gfwleak/tango-kni
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

初步调通maat扫描

Browse Source
This commit is contained in:
崔一鸣
2019-05-19 17:23:18 +08:00
parent f602997b90
commit 82efb303c0
7 changed files with 128 additions and 32 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
common/include/kni_utils.h
View File

@@ -86,6 +86,7 @@ struct kni_field_stat_handle{
int fields[KNI_FIELD_MAX]; int fields[KNI_FIELD_MAX];
}; };
uint16_t kni_ip_checksum(const void *buf, size_t hdr_len); uint16_t kni_ip_checksum(const void *buf, size_t hdr_len);
uint16_t kni_tcp_checksum(const void *_buf, size_t len, in_addr_t src_addr, in_addr_t dest_addr); uint16_t kni_tcp_checksum(const void *_buf, size_t len, in_addr_t src_addr, in_addr_t dest_addr);
uint16_t kni_udp_checksum(const void *_buf, size_t len, in_addr_t src_addr, in_addr_t dest_addr); uint16_t kni_udp_checksum(const void *_buf, size_t len, in_addr_t src_addr, in_addr_t dest_addr);

7
conf/kni.conf
View File

@@ -6,9 +6,14 @@ log_level = 10
readconf_mode = 1 readconf_mode = 1
tableinfo_path = ./conf/kni/maat_tableinfo.conf tableinfo_path = ./conf/kni/maat_tableinfo.conf
maatjson_path = ./conf/kni/maat_test.json maatjson_path = ./conf/kni/maat_test.json
tablename_intercept_compile = PXY_INTERCEPT_COMPILE tablename_intercept_ip = PXY_INTERCEPT_IP
tablename_intercept_domain = PXY_INTERCEPT_DOMAIN
compile_alias = COMPILE_ALIAS
[marsio] [marsio]
appsym = knifw appsym = knifw
dev_symbol = eth4 dev_symbol = eth4
[field_stat]
stat_path = ./fs2_kni.status

1
conf/maat/maat_tableinfo.conf
View File

@@ -2,3 +2,4 @@
2 PXY_INTERCEPT_GROUP group -- 2 PXY_INTERCEPT_GROUP group --
3 PXY_INTERCEPT_IP ip -- 3 PXY_INTERCEPT_IP ip --
4 PXY_INTERCEPT_DOMAIN expr utf8 utf8 yes 0 4 PXY_INTERCEPT_DOMAIN expr utf8 utf8 yes 0
5 COMPILE_ALIAS compile escape --

34
conf/maat/maat_test.json
View File

@@ -2,10 +2,37 @@
"compile_table": "PXY_INTERCEPT_COMPILE", "compile_table": "PXY_INTERCEPT_COMPILE",
"group_table": "PXY_INTERCEPT_GROUP", "group_table": "PXY_INTERCEPT_GROUP",
"rules": [ "rules": [
{
"compile_id": 0,
"service": 1,
"action": 1,
"do_blacklist": 1,
"do_log": 1,
"effective_rage": 0,
"user_region": "zone=pkt_payload;substitute=/AAAA/BBBB",
"is_valid": "yes",
"groups": [
{
"group_name": "Untitled",
"regions": [
{
"table_name": "HTTP_URL",
"table_type": "string",
"table_content": {
"keywords": "i.ytimg.com",
"expr_type": "none",
"match_method": "sub",
"format": "uncase plain"
}
}
]
}
]
},
{ {
"compile_id": 1, "compile_id": 1,
"service": 1, "service": 1,
"action":120, "action":2,
"do_blacklist": 1, "do_blacklist": 1,
"do_log": 1, "do_log": 1,
"effective_rage": 0, "effective_rage": 0,
@@ -20,7 +47,7 @@
"table_type": "ip", "table_type": "ip",
"table_content": { "table_content": {
"addr_type": "ipv4", "addr_type": "ipv4",
"src_ip": "192.168.192.135", "src_ip": "192.168.11.135",
"mask_src_ip": "255.255.255.255", "mask_src_ip": "255.255.255.255",
"src_port": "0", "src_port": "0",
"mask_src_port": "65535", "mask_src_port": "65535",
@@ -39,8 +66,9 @@
{ {
"compile_id": 2, "compile_id": 2,
"service": 1, "service": 1,
"action":120, "action":2,
"do_blacklist": 1, "do_blacklist": 1,
"table_name": "COMPILE_ALIAS",
"do_log": 1, "do_log": 1,
"effective_rage": 0, "effective_rage": 0,
"user_region": "zone=pkt_payload;substitute=/AAAA/BBBB", "user_region": "zone=pkt_payload;substitute=/AAAA/BBBB",

