gfwleak/tango-tfe
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

TSG-14898 TFE适配PXY_INTERCEPT_COMPILE,执行Intercept或No Intercept

Browse Source
This commit is contained in:
luwenpeng
2023-04-25 10:49:36 +08:00
parent 3523e8a951
commit ba64327e2f
7 changed files with 55 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
common/include/tfe_cmsg.h
View File

@@ -75,6 +75,7 @@ enum tfe_cmsg_tlv_type
TFE_CMSG_UPSTREAM_TCP_KEEPINTVL, TFE_CMSG_UPSTREAM_TCP_KEEPINTVL,
TFE_CMSG_UPSTREAM_TCP_USER_TIMEOUT, TFE_CMSG_UPSTREAM_TCP_USER_TIMEOUT,
TFE_CMSG_HIT_NO_INTERCEPT, // size uint8_t
TFE_CMSG_TCP_PASSTHROUGH, TFE_CMSG_TCP_PASSTHROUGH,
TFE_CMSG_TCP_DECRYPTED_TRAFFIC_STEERING, TFE_CMSG_TCP_DECRYPTED_TRAFFIC_STEERING,

54
common/src/intercept_policy.cpp
View File

@@ -8,6 +8,7 @@ struct intercept_param
{ {
uint64_t rule_id; uint64_t rule_id;
int ref_cnt; int ref_cnt;
int action;
int keyring_for_trusted; int keyring_for_trusted;
int keyring_for_untrusted; int keyring_for_untrusted;
int decryption_profile; int decryption_profile;
@@ -23,14 +24,30 @@ struct intercept_policy_enforcer
static void intercept_param_new_cb(const char *table_name, int table_id, const char *key, const char *table_line, void **ad, long argl, void *argp) static void intercept_param_new_cb(const char *table_name, int table_id, const char *key, const char *table_line, void **ad, long argl, void *argp)
{ {
int action = 0;
size_t len = 0; size_t len = 0;
size_t offset = 0; size_t offset = 0;
char buffer[8] = {0};
char *json_str = NULL; char *json_str = NULL;
cJSON *json = NULL; cJSON *json = NULL;
cJSON *item = NULL; cJSON *item = NULL;
struct intercept_param *param = NULL; struct intercept_param *param = NULL;
struct intercept_policy_enforcer *enforcer = (struct intercept_policy_enforcer *)argp; struct intercept_policy_enforcer *enforcer = (struct intercept_policy_enforcer *)argp;
if (maat_helper_read_column(table_line, 3, &offset, &len) < 0)
{
TFE_LOG_ERROR(enforcer->logger, "Invalid intercept action: %s", table_line);
goto error_out;
}
memcpy(buffer, table_line + offset, MIN(sizeof(buffer), len));
action = atoi(buffer);
if (action != 2 && action != 3)
{
TFE_LOG_ERROR(enforcer->logger, "Invalid intercept action: %s", table_line);
goto error_out;
}
if (maat_helper_read_column(table_line, 7, &offset, &len) < 0) if (maat_helper_read_column(table_line, 7, &offset, &len) < 0)
{ {
TFE_LOG_ERROR(enforcer->logger, "Invalid intercept user region: %s", table_line); TFE_LOG_ERROR(enforcer->logger, "Invalid intercept user region: %s", table_line);
@@ -60,6 +77,7 @@ static void intercept_param_new_cb(const char *table_name, int table_id, const c
param = ALLOC(struct intercept_param, 1); param = ALLOC(struct intercept_param, 1);
param->rule_id = atoll(key); param->rule_id = atoll(key);
param->ref_cnt = 1; param->ref_cnt = 1;
param->action = action;
param->keyring_for_trusted = 1; param->keyring_for_trusted = 1;
param->keyring_for_untrusted = 0; param->keyring_for_untrusted = 0;
param->decryption_profile = 0; param->decryption_profile = 0;
@@ -189,16 +207,16 @@ struct intercept_policy_enforcer *intercept_policy_enforcer_create(void *logger)
struct intercept_policy_enforcer *enforcer = ALLOC(struct intercept_policy_enforcer, 1); struct intercept_policy_enforcer *enforcer = ALLOC(struct intercept_policy_enforcer, 1);
enforcer->maat = (struct maat *)tfe_bussiness_resouce_get(STATIC_MAAT); enforcer->maat = (struct maat *)tfe_bussiness_resouce_get(STATIC_MAAT);
enforcer->logger = logger; enforcer->logger = logger;
enforcer->table_id = maat_get_table_id(enforcer->maat, "TSG_SECURITY_COMPILE"); enforcer->table_id = maat_get_table_id(enforcer->maat, "PXY_INTERCEPT_COMPILE");
if (enforcer->table_id < 0) if (enforcer->table_id < 0)
{ {
