支持APP的管控

2021-03-02 10:39:33 +08:00
parent 770c508b31
commit 2e123141f9
10 changed files with 1279 additions and 774 deletions
--- a/bin/tsg_log_field.conf
+++ b/bin/tsg_log_field.conf
@@ -53,4 +53,7 @@ STRING		ssl_ja3_hash		44
 STRING		common_data_center	45
 STRING		common_l7_protocol		46
 STRING		common_tcp_client_isn	47
-STRING		common_tcp_server_isn	48
+STRING		common_tcp_server_isn	48
 LONG		common_app_surrogate_id	49
 STRING		sip_from			50
 STRING		sip_to			51
--- a/bin/tsg_static_tableinfo.conf
+++ b/bin/tsg_static_tableinfo.conf
@@ -70,3 +70,6 @@
 58	APP_SELECTOR_GROUP_GROUP_RELATION	group2group	--
 59	APP_SELECTOR_PROPERTIES	expr_plus	UTF8	UTF8/GBK	yes	0
 60	APP_SELECTOR_ID	intval	UTF8	UTF8	yes	0
 61	TSG_FIELD_SIP_FROM	virtual	TSG_OBJ_ACCOUNT	--
 62	TSG_FIELD_SIP_TO	virtual	TSG_OBJ_ACCOUNT	--
 63	APP_ID_DICT	plugin	{"key":1,"valid":16}
--- a/inc/app_label.h
+++ b/inc/app_label.h
@@ -1,130 +1,13 @@
 #ifndef	__APP_LABEL_H__
 #define	__APP_LABEL_H__
-#define	MAX_APP_ID_PROPERTY_LEN	128
+struct app_id_label
 struct _quic_attribute_t
 {
 	char *version;
 	char *sni;
 	char *user_agent;
 };
 struct _dns_attribute_t
 {
 	unsigned short id;
 	unsigned short flag;
 	unsigned short qdcount;
 	unsigned short ancount;
 	unsigned short aucount;//authority count
 	unsigned short adcount;//additional count
 	unsigned short qtype;
 	unsigned short qclass;
 	char *qname;
 };
 struct _http_attribute_t
 {
 	char *host;
 	char *uri;
 	char *user_agent;
 	char *content_type;
 	char *content_encoding;
 	char *referer;
 	char *cookie;
 	char *set_cookie;
 };
 struct _ssl_attribute_t
 {
 	char *cn;
 	char *sni;
 	char *san;
 	char *version;
 	char *fingerprint;
 	char *serial_number;
 	char *issuer_common_name;
 	char *issuer_organition_name;
 	char *issuer_country_name;
 	char *subject_common_name;
 	char *subject_organition_name;
 	char *subject_country_name;
 	char *not_valid_before;
 	char *not_valid_after;
 	char *algotithm_id;
 	char *ja3_fingerprint;
 };
 struct _app_id_dict_t
 {
 	int ref_cnt;
 	int app_id;
 	int deny_action;
 	int continue_scanning;
 	int tcp_timeout;
 	int udp_timeout;
 	int tcp_time_wait;
 	int tcp_half_close;
 	int is_valid;
 	char risk[MAX_APP_ID_PROPERTY_LEN*4];
 	char app_name[MAX_APP_ID_PROPERTY_LEN];
 	char category[MAX_APP_ID_PROPERTY_LEN*4];
 	char subcategroy[MAX_APP_ID_PROPERTY_LEN*4];
 	char technology[MAX_APP_ID_PROPERTY_LEN*4];
 	char characteristics[MAX_APP_ID_PROPERTY_LEN*4];
 	char depends_on_app_ids[MAX_APP_ID_PROPERTY_LEN];
 	char implicitly_uses_app_ids[MAX_APP_ID_PROPERTY_LEN];
 };
 #define	MAX_APP_ID_NUM	8
 enum _APP_SESSION_PROTO
 {
 	SESSION_PROTO_HTTP=1,
 	SESSION_PROTO_SSL,
 	SESSION_PROTO_QUIC,
 	SESSION_PROTO_DNS,
 	_SESSION_PROTO_MAX
 };
 enum _APP_SESSION_FLAG
 {
 	SESSION_FLAG_TCP_CREATE_WITH_SYN=1,
 	SESSION_FLAG_SSL_USE_SELFSIGNED_CERT=2,
 	SESSION_FLAG_SSL_INCOMPLETE_CERT_CHAIN=4
 };
 typedef	struct _app_id_label_add_flag_t
 {
 	volatile char flag;
 }APP_ADD_ID_LABEL_T;
 struct _app_id_label_t
 {
 	char ref_cnt;
 	char session_flag; // enum SESSION_FLAG
 	char session_proto; //enum _APP_SESSION_PROTO
 	char app_id_num;
 	APP_ADD_ID_LABEL_T flag; //0: no; 1: yes
 	char pad[3];
 	int surrogate_id;
 	int app_id;
 	struct _app_id_dict_t *dict;
 	union
 	{
 		struct _ssl_attribute_t *ssl_attribute;
 		struct _dns_attribute_t *dns_attribute;
 		struct _http_attribute_t *http_attribute;
 		struct _quic_attribute_t *quic_attribute;
 		void *attribute; //quic sni or dns query qname
 	};
 };
-struct _basic_proto_label
+struct basic_proto_label
 {
 	unsigned char continue_scan_flag;  //0: stop; 1: continue
 	unsigned char pad;
@@ -141,17 +24,17 @@ enum _ATTRIBUTE_TYPE
 	_ATTRIBUTE_TYPE_MAX
 };
-struct _attribute_kv_t
+struct attribute_kv
 {
 	enum _ATTRIBUTE_TYPE type;
 	char *name;
 	void *value;
 };
-struct _user_defined_attribute_label_t
+struct user_defined_attribute_label
 {
 	int attribute_num;
-	struct _attribute_kv_t *attribute;
+	struct attribute_kv *attribute;
 };
 #endif
--- a/inc/tsg_label.h
+++ b/inc/tsg_label.h
@@ -28,6 +28,7 @@ typedef enum _tsg_protocol
   PROTO_IMAP,
   PROTO_POP3,
   PROTO_RTP,
   PROTO_APP,
   PROTO_MAX
 }tsg_protocol_t;
--- a/inc/tsg_rule.h
+++ b/inc/tsg_rule.h
@@ -5,6 +5,9 @@
 #include "tsg_label.h"
 #define TSG_DOMAIN_MAX 	256
 #define	MAX_APP_ID_PROPERTY_LEN	128
 #define	TSG_ACTION_NONE			0x00
 #define	TSG_ACTION_MONITOR		0x01
 #define	TSG_ACTION_INTERCEPT	0x02
@@ -13,7 +16,7 @@
 #define	TSG_ACTION_BYPASS		0x80
 #define	TSG_ACTION_MAX			0x80
-enum TSG_ETHOD_TYPE
+enum TSG_METHOD_TYPE
 {
 	TSG_METHOD_TYPE_UNKNOWN=0,
 	TSG_METHOD_TYPE_DROP,
@@ -24,13 +27,22 @@ enum TSG_ETHOD_TYPE
 	TSG_METHOD_TYPE_MAX
 };
-struct _identify_info
+struct identify_info
 {
 	tsg_protocol_t proto;	//enum _tsg_protocol (tsg_types.h)
 	int domain_len;
 	char domain[MAX_DOAMIN_LEN];
 };
 struct compile_user_region
 {
 	int code;
 	int ref_cnt;
 	int html_profile;
 	char protocol[32];
 	char method[32];
 	char *message;
 };
 typedef	enum _PULL_RESULT_TYPE
 {
@@ -38,14 +50,33 @@ typedef	enum _PULL_RESULT_TYPE
 	PULL_FW_RESULT
 }PULL_RESULT_TYPE;
-#define TSG_DOMAIN_MAX 	256
+struct app_id_dict_table
 {
 	int ref_cnt;
 	int app_id;
 	int deny_action;
 	int continue_scanning;
 	int tcp_timeout;
 	int udp_timeout;
 	int tcp_time_wait;
 	int tcp_half_close;
 	int is_valid;
