gfwleak/tango-tfe
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

TSG-18071 选择Internal作为Condition时,无法命中策略

Browse Source
This commit is contained in:
fengweihao
2023-12-25 14:43:00 +08:00
parent 4f9372d966
commit f69de9f4e3
5 changed files with 74 additions and 121 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
common/include/tfe_scan.h
View File

@@ -12,9 +12,5 @@ int tfe_scan_ip_location(const struct tfe_stream *stream, long long *result, str
int tfe_scan_fqdn_cat(const struct tfe_stream *stream, long long *result, struct maat_state *scan_mid,
int hit_cnt, void *logger, int table_id);
int tfe_scan_app_id(long long *result, struct maat_state *scan_mid, int hit_cnt, int app_id, int table_id);
int tfe_scan_ipv4_addr(long long *result, struct maat_state *scan_mid, int hit_cnt, struct ipaddr sapp_addr);
int tfe_scan_ipv6_addr(long long *result, struct maat_state *scan_mid, int hit_cnt, struct ipaddr sapp_addr);
int tfe_scan_ipv4_internal_addr(const struct tfe_stream *stream, long long *result, struct maat_state *scan_mid,
int hit_cnt, struct ipaddr sapp_addr);
int tfe_scan_ipv6_internal_addr(const struct tfe_stream *stream, long long *result, struct maat_state *scan_mid,
int hit_cnt, struct ipaddr sapp_addr);
int tfe_scan_ipv4_addr(const struct tfe_stream *stream, long long *result, struct maat_state *scan_mid, int hit_cnt, struct ipaddr sapp_addr);
int tfe_scan_ipv6_addr(const struct tfe_stream *stream, long long *result, struct maat_state *scan_mid, int hit_cnt, struct ipaddr sapp_addr);

