20180716

2018-07-16 15:23:21 +08:00
parent 39d12fa2aa
commit a09d4f7cf4
2 changed files with 80 additions and 40 deletions
--- a/kni.c
+++ b/kni.c
@@ -571,6 +571,7 @@ int kni_keepalive_replay(struct stream_tuple4_v4* ipv4_addr,int iprever_flag,str
 	return 0;
 #endif

+
 	int index=1-iprever_flag;
 //	unsigned short ipid=random()%65535;
 	
@@ -912,7 +913,7 @@ int tcprepair_get_state(struct kni_tcp_state* fake_client,struct kni_tcp_state*
 int tcprepair_set_state(int sk,struct kni_tcp_state* tcp)
 {
 	int val,yes=1, onr = 0;
-	int mark = 1; 
+	int mark = 2; 
 	struct tcp_repair_opt opts[KNI_TCPREPAIR_OPT_NUM];
 	struct sockaddr_in addr;
 	
@@ -1031,7 +1032,7 @@ int tcprepair_set_state(int sk,struct kni_tcp_state* tcp)
 	onr++;
 */

-	MESA_handle_runtime_log(g_kni_comminfo.logger, RLOG_LV_FATAL,"tcprepair_set_state","wscale_src:%d,wscale_dst:%d,wscale:%x,mss:%d,sack:%d",tcp->wscale_src,tcp->wscale_dst,opts[0].opt_val,opts[1].opt_val,opts[2].opt_val);
+	MESA_handle_runtime_log(g_kni_comminfo.logger, RLOG_LV_FATAL,"tcprepair_set_state","onr:%d,wscale_src:%d,wscale_dst:%d,wscale:%x,mss:%d,sack:%d",onr,tcp->wscale_src,tcp->wscale_dst,opts[0].opt_val,opts[1].opt_val,opts[2].opt_val);

 	if (setsockopt(sk, SOL_TCP, TCP_REPAIR_OPTIONS,opts, onr * sizeof(struct tcp_repair_opt)) < 0) 
 	{
@@ -1122,26 +1123,25 @@ return :state_flag
 kni_bmd:STAT_FLAG_SNIBMD
 not kni_bmd:STAT_FLAG_SSL_NOBMD
 ***************************************************************************************/
-int kni_judge_sni(char* sni,int sni_len,int thread_seq)
+int kni_judge_sni(char* sni,int sni_len,int thread_seq,scan_status_t mid)
 {
+	int i=0;
 	int action=KNI_ACTION_NONE;
-	int state_flag=KNI_FLAG_SSL;
+	int state_flag=KNI_FLAG_NOTPROC;

 	int string_scan_num=0;
 	int found_pos;
-	scan_status_t mid=NULL;
-	struct Maat_rule_t maat_result;
+	struct Maat_rule_t maat_result[KNI_MAX_SAMENUM];

-	string_scan_num=Maat_full_scan_string(g_kni_maatinfo.maat_feather,g_kni_maatinfo.tableid_domain,CHARSET_GBK,sni,sni_len,&maat_result,&found_pos,1,&mid,thread_seq);
-	Maat_clean_status(&mid);
-
-	if(string_scan_num>0)
+	string_scan_num=Maat_full_scan_string(g_kni_maatinfo.maat_feather,g_kni_maatinfo.tableid_domain,CHARSET_GBK,sni,sni_len,maat_result,&found_pos,KNI_MAX_SAMENUM,&mid,thread_seq);
+	
+	for(i=0;i<string_scan_num;i++)
 	{
-		action=abs(maat_result.action);
-		MESA_handle_runtime_log(g_kni_comminfo.logger, RLOG_LV_FATAL,(char*)"kni_judge_sni","action:%d",action);
-		if((action==KNI_ACTION_WHITELIST)||((action!=KNI_ACTION_REJECT)&&(g_kni_switch_info.maat_default_switch==0)))
+		action=abs(maat_result[i].action);
+		if(action==KNI_ACTION_WHITELIST)
 		{
 			state_flag=KNI_FLAG_SNIBMD;
+			return state_flag;
 		}
 	}
 	