 	char risk[MAX_APP_ID_PROPERTY_LEN*4];
 	char app_name[MAX_APP_ID_PROPERTY_LEN];
 	char category[MAX_APP_ID_PROPERTY_LEN*4];
 	char subcategroy[MAX_APP_ID_PROPERTY_LEN*4];
 	char technology[MAX_APP_ID_PROPERTY_LEN*4];
 	char characteristics[MAX_APP_ID_PROPERTY_LEN*4];
 	char depends_on_app_ids[MAX_APP_ID_PROPERTY_LEN];
 	char implicitly_uses_app_ids[MAX_APP_ID_PROPERTY_LEN];
 };
 extern Maat_feather_t g_tsg_maat_feather;
 int tsg_rule_init(const char *conffile, void *logger);
 int tsg_scan_nesting_addr(Maat_feather_t maat_feather, const struct streaminfo *a_stream, tsg_protocol_t proto, scan_status_t *mid, Maat_rule_t*result, int result_num);
-int tsg_pull_policy_result(struct streaminfo *a_stream, PULL_RESULT_TYPE pull_result_type, Maat_rule_t*result, int result_num, struct _identify_info *identify_info);
+int tsg_pull_policy_result(struct streaminfo *a_stream, PULL_RESULT_TYPE pull_result_type, Maat_rule_t*result, int result_num, struct identify_info *identify_info);
 //return NULL if none exists, otherwise return one deny rule;
 struct Maat_rule_t *tsg_fetch_deny_rule(Maat_rule_t *result, int result_num);
--- a/src/tsg_entry.cpp
+++ b/src/tsg_entry.cpp
--- a/src/tsg_entry.h
+++ b/src/tsg_entry.h
@@ -24,8 +24,21 @@ typedef int atomic_t;
 #define MIN(a, b)  	(((a) < (b)) ? (a) : (b))
 #endif
 #define	DNS_PROTO_ID	103
 #define	FTP_PROTO_ID	104
 #define	HTTP_PROTO_ID	106
 #define	MAIL_PROTO_ID	110
 #define	QUIC_PROTO_ID	119
 #define	SIP_PROTO_ID	120
 #define	SSL_PROTO_ID	126
 #define	RTP_PROTO_ID	142
 #define	APP_SCAN_FLAG_STOP	0
 #define	APP_SCAN_FLAG_CONTINUE	1
 enum MASTER_TABLE{
-	TABLE_IP_ADDR=0,
+	TABLE_SECURITY_COMPILE=0,
 	TABLE_IP_ADDR,
 	TABLE_SUBSCRIBER_ID,
 	TABLE_APP_ID,
 	TABLE_HTTP_HOST,
@@ -43,6 +56,9 @@ enum MASTER_TABLE{
 	TABLE_FQDN_CAT_ID,
 	TABLE_FQDN_CAT_USER_DEFINED,
 	TABLE_FQDN_CAT_BUILT_IN,
 	TABLE_APP_ID_DICT,
 	TABLE_SELECTOR_ID,
 	TABLE_SELECTOR_PROPERTIES,
 	TABLE_MAX
 };
@@ -65,6 +81,14 @@ enum TSG_FS2_TYPE{
 	TSG_FS2_MAX
 };
 enum TSG_ATTRIBUTE_TYPE
 {
 	TSG_ATTRIBUTE_TYPE_ESTABLISH_LATECY=0,
 	TSG_ATTRIBUTE_TYPE_PROTOCOL,
 	TSG_ATTRIBUTE_TYPE_JA3_HASH,
 	_MAX_TSG_ATTRIBUTE_TYPE
 };
 struct _str2index
 {
 	int index;
@@ -80,20 +104,29 @@ struct _fqdn_category_t
 	char fqdn[MAX_DOAMIN_LEN/8];
 };
-struct _master_context
+struct master_context
 {
 	tsg_protocol_t proto;
 	int hit_cnt;
 	int domain_len;
 	char domain[MAX_DOAMIN_LEN];
 	struct Maat_rule_t *result;
 	int app_id;
 	char continue_scan_app_id;
 	char continue_scan_proto_id;
 	unsigned short basic_proto_id;
 	char uuid_str[32];
 	scan_status_t mid;
 };
 #define	_MAX_TABLE_NAME_LEN	64
 typedef	struct _tsg_para
 {
-	int level;
+	int level;	
 	int mail_proto_id;
 	unsigned short timeout;
 	unsigned short depolyment_mode;
 	int app_id_table_type;
 	int device_id;
 	int entrance_id;
@@ -101,6 +134,8 @@ typedef	struct _tsg_para
 	int dyn_subscribe_ip_table_id; //TSG_DYN_SUBSCRIBER_IP
 	int priority_project_id;
 	int internal_project_id;
 	int l7_proto_project_id;
 	int app_id_project_id;
 	int proto_flag; //tsg_protocol_t
 	int fs2_field_id[TSG_FS2_MAX];
 	char device_sn[MAX_DOAMIN_LEN/8];
@@ -199,12 +234,13 @@ typedef	struct _tsg_statistic
 int tsg_statistic_init(const char *conffile, void *logger);
 int tsg_scan_shared_policy(Maat_feather_t maat_feather, struct _identify_info *identify_info, Maat_rule_t *result, int result_num, scan_status_t *mid, int thread_seq);
 void location_free_data(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp);
 void ASN_free_data(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp);
 void subscribe_id_free_data(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp);
 char *tsg_schema_index2string(tsg_protocol_t proto);
-
+struct Maat_rule_t *tsg_policy_decision_criteria(struct streaminfo *a_stream, Maat_rule_t *result, int result_num, struct _identify_info *identify_info, int thread_seq);
 int tsg_scan_shared_policy(Maat_feather_t maat_feather, struct streaminfo *a_stream, struct identify_info *identify_info, Maat_rule_t *result, int result_num, scan_status_t *mid, int thread_seq);
 int tsg_scan_app_id_policy(Maat_feather_t maat_feather, struct streaminfo *a_stream, struct Maat_rule_t *result, int result_num, scan_status_t *mid, char *name, unsigned int id, int thread_seq);
 int tsg_scan_app_properties_policy(Maat_feather_t maat_feather, struct streaminfo *a_stream, struct Maat_rule_t *result, int result_num, scan_status_t *mid, char *property, char *district, int thread_seq);
 #endif
--- a/src/tsg_rule.cpp
+++ b/src/tsg_rule.cpp
@@ -57,6 +57,7 @@ const struct _str2index g_tsg_proto_string[PROTO_MAX+1]={{PROTO_UNKONWN, 0, (cha
 										 {PROTO_IMAP, 5, (char *)"MAIL."},
 										 {PROTO_POP3, 5, (char *)"MAIL."},
 										 {PROTO_RTP, 4, (char *)"RTP."},
 										 {PROTO_APP, 4, (char *)"APP."},
 										 {PROTO_MAX, 0, (char *)""}
 };
@@ -458,6 +459,174 @@ void subscribe_id_free_data(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, vo
 	return;
 }
 static void app_id_dict_dup_data(int table_id, MAAT_PLUGIN_EX_DATA *to, MAAT_PLUGIN_EX_DATA *from, long argl, void* argp)
 {
 	struct app_id_dict_table *app_id_dict=(struct app_id_dict_table *)(*from);
 	if(*from!=NULL)
 	{
 		atomic_inc(&app_id_dict->ref_cnt);
 		*to=*from;
 	}
 	return;
 }
