去除中文注释

common/src/kni_cmsg.cpp

@@ -82,14 +82,11 @@ uint16_t kni_cmsg_serialize_size_get(struct kni_cmsg *cmsg)
 
 int kni_cmsg_serialize(struct kni_cmsg *cmsg, unsigned char *buff, uint16_t bufflen, uint16_t *serialize_len)
 {
-	//size是serialize之后的实际长度
 	uint16_t size = cmsg->size;
-	//传入buff是否够长
 	if(bufflen < size)
 	{
 		return KNI_CMSG_BUFF_NOT_ENOUGH;
 	}
-	//size是否正确
 	if(size < sizeof(struct kni_cmsg_serialize_header))
 	{
 		return KNI_CMSG_INVALID_FORMAT;
@@ -99,7 +96,6 @@ int kni_cmsg_serialize(struct kni_cmsg *cmsg, unsigned char *buff, uint16_t buff
 	header->__magic__[1] = 0x5a;
 	header->nr_tlvs = htons(cmsg->nr_tlvs);
 	uint16_t offset = sizeof(struct kni_cmsg_serialize_header);
-	//检查nr_tlvs是否合法
 	int count = 0;
 	for(int i = 0; i < KNI_CMSG_TLV_NR_MAX; i++){
 		if(cmsg->tlvs[i] != NULL)
@@ -111,7 +107,6 @@ int kni_cmsg_serialize(struct kni_cmsg *cmsg, unsigned char *buff, uint16_t buff
 	{
 		return KNI_CMSG_INVALID_FORMAT;
 	}
-	//序列化
 	for(int i = 0; i < KNI_CMSG_TLV_NR_MAX; i++)
 	{
 		struct kni_cmsg_tlv *tlv = cmsg->tlvs[i];
@@ -134,7 +129,6 @@ int kni_cmsg_serialize(struct kni_cmsg *cmsg, unsigned char *buff, uint16_t buff
 		tlv1->length = htons(tlv->length);
 		offset += length;
 	}
-	//检查size是否正确
 	if(offset != size)
 	{
 		return KNI_CMSG_INVALID_FORMAT;
@@ -143,7 +137,6 @@ int kni_cmsg_serialize(struct kni_cmsg *cmsg, unsigned char *buff, uint16_t buff
 	return 0;
 }
 
-//反序列化
 int kni_cmsg_deserialize(const unsigned char *data, uint16_t len, struct kni_cmsg** pcmsg)
 {
 	struct kni_cmsg *cmsg = NULL;

common/src/ssl_utils.cpp

@@ -132,7 +132,6 @@ struct cipher_suite cipher_suite_list_tls13[] =
 	{0x1305, "TLS_AES_128_CCM_8_SHA256"}
 };
 
-//TODO: parse完记得调用free,防止内存泄漏
 void ssl_chello_free(struct ssl_chello* chello)
 {
 	if(chello==NULL)

entry/include/kni_maat.h

@@ -17,8 +17,12 @@ struct kni_maat_handle;
 */
 enum kni_action{
 	KNI_ACTION_NONE = 0x00,
+	KNI_ACTION_MONITOR = 0x01,
 	KNI_ACTION_INTERCEPT = 0x02,
-	KNI_ACTION_BYPASS = 0x80,
+	KNI_ACTION_REJECT = 0x10,
+	KNI_ACTION_MANIPULATE = 0x30,
+	KNI_ACTION_STEER = 0x60,
+	KNI_ACTION_BYPASS = 0x80
 };
 
 struct kni_maat_handle* kni_maat_init(const char* profile, void *logger);

entry/src/kni_entry.cpp

@@ -10,43 +10,10 @@
 
 extern int g_iThreadNum;
 
-//APP_STATE_DROPME/GIVEME: 当前tcp会话的剩下包是否回调
-//APP_STATE_FAWPKT/DROPPKT: 当前包是否丢弃or转发，如果是丢弃，当前包不会给后面的插件
-//PROT_STATE_GIVEME/DROPME: 当前http会话的剩下包是否回调
 
