gfwleak/tango-maat
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

support ip+port+proto scan

Browse Source
This commit is contained in:
liuwentan
2023-03-27 15:52:47 +08:00
parent 7b49d7d52f
commit 73060d1c35
28 changed files with 1954 additions and 1447 deletions
Download Patch File Download Diff File Expand all files Collapse all files

401
src/maat_ip.c
View File

@@ -15,6 +15,7 @@
#include "maat_utils.h"
#include "maat_ex_data.h"
#include "ip_matcher.h"
#include "interval_matcher.h"
#include "maat_ip.h"
#include "maat_rule.h"
#include "maat_compile.h"
@@ -27,21 +28,25 @@ struct ip_schema {
int item_id_column;
int group_id_column;
int addr_type_column;
int saddr_format_column;
int sip1_column;
int sip2_column;
int addr_format_column;
int ip1_column;
int ip2_column;
int port_format_column;
int port1_column;
int port2_column;
int protocol_column;
int table_id; //ugly
struct table_manager *ref_tbl_mgr;
};
struct ipv4_item_rule {
uint32_t min_sip; /* 源地址下界0表示忽略本字段 */
uint32_t max_sip; /* 源地址上界0表示固定IP=min_saddr */
uint32_t min_ip; /* 源地址下界0表示忽略本字段 */
uint32_t max_ip; /* 源地址上界0表示固定IP=min_addr */
};
struct ipv6_item_rule {
uint32_t min_sip[4]; /* 源地址下界全0表示忽略本字段 */
uint32_t max_sip[4]; /* 源地址上界全0表示固定IP=min_saddr */
uint32_t min_ip[4]; /* 源地址下界全0表示忽略本字段 */
uint32_t max_ip[4]; /* 源地址上界全0表示固定IP=min_addr */
};
struct ip_item {
@@ -52,11 +57,17 @@ struct ip_item {
struct ipv4_item_rule ipv4;
struct ipv6_item_rule ipv6;
};
enum ip_format ip_format;
enum port_format port_format;
uint16_t min_port;
uint16_t max_port;
int proto;
};
struct ip_runtime {
struct ip_matcher* ip_matcher;
struct rcu_hash_table* htable; //store ip rule for rebuild ip_matcher instance
struct ip_matcher *ip_matcher;
struct interval_matcher *intval_matcher;
struct rcu_hash_table *htable; //store ip rule for rebuild ip_matcher instance
struct rcu_hash_table *item_htable; //store this ip table's all maat_item which will be used in ip_runtime_scan
uint32_t rule_num;
struct maat_garbage_bin *ref_garbage_bin;
@@ -69,14 +80,12 @@ struct ip_runtime {
void *ip_schema_new(cJSON *json, struct table_manager *tbl_mgr,
const char *table_name, struct log_handle *logger)
{
size_t read_cnt = 0;
struct ip_schema *ip_schema = ALLOC(struct ip_schema, 1);
cJSON *custom_item = NULL;
cJSON *item = cJSON_GetObjectItem(json, "table_id");
if (item != NULL && item->type == cJSON_Number) {
ip_schema->table_id = item->valueint;
read_cnt++;
}
item = cJSON_GetObjectItem(json, "custom");
@@ -90,45 +99,104 @@ void *ip_schema_new(cJSON *json, struct table_manager *tbl_mgr,
custom_item = cJSON_GetObjectItem(item, "item_id");
if (custom_item != NULL && custom_item->type == cJSON_Number) {
ip_schema->item_id_column = custom_item->valueint;
read_cnt++;
} else {
log_error(logger, MODULE_IP,
"[%s:%d] table %s has no item_id column",
__FUNCTION__, __LINE__, table_name);
goto error;
}
custom_item = cJSON_GetObjectItem(item, "group_id");
if (custom_item != NULL && custom_item->type == cJSON_Number) {
ip_schema->group_id_column = custom_item->valueint;
read_cnt++;
} else {
log_error(logger, MODULE_IP,
"[%s:%d] table %s has no group_id column",
__FUNCTION__, __LINE__, table_name);
goto error;
