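# TFE proxy configuration (the file that the [tcp] section refers to as tfe.conf).
# Section and key names are fixed by the consuming program; do not rename them.
# Comments start with '#' in column 0 on their own line; never put a comment
# after a value, since the parser may take it as part of the value.
# NOTE(review): this file carries credentials in clear text (sasl_passwd in
# [ssl] and [kafka], the sentry_key inside breakpad_upload_url). Keep file
# permissions restricted to the service account and rotate those values if the
# file has been shared.

[system]
nr_worker_threads=8
# KNI backend selection (one of v1..v4). v3 is configured in [nfq], v4 in
# [packet_io]; presumably only one enable_kni_vN may be 1 -- confirm.
enable_kni_v1=0
enable_kni_v2=0
enable_kni_v3=0
enable_kni_v4=1
# Only when (disable_coredump == 1 || (enable_breakpad == 1 && enable_breakpad_upload == 1)) is satisfied, the core will not be generated locally
disable_coredump=0
enable_breakpad=1
enable_breakpad_upload=1
# Crash minidumps are uploaded here over plain http (no TLS); minidumps may
# include process memory. The sentry_key in the URL is a credential.
breakpad_upload_url=http://sentry.mesalab.cn:9000/api/3/minidump/?sentry_key=e8e446bb3bd8435c97f4c01770ca7025
# must be /run/tfe/crashreport,due to tmpfile limit
breakpad_minidump_dir=/run/tfe/crashreport
# ask for at least (1 + nr_worker_threads) masks
# the first mask for acceptor thread
# the others mask for worker thread
enable_cpu_affinity=0
cpu_affinity_mask=1-9
# LEAST_CONN = 0; ROUND_ROBIN = 1
load_balance=1

# for enable kni v3
[nfq]
device=tap0
queue_id=1
queue_maxlen=655350
# socket receive buffer size in bytes (~983 MB)
queue_rcvbufsiz=983025000
queue_no_enobufs=1

[kni]
# kni v1
#uxdomain=/var/run/.tfe_kni_acceptor_handler
# kni v2
#scm_socket_file=/var/run/.tfe_kmod_scm_socket
# send cmsg
send_switch=1
ip=192.168.100.1
cmsg_port=2475
# watch dog
watchdog_switch=1
watchdog_port=2476

[watchdog_tfe]
# The worker thread updates the timestamp every two seconds
# The watchdog thread checks the timestamp every second
enable=1
timeout_seconds=5
statistics_window=20
timeout_cnt_as_fail=3
timeout_debug=0

[ssl]
ssl_debug=0
ssl_ja3_table=PXY_SSL_FINGERPRINT
# ssl version Not available, configured via TSG website
# ssl_max_version=tls13
# ssl_min_version=ssl3
# NOTE(review): TLS compression is left enabled and SSLv3 / TLS 1.0 / TLS 1.1
# are not disabled by this file; all of these are deprecated protocol features.
# Confirm that the TSG-side version policy really overrides them before
# relying on it.
ssl_compression=1
no_ssl2=1
no_ssl3=0
no_tls10=0
no_tls11=0
no_tls12=0
# OpenSSL cipher string; "ALL:-aNULL" excludes only unauthenticated suites and
# otherwise accepts whatever the linked OpenSSL offers.
default_ciphers=ALL:-aNULL
# presumably 1 disables certificate verification entirely -- keep at 0
no_cert_verify=0
# session ticket
no_session_ticket=0
stek_group_num=4096
# seconds
stek_rotation_time=3600
# session cache
no_session_cache=0
session_cache_slots=4194304
session_cache_expire_seconds=1800
# service cache
service_cache_slots=4194304
service_cache_expire_seconds=300
service_cache_fail_as_pinning_cnt=4
service_cache_fail_as_proto_err_cnt=5
service_cache_fail_time_window=30
# cert
# CRL checking is disabled; revoked certificates are not rejected on that basis.
check_cert_crl=0
trusted_cert_load_local=1
# alternative trust bundle, currently disabled:
# trusted_cert_file=resource/tfe/tls-ca-bundle.pem
trusted_cert_file=resource/tfe/tsg_diagonse_ca.pem
trusted_cert_dir=resource/tfe/trusted_storage
# master key
# NOTE(review): with log_master_key=1 the TLS secrets presumably get written
# to key_log_file in clear text (the file name suggests an SSLKEYLOG-style
# dump) -- confirm; leave it at 0 outside of debugging sessions.
log_master_key=0
key_log_file=log/sslkeylog.log
# mid cert cache
mc_cache_enable=1
mc_vsystem_id=1
mc_cache_eth=eth0
mc_cache_broker_list=192.168.40.224:9092
mc_cache_topic=PXY-EXCH-INTERMEDIA-CERT
# Kafka SASL credentials in clear text (same values as in [kafka])
sasl_username=admin
sasl_passwd=galaxy2019

[key_keeper]
#Mode: debug - generate cert with ca_path, normal - generate cert with cert store
#0 on cache 1 off cache
no_cache=0
mode=normal
cert_store_host=192.168.10.8
cert_store_port=9991
ca_path=resource/tfe/tango-ca-trust-ca.pem
untrusted_ca_path=resource/tfe/tango-ca-untrust-ca.pem
hash_slot_size=131072
hash_expire_seconds=300
# unit is not stated in this file -- confirm against key_keeper (hours?)
cert_expire_time=24
# health_check only for "mode=normal" default 1
enable_health_check=1

[debug]
# 1 : enforce tcp passthrough
# 0 : Whether to passthrough depends on the tcp_options in cmsg
passthrough_all_tcp=0

[ratelimit]
# all four at 0, i.e. rate limiting is presumably not applied -- confirm
read_rate=0
read_burst=0
write_rate=0
write_burst=0

[tcp]
# read rcv_buff/snd_buff options from tfe conf
sz_rcv_buffer=-1
sz_snd_buffer=-1
# 1 : use tcp_options in tfe.conf
# 0 : use tcp_options in cmsg
enable_overwrite=0
tcp_nodelay=1
so_keepalive=1
# keepalive probe count / interval (s) / idle (s)
tcp_keepcnt=8
tcp_keepintvl=15
tcp_keepidle=30
tcp_user_timeout=600
tcp_ttl_upstream=75
tcp_ttl_downstream=70

[stat]
statsd_server=127.0.0.1
statsd_port=8100
statsd_cycle=5
# 1:FS_OUTPUT_STATSD; 2:FS_OUTPUT_INFLUX_LINE
statsd_format=2
# comma-separated list
histogram_bins=0.5,0.8,0.9,0.95
statsd_set_prometheus_port=9001
statsd_set_prometheus_url_path=/tfe_prometheus

[traffic_mirror]
enable=1
device=eth4
# 0:TRAFFIC_MIRROR_ETHDEV_AF_PACKET; 1:TRAFFIC_MIRROR_ETHDEV_MARSIO
type=1
default_vlan_id=2
table_info=resource/pangu/table_info_traffic_mirror.conf
stat_file=log/traffic_mirror.status

[traffic_steering]
enable_steering_http=0
enable_steering_ssl=0
# 17: 0x11
so_mask_client=17
# 34: 0x22
so_mask_server=34
device_client=tap_c
device_server=tap_s
http_keepalive_enable=1
# NOTE(review): quoted value -- whether the quotes are stripped or kept as
# literal characters depends on the parser; every other path in this file is
# unquoted. Confirm which form the program expects.
http_keepalive_path="/metrics"
http_keepalive_addr=192.168.41.60
http_keepalive_port=9273

[kafka]
enable=1
vsystem_id=1
NIC_NAME=enp2s0
kafka_brokerlist=192.168.40.224:9092
kafka_topic=PROXY-EVENT
# Kafka SASL credentials in clear text (same values as in [ssl])
sasl_username=admin
sasl_passwd=galaxy2019
device_id_filepath=/opt/tsg/etc/tsg_sn.json

[maat]
# 0:json 1:redis 2:iris
maat_input_mode=1
stat_switch=1
perf_switch=1
table_info=resource/pangu/table_info.conf
accept_path=/opt/tsg/etc/tsg_device_tag.json
accept_tag_key=device_id
stat_file=log/pangu_scan.fs2
effect_interval_s=1
deferred_load_on=0
# json mode conf item
json_cfg_file=resource/pangu/pangu_http.json
# redis mode conf item
maat_redis_server=10.4.34.4
maat_redis_port_range=6380-6389
maat_redis_db_index=4
# iris mode conf item
full_cfg_dir=pangu_policy/full/index/
inc_cfg_dir=pangu_policy/inc/index/

[proxy_hits]
cycle=1000
telegraf_port=8400
telegraf_ip=127.0.0.1
# quoted value; same parser caveat as http_keepalive_path in [traffic_steering]
app_name="proxy_rule_hits"

# for enable kni v4
[packet_io]
packet_io_threads=8
packet_io_cpu_affinity_mask=1-9
firewall_sids=1000
proxy_sids=1001
service_chaining_sids=1002
# bypass_all_traffic:1 NF2NF and SF2SF
bypass_all_traffic=0
rx_burst_max=128
app_symbol=tfe
dev_nf_interface=eth_nf_interface
src_mac_addr=00:0e:c6:d6:72:c1
# tap config
tap_name=tap0
# 1.tap_allow_mutilthread=1 load bpf rss obj
# 2.tap_allow_mutilthread=0 not load bpf rss obj
tap_allow_mutilthread=1
bpf_obj=/opt/tsg/tfe/resource/bpf/bpf_tun_rss_steering.o
# tap_bpf_debug_log: cat /sys/kernel/debug/tracing/trace_pipe
bpf_debug_log=0
# 2: BPF steers flows by 2-tuple
# 4: BPF steers flows by 4-tuple
bpf_hash_mode=2
# RPS (receive packet steering) settings for the tap NIC
tap_rps_enable=1
tap_rps_mask=0,1fffffff,c0000000,00000000
# iouring config
enable_iouring=1
enable_debuglog=0
ring_size=1024
buff_size=2048
# io_uring_setup() flags
# IORING_SETUP_IOPOLL (1U << 0) /* io_context is polled */
# IORING_SETUP_SQPOLL (1U << 1) /* SQ poll thread */
# IORING_SETUP_SQ_AFF (1U << 2) /* sq_thread_cpu is valid */
# IORING_SETUP_CQSIZE (1U << 3) /* app defines CQ size */
# IORING_SETUP_CLAMP (1U << 4) /* clamp SQ/CQ ring sizes */
# IORING_SETUP_ATTACH_WQ (1U << 5) /* attach to existing wq */
# IORING_SETUP_R_DISABLED (1U << 6) /* start with ring disabled */
# IORING_SETUP_SUBMIT_ALL (1U << 7) /* continue submit on error */
flags=0
sq_thread_idle=0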