gfwleak/tango-tfe
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix compile errors for adapting maat

Browse Source
This commit is contained in:
luwenpeng
2024-09-26 14:39:21 +08:00
parent ad96bf00c1
commit 5d3ee62d23
23 changed files with 263 additions and 218 deletions
Download Patch File Download Diff File Expand all files Collapse all files

207
common/src/intercept_policy.cpp
View File

@@ -10,19 +10,13 @@ struct intercept_param
uuid_t rule_id;
int do_log;
int ref_cnt;
int action;
int action_is_intercept;
uuid_t keyring_for_trusted;
uuid_t keyring_for_untrusted;
uuid_t decryption_profile;
uuid_t tcp_option_profile;
};
enum {
ACTION_NONE,
ACTION_INTERCEPT,
ACTION_NO_INTERCEPT,
};
struct intercept_policy_enforcer
{
struct maat *maat;
@@ -30,144 +24,175 @@ struct intercept_policy_enforcer
void *logger;
};
static int intercept_action_map(char *action)
{
if (strncasecmp(action, "intercept", strlen("intercept")) == 0)
return ACTION_INTERCEPT;
else if (strncasecmp(action, "no_intercept", strlen("no_intercept")) == 0)
return ACTION_NO_INTERCEPT;
else
return ACTION_NONE;
}
static void intercept_param_new_cb(const char *table_name, const char *key, const char *table_line, void **ad, long argl, void *argp)
{
int action = 0;
int do_log = 0;
int vsys_id = 0;
cJSON * json_root = NULL;
cJSON * json_subroot = NULL;
cJSON * item = NULL;
cJSON *json_root = NULL;
cJSON *json_subroot = NULL;
cJSON *item = NULL;
struct intercept_param *param = NULL;
struct intercept_policy_enforcer *enforcer = (struct intercept_policy_enforcer *)argp;
json_root = cJSON_Parse(table_line);
if (unlikely(!json_root))
char *json_str = strdup(table_line);
json_root = cJSON_Parse(json_str);
if (json_root == NULL)
{
TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule:%s %s", key, table_line);
TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule: (invlad json format) %s", table_line);
goto error_out;
}
param = ALLOC(struct intercept_param, 1);
param->ref_cnt = 1;
uuid_parse(key, param->rule_id);
uuid_clear(param->keyring_for_trusted);
uuid_clear(param->keyring_for_untrusted);
uuid_clear(param->decryption_profile);
uuid_clear(param->tcp_option_profile);
// action
item = cJSON_GetObjectItem(json_root, "action");
if (unlikely(!item || !cJSON_IsString(item)))
if (!item || !cJSON_IsString(item))
{
TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule:%s (invalid action format) %s.", key, table_line);
goto error_out;
}
if (strcmp(item->valuestring, "intercept") == 0)
{
param->action_is_intercept = 1;
}
else if (strcmp(item->valuestring, "no_intercept") == 0)
{
param->action_is_intercept = 0;
}
else
{
TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule:%s (invalid action format) %s.", key, table_line);
goto error_out;
}
action = intercept_action_map(item->valueint);
// log_option
item = cJSON_GetObjectItem(json_root, "log_option");
if (!item || !cJSON_IsString(item))
{
TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule:%s (invalid log_option format) %s.", key, table_line);
goto error_out;
}
if (strncasecmp(item->valueint, "none", strlen("none")) == 0)
if (0 == strcasecmp(item->valuestring, "none"))
{
do_log = 0;
param->do_log = 0;
}
else if (0 == strcasecmp(item->valuestring, "metadata"))
{
param->do_log = 1;
}
else if (0 == strcasecmp(item->valuestring, "all"))
{
param->do_log = 1;
}
else
{
do_log = 1;
TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule:%s (invalid log_option format) %s.", key, table_line);
goto error_out;
}
// action_parameter
json_subroot = cJSON_GetObjectItem(json_root, "action_parameter");
if (unlikely(!json_subroot))
if (!json_subroot || !cJSON_IsObject(json_subroot))
{
TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule:%s (invalid action_parameter format) %s.", key, table_line);
goto error_out;
}
item = cJSON_GetObjectItem(json_subroot, "vsys_id");
if (!item || !cJSON_IsNumber(item))
{
TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule:%s (invalid vsys_id format) %s.", key, table_line);
goto error_out;
}
vsys_id = item->valueint;
param = ALLOC(struct intercept_param, 1);
param->ref_cnt = 1;
param->action = action;
param->do_log = do_log;
param->vsys_id = vsys_id;
uuid_parse(key, param->rule_id);
// keyring_for_trusted
item = cJSON_GetObjectItem(json_subroot, "keyring_for_trusted");
if (item)
{
if (item->type == cJSON_String)
if (cJSON_IsString(item))
{
