TSG-22751 Adaptation of Proxy Manipulation Policy actions and changes to action parameters.

2024-10-25 17:00:57 +08:00
parent ccf1186058
commit edd0209fcd
5 changed files with 215 additions and 127 deletions
--- a/plugin/business/tsg-http/src/tsg_http.cpp
+++ b/plugin/business/tsg-http/src/tsg_http.cpp
@@ -36,18 +36,25 @@
 enum proxy_action
 {
 	PX_ACTION_NONE = 0,
-	PX_ACTION_DENY = 1,
+	PX_ACTION_ALLOW = 1,
-	PX_ACTION_ALLOW = 2,
+	PX_ACTION_DENY = 2,
 	PX_ACTION_MONITOR = 3,
 	PX_ACTION_REDIRECT = 4,
-	PX_ACTION_REPLACE = 5,
+	PX_ACTION_EXECUTE = 5,
-	PX_ACTION_HIJACK = 6,
+	PX_ACTION_MANIPULATE = 6,
 	PX_ACTION_REJECT = 7,
 	PX_ACTION_EDIT_ELEMENT = 8,
 	PX_ACTION_RUN_SCRIPT = 9,
 	__PX_ACTION_MAX
 };
 enum manipulate_action
 {
 	MA_ACTION_REPLACE_TEXT,
 	MA_ACTION_REPLACE_FILE,
 	MA_ACTION_EDIT_ELEMENT,
 	MA_ACTION_INJECT_JAVESCRIPT,
 	MA_ACTION_INJECT_CSS,
 	__MA_ACTION_MAX
 };
 enum scan_table
 {
 	PXY_CTRL_HTTP_URL,
@@ -82,7 +89,8 @@ enum proxy_http_stat
 enum manipulate_profile_table
 {
 	POLICY_PROFLIE_TABLE_REJECT,
-	POLICY_PROFILE_TABLE_INSERT,
+	POLICY_PROFILE_TABLE_JS,
 	POLICY_PROFILE_TABLE_CSS,
 	POLICY_PROFILE_TABLE_HIJACK,
 	POLICY_PROFILE_TABLE_LUA,
 	POLICY_PROFILE_TABLE_MAX
@@ -118,7 +126,7 @@ struct maat_rule_t
 struct policy_action_param
 {
 	int ref_cnt;
-	enum proxy_action action;
+	enum manipulate_action action;
 	char *message;
 	char *position;
 	float enforcement_ratio;
@@ -329,6 +337,25 @@ void trusted_CA_update_finish_cb(void* u_para)
 	}
 }
 static enum manipulate_action manipulate_action_str2idx(const char *action_str)
 {
 	const char *clue_action_map[__MA_ACTION_MAX];
 	clue_action_map[MA_ACTION_REPLACE_TEXT]= "replace_text";
 	clue_action_map[MA_ACTION_REPLACE_FILE]= "replace_file";
 	clue_action_map[MA_ACTION_EDIT_ELEMENT]= "edit_element";
 	clue_action_map[MA_ACTION_INJECT_JAVESCRIPT]= "inject_javascript";
 	clue_action_map[MA_ACTION_INJECT_CSS]= "inject_css";
 	size_t i = 0;
 	for (i = 0; i < sizeof(clue_action_map) / sizeof(const char *); i++)
 	{
 		if (0 == strcasecmp(action_str, clue_action_map[i]))
 			break;
 	}
 	return (enum manipulate_action)i;
 }
 void octal_utf8_escapes(char *input)
 {
 #define AFMTSIZE (67+2+1+2)
@@ -406,15 +433,12 @@ unsigned char action_type_str2idx(const char *action_str)
 {
 	const char * action_name[__PX_ACTION_MAX] ={0};
 	action_name[PX_ACTION_NONE] = "none";
 	action_name[PX_ACTION_DENY] = "deny";
 	action_name[PX_ACTION_ALLOW] = "allow";
 	action_name[PX_ACTION_DENY] = "deny";
 	action_name[PX_ACTION_MONITOR] = "monitor";
 	action_name[PX_ACTION_REDIRECT] = "redirect";
-	action_name[PX_ACTION_REPLACE] = "replace";
+	action_name[PX_ACTION_EXECUTE] = "execute";
-	action_name[PX_ACTION_HIJACK] = "hijack";
+	action_name[PX_ACTION_MANIPULATE] = "modify";
 	action_name[PX_ACTION_REJECT] = "inject";
 	action_name[PX_ACTION_EDIT_ELEMENT] = "edit_element";
 	action_name[PX_ACTION_RUN_SCRIPT] = "run_script";
 	int action = 0;
 	for ( action = PX_ACTION_NONE; action < __PX_ACTION_MAX; action++)
@@ -435,7 +459,6 @@ unsigned char log_option_type_str2idx(const char *log_option)
 			break;
 	}
 	return i;
 }
 void policy_action_param_new(const char *table_name, const char* key, const char* table_line, void **ad, long argl, void* argp)
@@ -482,23 +505,15 @@ void policy_action_param_new(const char *table_name, const char* key, const char
 		return;
 	}
- 	param->ref_cnt=1;
+	param->ref_cnt=1;
 	pthread_mutex_init(&(param->lock), NULL);
