/*
 * kni_entry.h - shared types, constants and per-thread/global handles for the
 * KNI (kernel network interface) entry path.  This header only declares data;
 * field layout is ABI for every translation unit that includes it, so members
 * must not be reordered.
 */
#pragma once
/* NOTE(review): __KNI_ENTRY_H__ and _MAX_MAAT_TABLE_NAME_LEN below use
 * identifiers reserved for the implementation (leading "__" / "_" + upper
 * case, C11 7.1.3); renaming is a header-local change if no other file
 * references them — confirm before touching. */
#ifndef __KNI_ENTRY_H__
#define __KNI_ENTRY_H__

#include "tsg/tsg_rule.h"
#include "kni_utils.h"
/* NOTE(review): the target of the next include was lost in this copy of the
 * file (an angle-bracket name was stripped); restore it from the original. */
#include
#include "tfe_mgr.h"
/* NOTE(review): same as above — include target missing in this copy. */
#include
#include "kni_iouring.h"

// Maximum number of packets handled per burst.
#define BURST_MAX 1
// Caller identity tags (who is invoking the entry path).
#define CALLER_SAPP 0
#define CALLER_TFE 1
// Capacity of each maat table name buffer, see kni_handle::maat_table_name.
#define _MAX_MAAT_TABLE_NAME_LEN 64
#define MAX_STRING_LEN 32
// Capacity of security_policy_shunt_tsg_diagnose::id_arr.
#define TSG_DIAGNOSE_POLICY_CNT 32
// Capacity (bytes) of the domain/host/sni buffers below, including any terminator.
#define MAX_DOMAIN_LEN 2048

/*
 * Reasons an intercept attempt failed.  All values are negative; the
 * "//internal" marker on the original kept the first five as the
 * externally visible set and the rest as internal conditions.
 */
enum intercept_error{
    INTERCEPT_ERROR_ASYM_ROUTING = -1,
    INTERCEPT_ERROR_NO_SYN = -2,
    INTERCEPT_ERROR_NO_SYN_ACK = -3,
    INTERCEPT_ERROR_INVALID_IP_HDR = -4,
    INTERCEPT_ERROR_EXCEED_MTU = -5,
    //internal
    INTERCEPT_ERROR_SENDTO_TFE_FAIL = -6,
    INTERCEPT_ERROR_TUPLE2STM_ADD_FAIL = -7,
    INTERCEPT_ERROR_NO_TFE = -8,
    INTERCEPT_ERROR_DUP_TRAFFIC = -9,
    INTERCEPT_ERROR_CMSG_ADD_FAIL = -10,
    INTERCEPT_ERROR_NOT_TCP_LINK_BYSYN = -11,
    INTERCEPT_ERROR_GET_TCP_LINK_MODE_ERR= -12,
    INTERCEPT_ERROR_STREAM_TUNNLE_TYPE= -13,
    INTERCEPT_ERROR_GET_STREAM_TUNNLE_TYPE_ERR= -14,
    INTERCEPT_ERROR_GET_HAVE_DUP_PKT_ERR= -15,
    INTERCEPT_ERROR_DUP_PKT_NOT_SURE_ERR= -16,
};

/*
 * Action decided for a stream.
 *   0x00: none
 *   0x02: intercept
 *   0x80: bypass
 * NOTE(review): the values look bit-like but only these three are defined
 * here; whether they are ever combined as flags cannot be told from this
 * header — treat as discrete unless a caller shows otherwise.
 */
enum kni_action{
    KNI_ACTION_NONE = 0x00,
    KNI_ACTION_INTERCEPT = 0x02,
    KNI_ACTION_BYPASS = 0x80
};

/*
 * Index of each maat table used for proxy TCP options.  TABLE_MAX sizes the
 * maat_table_name / maat_table_id arrays in kni_handle.
 */
enum PXY_TCP_OPTION_MAAT_TABLE{
    TABLE_IP_ADDR=0,
    TABLE_SSL_FQDN,
    TABLE_COMPILE,
    TABLE_MAX
};

/*
 * Key describing one SYN / SYN-ACK packet for duplicate-traffic detection.
 * memset 0: the whole struct must be zeroed before filling — the v4 member of
 * the union does not cover all of v6, and padding bytes are otherwise
 * indeterminate, which matters if the struct is hashed as a key (presumably
 * it is, given the "dabloom" name — confirm against the dabloom helper).
 */
struct dup_traffic_dabloom_key{
    union{
        struct stream_tuple4_v4 v4;
        struct stream_tuple4_v6 v6;
    }addr;
    uint16_t ipid;      // IP identification field of the packet
    uint32_t seq;       // TCP sequence number
    uint32_t ack_seq;   // TCP acknowledgement number
    uint32_t timestamp;
};