TFE_LOG_ERROR(enforcer->logger, "failed at register table of TSG_SECURITY_COMPILE, ret = %d", enforcer->table_id); TFE_LOG_ERROR(enforcer->logger, "failed at register table of PXY_INTERCEPT_COMPILE, ret = %d", enforcer->table_id);
goto error_out; goto error_out;
} }
ret = maat_plugin_table_ex_schema_register(enforcer->maat, ret = maat_plugin_table_ex_schema_register(enforcer->maat,
"TSG_SECURITY_COMPILE", "PXY_INTERCEPT_COMPILE",
intercept_param_new_cb, intercept_param_new_cb,
intercept_param_free_cb, intercept_param_free_cb,
intercept_param_dup_cb, intercept_param_dup_cb,
@@ -206,7 +224,7 @@ struct intercept_policy_enforcer *intercept_policy_enforcer_create(void *logger)
enforcer); enforcer);
if (ret != 0) if (ret != 0)
{ {
TFE_LOG_ERROR(enforcer->logger, "failed at register callback of TSG_SECURITY_COMPILE, ret = %d", ret); TFE_LOG_ERROR(enforcer->logger, "failed at register callback of PXY_INTERCEPT_COMPILE, ret = %d", ret);
goto error_out; goto error_out;
} }
@@ -235,9 +253,10 @@ int intercept_policy_enforce(struct intercept_policy_enforcer *enforcer, struct
uint64_t rule_id = 0; uint64_t rule_id = 0;
char buff[16] = {0}; char buff[16] = {0};
struct intercept_param *param = NULL; struct intercept_param *param = NULL;
uint8_t hit_no_intercept = 0;
int passthrough = 1; int tcp_passthrough = 0;
char reason[] = "Invalid Intercept Param"; char reason_hit_no_intercept[] = "Hit No Intercept";
char reason_invalid_intercept_param[] = "Invalid Intercept Param";
ret = tfe_cmsg_get_value(cmsg, TFE_CMSG_POLICY_ID, (unsigned char *)&rule_id, sizeof(rule_id), &size); ret = tfe_cmsg_get_value(cmsg, TFE_CMSG_POLICY_ID, (unsigned char *)&rule_id, sizeof(rule_id), &size);
if (ret < 0) if (ret < 0)
@@ -254,6 +273,22 @@ int intercept_policy_enforce(struct intercept_policy_enforcer *enforcer, struct
goto error_passthrough; goto error_passthrough;
} }
// intercept
if (param->action == 2)
{
tcp_passthrough = 0;
hit_no_intercept = 0;
}
// not intercept
else
{
tcp_passthrough = 1;
hit_no_intercept = 1;
tfe_cmsg_set(cmsg, TFE_CMSG_SSL_PASSTHROUGH_REASON, (const unsigned char *)&reason_hit_no_intercept, strlen(reason_hit_no_intercept));
}
tfe_cmsg_set(cmsg, TFE_CMSG_TCP_PASSTHROUGH, (const unsigned char *)&tcp_passthrough, sizeof(tcp_passthrough));
tfe_cmsg_set(cmsg, TFE_CMSG_HIT_NO_INTERCEPT, (const unsigned char *)&hit_no_intercept, sizeof(hit_no_intercept));
tfe_cmsg_set(cmsg, TFE_CMSG_TCP_OPTION_PROFILE_ID, (const unsigned char *)&(param->tcp_option_profile), sizeof(param->tcp_option_profile)); tfe_cmsg_set(cmsg, TFE_CMSG_TCP_OPTION_PROFILE_ID, (const unsigned char *)&(param->tcp_option_profile), sizeof(param->tcp_option_profile));
tfe_cmsg_set(cmsg, TFE_CMSG_DECRYPTION_PROFILE_ID, (const unsigned char *)&(param->decryption_profile), sizeof(param->decryption_profile)); tfe_cmsg_set(cmsg, TFE_CMSG_DECRYPTION_PROFILE_ID, (const unsigned char *)&(param->decryption_profile), sizeof(param->decryption_profile));
tfe_cmsg_set(cmsg, TFE_CMSG_KEYRING_FOR_TRUSTED_ID, (const unsigned char *)&(param->keyring_for_trusted), sizeof(param->keyring_for_trusted)); tfe_cmsg_set(cmsg, TFE_CMSG_KEYRING_FOR_TRUSTED_ID, (const unsigned char *)&(param->keyring_for_trusted), sizeof(param->keyring_for_trusted));
@@ -264,8 +299,9 @@ int intercept_policy_enforce(struct intercept_policy_enforcer *enforcer, struct
return 0; return 0;
error_passthrough: error_passthrough:
tfe_cmsg_set(cmsg, TFE_CMSG_TCP_PASSTHROUGH, (const unsigned char *)&passthrough, sizeof(passthrough)); tcp_passthrough = 1;
tfe_cmsg_set(cmsg, TFE_CMSG_SSL_PASSTHROUGH_REASON, (const unsigned char *)&reason, strlen(reason)); tfe_cmsg_set(cmsg, TFE_CMSG_TCP_PASSTHROUGH, (const unsigned char *)&tcp_passthrough, sizeof(tcp_passthrough));
tfe_cmsg_set(cmsg, TFE_CMSG_SSL_PASSTHROUGH_REASON, (const unsigned char *)&reason_invalid_intercept_param, strlen(reason_invalid_intercept_param));
return -1; return -1;
} }

