PXY_INTERCEPT_RULE,SERVICE_CHAINING_RULE adapt uuid

common/src/intercept_policy.cpp

@@ -11,10 +11,16 @@ struct intercept_param
     int do_log;
     int ref_cnt;
     int action;
-    int keyring_for_trusted;
+    uuid_t keyring_for_trusted;
-    int keyring_for_untrusted;
+    uuid_t keyring_for_untrusted;
-    int decryption_profile;
+    uuid_t decryption_profile;
-    int tcp_option_profile;
+    uuid_t tcp_option_profile;
+};
+
+enum {
+    ACTION_NONE,
+    ACTION_INTERCEPT,
+    ACTION_NO_INTERCEPT,
 };
 
 struct intercept_policy_enforcer
@@ -24,6 +30,16 @@ struct intercept_policy_enforcer
     void *logger;
 };
 
+static int intercept_action_map(char *action)
+{
+    if (strncasecmp(action, "intercept", strlen("intercept")) == 0)
+        return ACTION_INTERCEPT;
+    else if (strncasecmp(action, "no_intercept", strlen("no_intercept")) == 0)
+        return ACTION_NO_INTERCEPT;
+    else
+        return ACTION_NONE;
+}
+
 static void intercept_param_new_cb(const char *table_name, const char *key, const char *table_line, void **ad, long argl, void *argp)
 {
     int action = 0;
@@ -42,32 +58,33 @@ static void intercept_param_new_cb(const char *table_name, const char *key, cons
         goto error_out;
     }
 
-    item = cJSON_GetObjectItem(json_root, "ACTION");
+    item = cJSON_GetObjectItem(json_root, "action");
-    if (unlikely(!item || !cJSON_IsNumber(item)))
+    if (unlikely(!item || !cJSON_IsString(item)))
     {
-        TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule:%s (invalid ACTION format) %s.", key, table_line);
+        TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule:%s (invalid action format) %s.", key, table_line);
         goto error_out;
     }
+    action = intercept_action_map(item->valueint);
 
-    if (item->valueint != 2 && item->valueint != 3)
+    item = cJSON_GetObjectItem(json_root, "log_option");
+    if (!item || !cJSON_IsString(item))
     {
-        TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule:%s (invalid ACTION format) %s.", key, table_line);
+        TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule:%s (invalid log_option format) %s.", key, table_line);
         goto error_out;
     }
-    action = item->valueint;
+    if (strncasecmp(item->valueint, "none", strlen("none")) == 0)
-
-    item = cJSON_GetObjectItem(json_root, "DO_LOG");
-    if (!item || !cJSON_IsNumber(item))
     {
-        TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule:%s (invalid DO_LOG format) %s.", key, table_line);
+        do_log = 0;
-        goto error_out;
+    }
+    else
+    {
+        do_log = 1;
     }
-    param->do_log = !!item->valueint;
 
-    json_subroot = cJSON_GetObjectItem(json_root, "USER_REGION");
+    json_subroot = cJSON_GetObjectItem(json_root, "action_parameter");
     if (unlikely(!json_subroot))
     {
-        TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule:%s (invalid USER_REGION format) %s.", key, table_line);
+        TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule:%s (invalid action_parameter format) %s.", key, table_line);
         goto error_out;
     }
 
@@ -85,21 +102,13 @@ static void intercept_param_new_cb(const char *table_name, const char *key, cons
     param->do_log = do_log;
     param->vsys_id = vsys_id;
     uuid_parse(key, param->rule_id);
-    param->keyring_for_trusted = 1;
-    param->keyring_for_untrusted = 0;
-    param->decryption_profile = 0;
-    param->tcp_option_profile = 0;
 
     item = cJSON_GetObjectItem(json_subroot, "keyring_for_trusted");
     if (item)
     {
-        if (item->type == cJSON_Number)
+        if (item->type == cJSON_String)
         {
-            param->keyring_for_trusted = item->valueint;
+            uuid_parse(item->valuestring, param->keyring_for_trusted);
-        }
-        else if (item->type == cJSON_String)
-        {
-            param->keyring_for_trusted = atoi(item->valuestring);
         }
         else
         {
@@ -110,13 +119,9 @@ static void intercept_param_new_cb(const char *table_name, const char *key, cons
     item = cJSON_GetObjectItem(json_subroot, "keyring_for_untrusted");
     if (item)
     {
-        if (item->type == cJSON_Number)
+        if (item->type == cJSON_String)
         {
-            param->keyring_for_untrusted = item->valueint;
+            uuid_parse(item->valuestring, param->keyring_for_untrusted);
-        }
-        else if (item->type == cJSON_String)
-        {
-            param->keyring_for_untrusted = atoi(item->valuestring);
         }
         else
         {
@@ -127,13 +132,9 @@ static void intercept_param_new_cb(const char *table_name, const char *key, cons
     item = cJSON_GetObjectItem(json_subroot, "decryption_profile");
     if (item)
     {
-        if (item->type == cJSON_Number)
+        if (item->type == cJSON_String)
         {
-            param->decryption_profile = item->valueint;
+            uuid_parse(item->valuestring, param->decryption_profile);
-        }
-        else if (item->type == cJSON_String)
-        {
-            param->decryption_profile = atoi(item->valuestring);
         }
         else
         {
@@ -144,13 +145,9 @@ static void intercept_param_new_cb(const char *table_name, const char *key, cons
     item = cJSON_GetObjectItem(json_subroot, "tcp_option_profile");
     if (item)
     {
-        if (item->type == cJSON_Number)
+        if (item->type == cJSON_String)
         {
-            param->tcp_option_profile = item->valueint;
+            uuid_parse(item->valuestring, param->tcp_option_profile);
-        }
-        else if (item->type == cJSON_String)
-        {
-            param->tcp_option_profile = atoi(item->valuestring);
         }
         else
         {
@@ -212,7 +209,7 @@ struct intercept_policy_enforcer *intercept_policy_enforcer_create(void *logger)
     struct intercept_policy_enforcer *enforcer = ALLOC(struct intercept_policy_enforcer, 1);
     enforcer->maat = tfe_get_maat_handle();
     enforcer->logger = logger;
-    snprintf(enforcer->table_name, sizeof(enforcer->table_name), "PXY_INTERCEPT_COMPILE");
+    snprintf(enforcer->table_name, sizeof(enforcer->table_name), "PXY_INTERCEPT_RULE");
 
