2022-12-23 11:54:29 +08:00
|
|
|
|
#include <stdio.h>
|
|
|
|
|
|
#include <string.h>
|
|
|
|
|
|
#include <stdlib.h>
|
|
|
|
|
|
#include <assert.h>
|
|
|
|
|
|
#include <sys/time.h>
|
|
|
|
|
|
#include <unistd.h>
|
|
|
|
|
|
#include <netinet/ip6.h>
|
|
|
|
|
|
#include <sys/stat.h>
|
|
|
|
|
|
#include <arpa/inet.h>
|
|
|
|
|
|
|
|
|
|
|
|
#include <MESA/http.h>
|
|
|
|
|
|
#include <MESA/ftp.h>
|
|
|
|
|
|
#include <MESA/ssl.h>
|
|
|
|
|
|
#include <MESA/mail.h>
|
|
|
|
|
|
#include <MESA/quic.h>
|
|
|
|
|
|
#include "MESA/sip.h"
|
|
|
|
|
|
#include <MESA/stream.h>
|
|
|
|
|
|
#include <MESA/MESA_handle_logger.h>
|
|
|
|
|
|
|
|
|
|
|
|
#include "app_label.h"
|
|
|
|
|
|
#include "tsg_rule.h"
|
|
|
|
|
|
#include "tsg_entry.h"
|
|
|
|
|
|
#include "tsg_statistic.h"
|
|
|
|
|
|
#include "tsg_send_log.h"
|
|
|
|
|
|
#include "tsg_protocol_common.h"
|
|
|
|
|
|
|
|
|
|
|
|
extern "C" int sendpacket_do_checksum(unsigned char *buf, int protocol, int len);
|
|
|
|
|
|
|
|
|
|
|
|
static int replace_policy_variable(const struct streaminfo *a_stream, ctemplate::TemplateDictionary *tpl_dict, int policy_id)
|
|
|
|
|
|
{
|
|
|
|
|
|
char ip_str[128]={0};
|
|
|
|
|
|
struct session_attribute_label *attr_label=NULL;
|
|
|
|
|
|
|
|
|
|
|
|
tpl_dict->SetIntValue("tsg_policy_id", policy_id);
|
|
|
|
|
|
|
|
|
|
|
|
attr_label=(struct session_attribute_label *)project_req_get_struct(a_stream, g_tsg_para.session_attribute_project_id);
|
|
|
|
|
|
if(attr_label!=NULL && attr_label->client_subscribe_id!=NULL)
|
|
|
|
|
|
{
|
|
|
|
|
|
tpl_dict->SetFormattedValue("tsg_subscriber_id", "%s", attr_label->client_subscribe_id->subscribe_id);
|
|
|
|
|
|
}
|
|
|
|
|
|
else
|
|
|
|
|
|
{
|
|
|
|
|
|
tpl_dict->SetFormattedValue("tsg_subscriber_id", "%s", "");
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
switch(a_stream->addr.addrtype)
|
|
|
|
|
|
{
|
|
|
|
|
|
case ADDR_TYPE_IPV4:
|
|
|
|
|
|
inet_ntop(AF_INET, (const void *)&(a_stream->addr.ipv4->saddr), ip_str, sizeof(ip_str));
|
|
|
|
|
|
tpl_dict->SetFormattedValue("tsg_client_ip", "%s", ip_str);
|
|
|
|
|
|
break;
|
|
|
|
|
|
case ADDR_TYPE_IPV6:
|
|
|
|
|
|
inet_ntop(AF_INET6, (const void *)(a_stream->addr.ipv6->saddr), ip_str, sizeof(ip_str));
|
|
|
|
|
|
tpl_dict->SetFormattedValue("tsg_client_ip", "%s", ip_str);
|
|
|
|
|
|
break;
|
|
|
|
|
|
default:
|
|
|
|
|
|
tpl_dict->SetFormattedValue("tsg_client_ip", "%s", "");
|
|
|
|
|
|
break;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static int set_drop_stream(const struct streaminfo *a_stream, tsg_protocol_t protocol)
|
|
|
|
|
|
{
|
|
|
|
|
|
int ret=0, opt_value=1;
|
|
|
|
|
|
MESA_set_stream_opt(a_stream, MSO_DROP_STREAM, (void *)&opt_value, sizeof(opt_value));
|
|
|
|
|
|
MESA_set_stream_opt(a_stream, MSO_DROP_CURRENT_PKT, (void *)&opt_value, sizeof(opt_value));
|
|
|
|
|
|
|
|
|
|
|
|
switch(protocol)
|
|
|
|
|
|
{
|
|
|
|
|
|
case PROTO_MAIL:
|
|
|
|
|
|
case PROTO_POP3:
|
|
|
|
|
|
case PROTO_SMTP:
|
|
|
|
|
|
case PROTO_IMAP:
|
|
|
|
|
|
case PROTO_FTP:
|
|
|
|
|
|
ret=MESA_set_stream_opt(a_stream, MSO_TIMEOUT, (void *)&g_tsg_para.timeout, sizeof(g_tsg_para.timeout));
|
|
|
|
|
|
if(ret<0)
|
|
|
|
|
|
{
|
|
|
|
|
|
FS_operate(g_tsg_para.fs2_handle, g_tsg_para.fs2_field_id[TSG_FS2_SET_TIMOUT_FAILED], 0, FS_OP_ADD, 1);
|
|
|
|
|
|
}
|
|
|
|
|
|
else
|
|
|
|
|
|
{
|
|
|
|
|
|
FS_operate(g_tsg_para.fs2_handle, g_tsg_para.fs2_field_id[TSG_FS2_SET_TIMOUT_SUCCESS], 0, FS_OP_ADD, 1);
|
|
|
|
|
|
}
|
|
|
|
|
|
break;
|
|
|
|
|
|
default:
|
|
|
|
|
|
break;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return STATE_DROPME|STATE_DROPPKT;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static int get_http_header(char *buff, int len, int code, char *user_define)
|
|
|
|
|
|
{
|
|
|
|
|
|
int used_len=0;
|
|
|
|
|
|
|
|
|
|
|
|
switch(code)
|
|
|
|
|
|
{
|
|
|
|
|
|
case 200:
|
|
|
|
|
|
used_len=snprintf(buff, len, "HTTP/1.1 %d OK\r\nContent-Type: text/html\r\n\r\n", code);
|
|
|
|
|
|
break;
|
|
|
|
|
|
case 204:
|
|
|
|
|
|
used_len=snprintf(buff, len, "HTTP/1.1 %d No Content\r\nContent-Type: text/html\r\n\r\n", code);
|
|
|
|
|
|
break;
|
|
|
|
|
|
case 403:
|
|
|
|
|
|
used_len=snprintf(buff, len, "HTTP/1.1 %d Forbidden\r\nContent-Type: text/html\r\n\r\n", code);
|
|
|
|
|
|
break;
|
|
|
|
|
|
case 404:
|
|
|
|
|
|
used_len=snprintf(buff, len, "HTTP/1.1 %d Not Found\r\nContent-Type: text/html\r\n\r\n", code);
|
|
|
|
|
|
break;
|
|
|
|
|
|
case 302:
|
|
|
|
|
|
used_len=snprintf(buff, len, "HTTP/1.1 %d Moved Temporarily\r\nContent-Type: text/html\r\nLocation: %s\r\n\r\n", code, user_define);
|
|
|
|
|
|
break;
|
|
|
|
|
|
case 303:
|
|
|
|
|
|
used_len=snprintf(buff, len, "HTTP/1.1 %d See Other\r\nLocation: %s\r\n\r\n", code, user_define);
|
|
|
|
|
|
break;
|
|
|
|
|
|
default:
|
|
|
|
|
|
break;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return used_len;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static int get_tcp_mss_option(const struct streaminfo *a_stream, int type, void *out)
|
|
|
|
|
|
{
|
|
|
|
|
|
int tcp_opt_num=0;
|
|
|
|
|
|
struct tcp_option *tcp_opt=NULL;
|
|
|
|
|
|
|
2023-02-09 07:14:55 +00:00
|
|
|
|
int ret=MESA_get_stream_opt(a_stream, MSO_TCP_SYN_OPT, (void *)&tcp_opt, &tcp_opt_num);
|
2022-12-23 11:54:29 +08:00
|
|
|
|
if(ret>0)
|
|
|
|
|
|
{
|
2023-02-09 07:14:55 +00:00
|
|
|
|
for(int i=0; i<tcp_opt_num; i++)
|
2022-12-23 11:54:29 +08:00
|
|
|
|
{
|
|
|
|
|
|
if(tcp_opt[i].type!=type)
|
|
|
|
|
|
{
|
|
|
|
|
|
continue;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
switch(tcp_opt[i].type)
|
|
|
|
|
|
{
|
|
|
|
|
|
case TCP_OPT_MSS:
|
|
|
|
|
|
*(short *)out=tcp_opt[i].short_value;
|
|
|
|
|
|
return 1;
|
|
|
|
|
|
break;
|
|
|
|
|
|
default:
|
|
|
|
|
|
break;
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static void template_generate(const struct streaminfo *a_stream, int status_code, int policy_id, const char* message, char **page_buff, size_t *page_size, int thread_seq)
|
|
|
|
|
|
{
|
|
|
|
|
|
std::string page_output, msg_output;
|
|
|
|
|
|
ctemplate::Template *tpl=NULL;
|
|
|
|
|
|
ctemplate::TemplateDictionary dict("pg_page_dict"); //dict is automatically finalized after function returned.