 	param->hit_rule.action_parameter = cJSON_PrintUnformatted(action_parameter);
 	param->action = (enum proxy_action)param->hit_rule.action;
 	int rule_id=0;
 	cJSON *rules=NULL, *item=NULL, *sub_item=NULL;
-	switch(param->action)
+
 	switch(param->hit_rule.action)
 	{
 		case PX_ACTION_ALLOW:
 		case PX_ACTION_MONITOR:
 			item=cJSON_GetObjectItem(action_parameter,"vsys_id");
 			if(item && item->type==cJSON_Number)
 			{
 				param->hit_rule.vsys_id=item->valueint;
 			}
 			break;
 		case PX_ACTION_REDIRECT:
 			item=cJSON_GetObjectItem(action_parameter,"vsys_id");
 			if(item && item->type==cJSON_Number)
@@ -547,7 +562,40 @@ void policy_action_param_new(const char *table_name, const char* key, const char
 				param->profile_uuid_str = tfe_strdup(item->valuestring);
 			}
 			break;
-		case PX_ACTION_REPLACE:
+		case PX_ACTION_EXECUTE:
 			item=cJSON_GetObjectItem(action_parameter,"vsys_id");
 			if(item && item->type==cJSON_Number)
 			{
 				param->hit_rule.vsys_id=item->valueint;
 			}
 			item=cJSON_GetObjectItem(action_parameter,"lua_script");
 			if(item && item->type==cJSON_String)
 			{
 				param->profile_uuid_str =tfe_strdup(item->valuestring);
 			}
 			item=cJSON_GetObjectItem(action_parameter,"enforcement_ratio");
 			if(item && item->type==cJSON_Number)
 			{
 				param->enforcement_ratio = item->valuedouble;
 			}
 			else
 			{
 				param->enforcement_ratio = 1;
 			}
 			break;
 		default:
 			break;
 	}
 	cJSON *method=cJSON_GetObjectItem(action_parameter, "sub_action");
 	if(method && method->type==cJSON_String)
 	{
 		param->action=manipulate_action_str2idx(method->valuestring);
 	}
 	switch(param->action)
 	{
 		case MA_ACTION_REPLACE_TEXT:
 			item=cJSON_GetObjectItem(action_parameter,"vsys_id");
 			if(item && item->type==cJSON_Number)
 			{
@@ -587,13 +635,13 @@ void policy_action_param_new(const char *table_name, const char* key, const char
 			}
 			param->n_rule = rule_id;
 			break;
-		case PX_ACTION_HIJACK:
+		case MA_ACTION_REPLACE_FILE:
 			item=cJSON_GetObjectItem(action_parameter,"vsys_id");
 			if(item && item->type==cJSON_Number)
 			{
 				param->hit_rule.vsys_id=item->valueint;
 			}
-			item=cJSON_GetObjectItem(action_parameter,"hijack_profile");
+			item=cJSON_GetObjectItem(action_parameter,"replacement_file");
 			if(item && item->type==cJSON_String)
 			{
 				param->profile_uuid_str =tfe_strdup(item->valuestring);
@@ -608,18 +656,18 @@ void policy_action_param_new(const char *table_name, const char* key, const char
 				param->enforcement_ratio = 1;
 			}
 			break;
-		case PX_ACTION_REJECT:
+		case MA_ACTION_INJECT_JAVESCRIPT:
 			item=cJSON_GetObjectItem(action_parameter,"vsys_id");
 			if(item && item->type==cJSON_Number)
 			{
 				param->hit_rule.vsys_id=item->valueint;
 			}
-			item=cJSON_GetObjectItem(action_parameter,"inject_profile");
+			item=cJSON_GetObjectItem(action_parameter,"js_file");
 			if(item && item->type==cJSON_String)
 			{
 				param->profile_uuid_str =tfe_strdup(item->valuestring);
 			}
-			item=cJSON_GetObjectItem(action_parameter,"position");
+			item=cJSON_GetObjectItem(action_parameter,"injection_section");
 			if(item && item->type==cJSON_String){
 				param->position = tfe_strdup(item->valuestring);
 			}
@@ -633,7 +681,28 @@ void policy_action_param_new(const char *table_name, const char* key, const char
 				param->enforcement_ratio = 1;
 			}
 			break;
-		case PX_ACTION_EDIT_ELEMENT:
+		case MA_ACTION_INJECT_CSS:
 			item=cJSON_GetObjectItem(action_parameter,"vsys_id");
