gfwleak/tango-tfe
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fqdn服务划分接口适配修改

Browse Source
This commit is contained in:
fengweihao
2020-10-12 11:04:35 +08:00
committed by luwenpeng
parent e16931d7c5
commit 40aab0a298
8 changed files with 106 additions and 62 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
common/include/tfe_cmsg.h
View File

@@ -78,6 +78,9 @@ enum tfe_cmsg_tlv_type
/* SSL ja3 fingerprint */
TFE_CMSG_SSL_CLIENT_JA3_FINGERPRINT, // string max size 32
TFE_CMSG_SRC_FQDN_ID,
TFE_CMSG_SRC_FQDN_NUM,
/* Add new cmsg here */
/* Add new cmsg here */
/* Add new cmsg here */

4
common/include/tfe_scan.h
View File

@@ -8,4 +8,6 @@ int tfe_scan_subscribe_id(const struct tfe_stream *stream, struct Maat_rule_t *r
int tfe_scan_ip_asn(const struct tfe_stream *stream, struct Maat_rule_t *result, scan_status_t *scan_mid,
int hit_cnt, unsigned int thread_id, void *logger, const char *addr, char **asn_server, char **asn_client);
int tfe_scan_ip_location(const struct tfe_stream *stream, struct Maat_rule_t *result, scan_status_t *scan_mid,
int hit_cnt, unsigned int thread_id, void *logger, const char *addr, char **location_server, char **location_client);
int hit_cnt, unsigned int thread_id, void *logger, const char *addr, char **location_server, char **location_client);
int tfe_scan_fqdn_cat(const struct tfe_stream *stream, struct Maat_rule_t *result, scan_status_t *scan_mid,
int hit_cnt, unsigned int thread_id, void *logger, int table_id);

24
common/src/tfe_resource.cpp
View File

@@ -13,9 +13,6 @@ struct maat_table_info
{
int id;
const char *name;
Maat_plugin_EX_new_func_t *new_func;
Maat_plugin_EX_dup_func_t *dup_func;
Maat_plugin_EX_free_func_t *free_func;
};
static Maat_feather_t static_maat = NULL;
static tfe_kafka_logger_t *kafka_logger = NULL;
@@ -235,16 +232,11 @@ finish:
}
static struct maat_table_info maat_pub_tables[TABLE_TYPE_MAX] = {
// TABLE_SECURITY_SOURCE_ASN
{0, "TSG_SECURITY_SOURCE_ASN", NULL, NULL, NULL},
// TABLE_SECURITY_DESTINATION_ASN
{0, "TSG_SECURITY_DESTINATION_ASN", NULL, NULL, NULL},
// TABLE_SECURITY_SOURCE_LOCATION
{0, "TSG_SECURITY_SOURCE_LOCATION", NULL, NULL, NULL},
// TABLE_SECURITY_DESTINATION_LOCATION
{0, "TSG_SECURITY_DESTINATION_LOCATION", NULL, NULL, NULL},
// TABLE_OBJ_SUBSCRIBER_ID
{0, "TSG_OBJ_SUBSCRIBER_ID", NULL, NULL, NULL}};
{0, "TSG_SECURITY_SOURCE_ASN"},
{0, "TSG_SECURITY_DESTINATION_ASN"},
{0, "TSG_SECURITY_SOURCE_LOCATION"},
{0, "TSG_SECURITY_DESTINATION_LOCATION"},
{0, "TSG_OBJ_SUBSCRIBER_ID"}};
static int register_maat_table()
{
@@ -256,12 +248,6 @@ static int register_maat_table()
TFE_LOG_ERROR(g_default_logger, "Maat table %s register failed.", maat_pub_tables[i].name);
return -1;
}
if (maat_pub_tables[i].new_func || maat_pub_tables[i].dup_func || maat_pub_tables[i].free_func)
{
Maat_ip_plugin_EX_register(static_maat, maat_pub_tables[i].id, maat_pub_tables[i].new_func,
maat_pub_tables[i].free_func, maat_pub_tables[i].dup_func, 0, NULL);
}
}
return 0;

