diff --git a/bin/kniconf/maat_table_info.conf b/bin/kniconf/maat_table_info.conf
index 5dd4738..309cc7e 100644
--- a/bin/kniconf/maat_table_info.conf
+++ b/bin/kniconf/maat_table_info.conf
@@ -1,5 +1,8 @@
-1 MATT_CONFIG_COMPILE compile GBK GBK no 0
-#2 MATT_CONFIG_GROUP group GBK GBK no 0
-3 IP_BMD ip GBK GBK no 0
-4 USER_AREA ip GBK GBK no 0
-5 SNI_BMD expr GBK GBK yes 0
+1 WHITE_LIST_COMPILE compile GBK GBK no 0
+1 PXY_INTERCEPT_COMPILE compile GBK GBK no 0
+2 WHITE_LIST_GROUP group GBK GBK no 0
+2 PXY_INTERCEPT_GROUP group GBK GBK no 0
+3 WHITE_LIST_IP ip GBK GBK no 0
+3 PXY_INTERCEPT_IP ip GBK GBK no 0
+4 WHITE_LIST_DOMAIN expr GBK GBK yes 0
+4 PXY_INTERCEPT_DOMAIN expr GBK GBK yes 0
diff --git a/bin/kniconf/maat_test.json b/bin/kniconf/maat_test.json
index 0f781db..71fbb6c 100644
--- a/bin/kniconf/maat_test.json
+++ b/bin/kniconf/maat_test.json
@@ -1,11 +1,11 @@
 {
- "compile_table": "MATT_CONFIG_COMPILE",
- "group_table": "MATT_CONFIG_GROUP",
+ "compile_table": "WHITE_LIST_COMPILE",
+ "group_table": "WHITE_LIST_GROUP",
 "rules": [
 {
 "compile_id": 1,
 "service": 1,
- "action": 2,
+ "action":128,
 "do_blacklist": 1,
 "do_log": 1,
 "effective_rage": 0,
@@ -16,11 +16,11 @@
 "group_name": "group_1",
 "regions": [
 {
- "table_name": "IP_BMD",
+ "table_name": "WHITE_LIST_IP",
 "table_type": "ip",
 "table_content": {
 "addr_type": "ipv4",
- "src_ip": "192.168.11.199",
+ "src_ip": "192.168.10.1",
 "mask_src_ip": "255.255.255.255",
 "src_port": "0",
 "mask_src_port": "65535",
@@ -39,7 +39,7 @@
 {
 "compile_id": 2,
 "service": 48,
- "action": 2,
+ "action": 128,
 "do_blacklist": 1,
 "do_log": 1,
 "effective_rage": 0,
@@ -50,10 +50,10 @@
 "group_name": "group_2",
 "regions": [
 {
- "table_name": "SNI_BMD",
+ "table_name": "WHITE_LIST_DOMAIN",
 "table_type": "string",
 "table_content": {
- "keywords": "www.baidu.com",
+ "keywords": "baidu",
 "expr_type": "regex",
 "match_method": "sub",
 "format":"uncase plain"
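Review bot: Every id in the first column of the rewritten table now appears twice (`1` for both WHITE_LIST_COMPILE and PXY_INTERCEPT_COMPILE, likewise 2, 3 and 4), whereas the old file had one table per id; if the loader keys tables by that column, one entry of each pair shadows the other and the PXY_INTERCEPT_* tables may never be registered. kni.c in this commit registers only WHITE_LIST_IP and WHITE_LIST_DOMAIN, so which consumer the PXY_INTERCEPT_* rows serve is not visible here. Either give each row a unique id or state the column's meaning in the file, using the `#` comment syntax the old `#2 MATT_CONFIG_GROUP` line shows is accepted: `# col1 is a table type/group number shared by tables of the same type, not a unique key`.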
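Review bot: The WHITE_LIST_DOMAIN fixture pairs `"keywords": "baidu"` with `"expr_type": "regex"` and `"match_method": "sub"`, so any SNI that merely contains the substring (`baidu.attacker.example`, `notbaidu.test`) hits the rule, and with `"action": 128` (0x80, KNI_ACTION_WHITELIST in kni.h) that is a whitelist bypass for every such host. Anchoring the pattern to the host, e.g. `"keywords": "(^|\\.)baidu\\.com$"`, or keeping the old `"www.baidu.com"` with a whole-string match if Maat's match_method offers one (not visible here), keeps the test fixture from modelling an over-broad production whitelist. `"do_blacklist": 1` next to a whitelist action also reads contradictory and deserves a sentence in the commit message or test README explaining what the flag means for whitelist rules.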
diff --git a/bin/kniconf/maat_test.json_iris_tmp/.local b/bin/kniconf/maat_test.json_iris_tmp/.local
deleted file mode 100644
index 86bfaf1..0000000
--- a/bin/kniconf/maat_test.json_iris_tmp/.local
+++ /dev/null
@@ -1,3 +0,0 @@
-0000000002
-0 1 1
-1 2 1
diff --git a/bin/kniconf/maat_test.json_iris_tmp/IP_BMD.local b/bin/kniconf/maat_test.json_iris_tmp/IP_BMD.local
deleted file mode 100644
index fa22130..0000000
--- a/bin/kniconf/maat_test.json_iris_tmp/IP_BMD.local
+++ /dev/null
@@ -1,2 +0,0 @@
-0000000001
-0 0 4 192.168.11.199 255.255.255.255 0 65535 0.0.0.0 255.255.255.255 0 65535 0 0 1
diff --git a/bin/kniconf/maat_test.json_iris_tmp/MATT_CONFIG_COMPILE.local b/bin/kniconf/maat_test.json_iris_tmp/MATT_CONFIG_COMPILE.local
deleted file mode 100644
index 5d70e38..0000000
--- a/bin/kniconf/maat_test.json_iris_tmp/MATT_CONFIG_COMPILE.local
+++ /dev/null
@@ -1,3 +0,0 @@
-0000000002
-1 1 2 1 1 0 anything 1
-2 48 2 1 1 0 anything 1
diff --git a/bin/kniconf/maat_test.json_iris_tmp/SNI_BMD.local b/bin/kniconf/maat_test.json_iris_tmp/SNI_BMD.local
deleted file mode 100644
index 9f6deb4..0000000
--- a/bin/kniconf/maat_test.json_iris_tmp/SNI_BMD.local
+++ /dev/null
@@ -1,2 +0,0 @@
-0000000001
-1 1 www.baidu.com 2 0 0 1
diff --git a/bin/kniconf/maat_test.json_iris_tmp/index/full_config_index.0000000001 b/bin/kniconf/maat_test.json_iris_tmp/index/full_config_index.0000000001
deleted file mode 100644
index a2abac2..0000000
--- a/bin/kniconf/maat_test.json_iris_tmp/index/full_config_index.0000000001
+++ /dev/null
@@ -1,4 +0,0 @@
-MATT_CONFIG_COMPILE 2 ./kniconf/maat_test.json_iris_tmp/MATT_CONFIG_COMPILE.local
- 2 ./kniconf/maat_test.json_iris_tmp/.local
-IP_BMD 1 ./kniconf/maat_test.json_iris_tmp/IP_BMD.local
-SNI_BMD 1 ./kniconf/maat_test.json_iris_tmp/SNI_BMD.local
diff --git a/kni.c b/kni.c
index 60be0b6..f9c2485 100644
--- a/kni.c
+++ b/kni.c
@@ -12,7 +12,6 @@
 #include
 #include
 #include
-//#include
 #include
 #include
 #include
@@ -32,12 +31,13 @@
 #include "kni.h"
-int g_kni_version_VERSION_20180710_2;
+int g_kni_version_VERSION_20180711_3;
 struct kni_var_comm g_kni_comminfo;
 struct kni_var_struct g_kni_structinfo;
 struct kni_var_maat g_kni_maatinfo;
 struct kni_fs2_info g_kni_fs2_info;
+struct kni_switch_info g_kni_switch_info;
 int g_kni_threadseq[KNI_MAX_THREADNUM];
 const char *g_kni_fs2_name[FS2_COLUMN_NUM] ={"RECV_PKTS","FWD_PKTS","DROP_PKTS","WRITE_PKTS","READ_PKTS","SEND_PKTS"};
@@ -1124,19 +1124,25 @@ not kni_bmd:STAT_FLAG_SSL_NOBMD
 ***************************************************************************************/
 int kni_judge_sni(char* sni,int sni_len,int thread_seq)
 {
+ int action=KNI_ACTION_NONE;
 int state_flag=KNI_FLAG_SSL;
 int string_scan_num=0;
 int found_pos;
 scan_status_t mid=NULL;
- struct Maat_rule_t maat_result[KNI_MAX_CFGNUM];
+ struct Maat_rule_t maat_result;
- string_scan_num=Maat_full_scan_string(g_kni_maatinfo.maat_feather,g_kni_maatinfo.tableid_snibmd,CHARSET_GBK,sni,sni_len,maat_result,&found_pos,KNI_MAX_CFGNUM,&mid,thread_seq);
+ string_scan_num=Maat_full_scan_string(g_kni_maatinfo.maat_feather,g_kni_maatinfo.tableid_domain,CHARSET_GBK,sni,sni_len,&maat_result,&found_pos,1,&mid,thread_seq);
 Maat_clean_status(&mid);
 if(string_scan_num>0)
 {
- state_flag=KNI_FLAG_SNIBMD;
+ action=abs(maat_result.action);
+ MESA_handle_runtime_log(g_kni_comminfo.logger, RLOG_LV_FATAL,(char*)"kni_judge_sni","action:%d",action);
+ if((action==KNI_ACTION_WHITELIST)||((action!=KNI_ACTION_REJECT)&&(g_kni_switch_info.maat_default_switch==0)))
+ {
+ state_flag=KNI_FLAG_SNIBMD;
+ }
 }
 return state_flag;
@@ -1151,7 +1157,7 @@ not ssl:STAT_FLAG_NOTSSL
 /*
 int kni_judge_ssl_bak(char* tcp_data,int tcp_datalen,char* sni,int* sni_len)
 {
-// int state_flag=KNI_FLAG_SSL_HALF;
+// int state_flag=KNI_FLAG_UNKNOW;
 // return STAT_FLAG_SSL_NOBMD;
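Review bot: The new bypass test `(action!=KNI_ACTION_REJECT)&&(g_kni_switch_info.maat_default_switch==0)` treats every action other than REJECT as a whitelist hit when the switch is 0, so a rule configured with KNI_ACTION_DROP, KNI_ACTION_REDIRECT or KNI_ACTION_RATELIMIT (all defined in kni.h) sets KNI_FLAG_SNIBMD exactly like a WHITELIST rule, while the struct comment in kni.h describes the switch as deciding only what KNI_ACTION_NONE means; `(action==KNI_ACTION_NONE)&&(g_kni_switch_info.maat_default_switch==0)` would match that description and leave the other verdicts to be handled deliberately. Requesting a single result (`1`) from Maat_full_scan_string also means that when a whitelist and a reject rule both match the same SNI the outcome depends on Maat's ordering, which nothing here documents. The per-match log is emitted at RLOG_LV_FATAL although the other tracing added in this commit uses RLOG_LV_DEBUG, and at FATAL it fires once per matched TLS connection; and the `abs()` on `maat_result.action` implies a sign convention that should be written down, e.g. `/* Maat may return a negative action; presumably the sign carries a flag — confirm before relying on abs() */`.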
@@ -1287,27 +1293,26 @@ int kni_judge_ssl_bak(char* tcp_data,int tcp_datalen,char* sni,int* sni_len)
 */
 /***************************************************************************************
-return :state_flag
-ipbmd:STAT_FLAG_IPBMD
-not ipbmd:STAT_FLAG_NONE
+return :action
+default:ipscan_num =0 or =1,not >1
 ***************************************************************************************/
 int kni_judge_ipbmd(struct ipaddr* addr,int thread_seq,int protocol)
 {
- int state_flag=KNI_FLAG_UNKNOW;
+ int action=KNI_ACTION_NONE;
 int ipscan_num=0;
 scan_status_t mid=NULL;
- struct Maat_rule_t maat_result[KNI_MAX_CFGNUM];
+ struct Maat_rule_t maat_result;
- ipscan_num=Maat_scan_proto_addr(g_kni_maatinfo.maat_feather,g_kni_maatinfo.tableid_ipbmd,addr,protocol,maat_result,KNI_MAX_CFGNUM,&mid,thread_seq);
+ ipscan_num=Maat_scan_proto_addr(g_kni_maatinfo.maat_feather,g_kni_maatinfo.tableid_ip,addr,protocol,&maat_result,1,&mid,thread_seq);
 Maat_clean_status(&mid);
 if(ipscan_num>0)
 {
- state_flag=KNI_FLAG_IPBMD;
+ action=abs(maat_result.action);
 }
- return state_flag;
+ return action;
 }
 int kni_get_tcpinfo(struct kni_wndpro_reply_info* lastpkt_info,struct kni_tcp_hdr* tcphdr,int tcplen,struct ip* ip_hdr)
@@ -1389,8 +1394,10 @@ int kni_get_tcpopt(struct kni_tcp_hdr* tcphdr,int tcp_hdr_len,unsigned short* ms
 }
-int kni_get_data(const struct streaminfo* pstream,char* data,int* datalen)
+char* kni_get_data(const struct streaminfo* pstream,int* datalen)
 {
+ char* data=NULL;
+
 if(pstream->type==STREAM_TYPE_TCP)
 {
 data=(char*)(pstream->ptcpdetail->pdata);
@@ -1407,7 +1414,7 @@ int kni_get_data(const struct streaminfo* pstream,char* data,int* datalen)
 *datalen=0;
 }
- return 0;
+ return data;
 }
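Review bot: The rewritten kni_judge_ipbmd asks Maat_scan_proto_addr for at most one result (`&maat_result,1`) and the new header comment asserts `ipscan_num =0 or =1,not >1`, but nothing enforces that only one rule can match an address — the test json in this commit already carries two compile rules — so when a REJECT and a WHITELIST rule both match, whichever Maat returns first silently decides. Keeping the KNI_MAX_CFGNUM array the old code used and letting REJECT win over any other match makes the policy explicit and fail-closed; the header comment should then also say that KNI_ACTION_NONE is returned when no rule matches. Whether Maat itself already orders results by priority is not visible here; if it does, document that guarantee in the comment instead of relying on it silently.
```c
int kni_judge_ipbmd(struct ipaddr* addr,int thread_seq,int protocol)
{
    /* … unchanged: action / ipscan_num / mid declarations … */
    int i=0;
    struct Maat_rule_t maat_result[KNI_MAX_CFGNUM];

    ipscan_num=Maat_scan_proto_addr(g_kni_maatinfo.maat_feather,g_kni_maatinfo.tableid_ip,addr,protocol,maat_result,KNI_MAX_CFGNUM,&mid,thread_seq);
    Maat_clean_status(&mid);

    /* a REJECT rule wins over any other rule matching the same address */
    for(i=0;(i<ipscan_num)&&(i<KNI_MAX_CFGNUM);i++)
    {
        if(abs(maat_result[i].action)==KNI_ACTION_REJECT)
        {
            return KNI_ACTION_REJECT;
        }
    }
    if(ipscan_num>0)
    {
        action=abs(maat_result[0].action);
    }
    return action;
}
```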
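Review bot: kni_get_data now returns `data`, which stays at its initial `NULL` unless `pstream->type` is STREAM_TYPE_TCP, and that contract is not written anywhere; the callers updated later in this diff (`data=kni_get_data(pstream,&datalen);` in kni_pending_opstate and kni_data_opstate) take the pointer without a check, and whether those paths can ever see a non-TCP stream is not visible from here. A header comment above the definition would make the contract explicit: `/* Returns the stream's payload pointer and sets *datalen. Returns NULL (and, from the tail of the function, apparently *datalen==0) for streams that are not STREAM_TYPE_TCP; callers must check before dereferencing. */`. The body is split across this hunk and the next, so the non-TCP branch itself is only partly visible.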
@@ -1457,7 +1464,7 @@ not ssl:STAT_FLAG_NOTSSL
 ***************************************************************************************/
 int kni_judge_ssl(char* tcp_data,int tcp_datalen,char* sni,int* sni_len)
 {
-// int state_flag=KNI_FLAG_SSL_HALF;
+// int state_flag=KNI_FLAG_UNKNOW;
 // return KNI_FLAG_SSL;
@@ -1490,21 +1497,21 @@ int kni_judge_ssl(char* tcp_data,int tcp_datalen,char* sni,int* sni_len)
 content_type=*(unsigned char*)&ssl_header[ssl_header_len];
 if(content_type!=SSL_CONTENTTYPE_HANDSHAKE)
 {
- return KNI_FLAG_SSL_HALF;
+ return KNI_FLAG_UNKNOW;
 }
 ssl_header_len+=1;
 version_in_header=ntohs(*(unsigned short*)&(ssl_header[ssl_header_len]));
 if((version_in_header!=SSL_VERSION_TLS1_0)&&(version_in_header!=SSL_VERSION_TLS1_1)&&(version_in_header!=SSL_VERSION_TLS1_2))
 {
- return KNI_FLAG_SSL_HALF;
+ return KNI_FLAG_UNKNOW;
 }
 ssl_header_len+=2;
 len_in_header=ntohs(*(unsigned short*)&(ssl_header[ssl_header_len]));
 if(len_in_header!=tcp_datalen-SSL_HEADER_LEN)
 {
- return KNI_FLAG_SSL_HALF;
+ return KNI_FLAG_UNKNOW;
 }
 ssl_header_len+=2;
@@ -1514,7 +1521,7 @@ int kni_judge_ssl(char* tcp_data,int tcp_datalen,char* sni,int* sni_len)
 handshark_type=*(unsigned char*)&(ssl_body[ssl_body_len]);
 if(handshark_type!=SSL_HANDSHAR_TYPE_CLIENTHELLO)
 {
- return KNI_FLAG_SSL_HALF;
+ return KNI_FLAG_UNKNOW;
 }
 ssl_body_len+=1;
@@ -1522,7 +1529,7 @@ int kni_judge_ssl(char* tcp_data,int tcp_datalen,char* sni,int* sni_len)
 len_in_body=*(unsigned char*)&ssl_body[ssl_body_len+2]+256*(*(unsigned char*)&ssl_body[ssl_body_len+1])+65536*(*(unsigned char*)&ssl_body[ssl_body_len]);
 if(len_in_body!=(len_in_header-SSL_BODY_LEN))
 {
- return KNI_FLAG_SSL_HALF;
+ return KNI_FLAG_UNKNOW;
 }
 ssl_body_len+=3;
@@ -1530,7 +1537,7 @@ int kni_judge_ssl(char* tcp_data,int tcp_datalen,char* sni,int* sni_len)
 version_in_body=ntohs(*(unsigned short*)&(ssl_body[ssl_body_len]));
 if((version_in_body!=SSL_VERSION_TLS1_0)&&(version_in_body!=SSL_VERSION_TLS1_1)&&(version_in_body!=SSL_VERSION_TLS1_2))
 {
- return KNI_FLAG_SSL_HALF;
+ return KNI_FLAG_UNKNOW;
 }
 ssl_body_len+=2;
@@ -1554,7 +1561,7 @@ int kni_judge_ssl(char* tcp_data,int tcp_datalen,char* sni,int* sni_len)
 extension_len_less=ntohs(*(unsigned short*)&ssl_extention[ssl_extention_len]);
 if(extension_len_less!=len_in_body-2-32-1-session_id_len-2-ciphersuite_len-1-compression_method_len-2)
 {
- return KNI_FLAG_SSL_HALF;
+ return KNI_FLAG_UNKNOW;
 }
 ssl_extention_len+=2;
@@ -1571,7 +1578,7 @@ int kni_judge_ssl(char* tcp_data,int tcp_datalen,char* sni,int* sni_len)
 if(len_in_extension>KNI_SNI_MAXLEN)
 {
 //error
- return KNI_FLAG_SSL_HALF;
+ return KNI_FLAG_UNKNOW;
 }
 memcpy(sni,&ssl_extention[ssl_extention_len],len_in_extension);
@@ -1587,7 +1594,7 @@ int kni_judge_ssl(char* tcp_data,int tcp_datalen,char* sni,int* sni_len)
 }
 }
- return KNI_FLAG_SSL_HALF;
+ return KNI_FLAG_UNKNOW;
 }
 int kni_judge_http(const struct streaminfo *stream)
@@ -1624,7 +1631,7 @@ int kni_protocol_identify_bak(const struct streaminfo* pstream,const struct ip*
 }
 else if((sport==443)||(dport==443))
 {
- pro_flag=KNI_FLAG_SSL_HALF;
+ pro_flag=KNI_FLAG_UNKNOW;
 }
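Review bot: The guard on `len_in_extension` in the third hunk bounds the copy only against the destination (`>KNI_SNI_MAXLEN`, and whether that constant is ≤ the caller's `char sni[KNI_MAX_BUFLEN]` is not visible here), not against the source: the value is read from the ClientHello itself and nothing in the hunk checks that `ssl_extention_len+len_in_extension` is still inside the bytes actually present, so a forged server_name length makes `memcpy` read past the TCP payload. Add a source-side check before the copy, e.g. `if((len_in_extension>KNI_SNI_MAXLEN)||(ssl_extention_len+len_in_extension>remaining)) { return KNI_FLAG_UNKNOW; }` where `remaining` is the unconsumed part of the extensions block (extension_len_less minus what has been walked, or tcp_datalen minus the absolute offset) — the exact expression depends on where `ssl_extention` is set, which is outside this hunk. Whether kni_judge_ssl is still reachable is unclear: its direct call in kni_first_tcpdata is deleted further down and kni_protocol_identify's body is not in the diff, so if it is dead, remove it rather than keep renaming its return codes. kni_judge_ssl starts and ends outside these hunks.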
@@ -1639,23 +1646,15 @@ char kni_first_tcpdata(const struct streaminfo* pstream,const struct ip* ip_hdr,
 int sni_len=0;
 char sni[KNI_MAX_BUFLEN]={0};
- pmeinfo->status_flag=kni_protocol_identify(pstream,data,datalen,sni,&sni_len);
+ pmeinfo->status_flag=kni_protocol_identify(pstream,data,datalen,sni,&sni_len);
+ MESA_handle_runtime_log(g_kni_comminfo.logger, RLOG_LV_DEBUG,(char*)"kni_protocol_identify","protocol:%d",pmeinfo->status_flag);
 if(pmeinfo->status_flag==KNI_FLAG_SSL)
 {
 pmeinfo->status_flag=kni_judge_sni(sni,sni_len,pstream->threadnum);
+ MESA_handle_runtime_log(g_kni_comminfo.logger, RLOG_LV_DEBUG,(char*)"kni_judge_sni","status_flag:%d",pmeinfo->status_flag);
 }
-/*
- if(pmeinfo->status_flag==KNI_FLAG_SSL_HALF)
- {
- pmeinfo->status_flag=kni_judge_ssl(data,datalen,sni,&sni_len); //has kni:SSL_HALF;no kni:NOT_PROC
- if(pmeinfo->status_flag==KNI_FLAG_SSL_HALF)
- {
- pmeinfo->status_flag=kni_judge_sni(sni,sni_len,pstream->threadnum); //SNI_BMD:NOT_PROC;or SSL
- }
- }
-*/
 if((pmeinfo->status_flag==KNI_FLAG_HTTP)
 ||(pmeinfo->status_flag==KNI_FLAG_SSL))
 {
@@ -1687,12 +1686,12 @@ char kni_pending_opstate(const struct streaminfo* pstream,void** pme,int thread_
 struct kni_tcp_hdr* tcphdr=(struct kni_tcp_hdr*)((char*)ip_hdr+4*(ip_hdr->ip_hl));
 ipscan_action=kni_judge_ipbmd((struct ipaddr*)&(pstream->addr),thread_seq,protocol);
- if(ipscan_action==KNI_ACTION_IPBMD)
+ MESA_handle_runtime_log(g_kni_comminfo.logger, RLOG_LV_DEBUG,(char*)"kni_judge_ipbmd","action:%d",ipscan_action);
+ if((ipscan_action==KNI_ACTION_WHITELIST)||((ipscan_action!=KNI_ACTION_REJECT)&&(g_kni_switch_info.maat_default_switch==0)))
 {
 return ret;
 }
-
 pmeinfo=(struct kni_pme_info*)malloc(sizeof(struct kni_pme_info));
 memset(pmeinfo,0,sizeof(struct kni_pme_info));
 *pme=pmeinfo;
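Review bot: The bypass predicate added in the second hunk, `(ipscan_action==KNI_ACTION_WHITELIST)||((ipscan_action!=KNI_ACTION_REJECT)&&(g_kni_switch_info.maat_default_switch==0))`, is the same expression the commit adds to kni_judge_sni, so the two decision points can now drift apart silently. Factor it into one `static` helper called from both places, so that whatever is decided about the non-REJECT verdicts (KNI_ACTION_DROP, KNI_ACTION_REDIRECT and KNI_ACTION_RATELIMIT are defined in kni.h and currently all land in the pass-through arm) is decided once. The `malloc` immediately below is still used unchecked; that is not new, but this hunk makes it the only path left once the bypass test fails. kni_pending_opstate continues outside the hunk.
```c
/* True when a Maat verdict lets the stream through untouched: an explicit
 * WHITELIST hit, or (with default_switch 0) anything that is not a REJECT. */
static int kni_action_is_bypass(int action)
{
    if(action==KNI_ACTION_WHITELIST)
    {
        return 1;
    }
    return (action!=KNI_ACTION_REJECT)&&(g_kni_switch_info.maat_default_switch==0);
}

/* … unchanged: kni_pending_opstate up to the address scan … */
    ipscan_action=kni_judge_ipbmd((struct ipaddr*)&(pstream->addr),thread_seq,protocol);
    MESA_handle_runtime_log(g_kni_comminfo.logger, RLOG_LV_DEBUG,(char*)"kni_judge_ipbmd","action:%d",ipscan_action);
    if(kni_action_is_bypass(ipscan_action))
    {
        return ret;
    }
```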
@@ -1701,7 +1700,7 @@ char kni_pending_opstate(const struct streaminfo* pstream,void** pme,int thread_
 // pmeinfo->wndsize[pstream->curdir-1]=ntohs(tcphdr->th_win);
 // if((tcphdr->th_flags&TH_SYN)&&!(tcphdr->th_flags&TH_ACK)) //get wndscale and mss from tcpopt only in syn and syn/ack
 {
- kni_get_data(pstream,data,&datalen);
+ data=kni_get_data(pstream,&datalen);
 kni_get_tcpopt(tcphdr,iplen-4*(ip_hdr->ip_hl)-datalen,&(pmeinfo->mss[pstream->curdir-1]),&(pmeinfo->wnscal[pstream->curdir-1]),&(pmeinfo->sack[pstream->curdir-1]),&(pmeinfo->timestamps[pstream->curdir-1]));
 }
@@ -1741,7 +1740,7 @@ char kni_data_opstate(const struct streaminfo* pstream,void** pme,int thread_seq
 struct kni_pme_info* pmeinfo=(struct kni_pme_info*)*pme;
 struct kni_tcp_hdr* tcphdr=(struct kni_tcp_hdr*)((char*)ip_hdr+4*(ip_hdr->ip_hl));
- kni_get_data(pstream,data,&datalen);
+ data=kni_get_data(pstream,&datalen);
 if(pmeinfo->status_flag==KNI_FLAG_UNKNOW)
 {
@@ -1852,7 +1851,7 @@ long kni_state_htable_cb_v6(void* data,const unsigned char* key,unsigned int siz
 return datainfo->state_flag;
 }
-
+/*
 char kni_ipv6_entry(struct streaminfo *pstream,unsigned char routedir,int thread_seq,void *a_packet)
 {
 int ip_reverse=0;
@@ -1895,7 +1894,7 @@ char kni_ipv6_entry(struct streaminfo *pstream,unsigned char routedir,int thread
 return APP_STATE_DROPPKT;
 }
-
+*/
 extern "C" char kni_http_entry(stSessionInfo* session_info, void **pme, int thread_seq,struct streaminfo *a_stream,const void *a_packet)
 {
 char ret=PROT_STATE_DROPME;
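Review bot: In the second hunk `data=kni_get_data(pstream,&datalen);` can now leave `data` NULL (the rewritten kni_get_data assigns it only for STREAM_TYPE_TCP), and the remainder of kni_data_opstate, which lies outside this hunk, is presumably where the payload gets parsed. If this callback can be entered for anything but a TCP stream, guard right after the call with `if((data==NULL)||(datalen<=0)) { return ret; }`, using whatever "nothing to do" value the function already returns (not visible here); if it is registered only for TCP, a one-line comment at the call site saying so, e.g. `/* TCP-only callback: kni_get_data cannot return NULL here */`, saves the next reader the same question.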
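Review bot: Wrapping the whole of kni_ipv6_entry in a block comment (`+/*` in the third hunk, `+*/` in the fourth) leaves roughly forty lines of dead code in the file and is fragile: any `/* … */` comment inside that body ends the outer comment early and the tail of the function compiles again. If the IPv6 entry point is no longer registered, delete it — history keeps it — or disable it with `#if 0` / `#endif`, which nests safely, and add a one-line note on why it was disabled and what replaces it.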
@@ -1913,7 +1912,7 @@ int init_profile_info(int* logger_level,char* logger_filepath,int* maat_json_swi
 {
 MESA_load_profile_int_def((char*)KNI_CONF_FILENAME,(char*)KNI_CONF_MODE,(char*)"thread_num",&(g_kni_comminfo.thread_num),1);
-
+ MESA_load_profile_int_def((char*)KNI_CONF_FILENAME,(char*)KNI_CONF_MODE,(char*)"default_switch",&(g_kni_switch_info.maat_default_switch),1);
 MESA_load_profile_int_def((char*)KNI_CONF_FILENAME,(char*)KNI_CONF_MODE,(char*)"logger_level",logger_level,RLOG_LV_INFO);
 MESA_load_profile_int_def((char*)KNI_CONF_FILENAME,(char*)KNI_CONF_MODE,(char*)"maat_json_switch",maat_json_switch,0);
@@ -1960,6 +1959,7 @@ int init_kni_stat_htable()
 extern "C" char kni_init()
 {
+ int i=0;
 int ret=0;
@@ -2034,11 +2034,11 @@ extern "C" char kni_init()
 return -1;
 }
- g_kni_maatinfo.tableid_ipbmd=Maat_table_register(g_kni_maatinfo.maat_feather,KNI_TABLENAME_IPBMD);
- g_kni_maatinfo.tableid_snibmd=Maat_table_register(g_kni_maatinfo.maat_feather,KNI_TABLENAME_SNIBMD);
- if((g_kni_maatinfo.tableid_ipbmd<0)||(g_kni_maatinfo.tableid_snibmd<0))
+ g_kni_maatinfo.tableid_ip=Maat_table_register(g_kni_maatinfo.maat_feather,KNI_TABLENAME_IP);
+ g_kni_maatinfo.tableid_domain=Maat_table_register(g_kni_maatinfo.maat_feather,KNI_TABLENAME_DOMAIN);
+ if((g_kni_maatinfo.tableid_ip<0)||(g_kni_maatinfo.tableid_domain<0))
 {
- MESA_handle_runtime_log(g_kni_comminfo.logger, RLOG_LV_FATAL,KNI_MODULE_INIT,"Maat_table_register() error!ip_tableid:%d,sni_tableid:%d,action:%s",g_kni_maatinfo.tableid_ipbmd,g_kni_maatinfo.tableid_snibmd,KNI_ACTION_EXIT);
+ MESA_handle_runtime_log(g_kni_comminfo.logger, RLOG_LV_FATAL,KNI_MODULE_INIT,"Maat_table_register() error!ip_tableid:%d,sni_tableid:%d,action:%s",g_kni_maatinfo.tableid_ip,g_kni_maatinfo.tableid_domain,KNI_ACTION_EXIT);
 return -1;
 }
diff --git a/kni.h b/kni.h
index 961f98f..643c6ee 100644
--- a/kni.h
+++ b/kni.h
@@ -65,8 +65,6 @@
 #define KNI_CONF_MODE "MOUDLE"
-//maat
-#define KNI_ACTION_IPBMD 1
 #define PROTO_TYPE_TCP 6
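Review bot: `default_switch` is loaded with a default of 1 (fail-closed, which is the right default) but the value is never validated, and its only consumers compare `maat_default_switch==0`, so a typo such as `default_switch=2` silently behaves as "reject" with no trace; the only explanation of the key is a struct comment in kni.h, not the place where it is read. Log the effective value at startup and refuse anything outside {0,1}, e.g. `if((g_kni_switch_info.maat_default_switch!=0)&&(g_kni_switch_info.maat_default_switch!=1)) { MESA_handle_runtime_log(g_kni_comminfo.logger,RLOG_LV_FATAL,KNI_MODULE_INIT,"default_switch must be 0 or 1, got %d",g_kni_switch_info.maat_default_switch); return -1; }` — whether `g_kni_comminfo.logger` is already usable inside init_profile_info is not visible here, so place the check after logger setup if it is not. init_profile_info continues outside the hunk.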
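Review bot: The error message in the rebuilt Maat_table_register() check in the third hunk still reads `ip_tableid:%d,sni_tableid:%d` while the second table is now `tableid_domain`, registered under KNI_TABLENAME_DOMAIN; rename the label to `domain_tableid` so the log matches the config and the struct field. A negative id is all an operator gets when a table is missing from maat_table_info.conf, so printing the names too, `"Maat_table_register() error! %s:%d,%s:%d,action:%s",KNI_TABLENAME_IP,g_kni_maatinfo.tableid_ip,KNI_TABLENAME_DOMAIN,g_kni_maatinfo.tableid_domain,KNI_ACTION_EXIT`, makes the failure self-explanatory.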
@@ -75,11 +73,21 @@
 #define KNI_DEFAULT_WINSCLE 0
 #define KNI_DEFAULT_MSS 1460
+//maat
+#define KNI_ACTION_NONE 0x00
+#define KNI_ACTION_REJECT 0x10
+#define KNI_ACTION_DROP 0x20
+#define KNI_ACTION_REDIRECT 0x30
+#define KNI_ACTION_RATELIMIT 0x40
+#define KNI_ACTION_REPLACE 0x50
+#define KNI_ACTION_LOOP 0x60
+#define KNI_ACTION_WHITELIST 0x80
+
+#define KNI_MAX_CFGNUM 50
+#define KNI_TABLENAME_AREA "USER_AREA"
+#define KNI_TABLENAME_IP "WHITE_LIST_IP"
+#define KNI_TABLENAME_DOMAIN "WHITE_LIST_DOMAIN"
-#define KNI_MAX_CFGNUM 50
-#define KNI_TABLENAME_IPBMD "IP_BMD"
-#define KNI_TABLENAME_AREA "USER_AREA"
-#define KNI_TABLENAME_SNIBMD "SNI_BMD"
 #define KNI_MAATJSON_FILEPATH "./kniconf/maat_test.json"
 #define KNI_TABLEINFO_PATH "./kniconf/maat_table_info.conf"
@@ -149,15 +157,20 @@ enum kni_flag
 {
 KNI_FLAG_UNKNOW=0,
 KNI_FLAG_HTTP,
- KNI_FLAG_SSL,
- KNI_FLAG_SSL_HALF,
- KNI_FLAG_IPBMD,
+ KNI_FLAG_SSL,
 KNI_FLAG_OUTUSER,
+ KNI_FLAG_IPBMD,
 KNI_FLAG_SNIBMD,
+ KNI_FLAG_DROP,
 KNI_FLAG_NOTPROC,
 };
+struct kni_switch_info
+{
+ int maat_default_switch; //0:KNI_ACTION_NONE is fwdpkt;1:KNI_ACTION_NONE is reject
+};
+
 //htable_data_info ipv6
 struct datainfo_to_tun
@@ -186,12 +199,11 @@ struct kni_var_comm
 {
 int project_id;
 int kni_mode_cur; //0:work 1:bypass
- unsigned int local_ip;
 int thread_num;
 int fd_domain;
+ unsigned int local_ip;
 int* fd_tun;
 void* logger;
-//sendpkt test
 int* ipv4_fd;
 };
@@ -208,9 +220,9 @@ struct kni_var_struct
 struct kni_var_maat
 {
 Maat_feather_t maat_feather;
- short tableid_ipbmd;
+ short tableid_ip;
 short tableid_area;
- short tableid_snibmd;
+ short tableid_domain;
 };
 //field stat2
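Review bot: The new KNI_ACTION_* constants are multiples of 0x10 with 0x70 unused, and kni.c compares them with `==` after `abs()`; if the Maat action field can carry flag bits in the low nibble or values outside this list (nothing in the diff says either way), every such comparison in kni_judge_sni and kni_pending_opstate silently falls into the "not REJECT" arm. State the encoding where the constants live, e.g. `//maat verdicts as returned in Maat_rule_t.action (high nibble); confirm whether the low nibble carries flags before comparing with == — if so mask with 0xF0`, so the next reader knows whether the comparisons are exact or need a mask.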
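Review bot: Reordering `enum kni_flag` in the second hunk silently renumbers members: KNI_FLAG_OUTUSER moves from 5 to 3, KNI_FLAG_SNIBMD from 6 to 5, and 6 now means the new KNI_FLAG_DROP, while KNI_FLAG_SSL_HALF (3) disappears; `kni_state_htable_cb_v6` hands `datainfo->state_flag` back as a plain long and the debug logs added in this commit print the flag with `%d`, so anything that stores or compares these numbers outside this header — htable entries from a running instance, another module, a log parser — will read the old meanings. Pin the values explicitly (`KNI_FLAG_SSL=2, KNI_FLAG_OUTUSER=3, …`) with a comment saying whether they are part of any persisted or shared format, or state in the commit message that nothing outside this translation unit consumes them. The `maat_default_switch` comment, `0:KNI_ACTION_NONE is fwdpkt;1:KNI_ACTION_NONE is reject`, also describes a narrower rule than kni.c implements, which applies the switch to every non-REJECT action; make one match the other.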