     ret = maat_plugin_table_ex_schema_register(enforcer->maat,
                                                enforcer->table_name,
@@ -267,7 +264,7 @@ int intercept_policy_select(struct intercept_policy_enforcer *enforcer, uuid_t *
         }
 
         // intercept
-        if (param->action == 2)
+        if (param->action == ACTION_INTERCEPT)
         {
             is_hit_intercept_rule = 1;
             if (uuid_compare(max_intercept_rule_id, rule_id) < 0)
@@ -330,7 +327,7 @@ int intercept_policy_enforce(struct intercept_policy_enforcer *enforcer, struct
     }
 
     // intercept
-    if (param->action == 2)
+    if (param->action == ACTION_INTERCEPT)
     {
         tcp_passthrough = 0;
         hit_no_intercept = 0;
@@ -347,10 +344,10 @@ int intercept_policy_enforce(struct intercept_policy_enforcer *enforcer, struct
     tfe_cmsg_set(cmsg, TFE_CMSG_POLICY_VSYS_ID, (const unsigned char *)&param->vsys_id, sizeof(param->vsys_id));
     tfe_cmsg_set(cmsg, TFE_CMSG_TCP_PASSTHROUGH, (const unsigned char *)&tcp_passthrough, sizeof(tcp_passthrough));
     tfe_cmsg_set(cmsg, TFE_CMSG_HIT_NO_INTERCEPT, (const unsigned char *)&hit_no_intercept, sizeof(hit_no_intercept));
-    tfe_cmsg_set(cmsg, TFE_CMSG_TCP_OPTION_PROFILE_ID, (const unsigned char *)&(param->tcp_option_profile), sizeof(param->tcp_option_profile));
+    tfe_cmsg_set(cmsg, TFE_CMSG_TCP_OPTION_PROFILE_ID, (const unsigned char *)param->tcp_option_profile, UUID_LEN);
-    tfe_cmsg_set(cmsg, TFE_CMSG_DECRYPTION_PROFILE_ID, (const unsigned char *)&(param->decryption_profile), sizeof(param->decryption_profile));
+    tfe_cmsg_set(cmsg, TFE_CMSG_DECRYPTION_PROFILE_ID, (const unsigned char *)param->decryption_profile, UUID_LEN);
-    tfe_cmsg_set(cmsg, TFE_CMSG_KEYRING_FOR_TRUSTED_ID, (const unsigned char *)&(param->keyring_for_trusted), sizeof(param->keyring_for_trusted));
+    tfe_cmsg_set(cmsg, TFE_CMSG_KEYRING_FOR_TRUSTED_ID, (const unsigned char *)param->keyring_for_trusted, UUID_LEN);
-    tfe_cmsg_set(cmsg, TFE_CMSG_KEYRING_FOR_UNTRUSTED, (const unsigned char *)&(param->keyring_for_untrusted), sizeof(param->keyring_for_untrusted));
+    tfe_cmsg_set(cmsg, TFE_CMSG_KEYRING_FOR_UNTRUSTED, (const unsigned char *)param->keyring_for_untrusted, UUID_LEN);
 
     intercept_param_free(param);
 

plugin/business/chaining-policy/src/chaining_policy.cpp

@@ -46,10 +46,10 @@ static void chaining_param_new_cb(const char *table_name, const char *key, const
         goto error_out;
     }
 
-    json_subroot = cJSON_GetObjectItem(json_root, "USER_REGION");
+    json_subroot = cJSON_GetObjectItem(json_root, "action_parameter");
     if (unlikely(!json_subroot))
     {
-        TFE_LOG_ERROR(enforcer->logger, "Invalid chaining rule: %s (invalid USER_REGION format) %s.", key, table_line);
+        TFE_LOG_ERROR(enforcer->logger, "Invalid chaining rule: %s (invalid action_parameter format) %s.", key, table_line);
         goto error_out;
     }
 
@@ -139,7 +139,7 @@ struct chaining_policy_enforcer *chaining_policy_enforcer_create(void *logger)
     struct chaining_policy_enforcer *enforcer = ALLOC(struct chaining_policy_enforcer, 1);
     enforcer->maat = tfe_get_maat_handle();
     enforcer->logger = logger;
-    snprintf(enforcer->table_name, sizeof(enforcer->table_name), "SERVICE_CHAINING_COMPILE");
+    snprintf(enforcer->table_name, sizeof(enforcer->table_name), "SERVICE_CHAINING_RULE");
 
     ret = maat_plugin_table_ex_schema_register(enforcer->maat, enforcer->table_name,
                                                chaining_param_new_cb,
@@ -148,7 +148,7 @@ struct chaining_policy_enforcer *chaining_policy_enforcer_create(void *logger)
                                                0, enforcer);
     if (ret < 0)
     {
-        TFE_LOG_ERROR(enforcer->logger, "failed at register callback of SERVICE_CHAINING_COMPILE, ret = %d", ret);
+        TFE_LOG_ERROR(enforcer->logger, "failed at register callback of SERVICE_CHAINING_RULE, ret = %d", ret);
         goto error_out;
     }
     return enforcer;