gfwleak/tango-kni
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

TSG-1484:将tfe 的dynamic bypass 移至kni

Browse Source
This commit is contained in:
fumingwei
2020-06-15 17:15:08 +08:00
parent 5bb0baa47a
commit 717f066b55
5 changed files with 1180 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

517
entry/src/kni_entry.cpp
View File

@@ -19,6 +19,7 @@ bypass: drome: pme_new_fail: destroy_pme
#include "tfe_mgr.h"
#include "tsg/tsg_rule.h"
#include "tsg/tsg_send_log.h"
#include "ssl_utils.h"
#ifdef __cplusplus
extern "C" {
@@ -41,6 +42,8 @@ int *arr_last_tfe_dispatch_index = NULL;
#define CALLER_SAPP 0
#define CALLER_TFE 1
#define SSL_INFO_LEN 2048
enum intercept_error{
INTERCEPT_ERROR_ASYM_ROUTING = -1,
INTERCEPT_ERROR_NO_SYN = -2,
@@ -128,6 +131,9 @@ struct pme_info{
struct dup_traffic_dabloom_key *syn_packet;
struct dup_traffic_dabloom_key *syn_ack_packet;
struct _traffic_info traffic_info;
//for kni dynamic bypass
int thread_seq;
int is_dynamic_bypass;
};
struct wrapped_packet{
@@ -166,6 +172,7 @@ struct thread_tfe_cmsg_receiver_args{
struct per_thread_handle{
MESA_htable_handle tuple2stream_htable;
MESA_htable_handle traceid2sslinfo_htable;
struct expiry_dablooms_handle *dabloom_handle;
};
@@ -194,6 +201,7 @@ struct kni_handle{
char dst_mac_addr[6];
int *arr_last_tfe_dispatch_index;
int secpolicyid_evenflow_self_check;
MESA_htable_handle sslinfo2bypass_htable;
};
struct traceid2pme_search_cb_args{
@@ -201,6 +209,11 @@ struct traceid2pme_search_cb_args{
void *logger;
};
struct dynamic_bypass_ssl_feature{
char value[SSL_INFO_LEN];
size_t vlen;
};
static char* stream_errmsg_session_record(enum intercept_error _errno){
switch(_errno){
case INTERCEPT_ERROR_ASYM_ROUTING:
@@ -928,6 +941,298 @@ static void traceid2pme_htable_del(struct pme_info *pmeinfo){
}
}
static int dabloom_add(struct pkt_info *pktinfo, int thread_seq){
void *logger = g_kni_handle->local_logger;
struct dup_traffic_dabloom_key bloom_key;
memset(&bloom_key, 0, sizeof(bloom_key));
dup_traffic_dabloom_key_get(pktinfo, &bloom_key);
int ret = expiry_dablooms_add(g_kni_handle->threads_handle[thread_seq].dabloom_handle, (const char*)&bloom_key, sizeof(bloom_key));
if(ret < 0){
KNI_LOG_ERROR(logger, "Failed at expiry_dablooms_add, errmsg = %s", expiry_dablooms_errno_trans((enum expiry_dablooms_errno)ret));
FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_BLOOM_ADD_FAIL], 0, FS_OP_ADD, 1);
}
//FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_BLOOM_ADD_SUCC], 0, FS_OP_ADD, 1);
uint64_t count = 0;
expiry_dablooms_element_count_get(g_kni_handle->threads_handle[thread_seq].dabloom_handle, &count);
FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->line_ids[0], g_kni_fs_handle->column_ids[thread_seq], FS_OP_SET, count);
return ret;
}
int stream_addr_str_split(char* addr_str, const char** sip, const char** sport, const char** dip, const char** dport)
{
const char* seps=" ";
char* saveptr=NULL, *subtoken=NULL, *str=NULL;
int i=0;
for (str = addr_str, i=0; ; str = NULL, i++)
{
subtoken = strtok_r(str, seps, &saveptr);
if (subtoken == NULL)
break;
switch(i)
{
case 0:
if(sip!=NULL) *sip=subtoken;
break;
case 1:
if(sport!=NULL) *sport=subtoken;
break;
case 2:
if(dip!=NULL) *dip=subtoken;
break;
case 3:
if(dport!=NULL) *dport=subtoken;
break;
default:
return -1;
break;
}
}
return 0;
}
char * stream_addr_to_str(struct pme_info *pmeinfo,struct pkt_info *pktinfo)
{
char * __str_ret = NULL;
if(pmeinfo==NULL || pktinfo == NULL) return NULL;
if (pmeinfo->addr_type == ADDR_TYPE_IPV4)
{
char __src_addr[INET_ADDRSTRLEN];
char __dst_addr[INET_ADDRSTRLEN];
uint16_t __src_port;
uint16_t __dst_port;
if(pktinfo->iphdr.v4->saddr < pktinfo->iphdr.v4->daddr){
__src_port = ntohs((uint16_t) pmeinfo->stream->addr.tuple4_v4->source);
__dst_port = ntohs((uint16_t) pmeinfo->stream->addr.tuple4_v4->dest);
inet_ntop(AF_INET, &(pmeinfo->stream->addr.tuple4_v4->saddr), __src_addr, sizeof(__src_addr));
inet_ntop(AF_INET, &(pmeinfo->stream->addr.tuple4_v4->daddr), __dst_addr, sizeof(__dst_addr));
}
else
{
__src_port = ntohs((uint16_t) pmeinfo->stream->addr.tuple4_v4->dest);
__dst_port = ntohs((uint16_t) pmeinfo->stream->addr.tuple4_v4->source);
inet_ntop(AF_INET, &(pmeinfo->stream->addr.tuple4_v4->daddr), __src_addr, sizeof(__src_addr));
inet_ntop(AF_INET, &(pmeinfo->stream->addr.tuple4_v4->saddr), __dst_addr, sizeof(__dst_addr));
}
asprintf(&__str_ret, "%s %u %s %u", __src_addr, __src_port, __dst_addr, __dst_port);
}
if (pmeinfo->addr_type == ADDR_TYPE_IPV6)
{
char __src_addr[INET6_ADDRSTRLEN];
char __dst_addr[INET6_ADDRSTRLEN];
uint16_t __src_port;
uint16_t __dst_port;
if(memcmp((void*)&(pktinfo->iphdr.v6->ip6_src), (void*)&(pktinfo->iphdr.v6->ip6_dst), IPV6_ADDR_LEN) < 0){
__src_port = ntohs((uint16_t) pktinfo->tcphdr->source);
__dst_port = ntohs((uint16_t) pktinfo->tcphdr->dest);
memcpy(__src_addr, &(pktinfo->iphdr.v6->ip6_src), sizeof(__src_addr));
memcpy(__dst_addr, &(pktinfo->iphdr.v6->ip6_dst), sizeof(__dst_addr));
}
else
{
__src_port = ntohs((uint16_t) pktinfo->tcphdr->dest);
__dst_port = ntohs((uint16_t) pktinfo->tcphdr->source);
memcpy(__src_addr, &(pktinfo->iphdr.v6->ip6_dst), sizeof(__src_addr));
memcpy(__dst_addr, &(pktinfo->iphdr.v6->ip6_src), sizeof(__dst_addr));
}
asprintf(&__str_ret, "%s %u %s %u", __src_addr, __src_port, __dst_addr, __dst_port);
}
return __str_ret;
}
static size_t ssl_svc_app_st_mk_key(struct ssl_chello* chello, struct pkt_info *pktinfo, struct pme_info *pmeinfo, char* key_buff, size_t sz)
{
size_t key_len=0;
const char* sip=NULL, *sport=NULL, *dip=NULL, *dport=NULL;
char * addr_str= stream_addr_to_str(pmeinfo,pktinfo);
stream_addr_str_split(addr_str, &sip, &sport, &dip, &dport);
key_len=snprintf(key_buff, sz, "%d:%d:%s:%s", chello->min_version.ossl_format,
chello->max_version.ossl_format,
chello->sni?chello->sni: dip ,
chello->alpn?chello->alpn:"null");
if(chello->cipher_suites && sz-key_len>chello->cipher_suites_len)
{
memcpy(key_buff+key_len, chello->cipher_suites, chello->cipher_suites_len);
key_len+=chello->cipher_suites_len;
}
if(chello->sign_algos && sz-key_len > chello->sign_algos_len)
{
memcpy(key_buff+key_len, chello->sign_algos, chello->sign_algos_len);
key_len+=chello->sign_algos_len;
}