|
|
|
|
|
|
|
|
|
|
|
|
if(message!=NULL)
|
|
|
|
|
|
{
|
|
|
|
|
|
ctemplate::Template *tpl_message=ctemplate::Template::StringToTemplate(message, strlen(message), ctemplate::DO_NOT_STRIP);
|
|
|
|
|
|
if(tpl_message!=NULL)
|
|
|
|
|
|
{
|
|
|
|
|
|
ctemplate::TemplateDictionary dict_msg("msg_dict"); //dict is automatically finalized after function returned.
|
|
|
|
|
|
|
|
|
|
|
|
replace_policy_variable(a_stream, &dict_msg, policy_id);
|
|
|
|
|
|
|
|
|
|
|
|
tpl_message->Expand(&msg_output, &dict_msg);
|
|
|
|
|
|
|
2023-02-09 07:14:55 +00:00
|
|
|
|
int used_len=msg_output.length();
|
|
|
|
|
|
char *tmp_buff=(char *)dictator_malloc(a_stream->threadnum, (used_len+1)*sizeof(char));
|
2022-12-23 11:54:29 +08:00
|
|
|
|
memcpy(tmp_buff, msg_output.c_str(), used_len);
|
|
|
|
|
|
tmp_buff[used_len]='\0';
|
|
|
|
|
|
|
|
|
|
|
|
dict.SetValue("msg", tmp_buff);
|
|
|
|
|
|
|
|
|
|
|
|
dictator_free(thread_seq, tmp_buff);
|
|
|
|
|
|
tmp_buff=NULL;
|
|
|
|
|
|
}
|
|
|
|
|
|
else
|
|
|
|
|
|
{
|
|
|
|
|
|
dict.SetValue("msg", message);
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
else
|
|
|
|
|
|
{
|
|
|
|
|
|
dict.SetValue("msg", "NULL");
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
switch (status_code)
|
|
|
|
|
|
{
|
|
|
|
|
|
case 403:
|
|
|
|
|
|
tpl = g_tsg_para.tpl_403;
|
|
|
|
|
|
tpl->Expand(&page_output, &dict);
|
|
|
|
|
|
break;
|
|
|
|
|
|
case 404:
|
|
|
|
|
|
tpl = g_tsg_para.tpl_404;
|
|
|
|
|
|
tpl->Expand(&page_output, &dict);
|
|
|
|
|
|
break;
|
|
|
|
|
|
case 200:
|
|
|
|
|
|
tpl = g_tsg_para.tpl_200;
|
|
|
|
|
|
tpl->Expand(&page_output, &dict);
|
|
|
|
|
|
break;
|
|
|
|
|
|
case 204:
|
|
|
|
|
|
tpl = g_tsg_para.tpl_204;
|
|
|
|
|
|
tpl->Expand(&page_output, &dict);
|
|
|
|
|
|
break;
|
|
|
|
|
|
case 303:
|
|
|
|
|
|
tpl = g_tsg_para.tpl_303;
|
|
|
|
|
|
tpl->Expand(&page_output, &dict);
|
|
|
|
|
|
break;
|
|
|
|
|
|
default: return;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
*page_size=page_output.length()+1;
|
|
|
|
|
|
char *_page_buff=(char *)dictator_malloc(thread_seq, (*page_size)*sizeof(char));
|
|
|
|
|
|
memcpy(_page_buff, page_output.c_str(), *page_size);
|
|
|
|
|
|
*page_buff=_page_buff;
|
|
|
|
|
|
|
|
|
|
|
|
return ;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static int get_response_pages(const struct streaminfo *a_stream, struct Maat_rule_t *p_result, struct compile_user_region *user_region, char **payload, int thread_seq)
|
|
|
|
|
|
{
|
|
|
|
|
|
char key[16]={0};
|
|
|
|
|
|
int payload_len=0;
|
|
|
|
|
|
struct http_response_pages *res_pages=NULL;
|
|
|
|
|
|
|
|
|
|
|
|
switch(user_region->deny->type)
|
|
|
|
|
|
{
|
|
|
|
|
|
case TSG_DENY_TYPE_MESSAGE:
|
|
|
|
|
|
template_generate(a_stream, user_region->deny->code, p_result->config_id, user_region->deny->message, payload, (size_t *)&payload_len, thread_seq);
|
|
|
|
|
|
return payload_len;
|
|
|
|
|
|
break;
|
|
|
|
|
|
case TSG_DENY_TYPE_PROFILE:
|
|
|
|
|
|
break;
|
|
|
|
|
|
default:
|
|
|
|
|
|
break;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
snprintf(key, sizeof(key), "%d", user_region->deny->profile_id);
|
|
|
|
|
|
res_pages=(struct http_response_pages *)Maat_plugin_get_EX_data(g_tsg_maat_feather,g_tsg_para.table_id[TABLE_RESPONSE_PAGES], key);
|
|
|
|
|
|
if(res_pages!=NULL)
|
|
|
|
|
|
{
|
|
|
|
|
|
switch(res_pages->format)
|
|
|
|
|
|
{
|
|
|
|
|
|
case HTTP_RESPONSE_FORMAT_HTML:
|
|
|
|
|
|
*payload=(char *)dictator_malloc(thread_seq, res_pages->content_len);
|
|
|
|
|
|
memcpy(*payload, res_pages->content, res_pages->content_len);
|
|
|
|
|
|
payload_len=res_pages->content_len;
|
|
|
|
|
|
break;
|
|
|
|
|
|
case HTTP_RESPONSE_FORMAT_TEMPLATE:
|
|
|
|
|
|
template_generate(a_stream, user_region->deny->code, p_result->config_id, res_pages->content, payload, (size_t *)&payload_len, thread_seq);
|
|
|
|
|
|
break;
|
|
|
|
|
|
default:
|
|
|
|
|
|
break;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
http_response_pages_free(g_tsg_para.table_id[TABLE_RESPONSE_PAGES], (MAAT_PLUGIN_EX_DATA *)&res_pages, 0, NULL);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return payload_len;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static int set_tcp_rst_flags(char *packet, int ip_tcp_hdr_len)
|
|
|
|
|
|
{
|
|
|
|
|
|
struct tcphdr *tcp=(struct tcphdr *)(packet+(ip_tcp_hdr_len-20)); // tcp header=20 bytes
|
|
|
|
|
|
|
|
|
|
|
|
tcp->rst=1;
|
|
|
|
|
|
tcp->ack=1;
|
|
|
|
|
|
tcp->psh=0;
|
|
|
|
|
|
tcp->fin=0;
|
|
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static int set_tcp_fin_flags(char *packet, int ip_tcp_hdr_len)
|
|
|
|
|
|
{
|
|
|
|
|
|
struct tcphdr *tcp=(struct tcphdr *)(packet+(ip_tcp_hdr_len-20)); // tcp header=20 bytes
