gfwleak/tango-tfe
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

TSG-22699 适配控制报文修改

Browse Source
This commit is contained in:
wangmenglan
2024-09-23 18:35:47 +08:00
committed by luwenpeng
parent a571c85b47
commit 707b418250
21 changed files with 325 additions and 265 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
ci/travis.sh
View File

@@ -39,6 +39,7 @@ yum install -y libMESA_htable-devel libMESA_prof_load-devel libwiredcfg-devel li
yum install -y libasan yum install -y libasan
yum install -y numactl-libs # required by mrzcpd yum install -y numactl-libs # required by mrzcpd
yum install -y libibverbs # required by mrzcpd yum install -y libibverbs # required by mrzcpd
yum install -y libuuid-devel
if [ $ASAN_OPTION ];then if [ $ASAN_OPTION ];then
source /opt/rh/devtoolset-7/enable source /opt/rh/devtoolset-7/enable

2
common/CMakeLists.txt
View File

@@ -11,7 +11,7 @@ target_include_directories(common PUBLIC ${CMAKE_CURRENT_LIST_DIR}/../bpf/)
target_include_directories(common PRIVATE ${CMAKE_CURRENT_LIST_DIR}/../platform/include/internal) target_include_directories(common PRIVATE ${CMAKE_CURRENT_LIST_DIR}/../platform/include/internal)
target_link_libraries(common PUBLIC libevent-static libevent-static-openssl libevent-static-pthreads rdkafka) target_link_libraries(common PUBLIC libevent-static libevent-static-openssl libevent-static-pthreads rdkafka)
target_link_libraries(common PUBLIC MESA_handle_logger cjson bpf_obj mrzcpd MESA_prof_load maatframe fieldstat4) target_link_libraries(common PUBLIC MESA_handle_logger cjson bpf_obj mrzcpd MESA_prof_load maatframe fieldstat4)
target_link_libraries(common PUBLIC pthread) target_link_libraries(common PUBLIC pthread uuid)
if (SUPPORT_LIBURING) if (SUPPORT_LIBURING)
target_link_libraries(common PUBLIC uring) target_link_libraries(common PUBLIC uring)

3
common/include/intercept_policy.h
View File

@@ -1,12 +1,13 @@
#pragma once #pragma once
#include <tfe_cmsg.h> #include <tfe_cmsg.h>
#include <uuid/uuid.h>
struct intercept_policy_enforcer; struct intercept_policy_enforcer;
struct intercept_policy_enforcer *intercept_policy_enforcer_create(void *logger); struct intercept_policy_enforcer *intercept_policy_enforcer_create(void *logger);
void intercept_policy_enforce_destory(struct intercept_policy_enforcer *enforcer); void intercept_policy_enforce_destory(struct intercept_policy_enforcer *enforcer);
// return 0 : success // return 0 : success
// return -1 : error (need passthrough) // return -1 : error (need passthrough)
int intercept_policy_select(struct intercept_policy_enforcer *enforcer, uint64_t *rule_id_array, int rule_id_num, uint64_t *selected_rule_id); int intercept_policy_select(struct intercept_policy_enforcer *enforcer, uuid_t *rule_id_array, int rule_id_num, uuid_t selected_rule_id);
// return 0 : success // return 0 : success
// return -1 : error (need passthrough) // return -1 : error (need passthrough)
int intercept_policy_enforce(struct intercept_policy_enforcer *enforcer, struct tfe_cmsg *cmsg); int intercept_policy_enforce(struct intercept_policy_enforcer *enforcer, struct tfe_cmsg *cmsg);

6
common/include/tfe_cmsg.h
View File

@@ -100,9 +100,9 @@ enum tfe_cmsg_tlv_type
TFE_CMSG_SRC_PHONE_NUM_STR, // string max size 256 TFE_CMSG_SRC_PHONE_NUM_STR, // string max size 256
TFE_CMSG_SRC_APN_STR, // string max size 256 TFE_CMSG_SRC_APN_STR, // string max size 256
TFE_CMSG_SRC_IP_TAGS_IDS_STR, // string max size 21 * 128 = 2688, example: "1,2,3,4,5" TFE_CMSG_SRC_IP_TAGS_IDS_ARR, // uuid_t array
TFE_CMSG_DST_IP_TAGS_IDS_STR, // string max size 21 * 128 = 2688, example: "1,2,3,4,5" TFE_CMSG_DST_IP_TAGS_IDS_ARR, // uuid_t array
TFE_CMSG_FQDN_TAGS_IDS_STR, // string max size 21 * 128 = 2688, example: "1,2,3,4,5" TFE_CMSG_FQDN_TAGS_IDS_ARR, // uuid_t array
/* Add new cmsg here */ /* Add new cmsg here */
/* Add new cmsg here */ /* Add new cmsg here */

5
common/include/tfe_ctrl_packet.h
View File

@@ -7,6 +7,7 @@ extern "C"
#endif #endif
#include <stdint.h> #include <stdint.h>
#include <uuid/uuid.h>
enum session_state enum session_state
{ {
@@ -24,9 +25,9 @@ struct ctrl_pkt_parser
uint64_t session_id; uint64_t session_id;
enum session_state state; enum session_state state;
char method[32]; char method[32];
uint64_t tfe_policy_ids[MAX_HIT_RULES]; uuid_t tfe_policy_ids[MAX_HIT_RULES];
int tfe_policy_id_num; int tfe_policy_id_num;
uint64_t sce_policy_ids[MAX_HIT_RULES]; uuid_t sce_policy_ids[MAX_HIT_RULES];
int sce_policy_id_num; int sce_policy_id_num;
struct tfe_cmsg *cmsg; struct tfe_cmsg *cmsg;

12
common/include/tfe_dp_trace.h
View File

@@ -8,9 +8,9 @@ extern "C"
#include <marsio.h> #include <marsio.h>
static inline void record_msg_on_ctrl_pkt(char *buff, int size, uint64_t rule_id, uint64_t session_id, const char *state, const char *action, const char *reason) static inline void record_msg_on_ctrl_pkt(char *buff, int size, char *rule_id, uint64_t session_id, const char *state, const char *action, const char *reason)
{ {
int n = snprintf(buff, size, "intercept rule id=%lu, session=%lu, state=%s", rule_id, session_id, state); int n = snprintf(buff, size, "intercept rule id=%s, session=%lu, state=%s", rule_id, session_id, state);
if (action) if (action)
{ {
n += snprintf(buff + n, size - n, ", action=%s", action); n += snprintf(buff + n, size - n, ", action=%s", action);
@@ -21,16 +21,16 @@ static inline void record_msg_on_ctrl_pkt(char *buff, int size, uint64_t rule_id
} }
} }
static inline void record_msg_on_raw_pkt(char *buff, int size, uint64_t rule_id, const char *traffic, const char *action, const char *reason) static inline void record_msg_on_raw_pkt(char *buff, int size, char *rule_id, const char *traffic, const char *action, const char *reason)
{ {
int n = snprintf(buff, size, "intercept rule id=%lu, traffic=%s, action=%s", rule_id, traffic, action); int n = snprintf(buff, size, "intercept rule id=%s, traffic=%s, action=%s", rule_id, traffic, action);
if (reason) if (reason)
{ {
snprintf(buff + n, size - n, ", reason=%s", reason); snprintf(buff + n, size - n, ", reason=%s", reason);
} }
} }
static inline void tfe_dp_telemetry_on_ctrl_pkt(mr_instance *mr_ins, marsio_buff_t *mr_buff, uint64_t rule_id, uint64_t session_id, const char *state, const char *action, const char *reason) static inline void tfe_dp_telemetry_on_ctrl_pkt(mr_instance *mr_ins, marsio_buff_t *mr_buff, char *rule_id, uint64_t session_id, const char *state, const char *action, const char *reason)
{ {
if (marsio_dp_trace_measurements_can_emit(mr_ins, mr_buff, DP_TRACE_MEASUREMENT_TYPE_TRACE)) if (marsio_dp_trace_measurements_can_emit(mr_ins, mr_buff, DP_TRACE_MEASUREMENT_TYPE_TRACE))
{ {
@@ -46,7 +46,7 @@ static inline void tfe_dp_telemetry_on_ctrl_pkt(mr_instance *mr_ins, marsio_buff
} }
} }
static inline void tfe_dp_on_raw_pkt(mr_instance *mr_ins, marsio_buff_t *mr_buff, uint64_t rule_id, const char *traffic, const char *action, const char *reason) static inline void tfe_dp_on_raw_pkt(mr_instance *mr_ins, marsio_buff_t *mr_buff, char *rule_id, const char *traffic, const char *action, const char *reason)
{ {
if (marsio_dp_trace_measurements_can_emit(mr_ins, mr_buff, DP_TRACE_MEASUREMENT_TYPE_TRACE)) if (marsio_dp_trace_measurements_can_emit(mr_ins, mr_buff, DP_TRACE_MEASUREMENT_TYPE_TRACE))
{ {

2
common/include/tfe_fieldstat.h
View File

@@ -11,6 +11,8 @@ extern "C"
#define FIELDSTAT_TAG_INIT(ptr, index, _key, _type, _value) \ #define FIELDSTAT_TAG_INIT(ptr, index, _key, _type, _value) \
do { ptr[index].key = _key; ptr[index].type = _type; ptr[index].value_longlong = _value; } while(0) do { ptr[index].key = _key; ptr[index].type = _type; ptr[index].value_longlong = _value; } while(0)
#define FIELDSTAT_TAG_STR(ptr, index, _key, _type, _value) \
do { ptr[index].key = _key; ptr[index].type = _type; ptr[index].value_str = _value; } while(0)
enum metric_columns_index enum metric_columns_index
{ {

3
common/include/tfe_packet_io.h
View File

@@ -6,6 +6,7 @@ extern "C"
{ {
#endif #endif
#include <uuid/uuid.h>
#include "tuple.h" #include "tuple.h"
#include "tfe_packet_io_fs.h" #include "tfe_packet_io_fs.h"
@@ -58,7 +59,7 @@ struct packet_info
struct session_ctx struct session_ctx
{ {
uint64_t policy_ids; uuid_t policy_ids;
uint64_t session_id; uint64_t session_id;
uint8_t is_passthrough; uint8_t is_passthrough;
uint8_t protocol; uint8_t protocol;

1
common/include/tfe_utils.h
View File

@@ -22,6 +22,7 @@
#define TFE_THREAD_MAX 256 #define TFE_THREAD_MAX 256
#define TFE_FAKE_C_DEFAULT_TTL 60 #define TFE_FAKE_C_DEFAULT_TTL 60
#define TFE_FAKE_S_DEFAULT_TTL 65 #define TFE_FAKE_S_DEFAULT_TTL 65
#define UUID_LEN 16
#define UUID_STRING_SIZE 37 #define UUID_STRING_SIZE 37

