gfwleak/tango-tsg-master
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(traffic mirror): 添加traffic mirror 功能

Browse Source
This commit is contained in:
刘学利
2021-08-01 10:48:19 +00:00
parent 3633fbc44b
commit ae72c88662
21 changed files with 1622 additions and 202 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
.gitlab-ci.yml
View File

@@ -3,7 +3,7 @@ variables:
GIT_STRATEGY: "clone"
BUILD_PADDING_PREFIX: /tmp/padding_for_CPACK_RPM_BUILD_SOURCE_DIRS_PREFIX_PREFIX_PREFIX_PREFIX_PREFIX_PREFIX/
INSTALL_PREFIX: "/home/mesasoft/sapp_run/"
INSTALL_DEPENDENCY_LIBRARY: libMESA_handle_logger-devel libcjson-devel libMESA_field_stat2-devel sapp sapp-devel framework_env libMESA_prof_load-devel http-devel dns-devel ftp-devel mail-devel ssl-devel librdkafka-devel libmaatframe-devel quic-devel mesa_sip-devel gtp-devel libMESA_htable-devel libasan
INSTALL_DEPENDENCY_LIBRARY: libMESA_handle_logger-devel libcjson-devel libMESA_field_stat2-devel sapp sapp-devel framework_env libMESA_prof_load-devel http-devel dns-devel ftp-devel mail-devel ssl-devel librdkafka-devel libmaatframe-devel quic-devel mesa_sip-devel gtp-devel libMESA_htable-devel libasan mrzcpd
stages:
- build

7
CMakeLists.txt
View File

@@ -34,6 +34,7 @@ endif()
set(CMAKE_INSTALL_PREFIX /home/mesasoft/sapp_run)
add_subdirectory(support)
add_subdirectory(src)
SET(CPACK_RPM_LIBRARIES_PRE_INSTALL_SCRIPT_FILE "${PROJECT_SOURCE_DIR}/cmake/PreInstall.sh")
@@ -52,6 +53,12 @@ install(FILES bin/app_l7_proto_id.conf DESTINATION ${CMAKE_INSTALL_PREFIX}/tsgco
install(FILES bin/tsg_l7_protocol.conf DESTINATION ${CMAKE_INSTALL_PREFIX}/tsgconf COMPONENT PROFILE)
install(FILES bin/tsg_maat.json DESTINATION ${CMAKE_INSTALL_PREFIX}/tsgconf COMPONENT PROFILE)
install(FILES bin/HTTP200.html DESTINATION ${CMAKE_INSTALL_PREFIX}/tsgconf COMPONENT PROFILE)
install(FILES bin/HTTP204.html DESTINATION ${CMAKE_INSTALL_PREFIX}/tsgconf COMPONENT PROFILE)
install(FILES bin/HTTP303.html DESTINATION ${CMAKE_INSTALL_PREFIX}/tsgconf COMPONENT PROFILE)
install(FILES bin/HTTP403.html DESTINATION ${CMAKE_INSTALL_PREFIX}/tsgconf COMPONENT PROFILE)
install(FILES bin/HTTP404.html DESTINATION ${CMAKE_INSTALL_PREFIX}/tsgconf COMPONENT PROFILE)
install(FILES inc/tsg_send_log.h DESTINATION /opt/MESA/include/tsg COMPONENT HEADER)
install(FILES inc/tsg_rule.h DESTINATION /opt/MESA/include/tsg COMPONENT HEADER)
install(FILES inc/tsg_statistic.h DESTINATION /opt/MESA/include/tsg COMPONENT HEADER)

11
bin/HTTP200.html Normal file
View File

@@ -0,0 +1,11 @@
<!DOCTYPE html>
<html lang="en">
<!-- Powerd by MESA Lab -->
<head>
<meta charset="utf-8" /><meta http-equiv="X-UA-Compatible" content="IE=edge" /><meta name="viewport" content="width=device-width, initial-scale=1" />
<title> Successfull | 200 - OK </title>
</head>
<body>
<div class="cover"><h1> Successfull 200 <small>Successfully 200</small></h1><p class="lead">The requested resource accesss Successfully (TSG-{{cfg_id}}:{{msg}}).</p></div>
</body>
</html>