|
|
|
|
|
|
|
|
|
|
|
|
tcp->fin=1;
|
|
|
|
|
|
tcp->ack=1;
|
|
|
|
|
|
tcp->psh=0;
|
|
|
|
|
|
tcp->rst=0;
|
|
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static int reverse_ip_tcp_header(char *message, int ip_tcp_hdr_len, int v4_or_v6)
|
|
|
|
|
|
{
|
|
|
|
|
|
int ip_hdr_len=0;
|
|
|
|
|
|
struct tcphdr *tcp=NULL;
|
|
|
|
|
|
struct iphdr *ipv4=NULL;
|
|
|
|
|
|
struct ip6_hdr *ipv6=NULL;
|
|
|
|
|
|
struct in6_addr ipv6_addr;
|
|
|
|
|
|
unsigned short port=0;
|
|
|
|
|
|
unsigned int seq=0,addr=0;
|
|
|
|
|
|
|
|
|
|
|
|
switch(v4_or_v6)
|
|
|
|
|
|
{
|
|
|
|
|
|
case 4:
|
|
|
|
|
|
ipv4=(struct iphdr *)message;
|
|
|
|
|
|
ip_hdr_len=ipv4->ihl*4;
|
|
|
|
|
|
|
|
|
|
|
|
addr=ipv4->saddr;
|
|
|
|
|
|
ipv4->saddr=ipv4->daddr;
|
|
|
|
|
|
ipv4->daddr=addr;
|
|
|
|
|
|
break;
|
|
|
|
|
|
case 6:
|
|
|
|
|
|
ipv6=(struct ip6_hdr *)message;
|
|
|
|
|
|
ip_hdr_len=sizeof(struct ip6_hdr);
|
|
|
|
|
|
|
|
|
|
|
|
memcpy((void *)&ipv6_addr, (void *)&(ipv6->ip6_src), sizeof(struct in6_addr));
|
|
|
|
|
|
memcpy((void *)&(ipv6->ip6_src), (void *)&(ipv6->ip6_dst), sizeof(struct in6_addr));
|
|
|
|
|
|
memcpy((void *)&(ipv6->ip6_dst), (void *)&ipv6_addr, sizeof(struct in6_addr));
|
|
|
|
|
|
break;
|
|
|
|
|
|
default:
|
|
|
|
|
|
return -1;
|
|
|
|
|
|
break;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
tcp=(struct tcphdr *)((char *)message+ip_hdr_len);
|
|
|
|
|
|
port=tcp->source;
|
|
|
|
|
|
tcp->source=tcp->dest;
|
|
|
|
|
|
tcp->dest=port;
|
|
|
|
|
|
|
|
|
|
|
|
seq=tcp->seq;
|
|
|
|
|
|
tcp->seq=tcp->ack_seq;
|
|
|
|
|
|
tcp->ack_seq=seq;
|
|
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static int copy_ip_tcp_header(const struct streaminfo *a_stream, const void *a_packet, char *message, int *ip_tcp_hdr_len, int *v4_or_v6)
|
|
|
|
|
|
{
|
|
|
|
|
|
int ip_hdr_len=0,tcp_hdr_len=0;
|
|
|
|
|
|
int tcp_hdr_len_tmp=0;
|
|
|
|
|
|
unsigned short total_len=0;
|
|
|
|
|
|
|
|
|
|
|
|
struct iphdr *ipv4=NULL;
|
|
|
|
|
|
struct ip6_hdr *ipv6=NULL;
|
|
|
|
|
|
|
|
|
|
|
|
switch(a_stream->addr.addrtype)
|
|
|
|
|
|
{
|
|
|
|
|
|
case ADDR_TYPE_IPV4:
|
|
|
|
|
|
case __ADDR_TYPE_IP_PAIR_V4:
|
|
|
|
|
|
(*v4_or_v6)=4;
|
|
|
|
|
|
ipv4=(struct iphdr *)a_packet;
|
|
|
|
|
|
ip_hdr_len=ipv4->ihl*4;
|
|
|
|
|
|
total_len=ipv4->tot_len;
|
|
|
|
|
|
break;
|
|
|
|
|
|
case ADDR_TYPE_IPV6:
|
|
|
|
|
|
case __ADDR_TYPE_IP_PAIR_V6:
|
|
|
|
|
|
(*v4_or_v6)=6;
|
|
|
|
|
|
ipv6=(struct ip6_hdr *)a_packet;
|
|
|
|
|
|
ip_hdr_len=sizeof(struct ip6_hdr);
|
|
|
|
|
|
total_len=ipv6->ip6_ctlun.ip6_un1.ip6_un1_plen;
|
|
|
|
|
|
break;
|
|
|
|
|
|
default:
|
|
|
|
|
|
return -1;
|
|
|
|
|
|
break;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
memcpy(message, a_packet, ip_hdr_len);
|
|
|
|
|
|
|
|
|
|
|
|
struct tcphdr * tcp=(struct tcphdr *)((char *)a_packet+ip_hdr_len);
|
|
|
|
|
|
tcp_hdr_len_tmp=tcp->doff*4;
|
|
|
|
|
|
tcp_hdr_len=20;
|
|
|
|
|
|
|
|
|
|
|
|
memcpy(message+ip_hdr_len, (char *)a_packet+ip_hdr_len, tcp_hdr_len);/*skip tcp option*/
|
|
|
|
|
|
tcp=(struct tcphdr *)((char *)message+ip_hdr_len);
|
|
|
|
|
|
tcp->doff=5;
|
|
|
|
|
|
|
|
|
|
|
|
if((*v4_or_v6)==4)
|
|
|
|
|
|
{
|
|
|
|
|
|
tcp->seq=(unsigned int)htonl((unsigned int)ntohl(tcp->seq)+ntohs(total_len)-ip_hdr_len-tcp_hdr_len_tmp); // length of packet payload
|
|
|
|
|
|
}
|
|
|
|
|
|
else
|
|
|
|
|
|
{
|
|
|
|
|
|
tcp->seq=(unsigned int)htonl((unsigned int)ntohl(tcp->seq)+ntohs(total_len)-tcp_hdr_len_tmp); // length of packet payload
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
(*ip_tcp_hdr_len)=ip_hdr_len+tcp_hdr_len;
|
|
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
int tsg_send_inject_packet(const struct streaminfo *a_stream, enum sapp_inject_opt sio, char *payload, int payload_len, unsigned char raw_route_dir)
|
|
|
|
|
|
{
|
|
|
|
|
|
int ret=0;
|
|
|
|
|
|
if(payload==NULL || payload_len<=0)
|
|
|
|
|
|
{
|
|
|
|
|
|
return -1;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
ret=sapp_inject_pkt((struct streaminfo *)a_stream, sio, payload, payload_len, raw_route_dir);
|
|
|
|
|
|
if(ret<=0)
|
|
|
|
|
|
{
|
|
|
|
|
|
FS_operate(g_tsg_para.fs2_handle, g_tsg_para.fs2_field_id[TSG_FS2_INJECT_PKT_FAILED], 0, FS_OP_ADD, 1);
|
|
|
|
|
|
return -1;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
FS_operate(g_tsg_para.fs2_handle, g_tsg_para.fs2_field_id[TSG_FS2_INJECT_PKT_SUCCESS], 0, FS_OP_ADD, 1);
|
|
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static int http_send_reponse_packet(const struct streaminfo *a_stream, char *packet, int payload_len, int v4_or_v6, int ip_tcp_hdr_len, int http_hdr_len)
|
|
|
|
|
|
{
|
|
|
|
|
|
struct iphdr *ipv4=NULL;
|
|
|
|
|
|
struct ip6_hdr *ipv6=NULL;
