TSG-14628 TFE适配TCP Option Profile库表的变更

platform/src/acceptor_kni_v3.cpp

@@ -18,6 +18,8 @@
 
 #define TCP_RESTORE_TCPOPT_KIND 88
 
+extern void tcp_policy_enforce(struct tcp_policy_enforcer *enforcer, struct tfe_cmsg *cmsg, uint64_t rule_id);
+
 struct acceptor_kni_v3
 {
 	struct tfe_proxy *proxy;
@@ -529,6 +531,51 @@ static int fake_tcp_handshake(struct tfe_proxy *proxy, struct tcp_restore_info *
 	return 0;
 }
 
+static int overwrite_tcp_mss(struct tfe_cmsg *cmsg, struct tcp_restore_info *restore)
+{
+	int ret = 0;
+	uint16_t size = 0;
+	int server_side_mss_enable = 0;
+	int server_side_mss_value = 0;
+	int client_side_mss_enable = 0;
+	int client_side_mss_value = 0;
+
+	ret = tfe_cmsg_get_value(cmsg, TFE_CMSG_DOWNSTREAM_TCP_MSS_ENABLE, (unsigned char *)&client_side_mss_enable, sizeof(client_side_mss_enable), &size);
+	if (ret < 0)
+	{
+		TFE_LOG_ERROR(g_default_logger, "failed at fetch client side tcp mss from cmsg: %s", strerror(-ret));
+		return -1;
+	}
+	ret = tfe_cmsg_get_value(cmsg, TFE_CMSG_DOWNSTREAM_TCP_MSS_VALUE, (unsigned char *)&client_side_mss_value, sizeof(client_side_mss_value), &size);
+	if (ret < 0)
+	{
+		TFE_LOG_ERROR(g_default_logger, "failed at fetch client side tcp mss value from cmsg: %s", strerror(-ret));
+		return -1;
+	}
+	ret = tfe_cmsg_get_value(cmsg, TFE_CMSG_UPSTREAM_TCP_MSS_ENABLE, (unsigned char *)&server_side_mss_enable, sizeof(server_side_mss_enable), &size);
+	if (ret < 0)
+	{
+		TFE_LOG_ERROR(g_default_logger, "failed at fetch server side tcp mss from cmsg: %s", strerror(-ret));
+		return -1;
+	}
+	ret = tfe_cmsg_get_value(cmsg, TFE_CMSG_UPSTREAM_TCP_MSS_VALUE, (unsigned char *)&server_side_mss_value, sizeof(server_side_mss_value), &size);
+	if (ret < 0)
+	{
+		TFE_LOG_ERROR(g_default_logger, "failed at fetch server side tcp mss value from cmsg: %s", strerror(-ret));
+		return -1;
+	}
+	if (client_side_mss_enable)
+	{
+		restore->client.mss = client_side_mss_value;
+	}
+	if (server_side_mss_enable)
+	{
+		restore->server.mss = server_side_mss_value;
+	}
+
+	return 0;
+}
+
 /*
  * nfmsg : message objetc that contains the packet
  * nfad : Netlink packet data handle
@@ -555,6 +602,7 @@ static int payload_handler_cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, s
 	struct tcp_restore_info restore_info;
 	uint8_t stream_protocol_in_char = 0;
 	uint16_t size = 0;
+	uint64_t rule_id = 0;
 	struct acceptor_kni_v3 *__ctx = (struct acceptor_kni_v3 *)data;
 	clock_gettime(CLOCK_MONOTONIC, &(__ctx->start));
 	memset(&pktinfo, 0, sizeof(pktinfo));
@@ -659,6 +707,25 @@ static int payload_handler_cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, s
 		pktinfo.tcphdr->check = tfe_pkt_checksum_tcp_v6((void*)pktinfo.tcphdr, pktinfo.ip_totlen - pktinfo.iphdr_len, pktinfo.iphdr.v6->ip6_src, pktinfo.iphdr.v6->ip6_dst);
 	}
 
+	if (tfe_cmsg_deserialize((const unsigned char *)restore_info.cmsg, restore_info.cmsg_len, &cmsg) < 0)
+	{
+		TFE_LOG_ERROR(g_default_logger, "failed at tfe_cmsg_deserialize()");
+		goto end;
+	}
+
+	ret = tfe_cmsg_get_value(cmsg, TFE_CMSG_POLICY_ID, (unsigned char *)&rule_id, sizeof(rule_id), &size);
+	if (ret < 0)
+	{
+		TFE_LOG_ERROR(g_default_logger, "failed at fetch rule_id from cmsg: %s", strerror(-ret));
+		goto end;
+	}
+	tcp_policy_enforce(__ctx->proxy->tcp_ply_enforcer, cmsg, rule_id);
+
+	if (overwrite_tcp_mss(cmsg, &restore_info))
+	{
+		goto end;
+	}
+
 	tfe_tcp_restore_info_dump(&restore_info);
 
 	// tcp repair C2S
@@ -677,12 +744,6 @@ static int payload_handler_cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, s
 		goto end;
 	}
 
-	if (tfe_cmsg_deserialize((const unsigned char *)restore_info.cmsg, restore_info.cmsg_len, &cmsg) < 0)
-	{
-		TFE_LOG_ERROR(g_default_logger, "Failed at tfe_cmsg_deserialize()");
-		goto end;
-	}
-
 	tfe_cmsg_get_value(cmsg, TFE_CMSG_TCP_RESTORE_PROTOCOL, (unsigned char *)&stream_protocol_in_char, sizeof(stream_protocol_in_char), &size);
 	if (steering_device_is_available() && (
 			(STREAM_PROTO_PLAIN == (enum tfe_stream_proto)stream_protocol_in_char && __ctx->proxy->traffic_steering_options.enable_steering_http) ||

platform/src/proxy.cpp

@@ -61,6 +61,7 @@
 extern struct ssl_policy_enforcer* ssl_policy_enforcer_create(void* logger);
 extern enum ssl_stream_action ssl_policy_enforce(struct ssl_stream *upstream, void* u_para);
 