 			if(item && item->type==cJSON_Number)
 			{
 				param->hit_rule.vsys_id=item->valueint;
 			}
 			item=cJSON_GetObjectItem(action_parameter,"css_file");
 			if(item && item->type==cJSON_String)
 			{
 				param->profile_uuid_str =tfe_strdup(item->valuestring);
 			}
 			item=cJSON_GetObjectItem(action_parameter,"enforcement_ratio");
 			if(item && item->type==cJSON_Number)
 			{
 				param->enforcement_ratio = item->valuedouble;
 			}
 			else
 			{
 				param->enforcement_ratio = 1;
 			}
 			break;
 		case MA_ACTION_EDIT_ELEMENT:
 			item=cJSON_GetObjectItem(action_parameter,"vsys_id");
 			if(item && item->type==cJSON_Number)
 			{
@@ -676,29 +745,7 @@ void policy_action_param_new(const char *table_name, const char* key, const char
 			}
 			param->e_rule = rule_id;
 			break;
-		case PX_ACTION_RUN_SCRIPT:
+		default:
 			item=cJSON_GetObjectItem(action_parameter,"vsys_id");
 			if(item && item->type==cJSON_Number)
 			{
 				param->hit_rule.vsys_id=item->valueint;
 			}
 			item=cJSON_GetObjectItem(action_parameter,"run_script_profile");
 			if(item && item->type==cJSON_String)
 			{
 				param->profile_uuid_str =tfe_strdup(item->valuestring);
 			}
 			item=cJSON_GetObjectItem(action_parameter,"enforcement_ratio");
 			if(item && item->type==cJSON_Number)
 			{
 				param->enforcement_ratio = item->valuedouble;
 			}
 			else
 			{
 				param->enforcement_ratio = 1;
 			}
 			break;
 		default: 
 			assert(0);
 			break;
 	}
 	*ad=param;
@@ -874,10 +921,7 @@ void ma_insert_profile_table_new_cb(const char *table_name, const char* key, con
 	ply_profile->ref_cnt=1;
 	pthread_mutex_init(&(ply_profile->lock), NULL);
-	if(strcasecmp(ply_profile->profile_type, "template") == 0)
+	if(profile_path != NULL)
 	{
 		ply_profile->tpl = ctemplate::Template::GetTemplate(profile_path, ctemplate::DO_NOT_STRIP);
 	}else
 	{
 		ply_profile->profile_msg = tfe_read_file(profile_path, &ply_profile->msg_len);
 		if (ply_profile->profile_msg == NULL)
@@ -899,7 +943,7 @@ void ma_hijack_profile_table_new_cb(const char *table_name, const char* key, con
 	cJSON* hihijack_files = cJSON_Parse(table_line);
 	if(hihijack_files == NULL)
 	{
-		TFE_LOG_ERROR(g_proxy_rt->local_logger, "PROXY_HIJACK_FILE parse table_line failed. table_line:%s", table_line);
+		TFE_LOG_ERROR(g_proxy_rt->local_logger, "PROXY_REPLACEMENT_FILE parse table_line failed. table_line:%s", table_line);
 		return;
 	}
@@ -941,7 +985,7 @@ void ma_lua_profile_table_new_cb(const char *table_name, const char* key, const
 	cJSON* run_scripts = cJSON_Parse(table_line);
 	if(run_scripts == NULL)
 	{
-		TFE_LOG_ERROR(g_proxy_rt->local_logger, "HTTP_MANIPULATION_SCRIPT parse table_line failed. table_line:%s", table_line);
+		TFE_LOG_ERROR(g_proxy_rt->local_logger, "PROXY_LUA_SCRIPT parse table_line failed. table_line:%s", table_line);
 		return;
 	}
@@ -1056,9 +1100,10 @@ void ma_profile_table_dup_cb(const char *table_name, void **to, void **from, lon
 const char* table_name_idx2str(int profile_idx)
 {
 	const char *table_name_map[] = {"RESPONSE_PAGE",
-									"PROXY_INJECT_SCRIPT",
+									"PROXY_JS_FILE",
-									"PROXY_HIJACK_FILE",
+									"PROXY_CSS_FILE",
-									"HTTP_MANIPULATION_SCRIPT"};
+									"PROXY_REPLACEMENT_FILE",
 									"PROXY_LUA_SCRIPT"};
 	return table_name_map[profile_idx];
 }
@@ -1072,7 +1117,8 @@ int maat_table_ex_init(int profile_idx,
 	const char *table_name = table_name_idx2str(profile_idx);
 	maat_ex_new_func_t *new_func[] = {
