diff --git a/conf/kni.conf b/conf/kni.conf
index f4b54fe..86e5530 100644
--- a/conf/kni.conf
+++ b/conf/kni.conf
@@ -5,7 +5,8 @@ tfe_count = 1
 local_eth = enp8s0
 [maat]
-readconf_mode = 2
+#readconf_mode: 0 = iris, 1 = json, 2 = redis
+readconf_mode = 1
 tableinfo_path = ./conf/kni/maat_tableinfo.conf
 maatjson_path = ./conf/kni/maat_test.json
 redis_ip = 192.168.10.120
@@ -14,6 +15,8 @@ redis_index = 4
 tablename_intercept_ip = PXY_INTERCEPT_IP
 tablename_intercept_domain = PXY_INTERCEPT_DOMAIN
 compile_alias = COMPILE_ALIAS
+#default_action: 0x80 = bypass, 0x02 = intercept
+default_action = 128
 [marsio]
 appsym = knifw
@@ -38,7 +41,7 @@ stat_path = ./fs2_kni.status
 [send_logger]
 switch = 1
 kafka_topic = SESSION-RECORD-LOG
-kafka_brokerlist = 192.168.10.121:9092,192.168.10.122:9092,192.168.10.123:9092
+kafka_brokerlist = 192.168.10.119:9092,192.168.10.122:9092,192.168.10.123:9092
 [kafka]
 queue.buffering.max.messages = 1000000
diff --git a/conf/maat/maat_test.json b/conf/maat/maat_test.json
index 18ba692..769d3f7 100644
--- a/conf/maat/maat_test.json
+++ b/conf/maat/maat_test.json
@@ -33,7 +33,7 @@
 {
 "compile_id": 1,
 "service": 1,
- "action":2,
+ "action": 2,
 "do_blacklist": 1,
 "do_log": 1,
 "effective_rage": 0,
@@ -48,7 +48,7 @@
 "table_type": "ip",
 "table_content": {
 "addr_type": "ipv4",
- "src_ip": "192.168.11.135",
+ "src_ip": "192.168.50.156",
 "mask_src_ip": "255.255.255.255",
 "src_port": "0",
 "mask_src_port": "65535",
diff --git a/entry/include/kni_maat.h b/entry/include/kni_maat.h
index ae339d3..c135cd4 100644
--- a/entry/include/kni_maat.h
+++ b/entry/include/kni_maat.h
@@ -5,6 +5,16 @@
 #define KNI_MAAT_RULE_NUM_MAX 8
 struct kni_maat_handle;
+
+/* action
+ 0x00: none
+ 0x01: monitor
+ 0x02: intercept
+ 0x10: reject
+ 0x30: Manipulate
+ 0x60: steer
+ 0x80: bypass
+*/
 enum kni_action{
 KNI_ACTION_NONE = 0x00,
 KNI_ACTION_INTERCEPT = 0x02,
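Review bot: `readconf_mode = 1` switches the Maat loader to the JSON source, but the `maatjson_path` context line two lines below still points at `./conf/kni/maat_test.json`, while the JSON file this commit edits is `conf/maat/maat_test.json`. Unless a deployment step copies the file (not visible here), the new `src_ip` rule in conf/maat/maat_test.json is never the one loaded. Either repoint it, `maatjson_path = ./conf/maat/maat_test.json`, or edit the copy under conf/kni instead.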
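Review bot: `default_action = 128` (0x80 = bypass) now governs not only sessions with no matching rule but also every Maat scan failure, because `kni_maat_scan_ip` and `kni_maat_scan_domain` in kni_maat.cpp return `g_maat_default_action` whenever `Maat_scan_proto_addr`/`Maat_full_scan_string` return a negative value; the previous hard-coded default was intercept, so this is a fail-open change. That may be the intended policy, but it is not visible from the key name, and an operator editing this file should see it. I would extend the comment: `#default_action: 0x80 = bypass, 0x02 = intercept; also used when the Maat scan itself fails, so 128 is fail-open`.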
@@ -13,5 +23,6 @@ enum kni_action{
 struct kni_maat_handle* kni_maat_init(const char* profile, void *logger);
 void kni_maat_destroy(struct kni_maat_handle *handle);
-int kni_maat_scan_ip(struct kni_maat_handle* handle, struct ipaddr *addr, int thread_seq, int *policy_id);
-int kni_maat_scan_domain(struct kni_maat_handle* handle, char *domain, int domain_len, int thread_seq, int *policy_id);
\ No newline at end of file
+int kni_maat_scan_ip(struct kni_maat_handle* handle, struct ipaddr *addr, int thread_seq, int *policy_id, int *maat_hit);
+int kni_maat_scan_domain(struct kni_maat_handle* handle, char *domain, int domain_len, int thread_seq, int *policy_id, int *maat_hit);
+int kni_maat_action_trans(int action, char *action_str);
\ No newline at end of file
diff --git a/entry/src/kni_entry.cpp b/entry/src/kni_entry.cpp
index 65d7ea2..4d8c5b8 100644
--- a/entry/src/kni_entry.cpp
+++ b/entry/src/kni_entry.cpp
@@ -66,6 +66,7 @@ struct http_project{
 struct pme_info{
 int protocol;
 int policy_id;
+ int maat_hit;
 int action;
 int service;
 struct kni_tcpopt_info *client_tcpopt;
@@ -509,14 +510,14 @@ static char pending_opstate(const struct streaminfo *stream, struct pme_info *pm
 return APP_STATE_FAWPKT | APP_STATE_GIVEME;
 }
-static int get_action(struct ipaddr *addr, char *domain, int domain_len, int thread_seq, int *policy_id){
+static int get_action(struct ipaddr *addr, char *domain, int domain_len, int thread_seq, int *policy_id, int *maat_hit){
 //return KNI_ACTION_INTERCEPT;
- int action = kni_maat_scan_ip(g_kni_handle->maat_handle, addr, thread_seq, policy_id);
+ int ret = kni_maat_scan_ip(g_kni_handle->maat_handle, addr, thread_seq, policy_id, maat_hit);
 if(action == KNI_ACTION_BYPASS){
 return action;
 }
 if(domain_len != 0){
- action = kni_maat_scan_domain(g_kni_handle->maat_handle, domain, domain_len, thread_seq, policy_id);
+ action = kni_maat_scan_domain(g_kni_handle->maat_handle, domain, domain_len, thread_seq, policy_id, maat_hit);
 }
 return action;
 }
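Review bot: The new `int *maat_hit` out-parameters have a contract the header does not state: the implementations in kni_maat.cpp only ever write `*maat_hit = 1` on a match and never clear it, so the caller must zero it before each call, and `*policy_id` is likewise left untouched on the no-match and error paths. `kni_maat_action_trans` takes `char *action_str` with no length, and its implementation fills the buffer with `strcpy`, so the prototype should at least state the minimum capacity (the longest name it writes is "manipulate", 11 bytes with the terminator). I would add above the three prototypes a comment along the lines of `/* maat_hit: set to 1 when a rule matched, otherwise left unchanged - caller initialises it to 0. action_str: must hold at least 11 bytes. */`.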
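Review bot: The new side of `get_action` no longer compiles as written: the scan result is now stored in `int ret`, but the following `if(action == KNI_ACTION_BYPASS)`, the `action = kni_maat_scan_domain(...)` assignment and `return action;` still use `action`, which is no longer declared in the function (unless a file-scope `action` exists, which would be worse). Keep the original name, `int action = kni_maat_scan_ip(g_kni_handle->maat_handle, addr, thread_seq, policy_id, maat_hit);`, and since neither scan function ever writes 0 to `*maat_hit`, add `*maat_hit = 0;` before the IP scan so the value logged in data_opstate (the next hunk of this file) is defined even when pme_info is not zero-initialised at allocation, which this diff does not show. The whole of get_action is inside this hunk.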
@@ -592,12 +593,15 @@ static char data_opstate(const struct streaminfo *stream, struct pme_info *pmein
 memcpy(pmeinfo->host, result->domain, result->domain_len);
 FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_HTTP_STM], 0, FS_OP_ADD, 1);
 }
- pmeinfo->action = get_action((struct ipaddr*)(&stream->addr), result->domain, result->domain_len, thread_seq, &(pmeinfo->policy_id));
+ pmeinfo->action = get_action((struct ipaddr*)(&stream->addr), result->domain, result->domain_len,
+ thread_seq, &(pmeinfo->policy_id), &(pmeinfo->maat_hit));
 //输出maat拦截日志
 char domain_str[KNI_DOMAIN_MAX] = "";
 memcpy(domain_str, result->domain, result->domain_len);
- KNI_LOG_DEBUG(logger, "get_action: %s, %s, policy_id = %d, action = %s",
- stream_addr, domain_str, pmeinfo->policy_id, pmeinfo->action == KNI_ACTION_BYPASS ? "bypass" : "intercept");
+ char action_str[KNI_SYMBOL_MAX];
+ kni_maat_action_trans(pmeinfo->action, action_str);
+ KNI_LOG_DEBUG(logger, "get_action: %s, %s, policy_id = %d, action = %d(%s), maat_hit = %d",
+ stream_addr, domain_str, pmeinfo->policy_id, pmeinfo->action, action_str, pmeinfo->maat_hit);
 FREE(&result);
 //TODO: 这块比较奇怪, 收到client hello, 但是没有syn/ack包, 直接bypass了
 if(pmeinfo->client_tcpopt == NULL || pmeinfo->server_tcpopt == NULL){
diff --git a/entry/src/kni_maat.cpp b/entry/src/kni_maat.cpp
index 8128953..2a06774 100644
--- a/entry/src/kni_maat.cpp
+++ b/entry/src/kni_maat.cpp
@@ -5,11 +5,11 @@ extern int g_iThreadNum;
 /* 关于没有命中配置情况下的默认配置
- 1. g_maat_default_action = KNI_ACTION_INTERCEPT, policy_id = 0
+ 1. g_maat_default_action: 读配置文件, policy_id = 0
 2. 如果maat的编译配置表中有policy_id = 0的配置,则将 g_maat_default_action设为对应的action, policy_id = 0
 */
-int g_maat_default_action = KNI_ACTION_INTERCEPT;
+int g_maat_default_action;
 struct kni_maat_handle{
 Maat_feather_t feather;
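Review bot: `char action_str[KNI_SYMBOL_MAX];` is handed to `kni_maat_action_trans`, which (in kni_maat.cpp, later in this diff) fills it with an unbounded `strcpy`; nothing ties `KNI_SYMBOL_MAX` to the longest name the helper writes ("manipulate", 11 bytes including the terminator), and the constant's value is not visible here. Since this is C++, a one-line guard next to the buffer makes the dependency explicit, `static_assert(KNI_SYMBOL_MAX >= sizeof("manipulate"), "action_str too small for kni_maat_action_trans");`, or better, give the helper a length parameter so the check lives where the write happens. The rest of the log line is fine; data_opstate starts and ends outside this hunk.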
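Review bot: Dropping the initialiser leaves `g_maat_default_action` at 0 (`KNI_ACTION_NONE`) from process start until `MESA_load_profile_int_nodef` succeeds in `kni_maat_init`, and the updated comment only says it is read from the config file; nothing on the page shows the scan paths guarding against a handle used before or without that load. A short comment at the definition would make the expectation explicit, e.g. `/* 0 (KNI_ACTION_NONE) until kni_maat_init loads [maat] default_action; every scan miss and scan error returns this value. */`. Item 2 of the comment still describes a policy_id = 0 override of this global, but nothing in this diff implements it, so it is worth confirming the note still holds.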
@@ -89,8 +89,14 @@ struct kni_maat_handle* kni_maat_init(const char* profile, void *logger){
 KNI_LOG_ERROR(logger, "MESA_prof_load: compile_alias not set, profile is %s, section is %s", profile, section);
 goto error_out;
 }
+ ret = MESA_load_profile_int_nodef(profile, section, "default_action", &g_maat_default_action);
+ if(ret < 0){
+ KNI_LOG_ERROR(logger, "MESA_prof_load: default_action not set, profile is %s, section is %s", profile, section);
+ goto error_out;
+ }
 KNI_LOG_INFO(logger, "MESA_prof_load, [%s]:\n readconf_mode: %d\n tableinfo_path: %s\n tablename_intercept_ip: %s\n tablename_intercept_domain: %s\n"
- "compile_alias: %s\n", section, readconf_mode, tableinfo_path, tablename_intercept_ip, tablename_intercept_domain, compile_alias);
+ "compile_alias: %s\n default_action: %d", section, readconf_mode, tableinfo_path, tablename_intercept_ip,
+ tablename_intercept_domain, compile_alias, g_maat_default_action);
 feather = Maat_feather(g_iThreadNum, tableinfo_path, logger);
 handle = ALLOC(struct kni_maat_handle, 1);
 handle->feather = feather;
@@ -171,7 +177,7 @@ error_out:
 static int maat_process_scan_result(struct kni_maat_handle *handle, int num, struct Maat_rule_t *result, int *policy_id){
 //void *logger = handle->logger;
 int action = g_maat_default_action;
- *policy_id = 0; //默认动作是编译表中policy_id=0的字段,所以默认policy_id=0;
+ *policy_id = 0; //默认动作是编译表中policy_id=0的字段,所以默认policy_id=0;
 for(int i = 0; i < num; i++){
 action = result[i].action;
 *policy_id = result[i].config_id;
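Review bot: The value loaded into `g_maat_default_action` is used as-is: any integer the config contains becomes the default action, and an out-of-range value (a constructed example: 120 typed instead of 128) is not rejected until it surfaces as `unknown` in a debug log. Since this one value decides what happens to every session with no matching rule, I would validate it right after the load, e.g. `if(g_maat_default_action != KNI_ACTION_BYPASS && g_maat_default_action != KNI_ACTION_INTERCEPT){ KNI_LOG_ERROR(logger, "MESA_prof_load: default_action %d not supported", g_maat_default_action); goto error_out; }`, or check it against the full `enum kni_action` if more members are meant to be accepted. Minor: the new `KNI_LOG_INFO` format drops the trailing `\n` that every other field in that message has, so `default_action: %d` runs into whatever the logger appends. kni_maat_init continues outside this hunk.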
@@ -184,7 +190,7 @@ static int maat_process_scan_result(struct kni_maat_handle *handle, int num, str
 //TODO: Maat_rule_get_ex_new_index compile_ex_param_new: config_id = 0, 取action即为全局变量, 一旦配置更新就回调, tableinfo怎么写,回调表, 编译配置表
-int kni_maat_scan_ip(struct kni_maat_handle *handle, struct ipaddr *addr, int thread_seq, int *policy_id){
+int kni_maat_scan_ip(struct kni_maat_handle *handle, struct ipaddr *addr, int thread_seq, int *policy_id, int *maat_hit){
 //printf("default action is %d\n", g_maat_default_action);
 void *logger = handle->logger;
 struct Maat_rule_t result[KNI_MAAT_RULE_NUM_MAX];
@@ -195,6 +201,10 @@ int kni_maat_scan_ip(struct kni_maat_handle *handle, struct ipaddr *addr, int th
 KNI_LOG_ERROR(logger, "Failed at Maat_scan_proto_addr, ret is %d", ret);
 return g_maat_default_action;
 }
+ if(ret == 0){
+ return g_maat_default_action;
+ }
+ *maat_hit = 1;
 int action = maat_process_scan_result(handle, ret, result, policy_id);
 /*for debug
@@ -206,7 +216,7 @@ int kni_maat_scan_ip(struct kni_maat_handle *handle, struct ipaddr *addr, int th
 return action;
 }
-int kni_maat_scan_domain(struct kni_maat_handle* handle, char *domain, int domain_len, int thread_seq, int *policy_id){
+int kni_maat_scan_domain(struct kni_maat_handle* handle, char *domain, int domain_len, int thread_seq, int *policy_id, int *maat_hit){
 void *logger = handle->logger;
 struct Maat_rule_t result[KNI_MAAT_RULE_NUM_MAX]; //必须要初始化为NULL, 不懂为什么
@@ -217,6 +227,10 @@ int kni_maat_scan_domain(struct kni_maat_handle* handle, char *domain, int domai
 KNI_LOG_ERROR(logger, "Failed at Maat_full_scan_string, ret is %d", ret);
 return g_maat_default_action;
 }
+ if(ret == 0){
+ return g_maat_default_action;
+ }
+ *maat_hit = 1;
 int action = maat_process_scan_result(handle, ret, result, policy_id);
 //for debug
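Review bot: The early `if(ret == 0) return g_maat_default_action;` skips `maat_process_scan_result`, which is where `*policy_id = 0` used to be set for the no-match case (the old code reached it with num = 0); the identical block added to `kni_maat_scan_domain` in the last hunk of this line has the same effect. After an IP-rule match followed by a domain miss, the caller now gets the default action paired with the IP rule's `policy_id` and `*maat_hit == 1`, a triple the log line in kni_entry.cpp prints as if that rule had fired. Resetting in the early return keeps the old pairing: `if(ret == 0){ *policy_id = 0; return g_maat_default_action; }`. Both `kni_maat_scan_ip` and `kni_maat_scan_domain` extend beyond these hunks.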
@@ -229,3 +243,43 @@ int kni_maat_scan_domain(struct kni_maat_handle* handle, char *domain, int domai
 }
+/* action
+ 0x00: none
+ 0x01: monitor
+ 0x02: intercept
+ 0x10: reject
+ 0x30: Manipulate
+ 0x60: steer
+ 0x80: bypass
+*/
+int kni_maat_action_trans(int action, char *action_str){
+ switch(action){
+ case 0x00:
+ strcpy(action_str, "none");
+ break;
+ case 0x01:
+ strcpy(action_str, "monitor");
+ break;
+ case 0x02:
+ strcpy(action_str, "intercept");
+ break;
+ case 0x10:
+ strcpy(action_str, "reject");
+ break;
+ case 0x30:
+ strcpy(action_str, "manipulate");
+ break;
+ case 0x60:
+ strcpy(action_str, "steer");
+ break;
+ case 0x80:
+ strcpy(action_str, "bypass");
+ break;
+ default:
+ strcpy(action_str, "unknown");
+ break;
+ }
+ return 0;
+}
+
+
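Review bot: `kni_maat_action_trans` copies into `action_str` with `strcpy` and has no way to know the buffer's size; its only caller (kni_entry.cpp) passes a `KNI_SYMBOL_MAX` array, and nothing checks that constant against the 11 bytes "manipulate" needs. The function also always returns 0, so a caller cannot distinguish a known action from the `unknown` fallback, and it repeats the 0x00/0x02/0x80 literals for which kni_maat.h already defines `KNI_ACTION_NONE`, `KNI_ACTION_INTERCEPT` and `KNI_ACTION_BYPASS`; the action table comment is now duplicated verbatim between kni_maat.h and this file, so I would keep it in the header only. A table-driven version with an explicit length parameter addresses all of this (the prototype in kni_maat.h and the call in kni_entry.cpp gain a `sizeof action_str` argument; `snprintf` needs stdio, which the logging macros in this file very likely already pull in):
```cpp
/* Write the name of `action` into action_str (at most len bytes, always
 * NUL-terminated when len > 0). Returns 0 for a known action, -1 otherwise. */
int kni_maat_action_trans(int action, char *action_str, size_t len){
    static const struct { int code; const char *name; } names[] = {
        { KNI_ACTION_NONE,      "none"       },
        { 0x01,                 "monitor"    },
        { KNI_ACTION_INTERCEPT, "intercept"  },
        { 0x10,                 "reject"     },
        { 0x30,                 "manipulate" },
        { 0x60,                 "steer"      },
        { KNI_ACTION_BYPASS,    "bypass"     },
    };
    for(size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++){
        if(names[i].code == action){
            snprintf(action_str, len, "%s", names[i].name);
            return 0;
        }
    }
    snprintf(action_str, len, "%s", "unknown");
    return -1;
}
```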