From 98031e150462fac9e302774676d0378b960d456e Mon Sep 17 00:00:00 2001
From: liuxueli
Date: Fri, 27 Aug 2021 19:33:54 +0800
Subject: [PATCH] =?UTF-8?q?TSG-7568:=20facebook=E3=80=81twitter=EF=BC=8CMo?=
 =?UTF-8?q?nitor=E5=8A=A8=E4=BD=9C=E6=97=A0=E6=97=A5=E5=BF=97?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 inc/tsg_rule.h | 2 +-
 src/tsg_action.cpp | 2 +-
 src/tsg_entry.cpp | 27 +++++++++++++++++----------
 src/tsg_entry.h | 1 -
 src/tsg_rule.cpp | 8 ++++----
 5 files changed, 23 insertions(+), 17 deletions(-)

diff --git a/inc/tsg_rule.h b/inc/tsg_rule.h
index 53f2bdb..443ea37 100644
--- a/inc/tsg_rule.h
+++ b/inc/tsg_rule.h
@@ -24,7 +24,7 @@ enum TSG_METHOD_TYPE
 TSG_METHOD_TYPE_BLOCK,
 TSG_METHOD_TYPE_RESET,
 TSG_METHOD_TYPE_ALERT,
- TSG_METHOD_TYPE_RATE_LINIT,
+ TSG_METHOD_TYPE_RATE_LIMIT,
 TSG_METHOD_TYPE_MIRRORED,
 TSG_METHOD_TYPE_MAX
 };
diff --git a/src/tsg_action.cpp b/src/tsg_action.cpp
index 9617f0a..060c180 100644
--- a/src/tsg_action.cpp
+++ b/src/tsg_action.cpp
@@ -702,7 +702,7 @@ unsigned char tsg_deal_deny_action(const struct streaminfo *a_stream, Maat_rule_
 case TSG_METHOD_TYPE_REDIRECTION:
 local_state=do_action_redirect_xxx( a_stream, p_result, user_region, protocol, user_data);
 break;
- case TSG_METHOD_TYPE_RATE_LINIT:
+ case TSG_METHOD_TYPE_RATE_LIMIT:
 local_state=do_action_ratelimit(a_stream, p_result, user_region, type);
 break;
 default:
diff --git a/src/tsg_entry.cpp b/src/tsg_entry.cpp
index b43950d..8212ae2 100644
--- a/src/tsg_entry.cpp
+++ b/src/tsg_entry.cpp
@@ -493,7 +493,7 @@ static void free_tcpall_label(int thread_seq, void *project_req_value)
 dictator_free(thread_seq, (void *)(context->vlan));
 context->vlan=NULL;
 break;
- case TSG_METHOD_TYPE_RATE_LINIT:
+ case TSG_METHOD_TYPE_RATE_LIMIT:
 destroy_bucket(&(context->bucket), thread_seq);
 break;
 default:
@@ -607,7 +607,7 @@ static void copy_result_to_project(const struct streaminfo *a_stream, struct mas MESA_handle_runtime_log(g_tsg_para.logger, RLOG_LV_FATAL, "PROJECT_ADD", - "Add policy_priority_label failed, intercept policy, domain: %s policy_id: %d action: %d addr: %s", + "Add policy_priority_label failed, policy, domain: %s policy_id: %d action: %d addr: %s", (domain!=NULL ? domain : ""), priority_label->result[0].config_id, (unsigned char)priority_label->result[0].action, @@ -617,8 +617,8 @@ static void copy_result_to_project(const struct streaminfo *a_stream, struct mas MESA_handle_runtime_log(g_tsg_para.logger, RLOG_LV_DEBUG, - "INTERCEPT", - "Hit intercept policy, domain: %s policy_id: %d action: %d addr: %s", + "COPY_RESULT", + "Hit policy, domain: %s policy_id: %d action: %d addr: %s", (domain!=NULL ? domain : ""), priority_label->result[0].config_id, (unsigned char)priority_label->result[0].action, @@ -1262,7 +1262,7 @@ static unsigned char master_deal_scan_result(const struct streaminfo *a_stream, } break; case TSG_ACTION_MONITOR: - if(context->proto==PROTO_RTP || context->is_parent_ssl==1) + if(context->proto==PROTO_RTP) { break; } @@ -1297,9 +1297,10 @@ static unsigned char master_deal_scan_result(const struct streaminfo *a_stream, static int app_identify_result_cb(const struct streaminfo *a_stream, int bridge_id, void *data) { int hit_num=0,app_id=-1; + int is_parent_ssl=0; struct master_context *context=NULL; struct gather_app_result *gather_result=NULL; - struct Maat_rule_t scan_result[MAX_RESULT_NUM]={0}; + struct Maat_rule_t scan_result[MAX_RESULT_NUM]={0}, *p_result=NULL; struct app_identify_result *identify_result=(struct app_identify_result *)data; if(data==NULL) @@ -1350,7 +1351,7 @@ static int app_identify_result_cb(const struct streaminfo *a_stream, int bridge_ app_id==(int)tsg_l7_protocol_name2id("HTTPS") ) { - context->is_parent_ssl=1; + is_parent_ssl=1; } break; default: 
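Review bot: The reworded FATAL message in the 607 hunk now reads `Add policy_priority_label failed, policy, domain: %s ...` — removing the word "intercept" left a dangling ", policy," that makes the line awkward to read and to grep for. Suggest `"Add policy_priority_label failed, domain: %s policy_id: %d action: %d addr: %s"`. The DEBUG message in the 617 hunk (`Hit policy, domain: ...`) is fine as rewritten, and the new "COPY_RESULT" tag is a clearer module name than "INTERCEPT" now that non-intercept results also reach this point. The body of copy_result_to_project continues outside both hunks.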
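Review bot: Dropping `context->is_parent_ssl==1` from the TSG_ACTION_MONITOR case in the 1262 hunk moves the parent-SSL exemption out of master_deal_scan_result and into its caller, via the `is_parent_ssl` local introduced in the 1297 hunk, set in the 1350 hunk and tested in the 1362 hunk of the same file. If master_deal_scan_result is reached from any path other than app_identify_result_cb, those paths would now apply MONITOR to parent-SSL flows that were previously skipped; the other call sites are not in this patch, so that is worth confirming. A short comment on the case would make the new contract explicit, e.g. `/* parent-SSL flows are filtered by the caller before reaching this case */`. master_deal_scan_result's body extends beyond the hunk on both sides.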
@@ -1362,8 +1363,14 @@ static int app_identify_result_cb(const struct streaminfo *a_stream, int bridge_ record_time_start(&(context->last_scan_time)); hit_num=scan_application_id_and_properties((struct streaminfo *)a_stream, scan_result, MAX_RESULT_NUM, &(context->mid), identify_result, a_stream->threadnum); - master_deal_scan_result(a_stream, context, scan_result, hit_num, NULL); + p_result=tsg_policy_decision_criteria(scan_result, hit_num); + if(p_result==NULL || (p_result->action==TSG_ACTION_MONITOR && is_parent_ssl==1)) + { + return 0; + } + master_deal_scan_result(a_stream, context, scan_result, hit_num, NULL); + return 0; } @@ -1577,7 +1584,7 @@ static unsigned char tsg_master_all_entry(const struct streaminfo *a_stream, uns case TSG_METHOD_TYPE_MIRRORED: tsg_send_raw_packet(a_stream, context->vlan, context->vlan_num, thread_seq); break; - case TSG_METHOD_TYPE_RATE_LINIT: + case TSG_METHOD_TYPE_RATE_LIMIT: eth_rawpkt_len=get_raw_packet_len(a_stream); if(eth_rawpkt_len<=0) { @@ -1623,7 +1630,7 @@ extern "C" unsigned char TSG_MASTER_UDP_ENTRY(const struct streaminfo *a_udp, vo } state1=tsg_master_all_entry(a_udp, a_udp->opstate, (void **)&(context->all_entry), thread_seq, a_packet); - if(context->all_entry==NULL || context->all_entry->method_type!=TSG_METHOD_TYPE_RATE_LINIT) + if(context->all_entry==NULL || context->all_entry->method_type!=TSG_METHOD_TYPE_RATE_LIMIT) { state2=tsg_master_data_entry(a_udp, (void **)&(context->data_entry), thread_seq, a_packet); } diff --git a/src/tsg_entry.h b/src/tsg_entry.h index a53e8ba..62cdbaa 100644 --- a/src/tsg_entry.h +++ b/src/tsg_entry.h @@ -177,7 +177,6 @@ struct master_context int is_esni; int is_log; int is_ratelimit; - int is_parent_ssl; char *domain; scan_status_t mid; struct Maat_rule_t *result; diff --git a/src/tsg_rule.cpp b/src/tsg_rule.cpp index c1f6e36..c0cc961 100644 --- a/src/tsg_rule.cpp +++ b/src/tsg_rule.cpp 
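Review bot: The new early return in the 1362 hunk, `if(p_result==NULL || (p_result->action==TSG_ACTION_MONITOR && is_parent_ssl==1)) { return 0; }`, also skips master_deal_scan_result when no rule hit at all, whereas the old code called it unconditionally; if that function does any per-flow bookkeeping in the no-hit case (not visible here), that bookkeeping is now lost, so the change is wider than the parent-SSL fix the subject describes. hit_num is passed straight from scan_application_id_and_properties into the new tsg_policy_decision_criteria call; if the scan can return a negative value on error, a guard such as `if(hit_num<=0) { return 0; }` before the decision call would keep a bad count out of the rule lookup — confirm its return contract. The hunk header reports 2 removed and 8 added lines while only 1 and 7 are visible, so this rendering has probably lost a whitespace-only line of the hunk. Separately, `scan_result[MAX_RESULT_NUM]={0}, *p_result=NULL;` in the 1297 hunk mixes an array and a pointer in one declarator list; one declaration per line reads better.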
@@ -39,7 +39,7 @@ const struct _str2index method2index[TSG_METHOD_TYPE_MAX]={ {TSG_METHOD_TYPE_UNK {TSG_METHOD_TYPE_BLOCK, 5, (char *)"block"}, {TSG_METHOD_TYPE_RESET, 3, (char *)"rst"}, {TSG_METHOD_TYPE_ALERT, 5, (char *)"alert"}, - {TSG_METHOD_TYPE_RATE_LINIT, 10, (char *)"rate_limit"} + {TSG_METHOD_TYPE_RATE_LIMIT, 10, (char *)"rate_limit"} }; //functioned as strdup, for dictator compatible. @@ -875,7 +875,7 @@ static struct compile_user_region *parse_deny_user_region(cJSON *object) } } break; - case TSG_METHOD_TYPE_RATE_LINIT: + case TSG_METHOD_TYPE_RATE_LIMIT: user_region->deny=(struct deny_user_region *)calloc(1, sizeof(struct deny_user_region)); user_region->deny->type=TSG_DENY_TYPE_MAX; get_integer_from_json(object, "bps", &(user_region->deny->bps)); @@ -1017,7 +1017,7 @@ void security_compile_free(int idx, const struct Maat_rule_t* rule, const char* { case TSG_METHOD_TYPE_ALERT: case TSG_METHOD_TYPE_BLOCK: - case TSG_METHOD_TYPE_RATE_LINIT: + case TSG_METHOD_TYPE_RATE_LIMIT: case TSG_METHOD_TYPE_REDIRECTION: free_deny_user_region(user_region->deny); break; @@ -2516,7 +2516,7 @@ int tsg_set_bucket_to_tcpall(const struct streaminfo *a_stream, struct tcpall_co } } - _context->method_type=TSG_METHOD_TYPE_RATE_LINIT; + _context->method_type=TSG_METHOD_TYPE_RATE_LIMIT; _context->bucket=bucket; return 0;