}
custom_item = cJSON_GetObjectItem(item, "addr_type");
if (custom_item != NULL && custom_item->type == cJSON_Number) {
ip_schema->addr_type_column = custom_item->valueint;
read_cnt++;
}
custom_item = cJSON_GetObjectItem(item, "saddr_format");
if (custom_item != NULL && custom_item->type == cJSON_Number) {
ip_schema->saddr_format_column = custom_item->valueint;
read_cnt++;
}
custom_item = cJSON_GetObjectItem(item, "sip1");
if (custom_item != NULL && custom_item->type == cJSON_Number) {
ip_schema->sip1_column = custom_item->valueint;
read_cnt++;
}
custom_item = cJSON_GetObjectItem(item, "sip2");
if (custom_item != NULL && custom_item->type == cJSON_Number) {
ip_schema->sip2_column = custom_item->valueint;
read_cnt++;
}
ip_schema->ref_tbl_mgr = tbl_mgr;
if (read_cnt < 7) {
} else {
log_error(logger, MODULE_IP,
"[%s:%d] table %s has no add_type column",
__FUNCTION__, __LINE__, table_name);
goto error;
}
custom_item = cJSON_GetObjectItem(item, "addr_format");
if (custom_item != NULL && custom_item->type == cJSON_Number) {
ip_schema->addr_format_column = custom_item->valueint;
} else {
log_error(logger, MODULE_IP,
"[%s:%d] table %s has no addr_format column",
__FUNCTION__, __LINE__, table_name);
goto error;
}
custom_item = cJSON_GetObjectItem(item, "ip1");
if (custom_item != NULL && custom_item->type == cJSON_Number) {
ip_schema->ip1_column = custom_item->valueint;
} else {
log_error(logger, MODULE_IP,
"[%s:%d] table %s has no ip1 column",
__FUNCTION__, __LINE__, table_name);
goto error;
}
custom_item = cJSON_GetObjectItem(item, "ip2");
if (custom_item != NULL && custom_item->type == cJSON_Number) {
ip_schema->ip2_column = custom_item->valueint;
} else {
log_error(logger, MODULE_IP,
"[%s:%d] table %s has no ip2 column",
__FUNCTION__, __LINE__, table_name);
goto error;
}
custom_item = cJSON_GetObjectItem(item, "port_format");
if (custom_item != NULL && custom_item->type == cJSON_Number) {
ip_schema->port_format_column = custom_item->valueint;
} else {
log_error(logger, MODULE_IP,
"[%s:%d] table %s has no port_format column",
__FUNCTION__, __LINE__, table_name);
goto error;
}
custom_item = cJSON_GetObjectItem(item, "port1");
if (custom_item != NULL && custom_item->type == cJSON_Number) {
ip_schema->port1_column = custom_item->valueint;
} else {
log_error(logger, MODULE_IP,
"[%s:%d] table %s has no port1 column",
__FUNCTION__, __LINE__, table_name);
goto error;
}
custom_item = cJSON_GetObjectItem(item, "port2");
if (custom_item != NULL && custom_item->type == cJSON_Number) {
ip_schema->port2_column = custom_item->valueint;
} else {
log_error(logger, MODULE_IP,
"[%s:%d] table %s has no port2 column",
__FUNCTION__, __LINE__, table_name);
goto error;
}
custom_item = cJSON_GetObjectItem(item, "protocol");
if (custom_item != NULL && custom_item->type == cJSON_Number) {
ip_schema->protocol_column = custom_item->valueint;
} else {
log_error(logger, MODULE_IP,
"[%s:%d] table %s has no protocol column",
__FUNCTION__, __LINE__, table_name);
goto error;
}
ip_schema->ref_tbl_mgr = tbl_mgr;
return ip_schema;
error:
FREE(ip_schema);
@@ -145,9 +213,10 @@ struct ip_item *ip_item_new(const char *line, struct ip_schema *ip_schema,
