TSG-2846: 增加 kni 对共享tsg_master 扫描maat 结果给tfe的支持

2020-08-24 11:33:41 +08:00
parent 5313a04d93
commit dca9c67275
5 changed files with 265 additions and 5 deletions
--- a/common/include/kni_cmsg.h
+++ b/common/include/kni_cmsg.h
@@ -45,7 +45,6 @@ enum tfe_cmsg_tlv_type
    TFE_CMSG_DST_MAC,
    
    /* TCP option information */
-//    TFE_CMSG_DOWNSTREAM_TCP_MAXSEG,
    TFE_CMSG_DOWNSTREAM_TCP_NODELAY, 
    TFE_CMSG_DOWNSTREAM_TCP_TTL,
    TFE_CMSG_DOWNSTREAM_TCP_KEEPALIVE,
@@ -53,8 +52,6 @@ enum tfe_cmsg_tlv_type
    TFE_CMSG_DOWNSTREAM_TCP_KEEPIDLE,
    TFE_CMSG_DOWNSTREAM_TCP_KEEPINTVL, 
    TFE_CMSG_DOWNSTREAM_TCP_USER_TIMEOUT,
-
-//    TFE_CMSG_UPSTREAM_TCP_MAXSEG, 
    TFE_CMSG_UPSTREAM_TCP_NODELAY , 
    TFE_CMSG_UPSTREAM_TCP_TTL, 
    TFE_CMSG_UPSTREAM_TCP_KEEPALIVE, 
@@ -62,8 +59,22 @@ enum tfe_cmsg_tlv_type
    TFE_CMSG_UPSTREAM_TCP_KEEPIDLE,
    TFE_CMSG_UPSTREAM_TCP_KEEPINTVL, 
    TFE_CMSG_UPSTREAM_TCP_USER_TIMEOUT,
-
    TFE_CMSG_TCP_PASSTHROUGH,
+
+    // share session attribute
+    TFE_CMSG_SRC_SUB_ID,              // string max size 256
+    TFE_CMSG_DST_SUB_ID,              // string max size 256
+    TFE_CMSG_SRC_ASN,                 // string max size 64
+    TFE_CMSG_DST_ASN,                 // string max size 64
+    TFE_CMSG_SRC_ORGANIZATION,        // string max size 256
+    TFE_CMSG_DST_ORGANIZATION,        // string max size 256
+    TFE_CMSG_SRC_IP_LOCATION_COUNTRY, // string max size 256
+    TFE_CMSG_DST_IP_LOCATION_COUNTRY, // string max size 256
+    TFE_CMSG_SRC_IP_LOCATION_PROVINE, // string max size 256
+    TFE_CMSG_DST_IP_LOCATION_PROVINE, // string max size 256
+    TFE_CMSG_SRC_IP_LOCATION_CITY,    // string max size 256
+    TFE_CMSG_DST_IP_LOCATION_CITY,    // string max size 256
+    //cmsg tlv max
    KNI_CMSG_TLV_NR_MAX,
 };

--- a/conf/kni/kni.conf
+++ b/conf/kni/kni.conf
@@ -121,3 +121,6 @@ server_tcp_keepalive_keepintvl = 15
 server_tcp_user_timeout = 600
 bypass_duplicated_packet = 0
 tcp_passthrough = 0
+
+[share_session_attribute]
+SESSION_ATTRIBUTE_LABEL=TSG_MASTER_INTERNAL_LABEL
--- a/entry/include/kni_entry.h
+++ b/entry/include/kni_entry.h
@@ -6,6 +6,7 @@
 #include "kni_utils.h"
 #include "tsg/tsg_statistic.h"
 #include "tfe_mgr.h"
+#include "tsg/tsg_label.h"

 #define BURST_MAX   1
 #define CALLER_SAPP 0
@@ -14,6 +15,8 @@
 #define SSL_INFO_LEN 2048
 #define	_MAX_MAAT_TABLE_NAME_LEN	64