166
common/src/intercept_policy.cpp
View File

@@ -7,7 +7,7 @@
struct intercept_param struct intercept_param
{ {
int vsys_id; int vsys_id;
uint64_t rule_id; uuid_t rule_id;
int do_log; int do_log;
int ref_cnt; int ref_cnt;
int action; int action;
@@ -20,82 +20,77 @@ struct intercept_param
struct intercept_policy_enforcer struct intercept_policy_enforcer
{ {
struct maat *maat; struct maat *maat;
int table_id; char table_name[32];
void *logger; void *logger;
}; };
static void intercept_param_new_cb(const char *table_name, int table_id, const char *key, const char *table_line, void **ad, long argl, void *argp) static void intercept_param_new_cb(const char *table_name, const char *key, const char *table_line, void **ad, long argl, void *argp)
{ {
int action = 0; int action = 0;
int do_log = 0;
int vsys_id = 0; int vsys_id = 0;
size_t len = 0; cJSON * json_root = NULL;
size_t offset = 0; cJSON * json_subroot = NULL;
size_t do_log = 0; cJSON * item = NULL;
char buffer[8] = {0};
char *json_str = NULL;
cJSON *json = NULL;
cJSON *item = NULL;
struct intercept_param *param = NULL; struct intercept_param *param = NULL;
struct intercept_policy_enforcer *enforcer = (struct intercept_policy_enforcer *)argp; struct intercept_policy_enforcer *enforcer = (struct intercept_policy_enforcer *)argp;
if (maat_helper_read_column(table_line, 3, &offset, &len) < 0) json_root = cJSON_Parse(table_line);
if (unlikely(!json_root))
{ {
TFE_LOG_ERROR(enforcer->logger, "Invalid intercept action: %s", table_line); TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule:%s %s", key, table_line);
goto error_out; goto error_out;
} }
memcpy(buffer, table_line + offset, MIN(sizeof(buffer), len)); item = cJSON_GetObjectItem(json_root, "ACTION");
action = atoi(buffer); if (unlikely(!item || !cJSON_IsNumber(item)))
if (action != 2 && action != 3)
{ {
TFE_LOG_ERROR(enforcer->logger, "Invalid intercept action: %s", table_line); TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule:%s (invalid ACTION format) %s.", key, table_line);
goto error_out; goto error_out;
} }
if (maat_helper_read_column(table_line, 5, &offset, &len) < 0) if (item->valueint != 2 && item->valueint != 3)
{ {
TFE_LOG_ERROR(enforcer->logger, "Invalid do log: %s", table_line); TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule:%s (invalid ACTION format) %s.", key, table_line);
goto error_out; goto error_out;
} }
memset(buffer, 0, sizeof(buffer)); action = item->valueint;
memcpy(buffer, table_line + offset, MIN(sizeof(buffer), len));
do_log = atoi(buffer);
if (maat_helper_read_column(table_line, 7, &offset, &len) < 0) item = cJSON_GetObjectItem(json_root, "DO_LOG");
{
TFE_LOG_ERROR(enforcer->logger, "Invalid intercept user region: %s", table_line);
goto error_out;
}
json_str = ALLOC(char, len + 1);
memcpy(json_str, table_line + offset, len);
json = cJSON_Parse(json_str);
if (json == NULL)
{
TFE_LOG_ERROR(enforcer->logger, "Invalid intercept parameter: id = %s", key);
goto error_out;
}
item = cJSON_GetObjectItem(json, "vsys_id");
if (!item || !cJSON_IsNumber(item)) if (!item || !cJSON_IsNumber(item))
{ {
TFE_LOG_ERROR(enforcer->logger, "Invalid intercept parameter: %s invalid vsys_id format", key); TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule:%s (invalid DO_LOG format) %s.", key, table_line);
goto error_out;
}
param->do_log = !!item->valueint;
json_subroot = cJSON_GetObjectItem(json_root, "USER_REGION");
if (unlikely(!json_subroot))
{
TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule:%s (invalid USER_REGION format) %s.", key, table_line);
goto error_out;
}
item = cJSON_GetObjectItem(json_subroot, "vsys_id");
if (!item || !cJSON_IsNumber(item))
{
TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule:%s (invalid vsys_id format) %s.", key, table_line);
goto error_out; goto error_out;
} }
vsys_id = item->valueint; vsys_id = item->valueint;
param = ALLOC(struct intercept_param, 1); param = ALLOC(struct intercept_param, 1);
param->vsys_id = vsys_id;
param->rule_id = atoll(key);
param->do_log = (do_log == 0 ? 0 : 1);
param->ref_cnt = 1; param->ref_cnt = 1;
param->action = action; param->action = action;
param->do_log = do_log;
param->vsys_id = vsys_id;
uuid_parse(key, param->rule_id);
param->keyring_for_trusted = 1; param->keyring_for_trusted = 1;
param->keyring_for_untrusted = 0; param->keyring_for_untrusted = 0;
param->decryption_profile = 0; param->decryption_profile = 0;
param->tcp_option_profile = 0; param->tcp_option_profile = 0;
item = cJSON_GetObjectItem(json, "keyring_for_trusted"); item = cJSON_GetObjectItem(json_subroot, "keyring_for_trusted");
if (item) if (item)
{ {
if (item->type == cJSON_Number) if (item->type == cJSON_Number)
@@ -108,11 +103,11 @@ static void intercept_param_new_cb(const char *table_name, int table_id, const c
} }
else else
{ {
TFE_LOG_ERROR(enforcer->logger, "Invalid intercept parameter: %lu invalid keyring_for_trusted format", param->rule_id); TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule: %s (invalid keyring_for_trusted format) %s.", key, table_line);
} }
} }
item = cJSON_GetObjectItem(json, "keyring_for_untrusted"); item = cJSON_GetObjectItem(json_subroot, "keyring_for_untrusted");
if (item) if (item)
{ {
if (item->type == cJSON_Number) if (item->type == cJSON_Number)
@@ -125,11 +120,11 @@ static void intercept_param_new_cb(const char *table_name, int table_id, const c
} }
else else
{ {
TFE_LOG_ERROR(enforcer->logger, "Invalid intercept parameter: %lu invalid keyring_for_untrusted format", param->rule_id); TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule: %s (invalid keyring_for_untrusted format) %s", key, table_line);
} }
} }
item = cJSON_GetObjectItem(json, "decryption_profile"); item = cJSON_GetObjectItem(json_subroot, "decryption_profile");
if (item) if (item)
{ {
if (item->type == cJSON_Number) if (item->type == cJSON_Number)
@@ -142,11 +137,11 @@ static void intercept_param_new_cb(const char *table_name, int table_id, const c
} }
else else
{ {
TFE_LOG_ERROR(enforcer->logger, "Invalid intercept parameter: %lu invalid decryption_profile format", param->rule_id); TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule:%s (invalid decryption_profile format) %s.", key, table_line);
} }
} }
item = cJSON_GetObjectItem(json, "tcp_option_profile"); item = cJSON_GetObjectItem(json_subroot, "tcp_option_profile");
if (item) if (item)
{ {
if (item->type == cJSON_Number) if (item->type == cJSON_Number)
@@ -159,26 +154,23 @@ static void intercept_param_new_cb(const char *table_name, int table_id, const c
} }
else else
{ {
TFE_LOG_ERROR(enforcer->logger, "Invalid intercept parameter: %lu invalid tcp_option_profile format", param->rule_id); TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule:%s (invalid tcp_option_profile format) %s.", key, table_line);
} }
} }
*ad = param; *ad = param;
TFE_LOG_INFO(enforcer->logger, "Add intercept policy: %lu", param->rule_id); TFE_LOG_INFO(enforcer->logger, "Add intercept rule: %s", key);
error_out: error_out:
if (json) if (json_root)
{ {
cJSON_Delete(json); cJSON_Delete(json_root);
}
if (json_str)
{
free(json_str);
} }
} }
static void intercept_param_free_cb(int table_id, void **ad, long argl, void *argp) static void intercept_param_free_cb(const char *table_name, void **ad, long argl, void *argp)
{ {
char str_rule_id[UUID_STR_LEN] = {0};
struct intercept_policy_enforcer *enforcer = (struct intercept_policy_enforcer *)argp; struct intercept_policy_enforcer *enforcer = (struct intercept_policy_enforcer *)argp;
struct intercept_param *param = (struct intercept_param *)*ad; struct intercept_param *param = (struct intercept_param *)*ad;
if (param == NULL) if (param == NULL)
@@ -188,13 +180,14 @@ static void intercept_param_free_cb(int table_id, void **ad, long argl, void *ar
if ((__sync_sub_and_fetch(&param->ref_cnt, 1) == 0)) if ((__sync_sub_and_fetch(&param->ref_cnt, 1) == 0))
{ {
TFE_LOG_INFO(enforcer->logger, "Del intercept policy %lu", param->rule_id); uuid_unparse(param->rule_id, str_rule_id);
TFE_LOG_INFO(enforcer->logger, "Del intercept policy %s", str_rule_id);
free(param); free(param);
*ad = NULL; *ad = NULL;
} }
} }
static void intercept_param_dup_cb(int table_id, void **to, void **from, long argl, void *argp) static void intercept_param_dup_cb(const char *table_name, void **to, void **from, long argl, void *argp)
{ {
struct intercept_param *param = (struct intercept_param *)*from; struct intercept_param *param = (struct intercept_param *)*from;
if (param) if (param)
@@ -219,16 +212,10 @@ struct intercept_policy_enforcer *intercept_policy_enforcer_create(void *logger)
struct intercept_policy_enforcer *enforcer = ALLOC(struct intercept_policy_enforcer, 1); struct intercept_policy_enforcer *enforcer = ALLOC(struct intercept_policy_enforcer, 1);
enforcer->maat = tfe_get_maat_handle(); enforcer->maat = tfe_get_maat_handle();
enforcer->logger = logger; enforcer->logger = logger;
enforcer->table_id = maat_get_table_id(enforcer->maat, "PXY_INTERCEPT_COMPILE"); snprintf(enforcer->table_name, sizeof(enforcer->table_name), "PXY_INTERCEPT_COMPILE");
if (enforcer->table_id < 0)
{
TFE_LOG_ERROR(enforcer->logger, "failed at register table of PXY_INTERCEPT_COMPILE, ret = %d", enforcer->table_id);
goto error_out;
}
ret = maat_plugin_table_ex_schema_register(enforcer->maat, ret = maat_plugin_table_ex_schema_register(enforcer->maat,
"PXY_INTERCEPT_COMPILE", enforcer->table_name,
intercept_param_new_cb, intercept_param_new_cb,
intercept_param_free_cb, intercept_param_free_cb,
intercept_param_dup_cb, intercept_param_dup_cb,
@@ -258,25 +245,24 @@ void intercept_policy_enforce_destory(struct intercept_policy_enforcer *enforcer
// return 0 : success // return 0 : success
// return -1 : error (need passthrough) // return -1 : error (need passthrough)
int intercept_policy_select(struct intercept_policy_enforcer *enforcer, uint64_t *rule_id_array, int rule_id_num, uint64_t *selected_rule_id) int intercept_policy_select(struct intercept_policy_enforcer *enforcer, uuid_t *rule_id_array, int rule_id_num, uuid_t selected_rule_id)
{ {
uint64_t rule_id = 0; uuid_t rule_id;
char str_rule_id[UUID_STR_LEN] = {0};
uint8_t is_hit_intercept_rule = 0; uint8_t is_hit_intercept_rule = 0;
uint8_t is_hit_no_intercept_rule = 0; uint8_t is_hit_no_intercept_rule = 0;
uint64_t max_intercept_rule_id = 0; uuid_t max_intercept_rule_id = {0};
uint64_t max_no_intercept_rule_id = 0; uuid_t max_no_intercept_rule_id = {0};
char buff[16] = {0};
struct intercept_param *param = NULL; struct intercept_param *param = NULL;
for (int i = 0; i < rule_id_num; i++) for (int i = 0; i < rule_id_num; i++)
{ {
rule_id = rule_id_array[i]; memcpy(rule_id, rule_id_array[i], UUID_LEN);
snprintf(buff, sizeof(buff), "%lu", rule_id); uuid_unparse(rule_id, str_rule_id);
param = (struct intercept_param *)maat_plugin_table_get_ex_data(enforcer->maat, enforcer->table_id, buff, strlen(buff)); param = (struct intercept_param *)maat_plugin_table_get_ex_data(enforcer->maat, enforcer->table_name, str_rule_id, UUID_STR_LEN-1);
if (param == NULL) if (param == NULL)
{ {
TFE_LOG_INFO(enforcer->logger, "Failed to get intercept parameter of policy %lu.", rule_id); TFE_LOG_INFO(enforcer->logger, "Failed to get intercept parameter of policy %s.", str_rule_id);
continue; continue;
} }
@@ -284,27 +270,29 @@ int intercept_policy_select(struct intercept_policy_enforcer *enforcer, uint64_t
if (param->action == 2) if (param->action == 2)
{ {
is_hit_intercept_rule = 1; is_hit_intercept_rule = 1;
max_intercept_rule_id = MAX(max_intercept_rule_id, rule_id); if (uuid_compare(max_intercept_rule_id, rule_id) < 0)
TFE_LOG_INFO(enforcer->logger, "rule[%d/%d]: %lu is intercept.", i, rule_id_num, rule_id); memcpy(max_intercept_rule_id, rule_id, UUID_LEN);
TFE_LOG_INFO(enforcer->logger, "rule[%d/%d]: %s is intercept.", i, rule_id_num, str_rule_id);
} }
// not intercept // not intercept
else else
{ {
is_hit_no_intercept_rule = 1; is_hit_no_intercept_rule = 1;
max_no_intercept_rule_id = MAX(max_no_intercept_rule_id, rule_id); if (uuid_compare(max_no_intercept_rule_id, rule_id) < 0)
TFE_LOG_INFO(enforcer->logger, "rule[%d/%d]: %lu is no intercept.", i, rule_id_num, rule_id); memcpy(max_no_intercept_rule_id, rule_id, UUID_LEN);
TFE_LOG_INFO(enforcer->logger, "rule[%d/%d]: %s is no intercept.", i, rule_id_num, str_rule_id);
} }
} }
if (is_hit_no_intercept_rule) if (is_hit_no_intercept_rule)
{ {
*selected_rule_id = max_no_intercept_rule_id; memcpy(selected_rule_id, max_no_intercept_rule_id, UUID_LEN);
return 0; return 0;
} }
if (is_hit_intercept_rule) if (is_hit_intercept_rule)
{ {
*selected_rule_id = max_intercept_rule_id; memcpy(selected_rule_id, max_intercept_rule_id, UUID_LEN);
return 0; return 0;
} }
@@ -318,26 +306,26 @@ int intercept_policy_enforce(struct intercept_policy_enforcer *enforcer, struct
{ {
int ret = 0; int ret = 0;
uint16_t size = 0; uint16_t size = 0;
uint64_t rule_id = 0; uuid_t rule_id;
char buff[16] = {0}; char str_rule_id[UUID_STR_LEN] = {0};
struct intercept_param *param = NULL; struct intercept_param *param = NULL;
uint8_t hit_no_intercept = 0; uint8_t hit_no_intercept = 0;
int tcp_passthrough = 0; int tcp_passthrough = 0;
char reason_hit_no_intercept[] = "Hit No Intercept"; char reason_hit_no_intercept[] = "Hit No Intercept";
char reason_invalid_intercept_param[] = "Invalid Intercept Param"; char reason_invalid_intercept_param[] = "Invalid Intercept Param";
ret = tfe_cmsg_get_value(cmsg, TFE_CMSG_POLICY_ID, (unsigned char *)&rule_id, sizeof(rule_id), &size); ret = tfe_cmsg_get_value(cmsg, TFE_CMSG_POLICY_ID, (unsigned char *)rule_id, UUID_LEN, &size);
if (ret < 0) if (ret < 0)
{ {
TFE_LOG_ERROR(g_default_logger, "Failed at fetch intercept rule_id from cmsg: %s", strerror(-ret)); TFE_LOG_ERROR(g_default_logger, "Failed at fetch intercept rule_id from cmsg: %s", strerror(-ret));
goto error_passthrough; goto error_passthrough;
} }
snprintf(buff, sizeof(buff), "%lu", rule_id); uuid_unparse(rule_id, str_rule_id);
param = (struct intercept_param *)maat_plugin_table_get_ex_data(enforcer->maat, enforcer->table_id, buff, strlen(buff)); param = (struct intercept_param *)maat_plugin_table_get_ex_data(enforcer->maat, enforcer->table_name, str_rule_id, UUID_STR_LEN-1);
if (param == NULL) if (param == NULL)
{ {
TFE_LOG_INFO(enforcer->logger, "Failed to get intercept parameter of policy %lu.", rule_id); TFE_LOG_INFO(enforcer->logger, "Failed to get intercept parameter of policy %s.", str_rule_id);
goto error_passthrough; goto error_passthrough;
} }

