TSG-13106: 支持Flag Object作为策略条件之一

This commit is contained in:
liuxueli
2022-12-28 16:36:40 +08:00
parent 49f2557ed3
commit 0def1fe023
6 changed files with 94 additions and 5 deletions


@@ -121,3 +121,4 @@ STRING common_tunnel_endpoint_a_desc 108
STRING common_tunnel_endpoint_b_desc 109 STRING common_tunnel_endpoint_b_desc 109
LONG common_t_vsys_id 110 LONG common_t_vsys_id 110
STRING common_app_full_path 111 STRING common_app_full_path 111
LONG common_flags 112


@@ -89,3 +89,5 @@
77 TSG_TUNNEL_ENDPOINT ip_plugin {"row_id":1,"ip_type":2,"start_ip":3,"end_ip":4,"valid":6,"estimate_size":4194304} 77 TSG_TUNNEL_ENDPOINT ip_plugin {"row_id":1,"ip_type":2,"start_ip":3,"end_ip":4,"valid":6,"estimate_size":4194304}
78 TSG_TUNNEL_LABEL plugin {"key":2,"valid":3} -- 78 TSG_TUNNEL_LABEL plugin {"key":2,"valid":3} --
79 TSG_SECURITY_TUNNEL virtual TSG_OBJ_TUNNEL_ID -- 79 TSG_SECURITY_TUNNEL virtual TSG_OBJ_TUNNEL_ID --
80 TSG_OBJ_FLAG flag --
81 TSG_SECURITY_FLAG virtual TSG_OBJ_FLAG --


@@ -686,6 +686,9 @@ static int master_send_log(const struct streaminfo *a_stream, struct Maat_rule_t
TLD_append(TLD_handle, schema_field_name, (void *)g_tsg_proto_name2id[PROTO_APP].name, TLD_TYPE_STRING); TLD_append(TLD_handle, schema_field_name, (void *)g_tsg_proto_name2id[PROTO_APP].name, TLD_TYPE_STRING);
} }
char *flags_field_name=log_field_id2name(g_tsg_log_instance, LOG_COMMON_FLAGS);
TLD_append(TLD_handle, flags_field_name, (void *)context->session_flag, TLD_TYPE_LONG);
if(context!=NULL && context->hited_app_id>0) if(context!=NULL && context->hited_app_id>0)
{ {
char app_label_name[512]={0}; char app_label_name[512]={0};
@@ -1892,6 +1895,32 @@ static int app_identify_result_cb(const struct streaminfo *a_stream, int bridge_
return 0; return 0;
} }
static int session_flags_identify_result_cb(const struct streaminfo *a_stream, int bridge_id, void *data)
{
if(data==NULL)
{
return 0;
}
struct master_context *context=NULL;
struct Maat_rule_t scan_result[MAX_RESULT_NUM]={0};
context=(struct master_context *)get_struct_project(a_stream, g_tsg_para.context_project_id);
if(context==NULL)
{
init_context((void **)(&context), a_stream->threadnum);
set_struct_project(a_stream, g_tsg_para.context_project_id, (void *)context);
}
context->session_flag=*(unsigned long *)(data);
int hit_num=tsg_scan_session_flags(g_tsg_maat_feather, a_stream, scan_result, MAX_RESULT_NUM, &context->mid, g_tsg_para.table_id[TABLE_SESSION_FLAGS], context->session_flag, a_stream->threadnum);
master_deal_scan_result(a_stream, context, scan_result, hit_num, NULL);
return 0;
}
static int deal_pending_state(const struct streaminfo *a_stream, struct master_context *context, struct Maat_rule_t *result, int result_num, void *a_packet) static int deal_pending_state(const struct streaminfo *a_stream, struct master_context *context, struct Maat_rule_t *result, int result_num, void *a_packet)
{ {
@@ -2010,6 +2039,7 @@ static unsigned char tsg_master_data_entry(const struct streaminfo *a_stream, vo
if(is_hited_allow(context->result, context->hit_cnt)) if(is_hited_allow(context->result, context->hit_cnt))
{ {
state=APP_STATE_KILL_OTHER|APP_STATE_GIVEME;
break; break;
} }
@@ -2037,6 +2067,19 @@ static unsigned char tsg_master_data_entry(const struct streaminfo *a_stream, vo
hit_num+=scan_application_id_and_properties(a_stream, scan_result+hit_num, MAX_RESULT_NUM-hit_num, context, &(gather_result[i]), thread_seq); hit_num+=scan_application_id_and_properties(a_stream, scan_result+hit_num, MAX_RESULT_NUM-hit_num, context, &(gather_result[i]), thread_seq);
} }
if(context->session_flag>0)
{
hit_num+=tsg_scan_session_flags(g_tsg_maat_feather,
a_stream,
scan_result+hit_num,
MAX_RESULT_NUM-hit_num,
&context->mid,
g_tsg_para.table_id[TABLE_SESSION_FLAGS],
context->session_flag,
thread_seq
);
}
p_result=tsg_policy_decision_criteria(scan_result, hit_num); p_result=tsg_policy_decision_criteria(scan_result, hit_num);
if(p_result!=NULL && p_result->action!=TSG_ACTION_MONITOR) if(p_result!=NULL && p_result->action!=TSG_ACTION_MONITOR)
{ {
@@ -2335,6 +2378,7 @@ extern "C" int TSG_MASTER_INIT()
MESA_load_profile_string_def(tsg_conffile, "SYSTEM", "APP_IDENTIFY_RESULT_BRIDGE", g_tsg_para.bridge_name[BRIDGE_TYPE_APP_IDENTIFY_RESULT],_MAX_TABLE_NAME_LEN, "APP_IDENTIFY_RESULT_BRIDGE"); MESA_load_profile_string_def(tsg_conffile, "SYSTEM", "APP_IDENTIFY_RESULT_BRIDGE", g_tsg_para.bridge_name[BRIDGE_TYPE_APP_IDENTIFY_RESULT],_MAX_TABLE_NAME_LEN, "APP_IDENTIFY_RESULT_BRIDGE");
MESA_load_profile_string_def(tsg_conffile, "SYSTEM", "SKETCH_NOTIFY_BRIDGE_NAME", g_tsg_para.bridge_name[BRIDGE_TYPE_RECV_CONN_SKETCH_DATA],_MAX_TABLE_NAME_LEN, "TSG_CONN_SKETCH_NOTIFY_DATA"); MESA_load_profile_string_def(tsg_conffile, "SYSTEM", "SKETCH_NOTIFY_BRIDGE_NAME", g_tsg_para.bridge_name[BRIDGE_TYPE_RECV_CONN_SKETCH_DATA],_MAX_TABLE_NAME_LEN, "TSG_CONN_SKETCH_NOTIFY_DATA");
MESA_load_profile_string_def(tsg_conffile, "SYSTEM", "MASTER_NOTIFY_BRIDGE_NAME", g_tsg_para.bridge_name[BRIDGE_TYPE_SEND_CONN_SKETCH_DATA],_MAX_TABLE_NAME_LEN, "TSG_MASTER_NOTIFY_DATA"); MESA_load_profile_string_def(tsg_conffile, "SYSTEM", "MASTER_NOTIFY_BRIDGE_NAME", g_tsg_para.bridge_name[BRIDGE_TYPE_SEND_CONN_SKETCH_DATA],_MAX_TABLE_NAME_LEN, "TSG_MASTER_NOTIFY_DATA");
MESA_load_profile_string_def(tsg_conffile, "SESSION_FLAGS", "FLAGS_NOTIFY_BRIDGE_NAME", g_tsg_para.bridge_name[BRIDGE_TYPE_NOTIFY_FLAGS],_MAX_TABLE_NAME_LEN, "SESSION_FLAGS_SYNC_NOTIFY_DATA");
for(i=0; i<BRIDGE_TYPE_MAX; i++) for(i=0; i<BRIDGE_TYPE_MAX; i++)
{ {
@@ -2357,6 +2401,18 @@ extern "C" int TSG_MASTER_INIT()
return -1; return -1;
} }
ret=stream_bridge_register_data_sync_cb(g_tsg_para.bridge_id[BRIDGE_TYPE_NOTIFY_FLAGS], session_flags_identify_result_cb);
if(ret<0)
{
MESA_handle_runtime_log(g_tsg_para.logger,
RLOG_LV_FATAL,
"APP_BRIDGE",
"Register callback failed, bridge_name: %d",
g_tsg_para.bridge_name[BRIDGE_TYPE_NOTIFY_FLAGS]
);
return -1;
}
g_tsg_para.context_project_id=project_producer_register("TSG_MASTER_CONTEXT", PROJECT_VAL_TYPE_STRUCT, free_context_label); g_tsg_para.context_project_id=project_producer_register("TSG_MASTER_CONTEXT", PROJECT_VAL_TYPE_STRUCT, free_context_label);
if(g_tsg_para.context_project_id<0) if(g_tsg_para.context_project_id<0)
{ {
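Review bot: The new `TLD_append` for the flags field reads `context->session_flag` before the `if(context!=NULL && context->hited_app_id>0)` guard that immediately follows it, so a NULL context now crashes master_send_log at the added line instead of being skipped as the surrounding code intends. Move both added lines under a guard, `if(context!=NULL) { char *flags_field_name=log_field_id2name(g_tsg_log_instance, LOG_COMMON_FLAGS); TLD_append(TLD_handle, flags_field_name, (void *)context->session_flag, TLD_TYPE_LONG); }`, or fold them into the existing block. master_send_log begins outside the hunk, so whether an earlier check already rules out NULL cannot be seen here. Separately, in the TSG_MASTER_INIT hunk the new fatal log `"Register callback failed, bridge_name: %d"` is passed `g_tsg_para.bridge_name[BRIDGE_TYPE_NOTIFY_FLAGS]`, which MESA_load_profile_string_def fills as a character buffer a few lines above, so the specifier should be `%s`.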


@@ -95,6 +95,7 @@ enum MASTER_STATIC_TABLE{
TABLE_TUNNEL_CATALOG, TABLE_TUNNEL_CATALOG,
TABLE_TUNNEL_ENDPOINT, TABLE_TUNNEL_ENDPOINT,
TABLE_TUNNEL_LABEL, TABLE_TUNNEL_LABEL,
TABLE_SESSION_FLAGS,
TABLE_MAX TABLE_MAX
}; };
@@ -181,6 +182,7 @@ enum BRIDGE_TYPE
BRIDGE_TYPE_SEND_CONN_SKETCH_DATA=0, BRIDGE_TYPE_SEND_CONN_SKETCH_DATA=0,
BRIDGE_TYPE_RECV_CONN_SKETCH_DATA, BRIDGE_TYPE_RECV_CONN_SKETCH_DATA,
BRIDGE_TYPE_APP_IDENTIFY_RESULT, BRIDGE_TYPE_APP_IDENTIFY_RESULT,
BRIDGE_TYPE_NOTIFY_FLAGS,
BRIDGE_TYPE_MAX BRIDGE_TYPE_MAX
}; };
@@ -261,12 +263,13 @@ struct master_context
unsigned char is_dropme; unsigned char is_dropme;
unsigned char deal_pkt_num; unsigned char deal_pkt_num;
unsigned char is_app_link; unsigned char is_app_link;
unsigned char pad; unsigned char padding;
unsigned short timeout; unsigned short timeout;
tsg_protocol_t proto; tsg_protocol_t proto;
int hit_cnt; int hit_cnt;
int hited_app_id; int hited_app_id;
unsigned int quic_version; unsigned int quic_version;
unsigned long session_flag;
char *domain; char *domain;
union union
{ {
@@ -491,5 +494,6 @@ int tsg_get_ip_location(const struct streaminfo *a_stream, int table_id, MAAT_PL
int tsg_get_ip_asn(const struct streaminfo *a_stream, int table_id, MAAT_PLUGIN_EX_DATA* client_asn, MAAT_PLUGIN_EX_DATA* server_asn); int tsg_get_ip_asn(const struct streaminfo *a_stream, int table_id, MAAT_PLUGIN_EX_DATA* client_asn, MAAT_PLUGIN_EX_DATA* server_asn);
int tsg_get_subscribe_id(const struct streaminfo *a_stream, struct subscribe_id_info **source_subscribe_id, struct subscribe_id_info **dest_subscribe_id); int tsg_get_subscribe_id(const struct streaminfo *a_stream, struct subscribe_id_info **source_subscribe_id, struct subscribe_id_info **dest_subscribe_id);
int tsg_send_raw_packet(const struct streaminfo *a_stream, struct mirrored_vlan *vlan, int vlan_num, int thread_seq); int tsg_send_raw_packet(const struct streaminfo *a_stream, struct mirrored_vlan *vlan, int vlan_num, int thread_seq);
int tsg_scan_session_flags(Maat_feather_t maat_feather, const struct streaminfo *a_stream, Maat_rule_t *result, int result_num, scan_status_t *mid, int table_id, unsigned long flag, int thread_seq);
#endif #endif
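Review bot: The new `session_flag` member of struct master_context carries no comment, although its contract is fixed elsewhere in this commit: it is assigned from the bridge payload in session_flags_identify_result_cb and a value of 0 makes tsg_master_data_entry skip the TABLE_SESSION_FLAGS scan. Suggest `unsigned long session_flag; /* flag bits received over BRIDGE_TYPE_NOTIFY_FLAGS; 0 is treated as "no flags" and skips the session-flag scan */`. Whether init_context zeroes this field is not visible here and should be confirmed, since the `>0` gate depends on it. struct master_context starts and ends outside the hunk.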


@@ -1914,6 +1914,8 @@ int tsg_rule_init(const char* conffile, void *logger)
MESA_load_profile_string_def(conffile, "MAAT", "TUNNEL_ENDPOINT_TABLE", g_tsg_para.table_name[TABLE_TUNNEL_ENDPOINT], _MAX_TABLE_NAME_LEN, "TSG_TUNNEL_ENDPOINT"); MESA_load_profile_string_def(conffile, "MAAT", "TUNNEL_ENDPOINT_TABLE", g_tsg_para.table_name[TABLE_TUNNEL_ENDPOINT], _MAX_TABLE_NAME_LEN, "TSG_TUNNEL_ENDPOINT");
MESA_load_profile_string_def(conffile, "MAAT", "TUNNEL_LABEL_TABLE", g_tsg_para.table_name[TABLE_TUNNEL_LABEL], _MAX_TABLE_NAME_LEN, "TSG_TUNNEL_LABEL"); MESA_load_profile_string_def(conffile, "MAAT", "TUNNEL_LABEL_TABLE", g_tsg_para.table_name[TABLE_TUNNEL_LABEL], _MAX_TABLE_NAME_LEN, "TSG_TUNNEL_LABEL");
MESA_load_profile_string_def(conffile, "MAAT", "SESSION_FLAG_TABLE", g_tsg_para.table_name[TABLE_SESSION_FLAGS], _MAX_TABLE_NAME_LEN, "TSG_SECURITY_FLAG");
MESA_load_profile_int_def(conffile, "MAAT","LOG_LEVEL", &log_level, 30); MESA_load_profile_int_def(conffile, "MAAT","LOG_LEVEL", &log_level, 30);
MESA_load_profile_string_def(conffile, "MAAT", "LOG_PATH", log_path, sizeof(log_path), "./tsglog/maat/tsg_maat.log"); MESA_load_profile_string_def(conffile, "MAAT", "LOG_PATH", log_path, sizeof(log_path), "./tsglog/maat/tsg_maat.log");
g_tsg_para.maat_logger=MESA_create_runtime_log_handle(log_path, log_level); g_tsg_para.maat_logger=MESA_create_runtime_log_handle(log_path, log_level);
@@ -2868,6 +2870,29 @@ int tsg_scan_shared_policy(Maat_feather_t maat_feather, const struct streaminfo
return 0; return 0;
} }
int tsg_scan_session_flags(Maat_feather_t maat_feather, const struct streaminfo *a_stream, Maat_rule_t *result, int result_num, scan_status_t *mid, int table_id, unsigned long flag, int thread_seq)
{
int ret=Maat_scan_flag(maat_feather, table_id, flag, result, result_num, mid, thread_seq);
if(ret>0)
{
MESA_handle_runtime_log(g_tsg_para.logger,
RLOG_LV_DEBUG,
"SCAN_FLAGS",
"Hit flag=%llu policy_id: %d service: %d action: %d addr: %s",
flag,
result[0].config_id,
result[0].service_id,
(unsigned char)result[0].action,
PRINTADDR(a_stream, g_tsg_para.level)
);
return ret;
}
MESA_handle_runtime_log(g_tsg_para.logger, RLOG_LV_DEBUG, "SCAN_FLAG", "Not hit flag=%llu ret: %d stream_dir: %d addr: %s", flag, ret, a_stream->dir, PRINTADDR(a_stream, g_tsg_para.level));
return 0;
}
struct Maat_rule_t *tsg_fetch_deny_rule(Maat_rule_t *result, int result_num) struct Maat_rule_t *tsg_fetch_deny_rule(Maat_rule_t *result, int result_num)
{ {
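Review bot: Both new log lines in tsg_scan_session_flags print `flag`, declared `unsigned long`, with `%llu`; the matching specifier is `%lu` (the types agree in size on LP64 but not in kind, and -Wformat reports the mismatch). Change `"Hit flag=%llu policy_id: %d service: %d action: %d addr: %s"` to `"Hit flag=%lu policy_id: %d service: %d action: %d addr: %s"` and `"Not hit flag=%llu ret: %d stream_dir: %d addr: %s"` to `"Not hit flag=%lu ret: %d stream_dir: %d addr: %s"`. The two calls also use different module tags, `"SCAN_FLAGS"` and `"SCAN_FLAG"`, which makes filtering the runtime log awkward; pick one. A negative `ret` from Maat_scan_flag is reported as a "Not hit" DEBUG entry and mapped to 0, so a scan failure is indistinguishable from a clean miss to the caller; if that is intended, a comment on the final `return 0;` saying so would help.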


@@ -133,6 +133,7 @@ typedef enum _tsg_log_field_id
LOG_COMMON_TUNNELS_ENDPOINT_B_DESC, LOG_COMMON_TUNNELS_ENDPOINT_B_DESC,
LOG_COMMON_TRAFFIC_VSYSTEM_ID, LOG_COMMON_TRAFFIC_VSYSTEM_ID,
LOG_COMMON_APP_FULL_PATH, LOG_COMMON_APP_FULL_PATH,
LOG_COMMON_FLAGS,
LOG_COMMON_MAX LOG_COMMON_MAX
}tsg_log_field_id_t; }tsg_log_field_id_t;