-
-//seq, ack 是当拿到client hello时传给秋秋，取client hello的 seq, ack, 时间戳和sack没有解, 不用解，只需要知道enable/disable即可
-//TODO: 注意内存泄漏，ALLOC对应的FREE, 还有calloc
-//函数加static 
-//统计syn/syn/ack个数，流个数， pending not syn个数, not syn/ack个数, 单向流数量, 发往tfe的包数，流数，收到的包数，流数 done
-
-//多个tcpall插件，APP_STATE_DROPPKT, APP_STATE_FAWPKT? 有一个droppkt，就不给后面的插件了
-//一个tcp流中有多个http，ssl会话的情况，只扫描第一个
-//TODO: 统计增加多个tfe实例
-//TODO: kafka写日志
-//TODO: taobao穿了？？
-//TODO: 捕的包里面第一个client hello是没有控制信息的
-//TODO: bypass之后继续统计，不要dropme, dropme之后会立即调用close
-//TODO: 
-
-/*
-	1. 对pme来说，只有sapp和tfe都release之后才会释放内存
-		1.1. sapp有自己的超时淘汰，所以肯定会release
-		1.2. 当收到tfe的cmsg信息时, set tfe_release = 1
-		1.3  从收到sapp的release信息之后开始计时(查一下hash表)，超时之后 set tfe_release = 1
-	2. 对traceid2pme的hash表来说
-		2.1 收到tfe的cmsg信息之后需要查询，查完就可以删掉了
-		2.2 hash表的超时淘汰函数: 
-			sapp_release = 0表示计时未开始，不能删除
-			sapp_release = 1表示已经收到sapp的release信息, 确定超时
-*/ 
 struct kni_handle *g_kni_handle = NULL;
 struct kni_field_stat_handle *g_kni_fs_handle = NULL;
 
-//int g_http_project_id;
-//struct kni_marsio_handle *g_kni_marsio_handle;
-//g_iThreadNum 为sapp线程数
-
 #define HTTP_PROJECT_NAME "kni_http_tag"
 #define BURST_MAX   1
 #define STREAM_TRACE_ID_LEN 37
@@ -87,7 +54,7 @@ struct pme_info{
 	uint64_t con_duration;  
 	//from tfe, kafka log
 	int intercept_state;
-	int pinningst;  //默认为0, 表示没有从tfe收到
+	int pinningst;  //defalut 0
 	uint64_t ssl_server_side_latency;
 	uint64_t ssl_client_side_latency;
 	char ssl_server_side_version[KNI_SYMBOL_MAX];
@@ -138,7 +105,6 @@ struct thread_tfe_cmsg_receiver_args{
 	char profile[KNI_SYMBOL_MAX];
 };
 
-//TODO: 有些字段可以不要
 struct pkt_info{
 	struct iphdr *iphdr;
 	int iphdr_len;
@@ -179,7 +145,7 @@ static struct pme_info* pme_info_new(const struct streaminfo *stream, int thread
 }
 
 static int sendlog_to_kafka(struct pme_info *pmeinfo, void *local_logger){
-	//创建cjson对象
+	//create cjson
 	cJSON *log_obj = cJSON_CreateObject();
 	//stream_trace_id
 	cJSON_AddStringToObject(log_obj, "stream_trace_id", pmeinfo->stream_trace_id);
@@ -251,7 +217,7 @@ static int sendlog_to_kafka(struct pme_info *pmeinfo, void *local_logger){
 	cJSON_AddNumberToObject(log_obj, "direction", 0);
 	//stream_dir: from sapp
 	cJSON_AddNumberToObject(log_obj, "stream_dir", pmeinfo->stream->dir);
-	//cap_ip: 从网卡名得到
+	//cap_ip: kni ip
 	char local_ipv4_str[INET6_ADDRSTRLEN];
 	inet_ntop(AF_INET, &(g_kni_handle->local_ipv4), local_ipv4_str, sizeof(local_ipv4_str));
 	cJSON_AddStringToObject(log_obj, "cap_ip", local_ipv4_str);
@@ -281,14 +247,13 @@ static int sendlog_to_kafka(struct pme_info *pmeinfo, void *local_logger){
 	if(ret < 0){
 		KNI_LOG_ERROR(local_logger, "Failed at kni_send_logger_sendlog, ret is %d", ret);
 		goto error_out;
-		//重试逻辑？
 	}
-	FREE(&log_msg);
+	cJSON_free(log_msg);
 	return 0;
 
 error_out:
 	if(log_msg != NULL){
-		FREE(&log_msg);
+		cJSON_free(log_msg);
 	}
 	return -1;
 }
@@ -316,16 +281,16 @@ static void pme_info_destroy(struct pme_info *pmeinfo){
 }
 
 static int protocol_identify(const struct streaminfo* stream, char *buf, int len, struct protocol_identify_result *result){
-	//判断是http
+	//http
 	struct http_project* project = (struct http_project*)project_req_get_struct(stream, g_kni_handle->http_project_id);
 	if(project != NULL){
 		result->protocol = KNI_PROTOCOL_HTTP;
 		result->domain_len = project->host_len;
-		memcpy(result->domain, project->host, result->domain_len);
+		strncpy(result->domain, project->host, strnlen(project->host, sizeof(result->domain)));
 		return 0;
 	}
 
