(struct kni_pme_info*)malloc(sizeof(struct kni_pme_info));
 	memset(pmeinfo,0,sizeof(struct kni_pme_info));
 	*pme=pmeinfo;
@@ -1701,7 +1700,7 @@ char kni_pending_opstate(const struct streaminfo* pstream,void** pme,int thread_
 //	pmeinfo->wndsize[pstream->curdir-1]=ntohs(tcphdr->th_win);
 //	if((tcphdr->th_flags&TH_SYN)&&!(tcphdr->th_flags&TH_ACK))				//get wndscale and mss from tcpopt only in syn and syn/ack
 	{
-		kni_get_data(pstream,data,&datalen);
+		data=kni_get_data(pstream,&datalen);
 		kni_get_tcpopt(tcphdr,iplen-4*(ip_hdr->ip_hl)-datalen,&(pmeinfo->mss[pstream->curdir-1]),&(pmeinfo->wnscal[pstream->curdir-1]),&(pmeinfo->sack[pstream->curdir-1]),&(pmeinfo->timestamps[pstream->curdir-1]));

 	}
@@ -1741,7 +1740,7 @@ char kni_data_opstate(const struct streaminfo* pstream,void** pme,int thread_seq
 	struct kni_pme_info* pmeinfo=(struct kni_pme_info*)*pme;
 	struct kni_tcp_hdr* tcphdr=(struct kni_tcp_hdr*)((char*)ip_hdr+4*(ip_hdr->ip_hl));

-	kni_get_data(pstream,data,&datalen);
+	data=kni_get_data(pstream,&datalen);
 	
 	if(pmeinfo->status_flag==KNI_FLAG_UNKNOW)
 	{
@@ -1852,7 +1851,7 @@ long kni_state_htable_cb_v6(void* data,const unsigned char* key,unsigned int siz
 	return datainfo->state_flag;
 }

-
+/*
 char kni_ipv6_entry(struct streaminfo *pstream,unsigned char routedir,int thread_seq,void *a_packet)
 {
 	int ip_reverse=0;
@@ -1895,7 +1894,7 @@ char kni_ipv6_entry(struct streaminfo *pstream,unsigned char routedir,int thread
 	return APP_STATE_DROPPKT;

 }
-
+*/
 extern "C" char kni_http_entry(stSessionInfo* session_info,  void **pme, int thread_seq,struct streaminfo *a_stream,const void *a_packet)
 {
 	char ret=PROT_STATE_DROPME;
@@ -1913,7 +1912,7 @@ int init_profile_info(int* logger_level,char* logger_filepath,int* maat_json_swi
 {
 	
 	MESA_load_profile_int_def((char*)KNI_CONF_FILENAME,(char*)KNI_CONF_MODE,(char*)"thread_num",&(g_kni_comminfo.thread_num),1);
-
+	MESA_load_profile_int_def((char*)KNI_CONF_FILENAME,(char*)KNI_CONF_MODE,(char*)"default_switch",&(g_kni_switch_info.maat_default_switch),1);

 	MESA_load_profile_int_def((char*)KNI_CONF_FILENAME,(char*)KNI_CONF_MODE,(char*)"logger_level",logger_level,RLOG_LV_INFO);
 	MESA_load_profile_int_def((char*)KNI_CONF_FILENAME,(char*)KNI_CONF_MODE,(char*)"maat_json_switch",maat_json_switch,0);
@@ -1960,6 +1959,7 @@ int init_kni_stat_htable()

 extern "C" char kni_init()
 {
+
 	int i=0;
 	int ret=0;