uuid_parse(item->valuestring, param->keyring_for_trusted);
}
else
{
TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule: %s (invalid keyring_for_trusted format) %s.", key, table_line);
goto error_out;
}
}
else
{
// maybe not exist
}
item = cJSON_GetObjectItem(json_subroot, "keyring_for_untrusted");
if (item)
{
if (item->type == cJSON_String)
if (cJSON_IsString(item))
{
uuid_parse(item->valuestring, param->keyring_for_untrusted);
}
else
{
TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule: %s (invalid keyring_for_untrusted format) %s", key, table_line);
goto error_out;
}
}
else
{
// maybe not exist
}
item = cJSON_GetObjectItem(json_subroot, "decryption_profile");
if (item)
{
if (item->type == cJSON_String)
if (cJSON_IsString(item))
{
uuid_parse(item->valuestring, param->decryption_profile);
}
else
{
TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule:%s (invalid decryption_profile format) %s.", key, table_line);
TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule: %s (invalid decryption_profile format) %s", key, table_line);
goto error_out;
}
}
else
{
// maybe not exist
}
item = cJSON_GetObjectItem(json_subroot, "tcp_option_profile");
if (item)
if (!item || !cJSON_IsString(item))
{
if (item->type == cJSON_String)
{
uuid_parse(item->valuestring, param->tcp_option_profile);
}
else
{
TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule:%s (invalid tcp_option_profile format) %s.", key, table_line);
}
TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule:%s (invalid tcp_option_profile format) %s.", key, table_line);
goto error_out;
}
uuid_parse(item->valuestring, param->tcp_option_profile);
*ad = param;
TFE_LOG_INFO(enforcer->logger, "Add intercept rule: %s", key);
cJSON_Delete(json_root);
free(json_str);
return;
error_out:
if (json_root)
{
cJSON_Delete(json_root);
json_root = NULL;
}
if (json_str)
{
free(json_str);
json_str = NULL;
}
if (param)
{
free(param);
param = NULL;
}
}
static void intercept_param_free_cb(const char *table_name, void **ad, long argl, void *argp)
{
char str_rule_id[UUID_STR_LEN] = {0};
char str_rule_id[UUID_STRING_SIZE] = {0};
struct intercept_policy_enforcer *enforcer = (struct intercept_policy_enforcer *)argp;
struct intercept_param *param = (struct intercept_param *)*ad;
if (param == NULL)
@@ -200,7 +225,7 @@ static void intercept_param_dup_cb(const char *table_name, void **to, void **fro
static void intercept_param_free(struct intercept_param *param)
{
intercept_param_free_cb(0, (void **)&param, 0, NULL);
intercept_param_free_cb(NULL, (void **)&param, 0, NULL);
}
struct intercept_policy_enforcer *intercept_policy_enforcer_create(void *logger)
@@ -220,7 +245,7 @@ struct intercept_policy_enforcer *intercept_policy_enforcer_create(void *logger)
enforcer);
if (ret != 0)
{
TFE_LOG_ERROR(enforcer->logger, "failed at register callback of PXY_INTERCEPT_COMPILE, ret = %d", ret);
TFE_LOG_ERROR(enforcer->logger, "failed at register callback of PXY_INTERCEPT_RULE, ret = %d", ret);
goto error_out;
}
@@ -242,21 +267,26 @@ void intercept_policy_enforce_destory(struct intercept_policy_enforcer *enforcer
// return 0 : success
// return -1 : error (need passthrough)
int intercept_policy_select(struct intercept_policy_enforcer *enforcer, uuid_t *rule_id_array, int rule_id_num, uuid_t selected_rule_id)
int intercept_policy_select(struct intercept_policy_enforcer *enforcer, uuid_t *rule_id_array, int rule_id_num, uuid_t *selected_rule_id)
{
uuid_t rule_id;
char str_rule_id[UUID_STR_LEN] = {0};
uuid_t *curr_rule_id;
char str_rule_id[UUID_STRING_SIZE] = {0};
uint8_t is_hit_intercept_rule = 0;
uint8_t is_hit_no_intercept_rule = 0;
uuid_t max_intercept_rule_id = {0};
uuid_t max_no_intercept_rule_id = {0};
uuid_t max_intercept_rule_id;
uuid_t max_no_intercept_rule_id;
uuid_clear(*selected_rule_id);
uuid_clear(max_intercept_rule_id);
uuid_clear(max_no_intercept_rule_id);
struct intercept_param *param = NULL;
for (int i = 0; i < rule_id_num; i++)
{
memcpy(rule_id, rule_id_array[i], UUID_LEN);
uuid_unparse(rule_id, str_rule_id);
param = (struct intercept_param *)maat_plugin_table_get_ex_data(enforcer->maat, enforcer->table_name, str_rule_id, UUID_STR_LEN-1);
curr_rule_id = &rule_id_array[i];
uuid_unparse(*curr_rule_id, str_rule_id);
param = (struct intercept_param *)maat_plugin_table_get_ex_data(enforcer->maat, enforcer->table_name, (const char *)curr_rule_id, sizeof(uuid_t));