-	//判断是ssl
+	//ssl
 	enum chello_parse_result chello_status = CHELLO_PARSE_INVALID_FORMAT;
 	struct ssl_chello *chello = NULL;
 	chello = ssl_chello_parse((const unsigned char*)buf, len, &chello_status);
@@ -336,7 +301,7 @@ static int protocol_identify(const struct streaminfo* stream, char *buf, int len
 		}
 		else{
 			result->domain_len = strnlen(chello->sni, KNI_DOMAIN_MAX);
-			memcpy(result->domain, chello->sni, result->domain_len);
+			strncpy(result->domain, chello->sni, strnlen(chello->sni, sizeof(result->domain)));
 		}
 		ssl_chello_free(chello);
 		return 0;
@@ -458,8 +423,7 @@ static char* add_cmsg_to_packet(struct pme_info *pmeinfo, struct pkt_info *pktin
 	FREE(&header);
 	//iphdr: tot_len
 	iphdr->tot_len = htons(offset);
-	//iphdr: checksum
+	//must set check = 0
-	//计算校验和之前一定要先置0
 	iphdr->check = 0;
 	iphdr->check = kni_ip_checksum((void*)iphdr, pktinfo->iphdr_len);
 	//tcphdr: checkdum
@@ -473,8 +437,6 @@ static int send_to_tfe(struct kni_marsio_handle *handle, char *raw_data, int raw
 	void *logger = g_kni_handle->local_logger;
 	marsio_buff_t *tx_buffs[BURST_MAX];
 	unsigned int ret = 1;
-	//TODO: marsio配置文件: 2500
-	//thread_seq实际上是网卡队列，一个线程对应一个网卡队列, 并不是线程号和网卡队列号一一对应，假设线程号是tid，网卡队列为n，那么tid % n就是网卡队列号
 	struct mr_vdev *dev_eth_handler = handle->tfe_instance_list[tfe_id]->dev_eth_handler;
 	struct mr_sendpath *dev_eth_sendpath = handle->tfe_instance_list[tfe_id]->dev_eth_sendpath;
 	char *src_mac = handle->src_mac_addr;
@@ -498,12 +460,11 @@ static int send_to_tfe(struct kni_marsio_handle *handle, char *raw_data, int raw
 static char pending_opstate(const struct streaminfo *stream, struct pme_info *pmeinfo, struct pkt_info *pktinfo){
 	void *logger = g_kni_handle->local_logger;
 	if(!pktinfo->tcphdr->syn){
-		//pending_opstate 不是syn, bypass这个流
+		//pending_opstate not syn, bypass and dropme
 		KNI_LOG_ERROR(logger, "pending opstate: not syn");
 		FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_NO_SYN_EXP], 0, FS_OP_ADD, 1);
 		FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_BYP_STM], 0, FS_OP_ADD, 1);
 		FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_BYP_PKT], 0, FS_OP_ADD, 1);
-		//异常情况，不需要等tfe release, 直接释放
 		pmeinfo->tfe_release = 1;
 		return APP_STATE_FAWPKT | APP_STATE_DROPME;
 	}
@@ -512,7 +473,6 @@ static char pending_opstate(const struct streaminfo *stream, struct pme_info *pm
 	return APP_STATE_FAWPKT | APP_STATE_GIVEME;	
 }
 
