diff --git a/Makefile b/Makefile index 422db9f..928e735 100644 --- a/Makefile +++ b/Makefile @@ -1,6 +1,6 @@ #CC = gcc CC = g++ -CFLAGS = -g -Wall -fPIC -shared +CFLAGS = -g -Wall -fPIC -shared OBJECTS = kni.o libforge_socket.o TARGET = kni.so @@ -15,15 +15,18 @@ MODULES = -lMESA_htable -lMESA_prof_load -lMESA_handle_logger -lrulescan -lmaatf .c.o: $(CC) -c -o $@ $(CFLAGS) $(INCS) $< +.cc.o: + $(CC) -c -o $@ $(CFLAGS) $(INCS) $< + .PHONY: all clean all: $(TARGET) $(TARGET):$(OBJECTS) $(CC) -o $(TARGET) $(CFLAGS) $(OBJECTS) $(MODULES) $(LD_DICTATOR) -# $(CC) -o $(TARGET) $(CFLAGS) $(OBJECTS) $(MODULES) -Wl,--whole-archive $(WHOLE_MODULES) -wL,--NO-WHOLE-ARCHIVE $(LD_DICTATOR) kni.o:kni.c libforge_socket.o:libforge_socket.c + clean: rm -f $(TARGET) $(OBJECTS) diff --git a/bin/kni/kni.inf b/bin/kni/kni.inf new file mode 100644 index 0000000..f57a18a --- /dev/null +++ b/bin/kni/kni.inf @@ -0,0 +1,18 @@ +[PLUGINFO] +PLUGNAME=KNI +SO_PATH=./plug/business/kni/kni.so +INIT_FUNC=kni_init +DESTROY_FUNC= + +[IP] +FUNC_FLAG=all +FUNC_NAME=kni_ip_entry + + +#[TCP_ALL] +#FUNC_FLAG=all +#FUNC_NAME=kni_tcpall_entry + + + + diff --git a/bin/kni/kni.so b/bin/kni/kni.so new file mode 100644 index 0000000..d252dc6 Binary files /dev/null and b/bin/kni/kni.so differ diff --git a/bin/kni_set_cmd b/bin/kni_set_cmd new file mode 100644 index 0000000..9ef362a --- /dev/null +++ b/bin/kni_set_cmd 
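Review bot: The added `.cc.o:` rule uses the legacy suffix-rule form and nothing in this Makefile uses it — `OBJECTS` is `kni.o libforge_socket.o`, both declared with `.c` prerequisites — so it is dead as written. If C++ sources are coming, prefer a pattern rule, `%.o: %.cc` followed by the same `$(CC) -c -o $@ $(CFLAGS) $(INCS) $<` recipe, and since `CC = g++` already compiles C++ consider naming the knobs `CXX`/`CXXFLAGS` so a user's `make CC=gcc` does not break the link. The first hunk's `CFLAGS` line looks whitespace-only on both sides; if so it does not belong in this commit. `-shared` sits in `CFLAGS` and is therefore passed to every `-c` compile as well as the link; it belongs in `LDFLAGS`.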
@@ -0,0 +1,30 @@
+#!/bin/sh
+
+# cd /home/liuyang/src/forge_socket-master/;insmod forge_socket.ko
+
+#ip tuntap add dev tun0 mode tun
+#ifconfig tun0 up
+
+echo 1 > /proc/sys/net/ipv4/ip_forward
+#route add default dev tun0
+
+iptables -t mangle -N DIVERT
+iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
+iptables -t mangle -A DIVERT -j MARK --set-mark 1
+iptables -t mangle -A DIVERT -j ACCEPT
+
+ip rule add fwmark 1 lookup 100
+#ip route add local 0.0.0.0/0 dev tun0 table 100
+ip route add local 0.0.0.0/0 dev lo table 100
+
+#iptables -t mangle -A PREROUTING -p tcp -i tun0 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 50080
+
+
+ethtool -K p7p1 lro off
+ethtool -K p7p1 tso off
+ethtool -K p7p1 gro off
+
+ethtool -K em2 lro off
+ethtool -K em2 tso off
+ethtool -K em2 gro off
+
diff --git a/bin/kniconf/kni.conf b/bin/kniconf/kni.conf
new file mode 100644
index 0000000..59d42fc
--- /dev/null
+++ b/bin/kniconf/kni.conf
@@ -0,0 +1,9 @@
+[MOUDLE]
+table_info_path=./kniconf/maat_table_info.conf
+ful_cfg_dir=/home/liuyang/run/sapp_run/config/index
+inc_cfg_dir=/home/liuyang/run/sapp_run/config/inc/index
+logger_filepath=./log/kni.log
+logger_level=10
+
+maat_json_switch=1
+
diff --git a/bin/kniconf/maat_table_info.conf b/bin/kniconf/maat_table_info.conf
new file mode 100644
index 0000000..5dd4738
--- /dev/null
+++ b/bin/kniconf/maat_table_info.conf
@@ -0,0 +1,5 @@
+1 MATT_CONFIG_COMPILE compile GBK GBK no 0
+#2 MATT_CONFIG_GROUP group GBK GBK no 0
+3 IP_BMD ip GBK GBK no 0
+4 USER_AREA ip GBK GBK no 0
+5 SNI_BMD expr GBK GBK yes 0
diff --git a/bin/kniconf/maat_test.json b/bin/kniconf/maat_test.json
new file mode 100644
index 0000000..0f781db
--- /dev/null
+++ b/bin/kniconf/maat_test.json
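Review bot: The script is not idempotent and has no error handling: `iptables -t mangle -N DIVERT` fails once the chain exists, every rerun appends duplicate `-A` rules and duplicate `ip rule add fwmark 1 lookup 100` entries, and without `set -e` the remaining commands run regardless. Add `set -e` after the shebang and guard each rule with a check, e.g. `iptables -t mangle -C PREROUTING -p tcp -m socket -j DIVERT 2>/dev/null || iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT`, or flush the chain first. The file is added with mode 100644 although it carries a `#!/bin/sh` line, so it can only be run as `sh bin/kni_set_cmd`; commit it as 100755 if it is meant to be executed directly. The interface names `p7p1`/`em2` and the global `ip_forward=1` are hard-coded; taking the interfaces as arguments would make the script usable on another host.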
@@ -0,0 +1,67 @@ +{ + "compile_table": "MATT_CONFIG_COMPILE", + "group_table": "MATT_CONFIG_GROUP", + "rules": [ + { + "compile_id": 1, + "service": 1, + "action": 2, + "do_blacklist": 1, + "do_log": 1, + "effective_rage": 0, + "user_region": "anything", + "is_valid": "yes", + "groups": [ + { + "group_name": "group_1", + "regions": [ + { + "table_name": "IP_BMD", + "table_type": "ip", + "table_content": { + "addr_type": "ipv4", + "src_ip": "192.168.11.199", + "mask_src_ip": "255.255.255.255", + "src_port": "0", + "mask_src_port": "65535", + "dst_ip": "0.0.0.0", + "mask_dst_ip": "255.255.255.255", + "dst_port": "0", + "mask_dst_port": "65535", + "protocol": 0, + "direction": "double" + } + } + ] + } + ] + }, + { + "compile_id": 2, + "service": 48, + "action": 2, + "do_blacklist": 1, + "do_log": 1, + "effective_rage": 0, + "user_region": "anything", + "is_valid": "yes", + "groups": [ + { + "group_name": "group_2", + "regions": [ + { + "table_name": "SNI_BMD", + "table_type": "string", + "table_content": { + "keywords": "www.baidu.com", + "expr_type": "regex", + "match_method": "sub", + "format":"uncase plain" + } + } + ] + } + ] + } + ] +} diff --git a/bin/kniconf/maat_test.json_iris_tmp/.local b/bin/kniconf/maat_test.json_iris_tmp/.local new file mode 100644 index 0000000..86bfaf1 --- /dev/null +++ b/bin/kniconf/maat_test.json_iris_tmp/.local @@ -0,0 +1,3 @@ +0000000002 +0 1 1 +1 2 1 diff --git a/bin/kniconf/maat_test.json_iris_tmp/IP_BMD.local b/bin/kniconf/maat_test.json_iris_tmp/IP_BMD.local new file mode 100644 index 0000000..fa22130 --- /dev/null +++ b/bin/kniconf/maat_test.json_iris_tmp/IP_BMD.local @@ -0,0 +1,2 @@ +0000000001 +0 0 4 192.168.11.199 255.255.255.255 0 65535 0.0.0.0 255.255.255.255 0 65535 0 0 1 diff --git a/bin/kniconf/maat_test.json_iris_tmp/MATT_CONFIG_COMPILE.local b/bin/kniconf/maat_test.json_iris_tmp/MATT_CONFIG_COMPILE.local new file mode 100644 index 0000000..5d70e38 --- /dev/null 
+++ b/bin/kniconf/maat_test.json_iris_tmp/MATT_CONFIG_COMPILE.local @@ -0,0 +1,3 @@ +0000000002 +1 1 2 1 1 0 anything 1 +2 48 2 1 1 0 anything 1 diff --git a/bin/kniconf/maat_test.json_iris_tmp/SNI_BMD.local b/bin/kniconf/maat_test.json_iris_tmp/SNI_BMD.local new file mode 100644 index 0000000..9f6deb4 --- /dev/null +++ b/bin/kniconf/maat_test.json_iris_tmp/SNI_BMD.local @@ -0,0 +1,2 @@ +0000000001 +1 1 www.baidu.com 2 0 0 1 diff --git a/bin/kniconf/maat_test.json_iris_tmp/index/full_config_index.0000000001 b/bin/kniconf/maat_test.json_iris_tmp/index/full_config_index.0000000001 new file mode 100644 index 0000000..a2abac2 --- /dev/null +++ b/bin/kniconf/maat_test.json_iris_tmp/index/full_config_index.0000000001 @@ -0,0 +1,4 @@ +MATT_CONFIG_COMPILE 2 ./kniconf/maat_test.json_iris_tmp/MATT_CONFIG_COMPILE.local + 2 ./kniconf/maat_test.json_iris_tmp/.local +IP_BMD 1 ./kniconf/maat_test.json_iris_tmp/IP_BMD.local +SNI_BMD 1 ./kniconf/maat_test.json_iris_tmp/SNI_BMD.local diff --git a/kni.c b/kni.c index 9a28015..ff03f50 100644 --- a/kni.c +++ b/kni.c @@ -1,6 +1,7 @@ #include #include #include +#include #include #include #include @@ -10,6 +11,8 @@ #include #include #include +#include +//#include #include #include #include @@ -33,7 +36,7 @@ struct kni_var_comm g_kni_comminfo; struct kni_var_struct g_kni_structinfo; struct kni_var_maat g_kni_maatinfo; - +int g_kni_fds[2]; extern int g_iThreadNum; @@ -49,10 +52,16 @@ return: *********************************************************************************************************************/ int kni_debug_info_v4(char* module,int state_flag,struct ip* a_packet) { + +// return 0; + + struct timeval cur_time; + int iplen=ntohs(a_packet->ip_len); struct tcphdr* tcphdr=(struct tcphdr*)((char*)a_packet+4*(a_packet->ip_hl)); unsigned int seq=ntohl(tcphdr->seq); + unsigned int ack=ntohl(tcphdr->ack_seq); unsigned short sport=0; unsigned short dport=0; 
@@ -64,7 +73,9 @@ int kni_debug_info_v4(char* module,int state_flag,struct ip* a_packet) inet_ntop(AF_INET, (void *)&((a_packet->ip_src).s_addr), saddr_v4, INET_ADDRSTRLEN); inet_ntop(AF_INET, (void *)&((a_packet->ip_dst).s_addr), daddr_v4, INET_ADDRSTRLEN); - MESA_handle_runtime_log(g_kni_comminfo.logger,RLOG_LV_DEBUG,module,"addr:%s,%d,%s,%d,state_flag:%d,ip_len:%d,seq:%u",saddr_v4,sport,daddr_v4,dport,state_flag,iplen,seq); + gettimeofday(&cur_time,NULL); + + MESA_handle_runtime_log(g_kni_comminfo.logger,RLOG_LV_DEBUG,module,"addr:%s,%d,%s,%d,state_flag:%d,ip_len:%d,seq:%u,ack:%u,tv_sec:%lu,tv_usec:%lu",saddr_v4,sport,daddr_v4,dport,state_flag,iplen,seq,ack,cur_time.tv_sec,cur_time.tv_usec); return 0; @@ -233,7 +244,8 @@ int tun_alloc_mq(char *dev, int queues, int *fds) char *clonedev = (char*)"/dev/net/tun"; memset(&ifr, 0, sizeof(ifr)); - ifr.ifr_flags = IFF_TUN | IFF_NO_PI | IFF_MULTI_QUEUE; +// ifr.ifr_flags = IFF_TUN | IFF_NO_PI | IFF_MULTI_QUEUE; + ifr.ifr_flags = IFF_TUN | IFF_NO_PI; if (*dev) { strncpy(ifr.ifr_name, dev, IFNAMSIZ); @@ -309,7 +321,7 @@ int tun_read_data(int fd,char* recv_buf,int max_buflen) if(recv_len <0) { - printf("tun_read_data error,msg is: %s\n",strerror(errno)); + MESA_handle_runtime_log(g_kni_comminfo.logger, RLOG_LV_FATAL,KNI_MODULE_READTUN,"tun_read_data error,msg is: %s\n",strerror(errno)); } return recv_len; 
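Review bot: `cur_time.tv_sec` and `cur_time.tv_usec` are printed with `%lu`, but `struct timeval` holds a `time_t` and a `suseconds_t`, which are signed `long` on glibc; pass them as `(long)cur_time.tv_sec,(long)cur_time.tv_usec` and use `%ld` so the format matches on every ABI. `gettimeofday` is now executed for every packet that reaches this debug logger whatever the configured level; if MESA_handle_runtime_log filters on level, checking the level before the call would avoid the per-packet syscall. kni_debug_info_v4 starts in the `@@ -49` hunk above and its tail is outside this one.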
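Review bot: Dropping `IFF_MULTI_QUEUE` from `ifr.ifr_flags` conflicts with tun_alloc_mq's `queues`/`fds` interface and with the kni_init call that passes `g_kni_comminfo.thread_num` (visible in the `@@ -1316` hunk): as far as the tun driver's attach check goes, a second TUNSETIFF on a device opened without that flag is refused with EBUSY, so any `thread_num` greater than 1 would fail. Either keep the flag, or make the single-queue choice explicit by rejecting `queues > 1` with a logged error and a comment such as `/* single-queue tun: one fd is opened regardless of thread_num */`. The per-queue loop is outside this hunk, so I could not confirm how it reacts to that failure; the commented-out old line should be deleted rather than kept.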
@@ -399,17 +411,18 @@ int kni_sendpkt_eth(int thread_seq,int iplen,char* ip,struct stream_tuple4_v4* i size_t ifname_len=strlen(if_name); if(ifname_lenwin; + unsigned short win_scale=datainfo->wnscal[1]; + unsigned short ipid=random()%65535; + + struct ip* iphdr=(struct ip*)a_packet; + struct tcphdr* tcphdr=(struct tcphdr*)((char*)iphdr+4*(iphdr->ip_hl)); + + struct ip* snd_iphdr=NULL; + struct tcphdr* snd_tcphdr=NULL; + char* sendbuf=(char*)malloc(iplen); + memcpy(sendbuf,a_packet,iplen); + + snd_iphdr=(struct ip*)sendbuf; + snd_tcphdr=(struct tcphdr*)((char*)snd_iphdr+4*(snd_iphdr->ip_hl)); + + (snd_iphdr->ip_src).s_addr=(iphdr->ip_dst).s_addr; + (snd_iphdr->ip_dst).s_addr=(iphdr->ip_src).s_addr; + snd_iphdr->ip_id=htons(datainfo->ipid[index]+1); +// snd_iphdr->ip_ttl=datainfo->ttl[index]; + snd_tcphdr->source=tcphdr->dest; + snd_tcphdr->dest=tcphdr->source; + snd_tcphdr->seq=htonl(datainfo->seq[index]+datainfo->len[index]); + snd_tcphdr->ack_seq=htonl(datainfo->ack[index]); +/* + if(iprever_flag==0) + { + snd_iphdr->ip_id=ipid; + snd_tcphdr->window=htons((win>>win_scale)+1); + } +*/ + sendpacket_do_checksum((unsigned char*)sendbuf,IPPROTO_TCP,(iplen-4*(iphdr->ip_hl))); + sendpacket_do_checksum((unsigned char*)sendbuf,IPPROTO_IP,sizeof(struct ip)); + + tun_write_data(g_kni_comminfo.fd_tun[thread_seq],sendbuf,iplen,ipv4_addr); + + kni_debug_info_v4((char*)"recv_keepalive_request",STAT_FLAG_SSL_NOBMD,(struct ip*)a_packet); + kni_debug_info_v4((char*)"send_keepalive_replay",STAT_FLAG_SSL_NOBMD,(struct ip*)sendbuf); + + free(sendbuf); + sendbuf=NULL; + + + datainfo->pro_reply[iprever_flag]=1; + + + return 1; + + +} + + long kni_readtun_htable_cb_v4(void* data,const unsigned char* key,unsigned int size,void* user_arg) { long result=0; - struct datainfo_to_tun* ret_data=(struct datainfo_to_tun*)user_arg; + struct stream_tuple4_v4* ipv4_addr=(struct stream_tuple4_v4*)key; + struct args_read_tun* args=(struct args_read_tun*)user_arg; +// struct datainfo_to_tun* 
ret_data=(struct datainfo_to_tun*)user_arg; struct datainfo_to_tun* datainfo=(struct datainfo_to_tun*)data; if(datainfo!=NULL) { - ret_data->route_dir=datainfo->route_dir; - ret_data->mss=datainfo->mss; - ret_data->state_flag=datainfo->state_flag; - memcpy(ret_data->smac,datainfo->smac,MAC_ADDR_LEN); - memcpy(ret_data->dmac,datainfo->dmac,MAC_ADDR_LEN); +// memcpy(ret_data,datainfo,sizeof(struct datainfo_to_tun)); + memcpy(args->smac,datainfo->smac,KNI_MACADDR_LEN); + memcpy(args->dmac,datainfo->dmac,KNI_MACADDR_LEN); + + + if(datainfo->pro_reply[args->iprevers]>0) + { + result=1; + } + else + { + kni_keepalive_replay(ipv4_addr,args->iprevers,datainfo,args->a_packet,args->iplen,args->thread_seq); + result=0; + } + + - result=1; } +/* +#ifdef KNI_DEBUG_SWITCH + else if(ipv4_addr->saddr==1698867392) + { + printf("sip is 192.168.66.101\n"); + ret_data->route_dir=0; + ret_data->smac[0]=0x18; + ret_data->smac[1]=0x66; + ret_data->smac[2]=0xda; + ret_data->smac[3]=0xe5; + ret_data->smac[4]=0xfa; + ret_data->smac[5]=0xa1; - + ret_data->dmac[0]=0xe8; + ret_data->dmac[1]=0x61; + ret_data->dmac[2]=0x1f; + ret_data->dmac[3]=0x13; + ret_data->dmac[4]=0x70; + ret_data->dmac[5]=0x7a; + result=0; + } +#endif +*/ return result; } @@ -473,12 +575,12 @@ long kni_readtun_htable_cb_v4(void* data,const unsigned char* key,unsigned int s int kni_process_readdata(int thread_seq,int buflen,char* buf) { -// int ret=0; + int ret; int iprever_flag=0; -// unsigned char routdir=0; long result=0; - struct datainfo_to_tun datainfo; +// struct datainfo_to_tun datainfo; + struct args_read_tun args; struct ip* iphdr=(struct ip*)buf; struct stream_tuple4_v4 ipv4_addr; struct stream_tuple4_v6 ipv6_addr; 
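Review bot: `char* sendbuf=(char*)malloc(iplen)` in kni_keepalive_replay is not checked before `memcpy(sendbuf,a_packet,iplen)`, and `iplen` comes from the received packet, so an allocation failure dereferences NULL; add `if(sendbuf==NULL) return 0;` directly after the call. The locals `win`, `win_scale` and `ipid` (`random()%65535`, which also never yields 65535) are only used inside the commented-out block and should go with it. `index` is used throughout the reply construction, but its definition, together with the function's opening lines and the end of kni_sendpkt_eth, is garbled in this view, so I could not confirm it is bounded to 0/1 like `iprever_flag`. In kni_readtun_htable_cb_v4 the new `datainfo->pro_reply[args->iprevers]` lookup has the same dependence on `iprevers` staying inside the two-element arrays; a comment on args_read_tun stating that contract would help.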
@@ -488,15 +590,15 @@ int kni_process_readdata(int thread_seq,int buflen,char* buf) iprever_flag=kni_get_ipaddr_v4((void*)buf,&ipv4_addr); kni_debug_info_v4((char*)KNI_MODULE_READTUN,STAT_FLAG_SSL_NOBMD,(struct ip*)buf); - MESA_htable_search_cb(g_kni_structinfo.htable_to_tun_v4,(unsigned char*)&ipv4_addr,sizeof(struct stream_tuple4_v4),kni_readtun_htable_cb_v4,(void*)&datainfo,&result); + args.a_packet=buf; + args.iplen=buflen; + args.iprevers=iprever_flag; + args.thread_seq=thread_seq; + + MESA_htable_search_cb(g_kni_structinfo.htable_to_tun_v4,(unsigned char*)&ipv4_addr,sizeof(struct stream_tuple4_v4),kni_readtun_htable_cb_v4,(void*)&args,&result); if(result==1) { - if(iprever_flag==1) - { - // routdir=MESA_dir_reverse(datainfo.route_dir); - } - - kni_sendpkt_eth(thread_seq,buflen,buf,&ipv4_addr,iprever_flag,datainfo.smac,datainfo.dmac); + kni_sendpkt_eth(thread_seq,buflen,buf,&ipv4_addr,iprever_flag,args.smac,args.dmac); } } @@ -505,6 +607,7 @@ int kni_process_readdata(int thread_seq,int buflen,char* buf) iprever_flag=kni_get_ipaddr_v6((void*)buf,&ipv6_addr); } + return 0; } @@ -563,8 +666,11 @@ struct tcp_state* fs_get_default_state() st->sack_ok = 0; st->wscale_ok = 0; st->ecn_ok = 0; - st->snd_wscale = 0; - st->rcv_wscale = 0; +// st->snd_wscale = 0; +// st->rcv_wscale = 0; + st->snd_wscale = 128; + st->rcv_wscale = 128; + st->snd_wnd = 0x1000; st->rcv_wnd = 0x1000; st->inet_ttl=-1; @@ -663,8 +769,6 @@ return: *********************************************************************************************************************/ int kni_process_fs(void* a_packet,unsigned int mss) { -// int ret=0; -// int val = 1; int fds[2]={0}; fds[KNI_FDS_INDEX_CLIENT]=socket(AF_INET, SOCK_FORGE, 0); 
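Review bot: `st->snd_wscale = 128` and `st->rcv_wscale = 128` are not valid TCP window-scale shift counts; RFC 7323 caps the shift at 14 and the kernel keeps these in 4-bit fields, so when fs_set_state applies them the value would likely be rejected by forge_socket or silently truncated to 0. If the intent is a sentinel meaning "use the value parsed from the SYN", name and document it (`#define KNI_WSCALE_UNSET 128` with a comment) instead of a bare magic number, and drop the two commented-out `= 0` lines. fs_get_default_state starts outside this hunk.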
@@ -681,16 +785,13 @@ int kni_process_fs(void* a_packet,unsigned int mss) fs_get_modify_state(fake_client,fake_server,a_packet,mss); - fs_set_state(fds[KNI_FDS_INDEX_CLIENT],fake_server); fs_set_state(fds[KNI_FDS_INDEX_SERVER],fake_client); - - kni_send_fds(g_kni_comminfo.fd_domain,fds,2); - kni_debug_info_v4((char*)KNI_MODULE_SENDFD,STAT_FLAG_SSL_NOBMD,(struct ip*)a_packet); +// kni_debug_info_v4((char*)KNI_MODULE_SENDFD,STAT_FLAG_SSL_NOBMD,(struct ip*)a_packet); close(fds[KNI_FDS_INDEX_CLIENT]); close(fds[KNI_FDS_INDEX_SERVER]); 
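Review bot: After this hunk kni_process_fs opens two SOCK_FORGE sockets, applies the forged state and closes them immediately — the `kni_send_fds` hand-off is removed and the debug call is commented out, so the function has no observable effect. The only call site visible in the diff (the `@@ -1005` hunk in kni_state_htable_cb_v4) is also commented out in favour of kni_process_tcprepair; delete kni_process_fs and fs_get_default_state together rather than keep a half-disabled path. If it is kept on purpose, a comment at the top of the function should say why. The start of kni_process_fs is in the `@@ -663` hunk above and its tail is outside this one.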
@@ -698,6 +799,331 @@ int kni_process_fs(void* a_packet,unsigned int mss) } +int tcprepair_set_state_bak(int sk,struct kni_state_info* tcp) +{ + int val,yes=1, onr = 0; + int src=KNI_INDEX_SRC; + int dst=KNI_INDEX_DST; + struct tcp_repair_opt opts[KNI_TCPREPAIR_OPT_NUM]; + struct sockaddr_in addr; + + if (setsockopt(sk, SOL_TCP, TCP_REPAIR, &yes, sizeof(yes))==-1) + { + MESA_handle_runtime_log(g_kni_comminfo.logger, RLOG_LV_FATAL,"tcprepair_set_state","setsockopt() TCP_REPAIR error"); + return -1; + } + + if (setsockopt(sk, SOL_SOCKET, SO_REUSEADDR, &yes, sizeof(yes)) == -1) + { + MESA_handle_runtime_log(g_kni_comminfo.logger, RLOG_LV_FATAL,"tcprepair_set_state","setsockopt() SO_REUSEADDR error"); + return -1; + } + + /* ============= Restore TCP properties ==================*/ + val = TCP_SEND_QUEUE; + if (setsockopt(sk, SOL_TCP, TCP_REPAIR_QUEUE, &val, sizeof(val))) + { + MESA_handle_runtime_log(g_kni_comminfo.logger, RLOG_LV_FATAL,"tcprepair_set_state","setsockopt() TCP_REPAIR_QUEUE,TCP_SEND_QUEUE error"); + return -1; + } + + val = tcp[src].seq; + if (setsockopt(sk, SOL_TCP, TCP_QUEUE_SEQ, &val, sizeof(val))) + { + MESA_handle_runtime_log(g_kni_comminfo.logger, RLOG_LV_FATAL,"tcprepair_set_state","setsockopt() TCP_QUEUE_SEQ error"); + return -1; + } + + val = TCP_RECV_QUEUE; + if (setsockopt(sk, SOL_TCP, TCP_REPAIR_QUEUE, &val, sizeof(val))) + { + MESA_handle_runtime_log(g_kni_comminfo.logger, RLOG_LV_FATAL,"tcprepair_set_state","setsockopt() TCP_REPAIR_QUEUE,TCP_RECV_QUEUE error"); + return -1; + } + + val = tcp[dst].seq; + if (setsockopt(sk, SOL_TCP, TCP_QUEUE_SEQ, &val, sizeof(val))) + { + MESA_handle_runtime_log(g_kni_comminfo.logger, RLOG_LV_FATAL,"tcprepair_set_state","setsockopt() TCP_QUEUE_SEQ error"); + return -1; + } + + /* ============= Bind and connect ================ */ + memset(&addr,0,sizeof(addr)); + addr.sin_family = AF_INET; + addr.sin_port = htons(tcp[src].port); + if (inet_pton(AF_INET, tcp[src].addr, &(addr.sin_addr)) < 0) + { + 
MESA_handle_runtime_log(g_kni_comminfo.logger, RLOG_LV_FATAL,"tcprepair_set_state","setsockopt() TCP_QUEUE_SEQ error"); + return -1; + } + + if (bind(sk, (struct sockaddr *) &addr, sizeof(addr))) + { + MESA_handle_runtime_log(g_kni_comminfo.logger, RLOG_LV_FATAL,"tcprepair_set_state","setsockopt() TCP_QUEUE_SEQ error"); + return -1; + } + + memset(&addr,0,sizeof(addr)); + addr.sin_family = AF_INET; + addr.sin_port = htons(tcp[dst].port); + if (inet_pton(AF_INET, tcp[dst].addr, &(addr.sin_addr)) < 0) + { + MESA_handle_runtime_log(g_kni_comminfo.logger, RLOG_LV_FATAL,"tcprepair_set_state","setsockopt() TCP_QUEUE_SEQ error"); + return -1; + } + + if (connect(sk, (struct sockaddr *) &addr, sizeof(addr))) + { + MESA_handle_runtime_log(g_kni_comminfo.logger, RLOG_LV_FATAL,"tcprepair_set_state","setsockopt() TCP_QUEUE_SEQ error"); + return -1; + } + + opts[onr].opt_code = TCPOPT_WINDOW; + opts[onr].opt_val = tcp[src].wscale + (tcp[dst].wscale << 16); + onr++; + + opts[onr].opt_code = TCPOPT_MAXSEG; + opts[onr].opt_val = tcp[src].mss_clamp; + onr++; + + if (setsockopt(sk, SOL_TCP, TCP_REPAIR_OPTIONS,opts, onr * sizeof(struct tcp_repair_opt)) < 0) + { + MESA_handle_runtime_log(g_kni_comminfo.logger, RLOG_LV_FATAL,"tcprepair_set_state","setsockopt() TCP_QUEUE_SEQ error"); + return -1; + } + + return 0; + + +} + + +int tcprepair_set_state(int sk,struct kni_tcp_state* tcp,struct tcp_repair_window win) +{ + int val,yes=1, onr = 0; + struct tcp_repair_opt opts[KNI_TCPREPAIR_OPT_NUM]; + struct sockaddr_in addr; + + if (setsockopt(sk, SOL_TCP, TCP_REPAIR, &yes, sizeof(yes))==-1) + { + MESA_handle_runtime_log(g_kni_comminfo.logger, RLOG_LV_FATAL,"tcprepair_set_state","setsockopt() TCP_REPAIR error,errno:%d",errno); + return -1; + } + + + if (setsockopt(sk, SOL_IP, IP_TRANSPARENT, &yes, sizeof(yes)) < 0) + { + MESA_handle_runtime_log(g_kni_comminfo.logger, RLOG_LV_FATAL,"tcprepair_set_state","setsockopt() IP_TRANSPARENT error,errno:%d",errno); + return -1; + } + + + if 
(setsockopt(sk, SOL_SOCKET, SO_REUSEADDR, &yes, sizeof(yes)) == -1) + { + MESA_handle_runtime_log(g_kni_comminfo.logger, RLOG_LV_FATAL,"tcprepair_set_state","setsockopt() SO_REUSEADDR error,errno:%d",errno); + return -1; + } + + /* ============= Restore TCP properties ==================*/ + val = TCP_SEND_QUEUE; + if (setsockopt(sk, SOL_TCP, TCP_REPAIR_QUEUE, &val, sizeof(val))) + { + MESA_handle_runtime_log(g_kni_comminfo.logger, RLOG_LV_FATAL,"tcprepair_set_state","setsockopt() TCP_REPAIR_QUEUE,TCP_SEND_QUEUE error,errno:%d",errno); + return -1; + } + + val = tcp->seq; + if (setsockopt(sk, SOL_TCP, TCP_QUEUE_SEQ, &val, sizeof(val))) + { + MESA_handle_runtime_log(g_kni_comminfo.logger, RLOG_LV_FATAL,"tcprepair_set_state","setsockopt() TCP_QUEUE_SEQ error,errno:%d",errno); + return -1; + } + + val = TCP_RECV_QUEUE; + if (setsockopt(sk, SOL_TCP, TCP_REPAIR_QUEUE, &val, sizeof(val))) + { + MESA_handle_runtime_log(g_kni_comminfo.logger, RLOG_LV_FATAL,"tcprepair_set_state","setsockopt() TCP_REPAIR_QUEUE,TCP_RECV_QUEUE error,errno:%d",errno); + return -1; + } + + val = tcp->ack; + if (setsockopt(sk, SOL_TCP, TCP_QUEUE_SEQ, &val, sizeof(val))) + { + MESA_handle_runtime_log(g_kni_comminfo.logger, RLOG_LV_FATAL,"tcprepair_set_state","setsockopt() TCP_QUEUE_SEQ error,errno:%d",errno); + return -1; + } + + +/* if (setsockopt(sk, SOL_TCP, TCP_REPAIR_WINDOW, &win, sizeof(win))) + { + MESA_handle_runtime_log(g_kni_comminfo.logger, RLOG_LV_FATAL,"tcprepair_set_state","setsockopt() TCP_REPAIR_WINDOW error,errno:%d",errno); + return -1; + } + +//test + +// MESA_handle_runtime_log(g_kni_comminfo.logger, RLOG_LV_FATAL,"tcprepair_set_state","snd_wl1:%u,snd_wnd:%u,max_wnd:%u,rcv_wnd:%u,rcv_wup:%u",win.snd_wl1,win.snd_wnd,win.max_window,win.rcv_wnd,win.rcv_wup); + + struct tcp_repair_window win_tmp; + socklen_t opt_len=sizeof(win_tmp); + + if (getsockopt(sk, SOL_TCP, TCP_REPAIR_WINDOW, &win_tmp,&opt_len)) + { + MESA_handle_runtime_log(g_kni_comminfo.logger, 
RLOG_LV_FATAL,"tcprepair_set_state","getsockopt() TCP_REPAIR_WINDOW error,errno:%d",errno); + return -1; + } + + MESA_handle_runtime_log(g_kni_comminfo.logger, RLOG_LV_FATAL,"tcprepair_set_state","snd_wl1:%u,snd_wnd:%u,max_wnd:%u,rcv_wnd:%u,rcv_wup:%u",win_tmp.snd_wl1,win_tmp.snd_wnd,win_tmp.max_window,win_tmp.rcv_wnd,win_tmp.rcv_wup); + +//end +*/ + + /* ============= Bind and connect ================ */ + memset(&addr,0,sizeof(addr)); + addr.sin_family = AF_INET; + addr.sin_port = tcp->sport; + addr.sin_addr.s_addr=tcp->src_ip; +// addr.sin_addr.s_addr= g_kni_comminfo.local_ip; + + if (bind(sk, (struct sockaddr *) &addr, sizeof(addr))) + { + MESA_handle_runtime_log(g_kni_comminfo.logger, RLOG_LV_FATAL,"tcprepair_set_state","bind() error,errno:%d",errno); + return -1; + } + + memset(&addr,0,sizeof(addr)); + addr.sin_family = AF_INET; + addr.sin_port = tcp->dport; + addr.sin_addr.s_addr=tcp->dst_ip; + + if (connect(sk, (struct sockaddr *) &addr, sizeof(addr))) + { + MESA_handle_runtime_log(g_kni_comminfo.logger, RLOG_LV_FATAL,"tcprepair_set_state","connect() error,errno:%d",errno); + return -1; + } + + opts[onr].opt_code = TCPOPT_WINDOW; + opts[onr].opt_val = tcp->wscale_src+ (tcp->wscale_dst<< 16); + onr++; + + opts[onr].opt_code = TCPOPT_MAXSEG; + opts[onr].opt_val = tcp->mss_src; + onr++; + + if (setsockopt(sk, SOL_TCP, TCP_REPAIR_OPTIONS,opts, onr * sizeof(struct tcp_repair_opt)) < 0) + { + MESA_handle_runtime_log(g_kni_comminfo.logger, RLOG_LV_FATAL,"tcprepair_set_state","setsockopt() TCP_REPAIR_OPTIONS error,errno:%d",errno); + return -1; + } + + val = 0; + if (setsockopt(sk, SOL_TCP, TCP_REPAIR, &val, sizeof(val))) + { + MESA_handle_runtime_log(g_kni_comminfo.logger, RLOG_LV_FATAL,"tcprepair_set_state","setsockopt() TCP_REPAIR close error,errno:%d",errno); + return -1; + } + + return 0; + + +} + + +int tcprepair_get_state(struct kni_tcp_state* fake_client,struct kni_tcp_state* fake_server,void* a_packet,unsigned short* mss,unsigned short* wnscale,unsigned 
short win) + { + + struct ip* iphdr=(struct ip*)a_packet; + struct tcphdr* tcphdr=(struct tcphdr*)((char*)a_packet+4*(iphdr->ip_hl)); + + fake_client->src_ip=(iphdr->ip_src).s_addr; + fake_client->sport=tcphdr->source; + fake_client->dst_ip=(iphdr->ip_dst).s_addr; + fake_client->dport =tcphdr->dest; + fake_client->seq=ntohl(tcphdr->seq); + fake_client->ack=ntohl(tcphdr->ack_seq); +// fake_client->win=ntohs(tcphdr->window); + fake_client->win=win; + fake_client->mss_src=mss[KNI_INDEX_SRC]; + fake_client->mss_dst=mss[KNI_INDEX_DST]; + fake_client->wscale_src=wnscale[KNI_INDEX_SRC]; + fake_client->wscale_dst=wnscale[KNI_INDEX_DST]; + + fake_server->src_ip=(iphdr->ip_dst).s_addr; + fake_server->sport=tcphdr->dest; + fake_server->dst_ip=(iphdr->ip_src).s_addr; + fake_server->dport =tcphdr->source; + fake_server->seq=ntohl(tcphdr->ack_seq); + fake_server->ack=ntohl(tcphdr->seq); + fake_server->win=ntohs(tcphdr->window); + fake_server->mss_src=mss[KNI_INDEX_DST]; + fake_server->mss_dst=mss[KNI_INDEX_SRC]; + fake_server->wscale_src=wnscale[KNI_INDEX_DST]; + fake_server->wscale_dst=wnscale[KNI_INDEX_SRC]; + + return 0; + } + + +int kni_process_tcprepair(void* a_packet,unsigned short* mss,unsigned short* wnscale,unsigned short win) +{ + int fds[2]; + int fd_client,fd_server; + struct kni_tcp_state fake_client; + struct kni_tcp_state fake_server; + + struct ip* iphdr=(struct ip*)a_packet; + struct tcphdr* tcphdr=(struct tcphdr*)((char*)a_packet+4*(iphdr->ip_hl)); + int tcplen=ntohs(iphdr->ip_len)-4*iphdr->ip_hl-4*tcphdr->doff; + struct tcp_repair_window fclient_win; + struct tcp_repair_window fserver_win; + + fd_client = socket(AF_INET, SOCK_STREAM, 0); + fd_server = socket(AF_INET, SOCK_STREAM, 0); + if ((fd_client < 0)||(fd_server<0)) + { + MESA_handle_runtime_log(g_kni_comminfo.logger, RLOG_LV_FATAL,"tcprepair_set_state","socket() error"); + return -1; + } + + tcprepair_get_state(&fake_client,&fake_server,a_packet,mss,wnscale,win); + + 
fserver_win.snd_wl1=ntohl(tcphdr->seq); + fserver_win.snd_wnd=ntohs(tcphdr->window)<seq); + + fclient_win.snd_wl1=ntohl(tcphdr->ack_seq)-1; + fclient_win.snd_wnd=win; + fclient_win.max_window=fclient_win.snd_wnd; + fclient_win.rcv_wnd=ntohs(tcphdr->window)<ack_seq); + +/* +//c has get + fclient_win.snd_wl1=ntohl(tcphdr->ack_seq); + fclient_win.snd_wnd=ntohs(tcphdr->window)<64)) { - return mss; + return 0; } tcp_opt=(struct kni_tcp_opt*)((char*)tcphdr+TCPHDR_DEFAULT_LEN); @@ -912,8 +1340,15 @@ unsigned short kni_get_mss(struct kni_tcp_hdr* tcphdr,int tcp_hdr_len) { if(tcp_opt->type==2) //MSS { - mss=*(unsigned short*)(tcp_opt->content); - return mss; + remain_len-=tcp_opt->len; + *mss=htons(*(unsigned short*)(tcp_opt->content)); + tcp_opt=(struct kni_tcp_opt*)((char*)tcp_opt+tcp_opt->len); + } + else if(tcp_opt->type==3) //winscale + { + remain_len-=tcp_opt->len; + *winscale=*(unsigned char*)(tcp_opt->content); + tcp_opt=(struct kni_tcp_opt*)((char*)tcp_opt+tcp_opt->len); } else if((tcp_opt->type==0)||(tcp_opt->type==1)) { @@ -929,16 +1364,17 @@ unsigned short kni_get_mss(struct kni_tcp_hdr* tcphdr,int tcp_hdr_len) } } - return mss; + return 0; } long kni_state_htable_cb_v4(void* data,const unsigned char* key,unsigned int size,void* user_arg) { -// unsigned short mss=KNI_DEFAULT_MSS; long state_flag=STAT_FLAG_NONE; + int iprevers; + int sni_len=0; char sni[KNI_MAX_BUFLEN]={0}; 
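Review bot: In kni_process_tcprepair the two `socket()` calls are checked together, so when `fd_client` succeeds and `fd_server` fails the function returns -1 with `fd_client` still open, and the error is logged under the module name "tcprepair_set_state" rather than its own; check each call separately and close the first descriptor before returning, e.g. `if (fd_server < 0) { close(fd_client); return -1; }`. tcprepair_set_state_bak duplicates tcprepair_set_state with copy-pasted "setsockopt() TCP_QUEUE_SEQ error" messages on its inet_pton/bind/connect failures and no caller is visible; delete it rather than keep a stale copy. Every early return in tcprepair_set_state leaves the socket in TCP_REPAIR mode, so the caller must close it on failure — the remainder of kni_process_tcprepair is garbled in this view, so I could not confirm it does. `tcplen` is derived from `ip_len`, `ip_hl` and `doff` with no sanity check, so a malformed header produces a negative length; the `fds[2]` local is unused.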
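Review bot: The new MSS and window-scale branches in kni_get_mss advance by `tcp_opt->len` without validating it, so an option with `len` 0 (or shorter than its payload) never advances `tcp_opt` and leaves `remain_len` unchanged — if the enclosing loop is bounded only by `remain_len`, a crafted SYN makes the parser spin forever, and a short option reads past the header. Guard both branches before touching `content`, e.g. `if(tcp_opt->len<2 || tcp_opt->len>remain_len) return 0;` (MSS is length 4, window scale length 3). `*mss=htons(...)` yields the same bits as `ntohs` on the wire value but reads as a conversion in the wrong direction; use `ntohs` to express intent. The loop header and the function's new signature are outside this hunk; the `@@ -929` hunk below only keeps the final `return 0`.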
@@ -952,21 +1388,28 @@ long kni_state_htable_cb_v4(void* data,const unsigned char* key,unsigned int siz struct kni_tcp_hdr* tcphdr=(struct kni_tcp_hdr*)((char*)iphdr+4*(iphdr->ip_hl)); struct layer_addr_mac* mac_addr=(struct layer_addr_mac*)((char*)iphdr-KNI_ETHER_LEN); -//first stream pkt and syn and not syn/ack // if((datainfo==NULL)&&(tcphdr->th_flags&TH_SYN)&&!(tcphdr->th_flags&TH_ACK)) if(datainfo==NULL) { datainfo=(struct datainfo_to_tun*)malloc(sizeof(struct datainfo_to_tun)); + memset(datainfo,0,sizeof(struct datainfo_to_tun)); datainfo->route_dir=arg->routdir; + +/* + datainfo->mss[0]=KNI_DEFAULT_MSS; + datainfo->mss[1]=KNI_DEFAULT_MSS; + datainfo->wnscal[0]=KNI_DEFAULT_WINSCLE; + datainfo->wnscal[1]=KNI_DEFAULT_WINSCLE; + +*/ memset(&addr_ipbmd,0,sizeof(struct ipaddr)); addr_ipbmd.addrtype=ADDR_TYPE_IPV4; addr_ipbmd.v4=(struct stream_tuple4_v4*)key; - datainfo->state_flag=kni_judge_ipbmd(&addr_ipbmd,arg->thread_seq); - datainfo->mss=kni_get_mss(tcphdr,ntohs(iphdr->ip_len)-4*(iphdr->ip_hl)-arg->tcpdata_len); - -//for sendpkt test + datainfo->state_flag=kni_judge_ipbmd(&addr_ipbmd,arg->thread_seq); + kni_get_mss(tcphdr,ntohs(iphdr->ip_len)-4*(iphdr->ip_hl)-arg->tcpdata_len,&(datainfo->mss[KNI_INDEX_SRC]),(unsigned char*)&(datainfo->wnscal[KNI_INDEX_SRC])); +//for sendpkt if(arg->iprevers==0) { memcpy(datainfo->smac,mac_addr->src_mac,MAC_ADDR_LEN); @@ -978,8 +1421,8 @@ long kni_state_htable_cb_v4(void* data,const unsigned char* key,unsigned int siz memcpy(datainfo->dmac,mac_addr->src_mac,MAC_ADDR_LEN); } //end - MESA_htable_add(g_kni_structinfo.htable_to_tun_v4, key,size,(void*)datainfo); + } if(datainfo==NULL) 
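Review bot: The added `memset(datainfo,0,...)` and the following `datainfo->route_dir=` write dereference the fresh `malloc` result before the `if(datainfo==NULL)` check at the end of this hunk, so an allocation failure crashes the callback instead of reaching the guard; move the check to directly after the `malloc`: `if(datainfo==NULL) return state_flag;`. `(unsigned char*)&(datainfo->wnscal[KNI_INDEX_SRC])` writes only the low byte of a field that kni_process_tcprepair later reads through `unsigned short*`, which works only on little-endian hosts and only because of the memset; give kni_get_mss a pointer of the field's real type instead. The commented-out default-MSS block should be removed or turned into a comment explaining why the defaults are no longer set. kni_state_htable_cb_v4 starts outside this hunk.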
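Review bot: This hunk removes the `MESA_htable_add(g_kni_structinfo.htable_to_tun_v4, key,size,(void*)datainfo)` that stored the newly allocated `datainfo`, and no replacement is visible anywhere in the diff. Unless the add was moved to a part of kni_state_htable_cb_v4 outside these hunks, every packet of a new stream allocates a `datainfo` that is never stored or freed, `pktnum` never reaches 2, and kni_readtun_htable_cb_v4 never finds the MAC/seq state it needs. If the move is intentional, a one-line comment at this spot naming where the entry is now inserted would save the next reader the search.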
@@ -987,7 +1430,35 @@ long kni_state_htable_cb_v4(void* data,const unsigned char* key,unsigned int siz return state_flag; } -/* + datainfo->pktnum++; + + iprevers=arg->iprevers; + + if(datainfo->pro_reply[iprevers]==0) + { + datainfo->seq[iprevers]=ntohl(tcphdr->th_seq); + datainfo->ack[iprevers]=ntohl(tcphdr->th_ack); + datainfo->ipid[iprevers]=ntohs(iphdr->ip_id); + datainfo->ttl[iprevers]=iphdr->ip_ttl; + datainfo->len[iprevers]=ntohs(iphdr->ip_len)-4*iphdr->ip_hl-4*tcphdr->th_off; + + if(tcphdr->th_flags&TH_SYN) + { + datainfo->len[iprevers]=1; + } + + } + + +// if((datainfo->state_flag==STAT_FLAG_NONE)&&(arg->iprevers==1)) + if((datainfo->state_flag==STAT_FLAG_NONE)&&(datainfo->pktnum==2)) + { + datainfo->win=ntohs(tcphdr->th_win); + kni_get_mss(tcphdr,ntohs(iphdr->ip_len)-4*(iphdr->ip_hl)-arg->tcpdata_len,&(datainfo->mss[KNI_INDEX_DST]),(unsigned char*)&(datainfo->wnscal[KNI_INDEX_DST])); + } + + /* + if((datainfo->state_flag==STAT_FLAG_NONE)&&(tcphdr->th_flags&TH_SYN)&&(tcphdr->th_flags&TH_ACK)) { mss=kni_get_mss(tcphdr,ntohs(iphdr->ip_len)-4*(iphdr->ip_hl)-arg->tcpdata_len); @@ -995,6 +1466,9 @@ long kni_state_htable_cb_v4(void* data,const unsigned char* key,unsigned int siz } */ +#ifdef KNI_DEBUG_SWITCH + return STAT_FLAG_SSL_NOBMD; +#endif //only process full stream pkt,star from syn,double dir; if((datainfo->state_flag==STAT_FLAG_NONE)&&(arg->tcpdata_len>0)) @@ -1005,13 +1479,15 @@ long kni_state_htable_cb_v4(void* data,const unsigned char* key,unsigned int siz datainfo->state_flag=kni_judge_sni(sni,sni_len,arg->thread_seq); if(datainfo->state_flag==STAT_FLAG_SSL_NOBMD) { - kni_process_fs(arg->a_packet,datainfo->mss); +// kni_process_fs(arg->a_packet,datainfo->mss); + kni_process_tcprepair(arg->a_packet,datainfo->mss,datainfo->wnscal,datainfo->win); + } } } - return datainfo->state_flag;; + return datainfo->state_flag; } 
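Review bot: `datainfo->pktnum==2` is used to recognise the server's SYN/ACK, but a retransmitted client SYN or any reordered segment is also packet two, so `win`, `mss[KNI_INDEX_DST]` and `wnscal[KNI_INDEX_DST]` can be captured from the wrong direction. The commented-out `arg->iprevers==1` test combined with the flags would be the robust form, e.g. `if((datainfo->state_flag==STAT_FLAG_NONE)&&(arg->iprevers==1)&&(tcphdr->th_flags&TH_SYN)&&(tcphdr->th_flags&TH_ACK))`. `datainfo->seq[iprevers]`, `ack[iprevers]`, `ipid[iprevers]`, `ttl[iprevers]` and `len[iprevers]` are all indexed by `iprevers`; if kni_get_ipaddr_v4 can return anything other than 0 or 1 this writes past the two-element arrays, so the contract deserves a comment on the struct.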
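Review bot: The new `#ifdef KNI_DEBUG_SWITCH return STAT_FLAG_SSL_NOBMD; #endif` short-circuits both the IP-BMD and the SNI decision, so a build with the macro defined classifies every 80/443 stream as SSL_NOBMD and hands it to kni_process_tcprepair. Make sure the macro is never set in release builds and mark the block, e.g. `/* debug only: forces every stream into the NOBMD path; never define in production builds */`. The `@@ -1005` hunk below ignores the return value of kni_process_tcprepair, so a failed repair leaves `state_flag` at SSL_NOBMD and the packet is dropped with no connection established; log the failure or reset the flag when it returns -1.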
@@ -1041,10 +1517,34 @@ long kni_state_htable_cb_v6(void* data,const unsigned char* key,unsigned int siz return datainfo->state_flag; } + +int kni_recv_msg(int socket) +{ + struct msghdr msg = {0}; + struct cmsghdr *cmsg; + char buf[CMSG_SPACE(sizeof(int))], dup[256]; + memset(buf, 0, sizeof(buf)); + struct iovec io = { .iov_base = &dup, .iov_len = sizeof(dup) }; + + msg.msg_iov = &io; + msg.msg_iovlen = 1; + msg.msg_control = buf; + msg.msg_controllen = sizeof(buf); + + if (recvmsg (socket, &msg, 0) < 0) + { + printf("recvmsg() error,errno:%d\n",errno); + } + // handle_error ("Failed to receive message"); + + cmsg = CMSG_FIRSTHDR(&msg); + + return 0; +} + + extern "C" int kni_ip_entry(struct streaminfo* f_stream,unsigned char routedir,int thread_seq,struct ip* a_packet) { - printf("kni_ip_entry!\n"); - char ret=APP_STATE_FAWPKT; //ip/tcp info @@ -1057,7 +1557,6 @@ extern "C" int kni_ip_entry(struct streaminfo* f_stream,unsigned char routedir,i unsigned short dport=ntohs(tcphdr->dest); if((sport!=80)&&(sport!=443)&&(dport!=80)&&(dport!=443)) { - printf("kni_ip_entry return,ret:%d\n",ret); return ret; } @@ -1073,7 +1572,6 @@ extern "C" int kni_ip_entry(struct streaminfo* f_stream,unsigned char routedir,i usr_arg.iprevers=kni_get_ipaddr_v4(a_packet,&ipv4_addr); - if(usr_arg.iprevers==0) { usr_arg.routdir=routedir; @@ -1088,16 +1586,13 @@ extern "C" int kni_ip_entry(struct streaminfo* f_stream,unsigned char routedir,i if(state_flag==STAT_FLAG_SSL_NOBMD) { - tun_write_data(g_kni_comminfo.fd_tun[thread_seq],(char*)a_packet,iplen,&ipv4_addr); ret= APP_STATE_DROPPKT; } - kni_debug_info_v4((char*)KNI_MODULE_IPENTRY,state_flag,a_packet); - printf("kni_ip_entry return,ret:%d\n",ret); return ret; } 
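Review bot: kni_recv_msg assigns `cmsg = CMSG_FIRSTHDR(&msg)` and then discards it, so any descriptor passed via SCM_RIGHTS is installed into this process and never retrieved or closed — each message leaks an fd. Either extract it (check `cmsg->cmsg_level==SOL_SOCKET && cmsg->cmsg_type==SCM_RIGHTS`, then `memcpy(&fd, CMSG_DATA(cmsg), sizeof(int))`) and return it to the caller, or drop the function until it has a consumer. The `recvmsg` failure path prints with `printf` and then continues into CMSG_FIRSTHDR on an untouched `msg`; return -1 there and log through MESA_handle_runtime_log like the rest of the file.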
@@ -1174,8 +1669,8 @@ int init_domain_fd() char serverpath[32] = "/home/server_unixsocket_file"; int i_addr_len = sizeof( struct sockaddr_un ); -// if ( ( i_fd = socket( AF_UNIX, SOCK_STREAM, 0 ) ) < 0 ) - if ( ( i_fd = socket( AF_UNIX, SOCK_DGRAM, 0 ) ) < 0 ) + if ( ( i_fd = socket( AF_UNIX, SOCK_STREAM, 0 ) ) < 0 ) +// if ( ( i_fd = socket( AF_UNIX, SOCK_DGRAM, 0 ) ) < 0 ) { MESA_handle_runtime_log(g_kni_comminfo.logger, RLOG_LV_FATAL,KNI_MODULE_INIT,"init_domain_fd():socket error,errno is %d,action:%s",errno,KNI_ACTION_EXIT); return -1; @@ -1261,10 +1756,6 @@ extern "C" char kni_init() return -1; } - -//sendpkt init -// wangyan_send_fake_pkt_init(); - //maat g_kni_maatinfo.maat_feather=Maat_feather(g_iThreadNum,table_info_path,g_kni_comminfo.logger); if(g_kni_maatinfo.maat_feather==NULL) @@ -1316,7 +1807,7 @@ extern "C" char kni_init() } g_kni_comminfo.fd_tun=(int*)malloc(g_kni_comminfo.thread_num*sizeof(int)); - memset(g_kni_comminfo.fd_tun,0,sizeof(g_kni_comminfo.thread_num*sizeof(int))); + memset(g_kni_comminfo.fd_tun,0,g_kni_comminfo.thread_num*sizeof(int)); ret=tun_alloc_mq(__tun_symbol,g_kni_comminfo.thread_num,g_kni_comminfo.fd_tun); if(ret<0) @@ -1334,11 +1825,10 @@ extern "C" char kni_init() if(g_kni_comminfo.fd_domain<0) { MESA_handle_runtime_log(g_kni_comminfo.logger, RLOG_LV_FATAL,KNI_MODULE_INIT,"init_domain_fd()error,action:%s",KNI_ACTION_EXIT); - return -1; +// return -1; } //test init raw_socket - g_kni_comminfo.ipv4_fd=(int*)malloc(g_kni_comminfo.thread_num*sizeof(int)); for(i=0;i