TSG-14789 TFE扫描service chaining策略，执行Decrypted Traffic Steering

2023-04-17 18:26:33 +08:00
parent f741c3c025
commit f421e4df54
11 changed files with 249 additions and 4 deletions
--- a/platform/src/acceptor_kni_v3.cpp
+++ b/platform/src/acceptor_kni_v3.cpp
@@ -19,6 +19,7 @@
 #define TCP_RESTORE_TCPOPT_KIND 88

 extern void tcp_policy_enforce(struct tcp_policy_enforcer *enforcer, struct tfe_cmsg *cmsg, uint64_t rule_id);
+extern void chaining_policy_enforce(struct chaining_policy_enforcer *enforcer, struct tfe_cmsg *cmsg, uint64_t rule_id);

 struct acceptor_kni_v3
 {
@@ -601,8 +602,10 @@ static int payload_handler_cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, s
 	struct pkt_info pktinfo;
 	struct tcp_restore_info restore_info;
 	uint8_t stream_protocol_in_char = 0;
+	uint8_t enalbe_decrypted_traffic_steering = 0;
 	uint16_t size = 0;
 	uint64_t rule_id = 0;
+	uint64_t chaining_rule_id = 0; // only use for acceptv4
 	struct acceptor_kni_v3 *__ctx = (struct acceptor_kni_v3 *)data;
 	clock_gettime(CLOCK_MONOTONIC, &(__ctx->start));
 	memset(&pktinfo, 0, sizeof(pktinfo));
@@ -720,6 +723,7 @@ static int payload_handler_cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, s
 		goto end;
 	}
 	tcp_policy_enforce(__ctx->proxy->tcp_ply_enforcer, cmsg, rule_id);
+	chaining_policy_enforce(__ctx->proxy->chain_ply_enforcer, cmsg,  chaining_rule_id);

 	if (overwrite_tcp_mss(cmsg, &restore_info))
 	{
@@ -745,9 +749,12 @@ static int payload_handler_cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, s
 	}

 	tfe_cmsg_get_value(cmsg, TFE_CMSG_TCP_RESTORE_PROTOCOL, (unsigned char *)&stream_protocol_in_char, sizeof(stream_protocol_in_char), &size);
+	tfe_cmsg_get_value(cmsg, TFE_CMSG_TCP_DECRYPTED_TRAFFIC_STEERING, (unsigned char *)&enalbe_decrypted_traffic_steering, sizeof(enalbe_decrypted_traffic_steering), &size);
+
 	if (steering_device_is_available() && (
 			(STREAM_PROTO_PLAIN == (enum tfe_stream_proto)stream_protocol_in_char && __ctx->proxy->traffic_steering_options.enable_steering_http) ||
-		 	(STREAM_PROTO_SSL == (enum tfe_stream_proto)stream_protocol_in_char && __ctx->proxy->traffic_steering_options.enable_steering_ssl)))
+		 	(STREAM_PROTO_SSL == (enum tfe_stream_proto)stream_protocol_in_char && __ctx->proxy->traffic_steering_options.enable_steering_ssl) ||
+			enalbe_decrypted_traffic_steering == 1))
 	{
 		if (fake_tcp_handshake(__ctx->proxy, &restore_info) == -1)
 		{
--- a/platform/src/proxy.cpp
+++ b/platform/src/proxy.cpp
@@ -58,10 +58,11 @@
 /* Systemd */
 #include <systemd/sd-daemon.h>

-extern struct ssl_policy_enforcer* ssl_policy_enforcer_create(void* logger);
-extern enum ssl_stream_action ssl_policy_enforce(struct ssl_stream *upstream, void* u_para);
-
 extern struct tcp_policy_enforcer *tcp_policy_enforcer_create(void *logger);
+extern struct chaining_policy_enforcer *chaining_policy_enforcer_create(void *logger);
+extern struct ssl_policy_enforcer *ssl_policy_enforcer_create(void *logger);
+extern enum ssl_stream_action ssl_policy_enforce(struct ssl_stream *upstream, void *u_para);
+
 static int signals[] = {SIGHUP, SIGPIPE, SIGUSR1, SIGUSR2};

 /* Global Resource */
@@ -703,6 +704,9 @@ int main(int argc, char * argv[])
 	g_default_proxy->ssl_ply_enforcer = ssl_policy_enforcer_create(g_default_logger);
 	CHECK_OR_EXIT(g_default_proxy->ssl_ply_enforcer == NULL, "Failed at creating ssl policy enforcer. Exit.");

+	g_default_proxy->chain_ply_enforcer = chaining_policy_enforcer_create(g_default_logger);
+	CHECK_OR_EXIT(g_default_proxy->chain_ply_enforcer == NULL, "Failed at creating chaining policy enforcer. Exit.");
+
 	ssl_manager_set_new_upstream_cb(g_default_proxy->ssl_mgr_handler, ssl_policy_enforce, g_default_proxy->ssl_ply_enforcer);
 	ret = tfe_proxy_work_thread_run(g_default_proxy);
 	CHECK_OR_EXIT(ret == 0, "Failed at creating thread. Exit.");