-//TODO: 这一块逻辑需要和洋姐和秋秋讨论一下
 static char data_opstate(const struct streaminfo *stream, struct pme_info *pmeinfo, struct pkt_info *pktinfo, int thread_seq){
 	void *logger = g_kni_handle->local_logger;
 	char *buf = (char*)pktinfo->iphdr;
@@ -520,7 +480,7 @@ static char data_opstate(const struct streaminfo *stream, struct pme_info *pmein
 	char stream_addr[KNI_SYMBOL_MAX] = "";
 	int ret;
 	kni_stream_addr_trans((struct ipaddr*)(&stream->addr), stream_addr, sizeof(stream_addr));
-	//保证pmeinfo->action只有KNI_ACTION_NONE， KNI_ACTION_INTERCEPT， KNI_ACTION_BYPASS三种情况
+	//pmeinfo->action has only 3 value: KNI_ACTION_NONE， KNI_ACTION_INTERCEPT， KNI_ACTION_BYPASS
 	switch (pmeinfo->action){
 		case KNI_ACTION_NONE:
 			break;
@@ -529,9 +489,6 @@ static char data_opstate(const struct streaminfo *stream, struct pme_info *pmein
 			if(ret < 0){
 				KNI_LOG_ERROR(logger, "Failed at send continue packet to tfe%d, stream_addr is %s", pmeinfo->tfe_id, stream_addr);
 			}
-			else{
-				KNI_LOG_DEBUG(logger, "Succeed at send continue packet to tfe%d, stream_addr is %s", pmeinfo->tfe_id, stream_addr);
-			}
 			FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_INTCP_PKT], 0, FS_OP_ADD, 1);
 			return APP_STATE_DROPPKT | APP_STATE_GIVEME;
 		case KNI_ACTION_BYPASS:
@@ -540,9 +497,7 @@ static char data_opstate(const struct streaminfo *stream, struct pme_info *pmein
 		default:
 			break;
 	}
-	//TODO: client hello如果跨包怎么办？client hello后面一个包先到，这个包该丢掉还是bypass
+	// syn/ack
-	//此时 action = KNI_ACTION_UNKNOWN, 说明还没收到第一个数据包
-	// syn/ack包
 	if(pktinfo->tcphdr->syn && pktinfo->tcphdr->ack){
 		pmeinfo->server_tcpopt = kni_get_tcpopt(pktinfo->tcphdr, pktinfo->tcphdr_len);
 		FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_BYP_PKT], 0, FS_OP_ADD, 1);
@@ -552,7 +507,7 @@ static char data_opstate(const struct streaminfo *stream, struct pme_info *pmein
 		FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_BYP_PKT], 0, FS_OP_ADD, 1);
 		return APP_STATE_FAWPKT | APP_STATE_GIVEME;
 	}
-	//单向流, bypass and dropme
+	//not double dir, bypass and dropme
 	if(stream->dir != DIR_DOUBLE){
 		KNI_LOG_INFO(logger, "dir is %d, bypass, stream addr is %s", stream->dir, stream_addr);
 		FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_BYP_STM], 0, FS_OP_ADD, 1);
@@ -560,40 +515,40 @@ static char data_opstate(const struct streaminfo *stream, struct pme_info *pmein
 		pmeinfo->tfe_release = 1;
 		return APP_STATE_FAWPKT | APP_STATE_DROPME;
 	}
-	struct protocol_identify_result *result = ALLOC(struct protocol_identify_result, 1);
+	struct protocol_identify_result protocol_identify_res;
-	protocol_identify(stream, pktinfo->data, pktinfo->data_len, result);
+	memset(&protocol_identify_res, 0, sizeof(struct protocol_identify_result));
-	pmeinfo->protocol = result->protocol;
+	protocol_identify(stream, pktinfo->data, pktinfo->data_len, &protocol_identify_res);
-	//第一个数据包: 如果从第一个数据包判断不出协议, bypass and dropme
+	pmeinfo->protocol = protocol_identify_res.protocol;
-	if(pmeinfo->protocol == KNI_PROTOCOL_UNKNOWN){
+	switch(pmeinfo->protocol){
-		KNI_LOG_INFO(logger, "Failed at protocol_identify, bypass and dropme, stream addr is %s\n", 
+		//can not identify protocol from first data packet, bypass and dropme
+		case KNI_PROTOCOL_UNKNOWN:
+			KNI_LOG_INFO(logger, "Failed at protocol_identify, bypass and dropme, stream addr is %s\n", 
 						pmeinfo->protocol, stream_addr);
-		FREE(&result);
+			FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_BYP_PKT], 0, FS_OP_ADD, 1);
-		FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_BYP_PKT], 0, FS_OP_ADD, 1);
+			FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_BYP_STM], 0, FS_OP_ADD, 1);
-		FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_BYP_STM], 0, FS_OP_ADD, 1);
+			FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_UNKNOWN_STM], 0, FS_OP_ADD, 1);
-		FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_UNKNOWN_STM], 0, FS_OP_ADD, 1);
+			pmeinfo->tfe_release = 1;
-		pmeinfo->tfe_release = 1;
+			return APP_STATE_FAWPKT | APP_STATE_DROPME;
-		return APP_STATE_FAWPKT | APP_STATE_DROPME;
+		case KNI_PROTOCOL_SSL:
+			strncpy(pmeinfo->sni, protocol_identify_res.domain, strnlen(protocol_identify_res.domain, sizeof(pmeinfo->sni)));
+			FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_SSL_STM], 0, FS_OP_ADD, 1);	
+			break;
+		case KNI_PROTOCOL_HTTP:
+			strncpy(pmeinfo->host, protocol_identify_res.domain, strnlen(protocol_identify_res.domain, sizeof(pmeinfo->host)));
+			FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_HTTP_STM], 0, FS_OP_ADD, 1);
+			break;
+		default:
+			break;
 	}
-	//protocol = KNI_PROTOCOL_SSL/KNI_PROTOCOL_HTTP, 判断action, action返回值: KNI_ACTION_INTERCEPT/KNI_ACTION_BYPASS
+	pmeinfo->action = intercept_policy_scan(g_kni_handle->maat_handle, (struct ipaddr*)(&stream->addr), 
-	if(pmeinfo->protocol == KNI_PROTOCOL_SSL){
+				protocol_identify_res.domain, protocol_identify_res.domain_len, 
-		memcpy(pmeinfo->sni, result->domain, result->domain_len);
-		FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_SSL_STM], 0, FS_OP_ADD, 1);	
-	}
-	else if(pmeinfo->protocol == KNI_PROTOCOL_HTTP){
-		memcpy(pmeinfo->host, result->domain, result->domain_len);
-		FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_HTTP_STM], 0, FS_OP_ADD, 1);
-	}
-	pmeinfo->action = intercept_policy_scan(g_kni_handle->maat_handle, (struct ipaddr*)(&stream->addr), result->domain, result->domain_len, 
 				thread_seq, &(pmeinfo->policy_id), &(pmeinfo->maat_hit));
-	//输出maat拦截日志
+	//policy scan log
-	char domain_str[KNI_DOMAIN_MAX] = "";
-	memcpy(domain_str, result->domain, result->domain_len);
 	char action_str[KNI_SYMBOL_MAX];
 	kni_maat_action_trans(pmeinfo->action, action_str);
 	KNI_LOG_DEBUG(logger, "intercept_policy_scan: %s, %s, policy_id = %d, action = %d(%s), maat_hit = %d", 
-			stream_addr, domain_str, pmeinfo->policy_id, pmeinfo->action, action_str, pmeinfo->maat_hit);
+			stream_addr, protocol_identify_res.domain, pmeinfo->policy_id, pmeinfo->action, action_str, pmeinfo->maat_hit);
-	FREE(&result);
+	//receive client hello, but no syn/ack, bypass and dropme
-	//TODO: 这块比较奇怪, 收到client hello, 但是没有syn/ack包, 直接bypass了
 	if(pmeinfo->client_tcpopt == NULL || pmeinfo->server_tcpopt == NULL){
 		KNI_LOG_ERROR(logger, "Failed at intercept, %s, %s", pmeinfo->client_tcpopt == NULL ? "no syn" : "", 
 								pmeinfo->server_tcpopt == NULL ? "no syn/ack" : "");
@@ -609,22 +564,23 @@ static char data_opstate(const struct streaminfo *stream, struct pme_info *pmein
 			FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_BYP_STM], 0, FS_OP_ADD, 1);
 			return APP_STATE_FAWPKT | APP_STATE_GIVEME;
 		case KNI_ACTION_INTERCEPT: 
-			//action = KNI_ACTION_INTERCEPT, 带上控制信息发送给qq, 要修改ip, tcp的校验和
+			//action = KNI_ACTION_INTERCEPT, sendto tfe
 			buf = add_cmsg_to_packet(pmeinfo, pktinfo, &len);
 			ret = send_to_tfe(g_kni_handle->marsio_handle, buf, len, thread_seq, pmeinfo->tfe_id);
 			if(ret < 0){
-				KNI_LOG_ERROR(logger, "Failed at send first packet to tfe%d, stream_trace_id is %s", pmeinfo->tfe_id, pmeinfo->stream_trace_id);
+				KNI_LOG_ERROR(logger, "Failed at send first packet to tfe%d, stream addr is %s", pmeinfo->tfe_id, stream_addr);
 			}
 			else{
-				KNI_LOG_DEBUG(logger, "Succeed at send first packet to tfe%d, stream_trace_id is %s", pmeinfo->tfe_id, pmeinfo->stream_trace_id);
+				//KNI_LOG_DEBUG(logger, "Succeed at send first packet to tfe%d, stream addr is %s", pmeinfo->tfe_id, stream_addr);
 			}
 			FREE(&buf);
 			FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_INTCP_PKT], 0, FS_OP_ADD, 1);
 			FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_INTCP_STM], 0, FS_OP_ADD, 1);
 			return APP_STATE_DROPPKT | APP_STATE_GIVEME;
 		default:
-			//action非法，bypass and dropme
+			//action != intercept && action != bypass，bypass and dropme
-			KNI_LOG_ERROR(logger, "Action %d is Invalid, policy_id is %d, bypass(dropme)", pmeinfo->action, pmeinfo->policy_id);
+			KNI_LOG_ERROR(logger, "Action %d(%s) is invalid, bypass(dropme): policy_id is %d, stream addr is %s, domain is ",
+				 pmeinfo->action, action_str, pmeinfo->policy_id, stream_addr, protocol_identify_res.domain);
 			FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_BYP_PKT], 0, FS_OP_ADD, 1);
 			FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_BYP_STM], 0, FS_OP_ADD, 1);
 			pmeinfo->tfe_release = 1;
@@ -633,7 +589,7 @@ static char data_opstate(const struct streaminfo *stream, struct pme_info *pmein
 }
 
