diff --git a/common/include/tfe_cmsg.h b/common/include/tfe_cmsg.h
index c6dbe5e..7e3447a 100644
--- a/common/include/tfe_cmsg.h
+++ b/common/include/tfe_cmsg.h
@@ -75,6 +75,7 @@ enum tfe_cmsg_tlv_type
 TFE_CMSG_UPSTREAM_TCP_KEEPINTVL,
 TFE_CMSG_UPSTREAM_TCP_USER_TIMEOUT,
+ TFE_CMSG_HIT_NO_INTERCEPT, // size uint8_t
 TFE_CMSG_TCP_PASSTHROUGH,
 TFE_CMSG_TCP_DECRYPTED_TRAFFIC_STEERING,
diff --git a/common/src/intercept_policy.cpp b/common/src/intercept_policy.cpp
index 1fbaafd..1175c42 100644
--- a/common/src/intercept_policy.cpp
+++ b/common/src/intercept_policy.cpp
@@ -8,6 +8,7 @@ struct intercept_param
 {
 uint64_t rule_id;
 int ref_cnt;
+ int action;
 int keyring_for_trusted;
 int keyring_for_untrusted;
 int decryption_profile;
@@ -23,14 +24,30 @@ struct intercept_policy_enforcer
 static void intercept_param_new_cb(const char *table_name, int table_id, const char *key, const char *table_line, void **ad, long argl, void *argp)
 {
+ int action = 0;
 size_t len = 0;
 size_t offset = 0;
+ char buffer[8] = {0};
 char *json_str = NULL;
 cJSON *json = NULL;
 cJSON *item = NULL;
 struct intercept_param *param = NULL;
 struct intercept_policy_enforcer *enforcer = (struct intercept_policy_enforcer *)argp;
+ if (maat_helper_read_column(table_line, 3, &offset, &len) < 0)
+ {
+ TFE_LOG_ERROR(enforcer->logger, "Invalid intercept action: %s", table_line);
+ goto error_out;
+ }
+ memcpy(buffer, table_line + offset, MIN(sizeof(buffer), len));
+ action = atoi(buffer);
+ if (action != 2 && action != 3)
+ {
+ TFE_LOG_ERROR(enforcer->logger, "Invalid intercept action: %s", table_line);
+ goto error_out;
+ }
+
 if (maat_helper_read_column(table_line, 7, &offset, &len) < 0)
 {
 TFE_LOG_ERROR(enforcer->logger, "Invalid intercept user region: %s", table_line);
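Review bot: `TFE_CMSG_HIT_NO_INTERCEPT` is added in the middle of `enum tfe_cmsg_tlv_type`, so `TFE_CMSG_TCP_PASSTHROUGH` and every later TLV type silently take a new numeric value. That is harmless only if every producer and consumer of the cmsg is rebuilt together; if the type codes ever cross a process or wire boundary between separately built components it is a compatibility break that no compiler will catch. Either add new types at the end of the enum or state the stability rule on it, e.g. `// TLV type codes are build-local: add new members at the end and never persist them`. The enum's first and last members are outside the hunk.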
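Review bot: `memcpy(buffer, table_line + offset, MIN(sizeof(buffer), len))` fills all eight bytes of `buffer` whenever the action column is eight characters or longer, leaving no NUL terminator, so the `atoi(buffer)` on the next line reads past the end of the stack array. Cap the copy at `sizeof(buffer) - 1` so the zero-initialised last byte always terminates the string: `memcpy(buffer, table_line + offset, MIN(sizeof(buffer) - 1, len));`. The `action != 2 && action != 3` check is right, but the two literals reappear in intercept_policy_enforce; a named enum shared by the loader and the enforcer would keep them from drifting. intercept_param_new_cb and its `error_out` label continue past the end of the hunk.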
@@ -60,6 +77,7 @@ static void intercept_param_new_cb(const char *table_name, int table_id, const c
 param = ALLOC(struct intercept_param, 1);
 param->rule_id = atoll(key);
 param->ref_cnt = 1;
+ param->action = action;
 param->keyring_for_trusted = 1;
 param->keyring_for_untrusted = 0;
 param->decryption_profile = 0;
@@ -189,16 +207,16 @@ struct intercept_policy_enforcer *intercept_policy_enforcer_create(void *logger)
 struct intercept_policy_enforcer *enforcer = ALLOC(struct intercept_policy_enforcer, 1);
 enforcer->maat = (struct maat *)tfe_bussiness_resouce_get(STATIC_MAAT);
 enforcer->logger = logger;
- enforcer->table_id = maat_get_table_id(enforcer->maat, "TSG_SECURITY_COMPILE");
+ enforcer->table_id = maat_get_table_id(enforcer->maat, "PXY_INTERCEPT_COMPILE");
 if (enforcer->table_id < 0)
 {
- TFE_LOG_ERROR(enforcer->logger, "failed at register table of TSG_SECURITY_COMPILE, ret = %d", enforcer->table_id);
+ TFE_LOG_ERROR(enforcer->logger, "failed at register table of PXY_INTERCEPT_COMPILE, ret = %d", enforcer->table_id);
 goto error_out;
 }
 ret = maat_plugin_table_ex_schema_register(enforcer->maat,
- "TSG_SECURITY_COMPILE",
+ "PXY_INTERCEPT_COMPILE",
 intercept_param_new_cb,
 intercept_param_free_cb,
 intercept_param_dup_cb,
@@ -206,7 +224,7 @@ struct intercept_policy_enforcer *intercept_policy_enforcer_create(void *logger)
 enforcer);
 if (ret != 0)
 {
- TFE_LOG_ERROR(enforcer->logger, "failed at register callback of TSG_SECURITY_COMPILE, ret = %d", ret);
+ TFE_LOG_ERROR(enforcer->logger, "failed at register callback of PXY_INTERCEPT_COMPILE, ret = %d", ret);
 goto error_out;
 }
@@ -235,9 +253,10 @@ int intercept_policy_enforce(struct intercept_policy_enforcer *enforcer, struct
 uint64_t rule_id = 0;
 char buff[16] = {0};
 struct intercept_param *param = NULL;
-
- int passthrough = 1;
- char reason[] = "Invalid Intercept Param";
+ uint8_t hit_no_intercept = 0;
+ int tcp_passthrough = 0;
+ char reason_hit_no_intercept[] = "Hit No Intercept";
+ char reason_invalid_intercept_param[] = "Invalid Intercept Param";
 ret = tfe_cmsg_get_value(cmsg, TFE_CMSG_POLICY_ID, (unsigned char *)&rule_id, sizeof(rule_id), &size);
 if (ret < 0)
@@ -254,6 +273,22 @@ int intercept_policy_enforce(struct intercept_policy_enforcer *enforcer, struct
 goto error_passthrough;
 }
+ // intercept
+ if (param->action == 2)
+ {
+ tcp_passthrough = 0;
+ hit_no_intercept = 0;
+ }
+ // not intercept
+ else
+ {
+ tcp_passthrough = 1;
+ hit_no_intercept = 1;
+ tfe_cmsg_set(cmsg, TFE_CMSG_SSL_PASSTHROUGH_REASON, (const unsigned char *)&reason_hit_no_intercept, strlen(reason_hit_no_intercept));
+ }
+ tfe_cmsg_set(cmsg, TFE_CMSG_TCP_PASSTHROUGH, (const unsigned char *)&tcp_passthrough, sizeof(tcp_passthrough));
+ tfe_cmsg_set(cmsg, TFE_CMSG_HIT_NO_INTERCEPT, (const unsigned char *)&hit_no_intercept, sizeof(hit_no_intercept));
 tfe_cmsg_set(cmsg, TFE_CMSG_TCP_OPTION_PROFILE_ID, (const unsigned char *)&(param->tcp_option_profile), sizeof(param->tcp_option_profile));
 tfe_cmsg_set(cmsg, TFE_CMSG_DECRYPTION_PROFILE_ID, (const unsigned char *)&(param->decryption_profile), sizeof(param->decryption_profile));
 tfe_cmsg_set(cmsg, TFE_CMSG_KEYRING_FOR_TRUSTED_ID, (const unsigned char *)&(param->keyring_for_trusted), sizeof(param->keyring_for_trusted));
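Review bot: `if (param->action == 2)` repeats the bare literal that intercept_param_new_cb validates with `action != 2 && action != 3`, so the meaning of the two codes lives only in the `// intercept` and `// not intercept` comments. Define them once, e.g. `enum intercept_action { INTERCEPT_ACTION_INTERCEPT = 2, INTERCEPT_ACTION_NO_INTERCEPT = 3 };` next to `struct intercept_param`, and write `if (param->action == INTERCEPT_ACTION_INTERCEPT)` here, so the else branch reads as the explicit no-intercept case rather than "anything other than 2". The return values of the new `tfe_cmsg_set` calls are ignored, as in the existing calls below them; if setting `TFE_CMSG_HIT_NO_INTERCEPT` can fail, the consumer would see a missing TLV rather than a zero, which is worth confirming against the reader. intercept_policy_enforce begins and ends outside this hunk.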
@@ -264,8 +299,9 @@ int intercept_policy_enforce(struct intercept_policy_enforcer *enforcer, struct
 return 0;
 error_passthrough:
- tfe_cmsg_set(cmsg, TFE_CMSG_TCP_PASSTHROUGH, (const unsigned char *)&passthrough, sizeof(passthrough));
- tfe_cmsg_set(cmsg, TFE_CMSG_SSL_PASSTHROUGH_REASON, (const unsigned char *)&reason, strlen(reason));
+ tcp_passthrough = 1;
+ tfe_cmsg_set(cmsg, TFE_CMSG_TCP_PASSTHROUGH, (const unsigned char *)&tcp_passthrough, sizeof(tcp_passthrough));
+ tfe_cmsg_set(cmsg, TFE_CMSG_SSL_PASSTHROUGH_REASON, (const unsigned char *)&reason_invalid_intercept_param, strlen(reason_invalid_intercept_param));
 return -1;
 }
\ No newline at end of file
diff --git a/plugin/business/traffic-mirror/src/entry.cpp b/plugin/business/traffic-mirror/src/entry.cpp
index abe7149..9e5b801 100644
--- a/plugin/business/traffic-mirror/src/entry.cpp
+++ b/plugin/business/traffic-mirror/src/entry.cpp
@@ -144,7 +144,7 @@ success:
 goto out;
 ignore:
- TFE_LOG_ERROR(instance->logger, "table line in TSG_SECURITY_COMPILE ignored %s: %s", key, table_line);
+ TFE_LOG_ERROR(instance->logger, "table line in PXY_INTERCEPT_COMPILE ignored %s: %s", key, table_line);
 goto out;
 out:
@@ -471,10 +471,10 @@ int traffic_mirror_init(struct tfe_proxy * proxy)
 }
 /* REGISTER MAAT FEATHER */
- instance->policy_table_id = maat_get_table_id(instance->maat_feather, "TSG_SECURITY_COMPILE");
+ instance->policy_table_id = maat_get_table_id(instance->maat_feather, "PXY_INTERCEPT_COMPILE");
 if (instance->policy_table_id < 0)
 {
- TFE_LOG_ERROR(instance->logger, "failed at register table TSG_SECURITY_COMPILE, ret = %d",
+ TFE_LOG_ERROR(instance->logger, "failed at register table PXY_INTERCEPT_COMPILE, ret = %d",
 instance->policy_table_id);
 goto errout;
 }
@@ -485,13 +485,13 @@ int traffic_mirror_init(struct tfe_proxy * proxy) instance->profile_table_id); goto errout; } - result = maat_plugin_table_ex_schema_register(instance->maat_feather, "TSG_SECURITY_COMPILE", + result = maat_plugin_table_ex_schema_register(instance->maat_feather, "PXY_INTERCEPT_COMPILE", policy_table_ex_data_new_cb, policy_table_ex_data_free_cb, policy_table_ex_data_dup_cb, 0, instance); if(result < 0) { - TFE_LOG_ERROR(instance->logger, "failed at maat_plugin_table_ex_schema_register(TSG_SECURITY_COMPILE), " + TFE_LOG_ERROR(instance->logger, "failed at maat_plugin_table_ex_schema_register(PXY_INTERCEPT_COMPILE), " "table_id = %d, ret = %d", instance->policy_table_id, result); goto errout; } diff --git a/resource/pangu/doh.json b/resource/pangu/doh.json index e0bbb82..1a4b4c7 100644 --- a/resource/pangu/doh.json +++ b/resource/pangu/doh.json @@ -159,7 +159,7 @@ ] }, { - "table_name": "TSG_SECURITY_COMPILE", + "table_name": "PXY_INTERCEPT_COMPILE", "table_content": [ "0\t0\t2\t1\t1\t{}\t{\"protocol\":\"SSL\",\"keyring\":765,\"decryption\":0},\"traffic_mirror\":{\"enable\":0}}\t1\t2", "656\t0\t2\t1\t1\t{}\t{\"protocol\":\"SSL\",\"keyring\":1,\"decryption\":0},\"traffic_mirror\":{\"enable\":0}}\t1\t2", diff --git a/resource/pangu/pangu_http.json b/resource/pangu/pangu_http.json index d5324cf..c2eee89 100644 --- a/resource/pangu/pangu_http.json +++ b/resource/pangu/pangu_http.json @@ -259,7 +259,7 @@ ] }, { - "table_name": "TSG_SECURITY_COMPILE", + "table_name": "PXY_INTERCEPT_COMPILE", "table_content": [ "0\t0\t2\t1\t1\t{}\t{\"protocol\":\"SSL\",\"keyring_for_trusted\":765,\"keyring_for_untrusted\":10,\"decryption\":0,\"tcp_option_profile\":1,\"traffic_mirror\":{\"enable\":0}}\t1\t2", "4\t0\t2\t1\t1\t{}\t{\"protocol\":\"SSL\",\"keyring_for_trusted\":1,\"keyring_for_untrusted\":10,\"decryption\":0,\"tcp_option_profile\":1,\"traffic_mirror\":{\"enable\":1,\"mirror_profile\":1234}}\t1\t2" 
diff --git a/resource/pangu/table_info.conf b/resource/pangu/table_info.conf
index cf29160..351a98e 100644
--- a/resource/pangu/table_info.conf
+++ b/resource/pangu/table_info.conf
@@ -326,7 +326,7 @@
 },
 {
 "table_id":29,
- "table_name":"TSG_SECURITY_COMPILE",
+ "table_name":"PXY_INTERCEPT_COMPILE",
 "table_type":"plugin",
 "valid_column":8,
 "custom": {
diff --git a/resource/pangu/table_info_traffic_mirror.conf b/resource/pangu/table_info_traffic_mirror.conf
index 3ec86f7..b9d3bb3 100644
--- a/resource/pangu/table_info_traffic_mirror.conf
+++ b/resource/pangu/table_info_traffic_mirror.conf
@@ -1,7 +1,7 @@
 [
 {
 "table_id":0,
- "table_name":"TSG_SECURITY_COMPILE",
+ "table_name":"PXY_INTERCEPT_COMPILE",
 "table_type":"plugin",
 "valid_column":8,
 "custom": {