增加IP composition的测试用例,确认端口范围的起始不能为1。

zhengchao
2020-11-17 16:44:49 +06:00
parent 17c450f8c3
commit e9a9c89116
4 changed files with 278 additions and 5 deletions


@@ -745,7 +745,7 @@ FULL_UPDATE:
*list=s_rule_array; *list=s_rule_array;
*update_type=CM_UPDATE_TYPE_FULL; *update_type=CM_UPDATE_TYPE_FULL;
MESA_handle_runtime_log(logger, RLOG_LV_INFO, maat_redis_monitor, MESA_handle_runtime_log(logger, RLOG_LV_INFO, maat_redis_monitor,
"Full update %d keys of version %lld.", rule_num, new_version); "Full update %d keys of version %lld.", rule_num, *new_version);
return rule_num ; return rule_num ;
} }


@@ -70,6 +70,32 @@
} }
] ]
}, },
{
"group_name": "IPv4-composition-source-only",
"regions": [
{
"table_type": "ip_plus",
"table_name": "IP_PLUS_CONFIG",
"table_content": {
"addr_type": "ipv4",
"saddr_format": "range",
"src_ip1": "192.168.50.24",
"src_ip2": "192.168.50.24",
"sport_format": "range",
"src_port1": "1",
"src_port2": "40000",
"daddr_format": "mask",
"dst_ip1": "0.0.0.0",
"dst_ip2": "255.255.255.0",
"dport_format": "range",
"dst_port1": "0",
"dst_port2": "65535",
"protocol": 6,
"direction": "double"
}
}
]
},
{ {
"group_name": "FQDN_OBJ1", "group_name": "FQDN_OBJ1",
"regions": [ "regions": [
@@ -1903,6 +1929,23 @@
"clause_index":0 "clause_index":0
} }
] ]
},
{
"compile_id": 181,
"service": 0,
"action": 0,
"do_blacklist": 0,
"do_log": 0,
"effective_rage": 0,
"user_region": "ipv4_composition.match",
"is_valid": "yes",
"groups": [
{
"group_name":"IPv4-composition-source-only",
"virtual_table":"COMPOSITION_IP_SOURCE",
"not_flag":0
}
]
} }
], ],
"plugin_table": [ "plugin_table": [


@@ -5,6 +5,7 @@
#include <gtest/gtest.h> #include <gtest/gtest.h>
#include <stdlib.h> #include <stdlib.h>
#include <arpa/inet.h> #include <arpa/inet.h>
#define WAIT_FOR_EFFECTIVE_SECOND 4
void ipv4_addr_set_copy(struct ipaddr *ipv4_addr, struct stream_tuple4_v4* v4_addr, void ipv4_addr_set_copy(struct ipaddr *ipv4_addr, struct stream_tuple4_v4* v4_addr,
const char* src_ip, unsigned short sport, const char* dest_ip, unsigned short dport) const char* src_ip, unsigned short sport, const char* dest_ip, unsigned short dport)
@@ -26,7 +27,8 @@ void random_keyword_generate(char* keyword_buf, size_t sz)
len=random()%(sz-1-MIN_KEYWORD_LEN)+MIN_KEYWORD_LEN; len=random()%(sz-1-MIN_KEYWORD_LEN)+MIN_KEYWORD_LEN;
for(i=0; i<len; i++) for(i=0; i<len; i++)
{ {
keyword_buf[i]='0'+random()%('~' - '0'); //keyword_buf[i]='0'+random()%('~' - '0');
keyword_buf[i]='a'+random()%('z' - 'a');
} }
keyword_buf[i]='\0'; keyword_buf[i]='\0';
return; return;
@@ -165,8 +167,8 @@ void* MaatCMDPerfTest::logger;
//Following tests must be coded/tested at last, for they stalled the maat update thread and interrupt other tests. //Following tests must be coded/tested at last, for they stalled the maat update thread and interrupt other tests.
TEST_F(MaatCMDPerfTest, SetExpr200K) TEST_F(MaatCMDPerfTest, SetExpr200K)
{ {
const int CMD_EXPR_NUM=2*1000*1000; const int CMD_EXPR_NUM=2*100*1000;
const int CMD_IP_NUM=13*1000*1000; const int CMD_IP_NUM=3*1000;
const char* expr_table_name="HTTP_URL"; const char* expr_table_name="HTTP_URL";
const char* ip_table_name="IP_CONFIG"; const char* ip_table_name="IP_CONFIG";
@@ -229,6 +231,216 @@ TEST_F(MaatCMDPerfTest, SetExpr200K)
Maat_clean_status(&mid); Maat_clean_status(&mid);
return; return;
} }
#define IP_PLUGIN_EX_DATA
struct ip_plugin_ud
{
int rule_id;
char* buffer;
int ref_cnt;
};
void ip_plugin_EX_new_cb(int table_id, const char* key, const char* table_line, MAAT_PLUGIN_EX_DATA* ad, long argl, void *argp)
{
int *counter=(int *)argp, ret=0;
size_t column_offset=0, column_len=0;
struct ip_plugin_ud* ud=(struct ip_plugin_ud*)calloc(sizeof(struct ip_plugin_ud), 1);
ret=Maat_helper_read_column(table_line, 1, &column_offset, &column_len);
EXPECT_EQ(ret, 0);
ud->rule_id=atoi(table_line+column_offset);
ret=Maat_helper_read_column(table_line, 5, &column_offset, &column_len);
EXPECT_EQ(ret, 0);
ud->buffer=(char*)calloc(sizeof(char), column_len+1);
strncpy(ud->buffer, table_line+column_offset, column_len);
ud->ref_cnt=1;
*ad=ud;
(*counter)++;
return;
}
void ip_plugin_EX_free_cb(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, void *argp)
{
struct ip_plugin_ud* u=(struct ip_plugin_ud*)(*ad);
u->ref_cnt--;
if(u->ref_cnt>0) return;
free(u->buffer);
free(u);
*ad=NULL;
}
void ip_plugin_EX_dup_cb(int table_id, MAAT_PLUGIN_EX_DATA *to, MAAT_PLUGIN_EX_DATA *from, long argl, void *argp)
{
struct ip_plugin_ud* u=(struct ip_plugin_ud*)(*from);
u->ref_cnt++;
*to=u;
}
TEST_F(MaatCMDPerfTest, UpdateIPPlugin)
{
#define IP_Plugin_EX_data
Maat_feather_t feather=MaatCMDPerfTest::_shared_feather;
int ret=0, i=0;
int table_id=0, ip_plugin_ex_data_counter=0;
const char* table_name="TEST_IP_PLUGIN_WITH_EXDATA";
const int TEST_CMD_LINE_NUM=4;
const struct Maat_cmd_line *p_line[TEST_CMD_LINE_NUM];
struct Maat_cmd_line line_rule[TEST_CMD_LINE_NUM];
const char* table_line[TEST_CMD_LINE_NUM]={
"101\t4\t192.168.30.99\t192.168.30.101\tSomething-like-json\t1",
"102\t4\t192.168.30.90\t192.168.30.128\tBigger-range-should-in-the-back\t1",
"103\t6\t2001:db8:1234::\t2001:db8:1235::\tBigger-range-should-in-the-back\t1",
"104\t6\t2001:db8:1234::1\t2001:db8:1234::5210\tSomething-like-json\t1"
};
table_id=Maat_table_register(feather, table_name);
ASSERT_GT(table_id, 0);
memset(&line_rule,0,sizeof(line_rule));
for(i=0;i<TEST_CMD_LINE_NUM;i++)
{
line_rule[i].label_id=0;
line_rule[i].rule_id=(int)Maat_cmd_incrby(feather,"TEST_PLUG_SEQ", 1);
line_rule[i].table_name=table_name;
line_rule[i].table_line=table_line[i];
line_rule[i].expire_after=0;
p_line[i]=line_rule+i;
}
ret=Maat_cmd_set_lines(feather, p_line,TEST_CMD_LINE_NUM, MAAT_OP_ADD);
EXPECT_GT(ret, 0);
sleep(WAIT_FOR_EFFECTIVE_SECOND);
ret=Maat_ip_plugin_EX_register(feather, table_id,
ip_plugin_EX_new_cb,
ip_plugin_EX_free_cb,
ip_plugin_EX_dup_cb,
0, &ip_plugin_ex_data_counter);
ASSERT_TRUE(ret>=0);
EXPECT_EQ(ip_plugin_ex_data_counter, 4);
struct ip_address ipv4, ipv6;
struct ip_plugin_ud* result[4];
ipv4.ip_type=4;
inet_pton(AF_INET, "192.168.30.100", &(ipv4.ipv4));
memset(&result, 0, sizeof(result));
ret=Maat_ip_plugin_get_EX_data(feather, table_id, &ipv4, (void**)result, 4);
ASSERT_EQ(ret, 2);
EXPECT_EQ(result[0]->rule_id, 101);
EXPECT_EQ(result[1]->rule_id, 102);
for(i=0; i<ret; i++)
{
ip_plugin_EX_free_cb(0, (void**)&(result[i]), 0, NULL);
}
ipv6.ip_type=6;
inet_pton(AF_INET6,"2001:db8:1234::5210",&(ipv6.ipv6));
memset(&result, 0, sizeof(result));
ret=Maat_ip_plugin_get_EX_data(feather, table_id, &ipv6, (void**)result, 4);
ASSERT_EQ(ret, 2);
EXPECT_EQ(result[0]->rule_id, 104);
EXPECT_EQ(result[1]->rule_id, 103);
for(i=0; i<ret; i++)
{
ip_plugin_EX_free_cb(0, (void**)&(result[i]), 0, NULL);
}
return;
}
#define FQDN_PLUGIN_EX_DATA
struct fqdn_plugin_ud
{
int rule_id;
int catid;
int ref_cnt;
};
void fqdn_plugin_EX_new_cb(int table_id, const char* key, const char* table_line, MAAT_PLUGIN_EX_DATA* ad, long argl, void *argp)
{
int *counter=(int *)argp, ret=0;
size_t column_offset=0, column_len=0;
struct fqdn_plugin_ud* ud=(struct fqdn_plugin_ud*)calloc(sizeof(struct fqdn_plugin_ud), 1);
ret=Maat_helper_read_column(table_line, 1, &column_offset, &column_len);
EXPECT_EQ(ret, 0);
ud->rule_id=atoi(table_line+column_offset);
ret=Maat_helper_read_column(table_line, 4, &column_offset, &column_len);
EXPECT_EQ(ret, 0);
sscanf(table_line+column_offset, "catid=%d",&ud->catid);
ud->ref_cnt=1;
*ad=ud;
(*counter)++;
return;
}
void fqdn_plugin_EX_free_cb(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, void *argp)
{
struct fqdn_plugin_ud* u=(struct fqdn_plugin_ud*)(*ad);
u->ref_cnt--;
if(u->ref_cnt>0) return;
free(u);
*ad=NULL;
}
void fqdn_plugin_EX_dup_cb(int table_id, MAAT_PLUGIN_EX_DATA *to, MAAT_PLUGIN_EX_DATA *from, long argl, void *argp)
{
struct fqdn_plugin_ud* u=(struct fqdn_plugin_ud*)(*from);
u->ref_cnt++;
*to=u;
}
TEST_F(MaatCMDPerfTest, UpdateFQDNPlugin)
{
#define FQDN_Plugin_EX_data
Maat_feather_t feather=MaatCMDPerfTest::_shared_feather;
int ret=0, i=0;
int table_id=0, fqdn_plugin_ex_data_counter=0;
const char* table_name="TEST_FQDN_PLUGIN_WITH_EXDATA";
const int TEST_CMD_LINE_NUM=5;
const struct Maat_cmd_line *p_line[TEST_CMD_LINE_NUM];
struct Maat_cmd_line line_rule[TEST_CMD_LINE_NUM];
const char* table_line[TEST_CMD_LINE_NUM]={
"201\t0\twww.example1.com\tcatid=1\t1",
"202\t1\t.example1.com\tcatid=1\t1",
"203\t0\tnews.example1.com\tcatid=2\t1",
"204\t0\tr3---sn-i3belne6.example2.com\tcatid=3\t1",
"205\t0\tr3---sn-i3belne6.example2.com\tcatid=3\t1"
};
table_id=Maat_table_register(feather, table_name);
ASSERT_GT(table_id, 0);
memset(&line_rule,0,sizeof(line_rule));
for(i=0;i<TEST_CMD_LINE_NUM;i++)
{
line_rule[i].label_id=0;
line_rule[i].rule_id=(int)Maat_cmd_incrby(feather,"TEST_PLUG_SEQ", 1);
line_rule[i].table_name=table_name;
line_rule[i].table_line=table_line[i];
line_rule[i].expire_after=0;
p_line[i]=line_rule+i;
}
ret=Maat_cmd_set_lines(feather, p_line,TEST_CMD_LINE_NUM, MAAT_OP_ADD);
EXPECT_GT(ret, 0);
sleep(WAIT_FOR_EFFECTIVE_SECOND);
ret=Maat_fqdn_plugin_EX_register(feather, table_id,
fqdn_plugin_EX_new_cb,
fqdn_plugin_EX_free_cb,
fqdn_plugin_EX_dup_cb,
0, &fqdn_plugin_ex_data_counter);
ASSERT_TRUE(ret>=0);
EXPECT_EQ(fqdn_plugin_ex_data_counter, 5);
struct fqdn_plugin_ud* result[4];
ret=Maat_fqdn_plugin_get_EX_data(feather, table_id, "r3---sn-i3belne6.example2.com", (void**)result, 4);
ASSERT_EQ(ret, 2);
for(i=0; i<ret; i++)
{
fqdn_plugin_EX_free_cb(0, (void**)&(result[i]), 0, NULL);
}
printf("ready to sleep\n");
sleep(300);
return;
}
int main(int argc, char ** argv) int main(int argc, char ** argv)
{ {
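Review bot: `sleep(300);` at the end of UpdateFQDNPlugin, right after `printf("ready to sleep\n");`, stalls the test binary for five minutes with no assertion after it. It looks like a debugging leftover; I would drop both lines, or gate the pause behind an environment variable if it is needed to inspect the process. In the same hunk, ip_plugin_EX_new_cb and fqdn_plugin_EX_new_cb dereference the `calloc` result without a NULL check. They also keep using `column_offset` and `column_len` after a failed `Maat_helper_read_column`, because `EXPECT_EQ(ret, 0)` is non-fatal. An early exit that frees `ud` when `ret!=0` would keep a malformed table line from being parsed at a stale offset.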


@@ -942,6 +942,24 @@ TEST(IPScan, IPv4_composition)
EXPECT_EQ(c177, 1); EXPECT_EQ(c177, 1);
EXPECT_EQ(c175, 2);//two paths for source IP hit and destination IP hit EXPECT_EQ(c175, 2);//two paths for source IP hit and destination IP hit
Maat_clean_status(&mid); Maat_clean_status(&mid);
//rule source IP 192.168.50.24, source port 1-40000
ipv4_addr_set(&ipv4_addr, &v4_addr, "192.168.50.24", 30000, "23.78.217.119", 443);
ret=Maat_scan_proto_addr(g_feather, table_id, &ipv4_addr, 6, result, 4, &mid, 0);
EXPECT_EQ(ret, 1);
EXPECT_EQ(result[0].config_id, 181);
Maat_clean_status(&mid);
ipv4_addr_set(&ipv4_addr, &v4_addr, "192.168.50.25", 30000, "23.78.217.119", 443);
ret=Maat_scan_proto_addr(g_feather, table_id, &ipv4_addr, 6, result, 4, &mid, 0);
EXPECT_EQ(ret, 0);//Rule source ip is 192.168.50.24, should not match
Maat_clean_status(&mid);
ipv4_addr_set(&ipv4_addr, &v4_addr, "192.168.50.24", 56486, "23.78.217.119", 443);
ret=Maat_scan_proto_addr(g_feather, table_id, &ipv4_addr, 6, result, 4, &mid, 0);
EXPECT_EQ(ret, 0);//Rule source port is 0-40000, should not match
Maat_clean_status(&mid);
return; return;
} }
@@ -3381,7 +3399,7 @@ TEST_F(MaatCmdTest, UpdateFQDNPlugin)
struct fqdn_plugin_ud* result[4]; struct fqdn_plugin_ud* result[4];
ret=Maat_fqdn_plugin_get_EX_data(g_feather, table_id, "r3---sn-i3belne6.example2.com", (void**)result, 4); ret=Maat_fqdn_plugin_get_EX_data(feather, table_id, "r3---sn-i3belne6.example2.com", (void**)result, 4);
ASSERT_EQ(ret, 2); ASSERT_EQ(ret, 2);
for(i=0; i<ret; i++) for(i=0; i<ret; i++)
{ {
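Review bot: The comment on the last new scan in IPv4_composition says `Rule source port is 0-40000`, but the fixture this commit adds for group IPv4-composition-source-only sets `src_port1` to "1", and the comment heading the new block says 1-40000. It should read `//Rule source port is 1-40000, should not match`. The three new scans use source ports 30000 and 56486 only, so they cover the inside of the range and the side above it but never the lower bound the commit title is about. A change in how the range start is handled would still pass. Adding one scan at source port 1 and one at source port 0, each with the result the engine is meant to return, would pin that boundary. The test body begins outside the hunk.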