|
|
|
|
|
|
struct tcphdr *tcp=NULL;
|
|
|
|
|
|
unsigned char raw_route_dir=0;
|
|
|
|
|
|
|
|
|
|
|
|
tcp=(struct tcphdr *)(packet+(ip_tcp_hdr_len-20)); // tcp header=20 bytes
|
|
|
|
|
|
|
|
|
|
|
|
if(v4_or_v6==4)
|
|
|
|
|
|
{
|
|
|
|
|
|
ipv4=(struct iphdr *)packet;
|
|
|
|
|
|
ipv4->tot_len=htons(ip_tcp_hdr_len+http_hdr_len+payload_len);
|
|
|
|
|
|
sendpacket_do_checksum((unsigned char *)packet, IPPROTO_TCP, tcp->doff*4 + http_hdr_len+payload_len);
|
|
|
|
|
|
sendpacket_do_checksum((unsigned char *)packet, IPPROTO_IP, ipv4->ihl*4);
|
|
|
|
|
|
}
|
|
|
|
|
|
else
|
|
|
|
|
|
{
|
|
|
|
|
|
ipv6=(struct ip6_hdr *)packet;
|
|
|
|
|
|
ipv6->ip6_ctlun.ip6_un1.ip6_un1_plen=htons(20+http_hdr_len+payload_len); //tcp_hdr_len=20
|
|
|
|
|
|
sendpacket_do_checksum((unsigned char *)packet, IPPROTO_TCP, tcp->doff*4 + http_hdr_len+payload_len);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
raw_route_dir=(a_stream->curdir==DIR_C2S) ? MESA_dir_reverse(a_stream->routedir) : a_stream->routedir;
|
|
|
|
|
|
tsg_send_inject_packet(a_stream, SIO_EXCLUDE_THIS_LAYER_HDR, packet, ip_tcp_hdr_len+http_hdr_len+payload_len, raw_route_dir);
|
|
|
|
|
|
|
|
|
|
|
|
tcp->seq=htonl(ntohl(tcp->seq)+http_hdr_len+payload_len);
|
|
|
|
|
|
|
|
|
|
|
|
return ip_tcp_hdr_len+http_hdr_len+payload_len;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static int http_build_response_packet(const struct streaminfo *a_stream, struct Maat_rule_t *p_result, struct compile_user_region *user_region, const void *a_packet)
|
|
|
|
|
|
{
|
|
|
|
|
|
char *payload=NULL;
|
|
|
|
|
|
char message[1024*64]={0};
|
|
|
|
|
|
int v4_or_v6=0;
|
|
|
|
|
|
int http_hdr_len=0;
|
|
|
|
|
|
int payload_len=0;
|
|
|
|
|
|
int ip_tcp_hdr_len=0;
|
|
|
|
|
|
int i=0,one_payload_len=0;
|
|
|
|
|
|
int ret=0,send_pkt_len=0;
|
|
|
|
|
|
short max_segment_size=1400;
|
|
|
|
|
|
|
|
|
|
|
|
ret=copy_ip_tcp_header(a_stream, a_packet, message, &ip_tcp_hdr_len, &v4_or_v6);
|
|
|
|
|
|
if(ret!=0)
|
|
|
|
|
|
{
|
|
|
|
|
|
return 0;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
if(a_stream->curdir==DIR_C2S)
|
|
|
|
|
|
{
|
|
|
|
|
|
reverse_ip_tcp_header(message, ip_tcp_hdr_len, v4_or_v6);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
http_hdr_len=get_http_header(message+ip_tcp_hdr_len, sizeof(message)-ip_tcp_hdr_len, user_region->deny->code, NULL);
|
|
|
|
|
|
payload_len=get_response_pages(a_stream, p_result, user_region, &payload, a_stream->threadnum);
|
|
|
|
|
|
|
|
|
|
|
|
set_session_attribute_label(a_stream, TSG_ATTRIBUTE_TYPE_HTTP_ACTION_FILESIZE, (void *)&payload_len, sizeof(int), a_stream->threadnum);
|
|
|
|
|
|
|
|
|
|
|
|
get_tcp_mss_option(a_stream, TCP_OPT_MSS, (void *)&max_segment_size);
|
|
|
|
|
|
|
|
|
|
|
|
for(i=0; i<payload_len; i+=one_payload_len)
|
|
|
|
|
|
{
|
|
|
|
|
|
one_payload_len=MIN(payload_len-i, max_segment_size-http_hdr_len);
|
|
|
|
|
|
memcpy((char *)message+ip_tcp_hdr_len+http_hdr_len, payload+i, one_payload_len);
|
|
|
|
|
|
|
|
|
|
|
|
send_pkt_len+=http_send_reponse_packet(a_stream, message, one_payload_len, v4_or_v6, ip_tcp_hdr_len, http_hdr_len);
|
|
|
|
|
|
http_hdr_len=0;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
if(payload!=NULL)
|
|
|
|
|
|
{
|
|
|
|
|
|
dictator_free(a_stream->threadnum, payload);
|
|
|
|
|
|
payload=NULL;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
set_tcp_fin_flags(message, ip_tcp_hdr_len);
|
|
|
|
|
|
http_send_reponse_packet(a_stream, message, 0, v4_or_v6, ip_tcp_hdr_len, 0); //fin
|
|
|
|
|
|
|
|
|
|
|
|
reverse_ip_tcp_header(message, ip_tcp_hdr_len, v4_or_v6);
|
|
|
|
|
|
http_send_reponse_packet(a_stream, message, 0, v4_or_v6, ip_tcp_hdr_len, 0); //fin
|
|
|
|
|
|
|
|
|
|
|
|
set_tcp_rst_flags(message, ip_tcp_hdr_len);
|
|
|
|
|
|
http_send_reponse_packet(a_stream, message, 0, v4_or_v6, ip_tcp_hdr_len, 0); //rst
|
|
|
|
|
|
|
|
|
|
|
|
reverse_ip_tcp_header(message, ip_tcp_hdr_len, v4_or_v6);
|
|
|
|
|
|
http_send_reponse_packet(a_stream, message, 0, v4_or_v6, ip_tcp_hdr_len, 0); //rst
|
|
|
|
|
|
|
|
|
|
|
|
return send_pkt_len;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static int http_get_redirect_url(const struct streaminfo *a_stream, struct Maat_rule_t *p_result, char *url, int code, char *http_hdr, int http_hdr_len)
|
|
|
|
|
|
{
|
|
|
|
|
|
int used_len=0;
|
|
|
|
|
|
char *tmp_buff=NULL;
|
|
|
|
|
|
std::string output;
|
|
|
|
|
|
|
|
|
|
|
|
ctemplate::Template *tpl_303=ctemplate::Template::StringToTemplate(url, strlen(url), ctemplate::DO_NOT_STRIP);
|
|
|
|
|
|
if(tpl_303!=NULL)
|
|
|
|
|
|
{
|
|
|
|
|
|
ctemplate::TemplateDictionary dict_303("url_dict"); //dict is automatically finalized after function returned.