 static void app_id_dict_new_data(int table_id, const char* key, const char* table_line, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp)
 {
 	void *logger=argp;
 	int ret=0;
 	struct app_id_dict_table *app_id_dict=NULL;
 	app_id_dict=(struct app_id_dict_table *)calloc(1, sizeof(struct app_id_dict_table));
 	ret=sscanf(table_line,
 				"%d\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%d\t%d\t%d\t%d\t%d\t%d\t%d",
 				&app_id_dict->app_id, 
 				app_id_dict->app_name,
 				app_id_dict->category, 
 				app_id_dict->subcategroy, 
 				app_id_dict->technology,
 				app_id_dict->risk, 
 				app_id_dict->characteristics, 
 				app_id_dict->depends_on_app_ids, 
 				app_id_dict->implicitly_uses_app_ids, 
 				&app_id_dict->deny_action, 
 				&app_id_dict->continue_scanning, 
 				&app_id_dict->tcp_timeout, 
 				&app_id_dict->udp_timeout, 
 				&app_id_dict->tcp_half_close,
 				&app_id_dict->tcp_time_wait, 
 				&app_id_dict->is_valid);
 	if(ret!=16)
 	{
 		free(app_id_dict);
 		app_id_dict=NULL;
 		MESA_handle_runtime_log(logger, 
 									RLOG_LV_FATAL,
 									"APP_ID_DICT",
 									"Parse app_id_dict failed, ret: %d table_id: %d table_line: %s",
 									ret,
 									table_id,
 									table_line
 								);
 		return;
 	}
 	atomic_inc(&app_id_dict->ref_cnt);
 	eliminate_default_value(app_id_dict->app_name);
 	eliminate_default_value(app_id_dict->category);
 	eliminate_default_value(app_id_dict->subcategroy);
 	eliminate_default_value(app_id_dict->technology);
 	eliminate_default_value(app_id_dict->risk);
 	eliminate_default_value(app_id_dict->characteristics);
 	eliminate_default_value(app_id_dict->depends_on_app_ids);
 	eliminate_default_value(app_id_dict->implicitly_uses_app_ids);
 	*ad=(MAAT_PLUGIN_EX_DATA)app_id_dict;
 	return;
 }
 void app_id_dict_free_data(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp)
 {
 	struct app_id_dict_table *app_id_dict=(struct app_id_dict_table *)(*ad);
 	if(app_id_dict!=NULL)
 	{
 		atomic_dec(&app_id_dict->ref_cnt);
 		if(app_id_dict->ref_cnt<=0)
 		{
 			free(*ad);
 			*ad=NULL;
 		}
 	}
 	return;
 }
 void security_compile_new(int idx, const struct Maat_rule_t* rule, const char* srv_def_large, MAAT_RULE_EX_DATA* ad, long argl, void *argp)
 {	
 	int len=0;
 	cJSON *object=NULL, *item=NULL;
 	struct compile_user_region *user_region=NULL;
 	if(rule!=NULL && srv_def_large!=NULL && strlen(srv_def_large)>2)
 	{
 		object=cJSON_Parse(srv_def_large);
 		if(object!=NULL)
 		{
 			user_region=(struct compile_user_region *)calloc(1, sizeof(struct compile_user_region));
 			item=cJSON_GetObjectItem(object, "method");
 			if(item!=NULL)
 			{
 				len=MIN(strlen(item->valuestring), sizeof(user_region->method)-1);
 				memcpy(user_region->method, item->valuestring, len);
 			}
 			item=cJSON_GetObjectItem(object, "protocol");
 			if(item!=NULL)
 			{
 				len=MIN(strlen(item->valuestring), sizeof(user_region->protocol)-1);
 				memcpy(user_region->protocol, item->valuestring, len);
 			}
 			item=cJSON_GetObjectItem(object, "message");
 			if(item!=NULL)
 			{
 				len=strlen(item->valuestring)+1;
 				user_region->message=(char *)calloc(1, len);
 				memcpy(user_region->message, item->valuestring, len-1);
 			}
 			item=cJSON_GetObjectItem(object, "code");
 			if(item!=NULL)
 			{
 				user_region->code=item->valueint;
 			}
 			item=cJSON_GetObjectItem(object, "html_profile");
 			if(item!=NULL)
 			{
 				user_region->html_profile=item->valueint;
 			}
 			atomic_inc(&user_region->ref_cnt);
 			*ad=(MAAT_RULE_EX_DATA)user_region;
 		}
 	}
 	return ;
 }
 void security_compile_dup(int idx, MAAT_RULE_EX_DATA *to, MAAT_RULE_EX_DATA *from, long argl, void *argp)
 {
 	struct compile_user_region *user_region=(struct compile_user_region *)(*from);
 	if(user_region!=NULL)
 	{
 		atomic_inc(&user_region->ref_cnt);
 		*to=*from;
 	}
 }
 void security_compile_free(int idx, const struct Maat_rule_t* rule, const char* srv_def_large, MAAT_RULE_EX_DATA* ad, long argl, void *argp)
 {
 	struct compile_user_region *user_region=(struct compile_user_region *)(*ad);
 	if(user_region!=NULL)
 	{
 		atomic_dec(&user_region->ref_cnt);
 		if((user_region->ref_cnt-1)<=0)
 		{
 			free(user_region->message);
 			user_region->message=NULL;
 			free(*ad);
 			*ad=NULL;
 		}
 	}
 }
 static Maat_feather_t init_maat_feather(const char* conffile, char* instance_name, char *module, void *logger)
 {
 	unsigned short redis_port = 0;
@@ -584,7 +753,8 @@ int tsg_rule_init(const char* conffile, void *logger)
 	MESA_load_profile_int_def(conffile, "MAAT","APP_ID_TABLE_TYPE", &g_tsg_para.app_id_table_type, 1);
-	MESA_load_profile_string_def(conffile, "MAAT", "PROFILE", maat_conffile, sizeof(maat_conffile), "./tsgconf/maat.conf");	
+	MESA_load_profile_string_def(conffile, "MAAT", "PROFILE", maat_conffile, sizeof(maat_conffile), "./tsgconf/maat.conf");		
 	MESA_load_profile_string_def(conffile, "MAAT", "SECURITY_COMPILE", g_tsg_para.table_name[TABLE_SECURITY_COMPILE], _MAX_TABLE_NAME_LEN, "TSG_SECURITY_COMPILE");
 	MESA_load_profile_string_def(conffile, "MAAT", "IP_ADDR_TABLE", g_tsg_para.table_name[TABLE_IP_ADDR], _MAX_TABLE_NAME_LEN, "TSG_SECURITY_ADDR");
 	MESA_load_profile_string_def(conffile, "MAAT", "SUBSCRIBER_ID_TABLE", g_tsg_para.table_name[TABLE_SUBSCRIBER_ID], _MAX_TABLE_NAME_LEN, "TSG_OBJ_SUBSCRIBER_ID");