@@ -1296,20 +1296,23 @@ int kni_judge_ssl_bak(char* tcp_data,int tcp_datalen,char* sni,int* sni_len)
 return :action
 default:ipscan_num =0 or =1,not >1
 ***************************************************************************************/
-int kni_judge_ipbmd(struct ipaddr* addr,int thread_seq,int protocol)
+int kni_judge_ipbmd(struct ipaddr* addr,int thread_seq,int protocol,scan_status_t mid)
 {
+	int i=0;
 	int action=KNI_ACTION_NONE;

 	int ipscan_num=0;
-	scan_status_t mid=NULL;
-	struct Maat_rule_t maat_result;
+	struct Maat_rule_t maat_result[KNI_MAX_SAMENUM];

-	ipscan_num=Maat_scan_proto_addr(g_kni_maatinfo.maat_feather,g_kni_maatinfo.tableid_ip,addr,protocol,&maat_result,1,&mid,thread_seq);
-	Maat_clean_status(&mid);
+	ipscan_num=Maat_scan_proto_addr(g_kni_maatinfo.maat_feather,g_kni_maatinfo.tableid_ip,addr,protocol,maat_result,KNI_MAX_SAMENUM,&mid,thread_seq);

-	if(ipscan_num>0)
+	for(i=0;i<ipscan_num;i++)
 	{
-		action=abs(maat_result.action);
+		action=abs(maat_result[i].action);
+		if(action==KNI_ACTION_WHITELIST)
+		{
+			return action;
+		}
 	}

 	return action;
@@ -1357,35 +1360,47 @@ int kni_get_tcpopt(struct kni_tcp_hdr* tcphdr,int tcp_hdr_len,unsigned short* ms
 			remain_len-=tcp_opt->len;
 			*mss=htons(*(unsigned short*)(tcp_opt->content));
 			tcp_opt=(struct kni_tcp_opt_format*)((char*)tcp_opt+tcp_opt->len);
+
+			continue;
 		}
 		else if(tcp_opt->type==KNI_TCPOPT_WINSCALE)			//winscale
 		{
 			remain_len-=tcp_opt->len;
 			*winscale=*(unsigned char*)(tcp_opt->content);
 			tcp_opt=(struct kni_tcp_opt_format*)((char*)tcp_opt+tcp_opt->len);
+
+			continue;
 		}
 		else if(tcp_opt->type==KNI_TCPOPT_SACKOK)			//scak
 		{
 			remain_len-=tcp_opt->len;
 			*scak=1;
 			tcp_opt=(struct kni_tcp_opt_format*)((char*)tcp_opt+tcp_opt->len);
+
+			continue;
 		}
 		else if(tcp_opt->type==KNI_TCPOPT_TIMESTAMP)			//timestamp
 		{
 			remain_len-=tcp_opt->len;
 			*timestamps=1;
 			tcp_opt=(struct kni_tcp_opt_format*)((char*)tcp_opt+tcp_opt->len);
+
+			continue;
 		}
 		else if((tcp_opt->type==0)||(tcp_opt->type==1))
 		{
 			remain_len-=1;
 			tcp_opt=(struct kni_tcp_opt_format*)((char*)tcp_opt+1);
+
+			continue;
 			
 		}
 		else
 		{
 			remain_len-=tcp_opt->len;
 			tcp_opt=(struct kni_tcp_opt_format*)((char*)tcp_opt+tcp_opt->len);
+
+			continue;
 			
 		}
 	}
@@ -1651,7 +1666,7 @@ char kni_first_tcpdata(const struct streaminfo* pstream,const struct ip* ip_hdr,

 	if(pmeinfo->status_flag==KNI_FLAG_SSL)
 	{
-		pmeinfo->status_flag=kni_judge_sni(sni,sni_len,pstream->threadnum);
+		pmeinfo->status_flag=kni_judge_sni(sni,sni_len,pstream->threadnum,pmeinfo->mid);
 		MESA_handle_runtime_log(g_kni_comminfo.logger, RLOG_LV_DEBUG,(char*)"kni_judge_sni","status_flag:%d",pmeinfo->status_flag);
 	}
 	
@@ -1673,7 +1688,31 @@ char kni_first_tcpdata(const struct streaminfo* pstream,const struct ip* ip_hdr,
 	
