TSG-9521: 支持按Application属性，按会话执行deny action和设置timeout参数

inc/tsg_rule.h

@@ -29,6 +29,7 @@ enum TSG_METHOD_TYPE
 	TSG_METHOD_TYPE_MIRRORED,
     TSG_METHOD_TYPE_TAMPER,
     TSG_METHOD_TYPE_DEFAULT,
+    TSG_METHOD_TYPE_APP_DROP,
 	TSG_METHOD_TYPE_MAX
 };
 
@@ -46,26 +47,6 @@ typedef	enum _PULL_RESULT_TYPE
 	PULL_ALL_RESULT
 }PULL_RESULT_TYPE;
 
-struct app_id_dict
-{
-	int ref_cnt;
-	int app_id;
-	int parent_app_id;
-	int deny_action;
-	int continue_scanning;
-	unsigned short tcp_timeout;
-	unsigned short udp_timeout;
-	int tcp_time_wait;
-	int tcp_half_close;
-	char *risk;
-	char *app_name;
-	char *parent_app_name;
-	char *category;
-	char *subcategroy;
-	char *technology;
-	char *characteristics;
-};
-
 extern Maat_feather_t g_tsg_maat_feather;
 
 int tsg_rule_init(const char *conffile, void *logger);

src/tsg_action.cpp

@@ -803,24 +803,16 @@ static unsigned char do_action_redirect_xxx(const struct streaminfo *a_stream, M
 	return STATE_DROPME|STATE_DROPPKT;
 }
 
-unsigned char tsg_deal_deny_action(const struct streaminfo *a_stream, Maat_rule_t *p_result, tsg_protocol_t protocol, enum ACTION_RETURN_TYPE type, const void *user_data)
+static unsigned char tsg_do_deny_action(const struct streaminfo *a_stream, struct compile_user_region *user_region, Maat_rule_t *p_result, tsg_protocol_t protocol, enum ACTION_RETURN_TYPE type, const void *user_data)
 {
 	unsigned char local_state=STATE_GIVEME;
 	unsigned char state=0;
 	int method_type=TSG_METHOD_TYPE_RESET;
-	struct compile_user_region *user_region=NULL;
-
-	if(p_result->action==TSG_ACTION_BYPASS)
-	{
-		return ((type==ACTION_RETURN_TYPE_PROT) ? PROT_STATE_DROPME : APP_STATE_GIVEME);
-	}
-
-	user_region=(struct compile_user_region *)Maat_rule_get_ex_data(g_tsg_maat_feather, p_result, g_tsg_para.table_id[TABLE_SECURITY_COMPILE]);
 	if(user_region!=NULL)
 	{
 		method_type=user_region->method_type;
 	}
-	
+
 	switch(method_type)
 	{
 		case	TSG_METHOD_TYPE_DROP:
@@ -850,20 +842,34 @@ unsigned char tsg_deal_deny_action(const struct streaminfo *a_stream, Maat_rule_
 		case	TSG_METHOD_TYPE_DEFAULT:
 			local_state=do_action_default_xxx(a_stream, p_result, user_region, protocol, user_data);
 			break;
+		case	TSG_METHOD_TYPE_APP_DROP:
+			if(user_region->deny->type!=TSG_DENY_TYPE_APP_DROP)
+			{
+				break;
+			}
+			
+			local_state=0;
+			if(user_region->deny->app_para.send_icmp_enable==1)
+			{
+				 local_state|=do_action_tamper(a_stream, p_result, user_region, protocol, user_data);
+			}
+
+			if(user_region->deny->app_para.send_reset_enable==1)
+			{
+				 local_state|=do_action_reset(a_stream, p_result, protocol);
+			}
+			break;
 		default:
 			break;
 	}
-
 	