 	MESA_load_profile_string_def(conffile, "MAAT", "APP_ID_TABLE", g_tsg_para.table_name[TABLE_APP_ID], _MAX_TABLE_NAME_LEN, "TSG_OBJ_APP_ID");
@@ -608,6 +778,11 @@ int tsg_rule_init(const char* conffile, void *logger)
 	MESA_load_profile_string_def(conffile, "MAAT", "FQDN_CAT_BUILT_IN_TABLE", g_tsg_para.table_name[TABLE_FQDN_CAT_BUILT_IN], _MAX_TABLE_NAME_LEN, "TSG_FQDN_CATEGORY_BUILT_IN");
 	MESA_load_profile_string_def(conffile, "MAAT", "FQDN_CAT_USER_DEFINED_TABLE", g_tsg_para.table_name[TABLE_FQDN_CAT_USER_DEFINED], _MAX_TABLE_NAME_LEN, "TSG_FQDN_CATEGORY_USER_DEFINED");
 	MESA_load_profile_string_def(conffile, "MAAT", "APP_ID_DICT_TABLE", g_tsg_para.table_name[TABLE_APP_ID_DICT], _MAX_TABLE_NAME_LEN, "APP_ID_DICT");
 	MESA_load_profile_string_def(conffile, "MAAT", "APP_ID_TABLE", g_tsg_para.table_name[TABLE_APP_ID], _MAX_TABLE_NAME_LEN, "TSG_OBJ_APP_ID");
 	MESA_load_profile_string_def(conffile, "MAAT", "SELECTOR_ID_TABLE", g_tsg_para.table_name[TABLE_SELECTOR_ID], _MAX_TABLE_NAME_LEN, "APP_SELECTOR_ID");
 	MESA_load_profile_string_def(conffile, "MAAT", "SELECTOR_PROPERTIES_TABLE", g_tsg_para.table_name[TABLE_SELECTOR_PROPERTIES], _MAX_TABLE_NAME_LEN, "APP_SELECTOR_PROPERTIES");
 	//init static maat feather
 	g_tsg_maat_feather=init_maat_feather(maat_conffile, (char *)"TSG_STATIC", (char *)"STATIC", logger);
 	if(g_tsg_maat_feather==NULL)
@@ -616,7 +791,23 @@ int tsg_rule_init(const char* conffile, void *logger)
 		return -1;
 	}
-	for(i=0; i<TABLE_MAX; i++)
+	g_tsg_para.table_id[TABLE_SECURITY_COMPILE]=Maat_rule_get_ex_new_index(g_tsg_maat_feather,
 																g_tsg_para.table_name[TABLE_SECURITY_COMPILE],
 																security_compile_new,
 																security_compile_free,
 																security_compile_dup,
 																0,
 																logger
 															);
 	if(g_tsg_para.table_id[TABLE_SECURITY_COMPILE]<0)
 	{
 		MESA_handle_runtime_log(logger,	RLOG_LV_FATAL, "REGISTER_TABLE", "Register table: %s failed ...", g_tsg_para.table_name[TABLE_SECURITY_COMPILE]);		
 		return -1;
 	}
 	for(i=TABLE_IP_ADDR; i<TABLE_MAX; i++)
 	{
 		g_tsg_para.table_id[i]=Maat_table_register(g_tsg_maat_feather, g_tsg_para.table_name[i]);
 		if(g_tsg_para.table_id[i]<0)
@@ -628,7 +819,7 @@ int tsg_rule_init(const char* conffile, void *logger)
 									); 
 			return -1;
 		}
-	}	
+	}
 	for(i=TABLE_ASN_USER_DEFINED; i<=TABLE_ASN_BUILT_IN; i++)
 	{
@@ -695,6 +886,25 @@ int tsg_rule_init(const char* conffile, void *logger)
 		}
 	}
 	ret=Maat_plugin_EX_register(g_tsg_maat_feather,
 									g_tsg_para.table_id[TABLE_APP_ID_DICT],
 									app_id_dict_new_data,
 									app_id_dict_free_data,
 									app_id_dict_dup_data,
 									NULL,
 									0,
 									logger);
 	if(ret<0)
 	{
 		MESA_handle_runtime_log(logger, RLOG_LV_FATAL,
 									"RULE_INIT",
 									"Maat_ip_plugin_EX_register failed, table_name: %s table_id: %d",
 									g_tsg_para.table_name[TABLE_APP_ID_DICT],
 									g_tsg_para.table_id[TABLE_APP_ID_DICT]
 								); 
 		return -1;		
 	}
 	//init dynamic maat feather
 	g_tsg_dynamic_maat_feather=init_maat_feather(maat_conffile, (char *)"TSG_DYNAMIC", (char *)"DYNAMIC", logger);
 	if(g_tsg_maat_feather==NULL)
@@ -733,7 +943,7 @@ int tsg_rule_init(const char* conffile, void *logger)
 	return 0;
 }
-int tsg_pull_policy_result(struct streaminfo *a_stream, PULL_RESULT_TYPE pull_result_type, Maat_rule_t*result, int result_num, struct _identify_info *identify_info)
+int tsg_pull_policy_result(struct streaminfo *a_stream, PULL_RESULT_TYPE pull_result_type, Maat_rule_t*result, int result_num, struct identify_info *identify_info)
 {
 	int num=0;
 	policy_priority_label_t *label=NULL;
@@ -1024,7 +1234,7 @@ int tsg_scan_nesting_addr(Maat_feather_t maat_feather, const struct streaminfo *
 	int hit_num=0,tans_proto=0;
 	int is_scan_addr=1, maat_ret=0,found_pos=0;
 	const struct streaminfo *cur_stream = a_stream;
-	struct _session_attribute_label_t *internal_label=NULL;
+	struct _session_attribute_label_t *attribute_label=NULL;
 	if(result==NULL || result_num<=0 || a_stream==NULL || maat_feather==NULL)
 	{
@@ -1083,7 +1293,7 @@ int tsg_scan_nesting_addr(Maat_feather_t maat_feather, const struct streaminfo *
 											result+hit_num,
 											result_num-hit_num,
 											mid,
- 											cur_stream->threadnum);
+ 											(int)cur_stream->threadnum);
 			if(maat_ret>0)
 			{
 				MESA_handle_runtime_log(g_tsg_para.logger,
@@ -1176,43 +1386,43 @@ int tsg_scan_nesting_addr(Maat_feather_t maat_feather, const struct streaminfo *
 		}
 	}
-	internal_label=(struct _session_attribute_label_t *)project_req_get_struct(a_stream, g_tsg_para.internal_project_id);
+	attribute_label=(struct _session_attribute_label_t *)project_req_get_struct(a_stream, g_tsg_para.internal_project_id);
-	if(internal_label==NULL)
+	if(attribute_label==NULL)
 	{
-		internal_label=(struct _session_attribute_label_t *)calloc(1, sizeof(struct _session_attribute_label_t));
+		attribute_label=(struct _session_attribute_label_t *)calloc(1, sizeof(struct _session_attribute_label_t));
-		memset(internal_label, 0, sizeof(struct _session_attribute_label_t));
+		memset(attribute_label, 0, sizeof(struct _session_attribute_label_t));
 	}
 	if(hit_num<result_num)
 	{
-		tsg_get_ip_location(a_stream, g_tsg_para.table_id[TABLE_LOCATION_USER_DEFINED], (void **)&(internal_label->client_location), (void **)&(internal_label->server_location));
