TSG-6332 日志字段增加common_service_category
TSG-6438 策略优先级修复
This commit is contained in:
fengweihao
@@ -945,6 +945,8 @@ struct pangu_http_ctx
|
|||||||
int magic_num;
|
int magic_num;
|
||||||
enum pangu_action action;
|
enum pangu_action action;
|
||||||
char * action_para;
|
char * action_para;
|
||||||
|
int hit_cnt;
|
||||||
|
struct Maat_rule_t result[MAX_SCAN_RESULT];
|
||||||
scan_status_t scan_mid;
|
scan_status_t scan_mid;
|
||||||
stream_para_t sp;
|
stream_para_t sp;
|
||||||
struct cache_mid* cmid;
|
struct cache_mid* cmid;
|
||||||
@@ -1931,10 +1933,10 @@ enum pangu_action http_scan(const struct tfe_http_session * session, enum tfe_ht
|
|||||||
const char * field_val = NULL;
|
const char * field_val = NULL;
|
||||||
struct http_field_name field_name;
|
struct http_field_name field_name;
|
||||||
struct tfe_http_half * http_half;
|
struct tfe_http_half * http_half;
|
||||||
struct Maat_rule_t result[MAX_SCAN_RESULT];
|
struct Maat_rule_t *result = ctx->result;
|
||||||
char buff[TFE_STRING_MAX], * p = NULL;
|
char buff[TFE_STRING_MAX], * p = NULL;
|
||||||
int scan_ret = 0, table_id = 0;
|
int scan_ret = 0, table_id = 0;
|
||||||
size_t hit_cnt = 0, i = 0;
|
size_t hit_cnt = ctx->hit_cnt, i = 0;
|
||||||
|
|
||||||
if (events & EV_HTTP_REQ_HDR)
|
if (events & EV_HTTP_REQ_HDR)
|
||||||
{
|
{
|
||||||
@@ -1943,7 +1945,7 @@ enum pangu_action http_scan(const struct tfe_http_session * session, enum tfe_ht
|
|||||||
{
|
{
|
||||||
int str_host_length = (int) (strlen(session->req->req_spec.host));
|
int str_host_length = (int) (strlen(session->req->req_spec.host));
|
||||||
scan_ret = Maat_full_scan_string(g_pangu_rt->maat, g_pangu_rt->scan_table_id[PXY_CTRL_HTTP_FQDN],
|
scan_ret = Maat_full_scan_string(g_pangu_rt->maat, g_pangu_rt->scan_table_id[PXY_CTRL_HTTP_FQDN],
|
||||||
CHARSET_UTF8, str_host, str_host_length, result, NULL, MAX_SCAN_RESULT, &(ctx->scan_mid), ctx->thread_id);
|
CHARSET_UTF8, str_host, str_host_length, result + hit_cnt, NULL, MAX_SCAN_RESULT - hit_cnt, &(ctx->scan_mid), ctx->thread_id);
|
||||||
if (scan_ret > 0)
|
if (scan_ret > 0)
|
||||||
{
|
{
|
||||||
hit_cnt += scan_ret;
|
hit_cnt += scan_ret;
|
||||||
@@ -2338,7 +2340,6 @@ void cache_write(const struct tfe_http_session * session, enum tfe_http_event ev
|
|||||||
{
|
{
|
||||||
ctx->cache_wirte_result=web_cache_write_end(ctx->cache_write_ctx);
|
ctx->cache_wirte_result=web_cache_write_end(ctx->cache_write_ctx);
|
||||||
ctx->cache_write_ctx=NULL;
|
ctx->cache_write_ctx=NULL;
|
||||||
//printf("cache update success: %s\n", ctx->ref_session->req->req_spec.url);
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -2351,12 +2352,12 @@ void pangu_on_http_begin(const struct tfe_stream * stream,
|
|||||||
}
|
}
|
||||||
|
|
||||||
struct pangu_http_ctx * ctx = *(struct pangu_http_ctx **) pme;
|
struct pangu_http_ctx * ctx = *(struct pangu_http_ctx **) pme;
|
||||||
struct Maat_rule_t result[MAX_SCAN_RESULT];
|
|
||||||
struct ipaddr sapp_addr;
|
struct ipaddr sapp_addr;
|
||||||
int hit_cnt = 0, scan_ret=0;
|
int hit_cnt = 0, scan_ret=0;
|
||||||
assert(ctx == NULL);
|
assert(ctx == NULL);
|
||||||
ATOMIC_INC(&(g_pangu_rt->stat_val[STAT_SESSION]));
|
ATOMIC_INC(&(g_pangu_rt->stat_val[STAT_SESSION]));
|
||||||
ctx = pangu_http_ctx_new(thread_id);
|
ctx = pangu_http_ctx_new(thread_id);
|
||||||
|
struct Maat_rule_t *result = ctx->result;
|
||||||
|
|
||||||
scan_ret = tfe_scan_subscribe_id(stream, result, &(ctx->scan_mid), hit_cnt, ctx->thread_id, g_pangu_rt->local_logger);
|
scan_ret = tfe_scan_subscribe_id(stream, result, &(ctx->scan_mid), hit_cnt, ctx->thread_id, g_pangu_rt->local_logger);
|
||||||
if(scan_ret>0)
|
if(scan_ret>0)
