gfwleak/tango-tsg-container
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

修改firewall配置文件,达到kni发出数据包的目的

Browse Source
This commit is contained in:
fumingwei
2021-03-18 10:52:35 +08:00
parent fb0b4c321c
commit 67c83e2912
9 changed files with 160 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
config/mrzcpd/etc/mrglobal.conf
View File

@@ -10,6 +10,8 @@ in_mask=255.255.255.0
promisc=1 promisc=1
[device:virtio_user1] [device:virtio_user1]
in_addr=172.16.1.2
in_mask=255.255.0.0
promisc=1 promisc=1
[service] [service]
@@ -21,7 +23,7 @@ hashmode=0
[eal] [eal]
virtaddr=0x7f40c4a00000 virtaddr=0x7f40c4a00000
loglevel=8 loglevel=8
no-pci=1 nopci=1
mem=4096 mem=4096
single-file-segments=0 single-file-segments=0

29
config/sapp_run/etc/sapp.toml
View File

@@ -10,8 +10,9 @@ instance_name = "sapp_v4.0"
[CPU] [CPU]
worker_threads=4 worker_threads=4
send_only_threads_max=1
### note, bind_mask, if you do not want to bind thread to special CPU core, keep it empty as [] ### note, bind_mask, if you do not want to bind thread to special CPU core, keep it empty as []
bind_mask=[5,6,7,8] bind_mask=[5,6,7,8,9]
[MEM] [MEM]
dictator_enable=1 dictator_enable=1
@@ -27,6 +28,14 @@ dictator_enable=1
[packet_io.feature] [packet_io.feature]
inbound_route_dir=1 inbound_route_dir=1
BSD_packet_filter=""
pcap_capture_direction="in"
inject_pkt_mode=raw_ethernet_single_gateway
inject_mode_inline_device_sport=54789
inject_mode_single_gateway_device=tap0
inject_mode_single_gateway_src_mac=00:11:22:33:44:55
inject_mode_single_gateway_dst_mac=00:11:22:33:44:66
#inject_mode_inline_device_sport=54789 #inject_mode_inline_device_sport=54789
### note, depolyment.mode options: [mirror, inline, transparent, dumpfile] ### note, depolyment.mode options: [mirror, inline, transparent, dumpfile]
[packet_io.depolyment] [packet_io.depolyment]
@@ -35,11 +44,25 @@ dictator_enable=1
### note, interface.type options: [pag,pcap,marsio] ### note, interface.type options: [pag,pcap,marsio]
[packet_io.internal.interface] [packet_io.internal.interface]
type=marsio type=marsio
name=virtio_user0 name="virtio_user0"
[packet_io.external.interface] [packet_io.external.interface]
type=pcap type=pcap
name=eth0 name="tap_sapp"
[packet_io.polling]
enabled=1
polling_priority=1
[PROTOCOL_FEATURE]
ipv6_decapsulation_enabled=1
ipv6_send_packet_enabled=1
tcp_drop_pure_ack_pkt=0
tcp_syn_option_parse_enabled=1
skip_not_ip_layer_over_eth=0
treat_vlan_as_mac_in_mac=0
reverse_ethernet_addr=1
[STREAM] [STREAM]
### note, stream_id_base_time format is "%Y-%m-%d %H:%M:%S" ### note, stream_id_base_time format is "%Y-%m-%d %H:%M:%S"

4
config/sapp_run/tsgconf/maat.conf
View File

@@ -1,5 +1,5 @@
[STATIC] [STATIC]
MAAT_MODE=2 MAAT_MODE=1
STAT_SWITCH=1 STAT_SWITCH=1
PERF_SWITCH=1 PERF_SWITCH=1
TABLE_INFO=tsgconf/tsg_static_tableinfo.conf TABLE_INFO=tsgconf/tsg_static_tableinfo.conf
@@ -15,7 +15,7 @@ FULL_CFG_DIR=tsgrule/full/index/
EFFECTIVE_RANGE_FILE=/opt/tsg/etc/tsg_device_tag.json EFFECTIVE_RANGE_FILE=/opt/tsg/etc/tsg_device_tag.json
[DYNAMIC] [DYNAMIC]
MAAT_MODE=2 MAAT_MODE=1
STAT_SWITCH=1 STAT_SWITCH=1
PERF_SWITCH=1 PERF_SWITCH=1
TABLE_INFO=tsgconf/tsg_dynamic_tableinfo.conf TABLE_INFO=tsgconf/tsg_dynamic_tableinfo.conf