+#define	MAX_STRING_LEN	32
+
 enum intercept_error{
 	INTERCEPT_ERROR_ASYM_ROUTING = -1,
 	INTERCEPT_ERROR_NO_SYN = -2,
@@ -139,6 +142,7 @@ struct pme_info{
    //for proxy tcp option
    struct proxy_tcp_option pxy_tcp_option;
 	int pxy_tcp_option_is_scan;
+	struct _session_attribute_label_t *session_attribute_label;
 };

 struct wrapped_packet{
@@ -211,6 +215,7 @@ struct kni_handle{
    char maat_table_name[TABLE_MAX][_MAX_MAAT_TABLE_NAME_LEN]; // for proxy tcp option  maat name
    int maat_table_id[TABLE_MAX];
    struct proxy_tcp_option pxy_tcp_option;
+	int session_attribute_id;
 };

 struct traceid2pme_search_cb_args{
--- a/entry/include/tsg/tsg_label.h
+++ b/entry/include/tsg/tsg_label.h
@@ -0,0 +1,60 @@
+#ifndef	__TSG_LABEL_H__
+#define	__TSG_LABEL_H__
+
+#include "tsg_rule.h"
+#define	MAX_STR_FIELD_LEN	64
+
+
+struct _asn_info_t
+{
+	int ref_cnt;
+	int addr_type;
+	int table_id;
+	char start_ip[MAX_STR_FIELD_LEN];
+	char end_ip[MAX_STR_FIELD_LEN];
+	char asn[MAX_STR_FIELD_LEN];
+	char organization[MAX_STR_FIELD_LEN*4];
+};
+
+struct _location_info_t
+{
+	int geoname_id;
+	int table_id;
+	int ref_cnt;
+	int addr_type;
+	double latitude;
+	double longitude;
+	double coords;
+	char start_ip[MAX_STR_FIELD_LEN];
+	char end_ip[MAX_STR_FIELD_LEN];
+	char language[MAX_STR_FIELD_LEN];
+	char continent_abbr[MAX_STR_FIELD_LEN*4];
+	char continent_full[MAX_STR_FIELD_LEN*4];
+	char country_abbr[MAX_STR_FIELD_LEN*4];
+	char country_full[MAX_STR_FIELD_LEN*4];
+	char province_abbr[MAX_STR_FIELD_LEN*4];
+	char province_full[MAX_STR_FIELD_LEN*4];
+	char city_full[MAX_STR_FIELD_LEN*4];
+	char time_zone[MAX_STR_FIELD_LEN*4];
+};
+
+struct _subscribe_id_info_t
+{
+	int ref_cnt;
+	int table_id;
+	char subscribe_id[MAX_STR_FIELD_LEN*4];
+};
+
+struct _session_attribute_label_t
+{
+	tsg_protocol_t proto;
+	long establish_latency_ms;
+	struct _asn_info_t *client_asn;
+	struct _asn_info_t *server_asn;
+	struct _location_info_t *client_location;
+	struct _location_info_t *server_location;
+	struct _subscribe_id_info_t *client_subscribe_id;
+	struct _subscribe_id_info_t *server_subscribe_id;
+};
+
+#endif
--- a/entry/src/kni_entry.cpp
+++ b/entry/src/kni_entry.cpp
@@ -261,6 +261,96 @@ int wrapped_kni_cmsg_set(struct kni_cmsg *cmsg, uint16_t type, const unsigned ch
 	return ret;
 }

