kni适配firewall
This commit is contained in:
崔一鸣
File diff suppressed because it is too large
Load Diff
@@ -1,405 +0,0 @@
|
||||
#include "kni_utils.h"
|
||||
#include "kni_maat.h"
|
||||
|
||||
|
||||
enum scan_table
|
||||
{
|
||||
PXY_INTERCEPT_IP,
|
||||
PXY_INTERCEPT_DOMAIN,
|
||||
TSG_OBJ_SUBSCRIBER_ID,
|
||||
SCAN_TABLE_MAX
|
||||
};
|
||||
|
||||
enum kni_action g_maat_default_action = KNI_ACTION_BYPASS;
|
||||
int g_maat_default_log_option=1;
|
||||
struct kni_maat_handle{
|
||||
Maat_feather_t static_maat;
|
||||
Maat_feather_t dynamic_maat;
|
||||
int scan_tableid[SCAN_TABLE_MAX];
|
||||
int subscriber_id_tableid;
|
||||
void *logger;
|
||||
};
|
||||
|
||||
void kni_maat_destroy(struct kni_maat_handle *handle){
|
||||
if(handle != NULL){
|
||||
if(handle->static_maat != NULL){
|
||||
Maat_burn_feather(handle->static_maat);
|
||||
}
|
||||
if(handle->dynamic_maat != NULL){
|
||||
Maat_burn_feather(handle->dynamic_maat);
|
||||
}
|
||||
}
|
||||
FREE(&handle);
|
||||
}
|
||||
|
||||
|
||||
void compile_ex_param_new(int idx, const struct Maat_rule_t* rule, const char* srv_def_large, MAAT_RULE_EX_DATA* ad, long argl, void *argp){
|
||||
void *logger = argp;
|
||||
unsigned char tmp=0;
|
||||
KNI_LOG_DEBUG(logger, "call compile_ex_param_new");
|
||||
if(rule->config_id == 0){
|
||||
tmp=(unsigned char)rule->action;
|
||||
enum kni_action action = (enum kni_action)tmp;
|
||||
if(action==KNI_ACTION_INTERCEPT)
|
||||
{
|
||||
g_maat_default_action = KNI_ACTION_INTERCEPT;
|
||||
KNI_LOG_INFO(logger, "Set default intercept action to intercept.");
|
||||
}
|
||||
else
|
||||
{
|
||||
g_maat_default_action = KNI_ACTION_BYPASS;
|
||||
KNI_LOG_INFO(logger, "Set default intercept action to bypass.");
|
||||
}
|
||||
g_maat_default_log_option=rule->do_log;
|
||||
}
|
||||
return;
|
||||
}
|
||||
|
||||
void compile_ex_param_free(int idx, const struct Maat_rule_t* rule, const char* srv_def_large, MAAT_RULE_EX_DATA* ad, long argl, void *argp){
|
||||
void *logger = argp;
|
||||
KNI_LOG_DEBUG(logger, "call compile_ex_param_free");
|
||||
return;
|
||||
}
|
||||
|
||||
void compile_ex_param_dup(int idx, MAAT_RULE_EX_DATA *to, MAAT_RULE_EX_DATA *from, long argl, void *argp){
|
||||
void *logger = argp;
|
||||
KNI_LOG_DEBUG(logger, "call compile_ex_param_dup");
|
||||
return;
|
||||
}
|
||||
|
||||
|
||||
static Maat_feather_t create_maat_feather(const char *instance_name, const char* profile, const char *section, void *logger, int thread_count){
|
||||
int readconf_mode;
|
||||
char tableinfo_path[KNI_PATH_MAX];
|
||||
char maatjson_path[KNI_PATH_MAX];
|
||||
char redis_ip[INET_ADDRSTRLEN];
|
||||
int redis_port;
|
||||
int redis_index;
|
||||
Maat_feather_t feather = NULL;
|
||||
int effective_interval_ms = 1000;//1s
|
||||
int ret = MESA_load_profile_int_nodef(profile, section, "readconf_mode", &readconf_mode);
|
||||
if(ret < 0){
|
||||
KNI_LOG_ERROR(logger, "MESA_prof_load: readconf_mode not set, profile = %s, section = %s", profile, section);
|
||||
goto error_out;
|
||||
}
|
||||
ret = MESA_load_profile_string_nodef(profile, section, "tableinfo_path", tableinfo_path, sizeof(tableinfo_path));
|
||||
if(ret < 0){
|
||||