+		tsg_get_ip_location(a_stream, g_tsg_para.table_id[TABLE_LOCATION_USER_DEFINED], (void **)&(attribute_label->client_location), (void **)&(attribute_label->server_location));
-		tsg_get_ip_location(a_stream, g_tsg_para.table_id[TABLE_LOCATION_BUILT_IN], (void **)&(internal_label->client_location), (void **)&(internal_label->server_location));
+		tsg_get_ip_location(a_stream, g_tsg_para.table_id[TABLE_LOCATION_BUILT_IN], (void **)&(attribute_label->client_location), (void **)&(attribute_label->server_location));
-		hit_num+=tsg_scan_ip_location(maat_feather, a_stream, internal_label->client_location, TABLE_SRC_LOCATION, mid, result+hit_num, result_num-hit_num);
+		hit_num+=tsg_scan_ip_location(maat_feather, a_stream, attribute_label->client_location, TABLE_SRC_LOCATION, mid, result+hit_num, result_num-hit_num);
-		hit_num+=tsg_scan_ip_location(maat_feather, a_stream, internal_label->server_location, TABLE_DST_LOCATION, mid, result+hit_num, result_num-hit_num);
+		hit_num+=tsg_scan_ip_location(maat_feather, a_stream, attribute_label->server_location, TABLE_DST_LOCATION, mid, result+hit_num, result_num-hit_num);
 	}
 	if(hit_num<result_num)
 	{
-		tsg_get_ip_asn(a_stream, g_tsg_para.table_id[TABLE_ASN_USER_DEFINED], (void **)&(internal_label->client_asn), (void **)&(internal_label->server_asn));
+		tsg_get_ip_asn(a_stream, g_tsg_para.table_id[TABLE_ASN_USER_DEFINED], (void **)&(attribute_label->client_asn), (void **)&(attribute_label->server_asn));
-		tsg_get_ip_asn(a_stream, g_tsg_para.table_id[TABLE_ASN_BUILT_IN], (void **)&(internal_label->client_asn), (void **)&(internal_label->server_asn));
+		tsg_get_ip_asn(a_stream, g_tsg_para.table_id[TABLE_ASN_BUILT_IN], (void **)&(attribute_label->client_asn), (void **)&(attribute_label->server_asn));
-		hit_num+=tsg_scan_ip_asn(maat_feather, a_stream, internal_label->client_asn, TABLE_SRC_ASN, mid, result+hit_num, result_num-hit_num);
+		hit_num+=tsg_scan_ip_asn(maat_feather, a_stream, attribute_label->client_asn, TABLE_SRC_ASN, mid, result+hit_num, result_num-hit_num);
-		hit_num+=tsg_scan_ip_asn(maat_feather, a_stream, internal_label->server_asn, TABLE_DST_ASN, mid, result+hit_num, result_num-hit_num);
+		hit_num+=tsg_scan_ip_asn(maat_feather, a_stream, attribute_label->server_asn, TABLE_DST_ASN, mid, result+hit_num, result_num-hit_num);
 	}
 	if(hit_num<result_num)
 	{
-		tsg_get_subscribe_id(a_stream, &internal_label->client_subscribe_id, &internal_label->server_subscribe_id);
+		tsg_get_subscribe_id(a_stream, &attribute_label->client_subscribe_id, &attribute_label->server_subscribe_id);
-		if(internal_label->client_subscribe_id!=NULL)
+		if(attribute_label->client_subscribe_id!=NULL)
 		{
 			maat_ret=Maat_full_scan_string(maat_feather,
 										g_tsg_para.table_id[TABLE_SUBSCRIBER_ID],
 										CHARSET_GBK,
-										internal_label->client_subscribe_id->subscribe_id,
+										attribute_label->client_subscribe_id->subscribe_id,
-										strlen(internal_label->client_subscribe_id->subscribe_id),
+										strlen(attribute_label->client_subscribe_id->subscribe_id),
 										result+hit_num,
 										&found_pos,
 										result_num-hit_num,
@@ -1224,7 +1434,7 @@ int tsg_scan_nesting_addr(Maat_feather_t maat_feather, const struct streaminfo *
 											RLOG_LV_DEBUG,
 											"SCAN_SUBSCRIBER",
 											"Hit source subscribe id: %s scan ret: %d policy_id: %d service: %d action: %d addr: %s",
-											internal_label->client_subscribe_id->subscribe_id,
+											attribute_label->client_subscribe_id->subscribe_id,
 											maat_ret,
 											result[hit_num].config_id,
 											result[hit_num].service_id,
@@ -1240,20 +1450,20 @@ int tsg_scan_nesting_addr(Maat_feather_t maat_feather, const struct streaminfo *
 											RLOG_LV_DEBUG,
 											"SCAN_SUBSCRIBER",
 											"No hit source subscribe id: %s scan ret: %d addr: %s",
-											internal_label->client_subscribe_id->subscribe_id,
+											attribute_label->client_subscribe_id->subscribe_id,
 											maat_ret,
 											(g_tsg_para.level<RLOG_LV_FATAL ? printaddr(&a_stream->addr, a_stream->threadnum) : "")
 										);
 			}
 		}
-		if(internal_label->server_subscribe_id!=NULL)
+		if(attribute_label->server_subscribe_id!=NULL)
 		{
 			maat_ret=Maat_full_scan_string(maat_feather,
 										g_tsg_para.table_id[TABLE_SUBSCRIBER_ID],
 										CHARSET_GBK,
-										internal_label->server_subscribe_id->subscribe_id,
+										attribute_label->server_subscribe_id->subscribe_id,
-										strlen(internal_label->server_subscribe_id->subscribe_id),
+										strlen(attribute_label->server_subscribe_id->subscribe_id),
 										result+hit_num,
 										&found_pos,
 										result_num-hit_num,
@@ -1265,7 +1475,7 @@ int tsg_scan_nesting_addr(Maat_feather_t maat_feather, const struct streaminfo *
 											RLOG_LV_DEBUG,
 											"SCAN_SUBSCRIBER",
 											"Hit dest subscribe id: %s scan ret: %d policy_id: %d service: %d action: %d addr: %s",
-											internal_label->server_subscribe_id->subscribe_id,
+											attribute_label->server_subscribe_id->subscribe_id,
 											maat_ret,
 											result[hit_num].config_id,
 											result[hit_num].service_id,