43
common/src/tfe_scan.cpp
View File

@@ -67,6 +67,49 @@ int tfe_scan_subscribe_id(const struct tfe_stream *stream, struct Maat_rule_t *r
return hit_cnt_ip;
}
int tfe_scan_fqdn_cat(const struct tfe_stream *stream, struct Maat_rule_t *result, scan_status_t *scan_mid,
int hit_cnt, unsigned int thread_id, void *logger, int table_id)
{
int scan_ret = 0, i, fqdn_len =0;
uint16_t opt_out_size;
int category_num = 0, hit_cnt_fqdn = 0;
char category_id_num[24] = {0};
char category_id_val[TFE_SYMBOL_MAX] = {0};
struct tfe_cmsg *cmsg = tfe_stream_get0_cmsg(stream);
if (cmsg != NULL)
{
scan_ret = tfe_cmsg_get_value(cmsg, TFE_CMSG_SRC_FQDN_ID, (unsigned char *)category_id_val, sizeof(category_id_val), &opt_out_size);
if (scan_ret != 0)
{
TFE_LOG_ERROR(logger, "fetch fqdn cat id from cmsg failed, ret: %d", scan_ret);
}
scan_ret = tfe_cmsg_get_value(cmsg, TFE_CMSG_SRC_FQDN_NUM, (unsigned char *)category_id_num, sizeof(category_id_num), &opt_out_size);
if (scan_ret != 0)
{
TFE_LOG_ERROR(logger, "fetch fqdn cat id from cmsg failed, ret: %d", scan_ret);
}
category_num = atoll(category_id_num);
}
for(i = 0; i< category_num && i < 8; i++)
{
int fqdn_id =0;
char fqdn_val[16]={0};
snprintf(fqdn_val, sizeof(int), "%s", category_id_val + fqdn_len);
fqdn_id = atoi(fqdn_val);
scan_ret=Maat_scan_intval(tfe_bussiness_resouce_get(STATIC_MAAT), table_id, fqdn_id, result + hit_cnt + hit_cnt_fqdn,
MAX_SCAN_RESULT-hit_cnt-hit_cnt_fqdn, scan_mid, (int) thread_id);
if(scan_ret>0)
{
hit_cnt_fqdn+=scan_ret;
}
fqdn_len += sizeof(int);
}
return hit_cnt_fqdn;
}
int tfe_scan_ip_location(const struct tfe_stream *stream, struct Maat_rule_t *result, scan_status_t *scan_mid,
int hit_cnt, unsigned int thread_id, void *logger, const char *addr, char **location_server, char **location_client)
{

11
plugin/business/doh/src/doh.cpp
View File

@@ -243,6 +243,12 @@ static void doh_maat_scan(const struct tfe_stream *stream, const struct tfe_http
TFE_LOG_INFO(g_doh_conf->local_logger, "Scan %s, NO hit host: %s scan ret: %d addr: %s",
g_doh_conf->tables[TYPE_HOST].name, host, scan_ret, ctx->addr_string);
}
scan_ret = tfe_scan_fqdn_cat(stream, result, &(ctx->scan_mid), hit_cnt, ctx->thread_id, g_doh_conf->local_logger, g_doh_conf->tables[TYPE_HOST].id);
if( scan_ret > 0)
{
hit_cnt += scan_ret;
}
}
// scan addr
@@ -289,6 +295,11 @@ static void doh_maat_scan(const struct tfe_stream *stream, const struct tfe_http
TFE_LOG_INFO(g_doh_conf->local_logger, "Scan %s, NO hit domain: %s scan ret: %d addr: %s",
g_doh_conf->tables[TYPE_QNAME].name, qname, scan_ret, ctx->addr_string);
}
scan_ret = tfe_scan_fqdn_cat(stream, result, &(ctx->scan_mid), hit_cnt, ctx->thread_id, g_doh_conf->local_logger, g_doh_conf->tables[TYPE_QNAME].id);
if( scan_ret > 0)
{
hit_cnt += scan_ret;
}
if (hit_cnt)
{

11
plugin/business/pangu-http/src/pangu_http.cpp
View File

@@ -1934,7 +1934,7 @@ static void http_manipulate(const struct tfe_stream * stream, const struct tfe_h
}
enum pangu_action http_scan(const struct tfe_http_session * session, enum tfe_http_event events,
const unsigned char * body_frag, size_t frag_size, struct pangu_http_ctx * ctx)
const unsigned char * body_frag, size_t frag_size, struct pangu_http_ctx * ctx, const struct tfe_stream * stream)
{
void * iterator = NULL;
const char * field_val = NULL;
@@ -1957,6 +1957,11 @@ enum pangu_action http_scan(const struct tfe_http_session * session, enum tfe_ht
{
hit_cnt += scan_ret;
}
scan_ret = tfe_scan_fqdn_cat(stream, result, &(ctx->scan_mid), hit_cnt, ctx->thread_id, g_pangu_rt->local_logger, g_pangu_rt->scan_table_id[PXY_CTRL_HTTP_FQDN]);
if (scan_ret > 0)
{
hit_cnt += scan_ret;
}
}
const char * str_url = session->req->req_spec.url;
@@ -2046,8 +2051,6 @@ enum pangu_action http_scan(const struct tfe_http_session * session, enum tfe_ht
session->req->req_spec.url, hit_cnt, buff, ctx->enforce_rules[0].config_id);
}
}
__out:
return ctx->action;
}
@@ -2059,7 +2062,7 @@ void enforce_control_policy(const struct tfe_stream * stream, const struct tfe_h
if(ctx->action==PG_ACTION_NONE||ctx->action==PG_ACTION_MONIT)
{
//ctx->action changed in http_scan.
http_scan(session, events, body_frag, frag_size, ctx);
http_scan(session, events, body_frag, frag_size, ctx, stream);
}
switch (ctx->action)
{