+	tsg_notify_hited_monitor_result(a_stream, p_result, 1, a_stream->threadnum);
+
 	if(method_type!=TSG_METHOD_TYPE_DEFAULT)
 	{
 		struct tcpall_context *context=NULL;
 		tsg_set_method_to_tcpall(a_stream, &context, (enum TSG_METHOD_TYPE)method_type, a_stream->threadnum);
 	}
-
-	tsg_notify_hited_monitor_result(a_stream, p_result, 1, a_stream->threadnum);
-
-	security_compile_free(g_tsg_para.table_id[TABLE_SECURITY_COMPILE], p_result, NULL, (MAAT_RULE_EX_DATA *)&user_region, 0, NULL);
 	
 	state=((type==ACTION_RETURN_TYPE_PROT) ? PROT_STATE_GIVEME : APP_STATE_GIVEME);
 	state|=((type==ACTION_RETURN_TYPE_PROT) ? (local_state&STATE_DROPME ? PROT_STATE_DROPME : 0) : (local_state&STATE_DROPME ? APP_STATE_DROPME : 0));	
@@ -874,3 +880,61 @@ unsigned char tsg_deal_deny_action(const struct streaminfo *a_stream, Maat_rule_
 	return state;
 }
 
+unsigned char tsg_deny_application(const struct streaminfo *a_stream, Maat_rule_t *p_result, tsg_protocol_t protocol, int app_id, enum ACTION_RETURN_TYPE type, const void *user_data)
+{
+	unsigned char state=0;
+	char app_id_buff[32]={0};
+	struct app_id_dict *dict=NULL;	
+	struct compile_user_region app_user_region={0}, *user_region=NULL;
+	
+	snprintf(app_id_buff, sizeof(app_id_buff), "%d", app_id);
+	dict=(struct app_id_dict *)Maat_plugin_get_EX_data(g_tsg_maat_feather, g_tsg_para.table_id[TABLE_APP_ID_DICT], (const char *)app_id_buff);
+	if(dict==NULL)
+	{
+		return ((type==ACTION_RETURN_TYPE_PROT) ? PROT_STATE_GIVEME : APP_STATE_GIVEME);
+	}
+	
+	user_region=(struct compile_user_region *)Maat_rule_get_ex_data(g_tsg_maat_feather, p_result, g_tsg_para.table_id[TABLE_SECURITY_COMPILE]);
+	if(user_region!=NULL)
+	{
+		app_user_region.capture=user_region->capture;		
+		security_compile_free(g_tsg_para.table_id[TABLE_SECURITY_COMPILE], p_result, NULL, (MAAT_RULE_EX_DATA *)&user_region, 0, NULL);
+	}
+
+	switch(dict->deny_app_para.type)
+	{
+		case	TSG_DENY_TYPE_APP_DROP:
+			app_user_region.method_type=TSG_METHOD_TYPE_APP_DROP;
+			app_user_region.deny=&(dict->deny_app_para);
+			break;
+		case	TSG_DENY_TYPE_APP_RATELIMIT:
+			app_user_region.method_type=TSG_METHOD_TYPE_RATE_LIMIT;
+			app_user_region.deny=&(dict->deny_app_para);
+			break;
+		default:
+			break;
+	}
+	
+	state=tsg_do_deny_action(a_stream, &app_user_region, p_result, protocol, type, user_data);
+	app_id_dict_free(g_tsg_para.table_id[TABLE_APP_ID_DICT], (MAAT_PLUGIN_EX_DATA *)&dict, 0, NULL);
+	
+	return state;
+}
+
+unsigned char tsg_deal_deny_action(const struct streaminfo *a_stream, Maat_rule_t *p_result, tsg_protocol_t protocol, enum ACTION_RETURN_TYPE type, const void *user_data)
+{
+	unsigned char state=0;
+	struct compile_user_region *user_region=NULL;
+
+	if(p_result->action==TSG_ACTION_BYPASS)
+	{
+		return ((type==ACTION_RETURN_TYPE_PROT) ? PROT_STATE_DROPME : APP_STATE_GIVEME);
+	}
+
+	user_region=(struct compile_user_region *)Maat_rule_get_ex_data(g_tsg_maat_feather, p_result, g_tsg_para.table_id[TABLE_SECURITY_COMPILE]);
+	state=tsg_do_deny_action(a_stream, user_region, p_result, protocol, type, user_data);
+	security_compile_free(g_tsg_para.table_id[TABLE_SECURITY_COMPILE], p_result, NULL, (MAAT_RULE_EX_DATA *)&user_region, 0, NULL);
+
+	return state;
+}
+

