TSG-14946: 安全策略支持allow(deny)和monitor动作同时命中

This commit is contained in:
刘学利
2023-05-27 09:37:46 +00:00
parent bc7909e57b
commit 7abc576621
14 changed files with 183 additions and 299 deletions


@@ -184,4 +184,5 @@ const char *srt_process_context_get_domain(const struct session_runtime_process_
const char *srt_process_context_get_http_url(const struct session_runtime_process_context *srt_process_context);
const char *srt_process_context_get_quic_ua(const struct session_runtime_process_context *srt_process_context);
enum TSG_PROTOCOL srt_process_context_get_protocol(const struct session_runtime_process_context *srt_process_context);
unsigned char srt_process_context_get_hitted_allow_flag(const struct session_runtime_process_context *srt_process_context);
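Review bot: The new declaration `srt_process_context_get_hitted_allow_flag` carries no comment, and the NULL behaviour of its definition (returns `is_hitted_allow`, or 0 when the context pointer is NULL) is exactly what a caller of the header needs to know; add above it `/* 1 if an allow (bypass) rule was hit on this session, 0 otherwise or when srt_process_context is NULL. */`. The neighbouring getters are undocumented too, so this may simply be file convention, but the accessor is new public surface and is a cheap place to start.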


@@ -75,6 +75,8 @@ size_t tsg_matched_rules_select(struct maat *feather, TSG_SERVICE service, long
size_t tsg_scan_nesting_addr(const struct streaminfo *a_stream, struct maat *feather, enum TSG_PROTOCOL proto, struct maat_state *s_mid, struct maat_rule *rules, size_t n_rules);
size_t session_matched_rules_copy(const struct streaminfo *a_stream, enum TSG_SERVICE service, struct maat_rule *rules, size_t n_rules);
size_t tsg_select_rules_by_service_id(struct maat_rule *matched_rules, size_t n_matched_rules, struct maat_rule *rules, size_t n_rules, enum TSG_SERVICE service_id);
size_t tsg_select_rules_by_action(struct maat_rule *matched_rules, size_t n_matched_rules, struct maat_rule *rules, size_t n_rules, unsigned char action);
int tsg_get_fqdn_category_ids(struct maat *feather, char *fqdn, unsigned int *category_ids, int n_category_ids);
unsigned char tsg_enforing_deny(const struct streaminfo *a_stream, struct maat_rule *p_result, enum TSG_PROTOCOL protocol, enum ACTION_RETURN_TYPE type, const void *user_data);
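Review bot: `tsg_select_rules_by_action` takes its selector as `unsigned char action`, while the sibling declared one line above, `tsg_select_rules_by_service_id`, types its selector as `enum TSG_SERVICE service_id`; callers in this commit pass `TSG_ACTION_MONITOR`, so if the rule's action field is an enum, declaring the parameter with that enum type gives the same compile-time checking and consistency the service variant already has. A one-line comment stating that the function copies at most n_rules matching entries in order and returns the count copied would document the contract the definition implements.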


@@ -90,7 +90,7 @@ static int set_drop_stream(const struct streaminfo *a_stream, enum TSG_PROTOCOL
break;
}
return STATE_DROPME|STATE_DROPPKT;
return STATE_DROPME;
}
static int get_http_header(char *buff, int len, int code, char *user_define)
@@ -564,21 +564,24 @@ static unsigned char do_action_reset(const struct streaminfo *a_stream, struct m
set_drop_stream(a_stream, protocol);
}
return STATE_DROPPKT|STATE_DROPME;
return STATE_DROPME;
}
static unsigned char do_action_drop(const struct streaminfo *a_stream, struct maat_rule *p_result, struct compile_user_region *user_region, enum TSG_PROTOCOL protocol, const void *a_packet)
{
int opt_value=1;
switch(protocol)
{
{
case PROTO_DNS:
return STATE_GIVEME|STATE_DROPPKT;
MESA_set_stream_opt(a_stream, MSO_DROP_CURRENT_PKT, (void *)&opt_value, sizeof(opt_value));
return STATE_GIVEME;
default:
set_drop_stream(a_stream, protocol);
break;
}
return STATE_DROPME|STATE_DROPPKT;
return STATE_DROPME;
}
static unsigned char do_action_tamper(const struct streaminfo *a_stream, struct maat_rule *p_result, struct compile_user_region *user_region, enum TSG_PROTOCOL protocol, const void *user_data, enum ACTION_RETURN_TYPE type)
@@ -586,7 +589,7 @@ static unsigned char do_action_tamper(const struct streaminfo *a_stream, struct
if(g_tsg_para.feature_tamper==0)
{
do_action_drop(a_stream, p_result, user_region, protocol, user_data);
return STATE_DROPME|STATE_DROPPKT;
return STATE_DROPME;
}
struct session_runtime_action_context * _context=(struct session_runtime_action_context *)session_runtime_action_context_get(a_stream);
@@ -606,7 +609,9 @@ static unsigned char do_action_tamper(const struct streaminfo *a_stream, struct
if(ACTION_RETURN_TYPE_APP == type)
{
return STATE_GIVEME|STATE_DROPPKT|STATE_KILL_OTHER;
int opt_value=1;
MESA_set_stream_opt(a_stream, MSO_DROP_CURRENT_PKT, (void *)&opt_value, sizeof(opt_value));
return STATE_GIVEME;
}
if(a_stream->type == STREAM_TYPE_UDP)
@@ -614,16 +619,18 @@ static unsigned char do_action_tamper(const struct streaminfo *a_stream, struct
send_tamper_xxx(a_stream, &_context->tamper_count, user_data);
}
return STATE_DROPME|STATE_DROPPKT;
return STATE_DROPME;
}
static unsigned char do_action_default_xxx(const struct streaminfo *a_stream, struct maat_rule *p_result, struct compile_user_region *user_region, enum TSG_PROTOCOL protocol, const void *user_data)
{
int opt_value=1;
struct deny_user_region *deny_region=NULL;
if(user_region->session_para==NULL)
{
return STATE_DROPME|STATE_DROPPKT;
MESA_set_stream_opt(a_stream, MSO_DROP_CURRENT_PKT, (void *)&opt_value, sizeof(opt_value));
return STATE_DROPME;
}
switch(a_stream->type)
@@ -635,7 +642,8 @@ static unsigned char do_action_default_xxx(const struct streaminfo *a_stream, st
deny_region=&(user_region->session_para->udp);
break;
default:
return STATE_DROPME|STATE_DROPPKT;
MESA_set_stream_opt(a_stream, MSO_DROP_CURRENT_PKT, (void *)&opt_value, sizeof(opt_value));
return STATE_DROPME;
break;
}
@@ -656,7 +664,7 @@ static unsigned char do_action_default_xxx(const struct streaminfo *a_stream, st
break;
}
return STATE_DROPME|STATE_DROPPKT;
return STATE_DROPME;
}
static unsigned char do_action_ratelimit(const struct streaminfo *a_stream, struct maat_rule *p_result, struct compile_user_region *user_region, enum ACTION_RETURN_TYPE type)
@@ -677,15 +685,16 @@ static unsigned char do_action_ratelimit(const struct streaminfo *a_stream, stru
if(type==ACTION_RETURN_TYPE_APP)
{
return STATE_DROPME|STATE_KILL_OTHER;
return STATE_DROPME;
}
return STATE_GIVEME|STATE_KILL_OTHER;
return STATE_GIVEME;
}
static unsigned char do_action_block_sip(const struct streaminfo *a_stream, struct maat_rule *p_result, struct compile_user_region *user_region, const void *user_data)
{
int offset=0;
int opt_value=1;
char payload[1024]={0};
switch(user_region->deny->code)
{
@@ -700,14 +709,17 @@ static unsigned char do_action_block_sip(const struct streaminfo *a_stream, stru
memcpy(payload, "SIP/2.0 500 Server Internal Error\r\n", offset);
break;
default:
return STATE_DROPME|STATE_DROPPKT;
MESA_set_stream_opt(a_stream, MSO_DROP_CURRENT_PKT, (void *)&opt_value, sizeof(opt_value));
return STATE_DROPME;
}
memcpy(payload+offset, user_data, strlen((const char*)user_data));
unsigned char raw_route_dir=(a_stream->curdir==DIR_C2S) ? MESA_dir_reverse(a_stream->routedir) : a_stream->routedir;
tsg_send_inject_packet(a_stream, SIO_DEFAULT, payload, strlen(payload), raw_route_dir);
return STATE_DROPME|STATE_DROPPKT;
MESA_set_stream_opt(a_stream, MSO_DROP_CURRENT_PKT, (void *)&opt_value, sizeof(opt_value));
return STATE_DROPME;
}
static unsigned char do_action_block_mail(const struct streaminfo *a_stream, struct maat_rule *p_result, struct compile_user_region *user_region)
@@ -732,7 +744,10 @@ static unsigned char do_action_block_mail(const struct streaminfo *a_stream, str
tsg_send_inject_packet(a_stream, SIO_DEFAULT, payload, strlen(payload), raw_route_dir);
}
return STATE_DROPME|STATE_DROPPKT;
int opt_value=1;
MESA_set_stream_opt(a_stream, MSO_DROP_CURRENT_PKT, (void *)&opt_value, sizeof(opt_value));
return STATE_DROPME;
}
static unsigned char do_action_block_http(const struct streaminfo *a_stream, struct maat_rule *p_result, struct compile_user_region *user_region, const void *a_packet)
@@ -759,7 +774,10 @@ static unsigned char do_action_block_http(const struct streaminfo *a_stream, str
MESA_set_stream_opt(a_stream, MSO_TCP_RST_REMEDY, (void *)&opt_value, sizeof(opt_value));
}
return STATE_DROPME|STATE_DROPPKT;
opt_value=1;
MESA_set_stream_opt(a_stream, MSO_DROP_CURRENT_PKT, (void *)&opt_value, sizeof(opt_value));
return STATE_DROPME;
}
static unsigned char do_action_block_xxx(const struct streaminfo *a_stream, struct maat_rule *p_result, struct compile_user_region *user_region, enum TSG_PROTOCOL protocol, const void *user_data)
@@ -789,11 +807,12 @@ static unsigned char do_action_block_xxx(const struct streaminfo *a_stream, stru
set_drop_stream(a_stream, protocol);
return STATE_DROPME|STATE_DROPPKT;
return STATE_DROPME;
}
static unsigned char do_action_redirect_http(const struct streaminfo *a_stream, struct maat_rule *p_result, struct compile_user_region *user_region)
{
int opt_value=1;
int used_http_hdr_len=0;
char http_hdr[1024]={0};
unsigned char raw_route_dir=0;
@@ -805,14 +824,17 @@ static unsigned char do_action_redirect_http(const struct streaminfo *a_stream,
used_http_hdr_len=http_get_redirect_url(a_stream, p_result, user_region->deny->redirect_url_to, user_region->deny->code, http_hdr, sizeof(http_hdr));
break;
default:
return STATE_DROPME|STATE_DROPPKT;
MESA_set_stream_opt(a_stream, MSO_DROP_CURRENT_PKT, (void *)&opt_value, sizeof(opt_value));
return STATE_DROPME;
break;
}
raw_route_dir=(a_stream->curdir==DIR_C2S) ? MESA_dir_reverse(a_stream->routedir) : a_stream->routedir;
tsg_send_inject_packet( a_stream, SIO_DEFAULT, http_hdr, used_http_hdr_len, raw_route_dir);
return STATE_DROPME|STATE_DROPPKT;
MESA_set_stream_opt(a_stream, MSO_DROP_CURRENT_PKT, (void *)&opt_value, sizeof(opt_value));
return STATE_DROPME;
}
static unsigned char do_action_redirect_xxx(const struct streaminfo *a_stream, struct maat_rule *p_result, struct compile_user_region *user_region, enum TSG_PROTOCOL protocol, const void *user_data)
@@ -835,7 +857,7 @@ static unsigned char do_action_redirect_xxx(const struct streaminfo *a_stream, s
break;
}
return STATE_DROPME|STATE_DROPPKT;
return STATE_DROPME;
}
static unsigned char tsg_do_deny_action(const struct streaminfo *a_stream, struct compile_user_region *user_region, struct maat_rule *p_result, enum TSG_PROTOCOL protocol, enum ACTION_RETURN_TYPE type, const void *user_data)
@@ -926,7 +948,6 @@ static unsigned char tsg_do_deny_action(const struct streaminfo *a_stream, struc
state|=((type==ACTION_RETURN_TYPE_PROT) ? (local_state&STATE_DROPME ? PROT_STATE_DROPME : 0) : (local_state&STATE_DROPME ? APP_STATE_DROPME : 0));
state|=((type==ACTION_RETURN_TYPE_PROT) ? (local_state&STATE_GIVEME ? PROT_STATE_GIVEME: 0) : 0);
//state|=((type==ACTION_RETURN_TYPE_PROT) ? (local_state&STATE_GIVEME ? PROT_STATE_GIVEME: 0) : (local_state&STATE_GIVEME ? APP_STATE_GIVEME: 0));
state|=((type==ACTION_RETURN_TYPE_PROT) ? (local_state&STATE_DROPPKT ? PROT_STATE_DROPPKT : 0) : (local_state&STATE_DROPPKT ? APP_STATE_DROPPKT: 0));
state|=((type==ACTION_RETURN_TYPE_PROT) ? (0) : (local_state&STATE_KILL_OTHER ? APP_STATE_KILL_OTHER : 0));
return state;
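Review bot: None of the new `MESA_set_stream_opt(a_stream, MSO_DROP_CURRENT_PKT, ...)` calls (in do_action_drop, do_action_tamper, do_action_default_xxx, do_action_block_sip, do_action_block_mail, do_action_block_http and do_action_redirect_http) checks the return value, so if setting the option fails the function still returns STATE_GIVEME or STATE_DROPME and the packet is presumably forwarded with no trace, whereas before this change the drop travelled in the returned STATE_DROPPKT bit and was mapped by tsg_do_deny_action. A small `static` helper that performs the call and logs a failure would turn ten unchecked sites into one audit point; whether the call can fail at all depends on MESA_set_stream_opt's contract, which is not visible here. The `state|=... PROT_STATE_DROPPKT ... APP_STATE_DROPPKT ...` line in tsg_do_deny_action survives while no action function in these hunks returns STATE_DROPPKT any more; if no other caller does, it is dead and should go the way of the STATE_KILL_OTHER line. Several paths (set_drop_stream, do_action_reset and the tails of do_action_tamper, do_action_default_xxx, do_action_block_xxx and do_action_redirect_xxx) lose the DROPPKT bit without gaining the option call, which is only equivalent if set_drop_stream already discards the current packet — worth confirming.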


@@ -109,12 +109,6 @@ void session_runtime_process_context_free(const struct streaminfo *a_stream, int
srt_process_context->mid=NULL;
}
if(srt_process_context->hited_result!=NULL)
{
dictator_free(a_stream->threadnum, (void *)srt_process_context->hited_result);
srt_process_context->hited_result=NULL;
}
dictator_free(a_stream->threadnum, (void *)srt_process_context);
srt_process_context=NULL;
}
@@ -561,6 +555,16 @@ const char *srt_process_context_get_quic_ua(const struct session_runtime_process
return NULL;
}
unsigned char srt_process_context_get_hitted_allow_flag(const struct session_runtime_process_context *srt_process_context)
{
if(srt_process_context!=NULL)
{
return srt_process_context->is_hitted_allow;
}
return 0;
}
int session_runtime_action_context_async(const struct streaminfo *a_stream, void *data)
{
return session_async_bridge_set_data(a_stream, g_tm_bridge_para[BRIDGE_TYPE_SESSION_ACTION_CONTEXT].id, data);
@@ -900,16 +904,6 @@ void session_matched_rules_notify(const struct streaminfo *a_stream, TSG_SERVICE
}
}
if(rules[0].action<matched_policy->rules[0].action)
{
return ;
}
if(rules[0].action>matched_policy->rules[0].action)
{
matched_policy->n_rules=0;
}
size_t num=MIN(MAX_RESULT_NUM-matched_policy->n_rules, n_rules);
for(size_t i=0; i<num; i++)
{
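Review bot: `srt_process_context_get_hitted_allow_flag` returns 0 both when the flag is clear and when the context pointer is NULL, so a caller cannot tell "not allowed" from "no context yet"; that is a reasonable choice for a flag but should be stated on the definition, e.g. `/* Returns is_hitted_allow, or 0 when srt_process_context is NULL. */`. On naming: the commit renames `is_hited_allow` to `is_hitted_allow`, but the past participle of "hit" is "hit", so a name such as `is_allow_hit` would avoid carrying the misspelling into the new public accessor while the rename is already being made. In session_matched_rules_notify the action-precedence early return and the reset of `matched_policy->n_rules` appear to be removed, which is what lets allow and monitor rules coexist; the remaining `MIN(MAX_RESULT_NUM-matched_policy->n_rules, n_rules)` bound means later notifications are silently truncated once the array fills, which may deserve a debug log since monitor results would then be dropped without any signal.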


@@ -65,7 +65,7 @@ struct hited_app_para
struct session_runtime_process_context
{
unsigned char is_esni;
unsigned char is_hited_allow;
unsigned char is_hitted_allow;
unsigned char deal_pkt_num;
unsigned char is_app_link;
unsigned char sync_cb_state;
@@ -92,7 +92,6 @@ struct session_runtime_process_context
struct maat_state *mid;
struct hited_app_para hited_para; // l7 protocol and app
long long last_scan_time;
struct maat_rule *hited_result;
};
struct session_runtime_action_context
@@ -195,3 +194,6 @@ int srt_action_context_set_hitted_app_id(const struct streaminfo * a_stream, int
char srt_action_context_get_direction(const struct streaminfo * a_stream);
const struct session_runtime_process_context *session_runtime_process_context_new(const struct streaminfo * a_stream);


@@ -219,6 +219,7 @@ static int dns_set_answer_records(char *payload, int payload_len, struct dns_ans
unsigned char do_action_redirect_dns(const struct streaminfo *a_stream, struct maat_rule *p_result, struct compile_user_region *user_region, const void *user_data)
{
int opt_value=0;
int ret=0,used_len=0,record_num=0;
unsigned char raw_route_dir=0;
char payload[1024]={0};
@@ -247,7 +248,8 @@ unsigned char do_action_redirect_dns(const struct streaminfo *a_stream, struct m
ret=dns_set_response_question(payload+used_len, payload_len-used_len, &(dns_info->query_question));
if(ret==-1)
{
return STATE_GIVEME|STATE_DROPPKT;
MESA_set_stream_opt(a_stream, MSO_DROP_CURRENT_PKT, (void *)&opt_value, sizeof(opt_value));
return STATE_GIVEME;
}
used_len+=ret;
@@ -263,6 +265,8 @@ unsigned char do_action_redirect_dns(const struct streaminfo *a_stream, struct m
raw_route_dir=(dns_info->hdr_info.qr==0) ? MESA_dir_reverse(a_stream->routedir) : a_stream->routedir;
tsg_send_inject_packet(a_stream, SIO_DEFAULT, payload, used_len, raw_route_dir);
return STATE_GIVEME|STATE_DROPPKT;
MESA_set_stream_opt(a_stream, MSO_DROP_CURRENT_PKT, (void *)&opt_value, sizeof(opt_value));
return STATE_GIVEME;
}
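Review bot: In do_action_redirect_dns the new `int opt_value=0;` is what gets passed to every `MESA_set_stream_opt(a_stream, MSO_DROP_CURRENT_PKT, ...)` call in this function, whereas every other site in this commit (do_action_drop, do_action_block_sip/mail/http, do_action_redirect_http, send_icmp_unreachable) initialises `int opt_value=1;`. If MSO_DROP_CURRENT_PKT is a boolean option, this path clears the drop flag instead of setting it, so the original DNS query — whose spoofed answer has just been injected — is forwarded as well, both on the dns_set_response_question error path and after tsg_send_inject_packet; the packet used to be discarded through the STATE_DROPPKT return bit. The line should read `int opt_value=1;`, matching the other call sites.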


@@ -32,6 +32,7 @@
#include "tsg_protocol_common.h"
#include "tsg_sync_state.h"
#include "tsg_proxy.h"
#include "tsg_bridge.h"
#ifdef __cplusplus
extern "C"
@@ -182,14 +183,6 @@ static int init_fs2_handle(const char *conffile)
return 0;
}
static int init_context(void **pme, int thread_seq)
{
*pme=dictator_malloc(thread_seq, sizeof(struct session_runtime_process_context));
memset(*pme, 0, sizeof(struct session_runtime_process_context));
return 0;
}
static int tsg_get_sn(char *filename, char *device_sn, int device_sn_len)
{
int flags=0;
@@ -1036,127 +1029,6 @@ int session_state_sync_in_activing(const struct streaminfo *a_stream, TSG_SERVIC
return 1;
}
static int session_runtime_process_log_send(const struct streaminfo *a_stream, struct maat_rule *rules, int n_rules, struct session_runtime_process_context *srt_process_context, int thread_seq)
{
char *domain_field_name=NULL;
char *schema_field_name=NULL;
char *quic_ua_field_name=NULL;
char *quic_version_field_name=NULL;
struct TLD_handle_t *TLD_handle=NULL;
enum TSG_PROTOCOL proto=PROTO_UNKONWN;
struct tsg_conn_sketch_notify_data *notify=NULL;
if(srt_process_context!=NULL)
{
proto=srt_process_context->proto;
}
if(rules[0].action==TSG_ACTION_MONITOR)
{
switch(proto)
{
case PROTO_SSH:
case PROTO_RDP:
case PROTO_STRATUM:
notify=(struct tsg_conn_sketch_notify_data *)session_conn_sketch_notify_data_get(a_stream);
if (notify != NULL && notify->pdata.TLD_handle!=NULL && (notify->protocol== PROTO_SSH || notify->protocol== PROTO_STRATUM || notify->protocol== PROTO_RDP))
{
TLD_handle = TLD_duplicate(notify->pdata.TLD_handle);
if (TLD_handle!=NULL)
{
tsg_send_log(g_tsg_log_instance, TLD_handle, a_stream, LOG_TYPE_SECURITY_EVENT, rules, n_rules, thread_seq);
return 1;
}
}
break;
default:
break;
}
}
TLD_handle=TLD_create(thread_seq);
schema_field_name=log_field_id2name(g_tsg_log_instance, LOG_COMMON_SCHAME_TYPE);
if(proto>PROTO_UNKONWN && proto<PROTO_MAX)
{
if(proto==PROTO_IMAP || proto==PROTO_SMTP || proto==PROTO_POP3)
{
TLD_append(TLD_handle, schema_field_name, (void *)g_tsg_proto_name2id[PROTO_MAIL].name, TLD_TYPE_STRING);
TLD_append(TLD_handle, (char *)"mail_protocol_type", (void *)g_tsg_proto_name2id[proto].name, TLD_TYPE_STRING);
}
else
{
TLD_append(TLD_handle, schema_field_name, (void *)g_tsg_proto_name2id[proto].name, TLD_TYPE_STRING);
}
if(proto==PROTO_HTTP)
{
TLD_append(TLD_handle, (char *)"http_version", (void *)"http1", TLD_TYPE_STRING);
TLD_append(TLD_handle, (char *)"http_sequence", (void *)1, TLD_TYPE_LONG);
}
if(srt_process_context!=NULL && srt_process_context->domain!=NULL)
{
switch(proto)
{
case PROTO_HTTP:
domain_field_name=log_field_id2name(g_tsg_log_instance, LOG_HTTP_HOST);
TLD_append(TLD_handle, domain_field_name, (void *)srt_process_context->domain, TLD_TYPE_STRING);
if(srt_process_context->http_url!=NULL)
{
domain_field_name=log_field_id2name(g_tsg_log_instance, LOG_HTTP_URL);
TLD_append(TLD_handle, domain_field_name, (void *)srt_process_context->http_url, TLD_TYPE_STRING);
}
break;
case PROTO_SSL:
domain_field_name=log_field_id2name(g_tsg_log_instance, LOG_SSL_SNI);
TLD_append(TLD_handle, domain_field_name, (void *)srt_process_context->domain, TLD_TYPE_STRING);
break;
case PROTO_QUIC:
domain_field_name=log_field_id2name(g_tsg_log_instance, LOG_QUIC_SNI);
TLD_append(TLD_handle, domain_field_name, (void *)srt_process_context->domain, TLD_TYPE_STRING);
break;
case PROTO_DTLS:
domain_field_name=log_field_id2name(g_tsg_log_instance, LOG_DTLS_SNI);
TLD_append(TLD_handle, domain_field_name, (void *)srt_process_context->domain, TLD_TYPE_STRING);
break;
default:
break;
}
}
if(srt_process_context!=NULL && srt_process_context->quic_version>0)
{
char quic_version[64]={0};
if(quic_version_int2string(srt_process_context->quic_version, quic_version, sizeof(quic_version)))
{
quic_version_field_name=log_field_id2name(g_tsg_log_instance, LOG_QUIC_VERSION);
TLD_append(TLD_handle, quic_version_field_name, (void *)quic_version, TLD_TYPE_STRING);
}
if(srt_process_context->quic_ua!=NULL)
{
quic_ua_field_name=log_field_id2name(g_tsg_log_instance, LOG_QUIC_USER_AGENT);
TLD_append(TLD_handle, quic_ua_field_name, (void *)srt_process_context->quic_ua, TLD_TYPE_STRING);
}
}
}
else
{
TLD_append(TLD_handle, schema_field_name, (void *)g_tsg_proto_name2id[PROTO_APP].name, TLD_TYPE_STRING);
}
if(srt_process_context!=NULL && srt_process_context->hited_app_id>0)
{
session_app_gather_results_update_matched_app_id(a_stream, srt_process_context->hited_app_id);
}
tsg_send_log(g_tsg_log_instance, TLD_handle, a_stream, LOG_TYPE_SECURITY_EVENT, rules, n_rules, thread_seq);
return 1;
}
static char session_tcp_establish_latency_ms_set(const struct streaminfo *a_tcp, int thread_seq,const void *ip_hdr)
{
struct tcphdr *tcp=NULL;
@@ -1506,6 +1378,7 @@ static unsigned char matched_security_rules_deal(const struct streaminfo *a_stre
struct maat_rule *p_rule=matched_rules_decision_criteria(security_rules, n_security_rules);
if(p_rule->action==TSG_ACTION_SHUNT)
{
tsg_set_policy_flow(a_stream, p_rule, a_stream->threadnum);
srt_action_context_set_rule_method(a_stream, TSG_METHOD_TYPE_SHUNT, a_stream->threadnum);
return APP_STATE_DROPME|APP_STATE_KILL_OTHER;
}
@@ -1542,34 +1415,32 @@ static unsigned char matched_security_rules_deal(const struct streaminfo *a_stre
}
}
if(srt_process_context->hited_result==NULL)
if(srt_process_context->proto==PROTO_HTTP || srt_process_context->proto==PROTO_SSL)
{
srt_process_context->hited_result=(struct maat_rule *)dictator_malloc(1, sizeof(struct maat_rule));
memcpy(srt_process_context->hited_result, p_rule, sizeof(struct maat_rule));
}
break;
case TSG_ACTION_MONITOR:
if(srt_process_context->proto==PROTO_RTP)
{
break;
state|=APP_STATE_KILL_OTHER;
}
session_packet_capture_by_rules_notify(a_stream, security_rules, n_security_rules, a_stream->threadnum);
session_matched_rules_notify(a_stream, TSG_SERVICE_SECURITY, security_rules, n_security_rules, a_stream->threadnum);
session_matched_rules_notify(a_stream, TSG_SERVICE_SECURITY, p_rule, 1, a_stream->threadnum);
break;
case TSG_ACTION_BYPASS:
srt_process_context->is_hited_allow=1;
srt_process_context->hited_result=(struct maat_rule *)dictator_malloc(1, sizeof(struct maat_rule));
memcpy(srt_process_context->hited_result, p_rule, sizeof(struct maat_rule));
FS_operate(g_tsg_para.fs2_handle, g_tsg_para.fs2_field_id[TSG_FS2_BYPASS], 0, FS_OP_ADD, 1);
state=APP_STATE_GIVEME|APP_STATE_KILL_FOLLOW;
srt_process_context->is_hitted_allow=1;
session_matched_rules_notify(a_stream, TSG_SERVICE_SECURITY, p_rule, 1, a_stream->threadnum);
FS_operate(g_tsg_para.fs2_handle, g_tsg_para.fs2_field_id[TSG_FS2_BYPASS], 0, FS_OP_ADD, 1);
srt_action_context_set_rule_method(a_stream, TSG_METHOD_TYPE_ALLOW, a_stream->threadnum);
break;
default:
break;
}
struct maat_rule monitor_rules[MAX_RESULT_NUM]={0};
size_t n_monitor_rules=tsg_select_rules_by_action(security_rules, n_security_rules, monitor_rules, MAX_RESULT_NUM, TSG_ACTION_MONITOR);
if(n_monitor_rules>0)
{
session_packet_capture_by_rules_notify(a_stream, monitor_rules, n_monitor_rules, a_stream->threadnum);
session_matched_rules_notify(a_stream, TSG_SERVICE_SECURITY, monitor_rules, n_monitor_rules, a_stream->threadnum);
}
return state;
}
@@ -1647,8 +1518,7 @@ int session_app_identify_result_cb(const struct streaminfo *a_stream, int bridge
struct session_runtime_process_context *srt_process_context=(struct session_runtime_process_context *)session_runtime_process_context_get(a_stream);
if(srt_process_context==NULL)
{
init_context((void **)(&srt_process_context), a_stream->threadnum);
session_runtime_process_context_async(a_stream, (void *)srt_process_context);
srt_process_context=(struct session_runtime_process_context *)session_runtime_process_context_new(a_stream);
}
struct gather_app_result *gather_result=(struct gather_app_result *)session_gather_app_results_get(a_stream);
@@ -1715,8 +1585,7 @@ int session_flags_identify_result_cb(const struct streaminfo *a_stream, int brid
struct session_runtime_process_context *srt_process_context=(struct session_runtime_process_context *)session_runtime_process_context_get(a_stream);
if(srt_process_context==NULL)
{
init_context((void **)(&srt_process_context), a_stream->threadnum);
session_runtime_process_context_async(a_stream, (void *)srt_process_context);
srt_process_context=(struct session_runtime_process_context *)session_runtime_process_context_new(a_stream);
}
srt_process_context->session_flag=*(unsigned long *)(data);
@@ -1820,9 +1689,8 @@ static unsigned char tsg_master_data_entry(const struct streaminfo *a_stream, vo
srt_process_context=(struct session_runtime_process_context *)session_runtime_process_context_get(a_stream);
if(srt_process_context==NULL)
{
init_context(pme, thread_seq);
srt_process_context=(struct session_runtime_process_context *)*pme;
session_runtime_process_context_async(a_stream, *pme);
srt_process_context=(struct session_runtime_process_context *)session_runtime_process_context_new(a_stream);
*pme=(void *)srt_process_context;
}
else
{
@@ -1871,9 +1739,9 @@ static unsigned char tsg_master_data_entry(const struct streaminfo *a_stream, vo
session_app_identify_result_cb(a_stream, 0, (void *)&unknown_result);
}
if(srt_process_context->is_hited_allow)
if(srt_process_context->is_hitted_allow)
{
state=APP_STATE_KILL_OTHER|APP_STATE_GIVEME;
state=APP_STATE_GIVEME;
break;
}
@@ -1924,10 +1792,6 @@ static unsigned char tsg_master_data_entry(const struct streaminfo *a_stream, vo
if((a_stream->opstate==OP_STATE_CLOSE) || (state&APP_STATE_DROPME)==APP_STATE_DROPME)
{
if(srt_process_context->hited_result)
{
session_runtime_process_log_send(a_stream, srt_process_context->hited_result, 1, srt_process_context, thread_seq);
}
*pme=NULL;
}
@@ -1938,11 +1802,10 @@ static unsigned char tsg_master_all_entry(const struct streaminfo *a_stream, uns
{
int ret=0;
int eth_rawpkt_len=0;
struct maat_rule *p_result=NULL;
unsigned char state=APP_STATE_GIVEME;
struct maat_rule matched_rules[MAX_TSG_ALL_RESULT_NUM]={0};
struct maat_rule security_results[MAX_RESULT_NUM]={0};
struct maat_rule shaping_results[MAX_RESULT_NUM]={0};
struct maat_rule security_rules[MAX_RESULT_NUM]={0};
struct maat_rule shaping_rules[MAX_RESULT_NUM]={0};
struct session_runtime_action_context *srt_action_context=(struct session_runtime_action_context *)(*pme);
if(stream_state==OP_STATE_PENDING && srt_action_context->method_type!=TSG_METHOD_TYPE_SHUNT && !(srt_action_context->udp_data_dropme))
@@ -1953,41 +1816,28 @@ static unsigned char tsg_master_all_entry(const struct streaminfo *a_stream, uns
srt_action_context->default_policy_after_n_packets=get_default_para(a_stream);
}
struct maat_state *scan_mid=maat_state_new(g_tsg_maat_feather, thread_seq);
int hit_num=tsg_scan_nesting_addr(a_stream, g_tsg_maat_feather, PROTO_UNKONWN, scan_mid, matched_rules, MAX_TSG_ALL_RESULT_NUM);
if(hit_num>0)
{
int security_result_num = tsg_select_rules_by_service_id(matched_rules, hit_num, security_results, MAX_RESULT_NUM, TSG_SERVICE_SECURITY);
p_result=matched_rules_decision_criteria(security_results, security_result_num);
if(p_result!=NULL)
int n_security_rules=tsg_select_rules_by_service_id(matched_rules, hit_num, security_rules, MAX_RESULT_NUM, TSG_SERVICE_SECURITY);
if(n_security_rules>0)
{
switch(p_result->action)
{
case TSG_ACTION_DENY:
state=tsg_enforing_deny(a_stream, p_result, PROTO_UNKONWN, ACTION_RETURN_TYPE_TCPALL, a_packet);
session_runtime_process_log_send(a_stream, p_result, 1, NULL, thread_seq);
break;
case TSG_ACTION_MONITOR:
session_packet_capture_by_rules_notify(a_stream, security_results, hit_num, thread_seq);
session_matched_rules_notify(a_stream, TSG_SERVICE_SECURITY, security_results, security_result_num,thread_seq);
break;
default:
break;
}
struct session_runtime_process_context *srt_process_context=(struct session_runtime_process_context *)session_runtime_process_context_new(a_stream);
state=matched_security_rules_deal(a_stream, srt_process_context, security_rules, n_security_rules, a_packet, thread_seq);
}
struct maat_rule s_chaining_result[MAX_RESULT_NUM]={0};
size_t n_s_chaining_results=tsg_select_rules_by_service_id(matched_rules, hit_num, s_chaining_result, MAX_RESULT_NUM, TSG_SERVICE_CHAINING);
if(state==APP_STATE_GIVEME && n_s_chaining_results>0)
struct maat_rule s_chaining_rules[MAX_RESULT_NUM]={0};
size_t n_s_chaining_rules=tsg_select_rules_by_service_id(matched_rules, hit_num, s_chaining_rules, MAX_RESULT_NUM, TSG_SERVICE_CHAINING);
if(state==APP_STATE_GIVEME && n_s_chaining_rules>0)
{
matched_service_chaining_rules_deal(a_stream, s_chaining_result, n_s_chaining_results, thread_seq);
matched_service_chaining_rules_deal(a_stream, s_chaining_rules, n_s_chaining_rules, thread_seq);
}
size_t n_shaping_results=tsg_select_rules_by_service_id(matched_rules, hit_num, shaping_results, MAX_RESULT_NUM, TSG_SERVICE_SHAPING);
if(state==APP_STATE_GIVEME && n_shaping_results>0)
size_t n_shaping_rules=tsg_select_rules_by_service_id(matched_rules, hit_num, shaping_rules, MAX_RESULT_NUM, TSG_SERVICE_SHAPING);
if(state==APP_STATE_GIVEME && n_shaping_rules>0)
{
matched_shaping_rules_deal(a_stream, shaping_results, n_shaping_results, thread_seq);
matched_shaping_rules_deal(a_stream, shaping_rules, n_shaping_rules, thread_seq);
}
}
@@ -2022,10 +1872,10 @@ static unsigned char tsg_master_all_entry(const struct streaminfo *a_stream, uns
break;
}
if(get_default_policy(&security_results[0]))
if(get_default_policy(&security_rules[0]))
{
state=tsg_enforing_deny(a_stream, &security_results[0], PROTO_UNKONWN, ACTION_RETURN_TYPE_TCPALL, a_packet);
session_runtime_process_log_send(a_stream, &security_results[0], 1, NULL, thread_seq);
state=tsg_enforing_deny(a_stream, &security_rules[0], PROTO_UNKONWN, ACTION_RETURN_TYPE_TCPALL, a_packet);
session_matched_rules_notify(a_stream, TSG_SERVICE_SECURITY, &security_rules[0], 1, thread_seq);
}
break;
case TSG_METHOD_TYPE_DROP:
@@ -2038,20 +1888,20 @@ static unsigned char tsg_master_all_entry(const struct streaminfo *a_stream, uns
srt_action_context->hited_para.after_n_packets--;
break;
}
ret=session_matched_rules_copy(a_stream, TSG_SERVICE_SECURITY, &(security_results[0]), 1);
ret=session_matched_rules_copy(a_stream, TSG_SERVICE_SECURITY, &(security_rules[0]), 1);
//ret=tsg_pull_policy_result((struct streaminfo *)a_stream,PULL_FW_RESULT, &security_result[0], 1, &tmp_identify_info);
if(ret<=0 || security_results[0].action!=TSG_ACTION_DENY)
if(ret<=0 || security_rules[0].action!=TSG_ACTION_DENY)
{
break;
}
if(srt_action_context->hited_para.hited_app_id<=0)
{
state=tsg_enforing_deny(a_stream, &(security_results[0]), srt_action_context->protocol, ACTION_RETURN_TYPE_TCPALL, a_packet);
state=tsg_enforing_deny(a_stream, &(security_rules[0]), srt_action_context->protocol, ACTION_RETURN_TYPE_TCPALL, a_packet);
}
else
{
state=tsg_enforing_deny_application(a_stream, &(security_results[0]), srt_action_context->protocol, srt_action_context->hited_para.hited_app_id, ACTION_RETURN_TYPE_TCPALL, a_packet);
state=tsg_enforing_deny_application(a_stream, &(security_rules[0]), srt_action_context->protocol, srt_action_context->hited_para.hited_app_id, ACTION_RETURN_TYPE_TCPALL, a_packet);
}
break;
case TSG_METHOD_TYPE_SHUNT:
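Review bot: In tsg_master_all_entry, `session_runtime_process_context_new(a_stream)` is now called unconditionally whenever security rules match, without first trying `session_runtime_process_context_get` the way tsg_master_data_entry does a few hunks above; if `_new` allocates and registers a fresh context on each call (the removed init_context did a dictator_malloc per call), a stream that reaches this path more than once acquires a new context every time, which is either a per-flow leak or an overwrite of state such as `is_hitted_allow` that the later allow/deny decision reads. The result is also never checked for NULL before matched_security_rules_deal dereferences `srt_process_context->proto`, and the same unchecked pattern appears in session_app_identify_result_cb, session_flags_identify_result_cb and tsg_master_data_entry, where `srt_process_context->session_flag=...` follows immediately. Suggest the data-entry shape here: call `session_runtime_process_context_get(a_stream)` first, fall back to `_new` only on NULL, and guard the deal with `if(srt_process_context!=NULL)`; the enclosing function continues past the hunk. Separately, `_new` is declared to return a `const struct session_runtime_process_context *` that every caller immediately casts away, so the qualifier documents nothing and could be dropped from the declaration.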


@@ -306,48 +306,41 @@ static void format_icmp(const char *raw_pkt, char *icmp_buf, int *icmp_len, int
unsigned char send_icmp_unreachable(const struct streaminfo *a_stream)
{
char icmp_buf[ICMP_MAX_LEN] = {0};
char debug_buf[512] = {0};
int icmp_len = 0;
int get_rawpkt_ret = 0;
void *raw_pkt = NULL;
char icmp_buf[ICMP_MAX_LEN] = {0};
int icmp_len = 0;
int get_rawpkt_ret = 0;
void *raw_pkt = NULL;
int opt_value=1;
if(a_stream==NULL){
MESA_handle_runtime_log(g_tsg_para.logger,
RLOG_LV_DEBUG,
__FUNCTION__,
"a_stream is NULL");
return STATE_DROPPKT;
}
if(a_stream==NULL)
{
MESA_handle_runtime_log(g_tsg_para.logger, RLOG_LV_DEBUG, __FUNCTION__, "a_stream is NULL");
MESA_set_stream_opt(a_stream, MSO_DROP_CURRENT_PKT, (void *)&opt_value, sizeof(opt_value));
return STATE_GIVEME;
}
get_rawpkt_ret = get_rawpkt_opt_from_streaminfo(a_stream, RAW_PKT_GET_DATA, &raw_pkt);
MESA_handle_runtime_log(g_tsg_para.logger,
RLOG_LV_DEBUG,
__FUNCTION__,
"get_raw_opt_from_streaminfo() get_rawpkt_ret = %d", get_rawpkt_ret);
if(0==get_rawpkt_ret && NULL!=raw_pkt){
//(struct mesa_ethernet_hdr *)raw_pkt_data;
format_icmp((char *)raw_pkt+ETHERNET_BYTE_LEN, icmp_buf, &icmp_len, a_stream->addr.addrtype);
}else if(1==get_rawpkt_ret && NULL!=raw_pkt){
//(raw_ipfrag_list_t *)raw_pkt_data;
//format_icmp((char *)(((raw_ipfrag_list_t *)raw_pkt)->frag_packet)+ETHERNET_BYTE_LEN, icmp_buf, &icmp_len, a_stream->addr.addrtype);
return STATE_DROPPKT;
}else{
//error
return STATE_DROPPKT;
}
get_rawpkt_ret = get_rawpkt_opt_from_streaminfo(a_stream, RAW_PKT_GET_DATA, &raw_pkt);
MESA_handle_runtime_log(g_tsg_para.logger, RLOG_LV_DEBUG, __FUNCTION__, "get_raw_opt_from_streaminfo() get_rawpkt_ret = %d", get_rawpkt_ret);
if(0==get_rawpkt_ret && NULL!=raw_pkt)
{
format_icmp((char *)raw_pkt+ETHERNET_BYTE_LEN, icmp_buf, &icmp_len, a_stream->addr.addrtype);
}
else if(1==get_rawpkt_ret && NULL!=raw_pkt)
{
MESA_set_stream_opt(a_stream, MSO_DROP_CURRENT_PKT, (void *)&opt_value, sizeof(opt_value));
return STATE_GIVEME;
}
else
{
//error
MESA_set_stream_opt(a_stream, MSO_DROP_CURRENT_PKT, (void *)&opt_value, sizeof(opt_value));
return STATE_GIVEME;
}
if(0 == tsg_send_inject_packet(a_stream, SIO_EXCLUDE_THIS_LAYER_HDR, icmp_buf, icmp_len, MESA_dir_reverse(a_stream->routedir))){
sprintf(debug_buf, "Addr: %s, send sucess, get_rawpkt_ret %d, icmp_buf %p, icmp_len %d", PRINTADDR(a_stream, g_tsg_para.level), get_rawpkt_ret, icmp_buf, icmp_len);
}else{
sprintf(debug_buf, "Addr: %s, send failed, get_rawpkt_ret %d, icmp_buf %p, icmp_len %d", PRINTADDR(a_stream, g_tsg_para.level), get_rawpkt_ret, icmp_buf, icmp_len);
}
tsg_send_inject_packet(a_stream, SIO_EXCLUDE_THIS_LAYER_HDR, icmp_buf, icmp_len, MESA_dir_reverse(a_stream->routedir));
MESA_handle_runtime_log(g_tsg_para.logger,
RLOG_LV_DEBUG,
__FUNCTION__,
debug_buf);
MESA_set_stream_opt(a_stream, MSO_DROP_CURRENT_PKT, (void *)&opt_value, sizeof(opt_value));
return STATE_DROPME|STATE_DROPPKT;
return STATE_DROPME;
}
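Review bot: In send_icmp_unreachable the `a_stream==NULL` guard now calls `MESA_set_stream_opt(a_stream, MSO_DROP_CURRENT_PKT, ...)` on the pointer it has just found to be NULL; unless that function tolerates a NULL stream this is a null dereference on the error path, and there is no packet to drop in that case anyway. Remove that line so the branch is just the log followed by `return STATE_GIVEME;` — or `return STATE_DROPME;` if a missing stream should not be forwarded; note the old code returned STATE_DROPPKT here while the new code returns STATE_GIVEME, which for a deny action is the fail-open choice. The return value of tsg_send_inject_packet is no longer inspected, so a failed ICMP injection is now silent where the old code at least logged it; a debug log on non-zero return keeps that signal, and the old `MESA_handle_runtime_log(..., debug_buf)` that passed a built buffer as the format argument is rightly gone.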


@@ -9,7 +9,6 @@
#define STATE_GIVEME 1
#define STATE_DROPME 2
#define STATE_DROPPKT 4
#define STATE_KILL_OTHER 8
enum TSG_DENY_TYPE


@@ -310,24 +310,29 @@ void tsg_proxy_first_data_process(const struct streaminfo *stream, struct tsg_pr
void tsg_proxy_tcp_options_parse(const struct streaminfo *stream, const void *a_packet)
{
struct pkt_info pktinfo;
struct tsg_proxy_tcp_attribute *tcp_attr = tsg_proxy_tcp_attribute_get(stream);
if(a_packet==NULL)
{
return ;
}
struct pkt_info pktinfo;
struct tsg_proxy_tcp_attribute *tcp_attr = tsg_proxy_tcp_attribute_get(stream);
if (tcp_attr == NULL) {
return;
}
if (tcp_attr == NULL) {
return;
}
if (tcp_attr->first_data_pkt_processed) {
return;
}
memset(&pktinfo, 0, sizeof(struct pkt_info));
tsg_proxy_ip_header_parse(a_packet, (enum addr_type_t)stream->addr.addrtype, stream, &pktinfo);
if (pktinfo.parse_failed) {
MESA_handle_runtime_log(g_tsg_para.logger, RLOG_LV_FATAL, "PROXY", "invalid ip header, bypass pkt");
return;
}
memset(&pktinfo, 0, sizeof(struct pkt_info));
tsg_proxy_ip_header_parse(a_packet, (enum addr_type_t)stream->addr.addrtype, stream, &pktinfo);
if (pktinfo.parse_failed) {
MESA_handle_runtime_log(g_tsg_para.logger, RLOG_LV_FATAL, "PROXY", "invalid ip header, bypass pkt");
return;
}
if(stream->ptcpdetail->datalen > 0) {
tsg_proxy_first_data_process(stream, tcp_attr, &pktinfo);
@@ -337,7 +342,7 @@ void tsg_proxy_tcp_options_parse(const struct streaminfo *stream, const void *a_
tsg_proxy_tcp_parse(tcp_attr, &pktinfo, stream);
return;
return;
}
static void tsg_proxy_cmsg_subscriber_fill(struct session_runtime_attribute *session_attr, struct proxy_cmsg *cmsg)
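Review bot: Most of this hunk is re-indentation of lines whose text does not change (the `tcp_attr == NULL` check and the `pktinfo` parse block each appear twice with identical content), which buries the one substantive change: `tcp_attr = tsg_proxy_tcp_attribute_get(stream)` is now evaluated only after `a_packet` has been checked for NULL. Splitting whitespace-only reformatting from the move, or viewing the diff with whitespace ignored, would make that move reviewable on its own. The function still dereferences `stream` (`stream->addr.addrtype`, `stream->ptcpdetail->datalen`) with no corresponding check; if callers guarantee a non-NULL stream with a populated `ptcpdetail`, that precondition is worth recording above the `a_packet` check, e.g. `/* stream and stream->ptcpdetail are guaranteed by the caller; a_packet may be NULL */`. The body of tsg_proxy_tcp_options_parse continues into the second hunk, which only touches the trailing `return;`.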


@@ -3080,6 +3080,27 @@ size_t tsg_matched_rules_select(struct maat *feather, TSG_SERVICE service, long
return offset;
}
size_t tsg_select_rules_by_action(struct maat_rule *matched_rules, size_t n_matched_rules, struct maat_rule *rules, size_t n_rules, unsigned char action)
{
size_t offset=0;
for(size_t i=0; i<n_matched_rules; i++)
{
if(offset>=n_rules)
{
break;
}
if(matched_rules[i].action!=action)
{
continue;
}
rules[offset++]=matched_rules[i];
}
return offset;
}
size_t tsg_select_rules_by_service_id(struct maat_rule *matched_rules, size_t n_matched_rules, struct maat_rule *rules, size_t n_rules, enum TSG_SERVICE service_id)
{
size_t offset=0;
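Review bot: tsg_select_rules_by_action truncates silently: when `rules[]` fills up (`offset>=n_rules`) the loop breaks and the caller sees a count equal to `n_rules`, which is indistinguishable from an exact fit, so a matched allow or deny rule beyond the capacity is dropped without any trace — for a policy-enforcement path that deserves at least a comment, if not a log line at the `break`. The function is also a near-copy of tsg_select_rules_by_service_id directly below it, differing only in the field compared; the pair could share one static helper, or at minimum carry a contract comment such as `/* Copy the entries of matched_rules[] whose .action == action into rules[] (at most n_rules); returns the number copied, which equals n_rules when the output was truncated. */`. Taking `action` as `unsigned char` rather than the action enum the tests use (`TSG_ACTION_MONITOR`) forfeits the compiler's type check on the comparison with `matched_rules[i].action`; if that struct field is an enum, the parameter should be the same type. Neither `matched_rules` nor `rules` is checked for NULL, matching the sibling function, so callers must pass valid arrays whenever the counts are nonzero.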


@@ -171,5 +171,6 @@ size_t tsg_scan_fqdn_category_id(const struct streaminfo * a_stream, struct maat
int tsg_scan_intercept_exclusion(const struct streaminfo *a_stream, struct maat *feather, struct maat_rule *p_result, char *domain, int thread_seq);
struct maat_rule *tsg_select_deny_rule(struct maat_rule *rules, size_t n_rules);
size_t tsg_select_rules_by_action(struct maat_rule *matched_rules, size_t n_matched_rules, struct maat_rule *rules, size_t n_rules, unsigned char action);
struct umts_user_info *tsg_get_umts_user_info_form_redis(struct maat *feather, long long teid);


@@ -389,9 +389,6 @@ static void tsg_bridge_test_init_process_ctx(const struct streaminfo *a_stream,
process_ctx->http_url = (char *)dictator_malloc(a_stream->threadnum, strlen("thisishttp_url") + 1);
memset(process_ctx->http_url, 0, strlen("thisishttp_url") + 1);
memcpy(process_ctx->http_url, "thisishttp_url", strlen("thisishttp_url"));
process_ctx->hited_result = (struct maat_rule *)dictator_malloc(a_stream->threadnum, sizeof(struct maat_rule));
process_ctx->hited_result->rule_id = 10;
}
TEST(TSG_Bridge, ProcessAndActionContextAsync)
@@ -403,7 +400,6 @@ TEST(TSG_Bridge, ProcessAndActionContextAsync)
EXPECT_EQ(session_runtime_action_context_get(&a_stream), action_ctx);
struct session_runtime_process_context *process_test = (struct session_runtime_process_context *)session_runtime_process_context_get(&a_stream);
EXPECT_EQ(process_test->hited_result[0].rule_id, 10);
EXPECT_STREQ(process_test->domain, "thisisdomain");
EXPECT_STREQ(process_test->http_url, "thisishttp_url");
session_runtime_action_context_free(&a_stream, g_tm_bridge_para[BRIDGE_TYPE_SESSION_ACTION_CONTEXT].id, (void *)action_ctx);


@@ -552,11 +552,6 @@ TEST(TSGMaster, SecurityMultiplePolicyMonitorToIntercept)
EXPECT_EQ(TSG_ACTION_MONITOR, matched_policy[2].action);
EXPECT_EQ(TSG_ACTION_MONITOR, matched_policy[2].rule_id);
ret=session_matched_rules_copy(&a_stream, TSG_SERVICE_SECURITY, &(matched_policy[2]), 1);
EXPECT_EQ(1, ret);
EXPECT_EQ(TSG_ACTION_MONITOR, matched_policy[2].action);
EXPECT_EQ(TSG_ACTION_MONITOR, matched_policy[2].rule_id);
const struct matched_policy_rules *hited_security=session_matched_rules_get(&a_stream, TSG_SERVICE_SECURITY);
EXPECT_NE(nullptr, hited_security);
EXPECT_EQ(1, hited_security->n_rules);