|
||||||
@@ -2388,16 +2389,10 @@ void pangu_on_http_begin(const struct tfe_stream * stream,
|
|||||||
{
|
{
|
||||||
hit_cnt+=scan_ret;
|
hit_cnt+=scan_ret;
|
||||||
}
|
}
|
||||||
if (hit_cnt > 0)
|
|
||||||
|
if(hit_cnt > 0)
|
||||||
{
|
{
|
||||||
ctx->action = decide_ctrl_action(result, hit_cnt, &ctx->enforce_rules, &ctx->n_enforce, &ctx->param);
|
ctx->hit_cnt = hit_cnt;
|
||||||
}
|
|
||||||
if (ctx->action == PG_ACTION_WHITELIST)
|
|
||||||
{
|
|
||||||
ATOMIC_INC(&(g_pangu_rt->stat_val[STAT_ACTION_WHITELSIT]));
|
|
||||||
TFE_LOG_INFO(g_pangu_rt->local_logger, "Bypass rules matched on http begin: url=%s policy id=%d.",
|
|
||||||
session->req->req_spec.url, ctx->enforce_rules[0].config_id);
|
|
||||||
tfe_http_session_detach(session);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
*pme = ctx;
|
*pme = ctx;
|
||||||
|
|||||||
@@ -81,6 +81,34 @@ error_out:
|
|||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static int pangu_log_get_fqdn_cat(struct tfe_cmsg *cmsg, char *fqdn_cat_buff)
|
||||||
|
{
|
||||||
|
int ret=0;
|
||||||
|
unsigned int i=0, category_id_num=0;
|
||||||
|
uint16_t opt_out_size;
|
||||||
|
unsigned int category_id_val[TFE_SYMBOL_MAX]={0};
|
||||||
|
|
||||||
|
char *p = fqdn_cat_buff;
|
||||||
|
|
||||||
|
ret = tfe_cmsg_get_value(cmsg, TFE_CMSG_FQDN_CAT_ID_NUM, (unsigned char *)&category_id_num, sizeof(category_id_num), &opt_out_size);
|
||||||
|
if (ret != 0 || category_id_num == 0)
|
||||||
|
{
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
ret = tfe_cmsg_get_value(cmsg, TFE_CMSG_FQDN_CAT_ID_VAL, (unsigned char *)category_id_val, sizeof(category_id_val), &opt_out_size);
|
||||||
|
if (ret != 0)
|
||||||
|
{
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
for (i = 0; i < category_id_num && i < 8; i++)
|
||||||
|
{
|
||||||
|
p += snprintf(p, sizeof(fqdn_cat_buff) - (p - fqdn_cat_buff), "%s%d", i>0 ? "," : "", category_id_val[i]);
|
||||||
|
}
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
int pangu_send_log(struct pangu_logger* handle, const struct pangu_log* log_msg)
|
int pangu_send_log(struct pangu_logger* handle, const struct pangu_log* log_msg)
|
||||||
{
|
{
|
||||||
const struct tfe_http_session* http=log_msg->http;
|
const struct tfe_http_session* http=log_msg->http;
|
||||||
@@ -126,6 +154,7 @@ int pangu_send_log(struct pangu_logger* handle, const struct pangu_log* log_msg)
|
|||||||
cJSON_AddStringToObject(common_obj, "common_schema_type", "HTTP");
|
cJSON_AddStringToObject(common_obj, "common_schema_type", "HTTP");
|
||||||
|
|
||||||
unsigned int common_direction=0;
|
unsigned int common_direction=0;
|
||||||
|
char category_id_val[TFE_SYMBOL_MAX];
|
||||||
char opt_val[24] = { 0 }; uint16_t opt_out_size;
|
char opt_val[24] = { 0 }; uint16_t opt_out_size;
|
||||||
struct tfe_cmsg * cmsg = tfe_stream_get0_cmsg(log_msg->stream);
|
struct tfe_cmsg * cmsg = tfe_stream_get0_cmsg(log_msg->stream);
|
||||||
if (cmsg!=NULL)
|
if (cmsg!=NULL)
|
||||||
@@ -140,6 +169,11 @@ int pangu_send_log(struct pangu_logger* handle, const struct pangu_log* log_msg)
|
|||||||
{
|
{
|
||||||
cJSON_AddNumberToObject(common_obj, "common_direction", common_direction); //0:域内->域外,1:域外->域内,描述的是CLIENT_IP信息
|
cJSON_AddNumberToObject(common_obj, "common_direction", common_direction); //0:域内->域外,1:域外->域内,描述的是CLIENT_IP信息
|
||||||
}
|
}
|
||||||
|
ret = pangu_log_get_fqdn_cat(cmsg, category_id_val);
|
||||||
|
if (ret==0)
|
||||||
|
{
|
||||||
|
cJSON_AddStringToObject(common_obj, "common_service_category", category_id_val);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (http->req)
|
if (http->req)
|
||||||
|
|||||||
Reference in New Issue
Block a user