if(chello->supported_groups && sz-key_len > chello->supported_groups_len)
{
memcpy(key_buff+key_len, chello->supported_groups, chello->supported_groups_len);
key_len+=chello->supported_groups_len;
}
free(addr_str);
return key_len;
}
static size_t ssl_svc_client_st_mk_key(struct ssl_chello* chello,struct pme_info *pmeinfo, struct pkt_info *pktinfo,char* key_buff, size_t sz)
{
size_t key_len=0;
const char *sip=NULL, *sport=NULL, *dip=NULL, *dport=NULL;
char *addr_str = stream_addr_to_str(pmeinfo,pktinfo);
stream_addr_str_split(addr_str, &sip, &sport, &dip, &dport);
char chello_id_buff[sz];
size_t chello_id_len=0;
key_len=snprintf(key_buff, sz, "%s:", sip);
chello_id_len=ssl_svc_app_st_mk_key(chello, pktinfo,pmeinfo, chello_id_buff, sizeof(chello_id_buff));
memcpy(key_buff+key_len, chello_id_buff, MIN(chello_id_len, sz-key_len));
key_len += MIN(chello_id_len, sz-key_len);
FREE(&addr_str);
return key_len;
}
static struct ssl_chello * ssl_get_chello_info(struct streaminfo *stream)
{
enum chello_parse_result chello_status = CHELLO_PARSE_INVALID_FORMAT;
struct ssl_chello *chello = NULL;
chello = ssl_chello_parse((unsigned char *)stream->ptcpdetail->pdata, (unsigned int)stream->ptcpdetail->datalen, &chello_status);
if(chello_status == CHELLO_PARSE_SUCCESS)
{
return chello;
}
else
{
if(chello)
ssl_chello_free(chello);
return NULL;
}
}
static long sslinfo2bypass_htable_search_cb(void *data, const uchar *key, uint size, void *user_args){
if(data != NULL)
return 0;
else
return -1;
}
static int sslinfo2bypass_htable_search(MESA_htable_handle htable,char *key, int klen, struct pme_info *pmeinfo)
{
void *logger = g_kni_handle->local_logger;
long cb_ret = -1;
void *value;
value = MESA_htable_search_cb(htable, (const unsigned char *)key, (unsigned int )klen, sslinfo2bypass_htable_search_cb, NULL, &cb_ret);
if(cb_ret == 0)
{
pmeinfo->ssl_pinningst = *((uint64_t *)value);
KNI_LOG_DEBUG(logger, "MESA_htable: success to search, table = sslinfo2bypass_htable,key = %s, key_size = %d, ret =%d", key, klen,cb_ret);
}
else
{
KNI_LOG_DEBUG(logger, "MESA_htable:Search result value is null, table = sslinfo2bypass_htable,key = %s, key_size = %d, ret =%d", key, klen,cb_ret);
}
return cb_ret;
}
static int traceid2sslinfo_htable_add(char *key, uint klen, void * value,int thread_seq)
{
void *logger = g_kni_handle->local_logger;
int ret;
MESA_htable_handle traceid2sslinfo_htable = g_kni_handle->threads_handle[thread_seq].traceid2sslinfo_htable;
ret = MESA_htable_add(traceid2sslinfo_htable, (const unsigned char *)key, klen, (const void*)value);
if(ret >= 0)
{
FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_ID2SSL_ADD_SUCC], 0, FS_OP_ADD, 1);
FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_ID2SSL_CNT], 0, FS_OP_ADD, 1);
KNI_LOG_DEBUG(logger, "MESA_htable:Success to add, table = traceid2sslinfo_htable,key = %s, key_size = %d, ret =%d , thread_seq=%d", key, klen,ret, thread_seq);
}
else
{
KNI_LOG_ERROR(logger, "MESA_htable:Fail to add, table = traceid2sslinfo_htable,key = %s, key_size = %d, ret =%d , thread_seq=%d", key, klen,ret, thread_seq);
}
return ret;
}