75
common/src/tfe_ctrl_packet.cpp
View File

@@ -59,15 +59,15 @@ enum {
}; };
int tags_ids_cmsg_maps[] = { int tags_ids_cmsg_maps[] = {
[INDEX_SRC_IP_TAGS_IDS] = TFE_CMSG_SRC_IP_TAGS_IDS_STR, [INDEX_SRC_IP_TAGS_IDS] = TFE_CMSG_SRC_IP_TAGS_IDS_ARR,
[INDEX_DST_IP_TAGS_IDS] = TFE_CMSG_DST_IP_TAGS_IDS_STR, [INDEX_DST_IP_TAGS_IDS] = TFE_CMSG_DST_IP_TAGS_IDS_ARR,
[INDEX_FQDN_TAGS_IDS] = TFE_CMSG_FQDN_TAGS_IDS_STR, [INDEX_FQDN_TAGS_IDS] = TFE_CMSG_FQDN_TAGS_IDS_ARR,
}; };
const char *tags_ids_cmsg_name_maps[] = { const char *tags_ids_cmsg_name_maps[] = {
[INDEX_SRC_IP_TAGS_IDS] = "TFE_CMSG_SRC_IP_TAGS_IDS_STR", [INDEX_SRC_IP_TAGS_IDS] = "TFE_CMSG_SRC_IP_TAGS_IDS_ARR",
[INDEX_DST_IP_TAGS_IDS] = "TFE_CMSG_DST_IP_TAGS_IDS_STR", [INDEX_DST_IP_TAGS_IDS] = "TFE_CMSG_DST_IP_TAGS_IDS_ARR",
[INDEX_FQDN_TAGS_IDS] = "TFE_CMSG_FQDN_TAGS_IDS_STR", [INDEX_FQDN_TAGS_IDS] = "TFE_CMSG_FQDN_TAGS_IDS_ARR",
}; };
struct mpack_mmap_id2type struct mpack_mmap_id2type
@@ -118,6 +118,15 @@ struct mpack_mmap_id2type
extern void * g_packet_io_logger; extern void * g_packet_io_logger;
static int mpack_parse_uuid(mpack_node_t node, uuid_t uuid)
{
size_t len = mpack_node_bin_size(node);
if (len != UUID_LEN)
return -1;
memcpy(uuid, mpack_node_bin_data(node), len);
return 0;
}
static int sids_array_parse_mpack(struct ctrl_pkt_parser *handler, mpack_node_t node, int is_seq) static int sids_array_parse_mpack(struct ctrl_pkt_parser *handler, mpack_node_t node, int is_seq)
{ {
struct sids *sid = is_seq ? &handler->seq_sids : &handler->ack_sids; struct sids *sid = is_seq ? &handler->seq_sids : &handler->ack_sids;
@@ -169,21 +178,23 @@ static int pkt_header_parse_mpack(struct ctrl_pkt_parser *handler, mpack_node_t
static int tags_ids_array_parse_mpack(struct ctrl_pkt_parser *handler, mpack_node_t node, int map_index) static int tags_ids_array_parse_mpack(struct ctrl_pkt_parser *handler, mpack_node_t node, int map_index)
{ {
uint64_t value = 0;
int tags_ids_len = 0;
char tags_ids_str[TAGS_IDS_STR_LEN] = {0};
uint32_t array_cnt = mpack_node_array_length(node); uint32_t array_cnt = mpack_node_array_length(node);
if (!array_cnt) if (!array_cnt)
return 0; return 0;
int tags_ids_len = UUID_LEN*array_cnt;
uuid_t *tags_ids = (uuid_t *)calloc(tags_ids_len, 1);
for (uint32_t i = 0; i < array_cnt; i++) for (uint32_t i = 0; i < array_cnt; i++)
{ {
value = mpack_node_u64(mpack_node_array_at(node, i)); if (mpack_parse_uuid(mpack_node_array_at(node, i), tags_ids[i]) != 0)
tags_ids_len += snprintf(tags_ids_str+tags_ids_len, TAGS_IDS_STR_LEN-tags_ids_len, "%s%lu", i==0?"":",", value); {
TFE_LOG_ERROR(g_packet_io_logger, "%s: session %lu unexpected control packet: (%s[%d] len != uuid_t[%d])", LOG_TAG_CTRLPKT, handler->session_id, tags_ids_cmsg_name_maps[map_index], i, UUID_LEN);
return -1;
}
} }
tfe_cmsg_set(handler->cmsg, (enum tfe_cmsg_tlv_type)tags_ids_cmsg_maps[map_index], (const unsigned char*)tags_ids_str, tags_ids_len); tfe_cmsg_set(handler->cmsg, (enum tfe_cmsg_tlv_type)tags_ids_cmsg_maps[map_index], (const unsigned char*)tags_ids, tags_ids_len);
return 0; return 0;
} }
@@ -336,8 +347,13 @@ static int proxy_parse_messagepack(mpack_node_t node, void *ctx, void *logger)
return -1; return -1;
} }
handler->tfe_policy_id_num = mpack_node_array_length(mpack_node_map_cstr(node, "rule_ids")); handler->tfe_policy_id_num = mpack_node_array_length(mpack_node_map_cstr(node, "rule_ids"));
for (int i = 0; i < handler->tfe_policy_id_num; i++) { for (int i = 0; i < handler->tfe_policy_id_num; i++)
handler->tfe_policy_ids[i] = mpack_node_u64(mpack_node_array_at(mpack_node_map_cstr(node, "rule_ids"), i)); {
if (mpack_parse_uuid(mpack_node_array_at(mpack_node_map_cstr(node, "rule_ids"), i), handler->tfe_policy_ids[i]) != 0)
{
TFE_LOG_ERROR(g_packet_io_logger, "%s: session %lu unexpected control packet: (proxy rule_ids[index:%d] len != uuid_t[16])", LOG_TAG_CTRLPKT, handler->session_id, i);
return -1;
}
} }
mpack_node_t tcp_handshake = mpack_node_map_cstr(node, "tcp_handshake"); mpack_node_t tcp_handshake = mpack_node_map_cstr(node, "tcp_handshake");
@@ -466,8 +482,13 @@ int ctrl_packet_parser_parse(void *ctx, const char* data, size_t length, void *l
goto error; goto error;
} }
handler->sce_policy_id_num = mpack_node_array_length(mpack_node_map_cstr(sce_map, "rule_ids")); handler->sce_policy_id_num = mpack_node_array_length(mpack_node_map_cstr(sce_map, "rule_ids"));
for (int i = 0; i < handler->sce_policy_id_num; i++) { for (int i = 0; i < handler->sce_policy_id_num; i++)
handler->sce_policy_ids[i] = mpack_node_u64(mpack_node_array_at(mpack_node_map_cstr(sce_map, "rule_ids"), i)); {
if (mpack_parse_uuid(mpack_node_array_at(mpack_node_map_cstr(sce_map, "rule_ids"), i), handler->sce_policy_ids[i]) != 0)
{
TFE_LOG_ERROR(logger, "%s: session %lu unexpected control packet: (sce rule_ids[index:%d] len != uuid_t[16])", LOG_TAG_CTRLPKT, handler->session_id, i);
goto error;
}
} }
} }
@@ -545,7 +566,7 @@ void ctrl_packet_parser_dump(struct ctrl_pkt_parser *handler, void *logger)
struct sids *sid = NULL; struct sids *sid = NULL;
int map_index = 0; int map_index = 0;
char *log_str = NULL; char *log_str = NULL;
char tags_ids_str[4096] = {0}; uuid_t tags_ids_array[128];
int log_len = 0; int log_len = 0;
log_str = (char *)calloc(1, LOG_STR_LEN); log_str = (char *)calloc(1, LOG_STR_LEN);
@@ -560,12 +581,16 @@ void ctrl_packet_parser_dump(struct ctrl_pkt_parser *handler, void *logger)
log_len += snprintf(log_str + log_len, LOG_STR_LEN - log_len, ", tfe policy_id_num: %d, tfe policy_ids[", handler->tfe_policy_id_num); log_len += snprintf(log_str + log_len, LOG_STR_LEN - log_len, ", tfe policy_id_num: %d, tfe policy_ids[", handler->tfe_policy_id_num);
for (int i = 0; i < handler->tfe_policy_id_num; i++) { for (int i = 0; i < handler->tfe_policy_id_num; i++) {
log_len += snprintf(log_str + log_len, LOG_STR_LEN - log_len, "%03lu ", handler->tfe_policy_ids[i]); char str_tfe_policy_ids[UUID_STR_LEN] = {0};
uuid_unparse(handler->tfe_policy_ids[i], str_tfe_policy_ids);
log_len += snprintf(log_str + log_len, LOG_STR_LEN - log_len, "%s, ", str_tfe_policy_ids);
} }
log_len += snprintf(log_str + log_len, LOG_STR_LEN - log_len, "], sce policy_id_num: %d, sce policy_ids[", handler->sce_policy_id_num); log_len += snprintf(log_str + log_len, LOG_STR_LEN - log_len, "], sce policy_id_num: %d, sce policy_ids[", handler->sce_policy_id_num);
for (int i = 0; i < handler->sce_policy_id_num; i++) { for (int i = 0; i < handler->sce_policy_id_num; i++) {
log_len += snprintf(log_str + log_len, LOG_STR_LEN - log_len, "%03lu ", handler->sce_policy_ids[i]); char str_sce_policy_ids[UUID_STR_LEN] = {0};
uuid_unparse(handler->sce_policy_ids[i], str_sce_policy_ids);
log_len += snprintf(log_str + log_len, LOG_STR_LEN - log_len, "%s, ", str_sce_policy_ids);
} }
log_len += snprintf(log_str + log_len, LOG_STR_LEN - log_len, "]"); log_len += snprintf(log_str + log_len, LOG_STR_LEN - log_len, "]");
@@ -596,13 +621,17 @@ void ctrl_packet_parser_dump(struct ctrl_pkt_parser *handler, void *logger)
else if (mpack_table[i].type == MPACK_ARRAY_FQDN_TAGS_IDS) else if (mpack_table[i].type == MPACK_ARRAY_FQDN_TAGS_IDS)
map_index = INDEX_FQDN_TAGS_IDS; map_index = INDEX_FQDN_TAGS_IDS;
memset(tags_ids_str, 0, sizeof(tags_ids_str)); memset(tags_ids_array, 0, sizeof(tags_ids_array));
ret = tfe_cmsg_get_value(handler->cmsg, (enum tfe_cmsg_tlv_type)tags_ids_cmsg_maps[map_index], (unsigned char *)tags_ids_str, sizeof(tags_ids_str), &size); ret = tfe_cmsg_get_value(handler->cmsg, (enum tfe_cmsg_tlv_type)tags_ids_cmsg_maps[map_index], (unsigned char *)tags_ids_array, sizeof(tags_ids_array), &size);
if (ret < 0) { if (ret < 0) {
log_len += snprintf(log_str + log_len, LOG_STR_LEN - log_len, ", %s:null", tags_ids_cmsg_name_maps[map_index]); log_len += snprintf(log_str + log_len, LOG_STR_LEN - log_len, ", %s:null", tags_ids_cmsg_name_maps[map_index]);
break; break;
} }
log_len += snprintf(log_str + log_len, LOG_STR_LEN - log_len, ", %s:%s", tags_ids_cmsg_name_maps[map_index], tags_ids_str); for (int i = 0; i < size/UUID_LEN; i++) {
char str_tags_ids[UUID_STR_LEN] = {0};
uuid_unparse(tags_ids_array[i], str_tags_ids);
log_len += snprintf(log_str + log_len, LOG_STR_LEN - log_len, ", %s:%s", tags_ids_cmsg_name_maps[map_index], str_tags_ids);
}
break; break;
case MPACK_ARRAY_SEQ_ROUTE_CTX: case MPACK_ARRAY_SEQ_ROUTE_CTX:
case MPACK_ARRAY_ACK_ROUTE_CTX: case MPACK_ARRAY_ACK_ROUTE_CTX:

9
common/src/tfe_fieldstat.cpp
View File

@@ -1,5 +1,6 @@
#include <stdlib.h> #include <stdlib.h>
#include <unistd.h> #include <unistd.h>
#include <uuid/uuid.h>
#include <tfe_fieldstat.h> #include <tfe_fieldstat.h>
#include "tfe_stream.h" #include "tfe_stream.h"
@@ -41,13 +42,15 @@ int tfe_fieldstat_intercept_incrby(struct fieldstat_easy_intercept *metrics, voi
return 0; return 0;
} }
uint64_t rule_id = 0; uuid_t rule_id;
ret = tfe_cmsg_get_value(cmsg, TFE_CMSG_POLICY_ID, (unsigned char *)&rule_id, sizeof(rule_id), &out_size); char str_rule_id[UUID_STR_LEN] = {0};
ret = tfe_cmsg_get_value(cmsg, TFE_CMSG_POLICY_ID, (unsigned char *)rule_id, UUID_LEN, &out_size);
if (ret != 0) if (ret != 0)
{ {
TFE_LOG_ERROR(g_default_logger, "failed at fetch rule_id from cmsg: %s", strerror(-ret)); TFE_LOG_ERROR(g_default_logger, "failed at fetch rule_id from cmsg: %s", strerror(-ret));
return 0; return 0;
} }
uuid_unparse(rule_id, str_rule_id);
uint8_t hit_no_intercept = 0; uint8_t hit_no_intercept = 0;
ret = tfe_cmsg_get_value(cmsg, TFE_CMSG_HIT_NO_INTERCEPT, (unsigned char *)&hit_no_intercept, sizeof(hit_no_intercept), &out_size); ret = tfe_cmsg_get_value(cmsg, TFE_CMSG_HIT_NO_INTERCEPT, (unsigned char *)&hit_no_intercept, sizeof(hit_no_intercept), &out_size);
@@ -98,7 +101,7 @@ int tfe_fieldstat_intercept_incrby(struct fieldstat_easy_intercept *metrics, voi
struct field tags[5] = {0}; struct field tags[5] = {0};
FIELDSTAT_TAG_INIT(tags, nr_tags, "vsys_id", FIELD_VALUE_INTEGER, vsys_id); FIELDSTAT_TAG_INIT(tags, nr_tags, "vsys_id", FIELD_VALUE_INTEGER, vsys_id);
nr_tags++; nr_tags++;
FIELDSTAT_TAG_INIT(tags, nr_tags, "rule_id", FIELD_VALUE_INTEGER, rule_id); FIELDSTAT_TAG_STR(tags, nr_tags, "rule_uuid", FIELD_VALUE_CSTRING, str_rule_id);
nr_tags++; nr_tags++;
uint8_t pinning_status = 0; uint8_t pinning_status = 0;
if (tfe_cmsg_get_value(cmsg, TFE_CMSG_SSL_PINNING_STATE, (unsigned char *)&pinning_status, sizeof(pinning_status), &out_size) == 0) if (tfe_cmsg_get_value(cmsg, TFE_CMSG_SSL_PINNING_STATE, (unsigned char *)&pinning_status, sizeof(pinning_status), &out_size) == 0)