7
entry/include/kni_maat.h
View File

@@ -6,7 +6,8 @@
struct kni_maat_handle{ struct kni_maat_handle{
Maat_feather_t feather; Maat_feather_t feather;
int default_action; int default_action;
int tableid_intercept_compile; int tableid_intercept_ip;
int tableid_intercept_domain;
void *logger; void *logger;
}; };
@@ -17,5 +18,5 @@ enum kni_action{
}; };
struct kni_maat_handle* kni_maat_init(const char* profile, void *logger); struct kni_maat_handle* kni_maat_init(const char* profile, void *logger);
void kni_maat_destroy(struct kni_maat_handle *handle); void kni_maat_destroy(struct kni_maat_handle *handle);
int kni_maat_scan_ip(struct kni_maat_handle* handle, struct ipaddr *addr, int thread_seq, void *logger); int kni_maat_scan_ip(struct kni_maat_handle* handle, struct ipaddr *addr, int thread_seq);
int kni_maat_scan_domain(struct kni_maat_handle* handle, char *domain, int domain_len, int thread_seq, void *logger); int kni_maat_scan_domain(struct kni_maat_handle* handle, char *domain, int domain_len, int thread_seq);

20
entry/src/kni_entry.cpp
View File

@@ -61,8 +61,13 @@ static int protocol_identify(const struct streaminfo* stream, char *buf, int len
chello = ssl_chello_parse((const unsigned char*)buf, len, &chello_status); chello = ssl_chello_parse((const unsigned char*)buf, len, &chello_status);
if(chello_status == CHELLO_PARSE_SUCCESS){ if(chello_status == CHELLO_PARSE_SUCCESS){
result->protocol = KNI_PROTOCOL_SSL; result->protocol = KNI_PROTOCOL_SSL;
if(chello->sni == NULL){
result->domain_len = 0;
}
else{
result->domain_len = strnlen(chello->sni, KNI_DOMAIN_MAX); result->domain_len = strnlen(chello->sni, KNI_DOMAIN_MAX);
memcpy(result->domain, chello->sni, result->domain_len); memcpy(result->domain, chello->sni, result->domain_len);
}
ssl_chello_free(chello); ssl_chello_free(chello);
return 0; return 0;
} }
@@ -178,13 +183,11 @@ static int send_to_tfe(struct kni_marsio_handle *handle, char *raw_data, int raw
static char pending_opstate(const struct streaminfo *stream, struct pme_info *pmeinfo, struct pkt_info *pktinfo){ static char pending_opstate(const struct streaminfo *stream, struct pme_info *pmeinfo, struct pkt_info *pktinfo){
void *logger = g_kni_handle->logger; void *logger = g_kni_handle->logger;
FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_TOT_STM], 0, FS_OP_ADD, 1);
if(!pktinfo->tcphdr->syn){ if(!pktinfo->tcphdr->syn){
//TODO: pending_opstate 不是syn, bypass这个流 //TODO: pending_opstate 不是syn, bypass这个流
KNI_LOG_ERROR(logger, "pending opstate: not syn"); KNI_LOG_ERROR(logger, "pending opstate: not syn");
FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_NO_SYN_EXP], 0, FS_OP_ADD, 1); FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_NO_SYN_EXP], 0, FS_OP_ADD, 1);
FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_BYP_PKT], 0, FS_OP_ADD, 1); FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_BYP_PKT], 0, FS_OP_ADD, 1);
FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_BYP_STM], 0, FS_OP_ADD, 1);
return APP_STATE_FAWPKT | APP_STATE_DROPME; return APP_STATE_FAWPKT | APP_STATE_DROPME;
} }
pmeinfo->client_tcpopt = kni_get_tcpopt(pktinfo->tcphdr, pktinfo->tcphdr_len); pmeinfo->client_tcpopt = kni_get_tcpopt(pktinfo->tcphdr, pktinfo->tcphdr_len);
@@ -194,11 +197,13 @@ static char pending_opstate(const struct streaminfo *stream, struct pme_info *pm
static int get_action(struct ipaddr *addr, char *domain, int domain_len, int thread_seq){ static int get_action(struct ipaddr *addr, char *domain, int domain_len, int thread_seq){