 static char close_opstate(const struct streaminfo *stream, struct pme_info *pmeinfo, struct pkt_info *pktinfo, int thread_seq){
-	//close 数据也要发送给tfe
+	//close: sendto tfe
 	void *logger = g_kni_handle->local_logger;
 	char *buf = (char*)pktinfo->iphdr;
 	char stream_addr[KNI_SYMBOL_MAX] = "";
@@ -642,14 +598,13 @@ static char close_opstate(const struct streaminfo *stream, struct pme_info *pmei
 	int ret;
 	switch(pmeinfo->action){
 		case KNI_ACTION_INTERCEPT:
-			ret =send_to_tfe(g_kni_handle->marsio_handle, buf, len, thread_seq, pmeinfo->tfe_id);
+			ret = send_to_tfe(g_kni_handle->marsio_handle, buf, len, thread_seq, pmeinfo->tfe_id);
 			if(ret < 0){
 				KNI_LOG_ERROR(logger, "Failed at send last packet to tfe%d, stream addr is %s", 
 						pmeinfo->tfe_id, stream_addr);
 			}
 			else{
-				KNI_LOG_DEBUG(logger, "Succeed at send last packet to tfe%d, stream addr is %s", 
+				//KNI_LOG_DEBUG(logger, "Succeed at send last packet to tfe%d, stream addr is %s", pmeinfo->tfe_id, stream_addr);
-						pmeinfo->tfe_id, stream_addr);
 			}
 			FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_INTCP_PKT], 0, FS_OP_ADD, 1);
 			return APP_STATE_DROPPKT | APP_STATE_DROPME;
@@ -659,19 +614,17 @@ static char close_opstate(const struct streaminfo *stream, struct pme_info *pmei
 	}
 }
 
