gfwleak/tango-tfe
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

TSG-2489 DOH 支持 IP 归属地

Browse Source 
* tfe maat IP 归属地回调表的注册从 pangu 移动到 tfe_resource 中
	* 修复 Pangu IP 归属地 SRC && DST 同时命中时 maat 计数的 bug
This commit is contained in:
luwenpeng
2020-07-15 11:30:11 +08:00
parent 39bff0023c
commit 444b9c7935
11 changed files with 518 additions and 264 deletions
Download Patch File Download Diff File Expand all files Collapse all files

212
plugin/business/doh/src/doh.cpp
View File

@@ -199,6 +199,172 @@ static struct Maat_rule_t *doh_fetch_rule(Maat_rule_t *result, int result_num)
return p_result;
}
static int doh_ip_location_scan(struct Maat_rule_t *result, struct ip_address *sip, struct ip_address *dip, int hit_cnt, unsigned int thread_id, struct doh_ctx *ctx)
{
int scan_ret = 0, hit_cnt_ip = 0;
char buff[TFE_STRING_MAX] = {0};
struct ip_data_table *ip_location_client = NULL, *ip_location_server = NULL;
int is_src_use_user_defined = 1;
int is_dst_use_user_defined = 1;
Maat_ip_plugin_get_EX_data(g_doh_conf->maat, tfe_bussiness_tableid_get(TABLE_IP_LOCATION_USER_DEFINED), sip, (void **)&ip_location_client, 1);
Maat_ip_plugin_get_EX_data(g_doh_conf->maat, tfe_bussiness_tableid_get(TABLE_IP_LOCATION_USER_DEFINED), dip, (void **)&ip_location_server, 1);
if (ip_location_client == NULL)
{
is_src_use_user_defined = 0;
Maat_ip_plugin_get_EX_data(g_doh_conf->maat, tfe_bussiness_tableid_get(TABLE_IP_LOCATION_BUILT_IN), sip, (void **)&ip_location_client, 1);
}
if (ip_location_server == NULL)
{
is_dst_use_user_defined = 0;
Maat_ip_plugin_get_EX_data(g_doh_conf->maat, tfe_bussiness_tableid_get(TABLE_IP_LOCATION_BUILT_IN), dip, (void **)&ip_location_server, 1);
}
if (ip_location_server != NULL)
{
TFE_LOG_INFO(g_doh_conf->local_logger, "scan dst ip use IP_LOCATION_%s, profile_id: %d ref_cnt: %d asn: %s organization: %s country: %s province: %s city: %s addr: %s",
(is_dst_use_user_defined ? "USER_DEFINED" : "BUILT_IN"), ip_location_server->profile_id, ip_location_server->ref_cnt, ip_location_server->asn,
ip_location_server->organization, ip_location_server->country_full, ip_location_server->province_full, ip_location_server->city_full, ctx->addr_string);
snprintf(buff, sizeof(buff), "%s.%s.", ip_location_server->country_full, ip_location_server->city_full);
scan_ret = Maat_full_scan_string(g_doh_conf->maat, tfe_bussiness_tableid_get(TABLE_SECURITY_DESTINATION_LOCATION),
CHARSET_GBK, buff, strlen(buff),
result + hit_cnt + hit_cnt_ip, NULL, MAX_SCAN_RESULT - hit_cnt - hit_cnt_ip,
&(ctx->scan_mid), (int)thread_id);
if (scan_ret > 0)
{
TFE_LOG_INFO(g_doh_conf->local_logger, "SCAN_DST_LOCATION, Hit location: %s scan ret: %d policy_id: %d service: %d action: %d addr: %s",
buff, scan_ret, result[hit_cnt + hit_cnt_ip].config_id, result[hit_cnt + hit_cnt_ip].service_id, result[hit_cnt + hit_cnt_ip].action, ctx->addr_string);
hit_cnt_ip += scan_ret;
}
else
{
TFE_LOG_INFO(g_doh_conf->local_logger, "SCAN_DST_LOCATION, NO hit location: %s scan ret: %d addr: %s",
buff, scan_ret, ctx->addr_string);
}
