亦庄测试版本

2018-09-18 17:13:28 +08:00
parent 09488ce1eb
commit 46ad62925b
6 changed files with 51 additions and 20 deletions
--- a/kni_comm.c
+++ b/kni_comm.c
@@ -12,7 +12,7 @@



-const char *g_kni_fs2_name[FS2_COLUMN_NUM] ={"RECV_PKTS","WRITE_PKTS","READ_PKTS","SEND_PKTS","BMD_IP","BMD_DOMAIN","HTTP_PKTS","SSL_PKTS","DROP_PKTS"};
+const char *g_kni_fs2_name[FS2_COLUMN_NUM] ={"RECV_PKTS","WRITE_PKTS","READ_PKTS","SEND_PKTS","BMD_IP","BMD_DOMAIN","HTTP_PKTS","SSL_PKTS","DROP_PKTS","CLIENT_HELLO","SSL_SNI"};


 int kni_log_info_v4(char* module,struct stream_tuple4_v4* addr,unsigned short protocol,char* domain,char* scan_result,char* action)
--- a/kni_comm.h
+++ b/kni_comm.h
@@ -7,7 +7,7 @@
 #endif


-#define FS2_COLUMN_NUM					9
+#define FS2_COLUMN_NUM					11
 #define FS2_APPNAME						"KNI"


@@ -22,6 +22,8 @@ enum kni_FS_COLUME
 	FS2_COLUME_HTTP,
 	FS2_COLUME_SSL,
 	FS2_COLUME_DROPPKT,
+	FS2_COLUME_CLIENTHELLO,
+	FS2_COLUME_SNI,
 };


--- a/kni_connect.c
+++ b/kni_connect.c
@@ -571,8 +571,8 @@ long kni_readtun_htable_cb_v4(void* data,const unsigned char* key,unsigned int s
 		}
 		else
 		{
-//			args->routdir=MESA_dir_reverse(datainfo->route_dir);
-			args->routdir=1-datainfo->route_dir;
+			args->routdir=MESA_dir_reverse(datainfo->route_dir);
+//			args->routdir=1-datainfo->route_dir;

 		}

@@ -621,7 +621,7 @@ long kni_readtun_htable_cb_v4(void* data,const unsigned char* key,unsigned int s



-int kni_process_readdata(int thread_seq,int buflen,char* buf)
+int kni_process_readdata(int thread_seq,int sendpkt_threadid,int buflen,char* buf)
 {
 	int iprever_flag=0;
 	long result=0;
@@ -643,9 +643,9 @@ int kni_process_readdata(int thread_seq,int buflen,char* buf)
 		MESA_htable_search_cb(g_kni_structinfo.htable_to_tun_v4,(unsigned char*)&ipv4_addr,sizeof(struct stream_tuple4_v4),kni_readtun_htable_cb_v4,(void*)&args,&result);
 		if(result==1)
 		{
-	
-//			kni_sendpkt_eth(thread_seq,buflen,buf,&ipv4_addr,iprever_flag,args.routdir,args.smac,args.dmac);
-			kni_sendpkt_routdir(thread_seq,buflen,buf,&ipv4_addr,iprever_flag,args.routdir,args.smac,args.dmac);
+//			kni_sendpkt_routdir(thread_seq,buflen,buf,&ipv4_addr,iprever_flag,args.routdir,args.smac,args.dmac);
+			MESA_sendpacket_iplayer_options(sendpkt_threadid,buf,buflen,args.routdir,NULL,0);
+
 		}

 	}
@@ -666,10 +666,14 @@ return:
 void* kni_read_tun(void* arg)
 {
 	int thread_seq=*(int*)arg;
-	
 	int recv_len=0;
 	char recv_buf[KNI_MAX_BUFLEN] = {0};

+	int sendpkt_threadid=0;
+	int sendpkt_threadid_len = sizeof(int);
+
+	sapp_get_platform_opt(SPO_INDEPENDENT_THREAD_ID,&sendpkt_threadid,&sendpkt_threadid_len);
+

 	while(1)
 	{
@@ -691,7 +695,7 @@ void* kni_read_tun(void* arg)
 		else if(recv_len>0)
 		{
 			kni_filestate2_set(thread_seq,FS2_COLUME_READ,0,1);
-			kni_process_readdata(thread_seq,recv_len,recv_buf);
+			kni_process_readdata(thread_seq,sendpkt_threadid,recv_len,recv_buf);
 		}
 	}

--- a/kni_entry.c
+++ b/kni_entry.c
@@ -9,7 +9,7 @@



-int g_kni_version_VERSION_20180822;
+int g_kni_version_VERSION_20180809_info_log_select;

 struct kni_var_comm g_kni_comminfo;
 struct kni_var_struct g_kni_structinfo;
@@ -125,8 +125,8 @@ int kni_htable_add(const struct streaminfo* pstream,const struct ip* ip_hdr,stru
 	}
 	else
 	{
-//		datainfo->route_dir=MESA_dir_reverse(pstream->routedir);
-		datainfo->route_dir=1-pstream->routedir;
+		datainfo->route_dir=MESA_dir_reverse(pstream->routedir);
+//		datainfo->route_dir=1-pstream->routedir;
 		memcpy(datainfo->smac,mac_addr->dst_mac,MAC_ADDR_LEN);
 		memcpy(datainfo->dmac,mac_addr->src_mac,MAC_ADDR_LEN);
 	}
@@ -150,7 +150,7 @@ return :state_flag
 ssl:STAT_FLAG_SSL_NOBMD
 not ssl:STAT_FLAG_NOTSSL
 ***************************************************************************************/
-int kni_judge_ssl(char* tcp_data,int tcp_datalen,char* sni,int* sni_len)
+int kni_judge_ssl(int thread_seq,char* tcp_data,int tcp_datalen,char* sni,int* sni_len,int* clienthello_flag,int* sni_flag)
 {
 	int ssl_header_len=0;
 	char* ssl_header=NULL;
@@ -208,6 +208,10 @@ int kni_judge_ssl(char* tcp_data,int tcp_datalen,char* sni,int* sni_len)
 		return KNI_FLAG_UNKNOW;
 	}
 	ssl_body_len+=1;
+	
+	*clienthello_flag = 1;
+	kni_filestate2_set(thread_seq,FS2_COLUME_CLIENTHELLO,0,1);
+