 			[POLICY_PROFLIE_TABLE_REJECT] = ma_profile_table_new_cb,
-			[POLICY_PROFILE_TABLE_INSERT] = ma_insert_profile_table_new_cb,
+			[POLICY_PROFILE_TABLE_JS] = ma_insert_profile_table_new_cb,
 			[POLICY_PROFILE_TABLE_CSS] = ma_insert_profile_table_new_cb,
 			[POLICY_PROFILE_TABLE_HIJACK] = ma_hijack_profile_table_new_cb,
 			[POLICY_PROFILE_TABLE_LUA]    = ma_lua_profile_table_new_cb,
 	};
@@ -1245,7 +1291,9 @@ struct proxy_http_ctx
 static inline int ctx_actually_replaced(struct proxy_http_ctx * ctx)
 {
-	if(ctx->action == PX_ACTION_REPLACE && ctx->rep_ctx->actually_replaced==1)
+	if(ctx->action == PX_ACTION_MANIPULATE &&
 	   ctx->param->action == MA_ACTION_REPLACE_TEXT &&
 	   ctx->rep_ctx->actually_replaced==1)
 	{
 		return 1;
 	}
@@ -1257,7 +1305,7 @@ static inline int ctx_actually_replaced(struct proxy_http_ctx * ctx)
 static inline int ctx_actually_ran_script(struct proxy_http_ctx * ctx)
 {
-	if(ctx->action == PX_ACTION_RUN_SCRIPT && ctx->tsg_ctx->actually_executed==1)
+	if(ctx->action == PX_ACTION_EXECUTE &&  ctx->tsg_ctx->actually_executed==1)
 	{
 		return 1;
 	}
@@ -1269,7 +1317,8 @@ static inline int ctx_actually_ran_script(struct proxy_http_ctx * ctx)
 static inline int ctx_actually_inserted(struct proxy_http_ctx * ctx)
 {
-	if(ctx->action == PX_ACTION_REJECT && ctx->ins_ctx->actually_inserted==1)
+	if((ctx->action == PX_ACTION_MANIPULATE && ctx->param->action == MA_ACTION_INJECT_JAVESCRIPT && ctx->ins_ctx->actually_inserted==1)
 	  || (ctx->action == PX_ACTION_MANIPULATE && ctx->param->action == MA_ACTION_INJECT_CSS && ctx->ins_ctx->actually_inserted==1))
 	{
 		return 1;
 	}
@@ -1281,7 +1330,9 @@ static inline int ctx_actually_inserted(struct proxy_http_ctx * ctx)
 static inline int ctx_actually_edited(struct proxy_http_ctx * ctx)
 {
-	if(ctx->action == PX_ACTION_EDIT_ELEMENT && ctx->edit_ctx != NULL && ctx->edit_ctx->actually_edited==1)
+	if(ctx->action == PX_ACTION_MANIPULATE &&
 	   ctx->param->action == MA_ACTION_EDIT_ELEMENT && ctx->edit_ctx != NULL &&
 	   ctx->edit_ctx->actually_edited==1)
 	{
 		return 1;
 	}
@@ -1293,7 +1344,8 @@ static inline int ctx_actually_edited(struct proxy_http_ctx * ctx)
 static inline int ctx_actually_manipulate(struct proxy_http_ctx * ctx)
 {
-	if((ctx->action == PX_ACTION_REDIRECT || ctx->action == PX_ACTION_HIJACK) && ctx->manipulate_replaced==1)
+	if((ctx->action == PX_ACTION_REDIRECT && ctx->manipulate_replaced==1) ||
 		(ctx->action == PX_ACTION_MANIPULATE && ctx->param->action == MA_ACTION_REPLACE_FILE && ctx->manipulate_replaced==1))
 	{
 		return 1;
 	}
@@ -1454,7 +1506,8 @@ void proxy_send_metric_log(const struct tfe_stream * stream, struct proxy_http_c
 {
 	size_t i=0;
 	int hit_cnt=0;
-	const char *manipulate_action_map[]= {"none","deny","allow","monitor","redirect","replace","hijack","inject","edit_element","run_script"};
+	const char *manipulate_action_map[]= {"replace_text","replace_file","edit_element","inject_javascript","inject_css"};
 	const char *proxy_action_map[] = {"none", "allow", "deny", "monitor", "redirect", "execute", "modify"};
 	struct filedstat_easy_manipulation *fieldstat = tfe_get_fieldstat_handle()->manipulation;
 	if(fieldstat == NULL)
@@ -1466,8 +1519,16 @@ void proxy_send_metric_log(const struct tfe_stream * stream, struct proxy_http_c
 	{
 		fieldstat->tags[thread_id][TAG_VSYS_ID].value_longlong = ctx->enforce_rules[i].vsys_id;
 		fieldstat->tags[thread_id][TAG_RULE_ID].value_str = ctx->enforce_rules[i].config_uuid_string;