KNI_LOG_ERROR(logger, "MESA_prof_load: tableinfo_path not set, profile = %s, section = %s", profile, section);
|
||||
goto error_out;
|
||||
}
|
||||
KNI_LOG_ERROR(logger, "MESA_prof_load, [%s]:\n readconf_mode: %d\n tableinfo_path: %s" , section, readconf_mode, tableinfo_path);
|
||||
feather = Maat_feather(thread_count, tableinfo_path, logger);
|
||||
if(feather == NULL){
|
||||
KNI_LOG_ERROR(logger, "Failed at Maat_feather, max_thread_num = %d, tableinfo_path = %s", thread_count, tableinfo_path);
|
||||
goto error_out;
|
||||
}
|
||||
Maat_set_feather_opt(feather, MAAT_OPT_INSTANCE_NAME, instance_name, strlen(instance_name) + 1);
|
||||
Maat_set_feather_opt(feather, MAAT_OPT_EFFECT_INVERVAL_MS, &effective_interval_ms, sizeof(effective_interval_ms));
|
||||
switch(readconf_mode){
|
||||
case KNI_MAAT_READCONF_JSON:
|
||||
ret = MESA_load_profile_string_nodef(profile, section, "maatjson_path", maatjson_path, sizeof(maatjson_path));
|
||||
if(ret < 0){
|
||||
KNI_LOG_ERROR(logger, "MESA_prof_load: maatjson_path not set, profile = %s, section = %s", profile, section);
|
||||
goto error_out;
|
||||
}
|
||||
KNI_LOG_ERROR(logger, "MESA_prof_load, [%s]:\n maatjson_path: %s", section, maatjson_path);
|
||||
Maat_set_feather_opt(feather, MAAT_OPT_JSON_FILE_PATH, maatjson_path, strlen(maatjson_path));
|
||||
break;
|
||||
case KNI_MAAT_READCONF_IRIS:
|
||||
break;
|
||||
case KNI_MAAT_READCONF_REDIS:
|
||||
ret = MESA_load_profile_string_nodef(profile, section, "redis_ip", redis_ip, sizeof(redis_ip));
|
||||
if(ret < 0){
|
||||
KNI_LOG_ERROR(logger, "MESA_prof_load: redis_ip not set, profile = %s, section = %s", profile, section);
|
||||
goto error_out;
|
||||
}
|
||||
ret = MESA_load_profile_int_nodef(profile, section, "redis_port", &redis_port);
|
||||
if(ret < 0){
|
||||
KNI_LOG_ERROR(logger, "MESA_prof_load: redis_port not set, profile = %s, section = %s", profile, section);
|
||||
goto error_out;
|
||||
}
|
||||
ret = MESA_load_profile_int_nodef(profile, section, "redis_index", &redis_index);
|
||||
if(ret < 0){
|
||||
KNI_LOG_ERROR(logger, "MESA_prof_load: redis_index not set, profile = %s, section = %s", profile, section);
|
||||
goto error_out;
|
||||
}
|
||||
KNI_LOG_ERROR(logger, "MESA_prof_load, [%s]:\n redis_ip: %s\n redis_port: %d\n redis_index: %d",
|
||||
section, redis_ip, redis_port, redis_index);
|
||||
Maat_set_feather_opt(feather, MAAT_OPT_REDIS_IP, (void*)redis_ip, strlen(redis_ip) + 1);
|
||||
Maat_set_feather_opt(feather, MAAT_OPT_REDIS_PORT, (void*)&redis_port, sizeof(redis_port));
|
||||
Maat_set_feather_opt(feather, MAAT_OPT_REDIS_INDEX, (void*)&redis_index, sizeof(redis_index));
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
}
|
||||
ret = Maat_initiate_feather(feather);
|
||||
if(ret < 0){
|
||||
KNI_LOG_ERROR(logger, "Failed at Maat_initiate_feather");
|
||||
goto error_out;
|
||||
}
|
||||
return feather;
|
||||
|
||||
error_out:
|
||||
if(feather != NULL){
|
||||
Maat_burn_feather(feather);
|
||||
}
|
||||
return NULL;
|
||||
}
|
||||
|
||||
//copy from tfe
|
||||
static int get_column_pos(const char* line, int column_seq, size_t *offset, size_t *len){
|
||||
const char* seps=" \t";
|
||||
char* saveptr=NULL, *subtoken=NULL, *str=NULL;
|
||||
char* dup_line=kni_strdup(line);
|