src/tsg_entry.cpp

@@ -1488,9 +1488,12 @@ static int identify_application_protocol(const struct streaminfo *a_stream, stru
 int scan_application_id_and_properties(const struct streaminfo *a_stream, struct Maat_rule_t *result, int result_num, struct master_context *context, struct app_identify_result *identify_result, int thread_seq)
 {
 	int i=0,hit_num=0;
+	int hited_app_id=0;
+	int after_n_packets=0;
 	char *name=NULL;
 	char app_id_buff[32]={0};
 	struct app_id_dict *dict=NULL;
+	struct Maat_rule_t *p_result, *d_result=NULL;
 
 	for(i=0; i< identify_result->app_id_num; i++)
 	{
@@ -1505,12 +1508,8 @@ int scan_application_id_and_properties(const struct streaminfo *a_stream, struct
 			hit_num+=tsg_scan_app_properties_policy(g_tsg_maat_feather, a_stream, result+hit_num, result_num-hit_num, &(context->mid), dict->characteristics, (char *)"characteristics", thread_seq);
 
 			hit_num+=tsg_scan_app_id_policy(g_tsg_maat_feather, a_stream, result+hit_num, result_num-hit_num, &(context->mid), dict->app_name, identify_result->app_id[i], thread_seq);
-			//hit_num+=tsg_scan_app_id_policy(g_tsg_maat_feather, a_stream, result+hit_num, result_num-hit_num, mid, dict->parent_app_name, dict->parent_app_id, thread_seq);
+			after_n_packets=dict->deny_app_para.after_n_packets;
-
+			
-			if(context->hited_app_id==0 && hit_num>0 && identify_result->origin!=ORIGIN_BASIC_PROTOCOL)
-			{
-				context->hited_app_id=identify_result->app_id[i];
-			}
 			set_app_timeout(a_stream, dict, &(context->timeout));
 			app_id_dict_free(g_tsg_para.table_id[TABLE_APP_ID_DICT], (MAAT_PLUGIN_EX_DATA *)&dict, 0, NULL);
 		}
@@ -1519,15 +1518,47 @@ int scan_application_id_and_properties(const struct streaminfo *a_stream, struct
 			name=tsg_l7_protocol_id2name(identify_result->app_id[i]);
 			hit_num+=tsg_scan_app_id_policy(g_tsg_maat_feather, a_stream, result+hit_num, result_num-hit_num, &(context->mid), ((name==NULL) ? (char *)"" : name), identify_result->app_id[i], thread_seq);
 		}
+
+		p_result=tsg_fetch_deny_rule(result, hit_num);
+		if(d_result==NULL)
+		{
+			d_result=p_result;
+			hited_app_id=identify_result->app_id[i];
+			continue;
+		}
+		
+		if(d_result->config_id!=p_result->config_id)
+		{
+			d_result=p_result;
+			hited_app_id=identify_result->app_id[i];
+		}
 	}	
 
+	if(hit_num>0)
+	{
+		if(identify_result->origin!=ORIGIN_BASIC_PROTOCOL)
+		{
+			context->hited_app_id=hited_app_id;			
+		}
+		
+		context->hited_para.hited_app_id=hited_app_id;
+		context->hited_para.after_n_packets=after_n_packets;
+	}
+
+	if(d_result!=NULL && d_result->action==TSG_ACTION_DENY)
+	{
+		copy_result_to_project(a_stream, context, d_result, NULL, context->proto, PULL_FW_RESULT, thread_seq);
+	}
+		
 	return hit_num;
 }
 
 static unsigned char master_deal_scan_result(const struct streaminfo *a_stream, struct master_context *context, struct Maat_rule_t *result, int hit_num, const void *a_packet)
 {
-	Maat_rule_t *p_result=NULL;
+	int ret=0;
-	unsigned char state=APP_STATE_GIVEME;
+	unsigned char state=APP_STATE_GIVEME;	
+	struct identify_info tmp_identify_info;	
+	Maat_rule_t *p_result=NULL, app_result={0};
 	struct tcpall_context *tmp_tcpall_context=NULL;
 