{
size_t column_offset = 0;
size_t column_len = 0;
char saddr_format[16] = {0};
char sip1_str[40] = {0};
char sip2_str[40] = {0};
char addr_format[16] = {0};
char port_format[16] = {0};
char ip1_str[40] = {0};
char ip2_str[40] = {0};
struct ip_item *ip_item = ALLOC(struct ip_item, 1);
int ret = get_column_pos(line, ip_schema->item_id_column, &column_offset, &column_len);
@@ -184,42 +253,42 @@ struct ip_item *ip_item_new(const char *line, struct ip_schema *ip_schema,
goto error;
}
ret = get_column_pos(line, ip_schema->saddr_format_column, &column_offset, &column_len);
ret = get_column_pos(line, ip_schema->addr_format_column, &column_offset, &column_len);
if (ret < 0) {
log_error(logger, MODULE_IP,
"[%s:%d] ip table(table_id:%d) line:%s has no saddr_format",
"[%s:%d] ip table(table_id:%d) line:%s has no addr_format",
__FUNCTION__, __LINE__, ip_schema->table_id, line);
goto error;
}
memcpy(saddr_format, (line + column_offset), column_len);
if (IP_FORMAT_UNKNOWN == ip_format_str2int(saddr_format)) {
memcpy(addr_format, (line + column_offset), column_len);
if (IP_FORMAT_UNKNOWN == ip_format_str2int(addr_format)) {
log_error(logger, MODULE_IP,
"[%s:%d] ip table(table_id:%d) line:%s has invalid saddr_format, should be range/mask/CIDR",
"[%s:%d] ip table(table_id:%d) line:%s has invalid saddr_format, should be single/range/CIDR",
__FUNCTION__, __LINE__, ip_schema->table_id, line);
goto error;
}
ret = get_column_pos(line, ip_schema->sip1_column, &column_offset, &column_len);
ret = get_column_pos(line, ip_schema->ip1_column, &column_offset, &column_len);
if (ret < 0) {
log_error(logger, MODULE_IP,
"[%s:%d] ip table(table_id:%d) line:%s has no sip1",
"[%s:%d] ip table(table_id:%d) line:%s has no ip1",
__FUNCTION__, __LINE__, ip_schema->table_id, line);
goto error;
}
memcpy(sip1_str, (line + column_offset), column_len);
memcpy(ip1_str, (line + column_offset), column_len);
ret = get_column_pos(line, ip_schema->sip2_column, &column_offset, &column_len);
ret = get_column_pos(line, ip_schema->ip2_column, &column_offset, &column_len);
if (ret < 0) {
log_error(logger, MODULE_IP,
"[%s:%d] ip table(table_id:%d) line:%s has no sip2",
"[%s:%d] ip table(table_id:%d) line:%s has no ip2",
__FUNCTION__, __LINE__, ip_schema->table_id, line);
goto error;
}
memcpy(sip2_str, (line + column_offset), column_len);
memcpy(ip2_str, (line + column_offset), column_len);
if (IPv4 == ip_item->addr_type) {
ret = ip_format2range(ip_item->addr_type, ip_format_str2int(saddr_format), sip1_str, sip2_str,
&ip_item->ipv4.min_sip, &ip_item->ipv4.max_sip);
ret = ip_format2range(ip_item->addr_type, ip_format_str2int(addr_format), ip1_str, ip2_str,
&ip_item->ipv4.min_ip, &ip_item->ipv4.max_ip);
if (ret < 0) {
log_error(logger, MODULE_IP,
"[%s:%d] ip table(table_id:%d) line:%s ip_format2range(ip4) failed",
@@ -228,8 +297,8 @@ struct ip_item *ip_item_new(const char *line, struct ip_schema *ip_schema,
}
} else {
//ipv6
ret = ip_format2range(ip_item->addr_type, ip_format_str2int(saddr_format), sip1_str, sip2_str,
ip_item->ipv6.min_sip, ip_item->ipv6.max_sip);
ret = ip_format2range(ip_item->addr_type, ip_format_str2int(addr_format), ip1_str, ip2_str,