67
common/src/tfe_packet_io.cpp
View File

@@ -156,7 +156,7 @@ struct packet_identify
extern int tcp_policy_enforce(struct tcp_policy_enforcer *tcp_enforcer, struct tfe_cmsg *cmsg); extern int tcp_policy_enforce(struct tcp_policy_enforcer *tcp_enforcer, struct tfe_cmsg *cmsg);
extern int tfe_proxy_fds_accept(struct tfe_proxy * ctx, int fd_downstream, int fd_upstream, int fd_fake_c, int fd_fake_s, struct tfe_cmsg * cmsg); extern int tfe_proxy_fds_accept(struct tfe_proxy * ctx, int fd_downstream, int fd_upstream, int fd_fake_c, int fd_fake_s, struct tfe_cmsg * cmsg);
extern void chaining_policy_enforce(struct chaining_policy_enforcer *enforcer, struct tfe_cmsg *cmsg, uint64_t rule_id); extern void chaining_policy_enforce(struct chaining_policy_enforcer *enforcer, struct tfe_cmsg *cmsg, uuid_t rule_id);
/****************************************************************************** /******************************************************************************
* dup packet filter * dup packet filter
@@ -821,7 +821,7 @@ static void send_event_log(struct session_ctx *s_ctx, int thread_seq, void *ctx)
int ret = 0; int ret = 0;
int do_log = 0; int do_log = 0;
uint8_t hit_no_intercept = 0; uint8_t hit_no_intercept = 0;
uint64_t rule_id = 0; uuid_t rule_id;
uint16_t length = 0; uint16_t length = 0;
uint8_t ssl_intercept_status = 0; uint8_t ssl_intercept_status = 0;
uint64_t ssl_upstream_latency = 0; uint64_t ssl_upstream_latency = 0;
@@ -844,7 +844,7 @@ static void send_event_log(struct session_ctx *s_ctx, int thread_seq, void *ctx)
ret = tfe_cmsg_get_value(s_ctx->cmsg, TFE_CMSG_POLICY_DO_LOG, (unsigned char *)&do_log, sizeof(do_log), &length); ret = tfe_cmsg_get_value(s_ctx->cmsg, TFE_CMSG_POLICY_DO_LOG, (unsigned char *)&do_log, sizeof(do_log), &length);
if (ret < 0 || do_log == 0) if (ret < 0 || do_log == 0)
return; return;
ret = tfe_cmsg_get_value(s_ctx->cmsg, TFE_CMSG_POLICY_ID, (unsigned char *)&rule_id, sizeof(rule_id), &length); ret = tfe_cmsg_get_value(s_ctx->cmsg, TFE_CMSG_POLICY_ID, (unsigned char *)rule_id, UUID_LEN, &length);
if (ret < 0) if (ret < 0)
return; return;
ret = tfe_cmsg_get_value(s_ctx->cmsg, TFE_CMSG_HIT_NO_INTERCEPT, (unsigned char *)&hit_no_intercept, sizeof(hit_no_intercept), &length); ret = tfe_cmsg_get_value(s_ctx->cmsg, TFE_CMSG_HIT_NO_INTERCEPT, (unsigned char *)&hit_no_intercept, sizeof(hit_no_intercept), &length);
@@ -881,7 +881,7 @@ static void send_event_log(struct session_ctx *s_ctx, int thread_seq, void *ctx)
// proxy rule list // proxy rule list
mpack_build_array(&writer); mpack_build_array(&writer);
mpack_write_u64(&writer, rule_id); mpack_write_bin(&writer, (const char*)rule_id, UUID_LEN);
mpack_complete_array(&writer); mpack_complete_array(&writer);
tfe_cmsg_get_value(s_ctx->cmsg, TFE_CMSG_SSL_INTERCEPT_STATE, (unsigned char *)&ssl_intercept_status, sizeof(ssl_intercept_status), &length); tfe_cmsg_get_value(s_ctx->cmsg, TFE_CMSG_SSL_INTERCEPT_STATE, (unsigned char *)&ssl_intercept_status, sizeof(ssl_intercept_status), &length);
@@ -1127,22 +1127,24 @@ static int handle_session_opening(struct metadata *meta, marsio_buff_t *rx_buff,
packet_get_innermost_tuple4(&pkt, &inner_tuple4); packet_get_innermost_tuple4(&pkt, &inner_tuple4);
tfe_cmsg_get_value(parser->cmsg, TFE_CMSG_TCP_RESTORE_PROTOCOL, (unsigned char *)&stream_protocol_in_char, sizeof(stream_protocol_in_char), &size); tfe_cmsg_get_value(parser->cmsg, TFE_CMSG_TCP_RESTORE_PROTOCOL, (unsigned char *)&stream_protocol_in_char, sizeof(stream_protocol_in_char), &size);
uint64_t rule_id = 0; uuid_t rule_id = {0};
ret = intercept_policy_select(thread->ref_proxy->int_ply_enforcer, parser->tfe_policy_ids, parser->tfe_policy_id_num, &rule_id); char str_rule_id[UUID_STR_LEN] = {0};
ret = intercept_policy_select(thread->ref_proxy->int_ply_enforcer, parser->tfe_policy_ids, parser->tfe_policy_id_num, rule_id);
uuid_unparse(rule_id, str_rule_id);
if (ret != 0) if (ret != 0)
{ {
is_passthrough = 1; is_passthrough = 1;
set_passthrough_reason(parser->cmsg, reason_invalid_intercept_param); set_passthrough_reason(parser->cmsg, reason_invalid_intercept_param);
tfe_dp_telemetry_on_ctrl_pkt(packet_io->instance, rx_buff, 0, meta->session_id, "active", "passthrough", "invalid intercept param"); tfe_dp_telemetry_on_ctrl_pkt(packet_io->instance, rx_buff, str_rule_id, meta->session_id, "active", "passthrough", "invalid intercept param");
goto passthrough; goto passthrough;
} }
tfe_cmsg_set(parser->cmsg, TFE_CMSG_POLICY_ID, (const unsigned char *)&rule_id, sizeof(uint64_t)); tfe_cmsg_set(parser->cmsg, TFE_CMSG_POLICY_ID, (const unsigned char *)rule_id, UUID_LEN);
ret = intercept_policy_enforce(thread->ref_proxy->int_ply_enforcer, parser->cmsg); ret = intercept_policy_enforce(thread->ref_proxy->int_ply_enforcer, parser->cmsg);
if (ret != 0) { if (ret != 0) {
is_passthrough = 1; is_passthrough = 1;
set_passthrough_reason(parser->cmsg, reason_invalid_intercept_param); set_passthrough_reason(parser->cmsg, reason_invalid_intercept_param);
tfe_dp_telemetry_on_ctrl_pkt(packet_io->instance, rx_buff, rule_id, meta->session_id, "active", "passthrough", "invalid intercept param"); tfe_dp_telemetry_on_ctrl_pkt(packet_io->instance, rx_buff, str_rule_id, meta->session_id, "active", "passthrough", "invalid intercept param");
goto passthrough; goto passthrough;
} }
@@ -1151,7 +1153,7 @@ static int handle_session_opening(struct metadata *meta, marsio_buff_t *rx_buff,
is_passthrough = 1; is_passthrough = 1;
__atomic_fetch_add(&packet_io_fs->hit_no_intercept_num, 1, __ATOMIC_RELAXED); __atomic_fetch_add(&packet_io_fs->hit_no_intercept_num, 1, __ATOMIC_RELAXED);
set_passthrough_reason(parser->cmsg, reason_no_intercept_param); set_passthrough_reason(parser->cmsg, reason_no_intercept_param);
tfe_dp_telemetry_on_ctrl_pkt(packet_io->instance, rx_buff, rule_id, meta->session_id, "active", "passthrough", "hit no intercept"); tfe_dp_telemetry_on_ctrl_pkt(packet_io->instance, rx_buff, str_rule_id, meta->session_id, "active", "passthrough", "hit no intercept");
goto passthrough; goto passthrough;
} }
__atomic_fetch_add(&packet_io_fs->hit_intercept_num, 1, __ATOMIC_RELAXED); __atomic_fetch_add(&packet_io_fs->hit_intercept_num, 1, __ATOMIC_RELAXED);
@@ -1162,7 +1164,7 @@ static int handle_session_opening(struct metadata *meta, marsio_buff_t *rx_buff,
is_passthrough = 1; is_passthrough = 1;
__atomic_fetch_add(&packet_io_fs->tcp_pcy_inval_num, 1, __ATOMIC_RELAXED); __atomic_fetch_add(&packet_io_fs->tcp_pcy_inval_num, 1, __ATOMIC_RELAXED);
set_passthrough_reason(parser->cmsg, reason_invalid_tcp_policy_param); set_passthrough_reason(parser->cmsg, reason_invalid_tcp_policy_param);
tfe_dp_telemetry_on_ctrl_pkt(packet_io->instance, rx_buff, rule_id, meta->session_id, "active", "passthrough", "invalid tcp policy param"); tfe_dp_telemetry_on_ctrl_pkt(packet_io->instance, rx_buff, str_rule_id, meta->session_id, "active", "passthrough", "invalid tcp policy param");
goto passthrough; goto passthrough;
} }
@@ -1177,7 +1179,7 @@ static int handle_session_opening(struct metadata *meta, marsio_buff_t *rx_buff,
is_passthrough = 1; is_passthrough = 1;
__atomic_fetch_add(&packet_io_fs->tcp_pcy_inval_num, 1, __ATOMIC_RELAXED); __atomic_fetch_add(&packet_io_fs->tcp_pcy_inval_num, 1, __ATOMIC_RELAXED);
set_passthrough_reason(parser->cmsg, reason_invalid_tcp_policy_param); set_passthrough_reason(parser->cmsg, reason_invalid_tcp_policy_param);
tfe_dp_telemetry_on_ctrl_pkt(packet_io->instance, rx_buff, rule_id, meta->session_id, "active", "passthrough", "invalid tcp policy param"); tfe_dp_telemetry_on_ctrl_pkt(packet_io->instance, rx_buff, str_rule_id, meta->session_id, "active", "passthrough", "invalid tcp policy param");
goto passthrough; goto passthrough;
} }
tcp_restore_info_dump(&restore_info, meta->session_id, logger); tcp_restore_info_dump(&restore_info, meta->session_id, logger);
@@ -1189,7 +1191,7 @@ static int handle_session_opening(struct metadata *meta, marsio_buff_t *rx_buff,
is_passthrough = 1; is_passthrough = 1;
__atomic_fetch_add(&packet_io_fs->tcp_pcy_inval_num, 1, __ATOMIC_RELAXED); __atomic_fetch_add(&packet_io_fs->tcp_pcy_inval_num, 1, __ATOMIC_RELAXED);
set_passthrough_reason(parser->cmsg, reason_invalid_tcp_policy_param); set_passthrough_reason(parser->cmsg, reason_invalid_tcp_policy_param);
tfe_dp_telemetry_on_ctrl_pkt(packet_io->instance, rx_buff, rule_id, meta->session_id, "active", "passthrough", "invalid tcp policy param"); tfe_dp_telemetry_on_ctrl_pkt(packet_io->instance, rx_buff, str_rule_id, meta->session_id, "active", "passthrough", "invalid tcp policy param");
goto passthrough; goto passthrough;
} }
@@ -1201,7 +1203,7 @@ static int handle_session_opening(struct metadata *meta, marsio_buff_t *rx_buff,
is_passthrough = 1; is_passthrough = 1;
__atomic_fetch_add(&packet_io_fs->tcp_pcy_inval_num, 1, __ATOMIC_RELAXED); __atomic_fetch_add(&packet_io_fs->tcp_pcy_inval_num, 1, __ATOMIC_RELAXED);
set_passthrough_reason(parser->cmsg, reason_invalid_tcp_policy_param); set_passthrough_reason(parser->cmsg, reason_invalid_tcp_policy_param);
tfe_dp_telemetry_on_ctrl_pkt(packet_io->instance, rx_buff, rule_id, meta->session_id, "active", "passthrough", "invalid tcp policy param"); tfe_dp_telemetry_on_ctrl_pkt(packet_io->instance, rx_buff, str_rule_id, meta->session_id, "active", "passthrough", "invalid tcp policy param");
goto passthrough; goto passthrough;
} }
@@ -1219,7 +1221,7 @@ static int handle_session_opening(struct metadata *meta, marsio_buff_t *rx_buff,
is_passthrough = 1; is_passthrough = 1;
__atomic_fetch_add(&packet_io_fs->tcp_pcy_inval_num, 1, __ATOMIC_RELAXED); __atomic_fetch_add(&packet_io_fs->tcp_pcy_inval_num, 1, __ATOMIC_RELAXED);
set_passthrough_reason(parser->cmsg, reason_invalid_tcp_policy_param); set_passthrough_reason(parser->cmsg, reason_invalid_tcp_policy_param);
tfe_dp_telemetry_on_ctrl_pkt(packet_io->instance, rx_buff, rule_id, meta->session_id, "active", "passthrough", "invalid tcp policy param"); tfe_dp_telemetry_on_ctrl_pkt(packet_io->instance, rx_buff, str_rule_id, meta->session_id, "active", "passthrough", "invalid tcp policy param");
goto passthrough; goto passthrough;
} }
@@ -1230,7 +1232,7 @@ static int handle_session_opening(struct metadata *meta, marsio_buff_t *rx_buff,
is_passthrough = 1; is_passthrough = 1;
__atomic_fetch_add(&packet_io_fs->tcp_pcy_inval_num, 1, __ATOMIC_RELAXED); __atomic_fetch_add(&packet_io_fs->tcp_pcy_inval_num, 1, __ATOMIC_RELAXED);
set_passthrough_reason(parser->cmsg, reason_invalid_tcp_policy_param); set_passthrough_reason(parser->cmsg, reason_invalid_tcp_policy_param);
tfe_dp_telemetry_on_ctrl_pkt(packet_io->instance, rx_buff, rule_id, meta->session_id, "active", "passthrough", "invalid tcp policy param"); tfe_dp_telemetry_on_ctrl_pkt(packet_io->instance, rx_buff, str_rule_id, meta->session_id, "active", "passthrough", "invalid tcp policy param");
goto passthrough; goto passthrough;
} }
} }
@@ -1248,7 +1250,7 @@ static int handle_session_opening(struct metadata *meta, marsio_buff_t *rx_buff,
is_passthrough = 1; is_passthrough = 1;
__atomic_fetch_add(&packet_io_fs->tcp_pcy_inval_num, 1, __ATOMIC_RELAXED); __atomic_fetch_add(&packet_io_fs->tcp_pcy_inval_num, 1, __ATOMIC_RELAXED);
set_passthrough_reason(parser->cmsg, reason_invalid_tcp_policy_param); set_passthrough_reason(parser->cmsg, reason_invalid_tcp_policy_param);
tfe_dp_telemetry_on_ctrl_pkt(packet_io->instance, rx_buff, rule_id, meta->session_id, "active", "passthrough", "invalid tcp policy param"); tfe_dp_telemetry_on_ctrl_pkt(packet_io->instance, rx_buff, str_rule_id, meta->session_id, "active", "passthrough", "invalid tcp policy param");
goto passthrough; goto passthrough;
} }
__atomic_fetch_add(&packet_io_fs->can_intercept_num, 1, __ATOMIC_RELAXED); __atomic_fetch_add(&packet_io_fs->can_intercept_num, 1, __ATOMIC_RELAXED);
@@ -1258,11 +1260,11 @@ static int handle_session_opening(struct metadata *meta, marsio_buff_t *rx_buff,
set_passthrough_reason(parser->cmsg, reason_underlying_stream_error); set_passthrough_reason(parser->cmsg, reason_underlying_stream_error);
if (parser->intercpet_data & IS_SINGLE) { if (parser->intercpet_data & IS_SINGLE) {
__atomic_fetch_add(&packet_io_fs->asymmetric_num, 1, __ATOMIC_RELAXED); __atomic_fetch_add(&packet_io_fs->asymmetric_num, 1, __ATOMIC_RELAXED);
tfe_dp_telemetry_on_ctrl_pkt(packet_io->instance, rx_buff, rule_id, meta->session_id, "active", "passthrough", "asymmetric traffic"); tfe_dp_telemetry_on_ctrl_pkt(packet_io->instance, rx_buff, str_rule_id, meta->session_id, "active", "passthrough", "asymmetric traffic");
} }
else if (parser->intercpet_data & IS_TUNNEL) { else if (parser->intercpet_data & IS_TUNNEL) {
__atomic_fetch_add(&packet_io_fs->tunnel_num, 1, __ATOMIC_RELAXED); __atomic_fetch_add(&packet_io_fs->tunnel_num, 1, __ATOMIC_RELAXED);
tfe_dp_telemetry_on_ctrl_pkt(packet_io->instance, rx_buff, rule_id, meta->session_id, "active", "passthrough", "tunnel traffic"); tfe_dp_telemetry_on_ctrl_pkt(packet_io->instance, rx_buff, str_rule_id, meta->session_id, "active", "passthrough", "tunnel traffic");
} }
} }
@@ -1275,7 +1277,7 @@ passthrough:
s_ctx->session_id = meta->session_id; s_ctx->session_id = meta->session_id;
tuple4_tostring(&inner_tuple4, s_ctx->session_addr, sizeof(s_ctx->session_addr)); tuple4_tostring(&inner_tuple4, s_ctx->session_addr, sizeof(s_ctx->session_addr));
s_ctx->cmsg = parser->cmsg; s_ctx->cmsg = parser->cmsg;
s_ctx->policy_ids = rule_id; memcpy(s_ctx->policy_ids, rule_id, UUID_LEN);
s_ctx->is_passthrough = is_passthrough; s_ctx->is_passthrough = is_passthrough;
metadata_deep_copy(s_ctx->ctrl_meta, meta); metadata_deep_copy(s_ctx->ctrl_meta, meta);
sids_copy(&s_ctx->ctrl_meta->sids, &meta->sids); sids_copy(&s_ctx->ctrl_meta->sids, &meta->sids);
@@ -1306,7 +1308,7 @@ passthrough:
sids_copy(&s_ctx->s2c_info.sids, &parser->ack_sids); sids_copy(&s_ctx->s2c_info.sids, &parser->ack_sids);
route_ctx_copy(&s_ctx->s2c_info.route_ctx, &parser->ack_route_ctx); route_ctx_copy(&s_ctx->s2c_info.route_ctx, &parser->ack_route_ctx);
TFE_LOG_INFO(logger, "%s: session %lu %s active first, hit rule %lu", LOG_TAG_PKTIO, s_ctx->session_id, s_ctx->session_addr, rule_id); TFE_LOG_INFO(logger, "%s: session %lu %s active first, hit rule %s", LOG_TAG_PKTIO, s_ctx->session_id, s_ctx->session_addr, str_rule_id);
session_table_insert(thread->session_table, s_ctx->session_id, &(s_ctx->c2s_info.tuple4), s_ctx, session_value_free_cb); session_table_insert(thread->session_table, s_ctx->session_id, &(s_ctx->c2s_info.tuple4), s_ctx, session_value_free_cb);
ATOMIC_INC(&(packet_io_fs->session_num)); ATOMIC_INC(&(packet_io_fs->session_num));
if (parser->seq_header) if (parser->seq_header)
@@ -1316,7 +1318,7 @@ passthrough:
if (is_passthrough == 0) if (is_passthrough == 0)
{ {
tfe_dp_telemetry_on_ctrl_pkt(packet_io->instance, rx_buff, rule_id, meta->session_id, "active", "intercept", NULL); tfe_dp_telemetry_on_ctrl_pkt(packet_io->instance, rx_buff, str_rule_id, meta->session_id, "active", "intercept", NULL);
} }
return 0; return 0;
} }
@@ -1344,6 +1346,7 @@ static int handle_session_closing(struct metadata *meta, marsio_buff_t *rx_buff,
struct packet_io *packet_io = thread->ref_io; struct packet_io *packet_io = thread->ref_io;
struct packet_io_fs *packet_io_fs = thread->ret_fs_state; struct packet_io_fs *packet_io_fs = thread->ret_fs_state;
void * logger = thread->logger; void * logger = thread->logger;
char str_policy_id[UUID_STR_LEN] = {0};
struct session_node *node = session_table_search_by_id(thread->session_table, meta->session_id); struct session_node *node = session_table_search_by_id(thread->session_table, meta->session_id);
if (node) if (node)
@@ -1351,7 +1354,8 @@ static int handle_session_closing(struct metadata *meta, marsio_buff_t *rx_buff,
struct session_ctx *s_ctx = (struct session_ctx *)node->val_data; struct session_ctx *s_ctx = (struct session_ctx *)node->val_data;
tfe_fieldstat_intercept_incrby(thread->ref_acceptor_ctx->metrics, s_ctx, thread->thread_index); tfe_fieldstat_intercept_incrby(thread->ref_acceptor_ctx->metrics, s_ctx, thread->thread_index);
TFE_LOG_INFO(logger, "%s: session %lu closing", LOG_TAG_PKTIO, s_ctx->session_id); TFE_LOG_INFO(logger, "%s: session %lu closing", LOG_TAG_PKTIO, s_ctx->session_id);
tfe_dp_telemetry_on_ctrl_pkt(packet_io->instance, rx_buff, s_ctx->policy_ids, meta->session_id, "closing", NULL, NULL); uuid_unparse(s_ctx->policy_ids, str_policy_id);
tfe_dp_telemetry_on_ctrl_pkt(packet_io->instance, rx_buff, str_policy_id, meta->session_id, "closing", NULL, NULL);
session_table_delete_by_id(thread->session_table, meta->session_id); session_table_delete_by_id(thread->session_table, meta->session_id);
ATOMIC_DEC(&(packet_io_fs->session_num)); ATOMIC_DEC(&(packet_io_fs->session_num));
return 0; return 0;
@@ -1369,9 +1373,10 @@ static int handle_session_resetall(struct metadata *meta, marsio_buff_t *rx_buff
struct packet_io *packet_io = thread->ref_io; struct packet_io *packet_io = thread->ref_io;
struct packet_io_fs *packet_io_fs = thread->ret_fs_state; struct packet_io_fs *packet_io_fs = thread->ret_fs_state;
void * logger = thread->logger; void * logger = thread->logger;
char str_policy_id[UUID_STR_LEN] = {0};
TFE_LOG_ERROR(logger, "%s: session %lu resetall: notification clears all session tables !!!", LOG_TAG_PKTIO, meta->session_id); TFE_LOG_ERROR(logger, "%s: session %lu resetall: notification clears all session tables !!!", LOG_TAG_PKTIO, meta->session_id);
tfe_dp_telemetry_on_ctrl_pkt(packet_io->instance, rx_buff, 0, meta->session_id, "resetall", NULL, NULL); tfe_dp_telemetry_on_ctrl_pkt(packet_io->instance, rx_buff, str_policy_id, meta->session_id, "resetall", NULL, NULL);
ATOMIC_ZERO(&(packet_io_fs->session_num)); ATOMIC_ZERO(&(packet_io_fs->session_num));
for (int i = 0; i < acceptor_ctx->nr_worker_threads; i++) for (int i = 0; i < acceptor_ctx->nr_worker_threads; i++)
{ {
@@ -1452,6 +1457,7 @@ static int handle_raw_packet_from_nf(struct packet_io *handle, marsio_buff_t *rx
char *header = NULL; char *header = NULL;
int header_len = 0; int header_len = 0;
void * logger = thread->logger; void * logger = thread->logger;
char str_policy_id[UUID_STR_LEN] = {0};
int raw_len = marsio_buff_datalen(rx_buff); int raw_len = marsio_buff_datalen(rx_buff);
char *raw_data = marsio_buff_mtod(rx_buff); char *raw_data = marsio_buff_mtod(rx_buff);
@@ -1466,7 +1472,7 @@ static int handle_raw_packet_from_nf(struct packet_io *handle, marsio_buff_t *rx
LOG_TAG_PKTIO, meta.session_id, meta.raw_len, meta.is_e2i_dir, meta.is_ctrl_pkt, meta.l7offset, meta.is_decrypted, meta.sids.num); LOG_TAG_PKTIO, meta.session_id, meta.raw_len, meta.is_e2i_dir, meta.is_ctrl_pkt, meta.l7offset, meta.is_decrypted, meta.sids.num);
throughput_metrics_inc(&packet_io_fs->raw_pkt_rx, 1, raw_len); throughput_metrics_inc(&packet_io_fs->raw_pkt_rx, 1, raw_len);
throughput_metrics_inc(&packet_io_fs->raw_bypass, 1, raw_len); throughput_metrics_inc(&packet_io_fs->raw_bypass, 1, raw_len);
tfe_dp_on_raw_pkt(packet_io->instance, rx_buff, 0, "raw", "passthrough", "miss metadata"); tfe_dp_on_raw_pkt(packet_io->instance, rx_buff, str_policy_id, "raw", "passthrough", "miss metadata");
marsio_send_burst(handle->dev_nf_interface.mr_path, thread_seq, &rx_buff, 1); marsio_send_burst(handle->dev_nf_interface.mr_path, thread_seq, &rx_buff, 1);
return -1; return -1;
} }
@@ -1478,7 +1484,7 @@ static int handle_raw_packet_from_nf(struct packet_io *handle, marsio_buff_t *rx
throughput_metrics_inc(&packet_io_fs->raw_pkt_rx, 1, raw_len); throughput_metrics_inc(&packet_io_fs->raw_pkt_rx, 1, raw_len);
throughput_metrics_inc(&packet_io_fs->raw_bypass, 1, raw_len); throughput_metrics_inc(&packet_io_fs->raw_bypass, 1, raw_len);
throughput_metrics_inc(&packet_io_fs->dup_bypass, 1, raw_len); throughput_metrics_inc(&packet_io_fs->dup_bypass, 1, raw_len);
tfe_dp_on_raw_pkt(packet_io->instance, rx_buff, 0, "duplicated", "passthrough", NULL); tfe_dp_on_raw_pkt(packet_io->instance, rx_buff, str_policy_id, "duplicated", "passthrough", NULL);
marsio_send_burst(handle->dev_nf_interface.mr_path, thread_seq, &rx_buff, 1); marsio_send_burst(handle->dev_nf_interface.mr_path, thread_seq, &rx_buff, 1);
return -1; return -1;
} }
@@ -1501,12 +1507,13 @@ static int handle_raw_packet_from_nf(struct packet_io *handle, marsio_buff_t *rx
tuple4_tostring(&inner_addr, buffer, sizeof(buffer)); tuple4_tostring(&inner_addr, buffer, sizeof(buffer));
TFE_LOG_ERROR(logger, "packet from nf %lu: %s (ipid: %u) miss session table", meta.session_id, buffer, ipid); TFE_LOG_ERROR(logger, "packet from nf %lu: %s (ipid: %u) miss session table", meta.session_id, buffer, ipid);
} }
tfe_dp_on_raw_pkt(packet_io->instance, rx_buff, 0, "decrypted", "passthrough", "miss session"); tfe_dp_on_raw_pkt(packet_io->instance, rx_buff, str_policy_id, "decrypted", "passthrough", "miss session");
marsio_send_burst(handle->dev_nf_interface.mr_path, thread_seq, &rx_buff, 1); marsio_send_burst(handle->dev_nf_interface.mr_path, thread_seq, &rx_buff, 1);
return -1; return -1;
} }
struct session_ctx *s_ctx = (struct session_ctx *)node->val_data; struct session_ctx *s_ctx = (struct session_ctx *)node->val_data;
uuid_unparse(s_ctx->policy_ids, str_policy_id);
if (s_ctx->is_passthrough > 0) { if (s_ctx->is_passthrough > 0) {
throughput_metrics_inc(&packet_io_fs->raw_pkt_rx, 1, raw_len); throughput_metrics_inc(&packet_io_fs->raw_pkt_rx, 1, raw_len);
@@ -1525,14 +1532,14 @@ static int handle_raw_packet_from_nf(struct packet_io *handle, marsio_buff_t *rx
send_event_log(s_ctx, thread_seq, ctx); send_event_log(s_ctx, thread_seq, ctx);
tfe_cmsg_set_flag(s_ctx->cmsg, TFE_CMSG_FLAG_INIT); tfe_cmsg_set_flag(s_ctx->cmsg, TFE_CMSG_FLAG_INIT);
} }
tfe_dp_on_raw_pkt(packet_io->instance, rx_buff, s_ctx->policy_ids, "decrypted", "passthrough", NULL); tfe_dp_on_raw_pkt(packet_io->instance, rx_buff, str_policy_id, "decrypted", "passthrough", NULL);
marsio_send_burst(handle->dev_nf_interface.mr_path, thread_seq, &rx_buff, 1); marsio_send_burst(handle->dev_nf_interface.mr_path, thread_seq, &rx_buff, 1);
return 0; return 0;
} }
if (meta.is_decrypted) if (meta.is_decrypted)
{ {
tfe_dp_on_raw_pkt(packet_io->instance, rx_buff, s_ctx->policy_ids, "decrypted", "intercept", NULL); tfe_dp_on_raw_pkt(packet_io->instance, rx_buff, str_policy_id, "decrypted", "intercept", NULL);
throughput_metrics_inc(&packet_io_fs->decrypt_rx, 1, raw_len); throughput_metrics_inc(&packet_io_fs->decrypt_rx, 1, raw_len);
if (memcmp(&inner_addr, &s_ctx->c2s_info.tuple4, sizeof(struct tuple4)) == 0) { if (memcmp(&inner_addr, &s_ctx->c2s_info.tuple4, sizeof(struct tuple4)) == 0) {
add_ether_header(raw_data, packet_io->config.tap_c_mac, packet_io->config.tap_s_mac); add_ether_header(raw_data, packet_io->config.tap_c_mac, packet_io->config.tap_s_mac);
@@ -1557,7 +1564,7 @@ static int handle_raw_packet_from_nf(struct packet_io *handle, marsio_buff_t *rx
} }
else else
{ {
tfe_dp_on_raw_pkt(packet_io->instance, rx_buff, s_ctx->policy_ids, "raw", "intercept", NULL); tfe_dp_on_raw_pkt(packet_io->instance, rx_buff, str_policy_id, "raw", "intercept", NULL);
throughput_metrics_inc(&packet_io_fs->raw_pkt_rx, 1, raw_len); throughput_metrics_inc(&packet_io_fs->raw_pkt_rx, 1, raw_len);
if (memcmp(&inner_addr, &s_ctx->c2s_info.tuple4, sizeof(struct tuple4)) == 0) { if (memcmp(&inner_addr, &s_ctx->c2s_info.tuple4, sizeof(struct tuple4)) == 0) {
s_ctx->c2s_info.sids = meta.sids; s_ctx->c2s_info.sids = meta.sids;

