TSG-13106: 支持Flag Object作为策略条件之一
@@ -121,3 +121,4 @@ STRING common_tunnel_endpoint_a_desc 108
|
||||
STRING common_tunnel_endpoint_b_desc 109
|
||||
LONG common_t_vsys_id 110
|
||||
STRING common_app_full_path 111
|
||||
LONG common_flags 112
|
||||
|
||||
@@ -89,3 +89,5 @@
|
||||
77 TSG_TUNNEL_ENDPOINT ip_plugin {"row_id":1,"ip_type":2,"start_ip":3,"end_ip":4,"valid":6,"estimate_size":4194304}
|
||||
78 TSG_TUNNEL_LABEL plugin {"key":2,"valid":3} --
|
||||
79 TSG_SECURITY_TUNNEL virtual TSG_OBJ_TUNNEL_ID --
|
||||
80 TSG_OBJ_FLAG flag --
|
||||
81 TSG_SECURITY_FLAG virtual TSG_OBJ_FLAG --
|
||||
@@ -686,6 +686,9 @@ static int master_send_log(const struct streaminfo *a_stream, struct Maat_rule_t
|
||||
TLD_append(TLD_handle, schema_field_name, (void *)g_tsg_proto_name2id[PROTO_APP].name, TLD_TYPE_STRING);
|
||||
}
|
||||
|
||||
char *flags_field_name=log_field_id2name(g_tsg_log_instance, LOG_COMMON_FLAGS);
|
||||
TLD_append(TLD_handle, flags_field_name, (void *)context->session_flag, TLD_TYPE_LONG);
|
||||
|
||||
if(context!=NULL && context->hited_app_id>0)
|
||||
{
|
||||
char app_label_name[512]={0};
|
||||
@@ -1892,6 +1895,32 @@ static int app_identify_result_cb(const struct streaminfo *a_stream, int bridge_
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int session_flags_identify_result_cb(const struct streaminfo *a_stream, int bridge_id, void *data)
|
||||
{
|
||||
if(data==NULL)
|
||||
{
|
||||
return 0;
|
||||
}
|
||||
|
||||
struct master_context *context=NULL;
|
||||
struct Maat_rule_t scan_result[MAX_RESULT_NUM]={0};
|
||||
|
||||
context=(struct master_context *)get_struct_project(a_stream, g_tsg_para.context_project_id);
|
||||
if(context==NULL)
|
||||
{
|
||||
init_context((void **)(&context), a_stream->threadnum);
|
||||
set_struct_project(a_stream, g_tsg_para.context_project_id, (void *)context);
|
||||
}
|
||||
|
||||
context->session_flag=*(unsigned long *)(data);
|
||||
|
||||
int hit_num=tsg_scan_session_flags(g_tsg_maat_feather, a_stream, scan_result, MAX_RESULT_NUM, &context->mid, g_tsg_para.table_id[TABLE_SESSION_FLAGS], context->session_flag, a_stream->threadnum);
|
||||
|
||||
master_deal_scan_result(a_stream, context, scan_result, hit_num, NULL);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
static int deal_pending_state(const struct streaminfo *a_stream, struct master_context *context, struct Maat_rule_t *result, int result_num, void *a_packet)
|
||||
{
|
||||
@@ -2010,6 +2039,7 @@ static unsigned char tsg_master_data_entry(const struct streaminfo *a_stream, vo
|
||||
|
||||
if(is_hited_allow(context->result, context->hit_cnt))
|
||||
{
|
||||
state=APP_STATE_KILL_OTHER|APP_STATE_GIVEME;
|
||||
break;
|
||||
}
|
||||
|
||||
@@ -2037,6 +2067,19 @@ static unsigned char tsg_master_data_entry(const struct streaminfo *a_stream, vo
|
||||
hit_num+=scan_application_id_and_properties(a_stream, scan_result+hit_num, MAX_RESULT_NUM-hit_num, context, &(gather_result[i]), thread_seq);
|
||||
}
|
||||
|
||||
if(context->session_flag>0)