memset(buff, 0, sizeof(buff));
snprintf(buff, sizeof(buff), "%s,%s,%s", ip_location_server->city_full, ip_location_server->province_full, ip_location_server->country_full);
ctx->location_server = tfe_strdup(buff);
}
if (ip_location_client != NULL)
{
TFE_LOG_INFO(g_doh_conf->local_logger, "scan src ip use IP_LOCATION_%s, profile_id: %d ref_cnt: %d asn: %s organization: %s country: %s province: %s city: %s addr: %s",
(is_src_use_user_defined ? "USER_DEFINED" : "BUILT_IN"), ip_location_client->profile_id, ip_location_client->ref_cnt, ip_location_client->asn,
ip_location_client->organization, ip_location_client->country_full, ip_location_client->province_full, ip_location_client->city_full, ctx->addr_string);
snprintf(buff, sizeof(buff), "%s.%s.", ip_location_client->country_full, ip_location_client->city_full);
scan_ret = Maat_full_scan_string(g_doh_conf->maat, tfe_bussiness_tableid_get(TABLE_SECURITY_SOURCE_LOCATION),
CHARSET_GBK, buff, strlen(buff),
result + hit_cnt + hit_cnt_ip, NULL, MAX_SCAN_RESULT - hit_cnt - hit_cnt_ip,
&(ctx->scan_mid), (int)thread_id);
if (scan_ret > 0)
{
TFE_LOG_INFO(g_doh_conf->local_logger, "SCAN_SRC_LOCATION, Hit location: %s scan ret: %d policy_id: %d service: %d action: %d addr: %s",
buff, scan_ret, result[hit_cnt + hit_cnt_ip].config_id, result[hit_cnt + hit_cnt_ip].service_id, result[hit_cnt + hit_cnt_ip].action, ctx->addr_string);
hit_cnt_ip += scan_ret;
}
else
{
TFE_LOG_INFO(g_doh_conf->local_logger, "SCAN_SRC_LOCATION, NO hit location: %s scan ret: %d addr: %s",
buff, scan_ret, ctx->addr_string);
}
memset(buff, 0, sizeof(buff));
snprintf(buff, sizeof(buff), "%s,%s,%s", ip_location_client->city_full, ip_location_client->province_full, ip_location_client->country_full);
ctx->location_client = tfe_strdup(buff);
}
if (ip_location_server)
ip_table_free(ip_location_server);
if (ip_location_client)
ip_table_free(ip_location_client);
return hit_cnt_ip;
}
static int doh_ip_asn_scan(struct Maat_rule_t *result, struct ip_address *sip, struct ip_address *dip, int hit_cnt, unsigned int thread_id, struct doh_ctx *ctx)
{
int scan_ret = 0, hit_cnt_ip = 0;
char buff[TFE_STRING_MAX] = {0};
struct ip_data_table *ip_asn_client = NULL, *ip_asn_server = NULL;
int is_src_use_user_defined = 1;
int is_dst_use_user_defined = 1;
Maat_ip_plugin_get_EX_data(g_doh_conf->maat, tfe_bussiness_tableid_get(TABLE_IP_ASN_USER_DEFINED), sip, (void **)&ip_asn_client, 1);
Maat_ip_plugin_get_EX_data(g_doh_conf->maat, tfe_bussiness_tableid_get(TABLE_IP_ASN_USER_DEFINED), dip, (void **)&ip_asn_server, 1);
if (ip_asn_client == NULL)
{
is_src_use_user_defined = 0;
Maat_ip_plugin_get_EX_data(g_doh_conf->maat, tfe_bussiness_tableid_get(TABLE_IP_ASN_BUILT_IN), sip, (void **)&ip_asn_client, 1);
}
if (ip_asn_server == NULL)
{
is_dst_use_user_defined = 0;
Maat_ip_plugin_get_EX_data(g_doh_conf->maat, tfe_bussiness_tableid_get(TABLE_IP_ASN_BUILT_IN), dip, (void **)&ip_asn_server, 1);
}
if (ip_asn_server != NULL)
{
