TSG-9722: 适配APP执行default动作
@@ -21,6 +21,7 @@
|
||||
#include "tsg_rule.h"
|
||||
#include "tsg_entry.h"
|
||||
#include "tsg_statistic.h"
|
||||
#include "tsg_send_log.h"
|
||||
#include "tsg_protocol_common.h"
|
||||
|
||||
extern "C" int sendpacket_do_checksum(unsigned char *buf, int protocol, int len);
|
||||
@@ -617,6 +618,11 @@ static unsigned char do_action_default_xxx(const struct streaminfo *a_stream, Ma
|
||||
{
|
||||
struct deny_user_region *deny_region=NULL;
|
||||
|
||||
if(user_region->session_para==NULL)
|
||||
{
|
||||
return STATE_DROPME|STATE_DROPPKT;
|
||||
}
|
||||
|
||||
switch(a_stream->type)
|
||||
{
|
||||
case STREAM_TYPE_TCP:
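Review bot: The new early return for `user_region->session_para==NULL` dereferences `user_region` itself without a NULL check, and it returns `STATE_DROPME|STATE_DROPPKT` while the sibling deny functions in this commit choose between `PROT_STATE_*` and `APP_STATE_*` through a `type` argument. If those constant families are not numerically identical, a caller expecting an APP-typed state may misread this value; worth confirming, or routing the return through the same `type` selection. The decision to drop when no session parameters exist is a fail-closed default that deserves a one-line comment, e.g. `/* no session parameters to act on: fail closed and drop the stream */`. do_action_default_xxx's body continues past the hunk.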
|
||||
@@ -843,7 +849,7 @@ static unsigned char tsg_do_deny_action(const struct streaminfo *a_stream, struc
|
||||
local_state=do_action_default_xxx(a_stream, p_result, user_region, protocol, user_data);
|
||||
break;
|
||||
case TSG_METHOD_TYPE_APP_DROP:
|
||||
if(user_region->deny->type!=TSG_DENY_TYPE_APP_DROP)
|
||||
if((user_region->deny==NULL) || (user_region->deny->type!=TSG_DENY_TYPE_APP_DROP))
|
||||
{
|
||||
break;
|
||||
}
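Review bot: With the added `user_region->deny==NULL` guard, an APP_DROP rule whose deny block is absent now hits `break` and leaves `local_state` at whatever it was initialised to above the hunk; if that initial value is a pass state, a rule that failed to parse silently becomes a pass rather than a drop. Consider setting an explicit fail-closed value before the `break`, e.g. `local_state=STATE_DROPME|STATE_DROPPKT;`, or at least a comment recording which outcome is intended. The other `case` arms of this switch are outside the hunk and may dereference `user_region->deny` too — worth checking they get the same guard. tsg_do_deny_action continues beyond the hunk.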
|
||||
@@ -896,7 +902,7 @@ unsigned char tsg_deny_application(const struct streaminfo *a_stream, Maat_rule_
|
||||
dict=(struct app_id_dict *)Maat_plugin_get_EX_data(g_tsg_maat_feather, g_tsg_para.table_id[TABLE_APP_ID_DICT], (const char *)app_id_buff);
|
||||
if(dict==NULL)
|
||||
{
|
||||
return ((type==ACTION_RETURN_TYPE_PROT) ? PROT_STATE_GIVEME : APP_STATE_GIVEME);
|
||||
return ((type==ACTION_RETURN_TYPE_PROT) ? PROT_STATE_DROPPKT|PROT_STATE_DROPME: APP_STATE_DROPME|APP_STATE_DROPPKT);
|
||||
}
|
||||
|
||||
user_region=(struct compile_user_region *)Maat_rule_get_ex_data(g_tsg_maat_feather, p_result, g_tsg_para.table_id[TABLE_SECURITY_COMPILE]);
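Review bot: The `dict==NULL` branch now returns a drop state instead of `*_STATE_GIVEME`, so a stream whose app_id has no entry in `TABLE_APP_ID_DICT` is dropped rather than passed; that is a fail-closed behaviour change that neither the commit title nor the code explains. Add a comment at the return, e.g. `/* no app_id_dict entry: fail closed and drop rather than let the stream through */`, and consider a statistic or log so an incomplete dictionary is noticed rather than surfacing only as dropped traffic. tsg_deny_application continues outside the hunk in both directions.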
|
||||
@@ -937,7 +943,30 @@ unsigned char tsg_deal_deny_action(const struct streaminfo *a_stream, Maat_rule_
|
||||
}
|
||||
|
||||
user_region=(struct compile_user_region *)Maat_rule_get_ex_data(g_tsg_maat_feather, p_result, g_tsg_para.table_id[TABLE_SECURITY_COMPILE]);
|
||||
state=tsg_do_deny_action(a_stream, user_region, p_result, protocol, type, user_data);
|
||||
if(user_region==NULL)
|
||||
{
|
||||
return ((type==ACTION_RETURN_TYPE_PROT) ? PROT_STATE_DROPPKT|PROT_STATE_DROPME: APP_STATE_DROPME|APP_STATE_DROPPKT);
|
||||
}
|
||||
|
||||
if(user_region->method_type==TSG_METHOD_TYPE_APP_DROP)
|
||||
{
|
||||
unsigned int app_id=0;
|
||||
|
||||
if(protocol==PROTO_MAIL)
|
||||
{
|
||||
app_id=tsg_l7_protocol_name2id(g_tsg_proto_name2id[PROTO_SMTP].name);
|
||||
}
|
||||
else
|
||||
{
|
||||
app_id=tsg_l7_protocol_name2id(g_tsg_proto_name2id[protocol].name);
|
||||
}
|
||||
state=tsg_deny_application(a_stream, p_result, protocol, app_id, ACTION_RETURN_TYPE_APP, user_data);
|
||||
}
|
||||
else
|
||||
{
|
||||
state=tsg_do_deny_action(a_stream, user_region, p_result, protocol, type, user_data);
|
||||
}
|
||||
|
||||
security_compile_free(g_tsg_para.table_id[TABLE_SECURITY_COMPILE], p_result, NULL, (MAAT_RULE_EX_DATA *)&user_region, 0, NULL);
|
||||
|
||||
return state;
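Review bot: The new APP_DROP branch at `state=tsg_deny_application(a_stream, p_result, protocol, app_id, ACTION_RETURN_TYPE_APP, user_data);` hard-codes `ACTION_RETURN_TYPE_APP` while the `else` branch forwards the function's own `type` argument, so a caller that asked for `ACTION_RETURN_TYPE_PROT` gets an APP-typed state back from this path; if that is not intended, pass `type` here as well. `g_tsg_proto_name2id[protocol]` is indexed with the caller-supplied `protocol` and no visible check against `PROTO_MAX` (the bound the header hunk declares for that array); the same pattern appears with `context->proto` in master_deal_scan_result, so one bounded lookup helper used by both would close it in a single place. The early `return` on `user_region==NULL` skips the `security_compile_free` at the end, which matches is_deny_application in this commit but is worth confirming against what that free expects for a NULL region. tsg_deal_deny_action begins before the hunk.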
|
||||
|
||||
@@ -362,6 +362,27 @@ static int is_dns_protocol(const struct streaminfo *a_stream)
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int is_deny_application(Maat_rule_t *p_result)
|
||||
{
|
||||
int ret=0;
|
||||
struct compile_user_region *user_region=NULL;
|
||||
|
||||
user_region=(struct compile_user_region *)Maat_rule_get_ex_data(g_tsg_maat_feather, p_result, g_tsg_para.table_id[TABLE_SECURITY_COMPILE]);
|
||||
if(user_region==NULL)
|
||||
{
|
||||
return 0;
|
||||
}
|
||||
|
||||
if(user_region->method_type==TSG_METHOD_TYPE_APP_DROP)
|
||||
{
|
||||
ret=1;
|
||||
}
|
||||
|
||||
security_compile_free(g_tsg_para.table_id[TABLE_SECURITY_COMPILE], p_result, NULL, (MAAT_RULE_EX_DATA *)&user_region, 0, NULL);
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
int set_struct_project(const struct streaminfo *a_stream, int project_id, void *data)
|
||||
{
|
||||
if(a_stream==NULL || project_id<0)
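Review bot: `is_deny_application` has no header comment, and its contract — a region lookup paired with `security_compile_free`, 0 when no compiled region is attached — is not obvious from the name. Suggest `/* Returns 1 when the compiled security region of p_result selects TSG_METHOD_TYPE_APP_DROP, 0 otherwise (including when no region is attached); the region is released before returning. */` above the definition. The same get-region/check-method/free sequence is also written inline in tsg_deal_deny_action in another file of this commit; since this helper is `static`, a shared non-static version would be needed to remove that duplication.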
|
||||
@@ -1573,20 +1594,14 @@ int scan_application_id_and_properties(const struct streaminfo *a_stream, struct
|
||||
context->hited_para.after_n_packets=after_n_packets;
|
||||
}
|
||||
|
||||
if(d_result!=NULL && d_result->action==TSG_ACTION_DENY)
|
||||
{
|
||||
copy_result_to_project(a_stream, context, d_result, NULL, context->proto, PULL_FW_RESULT, thread_seq);
|
||||
}
|
||||
|
||||
return hit_num;
|
||||
}
|
||||
|
||||
static unsigned char master_deal_scan_result(const struct streaminfo *a_stream, struct master_context *context, struct Maat_rule_t *result, int hit_num, const void *a_packet)
|
||||
{
|
||||
int ret=0;
|
||||
Maat_rule_t *p_result=NULL;
|
||||
unsigned char state=APP_STATE_GIVEME;
|
||||
struct identify_info tmp_identify_info;
|
||||
Maat_rule_t *p_result=NULL, app_result={0};
|
||||
struct tcpall_context *tmp_tcpall_context=NULL;
|
||||
|
||||
p_result=tsg_policy_decision_criteria(result, hit_num);
|
||||
@@ -1596,9 +1611,13 @@ static unsigned char master_deal_scan_result(const struct streaminfo *a_stream,
|
||||
switch((unsigned char)p_result->action)
|
||||
{
|
||||
case TSG_ACTION_DENY:
|
||||
ret=tsg_pull_policy_result((struct streaminfo* )a_stream, PULL_FW_RESULT, &app_result, 1, &tmp_identify_info);
|
||||
if(ret>0 && app_result.action==TSG_ACTION_DENY && app_result.config_id==p_result->config_id)
|
||||
if(is_deny_application(p_result))
|
||||
{
|
||||
if(context->hited_para.hited_app_id==0)
|
||||
{
|
||||
context->hited_para.hited_app_id=tsg_l7_protocol_name2id(g_tsg_proto_name2id[context->proto].name);
|
||||
}
|
||||
|
||||
if(context->hited_para.after_n_packets>0)
|
||||
{
|
||||
ret=tsg_set_method_to_tcpall(a_stream, &tmp_tcpall_context, TSG_METHOD_TYPE_APP_DROP, a_stream->threadnum);
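Review bot: The fallback for `context->hited_para.hited_app_id` is derived from `g_tsg_proto_name2id[context->proto]` directly, whereas the equivalent derivation added to tsg_deal_deny_action maps `PROTO_MAIL` to `PROTO_SMTP` first; if the two are meant to agree, this one records a different app id for mail streams. Replacing the old `tsg_pull_policy_result` comparison with `is_deny_application(p_result)` also means a Maat lookup plus `security_compile_free` on every DENY decision; if this is a hot path, carrying the method type on the result would avoid the repeated round trip. `context->proto` is used as an array index with no visible bound check, as already raised on tsg_deal_deny_action. master_deal_scan_result continues outside the hunk.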
|
||||
@@ -1606,6 +1625,8 @@ static unsigned char master_deal_scan_result(const struct streaminfo *a_stream,
|
||||
{
|
||||
tmp_tcpall_context->hited_para=context->hited_para;
|
||||
}
|
||||
|
||||
copy_result_to_project(a_stream, context, p_result, context->domain, context->proto, PULL_FW_RESULT, a_stream->threadnum);
|
||||
state=APP_STATE_KILL_OTHER|APP_STATE_DROPME;
|
||||
break;
|
||||
}
|
||||
|
||||
@@ -18,6 +18,7 @@
|
||||
#include "tsg_statistic.h"
|
||||
#include "tsg_leaky_bucket.h"
|
||||
#include "tsg_protocol_common.h"
|
||||
#include "tsg_send_log_internal.h"
|
||||
|
||||
#if(__GNUC__ * 100 + __GNUC_MINOR__ * 10 + __GNUC_PATCHLEVEL__ >= 411)
|
||||
#define atomic_inc(x) __sync_add_and_fetch((x),1)
|
||||
@@ -305,6 +306,7 @@ typedef struct tsg_para
|
||||
|
||||
extern g_tsg_para_t g_tsg_para;
|
||||
extern Maat_feather_t g_tsg_dynamic_maat_feather;
|
||||
extern id2field_t g_tsg_proto_name2id[PROTO_MAX];
|
||||
|
||||
typedef enum tsg_statis_field_id
|
||||
{
|
||||
|
||||
@@ -43,7 +43,8 @@ const struct _str2index method2index[TSG_METHOD_TYPE_MAX]={ {TSG_METHOD_TYPE_UNK
|
||||
{TSG_METHOD_TYPE_RATE_LIMIT, 10, (char *)"rate_limit"},
|
||||
{TSG_METHOD_TYPE_MIRRORED, 8, (char *)"mirrored"},
|
||||
{TSG_METHOD_TYPE_TAMPER, 6, (char *)"tamper"},
|
||||
{TSG_METHOD_TYPE_DEFAULT, 7, (char *)"default"}
|
||||
{TSG_METHOD_TYPE_DEFAULT, 14, (char *)"default_policy"}, // policy id=0, default policy
|
||||
{TSG_METHOD_TYPE_APP_DROP, 7, (char *)"default"} // use action of app_id_dict
|
||||
};
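Review bot: The string `"default"` now resolves to `TSG_METHOD_TYPE_APP_DROP` rather than `TSG_METHOD_TYPE_DEFAULT`, so any existing rule or configuration that used `"default"` silently changes meaning from the policy-id-0 default to the app_id_dict action; record that migration next to the table, e.g. `// NOTE: "default" previously selected TSG_METHOD_TYPE_DEFAULT; rules that meant the default policy must now say "default_policy"`. The literal lengths (14, 7) are easy to get out of step with the strings — `sizeof("default_policy")-1` would keep them tied together. The array is sized `TSG_METHOD_TYPE_MAX`, so that enum must have grown by one for this extra initializer; the enum is outside the hunk.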
|
||||
|
||||
|
||||
@@ -1077,6 +1078,8 @@ static struct compile_user_region *parse_deny_user_region(cJSON *deny_user_regio
|
||||
break;
|
||||
}
|
||||
break;
|
||||
case TSG_METHOD_TYPE_APP_DROP:
|
||||
break;
|
||||
case TSG_METHOD_TYPE_RST:
|
||||
case TSG_METHOD_TYPE_RESET:
|
||||
break;
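Review bot: The new `case TSG_METHOD_TYPE_APP_DROP: break;` parses nothing, so `user_region->deny` presumably stays NULL for such rules — which looks like the reason the APP_DROP arm of tsg_do_deny_action gained a `deny==NULL` check in this commit. State that here so the next reader does not add a parse step or remove that guard, e.g. `/* APP_DROP carries no deny block: the action is taken from app_id_dict at decision time, so ->deny stays NULL */`. parse_deny_user_region starts and ends outside the hunk.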
|
||||
|
||||