-//从syn包开始回调	
+//from syn
 extern "C" char kni_tcpall_entry(const struct streaminfo *stream, void** pme, int thread_seq, const void* a_packet){
 	void *logger = g_kni_handle->local_logger;
-	//KNI_LOG_DEBUG(logger, "call kni_tcpall_entry");
 	FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_TOT_PKT], 0, FS_OP_ADD, 1);
-    //当前包bypass, 剩下包bypass
+	//TODO: ipv6
-	//TODO: ipv6暂时不处理, ipv6: 通过nexthdr链式寻找tcp头(IPPROTO_TCP)
 	if(stream->addr.addrtype == ADDR_TYPE_IPV6){
 		FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_IPV6_PKT], 0, FS_OP_ADD, 1);
 		FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_BYP_PKT], 0, FS_OP_ADD, 1);
 		return APP_STATE_FAWPKT | APP_STATE_DROPME;
 	}
-	//a_packet == NULL, 不处理这个包
+	//a_packet == NULL, continue
 	if(a_packet == NULL){
 		FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_NULL_PKT], 0, FS_OP_ADD, 1);
 		FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_BYP_PKT], 0, FS_OP_ADD, 1);
@@ -743,7 +696,7 @@ static int http_project_init(){
 
 extern "C" char kni_http_entry(stSessionInfo* session_info,  void **pme, int thread_seq, struct streaminfo *a_stream, const void *a_packet){
 	http_infor* http_info = (http_infor*)(session_info->app_info);
-	//http_session_seq = 1表示只处理tcp链接中的第一个http会话
+	//only process first http session
 	if(http_info->http_session_seq != 1){
 		return PROT_STATE_DROPME;
 	}
@@ -762,7 +715,6 @@ extern "C" char kni_http_entry(stSessionInfo* session_info,  void **pme, int thr
 }
 
 static void kni_marsio_destroy(struct kni_marsio_handle *handle){
-	//TODO: dev_handler, dev_sendpath不需要free吗
 	if(handle != NULL){
 		if(handle->instance != NULL){
 			marsio_destory(handle->instance);
@@ -777,28 +729,26 @@ static void kni_marsio_destroy(struct kni_marsio_handle *handle){
 
