TSG-14484 Pxoxy支持Maat4

This commit is contained in:
fengweihao
2023-03-30 19:39:18 +08:00
parent a2a4c32384
commit df39fcda90
23 changed files with 1219 additions and 564 deletions


@@ -34,8 +34,8 @@ env | sort
# Install dependency from YUM
yum install -y mrzcpd numactl-devel zlib-devel librdkafka-devel systemd-devel
yum install -y libcjson-devel libmaatframe-devel libMESA_field_stat2-devel libMESA_handle_logger-devel libelua-devel
yum install -y libMESA_htable-devel libMESA_prof_load-devel librulescan-devel libwiredcfg-devel libWiredLB-devel sapp-devel libbreakpad_mini-devel
yum install -y libcjson-devel libmaat4-devel libMESA_field_stat2-devel libMESA_handle_logger-devel libelua-devel
yum install -y libMESA_htable-devel libMESA_prof_load-devel libwiredcfg-devel libWiredLB-devel sapp-devel libbreakpad_mini-devel
yum install -y libasan
if [ $ASAN_OPTION ];then


@@ -3,11 +3,11 @@
#include <tfe_stream.h>
#define MAX_SCAN_RESULT 16
int tfe_scan_subscribe_id(const struct tfe_stream *stream, struct Maat_rule_t *result, scan_status_t *scan_mid,
int hit_cnt, unsigned int thread_id, void *logger);
int tfe_scan_ip_asn(const struct tfe_stream *stream, struct Maat_rule_t *result, scan_status_t *scan_mid,
int hit_cnt, unsigned int thread_id, void *logger, char **asn_server, char **asn_client);
int tfe_scan_ip_location(const struct tfe_stream *stream, struct Maat_rule_t *result, scan_status_t *scan_mid,
int hit_cnt, unsigned int thread_id, void *logger, char **location_server, char **location_client);
int tfe_scan_fqdn_cat(const struct tfe_stream *stream, struct Maat_rule_t *result, scan_status_t *scan_mid,
int hit_cnt, unsigned int thread_id, void *logger, int table_id);
int tfe_scan_subscribe_id(const struct tfe_stream *stream, long long *result, struct maat_state *scan_mid,
int hit_cnt, void *logger);
int tfe_scan_ip_asn(const struct tfe_stream *stream, long long *result, struct maat_state *scan_mid,
int hit_cnt, void *logger, char **asn_server, char **asn_client);
int tfe_scan_ip_location(const struct tfe_stream *stream, long long *result, struct maat_state *scan_mid,
int hit_cnt, void *logger, char **location_server, char **location_client);
int tfe_scan_fqdn_cat(const struct tfe_stream *stream, long long *result, struct maat_state *scan_mid,
int hit_cnt, void *logger, int table_id);
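Review bot: The new prototypes swap `result` from a rule struct to a bare `long long *` and drop `thread_id`, but the header still says nothing about the buffer contract the implementation relies on: tfe_scan.c writes at `result + hit_cnt + hit_cnt_ip` with capacity `MAX_SCAN_RESULT - hit_cnt - hit_cnt_ip`, so a caller must pass an array of at least `MAX_SCAN_RESULT` entries and a `hit_cnt` no larger than that. A comment above the four declarations would stop the next caller from sizing the array to its own expectations, e.g. `/* result: array of MAX_SCAN_RESULT ids, hit_cnt of which are already filled; returns the number of new ids appended at result + hit_cnt (0 on no hit). */`. The meaning of `scan_mid` (per-stream maat state) and whether it may be NULL is not visible here and should be stated by whoever owns libmaat4's contract.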


@@ -1,5 +1,5 @@
#include <MESA/MESA_prof_load.h>
#include <MESA/Maat_rule.h>
#include <MESA/maat.h>
#include <cjson/cJSON.h>
#include <tfe_kafka_logger.h>
#include <tfe_proxy.h>
@@ -15,16 +15,16 @@ struct maat_table_info
const char *name;
};
static Maat_feather_t static_maat = NULL;
static struct maat *static_maat = NULL;
static tfe_kafka_logger_t *kafka_logger = NULL;
static char *device_id = NULL;
static char *effective_device_tag=NULL;
static Maat_feather_t create_maat_feather(const char *instance_name, const char *profile, const char *section, int max_thread, void *logger)
static struct maat *create_maat_feather(const char *instance_name, const char *profile, const char *section, int max_thread, void *logger)
{
Maat_feather_t target;
struct maat *target=NULL;
int input_mode = 0, maat_stat_on = 0, maat_perf_on = 0;
int ret = 0, scan_detail = 0, effect_interval = 60;
int ret = 0, effect_interval = 60, log_level=0;
char table_info[TFE_STRING_MAX] = {0}, inc_cfg_dir[TFE_STRING_MAX] = {0}, ful_cfg_dir[TFE_STRING_MAX] = {0};
char redis_server[TFE_STRING_MAX] = {0};
char redis_port_range[TFE_STRING_MAX] = {0};
@@ -50,11 +50,14 @@ static Maat_feather_t create_maat_feather(const char *instance_name, const char
MESA_load_profile_string_def(profile, section, "stat_file", maat_stat_file, sizeof(maat_stat_file), "");
MESA_load_profile_int_def(profile, section, "effect_interval_s", &(effect_interval), 60);
MESA_load_profile_int_def(profile, section, "deferred_load_on", &(deferred_load_on), 0);
MESA_load_profile_int_def(profile, section, "log_level", &(log_level), LOG_LEVEL_FATAL);
effect_interval *= 1000; //convert s to ms
target = Maat_feather(max_thread, table_info, logger);
Maat_set_feather_opt(target, MAAT_OPT_INSTANCE_NAME, instance_name, strlen(instance_name) + 1);
struct maat_options *opts = maat_options_new();
maat_options_set_logger(opts, "log/maat.log", (enum log_level)log_level);
maat_options_set_instance_name(opts, instance_name);
maat_options_set_caller_thread_number(opts, max_thread);
switch (input_mode)
{
case MAAT_INPUT_JSON:
@@ -63,8 +66,7 @@ static Maat_feather_t create_maat_feather(const char *instance_name, const char
TFE_LOG_ERROR(logger, "Invalid json_cfg_file, MAAT init failed.");
goto error_out;
}
Maat_set_feather_opt(target, MAAT_OPT_JSON_FILE_PATH, json_cfg_file, strlen(json_cfg_file) + 1);
maat_options_set_json_file(opts, json_cfg_file);
break;
case MAAT_INPUT_REDIS:
if (!strlen(redis_server))
@@ -89,10 +91,7 @@ static Maat_feather_t create_maat_feather(const char *instance_name, const char
goto error_out;
}
Maat_set_feather_opt(target, MAAT_OPT_REDIS_IP, redis_server, strlen(redis_server) + 1);
Maat_set_feather_opt(target, MAAT_OPT_REDIS_PORT, &redis_port_select, sizeof(redis_port_select));
Maat_set_feather_opt(target, MAAT_OPT_REDIS_INDEX, &redis_db_idx, sizeof(redis_db_idx));
maat_options_set_redis(opts, redis_server, redis_port_select, redis_db_idx);
break;
case MAAT_INPUT_FILE:
if (!strlen(ful_cfg_dir))
@@ -106,50 +105,47 @@ static Maat_feather_t create_maat_feather(const char *instance_name, const char
TFE_LOG_ERROR(logger, "Invalid inc_cfg_dir, MAAT init failed.");
goto error_out;
}
Maat_set_feather_opt(target, MAAT_OPT_FULL_CFG_DIR, ful_cfg_dir, strlen(ful_cfg_dir) + 1);
Maat_set_feather_opt(target, MAAT_OPT_INC_CFG_DIR, inc_cfg_dir, strlen(inc_cfg_dir) + 1);
maat_options_set_iris(opts, ful_cfg_dir, inc_cfg_dir);
break;
default:
TFE_LOG_ERROR(logger, "Invalid MAAT Input Mode: %d.", input_mode);
goto error_out;
break;
}
Maat_set_feather_opt(target, MAAT_OPT_FOREIGN_CONT_DIR, "./pangu_files", strlen("./pangu_files") + 1);
if (maat_stat_on)
{
Maat_set_feather_opt(target, MAAT_OPT_STAT_FILE_PATH, maat_stat_file, strlen(maat_stat_file) + 1);
Maat_set_feather_opt(target, MAAT_OPT_STAT_ON, NULL, 0);
if (maat_perf_on)
{
Maat_set_feather_opt(target, MAAT_OPT_PERF_ON, NULL, 0);
}
}
maat_options_set_foreign_cont_dir(opts, "./pangu_files");
if (maat_stat_on)
{
maat_options_set_stat_on(opts);
if (maat_perf_on)
{
maat_options_set_perf_on(opts);
}
}
if (deferred_load_on)
{
Maat_set_feather_opt(target, MAAT_OPT_DEFERRED_LOAD, &deferred_load_on, sizeof(deferred_load_on));
maat_options_set_deferred_load_on(opts);
}
Maat_set_feather_opt(target, MAAT_OPT_EFFECT_INVERVAL_MS, &effect_interval, sizeof(effect_interval));
Maat_set_feather_opt(target, MAAT_OPT_SCAN_DETAIL, &scan_detail, sizeof(scan_detail));
maat_options_set_rule_effect_interval_ms(opts, effect_interval);
if (strlen(accept_path) > 0)
{
MESA_load_profile_string_def(accept_path, "maat", "ACCEPT_TAGS", accept_tags, sizeof(accept_tags), "{\"tags\":[{\"tag\":\"device_id\",\"value\":\"device_1\"}]}");
Maat_set_feather_opt(target, MAAT_OPT_ACCEPT_TAGS, &accept_tags, sizeof(accept_tags));
maat_options_set_accept_tags(opts, accept_tags);
TFE_LOG_INFO(logger, "tfe accept tags : %s", accept_tags);
}
ret = Maat_initiate_feather(target);
if (ret < 0)
target = maat_new(opts, table_info);
if (!target)
{
TFE_LOG_ERROR(logger, "%s MAAT init failed.", __FUNCTION__);
goto error_out;
}
return target;
maat_options_free(opts);
return target;
error_out:
Maat_burn_feather(target);
maat_options_free(opts);
return NULL;
}
@@ -277,7 +273,7 @@ static int register_maat_table()
{
for (int i = 0; i < TABLE_TYPE_MAX; i++)
{
maat_pub_tables[i].id = Maat_table_register(static_maat, maat_pub_tables[i].name);
maat_pub_tables[i].id = maat_get_table_id(static_maat, maat_pub_tables[i].name);
if (maat_pub_tables[i].id < 0)
{
TFE_LOG_ERROR(g_default_logger, "Maat table %s register failed.", maat_pub_tables[i].name);
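Review bot: In the rebuilt tail of `create_maat_feather` (hunk `@@ -106,50 +105,47 @@`), `maat_options_free(opts)` runs right after a successful `maat_new(opts, table_info)`, which is only correct if `maat_new` copies what it needs out of `opts`; if it retains the pointer, the success path frees live configuration, so this deserves a confirming comment such as `/* maat_new copies opts; safe to free here */` once checked against libmaat4. Further up the same function `opts` comes from `maat_options_new()` with no NULL check, and none of the `maat_options_set_*` results are examined, so a failed setter (an unwritable `log/maat.log`, for instance) silently produces an instance with default options. At minimum add `if (!opts) { TFE_LOG_ERROR(logger, "maat_options_new failed."); return NULL; }` before the first setter, and consider validating the config-supplied `log_level` before the `(enum log_level)` cast. The function begins before the first hunk shown here.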


@@ -1,12 +1,13 @@
#include <MESA/Maat_rule.h>
#include <MESA/maat.h>
#include <tfe_resource.h>
#include <tfe_scan.h>
int tfe_scan_subscribe_id(const struct tfe_stream *stream, struct Maat_rule_t *result, scan_status_t *scan_mid,
int hit_cnt, unsigned int thread_id, void *logger)
int tfe_scan_subscribe_id(const struct tfe_stream *stream, long long *result, struct maat_state *scan_mid,
int hit_cnt, void *logger)
{
int scan_ret = 0;
int hit_cnt_ip = 0;
size_t n_hit_result = 0;
uint16_t opt_out_size;
char dest_subscribe_id[TFE_STRING_MAX] = {0};
char source_subscribe_id[TFE_STRING_MAX] = {0};
@@ -28,15 +29,14 @@ int tfe_scan_subscribe_id(const struct tfe_stream *stream, struct Maat_rule_t *r
if (strlen(source_subscribe_id))
{
scan_ret = Maat_full_scan_string(tfe_bussiness_resouce_get(STATIC_MAAT), tfe_bussiness_tableid_get(TABLE_OBJ_SUBSCRIBER_ID),
CHARSET_UTF8, source_subscribe_id, strlen(source_subscribe_id),
result + hit_cnt + hit_cnt_ip, NULL, MAX_SCAN_RESULT - hit_cnt - hit_cnt_ip,
scan_mid, (int)thread_id);
if (scan_ret > 0)
scan_ret = maat_scan_string((struct maat *)tfe_bussiness_resouce_get(STATIC_MAAT), tfe_bussiness_tableid_get(TABLE_OBJ_SUBSCRIBER_ID),
source_subscribe_id, strlen(source_subscribe_id),result + hit_cnt + hit_cnt_ip,
MAX_SCAN_RESULT - hit_cnt - hit_cnt_ip, &n_hit_result, scan_mid);
if (scan_ret == MAAT_SCAN_HIT)
{
TFE_LOG_INFO(logger, "Scan src TSG_OBJ_SUBSCRIBER_ID, Hit subid: %s scan ret: %d policy_id: %d service: %d action: %d addr: %s",
source_subscribe_id, scan_ret, result[hit_cnt + hit_cnt_ip].config_id, result[hit_cnt + hit_cnt_ip].service_id, result[hit_cnt + hit_cnt_ip].action, stream->str_stream_info);
hit_cnt_ip += scan_ret;
TFE_LOG_INFO(logger, "Scan src TSG_OBJ_SUBSCRIBER_ID, Hit subid: %s scan ret: %d policy_id: %lld addr: %s",
source_subscribe_id, scan_ret, result[hit_cnt + hit_cnt_ip], stream->str_stream_info);
hit_cnt_ip += n_hit_result;
}
else
{
@@ -47,15 +47,14 @@ int tfe_scan_subscribe_id(const struct tfe_stream *stream, struct Maat_rule_t *r
if (strlen(dest_subscribe_id))
{
scan_ret = Maat_full_scan_string(tfe_bussiness_resouce_get(STATIC_MAAT), tfe_bussiness_tableid_get(TABLE_OBJ_SUBSCRIBER_ID),
CHARSET_UTF8, dest_subscribe_id, strlen(dest_subscribe_id),
result + hit_cnt + hit_cnt_ip, NULL, MAX_SCAN_RESULT - hit_cnt - hit_cnt_ip,
scan_mid, (int)thread_id);
if (scan_ret > 0)
scan_ret = maat_scan_string((struct maat *)tfe_bussiness_resouce_get(STATIC_MAAT), tfe_bussiness_tableid_get(TABLE_OBJ_SUBSCRIBER_ID),
dest_subscribe_id, strlen(dest_subscribe_id),result + hit_cnt + hit_cnt_ip,
MAX_SCAN_RESULT - hit_cnt - hit_cnt_ip,&n_hit_result, scan_mid);
if (scan_ret == MAAT_SCAN_HIT)
{
TFE_LOG_INFO(logger, "Scan dst TSG_OBJ_SUBSCRIBER_ID, Hit subid: %s scan ret: %d policy_id: %d service: %d action: %d addr: %s",
dest_subscribe_id, scan_ret, result[hit_cnt + hit_cnt_ip].config_id, result[hit_cnt + hit_cnt_ip].service_id, result[hit_cnt + hit_cnt_ip].action, stream->str_stream_info);
hit_cnt_ip += scan_ret;
TFE_LOG_INFO(logger, "Scan dst TSG_OBJ_SUBSCRIBER_ID, Hit subid: %s scan ret: %d policy_id: %lld addr: %s",
dest_subscribe_id, scan_ret, result[hit_cnt + hit_cnt_ip], stream->str_stream_info);
hit_cnt_ip += n_hit_result;
}
else
{
@@ -67,13 +66,14 @@ int tfe_scan_subscribe_id(const struct tfe_stream *stream, struct Maat_rule_t *r
return hit_cnt_ip;
}
int tfe_scan_fqdn_cat(const struct tfe_stream *stream, struct Maat_rule_t *result, scan_status_t *scan_mid,
int hit_cnt, unsigned int thread_id, void *logger, int table_id)
int tfe_scan_fqdn_cat(const struct tfe_stream *stream, long long *result, struct maat_state *scan_mid,
int hit_cnt, void *logger, int table_id)
{
int scan_ret = 0;
unsigned int i = 0;
uint16_t opt_out_size;
int hit_cnt_fqdn = 0;
size_t n_hit_result = 0;
unsigned int category_id_num = 0;
unsigned int category_id_val[TFE_SYMBOL_MAX] = {0};
@@ -104,13 +104,13 @@ int tfe_scan_fqdn_cat(const struct tfe_stream *stream, struct Maat_rule_t *resul
for (i = 0; i < category_id_num && i < 8; i++)
{
scan_ret = Maat_scan_intval(tfe_bussiness_resouce_get(STATIC_MAAT), table_id, category_id_val[i], result + hit_cnt + hit_cnt_fqdn,
MAX_SCAN_RESULT - hit_cnt - hit_cnt_fqdn, scan_mid, (int)thread_id);
if (scan_ret > 0)
scan_ret = maat_scan_integer((struct maat *)tfe_bussiness_resouce_get(STATIC_MAAT), table_id, category_id_val[i], result + hit_cnt + hit_cnt_fqdn,
MAX_SCAN_RESULT - hit_cnt - hit_cnt_fqdn, &n_hit_result, scan_mid);
if (scan_ret == MAAT_SCAN_HIT)
{
TFE_LOG_INFO(logger, "Scan FQDN_CAT, Hit catid: %d scan ret: %d policy_id: %d service: %d action: %d addr: %s",
category_id_val[i], scan_ret, result[hit_cnt + hit_cnt_fqdn].config_id, result[hit_cnt + hit_cnt_fqdn].service_id, result[hit_cnt + hit_cnt_fqdn].action, stream->str_stream_info);
hit_cnt_fqdn += scan_ret;
TFE_LOG_INFO(logger, "Scan FQDN_CAT, Hit catid: %d scan ret: %d policy_id: %lld addr: %s",
category_id_val[i], scan_ret, result[hit_cnt + hit_cnt_fqdn], stream->str_stream_info);
hit_cnt_fqdn += n_hit_result;
}
else
{
@@ -121,11 +121,12 @@ int tfe_scan_fqdn_cat(const struct tfe_stream *stream, struct Maat_rule_t *resul
return hit_cnt_fqdn;
}
int tfe_scan_ip_location(const struct tfe_stream *stream, struct Maat_rule_t *result, scan_status_t *scan_mid,
int hit_cnt, unsigned int thread_id, void *logger, char **location_server, char **location_client)
int tfe_scan_ip_location(const struct tfe_stream *stream, long long *result, struct maat_state *scan_mid,
int hit_cnt, void *logger, char **location_server, char **location_client)
{
int scan_ret = 0;
int hit_cnt_ip = 0;
size_t n_hit_result = 0;
uint16_t opt_out_size;
char buff[TFE_STRING_MAX] = {0};
char src_city[TFE_STRING_MAX] = {0};
@@ -187,15 +188,14 @@ int tfe_scan_ip_location(const struct tfe_stream *stream, struct Maat_rule_t *re
memset(buff, 0, sizeof(buff));
snprintf(buff, sizeof(buff),"%s.%s.%s.%s.", dst_country, dst_provine, dst_city, dst_subdivsion);
scan_ret = Maat_full_scan_string(tfe_bussiness_resouce_get(STATIC_MAAT), tfe_bussiness_tableid_get(TABLE_SECURITY_DESTINATION_LOCATION),
CHARSET_GBK, buff, strlen(buff),
result + hit_cnt + hit_cnt_ip, NULL, MAX_SCAN_RESULT - hit_cnt - hit_cnt_ip,
scan_mid, (int)thread_id);
if (scan_ret > 0)
scan_ret = maat_scan_string((struct maat *)tfe_bussiness_resouce_get(STATIC_MAAT), tfe_bussiness_tableid_get(TABLE_SECURITY_DESTINATION_LOCATION),
buff, strlen(buff), result + hit_cnt + hit_cnt_ip,MAX_SCAN_RESULT - hit_cnt - hit_cnt_ip,
&n_hit_result, scan_mid);
if (scan_ret == MAAT_SCAN_HIT)
{
TFE_LOG_INFO(logger, "Scan TSG_SECURITY_DESTINATION_LOCATION, Hit location: %s scan ret: %d policy_id: %d service: %d action: %d addr: %s",
buff, scan_ret, result[hit_cnt + hit_cnt_ip].config_id, result[hit_cnt + hit_cnt_ip].service_id, result[hit_cnt + hit_cnt_ip].action, stream->str_stream_info);
hit_cnt_ip += scan_ret;
TFE_LOG_INFO(logger, "Scan TSG_SECURITY_DESTINATION_LOCATION, Hit location: %s scan ret: %d policy_id: %lld addr: %s",
buff, scan_ret, result[hit_cnt + hit_cnt_ip], stream->str_stream_info);
hit_cnt_ip += n_hit_result;
}
else
{
@@ -218,15 +218,14 @@ int tfe_scan_ip_location(const struct tfe_stream *stream, struct Maat_rule_t *re
memset(buff, 0, sizeof(buff));
snprintf(buff, sizeof(buff), "%s.%s.%s.%s.", src_country, src_provine, src_city, src_subdivsion);
scan_ret = Maat_full_scan_string(tfe_bussiness_resouce_get(STATIC_MAAT), tfe_bussiness_tableid_get(TABLE_SECURITY_SOURCE_LOCATION),
CHARSET_GBK, buff, strlen(buff),
result + hit_cnt + hit_cnt_ip, NULL, MAX_SCAN_RESULT - hit_cnt - hit_cnt_ip,
scan_mid, (int)thread_id);
if (scan_ret > 0)
scan_ret = maat_scan_string((struct maat *)tfe_bussiness_resouce_get(STATIC_MAAT), tfe_bussiness_tableid_get(TABLE_SECURITY_SOURCE_LOCATION),
buff, strlen(buff),result + hit_cnt + hit_cnt_ip, MAX_SCAN_RESULT - hit_cnt - hit_cnt_ip,
&n_hit_result, scan_mid);
if (scan_ret == MAAT_SCAN_HIT)
{
TFE_LOG_INFO(logger, "Scan TSG_SECURITY_SOURCE_LOCATION, Hit location: %s scan ret: %d policy_id: %d service: %d action: %d addr: %s",
buff, scan_ret, result[hit_cnt + hit_cnt_ip].config_id, result[hit_cnt + hit_cnt_ip].service_id, result[hit_cnt + hit_cnt_ip].action, stream->str_stream_info);
hit_cnt_ip += scan_ret;
TFE_LOG_INFO(logger, "Scan TSG_SECURITY_SOURCE_LOCATION, Hit location: %s scan ret: %d policy_id: %lld addr: %s",
buff, scan_ret, result[hit_cnt + hit_cnt_ip], stream->str_stream_info);
hit_cnt_ip += n_hit_result;
}
else
{
@@ -249,11 +248,12 @@ int tfe_scan_ip_location(const struct tfe_stream *stream, struct Maat_rule_t *re
return hit_cnt_ip;
}
int tfe_scan_ip_asn(const struct tfe_stream *stream, struct Maat_rule_t *result, scan_status_t *scan_mid,
int hit_cnt, unsigned int thread_id, void *logger, char **asn_server, char **asn_client)
int tfe_scan_ip_asn(const struct tfe_stream *stream, long long *result, struct maat_state *scan_mid,
int hit_cnt, void *logger, char **asn_server, char **asn_client)
{
int scan_ret = 0;
int hit_cnt_ip = 0;
size_t n_hit_result = 0;
uint16_t opt_out_size;
char buff[TFE_STRING_MAX] = {0};
char src_asn[TFE_STRING_MAX] = {0};
@@ -288,15 +288,14 @@ int tfe_scan_ip_asn(const struct tfe_stream *stream, struct Maat_rule_t *result,
if (strlen(dst_asn))
{
scan_ret = Maat_full_scan_string(tfe_bussiness_resouce_get(STATIC_MAAT), tfe_bussiness_tableid_get(TABLE_SECURITY_DESTINATION_ASN),
CHARSET_UTF8, dst_asn, strlen(dst_asn),
result + hit_cnt + hit_cnt_ip, NULL, MAX_SCAN_RESULT - hit_cnt - hit_cnt_ip,
scan_mid, (int)thread_id);
if (scan_ret > 0)
scan_ret = maat_scan_string((struct maat *)tfe_bussiness_resouce_get(STATIC_MAAT), tfe_bussiness_tableid_get(TABLE_SECURITY_DESTINATION_ASN),
dst_asn, strlen(dst_asn), result + hit_cnt + hit_cnt_ip, MAX_SCAN_RESULT - hit_cnt - hit_cnt_ip,
&n_hit_result, scan_mid);
if (scan_ret == MAAT_SCAN_HIT)
{
TFE_LOG_INFO(logger, "Scan TSG_SECURITY_DESTINATION_ASN, Hit asn: %s scan ret: %d policy_id: %d service: %d action: %d addr: %s",
dst_asn, scan_ret, result[hit_cnt + hit_cnt_ip].config_id, result[hit_cnt + hit_cnt_ip].service_id, result[hit_cnt + hit_cnt_ip].action, stream->str_stream_info);
hit_cnt_ip += scan_ret;
TFE_LOG_INFO(logger, "Scan TSG_SECURITY_DESTINATION_ASN, Hit asn: %s scan ret: %d policy_id: %lld addr: %s",
dst_asn, scan_ret, result[hit_cnt + hit_cnt_ip], stream->str_stream_info);
hit_cnt_ip += n_hit_result;
}
else
{
@@ -309,15 +308,14 @@ int tfe_scan_ip_asn(const struct tfe_stream *stream, struct Maat_rule_t *result,
}
if (strlen(src_asn))
{
scan_ret = Maat_full_scan_string(tfe_bussiness_resouce_get(STATIC_MAAT), tfe_bussiness_tableid_get(TABLE_SECURITY_SOURCE_ASN),
CHARSET_UTF8, src_asn, strlen(src_asn),
result + hit_cnt + hit_cnt_ip, NULL, MAX_SCAN_RESULT - hit_cnt - hit_cnt_ip,
scan_mid, (int)thread_id);
if (scan_ret > 0)
scan_ret = maat_scan_string((struct maat *)tfe_bussiness_resouce_get(STATIC_MAAT), tfe_bussiness_tableid_get(TABLE_SECURITY_SOURCE_ASN),
src_asn, strlen(src_asn),result + hit_cnt + hit_cnt_ip, MAX_SCAN_RESULT - hit_cnt - hit_cnt_ip,
&n_hit_result, scan_mid);
if (scan_ret == MAAT_SCAN_HIT)
{
TFE_LOG_INFO(logger, "Scan TSG_SECURITY_SOURCE_ASN, Hit asn: %s scan ret: %d policy_id: %d service: %d action: %d addr: %s",
src_asn, scan_ret, result[hit_cnt + hit_cnt_ip].config_id, result[hit_cnt + hit_cnt_ip].service_id, result[hit_cnt + hit_cnt_ip].action, stream->str_stream_info);
hit_cnt_ip += scan_ret;
TFE_LOG_INFO(logger, "Scan TSG_SECURITY_SOURCE_ASN, Hit asn: %s scan ret: %d policy_id: %lld addr: %s",
src_asn, scan_ret, result[hit_cnt + hit_cnt_ip], stream->str_stream_info);
hit_cnt_ip += n_hit_result;
}
else
{
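Review bot: Every `maat_scan_string`/`maat_scan_integer` call in these functions passes `MAX_SCAN_RESULT - hit_cnt - hit_cnt_ip` as the capacity of `result`, computed in `int`; if libmaat4 takes that parameter as `size_t` (its `size_t *n_hit_result` out-parameter suggests it does), a caller that arrives with `hit_cnt >= MAX_SCAN_RESULT` turns a zero or negative remainder into a huge capacity and the scan writes past the caller's `long long result[MAX_SCAN_RESULT]` on the stack. A cheap guard at the top of each of the four functions closes that: `if (hit_cnt < 0 || hit_cnt >= MAX_SCAN_RESULT) return 0;`. The `uint16_t opt_out_size;` locals carried over from the Maat3 `Maat_full_scan_string` signature are now unused in all four functions and should be removed. Each function here spans several hunks, so the remaining scan branches are not fully visible.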


@@ -95,20 +95,20 @@ int tfe_tcp_restore_fd_create(const struct tcp_restore_endpoint *endpoint, const
TFE_LOG_ERROR(g_default_logger, "failed at setsockopt(SO_MARK), %d: %s", errno, strerror(errno));
goto errout;
}
if (strlen(devname))
{
result = setsockopt(sockfd, SOL_SOCKET, SO_BINDTODEVICE, devname, strlen(devname));
if (result < 0)
{
TFE_LOG_ERROR(g_default_logger, "failed at setsockopt(SO_BINDTODEVICE) on %d, %d: %s", devname, errno, strerror(errno));
TFE_LOG_ERROR(g_default_logger, "failed at setsockopt(SO_BINDTODEVICE) on %s, %d: %s", devname, errno, strerror(errno));
goto errout;
}
result = getsockopt(sockfd, SOL_SOCKET, SO_BINDTODEVICE, buffer, &buffer_len);
if (result < 0)
{
TFE_LOG_ERROR(g_default_logger, "failed at getsockopt(SO_BINDTODEVICE) on %d, %d: %s", devname, errno, strerror(errno));
TFE_LOG_ERROR(g_default_logger, "failed at getsockopt(SO_BINDTODEVICE) on %s, %d: %s", devname, errno, strerror(errno));
goto errout;
}
TFE_LOG_DEBUG(g_default_logger, "sockfd %d successfully bound to %s device, so_mask: %x", sockfd, buffer, fd_so_mask);
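Review bot: The `%d` to `%s` corrections for `devname` are right, but this mismatch shipped in the first place because `TFE_LOG_ERROR` is not format-checked; if the macro wraps a varargs function (declared outside this hunk), marking it `__attribute__((format(printf, N, M)))` turns this class of bug into a `-Wformat` warning at build time. The `TFE_LOG_DEBUG` line prints `buffer` with `%s` after `getsockopt(SO_BINDTODEVICE)`, which is only safe if `buffer` is zero-filled before the call, since the kernel writes at most `buffer_len` bytes and the declaration is not in this hunk — `memset(buffer, 0, sizeof(buffer));` immediately before the `getsockopt` would make it safe regardless of the declaration. The function starts before and ends after the hunk.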


@@ -1,11 +1,11 @@
#include <ssl_service_cache.h>
#include <MESA/Maat_rule.h>
#include <MESA/maat.h>
#include <tfe_resource.h>
#include <ssl_stream.h>
struct ssl_ja3_enforcer
{
Maat_feather_t maat;
struct maat *maat;
int table_id;
};
@@ -28,7 +28,7 @@ struct ssl_svc_addr
static struct ssl_ja3_enforcer g_static_enforcer = {0};
static void ssl_svc_ja3_param_dup_cb(int table_id, MAAT_PLUGIN_EX_DATA *to, MAAT_PLUGIN_EX_DATA *from, long argl, void *argp)
static void ssl_svc_ja3_param_dup_cb(int table_id, void **to, void **from, long argl, void *argp)
{
struct ssl_svc_ja3 *param = (struct ssl_svc_ja3 *)*from;
if (param)
@@ -43,7 +43,7 @@ static void ssl_svc_ja3_param_dup_cb(int table_id, MAAT_PLUGIN_EX_DATA *to, MAAT
return;
}
static void ssl_svc_ja3_param_new_cb(int table_id, const char *key, const char *table_line, MAAT_PLUGIN_EX_DATA *ad, long argl, void *argp)
static void ssl_svc_ja3_param_new_cb(const char *table_name, int table_id, const char *key, const char *table_line, void **ad, long argl, void *argp)
{
int is_valid = 0;
int pinning_state = 0;
@@ -68,7 +68,7 @@ static void ssl_svc_ja3_param_new_cb(int table_id, const char *key, const char *
param->fingerprint_id, param->ja3_hash, param->pinning_state, param->is_valid, param->ref_cnt);
}
static void ssl_svc_ja3_param_free_cb(int table_id, MAAT_PLUGIN_EX_DATA *ad, long argl, void *argp)
static void ssl_svc_ja3_param_free_cb(int table_id, void **ad, long argl, void *argp)
{
struct ssl_svc_ja3 *param = (struct ssl_svc_ja3 *)*ad;
if (param == NULL)
@@ -93,21 +93,20 @@ static void ssl_svc_ja3_param_free(struct ssl_svc_ja3 *param)
static int ssl_svc_ja3_init(const char *table_name)
{
g_static_enforcer.maat = (Maat_feather_t)tfe_bussiness_resouce_get(STATIC_MAAT);
g_static_enforcer.table_id = Maat_table_register(g_static_enforcer.maat, table_name);
g_static_enforcer.maat = (struct maat *)tfe_bussiness_resouce_get(STATIC_MAAT);
g_static_enforcer.table_id = maat_get_table_id(g_static_enforcer.maat, table_name);
if (g_static_enforcer.table_id < 0)
{
TFE_LOG_ERROR(g_default_logger, "Maat table %s register failed.", table_name);
return 0;
}
int ret = Maat_plugin_EX_register(g_static_enforcer.maat,
g_static_enforcer.table_id,
ssl_svc_ja3_param_new_cb,
ssl_svc_ja3_param_free_cb,
ssl_svc_ja3_param_dup_cb,
NULL,
0,
&g_static_enforcer);
int ret = maat_plugin_table_ex_schema_register(g_static_enforcer.maat,
table_name,
ssl_svc_ja3_param_new_cb,
ssl_svc_ja3_param_free_cb,
ssl_svc_ja3_param_dup_cb,
0,
&g_static_enforcer);
if (ret < 0)
{
TFE_LOG_ERROR(g_default_logger, "failed at Maat_plugin_EX_register(%s), table_id = %d, ret = %d",
@@ -122,7 +121,8 @@ enum ssl_ja3_pinning_status ssl_svc_ja3_scan(char *ja3_hash, const char *addr_st
{
enum ssl_ja3_pinning_status ret = JA3_PINNING_STATUS_UNKNOWN;
struct ssl_svc_ja3 *param = NULL;
param = (struct ssl_svc_ja3 *)Maat_plugin_get_EX_data(g_static_enforcer.maat, g_static_enforcer.table_id, ja3_hash);
param = (struct ssl_svc_ja3 *)maat_plugin_table_get_ex_data(g_static_enforcer.maat, g_static_enforcer.table_id, ja3_hash);
if (param == NULL)
{
ret = JA3_PINNING_STATUS_UNKNOWN;
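Review bot: The error log in `ssl_svc_ja3_init` still reports `failed at Maat_plugin_EX_register(%s)` although the call two lines above is now `maat_plugin_table_ex_schema_register`, so a registration failure will be attributed to a function that no longer exists; change the literal to `"failed at maat_plugin_table_ex_schema_register(%s), table_id = %d, ret = %d"`. Separately, `ssl_svc_ja3_scan` obtains `param` through `maat_plugin_table_get_ex_data` and, within the visible lines, never releases it, while the DoH code in this same commit calls its free callback after the identical getter to drop a reference count; if the getter takes a reference, this path leaks one per lookup and should release `param` before returning. `ssl_svc_ja3_scan` continues beyond the hunk, so a later release may exist; worth confirming.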


@@ -1,5 +1,6 @@
#include "logger.h"
#include <tfe_scan.h>
#include <MESA/stream.h>
extern void increase_redirect_policy_hit_num(void);
@@ -99,21 +100,78 @@ static cJSON *doh_get_answer_records(struct doh_ctx *ctx, cJSON *object, int qty
return NULL;
}
static void doh_get_cheat_data(Maat_rule_t *p_result, int qtype, struct doh_ctx *ctx, const char *str_stream_info)
struct doh_action_param
{
int ref_cnt;
int action;
char *message;
char *position;
float enforcement_ratio;
int vsys_id;
int profile_id;
int status_code;
size_t n_rule;
void *repl_rule;
size_t e_rule;
void *elem_rule;
struct doh_maat_rule_t hit_rule;
pthread_mutex_t lock;
};
void doh_action_param_free_cb(int table_id, void **ad, long argl, void *argp)
{
if(*ad==NULL)
{
return;
}
struct doh_action_param* param=(struct doh_action_param*)*ad;
pthread_mutex_lock(&(param->lock));
param->ref_cnt--;
if(param->ref_cnt>0)
{
pthread_mutex_unlock(&(param->lock));
return;
}
pthread_mutex_unlock(&(param->lock));
pthread_mutex_destroy(&(param->lock));
if(param->hit_rule.srv_def_large)
FREE(&(param->hit_rule.srv_def_large))
FREE(&(param));
return;
}
static void doh_get_cheat_data(long long p_result, int qtype, struct doh_ctx *ctx, const char *str_stream_info)
{
int i;
int answer_size = 0;
char *tmp = NULL;
cJSON *items = NULL;
cJSON *item = NULL;
cJSON *object = NULL;
cJSON *answer_array = NULL;
int table_id=0;
tmp = (char *)calloc(1, p_result->serv_def_len + 1);
Maat_read_rule(g_doh_conf->maat, p_result, MAAT_RULE_SERV_DEFINE, tmp, p_result->serv_def_len);
TFE_LOG_INFO(g_doh_conf->local_logger, "%s hit %d %s", str_stream_info, p_result->config_id, tmp);
table_id=maat_get_table_id(g_doh_conf->maat, "PXY_CTRL_COMPILE");
if(table_id < 0)
{
return;
}
struct doh_action_param *get_ex_param=(struct doh_action_param *)maat_plugin_table_get_ex_data(g_doh_conf->maat, table_id, (const char *)&p_result);
if(get_ex_param==NULL)
{
return;
}
object = cJSON_Parse(tmp);
struct doh_maat_rule_t *hit_rule = &(get_ex_param->hit_rule);
if(hit_rule==NULL || hit_rule->srv_def_large==NULL)
{
goto end;
}
memcpy(ctx->result, hit_rule, sizeof(struct doh_maat_rule_t));
TFE_LOG_INFO(g_doh_conf->local_logger, "%s hit %lld %s", str_stream_info, p_result, hit_rule->srv_def_large);
object = cJSON_Parse(hit_rule->srv_def_large);
if (object == NULL)
{
goto end;
@@ -176,30 +234,28 @@ end:
cJSON_Delete(object);
object = NULL;
}
if (tmp)
if(get_ex_param)
{
free(tmp);
tmp = NULL;
doh_action_param_free_cb(0, (void**)&get_ex_param, 0, NULL);
}
}
static struct Maat_rule_t *doh_fetch_rule(Maat_rule_t *result, int result_num)
static long long doh_fetch_rule(long long *result, int result_num)
{
int i = 0;
Maat_rule_t *p_result = NULL;
long long p_result = 0;
for (i = 0; i < result_num && i < MAX_SCAN_RESULT; i++)
{
if (p_result == NULL)
if (p_result == 0)
{
p_result = &result[i];
p_result = result[i];
continue;
}
if (result[i].config_id > p_result->config_id)
if (result[i] > p_result)
{
p_result = &result[i];
p_result = result[i];
}
}
@@ -211,23 +267,24 @@ static void doh_maat_scan(const struct tfe_stream *stream, const struct tfe_http
int hit_cnt = 0;
int scan_ret = 0;
int app_id = 8006;
size_t n_hit_result;
struct ipaddr sapp_addr;
struct Maat_rule_t *p_result = NULL;
struct Maat_rule_t result[MAX_SCAN_RESULT];
long long p_result = 0;
long long result[MAX_SCAN_RESULT];
scan_ret = tfe_scan_subscribe_id(stream, result, &(ctx->scan_mid), hit_cnt, ctx->thread_id, g_doh_conf->local_logger);
scan_ret = tfe_scan_subscribe_id(stream, result, ctx->scan_mid, hit_cnt, g_doh_conf->local_logger);
if (scan_ret > 0)
{
hit_cnt += scan_ret;
}
scan_ret = tfe_scan_ip_location(stream, result, &(ctx->scan_mid), hit_cnt, ctx->thread_id, g_doh_conf->local_logger, &(ctx->location_server), &(ctx->location_client));
scan_ret = tfe_scan_ip_location(stream, result, ctx->scan_mid, hit_cnt, g_doh_conf->local_logger, &(ctx->location_server), &(ctx->location_client));
if (scan_ret > 0)
{
hit_cnt += scan_ret;
}
scan_ret = tfe_scan_ip_asn(stream, result, &(ctx->scan_mid), hit_cnt, ctx->thread_id, g_doh_conf->local_logger, &(ctx->asn_server), &(ctx->asn_client));
scan_ret = tfe_scan_ip_asn(stream, result, ctx->scan_mid, hit_cnt, g_doh_conf->local_logger, &(ctx->asn_server), &(ctx->asn_client));
if (scan_ret > 0)
{
hit_cnt += scan_ret;
@@ -237,13 +294,13 @@ static void doh_maat_scan(const struct tfe_stream *stream, const struct tfe_http
const char *host = session->req->req_spec.host;
if (host)
{
scan_ret = Maat_full_scan_string(g_doh_conf->maat, g_doh_conf->tables[TYPE_HOST].id, CHARSET_UTF8,
host, strlen(host), result + hit_cnt, NULL, MAX_SCAN_RESULT - hit_cnt, &(ctx->scan_mid), ctx->thread_id);
if (scan_ret > 0)
scan_ret = maat_scan_string(g_doh_conf->maat, g_doh_conf->tables[TYPE_HOST].id,host, strlen(host),
result + hit_cnt, MAX_SCAN_RESULT - hit_cnt, &n_hit_result, ctx->scan_mid);
if (scan_ret == MAAT_SCAN_HIT)
{
TFE_LOG_INFO(g_doh_conf->local_logger, "Scan %s, Hit host: %s scan ret: %d policy_id: %d service: %d action: %d addr: %s",
g_doh_conf->tables[TYPE_HOST].name, host, scan_ret, result[hit_cnt].config_id, result[hit_cnt].service_id, result[hit_cnt].action, stream->str_stream_info);
hit_cnt += scan_ret;
TFE_LOG_INFO(g_doh_conf->local_logger, "Scan %s, Hit host: %s scan ret: %d policy_id: %lld addr: %s",
g_doh_conf->tables[TYPE_HOST].name, host, scan_ret, result[hit_cnt], stream->str_stream_info);
hit_cnt += n_hit_result;
}
else
{
@@ -251,7 +308,7 @@ static void doh_maat_scan(const struct tfe_stream *stream, const struct tfe_http
g_doh_conf->tables[TYPE_HOST].name, host, scan_ret, stream->str_stream_info);
}
scan_ret = tfe_scan_fqdn_cat(stream, result, &(ctx->scan_mid), hit_cnt, ctx->thread_id, g_doh_conf->local_logger, g_doh_conf->tables[TYPE_HOST].id);
scan_ret = tfe_scan_fqdn_cat(stream, result, ctx->scan_mid, hit_cnt, g_doh_conf->local_logger, g_doh_conf->tables[TYPE_HOST_CAT].id);
if( scan_ret > 0)
{
hit_cnt += scan_ret;
@@ -260,27 +317,48 @@ static void doh_maat_scan(const struct tfe_stream *stream, const struct tfe_http
// scan addr
doh_addr_tfe2sapp(stream->addr, &sapp_addr);
scan_ret = Maat_scan_proto_addr(g_doh_conf->maat, g_doh_conf->tables[TYPE_ADDR].id, &sapp_addr,
0, result + hit_cnt, MAX_SCAN_RESULT - hit_cnt, &(ctx->scan_mid), ctx->thread_id);
if (scan_ret > 0)
if (sapp_addr.addrtype == ADDR_TYPE_IPV4)
{
TFE_LOG_INFO(g_doh_conf->local_logger, "Scan %s, Hit addr: %s scan ret: %d policy_id: %d service: %d action: %d",
g_doh_conf->tables[TYPE_ADDR].name, stream->str_stream_info, scan_ret, result[hit_cnt].config_id, result[hit_cnt].service_id, result[hit_cnt].action);
hit_cnt += scan_ret;
}
else
{
TFE_LOG_INFO(g_doh_conf->local_logger, "Scan %s, NO hit addr: %s scan ret: %d",
g_doh_conf->tables[TYPE_ADDR].name, stream->str_stream_info, scan_ret);
}
scan_ret = maat_scan_ipv4(g_doh_conf->maat, g_doh_conf->tables[TYPE_SRC_ADDR].id,sapp_addr.v4->saddr,
sapp_addr.v4->source, 0, result+hit_cnt, MAX_SCAN_RESULT-hit_cnt,
&n_hit_result, ctx->scan_mid);
if (n_hit_result == MAAT_SCAN_HIT)
{
hit_cnt += n_hit_result;
}
scan_ret = maat_scan_ipv4(g_doh_conf->maat, g_doh_conf->tables[TYPE_DST_ADDR].id,sapp_addr.v4->daddr,
sapp_addr.v4->dest, 0, result+hit_cnt, MAX_SCAN_RESULT-hit_cnt,
&n_hit_result, ctx->scan_mid);
// scan appid
scan_ret=Maat_scan_intval(g_doh_conf->maat, g_doh_conf->tables[TYPE_APPID].id, app_id, result + hit_cnt, MAX_SCAN_RESULT - hit_cnt, &(ctx->scan_mid), ctx->thread_id);
if (scan_ret > 0)
if(scan_ret == MAAT_SCAN_HIT)
{
hit_cnt += n_hit_result;
}
}
if (sapp_addr.addrtype == ADDR_TYPE_IPV6)
{
TFE_LOG_INFO(g_doh_conf->local_logger, "Scan %s, Hit proto: %d scan ret: %d policy_id: %d service: %d action: %d addr: %s",
g_doh_conf->tables[TYPE_APPID].name, app_id, scan_ret, result[hit_cnt].config_id, result[hit_cnt].service_id, result[hit_cnt].action, stream->str_stream_info);
hit_cnt += scan_ret;
scan_ret = maat_scan_ipv6(g_doh_conf->maat, g_doh_conf->tables[TYPE_SRC_ADDR].id, sapp_addr.v6->saddr,
sapp_addr.v6->source, 0, result+hit_cnt, MAX_SCAN_RESULT-hit_cnt,
&n_hit_result, ctx->scan_mid);
if (scan_ret == MAAT_SCAN_HIT)
{
hit_cnt += n_hit_result;
}
scan_ret = maat_scan_ipv6(g_doh_conf->maat,g_doh_conf->tables[TYPE_DST_ADDR].id, sapp_addr.v6->daddr,
sapp_addr.v6->dest, 0, result+hit_cnt, MAX_SCAN_RESULT-hit_cnt,
&n_hit_result, ctx->scan_mid);
if (scan_ret == MAAT_SCAN_HIT)
{
hit_cnt += n_hit_result;
}
}
// scan appid
scan_ret=maat_scan_integer(g_doh_conf->maat, g_doh_conf->tables[TYPE_APPID].id, app_id, result + hit_cnt, MAX_SCAN_RESULT - hit_cnt, &n_hit_result, ctx->scan_mid);
if (scan_ret == MAAT_SCAN_HIT)
{
TFE_LOG_INFO(g_doh_conf->local_logger, "Scan %s, Hit proto: %d scan ret: %d policy_id: %lld addr: %s",
g_doh_conf->tables[TYPE_APPID].name, app_id, scan_ret, result[hit_cnt], stream->str_stream_info);
hit_cnt += n_hit_result;
}
else
{
@@ -289,13 +367,13 @@ static void doh_maat_scan(const struct tfe_stream *stream, const struct tfe_http
}
// scan qname
scan_ret = Maat_full_scan_string(g_doh_conf->maat, g_doh_conf->tables[TYPE_QNAME].id, CHARSET_UTF8,
qname, strlen(qname), result + hit_cnt, NULL, MAX_SCAN_RESULT - hit_cnt, &(ctx->scan_mid), ctx->thread_id);
if (scan_ret > 0)
scan_ret = maat_scan_string(g_doh_conf->maat, g_doh_conf->tables[TYPE_QNAME].id, qname, strlen(qname),
result + hit_cnt, MAX_SCAN_RESULT - hit_cnt, &n_hit_result, ctx->scan_mid);
if (scan_ret == MAAT_SCAN_HIT)
{
TFE_LOG_INFO(g_doh_conf->local_logger, "Scan %s, Hit domain: %s scan ret: %d qtype: %d policy_id: %d service: %d action: %d addr: %s",
g_doh_conf->tables[TYPE_QNAME].name, qname, scan_ret, qtype, result[hit_cnt].config_id, result[hit_cnt].service_id, result[hit_cnt].action, stream->str_stream_info);
hit_cnt += scan_ret;
TFE_LOG_INFO(g_doh_conf->local_logger, "Scan %s, Hit domain: %s scan ret: %d qtype: %d policy_id: %lld addr: %s",
g_doh_conf->tables[TYPE_QNAME].name, qname, scan_ret, qtype, result[hit_cnt], stream->str_stream_info);
hit_cnt += n_hit_result;
}
else
{
@@ -306,11 +384,10 @@ static void doh_maat_scan(const struct tfe_stream *stream, const struct tfe_http
if (hit_cnt)
{
p_result = doh_fetch_rule(result, hit_cnt);
if (p_result)
if (p_result != 0)
{
ctx->result_num = 1;
ctx->result = ALLOC(struct Maat_rule_t, ctx->result_num);
memcpy(ctx->result, p_result, sizeof(struct Maat_rule_t));
ctx->result = ALLOC(struct doh_maat_rule_t, ctx->result_num);
doh_get_cheat_data(p_result, qtype, ctx, stream->str_stream_info);
}
}
@@ -318,18 +395,20 @@ static void doh_maat_scan(const struct tfe_stream *stream, const struct tfe_http
static int doh_maat_init(const char *profile, const char *section)
{
g_doh_conf->maat = (Maat_feather_t)tfe_bussiness_resouce_get(STATIC_MAAT);
g_doh_conf->maat = (struct maat *)tfe_bussiness_resouce_get(STATIC_MAAT);
MESA_load_profile_string_def(profile, section, "table_appid", g_doh_conf->tables[TYPE_APPID].name, TFE_STRING_MAX, "TSG_OBJ_APP_ID");
MESA_load_profile_string_def(profile, section, "table_addr", g_doh_conf->tables[TYPE_ADDR].name, TFE_STRING_MAX, "TSG_SECURITY_ADDR");
MESA_load_profile_string_def(profile, section, "table_src_addr", g_doh_conf->tables[TYPE_SRC_ADDR].name, TFE_STRING_MAX, "TSG_SECURITY_SOURCE_ADDR");
MESA_load_profile_string_def(profile, section, "table_dst_addr", g_doh_conf->tables[TYPE_DST_ADDR].name, TFE_STRING_MAX, "TSG_SECURITY_DESTINATION_ADDR");
MESA_load_profile_string_def(profile, section, "table_qname", g_doh_conf->tables[TYPE_QNAME].name, TFE_STRING_MAX, "TSG_FIELD_DOH_QNAME");
MESA_load_profile_string_def(profile, section, "table_host", g_doh_conf->tables[TYPE_HOST].name, TFE_STRING_MAX, "TSG_FIELD_HTTP_HOST");
MESA_load_profile_string_def(profile, section, "table_host", g_doh_conf->tables[TYPE_HOST].name, TFE_STRING_MAX, "TSG_FIELD_DOH_HOST");
MESA_load_profile_string_def(profile, section, "table_host_cat", g_doh_conf->tables[TYPE_HOST_CAT].name, TFE_STRING_MAX, "TSG_FIELD_DOH_HOST_CAT");
for (int i = 0; i < TYPE_MAX; i++)
{
g_doh_conf->tables[i].id = Maat_table_register(g_doh_conf->maat, g_doh_conf->tables[i].name);
g_doh_conf->tables[i].id = maat_get_table_id(g_doh_conf->maat, g_doh_conf->tables[i].name);
if (g_doh_conf->tables[i].id < 0)
{
TFE_LOG_ERROR(g_doh_conf->local_logger, "Maat_table_register failed, table_name: %s", g_doh_conf->tables[i].name);
TFE_LOG_ERROR(g_doh_conf->local_logger, "maat_get_table_id failed, table_name: %s", g_doh_conf->tables[i].name);
return -1;
}
}
@@ -377,7 +456,7 @@ static struct doh_ctx *doh_ctx_new(unsigned int thread_id)
ctx->magic_num = DOH_CTX_MAGIC_NUM;
ctx->thread_id = (int)thread_id;
ctx->scan_mid = NULL;
ctx->scan_mid = maat_state_new(g_doh_conf->maat, thread_id);
ctx->opts_num = 0;
ctx->opts = NULL;
ctx->min_ttl = 0;
@@ -524,7 +603,7 @@ static void doh_process_req(const struct tfe_stream *stream, const struct tfe_ht
}
doh_maat_scan(stream, session, ctx, (char *)ctx->doh_req->query_question.qname, ctx->doh_req->query_question.qtype);
Maat_clean_status(&(ctx->scan_mid));
maat_state_free(ctx->scan_mid);
ctx->scan_mid = NULL;
if (!ctx->opts_num)
{


@@ -15,8 +15,8 @@ enum _log_action //Bigger action number is prior.
LG_ACTION_DROP = 0x20, /* N/A */
LG_ACTION_MANIPULATE = 0x30,
LG_ACTION_RATELIMIT = 0x40, /* N/A */
LG_ACTION_LOOP = 0x60, /* N/A */
LG_ACTION_WHITELIST = 0x80,
LG_ACTION_WHITELIST = 0x60,
LG_ACTION_SHUNT = 0x80,
__LG_ACTION_MAX
};
@@ -299,7 +299,7 @@ int doh_kafka_init(const char *profile, struct doh_conf *conf)
int doh_send_log(struct doh_conf *handle, const struct tfe_http_session *http, const struct tfe_stream *stream, struct doh_ctx *ctx)
{
Maat_rule_t *result = ctx->result;
struct doh_maat_rule_t *result = ctx->result;
size_t result_num = ctx->result_num;
dns_info_t *dns_info = ctx->doh_req;
const struct tfe_stream_addr *addr = stream->addr;
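Review bot: Moving LG_ACTION_WHITELIST from 0x80 to 0x60 and putting LG_ACTION_SHUNT at 0x80 changes precedence under the enum's own rule ("Bigger action number is prior"), so a shunt hit now outranks a whitelist hit, and the same numbers are maintained by hand a second time in enum proxy_action in the proxy header. If doh_send_log writes the numeric action into the Kafka record, any consumer that still decodes 0x80 as whitelist will misread the new logs; that is inferred from the field name, not visible here. I would at least pin the intent at the enum: `/* Keep in sync with enum proxy_action. Since Maat4: SHUNT (0x80) outranks WHITELIST (0x60). */`, and ideally derive one enum from the other so they cannot drift.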


@@ -11,7 +11,7 @@ extern "C"
#include <tfe_resource.h>
#include <tfe_proxy.h>
#include <tfe_plugin.h>
#include <MESA/Maat_rule.h>
#include <MESA/maat.h>
#include <MESA/MESA_prof_load.h>
#include <tfe_kafka_logger.h>
@@ -30,10 +30,12 @@ enum pangu_http_stat
enum table_type
{
TYPE_ADDR,
TYPE_SRC_ADDR,
TYPE_DST_ADDR,
TYPE_APPID,
TYPE_QNAME,
TYPE_HOST,
TYPE_HOST_CAT,
TYPE_MAX
};
@@ -68,10 +70,20 @@ struct doh_conf
struct event_base *gc_evbase;
screen_stat_handle_t fs_handle;
Maat_feather_t maat;
struct maat *maat;
struct maat_table tables[TYPE_MAX];
};
struct doh_maat_rule_t
{
long long config_id;
int service_id;
unsigned char do_log;
unsigned char do_blacklist;
unsigned char action;
char *srv_def_large;
};
struct doh_ctx
{
int count;
@@ -82,9 +94,9 @@ struct doh_ctx
int opts_num;
int vsys_id;
size_t result_num;
Maat_rule_t *result;
struct doh_maat_rule_t *result;
cheat_pkt_opt_t *opts;
scan_status_t scan_mid;
struct maat_state *scan_mid;
enum doh_content_type type;
struct evbuffer *http_req_body;
dns_info_t *doh_req;
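Review bot: struct doh_maat_rule_t is the third hand-copied definition of the same six fields in this commit (log_rule_t in the proxy log header and maat_rule_t in the proxy header are field-for-field identical), and it crosses the doh/logging boundary as ctx->result, so any later drift between the copies would silently misread fields. One shared definition in a common header removes that risk. The `char *srv_def_large` member also needs an ownership note, since ctx->result is ALLOC'd in doh_maat_scan and nothing here says whether the string is owned by the rule or must be freed with the array: `char *srv_def_large; /* owned by: rule table or this struct? document who frees */`.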


@@ -1,6 +1,6 @@
#include <ssl_stream.h>
#include <tfe_utils.h>
#include <MESA/Maat_rule.h>
#include <MESA/maat.h>
#include <cjson/cJSON.h>
#include <openssl/ssl.h>
#include <assert.h>
@@ -9,7 +9,7 @@
struct ssl_policy_enforcer
{
Maat_feather_t maat;
struct maat *maat;
int policy_table_id;
int profile_table_id;
void* logger;
@@ -43,7 +43,7 @@ struct decryption_param
int mirror_client_version;
};
void intercept_param_dup_cb(int table_id, MAAT_PLUGIN_EX_DATA* to, MAAT_PLUGIN_EX_DATA* from, long argl, void* argp)
void intercept_param_dup_cb(int table_id, void **to, void **from, long argl, void* argp)
{
struct intercept_param* param= (struct intercept_param*) *from;
if(param)
@@ -57,7 +57,8 @@ void intercept_param_dup_cb(int table_id, MAAT_PLUGIN_EX_DATA* to, MAAT_PLUGIN_E
}
return;
}
void intercept_param_new_cb(int table_id, const char* key, const char* table_line, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp)
void intercept_param_new_cb(const char *table_name, int table_id, const char* key, const char* table_line, void **ad, long argl, void* argp)
{
int ret=0;
size_t intercept_user_region_offset=0, len=0;
@@ -66,7 +67,7 @@ void intercept_param_new_cb(int table_id, const char* key, const char* table_lin
struct intercept_param* param=NULL;
struct ssl_policy_enforcer* enforcer=(struct ssl_policy_enforcer*)argp;
ret=Maat_helper_read_column(table_line, 7, &intercept_user_region_offset, &len);
ret=maat_helper_read_column(table_line, 7, &intercept_user_region_offset, &len);
if(ret<0)
{
TFE_LOG_ERROR(enforcer->logger, "Get intercept user region: %s", table_line);
@@ -161,7 +162,7 @@ error_out:
free(json_str);
return;
}
void intercept_param_free_cb(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp)
void intercept_param_free_cb(int table_id, void **ad, long argl, void* argp)
{
struct ssl_policy_enforcer* enforcer=(struct ssl_policy_enforcer*)argp;
struct intercept_param* param= (struct intercept_param*) *ad;
@@ -183,7 +184,7 @@ void intercept_param_free(struct intercept_param* param)
return;
}
void profile_param_dup_cb(int table_id, MAAT_PLUGIN_EX_DATA* to, MAAT_PLUGIN_EX_DATA* from, long argl, void* argp)
void profile_param_dup_cb(int table_id, void **to, void **from, long argl, void* argp)
{
struct decryption_param* param= (struct decryption_param*) *from;
if(param)
@@ -197,7 +198,7 @@ void profile_param_dup_cb(int table_id, MAAT_PLUGIN_EX_DATA* to, MAAT_PLUGIN_EX_
}
return;
}
void profile_param_free_cb(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp)
void profile_param_free_cb(int table_id, void **ad, long argl, void* argp)
{
struct decryption_param* param= (struct decryption_param*) *ad;
if(param==NULL)
@@ -216,7 +217,7 @@ void profile_param_free(struct decryption_param* param)
profile_param_free_cb(0, (void**)&param, 0, NULL);
return;
}
void profile_param_new_cb(int table_id, const char* key, const char* table_line, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp)
void profile_param_new_cb(const char *table_name, int table_id, const char* key, const char* table_line, void **ad, long argl, void* argp)
{
int ret=0;
size_t offset=0, len=0;
@@ -225,7 +226,7 @@ void profile_param_new_cb(int table_id, const char* key, const char* table_line,
struct decryption_param* param=NULL;
struct ssl_policy_enforcer* enforcer=(struct ssl_policy_enforcer*)argp;
ret=Maat_helper_read_column(table_line, 3, &offset, &len);
ret=maat_helper_read_column(table_line, 3, &offset, &len);
if(ret<0)
{
TFE_LOG_ERROR(enforcer->logger, "Get decryption param: %s", table_line);
@@ -319,29 +320,27 @@ error_out:
struct ssl_policy_enforcer* ssl_policy_enforcer_create(void* logger)
{
struct ssl_policy_enforcer* enforcer=ALLOC(struct ssl_policy_enforcer, 1);
enforcer->maat=(Maat_feather_t)tfe_bussiness_resouce_get(STATIC_MAAT);;
enforcer->maat=(struct maat*)tfe_bussiness_resouce_get(STATIC_MAAT);;
enforcer->logger=logger;
enforcer->policy_table_id=Maat_table_register(enforcer->maat, "TSG_SECURITY_COMPILE");
enforcer->policy_table_id=maat_get_table_id(enforcer->maat, "TSG_SECURITY_COMPILE");
assert(enforcer->policy_table_id >= 0);
enforcer->profile_table_id=Maat_table_register(enforcer->maat, "TSG_PROFILE_DECRYPTION");
enforcer->profile_table_id=maat_get_table_id(enforcer->maat, "TSG_PROFILE_DECRYPTION");
assert(enforcer->profile_table_id >= 0);
UNUSED int ret=Maat_plugin_EX_register(enforcer->maat,
enforcer->policy_table_id,
intercept_param_new_cb,
intercept_param_free_cb,
intercept_param_dup_cb,
NULL,
0,
enforcer);
UNUSED int ret=maat_plugin_table_ex_schema_register(enforcer->maat,
"TSG_SECURITY_COMPILE",
intercept_param_new_cb,
intercept_param_free_cb,
intercept_param_dup_cb,
0,
enforcer);
assert(ret==0);
ret=Maat_plugin_EX_register(enforcer->maat,
enforcer->profile_table_id,
profile_param_new_cb,
profile_param_free_cb,
profile_param_dup_cb,
NULL,
0,
enforcer);
ret=maat_plugin_table_ex_schema_register(enforcer->maat,
"TSG_PROFILE_DECRYPTION",
profile_param_new_cb,
profile_param_free_cb,
profile_param_dup_cb,
0,
enforcer);
assert(ret==0);
return enforcer;
}
@@ -359,7 +358,7 @@ enum ssl_stream_action ssl_policy_enforce(struct ssl_stream *upstream, void* u_p
ret=ssl_stream_get_integer_opt(upstream, SSL_STREAM_OPT_INTERCEPT_POLICY_ID, &policy_id);
assert(ret==0);
snprintf(policy_id_str, sizeof(policy_id_str), "%d", policy_id);
policy_param=(struct intercept_param *)Maat_plugin_get_EX_data(enforcer->maat, enforcer->policy_table_id, policy_id_str);
policy_param=(struct intercept_param *)maat_plugin_table_get_ex_data(enforcer->maat, enforcer->policy_table_id, policy_id_str);
if(policy_param==NULL)
{
TFE_LOG_INFO(enforcer->logger, "Failed to get intercept parameter of policy %d.", policy_id);
@@ -374,7 +373,7 @@ enum ssl_stream_action ssl_policy_enforce(struct ssl_stream *upstream, void* u_p
}
snprintf(profile_id_str, sizeof(profile_id_str), "%u", policy_param->decryption_profile_id);
profile_param=(struct decryption_param *)Maat_plugin_get_EX_data(enforcer->maat, enforcer->profile_table_id, profile_id_str);
profile_param=(struct decryption_param *)maat_plugin_table_get_ex_data(enforcer->maat, enforcer->profile_table_id, profile_id_str);
if (profile_param==NULL)
{
TFE_LOG_INFO(enforcer->logger, "Failed to get decryption parameter of profile %s.", profile_id_str);
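Review bot: The two maat_plugin_table_ex_schema_register calls in ssl_policy_enforcer_create only check their result with `assert(ret==0)` on a variable marked UNUSED, so in a build with NDEBUG a failed registration is ignored and every later maat_plugin_table_get_ex_data lookup presumably returns NULL, which ssl_policy_enforce then logs as a missing policy parameter instead of a broken setup. traffic_mirror_init in the same commit checks the same call, logs and bails out; the enforcer should do the same, which means callers must handle a NULL return from ssl_policy_enforcer_create. Whether ALLOC'd memory is released with free() is not visible here.
```c
    int ret = maat_plugin_table_ex_schema_register(enforcer->maat, "TSG_SECURITY_COMPILE",
                                                   intercept_param_new_cb, intercept_param_free_cb,
                                                   intercept_param_dup_cb, 0, enforcer);
    if (ret != 0)
    {
        TFE_LOG_ERROR(logger, "maat_plugin_table_ex_schema_register(TSG_SECURITY_COMPILE) failed, ret = %d", ret);
        free(enforcer); /* confirm this matches ALLOC's allocator */
        return NULL;
    }
    /* ... same check for the TSG_PROFILE_DECRYPTION registration ... */
    return enforcer;
```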


@@ -1,6 +1,6 @@
#pragma once
#include <ssl_stream.h>
#include <MESA/Maat_rule.h>
#include <MESA/maat.h>
struct ssl_policy_enforcer;
struct ssl_policy_enforcer* ssl_policy_enforcer_create(void* logger);


@@ -4,6 +4,7 @@
#include <tfe_stream.h>
#include <netinet/ether.h>
#include <MESA/Maat_rule.h>
#include <MESA/maat.h>
#include <pcap/pcap.h>
enum traffic_mirror_ethdev_type
@@ -25,7 +26,7 @@ struct traffic_mirror_instance
unsigned int nr_threads;
unsigned int default_vlan_id;
Maat_feather_t maat_feather;
struct maat* maat_feather;
int policy_table_id;
int profile_table_id;


@@ -28,8 +28,8 @@ void policy_table_ex_data_free(struct policy_table_ex_data * object)
if ((__sync_sub_and_fetch(&object->atomic_refcnt, 1) == 0)) free(object);
}
void policy_table_ex_data_dup_cb(int table_id, MAAT_PLUGIN_EX_DATA * to,
MAAT_PLUGIN_EX_DATA * from, long argl, void * argp)
void policy_table_ex_data_dup_cb(int table_id, void **to,
void **from, long argl, void * argp)
{
struct policy_table_ex_data * ex_data = (struct policy_table_ex_data *)*from;
if(ex_data==NULL)
@@ -43,7 +43,7 @@ void policy_table_ex_data_dup_cb(int table_id, MAAT_PLUGIN_EX_DATA * to,
}
}
void policy_table_ex_data_free_cb(int table_id, MAAT_PLUGIN_EX_DATA * ad, long argl, void * argp)
void policy_table_ex_data_free_cb(int table_id, void **ad, long argl, void * argp)
{
struct policy_table_ex_data * ex_data = (struct policy_table_ex_data *)*ad;
if(ex_data)
@@ -52,8 +52,8 @@ void policy_table_ex_data_free_cb(int table_id, MAAT_PLUGIN_EX_DATA * ad, long a
}
}
void policy_table_ex_data_new_cb(int table_id, const char * key, const char * table_line,
MAAT_PLUGIN_EX_DATA * ad, long argl, void * argp)
void policy_table_ex_data_new_cb(const char *table_name, int table_id, const char * key, const char * table_line,
void **ad, long argl, void * argp)
{
struct traffic_mirror_instance * instance = (struct traffic_mirror_instance *) argp;
assert(instance != nullptr && instance->logger != nullptr);
@@ -68,7 +68,7 @@ void policy_table_ex_data_new_cb(int table_id, const char * key, const char * ta
size_t user_region_offset;
size_t user_region_len;
int result = Maat_helper_read_column(table_line, 7, &user_region_offset, &user_region_len);
int result = maat_helper_read_column(table_line, 7, &user_region_offset, &user_region_len);
if (unlikely(result < 0))
{
TFE_LOG_ERROR(instance->logger, "Failed at get policy table's user region.");
@@ -158,8 +158,8 @@ void profile_table_ex_data_free(struct profile_table_ex_data * object)
if ((__sync_sub_and_fetch(&object->atomic_refcnt, 1) == 0)) free(object);
}
void profile_table_ex_data_dup_cb(int table_id, MAAT_PLUGIN_EX_DATA * to,
MAAT_PLUGIN_EX_DATA * from, long argl, void * argp)
void profile_table_ex_data_dup_cb(int table_id, void **to,
void **from, long argl, void * argp)
{
struct profile_table_ex_data * ex_data = (struct profile_table_ex_data *)*from;
if(ex_data)
@@ -173,7 +173,7 @@ void profile_table_ex_data_dup_cb(int table_id, MAAT_PLUGIN_EX_DATA * to,
}
}
void profile_table_ex_data_free_cb(int table_id, MAAT_PLUGIN_EX_DATA * ad, long argl, void * argp)
void profile_table_ex_data_free_cb(int table_id, void **ad, long argl, void * argp)
{
struct profile_table_ex_data * ex_data = (struct profile_table_ex_data *)*ad;
if(ex_data)
@@ -182,8 +182,8 @@ void profile_table_ex_data_free_cb(int table_id, MAAT_PLUGIN_EX_DATA * ad, long
}
}
void profile_table_ex_data_new_cb(int table_id, const char * key, const char * table_line,
MAAT_PLUGIN_EX_DATA * ad, long argl, void * argp)
void profile_table_ex_data_new_cb(const char *table_name, int table_id, const char * key, const char * table_line,
void **ad, long argl, void * argp)
{
struct traffic_mirror_instance * instance = (struct traffic_mirror_instance *) argp;
assert(instance != nullptr && instance->logger != nullptr);
@@ -197,7 +197,7 @@ void profile_table_ex_data_new_cb(int table_id, const char * key, const char * t
size_t addr_list_offset;
size_t addr_list_len;
int result = Maat_helper_read_column(table_line, 3, &addr_list_offset, &addr_list_len);
int result = maat_helper_read_column(table_line, 3, &addr_list_offset, &addr_list_len);
if (unlikely(result < 0))
{
TFE_LOG_ERROR(instance->logger, "Failed at get profile table's addrlist.");
@@ -244,7 +244,7 @@ void profile_table_ex_data_new_cb(int table_id, const char * key, const char * t
goto ignore;
}
TFE_LOG_DEBUG(instance->logger, "traffic mirror profile %s: vlan id[%d] %d", key, iter, vlan_in_number);
TFE_LOG_DEBUG(instance->logger, "traffic mirror profile %s: vlan id[%d]£º %d", key, iter, vlan_in_number);
ex_data->rewrite_vlan = 1;
ex_data->vlans[iter] = vlan_in_number;
ex_data->ether_addrs[iter] = ether_addr_broadcast;
@@ -284,14 +284,13 @@ out:
#define MAAT_INPUT_REDIS 1
#define MAAT_INPUT_FILE 2
static Maat_feather_t maat_feather_create_with_override(const char * instance_name,
static struct maat* maat_feather_create_with_override(const char * instance_name,
const char * profile, const char * section, const char * override_section,
unsigned int max_thread, void * logger)
{
Maat_feather_t target;
struct maat *target=NULL;
int input_mode = 0, maat_stat_on = 0, maat_perf_on = 0;
int ret = 0, scan_detail = 0, effect_interval = 60;
int ret = 0, effect_interval = 60, log_level=0;
char table_info[TFE_STRING_MAX] = {0}, inc_cfg_dir[TFE_STRING_MAX] = {0}, ful_cfg_dir[TFE_STRING_MAX] = {0};
char redis_server[TFE_STRING_MAX] = {0};
char redis_port_range[TFE_STRING_MAX] = {0};
@@ -310,9 +309,9 @@ static Maat_feather_t maat_feather_create_with_override(const char * instance_na
MESA_load_profile_string_def(profile, section, "accept_tags", accept_tags, sizeof(accept_tags), "");
MESA_load_profile_string_def(profile, section, "json_cfg_file", json_cfg_file, sizeof(json_cfg_file), "");
MESA_load_profile_string_def(profile, section, "maat_redis_server", redis_server, sizeof(redis_server), "");
MESA_load_profile_string_def(profile, section, "maat_redis_port_range", redis_port_range, sizeof(redis_server),
"6379");
MESA_load_profile_string_def(profile, section, "maat_redis_port_range", redis_port_range, sizeof(redis_server),"6379");
MESA_load_profile_int_def(profile, section, "deferred_load_on", &(deferred_load_on), 0);
MESA_load_profile_int_def(profile, section, "log_level", &(log_level), LOG_LEVEL_FATAL);
ret = sscanf(redis_port_range, "%d-%d", &redis_port_begin, &redis_port_end);
if (ret == 1)
@@ -344,53 +343,57 @@ static Maat_feather_t maat_feather_create_with_override(const char * instance_na
assert(strlen(inc_cfg_dir) != 0 || strlen(ful_cfg_dir) != 0 || strlen(redis_server) != 0
|| strlen(json_cfg_file) != 0);
target = Maat_feather(max_thread, table_info, logger);
Maat_set_feather_opt(target, MAAT_OPT_INSTANCE_NAME, instance_name, strlen(instance_name) + 1);
struct maat_options *opts = maat_options_new();
maat_options_set_logger(opts, "log/maat.log", (enum log_level)log_level);
maat_options_set_caller_thread_number(opts, max_thread);
maat_options_set_instance_name(opts, instance_name);
switch (input_mode)
{
case MAAT_INPUT_JSON:
Maat_set_feather_opt(target, MAAT_OPT_JSON_FILE_PATH, json_cfg_file, strlen(json_cfg_file) + 1);
maat_options_set_json_file(opts, json_cfg_file);
break;
case MAAT_INPUT_REDIS:Maat_set_feather_opt(target, MAAT_OPT_REDIS_IP, redis_server, strlen(redis_server) + 1);
Maat_set_feather_opt(target, MAAT_OPT_REDIS_PORT, &redis_port_select, sizeof(redis_port_select));
Maat_set_feather_opt(target, MAAT_OPT_REDIS_INDEX, &redis_db_idx, sizeof(redis_db_idx));
case MAAT_INPUT_REDIS:
maat_options_set_redis(opts, redis_server, redis_port_select, redis_db_idx);
break;
case MAAT_INPUT_FILE: Maat_set_feather_opt(target, MAAT_OPT_FULL_CFG_DIR, ful_cfg_dir, strlen(ful_cfg_dir) + 1);
Maat_set_feather_opt(target, MAAT_OPT_INC_CFG_DIR, inc_cfg_dir, strlen(inc_cfg_dir) + 1);
case MAAT_INPUT_FILE:
maat_options_set_iris(opts, ful_cfg_dir, inc_cfg_dir);
break;
default: TFE_LOG_ERROR(logger, "Invalid MAAT Input Mode: %d.", input_mode);
goto error_out;
break;
}
if (maat_stat_on)
{
Maat_set_feather_opt(target, MAAT_OPT_STAT_FILE_PATH, maat_stat_file, strlen(maat_stat_file) + 1);
Maat_set_feather_opt(target, MAAT_OPT_STAT_ON, NULL, 0);
if (maat_perf_on)
{
Maat_set_feather_opt(target, MAAT_OPT_PERF_ON, NULL, 0);
}
}
if (maat_stat_on)
{
maat_options_set_stat_on(opts);
if (maat_perf_on)
{
maat_options_set_perf_on(opts);
}
}
Maat_set_feather_opt(target, MAAT_OPT_DEFERRED_LOAD, &deferred_load_on, sizeof(deferred_load_on));
Maat_set_feather_opt(target, MAAT_OPT_EFFECT_INVERVAL_MS, &effect_interval, sizeof(effect_interval));
Maat_set_feather_opt(target, MAAT_OPT_SCAN_DETAIL, &scan_detail, sizeof(scan_detail));
if(deferred_load_on)
{
maat_options_set_deferred_load_on(opts);
}
maat_options_set_rule_effect_interval_ms(opts, effect_interval);
if (strlen(accept_tags) > 0)
{
Maat_set_feather_opt(target, MAAT_OPT_ACCEPT_TAGS, &accept_tags, sizeof(accept_tags));
maat_options_set_accept_tags(opts, accept_tags);
}
ret = Maat_initiate_feather(target);
if (ret < 0)
target = maat_new(opts, table_info);
if (!target)
{
TFE_LOG_ERROR(logger, "%s MAAT init failed.", __FUNCTION__);
TFE_LOG_ERROR(logger, "%s MAAT init failed.", __FUNCTION__);
goto error_out;
}
maat_options_free(opts);
return target;
return target;
error_out:
Maat_burn_feather(target);
maat_options_free(opts);
return NULL;
}
@@ -467,34 +470,34 @@ int traffic_mirror_init(struct tfe_proxy * proxy)
}
/* REGISTER MAAT FEATHER */
instance->policy_table_id = Maat_table_register(instance->maat_feather, "TSG_SECURITY_COMPILE");
if (unlikely(instance->policy_table_id < 0))
instance->policy_table_id = maat_get_table_id(instance->maat_feather, "TSG_SECURITY_COMPILE");
if (instance->policy_table_id < 0)
{
TFE_LOG_ERROR(instance->logger, "failed at register table TSG_SECURITY_COMPILE, ret = %d",
instance->policy_table_id); goto errout;
}
instance->profile_table_id = Maat_table_register(instance->maat_feather, "TSG_PROFILE_TRAFFIC_MIRROR");
if (unlikely(instance->profile_table_id < 0))
instance->profile_table_id = maat_get_table_id(instance->maat_feather, "TSG_PROFILE_TRAFFIC_MIRROR");
if (instance->profile_table_id < 0)
{
TFE_LOG_ERROR(instance->logger, "failed at register table TSG_PROFILE_TRAFFIC_MIRROR, ret = %d",
instance->profile_table_id); goto errout;
}
result = Maat_plugin_EX_register(instance->maat_feather, instance->policy_table_id,
result = maat_plugin_table_ex_schema_register(instance->maat_feather, "TSG_SECURITY_COMPILE",
policy_table_ex_data_new_cb, policy_table_ex_data_free_cb, policy_table_ex_data_dup_cb,
nullptr, 0, instance);
0, instance);
if(unlikely(result < 0))
if(result < 0)
{
TFE_LOG_ERROR(instance->logger, "failed at Maat_plugin_EX_register(TSG_SECURITY_COMPILE), "
TFE_LOG_ERROR(instance->logger, "failed at maat_plugin_table_ex_schema_register(TSG_SECURITY_COMPILE), "
"table_id = %d, ret = %d", instance->policy_table_id, result);
goto errout;
}
result = Maat_plugin_EX_register(instance->maat_feather, instance->profile_table_id,
result = maat_plugin_table_ex_schema_register(instance->maat_feather, "TSG_PROFILE_TRAFFIC_MIRROR",
profile_table_ex_data_new_cb, profile_table_ex_data_free_cb, profile_table_ex_data_dup_cb,
nullptr, 0, instance);
0, instance);
if (unlikely(result < 0))
{
@@ -554,8 +557,7 @@ int traffic_mirror_on_open_cb(const struct tfe_stream * stream, unsigned int thr
}
snprintf(str_policy_id, sizeof(str_policy_id), "%u", opt_val);
policy_ex_data = (struct policy_table_ex_data *) Maat_plugin_get_EX_data(instance->maat_feather,
instance->policy_table_id, str_policy_id);
policy_ex_data = (struct policy_table_ex_data *)maat_plugin_table_get_ex_data(instance->maat_feather, instance->policy_table_id, str_policy_id);
if (!policy_ex_data || !policy_ex_data->enable)
{
goto detach;
@@ -582,8 +584,7 @@ int traffic_mirror_on_open_cb(const struct tfe_stream * stream, unsigned int thr
if (policy_ex_data->is_profile_set)
{
snprintf(str_profile_id, sizeof(str_policy_id), "%u", policy_ex_data->profile_id);
profile_ex_data = (struct profile_table_ex_data *)Maat_plugin_get_EX_data(instance->maat_feather,
instance->profile_table_id, str_profile_id);
profile_ex_data = (struct profile_table_ex_data *)maat_plugin_table_get_ex_data(instance->maat_feather, instance->profile_table_id, str_profile_id);
if (!profile_ex_data)
{
TFE_LOG_ERROR(instance->logger, "failed at getting policy %s's profile, profile id = %s, "
@@ -718,7 +719,7 @@ void traffic_mirror_on_close_cb(const struct tfe_stream * stream, unsigned int t
{
return;
}
struct traffic_mirror_me * me = (struct traffic_mirror_me *)(*pme);
traffic_mirror_rebuild_farewell(me->rebuild_ctx, thread_id);
traffic_mirror_rebuild_destroy(me->rebuild_ctx);
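Review bot: The new debug message in profile_table_ex_data_new_cb, `"traffic mirror profile %s: vlan id[%d]£º %d"`, carries the bytes `£º`, which look like a full-width colon mis-encoded from a GBK source file; the removed line's ASCII form `"... vlan id[%d]: %d"` should be kept so the log stays readable. In maat_feather_create_with_override the handle from maat_options_new() feeds the maat_options_set_* calls with no NULL check, and the maat log path `"log/maat.log"` is hard-coded relative to the working directory while every other maat setting comes from the profile; consider `if (!opts) { TFE_LOG_ERROR(logger, "maat_options_new failed"); return NULL; }` and a `maat_log_file` profile key. Whether the setters tolerate a NULL options object is not visible here.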


@@ -19,11 +19,13 @@ struct tsg_script_ctx
int config_id;
int profile_id;
int http_req_uri;
int rewrite_header;
char *rewrite_uri;
int execut_lua_sucess;
struct elua_context *elua_ctx;
enum tfe_http_event events;
void * local_logger;
struct tfe_stream_addr * addr;
const struct tfe_http_session *session;
struct tfe_http_half *replacing;
struct evbuffer *http_body;


@@ -2,13 +2,22 @@
#include <tfe_stream.h>
#include <tfe_http.h>
#include <MESA/Maat_rule.h>
struct log_rule_t
{
long long config_id;
int service_id;
unsigned char do_log;
unsigned char do_blacklist;
unsigned char action;
char *srv_def_large;
};
struct proxy_log
{
const struct tfe_stream *stream;
const struct tfe_http_session* http;
const Maat_rule_t*result;
const struct log_rule_t *result;
size_t result_num;
struct evbuffer* req_body, *resp_body;
unsigned char action;


@@ -2,12 +2,12 @@
#include <event2/event.h>
#include <event2/buffer.h>
#include <tfe_future.h>
#include <MESA/Maat_rule.h>
#include <MESA/maat.h>
struct cache_handle;
struct cache_handle* create_web_cache_handle(const char* profile_path, const char* section,
struct event_base* gc_evbase, Maat_feather_t feather, void *logger);
struct cache_handle* create_web_cache_handle(const char* profile_path, const char* section,
struct event_base* gc_evbase, struct maat *feather, void *logger);
struct cached_meta
{
@@ -56,7 +56,7 @@ enum cache_pending_result web_cache_async_pending(struct cache_handle* handle, u
struct cache_write_context;
struct cache_write_context* web_cache_write_start(struct cache_handle* handle, unsigned int thread_id,
struct cache_write_context* web_cache_write_start(struct cache_handle* handle, unsigned int thread_id,
const struct tfe_http_session * session, struct cache_mid **mid);
void web_cache_write(struct cache_write_context* ctx, const unsigned char * body_frag, size_t frag_size);
//return 1 on success


@@ -449,6 +449,35 @@ static int http_lua_get_current_stage(struct elua_vm *vm)
return 1;
}
static int http_lua_get_5tuple(struct elua_vm *vm)
{
struct tsg_script_ctx *tsg_ctx = (struct tsg_script_ctx *)elua_get_execute_userdata(vm);
if(tsg_ctx == NULL)
{
return 0;
}
struct tfe_stream_addr * addr = tsg_ctx->addr;
if(addr == NULL)
{
return 0;
}
char ip_addr[64]={0};
unsigned int source=0,dest=0,protocol;
char src_ip_str[MAX(INET6_ADDRSTRLEN,INET_ADDRSTRLEN)] = {0};
char dst_ip_str[MAX(INET6_ADDRSTRLEN,INET_ADDRSTRLEN)] = {0};
protocol = addr->addrtype;
source = ntohs(addr->tuple4_v4->source);
dest = ntohs(addr->tuple4_v4->dest);
inet_ntop(AF_INET, &addr->tuple4_v4->saddr, src_ip_str, sizeof(src_ip_str));
inet_ntop(AF_INET, &addr->tuple4_v4->daddr, dst_ip_str, sizeof(dst_ip_str));
snprintf(ip_addr, sizeof(ip_addr), "%d %s %d %s %d", protocol, src_ip_str, source, dst_ip_str, dest);
http_set_string_to_lua(vm, ip_addr, strlen(ip_addr));
return 1;
}
static int http_lua_get_headers(struct elua_vm *vm)
{
struct tsg_script_ctx *tsg_ctx = (struct tsg_script_ctx *)elua_get_execute_userdata(vm);
@@ -594,6 +623,48 @@ static int http_lua_set_headers(struct elua_vm *vm)
return 0;
}
static int http_lua_rewrite_header(struct elua_vm *vm)
{
struct tsg_script_ctx *tsg_ctx = (struct tsg_script_ctx *)elua_get_execute_userdata(vm);
if(tsg_ctx == NULL)
{
return 0;
}
const struct tfe_http_session * session = tsg_ctx->session;
if(session == NULL)
{
return 0;
}
struct tfe_http_half *replacing = tsg_ctx->replacing;
if(replacing == NULL)
{
return 0;
}
int out_lua_argc = 0;
struct elua_data *out_lua_argv = NULL;
out_lua_argc = http_get_param_from_lua(vm, &out_lua_argv);
if(out_lua_argc != 2 || out_lua_argv == NULL)
{
return 0;
}
char *field_name=out_lua_argv[0].buff, *field_value=out_lua_argv[1].buff;
if(field_name == NULL || field_value == NULL)
{
return 0;
}
tfe_http_nonstd_field_write(tsg_ctx->replacing, field_name, field_value);
tsg_ctx->execut_lua_sucess=1;
tsg_ctx->rewrite_header=1;
http_free_params(out_lua_argv);
return 0;
}
static int http_lua_get_body(struct elua_vm *vm)
{
struct tsg_script_ctx *tsg_ctx = (struct tsg_script_ctx *)elua_get_execute_userdata(vm);
@@ -669,6 +740,7 @@ void http_lua_ctx_free(struct tsg_lua_script *lua_script, unsigned int thread_id
void http_lua_inject_http_consts(struct elua_vm *vm)
{
elua_register_cbinding(vm, NULL, "get_current_stage", http_lua_get_current_stage);
elua_register_cbinding(vm, NULL, "get_5tuple", http_lua_get_5tuple);
elua_register_cbinding(vm, NULL, "log_debug", http_lua_log_debug);
elua_register_cbinding(vm, NULL, "log_info", http_lua_log_info);
elua_register_cbinding(vm, NULL, "log_error", http_lua_log_error);
@@ -682,6 +754,7 @@ void http_lua_inject_req_header_api(struct elua_vm *vm)
elua_register_cbinding(vm, "req", "set_uri", http_lua_set_uri);
elua_register_cbinding(vm, "req", "get_headers", http_lua_get_headers);
elua_register_cbinding(vm, "req", "set_header", http_lua_set_headers);
elua_register_cbinding(vm, "req", "rewrite_header", http_lua_rewrite_header);
}
void http_lua_inject_req_body_api(struct elua_vm *vm)
@@ -695,8 +768,9 @@ void http_lua_inject_resp_header_api(struct elua_vm *vm)
elua_register_cbinding(vm, "resp", "get_status_code", http_lua_get_status_code);
elua_register_cbinding(vm, "resp", "set_status_code", http_lua_set_status_code);
elua_register_cbinding(vm, "resp", "get_headers", http_lua_get_headers);
elua_register_cbinding(vm, "resp", "set_header", http_lua_set_headers);
elua_register_cbinding(vm, "resp", "get_headers", http_lua_get_headers);
elua_register_cbinding(vm, "resp", "set_header", http_lua_set_headers);
elua_register_cbinding(vm, "resp", "rewrite_header", http_lua_rewrite_header);
}
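Review bot: http_lua_rewrite_header leaks the argument array from http_get_param_from_lua on two early returns after that call: when the count is not 2 but the array was still returned, and when either `.buff` is NULL, http_free_params is never reached (only the success path frees it). The name and value are also script-controlled strings passed straight to tfe_http_nonstd_field_write with no CR/LF check and the write's return ignored, so a script that forwards request data into a header could inject a header line unless tfe_http_nonstd_field_write rejects control characters itself, which is not visible here. The earlier hunk's http_lua_get_5tuple has a separate defect: it always formats addr->tuple4_v4 with AF_INET regardless of addr->addrtype, so IPv6 streams yield garbage, and a 64-byte ip_addr cannot hold two IPv6 strings; at minimum `if (addr->addrtype == ADDR_TYPE_IPV6) return 0;` and `char ip_addr[2 * INET6_ADDRSTRLEN + 32] = {0};`.
```c
    struct elua_data *out_lua_argv = NULL;
    int out_lua_argc = http_get_param_from_lua(vm, &out_lua_argv);
    if (out_lua_argv == NULL)
    {
        return 0;
    }
    if (out_lua_argc == 2)
    {
        char *field_name = out_lua_argv[0].buff, *field_value = out_lua_argv[1].buff;
        /* Refuse names/values that could end the header line; drop this check only if
         * tfe_http_nonstd_field_write is known to reject control characters itself. */
        if (field_name != NULL && field_value != NULL
            && strpbrk(field_name, "\r\n") == NULL && strpbrk(field_value, "\r\n") == NULL)
        {
            tfe_http_nonstd_field_write(tsg_ctx->replacing, field_name, field_value);
            tsg_ctx->execut_lua_sucess = 1;
            tsg_ctx->rewrite_header = 1;
        }
    }
    http_free_params(out_lua_argv); /* released on every path after the call */
    return 0;
```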
void http_lua_inject_resp_body_api(struct elua_vm *vm)


@@ -13,10 +13,10 @@
#include <tfe_scan.h>
#include <tfe_types.h>
#include <MESA/Maat_rule.h>
#include <MESA/MESA_handle_logger.h>
#include <MESA/MESA_prof_load.h>
#include <MESA/stream.h>
#include <MESA/maat.h>
#include <event2/event.h>
#include <event2/buffer.h>
@@ -43,8 +43,8 @@ enum proxy_action //Bigger action number is prior.
PX_ACTION_DROP = 0x20, /* N/A */
PX_ACTION_MANIPULATE = 0x30,
PX_ACTION_RATELIMIT = 0x40, /* N/A */
PX_ACTION_LOOP = 0x60, /* N/A */
PX_ACTION_WHITELIST = 0x80,
PX_ACTION_WHITELIST = 0x60,
PX_ACTION_SHUNT = 0x80,
__PX_ACTION_MAX
};
@@ -64,9 +64,11 @@ enum manipulate_action
enum scan_table
{
PXY_CTRL_IP,
PXY_CTRL_SOURCE_ADDR,
PXY_CTRL_DESTINATION_ADDR,
PXY_CTRL_HTTP_URL,
PXY_CTRL_HTTP_FQDN,
PXY_CTRL_HTTP_FQDN_CAT,
PXY_CTRL_HTTP_REQ_HDR,
PXY_CTRL_HTTP_REQ_BODY,
PXY_CTRL_HTTP_RES_HDR,
@@ -118,14 +120,22 @@ struct manipulate_profile
pthread_mutex_t lock;
};
struct maat_rule_t
{
long long config_id;
int service_id;
unsigned char do_log;
unsigned char do_blacklist;
unsigned char action;
char *srv_def_large;
};
struct policy_action_param
{
int ref_cnt;
enum manipulate_action action;
char *message;
char *position;
float enforcement_ratio;
int vsys_id;
int profile_id;
@@ -133,16 +143,15 @@ struct policy_action_param
size_t n_rule;
struct replace_rule *repl_rule;
size_t e_rule;
struct edit_element_rule *elem_rule;
struct maat_rule_t hit_rule;
pthread_mutex_t lock;
};
struct tsg_proxy_rt
{
Maat_feather_t maat;
struct maat *feather;
struct proxy_logger * send_logger;
void * local_logger;
int thread_num;
@@ -223,7 +232,7 @@ void increase_redirect_policy_hit_num(void)
void trusted_CA_update_start_cb(int update_type, void* u_para)
{
if(update_type==MAAT_RULE_UPDATE_TYPE_FULL)
if(update_type==MAAT_UPDATE_TYPE_FULL)
{
if(g_proxy_rt->ca_store_reseting==0)
{
@@ -378,13 +387,25 @@ void octal_utf8_escapes(char *input)
return;
}
void policy_action_param_new(int idx, const struct Maat_rule_t* rule, const char* srv_def_large,
MAAT_RULE_EX_DATA* ad, long argl, void *argp)
void policy_action_param_new(const char *table_name, int table_id, const char* key, const char* table_line, void **ad, long argl, void* argp)
{
int ret=0;
int config_id=0, service_id=0, action=0;
int do_log=0,do_blacklist=0,is_valid=0;
char effective_range[1024]={0};
char srv_def_large[8192]={0};
struct policy_action_param* param=NULL;
ret=sscanf(table_line, "%d\t%d\t%d\t%d\t%d\t%s\t%s\t%d", &config_id, &service_id, &action, &do_blacklist, &do_log,effective_range, srv_def_large, &is_valid);
if(ret!=8)
{
TFE_LOG_ERROR(g_proxy_rt->local_logger, "ctrl policy table parse failed, ret:%d, %s", ret, table_line);
return;
}
*ad=NULL;
if((unsigned int)rule->serv_def_len<strlen("{}")+1)
int serv_def_len=strlen(srv_def_large);
if((unsigned int)serv_def_len<strlen("{}")+1)
{
return;
}
@@ -394,29 +415,36 @@ void policy_action_param_new(int idx, const struct Maat_rule_t* rule, const char
json=cJSON_Parse(srv_def_large);
if(json==NULL)
{
TFE_LOG_ERROR(g_proxy_rt->local_logger, "invalid policy parameter: id = %d", rule->config_id);
TFE_LOG_ERROR(g_proxy_rt->local_logger, "invalid policy parameter: id = %d", config_id);
return;
}
item=cJSON_GetObjectItem(json, "protocol");
if(unlikely(!item || !cJSON_IsString(item)))
{
TFE_LOG_ERROR(g_proxy_rt->local_logger, "Invalid policy parameter: %d invalid protocol format", rule->config_id);
TFE_LOG_ERROR(g_proxy_rt->local_logger, "Invalid policy parameter: %d invalid protocol format", config_id);
goto error_out;
}
if(0!=strcasecmp(item->valuestring, "http"))
{
goto error_out;
}
param=ALLOC(struct policy_action_param, 1);
param->ref_cnt=1;
param->hit_rule.action=action;
param->hit_rule.config_id=config_id;
param->hit_rule.do_blacklist=do_blacklist;
param->hit_rule.do_log=do_log;
param->hit_rule.srv_def_large=tfe_strdup(srv_def_large);
pthread_mutex_init(&(param->lock), NULL);
if(0!=strcasecmp(item->valuestring, "http"))
{
*ad=param;
goto error_out;
}
item=cJSON_GetObjectItem(json,"method");
if(item && item->type==cJSON_String)
{
param->action =manipulate_action_str2idx(item->valuestring);
param->action=manipulate_action_str2idx(item->valuestring);
}
switch(param->action)
@@ -628,13 +656,13 @@ void policy_action_param_new(int idx, const struct Maat_rule_t* rule, const char
break;
}
*ad=param;
TFE_LOG_INFO(g_proxy_rt->local_logger, "Add ctrl policy: %d", rule->config_id);
TFE_LOG_INFO(g_proxy_rt->local_logger, "Add ctrl policy: %d", config_id);
error_out:
cJSON_Delete(json);
return;
}
void policy_action_param_free_cb(int table_id, const struct Maat_rule_t* rule, const char* srv_def_large, MAAT_RULE_EX_DATA* ad, long argl, void *argp)
void policy_action_param_free_cb(int table_id, void **ad, long argl, void *argp)
{
unsigned int i=0;
if(*ad==NULL)
@@ -674,17 +702,20 @@ void policy_action_param_free_cb(int table_id, const struct Maat_rule_t* rule, c
FREE(&(param->message));
if (param->position)
FREE(&(param->position));
if(param->hit_rule.srv_def_large)
FREE(&(param->hit_rule.srv_def_large))
FREE(&(param));
return;
}
void policy_action_param_free(struct policy_action_param* param)
{
policy_action_param_free_cb(0, NULL, NULL, (void**)&param, 0, NULL);
policy_action_param_free_cb(0, (void**)&param, 0, NULL);
return;
}
void policy_action_param_dup(int idx, MAAT_RULE_EX_DATA *to, MAAT_RULE_EX_DATA *from, long argl, void *argp)
void policy_action_param_dup(int idx, void **to, void **from, long argl, void *argp)
{
struct policy_action_param* from_param=*((struct policy_action_param**)from);
if(from_param==NULL)
@@ -699,7 +730,7 @@ void policy_action_param_dup(int idx, MAAT_RULE_EX_DATA *to, MAAT_RULE_EX_DATA *
return;
}
void ma_profile_table_new_cb(int table_id, const char* key, const char* table_line, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp)
void ma_profile_table_new_cb(const char *table_name, int table_id, const char* key, const char* table_line, void **ad, long argl, void* argp)
{
int ret=0, profile_id=0, is_valid=0;
char profile_name[128]={0}, formate[128]={0};
@@ -739,7 +770,7 @@ void ma_profile_table_new_cb(int table_id, const char* key, const char* table_li
return;
}
void ma_insert_profile_table_new_cb(int table_id, const char* key, const char* table_line, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp)
void ma_insert_profile_table_new_cb(const char *table_name, int table_id, const char* key, const char* table_line, void **ad, long argl, void* argp)
{
int ret=0, profile_id=0, is_valid=0;
char profile_name[128]={0}, formate[128]={0};
@@ -779,7 +810,7 @@ void ma_insert_profile_table_new_cb(int table_id, const char* key, const char* t
return;
}
void ma_hijack_profile_table_new_cb(int table_id, const char* key, const char* table_line, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp)
void ma_hijack_profile_table_new_cb(const char *table_name, int table_id, const char* key, const char* table_line, void **ad, long argl, void* argp)
{
int ret=0, profile_id=0, is_valid=0;
char profile_name[128]={0}, formate[128]={0};
@@ -806,7 +837,7 @@ void ma_hijack_profile_table_new_cb(int table_id, const char* key, const char* t
return;
}
void ma_lua_profile_table_new_cb(int table_id, const char* key, const char* table_line, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp)
void ma_lua_profile_table_new_cb(const char *table_name, int table_id, const char* key, const char* table_line, void **ad, long argl, void* argp)
{
int timeout=0;
int ret=0, profile_id=0, is_valid=0;
@@ -848,7 +879,7 @@ void ma_lua_profile_table_new_cb(int table_id, const char* key, const char* tabl
return;
}
void ma_profile_table_free_cb(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, void *argp)
void ma_profile_table_free_cb(int table_id, void **ad, long argl, void *argp)
{
if(*ad==NULL)
{
@@ -895,7 +926,7 @@ void ma_profile_table_free(struct manipulate_profile* ply_obj)
ma_profile_table_free_cb(0, (void **)&ply_obj, 0, NULL);
}
void ma_profile_table_dup_cb(int table_id, MAAT_PLUGIN_EX_DATA *to, MAAT_PLUGIN_EX_DATA *from, long argl, void *argp)
void ma_profile_table_dup_cb(int table_id, void **to, void **from, long argl, void *argp)
{
struct manipulate_profile* ply_obj=(struct manipulate_profile*)(*from);
pthread_mutex_lock(&(ply_obj->lock));
@@ -905,15 +936,15 @@ void ma_profile_table_dup_cb(int table_id, MAAT_PLUGIN_EX_DATA *to, MAAT_PLUGIN_
}
int maat_table_init(const char* table_name,
Maat_start_callback_t *start, Maat_update_callback_t *update,Maat_finish_callback_t *finish,
maat_start_callback_t *start, maat_update_callback_t *update, maat_finish_callback_t *finish,
void *u_para)
{
int table_id=0;
table_id=Maat_table_register(g_proxy_rt->maat, table_name);
table_id=maat_get_table_id(g_proxy_rt->feather, table_name);
if(table_id>=0)
{
Maat_table_callback_register(g_proxy_rt->maat, table_id,
maat_table_callback_register(g_proxy_rt->feather, table_id,
start, update, finish, u_para);
}
return table_id;
@@ -930,27 +961,27 @@ const char* table_name_idx2str(int profile_idx)
}
int maat_table_ex_init(int profile_idx,
Maat_plugin_EX_free_func_t* free_func,
Maat_plugin_EX_dup_func_t* dup_func)
maat_ex_free_func_t* free_func,
maat_ex_dup_func_t* dup_func)
{
int table_id = 0;
const char *table_name = table_name_idx2str(profile_idx);
Maat_plugin_EX_new_func_t *new_func[] = {
maat_ex_new_func_t *new_func[] = {
[POLICY_PROFLIE_TABLE_REJECT] = ma_profile_table_new_cb,
[POLICY_PROFILE_TABLE_INSERT] = ma_insert_profile_table_new_cb,
[POLICY_PROFILE_TABLE_HIJACK] = ma_hijack_profile_table_new_cb,
[POLICY_PROFILE_TABLE_LUA] = ma_lua_profile_table_new_cb,
};
table_id=g_proxy_rt->plolicy_table_id[profile_idx]=Maat_table_register(g_proxy_rt->maat, table_name);
table_id=g_proxy_rt->plolicy_table_id[profile_idx]=maat_get_table_id(g_proxy_rt->feather, table_name);
if(table_id >= 0)
{
table_id=Maat_plugin_EX_register(g_proxy_rt->maat, table_id,
new_func[profile_idx],
free_func,
dup_func,
NULL, 0, NULL);
table_id=maat_plugin_table_ex_schema_register(g_proxy_rt->feather, table_name,
new_func[profile_idx],
free_func,
dup_func,
0, NULL);
return 0;
}
TFE_LOG_INFO(NULL, "Pangu HTTP register table %s failed.", table_name);
@@ -960,12 +991,14 @@ int maat_table_ex_init(int profile_idx,
int proxy_policy_init(const char* profile_path, const char* static_section, const char* dynamic_section)
{
int ret = 0;
g_proxy_rt->maat = (Maat_feather_t)tfe_bussiness_resouce_get(STATIC_MAAT);
g_proxy_rt->feather = (struct maat *)tfe_bussiness_resouce_get(STATIC_MAAT);
const char * table_name[__SCAN_TABLE_MAX];
table_name[PXY_CTRL_IP] = "TSG_SECURITY_ADDR";
table_name[PXY_CTRL_SOURCE_ADDR] = "TSG_SECURITY_SOURCE_ADDR";
table_name[PXY_CTRL_DESTINATION_ADDR]="TSG_SECURITY_DESTINATION_ADDR";
table_name[PXY_CTRL_HTTP_URL] = "TSG_FIELD_HTTP_URL";
table_name[PXY_CTRL_HTTP_FQDN] = "TSG_FIELD_HTTP_HOST";
table_name[PXY_CTRL_HTTP_FQDN_CAT] = "TSG_FIELD_HTTP_HOST_CAT";
table_name[PXY_CTRL_HTTP_REQ_HDR] = "TSG_FIELD_HTTP_REQ_HDR";
table_name[PXY_CTRL_HTTP_REQ_BODY] = "TSG_FIELD_HTTP_REQ_BODY";
table_name[PXY_CTRL_HTTP_RES_HDR] = "TSG_FIELD_HTTP_RES_HDR";
@@ -973,7 +1006,7 @@ int proxy_policy_init(const char* profile_path, const char* static_section, cons
table_name[PXY_CTRL_APP_ID] = "TSG_OBJ_APP_ID";
for (int i = 0; i < __SCAN_TABLE_MAX; i++)
{
g_proxy_rt->scan_table_id[i] = Maat_table_register(g_proxy_rt->maat, table_name[i]);
g_proxy_rt->scan_table_id[i] = maat_get_table_id(g_proxy_rt->feather, table_name[i]);
if (g_proxy_rt->scan_table_id[i] < 0)
{
TFE_LOG_ERROR(NULL, "Pangu HTTP Maat table %s register failed.", table_name[i]);
@@ -981,17 +1014,18 @@ int proxy_policy_init(const char* profile_path, const char* static_section, cons
}
}
g_proxy_rt->ctrl_compile_idx=Maat_rule_get_ex_new_index(g_proxy_rt->maat, "PXY_CTRL_COMPILE",
policy_action_param_new,
policy_action_param_free_cb,
policy_action_param_dup,
0, NULL);
g_proxy_rt->ctrl_compile_idx=maat_get_table_id(g_proxy_rt->feather, "PXY_CTRL_COMPILE");
maat_plugin_table_ex_schema_register(g_proxy_rt->feather, "PXY_CTRL_COMPILE",
policy_action_param_new,
policy_action_param_free_cb,
policy_action_param_dup,
0, NULL);
ret = maat_table_init("PXY_PROFILE_TRUSTED_CA_CERT",
trusted_CA_update_start_cb,
trusted_CA_update_cert_cb,
trusted_CA_update_finish_cb,
g_proxy_rt);
trusted_CA_update_start_cb,
trusted_CA_update_cert_cb,
trusted_CA_update_finish_cb,
g_proxy_rt);
if(ret<0)
{
TFE_LOG_INFO(NULL, "Pangu HTTP register table PXY_OBJ_TRUSTED_CA_CERT failed.");
@@ -999,10 +1033,10 @@ int proxy_policy_init(const char* profile_path, const char* static_section, cons
}
ret = maat_table_init("PXY_OBJ_TRUSTED_CA_CRL",
trusted_CA_update_start_cb,
trusted_CA_update_crl_cb,
trusted_CA_update_finish_cb,
g_proxy_rt);
trusted_CA_update_start_cb,
trusted_CA_update_crl_cb,
trusted_CA_update_finish_cb,
g_proxy_rt);
if(ret<0)
{
TFE_LOG_INFO(NULL, "Pangu HTTP register table PXY_OBJ_TRUSTED_CA_CRL failed.");
@@ -1131,7 +1165,7 @@ int proxy_http_init(struct tfe_proxy * proxy)
if(g_proxy_rt->cache_enabled)
{
g_proxy_rt->cache = create_web_cache_handle(profile_path, "TANGO_CACHE", g_proxy_rt->gc_evbase,
g_proxy_rt->maat, g_proxy_rt->local_logger);
g_proxy_rt->feather, g_proxy_rt->local_logger);
if(!g_proxy_rt->cache)
{
TFE_LOG_INFO(NULL, "Tango Cache init failed.");
@@ -1187,11 +1221,11 @@ struct proxy_http_ctx
enum proxy_action action;
char * action_para;
int hit_cnt;
struct Maat_rule_t result[MAX_SCAN_RESULT];
scan_status_t scan_mid;
stream_para_t sp;
long long result[MAX_SCAN_RESULT];
struct maat_state *scan_mid;
struct maat_stream *sp;
struct cache_mid* cmid;
struct Maat_rule_t * enforce_rules;
struct maat_rule_t * enforce_rules;
size_t n_enforce;
struct policy_action_param *param;
struct evbuffer* log_req_body, *log_resp_body;
@@ -1293,7 +1327,7 @@ static struct proxy_http_ctx * proxy_http_ctx_new(unsigned int thread_id)
{
struct proxy_http_ctx * ctx = ALLOC(struct proxy_http_ctx, 1);
ctx->magic_num=HTTP_CTX_MAGIC_NUM;
ctx->scan_mid = NULL;
ctx->scan_mid = maat_state_new(g_proxy_rt->feather, thread_id);
ctx->thread_id = (int) thread_id;
return ctx;
}
@@ -1327,12 +1361,14 @@ static void proxy_http_ctx_free(struct proxy_http_ctx * ctx)
FREE(&ctx->enforce_rules);
policy_action_param_free(ctx->param);
ctx->param=NULL;
Maat_clean_status(&(ctx->scan_mid));
maat_state_free(ctx->scan_mid);
ctx->scan_mid = NULL;
if(ctx->sp)
{
Maat_stream_scan_string_end(&(ctx->sp));
maat_stream_free(ctx->sp);
ctx->sp=NULL;
}
if(ctx->cache_write_ctx)
{
@@ -1398,7 +1434,7 @@ static struct manipulate_profile* get_profile_by_id(int profile_table, int profi
snprintf(cfg_id_str, sizeof(cfg_id_str), "%d", profile_id);
int table_id = g_proxy_rt->plolicy_table_id[profile_table];
result = (struct manipulate_profile*)Maat_plugin_get_EX_data(g_proxy_rt->maat, table_id, (const char*)cfg_id_str);
result = (struct manipulate_profile*)maat_plugin_table_get_ex_data(g_proxy_rt->feather, table_id, (const char*)cfg_id_str);
return result;
}
@@ -1428,13 +1464,29 @@ static inline int action_cmp(enum proxy_action a1, enum proxy_action a2)
}
//enforce_rules[0] contains execute action.
static enum proxy_action decide_ctrl_action(const struct Maat_rule_t * hit_rules, size_t n_hit,
struct Maat_rule_t ** enforce_rules, size_t * n_enforce, struct policy_action_param **param)
static enum proxy_action decide_ctrl_action(long long *results, size_t n_hit,
struct maat_rule_t** enforce_rules, size_t * n_enforce, struct policy_action_param **param)
{
void *ex_data=NULL;
size_t n_monit = 0, exist_enforce_num = 0, i = 0;
const struct Maat_rule_t * prior_rule = hit_rules;
struct Maat_rule_t monit_rule[n_hit];
struct policy_action_param *get_ex_param=NULL;
struct maat_rule_t *hit_rules=NULL;
hit_rules=ALLOC(struct maat_rule_t, n_hit);
for (i = 0; i < n_hit && i<MAX_SCAN_RESULT; i++)
{
get_ex_param =(struct policy_action_param *)maat_plugin_table_get_ex_data(g_proxy_rt->feather, g_proxy_rt->ctrl_compile_idx, (const char *)&results[i]);
if(get_ex_param==NULL)
{
continue;
}
memcpy(hit_rules+i, &get_ex_param->hit_rule, sizeof(struct maat_rule_t));
policy_action_param_free(get_ex_param);
}
const struct maat_rule_t * prior_rule = hit_rules;
struct maat_rule_t monit_rule[n_hit];
enum proxy_action prior_action = PX_ACTION_NONE;
for (i = 0; i < n_hit && i<MAX_SCAN_RESULT; i++)
@@ -1444,7 +1496,7 @@ static enum proxy_action decide_ctrl_action(const struct Maat_rule_t * hit_rules
if (__action == PX_ACTION_MONIT)
{
memcpy(monit_rule + n_monit, hit_rules + i, sizeof(struct Maat_rule_t));
memcpy(monit_rule + n_monit, hit_rules + i, sizeof(struct maat_rule_t));
n_monit++;
}
if (action_cmp(__action, prior_action) > 0)
@@ -1469,11 +1521,11 @@ static enum proxy_action decide_ctrl_action(const struct Maat_rule_t * hit_rules
{
if(*n_enforce==0)
{
*enforce_rules=ALLOC(struct Maat_rule_t, 1);
*enforce_rules=ALLOC(struct maat_rule_t, 1);
}
*enforce_rules[0]=*prior_rule;
*n_enforce=1;
ex_data=Maat_rule_get_ex_data(g_proxy_rt->maat, prior_rule, g_proxy_rt->ctrl_compile_idx);
ex_data=maat_plugin_table_get_ex_data(g_proxy_rt->feather, g_proxy_rt->ctrl_compile_idx, (const char *)&prior_rule->config_id);
if(ex_data!=NULL)
{
*param=(struct policy_action_param*)ex_data;
@@ -1491,19 +1543,19 @@ static enum proxy_action decide_ctrl_action(const struct Maat_rule_t * hit_rules
*n_enforce += n_monit + 1;
}
*enforce_rules = (struct Maat_rule_t *) realloc(*enforce_rules, sizeof(struct Maat_rule_t) * (*n_enforce));
*enforce_rules = (struct maat_rule_t *) realloc(*enforce_rules, sizeof(struct maat_rule_t) * (*n_enforce));
if (prior_action == PX_ACTION_MONIT)
{
memcpy(*enforce_rules + exist_enforce_num, monit_rule, n_monit * sizeof(struct Maat_rule_t));
memcpy(*enforce_rules + exist_enforce_num, monit_rule, n_monit * sizeof(struct maat_rule_t));
}
else
{
memmove(*enforce_rules+1, *enforce_rules, exist_enforce_num*sizeof(struct Maat_rule_t));
memcpy(*enforce_rules, prior_rule, sizeof(struct Maat_rule_t));
memcpy(*enforce_rules + exist_enforce_num + 1, monit_rule, n_monit * sizeof(struct Maat_rule_t));
memmove(*enforce_rules+1, *enforce_rules, exist_enforce_num*sizeof(struct maat_rule_t));
memcpy(*enforce_rules, prior_rule, sizeof(struct maat_rule_t));
memcpy(*enforce_rules + exist_enforce_num + 1, monit_rule, n_monit * sizeof(struct maat_rule_t));
}
ex_data=Maat_rule_get_ex_data(g_proxy_rt->maat, prior_rule, g_proxy_rt->ctrl_compile_idx);
ex_data=maat_plugin_table_get_ex_data(g_proxy_rt->feather, g_proxy_rt->ctrl_compile_idx, (const char *)&prior_rule->config_id);
if(ex_data!=NULL)
{
*param=(struct policy_action_param*)ex_data;
@@ -1644,6 +1696,7 @@ void http_lua(const struct tfe_stream * stream, const struct tfe_http_session *
struct policy_action_param *param = ctx->param;
ctx->tsg_ctx = tsg_ctx = ALLOC(struct tsg_script_ctx, 1);
tsg_ctx->profile_id = param->profile_id;
tsg_ctx->addr = stream->addr;
tsg_ctx->elua_ctx = http_lua_ctx_new(lua_script, ctx->thread_id);
}
else
@@ -1665,16 +1718,17 @@ void http_lua(const struct tfe_stream * stream, const struct tfe_http_session *
if ((events & EV_HTTP_REQ_HDR) || (events & EV_HTTP_RESP_HDR))
{
tsg_ctx->http_req_uri=1; tsg_ctx->execut_lua_sucess=0;
ret=execute_lua_script_rule(lua_script, tsg_ctx->profile_id, tsg_ctx->elua_ctx, ctx->thread_id, (void *)tsg_ctx);
if(ret==0 && tsg_ctx->execut_lua_sucess==1)
{
tsg_ctx->actually_executed =1;
}
tsg_ctx->http_req_uri=0;
tsg_ctx->execut_lua_sucess=0;
if (tfe_http_in_request(events))
{
tsg_ctx->http_req_uri=1; tsg_ctx->execut_lua_sucess=0;
ret=execute_lua_script_rule(lua_script, tsg_ctx->profile_id, tsg_ctx->elua_ctx, ctx->thread_id, (void *)tsg_ctx);
if(ret==0 && tsg_ctx->execut_lua_sucess==1)
{
tsg_ctx->actually_executed =1;
}
tsg_ctx->http_req_uri=0;
tsg_ctx->execut_lua_sucess=0;
tsg_ctx->replacing = tfe_http_session_request_create(to_write_sess, in_req_spec->method, tsg_ctx->rewrite_uri !=NULL ? tsg_ctx->rewrite_uri : in_req_spec->uri);
tfe_http_session_request_set(to_write_sess, tsg_ctx->replacing);
}
@@ -1694,14 +1748,13 @@ void http_lua(const struct tfe_stream * stream, const struct tfe_http_session *
{
tsg_ctx->actually_executed =1;
}
struct tfe_http_half * in_half = tfe_http_in_request(events) ? in_req_half : in_resp_half;
struct http_field_name in_header_field{};
const char * in_header_value = NULL;
void * iterator = NULL;
while (true)
while (true && tsg_ctx->rewrite_header!=1)
{
if ((in_header_value = tfe_http_field_iterate(in_half, &iterator, &in_header_field)) == NULL)
{
@@ -1709,6 +1762,7 @@ void http_lua(const struct tfe_stream * stream, const struct tfe_http_session *
}
tfe_http_field_write(tsg_ctx->replacing, &in_header_field, in_header_value);
}
tsg_ctx->rewrite_header=0;
}
if ((events & EV_HTTP_REQ_BODY_BEGIN) || (events & EV_HTTP_RESP_BODY_BEGIN))
@@ -2033,7 +2087,7 @@ static void http_redirect(const struct tfe_stream * stream, const struct tfe_htt
}
ctx->manipulate_replaced = 1;
if (resp_code <= 0 || rd_url == NULL){
TFE_LOG_ERROR(g_proxy_rt->local_logger, "Invalid redirect rule %d paramter",
TFE_LOG_ERROR(g_proxy_rt->local_logger, "Invalid redirect rule %lld paramter",
ctx->enforce_rules[0].config_id);
goto error_out;
}
@@ -2093,7 +2147,7 @@ static void http_block(const struct tfe_stream * stream, const struct tfe_http_s
char *message = param->message;
if (resp_code <= 0 || profile_id < 0){
TFE_LOG_ERROR(g_proxy_rt->local_logger, "Invalid block rule %d", ctx->enforce_rules[0].config_id);
TFE_LOG_ERROR(g_proxy_rt->local_logger, "Invalid block rule %lld", ctx->enforce_rules[0].config_id);
ctx->action = PX_ACTION_NONE;
return;
}
@@ -2149,7 +2203,7 @@ static void http_hijack(const struct tfe_http_session * session, enum tfe_http_e
if (param->profile_id <= 0)
{
TFE_LOG_ERROR(g_proxy_rt->local_logger, "Invalid hijack rule %d",
TFE_LOG_ERROR(g_proxy_rt->local_logger, "Invalid hijack rule %lld",
ctx->enforce_rules[0].config_id);
ctx->action = PX_ACTION_NONE;
return;
@@ -2525,7 +2579,7 @@ static void http_manipulate(const struct tfe_stream * stream, const struct tfe_h
struct policy_action_param *param = ctx->param;
if (param == NULL)
{
TFE_LOG_ERROR(g_proxy_rt->local_logger, "Failed to get the json format parsed. config_id = %d",
TFE_LOG_ERROR(g_proxy_rt->local_logger, "Failed to get the json format parsed. config_id = %lld",
ctx->enforce_rules[0].config_id);
ctx->action = PX_ACTION_NONE;
return;
@@ -2590,9 +2644,10 @@ enum proxy_action http_scan(const struct tfe_http_session * session, enum tfe_ht
const char * field_val = NULL;
struct http_field_name field_name;
struct tfe_http_half * http_half;
struct Maat_rule_t *result = ctx->result;
long long *result = ctx->result;
char buff[TFE_STRING_MAX], * p = NULL;
int scan_ret = 0, table_id = 0;
size_t n_hit_result=0;
size_t hit_cnt = ctx->hit_cnt, i = 0;
if (events & EV_HTTP_REQ_HDR)
@@ -2601,13 +2656,13 @@ enum proxy_action http_scan(const struct tfe_http_session * session, enum tfe_ht
int str_host_length = get_fqdn_len(str_host);
if (str_host != NULL && str_host_length != 0)
{
scan_ret = Maat_full_scan_string(g_proxy_rt->maat, g_proxy_rt->scan_table_id[PXY_CTRL_HTTP_FQDN],
CHARSET_UTF8, str_host, str_host_length, result + hit_cnt, NULL, MAX_SCAN_RESULT - hit_cnt, &(ctx->scan_mid), ctx->thread_id);
if (scan_ret > 0)
scan_ret = maat_scan_string(g_proxy_rt->feather, g_proxy_rt->scan_table_id[PXY_CTRL_HTTP_FQDN],
str_host, str_host_length, result + hit_cnt, MAX_SCAN_RESULT - hit_cnt, &n_hit_result, ctx->scan_mid);
if (scan_ret == MAAT_SCAN_HIT)
{
hit_cnt += scan_ret;
hit_cnt += n_hit_result;
}
scan_ret = tfe_scan_fqdn_cat(stream, result, &(ctx->scan_mid), hit_cnt, ctx->thread_id, g_proxy_rt->local_logger, g_proxy_rt->scan_table_id[PXY_CTRL_HTTP_FQDN]);
scan_ret = tfe_scan_fqdn_cat(stream, result, ctx->scan_mid, hit_cnt, g_proxy_rt->local_logger, g_proxy_rt->scan_table_id[PXY_CTRL_HTTP_FQDN_CAT]);
if (scan_ret > 0)
{
hit_cnt += scan_ret;
@@ -2617,12 +2672,12 @@ enum proxy_action http_scan(const struct tfe_http_session * session, enum tfe_ht
const char * str_url = session->req->req_spec.url;
int str_url_length = (int) (strlen(session->req->req_spec.url));
scan_ret = Maat_full_scan_string(g_proxy_rt->maat, g_proxy_rt->scan_table_id[PXY_CTRL_HTTP_URL],
CHARSET_UTF8, str_url, str_url_length, result + hit_cnt, NULL, MAX_SCAN_RESULT - hit_cnt, &(ctx->scan_mid), ctx->thread_id);
scan_ret = maat_scan_string(g_proxy_rt->feather, g_proxy_rt->scan_table_id[PXY_CTRL_HTTP_URL],
str_url, str_url_length, result + hit_cnt, MAX_SCAN_RESULT - hit_cnt, &n_hit_result, ctx->scan_mid);
if (scan_ret > 0)
if (scan_ret == MAAT_SCAN_HIT)
{
hit_cnt += scan_ret;
hit_cnt += n_hit_result;
}
}
@@ -2640,16 +2695,14 @@ enum proxy_action http_scan(const struct tfe_http_session * session, enum tfe_ht
}
const char * str_field_name = http_field_name_to_string(&field_name);
scan_ret = Maat_set_scan_status(g_proxy_rt->maat, &(ctx->scan_mid), MAAT_SET_SCAN_DISTRICT,
str_field_name, strlen(str_field_name));
scan_ret = maat_state_set_scan_district(ctx->scan_mid, str_field_name, strlen(str_field_name));
assert(scan_ret == 0);
scan_ret = Maat_full_scan_string(g_proxy_rt->maat, table_id,
CHARSET_UTF8, field_val, strlen(field_val),
result + hit_cnt, NULL, MAX_SCAN_RESULT - hit_cnt, &(ctx->scan_mid), ctx->thread_id);
if (scan_ret > 0)
scan_ret = maat_scan_string(g_proxy_rt->feather, table_id, field_val, strlen(field_val),
result + hit_cnt, MAX_SCAN_RESULT - hit_cnt, &n_hit_result, ctx->scan_mid);
if (scan_ret == MAAT_SCAN_HIT)
{
hit_cnt += scan_ret;
hit_cnt += n_hit_result;
}
}
}
@@ -2659,22 +2712,22 @@ enum proxy_action http_scan(const struct tfe_http_session * session, enum tfe_ht
assert(ctx->sp == NULL);
table_id = events & EV_HTTP_REQ_BODY_BEGIN ? g_proxy_rt->scan_table_id[PXY_CTRL_HTTP_REQ_BODY] : g_proxy_rt
->scan_table_id[PXY_CTRL_HTTP_RES_BODY];
ctx->sp = Maat_stream_scan_string_start(g_proxy_rt->maat, table_id, ctx->thread_id);
ctx->sp = maat_stream_new(g_proxy_rt->feather, table_id, ctx->scan_mid);
}
if (body_frag != NULL)
{
scan_ret = Maat_stream_scan_string(&(ctx->sp), CHARSET_UTF8, (const char *) body_frag, (int) frag_size,
result + hit_cnt, NULL, MAX_SCAN_RESULT - hit_cnt, &(ctx->scan_mid));
if (scan_ret > 0)
scan_ret = maat_stream_scan(ctx->sp, (const char *)body_frag, (int)frag_size,
result + hit_cnt, MAX_SCAN_RESULT - hit_cnt, &n_hit_result, ctx->scan_mid);
if (scan_ret == MAAT_SCAN_HIT)
{
hit_cnt += scan_ret;
hit_cnt += n_hit_result;
}
}
if ((events & EV_HTTP_REQ_BODY_END) | (events & EV_HTTP_RESP_BODY_END))
{
Maat_stream_scan_string_end(&(ctx->sp));
maat_stream_free(ctx->sp);
ctx->sp = NULL;
}
@@ -2683,7 +2736,7 @@ enum proxy_action http_scan(const struct tfe_http_session * session, enum tfe_ht
ctx->action = decide_ctrl_action(result, hit_cnt, &ctx->enforce_rules, &ctx->n_enforce, &ctx->param);
if (ctx->action == PX_ACTION_WHITELIST)
{
TFE_LOG_INFO(g_proxy_rt->local_logger, "Bypass rules matched: url=%s policy id=%d.",
TFE_LOG_INFO(g_proxy_rt->local_logger, "Bypass rules matched: url=%s policy id=%lld.",
session->req->req_spec.url, ctx->enforce_rules[0].config_id);
goto __out;
}
@@ -2692,12 +2745,12 @@ enum proxy_action http_scan(const struct tfe_http_session * session, enum tfe_ht
p = buff;
for (i = 0; i < hit_cnt && i<MAX_SCAN_RESULT; i++)
{
p += snprintf(p, sizeof(buff) - (p - buff), "%d:", result[i].config_id);
p += snprintf(p, sizeof(buff) - (p - buff), "%lld:", result[i]);
}
*p = '\0';
TFE_LOG_INFO(g_proxy_rt->local_logger, "Multiple rules matched: url=%s num=%lu ids=%s execute=%d.",
TFE_LOG_INFO(g_proxy_rt->local_logger, "Multiple rules matched: url=%s num=%lu ids=%s execute=%lld.",
session->req->req_spec.url, hit_cnt, buff, ctx->enforce_rules[0].config_id);
}
ctx->hit_cnt=0;
@@ -3015,39 +3068,68 @@ void proxy_on_http_begin(const struct tfe_stream * stream,
assert(ctx == NULL);
ATOMIC_INC(&(g_proxy_rt->stat_val[STAT_SESSION]));
ctx = proxy_http_ctx_new(thread_id);
struct Maat_rule_t *result = ctx->result;
long long *result = ctx->result;
size_t n_hit_result=0;
scan_ret = tfe_scan_subscribe_id(stream, result, &(ctx->scan_mid), hit_cnt, ctx->thread_id, g_proxy_rt->local_logger);
scan_ret = tfe_scan_subscribe_id(stream, result, ctx->scan_mid, hit_cnt, g_proxy_rt->local_logger);
if(scan_ret>0)
{
hit_cnt+=scan_ret;
}
scan_ret = tfe_scan_ip_location(stream, result, &(ctx->scan_mid), hit_cnt, ctx->thread_id, g_proxy_rt->local_logger, &(ctx->ip_ctx.location_server), &(ctx->ip_ctx.location_client));
scan_ret = tfe_scan_ip_location(stream, result, ctx->scan_mid, hit_cnt, g_proxy_rt->local_logger, &(ctx->ip_ctx.location_server), &(ctx->ip_ctx.location_client));
if(scan_ret>0)
{
hit_cnt+=scan_ret;
}
scan_ret = tfe_scan_ip_asn(stream, result, &(ctx->scan_mid), hit_cnt, ctx->thread_id, g_proxy_rt->local_logger, &(ctx->ip_ctx.asn_server), &(ctx->ip_ctx.asn_client));
scan_ret = tfe_scan_ip_asn(stream, result, ctx->scan_mid, hit_cnt, g_proxy_rt->local_logger, &(ctx->ip_ctx.asn_server), &(ctx->ip_ctx.asn_client));
if(scan_ret>0)
{
hit_cnt+=scan_ret;
}
int scan_val=67;
scan_ret=Maat_scan_intval(g_proxy_rt->maat, g_proxy_rt->scan_table_id[PXY_CTRL_APP_ID], scan_val, result+hit_cnt, MAX_SCAN_RESULT-hit_cnt, &(ctx->scan_mid), (int) thread_id);
if(scan_ret>0)
scan_ret=maat_scan_integer(g_proxy_rt->feather, g_proxy_rt->scan_table_id[PXY_CTRL_APP_ID], scan_val, result+hit_cnt, MAX_SCAN_RESULT-hit_cnt, &n_hit_result, ctx->scan_mid);
if(scan_ret==MAAT_SCAN_HIT)
{
hit_cnt+=scan_ret;
hit_cnt+=n_hit_result;
}
addr_tfe2sapp(stream->addr, &sapp_addr);
scan_ret = Maat_scan_proto_addr(g_proxy_rt->maat, g_proxy_rt->scan_table_id[PXY_CTRL_IP], &sapp_addr, 0,
result+hit_cnt, MAX_SCAN_RESULT-hit_cnt, &(ctx->scan_mid), (int) thread_id);
if(scan_ret>0)
if (sapp_addr.addrtype == ADDR_TYPE_IPV4)
{
hit_cnt+=scan_ret;
}
scan_ret = maat_scan_ipv4(g_proxy_rt->feather, g_proxy_rt->scan_table_id[PXY_CTRL_SOURCE_ADDR],
sapp_addr.v4->saddr, sapp_addr.v4->source, 0, result+hit_cnt, MAX_SCAN_RESULT-hit_cnt,
&n_hit_result, ctx->scan_mid);
if (n_hit_result == MAAT_SCAN_HIT)
{
hit_cnt += n_hit_result;
}
scan_ret = maat_scan_ipv4(g_proxy_rt->feather, g_proxy_rt->scan_table_id[PXY_CTRL_DESTINATION_ADDR],
sapp_addr.v4->daddr, sapp_addr.v4->dest, 0, result+hit_cnt, MAX_SCAN_RESULT-hit_cnt,
&n_hit_result, ctx->scan_mid);
if(scan_ret == MAAT_SCAN_HIT)
{
hit_cnt += n_hit_result;
}
}
if (sapp_addr.addrtype == ADDR_TYPE_IPV6)
{
scan_ret = maat_scan_ipv6(g_proxy_rt->feather, g_proxy_rt->scan_table_id[PXY_CTRL_SOURCE_ADDR],
sapp_addr.v6->saddr, sapp_addr.v6->source, 0, result+hit_cnt, MAX_SCAN_RESULT-hit_cnt,
&n_hit_result, ctx->scan_mid);
if (scan_ret == MAAT_SCAN_HIT)
{
hit_cnt += n_hit_result;
}
scan_ret = maat_scan_ipv6(g_proxy_rt->feather, g_proxy_rt->scan_table_id[PXY_CTRL_DESTINATION_ADDR],
sapp_addr.v6->daddr, sapp_addr.v6->dest, 0, result+hit_cnt, MAX_SCAN_RESULT-hit_cnt,
&n_hit_result, ctx->scan_mid);
if (scan_ret == MAAT_SCAN_HIT)
{
hit_cnt += n_hit_result;
}
}
if(hit_cnt > 0)
{
ctx->hit_cnt = hit_cnt;
@@ -3151,7 +3233,7 @@ void proxy_on_http_end(const struct tfe_stream * stream,
{
if(i+1 > ctx->n_enforce)
{
memmove(ctx->enforce_rules+i, ctx->enforce_rules+i+1, sizeof(struct Maat_rule_t));
memmove(ctx->enforce_rules+i, ctx->enforce_rules+i+1, sizeof(struct maat_rule_t));
}
j++;
}
@@ -3163,7 +3245,7 @@ void proxy_on_http_end(const struct tfe_stream * stream,
FREE(&(ctx->enforce_rules));
}
}
struct proxy_log log_msg = {.stream=stream, .http=session, .result=ctx->enforce_rules, .result_num=ctx->n_enforce,
struct proxy_log log_msg = {.stream=stream, .http=session, .result=(struct log_rule_t *)ctx->enforce_rules, .result_num=ctx->n_enforce,
.req_body=ctx->log_req_body, .resp_body=ctx->log_resp_body, .action=0, .inject_sz=ctx->inject_sz,
.asn_client=ctx->ip_ctx.asn_client, .asn_server=ctx->ip_ctx.asn_server, .location_client=ctx->ip_ctx.location_client,
.location_server=ctx->ip_ctx.location_server};
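Review bot: In `proxy_on_http_begin` the IPv4 source-address branch tests `if (n_hit_result == MAAT_SCAN_HIT)` while the other three address branches test `scan_ret`, so hits from the new TSG_SECURITY_SOURCE_ADDR table are only counted when the hit count happens to equal the MAAT_SCAN_HIT constant and source-address policies otherwise fail open; it should read `if (scan_ret == MAAT_SCAN_HIT)`. In `policy_action_param_new` the two `%s` conversions write unbounded into `effective_range[1024]` and `srv_def_large[8192]` from a table line whose length the proxy does not control, and `%s` also stops at the first space inside the JSON service definition, so a width-limited, tab-delimited format such as `"%d\t%d\t%d\t%d\t%d\t%1023[^\t]\t%8191[^\t]\t%d"` is needed. In `decide_ctrl_action` the lookups pass `(const char *)&results[i]` and `(const char *)&prior_rule->config_id` as the key, whereas `get_profile_by_id` formats the id with `snprintf` first; if `maat_plugin_table_get_ex_data` expects a string key as it does there, these lookups read eight raw bytes as a string, never match, and every hit degrades to a zeroed rule with no enforcement, so the id should be formatted with `snprintf(key, sizeof key, "%lld", results[i])` here as well. The `hit_rules` buffer allocated in that function is not freed within the visible hunks and `prior_rule` points into it; `decide_ctrl_action` ends outside the hunk, so that may be handled later, but the `srv_def_large` pointer copied out of `get_ex_param->hit_rule` is shared with a param whose reference is released on the next line, which looks like a dangling pointer if the table entry is reloaded before logging.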


@@ -38,8 +38,8 @@ enum _log_action //Bigger action number is prior.
LG_ACTION_DROP = 0x20, /* N/A */
LG_ACTION_MANIPULATE = 0x30,
LG_ACTION_RATELIMIT = 0x40, /* N/A */
LG_ACTION_LOOP = 0x60, /* N/A */
LG_ACTION_WHITELIST = 0x80,
LG_ACTION_WHITELIST = 0x60,
LG_ACTION_SHUNT = 0x80,
__LG_ACTION_MAX
};
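Review bot: Since the enum comment says a bigger action number is prior, moving LG_ACTION_WHITELIST from 0x80 to 0x60 and placing LG_ACTION_SHUNT at 0x80 means a session matching both a bypass rule and a shunt rule is now shunted instead of bypassed, which the commit message does not mention. The same renumbering is applied to enum proxy_action in the proxy source, so the two enums stay in step, but the intent should be recorded, e.g. `/* SHUNT outranks WHITELIST; keep values in sync with enum proxy_action */` beside LG_ACTION_SHUNT.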


@@ -77,6 +77,8 @@ struct cache_param
char ignore_res_nocache;
char force_caching;
long long config_id;
int action;
int min_use;
time_t pinning_time_sec;
time_t inactive_time_sec;
@@ -114,8 +116,8 @@ struct cache_handle
int cache_policy_enabled; //otherwise use default cache policy
struct cache_param default_cache_policy;
Maat_feather_t ref_feather;
int cache_param_idx;
struct maat *ref_feather;
long long cache_param_idx;
int table_url_constraint;
int table_cookie_constraint;
@@ -517,14 +519,26 @@ char* get_cache_key(const struct tfe_http_half * request, const struct cache_key
return cache_key;
}
void cache_param_new(int idx, const struct Maat_rule_t* rule, const char* srv_def_large,
MAAT_RULE_EX_DATA* ad, long argl, void *argp)
void cache_param_new(const char *table_name, int idx, const char *key, const char *table_line, void **ad, long argl, void *argp)
{
struct cache_handle* cache=(struct cache_handle*) argp;
unsigned int i=0;
size_t len=0;
int ret=0;
int config_id=0, service_id=0, action=0;
int do_log=0,do_blacklist=0,is_valid=0;
char effective_range[1024]={0};
char srv_def_large[8192]={0};
ret=sscanf(table_line, "%d\t%d\t%d\t%d\t%d\t%s\t%s\t%d", &config_id, &service_id, &action, &do_blacklist, &do_log, effective_range, srv_def_large, &is_valid);
if(ret!=8)
{
return;
}
*ad=NULL;
if((unsigned int)rule->serv_def_len<strlen("{}")+1)
int serv_def_len=strlen(srv_def_large);
if((unsigned int)serv_def_len<strlen("{}")+1)
{
return;
}
@@ -532,13 +546,14 @@ void cache_param_new(int idx, const struct Maat_rule_t* rule, const char* srv_de
json=cJSON_Parse(srv_def_large);
if(json==NULL)
{
TFE_LOG_ERROR(cache->logger, "invalid cache parameter: id = %d", rule->config_id);
TFE_LOG_ERROR(cache->logger, "invalid cache parameter: id = %d", config_id);
return;
}
struct cache_param* param=ALLOC(struct cache_param, 1);
*param=cache->default_cache_policy;
param->ref_cnt=1;
param->config_id=config_id;
param->action=action;
pthread_mutex_init(&(param->lock), NULL);
key_desc=cJSON_GetObjectItem(json,"cache_key");
if(key_desc && key_desc->type==cJSON_Object)
@@ -569,8 +584,6 @@ void cache_param_new(int idx, const struct Maat_rule_t* rule, const char* srv_de
}
}
item=cJSON_GetObjectItem(json,"no_revalidate");
if(item && item->type==cJSON_Number) param->no_revalidate=item->valueint;
@@ -611,7 +624,7 @@ void cache_param_new(int idx, const struct Maat_rule_t* rule, const char* srv_de
*ad=param;
return;
}
void cache_param_free(int idx, const struct Maat_rule_t* rule, const char* srv_def_large, MAAT_RULE_EX_DATA* ad, long argl, void *argp)
void cache_param_free(int table_id, void **ad, long argl, void *argp)
{
unsigned int i=0;
if(*ad==NULL)
@@ -637,7 +650,7 @@ void cache_param_free(int idx, const struct Maat_rule_t* rule, const char* srv_d
FREE(&(param));
return;
}
void cache_param_dup(int idx, MAAT_RULE_EX_DATA *to, MAAT_RULE_EX_DATA *from, long argl, void *argp)
void cache_param_dup(int idx, void **to, void **from, long argl, void *argp)
{
struct cache_param* from_param=*((struct cache_param**)from);
pthread_mutex_lock(&(from_param->lock));
@@ -670,7 +683,7 @@ void cache_mid_clear(struct cache_mid **mid)
}
if((*mid)->is_using_exception_param)
{
cache_param_free(0, NULL, NULL, (void**)&((*mid)->param), 0, NULL);
cache_param_free(0, (void**)&((*mid)->param), 0, NULL);
}
FREE(&((*mid)->cache_key));
FREE(mid);
@@ -689,7 +702,7 @@ static void cache_key_bloom_gc_cb(evutil_socket_t fd, short what, void * arg)
}
struct cache_handle* create_web_cache_handle(const char* profile_path, const char* section,
struct event_base* gc_evbase, Maat_feather_t feather, void *logger)
struct event_base* gc_evbase, struct maat *feather, void *logger)
{
struct cache_handle* cache=ALLOC(struct cache_handle, 1);
int temp=0;
@@ -771,12 +784,12 @@ struct cache_handle* create_web_cache_handle(const char* profile_path, const cha
if(cache->cache_policy_enabled)
{
cache->table_url_constraint=Maat_table_register(feather, "PXY_CACHE_HTTP_URL");
cache->table_cookie_constraint=Maat_table_register(feather, "PXY_CACHE_HTTP_COOKIE");
cache->cache_param_idx=Maat_rule_get_ex_new_index(feather, "PXY_CACHE_COMPILE",
cache_param_new, cache_param_free, cache_param_dup,
0, cache);
cache->cache_param_idx=maat_get_table_id(feather, "PXY_CACHE_COMPILE");
cache->table_url_constraint=maat_get_table_id(feather, "PXY_CACHE_HTTP_URL");
cache->table_cookie_constraint=maat_get_table_id(feather, "PXY_CACHE_HTTP_COOKIE");
cache->cache_param_idx=maat_plugin_table_ex_schema_register(feather, "PXY_CACHE_COMPILE",
cache_param_new, cache_param_free, cache_param_dup,
0, cache);
cache->ref_feather=feather;
}
@@ -1044,11 +1057,12 @@ enum cache_pending_result web_cache_async_pending(struct cache_handle* handle, u
const struct tfe_http_half * request, struct cache_mid** mid, struct future* f_revalidate)
{
enum cache_pending_result result=PENDING_RESULT_FOBIDDEN;
struct Maat_rule_t cache_policy;
long long cache_policy;
struct cache_param* param=&(handle->default_cache_policy);
MAAT_RULE_EX_DATA ex_data=NULL;
scan_status_t scan_mid=NULL;
void *ex_data=NULL;
struct maat_state *scan_mid=maat_state_new(handle->ref_feather, thread_id);
int ret=0;
size_t n_hit_result=0;
const char* cookie=NULL;
struct cache_mid* _mid=ALLOC(struct cache_mid, 1);
*mid=_mid;
@@ -1060,44 +1074,42 @@ enum cache_pending_result web_cache_async_pending(struct cache_handle* handle, u
_mid->is_dyn_url=is_dynamic_url(request->req_spec.url);
if(handle->cache_policy_enabled)
{
ret=Maat_full_scan_string(handle->ref_feather, handle->table_url_constraint, CHARSET_UTF8,
request->req_spec.url, strlen(request->req_spec.url),
&cache_policy, NULL, 1, &scan_mid, thread_id);
ret=maat_scan_string(handle->ref_feather, handle->table_url_constraint, request->req_spec.url,
strlen(request->req_spec.url), &cache_policy, 1, &n_hit_result, scan_mid);
if(cookie && ret<=0)
if(cookie && ret<MAAT_SCAN_HIT)
{
ret=Maat_full_scan_string(handle->ref_feather, handle->table_cookie_constraint, CHARSET_UTF8,
cookie, strlen(cookie),
&cache_policy, NULL, 1, &scan_mid, thread_id);
ret=maat_scan_string(handle->ref_feather, handle->table_cookie_constraint, cookie, strlen(cookie),
&cache_policy, 1, &n_hit_result, scan_mid);
}
Maat_clean_status(&scan_mid);
maat_state_free(scan_mid);
scan_mid=NULL;
if(ret>0)
if(ret==MAAT_SCAN_HIT)
{
ex_data=Maat_rule_get_ex_data(handle->ref_feather, &cache_policy, handle->cache_param_idx);
ex_data=maat_plugin_table_get_ex_data(handle->ref_feather, handle->cache_param_idx, (const char *)&cache_policy);
if(ex_data!=NULL)
{
param=(struct cache_param*)ex_data;
_mid->is_using_exception_param=1;
_mid->param=param;
}
if((unsigned char)cache_policy.action==CACHE_ACTION_BYPASS)
{
_mid->shall_bypass=1;
}
_mid->cfg_id=cache_policy.config_id;
if(param->key_descr.is_not_empty)
{
_mid->cache_key=get_cache_key(request, &(param->key_descr));
}
TFE_LOG_DEBUG(handle->logger, "cache policy %d matched: url=%s alt-key=%s",
cache_policy.config_id,
request->req_spec.url,
_mid->cache_key!=NULL?_mid->cache_key:"null");
ATOMIC_INC(&(handle->stat_val[STAT_CACHE_POLICY_MATCH]));
if((unsigned char)param->action==CACHE_ACTION_BYPASS)
{
_mid->shall_bypass=1;
}
_mid->cfg_id=param->config_id;
if(param->key_descr.is_not_empty)
{
_mid->cache_key=get_cache_key(request, &(param->key_descr));
}
TFE_LOG_DEBUG(handle->logger, "cache policy %llu matched: url=%s alt-key=%s",
param->config_id,
request->req_spec.url,
_mid->cache_key!=NULL?_mid->cache_key:"null");
ATOMIC_INC(&(handle->stat_val[STAT_CACHE_POLICY_MATCH]));
}
}
if(_mid->shall_bypass ||
(!param->force_caching && !param->cache_dyn_url && _mid->is_dyn_url && param->key_descr.qs_num==0) ||
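Review bot: The new sscanf in cache_param_new reads two `%s` conversions into fixed stack buffers (`effective_range[1024]`, `srv_def_large[8192]`) without a field width, so a table line with a longer field overflows the stack; use `"%d\t%d\t%d\t%d\t%d\t%1023s\t%8191s\t%d"` and keep the `ret!=8` check. Note also that `%s` stops at any whitespace, so a user-region JSON containing a space would be cut short and then fail cJSON_Parse — worth confirming that the escape encoding of that column guarantees no spaces. In web_cache_async_pending, `maat_state_new` is now called at declaration but `maat_state_free` only runs inside the `if(handle->cache_policy_enabled)` branch, so a state object leaks on every request while the policy is disabled; declare `struct maat_state *scan_mid=NULL;` and move the `maat_state_new(handle->ref_feather, thread_id)` call inside that branch (its return value is also never checked for NULL). The TFE_LOG_DEBUG format uses `%llu` for `param->config_id`, which is declared `long long`; `%lld` is the matching specifier. cache_param_new and web_cache_async_pending both continue outside the shown hunks.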


@@ -1,61 +1,448 @@
#each collumn seperate with '\t'
#id (0~65535)
#name string
#type one of ip,expr,expr_plus,digest,intval,compile or plugin
#src_charset one of GBK,BIG5,UNICODE,UTF8
#dst_charset combined by GBK,BIG5,UNICODE,UTF8,seperate with '/'
#do_merege [yes/no]
#cross cache [number]
#quick mode [quickon/quickoff], default [quickoff]
#For ip/intval/digest/compile/group
#id name type
#
#For plugin table
#id name type json_descr
#
#For expr/expr_plus Table
#id name type src_charset dst_charset do_merge cross_cache quick_mode
0 PXY_CTRL_COMPILE compile escape --
1 GROUP_COMPILE_RELATION group2compile --
2 GROUP_GROUP_RELATION group2group --
3 TSG_OBJ_IP_ADDR ip_plus ---
3 TSG_OBJ_IP_LEARNING_ADDR ip_plus UTF8 UTF8 no 0
4 TSG_OBJ_URL expr UTF8 GBK/UNICODE/UTF8/url_encode_gb2312/url_encode_utf8 yes 0 quickoff
5 TSG_FIELD_HTTP_URL virtual TSG_OBJ_URL --
6 TSG_OBJ_FQDN expr UTF8 GBK/UNICODE/UTF8/url_encode_gb2312/url_encode_utf8 yes 0 quickoff
7 TSG_OBJ_FQDN_CAT intval UTF8 GBK/UNICODE/UTF8/url_encode_gb2312/url_encode_utf8 yes 0 quickoff
8 TSG_FIELD_HTTP_HOST virtual ["TSG_OBJ_FQDN","TSG_OBJ_FQDN_CAT"] --
9 TSG_OBJ_HTTP_SIGNATURE expr_plus UTF8 UTF8 yes 0 quickoff
10 TSG_FIELD_HTTP_REQ_HDR virtual TSG_OBJ_HTTP_SIGNATURE --
11 TSG_FIELD_HTTP_RES_HDR virtual TSG_OBJ_HTTP_SIGNATURE --
12 TSG_OBJ_KEYWORDS expr UTF8 GBK/UNICODE/UTF8 yes 128 quickoff
13 TSG_FIELD_HTTP_REQ_BODY virtual TSG_OBJ_KEYWORDS --
14 TSG_FIELD_HTTP_RES_BODY virtual TSG_OBJ_KEYWORDS --
15 TSG_OBJ_SUBSCRIBER_ID expr UTF8 UTF8 yes 0 quickon
16 TSG_OBJ_APP_ID intval UTF8 UTF8 yes 0
17 TSG_SECURITY_SOURCE_ADDR virtual TSG_OBJ_IP_ADDR --
18 TSG_SECURITY_DESTINATION_ADDR virtual TSG_OBJ_IP_ADDR --
19 TSG_SECURITY_ADDR composition {"source":"TSG_SECURITY_SOURCE_ADDR","destination":"TSG_SECURITY_DESTINATION_ADDR"}
20 PXY_CACHE_COMPILE compile escape --
21 PXY_CACHE_GROUP group --
22 PXY_CACHE_HTTP_URL expr UTF8 UTF8 yes 0 quickoff
23 PXY_CACHE_HTTP_COOKIE expr UTF8 UTF8 yes 0 quickoff
24 PXY_PROFILE_TRUSTED_CA_CERT plugin {"key":1,"valid":4,"foreign":"3"}
24 PXY_EXCH_INTERMEDIA_CERT plugin {"key":1,"valid":4,"foreign":"3"}
25 PXY_OBJ_TRUSTED_CA_CRL plugin {"valid":4,"foreign":"3"}
26 TSG_PROFILE_RESPONSE_PAGES plugin {"key":1,"foreign":"4","valid":5}
27 PXY_PROFILE_HIJACK_FILES plugin {"key":1,"foreign":"5","valid":6}
28 PXY_PROFILE_INSERT_SCRIPTS plugin {"key":1,"foreign":"4","valid":6}
29 TSG_SECURITY_COMPILE plugin {"key":1,"valid":8}
30 TSG_PROFILE_TRAFFIC_MIRROR plugin {"key":1,"valid":4}
31 TSG_PROFILE_DECRYPTION plugin {"key":1,"valid":4}
32 TSG_OBJ_AS_NUMBER expr UTF8 UTF8/GBK yes 0
33 TSG_SECURITY_SOURCE_ASN virtual TSG_OBJ_AS_NUMBER --
34 TSG_SECURITY_DESTINATION_ASN virtual TSG_OBJ_AS_NUMBER --
35 TSG_OBJ_GEO_LOCATION expr UTF8 UTF8/GBK yes 0
36 TSG_SECURITY_SOURCE_LOCATION virtual TSG_OBJ_GEO_LOCATION --
37 TSG_SECURITY_DESTINATION_LOCATION virtual TSG_OBJ_GEO_LOCATION --
38 TSG_FIELD_DOH_QNAME virtual ["TSG_OBJ_FQDN","TSG_OBJ_FQDN_CAT"] --
39 TSG_FIELD_DOH_HOST virtual ["TSG_OBJ_FQDN","TSG_OBJ_FQDN_CAT"] --
40 PXY_SSL_FINGERPRINT plugin {"key":2,"valid":4}
41 PXY_PROFILE_RUN_SCRIPTS plugin {"key":1,"foreign":"2","valid":4}
[
{
"table_id":0,
"table_name":"PXY_CTRL_COMPILE",
"table_type":"compile",
"user_region_encoded":"escape",
"valid_column":8,
"custom": {
"compile_id":1,
"service_id":2,
"action":3,
"do_blacklist":4,
"do_log":5,
"tags":6,
"user_region":7,
"clause_num":9,
"evaluation_order":10
}
},
{
"table_id":1,
"table_name":"GROUP_PXY_CTRL_COMPILE_RELATION",
"table_type":"group2compile",
"associated_compile_table_id":0,
"valid_column":3,
"custom": {
"group_id":1,
"compile_id":2,
"not_flag":4,
"virtual_table_name":5,
"clause_index":6
}
},
{
"table_id":2,
"table_name":"GROUP_GROUP_RELATION",
"table_type":"group2group",
"valid_column":3,
"custom": {
"group_id":1,
"super_group_id":2
}
},
{
"table_id":3,
"table_name":"TSG_OBJ_IP",
"db_tables":["TSG_OBJ_IP_ADDR","TSG_OBJ_IP_LEARNING_ADDR"],
"table_type":"ip_plus",
"valid_column":11,
"custom": {
"item_id":1,
"group_id":2,
"addr_type":3,
"addr_format":4,
"ip1":5,
"ip2":6,
"port_format":7,
"port1":8,
"port2":9,
"protocol":10
}
},
{
"table_id":4,
"table_name":"TSG_OBJ_URL",
"table_type":"expr",
"valid_column":7,
"custom": {
"item_id":1,
"group_id":2,
"keywords":3,
"expr_type":4,
"match_method":5,
"is_hexbin":6
}
},
{
"table_id":5,
"table_name":"TSG_FIELD_HTTP_URL",
"table_type":"virtual",
"physical_table": "TSG_OBJ_URL"
},
{
"table_id":6,
"table_name":"TSG_OBJ_FQDN",
"table_type":"expr",
"valid_column":7,
"custom": {
"item_id":1,
"group_id":2,
"keywords":3,
"expr_type":4,
"match_method":5,
"is_hexbin":6
}
},
{
"table_id":7,
"table_name":"TSG_OBJ_FQDN_CAT",
"table_type":"intval",
"valid_column":5,
"custom": {
"item_id":1,
"group_id":2,
"low_bound":3,
"up_bound":4
}
},
{
"table_id":8,
"table_name":"TSG_FIELD_HTTP_HOST",
"table_type":"virtual",
"physical_table": "TSG_OBJ_FQDN"
},
{
"table_id":9,
"table_name":"TSG_FIELD_HTTP_HOST_CAT",
"table_type":"virtual",
"physical_table": "TSG_OBJ_FQDN_CAT"
},
{
"table_id":10,
"table_name":"TSG_OBJ_HTTP_SIGNATURE",
"table_type":"expr_plus",
"valid_column":8,
"custom": {
"item_id":1,
"group_id":2,
"district":3,
"keywords":4,
"expr_type":5,
"match_method":6,
"is_hexbin":7
}
},
{
"table_id":11,
"table_name":"TSG_FIELD_HTTP_REQ_HDR",
"table_type":"virtual",
"physical_table": "TSG_OBJ_HTTP_SIGNATURE"
},
{
"table_id":12,
"table_name":"TSG_FIELD_HTTP_RES_HDR",
"table_type":"virtual",
"physical_table": "TSG_OBJ_HTTP_SIGNATURE"
},
{
"table_id":13,
"table_name":"TSG_OBJ_KEYWORDS",
"table_type":"expr",
"valid_column":7,
"custom": {
"item_id":1,
"group_id":2,
"keywords":3,
"expr_type":4,
"match_method":5,
"is_hexbin":6
}
},
{
"table_id":14,
"table_name":"TSG_FIELD_HTTP_REQ_BODY",
"table_type":"virtual",
"physical_table": "TSG_OBJ_KEYWORDS"
},
{
"table_id":15,
"table_name":"TSG_FIELD_HTTP_RES_BODY",
"table_type":"virtual",
"physical_table": "TSG_OBJ_KEYWORDS"
},
{
"table_id":16,
"table_name":"TSG_OBJ_SUBSCRIBER_ID",
"table_type":"expr",
"valid_column":7,
"custom": {
"item_id":1,
"group_id":2,
"keywords":3,
"expr_type":4,
"match_method":5,
"is_hexbin":6
}
},
{
"table_id":17,
"table_name":"TSG_OBJ_APP_ID",
"table_type":"intval",
"valid_column":5,
"custom": {
"item_id":1,
"group_id":2,
"low_bound":3,
"up_bound":4
}
},
{
"table_id":18,
"table_name":"TSG_SECURITY_SOURCE_ADDR",
"table_type":"virtual",
"physical_table": "TSG_OBJ_IP"
},
{
"table_id":19,
"table_name":"TSG_SECURITY_DESTINATION_ADDR",
"table_type":"virtual",
"physical_table": "TSG_OBJ_IP"
},
{
"table_id":20,
"table_name":"PXY_CACHE_COMPILE",
"table_type":"compile",
"user_region_encoded":"escape",
"valid_column":8,
"custom": {
"compile_id":1,
"service_id":2,
"action":3,
"do_blacklist":4,
"do_log":5,
"tags":6,
"user_region":7,
"clause_num":9,
"evaluation_order":10
}
},
{
"table_id":21,
"table_name":"PXY_CACHE_GROUP",
"table_type":"group2compile",
"associated_compile_table_id":0,
"valid_column":3,
"custom": {
"group_id":1,
"compile_id":2,
"not_flag":4,
"virtual_table_name":5,
"clause_index":6
}
},
{
"table_id":22,
"table_name":"PXY_CACHE_HTTP_URL",
"table_type":"expr",
"valid_column":7,
"custom": {
"item_id":1,
"group_id":2,
"keywords":3,
"expr_type":4,
"match_method":5,
"is_hexbin":6
}
},
{
"table_id":23,
"table_name":"PXY_CACHE_HTTP_COOKIE",
"table_type":"expr",
"valid_column":7,
"custom": {
"item_id":1,
"group_id":2,
"keywords":3,
"expr_type":4,
"match_method":5,
"is_hexbin":6
}
},
{
"table_id":24,
"table_name":"PXY_PROFILE_TRUSTED_CA_CERT",
"table_type":"plugin",
"valid_column":4,
"custom": {
"key":1,
"key_type":"pointer",
"foreign": [3]
}
},
{
"table_id":25,
"table_name":"PXY_OBJ_TRUSTED_CA_CRL",
"table_type":"plugin",
"valid_column":4,
"custom": {
"key":1,
"key_type":"pointer",
"foreign": [3]
}
},
{
"table_id":26,
"table_name":"TSG_PROFILE_RESPONSE_PAGES",
"table_type":"plugin",
"valid_column":5,
"custom": {
"key":1,
"key_type":"pointer",
"foreign": [4]
}
},
{
"table_id":27,
"table_name":"PXY_PROFILE_HIJACK_FILES",
"table_type":"plugin",
"valid_column":6,
"custom": {
"key":1,
"key_type":"pointer",
"foreign": [5]
}
},
{
"table_id":28,
"table_name":"PXY_PROFILE_INSERT_SCRIPTS",
"table_type":"plugin",
"valid_column":6,
"custom": {
"key":1,
"key_type":"pointer",
"foreign": [4]
}
},
{
"table_id":29,
"table_name":"TSG_SECURITY_COMPILE",
"table_type":"plugin",
"valid_column":8,
"custom": {
"key":1,
"key_type":"pointer"
}
},
{
"table_id":30,
"table_name":"TSG_PROFILE_TRAFFIC_MIRROR",
"table_type":"plugin",
"valid_column":4,
"custom": {
"key":1,
"key_type":"pointer"
}
},
{
"table_id":31,
"table_name":"TSG_PROFILE_DECRYPTION",
"table_type":"plugin",
"valid_column":4,
"custom": {
"key":1,
"key_type":"pointer"
}
},
{
"table_id":32,
"table_name":"TSG_OBJ_AS_NUMBER",
"table_type":"expr",
"valid_column":7,
"custom": {
"item_id":1,
"group_id":2,
"keywords":3,
"expr_type":4,
"match_method":5,
"is_hexbin":6
}
},
{
"table_id":33,
"table_name":"TSG_SECURITY_SOURCE_ASN",
"table_type":"virtual",
"physical_table": "TSG_OBJ_AS_NUMBER"
},
{
"table_id":34,
"table_name":"TSG_SECURITY_DESTINATION_ASN",
"table_type":"virtual",
"physical_table": "TSG_OBJ_AS_NUMBER"
},
{
"table_id":35,
"table_name":"TSG_OBJ_GEO_LOCATION",
"table_type":"expr",
"valid_column":7,
"custom": {
"item_id":1,
"group_id":2,
"keywords":3,
"expr_type":4,
"match_method":5,
"is_hexbin":6
}
},
{
"table_id":36,
"table_name":"TSG_SECURITY_SOURCE_LOCATION",
"table_type":"virtual",
"physical_table": "TSG_OBJ_GEO_LOCATION"
},
{
"table_id":37,
"table_name":"TSG_SECURITY_DESTINATION_LOCATION",
"table_type":"virtual",
"physical_table": "TSG_OBJ_GEO_LOCATION"
},
{
"table_id":38,
"table_name":"TSG_FIELD_DOH_QNAME",
"table_type":"virtual",
"physical_table": "TSG_OBJ_FQDN"
},
{
"table_id":39,
"table_name":"TSG_FIELD_DOH_HOST",
"table_type":"virtual",
"physical_table": "TSG_OBJ_FQDN"
},
{
"table_id":40,
"table_name":"TSG_FIELD_DOH_HOST_CAT",
"table_type":"virtual",
"physical_table": "TSG_OBJ_FQDN_CAT"
},
{
"table_id":41,
"table_name":"PXY_SSL_FINGERPRINT",
"table_type":"plugin",
"valid_column":4,
"custom": {
"key":2,
"key_type":"pointer"
}
},
{
"table_id":42,
"table_name":"PXY_PROFILE_RUN_SCRIPTS",
"table_type":"plugin",
"valid_column":4,
"custom": {
"key":1,
"key_type":"pointer",
"foreign": [2]
}
}
]
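Review bot: The PXY_CACHE_GROUP entry (table_id 21, type group2compile) carries `"associated_compile_table_id":0`, which points at PXY_CTRL_COMPILE rather than at PXY_CACHE_COMPILE (table_id 20); if that field is the compile table the group relation resolves against, cache rules would be attached to the wrong compile table, and `"associated_compile_table_id":20` looks like the intended value. The new schema also drops PXY_EXCH_INTERMEDIA_CERT and the TSG_SECURITY_ADDR composition entry that the old file listed, which should be confirmed against any code that still registers those table names.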


@@ -1,19 +1,22 @@
#each collumn seperate with '\t'
#id (0~65535)
#name string
#type one of ip,expr,expr_plus,digest,intval,compile or plugin
#src_charset one of GBK,BIG5,UNICODE,UTF8
#dst_charset combined by GBK,BIG5,UNICODE,UTF8,seperate with '/'
#do_merege [yes/no]
#cross cache [number]
#quick mode [quickon/quickoff], default [quickoff]
#For ip/intval/digest/compile/group
#id name type
#
#For plugin table
#id name type json_descr
#
#For expr/expr_plus Table
#id name type src_charset dst_charset do_merge cross_cache quick_mode
0 TSG_SECURITY_COMPILE plugin {"key":1,"valid":8}
1 TSG_PROFILE_TRAFFIC_MIRROR plugin {"key":1,"valid":4}
[
{
"table_id":0,
"table_name":"TSG_SECURITY_COMPILE",
"table_type":"plugin",
"valid_column":8,
"custom": {
"key":1,
"key_type":"pointer"
}
},
{
"table_id":1,
"table_name":"TSG_PROFILE_TRAFFIC_MIRROR",
"table_type":"plugin",
"valid_column":4,
"custom": {
"key":1,
"key_type":"pointer"
}
}
]


@@ -162,7 +162,7 @@ set_property(TARGET wiredLB PROPERTY IMPORTED_LOCATION ${MESA_FRAMEWORK_LIB_DIR}
set_property(TARGET wiredLB PROPERTY INTERFACE_INCLUDE_DIRECTORIES ${MESA_FRAMEWORK_INCLUDE_DIR})
add_library(maatframe SHARED IMPORTED GLOBAL)
set_property(TARGET maatframe PROPERTY IMPORTED_LOCATION ${MESA_FRAMEWORK_LIB_DIR}/libmaatframe.so)
set_property(TARGET maatframe PROPERTY IMPORTED_LOCATION ${MESA_FRAMEWORK_LIB_DIR}/libmaat4.so)
set_property(TARGET maatframe PROPERTY INTERFACE_INCLUDE_DIRECTORIES ${MESA_FRAMEWORK_INCLUDE_DIR})
add_library(MESA_field_stat SHARED IMPORTED GLOBAL)