[PATCH]maat_scan_ip remove port & protocol parameter

This commit is contained in:
liuwentan
2024-01-05 17:24:06 +08:00
parent 18843fafa7
commit 7e159477ac
16 changed files with 294 additions and 871 deletions


@@ -42,8 +42,7 @@ long long ip_runtime_ipv6_rule_count(void *ip_runtime);
/* ip runtime scan API */
int ip_runtime_scan(struct ip_runtime *ip_rt, int thread_id, int ip_type,
uint8_t *ip_addr, uint16_t port, int proto,
int vtable_id, struct maat_state *state);
uint8_t *ip_addr, int vtable_id, struct maat_state *state);
void ip_runtime_perf_stat(struct ip_runtime *ip_rt, struct timespec *start,
struct timespec *end, int thread_id);
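Review bot: The new `ip_runtime_scan` prototype carries no length for `ip_addr`, so the header should spell out the contract the parameter removal leaves implicit: `ip_type` selects the family and `ip_addr` must point at the raw address bytes for that family. From the callers, the IPv4 path passes `(uint8_t *)&ip_addr` of a `uint32_t`, i.e. 4 bytes; the IPv6 width is not visible in this commit and should be confirmed. I would extend the `/* ip runtime scan API */` comment above the prototype with `/* ip_addr: raw address bytes, 4 for IPv4 (a uint32_t); IPv6 width per ip_runtime - TODO confirm 16 */`. Since port and protocol are no longer filtered here, it is also worth stating that a hit now means address match only.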


@@ -70,18 +70,10 @@ enum ip_format {
IP_FORMAT_UNKNOWN
};
enum port_format {
PORT_FORMAT_SINGLE = 1,
PORT_FORMAT_RANGE,
PORT_FORMAT_UNKNOWN
};
enum ip_format ip_format_str2int(const char *format);
int ip_format2range(int ip_type, enum ip_format format, const char *ip1, const char *ip2,
uint32_t range_begin[], uint32_t range_end[]);
enum port_format port_format_str2int(const char *format);
#define UNUSED __attribute__((unused))
const char *module_name_str(const char *name);


@@ -539,30 +539,6 @@ static int write_ip_plus_line(cJSON *region_json, struct iris_description *p_iri
json_cmd[cmd_cnt].default_string = "255.255.255.255";
cmd_cnt++;
json_cmd[cmd_cnt].json_string = "port_format";
json_cmd[cmd_cnt].json_type = cJSON_String;
json_cmd[cmd_cnt].empty_allowed = 1;
json_cmd[cmd_cnt].default_string = "mask";
cmd_cnt++;
json_cmd[cmd_cnt].json_string = "port1";
json_cmd[cmd_cnt].json_type = cJSON_String;
json_cmd[cmd_cnt].empty_allowed = 1;
json_cmd[cmd_cnt].default_string = "0";
cmd_cnt++;
json_cmd[cmd_cnt].json_string = "port2";
json_cmd[cmd_cnt].json_type = cJSON_String;
json_cmd[cmd_cnt].empty_allowed = 1;
json_cmd[cmd_cnt].default_string = "65535";
cmd_cnt++;
json_cmd[cmd_cnt].json_string = "protocol";
json_cmd[cmd_cnt].json_type = cJSON_Number;
json_cmd[cmd_cnt].empty_allowed = 1;
json_cmd[cmd_cnt].default_int = 0;
cmd_cnt++;
json_cmd[cmd_cnt].json_string = "is_valid";
json_cmd[cmd_cnt].json_type = cJSON_Number;
cmd_cnt++;


@@ -1080,33 +1080,6 @@ static int interval_scan(struct table_manager *tbl_mgr, int thread_id, long long
}
static int ipv4_scan(struct table_manager *tbl_mgr, int thread_id, uint32_t ip_addr,
uint16_t port, int proto, int phy_table_id, int vtable_id,
struct maat_state *state)
{
enum table_type table_type = table_manager_get_table_type(tbl_mgr, phy_table_id);
if (table_type != TABLE_TYPE_IP_PLUS) {
return -1;
}
void *ip_rt = table_manager_get_runtime(tbl_mgr, phy_table_id);
if (NULL == ip_rt) {
return -1;
}
int group_hit_cnt = ip_runtime_scan((struct ip_runtime *)ip_rt, thread_id, IPv4,
(uint8_t *)&ip_addr, port, proto, vtable_id, state);
if (group_hit_cnt <= 0) {
return group_hit_cnt;
}
ip_runtime_hit_times_inc((struct ip_runtime *)ip_rt, thread_id);
return group_hit_cnt;
}
static int ipv6_scan(struct table_manager *tbl_mgr, int thread_id,
uint8_t *ip_addr, uint16_t port, int proto,
int phy_table_id, int vtable_id, struct maat_state *state)
{
@@ -1120,8 +1093,34 @@ static int ipv6_scan(struct table_manager *tbl_mgr, int thread_id,
return -1;
}
int group_hit_cnt = ip_runtime_scan((struct ip_runtime *)ip_rt, thread_id, IPv4,
(uint8_t *)&ip_addr, vtable_id, state);
if (group_hit_cnt <= 0) {
return group_hit_cnt;
}
ip_runtime_hit_times_inc((struct ip_runtime *)ip_rt, thread_id);
return group_hit_cnt;
}
static int ipv6_scan(struct table_manager *tbl_mgr, int thread_id,
uint8_t *ip_addr, int phy_table_id, int vtable_id,
struct maat_state *state)
{
enum table_type table_type = table_manager_get_table_type(tbl_mgr, phy_table_id);
if (table_type != TABLE_TYPE_IP_PLUS) {
return -1;
}
void *ip_rt = table_manager_get_runtime(tbl_mgr, phy_table_id);
if (NULL == ip_rt) {
return -1;
}
int group_hit_cnt = ip_runtime_scan((struct ip_runtime *)ip_rt, thread_id, IPv6,
ip_addr, port, proto, vtable_id, state);
ip_addr, vtable_id, state);
if (group_hit_cnt <= 0) {
return group_hit_cnt;
}
@@ -1351,12 +1350,12 @@ int maat_scan_integer(struct maat *maat_inst, int table_id,
}
int maat_scan_ipv4(struct maat *maat_inst, int table_id, uint32_t ip_addr,
uint16_t port, int protocol, long long *results, size_t n_result,
size_t *n_hit_result, struct maat_state *state)
long long *results, size_t n_result, size_t *n_hit_result,
struct maat_state *state)
{
if ((NULL == maat_inst) || table_id < 0 || table_id >= MAX_TABLE_NUM ||
(protocol < -1) || (NULL == results) || (0 == n_result) ||
(NULL == n_hit_result) || (NULL == state) || (state->thread_id < 0)) {
(NULL == results) || (0 == n_result) || (NULL == n_hit_result) ||
(NULL == state) || (state->thread_id < 0)) {
return MAAT_SCAN_ERR;
}
@@ -1395,7 +1394,7 @@ int maat_scan_ipv4(struct maat *maat_inst, int table_id, uint32_t ip_addr,
alignment_int64_array_add(maat_inst->stat->thread_call_cnt, state->thread_id, 1);
int hit_group_cnt = ipv4_scan(maat_inst->tbl_mgr, state->thread_id, ip_addr,
port, protocol, phy_table_id, vtable_id, state);
phy_table_id, vtable_id, state);
if (hit_group_cnt < 0) {
maat_inst->stat->scan_err_cnt++;
return MAAT_SCAN_ERR;
@@ -1435,15 +1434,13 @@ int maat_scan_ipv4(struct maat *maat_inst, int table_id, uint32_t ip_addr,
}
}
int maat_scan_ipv6(struct maat *maat_inst, int table_id,
uint8_t *ip_addr, uint16_t port, int protocol,
long long *results, size_t n_result,
size_t *n_hit_result, struct maat_state *state)
int maat_scan_ipv6(struct maat *maat_inst, int table_id, uint8_t *ip_addr,
long long *results, size_t n_result, size_t *n_hit_result,
struct maat_state *state)
{
if ((NULL == maat_inst) || table_id < 0 || table_id >= MAX_TABLE_NUM ||
(protocol < -1) || (NULL == ip_addr) || (NULL == results) ||
(0 == n_result) || (NULL == n_hit_result) || (NULL == state) ||
(state->thread_id < 0)) {
(NULL == ip_addr) || (NULL == results) || (0 == n_result) ||
(NULL == n_hit_result) || (NULL == state) || (state->thread_id < 0)) {
return MAAT_SCAN_ERR;
}
@@ -1482,7 +1479,7 @@ int maat_scan_ipv6(struct maat *maat_inst, int table_id,
alignment_int64_array_add(maat_inst->stat->thread_call_cnt, state->thread_id, 1);
int hit_group_cnt = ipv6_scan(maat_inst->tbl_mgr, state->thread_id, ip_addr,
port, protocol, phy_table_id, vtable_id, state);
phy_table_id, vtable_id, state);
if (hit_group_cnt < 0) {
maat_inst->stat->scan_err_cnt++;
return MAAT_SCAN_ERR;
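Review bot: After the parameter removal, `ipv4_scan` and `ipv6_scan` in the `@@ -1120,8 +1093,34 @@` hunk are identical except for the `IPv4`/`IPv6` tag and how `ip_addr` is passed, so the duplicated table-type check, runtime lookup and hit-count bookkeeping should be folded into one helper. Keep the existing body as `static int ip_scan(struct table_manager *tbl_mgr, int thread_id, int ip_type, uint8_t *ip_addr, int phy_table_id, int vtable_id, struct maat_state *state)` and reduce the two functions to wrappers, e.g. `return ip_scan(tbl_mgr, thread_id, IPv4, (uint8_t *)&ip_addr, phy_table_id, vtable_id, state);` and `return ip_scan(tbl_mgr, thread_id, IPv6, ip_addr, phy_table_id, vtable_id, state);`. That also gives one place to document that `ip_addr` is only read for the duration of the call, which matters for the IPv4 wrapper since it hands out the address of its by-value parameter. The body of `ipv6_scan` ends outside the hunk.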


@@ -25,8 +25,8 @@ struct interval_schema {
int item_id_column;
int group_id_column;
int district_column;
int low_bound_column;
int up_bound_column;
int low_boundary_column;
int up_boundary_column;
int table_id;
struct table_manager *ref_tbl_mgr;
};
@@ -34,8 +34,8 @@ struct interval_schema {
struct interval_item {
long long item_id;
long long group_id;
int low_bound;
int up_bound;
int low_boundary;
int up_boundary;
void *user_data;
int district_id;
};
@@ -124,22 +124,22 @@ void *interval_schema_new(cJSON *json, struct table_manager *tbl_mgr,
}
}
custom_item = cJSON_GetObjectItem(item, "low_bound");
custom_item = cJSON_GetObjectItem(item, "low_boundary");
if (custom_item != NULL && custom_item->type == cJSON_Number) {
schema->low_bound_column = custom_item->valueint;
schema->low_boundary_column = custom_item->valueint;
} else {
log_fatal(logger, MODULE_INTERVAL,
"[%s:%d] interval table:<%s> schema has no low_bound column",
"[%s:%d] interval table:<%s> schema has no low_boundary column",
__FUNCTION__, __LINE__, table_name);
goto error;
}
custom_item = cJSON_GetObjectItem(item, "up_bound");
custom_item = cJSON_GetObjectItem(item, "up_boundary");
if (custom_item != NULL && custom_item->type == cJSON_Number) {
schema->up_bound_column = custom_item->valueint;
schema->up_boundary_column = custom_item->valueint;
} else {
log_fatal(logger, MODULE_INTERVAL,
"[%s:%d] interval table:<%s> schema has no up_bound column",
"[%s:%d] interval table:<%s> schema has no up_boundary column",
__FUNCTION__, __LINE__, table_name);
goto error;
}
@@ -334,23 +334,23 @@ interval_item_new(struct interval_schema *schema, const char *table_name,
item->district_id = DISTRICT_ANY;
}
ret = get_column_pos(line, schema->low_bound_column, &column_offset, &column_len);
ret = get_column_pos(line, schema->low_boundary_column, &column_offset, &column_len);
if (ret < 0) {
log_fatal(interval_rt->logger, MODULE_INTERVAL,
"[%s:%d] interval table:<%s> has no low_bound in line:%s",
"[%s:%d] interval table:<%s> has no low_boundary in line:%s",
__FUNCTION__, __LINE__, table_name, line);
goto error;
}
item->low_bound = atoi(line + column_offset);
item->low_boundary = atoi(line + column_offset);
ret = get_column_pos(line, schema->up_bound_column, &column_offset, &column_len);
ret = get_column_pos(line, schema->up_boundary_column, &column_offset, &column_len);
if (ret < 0) {
log_fatal(interval_rt->logger, MODULE_INTERVAL,
"[%s:%d] interval table:<%s> has no up_bound in line:%s",
"[%s:%d] interval table:<%s> has no up_boundary in line:%s",
__FUNCTION__, __LINE__, table_name, line);
goto error;
}
item->up_bound = atoi(line + column_offset);
item->up_boundary = atoi(line + column_offset);
return item;
error:
@@ -363,8 +363,8 @@ interval_item_to_interval_rule(struct interval_item *item)
{
struct interval_rule rule;
rule.start = item->low_bound;
rule.end = item->up_bound;
rule.start = item->low_boundary;
rule.end = item->up_boundary;
rule.result.rule_id = item->item_id;
rule.result.user_tag = item->user_data;
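Review bot: Renaming the schema keys read by `cJSON_GetObjectItem(item, "low_boundary")` and `"up_boundary"` is a compatibility break for every existing interval schema file, because a file that still says `low_bound` now hits the `log_fatal` branch and `goto error` in `interval_schema_new`. If old configs must keep loading, fall back to the previous key before failing, `if (custom_item == NULL) custom_item = cJSON_GetObjectItem(item, "low_bound");` (and the same for `up_bound`), or state the break explicitly in the commit message so deployments update their schemas first. `interval_schema_new` and `interval_item_new` both continue outside their hunks.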


@@ -15,7 +15,6 @@
#include "maat_utils.h"
#include "maat_ex_data.h"
#include "ip_matcher.h"
#include "interval_matcher.h"
#include "maat_ip.h"
#include "maat_rule.h"
#include "maat_compile.h"
@@ -24,11 +23,6 @@
#define MODULE_IP module_name_str("maat.ip")
#define IP_PROTO_ANY -1
#define IP_PROTO_ICMP 1
#define IP_PROTO_TCP 6
#define IP_PROTO_UDP 17
struct ip_schema {
int item_id_column;
int group_id_column;
@@ -36,10 +30,6 @@ struct ip_schema {
int addr_format_column;
int ip1_column;
int ip2_column;
int port_format_column;
int port1_column;
int port2_column;
int protocol_column;
int table_id;
struct table_manager *ref_tbl_mgr;
};
@@ -63,10 +53,6 @@ struct ip_item {
struct ipv6_item_rule ipv6;
};
enum ip_format ip_format;
enum port_format port_format;
uint16_t min_port;
uint16_t max_port;
int proto;
};
struct ip_runtime {
@@ -172,46 +158,6 @@ void *ip_schema_new(cJSON *json, struct table_manager *tbl_mgr,
goto error;
}
custom_item = cJSON_GetObjectItem(item, "port_format");
if (custom_item != NULL && custom_item->type == cJSON_Number) {
ip_schema->port_format_column = custom_item->valueint;
} else {
log_fatal(logger, MODULE_IP,
"[%s:%d] ip table:<%s> schema has no port_format column",
__FUNCTION__, __LINE__, table_name);
goto error;
}
custom_item = cJSON_GetObjectItem(item, "port1");
if (custom_item != NULL && custom_item->type == cJSON_Number) {
ip_schema->port1_column = custom_item->valueint;
} else {
log_fatal(logger, MODULE_IP,
"[%s:%d] ip table:<%s> schema has no port1 column",
__FUNCTION__, __LINE__, table_name);
goto error;
}
custom_item = cJSON_GetObjectItem(item, "port2");
if (custom_item != NULL && custom_item->type == cJSON_Number) {
ip_schema->port2_column = custom_item->valueint;
} else {
log_fatal(logger, MODULE_IP,
"[%s:%d] ip table:<%s> schema has no port2 column",
__FUNCTION__, __LINE__, table_name);
goto error;
}
custom_item = cJSON_GetObjectItem(item, "protocol");
if (custom_item != NULL && custom_item->type == cJSON_Number) {
ip_schema->protocol_column = custom_item->valueint;
} else {
log_fatal(logger, MODULE_IP,
"[%s:%d] ip table:<%s> schema has no protocol column",
__FUNCTION__, __LINE__, table_name);
goto error;
}
ip_schema->ref_tbl_mgr = tbl_mgr;
return ip_schema;
error:
@@ -231,7 +177,6 @@ ip_item_new(struct ip_schema *ip_schema, const char *table_name,
size_t column_offset = 0;
size_t column_len = 0;
char addr_format[16] = {0};
char port_format[16] = {0};
char ip1_str[40] = {0};
char ip2_str[40] = {0};
struct ip_item *ip_item = ALLOC(struct ip_item, 1);
@@ -331,71 +276,6 @@ ip_item_new(struct ip_schema *ip_schema, const char *table_name,
}
}
ret = get_column_pos(line, ip_schema->port_format_column, &column_offset,
&column_len);
if (ret < 0) {
log_fatal(logger, MODULE_IP,
"[%s:%d] ip table:<%s> has no port_format in line:%s",
__FUNCTION__, __LINE__, table_name, line);
goto error;
}
memcpy(port_format, (line + column_offset), column_len);
if (PORT_FORMAT_UNKNOWN == port_format_str2int(port_format)) {
log_fatal(logger, MODULE_IP,
"[%s:%d] ip table:<%s> has invalid port_format, "
"should be single/range in line:%s",
__FUNCTION__, __LINE__, table_name, line);
goto error;
}
ip_item->port_format = port_format_str2int(port_format);
ret = get_column_pos(line, ip_schema->port1_column, &column_offset,
&column_len);
if (ret < 0) {
log_fatal(logger, MODULE_IP,
"[%s:%d] ip table:<%s>) has no port1 in line:%s",
__FUNCTION__, __LINE__, table_name, line);
goto error;
}
ip_item->min_port = atoi(line + column_offset);
ret = get_column_pos(line, ip_schema->port2_column, &column_offset,
&column_len);
if (ret < 0) {
log_fatal(logger, MODULE_IP,
"[%s:%d] ip table:<%s> has no port2 in line:%s",
__FUNCTION__, __LINE__, table_name, line);
goto error;
}
ip_item->max_port = atoi(line + column_offset);
ret = get_column_pos(line, ip_schema->protocol_column, &column_offset,
&column_len);
if (ret < 0) {
log_fatal(logger, MODULE_IP,
"[%s:%d] ip table:<%s> has no protocol in line:%s",
__FUNCTION__, __LINE__, table_name, line);
goto error;
}
ip_item->proto = atoi(line + column_offset);
if (ip_item->proto != IP_PROTO_ANY && ip_item->proto != IP_PROTO_ICMP &&
ip_item->proto != IP_PROTO_TCP && ip_item->proto != IP_PROTO_UDP) {
log_fatal(logger, MODULE_IP,
"[%s:%d] ip table:<%s> protocol:%d is illegal in line:%s",
__FUNCTION__, __LINE__, table_name, ip_item->proto, line);
goto error;
}
if (ip_item->proto != IP_PROTO_ANY && ip_item->proto != IP_PROTO_ICMP &&
ip_item->proto != IP_PROTO_TCP && ip_item->proto != IP_PROTO_UDP) {
log_fatal(logger, MODULE_IP,
"[%s:%d] ip table:<%s> protocol:%d is illegal in line:%s",
__FUNCTION__, __LINE__, table_name, ip_item->proto, line);
goto error;
}
return ip_item;
error:
FREE(ip_item);
@@ -497,13 +377,6 @@ static void ip_item_to_ip_rule(struct ip_item *item, struct ip_rule *rule)
rule->rule_id = item->item_id;
}
static void ip_item_to_port_rule(struct ip_item *item, struct interval_rule *rule)
{
rule->start = item->min_port;
rule->end = item->max_port;
rule->result.rule_id = item->item_id;
}
static int ip_runtime_update_row(struct ip_runtime *ip_rt, char *key, size_t key_len,
struct ip_item *item, int is_valid)
{
@@ -603,13 +476,11 @@ int ip_runtime_commit(void *ip_runtime, const char *table_name,
ip_rt->ipv6_rule_num = 0;
struct ip_rule *rules = NULL;
struct interval_rule *interval_rules = NULL;
void **ex_data_array = NULL;
size_t rule_cnt = rcu_updating_hash_list(ip_rt->item_hash, &ex_data_array);
if (rule_cnt > 0) {
rules = ALLOC(struct ip_rule, rule_cnt);
interval_rules = ALLOC(struct interval_rule, rule_cnt);
for (size_t i = 0; i < rule_cnt; i++) {
struct ip_item *item = (struct ip_item *)ex_data_array[i];
if (item->addr_type == IPv6) {
@@ -617,7 +488,6 @@ int ip_runtime_commit(void *ip_runtime, const char *table_name,
}
ip_item_to_ip_rule(item, &rules[i]);
ip_item_to_port_rule(item, &interval_rules[i]);
}
}
@@ -663,10 +533,6 @@ int ip_runtime_commit(void *ip_runtime, const char *table_name,
FREE(rules);
}
if (interval_rules != NULL) {
FREE(interval_rules);
}
if (ex_data_array != NULL) {
FREE(ex_data_array);
}
@@ -694,24 +560,8 @@ long long ip_runtime_ipv6_rule_count(void *ip_runtime)
return ip_rt->ipv6_rule_num;
}
static int validate_port_proto(struct ip_item *item, uint16_t port, int proto)
{
uint16_t host_port = ntohs(port);
if (item->min_port > host_port || item->max_port < host_port) {
return -1;
}
if (item->proto != -1 && item->proto != proto) {
return -1;
}
return 0;
}
int ip_runtime_scan(struct ip_runtime *ip_rt, int thread_id, int ip_type,
uint8_t *ip_addr, uint16_t port, int proto,
int vtable_id, struct maat_state *state)
uint8_t *ip_addr, int vtable_id, struct maat_state *state)
{
if (0 == ip_rt->rule_num) {
//empty ip table
@@ -760,11 +610,6 @@ int ip_runtime_scan(struct ip_runtime *ip_rt, int thread_id, int ip_type,
continue;
}
ret = validate_port_proto(ip_item, port, proto);
if (ret < 0) {
continue;
}
hit_maat_items[real_hit_item_cnt].item_id = ip_results[i].rule_id;
hit_maat_items[real_hit_item_cnt].group_id = ip_item->group_id;
real_hit_item_cnt++;
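Review bot: The removed port parsing in `ip_item_new` copied a column into a 16-byte stack buffer with `memcpy(port_format, (line + column_offset), column_len);` and no bound on `column_len`; the surviving `char addr_format[16] = {0};` in the same function is presumably filled the same way outside the hunk, and that copy should be bounded now that this code is being reworked, e.g. `if (column_len >= sizeof addr_format) { log_fatal(...); goto error; }` before the `memcpy`. In `ip_runtime_scan`, the `ret = validate_port_proto(...)` assignment was the last visible write to `ret` in the loop; if nothing else in the function still uses it the declaration is now dead and will warn under `-Wall`. The loop body of `ip_runtime_scan` ends outside the hunk.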


@@ -469,18 +469,6 @@ enum ip_format ip_format_str2int(const char *format)
return IP_FORMAT_UNKNOWN;
}
enum port_format port_format_str2int(const char *format)
{
if (0 == strcasecmp(format, "single")) {
return PORT_FORMAT_SINGLE;
} else if (0 == strcasecmp(format, "range")) {
return PORT_FORMAT_RANGE;
} else {
assert(0);
}
return PORT_FORMAT_UNKNOWN;
}
int ip_format2range(int ip_type, enum ip_format format, const char *ip1, const char *ip2,
uint32_t range_begin[], uint32_t range_end[])
{