diff --git a/common/include/kni_utils.h b/common/include/kni_utils.h index 0067546..10bddba 100644 --- a/common/include/kni_utils.h +++ b/common/include/kni_utils.h @@ -86,6 +86,7 @@ struct kni_field_stat_handle{ int fields[KNI_FIELD_MAX]; }; + uint16_t kni_ip_checksum(const void *buf, size_t hdr_len); uint16_t kni_tcp_checksum(const void *_buf, size_t len, in_addr_t src_addr, in_addr_t dest_addr); uint16_t kni_udp_checksum(const void *_buf, size_t len, in_addr_t src_addr, in_addr_t dest_addr); diff --git a/conf/kni.conf b/conf/kni.conf index 287222e..a15baa1 100644 --- a/conf/kni.conf +++ b/conf/kni.conf @@ -6,9 +6,14 @@ log_level = 10 readconf_mode = 1 tableinfo_path = ./conf/kni/maat_tableinfo.conf maatjson_path = ./conf/kni/maat_test.json -tablename_intercept_compile = PXY_INTERCEPT_COMPILE +tablename_intercept_ip = PXY_INTERCEPT_IP +tablename_intercept_domain = PXY_INTERCEPT_DOMAIN +compile_alias = COMPILE_ALIAS [marsio] appsym = knifw dev_symbol = eth4 +[field_stat] +stat_path = ./fs2_kni.status + diff --git a/conf/maat/maat_tableinfo.conf b/conf/maat/maat_tableinfo.conf index 8931b5a..f6f480a 100644 --- a/conf/maat/maat_tableinfo.conf +++ b/conf/maat/maat_tableinfo.conf @@ -1,4 +1,5 @@ 1 PXY_INTERCEPT_COMPILE compile escape -- 2 PXY_INTERCEPT_GROUP group -- 3 PXY_INTERCEPT_IP ip -- -4 PXY_INTERCEPT_DOMAIN expr utf8 utf8 yes 0 \ No newline at end of file +4 PXY_INTERCEPT_DOMAIN expr utf8 utf8 yes 0 +5 COMPILE_ALIAS compile escape -- \ No newline at end of file diff --git a/conf/maat/maat_test.json b/conf/maat/maat_test.json index 72a3b69..0815230 100644 --- a/conf/maat/maat_test.json +++ b/conf/maat/maat_test.json 
@@ -2,10 +2,37 @@ "compile_table": "PXY_INTERCEPT_COMPILE", "group_table": "PXY_INTERCEPT_GROUP", "rules": [ + { + "compile_id": 0, + "service": 1, + "action": 1, + "do_blacklist": 1, + "do_log": 1, + "effective_rage": 0, + "user_region": "zone=pkt_payload;substitute=/AAAA/BBBB", + "is_valid": "yes", + "groups": [ + { + "group_name": "Untitled", + "regions": [ + { + "table_name": "HTTP_URL", + "table_type": "string", + "table_content": { + "keywords": "i.ytimg.com", + "expr_type": "none", + "match_method": "sub", + "format": "uncase plain" + } + } + ] + } + ] + }, { "compile_id": 1, "service": 1, - "action":120, + "action":2, "do_blacklist": 1, "do_log": 1, "effective_rage": 0, @@ -20,7 +47,7 @@ "table_type": "ip", "table_content": { "addr_type": "ipv4", - "src_ip": "192.168.192.135", + "src_ip": "192.168.11.135", "mask_src_ip": "255.255.255.255", "src_port": "0", "mask_src_port": "65535", @@ -39,8 +66,9 @@ { "compile_id": 2, "service": 1, - "action":120, + "action":2, "do_blacklist": 1, + "table_name": "COMPILE_ALIAS", "do_log": 1, "effective_rage": 0, "user_region": "zone=pkt_payload;substitute=/AAAA/BBBB", diff --git a/entry/include/kni_maat.h b/entry/include/kni_maat.h index 63bcc99..b4eccd1 100644 --- a/entry/include/kni_maat.h +++ b/entry/include/kni_maat.h @@ -6,7 +6,8 @@ struct kni_maat_handle{ Maat_feather_t feather; int default_action; - int tableid_intercept_compile; + int tableid_intercept_ip; + int tableid_intercept_domain; void *logger; }; 
@@ -17,5 +18,5 @@ enum kni_action{ }; struct kni_maat_handle* kni_maat_init(const char* profile, void *logger); void kni_maat_destroy(struct kni_maat_handle *handle); -int kni_maat_scan_ip(struct kni_maat_handle* handle, struct ipaddr *addr, int thread_seq, void *logger); -int kni_maat_scan_domain(struct kni_maat_handle* handle, char *domain, int domain_len, int thread_seq, void *logger); \ No newline at end of file +int kni_maat_scan_ip(struct kni_maat_handle* handle, struct ipaddr *addr, int thread_seq); +int kni_maat_scan_domain(struct kni_maat_handle* handle, char *domain, int domain_len, int thread_seq); \ No newline at end of file diff --git a/entry/src/kni_entry.cpp b/entry/src/kni_entry.cpp index c0b1887..e0a7ed5 100644 --- a/entry/src/kni_entry.cpp +++ b/entry/src/kni_entry.cpp @@ -61,8 +61,13 @@ static int protocol_identify(const struct streaminfo* stream, char *buf, int len chello = ssl_chello_parse((const unsigned char*)buf, len, &chello_status); if(chello_status == CHELLO_PARSE_SUCCESS){ result->protocol = KNI_PROTOCOL_SSL; - result->domain_len = strnlen(chello->sni, KNI_DOMAIN_MAX); - memcpy(result->domain, chello->sni, result->domain_len); + if(chello->sni == NULL){ + result->domain_len = 0; + } + else{ + result->domain_len = strnlen(chello->sni, KNI_DOMAIN_MAX); + memcpy(result->domain, chello->sni, result->domain_len); + } ssl_chello_free(chello); return 0; } 
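Review bot: The new else branch in protocol_identify bounds the SNI copy with strnlen(chello->sni, KNI_DOMAIN_MAX) but never NUL-terminates result->domain, so a ClientHello whose SNI is KNI_DOMAIN_MAX bytes or longer leaves the buffer unterminated and, if result->domain is exactly KNI_DOMAIN_MAX bytes (the struct is not visible here), completely full; kni_maat_scan_domain later prints `domain` with `%s`, which then over-reads. The SNI is attacker-controlled on the wire, so reserve room for a terminator and write it: `result->domain_len = strnlen(chello->sni, KNI_DOMAIN_MAX - 1); memcpy(result->domain, chello->sni, result->domain_len); result->domain[result->domain_len] = '\0';` — this assumes result->domain holds at least KNI_DOMAIN_MAX bytes, to be confirmed against the struct definition. The NULL check itself is right, since get_action now keys off domain_len == 0. protocol_identify begins before the hunk.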
@@ -178,13 +183,11 @@ static int send_to_tfe(struct kni_marsio_handle *handle, char *raw_data, int raw static char pending_opstate(const struct streaminfo *stream, struct pme_info *pmeinfo, struct pkt_info *pktinfo){ void *logger = g_kni_handle->logger; - FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_TOT_STM], 0, FS_OP_ADD, 1); if(!pktinfo->tcphdr->syn){ //TODO: pending_opstate 不是syn, bypass这个流 KNI_LOG_ERROR(logger, "pending opstate: not syn"); FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_NO_SYN_EXP], 0, FS_OP_ADD, 1); FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_BYP_PKT], 0, FS_OP_ADD, 1); - FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_BYP_STM], 0, FS_OP_ADD, 1); return APP_STATE_FAWPKT | APP_STATE_DROPME; } pmeinfo->client_tcpopt = kni_get_tcpopt(pktinfo->tcphdr, pktinfo->tcphdr_len); @@ -194,11 +197,13 @@ static char pending_opstate(const struct streaminfo *stream, struct pme_info *pm static int get_action(struct ipaddr *addr, char *domain, int domain_len, int thread_seq){ //return KNI_ACTION_INTERCEPT; - int action = kni_maat_scan_ip(g_kni_handle->maat_handle, addr, thread_seq, g_kni_handle->logger); + int action = kni_maat_scan_ip(g_kni_handle->maat_handle, addr, thread_seq); if(action == KNI_ACTION_BYPASS){ return action; } - action = kni_maat_scan_domain(g_kni_handle->maat_handle, domain, domain_len, thread_seq, g_kni_handle->logger); + if(domain_len != 0){ + action = kni_maat_scan_domain(g_kni_handle->maat_handle, domain, domain_len, thread_seq); + } return action; } 
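Review bot: In get_action the domain scan result replaces the IP scan result whenever an SNI was found, so an IP rule that returned KNI_ACTION_INTERCEPT is discarded if the domain table matches nothing and kni_maat_scan_domain presumably falls back to handle->default_action (maat_process_scan_result is outside the hunk, so this is inferred). If either table is meant to be able to force an intercept on its own, the combination needs to be explicit rather than "last scan wins"; if the override is intentional, say so above the function: `// IP table first: BYPASS is final; when an SNI/Host was seen, the domain table's verdict replaces the IP verdict.` Note also that `domain` is handed down without a NUL terminator, so callee code must treat domain_len as the only authoritative length.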
@@ -230,9 +235,10 @@ static char data_opstate(const struct streaminfo *stream, struct pme_info *pmein if(stream->dir != DIR_DOUBLE){ KNI_LOG_INFO(logger, "stream dir is %d, bypass", stream->dir); FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_BYP_PKT], 0, FS_OP_ADD, 1); - FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_BYP_STM], 0, FS_OP_ADD, 1); return APP_STATE_FAWPKT | APP_STATE_DROPME; } + //三次握手成功才算一个流 + FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_TOT_STM], 0, FS_OP_ADD, 1); struct protocol_identify_result *result = ALLOC(struct protocol_identify_result, 1); protocol_identify(stream, pktinfo->data, pktinfo->data_len, result); pmeinfo->protocol = result->protocol; @@ -428,7 +434,7 @@ static struct kni_field_stat_handle * fs_init(const char *profile){ void *logger = g_kni_handle->logger; const char *section = "field_stat"; char stat_path[KNI_PATH_MAX]; - MESA_load_profile_string_def(profile, section, "stat_path", stat_path, KNI_PATH_MAX, "./fs2_kni.status"); + MESA_load_profile_string_def(profile, section, "stat_path", stat_path, KNI_PATH_MAX, "unknown"); KNI_LOG_INFO(logger, "MESA_prof_load, [%s]:\n stat_path: %s\n", "field_stat", stat_path); screen_stat_handle_t handle = FS_create_handle(); if(handle == NULL){ @@ -464,6 +470,8 @@ static struct kni_field_stat_handle * fs_init(const char *profile){ fs_handle->fields[KNI_FIELD_SSL_STM] = FS_register(handle, FS_STYLE_FIELD, FS_CALC_CURRENT, "ssl_stm"); fs_handle->fields[KNI_FIELD_HTTP_STM] = FS_register(handle, FS_STYLE_FIELD, FS_CALC_CURRENT, "http_stm"); fs_handle->fields[KNI_FIELD_UNKNOWN_STM] = FS_register(handle, FS_STYLE_FIELD, FS_CALC_CURRENT, "unknown_stm"); + fs_handle->handle = handle; + FS_start(handle); return fs_handle; } diff --git a/entry/src/kni_maat.cpp b/entry/src/kni_maat.cpp index e10eec5..fead6dd 100644 --- a/entry/src/kni_maat.cpp +++ b/entry/src/kni_maat.cpp 
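Review bot: Changing the stat_path default in fs_init from "./fs2_kni.status" to "unknown" means a kni.conf without a [field_stat] section silently writes the statistics file to a file literally named `unknown` in the working directory, and nothing in the hunk rejects that sentinel. Either keep the old default or treat the sentinel as a configuration error the way FS_create_handle failure is treated: `if(strcmp(stat_path, "unknown") == 0){ KNI_LOG_ERROR(logger, "[field_stat] stat_path missing in %s", profile); return NULL; }`. The same "unknown" sentinel is used by kni_maat_init for tableinfo_path and the table names and is not validated there either. fs_init continues past the hunk.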
@@ -12,16 +12,38 @@ void kni_maat_destroy(struct kni_maat_handle *handle){ FREE(&handle); } + +void compile_ex_param_new(int idx, const struct Maat_rule_t* rule, const char* srv_def_large, MAAT_RULE_EX_DATA* ad, long argl, void *argp){ + printf("call compile_ex_param_new\n"); + if(rule->config_id == 0){ + int *action = (int*)argp; + *action = rule->action; + } + return; +} + +void compile_ex_param_free(int idx, const struct Maat_rule_t* rule, const char* srv_def_large, MAAT_RULE_EX_DATA* ad, long argl, void *argp){ + return; +} + +void compile_ex_param_dup(int idx, MAAT_RULE_EX_DATA *to, MAAT_RULE_EX_DATA *from, long argl, void *argp){ + return; +} + struct kni_maat_handle* kni_maat_init(const char* profile, void *logger){ const char *section = "maat"; int readconf_mode; char tableinfo_path[KNI_PATH_MAX]; - char tablename_intercept_compile[KNI_SYMBOL_MAX]; + char tablename_intercept_ip[KNI_SYMBOL_MAX]; + char tablename_intercept_domain[KNI_SYMBOL_MAX]; + char compile_alias[KNI_SYMBOL_MAX]; MESA_load_profile_int_def(profile, section, "readconf_mode", &readconf_mode, KNI_MAAT_READCONF_IRIS); MESA_load_profile_string_def(profile, section, "tableinfo_path", tableinfo_path, sizeof(tableinfo_path), "unknown"); - MESA_load_profile_string_def(profile, section, "tablename_intercept_compile", tablename_intercept_compile, sizeof(tablename_intercept_compile), "unknown"); - KNI_LOG_INFO(logger, "MESA_prof_load, [%s]:\n readconf_mode: %d\n tableinfo_path: %s\n tablename_intercept_compile: %s\n", - section, readconf_mode, tableinfo_path, tablename_intercept_compile); + MESA_load_profile_string_def(profile, section, "tablename_intercept_ip", tablename_intercept_ip, sizeof(tablename_intercept_ip), "unknown"); + MESA_load_profile_string_def(profile, section, "tablename_intercept_domain", tablename_intercept_domain, sizeof(tablename_intercept_domain), "unknown"); + MESA_load_profile_string_def(profile, section, "compile_alias", compile_alias, sizeof(compile_alias), "unknown"); + 
KNI_LOG_INFO(logger, "MESA_prof_load, [%s]:\n readconf_mode: %d\n tableinfo_path: %s\n tablename_intercept_ip: %s\n tablename_intercept_domain: %s\n" + "compile_alias: %s\n", section, readconf_mode, tableinfo_path, tablename_intercept_ip, tablename_intercept_domain, compile_alias); Maat_feather_t feather = Maat_feather(g_iThreadNum, tableinfo_path, logger); if(feather == NULL){ KNI_LOG_ERROR(logger, "Failed at Maat_feather, max_thread_num is %d, tableinfo_path is %s", g_iThreadNum, tableinfo_path); 
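Review bot: compile_ex_param_new still carries a `printf("call compile_ex_param_new\n")` debug trace that goes to stdout on every rule load instead of through the logger; it should be removed (the callback only receives argp, not a logger). The callback also writes rule->action directly into handle->default_action through argp, while kni_maat_scan_ip and kni_maat_scan_domain read that field from the scan threads; if Maat invokes the callback from its own reload thread, as the _new/_free/_dup naming suggests, the field should be an atomic or otherwise protected — worth confirming against the Maat API. The three callbacks are used only in this file and should be `static`. The config_id == 0 convention deserves a comment on the callback: `// the COMPILE_ALIAS rule with config_id 0 carries the firewall-wide default action; each reload overwrites it`.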
@@ -54,16 +76,29 @@ struct kni_maat_handle* kni_maat_init(const char* profile, void *logger){ KNI_LOG_ERROR(logger, "Failed at Maat_initiate_feather"); return NULL; } - int tableid_intercept_compile = Maat_table_register(feather, tablename_intercept_compile); - if(tableid_intercept_compile < 0){ + int tableid_intercept_ip = Maat_table_register(feather, tablename_intercept_ip); + int tableid_intercept_domain = Maat_table_register(feather, tablename_intercept_domain); + if(tableid_intercept_ip < 0){ KNI_LOG_ERROR(logger, "Failed at Maat_table_register, tablename is %d, ret is %d", - tablename_intercept_compile, tableid_intercept_compile); + tablename_intercept_ip, tableid_intercept_ip); + return NULL; + } + if(tableid_intercept_domain < 0){ + KNI_LOG_ERROR(logger, "Failed at Maat_table_register, tablename is %d, ret is %d", + tablename_intercept_domain, tableid_intercept_domain); return NULL; } struct kni_maat_handle *handle = ALLOC(struct kni_maat_handle, 1); + ret = Maat_rule_get_ex_new_index(feather, "COMPILE_ALIAS", compile_ex_param_new, compile_ex_param_free, compile_ex_param_dup, 0, (void*)&(handle->default_action)); + if(ret < 0){ + KNI_LOG_ERROR(logger, "Failed at Maat_rule_get_ex_new_index, ret is %d", ret); + kni_maat_destroy(handle); + return NULL; + } handle->feather = feather; - handle->tableid_intercept_compile = tableid_intercept_compile; - handle->default_action = KNI_ACTION_INTERCEPT; + handle->tableid_intercept_ip = tableid_intercept_ip; + handle->tableid_intercept_domain = tableid_intercept_domain; + //handle->default_action = KNI_ACTION_INTERCEPT; handle->logger = logger; return handle; } 
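Review bot: With `handle->default_action = KNI_ACTION_INTERCEPT;` commented out, default_action is only ever set by compile_ex_param_new for a rule with config_id 0, so until such a rule is loaded both scan functions return whatever ALLOC left in the field on a scan error (zero if ALLOC zero-fills, which the hunk does not show) — keep the fail-closed initialisation before Maat_rule_get_ex_new_index and let the callback overwrite it later. The two new KNI_LOG_ERROR calls pass a char array to `%d`, which is undefined behaviour and prints garbage; use `%s` for tablename_intercept_ip and tablename_intercept_domain. The compile_alias string loaded from the profile is never used because Maat_rule_get_ex_new_index hard-codes "COMPILE_ALIAS"; pass `compile_alias` so the conf key means something. Finally, kni_maat_destroy(handle) runs before handle->feather and handle->logger are assigned, so if destroy touches them (its start is outside the hunk) it reads uninitialised memory, and on every early return here the feather itself is leaked.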
@@ -85,26 +120,43 @@ static int maat_process_scan_result(struct kni_maat_handle *handle, int num, str int kni_maat_scan_ip(struct kni_maat_handle *handle, struct ipaddr *addr, int thread_seq){ void *logger = handle->logger; struct Maat_rule_t result[KNI_MAAT_RULE_NUM_MAX]; - int ret = Maat_scan_proto_addr(handle->feather, handle->tableid_intercept_compile, addr, 0, result, - KNI_MAAT_RULE_NUM_MAX, NULL, thread_seq); + scan_status_t mid = NULL; + int ret = Maat_scan_proto_addr(handle->feather, handle->tableid_intercept_ip, addr, 0, result, + KNI_MAAT_RULE_NUM_MAX, &mid, thread_seq); if(ret < 0){ KNI_LOG_ERROR(logger, "Failed at Maat_scan_proto_addr, ret is %d", ret); return handle->default_action; } - return maat_process_scan_result(handle, ret, result); + int action = maat_process_scan_result(handle, ret, result); + + //for debug + char saddr[INET_ADDRSTRLEN]; + inet_ntop(AF_INET, &(addr->v4->saddr), saddr, INET_ADDRSTRLEN); + KNI_LOG_DEBUG(logger, "ip is %s, ret is %d, action is %d\n", saddr, ret, action); + + return action; } int kni_maat_scan_domain(struct kni_maat_handle* handle, char *domain, int domain_len, int thread_seq){ void *logger = handle->logger; struct Maat_rule_t result[KNI_MAAT_RULE_NUM_MAX]; - //TODO: GBK - int ret = Maat_full_scan_string(handle->feather, handle->tableid_intercept_compile, CHARSET_GBK, - domain, domain_len, result, NULL, KNI_MAAT_RULE_NUM_MAX, NULL, thread_seq); + //必须要初始化为NULL, 不懂为什么 + scan_status_t mid = NULL; + int ret = Maat_full_scan_string(handle->feather, handle->tableid_intercept_domain, CHARSET_UTF8, + domain, domain_len, result, NULL, KNI_MAAT_RULE_NUM_MAX, &mid, thread_seq); if(ret < 0){ KNI_LOG_ERROR(logger, "Failed at Maat_full_scan_string, ret is %d", ret); return handle->default_action; } - return maat_process_scan_result(handle, ret, result); + int action = maat_process_scan_result(handle, ret, result); + + //for debug + char domain1[100] = ""; + memcpy(domain1, domain, domain_len); + domain1[domain_len] = '\0'; + 
KNI_LOG_DEBUG(logger, "domain is %s, ret is %d, action is %d\n", domain, ret, action); + + return action; }
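Review bot: The debug block at the end of kni_maat_scan_domain memcpy's domain_len bytes into a fixed `char domain1[100]` and then writes domain1[domain_len] with no bound check; domain_len comes from strnlen(sni, KNI_DOMAIN_MAX) in protocol_identify, so any SNI of 100 bytes or more — attacker-controlled in the ClientHello — overflows the stack buffer. The log line then prints `domain` rather than `domain1`, so the terminated copy is unused and `%s` over-reads the unterminated input. Bound the copy to the buffer and log the copy, as below. The comment on `scan_status_t mid = NULL` ("must be initialised to NULL, don't know why") should state the reason once confirmed against the Maat API — presumably a non-NULL status is treated as a resumable scan handle; the IPv4-only inet_ntop in kni_maat_scan_ip likewise assumes addr->v4 is the populated member.
```cpp
    //for debug: log a bounded, NUL-terminated copy; `domain` itself is not terminated
    char domain1[100] = "";
    int copy_len = domain_len;
    if(copy_len < 0){
        copy_len = 0;
    }
    if(copy_len > (int)sizeof(domain1) - 1){
        copy_len = (int)sizeof(domain1) - 1;
    }
    memcpy(domain1, domain, copy_len);
    domain1[copy_len] = '\0';
    KNI_LOG_DEBUG(logger, "domain is %s, ret is %d, action is %d\n", domain1, ret, action);

    return action;
}
```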