修正redirect功能处理流程的若干问题，增加拦截协议识别过滤单项流的流程

* 将在pending状态下判断报文是否存在在redirect表中的逻辑提前，因修改后的SYN-ACK会单独成为一个流，再次触发pending状态。 * 修正读入控制域时内存越界的问题； * 增加拦截协议识别过滤单项流的流程，如需要拦截的流量为单项流，则不执行拦截流程直接转发。
2018-12-19 10:48:25 +06:00
parent a011f87f21
commit eb5dd08323
3 changed files with 57 additions and 71 deletions
--- a/kni_entry.c
+++ b/kni_entry.c
@@ -563,7 +563,12 @@ char kni_first_tcpdata(const struct streaminfo* pstream,const void* a_packet,str
 	int domain_len=0;
 	char domain[KNI_DEFAULT_MTU]={0};
-	
+
 	if(pstream->dir != DIR_DOUBLE)
    {
        kni_log_info((char*)KNI_MODULE_INFO,&(pstream->addr),pmeinfo->protocol,domain,(char*)"NOT-DOUBLE",(char*)"BYPASS",pmeinfo);
        return ret;
    }
 	pmeinfo->protocol=kni_protocol_identify(pstream,a_packet,data,datalen,domain,&domain_len);
 	assert(domain_len<(int)sizeof(domain));
@@ -703,20 +708,21 @@ char kni_pending_opstate(const struct streaminfo* pstream,struct kni_pme_info* p
 		kni_filestate2_set(thread_seq,FS_WHITELIST,0,1);
 		return ret;	
 	}
 //add kni_action_redirect  20181216 start
 	else if(redirect_search_htable(pstream->addr.addrtype,pmeinfo,thread_seq,a_packet,protocol) == 1)
 	{
 		ret = process_redirect_data(pstream,pmeinfo,thread_seq,a_packet,protocol,pstream->routedir);
 		return ret;			
 	}
 	else if(pmeinfo->action == KNI_ACTION_REDIRECT)
 	{
 		ret = process_redirect_pending(pstream,pmeinfo,thread_seq,a_packet,protocol,pstream->routedir);
 		return ret;
 	}
 	else if(redirect_search_htable(pstream->addr.addrtype,pmeinfo,thread_seq,a_packet,protocol) == 1)
 	{
 		ret = process_redirect_data(pstream,pmeinfo,thread_seq,a_packet,protocol,pstream->routedir);
 		return ret;	
 	}
 //end
 //end
 	pmeinfo->protocol=KNI_FLAG_UNKNOW;
 	if(protocol == PROTO_TYPE_TCP)
@@ -1073,10 +1079,6 @@ extern "C" char kni_http_entry(stSessionInfo* session_info,  void **pme, int thr
 	return ret;
 }
 extern "C" char kni_ipv4_entry(const struct streaminfo *pstream,unsigned char routedir,int thread_seq, struct ip* ipv4_hdr)
 {
 	if(ipv4_hdr->ip_p !=IPPROTO_ICMP )
--- a/kni_redirect.c
+++ b/kni_redirect.c
@@ -311,70 +311,56 @@ int redirect_get_service_define(char* service_defined,int ser_def_len,struct red
 int redirect_get_service_define(char* service_defined,int ser_def_len,struct redirect_serdef_info* out)
 {
-	int ip_pool_len =0;
+	int ret = sscanf(service_defined, "nat_type=%[^;];spoofing_ip_pool=%[^\n]", out->nat_type, out->ip_pool);
-	int nat_type_len = 0;
+	assert(ret == 2);
 	char* ip_pool = NULL;
 	char* nat_type = NULL;
 	char* tmp = NULL;
 	ip_pool = kni_memncasemem(service_defined, ser_def_len,(char*)"=", strlen("="));
 	if(ip_pool == NULL)
 	{		
 		return -1;
 	}
 	ip_pool += 1;
 	ip_pool_len = strlen(ip_pool);
 	nat_type = kni_memncasemem(ip_pool,ip_pool_len,(char*)"=", strlen("="));
 	if(nat_type == NULL)
 	{
 		return -1;
 	}
 	nat_type += 1;
 	nat_type_len = strlen(nat_type);