||||
int i=0, ret=-1;
|
||||
for (str = dup_line; ; str = NULL){
|
||||
subtoken = strtok_r(str, seps, &saveptr);
|
||||
if (subtoken == NULL)
|
||||
break;
|
||||
if(i==column_seq-1){
|
||||
*offset=subtoken-dup_line;
|
||||
*len=strlen(subtoken);
|
||||
ret=0;
|
||||
break;
|
||||
}
|
||||
i++;
|
||||
}
|
||||
free(dup_line);
|
||||
return ret;
|
||||
}
|
||||
|
||||
void subscribe_id_dup_cb(int table_id, MAAT_PLUGIN_EX_DATA* to, MAAT_PLUGIN_EX_DATA* from, long argl, void* argp){
|
||||
*to = kni_strdup((char*)*from);
|
||||
return;
|
||||
}
|
||||
|
||||
void subscribe_id_new_cb(int table_id, const char* key, const char* table_line, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp){
|
||||
int ret = 0;
|
||||
size_t subscribe_id_offset, len;
|
||||
void *logger = argp;
|
||||
ret = get_column_pos(table_line, 4, &subscribe_id_offset, &len);
|
||||
if(ret<0){
|
||||
KNI_LOG_ERROR(logger, "Add subscribe ID faild: %s", table_line);
|
||||
return;
|
||||
}
|
||||
*ad = ALLOC(char, len+1);
|
||||
memcpy(*ad, table_line+subscribe_id_offset, len);
|
||||
KNI_LOG_INFO(logger, "Add subscribe ID: %s", (char*)*ad);
|
||||
return;
|
||||
}
|
||||
|
||||
void subscribe_id_free_cb(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp){
|
||||
void *logger = argp;
|
||||
KNI_LOG_INFO(logger, "Delete subscribe ID: %s", (char*)*ad);
|
||||
free(*ad);
|
||||
*ad = NULL;
|
||||
}
|
||||
|
||||
struct kni_maat_handle* kni_maat_init(const char* profile, void *logger, int thread_count){
|
||||
struct kni_maat_handle *handle = ALLOC(struct kni_maat_handle, 1);
|
||||
handle->logger = logger;
|
||||
//static maat
|
||||
const char *table_name[SCAN_TABLE_MAX];
|
||||
char tablename_intercept_compile[] = "PXY_INTERCEPT_COMPILE";
|
||||
char tablename_subscriber_id[] = "TSG_DYN_SUBSCRIBER_IP";
|
||||
int ret, i;
|
||||
handle->static_maat = create_maat_feather("static", profile, "static_maat", logger, thread_count);
|
||||
if(handle->static_maat == NULL){
|
||||
goto error_out;
|
||||
}
|
||||
table_name[PXY_INTERCEPT_IP] = "PXY_INTERCEPT_IP";
|
||||
table_name[PXY_INTERCEPT_DOMAIN] = "PXY_INTERCEPT_DOMAIN";
|
||||
table_name[TSG_OBJ_SUBSCRIBER_ID] = "TSG_OBJ_SUBSCRIBER_ID";
|
||||
for(i = 0; i < SCAN_TABLE_MAX; i++){
|
||||
handle->scan_tableid[i] = Maat_table_register(handle->static_maat, table_name[i]);
|
||||
if(handle->scan_tableid[i] < 0){
|
||||
KNI_LOG_ERROR(logger, "Failed at Maat_table_register, tablename = %s, ret = %d",
|
||||
table_name[i], handle->scan_tableid[i]);
|
||||
goto error_out;
|
||||
}
|
||||
}
|
||||
//get_ex
|
||||
ret = Maat_rule_get_ex_new_index(handle->static_maat, tablename_intercept_compile, compile_ex_param_new, compile_ex_param_free, compile_ex_param_dup, 0, logger);
|
||||
if(ret < 0){
|
||||
KNI_LOG_ERROR(logger, "Failed at Maat_rule_get_ex_new_index, tablename = %s, ret = %d", tablename_intercept_compile, ret);
|
||||
goto error_out;
|
||||
}
|
||||
//dynamic maat register
|
||||
handle->dynamic_maat = create_maat_feather("dynamic", profile, "dynamic_maat", logger, thread_count);
|
||||
if(handle->dynamic_maat == NULL){
|
||||
goto error_out;
|
||||
}
|
||||
handle->subscriber_id_tableid = Maat_table_register(handle->dynamic_maat, tablename_subscriber_id);