//return KNI_ACTION_INTERCEPT; //return KNI_ACTION_INTERCEPT;
int action = kni_maat_scan_ip(g_kni_handle->maat_handle, addr, thread_seq, g_kni_handle->logger); int action = kni_maat_scan_ip(g_kni_handle->maat_handle, addr, thread_seq);
if(action == KNI_ACTION_BYPASS){ if(action == KNI_ACTION_BYPASS){
return action; return action;
} }
action = kni_maat_scan_domain(g_kni_handle->maat_handle, domain, domain_len, thread_seq, g_kni_handle->logger); if(domain_len != 0){
action = kni_maat_scan_domain(g_kni_handle->maat_handle, domain, domain_len, thread_seq);
}
return action; return action;
} }
@@ -230,9 +235,10 @@ static char data_opstate(const struct streaminfo *stream, struct pme_info *pmein
if(stream->dir != DIR_DOUBLE){ if(stream->dir != DIR_DOUBLE){
KNI_LOG_INFO(logger, "stream dir is %d, bypass", stream->dir); KNI_LOG_INFO(logger, "stream dir is %d, bypass", stream->dir);
FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_BYP_PKT], 0, FS_OP_ADD, 1); FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_BYP_PKT], 0, FS_OP_ADD, 1);
FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_BYP_STM], 0, FS_OP_ADD, 1);
return APP_STATE_FAWPKT | APP_STATE_DROPME; return APP_STATE_FAWPKT | APP_STATE_DROPME;
} }
//三次握手成功才算一个流
FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_TOT_STM], 0, FS_OP_ADD, 1);
struct protocol_identify_result *result = ALLOC(struct protocol_identify_result, 1); struct protocol_identify_result *result = ALLOC(struct protocol_identify_result, 1);
protocol_identify(stream, pktinfo->data, pktinfo->data_len, result); protocol_identify(stream, pktinfo->data, pktinfo->data_len, result);
pmeinfo->protocol = result->protocol; pmeinfo->protocol = result->protocol;
@@ -428,7 +434,7 @@ static struct kni_field_stat_handle * fs_init(const char *profile){
void *logger = g_kni_handle->logger; void *logger = g_kni_handle->logger;
const char *section = "field_stat"; const char *section = "field_stat";
char stat_path[KNI_PATH_MAX]; char stat_path[KNI_PATH_MAX];
MESA_load_profile_string_def(profile, section, "stat_path", stat_path, KNI_PATH_MAX, "./fs2_kni.status"); MESA_load_profile_string_def(profile, section, "stat_path", stat_path, KNI_PATH_MAX, "unknown");
KNI_LOG_INFO(logger, "MESA_prof_load, [%s]:\n stat_path: %s\n", "field_stat", stat_path); KNI_LOG_INFO(logger, "MESA_prof_load, [%s]:\n stat_path: %s\n", "field_stat", stat_path);
screen_stat_handle_t handle = FS_create_handle(); screen_stat_handle_t handle = FS_create_handle();
if(handle == NULL){ if(handle == NULL){
@@ -464,6 +470,8 @@ static struct kni_field_stat_handle * fs_init(const char *profile){
fs_handle->fields[KNI_FIELD_SSL_STM] = FS_register(handle, FS_STYLE_FIELD, FS_CALC_CURRENT, "ssl_stm"); fs_handle->fields[KNI_FIELD_SSL_STM] = FS_register(handle, FS_STYLE_FIELD, FS_CALC_CURRENT, "ssl_stm");
fs_handle->fields[KNI_FIELD_HTTP_STM] = FS_register(handle, FS_STYLE_FIELD, FS_CALC_CURRENT, "http_stm"); fs_handle->fields[KNI_FIELD_HTTP_STM] = FS_register(handle, FS_STYLE_FIELD, FS_CALC_CURRENT, "http_stm");
fs_handle->fields[KNI_FIELD_UNKNOWN_STM] = FS_register(handle, FS_STYLE_FIELD, FS_CALC_CURRENT, "unknown_stm"); fs_handle->fields[KNI_FIELD_UNKNOWN_STM] = FS_register(handle, FS_STYLE_FIELD, FS_CALC_CURRENT, "unknown_stm");
fs_handle->handle = handle;
FS_start(handle);
return fs_handle; return fs_handle;
} }