 	p_result=tsg_policy_decision_criteria(result, hit_num);
@@ -1537,7 +1568,29 @@ static unsigned char master_deal_scan_result(const struct streaminfo *a_stream,
 		switch((unsigned char)p_result->action)
 		{
 			case	TSG_ACTION_DENY:
-				state=tsg_deal_deny_action(a_stream, p_result, context->proto, ACTION_RETURN_TYPE_APP, a_packet);
+				ret=tsg_pull_policy_result((struct streaminfo* )a_stream, PULL_FW_RESULT, &app_result, 1, &tmp_identify_info);
+				if(ret>0 && app_result.action==TSG_ACTION_DENY && app_result.config_id==p_result->config_id)
+				{
+					if(context->hited_para.after_n_packets>0)
+					{
+						ret=tsg_set_method_to_tcpall(a_stream, &tmp_tcpall_context, TSG_METHOD_TYPE_APP_DROP, a_stream->threadnum);
+						if(ret>0)
+						{
+							tmp_tcpall_context->hited_para=context->hited_para;
+						}
+						state=APP_STATE_KILL_OTHER|APP_STATE_DROPME;
+						break;
+					}
+					else
+					{
+						state=tsg_deny_application(a_stream, p_result, context->proto, context->hited_para.hited_app_id, ACTION_RETURN_TYPE_APP, a_packet);
+					}
+				}
+				else
+				{
+					state=tsg_deal_deny_action(a_stream, p_result, context->proto, ACTION_RETURN_TYPE_APP, a_packet);
+				}
+				
 				if((state&APP_STATE_DROPPKT)==APP_STATE_DROPPKT || (state&APP_STATE_KILL_OTHER) || is_tamper_action(p_result))
 				{
 					context->hit_cnt=0;
@@ -1835,14 +1888,16 @@ static unsigned char tsg_master_all_entry(const struct streaminfo *a_stream, uns
 	int eth_rawpkt_len=0;
 	scan_status_t scan_mid=NULL;
 	struct Maat_rule_t *p_result=NULL;	
-	unsigned char state=APP_STATE_GIVEME;
+	unsigned char state=APP_STATE_GIVEME;	
+	struct identify_info tmp_identify_info; 
 	struct Maat_rule_t result[MAX_RESULT_NUM]={0};	
-	struct tcpall_context *context=(struct tcpall_context *)(*pme);
+	struct master_context *data_context=NULL;
+	struct tcpall_context *all_context=(struct tcpall_context *)(*pme);
 		
 	if(stream_state==OP_STATE_PENDING)
 	{
-		context->method_type=TSG_METHOD_TYPE_DEFAULT;
+		all_context->method_type=TSG_METHOD_TYPE_DEFAULT;
-		context->after_n_packets=get_default_para(a_stream, g_tsg_para.default_compile_id);
+		all_context->after_n_packets=get_default_para(a_stream, g_tsg_para.default_compile_id);
 		
 		hit_num=tsg_scan_nesting_addr(g_tsg_maat_feather, a_stream, PROTO_UNKONWN, &scan_mid, result, MAX_RESULT_NUM);
 		if(hit_num>0)
@@ -1866,7 +1921,7 @@ static unsigned char tsg_master_all_entry(const struct streaminfo *a_stream, uns
 		scan_mid=NULL;
 	}
 
-	switch(context->method_type)
+	switch(all_context->method_type)
 	{
 		case	TSG_METHOD_TYPE_RATE_LIMIT:
 			eth_rawpkt_len=get_raw_packet_len(a_stream);
@@ -1875,7 +1930,7 @@ static unsigned char tsg_master_all_entry(const struct streaminfo *a_stream, uns
 				break;
 			}
 	