11
bin/HTTP204.html Normal file
View File

@@ -0,0 +1,11 @@
<!DOCTYPE html>
<html lang="en">
<!-- Powerd by MESA Lab -->
<head>
<meta charset="utf-8" /><meta http-equiv="X-UA-Compatible" content="IE=edge" /><meta name="viewport" content="width=device-width, initial-scale=1" />
<title>We've got some trouble | 204 - Not Content </title>
</head>
<body>
<div class="cover"><h1>Not Content <small>Error 204</small></h1><p class="lead">The requested resource requires an authentication (TSG-{{cfg_id}}:{{msg}}).</p></div>
</body>
</html>

11
bin/HTTP303.html Normal file
View File

@@ -0,0 +1,11 @@
<!DOCTYPE html>
<html lang="en">
<!-- Powerd by MESA Lab -->
<head>
<meta charset="utf-8" /><meta http-equiv="X-UA-Compatible" content="IE=edge" /><meta name="viewport" content="width=device-width, initial-scale=1" />
<title> 303 See Other </title>
</head>
<body>
<div class="cover"><h1> 303 See Other <small>303 See Other</small></h1><p class="lead">The requested resource accesss Successfully (TSG-{{cfg_id}}:{{msg}}).</p></div>
</body>
</html>

11
bin/HTTP403.html Normal file
View File

@@ -0,0 +1,11 @@
<!DOCTYPE html>
<html lang="en">
<!-- Powerd by MESA Lab -->
<head>
<meta charset="utf-8" /><meta http-equiv="X-UA-Compatible" content="IE=edge" /><meta name="viewport" content="width=device-width, initial-scale=1" />
<title>We've got some trouble | 403 - Access Denied</title>
</head>
<body>
<div class="cover"><h1>Access Denied <small>Error 403</small></h1><p class="lead">The requested resource requires an authentication (TSG-{{cfg_id}}:{{msg}}).</p></div>
</body>
</html>

11
bin/HTTP404.html Normal file
View File

@@ -0,0 +1,11 @@
<!DOCTYPE html>
<html lang="en">
<!-- Powerd by MESA Lab -->
<head>
<meta charset="utf-8" /><meta http-equiv="X-UA-Compatible" content="IE=edge" /><meta name="viewport" content="width=device-width, initial-scale=1" />
<title>We've got some trouble | 404 - Resource not found</title>
</head>
<body>
<div class="cover"><h1>Resource not found <small>Error 404 </small></h1><p class="lead">The requested resource could not be found but may be available again in the future (TSG-{{cfg_id}}:{{msg}}).</p></div>
</body>
</html>

8
bin/main.conf
View File

@@ -37,4 +37,10 @@ APP_BRIDGE_NAME="APP_BRIDGE"
POLICY_PRIORITY_LABEL="POLICY_PRIORITY"
L7_RPTOCOL_FILE="./tsgconf/tsg_l7_protocol.conf"
DEVICE_SN_FILENAME="/opt/tsg/etc/tsg_sn.json"
DEVICE_ID_COMMAND="hostname | awk -F'-' '{print $3}'| awk -F'ADC' '{print $2}'"
DEVICE_ID_COMMAND="hostname | awk -F'-' '{print $3}'| awk -F'ADC' '{print $2}'"
[TRAFFIC_MIRROR]
TRAFFIC_MIRROR_ENABLE=1
NIC_NAME="eth_vf_mirr"
APP_NAME="TSG_MIRROR"
DEFAULT_VLAN_ID=1023