TFE_LOG_INFO(g_doh_conf->local_logger, "scan dst ip use IP_ASN_%s, profile_id: %d ref_cnt: %d asn: %s organization: %s country: %s province: %s city: %s addr: %s",
(is_dst_use_user_defined ? "USER_DEFINED" : "BUILT_IN"), ip_asn_server->profile_id, ip_asn_server->ref_cnt, ip_asn_server->asn,
ip_asn_server->organization, ip_asn_server->country_full, ip_asn_server->province_full, ip_asn_server->city_full, ctx->addr_string);
scan_ret = Maat_full_scan_string(g_doh_conf->maat, tfe_bussiness_tableid_get(TABLE_SECURITY_DESTINATION_ASN),
CHARSET_UTF8, ip_asn_server->asn, strlen(ip_asn_server->asn),
result + hit_cnt + hit_cnt_ip, NULL, MAX_SCAN_RESULT - hit_cnt - hit_cnt_ip,
&(ctx->scan_mid), (int)thread_id);
if (scan_ret > 0)
{
TFE_LOG_INFO(g_doh_conf->local_logger, "SCAN_DST_ASN, Hit asn: %s scan ret: %d policy_id: %d service: %d action: %d addr: %s",
ip_asn_server->asn, scan_ret, result[hit_cnt + hit_cnt_ip].config_id, result[hit_cnt + hit_cnt_ip].service_id, result[hit_cnt + hit_cnt_ip].action, ctx->addr_string);
hit_cnt_ip += scan_ret;
}
else
{
TFE_LOG_INFO(g_doh_conf->local_logger, "SCAN_DST_ASN, NO hit asn: %s scan ret: %d addr: %s",
ip_asn_server->asn, scan_ret, ctx->addr_string);
}
memset(buff, 0, sizeof(buff));
snprintf(buff, sizeof(buff), "%s(%s)", ip_asn_server->asn, ip_asn_server->organization);
ctx->asn_server = tfe_strdup(buff);
}
if (ip_asn_client != NULL)
{
TFE_LOG_INFO(g_doh_conf->local_logger, "scan src ip use IP_ASN_%s, profile_id: %d ref_cnt: %d asn: %s organization: %s country: %s province: %s city: %s addr: %s",
(is_src_use_user_defined ? "USER_DEFINED" : "BUILT_IN"), ip_asn_client->profile_id, ip_asn_client->ref_cnt, ip_asn_client->asn,
ip_asn_client->organization, ip_asn_client->country_full, ip_asn_client->province_full, ip_asn_client->city_full, ctx->addr_string);
scan_ret = Maat_full_scan_string(g_doh_conf->maat, tfe_bussiness_tableid_get(TABLE_SECURITY_SOURCE_ASN),
CHARSET_UTF8, ip_asn_client->asn, strlen(ip_asn_client->asn),
result + hit_cnt + hit_cnt_ip, NULL, MAX_SCAN_RESULT - hit_cnt - hit_cnt_ip,
&(ctx->scan_mid), (int)thread_id);
if (scan_ret > 0)
{
TFE_LOG_INFO(g_doh_conf->local_logger, "SCAN_SRC_ASN, Hit asn: %s scan ret: %d policy_id: %d service: %d action: %d addr: %s",
ip_asn_client->asn, scan_ret, result[hit_cnt + hit_cnt_ip].config_id, result[hit_cnt + hit_cnt_ip].service_id, result[hit_cnt + hit_cnt_ip].action, ctx->addr_string);
hit_cnt_ip += scan_ret;
}
else
{
TFE_LOG_INFO(g_doh_conf->local_logger, "SCAN_SRC_ASN, NO hit asn: %s scan ret: %d addr: %s",
ip_asn_client->asn, scan_ret, ctx->addr_string);
}
memset(buff, 0, sizeof(buff));
snprintf(buff, sizeof(buff), "%s(%s)", ip_asn_client->asn, ip_asn_client->organization);
ctx->asn_client = tfe_strdup(buff);
}
if (ip_asn_server)
ip_table_free(ip_asn_server);
if (ip_asn_client)
ip_table_free(ip_asn_client);
return hit_cnt_ip;
}
static void doh_maat_scan(const struct tfe_stream *stream, const struct tfe_http_session *session, struct doh_ctx *ctx, char *qname, int qtype)
{
int hit_cnt = 0;
@@ -208,6 +374,20 @@ static void doh_maat_scan(const struct tfe_stream *stream, const struct tfe_http