|
||||
if(handle->subscriber_id_tableid < 0){
|
||||
KNI_LOG_ERROR(logger, "Failed at Maat_table_register, tablename = %s, ret = %d",
|
||||
tablename_subscriber_id, handle->subscriber_id_tableid);
|
||||
goto error_out;
|
||||
}
|
||||
ret = Maat_plugin_EX_register(handle->dynamic_maat,
|
||||
handle->subscriber_id_tableid,
|
||||
subscribe_id_new_cb,
|
||||
subscribe_id_free_cb,
|
||||
subscribe_id_dup_cb,
|
||||
NULL,
|
||||
0,
|
||||
logger);
|
||||
if(ret != 0){
|
||||
KNI_LOG_ERROR(NULL, "Failed at Maat_plugin_EX_register, tablename = %s, ret = %d", tablename_subscriber_id, ret);
|
||||
goto error_out;
|
||||
}
|
||||
return handle;
|
||||
|
||||
error_out:
|
||||
kni_maat_destroy(handle);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
static int index_of_enforce_policy(struct Maat_rule_t* result, size_t size){
|
||||
size_t i = 0;
|
||||
int biggest_intercept_policy_id = -1, ret_intercept_idx = -1;
|
||||
int biggest_bypass_policy_id = -1, ret_bypass_idx = -1;
|
||||
for(i = 0; i < size; i++){
|
||||
if((unsigned char)result[i].action == KNI_ACTION_BYPASS){
|
||||
if(result[i].config_id > biggest_bypass_policy_id){
|
||||
biggest_bypass_policy_id = result[i].config_id;
|
||||
ret_bypass_idx = i;
|
||||
}
|
||||
}
|
||||
else{
|
||||
if(result[i].config_id > biggest_intercept_policy_id){
|
||||
biggest_intercept_policy_id = result[i].config_id;
|
||||
ret_intercept_idx = i;
|
||||
}
|
||||
}
|
||||
}
|
||||
if(biggest_bypass_policy_id != -1){
|
||||
return ret_bypass_idx;
|
||||
}
|
||||
else{
|
||||
return ret_intercept_idx;
|
||||
}
|
||||
}
|
||||
|
||||
//type: 0 : sip, 1 : dip
|
||||
static void get_ip_from_ipaddr(struct ipaddr *addr, char *ip, int type){
|
||||
if(addr->addrtype == ADDR_TYPE_IPV4){
|
||||
struct stream_tuple4_v4 *v4 = addr->v4;
|
||||
if(type == 0){
|
||||
inet_ntop(AF_INET, &(v4->saddr), ip, INET_ADDRSTRLEN);
|
||||
}
|
||||
else{
|
||||
inet_ntop(AF_INET, &(v4->daddr), ip, INET_ADDRSTRLEN);
|
||||
}
|
||||
}
|
||||
else{
|
||||
struct stream_tuple4_v6 *v6 = addr->v6;
|
||||
if(type == 0){
|
||||
inet_ntop(AF_INET6, v6->saddr, ip, INET6_ADDRSTRLEN);
|
||||
}
|
||||
else{
|
||||
inet_ntop(AF_INET6, v6->daddr, ip, INET6_ADDRSTRLEN);
|
||||
}
|
||||
}
|
||||
return;
|
||||
}
|
||||
|
||||
enum kni_action intercept_policy_scan(struct kni_maat_handle* handle, struct ipaddr *addr, char *domain, int domain_len,
|
||||
int thread_seq, int *policy_id, int *do_log, int *is_hit_policy){
|
||||
//return KNI_ACTION_INTERCEPT;
|
||||
struct Maat_rule_t result[KNI_MAAT_RULE_NUM_MAX];
|
||||
scan_status_t scan_mid = NULL;
|
||||
int scan_ret = 0, hit_policy_cnt = 0, enforced_policy_idx = 0;
|
||||
//scan subscribe_id
|
||||
char sip[INET6_ADDRSTRLEN] = "";
|
||||
char dip[INET6_ADDRSTRLEN] = "";
|
||||
get_ip_from_ipaddr(addr, sip, 0);
|
||||
get_ip_from_ipaddr(addr, dip, 1);
|
||||
char* source_subscribe_id = NULL, *dest_subscribe_id = NULL;
|
||||
source_subscribe_id = (char*)Maat_plugin_get_EX_data(handle->dynamic_maat, handle->subscriber_id_tableid, sip);
|
||||
dest_subscribe_id = (char*)Maat_plugin_get_EX_data(handle->dynamic_maat, handle->subscriber_id_tableid, dip);
|
||||