3
ci/travis.sh
View File

@@ -36,6 +36,7 @@ env | sort
if [ -n "${INSTALL_DEPENDENCY_LIBRARY}" ]; then
yum install -y $INSTALL_DEPENDENCY_LIBRARY
source /etc/profile.d/framework.sh
source /etc/profile.d/mrzcpd.sh
fi
if [ $ASAN_OPTION ];then
@@ -58,7 +59,7 @@ if [ -n "${PACKAGE}" ]; then
make package
fi
if [ -n "${UPLOAD_RPM}" ]; then
if [ -n "${UPLOAD_RPM}" ]; then
cp ~/rpm_upload_tools.py ./
python3 rpm_upload_tools.py ${PULP3_REPO_NAME} ${PULP3_DIST_NAME} *.rpm
fi

53
inc/tsg_rule.h
View File

@@ -24,9 +24,17 @@ enum TSG_METHOD_TYPE
TSG_METHOD_TYPE_BLOCK,
TSG_METHOD_TYPE_RESET,
TSG_METHOD_TYPE_ALERT,
TSG_METHOD_TYPE_RATE_LINIT,
TSG_METHOD_TYPE_MAX
};
enum TSG_DENY_TYPE
{
TSG_DENY_TYPE_MESSAGE=0,
TSG_DENY_TYPE_PROFILE,
TSG_DENY_TYPE_REDIRECT_TO,
TSG_DENY_TYPE_MAX
};
struct identify_info
{
tsg_protocol_t proto; //enum _tsg_protocol (tsg_types.h)
@@ -34,15 +42,37 @@ struct identify_info
char domain[MAX_DOAMIN_LEN];
};
struct compile_user_region
struct deny_user_region
{
int code;
enum TSG_DENY_TYPE type;
union
{
char *message;
char *redirect_url_to;
int profile_id;
int bytes_per_sec;
void *para;
};
};
struct monitor_user_region
{
int enabled;
int mirror_vlan_id;
};
struct compile_user_region
{
int ref_cnt;
int html_profile;
char protocol[32];
char method[32];
char *message;
Maat_rule_t *result;
enum TSG_METHOD_TYPE method_type;
union
{
struct deny_user_region *deny;
struct monitor_user_region *mirror;
struct Maat_rule_t *result; //XJ default policy
void *user_region_para;
};
};
typedef enum _PULL_RESULT_TYPE
@@ -85,10 +115,21 @@ int tsg_pull_policy_result(struct streaminfo *a_stream, PULL_RESULT_TYPE pull_re
//return NULL if none exists, otherwise return one deny rule;
struct Maat_rule_t *tsg_fetch_deny_rule(Maat_rule_t *result, int result_num);
enum ACTION_RETURN_TYPE
{
ACTION_RETURN_TYPE_PROT=0,
ACTION_RETURN_TYPE_APP
};
unsigned char tsg_deal_deny_action(const struct streaminfo *a_stream, Maat_rule_t *p_result, tsg_protocol_t protocol, enum ACTION_RETURN_TYPE type, const void *a_packet);
int tsg_get_method_id(char *method);
int tsg_free_compile_user_region(const struct Maat_rule_t *rule, struct compile_user_region *user_region);
struct compile_user_region *tsg_get_compile_user_region(const Maat_feather_t maat_feather, struct Maat_rule_t *result);
int tsg_get_fqdn_category_id(Maat_feather_t maat_feather, char *fqdn, unsigned int *category_id, int category_id_num, void *logger, int thread_seq);
int tsg_scan_app_id_policy(Maat_feather_t maat_feather, const struct streaminfo *a_stream, struct Maat_rule_t *result, int result_num, scan_status_t *mid, char *name, unsigned int id, int thread_seq);
int tsg_scan_fqdn_category_id(Maat_feather_t maat_feather, const struct streaminfo *a_stream, struct Maat_rule_t *result, int result_num, scan_status_t *mid, int table_id, unsigned int *category_id, int category_id_num, int thread_seq);
int tsg_notify_hited_monitor_result(const struct streaminfo *a_stream, struct Maat_rule_t *result, int result_num, int thread_seq);
#endif