/*
 * Per-side TCP socket option settings applied by the proxy.  Fields prefixed
 * client_ apply to the client-facing side, server_ to the server-facing side.
 * *_enable fields gate whether the matching value is applied.
 */
struct proxy_tcp_option{
    int client_tcp_maxseg_enable;
    int client_tcp_maxseg;
    int client_tcp_nodelay;
    int client_tcp_ttl;
    int client_tcp_keepalive_enable;
    int client_tcp_keepalive_keepcnt;
    int client_tcp_keepalive_keepidle;
    int client_tcp_keepalive_keepintvl;
    int client_tcp_user_timeout;
    int server_tcp_maxseg_enable;
    int server_tcp_maxseg;
    int server_tcp_nodelay;
    int server_tcp_ttl;
    int server_tcp_keepalive_enable;
    int server_tcp_keepalive_keepcnt;
    int server_tcp_keepalive_keepidle;
    int server_tcp_keepalive_keepintvl;
    int server_tcp_user_timeout;
    int bypass_duplicated_packet;
    int tcp_passthrough;
};

/*
 * Per-stream policy/match state.  Shared between the SAPP side and the TFE
 * side (see tfe_release / sapp_release); `lock` is the only synchronisation
 * primitive in the struct.
 * NOTE(review): this header does not say which fields `lock` guards nor who
 * owns syn_packet / syn_ack_packet — document that at the allocation site.
 */
struct pme_info{
    addr_type_t addr_type;
    char stream_addr[KNI_ADDR_MAX];
    int do_log;
    long long policy_id;
    enum TSG_PROTOCOL protocol;
    enum kni_action action;
    int service;
    struct kni_tcpopt_info client_tcpopt;
    struct kni_tcpopt_info server_tcpopt;
    char has_syn;        // boolean: SYN seen
    char has_syn_ack;    // boolean: SYN-ACK seen
    uint16_t client_window;
    uint16_t server_window;
    int tfe_id;
    pthread_mutex_t lock;
    enum intercept_error intcp_error;
    char stream_traceid[24];   // fixed 24-byte trace id; writers must bound to sizeof
    //cjson check protocol
    // host and sni share storage: only the member matching `protocol` is valid.
    // domain_len counts the bytes actually stored and must stay <= MAX_DOMAIN_LEN
    // (NUL-terminate within the buffer if the value is used as a C string).
    union{
        char host[MAX_DOMAIN_LEN];   //http only
        char sni[MAX_DOMAIN_LEN];    //ssl only
    }domain;
    int domain_len;
    //tfe_release = 1: tfe don't need pmeinfo
    int tfe_release;
    int sapp_release;
    //kafka log
    struct TLD_handle_t *tld_handle;
    const struct streaminfo *stream;   // not owned by pme_info (const view)
    //int maat_result_num;
    int n_maat_rule;
    struct maat_rule maat_rule;
    //from tfe, kafka log
    uint8_t ssl_intercept_state;
    uint8_t ssl_pinningst;   //default 0
    uint64_t ssl_server_side_latency;
    uint64_t ssl_client_side_latency;
    char ssl_server_side_version[KNI_SYMBOL_MAX];
    char ssl_client_side_version[KNI_SYMBOL_MAX];
    int8_t ssl_cert_verify;
    char ssl_error[KNI_STRING_MAX];
    //for dup traffic detect
    // NOTE(review): has_dup_traffic is uint64_t while has_dup_syn/has_dup_syn_ack
    // are int — presumably a counter vs. flags; confirm at the writer.
    uint64_t has_dup_traffic;
    int has_dup_syn;
    int has_dup_syn_ack;
    struct dup_traffic_dabloom_key *syn_packet;
    struct dup_traffic_dabloom_key *syn_ack_packet;
    struct _traffic_info traffic_info;
    //for kni dynamic bypass
    int thread_seq;
    int is_dynamic_bypass;
    //for proxy tcp option
    struct proxy_tcp_option pxy_tcp_option;
    int pxy_tcp_option_is_scan;
    struct session_runtime_attribute *session_attribute;
    //for ssl passthrough reason
    char ssl_passthrough_reason[KNI_SYMBOL_MAX];
};

