diff --git a/common/include/tfe_resource.h b/common/include/tfe_resource.h
index e99f54f..91a42fa 100644
--- a/common/include/tfe_resource.h
+++ b/common/include/tfe_resource.h
@@ -17,7 +17,7 @@ struct app_id_dict
 {
 int ref_cnt;
 int app_id;
- long long int group_id;
+ int object_id;
 pthread_mutex_t lock;
 };
 
@@ -25,7 +25,7 @@ struct app_id_dict
 struct library_tag_ctx
 {
 int ref_cnt;
- int tag_id;
+ char *uuid;
 char *tag_key;
 char *tag_value;
 enum category_type category;
diff --git a/common/include/tfe_scan.h b/common/include/tfe_scan.h
index a7c528b..67a6740 100644
--- a/common/include/tfe_scan.h
+++ b/common/include/tfe_scan.h
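Review bot: The new `char *uuid` member of `struct library_tag_ctx` is an owned heap string (the .cpp side fills it with `strdup` in `library_tag_new_cb` and releases it in `library_tag_free_cb`), but the header says nothing about ownership, and `object_id` in `struct app_id_dict` has no note on what it identifies. A one-line comment on each would help: `char *uuid; /* owned; strdup'd from the LIBRARY_TAG record's "uuid", freed in library_tag_free_cb */` and `int object_id; /* maat object id taken from the APP_ID_DICT record's "object_id" */`. Note also that `object_id` narrows the former `long long int group_id` to `int`; if maat object ids can exceed 32 bits, the `item->valueint` assignment in the .cpp truncates silently.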
@@ -4,13 +4,13 @@ #include #define MAX_SCAN_RESULT 16 -int tfe_scan_subscribe_id(const struct tfe_stream *stream, long long *result, struct maat_state *scan_mid, int hit_cnt, void *logger); -int tfe_scan_ip_tags(const struct tfe_stream *stream, long long *result, struct maat_state *scan_mid, int hit_cnt, void *logger); -int tfe_scan_fqdn_tags(const struct tfe_stream *stream, long long *result, struct maat_state *scan_mid, int hit_cnt, int table_id, void *logger); -int tfe_scan_app_id(long long *result, struct maat_state *scan_mid, int hit_cnt, long long app_id, int table_id); -int tfe_scan_ipv4_addr(const struct tfe_stream *stream, long long *result, struct maat_state *scan_mid, int hit_cnt, struct ipaddr sapp_addr); -int tfe_scan_ipv6_addr(const struct tfe_stream *stream, long long *result, struct maat_state *scan_mid, int hit_cnt, struct ipaddr sapp_addr); -int tfe_scan_port(const struct tfe_stream *stream, long long *result, struct maat_state *scan_mid, int hit_cnt, uint16_t source, uint16_t dest); -int tfe_scan_device(const struct tfe_stream *stream, long long *result, struct maat_state *scan_mid, int hit_cnt, void *logger); +int tfe_scan_subscribe_id(const struct tfe_stream *stream, uuid_t *result, struct maat_state *scan_mid, int hit_cnt, void *logger); +int tfe_scan_ip_tags(const struct tfe_stream *stream, uuid_t *result, struct maat_state *scan_mid, int hit_cnt, void *logger); +int tfe_scan_fqdn_tags(const struct tfe_stream *stream, uuid_t *result, struct maat_state *scan_mid, int hit_cnt, void *logger); +int tfe_scan_app_id(uuid_t *result, struct maat_state *scan_mid, int hit_cnt, long long app_id); +int tfe_scan_ipv4_addr(const struct tfe_stream *stream, uuid_t *result, struct maat_state *scan_mid, int hit_cnt, struct ipaddr sapp_addr); +int tfe_scan_ipv6_addr(const struct tfe_stream *stream, uuid_t *result, struct maat_state *scan_mid, int hit_cnt, struct ipaddr sapp_addr); +int tfe_scan_port(const struct tfe_stream *stream, uuid_t *result, struct 
maat_state *scan_mid, int hit_cnt, uint16_t source, uint16_t dest); +int tfe_scan_device(const struct tfe_stream *stream, uuid_t *result, struct maat_state *scan_mid, int hit_cnt, void *logger); int tfe_get_library_tags(const struct tfe_stream *stream, cJSON *common_obj, tfe_cmsg_tlv_type tlv_type, const char *tag_key); diff --git a/common/src/tfe_resource.cpp b/common/src/tfe_resource.cpp index 0dda9b1..07295c2 100644 --- a/common/src/tfe_resource.cpp +++ b/common/src/tfe_resource.cpp 
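Review bot: The rewritten prototypes in tfe_scan.h use `uuid_t`, but the two `#include` lines at the top of this hunk have lost their file names in this rendering, so I cannot confirm the header itself pulls in `<uuid/uuid.h>`; if it does not, add `#include <uuid/uuid.h>` here so the header stays self-contained instead of relying on each .cpp's include order. It would also be worth documenting on these declarations that `result` must have room for `MAX_SCAN_RESULT` entries and that `hit_cnt` is the number of entries already filled, since every implementation below indexes `result+hit_cnt+...` against `MAX_SCAN_RESULT-hit_cnt-...` without checking either.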
@@ -232,38 +232,35 @@ static char* create_device_tag(const char *profile, const char *section, void *l return device_tag; } -void app_dict_table_new_cb(const char *table_name, int table_id, const char* key, const char* table_line, void **ad, long argl, void* argp) +void app_dict_table_new_cb(const char *table_name, const char* key, const char* table_line, void **ad, long argl, void* argp) { - int ret=0; - size_t offset=0, len=0; - char *app_id_str=NULL, *group_id_str=NULL; + cJSON* app_id_dict_json = cJSON_Parse(table_line); + if(app_id_dict_json == NULL) + { + return; + } + struct app_id_dict *app_dict=ALLOC(struct app_id_dict, 1); - - ret = maat_helper_read_column(table_line, 1, &offset, &len); - if(ret >= 0) + cJSON *item = cJSON_GetObjectItem(app_id_dict_json, "app_id"); + if(item && item->type==cJSON_Number) { - app_id_str=ALLOC(char, len+1); - memcpy(app_id_str, table_line+offset, len); - app_dict->app_id=atoi(app_id_str); - FREE(&app_id_str); - } - - ret = maat_helper_read_column(table_line, 18, &offset, &len); - if(ret >= 0) - { - group_id_str=ALLOC(char, len+1); - memcpy(group_id_str, table_line+offset, len); - app_dict->group_id=atoll(group_id_str); - FREE(&group_id_str); + app_dict->app_id = item->valueint; } + item = cJSON_GetObjectItem(app_id_dict_json, "object_id"); + if(item && item->type==cJSON_Number) + { + app_dict->object_id = item->valueint; + } + + cJSON_Delete(app_id_dict_json); app_dict->ref_cnt=1; pthread_mutex_init(&(app_dict->lock), NULL); *ad=app_dict; return; } -void app_dict_table_free_cb(int table_id, void **ad, long argl, void* argp) +void app_dict_table_free_cb(const char *table_name, void **ad, long argl, void* argp) { if(*ad==NULL) { 
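Review bot: `app_dict_table_new_cb` now publishes an entry even when the record carries no usable `app_id` or `object_id`: both assignments sit behind `item && item->type==cJSON_Number`, so a missing or non-numeric key leaves the field at whatever `ALLOC` initialised it to, and `tfe_scan_app_id` later hands that `object_id` to `maat_scan_integer` as if it were real. I would treat both keys as required and drop the record otherwise, mirroring the existing `cJSON_Parse` failure path, and allocate only after validation so nothing leaks. `item->valueint` is also an `int`; if object ids can exceed 32 bits, `valuedouble` with a range check would be safer. The free-callback counterpart continues past the end of the hunk.
```c
    cJSON *item = cJSON_GetObjectItem(app_id_dict_json, "app_id");
    cJSON *obj = cJSON_GetObjectItem(app_id_dict_json, "object_id");
    if(item == NULL || item->type != cJSON_Number || obj == NULL || obj->type != cJSON_Number)
    {
        /* incomplete record: do not publish a half-initialised entry */
        cJSON_Delete(app_id_dict_json);
        return;
    }
    struct app_id_dict *app_dict=ALLOC(struct app_id_dict, 1);
    app_dict->app_id = item->valueint;
    app_dict->object_id = obj->valueint;
    cJSON_Delete(app_id_dict_json);
    // … unchanged: ref_cnt, mutex init, *ad = app_dict …
```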
@@ -291,7 +288,7 @@ void app_id_dict_free(struct app_id_dict *app_dict)
 app_dict_table_free_cb(0, (void **)&app_dict, 0, NULL);
 }
 
-void app_dict_table_dup_cb(int table_id, void **to, void **from, long argl, void* argp)
+void app_dict_table_dup_cb(const char *table_name, void **to, void **from, long argl, void* argp)
 {
 struct app_id_dict *app_dict=(struct app_id_dict *)(*from);
 pthread_mutex_lock(&(app_dict->lock));
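Review bot: The context line `app_dict_table_free_cb(0, (void **)&app_dict, 0, NULL);` in `app_id_dict_free` still passes the literal `0` that used to be the `int table_id`; with the callback now taking `const char *table_name` this compiles as a null pointer in C++ but reads as a leftover, and `library_tag_free` (its hunk header is visible further down) presumably makes the same call. Change it to `app_dict_table_free_cb(NULL, (void **)&app_dict, 0, NULL);` and make sure none of the free callbacks dereference `table_name`. `app_dict_table_dup_cb`'s body continues outside the hunk.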
@@ -314,52 +311,47 @@ int get_category_type_str2idx(const char *category) return i; } -void library_tag_new_cb(const char *table_name, int table_id, const char* key, const char* table_line, void **ad, long argl, void* argp) +void library_tag_new_cb(const char *table_name, const char* key, const char* table_line, void **ad, long argl, void* argp) { - int ret=0; - size_t offset=0, len=0; - char category[256]={0}; + cJSON* library_tag_json = cJSON_Parse(table_line); + if(library_tag_json == NULL) + { + return; + } struct library_tag_ctx *library_tags = ALLOC(struct library_tag_ctx, 1); - - ret = maat_helper_read_column(table_line, 1, &offset, &len); - if(ret >= 0) + cJSON *item = cJSON_GetObjectItem(library_tag_json, "uuid"); + if(item && item->type==cJSON_String) { - char *tag_id_str=ALLOC(char, len+1); - memcpy(tag_id_str, table_line+offset, len); - library_tags->tag_id=atoi(tag_id_str); - FREE(&tag_id_str); + library_tags->uuid=strdup(item->valuestring); } - ret = maat_helper_read_column(table_line, 3, &offset, &len); - if(ret >= 0) + item = cJSON_GetObjectItem(library_tag_json, "category"); + if(item && item->type==cJSON_String) { - memcpy(category, table_line+offset, len); - library_tags->category=(enum category_type)get_category_type_str2idx(category); + library_tags->category=(enum category_type)get_category_type_str2idx(item->valuestring); } - ret = maat_helper_read_column(table_line, 4, &offset, &len); - if(ret >= 0) + item = cJSON_GetObjectItem(library_tag_json, "tag_key"); + if(item && item->type==cJSON_String) { - library_tags->tag_key=ALLOC(char, len+1); - memcpy(library_tags->tag_key, table_line+offset, len); + library_tags->tag_key=strdup(item->valuestring); } - ret = maat_helper_read_column(table_line, 5, &offset, &len); - if(ret >= 0) + item = cJSON_GetObjectItem(library_tag_json, "tag_value"); + if(item && item->type==cJSON_String) { - library_tags->tag_value=ALLOC(char, len+1); - memcpy(library_tags->tag_value, table_line+offset, len); + 
library_tags->tag_value=strdup(item->valuestring); } - library_tags->ref_cnt=1; pthread_mutex_init(&(library_tags->lock), NULL); + cJSON_Delete(library_tag_json); *ad=library_tags; return; } -void library_tag_free_cb(int table_id, void **ad, long argl, void* argp) +void library_tag_free_cb(const char *table_name, void **ad, long argl, void* argp) { if(*ad==NULL) { @@ -385,13 +377,17 @@ void library_tag_free_cb(int table_id, void **ad, long argl, void* argp) { FREE(&library_tags->tag_value); } + if(library_tags->uuid) + { + FREE(&library_tags->uuid); + } FREE(&library_tags); *ad=NULL; return; } -void library_tag_dup_cb(int table_id, void **to, void **from, long argl, void* argp) +void library_tag_dup_cb(const char *table_name, void **to, void **from, long argl, void* argp) { struct library_tag_ctx *library_tags=(struct library_tag_ctx *)(*from); pthread_mutex_lock(&(library_tags->lock)); 
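Review bot: In `library_tag_new_cb`, a record whose `uuid` key is missing or not a string is still registered with `library_tags->uuid == NULL`, because the `strdup` is inside the `item && item->type==cJSON_String` guard; the free callback checks the pointer before freeing, but any consumer that compares or logs a tag by its uuid would dereference NULL. Since `uuid` replaced the integer `tag_id` as the record's identity, I would reject the record when it is absent, before the remaining field reads: `if(item == NULL || item->type != cJSON_String) { cJSON_Delete(library_tag_json); FREE(&library_tags); return; }`. The `strdup` results are also unchecked, unlike the `ALLOC` wrapper used for the struct itself.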
@@ -408,33 +404,6 @@ void library_tag_free(struct library_tag_ctx *library_tags) static int maat_common_table_init() { - const char * table_name[__SCAN_COMMON_TABLE_MAX]; - table_name[PXY_CTRL_SOURCE_IP] = "ATTR_SOURCE_IP"; - table_name[PXY_CTRL_DESTINATION_IP]="ATTR_DESTINATION_IP"; - table_name[PXY_CTRL_INTERNAL_IP] = "ATTR_INTERNAL_IP"; - table_name[PXY_CTRL_EXTERNAL_IP] = "ATTR_EXTERNAL_IP"; - table_name[PXY_CTRL_SOURCE_PORT] = "ATTR_SOURCE_PORT"; - table_name[PXY_CTRL_DESTINATION_PORT] = "ATTR_DESTINATION_PORT"; - table_name[PXY_CTRL_INTERNAL_PORT] = "ATTR_INTERNAL_PORT"; - table_name[PXY_CTRL_EXTERNAL_PORT] = "ATTR_EXTERNAL_PORT"; - table_name[PXY_CTRL_IP_PROTOCOL] = "ATTR_IP_PROTOCOL"; - table_name[PXY_CTRL_SUBSCRIBER_ID] = "ATTR_SUBSCRIBER_ID"; - table_name[PXY_CTRL_APP_ID_DICT] = "APP_ID_DICT"; - table_name[PXY_CTRL_LIBRARY_TAG] = "LIBRARY_TAG"; - table_name[PXY_CTRL_IMSI]="ATTR_GTP_IMSI"; - table_name[PXY_CTRL_APN]="ATTR_GTP_APN"; - table_name[PXY_CTRL_PHONE_NUMBER]="ATTR_GTP_PHONE_NUMBER"; - table_name[PXY_CTRL_GTP_IMEI]="ATTR_GTP_IMEI"; - - for (int i = 0; i < __SCAN_COMMON_TABLE_MAX; i++) - { - scan_table_id[i] = maat_get_table_id(maat_handle, table_name[i]); - if (scan_table_id[i] < 0) - { - TFE_LOG_ERROR(g_default_logger, "Maat table %s register failed.", table_name[i]); - return -1; - } - } maat_plugin_table_ex_schema_register(maat_handle, "APP_ID_DICT", app_dict_table_new_cb, app_dict_table_free_cb, app_dict_table_dup_cb, 0, NULL); maat_plugin_table_ex_schema_register(maat_handle, "LIBRARY_TAG", library_tag_new_cb, library_tag_free_cb, library_tag_dup_cb, 0, NULL); diff --git a/common/src/tfe_scan.cpp b/common/src/tfe_scan.cpp index 8191630..10ec11f 100644 --- a/common/src/tfe_scan.cpp +++ b/common/src/tfe_scan.cpp 
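Review bot: With the table-lookup loop removed, `maat_common_table_init` no longer verifies that any maat table exists, and the two `maat_plugin_table_ex_schema_register` calls that remain are context lines whose results are still discarded, so a missing `APP_ID_DICT` or `LIBRARY_TAG` schema would now go unnoticed at startup. Assuming that function returns a status (its prototype is not in this diff), check it the way the removed loop did: `if (maat_plugin_table_ex_schema_register(maat_handle, "APP_ID_DICT", ...) < 0) { TFE_LOG_ERROR(g_default_logger, "Maat schema %s register failed.", "APP_ID_DICT"); return -1; }`, and likewise for `LIBRARY_TAG`. The rest of the function is outside the hunk.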
@@ -3,18 +3,18 @@ #include #include -static int scan_group(struct maat_hit_group hit_group, long long *result, struct maat_state *scan_mid, int hit_cnt, int table_id) +static int scan_string(uuid_t *result, struct maat_state *scan_mid, int hit_cnt,const char *data, const char *table_name, const char *attribute_name) { size_t n_hit_result=0; int scan_ret=0, hit_cnt_group=0; - scan_ret = maat_scan_group(tfe_get_maat_handle(), table_id, &hit_group, 1, - result+hit_cnt+hit_cnt_group, MAX_SCAN_RESULT-hit_cnt-hit_cnt_group, &n_hit_result, scan_mid); + scan_ret = maat_scan_string(tfe_get_maat_handle(), table_name, attribute_name, data, strlen(data), result+hit_cnt+hit_cnt_group, + MAX_SCAN_RESULT-hit_cnt-hit_cnt_group, &n_hit_result, scan_mid); if(scan_ret == MAAT_SCAN_HIT) { hit_cnt_group+=n_hit_result; } - scan_ret = maat_scan_not_logic(tfe_get_maat_handle(), table_id, result+hit_cnt+hit_cnt_group, + scan_ret = maat_scan_not_logic(tfe_get_maat_handle(), table_name, attribute_name, result+hit_cnt+hit_cnt_group, MAX_SCAN_RESULT-hit_cnt-hit_cnt_group, &n_hit_result, scan_mid); if (scan_ret == MAAT_SCAN_HIT) { @@ -23,27 +23,6 @@ static int scan_group(struct maat_hit_group hit_group, long long *result, struct return hit_cnt_group; } -int tfe_get_tags_id_array(char *tag_ids, long long *tag_id_array) -{ - if(tag_ids==NULL) - { - return 0; - } - - int n_tag_ids=0; - char *tag_ids_tmp = ALLOC(char, strlen(tag_ids)+1); - strcpy(tag_ids_tmp, tag_ids); - - char *tag_ids_str=strtok(tag_ids_tmp, ","); - while(tag_ids_str!=NULL && n_tag_ids < 128) - { - tag_id_array[n_tag_ids++]=strtoll(tag_ids_str, NULL, 10); - tag_ids_str=strtok(NULL, ","); - } - FREE(&tag_ids_tmp); - return n_tag_ids; -} - static int get_route_dir(const struct tfe_stream * stream) { uint16_t out_size; 
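Review bot: `scan_string` is the same scan-plus-not-logic pair that `tfe_scan_value_by_cmsg`, `tfe_scan_app_id`, `tfe_scan_ipv4_addr` and `tfe_scan_ipv6_addr` open-code again further down with their own table/attribute literals, so routing those through this helper (or a sibling for the integer and ip-port variants) would remove most of the repeated `result+hit_cnt+...` / `MAX_SCAN_RESULT-hit_cnt-...` arithmetic. The helper also has no comment; I would add `/* Scan one NUL-terminated value against table/attribute, then apply that table's NOT logic; appends hits at result[hit_cnt..] and returns how many were added */`. Minor style: `int hit_cnt,const char *data` is missing the space after the comma, and `strlen(data)` makes NUL-termination of the callers' `char [..][UUID_STRING_SIZE]` buffers part of the contract.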
@@ -61,9 +40,10 @@ static int get_route_dir(const struct tfe_stream * stream) return (route_dir==69) ? 1 : 0; } -int get_table_id(const struct tfe_stream *stream, enum scan_common_table table_type) -{ - int table_id = 0, c2s = 0; +const char *get_attribute_name(const struct tfe_stream *stream, enum scan_common_table table_type) +{ + int c2s = 0; + const char *attribute_name=NULL; int dir_is_e2i = get_route_dir(stream); if (table_type == PXY_CTRL_SOURCE_IP || table_type == PXY_CTRL_DESTINATION_IP || table_type == PXY_CTRL_SOURCE_PORT || table_type == PXY_CTRL_DESTINATION_PORT) 
@@ -72,40 +52,65 @@ int get_table_id(const struct tfe_stream *stream, enum scan_common_table table_t if(table_type == PXY_CTRL_SOURCE_IP || table_type == PXY_CTRL_DESTINATION_IP) { - table_id = (c2s == dir_is_e2i) ? tfe_bussiness_tableid_get(PXY_CTRL_INTERNAL_IP) : tfe_bussiness_tableid_get(PXY_CTRL_EXTERNAL_IP); + attribute_name = (c2s == dir_is_e2i) ? "ATTR_INTERNAL_IP" : "ATTR_EXTERNAL_IP"; } if(table_type == PXY_CTRL_SOURCE_PORT || table_type == PXY_CTRL_DESTINATION_PORT) { - table_id = (c2s == dir_is_e2i) ? tfe_bussiness_tableid_get(PXY_CTRL_INTERNAL_PORT) : tfe_bussiness_tableid_get(PXY_CTRL_EXTERNAL_PORT); + attribute_name = (c2s == dir_is_e2i) ? "ATTR_INTERNAL_PORT" : "ATTR_EXTERNAL_PORT"; } } - return table_id; + return attribute_name; } -int tfe_scan_internal_exteral_by_last_group(const struct tfe_stream *stream, long long *result, struct maat_state *scan_mid, int hit_cnt, enum scan_common_table table_type) +const char *get_table_name(const struct tfe_stream *stream, enum scan_common_table table_type) +{ + const char *table_name=NULL; + switch (table_type) + { + case PXY_CTRL_SOURCE_IP: + case PXY_CTRL_DESTINATION_IP: + table_name = "TSG_OBJ_IP_ADDR"; + break; + case PXY_CTRL_SOURCE_PORT: + case PXY_CTRL_DESTINATION_PORT: + table_name = "TSG_OBJ_PORT"; + break; + default: + break; + } + return table_name; +} + +int tfe_scan_internal_exteral_by_last_group(const struct tfe_stream *stream, uuid_t *result, struct maat_state *scan_mid, int hit_cnt, enum scan_common_table table_type) { size_t array_size=256, n_hit_result = 0; - int hit_cnt_group = 0, scan_ret = 0, table_id = 0; - struct maat_hit_group last_hit_groups[256] = {0}; - - table_id = get_table_id(stream, table_type); - if(table_id <= 0) + int hit_cnt_group = 0, scan_ret = 0; + struct maat_hit_object last_hit_objects[128] = {0}; + + const char *table_name = get_table_name(stream, table_type); + if(table_name == NULL) { return hit_cnt_group; } - size_t n_last_hit_group = 
maat_state_get_last_hit_group_cnt(scan_mid); - if(n_last_hit_group > 0) + const char *attribute_name = get_attribute_name(stream, table_type); + if(attribute_name == NULL) { - maat_state_get_last_hit_groups(scan_mid, last_hit_groups, array_size); - scan_ret = maat_scan_group(tfe_get_maat_handle(), table_id, last_hit_groups, array_size, result+hit_cnt+hit_cnt_group, - MAX_SCAN_RESULT-hit_cnt-hit_cnt_group, &n_hit_result, scan_mid); + return hit_cnt_group; + } + + size_t n_last_hit_object = maat_state_get_last_hit_object_cnt(scan_mid); + if(n_last_hit_object > 0) + { + maat_state_get_last_hit_objects(scan_mid, last_hit_objects, array_size); + scan_ret = maat_scan_object(tfe_get_maat_handle(), table_name, attribute_name, last_hit_objects, array_size, result+hit_cnt+hit_cnt_group, + MAX_SCAN_RESULT-hit_cnt-hit_cnt_group, &n_hit_result, scan_mid); if(scan_ret == MAAT_SCAN_HIT) { hit_cnt_group += n_hit_result; } - scan_ret = maat_scan_not_logic(tfe_get_maat_handle(), table_id, - result+hit_cnt+hit_cnt_group, MAX_SCAN_RESULT-hit_cnt-hit_cnt_group, &n_hit_result, scan_mid); + scan_ret = maat_scan_not_logic(tfe_get_maat_handle(), table_name, attribute_name, + result+hit_cnt+hit_cnt_group, MAX_SCAN_RESULT-hit_cnt-hit_cnt_group, &n_hit_result, scan_mid); if (scan_ret == MAAT_SCAN_HIT) { hit_cnt_group += n_hit_result; @@ -114,7 +119,7 @@ int tfe_scan_internal_exteral_by_last_group(const struct tfe_stream *stream, lon return hit_cnt_group; } -int tfe_get_entry_tags(const struct tfe_stream * stream, enum tfe_cmsg_tlv_type tlv_type, char *opt_val, long long *tag_id_array) +int tfe_get_entry_tags(const struct tfe_stream * stream, enum tfe_cmsg_tlv_type tlv_type, uuid_t *opt_val, char **tag_id_array) { int n_tag_ids = 0; uint16_t opt_out_size = 0; 
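Review bot: In `tfe_scan_internal_exteral_by_last_group` the stack buffer shrank from `last_hit_groups[256]` to `last_hit_objects[128]`, but `array_size` is still initialised to `256` and is passed as the capacity to both `maat_state_get_last_hit_objects` and `maat_scan_object`; if more than 128 last-hit objects are pending, the copy runs past the end of the array. Derive the capacity from the array instead of keeping two numbers in step: declare `struct maat_hit_object last_hit_objects[256] = {0};` first and then `size_t array_size = sizeof last_hit_objects / sizeof last_hit_objects[0], n_hit_result = 0;` (or shrink both to 128 if that is the intended limit). The function's not-logic tail continues past the hunk.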
@@ -124,22 +129,41 @@ int tfe_get_entry_tags(const struct tfe_stream * stream, enum tfe_cmsg_tlv_type { return 0; } - + int ret = tfe_cmsg_get_value(cmsg, tlv_type, (unsigned char *)opt_val, 128, &opt_out_size); if(ret == 0 && opt_out_size > 0) { - n_tag_ids = tfe_get_tags_id_array(opt_val, tag_id_array); + n_tag_ids = opt_out_size/(int)sizeof(uuid_t); + for (int i=0; icategory == CATEGORY_TYPE_ASN && tlv_type == TFE_CMSG_SRC_IP_TAGS_IDS_ARR && atol(library_tag->tag_value) > 0) 
@@ -183,33 +207,33 @@ int tfe_get_library_tags(const struct tfe_stream *stream, cJSON *common_obj, tfe return 0; } -int tfe_scan_ip_tags(const struct tfe_stream *stream, long long *result, struct maat_state *scan_mid, int hit_cnt, void *logger) +int tfe_scan_ip_tags(const struct tfe_stream *stream, uuid_t *result, struct maat_state *scan_mid, int hit_cnt, void *logger) { size_t n_hit_result = 0; - long long tag_id_array[128]={0}; + char tag_id_array[128][UUID_STRING_SIZE]; + char result_str[UUID_STRING_SIZE]={0}; int scan_ret = 0, hit_cnt_ip = 0, n_tag_ids = 0; - char opt_val[128]={0}; + uuid_t opt_val[128]={0}; - n_tag_ids = tfe_get_entry_tags(stream, (enum tfe_cmsg_tlv_type)TFE_CMSG_SRC_IP_TAGS_IDS_ARR, opt_val, tag_id_array); + n_tag_ids = tfe_get_entry_tags(stream, (enum tfe_cmsg_tlv_type)TFE_CMSG_SRC_IP_TAGS_IDS_ARR, opt_val, (char **)tag_id_array); if(n_tag_ids == 0) { + TFE_LOG_DEBUG(logger, "fetch src ip tags: NULL"); return hit_cnt_ip; } - TFE_LOG_DEBUG(logger, "fetch src ip tags: %s", opt_val); + tfe_tags_log((char **)tag_id_array, n_tag_ids, "src ip", logger); - struct maat_hit_group hit_group; for (int i = 0; i < n_tag_ids; i++) { - memset(&hit_group, 0, sizeof(hit_group)); - hit_group.group_id=tag_id_array[i]; - - scan_ret = maat_scan_group(tfe_get_maat_handle(), tfe_bussiness_tableid_get(PXY_CTRL_SOURCE_IP), &hit_group, 1, result+hit_cnt+hit_cnt_ip, - MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip, &n_hit_result, scan_mid); - if(scan_ret==MAAT_SCAN_HIT) - { - TFE_LOG_INFO(logger, "Scan Src TAGS, Hit scan ret: %d policy_id: %lld addr: %s", scan_ret, result[hit_cnt + hit_cnt_ip], stream->str_stream_info); - hit_cnt_ip += scan_ret; - } + scan_ret = maat_scan_string(tfe_get_maat_handle(), "TSG_OBJ_IP_ADDR", "ATTR_SOURCE_IP", tag_id_array[i], strlen(tag_id_array[i]), result+hit_cnt+hit_cnt_ip, + MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip, &n_hit_result, scan_mid); + if(scan_ret == MAAT_SCAN_HIT) + { + memset(result_str, 0, sizeof(result_str)); + uuid_unparse(result[hit_cnt + 
hit_cnt_ip], result_str); + TFE_LOG_INFO(logger, "Scan Src TAGS, Hit scan ret: %d policy_id: %s addr: %s", scan_ret, result_str, stream->str_stream_info); + hit_cnt_ip+=n_hit_result; + } else { TFE_LOG_INFO(logger, "Scan Src TAGS, NO hit scan ret: %d addr: %s", scan_ret, stream->str_stream_info); @@ -224,22 +248,23 @@ int tfe_scan_ip_tags(const struct tfe_stream *stream, long long *result, struct memset(opt_val, 0, sizeof(opt_val)); memset(tag_id_array, 0, sizeof(tag_id_array)); - n_tag_ids = tfe_get_entry_tags(stream, (enum tfe_cmsg_tlv_type)TFE_CMSG_DST_IP_TAGS_IDS_ARR, opt_val, tag_id_array); + n_tag_ids = tfe_get_entry_tags(stream, (enum tfe_cmsg_tlv_type)TFE_CMSG_DST_IP_TAGS_IDS_ARR, opt_val, (char **)tag_id_array); if(n_tag_ids == 0) { + TFE_LOG_DEBUG(logger, "fetch dst ip tags: NULL"); return hit_cnt_ip; } - TFE_LOG_DEBUG(logger, "fetch dst ip tags: %s", opt_val); + tfe_tags_log((char **)tag_id_array, n_tag_ids, "dst ip", logger); for (int i = 0; i < n_tag_ids; i++) { - memset(&hit_group, 0, sizeof(hit_group)); - hit_group.group_id=tag_id_array[i]; - scan_ret = maat_scan_group(tfe_get_maat_handle(), tfe_bussiness_tableid_get(PXY_CTRL_DESTINATION_IP), &hit_group, 1, result+hit_cnt+hit_cnt_ip, - MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip, &n_hit_result, scan_mid); + scan_ret = maat_scan_string(tfe_get_maat_handle(), "TSG_OBJ_IP_ADDR", "ATTR_DESTINATION_IP", tag_id_array[i], strlen(tag_id_array[i]), result+hit_cnt+hit_cnt_ip, + MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip, &n_hit_result, scan_mid); if(scan_ret==MAAT_SCAN_HIT) { - TFE_LOG_INFO(logger, "Scan Dst TAGS, Hit scan ret: %d policy_id: %lld addr: %s", scan_ret, result[hit_cnt + hit_cnt_ip], stream->str_stream_info); + memset(result_str, 0, sizeof(result_str)); + uuid_unparse(result[hit_cnt + hit_cnt_ip], result_str); + TFE_LOG_INFO(logger, "Scan Dst TAGS, Hit scan ret: %d policy_id: %s addr: %s", scan_ret, result_str, stream->str_stream_info); hit_cnt_ip += scan_ret; } else 
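Review bot: `(char **)tag_id_array` in `tfe_scan_ip_tags` casts a `char [128][UUID_STRING_SIZE]` array to a pointer-to-pointer, and the two layouts are not interchangeable: the 2-D array is contiguous character storage with no pointer table, so any `tag_id_array[i]` read through a `char **` inside `tfe_get_entry_tags` or `tfe_tags_log` yields a pointer assembled from UUID text bytes. Unless those callees immediately cast back (their bodies are outside this hunk, and the `tfe_get_entry_tags` hunk is garbled in this rendering), give the parameter its real type — `char (*tag_id_array)[UUID_STRING_SIZE]` on `tfe_get_entry_tags` and `tfe_tags_log` — and drop the casts here and in `tfe_scan_fqdn_tags`. Separately, `char tag_id_array[128][UUID_STRING_SIZE];` is the one buffer here left uninitialised; `= {0}` would match `opt_val` and keep the later `strlen` in bounds if a fill is short.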
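Review bot: The destination loop still does `hit_cnt_ip += scan_ret;` after a hit while the source loop directly above was changed to `hit_cnt_ip+=n_hit_result;`; inside that branch `scan_ret` equals `MAAT_SCAN_HIT`, a status rather than a count, so the two halves of `tfe_scan_ip_tags` now advance `hit_cnt_ip` by different amounts for the same outcome and the `uuid_unparse(result[hit_cnt + hit_cnt_ip], ...)` index can drift from what was written. Change it to `hit_cnt_ip += n_hit_result;`. The same `+= scan_ret` appears on context lines in `tfe_scan_port`, `tfe_scan_ipv4_addr` and `tfe_scan_ipv6_addr` below (in a branch whose condition is outside those hunks), so it is worth confirming those in the same pass.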
@@ -255,28 +280,28 @@ int tfe_scan_ip_tags(const struct tfe_stream *stream, long long *result, struct return hit_cnt_ip; } -int tfe_scan_fqdn_tags(const struct tfe_stream *stream, long long *result, struct maat_state *scan_mid, int hit_cnt, int table_id, void *logger) +int tfe_scan_fqdn_tags(const struct tfe_stream *stream, uuid_t *result, struct maat_state *scan_mid, int hit_cnt, void *logger) { - char opt_val[128]={0}; - long long tag_id_array[128]={0}; + uuid_t opt_val[128]={0}; + char tag_id_array[128][UUID_STRING_SIZE]; int scan_ret = 0, hit_cnt_fqdn = 0, n_tag_ids = 0; - n_tag_ids = tfe_get_entry_tags(stream, (enum tfe_cmsg_tlv_type)TFE_CMSG_FQDN_TAGS_IDS_ARR, opt_val, tag_id_array); + n_tag_ids = tfe_get_entry_tags(stream, (enum tfe_cmsg_tlv_type)TFE_CMSG_FQDN_TAGS_IDS_ARR, opt_val, (char **)tag_id_array); if(n_tag_ids == 0) { + TFE_LOG_DEBUG(logger, "fetch fqdn tags: NULL"); return hit_cnt_fqdn; } - TFE_LOG_DEBUG(logger, "fetch fqdn tags: %s", opt_val); + tfe_tags_log((char **)tag_id_array, n_tag_ids, "fqdn", logger); - struct maat_hit_group hit_group; for (int i = 0; i < n_tag_ids; i++) { - memset(&hit_group, 0, sizeof(hit_group)); - hit_group.group_id=tag_id_array[i]; - scan_ret = scan_group(hit_group, result, scan_mid, hit_cnt, table_id); + scan_ret = scan_string(result, scan_mid, hit_cnt, tag_id_array[i], "TSG_OBJ_FQDN", "ATTR_SERVER_FQDN"); if (scan_ret > 0) { - TFE_LOG_INFO(logger, "Scan Fqdn TAGS, Hit scan ret: %d policy_id: %lld addr: %s", scan_ret, result[hit_cnt + hit_cnt_fqdn], stream->str_stream_info); + char result_str[UUID_STRING_SIZE]={0}; + uuid_unparse( result[hit_cnt + hit_cnt_fqdn], result_str); + TFE_LOG_INFO(logger, "Scan Fqdn TAGS, Hit scan ret: %d policy_id: %s addr: %s", scan_ret, result_str, stream->str_stream_info); hit_cnt_fqdn += scan_ret; } else 
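Review bot: `scan_string(result, scan_mid, hit_cnt, tag_id_array[i], ...)` passes the caller's `hit_cnt` for every tag, so the hits of the second and later tags are written at `result+hit_cnt` over the first tag's hits while `hit_cnt_fqdn` keeps growing; the returned count then exceeds the entries actually stored, and `uuid_unparse(result[hit_cnt + hit_cnt_fqdn], ...)` logs a slot that was never written. Pass the running offset: `scan_ret = scan_string(result, scan_mid, hit_cnt + hit_cnt_fqdn, tag_id_array[i], "TSG_OBJ_FQDN", "ATTR_SERVER_FQDN");`. `tfe_scan_device` in the hunk at `@@ -347,30 +368,30 @@` has the same shape — all four `tfe_scan_value_by_cmsg` calls pass `hit_cnt` while `htt_cnt_device` accumulates — and wants `hit_cnt + htt_cnt_device` for the same reason.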
@@ -287,26 +312,22 @@ int tfe_scan_fqdn_tags(const struct tfe_stream *stream, long long *result, struc
 return hit_cnt_fqdn;
 }
 
-int tfe_scan_app_id(long long *result, struct maat_state *scan_mid, int hit_cnt, long long app_id, int table_id)
+int tfe_scan_app_id(uuid_t *result, struct maat_state *scan_mid, int hit_cnt, long long app_id)
 {
 int scan_ret = 0;
 int hit_app_id = 0;
 size_t n_hit_result = 0;
- struct maat_hit_group hit_group;
-
- struct app_id_dict *app_dict = (struct app_id_dict*)maat_plugin_table_get_ex_data(tfe_get_maat_handle(), tfe_bussiness_tableid_get(PXY_CTRL_APP_ID_DICT),
- (const char *)&app_id, sizeof(long long));
+
+ struct app_id_dict *app_dict = (struct app_id_dict*)maat_plugin_table_get_ex_data(tfe_get_maat_handle(), "APP_ID_DICT", (const char *)&app_id, sizeof(long long));
 if(app_dict!=NULL)
 {
- memset(&hit_group, 0, sizeof(hit_group));
- hit_group.group_id=app_dict->group_id;
- scan_ret = maat_scan_group(tfe_get_maat_handle(), table_id, &hit_group, 1, result+hit_cnt+hit_app_id,
- MAX_SCAN_RESULT-hit_cnt-hit_app_id, &n_hit_result, scan_mid);
+ scan_ret=maat_scan_integer(tfe_get_maat_handle(), "APP_ID_DICT", "ATTR_APP_ID", app_dict->object_id, result+hit_cnt+hit_app_id,
+ MAX_SCAN_RESULT-hit_cnt-hit_app_id, &n_hit_result, scan_mid);
 if(scan_ret==MAAT_SCAN_HIT)
 {
 hit_app_id += n_hit_result;
 }
- scan_ret = maat_scan_not_logic(tfe_get_maat_handle(), table_id, result+hit_cnt+hit_app_id, MAX_SCAN_RESULT-hit_cnt-hit_app_id, &n_hit_result, scan_mid);
+ scan_ret = maat_scan_not_logic(tfe_get_maat_handle(), "APP_ID_DICT", "ATTR_APP_ID", result+hit_cnt+hit_app_id, MAX_SCAN_RESULT-hit_cnt-hit_app_id, &n_hit_result, scan_mid);
 if (scan_ret == MAAT_SCAN_HIT)
 {
 hit_app_id += n_hit_result;
@@ -316,7 +337,7 @@ int tfe_scan_app_id(long long *result, struct maat_state *scan_mid, int hit_cnt, return hit_app_id; } -int tfe_scan_value_by_cmsg(const struct tfe_stream *stream, enum tfe_cmsg_tlv_type tlv_type, long long *result, struct maat_state *scan_mid, int hit_cnt, int table_id, char *opt_val, void *logger) +int tfe_scan_value_by_cmsg(const struct tfe_stream *stream, enum tfe_cmsg_tlv_type tlv_type, uuid_t *result, struct maat_state *scan_mid, int hit_cnt, const char *table_name, const char *attribute_name, char *opt_val) { uint16_t opt_out_size = 0; int hit_cnt_string=0; @@ -332,13 +353,13 @@ int tfe_scan_value_by_cmsg(const struct tfe_stream *stream, enum tfe_cmsg_tlv_ty { size_t n_hit_result=0; - int scan_ret = maat_scan_string(tfe_get_maat_handle(), table_id, opt_val, strlen(opt_val), result+hit_cnt+hit_cnt_string, MAX_SCAN_RESULT-hit_cnt-hit_cnt_string, + int scan_ret = maat_scan_string(tfe_get_maat_handle(), table_name, attribute_name, opt_val, strlen(opt_val), result+hit_cnt+hit_cnt_string, MAX_SCAN_RESULT-hit_cnt-hit_cnt_string, &n_hit_result,scan_mid); if(scan_ret == MAAT_SCAN_HIT) { hit_cnt_string+=n_hit_result; } - scan_ret = maat_scan_not_logic(tfe_get_maat_handle(), table_id, result+hit_cnt+hit_cnt_string, MAX_SCAN_RESULT-hit_cnt-hit_cnt_string, &n_hit_result, scan_mid); + scan_ret = maat_scan_not_logic(tfe_get_maat_handle(), table_name, attribute_name, result+hit_cnt+hit_cnt_string, MAX_SCAN_RESULT-hit_cnt-hit_cnt_string, &n_hit_result, scan_mid); if (scan_ret == MAAT_SCAN_HIT) { hit_cnt_string+=n_hit_result; 
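Review bot: `tfe_scan_value_by_cmsg` now takes `table_name` and `attribute_name` as two adjacent `const char *` parameters and passes them straight into `maat_scan_string`/`maat_scan_not_logic`, while dropping `logger`, so a NULL or swapped pair can no longer be reported from here; the call sites in `tfe_scan_device` spell each pair as two bare literals (`"TSG_OBJ_IMEI","ATTR_GTP_IMEI"`) that a missing comma would silently concatenate into one string. A `static const struct { const char *table, *attr; }` keyed by cmsg type, or at least a `/* maat table name, attribute name */` comment on the two parameters, would make the pairing checkable. `strlen(opt_val)` still assumes the value written by `tfe_cmsg_get_value` (outside this hunk) is NUL-terminated within the caller's 128-byte buffer.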
@@ -347,30 +368,30 @@ int tfe_scan_value_by_cmsg(const struct tfe_stream *stream, enum tfe_cmsg_tlv_ty return hit_cnt_string; } -int tfe_scan_device(const struct tfe_stream *stream, long long *result, struct maat_state *scan_mid, int hit_cnt, void *logger) +int tfe_scan_device(const struct tfe_stream *stream, uuid_t *result, struct maat_state *scan_mid, int hit_cnt, void *logger) { - char opt_val[4][128]={0}; + char opt_val[4][128]={0}; int scan_ret = 0, htt_cnt_device = 0; - - scan_ret = tfe_scan_value_by_cmsg(stream, TFE_CMSG_SRC_IMSI_STR, result, scan_mid, hit_cnt, tfe_bussiness_tableid_get(PXY_CTRL_IMSI), opt_val[0], logger); + + scan_ret = tfe_scan_value_by_cmsg(stream, TFE_CMSG_SRC_IMSI_STR, result, scan_mid, hit_cnt, "TSG_OBJ_IMSI", "ATTR_GTP_IMSI", opt_val[0]); if(scan_ret > 0) { htt_cnt_device += scan_ret; } - scan_ret = tfe_scan_value_by_cmsg(stream, TFE_CMSG_SRC_IMEI_STR, result, scan_mid, hit_cnt, tfe_bussiness_tableid_get(PXY_CTRL_GTP_IMEI), opt_val[1], logger); + scan_ret = tfe_scan_value_by_cmsg(stream, TFE_CMSG_SRC_IMEI_STR, result, scan_mid, hit_cnt, "TSG_OBJ_IMEI","ATTR_GTP_IMEI", opt_val[1]); if(scan_ret > 0) { htt_cnt_device += scan_ret; } - scan_ret = tfe_scan_value_by_cmsg(stream, TFE_CMSG_SRC_PHONE_NUM_STR, result, scan_mid, hit_cnt, tfe_bussiness_tableid_get(PXY_CTRL_PHONE_NUMBER), opt_val[2], logger); + scan_ret = tfe_scan_value_by_cmsg(stream, TFE_CMSG_SRC_PHONE_NUM_STR, result, scan_mid, hit_cnt, "TSG_OBJ_PHONE_NUMBER","ATTR_GTP_PHONE_NUMBER", opt_val[2]); if(scan_ret > 0) { htt_cnt_device += scan_ret; } - scan_ret = tfe_scan_value_by_cmsg(stream, TFE_CMSG_SRC_APN_STR, result, scan_mid, hit_cnt, tfe_bussiness_tableid_get(PXY_CTRL_APN), opt_val[3], logger); + scan_ret = tfe_scan_value_by_cmsg(stream, TFE_CMSG_SRC_APN_STR, result, scan_mid, hit_cnt, "TSG_OBJ_APN", "ATTR_GTP_APN", opt_val[3]); if(scan_ret > 0) { htt_cnt_device += scan_ret; 
@@ -381,13 +402,13 @@ int tfe_scan_device(const struct tfe_stream *stream, long long *result, struct m return htt_cnt_device; } -int tfe_scan_port(const struct tfe_stream *stream, long long *result, struct maat_state *scan_mid, int hit_cnt, uint16_t source, uint16_t dest) +int tfe_scan_port(const struct tfe_stream *stream, uuid_t *result, struct maat_state *scan_mid, int hit_cnt, uint16_t source, uint16_t dest) { int scan_ret = 0; int hit_cnt_port = 0; size_t n_hit_result = 0; - scan_ret=maat_scan_integer(tfe_get_maat_handle(), tfe_bussiness_tableid_get(PXY_CTRL_SOURCE_PORT), ntohs(source), + scan_ret=maat_scan_integer(tfe_get_maat_handle(), "TSG_OBJ_PORT", "ATTR_SOURCE_PORT", ntohs(source), result+hit_cnt+hit_cnt_port, MAX_SCAN_RESULT-hit_cnt-hit_cnt_port, &n_hit_result, scan_mid); if(scan_ret == MAAT_SCAN_HIT) { @@ -398,14 +419,14 @@ int tfe_scan_port(const struct tfe_stream *stream, long long *result, struct maa { hit_cnt_port+=scan_ret; } - scan_ret = maat_scan_not_logic(tfe_get_maat_handle(), tfe_bussiness_tableid_get(PXY_CTRL_SOURCE_PORT), + scan_ret = maat_scan_not_logic(tfe_get_maat_handle(), "TSG_OBJ_PORT", "ATTR_SOURCE_PORT", result+hit_cnt+hit_cnt_port, MAX_SCAN_RESULT-hit_cnt-hit_cnt_port, &n_hit_result, scan_mid); if (scan_ret == MAAT_SCAN_HIT) { hit_cnt_port+=n_hit_result; } - scan_ret=maat_scan_integer(tfe_get_maat_handle(), tfe_bussiness_tableid_get(PXY_CTRL_DESTINATION_PORT), ntohs(dest), + scan_ret=maat_scan_integer(tfe_get_maat_handle(), "TSG_OBJ_PORT", "ATTR_DESTINATION_PORT", ntohs(dest), result+hit_cnt+hit_cnt_port, MAX_SCAN_RESULT-hit_cnt-hit_cnt_port, &n_hit_result, scan_mid); if(scan_ret == MAAT_SCAN_HIT) { 
@@ -416,8 +437,8 @@ int tfe_scan_port(const struct tfe_stream *stream, long long *result, struct maa
 {
 hit_cnt_port+=scan_ret;
 }
- scan_ret = maat_scan_not_logic(tfe_get_maat_handle(), tfe_bussiness_tableid_get(PXY_CTRL_DESTINATION_PORT),
- result+hit_cnt+hit_cnt_port, MAX_SCAN_RESULT-hit_cnt-hit_cnt_port, &n_hit_result, scan_mid);
+ scan_ret = maat_scan_not_logic(tfe_get_maat_handle(), "TSG_OBJ_PORT", "ATTR_DESTINATION_PORT", result+hit_cnt+hit_cnt_port,
+ MAX_SCAN_RESULT-hit_cnt-hit_cnt_port, &n_hit_result, scan_mid);
 if (scan_ret == MAAT_SCAN_HIT)
 {
 hit_cnt_port+=n_hit_result;
@@ -426,30 +447,28 @@ int tfe_scan_port(const struct tfe_stream *stream, long long *result, struct maa return hit_cnt_port; } -#define PROTOCOL_TCP_GROUP_ID 6 -int tfe_scan_ipv4_addr(const struct tfe_stream *stream, long long *result, struct maat_state *scan_mid, int hit_cnt, struct ipaddr sapp_addr) +#define PROTOCOL_TCP_UUID_ID "6" +int tfe_scan_ipv4_addr(const struct tfe_stream *stream, uuid_t *result, struct maat_state *scan_mid, int hit_cnt, struct ipaddr sapp_addr) { int scan_ret = 0; int hit_cnt_ip = 0; size_t n_hit_result = 0; - struct maat_hit_group hit_group; - memset(&hit_group, 0, sizeof(hit_group)); - hit_group.group_id=PROTOCOL_TCP_GROUP_ID; - scan_ret = maat_scan_group(tfe_get_maat_handle(), tfe_bussiness_tableid_get(PXY_CTRL_IP_PROTOCOL), &hit_group, 1, - result+hit_cnt+hit_cnt_ip, MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip, &n_hit_result, scan_mid); + const char *protocol_uuid =PROTOCOL_TCP_UUID_ID; + scan_ret = maat_scan_string(tfe_get_maat_handle(), "TSG_OBJ_IP_PROTOCOL", "ATTR_IP_PROTOCOL", protocol_uuid, strlen(protocol_uuid), result+hit_cnt+hit_cnt_ip, + MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip, &n_hit_result, scan_mid); if(scan_ret==MAAT_SCAN_HIT) { hit_cnt_ip += n_hit_result; } - scan_ret = maat_scan_not_logic(tfe_get_maat_handle(), tfe_bussiness_tableid_get(PXY_CTRL_IP_PROTOCOL), - result+hit_cnt+hit_cnt_ip, MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip, &n_hit_result, scan_mid); + scan_ret = maat_scan_not_logic(tfe_get_maat_handle(), "TSG_OBJ_IP_PROTOCOL", "ATTR_IP_PROTOCOL", result+hit_cnt+hit_cnt_ip, + MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip, &n_hit_result, scan_mid); if (scan_ret == MAAT_SCAN_HIT) { hit_cnt_ip += n_hit_result; } - - scan_ret = maat_scan_ipv4_port(tfe_get_maat_handle(), tfe_bussiness_tableid_get(PXY_CTRL_SOURCE_IP), sapp_addr.v4->saddr, ntohs(sapp_addr.v4->source), + + scan_ret = maat_scan_ipv4_port(tfe_get_maat_handle(), "TSG_OBJ_IP_ADDR", "ATTR_SOURCE_IP", sapp_addr.v4->saddr, ntohs(sapp_addr.v4->source), result+hit_cnt+hit_cnt_ip, 
MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip, &n_hit_result, scan_mid); if (scan_ret == MAAT_SCAN_HIT) { @@ -460,14 +479,14 @@ int tfe_scan_ipv4_addr(const struct tfe_stream *stream, long long *result, struc { hit_cnt_ip += scan_ret; } - scan_ret = maat_scan_not_logic(tfe_get_maat_handle(), tfe_bussiness_tableid_get(PXY_CTRL_SOURCE_IP), - result+hit_cnt+hit_cnt_ip, MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip, &n_hit_result, scan_mid); + scan_ret = maat_scan_not_logic(tfe_get_maat_handle(), "TSG_OBJ_IP_ADDR", "ATTR_SOURCE_IP", result+hit_cnt+hit_cnt_ip, + MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip, &n_hit_result, scan_mid); if (scan_ret == MAAT_SCAN_HIT) { hit_cnt_ip += n_hit_result; } - scan_ret = maat_scan_ipv4_port(tfe_get_maat_handle(), tfe_bussiness_tableid_get(PXY_CTRL_DESTINATION_IP), sapp_addr.v4->daddr, ntohs(sapp_addr.v4->dest), + scan_ret = maat_scan_ipv4_port(tfe_get_maat_handle(), "TSG_OBJ_IP_ADDR", "ATTR_DESTINATION_IP", sapp_addr.v4->daddr, ntohs(sapp_addr.v4->dest), result+hit_cnt+hit_cnt_ip, MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip, &n_hit_result, scan_mid); if(scan_ret == MAAT_SCAN_HIT) { @@ -478,7 +497,7 @@ int tfe_scan_ipv4_addr(const struct tfe_stream *stream, long long *result, struc { hit_cnt_ip += scan_ret; } - scan_ret = maat_scan_not_logic(tfe_get_maat_handle(), tfe_bussiness_tableid_get(PXY_CTRL_DESTINATION_IP), + scan_ret = maat_scan_not_logic(tfe_get_maat_handle(), "TSG_OBJ_IP_ADDR", "ATTR_DESTINATION_IP", result+hit_cnt+hit_cnt_ip, MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip, &n_hit_result, scan_mid); if (scan_ret == MAAT_SCAN_HIT) { 
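Review bot: `#define PROTOCOL_TCP_UUID_ID "6"` is named as a UUID but holds the IANA protocol number 6 (TCP) as text, and `tfe_scan_ipv4_addr` matches it with `maat_scan_string` against `"TSG_OBJ_IP_PROTOCOL"`/`"ATTR_IP_PROTOCOL"` while every other object lookup in this commit now carries a real uuid string. Either the protocol table is keyed by the decimal number, in which case the name should say so — `#define PROTOCOL_TCP_ID_STR "6" /* IANA protocol number of TCP, as the string key of the IP_PROTOCOL table */` — or it expects a uuid and this literal is a placeholder that will never hit; the diff cannot tell me which. The same macro is used unchanged in `tfe_scan_ipv6_addr` (hunk `@@ -488,28 +507,26 @@`). The function's remaining not-logic path continues outside the hunk.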
@@ -488,28 +507,26 @@ int tfe_scan_ipv4_addr(const struct tfe_stream *stream, long long *result, struc return hit_cnt_ip; } -int tfe_scan_ipv6_addr(const struct tfe_stream *stream, long long *result, struct maat_state *scan_mid, int hit_cnt, struct ipaddr sapp_addr) +int tfe_scan_ipv6_addr(const struct tfe_stream *stream, uuid_t *result, struct maat_state *scan_mid, int hit_cnt, struct ipaddr sapp_addr) { int scan_ret = 0; int hit_cnt_ip = 0; size_t n_hit_result = 0; - struct maat_hit_group hit_group; - memset(&hit_group, 0, sizeof(hit_group)); - hit_group.group_id=PROTOCOL_TCP_GROUP_ID; - scan_ret = maat_scan_group(tfe_get_maat_handle(), tfe_bussiness_tableid_get(PXY_CTRL_IP_PROTOCOL), &hit_group, 1, - result+hit_cnt+hit_cnt_ip, MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip, &n_hit_result, scan_mid); + const char *protocol_uuid =PROTOCOL_TCP_UUID_ID; + scan_ret = maat_scan_string(tfe_get_maat_handle(), "TSG_OBJ_IP_PROTOCOL", "ATTR_IP_PROTOCOL", protocol_uuid, strlen(protocol_uuid), result+hit_cnt+hit_cnt_ip, + MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip, &n_hit_result, scan_mid); if(scan_ret==MAAT_SCAN_HIT) { hit_cnt_ip += n_hit_result; } - scan_ret = maat_scan_not_logic(tfe_get_maat_handle(), tfe_bussiness_tableid_get(PXY_CTRL_IP_PROTOCOL), + scan_ret = maat_scan_not_logic(tfe_get_maat_handle(), "TSG_OBJ_IP_PROTOCOL", "ATTR_IP_PROTOCOL", result+hit_cnt+hit_cnt_ip, MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip, &n_hit_result, scan_mid); if (scan_ret == MAAT_SCAN_HIT) { hit_cnt_ip += n_hit_result; } - scan_ret = maat_scan_ipv6_port(tfe_get_maat_handle(), tfe_bussiness_tableid_get(PXY_CTRL_SOURCE_IP), sapp_addr.v6->saddr, ntohs(sapp_addr.v6->source), + scan_ret = maat_scan_ipv6_port(tfe_get_maat_handle(), "TSG_OBJ_IP_ADDR", "ATTR_SOURCE_IP", sapp_addr.v6->saddr, ntohs(sapp_addr.v6->source), result+hit_cnt+hit_cnt_ip, MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip, &n_hit_result, scan_mid); if (scan_ret == MAAT_SCAN_HIT) { 
@@ -520,14 +537,14 @@ int tfe_scan_ipv6_addr(const struct tfe_stream *stream, long long *result, struc { hit_cnt_ip += scan_ret; } - scan_ret = maat_scan_not_logic(tfe_get_maat_handle(), tfe_bussiness_tableid_get(PXY_CTRL_SOURCE_IP), + scan_ret = maat_scan_not_logic(tfe_get_maat_handle(), "TSG_OBJ_IP_ADDR", "ATTR_SOURCE_IP", result+hit_cnt+hit_cnt_ip, MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip, &n_hit_result, scan_mid); if (scan_ret == MAAT_SCAN_HIT) { hit_cnt_ip += n_hit_result; } - scan_ret = maat_scan_ipv6_port(tfe_get_maat_handle(), tfe_bussiness_tableid_get(PXY_CTRL_DESTINATION_IP), sapp_addr.v6->daddr, ntohs(sapp_addr.v6->dest), + scan_ret = maat_scan_ipv6_port(tfe_get_maat_handle(), "TSG_OBJ_IP_ADDR", "ATTR_DESTINATION_IP", sapp_addr.v6->daddr, ntohs(sapp_addr.v6->dest), result+hit_cnt+hit_cnt_ip, MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip, &n_hit_result, scan_mid); if (scan_ret == MAAT_SCAN_HIT) { @@ -538,7 +555,7 @@ int tfe_scan_ipv6_addr(const struct tfe_stream *stream, long long *result, struc { hit_cnt_ip += scan_ret; } - scan_ret = maat_scan_not_logic(tfe_get_maat_handle(), tfe_bussiness_tableid_get(PXY_CTRL_DESTINATION_IP), + scan_ret = maat_scan_not_logic(tfe_get_maat_handle(), "TSG_OBJ_IP_ADDR", "ATTR_DESTINATION_IP", result+hit_cnt+hit_cnt_ip, MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip, &n_hit_result, scan_mid); if (scan_ret == MAAT_SCAN_HIT) { @@ -548,7 +565,7 @@ int tfe_scan_ipv6_addr(const struct tfe_stream *stream, long long *result, struc return hit_cnt_ip; } -int tfe_scan_subscribe_id(const struct tfe_stream *stream, long long *result, struct maat_state *scan_mid, int hit_cnt, void *logger) +int tfe_scan_subscribe_id(const struct tfe_stream *stream, uuid_t *result, struct maat_state *scan_mid, int hit_cnt, void *logger) { int scan_ret = 0; int hit_cnt_ip = 0; 
@@ -568,13 +585,15 @@ int tfe_scan_subscribe_id(const struct tfe_stream *stream, long long *result, st if (strlen(source_subscribe_id)) { - scan_ret = maat_scan_string(tfe_get_maat_handle(), tfe_bussiness_tableid_get(PXY_CTRL_SUBSCRIBER_ID), + scan_ret = maat_scan_string(tfe_get_maat_handle(), "TSG_OBJ_SUBSCRIBER_ID", "ATTR_SUBSCRIBER_ID", source_subscribe_id, strlen(source_subscribe_id),result + hit_cnt + hit_cnt_ip, MAX_SCAN_RESULT - hit_cnt - hit_cnt_ip, &n_hit_result, scan_mid); if (scan_ret == MAAT_SCAN_HIT) { - TFE_LOG_INFO(logger, "Scan src TSG_OBJ_SUBSCRIBER_ID, Hit subid: %s scan ret: %d policy_id: %lld addr: %s", - source_subscribe_id, scan_ret, result[hit_cnt + hit_cnt_ip], stream->str_stream_info); + char result_str[UUID_STRING_SIZE]={0}; + uuid_unparse(result[hit_cnt + hit_cnt_ip], result_str); + TFE_LOG_INFO(logger, "Scan src TSG_OBJ_SUBSCRIBER_ID, Hit subid: %s scan ret: %d policy_id: %s addr: %s", + source_subscribe_id, scan_ret, result_str, stream->str_stream_info); hit_cnt_ip += n_hit_result; } else @@ -582,7 +601,7 @@ int tfe_scan_subscribe_id(const struct tfe_stream *stream, long long *result, st TFE_LOG_INFO(logger, "Scan src TSG_OBJ_SUBSCRIBER_ID, NO hit subid: %s scan ret: %d addr: %s", source_subscribe_id, scan_ret, stream->str_stream_info); } - scan_ret = maat_scan_not_logic(tfe_get_maat_handle(), tfe_bussiness_tableid_get(PXY_CTRL_SUBSCRIBER_ID), + scan_ret = maat_scan_not_logic(tfe_get_maat_handle(), "TSG_OBJ_SUBSCRIBER_ID", "ATTR_SUBSCRIBER_ID", result + hit_cnt + hit_cnt_ip, MAX_SCAN_RESULT - hit_cnt - hit_cnt_ip, &n_hit_result, scan_mid); if (scan_ret == MAAT_SCAN_HIT) { diff --git a/plugin/business/doh/src/doh.cpp b/plugin/business/doh/src/doh.cpp index f0370ed..f09ac0f 100644 --- a/plugin/business/doh/src/doh.cpp +++ b/plugin/business/doh/src/doh.cpp 
@@ -118,7 +118,7 @@ static cJSON *doh_get_answer_records(struct doh_ctx *ctx, cJSON *object, int qty return NULL; } -void doh_action_param_free_cb(int table_id, void **ad, long argl, void *argp) +void doh_action_param_free_cb(const char *table_name, void **ad, long argl, void *argp) { if(*ad==NULL) { @@ -135,14 +135,14 @@ void doh_action_param_free_cb(int table_id, void **ad, long argl, void *argp) pthread_mutex_unlock(&(param->lock)); pthread_mutex_destroy(&(param->lock)); - if(param->hit_rule.srv_def_large) - FREE(&(param->hit_rule.srv_def_large)) + if(param->hit_rule.action_parameter) + FREE(&(param->hit_rule.action_parameter)) FREE(&(param)); return; } -static void doh_get_cheat_data(long long p_result, int qtype, struct doh_ctx *ctx, const char *str_stream_info) +static void doh_get_cheat_data(uuid_t p_result, int qtype, struct doh_ctx *ctx, const char *str_stream_info) { int i; int answer_size = 0; 
@@ -150,28 +150,24 @@ static void doh_get_cheat_data(long long p_result, int qtype, struct doh_ctx *ct cJSON *item = NULL; cJSON *object = NULL; cJSON *answer_array = NULL; - int table_id=0; - table_id=maat_get_table_id(g_doh_conf->maat, "PXY_CTRL_COMPILE_PLUGIN"); - if(table_id < 0) - { - return; - } - struct doh_action_param *get_ex_param=(struct doh_action_param *)maat_plugin_table_get_ex_data(g_doh_conf->maat, table_id, (const char *)&p_result, sizeof(p_result)); + char result_str[UUID_STRING_SIZE]={0}; + uuid_unparse(p_result, result_str); + struct doh_action_param *get_ex_param=(struct doh_action_param *)maat_plugin_table_get_ex_data(g_doh_conf->maat, "PXY_CTRL_RULE_PLUGIN", result_str, strlen(result_str)); if(get_ex_param==NULL) { return; } struct doh_maat_rule_t *hit_rule = &(get_ex_param->hit_rule); - if(hit_rule==NULL || hit_rule->srv_def_large==NULL) + if(hit_rule==NULL || hit_rule->action_parameter==NULL) { goto end; } memcpy(ctx->result, hit_rule, sizeof(struct doh_maat_rule_t)); - TFE_LOG_INFO(g_doh_conf->local_logger, "%s hit %lld %s", str_stream_info, p_result, hit_rule->srv_def_large); + TFE_LOG_INFO(g_doh_conf->local_logger, "%s hit %s %s", str_stream_info, result_str, hit_rule->action_parameter); - object = cJSON_Parse(hit_rule->srv_def_large); + object = cJSON_Parse(hit_rule->action_parameter); if (object == NULL) { goto end; 
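Review bot: `memcpy(ctx->result, hit_rule, sizeof(struct doh_maat_rule_t))` in doh_get_cheat_data copies the `action_parameter` and the newly added `config_uuid_string` pointers by value, so ctx->result aliases heap strings owned by the maat ex_data entry that doh_action_param_free_cb frees; if the rule table is reloaded while a DoH session is still in flight, the later log and metric paths that print `config_uuid_string` read freed memory. Deep-copying the two strings into ctx->result (`ctx->result->action_parameter = strdup(hit_rule->action_parameter);` and the same for the uuid string) and releasing them with the ctx removes the dependency on the rule's lifetime; I cannot see from this hunk whether a reference on the ex_data is held across the session, so confirm that first. The `hit_rule==NULL` half of the following check is dead, since hit_rule is the address of a member of a non-NULL struct. The enclosing function continues past the hunk.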
@@ -240,26 +236,25 @@ end: } } -static long long doh_fetch_rule(long long *result, int result_num) +static int doh_fetch_rule(uuid_t *result, uuid_t p_result, int result_num) { - int i = 0; - long long p_result = 0; + uuid_clear(p_result); - for (i = 0; i < result_num && i < MAX_SCAN_RESULT; i++) + for (int i = 0; i < result_num && i < MAX_SCAN_RESULT; i++) { - if (p_result == 0) + if (uuid_is_null(p_result) == 1) { - p_result = result[i]; + uuid_copy(p_result, result[i]); continue; } - if (result[i] > p_result) + if(uuid_compare(result[i], p_result) > 0) { - p_result = result[i]; + uuid_copy(p_result, result[i]); } } - return p_result; + return 0; } static void doh_maat_scan(const struct tfe_stream *stream, const struct tfe_http_session *session, struct doh_ctx *ctx, char *qname, int qtype) @@ -268,8 +263,9 @@ static void doh_maat_scan(const struct tfe_stream *stream, const struct tfe_http int scan_ret = 0; size_t n_hit_result; struct ipaddr sapp_addr; - long long p_result = 0; - long long result[MAX_SCAN_RESULT]; + uuid_t p_result; + uuid_t result[MAX_SCAN_RESULT]={0}; + char result_str[UUID_STRING_SIZE]={0}; scan_ret = tfe_scan_subscribe_id(stream, result, ctx->scan_mid, hit_cnt, g_doh_conf->local_logger); if (scan_ret > 0) 
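Review bot: doh_fetch_rule now selects the winning policy as the lexicographically greatest UUID via `uuid_compare(result[i], p_result) > 0`, which for randomly generated UUIDs is an arbitrary choice, whereas the previous `result[i] > p_result` on integer ids at least preferred the highest (presumably newest) rule if that is what the numeric ids encoded. If precedence matters when several rules hit the same query, it needs an explicit priority carried in the rule or in the scan order rather than UUID ordering, and whatever rule is chosen should be stated in a comment above the loop, e.g. `/* among multiple hits the greatest UUID wins; ordering is arbitrary, not a priority */`. The function also returns a constant 0 while the caller tests `uuid_is_null(p_result)`; returning 1 when a rule was chosen and 0 otherwise would make the signature self-describing.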
@@ -287,27 +283,29 @@ static void doh_maat_scan(const struct tfe_stream *stream, const struct tfe_http const char *host = session->req->req_spec.host; if (host) { - scan_ret = maat_scan_string(g_doh_conf->maat, g_doh_conf->tables[TYPE_HOST].id,host, strlen(host), + scan_ret = maat_scan_string(g_doh_conf->maat, "TSG_OBJ_FQDN", "ATTR_SERVER_FQDN", host, strlen(host), result + hit_cnt, MAX_SCAN_RESULT - hit_cnt, &n_hit_result, ctx->scan_mid); if (scan_ret == MAAT_SCAN_HIT) { - TFE_LOG_INFO(g_doh_conf->local_logger, "Scan %s, Hit host: %s scan ret: %d policy_id: %lld addr: %s", - g_doh_conf->tables[TYPE_HOST].name, host, scan_ret, result[hit_cnt], stream->str_stream_info); + memset(result_str, 0, sizeof(result_str)); + uuid_unparse(result[hit_cnt], result_str); + TFE_LOG_INFO(g_doh_conf->local_logger, "Scan %s, Hit host: %s scan ret: %d policy_id: %s addr: %s", + "ATTR_SERVER_FQDN", host, scan_ret, result_str, stream->str_stream_info); hit_cnt += n_hit_result; } else { TFE_LOG_INFO(g_doh_conf->local_logger, "Scan %s, NO hit host: %s scan ret: %d addr: %s", - g_doh_conf->tables[TYPE_HOST].name, host, scan_ret, stream->str_stream_info); + "ATTR_SERVER_FQDN", host, scan_ret, stream->str_stream_info); } - scan_ret = maat_scan_not_logic(g_doh_conf->maat, g_doh_conf->tables[TYPE_HOST].id, + scan_ret = maat_scan_not_logic(g_doh_conf->maat, "TSG_OBJ_FQDN", "ATTR_SERVER_FQDN", result + hit_cnt, MAX_SCAN_RESULT - hit_cnt, &n_hit_result, ctx->scan_mid); if (scan_ret == MAAT_SCAN_HIT) { hit_cnt += n_hit_result; } - scan_ret = tfe_scan_fqdn_tags(stream, result, ctx->scan_mid, hit_cnt, g_doh_conf->tables[TYPE_HOST].id, g_doh_conf->local_logger); + scan_ret = tfe_scan_fqdn_tags(stream, result, ctx->scan_mid, hit_cnt, g_doh_conf->local_logger); if (scan_ret > 0) { hit_cnt += scan_ret; 
@@ -344,7 +342,7 @@ static void doh_maat_scan(const struct tfe_stream *stream, const struct tfe_http } // scan appid long long app_id = 8006; - scan_ret = tfe_scan_app_id(result, ctx->scan_mid, hit_cnt, app_id, g_doh_conf->tables[TYPE_APPID].id); + scan_ret = tfe_scan_app_id(result, ctx->scan_mid, hit_cnt, app_id); if(scan_ret > 0) { hit_cnt += scan_ret; @@ -355,22 +353,24 @@ static void doh_maat_scan(const struct tfe_stream *stream, const struct tfe_http { hit_cnt += scan_ret; } - + // scan qname - scan_ret = maat_scan_string(g_doh_conf->maat, g_doh_conf->tables[TYPE_QNAME].id, qname, strlen(qname), + scan_ret = maat_scan_string(g_doh_conf->maat, "TSG_OBJ_FQDN", "ATTR_DOH_QNAME", qname, strlen(qname), result + hit_cnt, MAX_SCAN_RESULT - hit_cnt, &n_hit_result, ctx->scan_mid); if (scan_ret == MAAT_SCAN_HIT) { - TFE_LOG_INFO(g_doh_conf->local_logger, "Scan %s, Hit domain: %s scan ret: %d qtype: %d policy_id: %lld addr: %s", - g_doh_conf->tables[TYPE_QNAME].name, qname, scan_ret, qtype, result[hit_cnt], stream->str_stream_info); + memset(result_str, 0, sizeof(result_str)); + uuid_unparse(result[hit_cnt], result_str); + TFE_LOG_INFO(g_doh_conf->local_logger, "Scan %s, Hit domain: %s scan ret: %d qtype: %d policy_id: %s addr: %s", + "ATTR_DOH_QNAME", qname, scan_ret, qtype, result_str, stream->str_stream_info); hit_cnt += n_hit_result; } else { TFE_LOG_INFO(g_doh_conf->local_logger, "Scan %s, NO hit domain: %s scan ret: %d addr: %s", - g_doh_conf->tables[TYPE_QNAME].name, qname, scan_ret, stream->str_stream_info); + "ATTR_DOH_QNAME", qname, scan_ret, stream->str_stream_info); } - scan_ret = maat_scan_not_logic(g_doh_conf->maat, g_doh_conf->tables[TYPE_QNAME].id, + scan_ret = maat_scan_not_logic(g_doh_conf->maat, "TSG_OBJ_FQDN", "ATTR_DOH_QNAME", result + hit_cnt, MAX_SCAN_RESULT - hit_cnt, &n_hit_result, ctx->scan_mid); if (scan_ret == MAAT_SCAN_HIT) { 
@@ -379,8 +379,8 @@ static void doh_maat_scan(const struct tfe_stream *stream, const struct tfe_http if (hit_cnt) { - p_result = doh_fetch_rule(result, hit_cnt); - if (p_result != 0) + doh_fetch_rule(result, p_result, hit_cnt); + if (uuid_is_null(p_result) != 1) { ctx->result_num = 1; ctx->result = ALLOC(struct doh_maat_rule_t, ctx->result_num); @@ -389,26 +389,6 @@ static void doh_maat_scan(const struct tfe_stream *stream, const struct tfe_http } } -static int doh_maat_init(const char *profile, const char *section) -{ - g_doh_conf->maat = tfe_get_maat_handle(); - MESA_load_profile_string_def(profile, section, "table_appid", g_doh_conf->tables[TYPE_APPID].name, TFE_STRING_MAX, "ATTR_APP_ID"); - MESA_load_profile_string_def(profile, section, "table_qname", g_doh_conf->tables[TYPE_QNAME].name, TFE_STRING_MAX, "ATTR_DOH_QNAME"); - MESA_load_profile_string_def(profile, section, "table_host", g_doh_conf->tables[TYPE_HOST].name, TFE_STRING_MAX, "ATTR_SERVER_FQDN"); - - for (int i = 0; i < TYPE_MAX; i++) - { - g_doh_conf->tables[i].id = maat_get_table_id(g_doh_conf->maat, g_doh_conf->tables[i].name); - if (g_doh_conf->tables[i].id < 0) - { - TFE_LOG_ERROR(g_doh_conf->local_logger, "maat_get_table_id failed, table_name: %s", g_doh_conf->tables[i].name); - return -1; - } - } - - return 0; -} - static void doh_gc_cb(evutil_socket_t fd, short what, void *arg) { int i = 0; @@ -664,12 +644,6 @@ int doh_on_init(struct tfe_proxy *proxy) TFE_LOG_ERROR(NULL, "Doh init kafka failed."); goto error; } - - if (doh_maat_init(profile, "maat") != 0) - { - TFE_LOG_ERROR(NULL, "Doh init maat failed."); - goto error; - } TFE_LOG_INFO(g_doh_conf->local_logger, "Doh init success."); success: 
@@ -838,7 +812,7 @@ void doh_send_metric_log(const struct tfe_stream * stream, struct doh_ctx *ctx, } fieldstat->tags[thread_id][TAG_VSYS_ID].value_longlong = ctx->result->vsys_id; - fieldstat->tags[thread_id][TAG_RULE_ID].value_longlong = ctx->result->config_id; + fieldstat->tags[thread_id][TAG_RULE_ID].value_str = ctx->result->config_uuid_string; fieldstat->tags[thread_id][TAG_ACTION].value_longlong = 48; fieldstat->tags[thread_id][TAG_SUB_ACTION].value_str = "redirect"; diff --git a/plugin/business/doh/src/logger.cpp b/plugin/business/doh/src/logger.cpp index ae0ddf5..f11335c 100644 --- a/plugin/business/doh/src/logger.cpp +++ b/plugin/business/doh/src/logger.cpp @@ -8,20 +8,6 @@ struct json_spec enum tfe_http_std_field field_id; }; -enum _log_action //Bigger action number is prior. -{ - LG_ACTION_NONE = 0x00, - LG_ACTION_MONIT = 0x01, - LG_ACTION_FORWARD = 0x02, /* N/A */ - LG_ACTION_REJECT = 0x10, - LG_ACTION_DROP = 0x20, /* N/A */ - LG_ACTION_MANIPULATE = 0x30, - LG_ACTION_RATELIMIT = 0x40, /* N/A */ - LG_ACTION_WHITELIST = 0x60, - LG_ACTION_SHUNT = 0x80, - __LG_ACTION_MAX -}; - #define get_time_ms(tv) ((long long)(tv.tv_sec) * 1000 + (long long)(tv.tv_usec) / 1000) static int get_rr_str2json(cJSON *object, dns_info_t *dns_info, int *dns_sec) @@ -473,9 +459,9 @@ int doh_send_log(struct doh_conf *handle, const struct tfe_http_session *http, c for (size_t i = 0; i < result_num; i++) { - TFE_LOG_DEBUG(handle->local_logger, "URL: %s, policy_id: %lld, service: %d, do_log:%d", + TFE_LOG_DEBUG(handle->local_logger, "URL: %s, policy_id: %s, service: %d, do_log:%d", http->req->req_spec.url, - result[i].config_id, + result[i].config_uuid_string, result[i].service_id, result[i].do_log); 
@@ -485,11 +471,11 @@ int doh_send_log(struct doh_conf *handle, const struct tfe_http_session *http, c } cJSON *proxy_rule_list=NULL; - int config_id[1]={0}; + char *config_id[1]={0}; per_hit_obj = cJSON_Duplicate(common_obj, 1); - config_id[0]=result[i].config_id; - proxy_rule_list = cJSON_CreateIntArray(config_id, 1); + config_id[0]=result[i].config_uuid_string; + proxy_rule_list = cJSON_CreateStringArray((const char **)config_id, 1); cJSON_AddItemToObject(per_hit_obj, "proxy_rule_list", proxy_rule_list); cJSON_AddStringToObject(per_hit_obj, "proxy_action", "redirect"); diff --git a/plugin/business/doh/src/pub.h b/plugin/business/doh/src/pub.h index a0b7d5b..1b19dbf 100644 --- a/plugin/business/doh/src/pub.h +++ b/plugin/business/doh/src/pub.h @@ -41,12 +41,6 @@ enum doh_content_type DOH_TYPE_UDPWIREFORMAT, }; -struct maat_table -{ - int id; - char name[TFE_STRING_MAX]; -}; - struct doh_conf { int enable; @@ -65,18 +59,19 @@ struct doh_conf screen_stat_handle_t fs_handle; struct maat *maat; - struct maat_table tables[TYPE_MAX]; }; struct doh_maat_rule_t { - long long config_id; - int service_id; - unsigned char do_log; - unsigned char do_blacklist; - unsigned char action; - char *srv_def_large; int vsys_id; + long long config_id; + uuid_t config_uuid; + char *config_uuid_string; + int service_id; + unsigned char do_log; + unsigned char do_blacklist; + unsigned char action; + char *action_parameter; }; struct doh_ctx diff --git a/plugin/business/tsg-http/include/http_lua.h b/plugin/business/tsg-http/include/http_lua.h index 545166e..8fe3061 100644 --- a/plugin/business/tsg-http/include/http_lua.h +++ b/plugin/business/tsg-http/include/http_lua.h 
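Review bot: `config_id[0]=result[i].config_uuid_string` is handed to cJSON_CreateStringArray without a NULL check, and if the DoH rule parser follows the pattern visible later in this diff for tsg-http, `config_uuid_string` is only populated when the rule JSON carries a `uuid` key, so a rule without one gives cJSON a NULL string and most likely crashes the logger. Substituting an empty string, `config_id[0] = result[i].config_uuid_string ? result[i].config_uuid_string : "";`, keeps the log record well-formed. The debug log a few lines earlier prints the same field with `%s` and has the same exposure.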
@@ -11,13 +11,13 @@ struct tsg_lua_script { int lua_is_cache; struct elua_vm **http_lua_handle; - int (*http_lua_profile)(int profile_id, struct elua_script ***elua_ctx, char **profile_msg, size_t *msg_len, int *timeout); + int (*http_lua_profile)(char *profile_uuid_str, struct elua_script ***elua_ctx, char **profile_msg, size_t *msg_len, int *timeout); }; struct tsg_script_ctx { - int config_id; - int profile_id; + char *config_uuid_str; + char *profile_uuid_str; int http_req_uri; int rewrite_header; char *rewrite_uri; @@ -37,6 +37,6 @@ struct elua_context * http_lua_ctx_new(struct tsg_lua_script *lua_script, unsign void http_lua_ctx_free(struct tsg_lua_script *lua_script, unsigned int thread_id, struct elua_context * lua_ctx); struct elua_script *http_lua_map_cache_script(struct elua_vm *vm, const char *script, size_t script_len, size_t timeout_ms); -size_t execute_lua_script_rule(struct tsg_lua_script *lua_script, int profile_id, struct elua_context * lua_ctx, unsigned int thread_id, void *user_data); +size_t execute_lua_script_rule(struct tsg_lua_script *lua_script, char *profile_uuid_str, struct elua_context * lua_ctx, unsigned int thread_id, void *user_data); int http_lua_handle_create(struct tsg_lua_script *lua_script, int thread_num, const char *name_space); diff --git a/plugin/business/tsg-http/include/tsg_proxy_logger.h b/plugin/business/tsg-http/include/tsg_proxy_logger.h index 1eb0eb3..225edae 100644 --- a/plugin/business/tsg-http/include/tsg_proxy_logger.h +++ b/plugin/business/tsg-http/include/tsg_proxy_logger.h @@ -5,13 +5,14 @@ struct log_rule_t { - long long config_id; + int vsys_id; + uuid_t config_uuid; + char *config_uuid_string; int service_id; unsigned char do_log; unsigned char do_blacklist; unsigned char action; - char *srv_def_large; - int vsys_id; + char *action_parameter; }; struct proxy_log diff --git a/plugin/business/tsg-http/src/http_lua.cpp b/plugin/business/tsg-http/src/http_lua.cpp index 1832645..3087c40 100644 
--- a/plugin/business/tsg-http/src/http_lua.cpp +++ b/plugin/business/tsg-http/src/http_lua.cpp @@ -125,7 +125,7 @@ static int http_lua_log_debug(struct elua_vm *vm) p += snprintf(p, sizeof(buff) - (p - buff), " %s", in); } - TFE_LOG_DEBUG(tsg_ctx->local_logger, "policy_id:%d, profile_id:%d, message:%20s", tsg_ctx->config_id, tsg_ctx->profile_id, buff); + TFE_LOG_DEBUG(tsg_ctx->local_logger, "policy_id:%s, profile_id:%s, message:%20s", tsg_ctx->config_uuid_str, tsg_ctx->profile_uuid_str, buff); http_free_params(out_lua_argv); return 1; @@ -161,7 +161,7 @@ static int http_lua_log_info(struct elua_vm *vm) p += snprintf(p, sizeof(buff) - (p - buff), " %s", in); } - TFE_LOG_INFO(tsg_ctx->local_logger, "policy_id:%d, profile_id:%d, message:%s", tsg_ctx->config_id, tsg_ctx->profile_id, buff); + TFE_LOG_INFO(tsg_ctx->local_logger, "policy_id:%s, profile_id:%s, message:%s", tsg_ctx->config_uuid_str, tsg_ctx->profile_uuid_str, buff); http_free_params(out_lua_argv); return 1; @@ -197,7 +197,7 @@ static int http_lua_log_error(struct elua_vm *vm) p += snprintf(p, sizeof(buff) - (p - buff), " %s", in); } - TFE_LOG_ERROR(tsg_ctx->local_logger, "policy_id:%d, profile_id:%d, message:%s", tsg_ctx->config_id, tsg_ctx->profile_id, buff); + TFE_LOG_ERROR(tsg_ctx->local_logger, "policy_id:%s, profile_id:%s, message:%s", tsg_ctx->config_uuid_str, tsg_ctx->profile_uuid_str, buff); http_free_params(out_lua_argv); return 1; @@ -683,7 +683,7 @@ static int http_lua_get_body(struct elua_vm *vm) if(tsg_ctx->http_body == NULL) { - TFE_LOG_ERROR(tsg_ctx->local_logger, "policy_id:%d, profile_id:%d, message:%s", tsg_ctx->config_id, tsg_ctx->profile_id, "Can't to get req/resp body data"); + TFE_LOG_ERROR(tsg_ctx->local_logger, "policy_id:%s, profile_id:%s, message:%s", tsg_ctx->config_uuid_str, tsg_ctx->profile_uuid_str, "Can't to get req/resp body data"); return 0; } 
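Review bot: The log lines in http_lua_log_debug, http_lua_log_info, http_lua_log_error and http_lua_get_body now format `tsg_ctx->config_uuid_str` and `tsg_ctx->profile_uuid_str` with `%s`, but both are plain `char *` members that the policy parser elsewhere in this diff assigns only when the matching JSON key is present, so a rule without an `html_profile`/`hijack_profile`/`insert_profile` reaches these printf-style calls with a NULL argument, which is undefined behaviour (glibc prints "(null)", other libcs crash). A small helper, `#define SAFE_STR(s) ((s) ? (s) : "-")`, applied at each of the four call sites closes this, or the context could be initialised with a static "" when the key is missing. Each of these functions starts and ends outside its hunk.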
@@ -829,14 +829,14 @@ finish: return 0; } -size_t execute_lua_script_rule(struct tsg_lua_script *lua_script, int profile_id, struct elua_context *elua_ctx, unsigned int thread_id, void *user_data) +size_t execute_lua_script_rule(struct tsg_lua_script *lua_script, char *profile_uuid_str, struct elua_context *elua_ctx, unsigned int thread_id, void *user_data) { int ret=0; char *profile_msg=NULL; size_t msg_len=0; int timeout=0; struct elua_script **escript=NULL; - ret=lua_script->http_lua_profile(profile_id, &escript, &profile_msg, &msg_len, &timeout); + ret=lua_script->http_lua_profile(profile_uuid_str, &escript, &profile_msg, &msg_len, &timeout); if(ret<0) { return ret; @@ -856,7 +856,7 @@ size_t execute_lua_script_rule(struct tsg_lua_script *lua_script, int profile_id struct tsg_script_ctx *tsg_ctx= (struct tsg_script_ctx *)user_data; if(tsg_ctx != NULL && tsg_ctx->local_logger != NULL) { - TFE_LOG_ERROR(tsg_ctx->local_logger, "policy_id:%d, profile_id:%d, error_code:%d, error: %s", tsg_ctx->config_id, tsg_ctx->profile_id, ret, elua_get_last_error_string(lua_script->http_lua_handle[thread_id])); + TFE_LOG_ERROR(tsg_ctx->local_logger, "policy_id:%s, profile_id:%s, error_code:%d, error: %s", tsg_ctx->config_uuid_str, tsg_ctx->profile_uuid_str, ret, elua_get_last_error_string(lua_script->http_lua_handle[thread_id])); } } if(profile_msg != NULL) diff --git a/plugin/business/tsg-http/src/tsg_http.cpp b/plugin/business/tsg-http/src/tsg_http.cpp index 9c57c56..4e365b1 100644 --- a/plugin/business/tsg-http/src/tsg_http.cpp +++ b/plugin/business/tsg-http/src/tsg_http.cpp 
@@ -33,17 +33,21 @@ #define MAX_EDIT_ZONE_NUM 64 #define MAX_SCAN_DATA_SIZE ((1 << 16) - 1) -enum proxy_action //Bigger action number is prior. +enum proxy_action { - PX_ACTION_NONE = 0x00, - PX_ACTION_MONIT = 0x01, - PX_ACTION_FORWARD = 0x02, /* N/A */ - PX_ACTION_REJECT = 0x10, - PX_ACTION_DROP = 0x20, /* N/A */ - PX_ACTION_MANIPULATE = 0x30, - PX_ACTION_RATELIMIT = 0x40, /* N/A */ - PX_ACTION_WHITELIST = 0x60, - PX_ACTION_SHUNT = 0x80, + PX_ACTION_NONE = 0, + PX_ACTION_MONIT = 1, + PX_ACTION_INTERCEPT = 2, /* N/A */ + PX_ACTION_NO_INTERCEPT = 3, + PX_ACTION_ACTIVE_DEFENCE = 4, + PX_ACTION_WANNAT = 8, + PX_ACTION_REJECT = 16, + PX_ACTION_SHAPING = 32, + PX_ACTION_MANIPULATE = 48, + PX_ACTION_SERVICE_CHAINING=64, + PX_ACTION_WHITELIST = 96, + PX_ACTION_SHUNT = 128, + PX_STATISTICS = 129, __PX_ACTION_MAX }; @@ -103,7 +107,7 @@ enum manipulate_profile_table struct manipulate_profile { - int profile_id; + char *profile_uuid; int ref_cnt; size_t msg_len; char *profile_name; @@ -118,13 +122,14 @@ struct manipulate_profile struct maat_rule_t { - long long config_id; + int vsys_id; + uuid_t config_uuid; + char *config_uuid_string; int service_id; unsigned char do_log; unsigned char do_blacklist; unsigned char action; - char *srv_def_large; - int vsys_id; + char *action_parameter; }; struct policy_action_param @@ -134,7 +139,8 @@ struct policy_action_param char *message; char *position; float enforcement_ratio; - int profile_id; + char *profile_uuid_str; + int status_code; size_t n_rule; 
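Review bot: The renumbering of `enum proxy_action` drops the `//Bigger action number is prior.` comment while the new values are still ordered, with `PX_STATISTICS = 129` now above `PX_ACTION_SHUNT = 128`; if any code outside this hunk still resolves conflicting hits by comparing action values numerically, a statistics-only rule would now outrank shunt and whitelist, which is probably not intended (inferred, please check the consumers). Either restore a comment stating the ordering contract or add `/* numeric order is NOT a priority order */` so the next reader does not rely on it. The numbering is also sparse, which matters for any table indexed directly by the enum value.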
@@ -230,28 +236,54 @@ void trusted_CA_update_start_cb(int update_type, void* u_para) } g_proxy_rt->ca_store_reseting++; } - } -void trusted_CA_update_cert_cb(int table_id, const char* table_line, void* u_para) + +void trusted_CA_update_cert_cb(const char *table_name, const char *table_line, enum maat_operation op, void *u_para) { - int ret=0, cfg_id=0, is_valid=0; - char cert_name[128]={0}, cert_file[1024]={0}; - ret=sscanf(table_line, "%d\t%s\t%s\t%d", &cfg_id, cert_name, cert_file, &is_valid); - if(ret!=4) + int ret = 0; + + cJSON* trust_ca_cert = cJSON_Parse(table_line); + if(trust_ca_cert == NULL) { - TFE_LOG_ERROR(g_proxy_rt->local_logger, "Trusted CA Store parse cert config failed: %s", table_line); + TFE_LOG_ERROR(g_proxy_rt->local_logger, "PXY_PROFILE_TRUSTED_CA_CERT parse table_line failed. table_line:%s", table_line); return; } + + char *uuid_sring=NULL; + int is_valid=0; + char cert_name[128]={0}, cert_file[1024]={0}; + + cJSON *uuid = cJSON_GetObjectItem(trust_ca_cert, "uuid"); + if(uuid && uuid->type==cJSON_String) + { + uuid_sring = uuid->valuestring; + } + cJSON *item = cJSON_GetObjectItem(trust_ca_cert, "cert_name"); + if(item && item->type==cJSON_String) + { + memcpy(cert_name, item->valuestring, strlen(item->valuestring)); + } + item = cJSON_GetObjectItem(trust_ca_cert, "cert_file"); + if(item && item->type==cJSON_String) + { + memcpy(cert_file, item->valuestring, strlen(item->valuestring)); + } + item = cJSON_GetObjectItem(trust_ca_cert, "is_valid"); + if(item && item->type==cJSON_Number) + { + is_valid=item->valueint; + } + if(is_valid==1) { ret=tfe_proxy_ssl_add_trust_ca(cert_file); if(ret<0) { - TFE_LOG_ERROR(g_proxy_rt->local_logger, "Trusted CA Store add cert failed %d:%s:%s", cfg_id, cert_name, cert_file); + TFE_LOG_ERROR(g_proxy_rt->local_logger, "Trusted CA Store add cert failed %s:%s:%s", uuid_sring, cert_name, cert_file); } else { - TFE_LOG_INFO(g_proxy_rt->local_logger, "Trusted CA Store add cert success %d:%s:%s", cfg_id, cert_name, 
cert_file); + TFE_LOG_INFO(g_proxy_rt->local_logger, "Trusted CA Store add cert success %s:%s:%s", uuid_sring, cert_name, cert_file); } } else @@ -259,13 +291,16 @@ void trusted_CA_update_cert_cb(int table_id, const char* table_line, void* u_par ret=tfe_proxy_ssl_del_trust_ca(cert_file); if(ret<0) { - TFE_LOG_ERROR(g_proxy_rt->local_logger, "Trusted CA Store del cert failed %d:%s:%s", cfg_id, cert_name, cert_file); + TFE_LOG_ERROR(g_proxy_rt->local_logger, "Trusted CA Store del cert failed %s:%s:%s", uuid_sring, cert_name, cert_file); } else { - TFE_LOG_INFO(g_proxy_rt->local_logger, "Trusted CA Store del cert success %d:%s:%s", cfg_id, cert_name, cert_file); + TFE_LOG_INFO(g_proxy_rt->local_logger, "Trusted CA Store del cert success %s:%s:%s", uuid_sring, cert_name, cert_file); } } + + cJSON_Delete(trust_ca_cert); + trust_ca_cert=NULL; return; } void trusted_CA_update_crl_cb(int table_id,const char* table_line,void* u_para) 
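Review bot: `memcpy(cert_name, item->valuestring, strlen(item->valuestring))` and the matching copy into `cert_file` in trusted_CA_update_cert_cb have no bound, so a `cert_name` longer than 127 bytes or a `cert_file` longer than 1023 bytes in the table row overflows the stack buffers; the old `sscanf("%s")` had the same flaw, but the rewrite is the place to fix it with `snprintf(cert_name, sizeof cert_name, "%s", item->valuestring);` and `snprintf(cert_file, sizeof cert_file, "%s", item->valuestring);`. `uuid_sring` stays NULL when the `uuid` key is absent and is then printed with `%s`, and an empty `cert_file` goes straight into tfe_proxy_ssl_add_trust_ca, so `if (uuid_sring == NULL || cert_file[0] == '\0') { cJSON_Delete(trust_ca_cert); return; }` before the is_valid branch would reject malformed rows early. The new `op` parameter is never consulted; if the framework delivers a row deletion with `op` set while the row's `is_valid` is still 1, the certificate would be re-added rather than removed (inferred, please check the maat_operation contract). The function continues into the next hunk.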
@@ -413,83 +448,128 @@ char* str_unescape(char* s) return s; } -void policy_action_param_new(const char *table_name, int table_id, const char* key, const char* table_line, void **ad, long argl, void* argp) +unsigned char action_type_str2idx(const char *action_str) { - int ret=0, group_num=0; - long long config_id=0; - int service_id=0, action=0; - int do_log=0,do_blacklist=0,is_valid=0; - char effective_range[1024]={0}; - char srv_def_large[8192]={0}; - struct policy_action_param* param=NULL; + const char * action_name[__PX_ACTION_MAX]; + action_name[PX_ACTION_NONE] = "none"; + action_name[PX_ACTION_MONIT] = "monitor"; + action_name[PX_ACTION_INTERCEPT] = "intercept"; + action_name[PX_ACTION_NO_INTERCEPT] = "no_intercept"; + action_name[PX_ACTION_ACTIVE_DEFENCE] = "active_defence"; + action_name[PX_ACTION_WANNAT] = "wannat"; + action_name[PX_ACTION_REJECT] = "deny"; + action_name[PX_ACTION_SHAPING] = "shaping"; + action_name[PX_ACTION_MANIPULATE] = "manipulate"; + action_name[PX_ACTION_SERVICE_CHAINING] = "service_chaining"; + action_name[PX_ACTION_WHITELIST] = "allow"; + action_name[PX_ACTION_SHUNT] = "shunt"; + action_name[PX_STATISTICS] = "statistics"; - ret=sscanf(table_line, "%lld\t%d\t%d\t%d\t%d\t%s\t%s\t%d\t%d", &config_id, &service_id, &action, &do_blacklist, &do_log, effective_range, srv_def_large, &group_num, &is_valid); - if(ret!=9) + int action = 0; + for ( action = PX_ACTION_NONE; action < __PX_ACTION_MAX; action++) { - TFE_LOG_ERROR(g_proxy_rt->local_logger, "ctrl policy table parse failed, ret:%d, %s", ret, table_line); + if (0 == strcasecmp(action_str, action_name[action])) + break; + } + return action; +} + +unsigned char log_option_type_str2idx(const char *log_option) +{ + size_t i = 0; + const char *log_option_name[] = {"none", "metadata", "all"}; + for (i = 0; i < sizeof(log_option_name) / sizeof(const char *); i++) + { + if (0 == strcasecmp(log_option, log_option_name[i])) + break; + } + return i; + +} + +void policy_action_param_new(const char 
*table_name, const char* key, const char* table_line, void **ad, long argl, void* argp) +{ + cJSON* pxy_ctrl_rule = cJSON_Parse(table_line); + if(pxy_ctrl_rule == NULL) + { + TFE_LOG_ERROR(g_proxy_rt->local_logger, "PXY_CTRL_RULE parse table_line failed. table_line:%s", table_line); return; } - *ad=NULL; + struct policy_action_param* param=ALLOC(struct policy_action_param, 1); - str_unescape(srv_def_large); - int serv_def_len=strlen(srv_def_large); - if((unsigned int)serv_def_lentype==cJSON_String) { + param->hit_rule.config_uuid_string = strdup(uuid->valuestring); + uuid_parse(uuid->valuestring, param->hit_rule.config_uuid); + } + + cJSON *action = cJSON_GetObjectItem(pxy_ctrl_rule, "action"); + if(action && action->type==cJSON_String) + { + param->hit_rule.action=action_type_str2idx(action->valuestring); + } + + cJSON *blacklist_option = cJSON_GetObjectItem(pxy_ctrl_rule, "blacklist_option"); + if(blacklist_option && blacklist_option->type==cJSON_Number) + { + param->hit_rule.do_blacklist=blacklist_option->valueint; + } + + cJSON *log_option = cJSON_GetObjectItem(pxy_ctrl_rule, "log_option"); + if(log_option && log_option->type==cJSON_String) + { + param->hit_rule.do_log=log_option_type_str2idx(log_option->valuestring); + } + + cJSON *action_parameter = cJSON_GetObjectItem(pxy_ctrl_rule, "action_parameter"); + if(action_parameter == NULL || action_parameter->type!=cJSON_Object) + { + FREE(¶m); + TFE_LOG_ERROR(g_proxy_rt->local_logger, "invalid policy parameter: id = %s", param->hit_rule.config_uuid_string); return; } - int rule_id; - cJSON *json=NULL, *rules=NULL, *item=NULL, *sub_item=NULL; - json=cJSON_Parse(srv_def_large); - if(json==NULL) - { - TFE_LOG_ERROR(g_proxy_rt->local_logger, "invalid policy parameter: id = %lld", config_id); - return; - } - - param=ALLOC(struct policy_action_param, 1); param->ref_cnt=1; - param->hit_rule.action=action; - param->hit_rule.config_id=config_id; - param->hit_rule.do_blacklist=do_blacklist; - param->hit_rule.do_log=do_log; 
- param->hit_rule.srv_def_large=tfe_strdup(srv_def_large); pthread_mutex_init(&(param->lock), NULL); + param->hit_rule.action_parameter = cJSON_PrintUnformatted(action_parameter); - item=cJSON_GetObjectItem(json,"method"); - if(item && item->type==cJSON_String) + cJSON *method=cJSON_GetObjectItem(action_parameter,"method"); + if(method && method->type==cJSON_String) { - param->action=manipulate_action_str2idx(item->valuestring); + param->action=manipulate_action_str2idx(method->valuestring); } + int rule_id=0; + cJSON *rules=NULL, *item=NULL, *sub_item=NULL; switch(param->action) { case MA_ACTION_ALLOW: case MA_ACTION_MONITOR: - item=cJSON_GetObjectItem(json,"vsys_id"); + item=cJSON_GetObjectItem(action_parameter,"vsys_id"); if(item && item->type==cJSON_Number) { param->hit_rule.vsys_id=item->valueint; } break; case MA_ACTION_REDIRECT: - item=cJSON_GetObjectItem(json,"vsys_id"); + item=cJSON_GetObjectItem(action_parameter,"vsys_id"); if(item && item->type==cJSON_Number) { param->hit_rule.vsys_id=item->valueint; } - item=cJSON_GetObjectItem(json,"code"); + item=cJSON_GetObjectItem(action_parameter,"code"); if(item && item->type==cJSON_Number) { param->status_code = item->valueint; } - item=cJSON_GetObjectItem(json,"to"); + item=cJSON_GetObjectItem(action_parameter,"to"); if(item && item->type==cJSON_String) { param->message = tfe_strdup(item->valuestring); } - item=cJSON_GetObjectItem(json,"enforcement_ratio"); + item=cJSON_GetObjectItem(action_parameter,"enforcement_ratio"); if(item && item->type==cJSON_Number) { param->enforcement_ratio = item->valuedouble; 
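Review bot: action_type_str2idx declares `const char * action_name[__PX_ACTION_MAX]` as an uninitialised automatic array and fills only the thirteen enum slots, yet the loop walks `action` over every value from 0 to `__PX_ACTION_MAX-1` and calls strcasecmp on each entry, so the gaps in the sparse enum (5-7, 9-15, 17-31, ...) are dereferenced as garbage pointers the first time a name not found in the low slots is looked up; a static table of (value, name) pairs, as below, removes both the uninitialised reads and the per-call setup. In policy_action_param_new the `action_parameter` error path calls `FREE(&param)` and then formats `param->hit_rule.config_uuid_string` in the error log, a use-after-free, and neither that strdup'd string nor `pxy_ctrl_rule` is released on that return; log first, then free the uuid string, the param and the cJSON tree. The `uuid_parse` return value is also unchecked, so a malformed `uuid` string leaves `config_uuid` undefined while `config_uuid_string` is set. The enclosing function continues in the following hunks.
```cpp
unsigned char action_type_str2idx(const char *action_str)
{
    /* (value, name) pairs: the enum is sparse, so never index by enum value. */
    static const struct { enum proxy_action idx; const char *name; } action_name[] = {
        { PX_ACTION_NONE,             "none" },
        { PX_ACTION_MONIT,            "monitor" },
        { PX_ACTION_INTERCEPT,        "intercept" },
        { PX_ACTION_NO_INTERCEPT,     "no_intercept" },
        { PX_ACTION_ACTIVE_DEFENCE,   "active_defence" },
        { PX_ACTION_WANNAT,           "wannat" },
        { PX_ACTION_REJECT,           "deny" },
        { PX_ACTION_SHAPING,          "shaping" },
        { PX_ACTION_MANIPULATE,       "manipulate" },
        { PX_ACTION_SERVICE_CHAINING, "service_chaining" },
        { PX_ACTION_WHITELIST,        "allow" },
        { PX_ACTION_SHUNT,            "shunt" },
        { PX_STATISTICS,              "statistics" },
    };
    if (action_str == NULL)
    {
        return __PX_ACTION_MAX;
    }
    for (size_t i = 0; i < sizeof(action_name) / sizeof(action_name[0]); i++)
    {
        if (strcasecmp(action_str, action_name[i].name) == 0)
        {
            return action_name[i].idx;
        }
    }
    return __PX_ACTION_MAX; /* unknown action name */
}
// … unchanged: log_option_type_str2idx …
// … in policy_action_param_new, action_parameter error path …
    if(action_parameter == NULL || action_parameter->type!=cJSON_Object)
    {
        TFE_LOG_ERROR(g_proxy_rt->local_logger, "invalid policy parameter: id = %s",
                      param->hit_rule.config_uuid_string ? param->hit_rule.config_uuid_string : "-");
        free(param->hit_rule.config_uuid_string);
        FREE(&param);
        cJSON_Delete(pxy_ctrl_rule);
        return;
    }
```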
@@ -500,34 +580,34 @@ void policy_action_param_new(const char *table_name, int table_id, const char* k } break; case MA_ACTION_BLOCK: - item=cJSON_GetObjectItem(json,"vsys_id"); + item=cJSON_GetObjectItem(action_parameter,"vsys_id"); if(item && item->type==cJSON_Number) { param->hit_rule.vsys_id=item->valueint; } - item=cJSON_GetObjectItem(json,"code"); + item=cJSON_GetObjectItem(action_parameter,"code"); if(item && item->type==cJSON_Number) { param->status_code = item->valueint; } - item=cJSON_GetObjectItem(json,"message"); + item=cJSON_GetObjectItem(action_parameter,"message"); if(item && item->type==cJSON_String) { param->message = tfe_strdup(item->valuestring); } - item=cJSON_GetObjectItem(json,"html_profile"); - if(item && item->type==cJSON_Number) + item=cJSON_GetObjectItem(action_parameter,"html_profile"); + if(item && item->type==cJSON_String) { - param->profile_id = item->valueint; + param->profile_uuid_str = tfe_strdup(item->valuestring); } break; case MA_ACTION_REPLACE: - item=cJSON_GetObjectItem(json,"vsys_id"); + item=cJSON_GetObjectItem(action_parameter,"vsys_id"); if(item && item->type==cJSON_Number) { param->hit_rule.vsys_id=item->valueint; } - item=cJSON_GetObjectItem(json,"enforcement_ratio"); + item=cJSON_GetObjectItem(action_parameter,"enforcement_ratio"); if(item && item->type==cJSON_Number) { param->enforcement_ratio = item->valuedouble; @@ -536,7 +616,7 @@ void policy_action_param_new(const char *table_name, int table_id, const char* k { param->enforcement_ratio = 1; } - rules = cJSON_GetObjectItem(json, "rules"); + rules = cJSON_GetObjectItem(action_parameter, "rules"); if(rules == NULL) { break; 
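Review bot: The `action_parameter` validation a few lines above this hunk (same function, outside the hunk) calls `FREE(&param)` and then logs `param->hit_rule.config_uuid_string`, which is a use-after-free; on that path the strdup'd `config_uuid_string` and the parsed `pxy_ctrl_rule` are also never released. The order should be: log the error first, then `FREE(&param->hit_rule.config_uuid_string)`, `FREE(&param)`, `cJSON_Delete(pxy_ctrl_rule)`, and only then `return`. Within this hunk and the ones that follow, every `case` repeats the identical `vsys_id` extraction; hoisting `item=cJSON_GetObjectItem(action_parameter,"vsys_id");` with its number check above the `switch` would remove the five copies. `policy_action_param_new` starts and ends outside this hunk.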
@@ -562,16 +642,17 @@ void policy_action_param_new(const char *table_name, int table_id, const char* k param->n_rule = rule_id; break; case MA_ACTION_HIJACK: - item=cJSON_GetObjectItem(json,"vsys_id"); + item=cJSON_GetObjectItem(action_parameter,"vsys_id"); if(item && item->type==cJSON_Number) { param->hit_rule.vsys_id=item->valueint; } - item=cJSON_GetObjectItem(json,"hijack_profile"); - if(item && item->type==cJSON_Number){ - param->profile_id = item->valueint; + item=cJSON_GetObjectItem(action_parameter,"hijack_profile"); + if(item && item->type==cJSON_String) + { + param->profile_uuid_str =tfe_strdup(item->valuestring); } - item=cJSON_GetObjectItem(json,"enforcement_ratio"); + item=cJSON_GetObjectItem(action_parameter,"enforcement_ratio"); if(item && item->type==cJSON_Number) { param->enforcement_ratio = item->valuedouble; @@ -582,20 +663,21 @@ void policy_action_param_new(const char *table_name, int table_id, const char* k } break; case MA_ACTION_INSERT: - item=cJSON_GetObjectItem(json,"vsys_id"); + item=cJSON_GetObjectItem(action_parameter,"vsys_id"); if(item && item->type==cJSON_Number) { param->hit_rule.vsys_id=item->valueint; } - item=cJSON_GetObjectItem(json,"insert_profile"); - if(item && item->type==cJSON_Number){ - param->profile_id = item->valueint; + item=cJSON_GetObjectItem(action_parameter,"insert_profile"); + if(item && item->type==cJSON_String) + { + param->profile_uuid_str =tfe_strdup(item->valuestring); } - item=cJSON_GetObjectItem(json,"position"); + item=cJSON_GetObjectItem(action_parameter,"position"); if(item && item->type==cJSON_String){ param->position = tfe_strdup(item->valuestring); } - item=cJSON_GetObjectItem(json,"enforcement_ratio"); + item=cJSON_GetObjectItem(action_parameter,"enforcement_ratio"); if(item && item->type==cJSON_Number) { param->enforcement_ratio = item->valuedouble; 
@@ -606,12 +688,12 @@ void policy_action_param_new(const char *table_name, int table_id, const char* k } break; case MA_ACTION_ELEMENT: - item=cJSON_GetObjectItem(json,"vsys_id"); + item=cJSON_GetObjectItem(action_parameter,"vsys_id"); if(item && item->type==cJSON_Number) { param->hit_rule.vsys_id=item->valueint; } - rules = cJSON_GetObjectItem(json, "rules"); + rules = cJSON_GetObjectItem(action_parameter, "rules"); if(rules == NULL) { break; @@ -649,16 +731,17 @@ void policy_action_param_new(const char *table_name, int table_id, const char* k param->e_rule = rule_id; break; case MA_ACTION_LUA_SCRIPT: - item=cJSON_GetObjectItem(json,"vsys_id"); + item=cJSON_GetObjectItem(action_parameter,"vsys_id"); if(item && item->type==cJSON_Number) { param->hit_rule.vsys_id=item->valueint; } - item=cJSON_GetObjectItem(json,"run_script_profile"); - if(item && item->type==cJSON_Number){ - param->profile_id = item->valueint; + item=cJSON_GetObjectItem(action_parameter,"run_script_profile"); + if(item && item->type==cJSON_String) + { + param->profile_uuid_str =tfe_strdup(item->valuestring); } - item=cJSON_GetObjectItem(json,"enforcement_ratio"); + item=cJSON_GetObjectItem(action_parameter,"enforcement_ratio"); if(item && item->type==cJSON_Number) { param->enforcement_ratio = item->valuedouble; @@ -672,12 +755,12 @@ void policy_action_param_new(const char *table_name, int table_id, const char* k break; } *ad=param; - TFE_LOG_INFO(g_proxy_rt->local_logger, "Add ctrl policy: %lld", config_id); - cJSON_Delete(json); + TFE_LOG_INFO(g_proxy_rt->local_logger, "Add ctrl policy: %s", param->hit_rule.config_uuid_string); + cJSON_Delete(pxy_ctrl_rule); return; } -void policy_action_param_free_cb(int table_id, void **ad, long argl, void *argp) +void policy_action_param_free_cb(const char *table_name, void **ad, long argl, void *argp) { unsigned int i=0; if(*ad==NULL) 
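Review bot: In the `@@ -672` hunk the new `TFE_LOG_INFO(..., "Add ctrl policy: %s", param->hit_rule.config_uuid_string)` passes a NULL pointer to `%s` whenever the rule JSON has no string `"uuid"`, because the parser above only sets `config_uuid_string` inside `if(uuid && uuid->type==cJSON_String)` and never checks the `uuid_parse` result. The same NULL later reaches `strlen(prior_rule->config_uuid_string)` in `decide_ctrl_action`. A rule without a parseable uuid cannot be looked up by key anyway, so treat it as a parse failure next to the existing `action_parameter` check: `if(param->hit_rule.config_uuid_string == NULL) { /* log, free param, cJSON_Delete, return */ }`, and likewise reject a non-zero return from `uuid_parse`. The enclosing function starts outside this hunk.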
@@ -717,8 +800,12 @@ void policy_action_param_free_cb(int table_id, void **ad, long argl, void *argp) FREE(&(param->message)); if (param->position) FREE(&(param->position)); - if(param->hit_rule.srv_def_large) - FREE(&(param->hit_rule.srv_def_large)) + if(param->profile_uuid_str) + FREE(&(param->profile_uuid_str)); + if(param->hit_rule.config_uuid_string) + FREE(&(param->hit_rule.config_uuid_string)); + if(param->hit_rule.action_parameter) + FREE(¶m->hit_rule.action_parameter); FREE(&(param)); return; @@ -726,11 +813,11 @@ void policy_action_param_free_cb(int table_id, void **ad, long argl, void *argp) void policy_action_param_free(struct policy_action_param* param) { - policy_action_param_free_cb(0, (void**)¶m, 0, NULL); + policy_action_param_free_cb("PXY_CTRL_RULE_PLUGIN", (void**)¶m, 0, NULL); return; } -void policy_action_param_dup(int idx, void **to, void **from, long argl, void *argp) +void policy_action_param_dup(const char *table_name, void **to, void **from, long argl, void *argp) { struct policy_action_param* from_param=*((struct policy_action_param**)from); if(from_param==NULL) 
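Review bot: `FREE(&param->hit_rule.action_parameter)` releases a buffer that was produced by `cJSON_PrintUnformatted`, so it must be freed with the allocator cJSON was built with; if the project installs allocation hooks (`cJSON_InitHooks`) or links a cJSON that uses its own heap, the plain `FREE` here is a mismatched free. If hooks are not used this is fine, but the safer form is `cJSON_free(param->hit_rule.action_parameter); param->hit_rule.action_parameter=NULL;` (available in recent cJSON releases; verify the vendored version). The cleanup also mixes `FREE(&(x))` and `FREE(&x)` spellings, which could be unified. `policy_action_param_free_cb` starts outside this hunk.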
@@ -745,27 +832,42 @@ void policy_action_param_dup(int idx, void **to, void **from, long argl, void *a return; } -void ma_profile_table_new_cb(const char *table_name, int table_id, const char* key, const char* table_line, void **ad, long argl, void* argp) +void ma_profile_table_new_cb(const char *table_name, const char* key, const char* table_line, void **ad, long argl, void* argp) { - int ret=0, profile_id=0, is_valid=0; - char profile_name[512]={0}, formate[128]={0}; - char profile_path[TFE_PATH_MAX]={0}; - - ret=sscanf(table_line, "%d\t%s\t%s\t%s\t%d", &profile_id, profile_name, formate, profile_path, &is_valid); - if(ret!=5) + cJSON* response_pages = cJSON_Parse(table_line); + if(response_pages == NULL) { - TFE_LOG_ERROR(g_proxy_rt->local_logger, "Policy table parse config failed: %s", table_line); + TFE_LOG_ERROR(g_proxy_rt->local_logger, "TSG_PROFILE_RESPONSE_PAGES parse table_line failed. table_line:%s", table_line); return; } + char *profile_path=NULL; struct manipulate_profile* ply_profile=ALLOC(struct manipulate_profile, 1); - memset(ply_profile, 0, sizeof(struct manipulate_profile)); + cJSON *uuid = cJSON_GetObjectItem(response_pages, "uuid"); + if(uuid && uuid->type==cJSON_String) + { + ply_profile->profile_uuid = tfe_strdup(uuid->valuestring); + } + cJSON *profile_name = cJSON_GetObjectItem(response_pages, "profile_name"); + if(profile_name && profile_name->type==cJSON_String) + { + ply_profile->profile_name=tfe_strdup(profile_name->valuestring); + } + cJSON *format = cJSON_GetObjectItem(response_pages, "format"); + if(format && format->type==cJSON_String) + { + ply_profile->profile_type=tfe_strdup(format->valuestring); + } + cJSON *item = cJSON_GetObjectItem(response_pages, "path"); + if(item && item->type==cJSON_String) + { + profile_path=item->valuestring; + } - ply_profile->profile_id=profile_id; ply_profile->ref_cnt=1; pthread_mutex_init(&(ply_profile->lock), NULL); - if(strcasecmp(formate, "template") == 0) + 
if(strcasecmp(ply_profile->profile_type, "template") == 0) { ply_profile->tpl = ctemplate::Template::GetTemplate(profile_path, ctemplate::DO_NOT_STRIP); }else 
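Review bot: Replacing the `sscanf`/`ret!=5` check with optional `cJSON_GetObjectItem` lookups drops the mandatory-field validation: a row without `"format"` leaves `profile_type` NULL and the new `strcasecmp(ply_profile->profile_type, "template")` dereferences it, and a row without `"path"` passes a NULL `profile_path` to `ctemplate::Template::GetTemplate` / `tfe_read_file`. The same pattern is repeated in `ma_insert_profile_table_new_cb` (`@@ -773` hunk, `profile_type` and `profile_path`) and in `ma_lua_profile_table_new_cb` (`@@ -812` hunk, `profile_path` used in `tfe_strdup` and `tfe_read_file`), and `ma_hijack_profile_table_new_cb` likewise stores a NULL `profile_msg` when `"path"` is absent. Before the `strcasecmp`, reject an incomplete row and release what was already allocated (whether `ma_profile_table_free` is safe on a profile at this point depends on its ref-count handling, which is outside this hunk, so verify). This function continues past the end of the hunk.
```c
    /* … unchanged: uuid / profile_name / format / path extraction … */
    ply_profile->ref_cnt=1;
    pthread_mutex_init(&(ply_profile->lock), NULL);
    if(ply_profile->profile_type == NULL || profile_path == NULL)
    {
        TFE_LOG_ERROR(g_proxy_rt->local_logger, "TSG_PROFILE_RESPONSE_PAGES missing format or path. table_line:%s", table_line);
        cJSON_Delete(response_pages);
        ma_profile_table_free(ply_profile);
        return;
    }
    if(strcasecmp(ply_profile->profile_type, "template") == 0)
    /* … unchanged: template / file loading … */
```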
@@ -773,38 +875,59 @@ void ma_profile_table_new_cb(const char *table_name, int table_id, const char* k ply_profile->profile_msg = tfe_read_file(profile_path, &ply_profile->msg_len); if (ply_profile->profile_msg == NULL) { - TFE_LOG_ERROR(g_proxy_rt->local_logger, "Read file failed %d:%s:%s", profile_id, profile_name, profile_path); + TFE_LOG_ERROR(g_proxy_rt->local_logger, "Read file failed %s:%s:%s", ply_profile->profile_uuid, ply_profile->profile_name, profile_path); } } - ply_profile->profile_name=tfe_strdup(profile_name); - ply_profile->profile_type=tfe_strdup(formate); - TFE_LOG_INFO(g_proxy_rt->local_logger, "Policy table add success %d", profile_id); + cJSON_Delete(response_pages); + response_pages=NULL; + TFE_LOG_INFO(g_proxy_rt->local_logger, "Policy table add success %s", ply_profile->profile_uuid); *ad = ply_profile; return; } -void ma_insert_profile_table_new_cb(const char *table_name, int table_id, const char* key, const char* table_line, void **ad, long argl, void* argp) +void ma_insert_profile_table_new_cb(const char *table_name, const char* key, const char* table_line, void **ad, long argl, void* argp) { - int ret=0, profile_id=0, is_valid=0; - char profile_name[512]={0}, formate[128]={0}; - char profile_path[TFE_PATH_MAX]={0},profile_position[TFE_PATH_MAX]={0}; - - ret=sscanf(table_line, "%d\t%s\t%s\t%s\t%s\t%d", &profile_id, profile_name, formate, profile_path, profile_position, &is_valid); - if(ret!=6) + cJSON* insert_script = cJSON_Parse(table_line); + if(insert_script == NULL) { - TFE_LOG_ERROR(g_proxy_rt->local_logger, "Policy table parse config failed: %s", table_line); + TFE_LOG_ERROR(g_proxy_rt->local_logger, "PXY_PROFILE_INSERT_SCRIPTS parse table_line failed. 
table_line:%s", table_line); return; } - struct manipulate_profile* ply_profile=ALLOC(struct manipulate_profile, 1); - memset(ply_profile, 0, sizeof(struct manipulate_profile)); - ply_profile->profile_id=profile_id; + char *profile_path=NULL; + struct manipulate_profile* ply_profile=ALLOC(struct manipulate_profile, 1); + cJSON *uuid = cJSON_GetObjectItem(insert_script, "uuid"); + if(uuid && uuid->type==cJSON_String) + { + ply_profile->profile_uuid = tfe_strdup(uuid->valuestring); + } + cJSON *profile_name = cJSON_GetObjectItem(insert_script, "profile_name"); + if(profile_name && profile_name->type==cJSON_String) + { + ply_profile->profile_name=tfe_strdup(profile_name->valuestring); + } + cJSON *format = cJSON_GetObjectItem(insert_script, "format"); + if(format && format->type==cJSON_String) + { + ply_profile->profile_type=tfe_strdup(format->valuestring); + } + cJSON *insert_on = cJSON_GetObjectItem(insert_script, "insert_on"); + if(insert_on && insert_on->type==cJSON_String) + { + ply_profile->profile_position=tfe_strdup(insert_on->valuestring); + } + cJSON *item = cJSON_GetObjectItem(insert_script, "path"); + if(item && item->type==cJSON_String) + { + profile_path=item->valuestring; + } + ply_profile->ref_cnt=1; pthread_mutex_init(&(ply_profile->lock), NULL); - if(strcasecmp(formate, "template") == 0) + if(strcasecmp(ply_profile->profile_type, "template") == 0) { ply_profile->tpl = ctemplate::Template::GetTemplate(profile_path, ctemplate::DO_NOT_STRIP); }else 
@@ -812,82 +935,114 @@ void ma_insert_profile_table_new_cb(const char *table_name, int table_id, const ply_profile->profile_msg = tfe_read_file(profile_path, &ply_profile->msg_len); if (ply_profile->profile_msg == NULL) { - TFE_LOG_ERROR(g_proxy_rt->local_logger, "Read file failed %d:%s:%s", profile_id, profile_name, profile_path); + TFE_LOG_ERROR(g_proxy_rt->local_logger, "Read file failed %s:%s:%s", ply_profile->profile_uuid, ply_profile->profile_name, profile_path); } } - ply_profile->profile_name=tfe_strdup(profile_name); - ply_profile->profile_type=tfe_strdup(formate); - ply_profile->profile_position=tfe_strdup(profile_position); - TFE_LOG_INFO(g_proxy_rt->local_logger, "Policy table add success %d", profile_id); + cJSON_Delete(insert_script); + insert_script=NULL; + TFE_LOG_INFO(g_proxy_rt->local_logger, "Policy table add success %s", ply_profile->profile_uuid); + *ad = ply_profile; + + return; +} + +void ma_hijack_profile_table_new_cb(const char *table_name, const char* key, const char* table_line, void **ad, long argl, void* argp) +{ + cJSON* hihijack_files = cJSON_Parse(table_line); + if(hihijack_files == NULL) + { + TFE_LOG_ERROR(g_proxy_rt->local_logger, "PXY_PROFILE_HIJACK_FILES parse table_line failed. 
table_line:%s", table_line); + return; + } + + struct manipulate_profile* ply_profile=ALLOC(struct manipulate_profile, 1); + cJSON *uuid = cJSON_GetObjectItem(hihijack_files, "uuid"); + if(uuid && uuid->type==cJSON_String) + { + ply_profile->profile_uuid = tfe_strdup(uuid->valuestring); + } + cJSON *profile_name = cJSON_GetObjectItem(hihijack_files, "profile_name"); + if(profile_name && profile_name->type==cJSON_String) + { + ply_profile->profile_name=tfe_strdup(profile_name->valuestring); + } + cJSON *content_type = cJSON_GetObjectItem(hihijack_files, "content_type"); + if(content_type && content_type->type==cJSON_String) + { + ply_profile->profile_type=tfe_strdup(content_type->valuestring); + } + cJSON *path = cJSON_GetObjectItem(hihijack_files, "path"); + if(path && path->type==cJSON_String) + { + ply_profile->profile_msg=tfe_strdup(path->valuestring); + } + + ply_profile->ref_cnt=1; + pthread_mutex_init(&(ply_profile->lock), NULL); + + cJSON_Delete(hihijack_files); + hihijack_files=NULL; + TFE_LOG_INFO(g_proxy_rt->local_logger, "Policy table add success %s", ply_profile->profile_uuid); *ad = ply_profile; return; } -void ma_hijack_profile_table_new_cb(const char *table_name, int table_id, const char* key, const char* table_line, void **ad, long argl, void* argp) +void ma_lua_profile_table_new_cb(const char *table_name, const char* key, const char* table_line, void **ad, long argl, void* argp) { - int ret=0, profile_id=0, is_valid=0; - char profile_name[512]={0}, formate[128]={0}; - char profile_path[TFE_PATH_MAX]={0},hijack_name[512]={0}; - - ret=sscanf(table_line, "%d\t%s\t%s\t%s\t%s\t%d", &profile_id, profile_name, hijack_name, formate, profile_path, &is_valid); - if(ret!=6) + cJSON* run_scripts = cJSON_Parse(table_line); + if(run_scripts == NULL) { - TFE_LOG_ERROR(g_proxy_rt->local_logger, "Policy table parse config failed: %s", table_line); + TFE_LOG_ERROR(g_proxy_rt->local_logger, "PXY_PROFILE_RUN_SCRIPTS parse table_line failed. 
table_line:%s", table_line); return; } + + char *profile_path=NULL; + struct manipulate_profile* ply_profile=ALLOC(struct manipulate_profile, 1); + cJSON *uuid = cJSON_GetObjectItem(run_scripts, "uuid"); + if(uuid && uuid->type==cJSON_String) + { + ply_profile->profile_uuid = tfe_strdup(uuid->valuestring); + } + cJSON *max_exec_time = cJSON_GetObjectItem(run_scripts, "max_exec_time"); + if(max_exec_time && max_exec_time->type==cJSON_Number) + { + ply_profile->timeout=max_exec_time->valueint; + } + cJSON *path = cJSON_GetObjectItem(run_scripts, "path"); + if(path && path->type==cJSON_String) + { + profile_path=path->valuestring; + } + ply_profile->ref_cnt=1; pthread_mutex_init(&(ply_profile->lock), NULL); - ply_profile->profile_id=profile_id; - ply_profile->profile_msg=tfe_strdup(profile_path); - ply_profile->profile_name=tfe_strdup(hijack_name); - ply_profile->profile_type=tfe_strdup(formate); - - TFE_LOG_INFO(g_proxy_rt->local_logger, "Policy table add success %d", profile_id); - - *ad = ply_profile; - return; -} - -void ma_lua_profile_table_new_cb(const char *table_name, int table_id, const char* key, const char* table_line, void **ad, long argl, void* argp) -{ - int timeout=0; - int ret=0, profile_id=0, is_valid=0; - char profile_name[512]={0}, profile_path[TFE_PATH_MAX]={0}; - - ret=sscanf(table_line, "%d\t%s\t%d\t%d", &profile_id, profile_path, &timeout, &is_valid); - if(ret!=4) - { - TFE_LOG_ERROR(g_proxy_rt->local_logger, "Policy table parse config failed: %s", table_line); - return; - } - struct manipulate_profile* ply_profile=ALLOC(struct manipulate_profile, 1); - ply_profile->ref_cnt=1; - pthread_mutex_init(&(ply_profile->lock), NULL); - - ply_profile->profile_id=profile_id; ply_profile->profile_name=tfe_strdup(profile_path); ply_profile->profile_msg = tfe_read_file(profile_path, &ply_profile->msg_len); - ply_profile->timeout=timeout; + if (ply_profile->profile_msg == NULL) { - TFE_LOG_ERROR(g_proxy_rt->local_logger, "Read file failed %d:%s:%s", 
profile_id, profile_name, profile_path); + cJSON_Delete(run_scripts); + run_scripts=NULL; + TFE_LOG_ERROR(g_proxy_rt->local_logger, "Read file failed %s:%s:%s", ply_profile->profile_uuid, ply_profile->profile_name, profile_path); *ad = ply_profile; return; } int thread_num = g_proxy_rt->thread_num; ply_profile->escript_ctx = ALLOC(struct elua_script *, thread_num); - TFE_LOG_INFO(g_proxy_rt->local_logger, "Policy table add success %d", profile_id); + TFE_LOG_INFO(g_proxy_rt->local_logger, "Policy table add success %s", ply_profile->profile_uuid); + cJSON_Delete(run_scripts); + run_scripts=NULL; *ad = ply_profile; return; } -void ma_profile_table_free_cb(int table_id, void **ad, long argl, void *argp) +void ma_profile_table_free_cb(const char *table_name, void **ad, long argl, void *argp) { if(*ad==NULL) { @@ -904,6 +1059,9 @@ void ma_profile_table_free_cb(int table_id, void **ad, long argl, void *argp) pthread_mutex_unlock(&(ply_obj->lock)); pthread_mutex_destroy(&(ply_obj->lock)); + if(ply_obj->profile_uuid) + FREE(&ply_obj->profile_uuid); + if(ply_obj->profile_type) FREE(&ply_obj->profile_type); @@ -939,7 +1097,7 @@ void ma_profile_table_free(struct manipulate_profile* ply_obj) ma_profile_table_free_cb(0, (void **)&ply_obj, 0, NULL); } -void ma_profile_table_dup_cb(int table_id, void **to, void **from, long argl, void *argp) +void ma_profile_table_dup_cb(const char *table_name, void **to, void **from, long argl, void *argp) { struct manipulate_profile* ply_obj=(struct manipulate_profile*)(*from); pthread_mutex_lock(&(ply_obj->lock)); 
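Review bot: The context line `ma_profile_table_free_cb(0, (void **)&ply_obj, 0, NULL);` in the `@@ -939` hunk was not updated when the first parameter changed from `int table_id` to `const char *table_name`; it still compiles only because the literal `0` is a null-pointer constant, and it is inconsistent with `policy_action_param_free`, which this commit changed to pass its table name. Pass `NULL` explicitly, or the relevant table name if the callback is ever made to use it. In the `@@ -904` hunk the new `profile_uuid` release looks correct and matches the existing `profile_type` handling.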
@@ -948,21 +1106,6 @@ void ma_profile_table_dup_cb(int table_id, void **to, void **from, long argl, vo *to=ply_obj; } -int maat_table_init(const char* table_name, - maat_start_callback_t *start, maat_update_callback_t *update, maat_finish_callback_t *finish, - void *u_para) -{ - int table_id=0; - - table_id=maat_get_table_id(g_proxy_rt->feather, table_name); - if(table_id>=0) - { - maat_table_callback_register(g_proxy_rt->feather, table_id, - start, update, finish, u_para); - } - return table_id; -} - const char* table_name_idx2str(int profile_idx) { const char *table_name_map[] = {"TSG_PROFILE_RESPONSE_PAGES", @@ -977,7 +1120,7 @@ int maat_table_ex_init(int profile_idx, maat_ex_free_func_t* free_func, maat_ex_dup_func_t* dup_func) { - int table_id = 0; + int ret = 0; const char *table_name = table_name_idx2str(profile_idx); maat_ex_new_func_t *new_func[] = { @@ -987,18 +1130,17 @@ int maat_table_ex_init(int profile_idx, [POLICY_PROFILE_TABLE_LUA] = ma_lua_profile_table_new_cb, }; - table_id=g_proxy_rt->plolicy_table_id[profile_idx]=maat_get_table_id(g_proxy_rt->feather, table_name); - if(table_id >= 0) + ret=maat_plugin_table_ex_schema_register(g_proxy_rt->feather, table_name, + new_func[profile_idx], + free_func, + dup_func, + 0, NULL); + if(ret < 0) { - table_id=maat_plugin_table_ex_schema_register(g_proxy_rt->feather, table_name, - new_func[profile_idx], - free_func, - dup_func, - 0, NULL); - return 0; + TFE_LOG_INFO(NULL, "Pangu HTTP register table %s failed.", table_name); + return -1; } - TFE_LOG_INFO(NULL, "Pangu HTTP register table %s failed.", table_name); - return -1; + return ret; } int proxy_policy_init(const char* profile_path, const char* static_section, const char* dynamic_section) 
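Review bot: `maat_table_ex_init` now ends with `return ret;` where the old success path returned `0`; since `ret` is whatever non-negative value `maat_plugin_table_ex_schema_register` returns, any caller that tests `maat_table_ex_init(...) != 0` (not visible in this chunk, so unconfirmed) would start treating success as failure. Unless the callers need the registered handle, keep the previous contract with `return 0;` after the error branch. The removal of `maat_table_init` and the `plolicy_table_id[]` assignment is consistent with `get_profile_by_id` no longer using table ids.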
@@ -1006,51 +1148,25 @@ int proxy_policy_init(const char* profile_path, const char* static_section, cons int ret = 0; g_proxy_rt->feather = tfe_get_maat_handle(); - const char * table_name[__SCAN_TABLE_MAX]; - table_name[PXY_CTRL_HTTP_URL] = "ATTR_HTTP_URL"; - table_name[PXY_CTRL_HTTP_FQDN] = "ATTR_SERVER_FQDN"; - table_name[PXY_CTRL_HTTP_REQ_HDR] = "ATTR_HTTP_REQ_HDR"; - table_name[PXY_CTRL_HTTP_REQ_BODY] = "ATTR_HTTP_REQ_BODY"; - table_name[PXY_CTRL_HTTP_RES_HDR] = "ATTR_HTTP_RES_HDR"; - table_name[PXY_CTRL_HTTP_RES_BODY] = "ATTR_HTTP_RES_BODY"; - table_name[PXY_CTRL_APP_ID] = "ATTR_APP_ID"; - - for (int i = 0; i < __SCAN_TABLE_MAX; i++) - { - g_proxy_rt->scan_table_id[i] = maat_get_table_id(g_proxy_rt->feather, table_name[i]); - if (g_proxy_rt->scan_table_id[i] < 0) - { - TFE_LOG_ERROR(NULL, "Pangu HTTP Maat table %s register failed.", table_name[i]); - goto error_out; - } - } - - g_proxy_rt->ctrl_plugin_idx=maat_get_table_id(g_proxy_rt->feather, "PXY_CTRL_COMPILE_PLUGIN"); - maat_plugin_table_ex_schema_register(g_proxy_rt->feather, "PXY_CTRL_COMPILE_PLUGIN", + ret = maat_plugin_table_ex_schema_register(g_proxy_rt->feather, "PXY_CTRL_RULE_PLUGIN", policy_action_param_new, policy_action_param_free_cb, policy_action_param_dup, 0, NULL); - - ret = maat_table_init("PXY_PROFILE_TRUSTED_CA_CERT", - trusted_CA_update_start_cb, - trusted_CA_update_cert_cb, - trusted_CA_update_finish_cb, - g_proxy_rt); if(ret<0) { - TFE_LOG_INFO(NULL, "Pangu HTTP register table PXY_OBJ_TRUSTED_CA_CERT failed."); + TFE_LOG_INFO(NULL, "Pangu HTTP register table PXY_CTRL_RULE_PLUGIN failed."); goto error_out; } - ret = maat_table_init("PXY_OBJ_TRUSTED_CA_CRL", - trusted_CA_update_start_cb, - trusted_CA_update_crl_cb, - trusted_CA_update_finish_cb, - g_proxy_rt); + ret = maat_table_callback_register(g_proxy_rt->feather, "PXY_PROFILE_TRUSTED_CA_CERT", + trusted_CA_update_start_cb, + trusted_CA_update_cert_cb, + trusted_CA_update_finish_cb, + g_proxy_rt); if(ret<0) { - TFE_LOG_INFO(NULL, 
"Pangu HTTP register table PXY_OBJ_TRUSTED_CA_CRL failed."); + TFE_LOG_INFO(NULL, "Pangu HTTP register table PXY_OBJ_TRUSTED_CA_CERT failed."); goto error_out; } @@ -1155,7 +1271,7 @@ struct proxy_http_ctx enum proxy_action action; char * action_para; int hit_cnt; - long long result[MAX_SCAN_RESULT]; + uuid_t result[MAX_SCAN_RESULT]; struct maat_state *scan_mid; struct maat_stream *sp; struct maat_rule_t * enforce_rules; @@ -1292,6 +1408,14 @@ void http_element_ctx_free(struct edit_element_ctx *edit_ctx) void http_tsg_ctx_free(struct tsg_script_ctx *tsg_ctx, int thread_id) { + if(tsg_ctx->config_uuid_str) + { + FREE(&tsg_ctx->config_uuid_str) + } + if(tsg_ctx->profile_uuid_str) + { + FREE(&tsg_ctx->profile_uuid_str) + } if (tsg_ctx->http_body) { evbuffer_free(tsg_ctx->http_body); @@ -1383,15 +1507,10 @@ static inline void addr_tfe2sapp(const struct tfe_stream_addr * tfe_addr, struct return; } -static struct manipulate_profile* get_profile_by_id(int profile_table, int profile_id) +static struct manipulate_profile* get_profile_by_id(const char *table_name, char *cfg_id_str) { struct manipulate_profile* result=NULL; - - char cfg_id_str[16] = {0}; - snprintf(cfg_id_str, sizeof(cfg_id_str), "%d", profile_id); - int table_id = g_proxy_rt->plolicy_table_id[profile_table]; - - result = (struct manipulate_profile*)maat_plugin_table_get_ex_data(g_proxy_rt->feather, table_id, (const char*)cfg_id_str, strlen(cfg_id_str)); + result = (struct manipulate_profile*)maat_plugin_table_get_ex_data(g_proxy_rt->feather, table_name, (const char*)cfg_id_str, strlen(cfg_id_str)); return result; } 
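Review bot: The `PXY_OBJ_TRUSTED_CA_CRL` registration (`trusted_CA_update_crl_cb`) is deleted in this hunk with no replacement call, so after this change the proxy no longer receives CRL updates for its trusted CA set unless that registration moved somewhere outside this chunk; if that is not intentional, re-add it with `maat_table_callback_register` as done for the certificate table. Separately, the new failure message after the certificate registration reads `"Pangu HTTP register table PXY_OBJ_TRUSTED_CA_CERT failed."` while the table registered is `"PXY_PROFILE_TRUSTED_CA_CERT"`, which will mislead whoever reads the log. `proxy_policy_init` continues past the end of this hunk.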
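Review bot: In the `@@ -1292` hunk `http_tsg_ctx_free` now frees `tsg_ctx->config_uuid_str`, but in `http_lua` (`@@ -1764` hunk) that field is assigned by plain pointer copy, `tsg_ctx->config_uuid_str = ctx->enforce_rules[0].config_uuid_string;`, whereas `profile_uuid_str` is `tfe_strdup`'d. Since `enforce_rules[0]` is a struct copy of a rule whose `config_uuid_string` belongs to the plugin-table entry (see `*enforce_rules[0]=*prior_rule;` in `decide_ctrl_action`), this free releases table-owned memory and will corrupt or double-free it when the entry is later freed. Either own the string, `tsg_ctx->config_uuid_str = tfe_strdup(ctx->enforce_rules[0].config_uuid_string);`, or keep it borrowed and drop the `FREE` in `http_tsg_ctx_free`.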
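Review bot: The rewritten `get_profile_by_id` (`@@ -1383` hunk) calls `strlen(cfg_id_str)` on a caller-supplied pointer that is now a `char *` instead of a formatted local buffer; several callers pass `param->profile_uuid_str`, which stays NULL when the rule JSON carried no profile key, and `http_block` and `http_insert` reach this function without a NULL check (only `http_hijack` has one). The old code could not crash here because it formatted a default `profile_id` of 0 and simply failed the lookup. Add a guard at the top, `if(cfg_id_str == NULL) return NULL;`, and make the parameter `const char *` since it is only read.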
@@ -1414,7 +1533,7 @@ void proxy_send_metric_log(const struct tfe_stream * stream, struct proxy_http_c for(i=0; i< ctx->n_enforce; i++) { fieldstat->tags[thread_id][TAG_VSYS_ID].value_longlong = ctx->enforce_rules[i].vsys_id; - fieldstat->tags[thread_id][TAG_RULE_ID].value_longlong = ctx->enforce_rules[i].config_id; + fieldstat->tags[thread_id][TAG_RULE_ID].value_str = ctx->enforce_rules[i].config_uuid_string; fieldstat->tags[thread_id][TAG_ACTION].value_longlong = PX_ACTION_MANIPULATE; if(ctx->enforce_rules[i].action == PX_ACTION_MANIPULATE) { @@ -1508,10 +1627,11 @@ static inline int action_cmp(enum proxy_action a1, enum proxy_action a2) } //enforce_rules[0] contains execute action. -static enum proxy_action decide_ctrl_action(long long *results, size_t n_hit, +static enum proxy_action decide_ctrl_action(uuid_t *result, size_t n_hit, struct maat_rule_t** enforce_rules, size_t * n_enforce, struct policy_action_param **param) { void *ex_data=NULL; + char result_uuid_string[UUID_STRING_SIZE]={0}; size_t n_monit = 0, exist_enforce_num = 0, i = 0; struct policy_action_param *get_ex_param=NULL; @@ -1520,7 +1640,8 @@ static enum proxy_action decide_ctrl_action(long long *results, size_t n_hit, hit_rules=ALLOC(struct maat_rule_t, n_hit); for (i = 0; i < n_hit && ifeather, g_proxy_rt->ctrl_plugin_idx, (const char *)&results[i], sizeof(results[i])); + uuid_unparse(result[i], result_uuid_string); + get_ex_param =(struct policy_action_param *)maat_plugin_table_get_ex_data(g_proxy_rt->feather, "PXY_CTRL_RULE_PLUGIN", result_uuid_string, strlen(result_uuid_string)); if(get_ex_param==NULL) { continue; @@ -1550,7 +1671,7 @@ static enum proxy_action decide_ctrl_action(long long *results, size_t n_hit, } else if (action_cmp(__action, prior_action) == 0) { - if (hit_rules[i].config_id > prior_rule->config_id) + if(uuid_compare(hit_rules[i].config_uuid, prior_rule->config_uuid) > 0) { prior_rule = hit_rules + i; } 
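Review bot: The tie-break in the `@@ -1550` hunk changes meaning: `hit_rules[i].config_id > prior_rule->config_id` ordered equal-priority rules by a monotonically assigned numeric id, while `uuid_compare(...) > 0` orders them by the byte value of random UUIDs, so which rule wins between two rules of the same action is now effectively arbitrary and non-reproducible across configurations. If precedence still matters, carry an explicit priority or creation-order field in the rule JSON and compare that instead. Also confirm that `UUID_STRING_SIZE` (defined outside this chunk) is at least 37, since `uuid_unparse` writes 36 characters plus the terminator into `result_uuid_string`; the lookup itself then passes the string to `strlen`, which is fine once the buffer is NUL-terminated.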
@@ -1569,7 +1690,8 @@ static enum proxy_action decide_ctrl_action(long long *results, size_t n_hit, } *enforce_rules[0]=*prior_rule; *n_enforce=1; - ex_data=maat_plugin_table_get_ex_data(g_proxy_rt->feather, g_proxy_rt->ctrl_plugin_idx, (const char *)&prior_rule->config_id, sizeof(prior_rule->config_id)); + + ex_data=maat_plugin_table_get_ex_data(g_proxy_rt->feather, "PXY_CTRL_RULE_PLUGIN", prior_rule->config_uuid_string, strlen(prior_rule->config_uuid_string)); if(ex_data!=NULL) { *param=(struct policy_action_param*)ex_data; @@ -1603,7 +1725,7 @@ static enum proxy_action decide_ctrl_action(long long *results, size_t n_hit, memcpy(*enforce_rules + exist_enforce_num + 1, monit_rule, n_monit * sizeof(struct maat_rule_t)); } - ex_data=maat_plugin_table_get_ex_data(g_proxy_rt->feather, g_proxy_rt->ctrl_plugin_idx, (const char *)&prior_rule->config_id, sizeof(prior_rule->config_id)); + ex_data=maat_plugin_table_get_ex_data(g_proxy_rt->feather, "PXY_CTRL_RULE_PLUGIN", prior_rule->config_uuid_string, strlen(prior_rule->config_uuid_string)); if(ex_data!=NULL) { *param=(struct policy_action_param*)ex_data; @@ -1655,11 +1777,11 @@ void manipulate_profile_free(struct manipulate_profile* ma_profile) FREE(&ma_profile); } -static int html_generate(int profile_id, const char* msg, char ** page_buff, size_t * page_size) +static int html_generate(char *profile_uuid, const char* msg, char ** page_buff, size_t * page_size) { int ret = 0; - struct manipulate_profile* block_profile=get_profile_by_id(POLICY_PROFLIE_TABLE_REJECT, profile_id); + struct manipulate_profile* block_profile=get_profile_by_id("TSG_PROFILE_RESPONSE_PAGES", profile_uuid); if(block_profile==NULL) { ret=-1; 
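Review bot: The new string parameters introduced by this change, `html_generate(char *profile_uuid, ...)` here and `http_lua_profile(char *profile_uuid_str, ...)`, `http_regex_replace(..., char *profile_id_str, ...)` and `format_insert_rule(char *profile_uuid, ...)` in the following hunks, are only read and should be `const char *`; as written, callers holding a `const` string would need a cast. In `http_regex_replace` the name `profile_id_str` is also now misleading, since both call sites pass `config_uuid_string`, so `config_uuid_str` would better describe the value. These are style points; behaviour is unaffected.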
@@ -1706,11 +1828,11 @@ static int http_enforcement_ratio(float enforcement_ratio) return 0; } -int http_lua_profile(int profile_id, struct elua_script ***elua_ctx, char **profile_msg, size_t *msg_len, int *timeout) +int http_lua_profile(char *profile_uuid_str, struct elua_script ***elua_ctx, char **profile_msg, size_t *msg_len, int *timeout) { int ret = 0; - struct manipulate_profile* lua_profile=get_profile_by_id(POLICY_PROFILE_TABLE_LUA, profile_id); + struct manipulate_profile* lua_profile=get_profile_by_id("PXY_PROFILE_RUN_SCRIPTS", profile_uuid_str); if(lua_profile==NULL) { ret=-1; @@ -1750,7 +1872,7 @@ void http_lua(const struct tfe_stream * stream, const struct tfe_http_session * { struct policy_action_param *param = ctx->param; ctx->tsg_ctx = tsg_ctx = ALLOC(struct tsg_script_ctx, 1); - tsg_ctx->profile_id = param->profile_id; + tsg_ctx->profile_uuid_str = tfe_strdup(param->profile_uuid_str); tsg_ctx->addr = stream->addr; tsg_ctx->elua_ctx = http_lua_ctx_new(lua_script, ctx->thread_id); } @@ -1764,7 +1886,7 @@ void http_lua(const struct tfe_stream * stream, const struct tfe_http_session * tsg_ctx->events = events; tsg_ctx->session = session; tsg_ctx->local_logger = g_proxy_rt->local_logger; - tsg_ctx->config_id = ctx->enforce_rules[0].config_id; + tsg_ctx->config_uuid_str = ctx->enforce_rules[0].config_uuid_string; struct tfe_http_half * in_req_half = session->req; struct tfe_http_half * in_resp_half = session->resp; @@ -1774,7 +1896,7 @@ void http_lua(const struct tfe_stream * stream, const struct tfe_http_session * if ((events & EV_HTTP_REQ_HDR) || (events & EV_HTTP_RESP_HDR)) { tsg_ctx->http_req_uri=1; tsg_ctx->execut_lua_sucess=0; - ret=execute_lua_script_rule(lua_script, tsg_ctx->profile_id, tsg_ctx->elua_ctx, ctx->thread_id, (void *)tsg_ctx); + ret=execute_lua_script_rule(lua_script, tsg_ctx->profile_uuid_str, tsg_ctx->elua_ctx, ctx->thread_id, (void *)tsg_ctx); if(ret==0 && tsg_ctx->execut_lua_sucess==1) { tsg_ctx->actually_executed =1; 
@@ -1798,7 +1920,7 @@ void http_lua(const struct tfe_stream * stream, const struct tfe_http_session * FREE(&tsg_ctx->rewrite_uri); } - ret=execute_lua_script_rule(lua_script, tsg_ctx->profile_id, tsg_ctx->elua_ctx, ctx->thread_id, (void *)tsg_ctx); + ret=execute_lua_script_rule(lua_script, tsg_ctx->profile_uuid_str, tsg_ctx->elua_ctx, ctx->thread_id, (void *)tsg_ctx); if(ret==0 && tsg_ctx->execut_lua_sucess==1) { tsg_ctx->actually_executed =1; @@ -1836,7 +1958,7 @@ void http_lua(const struct tfe_stream * stream, const struct tfe_http_session * char * __http_body = (char *) evbuffer_pullup(tsg_ctx->http_body, -1); size_t __http_body_len = evbuffer_get_length(tsg_ctx->http_body); - ret=execute_lua_script_rule(lua_script, tsg_ctx->profile_id, tsg_ctx->elua_ctx, ctx->thread_id, (void *)tsg_ctx); + ret=execute_lua_script_rule(lua_script, tsg_ctx->profile_uuid_str, tsg_ctx->elua_ctx, ctx->thread_id, (void *)tsg_ctx); char * __http_lua_body = NULL; size_t __http_body_lua_len = 0; if(ret == 0 && tsg_ctx->http_lua_body != NULL) @@ -2072,7 +2194,7 @@ static void http_get_subscriber_id(const struct tfe_stream * stream, char *repla } } -static int http_regex_replace(const struct tfe_stream * stream, char *message, int profile_id, char **rewrite_message) +static int http_regex_replace(const struct tfe_stream * stream, char *message, char *profile_id_str, char **rewrite_message) { int i=0, n_rule=0; char replace_with[TFE_SYMBOL_MAX]={0}; @@ -2089,7 +2211,7 @@ static int http_regex_replace(const struct tfe_stream * stream, char *message, i { rule[n_rule].zone = kZoneRequestUri; rule[n_rule].find = tfe_strdup("{{tsg_policy_id}}"); - snprintf(replace_with, TFE_SYMBOL_MAX, "%d", profile_id); + snprintf(replace_with, TFE_SYMBOL_MAX, "%s", profile_id_str); rule[n_rule].replace_with = tfe_strdup(replace_with); n_rule++; } 
@@ -2144,8 +2266,7 @@ static void http_redirect(const struct tfe_stream * stream, const struct tfe_htt } ctx->manipulate_replaced = 1; if (resp_code <= 0 || rd_url == NULL){ - TFE_LOG_ERROR(g_proxy_rt->local_logger, "Invalid redirect rule %lld paramter", - ctx->enforce_rules[0].config_id); + TFE_LOG_ERROR(g_proxy_rt->local_logger, "Invalid redirect rule %s paramter", ctx->enforce_rules[0].config_uuid_string); goto error_out; } @@ -2166,7 +2287,7 @@ static void http_redirect(const struct tfe_stream * stream, const struct tfe_htt response = tfe_http_session_response_create(to_write, resp_code); - rewrite_uri_sz = http_regex_replace(stream, rd_url, ctx->enforce_rules[0].config_id, &rewrite_uri); + rewrite_uri_sz = http_regex_replace(stream, rd_url, ctx->enforce_rules[0].config_uuid_string, &rewrite_uri); if(rewrite_uri_sz>0 && rewrite_uri!= NULL) { tfe_http_std_field_write(response, TFE_HTTP_LOCATION, rewrite_uri); @@ -2200,11 +2321,10 @@ static void http_block(const struct tfe_stream * stream, const struct tfe_http_s struct policy_action_param *param = ctx->param; int resp_code = param->status_code; - int profile_id = param->profile_id; char *message = param->message; - if (profile_id < 0){ - TFE_LOG_ERROR(g_proxy_rt->local_logger, "Invalid block rule %lld", ctx->enforce_rules[0].config_id); + if (param->profile_uuid_str< 0){ + TFE_LOG_ERROR(g_proxy_rt->local_logger, "Invalid block rule %s", ctx->enforce_rules[0].config_uuid_string); ctx->action = PX_ACTION_NONE; return; } 
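Review bot: `if (param->profile_uuid_str< 0)` in the `@@ -2200` hunk compares a pointer with the integer 0, which is a constraint violation that compilers only warn about and which is never true, so the "Invalid block rule" branch can no longer fire; the intended test is `if (param->profile_uuid_str == NULL)`. Note, however, that a block rule with only a `message` and no `html_profile` is a valid configuration (the old code fell back to `message` when `html_generate` failed for id 0), so returning `PX_ACTION_NONE` on NULL here would disable such rules; the safer form is to skip the profile lookup and go straight to the message fallback, e.g. `ret = param->profile_uuid_str ? html_generate(param->profile_uuid_str, message, &page_buff, &page_size) : -1;` in the `@@ -2215` hunk that follows. `http_block` continues past the end of this hunk.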
@@ -2215,10 +2335,10 @@ static void http_block(const struct tfe_stream * stream, const struct tfe_http_s to_write_sess = tfe_http_session_allow_write(session); response = tfe_http_session_response_create(to_write_sess, resp_code); - ret = html_generate(profile_id, message, &page_buff, &page_size); + ret = html_generate(param->profile_uuid_str, message, &page_buff, &page_size); if (ret != 0) { - rewrite_message_sz = http_regex_replace(stream, message, ctx->enforce_rules[0].config_id, &rewrite_message); + rewrite_message_sz = http_regex_replace(stream, message, ctx->enforce_rules[0].config_uuid_string, &rewrite_message); if(rewrite_message_sz>0 && rewrite_message!= NULL) { message = rewrite_message; @@ -2258,10 +2378,9 @@ static void http_hijack(const struct tfe_http_session * session, enum tfe_http_e struct tfe_http_half * response = NULL; struct tfe_http_session * to_write_sess = NULL; - if (param->profile_id <= 0) + if (param->profile_uuid_str == NULL) { - TFE_LOG_ERROR(g_proxy_rt->local_logger, "Invalid hijack rule %lld", - ctx->enforce_rules[0].config_id); + TFE_LOG_ERROR(g_proxy_rt->local_logger, "Invalid hijack rule %s", ctx->enforce_rules[0].config_uuid_string); ctx->action = PX_ACTION_NONE; return; } @@ -2280,10 +2399,10 @@ static void http_hijack(const struct tfe_http_session * session, enum tfe_http_e if(events & EV_HTTP_RESP_HDR) { - struct manipulate_profile* hijack_profile=get_profile_by_id(POLICY_PROFILE_TABLE_HIJACK, param->profile_id); + struct manipulate_profile* hijack_profile=get_profile_by_id("PXY_PROFILE_HIJACK_FILES", param->profile_uuid_str); if (NULL == hijack_profile) { - TFE_LOG_ERROR(g_proxy_rt->local_logger, "get table obj faild, profile_id = %d", param->profile_id); + TFE_LOG_ERROR(g_proxy_rt->local_logger, "get table obj faild, profile_id = %s", param->profile_uuid_str); ctx->action = PX_ACTION_NONE; return; } 
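Review bot: The policy-table and attribute names (`"PXY_PROFILE_HIJACK_FILES"` here, `"PXY_PROFILE_INSERT_SCRIPTS"` in `format_insert_rule`, and the `"TSG_OBJ_*"`/`"ATTR_*"` strings throughout `http_scan`) are repeated as bare string literals where the old code used named constants such as `POLICY_PROFILE_TABLE_HIJACK`. A misspelt literal is no longer a compile error but a silent lookup miss at runtime, i.e. a rule that quietly never enforces; the `"attribute_name"` literal in the body-end hunk of `http_scan` is exactly that failure mode. Suggest defining each name once, e.g. `#define PXY_PROFILE_TABLE_HIJACK "PXY_PROFILE_HIJACK_FILES"`, and using the macro at every call site so the compiler catches typos.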
@@ -2299,7 +2418,7 @@ static void http_hijack(const struct tfe_http_session * session, enum tfe_http_e if (try_send_by_token(hijack_size) <= 0) { FREE(&hijack_buff); - TFE_LOG_ERROR(g_proxy_rt->local_logger, "No token is available to send data, profile_id = %d", param->profile_id); + TFE_LOG_ERROR(g_proxy_rt->local_logger, "No token is available to send data, profile_id = %s", param->profile_uuid_str); ctx->action = PX_ACTION_NONE; return; } @@ -2346,11 +2465,11 @@ static void http_hijack(const struct tfe_http_session * session, enum tfe_http_e return; } -static int format_insert_rule(int profile_id, struct insert_rule *rule) +static int format_insert_rule(char *profile_uuid, struct insert_rule *rule) { int ret = 0; - struct manipulate_profile* insert_profile=get_profile_by_id(POLICY_PROFILE_TABLE_INSERT, profile_id); + struct manipulate_profile* insert_profile=get_profile_by_id("PXY_PROFILE_INSERT_SCRIPTS", profile_uuid); if(insert_profile==NULL) { ret=-1; @@ -2398,16 +2517,16 @@ static void http_insert(const struct tfe_stream * stream, const struct tfe_http_ { ctx->ins_ctx = ins_ctx = ALLOC(struct insert_ctx, 1); ins_ctx->rule = ALLOC(struct insert_rule, 1); - int ret=format_insert_rule(param->profile_id, ins_ctx->rule); + int ret=format_insert_rule(param->profile_uuid_str, ins_ctx->rule); if (ret<0) { - TFE_LOG_ERROR(g_proxy_rt->local_logger, "Failed to get policy table, profile_id = %d", param->profile_id); + TFE_LOG_ERROR(g_proxy_rt->local_logger, "Failed to get policy table, profile_id = %s", param->profile_uuid_str); ctx->action = PX_ACTION_NONE; return; } if (try_send_by_token(ins_ctx->rule->inject_sz) <= 0) { - TFE_LOG_ERROR(g_proxy_rt->local_logger, "No token is available to send data, profile_id = %d", param->profile_id); + TFE_LOG_ERROR(g_proxy_rt->local_logger, "No token is available to send data, profile_id = %s", param->profile_uuid_str); ctx->action = PX_ACTION_NONE; return; } 
@@ -2636,8 +2755,7 @@ static void http_manipulate(const struct tfe_stream * stream, const struct tfe_h struct policy_action_param *param = ctx->param; if (param == NULL) { - TFE_LOG_ERROR(g_proxy_rt->local_logger, "Failed to get the json format parsed. config_id = %lld", - ctx->enforce_rules[0].config_id); + TFE_LOG_ERROR(g_proxy_rt->local_logger, "Failed to get the json format parsed. config_id = %s",ctx->enforce_rules[0].config_uuid_string); ctx->action = PX_ACTION_NONE; return; } @@ -2698,12 +2816,13 @@ enum proxy_action http_scan(const struct tfe_http_session * session, enum tfe_ht const unsigned char * body_frag, size_t frag_size, struct proxy_http_ctx * ctx, const struct tfe_stream * stream) { void * iterator = NULL; + const char *attribute_name=NULL; const char * field_val = NULL; struct http_field_name field_name; struct tfe_http_half * http_half; - long long *result = ctx->result; + uuid_t *result = ctx->result; char buff[TFE_STRING_MAX], * p = NULL; - int scan_ret = 0, table_id = 0; + int scan_ret = 0; size_t n_hit_result=0; size_t hit_cnt = ctx->hit_cnt, i = 0; 
@@ -2713,20 +2832,20 @@ enum proxy_action http_scan(const struct tfe_http_session * session, enum tfe_ht int str_host_length = get_fqdn_len(str_host); if (str_host != NULL && str_host_length != 0) { - scan_ret = maat_scan_string(g_proxy_rt->feather, g_proxy_rt->scan_table_id[PXY_CTRL_HTTP_FQDN], - str_host, str_host_length, result + hit_cnt, MAX_SCAN_RESULT - hit_cnt, &n_hit_result, ctx->scan_mid); + scan_ret = maat_scan_string(g_proxy_rt->feather, "TSG_OBJ_FQDN", "ATTR_SERVER_FQDN", str_host, str_host_length, + result + hit_cnt, MAX_SCAN_RESULT - hit_cnt, &n_hit_result, ctx->scan_mid); if (scan_ret == MAAT_SCAN_HIT) { hit_cnt += n_hit_result; } - scan_ret = maat_scan_not_logic(g_proxy_rt->feather, g_proxy_rt->scan_table_id[PXY_CTRL_HTTP_FQDN], + scan_ret = maat_scan_not_logic(g_proxy_rt->feather, "TSG_OBJ_FQDN", "ATTR_SERVER_FQDN", result + hit_cnt, MAX_SCAN_RESULT - hit_cnt, &n_hit_result, ctx->scan_mid); if (scan_ret == MAAT_SCAN_HIT) { hit_cnt += n_hit_result; } - scan_ret = tfe_scan_fqdn_tags(stream, result, ctx->scan_mid, hit_cnt, g_proxy_rt->scan_table_id[PXY_CTRL_HTTP_FQDN], g_proxy_rt->local_logger); + scan_ret = tfe_scan_fqdn_tags(stream, result, ctx->scan_mid, hit_cnt, g_proxy_rt->local_logger); if (scan_ret > 0) { hit_cnt += scan_ret; 
@@ -2735,14 +2854,14 @@ enum proxy_action http_scan(const struct tfe_http_session * session, enum tfe_ht const char * str_url = session->req->req_spec.url; int str_url_length = (int) (strlen(session->req->req_spec.url)); - scan_ret = maat_scan_string(g_proxy_rt->feather, g_proxy_rt->scan_table_id[PXY_CTRL_HTTP_URL], - str_url, str_url_length, result + hit_cnt, MAX_SCAN_RESULT - hit_cnt, &n_hit_result, ctx->scan_mid); + scan_ret = maat_scan_string(g_proxy_rt->feather, "TSG_OBJ_URL", "ATTR_HTTP_URL", str_url, str_url_length, + result + hit_cnt, MAX_SCAN_RESULT - hit_cnt, &n_hit_result, ctx->scan_mid); if (scan_ret == MAAT_SCAN_HIT) { hit_cnt += n_hit_result; } - scan_ret = maat_scan_not_logic(g_proxy_rt->feather, g_proxy_rt->scan_table_id[PXY_CTRL_HTTP_URL], + scan_ret = maat_scan_not_logic(g_proxy_rt->feather, "TSG_OBJ_URL", "ATTR_HTTP_URL", result + hit_cnt, MAX_SCAN_RESULT - hit_cnt, &n_hit_result, ctx->scan_mid); if (scan_ret == MAAT_SCAN_HIT) { @@ -2752,8 +2871,8 @@ enum proxy_action http_scan(const struct tfe_http_session * session, enum tfe_ht if ((events & EV_HTTP_REQ_HDR) || (events & EV_HTTP_RESP_HDR)) { - table_id = events & EV_HTTP_REQ_HDR ? g_proxy_rt->scan_table_id[PXY_CTRL_HTTP_REQ_HDR] : g_proxy_rt - ->scan_table_id[PXY_CTRL_HTTP_RES_HDR]; + attribute_name= events & EV_HTTP_REQ_HDR ? "ATTR_HTTP_REQ_HDR" : "ATTR_HTTP_RES_HDR"; + http_half = events & EV_HTTP_REQ_HDR ? session->req : session->resp; while (hit_cnt < MAX_SCAN_RESULT) { 
@@ -2763,18 +2882,15 @@ enum proxy_action http_scan(const struct tfe_http_session * session, enum tfe_ht break; } - const char * str_field_name = http_field_name_to_string(&field_name); - scan_ret = maat_state_set_scan_district(ctx->scan_mid, table_id, str_field_name, strlen(str_field_name)); - assert(scan_ret == 0); - scan_ret = maat_scan_string(g_proxy_rt->feather, table_id, field_val, strlen(field_val), - result + hit_cnt, MAX_SCAN_RESULT - hit_cnt, &n_hit_result, ctx->scan_mid); + scan_ret = maat_scan_string(g_proxy_rt->feather, "TSG_OBJ_KEYWORDS", attribute_name, field_val, strlen(field_val), + result + hit_cnt, MAX_SCAN_RESULT - hit_cnt, &n_hit_result, ctx->scan_mid); if (scan_ret == MAAT_SCAN_HIT) { hit_cnt += n_hit_result; } } - scan_ret = maat_scan_not_logic(g_proxy_rt->feather, table_id, result + hit_cnt, MAX_SCAN_RESULT - hit_cnt, - &n_hit_result, ctx->scan_mid); + scan_ret = maat_scan_not_logic(g_proxy_rt->feather, "TSG_OBJ_KEYWORDS", attribute_name, result + hit_cnt, MAX_SCAN_RESULT - hit_cnt, + &n_hit_result, ctx->scan_mid); if (scan_ret == MAAT_SCAN_HIT) { hit_cnt += n_hit_result; @@ -2784,12 +2900,11 @@ enum proxy_action http_scan(const struct tfe_http_session * session, enum tfe_ht if ((events & EV_HTTP_REQ_BODY_BEGIN) | (events & EV_HTTP_RESP_BODY_BEGIN)) { assert(ctx->sp == NULL); - table_id = events & EV_HTTP_REQ_BODY_BEGIN ? g_proxy_rt->scan_table_id[PXY_CTRL_HTTP_REQ_BODY] : g_proxy_rt - ->scan_table_id[PXY_CTRL_HTTP_RES_BODY]; - ctx->sp = maat_stream_new(g_proxy_rt->feather, table_id, ctx->scan_mid); + attribute_name = events & EV_HTTP_REQ_BODY_BEGIN ? "ATTR_HTTP_REQ_BODY" : "ATTR_HTTP_RES_BODY"; + ctx->sp = maat_stream_new(g_proxy_rt->feather, "TSG_OBJ_KEYWORDS", attribute_name, ctx->scan_mid); } - const unsigned char *scan_body_frag=NULL; size_t scan_len=0; + const unsigned char *scan_body_frag=NULL; size_t scan_len=0; if (body_frag != NULL) { scan_body_frag = body_frag; 
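Review bot: The removed `maat_state_set_scan_district()` call scoped each header scan to the field name; the new `maat_scan_string(g_proxy_rt->feather, "TSG_OBJ_KEYWORDS", attribute_name, field_val, ...)` passes only the request/response-header attribute, so the engine is no longer told which header a value came from. If keyword objects can still be bound to a specific header (the old test data in this commit carried `"district": "User-Agent"` and `"district": "Cookie"` entries), a keyword meant for `Cookie` will now also match in any other header and a rule that must distinguish headers cannot. Please confirm the new attribute model intentionally drops per-header scoping; otherwise restore the district call with the new identifiers before the scan. `http_scan` starts and ends outside this hunk.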
@@ -2798,7 +2913,7 @@ enum proxy_action http_scan(const struct tfe_http_session * session, enum tfe_ht scan_len = (scan_body_frag + MAX_SCAN_DATA_SIZE < body_frag + frag_size) ? MAX_SCAN_DATA_SIZE : (body_frag + frag_size - scan_body_frag); scan_ret = maat_stream_scan(ctx->sp, (const char *)scan_body_frag, scan_len, - result + hit_cnt, MAX_SCAN_RESULT - hit_cnt, &n_hit_result, ctx->scan_mid); + result + hit_cnt, MAX_SCAN_RESULT - hit_cnt, &n_hit_result, ctx->scan_mid); if (scan_ret == MAAT_SCAN_HIT) { hit_cnt += n_hit_result; @@ -2809,9 +2924,8 @@ enum proxy_action http_scan(const struct tfe_http_session * session, enum tfe_ht if ((events & EV_HTTP_REQ_BODY_END) | (events & EV_HTTP_RESP_BODY_END)) { - table_id = events & EV_HTTP_REQ_BODY_END ? g_proxy_rt->scan_table_id[PXY_CTRL_HTTP_REQ_BODY] : g_proxy_rt - ->scan_table_id[PXY_CTRL_HTTP_RES_BODY]; - scan_ret = maat_scan_not_logic(g_proxy_rt->feather, table_id, result + hit_cnt, MAX_SCAN_RESULT - hit_cnt, + attribute_name = events & EV_HTTP_REQ_BODY_END ? "ATTR_HTTP_REQ_BODY" : "ATTR_HTTP_RES_BODY"; + scan_ret = maat_scan_not_logic(g_proxy_rt->feather, "TSG_OBJ_KEYWORDS", "attribute_name", result + hit_cnt, MAX_SCAN_RESULT - hit_cnt, &n_hit_result, ctx->scan_mid); if (scan_ret == MAAT_SCAN_HIT) { @@ -2826,8 +2940,8 @@ enum proxy_action http_scan(const struct tfe_http_session * session, enum tfe_ht ctx->action = decide_ctrl_action(result, hit_cnt, &ctx->enforce_rules, &ctx->n_enforce, &ctx->param); if (ctx->action == PX_ACTION_WHITELIST) { - TFE_LOG_INFO(g_proxy_rt->local_logger, "Bypass rules matched: url=%s policy id=%lld.", - session->req->req_spec.url, ctx->enforce_rules[0].config_id); + TFE_LOG_INFO(g_proxy_rt->local_logger, "Bypass rules matched: url=%s policy id=%s.", + session->req->req_spec.url, ctx->enforce_rules[0].config_uuid_string); goto __out; } if (hit_cnt > 1) 
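Review bot: In the body-end branch, `maat_scan_not_logic(g_proxy_rt->feather, "TSG_OBJ_KEYWORDS", "attribute_name", ...)` passes the string literal `"attribute_name"` instead of the variable assigned on the line just above it, so the negated body rules are evaluated against a non-existent attribute for both request and response bodies. The fix is `scan_ret = maat_scan_not_logic(g_proxy_rt->feather, "TSG_OBJ_KEYWORDS", attribute_name, result + hit_cnt, MAX_SCAN_RESULT - hit_cnt,`. Because a miss is simply not reported, a NOT-rule on body content will silently never enforce until this is corrected. `http_scan` continues outside this hunk.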
@@ -2835,13 +2949,15 @@ enum proxy_action http_scan(const struct tfe_http_session * session, enum tfe_ht p = buff; for (i = 0; i < hit_cnt && ilocal_logger, "Multiple rules matched: url=%s num=%lu ids=%s execute=%lld.", - session->req->req_spec.url, hit_cnt, buff, ctx->enforce_rules[0].config_id); + TFE_LOG_INFO(g_proxy_rt->local_logger, "Multiple rules matched: url=%s num=%lu ids=%s execute=%s.", + session->req->req_spec.url, hit_cnt, buff, ctx->enforce_rules[0].config_uuid_string); } ctx->hit_cnt=0; } @@ -2898,7 +3014,7 @@ void enforce_control_policy(const struct tfe_stream * stream, const struct tfe_h evbuffer_add(ctx->log_resp_body, body_frag, frag_size); } - if((((ctx_actually_replaced(ctx)) || (ctx_actually_inserted(ctx)) || (ctx_actually_edited(ctx)) || (ctx_actually_manipulate(ctx)) + if((((ctx_actually_replaced(ctx)) || (ctx_actually_inserted(ctx)) || (ctx_actually_edited(ctx)) || (ctx_actually_manipulate(ctx)) || ctx_actually_ran_script(ctx)) || ctx->action == PX_ACTION_REJECT || (ctx->action == PX_ACTION_MONIT))) { proxy_send_metric_log(stream, ctx, thread_id, 1); 
@@ -2921,28 +3037,27 @@ void proxy_on_http_begin(const struct tfe_stream *stream, const struct tfe_http_ assert(ctx == NULL); ATOMIC_INC(&(g_proxy_rt->stat_val[STAT_SESSION])); ctx = proxy_http_ctx_new(thread_id); - long long *result = ctx->result; - scan_ret = tfe_scan_subscribe_id(stream, result, ctx->scan_mid, hit_cnt, g_proxy_rt->local_logger); + scan_ret = tfe_scan_subscribe_id(stream, ctx->result, ctx->scan_mid, hit_cnt, g_proxy_rt->local_logger); if(scan_ret>0) { hit_cnt += scan_ret; } - scan_ret = tfe_scan_ip_tags(stream, result, ctx->scan_mid, hit_cnt, g_proxy_rt->local_logger); + scan_ret = tfe_scan_ip_tags(stream, ctx->result, ctx->scan_mid, hit_cnt, g_proxy_rt->local_logger); if(scan_ret>0) { hit_cnt += scan_ret; } long long app_id=67; - scan_ret = tfe_scan_app_id(result, ctx->scan_mid, hit_cnt, app_id, g_proxy_rt->scan_table_id[PXY_CTRL_APP_ID]); + scan_ret = tfe_scan_app_id(ctx->result, ctx->scan_mid, hit_cnt, app_id); if(scan_ret > 0) { hit_cnt += scan_ret; } - - scan_ret = tfe_scan_device(stream, result, ctx->scan_mid, hit_cnt, g_proxy_rt->local_logger); + + scan_ret = tfe_scan_device(stream, ctx->result, ctx->scan_mid, hit_cnt, g_proxy_rt->local_logger); if(scan_ret > 0) { hit_cnt += scan_ret; @@ -2951,12 +3066,12 @@ void proxy_on_http_begin(const struct tfe_stream *stream, const struct tfe_http_ addr_tfe2sapp(stream->addr, &sapp_addr); if (sapp_addr.addrtype == ADDR_TYPE_IPV4) { - scan_ret = tfe_scan_ipv4_addr(stream, result, ctx->scan_mid, hit_cnt, sapp_addr); + scan_ret = tfe_scan_ipv4_addr(stream, ctx->result, ctx->scan_mid, hit_cnt, sapp_addr); if (scan_ret > 0) { hit_cnt += scan_ret; } - scan_ret = tfe_scan_port(stream, result, ctx->scan_mid, hit_cnt, sapp_addr.v4->source, sapp_addr.v4->dest); + scan_ret = tfe_scan_port(stream, ctx->result, ctx->scan_mid, hit_cnt, sapp_addr.v4->source, sapp_addr.v4->dest); if(scan_ret > 0) { hit_cnt += scan_ret; 
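Review bot: `tfe_scan_app_id(ctx->result, ctx->scan_mid, hit_cnt, app_id)` is still fed by the hard-coded `long long app_id=67;` on the context line above, which looks like a placeholder, so every session is classified as application 67 and any app-id policy fires for all traffic. If the detected application id is not yet available at `proxy_on_http_begin`, the call should be gated on it, or the constant should at least be named and marked, e.g. `/* TODO: replace fixed app_id with the detected application id */`. `proxy_on_http_begin` continues outside this hunk.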
@@ -2964,12 +3079,12 @@ void proxy_on_http_begin(const struct tfe_stream *stream, const struct tfe_http_ } if (sapp_addr.addrtype == ADDR_TYPE_IPV6) { - scan_ret = tfe_scan_ipv6_addr(stream, result, ctx->scan_mid, hit_cnt, sapp_addr); + scan_ret = tfe_scan_ipv6_addr(stream, ctx->result, ctx->scan_mid, hit_cnt, sapp_addr); if (scan_ret > 0) { hit_cnt += scan_ret; } - scan_ret = tfe_scan_port(stream, result, ctx->scan_mid, hit_cnt, sapp_addr.v6->source, sapp_addr.v6->dest); + scan_ret = tfe_scan_port(stream, ctx->result, ctx->scan_mid, hit_cnt, sapp_addr.v6->source, sapp_addr.v6->dest); if(scan_ret > 0) { hit_cnt += scan_ret; diff --git a/plugin/business/tsg-http/src/tsg_logger.cpp b/plugin/business/tsg-http/src/tsg_logger.cpp index e79b80c..258c184 100644 --- a/plugin/business/tsg-http/src/tsg_logger.cpp +++ b/plugin/business/tsg-http/src/tsg_logger.cpp @@ -356,21 +356,21 @@ int proxy_send_log(struct proxy_logger* handle, const struct proxy_log* log_msg) } int j=0, enable_monit=0; - int monit_config_id[16]={0}; + char *monit_config_id[16]={0}; for(size_t i=0; iresult_num; i++) { if(log_msg->result[i].action == LG_ACTION_MONIT) { - monit_config_id[j]=log_msg->result[i].config_id; + monit_config_id[j]=log_msg->result[i].config_uuid_string; j++; } } for(size_t i=0; iresult_num; i++) { - TFE_LOG_DEBUG(handle->local_logger, "URL: %s, policy_id: %lld, service: %d, do_log:%d", + TFE_LOG_DEBUG(handle->local_logger, "URL: %s, policy_id: %s, service: %d, do_log:%d", http->req->req_spec.url, - log_msg->result[i].config_id, + log_msg->result[i].config_uuid_string, log_msg->result[i].service_id, log_msg->result[i].do_log); 
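Review bot: `monit_config_id[j]=log_msg->result[i].config_uuid_string; j++;` stores into a 16-slot array with no bound on `j`, and the loop runs to `result_num`; the `16` appears to mirror `MAX_SCAN_RESULT` but nothing here enforces it, so a result list with more than 16 monitor hits writes past the array. Either size the array by the named constant and guard the store, `if (j < 16) { monit_config_id[j++] = log_msg->result[i].config_uuid_string; }`, or stop the loop when the bound is reached. The array now holds pointers that alias the `log_msg` strings, which is fine as long as `cJSON_CreateStringArray` copies them in the next hunk. `proxy_send_log` continues outside this hunk.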
@@ -385,17 +385,17 @@ int proxy_send_log(struct proxy_logger* handle, const struct proxy_log* log_msg) } cJSON *proxy_rule_list=NULL; - int config_id[1]={0}; + char *config_id[1]={0}; per_hit_obj=cJSON_Duplicate(common_obj, 1); if(log_msg->result[i].action == LG_ACTION_MONIT) { - proxy_rule_list = cJSON_CreateIntArray(monit_config_id, j); + proxy_rule_list = cJSON_CreateStringArray((const char **)monit_config_id, j); enable_monit=1; } else { - config_id[0]=log_msg->result[i].config_id; - proxy_rule_list = cJSON_CreateIntArray(config_id, 1); + config_id[0]=log_msg->result[i].config_uuid_string; + proxy_rule_list = cJSON_CreateStringArray((const char **)config_id, 1); } cJSON_AddItemToObject(per_hit_obj, "proxy_rule_list", proxy_rule_list); cJSON_AddNumberToObject(per_hit_obj, "vsys_id", log_msg->result[i].vsys_id); diff --git a/plugin/business/tsg-http/test/test_http_lua.cpp b/plugin/business/tsg-http/test/test_http_lua.cpp index 14daf52..3b375f4 100644 --- a/plugin/business/tsg-http/test/test_http_lua.cpp +++ b/plugin/business/tsg-http/test/test_http_lua.cpp @@ -163,10 +163,11 @@ static int lua_http_default_headers_init(struct def_lua_http_headers *lua_http_h return 0; } -int http_lua_profile_for_test(int profile_id, struct elua_script ***elua_ctx, char **profile_msg, size_t *msg_len, int *timeout) +int http_lua_profile_for_test(char *profile_id_str, struct elua_script ***elua_ctx, char **profile_msg, size_t *msg_len, int *timeout) { size_t input_sz; const char *filename[]= {"./test_data/http_session.lua", "./test_data/header_filter_by_lua.lua"}; + int profile_id=atoi(profile_id_str); char *input= tfe_read_file(filename[profile_id], &input_sz); *profile_msg=tfe_strdup(input); @@ -221,7 +222,8 @@ const struct tfe_http_session *lua_http_session_init() TEST(TSG_LUA_SCRIPT, Lua_TimeOut) { int ret=0; - int profile_id=0,thread_id=0; + int thread_id=0; + const char *profile_id_str = "0"; struct tsg_script_ctx tsg_ctx; struct timespec start_time, end_time; 
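Review bot: `cJSON_CreateStringArray((const char **)monit_config_id, j)` and the one-element variant below it return NULL when any `config_uuid_string` is a null pointer, because cJSON cannot build a string item from NULL; `cJSON_AddItemToObject` then silently drops `proxy_rule_list` from the record, so a rule with a missing uuid vanishes from the audit log instead of being reported. Check the result before adding it, e.g. `if (proxy_rule_list == NULL) { TFE_LOG_ERROR(handle->local_logger, "rule uuid missing in log result"); }` (constructed message), so the gap is visible to whoever reads the logs. `proxy_send_log` continues outside this hunk.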
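Review bot: In `http_lua_profile_for_test`, `int profile_id=atoi(profile_id_str);` is then used to index the two-entry `filename[]` array without a range check; `atoi` yields 0 for any non-numeric input (a real uuid, for instance) and an arbitrary value for larger digit strings, so a bad test id silently selects the wrong script or reads past the array. Prefer `strtol` with `endptr` checking and a bound against `sizeof filename / sizeof filename[0]`, returning an error for anything outside it. The new parameter is only read, so `const char *profile_id_str` would also avoid the `(char *)` casts added at every call site in the tests.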
@@ -235,7 +237,7 @@ TEST(TSG_LUA_SCRIPT, Lua_TimeOut) lua_script->http_lua_profile = http_lua_profile_for_test; clock_gettime(CLOCK_REALTIME, &(start_time)); - ret = execute_lua_script_rule(lua_script, profile_id, NULL, thread_id, (void *)&tsg_ctx); + ret = execute_lua_script_rule(lua_script, (char *)profile_id_str, NULL, thread_id, (void *)&tsg_ctx); EXPECT_TRUE(ret!=0); clock_gettime(CLOCK_REALTIME, &(end_time)); @@ -250,7 +252,8 @@ TEST(TSG_LUA_SCRIPT, Lua_TimeOut) TEST(TSG_LUA_SCRIPT, Req_Uri) { int ret=0; - int profile_id=0,thread_id=0; + int thread_id=0; + const char *profile_id_str = "0"; struct tsg_script_ctx tsg_ctx; memset(&tsg_ctx, 0, sizeof(tsg_ctx)); @@ -262,7 +265,7 @@ TEST(TSG_LUA_SCRIPT, Req_Uri) lua_script->http_lua_profile = http_lua_profile_for_test; tsg_ctx.session->req->req_spec.uri = tfe_strdup("forecast"); - ret = execute_lua_script_rule(lua_script, profile_id, NULL, thread_id, (void *)&tsg_ctx); + ret = execute_lua_script_rule(lua_script, (char *)profile_id_str, NULL, thread_id, (void *)&tsg_ctx); EXPECT_TRUE(ret==0); EXPECT_STREQ(tsg_ctx.rewrite_uri,"team"); @@ -276,7 +279,8 @@ TEST(TSG_LUA_SCRIPT, Req_Uri) TEST(TSG_LUA_SCRIPT, Req_Header) { int ret=0; - int profile_id=0,thread_id=0; + int thread_id=0; + const char *profile_id_str = "0"; struct tsg_script_ctx tsg_ctx; memset(&tsg_ctx, 0, sizeof(tsg_ctx)); @@ -287,7 +291,7 @@ TEST(TSG_LUA_SCRIPT, Req_Header) lua_script->http_lua_profile = http_lua_profile_for_test; tsg_ctx.session->req->req_spec.method = TFE_HTTP_METHOD_GET; - ret = execute_lua_script_rule(lua_script, profile_id, NULL, thread_id, (void *)&tsg_ctx); + ret = execute_lua_script_rule(lua_script, (char *)profile_id_str, NULL, thread_id, (void *)&tsg_ctx); EXPECT_TRUE(ret==0); const char* user_agent_val=tfe_http_std_field_read(tsg_ctx.session->resp, TFE_HTTP_USER_AGENT); 
@@ -307,7 +311,8 @@ TEST(TSG_LUA_SCRIPT, Req_Header) TEST(TSG_LUA_SCRIPT, Resp_Header) { int ret=0; - int profile_id=0,thread_id=0; + int thread_id=0; + const char *profile_id_str = "0"; struct tsg_script_ctx tsg_ctx; memset(&tsg_ctx,0,sizeof(struct tsg_script_ctx)); @@ -318,7 +323,7 @@ TEST(TSG_LUA_SCRIPT, Resp_Header) lua_script->http_lua_profile = http_lua_profile_for_test; tsg_ctx.session->resp->resp_spec.resp_code = 200; - ret = execute_lua_script_rule(lua_script, profile_id, NULL, thread_id, (void *)&tsg_ctx); + ret = execute_lua_script_rule(lua_script, (char *)profile_id_str, NULL, thread_id, (void *)&tsg_ctx); EXPECT_TRUE(ret==0); const char* content_type_val=tfe_http_std_field_read(tsg_ctx.session->resp, TFE_HTTP_CONT_TYPE); @@ -334,7 +339,8 @@ TEST(TSG_LUA_SCRIPT, Resp_Header) TEST(TSG_LUA_SCRIPT, Req_Data) { int ret=0; - int profile_id=0,thread_id=0; + int thread_id=0; + const char *profile_id_str = "0"; struct tsg_script_ctx tsg_ctx; memset(&tsg_ctx,0,sizeof(struct tsg_script_ctx)); @@ -348,7 +354,7 @@ TEST(TSG_LUA_SCRIPT, Req_Data) tsg_ctx.http_body = evbuffer_new(); evbuffer_add(tsg_ctx.http_body, input, strlen(input)); - ret = execute_lua_script_rule(lua_script, profile_id, NULL, thread_id, (void *)&tsg_ctx); + ret = execute_lua_script_rule(lua_script, (char *)profile_id_str, NULL, thread_id, (void *)&tsg_ctx); EXPECT_TRUE(ret==0); ASSERT_TRUE(tsg_ctx.http_lua_body!=NULL); @@ -372,7 +378,8 @@ TEST(TSG_LUA_SCRIPT, Req_Data) TEST(TSG_LUA_SCRIPT, Resq_Data) { int ret=0; - int profile_id=0,thread_id=0; + int thread_id=0; + const char *profile_id_str = "0"; struct tsg_script_ctx tsg_ctx; memset(&tsg_ctx,0,sizeof(struct tsg_script_ctx)); 
@@ -386,7 +393,7 @@ TEST(TSG_LUA_SCRIPT, Resq_Data) tsg_ctx.http_body = evbuffer_new(); evbuffer_add(tsg_ctx.http_body, input, strlen(input)); - ret = execute_lua_script_rule(lua_script, profile_id, NULL, thread_id, (void *)&tsg_ctx); + ret = execute_lua_script_rule(lua_script, (char *)profile_id_str, NULL, thread_id, (void *)&tsg_ctx); EXPECT_TRUE(ret==0); ASSERT_TRUE(tsg_ctx.http_lua_body!=NULL); @@ -410,7 +417,8 @@ TEST(TSG_LUA_SCRIPT, Resq_Data) TEST(TSG_LUA_SCRIPT, Lua_Http_Session) { int ret=0; - int profile_id=0,thread_id=0; + int thread_id=0; + const char *profile_id_str = "0"; struct tsg_script_ctx tsg_ctx; memset(&tsg_ctx,0,sizeof(struct tsg_script_ctx)); @@ -421,7 +429,7 @@ TEST(TSG_LUA_SCRIPT, Lua_Http_Session) lua_script->http_lua_profile = http_lua_profile_for_test; tsg_ctx.elua_ctx=http_lua_ctx_new(lua_script, thread_id); - ret = execute_lua_script_rule(lua_script, profile_id, tsg_ctx.elua_ctx, thread_id, (void *)&tsg_ctx); + ret = execute_lua_script_rule(lua_script, (char *)profile_id_str, tsg_ctx.elua_ctx, thread_id, (void *)&tsg_ctx); EXPECT_TRUE(ret==0); const char* content_type_val=tfe_http_std_field_read(tsg_ctx.session->resp, TFE_HTTP_CONT_TYPE); @@ -433,7 +441,7 @@ TEST(TSG_LUA_SCRIPT, Lua_Http_Session) const char *user_input="This is response data"; evbuffer_add(tsg_ctx.http_body, user_input, strlen(user_input)); - ret = execute_lua_script_rule(lua_script, profile_id, tsg_ctx.elua_ctx, thread_id, (void *)&tsg_ctx); + ret = execute_lua_script_rule(lua_script, (char *)profile_id_str, tsg_ctx.elua_ctx, thread_id, (void *)&tsg_ctx); EXPECT_TRUE(ret==0); EXPECT_TRUE(tsg_ctx.http_lua_body!=NULL); @@ -458,7 +466,8 @@ TEST(TSG_LUA_SCRIPT, Lua_Http_Session) TEST(TSG_LUA_SCRIPT, Lua_Http_Header_Filter) { int ret=0; - int profile_id=1,thread_id=0; + int thread_id=0; + const char *profile_id_str = "1"; struct tsg_script_ctx tsg_ctx; memset(&tsg_ctx,0,sizeof(struct tsg_script_ctx)); 
@@ -471,7 +480,7 @@ TEST(TSG_LUA_SCRIPT, Lua_Http_Header_Filter) lua_http_headers_clear(); tsg_ctx.replacing=tsg_ctx.session->resp; - ret = execute_lua_script_rule(lua_script, profile_id, tsg_ctx.elua_ctx, thread_id, (void *)&tsg_ctx); + ret = execute_lua_script_rule(lua_script, (char *)profile_id_str, tsg_ctx.elua_ctx, thread_id, (void *)&tsg_ctx); EXPECT_TRUE(ret==0); const char *server_type_val=tfe_http_std_field_read(tsg_ctx.replacing, TFE_HTTP_SERVER); @@ -489,7 +498,7 @@ TEST(TSG_LUA_SCRIPT, Lua_Http_Header_Filter) const char *user_input="This is response data"; evbuffer_add(tsg_ctx.http_body, user_input, strlen(user_input)); - ret = execute_lua_script_rule(lua_script, profile_id, tsg_ctx.elua_ctx, thread_id, (void *)&tsg_ctx); + ret = execute_lua_script_rule(lua_script, (char *)profile_id_str, tsg_ctx.elua_ctx, thread_id, (void *)&tsg_ctx); EXPECT_TRUE(ret==0); EXPECT_TRUE(tsg_ctx.http_lua_body!=NULL); char *__http_body=(char *) evbuffer_pullup(tsg_ctx.http_lua_body, -1); diff --git a/resource/pangu/doh.json b/resource/pangu/doh.json index 4b31050..31595ff 100644 --- a/resource/pangu/doh.json +++ b/resource/pangu/doh.json @@ -1,5 +1,5 @@ { - "compile_table": "PXY_CTRL_COMPILE", + "compile_table": "PXY_CTRL_RULE", "group_table": "GROUP_COMPILE_RELATION", "rules": [ { diff --git a/resource/pangu/pangu_http.json b/resource/pangu/pangu_http.json index 1bb389e..84a4522 100644 --- a/resource/pangu/pangu_http.json +++ b/resource/pangu/pangu_http.json 
@@ -1,290 +1,102 @@ { - "compile_table": "PXY_CTRL_COMPILE", - "group2compile_table": "GROUP_PXY_CTRL_COMPILE_RELATION", - "group2group_table": "GROUP_GROUP_RELATION", + "rule_table": "PXY_CTRL_RULE", + "object2object_table": "OBJECT_GROUP", "rules": [ - { - "compile_id": 1021, + { + "uuid": "40c9c6a7-70a9-48ae-9fba-ec7966edd3c6", "service": 1, - "action": 48, + "action": 1, "do_blacklist": 1, - "do_log": 1, - "effective_range": 0, - "tags":"{\"tag_sets\":[[{\"tag\":\"device_id\",\"value\":[\"device_3\",\"device_4\"]}]]}", - "user_region": "{\"protocol\":\"http\",\"method\":\"redirect\",\"code\":302,\"to\":\"https://www.jd.com\"}", - "is_valid": "yes", - "groups": [ - { - "virtual_table":"ATTR_HTTP_URL", - "group_name":"http_url", - "group_id":101, - "not_flag":0, - "regions": [ - { - "table_name": "TSG_OBJ_URL", - "table_type": "expr", - "table_content": { - "keywords": "baidu.com", - "expr_type": "regex", - "match_method": "sub", - "format": "uncase plain" - } - } - ] - }, - { - "virtual_table":"ATTR_APP_ID", - "group_name":"app_id", - "group_id":201, - "not_flag":0 - } - ] - }, - { - "compile_id": 1022, - "service": 1, - "action": 48, - "do_blacklist": 1, - "do_log": 1, - "effective_range": 0, - "tags":"{\"tag_sets\":[[{\"tag\":\"device_id\",\"value\":[\"device_3\",\"device_4\"]}]]}", + "do_log": 1, "user_region": "{\"protocol\":\"http\",\"method\":\"redirect\",\"code\":302,\"to\":\"https://www.jd.com\"}", "is_valid": "yes", - "groups": [ + "conditions": [ { - "group_name":"http_url", - "virtual_table":"ATTR_HTTP_URL" - } - ] - }, - { - "compile_id": 1023, - "service": 1, - "action": 48, - "do_blacklist": 1, - "do_log": 1, - "effective_range": 0, - "user_region": "{\"protocol\":\"http\",\"method\":\"replace\",\"rules\":[{\"search_in\":\"http_resp_body\",\"find\":\"邮箱\",\"replace_with\":\"test\"}]}", - "is_valid": "yes", - "groups": [ - { - "virtual_table":"ATTR_SERVER_FQDN", - "group_name":"http_fqdn", - "group_id":102, - "not_flag":0, - "regions": [ + 
"attribute_name": "ATTR_HTTP_URL", + "objects": [ { - "table_name": "TSG_OBJ_FQDN", - "table_type": "expr", - "table_content": { - "keywords": "www.126.com", - "expr_type": "regex", - "match_method": "sub", - "format": "uncase plain" - } + "items": [ + { + "table_name": "TSG_OBJ_URL", + "table_type": "expr", + "table_content": { + "keywords": "test123456", + "expr_type": "and" + } + } + ] } ] } ] - }, - { - "compile_id": 1024, - "service": 1, - "action": 48, - "do_blacklist": 1, - "do_log": 1, - "effective_range": 0, - "user_region":"{\"protocol\":\"http\",\"method\":\"replace\",\"rules\":[{\"search_in\":\"http_resp_body\",\"find\":\"账号登录\",\"replace_with\":\"Login\"}]}", - "is_valid": "yes", - "groups": [ - { - "group_name":"http_fqdn", - "virtual_table":"ATTR_HTTP_HOST", - "not_flag":0 - } - ] - }, - { - "compile_id": 1025, - "service": 1, - "action": 48, - "do_blacklist": 1, - "do_log": 1, - "effective_range": 0, - "user_region": "{\"protocol\":\"http\",\"method\":\"replace\",\"rules\":[{\"search_in\":\"http_resp_body\",\"find\":\"会员\",\"replace_with\":\"用户\"}]}", - "is_valid": "yes", - "groups": [ - { - "group_name":"http_fqdn", - "virtual_table":"ATTR_DOH_QNAME", - "not_flag":0 - } - ] - }, - { - "compile_id": 1026, - "service": 1, - "action": 48, - "do_blacklist": 1, - "do_log": 1, - "effective_range": 0, - "user_region": "{\"protocol\":\"http\",\"method\":\"block\",\"code\":403,\"message\":\"error\"}", - "is_valid": "yes", - "groups": [ - { - "virtual_table":"ATTR_HTTP_REQ_HDR", - "group_name":"http_signature_ua", - "group_id":103, - "not_flag":0, - "regions": [ - { - "table_name": "TSG_OBJ_HTTP_SIGNATURE", - "table_type": "expr_plus", - "table_content": { - "district": "User-Agent", - "keywords": "Chrome", - "expr_type": "none", - "match_method": "sub", - "format": "uncase plain" - } - } - ] - }, - { - - "virtual_table":"ATTR_HTTP_REQ_HDR", - "group_name":"http_signature_cookie", - "group_id":104, - "not_flag":0, - "regions": [ - { - "table_name": 
"TSG_OBJ_HTTP_SIGNATURE", - "table_type": "expr_plus", - "table_content": { - "district": "Cookie", - "keywords": "uid=12345678", - "expr_type": "none", - "match_method": "sub", - "format": "uncase plain" - } - } - ] - } - ] - }, - { - "compile_id": 1027, - "service": 1, - "action": 48, - "do_blacklist": 1, - "do_log": 1, - "effective_range": 0, - "user_region": "test", - "is_valid": "yes", - "groups": [ - { - "virtual_table":"ATTR_HTTP_URL", - "group_name":"http_url_bing", - "group_id": 105, - "not_flag":0, - "regions": [ - { - "table_name": "TSG_OBJ_URL", - "table_type": "expr", - "table_content": { - "keywords": "bing.com", - "expr_type": "regex", - "match_method": "sub", - "format": "uncase plain" - } - } - ] - } - ] - }, - { - "compile_id": 1028, - "service": 1, - "action": 48, - "do_blacklist": 1, - "do_log": 1, - "effective_range": 0, - "user_region": "{\"protocol\":\"http\",\"method\":\"block\",\"code\":403,\"message\":\"error\"}", - "is_valid": "yes", - "groups": [ - { - "group_name":"http_url_bing", - "virtual_table":"ATTR_HTTP_URL" - } - ] } - ], + ], "plugin_table": [ { "table_name": "TSG_PROFILE_TRAFFIC_MIRROR", "table_content": [ - "{\"uuid\":\"TRAFFIC0-MIRR-0000-0000-000000000001\",\"vlan_ids\":[1,2,3,4,5,6,7,8,9],\"is_valid\":1}" + {"uuid":"TRAFFIC0-MIRR-0000-0000-000000000001","vlan_ids":[1,2,3,4,5,6,7,8,9],"is_valid":1} ] }, { "table_name": "TSG_PROFILE_RESPONSE_PAGES", "table_content": [ - "101\t404\thtml\t./resource/pangu/policy_file/404.html\t1" + {"uuid":"RESPONSE-PAGES-0000-0000-000000000001","profile_name":"404","format":"html","path":"./resource/pangu/policy_file/404.html","is_valid":1,"modified_time":"1716531859000000"} ] }, { "table_name": "PXY_PROFILE_HIJACK_FILES", "table_content": [ - "201\tchakanqi\tchakanqi-947KB.exe\tapplication/x-msdos-program\t./resource/pangu/policy_file/chakanqi-947KB.exe\t1" + 
{"uuid":"HIJACK-FILES-0000-0000-000000000001","profile_name":"chakanqi","content_name":"chakanqi-947KB.exe","content_type":"application/x-msdos-program","path":"./resource/pangu/policy_file/chakanqi-947KB.exe","is_valid":1,"modified_time":"1716531859000000"} ] }, - { + { "table_name": "PXY_PROFILE_INSERT_SCRIPTS", "table_content": [ - "301\ttime\tjs\t./resource/pangu/policy_file/time.js\tbefore_page_load\t1" + {"uuid":"INSERT-SCRIPTS-0000-0000-000000000001","profile_name":"time","format":"js","insert_on":"before_page_load","path":"./resource/pangu/policy_file/time.js","is_valid":1,"modified_time":"1716531859000000"} ] }, { "table_name": "PXY_PROFILE_DECRYPTION", "table_content": [ - "{\"uuid\":\"DECRYPT0-0000-0000-0000-000000000001\",\"decryption\":{\"dynamic_bypass\":{\"ev_cert\":0,\"cert_transparency\":0,\"mutual_authentication\":1,\"cert_pinning\":1,\"protocol_errors\":1,\"trusted_root_cert_is_not_installed_on_client\":1},\"protocol_version\":{\"min\":\"ssl3\",\"max\":\"ssl3\",\"mirror_client\":1,\"allow_http2\":1},\"certificate_checks\":{\"approach\":{\"cn\":1,\"issuer\":1,\"self-signed\":1,\"expiration\":0},\"fail_action\":\"pass-through\"}},\"is_valid\":1}", - "{\"uuid\":\"DECRYPT0-0000-0000-0000-000000000003\",\"decryption\":{\"dynamic_bypass\":{\"ev_cert\":1,\"cert_transparency\":1,\"mutual_authentication\":1,\"cert_pinning\":1,\"protocol_errors\":1,\"trusted_root_cert_is_not_installed_on_client\":0},\"protocol_version\":{\"min\":\"ssl3\",\"max\":\"tls13\",\"mirror_client\":1,\"allow_http2\":1},\"certificate_checks\":{\"approach\":{\"cn\":1,\"issuer\":1,\"self-signed\":1,\"expiration\":1},\"fail_action\":\"fail-close\"}},\"is_valid\":1}", - 
"{\"uuid\":\"DECRYPT0-0000-0000-0000-000000000004\",\"decryption\":{\"dynamic_bypass\":{\"ev_cert\":0,\"cert_transparency\":0,\"mutual_authentication\":0,\"cert_pinning\":0,\"protocol_errors\":0,\"trusted_root_cert_is_not_installed_on_client\":0},\"protocol_version\":{\"min\":\"ssl3\",\"max\":\"ssl3\",\"mirror_client\":0,\"allow_http2\":0},\"certificate_checks\":{\"approach\":{\"cn\":0,\"issuer\":0,\"self-signed\":0,\"expiration\":0},\"fail_action\":\"pass-through\"}},\"is_valid\":1}" + {"uuid":"DECRYPT0-0000-0000-0000-000000000001","decryption":{"dynamic_bypass":{"ev_cert":0,"cert_transparency":0,"mutual_authentication":1,"cert_pinning":1,"protocol_errors":1,"trusted_root_cert_is_not_installed_on_client":1},"protocol_version":{"min":"ssl3","max":"ssl3","mirror_client":1,"allow_http2":1},"certificate_checks":{"approach":{"cn":1,"issuer":1,"self-signed":1,"expiration":0},"fail_action":"pass-through"}},"is_valid":1}, + {"uuid":"DECRYPT0-0000-0000-0000-000000000003","decryption":{"dynamic_bypass":{"ev_cert":1,"cert_transparency":1,"mutual_authentication":1,"cert_pinning":1,"protocol_errors":1,"trusted_root_cert_is_not_installed_on_client":0},"protocol_version":{"min":"ssl3","max":"tls13","mirror_client":1,"allow_http2":1},"certificate_checks":{"approach":{"cn":1,"issuer":1,"self-signed":1,"expiration":1},"fail_action":"fail-close"}},"is_valid":1}, + {"uuid":"DECRYPT0-0000-0000-0000-000000000004","decryption":{"dynamic_bypass":{"ev_cert":0,"cert_transparency":0,"mutual_authentication":0,"cert_pinning":0,"protocol_errors":0,"trusted_root_cert_is_not_installed_on_client":0},"protocol_version":{"min":"ssl3","max":"ssl3","mirror_client":0,"allow_http2":0},"certificate_checks":{"approach":{"cn":0,"issuer":0,"self-signed":0,"expiration":0},"fail_action":"pass-through"}},"is_valid":1} ] }, { "table_name": "PXY_INTERCEPT_RULE", "table_content": [ - 
"{\"uuid\":\"INTERCEP-0000-0000-0000-000000000001\",\"action_parameter\":{\"vsys_id\":1,\"keyring_for_trusted\":\"KERING00-TRUS-0000-0000-000000000001\",\"keyring_for_untrusted\":\"KERING00-UNTR-0000-0000-000000000001\",\"decryption_profile\":\"DECRYPT0-0000-0000-0000-000000000001\",\"tcp_option_profile\":\"TCPOPT00-0000-0000-0000-000000000001\",\"traffic_mirror\":{\"enable\":0}},\"is_valid\":1}", - "{\"uuid\":\"INTERCEP-0000-0000-0000-000000000002\",\"action_parameter\":{\"vsys_id\":1,\"keyring_for_trusted\":\"KERING00-TRUS-0000-0000-000000000001\",\"keyring_for_untrusted\":\"KERING00-UNTR-0000-0000-000000000001\",\"decryption_profile\":\"DECRYPT0-0000-0000-0000-000000000001\",\"tcp_option_profile\":\"TCPOPT00-0000-0000-0000-000000000001\",\"traffic_mirror\":{\"enable\":1,\"mirror_profile\":\"TRAFFIC0-MIRR-0000-0000-000000000001\"}},\"is_valid\":1}" + {"uuid":"INTERCEP-0000-0000-0000-000000000001","action_parameter":{"vsys_id":1,"keyring_for_trusted":"KERING00-TRUS-0000-0000-000000000001","keyring_for_untrusted":"KERING00-UNTR-0000-0000-000000000001","decryption_profile":"DECRYPT0-0000-0000-0000-000000000001","tcp_option_profile":"TCPOPT00-0000-0000-0000-000000000001","traffic_mirror":{"enable":0}},"is_valid":1}, + {"uuid":"INTERCEP-0000-0000-0000-000000000002","action_parameter":{"vsys_id":1,"keyring_for_trusted":"KERING00-TRUS-0000-0000-000000000001","keyring_for_untrusted":"KERING00-UNTR-0000-0000-000000000001","decryption_profile":"DECRYPT0-0000-0000-0000-000000000001","tcp_option_profile":"TCPOPT00-0000-0000-0000-000000000001","traffic_mirror":{"enable":1,"mirror_profile":"TRAFFIC0-MIRR-0000-0000-000000000001"}},"is_valid":1} ] }, { "table_name": "SERVICE_CHAINING_RULE", "table_content": [ - "{\"uuid\":\"SC000000-0000-0000-1111-000000000001\",\"effective_range\":{},\"action_parameter\":{\"vsys_id\":1,\"targeted_traffic\":\"raw\",\"sff_profiles\":[\"00000000-0000-0000-2222-000000000001\"]},\"is_valid\":1}", - 
"{\"uuid\":\"SC000000-0000-0000-1111-000000000011\",\"effective_range\":{},\"action_parameter\":{\"vsys_id\":1,\"targeted_traffic\":\"decrypted\",\"sff_profiles\":[\"00000000-0000-0000-2222-000000000001\",]},\"is_valid\":1}" + {"uuid":"SC000000-0000-0000-1111-000000000001","effective_range":{},"action_parameter":{"vsys_id":1,"targeted_traffic":"raw","sff_profiles":["00000000-0000-0000-2222-000000000001"]},"is_valid":1}, + {"uuid":"SC000000-0000-0000-1111-000000000011","effective_range":{},"action_parameter":{"vsys_id":1,"targeted_traffic":"decrypted","sff_profiles":["00000000-0000-0000-2222-000000000001",]},"is_valid":1} ] }, { "table_name": "PXY_PROFILE_TCP_OPTION", "table_content": [ - "{\"uuid\":\"TCPOPT00-0000-0000-0000-000000000001\",\"tcp_passthrough\":0,\"bypass_duplicated_packet\":0,\"client_side_conn_param\":{\"tcp_maxseg\":{\"enable\":0,\"maxseg\":1500},\"nodelay\":1,\"keep_alive\":{\"enable\":1,\"tcp_keepcnt\":8,\"tcp_keepidle\":30,\"tcp_keepintvl\":15},\"ttl\":70,\"user_timeout\":{\"enable\":1,\"timeout_ms\":600}},\"server_side_conn_param\":{\"tcp_maxseg\":{\"enable\":0,\"maxseg\":1500},\"nodelay\":1,\"keep_alive\":{\"enable\":1,\"tcp_keepcnt\":8,\"tcp_keepidle\":30,\"tcp_keepintvl\":15},\"ttl\":70,\"user_timeout\":{\"enable\":1,\"timeout_ms\":600}},\"is_valid\":1}" + {"uuid":"TCPOPT00-0000-0000-0000-000000000001","tcp_passthrough":0,"bypass_duplicated_packet":0,"client_side_conn_param":{"tcp_maxseg":{"enable":0,"maxseg":1500},"nodelay":1,"keep_alive":{"enable":1,"tcp_keepcnt":8,"tcp_keepidle":30,"tcp_keepintvl":15},"ttl":70,"user_timeout":{"enable":1,"timeout_ms":600}},"server_side_conn_param":{"tcp_maxseg":{"enable":0,"maxseg":1500},"nodelay":1,"keep_alive":{"enable":1,"tcp_keepcnt":8,"tcp_keepidle":30,"tcp_keepintvl":15},"ttl":70,"user_timeout":{"enable":1,"timeout_ms":600}},"is_valid":1} ] }, { "table_name": "PXY_SSL_FINGERPRINT", "table_content": [ - 
"{\"uuid\":\"JA300000-0000-0000-0000-000000000001\",\"ja3_hash\":\"599f223c2c9ee5702f5762913889dc21\",\"pinning_state\":1,\"is_valid\":1}", - "{\"uuid\":\"JA300000-0000-0000-0000-000000000002\",\"ja3_hash\":\"eb149984fc9c44d85ed7f12c90d818be\",\"pinning_state\":1,\"is_valid\":1}", - "{\"uuid\":\"JA300000-0000-0000-0000-000000000003\",\"ja3_hash\":\"e6573e91e6eb777c0933c5b8f97f10cd\",\"pinning_state\":1,\"is_valid\":1}" + {"uuid":"JA300000-0000-0000-0000-000000000001","ja3_hash":"599f223c2c9ee5702f5762913889dc21","pinning_state":1,"is_valid":1}, + {"uuid":"JA300000-0000-0000-0000-000000000002","ja3_hash":"eb149984fc9c44d85ed7f12c90d818be","pinning_state":1,"is_valid":1}, + {"uuid":"JA300000-0000-0000-0000-000000000003","ja3_hash":"e6573e91e6eb777c0933c5b8f97f10cd","pinning_state":1,"is_valid":1} ] }, { "table_name": "APP_ID_DICT", "table_content": [ - "67\thttp\t0\tnull\tnetworking\tinfrastructure\tnetwork-protocol\t3\tused-by-malware,vulnerability,widely-used\tnull\tnull\t{\"method\":\"drop\",\"after_n_packets\":0,\"send_icmp_unreachable\":1,\"send_tcp_reset\":1}\t0\t60\t120\t30\t30\t201\t1", - "68\thttps\t0\tnull\tnetworking\tinfrastructure\tnetwork-protocol\t3\tused-by-malware,vulnerability,widely-used\tnull\tnull\t{\"method\":\"rate_limit\",\"bps\":1000}\t0\t0\t0\t0\t0\t68000\t1" + {"app_id":67,"object_id":201,"app_name":"http","parent_app_id":0,"parent_app_name":null,"category":"general-internet","subcategory":"internet-utility","content":"unknown","risk":"1","characteristics":null,"deny_action":null,"depends_on_app_ids":"null","implicitly_uses_app_ids":"null","continue_scanning":0,"tcp_timeout":120,"udp_timeout":120,"tcp_half_close":0,"tcp_time_wait":0,"is_valid":1,"modified_time":"1716531859000000"}, + 
{"app_id":68,"object_id":68000,"app_name":"https","parent_app_id":0,"parent_app_name":null,"category":"general-internet","subcategory":"internet-utility","content":"unknown","risk":"1","characteristics":null,"deny_action":null,"depends_on_app_ids":"null","implicitly_uses_app_ids":"null","continue_scanning":0,"tcp_timeout":120,"udp_timeout":120,"tcp_half_close":0,"tcp_time_wait":0,"is_valid":1,"modified_time":"1716531859000000"} ] } ] diff --git a/resource/pangu/table_info.conf b/resource/pangu/table_info.conf index 0dd3077..4680eaf 100644 --- a/resource/pangu/table_info.conf +++ b/resource/pangu/table_info.conf 
@@ -1,339 +1,135 @@ [ - { + { "table_id":0, - "table_name":"PXY_CTRL_COMPILE", - "table_type":"compile", - "user_region_encoded":"escape", - "valid_column":9, - "custom": { - "compile_id":1, - "tags":6, - "clause_num":8 - } + "table_name":"PXY_CTRL_RULE", + "table_type":"rule" }, - { + { "table_id":1, - "table_name":"PXY_CTRL_COMPILE_CONJUNCTION", - "db_tables":["PXY_CTRL_COMPILE"], - "default_compile_table":1, - "table_type":"compile", - "user_region_encoded":"escape", - "valid_column":9, - "custom": { - "compile_id":1, - "tags":6, - "clause_num":8 - } + "table_name":"PXY_CTRL_RULE_CONJUNCTION", + "db_tables":["PXY_CTRL_RULE"], + "default_rule_table":1, + "table_type":"rule" }, - { + { "table_id":2, - "table_name":"PXY_CTRL_COMPILE_PLUGIN", - "db_tables":["PXY_CTRL_COMPILE"], + "table_name":"PXY_CTRL_RULE_PLUGIN", + "db_tables":["PXY_CTRL_RULE"], "table_type":"plugin", - "valid_column":9, "custom": { - "key":1, - "key_type":"integer", - "key_len": 8 + "key_name":"uuid", + "key_type":"pointer" } }, - { +{ "table_id":3, - "table_name":"GROUP_PXY_CTRL_COMPILE_RELATION", - "table_type":"group2compile", - "associated_compile_table_id":1, - "valid_column":6, - "custom": { - "group_id":1, - "compile_id":2, - "not_flag":3, - "virtual_table_name":4, - "clause_index":5 - } + "table_name":"OBJECT_GROUP", + "table_type":"object2object" }, { "table_id":4, - "table_name":"OBJECT_GROUP", - "table_type":"group2group", - "valid_column":4, - "custom": { - "group_id":1, - "included_sub_group_ids":2, - "excluded_sub_group_ids":3 - } - }, - { - "table_id":5, "table_name":"TSG_OBJ_IP", - "db_tables":["TSG_OBJ_IP_ADDR","TSG_OBJ_IP_LEARNING_ADDR"], - "table_type":"ip", - "valid_column":8, - "custom": { - "item_id":1, - "group_id":2, - "addr_type":3, - "addr_format":4, - "ip1":5, - "ip2":6, - "port":7 - } - }, + "table_type":"ip" + }, + { + "table_id":5, + "table_name":"TSG_OBJ_URL", + "table_type":"expr" + }, { "table_id":6, - "table_name":"TSG_OBJ_URL", - "table_type":"expr", - 
"valid_column":7, - "custom": { - "item_id":1, - "group_id":2, - "keywords":3, - "expr_type":4, - "match_method":5, - "is_hexbin":6 - } - }, + "table_name":"TSG_OBJ_FQDN", + "table_type":"expr" + }, { "table_id":7, - "table_name":"ATTR_HTTP_URL", - "table_type":"virtual", - "physical_table": "TSG_OBJ_URL" - }, + "table_name":"TSG_OBJ_KEYWORDS", + "table_type":"expr" + }, { "table_id":8, - "table_name":"TSG_OBJ_FQDN", - "table_type":"expr", - "valid_column":7, - "custom": { - "item_id":1, - "group_id":2, - "keywords":3, - "expr_type":4, - "match_method":5, - "is_hexbin":6 - } + "table_name":"TSG_OBJ_SUBSCRIBER_ID", + "table_type":"expr" }, { "table_id":9, - "table_name": "ATTR_SERVER_FQDN", - "table_type": "virtual", - "physical_table": "TSG_OBJ_FQDN" - }, - { + "table_name":"PXY_CACHE_COMPILE", + "table_type":"rule" + }, + { "table_id":10, - "table_name":"TSG_OBJ_HTTP_SIGNATURE", - "table_type":"expr_plus", - "valid_column":8, - "custom": { - "item_id":1, - "group_id":2, - "district":3, - "keywords":4, - "expr_type":5, - "match_method":6, - "is_hexbin":7 - } - }, - { + "table_name":"PXY_CACHE_COMPILE_CONJUNCTION", + "db_tables":["PXY_CACHE_COMPILE"], + "default_rule_table":1, + "table_type":"rule" + }, + { "table_id":11, - "table_name":"ATTR_HTTP_REQ_HDR", - "table_type":"virtual", - "physical_table": "TSG_OBJ_HTTP_SIGNATURE" - }, - { - "table_id":12, - "table_name":"ATTR_HTTP_RES_HDR", - "table_type":"virtual", - "physical_table": "TSG_OBJ_HTTP_SIGNATURE" - }, - { - "table_id":13, - "table_name":"TSG_OBJ_KEYWORDS", - "table_type":"expr", - "valid_column":7, + "table_name":"PXY_CACHE_COMPILE_PLUGIN", + "db_tables":["PXY_CACHE_COMPILE"], + "table_type":"plugin", "custom": { - "item_id":1, - "group_id":2, - "keywords":3, - "expr_type":4, - "match_method":5, - "is_hexbin":6 + "key_name":"uuid", + "key_type":"pointer" } - }, - { - "table_id":14, - "table_name":"ATTR_HTTP_REQ_BODY", - "table_type":"virtual", - "physical_table": "TSG_OBJ_KEYWORDS" }, - { + { + 
"table_id":12, + "table_name":"PXY_CACHE_HTTP_URL", + "table_type":"expr" + }, + { + "table_id":13, + "table_name":"PXY_CACHE_HTTP_COOKIE", + "table_type":"expr" + }, + { + "table_id":14, + "table_name": "PXY_PROFILE_TRUSTED_CA_CERT", + "table_type": "plugin", + "custom": { + "key_name":"uuid", + "key_type":"pointer" + } + }, + { "table_id":15, - "table_name":"ATTR_HTTP_RES_BODY", - "table_type":"virtual", - "physical_table": "TSG_OBJ_KEYWORDS" + "table_name": "PXY_OBJ_TRUSTED_CA_CRL", + "table_type": "plugin", + "custom": { + "key_name":"uuid", + "key_type":"pointer" + } }, { "table_id":16, - "table_name":"TSG_OBJ_SUBSCRIBER_ID", - "table_type":"expr", - "valid_column":7, + "table_name":"TSG_PROFILE_RESPONSE_PAGES", + "table_type":"plugin", "custom": { - "item_id":1, - "group_id":2, - "keywords":3, - "expr_type":4, - "match_method":5, - "is_hexbin":6 + "key_name":"uuid", + "key_type":"pointer" } }, { "table_id":17, - "table_name":"ATTR_SOURCE_IP", - "table_type":"virtual", - "physical_table": "TSG_OBJ_IP" + "table_name":"PXY_PROFILE_HIJACK_FILES", + "table_type":"plugin", + "custom": { + "key_name":"uuid", + "key_type":"pointer" + } }, { "table_id":18, - "table_name":"ATTR_DESTINATION_IP", - "table_type":"virtual", - "physical_table": "TSG_OBJ_IP" + "table_name":"PXY_PROFILE_INSERT_SCRIPTS", + "table_type":"plugin", + "custom": { + "key_name":"uuid", + "key_type":"pointer" + } }, { "table_id":19, - "table_name":"PXY_CACHE_COMPILE", - "table_type":"compile", - "user_region_encoded":"escape", - "valid_column":9, - "custom": { - "compile_id":1, - "tags":6, - "clause_num":8 - } - }, - { - "table_id":20, - "table_name":"PXY_CACHE_COMPILE_CONJUNCTION", - "db_tables":["PXY_CACHE_COMPILE"], - "default_compile_table":1, - "table_type":"compile", - "user_region_encoded":"escape", - "valid_column":9, - "custom": { - "compile_id":1, - "tags":6, - "clause_num":8 - } - }, - { - "table_id":21, - "table_name":"PXY_CACHE_COMPILE_PLUGIN", - "db_tables":["PXY_CACHE_COMPILE"], - 
"table_type":"plugin", - "valid_column":8, - "custom": { - "key":1, - "key_type":"integer", - "key_len": 8 - } - }, - { - "table_id":22, - "table_name":"PXY_CACHE_GROUP", - "table_type":"group2compile", - "associated_compile_table_id":0, - "valid_column":6, - "custom": { - "group_id":1, - "compile_id":2, - "not_flag":3, - "virtual_table_name":4, - "clause_index":5 - } - }, - { - "table_id":23, - "table_name":"PXY_CACHE_HTTP_URL", - "table_type":"expr", - "valid_column":7, - "custom": { - "item_id":1, - "group_id":2, - "keywords":3, - "expr_type":4, - "match_method":5, - "is_hexbin":6 - } - }, - { - "table_id":24, - "table_name":"PXY_CACHE_HTTP_COOKIE", - "table_type":"expr", - "valid_column":7, - "custom": { - "item_id":1, - "group_id":2, - "keywords":3, - "expr_type":4, - "match_method":5, - "is_hexbin":6 - } - }, - { - "table_id":25, - "table_name":"PXY_PROFILE_TRUSTED_CA_CERT", - "table_type":"plugin", - "valid_column":4, - "custom": { - "key":1, - "key_type":"pointer", - "foreign": [3] - } - }, - { - "table_id":26, - "table_name":"PXY_OBJ_TRUSTED_CA_CRL", - "table_type":"plugin", - "valid_column":4, - "custom": { - "key":1, - "key_type":"pointer", - "foreign": [3] - } - }, - { - "table_id":27, - "table_name":"TSG_PROFILE_RESPONSE_PAGES", - "table_type":"plugin", - "valid_column":5, - "custom": { - "key":1, - "key_type":"pointer", - "foreign": [4] - } - }, - { - "table_id":28, - "table_name":"PXY_PROFILE_HIJACK_FILES", - "table_type":"plugin", - "valid_column":6, - "custom": { - "key":1, - "key_type":"pointer", - "foreign": [5] - } - }, - { - "table_id":29, - "table_name":"PXY_PROFILE_INSERT_SCRIPTS", - "table_type":"plugin", - "valid_column":6, - "custom": { - "key":1, - "key_type":"pointer", - "foreign": [4] - } - }, - { - "table_id":30, "table_name":"PXY_INTERCEPT_RULE", "table_type":"plugin", "custom": { @@ -342,7 +138,7 @@ } }, { - "table_id":31, + "table_id":20, "table_name":"TSG_PROFILE_TRAFFIC_MIRROR", "table_type":"plugin", "custom": { 
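Review bot: The rewritten plugin entries for PXY_PROFILE_TRUSTED_CA_CERT, PXY_OBJ_TRUSTED_CA_CRL, TSG_PROFILE_RESPONSE_PAGES, PXY_PROFILE_HIJACK_FILES and PXY_PROFILE_INSERT_SCRIPTS drop the `"foreign": [...]` column marker that the removed entries carried, and nothing keyed by field name replaces it; if the loader used that marker to track the external-file column (the `path` field the rows for these tables now carry), that tracking disappears silently with this change, so either confirm it is no longer needed or add the name-keyed equivalent the new row format requires (the page does not show one). The same omission applies to the PXY_PROFILE_RUN_SCRIPTS hunk further down, where `"foreign": [2]` is removed as well. A style point in the same hunk: the `"table_id":3` entry for OBJECT_GROUP opens with `+{` at column 0 while every other entry is written `+ {` at the list indent. Also, `PXY_CACHE_COMPILE` and `PXY_CACHE_COMPILE_CONJUNCTION` keep the old COMPILE naming while the CTRL tables were renamed to `PXY_CTRL_RULE`/`PXY_CTRL_RULE_CONJUNCTION` with `"table_type":"rule"`; if the names are looked up as strings elsewhere, leave them, otherwise renaming them keeps the file consistent.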
@@ -351,7 +147,7 @@ } }, { - "table_id":32, + "table_id":21, "table_name":"PXY_PROFILE_DECRYPTION", "table_type":"plugin", "custom": { @@ -360,13 +156,13 @@ } }, { - "table_id":33, + "table_id":22, "table_name":"ATTR_DOH_QNAME", "table_type":"virtual", "physical_table": "TSG_OBJ_FQDN" }, { - "table_id":34, + "table_id":23, "table_name":"PXY_SSL_FINGERPRINT", "table_type":"plugin", "custom": { @@ -375,18 +171,16 @@ } }, { - "table_id":35, + "table_id":24, "table_name":"PXY_PROFILE_RUN_SCRIPTS", "table_type":"plugin", - "valid_column":4, "custom": { - "key":1, - "key_type":"pointer", - "foreign": [2] + "key_type":"pointer", + "key_name":"uuid" } }, { - "table_id":36, + "table_id":25, "table_name":"PXY_PROFILE_TCP_OPTION", "table_type":"plugin", "custom": { @@ -395,7 +189,7 @@ } }, { - "table_id":37, + "table_id":26, "table_name":"SERVICE_CHAINING_RULE", "table_type":"plugin", "custom":{ 
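Review bot: After this commit `ATTR_DOH_QNAME` is the only `"table_type":"virtual"` entry left in the file, since every other ATTR_* virtual table (ATTR_HTTP_URL, ATTR_SOURCE_IP, ATTR_SOURCE_PORT, the GTP ones and so on) is deleted in the first and last hunks; this hunk only renumbers it to `"table_id":22`. If the loader no longer handles `virtual` with `physical_table`, this entry is dead configuration or a load-time error; if virtual tables are still supported, it is worth stating in the commit description why this one survives while the rest were removed, so the next maintainer does not treat it as an oversight.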
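Review bot: In the PXY_PROFILE_RUN_SCRIPTS hunk the new `custom` block lists `"key_type":"pointer"` before `"key_name":"uuid"`, the reverse of every other plugin entry in this file, which writes `"key_name":"uuid", "key_type":"pointer"`. The order does not affect parsing, but matching the surrounding entries makes the file easier to scan and to diff later.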
@@ -404,182 +198,56 @@ } }, { - "table_id":38, + "table_id":27, "table_name": "APP_ID_DICT", "table_type": "plugin", - "valid_column": 19, "custom": { - "key": 1, - "key_type": "integer", - "key_len": 8 + "key_name":"app_id", + "key_type":"integer", + "key_len":8 } }, { - "table_id":39, - "table_name":"ATTR_APP_ID", - "table_type":"virtual", - "physical_table": "APP_ID_DICT" - }, - { - "table_id":40, - "table_name":"ATTR_SUBSCRIBER_ID", - "table_type":"virtual", - "physical_table": "TSG_OBJ_SUBSCRIBER_ID" - }, - { - "table_id":41, - "table_name":"ATTR_INTERNAL_IP", - "table_type":"virtual", - "physical_table": "TSG_OBJ_IP" - }, - { - "table_id":42, - "table_name":"ATTR_EXTERNAL_IP", - "table_type":"virtual", - "physical_table": "TSG_OBJ_IP" - }, - { - "table_id":43, + "table_id":28, "table_name": "TSG_IP_PROTOCOL", "table_type": "plugin", - "valid_column": 4, "custom": { - "key": 1, - "key_type": "integer", - "key_len": 8 + "key_name":"uuid", + "key_type":"pointer" } }, { - "table_id":44, + "table_id":29, "table_name":"TSG_OBJ_PORT", - "table_type":"interval", - "valid_column":5, - "custom": { - "item_id":1, - "group_id":2, - "low_boundary":3, - "up_boundary":4 - } + "table_type":"interval" }, { - "table_id":45, - "table_name": "ATTR_SOURCE_PORT", - "table_type": "virtual", - "physical_table": "TSG_OBJ_PORT" - }, - { - "table_id":46, - "table_name": "ATTR_DESTINATION_PORT", - "table_type": "virtual", - "physical_table": "TSG_OBJ_PORT" - }, - { - "table_id":47, - "table_name": "ATTR_INTERNAL_PORT", - "table_type": "virtual", - "physical_table": "TSG_OBJ_PORT" - }, - { - "table_id":48, - "table_name": "ATTR_EXTERNAL_PORT", - "table_type": "virtual", - "physical_table": "TSG_OBJ_PORT" - }, - { - "table_id":49, - "table_name": "ATTR_IP_PROTOCOL", - "table_type": "virtual", - "physical_table": "TSG_IP_PROTOCOL" - }, - { - "table_id": 50, + "table_id":30, "table_name": "LIBRARY_TAG", "table_type": "plugin", - "valid_column": 6, "custom": { - "key": 1, - "key_type": 
"integer", - "key_len": 8 + "key_name":"uuid", + "key_type":"pointer" } }, { - "table_id":51, + "table_id":31, "table_name":"TSG_OBJ_IMSI", - "table_type":"expr", - "valid_column":7, - "custom": { - "item_id":1, - "group_id":2, - "keywords":3, - "expr_type":4, - "match_method":5, - "is_hexbin":6 - } + "table_type":"expr" }, { - "table_id":52, + "table_id":32, "table_name":"TSG_OBJ_PHONE_NUMBER", - "table_type":"expr", - "valid_column":7, - "custom": { - "item_id":1, - "group_id":2, - "keywords":3, - "expr_type":4, - "match_method":5, - "is_hexbin":6 - } + "table_type":"expr" }, { - "table_id":53, + "table_id":33, "table_name":"TSG_OBJ_APN", - "table_type":"expr", - "valid_column":7, - "custom": { - "item_id":1, - "group_id":2, - "keywords":3, - "expr_type":4, - "match_method":5, - "is_hexbin":6 - } + "table_type":"expr" }, { - "table_id":54, + "table_id":34, "table_name":"TSG_OBJ_IMEI", - "table_type":"expr", - "valid_column":7, - "custom": { - "item_id":1, - "group_id":2, - "keywords":3, - "expr_type":4, - "match_method":5, - "is_hexbin":6 - } - }, - { - "table_id":55, - "table_name":"ATTR_GTP_IMSI", - "table_type":"virtual", - "physical_table": "TSG_OBJ_IMSI" - }, - { - "table_id":56, - "table_name":"ATTR_GTP_PHONE_NUMBER", - "table_type":"virtual", - "physical_table": "TSG_OBJ_PHONE_NUMBER" - }, - { - "table_id":57, - "table_name":"ATTR_GTP_APN", - "table_type":"virtual", - "physical_table": "TSG_OBJ_APN" - }, - { - "table_id":58, - "table_name":"ATTR_GTP_IMEI", - "table_type":"virtual", - "physical_table": "TSG_OBJ_IMEI" + "table_type":"expr" } ] \ No newline at end of file
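Review bot: TSG_IP_PROTOCOL and LIBRARY_TAG switch from an 8-byte integer key to a `"key_name":"uuid"` pointer key, but no data-file change for either table appears in this diff (only APP_ID_DICT rows are migrated in the policy-file hunk earlier on this page); any existing rows for these two tables that are still keyed by an integer would presumably fail to load under the new key definition, so the corresponding row data should be migrated in the same commit or the dependency called out in the description. APP_ID_DICT keeps `"key_type":"integer"` with `"key_len":8` while its rows now carry the key as a JSON number in `app_id`; confirm the consumer still reads an 8-byte key rather than the narrower width the new row format implies. Minor: the file still ends without a trailing newline (`\ No newline at end of file`), which this rewrite could have fixed.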