155
common/src/tfe_scan.cpp
View File

@@ -341,80 +341,6 @@ int tfe_scan_app_id(long long *result, struct maat_state *scan_mid, int hit_cnt,
return hit_app_id;
}
int tfe_scan_ipv4_addr(long long *result, struct maat_state *scan_mid, int hit_cnt, struct ipaddr sapp_addr)
{
int table_id=0;
int scan_ret = 0;
int hit_cnt_ip = 0;
size_t n_hit_result = 0;
table_id = maat_get_table_id((struct maat *)tfe_bussiness_resouce_get(STATIC_MAAT), "ATTR_SOURCE_ADDR");
scan_ret = maat_scan_ipv4((struct maat *)tfe_bussiness_resouce_get(STATIC_MAAT), table_id, sapp_addr.v4->saddr, sapp_addr.v4->source, 6,
result+hit_cnt+hit_cnt_ip, MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip, &n_hit_result, scan_mid);
if (scan_ret == MAAT_SCAN_HIT)
{
hit_cnt_ip += n_hit_result;
}
scan_ret = maat_scan_not_logic((struct maat *)tfe_bussiness_resouce_get(STATIC_MAAT), table_id,
result+hit_cnt+hit_cnt_ip, MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip, &n_hit_result, scan_mid);
if (scan_ret == MAAT_SCAN_HIT)
{
hit_cnt_ip += n_hit_result;
}
table_id = maat_get_table_id((struct maat *)tfe_bussiness_resouce_get(STATIC_MAAT), "ATTR_DESTINATION_ADDR");
scan_ret = maat_scan_ipv4((struct maat *)tfe_bussiness_resouce_get(STATIC_MAAT), table_id, sapp_addr.v4->daddr, sapp_addr.v4->dest, 6,
result+hit_cnt+hit_cnt_ip, MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip, &n_hit_result, scan_mid);
if(scan_ret == MAAT_SCAN_HIT)
{
hit_cnt_ip += n_hit_result;
}
scan_ret = maat_scan_not_logic((struct maat *)tfe_bussiness_resouce_get(STATIC_MAAT), table_id,
result+hit_cnt+hit_cnt_ip, MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip, &n_hit_result, scan_mid);
if (scan_ret == MAAT_SCAN_HIT)
{
hit_cnt_ip += n_hit_result;
}
return hit_cnt_ip;
}
int tfe_scan_ipv6_addr(long long *result, struct maat_state *scan_mid, int hit_cnt, struct ipaddr sapp_addr)
{
int table_id=0;
int scan_ret = 0;
int hit_cnt_ip = 0;
size_t n_hit_result = 0;
table_id = maat_get_table_id((struct maat *)tfe_bussiness_resouce_get(STATIC_MAAT), "ATTR_SOURCE_ADDR");
scan_ret = maat_scan_ipv6((struct maat *)tfe_bussiness_resouce_get(STATIC_MAAT), table_id, sapp_addr.v6->saddr, sapp_addr.v6->source, 6,
result+hit_cnt+hit_cnt_ip, MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip, &n_hit_result, scan_mid);
if (scan_ret == MAAT_SCAN_HIT)
{
hit_cnt_ip += n_hit_result;
}
scan_ret = maat_scan_not_logic((struct maat *)tfe_bussiness_resouce_get(STATIC_MAAT), table_id,
result+hit_cnt+hit_cnt_ip, MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip, &n_hit_result, scan_mid);
if (scan_ret == MAAT_SCAN_HIT)
{
hit_cnt_ip += n_hit_result;
}
table_id = maat_get_table_id((struct maat *)tfe_bussiness_resouce_get(STATIC_MAAT), "ATTR_DESTINATION_ADDR");
scan_ret = maat_scan_ipv6((struct maat *)tfe_bussiness_resouce_get(STATIC_MAAT), table_id, sapp_addr.v6->daddr, sapp_addr.v6->dest, 6,
result+hit_cnt+hit_cnt_ip, MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip, &n_hit_result, scan_mid);
if (scan_ret == MAAT_SCAN_HIT)
{
hit_cnt_ip += n_hit_result;
}
scan_ret = maat_scan_not_logic((struct maat *)tfe_bussiness_resouce_get(STATIC_MAAT), table_id,
result+hit_cnt+hit_cnt_ip, MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip, &n_hit_result, scan_mid);
if (scan_ret == MAAT_SCAN_HIT)
{
hit_cnt_ip += n_hit_result;
}
return hit_cnt_ip;
}
static int get_route_dir(const struct tfe_stream * stream)
{
uint16_t out_size;
@@ -429,21 +355,54 @@ static int get_route_dir(const struct tfe_stream * stream)
return ret;
}
}
return (route_dir==69) ? 0 : 1;
return (route_dir==69) ? 1 : 0;
}
int tfe_scan_ipv4_internal_addr(const struct tfe_stream *stream, long long *result, struct maat_state *scan_mid, int hit_cnt, struct ipaddr sapp_addr)
int tfe_scan_internal_exteral_addr(const struct tfe_stream *stream, long long *result, struct maat_state *scan_mid, int hit_cnt, int c2s)
{
int scan_ret = 0;
int table_id=0;
int hit_cnt_ip = 0;
size_t array_size=256;
size_t n_hit_result = 0;
long long group_id_array[256]={0};
int dir_is_e2i = get_route_dir(stream);
int scan_internal_table_id=maat_get_table_id((struct maat *)tfe_bussiness_resouce_get(STATIC_MAAT), "ATTR_INTERNAL_ADDR");
int scan_external_table_id=maat_get_table_id((struct maat *)tfe_bussiness_resouce_get(STATIC_MAAT), "ATTR_EXTERNAL_ADDR");
if(c2s == 1) table_id = (dir_is_e2i == 1) ? scan_internal_table_id : scan_external_table_id;
if(c2s == 0) table_id = (dir_is_e2i == 0) ? scan_internal_table_id : scan_external_table_id;
size_t n_last_hit_group = maat_state_get_last_hit_group_id_cnt(scan_mid);
if(n_last_hit_group > 0)
{
maat_state_get_last_hit_group_ids(scan_mid, group_id_array, array_size);