// Raw packet buffer sized to the configured MTU.
struct wrapped_packet{
    char data[KNI_MTU];
};

// Record of a TCP option to restore: option kind/len and its byte offset.
struct tcp_option_restore{
    uint8_t kind;
    uint8_t len;
    uint16_t offset;
};

// One TFE node with its marsio device and send path.
struct tfe_enabled_node{
    int tfe_id;
    struct mr_vdev *dev_eth_handler;
    struct mr_sendpath *dev_eth_sendpath;
};

// marsio instance plus the enabled TFE nodes; tfe_enabled_node_count is the
// number of valid entries and must stay <= TFE_COUNT_MAX.
struct kni_marsio_handle{
    struct mr_instance *instance;
    int tfe_enabled_node_count;
    struct tfe_enabled_node tfe_enabled_nodes[TFE_COUNT_MAX];
};

// Result of protocol identification; domain_len bytes of `domain` are valid
// and must not exceed MAX_DOMAIN_LEN.
struct protocol_identify_result{
    int protocol;
    char domain[MAX_DOMAIN_LEN];
    int domain_len;
};

// Arguments for the TFE cmsg receiver thread.
struct thread_tfe_cmsg_receiver_args{
    void *logger;
    char profile[KNI_SYMBOL_MAX];
};

/*
 * Per-worker-thread state.  `buff` is a buffer of `buff_size` bytes (ownership
 * not stated here); the htables map a tuple to its stream and a trace id to
 * SSL info.  iouring_handle exists only when built with SUPPORT_LIBURING.
 */
struct per_thread_handle{
    int tap_fd;
    int buff_size;
    char *buff;
    MESA_htable_handle tuple2stream_htable;
    MESA_htable_handle traceid2sslinfo_htable;
    struct expiry_dablooms_handle *dabloom_handle;
#if (SUPPORT_LIBURING)
    struct io_uring_handle *iouring_handle;
#endif
};

// Value stored in per_thread_handle::tuple2stream_htable.
// NOTE(review): whether stream/pmeinfo are owned by the table entry is not
// visible here — check the insert/remove paths.
struct tuple2stream_htable_value{
    struct streaminfo *stream;
    struct pme_info *pmeinfo;
    int route_dir;
    int reversed;
};

// Security policy ids shunted to TSG diagnose; id_num valid entries in id_arr,
// which must stay <= TSG_DIAGNOSE_POLICY_CNT.
struct security_policy_shunt_tsg_diagnose{
    int id_arr[TSG_DIAGNOSE_POLICY_CNT];
    int id_num;
};

/*
 * Global KNI handle.  threads_handle points at `thread_count` per-thread
 * handles.  maat_table_name / maat_table_id are indexed by
 * enum PXY_TCP_OPTION_MAAT_TABLE.
 */
struct kni_handle{
    int tap_rps_enable;
    char tap_rps_mask[KNI_SYMBOL_MAX];
    struct io_uring_conf iouring_conf;
    struct kni_marsio_handle *marsio_handle;
    struct bpf_ctx *tap_bpf_ctx;
    struct kni_maat_handle *maat_handle;
    struct kni_send_logger *send_logger;
    MESA_htable_handle traceid2pme_htable;
    struct per_thread_handle *threads_handle;
    void *local_logger;
    struct tfe_mgr *_tfe_mgr;
    int thread_count;
    int dup_traffic_switch;
    int dup_traffic_action;
    enum kni_deploy_mode deploy_mode;
    char src_mac_addr[6];   // 6 bytes; presumably an Ethernet address
    char dst_mac_addr[6];
    int tsg_diagnose_enable;
    int *arr_last_tfe_dispatch_index;
    struct security_policy_shunt_tsg_diagnose secpolicyid_shunt_tsg_diagnose;
    int ssl_dynamic_bypass_enable;
    MESA_htable_handle sslinfo2bypass_htable;
    int pxy_tcp_option_enable;   //for proxy tcp option enable
    int pxy_tcp_option_enable_override;
    char maat_table_name[TABLE_MAX][_MAX_MAAT_TABLE_NAME_LEN];   // for proxy tcp option maat name
    int maat_table_id[TABLE_MAX];
    struct proxy_tcp_option pxy_tcp_option;
    //
    int session_attribute_id;
    int log_level;
};

// Callback arguments for searches in kni_handle::traceid2pme_htable.
struct traceid2pme_search_cb_args{
    struct kni_cmsg *cmsg;
    void *logger;
};

#endif