diff --git a/src/entry/Maat_api.cpp b/src/entry/Maat_api.cpp index f59c258..37322d7 100644 --- a/src/entry/Maat_api.cpp +++ b/src/entry/Maat_api.cpp @@ -16,7 +16,7 @@ #include "rulescan.h" #include "json2iris.h" -struct Maat_table_desc * acqurie_table(struct _Maat_feather_t* _feather,int table_id,enum MAAT_TABLE_TYPE expect_type) +struct Maat_table_desc * acqurie_table(struct _Maat_feather_t* _feather, int table_id, enum MAAT_TABLE_TYPE expect_type) { struct Maat_table_desc *p_table=NULL; if(table_id>MAX_TABLE_NUM) @@ -34,8 +34,8 @@ struct Maat_table_desc * acqurie_table(struct _Maat_feather_t* _feather,int tabl } if(p_table->table_type!=expect_type) { - if(expect_type!=TABLE_TYPE_EXPR|| - p_table->table_type!=TABLE_TYPE_EXPR_PLUS) + if((expect_type==TABLE_TYPE_EXPR && p_table->table_type!=TABLE_TYPE_EXPR_PLUS)|| + (expect_type==TABLE_TYPE_IP && p_table->table_type!=TABLE_TYPE_IP_PLUS)) { return NULL; } diff --git a/src/entry/Maat_command.cpp b/src/entry/Maat_command.cpp index 8ea15d2..c31d259 100644 --- a/src/entry/Maat_command.cpp +++ b/src/entry/Maat_command.cpp @@ -192,6 +192,9 @@ int get_valid_flag_offset(const char* line, enum MAAT_TABLE_TYPE type,int valid_ case TABLE_TYPE_IP: column_seq=14; break; + case TABLE_TYPE_IP_PLUS: + column_seq=18; + break; case TABLE_TYPE_COMPILE: column_seq=8; break; diff --git a/src/entry/Maat_rule.cpp b/src/entry/Maat_rule.cpp index 4490a0f..bd7378d 100644 --- a/src/entry/Maat_rule.cpp +++ b/src/entry/Maat_rule.cpp 
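Review bot: The rewritten condition in acqurie_table (hunk @@ -34,8 +34,8 @@) no longer rejects a type mismatch for any expect_type other than TABLE_TYPE_EXPR or TABLE_TYPE_IP: when expect_type is, say, TABLE_TYPE_INTERVAL and p_table->table_type differs, both disjuncts are false and the mismatched table is returned, whereas the old form returned NULL for every non-EXPR mismatch. The intent is to allow only the two upgrade pairs, which reads as `if(!(expect_type==TABLE_TYPE_EXPR && p_table->table_type==TABLE_TYPE_EXPR_PLUS) &&` / `   !(expect_type==TABLE_TYPE_IP && p_table->table_type==TABLE_TYPE_IP_PLUS))` / `{ return NULL; }`. A caller that asked for one table kind and silently receives another would then operate on that table's runtime data as if it were the requested kind. The rest of acqurie_table lies outside the hunk.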
@@ -706,7 +706,8 @@ int read_table_description(struct Maat_table_desc** p_table_info,int num,const c string2int_map=map_create(); map_register(string2int_map,"expr", TABLE_TYPE_EXPR); - map_register(string2int_map,"ip", TABLE_TYPE_IP); + map_register(string2int_map,"ip", TABLE_TYPE_IP); + map_register(string2int_map,"ip_plus", TABLE_TYPE_IP_PLUS); map_register(string2int_map,"compile", TABLE_TYPE_COMPILE); map_register(string2int_map,"plugin", TABLE_TYPE_PLUGIN); map_register(string2int_map,"intval", TABLE_TYPE_INTERVAL); @@ -1598,6 +1599,7 @@ void rulescan_batch_update(rule_scanner_t rs_handle,MESA_lqueue_head expr_queue, assert(table_rt->expr.regex_rule_cnt>=0); break; case TABLE_TYPE_IP: + case TABLE_TYPE_IP_PLUS: table_rt->ip.ipv4_rule_cnt+=region_counter[i].ipv4_rule_cnt; table_rt->ip.ipv6_rule_cnt+=region_counter[i].ipv6_rule_cnt; break; @@ -2306,6 +2308,7 @@ int del_region_rule(struct Maat_table_desc* table,int region_id,int group_id,int switch(table->table_type) { case TABLE_TYPE_IP: + case TABLE_TYPE_IP_PLUS: case TABLE_TYPE_EXPR: case TABLE_TYPE_EXPR_PLUS: case TABLE_TYPE_INTERVAL: 
@@ -2761,90 +2764,269 @@ error_out: free(maat_str_rule); maat_str_rule=NULL; } -void update_ip_rule(struct Maat_table_desc* table,const char* table_line,struct Maat_scanner_t *scanner,void* logger,int group_mode_on) +enum MAAT_IP_FORMAT +{ + FORMAT_RANGE, + FORMAT_MASK, + FORMAT_UNKNOWN +}; +enum MAAT_IP_FORMAT ip_format_str2int(const char* format) +{ + if(0==strcasecmp(format, "range")) + { + return FORMAT_RANGE; + } + else if(0==strcasecmp(format, "mask")) + { + return FORMAT_MASK; + } + else + { + assert(0); + } + return FORMAT_UNKNOWN; +} +void ipv6_mask2range(const unsigned int ip[], unsigned int mask[], unsigned int range_begin[], unsigned int range_end[]) +{ + int i=0; + for(i=0; i<4; i++) + { + range_begin[i]=ip[i]&mask[i]; + range_end[i] = ip[i]|~mask[i]; + } + return; +} +void update_ip_rule(struct Maat_table_desc* table, const char* table_line, struct Maat_scanner_t *scanner, void* logger, int group_mode_on) { struct db_ip_rule_t* ip_rule=(struct db_ip_rule_t*)calloc(sizeof(struct db_ip_rule_t),1); - char src_ip[40],mask_src_ip[40],dst_ip[40],mask_dst_ip[40]; + char src_ip1[40]={0}, src_ip2[40]={0}, dst_ip1[40]={0}, dst_ip2[40]={0}; + char saddr_format[16]={0}, sport_format[16]={0}, daddr_format[16]={0}, dport_format[16]={0}; struct Maat_table_runtime* table_rt=scanner->table_rt[table->table_id]; - unsigned short i_src_port,i_sport_mask,i_dst_port,i_dport_mask; + unsigned short src_port1=0, src_port2=0, dst_port1=0, dst_port2=0; int protocol=0,direction=0; - int ret=0,rule_type=0; + int ret=0; int ret_array[8]={1},i=0; - ret=sscanf(table_line,"%d\t%d\t%d\t%s\t%s\t%hu\t%hu\t%s\t%s\t%hu\t%hu\t%d\t%d\t%d" - ,&(ip_rule->region_id) - ,&(ip_rule->group_id) - ,&(ip_rule->addr_type) - ,src_ip - ,mask_src_ip - ,&i_src_port - ,&i_sport_mask - ,dst_ip - ,mask_dst_ip - ,&i_dst_port - ,&i_dport_mask - ,&protocol - ,&direction - ,&(ip_rule->is_valid)); - if(ret!=14||(ip_rule->addr_type!=4&&ip_rule->addr_type!=6) - ||protocol>65535||protocol<0 - 
||(direction!=0&&direction!=1)) + + unsigned int ipv4_addr1=0, ipv4_addr2=0, ipv6_addr1[4]={0}, ipv6_addr2[4]={0}; + switch(table->table_type) { - MESA_handle_runtime_log(logger,RLOG_LV_FATAL,maat_module , - "update error,invalid format of ip table %s:%s" - ,table->table_name[table->updating_name],table_line); + case TABLE_TYPE_IP: + strncpy(saddr_format, "mask", sizeof(saddr_format)); + strncpy(sport_format, "mask", sizeof(sport_format)); + strncpy(daddr_format, "mask", sizeof(daddr_format)); + strncpy(dport_format, "mask", sizeof(dport_format)); + + ret=sscanf(table_line,"%d\t%d\t%d\t%s\t%s\t%hu\t%hu\t%s\t%s\t%hu\t%hu\t%d\t%d\t%d", + &(ip_rule->region_id), + &(ip_rule->group_id), + &(ip_rule->addr_type), + src_ip1, + src_ip2, + &src_port1, + &src_port2, + dst_ip1, + dst_ip2, + &dst_port1, + &dst_port2, + &protocol, + &direction, + &(ip_rule->is_valid)); + if(ret!=14) + { + MESA_handle_runtime_log(logger,RLOG_LV_FATAL,maat_module , + "update error, invalid column number of ip table %s:%s" + ,table->table_name[table->updating_name],table_line); + table->udpate_err_cnt++; + goto error_out; + } + break; + case TABLE_TYPE_IP_PLUS: + ret=sscanf(table_line,"%d\t%d\t%d\t%s\t%s\t%s\t%s\t%hu\t%hu\t%s\t%s\t%s\t%s\t%hu\t%hu\t%d\t%d\t%d", + &(ip_rule->region_id), + &(ip_rule->group_id), + &(ip_rule->addr_type), + saddr_format, + src_ip1, + src_ip2, + sport_format, + &src_port1, + &src_port2, + daddr_format, + dst_ip1, + dst_ip2, + dport_format, + &dst_port1, + &dst_port2, + &protocol, + &direction, + &(ip_rule->is_valid)); + if(ret!=18) + { + MESA_handle_runtime_log(logger,RLOG_LV_FATAL,maat_module , + "update error, invalid column number of ip_plus table %s:%s" + ,table->table_name[table->updating_name],table_line); + table->udpate_err_cnt++; + goto error_out; + } + break; + default: + table->udpate_err_cnt++; + goto error_out; + break; + } + if(ip_rule->addr_type!=4&&ip_rule->addr_type!=6) + { + MESA_handle_runtime_log(logger,RLOG_LV_FATAL,maat_module, + "update error, 
invalid addr type %d of ip/ip_plus table %s:%s", + ip_rule->addr_type, + table->table_name[table->updating_name], table_line); + table->udpate_err_cnt++; + goto error_out; + } + if(protocol>65535 || protocol<0) + { + MESA_handle_runtime_log(logger,RLOG_LV_FATAL,maat_module, + "update error, invalid protocol value %d of ip/ip_plus table %s:%s", + protocol, + table->table_name[table->updating_name],table_line); + table->udpate_err_cnt++; + goto error_out; + } + if(direction!=0 && direction!=1) + { + MESA_handle_runtime_log(logger,RLOG_LV_FATAL,maat_module, + "update error, invalid direction value %d of ip/ip_plus table %s:%s", + direction, + table->table_name[table->updating_name],table_line); + table->udpate_err_cnt++; + goto error_out; + } + if(FORMAT_UNKNOWN==ip_format_str2int(saddr_format)|| + FORMAT_UNKNOWN==ip_format_str2int(sport_format)|| + FORMAT_UNKNOWN==ip_format_str2int(daddr_format)|| + FORMAT_UNKNOWN==ip_format_str2int(dport_format)) + { + MESA_handle_runtime_log(logger,RLOG_LV_FATAL,maat_module, + "update error, invalid addr format of ip/ip_plus table %s:%s, should be range or mask", + table->table_name[table->updating_name],table_line); table->udpate_err_cnt++; goto error_out; } if(ip_rule->addr_type==4) { - ret_array[0]=inet_pton(AF_INET,src_ip,&(ip_rule->ipv4_rule.saddr)); - ip_rule->ipv4_rule.saddr=ntohl(ip_rule->ipv4_rule.saddr); - ret_array[1]=inet_pton(AF_INET,mask_src_ip,&(ip_rule->ipv4_rule.smask)); - ip_rule->ipv4_rule.smask=ntohl(ip_rule->ipv4_rule.smask); - - ret_array[2]=inet_pton(AF_INET,dst_ip,&(ip_rule->ipv4_rule.daddr)); - ip_rule->ipv4_rule.daddr=ntohl(ip_rule->ipv4_rule.daddr); - ret_array[3]=inet_pton(AF_INET,mask_dst_ip,&(ip_rule->ipv4_rule.dmask)); - ip_rule->ipv4_rule.dmask=ntohl(ip_rule->ipv4_rule.dmask); - - ip_rule->ipv4_rule.min_sport=i_src_port&i_sport_mask; - ip_rule->ipv4_rule.max_sport=(i_src_port&i_sport_mask)+(~i_sport_mask); - - ip_rule->ipv4_rule.min_dport=i_dst_port&i_dport_mask; - 
ip_rule->ipv4_rule.max_dport=(i_dst_port&i_dport_mask)+(~i_dport_mask); + ret_array[0]=inet_pton(AF_INET, src_ip1, &ipv4_addr1); + ipv4_addr1=ntohl(ipv4_addr1); + ret_array[1]=inet_pton(AF_INET, src_ip2, &ipv4_addr2); + ipv4_addr2=ntohl(ipv4_addr2); + if(FORMAT_MASK==ip_format_str2int(saddr_format)) + { + // min_saddr=(saddr&mask) max_saddr=(saddr|~mask) + ip_rule->ipv4_rule.min_saddr=ipv4_addr1&ipv4_addr2; + ip_rule->ipv4_rule.max_saddr=ipv4_addr1|~ipv4_addr2; + } + else + { + ip_rule->ipv4_rule.min_saddr=ipv4_addr1; + ip_rule->ipv4_rule.max_saddr=ipv4_addr2; + } + if(FORMAT_MASK==ip_format_str2int(sport_format)) + { + ip_rule->ipv4_rule.min_sport=src_port1&src_port2; + ip_rule->ipv4_rule.max_sport=src_port1|~src_port2; + } + else + { + ip_rule->ipv4_rule.min_sport=src_port1; + ip_rule->ipv4_rule.max_sport=src_port2; + } + ret_array[2]=inet_pton(AF_INET, dst_ip1, &ipv4_addr1); + ipv4_addr1=ntohl(ipv4_addr1); + ret_array[3]=inet_pton(AF_INET, dst_ip2, &ipv4_addr2); + ipv4_addr2=ntohl(ipv4_addr2); + if(FORMAT_MASK==ip_format_str2int(daddr_format)) + { + ip_rule->ipv4_rule.min_daddr=ipv4_addr1&ipv4_addr2; + ip_rule->ipv4_rule.max_daddr=ipv4_addr1|~ipv4_addr2; + } + else + { + ip_rule->ipv4_rule.min_daddr=ipv4_addr1; + ip_rule->ipv4_rule.max_daddr=ipv4_addr2; + } + if(FORMAT_MASK==ip_format_str2int(dport_format)) + { + ip_rule->ipv4_rule.min_dport=dst_port1&dst_port2; + ip_rule->ipv4_rule.max_dport=dst_port1|~dst_port2; + } + else + { + ip_rule->ipv4_rule.min_dport=dst_port1; + ip_rule->ipv4_rule.max_dport=dst_port2; + } ip_rule->ipv4_rule.proto=protocol; ip_rule->ipv4_rule.direction=direction; - rule_type=RULETYPE_IPv4; } else { - ret_array[0]=inet_pton(AF_INET6,src_ip,&(ip_rule->ipv6_rule.saddr)); - ipv6_ntoh(ip_rule->ipv6_rule.saddr); - ret_array[1]=inet_pton(AF_INET6,mask_src_ip,&(ip_rule->ipv6_rule.smask)); - ipv6_ntoh(ip_rule->ipv6_rule.smask); + ret_array[0]=inet_pton(AF_INET6, src_ip1, ipv6_addr1); + ipv6_ntoh(ipv6_addr1); + ret_array[1]=inet_pton(AF_INET6, 
src_ip2, ipv6_addr2); + ipv6_ntoh(ipv6_addr2); + if(FORMAT_MASK==ip_format_str2int(saddr_format)) + { + // min_saddr=(saddr&mask) max_saddr=(saddr|~mask) + ipv6_mask2range(ipv6_addr1, ipv6_addr2, ip_rule->ipv6_rule.min_saddr, ip_rule->ipv6_rule.max_saddr); + } + else + { + memcpy(ip_rule->ipv6_rule.min_saddr, ipv6_addr1, sizeof(ip_rule->ipv6_rule.min_saddr)); + memcpy(ip_rule->ipv6_rule.max_saddr, ipv6_addr2, sizeof(ip_rule->ipv6_rule.max_saddr)); + } + if(FORMAT_MASK==ip_format_str2int(sport_format)) + { + ip_rule->ipv6_rule.min_sport=src_port1&src_port2; + ip_rule->ipv6_rule.max_sport=src_port1|~src_port2; + } + else + { + ip_rule->ipv6_rule.min_sport=src_port1; + ip_rule->ipv6_rule.max_sport=src_port2; + } - ret_array[2]=inet_pton(AF_INET6,dst_ip,&(ip_rule->ipv6_rule.daddr)); - ipv6_ntoh(ip_rule->ipv6_rule.daddr); - ret_array[3]=inet_pton(AF_INET6,mask_dst_ip,&(ip_rule->ipv6_rule.dmask)); - ipv6_ntoh(ip_rule->ipv6_rule.dmask); - - ip_rule->ipv6_rule.min_sport=i_src_port&i_sport_mask; - ip_rule->ipv6_rule.max_sport=(i_src_port&i_sport_mask)+(~i_sport_mask); - - ip_rule->ipv6_rule.min_dport=i_dst_port&i_dport_mask; - ip_rule->ipv6_rule.max_dport=(i_dst_port&i_dport_mask)+~(i_dport_mask); - + ret_array[2]=inet_pton(AF_INET6, dst_ip1, &ipv6_addr1); + ipv6_ntoh(ipv6_addr1); + ret_array[3]=inet_pton(AF_INET6, dst_ip2, &ipv6_addr2); + ipv6_ntoh(ipv6_addr2); + if(FORMAT_MASK==ip_format_str2int(daddr_format)) + { + // min_saddr=(saddr&mask) max_saddr=(saddr|~mask) + ipv6_mask2range(ipv6_addr1, ipv6_addr2, ip_rule->ipv6_rule.min_daddr, ip_rule->ipv6_rule.max_daddr); + } + else + { + memcpy(ip_rule->ipv6_rule.min_daddr, ipv6_addr1, sizeof(ip_rule->ipv6_rule.min_daddr)); + memcpy(ip_rule->ipv6_rule.max_daddr, ipv6_addr2, sizeof(ip_rule->ipv6_rule.max_daddr)); + } + if(FORMAT_MASK==ip_format_str2int(dport_format)) + { + ip_rule->ipv6_rule.min_dport=dst_port1&dst_port2; + ip_rule->ipv6_rule.max_dport=dst_port1|~dst_port2; + } + else + { + 
ip_rule->ipv6_rule.min_sport=dst_port1; + ip_rule->ipv6_rule.max_sport=dst_port2; + } ip_rule->ipv6_rule.proto=protocol; ip_rule->ipv6_rule.direction=direction; - rule_type=RULETYPE_IPv6; } for(i=0;i<4;i++) { if(ret_array[i]<=0) { MESA_handle_runtime_log(logger,RLOG_LV_FATAL,maat_module , - "update error,invalid format of ip table %s:%s" + "update error, invalid IP address format of ip table %s:%s" ,table->table_name[table->updating_name],table_line); table->udpate_err_cnt++; goto error_out; @@ -2861,19 +3043,19 @@ void update_ip_rule(struct Maat_table_desc* table,const char* table_line,struct } if(group_mode_on==FALSE)//for compatible old version { - compatible_group_udpate(table - ,ip_rule->region_id - ,ip_rule->group_id - ,ip_rule->is_valid - ,scanner - ,logger); + compatible_group_udpate(table, + ip_rule->region_id, + ip_rule->group_id, + ip_rule->is_valid, + scanner, + logger); ip_rule->group_id=ip_rule->region_id; } if(ip_rule->is_valid==FALSE) { - ret=del_region_rule(table - ,ip_rule->region_id,ip_rule->group_id,rule_type - ,scanner, logger); + ret=del_region_rule(table, + ip_rule->region_id, ip_rule->group_id, ip_rule->addr_type==6?RULETYPE_IPv6:RULETYPE_IPv4, + scanner, logger); if(ret<0) { table->udpate_err_cnt++; @@ -2886,7 +3068,7 @@ void update_ip_rule(struct Maat_table_desc* table,const char* table_line,struct else { - ret=add_ip_rule(table, ip_rule,scanner, logger); + ret=add_ip_rule(table, ip_rule, scanner, logger); if(ret<0) { MESA_handle_runtime_log(logger,RLOG_LV_INFO,maat_module , @@ -3689,6 +3871,7 @@ int maat_update_cb(const char* table_name,const char* line,void *u_para) update_expr_rule(feather->p_table_info[table_id], line, scanner,feather->logger,feather->GROUP_MODE_ON); break; case TABLE_TYPE_IP: + case TABLE_TYPE_IP_PLUS: update_ip_rule(feather->p_table_info[table_id], line, scanner,feather->logger,feather->GROUP_MODE_ON); break; case TABLE_TYPE_INTERVAL: 
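Review bot: In the IPv6 branch of update_ip_rule (hunk @@ -2761,90 +2764,269 @@), the range-format case for the destination port writes `ip_rule->ipv6_rule.min_sport=dst_port1;` / `ip_rule->ipv6_rule.max_sport=dst_port2;`, so an IPv6 rule with dport_format "range" clobbers the source-port bounds computed just above and leaves min_dport/max_dport at the calloc'd zero, which the ipv6_rule_t comments describe as "ignore this field"; these two lines should assign `min_dport`/`max_dport` as the IPv4 branch does. Separately, ip_format_str2int calls assert(0) for any string other than "range"/"mask", so the FORMAT_UNKNOWN check after the sscanf is only reachable in NDEBUG builds and a malformed ip_plus line aborts the loader in debug builds; dropping the assert and returning FORMAT_UNKNOWN lets the existing log-and-skip path handle it. The new sscanf formats still read `%s` into the 40-byte address and 16-byte format buffers with no width, so an over-long token in a rule line overruns the stack buffers; `%39s` and `%15s` bound them. The range branches also accept a lower bound greater than the upper bound without a log line, which yields a rule that silently never matches. update_ip_rule continues past the end of the hunk.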
diff --git a/src/entry/Maat_stat.cpp b/src/entry/Maat_stat.cpp index c5e4daf..112c612 100644 --- a/src/entry/Maat_stat.cpp +++ b/src/entry/Maat_stat.cpp @@ -234,6 +234,7 @@ void maat_stat_output(struct _Maat_feather_t* feather) total_iconv_error=p_table->expr.iconv_err_cnt; break; case TABLE_TYPE_IP: + case TABLE_TYPE_IP_PLUS: table_regex_ipv6_num=table_rt->ip.ipv6_rule_cnt; break; default: diff --git a/src/entry/json2iris.cpp b/src/entry/json2iris.cpp index 8632f50..8150230 100644 --- a/src/entry/json2iris.cpp +++ b/src/entry/json2iris.cpp @@ -141,6 +141,7 @@ int set_iris_descriptor(const char* json_file,cJSON *json,const char*compile_tn, map_register(iris_cfg->str2int_map, "no",0); map_register(iris_cfg->str2int_map, "ip",TABLE_TYPE_IP); + map_register(iris_cfg->str2int_map, "ip_plus",TABLE_TYPE_IP_PLUS); map_register(iris_cfg->str2int_map, "string",TABLE_TYPE_EXPR); map_register(iris_cfg->str2int_map, "expr",TABLE_TYPE_EXPR); map_register(iris_cfg->str2int_map, "expr_plus",TABLE_TYPE_EXPR_PLUS); 
@@ -407,6 +408,118 @@ int write_ip_line(cJSON *region_json, struct iris_description_t *p_iris, const c return direct_write_rule(region_json, p_iris->str2int_map,json_cmd, cmd_cnt,path,logger); } +int write_ip_plus_line(cJSON *region_json, struct iris_description_t *p_iris, const char* path, void * logger) +{ + struct traslate_command_t json_cmd[MAX_COLUMN_NUM]; + int cmd_cnt=0; + memset(json_cmd,0,sizeof(json_cmd)); + + json_cmd[cmd_cnt].json_string="region_id"; + json_cmd[cmd_cnt].json_type=cJSON_Number; + cmd_cnt++; + + json_cmd[cmd_cnt].json_string="group_id"; + json_cmd[cmd_cnt].json_type=cJSON_Number; + cmd_cnt++; + + json_cmd[cmd_cnt].json_string="addr_type"; + json_cmd[cmd_cnt].json_type=cJSON_String; + json_cmd[cmd_cnt].str2int_flag=1; + cmd_cnt++; + + json_cmd[cmd_cnt].json_string="saddr_format"; + json_cmd[cmd_cnt].json_type=cJSON_String; + json_cmd[cmd_cnt].empty_allowed=1; + json_cmd[cmd_cnt].default_string="mask"; + cmd_cnt++; + + json_cmd[cmd_cnt].json_string="src_ip1"; + json_cmd[cmd_cnt].json_type=cJSON_String; + json_cmd[cmd_cnt].empty_allowed=1; + json_cmd[cmd_cnt].default_string="0.0.0.0"; + cmd_cnt++; + + json_cmd[cmd_cnt].json_string="src_ip2"; + json_cmd[cmd_cnt].json_type=cJSON_String; + json_cmd[cmd_cnt].empty_allowed=1; + json_cmd[cmd_cnt].default_string="255.255.255.255"; + cmd_cnt++; + + json_cmd[cmd_cnt].json_string="sport_format"; + json_cmd[cmd_cnt].json_type=cJSON_String; + json_cmd[cmd_cnt].empty_allowed=1; + json_cmd[cmd_cnt].default_string="mask"; + cmd_cnt++; + + json_cmd[cmd_cnt].json_string="src_port1"; + json_cmd[cmd_cnt].json_type=cJSON_String; + json_cmd[cmd_cnt].empty_allowed=1; + json_cmd[cmd_cnt].default_string="0"; + cmd_cnt++; + + json_cmd[cmd_cnt].json_string="src_port2"; + json_cmd[cmd_cnt].json_type=cJSON_String; + json_cmd[cmd_cnt].empty_allowed=1; + json_cmd[cmd_cnt].default_string="65535"; + cmd_cnt++; + + json_cmd[cmd_cnt].json_string="daddr_format"; + json_cmd[cmd_cnt].json_type=cJSON_String; + 
json_cmd[cmd_cnt].empty_allowed=1; + json_cmd[cmd_cnt].default_string="mask"; + cmd_cnt++; + + json_cmd[cmd_cnt].json_string="dst_ip1"; + json_cmd[cmd_cnt].json_type=cJSON_String; + json_cmd[cmd_cnt].empty_allowed=1; + json_cmd[cmd_cnt].default_string="0.0.0.0"; + cmd_cnt++; + + json_cmd[cmd_cnt].json_string="dst_ip2"; + json_cmd[cmd_cnt].json_type=cJSON_String; + json_cmd[cmd_cnt].empty_allowed=1; + json_cmd[cmd_cnt].default_string="255.255.255.255"; + cmd_cnt++; + + json_cmd[cmd_cnt].json_string="dport_format"; + json_cmd[cmd_cnt].json_type=cJSON_String; + json_cmd[cmd_cnt].empty_allowed=1; + json_cmd[cmd_cnt].default_string="mask"; + cmd_cnt++; + + json_cmd[cmd_cnt].json_string="dst_port1"; + json_cmd[cmd_cnt].json_type=cJSON_String; + json_cmd[cmd_cnt].empty_allowed=1; + json_cmd[cmd_cnt].default_string="0"; + cmd_cnt++; + + json_cmd[cmd_cnt].json_string="dst_port2"; + json_cmd[cmd_cnt].json_type=cJSON_String; + json_cmd[cmd_cnt].empty_allowed=1; + json_cmd[cmd_cnt].default_string="65535"; + cmd_cnt++; + + json_cmd[cmd_cnt].json_string="protocol"; + json_cmd[cmd_cnt].json_type=cJSON_Number; + json_cmd[cmd_cnt].empty_allowed=1; + json_cmd[cmd_cnt].default_int=0; + cmd_cnt++; + + json_cmd[cmd_cnt].json_string="direction"; + json_cmd[cmd_cnt].json_type=cJSON_String; + json_cmd[cmd_cnt].str2int_flag=1; + json_cmd[cmd_cnt].empty_allowed=1; + json_cmd[cmd_cnt].default_string="double"; + cmd_cnt++; + + json_cmd[cmd_cnt].json_string="is_valid"; + json_cmd[cmd_cnt].json_type=cJSON_Number; + cmd_cnt++; + + return direct_write_rule(region_json, p_iris->str2int_map,json_cmd, cmd_cnt,path,logger); + +} + int write_expr_line(cJSON *region_json,struct iris_description_t *p_iris,const char* path,enum MAAT_TABLE_TYPE table_type,void * logger) { struct traslate_command_t json_cmd[MAX_COLUMN_NUM]; 
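Review bot: The default_string values in write_ip_plus_line for src_ip1/src_ip2/dst_ip1/dst_ip2 are IPv4 literals ("0.0.0.0", "255.255.255.255"), yet the same function serves addr_type ipv6; if direct_write_rule substitutes these when a key is absent (which empty_allowed=1 suggests, though direct_write_rule is not in the diff), an IPv6 region that omits an address pair yields a line that update_ip_rule's inet_pton(AF_INET6) rejects, so the rule is dropped with an "invalid IP address format" log instead of being treated as "any". Either pick the default per addr_type or state the constraint in a comment above the table, e.g. `/* address defaults are IPv4 literals; ipv6 regions must supply all four address fields */`. A one-line comment noting that the column order must match the 18-column sscanf in update_ip_rule would also help, since the two must stay in lockstep.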
@@ -670,6 +783,9 @@ int write_region_rule(cJSON* region_json,int compile_id,int group_id,iris_descri case TABLE_TYPE_IP: ret=write_ip_line(table_content, p_iris, table_info->table_path, logger); break; + case TABLE_TYPE_IP_PLUS: + write_ip_plus_line(table_content, p_iris, table_info->table_path, logger); + break; case TABLE_TYPE_INTERVAL: ret=write_intval_line(table_content, p_iris, table_info->table_path, logger); break; diff --git a/src/inc_internal/Maat_table_description.h b/src/inc_internal/Maat_table_description.h index 4e3fa3a..b924c34 100644 --- a/src/inc_internal/Maat_table_description.h +++ b/src/inc_internal/Maat_table_description.h @@ -18,6 +18,7 @@ enum MAAT_TABLE_TYPE { TABLE_TYPE_EXPR=0, TABLE_TYPE_IP, + TABLE_TYPE_IP_PLUS, TABLE_TYPE_INTERVAL, TABLE_TYPE_DIGEST, TABLE_TYPE_EXPR_PLUS, diff --git a/src/inc_internal/view_only/rulescan.h b/src/inc_internal/view_only/rulescan.h index f7a9a42..4397f18 100644 --- a/src/inc_internal/view_only/rulescan.h +++ b/src/inc_internal/view_only/rulescan.h @@ -28,7 +28,9 @@ extern "C" { RULESCAN_DETAIL_RESULT=1, /* 本标志位表示:返回详细命中位置等信息, optval设为NULL,optlen设为0。默认不返回详细信息*/ RULESCAN_REGEX_GROUP =2, /* 本标志位表示:返回正则表达式匹配的分组信息;开启本字段,需要先设置RULESCAN_DETAIL_RESULT标志位,optval设为NULL,optlen设为0。默认不返回分组信息 */ - RULESCAN_QUICK_SCAN /* 设置需要快速扫描模式的sub_type, 由用户自己定义,optval的值为0-4096,optlen设为4。默认设置是普通扫描模式。*/ + RULEACAN_ERRLOG_CLOSE, /* 本标志位表示:关闭Rulescan错误日志输出,optval设为NULL,optlen设为0。不设置的话默认打开Rulescan错误日志输出 */ + RULESCAN_ERRLOG_FILE_PATH, /* 设置Rulescan错误日志的路径名(包含文件名),由用户传入,optval的值为包含文件名的日志路径,optlen为路径长度。如果没有设定, + 则日志默认存储在可执行程序当前目录下的rulescan_tmp中 */ }; #define MAX_REGEX_GROUP_NUM 5 /* 对于正则表达式,所支持的最大分组的个数 */ @@ -45,7 +47,7 @@ extern "C" const unsigned int RULETYPE_IPv6 = 4; /* IPv6规则 */ const unsigned int MAX_RULETYPE = 5; /* 规则类型数量 */ - const unsigned int MAX_SUB_RULETYPE = 4096; /* 规则子类型数量 */ + const unsigned int MAX_SUB_RULETYPE = 4096; /* 规则子类型数量 */ /* 字符串类型规则(可表示文本字符串、二进制字符串、正则表达式) */ typedef struct _string_rule_t 
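Review bot: The new TABLE_TYPE_IP_PLUS case in write_region_rule discards write_ip_plus_line's return value, unlike the neighbouring TABLE_TYPE_IP and TABLE_TYPE_INTERVAL cases that store it in ret; a failed write of an ip_plus rule therefore goes unreported and the caller proceeds as though the region had been written. It should read `ret=write_ip_plus_line(table_content, p_iris, table_info->table_path, logger);`. The switch and the enclosing function continue outside the hunk.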
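Review bot: Inserting TABLE_TYPE_IP_PLUS between TABLE_TYPE_IP and TABLE_TYPE_INTERVAL in MAAT_TABLE_TYPE renumbers every later enumerator (TABLE_TYPE_INTERVAL, TABLE_TYPE_DIGEST, TABLE_TYPE_EXPR_PLUS and whatever follows outside the hunk). I cannot tell from the header whether any of these values is persisted, passed across a library boundary or compared against a bare number, but if so their meaning changes silently; appending the new enumerator after the last existing one, as TABLE_TYPE_EXPR_PLUS appears to have been, avoids the shift. If the renumbering is deliberate, a one-line comment on the enum such as `/* values are internal and may change between builds; never persist them */` would settle the question for the next reader.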
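Review bot: The new enumerator in rulescan.h (hunk @@ -28,7 +28,9 @@) is spelled `RULEACAN_ERRLOG_CLOSE` while every sibling uses the RULESCAN_ prefix, and since this is a public header under view_only the typo becomes API; it should be `RULESCAN_ERRLOG_CLOSE,`. The hunk also removes RULESCAN_QUICK_SCAN and places the new option in its numeric slot, so a caller still built against the old header and passing that option would now switch off Rulescan's error log instead of selecting quick scan; if such callers may exist, keeping the old name as a deprecated placeholder preserves the slot. The RULESCAN_ERRLOG_FILE_PATH comment gives the default location but not whether the file is created, truncated or appended to, and the header is the right place to say so.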
@@ -65,34 +67,34 @@ extern "C" unsigned int ub; /* 数据区间的下界(包含ub),无限制默认为0 */ }interval_rule_t; - /* 带掩码的IPv4规则 */ + /* IPv4规则 */ typedef struct _ipv4_rule_t { - unsigned int saddr; /* 源IP地址;0表示忽略本字段 */ - unsigned int smask; /* 源IP地址掩码;0表示固定IP=saddr */ - unsigned int daddr; /* 目的IP地址;0表示忽略本字段 */ - unsigned int dmask; /* 目的IP地址掩码;0表示固定IP=daddr */ - unsigned short int min_sport; /* 源端口范围下界;0表示忽略本字段 */ - unsigned short int max_sport; /* 源端口范围上界;0表示固定端口=min_sport */ - unsigned short int min_dport; /* 目的端口范围下界;0表示忽略本字段 */ - unsigned short int max_dport; /* 目的端口范围上界;0表示固定端口=min_dport */ - unsigned short int proto; /* 传输层协议,6表示TCP,17表示UDP;0表示忽略本字段 */ - unsigned short int direction; /* 方向,0表示双向,1表示单向 */ + unsigned int min_saddr; /* 源地址下界;0表示忽略本字段 */ + unsigned int max_saddr; /* 源地址上界;0表示固定IP=min_saddr */ + unsigned int min_daddr; /* 目的地址下界;0表示忽略本字段 */ + unsigned int max_daddr; /* 目的地址上界;0表示固定IP=min_daddr */ + unsigned short min_sport; /* 源端口范围下界;0表示忽略本字段 */ + unsigned short max_sport; /* 源端口范围上界;0表示固定端口=min_sport */ + unsigned short min_dport; /* 目的端口范围下界;0表示忽略本字段 */ + unsigned short max_dport; /* 目的端口范围上界;0表示固定端口=min_dport */ + unsigned short proto; /* 传输层协议,6表示TCP,17表示UDP;0表示忽略本字段 */ + unsigned short direction; /* 方向,0表示双向,1表示单向 */ }ipv4_rule_t; - /* 带掩码的IPv6规则 */ + /* IPv6规则 */ typedef struct _ipv6_rule_t { - unsigned int saddr[4]; /* 源IP地址;0表示忽略本字段 */ - unsigned int smask[4]; /* 源IP地址掩码;0表示固定IP=saddr */ - unsigned int daddr[4]; /* 目的IP地址;0表示忽略本字段 */ - unsigned int dmask[4]; /* 目的IP地址掩码;0表示固定IP=daddr */ - unsigned short int min_sport; /* 源端口范围下界;0表示忽略本字段 */ - unsigned short int max_sport; /* 源端口范围上界;0表示固定端口=min_sport */ - unsigned short int min_dport; /* 目的端口范围下界;0表示忽略本字段 */ - unsigned short int max_dport; /* 目的端口范围上界;0表示固定端口=min_dport */ - unsigned short int proto; /* 传输层协议,6表示TCP,17表示UDP,无限制默认为0 */ - unsigned short int direction; /* 方向,0表示双向,1表示单向 */ + unsigned int min_saddr[4]; /* 源地址下界;全0表示忽略本字段 */ + unsigned int max_saddr[4]; /* 源地址上界;全0表示固定IP=min_saddr */ + unsigned 
int min_daddr[4]; /* 目的地址下界;全0表示忽略本字段 */ + unsigned int max_daddr[4]; /* 目的地址上界;全0表示固定IP=min_daddr */ + unsigned short min_sport; /* 源端口范围下界;0表示忽略本字段 */ + unsigned short max_sport; /* 源端口范围上界;0表示固定端口=min_sport */ + unsigned short min_dport; /* 目的端口范围下界;0表示忽略本字段 */ + unsigned short max_dport; /* 目的端口范围上界;0表示固定端口=min_dport */ + unsigned short proto; /* 传输层协议,6表示TCP,17表示UDP,无限制默认为0 */ + unsigned short direction; /* 方向,0表示双向,1表示单向 */ }ipv6_rule_t; /* 通用的规则类型 */ @@ -188,7 +190,7 @@ extern "C" unsigned int length[MAX_MATCH_POS_NUM]; /* 该规则所有命中结果的长度;如果该命中结果是在以前的数据包中命中的,则设置对应的length=0, 对于整数区间与IP类,长度置为0*/ }rule_result_t; - /* 布尔表达式的扫描结果类型,quick模式下只有expr_id以及tag两项有效 */ + /* 布尔表达式的扫描结果类型 */ typedef struct _scan_result_t { unsigned int expr_id; /* 与表达式的ID */ diff --git a/test/maat_json.json b/test/maat_json.json index eb1da97..aab8dce 100644 --- a/test/maat_json.json +++ b/test/maat_json.json 
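Review bot: The rewritten field comments in ipv4_rule_t/ipv6_rule_t keep the old convention that an all-zero upper bound means "fixed IP = min_saddr" / "fixed port = min_sport", but update_ip_rule in this same diff now fills every max_* field as addr|~mask or the explicit range end, which is zero only when the lower bound is also zero (the "ignore" case). So either the scanner still special-cases max==0 (harmless but no longer produced by the loader) or the comment describes a convention that is now dead; I would reword each max_* comment to `/* upper bound (inclusive); min and max both 0 means the field is ignored */` and state which of the two holds. The same applies to the four ipv6 array fields, whose comments also say an all-zero max means a fixed address.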
@@ -937,6 +937,82 @@ ] } ] + }, + { + "compile_id": 154, + "service": 0, + "action": 0, + "do_blacklist": 0, + "do_log": 0, + "effective_rage": 0, + "user_region": "ipv4_plus", + "is_valid": "yes", + "groups": [ + { + "regions": [ + { + "table_type": "ip_plus", + "table_name": "IP_PLUS_CONFIG", + "table_content": { + "addr_type": "ipv4", + "saddr_format": "range", + "src_ip1": "10.0.7.100", + "src_ip2": "10.0.7.106", + "sport_format": "range", + "src_port1": "5000", + "src_port2": "5001", + "daddr_format": "mask", + "dst_ip1": "123.56.104.218", + "dst_ip2": "255.255.255.0", + "dport_format": "range", + "dst_port1": "7400", + "dst_port2": "7400", + "protocol": 6, + "direction": "double" + } + } + ], + "not_flag" : 0 + } + ] + }, + { + "compile_id": 155, + "service": 0, + "action": 0, + "do_blacklist": 0, + "do_log": 0, + "effective_rage": 0, + "user_region": "ipv6_plus", + "is_valid": "yes", + "groups": [ + { + "regions": [ + { + "table_type": "ip_plus", + "table_name": "IP_PLUS_CONFIG", + "table_content": { + "addr_type": "ipv6", + "saddr_format": "range", + "src_ip1": "1001:da8:205:1::101", + "src_ip2": "1001:da8:205:1::201", + "sport_format": "mask", + "src_port1": "5210", + "src_port2": "65520", + "daddr_format": "mask", + "dst_ip1": "3001:da8:205:1::401", + "dst_ip2": "ffff:ffff:ffff:ffff:ffff:ffff:ffff:0000", + "dport_format": "mask", + "dst_port1": "0", + "dst_port2": "65535", + "protocol": 6, + "direction": "double" + } + } + ], + "not_flag" : 0 + } + ] } ], "plugin_table": [ diff --git a/test/table_info.conf b/test/table_info.conf index 6bace4d..22c683e 100644 --- a/test/table_info.conf +++ b/test/table_info.conf @@ -1,7 +1,7 @@ #each collumn seperate with '\t' #id (0~65535) #name string -#type one of ip,expr,expr_plus,digest,intval,compile or plugin +#type one of ip, ip_plus, expr, expr_plus, digest, intval, compile or plugin #src_charset one of GBK,BIG5,UNICODE,UTF8 #dst_charset combined by GBK,BIG5,UNICODE,UTF8,seperate with '/' #do_merege [yes/no] 
@@ -34,4 +34,5 @@ 15 IR_INTERCEPT_IP plugin {"valid":14,"tag":18} 16 APP_PAYLOAD expr_plus UTF8 UTF8 yes 0 quickoff 17 TROJAN_PAYLOAD expr UTF8 UTF8 yes 0 quickoff -18 MAIL_ADDR expr UTF8 UTF8 yes 0 quickoff \ No newline at end of file +18 MAIL_ADDR expr UTF8 UTF8 yes 0 quickoff +19 IP_PLUS_CONFIG ip_plus -- \ No newline at end of file diff --git a/test/test_maatframe.cpp b/test/test_maatframe.cpp index 3d856f6..f08efe4 100644 --- a/test/test_maatframe.cpp +++ b/test/test_maatframe.cpp @@ -422,7 +422,7 @@ TEST(StringScan, ExprPlusWithOffset) EXPECT_EQ(result[0].config_id, 148); return; } -TEST(IPScan, IPv4) +TEST(IPScan, IPv4_mask) { int table_id=0,ret=0; const char* table_name="IP_CONFIG"; @@ -455,7 +455,7 @@ TEST(IPScan, IPv4) Maat_clean_status(&mid); return; } -TEST(IPScan, IPv6) +TEST(IPScan, IPv6_mask) { int table_id=0,ret=0; struct Maat_rule_t result[4]; 
@@ -480,6 +480,63 @@ TEST(IPScan, IPv6) Maat_clean_status(&mid); return; } +TEST(IPScan, IPv4_range) +{ + int table_id=0,ret=0; + const char* table_name="IP_PLUS_CONFIG"; + struct Maat_rule_t result[4]; + scan_status_t mid=NULL; + struct ipaddr ipv4_addr; + struct stream_tuple4_v4 v4_addr; + ipv4_addr.addrtype=ADDR_TYPE_IPV4; + inet_pton(AF_INET, "10.0.7.106", &(v4_addr.saddr)); + v4_addr.source=htons(5000); + inet_pton(AF_INET, "123.56.104.254", &(v4_addr.daddr)); + v4_addr.dest=htons(7400); + ipv4_addr.v4=&v4_addr; + + + table_id=Maat_table_register(g_feather, table_name); + + EXPECT_GT(table_id, 0); + + ret=Maat_scan_proto_addr(g_feather, table_id, &ipv4_addr, 6, result, 4, &mid, 0); + + EXPECT_EQ(ret, 1); + EXPECT_EQ(result[0].config_id, 154); + + Maat_clean_status(&mid); + return; +} + +TEST(IPScan, IPv6_range) +{ + int table_id=0,ret=0; + struct Maat_rule_t result[4]; + struct ipaddr ipv6_addr; + struct stream_tuple4_v6 v6_addr; + scan_status_t mid=NULL; + + ipv6_addr.addrtype=ADDR_TYPE_IPV6; + inet_pton(AF_INET6,"1001:da8:205:1::151",&(v6_addr.saddr)); + v6_addr.source=htons(5204);//5200~5299? + inet_pton(AF_INET6,"3001:da8:205:1::901",&(v6_addr.daddr)); + v6_addr.dest=htons(80);//any + ipv6_addr.v6=&v6_addr; + const char* table_name="IP_PLUS_CONFIG"; + table_id=Maat_table_register(g_feather,table_name); + EXPECT_GT(table_id, 0); + + //for improving performance. + Maat_set_scan_status(g_feather, &mid, MAAT_SET_SCAN_LAST_REGION,NULL, 0); + ret=Maat_scan_proto_addr(g_feather, table_id, &ipv6_addr, 6, result,4, &mid, 0); + EXPECT_EQ(ret, 1); + EXPECT_EQ(result[0].config_id, 155); + Maat_clean_status(&mid); + return; + +} + TEST(NOTLogic, OneRegion) { const char* string_should_hit="This string ONLY contains must-contained-string-of-rule-143.";
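Review bot: The two new tests only assert that a probe inside the configured range hits; nothing checks that a probe just outside it misses, so a range rule that matched every address (for instance a swapped lower/upper bound, or the 0/0 "ignore" encoding) would pass both tests. Add a negative probe to IPv4_range after the hit, e.g. `inet_pton(AF_INET, "10.0.7.107", &(v4_addr.saddr));` followed by a second Maat_scan_proto_addr call and `EXPECT_EQ(ret, 0);`, and do the same in IPv6_range with a source outside 1001:da8:205:1::101..::201. The comment `//5200~5299?` on v6_addr.source is also wrong: with sport_format mask and 5210/65520 (0xfff0) the rule covers 5200..5215, so write `//5200~5215 (5210 & 0xfff0 .. 5210 | 0x000f)`.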