 void* thread_tfe_data_receiver(void *args){
 	struct thread_tfe_data_receiver_args *_args = (struct thread_tfe_data_receiver_args*)args;
-	//void *logger = _args->logger;
 	struct kni_marsio_handle *marsio_handle = _args->marsio_handle;
 	int tfe_id = _args->tfe_id;
 	struct mr_vdev *dev_eth_handler = marsio_handle->tfe_instance_list[tfe_id]->dev_eth_handler;
 	FREE(&args);
 	marsio_buff_t * rx_buff[BURST_MAX];
 	int nr_burst = 1;
-	//实际上是网卡队列id
 	int thread_seq = 0;
 	while(true){
-		//从tfe上收
+		//receive from tfe
 		int ret = marsio_recv_burst(dev_eth_handler, thread_seq, rx_buff, nr_burst);	
 		if(ret <= 0){
 			continue;
 		}
-		//打上标签
+		//tag
 		struct mr_tunnat_ctrlzone mr_ctrlzone;
 		mr_ctrlzone.action |= TUNNAT_CZ_ACTION_ENCAP_INNER | TUNNAT_CZ_ACTION_ENCAP_OUTER;
 		for(int i = 0; i < ret; i++){
 			marsio_buff_ctrlzone_set(rx_buff[i], 0, &mr_ctrlzone, sizeof(struct mr_tunnat_ctrlzone));
 		}
-		//发送给vxlan
+		//send to vxlan
 		marsio_send_burst_with_options(marsio_handle->dev_vxlan_sendpath, thread_seq, rx_buff, 1, MARSIO_SEND_OPT_FAST);
 	}
     return NULL;
@@ -1009,10 +959,8 @@ static struct kni_marsio_handle* kni_marsio_init(const char* profile){
 		goto error_out;
 	}
     marsio_option_set(mr_inst, MARSIO_OPT_EXIT_WHEN_ERR, &opt_value, sizeof(opt_value));
-	//uint64_t cpu_mask = 0x3c;  //??
-    //marsio_option_set(handle->instance, MARSIO_OPT_THREAD_MASK, &cpu_mask, sizeof(cpu_mask));
     marsio_init(mr_inst, appsym);
-	//eth_handler有一个线程收, g_iThreadNum个线程发
+	//eth_handler receive thread = 1, send thread =  g_iThreadNum
 	tfe_count = g_kni_handle->tfe_count;
 	for(int i = 0; i < tfe_count; i++){
 		//load tfe conf
@@ -1026,7 +974,7 @@ static struct kni_marsio_handle* kni_marsio_init(const char* profile){
 			goto error_out;
 		}
 		tfe_inst = ALLOC(struct tfe_instance, 1);
-		//转化mac地址, ff:ee:dd:cc:bb:aa --->  0xff 0xee 0xdd 0xcc 0xbb 0xaa
+		//ff:ee:dd:cc:bb:aa --->  0xff 0xee 0xdd 0xcc 0xbb 0xaa
 		ret = sscanf(mac_addr_str, "%02hhx:%02hhx:%02hhx:%02hhx:%02hhx:%02hhx",
     		&tfe_inst->mac_addr[0], &tfe_inst->mac_addr[1],
     		&tfe_inst->mac_addr[2], &tfe_inst->mac_addr[3],
@@ -1059,7 +1007,7 @@ static struct kni_marsio_handle* kni_marsio_init(const char* profile){
 		tfe_inst->dev_eth_sendpath = dev_eth_sendpath;
 		handle->tfe_instance_list[i] = tfe_inst;
 	}
-	//vxlan_handler有0个线程收, 1个线程发
+	//vxlan_handler: receive: 0 thread, send: 1
 	dev_vxlan_handler = marsio_open_device(mr_inst, dev_vxlan_symbol, 0, 1);
 	if(dev_vxlan_handler == NULL){
 		KNI_LOG_ERROR(logger, "Failed at marsio_open_device, dev_symbol is %s", dev_vxlan_symbol);
@@ -1073,7 +1021,6 @@ static struct kni_marsio_handle* kni_marsio_init(const char* profile){
 		goto error_out;
 	}	
 	handle->dev_vxlan_sendpath = dev_vxlan_sendpath;
-	//暂时不用调
 	//marsio_thread_init(mr_instance); 
 	return handle;
 
