1、批量write到tun,流量可以到达4-5Gbps左右,但是仍有丢包。2、细节参数待优化,通过配置文件指定

This commit is contained in:
liuyang
2018-11-26 09:10:54 +08:00
parent 9117a85409
commit 6bdd3d0ed0
9 changed files with 295 additions and 1793 deletions


@@ -1,6 +1,6 @@
CC = g++
CFLAGS = -g -Wall -fPIC
OBJECTS = kni_entry.o kni_comm.o kni_connect.o kni_ratelimit.o kni_replace.o
OBJECTS = kni_entry.o kni_comm.o kni_intercept.o kni_ratelimit.o kni_replace.o
TARGET = kni.so
#INCS = -I./inc
@@ -22,7 +22,7 @@ $(TARGET):$(OBJECTS)
kni_entry.o:kni_entry.c
kni_comm.o:kni_comm.c
kni_connect.o:kni_connect.c
kni_intercept.o:kni_intercept.c
kni_ratelimit.o:kni_ratelimit.c
kni_replace.o:kni_replace.c


@@ -16,32 +16,45 @@
const char *g_kni_fs2_name[FS2_COLUMN_NUM] =
{
"tcp/udp_entry",
"write_tun",
"read_tun",
"send_masio",
"whitelist_ip",
"whitelist_domain",
"http_protocol",
"ssl_protocol",
"droppkt_other",
"client_hello",
"ssl_sni",
"ipv6_option",
"not_in_htable",
"tcprepair_total",
"tcprepair_error",
"send_fds_succ",
"send_fds_error",
"pengding",
"close_timeout",
"close_fin",
"add_lqueue_succ",
"add_lqueue_err",
"get_lqueue_succ",
"get_lqueue_err",
"write_tun_succ",
"write_tun_err"
"TAPALL",
"UDP",
"IP",
"WHITE_IP",
"WHITE_DOMAIN",
"INTERCEPT",
"RATELIMIT",
"REPLACE",
"HTTP",
"SSL",
"NOT_PROC",
"TUN_WRITE",
"TUN_READ",
"SEND_MASION",
"CLIENT_HELLO",
"SSL_SNI(P)",
"D_IPV6_OPT",
"D_NOT_HTABLE",
"D_NOT_IPV4/6",
"D_NOT_IPV4/6",
"D_E_ADDHTABLE",
"D_OTHER",
"FD_TOTAL",
"FD_SOCKET_ERR",
"FD_ERROR",
"FD_JOINLQ_ERR",
"FD_GETLQ_ERR",
"FD_SEND_SUCC",
"FD_SEND_ERR",
"PKT_ADDLQ_SUC",
"PKT_ADDLQ_ERR",
"PKT_GETLQ_SUCC",
"PKT_GETLQ_ERR",
"PKT_WRITE_SUCC",
"PKT_WRITE_ERR",
"PENDING",
"CLOSE_TIMEOUT",
"CLOSE_FIN",
"REPLAY_WIN"
};
@@ -423,7 +436,7 @@ int kni_get_tcpopt(struct kni_tcp_hdr* tcphdr,int tcp_hdr_len,unsigned short* ms
}
char* kni_get_data(const struct streaminfo* pstream,int* datalen)
char* kni_get_payload(const struct streaminfo* pstream,int* datalen)
{
char* data=NULL;


@@ -7,38 +7,51 @@
#endif
#define FS2_COLUMN_NUM 26
#define FS2_COLUMN_NUM 39
#define FS2_APPNAME "KNI"
enum kni_FS_COLUME
{
FS2_COLUME_RECV=0,
FS2_COLUME_WRITE,
FS2_COLUME_READ,
FS2_COLUME_SEND,
FS2_COLUME_WITELIST_IP,
FS2_COLUME_WITELIST_DOMAIN,
FS2_COLUME_HTTP,
FS2_COLUME_SSL,
FS2_COLUME_DROPPKT,
FS2_COLUME_CLIENTHELLO,
FS2_COLUME_SNI,
FS2_COLUME_DROP_SAPP,
FS2_COLUME_DROP_TUN,
FS2_COLUME_TCPREPAIR_TOTAL,
FS2_COLUME_TCPREPAIR_ERROR,
FS2_COLUME_SENDTP_SUCC,
FS2_COLUME_SENDTP_ERROR,
FS2_COLUME_PENDING,
FS2_COLUME_CLOSE_TIMEOUT,
FS2_COLUME_CLOSE_FIN,
COLUME_TCPALL_ENTRY=0,
COLUME_UDP_ENTRY,
COLUME_IP_ENTRY,
COLUME_WITELIST_IP,
COLUME_WITELIST_DOMAIN,
COLUME_INTERCEPT,
COLUME_RATELIMIT,
COLUME_REPLACE,
COLUME_HTTP,
COLUME_SSL,
COLUME_TCP_NOT_HTTPSSL,
COLUME_TUN_WRITE,
COLUME_TUN_READ,
COLUME_SEND_PKT,
COLUME_CLIENTHELLO,
COLUME_SNI,
COLUME_DROP_IPV6OPT,
COLUME_DROP_NOIN_HTABLE,
COLUME_DROP_NOTIPV46_SAPP,
COLUME_DROP_NOTIPV46_TUN,
COLUME_DROP_ADDHTABLE_ERROR,
COLUME_DROPPKT_OTHER,
COLUME_TCPREPAIR_TOTAL,
COLUME_TCPREPAIR_SOCKET_ERR,
COLUME_TCPREPAIR_ERROR,
COLUME_TCPREPAIR_JOINLQ_ERR,
COLUME_TCPREPAIR_GETLQ_ERR,
COLUME_TCPREPAIR_SEND_SUCC,
COLUME_TCPREPAIR_SEND_ERR,
COLUME_ADD_LQUEUE_SUCC,
COLUME_ADD_LQUEUE_ERR,
COLUME_GET_LQUEUE_SUCC,
COLUME_GET_LQUEUE_ERR,
COLUME_WRITE_TUN_SUCC,
COLUME_WRITE_TUN_ERR
COLUME_WRITE_TUN_ERR,
COLUME_PENDING,
COLUME_CLOSE_TIMEOUT,
COLUME_CLOSE_FIN,
COLUME_REPLAY_WINDOW
};
@@ -66,7 +79,7 @@ int kni_get_ipaddr_v6(void* a_packet,struct stream_tuple4_v6* ipaddr);
int kni_get_tcpinfo(struct kni_wndpro_reply_info* lastpkt_info,struct kni_tcp_hdr* tcphdr,int tcplen);
int kni_get_tcpopt(struct kni_tcp_hdr* tcphdr,int tcp_hdr_len,unsigned short* mss,unsigned char* winscale,unsigned char* scak,unsigned char* timestamps);
char* kni_get_data(const struct streaminfo* pstream,int* datalen);
char* kni_get_payload(const struct streaminfo* pstream,int* datalen);
int kni_filestate2_set(int thread_seq,int colum_index,int bytes,int pktnum);
void* kni_filestat2(void* arg);
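Review bot: FS2_COLUMN_NUM at L110 is a hand-maintained count (39) that has to agree with both the enum below it and the g_kni_fs2_name array in kni_comm.c; this commit already had to change all three in step. Let the enum carry the count instead: append `COLUME_MAX` as the last enumerator after COLUME_REPLAY_WINDOW and define `#define FS2_COLUMN_NUM COLUME_MAX`, so adding a column only needs the enum entry and the name string. A short comment on the enum stating that its order must match g_kni_fs2_name would also help the next maintainer.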



@@ -1,24 +0,0 @@
#ifndef KNI_CONNECT_H
#define KNI_CONNECT_H
#define KNI_SENDFD_NUM 2
int kni_send_fds(int socket, int *fds, int n,int protocol);
//char tun_write_data(int fd,char* send_buf,int send_buflen,struct streaminfo* pstream,int thread_seq);
char tun_write_data(int fd,char* send_buf,int send_buflen,int thread_seq);
int init_domain_fd();
int init_kni_domain();
int init_kni_tun();
void* kni_read_tun(void* arg);
int kni_add_lqueue(int addrtype,int thread_seq,char* send_buf,int send_buflen);
int tcp_repair_process(const struct streaminfo* pstream,const void* a_packet,struct kni_pme_info* pmeinfo,int protocol);
#endif


@@ -10,7 +10,7 @@
int g_kni_version_VERSION_20181123_test;
int g_kni_version_VERSION_20181125_addlog;
struct kni_var_comm g_kni_comminfo;
struct kni_var_struct g_kni_structinfo;
@@ -118,6 +118,7 @@ int kni_scan_ip(struct ipaddr* addr,int thread_seq,int protocol,struct kni_pme_i
int kni_htable_add(const struct streaminfo* pstream,const void* a_packet,struct kni_pme_info* pmeinfo)
{
int ret = 0;
int iprevers=0;
struct stream_tuple4_v4 ipv4_addr;
struct stream_tuple4_v6 ipv6_addr;
@@ -126,7 +127,7 @@ int kni_htable_add(const struct streaminfo* pstream,const void* a_packet,struct
memset(datainfo,0,sizeof(struct kni_htable_datainfo));
//send pkt info
//send pkt info by self
if(iprevers==0)
{
datainfo->route_dir=pstream->routedir;
@@ -149,19 +150,30 @@ int kni_htable_add(const struct streaminfo* pstream,const void* a_packet,struct
}
//send wnd_pro_reply info
memcpy(&(datainfo->tcpopt_info),&(pmeinfo->tcpopt_info),KNI_DIR_DOUBLE*sizeof(struct kni_tcpopt_info));
// memcpy(&(datainfo->tcpopt_info),&(pmeinfo->tcpopt_info),KNI_DIR_DOUBLE*sizeof(struct kni_tcpopt_info));
memcpy(&(datainfo->lastpkt_info),&(pmeinfo->lastpkt_info),KNI_DIR_DOUBLE*sizeof(struct kni_wndpro_reply_info));
if(pstream->addr.addrtype == ADDR_TYPE_IPV4)
{
iprevers=kni_get_ipaddr_v4((void*)a_packet,&ipv4_addr);
MESA_htable_add(g_kni_structinfo.htable_to_tun_v4,(unsigned char*)&ipv4_addr,sizeof(struct stream_tuple4_v4),(void*)datainfo);
ret = MESA_htable_add(g_kni_structinfo.htable_to_tun_v4,(unsigned char*)&ipv4_addr,sizeof(struct stream_tuple4_v4),(void*)datainfo);
if(ret < 0)
{
kni_log_debug(RLOG_LV_INFO,(char*)"kni_htable_add",a_packet,"IPv4 MESA_htable_add() error,ret:%d",ret);
return -1;
}
}
else
{
iprevers=kni_get_ipaddr_v6((void*)a_packet,&ipv6_addr);
MESA_htable_add(g_kni_structinfo.htable_to_tun_v6,(unsigned char*)&ipv6_addr,sizeof(struct stream_tuple4_v6),(void*)datainfo);
ret = MESA_htable_add(g_kni_structinfo.htable_to_tun_v6,(unsigned char*)&ipv6_addr,sizeof(struct stream_tuple4_v6),(void*)datainfo);
if(ret < 0)
{
kni_log_debug(RLOG_LV_INFO,(char*)"kni_htable_add",a_packet,"IPv6 MESA_htable_add() error,ret:%d",ret);
return -1;
}
}
@@ -237,7 +249,7 @@ int kni_judge_ssl(int thread_seq,char* tcp_data,int tcp_datalen,char* sni,int* s
ssl_body_len+=1;
*clienthello_flag = 1;
kni_filestate2_set(thread_seq,FS2_COLUME_CLIENTHELLO,0,1);
kni_filestate2_set(thread_seq,COLUME_CLIENTHELLO,0,1);
// memcpy(&len_in_body,&ssl_body[ssl_body_len],3);
@@ -291,7 +303,7 @@ int kni_judge_ssl(int thread_seq,char* tcp_data,int tcp_datalen,char* sni,int* s
if(type_in_extension==SSL_EXTENSION_TYPE_SNI)
{
*sni_flag = 1;
kni_filestate2_set(thread_seq,FS2_COLUME_SNI,0,1);
kni_filestate2_set(thread_seq,COLUME_SNI,0,1);
if(len_in_extension>KNI_SNI_MAXLEN)
{
@@ -347,12 +359,12 @@ int kni_protocol_identify(const struct streaminfo* pstream,const void* a_packet,
if(kni_judge_http(pstream,domain,domain_len)==1)
{
kni_filestate2_set(pstream->threadnum,FS2_COLUME_HTTP,0,1);
kni_filestate2_set(pstream->threadnum,COLUME_HTTP,0,1);
return KNI_FLAG_HTTP;
}
else if(kni_judge_ssl(pstream->threadnum,tcp_data,tcp_datalen,domain,domain_len,&clienthello_flag,&sni_flag)==KNI_FLAG_SSL)
{
kni_filestate2_set(pstream->threadnum,FS2_COLUME_SSL,0,1);
kni_filestate2_set(pstream->threadnum,COLUME_SSL,0,1);
return KNI_FLAG_SSL;
}
//modify by liuyang 20180911 for client_hello but no sni
@@ -423,13 +435,14 @@ char kni_first_tcpdata(const struct streaminfo* pstream,const void* a_packet,str
switch(pmeinfo->action)
{
case KNI_ACTION_WHITELIST:
kni_filestate2_set(pstream->threadnum,FS2_COLUME_WITELIST_DOMAIN,0,1);
kni_filestate2_set(pstream->threadnum,COLUME_WITELIST_DOMAIN,0,1);
kni_log_info((char*)KNI_MODULE_INFO,&(pstream->addr),pmeinfo->protocol,domain,(char*)"WHITE_LIST_DOMAIN",(char*)"BYPASS",pmeinfo);
pmeinfo->protocol=KNI_FLAG_NOTPROC;
return ret;
case KNI_ACTION_RATELIMIT:
kni_filestate2_set(pstream->threadnum,COLUME_RATELIMIT,0,1);
kni_log_info((char*)KNI_MODULE_INFO,&(pstream->addr),pstream->type,NULL,(char*)"RATELIMITE",(char*)"RATELIMITE",pmeinfo);
ret = kni_process_ratelimit(pstream->threadnum,a_packet,pmeinfo);
return ret;
@@ -451,8 +464,13 @@ char kni_first_tcpdata(const struct streaminfo* pstream,const void* a_packet,str
}
// kni_get_keyring(pmeinfo);
kni_htable_add(pstream,a_packet,pmeinfo);
kni_filestate2_set(pstream->threadnum,COLUME_INTERCEPT,0,1);
if(kni_htable_add(pstream,a_packet,pmeinfo) < 0)
{
kni_filestate2_set(pstream->threadnum,COLUME_DROP_ADDHTABLE_ERROR,0,1);
return ret;
}
clock_gettime(CLOCK_MONOTONIC, &start);
@@ -467,7 +485,6 @@ char kni_first_tcpdata(const struct streaminfo* pstream,const void* a_packet,str
MESA_handle_runtime_log(g_kni_comminfo.logger,RLOG_LV_INFO,"tcp_repair_process","tcp_repair_process() error!");
return ret;
}
clock_gettime(CLOCK_MONOTONIC, &end);
@@ -481,6 +498,7 @@ char kni_first_tcpdata(const struct streaminfo* pstream,const void* a_packet,str
}
else
{
kni_filestate2_set(pstream->threadnum,COLUME_TCP_NOT_HTTPSSL,0,1);
kni_log_info((char*)KNI_MODULE_INFO,&(pstream->addr),pmeinfo->protocol,NULL,(char*)"NOT_HTTP_SSL",(char*)"BYPASS",pmeinfo);
}
@@ -504,7 +522,7 @@ char kni_pending_opstate(const struct streaminfo* pstream,struct kni_pme_info* p
struct kni_ipv6_hdr* ipv6_hdr = NULL;
struct kni_tcp_hdr* tcphdr=NULL;
data=kni_get_data(pstream,&datalen);
data=kni_get_payload(pstream,&datalen);
if(pstream->addr.addrtype==ADDR_TYPE_IPV4)
{
@@ -522,6 +540,7 @@ char kni_pending_opstate(const struct streaminfo* pstream,struct kni_pme_info* p
}
else
{
kni_filestate2_set(thread_seq,COLUME_DROP_NOTIPV46_SAPP,0,1);
return ret;
}
@@ -530,7 +549,7 @@ char kni_pending_opstate(const struct streaminfo* pstream,struct kni_pme_info* p
if(pmeinfo->action==KNI_ACTION_WHITELIST)
{
kni_log_info((char*)KNI_MODULE_INFO,&(pstream->addr),0,NULL,(char*)"WHITE_LIST_IP",(char*)"BYPASS",pmeinfo);
kni_filestate2_set(thread_seq,FS2_COLUME_WITELIST_IP,0,1);
kni_filestate2_set(thread_seq,COLUME_WITELIST_IP,0,1);
return ret;
}
@@ -589,7 +608,7 @@ char kni_data_opstate(const struct streaminfo* pstream,struct kni_pme_info* pmei
struct kni_ipv6_hdr* ipv6_hdr = NULL;
struct kni_tcp_hdr* tcphdr=NULL;
data=kni_get_data(pstream,&datalen);
data=kni_get_payload(pstream,&datalen);
if(pstream->addr.addrtype==ADDR_TYPE_IPV4)
{
@@ -607,6 +626,7 @@ char kni_data_opstate(const struct streaminfo* pstream,struct kni_pme_info* pmei
}
else
{
kni_filestate2_set(thread_seq,COLUME_DROP_NOTIPV46_SAPP,0,1);
return ret;
}
@@ -633,6 +653,7 @@ char kni_data_opstate(const struct streaminfo* pstream,struct kni_pme_info* pmei
if((pmeinfo->action == KNI_ACTION_MONITOR) && ((pmeinfo->protocol==KNI_FLAG_HTTP)||(pmeinfo->protocol==KNI_FLAG_SSL)))
{
kni_filestate2_set(pstream->threadnum,COLUME_INTERCEPT,0,1);
kni_add_lqueue(ADDR_TYPE_IPV4,thread_seq,(char*)a_packet,iplen);
// ret=tun_write_data(g_kni_comminfo.fd_tun[thread_seq],(char*)a_packet,iplen,(struct streaminfo*)pstream,thread_seq);
}
@@ -701,7 +722,7 @@ extern "C" char kni_udp_entry(const struct streaminfo* pstream,void** pme,int th
}
kni_filestate2_set(thread_seq,FS2_COLUME_RECV,0,1);
kni_filestate2_set(thread_seq,COLUME_UDP_ENTRY,0,1);
switch(pstream->opstate)
{
@@ -755,18 +776,18 @@ extern "C" char kni_tcpall_entry(const struct streaminfo* pstream,void** pme,int
if((a_packet != NULL) && (ipv6_hdr->ip6_nex_hdr != NEXTHDR_TCP))
{
kni_filestate2_set(thread_seq,FS2_COLUME_DROP_SAPP,0,1);
kni_filestate2_set(thread_seq,COLUME_DROP_IPV6OPT,0,1);
return ret;
}
}
kni_filestate2_set(thread_seq,FS2_COLUME_RECV,0,1);
kni_filestate2_set(thread_seq,COLUME_TCPALL_ENTRY,0,1);
switch(pstream->pktstate)
{
case OP_STATE_PENDING:
kni_filestate2_set(thread_seq,FS2_COLUME_PENDING,0,1);
kni_filestate2_set(thread_seq,COLUME_PENDING,0,1);
kni_init_pmeinfo(pme);
ret=kni_pending_opstate(pstream,(struct kni_pme_info*)*pme,thread_seq,a_packet,PROTO_TYPE_TCP);
break;
@@ -778,11 +799,11 @@ extern "C" char kni_tcpall_entry(const struct streaminfo* pstream,void** pme,int
case OP_STATE_CLOSE:
if(a_packet == NULL)
{
kni_filestate2_set(thread_seq,FS2_COLUME_CLOSE_TIMEOUT,0,1);
kni_filestate2_set(thread_seq,COLUME_CLOSE_TIMEOUT,0,1);
}
else
{
kni_filestate2_set(thread_seq,FS2_COLUME_CLOSE_FIN,0,1);
kni_filestate2_set(thread_seq,COLUME_CLOSE_FIN,0,1);
}
ret=kni_close_opstate(pstream,(struct kni_pme_info*)*pme,thread_seq,a_packet,PROTO_TYPE_TCP);
@@ -832,6 +853,8 @@ extern "C" char kni_ipv4_entry(const struct streaminfo *pstream,unsigned char ro
return APP_STATE_DROPME;
}
kni_filestate2_set(thread_seq,COLUME_IP_ENTRY,0,1);
char ret = APP_STATE_GIVEME;
scan_status_t mid = NULL;
@@ -889,6 +912,8 @@ extern "C" char kni_ipv6_entry(const struct streaminfo *pstream,unsigned char ro
{
return ret;
}
kni_filestate2_set(thread_seq,COLUME_IP_ENTRY,0,1);
addr.addrtype = ADDR_TYPE_IPV6;
@@ -1015,7 +1040,6 @@ int init_profile_info()
MESA_load_profile_int_def((char*)KNI_CONF_FILENAME,(char*)KNI_CONF_MODE,(char*)"ratelimit_switch",&(g_kni_switch_info.ratelimit_switch),1);
MESA_load_profile_int_def((char*)KNI_CONF_FILENAME,(char*)KNI_CONF_MODE,(char*)"replace_switch",&(g_kni_switch_info.replace_switch),1);
MESA_load_profile_int_def((char*)KNI_CONF_FILENAME,(char*)KNI_CONF_MODE,(char*)"sendpkt_mode",&(g_kni_switch_info.sendpkt_mode),0);
MESA_load_profile_string_def((char*)KNI_CONF_FILENAME,(char*)KNI_CONF_MODE,(char*)"tun_name",g_kni_comminfo.tun_name,KNI_CONF_MAXLEN,"tun0");
MESA_load_profile_string_def((char*)KNI_CONF_FILENAME,(char*)KNI_CONF_MODE,(char*)"domain_path",g_kni_comminfo.domain_path,KNI_CONF_MAXLEN,"/home/server_unixsocket_file");
MESA_load_profile_int_def((char*)KNI_CONF_FILENAME,(char*)KNI_CONF_MODE,(char*)"socketopt_mark",&(g_kni_comminfo.mark),101);
@@ -1150,7 +1174,7 @@ int init_kni_dyn_maat_info()
}
int init_kni_maat_info()
int init_kni_static_maat_info()
{
int ret = 0;
@@ -1261,19 +1285,19 @@ int init_kni_sendpkt()
kni_read_cardname();
g_kni_comminfo.ipv4_fd=(int*)malloc(g_kni_comminfo.thread_num*sizeof(int));
g_kni_comminfo.fd_sendpkt=(int*)malloc(g_kni_comminfo.thread_num*sizeof(int));
for(i=0;i<g_kni_comminfo.thread_num;i++)
{
// g_kni_comminfo.ipv4_fd[i]=socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
g_kni_comminfo.ipv4_fd[i]=socket(AF_PACKET,SOCK_RAW,htons(ETH_P_IP));
if(g_kni_comminfo.ipv4_fd[i]<0)
g_kni_comminfo.fd_sendpkt[i]=socket(AF_PACKET,SOCK_RAW,htons(ETH_P_IP));
if(g_kni_comminfo.fd_sendpkt[i]<0)
{
MESA_handle_runtime_log(g_kni_comminfo.logger, RLOG_LV_FATAL,KNI_MODULE_INIT,"ipv4_raw_socket error,i:%d,action:%s",i,KNI_ACTION_EXIT);
return -1;
}
g_kni_threadseq[i]=i;
pthread_create(&pid_read_tun,NULL,kni_read_tun,&(g_kni_threadseq[i]));
pthread_create(&pid_read_tun,NULL,pthread_process_tun,&(g_kni_threadseq[i]));
}
@@ -1281,7 +1305,7 @@ int init_kni_sendpkt()
}
int kni_init_lqueue()
int init_kni_lqueue()
{
int i=0;
@@ -1294,7 +1318,7 @@ int kni_init_lqueue()
for(i=0;i<g_iThreadNum;i++)
{
g_kni_structinfo.lqueue_write_tun[i] = MESA_lqueue_create(0,KNI_LQUEUE_MAXNUM);
g_kni_structinfo.lqueue_write_tun[i] = MESA_lqueue_create(KNI_THREAD_SAFE,KNI_LQUEUE_MAXNUM);
if(g_kni_structinfo.lqueue_write_tun[i] == NULL)
{
MESA_handle_runtime_log(g_kni_comminfo.logger, RLOG_LV_FATAL,KNI_MODULE_INIT,"MESA_lqueue_create() error for lqueue_write_tun,thread_num:%d,action:%s",i,KNI_ACTION_EXIT);
@@ -1308,66 +1332,55 @@ int kni_init_lqueue()
extern "C" char kni_init()
{
int ret=0;
pthread_t pid_kni_filestat2;
inet_aton((const char *)&LOCAL_IP_ADDR,(struct in_addr*)&g_kni_comminfo.local_ip);
init_profile_info();
ret=init_kni_runtimelog();
if(ret < 0)
if(init_kni_runtimelog() < 0)
{
return -1;
}
ret = init_kni_project();
if(ret < 0)
{
return -1;
}
ret = init_kni_maat_info();
if(ret < 0)
{
return -1;
}
ret = init_kni_dyn_maat_info();
if(ret < 0)
{
return -1;
}
ret=init_kni_stat_htable();
if(ret<0)
if(init_kni_project() < 0)
{
return -1;
}
ret = kni_init_lqueue();
if(ret<0)
if(init_kni_static_maat_info() < 0)
{
return -1;
}
ret = init_kni_tun();
if(ret < 0)
if(init_kni_dyn_maat_info() < 0)
{
return -1;
}
init_kni_domain();
if(init_kni_stat_htable() < 0)
{
return -1;
}
ret = init_kni_sendpkt();
if(ret < 0)
if(init_kni_lqueue() < 0)
{
return -1;
}
if(init_kni_tun() < 0)
{
return -1;
}
init_kni_unixdomain();
if(init_kni_sendpkt() < 0)
{
return -1;
}
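Review bot: The two new error returns in kni_htable_add (L237 and L248) leave `datainfo` behind: the memset at L217 writes through it as a pointer, so if it was heap-allocated earlier in the function (that part is outside the hunk) every failed MESA_htable_add now leaks one struct kni_htable_datainfo. Add `free(datainfo);` immediately before each `return -1;`, or route both branches through one cleanup label. The rest of kni_htable_add, including its allocation and its end, lies outside the hunk. Separately, in kni_init the renamed `init_kni_unixdomain();` at L515 is still the only init call whose result is ignored while every neighbour now checks `< 0`; if it returns an int as the old init_kni_domain did, `if(init_kni_unixdomain() < 0) { return -1; }` keeps the sequence consistent.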


@@ -10,7 +10,7 @@
#include "field_stat2.h"
#include "Maat_rule.h"
#include "kni_comm.h"
#include "kni_connect.h"
#include "kni_intercept.h"
#include "kni_ratelimit.h"
@@ -39,7 +39,7 @@
#define TH_URG 0x20
#endif
//#define KNI_DEBUG_TCPREPAIR 1
//#define KNI_DEBUG_TCPREPAIR 1
//#define KNI_DEBUG_KEEPALIVE 1
@@ -48,17 +48,11 @@
#define KNI_ETHER_LEN 14
#define TCPHDR_DEFAULT_LEN 20
//only for get domain_len
#define KNI_DEFAULT_MTU 1500
#define LOCAL_IP_ADDR "192.168.100.1"
//for read config and packet
#define KNI_MAX_BUFLEN 2000
//fds index
#define KNI_FDS_NUM 3
#define KNI_FDS_INDEX_CLIENT 0
#define KNI_FDS_INDEX_SERVER 1
#define KNI_FDS_INDEX_PROTOCOL 2
//work module
#define KNI_MODE_WORK 0
@@ -67,7 +61,7 @@
//runtime log
#define KNI_MODULE_INIT "kni_init"
#define KNI_MODULE_READTUN "kni_read_tun"
#define KNI_MODULE_READTUN "pthread_process_tun"
#define KNI_MODULE_SENDPKT "kni_sendpkt"
#define KNI_MODULE_WRITETUN "kni_write_tun"
#define KNI_MODULE_IPENTRY "kni_process"
@@ -89,8 +83,6 @@
#define PROTO_TYPE_TCP 6
#define PROTO_TYPE_UDP 17
#define KNI_DEFAULT_WINSCLE 0
#define KNI_DEFAULT_MSS 1460
//maat
#define KNI_ACTION_NONE 0x00
@@ -101,15 +93,12 @@
#define KNI_ACTION_HALFHIT -2
#define KNI_MAX_SAMENUM 10
#define KNI_TABLENAME_AREA "USER_AREA"
#define KNI_TABLENAME_IP "WHITE_LIST_IP"
#define KNI_TABLENAME_DOMAIN "WHITE_LIST_DOMAIN"
#define KNI_TABLENAME_PKTBIN "PXY_INTERCEPT_PKT_BIN"
#define KNI_TABLENAME_DNY_DOMAIN "IPD_RELATED_DOMAIN"
#define KNI_READCONF_IRIS 0
#define KNI_READCONF_JSON 1
#define KNI_READCONF_REDIS 2
@@ -153,6 +142,9 @@
#define KNI_MACADDR_LEN 6
//default tcp opt
#define KNI_DEFAULT_WINSCLE 0
#define KNI_DEFAULT_MSS 1460
//tcp opt type
@@ -174,11 +166,6 @@
#define KNI_SERVICE_LEN 4096
/*
#define KNI_TLV_TYPE_PRO 0x01
#define KNI_TLV_VALUE_HTTP 0x01
#define KNI_TLV_VALUE_SSL 0x02
*/
//tlv info
@@ -212,6 +199,7 @@ struct kni_tlv_info
// uint8_t value[0];
};
struct kni_lqueue_datainfo
{
int client_fd;
@@ -235,8 +223,8 @@ enum kni_flag
KNI_FLAG_HTTP,
KNI_FLAG_SSL,
KNI_FLAG_OUTUSER,
KNI_FLAG_IPBMD,
KNI_FLAG_SNIBMD,
KNI_FLAG_WHITELIST_IP,
KNI_FLAG_WHITELIST_DOMAIN,
KNI_FLAG_DROP,
KNI_FLAG_NOTPROC,
};
@@ -259,26 +247,6 @@ struct kni_http_project
};
//htable_data_info ipv6
struct datainfo_to_tun
{
int state_flag;
int route_dir;
unsigned int mss;
unsigned char smac[KNI_MACADDR_LEN];
unsigned char dmac[KNI_MACADDR_LEN];
};
struct args_to_tun
{
void* a_packet; //[IN] set fs's tcp_state
char* tcpdata; //[IN] judge ssl and get sni
int tcpdata_len; //[IN] judge ssl and get sni
int thread_seq; //[IN] arg
int routdir; //[IN] add datainfo
int iprevers;
};
//global variable
//comm
@@ -289,14 +257,13 @@ struct kni_var_comm
int thread_num;
int fd_domain;
int mark;
unsigned int local_ip;
char tun_name[KNI_CONF_MAXLEN];
char domain_path[KNI_CONF_MAXLEN];
char card_in[KNI_CONF_MAXLEN];
char card_out[KNI_CONF_MAXLEN];
int* fd_tun;
void* logger;
int* ipv4_fd;
int* fd_sendpkt;
};
//htable and lqueue
@@ -304,7 +271,6 @@ struct kni_var_struct
{
MESA_htable_handle htable_to_tun_v4;
MESA_htable_handle htable_to_tun_v6;
MESA_htable_handle htable_to_io_v6;
MESA_lqueue_head lqueue_send_fds;
MESA_lqueue_head lqueue_write_tun[KNI_MAX_THREADNUM];
};
@@ -322,6 +288,128 @@ struct kni_var_maat
};
//for get tcp option
struct kni_tcp_opt_format
{
char type;
char len;
char content[32];
};
struct common_tcp_opt
{
unsigned char sack_ok;
unsigned char wnscale;
unsigned short mss; //host order
unsigned int timestamp;
};
struct kni_wndpro_reply_info
{
unsigned int seq; //host order
unsigned int ack; //host order
unsigned int syn_flag;
unsigned int len; //tcp payload len:host order
unsigned short wndsize; //host order
};
struct kni_tcpopt_info
{
unsigned short mss; //host order
unsigned char wnscal; //host order
unsigned char sack;
unsigned char timestamps;
};
//tcp retelimit config
struct kni_ratelimit_info
{
int molecule;
int denominator;
};
//tcpall/udp_entry pmeinfo
struct kni_pme_info
{
int action;
int cfg_id;
int keyring_id;
int ipsscan_action;
int protocol;
int maat_result_num;
int ser_def_len;
int client_fd; //only for log,not real fd
int server_fd; //only for log,not read fd
scan_status_t mid;
char service_defined[KNI_SERVICE_LEN]; //for replace and ratelimited
struct kni_ratelimit_info ratelimit_info;
struct kni_tcpopt_info tcpopt_info[KNI_DIR_DOUBLE]; //for monitor,tcp repair
struct kni_wndpro_reply_info lastpkt_info[KNI_DIR_DOUBLE]; //for monitor,reply windows update
};
//htable_data_info ipv4
struct kni_htable_datainfo
{
//for sendpkt
int route_dir;
unsigned char smac[KNI_MACADDR_LEN];
unsigned char dmac[KNI_MACADDR_LEN];
//send wnd pro reply
int wndpro_flag[KNI_DIR_DOUBLE];
struct kni_wndpro_reply_info lastpkt_info[KNI_DIR_DOUBLE];
};
//set tcp repair info
struct kni_tcp_state
{
struct sockaddr* src_addr;
struct sockaddr* dst_addr;
unsigned int seq;
unsigned int ack;
unsigned short win;
unsigned short mss_src;
unsigned short mss_dst;
unsigned char wscale_src;
unsigned char wscale_dst;
unsigned char sack_src;
unsigned char sack_dst;
unsigned char timestamps_src;
unsigned char timestamps_dst;
};
struct args_read_tun
{
int thread_seq; //in
int iprevers; //in
int iplen; //in
int routdir; //out
char* a_packet; //in
unsigned char smac[KNI_MACADDR_LEN]; //out
unsigned char dmac[KNI_MACADDR_LEN]; //ouit
};
/*
#ifndef TCP_REPAIR_WINDOW
#define TCP_REPAIR_WINDOW 29
#endif
struct tcp_repair_window {
__u32 snd_wl1;
__u32 snd_wnd;
__u32 max_window;
__u32 rcv_wnd;
__u32 rcv_wup;
};
*/
//as same as sapp
#define NEXTHDR_HOP 0 /* Hop-by-hop option header. */
#define NEXTHDR_IPIP 4 /* IPIP header. */
#define NEXTHDR_TCP 6 /* TCP segment. */
@@ -379,130 +467,6 @@ struct kni_tcp_hdr
unsigned short th_urp;
};
struct kni_tcp_opt_format
{
char type;
char len;
char content[32];
};
struct common_tcp_opt
{
unsigned char sack_ok;
unsigned char wnscale;
unsigned short mss; //host order
unsigned int timestamp;
};
struct kni_wndpro_reply_info
{
unsigned int seq; //host order
unsigned int ack; //host order
unsigned int syn_flag;
unsigned int len; //tcp payload len:host order
unsigned short wndsize; //host order
};
struct kni_tcpopt_info
{
unsigned short mss; //host order
unsigned char wnscal; //host order
unsigned char sack;
unsigned char timestamps;
};
struct kni_ratelimit_info
{
int molecule;
int denominator;
};
struct kni_pme_info
{
int action;
int cfg_id;
int keyring_id;
int ipsscan_action;
int protocol;
int maat_result_num;
int ser_def_len;
int client_fd; //only for log,not real fd
int server_fd; //only for log,not read fd
scan_status_t mid;
char service_defined[KNI_SERVICE_LEN]; //for replace and ratelimited
struct kni_ratelimit_info ratelimit_info;
struct kni_tcpopt_info tcpopt_info[KNI_DIR_DOUBLE]; //for monitor,tcp repair
struct kni_wndpro_reply_info lastpkt_info[KNI_DIR_DOUBLE]; //for monitor,reply windows update
struct Maat_rule_t maat_result[KNI_MAX_SAMENUM];
};
//htable_data_info ipv4
struct kni_htable_datainfo
{
//for sendpkt
int route_dir;
unsigned char smac[KNI_MACADDR_LEN];
unsigned char dmac[KNI_MACADDR_LEN];
//send wnd pro reply
int wndpro_flag[KNI_DIR_DOUBLE];
struct kni_tcpopt_info tcpopt_info[KNI_DIR_DOUBLE];
struct kni_wndpro_reply_info lastpkt_info[KNI_DIR_DOUBLE];
};
//set tcp repair info
struct kni_tcp_state
{
struct sockaddr* src_addr;
struct sockaddr* dst_addr;
unsigned int seq;
unsigned int ack;
unsigned short win;
unsigned short mss_src;
unsigned short mss_dst;
unsigned char wscale_src;
unsigned char wscale_dst;
unsigned char sack_src;
unsigned char sack_dst;
unsigned char timestamps_src;
unsigned char timestamps_dst;
};
struct args_read_tun
{
int thread_seq; //in
int iprevers; //in
int iplen; //in
int routdir; //out
char* a_packet; //in
unsigned char smac[KNI_MACADDR_LEN]; //out
unsigned char dmac[KNI_MACADDR_LEN]; //ouit
};
/*
#ifndef TCP_REPAIR_WINDOW
#define TCP_REPAIR_WINDOW 29
#endif
struct tcp_repair_window {
__u32 snd_wl1;
__u32 snd_wnd;
__u32 max_window;
__u32 rcv_wnd;
__u32 rcv_wup;
};
*/
extern struct kni_var_comm g_kni_comminfo;
extern struct kni_var_struct g_kni_structinfo;
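Review bot: The rebuilt struct kni_pme_info (L691–L707) drops the `struct Maat_rule_t maat_result[KNI_MAX_SAMENUM]` member that the old definition had (L814) but keeps `int maat_result_num;` at L698; if nothing fills that count any more it should go with the array, and if it is still set somewhere a one-line comment saying what it now counts would stop readers looking for the missing array. The `KNI_MAX_SAMENUM` define and the `Maat_rule.h` include survive, so it is not clear from this diff which of the two was intended. Also, the comment on the moved struct args_read_tun still reads `//ouit` at L744; it should be `unsigned char dmac[KNI_MACADDR_LEN]; //out`.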


@@ -87,6 +87,8 @@ char kni_process_ratelimit(int thread_seq,const void* a_packet,struct kni_pme_in
return APP_STATE_DROPME;
}
kni_filestate2_set(thread_seq,COLUME_RATELIMIT,0,1);
char ret = APP_STATE_GIVEME;
struct kni_ratelimit_info* ratelimit_info = &(pmeinfo->ratelimit_info);
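Review bot: COLUME_RATELIMIT is now counted twice for one packet on the first-data path: kni_first_tcpdata in kni_entry.c increments it at L289 right before calling kni_process_ratelimit, and this hunk increments it again at L875 inside that function. Keep one of the two; counting here is the more useful choice because it covers every caller, but note it then excludes packets rejected by the early `return APP_STATE_DROPME;` just above. kni_process_ratelimit begins before this hunk, so the guard's condition is not visible here.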


@@ -134,6 +134,8 @@ char kni_process_replace(unsigned char dir,int thread_seq,const void* a_packet,s
}
kni_filestate2_set(thread_seq,COLUME_REPLACE,0,1);
// char ret = APP_STATE_DROPPKT | APP_STATE_DROPME;
char ret = APP_STATE_DROPPKT | APP_STATE_GIVEME;