84
entry/src/kni_maat.cpp
View File

@@ -12,16 +12,38 @@ void kni_maat_destroy(struct kni_maat_handle *handle){
FREE(&handle); FREE(&handle);
} }
void compile_ex_param_new(int idx, const struct Maat_rule_t* rule, const char* srv_def_large, MAAT_RULE_EX_DATA* ad, long argl, void *argp){
printf("call compile_ex_param_new\n");
if(rule->config_id == 0){
int *action = (int*)argp;
*action = rule->action;
}
return;
}
void compile_ex_param_free(int idx, const struct Maat_rule_t* rule, const char* srv_def_large, MAAT_RULE_EX_DATA* ad, long argl, void *argp){
return;
}
void compile_ex_param_dup(int idx, MAAT_RULE_EX_DATA *to, MAAT_RULE_EX_DATA *from, long argl, void *argp){
return;
}
struct kni_maat_handle* kni_maat_init(const char* profile, void *logger){ struct kni_maat_handle* kni_maat_init(const char* profile, void *logger){
const char *section = "maat"; const char *section = "maat";
int readconf_mode; int readconf_mode;
char tableinfo_path[KNI_PATH_MAX]; char tableinfo_path[KNI_PATH_MAX];
char tablename_intercept_compile[KNI_SYMBOL_MAX]; char tablename_intercept_ip[KNI_SYMBOL_MAX];
char tablename_intercept_domain[KNI_SYMBOL_MAX];
char compile_alias[KNI_SYMBOL_MAX];
MESA_load_profile_int_def(profile, section, "readconf_mode", &readconf_mode, KNI_MAAT_READCONF_IRIS); MESA_load_profile_int_def(profile, section, "readconf_mode", &readconf_mode, KNI_MAAT_READCONF_IRIS);
MESA_load_profile_string_def(profile, section, "tableinfo_path", tableinfo_path, sizeof(tableinfo_path), "unknown"); MESA_load_profile_string_def(profile, section, "tableinfo_path", tableinfo_path, sizeof(tableinfo_path), "unknown");
MESA_load_profile_string_def(profile, section, "tablename_intercept_compile", tablename_intercept_compile, sizeof(tablename_intercept_compile), "unknown"); MESA_load_profile_string_def(profile, section, "tablename_intercept_ip", tablename_intercept_ip, sizeof(tablename_intercept_ip), "unknown");
KNI_LOG_INFO(logger, "MESA_prof_load, [%s]:\n readconf_mode: %d\n tableinfo_path: %s\n tablename_intercept_compile: %s\n", MESA_load_profile_string_def(profile, section, "tablename_intercept_domain", tablename_intercept_domain, sizeof(tablename_intercept_domain), "unknown");
section, readconf_mode, tableinfo_path, tablename_intercept_compile); MESA_load_profile_string_def(profile, section, "compile_alias", compile_alias, sizeof(compile_alias), "unknown");
KNI_LOG_INFO(logger, "MESA_prof_load, [%s]:\n readconf_mode: %d\n tableinfo_path: %s\n tablename_intercept_ip: %s\n tablename_intercept_domain: %s\n"
"compile_alias: %s\n", section, readconf_mode, tableinfo_path, tablename_intercept_ip, tablename_intercept_domain, compile_alias);
Maat_feather_t feather = Maat_feather(g_iThreadNum, tableinfo_path, logger); Maat_feather_t feather = Maat_feather(g_iThreadNum, tableinfo_path, logger);
if(feather == NULL){ if(feather == NULL){
KNI_LOG_ERROR(logger, "Failed at Maat_feather, max_thread_num is %d, tableinfo_path is %s", g_iThreadNum, tableinfo_path); KNI_LOG_ERROR(logger, "Failed at Maat_feather, max_thread_num is %d, tableinfo_path is %s", g_iThreadNum, tableinfo_path);
@@ -54,16 +76,29 @@ struct kni_maat_handle* kni_maat_init(const char* profile, void *logger){
KNI_LOG_ERROR(logger, "Failed at Maat_initiate_feather"); KNI_LOG_ERROR(logger, "Failed at Maat_initiate_feather");
return NULL; return NULL;
} }
int tableid_intercept_compile = Maat_table_register(feather, tablename_intercept_compile); int tableid_intercept_ip = Maat_table_register(feather, tablename_intercept_ip);
if(tableid_intercept_compile < 0){ int tableid_intercept_domain = Maat_table_register(feather, tablename_intercept_domain);
if(tableid_intercept_ip < 0){
KNI_LOG_ERROR(logger, "Failed at Maat_table_register, tablename is %d, ret is %d", KNI_LOG_ERROR(logger, "Failed at Maat_table_register, tablename is %d, ret is %d",
