gfwleak/tango-tfe
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

TFE适配MAAT4,编译表只注册一次

Browse Source
This commit is contained in:
luwenpeng
2023-04-23 16:35:42 +08:00
parent 97a4386bc4
commit 2138d7f13e
12 changed files with 411 additions and 368 deletions
Download Patch File Download Diff File Expand all files Collapse all files

215
plugin/business/ssl-policy/src/ssl_policy.cpp
View File

@@ -10,18 +10,9 @@
struct ssl_policy_enforcer
{
struct maat *maat;
int policy_table_id;
int profile_table_id;
void* logger;
};
struct intercept_param
{
uint64_t policy_id;
int ref_cnt;
int keyring_for_trusted;
int keyring_for_untrusted;
int decryption_profile_id;
};
struct decryption_param
{
@@ -43,147 +34,6 @@ struct decryption_param
int mirror_client_version;
};
void intercept_param_dup_cb(int table_id, void **to, void **from, long argl, void* argp)
{
struct intercept_param* param= (struct intercept_param*) *from;
if(param)
{
__sync_add_and_fetch(&(param->ref_cnt), 1);
*to = param;
}
else
{
*to=NULL;
}
return;
}
void intercept_param_new_cb(const char *table_name, int table_id, const char* key, const char* table_line, void **ad, long argl, void* argp)
{
int ret=0;
size_t intercept_user_region_offset=0, len=0;
char* json_str=NULL;
cJSON *json=NULL, *item=NULL;
struct intercept_param* param=NULL;
struct ssl_policy_enforcer* enforcer=(struct ssl_policy_enforcer*)argp;
ret=maat_helper_read_column(table_line, 7, &intercept_user_region_offset, &len);
if(ret<0)
{
TFE_LOG_ERROR(enforcer->logger, "Get intercept user region: %s", table_line);
return;
}
json_str=ALLOC(char, len+1);
memcpy(json_str, table_line+intercept_user_region_offset, len);
json=cJSON_Parse(json_str);
if(json==NULL)
{
TFE_LOG_ERROR(enforcer->logger, "Invalid intercept parameter: id = %s", key);
goto error_out;
}
item=cJSON_GetObjectItem(json, "protocol");
if(unlikely(!item || !cJSON_IsString(item)))
{
TFE_LOG_ERROR(enforcer->logger, "Invalid intercept parameter: %s invalid protocol format", key);
goto error_out;
}
if(0!=strcasecmp(item->valuestring, "SSL")&& 0!=strcasecmp(item->valuestring, "HTTP"))
{
goto error_out;
}
param=ALLOC(struct intercept_param, 1);
param->policy_id=atoll(key);
param->ref_cnt=1;
/*
param->bypass_mutual_auth=1;
param->bypass_pinning=1;
param->mirror_client_version=1;
*/
param->keyring_for_trusted=1;
param->keyring_for_untrusted=0;
param->decryption_profile_id=0;
item=cJSON_GetObjectItem(json, "keyring_for_trusted");
if(item)
{
if(item->type==cJSON_Number)
{
param->keyring_for_trusted=item->valueint;
}
else if(item->type==cJSON_String)
{
param->keyring_for_trusted=atoi(item->valuestring);
}
else
{
TFE_LOG_ERROR(enforcer->logger, "Invalid intercept parameter: %lu invalid keyring_for_trusted format", param->policy_id);
}
}
item=cJSON_GetObjectItem(json, "keyring_for_untrusted");
if(item)
{
if(item->type==cJSON_Number)
{
param->keyring_for_untrusted=item->valueint;
}
else if(item->type==cJSON_String)
{
param->keyring_for_untrusted=atoi(item->valuestring);
}
else
{
TFE_LOG_ERROR(enforcer->logger, "Invalid intercept parameter: %lu invalid keyring_for_untrusted format", param->policy_id);
}
}
item=cJSON_GetObjectItem(json, "decryption");
if(item)
{
if(item->type==cJSON_Number)
{
param->decryption_profile_id=item->valueint;
}
else if(item->type==cJSON_String)
{
param->decryption_profile_id=atoi(item->valuestring);
}
else
{
TFE_LOG_ERROR(enforcer->logger, "Invalid intercept parameter: %lu invalid decryption format", param->policy_id);
}
}
*ad=param;