|
||||
{
|
||||
hit_num+=tsg_scan_session_flags(g_tsg_maat_feather,
|
||||
a_stream,
|
||||
scan_result+hit_num,
|
||||
MAX_RESULT_NUM-hit_num,
|
||||
&context->mid,
|
||||
g_tsg_para.table_id[TABLE_SESSION_FLAGS],
|
||||
context->session_flag,
|
||||
thread_seq
|
||||
);
|
||||
}
|
||||
|
||||
p_result=tsg_policy_decision_criteria(scan_result, hit_num);
|
||||
if(p_result!=NULL && p_result->action!=TSG_ACTION_MONITOR)
|
||||
{
|
||||
@@ -2335,6 +2378,7 @@ extern "C" int TSG_MASTER_INIT()
|
||||
MESA_load_profile_string_def(tsg_conffile, "SYSTEM", "APP_IDENTIFY_RESULT_BRIDGE", g_tsg_para.bridge_name[BRIDGE_TYPE_APP_IDENTIFY_RESULT],_MAX_TABLE_NAME_LEN, "APP_IDENTIFY_RESULT_BRIDGE");
|
||||
MESA_load_profile_string_def(tsg_conffile, "SYSTEM", "SKETCH_NOTIFY_BRIDGE_NAME", g_tsg_para.bridge_name[BRIDGE_TYPE_RECV_CONN_SKETCH_DATA],_MAX_TABLE_NAME_LEN, "TSG_CONN_SKETCH_NOTIFY_DATA");
|
||||
MESA_load_profile_string_def(tsg_conffile, "SYSTEM", "MASTER_NOTIFY_BRIDGE_NAME", g_tsg_para.bridge_name[BRIDGE_TYPE_SEND_CONN_SKETCH_DATA],_MAX_TABLE_NAME_LEN, "TSG_MASTER_NOTIFY_DATA");
|
||||
MESA_load_profile_string_def(tsg_conffile, "SESSION_FLAGS", "FLAGS_NOTIFY_BRIDGE_NAME", g_tsg_para.bridge_name[BRIDGE_TYPE_NOTIFY_FLAGS],_MAX_TABLE_NAME_LEN, "SESSION_FLAGS_SYNC_NOTIFY_DATA");
|
||||
|
||||
for(i=0; i<BRIDGE_TYPE_MAX; i++)
|
||||
{
|
||||
@@ -2357,6 +2401,18 @@ extern "C" int TSG_MASTER_INIT()
|
||||
return -1;
|
||||
}
|
||||
|
||||
ret=stream_bridge_register_data_sync_cb(g_tsg_para.bridge_id[BRIDGE_TYPE_NOTIFY_FLAGS], session_flags_identify_result_cb);
|
||||
if(ret<0)
|
||||
{
|
||||
MESA_handle_runtime_log(g_tsg_para.logger,
|
||||
RLOG_LV_FATAL,
|
||||
"APP_BRIDGE",
|
||||
"Register callback failed, bridge_name: %d",
|
||||
g_tsg_para.bridge_name[BRIDGE_TYPE_NOTIFY_FLAGS]
|
||||
);
|
||||
return -1;
|
||||
}
|
||||
|
||||
g_tsg_para.context_project_id=project_producer_register("TSG_MASTER_CONTEXT", PROJECT_VAL_TYPE_STRUCT, free_context_label);
|
||||
if(g_tsg_para.context_project_id<0)
|
||||
{
|
||||
|
||||
@@ -95,6 +95,7 @@ enum MASTER_STATIC_TABLE{
|
||||
TABLE_TUNNEL_CATALOG,
|
||||
TABLE_TUNNEL_ENDPOINT,
|
||||
TABLE_TUNNEL_LABEL,
|
||||
TABLE_SESSION_FLAGS,
|
||||
TABLE_MAX
|
||||
};
|
||||
|
||||
@@ -181,6 +182,7 @@ enum BRIDGE_TYPE
|
||||
BRIDGE_TYPE_SEND_CONN_SKETCH_DATA=0,
|
||||
BRIDGE_TYPE_RECV_CONN_SKETCH_DATA,
|
||||
BRIDGE_TYPE_APP_IDENTIFY_RESULT,
|
||||
BRIDGE_TYPE_NOTIFY_FLAGS,
|
||||
BRIDGE_TYPE_MAX
|
||||
};
|
||||
|
||||
@@ -261,12 +263,13 @@ struct master_context
|
||||
unsigned char is_dropme;
|
||||
unsigned char deal_pkt_num;
|
||||
unsigned char is_app_link;
|
||||
unsigned char pad;
|
||||
unsigned char padding;
|
||||
unsigned short timeout;
|
||||
tsg_protocol_t proto;
|
||||
int hit_cnt;
|
||||
int hited_app_id;
|
||||
unsigned int quic_version;
|
||||
unsigned long session_flag;
|
||||
char *domain;
|
||||
union
|
||||
{
|
||||
@@ -491,5 +494,6 @@ int tsg_get_ip_location(const struct streaminfo *a_stream, int table_id, MAAT_PL