static int first_data_ssl_dynamic_bypass(struct streaminfo *stream, struct pme_info *pmeinfo, struct pkt_info *pktinfo, int thread_seq)
{
struct dynamic_bypass_ssl_feature *ssl_feature = NULL;
struct ssl_chello *chello = NULL;
void *logger = g_kni_handle->local_logger;
int ret = -1;
if(pmeinfo->protocol != PROTO_SSL)
{
KNI_LOG_DEBUG(logger, "Dynamic bypass: stream protocol is not ssl: protocol = %d", pmeinfo->protocol);
return ret;
}
chello = ssl_get_chello_info(stream);
if(!chello)
{
KNI_LOG_ERROR(logger, "Dynamic bypass: fail to get ssl stream client hello info, stream traceid = %s", pmeinfo->stream_traceid);
return ret;
}
ssl_feature = ALLOC(struct dynamic_bypass_ssl_feature,1);
ssl_feature->vlen = ssl_svc_client_st_mk_key(chello, pmeinfo, pktinfo,ssl_feature->value,SSL_INFO_LEN);
KNI_LOG_DEBUG(logger, "Dynamic bypass: chello info=%s, info len = %d", ssl_feature->value, ssl_feature->vlen);
ssl_chello_free(chello);
if(sslinfo2bypass_htable_search(g_kni_handle->sslinfo2bypass_htable,ssl_feature->value, ssl_feature->vlen,pmeinfo) == 0)
{
KNI_LOG_DEBUG(logger, "Dynamic bypass: passthrough ok, stream traceid = %s", pmeinfo->stream_traceid);
ret = 0;
}
else
{
KNI_LOG_DEBUG(logger, "Dynamic bypass: not passthrough, stream traceid = %s", pmeinfo->stream_traceid);
if(traceid2sslinfo_htable_add(pmeinfo->stream_traceid, strlen(pmeinfo->stream_traceid),ssl_feature,thread_seq) >=0)
{
ret = 1;
}
else
{
FREE(&ssl_feature);
}
}
if(ret == 0)
{
//dynamic bypass fs stat
FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_DY_PASS_STM], 0, FS_OP_ADD, 1);
FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_DY_PASS_BYTE], 0, FS_OP_ADD, pktinfo->ip_totlen);
//dynamic bypass ipv4 or ipv6
if(stream->addr.addrtype == ADDR_TYPE_IPV6){
FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_DY_PASS_IPV6_STM], 0, FS_OP_ADD, 1);
}
else{
FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_DY_PASS_IPV4_STM], 0, FS_OP_ADD, 1);
}
if(pmeinfo->has_dup_traffic == 1){
FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_DUP_TFC_STM], 0, FS_OP_ADD, 1);
KNI_LOG_DEBUG(logger, "stream has dup traffic, traceid = %s", pmeinfo->stream_traceid);
}
pmeinfo->ssl_intercept_state = 0;
pmeinfo->is_dynamic_bypass = 1;
if(g_kni_handle->dup_traffic_switch == 1){
if(pmeinfo->has_dup_traffic == 1){
ret = dabloom_add(pktinfo, thread_seq);
if(ret < 0){
return -1;
}
}
}
}
return ret;
}
static int first_data_intercept(struct streaminfo *stream, struct pme_info *pmeinfo, struct pkt_info *pktinfo, int thread_seq){
FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_INTCP_READY_STM], 0, FS_OP_ADD, 1);
FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_INTCP_READY_BYTE], 0, FS_OP_ADD, pktinfo->ip_totlen);
@@ -999,6 +1304,13 @@ static int first_data_intercept(struct streaminfo *stream, struct pme_info *pmei
}
}
}
//dynamic bypass
if(first_data_ssl_dynamic_bypass(stream, pmeinfo, pktinfo, thread_seq) == 0)
{
return APP_STATE_FAWPKT | APP_STATE_KILL_OTHER | APP_STATE_GIVEME;
}
//add cmsg
len = 0;
buff = add_cmsg_to_packet(pmeinfo, stream, pktinfo, &len);
@@ -1113,21 +1425,12 @@ char* kni_maat_action_trans(enum kni_action action){
}
}