TFE_LOG_INFO(enforcer->logger, "Add intercept policy: %lu", param->policy_id);
error_out:
cJSON_Delete(json);
free(json_str);
return;
}
void intercept_param_free_cb(int table_id, void **ad, long argl, void* argp)
{
struct ssl_policy_enforcer* enforcer=(struct ssl_policy_enforcer*)argp;
struct intercept_param* param= (struct intercept_param*) *ad;
if(param==NULL)
{
return;
}
if ((__sync_sub_and_fetch(&param->ref_cnt, 1) == 0))
{
TFE_LOG_INFO(enforcer->logger, "Del intercept policy %lu", param->policy_id);
free(param);
*ad=NULL;
}
}
void intercept_param_free(struct intercept_param* param)
{
intercept_param_free_cb(0, (void**)&param, 0, NULL);
return;
}
void profile_param_dup_cb(int table_id, void **to, void **from, long argl, void* argp)
{
struct decryption_param* param= (struct decryption_param*) *from;
@@ -319,21 +169,12 @@ error_out:
}
struct ssl_policy_enforcer* ssl_policy_enforcer_create(void* logger)
{
UNUSED int ret=0;
struct ssl_policy_enforcer* enforcer=ALLOC(struct ssl_policy_enforcer, 1);
enforcer->maat=(struct maat*)tfe_bussiness_resouce_get(STATIC_MAAT);;
enforcer->logger=logger;
enforcer->policy_table_id=maat_get_table_id(enforcer->maat, "TSG_SECURITY_COMPILE");
assert(enforcer->policy_table_id >= 0);
enforcer->profile_table_id=maat_get_table_id(enforcer->maat, "PXY_PROFILE_DECRYPTION");
assert(enforcer->profile_table_id >= 0);
UNUSED int ret=maat_plugin_table_ex_schema_register(enforcer->maat,
"TSG_SECURITY_COMPILE",
intercept_param_new_cb,
intercept_param_free_cb,
intercept_param_dup_cb,
0,
enforcer);
assert(ret==0);
ret=maat_plugin_table_ex_schema_register(enforcer->maat,
"PXY_PROFILE_DECRYPTION",
profile_param_new_cb,
@@ -347,32 +188,24 @@ struct ssl_policy_enforcer* ssl_policy_enforcer_create(void* logger)
enum ssl_stream_action ssl_policy_enforce(struct ssl_stream *upstream, void* u_para)
{
UNUSED struct ssl_policy_enforcer* enforcer=(struct ssl_policy_enforcer*)u_para;
struct intercept_param *policy_param=NULL;
struct decryption_param *profile_param=NULL;
enum ssl_stream_action action=SSL_ACTION_PASSTHROUGH;
UNUSED int ret=0;
uint64_t policy_id=0;
char policy_id_str[16]={0};
char sni[512];
char addr_string[512];
char profile_id_str[16]={0};
char sni[512], addr_string[512];
policy_id = ssl_stream_get_policy_id(upstream);
snprintf(policy_id_str, sizeof(policy_id_str), "%lu", policy_id);
policy_param=(struct intercept_param *)maat_plugin_table_get_ex_data(enforcer->maat, enforcer->policy_table_id, policy_id_str);
if(policy_param==NULL)
{
TFE_LOG_INFO(enforcer->logger, "Failed to get intercept parameter of policy %lu.", policy_id);
ssl_stream_set_cmsg_string(upstream, TFE_CMSG_SSL_PASSTHROUGH_REASON, "Invalid Intercept Param");
return SSL_ACTION_PASSTHROUGH;
}
else
{
ssl_stream_get_string_opt(upstream, SSL_STREAM_OPT_SNI, sni, sizeof(sni));
ssl_stream_get_string_opt(upstream, SSL_STREAM_OPT_ADDR, addr_string, sizeof(addr_string));
TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy %lu", addr_string, sni, policy_id);
}
snprintf(profile_id_str, sizeof(profile_id_str), "%u", policy_param->decryption_profile_id);
profile_param=(struct decryption_param *)maat_plugin_table_get_ex_data(enforcer->maat, enforcer->profile_table_id, profile_id_str);
uint64_t policy_id = ssl_stream_get_policy_id(upstream);
int decryption_profile_id = ssl_stream_get_decrypted_profile_id(upstream);
int keyring_for_trusted = ssl_stream_get_trusted_keyring_profile_id(upstream);
int keyring_for_untrusted = ssl_stream_get_untrusted_keyring_profile_id(upstream);