|
||||
int tsg_get_ip_asn(const struct streaminfo *a_stream, int table_id, MAAT_PLUGIN_EX_DATA* client_asn, MAAT_PLUGIN_EX_DATA* server_asn);
|
||||
int tsg_get_subscribe_id(const struct streaminfo *a_stream, struct subscribe_id_info **source_subscribe_id, struct subscribe_id_info **dest_subscribe_id);
|
||||
int tsg_send_raw_packet(const struct streaminfo *a_stream, struct mirrored_vlan *vlan, int vlan_num, int thread_seq);
|
||||
int tsg_scan_session_flags(Maat_feather_t maat_feather, const struct streaminfo *a_stream, Maat_rule_t *result, int result_num, scan_status_t *mid, int table_id, unsigned long flag, int thread_seq);
|
||||
|
||||
#endif
|
||||
|
||||
@@ -1914,6 +1914,8 @@ int tsg_rule_init(const char* conffile, void *logger)
|
||||
MESA_load_profile_string_def(conffile, "MAAT", "TUNNEL_ENDPOINT_TABLE", g_tsg_para.table_name[TABLE_TUNNEL_ENDPOINT], _MAX_TABLE_NAME_LEN, "TSG_TUNNEL_ENDPOINT");
|
||||
MESA_load_profile_string_def(conffile, "MAAT", "TUNNEL_LABEL_TABLE", g_tsg_para.table_name[TABLE_TUNNEL_LABEL], _MAX_TABLE_NAME_LEN, "TSG_TUNNEL_LABEL");
|
||||
|
||||
MESA_load_profile_string_def(conffile, "MAAT", "SESSION_FLAG_TABLE", g_tsg_para.table_name[TABLE_SESSION_FLAGS], _MAX_TABLE_NAME_LEN, "TSG_SECURITY_FLAG");
|
||||
|
||||
MESA_load_profile_int_def(conffile, "MAAT","LOG_LEVEL", &log_level, 30);
|
||||
MESA_load_profile_string_def(conffile, "MAAT", "LOG_PATH", log_path, sizeof(log_path), "./tsglog/maat/tsg_maat.log");
|
||||
g_tsg_para.maat_logger=MESA_create_runtime_log_handle(log_path, log_level);
|
||||
@@ -2868,6 +2870,29 @@ int tsg_scan_shared_policy(Maat_feather_t maat_feather, const struct streaminfo
|
||||
return 0;
|
||||
}
|
||||
|
||||
int tsg_scan_session_flags(Maat_feather_t maat_feather, const struct streaminfo *a_stream, Maat_rule_t *result, int result_num, scan_status_t *mid, int table_id, unsigned long flag, int thread_seq)
|
||||
{
|
||||
int ret=Maat_scan_flag(maat_feather, table_id, flag, result, result_num, mid, thread_seq);
|
||||
if(ret>0)
|
||||
{
|
||||
MESA_handle_runtime_log(g_tsg_para.logger,
|
||||
RLOG_LV_DEBUG,
|
||||
"SCAN_FLAGS",
|
||||
"Hit flag=%llu policy_id: %d service: %d action: %d addr: %s",
|
||||
flag,
|
||||
result[0].config_id,
|
||||
result[0].service_id,
|
||||
(unsigned char)result[0].action,
|
||||
PRINTADDR(a_stream, g_tsg_para.level)
|
||||
);
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
MESA_handle_runtime_log(g_tsg_para.logger, RLOG_LV_DEBUG, "SCAN_FLAG", "Not hit flag=%llu ret: %d stream_dir: %d addr: %s", flag, ret, a_stream->dir, PRINTADDR(a_stream, g_tsg_para.level));
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
struct Maat_rule_t *tsg_fetch_deny_rule(Maat_rule_t *result, int result_num)
|
||||
{
|
||||
|
||||
@@ -133,6 +133,7 @@ typedef enum _tsg_log_field_id
|
||||
LOG_COMMON_TUNNELS_ENDPOINT_B_DESC,
|
||||
LOG_COMMON_TRAFFIC_VSYSTEM_ID,
|
||||
LOG_COMMON_APP_FULL_PATH,
|
||||
LOG_COMMON_FLAGS,
|
||||
LOG_COMMON_MAX
|
||||
}tsg_log_field_id_t;
|
||||
|
||||
|
||||