static int dabloom_add(struct pkt_info *pktinfo, int thread_seq){
void *logger = g_kni_handle->local_logger;
struct dup_traffic_dabloom_key bloom_key;
memset(&bloom_key, 0, sizeof(bloom_key));
dup_traffic_dabloom_key_get(pktinfo, &bloom_key);
int ret = expiry_dablooms_add(g_kni_handle->threads_handle[thread_seq].dabloom_handle, (const char*)&bloom_key, sizeof(bloom_key));
if(ret < 0){
KNI_LOG_ERROR(logger, "Failed at expiry_dablooms_add, errmsg = %s", expiry_dablooms_errno_trans((enum expiry_dablooms_errno)ret));
FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_BLOOM_ADD_FAIL], 0, FS_OP_ADD, 1);
}
//FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_BLOOM_ADD_SUCC], 0, FS_OP_ADD, 1);
uint64_t count = 0;
expiry_dablooms_element_count_get(g_kni_handle->threads_handle[thread_seq].dabloom_handle, &count);
FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->line_ids[0], g_kni_fs_handle->column_ids[thread_seq], FS_OP_SET, count);
return ret;
static void next_data_ssl_dynamic_bypass(struct pkt_info *pktinfo)
{
FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_INTCP_BYTE], 0, FS_OP_ADD, pktinfo->ip_totlen);
}
char next_data_intercept(struct pme_info *pmeinfo, const void *a_packet, struct pkt_info *pktinfo, int thread_seq){
@@ -1163,6 +1466,12 @@ char next_data_intercept(struct pme_info *pmeinfo, const void *a_packet, struct
pmeinfo->stream_traceid, pmeinfo->stream_addr);
return APP_STATE_DROPPKT | APP_STATE_KILL_OTHER | APP_STATE_GIVEME;
}
if(pmeinfo->is_dynamic_bypass)
{
next_data_ssl_dynamic_bypass(pktinfo);
return APP_STATE_FAWPKT | APP_STATE_KILL_OTHER | APP_STATE_GIVEME;
}
ret = send_to_tfe((char*)a_packet, len, thread_seq, pmeinfo->tfe_id, pmeinfo->addr_type);
if(ret < 0){
KNI_LOG_ERROR(logger, "Failed at send continue packet to tfe%d, stream traceid = %s, stream addr = %s",
@@ -1197,6 +1506,8 @@ char first_data_process(struct streaminfo *stream, struct pme_info *pmeinfo, str
pmeinfo->action = (enum kni_action)(pmeinfo->maat_result.action);
pmeinfo->policy_id = pmeinfo->maat_result.config_id;
pmeinfo->do_log = pmeinfo->maat_result.do_log;
pmeinfo->thread_seq = thread_seq;
pmeinfo->is_dynamic_bypass = 0;
maat_hit = 1;
char *action_str = kni_maat_action_trans(pmeinfo->action);
KNI_LOG_INFO(logger, "intercept_policy_scan: %s, %s, maat_hit = %d, policy_id = %d, action = %d(%s), stream traceid = %s",
@@ -1319,9 +1630,12 @@ static char close_opstate(const struct streaminfo *stream, struct pme_info *pmei
TLD_append_streaminfo(g_tsg_log_instance, pmeinfo->tld_handle, (struct streaminfo*)pmeinfo->stream);
kni_set_policy_into_pem_info(stream,pmeinfo);
//reset clock: when sapp end, start clock
MESA_htable_search(g_kni_handle->traceid2pme_htable, (const unsigned char*)pmeinfo->stream_traceid,
if(pmeinfo->is_dynamic_bypass != 1)
{
MESA_htable_search(g_kni_handle->traceid2pme_htable, (const unsigned char*)pmeinfo->stream_traceid,
strnlen(pmeinfo->stream_traceid, sizeof(pmeinfo->stream_traceid)));
tuple2stream_htable_del(stream, thread_seq);
tuple2stream_htable_del(stream, thread_seq);
}
return APP_STATE_FAWPKT | APP_STATE_DROPME;
//stream has no data.