4
plugin/protocol/http2/src/http2_stream.cpp
View File

@@ -448,9 +448,6 @@ void h2_half_ops_free(struct tfe_http_half * half)
delete_stream_half_data(&h2_private, 1, CONN_DIR_DOWNSTREAM);
free(h2_private);
h2_private = NULL;
return;
}
@@ -952,7 +949,6 @@ nghttp2_submit_frame_settings(struct tfe_h2_stream *connection,const nghttp2_fra
nghttp2_settings settings = frame->settings;
nghttp2_session *ngh2_session = tfe_h2_stream_get_nghttp2_session(connection, dir);
nghttp2_session *ngh2_peer_session = tfe_h2_stream_get_nghttp2_peer_session(connection, dir);
rv = nghttp2_submit_settings(ngh2_session, settings.hd.flags,
nghttp2_iv_packet(settings, iv), settings.niv);

68
resource/pangu/table_info.conf
View File

@@ -23,37 +23,37 @@
4 TSG_OBJ_URL expr UTF8 GBK/UNICODE/UTF8/url_encode_gb2312/url_encode_utf8 yes 0 quickoff
5 TSG_FIELD_HTTP_URL virtual TSG_OBJ_URL --
6 TSG_OBJ_FQDN expr UTF8 GBK/UNICODE/UTF8/url_encode_gb2312/url_encode_utf8 yes 0 quickoff
6 TSG_OBJ_FQDN_CAT expr UTF8 GBK/UNICODE/UTF8/url_encode_gb2312/url_encode_utf8 yes 0 quickoff
7 TSG_FIELD_HTTP_HOST virtual TSG_OBJ_FQDN --
8 TSG_OBJ_HTTP_SIGNATURE expr_plus UTF8 UTF8 yes 0 quickoff
9 TSG_FIELD_HTTP_REQ_HDR virtual TSG_OBJ_HTTP_SIGNATURE --
10 TSG_FIELD_HTTP_RES_HDR virtual TSG_OBJ_HTTP_SIGNATURE --
11 TSG_OBJ_KEYWORDS expr UTF8 GBK/UNICODE/UTF8 yes 128 quickoff
12 TSG_FIELD_HTTP_REQ_CONTENT virtual TSG_OBJ_KEYWORDS --
13 TSG_FIELD_HTTP_RES_CONTENT virtual TSG_OBJ_KEYWORDS --
14 TSG_OBJ_SUBSCRIBER_ID expr UTF8 UTF8 yes 0 quickon
15 TSG_OBJ_APP_ID intval UTF8 UTF8 yes 0
16 TSG_SECURITY_SOURCE_ADDR virtual TSG_OBJ_IP_ADDR --
17 TSG_SECURITY_DESTINATION_ADDR virtual TSG_OBJ_IP_ADDR --
18 TSG_SECURITY_ADDR composition {"source":"TSG_SECURITY_SOURCE_ADDR","destination":"TSG_SECURITY_DESTINATION_ADDR"}
19 PXY_CACHE_COMPILE compile escape --
20 PXY_CACHE_GROUP group --
21 PXY_CACHE_HTTP_URL expr UTF8 UTF8 yes 0 quickoff
22 PXY_CACHE_HTTP_COOKIE expr UTF8 UTF8 yes 0 quickoff
23 PXY_PROFILE_TRUSTED_CA_CERT plugin {"key":1,"valid":4,"foreign":"3"}
23 PXY_EXCH_INTERMEDIA_CERT plugin {"key":1,"valid":4,"foreign":"3"}
24 PXY_OBJ_TRUSTED_CA_CRL plugin {"valid":4,"foreign":"3"}
25 TSG_PROFILE_RESPONSE_PAGES plugin {"key":1,"foreign":"4","valid":5}
26 PXY_PROFILE_HIJACK_FILES plugin {"key":1,"foreign":"5","valid":6}
27 PXY_PROFILE_INSERT_SCRIPTS plugin {"key":1,"foreign":"4","valid":6}
28 TSG_SECURITY_COMPILE plugin {"key":1,"valid":8}
29 PXY_PROFILE_TRAFFIC_MIRROR plugin {"key":1,"valid":4}
30 TSG_PROFILE_DECRYPTION plugin {"key":1,"valid":4}
