TSG-23925 Support scanning of source_zone and destination_zone, and remove the internal/external IP and port scan

This commit is contained in:
fengweihao
2024-11-27 17:26:57 +08:00
parent 43cbb3745f
commit dd4e2e6d66
7 changed files with 58 additions and 146 deletions


@@ -38,29 +38,7 @@ struct library_tag_ctx
void app_id_dict_free(struct app_id_dict *app_dict);
void library_tag_free(struct library_tag_ctx *library_tags);
enum scan_common_table
{
PXY_CTRL_SOURCE_IP,
PXY_CTRL_DESTINATION_IP,
PXY_CTRL_INTERNAL_IP,
PXY_CTRL_EXTERNAL_IP,
PXY_CTRL_SOURCE_PORT,
PXY_CTRL_DESTINATION_PORT,
PXY_CTRL_INTERNAL_PORT,
PXY_CTRL_EXTERNAL_PORT,
PXY_CTRL_IP_PROTOCOL,
PXY_CTRL_SUBSCRIBER_ID,
PXY_CTRL_APP_ID_DICT,
PXY_CTRL_LIBRARY_TAG,
PXY_CTRL_IMSI,
PXY_CTRL_APN,
PXY_CTRL_PHONE_NUMBER,
PXY_CTRL_GTP_IMEI,
__SCAN_COMMON_TABLE_MAX
};
int tfe_env_init();
int tfe_bussiness_tableid_get(enum scan_common_table type);
int tfe_get_vsys_id();
const char *tfe_get_device_id();


@@ -12,5 +12,6 @@ int tfe_scan_ipv4_addr(const struct tfe_stream *stream, uuid_t *result, struct m
int tfe_scan_ipv6_addr(const struct tfe_stream *stream, uuid_t *result, struct maat_state *scan_mid, int hit_cnt, struct ipaddr sapp_addr);
int tfe_scan_port(const struct tfe_stream *stream, uuid_t *result, struct maat_state *scan_mid, int hit_cnt, uint16_t source, uint16_t dest);
int tfe_scan_device(const struct tfe_stream *stream, uuid_t *result, struct maat_state *scan_mid, int hit_cnt, void *logger);
int tfe_scan_zone(const struct tfe_stream *stream, uuid_t *result, struct maat_state *scan_mid, int hit_cnt);
int tfe_get_library_tags(const struct tfe_stream *stream, cJSON *common_obj, tfe_cmsg_tlv_type tlv_type, const char *tag_key);
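Review bot: The newly added `tfe_scan_zone` prototype carries no documentation, and since it is the public entry point other modules now call, a one-line contract would help callers that merge its result into their hit counters. Something like `/* Scan TSG_OBJ_ZONE for SOURCE_ZONE and DESTINATION_ZONE, the zone pair chosen by the stream's route direction; returns the number of new hits (0 when none). */` above the declaration captures what the implementation visibly does. Whether the hits are written at result+hit_cnt depends on scan_object, which is not visible in this commit, so I would not state that in the comment without checking.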


@@ -9,7 +9,6 @@
#define MAAT_INPUT_JSON 0
#define MAAT_INPUT_REDIS 1
static int scan_table_id[__SCAN_COMMON_TABLE_MAX];
static struct tfe_fieldstat_easy_t *fieldstat4_easy = NULL;
static char *device_tag=NULL;
@@ -454,7 +453,3 @@ int tfe_env_init()
return 0;
}
int tfe_bussiness_tableid_get(enum scan_common_table type)
{
return scan_table_id[type];
}


@@ -40,85 +40,6 @@ static int get_route_dir(const struct tfe_stream * stream)
return (route_dir==69) ? 1 : 0;
}
const char *get_filed_name(const struct tfe_stream *stream, enum scan_common_table table_type)
{
int c2s = 0;
const char *filed_name=NULL;
int dir_is_e2i = get_route_dir(stream);
if (table_type == PXY_CTRL_SOURCE_IP || table_type == PXY_CTRL_DESTINATION_IP || table_type == PXY_CTRL_SOURCE_PORT || table_type == PXY_CTRL_DESTINATION_PORT)
{
c2s = (table_type == PXY_CTRL_SOURCE_IP || table_type == PXY_CTRL_SOURCE_PORT) ? 1 : 0;
if(table_type == PXY_CTRL_SOURCE_IP || table_type == PXY_CTRL_DESTINATION_IP)
{
filed_name = (c2s == dir_is_e2i) ? "INTERNAL_IP" : "EXTERNAL_IP";
}
if(table_type == PXY_CTRL_SOURCE_PORT || table_type == PXY_CTRL_DESTINATION_PORT)
{
filed_name = (c2s == dir_is_e2i) ? "INTERNAL_PORT" : "EXTERNAL_PORT";
}
}
return filed_name;
}
const char *get_table_name(const struct tfe_stream *stream, enum scan_common_table table_type)
{
const char *table_name=NULL;
switch (table_type)
{
case PXY_CTRL_SOURCE_IP:
case PXY_CTRL_DESTINATION_IP:
table_name = "TSG_OBJ_IP_ADDR";
break;
case PXY_CTRL_SOURCE_PORT:
case PXY_CTRL_DESTINATION_PORT:
table_name = "TSG_OBJ_PORT";
break;
default:
break;
}
return table_name;
}
int tfe_scan_internal_exteral_by_last_group(const struct tfe_stream *stream, uuid_t *result, struct maat_state *scan_mid, int hit_cnt, enum scan_common_table table_type)
{
size_t array_size=256, n_hit_result = 0;
int hit_cnt_group = 0, scan_ret = 0;
struct maat_hit_object last_hit_objects[256] = {0};
const char *table_name = get_table_name(stream, table_type);
if(table_name == NULL)
{
return hit_cnt_group;
}
const char *filed_name = get_filed_name(stream, table_type);
if(filed_name == NULL)
{
return hit_cnt_group;
}
size_t n_last_hit_object = maat_state_get_last_hit_object_cnt(scan_mid);
if(n_last_hit_object > 0)
{
maat_state_get_last_hit_objects(scan_mid, last_hit_objects, array_size);
scan_ret = maat_scan_object(tfe_get_maat_handle(), table_name, filed_name, last_hit_objects, array_size, result+hit_cnt+hit_cnt_group,
MAX_SCAN_RESULT-hit_cnt-hit_cnt_group, &n_hit_result, scan_mid);
if(scan_ret == MAAT_SCAN_HIT)
{
hit_cnt_group += n_hit_result;
}
scan_ret = maat_scan_not_logic(tfe_get_maat_handle(), table_name, filed_name,
result+hit_cnt+hit_cnt_group, MAX_SCAN_RESULT-hit_cnt-hit_cnt_group, &n_hit_result, scan_mid);
if (scan_ret == MAAT_SCAN_HIT)
{
hit_cnt_group += n_hit_result;
}
}
return hit_cnt_group;
}
int tfe_get_entry_tags(const struct tfe_stream * stream, enum tfe_cmsg_tlv_type tlv_type, uuid_t *opt_val)
{
int n_tag_ids = 0;
@@ -240,11 +161,6 @@ int tfe_scan_ip_tags(const struct tfe_stream *stream, uuid_t *result, struct maa
{
TFE_LOG_INFO(logger, "Scan Src TAGS, NO hit scan ret: %d addr: %s", scan_ret, stream->str_stream_info);
}
scan_ret = tfe_scan_internal_exteral_by_last_group(stream, result, scan_mid, hit_cnt, PXY_CTRL_SOURCE_IP);
if(scan_ret > 0)
{
hit_cnt_ip += scan_ret;
}
}
memset(opt_val, 0, sizeof(opt_val));
@@ -273,11 +189,6 @@ int tfe_scan_ip_tags(const struct tfe_stream *stream, uuid_t *result, struct maa
{
TFE_LOG_INFO(logger, "Scan Dst TAGS, NO hit scan ret: %d addr: %s", scan_ret, stream->str_stream_info);
}
scan_ret = tfe_scan_internal_exteral_by_last_group(stream, result, scan_mid, hit_cnt, PXY_CTRL_DESTINATION_IP);
if(scan_ret > 0)
{
hit_cnt_ip += scan_ret;
}
}
return hit_cnt_ip;
}
@@ -420,11 +331,6 @@ int tfe_scan_port(const struct tfe_stream *stream, uuid_t *result, struct maat_s
if(scan_ret == MAAT_SCAN_HIT)
{
hit_cnt_port+=n_hit_result;
}
scan_ret = tfe_scan_internal_exteral_by_last_group(stream, result, scan_mid, hit_cnt, PXY_CTRL_SOURCE_PORT);
if(scan_ret > 0)
{
hit_cnt_port+=scan_ret;
}
scan_ret = maat_scan_not_logic(tfe_get_maat_handle(), "TSG_OBJ_PORT", "SOURCE_PORT",
result+hit_cnt+hit_cnt_port, MAX_SCAN_RESULT-hit_cnt-hit_cnt_port, &n_hit_result, scan_mid);
@@ -438,11 +344,6 @@ int tfe_scan_port(const struct tfe_stream *stream, uuid_t *result, struct maat_s
if(scan_ret == MAAT_SCAN_HIT)
{
hit_cnt_port+=n_hit_result;
}
scan_ret = tfe_scan_internal_exteral_by_last_group(stream, result, scan_mid, hit_cnt, PXY_CTRL_DESTINATION_PORT);
if(scan_ret > 0)
{
hit_cnt_port+=scan_ret;
}
scan_ret = maat_scan_not_logic(tfe_get_maat_handle(), "TSG_OBJ_PORT", "DESTINATION_PORT", result+hit_cnt+hit_cnt_port,
MAX_SCAN_RESULT-hit_cnt-hit_cnt_port, &n_hit_result, scan_mid);
@@ -454,6 +355,47 @@ int tfe_scan_port(const struct tfe_stream *stream, uuid_t *result, struct maat_s
return hit_cnt_port;
}
#define INTERNAL_ZONE_OBJECT_UUID "00000000-0000-0000-0000-000000000008"
#define EXTERNAL_ZONE_OBJECT_UUID "00000000-0000-0000-0000-000000000009"
int tfe_scan_zone(const struct tfe_stream *stream, uuid_t *result, struct maat_state *scan_mid, int hit_cnt)
{
int scan_ret = 0;
int hit_cnt_zone = 0;
struct maat_hit_object source_zone_objects, dest_zone_objects;
uuid_t internal_objects_uuid;
const char *internal_objects_uuid_str = INTERNAL_ZONE_OBJECT_UUID;
uuid_parse(internal_objects_uuid_str, internal_objects_uuid);
uuid_t external_objects_uuid;
const char *external_objects_uuid_str = EXTERNAL_ZONE_OBJECT_UUID;
uuid_parse(external_objects_uuid_str, external_objects_uuid);
if(get_route_dir(stream))
{
uuid_copy(source_zone_objects.object_uuid, internal_objects_uuid);
uuid_copy(dest_zone_objects.object_uuid, external_objects_uuid);
}
else
{
uuid_copy(source_zone_objects.object_uuid, external_objects_uuid);
uuid_copy(dest_zone_objects.object_uuid, internal_objects_uuid);
}
scan_ret = scan_object(result, scan_mid, hit_cnt, source_zone_objects, "TSG_OBJ_ZONE", "SOURCE_ZONE");
if (scan_ret > 0)
{
hit_cnt_zone += scan_ret;
}
scan_ret = scan_object(result, scan_mid, hit_cnt, source_zone_objects, "TSG_OBJ_ZONE", "DESTINATION_ZONE");
if (scan_ret > 0)
{
hit_cnt_zone += scan_ret;
}
return hit_cnt_zone;
}
#define PROTOCOL_TCP_UUID_ID "00000000-0000-0000-0000-000000000006"
int tfe_scan_ipv4_addr(const struct tfe_stream *stream, uuid_t *result, struct maat_state *scan_mid, int hit_cnt, struct ipaddr sapp_addr)
{
@@ -485,11 +427,6 @@ int tfe_scan_ipv4_addr(const struct tfe_stream *stream, uuid_t *result, struct m
if (scan_ret == MAAT_SCAN_HIT)
{
hit_cnt_ip += n_hit_result;
}
scan_ret = tfe_scan_internal_exteral_by_last_group(stream, result, scan_mid, hit_cnt, PXY_CTRL_SOURCE_IP);
if(scan_ret > 0)
{
hit_cnt_ip += scan_ret;
}
scan_ret = maat_scan_not_logic(tfe_get_maat_handle(), "TSG_OBJ_IP_ADDR", "SOURCE_IP", result+hit_cnt+hit_cnt_ip,
MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip, &n_hit_result, scan_mid);
@@ -503,11 +440,6 @@ int tfe_scan_ipv4_addr(const struct tfe_stream *stream, uuid_t *result, struct m
if(scan_ret == MAAT_SCAN_HIT)
{
hit_cnt_ip += n_hit_result;
}
scan_ret = tfe_scan_internal_exteral_by_last_group(stream, result, scan_mid, hit_cnt, PXY_CTRL_DESTINATION_IP);
if(scan_ret > 0)
{
hit_cnt_ip += scan_ret;
}
scan_ret = maat_scan_not_logic(tfe_get_maat_handle(), "TSG_OBJ_IP_ADDR", "DESTINATION_IP",
result+hit_cnt+hit_cnt_ip, MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip, &n_hit_result, scan_mid);
@@ -548,11 +480,6 @@ int tfe_scan_ipv6_addr(const struct tfe_stream *stream, uuid_t *result, struct m
if (scan_ret == MAAT_SCAN_HIT)
{
hit_cnt_ip += n_hit_result;
}
scan_ret = tfe_scan_internal_exteral_by_last_group(stream, result, scan_mid, hit_cnt, PXY_CTRL_SOURCE_IP);
if(scan_ret > 0)
{
hit_cnt_ip += scan_ret;
}
scan_ret = maat_scan_not_logic(tfe_get_maat_handle(), "TSG_OBJ_IP_ADDR", "SOURCE_IP",
result+hit_cnt+hit_cnt_ip, MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip, &n_hit_result, scan_mid);
@@ -566,11 +493,6 @@ int tfe_scan_ipv6_addr(const struct tfe_stream *stream, uuid_t *result, struct m
if (scan_ret == MAAT_SCAN_HIT)
{
hit_cnt_ip += n_hit_result;
}
scan_ret = tfe_scan_internal_exteral_by_last_group(stream, result, scan_mid, hit_cnt, PXY_CTRL_DESTINATION_IP);
if(scan_ret > 0)
{
hit_cnt_ip += scan_ret;
}
scan_ret = maat_scan_not_logic(tfe_get_maat_handle(), "TSG_OBJ_IP_ADDR", "DESTINATION_IP",
result+hit_cnt+hit_cnt_ip, MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip, &n_hit_result, scan_mid);


@@ -353,6 +353,11 @@ static void doh_maat_scan(const struct tfe_stream *stream, const struct tfe_http
{
hit_cnt += scan_ret;
}
scan_ret = tfe_scan_zone(stream, result, ctx->scan_mid, hit_cnt);
if(scan_ret > 0)
{
hit_cnt += scan_ret;
}
// scan qname
scan_ret = maat_scan_string(g_doh_conf->maat, "TSG_OBJ_FQDN", "DOH_QNAME", qname, strlen(qname),


@@ -3073,6 +3073,12 @@ void proxy_on_http_begin(const struct tfe_stream *stream, const struct tfe_http_
hit_cnt += scan_ret;
}
scan_ret = tfe_scan_zone(stream, ctx->result, ctx->scan_mid, hit_cnt);
if(scan_ret > 0)
{
hit_cnt += scan_ret;
}
addr_tfe2sapp(stream->addr, &sapp_addr);
if (sapp_addr.addrtype == ADDR_TYPE_IPV4)
{


@@ -246,5 +246,10 @@
"table_id":33,
"table_name":"TSG_OBJ_IMEI",
"table_type":"expr"
},
{
"table_id": 34,
"table_name": "TSG_OBJ_ZONE",
"table_type": "expr"
}
]