Feature default policy action switch
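--- /dev/null
+++ b/bin/tsg_dynamic_maat.json
@@ -0,0 +1,12 @@
+{
+"plugin_table":
+[
+{
+"table_name": "TSG_DYN_SUBSCRIBER_IP",
+"table_content": [
+"1052\t4\t192.168.50.52\ttest52\t1",
+"1037\t4\t192.168.50.37\test37\t1"
+]
+}
+]
+}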
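Review bot: The second row, `"1037\t4\t192.168.50.37\test37\t1"`, has `\test37` where the first row has `\ttest52`, so JSON decodes it as a tab followed by `est37` and the fourth column of that row is loaded as `est37` rather than `test37`. If the first row's pattern is the intended one, the row should read `"1037\t4\t192.168.50.37\ttest37\t1"`. The meaning of the numeric columns is not evident from the file and JSON cannot carry a comment, so the column order of `TSG_DYN_SUBSCRIBER_IP` rows would be worth documenting in the loader or a neighbouring README.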
@@ -42,6 +42,7 @@ struct compile_user_region
|
|||||||
char protocol[32];
|
char protocol[32];
|
||||||
char method[32];
|
char method[32];
|
||||||
char *message;
|
char *message;
|
||||||
|
Maat_rule_t *result;
|
||||||
};
|
};
|
||||||
|
|
||||||
typedef enum _PULL_RESULT_TYPE
|
typedef enum _PULL_RESULT_TYPE
|
||||||
|
|||||||
@@ -155,7 +155,7 @@ static int get_device_id(char *command, int entrance_id)
|
|||||||
return (entrance_id<<7)+(atoi(buffer)%128);
|
return (entrance_id<<7)+(atoi(buffer)%128);
|
||||||
}
|
}
|
||||||
|
|
||||||
static int is_repetitive_app_id(unsigned short proto_id)
|
static int is_repetitive_protocol_id(unsigned short proto_id)
|
||||||
{
|
{
|
||||||
switch(proto_id)
|
switch(proto_id)
|
||||||
{
|
{
|
||||||
@@ -175,6 +175,31 @@ static int is_repetitive_app_id(unsigned short proto_id)
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static int get_default_policy(int compile_id, struct Maat_rule_t *result)
|
||||||
|
{
|
||||||
|
struct Maat_rule_t p_result={0};
|
||||||
|
struct compile_user_region *user_region=NULL;
|
||||||
|
|
||||||
|
p_result.config_id=compile_id;
|
||||||
|
user_region=(struct compile_user_region *)Maat_rule_get_ex_data(g_tsg_maat_feather, &p_result, g_tsg_para.table_id[TABLE_SECURITY_COMPILE]);
|
||||||
|
if(user_region!=NULL)
|
||||||
|
{
|
||||||
|
if(user_region->result!=NULL)
|
||||||
|
{
|
||||||
|
memcpy(result, user_region->result, sizeof(struct Maat_rule_t));
|
||||||
|
if(result->action==TSG_ACTION_BYPASS)
|
||||||
|
{
|
||||||
|
result->action=TSG_ACTION_NONE;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
security_compile_free(g_tsg_para.table_id[TABLE_SECURITY_COMPILE], &p_result, NULL, (MAAT_RULE_EX_DATA *)&user_region, 0, NULL);
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
static struct app_id_label *get_app_id_label(struct streaminfo *a_stream, struct master_context *context, int thread_seq)
|
static struct app_id_label *get_app_id_label(struct streaminfo *a_stream, struct master_context *context, int thread_seq)
|
||||||
{
|
{
|
||||||
struct app_id_label *app_id_label=NULL;
|
struct app_id_label *app_id_label=NULL;
|
||||||
@@ -192,8 +217,7 @@ static struct app_id_label *get_app_id_label(struct streaminfo *a_stream, struct
|
|||||||
MESA_handle_runtime_log(g_tsg_para.logger,
|
MESA_handle_runtime_log(g_tsg_para.logger,
|
||||||
RLOG_LV_DEBUG,
|
RLOG_LV_DEBUG,
|
||||||
"READ_APP_ID_FLAG",
|
"READ_APP_ID_FLAG",
|
||||||
"Get %s app id label, app_id: %d addr: %s",
|
"Get app id label, app_id: %d addr: %s",
|
||||||
context->uuid_str,
|
|
||||||
app_id_label->app_id,
|
app_id_label->app_id,
|
||||||
printaddr(&a_stream->addr, thread_seq)
|
printaddr(&a_stream->addr, thread_seq)
|
||||||
);
|
);
|
||||||
@@ -214,33 +238,14 @@ static int get_basic_proto_id(struct streaminfo *a_stream, struct master_context
|
|||||||
if(context->continue_scan_proto_id==APP_SCAN_FLAG_CONTINUE && g_tsg_para.l7_proto_project_id>=0)
|
if(context->continue_scan_proto_id==APP_SCAN_FLAG_CONTINUE && g_tsg_para.l7_proto_project_id>=0)
|
||||||
{
|
{
|
||||||
proto_label=(struct basic_proto_label *)project_req_get_struct(a_stream, g_tsg_para.l7_proto_project_id);
|
proto_label=(struct basic_proto_label *)project_req_get_struct(a_stream, g_tsg_para.l7_proto_project_id);
|
||||||
if(proto_label!=NULL && proto_label->proto_id!=context->basic_proto_id)
|
if(proto_label!=NULL)
|
||||||
{
|
{
|
||||||
if(proto_label->continue_scan_flag==APP_SCAN_FLAG_STOP)
|
if(proto_label->continue_scan_flag==APP_SCAN_FLAG_STOP)
|
||||||
{
|
{
|
||||||
context->continue_scan_proto_id=APP_SCAN_FLAG_STOP;
|
context->continue_scan_proto_id=APP_SCAN_FLAG_STOP;
|
||||||
}
|
}
|
||||||
|
|
||||||
if(is_repetitive_app_id(proto_label->proto_id))
|
return proto_label->proto_id;
|
||||||
{
|
|
||||||
context->continue_scan_proto_id=APP_SCAN_FLAG_STOP;
|
|
||||||
switch(proto_label->proto_id)
|
|
||||||
{
|
|
||||||
case SIP_PROTO_ID:
|
|
||||||
context->proto=PROTO_SIP;
|
|
||||||
break;
|
|
||||||
case RTP_PROTO_ID:
|
|
||||||
context->proto=PROTO_RTP;
|
|
||||||
break;
|
|
||||||
default:
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
context->basic_proto_id=proto_label->proto_id;
|
|
||||||
return context->basic_proto_id;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -595,7 +600,15 @@ void close_stream_free_context(struct streaminfo *a_stream, struct master_contex
|
|||||||
if(context->hit_cnt>0 && context->result!=NULL)
|
if(context->hit_cnt>0 && context->result!=NULL)
|
||||||
{
|
{
|
||||||
memset(&identify_info, 0, sizeof(identify_info));
|
memset(&identify_info, 0, sizeof(identify_info));
|
||||||
identify_info.proto=context->proto;
|
if(context->proto==PROTO_UNKONWN || context->proto>PROTO_APP)
|
||||||
|
{
|
||||||
|
identify_info.proto=PROTO_APP;
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
identify_info.proto=context->proto;
|
||||||
|
}
|
||||||
|
|
||||||
if(context->domain_len>0)
|
if(context->domain_len>0)
|
||||||
{
|
{
|
||||||
memcpy(identify_info.domain, context->domain, context->domain_len);
|
memcpy(identify_info.domain, context->domain, context->domain_len);
|
||||||
@@ -1034,7 +1047,7 @@ extern "C" char TSG_MASTER_TCP_ENTRY(struct streaminfo *a_tcp, void **pme, int t
|
|||||||
int opt_value=0;
|
int opt_value=0;
|
||||||
int proto_id=0;
|
int proto_id=0;
|
||||||
char *l7_protocol=NULL;
|
char *l7_protocol=NULL;
|
||||||
int ret=0,hit_num=0;
|
int ret=0,hit_num=0;
|
||||||
int state=APP_STATE_GIVEME;
|
int state=APP_STATE_GIVEME;
|
||||||
Maat_rule_t *p_result=NULL;
|
Maat_rule_t *p_result=NULL;
|
||||||
struct identify_info identify_info;
|
struct identify_info identify_info;
|
||||||
@@ -1077,17 +1090,20 @@ extern "C" char TSG_MASTER_TCP_ENTRY(struct streaminfo *a_tcp, void **pme, int t
|
|||||||
hit_num+=ret;
|
hit_num+=ret;
|
||||||
FS_operate(g_tsg_para.fs2_handle, g_tsg_para.fs2_field_id[TSG_FS2_HIT_ADDR], 0, FS_OP_ADD, 1);
|
FS_operate(g_tsg_para.fs2_handle, g_tsg_para.fs2_field_id[TSG_FS2_HIT_ADDR], 0, FS_OP_ADD, 1);
|
||||||
}
|
}
|
||||||
|
context->proto=identify_info.proto;
|
||||||
|
context->continue_scan_proto_id=APP_SCAN_FLAG_STOP;
|
||||||
break;
|
break;
|
||||||
default:
|
default:
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
if(context->proto==PROTO_UNKONWN || context->proto>PROTO_APP) /* support block/alert(deny), Do action in fw_http_plug */
|
if(context->proto==PROTO_UNKONWN || context->proto>PROTO_APP || context->continue_scan_proto_id==APP_SCAN_FLAG_CONTINUE) /* support block/alert(deny), Do action in fw_http_plug */
|
||||||
{
|
{
|
||||||
proto_id=get_basic_proto_id(a_tcp, context, thread_seq);
|
proto_id=get_basic_proto_id(a_tcp, context, thread_seq);
|
||||||
if(proto_id>0)
|
if(proto_id>0 && proto_id!=context->basic_proto_id)
|
||||||
{
|
{
|
||||||
context->proto=PROTO_APP;
|
context->proto=PROTO_APP;
|
||||||
|
context->basic_proto_id=proto_id;
|
||||||
l7_protocol=tsg_l7_protocol_id2name(g_tsg_log_instance, proto_id);
|
l7_protocol=tsg_l7_protocol_id2name(g_tsg_log_instance, proto_id);
|
||||||
if(l7_protocol==NULL && proto_id==g_tsg_para.mail_proto_id)
|
if(l7_protocol==NULL && proto_id==g_tsg_para.mail_proto_id)
|
||||||
{
|
{
|
||||||
@@ -1100,23 +1116,29 @@ extern "C" char TSG_MASTER_TCP_ENTRY(struct streaminfo *a_tcp, void **pme, int t
|
|||||||
|
|
||||||
hit_num+=scan_application_id_and_properties(a_tcp, context, result+hit_num, MAX_RESULT_NUM-hit_num, &context->mid, thread_seq);
|
hit_num+=scan_application_id_and_properties(a_tcp, context, result+hit_num, MAX_RESULT_NUM-hit_num, &context->mid, thread_seq);
|
||||||
p_result=tsg_policy_decision_criteria(a_tcp, result, hit_num, &identify_info, thread_seq);
|
p_result=tsg_policy_decision_criteria(a_tcp, result, hit_num, &identify_info, thread_seq);
|
||||||
|
if(g_tsg_para.default_compile_switch==1 && p_result==NULL)
|
||||||
|
{
|
||||||
|
if(get_default_policy(g_tsg_para.default_compile_id, &result[0]))
|
||||||
|
{
|
||||||
|
p_result=&result[0];
|
||||||
|
context->is_default_policy=1;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if(p_result!=NULL)
|
if(p_result!=NULL)
|
||||||
{
|
{
|
||||||
switch((unsigned char)p_result->action)
|
switch((unsigned char)p_result->action)
|
||||||
{
|
{
|
||||||
case TSG_ACTION_DENY:
|
case TSG_ACTION_DENY:
|
||||||
if((context->result!=NULL && context->result[0].action==TSG_ACTION_BYPASS) || (is_repetitive_app_id(context->proto)))
|
if((context->result!=NULL && context->result[0].action==TSG_ACTION_BYPASS) || ((is_repetitive_protocol_id(context->proto)) && context->is_default_policy==0))
|
||||||
{
|
{
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
context->proto=PROTO_APP;
|
|
||||||
user_region=(struct compile_user_region *)Maat_rule_get_ex_data(g_tsg_maat_feather, p_result, g_tsg_para.table_id[TABLE_SECURITY_COMPILE]);
|
user_region=(struct compile_user_region *)Maat_rule_get_ex_data(g_tsg_maat_feather, p_result, g_tsg_para.table_id[TABLE_SECURITY_COMPILE]);
|
||||||
if(user_region!=NULL)
|
if(user_region!=NULL)
|
||||||
{
|
{
|
||||||
atomic_dec(&user_region->ref_cnt);
|
|
||||||
method_type=tsg_get_method_id(user_region->method);
|
method_type=tsg_get_method_id(user_region->method);
|
||||||
|
|
||||||
switch(method_type)
|
switch(method_type)
|
||||||
{
|
{
|
||||||
case TSG_METHOD_TYPE_DROP:
|
case TSG_METHOD_TYPE_DROP:
|
||||||
@@ -1148,6 +1170,8 @@ extern "C" char TSG_MASTER_TCP_ENTRY(struct streaminfo *a_tcp, void **pme, int t
|
|||||||
default:
|
default:
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
security_compile_free(g_tsg_para.table_id[TABLE_SECURITY_COMPILE], p_result, NULL, (MAAT_RULE_EX_DATA *)&user_region, 0, NULL);
|
||||||
}
|
}
|
||||||
copy_deny_result(a_tcp, context, p_result, thread_seq);
|
copy_deny_result(a_tcp, context, p_result, thread_seq);
|
||||||
break;
|
break;
|
||||||
@@ -1223,39 +1247,70 @@ extern "C" char TSG_MASTER_UDP_ENTRY(struct streaminfo *a_udp, void **pme, int t
|
|||||||
hit_num+=ret;
|
hit_num+=ret;
|
||||||
FS_operate(g_tsg_para.fs2_handle, g_tsg_para.fs2_field_id[TSG_FS2_HIT_ADDR], 0, FS_OP_ADD, 1);
|
FS_operate(g_tsg_para.fs2_handle, g_tsg_para.fs2_field_id[TSG_FS2_HIT_ADDR], 0, FS_OP_ADD, 1);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
context->proto=identify_info.proto;
|
||||||
|
context->continue_scan_proto_id=APP_SCAN_FLAG_STOP;
|
||||||
break;
|
break;
|
||||||
default:
|
default:
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
if(context->proto==PROTO_UNKONWN || context->proto>PROTO_APP)
|
if(context->proto==PROTO_UNKONWN || context->proto>PROTO_APP || context->continue_scan_proto_id==APP_SCAN_FLAG_CONTINUE)
|
||||||
{
|
{
|
||||||
proto_id=get_basic_proto_id(a_udp, context, thread_seq);
|
proto_id=get_basic_proto_id(a_udp, context, thread_seq);
|
||||||
if(proto_id>0)
|
if(proto_id>0 && context->basic_proto_id!=proto_id)
|
||||||
{
|
{
|
||||||
hit_num+=tsg_scan_app_id_policy(g_tsg_maat_feather, a_udp, result, MAX_RESULT_NUM-hit_num, &context->mid, l7_protocol, proto_id, thread_seq);
|
if(is_repetitive_protocol_id(proto_id))
|
||||||
|
{
|
||||||
|
context->continue_scan_proto_id=APP_SCAN_FLAG_STOP;
|
||||||
|
switch(proto_id)
|
||||||
|
{
|
||||||
|
case SIP_PROTO_ID:
|
||||||
|
context->proto=PROTO_SIP;
|
||||||
|
set_session_attribute_label(a_udp, TSG_ATTRIBUTE_TYPE_PROTOCOL, (void *)&(context->proto), thread_seq);
|
||||||
|
break;
|
||||||
|
case RTP_PROTO_ID:
|
||||||
|
context->proto=PROTO_RTP;
|
||||||
|
set_session_attribute_label(a_udp, TSG_ATTRIBUTE_TYPE_PROTOCOL, (void *)&(context->proto), thread_seq);
|
||||||
|
break;
|
||||||
|
default:
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
context->proto=PROTO_APP;
|
||||||
|
context->basic_proto_id=proto_id;
|
||||||
|
hit_num+=tsg_scan_app_id_policy(g_tsg_maat_feather, a_udp, result, MAX_RESULT_NUM-hit_num, &context->mid, l7_protocol, proto_id, thread_seq);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
hit_num+=scan_application_id_and_properties(a_udp, context, result+hit_num, MAX_RESULT_NUM-hit_num, &context->mid, thread_seq);
|
hit_num+=scan_application_id_and_properties(a_udp, context, result+hit_num, MAX_RESULT_NUM-hit_num, &context->mid, thread_seq);
|
||||||
p_result=tsg_policy_decision_criteria(a_udp, result, hit_num, &identify_info, thread_seq);
|
p_result=tsg_policy_decision_criteria(a_udp, result, hit_num, &identify_info, thread_seq);
|
||||||
|
if(g_tsg_para.default_compile_switch==1 && p_result==NULL)
|
||||||
|
{
|
||||||
|
if(get_default_policy(g_tsg_para.default_compile_id, &result[0]))
|
||||||
|
{
|
||||||
|
p_result=&result[0];
|
||||||
|
context->is_default_policy=1;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if(p_result!=NULL)
|
if(p_result!=NULL)
|
||||||
{
|
{
|
||||||
switch((unsigned char)p_result->action)
|
switch((unsigned char)p_result->action)
|
||||||
{
|
{
|
||||||
case TSG_ACTION_DENY:
|
case TSG_ACTION_DENY:
|
||||||
if((context->result!=NULL && context->result[0].action==TSG_ACTION_BYPASS) || (is_repetitive_app_id(context->proto)))
|
if((context->result!=NULL && context->result[0].action==TSG_ACTION_BYPASS) || ((is_repetitive_protocol_id(context->proto)) && context->is_default_policy==0))
|
||||||
{
|
{
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
context->proto=PROTO_APP;
|
|
||||||
user_region=(struct compile_user_region *)Maat_rule_get_ex_data(g_tsg_maat_feather, p_result, g_tsg_para.table_id[TABLE_SECURITY_COMPILE]);
|
user_region=(struct compile_user_region *)Maat_rule_get_ex_data(g_tsg_maat_feather, p_result, g_tsg_para.table_id[TABLE_SECURITY_COMPILE]);
|
||||||
if(user_region!=NULL)
|
if(user_region!=NULL)
|
||||||
{
|
{
|
||||||
atomic_dec(&user_region->ref_cnt);
|
|
||||||
method_type=tsg_get_method_id(user_region->method);
|
method_type=tsg_get_method_id(user_region->method);
|
||||||
|
|
||||||
switch(method_type)
|
switch(method_type)
|
||||||
{
|
{
|
||||||
case TSG_METHOD_TYPE_DROP:
|
case TSG_METHOD_TYPE_DROP:
|
||||||
@@ -1267,6 +1322,8 @@ extern "C" char TSG_MASTER_UDP_ENTRY(struct streaminfo *a_udp, void **pme, int t
|
|||||||
default:
|
default:
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
security_compile_free(g_tsg_para.table_id[TABLE_SECURITY_COMPILE], p_result, NULL, (MAAT_RULE_EX_DATA *)&user_region, 0, NULL);
|
||||||
}
|
}
|
||||||
copy_deny_result(a_udp, context, p_result, thread_seq);
|
copy_deny_result(a_udp, context, p_result, thread_seq);
|
||||||
break;
|
break;
|
||||||
@@ -1319,7 +1376,11 @@ extern "C" int TSG_MASTER_INIT()
|
|||||||
printf("MESA_create_runtime_log_handle failed ...\n");
|
printf("MESA_create_runtime_log_handle failed ...\n");
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
MESA_load_profile_int_def(tsg_conffile, "SYSTEM","DEFAULT_POLICY_ID", &g_tsg_para.default_compile_id, 0);
|
||||||
|
MESA_load_profile_int_def(tsg_conffile, "SYSTEM","DEFAULT_POLICY_SWITCH", &g_tsg_para.default_compile_switch, 0);
|
||||||
|
|
||||||
MESA_load_profile_string_def(tsg_conffile, "SYSTEM", "IDENTIFY_PROTO_NAME", identify_proto_name, sizeof(identify_proto_name), "HTTP;SSL;DNS;FTP;BGP;SIP;MAIL;STREAMING_MEDIA;QUIC;");
|
MESA_load_profile_string_def(tsg_conffile, "SYSTEM", "IDENTIFY_PROTO_NAME", identify_proto_name, sizeof(identify_proto_name), "HTTP;SSL;DNS;FTP;BGP;SIP;MAIL;STREAMING_MEDIA;QUIC;");
|
||||||
tsg_proto_name2flag(identify_proto_name, &g_tsg_para.proto_flag);
|
tsg_proto_name2flag(identify_proto_name, &g_tsg_para.proto_flag);
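Review bot: `get_default_policy` (hunk @@ -175) returns 1 whenever `user_region!=NULL`, including the case where `user_region->result==NULL` and the `memcpy` into `result` never ran; the callers in both entry functions (hunks @@ -1100 and @@ -1223) then publish the unwritten `result[0]` as `p_result` and set `context->is_default_policy=1`. Track the copy instead: `int found=0;` at the top, `found=1;` after the `memcpy`, and `return found;` after `security_compile_free`, so the release still runs on every path. Two further points in this section: `context->is_default_policy` is set in those hunks but never cleared, so once a stream has fallen back to the default policy a later evaluation that does find a real `p_result` still skips the repetitive-protocol guard in the `TSG_ACTION_DENY` case — presumably it should be reset where `p_result` is recomputed, unless the context is rebuilt per call. And the TCP hunk @@ -1077 now sets `context->proto=PROTO_APP` for every new `proto_id`, whereas the UDP hunk @@ -1223 maps `SIP_PROTO_ID`/`RTP_PROTO_ID` to `PROTO_SIP`/`PROTO_RTP` — the mapping `get_basic_proto_id` performed for both callers before hunk @@ -214 removed it; if TCP is meant to lose it, a one-line comment at that `if` should say so. Both entry functions start and end outside their hunks.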
|
||||||
|
|
||||||
|
|||||||
@@ -109,15 +109,14 @@ struct master_context
|
|||||||
{
|
{
|
||||||
tsg_protocol_t proto;
|
tsg_protocol_t proto;
|
||||||
int hit_cnt;
|
int hit_cnt;
|
||||||
int domain_len;
|
|
||||||
char domain[MAX_DOAMIN_LEN];
|
|
||||||
struct Maat_rule_t *result;
|
|
||||||
|
|
||||||
int app_id;
|
int app_id;
|
||||||
|
int is_default_policy;
|
||||||
char continue_scan_app_id;
|
char continue_scan_app_id;
|
||||||
char continue_scan_proto_id;
|
char continue_scan_proto_id;
|
||||||
unsigned short basic_proto_id;
|
unsigned short basic_proto_id;
|
||||||
char uuid_str[32];
|
int domain_len;
|
||||||
|
char domain[MAX_DOAMIN_LEN];
|
||||||
|
struct Maat_rule_t *result;
|
||||||
scan_status_t mid;
|
scan_status_t mid;
|
||||||
};
|
};
|
||||||
|
|
||||||
@@ -131,6 +130,8 @@ typedef struct _tsg_para
|
|||||||
int app_id_table_type;
|
int app_id_table_type;
|
||||||
int device_id;
|
int device_id;
|
||||||
int entrance_id;
|
int entrance_id;
|
||||||
|
int default_compile_switch;
|
||||||
|
int default_compile_id;
|
||||||
int table_id[TABLE_MAX];
|
int table_id[TABLE_MAX];
|
||||||
int dyn_subscribe_ip_table_id; //TSG_DYN_SUBSCRIBER_IP
|
int dyn_subscribe_ip_table_id; //TSG_DYN_SUBSCRIBER_IP
|
||||||
int priority_project_id;
|
int priority_project_id;
|
||||||
@@ -238,6 +239,7 @@ int tsg_statistic_init(const char *conffile, void *logger);
|
|||||||
void location_free_data(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp);
|
void location_free_data(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp);
|
||||||
void ASN_free_data(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp);
|
void ASN_free_data(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp);
|
||||||
void subscribe_id_free_data(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp);
|
void subscribe_id_free_data(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp);
|
||||||
|
void security_compile_free(int idx, const struct Maat_rule_t* rule, const char* srv_def_large, MAAT_RULE_EX_DATA* ad, long argl, void *argp);
|
||||||
char *tsg_schema_index2string(tsg_protocol_t proto);
|
char *tsg_schema_index2string(tsg_protocol_t proto);
|
||||||
struct Maat_rule_t *tsg_policy_decision_criteria(struct streaminfo *a_stream, Maat_rule_t *result, int result_num, struct _identify_info *identify_info, int thread_seq);
|
struct Maat_rule_t *tsg_policy_decision_criteria(struct streaminfo *a_stream, Maat_rule_t *result, int result_num, struct _identify_info *identify_info, int thread_seq);
|
||||||
int tsg_scan_shared_policy(Maat_feather_t maat_feather, struct streaminfo *a_stream, struct identify_info *identify_info, Maat_rule_t *result, int result_num, scan_status_t *mid, int thread_seq);
|
int tsg_scan_shared_policy(Maat_feather_t maat_feather, struct streaminfo *a_stream, struct identify_info *identify_info, Maat_rule_t *result, int result_num, scan_status_t *mid, int thread_seq);
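Review bot: `int is_default_policy;` in `struct master_context` (hunk @@ -109) is added without a comment and carries a lifecycle the header does not show: it is set when the entry functions fall back to `get_default_policy`, read in the `TSG_ACTION_DENY` path, and nothing in this commit clears it, so it relies on the context being zeroed at allocation. Suggest `int is_default_policy; /* 1 once p_result was taken from the default compile rule; gates the repetitive-protocol DENY skip */`, and likewise a comment on `default_compile_switch`/`default_compile_id` in `_tsg_para` (hunk @@ -131) naming the `SYSTEM` keys `DEFAULT_POLICY_SWITCH`/`DEFAULT_POLICY_ID` they are loaded from. The field reorder in `master_context` (moving `domain_len`, `domain` and `result` below `basic_proto_id`) is layout-only and fine unless the struct is initialised positionally somewhere; worth a quick grep.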
|
||||||
|
|||||||
113
src/tsg_rule.cpp
113
src/tsg_rule.cpp
@@ -550,51 +550,65 @@ void security_compile_new(int idx, const struct Maat_rule_t* rule, const char* s
|
|||||||
cJSON *object=NULL, *item=NULL;
|
cJSON *object=NULL, *item=NULL;
|
||||||
struct compile_user_region *user_region=NULL;
|
struct compile_user_region *user_region=NULL;
|
||||||
|
|
||||||
if(rule!=NULL && srv_def_large!=NULL && strlen(srv_def_large)>2)
|
if(rule!=NULL)
|
||||||
{
|
{
|
||||||
object=cJSON_Parse(srv_def_large);
|
if(srv_def_large!=NULL && strlen(srv_def_large)>2)
|
||||||
if(object!=NULL)
|
|
||||||
{
|
{
|
||||||
user_region=(struct compile_user_region *)calloc(1, sizeof(struct compile_user_region));
|
object=cJSON_Parse(srv_def_large);
|
||||||
|
if(object!=NULL)
|
||||||
item=cJSON_GetObjectItem(object, "method");
|
{
|
||||||
if(item!=NULL)
|
user_region=(struct compile_user_region *)calloc(1, sizeof(struct compile_user_region));
|
||||||
{
|
atomic_inc(&user_region->ref_cnt);
|
||||||
len=MIN(strlen(item->valuestring), sizeof(user_region->method)-1);
|
|
||||||
memcpy(user_region->method, item->valuestring, len);
|
item=cJSON_GetObjectItem(object, "method");
|
||||||
|
if(item!=NULL)
|
||||||
|
{
|
||||||
|
len=MIN(strlen(item->valuestring), sizeof(user_region->method)-1);
|
||||||
|
memcpy(user_region->method, item->valuestring, len);
|
||||||
|
}
|
||||||
|
|
||||||
|
item=cJSON_GetObjectItem(object, "protocol");
|
||||||
|
if(item!=NULL)
|
||||||
|
{
|
||||||
|
len=MIN(strlen(item->valuestring), sizeof(user_region->protocol)-1);
|
||||||
|
memcpy(user_region->protocol, item->valuestring, len);
|
||||||
|
}
|
||||||
|
|
||||||
|
item=cJSON_GetObjectItem(object, "message");
|
||||||
|
if(item!=NULL)
|
||||||
|
{
|
||||||
|
len=strlen(item->valuestring)+1;
|
||||||
|
user_region->message=(char *)calloc(1, len);
|
||||||
|
memcpy(user_region->message, item->valuestring, len-1);
|
||||||
|
}
|
||||||
|
|
||||||
|
item=cJSON_GetObjectItem(object, "code");
|
||||||
|
if(item!=NULL)
|
||||||
|
{
|
||||||
|
user_region->code=item->valueint;
|
||||||
|
}
|
||||||
|
|
||||||
|
item=cJSON_GetObjectItem(object, "html_profile");
|
||||||
|
if(item!=NULL)
|
||||||
|
{
|
||||||
|
user_region->html_profile=item->valueint;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
item=cJSON_GetObjectItem(object, "protocol");
|
|
||||||
if(item!=NULL)
|
|
||||||
{
|
|
||||||
len=MIN(strlen(item->valuestring), sizeof(user_region->protocol)-1);
|
|
||||||
memcpy(user_region->protocol, item->valuestring, len);
|
|
||||||
}
|
|
||||||
|
|
||||||
item=cJSON_GetObjectItem(object, "message");
|
|
||||||
if(item!=NULL)
|
|
||||||
{
|
|
||||||
len=strlen(item->valuestring)+1;
|
|
||||||
user_region->message=(char *)calloc(1, len);
|
|
||||||
memcpy(user_region->message, item->valuestring, len-1);
|
|
||||||
}
|
|
||||||
|
|
||||||
item=cJSON_GetObjectItem(object, "code");
|
|
||||||
if(item!=NULL)
|
|
||||||
{
|
|
||||||
user_region->code=item->valueint;
|
|
||||||
}
|
|
||||||
|
|
||||||
item=cJSON_GetObjectItem(object, "html_profile");
|
|
||||||
if(item!=NULL)
|
|
||||||
{
|
|
||||||
user_region->html_profile=item->valueint;
|
|
||||||
}
|
|
||||||
|
|
||||||
atomic_inc(&user_region->ref_cnt);
|
|
||||||
|
|
||||||
*ad=(MAAT_RULE_EX_DATA)user_region;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if(g_tsg_para.default_compile_switch==1 && g_tsg_para.default_compile_id==rule->config_id)
|
||||||
|
{
|
||||||
|
if(user_region==NULL)
|
||||||
|
{
|
||||||
|
user_region=(struct compile_user_region *)calloc(1, sizeof(struct compile_user_region));
|
||||||
|
atomic_inc(&user_region->ref_cnt);
|
||||||
|
}
|
||||||
|
|
||||||
|
user_region->result=(struct Maat_rule_t *)calloc(1, sizeof(struct Maat_rule_t));
|
||||||
|
memcpy(user_region->result, rule, sizeof(struct Maat_rule_t));
|
||||||
|
}
|
||||||
|
|
||||||
|
*ad=(MAAT_RULE_EX_DATA)user_region;
|
||||||
}
|
}
|
||||||
|
|
||||||
return ;
|
return ;
|
||||||
@@ -616,11 +630,20 @@ void security_compile_free(int idx, const struct Maat_rule_t* rule, const char*
|
|||||||
if(user_region!=NULL)
|
if(user_region!=NULL)
|
||||||
{
|
{
|
||||||
atomic_dec(&user_region->ref_cnt);
|
atomic_dec(&user_region->ref_cnt);
|
||||||
if((user_region->ref_cnt-1)<=0)
|
if(user_region->ref_cnt<=0)
|
||||||
{
|
{
|
||||||
free(user_region->message);
|
if(user_region->message!=NULL)
|
||||||
user_region->message=NULL;
|
{
|
||||||
|
free(user_region->message);
|
||||||
|
user_region->message=NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
if(user_region->result!=NULL)
|
||||||
|
{
|
||||||
|
free(user_region->result);
|
||||||
|
user_region->result=NULL;
|
||||||
|
}
|
||||||
|
|
||||||
free(*ad);
|
free(*ad);
|
||||||
*ad=NULL;
|
*ad=NULL;
|
||||||
}
|
}
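Review bot: In `security_compile_free` (hunk @@ -616) the release test `if(user_region->ref_cnt<=0)` reads the counter with a plain load after `atomic_dec(&user_region->ref_cnt)`, so two threads releasing the same region concurrently (the entry functions now call this per flow via the new calls in hunks @@ -1148 and @@ -1267) can both observe a value at or below zero and both reach `free(*ad)` — a double free; the decision should come from the decrement itself (an atomic decrement-and-test, or the value returned by `atomic_dec` if it returns the new count), not from a separate read. In `security_compile_new` (hunk @@ -550) the three `calloc` results — `user_region` in both branches and `user_region->result` — are dereferenced immediately by `atomic_inc` and `memcpy` without a NULL check, and the same hunk calls `strlen(item->valuestring)` for the `method`/`protocol`/`message` items without confirming they are strings, so a numeric value under one of those keys in `srv_def_large` dereferences NULL; the rule text comes from the policy table and should be checked with `cJSON_IsString` (or `item->type`, whichever this cJSON version provides) before use. The `if(user_region->message!=NULL)` guard around `free` is redundant since `free(NULL)` is a no-op, though harmless. `security_compile_free`'s body starts outside the hunk.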