From 92436d0c1b34c08fa59f55c0019665bc7025922a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=B4=94=E4=B8=80=E9=B8=A3?=
Date: Tue, 24 Sep 2019 16:49:31 +0800
Subject: [PATCH] =?UTF-8?q?=E5=A2=9E=E5=8A=A0subscribe=20ip=E6=89=AB?=
 =?UTF-8?q?=E6=8F=8F,=20=E9=87=8D=E6=9E=84maat=E9=83=A8=E5=88=86=E4=BB=A3?=
 =?UTF-8?q?=E7=A0=81?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 cmake/Package.cmake | 2 +-
 common/include/kni_utils.h | 2 +-
 common/src/kni_utils.cpp | 11 +
 conf/maat/dynamic_maat_tableinfo.conf | 1 +
 ...leinfo.conf => static_maat_tableinfo.conf} | 1 +
 conf/sapp/kni/kni.conf | 16 +-
 entry/src/kni_maat.cpp | 305 ++++++++++++------
 7 files changed, 231 insertions(+), 107 deletions(-)
 create mode 100644 conf/maat/dynamic_maat_tableinfo.conf
 rename conf/maat/{maat_tableinfo.conf => static_maat_tableinfo.conf} (85%)

diff --git a/cmake/Package.cmake b/cmake/Package.cmake
index 53731b7..2e74af6 100644
--- a/cmake/Package.cmake
+++ b/cmake/Package.cmake
@@ -32,7 +32,7 @@ install(FILES conf/sapp/gdev/gdev.conf DESTINATION ./etc)
 install(FILES conf/sapp/http/http.conf DESTINATION ./conf/http)
 install(FILES conf/sapp/http/http.inf DESTINATION ./plug/protocol/http)
 install(FILES conf/sapp/kni/kni.inf DESTINATION ./plug/business/kni)
-install(FILES conf/sapp/kni/kni.conf conf/maat/maat_tableinfo.conf
+install(FILES conf/sapp/kni/kni.conf conf/maat/static_maat_tableinfo.conf conf/maat/dynamic_maat_tableinfo.conf
 conf/maat/maat_test.json DESTINATION ./etc/kni)
 # Must uninstall the debug package before install release package
diff --git a/common/include/kni_utils.h b/common/include/kni_utils.h
index cadbdad..13e0424 100644
--- a/common/include/kni_utils.h
+++ b/common/include/kni_utils.h
@@ -184,6 +184,6 @@ int kni_ipv4_header_parse(const void *a_packet, struct pkt_info *pktinfo);
 int kni_ipv6_header_parse(const void *a_packet, struct pkt_info *pktinfo);
 char* kni_ipv4_errmsg_get(enum kni_ipv4hdr_parse_error _errno);
 char* kni_ipv6_errmsg_get(enum kni_ipv6hdr_parse_error _errno);
-
+char* kni_strdup(const char* s);
 MESA_htable_handle kni_create_htable(const char *profile, const char *section, void *free_data_cb, void *expire_notify_cb, void *logger);
\ No newline at end of file
diff --git a/common/src/kni_utils.cpp b/common/src/kni_utils.cpp
index b7ba83e..3150ac1 100644
--- a/common/src/kni_utils.cpp
+++ b/common/src/kni_utils.cpp
@@ -22,6 +22,17 @@ int kni_addr_trans_v6(struct stream_tuple4_v6 *tuple4, char *output, int len){
 return 0;
 }
+char* kni_strdup(const char* s){
+ char*d=NULL;
+ if(s==NULL){
+ return NULL;
+ }
+
+ d=(char*)malloc(strlen(s)+1);
+ memcpy(d,s,strlen(s)+1);
+ return d;
+}
+
 uint16_t kni_ip_checksum(const void *buf, size_t hdr_len){
 unsigned long sum = 0;
 const uint16_t *ip1;
diff --git a/conf/maat/dynamic_maat_tableinfo.conf b/conf/maat/dynamic_maat_tableinfo.conf
new file mode 100644
index 0000000..9f9b93d
--- /dev/null
+++ b/conf/maat/dynamic_maat_tableinfo.conf
@@ -0,0 +1 @@
+1 TSG_DYN_SUBSCRIBE_IP plugin {"key":1,"valid":5}
\ No newline at end of file
diff --git a/conf/maat/maat_tableinfo.conf b/conf/maat/static_maat_tableinfo.conf
similarity index 85%
rename from conf/maat/maat_tableinfo.conf
rename to conf/maat/static_maat_tableinfo.conf
index 0fa5b6a..01b6d6f 100644
--- a/conf/maat/maat_tableinfo.conf
+++ b/conf/maat/static_maat_tableinfo.conf
@@ -7,3 +7,4 @@
 4 TSG_OBJ_FQDN expr utf8 utf8 yes 0
 4 TSG_OBJ_FQDN_CAT expr utf8 utf8 yes 0
 5 COMPILE_ALIAS compile escape --
+6 TSG_OBJ_SUBSCRIBE_ID expr UTF8 UTF8 yes 0 quickon
diff --git a/conf/sapp/kni/kni.conf b/conf/sapp/kni/kni.conf
index 9565b7a..71e0ce6 100644
--- a/conf/sapp/kni/kni.conf
+++ b/conf/sapp/kni/kni.conf
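Review bot: `kni_strdup` dereferences the `malloc` result without checking it, so an allocation failure becomes a write through NULL inside `memcpy` instead of the NULL return that the callers added in this commit (`subscribe_id_dup_cb`, `get_column_pos`) could handle. Computing `strlen(s)` once also avoids the second pass over the input. The declaration added to kni_utils.h should carry the ownership contract, e.g. `/* Returns a malloc'd copy of s that the caller frees; NULL when s is NULL or allocation fails. */`.
```cpp
char* kni_strdup(const char* s){
    if(s==NULL){
        return NULL;
    }
    size_t n = strlen(s) + 1;
    char* d = (char*)malloc(n);
    if(d == NULL){
        return NULL;
    }
    memcpy(d, s, n);
    return d;
}
```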
@@ -36,18 +36,22 @@ keepalive_idle = 2
 keepalive_intvl = 1
 keepalive_cnt = 3
-[maat]
+[static_maat]
 #readconf_mode: 0 = iris, 1 = json, 2 = redis
 readconf_mode = 2
-tableinfo_path = ./etc/kni/maat_tableinfo.conf
+tableinfo_path = ./etc/kni/static_maat_tableinfo.conf
 maatjson_path = ./etc/kni/maat_test.json
 redis_ip = 192.168.10.31
 redis_port = 6379
 redis_index = 0
-tablename_intercept_ip = PXY_INTERCEPT_IP
-tablename_intercept_domain = PXY_INTERCEPT_DOMAIN
-#default_action: 0x80 = bypass, 0x02 = intercept
-default_action = 128
+
+[dynamic_maat]
+#readconf_mode: 0 = iris, 1 = json, 2 = redis
+readconf_mode = 2
+tableinfo_path = ./etc/kni/dynamic_maat_tableinfo.conf
+redis_ip = 192.168.10.31
+redis_port = 6379
+redis_index = 0
 [send_logger]
 switch = 0
diff --git a/entry/src/kni_maat.cpp b/entry/src/kni_maat.cpp
index 58592aa..cb9c5a2 100644
--- a/entry/src/kni_maat.cpp
+++ b/entry/src/kni_maat.cpp
@@ -2,24 +2,31 @@
 #include "kni_maat.h"
-/* default action:
- 1. read kni.conf
- 2. compile_id = 0
-*/
+enum scan_table
+{
+ PXY_INTERCEPT_IP,
+ PXY_INTERCEPT_DOMAIN,
+ TSG_OBJ_SUBSCRIBE_ID,
+ SCAN_TABLE_MAX
+};
-enum kni_action g_maat_default_action;
+enum kni_action g_maat_default_action = KNI_ACTION_BYPASS;
 int g_maat_default_log_option=1;
 struct kni_maat_handle{
- Maat_feather_t feather;
- int tableid_intercept_ip;
- int tableid_intercept_domain;
+ Maat_feather_t static_maat;
+ Maat_feather_t dynamic_maat;
+ int scan_tableid[SCAN_TABLE_MAX];
+ int subscriber_id_tableid;
 void *logger;
 };
 void kni_maat_destroy(struct kni_maat_handle *handle){
 if(handle != NULL){
- if(handle->feather != NULL){
- Maat_burn_feather(handle->feather);
+ if(handle->static_maat != NULL){
+ Maat_burn_feather(handle->static_maat);
+ }
+ if(handle->dynamic_maat != NULL){
+ Maat_burn_feather(handle->dynamic_maat);
 }
 }
 FREE(&handle);
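Review bot: `default_action` is removed from `[static_maat]` with no replacement key, and the kni_maat.cpp hunk at `@@ -2,24 +2,31 @@` in this commit replaces the configured value with the compile-time initialiser `enum kni_action g_maat_default_action = KNI_ACTION_BYPASS;`, so operators can no longer change the no-match action by editing this file. If that is intended, say so where the key used to be, e.g. `# default_action is no longer read; traffic matching no policy is bypassed (see g_maat_default_action in kni_maat.cpp)`; otherwise the removed `MESA_load_profile_int_nodef(... "default_action" ...)` read needs restoring. The Redis endpoint (`redis_ip`, `redis_port`, `redis_index`) is now written out identically in `[static_maat]` and `[dynamic_maat]`; a one-line comment stating that both instances are expected to point at the same Redis would make the duplication deliberate rather than a copy to keep in sync by hand.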
@@ -60,62 +67,39 @@ void compile_ex_param_dup(int idx, MAAT_RULE_EX_DATA *to, MAAT_RULE_EX_DATA *fro
 return;
 }
-struct kni_maat_handle* kni_maat_init(const char* profile, void *logger, int thread_count){
- const char *section = "maat";
+
+static Maat_feather_t create_maat_feather(const char *instance_name, const char* profile, const char *section, void *logger, int thread_count){
 int readconf_mode;
 char tableinfo_path[KNI_PATH_MAX];
- char tablename_intercept_ip[KNI_SYMBOL_MAX];
- char tablename_intercept_domain[KNI_SYMBOL_MAX];
 char maatjson_path[KNI_PATH_MAX];
 char redis_ip[INET_ADDRSTRLEN];
 int redis_port;
 int redis_index;
 Maat_feather_t feather = NULL;
- int effective_interval_ms=1000;//1s
- int tableid_intercept_ip = -1;
- int tableid_intercept_domain = -1;
- struct kni_maat_handle *handle = NULL;
+ int effective_interval_ms = 1000;//1s
 int ret = MESA_load_profile_int_nodef(profile, section, "readconf_mode", &readconf_mode);
 if(ret < 0){
- KNI_LOG_ERROR(logger, "MESA_prof_load: readconf_mode not set, profile is %s, section is %s", profile, section);
+ KNI_LOG_ERROR(logger, "MESA_prof_load: readconf_mode not set, profile = %s, section = %s", profile, section);
 goto error_out;
 }
 ret = MESA_load_profile_string_nodef(profile, section, "tableinfo_path", tableinfo_path, sizeof(tableinfo_path));
 if(ret < 0){
- KNI_LOG_ERROR(logger, "MESA_prof_load: tableinfo_path not set, profile is %s, section is %s", profile, section);
+ KNI_LOG_ERROR(logger, "MESA_prof_load: tableinfo_path not set, profile = %s, section = %s", profile, section);
 goto error_out;
 }
- ret = MESA_load_profile_string_nodef(profile, section, "tablename_intercept_ip", tablename_intercept_ip, sizeof(tablename_intercept_ip));
- if(ret < 0){
- KNI_LOG_ERROR(logger, "MESA_prof_load: tablename_intercept_ip not set, profile is %s, section is %s", profile, section);
- goto error_out;
- }
- ret = MESA_load_profile_string_nodef(profile, section, "tablename_intercept_domain", tablename_intercept_domain, sizeof(tablename_intercept_domain));
- if(ret < 0){
- KNI_LOG_ERROR(logger, "MESA_prof_load: tablename_intercept_domain not set, profile is %s, section is %s", profile, section);
- goto error_out;
- }
- ret = MESA_load_profile_int_nodef(profile, section, "default_action", (int*)&g_maat_default_action);
- if(ret < 0){
- KNI_LOG_ERROR(logger, "MESA_prof_load: default_action not set, profile is %s, section is %s", profile, section);
- goto error_out;
- }
- KNI_LOG_ERROR(logger, "MESA_prof_load, [%s]:\n readconf_mode: %d\n tableinfo_path: %s\n tablename_intercept_ip: %s\n tablename_intercept_domain: %s\n" "default_action: %d", section, readconf_mode, tableinfo_path, tablename_intercept_ip, tablename_intercept_domain, g_maat_default_action);
+ KNI_LOG_ERROR(logger, "MESA_prof_load, [%s]:\n readconf_mode: %d\n tableinfo_path: %s" , section, readconf_mode, tableinfo_path);
 feather = Maat_feather(thread_count, tableinfo_path, logger);
- handle = ALLOC(struct kni_maat_handle, 1);
- handle->feather = feather;
 if(feather == NULL){
- KNI_LOG_ERROR(logger, "Failed at Maat_feather, max_thread_num is %d, tableinfo_path is %s", thread_count, tableinfo_path);
- return NULL;
+ KNI_LOG_ERROR(logger, "Failed at Maat_feather, max_thread_num = %d, tableinfo_path = %s", thread_count, tableinfo_path);
+ goto error_out;
 }
+ Maat_set_feather_opt(feather, MAAT_OPT_INSTANCE_NAME, instance_name, strlen(instance_name) + 1);
 Maat_set_feather_opt(feather, MAAT_OPT_EFFECT_INVERVAL_MS, &effective_interval_ms, sizeof(effective_interval_ms));
 switch(readconf_mode){
 case KNI_MAAT_READCONF_JSON:
 ret = MESA_load_profile_string_nodef(profile, section, "maatjson_path", maatjson_path, sizeof(maatjson_path));
 if(ret < 0){
- KNI_LOG_ERROR(logger, "MESA_prof_load: maatjson_path not set, profile is %s, section is %s", profile, section);
+ KNI_LOG_ERROR(logger, "MESA_prof_load: maatjson_path not set, profile = %s, section = %s", profile, section);
 goto error_out;
 }
 KNI_LOG_ERROR(logger, "MESA_prof_load, [%s]:\n maatjson_path: %s", section, maatjson_path);
@@ -126,17 +110,17 @@ struct kni_maat_handle* kni_maat_init(const char* profile, void *logger, int thr
 case KNI_MAAT_READCONF_REDIS:
 ret = MESA_load_profile_string_nodef(profile, section, "redis_ip", redis_ip, sizeof(redis_ip));
 if(ret < 0){
- KNI_LOG_ERROR(logger, "MESA_prof_load: redis_ip not set, profile is %s, section is %s", profile, section);
+ KNI_LOG_ERROR(logger, "MESA_prof_load: redis_ip not set, profile = %s, section = %s", profile, section);
 goto error_out;
 }
 ret = MESA_load_profile_int_nodef(profile, section, "redis_port", &redis_port);
 if(ret < 0){
- KNI_LOG_ERROR(logger, "MESA_prof_load: redis_port not set, profile is %s, section is %s", profile, section);
+ KNI_LOG_ERROR(logger, "MESA_prof_load: redis_port not set, profile = %s, section = %s", profile, section);
 goto error_out;
 }
 ret = MESA_load_profile_int_nodef(profile, section, "redis_index", &redis_index);
 if(ret < 0){
- KNI_LOG_ERROR(logger, "MESA_prof_load: redis_index not set, profile is %s, section is %s", profile, section);
+ KNI_LOG_ERROR(logger, "MESA_prof_load: redis_index not set, profile = %s, section = %s", profile, section);
 goto error_out;
 }
 KNI_LOG_ERROR(logger, "MESA_prof_load, [%s]:\n redis_ip: %s\n redis_port: %d\n redis_index: %d",
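Review bot: The configuration echo lines in `create_maat_feather` — `KNI_LOG_ERROR(logger, "MESA_prof_load, [%s]:\n readconf_mode: %d\n tableinfo_path: %s" , section, readconf_mode, tableinfo_path);` and the `maatjson_path` / `redis_*` echoes below it — report successful loads at error severity, which makes the genuine failures in this function harder to pick out of the log; `KNI_LOG_INFO`, which this commit already uses in the subscriber-ID callbacks, is the matching level. The new function also has no header comment; suggest `// Builds one Maat feather from [section] of profile, tagged with instance_name; returns NULL after burning any partially built feather on error.` above the `static Maat_feather_t create_maat_feather(` line. Its body continues past this hunk (the Redis branch of the `switch` and the `error_out:` cleanup sit in the following hunks), so the return convention in that comment is taken from the `goto error_out` paths visible here and the cleanup shown at `@@ -153,27 +137,116 @@`.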
@@ -153,27 +137,116 @@ struct kni_maat_handle* kni_maat_init(const char* profile, void *logger, int thr
 KNI_LOG_ERROR(logger, "Failed at Maat_initiate_feather");
 goto error_out;
 }
- tableid_intercept_ip = Maat_table_register(feather, tablename_intercept_ip);
- tableid_intercept_domain = Maat_table_register(feather, tablename_intercept_domain);
- if(tableid_intercept_ip < 0){
- KNI_LOG_ERROR(logger, "Failed at Maat_table_register, tablename is %d, ret is %d",
- tablename_intercept_ip, tableid_intercept_ip);
- goto error_out;
+ return feather;
+
+error_out:
+ if(feather != NULL){
+ Maat_burn_feather(feather);
 }
- if(tableid_intercept_domain < 0){
- KNI_LOG_ERROR(logger, "Failed at Maat_table_register, tablename is %d, ret is %d",
- tablename_intercept_domain, tableid_intercept_domain);
- goto error_out;
+ return NULL;
+}
+
+//copy from tfe
+static int get_column_pos(const char* line, int column_seq, size_t *offset, size_t *len){
+ const char* seps=" \t";
+ char* saveptr=NULL, *subtoken=NULL, *str=NULL;
+ char* dup_line=kni_strdup(line);
+ int i=0, ret=-1;
+ for (str = dup_line; ; str = NULL){
+ subtoken = strtok_r(str, seps, &saveptr);
+ if (subtoken == NULL)
+ break;
+ if(i==column_seq-1){
+ *offset=subtoken-dup_line;
+ *len=strlen(subtoken);
+ ret=0;
+ break;
+ }
+ i++;
 }
- ret = Maat_rule_get_ex_new_index(feather, "PXY_INTERCEPT_COMPILE", compile_ex_param_new, compile_ex_param_free, compile_ex_param_dup, 0, logger);
- if(ret < 0){
- KNI_LOG_ERROR(logger, "Failed at Maat_rule_get_ex_new_index, ret is %d", ret);
- kni_maat_destroy(handle);
- goto error_out;
+ free(dup_line);
+ return ret;
+}
+
+void subscribe_id_dup_cb(int table_id, MAAT_PLUGIN_EX_DATA* to, MAAT_PLUGIN_EX_DATA* from, long argl, void* argp){
+ *to = kni_strdup((char*)*from);
+ return;
+}
+
+void subscribe_id_new_cb(int table_id, const char* key, const char* table_line, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp){
+ int ret = 0;
+ size_t subscribe_id_offset, len;
+ void *logger = argp;
+ ret = get_column_pos(table_line, 7, &subscribe_id_offset, &len);
+ if(ret<0){
+ KNI_LOG_ERROR(logger, "Add subscribe ID faild: %s", table_line);
+ return;
 }
- handle->tableid_intercept_ip = tableid_intercept_ip;
- handle->tableid_intercept_domain = tableid_intercept_domain;
+ *ad = ALLOC(char, len+1);
+ memcpy(*ad, table_line+subscribe_id_offset, len);
+ KNI_LOG_INFO(logger, "Add subscribe ID: %s", (char*)*ad);
+ return;
+}
+
+void subscribe_id_free_cb(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp){
+ void *logger = argp;
+ KNI_LOG_INFO(logger, "Delete subscribe ID: %s", (char*)*ad);
+ free(*ad);
+ *ad = NULL;
+}
+
+struct kni_maat_handle* kni_maat_init(const char* profile, void *logger, int thread_count){
+ struct kni_maat_handle *handle = ALLOC(struct kni_maat_handle, 1);
 handle->logger = logger;
+ //static maat
+ const char *table_name[SCAN_TABLE_MAX];
+ char tablename_intercept_compile[] = "PXY_INTERCEPT_COMPILE";
+ char tablename_subscriber_id[] = "TSG_DYN_SUBSCRIBE_IP";
+ int ret, i;
+ handle->static_maat = create_maat_feather("static", profile, "static_maat", logger, thread_count);
+ if(handle->static_maat == NULL){
+ goto error_out;
+ }
+ table_name[PXY_INTERCEPT_IP] = "PXY_INTERCEPT_IP";
+ table_name[PXY_INTERCEPT_DOMAIN] = "PXY_INTERCEPT_DOMAIN";
+ table_name[TSG_OBJ_SUBSCRIBE_ID] = "TSG_OBJ_SUBSCRIBE_ID";
+ for(i = 0; i < SCAN_TABLE_MAX; i++){
+ handle->scan_tableid[i] = Maat_table_register(handle->static_maat, table_name[i]);
+ if(handle->scan_tableid[i] < 0){
+ KNI_LOG_ERROR(logger, "Failed at Maat_table_register, tablename = %s, ret = %d",
+ table_name[i], handle->scan_tableid[i]);
+ goto error_out;
+ }
+ }
+ //get_ex
+ ret = Maat_rule_get_ex_new_index(handle->static_maat, tablename_intercept_compile, compile_ex_param_new, compile_ex_param_free, compile_ex_param_dup, 0, logger);
+ if(ret < 0){
+ KNI_LOG_ERROR(logger, "Failed at Maat_rule_get_ex_new_index, tablename = %s, ret = %d", tablename_intercept_compile, ret);
+ goto error_out;
+ }
+ //dynamic maat register
+ handle->dynamic_maat = create_maat_feather("dynamic", profile, "dynamic_maat", logger, thread_count);
+ if(handle->dynamic_maat == NULL){
+ goto error_out;
+ }
+ handle->subscriber_id_tableid = Maat_table_register(handle->dynamic_maat, tablename_subscriber_id);
+ if(handle->subscriber_id_tableid < 0){
+ KNI_LOG_ERROR(logger, "Failed at Maat_table_register, tablename = %s, ret = %d",
+ tablename_subscriber_id, handle->subscriber_id_tableid);
+ goto error_out;
+ }
+ ret = Maat_plugin_EX_register(handle->dynamic_maat,
+ handle->subscriber_id_tableid,
+ subscribe_id_new_cb,
+ subscribe_id_free_cb,
+ subscribe_id_dup_cb,
+ NULL,
+ 0,
+ logger);
+ if(ret != 0){
+ KNI_LOG_ERROR(NULL, "Failed at Maat_plugin_EX_register, tablename = %s, ret = %d", tablename_subscriber_id, ret);
+ goto error_out;
+ }
 return handle;
 error_out:
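Review bot: `subscribe_id_new_cb` copies `len` bytes into `*ad` but never writes a terminator at `(*ad)[len]`, so the stored string is NUL-terminated only if `ALLOC` happens to zero-fill; since the value is later handed to `strlen` in `intercept_policy_scan` and to `%s` in both this callback and `subscribe_id_free_cb`, add `((char*)*ad)[len] = '\0';` after the `memcpy` rather than relying on the allocator. In the same hunk `get_column_pos` and `subscribe_id_dup_cb` use `kni_strdup` without a NULL check: with `dup_line == NULL` the first `strtok_r(NULL, seps, &saveptr)` runs with a NULL save pointer, which is undefined, so return -1 early there (`if(dup_line == NULL) return -1;`), and the dup callback will silently give Maat a NULL copy on allocation failure. The last error branch of `kni_maat_init` logs with `KNI_LOG_ERROR(NULL, ...)` while every sibling call uses `logger`, which looks like a typo. `ALLOC(struct kni_maat_handle, 1)` is likewise unchecked before `handle->logger = logger;`, and the `error_out:` cleanup that releases the handle lies outside this hunk.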
@@ -181,79 +254,113 @@ error_out:
 return NULL;
 }
-static int index_of_enforce_policy(struct Maat_rule_t* result, size_t size)
-{
+static int index_of_enforce_policy(struct Maat_rule_t* result, size_t size){
 size_t i = 0;
 int biggest_intercept_policy_id = -1, ret_intercept_idx = -1;
 int biggest_bypass_policy_id = -1, ret_bypass_idx = -1;
- for(i = 0; i < size; i++)
- {
- if((unsigned char)result[i].action == KNI_ACTION_BYPASS)
- {
- if(result[i].config_id > biggest_bypass_policy_id)
- {
+ for(i = 0; i < size; i++){
+ if((unsigned char)result[i].action == KNI_ACTION_BYPASS){
+ if(result[i].config_id > biggest_bypass_policy_id){
 biggest_bypass_policy_id = result[i].config_id;
 ret_bypass_idx = i;
 }
 }
- else
- {
- if(result[i].config_id > biggest_intercept_policy_id)
- {
+ else{
+ if(result[i].config_id > biggest_intercept_policy_id){
 biggest_intercept_policy_id = result[i].config_id;
 ret_intercept_idx = i;
 }
 }
 }
- if(biggest_bypass_policy_id != -1)
- {
+ if(biggest_bypass_policy_id != -1){
 return ret_bypass_idx;
 }
- else
- {
+ else{
 return ret_intercept_idx;
 }
 }
+//type: 0 : sip, 1 : dip
+static void get_ip_from_ipaddr(struct ipaddr *addr, char *ip, int type){
+ if(addr->addrtype == ADDR_TYPE_IPV4){
+ struct stream_tuple4_v4 *v4 = addr->v4;
+ if(type == 0){
+ inet_ntop(AF_INET, &(v4->saddr), ip, INET_ADDRSTRLEN);
+ }
+ else{
+ inet_ntop(AF_INET, &(v4->daddr), ip, INET_ADDRSTRLEN);
+ }
+ }
+ else{
+ struct stream_tuple4_v6 *v6 = addr->v6;
+ if(type == 0){
+ inet_ntop(AF_INET6, v6->saddr, ip, INET6_ADDRSTRLEN);
+ }
+ else{
+ inet_ntop(AF_INET6, v6->daddr, ip, INET6_ADDRSTRLEN);
+ }
+ }
+ return;
+}
+
 enum kni_action intercept_policy_scan(struct kni_maat_handle* handle, struct ipaddr *addr, char *domain, int domain_len, int thread_seq, int *policy_id, int *do_log, int *is_hit_policy){
 //return KNI_ACTION_INTERCEPT;
- Maat_feather_t maat_feather=handle->feather;
- int table_intercept_ip=handle->tableid_intercept_ip;
- int table_intercept_domain=handle->tableid_intercept_domain;
 struct Maat_rule_t result[KNI_MAAT_RULE_NUM_MAX];
 scan_status_t scan_mid = NULL;
- int scan_ret=0, hit_policy_cnt=0, enforced_policy_idx=0;
+ int scan_ret = 0, hit_policy_cnt = 0, enforced_policy_idx = 0;
+ //scan subscribe_id
+ char sip[INET6_ADDRSTRLEN];
+ char dip[INET6_ADDRSTRLEN];
+ get_ip_from_ipaddr(addr, sip, 0);
+ get_ip_from_ipaddr(addr, dip, 1);
+ char* source_subscribe_id = NULL, *dest_subscribe_id = NULL;
+ source_subscribe_id = (char*)Maat_plugin_get_EX_data(handle->dynamic_maat, handle->subscriber_id_tableid, sip);
+ dest_subscribe_id = (char*)Maat_plugin_get_EX_data(handle->dynamic_maat, handle->subscriber_id_tableid, dip);
+ if(source_subscribe_id != NULL){
+ scan_ret = Maat_full_scan_string(handle->static_maat, handle->scan_tableid[TSG_OBJ_SUBSCRIBE_ID],
+ CHARSET_UTF8, source_subscribe_id, strlen(source_subscribe_id),
+ result+hit_policy_cnt, NULL, KNI_MAAT_RULE_NUM_MAX-hit_policy_cnt,
+ &scan_mid, thread_seq);
+ if(scan_ret > 0){
+ hit_policy_cnt += scan_ret;
+ }
+ }
+ if(dest_subscribe_id != NULL){
+ scan_ret = Maat_full_scan_string(handle->static_maat, handle->scan_tableid[TSG_OBJ_SUBSCRIBE_ID],
+ CHARSET_UTF8, dest_subscribe_id, strlen(dest_subscribe_id),
+ result+hit_policy_cnt, NULL, KNI_MAAT_RULE_NUM_MAX-hit_policy_cnt,
+ &scan_mid, thread_seq);
+ if(scan_ret > 0){
+ hit_policy_cnt += scan_ret;
+ }
+ }
 //tcp: 6, udp: 17, can't be 0
- scan_ret = Maat_scan_proto_addr(maat_feather, table_intercept_ip, addr, 6,
+ scan_ret = Maat_scan_proto_addr(handle->static_maat, handle->scan_tableid[PXY_INTERCEPT_IP], addr, 6,
 result+hit_policy_cnt, KNI_MAAT_RULE_NUM_MAX-hit_policy_cnt, &scan_mid, thread_seq);
- if(scan_ret>0)
- {
- hit_policy_cnt+=scan_ret;
+ if(scan_ret > 0){
+ hit_policy_cnt += scan_ret;
 }
- scan_ret = Maat_full_scan_string(maat_feather, table_intercept_domain, CHARSET_UTF8,
+ scan_ret = Maat_full_scan_string(handle->static_maat, handle->scan_tableid[PXY_INTERCEPT_DOMAIN], CHARSET_UTF8,
 domain, domain_len, result+hit_policy_cnt, NULL, KNI_MAAT_RULE_NUM_MAX-hit_policy_cnt, &scan_mid, thread_seq);
- if(scan_ret>0)
- {
- hit_policy_cnt+=scan_ret;
+ if(scan_ret > 0){
+ hit_policy_cnt += scan_ret;
 }
 Maat_clean_status(&scan_mid);
- if(hit_policy_cnt>0)
- {
- enforced_policy_idx=index_of_enforce_policy(result, hit_policy_cnt);
+ if(hit_policy_cnt > 0){
+ enforced_policy_idx = index_of_enforce_policy(result, hit_policy_cnt);
 *policy_id = result[enforced_policy_idx].config_id;
 *do_log = result[enforced_policy_idx].do_log;
- *is_hit_policy=1;
+ *is_hit_policy = 1;
 unsigned char action = (unsigned char)result[enforced_policy_idx].action;
 return (enum kni_action)action;
 }
- else
- {
- *policy_id=0;
- *do_log=g_maat_default_log_option;
+ else{
+ *policy_id = 0;
+ *do_log = g_maat_default_log_option;
 return g_maat_default_action;
 }
 }
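Review bot: `get_ip_from_ipaddr` discards the return value of `inet_ntop`, and `sip`/`dip` in `intercept_policy_scan` are never initialised, so when the conversion fails (or `addr->addrtype` is some value other than `ADDR_TYPE_IPV4`, which the `else` branch treats as IPv6 without checking) an unterminated buffer of stack garbage becomes the lookup key for `Maat_plugin_get_EX_data`. Make the helper report failure and skip the subscriber-ID lookup for that direction when it does; the sketch below keeps the signature apart from the return type, and whether a non-IPv4 `addrtype` is always IPv6 here should be confirmed against `struct ipaddr`. The `//type: 0 : sip, 1 : dip` comment is the only documentation on the helper, so the two call sites would read better with named constants for the direction argument.
```cpp
//type: 0 : sip, 1 : dip; returns 0 on success, -1 if the address could not be formatted (ip is then "")
static int get_ip_from_ipaddr(struct ipaddr *addr, char *ip, int type){
    const char *p = NULL;
    ip[0] = '\0';
    if(addr->addrtype == ADDR_TYPE_IPV4){
        struct stream_tuple4_v4 *v4 = addr->v4;
        p = inet_ntop(AF_INET, type == 0 ? &(v4->saddr) : &(v4->daddr), ip, INET_ADDRSTRLEN);
    }
    else{
        struct stream_tuple4_v6 *v6 = addr->v6;
        p = inet_ntop(AF_INET6, type == 0 ? v6->saddr : v6->daddr, ip, INET6_ADDRSTRLEN);
    }
    return p == NULL ? -1 : 0;
}

// … unchanged: intercept_policy_scan up to the scan_ret declaration …
    char sip[INET6_ADDRSTRLEN];
    char dip[INET6_ADDRSTRLEN];
    char* source_subscribe_id = NULL, *dest_subscribe_id = NULL;
    if(get_ip_from_ipaddr(addr, sip, 0) == 0){
        source_subscribe_id = (char*)Maat_plugin_get_EX_data(handle->dynamic_maat, handle->subscriber_id_tableid, sip);
    }
    if(get_ip_from_ipaddr(addr, dip, 1) == 0){
        dest_subscribe_id = (char*)Maat_plugin_get_EX_data(handle->dynamic_maat, handle->subscriber_id_tableid, dip);
    }
    // … unchanged: subscriber-ID, IP and domain scans and the policy selection …
```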