default:
@@ -1408,11 +1722,19 @@ extern "C" char kni_tcpall_entry(struct streaminfo *stream, void** pme, int thre
}
}
else{
can_destroy = judge_stream_can_destroy(pmeinfo, CALLER_SAPP);
if(can_destroy == 1){
traceid2pme_htable_del(pmeinfo);
stream_destroy(pmeinfo);
if(pmeinfo->is_dynamic_bypass == 0) // stream is dynamic bypass 0: not dynamic bypass 1: dynamic bypass
{
can_destroy = judge_stream_can_destroy(pmeinfo, CALLER_SAPP);
if(can_destroy == 1){
traceid2pme_htable_del(pmeinfo);
stream_destroy(pmeinfo);
}
}
else
{
stream_destroy(pmeinfo);
}
}
}
}
@@ -1593,6 +1915,94 @@ static int wrapped_kni_cmsg_get(struct pme_info *pmeinfo, struct kni_cmsg *cmsg,
return 0;
}
static int sslinfo2bypass_htable_add(char *key, uint klen, void * value, void *logger)
{
int ret = -1;
MESA_htable_handle sslinfo2bypass_htable = g_kni_handle->sslinfo2bypass_htable;
ret = MESA_htable_add(sslinfo2bypass_htable, (const unsigned char *)key, klen, (const void*)value);
if(ret < 0)
{
KNI_LOG_ERROR(logger, "MESA_htable: Failed at add, table = sslinfo2bypass_htable, key = %s, key_size = %d, ret = %d",key, klen, ret);
}
else
{
KNI_LOG_DEBUG(logger, "MESA_htable: Success at add, table = sslinfo2bypass_htable, key = %s, key_size = %d, ret = %d",key, klen, ret);
FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_SSL2PASS_ADD_SUCC], 0, FS_OP_ADD, 1);
FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_SSL2PASS_CNT], 0, FS_OP_ADD, 1);
}
return ret;
}
static long traceid2sslinfo_htable_search_cb(void *data, const uchar *key, uint size, void *user_args)
{
struct dynamic_bypass_ssl_feature * ssl_feature = (struct dynamic_bypass_ssl_feature *)data;
void *logger = g_kni_handle->local_logger;
uint64_t * p_ssl_pinningst = (uint64_t *)user_args;
uint64_t *value = NULL;
long cb_ret = -1;
if(ssl_feature != NULL)
{
value = ALLOC(uint64_t, 1);
*value = *p_ssl_pinningst;
if(sslinfo2bypass_htable_add(ssl_feature->value, ssl_feature->vlen, (void *)value, logger) >= 0)
{
KNI_LOG_ERROR(logger, "Dynamic bypass, fail add to table = sslinfo2bypass_htable, key = %s, key_size = %d",
ssl_feature->value, ssl_feature->vlen);
}
cb_ret = 0;
}
return cb_ret;
}
static int traceid2sslinfo_htable_search(MESA_htable_handle htable,char *key, int klen, int thread_seq,uint64_t ssl_pinningst)
{
long cb_ret = -1;
void *logger = g_kni_handle->local_logger;
MESA_htable_search_cb(htable, (const unsigned char *)key, (unsigned int )klen, traceid2sslinfo_htable_search_cb, &ssl_pinningst, &cb_ret);
if(cb_ret >= 0)
{
KNI_LOG_DEBUG(logger, "MESA_htable: success to search, table = traceid2sslinfo_htable,thread_seq = %d,key = %s, key_size = %d, ret = %d",
thread_seq, key, klen,cb_ret);
}
else
{
KNI_LOG_ERROR(logger, "MESA_htable: Fail to search, table = traceid2sslinfo_htable,thread_seq = %d,key = %s, key_size = %d, ret = %d",
thread_seq, key, klen,cb_ret);
}
return cb_ret;
}
static int ssl_dynamic_bypass_htable_add(struct pme_info *pmeinfo,void *logger)
{
long cb_ret;
long ret = -1;
MESA_htable_handle traceid2sslinfo_htable = g_kni_handle->threads_handle[pmeinfo->thread_seq].traceid2sslinfo_htable;
if(pmeinfo->ssl_intercept_state == 0)