 	tmp = kni_memncasemem(ip_pool, ip_pool_len,(char*)";", strlen(";"));
 	if(ip_pool == NULL)
 	{		
 		return -1;
 	}
 	out->ip_pool_len= tmp-ip_pool;
 	assert((int)sizeof(out->ip_pool)>=out->ip_pool_len);
 	memcpy(out->ip_pool,ip_pool,out->ip_pool_len);
 	out->nat_type_len= nat_type_len-1;
 	assert((int)sizeof(out->nat_type)>=out->nat_type_len);
 	memcpy(out->nat_type,nat_type,out->nat_type_len);
 	return 0;
-
+}
 static int get_column_pos(const char* line, int column_seq, size_t *offset, size_t *len)
 {
 	const char* seps=" \t";
 	char* saveptr=NULL, *subtoken=NULL, *str=NULL;
 	char* dup_line = (char *)malloc(strlen(line) + 1);
 	strcpy(dup_line, line);
 	int i=0, ret=-1;
 	for (str = dup_line; ; str = NULL)
 	{
 		subtoken = strtok_r(str, seps, &saveptr);
 		if (subtoken == NULL)
 			break;
 		if(i==column_seq-1)
 		{
 			*offset=subtoken-dup_line;
 			*len=strlen(subtoken);
 			ret=0;
 			break;
 		}
 		i++;
 	}
 	free(dup_line);
 	return ret;
 }
 void plugin_EX_new_cb(int table_id, const char* key, const char* table_line, MAAT_PLUGIN_EX_DATA* ad, long argl, void *argp)
 {
 	struct redirect_plugin_ex_data* add_data = (struct redirect_plugin_ex_data*)calloc(sizeof(struct redirect_plugin_ex_data), 1);
-
+	int ret = 0;
-	int policy_group=0;
+	size_t offset=0, len=0;
-	int id,protocol,direction,location,is_valid,service,ret;
+	*ad=NULL;
-	char port[REDIRECT_SERDEF_LEN];
+	ret=get_column_pos(table_line, 2, &offset, &len);
-	char user_region[REDIRECT_SERDEF_LEN];
+	if(ret<0)
 	char effective_range[REDIRECT_SERDEF_LEN];
 	char op_time[REDIRECT_SERDEF_LEN];
 	ret=sscanf(table_line, "%d\t%d\t%d\t%s\t%s\t%d\t%s\t%d\t%d\t%d\t%d\t%s\t%s", 
 				&id,&(add_data->addr_type),&protocol,add_data->spoofing_ip,port,&direction,user_region,&location,&is_valid,&service,&policy_group,effective_range,op_time);
 	if(ret < 0)
 	{
-		*ad=NULL;
+		return;
 		return ;
 	}
 	sscanf(table_line+offset, "%d", &(add_data->addr_type));
 	ret=get_column_pos(table_line, 4, &offset, &len);
 	if(ret<0)
 	{
 		return;
 	}
 	assert(len<=sizeof(add_data->spoofing_ip));
 	strncpy(add_data->spoofing_ip, table_line+offset, len);
 	*ad=add_data;
 	return;
 }
@@ -567,11 +553,11 @@ char process_redirect_pending(const struct streaminfo* pstream,struct kni_pme_in
 	}
 //set pmeinfo->redirect_info
-	if(memcmp(redirect_args.nat_type,"snat",strlen("snat")) == 0)
+	if(strcasecmp(redirect_args.nat_type,"snat") == 0)
 	{
 		pmeinfo->redirect_info.nat_type=REDIRECT_SNAT_TYPE;
 	}
-	else if(memcmp(redirect_args.nat_type,"dnat",strlen("dnat")) == 0)
+	else if(strcasecmp(redirect_args.nat_type,"dnat") == 0)
 	{
 		pmeinfo->redirect_info.nat_type=REDIRECT_DNAT_TYPE;
 	}
--- a/kni_redirect.h
+++ b/kni_redirect.h
@@ -35,8 +35,6 @@ struct redirect_htable_data
 struct redirect_serdef_info
 {
 	int ip_pool_len;
 	int nat_type_len;
 	char ip_pool[REDIRECT_SERDEF_LEN];
 	char nat_type[REDIRECT_SERDEF_LEN];
 };