if (param == NULL)
{
TFE_LOG_INFO(enforcer->logger, "Failed to get intercept parameter of policy %s.", str_rule_id);
@@ -264,32 +294,36 @@ int intercept_policy_select(struct intercept_policy_enforcer *enforcer, uuid_t *
}
// intercept
if (param->action == ACTION_INTERCEPT)
if (param->action_is_intercept)
{
is_hit_intercept_rule = 1;
if (uuid_compare(max_intercept_rule_id, rule_id) < 0)
memcpy(max_intercept_rule_id, rule_id, UUID_LEN);
if (uuid_compare(max_intercept_rule_id, *curr_rule_id) < 0)
{
uuid_copy(max_intercept_rule_id, *curr_rule_id);
}
TFE_LOG_INFO(enforcer->logger, "rule[%d/%d]: %s is intercept.", i, rule_id_num, str_rule_id);
}
// not intercept
else
{
is_hit_no_intercept_rule = 1;
if (uuid_compare(max_no_intercept_rule_id, rule_id) < 0)
memcpy(max_no_intercept_rule_id, rule_id, UUID_LEN);
if (uuid_compare(max_no_intercept_rule_id, *curr_rule_id) < 0)
{
uuid_copy(max_no_intercept_rule_id, *curr_rule_id);
}
TFE_LOG_INFO(enforcer->logger, "rule[%d/%d]: %s is no intercept.", i, rule_id_num, str_rule_id);
}
}
if (is_hit_no_intercept_rule)
{
memcpy(selected_rule_id, max_no_intercept_rule_id, UUID_LEN);
uuid_copy(*selected_rule_id, max_no_intercept_rule_id);
return 0;
}
if (is_hit_intercept_rule)
{
memcpy(selected_rule_id, max_intercept_rule_id, UUID_LEN);
uuid_copy(*selected_rule_id, max_intercept_rule_id);
return 0;
}
@@ -304,14 +338,14 @@ int intercept_policy_enforce(struct intercept_policy_enforcer *enforcer, struct
int ret = 0;
uint16_t size = 0;
uuid_t rule_id;
char str_rule_id[UUID_STR_LEN] = {0};
char str_rule_id[UUID_STRING_SIZE] = {0};
struct intercept_param *param = NULL;
uint8_t hit_no_intercept = 0;
int tcp_passthrough = 0;
char reason_hit_no_intercept[] = "Hit No Intercept";
char reason_invalid_intercept_param[] = "Invalid Intercept Param";
ret = tfe_cmsg_get_value(cmsg, TFE_CMSG_POLICY_ID, (unsigned char *)rule_id, UUID_LEN, &size);
ret = tfe_cmsg_get_value(cmsg, TFE_CMSG_POLICY_ID, (unsigned char *)&rule_id, sizeof(uuid_t), &size);
if (ret < 0)
{
TFE_LOG_ERROR(g_default_logger, "Failed at fetch intercept rule_id from cmsg: %s", strerror(-ret));
@@ -319,7 +353,7 @@ int intercept_policy_enforce(struct intercept_policy_enforcer *enforcer, struct
}
uuid_unparse(rule_id, str_rule_id);
param = (struct intercept_param *)maat_plugin_table_get_ex_data(enforcer->maat, enforcer->table_name, str_rule_id, UUID_STR_LEN-1);
param = (struct intercept_param *)maat_plugin_table_get_ex_data(enforcer->maat, enforcer->table_name, (const char *)&rule_id, sizeof(uuid_t));
if (param == NULL)
{
TFE_LOG_INFO(enforcer->logger, "Failed to get intercept parameter of policy %s.", str_rule_id);
@@ -327,7 +361,7 @@ int intercept_policy_enforce(struct intercept_policy_enforcer *enforcer, struct
}
// intercept
if (param->action == ACTION_INTERCEPT)
if (param->action_is_intercept)
{
tcp_passthrough = 0;
hit_no_intercept = 0;
@@ -344,10 +378,11 @@ int intercept_policy_enforce(struct intercept_policy_enforcer *enforcer, struct
tfe_cmsg_set(cmsg, TFE_CMSG_POLICY_VSYS_ID, (const unsigned char *)&param->vsys_id, sizeof(param->vsys_id));
tfe_cmsg_set(cmsg, TFE_CMSG_TCP_PASSTHROUGH, (const unsigned char *)&tcp_passthrough, sizeof(tcp_passthrough));
tfe_cmsg_set(cmsg, TFE_CMSG_HIT_NO_INTERCEPT, (const unsigned char *)&hit_no_intercept, sizeof(hit_no_intercept));
tfe_cmsg_set(cmsg, TFE_CMSG_TCP_OPTION_PROFILE_ID, (const unsigned char *)param->tcp_option_profile, UUID_LEN);
tfe_cmsg_set(cmsg, TFE_CMSG_DECRYPTION_PROFILE_ID, (const unsigned char *)param->decryption_profile, UUID_LEN);
tfe_cmsg_set(cmsg, TFE_CMSG_KEYRING_FOR_TRUSTED_ID, (const unsigned char *)param->keyring_for_trusted, UUID_LEN);
tfe_cmsg_set(cmsg, TFE_CMSG_KEYRING_FOR_UNTRUSTED, (const unsigned char *)param->keyring_for_untrusted, UUID_LEN);
tfe_cmsg_set(cmsg, TFE_CMSG_TCP_OPTION_PROFILE_ID, (const unsigned char *)&(param->tcp_option_profile), sizeof(param->tcp_option_profile));
tfe_cmsg_set(cmsg, TFE_CMSG_DECRYPTION_PROFILE_ID, (const unsigned char *)&(param->decryption_profile), sizeof(param->decryption_profile));
tfe_cmsg_set(cmsg, TFE_CMSG_KEYRING_FOR_TRUSTED_ID, (const unsigned char *)&param->keyring_for_trusted, sizeof(param->keyring_for_trusted));
tfe_cmsg_set(cmsg, TFE_CMSG_KEYRING_FOR_UNTRUSTED, (const unsigned char *)&(param->keyring_for_untrusted), sizeof(param->keyring_for_untrusted));
intercept_param_free(param);