4
dockerfile/firewall/Dockerfile
View File

@@ -63,6 +63,7 @@ RUN yum makecache \
RUN yum install -y \ RUN yum install -y \
fw_ftp_plug \ fw_ftp_plug \
app_proto_identify \
epel-release \ epel-release \
python3 \ python3 \
gdb \ gdb \
@@ -81,6 +82,9 @@ COPY config/sapp_run/etc/entrylist.conf /home/mesasoft/sapp_run/etc/entrylist.co
COPY config/sapp_run/tsgconf/app_l7_proto_id.conf /home/mesasoft/sapp_run/tsgconf/app_l7_proto_id.conf COPY config/sapp_run/tsgconf/app_l7_proto_id.conf /home/mesasoft/sapp_run/tsgconf/app_l7_proto_id.conf
COPY config/sapp_run/plug/business/tsg_conn_sketch/tsg_conn_sketch.inf /home/mesasoft/sapp_run/plug/business/tsg_conn_sketch/tsg_conn_sketch.inf COPY config/sapp_run/plug/business/tsg_conn_sketch/tsg_conn_sketch.inf /home/mesasoft/sapp_run/plug/business/tsg_conn_sketch/tsg_conn_sketch.inf
COPY config/sapp_run/plug/conflist.inf /home/mesasoft/sapp_run/plug/conflist.inf COPY config/sapp_run/plug/conflist.inf /home/mesasoft/sapp_run/plug/conflist.inf
COPY config/sapp_run/tsgconf/tsg_maat.json /home/mesasoft/sapp_run/tsgconf/tsg_maat.json
COPY config/sapp_run/etc/send_raw_pkt.conf /home/mesasoft/sapp_run/etc/send_raw_pkt.conf
COPY config/sapp_run/etc/asymmetric_presence_layer.conf /home/mesasoft/sapp_run/etc/asymmetric_presence_layer.conf
WORKDIR /home/mesasoft/sapp_run/ WORKDIR /home/mesasoft/sapp_run/
ENTRYPOINT ["/usr/local/bin/supervisord" ,"-n","-c", "/etc/supervisord.conf"] ENTRYPOINT ["/usr/local/bin/supervisord" ,"-n","-c", "/etc/supervisord.conf"]

18
dockerfile/firewall/config/sapp_run/etc/asymmetric_presence_layer.conf Normal file
View File

@@ -0,0 +1,18 @@
#用于指定哪些协议层, C2S, S2C两侧是不对称存在的, 常见的如vlan, mpls等,
#sapp创建新流时, 为了便于双向地址比较,
#sappv3是用配置文件skip_no_ip_layer跳过所有ethernet之上的非ip层, 此方式过于粗暴, mirror模式下还可以, 串联模式下就不对了.
#sappv4使用本配置文件, 满足条件的需要创建一层虚拟层, 但无实际地址, 也不做地址比对.
#layer name definition: ipv4, ipv6, ethernet,vlan, arp, gre, mpls, pppoe, tcp, udp, l2tp, ppp, pptp, gtp
#名称不区别大小写, name is case insensitive, ipv4 is euqal to IPV4
#
# asymmetric_layer_name: 表示哪一层协议是非对称存在的, 需要创建空的虚拟层
# under_of_this_asymmetric_layer: 表示非对称的下面一层的地址类型和层数
# upper_of_this_asymmetric_layer: 表示非对称的上面一层的地址类型和层数
# 需要同时满足under_of_this_asymmetric_layer和upper_of_this_asymmetric_layer才会创建虚拟层
# []表示某个层的index, 从最外层ethernet开始, 从0开始计数, *表示不关心具体在哪层,只要地址类型符合即可
#pattern: asymmetric_layer_name under_of_this_asymmetric_layer[layer_index] upper_of_this_asymmetric_layer[layer_index]
#mpls ethernet[0] ipv4[1]
#mpls ethernet[1] ipv4[2]
#mpls ethernet[0] ipv6[1]
#mpls ethernet[1] ipv6[2]