@@ -2034,11 +2034,11 @@ extern "C" char kni_init()
 		return -1;
 	}

-	g_kni_maatinfo.tableid_ipbmd=Maat_table_register(g_kni_maatinfo.maat_feather,KNI_TABLENAME_IPBMD);
-	g_kni_maatinfo.tableid_snibmd=Maat_table_register(g_kni_maatinfo.maat_feather,KNI_TABLENAME_SNIBMD);
-	if((g_kni_maatinfo.tableid_ipbmd<0)||(g_kni_maatinfo.tableid_snibmd<0))
+	g_kni_maatinfo.tableid_ip=Maat_table_register(g_kni_maatinfo.maat_feather,KNI_TABLENAME_IP);
+	g_kni_maatinfo.tableid_domain=Maat_table_register(g_kni_maatinfo.maat_feather,KNI_TABLENAME_DOMAIN);
+	if((g_kni_maatinfo.tableid_ip<0)||(g_kni_maatinfo.tableid_domain<0))
 	{
-		MESA_handle_runtime_log(g_kni_comminfo.logger, RLOG_LV_FATAL,KNI_MODULE_INIT,"Maat_table_register() error!ip_tableid:%d,sni_tableid:%d,action:%s",g_kni_maatinfo.tableid_ipbmd,g_kni_maatinfo.tableid_snibmd,KNI_ACTION_EXIT);
+		MESA_handle_runtime_log(g_kni_comminfo.logger, RLOG_LV_FATAL,KNI_MODULE_INIT,"Maat_table_register() error!ip_tableid:%d,sni_tableid:%d,action:%s",g_kni_maatinfo.tableid_ip,g_kni_maatinfo.tableid_domain,KNI_ACTION_EXIT);
 		return -1;
 	}

--- a/kni.h
+++ b/kni.h
@@ -65,8 +65,6 @@
 #define KNI_CONF_MODE			"MOUDLE"


-//maat
-#define KNI_ACTION_IPBMD		1


 #define PROTO_TYPE_TCP				6
@@ -75,11 +73,21 @@
 #define KNI_DEFAULT_WINSCLE			0
 #define KNI_DEFAULT_MSS				1460

+//maat
+#define KNI_ACTION_NONE					0x00
+#define KNI_ACTION_REJECT				0x10
+#define KNI_ACTION_DROP					0x20
+#define KNI_ACTION_REDIRECT				0x30
+#define KNI_ACTION_RATELIMIT			0x40
+#define KNI_ACTION_REPLACE				0x50
+#define KNI_ACTION_LOOP					0x60
+#define KNI_ACTION_WHITELIST			0x80
+
+#define KNI_MAX_CFGNUM					50
+#define KNI_TABLENAME_AREA				"USER_AREA"
+#define KNI_TABLENAME_IP				"WHITE_LIST_IP"
+#define KNI_TABLENAME_DOMAIN			"WHITE_LIST_DOMAIN"

-#define KNI_MAX_CFGNUM				50
-#define KNI_TABLENAME_IPBMD			"IP_BMD"
-#define KNI_TABLENAME_AREA			"USER_AREA"
-#define KNI_TABLENAME_SNIBMD		"SNI_BMD"

 #define KNI_MAATJSON_FILEPATH		"./kniconf/maat_test.json"
 #define KNI_TABLEINFO_PATH			"./kniconf/maat_table_info.conf"
@@ -149,15 +157,20 @@ enum kni_flag
 {
 	KNI_FLAG_UNKNOW=0,
 	KNI_FLAG_HTTP,
-	KNI_FLAG_SSL,
-	KNI_FLAG_SSL_HALF,
-	KNI_FLAG_IPBMD,
+	KNI_FLAG_SSL,	
 	KNI_FLAG_OUTUSER,
+	KNI_FLAG_IPBMD,
 	KNI_FLAG_SNIBMD,
+	KNI_FLAG_DROP,
 	KNI_FLAG_NOTPROC,
 };


+struct kni_switch_info
+{
+	int maat_default_switch;		//0:KNI_ACTION_NONE is fwdpkt;1:KNI_ACTION_NONE is reject
+};
+

 //htable_data_info ipv6
 struct datainfo_to_tun
@@ -186,12 +199,11 @@ struct kni_var_comm
 {
 	int project_id;
 	int kni_mode_cur;			//0:work	1:bypass
-	unsigned int local_ip;
 	int thread_num;
 	int fd_domain;
+	unsigned int local_ip;
 	int* fd_tun;
 	void* logger;
-//sendpkt test
 	int* ipv4_fd;
 };

@@ -208,9 +220,9 @@ struct kni_var_struct
 struct kni_var_maat
 {
 	Maat_feather_t maat_feather;
-	short tableid_ipbmd;
+	short tableid_ip;
 	short tableid_area;
-	short tableid_snibmd;
+	short tableid_domain;
 };

 //field stat2