+static int session_attribute_cmsg_set(struct kni_cmsg *cmsg, struct pme_info *pmeinfo)
+{
+	struct _session_attribute_label_t *session_attribute_label = pmeinfo->session_attribute_label;
+	int ret = 0;
+	char empty_arr[MAX_STR_FIELD_LEN] = {0};
+	do {
+		if(session_attribute_label->client_subscribe_id == NULL)
+			ret = wrapped_kni_cmsg_set(cmsg,TFE_CMSG_SRC_SUB_ID, (const unsigned char*)empty_arr, strlen(empty_arr), pmeinfo);
+		else
+			ret = wrapped_kni_cmsg_set(cmsg,TFE_CMSG_SRC_SUB_ID, (const unsigned char*)session_attribute_label->client_subscribe_id->subscribe_id, strlen(session_attribute_label->client_subscribe_id->subscribe_id), pmeinfo);
+		if(ret < 0) break;
+
+		if(session_attribute_label->server_subscribe_id == NULL)
+			ret = wrapped_kni_cmsg_set(cmsg,TFE_CMSG_DST_SUB_ID, (const unsigned char*)empty_arr, strlen(empty_arr), pmeinfo);
+		else
+			ret = wrapped_kni_cmsg_set(cmsg,TFE_CMSG_DST_SUB_ID, (const unsigned char*)session_attribute_label->server_subscribe_id->subscribe_id, strlen(session_attribute_label->server_subscribe_id->subscribe_id), pmeinfo);
+		if(ret < 0) break;
+
+		if(session_attribute_label->client_asn == NULL)
+		{
+			ret = wrapped_kni_cmsg_set(cmsg,TFE_CMSG_SRC_ASN, (const unsigned char*)empty_arr, strlen(empty_arr), pmeinfo);
+			if(ret < 0) break;
+			ret = wrapped_kni_cmsg_set(cmsg,TFE_CMSG_SRC_ORGANIZATION, (const unsigned char*)empty_arr, strlen(empty_arr), pmeinfo);
+			if(ret < 0) break;
+		}
+		else
+		{
+			ret = wrapped_kni_cmsg_set(cmsg,TFE_CMSG_SRC_ASN, (const unsigned char*)session_attribute_label->client_asn->asn, strlen(session_attribute_label->client_asn->asn), pmeinfo);
+			if(ret < 0) break;
+			ret = wrapped_kni_cmsg_set(cmsg,TFE_CMSG_SRC_ORGANIZATION, (const unsigned char*)session_attribute_label->client_asn->organization, strlen(session_attribute_label->client_asn->organization), pmeinfo);
+			if(ret < 0) break;
+		}
+
+		if(session_attribute_label->server_asn == NULL)
+		{
+			ret = wrapped_kni_cmsg_set(cmsg,TFE_CMSG_SRC_ASN, (const unsigned char*)empty_arr, strlen(empty_arr), pmeinfo);
+			if(ret < 0) break;
+			ret = wrapped_kni_cmsg_set(cmsg,TFE_CMSG_DST_ORGANIZATION, (const unsigned char*)empty_arr, strlen(empty_arr), pmeinfo);
+			if(ret < 0) break;
+		}
+		else
+		{
+			ret = wrapped_kni_cmsg_set(cmsg,TFE_CMSG_DST_ASN, (const unsigned char*)session_attribute_label->server_asn->asn, strlen(session_attribute_label->server_asn->asn), pmeinfo);
+			if(ret < 0) break;
+			ret = wrapped_kni_cmsg_set(cmsg,TFE_CMSG_DST_ORGANIZATION, (const unsigned char*)session_attribute_label->server_asn->organization, strlen(session_attribute_label->server_asn->organization), pmeinfo);
+			if(ret < 0) break;
+		}
+
+		if(session_attribute_label->client_location == NULL)
+		{