@@ -1281,7 +1491,7 @@ int tsg_scan_nesting_addr(Maat_feather_t maat_feather, const struct streaminfo *
 											RLOG_LV_DEBUG,
 											"SCAN_SUBSCRIBER",
 											"No hit dest subscribe id: %s scan ret: %d addr: %s",
-											internal_label->server_subscribe_id->subscribe_id,
+											attribute_label->server_subscribe_id->subscribe_id,
 											maat_ret,
 											(g_tsg_para.level<RLOG_LV_FATAL ? printaddr(&a_stream->addr, a_stream->threadnum) : "")
 										);
@@ -1289,7 +1499,7 @@ int tsg_scan_nesting_addr(Maat_feather_t maat_feather, const struct streaminfo *
 		}
 	}
-	ret=project_req_add_struct((struct streaminfo *)a_stream, g_tsg_para.internal_project_id, (void *)internal_label);
+	ret=project_req_add_struct((struct streaminfo *)a_stream, g_tsg_para.internal_project_id, (void *)attribute_label);
 	if(ret<0)
 	{
 		MESA_handle_runtime_log(g_tsg_para.logger,
@@ -1306,22 +1516,27 @@ int tsg_scan_nesting_addr(Maat_feather_t maat_feather, const struct streaminfo *
 //return value: -1: failed, 0: not hit, >0: hit count 
-int tsg_scan_shared_policy(Maat_feather_t maat_feather, struct _identify_info *identify_info, Maat_rule_t *result, int result_num,  scan_status_t *mid, int thread_seq)
+int tsg_scan_shared_policy(Maat_feather_t maat_feather, struct streaminfo *a_stream, struct identify_info *identify_info, Maat_rule_t *result, int result_num,  scan_status_t *mid, int thread_seq)
 {
-	int ret=0,idx=0;
+	char *field_name=NULL;
-	
+	int i=0,ret=0,idx=0,hit_num=0;	
-	if(identify_info->proto!=PROTO_UNKONWN && identify_info->domain_len>0)
+	struct _session_attribute_label_t *attribute_label=NULL;
 	if(identify_info->proto!=PROTO_UNKONWN && strlen(identify_info->domain)>0 && identify_info->domain_len>0)
 	{
 		switch(identify_info->proto)
 		{
 			case	PROTO_HTTP:
 				idx=TABLE_HTTP_HOST;
 				field_name=(char *)"http_host";
 				break;
 			case	PROTO_SSL:
 				idx=TABLE_SSL_SNI;
 				field_name=(char *)"ssl_sni";
 				break;
 			case	PROTO_QUIC:
 				idx=TABLE_QUIC_SNI;
 				field_name=(char *)"quic_sni";
 				break;
 			default:
 				return 0;
@@ -1339,9 +1554,95 @@ int tsg_scan_shared_policy(Maat_feather_t maat_feather, struct _identify_info *i
 									mid,
 									thread_seq
 								);
 		if(ret>0)
 		{
 			FS_operate(g_tsg_para.fs2_handle, g_tsg_para.fs2_field_id[TSG_FS2_HIT_SHARE], 0, FS_OP_ADD, 1);
 			MESA_handle_runtime_log(g_tsg_para.logger,
 										RLOG_LV_DEBUG,
 										"SCAN_FQDN",
 										"Hit %s: %s policy_id: %d service: %d action: %d addr: %s",
 										field_name,
 										identify_info->domain,
 										result[hit_num].config_id,
 										result[hit_num].service_id,
 										(unsigned char)result[hit_num].action,
 										printaddr(&a_stream->addr, thread_seq)
 									);
 			hit_num+=ret;
 		}
 		else
 		{
 			MESA_handle_runtime_log(g_tsg_para.logger,
 										RLOG_LV_DEBUG,
 										"SCAN_FQDN",
 										"Not hit %s: %s ret: %d stream_dir: %d addr: %s",
 										(ret==-1) ?  "NULL" : ((identify_info->proto==PROTO_HTTP) ? "host" : "sni"),
 										(ret==-1) ? "NULL" : identify_info->domain,
 										ret,
 										a_stream->dir,
 										printaddr(&a_stream->addr, thread_seq)
 									);
 		}
 		ret=project_req_add_struct(a_stream, g_tsg_para.internal_project_id, (const void *)attribute_label);
 		if(ret>0)
 		{
 			attribute_label->fqdn_category_id_num=tsg_get_fqdn_category_id(g_tsg_maat_feather, 
 																				identify_info->domain,
 																				attribute_label->fqdn_category_id,
 																				MAX_CATEGORY_ID_NUM,
 																				g_tsg_para.logger,
 																				thread_seq
 																			);
 			for(i=0; i<attribute_label->fqdn_category_id_num; i++)
 			{
 				int idx=identify_info->proto==PROTO_HTTP ? TABLE_HTTP_HOST : TABLE_SSL_SNI;
 				ret=Maat_scan_intval(g_tsg_maat_feather,
 										g_tsg_para.table_id[idx],
 										(unsigned int)attribute_label->fqdn_category_id[i],
 										result+hit_num,
 										result_num-hit_num,
 										mid,
 										thread_seq
 									);
 				if(ret>0)
 				{
 					MESA_handle_runtime_log(g_tsg_para.logger,
 											RLOG_LV_DEBUG,
 											"SCAN_FQDN_CAT",
 											"Hit %s: %s category_id: %d policy_id: %d service: %d action: %d addr: %s",
 											(identify_info->proto==PROTO_HTTP) ? "host" : "sni",
 											identify_info->domain,
 											attribute_label->fqdn_category_id[i],
 											result[hit_num].config_id,
 											result[hit_num].service_id,
 											(unsigned char)result[hit_num].action,
 											printaddr(&a_stream->addr, thread_seq)
 										);
 					hit_num+=ret;
 				}
 				else
 				{
 					MESA_handle_runtime_log(g_tsg_para.logger,
 											RLOG_LV_DEBUG,
 											"SCAN_FQDN_CAT",
 											"Not hit %s: %s category_id: %d ret: %d stream_dir: %d addr: %s",
 											(ret==-1) ?  "NULL" : ((identify_info->proto==PROTO_HTTP) ? "host" : "sni"),
 											(ret==-1) ? "NULL" : identify_info->domain,
 											attribute_label->fqdn_category_id[i],
 											ret,
 											a_stream->dir,
 											printaddr(&a_stream->addr, thread_seq)
 										);
 				}
 			}
 		}
 	}
-	return ret;
+	return hit_num;
 }
@@ -1434,3 +1735,86 @@ int tsg_get_fqdn_category_id(Maat_feather_t maat_feather, char *fqdn, unsigned i