-			ret=is_permit_pass(eth_rawpkt_len*8, context->bucket, thread_seq);
+			ret=is_permit_pass(eth_rawpkt_len*8, all_context->bucket, thread_seq);
 			if(ret==0)
 			{
 				state|=APP_STATE_GIVEME|APP_STATE_DROPPKT;
@@ -1883,13 +1938,13 @@ static unsigned char tsg_master_all_entry(const struct streaminfo *a_stream, uns
 			break;
         case    TSG_METHOD_TYPE_TAMPER:
             if(a_stream->opstate != OP_STATE_PENDING){
-                if(0 == send_tamper_xxx(a_stream, &context->tamper_count, a_packet)){
+                if(0 == send_tamper_xxx(a_stream, &all_context->tamper_count, a_packet)){
                     state|=APP_STATE_GIVEME|APP_STATE_DROPPKT;
                 }
             }
             break;
 		case	TSG_METHOD_TYPE_DEFAULT:
-			if(!is_do_default_policy(a_stream, context->after_n_packets) || stream_state==OP_STATE_CLOSE)
+			if(!is_do_default_policy(a_stream, all_context->after_n_packets) || stream_state==OP_STATE_CLOSE)
 			{
 				break;
 			}
@@ -1900,6 +1955,26 @@ static unsigned char tsg_master_all_entry(const struct streaminfo *a_stream, uns
 				master_send_log(a_stream, &result[0], 1, NULL, thread_seq);
 			}
 			break;
+		case	TSG_METHOD_TYPE_APP_DROP:
+			if((all_context->hited_para.after_n_packets-- > 0) || stream_state==OP_STATE_CLOSE)
+			{
+				break;
+			}
+
+			ret=tsg_pull_policy_result((struct streaminfo *)a_stream,PULL_FW_RESULT, &result[0], 1, &tmp_identify_info);
+			if(ret>0)
+			{
+				data_context=(struct master_context *)get_struct_project(a_stream, g_tsg_para.context_project_id);
+				state=tsg_deny_application(a_stream, 
+											&result[0],
+											(data_context==NULL ? PROTO_UNKONWN : data_context->proto),
+											all_context->hited_para.hited_app_id,
+											ACTION_RETURN_TYPE_APP,
+											a_packet
+										);
+				master_send_log(a_stream, &result[0], 1, data_context, thread_seq);
+			}
+			break;
 		default:
 			break;
 	}

src/tsg_entry.h

@@ -17,6 +17,7 @@
 #include "tsg_label.h"
 #include "tsg_statistic.h"
 #include "tsg_leaky_bucket.h"
+#include "tsg_protocol_common.h"
 
 #if(__GNUC__ * 100 + __GNUC_MINOR__ * 10 + __GNUC_PATCHLEVEL__ >= 411)
 #define atomic_inc(x) __sync_add_and_fetch((x),1)
@@ -187,6 +188,31 @@ struct http_response_pages
 	char *content;
 };
 
+struct app_id_dict
+{
+	int ref_cnt;
+	int app_id;
+	int parent_app_id;
+	int continue_scanning;
+	unsigned short tcp_timeout;
+	unsigned short udp_timeout;
+	int tcp_time_wait;
+	int tcp_half_close;
+	char *risk;
+	char *app_name;
+	char *parent_app_name;
+	char *category;
+	char *subcategroy;
+	char *technology;
+	char *characteristics;
+	struct deny_user_region deny_app_para;
+};
+
+struct hited_app_para
+{
+	int hited_app_id;
+	int after_n_packets;
+};
 
 struct master_context
 {
@@ -202,6 +228,7 @@ struct master_context
 	char *quic_ua;
 	scan_status_t mid;	
 	struct Maat_rule_t *result;
+	struct hited_app_para hited_para;
 	struct timespec last_scan_time;
 };
 
@@ -213,7 +240,8 @@ struct tcpall_context
 	{
 		struct leaky_bucket *bucket;
 		long tamper_count;		
-		int after_n_packets;
+		int after_n_packets;		
+		struct hited_app_para hited_para;
 		void *para;
 	};
 };

src/tsg_protocol_common.h

@@ -23,6 +23,8 @@ enum TSG_DENY_TYPE
 	TSG_DENY_TYPE_SEND_ICMP,
 	TSG_DENY_TYPE_DEFAULT_RST,
 	TSG_DENY_TYPE_DEFAULT_DROP,
+	TSG_DENY_TYPE_APP_DROP,
+	TSG_DENY_TYPE_APP_RATELIMIT,
 	TSG_DENY_TYPE_MAX
 };
 
@@ -77,6 +79,12 @@ struct packet_capture
 	int depth;
 };
 
+struct app_action_para
+{
+	int send_reset_enable;
+	int send_icmp_enable;
+};
+
 struct deny_user_region
 {
 	enum TSG_DENY_TYPE type;
@@ -93,7 +101,8 @@ struct deny_user_region
 		struct dns_user_region *records;
 		int profile_id;
 		int bps;
-		int send_icmp_enable;		
+		int send_icmp_enable;
+		struct app_action_para app_para;
 		void *para;
 	};
 };
@@ -137,5 +146,6 @@ unsigned char do_action_redirect_dns(const struct streaminfo *a_stream, Maat_rul
 
 unsigned char send_icmp_unreachable(const struct streaminfo *a_stream);
 int send_tamper_xxx(const struct streaminfo *a_stream, long *tamper_count, const void *raw_pkt);
+unsigned char tsg_deny_application(const struct streaminfo *a_stream, Maat_rule_t *p_result, tsg_protocol_t protocol, int app_id, enum ACTION_RETURN_TYPE type, const void *user_data);
 