{
cb_ret = traceid2sslinfo_htable_search(traceid2sslinfo_htable,pmeinfo->stream_traceid, strlen(pmeinfo->stream_traceid), pmeinfo->thread_seq, pmeinfo->ssl_pinningst);
if(cb_ret >= 0)
{
cb_ret = MESA_htable_del(traceid2sslinfo_htable, (const unsigned char *)pmeinfo->stream_traceid, strlen(pmeinfo->stream_traceid), NULL);
if(cb_ret < 0)
{
KNI_LOG_ERROR(logger, "Delete traceid2sslinfo_htable fail,key=%s",pmeinfo->stream_traceid);
}
else
{
FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_ID2SSL_DEL_SUCC], 0, FS_OP_ADD, 1);
FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_ID2SSL_CNT], 0, FS_OP_ADD, -1);
}
ret = 0;
}
}
return ret;
}
static long traceid2pme_htable_search_cb(void *data, const uchar *key, uint size, void *user_args){
struct traceid2pme_search_cb_args *args = (struct traceid2pme_search_cb_args*)user_args;
void *logger = args->logger;
@@ -1608,7 +2018,10 @@ static long traceid2pme_htable_search_cb(void *data, const uchar *key, uint size
wrapped_kni_cmsg_get(pmeinfo, cmsg, TFE_CMSG_SSL_PINNING_STATE, sizeof(pmeinfo->ssl_pinningst), logger);
wrapped_kni_cmsg_get(pmeinfo, cmsg, TFE_CMSG_SSL_CERT_VERIFY, sizeof(pmeinfo->ssl_cert_verify), logger);
wrapped_kni_cmsg_get(pmeinfo, cmsg, TFE_CMSG_SSL_ERROR, sizeof(pmeinfo->ssl_error), logger);
KNI_LOG_DEBUG(logger, "recv cmsg from tfe, stream traceid = %s, stream addr = %s", pmeinfo->stream_traceid, pmeinfo->stream_addr);
KNI_LOG_DEBUG(logger, "recv cmsg from tfe, stream traceid = %s, stream addr = %s, stream ssl intercept state = %d", pmeinfo->stream_traceid, pmeinfo->stream_addr,pmeinfo->ssl_intercept_state);
ssl_dynamic_bypass_htable_add(pmeinfo,logger);
can_destroy = judge_stream_can_destroy(pmeinfo, CALLER_TFE);
if(can_destroy == 1){
traceid2pme_htable_del(pmeinfo);
@@ -1902,6 +2315,20 @@ static struct kni_field_stat_handle * fs_init(const char *profile){
//dabloom
fs_handle->fields[KNI_FIELD_BLOOM_HIT] = FS_register(handle, FS_STYLE_FIELD, FS_CALC_CURRENT, "bloom_hit");
fs_handle->fields[KNI_FIELD_BLOOM_MISS] = FS_register(handle, FS_STYLE_FIELD, FS_CALC_CURRENT, "bloom_miss");
//dynamic bypass
fs_handle->fields[KNI_FIELD_ID2SSL_ADD_SUCC] = FS_register(handle, FS_STYLE_FIELD, FS_CALC_CURRENT, "id2ssl_add_S");
fs_handle->fields[KNI_FIELD_ID2SSL_DEL_SUCC] = FS_register(handle, FS_STYLE_FIELD, FS_CALC_CURRENT, "id2ssl_del_S");
fs_handle->fields[KNI_FIELD_ID2SSL_CNT] = FS_register(handle, FS_STYLE_FIELD, FS_CALC_CURRENT, "id2ssl_cnt");
fs_handle->fields[KNI_FIELD_SSL2PASS_ADD_SUCC] = FS_register(handle, FS_STYLE_FIELD, FS_CALC_CURRENT, "ssl2pass_add_S");
fs_handle->fields[KNI_FIELD_SSL2PASS_DEL_SUCC] = FS_register(handle, FS_STYLE_FIELD, FS_CALC_CURRENT, "ssl2pass_del_S");
fs_handle->fields[KNI_FIELD_SSL2PASS_CNT] = FS_register(handle, FS_STYLE_FIELD, FS_CALC_CURRENT, "ssl2pass_cnt");
fs_handle->fields[KNI_FIELD_DY_PASS_STM] = FS_register(handle, FS_STYLE_FIELD, FS_CALC_CURRENT, "dy_pass_stm");
fs_handle->fields[KNI_FIELD_DY_PASS_BYTE] = FS_register(handle, FS_STYLE_FIELD, FS_CALC_CURRENT, "dy_pass_B");
fs_handle->fields[KNI_FIELD_DY_PASS_IPV6_STM] = FS_register(handle, FS_STYLE_FIELD, FS_CALC_CURRENT, "dy_pass_ipv6_stm");