 	return 0;
 }
 int tsg_scan_app_id_policy(Maat_feather_t maat_feather, struct streaminfo *a_stream, struct Maat_rule_t *result, int result_num, scan_status_t *mid, char *name, unsigned int id, int thread_seq)
 {
 	int ret=0;
 	ret=Maat_scan_intval(maat_feather, g_tsg_para.table_id[TABLE_APP_ID], id, result, result_num, mid, thread_seq);
 	if(ret>0)
 	{
 		MESA_handle_runtime_log(g_tsg_para.logger, 
 									RLOG_LV_DEBUG,
 									"SCAN_ID",
 									"Hit %s %s_id: %d ret: %d policy_id: %d service: %d action: %d addr: %s",
 									name,
 									(id>1000) ? "app" : "proto",
 									id,
 									ret,
 									result[0].config_id,
 									result[0].service_id,
 									result[0].action,
 									printaddr(&a_stream->addr, thread_seq)
 								);
 		return ret;
 	}
 	MESA_handle_runtime_log(g_tsg_para.logger,
 								RLOG_LV_DEBUG,
 								"SCAN_ID",
 								"scan %s %s_id: %d ret: %d addr: %s",
 								name,
 								(id>1000) ? "app" : "proto",
 								id,
 								ret,
 								printaddr(&a_stream->addr, thread_seq)
 							);
 	return 0;
 }
 int tsg_scan_app_properties_policy(Maat_feather_t maat_feather, struct streaminfo *a_stream, struct Maat_rule_t *result, int result_num, scan_status_t *mid, char *property, char *district, int thread_seq)
 {
 	int i=0,ret=0;
 	int ret2=0, hit_num=0;
 	int district_len=strlen(district);
 	int property_len=strlen(property); 
 	struct Maat_rule_t property_result[MAX_RESULT_NUM]={0};
 	if(property!=NULL && property_len>0 && district_len>0)
 	{
 		Maat_set_scan_status(g_tsg_maat_feather, mid, MAAT_SET_SCAN_DISTRICT, (void *)district, district_len);
 		ret=Maat_full_scan_string(g_tsg_maat_feather, g_tsg_para.table_id[TABLE_SELECTOR_PROPERTIES], CHARSET_UTF8, property, property_len, property_result, NULL, MAX_RESULT_NUM,mid,thread_seq);
 		for(i=0; i<ret; i++)
 		{
 			ret2=Maat_scan_intval(g_tsg_maat_feather, g_tsg_para.table_id[TABLE_SELECTOR_ID], property_result[i].config_id, result, result_num, mid, thread_seq);
 			if(ret2>0)
 			{
 				MESA_handle_runtime_log(g_tsg_para.logger, 
 										RLOG_LV_DEBUG,
 										"SCAN_ID",
 										"Hit selector_id: %d ret: %d policy_id: %d service: %d action: %d addr: %s",
 										property_result[i].config_id,
 										ret2,
 										result[0].config_id,
 										result[0].service_id,
 										result[0].action,
 										printaddr(&a_stream->addr, thread_seq)
 									);
 				hit_num+=ret2;
 			}
 			else
 			{
 				MESA_handle_runtime_log(g_tsg_para.logger, RLOG_LV_DEBUG, "SCAN_ID","Hit %s selector_id: %d ret: %d addr: %s", 
 												property, property_result[i].config_id, ret2, printaddr(&a_stream->addr, thread_seq));
 			}
 		}
 		MESA_handle_runtime_log(g_tsg_para.logger, 	RLOG_LV_DEBUG, "SCAN_PROPERTY", "scan %s: %s ret: %d addr: %s", district, property, ret, printaddr(&a_stream->addr, thread_seq));
 	}
 	return hit_num;
 }
--- a/src/tsg_send_log.cpp
+++ b/src/tsg_send_log.cpp
@@ -166,10 +166,10 @@ struct TLD_handle_t *TLD_create(int thread_id)
 static int set_l7_protocol(struct tsg_log_instance_t *_instance, struct TLD_handle_t *_handle, struct streaminfo *a_stream)
 {	
 	char *l7_protocol=NULL;
-	struct _basic_proto_label *l7_proto_label=NULL;
+	struct basic_proto_label *l7_proto_label=NULL;
-	l7_proto_label=(struct _basic_proto_label *)project_req_get_struct(a_stream, _instance->l7_proto_project_id);
+	l7_proto_label=(struct basic_proto_label *)project_req_get_struct(a_stream, g_tsg_para.l7_proto_project_id);
-	if(l7_proto_label!=NULL && l7_proto_label->proto_id!=_instance->mail_proto_id)
+	if(l7_proto_label!=NULL && l7_proto_label->proto_id!=g_tsg_para.mail_proto_id)
 	{
 		l7_protocol=tsg_l7_protocol_id2name(_instance, l7_proto_label->proto_id);
 		if(l7_protocol!=NULL)
@@ -245,17 +245,18 @@ int set_common_field_from_label(struct tsg_log_instance_t *_instance, struct TLD
 	char buff[1024]={0};
 	int l7_protocol_flag=0;
 	char *l7_protocol=NULL;
 	struct app_id_label *app_label=NULL;
 	struct _location_info_t *location=NULL;
-	struct _session_attribute_label_t *internal_label=NULL;
+	struct _session_attribute_label_t *attribute_label=NULL;
 	l7_protocol_flag=set_l7_protocol(_instance, _handle, a_stream);
-	internal_label=(struct _session_attribute_label_t *)project_req_get_struct(a_stream, _instance->internal_project_id);
+	attribute_label=(struct _session_attribute_label_t *)project_req_get_struct(a_stream, _instance->internal_project_id);
-	if(internal_label!=NULL)
+	if(attribute_label!=NULL)
 	{	
 		if(l7_protocol_flag==0)
 		{
-			l7_protocol=tsg_schema_index2string(internal_label->proto);
+			l7_protocol=tsg_schema_index2string(attribute_label->proto);
 			if(l7_protocol!=NULL)
 			{			
 				TLD_append(_handle, _instance->id2field[LOG_COMMON_L7_PROTOCOL].name, (void *)l7_protocol, TLD_TYPE_STRING);
@@ -266,37 +267,37 @@ int set_common_field_from_label(struct tsg_log_instance_t *_instance, struct TLD
 			}
 		}
-		TLD_append(_handle, _instance->id2field[LOG_COMMON_ESTABLISH_LATENCY_MS].name, (void *)internal_label->establish_latency_ms, TLD_TYPE_LONG);
+		TLD_append(_handle, _instance->id2field[LOG_COMMON_ESTABLISH_LATENCY_MS].name, (void *)attribute_label->establish_latency_ms, TLD_TYPE_LONG);
-		if(internal_label->client_asn!=NULL)
+		if(attribute_label->client_asn!=NULL)
 		{