6
src/CMakeLists.txt
View File

@@ -2,18 +2,18 @@ cmake_minimum_required(VERSION 2.8)
add_definitions(-fPIC)
set(SRC tsg_entry.cpp tsg_rule.cpp tsg_ssl_utils.cpp tsg_send_log.cpp tsg_statistic.cpp tsg_ssh_utils.cpp tsg_gtp_signaling.cpp)
set(SRC tsg_entry.cpp tsg_rule.cpp tsg_ssl_utils.cpp tsg_send_log.cpp tsg_statistic.cpp tsg_ssh_utils.cpp tsg_gtp_signaling.cpp tsg_traffic_mirror.cpp tsg_send_raw_packet.cpp tsg_action.cpp)
include_directories(${CMAKE_SOURCE_DIR}/inc)
include_directories(/opt/MESA/include/MESA/)
set(TSG_MASTER_DEPEND_DYN_LIB MESA_handle_logger MESA_prof_load maatframe pthread MESA_field_stat2 rdkafka cjson)
set(TSG_MASTER_DEPEND_DYN_LIB MESA_handle_logger MESA_prof_load maatframe pthread MESA_field_stat2 rdkafka cjson marsio)
set(CMAKE_INSTALL_PREFIX /home/mesasoft/sapp_run)
add_library(tsg_master SHARED ${SRC})
set_target_properties(tsg_master PROPERTIES LINK_FLAGS "-Wl,--version-script=${PROJECT_SOURCE_DIR}/src/version.map")
target_link_libraries(tsg_master ${TSG_MASTER_DEPEND_DYN_LIB})
target_link_libraries(tsg_master ${TSG_MASTER_DEPEND_DYN_LIB} ctemplate-static)
set_target_properties(tsg_master PROPERTIES PREFIX "")
install(TARGETS tsg_master LIBRARY DESTINATION ${CMAKE_INSTALL_PREFIX}/plug/platform/tsg_master COMPONENT LIBRARIES)