ip_item->ipv6.min_ip, ip_item->ipv6.max_ip);
if (ret < 0) {
log_error(logger, MODULE_IP,
"[%s:%d] ip table(table_id:%d) line:%s ip_format2range(ip6) failed",
@@ -238,6 +307,50 @@ struct ip_item *ip_item_new(const char *line, struct ip_schema *ip_schema,
}
}
ret = get_column_pos(line, ip_schema->port_format_column, &column_offset, &column_len);
if (ret < 0) {
log_error(logger, MODULE_IP,
"[%s:%d] ip table(table_id:%d) line:%s has no port_format",
__FUNCTION__, __LINE__, ip_schema->table_id, line);
goto error;
}
memcpy(port_format, (line + column_offset), column_len);
if (PORT_FORMAT_UNKNOWN == port_format_str2int(port_format)) {
log_error(logger, MODULE_IP,
"[%s:%d] ip table(table_id:%d) line:%s has invalid port_format, should be single/range",
__FUNCTION__, __LINE__, ip_schema->table_id, line);
goto error;
}
ip_item->port_format = port_format_str2int(port_format);
ret = get_column_pos(line, ip_schema->port1_column, &column_offset, &column_len);
if (ret < 0) {
log_error(logger, MODULE_IP,
"[%s:%d] ip table(table_id:%d) line:%s has no port1",
__FUNCTION__, __LINE__, ip_schema->table_id, line);
goto error;
}
ip_item->min_port = atoi(line + column_offset);
ret = get_column_pos(line, ip_schema->port2_column, &column_offset, &column_len);
if (ret < 0) {
log_error(logger, MODULE_IP,
"[%s:%d] ip table(table_id:%d) line:%s has no port2",
__FUNCTION__, __LINE__, ip_schema->table_id, line);
goto error;
}
ip_item->max_port = atoi(line + column_offset);
ret = get_column_pos(line, ip_schema->protocol_column, &column_offset, &column_len);
if (ret < 0) {
log_error(logger, MODULE_IP,
"[%s:%d] ip table(table_id:%d) line:%s has no protocol",
__FUNCTION__, __LINE__, ip_schema->table_id, line);
goto error;
}
ip_item->proto = atoi(line + column_offset);
return ip_item;
error:
FREE(ip_item);
@@ -317,18 +430,25 @@ void ip_item_to_ip_rule(struct ip_item *item, struct ip_rule *rule)
{
if (IPv4 == item->addr_type) {
rule->type = IPv4;
rule->ipv4_rule.start_ip = item->ipv4.min_sip;
rule->ipv4_rule.end_ip = item->ipv4.max_sip;
rule->ipv4_rule.start_ip = item->ipv4.min_ip;
rule->ipv4_rule.end_ip = item->ipv4.max_ip;
} else {
rule->type = IPv6;
memcpy(rule->ipv6_rule.start_ip, item->ipv6.min_sip,
sizeof(item->ipv6.min_sip));
memcpy(rule->ipv6_rule.end_ip, item->ipv6.max_sip,
sizeof(item->ipv6.max_sip));
memcpy(rule->ipv6_rule.start_ip, item->ipv6.min_ip,
sizeof(item->ipv6.min_ip));
memcpy(rule->ipv6_rule.end_ip, item->ipv6.max_ip,
sizeof(item->ipv6.max_ip));
}
rule->rule_id = item->item_id;
}
void ip_item_to_port_rule(struct ip_item *item, struct interval_rule *rule)
{
rule->start = item->min_port;
rule->end = item->max_port;
rule->result.rule_id = item->item_id;
}
int ip_runtime_update_row(struct ip_runtime *ip_rt, char *key, size_t key_len,
struct ip_item *item, int is_valid)
{
@@ -370,7 +490,6 @@ int ip_runtime_update(void *ip_runtime, void *ip_schema,
}
int is_valid = get_column_value(line, valid_column);
//printf("<ip_runtime_update> item_id:%lld is_valid:%d\n", item_id, is_valid);
if (is_valid < 0) {
return -1;
} else if (0 == is_valid) {
@@ -425,14 +544,16 @@ int ip_runtime_commit(void *ip_runtime, const char *table_name)
