From 67c83e29127f4b85035055fa9fb791cab43a4348 Mon Sep 17 00:00:00 2001
From: fumingwei
Date: Thu, 18 Mar 2021 10:52:35 +0800
Subject: [PATCH] =?UTF-8?q?=E4=BF=AE=E6=94=B9firewall=E9=85=8D=E7=BD=AE?=
 =?UTF-8?q?=E6=96=87=E4=BB=B6=EF=BC=8C=E8=BE=BE=E5=88=B0kni=E5=8F=91?=
 =?UTF-8?q?=E5=87=BA=E6=95=B0=E6=8D=AE=E5=8C=85=E7=9A=84=E7=9B=AE=E7=9A=84?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 config/mrzcpd/etc/mrglobal.conf | 4 +-
 config/sapp_run/etc/sapp.toml | 29 +++++++-
 config/sapp_run/tsgconf/maat.conf | 4 +-
 dockerfile/firewall/Dockerfile | 4 ++
 .../etc/asymmetric_presence_layer.conf | 18 +++++
 .../firewall/config/sapp_run/etc/kni/kni.conf | 30 ++++----
 .../config/sapp_run/etc/send_raw_pkt.conf | 16 +++++
 .../config/sapp_run/plug/conflist.inf | 8 +--
 .../config/sapp_run/tsgconf/tsg_maat.json | 72 +++++++++++++++++++
 9 files changed, 160 insertions(+), 25 deletions(-)
 create mode 100644 dockerfile/firewall/config/sapp_run/etc/asymmetric_presence_layer.conf
 create mode 100644 dockerfile/firewall/config/sapp_run/etc/send_raw_pkt.conf
 create mode 100644 dockerfile/firewall/config/sapp_run/tsgconf/tsg_maat.json

diff --git a/config/mrzcpd/etc/mrglobal.conf b/config/mrzcpd/etc/mrglobal.conf
index 8feb83d..8341ea1 100644
--- a/config/mrzcpd/etc/mrglobal.conf
+++ b/config/mrzcpd/etc/mrglobal.conf
@@ -10,6 +10,8 @@ in_mask=255.255.255.0
 promisc=1
 [device:virtio_user1]
+in_addr=172.16.1.2
+in_mask=255.255.0.0
 promisc=1
 [service]
@@ -21,7 +23,7 @@ hashmode=0
 [eal]
 virtaddr=0x7f40c4a00000
 loglevel=8
-no-pci=1
+nopci=1
 mem=4096
 single-file-segments=0
diff --git a/config/sapp_run/etc/sapp.toml b/config/sapp_run/etc/sapp.toml
index b278d86..c3aa403 100644
--- a/config/sapp_run/etc/sapp.toml
+++ b/config/sapp_run/etc/sapp.toml
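Review bot: The `[device:virtio_user1]` block now carries `in_addr=172.16.1.2`, the same address this patch gives `tfe0` on `virtio_user1` in `kni.conf`, so the two files have to be kept in step by hand; a comment on the new line would make that coupling visible, e.g. `in_addr=172.16.1.2   # must match [tfe0] ip_addr in sapp_run/etc/kni/kni.conf`. The `/16` mask also differs from the `/24` used for `virtio_user0` a few lines above; if that is deliberate it deserves a word, because a wider mask on the port that KNI uses for egress widens what the process treats as on-link.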
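Review bot: `no-pci=1` is renamed to `nopci=1` with nothing in the patch showing which spelling the `[eal]` parser accepts; the underlying DPDK EAL option is spelled `--no-pci`. If the renamed key is unrecognised and silently dropped, the EAL goes back to probing host PCI devices from inside the container, which this `virtio_user`-only setup clearly does not intend. Please confirm the key against the mrzcpd parser or its documentation and annotate it, e.g. `nopci=1   # -> EAL --no-pci: never bind host PCI NICs from this container`.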
@@ -10,8 +10,9 @@ instance_name = "sapp_v4.0"
 [CPU]
 worker_threads=4
+send_only_threads_max=1
 ### note, bind_mask, if you do not want to bind thread to special CPU core, keep it empty as []
-bind_mask=[5,6,7,8]
+bind_mask=[5,6,7,8,9]
 [MEM]
 dictator_enable=1
@@ -27,6 +28,14 @@ dictator_enable=1
 [packet_io.feature]
 inbound_route_dir=1
+ BSD_packet_filter=""
+ pcap_capture_direction="in"
+ inject_pkt_mode=raw_ethernet_single_gateway
+ inject_mode_inline_device_sport=54789
+ inject_mode_single_gateway_device=tap0
+ inject_mode_single_gateway_src_mac=00:11:22:33:44:55
+ inject_mode_single_gateway_dst_mac=00:11:22:33:44:66
+ #inject_mode_inline_device_sport=54789
 ### note, depolyment.mode options: [mirror, inline, transparent, dumpfile]
 [packet_io.depolyment]
@@ -35,11 +44,25 @@ dictator_enable=1
 ### note, interface.type options: [pag,pcap,marsio]
 [packet_io.internal.interface]
 type=marsio
- name=virtio_user0
+ name="virtio_user0"
 [packet_io.external.interface]
 type=pcap
- name=eth0
+ name="tap_sapp"
+
+ [packet_io.polling]
+ enabled=1
+ polling_priority=1
+ [PROTOCOL_FEATURE]
+ ipv6_decapsulation_enabled=1
+ ipv6_send_packet_enabled=1
+ tcp_drop_pure_ack_pkt=0
+ tcp_syn_option_parse_enabled=1
+ skip_not_ip_layer_over_eth=0
+ treat_vlan_as_mac_in_mac=0
+ reverse_ethernet_addr=1
 [STREAM]
 ### note, stream_id_base_time format is "%Y-%m-%d %H:%M:%S"
diff --git a/config/sapp_run/tsgconf/maat.conf b/config/sapp_run/tsgconf/maat.conf
index d09157e..fe2ea62 100644
--- a/config/sapp_run/tsgconf/maat.conf
+++ b/config/sapp_run/tsgconf/maat.conf
@@ -1,5 +1,5 @@
 [STATIC]
-MAAT_MODE=2
+MAAT_MODE=1
 STAT_SWITCH=1
 PERF_SWITCH=1
 TABLE_INFO=tsgconf/tsg_static_tableinfo.conf
@@ -15,7 +15,7 @@ FULL_CFG_DIR=tsgrule/full/index/
 EFFECTIVE_RANGE_FILE=/opt/tsg/etc/tsg_device_tag.json
 [DYNAMIC]
-MAAT_MODE=2
+MAAT_MODE=1
 STAT_SWITCH=1
 PERF_SWITCH=1
 TABLE_INFO=tsgconf/tsg_dynamic_tableinfo.conf
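Review bot: The new `[packet_io.feature]` keys use bare values (`inject_pkt_mode=raw_ethernet_single_gateway`, `inject_mode_single_gateway_device=tap0`, both MAC addresses) while the next hunk of this same file changes `name=virtio_user0` to `name="virtio_user0"`, which suggests the loader wants strings quoted; if so these lines are either rejected or parsed differently and should be quoted the same way. `00:11:22:33:44:55` / `00:11:22:33:44:66` look like placeholder MACs, and `inject_mode_inline_device_sport=54789` appears once active and once commented out two lines apart. Drop the duplicate and say where the real gateway addresses come from, e.g. `# single-gateway injection: replace the placeholder MACs with the tap peer's real addresses before deployment`.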
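Review bot: The external pcap interface is renamed to `tap_sapp` here, while the injection hunk above points `inject_mode_single_gateway_device` at `tap0` and the `pcap` column of the new `send_raw_pkt.conf` target line reads `p7p2`; three different device names for what appears to be one egress path is a likely misconfiguration, or at least needs a comment stating which device each key refers to. The `[PROTOCOL_FEATURE]` switches, in particular `reverse_ethernet_addr=1`, are added without explanation; a one-line comment on each non-default switch would help, e.g. `reverse_ethernet_addr=1   # swap src/dst MAC on injected replies (single-gateway tap)`. The meaning of these keys is inferred from their names and should be confirmed against the loader.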
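Review bot: `MAAT_MODE` drops from 2 to 1 in both `[STATIC]` and `[DYNAMIC]` with no comment on what the modes are or why the KNI send path needs the change, and the commit message does not mention it either. Please add a comment above the key naming the modes and the reason, e.g. `# MAAT_MODE: 1 = <mode>, 2 = <mode>; 1 required for kni egress`, filled in from the maat documentation.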
diff --git a/dockerfile/firewall/Dockerfile b/dockerfile/firewall/Dockerfile
index 5cba5e1..4a77c94 100644
--- a/dockerfile/firewall/Dockerfile
+++ b/dockerfile/firewall/Dockerfile
@@ -63,6 +63,7 @@ RUN yum makecache \
 RUN yum install -y \
 fw_ftp_plug \
+ app_proto_identify \
 epel-release \
 python3 \
 gdb \
@@ -81,6 +82,9 @@ COPY config/sapp_run/etc/entrylist.conf /home/mesasoft/sapp_run/etc/entrylist.co
 COPY config/sapp_run/tsgconf/app_l7_proto_id.conf /home/mesasoft/sapp_run/tsgconf/app_l7_proto_id.conf
 COPY config/sapp_run/plug/business/tsg_conn_sketch/tsg_conn_sketch.inf /home/mesasoft/sapp_run/plug/business/tsg_conn_sketch/tsg_conn_sketch.inf
 COPY config/sapp_run/plug/conflist.inf /home/mesasoft/sapp_run/plug/conflist.inf
+COPY config/sapp_run/tsgconf/tsg_maat.json /home/mesasoft/sapp_run/tsgconf/tsg_maat.json
+COPY config/sapp_run/etc/send_raw_pkt.conf /home/mesasoft/sapp_run/etc/send_raw_pkt.conf
+COPY config/sapp_run/etc/asymmetric_presence_layer.conf /home/mesasoft/sapp_run/etc/asymmetric_presence_layer.conf
 WORKDIR /home/mesasoft/sapp_run/
 ENTRYPOINT ["/usr/local/bin/supervisord" ,"-n","-c", "/etc/supervisord.conf"]
diff --git a/dockerfile/firewall/config/sapp_run/etc/asymmetric_presence_layer.conf b/dockerfile/firewall/config/sapp_run/etc/asymmetric_presence_layer.conf
new file mode 100644
index 0000000..2dbac8a
--- /dev/null
+++ b/dockerfile/firewall/config/sapp_run/etc/asymmetric_presence_layer.conf
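Review bot: `app_proto_identify` is added to `yum install -y` without a version, next to the already unpinned `fw_ftp_plug`, so the image picks up whatever the repository serves at build time and two builds of this commit can differ in the plugin that now classifies protocols on the wire. Pin it (`app_proto_identify-<version>`) or pass the version as a build argument, and record which repository it is expected to come from.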
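Review bot: The three new `COPY config/sapp_run/...` lines resolve only if the build context is `dockerfile/firewall/`, because the files are created under `dockerfile/firewall/config/sapp_run/` while this patch also edits a second tree at repo-root `config/sapp_run/` (`sapp.toml`, `maat.conf`); which tree the image actually receives is not visible here and should be stated in a comment at the top of the COPY block, e.g. `# build context is dockerfile/firewall; configs come from ./config, not the repo-root config/ tree`. Separately, `tsg_maat.json` bakes a concrete policy (a `geedge.net` suffix rule and a `192.168.50.37` source rule) into every image; if these are fixtures they should be mounted at runtime or marked as samples rather than shipped as the default rule set.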
@@ -0,0 +1,18 @@
+#用于指定哪些协议层, C2S, S2C两侧是不对称存在的, 常见的如vlan, mpls等,
+#sapp创建新流时, 为了便于双向地址比较,
+#sappv3是用配置文件skip_no_ip_layer跳过所有ethernet之上的非ip层, 此方式过于粗暴, mirror模式下还可以, 串联模式下就不对了.
+#sappv4使用本配置文件, 满足条件的需要创建一层虚拟层, 但无实际地址, 也不做地址比对.
+#layer name definition: ipv4, ipv6, ethernet,vlan, arp, gre, mpls, pppoe, tcp, udp, l2tp, ppp, pptp, gtp
+#名称不区别大小写, name is case insensitive, ipv4 is euqal to IPV4
+#
+# asymmetric_layer_name: 表示哪一层协议是非对称存在的, 需要创建空的虚拟层
+# under_of_this_asymmetric_layer: 表示非对称的下面一层的地址类型和层数
+# upper_of_this_asymmetric_layer: 表示非对称的上面一层的地址类型和层数
+# 需要同时满足under_of_this_asymmetric_layer和upper_of_this_asymmetric_layer才会创建虚拟层
+# []表示某个层的index, 从最外层ethernet开始, 从0开始计数, *表示不关心具体在哪层,只要地址类型符合即可
+#pattern: asymmetric_layer_name under_of_this_asymmetric_layer[layer_index] upper_of_this_asymmetric_layer[layer_index]
+
+#mpls ethernet[0] ipv4[1]
+#mpls ethernet[1] ipv4[2]
+#mpls ethernet[0] ipv6[1]
+#mpls ethernet[1] ipv6[2]
diff --git a/dockerfile/firewall/config/sapp_run/etc/kni/kni.conf b/dockerfile/firewall/config/sapp_run/etc/kni/kni.conf
index 042d87f..cdc7a05 100644
--- a/dockerfile/firewall/config/sapp_run/etc/kni/kni.conf
+++ b/dockerfile/firewall/config/sapp_run/etc/kni/kni.conf
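Review bot: Every pattern in the new `asymmetric_presence_layer.conf` is commented out, so the file the Dockerfile now copies into the image declares nothing; its own header says the file exists because skipping all non-IP layers is wrong in inline (串联) mode, so if this firewall runs inline behind MPLS or VLAN the `mpls ethernet[0] ipv4[1]` style entries presumably need to be active. Either enable the patterns this deployment needs or state that the empty file is intentional, e.g. `# intentionally empty: no asymmetric layers expected on the tap/virtio path`. An English summary of the header (what a pattern line means and the `*` wildcard) would also help maintainers who do not read Chinese.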
@@ -1,33 +1,33 @@
 [global]
 log_path = ./log/kni/kni.log
 log_level = 10
-tfe_node_count = 3
-manage_eth = ens1f3
-deploy_mode = tun
+tfe_node_count = 1
+manage_eth = eth0
+deploy_mode = normal
 tun_name = tun_kni
 src_mac_addr = 00:0e:c6:d6:72:c1
 dst_mac_addr = fe:65:b7:03:50:bd
 [tfe0]
 enabled = 1
-dev_eth_symbol = ens1f5
-ip_addr = 192.168.100.2
+dev_eth_symbol = virtio_user1
+ip_addr = 172.16.1.2
-[tfe1]
-enabled = 1
-dev_eth_symbol = ens1f6
-ip_addr = 192.168.100.3
-
-[tfe2]
-enabled = 1
-dev_eth_symbol = ens1f7
-ip_addr = 192.168.100.4
+#[tfe1]
+#enabled = 1
+#dev_eth_symbol = ens1f6
+#ip_addr = 192.168.100.3
+#
+#[tfe2]
+#enabled = 1
+#dev_eth_symbol = ens1f7
+#ip_addr = 192.168.100.4
 [tfe_cmsg_receiver]
 listen_eth = lo
 listen_port = 2475
 [watch_dog]
-switch = 1
+switch = 0
 listen_eth = lo
 listen_port = 2476
 keepalive_idle = 2
diff --git a/dockerfile/firewall/config/sapp_run/etc/send_raw_pkt.conf b/dockerfile/firewall/config/sapp_run/etc/send_raw_pkt.conf
new file mode 100644
index 0000000..f6a82bc
--- /dev/null
+++ b/dockerfile/firewall/config/sapp_run/etc/send_raw_pkt.conf
@@ -0,0 +1,16 @@
+#ԭʼ,
+#ƽ̨ڲͬ, ײҲͬ,
+#ͨģʽʹ, DPDKģʽʹö˿ں, PFRINGģʽʹindex, ģʽ.
+#target_idڱʾĸն˷,
+#ڷ͵ݰײMACĿIP, ϲ, ƽֻ̨ԭʼ.
+#target_id൱ݿ
+
+#(0:pag,1:pcap,2:dumpfile,3:pfring,4:DPDK,5:ppf,6:NPacket,7:qnf,8:N95,9:pcap-dumpfile-list,10:topsec,
+##(11:ipfile, 12:marsio4, 13:agent_smith, 14:dpdk_vxlan, 15:marsio_vxlan, 16:pag_marsio
+
+#target_id
+0 pag p7p2 eth1 dna0 dpdk ppf npacket qnf n95 eth1 topsec eth1 virtio_user0 smith dpdk dpdk pag
+#1 pag eth1 eth1 dna0 dpdk ppf npacket qnf n95 eth1 topsec eth1 p7p1 smith dpdk dpdk pag
+#2 pag eth1 eth1 dna0 dpdk ppf npacket qnf n95 eth1 topsec eth1 p7p1 smith dpdk dpdk pag
+#3 pag eth1 eth1 dna0 dpdk ppf npacket qnf n95 eth1 topsec eth1 p7p2 smith dpdk dpdk pag
+#4 pag eth1 eth1 dna0 dpdk ppf npacket qnf n95 eth1 topsec eth1 p7p2 smith dpdk dpdk pag
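Review bot: `src_mac_addr = 00:0e:c6:d6:72:c1` and `dst_mac_addr = fe:65:b7:03:50:bd` are left untouched while every interface around them moves from the physical `ens1f*` ports to `virtio_user1` / `eth0`; they look like the MACs of the old NICs, and with `deploy_mode = normal` the frames KNI emits may carry a stale source or be addressed to a peer that no longer exists. Please verify both against the new tap/virtio peer and annotate them, e.g. `dst_mac_addr = ...   # MAC of the tap peer that receives KNI egress`. Turning the watchdog off (`switch = 0`) also removes the keepalive on `lo:2476`; if that is only to avoid false restarts in a single-node container, say so in a comment rather than leaving it silently disabled.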
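Review bot: The comment block of the new `send_raw_pkt.conf` is mojibake (`ԭʼ`, `ƽ̨ڲͬ`, …): the file was saved in a legacy Chinese code page while the patch declares `charset=UTF-8`, so the explanation of `target_id` and of each column is unreadable both in the repository and in the image. Re-save it as UTF-8 and add an English line per column. The one active line maps the `marsio4` column to `virtio_user0`, which agrees with `[packet_io.internal.interface]` in `sapp.toml`, but its `pcap` column reads `p7p2` while `sapp.toml` now names the pcap interface `tap_sapp`; if the column order follows the header comment, that entry is stale.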
diff --git a/dockerfile/firewall/config/sapp_run/plug/conflist.inf b/dockerfile/firewall/config/sapp_run/plug/conflist.inf
index 78325d8..bf46d0b 100644
--- a/dockerfile/firewall/config/sapp_run/plug/conflist.inf
+++ b/dockerfile/firewall/config/sapp_run/plug/conflist.inf
@@ -1,8 +1,8 @@
 [platform]
 #./plug/platform/g_device_plug/g_device_plug.inf
-./plug/platform/wannat/wangw.inf
-./plug/platform/wire_graft/wire_graft.inf
-./plug/platform/http_healthcheck/http_healthcheck.inf
+#./plug/platform/wannat/wangw.inf
+#./plug/platform/wire_graft/wire_graft.inf
+#./plug/platform/http_healthcheck/http_healthcheck.inf
 ./plug/platform/app_proto_identify/app_proto_identify.inf
 ./plug/platform/tsg_master/tsg_master.inf
@@ -19,7 +19,7 @@
 [business]
 ./plug/business/tsg_conn_sketch/tsg_conn_sketch.inf
 ./plug/business/capture_packet_plug/capture_packet_plug.inf
-#./plug/business/kni/kni.inf
+./plug/business/kni/kni.inf
 ./plug/business/fw_ssl_plug/fw_ssl_plug.inf
 ./plug/business/fw_http_plug/fw_http_plug.inf
 ./plug/business/fw_dns_plug/fw_dns_plug.inf
diff --git a/dockerfile/firewall/config/sapp_run/tsgconf/tsg_maat.json b/dockerfile/firewall/config/sapp_run/tsgconf/tsg_maat.json
new file mode 100644
index 0000000..b804b1e
--- /dev/null
+++ b/dockerfile/firewall/config/sapp_run/tsgconf/tsg_maat.json
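Review bot: `wangw.inf`, `wire_graft.inf` and `http_healthcheck.inf` are commented out of `[platform]` with no rationale; dropping `http_healthcheck` in particular means whatever probes this firewall's liveness will no longer get an answer, and the commit message (about KNI egress) does not explain why these three must go. If they conflict with the KNI plugin enabled in `[business]`, record that on the disabled lines, e.g. `# disabled: conflicts with the kni egress path (see ./plug/business/kni/kni.inf)`; if they are simply unneeded in this image, say so; otherwise re-enable them.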
@@ -0,0 +1,72 @@
+{
+ "compile_table": "TSG_SECURITY_COMPILE",
+ "group_table": "GROUP_COMPILE_RELATION",
+ "rules": [
+ {
+ "compile_id": 6,
+ "service": 0,
+ "action": 2,
+ "do_blacklist": 0,
+ "do_log": 1,
+ "effective_rage": 0,
+ "user_region": "anything",
+ "is_valid": "yes",
+ "groups": [
+ {
+ "group_name": "HOST",
+ "virtual_table":"TSG_FIELD_HTTP_HOST",
+ "not_flag" : 0,
+ "regions": [
+ {
+ "table_name": "TSG_OBJ_FQDN",
+ "table_type": "expr",
+ "table_content": {
+ "keywords": "geedge.net",
+ "expr_type": "none",
+ "match_method": "suffix",
+ "format": "uncase plain"
+ }
+ }
+
+ ]
+ }
+ ]
+ },
+ {
+ "compile_id": 7,
+ "service": 0,
+ "action": 2,
+ "do_blacklist": 0,
+ "do_log": 1,
+ "effective_rage": 0,
+ "user_region": "anything",
+ "is_valid": "yes",
+ "groups": [
+ {
+ "group_name": "IP_ADDR_2",
+ "virtual_table":"TSG_SECURITY_SOURCE_ADDR",
+ "regions": [
+ {
+ "table_name": "TSG_OBJ_IP_ADDR",
+ "table_type": "ip_plus",
+ "table_content": {
+ "addr_type": "ipv4",
+ "src_ip": "192.168.50.37",
+ "mask_src_ip": "255.255.255.255",
+ "src_port": "0",
+ "mask_src_port": "65535",
+ "dst_ip": "0.0.0.0",
+ "mask_dst_ip": "255.255.255.255",
+ "dst_port": "0",
+ "mask_dst_port": "65535",
+ "protocol": 6,
+ "direction": "double"
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ]
+}
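Review bot: Both rules spell the field `effective_rage`, while `maat.conf` in this same patch uses `EFFECTIVE_RANGE_FILE`; if the loader expects `effective_range`, the key is silently ignored and both rules get whatever default scope the engine applies, so please confirm the spelling against the rule schema. The second rule omits the `not_flag` the first one sets, `src_port`/`dst_port` are strings while `protocol` is a number, and `action: 2` gives no hint of what 2 does; an explicit `not_flag` in every group and one type per field avoids parser-dependent behaviour. Because this file is copied into the image as the live policy, the `geedge.net` suffix rule and the `192.168.50.37` source rule need to be documented as samples or removed; strict JSON cannot carry a comment, so that note belongs in the Dockerfile or a README beside the file.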