diff --git a/inc/tsg_label.h b/inc/tsg_label.h
index a1e6cf0..a674ded 100644
--- a/inc/tsg_label.h
+++ b/inc/tsg_label.h
@@ -104,6 +104,7 @@ struct session_attribute_label
 struct umts_user_info *user_info;
 struct tunnel_endpoint *client_endpoint;
 struct tunnel_endpoint *server_endpoint;
+ unsigned long session_flags;
 };
 struct policy_priority_label
diff --git a/src/tsg_action.cpp b/src/tsg_action.cpp
index 00da958..e9edde6 100644
--- a/src/tsg_action.cpp
+++ b/src/tsg_action.cpp
@@ -577,21 +577,12 @@ static unsigned char do_action_reset(const struct streaminfo *a_stream, Maat_rul
 static unsigned char do_action_drop(const struct streaminfo *a_stream, Maat_rule_t *p_result, struct compile_user_region *user_region, tsg_protocol_t protocol, const void *a_packet)
 {
- if(user_region!=NULL && user_region->deny!=NULL)
- {
- send_icmp_unreachable(a_stream);
- }
-
 switch(protocol)
 {
 case PROTO_DNS:
 return STATE_GIVEME|STATE_DROPPKT;
 default:
 set_drop_stream(a_stream, protocol);
- if(g_tsg_para.deploy_mode==DEPLOY_MODE_MIRROR)
- {
- return do_action_reset(a_stream, p_result, protocol);
- }
 break;
 }
@@ -870,7 +861,16 @@ static unsigned char tsg_do_deny_action(const struct streaminfo *a_stream, struc
 {
 set_protocol_to_tcpall(a_stream, protocol, a_stream->threadnum);
 set_method_to_tcpall(a_stream, user_region->method_type, a_stream->threadnum);
- set_after_n_packet_to_tcpall(a_stream, user_region->deny->after_n_packets, a_stream->threadnum);
+
+ if(a_stream->type==STREAM_TYPE_UDP && type!=ACTION_RETURN_TYPE_PROT)
+ {
+ set_after_n_packet_to_tcpall(a_stream, user_region->deny->after_n_packets+1, a_stream->threadnum);
+ }
+ else
+ {
+ set_after_n_packet_to_tcpall(a_stream, user_region->deny->after_n_packets, a_stream->threadnum);
+ }
+
 tsg_set_policy_result(a_stream, PULL_FW_RESULT, p_result, protocol, a_stream->threadnum);
 local_state=((type==ACTION_RETURN_TYPE_PROT) ? (STATE_DROPME) : (STATE_DROPME|STATE_KILL_OTHER));
 break;
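Review bot: After the two removed branches in do_action_drop, `p_result`, `user_region` and `a_packet` are no longer read anywhere in the visible body, so the function now promises inputs it ignores and will trip unused-parameter warnings; either add `(void)p_result; (void)user_region; (void)a_packet;` or trim the signature if no caller depends on its shape. Dropping the ICMP-unreachable and the mirror-mode reset also changes what a denied peer observes (a silent drop in every deploy mode instead of an explicit reject), which is worth one comment above the switch, e.g. `// deny is a silent drop for every protocol and deploy mode; no ICMP or reset is sent`. The end of do_action_drop is outside the hunk.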
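Review bot: Both new set_after_n_packet_to_tcpall calls in tsg_do_deny_action dereference `user_region->deny` with no NULL test in sight, while the guard removed from do_action_drop in the previous hunk shows `deny` was once treated as optional; if no such test sits earlier in tsg_do_deny_action (its start is outside the hunk), one is needed before this block. The `+1` applied only to UDP when `type!=ACTION_RETURN_TYPE_PROT` is a magic adjustment that deserves a comment; presumably it compensates for the current UDP packet being seen by both the data entry and the tcpall entry in the same call, e.g. `// UDP: this packet is also counted by the tcpall entry, so allow one more before dropping` — confirm against TSG_MASTER_UDP_ENTRY.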
diff --git a/src/tsg_entry.cpp b/src/tsg_entry.cpp
index 28eca47..639ef15 100644
--- a/src/tsg_entry.cpp
+++ b/src/tsg_entry.cpp
@@ -505,23 +505,27 @@ static int get_default_para(const struct streaminfo *a_stream, int compile_id)
 static int get_default_policy(int compile_id, struct Maat_rule_t *result)
 {
+ int ret=0;
 struct Maat_rule_t p_result={0};
 struct compile_user_region *user_region=NULL;
 p_result.config_id=compile_id;
 user_region=(struct compile_user_region *)Maat_rule_get_ex_data(g_tsg_maat_feather, &p_result, g_tsg_para.table_id[TABLE_SECURITY_COMPILE]);
- if(user_region!=NULL && user_region->method_type==TSG_METHOD_TYPE_DEFAULT)
+ if(user_region!=NULL)
 {
- if(user_region->session_para!=NULL && user_region->session_para->result.action==TSG_ACTION_DENY)
+ if(user_region->method_type==TSG_METHOD_TYPE_DEFAULT)
 {
- memcpy(result, &(user_region->session_para->result), sizeof(struct Maat_rule_t));
+ if(user_region->session_para!=NULL && user_region->session_para->result.action==TSG_ACTION_DENY)
+ {
+ memcpy(result, &(user_region->session_para->result), sizeof(struct Maat_rule_t));
+ }
+
+ ret=1;
 }
- security_compile_free(g_tsg_para.table_id[TABLE_SECURITY_COMPILE], &p_result, NULL, (MAAT_RULE_EX_DATA *)&user_region, 0, NULL);
- return 1;
 }
- return 0;
+ return ret;
 }
 static int get_packet_sequence(const struct streaminfo *a_stream)
@@ -684,10 +688,7 @@ static int master_send_log(const struct streaminfo *a_stream, struct Maat_rule_t
 else
 {
 TLD_append(TLD_handle, schema_field_name, (void *)g_tsg_proto_name2id[PROTO_APP].name, TLD_TYPE_STRING);
- }
-
- char *flags_field_name=log_field_id2name(g_tsg_log_instance, LOG_COMMON_FLAGS);
- TLD_append(TLD_handle, flags_field_name, (void *)context->session_flag, TLD_TYPE_LONG);
+ }
 if(context!=NULL && context->hited_app_id>0)
 {
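Review bot: The security_compile_free() call that released `user_region` is removed from get_default_policy without a replacement, and nothing in the hunk shows whether Maat_rule_get_ex_data() hands back a reference the caller must release; if it does, every default-policy lookup now leaks one ex-data reference. If the free was wrong (for example because the region is owned by the compile table), record that next to the lookup, e.g. `// ex_data is owned by the compile table; not released here`, otherwise restore the release on the `ret=1` path. The restructured block also copies `result` only when the action is DENY but still returns 1 for any DEFAULT method, so callers must not treat 1 as "result filled"; a one-line comment on the return value would make that contract explicit.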
@@ -1375,6 +1376,9 @@ void set_session_attribute_label(const struct streaminfo *a_stream, enum TSG_ATT
 memcpy(attribute_label->fqdn_category_id, value, sizeof(unsigned int)*value_len);
 attribute_label->fqdn_category_id_num=value_len;
 break;
+ case TSG_ATTRIBUTE_TYPE_SESSION_FLAGS:
+ attribute_label->session_flags=*(unsigned long *)(value);
+ break;
 default:
 break;
 }
@@ -1382,7 +1386,7 @@ void set_session_attribute_label(const struct streaminfo *a_stream, enum TSG_ATT
 return ;
 }
-static int set_tcp_establish_latency_ms(const struct streaminfo *a_tcp, int thread_seq,const void *ip_hdr)
+static char set_tcp_establish_latency_ms(const struct streaminfo *a_tcp, int thread_seq,const void *ip_hdr)
 {
 struct tcphdr *tcp=NULL;
@@ -1973,7 +1977,6 @@ static int app_identify_result_cb(const struct streaminfo *a_stream, int bridge_
 }
 context->sync_cb_state=master_deal_scan_result(a_stream, context, scan_result, hit_num, NULL);
- return 0;
 }
@@ -1995,11 +1998,13 @@ static int session_flags_identify_result_cb(const struct streaminfo *a_stream, i
 }
 context->session_flag=*(unsigned long *)(data);
+ set_session_attribute_label(a_stream, TSG_ATTRIBUTE_TYPE_SESSION_FLAGS, data, sizeof(unsigned long), a_stream->threadnum);
 int hit_num=tsg_scan_session_flags(g_tsg_maat_feather, a_stream, scan_result, MAX_RESULT_NUM, &context->mid, g_tsg_para.table_id[TABLE_SESSION_FLAGS], context->session_flag, a_stream->threadnum);
 context->sync_cb_state=master_deal_scan_result(a_stream, context, scan_result, hit_num, NULL);
+ return 0;
 }
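Review bot: `attribute_label->session_flags=*(unsigned long *)(value);` in set_session_attribute_label reads sizeof(unsigned long) bytes through a possibly misaligned pointer and ignores `value_len`, whereas the CATEGORY_ID case directly above bounds its copy by `value_len` (there an element count, here the caller passes a byte size, so the unit differs as well); prefer `if(value_len>=sizeof(attribute_label->session_flags)) memcpy(&attribute_label->session_flags, value, sizeof(attribute_label->session_flags));`. The `- return 0;` in app_identify_result_cb and the `+ return 0;` in session_flags_identify_result_cb are ambiguous in this rendering (a blank line or the statement itself); if app_identify_result_cb really lost its `return 0;`, a non-void function now falls off the end, which is undefined behaviour. The return type of set_tcp_establish_latency_ms changing from int to char also deserves a one-line reason at the declaration, since callers comparing it with int constants now narrow silently.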
@@ -2108,22 +2113,7 @@ static unsigned char tsg_master_data_entry(const struct streaminfo *a_stream, vo
 state=master_deal_scan_result(a_stream, context, scan_result, hit_num, a_packet);
 context->deal_pkt_num++;
 break;
- case OP_STATE_DATA:
- if(context->sync_cb_state&APP_STATE_KILL_OTHER || context->sync_cb_state&APP_STATE_DROPPKT)
- {
- if(a_stream->type==STREAM_TYPE_TCP) //tcpall
- {
- state=context->sync_cb_state|APP_STATE_DROPME;
- break;
- }
-
- if(a_stream->type==STREAM_TYPE_UDP) // allow, Deny(after drop N packets)
- {
- state=context->sync_cb_state&(~(APP_STATE_DROPME));
- break;
- }
- }
-
+ case OP_STATE_DATA:
 if(context->is_app_link==FLAG_FALSE && (context->deal_pkt_num++) == (g_tsg_para.identify_app_max_pkt_num+1))
 {
 unknown_result.app_id_num=1;
@@ -2139,6 +2129,13 @@ static unsigned char tsg_master_data_entry(const struct streaminfo *a_stream, vo
 state=APP_STATE_KILL_OTHER|APP_STATE_GIVEME;
 break;
 }
+
+ if(context->sync_cb_state&APP_STATE_KILL_OTHER || context->sync_cb_state&APP_STATE_DROPPKT)
+ {
+ //tcpall, udp -> allow, Deny(after drop N packets)
+ state=context->sync_cb_state|APP_STATE_DROPME;
+ break;
+ }
 if(get_current_time_ms()-context->last_scan_time < (g_tsg_para.scan_time_interval*1000))
 {
@@ -2186,7 +2183,7 @@ static unsigned char tsg_master_data_entry(const struct streaminfo *a_stream, vo
 default:
 break;
 }
-
+
 if((a_stream->opstate==OP_STATE_CLOSE) || (state&APP_STATE_DROPME)==APP_STATE_DROPME)
 {
 if(context!=NULL && context->is_log==0 && context->hit_cnt>0 && context->result!=NULL)
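Review bot: Moving the KILL_OTHER/DROPPKT test below the identify_app_max_pkt_num check changes the order of side effects in OP_STATE_DATA: `context->deal_pkt_num++` inside the `is_app_link` condition now runs for packets of a stream already marked for kill, and the unknown-result branch can return `APP_STATE_KILL_OTHER|APP_STATE_GIVEME` before the existing drop decision is consulted; if that is intended, say so in a comment, otherwise the sync_cb_state test belongs first. The new comment `//tcpall, udp -> allow, Deny(after drop N packets)` no longer matches the code, which sets DROPME for both stream types and leaves the UDP allow/deny split to TSG_MASTER_UDP_ENTRY; suggest `// stream already decided: propagate the drop; UDP after-N handling is done in the UDP entry`. `context` is dereferenced throughout this case yet only tested against NULL in the last hunk (`if(context!=NULL && context->is_log==0 ...)`), so one of the two is inconsistent; tsg_master_data_entry begins and ends outside these hunks.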
@@ -2211,12 +2208,12 @@ static unsigned char tsg_master_all_entry(const struct streaminfo *a_stream, uns
 struct Maat_rule_t result[MAX_RESULT_NUM]={0};
 struct tcpall_context *all_context=(struct tcpall_context *)(*pme);
- if(stream_state==OP_STATE_PENDING && all_context->method_type!=TSG_METHOD_TYPE_ALLOW)
+ if(stream_state==OP_STATE_PENDING && all_context->method_type!=TSG_METHOD_TYPE_ALLOW && !(all_context->udp_data_dropme))
 {
 if(all_context->method_type==TSG_METHOD_TYPE_UNKNOWN)
 {
 all_context->method_type=TSG_METHOD_TYPE_DEFAULT;
- all_context->after_n_packets=get_default_para(a_stream, g_tsg_para.default_compile_id);
+ all_context->default_policy_after_n_packets=get_default_para(a_stream, g_tsg_para.default_compile_id);
 }
 hit_num=tsg_scan_nesting_addr(g_tsg_maat_feather, a_stream, PROTO_UNKONWN, &scan_mid, result, MAX_RESULT_NUM);
@@ -2262,7 +2259,7 @@ static unsigned char tsg_master_all_entry(const struct streaminfo *a_stream, uns
 }
 break;
 case TSG_METHOD_TYPE_DEFAULT:
- if(!is_do_default_policy(a_stream, all_context->after_n_packets) || stream_state==OP_STATE_CLOSE)
+ if(!is_do_default_policy(a_stream, all_context->default_policy_after_n_packets) || stream_state==OP_STATE_CLOSE)
 {
 break;
 }
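Review bot: The added `!(all_context->udp_data_dropme)` clause turns the PENDING condition into three unexplained tests; once the flag is set, the UNKNOWN-to-DEFAULT promotion and the nesting-address scan are skipped for the rest of the stream, which is a policy decision that should be stated, e.g. `// the data entry already asked to drop this UDP stream; skip the pending-scan path`. Note also that `default_policy_after_n_packets` is a union member (see the tsg_entry.h hunk) that is only meaningful while `method_type` is DEFAULT, so reading it under any other method yields another member's bytes; the rename helps, a comment at the union would help more.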
@@ -2275,16 +2272,28 @@ static unsigned char tsg_master_all_entry(const struct streaminfo *a_stream, uns
 break;
 case TSG_METHOD_TYPE_DROP:
 case TSG_METHOD_TYPE_APP_DROP:
- if((all_context->hited_para.after_n_packets-- > 0) || stream_state==OP_STATE_CLOSE)
- {
+ // contain hited current packet, platform calls tcp first and tcpall secondary.
+ if(((all_context->hited_para.after_n_packets >= 0) && a_stream->type==STREAM_TYPE_TCP) ||
+ ((all_context->hited_para.after_n_packets > 0) && a_stream->type==STREAM_TYPE_UDP)
+ || stream_state==OP_STATE_CLOSE)
+ {
+ all_context->hited_para.after_n_packets--;
 break;
 }
 ret=tsg_pull_policy_result((struct streaminfo *)a_stream,PULL_FW_RESULT, &result[0], 1, &tmp_identify_info);
- if(ret>0)
+ if(ret<=0)
+ {
+ break;
+ }
+
+ if(all_context->hited_para.hited_app_id<=0)
+ {
+ state=tsg_deal_deny_action(a_stream, &result[0], all_context->protocol, ACTION_RETURN_TYPE_TCPALL, a_packet);
+ }
+ else
 {
 state=tsg_deny_application(a_stream, &result[0], all_context->protocol, all_context->hited_para.hited_app_id, ACTION_RETURN_TYPE_TCPALL, a_packet);
- //master_send_log(a_stream, &result[0], 1, data_context, thread_seq);
 }
 break;
 default:
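Review bot: The three-line condition mixes trailing and leading `||` (`... STREAM_TYPE_TCP) ||` then `|| stream_state==OP_STATE_CLOSE)`), and the comment `// contain hited current packet, platform calls tcp first and tcpall secondary.` does not say why TCP uses `>= 0` and UDP `> 0`; suggest `// TCP: the hit packet was already counted by the tcp entry, so one more passes (>= 0); UDP: only the remaining N (> 0)` if that is the intent. A stream whose type is neither TCP nor UDP skips the countdown and pulls the policy on its first packet; if other stream types can reach this switch, that needs a default clause or a note. The decrement now sits inside the break path and so also runs on every OP_STATE_CLOSE evaluation, which is harmless only if CLOSE is delivered once per stream.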
@@ -2323,10 +2332,20 @@ extern "C" unsigned char TSG_MASTER_UDP_ENTRY(const struct streaminfo *a_udp, vo
 memset(context->all_entry, 0, sizeof(struct tcpall_context));
 set_struct_project(a_udp, g_tsg_para.tcpall_project_id, (void *)(context->all_entry));
 }
-
- state2=tsg_master_data_entry(a_udp, (void **)&(context->data_entry), thread_seq, a_packet);
- if(!(state2&APP_STATE_DROPME))
+
+ if(context->all_entry->udp_data_dropme==0)
 {
+ state2=tsg_master_data_entry(a_udp, (void **)&(context->data_entry), thread_seq, a_packet);
+ }
+
+ if(!(state2&APP_STATE_DROPME) || context->all_entry->hited_para.after_n_packets>0)
+ {
+ if(state2&APP_STATE_DROPME)
+ {
+ context->all_entry->udp_data_dropme=1;
+ state2=state2&(~(APP_STATE_DROPME));
+ }
+
 state1=tsg_master_all_entry(a_udp, a_udp->opstate, (void **)&(context->all_entry), thread_seq, a_packet);
 }
diff --git a/src/tsg_entry.h b/src/tsg_entry.h
index 686dc36..fafd9e5 100644
--- a/src/tsg_entry.h
+++ b/src/tsg_entry.h
@@ -168,6 +168,7 @@ enum TSG_ATTRIBUTE_TYPE
 TSG_ATTRIBUTE_TYPE_SUBSCRIBER_ID,
 TSG_ATTRIBUTE_TYPE_HTTP_ACTION_FILESIZE,
 TSG_ATTRIBUTE_TYPE_CATEGORY_ID,
+ TSG_ATTRIBUTE_TYPE_SESSION_FLAGS,
 _MAX_TSG_ATTRIBUTE_TYPE
 };
@@ -284,14 +285,16 @@ struct master_context
 struct tcpall_context
 {
- int set_latency_flag;
+ char udp_data_dropme;
+ char set_latency_flag;
+ char padding[6];
 enum TSG_METHOD_TYPE method_type;
 tsg_protocol_t protocol;
 union
 {
 struct leaky_bucket *bucket;
 long tamper_count;
- int after_n_packets;
+ int default_policy_after_n_packets;
 struct hited_app_para hited_para;
 void *para;
 };
diff --git a/src/tsg_send_log.cpp b/src/tsg_send_log.cpp
index 4f1be74..3c698dd 100644
--- a/src/tsg_send_log.cpp
+++ b/src/tsg_send_log.cpp
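Review bot: When `context->all_entry->udp_data_dropme` is already set, tsg_master_data_entry is no longer called, yet `state2` is still tested with `state2&APP_STATE_DROPME` two lines later; its declaration is outside the hunk, so make sure it is initialised where declared (`state2=0;` at the declaration) or the test reads an indeterminate value on every later packet of a dropped UDP stream. The inner `if(state2&APP_STATE_DROPME)` block both latches the flag and strips DROPME before the tcpall entry runs; a comment such as `// first drop decision: let tcpall count down after_n_packets, then stop consulting the data entry` would make the hand-off explicit for the next reader.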
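Review bot: `char padding[6]` in tcpall_context hand-places padding the compiler would insert anyway before `enum TSG_METHOD_TYPE method_type`; unless the struct crosses a binary interface whose layout must be pinned, drop it, and if it must be pinned add a comment naming that interface plus a `static_assert` on `sizeof(struct tcpall_context)` against the expected size (a placeholder until measured) at the definition. The union now holds `default_policy_after_n_packets` beside `hited_para`, `bucket` and `tamper_count` with `method_type` as the implicit selector; a comment on the union stating which member is valid for which method type would document the cross-member reads the tsg_master_all_entry hunks rely on.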
@@ -1698,6 +1698,11 @@ int set_session_attributes(struct tsg_log_instance_t *_instance, struct TLD_hand
 TLD_append(_handle, _instance->id2field[LOG_COMMON_TUNNELS_ENDPOINT_B_DESC].name, (void *)attribute_label->server_endpoint->description, TLD_TYPE_STRING);
 }
+ if(attribute_label->session_flags>0 && !(TLD_search(_handle, _instance->id2field[LOG_COMMON_FLAGS].name)))
+ {
+ TLD_append(_handle, _instance->id2field[LOG_COMMON_FLAGS].name, (void *)attribute_label->session_flags, TLD_TYPE_LONG);
+ }
+
 return 1;
 }
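Review bot: `attribute_label->session_flags>0` on an unsigned long is just `!=0` and should be written that way; more importantly it means the LOG_COMMON_FLAGS field is now omitted whenever no flag is set, whereas the removed master_send_log code appended it unconditionally, so log consumers that expect the field to always be present must tolerate its absence (or keep only the TLD_search guard and drop the value test). `(void *)attribute_label->session_flags` passes an integer through a pointer, which matches the existing TLD_TYPE_LONG convention on this page but would truncate on a target whose pointer is narrower than unsigned long. set_session_attributes starts outside the hunk, so whether `attribute_label` is NULL-checked earlier could not be verified here.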