-		fieldstat->tags[thread_id][TAG_ACTION].value_longlong = 48;
+		fieldstat->tags[thread_id][TAG_ACTION].value_longlong = PX_ACTION_MANIPULATE;
-		fieldstat->tags[thread_id][TAG_SUB_ACTION].value_str = manipulate_action_map[ctx->param->action];
+		if(ctx->enforce_rules[i].action == PX_ACTION_MANIPULATE)
 		{
 			fieldstat->tags[thread_id][TAG_SUB_ACTION].value_str = manipulate_action_map[ctx->param->action];
 		}
 		else
 		{
 			fieldstat->tags[thread_id][TAG_SUB_ACTION].value_str = proxy_action_map[ctx->enforce_rules[i].action];
 		}
 		size_t c2s_byte_num = 0, s2c_byte_num =0;
 		tfe_stream_info_get(stream, INFO_FROM_DOWNSTREAM_RX_OFFSET, &c2s_byte_num, sizeof(c2s_byte_num));
 		tfe_stream_info_get(stream, INFO_FROM_UPSTREAM_RX_OFFSET, &s2c_byte_num, sizeof(s2c_byte_num));
@@ -1541,11 +1602,8 @@ void __pangu_action_weight_init()
 	pangu_action_weight[PX_ACTION_NONE] = 0;
 	pangu_action_weight[PX_ACTION_MONITOR] = 1;
 	pangu_action_weight[PX_ACTION_REDIRECT] = 2;
-	pangu_action_weight[PX_ACTION_REPLACE] = 2;
+	pangu_action_weight[PX_ACTION_EXECUTE] = 2;
-	pangu_action_weight[PX_ACTION_HIJACK] = 2;
+	pangu_action_weight[PX_ACTION_MANIPULATE] = 2;
 	pangu_action_weight[PX_ACTION_REJECT] = 2;
 	pangu_action_weight[PX_ACTION_EDIT_ELEMENT] = 2;
 	pangu_action_weight[PX_ACTION_RUN_SCRIPT] = 2;
 	pangu_action_weight[PX_ACTION_DENY] = 3;
 	pangu_action_weight[PX_ACTION_ALLOW] = 4;
 }
@@ -1767,7 +1825,7 @@ int http_lua_profile(char *profile_uuid_str, struct elua_script ***elua_ctx, cha
 {
 	int ret = 0;
-	struct manipulate_profile* lua_profile=get_profile_by_id("HTTP_MANIPULATION_SCRIPT", profile_uuid_str);
+	struct manipulate_profile* lua_profile=get_profile_by_id("PROXY_LUA_SCRIPT", profile_uuid_str);
 	if(lua_profile==NULL)
 	{
 		ret=-1;
@@ -2328,7 +2386,7 @@ static void http_hijack(const struct tfe_http_session * session, enum tfe_http_e
 	if(events & EV_HTTP_RESP_HDR)
 	{
-		struct manipulate_profile* hijack_profile=get_profile_by_id("PROXY_HIJACK_FILE", param->profile_uuid_str);
+		struct manipulate_profile* hijack_profile=get_profile_by_id("PROXY_REPLACEMENT_FILE", param->profile_uuid_str);
 		if (NULL == hijack_profile)
 		{
 			TFE_LOG_ERROR(g_proxy_rt->local_logger, "get table obj faild, profile_id = %s", param->profile_uuid_str);
@@ -2394,7 +2452,7 @@ static void http_hijack(const struct tfe_http_session * session, enum tfe_http_e
 	return;
 }
-static int format_insert_rule(char *profile_uuid, struct insert_rule *rule)
+static int format_insert_rule(char *profile_uuid, char *position, enum manipulate_action action, struct insert_rule *rule)
 {
 	int ret = 0;
@@ -2404,15 +2462,20 @@ static int format_insert_rule(char *profile_uuid, struct insert_rule *rule)
 		return ret;
 	}
-	struct manipulate_profile* insert_profile=get_profile_by_id("PROXY_INJECT_SCRIPT", profile_uuid);
+	const char *profile_type = (action==MA_ACTION_INJECT_JAVESCRIPT)? "js" : "css";
 	const char *proflie_table_name = (action==MA_ACTION_INJECT_JAVESCRIPT)? "PROXY_JS_FILE" : "PROXY_CSS_FILE";
 	struct manipulate_profile* insert_profile=get_profile_by_id(proflie_table_name, profile_uuid);
 	if(insert_profile==NULL)
 	{
 		ret=-1;
 		return ret;
 	}
 	rule->script = tfe_strdup(insert_profile->profile_msg);
-	rule->type = tfe_strdup(insert_profile->profile_type);
+	rule->type = tfe_strdup(profile_type);
-	rule->position = tfe_strdup(insert_profile->profile_position);
+	if(position)
 	{
 		rule->position = tfe_strdup(position);
 	}
 	rule->inject_sz = insert_profile->msg_len;