6
common/src/tfe_ctrl_packet.cpp
View File

@@ -581,14 +581,14 @@ void ctrl_packet_parser_dump(struct ctrl_pkt_parser *handler, void *logger)
log_len += snprintf(log_str + log_len, LOG_STR_LEN - log_len, ", tfe policy_id_num: %d, tfe policy_ids[", handler->tfe_policy_id_num);
for (int i = 0; i < handler->tfe_policy_id_num; i++) {
char str_tfe_policy_ids[UUID_STR_LEN] = {0};
char str_tfe_policy_ids[UUID_STRING_SIZE] = {0};
uuid_unparse(handler->tfe_policy_ids[i], str_tfe_policy_ids);
log_len += snprintf(log_str + log_len, LOG_STR_LEN - log_len, "%s, ", str_tfe_policy_ids);
}
log_len += snprintf(log_str + log_len, LOG_STR_LEN - log_len, "], sce policy_id_num: %d, sce policy_ids[", handler->sce_policy_id_num);
for (int i = 0; i < handler->sce_policy_id_num; i++) {
char str_sce_policy_ids[UUID_STR_LEN] = {0};
char str_sce_policy_ids[UUID_STRING_SIZE] = {0};
uuid_unparse(handler->sce_policy_ids[i], str_sce_policy_ids);
log_len += snprintf(log_str + log_len, LOG_STR_LEN - log_len, "%s, ", str_sce_policy_ids);
}
@@ -628,7 +628,7 @@ void ctrl_packet_parser_dump(struct ctrl_pkt_parser *handler, void *logger)
break;
}
for (int i = 0; i < size/UUID_LEN; i++) {
char str_tags_ids[UUID_STR_LEN] = {0};
char str_tags_ids[UUID_STRING_SIZE] = {0};
uuid_unparse(tags_ids_array[i], str_tags_ids);
log_len += snprintf(log_str + log_len, LOG_STR_LEN - log_len, ", %s:%s", tags_ids_cmsg_name_maps[map_index], str_tags_ids);
}