+			ret = wrapped_kni_cmsg_set(cmsg,TFE_CMSG_SRC_IP_LOCATION_COUNTRY, (const unsigned char*)empty_arr, strlen(empty_arr), pmeinfo);
+			if(ret < 0) break;
+			ret = wrapped_kni_cmsg_set(cmsg,TFE_CMSG_SRC_IP_LOCATION_PROVINE, (const unsigned char*)empty_arr, strlen(empty_arr), pmeinfo);
+			if(ret < 0) break;
+			ret = wrapped_kni_cmsg_set(cmsg,TFE_CMSG_SRC_IP_LOCATION_CITY, (const unsigned char*)empty_arr, strlen(empty_arr), pmeinfo);
+			if(ret < 0) break;
+		}
+		else
+		{
+			ret = wrapped_kni_cmsg_set(cmsg,TFE_CMSG_SRC_IP_LOCATION_COUNTRY, (const unsigned char*)session_attribute_label->client_location->country_full, strlen(session_attribute_label->client_location->country_full), pmeinfo);
+			if(ret < 0) break;
+			ret = wrapped_kni_cmsg_set(cmsg,TFE_CMSG_SRC_IP_LOCATION_PROVINE, (const unsigned char*)session_attribute_label->client_location->province_full, strlen(session_attribute_label->client_location->province_full), pmeinfo);
+			if(ret < 0) break;
+			ret = wrapped_kni_cmsg_set(cmsg,TFE_CMSG_SRC_IP_LOCATION_CITY, (const unsigned char*)session_attribute_label->client_location->city_full, strlen(session_attribute_label->client_location->city_full), pmeinfo);
+			if(ret < 0) break;
+		}
+
+		if(session_attribute_label->server_location == NULL)
+		{
+			ret = wrapped_kni_cmsg_set(cmsg,TFE_CMSG_DST_IP_LOCATION_COUNTRY, (const unsigned char*)empty_arr, strlen(empty_arr), pmeinfo);
+			if(ret < 0) break;
+			ret = wrapped_kni_cmsg_set(cmsg,TFE_CMSG_DST_IP_LOCATION_PROVINE, (const unsigned char*)empty_arr, strlen(empty_arr), pmeinfo);
+			if(ret < 0) break;
+			ret = wrapped_kni_cmsg_set(cmsg,TFE_CMSG_DST_IP_LOCATION_CITY, (const unsigned char*)empty_arr, strlen(empty_arr), pmeinfo);
+			if(ret < 0) break;
+		}
+		else
+		{
+			ret = wrapped_kni_cmsg_set(cmsg,TFE_CMSG_DST_IP_LOCATION_COUNTRY, (const unsigned char*)session_attribute_label->server_location->country_full, strlen(session_attribute_label->server_location->country_full), pmeinfo);
+			if(ret < 0) break;
+			ret = wrapped_kni_cmsg_set(cmsg,TFE_CMSG_DST_IP_LOCATION_PROVINE, (const unsigned char*)session_attribute_label->server_location->province_full, strlen(session_attribute_label->server_location->province_full), pmeinfo);
+			if(ret < 0) break;
+			ret = wrapped_kni_cmsg_set(cmsg,TFE_CMSG_DST_IP_LOCATION_CITY, (const unsigned char*)session_attribute_label->server_location->city_full, strlen(session_attribute_label->server_location->city_full), pmeinfo);
+			if(ret < 0) break;
+		}
+	}while(0);
+	return ret;
+}
+
+
 static unsigned char* kni_cmsg_serialize_header_new(struct pme_info *pmeinfo, struct streaminfo *stream, struct pkt_info *pktinfo, uint16_t *len){
 	void *logger = g_kni_handle->local_logger;
 	uint16_t bufflen = 0, serialize_len = 0;
@@ -368,6 +458,14 @@ static unsigned char* kni_cmsg_serialize_header_new(struct pme_info *pmeinfo, st
 		}
 	}