30
dockerfile/firewall/config/sapp_run/etc/kni/kni.conf
View File

@@ -1,33 +1,33 @@
[global] [global]
log_path = ./log/kni/kni.log log_path = ./log/kni/kni.log
log_level = 10 log_level = 10
tfe_node_count = 3 tfe_node_count = 1
manage_eth = ens1f3 manage_eth = eth0
deploy_mode = tun deploy_mode = normal
tun_name = tun_kni tun_name = tun_kni
src_mac_addr = 00:0e:c6:d6:72:c1 src_mac_addr = 00:0e:c6:d6:72:c1
dst_mac_addr = fe:65:b7:03:50:bd dst_mac_addr = fe:65:b7:03:50:bd
[tfe0] [tfe0]
enabled = 1 enabled = 1
dev_eth_symbol = ens1f5 dev_eth_symbol = virtio_user1
ip_addr = 192.168.100.2 ip_addr = 172.16.1.2
[tfe1] #[tfe1]
enabled = 1 #enabled = 1
dev_eth_symbol = ens1f6 #dev_eth_symbol = ens1f6
ip_addr = 192.168.100.3 #ip_addr = 192.168.100.3
#
[tfe2] #[tfe2]
enabled = 1 #enabled = 1
dev_eth_symbol = ens1f7 #dev_eth_symbol = ens1f7
ip_addr = 192.168.100.4 #ip_addr = 192.168.100.4
[tfe_cmsg_receiver] [tfe_cmsg_receiver]
listen_eth = lo listen_eth = lo
listen_port = 2475 listen_port = 2475
[watch_dog] [watch_dog]
switch = 1 switch = 0
listen_eth = lo listen_eth = lo
listen_port = 2476 listen_port = 2476
keepalive_idle = 2 keepalive_idle = 2

16
dockerfile/firewall/config/sapp_run/etc/send_raw_pkt.conf Normal file
View File

@@ -0,0 +1,16 @@
#<23><><EFBFBD><EFBFBD>ԭʼ<D4AD><CABC><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>,
#<23><>ƽ̨<C6BD><CCA8><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ڲ<EFBFBD>ͬ<EFBFBD><CDAC><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20>ײ<EFBFBD><D7B2><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ҳ<EFBFBD><D2B2>ͬ,
#<23><><EFBFBD><EFBFBD>ͨģʽ<C4A3><CABD>ʹ<EFBFBD><CAB9><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, DPDKģʽ<C4A3><CABD>ʹ<EFBFBD>ö˿ں<CBBF>, PFRINGģʽ<C4A3><CABD>ʹ<EFBFBD><CAB9>index<65><78>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ģʽ.
#target_id<69><64><EFBFBD>ڱ<EFBFBD>ʾ<EFBFBD><CABE><EFBFBD>ĸ<EFBFBD><C4B8><EFBFBD><EFBFBD>ն˷<D5B6><CBB7><EFBFBD>,
#<23><><EFBFBD>ڷ<EFBFBD><DAB7>͵<EFBFBD><CDB5><EFBFBD><EFBFBD>ݰ<EFBFBD><DDB0>ײ<EFBFBD>MAC<41><43>Ŀ<EFBFBD><C4BF>IP<49><50>, <20><><EFBFBD>ϲ<EFBFBD><CFB2><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, ƽֻ̨<CCA8><D6BB><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ԭʼ<D4AD><CABC>.
#target_id<69><EFBFBD><E0B5B1><EFBFBD><EFBFBD><EFBFBD>ݿ<EFBFBD><DDBF><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
#(0:pag,1:pcap,2:dumpfile,3:pfring,4:DPDK,5:ppf,6:NPacket,7:qnf,8:N95,9:pcap-dumpfile-list,10:topsec,
##(11:ipfile, 12:marsio4, 13:agent_smith, 14:dpdk_vxlan, 15:marsio_vxlan, 16:pag_marsio
#target_id
0 pag p7p2 eth1 dna0 dpdk ppf npacket qnf n95 eth1 topsec eth1 virtio_user0 smith dpdk dpdk pag
#1 pag eth1 eth1 dna0 dpdk ppf npacket qnf n95 eth1 topsec eth1 p7p1 smith dpdk dpdk pag
#2 pag eth1 eth1 dna0 dpdk ppf npacket qnf n95 eth1 topsec eth1 p7p1 smith dpdk dpdk pag
#3 pag eth1 eth1 dna0 dpdk ppf npacket qnf n95 eth1 topsec eth1 p7p2 smith dpdk dpdk pag
#4 pag eth1 eth1 dna0 dpdk ppf npacket qnf n95 eth1 topsec eth1 p7p2 smith dpdk dpdk pag