|
|
|
|
|
|
|
|
|
|
|
|
replace_policy_variable(a_stream, &dict_303, p_result->config_id);
|
|
|
|
|
|
|
|
|
|
|
|
tpl_303->Expand(&output, &dict_303);
|
|
|
|
|
|
|
|
|
|
|
|
used_len=output.length();
|
|
|
|
|
|
tmp_buff=(char *)dictator_malloc(a_stream->threadnum, (used_len+1)*sizeof(char));
|
|
|
|
|
|
memcpy(tmp_buff, output.c_str(), used_len);
|
|
|
|
|
|
tmp_buff[used_len]='\0';
|
|
|
|
|
|
|
|
|
|
|
|
used_len=get_http_header(http_hdr, http_hdr_len, code, tmp_buff);
|
|
|
|
|
|
|
|
|
|
|
|
dictator_free(a_stream->threadnum, tmp_buff);
|
|
|
|
|
|
tmp_buff=NULL;
|
|
|
|
|
|
}
|
|
|
|
|
|
else
|
|
|
|
|
|
{
|
|
|
|
|
|
used_len=get_http_header(http_hdr, http_hdr_len, code, url);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return used_len;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static unsigned char do_action_reset(const struct streaminfo *a_stream, Maat_rule_t *p_result, tsg_protocol_t protocol)
|
|
|
|
|
|
{
|
|
|
|
|
|
if(a_stream->type==STREAM_TYPE_TCP)
|
|
|
|
|
|
{
|
2023-02-09 07:14:55 +00:00
|
|
|
|
struct rst_tcp_para rst_paras={0};
|
2022-12-23 11:54:29 +08:00
|
|
|
|
rst_paras.rst_pkt_num=g_tsg_para.reset.pkt_num;
|
|
|
|
|
|
rst_paras.signature_seed1=g_tsg_para.reset.seed1;
|
|
|
|
|
|
rst_paras.signature_seed2=g_tsg_para.reset.seed2;
|
|
|
|
|
|
rst_paras.th_flags=g_tsg_para.reset.th_flags;
|
|
|
|
|
|
rst_paras.__pad_no_use=0;
|
|
|
|
|
|
rst_paras.dir=g_tsg_para.reset.dir;
|
2023-02-09 07:14:55 +00:00
|
|
|
|
int ret=MESA_rst_tcp((struct streaminfo *)a_stream, &rst_paras, sizeof(rst_paras));
|
2022-12-23 11:54:29 +08:00
|
|
|
|
if(ret<0)
|
|
|
|
|
|
{
|
|
|
|
|
|
MESA_handle_runtime_log(g_tsg_para.logger,
|
|
|
|
|
|
RLOG_LV_FATAL,
|
|
|
|
|
|
"RST_TCP",
|
|
|
|
|
|
"Send RST failed policy_id: %d service: %d action: %d addr: %s",
|
|
|
|
|
|
p_result->config_id,
|
|
|
|
|
|
p_result->service_id,
|
|
|
|
|
|
(unsigned char)p_result->action,
|
|
|
|
|
|
PRINTADDR(a_stream, g_tsg_para.level)
|
|
|
|
|
|
);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
if(g_tsg_para.reset.remedy==1)
|
|
|
|
|
|
{
|
2023-02-09 07:14:55 +00:00
|
|
|
|
int opt_value=1;
|
2022-12-23 11:54:29 +08:00
|
|
|
|
MESA_set_stream_opt(a_stream, MSO_TCP_RST_REMEDY, (void *)&opt_value, sizeof(opt_value));
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
set_drop_stream(a_stream, protocol);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return STATE_DROPPKT|STATE_DROPME;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
static unsigned char do_action_drop(const struct streaminfo *a_stream, Maat_rule_t *p_result, struct compile_user_region *user_region, tsg_protocol_t protocol, const void *a_packet)
|
|
|
|
|
|
{
|
|
|
|
|
|
switch(protocol)
|
|
|
|
|
|
{
|
|
|
|
|
|
case PROTO_DNS:
|
|
|
|
|
|
return STATE_GIVEME|STATE_DROPPKT;
|
|
|
|
|
|
default:
|
|
|
|
|
|
set_drop_stream(a_stream, protocol);
|
|
|
|
|
|
break;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return STATE_DROPME|STATE_DROPPKT;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static unsigned char do_action_tamper(const struct streaminfo *a_stream, Maat_rule_t *p_result, struct compile_user_region *user_region, tsg_protocol_t protocol, const void *user_data, enum ACTION_RETURN_TYPE type)
|
|
|
|
|
|
{
|
|
|
|
|
|
if(g_tsg_para.feature_tamper==0)
|
|
|
|
|
|
{
|
|
|
|
|
|
do_action_drop(a_stream, p_result, user_region, protocol, user_data);
|
|
|
|
|
|
return STATE_DROPME|STATE_DROPPKT;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2023-02-09 07:14:55 +00:00
|
|
|
|
struct tcpall_context * _context=(struct tcpall_context *)tsg_get_xxx_from_bridge(a_stream, g_tsg_para.bridge[BRIDGE_TYPE_ALL_CONTEXT].id);
|
2022-12-23 11:54:29 +08:00
|
|
|
|
if(_context==NULL)
|
|
|
|
|
|
{
|
|
|
|
|
|
_context=(struct tcpall_context *)dictator_malloc(a_stream->threadnum, sizeof(struct tcpall_context));
|
|
|
|
|
|
memset(_context, 0, sizeof(struct tcpall_context));
|
2023-02-09 07:14:55 +00:00
|
|
|
|
tsg_set_xxx_to_bridge(a_stream, g_tsg_para.bridge[BRIDGE_TYPE_ALL_CONTEXT].id, (void *)_context);
|
2022-12-23 11:54:29 +08:00
|
|
|
|
_context->method_type=TSG_METHOD_TYPE_TAMPER;
|
|
|
|
|
|
_context->tamper_count = 0;
|
|
|
|
|
|
}
|
|
|
|
|
|
else
|
|
|
|
|
|
{
|
|
|
|
|
|
_context->method_type = TSG_METHOD_TYPE_TAMPER;
|
|
|
|
|
|
_context->tamper_count = 0;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
//当前为tsg_master_plug暂时不处理在tsg_master_all_entry处理,防止命中发两次
|
|
|
|
|
|
if(ACTION_RETURN_TYPE_APP == type)
|
|
|
|
|
|
{
|
|
|
|
|
|
return STATE_GIVEME|STATE_DROPPKT|STATE_KILL_OTHER;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
//TCP这里发送的话,tsg_master_all_entry仍会处理发送,UDP没有这个情况,所以加该判断
|
|
|
|
|
|
if(a_stream->type == STREAM_TYPE_UDP)
|
|
|
|
|
|
{
|
|
|
|
|
|
send_tamper_xxx(a_stream, &_context->tamper_count, user_data);
|
|
|
|
|
|
}
|
|
|
|
|
|
return STATE_DROPME|STATE_DROPPKT;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static unsigned char do_action_default_xxx(const struct streaminfo *a_stream, Maat_rule_t *p_result, struct compile_user_region *user_region, tsg_protocol_t protocol, const void *user_data)
|
|
|
|
|
|
{
|
|
|
|
|
|
struct deny_user_region *deny_region=NULL;
|
|
|
|
|
|
|
|
|
|
|
|
if(user_region->session_para==NULL)
|
|
|
|
|
|
{
|
|
|
|
|
|
return STATE_DROPME|STATE_DROPPKT;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