 	ma_profile_table_free(insert_profile);
@@ -2421,7 +2484,7 @@ static int format_insert_rule(char *profile_uuid, struct insert_rule *rule)
 }
 static void http_insert(const struct tfe_stream * stream, const struct tfe_http_session * session, enum tfe_http_event events,
-	const unsigned char * body_frag, size_t frag_size, struct proxy_http_ctx * ctx)
+	const unsigned char * body_frag, size_t frag_size, enum manipulate_action action, struct proxy_http_ctx * ctx)
 {
 	struct tfe_http_session * to_write_sess = NULL;
 	char * rewrite_buff = NULL;
@@ -2452,7 +2515,7 @@ static void http_insert(const struct tfe_stream * stream, const struct tfe_http_
 		{
 			ctx->ins_ctx = ins_ctx = ALLOC(struct insert_ctx, 1);
 			ins_ctx->rule = ALLOC(struct insert_rule, 1);
-			int ret=format_insert_rule(param->profile_uuid_str, ins_ctx->rule);
+			int ret=format_insert_rule(param->profile_uuid_str, param->position, action, ins_ctx->rule);
 			if (ret<0)
 			{
 				TFE_LOG_ERROR(g_proxy_rt->local_logger, "Failed to get policy table, profile_id = %s", param->profile_uuid_str);
@@ -2697,24 +2760,19 @@ static void http_manipulate(const struct tfe_stream * stream, const struct tfe_h
 	switch(param->action)
 	{
-		case PX_ACTION_REDIRECT:
+		case MA_ACTION_REPLACE_TEXT:
 			http_redirect(stream, session, events, ctx);
 			break;
 		case PX_ACTION_REPLACE:
 			http_replace(stream, session, events, body_frag, frag_size, ctx);
 			break;
-		case PX_ACTION_HIJACK:
+		case MA_ACTION_REPLACE_FILE:
 			http_hijack(session, events, ctx);
 			break;
-		case PX_ACTION_REJECT:
+		case MA_ACTION_INJECT_JAVESCRIPT:
-			http_insert(stream, session, events, body_frag, frag_size, ctx);
+		case MA_ACTION_INJECT_CSS:
 			http_insert(stream, session, events, body_frag, frag_size, param->action, ctx);
 			break;
-		case PX_ACTION_EDIT_ELEMENT:
+		case MA_ACTION_EDIT_ELEMENT:
 			http_element(stream, session, events, body_frag, frag_size, ctx);
 			break;
 		case PX_ACTION_RUN_SCRIPT:
 			http_lua(stream, session, events, body_frag, frag_size, ctx);
 			break;
 		default: assert(0);
 			break;
 	}
@@ -2813,6 +2871,7 @@ enum proxy_action http_scan(const struct tfe_http_session * session, enum tfe_ht
 			{
 				break;
 			}
 			scan_ret = maat_scan_string(g_proxy_rt->feather, "TSG_OBJ_KEYWORD", attribute_name, field_val, strlen(field_val),
 					  				    result + hit_cnt, MAX_SCAN_RESULT - hit_cnt, &n_hit_result, ctx->scan_mid);
 			if (scan_ret == MAAT_SCAN_HIT)
@@ -2915,12 +2974,20 @@ void enforce_control_policy(const struct tfe_stream * stream, const struct tfe_h
 		case PX_ACTION_DENY:
 			http_block(stream, session, events, ctx);
 			break;
 		case PX_ACTION_MANIPULATE:
 			http_manipulate(stream, session, events, body_frag, frag_size, ctx);
 			break;
 		case PX_ACTION_ALLOW:
 			tfe_http_session_detach(session);
 			ATOMIC_INC(&(g_proxy_rt->stat_val[STAT_ACTION_WHITELSIT]));
 			break;
-		default:
+		case PX_ACTION_REDIRECT:
-			http_manipulate(stream, session, events, body_frag, frag_size, ctx);
+			http_redirect(stream, session, events, ctx);
 			break;
 		case PX_ACTION_EXECUTE:
 			http_lua(stream, session, events, body_frag, frag_size, ctx);
 			break;
 		default: assert(0);
 			break;
 	}
@@ -3041,11 +3108,11 @@ void proxy_on_http_end(const struct tfe_stream * stream,
 	size_t i=0, j=0;
 	int ret=0;
-	if(ctx->param != NULL && ctx->param->action == PX_ACTION_REPLACE && ctx->rep_ctx->actually_replaced==0)