ssl_stream_get_string_opt(upstream, SSL_STREAM_OPT_SNI, sni, sizeof(sni));
ssl_stream_get_string_opt(upstream, SSL_STREAM_OPT_ADDR, addr_string, sizeof(addr_string));
TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy %lu", addr_string, sni, policy_id);
snprintf(profile_id_str, sizeof(profile_id_str), "%u", decryption_profile_id);
struct decryption_param *profile_param=(struct decryption_param *)maat_plugin_table_get_ex_data(enforcer->maat, enforcer->profile_table_id, profile_id_str);
if (profile_param==NULL)
{
TFE_LOG_INFO(enforcer->logger, "Failed to get decryption parameter of profile %s.", profile_id_str);
@@ -397,8 +230,8 @@ enum ssl_stream_action ssl_policy_enforce(struct ssl_stream *upstream, void* u_p
{
ret=ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_BLOCK_FAKE_CERT, 1);
}
ret=ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_KEYRING_FOR_TRUSTED, policy_param->keyring_for_trusted);
ret=ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_KEYRING_FOR_UNTRUSTED, policy_param->keyring_for_untrusted);
ret=ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_KEYRING_FOR_TRUSTED, keyring_for_trusted);
ret=ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_KEYRING_FOR_UNTRUSTED, keyring_for_untrusted);
ret=ssl_stream_get_integer_opt(upstream, SSL_STREAM_OPT_PINNING_STATUS, &pinning_staus);
assert(ret==0);
@@ -415,46 +248,44 @@ enum ssl_stream_action ssl_policy_enforce(struct ssl_stream *upstream, void* u_p
{
action = SSL_ACTION_PASSTHROUGH;
ssl_stream_set_cmsg_string(upstream, TFE_CMSG_SSL_PASSTHROUGH_REASON, "Certificate Not Installed");
TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %lu, action PASSTHROUGH due to Certificate Not Installed", addr_string, sni, policy_param->policy_id);
TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %lu, action PASSTHROUGH due to Certificate Not Installed", addr_string, sni, policy_id);
}
else if ((pinning_staus == 1 || ja3_pinning_status == JA3_PINNING_STATUS_IS_PINNING) && ja3_pinning_status != JA3_PINNING_STATUS_NOT_PINNING && profile_param->bypass_pinning)
{
action = SSL_ACTION_PASSTHROUGH;
ssl_stream_set_cmsg_string(upstream, TFE_CMSG_SSL_PASSTHROUGH_REASON, "Certificate Pinning");
TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %lu, action PASSTHROUGH due to Certificate Pinning", addr_string, sni, policy_param->policy_id);
TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %lu, action PASSTHROUGH due to Certificate Pinning", addr_string, sni, policy_id);
}
else if (is_mauth && profile_param->bypass_mutual_auth)
{
action = SSL_ACTION_PASSTHROUGH;
ssl_stream_set_cmsg_string(upstream, TFE_CMSG_SSL_PASSTHROUGH_REASON, "Mutual Authentication");
TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %lu, action PASSTHROUGH due to Mutual Authentication", addr_string, sni, policy_param->policy_id);
TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %lu, action PASSTHROUGH due to Mutual Authentication", addr_string, sni, policy_id);
}
else if (is_ev && profile_param->bypass_ev_cert)
{
action = SSL_ACTION_PASSTHROUGH;
ssl_stream_set_cmsg_string(upstream, TFE_CMSG_SSL_PASSTHROUGH_REASON, "EV Certificate");
TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %lu, action PASSTHROUGH due to EV Certificate", addr_string, sni, policy_param->policy_id);
TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %lu, action PASSTHROUGH due to EV Certificate", addr_string, sni, policy_id);
}
else if (is_ct && profile_param->bypass_ct_cert)
{
action = SSL_ACTION_PASSTHROUGH;