scan_ret = maat_scan_group((struct maat *)tfe_bussiness_resouce_get(STATIC_MAAT), table_id, group_id_array, array_size, result+hit_cnt+hit_cnt_ip,
MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip, &n_hit_result, scan_mid);
if(scan_ret == MAAT_SCAN_HIT)
{
hit_cnt_ip += n_hit_result;
}
scan_ret = maat_scan_not_logic((struct maat *)tfe_bussiness_resouce_get(STATIC_MAAT), table_id,
result+hit_cnt+hit_cnt_ip, MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip, &n_hit_result, scan_mid);
if (scan_ret == MAAT_SCAN_HIT)
{
hit_cnt_ip += n_hit_result;
}
}
return hit_cnt_ip;
}
int tfe_scan_ipv4_addr(const struct tfe_stream *stream, long long *result, struct maat_state *scan_mid, int hit_cnt, struct ipaddr sapp_addr)
{
int table_id=0;
int scan_ret = 0;
int hit_cnt_ip = 0;
size_t n_hit_result = 0;
int dir_is_e2i = get_route_dir(stream);
int scan_internal_table_id=maat_get_table_id((struct maat *)tfe_bussiness_resouce_get(STATIC_MAAT), "ATTR_INTERNAL_ADDR");
int scan_external_table_id=maat_get_table_id((struct maat *)tfe_bussiness_resouce_get(STATIC_MAAT), "ATTR_EXTERNAL_ADDR");
table_id = (dir_is_e2i == 1) ? scan_internal_table_id : scan_external_table_id;
table_id = maat_get_table_id((struct maat *)tfe_bussiness_resouce_get(STATIC_MAAT), "ATTR_SOURCE_ADDR");
scan_ret = maat_scan_ipv4((struct maat *)tfe_bussiness_resouce_get(STATIC_MAAT), table_id, sapp_addr.v4->saddr, sapp_addr.v4->source, 6,
result+hit_cnt+hit_cnt_ip, MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip, &n_hit_result, scan_mid);
if (scan_ret == MAAT_SCAN_HIT)
@@ -456,8 +415,13 @@ int tfe_scan_ipv4_internal_addr(const struct tfe_stream *stream, long long *resu
{
hit_cnt_ip += n_hit_result;
}
scan_ret = tfe_scan_internal_exteral_addr(stream, result, scan_mid, hit_cnt, 1);
if(scan_ret > 0)
{
hit_cnt_ip += scan_ret;
}
table_id = (dir_is_e2i == 0) ? scan_internal_table_id : scan_external_table_id;
table_id = maat_get_table_id((struct maat *)tfe_bussiness_resouce_get(STATIC_MAAT), "ATTR_DESTINATION_ADDR");
scan_ret = maat_scan_ipv4((struct maat *)tfe_bussiness_resouce_get(STATIC_MAAT), table_id, sapp_addr.v4->daddr, sapp_addr.v4->dest, 6,
result+hit_cnt+hit_cnt_ip, MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip, &n_hit_result, scan_mid);
if(scan_ret == MAAT_SCAN_HIT)
@@ -470,22 +434,23 @@ int tfe_scan_ipv4_internal_addr(const struct tfe_stream *stream, long long *resu
{
hit_cnt_ip += n_hit_result;
}
scan_ret = tfe_scan_internal_exteral_addr(stream, result, scan_mid, hit_cnt, 0);
if(scan_ret > 0)
{
hit_cnt_ip += scan_ret;
}
return hit_cnt_ip;
}
int tfe_scan_ipv6_internal_addr(const struct tfe_stream *stream, long long *result, struct maat_state *scan_mid, int hit_cnt, struct ipaddr sapp_addr)
int tfe_scan_ipv6_addr(const struct tfe_stream *stream, long long *result, struct maat_state *scan_mid, int hit_cnt, struct ipaddr sapp_addr)
{
int table_id=0;
int scan_ret = 0;
int hit_cnt_ip = 0;
size_t n_hit_result = 0;
int dir_is_e2i = get_route_dir(stream);
int scan_internal_table_id=maat_get_table_id((struct maat *)tfe_bussiness_resouce_get(STATIC_MAAT), "ATTR_INTERNAL_ADDR");
int scan_external_table_id=maat_get_table_id((struct maat *)tfe_bussiness_resouce_get(STATIC_MAAT), "ATTR_EXTERNAL_ADDR");
table_id = (dir_is_e2i == 1) ? scan_internal_table_id : scan_external_table_id;
table_id = maat_get_table_id((struct maat *)tfe_bussiness_resouce_get(STATIC_MAAT), "ATTR_SOURCE_ADDR");
scan_ret = maat_scan_ipv6((struct maat *)tfe_bussiness_resouce_get(STATIC_MAAT), table_id, sapp_addr.v6->saddr, sapp_addr.v6->source, 6,
result+hit_cnt+hit_cnt_ip, MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip, &n_hit_result, scan_mid);
if (scan_ret == MAAT_SCAN_HIT)
@@ -498,7 +463,13 @@ int tfe_scan_ipv6_internal_addr(const struct tfe_stream *stream, long long *resu
{
hit_cnt_ip += n_hit_result;
}
table_id = (dir_is_e2i == 0) ? scan_internal_table_id : scan_external_table_id;
scan_ret = tfe_scan_internal_exteral_addr(stream, result, scan_mid, hit_cnt, 1);
if(scan_ret > 0)
{
hit_cnt_ip += scan_ret;
}
table_id = maat_get_table_id((struct maat *)tfe_bussiness_resouce_get(STATIC_MAAT), "ATTR_DESTINATION_ADDR");
scan_ret = maat_scan_ipv6((struct maat *)tfe_bussiness_resouce_get(STATIC_MAAT), table_id, sapp_addr.v6->daddr, sapp_addr.v6->dest, 6,
result+hit_cnt+hit_cnt_ip, MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip, &n_hit_result, scan_mid);
if (scan_ret == MAAT_SCAN_HIT)
@@ -511,5 +482,11 @@ int tfe_scan_ipv6_internal_addr(const struct tfe_stream *stream, long long *resu
{
hit_cnt_ip += n_hit_result;
}
scan_ret = tfe_scan_internal_exteral_addr(stream, result, scan_mid, hit_cnt, 0);
if(scan_ret > 0)
{
hit_cnt_ip += scan_ret;
}
return hit_cnt_ip;
}