+extern struct tcp_policy_enforcer *tcp_policy_enforcer_create(void *logger);
 static int signals[] = {SIGHUP, SIGPIPE, SIGUSR1, SIGUSR2};
 
 /* Global Resource */
@@ -165,17 +166,16 @@ int tfe_proxy_fds_accept(struct tfe_proxy *ctx, int fd_downstream, int fd_upstre
     uint8_t stream_protocol_in_char = 0;
 	int tcp_passthrough = -1;
 	uint16_t size = 0;
+	int result = 0;
 
-	int result = tfe_cmsg_get_value(cmsg, TFE_CMSG_TCP_RESTORE_PROTOCOL, (unsigned char *)&stream_protocol_in_char,
-        sizeof(stream_protocol_in_char), &size);
-
+	result = tfe_cmsg_get_value(cmsg, TFE_CMSG_TCP_RESTORE_PROTOCOL, (unsigned char *)&stream_protocol_in_char, sizeof(stream_protocol_in_char), &size);
 	if (unlikely(result < 0))
-    {
-	    TFE_LOG_ERROR(ctx->logger, "failed at fetch connection's protocol from cmsg: %s", strerror(-result));
-	    goto __errout;
-    }
+	{
+		TFE_LOG_ERROR(ctx->logger, "failed at fetch connection's protocol from cmsg: %s", strerror(-result));
+		goto __errout;
+	}
 
-    stream_protocol = (enum tfe_stream_proto)stream_protocol_in_char;
+	stream_protocol = (enum tfe_stream_proto)stream_protocol_in_char;
 	tfe_stream_option_set(stream, TFE_STREAM_OPT_SESSION_TYPE, &stream_protocol, sizeof(stream_protocol));
 	tfe_stream_cmsg_setup(stream, cmsg);
 
@@ -697,7 +697,12 @@ int main(int argc, char * argv[])
 		TFE_LOG_INFO(g_default_logger, "Plugin %s initialized. ", plugin_iter->symbol);
 	}
 
-	g_default_proxy->ssl_ply_enforcer=ssl_policy_enforcer_create(g_default_logger);
+	g_default_proxy->tcp_ply_enforcer = tcp_policy_enforcer_create(g_default_logger);
+	CHECK_OR_EXIT(g_default_proxy->tcp_ply_enforcer == NULL, "Failed at creating tcp policy enforcer. Exit.");
+
+	g_default_proxy->ssl_ply_enforcer = ssl_policy_enforcer_create(g_default_logger);
+	CHECK_OR_EXIT(g_default_proxy->ssl_ply_enforcer == NULL, "Failed at creating ssl policy enforcer. Exit.");
+
 	ssl_manager_set_new_upstream_cb(g_default_proxy->ssl_mgr_handler, ssl_policy_enforce, g_default_proxy->ssl_ply_enforcer);
 	ret = tfe_proxy_work_thread_run(g_default_proxy);
 	CHECK_OR_EXIT(ret == 0, "Failed at creating thread. Exit.");

platform/src/ssl_stream.cpp

@@ -2180,9 +2180,7 @@ int ssl_stream_set_integer_opt(struct ssl_stream *upstream, enum SSL_STREAM_OPT
 int ssl_stream_get_integer_opt(struct ssl_stream *upstream, enum SSL_STREAM_OPT opt_type, int *opt_val)
 {
 	struct ssl_service_status* svc=&upstream->up_parts.svc_status;
-	struct tfe_cmsg *cmsg=NULL;
 	UNUSED int ret=0;
-	uint16_t out_size=0;
 	switch(opt_type)
 	{
 		case	SSL_STREAM_OPT_IS_EV_CERT:
@@ -2203,18 +2201,24 @@ int ssl_stream_get_integer_opt(struct ssl_stream *upstream, enum SSL_STREAM_OPT
 		case	SSL_STREAM_OPT_HAS_PROTOCOL_ERRORS:
 			*opt_val=svc->has_protocol_errors;
 			break;
-		case	SSL_STREAM_OPT_INTERCEPT_POLICY_ID:
-			cmsg=tfe_stream_get0_cmsg(upstream->tcp_stream);
-			ret=tfe_cmsg_get_value(cmsg, TFE_CMSG_POLICY_ID, (unsigned char*)opt_val, sizeof(*opt_val), &out_size);
-			assert(ret==0);
-			assert(out_size==sizeof(*opt_val));
-			break;
 		default:
 			return -1;
 	}
 	return 0;
 
 }
+
+uint64_t ssl_stream_get_policy_id(struct ssl_stream *upstream)
+{
+	uint16_t out_size;
+	uint64_t policy_id = 0;
+	struct tfe_cmsg *cmsg = tfe_stream_get0_cmsg(upstream->tcp_stream);
+	int ret = tfe_cmsg_get_value(cmsg, TFE_CMSG_POLICY_ID, (unsigned char *)policy_id, sizeof(policy_id), &out_size);
+	assert(ret == 0);
+
+	return policy_id;
+}
+
 int ssl_stream_get_string_opt(struct ssl_stream *upstream, enum SSL_STREAM_OPT opt_type, char* in_buff, size_t sz)
 {
 	const char* sni=upstream->up_parts.client_hello->sni?upstream->up_parts.client_hello->sni:"null";