 #endif

src/tsg_rule.cpp

@@ -317,6 +317,45 @@ static char *_malloc_field(const char *field_start, size_t field_len)
 	return field;
 }
 
+static int get_string_from_json(cJSON *object, const char *key, char **value)
+{
+	if(object==NULL || key==NULL)
+	{
+		return 0;
+	}
+	int len=0;
+	cJSON *item=cJSON_GetObjectItem(object, key);
+	if(item!=NULL)
+	{
+		len=strlen(item->valuestring);
+		(*value)=(char *)malloc(len+1);
+		memcpy((*value), item->valuestring, len);
+		(*value)[len]='\0';
+
+		return 1;
+	}
+
+	return 0;
+}
+
+static int get_integer_from_json(cJSON *object, const char *key, int *value)
+{
+	if(object==NULL || key==NULL || (value)==NULL)
+	{
+		return 0;
+	}
+	
+	cJSON *item=cJSON_GetObjectItem(object, key);
+	if(item!=NULL)
+	{
+		(*value)=item->valueint;
+		return 1;
+	}
+
+	return 0;
+}
+
+
 void ASN_number_dup(int table_id, MAAT_PLUGIN_EX_DATA *to, MAAT_PLUGIN_EX_DATA *from, long argl, void* argp)
 {
 	if((*from)!=NULL)
@@ -521,6 +560,49 @@ void subscriber_id_free(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, void*
 	return;
 }
 
+static int parse_deny_action(char *deny_action_str, struct deny_user_region *deny_app_para)
+{
+	if(deny_action_str==NULL)
+	{
+		return 0;
+	}
+
+	cJSON *app_para=cJSON_Parse(deny_action_str);
+	if(app_para==NULL)
+	{
+		return 0;
+	}
+
+	char *method=NULL;	
+	int ret=get_string_from_json(app_para, "method", &method);	
+	if(ret==1)
+	{
+		int method_type=tsg_get_method_id(method);
+		switch(method_type)
+		{
+			case	TSG_METHOD_TYPE_DROP:
+				deny_app_para->type=TSG_DENY_TYPE_APP_DROP;
+				get_integer_from_json(app_para, "send_tcp_reset", &(deny_app_para->app_para.send_reset_enable));	
+				get_integer_from_json(app_para, "after_n_packets", &(deny_app_para->after_n_packets));	
+				get_integer_from_json(app_para, "send_icmp_unreachable", &(deny_app_para->app_para.send_icmp_enable));
+				break;
+			case	TSG_METHOD_TYPE_RATE_LIMIT:
+				deny_app_para->type=TSG_DENY_TYPE_APP_RATELIMIT;
+				get_integer_from_json(app_para, "bps", &(deny_app_para->bps)); 
+				break;
+			default:
+				break;
+		}
+
+		free(method);
+		method=NULL;
+	}
+	cJSON_Delete(app_para);
+	app_para=NULL;
+
+	return 1;
+}
+
 static void app_id_dict_dup(int table_id, MAAT_PLUGIN_EX_DATA *to, MAAT_PLUGIN_EX_DATA *from, long argl, void* argp)
 {
 	if((*from)!=NULL)
@@ -535,9 +617,9 @@ static void app_id_dict_dup(int table_id, MAAT_PLUGIN_EX_DATA *to, MAAT_PLUGIN_E
 
 static void app_id_dict_new(int table_id, const char* key, const char* table_line, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp)
 {
+	char *deny_action_str=NULL;
 	struct app_id_dict *dict=NULL;
 
