From 9feef2359a2077e731788f2657858f4dbe383934 Mon Sep 17 00:00:00 2001 From: liuxueli Date: Thu, 16 Feb 2023 19:56:22 +0800 Subject: [PATCH] =?UTF-8?q?TSG-13817,TSG-13815:=20=E4=BB=8Ebridge=E4=B8=AD?= =?UTF-8?q?=E5=9B=9E=E5=8E=BB=E5=91=BD=E4=B8=AD=E7=9A=84deny=20result?= =?UTF-8?q?=EF=BC=8C=E4=BF=AE=E5=A4=8D=E8=AE=BE=E7=BD=AEdrop=20after=20N?= =?UTF-8?q?=20packet=E5=8F=82=E6=95=B0=E5=90=8E=E6=97=A0=E6=95=88=E6=9E=9C?= =?UTF-8?q?=E7=9A=84=E9=97=AE=E9=A2=98?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- src/tsg_action.cpp | 36 +++++++++++++++++++++++++++++++++--- src/tsg_entry.cpp | 19 ++++++++++--------- 2 files changed, 43 insertions(+), 12 deletions(-) diff --git a/src/tsg_action.cpp b/src/tsg_action.cpp index b04efa1..ed58b9c 100644 --- a/src/tsg_action.cpp +++ b/src/tsg_action.cpp 
@@ -687,6 +687,33 @@ static unsigned char do_action_ratelimit(const struct streaminfo *a_stream, Maat return STATE_GIVEME|STATE_KILL_OTHER; } +static unsigned char do_action_block_sip(const struct streaminfo *a_stream, Maat_rule_t *p_result, struct compile_user_region *user_region, const void *user_data) +{ + int offset=0; + char payload[1024]={0}; + switch(user_region->deny->code) + { + case 480: + //"SIP/2.0 480 Temporarily Unavailable\r\n" + offset=strlen("SIP/2.0 480 Temporarily Unavailable\r\n"); + memcpy(payload, "SIP/2.0 480 Temporarily Unavailable\r\n", offset); + break; + case 500: + //"SIP/2.0 500 Server Internal Error\r\n", + offset=strlen("SIP/2.0 500 Server Internal Error\r\n"); + memcpy(payload, "SIP/2.0 500 Server Internal Error\r\n", offset); + break; + default: + return STATE_DROPME|STATE_DROPPKT; + } + + memcpy(payload+offset, user_data, strlen((const char*)user_data)); + unsigned char raw_route_dir=(a_stream->curdir==DIR_C2S) ? MESA_dir_reverse(a_stream->routedir) : a_stream->routedir; + tsg_send_inject_packet(a_stream, SIO_DEFAULT, payload, strlen(payload), raw_route_dir); + + return STATE_DROPME|STATE_DROPPKT; +} + static unsigned char do_action_block_mail(const struct streaminfo *a_stream, Maat_rule_t *p_result, struct compile_user_region *user_region) { char *payload=NULL; 
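Review bot: The `memcpy(payload+offset, user_data, strlen((const char*)user_data))` in the new do_action_block_sip copies an unbounded length into the 1024-byte stack buffer `payload`, so a long or unterminated `user_data` overflows the stack and the following `strlen(payload)` then runs past the buffer once no NUL remains; `user_data` is also dereferenced without a NULL check. From tsg_entry this argument is the former `a_packet`, and if it is raw packet data rather than a NUL-terminated string the `strlen` itself reads out of bounds — worth confirming what the caller actually passes. Bound the copy to the space left after the status line and reserve a byte for the terminator, as below; if the text does not fit it is better to drop the injection than to truncate or overflow. The `default:` branch already drops without injecting, so an early return on NULL matches that style.
```cpp
    // … unchanged: switch on user_region->deny->code that builds the status line …
    if (user_data == NULL) {
        return STATE_DROPME|STATE_DROPPKT;
    }
    // Never copy more than fits after the status line, keeping one byte for the
    // terminating NUL so the later strlen(payload) stays inside the buffer.
    size_t tail = strnlen((const char*)user_data, sizeof(payload) - (size_t)offset - 1);
    memcpy(payload+offset, user_data, tail);
    // … unchanged: raw_route_dir computation, tsg_send_inject_packet, return …
```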
@@ -739,17 +766,17 @@ static unsigned char do_action_block_http(const struct streaminfo *a_stream, Maa return STATE_DROPME|STATE_DROPPKT; } -static unsigned char do_action_block_xxx(const struct streaminfo *a_stream, Maat_rule_t *p_result, struct compile_user_region *user_region, tsg_protocol_t protocol, const void *a_packet) +static unsigned char do_action_block_xxx(const struct streaminfo *a_stream, Maat_rule_t *p_result, struct compile_user_region *user_region, tsg_protocol_t protocol, const void *user_data) { if(user_region==NULL || user_region->deny==NULL) { - return do_action_drop(a_stream, p_result, user_region, protocol, a_packet); + return do_action_drop(a_stream, p_result, user_region, protocol, user_data); } switch(protocol) { case PROTO_HTTP: - return do_action_block_http(a_stream, p_result, user_region, a_packet); + return do_action_block_http(a_stream, p_result, user_region, user_data); break; case PROTO_POP3: case PROTO_IMAP: @@ -757,6 +784,9 @@ static unsigned char do_action_block_xxx(const struct streaminfo *a_stream, Maat case PROTO_MAIL: return do_action_block_mail(a_stream, p_result, user_region); break; + case PROTO_SIP: + return do_action_block_sip(a_stream, p_result, user_region, user_data); + break; default: break; } diff --git a/src/tsg_entry.cpp b/src/tsg_entry.cpp index 2ce8d56..5b8ea56 100644 --- a/src/tsg_entry.cpp +++ b/src/tsg_entry.cpp 
@@ -2165,12 +2165,12 @@ static unsigned char tsg_master_all_entry(const struct streaminfo *a_stream, uns scan_status_t scan_mid=NULL; struct Maat_rule_t *p_result=NULL; unsigned char state=APP_STATE_GIVEME; - struct identify_info tmp_identify_info; struct Maat_rule_t hited_result[MAX_TSG_ALL_RESULT_NUM]={0}; struct Maat_rule_t security_result[MAX_RESULT_NUM]={0}; struct Maat_rule_t shaping_result[MAX_RESULT_NUM]={0}; struct tcpall_context *all_context=(struct tcpall_context *)(*pme); - + struct policy_priority_label *priority_label=NULL; + if(stream_state==OP_STATE_PENDING && all_context->method_type!=TSG_METHOD_TYPE_ALLOW && !(all_context->udp_data_dropme)) { if(all_context->method_type==TSG_METHOD_TYPE_UNKNOWN) 
@@ -2241,33 +2241,34 @@ static unsigned char tsg_master_all_entry(const struct streaminfo *a_stream, uns if(get_default_policy(g_tsg_para.default_compile_id, &security_result[0])) { - state=tsg_deal_deny_action(a_stream, &security_result[0], PROTO_UNKONWN, ACTION_RETURN_TYPE_TCPALL, a_packet); + state=tsg_deal_deny_action(a_stream, &security_result[0], PROTO_UNKONWN, ACTION_RETURN_TYPE_TCPALL, a_packet); + master_send_log(a_stream, &security_result[0], 1, NULL, thread_seq); } break; case TSG_METHOD_TYPE_DROP: case TSG_METHOD_TYPE_APP_DROP: // contain hited current packet, platform calls tcp first and tcpall secondary. - if(((all_context->hited_para.after_n_packets >= 0) && a_stream->type==STREAM_TYPE_TCP) || + if(((all_context->hited_para.after_n_packets > 0) && a_stream->type==STREAM_TYPE_TCP) || ((all_context->hited_para.after_n_packets > 0) && a_stream->type==STREAM_TYPE_UDP) || stream_state==OP_STATE_CLOSE) { all_context->hited_para.after_n_packets--; break; } - - ret=tsg_pull_policy_result((struct streaminfo *)a_stream,PULL_FW_RESULT, &security_result[0], 1, &tmp_identify_info); - if(ret<=0) + priority_label=(struct policy_priority_label *)tsg_get_xxx_from_bridge(a_stream, g_tsg_para.bridge[BRIDGE_TYPE_POLICY_PRIORITY].id); + //ret=tsg_pull_policy_result((struct streaminfo *)a_stream,PULL_FW_RESULT, &security_result[0], 1, &tmp_identify_info); + if(priority_label==NULL || priority_label->security_result[0].action!=TSG_ACTION_DENY) { break; } if(all_context->hited_para.hited_app_id<=0) { - state=tsg_deal_deny_action(a_stream, &security_result[0], all_context->protocol, ACTION_RETURN_TYPE_TCPALL, a_packet); + state=tsg_deal_deny_action(a_stream, &priority_label->security_result[0], all_context->protocol, ACTION_RETURN_TYPE_TCPALL, a_packet); } else { - state=tsg_deny_application(a_stream, &security_result[0], all_context->protocol, all_context->hited_para.hited_app_id, ACTION_RETURN_TYPE_TCPALL, a_packet); + state=tsg_deny_application(a_stream, 
&priority_label->security_result[0], all_context->protocol, all_context->hited_para.hited_app_id, ACTION_RETURN_TYPE_TCPALL, a_packet); } break; default:
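Review bot: The commented-out `//ret=tsg_pull_policy_result(...)` left beside the new `tsg_get_xxx_from_bridge` lookup should be deleted rather than kept as dead text — version control already holds the old call — and if `ret` is no longer assigned anywhere else in this function it has become an unused local that should go the same way `tmp_identify_info` did. The new guard checks `priority_label` for NULL and `security_result[0].action` for deny, but nothing visible here confirms that the bridge object has a populated result before element 0 is read; if the label carries a count, the check should be `priority_label==NULL || count==0 || ...action!=TSG_ACTION_DENY`, which is worth verifying against the struct definition. A one-line comment such as `// Deny decisions are now read back from the policy-priority bridge object rather than re-pulled via tsg_pull_policy_result` would record why the lookup changed. tsg_master_all_entry starts before and ends after this hunk.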