+	if(ctx->action == PX_ACTION_MANIPULATE && ctx->param->action == MA_ACTION_REPLACE_TEXT && ctx->rep_ctx->actually_replaced==0)
 	{
 		for(i=0; i< ctx->n_enforce; i++)
 		{
-			if((unsigned char)ctx->enforce_rules[i].action == PX_ACTION_REPLACE)
+			if((unsigned char)ctx->enforce_rules[i].action == PX_ACTION_MANIPULATE)
 			{
 				if(i+1 > ctx->n_enforce)
 				{
@@ -3062,8 +3129,12 @@ void proxy_on_http_end(const struct tfe_stream * stream,
 		}
 	}
 	struct proxy_log log_msg =  {.stream=stream, .http=session, .result=(struct log_rule_t *)ctx->enforce_rules, .result_num=ctx->n_enforce,
-								.req_body=ctx->log_req_body, .resp_body=ctx->log_resp_body, .action=ctx->action, .inject_sz=ctx->inject_sz, .c2s_byte_num=ctx->c2s_byte_num,
+								.req_body=ctx->log_req_body, .resp_body=ctx->log_resp_body, .action=0, .inject_sz=ctx->inject_sz, .c2s_byte_num=ctx->c2s_byte_num,
 							    .s2c_byte_num=ctx->s2c_byte_num};
 	if(ctx->action == PX_ACTION_MANIPULATE)
 	{
 		log_msg.action = ctx->param->action;
 	}
 	if(ctx->action != PX_ACTION_NONE &&
 	   (((ctx_actually_replaced(ctx)) || (ctx_actually_inserted(ctx)) || (ctx_actually_edited(ctx)) ||
--- a/plugin/business/tsg-http/src/tsg_logger.cpp
+++ b/plugin/business/tsg-http/src/tsg_logger.cpp
@@ -32,15 +32,12 @@ struct proxy_logger
 enum _log_action
 {
 	LG_ACTION_NONE = 0,
-	LG_ACTION_DENY = 1,
+	LG_ACTION_ALLOW = 1,
-	LG_ACTION_ALLOW = 2,
+	LG_ACTION_DENY = 2,
 	LG_ACTION_MONITOR = 3,
 	LG_ACTION_REDIRECT = 4,
-	LG_ACTION_REPLACE = 5,
+	LG_ACTION_EXECUTE = 5,
-	LG_ACTION_HIJACK = 6,
+	LG_ACTION_MANIPULATE = 6,
 	LG_ACTION_REJECT = 7,
 	LG_ACTION_EDIT_ELEMENT = 8,
 	LG_ACTION_RUN_SCRIPT = 9,
 	__LG_ACTION_MAX
 };
@@ -214,7 +211,9 @@ int proxy_send_log(struct proxy_logger* handle, const struct proxy_log* log_msg)
 	char dst_ip_str[MAX(INET6_ADDRSTRLEN,INET_ADDRSTRLEN)] = {0};
 	const char *app_proto[]= {"unkonw","http1", "http2"};
-	const char *manipulate_action_map[]= {"none","deny","allow","monitor","redirect","replace","hijack","inject","edit_element","run_script"};
+
 	const char *manipulate_action_map[]= {"replace_text","replace_file","edit_element","inject_javascript","inject_css"};
 	const char *panggu_action_map[] = {"none", "allow", "deny", "monitor", "redirect", "execute", "modify"};
 	struct json_spec req_fields[]={	{"http_cookie", TFE_HTTP_COOKIE},
 									{"http_referer", TFE_HTTP_REFERER},
@@ -235,7 +234,7 @@ int proxy_send_log(struct proxy_logger* handle, const struct proxy_log* log_msg)
 	gettimeofday(&cur_time, NULL);
 	cJSON_AddNumberToObject(common_obj, "start_timestamp_ms", get_time_ms(http->start_time));
 	cJSON_AddNumberToObject(common_obj, "end_timestamp_ms", get_time_ms(cur_time));
-	
+
 	struct tfe_cmsg *cmsg = tfe_stream_get0_cmsg(log_msg->stream);
 	if (cmsg != NULL)
 	{
@@ -394,8 +393,16 @@ int proxy_send_log(struct proxy_logger* handle, const struct proxy_log* log_msg)
 		}
 		cJSON_AddItemToObject(per_hit_obj, "proxy_rule_list", proxy_rule_list);
 		cJSON_AddNumberToObject(per_hit_obj, "vsys_id", log_msg->result[i].vsys_id);
-		cJSON_AddStringToObject(per_hit_obj, "proxy_action", manipulate_action_map[log_msg->result[i].action]);
+		if(log_msg->result[i].action == LG_ACTION_MANIPULATE)
-		cJSON_AddNumberToObject(per_hit_obj, "http_action_file_size", log_msg->inject_sz);
+		{
 			cJSON_AddStringToObject(per_hit_obj, "proxy_action", manipulate_action_map[log_msg->action]);
 			cJSON_AddNumberToObject(per_hit_obj, "http_action_file_size", log_msg->inject_sz);
 		}
 		else