 }

-char kni_pending_opstate(const struct streaminfo* pstream,void** pme,int thread_seq,const struct ip* ip_hdr,int protocol)
+int kni_init_pmeinfo(void** pme)
+{
+	struct kni_pme_info* pmeinfo=(struct kni_pme_info*)malloc(sizeof(struct kni_pme_info));
+	memset(pmeinfo,0,sizeof(struct kni_pme_info));
+	*pme=pmeinfo;
+
+	return 0;
+
+}
+
+int kni_free_pmeinfo(void** pme)
+{
+	
+	struct kni_pme_info* pmeinfo=(struct kni_pme_info*)*pme;
+
+	Maat_clean_status(&(pmeinfo->mid));
+	free(pmeinfo);
+
+	pmeinfo=NULL;
+
+	return 0;
+
+}
+
+char kni_pending_opstate(const struct streaminfo* pstream,struct kni_pme_info* pmeinfo,int thread_seq,const struct ip* ip_hdr,int protocol)
 {
 	char ret=APP_STATE_FAWPKT|APP_STATE_DROPME;	

@@ -1682,19 +1721,16 @@ char kni_pending_opstate(const struct streaminfo* pstream,void** pme,int thread_
 	
 	int ipscan_action=0;	
 	int iplen=ntohs(ip_hdr->ip_len);
-	struct kni_pme_info* pmeinfo=NULL;
 	struct kni_tcp_hdr* tcphdr=(struct kni_tcp_hdr*)((char*)ip_hdr+4*(ip_hdr->ip_hl));

-	ipscan_action=kni_judge_ipbmd((struct ipaddr*)&(pstream->addr),thread_seq,protocol);
+
+	ipscan_action=kni_judge_ipbmd((struct ipaddr*)&(pstream->addr),thread_seq,protocol,pmeinfo->mid);
 	MESA_handle_runtime_log(g_kni_comminfo.logger, RLOG_LV_DEBUG,(char*)"kni_judge_ipbmd","action:%d",ipscan_action);
-	if((ipscan_action==KNI_ACTION_WHITELIST)||((ipscan_action!=KNI_ACTION_REJECT)&&(g_kni_switch_info.maat_default_switch==0)))
+	if(ipscan_action==KNI_ACTION_WHITELIST)
 	{
 		return ret;	
 	}

-	pmeinfo=(struct kni_pme_info*)malloc(sizeof(struct kni_pme_info));
-	memset(pmeinfo,0,sizeof(struct kni_pme_info));
-	*pme=pmeinfo;
 	
 	pmeinfo->status_flag=KNI_FLAG_UNKNOW;
 //	pmeinfo->wndsize[pstream->curdir-1]=ntohs(tcphdr->th_win);
@@ -1729,7 +1765,7 @@ char kni_pending_opstate(const struct streaminfo* pstream,void** pme,int thread_
 }


-char kni_data_opstate(const struct streaminfo* pstream,void** pme,int thread_seq,const struct ip* ip_hdr)
+char kni_data_opstate(const struct streaminfo* pstream,struct kni_pme_info* pmeinfo,int thread_seq,const struct ip* ip_hdr)
 {
 	char ret=APP_STATE_DROPPKT|APP_STATE_GIVEME;	

@@ -1737,7 +1773,7 @@ char kni_data_opstate(const struct streaminfo* pstream,void** pme,int thread_seq
 	int datalen=0;

 	int iplen=ntohs(ip_hdr->ip_len);
-	struct kni_pme_info* pmeinfo=(struct kni_pme_info*)*pme;
+//	struct kni_pme_info* pmeinfo=(struct kni_pme_info*)*pme;
 	struct kni_tcp_hdr* tcphdr=(struct kni_tcp_hdr*)((char*)ip_hdr+4*(ip_hdr->ip_hl));

 	data=kni_get_data(pstream,&datalen);
@@ -1771,7 +1807,7 @@ char kni_data_opstate(const struct streaminfo* pstream,void** pme,int thread_seq

 }

-char kni_close_opstate(const struct streaminfo* pstream,void** pme,int thread_seq,const struct ip* ip_hdr)
+char kni_close_opstate(const struct streaminfo* pstream,struct kni_pme_info* pmeinfo,int thread_seq,const struct ip* ip_hdr)
 {
 	
 	char ret=APP_STATE_FAWPKT|APP_STATE_DROPME;	
@@ -1781,7 +1817,7 @@ char kni_close_opstate(const struct streaminfo* pstream,void** pme,int thread_se
 		return ret;
 	}