-			snprintf(buff, sizeof(buff), "%s(%s)", internal_label->client_asn->asn, internal_label->client_asn->organization);
+			snprintf(buff, sizeof(buff), "%s(%s)", attribute_label->client_asn->asn, attribute_label->client_asn->organization);
 			TLD_append(_handle, _instance->id2field[LOG_COMMON_CLINET_ASN].name, (void *)buff, TLD_TYPE_STRING);
 		}
-		if(internal_label->server_asn!=NULL)
+		if(attribute_label->server_asn!=NULL)
 		{
-			snprintf(buff, sizeof(buff), "%s(%s)", internal_label->server_asn->asn, internal_label->server_asn->organization);
+			snprintf(buff, sizeof(buff), "%s(%s)", attribute_label->server_asn->asn, attribute_label->server_asn->organization);
 			TLD_append(_handle, _instance->id2field[LOG_COMMON_CLINET_ASN].name, (void *)buff, TLD_TYPE_STRING);
 		}
-		if(internal_label->client_location!=NULL)
+		if(attribute_label->client_location!=NULL)
 		{
-			location=internal_label->client_location;
+			location=attribute_label->client_location;
 			snprintf(buff, sizeof(buff), "%s,%s,%s", location->city_full, location->province_full, location->country_full);
 			TLD_append(_handle, _instance->id2field[LOG_COMMON_CLINET_LOCATION].name, (void *)buff, TLD_TYPE_STRING);
 		}
-		if(internal_label->server_location!=NULL)
+		if(attribute_label->server_location!=NULL)
 		{
-			location=internal_label->server_location;
+			location=attribute_label->server_location;
 			snprintf(buff, sizeof(buff), "%s,%s,%s", location->city_full, location->province_full, location->country_full);
 			TLD_append(_handle, _instance->id2field[LOG_COMMON_SERVER_LOCATION].name, (void *)buff, TLD_TYPE_STRING);
 		}
-		if(internal_label->ja3_fingerprint!=NULL)
+		if(attribute_label->ja3_fingerprint!=NULL)
 		{
-			TLD_append(_handle, _instance->id2field[LOG_SSL_JA3_FINGERPRINT].name, (void *)internal_label->ja3_fingerprint, TLD_TYPE_STRING);
+			TLD_append(_handle, _instance->id2field[LOG_SSL_JA3_FINGERPRINT].name, (void *)attribute_label->ja3_fingerprint, TLD_TYPE_STRING);
 		}
 	}
 	else
@@ -307,6 +308,13 @@ int set_common_field_from_label(struct tsg_log_instance_t *_instance, struct TLD
 		}
 	}
 	app_label=(struct app_id_label *)project_req_get_struct(a_stream, g_tsg_para.app_id_project_id);
 	if(app_label!=NULL)
 	{
 		TLD_append(_handle, _instance->id2field[LOG_COMMON_APP_ID].name, (void *)(long)app_label->app_id, TLD_TYPE_LONG);		
 		TLD_append(_handle, _instance->id2field[LOG_COMMON_APP_SURROGATE_ID].name, (void *)(long)app_label->surrogate_id, TLD_TYPE_LONG);
 	}
 	return 0;
 }
@@ -619,7 +627,6 @@ struct tsg_log_instance_t *tsg_sendlog_init(const char *conffile)
 	MESA_load_profile_int_def(conffile, "TSG_LOG", "LOG_LEVEL",&(_instance->level), 30);	
 	MESA_load_profile_string_def(conffile, "TSG_LOG", "LOG_PATH", _instance->log_path, sizeof(_instance->log_path), "./tsglog/tsglog");
 	MESA_load_profile_int_def(conffile, "TSG_LOG", "MAIL_PROTOCOL_ID",&(_instance->mail_proto_id), 110);	
 	MESA_load_profile_int_def(conffile, "TSG_LOG", "SEND_USER_REGION",&(_instance->send_user_region), 0);	
 	_instance->logger=MESA_create_runtime_log_handle(_instance->log_path, _instance->level);
@@ -647,7 +654,6 @@ struct tsg_log_instance_t *tsg_sendlog_init(const char *conffile)
 	MESA_load_profile_string_def(conffile, "TSG_LOG", "TCP_LABEL", _instance->tcp_label, sizeof(_instance->tcp_label), "tcp_flow_stat");
 	MESA_load_profile_string_def(conffile, "TSG_LOG", "UDP_LABEL", _instance->udp_label, sizeof(_instance->udp_label), "udp_flow_stat");
 	MESA_load_profile_string_def(conffile, "TSG_LOG", "L7_PROTO_LABEL", _instance->l7_proto_label, sizeof(_instance->l7_proto_label), "BASIC_PROTO_LABEL");
 	_instance->tcp_flow_project_id=project_customer_register(_instance->tcp_label, "struct");
 	_instance->udp_flow_project_id=project_customer_register(_instance->udp_label, "struct");
@@ -662,17 +668,6 @@ struct tsg_log_instance_t *tsg_sendlog_init(const char *conffile)
 								);
 	}
 	_instance->l7_proto_project_id=project_customer_register(_instance->l7_proto_label, "struct");
 	if(_instance->l7_proto_project_id<0)
 	{
 		MESA_handle_runtime_log(_instance->logger,
 									RLOG_LV_FATAL,
 									"L7_PROTO_LABEL",
 									"project_customer_register is error, l7_proto_label: %s, please check etc/project.conf",
 									_instance->l7_proto_label
 								);	
 	}
 	MESA_load_profile_string_def(conffile, "TSG_LOG", "NIC_NAME", nic_name, sizeof(nic_name), "eth0");	
 	ret=MESA_get_dev_ipv4(nic_name, (int *)&local_ip_nr);
 	if(ret<0)
--- a/src/tsg_send_log_internal.h
+++ b/src/tsg_send_log_internal.h
@@ -74,6 +74,7 @@ typedef enum _tsg_log_field_id
 	LOG_COMMON_L7_PROTOCOL,
 	LOG_COMMON_TCP_CLIENT_ISN,
 	LOG_COMMON_TCP_SERVER_ISN,
 	LOG_COMMON_APP_SURROGATE_ID,
 	LOG_COMMON_MAX
 }tsg_log_field_id_t;
@@ -94,11 +95,9 @@ struct tsg_log_instance_t
 {
 	int mode;
 	int level;
 	int mail_proto_id;
 	int max_service;
 	int send_user_region;
 	int recovery_interval;
 	int l7_proto_project_id;
 	int internal_project_id;
 	int tcp_flow_project_id;
 	int udp_flow_project_id;
@@ -108,7 +107,6 @@ struct tsg_log_instance_t
 	char log_path[MAX_STRING_LEN*2];
 	char tcp_label[MAX_STRING_LEN];
 	char udp_label[MAX_STRING_LEN];
 	char l7_proto_label[MAX_STRING_LEN];
 	char common_field_file[MAX_STRING_LEN*4];
 	char broker_list[MAX_STRING_LEN*4];
 	char send_queue_max_msg[MAX_STRING_LEN];