+	//share session attribute
+	ret = session_attribute_cmsg_set(cmsg, pmeinfo);
+	if(ret < 0)
+	{
+		KNI_LOG_ERROR(logger, "share-session-attribute:  Failed at set cmsg");
+		goto error_out;
+	}
+
 	//src mac
 	ret = get_rawpkt_opt_from_streaminfo(stream, RAW_PKT_GET_VXLAN_OUTER_GDEV_MAC, src_mac);
 	if(ret < 0){
@@ -1071,6 +1169,68 @@ static int first_data_ssl_dynamic_bypass(struct streaminfo *stream, struct pme_i
 }


+static struct _session_attribute_label_t * kni_pull_session_attribute_results(struct streaminfo *a_stream,struct pme_info *pmeinfo)
+{
+	struct _session_attribute_label_t *session_attribute_label = NULL;
+	void *logger = g_kni_handle->local_logger;
+	session_attribute_label =  (struct _session_attribute_label_t *)project_req_get_struct(a_stream, g_kni_handle->session_attribute_id);
+	if(session_attribute_label != NULL)
+	{
+		KNI_LOG_DEBUG(logger, "share-session-attribute: Success to get the session attribute results,stream traceid = %s", pmeinfo->stream_traceid);
+
+		if(session_attribute_label->client_subscribe_id == NULL)
+			KNI_LOG_DEBUG(logger, "share-session-attribute: source subscribe id is NULL,stream traceid = %s",pmeinfo->stream_traceid);
+		else
+			KNI_LOG_DEBUG(logger, "share-session-attribute: source subscribe id is: %s,stream traceid = %s",session_attribute_label->client_subscribe_id->subscribe_id,pmeinfo->stream_traceid);
+
+		if(session_attribute_label->server_subscribe_id == NULL)
+			KNI_LOG_DEBUG(logger, "share-session-attribute: destination subscribe id is NULL,stream traceid = %s",pmeinfo->stream_traceid);
+		else
+			KNI_LOG_DEBUG(logger, "share-session-attribute: destination subscribe id is: %s,stream traceid = %s",session_attribute_label->server_subscribe_id->subscribe_id,pmeinfo->stream_traceid);
+
+		if(session_attribute_label->client_asn == NULL)
+			KNI_LOG_DEBUG(logger, "share-session-attribute: source asn and organization is NULL,stream traceid = %s",pmeinfo->stream_traceid);
+		else
+		{
+			KNI_LOG_DEBUG(logger, "share-session-attribute: source asn is: %s,stream traceid = %s",session_attribute_label->client_asn->asn, pmeinfo->stream_traceid);
+			KNI_LOG_DEBUG(logger, "share-session-attribute: source organization is: %s,stream traceid = %s",session_attribute_label->client_asn->organization, pmeinfo->stream_traceid);
+		}
+
+		if(session_attribute_label->server_asn == NULL)
+			KNI_LOG_DEBUG(logger, "share-session-attribute: destination asn and organization is NULL,stream traceid = %s",pmeinfo->stream_traceid);
+		else
+		{
+			KNI_LOG_DEBUG(logger, "share-session-attribute: destination asn:%s,stream traceid = %s",session_attribute_label->server_asn->asn,pmeinfo->stream_traceid);
+			KNI_LOG_DEBUG(logger, "share-session-attribute: destination organization:%s,stream traceid = %s",session_attribute_label->server_asn->organization,pmeinfo->stream_traceid);
+		}
+
+		if(session_attribute_label->client_location == NULL)
+			KNI_LOG_DEBUG(logger, "share-session-attribute: source ip location is NULL,stream traceid = %s",pmeinfo->stream_traceid);
+		else
+		{
+			KNI_LOG_DEBUG(logger, "share-session-attribute: source ip location country is: %s,stream traceid = %s",session_attribute_label->client_location->country_full,pmeinfo->stream_traceid);
+			KNI_LOG_DEBUG(logger, "share-session-attribute: source ip location province is: %s,stream traceid = %s",session_attribute_label->client_location->province_full,pmeinfo->stream_traceid);
+			KNI_LOG_DEBUG(logger, "share-session-attribute: source ip location city is: %s,stream traceid = %s",session_attribute_label->client_location->city_full,pmeinfo->stream_traceid);
+		}
+
+		if(session_attribute_label->server_location == NULL)
+			KNI_LOG_DEBUG(logger, "share-session-attribute: destination ip location is NULL,stream traceid = %s",pmeinfo->stream_traceid);
+		else
+		{
+			KNI_LOG_DEBUG(logger, "share-session-attribute: destination ip location country is: %s,stream traceid = %s",session_attribute_label->server_location->country_full,pmeinfo->stream_traceid);
+			KNI_LOG_DEBUG(logger, "share-session-attribute: destination ip location province is: %s,stream traceid = %s",session_attribute_label->server_location->province_full,pmeinfo->stream_traceid);
+			KNI_LOG_DEBUG(logger, "share-session-attribute: destination ip location city is: %s,stream traceid = %s",session_attribute_label->server_location->city_full,pmeinfo->stream_traceid);
+		}
+
+	}
+	else
+	{
+		KNI_LOG_ERROR(logger, "share-session-attribute: Failed to get the session attribute results,stream traceid = %s", pmeinfo->stream_traceid);
+	}
+
+	return session_attribute_label;
+}
+