tablename_intercept_compile, tableid_intercept_compile); tablename_intercept_ip, tableid_intercept_ip);
return NULL;
}
if(tableid_intercept_domain < 0){
KNI_LOG_ERROR(logger, "Failed at Maat_table_register, tablename is %d, ret is %d",
tablename_intercept_domain, tableid_intercept_domain);
return NULL; return NULL;
} }
struct kni_maat_handle *handle = ALLOC(struct kni_maat_handle, 1); struct kni_maat_handle *handle = ALLOC(struct kni_maat_handle, 1);
ret = Maat_rule_get_ex_new_index(feather, "COMPILE_ALIAS", compile_ex_param_new, compile_ex_param_free, compile_ex_param_dup, 0, (void*)&(handle->default_action));
if(ret < 0){
KNI_LOG_ERROR(logger, "Failed at Maat_rule_get_ex_new_index, ret is %d", ret);
kni_maat_destroy(handle);
return NULL;
}
handle->feather = feather; handle->feather = feather;
handle->tableid_intercept_compile = tableid_intercept_compile; handle->tableid_intercept_ip = tableid_intercept_ip;
handle->default_action = KNI_ACTION_INTERCEPT; handle->tableid_intercept_domain = tableid_intercept_domain;
//handle->default_action = KNI_ACTION_INTERCEPT;
handle->logger = logger; handle->logger = logger;
return handle; return handle;
} }
@@ -85,26 +120,43 @@ static int maat_process_scan_result(struct kni_maat_handle *handle, int num, str
int kni_maat_scan_ip(struct kni_maat_handle *handle, struct ipaddr *addr, int thread_seq){ int kni_maat_scan_ip(struct kni_maat_handle *handle, struct ipaddr *addr, int thread_seq){
void *logger = handle->logger; void *logger = handle->logger;
struct Maat_rule_t result[KNI_MAAT_RULE_NUM_MAX]; struct Maat_rule_t result[KNI_MAAT_RULE_NUM_MAX];
int ret = Maat_scan_proto_addr(handle->feather, handle->tableid_intercept_compile, addr, 0, result, scan_status_t mid = NULL;
KNI_MAAT_RULE_NUM_MAX, NULL, thread_seq); int ret = Maat_scan_proto_addr(handle->feather, handle->tableid_intercept_ip, addr, 0, result,
KNI_MAAT_RULE_NUM_MAX, &mid, thread_seq);
if(ret < 0){ if(ret < 0){
KNI_LOG_ERROR(logger, "Failed at Maat_scan_proto_addr, ret is %d", ret); KNI_LOG_ERROR(logger, "Failed at Maat_scan_proto_addr, ret is %d", ret);
return handle->default_action; return handle->default_action;
} }
return maat_process_scan_result(handle, ret, result); int action = maat_process_scan_result(handle, ret, result);
//for debug
char saddr[INET_ADDRSTRLEN];
inet_ntop(AF_INET, &(addr->v4->saddr), saddr, INET_ADDRSTRLEN);
KNI_LOG_DEBUG(logger, "ip is %s, ret is %d, action is %d\n", saddr, ret, action);
return action;
} }
int kni_maat_scan_domain(struct kni_maat_handle* handle, char *domain, int domain_len, int thread_seq){ int kni_maat_scan_domain(struct kni_maat_handle* handle, char *domain, int domain_len, int thread_seq){
void *logger = handle->logger; void *logger = handle->logger;
struct Maat_rule_t result[KNI_MAAT_RULE_NUM_MAX]; struct Maat_rule_t result[KNI_MAAT_RULE_NUM_MAX];
//TODO: GBK //必须要初始化为NULL, 不懂为什么
int ret = Maat_full_scan_string(handle->feather, handle->tableid_intercept_compile, CHARSET_GBK, scan_status_t mid = NULL;
domain, domain_len, result, NULL, KNI_MAAT_RULE_NUM_MAX, NULL, thread_seq); int ret = Maat_full_scan_string(handle->feather, handle->tableid_intercept_domain, CHARSET_UTF8,
domain, domain_len, result, NULL, KNI_MAAT_RULE_NUM_MAX, &mid, thread_seq);
if(ret < 0){ if(ret < 0){
KNI_LOG_ERROR(logger, "Failed at Maat_full_scan_string, ret is %d", ret); KNI_LOG_ERROR(logger, "Failed at Maat_full_scan_string, ret is %d", ret);
return handle->default_action; return handle->default_action;
} }
return maat_process_scan_result(handle, ret, result); int action = maat_process_scan_result(handle, ret, result);
//for debug
char domain1[100] = "";
memcpy(domain1, domain, domain_len);
domain1[domain_len] = '\0';
KNI_LOG_DEBUG(logger, "domain is %s, ret is %d, action is %d\n", domain, ret, action);
return action;
} }