ssl_stream_set_cmsg_string(upstream, TFE_CMSG_SSL_PASSTHROUGH_REASON, "Certificate Transparency");
TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %lu, action PASSTHROUGH due to Certificate Transparency", addr_string, sni, policy_param->policy_id);
TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %lu, action PASSTHROUGH due to Certificate Transparency", addr_string, sni, policy_id);
}
else if (has_error && profile_param->bypass_protocol_errors)
{
action = SSL_ACTION_PASSTHROUGH;
ssl_stream_set_cmsg_string(upstream, TFE_CMSG_SSL_PASSTHROUGH_REASON, "Protocol Errors");
TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %lu, action PASSTHROUGH due to Protocol Errors", addr_string, sni, policy_param->policy_id);
TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %lu, action PASSTHROUGH due to Protocol Errors", addr_string, sni, policy_id);
}
else
{
action = SSL_ACTION_INTERCEPT;
}
intercept_param_free(policy_param);
profile_param_free(profile_param);
policy_param=NULL;
profile_param=NULL;
return action;
}

216
plugin/business/tcp-policy/src/tcp_policy.cpp
View File

@@ -1,7 +1,6 @@
#include <assert.h>
#include <tfe_cmsg.h>
#include <tfe_utils.h>
#include <tfe_stream.h>
#include <tfe_resource.h>
#include <cjson/cJSON.h>
#include <MESA/maat.h>
@@ -11,8 +10,7 @@
struct tcp_policy_enforcer
{
struct maat *maat;
int policy_table_id;
int profile_table_id;
int table_id;
void *logger;
};
@@ -39,100 +37,6 @@ struct tcp_profile_param
struct side_conn_param server_side;
};
struct intercept_param
{
uint64_t rule_id;
int ref_cnt;
int tcp_option_profile;
};
static void intercept_param_new_cb(const char *table_name, int table_id, const char *key, const char *table_line, void **ad, long argl, void *argp)
{
size_t offset = 0;
size_t len = 0;
char *json_str = NULL;
cJSON *json = NULL;
cJSON *item = NULL;
struct intercept_param *policy_param = NULL;
struct tcp_policy_enforcer *enforcer = (struct tcp_policy_enforcer *)argp;
if (maat_helper_read_column(table_line, 7, &offset, &len) < 0)
{
TFE_LOG_ERROR(enforcer->logger, "Invalid intercept user region: %s", table_line);
goto error_out;
}
json_str = ALLOC(char, len + 1);
memcpy(json_str, table_line + offset, len);
json = cJSON_Parse(json_str);
if (json == NULL)
{
TFE_LOG_ERROR(enforcer->logger, "Invalid intercept parameter: id = %s", key);
goto error_out;
}
item = cJSON_GetObjectItem(json, "tcp_option_profile");
if (item == NULL || item->type != cJSON_Number)
{
TFE_LOG_ERROR(enforcer->logger, "Invalid intercept parameter: %s invalid tcp_option_profile format", key);
goto error_out;
}
policy_param = ALLOC(struct intercept_param, 1);
policy_param->rule_id = atoll(key);
policy_param->ref_cnt = 1;
policy_param->tcp_option_profile = item->valueint;
*ad = policy_param;
TFE_LOG_INFO(enforcer->logger, "Add intercept policy: %lu", policy_param->rule_id);
error_out:
if (json)
{
cJSON_Delete(json);
}
if (json_str)
{
free(json_str);
}
}
static void intercept_param_free_cb(int table_id, void **ad, long argl, void *argp)
{
struct tcp_policy_enforcer *enforcer = (struct tcp_policy_enforcer *)argp;
struct intercept_param *policy_param = (struct intercept_param *)*ad;
if (policy_param == NULL)
{
return;
}
if ((__sync_sub_and_fetch(&policy_param->ref_cnt, 1) == 0))
{
TFE_LOG_INFO(enforcer->logger, "Del intercept policy %lu", policy_param->rule_id);
free(policy_param);
*ad = NULL;
}
}
static void intercept_param_free(struct intercept_param *policy_param)
{
intercept_param_free_cb(0, (void **)&policy_param, 0, NULL);
}