 //	memcpy(&len_in_body,&ssl_body[ssl_body_len],3);
 	len_in_body=*(unsigned char*)&ssl_body[ssl_body_len+2]+256*(*(unsigned char*)&ssl_body[ssl_body_len+1])+65536*(*(unsigned char*)&ssl_body[ssl_body_len]);
@@ -259,6 +263,9 @@ int kni_judge_ssl(char* tcp_data,int tcp_datalen,char* sni,int* sni_len)
 		
 		if(type_in_extension==SSL_EXTENSION_TYPE_SNI)
 		{
+			*sni_flag = 1;
+			kni_filestate2_set(thread_seq,FS2_COLUME_SNI,0,1);
+
 			if(len_in_extension>KNI_SNI_MAXLEN)
 			{
 				//error
@@ -305,18 +312,29 @@ int kni_judge_http(const struct streaminfo *stream,char* domain,int* domain_len)



-int kni_protocol_identify(const struct streaminfo* pstream,char* tcp_data,int tcp_datalen,char* domain,int* domain_len)
+int kni_protocol_identify(const struct streaminfo* pstream,const struct ip* ip_hdr,char* tcp_data,int tcp_datalen,char* domain,int* domain_len)
 {
+	int clienthello_flag = 0;
+	int sni_flag = 0;
+
+
 	if(kni_judge_http(pstream,domain,domain_len)==1)
 	{
 		kni_filestate2_set(pstream->threadnum,FS2_COLUME_HTTP,0,1);
 		return KNI_FLAG_HTTP;
 	}
-	else if(kni_judge_ssl(tcp_data,tcp_datalen,domain,domain_len)==KNI_FLAG_SSL) 
+	else if(kni_judge_ssl(pstream->threadnum,tcp_data,tcp_datalen,domain,domain_len,&clienthello_flag,&sni_flag)==KNI_FLAG_SSL) 
 	{
 		kni_filestate2_set(pstream->threadnum,FS2_COLUME_SSL,0,1);
 		return KNI_FLAG_SSL;
 	}
+//modify by liuyang 20180911 for client_hello but no sni
+	else if((clienthello_flag == 1)&&(sni_flag == 0))
+	{
+		kni_log_debug_v4(RLOG_LV_FATAL,(char*)"SSL_IDENTIFY",(struct ip*)ip_hdr,(char*)"this ssl has client_hello,but no sni!");
+		return KNI_FLAG_SSL;
+	}	
+

 	return KNI_FLAG_NOTPROC;

@@ -334,11 +352,15 @@ char kni_first_tcpdata(const struct streaminfo* pstream,const struct ip* ip_hdr,

 	int action=KNI_ACTION_NONE;

-	pmeinfo->status_flag=kni_protocol_identify(pstream,data,datalen,domain,&domain_len);
+	pmeinfo->status_flag=kni_protocol_identify(pstream,ip_hdr,data,datalen,domain,&domain_len);

 	if((pmeinfo->status_flag==KNI_FLAG_HTTP) ||(pmeinfo->status_flag==KNI_FLAG_SSL))
 	{
-		action=kni_scan_domain(domain,domain_len,pstream->threadnum,pmeinfo->mid);
+		if(domain_len != 0)
+		{
+			action=kni_scan_domain(domain,domain_len,pstream->threadnum,pmeinfo->mid);
+		}
+		
 		if(action==KNI_ACTION_WHITELIST)
 		{
 			kni_filestate2_set(pstream->threadnum,FS2_COLUME_WITELIST_DOMAIN,0,1);
@@ -830,8 +852,8 @@ int init_kni_sendpkt()
 		}

 		g_kni_threadseq[i]=i;
-
 		pthread_create(&pid_read_tun,NULL,kni_read_tun,&(g_kni_threadseq[i]));
+
 	}

 	return 0;
--- a/kni_entry.h
+++ b/kni_entry.h
@@ -51,7 +51,7 @@

 #define LOCAL_IP_ADDR   			"192.168.100.1"

-#define KNI_MAX_BUFLEN				1500
+#define KNI_MAX_BUFLEN				2000

 //fds index
 #define KNI_FDS_NUM						3
--- a/kni_repair.c
+++ b/kni_repair.c
@@ -180,6 +180,9 @@ int tcprepair_set_state(int sk,struct kni_tcp_state* tcp)
 		opts[onr].opt_val = 0;
 		onr++;
 	}
+
+	MESA_handle_runtime_log(g_kni_comminfo.logger, RLOG_LV_DEBUG,"tcprepair_set_option","sip:%d,dip:%d,sport:%d,dport:%d,wscale:%d,mss:%d",
+				ntohl(tcp->src_ip),ntohl(tcp->dst_ip),ntohs(tcp->sport),ntohs(tcp->dport),opts[0].opt_val,opts[1].opt_val);
 /*
 	opts[onr].opt_code = TCPOPT_TIMESTAMP;
 	opts[onr].opt_val = (tcp->timestamps_src)&&(tcp->timestamps_dst);