2
common/src/tfe_fieldstat.cpp
View File

@@ -43,7 +43,7 @@ int tfe_fieldstat_intercept_incrby(struct fieldstat_easy_intercept *metrics, voi
}
uuid_t rule_id;
char str_rule_id[UUID_STR_LEN] = {0};
char str_rule_id[UUID_STRING_SIZE] = {0};
ret = tfe_cmsg_get_value(cmsg, TFE_CMSG_POLICY_ID, (unsigned char *)rule_id, UUID_LEN, &out_size);
if (ret != 0)
{

14
common/src/tfe_packet_io.cpp
View File

@@ -156,7 +156,7 @@ struct packet_identify
extern int tcp_policy_enforce(struct tcp_policy_enforcer *tcp_enforcer, struct tfe_cmsg *cmsg);
extern int tfe_proxy_fds_accept(struct tfe_proxy * ctx, int fd_downstream, int fd_upstream, int fd_fake_c, int fd_fake_s, struct tfe_cmsg * cmsg);
extern void chaining_policy_enforce(struct chaining_policy_enforcer *enforcer, struct tfe_cmsg *cmsg, uuid_t rule_id);
extern void chaining_policy_enforce(struct chaining_policy_enforcer *enforcer, struct tfe_cmsg *cmsg, uuid_t *rule_id);
/******************************************************************************
* dup packet filter
@@ -1128,8 +1128,8 @@ static int handle_session_opening(struct metadata *meta, marsio_buff_t *rx_buff,
tfe_cmsg_get_value(parser->cmsg, TFE_CMSG_TCP_RESTORE_PROTOCOL, (unsigned char *)&stream_protocol_in_char, sizeof(stream_protocol_in_char), &size);
uuid_t rule_id = {0};
char str_rule_id[UUID_STR_LEN] = {0};
ret = intercept_policy_select(thread->ref_proxy->int_ply_enforcer, parser->tfe_policy_ids, parser->tfe_policy_id_num, rule_id);
char str_rule_id[UUID_STRING_SIZE] = {0};
ret = intercept_policy_select(thread->ref_proxy->int_ply_enforcer, parser->tfe_policy_ids, parser->tfe_policy_id_num, &rule_id);
uuid_unparse(rule_id, str_rule_id);
if (ret != 0)
{
@@ -1169,7 +1169,7 @@ static int handle_session_opening(struct metadata *meta, marsio_buff_t *rx_buff,
}
for (int i = 0; i < parser->sce_policy_id_num; i++) {
chaining_policy_enforce(thread->ref_proxy->chain_ply_enforcer, parser->cmsg, parser->sce_policy_ids[i]);
chaining_policy_enforce(thread->ref_proxy->chain_ply_enforcer, parser->cmsg, &parser->sce_policy_ids[i]);
}
tcp_restore_set_from_cmsg(parser->cmsg, &restore_info);
@@ -1346,7 +1346,7 @@ static int handle_session_closing(struct metadata *meta, marsio_buff_t *rx_buff,
struct packet_io *packet_io = thread->ref_io;
struct packet_io_fs *packet_io_fs = thread->ret_fs_state;
void * logger = thread->logger;
char str_policy_id[UUID_STR_LEN] = {0};
char str_policy_id[UUID_STRING_SIZE] = {0};
struct session_node *node = session_table_search_by_id(thread->session_table, meta->session_id);
if (node)
@@ -1373,7 +1373,7 @@ static int handle_session_resetall(struct metadata *meta, marsio_buff_t *rx_buff
struct packet_io *packet_io = thread->ref_io;
struct packet_io_fs *packet_io_fs = thread->ret_fs_state;
void * logger = thread->logger;
char str_policy_id[UUID_STR_LEN] = {0};
char str_policy_id[UUID_STRING_SIZE] = {0};
TFE_LOG_ERROR(logger, "%s: session %lu resetall: notification clears all session tables !!!", LOG_TAG_PKTIO, meta->session_id);
tfe_dp_telemetry_on_ctrl_pkt(packet_io->instance, rx_buff, str_policy_id, meta->session_id, "resetall", NULL, NULL);
@@ -1457,7 +1457,7 @@ static int handle_raw_packet_from_nf(struct packet_io *handle, marsio_buff_t *rx
char *header = NULL;
int header_len = 0;
void * logger = thread->logger;
char str_policy_id[UUID_STR_LEN] = {0};
char str_policy_id[UUID_STRING_SIZE] = {0};
int raw_len = marsio_buff_datalen(rx_buff);
char *raw_data = marsio_buff_mtod(rx_buff);