fs_handle->fields[KNI_FIELD_DY_PASS_IPV4_STM] = FS_register(handle, FS_STYLE_FIELD, FS_CALC_CURRENT, "dy_pass_ipv4_stm");
if(g_kni_handle->deploy_mode == KNI_DEPLOY_MODE_NORMAL){
for(int i = 0; i < g_kni_handle->marsio_handle->tfe_enabled_node_count; i++){
int tfe_id = g_kni_handle->marsio_handle->tfe_enabled_nodes[i].tfe_id;
@@ -1963,6 +2390,29 @@ static void tuple2stream_htable_data_free_cb(void *data){
FREE(&data);
}
static void traceid2sslinfo_htable_data_free_cb(void *data){
FREE(&data);
}
static void sslinfo2bypass_htable_data_free_cb(void *data){
FREE(&data);
}
static int traceid2sslinfo_htable_expire_notify_cb(void *data, int eliminate_type)
{
FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_ID2SSL_DEL_SUCC], 0, FS_OP_ADD, 1);
FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_ID2SSL_CNT], 0, FS_OP_ADD, -1);
return 1;
}
static int sslinfo2bypass_htable_expire_notify_cb(void *data, int eliminate_type)
{
FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_SSL2PASS_DEL_SUCC], 0, FS_OP_ADD, 1);
FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_SSL2PASS_CNT], 0, FS_OP_ADD, -1);
return 1;
}
int dup_traffic_dabloom_init(const char *profile, void *logger){
const char *section = "dup_traffic";
MESA_load_profile_int_def(profile, section, "switch", &(g_kni_handle->dup_traffic_switch), 0);
@@ -2024,6 +2474,7 @@ extern "C" int kni_init(){
pthread_t thread_id = -1;
struct thread_tfe_cmsg_receiver_args *cmsg_receiver_args;
MESA_htable_handle traceid2pme_htable = NULL;
MESA_htable_handle sslinfo2bypass_htable = NULL;
struct tfe_mgr *_tfe_mgr = NULL;
int ret = MESA_load_profile_string_nodef(profile, section, "log_path", log_path, sizeof(log_path));
if(ret < 0){
@@ -2171,7 +2622,27 @@ extern "C" int kni_init(){
}
g_kni_handle->threads_handle[i].tuple2stream_htable = tuple2stream_htable;
}
//init traceid2sslinfo_htable
memset(&opt, 0, sizeof(opt));
kni_get_htable_opt(&opt, profile, "traceid2sslinfo_htable", (void*)traceid2sslinfo_htable_data_free_cb, (void *)traceid2sslinfo_htable_expire_notify_cb, local_logger);
for(int i = 0; i < g_kni_handle->thread_count; i++){
MESA_htable_handle traceid2sslinfo_htable = kni_create_htable((char*)"traceid2sslinfo_htable", &opt, local_logger);
if(traceid2sslinfo_htable == NULL){
KNI_LOG_ERROR(local_logger, "Failed at kni_create_htable, table = traceid2sslinfo_htable");
goto error_out;
}
g_kni_handle->threads_handle[i].traceid2sslinfo_htable = traceid2sslinfo_htable;
}
//init sslinfo2bypass_htable
memset(&opt, 0, sizeof(opt));
kni_get_htable_opt(&opt, profile, "sslinfo2bypass_htable", (void*)sslinfo2bypass_htable_data_free_cb, (void *)sslinfo2bypass_htable_expire_notify_cb, local_logger);
sslinfo2bypass_htable = kni_create_htable((char*)"sslinfo2bypass_htable", &opt, local_logger);
if(sslinfo2bypass_htable == NULL){
KNI_LOG_ERROR(local_logger, "Failed at create sslinfo2bypass_htable");
goto error_out;
}
g_kni_handle->sslinfo2bypass_htable = sslinfo2bypass_htable;
//init dabloom_handle
ret = dup_traffic_dabloom_init(profile, local_logger);
if(ret < 0){