diff --git a/entry/include/kni_maat.h b/entry/include/kni_maat.h
index c135cd4..03663f2 100644
--- a/entry/include/kni_maat.h
+++ b/entry/include/kni_maat.h
@@ -23,6 +23,5 @@ enum kni_action{
 struct kni_maat_handle* kni_maat_init(const char* profile, void *logger);
 void kni_maat_destroy(struct kni_maat_handle *handle);
-int kni_maat_scan_ip(struct kni_maat_handle* handle, struct ipaddr *addr, int thread_seq, int *policy_id, int *maat_hit);
-int kni_maat_scan_domain(struct kni_maat_handle* handle, char *domain, int domain_len, int thread_seq, int *policy_id, int *maat_hit);
-int kni_maat_action_trans(int action, char *action_str);
\ No newline at end of file
+enum kni_action intercept_policy_scan(struct kni_maat_handle* handle, struct ipaddr *addr, char *domain, int domain_len, int thread_seq, int *policy_id, int *is_hit_policy);
+int kni_maat_action_trans(int action, char *action_str);
diff --git a/entry/src/kni_entry.cpp b/entry/src/kni_entry.cpp
index 4d8c5b8..9bcb7b2 100644
--- a/entry/src/kni_entry.cpp
+++ b/entry/src/kni_entry.cpp
@@ -67,15 +67,17 @@ struct pme_info{
 int protocol;
 int policy_id;
 int maat_hit;
- int action;
+ enum kni_action action;
 int service;
 struct kni_tcpopt_info *client_tcpopt;
 struct kni_tcpopt_info *server_tcpopt;
 int tfe_id;
 void *logger;
 char stream_trace_id[STREAM_TRACE_ID_LEN];
- char host[KNI_DOMAIN_MAX]; //http only
- char sni[KNI_DOMAIN_MAX]; //ssl only
+ union{
+ char host[KNI_DOMAIN_MAX]; //http only
+ char sni[KNI_DOMAIN_MAX]; //ssl only
+ };
 //tfe_release = 1: tfe don't need pmeinfo
 int tfe_release;
 int sapp_release;
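Review bot: The new `intercept_policy_scan` declaration carries no contract for its out-parameters, and from the implementation in kni_maat.cpp `*policy_id` and `*is_hit_policy` are written only when a rule hits while the no-hit path returns the configured default and leaves both untouched, so every caller has to initialise them itself. A comment above the prototype would make that visible at the call sites: `/* Scans addr and domain[0..domain_len) against the intercept tables. On a hit sets *policy_id and *is_hit_policy = 1 and returns the chosen action; otherwise returns the configured default and does not touch the out-params. */`. `domain` is only read by the scan, so `const char *domain` would also document that, if the underlying Maat API accepts it.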
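Review bot: Making `host` and `sni` an anonymous union means the two fields now alias the same bytes, so any path that fills one and later reads or logs the other will see the same string; the `else if` added in data_opstate enforces one-or-the-other at the write site, but other readers of these fields are outside this diff and should be checked. A comment on the union would spare the next reader that search: `//host and sni share storage: a stream is either HTTP or SSL, never both`. The `memcpy` into these buffers in data_opstate still copies `result->domain_len` bytes with no check against `KNI_DOMAIN_MAX`; that is unchanged code, but the union makes the buffer the only one there is.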
@@ -510,18 +512,6 @@ static char pending_opstate(const struct streaminfo *stream, struct pme_info *pm
 return APP_STATE_FAWPKT | APP_STATE_GIVEME;
 }
-static int get_action(struct ipaddr *addr, char *domain, int domain_len, int thread_seq, int *policy_id, int *maat_hit){
- //return KNI_ACTION_INTERCEPT;
- int ret = kni_maat_scan_ip(g_kni_handle->maat_handle, addr, thread_seq, policy_id, maat_hit);
- if(action == KNI_ACTION_BYPASS){
- return action;
- }
- if(domain_len != 0){
- action = kni_maat_scan_domain(g_kni_handle->maat_handle, domain, domain_len, thread_seq, policy_id, maat_hit);
- }
- return action;
-}
-
 //TODO: 这一块逻辑需要和洋姐和秋秋讨论一下
 static char data_opstate(const struct streaminfo *stream, struct pme_info *pmeinfo, struct pkt_info *pktinfo, int thread_seq){
 void *logger = g_kni_handle->local_logger;
@@ -589,18 +579,18 @@ static char data_opstate(const struct streaminfo *stream, struct pme_info *pmein
 memcpy(pmeinfo->sni, result->domain, result->domain_len);
 FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_SSL_STM], 0, FS_OP_ADD, 1);
 }
- if(pmeinfo->protocol == KNI_PROTOCOL_HTTP){
+ else if(pmeinfo->protocol == KNI_PROTOCOL_HTTP){
 memcpy(pmeinfo->host, result->domain, result->domain_len);
 FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_HTTP_STM], 0, FS_OP_ADD, 1);
 }
- pmeinfo->action = get_action((struct ipaddr*)(&stream->addr), result->domain, result->domain_len,
+ pmeinfo->action = intercept_policy_scan(g_kni_handle->maat_handle, (struct ipaddr*)(&stream->addr), result->domain, result->domain_len,
 thread_seq, &(pmeinfo->policy_id), &(pmeinfo->maat_hit));
 //输出maat拦截日志
 char domain_str[KNI_DOMAIN_MAX] = "";
 memcpy(domain_str, result->domain, result->domain_len);
 char action_str[KNI_SYMBOL_MAX];
 kni_maat_action_trans(pmeinfo->action, action_str);
- KNI_LOG_DEBUG(logger, "get_action: %s, %s, policy_id = %d, action = %d(%s), maat_hit = %d",
+ KNI_LOG_DEBUG(logger, "intercept_policy_scan: %s, %s, policy_id = %d, action = %d(%s), maat_hit = %d",
 stream_addr, domain_str, pmeinfo->policy_id, pmeinfo->action, action_str, pmeinfo->maat_hit);
 FREE(&result);
 //TODO: 这块比较奇怪, 收到client hello, 但是没有syn/ack包, 直接bypass了
@@ -1322,4 +1312,4 @@ extern "C" int kni_init(){
 error_out:
 kni_destroy(g_kni_handle);
 return -1;
-}
\ No newline at end of file
+}
diff --git a/entry/src/kni_maat.cpp b/entry/src/kni_maat.cpp
index 2a06774..6d2f396 100644
--- a/entry/src/kni_maat.cpp
+++ b/entry/src/kni_maat.cpp
@@ -9,7 +9,7 @@ extern int g_iThreadNum;
 2. 如果maat的编译配置表中有policy_id = 0的配置,则将 g_maat_default_action设为对应的action, policy_id = 0
 */
-int g_maat_default_action;
+enum kni_action g_maat_default_action;
 struct kni_maat_handle{
 Maat_feather_t feather;
@@ -32,7 +32,7 @@ void compile_ex_param_new(int idx, const struct Maat_rule_t* rule, const char* s
 void *logger = argp;
 KNI_LOG_DEBUG(logger, "call compile_ex_param_new");
 if(rule->config_id == 0){
- g_maat_default_action = rule->action;
+ g_maat_default_action = (enum kni_action)rule->action;
 }
 return;
 }
@@ -89,7 +89,7 @@ struct kni_maat_handle* kni_maat_init(const char* profile, void *logger){
 KNI_LOG_ERROR(logger, "MESA_prof_load: compile_alias not set, profile is %s, section is %s", profile, section);
 goto error_out;
 }
- ret = MESA_load_profile_int_nodef(profile, section, "default_action", &g_maat_default_action);
+ ret = MESA_load_profile_int_nodef(profile, section, "default_action", (int*)&g_maat_default_action);
 if(ret < 0){
 KNI_LOG_ERROR(logger, "MESA_prof_load: default_action not set, profile is %s, section is %s", profile, section);
 goto error_out;
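Review bot: `(enum kni_action)rule->action` accepts whatever integer the compiled rule table carries as a valid action, so a mistyped config_id = 0 entry becomes an out-of-range enum value that neither the bypass nor the intercept comparisons in the scan recognise. If `KNI_ACTION_BYPASS` and `KNI_ACTION_INTERCEPT` are the only members of `kni_action` (the enum body is not in this diff), validate before assigning: `if(rule->action != KNI_ACTION_BYPASS && rule->action != KNI_ACTION_INTERCEPT){ KNI_LOG_ERROR(logger, "compile_ex_param_new: invalid default action %d", rule->action); return; }`. The same unvalidated conversion of a configured value appears in the `@@ -89` hunk below, raised separately there.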
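Review bot: `(int*)&g_maat_default_action` has `MESA_load_profile_int_nodef` store an `int` through a pointer to an `enum kni_action` object; the underlying type of an unscoped enum is implementation-defined and need not be `int`-sized, and the store through an incompatible pointer type is an aliasing violation in any case, so the cast silences the warning produced by the `@@ -9` type change rather than fixing it. Read the value into a local `int`, check it, then assign the enum; the profile value is also never range-checked, so a typo in `default_action` silently becomes an action the scan code does not recognise (which member set is complete should be confirmed against the enum, not shown here). kni_maat_init continues outside the hunk.
```cpp
    int default_action = 0;
    ret = MESA_load_profile_int_nodef(profile, section, "default_action", &default_action);
    if(ret < 0){
        KNI_LOG_ERROR(logger, "MESA_prof_load: default_action not set, profile is %s, section is %s", profile, section);
        goto error_out;
    }
    // refuse to store a value that is not a known action rather than a stray enum value
    if(default_action != KNI_ACTION_BYPASS && default_action != KNI_ACTION_INTERCEPT){
        KNI_LOG_ERROR(logger, "MESA_prof_load: default_action %d is not a valid kni_action, profile is %s, section is %s", default_action, profile, section);
        goto error_out;
    }
    g_maat_default_action = (enum kni_action)default_action;
    // … unchanged: rest of kni_maat_init …
```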
@@ -174,72 +174,63 @@ error_out: return NULL; } -static int maat_process_scan_result(struct kni_maat_handle *handle, int num, struct Maat_rule_t *result, int *policy_id){ - //void *logger = handle->logger; - int action = g_maat_default_action; - *policy_id = 0; //默认动作是编译表中policy_id=0的字段,所以默认policy_id=0; - for(int i = 0; i < num; i++){ - action = result[i].action; - *policy_id = result[i].config_id; - if(action == KNI_ACTION_BYPASS){ - return action; +static int index_of_enforce_policy(struct Maat_rule_t* result, size_t size) +{ + size_t i=0; + int biggest_policy_id=0, ret_intercept_idx=0; + for(i=0; iaction==KNI_ACTION_BYPASS) + { + return i; + } + else + { + if(result->config_id>biggest_policy_id) + { + biggest_policy_id=result->config_id; + ret_intercept_idx=i; + } } } - return action; + return ret_intercept_idx; } - - -//TODO: Maat_rule_get_ex_new_index compile_ex_param_new: config_id = 0, 取action即为全局变量, 一旦配置更新就回调, tableinfo怎么写,回调表, 编译配置表 -int kni_maat_scan_ip(struct kni_maat_handle *handle, struct ipaddr *addr, int thread_seq, int *policy_id, int *maat_hit){ - //printf("default action is %d\n", g_maat_default_action); - void *logger = handle->logger; - struct Maat_rule_t result[KNI_MAAT_RULE_NUM_MAX]; - scan_status_t mid = NULL; - int ret = Maat_scan_proto_addr(handle->feather, handle->tableid_intercept_ip, addr, 0, result, - KNI_MAAT_RULE_NUM_MAX, &mid, thread_seq); - if(ret < 0){ - KNI_LOG_ERROR(logger, "Failed at Maat_scan_proto_addr, ret is %d", ret); - return g_maat_default_action; - } - if(ret == 0){ - return g_maat_default_action; - } - *maat_hit = 1; - int action = maat_process_scan_result(handle, ret, result, policy_id); +enum kni_action intercept_policy_scan(struct kni_maat_handle* handle, struct ipaddr *addr, char *domain, int domain_len, int thread_seq, int *policy_id, int *is_hit_policy){ + //return KNI_ACTION_INTERCEPT; + Maat_feather_t maat_feather=handle->feather; + int table_intercept_ip=handle->tableid_intercept_ip; + int 
table_intercept_domain=handle->tableid_intercept_domain; + struct Maat_rule_t result[KNI_MAAT_RULE_NUM_MAX]; + scan_status_t scan_mid = NULL; + int scan_ret=0, hit_policy_cnt=0, enforced_policy_idx=0; - /*for debug - char stream_addr[KNI_SYMBOL_MAX] = ""; - kni_stream_addr_trans(addr, stream_addr, sizeof(stream_addr)); - KNI_LOG_DEBUG(logger, "maat_scan_ip, %s, policy_id = %d, action = %s\n", - stream_addr, *policy_id, action == KNI_ACTION_BYPASS ? "bypss" : "intercept"); - */ - return action; -} - -int kni_maat_scan_domain(struct kni_maat_handle* handle, char *domain, int domain_len, int thread_seq, int *policy_id, int *maat_hit){ - void *logger = handle->logger; - struct Maat_rule_t result[KNI_MAAT_RULE_NUM_MAX]; - //必须要初始化为NULL, 不懂为什么 - scan_status_t mid = NULL; - int ret = Maat_full_scan_string(handle->feather, handle->tableid_intercept_domain, CHARSET_UTF8, - domain, domain_len, result, NULL, KNI_MAAT_RULE_NUM_MAX, &mid, thread_seq); - if(ret < 0){ - KNI_LOG_ERROR(logger, "Failed at Maat_full_scan_string, ret is %d", ret); + scan_ret = Maat_scan_proto_addr(maat_feather, table_intercept_ip, addr, 0, + result+hit_policy_cnt, KNI_MAAT_RULE_NUM_MAX-hit_policy_cnt, + &scan_mid, thread_seq); + if(scan_ret>0) + { + hit_policy_cnt+=scan_ret; + } + scan_ret = Maat_full_scan_string(maat_feather, table_intercept_domain, CHARSET_UTF8, + domain, domain_len, + result+hit_policy_cnt, NULL, KNI_MAAT_RULE_NUM_MAX-hit_policy_cnt, + &scan_mid, thread_seq); + if(scan_ret>0) + { + hit_policy_cnt+=scan_ret; + } + Maat_clean_status(&scan_mid); + if(hit_policy_cnt>0) + { + enforced_policy_idx=index_of_enforce_policy(result, hit_policy_cnt); + *policy_id=result[enforced_policy_idx].config_id; + *is_hit_policy=1; + return (enum kni_action)result[enforced_policy_idx].action; + } + else + { return g_maat_default_action; } - if(ret == 0){ - return g_maat_default_action; - } - *maat_hit = 1; - int action = maat_process_scan_result(handle, ret, result, policy_id); - - //for debug - char 
domain1[100] = ""; - memcpy(domain1, domain, domain_len); - domain1[domain_len] = '\0'; - KNI_LOG_DEBUG(logger, "maat_scan_domain: %s, policy_id = %d, action = %s\n", - domain, *policy_id, action == KNI_ACTION_BYPASS ? "bypss" : "intercept"); - return action; }
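Review bot: In `index_of_enforce_policy` the policy-id comparison reads `result->config_id`, i.e. always element 0, instead of the i-th entry, so `biggest_policy_id` is fixed after the first iteration and `ret_intercept_idx` never moves off 0; the "highest policy id wins" selection the helper is named for never happens and both reads should be `result[i].config_id` (the bypass test on the line above is garbled in this rendering, so I cannot confirm which element it indexes). Separately, both scan calls now drop a negative return silently where the removed `kni_maat_scan_ip`/`kni_maat_scan_domain` logged it, the domain scan now runs with `domain_len == 0` where the removed `get_action` skipped it, and the no-hit path returns without touching `*policy_id`/`*is_hit_policy`, so callers must initialise both. Whether `Maat_full_scan_string` accepts a zero-length input and whether one `scan_mid` may be shared across two scans (the old code used a fresh one per call) should be confirmed against the Maat API; the rewrite below assumes neither and keeps the old guard and logging.
```cpp
static int index_of_enforce_policy(struct Maat_rule_t* result, size_t size)
{
    int biggest_policy_id = 0, ret_intercept_idx = 0;
    for(size_t i = 0; i < size; i++)
    {
        if(result[i].action == KNI_ACTION_BYPASS)
        {
            return (int)i;
        }
        // compare the i-th entry, not result[0], or the index never leaves 0
        if(result[i].config_id > biggest_policy_id)
        {
            biggest_policy_id = result[i].config_id;
            ret_intercept_idx = (int)i;
        }
    }
    return ret_intercept_idx;
}

// … unchanged: intercept_policy_scan prologue …
    scan_ret = Maat_scan_proto_addr(maat_feather, table_intercept_ip, addr, 0,
                                    result+hit_policy_cnt, KNI_MAAT_RULE_NUM_MAX-hit_policy_cnt,
                                    &scan_mid, thread_seq);
    if(scan_ret < 0)
    {
        // a failed scan falls through to the default action; keep that visible in the log
        KNI_LOG_ERROR(handle->logger, "Failed at Maat_scan_proto_addr, ret is %d", scan_ret);
    }
    else
    {
        hit_policy_cnt += scan_ret;
    }
    if(domain_len > 0)
    {
        scan_ret = Maat_full_scan_string(maat_feather, table_intercept_domain, CHARSET_UTF8,
                                         domain, domain_len,
                                         result+hit_policy_cnt, NULL, KNI_MAAT_RULE_NUM_MAX-hit_policy_cnt,
                                         &scan_mid, thread_seq);
        if(scan_ret < 0)
        {
            KNI_LOG_ERROR(handle->logger, "Failed at Maat_full_scan_string, ret is %d", scan_ret);
        }
        else
        {
            hit_policy_cnt += scan_ret;
        }
    }
// … unchanged: Maat_clean_status and result selection …
```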