10
plugin/business/traffic-mirror/src/entry.cpp
View File

@@ -144,7 +144,7 @@ success:
goto out; goto out;
ignore: ignore:
TFE_LOG_ERROR(instance->logger, "table line in TSG_SECURITY_COMPILE ignored %s: %s", key, table_line); TFE_LOG_ERROR(instance->logger, "table line in PXY_INTERCEPT_COMPILE ignored %s: %s", key, table_line);
goto out; goto out;
out: out:
@@ -471,10 +471,10 @@ int traffic_mirror_init(struct tfe_proxy * proxy)
} }
/* REGISTER MAAT FEATHER */ /* REGISTER MAAT FEATHER */
instance->policy_table_id = maat_get_table_id(instance->maat_feather, "TSG_SECURITY_COMPILE"); instance->policy_table_id = maat_get_table_id(instance->maat_feather, "PXY_INTERCEPT_COMPILE");
if (instance->policy_table_id < 0) if (instance->policy_table_id < 0)
{ {
TFE_LOG_ERROR(instance->logger, "failed at register table TSG_SECURITY_COMPILE, ret = %d", TFE_LOG_ERROR(instance->logger, "failed at register table PXY_INTERCEPT_COMPILE, ret = %d",
instance->policy_table_id); goto errout; instance->policy_table_id); goto errout;
} }
@@ -485,13 +485,13 @@ int traffic_mirror_init(struct tfe_proxy * proxy)
instance->profile_table_id); goto errout; instance->profile_table_id); goto errout;
} }
result = maat_plugin_table_ex_schema_register(instance->maat_feather, "TSG_SECURITY_COMPILE", result = maat_plugin_table_ex_schema_register(instance->maat_feather, "PXY_INTERCEPT_COMPILE",
policy_table_ex_data_new_cb, policy_table_ex_data_free_cb, policy_table_ex_data_dup_cb, policy_table_ex_data_new_cb, policy_table_ex_data_free_cb, policy_table_ex_data_dup_cb,
0, instance); 0, instance);
if(result < 0) if(result < 0)
{ {
TFE_LOG_ERROR(instance->logger, "failed at maat_plugin_table_ex_schema_register(TSG_SECURITY_COMPILE), " TFE_LOG_ERROR(instance->logger, "failed at maat_plugin_table_ex_schema_register(PXY_INTERCEPT_COMPILE), "
"table_id = %d, ret = %d", instance->policy_table_id, result); "table_id = %d, ret = %d", instance->policy_table_id, result);
goto errout; goto errout;
} }

