diff --git a/common/include/intercept_policy.h b/common/include/intercept_policy.h index b4d1cfc..cde9e0b 100644 --- a/common/include/intercept_policy.h +++ b/common/include/intercept_policy.h @@ -7,7 +7,7 @@ struct intercept_policy_enforcer *intercept_policy_enforcer_create(void *logger) void intercept_policy_enforce_destory(struct intercept_policy_enforcer *enforcer); // return 0 : success // return -1 : error (need passthrough) -int intercept_policy_select(struct intercept_policy_enforcer *enforcer, uuid_t *rule_id_array, int rule_id_num, uuid_t selected_rule_id); +int intercept_policy_select(struct intercept_policy_enforcer *enforcer, uuid_t *rule_id_array, int rule_id_num, uuid_t *selected_rule_id); // return 0 : success // return -1 : error (need passthrough) int intercept_policy_enforce(struct intercept_policy_enforcer *enforcer, struct tfe_cmsg *cmsg); \ No newline at end of file diff --git a/common/include/ssl_stream.h b/common/include/ssl_stream.h index 9354f8f..2f2a43e 100644 --- a/common/include/ssl_stream.h +++ b/common/include/ssl_stream.h @@ -1,6 +1,7 @@ #pragma once #include #include +#include struct ssl_stream; enum ssl_stream_action diff --git a/common/src/intercept_policy.cpp b/common/src/intercept_policy.cpp index 5e5bd6f..1b1e33c 100644 --- a/common/src/intercept_policy.cpp +++ b/common/src/intercept_policy.cpp @@ -10,19 +10,13 @@ struct intercept_param uuid_t rule_id; int do_log; int ref_cnt; - int action; + int action_is_intercept; uuid_t keyring_for_trusted; uuid_t keyring_for_untrusted; uuid_t decryption_profile; uuid_t tcp_option_profile; }; -enum { - ACTION_NONE, - ACTION_INTERCEPT, - ACTION_NO_INTERCEPT, -}; - struct intercept_policy_enforcer { struct maat *maat; 
@@ -30,144 +24,175 @@ struct intercept_policy_enforcer void *logger; }; -static int intercept_action_map(char *action) -{ - if (strncasecmp(action, "intercept", strlen("intercept")) == 0) - return ACTION_INTERCEPT; - else if (strncasecmp(action, "no_intercept", strlen("no_intercept")) == 0) - return ACTION_NO_INTERCEPT; - else - return ACTION_NONE; -} - static void intercept_param_new_cb(const char *table_name, const char *key, const char *table_line, void **ad, long argl, void *argp) { - int action = 0; - int do_log = 0; - int vsys_id = 0; - cJSON * json_root = NULL; - cJSON * json_subroot = NULL; - cJSON * item = NULL; + cJSON *json_root = NULL; + cJSON *json_subroot = NULL; + cJSON *item = NULL; struct intercept_param *param = NULL; struct intercept_policy_enforcer *enforcer = (struct intercept_policy_enforcer *)argp; - json_root = cJSON_Parse(table_line); - if (unlikely(!json_root)) + char *json_str = strdup(table_line); + json_root = cJSON_Parse(json_str); + if (json_root == NULL) { - TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule:%s %s", key, table_line); + TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule: (invlad json format) %s", table_line); goto error_out; } + param = ALLOC(struct intercept_param, 1); + param->ref_cnt = 1; + uuid_parse(key, param->rule_id); + uuid_clear(param->keyring_for_trusted); + uuid_clear(param->keyring_for_untrusted); + uuid_clear(param->decryption_profile); + uuid_clear(param->tcp_option_profile); + + // action item = cJSON_GetObjectItem(json_root, "action"); - if (unlikely(!item || !cJSON_IsString(item))) + if (!item || !cJSON_IsString(item)) + { + TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule:%s (invalid action format) %s.", key, table_line); + goto error_out; + } + if (strcmp(item->valuestring, "intercept") == 0) + { + param->action_is_intercept = 1; + } + else if (strcmp(item->valuestring, "no_intercept") == 0) + { + param->action_is_intercept = 0; + } + else { TFE_LOG_ERROR(enforcer->logger, "Invalid 
intercept rule:%s (invalid action format) %s.", key, table_line); goto error_out; } - action = intercept_action_map(item->valueint); + // log_option item = cJSON_GetObjectItem(json_root, "log_option"); if (!item || !cJSON_IsString(item)) { TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule:%s (invalid log_option format) %s.", key, table_line); goto error_out; } - if (strncasecmp(item->valueint, "none", strlen("none")) == 0) + if (0 == strcasecmp(item->valuestring, "none")) { - do_log = 0; + param->do_log = 0; + } + else if (0 == strcasecmp(item->valuestring, "metadata")) + { + param->do_log = 1; + } + else if (0 == strcasecmp(item->valuestring, "all")) + { + param->do_log = 1; } else { - do_log = 1; + TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule:%s (invalid log_option format) %s.", key, table_line); + goto error_out; } + // action_parameter json_subroot = cJSON_GetObjectItem(json_root, "action_parameter"); - if (unlikely(!json_subroot)) + if (!json_subroot || !cJSON_IsObject(json_subroot)) { TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule:%s (invalid action_parameter format) %s.", key, table_line); goto error_out; } - item = cJSON_GetObjectItem(json_subroot, "vsys_id"); - if (!item || !cJSON_IsNumber(item)) - { - TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule:%s (invalid vsys_id format) %s.", key, table_line); - goto error_out; - } - vsys_id = item->valueint; - - param = ALLOC(struct intercept_param, 1); - param->ref_cnt = 1; - param->action = action; - param->do_log = do_log; - param->vsys_id = vsys_id; - uuid_parse(key, param->rule_id); - + // keyring_for_trusted item = cJSON_GetObjectItem(json_subroot, "keyring_for_trusted"); if (item) { - if (item->type == cJSON_String) + if (cJSON_IsString(item)) { uuid_parse(item->valuestring, param->keyring_for_trusted); } else { TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule: %s (invalid keyring_for_trusted format) %s.", key, table_line); + goto error_out; } } + else + { + // maybe 
not exist + } item = cJSON_GetObjectItem(json_subroot, "keyring_for_untrusted"); if (item) { - if (item->type == cJSON_String) + if (cJSON_IsString(item)) { uuid_parse(item->valuestring, param->keyring_for_untrusted); } else { TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule: %s (invalid keyring_for_untrusted format) %s", key, table_line); + goto error_out; } } + else + { + // maybe not exist + } item = cJSON_GetObjectItem(json_subroot, "decryption_profile"); if (item) { - if (item->type == cJSON_String) + if (cJSON_IsString(item)) { uuid_parse(item->valuestring, param->decryption_profile); } else { - TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule:%s (invalid decryption_profile format) %s.", key, table_line); + TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule: %s (invalid decryption_profile format) %s", key, table_line); + goto error_out; } } + else + { + // maybe not exist + } item = cJSON_GetObjectItem(json_subroot, "tcp_option_profile"); - if (item) + if (!item || !cJSON_IsString(item)) { - if (item->type == cJSON_String) - { - uuid_parse(item->valuestring, param->tcp_option_profile); - } - else - { - TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule:%s (invalid tcp_option_profile format) %s.", key, table_line); - } + TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule:%s (invalid tcp_option_profile format) %s.", key, table_line); + goto error_out; } + uuid_parse(item->valuestring, param->tcp_option_profile); *ad = param; TFE_LOG_INFO(enforcer->logger, "Add intercept rule: %s", key); + cJSON_Delete(json_root); + free(json_str); + return; + error_out: if (json_root) { cJSON_Delete(json_root); + json_root = NULL; + } + if (json_str) + { + free(json_str); + json_str = NULL; + } + if (param) + { + free(param); + param = NULL; } } static void intercept_param_free_cb(const char *table_name, void **ad, long argl, void *argp) { - char str_rule_id[UUID_STR_LEN] = {0}; + char str_rule_id[UUID_STRING_SIZE] = {0}; struct 
intercept_policy_enforcer *enforcer = (struct intercept_policy_enforcer *)argp; struct intercept_param *param = (struct intercept_param *)*ad; if (param == NULL) @@ -200,7 +225,7 @@ static void intercept_param_dup_cb(const char *table_name, void **to, void **fro static void intercept_param_free(struct intercept_param *param) { - intercept_param_free_cb(0, (void **)¶m, 0, NULL); + intercept_param_free_cb(NULL, (void **)¶m, 0, NULL); } struct intercept_policy_enforcer *intercept_policy_enforcer_create(void *logger) @@ -220,7 +245,7 @@ struct intercept_policy_enforcer *intercept_policy_enforcer_create(void *logger) enforcer); if (ret != 0) { - TFE_LOG_ERROR(enforcer->logger, "failed at register callback of PXY_INTERCEPT_COMPILE, ret = %d", ret); + TFE_LOG_ERROR(enforcer->logger, "failed at register callback of PXY_INTERCEPT_RULE, ret = %d", ret); goto error_out; } 
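Review bot: intercept_param_new_cb no longer reads `vsys_id` from `action_parameter` (the old block that validated it and stored `param->vsys_id` is removed with no replacement), yet intercept_policy_enforce later in this diff still forwards `param->vsys_id` as TFE_CMSG_POLICY_VSYS_ID, so unless the field is now populated elsewhere every intercepted session carries zero or, if ALLOC does not zero-fill, uninitialized memory as its vsys id — restore the parse as below. In the same hunk `uuid_parse(key, param->rule_id)` and the four `uuid_parse(item->valuestring, ...)` calls ignore the return value, so a malformed keyring or profile UUID is accepted as a valid rule and a nil or partially written id is later handed to the keyring lookup; check each with `if (uuid_parse(item->valuestring, param->keyring_for_trusted) != 0) { TFE_LOG_ERROR(...); goto error_out; }`. `strdup(table_line)` is unnecessary (cJSON_Parse takes a const pointer and does not modify its input), and when it fails the NULL is reported as "invlad json format" (typo: "invalid"). intercept_param_free_cb at the tail of the hunk continues outside it.
```cpp
    // action_parameter
    json_subroot = cJSON_GetObjectItem(json_root, "action_parameter");
    // … unchanged: object check, goto error_out …

    // vsys_id: still forwarded by intercept_policy_enforce as TFE_CMSG_POLICY_VSYS_ID
    item = cJSON_GetObjectItem(json_subroot, "vsys_id");
    if (!item || !cJSON_IsNumber(item))
    {
        TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule:%s (invalid vsys_id format) %s.", key, table_line);
        goto error_out;
    }
    param->vsys_id = item->valueint;

    // keyring_for_trusted (optional, but if present it must be a well-formed UUID)
    item = cJSON_GetObjectItem(json_subroot, "keyring_for_trusted");
    if (item)
    {
        if (!cJSON_IsString(item) || uuid_parse(item->valuestring, param->keyring_for_trusted) != 0)
        {
            TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule: %s (invalid keyring_for_trusted format) %s.", key, table_line);
            goto error_out;
        }
    }
    // … unchanged: keyring_for_untrusted, decryption_profile, tcp_option_profile (same uuid_parse check) …
```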
@@ -242,21 +267,26 @@ void intercept_policy_enforce_destory(struct intercept_policy_enforcer *enforcer // return 0 : success // return -1 : error (need passthrough) -int intercept_policy_select(struct intercept_policy_enforcer *enforcer, uuid_t *rule_id_array, int rule_id_num, uuid_t selected_rule_id) +int intercept_policy_select(struct intercept_policy_enforcer *enforcer, uuid_t *rule_id_array, int rule_id_num, uuid_t *selected_rule_id) { - uuid_t rule_id; - char str_rule_id[UUID_STR_LEN] = {0}; + uuid_t *curr_rule_id; + char str_rule_id[UUID_STRING_SIZE] = {0}; uint8_t is_hit_intercept_rule = 0; uint8_t is_hit_no_intercept_rule = 0; - uuid_t max_intercept_rule_id = {0}; - uuid_t max_no_intercept_rule_id = {0}; + uuid_t max_intercept_rule_id; + uuid_t max_no_intercept_rule_id; + + uuid_clear(*selected_rule_id); + uuid_clear(max_intercept_rule_id); + uuid_clear(max_no_intercept_rule_id); + struct intercept_param *param = NULL; for (int i = 0; i < rule_id_num; i++) { - memcpy(rule_id, rule_id_array[i], UUID_LEN); - uuid_unparse(rule_id, str_rule_id); - param = (struct intercept_param *)maat_plugin_table_get_ex_data(enforcer->maat, enforcer->table_name, str_rule_id, UUID_STR_LEN-1); + curr_rule_id = &rule_id_array[i]; + uuid_unparse(*curr_rule_id, str_rule_id); + param = (struct intercept_param *)maat_plugin_table_get_ex_data(enforcer->maat, enforcer->table_name, (const char *)curr_rule_id, sizeof(uuid_t)); if (param == NULL) { TFE_LOG_INFO(enforcer->logger, "Failed to get intercept parameter of policy %s.", str_rule_id); 
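Review bot: The lookup key passed to maat_plugin_table_get_ex_data changes from the 36-character unparsed string (`str_rule_id, UUID_STR_LEN-1`) to the raw 16 bytes (`(const char *)curr_rule_id, sizeof(uuid_t)`), but the table is populated through intercept_param_new_cb, which receives the rule as a string `key`; whether maat indexes the ex-data by those raw bytes or by the string is not visible here, and a raw UUID can contain 0x00 bytes that a C-string keyed table would truncate. A miss is only logged at INFO and the rule simply drops out of the selection, so a systematic mismatch makes every session return -1 and be passed through unintercepted — fail-open, with no ERROR-level trace. Please confirm the key encoding with a test that loads one rule and looks it up, or key both registration and lookup on `str_rule_id`. `uuid_clear(*selected_rule_id)` also dereferences the new pointer parameter unconditionally; `if (selected_rule_id == NULL) return -1;` is a cheap guard now that callers pass an address.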
@@ -264,32 +294,36 @@ int intercept_policy_select(struct intercept_policy_enforcer *enforcer, uuid_t * } // intercept - if (param->action == ACTION_INTERCEPT) + if (param->action_is_intercept) { is_hit_intercept_rule = 1; - if (uuid_compare(max_intercept_rule_id, rule_id) < 0) - memcpy(max_intercept_rule_id, rule_id, UUID_LEN); + if (uuid_compare(max_intercept_rule_id, *curr_rule_id) < 0) + { + uuid_copy(max_intercept_rule_id, *curr_rule_id); + } TFE_LOG_INFO(enforcer->logger, "rule[%d/%d]: %s is intercept.", i, rule_id_num, str_rule_id); } // not intercept else { is_hit_no_intercept_rule = 1; - if (uuid_compare(max_no_intercept_rule_id, rule_id) < 0) - memcpy(max_no_intercept_rule_id, rule_id, UUID_LEN); + if (uuid_compare(max_no_intercept_rule_id, *curr_rule_id) < 0) + { + uuid_copy(max_no_intercept_rule_id, *curr_rule_id); + } TFE_LOG_INFO(enforcer->logger, "rule[%d/%d]: %s is no intercept.", i, rule_id_num, str_rule_id); } } if (is_hit_no_intercept_rule) { - memcpy(selected_rule_id, max_no_intercept_rule_id, UUID_LEN); + uuid_copy(*selected_rule_id, max_no_intercept_rule_id); return 0; } if (is_hit_intercept_rule) { - memcpy(selected_rule_id, max_intercept_rule_id, UUID_LEN); + uuid_copy(*selected_rule_id, max_intercept_rule_id); return 0; } 
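Review bot: The precedence these lines implement — any hit on a no_intercept rule overrides every intercept rule, and within a class the numerically greatest UUID is reported — is documented nowhere, and the header's `// return 0 : success` comment does not mention it; since rule UUIDs are normally random, the tie-break is effectively arbitrary and a reader will assume it encodes priority. Suggested comment above the `if (is_hit_no_intercept_rule)` block: `// Precedence: any matching no_intercept rule wins over all intercept rules; within a class the greatest UUID (uuid_compare) is reported, which is arbitrary for random UUIDs — callers must not treat it as a priority.` intercept_policy_select starts in the previous hunk and its final return lies outside this one.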
@@ -304,14 +338,14 @@ int intercept_policy_enforce(struct intercept_policy_enforcer *enforcer, struct int ret = 0; uint16_t size = 0; uuid_t rule_id; - char str_rule_id[UUID_STR_LEN] = {0}; + char str_rule_id[UUID_STRING_SIZE] = {0}; struct intercept_param *param = NULL; uint8_t hit_no_intercept = 0; int tcp_passthrough = 0; char reason_hit_no_intercept[] = "Hit No Intercept"; char reason_invalid_intercept_param[] = "Invalid Intercept Param"; - ret = tfe_cmsg_get_value(cmsg, TFE_CMSG_POLICY_ID, (unsigned char *)rule_id, UUID_LEN, &size); + ret = tfe_cmsg_get_value(cmsg, TFE_CMSG_POLICY_ID, (unsigned char *)&rule_id, sizeof(uuid_t), &size); if (ret < 0) { TFE_LOG_ERROR(g_default_logger, "Failed at fetch intercept rule_id from cmsg: %s", strerror(-ret)); @@ -319,7 +353,7 @@ int intercept_policy_enforce(struct intercept_policy_enforcer *enforcer, struct } uuid_unparse(rule_id, str_rule_id); - param = (struct intercept_param *)maat_plugin_table_get_ex_data(enforcer->maat, enforcer->table_name, str_rule_id, UUID_STR_LEN-1); + param = (struct intercept_param *)maat_plugin_table_get_ex_data(enforcer->maat, enforcer->table_name, (const char *)&rule_id, sizeof(uuid_t)); if (param == NULL) { TFE_LOG_INFO(enforcer->logger, "Failed to get intercept parameter of policy %s.", str_rule_id); @@ -327,7 +361,7 @@ int intercept_policy_enforce(struct intercept_policy_enforcer *enforcer, struct } // intercept - if (param->action == ACTION_INTERCEPT) + if (param->action_is_intercept) { tcp_passthrough = 0; hit_no_intercept = 0; 
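Review bot: `tfe_cmsg_get_value(cmsg, TFE_CMSG_POLICY_ID, (unsigned char *)&rule_id, sizeof(uuid_t), &size)` fills an uninitialized `uuid_t rule_id` and only `ret < 0` is checked, so a POLICY_ID value shorter than 16 bytes leaves trailing stack garbage in `rule_id`, which is then unparsed into the log and used verbatim as the raw table key two hunks below; change the guard to `if (ret < 0 || size != sizeof(uuid_t))` and treat a short value like the error path. That error path logs to `g_default_logger` while every other message in this function goes to `enforcer->logger`; using the enforcer's logger keeps the session trace in one place. The three hunks cover only fragments of intercept_policy_enforce, whose body continues outside them.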
@@ -344,10 +378,11 @@ int intercept_policy_enforce(struct intercept_policy_enforcer *enforcer, struct tfe_cmsg_set(cmsg, TFE_CMSG_POLICY_VSYS_ID, (const unsigned char *)¶m->vsys_id, sizeof(param->vsys_id)); tfe_cmsg_set(cmsg, TFE_CMSG_TCP_PASSTHROUGH, (const unsigned char *)&tcp_passthrough, sizeof(tcp_passthrough)); tfe_cmsg_set(cmsg, TFE_CMSG_HIT_NO_INTERCEPT, (const unsigned char *)&hit_no_intercept, sizeof(hit_no_intercept)); - tfe_cmsg_set(cmsg, TFE_CMSG_TCP_OPTION_PROFILE_ID, (const unsigned char *)param->tcp_option_profile, UUID_LEN); - tfe_cmsg_set(cmsg, TFE_CMSG_DECRYPTION_PROFILE_ID, (const unsigned char *)param->decryption_profile, UUID_LEN); - tfe_cmsg_set(cmsg, TFE_CMSG_KEYRING_FOR_TRUSTED_ID, (const unsigned char *)param->keyring_for_trusted, UUID_LEN); - tfe_cmsg_set(cmsg, TFE_CMSG_KEYRING_FOR_UNTRUSTED, (const unsigned char *)param->keyring_for_untrusted, UUID_LEN); + tfe_cmsg_set(cmsg, TFE_CMSG_TCP_OPTION_PROFILE_ID, (const unsigned char *)&(param->tcp_option_profile), sizeof(param->tcp_option_profile)); + + tfe_cmsg_set(cmsg, TFE_CMSG_DECRYPTION_PROFILE_ID, (const unsigned char *)&(param->decryption_profile), sizeof(param->decryption_profile)); + tfe_cmsg_set(cmsg, TFE_CMSG_KEYRING_FOR_TRUSTED_ID, (const unsigned char *)¶m->keyring_for_trusted, sizeof(param->keyring_for_trusted)); + tfe_cmsg_set(cmsg, TFE_CMSG_KEYRING_FOR_UNTRUSTED, (const unsigned char *)&(param->keyring_for_untrusted), sizeof(param->keyring_for_untrusted)); intercept_param_free(param); diff --git a/common/src/tfe_ctrl_packet.cpp b/common/src/tfe_ctrl_packet.cpp index 2941d81..44dd337 100644 --- a/common/src/tfe_ctrl_packet.cpp +++ b/common/src/tfe_ctrl_packet.cpp 
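Review bot: The seven `tfe_cmsg_set` calls — including the ones that now carry the keyring and decryption-profile ids — discard their return value, so a set that fails (the get side reports a negative errno, checked as `ret < 0` earlier in this function; set presumably follows the same convention) leaves the session marked intercept with stale or absent keyring ids in the cmsg. Because the keyring id decides which key material is used for the intercepted TLS session, accumulate the results, e.g. `ret |= tfe_cmsg_set(...)` on each call, and on `ret != 0` log and fall back to the passthrough path. Note also that `keyring_for_trusted`, `keyring_for_untrusted` and `decryption_profile` are a cleared (nil) UUID when the rule omits the field and are forwarded as such, so the consumer must treat nil as "not configured" rather than look it up. intercept_policy_enforce continues outside this hunk.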
@@ -581,14 +581,14 @@ void ctrl_packet_parser_dump(struct ctrl_pkt_parser *handler, void *logger) log_len += snprintf(log_str + log_len, LOG_STR_LEN - log_len, ", tfe policy_id_num: %d, tfe policy_ids[", handler->tfe_policy_id_num); for (int i = 0; i < handler->tfe_policy_id_num; i++) { - char str_tfe_policy_ids[UUID_STR_LEN] = {0}; + char str_tfe_policy_ids[UUID_STRING_SIZE] = {0}; uuid_unparse(handler->tfe_policy_ids[i], str_tfe_policy_ids); log_len += snprintf(log_str + log_len, LOG_STR_LEN - log_len, "%s, ", str_tfe_policy_ids); } log_len += snprintf(log_str + log_len, LOG_STR_LEN - log_len, "], sce policy_id_num: %d, sce policy_ids[", handler->sce_policy_id_num); for (int i = 0; i < handler->sce_policy_id_num; i++) { - char str_sce_policy_ids[UUID_STR_LEN] = {0}; + char str_sce_policy_ids[UUID_STRING_SIZE] = {0}; uuid_unparse(handler->sce_policy_ids[i], str_sce_policy_ids); log_len += snprintf(log_str + log_len, LOG_STR_LEN - log_len, "%s, ", str_sce_policy_ids); } @@ -628,7 +628,7 @@ void ctrl_packet_parser_dump(struct ctrl_pkt_parser *handler, void *logger) break; } for (int i = 0; i < size/UUID_LEN; i++) { - char str_tags_ids[UUID_STR_LEN] = {0}; + char str_tags_ids[UUID_STRING_SIZE] = {0}; uuid_unparse(tags_ids_array[i], str_tags_ids); log_len += snprintf(log_str + log_len, LOG_STR_LEN - log_len, ", %s:%s", tags_ids_cmsg_name_maps[map_index], str_tags_ids); } diff --git a/common/src/tfe_fieldstat.cpp b/common/src/tfe_fieldstat.cpp index beab100..2f5b8f8 100644 --- a/common/src/tfe_fieldstat.cpp +++ b/common/src/tfe_fieldstat.cpp @@ -43,7 +43,7 @@ int tfe_fieldstat_intercept_incrby(struct fieldstat_easy_intercept *metrics, voi } uuid_t rule_id; - char str_rule_id[UUID_STR_LEN] = {0}; + char str_rule_id[UUID_STRING_SIZE] = {0}; ret = tfe_cmsg_get_value(cmsg, TFE_CMSG_POLICY_ID, (unsigned char *)rule_id, UUID_LEN, &out_size); if (ret != 0) { diff --git a/common/src/tfe_packet_io.cpp b/common/src/tfe_packet_io.cpp index 2d02213..6ee97d3 100644 
--- a/common/src/tfe_packet_io.cpp +++ b/common/src/tfe_packet_io.cpp @@ -156,7 +156,7 @@ struct packet_identify extern int tcp_policy_enforce(struct tcp_policy_enforcer *tcp_enforcer, struct tfe_cmsg *cmsg); extern int tfe_proxy_fds_accept(struct tfe_proxy * ctx, int fd_downstream, int fd_upstream, int fd_fake_c, int fd_fake_s, struct tfe_cmsg * cmsg); -extern void chaining_policy_enforce(struct chaining_policy_enforcer *enforcer, struct tfe_cmsg *cmsg, uuid_t rule_id); +extern void chaining_policy_enforce(struct chaining_policy_enforcer *enforcer, struct tfe_cmsg *cmsg, uuid_t *rule_id); /****************************************************************************** * dup packet filter @@ -1128,8 +1128,8 @@ static int handle_session_opening(struct metadata *meta, marsio_buff_t *rx_buff, tfe_cmsg_get_value(parser->cmsg, TFE_CMSG_TCP_RESTORE_PROTOCOL, (unsigned char *)&stream_protocol_in_char, sizeof(stream_protocol_in_char), &size); uuid_t rule_id = {0}; - char str_rule_id[UUID_STR_LEN] = {0}; - ret = intercept_policy_select(thread->ref_proxy->int_ply_enforcer, parser->tfe_policy_ids, parser->tfe_policy_id_num, rule_id); + char str_rule_id[UUID_STRING_SIZE] = {0}; + ret = intercept_policy_select(thread->ref_proxy->int_ply_enforcer, parser->tfe_policy_ids, parser->tfe_policy_id_num, &rule_id); uuid_unparse(rule_id, str_rule_id); if (ret != 0) { @@ -1169,7 +1169,7 @@ static int handle_session_opening(struct metadata *meta, marsio_buff_t *rx_buff, } for (int i = 0; i < parser->sce_policy_id_num; i++) { - chaining_policy_enforce(thread->ref_proxy->chain_ply_enforcer, parser->cmsg, parser->sce_policy_ids[i]); + chaining_policy_enforce(thread->ref_proxy->chain_ply_enforcer, parser->cmsg, &parser->sce_policy_ids[i]); } tcp_restore_set_from_cmsg(parser->cmsg, &restore_info); 
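Review bot: `extern void chaining_policy_enforce(...)` is a hand-written prototype duplicating the one in plugin/business/chaining-policy/src/chaining_policy.h, which this same commit has to patch in lockstep (the `uuid_t rule_id` → `uuid_t *rule_id` change appears in both); since this is C++ a future drift would produce two distinct overloads and surface only as an undefined reference at link time, with no error at the call site. If the include path allows, replace the extern line (and the neighbouring `tcp_policy_enforce` / `tfe_proxy_fds_accept` ones) with `#include` of the owning header so the compiler checks the call. The surrounding declarations run outside this hunk.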
@@ -1346,7 +1346,7 @@ static int handle_session_closing(struct metadata *meta, marsio_buff_t *rx_buff, struct packet_io *packet_io = thread->ref_io; struct packet_io_fs *packet_io_fs = thread->ret_fs_state; void * logger = thread->logger; - char str_policy_id[UUID_STR_LEN] = {0}; + char str_policy_id[UUID_STRING_SIZE] = {0}; struct session_node *node = session_table_search_by_id(thread->session_table, meta->session_id); if (node) @@ -1373,7 +1373,7 @@ static int handle_session_resetall(struct metadata *meta, marsio_buff_t *rx_buff struct packet_io *packet_io = thread->ref_io; struct packet_io_fs *packet_io_fs = thread->ret_fs_state; void * logger = thread->logger; - char str_policy_id[UUID_STR_LEN] = {0}; + char str_policy_id[UUID_STRING_SIZE] = {0}; TFE_LOG_ERROR(logger, "%s: session %lu resetall: notification clears all session tables !!!", LOG_TAG_PKTIO, meta->session_id); tfe_dp_telemetry_on_ctrl_pkt(packet_io->instance, rx_buff, str_policy_id, meta->session_id, "resetall", NULL, NULL); @@ -1457,7 +1457,7 @@ static int handle_raw_packet_from_nf(struct packet_io *handle, marsio_buff_t *rx char *header = NULL; int header_len = 0; void * logger = thread->logger; - char str_policy_id[UUID_STR_LEN] = {0}; + char str_policy_id[UUID_STRING_SIZE] = {0}; int raw_len = marsio_buff_datalen(rx_buff); char *raw_data = marsio_buff_mtod(rx_buff); diff --git a/common/test/test_mpack.cpp b/common/test/test_mpack.cpp index addbc33..c1e225b 100644 --- a/common/test/test_mpack.cpp +++ b/common/test/test_mpack.cpp @@ -48,7 +48,7 @@ void build_mpack_data(char **data, size_t *size) uint8_t ack_header[] = {0x80, 0x90, 0xA0, 0xB0, 0xC0, 0xD0, 0xE0, 0xF0}; uint8_t tfe_flag = 0; uuid_t uuid; - char str_uuid[UUID_STR_LEN] = {0}; + char str_uuid[UUID_STRING_SIZE] = {0}; mpack_writer_init_growable(&writer, data, size); mpack_build_map(&writer); diff --git a/conf/tfe/tfe.conf b/conf/tfe/tfe.conf index 1a61296..d70188c 100644 --- a/conf/tfe/tfe.conf +++ b/conf/tfe/tfe.conf 
@@ -1,9 +1,5 @@ [system] nr_worker_threads=8 -enable_kni_v1=0 -enable_kni_v2=0 -enable_kni_v3=0 -enable_kni_v4=1 # Only when (disable_coredump == 1 || (enable_breakpad == 1 && enable_breakpad_upload == 1)) is satisfied, the core will not be generated locally disable_coredump=0 diff --git a/platform/CMakeLists.txt b/platform/CMakeLists.txt index fa3d079..79481ef 100644 --- a/platform/CMakeLists.txt +++ b/platform/CMakeLists.txt @@ -1,7 +1,9 @@ find_package(SYSTEMD REQUIRED) find_package(NFNETLINK REQUIRED) -add_executable(tfe src/acceptor_kni_v1.cpp src/acceptor_kni_v2.cpp src/acceptor_kni_v3.cpp src/acceptor_kni_v4.cpp src/ssl_stream.cpp src/key_keeper.cpp src/ssl_fetch_cert.cpp +add_executable(tfe + #src/acceptor_kni_v1.cpp src/acceptor_kni_v2.cpp src/acceptor_kni_v3.cpp + src/acceptor_kni_v4.cpp src/ssl_stream.cpp src/key_keeper.cpp src/ssl_fetch_cert.cpp src/ssl_sess_cache.cpp src/ssl_sess_ticket.cpp src/ssl_service_cache.cpp src/ssl_trusted_cert_storage.cpp src/ev_root_ca_metadata.cpp src/ssl_utils.cpp src/tcp_stream.cpp src/main.cpp src/proxy.cpp src/sender_scm.cpp src/watchdog_kni.cpp src/watchdog_tfe.cpp src/ssl_ja3.cpp src/watchdog_3rd_device.cpp) diff --git a/platform/include/internal/key_keeper.h b/platform/include/internal/key_keeper.h index ae288ec..7dceec7 100644 --- a/platform/include/internal/key_keeper.h +++ b/platform/include/internal/key_keeper.h @@ -2,6 +2,7 @@ #include #include #include +#include struct keyring { diff --git a/platform/include/internal/proxy.h b/platform/include/internal/proxy.h index 8257c0d..6a76b37 100644 --- a/platform/include/internal/proxy.h +++ b/platform/include/internal/proxy.h 
@@ -137,14 +137,14 @@ struct tfe_proxy struct chaining_policy_enforcer *chain_ply_enforcer; struct key_keeper * key_keeper_handler; - unsigned int en_kni_v1_acceptor; - unsigned int en_kni_v2_acceptor; - unsigned int en_kni_v3_acceptor; - unsigned int en_kni_v4_acceptor; + //unsigned int en_kni_v1_acceptor; + //unsigned int en_kni_v2_acceptor; + //unsigned int en_kni_v3_acceptor; + //unsigned int en_kni_v4_acceptor; - struct acceptor_kni_v1 * kni_v1_acceptor; - struct acceptor_kni_v2 * kni_v2_acceptor; - struct acceptor_kni_v3 * kni_v3_acceptor; + //struct acceptor_kni_v1 * kni_v1_acceptor; + //struct acceptor_kni_v2 * kni_v2_acceptor; + //struct acceptor_kni_v3 * kni_v3_acceptor; struct acceptor_kni_v4 * kni_v4_acceptor; struct sender_scm * scm_sender; struct watchdog_kni * watchdog_kni; diff --git a/platform/src/key_keeper.cpp b/platform/src/key_keeper.cpp index a093802..8a982bc 100644 --- a/platform/src/key_keeper.cpp +++ b/platform/src/key_keeper.cpp @@ -692,7 +692,7 @@ static uchar* get_key_by_cert(X509* cert, const char *keyring_uuid_str, unsigned } char* key = ALLOC(char, HTABLE_MAX_KEY_LEN); memset(key, 0, HTABLE_MAX_KEY_LEN); - snprintf(key, HTABLE_MAX_KEY_LEN, "%d:%d:", keyring_uuid_str, is_cert_valid); + snprintf(key, HTABLE_MAX_KEY_LEN, "%s:%d:", keyring_uuid_str, is_cert_valid); strncat(key, cert_fingerprint, HTABLE_MAX_KEY_LEN); *len = strnlen(key, HTABLE_MAX_KEY_LEN); free(cert_fingerprint); diff --git a/platform/src/proxy.cpp b/platform/src/proxy.cpp index bcbc47b..07b6bd4 100644 --- a/platform/src/proxy.cpp +++ b/platform/src/proxy.cpp @@ -45,9 +45,9 @@ #include #include #include -#include -#include -#include +//#include +//#include +//#include #include #include #include 
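Review bot: The `%d` → `%s` fix in get_key_by_cert is right (passing `keyring_uuid_str` to `%d` was undefined behaviour and produced a garbage cache key), but the very next line keeps `strncat(key, cert_fingerprint, HTABLE_MAX_KEY_LEN)`, whose third argument bounds the characters to *append*, not the buffer; with `key` allocated at exactly HTABLE_MAX_KEY_LEN bytes and the prefix already written, a long fingerprint overruns the heap buffer. Because this key selects which private key is served for a certificate, silent truncation is also a correctness problem, so build it in one bounded call and check for truncation: `int n = snprintf(key, HTABLE_MAX_KEY_LEN, "%s:%d:%s", keyring_uuid_str, is_cert_valid, cert_fingerprint); if (n < 0 || n >= HTABLE_MAX_KEY_LEN) { /* log and fail: key would be truncated */ }` and set `*len = (size_t)n`. get_key_by_cert starts and ends outside this hunk.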
@@ -549,41 +549,46 @@ int tfe_stat_init(struct tfe_proxy * proxy, const char * profile) return 0; } -void tfe_proxy_acceptor_init(struct tfe_proxy * proxy, const char * profile) +void tfe_proxy_acceptor_init(struct tfe_proxy *proxy, const char *profile) { - MESA_load_profile_uint_def(profile, "system", "enable_kni_v1", &proxy->en_kni_v1_acceptor, 0); - MESA_load_profile_uint_def(profile, "system", "enable_kni_v2", &proxy->en_kni_v2_acceptor, 0); +#if 0 + MESA_load_profile_uint_def(profile, "system", "enable_kni_v1", &proxy->en_kni_v1_acceptor, 0); + MESA_load_profile_uint_def(profile, "system", "enable_kni_v2", &proxy->en_kni_v2_acceptor, 0); MESA_load_profile_uint_def(profile, "system", "enable_kni_v3", &proxy->en_kni_v3_acceptor, 0); MESA_load_profile_uint_def(profile, "system", "enable_kni_v4", &proxy->en_kni_v4_acceptor, 0); int ret = proxy->en_kni_v1_acceptor + proxy->en_kni_v2_acceptor + proxy->en_kni_v3_acceptor + proxy->en_kni_v4_acceptor; CHECK_OR_EXIT((ret == 1), "Invalid KNI acceptor. Exit."); - if (proxy->en_kni_v1_acceptor) - { - g_default_proxy->kni_v1_acceptor = acceptor_kni_v1_create(proxy, profile, proxy->logger); - CHECK_OR_EXIT(g_default_proxy->kni_v1_acceptor, "Failed at init KNIv1 acceptor. Exit. "); - } + if (proxy->en_kni_v1_acceptor) + { + g_default_proxy->kni_v1_acceptor = acceptor_kni_v1_create(proxy, profile, proxy->logger); + CHECK_OR_EXIT(g_default_proxy->kni_v1_acceptor, "Failed at init KNIv1 acceptor. Exit. "); + } - if (proxy->en_kni_v2_acceptor) - { - g_default_proxy->kni_v2_acceptor = acceptor_kni_v2_create(g_default_proxy, profile, g_default_logger); - CHECK_OR_EXIT(g_default_proxy->kni_v2_acceptor, "Failed at init KNIv2 acceptor. Exit. "); - } + if (proxy->en_kni_v2_acceptor) + { + g_default_proxy->kni_v2_acceptor = acceptor_kni_v2_create(g_default_proxy, profile, g_default_logger); + CHECK_OR_EXIT(g_default_proxy->kni_v2_acceptor, "Failed at init KNIv2 acceptor. Exit. 
"); + } if (proxy->en_kni_v3_acceptor) - { - g_default_proxy->kni_v3_acceptor = acceptor_kni_v3_create(g_default_proxy, profile, g_default_logger); - CHECK_OR_EXIT(g_default_proxy->kni_v3_acceptor, "Failed at init KNIv3 acceptor. Exit. "); - } + { + g_default_proxy->kni_v3_acceptor = acceptor_kni_v3_create(g_default_proxy, profile, g_default_logger); + CHECK_OR_EXIT(g_default_proxy->kni_v3_acceptor, "Failed at init KNIv3 acceptor. Exit. "); + } if (proxy->en_kni_v4_acceptor) - { - g_default_proxy->kni_v4_acceptor = acceptor_kni_v4_create(g_default_proxy, profile); - CHECK_OR_EXIT(g_default_proxy->kni_v4_acceptor, "Failed at init KNIv4 acceptor. Exit. "); - } + { + g_default_proxy->kni_v4_acceptor = acceptor_kni_v4_create(g_default_proxy, profile); + CHECK_OR_EXIT(g_default_proxy->kni_v4_acceptor, "Failed at init KNIv4 acceptor. Exit. "); + } +#endif - return; + g_default_proxy->kni_v4_acceptor = acceptor_kni_v4_create(g_default_proxy, profile); + CHECK_OR_EXIT(g_default_proxy->kni_v4_acceptor, "Failed at init KNIv4 acceptor. Exit. "); + + return; } static void usage(char *cmd) @@ -732,7 +737,7 @@ int main(int argc, char * argv[]) g_default_proxy->tcp_ply_enforcer = tcp_policy_enforcer_create(g_default_logger); CHECK_OR_EXIT(g_default_proxy->tcp_ply_enforcer != NULL, "Failed at creating tcp policy enforcer. Exit."); - g_default_proxy->ssl_ply_enforcer = ssl_policy_enforcer_create(g_default_logger); + g_default_proxy->ssl_ply_enforcer = ssl_policy_enforcer_create(); CHECK_OR_EXIT(g_default_proxy->ssl_ply_enforcer != NULL, "Failed at creating ssl policy enforcer. Exit."); g_default_proxy->chain_ply_enforcer = chaining_policy_enforcer_create(g_default_logger); diff --git a/platform/src/ssl_service_cache.cpp b/platform/src/ssl_service_cache.cpp index 7313965..2a9f59d 100644 --- a/platform/src/ssl_service_cache.cpp +++ b/platform/src/ssl_service_cache.cpp @@ -2,6 +2,7 @@ #include #include #include +#include struct ssl_svc_ja3 { 
@@ -138,7 +139,7 @@ static int ssl_svc_ja3_init() NULL) != 0) { TFE_LOG_ERROR(g_default_logger, "failed at Maat_plugin_EX_register(PXY_SSL_FINGERPRINT)"); - return -1 + return -1; } else { diff --git a/plugin/business/chaining-policy/src/chaining_policy.cpp b/plugin/business/chaining-policy/src/chaining_policy.cpp index 4edfc92..87d42f2 100644 --- a/plugin/business/chaining-policy/src/chaining_policy.cpp +++ b/plugin/business/chaining-policy/src/chaining_policy.cpp @@ -31,23 +31,21 @@ struct chaining_policy_enforcer static void chaining_param_new_cb(const char *table_name, const char *key, const char *table_line, void **ad, long argl, void *argp) { - cJSON * json_root = NULL; - cJSON * json_subroot = NULL; - cJSON * item = NULL; - size_t user_region_offset = 0; - size_t user_region_len = 0; + cJSON *json_root = NULL; + cJSON *json_subroot = NULL; + cJSON *item = NULL; struct chaining_param *param = NULL; struct chaining_policy_enforcer *enforcer = (struct chaining_policy_enforcer *)argp; - json_root = cJSON_Parse(table_line); + char *json_str = strdup(table_line); + json_root = cJSON_Parse(json_str); if (unlikely(!json_root)) { TFE_LOG_ERROR(enforcer->logger, "Invalid chaining profile: %s", table_line); goto error_out; } - json_subroot = cJSON_GetObjectItem(json_root, "action_parameter"); - if (unlikely(!json_subroot)) + if (unlikely(!json_subroot || !cJSON_IsObject(json_subroot))) { TFE_LOG_ERROR(enforcer->logger, "Invalid chaining rule: %s (invalid action_parameter format) %s.", key, table_line); goto error_out; @@ -80,6 +78,7 @@ static void chaining_param_new_cb(const char *table_name, const char *key, const *ad = param; TFE_LOG_INFO(enforcer->logger, "Add chaining rule: %s", key); cJSON_Delete(json_root); + free(json_str); return; error_out: @@ -88,6 +87,11 @@ error_out: cJSON_Delete(json_root); json_root = NULL; } + if (json_str) + { + free(json_str); + json_str = NULL; + } if (param) { free(param); 
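Review bot: In chaining_param_new_cb the collapsed diff shows `json_subroot = cJSON_GetObjectItem(json_root, "action_parameter");` right after a `-` marker with no `+` counterpart, and the new `if (unlikely(!json_subroot || !cJSON_IsObject(json_subroot)))` is the only remaining reference in the hunk; if that assignment was really deleted rather than a blank line, `json_subroot` stays NULL, every chaining rule is rejected with "invalid action_parameter format" and decrypted-traffic steering is never configured. Please confirm the assignment survives (the sibling edit in intercept_param_new_cb keeps it). The `strdup(table_line)` copy is also unnecessary — cJSON_Parse takes a `const char *` and leaves it untouched — and an allocation failure is reported as an invalid profile. The function continues past the end of this hunk.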
@@ -97,7 +101,7 @@ error_out: static void chaining_param_free_cb(const char *table_name, void **ad, long argl, void *argp) { - char str_rule_id[UUID_STR_LEN] = {0}; + char str_rule_id[UUID_STRING_SIZE] = {0}; struct chaining_policy_enforcer *enforcer = (struct chaining_policy_enforcer *)argp; struct chaining_param *param = (struct chaining_param *)*ad; if (param == NULL) @@ -116,7 +120,7 @@ static void chaining_param_free_cb(const char *table_name, void **ad, long argl, static void chaining_param_free(struct chaining_param *param) { - chaining_param_free_cb(0, (void **)¶m, 0, NULL); + chaining_param_free_cb(NULL, (void **)¶m, 0, NULL); } static void chaining_param_dup_cb(const char *table_name, void **to, void **from, long argl, void *argp) @@ -167,10 +171,10 @@ void chaining_policy_enforcer_destory(struct chaining_policy_enforcer *enforcer) } } -void chaining_policy_enforce(struct chaining_policy_enforcer *enforcer, struct tfe_cmsg *cmsg, uuid_t rule_id) +void chaining_policy_enforce(struct chaining_policy_enforcer *enforcer, struct tfe_cmsg *cmsg, uuid_t *rule_id) { uint16_t size = 0; - char str_rule_id[UUID_STR_LEN] = {0}; + char str_rule_id[UUID_STRING_SIZE] = {0}; uint8_t enalbe_decrypted_traffic_steering = 0; tfe_cmsg_get_value(cmsg, TFE_CMSG_TCP_DECRYPTED_TRAFFIC_STEERING, (unsigned char *)&enalbe_decrypted_traffic_steering, sizeof(enalbe_decrypted_traffic_steering), &size); 
@@ -179,8 +183,8 @@ void chaining_policy_enforce(struct chaining_policy_enforcer *enforcer, struct t
 return;
 }
- uuid_unparse(rule_id, str_rule_id);
- struct chaining_param *param = (struct chaining_param *)maat_plugin_table_get_ex_data(enforcer->maat, enforcer->table_name, str_rule_id, UUID_STR_LEN-1);
+ uuid_unparse(*rule_id, str_rule_id);
+ struct chaining_param *param = (struct chaining_param *)maat_plugin_table_get_ex_data(enforcer->maat, enforcer->table_name, (const char *)rule_id, sizeof(uuid_t));
 if (param == NULL)
 {
 TFE_LOG_INFO(enforcer->logger, "Failed to get chaining parameter of policy %s.", str_rule_id);
diff --git a/plugin/business/chaining-policy/src/chaining_policy.h b/plugin/business/chaining-policy/src/chaining_policy.h
index e7fa485..df8c837 100644
--- a/plugin/business/chaining-policy/src/chaining_policy.h
+++ b/plugin/business/chaining-policy/src/chaining_policy.h
@@ -5,4 +5,4 @@ struct chaining_policy_enforcer;
 struct chaining_policy_enforcer *chaining_policy_enforcer_create(void *logger);
 void chaining_policy_enforcer_destory(struct chaining_policy_enforcer *enforcer);
-void chaining_policy_enforce(struct chaining_policy_enforcer *enforcer, struct tfe_cmsg *cmsg, uuid_t rule_id);
\ No newline at end of file
+void chaining_policy_enforce(struct chaining_policy_enforcer *enforcer, struct tfe_cmsg *cmsg, uuid_t *rule_id);
\ No newline at end of file
diff --git a/plugin/business/ssl-policy/src/ssl_policy.cpp b/plugin/business/ssl-policy/src/ssl_policy.cpp
index 826b03d..6820c28 100644
--- a/plugin/business/ssl-policy/src/ssl_policy.cpp
+++ b/plugin/business/ssl-policy/src/ssl_policy.cpp
@@ -74,7 +74,6 @@ static void profile_param_free(struct decryption_param *param)
 static void profile_param_new_cb(const char *table_name, const char *key, const char *table_line, void **ad, long argl, void *argp)
 {
- int ret = 0;
 cJSON *json = NULL;
 cJSON *object = NULL;
 cJSON *exclusions = NULL;
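Review bot: The lookup key in chaining_policy_enforce changes from the 36-character unparsed uuid string to the 16 raw bytes at `rule_id` with `sizeof(uuid_t)`; that is only correct if the maat table now stores rules under the binary uuid rather than under the string `key` that chaining_param_new_cb receives, and the diff does not show that side. A comment at the call stating the key encoding, e.g. `// table is keyed by the 16-byte binary uuid, not its string form`, would make the contract visible to the next reader. The same switch appears in tcp_policy_enforce (`@@ -263,22 +269,22 @@`) and in traffic_mirror_on_open_cb (`@@ -585,7 +583,7 @@` and `@@ -612,7 +610,7 @@`). chaining_policy_enforce starts and ends outside this hunk.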
diff --git a/plugin/business/tcp-policy/src/tcp_policy.cpp b/plugin/business/tcp-policy/src/tcp_policy.cpp
index 26e54a2..4443840 100644
--- a/plugin/business/tcp-policy/src/tcp_policy.cpp
+++ b/plugin/business/tcp-policy/src/tcp_policy.cpp
@@ -37,7 +37,7 @@ struct tcp_profile_param
 struct side_conn_param server_side;
 };
-static int parser_side_conn_param(cJSON * json, struct side_conn_param *out_val, void *logger)
+static int parser_side_conn_param(cJSON *json, struct side_conn_param *out_val, void *logger)
 {
 cJSON *object = NULL;
 cJSON *item = NULL;
@@ -113,21 +113,21 @@ static int parser_side_conn_param(cJSON * json, struct side_conn_param *out_val,
 out_val->user_timeout = 0;
 }
 }
- cJSON_Delete(json);
 return 0;
 }
 static void profile_param_new_cb(const char *table_name, const char *key, const char *table_line, void **ad, long argl, void *argp)
 {
- cJSON * json_root = NULL;
- cJSON * json_subroot = NULL;
- cJSON * item = NULL;
+ cJSON *json_root = NULL;
+ cJSON *json_subroot = NULL;
+ cJSON *item = NULL;
 struct tcp_profile_param *param = NULL;
 struct tcp_policy_enforcer *enforcer = (struct tcp_policy_enforcer *)argp;
- json_root = cJSON_Parse(table_line);
- if (unlikely(!json_root))
+ char *json_str = strdup(table_line);
+ json_root = cJSON_Parse(json_str);
+ if (json_root == NULL)
 {
 TFE_LOG_ERROR(enforcer->logger, "Invalid tcp option profile: %s", table_line);
 goto error_out;
@@ -139,7 +139,7 @@ static void profile_param_new_cb(const char *table_name, const char *key, const
 item = cJSON_GetObjectItem(json_root, "tcp_passthrough");
 if (unlikely(!item || !cJSON_IsNumber(item)))
 {
- TFE_LOG_ERROR(enforcer->logger, "Invalid tcp option parameter: %s invalid tcp_passthrough format.", key);
+ TFE_LOG_ERROR(enforcer->logger, "Invalid tcp option parameter: (invalid tcp_passthrough format) %s", table_line);
 goto error_out;
 }
 param->tcp_passthrough = item->valueint;
@@ -147,15 +147,15 @@ static void profile_param_new_cb(const char *table_name, const char *key, const
 item = cJSON_GetObjectItem(json_root, "bypass_duplicated_packet");
 if (unlikely(!item || !cJSON_IsNumber(item)))
 {
- TFE_LOG_ERROR(enforcer->logger, "Invalid tcp option parameter: %s invalid bypass_duplicated_packet format.", key);
+ TFE_LOG_ERROR(enforcer->logger, "Invalid tcp option parameter: (invalid bypass_duplicated_packet format) %s", table_line);
 goto error_out;
 }
 param->bypass_duplicated_packet = item->valueint;
 json_subroot = cJSON_GetObjectItem(json_root, "client_side_conn_param");
- if (unlikely(!json_subroot))
+ if (unlikely(!json_subroot || !cJSON_IsObject(json_subroot)))
 {
- TFE_LOG_ERROR(enforcer->logger, "Invalid tcp option parameter: %s invalid client_side_conn_param format.", key);
+ TFE_LOG_ERROR(enforcer->logger, "Invalid tcp option parameter: (invalid client_side_conn_param format) %s", table_line);
 goto error_out;
 }
 if (parser_side_conn_param(json_subroot, ¶m->client_side, enforcer->logger) == -1)
@@ -164,9 +164,9 @@ static void profile_param_new_cb(const char *table_name, const char *key, const
 }
 json_subroot = cJSON_GetObjectItem(json_root, "server_side_conn_param");
- if (unlikely(!json_subroot))
+ if (unlikely(!json_subroot || !cJSON_IsObject(json_subroot)))
 {
- TFE_LOG_ERROR(enforcer->logger, "Invalid tcp option parameter: %s invalid server_side_conn_param format.", key);
+ TFE_LOG_ERROR(enforcer->logger, "Invalid tcp option parameter: (invalid server_side_conn_param format) %s", table_line);
 goto error_out;
 }
 if (parser_side_conn_param(json_subroot, ¶m->server_side, enforcer->logger) == -1)
@@ -176,18 +176,24 @@ static void profile_param_new_cb(const char *table_name, const char *key, const
 *ad = param;
 TFE_LOG_INFO(enforcer->logger, "Add tcp option profile: %s", key);
+ cJSON_Delete(json_root);
+ free(json_str);
 return;
 error_out:
- if (param)
- {
- free(param);
- }
 if (json_root)
 {
 cJSON_Delete(json_root);
 }
+ if (json_str)
+ {
+ free(json_str);
+ }
+ if (param)
+ {
+ free(param);
+ }
 }
 static void profile_param_free_cb(const char *table_name, void **ad, long argl, void *argp)
@@ -221,7 +227,7 @@ static void profile_param_dup_cb(const char *table_name, void **to, void **from,
 static void profile_param_free(struct tcp_profile_param *param)
 {
- profile_param_free_cb(0, (void **)¶m, 0, NULL);
+ profile_param_free_cb(NULL, (void **)¶m, 0, NULL);
 }
 struct tcp_policy_enforcer *tcp_policy_enforcer_create(void *logger)
@@ -263,22 +269,22 @@ void tcp_policy_enforcer_destory(struct tcp_policy_enforcer *enforcer)
 int tcp_policy_enforce(struct tcp_policy_enforcer *tcp_enforcer, struct tfe_cmsg *cmsg)
 {
 int ret = 0;
- int profile_id = 0;
+ uuid_t profile_uuid;
 uint16_t size = 0;
- char buffer[16] = {0};
+ char profile_uuid_str[UUID_STRING_SIZE] = {0};
- ret = tfe_cmsg_get_value(cmsg, TFE_CMSG_TCP_OPTION_PROFILE_ID, (unsigned char *)&profile_id, sizeof(profile_id), &size);
+ ret = tfe_cmsg_get_value(cmsg, TFE_CMSG_TCP_OPTION_PROFILE_ID, (unsigned char *)&profile_uuid, sizeof(uuid_t), &size);
 if (ret < 0)
 {
 TFE_LOG_ERROR(g_default_logger, "Failed at fetch tcp_option_profile from cmsg: %s", strerror(-ret));
 return -1;
 }
- snprintf(buffer, sizeof(buffer), "%d", profile_id);
- struct tcp_profile_param *param = (struct tcp_profile_param *)maat_plugin_table_get_ex_data(tcp_enforcer->maat, tcp_enforcer->table_name, buffer, strlen(buffer));
+ uuid_unparse(profile_uuid, profile_uuid_str);
+ struct tcp_profile_param *param = (struct tcp_profile_param *)maat_plugin_table_get_ex_data(tcp_enforcer->maat, tcp_enforcer->table_name, (const char *)&profile_uuid, sizeof(uuid_t));
 if (param == NULL)
 {
- TFE_LOG_INFO(tcp_enforcer->logger, "Failed to get tcp option parameter of profile %d.", profile_id);
+ TFE_LOG_INFO(tcp_enforcer->logger, "Failed to get tcp option parameter of profile %s.", profile_uuid_str);
 return -1;
 }
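Review bot: `uuid_t profile_uuid;` is left uninitialized and `size`, which tfe_cmsg_get_value fills in, is never compared with `sizeof(uuid_t)`, so a stored value shorter than 16 bytes would leave trailing indeterminate bytes that are then used as the table key and printed through uuid_unparse; the old `int profile_id = 0;` at least started from a defined value. Initialize with `uuid_t profile_uuid = {0};` and reject short values with `if (ret < 0 || size != sizeof(uuid_t))`, assuming `size` reports the length actually copied, which is not visible here. tcp_policy_enforce continues past the end of this hunk.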
@@ -311,10 +317,10 @@ int tcp_policy_enforce(struct tcp_policy_enforcer *tcp_enforcer, struct tfe_cmsg
 tfe_cmsg_set(cmsg, TFE_CMSG_UPSTREAM_TCP_KEEPINTVL, (unsigned char *)&server_side->keepintvl, sizeof(server_side->keepintvl));
 tfe_cmsg_set(cmsg, TFE_CMSG_UPSTREAM_TCP_USER_TIMEOUT, (unsigned char *)&server_side->user_timeout, sizeof(server_side->user_timeout));
- TFE_LOG_INFO(tcp_enforcer->logger, "hit tcp_option_profile %d tcp_passthrough %d "
+ TFE_LOG_INFO(tcp_enforcer->logger, "hit tcp_option_profile %s tcp_passthrough %d "
 "client_side={maxseg_enable:%d, maxseg_vaule:%d, nodelay:%d, ttl:%d, keepalive:%d, keepcnt:%d, keepidle:%d, keepintvl:%d, user_timeout:%d} "
 "server_side={maxseg_enable:%d, maxseg_vaule:%d, nodelay:%d, ttl:%d, keepalive:%d, keepcnt:%d, keepidle:%d, keepintvl:%d, user_timeout:%d} ",
- profile_id, param->tcp_passthrough,
+ profile_uuid_str, param->tcp_passthrough,
 client_side->maxseg_enable, client_side->maxseg_vaule, client_side->nodelay, client_side->ttl, client_side->keepalive, client_side->keepcnt, client_side->keepidle, client_side->keepintvl, client_side->user_timeout,
 server_side->maxseg_enable, server_side->maxseg_vaule, server_side->nodelay, server_side->ttl, server_side->keepalive, server_side->keepcnt, server_side->keepidle, server_side->keepintvl, server_side->user_timeout);
 profile_param_free(param);
diff --git a/plugin/business/traffic-mirror/src/entry.cpp b/plugin/business/traffic-mirror/src/entry.cpp
index 929e50a..c5ff524 100644
--- a/plugin/business/traffic-mirror/src/entry.cpp
+++ b/plugin/business/traffic-mirror/src/entry.cpp
@@ -106,7 +106,7 @@ void policy_table_ex_data_new_cb(const char *table_name, const char *key, const
 char *str_json = NULL;
 cJSON *json = NULL;
 cJSON *object = NULL;
- cjson *subobj = NULL;
+ cJSON *subobj = NULL;
 cJSON *item = NULL;
 struct policy_table_ex_data *ex_data = NULL;
@@ -132,7 +132,7 @@ void policy_table_ex_data_new_cb(const char *table_name, const char *key, const
 }
 subobj = cJSON_GetObjectItem(object, "traffic_mirror");
- if (unlikely(!json_subroot))
+ if (unlikely(!subobj))
 {
 TFE_LOG_ERROR(instance->logger, "invalid format, traffic_mirror is not defined, %s", table_line);
 goto error_out;
@@ -142,7 +142,7 @@ void policy_table_ex_data_new_cb(const char *table_name, const char *key, const
 ex_data->atomic_refcnt = 1;
 ex_data->enable = 0;
 ex_data->is_profile_set = 0;
- uuid_parse(key, ex_data->rule_id);
+ uuid_parse(key, ex_data->rule_uuid);
 item = cJSON_GetObjectItem(subobj, "enable");
 if (unlikely(!item || !cJSON_IsNumber(item)))
@@ -306,24 +306,22 @@ void profile_table_ex_data_new_cb(const char *table_name, const char *key, const
 TFE_LOG_DEBUG(instance->logger, "Add traffic mirror profile: %s", key);
- cJSON_Delete(json_root);
+ cJSON_Delete(json);
 free(str_json);
 return;
 error_out:
- if (ex_data)
+ if (json)
 {
- profile_table_ex_data_free(ex_data);
+ cJSON_Delete(json);
 }
- if (str_json)
 {
 free(str_json);
 }
-
- if (json_root)
+ if (ex_data)
 {
- cJSON_Delete(json_root);
+ profile_table_ex_data_free(ex_data);
 }
 }
@@ -513,13 +511,13 @@ int traffic_mirror_init(struct tfe_proxy * proxy)
 goto errout;
 }
- result = maat_plugin_table_ex_schema_register(instance->maat_feather, "PXY_INTERCEPT_COMPILE",
+ result = maat_plugin_table_ex_schema_register(instance->maat_feather, "PXY_INTERCEPT_RULE",
 policy_table_ex_data_new_cb, policy_table_ex_data_free_cb, policy_table_ex_data_dup_cb, 0, instance);
 if(result < 0)
 {
- TFE_LOG_ERROR(instance->logger, "failed at maat_plugin_table_ex_schema_register(PXY_INTERCEPT_COMPILE)");
+ TFE_LOG_ERROR(instance->logger, "failed at maat_plugin_table_ex_schema_register(PXY_INTERCEPT_RULE)");
 goto errout;
 }
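Review bot: After `- if (str_json)` is dropped from profile_table_ex_data_new_cb's error_out path (the `@@ -306,24 +306,22 @@` hunk), the braces that belonged to it survive as a bare `{ free(str_json); }` compound statement; either remove the braces and leave `free(str_json);` on its own, or keep the guard. In policy_table_ex_data_new_cb the corrected check `if (unlikely(!subobj))` still accepts a non-object `traffic_mirror` value, unlike the sibling parsers in chaining_policy.cpp and tcp_policy.cpp that test `!cJSON_IsObject(...)`; `if (unlikely(!subobj || !cJSON_IsObject(subobj)))` would keep the three consistent. Both functions extend beyond these hunks.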
@@ -585,7 +583,7 @@ int traffic_mirror_on_open_cb(const struct tfe_stream * stream, unsigned int thr
 }
 uuid_unparse(rule_uuid, rule_uuid_str);
- policy_ex_data = (struct policy_table_ex_data *)maat_plugin_table_get_ex_data(instance->maat_feather, PXY_INTERCEPT_COMPILE, rule_uuid, sizeof(uuid_t));
+ policy_ex_data = (struct policy_table_ex_data *)maat_plugin_table_get_ex_data(instance->maat_feather, "PXY_INTERCEPT_RULE", (const char *)&rule_uuid, sizeof(uuid_t));
 if (!policy_ex_data || !policy_ex_data->enable)
 {
 goto detach;
@@ -612,7 +610,7 @@ int traffic_mirror_on_open_cb(const struct tfe_stream * stream, unsigned int thr
 if (policy_ex_data->is_profile_set)
 {
 uuid_unparse(policy_ex_data->profile_uuid, profile_uuid_str);
- profile_ex_data = (struct profile_table_ex_data *)maat_plugin_table_get_ex_data(instance->maat_feather, TSG_PROFILE_TRAFFIC_MIRROR, policy_ex_data->profile_uuid, sizeof(uuid_t));
+ profile_ex_data = (struct profile_table_ex_data *)maat_plugin_table_get_ex_data(instance->maat_feather, "TSG_PROFILE_TRAFFIC_MIRROR", (const char *)&policy_ex_data->profile_uuid, sizeof(uuid_t));
 if (!profile_ex_data)
 {
 TFE_LOG_ERROR(instance->logger, "failed at getting policy %s's profile, profile id = %s, "
@@ -647,8 +645,8 @@ int traffic_mirror_on_open_cb(const struct tfe_stream * stream, unsigned int thr
 rebuild_target = NULL;
 traffic_mirror_rebuild_handshake(me->rebuild_ctx, thread_id);
- TFE_LOG_DEBUG(instance->logger, "hit traffic mirror policy %s, profile %s, vlan %d",
- rule_uuid_str, profile_uuid_str, me->rebuild_ctx->target.vlan_tci);
+ TFE_LOG_DEBUG(instance->logger, "hit traffic mirror policy %s, profile %s",
+ rule_uuid_str, profile_uuid_str);
 return ACTION_FORWARD_DATA;
 detach:
diff --git a/resource/pangu/doh.json b/resource/pangu/doh.json
index a0870c9..4b31050 100644
--- a/resource/pangu/doh.json
+++ b/resource/pangu/doh.json
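Review bot: The table names that were previously written as identifiers (`PXY_INTERCEPT_COMPILE`, `TSG_PROFILE_TRAFFIC_MIRROR`) become string literals repeated at each lookup here and again at the schema registration in the `@@ -513,13 +511,13 @@` hunk; one named constant per table would keep registration and lookup from drifting apart on the next rename. The key argument `(const char *)&rule_uuid` is correct only if `rule_uuid` is declared as a `uuid_t` array, as the `uuid_unparse(rule_uuid, ...)` context line suggests; if it were a pointer variable the call would hash the pointer itself, so this is worth confirming against the declaration, which lies outside the hunk. traffic_mirror_on_open_cb starts and ends outside these hunks.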
@@ -153,17 +153,16 @@
 {
 "table_name": "PXY_PROFILE_DECRYPTION",
 "table_content": [
- "0\ttest\t{\"dynamic_bypass\":{\"ev_cert\":0,\"cert_transparency\":0,\"mutual_authentication\":1,\"cert_pinning\":1,\"protocol_errors\":1,\"trusted_root_cert_is_not_installed_on_client\":1},\"protocol_version\":{\"min\":\"ssl3\",\"max\":\"ssl3\",\"mirror_client\":1,\"allow_http2\":1},\"certificate_checks\":{\"approach\":{\"cn\":1,\"issuer\":1,\"self-signed\":1,\"expiration\":0},\"fail_action\":\"pass-through\"}}\t1",
- "3\ttest\t{\"dynamic_bypass\":{\"ev_cert\":1,\"cert_transparency\":1,\"mutual_authentication\":1,\"cert_pinning\":1,\"protocol_errors\":1,\"trusted_root_cert_is_not_installed_on_client\":0},\"protocol_version\":{\"min\":\"ssl3\",\"max\":\"tls13\",\"mirror_client\":1,\"allow_http2\":1},\"certificate_checks\":{\"approach\":{\"cn\":1,\"issuer\":1,\"self-signed\":1,\"expiration\":1},\"fail_action\":\"fail-close\"}}\t1",
- "4\ttest\t{\"dynamic_bypass\":{\"ev_cert\":0,\"cert_transparency\":0,\"mutual_authentication\":0,\"cert_pinning\":0,\"protocol_errors\":0,\"trusted_root_cert_is_not_installed_on_client\":0},\"protocol_version\":{\"min\":\"ssl3\",\"max\":\"ssl3\",\"mirror_client\":0,\"allow_http2\":0},\"certificate_checks\":{\"approach\":{\"cn\":0,\"issuer\":0,\"self-signed\":0,\"expiration\":0},\"fail_action\":\"pass-through\"}}\t1"
+ "{\"uuid\":\"DECRYPT0-0000-0000-0000-000000000001\",\"decryption\":{\"dynamic_bypass\":{\"ev_cert\":0,\"cert_transparency\":0,\"mutual_authentication\":1,\"cert_pinning\":1,\"protocol_errors\":1,\"trusted_root_cert_is_not_installed_on_client\":1},\"protocol_version\":{\"min\":\"ssl3\",\"max\":\"ssl3\",\"mirror_client\":1,\"allow_http2\":1},\"certificate_checks\":{\"approach\":{\"cn\":1,\"issuer\":1,\"self-signed\":1,\"expiration\":0},\"fail_action\":\"pass-through\"}},\"is_valid\":1}",
+ "{\"uuid\":\"DECRYPT0-0000-0000-0000-000000000003\",\"decryption\":{\"dynamic_bypass\":{\"ev_cert\":1,\"cert_transparency\":1,\"mutual_authentication\":1,\"cert_pinning\":1,\"protocol_errors\":1,\"trusted_root_cert_is_not_installed_on_client\":0},\"protocol_version\":{\"min\":\"ssl3\",\"max\":\"tls13\",\"mirror_client\":1,\"allow_http2\":1},\"certificate_checks\":{\"approach\":{\"cn\":1,\"issuer\":1,\"self-signed\":1,\"expiration\":1},\"fail_action\":\"fail-close\"}},\"is_valid\":1}",
+ "{\"uuid\":\"DECRYPT0-0000-0000-0000-000000000004\",\"decryption\":{\"dynamic_bypass\":{\"ev_cert\":0,\"cert_transparency\":0,\"mutual_authentication\":0,\"cert_pinning\":0,\"protocol_errors\":0,\"trusted_root_cert_is_not_installed_on_client\":0},\"protocol_version\":{\"min\":\"ssl3\",\"max\":\"ssl3\",\"mirror_client\":0,\"allow_http2\":0},\"certificate_checks\":{\"approach\":{\"cn\":0,\"issuer\":0,\"self-signed\":0,\"expiration\":0},\"fail_action\":\"pass-through\"}},\"is_valid\":1}"
 ]
 },
 {
- "table_name": "PXY_INTERCEPT_COMPILE",
+ "table_name": "PXY_INTERCEPT_RULE",
 "table_content": [
- "0\t0\t2\t1\t1\t{}\t{\"protocol\":\"SSL\",\"keyring\":765,\"decryption_profile\":0},\"traffic_mirror\":{\"enable\":0}}\t1\t2",
- "656\t0\t2\t1\t1\t{}\t{\"protocol\":\"SSL\",\"keyring\":1,\"decryption_profile\":0},\"traffic_mirror\":{\"enable\":0}}\t1\t2",
- "49\t0\t2\t1\t1\t{}\t{\"protocol\":\"SSL\",\"keyring\":1,\"decryption_profile\":0},\"traffic_mirror\":{\"enable\":0}}\t1\t2"
+ "{\"uuid\":\"INTERCEP-0000-0000-0000-000000000001\",\"action_parameter\":{\"vsys_id\":1,\"keyring_for_trusted\":\"KERING00-TRUS-0000-0000-000000000001\",\"keyring_for_untrusted\":\"KERING00-UNTR-0000-0000-000000000001\",\"decryption_profile\":\"DECRYPT0-0000-0000-0000-000000000001\",\"tcp_option_profile\":\"TCPOPT00-0000-0000-0000-000000000001\",\"traffic_mirror\":{\"enable\":0}},\"is_valid\":1}",
+ "{\"uuid\":\"INTERCEP-0000-0000-0000-000000000002\",\"action_parameter\":{\"vsys_id\":1,\"keyring_for_trusted\":\"KERING00-TRUS-0000-0000-000000000001\",\"keyring_for_untrusted\":\"KERING00-UNTR-0000-0000-000000000001\",\"decryption_profile\":\"DECRYPT0-0000-0000-0000-000000000001\",\"tcp_option_profile\":\"TCPOPT00-0000-0000-0000-000000000001\",\"traffic_mirror\":{\"enable\":1,\"mirror_profile\":\"TRAFFIC0-MIRR-0000-0000-000000000001\"}},\"is_valid\":1}"
 ]
 }
 ]
diff --git a/resource/pangu/pangu_http.json b/resource/pangu/pangu_http.json
index 997eee3..1bb389e 100644
--- a/resource/pangu/pangu_http.json
+++ b/resource/pangu/pangu_http.json
@@ -253,23 +253,23 @@
 ]
 },
 {
- "table_name": "PXY_INTERCEPT_COMPILE",
+ "table_name": "PXY_INTERCEPT_RULE",
 "table_content": [
 "{\"uuid\":\"INTERCEP-0000-0000-0000-000000000001\",\"action_parameter\":{\"vsys_id\":1,\"keyring_for_trusted\":\"KERING00-TRUS-0000-0000-000000000001\",\"keyring_for_untrusted\":\"KERING00-UNTR-0000-0000-000000000001\",\"decryption_profile\":\"DECRYPT0-0000-0000-0000-000000000001\",\"tcp_option_profile\":\"TCPOPT00-0000-0000-0000-000000000001\",\"traffic_mirror\":{\"enable\":0}},\"is_valid\":1}",
 "{\"uuid\":\"INTERCEP-0000-0000-0000-000000000002\",\"action_parameter\":{\"vsys_id\":1,\"keyring_for_trusted\":\"KERING00-TRUS-0000-0000-000000000001\",\"keyring_for_untrusted\":\"KERING00-UNTR-0000-0000-000000000001\",\"decryption_profile\":\"DECRYPT0-0000-0000-0000-000000000001\",\"tcp_option_profile\":\"TCPOPT00-0000-0000-0000-000000000001\",\"traffic_mirror\":{\"enable\":1,\"mirror_profile\":\"TRAFFIC0-MIRR-0000-0000-000000000001\"}},\"is_valid\":1}"
 ]
 },
 {
- "table_name": "SERVICE_CHAINING_COMPILE",
+ "table_name": "SERVICE_CHAINING_RULE",
 "table_content": [
- "1\t0\t2\t1\t1\t{}\t{\"targeted_traffic\":\"raw\",\"sff_profiles\":[1]}\t1\t2",
- "2\t0\t2\t1\t1\t{}\t{\"targeted_traffic\":\"decrypted\",\"sff_profiles\":[1]}\t1\t2"
+ "{\"uuid\":\"SC000000-0000-0000-1111-000000000001\",\"effective_range\":{},\"action_parameter\":{\"vsys_id\":1,\"targeted_traffic\":\"raw\",\"sff_profiles\":[\"00000000-0000-0000-2222-000000000001\"]},\"is_valid\":1}",
+ "{\"uuid\":\"SC000000-0000-0000-1111-000000000011\",\"effective_range\":{},\"action_parameter\":{\"vsys_id\":1,\"targeted_traffic\":\"decrypted\",\"sff_profiles\":[\"00000000-0000-0000-2222-000000000001\",]},\"is_valid\":1}"
 ]
 },
 {
 "table_name": "PXY_PROFILE_TCP_OPTION",
 "table_content": [
- "1\t0\t0\t{\"tcp_maxseg\":{\"enable\":0,\"maxseg\":1500},\"nodelay\":1,\"keep_alive\":{\"enable\":1,\"tcp_keepcnt\":8,\"tcp_keepidle\":30,\"tcp_keepintvl\":15},\"ttl\":70,\"user_timeout\":{\"enable\":1,\"timeout_ms\":600}}\t{\"tcp_maxseg\":{\"enable\":0,\"maxseg\":1500},\"nodelay\":1,\"keep_alive\":{\"enable\":1,\"tcp_keepcnt\":8,\"tcp_keepidle\":30,\"tcp_keepintvl\":15},\"ttl\":75,\"user_timeout\":{\"enable\":1,\"timeout_ms\":600}}\t1"
+ "{\"uuid\":\"TCPOPT00-0000-0000-0000-000000000001\",\"tcp_passthrough\":0,\"bypass_duplicated_packet\":0,\"client_side_conn_param\":{\"tcp_maxseg\":{\"enable\":0,\"maxseg\":1500},\"nodelay\":1,\"keep_alive\":{\"enable\":1,\"tcp_keepcnt\":8,\"tcp_keepidle\":30,\"tcp_keepintvl\":15},\"ttl\":70,\"user_timeout\":{\"enable\":1,\"timeout_ms\":600}},\"server_side_conn_param\":{\"tcp_maxseg\":{\"enable\":0,\"maxseg\":1500},\"nodelay\":1,\"keep_alive\":{\"enable\":1,\"tcp_keepcnt\":8,\"tcp_keepidle\":30,\"tcp_keepintvl\":15},\"ttl\":70,\"user_timeout\":{\"enable\":1,\"timeout_ms\":600}},\"is_valid\":1}"
 ]
 },
 {
diff --git a/resource/pangu/table_info.conf b/resource/pangu/table_info.conf
index 0bc19f5..0dd3077 100644
--- a/resource/pangu/table_info.conf
+++ b/resource/pangu/table_info.conf
@@ -334,7 +334,7 @@
 },
 {
 "table_id":30,
- "table_name":"PXY_INTERCEPT_COMPILE",
+ "table_name":"PXY_INTERCEPT_RULE",
 "table_type":"plugin",
 "custom": {
 "key_type":"pointer",
@@ -389,20 +389,18 @@
 "table_id":36,
 "table_name":"PXY_PROFILE_TCP_OPTION",
 "table_type":"plugin",
- "valid_column":6,
 "custom": {
- "key":1,
- "key_type":"pointer"
+ "key_type":"pointer",
+ "key_name":"uuid"
 }
 },
 {
 "table_id":37,
- "table_name":"SERVICE_CHAINING_COMPILE",
+ "table_name":"SERVICE_CHAINING_RULE",
 "table_type":"plugin",
- "valid_column":9,
 "custom":{
- "key":1,
- "key_type":"pointer"
+ "key_type":"pointer",
+ "key_name":"uuid"
 }
 },
 {
diff --git a/resource/pangu/table_info_traffic_mirror.conf b/resource/pangu/table_info_traffic_mirror.conf
index a7269cc..4b3efa0 100644
--- a/resource/pangu/table_info_traffic_mirror.conf
+++ b/resource/pangu/table_info_traffic_mirror.conf
@@ -1,7 +1,7 @@
 [
 {
 "table_id":0,
- "table_name":"PXY_INTERCEPT_COMPILE",
+ "table_name":"PXY_INTERCEPT_RULE",
 "table_type":"plugin",
 "custom": {
 "key_type":"pointer",