static void intercept_param_dup_cb(int table_id, void **to, void **from, long argl, void *argp)
{
struct intercept_param *policy_param = (struct intercept_param *)*from;
if (policy_param)
{
__sync_add_and_fetch(&(policy_param->ref_cnt), 1);
*to = policy_param;
}
else
{
*to = NULL;
}
}
static int parser_side_conn_param(const char *json_str, struct side_conn_param *out_val, void *logger)
{
cJSON *json = NULL;
@@ -217,7 +121,7 @@ static void profile_param_new_cb(const char *table_name, int table_id, const cha
char client_side_conn_param[512] = {0};
char server_side_conn_param[512] = {0};
int is_valid = 0;
struct tcp_profile_param *profile_param = NULL;
struct tcp_profile_param *param = NULL;
struct tcp_policy_enforcer *enforcer = (struct tcp_policy_enforcer *)argp;
ret = sscanf(table_line, "%d\t%d\t%d\t%s\t%s\t%d", &profile_id, &tcp_passthrough, &bypass_duplicated_packet, client_side_conn_param, server_side_conn_param, &is_valid);
@@ -227,60 +131,54 @@ static void profile_param_new_cb(const char *table_name, int table_id, const cha
goto error_out;
}
profile_param = ALLOC(struct tcp_profile_param, 1);
profile_param->ref_cnt = 1;
profile_param->tcp_passthrough = tcp_passthrough;
profile_param->bypass_duplicated_packet = bypass_duplicated_packet;
param = ALLOC(struct tcp_profile_param, 1);
param->ref_cnt = 1;
param->tcp_passthrough = tcp_passthrough;
param->bypass_duplicated_packet = bypass_duplicated_packet;
if (parser_side_conn_param(client_side_conn_param, &profile_param->client_side, enforcer->logger) == -1)
if (parser_side_conn_param(client_side_conn_param, &param->client_side, enforcer->logger) == -1)
{
goto error_out;
}
if (parser_side_conn_param(server_side_conn_param, &profile_param->server_side, enforcer->logger) == -1)
if (parser_side_conn_param(server_side_conn_param, &param->server_side, enforcer->logger) == -1)
{
goto error_out;
}
*ad = profile_param;
*ad = param;
TFE_LOG_INFO(enforcer->logger, "Add tcp option profile: %s", key);
return;
error_out:
if (profile_param)
if (param)
{
free(profile_param);
free(param);
}
return;
}
static void profile_param_free_cb(int table_id, void **ad, long argl, void *argp)
{
struct tcp_profile_param *profile_param = (struct tcp_profile_param *)*ad;
if (profile_param == NULL)
struct tcp_profile_param *param = (struct tcp_profile_param *)*ad;
if (param == NULL)
{
return;
}
if ((__sync_sub_and_fetch(&profile_param->ref_cnt, 1) == 0))
if ((__sync_sub_and_fetch(&param->ref_cnt, 1) == 0))
{
free(profile_param);
free(param);
*ad = NULL;
}
}
static void profile_param_free(struct tcp_profile_param *profile_param)
{
profile_param_free_cb(0, (void **)&profile_param, 0, NULL);
}
static void profile_param_dup_cb(int table_id, void **to, void **from, long argl, void *argp)
{
struct tcp_profile_param *profile_param = (struct tcp_profile_param *)*from;
if (profile_param)
struct tcp_profile_param *param = (struct tcp_profile_param *)*from;
if (param)
{
__sync_add_and_fetch(&(profile_param->ref_cnt), 1);
*to = profile_param;
__sync_add_and_fetch(&(param->ref_cnt), 1);
*to = param;
}
else
{
@@ -288,35 +186,24 @@ static void profile_param_dup_cb(int table_id, void **to, void **from, long argl
}
}
static void profile_param_free(struct tcp_profile_param *param)
{
profile_param_free_cb(0, (void **)&param, 0, NULL);
}
struct tcp_policy_enforcer *tcp_policy_enforcer_create(void *logger)
{
int ret = 0;
struct tcp_policy_enforcer *enforcer = ALLOC(struct tcp_policy_enforcer, 1);
enforcer->maat = (struct maat *)tfe_bussiness_resouce_get(STATIC_MAAT);