2
resource/pangu/doh.json
View File

@@ -159,7 +159,7 @@
] ]
}, },
{ {
"table_name": "TSG_SECURITY_COMPILE", "table_name": "PXY_INTERCEPT_COMPILE",
"table_content": [ "table_content": [
"0\t0\t2\t1\t1\t{}\t{\"protocol\":\"SSL\",\"keyring\":765,\"decryption\":0},\"traffic_mirror\":{\"enable\":0}}\t1\t2", "0\t0\t2\t1\t1\t{}\t{\"protocol\":\"SSL\",\"keyring\":765,\"decryption\":0},\"traffic_mirror\":{\"enable\":0}}\t1\t2",
"656\t0\t2\t1\t1\t{}\t{\"protocol\":\"SSL\",\"keyring\":1,\"decryption\":0},\"traffic_mirror\":{\"enable\":0}}\t1\t2", "656\t0\t2\t1\t1\t{}\t{\"protocol\":\"SSL\",\"keyring\":1,\"decryption\":0},\"traffic_mirror\":{\"enable\":0}}\t1\t2",

2
resource/pangu/pangu_http.json
View File

@@ -259,7 +259,7 @@
] ]
}, },
{ {
"table_name": "TSG_SECURITY_COMPILE", "table_name": "PXY_INTERCEPT_COMPILE",
"table_content": [ "table_content": [
"0\t0\t2\t1\t1\t{}\t{\"protocol\":\"SSL\",\"keyring_for_trusted\":765,\"keyring_for_untrusted\":10,\"decryption\":0,\"tcp_option_profile\":1,\"traffic_mirror\":{\"enable\":0}}\t1\t2", "0\t0\t2\t1\t1\t{}\t{\"protocol\":\"SSL\",\"keyring_for_trusted\":765,\"keyring_for_untrusted\":10,\"decryption\":0,\"tcp_option_profile\":1,\"traffic_mirror\":{\"enable\":0}}\t1\t2",
"4\t0\t2\t1\t1\t{}\t{\"protocol\":\"SSL\",\"keyring_for_trusted\":1,\"keyring_for_untrusted\":10,\"decryption\":0,\"tcp_option_profile\":1,\"traffic_mirror\":{\"enable\":1,\"mirror_profile\":1234}}\t1\t2" "4\t0\t2\t1\t1\t{}\t{\"protocol\":\"SSL\",\"keyring_for_trusted\":1,\"keyring_for_untrusted\":10,\"decryption\":0,\"tcp_option_profile\":1,\"traffic_mirror\":{\"enable\":1,\"mirror_profile\":1234}}\t1\t2"

2
resource/pangu/table_info.conf
View File

@@ -326,7 +326,7 @@
}, },
{ {
"table_id":29, "table_id":29,
"table_name":"TSG_SECURITY_COMPILE", "table_name":"PXY_INTERCEPT_COMPILE",
"table_type":"plugin", "table_type":"plugin",
"valid_column":8, "valid_column":8,
"custom": { "custom": {

2
resource/pangu/table_info_traffic_mirror.conf
View File

@@ -1,7 +1,7 @@
[ [
{ {
"table_id":0, "table_id":0,
"table_name":"TSG_SECURITY_COMPILE", "table_name":"PXY_INTERCEPT_COMPILE",
"table_type":"plugin", "table_type":"plugin",
"valid_column":8, "valid_column":8,
"custom": { "custom": {