重构maat扫描部分代码
@@ -23,6 +23,5 @@ enum kni_action{
|
||||
|
||||
struct kni_maat_handle* kni_maat_init(const char* profile, void *logger);
|
||||
void kni_maat_destroy(struct kni_maat_handle *handle);
|
||||
int kni_maat_scan_ip(struct kni_maat_handle* handle, struct ipaddr *addr, int thread_seq, int *policy_id, int *maat_hit);
|
||||
int kni_maat_scan_domain(struct kni_maat_handle* handle, char *domain, int domain_len, int thread_seq, int *policy_id, int *maat_hit);
|
||||
enum kni_action intercept_policy_scan(struct kni_maat_handle* handle, struct ipaddr *addr, char *domain, int domain_len, int thread_seq, int *policy_id, int *is_hit_policy);
|
||||
int kni_maat_action_trans(int action, char *action_str);
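Review bot: The new `intercept_policy_scan` prototype replaces two documented-by-name scan entry points with one whose contract is not stated anywhere in this header, in particular what the two output parameters hold when no rule matches. From the implementation in the last hunk, `*policy_id` and `*is_hit_policy` are only written on a hit and the default action is returned otherwise, so callers passing uninitialized storage get stale values; that is worth saying at the declaration. I would add above it: `/* Scan addr (IP table) and domain[0..domain_len) (domain table). On a hit: *policy_id = rule config_id, *is_hit_policy = 1, returns that rule's action (BYPASS wins, else the highest config_id). On no hit returns g_maat_default_action and leaves both outputs untouched. */`. A `const char *domain` would also document that the scan does not modify the buffer, if the Maat API accepts it.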
|
||||
@@ -67,15 +67,17 @@ struct pme_info{
|
||||
int protocol;
|
||||
int policy_id;
|
||||
int maat_hit;
|
||||
int action;
|
||||
enum kni_action action;
|
||||
int service;
|
||||
struct kni_tcpopt_info *client_tcpopt;
|
||||
struct kni_tcpopt_info *server_tcpopt;
|
||||
int tfe_id;
|
||||
void *logger;
|
||||
char stream_trace_id[STREAM_TRACE_ID_LEN];
|
||||
union{
|
||||
char host[KNI_DOMAIN_MAX]; //http only
|
||||
char sni[KNI_DOMAIN_MAX]; //ssl only
|
||||
};
|
||||
//tfe_release = 1: tfe don't need pmeinfo
|
||||
int tfe_release;
|
||||
int sapp_release;
|
||||
@@ -510,18 +512,6 @@ static char pending_opstate(const struct streaminfo *stream, struct pme_info *pm
|
||||
return APP_STATE_FAWPKT | APP_STATE_GIVEME;
|
||||
}
|
||||
|
||||
static int get_action(struct ipaddr *addr, char *domain, int domain_len, int thread_seq, int *policy_id, int *maat_hit){
|
||||
//return KNI_ACTION_INTERCEPT;
|
||||
int ret = kni_maat_scan_ip(g_kni_handle->maat_handle, addr, thread_seq, policy_id, maat_hit);
|
||||
if(action == KNI_ACTION_BYPASS){
|
||||
return action;
|
||||
}
|
||||
if(domain_len != 0){
|
||||
action = kni_maat_scan_domain(g_kni_handle->maat_handle, domain, domain_len, thread_seq, policy_id, maat_hit);
|
||||
}
|
||||
return action;
|
||||
}
|
||||
|
||||
//TODO: 这一块逻辑需要和洋姐和秋秋讨论一下
|
||||
static char data_opstate(const struct streaminfo *stream, struct pme_info *pmeinfo, struct pkt_info *pktinfo, int thread_seq){
|
||||
void *logger = g_kni_handle->local_logger;
|
||||
@@ -589,18 +579,18 @@ static char data_opstate(const struct streaminfo *stream, struct pme_info *pmein
|
||||
memcpy(pmeinfo->sni, result->domain, result->domain_len);
|
||||
FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_SSL_STM], 0, FS_OP_ADD, 1);
|
||||
}
|
||||
if(pmeinfo->protocol == KNI_PROTOCOL_HTTP){
|
||||
else if(pmeinfo->protocol == KNI_PROTOCOL_HTTP){
|
||||
memcpy(pmeinfo->host, result->domain, result->domain_len);
|
||||
FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_HTTP_STM], 0, FS_OP_ADD, 1);
|
||||
}
|
||||
pmeinfo->action = get_action((struct ipaddr*)(&stream->addr), result->domain, result->domain_len,
|
||||
pmeinfo->action = intercept_policy_scan(g_kni_handle->maat_handle, (struct ipaddr*)(&stream->addr), result->domain, result->domain_len,
|
||||
thread_seq, &(pmeinfo->policy_id), &(pmeinfo->maat_hit));
|
||||
//输出maat拦截日志
|
||||
char domain_str[KNI_DOMAIN_MAX] = "";
|
||||
memcpy(domain_str, result->domain, result->domain_len);
|
||||
char action_str[KNI_SYMBOL_MAX];
|
||||
kni_maat_action_trans(pmeinfo->action, action_str);
|
||||
KNI_LOG_DEBUG(logger, "get_action: %s, %s, policy_id = %d, action = %d(%s), maat_hit = %d",
|
||||
KNI_LOG_DEBUG(logger, "intercept_policy_scan: %s, %s, policy_id = %d, action = %d(%s), maat_hit = %d",
|
||||
stream_addr, domain_str, pmeinfo->policy_id, pmeinfo->action, action_str, pmeinfo->maat_hit);
|
||||
FREE(&result);
|
||||
//TODO: 这块比较奇怪, 收到client hello, 但是没有syn/ack包, 直接bypass了
|
||||
|
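Review bot: `result->domain_len` is copied with `memcpy` into three fixed `KNI_DOMAIN_MAX` buffers in this hunk (`pmeinfo->sni`, `pmeinfo->host`, `domain_str`) with no visible bound, and `domain_str` is then printed with `%s`; since the domain comes from the parsed SNI/Host of the stream it is attacker-controlled length, so unless data_opstate (which starts outside this hunk) already clamps it, a length of `KNI_DOMAIN_MAX` or more overruns the buffer or leaves `domain_str` unterminated. A guard before the copies such as `if (result->domain_len >= KNI_DOMAIN_MAX) { /* truncate or drop */ }` would close that, and the same bound should apply to what is passed into `intercept_policy_scan`. Separately, `char action_str[KNI_SYMBOL_MAX];` is logged with `%s` while the return of `kni_maat_action_trans` is ignored; if it does not write for an unexpected action value the debug log reads an uninitialized array, so `char action_str[KNI_SYMBOL_MAX] = "";` is the cheap fix.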
||||
@@ -9,7 +9,7 @@ extern int g_iThreadNum;
|
||||
2. 如果maat的编译配置表中有policy_id = 0的配置,则将 g_maat_default_action设为对应的action, policy_id = 0
|
||||
*/
|
||||
|
||||
int g_maat_default_action;
|
||||
enum kni_action g_maat_default_action;
|
||||
|
||||
struct kni_maat_handle{
|
||||
Maat_feather_t feather;
|
||||
@@ -32,7 +32,7 @@ void compile_ex_param_new(int idx, const struct Maat_rule_t* rule, const char* s
|
||||
void *logger = argp;
|
||||
KNI_LOG_DEBUG(logger, "call compile_ex_param_new");
|
||||
if(rule->config_id == 0){
|
||||
g_maat_default_action = rule->action;
|
||||
g_maat_default_action = (enum kni_action)rule->action;
|
||||
}
|
||||
return;
|
||||
}
|
||||
@@ -89,7 +89,7 @@ struct kni_maat_handle* kni_maat_init(const char* profile, void *logger){
|
||||
KNI_LOG_ERROR(logger, "MESA_prof_load: compile_alias not set, profile is %s, section is %s", profile, section);
|
||||
goto error_out;
|
||||
}
|
||||
ret = MESA_load_profile_int_nodef(profile, section, "default_action", &g_maat_default_action);
|
||||
ret = MESA_load_profile_int_nodef(profile, section, "default_action", (int*)&g_maat_default_action);
|
||||
if(ret < 0){
|
||||
KNI_LOG_ERROR(logger, "MESA_prof_load: default_action not set, profile is %s, section is %s", profile, section);
|
||||
goto error_out;
|
||||
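Review bot: Casting `&g_maat_default_action` to `int *` writes an `int` through a pointer into an `enum kni_action` object, which only works because the enum happens to be int-compatible on this ABI (it breaks under `-fshort-enums` and is an aliasing violation either way), and it also skips any check that the configured value is a real action. Because `default_action` decides whether traffic is intercepted or bypassed when no rule hits, a typo in the profile should fail loading rather than produce an out-of-range enum that the rest of the code treats as "not BYPASS". Load into a local `int`, validate against the members `enum kni_action` actually defines (only `KNI_ACTION_BYPASS` and `KNI_ACTION_INTERCEPT` are visible in this page; extend the check if there are more), then assign; kni_maat_init starts outside this hunk.
```c
    int default_action = 0;
    ret = MESA_load_profile_int_nodef(profile, section, "default_action", &default_action);
    if(ret < 0){
        KNI_LOG_ERROR(logger, "MESA_prof_load: default_action not set, profile is %s, section is %s", profile, section);
        goto error_out;
    }
    if(default_action != KNI_ACTION_BYPASS && default_action != KNI_ACTION_INTERCEPT){
        KNI_LOG_ERROR(logger, "MESA_prof_load: default_action %d is not a valid action, profile is %s, section is %s", default_action, profile, section);
        goto error_out;
    }
    g_maat_default_action = (enum kni_action)default_action;
    /* … unchanged: remaining profile loading … */
```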
@@ -174,72 +174,63 @@ error_out:
|
||||
return NULL;
|
||||
}
|
||||
|
||||
static int maat_process_scan_result(struct kni_maat_handle *handle, int num, struct Maat_rule_t *result, int *policy_id){
|
||||
//void *logger = handle->logger;
|
||||
int action = g_maat_default_action;
|
||||
*policy_id = 0; //默认动作是编译表中policy_id=0的字段,所以默认policy_id=0;
|
||||
for(int i = 0; i < num; i++){
|
||||
action = result[i].action;
|
||||
*policy_id = result[i].config_id;
|
||||
if(action == KNI_ACTION_BYPASS){
|
||||
return action;
|
||||
static int index_of_enforce_policy(struct Maat_rule_t* result, size_t size)
|
||||
{
|
||||
size_t i=0;
|
||||
int biggest_policy_id=0, ret_intercept_idx=0;
|
||||
for(i=0; i<size; i++)
|
||||
{
|
||||
if(result->action==KNI_ACTION_BYPASS)
|
||||
{
|
||||
return i;
|
||||
}
|
||||
else
|
||||
{
|
||||
if(result->config_id>biggest_policy_id)
|
||||
{
|
||||
biggest_policy_id=result->config_id;
|
||||
ret_intercept_idx=i;
|
||||
}
|
||||
}
|
||||
return action;
|
||||
}
|
||||
return ret_intercept_idx;
|
||||
}
|
||||
|
||||
|
||||
//TODO: Maat_rule_get_ex_new_index compile_ex_param_new: config_id = 0, 取action即为全局变量, 一旦配置更新就回调, tableinfo怎么写,回调表, 编译配置表
|
||||
int kni_maat_scan_ip(struct kni_maat_handle *handle, struct ipaddr *addr, int thread_seq, int *policy_id, int *maat_hit){
|
||||
//printf("default action is %d\n", g_maat_default_action);
|
||||
void *logger = handle->logger;
|
||||
enum kni_action intercept_policy_scan(struct kni_maat_handle* handle, struct ipaddr *addr, char *domain, int domain_len, int thread_seq, int *policy_id, int *is_hit_policy){
|
||||
//return KNI_ACTION_INTERCEPT;
|
||||
Maat_feather_t maat_feather=handle->feather;
|
||||
int table_intercept_ip=handle->tableid_intercept_ip;
|
||||
int table_intercept_domain=handle->tableid_intercept_domain;
|
||||
struct Maat_rule_t result[KNI_MAAT_RULE_NUM_MAX];
|
||||
scan_status_t mid = NULL;
|
||||
int ret = Maat_scan_proto_addr(handle->feather, handle->tableid_intercept_ip, addr, 0, result,
|
||||
KNI_MAAT_RULE_NUM_MAX, &mid, thread_seq);
|
||||
if(ret < 0){
|
||||
KNI_LOG_ERROR(logger, "Failed at Maat_scan_proto_addr, ret is %d", ret);
|
||||
return g_maat_default_action;
|
||||
}
|
||||
if(ret == 0){
|
||||
return g_maat_default_action;
|
||||
}
|
||||
*maat_hit = 1;
|
||||
int action = maat_process_scan_result(handle, ret, result, policy_id);
|
||||
scan_status_t scan_mid = NULL;
|
||||
int scan_ret=0, hit_policy_cnt=0, enforced_policy_idx=0;
|
||||
|
||||
/*for debug
|
||||
char stream_addr[KNI_SYMBOL_MAX] = "";
|
||||
kni_stream_addr_trans(addr, stream_addr, sizeof(stream_addr));
|
||||
KNI_LOG_DEBUG(logger, "maat_scan_ip, %s, policy_id = %d, action = %s\n",
|
||||
stream_addr, *policy_id, action == KNI_ACTION_BYPASS ? "bypss" : "intercept");
|
||||
*/
|
||||
return action;
|
||||
}
|
||||
|
||||
int kni_maat_scan_domain(struct kni_maat_handle* handle, char *domain, int domain_len, int thread_seq, int *policy_id, int *maat_hit){
|
||||
void *logger = handle->logger;
|
||||
struct Maat_rule_t result[KNI_MAAT_RULE_NUM_MAX];
|
||||
//必须要初始化为NULL, 不懂为什么
|
||||
scan_status_t mid = NULL;
|
||||
int ret = Maat_full_scan_string(handle->feather, handle->tableid_intercept_domain, CHARSET_UTF8,
|
||||
domain, domain_len, result, NULL, KNI_MAAT_RULE_NUM_MAX, &mid, thread_seq);
|
||||
if(ret < 0){
|
||||
KNI_LOG_ERROR(logger, "Failed at Maat_full_scan_string, ret is %d", ret);
|
||||
scan_ret = Maat_scan_proto_addr(maat_feather, table_intercept_ip, addr, 0,
|
||||
result+hit_policy_cnt, KNI_MAAT_RULE_NUM_MAX-hit_policy_cnt,
|
||||
&scan_mid, thread_seq);
|
||||
if(scan_ret>0)
|
||||
{
|
||||
hit_policy_cnt+=scan_ret;
|
||||
}
|
||||
scan_ret = Maat_full_scan_string(maat_feather, table_intercept_domain, CHARSET_UTF8,
|
||||
domain, domain_len,
|
||||
result+hit_policy_cnt, NULL, KNI_MAAT_RULE_NUM_MAX-hit_policy_cnt,
|
||||
&scan_mid, thread_seq);
|
||||
if(scan_ret>0)
|
||||
{
|
||||
hit_policy_cnt+=scan_ret;
|
||||
}
|
||||
Maat_clean_status(&scan_mid);
|
||||
if(hit_policy_cnt>0)
|
||||
{
|
||||
enforced_policy_idx=index_of_enforce_policy(result, hit_policy_cnt);
|
||||
*policy_id=result[enforced_policy_idx].config_id;
|
||||
*is_hit_policy=1;
|
||||
return (enum kni_action)result[enforced_policy_idx].action;
|
||||
}
|
||||
else
|
||||
{
|
||||
return g_maat_default_action;
|
||||
}
|
||||
if(ret == 0){
|
||||
return g_maat_default_action;
|
||||
}
|
||||
*maat_hit = 1;
|
||||
int action = maat_process_scan_result(handle, ret, result, policy_id);
|
||||
|
||||
//for debug
|
||||
char domain1[100] = "";
|
||||
memcpy(domain1, domain, domain_len);
|
||||
domain1[domain_len] = '\0';
|
||||
KNI_LOG_DEBUG(logger, "maat_scan_domain: %s, policy_id = %d, action = %s\n",
|
||||
domain, *policy_id, action == KNI_ACTION_BYPASS ? "bypss" : "intercept");
|
||||
return action;
|
||||
}
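Review bot: `index_of_enforce_policy` never indexes `result` by `i` — `result->action` and `result->config_id` always read `result[0]`, so with several hits only the first rule is ever examined and the "highest config_id wins" selection and the early BYPASS return for later rules never fire; the body must use `result[i].action` and `result[i].config_id`. Second, `*policy_id` and `*is_hit_policy` are only written on the hit path, so on the default path the caller keeps whatever was in `pmeinfo` before (the comment at the top of this file says the default policy is config_id 0); both should be initialized at entry. Third, negative returns from `Maat_scan_proto_addr`/`Maat_full_scan_string` are now silently folded into "no hit" and the default action, where the old code logged them; an `if(scan_ret < 0) KNI_LOG_ERROR(handle->logger, "Failed at Maat_scan_proto_addr, ret is %d", scan_ret);` keeps a scan failure visible. Note also that the domain table is now scanned even when `domain_len == 0` (the removed `get_action` skipped it) and that one `scan_mid` is shared across both scans, which I cannot confirm the Maat API allows.
```c
static int index_of_enforce_policy(struct Maat_rule_t* result, size_t size)
{
    size_t i = 0, ret_intercept_idx = 0;
    int biggest_policy_id = 0;
    for(i = 0; i < size; i++)
    {
        if(result[i].action == KNI_ACTION_BYPASS)
        {
            return (int)i;   /* any BYPASS rule wins outright */
        }
        if(result[i].config_id > biggest_policy_id)
        {
            biggest_policy_id = result[i].config_id;
            ret_intercept_idx = i;
        }
    }
    return (int)ret_intercept_idx;
}

enum kni_action intercept_policy_scan(struct kni_maat_handle* handle, struct ipaddr *addr, char *domain, int domain_len, int thread_seq, int *policy_id, int *is_hit_policy){
    /* … unchanged: locals … */
    *policy_id = 0;        /* default policy is config_id 0 unless a rule hits */
    *is_hit_policy = 0;
    /* … unchanged: IP and domain scans, result selection … */
}
```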
|
||||
|
||||
|
||||
|
||||