From 0320b4b33f423241c5cb0e72327ca6fb8bb66717 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=88=98=E5=AD=A6=E5=88=A9?=
Date: Sat, 10 Jul 2021 03:40:39 +0000
Subject: [PATCH] Feature copy allow deny result to project
---
 inc/tsg_rule.h | 3 ++-
 src/tsg_entry.cpp | 40 +++++++---------------------------------
 src/tsg_rule.cpp | 15 +--------------
 src/tsg_send_log.cpp | 7 ++++---
 4 files changed, 14 insertions(+), 51 deletions(-)
diff --git a/inc/tsg_rule.h b/inc/tsg_rule.h
index d412db1..d6a67ae 100644
--- a/inc/tsg_rule.h
+++ b/inc/tsg_rule.h
@@ -48,7 +48,8 @@ struct compile_user_region
 typedef enum _PULL_RESULT_TYPE
 {
 PULL_KNI_RESULT,
- PULL_FW_RESULT
+ PULL_FW_RESULT,
+ PULL_ALL_RESULT
 }PULL_RESULT_TYPE;
 struct app_id_dict_table
diff --git a/src/tsg_entry.cpp b/src/tsg_entry.cpp
index 689dda1..2b5de2b 100644
--- a/src/tsg_entry.cpp
+++ b/src/tsg_entry.cpp
@@ -466,7 +466,7 @@ static void copy_monitor_result(const struct streaminfo *a_stream, struct master
 }
-static void copy_intercept_result(const struct streaminfo *a_stream, struct master_context *context, struct Maat_rule_t *p_result, char *domain, tsg_protocol_t proto, int thread_seq)
+static void copy_result_to_project(const struct streaminfo *a_stream, struct master_context *context, struct Maat_rule_t *p_result, char *domain, tsg_protocol_t proto, PULL_RESULT_TYPE result_type, int thread_seq)
 {
 int ret=0;
 policy_priority_label_t *priority_label=NULL;
@@ -499,7 +499,7 @@ static void copy_intercept_result(const struct streaminfo *a_stream, struct mast
 }
 priority_label->result_num=1;
- priority_label->result_type=PULL_KNI_RESULT;
+ priority_label->result_type=result_type;
 memcpy(priority_label->result, p_result, sizeof(struct Maat_rule_t));
 ret=project_req_add_struct((struct streaminfo *)a_stream, g_tsg_para.priority_project_id, (void *)priority_label);
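Review bot: `PULL_ALL_RESULT` is a query-only wildcard, not a type a stored label can meaningfully carry — the new comparison in tsg_pull_policy_result treats `pull_result_type==PULL_ALL_RESULT` as "match any", but a label whose `result_type` is PULL_ALL_RESULT would only ever be returned to another wildcard query. Nothing in the header says this, and the enumerator sits next to the two storable values as if it were a third. Document it in place: `PULL_ALL_RESULT /* query-side wildcard for tsg_pull_policy_result(); never store in policy_priority_label_t.result_type */`. Since it is appended last, any code elsewhere that treats the enum as a dense set of stored types will now include it — worth a check outside this diff.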
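Review bot: The new `result_type` parameter is stored into the label verbatim with no validation, and the callers added in this commit are the only thing keeping the wildcard out of it; passing PULL_ALL_RESULT here would create a label that no typed pull ever matches. Reject it at the top of the function, `if(result_type==PULL_ALL_RESULT) return;`, and state the accepted values in a header comment, `/* result_type: PULL_KNI_RESULT (intercept) or PULL_FW_RESULT (allow/deny); the PULL_ALL_RESULT wildcard is for pulling only */`. The body of copy_result_to_project continues past this hunk, so where the early return should sit relative to the label allocation is not visible here.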
@@ -530,34 +530,6 @@ static void copy_intercept_result(const struct streaminfo *a_stream, struct mast
 return ;
 }
-static void copy_deny_result(const struct streaminfo *a_stream, struct master_context *context, struct Maat_rule_t *p_result, int thread_seq)
-{
- if(context->result==NULL)
- {
- context->hit_cnt=1;
- context->result=(struct Maat_rule_t *)dictator_malloc(thread_seq, sizeof(struct Maat_rule_t));
-
- memcpy(context->result, p_result, sizeof(struct Maat_rule_t));
- }
- else
- {
- context->hit_cnt=1;
- memcpy(context->result, p_result, sizeof(struct Maat_rule_t));
- }
-
- MESA_handle_runtime_log(g_tsg_para.logger,
- RLOG_LV_DEBUG,
- "DENY",
- "Hit deny policy, policy_id: %d service: %d action: %d addr: %s",
- p_result[0].config_id,
- p_result[0].service_id,
- (unsigned char)p_result[0].action,
- PRINTADDR(a_stream, g_tsg_para.level)
- );
-
- return ;
-}
-
 static void copy_bypass_result(const struct streaminfo *a_stream, struct master_context *context, struct Maat_rule_t *p_result, int thread_seq)
 {
 if(context->result==NULL)
@@ -1267,7 +1239,8 @@ static unsigned char master_deal_scan_result(const struct streaminfo *a_stream,
 if((state&APP_STATE_DROPPKT)==APP_STATE_DROPPKT)
 {
 context->hit_cnt=0;
- master_send_log(a_stream, p_result, 1, context->domain, context->proto, a_stream->threadnum);
+ master_send_log(a_stream, p_result, 1, context->domain, context->proto, a_stream->threadnum);
+ copy_result_to_project(a_stream, context, p_result, context->domain, context->proto, PULL_FW_RESULT, a_stream->threadnum);
 MESA_handle_runtime_log(g_tsg_para.logger,
 RLOG_LV_DEBUG,
 "DENY",
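Review bot: The DROPPKT branch publishes the deny verdict to the project with `PULL_FW_RESULT` immediately after `context->hit_cnt=0`, so the project now holds a rule for a stream whose own context says there are zero hits; anything that consults `context->hit_cnt` to decide whether a verdict exists will disagree with what tsg_pull_policy_result hands back. If that asymmetry is intended, say so at the call: `/* deny verdict is published to the project even though hit_cnt is cleared for the local context */`. The re-added `master_send_log(...)` line is textually identical to the removed one, so that half of the hunk is whitespace-only noise that hides the one real addition from an audit of the diff. master_deal_scan_result starts and ends outside this hunk.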
@@ -1287,7 +1260,8 @@ static unsigned char master_deal_scan_result(const struct streaminfo *a_stream,
 copy_monitor_result(a_stream, context, result, hit_num, a_stream->threadnum);
 break;
 case TSG_ACTION_BYPASS:
- copy_bypass_result(a_stream, context, p_result, a_stream->threadnum);
+ copy_bypass_result(a_stream, context, p_result, a_stream->threadnum);
+ copy_result_to_project(a_stream, context, p_result, context->domain, context->proto, PULL_FW_RESULT, a_stream->threadnum);
 FS_operate(g_tsg_para.fs2_handle, g_tsg_para.fs2_field_id[TSG_FS2_BYPASS], 0, FS_OP_ADD, 1);
 state=APP_STATE_GIVEME|APP_STATE_KILL_OTHER;
 break;
@@ -1298,7 +1272,7 @@ static unsigned char master_deal_scan_result(const struct streaminfo *a_stream,
 break;
 }
- copy_intercept_result(a_stream, context, p_result, context->domain, context->proto, a_stream->threadnum);
+ copy_result_to_project(a_stream, context, p_result, context->domain, context->proto, PULL_KNI_RESULT, a_stream->threadnum);
 FS_operate(g_tsg_para.fs2_handle, g_tsg_para.fs2_field_id[TSG_FS2_INTERCEPT], 0, FS_OP_ADD, 1);
 state=APP_STATE_DROPME|APP_STATE_KILL_OTHER;
 break;
diff --git a/src/tsg_rule.cpp b/src/tsg_rule.cpp
index 5b92afc..821e078 100644
--- a/src/tsg_rule.cpp
+++ b/src/tsg_rule.cpp
@@ -1027,7 +1027,7 @@ int tsg_pull_policy_result(struct streaminfo *a_stream, PULL_RESULT_TYPE pull_re
 label=(policy_priority_label_t *)project_req_get_struct(a_stream, g_tsg_para.priority_project_id);
 if(label!=NULL && result!=NULL && result_num>0 && identify_info!=NULL)
 {
- if(label->result_type==pull_result_type)
+ if((label->result_type==pull_result_type) || (pull_result_type==PULL_ALL_RESULT))
 {
 num=MIN(label->result_num, result_num);
 memcpy(result, label->result, num*sizeof(Maat_rule_t));
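Review bot: The BYPASS (allow) verdict is published with the same `PULL_FW_RESULT` tag that the DROPPKT (deny) branch uses, so a consumer pulling PULL_FW_RESULT receives an allow and a deny indistinguishably; the tag itself no longer tells it which side of the firewall decision it got, only `result->action` does. Either give allow its own enumerator or document the sharing at both call sites, e.g. `/* allow (bypass) and deny (DROPPKT) both publish as PULL_FW_RESULT; consumers must check result->action */`. Note also that `copy_bypass_result` on the line above already copies the same rule into `context->result`, so the verdict is now held in two places that must not drift. master_deal_scan_result starts and ends outside this hunk.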
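Review bot: With `PULL_ALL_RESULT` the caller gets back whichever rule happens to be stored, but nothing in this hunk tells it whether that rule was a KNI (intercept) or FW (allow/deny) result — `label->result_type` is not copied out, and the one place it was reported, the debug log further down, is removed by this commit. If `identify_info` is meant to carry that information, say so; otherwise a wildcard pull cannot separate an intercept verdict from a firewall one except by reading `result->action`. A one-line comment above the new condition, `/* PULL_ALL_RESULT matches any stored type; the caller must inspect result->action itself */`, would make the contract explicit. tsg_pull_policy_result starts before this hunk and continues after it.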
@@ -1042,19 +1042,6 @@ int tsg_pull_policy_result(struct streaminfo *a_stream, PULL_RESULT_TYPE pull_re
 return num;
 }
-
- MESA_handle_runtime_log(g_tsg_para.logger,
- RLOG_LV_DEBUG,
- "PULL_RESULT",
- "pull policy failed, hit: %s %s: %s policy_id: %d service: %d action: %d addr: %s",
- (label->result_type==PULL_KNI_RESULT) ? "KNI" : "FW",
- label->proto==PROTO_HTTP ? "host" : "sni",
- label->domain,
- label->result->config_id,
- label->result->service_id,
- label->result->action,
- PRINTADDR(a_stream, g_tsg_para.level)
- );
 }
 return 0;
diff --git a/src/tsg_send_log.cpp b/src/tsg_send_log.cpp
index 805f567..7cd6168 100644
--- a/src/tsg_send_log.cpp
+++ b/src/tsg_send_log.cpp
@@ -1296,14 +1296,15 @@ struct tsg_log_instance_t *tsg_sendlog_init(const char *conffile)
 rd_kafka_conf_set(rdkafka_conf, "queue.buffering.max.messages", _instance->send_queue_max_msg, kafka_errstr, sizeof(kafka_errstr));
 rd_kafka_conf_set(rdkafka_conf, "topic.metadata.refresh.interval.ms", _instance->refresh_interval_ms, kafka_errstr, sizeof(kafka_errstr));
 rd_kafka_conf_set(rdkafka_conf, "request.required.acks", _instance->require_ack, kafka_errstr, sizeof(kafka_errstr));
- rd_kafka_conf_set(rdkafka_conf, "socket.keepalive.enable", "true", kafka_errstr, sizeof(kafka_errstr));
+ rd_kafka_conf_set(rdkafka_conf, "socket.keepalive.enable", "true", kafka_errstr, sizeof(kafka_errstr));
+ rd_kafka_conf_set(rdkafka_conf, "bootstrap.servers", _instance->broker_list, kafka_errstr, sizeof(kafka_errstr));
 if(!(kafka_handle=rd_kafka_new(RD_KAFKA_PRODUCER, rdkafka_conf, kafka_errstr, sizeof(kafka_errstr))))
 {
 MESA_handle_runtime_log(_instance->logger, RLOG_LV_FATAL, "KAFKA_INIT", "rd_kafka_new is error");
 return NULL;
 }
-
+#if 0
 if(rd_kafka_brokers_add(kafka_handle, _instance->broker_list) == 0)
 {
 MESA_handle_runtime_log(_instance->logger,
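Review bot: The new `rd_kafka_conf_set(..., "bootstrap.servers", _instance->broker_list, ...)` discards its return value, while the `rd_kafka_brokers_add` call it replaces is `#if 0`'d out together with its `== 0` failure check — so an empty or malformed broker list, which previously made tsg_sendlog_init return NULL, is now accepted silently and the producer is created with nowhere to deliver. Check the return against `RD_KAFKA_CONF_OK` and fail init the way the old code did; the neighbouring conf_set calls also ignore their return, but this one carries the only value without which nothing is ever sent. The `#if 0` block should be deleted rather than left as dead code, and the re-added keepalive line is identical to the removed one. tsg_sendlog_init starts before this hunk.
```cpp
	rd_kafka_conf_set(rdkafka_conf, "socket.keepalive.enable", "true", kafka_errstr, sizeof(kafka_errstr));
	/* broker list is the one setting the producer cannot work without: fail init loudly, as the old rd_kafka_brokers_add() check did */
	if(rd_kafka_conf_set(rdkafka_conf, "bootstrap.servers", _instance->broker_list, kafka_errstr, sizeof(kafka_errstr))!=RD_KAFKA_CONF_OK)
	{
		MESA_handle_runtime_log(_instance->logger, RLOG_LV_FATAL, "KAFKA_INIT", "bootstrap.servers: %s", kafka_errstr);
		rd_kafka_conf_destroy(rdkafka_conf); /* still owned by us until rd_kafka_new() succeeds */
		return NULL;
	}
	// … unchanged: rd_kafka_new() and its failure check …
	// (the #if 0 rd_kafka_brokers_add block is removed entirely)
```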
@@ -1314,7 +1315,7 @@ struct tsg_log_instance_t *tsg_sendlog_init(const char *conffile)
 );
 return NULL;
 }
-
+#endif
 load_log_common_field(_instance->common_field_file, _instance->id2field, &(_instance->service2topic), &(_instance->max_service));
 if(_instance->service2topic!=NULL)