14
plugin/business/doh/src/doh.cpp
View File

@@ -325,12 +325,7 @@ static void doh_maat_scan(const struct tfe_stream *stream, const struct tfe_http
doh_addr_tfe2sapp(stream->addr, &sapp_addr);
if (sapp_addr.addrtype == ADDR_TYPE_IPV4)
{
scan_ret = tfe_scan_ipv4_addr(result, ctx->scan_mid, hit_cnt, sapp_addr);
if (scan_ret > 0)
{
hit_cnt += scan_ret;
}
scan_ret = tfe_scan_ipv4_internal_addr(stream, result, ctx->scan_mid, hit_cnt, sapp_addr);
scan_ret = tfe_scan_ipv4_addr(stream, result, ctx->scan_mid, hit_cnt, sapp_addr);
if (scan_ret > 0)
{
hit_cnt += scan_ret;
@@ -338,12 +333,7 @@ static void doh_maat_scan(const struct tfe_stream *stream, const struct tfe_http
}
if (sapp_addr.addrtype == ADDR_TYPE_IPV6)
{
scan_ret = tfe_scan_ipv6_addr(result, ctx->scan_mid, hit_cnt, sapp_addr);
if (scan_ret > 0)
{
hit_cnt += scan_ret;
}
scan_ret = tfe_scan_ipv6_internal_addr(stream, result, ctx->scan_mid, hit_cnt, sapp_addr);
scan_ret = tfe_scan_ipv6_addr(stream, result, ctx->scan_mid, hit_cnt, sapp_addr);
if (scan_ret > 0)
{
hit_cnt += scan_ret;

14
plugin/business/tsg-http/src/tsg_http.cpp
View File

@@ -3159,12 +3159,7 @@ void proxy_on_http_begin(const struct tfe_stream *stream, const struct tfe_http_
addr_tfe2sapp(stream->addr, &sapp_addr);
if (sapp_addr.addrtype == ADDR_TYPE_IPV4)
{
scan_ret = tfe_scan_ipv4_addr(result, ctx->scan_mid, hit_cnt, sapp_addr);
if (scan_ret > 0)
{
hit_cnt += scan_ret;
}
scan_ret = tfe_scan_ipv4_internal_addr(stream, result, ctx->scan_mid, hit_cnt, sapp_addr);
scan_ret = tfe_scan_ipv4_addr(stream, result, ctx->scan_mid, hit_cnt, sapp_addr);
if (scan_ret > 0)
{
hit_cnt += scan_ret;
@@ -3172,12 +3167,7 @@ void proxy_on_http_begin(const struct tfe_stream *stream, const struct tfe_http_
}
if (sapp_addr.addrtype == ADDR_TYPE_IPV6)
{
scan_ret = tfe_scan_ipv6_addr(result, ctx->scan_mid, hit_cnt, sapp_addr);
if (scan_ret > 0)
{
hit_cnt += scan_ret;
}
scan_ret = tfe_scan_ipv6_internal_addr(stream, result, ctx->scan_mid, hit_cnt, sapp_addr);
scan_ret = tfe_scan_ipv6_addr(stream, result, ctx->scan_mid, hit_cnt, sapp_addr);
if (scan_ret > 0)
{
hit_cnt += scan_ret;

4
resource/pangu/table_info.conf
View File

@@ -130,14 +130,14 @@
{
"table_id": 10,
"table_name": "ATTR_HTTP_HOST_VIRTUAL",
"db_tables": ["ATTR_HTTP_HOST", "ATTR_DESTINATION_SERVER_FQDN"],
"db_tables": ["ATTR_HTTP_HOST", "ATTR_SERVER_FQDN"],
"table_type": "virtual",
"physical_table": "TSG_OBJ_FQDN"
},
{
"table_id": 11,
"table_name": "ATTR_HTTP_HOST_CAT_VIRTUAL",
"db_tables": ["ATTR_HTTP_HOST_CAT", "ATTR_DESTINATION_SERVER_FQDN_CAT"],
"db_tables": ["ATTR_HTTP_HOST_CAT", "ATTR_SERVER_FQDN_CAT"],
"table_type": "virtual",
"physical_table": "TSG_OBJ_FQDN_CAT"
},