rcu_hash_commit(ip_rt->htable);
struct ip_rule *rules = NULL;
struct interval_rule *intval_rules = NULL;
void **ex_data_array = NULL;
size_t rule_cnt = rcu_hash_list(ip_rt->htable, &ex_data_array);
if (rule_cnt > 0) {
rules = ALLOC(struct ip_rule, rule_cnt);
intval_rules = ALLOC(struct interval_rule, rule_cnt);
for (size_t i = 0; i < rule_cnt; i++) {
struct ip_item *item = (struct ip_item *)ex_data_array[i];
//printf("<ip_runtime_commit> item_id:%lld\n", item->item_id);
ip_item_to_ip_rule(item, &rules[i]);
ip_item_to_port_rule(item, &intval_rules[i]);
}
}
@@ -445,20 +566,40 @@ int ip_runtime_commit(void *ip_runtime, const char *table_name)
struct ip_matcher *new_ip_matcher = NULL;
struct ip_matcher *old_ip_matcher = NULL;
new_ip_matcher = ip_matcher_new(rules, rule_cnt, &mem_used, ip_rt->logger);
if (NULL == new_ip_matcher) {
log_error(ip_rt->logger, MODULE_IP,
"[%s:%d] table[%s] rebuild ip_matcher engine failed when update %zu ip rules",
__FUNCTION__, __LINE__, table_name, rule_cnt);
ret = -1;
struct interval_matcher *new_intval_matcher = NULL;
struct interval_matcher *old_intval_matcher = NULL;
if (rule_cnt > 0) {
new_ip_matcher = ip_matcher_new(rules, rule_cnt, &mem_used, ip_rt->logger);
if (NULL == new_ip_matcher) {
log_error(ip_rt->logger, MODULE_IP,
"[%s:%d] table[%s] rebuild ip_matcher engine failed when update %zu ip rules",
__FUNCTION__, __LINE__, table_name, rule_cnt);
ret = -1;
}
new_intval_matcher = interval_matcher_new(intval_rules, rule_cnt);
if (NULL == new_intval_matcher) {
log_error(ip_rt->logger, MODULE_IP,
"[%s:%d] table[%s] rebuild interval_matcher engine failed when update %zu ip rules",
__FUNCTION__, __LINE__, table_name, rule_cnt);
ret = -1;
}
}
old_ip_matcher = ip_rt->ip_matcher;
ip_rt->ip_matcher = new_ip_matcher;
if (old_ip_matcher != NULL) {
maat_garbage_bagging(ip_rt->ref_garbage_bin, old_ip_matcher,
(void (*)(void*))ip_matcher_free);
(void (*)(void *))ip_matcher_free);
}
old_intval_matcher = ip_rt->intval_matcher;
ip_rt->intval_matcher = new_intval_matcher;
if (old_intval_matcher != NULL) {
maat_garbage_bagging(ip_rt->ref_garbage_bin, old_intval_matcher,
(void (*)(void *))interval_matcher_free);
}
rcu_hash_commit(ip_rt->item_htable);
ip_rt->rule_num = rule_cnt;
@@ -473,50 +614,130 @@ int ip_runtime_commit(void *ip_runtime, const char *table_name)
return ret;
}
int validate_port(struct rcu_hash_table *htable, const char *key, size_t key_len,
uint16_t port, int proto)
{
struct ip_item *ip_item = (struct ip_item *)rcu_hash_find(htable, key, key_len);
if (NULL == ip_item) {
return -1;
}
uint16_t host_port = ntohs(port);
if (ip_item->min_port > host_port || ip_item->max_port < host_port) {
return -1;
}
if (ip_item->proto != -1 && ip_item->proto != proto) {
return -1;
}
return 0;
}
int validate_proto(struct rcu_hash_table *htable, const char *key, size_t key_len, int proto)
{
struct ip_item *ip_item = (struct ip_item *)rcu_hash_find(htable, key, key_len);
if (NULL == ip_item) {
return -1;
}
if (ip_item->proto != -1 && ip_item->proto != proto) {
return -1;
}
return 0;
}
int ip_runtime_scan(struct ip_runtime *ip_rt, int thread_id, int ip_type,