31 TSG_OBJ_AS_NUMBER expr UTF8 UTF8/GBK yes 0
32 TSG_SECURITY_SOURCE_ASN virtual TSG_OBJ_AS_NUMBER --
33 TSG_SECURITY_DESTINATION_ASN virtual TSG_OBJ_AS_NUMBER --
34 TSG_OBJ_GEO_LOCATION expr UTF8 UTF8/GBK yes 0
35 TSG_SECURITY_SOURCE_LOCATION virtual TSG_OBJ_GEO_LOCATION --
36 TSG_SECURITY_DESTINATION_LOCATION virtual TSG_OBJ_GEO_LOCATION --
37 TSG_FIELD_DOH_QNAME virtual TSG_OBJ_FQDN --
38 TSG_FIELD_DOH_HOST virtual TSG_OBJ_FQDN --
7 TSG_OBJ_FQDN_CAT intval UTF8 GBK/UNICODE/UTF8/url_encode_gb2312/url_encode_utf8 yes 0 quickoff
8 TSG_FIELD_HTTP_HOST virtual ["TSG_OBJ_FQDN","TSG_OBJ_FQDN_CAT"] --
9 TSG_OBJ_HTTP_SIGNATURE expr_plus UTF8 UTF8 yes 0 quickoff
10 TSG_FIELD_HTTP_REQ_HDR virtual TSG_OBJ_HTTP_SIGNATURE --
11 TSG_FIELD_HTTP_RES_HDR virtual TSG_OBJ_HTTP_SIGNATURE --
12 TSG_OBJ_KEYWORDS expr UTF8 GBK/UNICODE/UTF8 yes 128 quickoff
13 TSG_FIELD_HTTP_REQ_CONTENT virtual TSG_OBJ_KEYWORDS --
14 TSG_FIELD_HTTP_RES_CONTENT virtual TSG_OBJ_KEYWORDS --
15 TSG_OBJ_SUBSCRIBER_ID expr UTF8 UTF8 yes 0 quickon
16 TSG_OBJ_APP_ID intval UTF8 UTF8 yes 0
17 TSG_SECURITY_SOURCE_ADDR virtual TSG_OBJ_IP_ADDR --
18 TSG_SECURITY_DESTINATION_ADDR virtual TSG_OBJ_IP_ADDR --
19 TSG_SECURITY_ADDR composition {"source":"TSG_SECURITY_SOURCE_ADDR","destination":"TSG_SECURITY_DESTINATION_ADDR"}
20 PXY_CACHE_COMPILE compile escape --
21 PXY_CACHE_GROUP group --
22 PXY_CACHE_HTTP_URL expr UTF8 UTF8 yes 0 quickoff
23 PXY_CACHE_HTTP_COOKIE expr UTF8 UTF8 yes 0 quickoff
24 PXY_PROFILE_TRUSTED_CA_CERT plugin {"key":1,"valid":4,"foreign":"3"}
24 PXY_EXCH_INTERMEDIA_CERT plugin {"key":1,"valid":4,"foreign":"3"}
25 PXY_OBJ_TRUSTED_CA_CRL plugin {"valid":4,"foreign":"3"}
26 TSG_PROFILE_RESPONSE_PAGES plugin {"key":1,"foreign":"4","valid":5}
27 PXY_PROFILE_HIJACK_FILES plugin {"key":1,"foreign":"5","valid":6}
28 PXY_PROFILE_INSERT_SCRIPTS plugin {"key":1,"foreign":"4","valid":6}
29 TSG_SECURITY_COMPILE plugin {"key":1,"valid":8}
30 PXY_PROFILE_TRAFFIC_MIRROR plugin {"key":1,"valid":4}
31 TSG_PROFILE_DECRYPTION plugin {"key":1,"valid":4}
32 TSG_OBJ_AS_NUMBER expr UTF8 UTF8/GBK yes 0
33 TSG_SECURITY_SOURCE_ASN virtual TSG_OBJ_AS_NUMBER --
34 TSG_SECURITY_DESTINATION_ASN virtual TSG_OBJ_AS_NUMBER --
35 TSG_OBJ_GEO_LOCATION expr UTF8 UTF8/GBK yes 0
36 TSG_SECURITY_SOURCE_LOCATION virtual TSG_OBJ_GEO_LOCATION --
37 TSG_SECURITY_DESTINATION_LOCATION virtual TSG_OBJ_GEO_LOCATION --
38 TSG_FIELD_DOH_QNAME virtual ["TSG_OBJ_FQDN","TSG_OBJ_FQDN_CAT"] --
39 TSG_FIELD_DOH_HOST virtual ["TSG_OBJ_FQDN","TSG_OBJ_FQDN_CAT"] --