14
common/src/tfe_scan.cpp
View File

@@ -152,22 +152,22 @@ int tfe_get_library_tags(const struct tfe_stream *stream, cJSON *common_obj, tfe
struct library_tag_ctx *library_tag =(struct library_tag_ctx *)maat_plugin_table_get_ex_data(tfe_get_maat_handle(), tfe_bussiness_tableid_get(PXY_CTRL_LIBRARY_TAG), (const char *)&tag_id_array[i], sizeof(long long)); struct library_tag_ctx *library_tag =(struct library_tag_ctx *)maat_plugin_table_get_ex_data(tfe_get_maat_handle(), tfe_bussiness_tableid_get(PXY_CTRL_LIBRARY_TAG), (const char *)&tag_id_array[i], sizeof(long long));
if(library_tag != NULL) if(library_tag != NULL)
{ {
if(library_tag->category == CATEGORY_TYPE_ASN && tlv_type == TFE_CMSG_SRC_IP_TAGS_IDS_STR && atol(library_tag->tag_value) > 0) if(library_tag->category == CATEGORY_TYPE_ASN && tlv_type == TFE_CMSG_SRC_IP_TAGS_IDS_ARR && atol(library_tag->tag_value) > 0)
{ {
cJSON_AddNumberToObject(common_obj, "client_asn", atol(library_tag->tag_value)); cJSON_AddNumberToObject(common_obj, "client_asn", atol(library_tag->tag_value));
} }
if(library_tag->category == CATEGORY_TYPE_CONTRY_CODE && tlv_type== TFE_CMSG_SRC_IP_TAGS_IDS_STR) if(library_tag->category == CATEGORY_TYPE_CONTRY_CODE && tlv_type== TFE_CMSG_SRC_IP_TAGS_IDS_ARR)
{ {
cJSON_AddStringToObject(common_obj, "client_country", library_tag->tag_value); cJSON_AddStringToObject(common_obj, "client_country", library_tag->tag_value);
} }
if(library_tag->category == CATEGORY_TYPE_ASN && tlv_type == TFE_CMSG_DST_IP_TAGS_IDS_STR && atol(library_tag->tag_value) > 0) if(library_tag->category == CATEGORY_TYPE_ASN && tlv_type == TFE_CMSG_DST_IP_TAGS_IDS_ARR && atol(library_tag->tag_value) > 0)
{ {
cJSON_AddNumberToObject(common_obj, "server_asn", atol(library_tag->tag_value)); cJSON_AddNumberToObject(common_obj, "server_asn", atol(library_tag->tag_value));
} }
if(library_tag->category == CATEGORY_TYPE_CONTRY_CODE && tlv_type== TFE_CMSG_DST_IP_TAGS_IDS_STR) if(library_tag->category == CATEGORY_TYPE_CONTRY_CODE && tlv_type== TFE_CMSG_DST_IP_TAGS_IDS_ARR)
{ {
cJSON_AddStringToObject(common_obj, "server_country", library_tag->tag_value); cJSON_AddStringToObject(common_obj, "server_country", library_tag->tag_value);
} }
@@ -190,7 +190,7 @@ int tfe_scan_ip_tags(const struct tfe_stream *stream, long long *result, struct
int scan_ret = 0, hit_cnt_ip = 0, n_tag_ids = 0; int scan_ret = 0, hit_cnt_ip = 0, n_tag_ids = 0;
char opt_val[128]={0}; char opt_val[128]={0};
n_tag_ids = tfe_get_entry_tags(stream, (enum tfe_cmsg_tlv_type)TFE_CMSG_SRC_IP_TAGS_IDS_STR, opt_val, tag_id_array); n_tag_ids = tfe_get_entry_tags(stream, (enum tfe_cmsg_tlv_type)TFE_CMSG_SRC_IP_TAGS_IDS_ARR, opt_val, tag_id_array);
if(n_tag_ids == 0) if(n_tag_ids == 0)
{ {
return hit_cnt_ip; return hit_cnt_ip;
@@ -224,7 +224,7 @@ int tfe_scan_ip_tags(const struct tfe_stream *stream, long long *result, struct
memset(opt_val, 0, sizeof(opt_val)); memset(opt_val, 0, sizeof(opt_val));
memset(tag_id_array, 0, sizeof(tag_id_array)); memset(tag_id_array, 0, sizeof(tag_id_array));
n_tag_ids = tfe_get_entry_tags(stream, (enum tfe_cmsg_tlv_type)TFE_CMSG_DST_IP_TAGS_IDS_STR, opt_val, tag_id_array); n_tag_ids = tfe_get_entry_tags(stream, (enum tfe_cmsg_tlv_type)TFE_CMSG_DST_IP_TAGS_IDS_ARR, opt_val, tag_id_array);
if(n_tag_ids == 0) if(n_tag_ids == 0)
{ {
return hit_cnt_ip; return hit_cnt_ip;
@@ -261,7 +261,7 @@ int tfe_scan_fqdn_tags(const struct tfe_stream *stream, long long *result, struc
long long tag_id_array[128]={0}; long long tag_id_array[128]={0};
int scan_ret = 0, hit_cnt_fqdn = 0, n_tag_ids = 0; int scan_ret = 0, hit_cnt_fqdn = 0, n_tag_ids = 0;
n_tag_ids = tfe_get_entry_tags(stream, (enum tfe_cmsg_tlv_type)TFE_CMSG_FQDN_TAGS_IDS_STR, opt_val, tag_id_array); n_tag_ids = tfe_get_entry_tags(stream, (enum tfe_cmsg_tlv_type)TFE_CMSG_FQDN_TAGS_IDS_ARR, opt_val, tag_id_array);
if(n_tag_ids == 0) if(n_tag_ids == 0)
{ {
return hit_cnt_fqdn; return hit_cnt_fqdn;

1
common/test/CMakeLists.txt
View File

@@ -29,6 +29,7 @@ target_link_libraries(gtest_session_table common gtest)
add_executable(gtest_mpack test_mpack.cpp) add_executable(gtest_mpack test_mpack.cpp)
target_include_directories(gtest_mpack PUBLIC ${CMAKE_SOURCE_DIR}/common/include) target_include_directories(gtest_mpack PUBLIC ${CMAKE_SOURCE_DIR}/common/include)
target_link_libraries(gtest_mpack common gtest) target_link_libraries(gtest_mpack common gtest)
target_link_libraries(gtest_mpack common uuid)
############################################################################### ###############################################################################
# gtest_discover_tests # gtest_discover_tests