struct Maat_rule_t *p_result = NULL;
struct Maat_rule_t result[MAX_SCAN_RESULT];
struct ip_address dest_ip, source_ip;
tfe_stream_addr_to_address(stream->addr, &dest_ip, &source_ip);
scan_ret = doh_ip_location_scan(result, &source_ip, &dest_ip, hit_cnt, ctx->thread_id, ctx);
if (scan_ret > 0)
{
hit_cnt += scan_ret;
}
scan_ret = doh_ip_asn_scan(result, &source_ip, &dest_ip, hit_cnt, ctx->thread_id, ctx);
if (scan_ret > 0)
{
hit_cnt += scan_ret;
}
// scan server host
const char *host = session->req->req_spec.host;
if (host)
@@ -216,9 +396,9 @@ static void doh_maat_scan(const struct tfe_stream *stream, const struct tfe_http
host, strlen(host), result + hit_cnt, NULL, MAX_SCAN_RESULT - hit_cnt, &(ctx->scan_mid), ctx->thread_id);
if (scan_ret > 0)
{
hit_cnt += scan_ret;
TFE_LOG_INFO(g_doh_conf->local_logger, "SCAN_HOST, Hit host: %s scan ret: %d policy_id: %d service: %d action: %d addr: %s",
host, scan_ret, result[hit_cnt].config_id, result[hit_cnt].service_id, result[hit_cnt].action, ctx->addr_string);
hit_cnt += scan_ret;
}
else
{
@@ -233,9 +413,9 @@ static void doh_maat_scan(const struct tfe_stream *stream, const struct tfe_http
0, result + hit_cnt, MAX_SCAN_RESULT - hit_cnt, &(ctx->scan_mid), ctx->thread_id);
if (scan_ret > 0)
{
hit_cnt += scan_ret;
TFE_LOG_INFO(g_doh_conf->local_logger, "SCAN_ADDR, Hit addr: %s scan ret: %d policy_id: %d service: %d action: %d",
ctx->addr_string, scan_ret, result[hit_cnt].config_id, result[hit_cnt].service_id, result[hit_cnt].action);
hit_cnt += scan_ret;
}
else
{
@@ -248,9 +428,9 @@ static void doh_maat_scan(const struct tfe_stream *stream, const struct tfe_http
app_id, strlen(app_id), result + hit_cnt, NULL, MAX_SCAN_RESULT - hit_cnt, &(ctx->scan_mid), ctx->thread_id);
if (scan_ret > 0)
{
hit_cnt += scan_ret;
TFE_LOG_INFO(g_doh_conf->local_logger, "SCAN_APPID, Hit proto: %s scan ret: %d policy_id: %d service: %d action: %d addr: %s",
app_id, scan_ret, result[hit_cnt].config_id, result[hit_cnt].service_id, result[hit_cnt].action, ctx->addr_string);
hit_cnt += scan_ret;
}
else
{
@@ -263,9 +443,9 @@ static void doh_maat_scan(const struct tfe_stream *stream, const struct tfe_http
qname, strlen(qname), result + hit_cnt, NULL, MAX_SCAN_RESULT - hit_cnt, &(ctx->scan_mid), ctx->thread_id);
if (scan_ret > 0)
{
hit_cnt += scan_ret;
TFE_LOG_INFO(g_doh_conf->local_logger, "SCAN_QNAME, Hit domain: %s scan ret: %d qtype: %d policy_id: %d service: %d action: %d addr: %s",
qname, scan_ret, qtype, result[hit_cnt].config_id, result[hit_cnt].service_id, result[hit_cnt].action, ctx->addr_string);
hit_cnt += scan_ret;
}
else
{
@@ -389,6 +569,30 @@ static void doh_ctx_free(struct doh_ctx *ctx)
ctx->addr_string = NULL;
}
if (ctx->asn_client)
{
free(ctx->asn_client);
ctx->asn_client = NULL;
}
if (ctx->asn_server)
{
free(ctx->asn_server);
ctx->asn_server = NULL;
}
if (ctx->location_client)
{
free(ctx->location_client);
ctx->location_client = NULL;
}
if (ctx->location_server)
{
free(ctx->location_server);
ctx->location_server = NULL;
}
FREE(&ctx);
}