PXY_INTERCEPT_RULE,SERVICE_CHAINING_RULE adapt uuid

This commit is contained in:
wangmenglan
2024-09-25 18:52:27 +08:00
parent 707b418250
commit ad96bf00c1
2 changed files with 54 additions and 57 deletions


@@ -11,10 +11,16 @@ struct intercept_param
int do_log;
int ref_cnt;
int action;
int keyring_for_trusted;
int keyring_for_untrusted;
int decryption_profile;
int tcp_option_profile;
uuid_t keyring_for_trusted;
uuid_t keyring_for_untrusted;
uuid_t decryption_profile;
uuid_t tcp_option_profile;
};
enum {
ACTION_NONE,
ACTION_INTERCEPT,
ACTION_NO_INTERCEPT,
};
struct intercept_policy_enforcer
@@ -24,6 +30,16 @@ struct intercept_policy_enforcer
void *logger;
};
static int intercept_action_map(char *action)
{
if (strncasecmp(action, "intercept", strlen("intercept")) == 0)
return ACTION_INTERCEPT;
else if (strncasecmp(action, "no_intercept", strlen("no_intercept")) == 0)
return ACTION_NO_INTERCEPT;
else
return ACTION_NONE;
}
static void intercept_param_new_cb(const char *table_name, const char *key, const char *table_line, void **ad, long argl, void *argp)
{
int action = 0;
@@ -42,32 +58,33 @@ static void intercept_param_new_cb(const char *table_name, const char *key, cons
goto error_out;
}
item = cJSON_GetObjectItem(json_root, "ACTION");
if (unlikely(!item || !cJSON_IsNumber(item)))
item = cJSON_GetObjectItem(json_root, "action");
if (unlikely(!item || !cJSON_IsString(item)))
{
TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule:%s (invalid ACTION format) %s.", key, table_line);
TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule:%s (invalid action format) %s.", key, table_line);
goto error_out;
}
action = intercept_action_map(item->valueint);
if (item->valueint != 2 && item->valueint != 3)
item = cJSON_GetObjectItem(json_root, "log_option");
if (!item || !cJSON_IsString(item))
{
TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule:%s (invalid ACTION format) %s.", key, table_line);
TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule:%s (invalid log_option format) %s.", key, table_line);
goto error_out;
}
action = item->valueint;
item = cJSON_GetObjectItem(json_root, "DO_LOG");
if (!item || !cJSON_IsNumber(item))
if (strncasecmp(item->valueint, "none", strlen("none")) == 0)
{
TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule:%s (invalid DO_LOG format) %s.", key, table_line);
goto error_out;
do_log = 0;
}
else
{
do_log = 1;
}
param->do_log = !!item->valueint;
json_subroot = cJSON_GetObjectItem(json_root, "USER_REGION");
json_subroot = cJSON_GetObjectItem(json_root, "action_parameter");
if (unlikely(!json_subroot))
{
TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule:%s (invalid USER_REGION format) %s.", key, table_line);
TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule:%s (invalid action_parameter format) %s.", key, table_line);
goto error_out;
}
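Review bot: `action = intercept_action_map(item->valueint);` and `if (strncasecmp(item->valueint, "none", strlen("none")) == 0)` pass the numeric `valueint` where both callees take a string, even though each item was just validated with `cJSON_IsString`; the int is converted to a pointer and dereferenced, so both lines should read `item->valuestring`. In the following hunks the `uuid_parse(item->valuestring, ...)` calls and `uuid_parse(key, param->rule_id)` ignore the return value (libuuid returns -1 on a malformed id), and the explicit defaults for the four profile fields were removed, so a missing or malformed id leaves the `uuid_t` holding whatever `ALLOC` produced (zero only if it zero-fills), which `intercept_policy_enforce` then forwards via `tfe_cmsg_set`; treating `uuid_parse(...) != 0` as an error that goes to `error_out`, or `uuid_clear`-ing the fields before parsing, would close that. Also, `intercept_action_map` in the previous hunk compares only a prefix, so a value such as "intercept_x" maps to `ACTION_INTERCEPT`; `strcasecmp` would require the whole token. `intercept_param_new_cb` begins before this hunk and continues past it.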
@@ -85,21 +102,13 @@ static void intercept_param_new_cb(const char *table_name, const char *key, cons
param->do_log = do_log;
param->vsys_id = vsys_id;
uuid_parse(key, param->rule_id);
param->keyring_for_trusted = 1;
param->keyring_for_untrusted = 0;
param->decryption_profile = 0;
param->tcp_option_profile = 0;
item = cJSON_GetObjectItem(json_subroot, "keyring_for_trusted");
if (item)
{
if (item->type == cJSON_Number)
if (item->type == cJSON_String)
{
param->keyring_for_trusted = item->valueint;
}
else if (item->type == cJSON_String)
{
param->keyring_for_trusted = atoi(item->valuestring);
uuid_parse(item->valuestring, param->keyring_for_trusted);
}
else
{
@@ -110,13 +119,9 @@ static void intercept_param_new_cb(const char *table_name, const char *key, cons
item = cJSON_GetObjectItem(json_subroot, "keyring_for_untrusted");
if (item)
{
if (item->type == cJSON_Number)
if (item->type == cJSON_String)
{
param->keyring_for_untrusted = item->valueint;
}
else if (item->type == cJSON_String)
{
param->keyring_for_untrusted = atoi(item->valuestring);
uuid_parse(item->valuestring, param->keyring_for_untrusted);
}
else
{
@@ -127,13 +132,9 @@ static void intercept_param_new_cb(const char *table_name, const char *key, cons
item = cJSON_GetObjectItem(json_subroot, "decryption_profile");
if (item)
{
if (item->type == cJSON_Number)
if (item->type == cJSON_String)
{
param->decryption_profile = item->valueint;
}
else if (item->type == cJSON_String)
{
param->decryption_profile = atoi(item->valuestring);
uuid_parse(item->valuestring, param->decryption_profile);
}
else
{
@@ -144,13 +145,9 @@ static void intercept_param_new_cb(const char *table_name, const char *key, cons
item = cJSON_GetObjectItem(json_subroot, "tcp_option_profile");
if (item)
{
if (item->type == cJSON_Number)
if (item->type == cJSON_String)
{
param->tcp_option_profile = item->valueint;
}
else if (item->type == cJSON_String)
{
param->tcp_option_profile = atoi(item->valuestring);
uuid_parse(item->valuestring, param->tcp_option_profile);
}
else
{
@@ -212,7 +209,7 @@ struct intercept_policy_enforcer *intercept_policy_enforcer_create(void *logger)
struct intercept_policy_enforcer *enforcer = ALLOC(struct intercept_policy_enforcer, 1);
enforcer->maat = tfe_get_maat_handle();
enforcer->logger = logger;
snprintf(enforcer->table_name, sizeof(enforcer->table_name), "PXY_INTERCEPT_COMPILE");
snprintf(enforcer->table_name, sizeof(enforcer->table_name), "PXY_INTERCEPT_RULE");
ret = maat_plugin_table_ex_schema_register(enforcer->maat,
enforcer->table_name,
@@ -267,7 +264,7 @@ int intercept_policy_select(struct intercept_policy_enforcer *enforcer, uuid_t *
}
// intercept
if (param->action == 2)
if (param->action == ACTION_INTERCEPT)
{
is_hit_intercept_rule = 1;
if (uuid_compare(max_intercept_rule_id, rule_id) < 0)
@@ -330,7 +327,7 @@ int intercept_policy_enforce(struct intercept_policy_enforcer *enforcer, struct
}
// intercept
if (param->action == 2)
if (param->action == ACTION_INTERCEPT)
{
tcp_passthrough = 0;
hit_no_intercept = 0;
@@ -347,10 +344,10 @@ int intercept_policy_enforce(struct intercept_policy_enforcer *enforcer, struct
tfe_cmsg_set(cmsg, TFE_CMSG_POLICY_VSYS_ID, (const unsigned char *)&param->vsys_id, sizeof(param->vsys_id));
tfe_cmsg_set(cmsg, TFE_CMSG_TCP_PASSTHROUGH, (const unsigned char *)&tcp_passthrough, sizeof(tcp_passthrough));
tfe_cmsg_set(cmsg, TFE_CMSG_HIT_NO_INTERCEPT, (const unsigned char *)&hit_no_intercept, sizeof(hit_no_intercept));
tfe_cmsg_set(cmsg, TFE_CMSG_TCP_OPTION_PROFILE_ID, (const unsigned char *)&(param->tcp_option_profile), sizeof(param->tcp_option_profile));
tfe_cmsg_set(cmsg, TFE_CMSG_DECRYPTION_PROFILE_ID, (const unsigned char *)&(param->decryption_profile), sizeof(param->decryption_profile));
tfe_cmsg_set(cmsg, TFE_CMSG_KEYRING_FOR_TRUSTED_ID, (const unsigned char *)&(param->keyring_for_trusted), sizeof(param->keyring_for_trusted));
tfe_cmsg_set(cmsg, TFE_CMSG_KEYRING_FOR_UNTRUSTED, (const unsigned char *)&(param->keyring_for_untrusted), sizeof(param->keyring_for_untrusted));
tfe_cmsg_set(cmsg, TFE_CMSG_TCP_OPTION_PROFILE_ID, (const unsigned char *)param->tcp_option_profile, UUID_LEN);
tfe_cmsg_set(cmsg, TFE_CMSG_DECRYPTION_PROFILE_ID, (const unsigned char *)param->decryption_profile, UUID_LEN);
tfe_cmsg_set(cmsg, TFE_CMSG_KEYRING_FOR_TRUSTED_ID, (const unsigned char *)param->keyring_for_trusted, UUID_LEN);
tfe_cmsg_set(cmsg, TFE_CMSG_KEYRING_FOR_UNTRUSTED, (const unsigned char *)param->keyring_for_untrusted, UUID_LEN);
intercept_param_free(param);