45
common/test/test_mpack.cpp
View File

@@ -1,5 +1,6 @@
#include <gtest/gtest.h> #include <gtest/gtest.h>
#include <arpa/inet.h> #include <arpa/inet.h>
#include <uuid/uuid.h>
#include "mpack.h" #include "mpack.h"
#include "tfe_cmsg.h" #include "tfe_cmsg.h"
@@ -38,8 +39,6 @@ void build_mpack_data(char **data, size_t *size)
char src_imei[256] = "25762917001364"; char src_imei[256] = "25762917001364";
char src_phone_number[256] = "623335886431"; char src_phone_number[256] = "623335886431";
char src_apn[256] = "www.lytest.com"; char src_apn[256] = "www.lytest.com";
uint64_t dst_ip_tags_ids[] = {324119, 18446744073709551615ULL, 324137, 324129};
uint64_t fqdn_tags_ids[] = {324109, 324105, 18446744073709551615ULL, 324137, 324129};
uint8_t ja3_fingerprint[32] = {0}; uint8_t ja3_fingerprint[32] = {0};
uint16_t seq_sid[] = {1000, 1001, 1002, 1003}; uint16_t seq_sid[] = {1000, 1001, 1002, 1003};
uint16_t ack_sid[] = {1003, 1002, 1001, 1000}; uint16_t ack_sid[] = {1003, 1002, 1001, 1000};
@@ -48,6 +47,8 @@ void build_mpack_data(char **data, size_t *size)
uint8_t seq_header[] = {0x00, 0x10, 0x20, 0x30, 0x40, 0x50, 0x60, 0x70}; uint8_t seq_header[] = {0x00, 0x10, 0x20, 0x30, 0x40, 0x50, 0x60, 0x70};
uint8_t ack_header[] = {0x80, 0x90, 0xA0, 0xB0, 0xC0, 0xD0, 0xE0, 0xF0}; uint8_t ack_header[] = {0x80, 0x90, 0xA0, 0xB0, 0xC0, 0xD0, 0xE0, 0xF0};
uint8_t tfe_flag = 0; uint8_t tfe_flag = 0;
uuid_t uuid;
char str_uuid[UUID_STR_LEN] = {0};
mpack_writer_init_growable(&writer, data, size); mpack_writer_init_growable(&writer, data, size);
mpack_build_map(&writer); mpack_build_map(&writer);
@@ -72,7 +73,12 @@ void build_mpack_data(char **data, size_t *size)
mpack_build_map(&writer); mpack_build_map(&writer);
mpack_write_cstr(&writer, "rule_ids"); mpack_write_cstr(&writer, "rule_ids");
mpack_build_array(&writer); mpack_build_array(&writer);
mpack_write_u64(&writer, 1); for (int i = 0; i < 2; i++) {
uuid_generate(uuid);
uuid_unparse(uuid, str_uuid);
printf("sce rule id:%s\n", str_uuid);
mpack_write_bin(&writer, (const char*)uuid, sizeof(uuid));
}
mpack_complete_array(&writer); mpack_complete_array(&writer);
mpack_complete_map(&writer); mpack_complete_map(&writer);
@@ -80,7 +86,12 @@ void build_mpack_data(char **data, size_t *size)
mpack_build_map(&writer); mpack_build_map(&writer);
mpack_write_cstr(&writer, "rule_ids"); mpack_write_cstr(&writer, "rule_ids");
mpack_build_array(&writer); mpack_build_array(&writer);
mpack_write_u64(&writer, 3); for (int i = 0; i < 2; i++) {
uuid_generate(uuid);
uuid_unparse(uuid, str_uuid);
printf("proxy rule id:%s\n", str_uuid);
mpack_write_bin(&writer, (const char*)uuid, sizeof(uuid));
}
mpack_complete_array(&writer); mpack_complete_array(&writer);
mpack_write_cstr(&writer, "tcp_handshake"); mpack_write_cstr(&writer, "tcp_handshake");
@@ -112,17 +123,29 @@ void build_mpack_data(char **data, size_t *size)
mpack_write_str(&writer, (const char*)src_apn, strlen(src_apn)); mpack_write_str(&writer, (const char*)src_apn, strlen(src_apn));
mpack_build_array(&writer); mpack_build_array(&writer);
mpack_complete_array(&writer); for (int i = 0; i < 3; i++) {
uuid_generate(uuid);
mpack_build_array(&writer); uuid_unparse(uuid, str_uuid);
for (size_t i = 0; i < sizeof(dst_ip_tags_ids)/sizeof(dst_ip_tags_ids[0]); i++) { printf("src ip tags uuid:%s\n", str_uuid);
mpack_write_u64(&writer, dst_ip_tags_ids[i]); mpack_write_bin(&writer, (const char*)uuid, sizeof(uuid));
} }
mpack_complete_array(&writer); mpack_complete_array(&writer);
mpack_build_array(&writer); mpack_build_array(&writer);
for (size_t i = 0; i < sizeof(fqdn_tags_ids)/sizeof(fqdn_tags_ids[0]); i++) { for (int i = 0; i < 4; i++) {
mpack_write_u64(&writer, fqdn_tags_ids[i]); uuid_generate(uuid);
uuid_unparse(uuid, str_uuid);
printf("dst ip tags uuid:%s\n", str_uuid);
mpack_write_bin(&writer, (const char*)uuid, sizeof(uuid));
}
mpack_complete_array(&writer);
mpack_build_array(&writer);
for (int i = 0; i < 5; i++) {
uuid_generate(uuid);
uuid_unparse(uuid, str_uuid);
printf("fqdn ip tags uuid:%s\n", str_uuid);
mpack_write_bin(&writer, (const char*)uuid, sizeof(uuid));
} }
mpack_complete_array(&writer); mpack_complete_array(&writer);

80
plugin/business/chaining-policy/src/chaining_policy.cpp
View File

@@ -17,7 +17,7 @@ enum traffic_type
struct chaining_param struct chaining_param
{ {
uint64_t rule_id; uuid_t rule_id;
int ref_cnt; int ref_cnt;
enum traffic_type type; enum traffic_type type;
}; };
@@ -25,42 +25,42 @@ struct chaining_param
struct chaining_policy_enforcer struct chaining_policy_enforcer
{ {
struct maat *maat; struct maat *maat;
int table_id; char table_name[32];
void *logger; void *logger;
}; };
static void chaining_param_new_cb(const char *table_name, int table_id, const char *key, const char *table_line, void **ad, long argl, void *argp) static void chaining_param_new_cb(const char *table_name, const char *key, const char *table_line, void **ad, long argl, void *argp)
{ {
cJSON *json = NULL; cJSON * json_root = NULL;
cJSON *item = NULL; cJSON * json_subroot = NULL;
cJSON * item = NULL;
size_t user_region_offset = 0; size_t user_region_offset = 0;
size_t user_region_len = 0; size_t user_region_len = 0;
struct chaining_param *param = NULL; struct chaining_param *param = NULL;
struct chaining_policy_enforcer *enforcer = (struct chaining_policy_enforcer *)argp; struct chaining_policy_enforcer *enforcer = (struct chaining_policy_enforcer *)argp;
if (maat_helper_read_column(table_line, 7, &user_region_offset, &user_region_len) < 0) json_root = cJSON_Parse(table_line);
if (unlikely(!json_root))
{ {
TFE_LOG_ERROR(enforcer->logger, "unexpected chaining rule: (invalid user region) %s", table_line); TFE_LOG_ERROR(enforcer->logger, "Invalid chaining profile: %s", table_line);
return; goto error_out;
} }
char *json_str = (char *)calloc(user_region_len + 1, sizeof(char)); json_subroot = cJSON_GetObjectItem(json_root, "USER_REGION");
memcpy(json_str, table_line + user_region_offset, user_region_len); if (unlikely(!json_subroot))
json = cJSON_Parse(json_str);
if (json == NULL)
{ {
TFE_LOG_ERROR(enforcer->logger, "unexpected chaining rule: (invalid json format) %s", table_line); TFE_LOG_ERROR(enforcer->logger, "Invalid chaining rule: %s (invalid USER_REGION format) %s.", key, table_line);
goto error_out; goto error_out;
} }
param = (struct chaining_param *)calloc(1, sizeof(struct chaining_param)); param = (struct chaining_param *)calloc(1, sizeof(struct chaining_param));
param->rule_id = atoll(key);
param->ref_cnt = 1; param->ref_cnt = 1;
uuid_parse(key, param->rule_id);
item = cJSON_GetObjectItem(json, "targeted_traffic"); item = cJSON_GetObjectItem(json_subroot, "targeted_traffic");
if (!item || !cJSON_IsString(item)) if (!item || !cJSON_IsString(item))
{ {
TFE_LOG_ERROR(enforcer->logger, "unexpected chaining rule: (invalid targeted_traffic param) %s", table_line); TFE_LOG_ERROR(enforcer->logger, "Invalid chaining rule: %s (invalid targeted_traffic format) %s.", key, table_line);
goto error_out; goto error_out;
} }
if (strcasecmp(item->valuestring, "raw") == 0) if (strcasecmp(item->valuestring, "raw") == 0)
@@ -73,30 +73,21 @@ static void chaining_param_new_cb(const char *table_name, int table_id, const ch
} }
else else
{ {
TFE_LOG_ERROR(enforcer->logger, "unexpected chaining rule: (invalid targeted_traffic param) %s", table_line); TFE_LOG_ERROR(enforcer->logger, "Invalid chaining rule: %s (invalid targeted_traffic format) %s", key, table_line);
goto error_out; goto error_out;
} }
*ad = param; *ad = param;
TFE_LOG_INFO(enforcer->logger, "Add chaining rule: %lu", param->rule_id); TFE_LOG_INFO(enforcer->logger, "Add chaining rule: %s", key);
cJSON_Delete(json_root);
cJSON_Delete(json);
free(json_str);
return; return;
error_out: error_out:
if (json) if (json_root)
{ {
cJSON_Delete(json); cJSON_Delete(json_root);
json = NULL; json_root = NULL;
} }
if (json_str)
{
free(json_str);
json_str = NULL;
}
if (param) if (param)
{ {
free(param); free(param);
@@ -104,8 +95,9 @@ error_out:
} }
} }
static void chaining_param_free_cb(int table_id, void **ad, long argl, void *argp) static void chaining_param_free_cb(const char *table_name, void **ad, long argl, void *argp)
{ {
char str_rule_id[UUID_STR_LEN] = {0};
struct chaining_policy_enforcer *enforcer = (struct chaining_policy_enforcer *)argp; struct chaining_policy_enforcer *enforcer = (struct chaining_policy_enforcer *)argp;
struct chaining_param *param = (struct chaining_param *)*ad; struct chaining_param *param = (struct chaining_param *)*ad;
if (param == NULL) if (param == NULL)
@@ -115,7 +107,8 @@ static void chaining_param_free_cb(int table_id, void **ad, long argl, void *arg
if ((__sync_sub_and_fetch(&param->ref_cnt, 1) == 0)) if ((__sync_sub_and_fetch(&param->ref_cnt, 1) == 0))
{ {
TFE_LOG_INFO(enforcer->logger, "Del chaining policy %lu", param->rule_id); uuid_unparse(param->rule_id, str_rule_id);
TFE_LOG_INFO(enforcer->logger, "Del chaining policy %s", str_rule_id);
free(param); free(param);
*ad = NULL; *ad = NULL;
} }
@@ -126,7 +119,7 @@ static void chaining_param_free(struct chaining_param *param)
chaining_param_free_cb(0, (void **)&param, 0, NULL); chaining_param_free_cb(0, (void **)&param, 0, NULL);
} }
static void chaining_param_dup_cb(int table_id, void **to, void **from, long argl, void *argp) static void chaining_param_dup_cb(const char *table_name, void **to, void **from, long argl, void *argp)
{ {
struct chaining_param *param = (struct chaining_param *)*from; struct chaining_param *param = (struct chaining_param *)*from;
if (param) if (param)
@@ -146,14 +139,9 @@ struct chaining_policy_enforcer *chaining_policy_enforcer_create(void *logger)
struct chaining_policy_enforcer *enforcer = ALLOC(struct chaining_policy_enforcer, 1); struct chaining_policy_enforcer *enforcer = ALLOC(struct chaining_policy_enforcer, 1);
enforcer->maat = tfe_get_maat_handle(); enforcer->maat = tfe_get_maat_handle();
enforcer->logger = logger; enforcer->logger = logger;
enforcer->table_id = maat_get_table_id(enforcer->maat, "SERVICE_CHAINING_COMPILE"); snprintf(enforcer->table_name, sizeof(enforcer->table_name), "SERVICE_CHAINING_COMPILE");
if (enforcer->table_id < 0)
{
TFE_LOG_ERROR(enforcer->logger, "failed at register table of SERVICE_CHAINING_COMPILE, ret = %d", enforcer->table_id);
goto error_out;
}
ret = maat_plugin_table_ex_schema_register(enforcer->maat, "SERVICE_CHAINING_COMPILE", ret = maat_plugin_table_ex_schema_register(enforcer->maat, enforcer->table_name,
chaining_param_new_cb, chaining_param_new_cb,
chaining_param_free_cb, chaining_param_free_cb,
chaining_param_dup_cb, chaining_param_dup_cb,
@@ -179,10 +167,10 @@ void chaining_policy_enforcer_destory(struct chaining_policy_enforcer *enforcer)
} }
} }
void chaining_policy_enforce(struct chaining_policy_enforcer *enforcer, struct tfe_cmsg *cmsg, uint64_t rule_id) void chaining_policy_enforce(struct chaining_policy_enforcer *enforcer, struct tfe_cmsg *cmsg, uuid_t rule_id)
{ {
uint16_t size = 0; uint16_t size = 0;
char rule_id_str[16] = {0}; char str_rule_id[UUID_STR_LEN] = {0};
uint8_t enalbe_decrypted_traffic_steering = 0; uint8_t enalbe_decrypted_traffic_steering = 0;
tfe_cmsg_get_value(cmsg, TFE_CMSG_TCP_DECRYPTED_TRAFFIC_STEERING, (unsigned char *)&enalbe_decrypted_traffic_steering, sizeof(enalbe_decrypted_traffic_steering), &size); tfe_cmsg_get_value(cmsg, TFE_CMSG_TCP_DECRYPTED_TRAFFIC_STEERING, (unsigned char *)&enalbe_decrypted_traffic_steering, sizeof(enalbe_decrypted_traffic_steering), &size);
@@ -191,11 +179,11 @@ void chaining_policy_enforce(struct chaining_policy_enforcer *enforcer, struct t
return; return;
} }
snprintf(rule_id_str, sizeof(rule_id_str), "%lu", rule_id); uuid_unparse(rule_id, str_rule_id);
struct chaining_param *param = (struct chaining_param *)maat_plugin_table_get_ex_data(enforcer->maat, enforcer->table_id, rule_id_str, strlen(rule_id_str)); struct chaining_param *param = (struct chaining_param *)maat_plugin_table_get_ex_data(enforcer->maat, enforcer->table_name, str_rule_id, UUID_STR_LEN-1);
if (param == NULL) if (param == NULL)
{ {
TFE_LOG_INFO(enforcer->logger, "Failed to get chaining parameter of policy %lu.", rule_id); TFE_LOG_INFO(enforcer->logger, "Failed to get chaining parameter of policy %s.", str_rule_id);
return; return;
} }