enforcer->logger = logger;
enforcer->policy_table_id = maat_get_table_id(enforcer->maat, "TSG_SECURITY_COMPILE");
if (enforcer->policy_table_id < 0)
enforcer->table_id = maat_get_table_id(enforcer->maat, "PXY_PROFILE_TCP_OPTION");
if (enforcer->table_id < 0)
{
TFE_LOG_ERROR(enforcer->logger, "failed at register table of TSG_SECURITY_COMPILE, ret = %d", enforcer->policy_table_id);
goto error_out;
}
enforcer->profile_table_id = maat_get_table_id(enforcer->maat, "PXY_PROFILE_TCP_OPTION");
if (enforcer->profile_table_id < 0)
{
TFE_LOG_ERROR(enforcer->logger, "failed at register table of PXY_PROFILE_TCP_OPTION, ret = %d", enforcer->profile_table_id);
TFE_LOG_ERROR(enforcer->logger, "failed at register table of PXY_PROFILE_TCP_OPTION, ret = %d", enforcer->table_id);
goto error_out;
}
ret = maat_plugin_table_ex_schema_register(enforcer->maat, "TSG_SECURITY_COMPILE",
intercept_param_new_cb,
intercept_param_free_cb,
intercept_param_dup_cb,
0, enforcer);
if (ret < 0)
{
TFE_LOG_ERROR(enforcer->logger, "failed at register callback of TSG_SECURITY_COMPILE, ret = %d", ret);
goto error_out;
}
ret = maat_plugin_table_ex_schema_register(enforcer->maat, "PXY_PROFILE_TCP_OPTION",
profile_param_new_cb,
profile_param_free_cb,
@@ -343,31 +230,33 @@ void tcp_policy_enforcer_destory(struct tcp_policy_enforcer *enforcer)
}
}
void tcp_policy_enforce(struct tcp_policy_enforcer *enforcer, struct tfe_cmsg *cmsg, uint64_t rule_id)
// return 0 : success
// return -1 : error (need passthrough)
int tcp_policy_enforce(struct tcp_policy_enforcer *tcp_enforcer, struct tfe_cmsg *cmsg)
{
char rule_id_str[16] = {0};
char profile_id_str[16] = {0};
int ret = 0;
int profile_id = 0;
uint16_t size = 0;
char buffer[16] = {0};
snprintf(rule_id_str, sizeof(rule_id_str), "%lu", rule_id);
struct intercept_param *policy_param = (struct intercept_param *)maat_plugin_table_get_ex_data(enforcer->maat, enforcer->policy_table_id, rule_id_str);
if (policy_param == NULL)
ret = tfe_cmsg_get_value(cmsg, TFE_CMSG_TCP_OPTION_PROFILE_ID, (unsigned char *)&profile_id, sizeof(profile_id), &size);
if (ret < 0)
{
TFE_LOG_INFO(enforcer->logger, "Failed to get intercept parameter of policy %lu.", rule_id);
return;
TFE_LOG_ERROR(g_default_logger, "Failed at fetch tcp_option_profile from cmsg: %s", strerror(-ret));
return -1;
}
snprintf(profile_id_str, sizeof(profile_id_str), "%d", policy_param->tcp_option_profile);
struct tcp_profile_param *profile_param = (struct tcp_profile_param *)maat_plugin_table_get_ex_data(enforcer->maat, enforcer->profile_table_id, profile_id_str);
if (profile_param == NULL)
snprintf(buffer, sizeof(buffer), "%d", profile_id);
struct tcp_profile_param *param = (struct tcp_profile_param *)maat_plugin_table_get_ex_data(tcp_enforcer->maat, tcp_enforcer->table_id, buffer);
if (param == NULL)
{
TFE_LOG_INFO(enforcer->logger, "Failed to get tcp option parameter of profile %lu.", rule_id);
intercept_param_free(policy_param);
return;
TFE_LOG_INFO(tcp_enforcer->logger, "Failed to get tcp option parameter of profile %d.", profile_id);
return -1;
}
tfe_cmsg_set(cmsg, TFE_CMSG_TCP_PASSTHROUGH, (unsigned char *)&profile_param->tcp_passthrough, sizeof(profile_param->tcp_passthrough));
tfe_cmsg_set(cmsg, TFE_CMSG_TCP_PASSTHROUGH, (unsigned char *)&param->tcp_passthrough, sizeof(param->tcp_passthrough));
struct side_conn_param *client_side = &profile_param->client_side;
struct side_conn_param *client_side = &param->client_side;
tfe_cmsg_set(cmsg, TFE_CMSG_DOWNSTREAM_TCP_MSS_ENABLE, (unsigned char *)&client_side->maxseg_enable, sizeof(client_side->maxseg_enable));