 		{
 			cJSON_AddStringToObject(per_hit_obj, "proxy_action", panggu_action_map[(unsigned char)(log_msg->result[i].action)]);
 		}
 		log_payload = cJSON_PrintUnformatted(per_hit_obj);
 		TFE_LOG_DEBUG(handle->local_logger, "%s", log_payload);
--- a/resource/pangu/doh.json
+++ b/resource/pangu/doh.json
@@ -1,6 +1,6 @@
 {
    "rule_table": "PXY_CTRL_RULE",
-    "object2object_table": "OBJECT_GROUP",
+    "object_group_table": "OBJECT_GROUP",
    "rules": [
        {
            "uuid": "40c9c6a7-70a9-48ae-9fba-ec7966edd3c6",
--- a/resource/pangu/pangu_http.json
+++ b/resource/pangu/pangu_http.json
@@ -1,6 +1,6 @@
 {
    "rule_table": "PXY_CTRL_RULE",
-    "object2object_table": "OBJECT_GROUP",
+    "object_group_table": "OBJECT_GROUP",
    "rules": [
        {
            "uuid": "00001021-0000-0000-0000-000000000000",
@@ -153,13 +153,13 @@
            ]
        },
        {
-            "table_name": "PROXY_HIJACK_FILE",
+            "table_name": "PROXY_REPLACEMENT_FILE",
            "table_content": [
                {"uuid":"00000201-0000-0000-0000-000000000000","profile_name":"chakanqi","content_name":"chakanqi-947KB.exe","content_type":"application/x-msdos-program","path":"./resource/pangu/policy_file/chakanqi-947KB.exe","is_valid":1,"modified_time":"1716531859000000"}
            ]
        },
 		{
-            "table_name": "PROXY_INJECT_SCRIPT",
+            "table_name": "PROXY_JS_FILE",
            "table_content": [
                {"uuid":"00000301-0000-0000-0000-000000000000","profile_name":"time","format":"js","insert_on":"before_page_load","path":"./resource/pangu/policy_file/time.js","is_valid":1,"modified_time":"1716531859000000"}
            ]
--- a/resource/pangu/table_info.conf
+++ b/resource/pangu/table_info.conf
@@ -24,7 +24,7 @@
 {
        "table_id":3,
        "table_name":"OBJECT_GROUP",
-        "table_type":"object2object"
+        "table_type":"object_group"
    },
    {
        "table_id":4,
@@ -115,7 +115,7 @@
    },
 	{
        "table_id":17,
-        "table_name":"PROXY_HIJACK_FILE",
+        "table_name":"PROXY_REPLACEMENT_FILE",
        "table_type":"plugin",
        "custom": {
            "key_name":"uuid",
@@ -123,9 +123,19 @@
            "foreign_names": ["path"]
        }
    },
-	{
+    {
        "table_id":18,
-        "table_name":"PROXY_INJECT_SCRIPT",
+        "table_name":"PROXY_JS_FILE",
        "table_type":"plugin",
        "custom": {
            "key_name":"uuid",
            "key_type":"pointer",
            "foreign_names": ["path"]
        }
    },
    {
        "table_id":19,
        "table_name":"PROXY_CSS_FILE",
        "table_type":"plugin",
        "custom": {
            "key_name":"uuid",
@@ -134,7 +144,7 @@
        }
    },
 	{
-        "table_id":19,
+        "table_id":20,
        "table_name":"PXY_INTERCEPT_RULE",
        "table_type":"plugin",
        "custom": {
@@ -143,7 +153,7 @@
        }
    },
 	{
-        "table_id":20,
+        "table_id":21,
        "table_name":"TRAFFIC_MIRRORING_PROFILE",
        "table_type":"plugin",
        "custom": {
@@ -152,7 +162,7 @@
        }
    },
 	{
-        "table_id":21,
+        "table_id":22,
        "table_name":"DECRYPTION_PROFILE",
        "table_type":"plugin",
        "custom": {
@@ -162,7 +172,7 @@
    },
 	{
        "table_id":23,
-        "table_name":"HTTP_MANIPULATION_SCRIPT",
+        "table_name":"PROXY_LUA_SCRIPT",
        "table_type":"plugin",
        "custom": {
            "key_type":"pointer",