KNI_LOG_DEBUG(handle->logger, "sip = %s, source_subscribe_id = %s", sip, source_subscribe_id == NULL ? "null" : source_subscribe_id);
|
||||
KNI_LOG_DEBUG(handle->logger, "dip = %s, dest_subscribe_id = %s", dip, dest_subscribe_id == NULL ? "null" : dest_subscribe_id);
|
||||
if(source_subscribe_id != NULL){
|
||||
scan_ret = Maat_full_scan_string(handle->static_maat, handle->scan_tableid[TSG_OBJ_SUBSCRIBER_ID],
|
||||
CHARSET_UTF8, source_subscribe_id, strlen(source_subscribe_id),
|
||||
result+hit_policy_cnt, NULL, KNI_MAAT_RULE_NUM_MAX-hit_policy_cnt,
|
||||
&scan_mid, thread_seq);
|
||||
KNI_LOG_DEBUG(handle->logger, "source_subscribe_id = %s, scan_ret = %d", source_subscribe_id, scan_ret);
|
||||
if(scan_ret > 0){
|
||||
hit_policy_cnt += scan_ret;
|
||||
}
|
||||
free(source_subscribe_id);
|
||||
}
|
||||
if(dest_subscribe_id != NULL){
|
||||
scan_ret = Maat_full_scan_string(handle->static_maat, handle->scan_tableid[TSG_OBJ_SUBSCRIBER_ID],
|
||||
CHARSET_UTF8, dest_subscribe_id, strlen(dest_subscribe_id),
|
||||
result+hit_policy_cnt, NULL, KNI_MAAT_RULE_NUM_MAX-hit_policy_cnt,
|
||||
&scan_mid, thread_seq);
|
||||
KNI_LOG_DEBUG(handle->logger, "dest_subscribe_id = %s, scan_ret = %d", dest_subscribe_id, scan_ret);
|
||||
if(scan_ret > 0){
|
||||
hit_policy_cnt += scan_ret;
|
||||
}
|
||||
free(dest_subscribe_id);
|
||||
}
|
||||
//tcp: 6, udp: 17, can't be 0
|
||||
scan_ret = Maat_scan_proto_addr(handle->static_maat, handle->scan_tableid[PXY_INTERCEPT_IP], addr, 6,
|
||||
result+hit_policy_cnt, KNI_MAAT_RULE_NUM_MAX-hit_policy_cnt,
|
||||
&scan_mid, thread_seq);
|
||||
if(scan_ret > 0){
|
||||
hit_policy_cnt += scan_ret;
|
||||
}
|
||||
scan_ret = Maat_full_scan_string(handle->static_maat, handle->scan_tableid[PXY_INTERCEPT_DOMAIN], CHARSET_UTF8,
|
||||
domain, domain_len,
|
||||
result+hit_policy_cnt, NULL, KNI_MAAT_RULE_NUM_MAX-hit_policy_cnt,
|
||||
&scan_mid, thread_seq);
|
||||
if(scan_ret > 0){
|
||||
hit_policy_cnt += scan_ret;
|
||||
}
|
||||
Maat_clean_status(&scan_mid);
|
||||
if(hit_policy_cnt > 0){
|
||||
enforced_policy_idx = index_of_enforce_policy(result, hit_policy_cnt);
|
||||
*policy_id = result[enforced_policy_idx].config_id;
|
||||
*do_log = result[enforced_policy_idx].do_log;
|
||||
*is_hit_policy = 1;
|
||||
unsigned char action = (unsigned char)result[enforced_policy_idx].action;
|
||||
return (enum kni_action)action;
|
||||
}
|
||||
else{
|
||||
*policy_id = 0;
|
||||
*do_log = g_maat_default_log_option;
|
||||
return g_maat_default_action;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
/* action
|
||||
0x00: none
|
||||
0x01: monitor
|
||||
0x02: intercept
|
||||
0x10: reject
|
||||
0x30: Manipulate
|
||||
0x60: steer
|
||||
0x80: bypass
|
||||
*/
|
||||
char* kni_maat_action_trans(enum kni_action action){
|
||||
switch(action){
|
||||
case 0x00:
|
||||
return (char*)"none";
|
||||
case 0x01:
|
||||
return (char*)"monitor";
|
||||
case 0x02:
|
||||
return (char*)"intercept";
|
||||
case 0x10:
|
||||
return (char*)"reject";
|
||||
case 0x30:
|
||||
return (char*)"manipulate";
|
||||
case 0x60:
|
||||
return (char*)"steer";
|
||||
case 0x80:
|
||||
return (char*)"bypass";
|
||||
default:
|
||||
return (char*)"unknown";
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user