 static int first_data_intercept(struct streaminfo *stream, struct pme_info *pmeinfo, struct pkt_info *pktinfo, int thread_seq){
 	FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_INTCP_READY_STM], 0, FS_OP_ADD, 1);
@@ -1153,6 +1313,14 @@ static int first_data_intercept(struct streaminfo *stream, struct pme_info *pmei
 			return APP_STATE_FAWPKT | APP_STATE_KILL_OTHER | APP_STATE_GIVEME;	
 		}
 	}
+
+	//
+	if(pmeinfo->session_attribute_label == NULL)
+	{
+		KNI_LOG_DEBUG(g_kni_handle->local_logger, "Intercept error: Get share session attribute error,stream traceid = %s", pmeinfo->stream_traceid);
+		goto error_out;
+	}
+
 	//dynamic bypass
 	if(first_data_ssl_dynamic_bypass(stream, pmeinfo, pktinfo, thread_seq) == 0)
 	{
@@ -1362,6 +1530,7 @@ char first_data_process(struct streaminfo *stream, struct pme_info *pmeinfo, str
 		pmeinfo->do_log = pmeinfo->maat_result.do_log;
 		pmeinfo->thread_seq = thread_seq;
 		pmeinfo->is_dynamic_bypass = 0;
+		pmeinfo->session_attribute_label = kni_pull_session_attribute_results(stream,pmeinfo);
 		maat_hit = 1;
 		char *action_str = kni_maat_action_trans(pmeinfo->action);
 		KNI_LOG_INFO(logger, "intercept_policy_scan: %s, %s, maat_hit = %d, policy_id = %d, action = %d(%s), stream traceid = %s", 
@@ -2341,6 +2510,8 @@ extern "C" int kni_init(){
 	MESA_htable_handle traceid2pme_htable = NULL;
 	MESA_htable_handle sslinfo2bypass_htable = NULL;
 	struct tfe_mgr *_tfe_mgr = NULL;
+	char label_buff[MAX_STRING_LEN*4]={0};
+
 	int ret = MESA_load_profile_string_nodef(profile, section, "log_path", log_path, sizeof(log_path));
 	if(ret < 0){
 		printf("MESA_prof_load: log_path not set, profile = %s, section = %s", profile, section);
@@ -2527,6 +2698,16 @@ extern "C" int kni_init(){
 		KNI_LOG_ERROR(local_logger, "Failed at init pxy_tcp_option_rule");
 		goto error_out;
 	}
+
+	//register customer for share session attribute
+	MESA_load_profile_string_def(profile, "share_session_attribute", "SESSION_ATTRIBUTE_LABEL", label_buff, sizeof(label_buff), "POLICY_PRIORITY");
+	g_kni_handle->session_attribute_id = project_customer_register(label_buff, PROJECT_VAL_TYPE_STRUCT);
+	if(g_kni_handle->session_attribute_id < 0)
+	{
+		KNI_LOG_ERROR(local_logger,"Register %s failed; please check :%s ",label_buff,profile);
+		return -1;
+	}
+
 	//init tfe_mgr
 	_tfe_mgr = tfe_mgr_init(tfe_node_count, profile, g_kni_handle->deploy_mode, local_logger);
 	if(_tfe_mgr == NULL){