tfe_cmsg_set(cmsg, TFE_CMSG_DOWNSTREAM_TCP_MSS_VALUE, (unsigned char *)&client_side->maxseg_vaule, sizeof(client_side->maxseg_vaule));
tfe_cmsg_set(cmsg, TFE_CMSG_DOWNSTREAM_TCP_NODELAY, (unsigned char *)&client_side->nodelay, sizeof(client_side->nodelay));
@@ -378,7 +267,7 @@ void tcp_policy_enforce(struct tcp_policy_enforcer *enforcer, struct tfe_cmsg *c
tfe_cmsg_set(cmsg, TFE_CMSG_DOWNSTREAM_TCP_KEEPINTVL, (unsigned char *)&client_side->keepidle, sizeof(client_side->keepintvl));
tfe_cmsg_set(cmsg, TFE_CMSG_DOWNSTREAM_TCP_USER_TIMEOUT, (unsigned char *)&client_side->user_timeout, sizeof(client_side->user_timeout));
struct side_conn_param *server_side = &profile_param->server_side;
struct side_conn_param *server_side = &param->server_side;
tfe_cmsg_set(cmsg, TFE_CMSG_UPSTREAM_TCP_MSS_ENABLE, (unsigned char *)&server_side->maxseg_enable, sizeof(server_side->maxseg_enable));
tfe_cmsg_set(cmsg, TFE_CMSG_UPSTREAM_TCP_MSS_VALUE, (unsigned char *)&server_side->maxseg_vaule, sizeof(server_side->maxseg_vaule));
tfe_cmsg_set(cmsg, TFE_CMSG_UPSTREAM_TCP_NODELAY, (unsigned char *)&server_side->nodelay, sizeof(server_side->nodelay));
@@ -389,12 +278,13 @@ void tcp_policy_enforce(struct tcp_policy_enforcer *enforcer, struct tfe_cmsg *c
tfe_cmsg_set(cmsg, TFE_CMSG_UPSTREAM_TCP_KEEPINTVL, (unsigned char *)&server_side->keepintvl, sizeof(server_side->keepintvl));
tfe_cmsg_set(cmsg, TFE_CMSG_UPSTREAM_TCP_USER_TIMEOUT, (unsigned char *)&server_side->user_timeout, sizeof(server_side->user_timeout));
TFE_LOG_INFO(enforcer->logger, "hit rule_id %lu tcp_option_profile %d tcp_passthrough %d "
"client_side={maxseg_enable:%d, maxseg_vaule:%d, nodelay:%d, ttl:%d, keepalive:%d, keepcnt:%d, keepidle:%d, keepintvl:%d, user_timeout:%d} "
"server_side={maxseg_enable:%d, maxseg_vaule:%d, nodelay:%d, ttl:%d, keepalive:%d, keepcnt:%d, keepidle:%d, keepintvl:%d, user_timeout:%d} ",
rule_id, policy_param->tcp_option_profile, profile_param->tcp_passthrough,
TFE_LOG_INFO(tcp_enforcer->logger, "hit tcp_option_profile %d tcp_passthrough %d "
"client_side={maxseg_enable:%d, maxseg_vaule:%d, nodelay:%d, ttl:%d, keepalive:%d, keepcnt:%d, keepidle:%d, keepintvl:%d, user_timeout:%d} "
"server_side={maxseg_enable:%d, maxseg_vaule:%d, nodelay:%d, ttl:%d, keepalive:%d, keepcnt:%d, keepidle:%d, keepintvl:%d, user_timeout:%d} ",
profile_id, param->tcp_passthrough,
client_side->maxseg_enable, client_side->maxseg_vaule, client_side->nodelay, client_side->ttl, client_side->keepalive, client_side->keepcnt, client_side->keepidle, client_side->keepidle, client_side->user_timeout,
server_side->maxseg_enable, server_side->maxseg_vaule, server_side->nodelay, server_side->ttl, server_side->keepalive, server_side->keepcnt, server_side->keepidle, server_side->keepidle, server_side->user_timeout);
profile_param_free(profile_param);
intercept_param_free(policy_param);
profile_param_free(param);
return 0;
}

5
plugin/business/tcp-policy/src/tcp_policy.h
View File

@@ -1,8 +1,9 @@
#pragma once
#include <tfe_cmsg.h>
#include <MESA/maat.h>
struct tcp_policy_enforcer;
struct tcp_policy_enforcer *tcp_policy_enforcer_create(void *logger);
void tcp_policy_enforcer_destory(struct tcp_policy_enforcer *enforcer);
void tcp_policy_enforce(struct tcp_policy_enforcer *enforcer, struct tfe_cmsg *cmsg, uint64_t rule_id);
// return 0 : success
// return -1 : error (need passthrough)
int tcp_policy_enforce(struct tcp_policy_enforcer *tcp_enforcer, struct tfe_cmsg *cmsg);