switch(a_stream->type)
|
|
|
|
|
|
{
|
|
|
|
|
|
case STREAM_TYPE_TCP:
|
|
|
|
|
|
deny_region=&(user_region->session_para->tcp);
|
|
|
|
|
|
break;
|
|
|
|
|
|
case STREAM_TYPE_UDP:
|
|
|
|
|
|
deny_region=&(user_region->session_para->udp);
|
|
|
|
|
|
break;
|
|
|
|
|
|
default:
|
|
|
|
|
|
return STATE_DROPME|STATE_DROPPKT;
|
|
|
|
|
|
break;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
switch(deny_region->type)
|
|
|
|
|
|
{
|
|
|
|
|
|
case TSG_DENY_TYPE_DEFAULT_RST:
|
|
|
|
|
|
do_action_reset(a_stream, p_result, protocol);
|
|
|
|
|
|
break;
|
|
|
|
|
|
case TSG_DENY_TYPE_DROP:
|
|
|
|
|
|
struct compile_user_region tmp_user_region;
|
|
|
|
|
|
tmp_user_region.deny=deny_region;
|
|
|
|
|
|
tmp_user_region.capture.enabled=0;
|
|
|
|
|
|
tmp_user_region.capture.depth=0;
|
|
|
|
|
|
tmp_user_region.method_type=TSG_METHOD_TYPE_DROP;
|
|
|
|
|
|
do_action_drop(a_stream, p_result, &tmp_user_region, protocol, user_data);
|
|
|
|
|
|
break;
|
|
|
|
|
|
default:
|
|
|
|
|
|
break;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return STATE_DROPME|STATE_DROPPKT;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static unsigned char do_action_ratelimit(const struct streaminfo *a_stream, Maat_rule_t *p_result, struct compile_user_region *user_region, enum ACTION_RETURN_TYPE type)
|
|
|
|
|
|
{
|
|
|
|
|
|
struct leaky_bucket *bucket=create_bucket(user_region->deny->bps, a_stream->threadnum);
|
|
|
|
|
|
|
|
|
|
|
|
int ret=set_bucket_to_tcpall(a_stream, bucket, a_stream->threadnum);
|
|
|
|
|
|
if(ret==0)
|
|
|
|
|
|
{
|
|
|
|
|
|
destroy_bucket(&bucket, a_stream->threadnum);
|
|
|
|
|
|
bucket=NULL;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
if(type==ACTION_RETURN_TYPE_PROT)
|
|
|
|
|
|
{
|
|
|
|
|
|
return STATE_DROPME;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
if(type==ACTION_RETURN_TYPE_APP)
|
|
|
|
|
|
{
|
|
|
|
|
|
return STATE_DROPME|STATE_KILL_OTHER;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return STATE_GIVEME|STATE_KILL_OTHER;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static unsigned char do_action_block_mail(const struct streaminfo *a_stream, Maat_rule_t *p_result, struct compile_user_region *user_region)
|
|
|
|
|
|
{
|
|
|
|
|
|
char *payload=NULL;
|
|
|
|
|
|
|
|
|
|
|
|
switch(user_region->deny->code)
|
|
|
|
|
|
{
|
|
|
|
|
|
case 550:
|
|
|
|
|
|
payload=(char *)"550 Mail was identified as spam.\r\n";
|
|
|
|
|
|
break;
|
|
|
|
|
|
case 551:
|
|
|
|
|
|
payload=(char *)"551 User not local; please try <forward-path>\r\n";
|
|
|
|
|
|
break;
|
|
|
|
|
|
default:
|
|
|
|
|
|
break;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
if(payload!=NULL)
|
|
|
|
|
|
{
|
2023-02-09 07:14:55 +00:00
|
|
|
|
unsigned char raw_route_dir=(a_stream->curdir==DIR_C2S) ? MESA_dir_reverse(a_stream->routedir) : a_stream->routedir;
|
2022-12-23 11:54:29 +08:00
|
|
|
|
tsg_send_inject_packet(a_stream, SIO_DEFAULT, payload, strlen(payload), raw_route_dir);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return STATE_DROPME|STATE_DROPPKT;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static unsigned char do_action_block_http(const struct streaminfo *a_stream, Maat_rule_t *p_result, struct compile_user_region *user_region, const void *a_packet)
|
|
|
|
|
|
{
|
|
|
|
|
|
int opt_value=0;
|
|
|
|
|
|
int send_pkt_len=0;
|
|
|
|
|
|
|
|
|
|
|
|
switch(user_region->deny->code)
|
|
|
|
|
|
{
|
|
|
|
|
|
case 200:
|
|
|
|
|
|
case 204:
|
|
|
|
|
|
case 403:
|
|
|
|
|
|
case 404:
|
|
|
|
|
|
send_pkt_len=http_build_response_packet(a_stream, p_result, user_region, a_packet);
|
|
|
|
|
|
tsg_set_statistic_opt(send_pkt_len, ((user_region->method_type==TSG_METHOD_TYPE_ALERT) ? OPT_TYPE_ALERT_BYTES : OPT_TYPE_BLOCK_BYTES), a_stream->threadnum);
|
|
|
|
|
|
break;
|
|
|
|
|
|
default:
|
|
|
|
|
|
break;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
if(g_tsg_para.reset.remedy==1)
|
|
|
|
|
|
{
|
|
|
|
|
|
opt_value=1;
|
|
|
|
|
|
MESA_set_stream_opt(a_stream, MSO_TCP_RST_REMEDY, (void *)&opt_value, sizeof(opt_value));
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return STATE_DROPME|STATE_DROPPKT;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static unsigned char do_action_block_xxx(const struct streaminfo *a_stream, Maat_rule_t *p_result, struct compile_user_region *user_region, tsg_protocol_t protocol, const void *a_packet)
|
|
|
|
|
|
{
|
|
|
|
|
|
if(user_region==NULL || user_region->deny==NULL)
|
|
|
|
|
|
{
|
|
|
|
|
|
return do_action_drop(a_stream, p_result, user_region, protocol, a_packet);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
switch(protocol)
|
|
|
|
|
|
{
|
|
|
|
|
|
case PROTO_HTTP:
|
|
|
|
|
|
return do_action_block_http(a_stream, p_result, user_region, a_packet);
|
|
|
|
|
|
break;
|
|
|
|
|
|
case PROTO_POP3:
|
|
|
|
|
|
case PROTO_IMAP:
|
|
|
|
|
|
case PROTO_SMTP:
|
|
|
|
|
|
case PROTO_MAIL:
|
|
|
|
|
|
return do_action_block_mail(a_stream, p_result, user_region);
|
|
|
|
|
|
break;
|
|
|
|
|
|
default:
|
|
|
|
|
|
break;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
set_drop_stream(a_stream, protocol);
|
|
|
|
|
|
|
|
|
|
|
|
return STATE_DROPME|STATE_DROPPKT;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static unsigned char do_action_redirect_http(const struct streaminfo *a_stream, Maat_rule_t *p_result, struct compile_user_region *user_region)
