diff --git a/conf/maat/dynamic_maat_tableinfo.conf b/conf/maat/dynamic_maat_tableinfo.conf
deleted file mode 100644
index b7a9450..0000000
--- a/conf/maat/dynamic_maat_tableinfo.conf
+++ /dev/null
@@ -1 +0,0 @@
-1 TSG_DYN_SUBSCRIBER_IP plugin {"key":3,"valid":5}
\ No newline at end of file
diff --git a/conf/maat/maat_test.json b/conf/maat/maat_test.json
deleted file mode 100644
index 3180a11..0000000
--- a/conf/maat/maat_test.json
+++ /dev/null
@@ -1,94 +0,0 @@
-{
- "compile_table": "PXY_INTERCEPT_COMPILE",
- "group_table": "PXY_INTERCEPT_GROUP",
- "rules": [
- {
- "compile_id": 0,
- "service": 1,
- "action": 2,
- "do_blacklist": 1,
- "do_log": 1,
- "effective_rage": 0,
- "user_region": "zone=pkt_payload;substitute=/AAAA/BBBB",
- "is_valid": "yes",
- "groups": [
- {
- "group_name": "Untitled",
- "regions": [
- {
- "table_name": "HTTP_URL",
- "table_type": "string",
- "table_content": {
- "keywords": "i.ytimg.com",
- "expr_type": "none",
- "match_method": "sub",
- "format": "uncase plain"
- }
- }
- ]
- }
- ]
- },
- {
- "compile_id": 1,
- "service": 1,
- "action": 2,
- "do_blacklist": 1,
- "do_log": 1,
- "effective_rage": 0,
- "user_region": "zone=pkt_payload;substitute=/AAAA/BBBB",
- "is_valid": "yes",
- "groups": [
- {
- "group_name": "Untitled",
- "regions": [
- {
- "table_name": "PXY_INTERCEPT_IP",
- "table_type": "ip",
- "table_content": {
- "addr_type": "ipv4",
- "src_ip": "192.168.50.156",
- "mask_src_ip": "255.255.255.255",
- "src_port": "0",
- "mask_src_port": "65535",
- "dst_ip": "0.0.0.0",
- "mask_dst_ip": "255.255.255.255",
- "dst_port": "0",
- "mask_dst_port": "65535",
- "protocol": 0,
- "direction": "double"
- }
- }
- ]
- }
- ]
- },
- {
- "compile_id": 2,
- "service": 1,
- "action":2,
- "do_blacklist": 1,
- "do_log": 1,
- "effective_rage": 0,
- "user_region": "zone=pkt_payload;substitute=/AAAA/BBBB",
- "is_valid": "yes",
- "groups": [
- {
- "group_name": "Untitled",
- "regions": [
- {
- "table_name": "PXY_INTERCEPT_DOMAIN",
- "table_type": "string",
- "table_content": {
- "keywords": "www.google.com",
- "expr_type": "none",
- "match_method": "sub",
- "format": "uncase plain"
- }
- }
- ]
- }
- ]
- }
- ]
-}
diff --git a/conf/maat/static_maat_tableinfo.conf b/conf/maat/static_maat_tableinfo.conf
deleted file mode 100644
index 73bdac0..0000000
--- a/conf/maat/static_maat_tableinfo.conf
+++ /dev/null
@@ -1,10 +0,0 @@
-1 PXY_INTERCEPT_COMPILE compile escape --
-2 PXY_INTERCEPT_GROUP group --
-2 GROUP_COMPILE_RELATION group --
-3 PXY_INTERCEPT_IP ip_plus --
-3 TSG_OBJ_IP_ADDR ip_plus --
-4 PXY_INTERCEPT_DOMAIN expr utf8 utf8 yes 0
-4 TSG_OBJ_FQDN expr utf8 utf8 yes 0
-4 TSG_OBJ_FQDN_CAT expr utf8 utf8 yes 0
-5 COMPILE_ALIAS compile escape --
-6 TSG_OBJ_SUBSCRIBER_ID expr UTF8 UTF8 yes 0 quickon
diff --git a/conf/sapp/kni/kni.conf b/conf/sapp/kni/kni.conf
index 8dc6287..d892a51 100644
--- a/conf/sapp/kni/kni.conf
+++ b/conf/sapp/kni/kni.conf
@@ -36,23 +36,6 @@ keepalive_idle = 2
 keepalive_intvl = 1
 keepalive_cnt = 3
-[static_maat]
-#readconf_mode: 0 = iris, 1 = json, 2 = redis
-readconf_mode = 2
-tableinfo_path = ./etc/kni/static_maat_tableinfo.conf
-maatjson_path = ./etc/kni/maat_test.json
-redis_ip = 192.168.10.31
-redis_port = 6379
-redis_index = 0
-
-[dynamic_maat]
-#readconf_mode: 0 = iris, 1 = json, 2 = redis
-readconf_mode = 2
-tableinfo_path = ./etc/kni/dynamic_maat_tableinfo.conf
-redis_ip = 192.168.10.31
-redis_port = 6379
-redis_index = 0
-
 [send_logger]
 switch = 0
 kafka_topic = SESSION-RECORD-LOG
diff --git a/entry/include/tsg_rule.h b/entry/include/tsg_rule.h
index f7cfcf3..7fd7a93 100644
--- a/entry/include/tsg_rule.h
+++ b/entry/include/tsg_rule.h
@@ -2,13 +2,27 @@
 #define __TSG_RULE_H__
 #include
-#include "tsg_types.h"
-#ifdef __cplusplus
-extern "C"
+typedef enum _tsg_protocol
 {
-#endif
+ PROTO_UNKONWN=0,
+ PROTO_IPv4=1,
+ PROTO_IPv6,
+ PROTO_TCP,
+ PROTO_UDP,
+ PROTO_HTTP,
+ PROTO_MAIL,
+ PROTO_DNS,
+ PROTO_FTP,
+ PROTO_SSL,
+ PROTO_SIP,
+ PROTO_BGP,
+ PROTO_STREAMING_MEDIA,
+ PROTO_MAX
+}tsg_protocol_t;
+
+#define MAX_RESULT_NUM 8
 #define MAX_DOAMIN_LEN 2048
 struct _identify_info
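Review bot: Removing the `#ifdef __cplusplus` / `extern "C"` wrapper (its closing half goes in the third hunk of this file) changes the linkage that C++ consumers such as entry/src/kni_entry.cpp see for every prototype in this header; if the definitions are compiled as C, those calls will no longer link, so unless the implementation moved to C++ the guard should be restored around the declarations. The new tsg_protocol enum also renumbers the protocols: the deleted entry/include/tsg_types.h had PROTO_IPv4 at 0 and the new enum puts PROTO_UNKONWN there, so anything that stores or emits `pmeinfo->protocol` as a number sees shifted values, which is worth recording with a comment such as `/* PROTO_UNKONWN is reserved as 0; numeric values differ from the former tsg_types.h enum */`. `PROTO_UNKONWN` is misspelled and is cheapest to fix before callers depend on it.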
@@ -24,9 +38,11 @@ typedef enum _PULL_RESULT_TYPE
 PULL_FW_RESULT
 }PULL_RESULT_TYPE;
+#define TSG_DOMAIN_MAX 256
+
 extern Maat_feather_t g_tsg_maat_feather;
-int tsg_rule_init(const char *conffile);
+int tsg_rule_init(const char *conffile, void *logger);
 int tsg_scan_nesting_addr(Maat_feather_t maat_feather, const struct streaminfo *a_stream, tsg_protocol_t proto, scan_status_t *mid, Maat_rule_t*result, int result_num);
@@ -39,8 +55,7 @@ int tsg_shared_table_init(const char *conffile, Maat_feather_t maat_feather, voi
 //return value: -1: failed, 0: not hit, >0: hit count
 int tsg_scan_shared_policy(Maat_feather_t maat_feather, void *pkt, int pkt_len, Maat_rule_t *result, int result_num, struct _identify_info *identify_info, scan_status_t *mid, void *logger, int thread_seq);
-#ifdef __cplusplus
-}
-#endif
+//return NULL if none exists, otherwise return one deny rule;
+Maat_rule_t *tsg_fetch_deny_rule(Maat_rule_t *result, int result_num);
 #endif
diff --git a/entry/include/tsg_types.h b/entry/include/tsg_types.h
deleted file mode 100644
index 0967ef3..0000000
--- a/entry/include/tsg_types.h
+++ /dev/null
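Review bot: `TSG_DOMAIN_MAX 256` is added while `MAX_DOAMIN_LEN 2048` from the first hunk stays in the same header, and nothing says which buffer each one bounds, so the two are easy to use interchangeably; a trailing comment on the new define naming the field it sizes would prevent that. `tsg_rule_init` now takes a `void *logger` like `tsg_scan_shared_policy`, but the header does not say whether NULL is accepted or whether the logger is retained past the call; a one-line comment above the prototype stating both would save callers a trip into the implementation.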
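Review bot: The comment on `tsg_fetch_deny_rule` does not say whether the returned `Maat_rule_t *` points into the caller's `result` array or is a fresh allocation the caller must free, which is the first thing a caller needs to know; if it aliases the array, suggest `//return a pointer into result[0..result_num) (no allocation), or NULL if no deny rule is present;`. It should also state the behaviour for `result == NULL` or `result_num <= 0`, since the other scan functions in this header document their error returns.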
@@ -1,109 +0,0 @@
-#ifndef __TSG_TYPES_H__
-#define __TSG_TYPES_H__
-
-typedef enum _tsg_opt
-{
- LOG_OPT_HTTP_URL=1,
- LOG_OPT_HTTP_HOST,
- LOG_OPT_HTTP_REQUEST_LINE,
- LOG_OPT_HTTP_RESPONSE_LINE,
- LOG_OPT_HTTP_REQUEST_HEADER,
- LOG_OPT_HTTP_RESPONSE_HEADER,
- LOG_OPT_HTTP_REQUEST_BODY,
- LOG_OPT_HTTP_RESPONSE_BODY,
- LOG_OPT_HTTP_PROXY_FLAG,
- LOG_OPT_HTTP_SEQUENCE,
- LOG_OPT_HTTP_SNAPSHOT,
- LOG_OPT_HTTP_COOKIE,
- LOG_OPT_HTTP_REFERER,
- LOG_OPT_HTTP_USER_AGENT,
- LOG_OPT_HTTP_CONTENT_LENGTH,
- LOG_OPT_HTTP_CONTENT_TYPE,
- LOG_OPT_HTTP_SET_COOKIE,
- LOG_OPT_HTTP_VERSION,
-
- LOG_OPT_MAIL_PROTOCOL_TYPE,
- LOG_OPT_MAIL_SENDER,
- LOG_OPT_MAIL_RECEIVER,
- LOG_OPT_MAIL_SUBJECT,
- LOG_OPT_MAIL_CONTENT,
- LOG_OPT_MAIL_ATTACHMENT_NAME,
- LOG_OPT_MAIL_ATTACHMENT_CONTENT,
- LOG_OPT_MAIL_EML_FILE,
- LOG_OPT_MAIL_SNAPSHOT,
- LOG_OPT_MAIL_SUBJECT_CHARSET,
-
- LOG_OPT_DNS_MESSAGE_ID,
- LOG_OPT_DNS_QR,
- LOG_OPT_DNS_OPCODE,
- LOG_OPT_DNS_AA,
- LOG_OPT_DNS_TC,
- LOG_OPT_DNS_RD,
- LOG_OPT_DNS_RA,
- LOG_OPT_DNS_RCODE,
- LOG_OPT_DNS_QDCOUNT,
- LOG_OPT_DNS_ANCOUNT,
- LOG_OPT_DNS_NSCOUNT,
- LOG_OPT_DNS_ARCOUNT,
- LOG_OPT_DNS_QNAME,
- LOG_OPT_DNS_QTYPE,
- LOG_OPT_DNS_QCLASS,
- LOG_OPT_DNS_CNAME,
- LOG_OPT_DNS_SUB,
- LOG_OPT_DNS_RR,
-
- LOG_OPT_SSL_VERSION,
- LOG_OPT_SSL_SNI,
- LOG_OPT_SSL_SAN,
- LOG_OPT_SSL_CN,
- LOG_OPT_SSL_PINNINGST,
- LOG_OPT_SSL_INTERCEPT_STATE,
- LOG_OPT_SSL_SERVER_SIDE_LATENCY,
- LOG_OPT_SSL_CLINET_SIDE_LATENCY,
- LOG_OPT_SSL_SERVER_SIDE_VERSION,
- LOG_OPT_SSL_CLIENT_SIDE_VERSION,
- LOG_OPT_SSL_CERT_VERIFY,
- LOG_OPT_SSL_ERROR,
- LOG_OPT_SSL_CON_LATENCY_MS,
-
- LOG_OPT_FTP_URL,
- LOG_OPT_FTP_CONTENT,
-
- LOG_OPT_BGP_TYPE,
- LOG_OPT_BGP_AS_NUM,
- LOG_OPT_BGP_ROUTE,
-
- LOG_OPT_VOIP_CALLING_ACCOUNT,
- LOG_OPT_VOIP_CALLED_ACCOUNT,
- LOG_OPT_VOIP_CALLING_NUMBER,
- LOG_OPT_VOIP_CALLED_NUMBER,
-
- LOG_OPT_RADIUS_PACKET_TYPE,
- LOG_OPT_RADIUS_NAS_IP,
- LOG_OPT_RADIUS_FRAMED_IP,
- LOG_OPT_RADIUS_ACCOUNT,
- LOG_OPT_RADIUS_SEESION_TIMEOUT,
- LOG_OPT_RADIUS_IDLE_TIMEOUT,
- LOG_OPT_RADIUS_ACCT_STATUS_TYPE,
- LOG_OPT_RADIUS_ACCT_TERMINATE_CAUSE,
- LOG_OPT_MAX
-}tsg_opt_t;
-
-typedef enum _tsg_protocol
-{
- PROTO_IPv4,
- PROTO_IPv6,
- PROTO_TCP,
- PROTO_UDP,
- PROTO_HTTP,
- PROTO_MAIL,
- PROTO_DNS,
- PROTO_FTP,
- PROTO_SSL,
- PROTO_SIP,
- PROTO_BGP,
- PROTO_STREAMING_MEDIA,
- PROTO_MAX
-}tsg_protocol_t;
-
-#endif
diff --git a/entry/src/kni_entry.cpp b/entry/src/kni_entry.cpp
index c9f8fa6..acc4f59 100644
--- a/entry/src/kni_entry.cpp
+++ b/entry/src/kni_entry.cpp
@@ -11,7 +11,6 @@ bypass: drome: pme_new_fail: destroy_pme
 #include "kni_utils.h"
 #include "marsio.h"
-#include "MESA/http.h"
 #include "MESA/stream_inc/sapp_inject.h"
 #include "kni_cmsg.h"
 #include "uuid/uuid.h"
@@ -35,7 +34,6 @@ extern "C" {
 struct kni_handle *g_kni_handle = NULL;
 struct kni_field_stat_handle *g_kni_fs_handle = NULL;
-#define HTTP_PROJECT_NAME "kni_http_tag"
 #define BURST_MAX 1
 #define STREAM_TRACEID_LEN 37
 #define CALLER_SAPP 0
@@ -74,10 +72,6 @@ enum kni_action{
 KNI_ACTION_BYPASS = 0x80
 };
-struct http_project{
- int host_len;
- char host[MAX_DOAMIN_LEN];
-};
 //memset 0
 struct dup_traffic_dabloom_key{
@@ -195,7 +189,6 @@ struct tuple2stream_htable_value{
 struct kni_handle{
- int http_project_id;
 struct kni_marsio_handle *marsio_handle;
 struct kni_tun_handle *tun_handle;
 struct kni_maat_handle *maat_handle;
@@ -511,7 +504,6 @@ static unsigned char* kni_cmsg_serialize_header_new(struct pme_info *pmeinfo, st
 unsigned char *buff = NULL;
 uint8_t protocol_type = pmeinfo->protocol == PROTO_SSL ? 0x1 : 0x0;
 struct kni_cmsg *cmsg = kni_cmsg_init();
- int policy_id = -1;
 char *trace_id = NULL;
 uint32_t seq = pktinfo->tcphdr->seq;
 uint32_t ack = pktinfo->tcphdr->ack_seq;
@@ -521,6 +513,7 @@ static unsigned char* kni_cmsg_serialize_header_new(struct pme_info *pmeinfo, st
 uint16_t server_window = htons(pmeinfo->server_window);
 char src_mac[6] = {0};
 char dst_mac[6] = {0};
+ int policy_id;
 //seq
 int ret = wrapped_kni_cmsg_set(cmsg, TFE_CMSG_TCP_RESTORE_SEQ, (const unsigned char*)&seq, 4, pmeinfo);
 if(ret < 0) goto error_out;
@@ -758,7 +751,7 @@ static void wrapped_kni_header_parse(const void *a_packet, struct pme_info *pmei
 int ret = kni_ipv6_header_parse(a_packet, pktinfo);
 if(ret < 0){
 char *errmsg = kni_ipv6_errmsg_get((enum kni_ipv6hdr_parse_error)ret);
- KNI_LOG_DEBUG(logger, "Intercept error: failed at parse ipv6 header, errmsg = %s, stream treaceid = %s",
+ KNI_LOG_ERROR(logger, "Failed at parse ipv6 header, errmsg = %s, stream treaceid = %s",
 errmsg, pmeinfo->stream_traceid);
 pktinfo->parse_failed = 1;
 }
@@ -767,7 +760,7 @@ static void wrapped_kni_header_parse(const void *a_packet, struct pme_info *pmei
 int ret = kni_ipv4_header_parse(a_packet, pktinfo);
 if(ret < 0){
 char *errmsg = kni_ipv4_errmsg_get((enum kni_ipv4hdr_parse_error)ret);
- KNI_LOG_ERROR(logger, "Intercept error: failed at parse ipv4 header, errmsg = %s, stream treaceid = %s",
+ KNI_LOG_ERROR(logger, "Failed at parse ipv4 header, errmsg = %s, stream treaceid = %s",
 errmsg, pmeinfo->stream_traceid);
 pktinfo->parse_failed = 1;
 }
@@ -1023,6 +1016,8 @@ static int first_data_intercept(struct streaminfo *stream, struct pme_info *pmei
 }
 if(pktinfo->parse_failed == 1){
 pmeinfo->intcp_error = INTERCEPT_ERROR_INVALID_IP_HDR;
+ KNI_LOG_DEBUG(logger, "Intercept error: invalid ip header, stream traceid = %s, stream addr = %s",
+ pmeinfo->stream_traceid, pmeinfo->stream_addr);
 FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_INTCPERR_INVALID_IP_HDR], 0, FS_OP_ADD, 1);
 goto error_out;
 }
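Review bot: `int policy_id;` replaces the `int policy_id = -1;` deleted from the top of this function in the previous hunk (at -511), so the variable now has no defined value until a later assignment, and every use is outside this hunk where the review cannot confirm that each path to a read assigns it first. A path that reads it unassigned reads an indeterminate value, so the initializer should be kept: `int policy_id = -1;`. If dropping it was deliberate, a comment stating the invariant (assigned before every read) belongs on this line. kni_cmsg_serialize_header_new starts outside the hunk.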
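Review bot: The ipv6 parse failure is raised from DEBUG to ERROR and the ipv4 branch (hunk at -767) already logs at ERROR, so a header that fails to parse now produces an ERROR line per packet plus the new DEBUG line in first_data_intercept (hunk at -1023); since this runs on unauthenticated traffic, a burst of malformed packets becomes a burst of highest-severity log lines. The field-stat counter incremented in first_data_intercept already records the rate, so the per-packet line could stay at DEBUG, or be emitted at ERROR only once per interval. Both messages still spell `treaceid`, which defeats grepping the log for `traceid`. wrapped_kni_header_parse starts outside the hunk.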
@@ -1115,7 +1110,7 @@ error_out:
 if(buff != NULL){
 FREE(&buff);
 }
- return APP_STATE_FAWPKT | APP_STATE_DROPME;
+ return APP_STATE_DROPPKT | APP_STATE_DROPME;
 }
 static int dabloom_search(struct pkt_info *pktinfo, int thread_seq){
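Review bot: The error_out path of first_data_intercept now drops the packet instead of forwarding it, while the default case of close_opstate (hunk at -1339) flips the opposite way, and neither carries a comment saying why; the function body starts outside this hunk. This label is reached for INTERCEPT_ERROR_INVALID_IP_HDR (hunk at -1023), so a malformed IP header on the first data packet now fails closed for that stream, a change to the traffic path worth recording above the return: `// fail closed: a stream whose first data packet could not be handed to the interceptor is dropped, not forwarded`. If fail-open for non-intercepted traffic was the intent, the two flips should be reconciled.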
@@ -1243,25 +1238,25 @@ char first_data_process(struct streaminfo *stream, struct pme_info *pmeinfo, str
 int ret = 0;
 struct _identify_info identify_info;
 ret = tsg_pull_policy_result(stream, PULL_KNI_RESULT, &result, 1, &identify_info);
- pmeinfo->protocol = identify_info.proto;
- strncpy((char*)&(pmeinfo->domain), identify_info.domain, identify_info.domain_len);
- pmeinfo->domain_len = MAX(pmeinfo->domain_len, (int)sizeof(pmeinfo->domain) - 1);
- pmeinfo->domain_len = '\0';
 //ret == 0, bypass and dropme
 if(ret == 0){
 pmeinfo->action = KNI_ACTION_NONE;
- pmeinfo->policy_id = -1;
 maat_hit = 0;
+ KNI_LOG_INFO(logger, "intercept_policy_scan: %s, %s, maat_hit = %d, stream traceid = %s",
+ pmeinfo->stream_addr, (char*)&(pmeinfo->domain), maat_hit, pmeinfo->stream_traceid);
 }
 else{
+ pmeinfo->protocol = identify_info.proto;
+ pmeinfo->domain_len = MIN(identify_info.domain_len, (int)sizeof(pmeinfo->domain) - 1);
+ strncpy(pmeinfo->domain.sni, identify_info.domain, pmeinfo->domain_len);
 pmeinfo->action = (enum kni_action)(result.action);
 pmeinfo->policy_id = result.config_id;
 pmeinfo->do_log = result.do_log;
 maat_hit = 1;
+ char *action_str = kni_maat_action_trans(pmeinfo->action);
+ KNI_LOG_INFO(logger, "intercept_policy_scan: %s, %s, maat_hit = %d, policy_id = %d, action = %d(%s), stream traceid = %s",
+ pmeinfo->stream_addr, (char*)&(pmeinfo->domain), maat_hit, pmeinfo->policy_id, pmeinfo->action, action_str, pmeinfo->stream_traceid);
 }
- char *action_str = kni_maat_action_trans(pmeinfo->action);
- KNI_LOG_INFO(logger, "intercept_policy_scan: %s, %s, maat_hit = %d, policy_id = %d, action = %d(%s), stream traceid = %s, stream addr = %s",
- pmeinfo->stream_addr, (char*)&(pmeinfo->domain), maat_hit, pmeinfo->policy_id, pmeinfo->action, action_str, pmeinfo->stream_traceid, pmeinfo->stream_addr);
 switch(pmeinfo->action){
 case KNI_ACTION_INTERCEPT:
 pmeinfo->intercept_state = 1;
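Review bot: `strncpy(pmeinfo->domain.sni, identify_info.domain, pmeinfo->domain_len)` does not terminate the copy, yet both new log calls print `(char*)&(pmeinfo->domain)` with `%s`, and the bound is taken from `sizeof(pmeinfo->domain)` although the destination is the member `.sni`, so if `domain` is a union or struct larger than `sni` the clamp does not protect the member. Suggest `pmeinfo->domain_len = MIN(identify_info.domain_len, (int)sizeof(pmeinfo->domain.sni) - 1);` followed by `pmeinfo->domain.sni[pmeinfo->domain_len] = '\0';`, with `identify_info.domain_len` also clamped at 0 in case the lookup leaves it negative. The `else` branch now also runs for `ret < 0`: if tsg_pull_policy_result follows the -1/0/>0 convention documented for tsg_scan_shared_policy in tsg_rule.h, a failed lookup installs an uninitialized `result.action` as the stream's action, so a `ret < 0` case that bypasses like a miss should precede it. The `pmeinfo->policy_id = -1` reset was dropped from the miss branch, so a stream with no hit keeps whatever value the field had before. first_data_process begins outside the hunk.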
@@ -1283,6 +1278,7 @@ static char data_opstate(struct streaminfo *stream, struct pme_info *pmeinfo, co
 }
 //parse ipv4/6 header
 struct pkt_info pktinfo;
+ memset(&pktinfo, 0, sizeof(pktinfo));
 wrapped_kni_header_parse(a_packet, pmeinfo, &pktinfo);
 //pmeinfo->action has only 2 value: KNI_ACTION_NONE, KNI_ACTION_INTERCEPT
 if(pmeinfo->action == KNI_ACTION_INTERCEPT){
@@ -1339,7 +1335,7 @@ static char close_opstate(const struct streaminfo *stream, struct pme_info *pmei
 return APP_STATE_DROPPKT | APP_STATE_DROPME; //stream has no data.
 default:
- return APP_STATE_DROPPKT | APP_STATE_DROPME;
+ return APP_STATE_FAWPKT | APP_STATE_DROPME;
 }
 }
@@ -1430,7 +1426,7 @@ extern "C" char kni_tcpall_entry(struct streaminfo *stream, void** pme, int thre
 pmeinfo->intercept_state = 0;
 FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_BYP_INTCPERR], 0, FS_OP_ADD, 1);
 if(pmeinfo != NULL){
- pmeinfo->policy_id = -1;
+ //pmeinfo->policy_id = -1;
 stream_destroy(pmeinfo, 1);
 }
 }
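Review bot: `//pmeinfo->policy_id = -1;` leaves dead code in place of the reset; either delete the line or keep the assignment. With the same reset also removed from the miss branch of first_data_process (hunk at -1243), no path marks a stream as having no policy any more, and a zero-initialized pmeinfo would report policy_id 0, which the deleted conf/maat/maat_test.json shows is a valid compile_id. The `if(pmeinfo != NULL)` guard follows `pmeinfo->intercept_state = 0;` two lines earlier, so it cannot protect anything; kni_tcpall_entry starts outside the hunk.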
@@ -1446,45 +1442,6 @@ extern "C" char kni_tcpall_entry(struct streaminfo *stream, void** pme, int thre
 return ret;
 }
-void http_project_free(int thread_seq, void *project_req_value){
- FREE(&project_req_value);
-}
-
-static int http_project_init(){
- void *logger = g_kni_handle->local_logger;
- int id = project_producer_register(HTTP_PROJECT_NAME, PROJECT_VAL_TYPE_STRUCT, http_project_free);
- if(id < 0){
- KNI_LOG_ERROR(logger, "Failed at project_producer_register, project name = %s, ret = %d", HTTP_PROJECT_NAME, id);
- return -1;
- }
- id = project_customer_register(HTTP_PROJECT_NAME, PROJECT_VAL_TYPE_STRUCT);
- if(id < 0){
- KNI_LOG_ERROR(logger, "Failed at project_customer_register, project name = %s, ret = %d", HTTP_PROJECT_NAME, id);
- return -1;
- }
- return id;
-}
-
-extern "C" char kni_http_entry(stSessionInfo* session_info, void **pme, int thread_seq, struct streaminfo *a_stream, const void *a_packet){
- http_infor* http_info = (http_infor*)(session_info->app_info);
- //only process first http session
- if(http_info->http_session_seq != 1){
- return PROT_STATE_DROPME;
- }
- if(session_info->prot_flag != HTTP_HOST){
- return PROT_STATE_GIVEME;
- }
- int host_len = MIN(session_info->buflen, KNI_DEFAULT_MTU);
- struct http_project* host_info = ALLOC(struct http_project, 1);
- host_info->host_len = host_len;
- memcpy(host_info->host, session_info->buf, host_len);
- if(project_req_add_struct(a_stream, g_kni_handle->http_project_id, host_info) < 0){
- FREE(&host_info);
- host_info = NULL;
- }
- return PROT_STATE_DROPME;
-}
-
 static void kni_marsio_destroy(struct kni_marsio_handle *handle){
 if(handle != NULL){
 if(handle->instance != NULL){
@@ -2087,7 +2044,6 @@ extern "C" int kni_init(){
 char manage_eth[KNI_SYMBOL_MAX] = "";
 struct kni_send_logger *send_logger = NULL;
 struct kni_field_stat_handle *fs_handle = NULL;
- int id = -1;
 void *local_logger = NULL;
 int log_level = -1;
 pthread_t thread_id = -1;
@@ -2172,13 +2128,6 @@ extern "C" int kni_init(){
 KNI_LOG_ERROR(local_logger, "MESA_prof_load: dst_mac_addr = invalid, ret = %d, profile = %s, section = %s", ret, profile, section);
 goto error_out;
 }
- //init http_project
- id = http_project_init();
- if(id < 0){
- KNI_LOG_ERROR(local_logger, "Failed at init http project, ret = %d", id);
- goto error_out;
- }
- g_kni_handle->http_project_id = id;
 // get thread count
 g_kni_handle->thread_count = get_thread_count();