更改wndscale设置顺序及判断;增加BYPASS模式下IP和DOMAIN都未命中直接返回判断;

liuyang
2018-08-04 13:13:02 +08:00
parent 353d56a455
commit c35eb79785
2 changed files with 40 additions and 12 deletions

50
kni.c

@@ -631,9 +631,11 @@ int kni_keepalive_replay(struct stream_tuple4_v4* ipv4_addr,int iprever_flag,str
#ifdef KNI_DEBUG_TCPREPAIR
return 0;
#endif
#ifdef KNI_DEBUG_KEEPALIVE
return 0;
#endif
if(!g_kni_switch_info.replay_win_update)
{
return 0;
}
int index=1-iprever_flag;
@@ -1097,11 +1099,21 @@ int tcprepair_set_state(int sk,struct kni_tcp_state* tcp)
MESA_handle_runtime_log(g_kni_comminfo.logger, RLOG_LV_FATAL,"tcprepair_set_state","connect() error,errno:%d,%s",errno,strerror(errno));
return -1;
}
/*
opts[onr].opt_code = TCPOPT_WINDOW;
opts[onr].opt_val = tcp->wscale_src+ (tcp->wscale_dst<< 16);
onr++;
*/
if((tcp->wscale_dst)&&(tcp->wscale_src))
{
opts[onr].opt_code = TCPOPT_WINDOW;
opts[onr].opt_val = tcp->wscale_dst+ (tcp->wscale_src<< 16);
onr++;
}
opts[onr].opt_code = TCPOPT_MAXSEG;
opts[onr].opt_val = (tcp->mss_src<tcp->mss_dst)?tcp->mss_src:tcp->mss_dst;
onr++;
@@ -1118,7 +1130,7 @@ int tcprepair_set_state(int sk,struct kni_tcp_state* tcp)
onr++;
*/
MESA_handle_runtime_log(g_kni_comminfo.logger, RLOG_LV_FATAL,"tcprepair_set_state","onr:%d,wscale_src:%d,wscale_dst:%d,wscale:%x,mss:%d,sack:%d",onr,tcp->wscale_src,tcp->wscale_dst,opts[0].opt_val,opts[1].opt_val,opts[2].opt_val);
MESA_handle_runtime_log(g_kni_comminfo.logger, RLOG_LV_FATAL,"tcprepair_set_state","src_port:%d,dst_port:%d,onr:%d,wscale_src:%d,wscale_dst:%d,wscale:%x,mss:%d,sack:%d",ntohs(tcp->sport),ntohs(tcp->dport),onr,tcp->wscale_src,tcp->wscale_dst,opts[0].opt_val,opts[1].opt_val,opts[2].opt_val);
if (setsockopt(sk, SOL_TCP, TCP_REPAIR_OPTIONS,opts, onr * sizeof(struct tcp_repair_opt)) < 0)
{
@@ -1218,19 +1230,18 @@ int kni_scan_whitelist_domain(char* domain,int domain_len,int thread_seq,scan_st
struct Maat_rule_t maat_result[KNI_MAX_SAMENUM];
string_scan_num=Maat_full_scan_string(g_kni_maatinfo.maat_feather,g_kni_maatinfo.tableid_domain,CHARSET_GBK,domain,domain_len,maat_result,&found_pos,KNI_MAX_SAMENUM,&mid,thread_seq);
/*
if((g_kni_switch_info.maat_default_mode==KNI_DEFAULT_MODE_BYPASS)&&(string_scan_num==0))
{
action=KNI_ACTION_WHITELIST;
return action;
}
*/
for(i=0;i<string_scan_num;i++)
{
action=abs(maat_result[i].action);
if(action==KNI_ACTION_WHITELIST)
{
action=KNI_ACTION_WHITELIST;
return action;
}
}
@@ -1260,6 +1271,7 @@ int kni_scan_whitelist_ip(struct ipaddr* addr,int thread_seq,int protocol,scan_s
return action;
}
*/
for(i=0;i<ipscan_num;i++)
{
action=abs(maat_result[i].action);
@@ -1648,7 +1660,15 @@ char kni_first_tcpdata(const struct streaminfo* pstream,const struct ip* ip_hdr,
pmeinfo->status_flag=KNI_FLAG_NOTPROC;
return ret;
}
//20180803 add
else if((g_kni_switch_info.maat_default_mode==KNI_DEFAULT_MODE_BYPASS)&&(action==KNI_ACTION_NONE)&&(pmeinfo->ip_not_hit))
{
kni_debug_info_v4((char*)"BYPASS_NOTHIT",0,(struct ip*)ip_hdr);
pmeinfo->status_flag=KNI_FLAG_NOTPROC;
return ret;
}
//end
if(tcp_repair_process(pstream,ip_hdr,pmeinfo,pmeinfo->status_flag)<0)
{
@@ -1708,7 +1728,12 @@ char kni_pending_opstate(const struct streaminfo* pstream,struct kni_pme_info* p
kni_set_filestate2(thread_seq,FS2_COLUME_WITELIST_IP,0,1);
return ret;
}
//20180803 add
else if((g_kni_switch_info.maat_default_mode==KNI_DEFAULT_MODE_BYPASS)&&(ipscan_action==KNI_ACTION_NONE))
{
pmeinfo->ip_not_hit=1;
}
//end
pmeinfo->status_flag=KNI_FLAG_UNKNOW;
// pmeinfo->wndsize[pstream->curdir-1]=ntohs(tcphdr->th_win);
@@ -1716,7 +1741,7 @@ char kni_pending_opstate(const struct streaminfo* pstream,struct kni_pme_info* p
{
data=kni_get_data(pstream,&datalen);
kni_get_tcpopt(tcphdr,iplen-4*(ip_hdr->ip_hl)-datalen,&(pmeinfo->mss[pstream->curdir-1]),&(pmeinfo->wnscal[pstream->curdir-1]),&(pmeinfo->sack[pstream->curdir-1]),&(pmeinfo->timestamps[pstream->curdir-1]));
}
}
kni_get_tcpinfo(&(pmeinfo->lastpkt_info[pstream->curdir-1]),tcphdr,ntohs(ip_hdr->ip_len)-4*ip_hdr->ip_hl-4*tcphdr->th_off,(struct ip*)ip_hdr);
@@ -1759,8 +1784,8 @@ char kni_data_opstate(const struct streaminfo* pstream,struct kni_pme_info* pmei
{
if((tcphdr->th_flags&TH_SYN)&&(tcphdr->th_flags&TH_ACK))
{
kni_get_tcpopt(tcphdr,iplen-4*(ip_hdr->ip_hl)-datalen,&(pmeinfo->mss[pstream->curdir-1]),&(pmeinfo->wnscal[pstream->curdir-1]),&(pmeinfo->sack[pstream->curdir-1]),&(pmeinfo->timestamps[pstream->curdir-1]));
}
kni_get_tcpinfo(&(pmeinfo->lastpkt_info[pstream->curdir-1]),tcphdr,ntohs(ip_hdr->ip_len)-4*ip_hdr->ip_hl-4*tcphdr->th_off,(struct ip*)ip_hdr);
@@ -1884,6 +1909,7 @@ int init_profile_info(int* scandir_interval,int* effect_interval,int* logger_lev
//kni.conf
MESA_load_profile_int_def((char*)KNI_CONF_FILENAME,(char*)KNI_CONF_MODE,(char*)"replay_win_update",&(g_kni_switch_info.replay_win_update),1);
MESA_load_profile_int_def((char*)KNI_CONF_FILENAME,(char*)KNI_CONF_MODE,(char*)"default_work_mode",&(g_kni_switch_info.maat_default_mode),KNI_DEFAULT_MODE_INTERCEPT);
MESA_load_profile_int_def((char*)KNI_CONF_FILENAME,(char*)KNI_CONF_MODE,(char*)"logger_level",logger_level,RLOG_LV_INFO);
MESA_load_profile_int_def((char*)KNI_CONF_FILENAME,(char*)KNI_CONF_MODE,(char*)"maat_readconf_mode",maat_readconf_mode,KNI_READCONF_IRIS);
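Review bot: In tcprepair_set_state, making TCPOPT_WINDOW conditional shifts the option order, but the log call still reads `opts[0].opt_val,opts[1].opt_val,opts[2].opt_val` under the fixed labels wscale/mss/sack, so when either scale is zero opts[0] is now MSS, opts[1] is SACK and opts[2] is a slot this path never wrote (an uninitialised read if opts is a plain local array, which the hunk does not show). Log what was actually queued instead, e.g. a loop over `i<onr` printing `opts[i].opt_code`/`opts[i].opt_val`, and consider whether a per-connection diagnostic belongs at RLOG_LV_FATAL. The guard `(tcp->wscale_dst)&&(tcp->wscale_src)` also conflates a negotiated shift of 0 with "option absent" if kni_get_tcpopt stores 0 for both, so a peer that advertised wscale=0 silently loses window scaling on the repaired socket. Since the kernel decodes TCPOPT_WINDOW's opt_val as snd_wscale in the low 16 bits and rcv_wscale in the high 16, a one-line comment such as `/* low 16 bits: send-side shift, high 16 bits: receive-side shift */` naming which of wscale_src/wscale_dst is the send side would make the swap this commit performs reviewable; tcprepair_set_state continues outside the hunk. In kni_first_tcpdata the new BYPASS early return relies on `pmeinfo->ip_not_hit` being zero until kni_pending_opstate sets it, which holds only if kni_pme_info is zero-initialised on allocation and reset on reuse — worth confirming, since a stale or uninitialised value there causes the stream to skip processing.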

2
kni.h

@@ -191,6 +191,7 @@ enum kni_flag
struct kni_switch_info
{
int maat_default_mode; //0:INTERCEPT 1:BYPASS
int replay_win_update; //0:not replay;1:replay
};
struct kni_http_project
@@ -336,6 +337,7 @@ struct kni_wndpro_reply_info
struct kni_pme_info
{
unsigned int ip_not_hit;
unsigned short status_flag;
unsigned short mss[KNI_DIR_DOUBLE]; //host order
unsigned char wnscal[KNI_DIR_DOUBLE]; //host order