|
|
|
|
|
|
{
|
|
|
|
|
|
int used_http_hdr_len=0;
|
|
|
|
|
|
char http_hdr[1024]={0};
|
|
|
|
|
|
unsigned char raw_route_dir=0;
|
|
|
|
|
|
|
|
|
|
|
|
switch(user_region->deny->code)
|
|
|
|
|
|
{
|
|
|
|
|
|
case 302:
|
|
|
|
|
|
case 303:
|
|
|
|
|
|
used_http_hdr_len=http_get_redirect_url(a_stream, p_result, user_region->deny->redirect_url_to, user_region->deny->code, http_hdr, sizeof(http_hdr));
|
|
|
|
|
|
break;
|
|
|
|
|
|
default:
|
|
|
|
|
|
return STATE_DROPME|STATE_DROPPKT;
|
|
|
|
|
|
break;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
raw_route_dir=(a_stream->curdir==DIR_C2S) ? MESA_dir_reverse(a_stream->routedir) : a_stream->routedir;
|
|
|
|
|
|
tsg_send_inject_packet( a_stream, SIO_DEFAULT, http_hdr, used_http_hdr_len, raw_route_dir);
|
|
|
|
|
|
|
|
|
|
|
|
return STATE_DROPME|STATE_DROPPKT;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static unsigned char do_action_redirect_xxx(const struct streaminfo *a_stream, Maat_rule_t *p_result, struct compile_user_region *user_region, tsg_protocol_t protocol, const void *user_data)
|
|
|
|
|
|
{
|
|
|
|
|
|
if(user_region==NULL || user_region->deny==NULL)
|
|
|
|
|
|
{
|
|
|
|
|
|
return do_action_drop(a_stream, p_result, user_region, protocol, user_data);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
switch(protocol)
|
|
|
|
|
|
{
|
|
|
|
|
|
case PROTO_DNS:
|
|
|
|
|
|
return do_action_redirect_dns(a_stream, p_result, user_region, user_data);
|
|
|
|
|
|
break;
|
|
|
|
|
|
case PROTO_HTTP:
|
|
|
|
|
|
do_action_redirect_http(a_stream, p_result, user_region);
|
|
|
|
|
|
set_drop_stream(a_stream, protocol);
|
|
|
|
|
|
break;
|
|
|
|
|
|
default:
|
|
|
|
|
|
break;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return STATE_DROPME|STATE_DROPPKT;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static unsigned char tsg_do_deny_action(const struct streaminfo *a_stream, struct compile_user_region *user_region, Maat_rule_t *p_result, tsg_protocol_t protocol, enum ACTION_RETURN_TYPE type, const void *user_data)
|
|
|
|
|
|
{
|
|
|
|
|
|
unsigned char local_state=STATE_GIVEME;
|
|
|
|
|
|
unsigned char state=0;
|
|
|
|
|
|
int method_type=TSG_METHOD_TYPE_RESET;
|
|
|
|
|
|
if(user_region!=NULL)
|
|
|
|
|
|
{
|
|
|
|
|
|
method_type=user_region->method_type;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
switch(method_type)
|
|
|
|
|
|
{
|
|
|
|
|
|
case TSG_METHOD_TYPE_RST:
|
|
|
|
|
|
case TSG_METHOD_TYPE_RESET:
|
|
|
|
|
|
local_state=do_action_reset(a_stream, p_result, protocol);
|
|
|
|
|
|
break;
|
|
|
|
|
|
case TSG_METHOD_TYPE_BLOCK:
|
|
|
|
|
|
case TSG_METHOD_TYPE_ALERT:
|
|
|
|
|
|
local_state=do_action_block_xxx(a_stream, p_result, user_region, protocol, user_data);
|
|
|
|
|
|
break;
|
|
|
|
|
|
case TSG_METHOD_TYPE_REDIRECTION:
|
|
|
|
|
|
local_state=do_action_redirect_xxx( a_stream, p_result, user_region, protocol, user_data);
|
|
|
|
|
|
break;
|
|
|
|
|
|
case TSG_METHOD_TYPE_RATE_LIMIT:
|
|
|
|
|
|
local_state=do_action_ratelimit(a_stream, p_result, user_region, type);
|
|
|
|
|
|
break;
|
|
|
|
|
|
case TSG_METHOD_TYPE_TAMPER:
|
|
|
|
|
|
local_state = do_action_tamper(a_stream, p_result, user_region, protocol, user_data, type);
|
|
|
|
|
|
break;
|
|
|
|
|
|
case TSG_METHOD_TYPE_DEFAULT:
|
|
|
|
|
|
local_state=do_action_default_xxx(a_stream, p_result, user_region, protocol, user_data);
|
|
|
|
|
|
break;
|
|
|
|
|
|
case TSG_METHOD_TYPE_DROP:
|
|
|
|
|
|
case TSG_METHOD_TYPE_APP_DROP:
|
|
|
|
|
|
if(user_region->deny==NULL)
|
|
|
|
|
|
{
|
|
|
|
|
|
break;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
if(type!=ACTION_RETURN_TYPE_TCPALL && user_region->deny->after_n_packets>0)
|
|
|
|
|
|
{
|
|
|
|
|
|
set_protocol_to_tcpall(a_stream, protocol, a_stream->threadnum);
|
|
|
|
|
|
set_method_to_tcpall(a_stream, user_region->method_type, a_stream->threadnum);
|
2023-01-09 17:46:23 +08:00
|
|
|
|
|
|
|
|
|
|
if(a_stream->type==STREAM_TYPE_UDP && type!=ACTION_RETURN_TYPE_PROT)
|
|
|
|
|
|
{
|
|
|
|
|
|
set_after_n_packet_to_tcpall(a_stream, user_region->deny->after_n_packets+1, a_stream->threadnum);
|
|
|
|
|
|
}
|
|
|
|
|
|
else
|
|
|
|
|
|
{
|
|
|
|
|
|
set_after_n_packet_to_tcpall(a_stream, user_region->deny->after_n_packets, a_stream->threadnum);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2022-12-23 11:54:29 +08:00
|
|
|
|
tsg_set_policy_result(a_stream, PULL_FW_RESULT, p_result, protocol, a_stream->threadnum);
|
|
|
|
|
|
local_state=((type==ACTION_RETURN_TYPE_PROT) ? (STATE_DROPME) : (STATE_DROPME|STATE_KILL_OTHER));
|
|
|
|
|
|
break;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
local_state=do_action_drop(a_stream, p_result, user_region, protocol, user_data);
|
|
|
|
|
|
if(protocol==PROTO_DNS && type==ACTION_RETURN_TYPE_APP)
|
|
|
|
|
|
{
|
|
|
|
|
|
local_state=set_drop_stream(a_stream, protocol);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
if(user_region->deny->drop_para.send_icmp_enable==1)
|
|
|
|
|
|
{
|
|
|
|
|
|
local_state|=send_icmp_unreachable(a_stream);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
if(user_region->deny->drop_para.send_reset_enable==1)
|
|
|
|
|
|
{
|
|
|
|
|
|
local_state|=do_action_reset(a_stream, p_result, protocol);
|
|
|
|
|
|
}
|
|
|
|
|
|
break;
|
|
|
|
|
|
default:
|
|
|
|
