diff --git a/src/maat_ip.c b/src/maat_ip.c
index 73e650d..33c8729 100644
--- a/src/maat_ip.c
+++ b/src/maat_ip.c
@@ -681,7 +681,7 @@ long long ip_runtime_ipv6_rule_count(void *ip_runtime)
     return ip_rt->ipv6_rule_num;
 }
 
-static int validate_port(struct ip_item *item, uint16_t port, int proto)
+static int validate_port_proto(struct ip_item *item, uint16_t port, int proto)
 {
     uint16_t host_port = ntohs(port);
 
@@ -696,15 +696,6 @@ static int validate_port(struct ip_item *item, uint16_t port, int proto)
     return 0;
 }
 
-static int validate_proto(struct ip_item *item, int proto)
-{
-    if (item->proto != -1 && item->proto != proto) {
-        return -1;
-    }
-
-    return 0;
-}
-
 int ip_runtime_scan(struct ip_runtime *ip_rt, int thread_id, int ip_type,
                     uint8_t *ip_addr, uint16_t port, int proto, int vtable_id,
                     struct maat_state *state)
@@ -714,105 +705,56 @@ int ip_runtime_scan(struct ip_runtime *ip_rt, int thread_id, int ip_type,
         return 0;
     }
 
-    /* if ip_addr = "0.0.0.0" means any ip */
-    int any_ip_flag = 0;
     struct ip_data scan_data;
     struct scan_result ip_results[MAX_SCANNER_HIT_ITEM_NUM];
 
     if (ip_type == IPv4) {
         scan_data.type = IPv4;
         scan_data.ipv4 = ntohl(*(uint32_t *)ip_addr);
-        if (0 == scan_data.ipv4) {
-            any_ip_flag = 1;
-        }
     } else {
         scan_data.type = IPv6;
         for (int i = 0; i < 4; i++) {
             scan_data.ipv6[i] = *((uint32_t *)ip_addr + i);
         }
         ipv6_ntoh(scan_data.ipv6);
-        if (0 == scan_data.ipv6[0] && 0 == scan_data.ipv6[1] &&
-            0 == scan_data.ipv6[2] && 0 == scan_data.ipv6[3]) {
-            any_ip_flag = 1;
-        }
     }
 
     int ret = 0;
     size_t real_hit_item_cnt = 0;
     struct maat_item hit_maat_items[MAX_SCANNER_HIT_ITEM_NUM];
 
-    // any ip, so scan port+proto
-    if (1 == any_ip_flag) {
-        struct interval_result port_results[MAX_SCANNER_HIT_ITEM_NUM];
-        uint16_t host_port = ntohs(port);
+    if (NULL == ip_rt->ip_matcher) {
+        return 0;
+    }
 
-        if (NULL == ip_rt->intval_matcher) {
-            return 0;
+    int n_hit_ip_item = ip_matcher_match(ip_rt->ip_matcher, &scan_data,
+                                         ip_results, MAX_SCANNER_HIT_ITEM_NUM);
+    if (n_hit_ip_item <= 0) {
+        return n_hit_ip_item;
+    }
+
+    if (n_hit_ip_item > MAX_SCANNER_HIT_ITEM_NUM) {
+        n_hit_ip_item = MAX_SCANNER_HIT_ITEM_NUM;
+    }
+
+    for (size_t i = 0; i < n_hit_ip_item; i++) {
+        long long item_id = ip_results[i].rule_id;
+        struct ip_item *ip_item = (struct ip_item *)rcu_hash_find(ip_rt->item_hash,
+                                                                   (char *)&item_id,
+                                                                   sizeof(long long));
+        if (!ip_item) {
+            // item config has been deleted
+            continue;
         }
 
-        int n_hit_port_item = interval_matcher_match(ip_rt->intval_matcher, host_port,
-                                                     port_results, MAX_SCANNER_HIT_ITEM_NUM);
-        if (n_hit_port_item <= 0) {
-            return n_hit_port_item;
+        ret = validate_port_proto(ip_item, port, proto);
+        if (ret < 0) {
+            continue;
         }
 
-        if (n_hit_port_item > MAX_SCANNER_HIT_ITEM_NUM) {
-            n_hit_port_item = MAX_SCANNER_HIT_ITEM_NUM;
-        }
-
-        for (int i = 0; i < n_hit_port_item; i++) {
-            long long item_id = port_results[i].rule_id;
-            struct ip_item *ip_item = (struct ip_item *)rcu_hash_find(ip_rt->item_hash,
-                                                                       (char *)&item_id,
-                                                                       sizeof(long long));
-            if (!ip_item) {
-                // item config has been deleted
-                continue;
-            }
-
-            ret = validate_proto(ip_item, proto);
-            if (ret < 0) {
-                continue;
-            }
-
-            hit_maat_items[real_hit_item_cnt].item_id = port_results[i].rule_id;
-            hit_maat_items[real_hit_item_cnt].group_id = ip_item->group_id;
-            real_hit_item_cnt++;
-        }
-    } else {
-        if (NULL == ip_rt->ip_matcher) {
-            return 0;
-        }
-
-        int n_hit_ip_item = ip_matcher_match(ip_rt->ip_matcher, &scan_data,
-                                             ip_results, MAX_SCANNER_HIT_ITEM_NUM);
-        if (n_hit_ip_item <= 0) {
-            return n_hit_ip_item;
-        }
-
-        if (n_hit_ip_item > MAX_SCANNER_HIT_ITEM_NUM) {
-            n_hit_ip_item = MAX_SCANNER_HIT_ITEM_NUM;
-        }
-
-        for (size_t i = 0; i < n_hit_ip_item; i++) {
-            long long item_id = ip_results[i].rule_id;
-            struct ip_item *ip_item = (struct ip_item *)rcu_hash_find(ip_rt->item_hash,
-                                                                       (char *)&item_id,
-                                                                       sizeof(long long));
-            if (!ip_item) {
-                // item config has been deleted
-                continue;
-            }
-
-            ret = validate_port(ip_item, port, proto);
-            if (ret < 0) {
-                continue;
-            }
-
-            hit_maat_items[real_hit_item_cnt].item_id = ip_results[i].rule_id;
-            hit_maat_items[real_hit_item_cnt].group_id = ip_item->group_id;
-            real_hit_item_cnt++;
-        }
+        hit_maat_items[real_hit_item_cnt].item_id = ip_results[i].rule_id;
+        hit_maat_items[real_hit_item_cnt].group_id = ip_item->group_id;
+        real_hit_item_cnt++;
     }
 
     maat_compile_state_update(vtable_id, hit_maat_items, real_hit_item_cnt, state);
diff --git a/test/maat_framework_gtest.cpp b/test/maat_framework_gtest.cpp
index 46be3fc..9858b96 100644
--- a/test/maat_framework_gtest.cpp
+++ b/test/maat_framework_gtest.cpp
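Review bot: `for (size_t i = 0; i < n_hit_ip_item; i++)` compares a size_t index against the int `n_hit_ip_item`, which trips -Wsign-compare; the removed port loop used `for (int i ...)`, so `for (int i = 0; i < n_hit_ip_item; i++)` keeps the types consistent (n_hit_ip_item is already known to be positive at that point). The hunk also silently changes what a 0.0.0.0 or :: scan key means: it is no longer a wildcard routed to intval_matcher but an ordinary address looked up in ip_matcher, and the companion JSON change suggests any-address rules are now meant to be expressed as /0 prefixes instead. A comment above the `ip_matcher_match` call, such as `/* 0.0.0.0 and :: are ordinary addresses here; any-address rules are loaded as /0 prefixes into ip_matcher */`, would record that for the next reader of the scan path. If `ip_rt->intval_matcher` has no remaining users after this, it is now dead state in the runtime — that cannot be confirmed from this hunk. ip_runtime_scan's body begins before the hunk.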
@@ -1551,6 +1551,180 @@ protected:
 struct maat *MaatIPScan::_shared_maat_inst;
 struct log_handle *MaatIPScan::logger;
 
+TEST_F(MaatIPScan, IPv4ScanDataFull_0) {
+    const char *table_name = "IP_PLUS_CONFIG";
+    struct maat *maat_inst = MaatIPScan::_shared_maat_inst;
+    int thread_id = 0;
+
+    int table_id = maat_get_table_id(maat_inst, table_name);
+    ASSERT_GT(table_id, 0);
+
+    char ip_str1[32] = "0.0.0.0";
+    uint32_t sip1;
+    int ret = inet_pton(AF_INET, ip_str1, &sip1);
+    EXPECT_EQ(ret, 1);
+    uint16_t port = htons(65530);
+    int proto = 6;
+
+    long long results[ARRAY_SIZE] = {0};
+    size_t n_hit_result = 0;
+    struct maat_state *state = maat_state_new(maat_inst, thread_id);
+    ret = maat_scan_ipv4(maat_inst, table_id, sip1, port, proto,
+                         results, ARRAY_SIZE, &n_hit_result, state);
+    EXPECT_EQ(ret, MAAT_SCAN_OK);
+    EXPECT_EQ(n_hit_result, 0);
+
+    maat_state_free(state);
+    state = NULL;
+}
+
+TEST_F(MaatIPScan, IPv4ScanDataFull_1) {
+    const char *table_name = "IP_PLUS_CONFIG";
+    struct maat *maat_inst = MaatIPScan::_shared_maat_inst;
+    int thread_id = 0;
+
+    int table_id = maat_get_table_id(maat_inst, table_name);
+    ASSERT_GT(table_id, 0);
+
+    char ip_str1[32] = "255.255.255.255";
+    uint32_t sip1;
+    int ret = inet_pton(AF_INET, ip_str1, &sip1);
+    EXPECT_EQ(ret, 1);
+    uint16_t port = htons(5210);
+    int proto = 6;
+
+    long long results[ARRAY_SIZE] = {0};
+    size_t n_hit_result = 0;
+    struct maat_state *state = maat_state_new(maat_inst, thread_id);
+    ret = maat_scan_ipv4(maat_inst, table_id, sip1, port, proto,
+                         results, ARRAY_SIZE, &n_hit_result, state);
+    EXPECT_EQ(ret, MAAT_SCAN_OK);
+    EXPECT_EQ(n_hit_result, 0);
+
+    maat_state_free(state);
+    state = NULL;
+}
+
+TEST_F(MaatIPScan, IPv4RuleFull_0) {
+    const char *table_name = "IP_PLUS_CONFIG";
+    struct maat *maat_inst = MaatIPScan::_shared_maat_inst;
+    int thread_id = 0;
+
+    int table_id = maat_get_table_id(maat_inst, table_name);
+    ASSERT_GT(table_id, 0);
+
+    char ip_str[32] = "100.64.3.1";
+    uint32_t sip;
+    int ret = inet_pton(AF_INET, ip_str, &sip);
+    EXPECT_EQ(ret, 1);
+    uint16_t port = htons(20303);
+    int proto = 6;
+
+    long long results[ARRAY_SIZE] = {0};
+    size_t n_hit_result = 0;
+    struct maat_state *state = maat_state_new(maat_inst, thread_id);
+    ret = maat_scan_ipv4(maat_inst, table_id, sip, port, proto,
+                         results, ARRAY_SIZE, &n_hit_result, state);
+    EXPECT_EQ(ret, MAAT_SCAN_OK);
+    maat_state_reset(state);
+
+    port = htons(64999);
+    ret = maat_scan_ipv4(maat_inst, table_id, sip, port, proto,
+                         results, ARRAY_SIZE, &n_hit_result, state);
+    EXPECT_EQ(ret, MAAT_SCAN_HIT);
+    EXPECT_EQ(n_hit_result, 1);
+    EXPECT_EQ(results[0], 169);
+
+    maat_state_free(state);
+    state = NULL;
+}
+
+TEST_F(MaatIPScan, IPv6ScanDataFull_0) {
+    const char *table_name = "IP_PLUS_CONFIG";
+    struct maat *maat_inst = MaatIPScan::_shared_maat_inst;
+    int thread_id = 0;
+
+    int table_id = maat_get_table_id(maat_inst, table_name);
+    ASSERT_GT(table_id, 0);
+
+    char ip_str[32] = "::";
+    uint8_t sip[16];
+    int ret = inet_pton(AF_INET6, ip_str, sip);
+    EXPECT_EQ(ret, 1);
+    uint16_t port = htons(65510);
+    int proto = 6;
+
+    long long results[ARRAY_SIZE] = {0};
+    size_t n_hit_result = 0;
+    struct maat_state *state = maat_state_new(maat_inst, thread_id);
+    ret = maat_scan_ipv6(maat_inst, table_id, sip, port, proto,
+                         results, ARRAY_SIZE, &n_hit_result, state);
+    EXPECT_EQ(ret, MAAT_SCAN_OK);
+    EXPECT_EQ(n_hit_result, 0);
+
+    maat_state_free(state);
+}
+
+TEST_F(MaatIPScan, IPv6ScanDataFull_1) {
+    const char *table_name = "IP_PLUS_CONFIG";
+    struct maat *maat_inst = MaatIPScan::_shared_maat_inst;
+    int thread_id = 0;
+
+    int table_id = maat_get_table_id(maat_inst, table_name);
+    ASSERT_GT(table_id, 0);
+
+    char ip_str[64] = "FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF";
+    uint8_t sip[16];
+    int ret = inet_pton(AF_INET6, ip_str, sip);
+    EXPECT_EQ(ret, 1);
+    uint16_t port = htons(65510);
+    int proto = 6;
+
+    long long results[ARRAY_SIZE] = {0};
+    size_t n_hit_result = 0;
+    struct maat_state *state = maat_state_new(maat_inst, thread_id);
+    ret = maat_scan_ipv6(maat_inst, table_id, sip, port, proto,
+                         results, ARRAY_SIZE, &n_hit_result, state);
+    EXPECT_EQ(ret, MAAT_SCAN_OK);
+    EXPECT_EQ(n_hit_result, 0);
+
+    maat_state_free(state);
+}
+
+TEST_F(MaatIPScan, IPv6RuleFull_0) {
+    const char *table_name = "IP_PLUS_CONFIG";
+    struct maat *maat_inst = MaatIPScan::_shared_maat_inst;
+    int thread_id = 0;
+
+    int table_id = maat_get_table_id(maat_inst, table_name);
+    ASSERT_GT(table_id, 0);
+
+    char ip_str[64] = "1:1:1:1:1:1:1:1";
+    uint8_t sip[16];
+    int ret = inet_pton(AF_INET6, ip_str, sip);
+    EXPECT_EQ(ret, 1);
+    uint16_t port = htons(20303);
+    int proto = 6;
+
+    long long results[ARRAY_SIZE] = {0};
+    size_t n_hit_result = 0;
+    struct maat_state *state = maat_state_new(maat_inst, thread_id);
+    ret = maat_scan_ipv6(maat_inst, table_id, sip, port, proto,
+                         results, ARRAY_SIZE, &n_hit_result, state);
+    EXPECT_EQ(ret, MAAT_SCAN_OK);
+    maat_state_reset(state);
+
+    port = htons(64999);
+    ret = maat_scan_ipv6(maat_inst, table_id, sip, port, proto,
+                         results, ARRAY_SIZE, &n_hit_result, state);
+    EXPECT_EQ(ret, MAAT_SCAN_HIT);
+    EXPECT_EQ(n_hit_result, 1);
+    EXPECT_EQ(results[0], 210);
+
+    maat_state_free(state);
+    state = NULL;
+}
+
 TEST_F(MaatIPScan, IPv4_IPPort) {
     const char *table_name = "IP_PLUS_CONFIG";
     struct maat *maat_inst = MaatIPScan::_shared_maat_inst;
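Review bot: In every new test the `inet_pton` result is only checked with `EXPECT_EQ(ret, 1)`, so a parse failure does not stop the test and the uninitialized `sip1`/`sip` buffer is then passed into `maat_scan_ipv4`/`maat_scan_ipv6`; `ASSERT_EQ(ret, 1);` would abort the test at the point of failure instead. The tests already use `ASSERT_GT(table_id, 0)` for exactly that reason, so this is a one-line change per test. Minor: IPv6ScanDataFull_0 and IPv6ScanDataFull_1 omit the `state = NULL;` after `maat_state_free(state)` that the sibling tests do; harmless since `state` goes out of scope, but inconsistent.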
@@ -1579,40 +1753,6 @@ TEST_F(MaatIPScan, IPv4_IPPort) {
     state = NULL;
 }
 
-TEST_F(MaatIPScan, IPv4_Port) {
-    const char *table_name = "IP_PLUS_CONFIG";
-    struct maat *maat_inst = MaatIPScan::_shared_maat_inst;
-    int thread_id = 0;
-
-    int table_id = maat_get_table_id(maat_inst, table_name);
-    ASSERT_GT(table_id, 0);
-
-    char ip_str[32] = "0.0.0.0";
-    uint32_t sip;
-    int ret = inet_pton(AF_INET, ip_str, &sip);
-    EXPECT_EQ(ret, 1);
-    uint16_t port = htons(20303);
-    int proto = 6;
-
-    long long results[ARRAY_SIZE] = {0};
-    size_t n_hit_result = 0;
-    struct maat_state *state = maat_state_new(maat_inst, thread_id);
-    ret = maat_scan_ipv4(maat_inst, table_id, sip, port, proto,
-                         results, ARRAY_SIZE, &n_hit_result, state);
-    EXPECT_EQ(ret, MAAT_SCAN_OK);
-    maat_state_reset(state);
-
-    port = htons(64999);
-    ret = maat_scan_ipv4(maat_inst, table_id, sip, port, proto,
-                         results, ARRAY_SIZE, &n_hit_result, state);
-    EXPECT_EQ(ret, MAAT_SCAN_HIT);
-    EXPECT_EQ(n_hit_result, 1);
-    EXPECT_EQ(results[0], 169);
-
-    maat_state_free(state);
-    state = NULL;
-}
-
 TEST_F(MaatIPScan, IPv6_IPPort) {
     const char *table_name = "IP_PLUS_CONFIG";
     struct maat *maat_inst = MaatIPScan::_shared_maat_inst;
@@ -5877,7 +6017,7 @@ TEST_F(MaatCmdTest, SameScanStatusWhenClauseUpdate_TSG6419) {
     ret = intval_table_set_line(maat_inst, app_id_table_name, MAAT_OP_ADD, item21_id,
                                 group21_id, 31, 31, NULL, 0);
     EXPECT_EQ(ret, 1);
 
-    sleep(WAIT_FOR_EFFECTIVE_S);
+    sleep(WAIT_FOR_EFFECTIVE_S * 2);
 
     long long results[ARRAY_SIZE] = {0};
     size_t n_hit_result = 0;
@@ -5918,7 +6058,7 @@ TEST_F(MaatCmdTest, SameScanStatusWhenClauseUpdate_TSG6419) {
                                 group22_id, 32, 32, NULL, 0);
     EXPECT_EQ(ret, 1);
 
-    sleep(WAIT_FOR_EFFECTIVE_S);
+    sleep(WAIT_FOR_EFFECTIVE_S * 2);
 
     table_id = maat_get_table_id(maat_inst, app_id_table_name);
     ret = maat_scan_integer(maat_inst, table_id, 31, results, ARRAY_SIZE,
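Review bot: `sleep(WAIT_FOR_EFFECTIVE_S * 2)` repeats a bare `* 2` in this hunk and in the identical hunks at -5918, -5971, -6149, -6238, -6286, -6360, -6385, -6452, -6543, -6568 and -6634; doubling a fixed sleep makes the suite slower without making it deterministic, and the next slow CI host will need `* 3`. At minimum the value deserves one home next to WAIT_FOR_EFFECTIVE_S, e.g. a constant named along the lines of `WAIT_FOR_EFFECTIVE_LONG_S` (placeholder name) used as `sleep(WAIT_FOR_EFFECTIVE_LONG_S);`, with a comment saying which update path needs the longer settle time. Better still would be a helper that polls until the table update is visible — a version or item-count accessor, if the API exposes one — with the sleep only as an upper bound. The enclosing test bodies start and end outside these hunks.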
@@ -5971,7 +6111,7 @@ TEST_F(MaatCmdTest, GroupEdit) {
                                 group21_id, 41, 41, NULL, 0);
     EXPECT_EQ(ret, 1);
 
-    sleep(WAIT_FOR_EFFECTIVE_S);
+    sleep(WAIT_FOR_EFFECTIVE_S * 2);
 
     uint32_t ip_addr;
     inet_pton(AF_INET, "192.168.3.2", &ip_addr);
@@ -6149,7 +6289,7 @@ TEST_F(MaatCmdTest, UpdateDeadLockDetection) {
                                "part-1", NULL, 0, 0, 0, 0); /*EXPR_TYPE_STRING MATCH_METHOD_SUB*/
     EXPECT_EQ(ret, 1);
 
-    sleep(WAIT_FOR_EFFECTIVE_S);
+    sleep(WAIT_FOR_EFFECTIVE_S * 2);
 
     const char* scan_data1 = "scan string part-1.";
     const char* scan_data2 = "scan string part-2.";
@@ -6238,7 +6378,7 @@ TEST_F(MaatCmdTest, StreamScanWhenExprTableIncUpdate) {
                                "stream-keywords-001-inc-update", NULL, 0, 0, 0, 0); /*EXPR_TYPE_STRING MATCH_METHOD_SUB*/
     EXPECT_EQ(ret, 1);
 
-    sleep(WAIT_FOR_EFFECTIVE_S);
+    sleep(WAIT_FOR_EFFECTIVE_S * 2);
 
     /* maat_stream store expr_runtime version when maat_stream_new().
        Add new expr_item has changed expr_runtime version which has been sensed by maat_stream_scan.
@@ -6286,7 +6426,7 @@ TEST_F(MaatCmdTest, StreamScanSegfaultWhenVersionRollBack_TSG6324) {
                                "stream-keywords-002", NULL, 0, 0, 0, 0); /*EXPR_TYPE_STRING MATCH_METHOD_SUB*/
     EXPECT_EQ(ret, 1);
 
-    sleep(WAIT_FOR_EFFECTIVE_S);
+    sleep(WAIT_FOR_EFFECTIVE_S * 2);
 
     const char *scan_data = "Here is a stream-keywords-002, this should hit.";
     long long results[ARRAY_SIZE] = {0};
@@ -6360,7 +6500,7 @@ TEST_F(MaatCmdTest, IPAndStreamScanWhenIncUpdate) {
                                compile1_id, 0, "null", 1, 0);
     EXPECT_EQ(ret, 1);
 
-    sleep(WAIT_FOR_EFFECTIVE_S);
+    sleep(WAIT_FOR_EFFECTIVE_S * 2);
 
     long long results[ARRAY_SIZE] = {0};
     size_t n_hit_result = 0;
@@ -6385,7 +6525,7 @@ TEST_F(MaatCmdTest, IPAndStreamScanWhenIncUpdate) {
                                "null", 1, 0);
     EXPECT_EQ(ret, 1);
 
-    sleep(WAIT_FOR_EFFECTIVE_S);
+    sleep(WAIT_FOR_EFFECTIVE_S * 2);
 
     const char *scan_data = "Here is a stream-keywords-003, this should hit.";
     table_id = maat_get_table_id(maat_inst, expr_table_name);
@@ -6452,7 +6592,7 @@ TEST_F(MaatCmdTest, IPAndStreamScanWhenFullUpdate) {
                                compile1_id, 0, "null", 1, 0);
     EXPECT_EQ(ret, 1);
 
-    sleep(WAIT_FOR_EFFECTIVE_S);
+    sleep(WAIT_FOR_EFFECTIVE_S * 2);
 
     long long results[ARRAY_SIZE] = {0};
     size_t n_hit_result = 0;
@@ -6543,7 +6683,7 @@ TEST_F(MaatCmdTest, IPAndStringScanWhenIncUpdate) {
                                compile1_id, 0, "null", 1, 0);
     EXPECT_EQ(ret, 1);
 
-    sleep(WAIT_FOR_EFFECTIVE_S);
+    sleep(WAIT_FOR_EFFECTIVE_S * 2);
 
     long long results[ARRAY_SIZE] = {0};
     size_t n_hit_result = 0;
@@ -6568,7 +6708,7 @@ TEST_F(MaatCmdTest, IPAndStringScanWhenIncUpdate) {
                                "null", 1, 0);
     EXPECT_EQ(ret, 1);
 
-    sleep(WAIT_FOR_EFFECTIVE_S);
+    sleep(WAIT_FOR_EFFECTIVE_S * 2);
 
     const char *scan_data = "Here is a IP and stringinc, this should hit.";
     table_id = maat_get_table_id(maat_inst, expr_table_name);
@@ -6634,7 +6774,7 @@ TEST_F(MaatCmdTest, IPAndStringScanWhenFullupdate) {
                                compile1_id, 0, "null", 1, 0);
     EXPECT_EQ(ret, 1);
 
-    sleep(WAIT_FOR_EFFECTIVE_S);
+    sleep(WAIT_FOR_EFFECTIVE_S * 2);
 
     long long results[ARRAY_SIZE] = {0};
     size_t n_hit_result = 0;
diff --git a/test/maat_json.json b/test/maat_json.json
index 142487e..d4c65ba 100644
--- a/test/maat_json.json
+++ b/test/maat_json.json
@@ -2942,7 +2942,38 @@
                 ]
             }
         ]
-    }
+    },
+    {
+        "compile_id": 210,
+        "service": 0,
+        "action": 0,
+        "do_blacklist": 0,
+        "do_log": 0,
+        "effective_rage": 0,
+        "user_region": "ipv6_::",
+        "is_valid": "yes",
+        "groups": [
+            {
+                "regions": [
+                    {
+                        "table_type": "ip_plus",
+                        "table_name": "IP_PLUS_CONFIG",
+                        "table_content": {
+                            "addr_type": "ipv6",
+                            "addr_format": "CIDR",
+                            "ip1": "::",
+                            "ip2": "0",
+                            "port_format": "range",
+                            "port1": "64000",
+                            "port2": "64999",
+                            "protocol": 6
+                        }
+                    }
+                ],
+                "not_flag": 0
+            }
+        ]
+    }
 ],
 "plugin_table": [
     {