-	
 	switch(g_tsg_para.app_dict_field_num)
 	{
 		case	16:
@@ -550,12 +632,13 @@ static void app_id_dict_new(int table_id, const char* key, const char* table_lin
 			dict->technology=tsg_get_column_string_value(table_line, 5);
 			dict->risk=tsg_get_column_string_value(table_line, 6); 
 			dict->characteristics=tsg_get_column_string_value(table_line, 7);
-			dict->deny_action=tsg_get_column_integer_value(table_line, 10);
 			dict->continue_scanning=tsg_get_column_integer_value(table_line, 11); 
 			dict->tcp_timeout=(unsigned short)tsg_get_column_integer_value(table_line, 12);
 			dict->udp_timeout=(unsigned short)tsg_get_column_integer_value(table_line, 13); 
 			dict->tcp_half_close=tsg_get_column_integer_value(table_line, 14);
 			dict->tcp_time_wait=tsg_get_column_integer_value(table_line, 15);
+			
+			deny_action_str=tsg_get_column_string_value(table_line, 10);
 			break;
 		case	18:
 			dict=(struct app_id_dict *)calloc(1, sizeof(struct app_id_dict));
@@ -569,18 +652,23 @@ static void app_id_dict_new(int table_id, const char* key, const char* table_lin
 			dict->technology=tsg_get_column_string_value(table_line, 7);
 			dict->risk=tsg_get_column_string_value(table_line, 8); 
 			dict->characteristics=tsg_get_column_string_value(table_line, 9);
-			dict->deny_action=tsg_get_column_integer_value(table_line, 12);
 			dict->continue_scanning=tsg_get_column_integer_value(table_line, 13); 
 			dict->tcp_timeout=tsg_get_column_integer_value(table_line, 14);
 			dict->udp_timeout=tsg_get_column_integer_value(table_line, 15); 
 			dict->tcp_half_close=tsg_get_column_integer_value(table_line, 16);
 			dict->tcp_time_wait=tsg_get_column_integer_value(table_line, 17);
+
+			deny_action_str=tsg_get_column_string_value(table_line, 12);
 			break;
 		default:
 			return ;
 			break;
 	}
 
+	parse_deny_action(deny_action_str, &(dict->deny_app_para));
+	_free_field(deny_action_str);
+	deny_action_str=NULL;
+	
 	str_unescape(dict->risk);
 	str_unescape(dict->app_name);
 	str_unescape(dict->parent_app_name);
@@ -616,44 +704,6 @@ void app_id_dict_free(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, void* ar
 	return;
 }
 
-static int get_string_from_json(cJSON *object, const char *key, char **value)
-{
-	if(object==NULL || key==NULL)
-	{
-		return 0;
-	}
-	int len=0;
-	cJSON *item=cJSON_GetObjectItem(object, key);
-	if(item!=NULL)
-	{
-		len=strlen(item->valuestring);
-		(*value)=(char *)malloc(len+1);
-		memcpy((*value), item->valuestring, len);
-		(*value)[len]='\0';
-
-		return 1;
-	}
-
-	return 0;
-}
-
-static int get_integer_from_json(cJSON *object, const char *key, int *value)
-{
-	if(object==NULL || key==NULL || (value)==NULL)
-	{
-		return 0;
-	}
-	
-	cJSON *item=cJSON_GetObjectItem(object, key);
-	if(item!=NULL)
-	{
-		(*value)=item->valueint;
-		return 1;
-	}
-
-	return 0;
-}
-
 static int parse_answer_ttl(struct dns_user_region *user_region_records, cJSON *one_record, int answer_type)
 {
 	if(one_record==NULL || user_region_records==NULL)
@@ -2781,8 +2831,10 @@ int tsg_set_method_to_tcpall(const struct streaminfo *a_stream, struct tcpall_co
 		case	TSG_METHOD_TYPE_DEFAULT:
 		case	TSG_METHOD_TYPE_MIRRORED:			
 			_context->method_type=method_type;
+			*context=_context;
 			break;
 		default:
+			return 0;
 			break;
 	}
 
@@ -2802,6 +2854,7 @@ int tsg_set_bucket_to_tcpall(const struct streaminfo *a_stream, struct tcpall_co
 	switch(_context->method_type)
 	{
 		case	TSG_METHOD_TYPE_RATE_LIMIT:
+			*context=_context;
 			return 1;	
 			break;
 		case	TSG_METHOD_TYPE_DEFAULT:
@@ -2813,6 +2866,7 @@ int tsg_set_bucket_to_tcpall(const struct streaminfo *a_stream, struct tcpall_co
 
 	_context->method_type=TSG_METHOD_TYPE_RATE_LIMIT;
 	_context->bucket=bucket;
+	*context=_context;
 	
 	return 1;
 }