|
|
break;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
tsg_notify_hited_monitor_result(a_stream, p_result, 1, a_stream->threadnum);
|
|
|
|
|
|
|
|
|
|
|
|
if(method_type!=TSG_METHOD_TYPE_DEFAULT && method_type!=TSG_METHOD_TYPE_APP_DROP)
|
|
|
|
|
|
{
|
|
|
|
|
|
set_method_to_tcpall(a_stream, (enum TSG_METHOD_TYPE)method_type, a_stream->threadnum);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
state=((type==ACTION_RETURN_TYPE_PROT) ? PROT_STATE_GIVEME : APP_STATE_GIVEME);
|
2023-02-10 21:54:35 +08:00
|
|
|
|
state|=((type==ACTION_RETURN_TYPE_PROT) ? (local_state&STATE_DROPME ? PROT_STATE_DROPME : 0) : (local_state&STATE_DROPME ? APP_STATE_DROPME : 0));
|
|
|
|
|
|
state|=((type==ACTION_RETURN_TYPE_PROT) ? (local_state&STATE_GIVEME ? PROT_STATE_GIVEME: 0) : 0);
|
|
|
|
|
|
//state|=((type==ACTION_RETURN_TYPE_PROT) ? (local_state&STATE_GIVEME ? PROT_STATE_GIVEME: 0) : (local_state&STATE_GIVEME ? APP_STATE_GIVEME: 0));
|
2022-12-23 11:54:29 +08:00
|
|
|
|
state|=((type==ACTION_RETURN_TYPE_PROT) ? (local_state&STATE_DROPPKT ? PROT_STATE_DROPPKT : 0) : (local_state&STATE_DROPPKT ? APP_STATE_DROPPKT: 0));
|
|
|
|
|
|
state|=((type==ACTION_RETURN_TYPE_PROT) ? (0) : (local_state&STATE_KILL_OTHER ? APP_STATE_KILL_OTHER : 0));
|
|
|
|
|
|
|
|
|
|
|
|
return state;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
unsigned char tsg_deny_application(const struct streaminfo *a_stream, Maat_rule_t *p_result, tsg_protocol_t protocol, int app_id, enum ACTION_RETURN_TYPE type, const void *user_data)
|
|
|
|
|
|
{
|
|
|
|
|
|
unsigned char state=0;
|
|
|
|
|
|
char app_id_buff[32]={0};
|
|
|
|
|
|
struct app_id_dict *dict=NULL;
|
|
|
|
|
|
struct compile_user_region app_user_region={0}, *user_region=NULL;
|
|
|
|
|
|
|
|
|
|
|
|
snprintf(app_id_buff, sizeof(app_id_buff), "%d", app_id);
|
|
|
|
|
|
dict=(struct app_id_dict *)Maat_plugin_get_EX_data(g_tsg_maat_feather, g_tsg_para.table_id[TABLE_APP_ID_DICT], (const char *)app_id_buff);
|
|
|
|
|
|
if(dict==NULL)
|
|
|
|
|
|
{
|
|
|
|
|
|
set_drop_stream(a_stream, protocol);
|
|
|
|
|
|
return ((type==ACTION_RETURN_TYPE_PROT) ? PROT_STATE_DROPPKT|PROT_STATE_DROPME: APP_STATE_DROPME|APP_STATE_DROPPKT);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
user_region=(struct compile_user_region *)Maat_rule_get_ex_data(g_tsg_maat_feather, p_result, g_tsg_para.table_id[TABLE_SECURITY_COMPILE]);
|
|
|
|
|
|
if(user_region!=NULL)
|
|
|
|
|
|
{
|
|
|
|
|
|
app_user_region.capture=user_region->capture;
|
|
|
|
|
|
security_compile_free(g_tsg_para.table_id[TABLE_SECURITY_COMPILE], p_result, NULL, (MAAT_RULE_EX_DATA *)&user_region, 0, NULL);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
switch(dict->deny_app_para.type)
|
|
|
|
|
|
{
|
|
|
|
|
|
case TSG_DENY_TYPE_APP_DROP:
|
|
|
|
|
|
app_user_region.method_type=TSG_METHOD_TYPE_APP_DROP;
|
|
|
|
|
|
app_user_region.deny=&(dict->deny_app_para);
|
|
|
|
|
|
break;
|
|
|
|
|
|
case TSG_DENY_TYPE_APP_RATELIMIT:
|
|
|
|
|
|
app_user_region.method_type=TSG_METHOD_TYPE_RATE_LIMIT;
|
|
|
|
|
|
app_user_region.deny=&(dict->deny_app_para);
|
|
|
|
|
|
break;
|
|
|
|
|
|
default:
|
|
|
|
|
|
break;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
state=tsg_do_deny_action(a_stream, &app_user_region, p_result, protocol, type, user_data);
|
|
|
|
|
|
app_id_dict_free(g_tsg_para.table_id[TABLE_APP_ID_DICT], (MAAT_PLUGIN_EX_DATA *)&dict, 0, NULL);
|
|
|
|
|
|
|
|
|
|
|
|
return state;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
unsigned char tsg_deal_deny_action(const struct streaminfo *a_stream, Maat_rule_t *p_result, tsg_protocol_t protocol, enum ACTION_RETURN_TYPE type, const void *user_data)
|
|
|
|
|
|
{
|
|
|
|
|
|
unsigned char state=0;
|
|
|
|
|
|
struct compile_user_region *user_region=NULL;
|
|
|
|
|
|
|
|
|
|
|
|
if(p_result->action==TSG_ACTION_BYPASS)
|
|
|
|
|
|
{
|
|
|
|
|
|
return ((type==ACTION_RETURN_TYPE_PROT) ? PROT_STATE_DROPME : APP_STATE_GIVEME);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
user_region=(struct compile_user_region *)Maat_rule_get_ex_data(g_tsg_maat_feather, p_result, g_tsg_para.table_id[TABLE_SECURITY_COMPILE]);
|
|
|
|
|
|
if(user_region==NULL)
|
|
|
|
|
|
{
|
|
|
|
|
|
set_drop_stream(a_stream, protocol);
|
|
|
|
|
|
return ((type==ACTION_RETURN_TYPE_PROT) ? PROT_STATE_DROPPKT|PROT_STATE_DROPME: APP_STATE_DROPME|APP_STATE_DROPPKT);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
if(user_region->method_type==TSG_METHOD_TYPE_APP_DROP)
|
|
|
|
|
|
{
|
|
|
|
|
|
unsigned int app_id=0;
|
|
|
|
|
|
|
|
|
|
|
|
if(protocol==PROTO_MAIL)
|
|
|
|
|
|
{
|
|
|
|
|
|
app_id=tsg_l7_protocol_name2id(g_tsg_proto_name2id[PROTO_SMTP].name);
|
|
|
|
|
|
}
|
|
|
|
|
|
else
|
|
|
|
|
|
{
|
|
|
|
|
|
app_id=tsg_l7_protocol_name2id(g_tsg_proto_name2id[protocol].name);
|
|
|
|
|
|
}
|
|
|
|
|
|
state=tsg_deny_application(a_stream, p_result, protocol, app_id, ACTION_RETURN_TYPE_APP, user_data);
|
|
|
|
|
|
}
|
|
|
|
|
|
else
|
|
|
|
|
|
{
|
|
|
|
|
|
state=tsg_do_deny_action(a_stream, user_region, p_result, protocol, type, user_data);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
security_compile_free(g_tsg_para.table_id[TABLE_SECURITY_COMPILE], p_result, NULL, (MAAT_RULE_EX_DATA *)&user_region, 0, NULL);
|
|
|
|
|
|
|
|
|
|
|
|
return state;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