8
dockerfile/firewall/config/sapp_run/plug/conflist.inf
View File

@@ -1,8 +1,8 @@
[platform] [platform]
#./plug/platform/g_device_plug/g_device_plug.inf #./plug/platform/g_device_plug/g_device_plug.inf
./plug/platform/wannat/wangw.inf #./plug/platform/wannat/wangw.inf
./plug/platform/wire_graft/wire_graft.inf #./plug/platform/wire_graft/wire_graft.inf
./plug/platform/http_healthcheck/http_healthcheck.inf #./plug/platform/http_healthcheck/http_healthcheck.inf
./plug/platform/app_proto_identify/app_proto_identify.inf ./plug/platform/app_proto_identify/app_proto_identify.inf
./plug/platform/tsg_master/tsg_master.inf ./plug/platform/tsg_master/tsg_master.inf
@@ -19,7 +19,7 @@
[business] [business]
./plug/business/tsg_conn_sketch/tsg_conn_sketch.inf ./plug/business/tsg_conn_sketch/tsg_conn_sketch.inf
./plug/business/capture_packet_plug/capture_packet_plug.inf ./plug/business/capture_packet_plug/capture_packet_plug.inf
#./plug/business/kni/kni.inf ./plug/business/kni/kni.inf
./plug/business/fw_ssl_plug/fw_ssl_plug.inf ./plug/business/fw_ssl_plug/fw_ssl_plug.inf
./plug/business/fw_http_plug/fw_http_plug.inf ./plug/business/fw_http_plug/fw_http_plug.inf
./plug/business/fw_dns_plug/fw_dns_plug.inf ./plug/business/fw_dns_plug/fw_dns_plug.inf

72
dockerfile/firewall/config/sapp_run/tsgconf/tsg_maat.json Normal file
View File

@@ -0,0 +1,72 @@
{
"compile_table": "TSG_SECURITY_COMPILE",
"group_table": "GROUP_COMPILE_RELATION",
"rules": [
{
"compile_id": 6,
"service": 0,
"action": 2,
"do_blacklist": 0,
"do_log": 1,
"effective_rage": 0,
"user_region": "anything",
"is_valid": "yes",
"groups": [
{
"group_name": "HOST",
"virtual_table":"TSG_FIELD_HTTP_HOST",
"not_flag" : 0,
"regions": [
{
"table_name": "TSG_OBJ_FQDN",
"table_type": "expr",
"table_content": {
"keywords": "geedge.net",
"expr_type": "none",
"match_method": "suffix",
"format": "uncase plain"
}
}
]
}
]
},
{
"compile_id": 7,
"service": 0,
"action": 2,
"do_blacklist": 0,
"do_log": 1,
"effective_rage": 0,
"user_region": "anything",
"is_valid": "yes",
"groups": [
{
"group_name": "IP_ADDR_2",
"virtual_table":"TSG_SECURITY_SOURCE_ADDR",
"regions": [
{
"table_name": "TSG_OBJ_IP_ADDR",
"table_type": "ip_plus",
"table_content": {
"addr_type": "ipv4",
"src_ip": "192.168.50.37",
"mask_src_ip": "255.255.255.255",
"src_port": "0",
"mask_src_port": "65535",
"dst_ip": "0.0.0.0",
"mask_dst_ip": "255.255.255.255",
"dst_port": "0",
"mask_dst_port": "65535",
"protocol": 6,
"direction": "double"
}
}
]
}
]
}
]
}