diff --git a/Makefile b/Makefile index 928e735..422db9f 100644 --- a/Makefile +++ b/Makefile @@ -1,6 +1,6 @@ #CC = gcc CC = g++ -CFLAGS = -g -Wall -fPIC -shared +CFLAGS = -g -Wall -fPIC -shared OBJECTS = kni.o libforge_socket.o TARGET = kni.so @@ -15,18 +15,15 @@ MODULES = -lMESA_htable -lMESA_prof_load -lMESA_handle_logger -lrulescan -lmaatf .c.o: $(CC) -c -o $@ $(CFLAGS) $(INCS) $< -.cc.o: - $(CC) -c -o $@ $(CFLAGS) $(INCS) $< - .PHONY: all clean all: $(TARGET) $(TARGET):$(OBJECTS) $(CC) -o $(TARGET) $(CFLAGS) $(OBJECTS) $(MODULES) $(LD_DICTATOR) +# $(CC) -o $(TARGET) $(CFLAGS) $(OBJECTS) $(MODULES) -Wl,--whole-archive $(WHOLE_MODULES) -wL,--NO-WHOLE-ARCHIVE $(LD_DICTATOR) kni.o:kni.c libforge_socket.o:libforge_socket.c - clean: rm -f $(TARGET) $(OBJECTS) diff --git a/bin/kni/kni.inf b/bin/kni/kni.inf index f57a18a..69947f6 100644 --- a/bin/kni/kni.inf +++ b/bin/kni/kni.inf @@ -4,14 +4,14 @@ SO_PATH=./plug/business/kni/kni.so INIT_FUNC=kni_init DESTROY_FUNC= -[IP] -FUNC_FLAG=all -FUNC_NAME=kni_ip_entry - - -#[TCP_ALL] +#[IP] #FUNC_FLAG=all -#FUNC_NAME=kni_tcpall_entry +#FUNC_NAME=kni_ip_entry + + +[TCP_ALL] +FUNC_FLAG=all +FUNC_NAME=kni_tcpall_entry diff --git a/bin/kni/kni.so b/bin/kni/kni.so deleted file mode 100644 index d252dc6..0000000 Binary files a/bin/kni/kni.so and /dev/null differ diff --git a/bin/kni_set_cmd b/bin/kni_set_cmd index 9ef362a..c27c13a 100644 --- a/bin/kni_set_cmd +++ b/bin/kni_set_cmd 
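Review bot: The link recipe gains a commented-out alternative whose linker flag is spelled `-wL,--NO-WHOLE-ARCHIVE`, which is not the `-Wl,--no-whole-archive` form the linker accepts, so the line cannot simply be re-enabled and reads as dead recipe text; either drop it or keep it working, e.g. `WHOLE_ARCHIVE_FLAGS := -Wl,--whole-archive $(WHOLE_MODULES) -Wl,--no-whole-archive` (note that `WHOLE_MODULES` is defined nowhere in this hunk). While here, the live recipe links with `-o $(TARGET)` where `$@` would do, and `-fPIC -shared` sit in the user-overridable `CFLAGS`, so `make CFLAGS=-O2` silently produces a non-shared object named kni.so; keep required flags in a separate variable such as `ALL_CFLAGS := -fPIC -shared $(CFLAGS)`. Removing the `.cc.o` suffix rule is fine for the two `.c` objects listed, but pattern rules (`%.o: %.c`) would be the idiomatic replacement for the remaining `.c.o` rule.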
@@ -6,19 +6,6 @@ #ifconfig tun0 up echo 1 > /proc/sys/net/ipv4/ip_forward -#route add default dev tun0 - -iptables -t mangle -N DIVERT -iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT -iptables -t mangle -A DIVERT -j MARK --set-mark 1 -iptables -t mangle -A DIVERT -j ACCEPT - -ip rule add fwmark 1 lookup 100 -#ip route add local 0.0.0.0/0 dev tun0 table 100 -ip route add local 0.0.0.0/0 dev lo table 100 - -#iptables -t mangle -A PREROUTING -p tcp -i tun0 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 50080 - ethtool -K p7p1 lro off ethtool -K p7p1 tso off @@ -28,3 +15,18 @@ ethtool -K em2 lro off ethtool -K em2 tso off ethtool -K em2 gro off +ip tuntap add dev tun0 mode tun multi_queue +ifconfig tun0 up +route add default dev tun0 + +iptables -F -t mangle +iptables -t mangle -N DIVERT +iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT +iptables -t mangle -A DIVERT -j MARK --set-mark 1 +iptables -t mangle -A DIVERT -j ACCEPT + +ip rule add fwmark 1 lookup 100 +#ip route add local 0.0.0.0/0 dev tun0 table 100 +ip route add local 0.0.0.0/0 dev lo table 100 + +iptables -t mangle -A PREROUTING -p tcp -i tun0 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 50080 diff --git a/kni.c b/kni.c index ff03f50..6f53c3b 100644 --- a/kni.c +++ b/kni.c @@ -28,15 +28,19 @@ #include "MESA_htable.h" #include "MESA_list_queue.h" #include "Maat_rule.h" +#include "field_stat2.h" #include "kni.h" -int g_kni_version_VERSION_20180620; + +int g_kni_version_VERSION_20180710; struct kni_var_comm g_kni_comminfo; struct kni_var_struct g_kni_structinfo; struct kni_var_maat g_kni_maatinfo; +struct kni_fs2_info g_kni_fs2_info; -int g_kni_fds[2]; +int g_kni_threadseq[KNI_MAX_THREADNUM]; +const char *g_kni_fs2_name[FS2_COLUMN_NUM] ={"RECV_PKTS","FWD_PKTS","DROP_PKTS","WRITE_PKTS","READ_PKTS","SEND_PKTS"}; extern int g_iThreadNum; 
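Review bot: The new `iptables -F -t mangle` flushes every rule in the mangle table, not just the ones this script owns, and the block that follows is not idempotent: `iptables -t mangle -N DIVERT`, `ip rule add fwmark 1 lookup 100` and `ip route add local 0.0.0.0/0 dev lo table 100` either fail or add duplicate entries on a second run, and nothing visible in the hunk stops the script on the first error. Prefer tearing down only the DIVERT chain and the fwmark rule before re-creating them, and fail fast (`set -e` near the top, assuming the file has a shebang outside this hunk). `route add default dev tun0` also replaces the host's default route with the tun device, which sends all non-local traffic from this box into the diversion path; if that is intended a comment saying so would help, otherwise a route in table 100 is the narrower change. The final TPROXY rule now diverts every TCP packet arriving on tun0 to local port 50080 with no address match; pin it with `--on-ip` if the listener is bound to a specific address.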
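Review bot: `g_kni_fs2_name[FS2_COLUMN_NUM]` is initialised with exactly six literals while its size comes from a macro defined elsewhere; if FS2_COLUMN_NUM is larger, the remaining slots are silently NULL pointers for whoever indexes the table by column. A compile-time guard next to the definition, such as `static_assert(FS2_COLUMN_NUM == 6, "g_kni_fs2_name must name every column");` (the file is built with g++ per the Makefile in this commit, if the toolchain supports it), or deriving the count from the initializer, ties the two together. Likewise `g_kni_threadseq[KNI_MAX_THREADNUM]` is sized by a constant while the thread count is the extern `g_iThreadNum`; whatever fills it (outside this hunk) should bound-check `g_iThreadNum` against KNI_MAX_THREADNUM.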
@@ -52,16 +56,10 @@ return: *********************************************************************************************************************/ int kni_debug_info_v4(char* module,int state_flag,struct ip* a_packet) { - -// return 0; - - struct timeval cur_time; - int iplen=ntohs(a_packet->ip_len); struct tcphdr* tcphdr=(struct tcphdr*)((char*)a_packet+4*(a_packet->ip_hl)); unsigned int seq=ntohl(tcphdr->seq); - unsigned int ack=ntohl(tcphdr->ack_seq); unsigned short sport=0; unsigned short dport=0; 
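Review bot: `kni_debug_info_v4` still reads `tcphdr->seq` through a pointer computed from `ip_hl` without checking that the packet is TCP or that the TCP header fits in `iplen`; the hunk only drops the unused `ack` and `cur_time`. Since the same function is called on packets that kni_process_readdata (later in this diff) apparently takes straight from the tun device, a guard such as `if (a_packet->ip_p != IPPROTO_TCP || iplen < 4*a_packet->ip_hl + (int)sizeof(struct tcphdr)) return 0;` before the tcphdr dereference keeps a short or non-TCP datagram from logging garbage or reading past the IP header. The function's body continues past the hunk.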
@@ -73,14 +71,77 @@ int kni_debug_info_v4(char* module,int state_flag,struct ip* a_packet) inet_ntop(AF_INET, (void *)&((a_packet->ip_src).s_addr), saddr_v4, INET_ADDRSTRLEN); inet_ntop(AF_INET, (void *)&((a_packet->ip_dst).s_addr), daddr_v4, INET_ADDRSTRLEN); - gettimeofday(&cur_time,NULL); - - MESA_handle_runtime_log(g_kni_comminfo.logger,RLOG_LV_DEBUG,module,"addr:%s,%d,%s,%d,state_flag:%d,ip_len:%d,seq:%u,ack:%u,tv_sec:%lu,tv_usec:%lu",saddr_v4,sport,daddr_v4,dport,state_flag,iplen,seq,ack,cur_time.tv_sec,cur_time.tv_usec); + MESA_handle_runtime_log(g_kni_comminfo.logger,RLOG_LV_DEBUG,module,"addr:%s,%d,%s,%d,state_flag:%d,ip_len:%d,seq:%u",saddr_v4,sport,daddr_v4,dport,state_flag,iplen,seq); return 0; } +/* +int kni_filestate2_init() +{ + int i=0; + int j=0; + int value=1; + unsigned int fs2_sport; + char fs2_filename[KNI_MAX_BUFLEN]={0}; + char fs2_sip[KNI_MAX_BUFLEN]={0}; + + MESA_load_profile_string_def((char*)KNI_CONF_FILENAME,(char*)KNI_CONF_MODE,(char*)"filestat2_filename",fs2_filename,KNI_MAX_BUFLEN,(char*)"./log/kni_fs2.log"); + MESA_load_profile_string_def((char*)KNI_CONF_FILENAME,(char*)KNI_CONF_MODE,(char*)"filestat2_sip",fs2_sip,KNI_MAX_BUFLEN,(char*)"10.127.208.15"); + MESA_load_profile_uint_def((char*)KNI_CONF_FILENAME,(char*)KNI_CONF_MODE,(char*)"filestat2_sport",(unsigned int*)&fs2_sport,8125); + + g_kni_fs2_info.handler=FS_create_handle(); + + FS_set_para(g_kni_comminfo.fs2_handler, OUTPUT_DEVICE,fs2_filename, strlen(fs2_filename)+1); + FS_set_para(g_kni_comminfo.fs2_handler, PRINT_MODE, &value, sizeof(value)); + FS_set_para(g_kni_comminfo.fs2_handler, STAT_CYCLE, &value, sizeof(value)); + FS_set_para(g_kni_comminfo.fs2_handler, CREATE_THREAD, &value, sizeof(value)); + FS_set_para(g_kni_comminfo.fs2_handler, APP_NAME, STEWARD_FS2_APPNAME, strlen(STEWARD_FS2_APPNAME)+1); + FS_set_para(g_kni_comminfo.fs2_handler, STATS_SERVER_IP, fs2_sip, strlen(fs2_sip)+1); + FS_set_para(g_kni_comminfo.fs2_handler, STATS_SERVER_PORT,&fs2_sport,sizeof(int)); + + 
for(i=0;iwin; - unsigned short win_scale=datainfo->wnscal[1]; - unsigned short ipid=random()%65535; +// unsigned short ipid=random()%65535; struct ip* iphdr=(struct ip*)a_packet; struct tcphdr* tcphdr=(struct tcphdr*)((char*)iphdr+4*(iphdr->ip_hl)); + struct kni_wndpro_reply_info* tcpinfo=&(datainfo->lastpkt_info[index]); struct ip* snd_iphdr=NULL; struct tcphdr* snd_tcphdr=NULL; @@ -482,12 +582,20 @@ int kni_keepalive_replay(struct stream_tuple4_v4* ipv4_addr,int iprever_flag,str (snd_iphdr->ip_src).s_addr=(iphdr->ip_dst).s_addr; (snd_iphdr->ip_dst).s_addr=(iphdr->ip_src).s_addr; - snd_iphdr->ip_id=htons(datainfo->ipid[index]+1); -// snd_iphdr->ip_ttl=datainfo->ttl[index]; +// snd_iphdr->ip_id=ipid; +// snd_iphdr->ip_id=htons(datainfo->lastpkt_info[index].ipid+1); +// snd_iphdr->ip_ttl=datainfo->lastpkt_info[index].ttl; + snd_tcphdr->source=tcphdr->dest; snd_tcphdr->dest=tcphdr->source; - snd_tcphdr->seq=htonl(datainfo->seq[index]+datainfo->len[index]); - snd_tcphdr->ack_seq=htonl(datainfo->ack[index]); + snd_tcphdr->seq=htonl(tcpinfo->seq+tcpinfo->len); + snd_tcphdr->ack_seq=htonl(tcpinfo->ack); + + + if(tcpinfo->syn_flag==1) + { + snd_tcphdr->seq=htonl(ntohl(snd_tcphdr->seq)+1); + } /* if(iprever_flag==0) { 
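Review bot: With all three `ip_id` assignments now commented out, `snd_iphdr->ip_id` of the keepalive reply is never written in this hunk, so it carries whatever the reply buffer held before it was filled (zero only if that buffer is zero-initialised, which is not visible here). The value the old code used is still available as `tcpinfo->ipid`, so `snd_iphdr->ip_id=htons(tcpinfo->ipid+1);` keeps the previous behaviour with the new struct. If leaving the id unset is deliberate, a one-line comment saying so would stop the next reader from re-adding it. The function continues on both sides of the hunk.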
@@ -498,16 +606,15 @@ int kni_keepalive_replay(struct stream_tuple4_v4* ipv4_addr,int iprever_flag,str sendpacket_do_checksum((unsigned char*)sendbuf,IPPROTO_TCP,(iplen-4*(iphdr->ip_hl))); sendpacket_do_checksum((unsigned char*)sendbuf,IPPROTO_IP,sizeof(struct ip)); - tun_write_data(g_kni_comminfo.fd_tun[thread_seq],sendbuf,iplen,ipv4_addr); + tun_write_data(g_kni_comminfo.fd_tun[thread_seq],sendbuf,iplen,NULL); - kni_debug_info_v4((char*)"recv_keepalive_request",STAT_FLAG_SSL_NOBMD,(struct ip*)a_packet); - kni_debug_info_v4((char*)"send_keepalive_replay",STAT_FLAG_SSL_NOBMD,(struct ip*)sendbuf); + kni_debug_info_v4((char*)"recv_keepalive_request",5,(struct ip*)a_packet); + kni_debug_info_v4((char*)"send_keepalive_replay",5,(struct ip*)sendbuf); free(sendbuf); sendbuf=NULL; - - datainfo->pro_reply[iprever_flag]=1; + datainfo->wndpro_flag[index]=1; return 1; 
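Review bot: The two `kni_debug_info_v4` calls now pass the bare literal `5` as the state flag in place of the named `STAT_FLAG_SSL_NOBMD`, while the rest of this commit moves to `KNI_FLAG_*` names (kni_process_readdata passes `KNI_FLAG_SSL`); a reader cannot tell which state `5` denotes or whether it still matches the enum after the rename. Use the `KNI_FLAG_*` constant whose value is 5 in both calls, or at least add a comment naming the flag. Passing `NULL` as the last argument of `tun_write_data` where `ipv4_addr` was passed before is a behaviour change worth a comment too, since the callee is outside the hunk and it is not visible here whether it tolerates NULL. The function begins outside the hunk.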
@@ -521,74 +628,76 @@ long kni_readtun_htable_cb_v4(void* data,const unsigned char* key,unsigned int s long result=0; struct stream_tuple4_v4* ipv4_addr=(struct stream_tuple4_v4*)key; struct args_read_tun* args=(struct args_read_tun*)user_arg; -// struct datainfo_to_tun* ret_data=(struct datainfo_to_tun*)user_arg; - struct datainfo_to_tun* datainfo=(struct datainfo_to_tun*)data; + struct kni_htable_datainfo* datainfo=(struct kni_htable_datainfo*)data; if(datainfo!=NULL) { -// memcpy(ret_data,datainfo,sizeof(struct datainfo_to_tun)); memcpy(args->smac,datainfo->smac,KNI_MACADDR_LEN); memcpy(args->dmac,datainfo->dmac,KNI_MACADDR_LEN); - - if(datainfo->pro_reply[args->iprevers]>0) + if(datainfo->wndpro_flag[1-args->iprevers]>0) { result=1; } else { kni_keepalive_replay(ipv4_addr,args->iprevers,datainfo,args->a_packet,args->iplen,args->thread_seq); - result=0; + result=1; } } -/* -#ifdef KNI_DEBUG_SWITCH - else if(ipv4_addr->saddr==1698867392) - { - printf("sip is 192.168.66.101\n"); - ret_data->route_dir=0; - ret_data->smac[0]=0x18; - ret_data->smac[1]=0x66; - ret_data->smac[2]=0xda; - ret_data->smac[3]=0xe5; - ret_data->smac[4]=0xfa; - ret_data->smac[5]=0xa1; - - ret_data->dmac[0]=0xe8; - ret_data->dmac[1]=0x61; - ret_data->dmac[2]=0x1f; - ret_data->dmac[3]=0x13; - ret_data->dmac[4]=0x70; - ret_data->dmac[5]=0x7a; - result=0; - } -#endif -*/ return result; } +int init_domain_fd() +{ + + int i_fd = 0; + struct sockaddr_un addr; + char serverpath[32] = "/home/server_unixsocket_file"; + int i_addr_len = sizeof( struct sockaddr_un ); + + if ( ( i_fd = socket( AF_UNIX, SOCK_STREAM, 0 ) ) < 0 ) +// if ( ( i_fd = socket( AF_UNIX, SOCK_DGRAM, 0 ) ) < 0 ) + { + MESA_handle_runtime_log(g_kni_comminfo.logger, RLOG_LV_FATAL,KNI_MODULE_INIT,"init_domain_fd():socket error,errno is %d,action:%s",errno,KNI_ACTION_EXIT); + return -1; + } + + //fill socket adress structure with server's address + memset( &addr, 0, sizeof( addr ) ); + addr.sun_family = AF_UNIX; + strncpy( 
addr.sun_path, serverpath, sizeof( addr.sun_path ) - 1 ); + + if ( connect( i_fd, ( struct sockaddr * )&addr, i_addr_len ) < 0 ) + { + MESA_handle_runtime_log(g_kni_comminfo.logger, RLOG_LV_FATAL,KNI_MODULE_INIT,"init_domain_fd():connect error,errno is %d,action:%s",errno,KNI_ACTION_EXIT); + return -1; + } + + return i_fd; +} + + int kni_process_readdata(int thread_seq,int buflen,char* buf) { - int ret; int iprever_flag=0; long result=0; -// struct datainfo_to_tun datainfo; - struct args_read_tun args; struct ip* iphdr=(struct ip*)buf; struct stream_tuple4_v4 ipv4_addr; - struct stream_tuple4_v6 ipv6_addr; + + struct args_read_tun args; if(iphdr->ip_v==4) { iprever_flag=kni_get_ipaddr_v4((void*)buf,&ipv4_addr); - kni_debug_info_v4((char*)KNI_MODULE_READTUN,STAT_FLAG_SSL_NOBMD,(struct ip*)buf); + kni_debug_info_v4((char*)KNI_MODULE_READTUN,KNI_FLAG_SSL,(struct ip*)buf); args.a_packet=buf; args.iplen=buflen; @@ -598,15 +707,11 @@ int kni_process_readdata(int thread_seq,int buflen,char* buf) MESA_htable_search_cb(g_kni_structinfo.htable_to_tun_v4,(unsigned char*)&ipv4_addr,sizeof(struct stream_tuple4_v4),kni_readtun_htable_cb_v4,(void*)&args,&result); if(result==1) { + kni_sendpkt_eth(thread_seq,buflen,buf,&ipv4_addr,iprever_flag,args.smac,args.dmac); } } - else - { - iprever_flag=kni_get_ipaddr_v6((void*)buf,&ipv6_addr); - } - return 0; 
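Review bot: `init_domain_fd` leaks the socket on its failure path: when `connect` fails it logs and returns -1 without `close(i_fd)`, so every failed initialisation attempt costs a descriptor; add `close(i_fd);` before that `return -1;`. The peer path is hard-coded as `/home/server_unixsocket_file`, and this descriptor appears to be the channel over which repaired TCP sockets are handed off (the removed `kni_send_fds` call used `g_kni_comminfo.fd_domain`), so it should come from configuration and live in a root-owned runtime directory rather than under /home, with the peer's identity checked after connect (`SO_PEERCRED` on Linux) so that whoever can create that path cannot stand in for the server. In `kni_readtun_htable_cb_v4` both branches now set `result=1`, so the condition only decides whether `kni_keepalive_replay` runs; a short comment there would keep the next reader from simplifying it away. The `kni_process_readdata` part of the hunk continues past its end.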
@@ -620,26 +725,111 @@ return: *********************************************************************************************************************/ void* kni_read_tun(void* arg) { - int i=0; + int thread_seq=*(int*)arg; + int recv_len=0; char recv_buf[KNI_MAX_BUFLEN] = {0}; while(1) { - for(i=0;itstamp_ok = 0; - st->sack_ok = 0; - st->wscale_ok = 0; - st->ecn_ok = 0; -// st->snd_wscale = 0; -// st->rcv_wscale = 0; - st->snd_wscale = 128; - st->rcv_wscale = 128; - - st->snd_wnd = 0x1000; - st->rcv_wnd = 0x1000; - st->inet_ttl=-1; - //make sure you set snd_una = seq (TODO: fix this in module) - - return st; -} - -/******************************************************************************************************************** -name: -function: -return: -*********************************************************************************************************************/ -int fs_set_state(int sock, struct tcp_state *st) -{ - struct sockaddr_in sin; - sin.sin_family = AF_INET; - sin.sin_addr.s_addr = st->src_ip; - sin.sin_port = st->sport; - - st->snd_una = st->seq; - - - int value = 1; - if (setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &value, sizeof(value)) < 0) { - perror("setsockopt SO_REUSEADDR"); - return -1; - } - - if (setsockopt(sock, SOL_IP, IP_TRANSPARENT, &value, sizeof(value)) < 0) { - perror("setsockopt IP_TRANSPARENT"); - return -1; - } - - if (bind(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0) { - perror("bind"); - return -1; - } - - if (setsockopt(sock, IPPROTO_TCP, TCP_STATE, st, sizeof(struct tcp_state)) < 0) { - perror("setsockopt TCP_STATE"); - return -1; - } - - return 0; -} - - - -//default:a_packet is c2s; -/******************************************************************************************************************** -name: -function: -return: -*********************************************************************************************************************/ -int fs_get_modify_state(struct tcp_state* fake_client,struct tcp_state* 
fake_server,void* a_packet,unsigned int mss) +int tcprepair_get_state(struct kni_tcp_state* fake_client,struct kni_tcp_state* fake_server,void* a_packet,struct kni_pme_info* pmeinfo) { struct ip* iphdr=(struct ip*)a_packet; @@ -740,10 +852,9 @@ int fs_get_modify_state(struct tcp_state* fake_client,struct tcp_state* fake_ser fake_client->dport =tcphdr->dest; fake_client->seq=ntohl(tcphdr->seq); fake_client->ack=ntohl(tcphdr->ack_seq); - fake_client->snd_una = fake_client->seq; - fake_client->snd_wnd = 0x1000; - fake_client->rcv_wnd = 0x1000; - fake_client->mss_clamp=mss; + fake_client->mss_src=pmeinfo->mss[KNI_DIR_C2S]; + fake_client->wscale_src=pmeinfo->wnscal[KNI_DIR_C2S]; + fake_client->wscale_dst=pmeinfo->wnscal[KNI_DIR_S2C]; fake_server->src_ip=(iphdr->ip_dst).s_addr; fake_server->sport=tcphdr->dest; 
@@ -751,155 +862,15 @@ int fs_get_modify_state(struct tcp_state* fake_client,struct tcp_state* fake_ser fake_server->dport =tcphdr->source; fake_server->seq=ntohl(tcphdr->ack_seq); fake_server->ack=ntohl(tcphdr->seq); - fake_server->snd_una = fake_server->seq; - fake_server->snd_wnd = 0x1000; - fake_server->rcv_wnd = 0x1000; - fake_server->mss_clamp=mss; + fake_server->mss_src=pmeinfo->mss[KNI_DIR_S2C]; + fake_server->wscale_src=pmeinfo->wnscal[KNI_DIR_S2C]; + fake_server->wscale_dst=pmeinfo->wnscal[KNI_DIR_C2S]; return 0; } -/******************************************************************************************************************** -name:kni_process_fs() -function: -return: - 0:succ - -1:error -*********************************************************************************************************************/ -int kni_process_fs(void* a_packet,unsigned int mss) -{ - int fds[2]={0}; - - fds[KNI_FDS_INDEX_CLIENT]=socket(AF_INET, SOCK_FORGE, 0); - fds[KNI_FDS_INDEX_SERVER]=socket(AF_INET, SOCK_FORGE, 0); - if (fds[KNI_FDS_INDEX_CLIENT] < 0 || fds[KNI_FDS_INDEX_SERVER]< 0) - { - perror("SOCK_FORGE socket"); - fprintf(stderr, "(Did you insmod forge_socket.ko?)\n"); - return -1; - } - - struct tcp_state* fake_client=fs_get_default_state(); - struct tcp_state* fake_server=fs_get_default_state(); - - fs_get_modify_state(fake_client,fake_server,a_packet,mss); - - fs_set_state(fds[KNI_FDS_INDEX_CLIENT],fake_server); - fs_set_state(fds[KNI_FDS_INDEX_SERVER],fake_client); - - kni_send_fds(g_kni_comminfo.fd_domain,fds,2); - - -// kni_debug_info_v4((char*)KNI_MODULE_SENDFD,STAT_FLAG_SSL_NOBMD,(struct ip*)a_packet); - close(fds[KNI_FDS_INDEX_CLIENT]); - close(fds[KNI_FDS_INDEX_SERVER]); - - return 0; - -} - -int tcprepair_set_state_bak(int sk,struct kni_state_info* tcp) -{ - int val,yes=1, onr = 0; - int src=KNI_INDEX_SRC; - int dst=KNI_INDEX_DST; - struct tcp_repair_opt opts[KNI_TCPREPAIR_OPT_NUM]; - struct sockaddr_in addr; - - if (setsockopt(sk, SOL_TCP, 
TCP_REPAIR, &yes, sizeof(yes))==-1) - { - MESA_handle_runtime_log(g_kni_comminfo.logger, RLOG_LV_FATAL,"tcprepair_set_state","setsockopt() TCP_REPAIR error"); - return -1; - } - - if (setsockopt(sk, SOL_SOCKET, SO_REUSEADDR, &yes, sizeof(yes)) == -1) - { - MESA_handle_runtime_log(g_kni_comminfo.logger, RLOG_LV_FATAL,"tcprepair_set_state","setsockopt() SO_REUSEADDR error"); - return -1; - } - - /* ============= Restore TCP properties ==================*/ - val = TCP_SEND_QUEUE; - if (setsockopt(sk, SOL_TCP, TCP_REPAIR_QUEUE, &val, sizeof(val))) - { - MESA_handle_runtime_log(g_kni_comminfo.logger, RLOG_LV_FATAL,"tcprepair_set_state","setsockopt() TCP_REPAIR_QUEUE,TCP_SEND_QUEUE error"); - return -1; - } - - val = tcp[src].seq; - if (setsockopt(sk, SOL_TCP, TCP_QUEUE_SEQ, &val, sizeof(val))) - { - MESA_handle_runtime_log(g_kni_comminfo.logger, RLOG_LV_FATAL,"tcprepair_set_state","setsockopt() TCP_QUEUE_SEQ error"); - return -1; - } - - val = TCP_RECV_QUEUE; - if (setsockopt(sk, SOL_TCP, TCP_REPAIR_QUEUE, &val, sizeof(val))) - { - MESA_handle_runtime_log(g_kni_comminfo.logger, RLOG_LV_FATAL,"tcprepair_set_state","setsockopt() TCP_REPAIR_QUEUE,TCP_RECV_QUEUE error"); - return -1; - } - - val = tcp[dst].seq; - if (setsockopt(sk, SOL_TCP, TCP_QUEUE_SEQ, &val, sizeof(val))) - { - MESA_handle_runtime_log(g_kni_comminfo.logger, RLOG_LV_FATAL,"tcprepair_set_state","setsockopt() TCP_QUEUE_SEQ error"); - return -1; - } - - /* ============= Bind and connect ================ */ - memset(&addr,0,sizeof(addr)); - addr.sin_family = AF_INET; - addr.sin_port = htons(tcp[src].port); - if (inet_pton(AF_INET, tcp[src].addr, &(addr.sin_addr)) < 0) - { - MESA_handle_runtime_log(g_kni_comminfo.logger, RLOG_LV_FATAL,"tcprepair_set_state","setsockopt() TCP_QUEUE_SEQ error"); - return -1; - } - - if (bind(sk, (struct sockaddr *) &addr, sizeof(addr))) - { - MESA_handle_runtime_log(g_kni_comminfo.logger, RLOG_LV_FATAL,"tcprepair_set_state","setsockopt() TCP_QUEUE_SEQ error"); - return -1; - } - 
- memset(&addr,0,sizeof(addr)); - addr.sin_family = AF_INET; - addr.sin_port = htons(tcp[dst].port); - if (inet_pton(AF_INET, tcp[dst].addr, &(addr.sin_addr)) < 0) - { - MESA_handle_runtime_log(g_kni_comminfo.logger, RLOG_LV_FATAL,"tcprepair_set_state","setsockopt() TCP_QUEUE_SEQ error"); - return -1; - } - - if (connect(sk, (struct sockaddr *) &addr, sizeof(addr))) - { - MESA_handle_runtime_log(g_kni_comminfo.logger, RLOG_LV_FATAL,"tcprepair_set_state","setsockopt() TCP_QUEUE_SEQ error"); - return -1; - } - - opts[onr].opt_code = TCPOPT_WINDOW; - opts[onr].opt_val = tcp[src].wscale + (tcp[dst].wscale << 16); - onr++; - - opts[onr].opt_code = TCPOPT_MAXSEG; - opts[onr].opt_val = tcp[src].mss_clamp; - onr++; - - if (setsockopt(sk, SOL_TCP, TCP_REPAIR_OPTIONS,opts, onr * sizeof(struct tcp_repair_opt)) < 0) - { - MESA_handle_runtime_log(g_kni_comminfo.logger, RLOG_LV_FATAL,"tcprepair_set_state","setsockopt() TCP_QUEUE_SEQ error"); - return -1; - } - - return 0; - - -} - - -int tcprepair_set_state(int sk,struct kni_tcp_state* tcp,struct tcp_repair_window win) +int tcprepair_set_state(int sk,struct kni_tcp_state* tcp) { int val,yes=1, onr = 0; struct tcp_repair_opt opts[KNI_TCPREPAIR_OPT_NUM]; 
@@ -954,37 +925,27 @@ int tcprepair_set_state(int sk,struct kni_tcp_state* tcp,struct tcp_repair_windo return -1; } - -/* if (setsockopt(sk, SOL_TCP, TCP_REPAIR_WINDOW, &win, sizeof(win))) +/* + struct tcp_repair_window win; + + win.snd_wl1=tcp->seq; + win.snd_wnd=tcp->wnscale[KNI_DIR_C2S]<wnscale[KNI_DIR_S2C]; + win.max_window=win.snd_wnd; + win.rcv_wnd=win.snd_wnd; + win.rcv_wup=win.snd_wl1; + + if (setsockopt(sk, SOL_TCP, TCP_REPAIR_WINDOW, &win, sizeof(win))) { MESA_handle_runtime_log(g_kni_comminfo.logger, RLOG_LV_FATAL,"tcprepair_set_state","setsockopt() TCP_REPAIR_WINDOW error,errno:%d",errno); return -1; } - -//test - -// MESA_handle_runtime_log(g_kni_comminfo.logger, RLOG_LV_FATAL,"tcprepair_set_state","snd_wl1:%u,snd_wnd:%u,max_wnd:%u,rcv_wnd:%u,rcv_wup:%u",win.snd_wl1,win.snd_wnd,win.max_window,win.rcv_wnd,win.rcv_wup); - - struct tcp_repair_window win_tmp; - socklen_t opt_len=sizeof(win_tmp); - - if (getsockopt(sk, SOL_TCP, TCP_REPAIR_WINDOW, &win_tmp,&opt_len)) - { - MESA_handle_runtime_log(g_kni_comminfo.logger, RLOG_LV_FATAL,"tcprepair_set_state","getsockopt() TCP_REPAIR_WINDOW error,errno:%d",errno); - return -1; - } - - MESA_handle_runtime_log(g_kni_comminfo.logger, RLOG_LV_FATAL,"tcprepair_set_state","snd_wl1:%u,snd_wnd:%u,max_wnd:%u,rcv_wnd:%u,rcv_wup:%u",win_tmp.snd_wl1,win_tmp.snd_wnd,win_tmp.max_window,win_tmp.rcv_wnd,win_tmp.rcv_wup); - -//end -*/ + */ /* ============= Bind and connect ================ */ memset(&addr,0,sizeof(addr)); addr.sin_family = AF_INET; addr.sin_port = tcp->sport; addr.sin_addr.s_addr=tcp->src_ip; -// addr.sin_addr.s_addr= g_kni_comminfo.local_ip; if (bind(sk, (struct sockaddr *) &addr, sizeof(addr))) { 
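Review bot: The TCP_REPAIR_WINDOW restore is now entirely inside a `/* … */` block, so `tcprepair_set_state` no longer sets any window on the repaired socket and the `win` argument has gone from the signature; if that is intentional the block should say why and what the kernel is left with, otherwise it should be re-enabled. As written the commented code cannot be re-enabled as is: it reads `tcp->wnscale[KNI_DIR_C2S]` while the rest of this commit populates `struct kni_tcp_state` through `wscale_src`/`wscale_dst` (see tcprepair_get_state), so the field names may not even exist on that struct. Dead code that references fields of uncertain existence is better removed than kept. The function begins and ends outside the hunk.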
@@ -1030,43 +991,9 @@ int tcprepair_set_state(int sk,struct kni_tcp_state* tcp,struct tcp_repair_windo } -int tcprepair_get_state(struct kni_tcp_state* fake_client,struct kni_tcp_state* fake_server,void* a_packet,unsigned short* mss,unsigned short* wnscale,unsigned short win) - { - - struct ip* iphdr=(struct ip*)a_packet; - struct tcphdr* tcphdr=(struct tcphdr*)((char*)a_packet+4*(iphdr->ip_hl)); - - fake_client->src_ip=(iphdr->ip_src).s_addr; - fake_client->sport=tcphdr->source; - fake_client->dst_ip=(iphdr->ip_dst).s_addr; - fake_client->dport =tcphdr->dest; - fake_client->seq=ntohl(tcphdr->seq); - fake_client->ack=ntohl(tcphdr->ack_seq); -// fake_client->win=ntohs(tcphdr->window); - fake_client->win=win; - fake_client->mss_src=mss[KNI_INDEX_SRC]; - fake_client->mss_dst=mss[KNI_INDEX_DST]; - fake_client->wscale_src=wnscale[KNI_INDEX_SRC]; - fake_client->wscale_dst=wnscale[KNI_INDEX_DST]; - - fake_server->src_ip=(iphdr->ip_dst).s_addr; - fake_server->sport=tcphdr->dest; - fake_server->dst_ip=(iphdr->ip_src).s_addr; - fake_server->dport =tcphdr->source; - fake_server->seq=ntohl(tcphdr->ack_seq); - fake_server->ack=ntohl(tcphdr->seq); - fake_server->win=ntohs(tcphdr->window); - fake_server->mss_src=mss[KNI_INDEX_DST]; - fake_server->mss_dst=mss[KNI_INDEX_SRC]; - fake_server->wscale_src=wnscale[KNI_INDEX_DST]; - fake_server->wscale_dst=wnscale[KNI_INDEX_SRC]; - - return 0; - } - - -int kni_process_tcprepair(void* a_packet,unsigned short* mss,unsigned short* wnscale,unsigned short win) +int tcp_repair_process(const struct streaminfo* pstream,const struct ip* a_packet,struct kni_pme_info* pmeinfo,int protocol) { + int ret=0; int fds[2]; int fd_client,fd_server; struct kni_tcp_state fake_client; 
@@ -1074,9 +1001,7 @@ int kni_process_tcprepair(void* a_packet,unsigned short* mss,unsigned short* wns struct ip* iphdr=(struct ip*)a_packet; struct tcphdr* tcphdr=(struct tcphdr*)((char*)a_packet+4*(iphdr->ip_hl)); - int tcplen=ntohs(iphdr->ip_len)-4*iphdr->ip_hl-4*tcphdr->doff; - struct tcp_repair_window fclient_win; - struct tcp_repair_window fserver_win; +// int tcplen=ntohs(iphdr->ip_len)-4*iphdr->ip_hl-4*tcphdr->doff; fd_client = socket(AF_INET, SOCK_STREAM, 0); fd_server = socket(AF_INET, SOCK_STREAM, 0); @@ -1086,38 +1011,28 @@ int kni_process_tcprepair(void* a_packet,unsigned short* mss,unsigned short* wns return -1; } - tcprepair_get_state(&fake_client,&fake_server,a_packet,mss,wnscale,win); + tcprepair_get_state(&fake_client,&fake_server,(void*)a_packet,pmeinfo); - fserver_win.snd_wl1=ntohl(tcphdr->seq); - fserver_win.snd_wnd=ntohs(tcphdr->window)<seq); - - fclient_win.snd_wl1=ntohl(tcphdr->ack_seq)-1; - fclient_win.snd_wnd=win; - fclient_win.max_window=fclient_win.snd_wnd; - fclient_win.rcv_wnd=ntohs(tcphdr->window)<ack_seq); + ret=tcprepair_set_state(fd_client,&fake_server); + if(ret<0) + { + MESA_handle_runtime_log(g_kni_comminfo.logger, RLOG_LV_FATAL,"tcprepair_set_state","fd_client tcprepair_set_state() error,dropme and fwdpkt"); + return -1; + } -/* -//c has get - fclient_win.snd_wl1=ntohl(tcphdr->ack_seq); - fclient_win.snd_wnd=ntohs(tcphdr->window)<0) { - state_flag=STAT_FLAG_SNIBMD; + state_flag=KNI_FLAG_SNIBMD; } return state_flag; @@ -1156,10 +1071,11 @@ return :state_flag ssl:STAT_FLAG_SSL_NOBMD not ssl:STAT_FLAG_NOTSSL ***************************************************************************************/ -int kni_judge_ssl(char* tcp_data,int tcp_datalen,char* sni,int* sni_len) +/* +int kni_judge_ssl_bak(char* tcp_data,int tcp_datalen,char* sni,int* sni_len) { -// int state_flag=STAT_FLAG_NONE; - return STAT_FLAG_SSL_NOBMD; +// int state_flag=KNI_FLAG_SSL_HALF; +// return STAT_FLAG_SSL_NOBMD; int ssl_header_len=0; 
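Review bot: `fd_client` and `fd_server` are created here, but the error return added further down in `tcp_repair_process` (`if(ret<0) { … return -1; }` after `tcprepair_set_state(fd_client,&fake_server)`) leaves both sockets open, so each failed repair leaks two descriptors; close both before that `return -1`, e.g. `close(fd_client); close(fd_server); return -1;`. The same applies to any later failure return in this function whose lines are not visible here. The `// int tcplen=…` line is dead code now that the local is gone; drop it rather than leaving it commented. The function begins and ends outside the hunk.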
@@ -1291,75 +1207,91 @@ int kni_judge_ssl(char* tcp_data,int tcp_datalen,char* sni,int* sni_len) return STAT_FLAG_NOTSSL; } - +*/ /*************************************************************************************** return :state_flag ipbmd:STAT_FLAG_IPBMD not ipbmd:STAT_FLAG_NONE ***************************************************************************************/ -int kni_judge_ipbmd(struct ipaddr* addr,int thread_seq) +int kni_judge_ipbmd(struct ipaddr* addr,int thread_seq,int protocol) { - int state_flag=STAT_FLAG_NONE; + int state_flag=KNI_FLAG_UNKNOW; int ipscan_num=0; scan_status_t mid=NULL; struct Maat_rule_t maat_result[KNI_MAX_CFGNUM]; - ipscan_num=Maat_scan_proto_addr(g_kni_maatinfo.maat_feather,g_kni_maatinfo.tableid_ipbmd,addr,PROTO_TYPE_TCP,maat_result,KNI_MAX_CFGNUM,&mid,thread_seq); + ipscan_num=Maat_scan_proto_addr(g_kni_maatinfo.maat_feather,g_kni_maatinfo.tableid_ipbmd,addr,protocol,maat_result,KNI_MAX_CFGNUM,&mid,thread_seq); Maat_clean_status(&mid); if(ipscan_num>0) { - state_flag=STAT_FLAG_IPBMD; + state_flag=KNI_FLAG_IPBMD; } return state_flag; } -int kni_get_mss(struct kni_tcp_hdr* tcphdr,int tcp_hdr_len,unsigned short* mss,unsigned char* winscale) +int kni_get_tcpinfo(struct kni_wndpro_reply_info* lastpkt_info,struct kni_tcp_hdr* tcphdr,int tcplen,struct ip* ip_hdr) { -// unsigned short mss=KNI_DEFAULT_MSS; + lastpkt_info->seq=ntohl(tcphdr->th_seq); + lastpkt_info->ack=ntohl(tcphdr->th_ack); + lastpkt_info->ipid=ntohs(ip_hdr->ip_id); + lastpkt_info->ttl=ip_hdr->ip_ttl; + lastpkt_info->len=tcplen; + lastpkt_info->wndsize=ntohs(tcphdr->th_win); + + if(tcphdr->th_flags&TH_SYN) + { + lastpkt_info->syn_flag=1; + } + + return 0; +} + +int kni_get_tcpopt(struct kni_tcp_hdr* tcphdr,int tcp_hdr_len,unsigned short* mss,unsigned char* winscale) +{ + *mss=KNI_DEFAULT_MSS; *winscale=KNI_DEFAULT_WINSCLE; -// return 0; int remain_len=tcp_hdr_len; - struct kni_tcp_opt* tcp_opt=NULL; + struct kni_tcp_opt_format* tcp_opt=NULL; 
if((tcp_hdr_len<=20)||(tcp_hdr_len>64)) { return 0; } - tcp_opt=(struct kni_tcp_opt*)((char*)tcphdr+TCPHDR_DEFAULT_LEN); + tcp_opt=(struct kni_tcp_opt_format*)((char*)tcphdr+TCPHDR_DEFAULT_LEN); remain_len-=TCPHDR_DEFAULT_LEN; while(remain_len) { - if(tcp_opt->type==2) //MSS + if(tcp_opt->type==KNI_TCPOPT_MSS) //MSS { remain_len-=tcp_opt->len; *mss=htons(*(unsigned short*)(tcp_opt->content)); - tcp_opt=(struct kni_tcp_opt*)((char*)tcp_opt+tcp_opt->len); + tcp_opt=(struct kni_tcp_opt_format*)((char*)tcp_opt+tcp_opt->len); } - else if(tcp_opt->type==3) //winscale + else if(tcp_opt->type==KNI_TCPOPT_WINSCALE) //winscale { remain_len-=tcp_opt->len; *winscale=*(unsigned char*)(tcp_opt->content); - tcp_opt=(struct kni_tcp_opt*)((char*)tcp_opt+tcp_opt->len); + tcp_opt=(struct kni_tcp_opt_format*)((char*)tcp_opt+tcp_opt->len); } else if((tcp_opt->type==0)||(tcp_opt->type==1)) { remain_len-=1; - tcp_opt=(struct kni_tcp_opt*)((char*)tcp_opt+1); + tcp_opt=(struct kni_tcp_opt_format*)((char*)tcp_opt+1); } else { remain_len-=tcp_opt->len; - tcp_opt=(struct kni_tcp_opt*)((char*)tcp_opt+tcp_opt->len); + tcp_opt=(struct kni_tcp_opt_format*)((char*)tcp_opt+tcp_opt->len); } } 
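Review bot: The option walk in `kni_get_tcpopt` (the loop starting at `while(remain_len)`) trusts `tcp_opt->len` from the packet: a kind other than 0/1 with `len==0` never advances `tcp_opt`, so the loop spins forever, and a `len` larger than `remain_len` drives `remain_len` negative, which `while(remain_len)` treats as true and keeps reading options past the header (the MSS branch then reads two bytes of `content` that may lie outside it). Change the condition to `while(remain_len>0)` and add `if(tcp_opt->type!=0 && tcp_opt->type!=1 && (tcp_opt->len<2 || tcp_opt->len>remain_len)) break;` as the first statement of the loop body. Separately, the new `kni_get_tcpinfo` only ever sets `syn_flag=1` and never clears it, so unless `lastpkt_info` is zeroed before each call the flag stays set for every later packet and `kni_keepalive_replay` (earlier in this diff) then bumps the reply seq by one on every keepalive; `lastpkt_info->syn_flag=(tcphdr->th_flags&TH_SYN)?1:0;` makes it track the current packet. The tail of `kni_get_tcpopt` lies outside the hunk.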
@@ -1368,137 +1300,419 @@ int kni_get_mss(struct kni_tcp_hdr* tcphdr,int tcp_hdr_len,unsigned short* mss,u } - -long kni_state_htable_cb_v4(void* data,const unsigned char* key,unsigned int size,void* user_arg) +int kni_get_data(const struct streaminfo* pstream,char* data,int* datalen) { - long state_flag=STAT_FLAG_NONE; - - int iprevers; - - int sni_len=0; - char sni[KNI_MAX_BUFLEN]={0}; - - struct ipaddr addr_ipbmd; - - struct datainfo_to_tun* datainfo=(struct datainfo_to_tun*)data; - struct args_to_tun* arg=(struct args_to_tun*)user_arg; - - - struct ip* iphdr=(struct ip*)(arg->a_packet); - struct kni_tcp_hdr* tcphdr=(struct kni_tcp_hdr*)((char*)iphdr+4*(iphdr->ip_hl)); - struct layer_addr_mac* mac_addr=(struct layer_addr_mac*)((char*)iphdr-KNI_ETHER_LEN); - -// if((datainfo==NULL)&&(tcphdr->th_flags&TH_SYN)&&!(tcphdr->th_flags&TH_ACK)) - if(datainfo==NULL) + if(pstream->type==STREAM_TYPE_TCP) { - datainfo=(struct datainfo_to_tun*)malloc(sizeof(struct datainfo_to_tun)); - memset(datainfo,0,sizeof(struct datainfo_to_tun)); - datainfo->route_dir=arg->routdir; + data=(char*)(pstream->ptcpdetail->pdata); + *datalen=pstream->ptcpdetail->datalen; + } + else if(pstream->type==STREAM_TYPE_UDP) + { + data=(char*)(pstream->pudpdetail->pdata); + *datalen=pstream->pudpdetail->datalen; + } + else + { + data=NULL; + *datalen=0; + } + + return 0; + + +} + +int kni_htable_add(const struct streaminfo* pstream,const struct ip* ip_hdr,struct kni_pme_info* pmeinfo) +{ + int iprevers=0; + struct stream_tuple4_v4 ipv4_addr; + struct layer_addr_mac* mac_addr=(struct layer_addr_mac*)((char*)ip_hdr-KNI_ETHER_LEN); + struct kni_htable_datainfo* datainfo=(struct kni_htable_datainfo*)malloc(sizeof(struct kni_htable_datainfo)); + memset(datainfo,0,sizeof(struct kni_htable_datainfo)); + + iprevers=kni_get_ipaddr_v4((void*)ip_hdr,&ipv4_addr); + +//send pkt info + if(iprevers==0) + { + datainfo->route_dir=pstream->routedir; + memcpy(datainfo->smac,mac_addr->src_mac,MAC_ADDR_LEN); + 
memcpy(datainfo->dmac,mac_addr->dst_mac,MAC_ADDR_LEN); + } + else + { + datainfo->route_dir=MESA_dir_reverse(pstream->routedir); + memcpy(datainfo->smac,mac_addr->dst_mac,MAC_ADDR_LEN); + memcpy(datainfo->dmac,mac_addr->src_mac,MAC_ADDR_LEN); + } + +//send wnd_pro_reply info + memcpy(datainfo->wnscal,pmeinfo->wnscal,KNI_DIR_DOUBLE*sizeof(unsigned char)); + memcpy(datainfo->mss,pmeinfo->mss,KNI_DIR_DOUBLE*sizeof(unsigned short)); + memcpy(&(datainfo->lastpkt_info),&(pmeinfo->lastpkt_info),KNI_DIR_DOUBLE*sizeof(struct kni_wndpro_reply_info)); + + MESA_htable_add(g_kni_structinfo.htable_to_tun_v4,(unsigned char*)&ipv4_addr,sizeof(struct stream_tuple4_v4),(void*)datainfo); + + return 0; +} + + + + + +/*************************************************************************************** +return :state_flag +ssl:STAT_FLAG_SSL_NOBMD +not ssl:STAT_FLAG_NOTSSL +***************************************************************************************/ +int kni_judge_ssl(char* tcp_data,int tcp_datalen,char* sni,int* sni_len) +{ +// int state_flag=KNI_FLAG_SSL_HALF; + return KNI_FLAG_SSL; + + + int ssl_header_len=0; + char* ssl_header=NULL; + unsigned char content_type=0; + unsigned short version_in_header=0; + unsigned short len_in_header=0; + + + int ssl_body_len=0; + char* ssl_body=NULL; + unsigned char handshark_type=0; + unsigned int len_in_body=0; + unsigned short version_in_body=0; + unsigned char session_id_len=0; + unsigned short ciphersuite_len=0; + unsigned char compression_method_len=0; + + + int ssl_extention_len=0; + char* ssl_extention=NULL; + unsigned short extension_len_less=0; + unsigned short type_in_extension=0; + unsigned short len_in_extension=0; + +//ssl header + ssl_header=tcp_data; + + content_type=*(unsigned char*)&ssl_header[ssl_header_len]; + if(content_type!=SSL_CONTENTTYPE_HANDSHAKE) + { + return KNI_FLAG_SSL_HALF; + } + ssl_header_len+=1; + + version_in_header=ntohs(*(unsigned short*)&(ssl_header[ssl_header_len])); + 
if((version_in_header!=SSL_VERSION_TLS1_0)&&(version_in_header!=SSL_VERSION_TLS1_1)&&(version_in_header!=SSL_VERSION_TLS1_2)) + { + return KNI_FLAG_SSL_HALF; + } + ssl_header_len+=2; + + len_in_header=ntohs(*(unsigned short*)&(ssl_header[ssl_header_len])); + if(len_in_header!=tcp_datalen-SSL_HEADER_LEN) + { + return KNI_FLAG_SSL_HALF; + } + ssl_header_len+=2; + +//ssl body + ssl_body=ssl_header+ssl_header_len; + + handshark_type=*(unsigned char*)&(ssl_body[ssl_body_len]); + if(handshark_type!=SSL_HANDSHAR_TYPE_CLIENTHELLO) + { + return KNI_FLAG_SSL_HALF; + } + ssl_body_len+=1; + +// memcpy(&len_in_body,&ssl_body[ssl_body_len],3); + len_in_body=*(unsigned char*)&ssl_body[ssl_body_len+2]+256*(*(unsigned char*)&ssl_body[ssl_body_len+1])+65536*(*(unsigned char*)&ssl_body[ssl_body_len]); + if(len_in_body!=(len_in_header-SSL_BODY_LEN)) + { + return KNI_FLAG_SSL_HALF; + } + + ssl_body_len+=3; + + version_in_body=ntohs(*(unsigned short*)&(ssl_body[ssl_body_len])); + if((version_in_body!=SSL_VERSION_TLS1_0)&&(version_in_body!=SSL_VERSION_TLS1_1)&&(version_in_body!=SSL_VERSION_TLS1_2)) + { + return KNI_FLAG_SSL_HALF; + } + ssl_body_len+=2; + + ssl_body_len+=32; //4byte time,28bytes random + + session_id_len=*(unsigned char*)&(ssl_body[ssl_body_len]); + ssl_body_len+=1; + ssl_body_len+=session_id_len; + + ciphersuite_len=ntohs(*(unsigned short*)&(ssl_body[ssl_body_len])); + ssl_body_len+=2; + ssl_body_len+=ciphersuite_len; + + compression_method_len=*(unsigned char*)&(ssl_body[ssl_body_len]); + ssl_body_len+=1; + ssl_body_len+=compression_method_len; + +//ssl extention + ssl_extention=ssl_body+ssl_body_len; + + extension_len_less=ntohs(*(unsigned short*)&ssl_extention[ssl_extention_len]); + if(extension_len_less!=len_in_body-2-32-1-session_id_len-2-ciphersuite_len-1-compression_method_len-2) + { + return KNI_FLAG_SSL_HALF; + } + ssl_extention_len+=2; + + while(ssl_extention_lenmss[0]=KNI_DEFAULT_MSS; - datainfo->mss[1]=KNI_DEFAULT_MSS; - 
datainfo->wnscal[0]=KNI_DEFAULT_WINSCLE; - datainfo->wnscal[1]=KNI_DEFAULT_WINSCLE; - -*/ - - memset(&addr_ipbmd,0,sizeof(struct ipaddr)); - addr_ipbmd.addrtype=ADDR_TYPE_IPV4; - addr_ipbmd.v4=(struct stream_tuple4_v4*)key; - - datainfo->state_flag=kni_judge_ipbmd(&addr_ipbmd,arg->thread_seq); - kni_get_mss(tcphdr,ntohs(iphdr->ip_len)-4*(iphdr->ip_hl)-arg->tcpdata_len,&(datainfo->mss[KNI_INDEX_SRC]),(unsigned char*)&(datainfo->wnscal[KNI_INDEX_SRC])); -//for sendpkt - if(arg->iprevers==0) + if(type_in_extension==SSL_EXTENSION_TYPE_SNI) { - memcpy(datainfo->smac,mac_addr->src_mac,MAC_ADDR_LEN); - memcpy(datainfo->dmac,mac_addr->dst_mac,MAC_ADDR_LEN); + if(len_in_extension>KNI_SNI_MAXLEN) + { + //error + return KNI_FLAG_SSL_HALF; + } + + memcpy(sni,&ssl_extention[ssl_extention_len],len_in_extension); + *sni_len=len_in_extension; + + return KNI_FLAG_SSL; } else { - memcpy(datainfo->smac,mac_addr->dst_mac,MAC_ADDR_LEN); - memcpy(datainfo->dmac,mac_addr->src_mac,MAC_ADDR_LEN); - } -//end - MESA_htable_add(g_kni_structinfo.htable_to_tun_v4, key,size,(void*)datainfo); + ssl_extention_len+=len_in_extension; - } - - if(datainfo==NULL) - { - return state_flag; - } - - datainfo->pktnum++; - - iprevers=arg->iprevers; - - if(datainfo->pro_reply[iprevers]==0) - { - datainfo->seq[iprevers]=ntohl(tcphdr->th_seq); - datainfo->ack[iprevers]=ntohl(tcphdr->th_ack); - datainfo->ipid[iprevers]=ntohs(iphdr->ip_id); - datainfo->ttl[iprevers]=iphdr->ip_ttl; - datainfo->len[iprevers]=ntohs(iphdr->ip_len)-4*iphdr->ip_hl-4*tcphdr->th_off; - - if(tcphdr->th_flags&TH_SYN) - { - datainfo->len[iprevers]=1; - } - - } - - -// if((datainfo->state_flag==STAT_FLAG_NONE)&&(arg->iprevers==1)) - if((datainfo->state_flag==STAT_FLAG_NONE)&&(datainfo->pktnum==2)) - { - datainfo->win=ntohs(tcphdr->th_win); - kni_get_mss(tcphdr,ntohs(iphdr->ip_len)-4*(iphdr->ip_hl)-arg->tcpdata_len,&(datainfo->mss[KNI_INDEX_DST]),(unsigned char*)&(datainfo->wnscal[KNI_INDEX_DST])); - } - - /* - - 
if((datainfo->state_flag==STAT_FLAG_NONE)&&(tcphdr->th_flags&TH_SYN)&&(tcphdr->th_flags&TH_ACK)) - { - mss=kni_get_mss(tcphdr,ntohs(iphdr->ip_len)-4*(iphdr->ip_hl)-arg->tcpdata_len); - datainfo->mss=(datainfo->mssmss:mss; - } -*/ - -#ifdef KNI_DEBUG_SWITCH - return STAT_FLAG_SSL_NOBMD; -#endif - -//only process full stream pkt,star from syn,double dir; - if((datainfo->state_flag==STAT_FLAG_NONE)&&(arg->tcpdata_len>0)) - { - datainfo->state_flag=kni_judge_ssl(arg->tcpdata,arg->tcpdata_len,sni,&sni_len); - if(datainfo->state_flag==STAT_FLAG_SSL_NOBMD) - { - datainfo->state_flag=kni_judge_sni(sni,sni_len,arg->thread_seq); - if(datainfo->state_flag==STAT_FLAG_SSL_NOBMD) - { -// kni_process_fs(arg->a_packet,datainfo->mss); - kni_process_tcprepair(arg->a_packet,datainfo->mss,datainfo->wnscal,datainfo->win); - - } + continue; } } - - - return datainfo->state_flag; + + return KNI_FLAG_SSL_HALF; } +int kni_protocol_identify(const struct streaminfo* pstream,const struct ip* ip_hdr) +{ + int pro_flag=KNI_FLAG_NOTPROC; + + unsigned short sport=ntohs(pstream->addr.tuple4_v4->source); + unsigned short dport=ntohs(pstream->addr.tuple4_v4->dest); + + if((sport==80)||(dport==80)) + { + pro_flag=KNI_FLAG_HTTP; + } + else if((sport==443)||(dport==443)) + { + pro_flag=KNI_FLAG_SSL_HALF; + } + + + return pro_flag; +} + + +char kni_first_tcpdata(const struct streaminfo* pstream,const struct ip* ip_hdr,struct kni_pme_info* pmeinfo,char* data,int datalen) +{ + char ret=APP_STATE_FAWPKT|APP_STATE_DROPME; + + int sni_len=0; + char sni[KNI_MAX_BUFLEN]={0}; + + pmeinfo->status_flag=kni_protocol_identify(pstream,ip_hdr); + + if(pmeinfo->status_flag==KNI_FLAG_SSL_HALF) + { + pmeinfo->status_flag=kni_judge_ssl(data,datalen,sni,&sni_len); //has kni:SSL_HALF;no kni:NOT_PROC + if(pmeinfo->status_flag==KNI_FLAG_SSL_HALF) + { + pmeinfo->status_flag=kni_judge_sni(sni,sni_len,pstream->threadnum); //SNI_BMD:NOT_PROC;or SSL + } + } + + if((pmeinfo->status_flag==KNI_FLAG_HTTP) 
||(pmeinfo->status_flag==KNI_FLAG_SSL)) + { + + if(tcp_repair_process(pstream,ip_hdr,pmeinfo,pmeinfo->status_flag)<0) + { + return ret; + } + + kni_htable_add(pstream,ip_hdr,pmeinfo); + + ret=APP_STATE_DROPPKT|APP_STATE_GIVEME; + } + + return ret; + + +} + +char kni_pending_opstate(const struct streaminfo* pstream,void** pme,int thread_seq,const struct ip* ip_hdr,int protocol) +{ + char ret=APP_STATE_FAWPKT|APP_STATE_DROPME; + + char* data=NULL; + int datalen=0; + + int ipscan_action=0; + int iplen=ntohs(ip_hdr->ip_len); + struct kni_pme_info* pmeinfo=NULL; + struct kni_tcp_hdr* tcphdr=(struct kni_tcp_hdr*)((char*)ip_hdr+4*(ip_hdr->ip_hl)); + + ipscan_action=kni_judge_ipbmd((struct ipaddr*)&(pstream->addr),thread_seq,protocol); + if(ipscan_action==KNI_ACTION_IPBMD) + { + return ret; + } + + + pmeinfo=(struct kni_pme_info*)malloc(sizeof(struct kni_pme_info)); + memset(pmeinfo,0,sizeof(struct kni_pme_info)); + *pme=pmeinfo; + + pmeinfo->status_flag=KNI_FLAG_UNKNOW; +// pmeinfo->wndsize[pstream->curdir-1]=ntohs(tcphdr->th_win); +// if((tcphdr->th_flags&TH_SYN)&&!(tcphdr->th_flags&TH_ACK)) //get wndscale and mss from tcpopt only in syn and syn/ack + { + kni_get_data(pstream,data,&datalen); + kni_get_tcpopt(tcphdr,iplen-4*(ip_hdr->ip_hl)-datalen,&(pmeinfo->mss[pstream->curdir-1]),&(pmeinfo->wnscal[pstream->curdir-1])); + + } + + kni_get_tcpinfo(&(pmeinfo->lastpkt_info[pstream->curdir-1]),tcphdr,ntohs(ip_hdr->ip_len)-4*ip_hdr->ip_hl-4*tcphdr->th_off,(struct ip*)ip_hdr); + + if(datalen>0) + { + ret=kni_first_tcpdata(pstream,ip_hdr,pmeinfo,data,datalen); + if((pmeinfo->status_flag==KNI_FLAG_HTTP) ||(pmeinfo->status_flag==KNI_FLAG_SSL)) + { + ret=tun_write_data(g_kni_comminfo.fd_tun[thread_seq],(char*)ip_hdr,iplen,(struct streaminfo*)pstream); + } + } + else + { + ret=APP_STATE_FAWPKT|APP_STATE_GIVEME; + } + + return ret; + +} + + +char kni_data_opstate(const struct streaminfo* pstream,void** pme,int thread_seq,const struct ip* ip_hdr) +{ + char 
ret=APP_STATE_DROPPKT|APP_STATE_GIVEME; + + char* data=NULL; + int datalen=0; + + int iplen=ntohs(ip_hdr->ip_len); + struct kni_pme_info* pmeinfo=(struct kni_pme_info*)*pme; + struct kni_tcp_hdr* tcphdr=(struct kni_tcp_hdr*)((char*)ip_hdr+4*(ip_hdr->ip_hl)); + + kni_get_data(pstream,data,&datalen); + + if(pmeinfo->status_flag==KNI_FLAG_UNKNOW) + { + if((tcphdr->th_flags&TH_SYN)&&(tcphdr->th_flags&TH_ACK)) + { + + kni_get_tcpopt(tcphdr,iplen-4*(ip_hdr->ip_hl)-datalen,&(pmeinfo->mss[pstream->curdir-1]),&(pmeinfo->wnscal[pstream->curdir-1])); + } + + kni_get_tcpinfo(&(pmeinfo->lastpkt_info[pstream->curdir-1]),tcphdr,ntohs(ip_hdr->ip_len)-4*ip_hdr->ip_hl-4*tcphdr->th_off,(struct ip*)ip_hdr); + + if(datalen>0) + { + ret=kni_first_tcpdata(pstream,ip_hdr,pmeinfo,data,datalen); + } + else + { + ret=APP_STATE_FAWPKT|APP_STATE_GIVEME; + } + } + + if((pmeinfo->status_flag==KNI_FLAG_HTTP)||(pmeinfo->status_flag==KNI_FLAG_SSL)) + { + ret=tun_write_data(g_kni_comminfo.fd_tun[thread_seq],(char*)ip_hdr,iplen,(struct streaminfo*)pstream); + } + + return ret; + +} + +char kni_close_opstate(const struct streaminfo* pstream,void** pme,int thread_seq,const struct ip* ip_hdr) +{ + + char ret=APP_STATE_FAWPKT|APP_STATE_DROPME; + + if(ip_hdr==NULL) + { + return ret; + } + + ret=kni_data_opstate(pstream,pme,thread_seq,ip_hdr); + + return ret|APP_STATE_DROPME; +} + + +extern "C" char kni_tcpall_entry(const struct streaminfo* pstream,void** pme,int thread_seq,const void* ip_hdr) +{ + char ret=APP_STATE_FAWPKT|APP_STATE_DROPME; + if((g_kni_comminfo.kni_mode_cur==KNI_MODE_BYPASS)||(pstream->addr.addrtype==ADDR_TYPE_IPV6)) + { + return ret; + } + + switch(pstream->pktstate) + { + case OP_STATE_PENDING: + ret=kni_pending_opstate(pstream,pme,thread_seq,(struct ip*)ip_hdr,PROTO_TYPE_TCP); + break; + + case OP_STATE_DATA: + ret=kni_data_opstate(pstream,pme,thread_seq,(struct ip*)ip_hdr); + break; + + case OP_STATE_CLOSE: + ret=kni_close_opstate(pstream,pme,thread_seq,(struct ip*)ip_hdr); + break; + 
+ default: + break; + } + + if((ret&APP_STATE_DROPME)&&(*pme!=NULL)) + { + free(*pme); + *pme=NULL; + } + + + return ret; + +} + long kni_state_htable_cb_v6(void* data,const unsigned char* key,unsigned int size,void* user_arg) { struct ipaddr addr_ipbmd; -// struct stream_tuple4_v6* ipv4_addr=(struct stream_tuple4_v6*)key; - struct datainfo_to_tun* datainfo=(struct datainfo_to_tun*)data; struct args_to_tun* arg=(struct args_to_tun*)user_arg; + struct kni_ipv6_hdr* ipv6_hdr=(struct kni_ipv6_hdr*)(arg->a_packet); if(datainfo==NULL) { @@ -1510,7 +1724,7 @@ long kni_state_htable_cb_v6(void* data,const unsigned char* key,unsigned int siz addr_ipbmd.addrtype=ADDR_TYPE_IPV6; addr_ipbmd.v4=(struct stream_tuple4_v4*)key; - datainfo->state_flag=kni_judge_ipbmd(&addr_ipbmd,arg->thread_seq); + datainfo->state_flag=kni_judge_ipbmd(&addr_ipbmd,arg->thread_seq,ipv6_hdr->ip6_nex_hdr); } 
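Review bot: `kni_get_data` takes `data` by value, so the `data=(char*)(pstream->ptcpdetail->pdata)` / `pudpdetail` assignments never reach `kni_pending_opstate` or `kni_data_opstate`: both callers continue with `data==NULL` and a non-zero `datalen`, and only the unconditional `return KNI_FLAG_SSL;` at the top of the new `kni_judge_ssl` keeps `kni_first_tcpdata` from dereferencing NULL (it also means every port-443 flow is classed SSL and the SNI check in `kni_judge_sni` is never reached). The parameter should be `char** data` with `*data=...` in each branch and the calls changed to `kni_get_data(pstream,&data,&datalen);`. Once that early return is removed the ClientHello parser also needs cursor checks: only the record length is compared with `tcp_datalen`, while `session_id_len`, `ciphersuite_len`, `compression_method_len` and each extension length are added to the offset before anything verifies the next read is still inside the buffer, so a short record carrying a session-id length of 255 reads past the reassembled data (the `while` header of the extension loop is garbled in this rendering, so its bound cannot be checked here). The SNI branch copies the whole extension body into `sni`; per RFC 6066 that body starts with a list length, name type and name length before the host name, so confirm `kni_judge_sni` expects that framing, and the `malloc` of `pmeinfo` in `kni_pending_opstate` is unchecked. Bounds-checked variable-length section:
```cpp
    // … unchanged: record header and handshake header checks …
    ssl_body_len+=2;
    ssl_body_len+=32; //4byte time,28bytes random
    if(ssl_header_len+ssl_body_len+1>tcp_datalen) return KNI_FLAG_SSL_HALF;
    session_id_len=*(unsigned char*)&(ssl_body[ssl_body_len]);
    ssl_body_len+=1+session_id_len;
    if(ssl_header_len+ssl_body_len+2>tcp_datalen) return KNI_FLAG_SSL_HALF;
    ciphersuite_len=ntohs(*(unsigned short*)&(ssl_body[ssl_body_len]));
    ssl_body_len+=2+ciphersuite_len;
    if(ssl_header_len+ssl_body_len+1>tcp_datalen) return KNI_FLAG_SSL_HALF;
    compression_method_len=*(unsigned char*)&(ssl_body[ssl_body_len]);
    ssl_body_len+=1+compression_method_len;
    if(ssl_header_len+ssl_body_len+2>tcp_datalen) return KNI_FLAG_SSL_HALF;
    // … unchanged: extension-length check and SNI loop, each 4-byte extension header
    //   and each len_in_extension guarded against tcp_datalen the same way …
```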
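Review bot: The new third argument passes `ipv6_hdr->ip6_nex_hdr` as the protocol, but in IPv6 the next-header field names the first extension header when one is present (hop-by-hop, routing, fragment), not the transport protocol, so such packets would be scanned with a non-TCP/UDP value and presumably never match the ipbmd table. The IPv4 side of this file reaches `Maat_scan_proto_addr` with a fixed `PROTO_TYPE_TCP` from `kni_tcpall_entry`; either walk the extension chain to the transport header first or, if this callback is only ever reached for TCP, pass the same constant: `datainfo->state_flag=kni_judge_ipbmd(&addr_ipbmd,arg->thread_seq,PROTO_TYPE_TCP);`. The unchanged `addr_ipbmd.v4=(struct stream_tuple4_v4*)key;` under `ADDR_TYPE_IPV6` looks like a v6 key stored through the v4 member; it predates this commit, but is worth a glance while here. `kni_state_htable_cb_v6` starts and ends outside this hunk.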
@@ -1518,89 +1732,8 @@ long kni_state_htable_cb_v6(void* data,const unsigned char* key,unsigned int siz } -int kni_recv_msg(int socket) -{ - struct msghdr msg = {0}; - struct cmsghdr *cmsg; - char buf[CMSG_SPACE(sizeof(int))], dup[256]; - memset(buf, 0, sizeof(buf)); - struct iovec io = { .iov_base = &dup, .iov_len = sizeof(dup) }; - - msg.msg_iov = &io; - msg.msg_iovlen = 1; - msg.msg_control = buf; - msg.msg_controllen = sizeof(buf); - - if (recvmsg (socket, &msg, 0) < 0) - { - printf("recvmsg() error,errno:%d\n",errno); - } - // handle_error ("Failed to receive message"); - - cmsg = CMSG_FIRSTHDR(&msg); - - return 0; -} - - -extern "C" int kni_ip_entry(struct streaminfo* f_stream,unsigned char routedir,int thread_seq,struct ip* a_packet) -{ - char ret=APP_STATE_FAWPKT; - -//ip/tcp info - int iplen=ntohs(a_packet->ip_len); - struct tcphdr* tcphdr=(struct tcphdr*)((char*)a_packet+4*(a_packet->ip_hl)); - char* tcpdata=(char*)tcphdr+4*tcphdr->doff; - int tcplen=iplen-4*a_packet->ip_hl-4*tcphdr->doff; - - unsigned short sport=ntohs(tcphdr->source); - unsigned short dport=ntohs(tcphdr->dest); - if((sport!=80)&&(sport!=443)&&(dport!=80)&&(dport!=443)) - { - return ret; - } - -//htable info - long state_flag=0; - struct stream_tuple4_v4 ipv4_addr; - struct args_to_tun usr_arg; - - usr_arg.a_packet=(void*)a_packet; - usr_arg.tcpdata=tcpdata; - usr_arg.tcpdata_len=tcplen; - usr_arg.thread_seq=thread_seq; - usr_arg.iprevers=kni_get_ipaddr_v4(a_packet,&ipv4_addr); - - - if(usr_arg.iprevers==0) - { - usr_arg.routdir=routedir; - } - else - { - usr_arg.routdir=MESA_dir_reverse(routedir); - } - - MESA_htable_search_cb(g_kni_structinfo.htable_to_tun_v4,(unsigned char*)&ipv4_addr,sizeof(struct stream_tuple4_v4),kni_state_htable_cb_v4,(void*)&usr_arg,&state_flag); - - - if(state_flag==STAT_FLAG_SSL_NOBMD) - { - tun_write_data(g_kni_comminfo.fd_tun[thread_seq],(char*)a_packet,iplen,&ipv4_addr); - - ret= APP_STATE_DROPPKT; - } - - 
kni_debug_info_v4((char*)KNI_MODULE_IPENTRY,state_flag,a_packet); - - return ret; -} - - - char kni_ipv6_entry(struct streaminfo *pstream,unsigned char routedir,int thread_seq,void *a_packet) { -// int ret; int ip_reverse=0; @@ -1631,7 +1764,7 @@ char kni_ipv6_entry(struct streaminfo *pstream,unsigned char routedir,int thread } MESA_htable_search_cb(g_kni_structinfo.htable_to_tun_v6,(unsigned char*)&ipv6_addr,sizeof(struct stream_tuple4_v6),kni_state_htable_cb_v6,&usr_arg,&state_flag); - if(state_flag==STAT_FLAG_IPBMD) + if(state_flag==KNI_FLAG_IPBMD) { return APP_STATE_DROPPKT; } @@ -1661,35 +1794,6 @@ int init_profile_info(int* logger_level,char* logger_filepath,int* maat_json_swi return 0; } -int init_domain_fd() -{ - - int i_fd = 0; - struct sockaddr_un addr; - char serverpath[32] = "/home/server_unixsocket_file"; - int i_addr_len = sizeof( struct sockaddr_un ); - - if ( ( i_fd = socket( AF_UNIX, SOCK_STREAM, 0 ) ) < 0 ) -// if ( ( i_fd = socket( AF_UNIX, SOCK_DGRAM, 0 ) ) < 0 ) - { - MESA_handle_runtime_log(g_kni_comminfo.logger, RLOG_LV_FATAL,KNI_MODULE_INIT,"init_domain_fd():socket error,errno is %d,action:%s",errno,KNI_ACTION_EXIT); - return -1; - } - - //fill socket adress structure with server's address - memset( &addr, 0, sizeof( addr ) ); - addr.sun_family = AF_UNIX; - strncpy( addr.sun_path, serverpath, sizeof( addr.sun_path ) - 1 ); - - if ( connect( i_fd, ( struct sockaddr * )&addr, i_addr_len ) < 0 ) - { - MESA_handle_runtime_log(g_kni_comminfo.logger, RLOG_LV_FATAL,KNI_MODULE_INIT,"init_domain_fd():connect error,errno is %d,action:%s",errno,KNI_ACTION_EXIT); - return -1; - } - - return i_fd; -} - int init_kni_stat_htable() { MESA_htable_create_args_t hash_frags; 
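Review bot: The IPv6 entry now tests the `kni_judge_ipbmd` result against `KNI_FLAG_IPBMD`, which is what that function returns, but the new IPv4 path in `kni_pending_opstate` tests the same return value against `KNI_ACTION_IPBMD`; unless the two macros happen to share a value, the IPv4 early-exit for ipbmd addresses never fires and those flows go through option parsing, TCP repair and the tun write instead of being left alone. Use one name on both sides, e.g. `if(ipscan_action==KNI_FLAG_IPBMD)` in `kni_pending_opstate`, or make `kni_judge_ipbmd` return the action constant and compare against it here. `kni_ipv6_entry` starts and ends outside this hunk.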
@@ -1739,8 +1843,10 @@ extern "C" char kni_init() char full_cfg_dir[KNI_CONF_MAXLEN]={0}; char inc_cfg_dir[KNI_CONF_MAXLEN]={0}; -// pthread_t pid_write_tun; pthread_t pid_read_tun; + pthread_t pid_pro_domain; +// pthread_t pid_kni_filestat2; + inet_aton((const char *)&LOCAL_IP_ADDR,(struct in_addr*)&g_kni_comminfo.local_ip); @@ -1756,6 +1862,7 @@ extern "C" char kni_init() return -1; } + //maat g_kni_maatinfo.maat_feather=Maat_feather(g_iThreadNum,table_info_path,g_kni_comminfo.logger); if(g_kni_maatinfo.maat_feather==NULL) @@ -1798,6 +1905,15 @@ extern "C" char kni_init() return -1; } +//init lqueue for send fds + g_kni_structinfo.lqueue_for_domain=MESA_lqueue_create(KNI_THREAD_SAFE,KNI_LQUEUE_MAXNUM); + if(g_kni_structinfo.lqueue_for_domain==NULL) + { + printf("MESA_lqueue_create() error!\n"); + return -1; + } + + //init tun if(g_kni_comminfo.thread_num<=0) @@ -1807,7 +1923,7 @@ extern "C" char kni_init() } g_kni_comminfo.fd_tun=(int*)malloc(g_kni_comminfo.thread_num*sizeof(int)); - memset(g_kni_comminfo.fd_tun,0,g_kni_comminfo.thread_num*sizeof(int)); + memset(g_kni_comminfo.fd_tun,0,sizeof(g_kni_comminfo.thread_num*sizeof(int))); ret=tun_alloc_mq(__tun_symbol,g_kni_comminfo.thread_num,g_kni_comminfo.fd_tun); if(ret<0) 
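Review bot: The `MESA_lqueue_create` failure path reports through `printf` and returns -1, whereas the other init failures in `kni_init` (the `init_domain_fd()` error just below, the deleted `init_domain_fd` body) go through `MESA_handle_runtime_log(..., RLOG_LV_FATAL, KNI_MODULE_INIT, ...)`; on a daemonised sensor the printf is lost and the operator sees an unexplained plugin failure. Suggest `MESA_handle_runtime_log(g_kni_comminfo.logger, RLOG_LV_FATAL,KNI_MODULE_INIT,"MESA_lqueue_create() error,action:%s",KNI_ACTION_EXIT);` before the `return -1;`. A one-line comment on what the queue carries would help too, e.g. `//queue of fds handed to the domain-socket thread (kni_process_domain)` — that is inferred from the names, so confirm it. `kni_init` starts and ends outside this hunk.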
@@ -1815,19 +1931,25 @@ extern "C" char kni_init() return -1; } - system("ifconfig tun0 192.168.100.1 up"); - system("route add default dev tun0"); - system("iptables -t mangle -A PREROUTING -p tcp -i tun0 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 50080"); +// system("ifconfig tun0 192.168.100.1 up"); +// system("route add default dev tun0"); +// system("iptables -t mangle -A PREROUTING -p tcp -i tun0 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 50080"); //init domain g_kni_comminfo.fd_domain=init_domain_fd(); if(g_kni_comminfo.fd_domain<0) { - MESA_handle_runtime_log(g_kni_comminfo.logger, RLOG_LV_FATAL,KNI_MODULE_INIT,"init_domain_fd()error,action:%s",KNI_ACTION_EXIT); -// return -1; + g_kni_comminfo.kni_mode_cur=KNI_MODE_BYPASS; + MESA_handle_runtime_log(g_kni_comminfo.logger, RLOG_LV_FATAL,KNI_MODULE_INIT,"init_domain_fd()error"); } + + pthread_create(&pid_pro_domain,NULL,kni_process_domain,NULL); +// pthread_create(&pid_kni_filestat2,NULL,kni_filestat2,NULL); + + + //test init raw_socket g_kni_comminfo.ipv4_fd=(int*)malloc(g_kni_comminfo.thread_num*sizeof(int)); for(i=0;i
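Review bot: The changed `memset` now clears `sizeof(g_kni_comminfo.thread_num*sizeof(int))` bytes, i.e. `sizeof(size_t)` (8 on LP64) regardless of `thread_num`, so with more than two worker threads most of `fd_tun` keeps whatever `malloc` returned; if `tun_alloc_mq` does not fill every slot, the per-thread `fd_tun[thread_seq]` users in `kni_pending_opstate`/`kni_data_opstate` write to uninitialised descriptors. The old expression was the correct one: restore `memset(g_kni_comminfo.fd_tun,0,g_kni_comminfo.thread_num*sizeof(int));` and add `if(g_kni_comminfo.fd_tun==NULL) return -1;` after the unchecked `malloc`. `kni_init` starts and ends outside this hunk.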