-	ret=kni_data_opstate(pstream,pme,thread_seq,ip_hdr);
+	ret=kni_data_opstate(pstream,pmeinfo,thread_seq,ip_hdr);

 	return ret|APP_STATE_DROPME;
 }
@@ -1792,23 +1828,25 @@ extern "C" char kni_tcpall_entry(const struct streaminfo* pstream,void** pme,int

 //	return APP_STATE_FAWPKT|APP_STATE_GIVEME;
 	char ret=APP_STATE_FAWPKT|APP_STATE_DROPME;	
-	if((g_kni_comminfo.kni_mode_cur==KNI_MODE_BYPASS)||(pstream->addr.addrtype==ADDR_TYPE_IPV6))
+/*	if((g_kni_comminfo.kni_mode_cur==KNI_MODE_BYPASS)||(pstream->addr.addrtype==ADDR_TYPE_IPV6))
 	{
 		return ret;
 	}
+*/

 	switch(pstream->pktstate)
 	{
 		case OP_STATE_PENDING:
-			ret=kni_pending_opstate(pstream,pme,thread_seq,(struct ip*)ip_hdr,PROTO_TYPE_TCP);
+			kni_init_pmeinfo(pme);
+			ret=kni_pending_opstate(pstream,(struct kni_pme_info*)*pme,thread_seq,(const struct ip*)ip_hdr,PROTO_TYPE_TCP);
 			break;

 		case OP_STATE_DATA:
-			ret=kni_data_opstate(pstream,pme,thread_seq,(struct ip*)ip_hdr);
+			ret=kni_data_opstate(pstream,(struct kni_pme_info*)*pme,thread_seq,(const struct ip*)ip_hdr);
 			break;

 		case OP_STATE_CLOSE:
-			ret=kni_close_opstate(pstream,pme,thread_seq,(struct ip*)ip_hdr);
+			ret=kni_close_opstate(pstream,(struct kni_pme_info*)*pme,thread_seq,(const struct ip*)ip_hdr);
 			break;

 		default:
@@ -1817,7 +1855,7 @@ extern "C" char kni_tcpall_entry(const struct streaminfo* pstream,void** pme,int

 	if((ret&APP_STATE_DROPME)&&(*pme!=NULL))
 	{
-		free(*pme);
+		kni_free_pmeinfo(pme);
 		*pme=NULL;
 	}

@@ -1825,6 +1863,7 @@ extern "C" char kni_tcpall_entry(const struct streaminfo* pstream,void** pme,int
 	return ret;
 	
 }
+/*

 long kni_state_htable_cb_v6(void* data,const unsigned char* key,unsigned int size,void* user_arg)
 {
@@ -1851,7 +1890,7 @@ long kni_state_htable_cb_v6(void* data,const unsigned char* key,unsigned int siz
 	return datainfo->state_flag;
 }

-/*
+
 char kni_ipv6_entry(struct streaminfo *pstream,unsigned char routedir,int thread_seq,void *a_packet)
 {
 	int ip_reverse=0;
--- a/kni.h
+++ b/kni.h
@@ -26,7 +26,7 @@
 #endif

 //#define KNI_DEBUG_TCPREPAIR				1
-//#define KNI_DEBUG_KEEPALIVE					1
+#define KNI_DEBUG_KEEPALIVE					1


 #define KNI_MAX_THREADNUM			64
@@ -83,7 +83,7 @@
 #define KNI_ACTION_LOOP					0x60
 #define KNI_ACTION_WHITELIST			0x80

-#define KNI_MAX_CFGNUM					50
+#define KNI_MAX_SAMENUM					50
 #define KNI_TABLENAME_AREA				"USER_AREA"
 #define KNI_TABLENAME_IP				"WHITE_LIST_IP"
 #define KNI_TABLENAME_DOMAIN			"WHITE_LIST_DOMAIN"
@@ -308,6 +308,7 @@ struct kni_pme_info
 	unsigned char sack[KNI_DIR_DOUBLE];
 	unsigned char timestamps[KNI_DIR_DOUBLE];
 	struct kni_wndpro_reply_info lastpkt_info[KNI_DIR_DOUBLE]; 			//for add htable
+	scan_status_t mid;											//for maat
 };

 //htable_data_info ipv4