fix compile errors for adapting maat

This commit is contained in:
luwenpeng
2024-09-26 14:39:21 +08:00
parent ad96bf00c1
commit 5d3ee62d23
23 changed files with 263 additions and 218 deletions


@@ -7,7 +7,7 @@ struct intercept_policy_enforcer *intercept_policy_enforcer_create(void *logger)
void intercept_policy_enforce_destory(struct intercept_policy_enforcer *enforcer);
// return 0 : success
// return -1 : error (need passthrough)
int intercept_policy_select(struct intercept_policy_enforcer *enforcer, uuid_t *rule_id_array, int rule_id_num, uuid_t selected_rule_id);
int intercept_policy_select(struct intercept_policy_enforcer *enforcer, uuid_t *rule_id_array, int rule_id_num, uuid_t *selected_rule_id);
// return 0 : success
// return -1 : error (need passthrough)
int intercept_policy_enforce(struct intercept_policy_enforcer *enforcer, struct tfe_cmsg *cmsg);
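Review bot: The new `uuid_t *selected_rule_id` parameter is an out-parameter, but the comment above intercept_policy_select still documents only the return codes; the implementation on this page clears it on entry and only overwrites it on the 0 path, so a caller that ignores the -1 result is left with the nil UUID. Add to the comment: `// selected_rule_id: out; on 0 the winning rule (no_intercept rules take precedence, then the greatest rule id); cleared on entry`. Whether every -1 path leaves it cleared cannot be confirmed from the hunks shown here.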


@@ -1,6 +1,7 @@
#pragma once
#include <stdlib.h>
#include <tfe_cmsg.h>
#include <uuid/uuid.h>
struct ssl_stream;
enum ssl_stream_action


@@ -10,19 +10,13 @@ struct intercept_param
uuid_t rule_id;
int do_log;
int ref_cnt;
int action;
int action_is_intercept;
uuid_t keyring_for_trusted;
uuid_t keyring_for_untrusted;
uuid_t decryption_profile;
uuid_t tcp_option_profile;
};
enum {
ACTION_NONE,
ACTION_INTERCEPT,
ACTION_NO_INTERCEPT,
};
struct intercept_policy_enforcer
{
struct maat *maat;
@@ -30,144 +24,175 @@ struct intercept_policy_enforcer
void *logger;
};
static int intercept_action_map(char *action)
{
if (strncasecmp(action, "intercept", strlen("intercept")) == 0)
return ACTION_INTERCEPT;
else if (strncasecmp(action, "no_intercept", strlen("no_intercept")) == 0)
return ACTION_NO_INTERCEPT;
else
return ACTION_NONE;
}
static void intercept_param_new_cb(const char *table_name, const char *key, const char *table_line, void **ad, long argl, void *argp)
{
int action = 0;
int do_log = 0;
int vsys_id = 0;
cJSON * json_root = NULL;
cJSON * json_subroot = NULL;
cJSON * item = NULL;
cJSON *json_root = NULL;
cJSON *json_subroot = NULL;
cJSON *item = NULL;
struct intercept_param *param = NULL;
struct intercept_policy_enforcer *enforcer = (struct intercept_policy_enforcer *)argp;
json_root = cJSON_Parse(table_line);
if (unlikely(!json_root))
char *json_str = strdup(table_line);
json_root = cJSON_Parse(json_str);
if (json_root == NULL)
{
TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule:%s %s", key, table_line);
TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule: (invlad json format) %s", table_line);
goto error_out;
}
param = ALLOC(struct intercept_param, 1);
param->ref_cnt = 1;
uuid_parse(key, param->rule_id);
uuid_clear(param->keyring_for_trusted);
uuid_clear(param->keyring_for_untrusted);
uuid_clear(param->decryption_profile);
uuid_clear(param->tcp_option_profile);
// action
item = cJSON_GetObjectItem(json_root, "action");
if (unlikely(!item || !cJSON_IsString(item)))
if (!item || !cJSON_IsString(item))
{
TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule:%s (invalid action format) %s.", key, table_line);
goto error_out;
}
if (strcmp(item->valuestring, "intercept") == 0)
{
param->action_is_intercept = 1;
}
else if (strcmp(item->valuestring, "no_intercept") == 0)
{
param->action_is_intercept = 0;
}
else
{
TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule:%s (invalid action format) %s.", key, table_line);
goto error_out;
}
action = intercept_action_map(item->valueint);
// log_option
item = cJSON_GetObjectItem(json_root, "log_option");
if (!item || !cJSON_IsString(item))
{
TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule:%s (invalid log_option format) %s.", key, table_line);
goto error_out;
}
if (strncasecmp(item->valueint, "none", strlen("none")) == 0)
if (0 == strcasecmp(item->valuestring, "none"))
{
do_log = 0;
param->do_log = 0;
}
else if (0 == strcasecmp(item->valuestring, "metadata"))
{
param->do_log = 1;
}
else if (0 == strcasecmp(item->valuestring, "all"))
{
param->do_log = 1;
}
else
{
do_log = 1;
TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule:%s (invalid log_option format) %s.", key, table_line);
goto error_out;
}
// action_parameter
json_subroot = cJSON_GetObjectItem(json_root, "action_parameter");
if (unlikely(!json_subroot))
if (!json_subroot || !cJSON_IsObject(json_subroot))
{
TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule:%s (invalid action_parameter format) %s.", key, table_line);
goto error_out;
}
item = cJSON_GetObjectItem(json_subroot, "vsys_id");
if (!item || !cJSON_IsNumber(item))
{
TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule:%s (invalid vsys_id format) %s.", key, table_line);
goto error_out;
}
vsys_id = item->valueint;
param = ALLOC(struct intercept_param, 1);
param->ref_cnt = 1;
param->action = action;
param->do_log = do_log;
param->vsys_id = vsys_id;
uuid_parse(key, param->rule_id);
// keyring_for_trusted
item = cJSON_GetObjectItem(json_subroot, "keyring_for_trusted");
if (item)
{
if (item->type == cJSON_String)
if (cJSON_IsString(item))
{
uuid_parse(item->valuestring, param->keyring_for_trusted);
}
else
{
TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule: %s (invalid keyring_for_trusted format) %s.", key, table_line);
goto error_out;
}
}
else
{
// maybe not exist
}
item = cJSON_GetObjectItem(json_subroot, "keyring_for_untrusted");
if (item)
{
if (item->type == cJSON_String)
if (cJSON_IsString(item))
{
uuid_parse(item->valuestring, param->keyring_for_untrusted);
}
else
{
TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule: %s (invalid keyring_for_untrusted format) %s", key, table_line);
goto error_out;
}
}
else
{
// maybe not exist
}
item = cJSON_GetObjectItem(json_subroot, "decryption_profile");
if (item)
{
if (item->type == cJSON_String)
if (cJSON_IsString(item))
{
uuid_parse(item->valuestring, param->decryption_profile);
}
else
{
TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule:%s (invalid decryption_profile format) %s.", key, table_line);
TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule: %s (invalid decryption_profile format) %s", key, table_line);
goto error_out;
}
}
else
{
// maybe not exist
}
item = cJSON_GetObjectItem(json_subroot, "tcp_option_profile");
if (item)
if (!item || !cJSON_IsString(item))
{
if (item->type == cJSON_String)
{
uuid_parse(item->valuestring, param->tcp_option_profile);
}
else
{
TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule:%s (invalid tcp_option_profile format) %s.", key, table_line);
}
TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule:%s (invalid tcp_option_profile format) %s.", key, table_line);
goto error_out;
}
uuid_parse(item->valuestring, param->tcp_option_profile);
*ad = param;
TFE_LOG_INFO(enforcer->logger, "Add intercept rule: %s", key);
cJSON_Delete(json_root);
free(json_str);
return;
error_out:
if (json_root)
{
cJSON_Delete(json_root);
json_root = NULL;
}
if (json_str)
{
free(json_str);
json_str = NULL;
}
if (param)
{
free(param);
param = NULL;
}
}
static void intercept_param_free_cb(const char *table_name, void **ad, long argl, void *argp)
{
char str_rule_id[UUID_STR_LEN] = {0};
char str_rule_id[UUID_STRING_SIZE] = {0};
struct intercept_policy_enforcer *enforcer = (struct intercept_policy_enforcer *)argp;
struct intercept_param *param = (struct intercept_param *)*ad;
if (param == NULL)
@@ -200,7 +225,7 @@ static void intercept_param_dup_cb(const char *table_name, void **to, void **fro
static void intercept_param_free(struct intercept_param *param)
{
intercept_param_free_cb(0, (void **)&param, 0, NULL);
intercept_param_free_cb(NULL, (void **)&param, 0, NULL);
}
struct intercept_policy_enforcer *intercept_policy_enforcer_create(void *logger)
@@ -220,7 +245,7 @@ struct intercept_policy_enforcer *intercept_policy_enforcer_create(void *logger)
enforcer);
if (ret != 0)
{
TFE_LOG_ERROR(enforcer->logger, "failed at register callback of PXY_INTERCEPT_COMPILE, ret = %d", ret);
TFE_LOG_ERROR(enforcer->logger, "failed at register callback of PXY_INTERCEPT_RULE, ret = %d", ret);
goto error_out;
}
@@ -242,21 +267,26 @@ void intercept_policy_enforce_destory(struct intercept_policy_enforcer *enforcer
// return 0 : success
// return -1 : error (need passthrough)
int intercept_policy_select(struct intercept_policy_enforcer *enforcer, uuid_t *rule_id_array, int rule_id_num, uuid_t selected_rule_id)
int intercept_policy_select(struct intercept_policy_enforcer *enforcer, uuid_t *rule_id_array, int rule_id_num, uuid_t *selected_rule_id)
{
uuid_t rule_id;
char str_rule_id[UUID_STR_LEN] = {0};
uuid_t *curr_rule_id;
char str_rule_id[UUID_STRING_SIZE] = {0};
uint8_t is_hit_intercept_rule = 0;
uint8_t is_hit_no_intercept_rule = 0;
uuid_t max_intercept_rule_id = {0};
uuid_t max_no_intercept_rule_id = {0};
uuid_t max_intercept_rule_id;
uuid_t max_no_intercept_rule_id;
uuid_clear(*selected_rule_id);
uuid_clear(max_intercept_rule_id);
uuid_clear(max_no_intercept_rule_id);
struct intercept_param *param = NULL;
for (int i = 0; i < rule_id_num; i++)
{
memcpy(rule_id, rule_id_array[i], UUID_LEN);
uuid_unparse(rule_id, str_rule_id);
param = (struct intercept_param *)maat_plugin_table_get_ex_data(enforcer->maat, enforcer->table_name, str_rule_id, UUID_STR_LEN-1);
curr_rule_id = &rule_id_array[i];
uuid_unparse(*curr_rule_id, str_rule_id);
param = (struct intercept_param *)maat_plugin_table_get_ex_data(enforcer->maat, enforcer->table_name, (const char *)curr_rule_id, sizeof(uuid_t));
if (param == NULL)
{
TFE_LOG_INFO(enforcer->logger, "Failed to get intercept parameter of policy %s.", str_rule_id);
@@ -264,32 +294,36 @@ int intercept_policy_select(struct intercept_policy_enforcer *enforcer, uuid_t *
}
// intercept
if (param->action == ACTION_INTERCEPT)
if (param->action_is_intercept)
{
is_hit_intercept_rule = 1;
if (uuid_compare(max_intercept_rule_id, rule_id) < 0)
memcpy(max_intercept_rule_id, rule_id, UUID_LEN);
if (uuid_compare(max_intercept_rule_id, *curr_rule_id) < 0)
{
uuid_copy(max_intercept_rule_id, *curr_rule_id);
}
TFE_LOG_INFO(enforcer->logger, "rule[%d/%d]: %s is intercept.", i, rule_id_num, str_rule_id);
}
// not intercept
else
{
is_hit_no_intercept_rule = 1;
if (uuid_compare(max_no_intercept_rule_id, rule_id) < 0)
memcpy(max_no_intercept_rule_id, rule_id, UUID_LEN);
if (uuid_compare(max_no_intercept_rule_id, *curr_rule_id) < 0)
{
uuid_copy(max_no_intercept_rule_id, *curr_rule_id);
}
TFE_LOG_INFO(enforcer->logger, "rule[%d/%d]: %s is no intercept.", i, rule_id_num, str_rule_id);
}
}
if (is_hit_no_intercept_rule)
{
memcpy(selected_rule_id, max_no_intercept_rule_id, UUID_LEN);
uuid_copy(*selected_rule_id, max_no_intercept_rule_id);
return 0;
}
if (is_hit_intercept_rule)
{
memcpy(selected_rule_id, max_intercept_rule_id, UUID_LEN);
uuid_copy(*selected_rule_id, max_intercept_rule_id);
return 0;
}
@@ -304,14 +338,14 @@ int intercept_policy_enforce(struct intercept_policy_enforcer *enforcer, struct
int ret = 0;
uint16_t size = 0;
uuid_t rule_id;
char str_rule_id[UUID_STR_LEN] = {0};
char str_rule_id[UUID_STRING_SIZE] = {0};
struct intercept_param *param = NULL;
uint8_t hit_no_intercept = 0;
int tcp_passthrough = 0;
char reason_hit_no_intercept[] = "Hit No Intercept";
char reason_invalid_intercept_param[] = "Invalid Intercept Param";
ret = tfe_cmsg_get_value(cmsg, TFE_CMSG_POLICY_ID, (unsigned char *)rule_id, UUID_LEN, &size);
ret = tfe_cmsg_get_value(cmsg, TFE_CMSG_POLICY_ID, (unsigned char *)&rule_id, sizeof(uuid_t), &size);
if (ret < 0)
{
TFE_LOG_ERROR(g_default_logger, "Failed at fetch intercept rule_id from cmsg: %s", strerror(-ret));
@@ -319,7 +353,7 @@ int intercept_policy_enforce(struct intercept_policy_enforcer *enforcer, struct
}
uuid_unparse(rule_id, str_rule_id);
param = (struct intercept_param *)maat_plugin_table_get_ex_data(enforcer->maat, enforcer->table_name, str_rule_id, UUID_STR_LEN-1);
param = (struct intercept_param *)maat_plugin_table_get_ex_data(enforcer->maat, enforcer->table_name, (const char *)&rule_id, sizeof(uuid_t));
if (param == NULL)
{
TFE_LOG_INFO(enforcer->logger, "Failed to get intercept parameter of policy %s.", str_rule_id);
@@ -327,7 +361,7 @@ int intercept_policy_enforce(struct intercept_policy_enforcer *enforcer, struct
}
// intercept
if (param->action == ACTION_INTERCEPT)
if (param->action_is_intercept)
{
tcp_passthrough = 0;
hit_no_intercept = 0;
@@ -344,10 +378,11 @@ int intercept_policy_enforce(struct intercept_policy_enforcer *enforcer, struct
tfe_cmsg_set(cmsg, TFE_CMSG_POLICY_VSYS_ID, (const unsigned char *)&param->vsys_id, sizeof(param->vsys_id));
tfe_cmsg_set(cmsg, TFE_CMSG_TCP_PASSTHROUGH, (const unsigned char *)&tcp_passthrough, sizeof(tcp_passthrough));
tfe_cmsg_set(cmsg, TFE_CMSG_HIT_NO_INTERCEPT, (const unsigned char *)&hit_no_intercept, sizeof(hit_no_intercept));
tfe_cmsg_set(cmsg, TFE_CMSG_TCP_OPTION_PROFILE_ID, (const unsigned char *)param->tcp_option_profile, UUID_LEN);
tfe_cmsg_set(cmsg, TFE_CMSG_DECRYPTION_PROFILE_ID, (const unsigned char *)param->decryption_profile, UUID_LEN);
tfe_cmsg_set(cmsg, TFE_CMSG_KEYRING_FOR_TRUSTED_ID, (const unsigned char *)param->keyring_for_trusted, UUID_LEN);
tfe_cmsg_set(cmsg, TFE_CMSG_KEYRING_FOR_UNTRUSTED, (const unsigned char *)param->keyring_for_untrusted, UUID_LEN);
tfe_cmsg_set(cmsg, TFE_CMSG_TCP_OPTION_PROFILE_ID, (const unsigned char *)&(param->tcp_option_profile), sizeof(param->tcp_option_profile));
tfe_cmsg_set(cmsg, TFE_CMSG_DECRYPTION_PROFILE_ID, (const unsigned char *)&(param->decryption_profile), sizeof(param->decryption_profile));
tfe_cmsg_set(cmsg, TFE_CMSG_KEYRING_FOR_TRUSTED_ID, (const unsigned char *)&param->keyring_for_trusted, sizeof(param->keyring_for_trusted));
tfe_cmsg_set(cmsg, TFE_CMSG_KEYRING_FOR_UNTRUSTED, (const unsigned char *)&(param->keyring_for_untrusted), sizeof(param->keyring_for_untrusted));
intercept_param_free(param);
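Review bot: In intercept_param_new_cb the new side still reads the value into the local (`vsys_id = item->valueint;`) but the removed block was the only place that copied it into the struct (`param->vsys_id = vsys_id;`), so as far as this rendered diff shows `param->vsys_id` is never assigned before `*ad = param`, and `tfe_cmsg_set(cmsg, TFE_CMSG_POLICY_VSYS_ID, ...)` later publishes whatever ALLOC left there; add `param->vsys_id = item->valueint;` right after the vsys_id check. The `uuid_parse` calls on `key`, `keyring_for_trusted`, `keyring_for_untrusted`, `decryption_profile` and `tcp_option_profile` are all unchecked, so a malformed UUID string in a rule is accepted with a partially written id; each should read like `if (uuid_parse(item->valuestring, param->tcp_option_profile) != 0) { TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule:%s (invalid tcp_option_profile uuid) %s.", key, table_line); goto error_out; }`. The `strdup(table_line)` copy is neither checked nor needed, since cJSON_Parse takes a `const char *`; parse table_line directly and drop json_str (the same applies to chaining_param_new_cb and profile_param_new_cb further down this page). intercept_param_new_cb lies entirely within this section, but intercept_policy_enforce's body continues outside it.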


@@ -581,14 +581,14 @@ void ctrl_packet_parser_dump(struct ctrl_pkt_parser *handler, void *logger)
log_len += snprintf(log_str + log_len, LOG_STR_LEN - log_len, ", tfe policy_id_num: %d, tfe policy_ids[", handler->tfe_policy_id_num);
for (int i = 0; i < handler->tfe_policy_id_num; i++) {
char str_tfe_policy_ids[UUID_STR_LEN] = {0};
char str_tfe_policy_ids[UUID_STRING_SIZE] = {0};
uuid_unparse(handler->tfe_policy_ids[i], str_tfe_policy_ids);
log_len += snprintf(log_str + log_len, LOG_STR_LEN - log_len, "%s, ", str_tfe_policy_ids);
}
log_len += snprintf(log_str + log_len, LOG_STR_LEN - log_len, "], sce policy_id_num: %d, sce policy_ids[", handler->sce_policy_id_num);
for (int i = 0; i < handler->sce_policy_id_num; i++) {
char str_sce_policy_ids[UUID_STR_LEN] = {0};
char str_sce_policy_ids[UUID_STRING_SIZE] = {0};
uuid_unparse(handler->sce_policy_ids[i], str_sce_policy_ids);
log_len += snprintf(log_str + log_len, LOG_STR_LEN - log_len, "%s, ", str_sce_policy_ids);
}
@@ -628,7 +628,7 @@ void ctrl_packet_parser_dump(struct ctrl_pkt_parser *handler, void *logger)
break;
}
for (int i = 0; i < size/UUID_LEN; i++) {
char str_tags_ids[UUID_STR_LEN] = {0};
char str_tags_ids[UUID_STRING_SIZE] = {0};
uuid_unparse(tags_ids_array[i], str_tags_ids);
log_len += snprintf(log_str + log_len, LOG_STR_LEN - log_len, ", %s:%s", tags_ids_cmsg_name_maps[map_index], str_tags_ids);
}
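Review bot: The `log_len += snprintf(log_str + log_len, LOG_STR_LEN - log_len, ...)` accumulation in ctrl_packet_parser_dump has no truncation guard: snprintf returns the length it would have written, so once a long policy-id list passes LOG_STR_LEN, log_len exceeds the buffer and `LOG_STR_LEN - log_len` goes negative, is converted to a huge size_t, and the next call writes past the end of log_str. The rename to UUID_STRING_SIZE does not change this, but the two loops here are what make the overrun reachable with a large tfe_policy_id_num or sce_policy_id_num. Clamp after each call, e.g. `if (log_len >= LOG_STR_LEN) { log_len = LOG_STR_LEN - 1; break; }`, or route every append through one helper that checks the remaining space. The types of log_len and LOG_STR_LEN are not visible in the hunk; if log_len is unsigned the subtraction wraps instead, with the same effect. The function starts and ends outside this section.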


@@ -43,7 +43,7 @@ int tfe_fieldstat_intercept_incrby(struct fieldstat_easy_intercept *metrics, voi
}
uuid_t rule_id;
char str_rule_id[UUID_STR_LEN] = {0};
char str_rule_id[UUID_STRING_SIZE] = {0};
ret = tfe_cmsg_get_value(cmsg, TFE_CMSG_POLICY_ID, (unsigned char *)rule_id, UUID_LEN, &out_size);
if (ret != 0)
{


@@ -156,7 +156,7 @@ struct packet_identify
extern int tcp_policy_enforce(struct tcp_policy_enforcer *tcp_enforcer, struct tfe_cmsg *cmsg);
extern int tfe_proxy_fds_accept(struct tfe_proxy * ctx, int fd_downstream, int fd_upstream, int fd_fake_c, int fd_fake_s, struct tfe_cmsg * cmsg);
extern void chaining_policy_enforce(struct chaining_policy_enforcer *enforcer, struct tfe_cmsg *cmsg, uuid_t rule_id);
extern void chaining_policy_enforce(struct chaining_policy_enforcer *enforcer, struct tfe_cmsg *cmsg, uuid_t *rule_id);
/******************************************************************************
* dup packet filter
@@ -1128,8 +1128,8 @@ static int handle_session_opening(struct metadata *meta, marsio_buff_t *rx_buff,
tfe_cmsg_get_value(parser->cmsg, TFE_CMSG_TCP_RESTORE_PROTOCOL, (unsigned char *)&stream_protocol_in_char, sizeof(stream_protocol_in_char), &size);
uuid_t rule_id = {0};
char str_rule_id[UUID_STR_LEN] = {0};
ret = intercept_policy_select(thread->ref_proxy->int_ply_enforcer, parser->tfe_policy_ids, parser->tfe_policy_id_num, rule_id);
char str_rule_id[UUID_STRING_SIZE] = {0};
ret = intercept_policy_select(thread->ref_proxy->int_ply_enforcer, parser->tfe_policy_ids, parser->tfe_policy_id_num, &rule_id);
uuid_unparse(rule_id, str_rule_id);
if (ret != 0)
{
@@ -1169,7 +1169,7 @@ static int handle_session_opening(struct metadata *meta, marsio_buff_t *rx_buff,
}
for (int i = 0; i < parser->sce_policy_id_num; i++) {
chaining_policy_enforce(thread->ref_proxy->chain_ply_enforcer, parser->cmsg, parser->sce_policy_ids[i]);
chaining_policy_enforce(thread->ref_proxy->chain_ply_enforcer, parser->cmsg, &parser->sce_policy_ids[i]);
}
tcp_restore_set_from_cmsg(parser->cmsg, &restore_info);
@@ -1346,7 +1346,7 @@ static int handle_session_closing(struct metadata *meta, marsio_buff_t *rx_buff,
struct packet_io *packet_io = thread->ref_io;
struct packet_io_fs *packet_io_fs = thread->ret_fs_state;
void * logger = thread->logger;
char str_policy_id[UUID_STR_LEN] = {0};
char str_policy_id[UUID_STRING_SIZE] = {0};
struct session_node *node = session_table_search_by_id(thread->session_table, meta->session_id);
if (node)
@@ -1373,7 +1373,7 @@ static int handle_session_resetall(struct metadata *meta, marsio_buff_t *rx_buff
struct packet_io *packet_io = thread->ref_io;
struct packet_io_fs *packet_io_fs = thread->ret_fs_state;
void * logger = thread->logger;
char str_policy_id[UUID_STR_LEN] = {0};
char str_policy_id[UUID_STRING_SIZE] = {0};
TFE_LOG_ERROR(logger, "%s: session %lu resetall: notification clears all session tables !!!", LOG_TAG_PKTIO, meta->session_id);
tfe_dp_telemetry_on_ctrl_pkt(packet_io->instance, rx_buff, str_policy_id, meta->session_id, "resetall", NULL, NULL);
@@ -1457,7 +1457,7 @@ static int handle_raw_packet_from_nf(struct packet_io *handle, marsio_buff_t *rx
char *header = NULL;
int header_len = 0;
void * logger = thread->logger;
char str_policy_id[UUID_STR_LEN] = {0};
char str_policy_id[UUID_STRING_SIZE] = {0};
int raw_len = marsio_buff_datalen(rx_buff);
char *raw_data = marsio_buff_mtod(rx_buff);


@@ -48,7 +48,7 @@ void build_mpack_data(char **data, size_t *size)
uint8_t ack_header[] = {0x80, 0x90, 0xA0, 0xB0, 0xC0, 0xD0, 0xE0, 0xF0};
uint8_t tfe_flag = 0;
uuid_t uuid;
char str_uuid[UUID_STR_LEN] = {0};
char str_uuid[UUID_STRING_SIZE] = {0};
mpack_writer_init_growable(&writer, data, size);
mpack_build_map(&writer);


@@ -1,9 +1,5 @@
[system]
nr_worker_threads=8
enable_kni_v1=0
enable_kni_v2=0
enable_kni_v3=0
enable_kni_v4=1
# Only when (disable_coredump == 1 || (enable_breakpad == 1 && enable_breakpad_upload == 1)) is satisfied, the core will not be generated locally
disable_coredump=0


@@ -1,7 +1,9 @@
find_package(SYSTEMD REQUIRED)
find_package(NFNETLINK REQUIRED)
add_executable(tfe src/acceptor_kni_v1.cpp src/acceptor_kni_v2.cpp src/acceptor_kni_v3.cpp src/acceptor_kni_v4.cpp src/ssl_stream.cpp src/key_keeper.cpp src/ssl_fetch_cert.cpp
add_executable(tfe
#src/acceptor_kni_v1.cpp src/acceptor_kni_v2.cpp src/acceptor_kni_v3.cpp
src/acceptor_kni_v4.cpp src/ssl_stream.cpp src/key_keeper.cpp src/ssl_fetch_cert.cpp
src/ssl_sess_cache.cpp src/ssl_sess_ticket.cpp src/ssl_service_cache.cpp
src/ssl_trusted_cert_storage.cpp src/ev_root_ca_metadata.cpp src/ssl_utils.cpp
src/tcp_stream.cpp src/main.cpp src/proxy.cpp src/sender_scm.cpp src/watchdog_kni.cpp src/watchdog_tfe.cpp src/ssl_ja3.cpp src/watchdog_3rd_device.cpp)


@@ -2,6 +2,7 @@
#include <event2/event.h>
#include <openssl/ssl.h>
#include <tfe_future.h>
#include <uuid/uuid.h>
struct keyring
{


@@ -137,14 +137,14 @@ struct tfe_proxy
struct chaining_policy_enforcer *chain_ply_enforcer;
struct key_keeper * key_keeper_handler;
unsigned int en_kni_v1_acceptor;
unsigned int en_kni_v2_acceptor;
unsigned int en_kni_v3_acceptor;
unsigned int en_kni_v4_acceptor;
//unsigned int en_kni_v1_acceptor;
//unsigned int en_kni_v2_acceptor;
//unsigned int en_kni_v3_acceptor;
//unsigned int en_kni_v4_acceptor;
struct acceptor_kni_v1 * kni_v1_acceptor;
struct acceptor_kni_v2 * kni_v2_acceptor;
struct acceptor_kni_v3 * kni_v3_acceptor;
//struct acceptor_kni_v1 * kni_v1_acceptor;
//struct acceptor_kni_v2 * kni_v2_acceptor;
//struct acceptor_kni_v3 * kni_v3_acceptor;
struct acceptor_kni_v4 * kni_v4_acceptor;
struct sender_scm * scm_sender;
struct watchdog_kni * watchdog_kni;


@@ -692,7 +692,7 @@ static uchar* get_key_by_cert(X509* cert, const char *keyring_uuid_str, unsigned
}
char* key = ALLOC(char, HTABLE_MAX_KEY_LEN);
memset(key, 0, HTABLE_MAX_KEY_LEN);
snprintf(key, HTABLE_MAX_KEY_LEN, "%d:%d:", keyring_uuid_str, is_cert_valid);
snprintf(key, HTABLE_MAX_KEY_LEN, "%s:%d:", keyring_uuid_str, is_cert_valid);
strncat(key, cert_fingerprint, HTABLE_MAX_KEY_LEN);
*len = strnlen(key, HTABLE_MAX_KEY_LEN);
free(cert_fingerprint);
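Review bot: The corrected `%s` makes the prefix up to a full UUID string long, and the following `strncat(key, cert_fingerprint, HTABLE_MAX_KEY_LEN)` still passes the whole buffer size as the append limit rather than the remaining space, so prefix plus fingerprint can exceed HTABLE_MAX_KEY_LEN and write past key. Build the key in one bounded call and check for truncation: `int n = snprintf(key, HTABLE_MAX_KEY_LEN, "%s:%d:%s", keyring_uuid_str, is_cert_valid, cert_fingerprint);` followed by `if (n < 0 || n >= HTABLE_MAX_KEY_LEN) { /* truncated key: do not use it for the lookup */ }` with whatever error handling this function uses elsewhere. The `memset` before snprintf is then redundant, and `*len` can be taken from `n` instead of strnlen. get_key_by_cert starts and ends outside this section.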


@@ -45,9 +45,9 @@
#include <platform.h>
#include <proxy.h>
#include <tcp_stream.h>
#include <acceptor_kni_v1.h>
#include <acceptor_kni_v2.h>
#include <acceptor_kni_v3.h>
//#include <acceptor_kni_v1.h>
//#include <acceptor_kni_v2.h>
//#include <acceptor_kni_v3.h>
#include <acceptor_kni_v4.h>
#include <watchdog_kni.h>
#include <watchdog_tfe.h>
@@ -549,41 +549,46 @@ int tfe_stat_init(struct tfe_proxy * proxy, const char * profile)
return 0;
}
void tfe_proxy_acceptor_init(struct tfe_proxy * proxy, const char * profile)
void tfe_proxy_acceptor_init(struct tfe_proxy *proxy, const char *profile)
{
MESA_load_profile_uint_def(profile, "system", "enable_kni_v1", &proxy->en_kni_v1_acceptor, 0);
MESA_load_profile_uint_def(profile, "system", "enable_kni_v2", &proxy->en_kni_v2_acceptor, 0);
#if 0
MESA_load_profile_uint_def(profile, "system", "enable_kni_v1", &proxy->en_kni_v1_acceptor, 0);
MESA_load_profile_uint_def(profile, "system", "enable_kni_v2", &proxy->en_kni_v2_acceptor, 0);
MESA_load_profile_uint_def(profile, "system", "enable_kni_v3", &proxy->en_kni_v3_acceptor, 0);
MESA_load_profile_uint_def(profile, "system", "enable_kni_v4", &proxy->en_kni_v4_acceptor, 0);
int ret = proxy->en_kni_v1_acceptor + proxy->en_kni_v2_acceptor + proxy->en_kni_v3_acceptor + proxy->en_kni_v4_acceptor;
CHECK_OR_EXIT((ret == 1), "Invalid KNI acceptor. Exit.");
if (proxy->en_kni_v1_acceptor)
{
g_default_proxy->kni_v1_acceptor = acceptor_kni_v1_create(proxy, profile, proxy->logger);
CHECK_OR_EXIT(g_default_proxy->kni_v1_acceptor, "Failed at init KNIv1 acceptor. Exit. ");
}
if (proxy->en_kni_v1_acceptor)
{
g_default_proxy->kni_v1_acceptor = acceptor_kni_v1_create(proxy, profile, proxy->logger);
CHECK_OR_EXIT(g_default_proxy->kni_v1_acceptor, "Failed at init KNIv1 acceptor. Exit. ");
}
if (proxy->en_kni_v2_acceptor)
{
g_default_proxy->kni_v2_acceptor = acceptor_kni_v2_create(g_default_proxy, profile, g_default_logger);
CHECK_OR_EXIT(g_default_proxy->kni_v2_acceptor, "Failed at init KNIv2 acceptor. Exit. ");
}
if (proxy->en_kni_v2_acceptor)
{
g_default_proxy->kni_v2_acceptor = acceptor_kni_v2_create(g_default_proxy, profile, g_default_logger);
CHECK_OR_EXIT(g_default_proxy->kni_v2_acceptor, "Failed at init KNIv2 acceptor. Exit. ");
}
if (proxy->en_kni_v3_acceptor)
{
g_default_proxy->kni_v3_acceptor = acceptor_kni_v3_create(g_default_proxy, profile, g_default_logger);
CHECK_OR_EXIT(g_default_proxy->kni_v3_acceptor, "Failed at init KNIv3 acceptor. Exit. ");
}
{
g_default_proxy->kni_v3_acceptor = acceptor_kni_v3_create(g_default_proxy, profile, g_default_logger);
CHECK_OR_EXIT(g_default_proxy->kni_v3_acceptor, "Failed at init KNIv3 acceptor. Exit. ");
}
if (proxy->en_kni_v4_acceptor)
{
g_default_proxy->kni_v4_acceptor = acceptor_kni_v4_create(g_default_proxy, profile);
CHECK_OR_EXIT(g_default_proxy->kni_v4_acceptor, "Failed at init KNIv4 acceptor. Exit. ");
}
{
g_default_proxy->kni_v4_acceptor = acceptor_kni_v4_create(g_default_proxy, profile);
CHECK_OR_EXIT(g_default_proxy->kni_v4_acceptor, "Failed at init KNIv4 acceptor. Exit. ");
}
#endif
return;
g_default_proxy->kni_v4_acceptor = acceptor_kni_v4_create(g_default_proxy, profile);
CHECK_OR_EXIT(g_default_proxy->kni_v4_acceptor, "Failed at init KNIv4 acceptor. Exit. ");
return;
}
static void usage(char *cmd)
@@ -732,7 +737,7 @@ int main(int argc, char * argv[])
g_default_proxy->tcp_ply_enforcer = tcp_policy_enforcer_create(g_default_logger);
CHECK_OR_EXIT(g_default_proxy->tcp_ply_enforcer != NULL, "Failed at creating tcp policy enforcer. Exit.");
g_default_proxy->ssl_ply_enforcer = ssl_policy_enforcer_create(g_default_logger);
g_default_proxy->ssl_ply_enforcer = ssl_policy_enforcer_create();
CHECK_OR_EXIT(g_default_proxy->ssl_ply_enforcer != NULL, "Failed at creating ssl policy enforcer. Exit.");
g_default_proxy->chain_ply_enforcer = chaining_policy_enforcer_create(g_default_logger);
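Review bot: tfe_proxy_acceptor_init keeps the whole v1–v3 acceptor setup inside `#if 0 … #endif`, including a `return;` that now sits above the live kni_v4 code; code under `#if 0` is neither compiled nor refactored with the rest and is already preserved in history, so delete it together with the commented-out includes above and the commented-out fields in struct tfe_proxy, leaving just the two v4 lines. With the `enable_kni_v4` profile key no longer read, the function unconditionally creates the v4 acceptor; if that is intended, a one-line comment such as `// KNI v4 is the only acceptor; v1-v3 support was removed` would spare the next reader a search for the removed config keys. The same section changes `ssl_policy_enforcer_create()` to take no logger while the other enforcers still receive `g_default_logger`; the new signature is outside what this page shows, so I only flag the inconsistency. main starts and ends outside this section.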


@@ -2,6 +2,7 @@
#include <MESA/maat.h>
#include <tfe_resource.h>
#include <ssl_stream.h>
#include <cjson/cJSON.h>
struct ssl_svc_ja3
{
@@ -138,7 +139,7 @@ static int ssl_svc_ja3_init()
NULL) != 0)
{
TFE_LOG_ERROR(g_default_logger, "failed at Maat_plugin_EX_register(PXY_SSL_FINGERPRINT)");
return -1
return -1;
}
else
{


@@ -31,23 +31,21 @@ struct chaining_policy_enforcer
static void chaining_param_new_cb(const char *table_name, const char *key, const char *table_line, void **ad, long argl, void *argp)
{
cJSON * json_root = NULL;
cJSON * json_subroot = NULL;
cJSON * item = NULL;
size_t user_region_offset = 0;
size_t user_region_len = 0;
cJSON *json_root = NULL;
cJSON *json_subroot = NULL;
cJSON *item = NULL;
struct chaining_param *param = NULL;
struct chaining_policy_enforcer *enforcer = (struct chaining_policy_enforcer *)argp;
json_root = cJSON_Parse(table_line);
char *json_str = strdup(table_line);
json_root = cJSON_Parse(json_str);
if (unlikely(!json_root))
{
TFE_LOG_ERROR(enforcer->logger, "Invalid chaining profile: %s", table_line);
goto error_out;
}
json_subroot = cJSON_GetObjectItem(json_root, "action_parameter");
if (unlikely(!json_subroot))
if (unlikely(!json_subroot || !cJSON_IsObject(json_subroot)))
{
TFE_LOG_ERROR(enforcer->logger, "Invalid chaining rule: %s (invalid action_parameter format) %s.", key, table_line);
goto error_out;
@@ -80,6 +78,7 @@ static void chaining_param_new_cb(const char *table_name, const char *key, const
*ad = param;
TFE_LOG_INFO(enforcer->logger, "Add chaining rule: %s", key);
cJSON_Delete(json_root);
free(json_str);
return;
error_out:
@@ -88,6 +87,11 @@ error_out:
cJSON_Delete(json_root);
json_root = NULL;
}
if (json_str)
{
free(json_str);
json_str = NULL;
}
if (param)
{
free(param);
@@ -97,7 +101,7 @@ error_out:
static void chaining_param_free_cb(const char *table_name, void **ad, long argl, void *argp)
{
char str_rule_id[UUID_STR_LEN] = {0};
char str_rule_id[UUID_STRING_SIZE] = {0};
struct chaining_policy_enforcer *enforcer = (struct chaining_policy_enforcer *)argp;
struct chaining_param *param = (struct chaining_param *)*ad;
if (param == NULL)
@@ -116,7 +120,7 @@ static void chaining_param_free_cb(const char *table_name, void **ad, long argl,
static void chaining_param_free(struct chaining_param *param)
{
chaining_param_free_cb(0, (void **)&param, 0, NULL);
chaining_param_free_cb(NULL, (void **)&param, 0, NULL);
}
static void chaining_param_dup_cb(const char *table_name, void **to, void **from, long argl, void *argp)
@@ -167,10 +171,10 @@ void chaining_policy_enforcer_destory(struct chaining_policy_enforcer *enforcer)
}
}
void chaining_policy_enforce(struct chaining_policy_enforcer *enforcer, struct tfe_cmsg *cmsg, uuid_t rule_id)
void chaining_policy_enforce(struct chaining_policy_enforcer *enforcer, struct tfe_cmsg *cmsg, uuid_t *rule_id)
{
uint16_t size = 0;
char str_rule_id[UUID_STR_LEN] = {0};
char str_rule_id[UUID_STRING_SIZE] = {0};
uint8_t enalbe_decrypted_traffic_steering = 0;
tfe_cmsg_get_value(cmsg, TFE_CMSG_TCP_DECRYPTED_TRAFFIC_STEERING, (unsigned char *)&enalbe_decrypted_traffic_steering, sizeof(enalbe_decrypted_traffic_steering), &size);
@@ -179,8 +183,8 @@ void chaining_policy_enforce(struct chaining_policy_enforcer *enforcer, struct t
return;
}
uuid_unparse(rule_id, str_rule_id);
struct chaining_param *param = (struct chaining_param *)maat_plugin_table_get_ex_data(enforcer->maat, enforcer->table_name, str_rule_id, UUID_STR_LEN-1);
uuid_unparse(*rule_id, str_rule_id);
struct chaining_param *param = (struct chaining_param *)maat_plugin_table_get_ex_data(enforcer->maat, enforcer->table_name, (const char *)rule_id, sizeof(uuid_t));
if (param == NULL)
{
TFE_LOG_INFO(enforcer->logger, "Failed to get chaining parameter of policy %s.", str_rule_id);


@@ -5,4 +5,4 @@
struct chaining_policy_enforcer;
struct chaining_policy_enforcer *chaining_policy_enforcer_create(void *logger);
void chaining_policy_enforcer_destory(struct chaining_policy_enforcer *enforcer);
void chaining_policy_enforce(struct chaining_policy_enforcer *enforcer, struct tfe_cmsg *cmsg, uuid_t rule_id);
void chaining_policy_enforce(struct chaining_policy_enforcer *enforcer, struct tfe_cmsg *cmsg, uuid_t *rule_id);


@@ -74,7 +74,6 @@ static void profile_param_free(struct decryption_param *param)
static void profile_param_new_cb(const char *table_name, const char *key, const char *table_line, void **ad, long argl, void *argp)
{
int ret = 0;
cJSON *json = NULL;
cJSON *object = NULL;
cJSON *exclusions = NULL;


@@ -37,7 +37,7 @@ struct tcp_profile_param
struct side_conn_param server_side;
};
static int parser_side_conn_param(cJSON * json, struct side_conn_param *out_val, void *logger)
static int parser_side_conn_param(cJSON *json, struct side_conn_param *out_val, void *logger)
{
cJSON *object = NULL;
cJSON *item = NULL;
@@ -113,21 +113,21 @@ static int parser_side_conn_param(cJSON * json, struct side_conn_param *out_val,
out_val->user_timeout = 0;
}
}
cJSON_Delete(json);
return 0;
}
static void profile_param_new_cb(const char *table_name, const char *key, const char *table_line, void **ad, long argl, void *argp)
{
cJSON * json_root = NULL;
cJSON * json_subroot = NULL;
cJSON * item = NULL;
cJSON *json_root = NULL;
cJSON *json_subroot = NULL;
cJSON *item = NULL;
struct tcp_profile_param *param = NULL;
struct tcp_policy_enforcer *enforcer = (struct tcp_policy_enforcer *)argp;
json_root = cJSON_Parse(table_line);
if (unlikely(!json_root))
char *json_str = strdup(table_line);
json_root = cJSON_Parse(json_str);
if (json_root == NULL)
{
TFE_LOG_ERROR(enforcer->logger, "Invalid tcp option profile: %s", table_line);
goto error_out;
@@ -139,7 +139,7 @@ static void profile_param_new_cb(const char *table_name, const char *key, const
item = cJSON_GetObjectItem(json_root, "tcp_passthrough");
if (unlikely(!item || !cJSON_IsNumber(item)))
{
TFE_LOG_ERROR(enforcer->logger, "Invalid tcp option parameter: %s invalid tcp_passthrough format.", key);
TFE_LOG_ERROR(enforcer->logger, "Invalid tcp option parameter: (invalid tcp_passthrough format) %s", table_line);
goto error_out;
}
param->tcp_passthrough = item->valueint;
@@ -147,15 +147,15 @@ static void profile_param_new_cb(const char *table_name, const char *key, const
item = cJSON_GetObjectItem(json_root, "bypass_duplicated_packet");
if (unlikely(!item || !cJSON_IsNumber(item)))
{
TFE_LOG_ERROR(enforcer->logger, "Invalid tcp option parameter: %s invalid bypass_duplicated_packet format.", key);
TFE_LOG_ERROR(enforcer->logger, "Invalid tcp option parameter: (invalid bypass_duplicated_packet format) %s", table_line);
goto error_out;
}
param->bypass_duplicated_packet = item->valueint;
json_subroot = cJSON_GetObjectItem(json_root, "client_side_conn_param");
if (unlikely(!json_subroot))
if (unlikely(!json_subroot || !cJSON_IsObject(json_subroot)))
{
TFE_LOG_ERROR(enforcer->logger, "Invalid tcp option parameter: %s invalid client_side_conn_param format.", key);
TFE_LOG_ERROR(enforcer->logger, "Invalid tcp option parameter: (invalid client_side_conn_param format) %s", table_line);
goto error_out;
}
if (parser_side_conn_param(json_subroot, &param->client_side, enforcer->logger) == -1)
@@ -164,9 +164,9 @@ static void profile_param_new_cb(const char *table_name, const char *key, const
}
json_subroot = cJSON_GetObjectItem(json_root, "server_side_conn_param");
if (unlikely(!json_subroot))
if (unlikely(!json_subroot || !cJSON_IsObject(json_subroot)))
{
TFE_LOG_ERROR(enforcer->logger, "Invalid tcp option parameter: %s invalid server_side_conn_param format.", key);
TFE_LOG_ERROR(enforcer->logger, "Invalid tcp option parameter: (invalid server_side_conn_param format) %s", table_line);
goto error_out;
}
if (parser_side_conn_param(json_subroot, &param->server_side, enforcer->logger) == -1)
@@ -176,18 +176,24 @@ static void profile_param_new_cb(const char *table_name, const char *key, const
*ad = param;
TFE_LOG_INFO(enforcer->logger, "Add tcp option profile: %s", key);
cJSON_Delete(json_root);
free(json_str);
return;
error_out:
if (param)
{
free(param);
}
if (json_root)
{
cJSON_Delete(json_root);
}
if (json_str)
{
free(json_str);
}
if (param)
{
free(param);
}
}
static void profile_param_free_cb(const char *table_name, void **ad, long argl, void *argp)
@@ -221,7 +227,7 @@ static void profile_param_dup_cb(const char *table_name, void **to, void **from,
static void profile_param_free(struct tcp_profile_param *param)
{
profile_param_free_cb(0, (void **)&param, 0, NULL);
profile_param_free_cb(NULL, (void **)&param, 0, NULL);
}
struct tcp_policy_enforcer *tcp_policy_enforcer_create(void *logger)
@@ -263,22 +269,22 @@ void tcp_policy_enforcer_destory(struct tcp_policy_enforcer *enforcer)
int tcp_policy_enforce(struct tcp_policy_enforcer *tcp_enforcer, struct tfe_cmsg *cmsg)
{
int ret = 0;
int profile_id = 0;
uuid_t profile_uuid;
uint16_t size = 0;
char buffer[16] = {0};
char profile_uuid_str[UUID_STRING_SIZE] = {0};
ret = tfe_cmsg_get_value(cmsg, TFE_CMSG_TCP_OPTION_PROFILE_ID, (unsigned char *)&profile_id, sizeof(profile_id), &size);
ret = tfe_cmsg_get_value(cmsg, TFE_CMSG_TCP_OPTION_PROFILE_ID, (unsigned char *)&profile_uuid, sizeof(uuid_t), &size);
if (ret < 0)
{
TFE_LOG_ERROR(g_default_logger, "Failed at fetch tcp_option_profile from cmsg: %s", strerror(-ret));
return -1;
}
snprintf(buffer, sizeof(buffer), "%d", profile_id);
struct tcp_profile_param *param = (struct tcp_profile_param *)maat_plugin_table_get_ex_data(tcp_enforcer->maat, tcp_enforcer->table_name, buffer, strlen(buffer));
uuid_unparse(profile_uuid, profile_uuid_str);
struct tcp_profile_param *param = (struct tcp_profile_param *)maat_plugin_table_get_ex_data(tcp_enforcer->maat, tcp_enforcer->table_name, (const char *)&profile_uuid, sizeof(uuid_t));
if (param == NULL)
{
TFE_LOG_INFO(tcp_enforcer->logger, "Failed to get tcp option parameter of profile %d.", profile_id);
TFE_LOG_INFO(tcp_enforcer->logger, "Failed to get tcp option parameter of profile %s.", profile_uuid_str);
return -1;
}
@@ -311,10 +317,10 @@ int tcp_policy_enforce(struct tcp_policy_enforcer *tcp_enforcer, struct tfe_cmsg
tfe_cmsg_set(cmsg, TFE_CMSG_UPSTREAM_TCP_KEEPINTVL, (unsigned char *)&server_side->keepintvl, sizeof(server_side->keepintvl));
tfe_cmsg_set(cmsg, TFE_CMSG_UPSTREAM_TCP_USER_TIMEOUT, (unsigned char *)&server_side->user_timeout, sizeof(server_side->user_timeout));
TFE_LOG_INFO(tcp_enforcer->logger, "hit tcp_option_profile %d tcp_passthrough %d "
TFE_LOG_INFO(tcp_enforcer->logger, "hit tcp_option_profile %s tcp_passthrough %d "
"client_side={maxseg_enable:%d, maxseg_vaule:%d, nodelay:%d, ttl:%d, keepalive:%d, keepcnt:%d, keepidle:%d, keepintvl:%d, user_timeout:%d} "
"server_side={maxseg_enable:%d, maxseg_vaule:%d, nodelay:%d, ttl:%d, keepalive:%d, keepcnt:%d, keepidle:%d, keepintvl:%d, user_timeout:%d} ",
profile_id, param->tcp_passthrough,
profile_uuid_str, param->tcp_passthrough,
client_side->maxseg_enable, client_side->maxseg_vaule, client_side->nodelay, client_side->ttl, client_side->keepalive, client_side->keepcnt, client_side->keepidle, client_side->keepintvl, client_side->user_timeout,
server_side->maxseg_enable, server_side->maxseg_vaule, server_side->nodelay, server_side->ttl, server_side->keepalive, server_side->keepcnt, server_side->keepidle, server_side->keepintvl, server_side->user_timeout);
profile_param_free(param);


@@ -106,7 +106,7 @@ void policy_table_ex_data_new_cb(const char *table_name, const char *key, const
char *str_json = NULL;
cJSON *json = NULL;
cJSON *object = NULL;
cjson *subobj = NULL;
cJSON *subobj = NULL;
cJSON *item = NULL;
struct policy_table_ex_data *ex_data = NULL;
@@ -132,7 +132,7 @@ void policy_table_ex_data_new_cb(const char *table_name, const char *key, const
}
subobj = cJSON_GetObjectItem(object, "traffic_mirror");
if (unlikely(!json_subroot))
if (unlikely(!subobj))
{
TFE_LOG_ERROR(instance->logger, "invalid format, traffic_mirror is not defined, %s", table_line);
goto error_out;
@@ -142,7 +142,7 @@ void policy_table_ex_data_new_cb(const char *table_name, const char *key, const
ex_data->atomic_refcnt = 1;
ex_data->enable = 0;
ex_data->is_profile_set = 0;
uuid_parse(key, ex_data->rule_id);
uuid_parse(key, ex_data->rule_uuid);
item = cJSON_GetObjectItem(subobj, "enable");
if (unlikely(!item || !cJSON_IsNumber(item)))
@@ -306,24 +306,22 @@ void profile_table_ex_data_new_cb(const char *table_name, const char *key, const
TFE_LOG_DEBUG(instance->logger, "Add traffic mirror profile: %s", key);
cJSON_Delete(json_root);
cJSON_Delete(json);
free(str_json);
return;
error_out:
if (ex_data)
if (json)
{
profile_table_ex_data_free(ex_data);
cJSON_Delete(json);
}
if (str_json)
{
free(str_json);
}
if (json_root)
if (ex_data)
{
cJSON_Delete(json_root);
profile_table_ex_data_free(ex_data);
}
}
@@ -513,13 +511,13 @@ int traffic_mirror_init(struct tfe_proxy * proxy)
goto errout;
}
result = maat_plugin_table_ex_schema_register(instance->maat_feather, "PXY_INTERCEPT_COMPILE",
result = maat_plugin_table_ex_schema_register(instance->maat_feather, "PXY_INTERCEPT_RULE",
policy_table_ex_data_new_cb, policy_table_ex_data_free_cb, policy_table_ex_data_dup_cb,
0, instance);
if(result < 0)
{
TFE_LOG_ERROR(instance->logger, "failed at maat_plugin_table_ex_schema_register(PXY_INTERCEPT_COMPILE)");
TFE_LOG_ERROR(instance->logger, "failed at maat_plugin_table_ex_schema_register(PXY_INTERCEPT_RULE)");
goto errout;
}
@@ -585,7 +583,7 @@ int traffic_mirror_on_open_cb(const struct tfe_stream * stream, unsigned int thr
}
uuid_unparse(rule_uuid, rule_uuid_str);
policy_ex_data = (struct policy_table_ex_data *)maat_plugin_table_get_ex_data(instance->maat_feather, PXY_INTERCEPT_COMPILE, rule_uuid, sizeof(uuid_t));
policy_ex_data = (struct policy_table_ex_data *)maat_plugin_table_get_ex_data(instance->maat_feather, "PXY_INTERCEPT_RULE", (const char *)&rule_uuid, sizeof(uuid_t));
if (!policy_ex_data || !policy_ex_data->enable)
{
goto detach;
@@ -612,7 +610,7 @@ int traffic_mirror_on_open_cb(const struct tfe_stream * stream, unsigned int thr
if (policy_ex_data->is_profile_set)
{
uuid_unparse(policy_ex_data->profile_uuid, profile_uuid_str);
profile_ex_data = (struct profile_table_ex_data *)maat_plugin_table_get_ex_data(instance->maat_feather, TSG_PROFILE_TRAFFIC_MIRROR, policy_ex_data->profile_uuid, sizeof(uuid_t));
profile_ex_data = (struct profile_table_ex_data *)maat_plugin_table_get_ex_data(instance->maat_feather, "TSG_PROFILE_TRAFFIC_MIRROR", (const char *)&policy_ex_data->profile_uuid, sizeof(uuid_t));
if (!profile_ex_data)
{
TFE_LOG_ERROR(instance->logger, "failed at getting policy %s's profile, profile id = %s, "
@@ -647,8 +645,8 @@ int traffic_mirror_on_open_cb(const struct tfe_stream * stream, unsigned int thr
rebuild_target = NULL;
traffic_mirror_rebuild_handshake(me->rebuild_ctx, thread_id);
TFE_LOG_DEBUG(instance->logger, "hit traffic mirror policy %s, profile %s, vlan %d",
rule_uuid_str, profile_uuid_str, me->rebuild_ctx->target.vlan_tci);
TFE_LOG_DEBUG(instance->logger, "hit traffic mirror policy %s, profile %s",
rule_uuid_str, profile_uuid_str);
return ACTION_FORWARD_DATA;
detach:
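Review bot: The result of `uuid_parse(key, ex_data->rule_uuid)` is still discarded, so a key that is not a well-formed UUID leaves `rule_uuid` unset while the entry is registered as if it were valid; a failed parse should be an error, e.g. `if (uuid_parse(key, ex_data->rule_uuid) != 0) { TFE_LOG_ERROR(instance->logger, "invalid rule uuid %s", key); goto error_out; }` (assuming that label releases `ex_data` the way the profile callback's does). This matters because the fixture rows added in the JSON data sections below (PXY_INTERCEPT_RULE, SERVICE_CHAINING_RULE, PXY_PROFILE_TCP_OPTION and PXY_PROFILE_DECRYPTION) use identifiers such as `INTERCEP-0000-…`, `KERING00-TRUS-…` and `SC000000-…` that contain non-hex characters, which libuuid's uuid_parse rejects, so the binary keys these rules are later looked up by through `maat_plugin_table_get_ex_data` would never match. Either the fixtures should use hex-only UUIDs or the key should be derived the same way the lookups expect it; which of the two applies depends on how maat materialises the `uuid` key column, which is not visible here. policy_table_ex_data_new_cb and traffic_mirror_on_open_cb both start and end outside this section's hunks.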


@@ -153,17 +153,16 @@
{
"table_name": "PXY_PROFILE_DECRYPTION",
"table_content": [
"0\ttest\t{\"dynamic_bypass\":{\"ev_cert\":0,\"cert_transparency\":0,\"mutual_authentication\":1,\"cert_pinning\":1,\"protocol_errors\":1,\"trusted_root_cert_is_not_installed_on_client\":1},\"protocol_version\":{\"min\":\"ssl3\",\"max\":\"ssl3\",\"mirror_client\":1,\"allow_http2\":1},\"certificate_checks\":{\"approach\":{\"cn\":1,\"issuer\":1,\"self-signed\":1,\"expiration\":0},\"fail_action\":\"pass-through\"}}\t1",
"3\ttest\t{\"dynamic_bypass\":{\"ev_cert\":1,\"cert_transparency\":1,\"mutual_authentication\":1,\"cert_pinning\":1,\"protocol_errors\":1,\"trusted_root_cert_is_not_installed_on_client\":0},\"protocol_version\":{\"min\":\"ssl3\",\"max\":\"tls13\",\"mirror_client\":1,\"allow_http2\":1},\"certificate_checks\":{\"approach\":{\"cn\":1,\"issuer\":1,\"self-signed\":1,\"expiration\":1},\"fail_action\":\"fail-close\"}}\t1",
"4\ttest\t{\"dynamic_bypass\":{\"ev_cert\":0,\"cert_transparency\":0,\"mutual_authentication\":0,\"cert_pinning\":0,\"protocol_errors\":0,\"trusted_root_cert_is_not_installed_on_client\":0},\"protocol_version\":{\"min\":\"ssl3\",\"max\":\"ssl3\",\"mirror_client\":0,\"allow_http2\":0},\"certificate_checks\":{\"approach\":{\"cn\":0,\"issuer\":0,\"self-signed\":0,\"expiration\":0},\"fail_action\":\"pass-through\"}}\t1"
"{\"uuid\":\"DECRYPT0-0000-0000-0000-000000000001\",\"decryption\":{\"dynamic_bypass\":{\"ev_cert\":0,\"cert_transparency\":0,\"mutual_authentication\":1,\"cert_pinning\":1,\"protocol_errors\":1,\"trusted_root_cert_is_not_installed_on_client\":1},\"protocol_version\":{\"min\":\"ssl3\",\"max\":\"ssl3\",\"mirror_client\":1,\"allow_http2\":1},\"certificate_checks\":{\"approach\":{\"cn\":1,\"issuer\":1,\"self-signed\":1,\"expiration\":0},\"fail_action\":\"pass-through\"}},\"is_valid\":1}",
"{\"uuid\":\"DECRYPT0-0000-0000-0000-000000000003\",\"decryption\":{\"dynamic_bypass\":{\"ev_cert\":1,\"cert_transparency\":1,\"mutual_authentication\":1,\"cert_pinning\":1,\"protocol_errors\":1,\"trusted_root_cert_is_not_installed_on_client\":0},\"protocol_version\":{\"min\":\"ssl3\",\"max\":\"tls13\",\"mirror_client\":1,\"allow_http2\":1},\"certificate_checks\":{\"approach\":{\"cn\":1,\"issuer\":1,\"self-signed\":1,\"expiration\":1},\"fail_action\":\"fail-close\"}},\"is_valid\":1}",
"{\"uuid\":\"DECRYPT0-0000-0000-0000-000000000004\",\"decryption\":{\"dynamic_bypass\":{\"ev_cert\":0,\"cert_transparency\":0,\"mutual_authentication\":0,\"cert_pinning\":0,\"protocol_errors\":0,\"trusted_root_cert_is_not_installed_on_client\":0},\"protocol_version\":{\"min\":\"ssl3\",\"max\":\"ssl3\",\"mirror_client\":0,\"allow_http2\":0},\"certificate_checks\":{\"approach\":{\"cn\":0,\"issuer\":0,\"self-signed\":0,\"expiration\":0},\"fail_action\":\"pass-through\"}},\"is_valid\":1}"
]
},
{
"table_name": "PXY_INTERCEPT_COMPILE",
"table_name": "PXY_INTERCEPT_RULE",
"table_content": [
"0\t0\t2\t1\t1\t{}\t{\"protocol\":\"SSL\",\"keyring\":765,\"decryption_profile\":0},\"traffic_mirror\":{\"enable\":0}}\t1\t2",
"656\t0\t2\t1\t1\t{}\t{\"protocol\":\"SSL\",\"keyring\":1,\"decryption_profile\":0},\"traffic_mirror\":{\"enable\":0}}\t1\t2",
"49\t0\t2\t1\t1\t{}\t{\"protocol\":\"SSL\",\"keyring\":1,\"decryption_profile\":0},\"traffic_mirror\":{\"enable\":0}}\t1\t2"
"{\"uuid\":\"INTERCEP-0000-0000-0000-000000000001\",\"action_parameter\":{\"vsys_id\":1,\"keyring_for_trusted\":\"KERING00-TRUS-0000-0000-000000000001\",\"keyring_for_untrusted\":\"KERING00-UNTR-0000-0000-000000000001\",\"decryption_profile\":\"DECRYPT0-0000-0000-0000-000000000001\",\"tcp_option_profile\":\"TCPOPT00-0000-0000-0000-000000000001\",\"traffic_mirror\":{\"enable\":0}},\"is_valid\":1}",
"{\"uuid\":\"INTERCEP-0000-0000-0000-000000000002\",\"action_parameter\":{\"vsys_id\":1,\"keyring_for_trusted\":\"KERING00-TRUS-0000-0000-000000000001\",\"keyring_for_untrusted\":\"KERING00-UNTR-0000-0000-000000000001\",\"decryption_profile\":\"DECRYPT0-0000-0000-0000-000000000001\",\"tcp_option_profile\":\"TCPOPT00-0000-0000-0000-000000000001\",\"traffic_mirror\":{\"enable\":1,\"mirror_profile\":\"TRAFFIC0-MIRR-0000-0000-000000000001\"}},\"is_valid\":1}"
]
}
]


@@ -253,23 +253,23 @@
]
},
{
"table_name": "PXY_INTERCEPT_COMPILE",
"table_name": "PXY_INTERCEPT_RULE",
"table_content": [
"{\"uuid\":\"INTERCEP-0000-0000-0000-000000000001\",\"action_parameter\":{\"vsys_id\":1,\"keyring_for_trusted\":\"KERING00-TRUS-0000-0000-000000000001\",\"keyring_for_untrusted\":\"KERING00-UNTR-0000-0000-000000000001\",\"decryption_profile\":\"DECRYPT0-0000-0000-0000-000000000001\",\"tcp_option_profile\":\"TCPOPT00-0000-0000-0000-000000000001\",\"traffic_mirror\":{\"enable\":0}},\"is_valid\":1}",
"{\"uuid\":\"INTERCEP-0000-0000-0000-000000000002\",\"action_parameter\":{\"vsys_id\":1,\"keyring_for_trusted\":\"KERING00-TRUS-0000-0000-000000000001\",\"keyring_for_untrusted\":\"KERING00-UNTR-0000-0000-000000000001\",\"decryption_profile\":\"DECRYPT0-0000-0000-0000-000000000001\",\"tcp_option_profile\":\"TCPOPT00-0000-0000-0000-000000000001\",\"traffic_mirror\":{\"enable\":1,\"mirror_profile\":\"TRAFFIC0-MIRR-0000-0000-000000000001\"}},\"is_valid\":1}"
]
},
{
"table_name": "SERVICE_CHAINING_COMPILE",
"table_name": "SERVICE_CHAINING_RULE",
"table_content": [
"1\t0\t2\t1\t1\t{}\t{\"targeted_traffic\":\"raw\",\"sff_profiles\":[1]}\t1\t2",
"2\t0\t2\t1\t1\t{}\t{\"targeted_traffic\":\"decrypted\",\"sff_profiles\":[1]}\t1\t2"
"{\"uuid\":\"SC000000-0000-0000-1111-000000000001\",\"effective_range\":{},\"action_parameter\":{\"vsys_id\":1,\"targeted_traffic\":\"raw\",\"sff_profiles\":[\"00000000-0000-0000-2222-000000000001\"]},\"is_valid\":1}",
"{\"uuid\":\"SC000000-0000-0000-1111-000000000011\",\"effective_range\":{},\"action_parameter\":{\"vsys_id\":1,\"targeted_traffic\":\"decrypted\",\"sff_profiles\":[\"00000000-0000-0000-2222-000000000001\",]},\"is_valid\":1}"
]
},
{
"table_name": "PXY_PROFILE_TCP_OPTION",
"table_content": [
"1\t0\t0\t{\"tcp_maxseg\":{\"enable\":0,\"maxseg\":1500},\"nodelay\":1,\"keep_alive\":{\"enable\":1,\"tcp_keepcnt\":8,\"tcp_keepidle\":30,\"tcp_keepintvl\":15},\"ttl\":70,\"user_timeout\":{\"enable\":1,\"timeout_ms\":600}}\t{\"tcp_maxseg\":{\"enable\":0,\"maxseg\":1500},\"nodelay\":1,\"keep_alive\":{\"enable\":1,\"tcp_keepcnt\":8,\"tcp_keepidle\":30,\"tcp_keepintvl\":15},\"ttl\":75,\"user_timeout\":{\"enable\":1,\"timeout_ms\":600}}\t1"
"{\"uuid\":\"TCPOPT00-0000-0000-0000-000000000001\",\"tcp_passthrough\":0,\"bypass_duplicated_packet\":0,\"client_side_conn_param\":{\"tcp_maxseg\":{\"enable\":0,\"maxseg\":1500},\"nodelay\":1,\"keep_alive\":{\"enable\":1,\"tcp_keepcnt\":8,\"tcp_keepidle\":30,\"tcp_keepintvl\":15},\"ttl\":70,\"user_timeout\":{\"enable\":1,\"timeout_ms\":600}},\"server_side_conn_param\":{\"tcp_maxseg\":{\"enable\":0,\"maxseg\":1500},\"nodelay\":1,\"keep_alive\":{\"enable\":1,\"tcp_keepcnt\":8,\"tcp_keepidle\":30,\"tcp_keepintvl\":15},\"ttl\":70,\"user_timeout\":{\"enable\":1,\"timeout_ms\":600}},\"is_valid\":1}"
]
},
{
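Review bot: The second SERVICE_CHAINING_RULE row carries a trailing comma inside its `sff_profiles` array (`[\"00000000-0000-0000-2222-000000000001\",]`), which is not valid JSON and is rejected by strict parsers such as cJSON, so this fixture row will fail to load rather than exercise the decrypted-traffic path it is meant to cover. The fix is to drop the comma: `\"sff_profiles\":[\"00000000-0000-0000-2222-000000000001\"]},\"is_valid\":1}`. A parse failure in a fixture is easy to miss when the loader only logs and skips the row, so it is worth a quick check that the test actually observes this rule being applied.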


@@ -334,7 +334,7 @@
},
{
"table_id":30,
"table_name":"PXY_INTERCEPT_COMPILE",
"table_name":"PXY_INTERCEPT_RULE",
"table_type":"plugin",
"custom": {
"key_type":"pointer",
@@ -389,20 +389,18 @@
"table_id":36,
"table_name":"PXY_PROFILE_TCP_OPTION",
"table_type":"plugin",
"valid_column":6,
"custom": {
"key":1,
"key_type":"pointer"
"key_type":"pointer",
"key_name":"uuid"
}
},
{
"table_id":37,
"table_name":"SERVICE_CHAINING_COMPILE",
"table_name":"SERVICE_CHAINING_RULE",
"table_type":"plugin",
"valid_column":9,
"custom":{
"key":1,
"key_type":"pointer"
"key_type":"pointer",
"key_name":"uuid"
}
},
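Review bot: `"valid_column":6` is removed from PXY_PROFILE_TCP_OPTION (table_id 36) now that its rows are single JSON documents carrying an `is_valid` field, but SERVICE_CHAINING_RULE (table_id 37) keeps `"valid_column":9` even though its fixture rows in this commit have moved to the same JSON-per-row format; if `valid_column` indexes a tab-separated field, a one-field row has no ninth column and the rule's validity would be read from nowhere. Either drop it for table 37 as was done for 36, or add a comment-equivalent field explaining why the two differ. Both tables also keep `"key":1` next to the newly added `"key_name":"uuid"`; the loader's precedence between a positional key and a named key is not visible here and is worth confirming.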
{


@@ -1,7 +1,7 @@
[
{
"table_id":0,
"table_name":"PXY_INTERCEPT_COMPILE",
"table_name":"PXY_INTERCEPT_RULE",
"table_type":"plugin",
"custom": {
"key_type":"pointer",