uint8_t *ip_addr, int vtable_id, struct maat_state *state)
uint8_t *ip_addr, uint16_t port, int proto, int vtable_id,
struct maat_state *state)
{
if (0 == ip_rt->rule_num) {
//empty ip table
return 0;
}
int n_hit_item = 0;
struct scan_result scan_results[MAX_SCANNER_HIT_ITEM_NUM] = {0};
struct scan_result ip_results[MAX_SCANNER_HIT_ITEM_NUM] = {0};
/* if ip_addr = "0.0.0.0" means any ip */
int any_ip_flag = 0;
struct ip_data scan_data;
if (ip_type == IPv4) {
scan_data.type = IPv4;
scan_data.ipv4 = ntohl(*(uint32_t *)ip_addr);
if (0 == scan_data.ipv4) {
any_ip_flag = 1;
}
} else {
scan_data.type = IPv6;
for (int i = 0; i < 4; i++) {
scan_data.ipv6[i] = *((uint32_t *)ip_addr + i);
}
ipv6_ntoh(scan_data.ipv6);
if (0 == scan_data.ipv6[0] && 0 == scan_data.ipv6[1] &&
0 == scan_data.ipv6[2] && 0 == scan_data.ipv6[3]) {
any_ip_flag = 1;
}
}
n_hit_item = ip_matcher_match(ip_rt->ip_matcher, &scan_data, scan_results, MAX_SCANNER_HIT_ITEM_NUM);
if (n_hit_item <= 0) {
return n_hit_item;
}
if (n_hit_item > MAX_SCANNER_HIT_ITEM_NUM) {
log_info(ip_rt->logger, MODULE_IP,
"hit ip item count:%d exceed maxium:%d",
n_hit_item, MAX_SCANNER_HIT_ITEM_NUM);
n_hit_item = MAX_SCANNER_HIT_ITEM_NUM;
}
int ret = 0;
size_t real_hit_index = 0;
long long hit_item_ids[MAX_SCANNER_HIT_ITEM_NUM];
memset(hit_item_ids, 0, sizeof(hit_item_ids));
for (int i = 0; i < n_hit_item; i++) {
hit_item_ids[i] = scan_results[i].rule_id;
// any ip, so scan port+proto
if (1 == any_ip_flag) {
struct interval_result port_results[MAX_SCANNER_HIT_ITEM_NUM] = {0};
uint16_t host_port = ntohs(port);
int n_hit_port_item = interval_matcher_match(ip_rt->intval_matcher, host_port,
port_results, MAX_SCANNER_HIT_ITEM_NUM);
if (n_hit_port_item <= 0) {
return n_hit_port_item;
}
if (n_hit_port_item > MAX_SCANNER_HIT_ITEM_NUM) {
log_info(ip_rt->logger, MODULE_IP,
"hit port item count:%d exceed maxium:%d",
n_hit_port_item, MAX_SCANNER_HIT_ITEM_NUM);
n_hit_port_item = MAX_SCANNER_HIT_ITEM_NUM;
}
for (size_t i = 0; i < n_hit_port_item; i++) {
long long item_id = port_results[i].rule_id;
ret = validate_proto(ip_rt->htable, (char *)&item_id, sizeof(item_id), proto);
if (ret < 0) {
continue;
}
hit_item_ids[real_hit_index++] = port_results[i].rule_id;
}
} else {
int n_hit_ip_item = ip_matcher_match(ip_rt->ip_matcher, &scan_data,
ip_results, MAX_SCANNER_HIT_ITEM_NUM);
if (n_hit_ip_item <= 0) {
return n_hit_ip_item;
}
if (n_hit_ip_item > MAX_SCANNER_HIT_ITEM_NUM) {
log_info(ip_rt->logger, MODULE_IP,
"hit ip item count:%d exceed maxium:%d",
n_hit_ip_item, MAX_SCANNER_HIT_ITEM_NUM);
n_hit_ip_item = MAX_SCANNER_HIT_ITEM_NUM;
}
for (size_t i = 0; i < n_hit_ip_item; i++) {
long long item_id = ip_results[i].rule_id;
ret = validate_port(ip_rt->htable, (char *)&item_id, sizeof(item_id), port, proto);
if (ret < 0) {
continue;
}
hit_item_ids[real_hit_index++] = ip_results[i].rule_id;
}
}
size_t group_hit_cnt = 0;
int ret = maat_compile_state_update(ip_rt->item_htable, vtable_id, hit_item_ids, n_hit_item,
&group_hit_cnt, state);
ret = maat_compile_state_update(ip_rt->item_htable, vtable_id, hit_item_ids,
real_hit_index, &group_hit_cnt, state);
if (ret < 0) {
return -1;
}