2
plugin/business/chaining-policy/src/chaining_policy.h
View File

@@ -5,4 +5,4 @@
struct chaining_policy_enforcer; struct chaining_policy_enforcer;
struct chaining_policy_enforcer *chaining_policy_enforcer_create(void *logger); struct chaining_policy_enforcer *chaining_policy_enforcer_create(void *logger);
void chaining_policy_enforcer_destory(struct chaining_policy_enforcer *enforcer); void chaining_policy_enforcer_destory(struct chaining_policy_enforcer *enforcer);
void chaining_policy_enforce(struct chaining_policy_enforcer *enforcer, struct tfe_cmsg *cmsg, uint64_t rule_id); void chaining_policy_enforce(struct chaining_policy_enforcer *enforcer, struct tfe_cmsg *cmsg, uuid_t rule_id);

6
plugin/business/doh/src/logger.cpp
View File

@@ -386,9 +386,9 @@ int doh_send_log(struct doh_conf *handle, const struct tfe_http_session *http, c
doh_get_integer_by_cmsg(common_obj, cmsg, TFE_CMSG_COMMON_DIRECTION, "direction"); doh_get_integer_by_cmsg(common_obj, cmsg, TFE_CMSG_COMMON_DIRECTION, "direction");
} }
tfe_get_library_tags(stream, common_obj, TFE_CMSG_SRC_IP_TAGS_IDS_STR, "client_ip_tags"); tfe_get_library_tags(stream, common_obj, TFE_CMSG_SRC_IP_TAGS_IDS_ARR, "client_ip_tags");
tfe_get_library_tags(stream, common_obj, TFE_CMSG_DST_IP_TAGS_IDS_STR, "server_ip_tags"); tfe_get_library_tags(stream, common_obj, TFE_CMSG_DST_IP_TAGS_IDS_ARR, "server_ip_tags");
tfe_get_library_tags(stream, common_obj, TFE_CMSG_FQDN_TAGS_IDS_STR, "server_fqdn_tags"); tfe_get_library_tags(stream, common_obj, TFE_CMSG_FQDN_TAGS_IDS_ARR, "server_fqdn_tags");
if (http->req) if (http->req)
{ {

82
plugin/business/tcp-policy/src/tcp_policy.cpp
View File

@@ -10,7 +10,7 @@
struct tcp_policy_enforcer struct tcp_policy_enforcer
{ {
struct maat *maat; struct maat *maat;
int table_id; char table_name[32];
void *logger; void *logger;
}; };
@@ -37,19 +37,11 @@ struct tcp_profile_param
struct side_conn_param server_side; struct side_conn_param server_side;
}; };
static int parser_side_conn_param(const char *json_str, struct side_conn_param *out_val, void *logger) static int parser_side_conn_param(cJSON * json, struct side_conn_param *out_val, void *logger)
{ {
cJSON *json = NULL;
cJSON *object = NULL; cJSON *object = NULL;
cJSON *item = NULL; cJSON *item = NULL;
json = cJSON_Parse(json_str);
if (json == NULL)
{
TFE_LOG_ERROR(logger, "Invalid tcp option param %s", json_str);
return -1;
}
object = cJSON_GetObjectItem(json, "tcp_maxseg"); object = cJSON_GetObjectItem(json, "tcp_maxseg");
if (object) if (object)
{ {
@@ -126,20 +118,16 @@ static int parser_side_conn_param(const char *json_str, struct side_conn_param *
return 0; return 0;
} }
static void profile_param_new_cb(const char *table_name, int table_id, const char *key, const char *table_line, void **ad, long argl, void *argp) static void profile_param_new_cb(const char *table_name, const char *key, const char *table_line, void **ad, long argl, void *argp)
{ {
int ret = 0; cJSON * json_root = NULL;
int profile_id = 0; cJSON * json_subroot = NULL;
int tcp_passthrough = 0; cJSON * item = NULL;
int bypass_duplicated_packet = 0;
char client_side_conn_param[512] = {0};
char server_side_conn_param[512] = {0};
int is_valid = 0;
struct tcp_profile_param *param = NULL; struct tcp_profile_param *param = NULL;
struct tcp_policy_enforcer *enforcer = (struct tcp_policy_enforcer *)argp; struct tcp_policy_enforcer *enforcer = (struct tcp_policy_enforcer *)argp;
ret = sscanf(table_line, "%d\t%d\t%d\t%s\t%s\t%d", &profile_id, &tcp_passthrough, &bypass_duplicated_packet, client_side_conn_param, server_side_conn_param, &is_valid); json_root = cJSON_Parse(table_line);
if (ret != 6) if (unlikely(!json_root))
{ {
TFE_LOG_ERROR(enforcer->logger, "Invalid tcp option profile: %s", table_line); TFE_LOG_ERROR(enforcer->logger, "Invalid tcp option profile: %s", table_line);
goto error_out; goto error_out;
@@ -147,21 +135,48 @@ static void profile_param_new_cb(const char *table_name, int table_id, const cha
param = ALLOC(struct tcp_profile_param, 1); param = ALLOC(struct tcp_profile_param, 1);
param->ref_cnt = 1; param->ref_cnt = 1;
param->tcp_passthrough = tcp_passthrough;
param->bypass_duplicated_packet = bypass_duplicated_packet;
if (parser_side_conn_param(client_side_conn_param, &param->client_side, enforcer->logger) == -1) item = cJSON_GetObjectItem(json_root, "tcp_passthrough");
if (unlikely(!item || !cJSON_IsNumber(item)))
{
TFE_LOG_ERROR(enforcer->logger, "Invalid tcp option parameter: %s invalid tcp_passthrough format.", key);
goto error_out;
}
param->tcp_passthrough = item->valueint;
item = cJSON_GetObjectItem(json_root, "bypass_duplicated_packet");
if (unlikely(!item || !cJSON_IsNumber(item)))
{
TFE_LOG_ERROR(enforcer->logger, "Invalid tcp option parameter: %s invalid bypass_duplicated_packet format.", key);
goto error_out;
}
param->bypass_duplicated_packet = item->valueint;
json_subroot = cJSON_GetObjectItem(json_root, "client_side_conn_param");
if (unlikely(!json_subroot))
{
TFE_LOG_ERROR(enforcer->logger, "Invalid tcp option parameter: %s invalid client_side_conn_param format.", key);
goto error_out;
}
if (parser_side_conn_param(json_subroot, &param->client_side, enforcer->logger) == -1)
{ {
goto error_out; goto error_out;
} }
if (parser_side_conn_param(server_side_conn_param, &param->server_side, enforcer->logger) == -1) json_subroot = cJSON_GetObjectItem(json_root, "server_side_conn_param");
if (unlikely(!json_subroot))
{
TFE_LOG_ERROR(enforcer->logger, "Invalid tcp option parameter: %s invalid server_side_conn_param format.", key);
goto error_out;
}
if (parser_side_conn_param(json_subroot, &param->server_side, enforcer->logger) == -1)
{ {
goto error_out; goto error_out;
} }
*ad = param; *ad = param;
TFE_LOG_INFO(enforcer->logger, "Add tcp option profile: %s", key); TFE_LOG_INFO(enforcer->logger, "Add tcp option profile: %s", key);
cJSON_Delete(json_root);
return; return;
error_out: error_out:
@@ -169,9 +184,13 @@ error_out:
{ {
free(param); free(param);
} }
if (json_root)
{
cJSON_Delete(json_root);
}
} }
static void profile_param_free_cb(int table_id, void **ad, long argl, void *argp) static void profile_param_free_cb(const char *table_name, void **ad, long argl, void *argp)
{ {
struct tcp_profile_param *param = (struct tcp_profile_param *)*ad; struct tcp_profile_param *param = (struct tcp_profile_param *)*ad;
if (param == NULL) if (param == NULL)
@@ -186,7 +205,7 @@ static void profile_param_free_cb(int table_id, void **ad, long argl, void *argp
} }
} }
static void profile_param_dup_cb(int table_id, void **to, void **from, long argl, void *argp) static void profile_param_dup_cb(const char *table_name, void **to, void **from, long argl, void *argp)
{ {
struct tcp_profile_param *param = (struct tcp_profile_param *)*from; struct tcp_profile_param *param = (struct tcp_profile_param *)*from;
if (param) if (param)
@@ -211,14 +230,9 @@ struct tcp_policy_enforcer *tcp_policy_enforcer_create(void *logger)
struct tcp_policy_enforcer *enforcer = ALLOC(struct tcp_policy_enforcer, 1); struct tcp_policy_enforcer *enforcer = ALLOC(struct tcp_policy_enforcer, 1);
enforcer->maat = tfe_get_maat_handle(); enforcer->maat = tfe_get_maat_handle();
enforcer->logger = logger; enforcer->logger = logger;
enforcer->table_id = maat_get_table_id(enforcer->maat, "PXY_PROFILE_TCP_OPTION"); snprintf(enforcer->table_name, sizeof(enforcer->table_name), "PXY_PROFILE_TCP_OPTION");
if (enforcer->table_id < 0)
{
TFE_LOG_ERROR(enforcer->logger, "failed at register table of PXY_PROFILE_TCP_OPTION, ret = %d", enforcer->table_id);
goto error_out;
}
ret = maat_plugin_table_ex_schema_register(enforcer->maat, "PXY_PROFILE_TCP_OPTION", ret = maat_plugin_table_ex_schema_register(enforcer->maat, enforcer->table_name,
profile_param_new_cb, profile_param_new_cb,
profile_param_free_cb, profile_param_free_cb,
profile_param_dup_cb, profile_param_dup_cb,
@@ -261,7 +275,7 @@ int tcp_policy_enforce(struct tcp_policy_enforcer *tcp_enforcer, struct tfe_cmsg
} }
snprintf(buffer, sizeof(buffer), "%d", profile_id); snprintf(buffer, sizeof(buffer), "%d", profile_id);
struct tcp_profile_param *param = (struct tcp_profile_param *)maat_plugin_table_get_ex_data(tcp_enforcer->maat, tcp_enforcer->table_id, buffer, strlen(buffer)); struct tcp_profile_param *param = (struct tcp_profile_param *)maat_plugin_table_get_ex_data(tcp_enforcer->maat, tcp_enforcer->table_name, buffer, strlen(buffer));
if (param == NULL) if (param == NULL)
{ {
TFE_LOG_INFO(tcp_enforcer->logger, "Failed to get tcp option parameter of profile %d.", profile_id); TFE_LOG_INFO(tcp_enforcer->logger, "Failed to get tcp option parameter of profile %d.", profile_id);

6
plugin/business/tsg-http/src/tsg_logger.cpp
View File

@@ -257,9 +257,9 @@ int proxy_send_log(struct proxy_logger* handle, const struct proxy_log* log_msg)
tfe_get_integer_by_cmsg(common_obj, cmsg, TFE_CMSG_COMMON_DIRECTION, "direction"); tfe_get_integer_by_cmsg(common_obj, cmsg, TFE_CMSG_COMMON_DIRECTION, "direction");
} }
tfe_get_library_tags(log_msg->stream, common_obj, TFE_CMSG_SRC_IP_TAGS_IDS_STR, "client_ip_tags"); tfe_get_library_tags(log_msg->stream, common_obj, TFE_CMSG_SRC_IP_TAGS_IDS_ARR, "client_ip_tags");
tfe_get_library_tags(log_msg->stream, common_obj, TFE_CMSG_DST_IP_TAGS_IDS_STR, "server_ip_tags"); tfe_get_library_tags(log_msg->stream, common_obj, TFE_CMSG_DST_IP_TAGS_IDS_ARR, "server_ip_tags");
tfe_get_library_tags(log_msg->stream, common_obj, TFE_CMSG_FQDN_TAGS_IDS_STR, "server_fqdn_tags"); tfe_get_library_tags(log_msg->stream, common_obj, TFE_CMSG_FQDN_TAGS_IDS_ARR, "server_fqdn_tags");
if (http->req) if (http->req)
{ {