@@ -1244,7 +1191,7 @@ extern "C" int kni_init(){
 		goto error_out;
 	}
 
-	//创建线程从tfe收包然后打上标签发送给vxlan_user
+	//create thread_tfe_data_receiver
 	for(int i = 0; i < tfe_count; i++){
 		struct thread_tfe_data_receiver_args *args = ALLOC(struct thread_tfe_data_receiver_args, 1);
 		args->logger = local_logger;
@@ -1258,10 +1205,10 @@ extern "C" int kni_init(){
 		}
 	}
 
-	//创建线程从tfe收取cmsg控制信息
+	//create thread_tfe_cmsg_receiver
 	cmsg_receiver_args = ALLOC(struct thread_tfe_cmsg_receiver_args, 1);
 	cmsg_receiver_args->logger = local_logger;
-	memcpy(cmsg_receiver_args->profile, profile, strlen(profile));
+	strncpy(cmsg_receiver_args->profile, profile, strnlen(profile, sizeof(cmsg_receiver_args->profile)));
 	ret = pthread_create(&thread_id, NULL, thread_tfe_cmsg_receiver, (void *)cmsg_receiver_args);
 	if(unlikely(ret != 0)){
 		KNI_LOG_ERROR(local_logger, "Failed at pthread_create, thread_func is thread_tfe_cmsg_receiver, ret is %d", ret);

entry/src/kni_maat.cpp

@@ -4,9 +4,9 @@
 extern int g_iThreadNum;
 
 
-/* 关于没有命中配置情况下的默认配置
+/* default action: 
-	1. g_maat_default_action: 读配置文件, policy_id = 0
+	1. read kni.conf
-	2. 如果maat的编译配置表中有policy_id = 0的配置，则将 g_maat_default_action设为对应的action, policy_id = 0
+	2. compile_id = 0
 */
 
 enum kni_action g_maat_default_action;
@@ -30,7 +30,7 @@ void kni_maat_destroy(struct kni_maat_handle *handle){
 
 void compile_ex_param_new(int idx, const struct Maat_rule_t* rule, const char* srv_def_large, MAAT_RULE_EX_DATA* ad, long argl, void *argp){
 	void *logger = argp;
-	KNI_LOG_DEBUG(logger, "call compile_ex_param_new");
+	KNI_LOG_INFO(logger, "call compile_ex_param_new");
 	if(rule->config_id == 0){
 		g_maat_default_action = (enum kni_action)rule->action;
 	}
@@ -39,13 +39,13 @@ void compile_ex_param_new(int idx, const struct Maat_rule_t* rule, const char* s
 
 void compile_ex_param_free(int idx, const struct Maat_rule_t* rule, const char* srv_def_large, MAAT_RULE_EX_DATA* ad, long argl, void *argp){
 	void *logger = argp;
-	KNI_LOG_DEBUG(logger, "call compile_ex_param_free");
+	KNI_LOG_INFO(logger, "call compile_ex_param_free");
 	return;
 }
 
 void compile_ex_param_dup(int idx,	MAAT_RULE_EX_DATA *to, MAAT_RULE_EX_DATA *from, long argl, void *argp){
 	void *logger = argp;
-	KNI_LOG_DEBUG(logger, "call compile_ex_param_dup");
+	KNI_LOG_INFO(logger, "call compile_ex_param_dup");
 	return;
 }
 
@@ -203,8 +203,8 @@ enum kni_action intercept_policy_scan(struct kni_maat_handle* handle, struct ipa
 	struct Maat_rule_t result[KNI_MAAT_RULE_NUM_MAX];	
 	scan_status_t scan_mid = NULL;
 	int scan_ret=0, hit_policy_cnt=0, enforced_policy_idx=0;
-	
+	//tcp: 6, udp: 17, can't be 0
-	scan_ret = Maat_scan_proto_addr(maat_feather, table_intercept_ip, addr, 0,
+	scan_ret = Maat_scan_proto_addr(maat_feather, table_intercept_ip, addr, 6,
 								result+hit_policy_cnt, KNI_MAAT_RULE_NUM_MAX-hit_policy_cnt,
 								&scan_mid, thread_seq);
 	if(scan_ret>0)

entry/src/kni_send_logger.cpp

@@ -103,7 +103,7 @@ struct kni_send_logger* kni_send_logger_init(const char *profile, void *local_lo
 					section, sendlog_switch, kafka_topic, kafka_brokerlist);
     handle = ALLOC(struct kni_send_logger, 1);
     handle->local_logger = local_logger;
-    //sendlog_switch = 0, 不发送日志给kafka
+    //sendlog_switch = 0, do not sendto kafka
     if(sendlog_switch == 0){
         handle->sendlog_switch = 0;
         return handle;