648
src/tsg_action.cpp Normal file
View File

@@ -0,0 +1,648 @@
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <assert.h>
#include <sys/time.h>
#include <unistd.h>
#include <netinet/ip6.h>
#include <sys/stat.h>
#include <arpa/inet.h>
#include <MESA/http.h>
#include <MESA/ftp.h>
#include <MESA/ssl.h>
#include <MESA/mail.h>
#include <MESA/gquic.h>
#include "MESA/mesa_sip.h"
#include <MESA/stream.h>
#include <MESA/MESA_handle_logger.h>
#include "app_label.h"
#include "tsg_rule.h"
#include "tsg_entry.h"
#include "tsg_statistic.h"
extern "C" int sendpacket_do_checksum(unsigned char *buf, int protocol, int len);
static int set_drop_stream(const struct streaminfo *a_stream)
{
int opt_value=1;
MESA_set_stream_opt(a_stream, MSO_DROP_STREAM, (void *)&opt_value, sizeof(opt_value));
MESA_set_stream_opt(a_stream, MSO_DROP_CURRENT_PKT, (void *)&opt_value, sizeof(opt_value));
MESA_set_stream_opt(a_stream, MSO_TIMEOUT, (void *)&g_tsg_para.timeout, sizeof(g_tsg_para.timeout));
return 0;
}
static int get_http_header(char *buff, int len, int code, char *user_define)
{
int used_len=0;
switch(code)
{
case 200:
used_len=snprintf(buff, len, "HTTP/1.1 %d OK\r\nContent-Type: text/html\r\n\r\n", code);
break;
case 204:
used_len=snprintf(buff, len, "HTTP/1.1 %d No Content\r\nContent-Type: text/html\r\n\r\n", code);
break;
case 403:
used_len=snprintf(buff, len, "HTTP/1.1 %d Forbidden\r\nContent-Type: text/html\r\n\r\n", code);
break;
case 404:
used_len=snprintf(buff, len, "HTTP/1.1 %d Not Found\r\nContent-Type: text/html\r\n\r\n", code);
break;
case 302:
used_len=snprintf(buff, len, "HTTP/1.1 %d Moved Temporarily\r\nContent-Type: text/html\r\nLocation: %s\r\n\r\n", code, user_define);
break;
case 303:
used_len=snprintf(buff, len, "HTTP/1.1 %d See Other\r\nLocation: %s\r\n\r\n", code, user_define);
break;
default:
break;
}
return used_len;
}
static int get_tcp_mss_option(const struct streaminfo *a_stream, int type, void *out)
{
int i=0,ret=0;
int tcp_opt_num=0;
struct tcp_option *tcp_opt=NULL;
ret=MESA_get_stream_opt(a_stream, MSO_TCP_SYN_OPT, (void *)&tcp_opt, &tcp_opt_num);
if(ret>0)
{
for(i=0; i<tcp_opt_num; i++)
{
if(tcp_opt[i].type!=type)
{
continue;
}
switch(tcp_opt[i].type)
{
case TCP_OPT_MSS:
*(short *)out=tcp_opt[i].short_value;
return 1;
break;
default:
break;
}
}
}
return 0;
}
static void template_generate(int status_code, int cfg_id, const char* msg, char **page_buff, size_t *page_size, int thread_seq)
{
ctemplate::TemplateDictionary dict("pg_page_dict"); //dict is automatically finalized after function returned.
dict.SetIntValue("cfg_id", cfg_id);
if (NULL == msg)
{
dict.SetValue("msg", "NULL");
}
else
{
dict.SetValue("msg", msg);
}
std::string output;
ctemplate::Template * tpl = NULL;
switch (status_code)
{
case 403:
tpl = g_tsg_para.tpl_403;
tpl->Expand(&output, &dict);
break;
case 404:
tpl = g_tsg_para.tpl_404;
tpl->Expand(&output, &dict);
break;
case 200:
tpl = g_tsg_para.tpl_200;
tpl->Expand(&output, &dict);
break;
case 204:
tpl = g_tsg_para.tpl_204;
tpl->Expand(&output, &dict);
break;
case 303:
tpl = g_tsg_para.tpl_303;
tpl->Expand(&output, &dict);
break;
default: return;
}
*page_size=output.length()+1;
char *_page_buff=(char *)dictator_malloc(thread_seq, (*page_size)*sizeof(char));
memcpy(_page_buff, output.c_str(), *page_size);
*page_buff=_page_buff;
return ;
}
static int get_response_pages(struct Maat_rule_t *p_result, struct compile_user_region *user_region, char **payload, int thread_seq)
{
char key[16]={0};
int payload_len=0;
struct http_response_pages *res_pages=NULL;
switch(user_region->deny->type)
{
case TSG_DENY_TYPE_MESSAGE:
template_generate(user_region->deny->code, p_result->config_id, user_region->deny->message, payload, (size_t *)&payload_len, thread_seq);
return payload_len;
break;
case TSG_DENY_TYPE_PROFILE:
break;
default:
break;
}
snprintf(key, sizeof(key), "%d", user_region->deny->profile_id);
res_pages=(struct http_response_pages *)Maat_plugin_get_EX_data(g_tsg_maat_feather,g_tsg_para.table_id[TABLE_RESPONSE_PAGES], key);
if(res_pages!=NULL)
{
switch(res_pages->format)
{
case HTTP_RESPONSE_FORMAT_HTML:
*payload=(char *)dictator_malloc(thread_seq, res_pages->content_len);
memcpy(*payload, res_pages->content, res_pages->content_len);
payload_len=res_pages->content_len;
break;
case HTTP_RESPONSE_FORMAT_TEMPLATE:
template_generate(user_region->deny->code, p_result->config_id, res_pages->content, payload, (size_t *)&payload_len, thread_seq);
break;
default:
break;
}
http_response_pages_free(g_tsg_para.table_id[TABLE_RESPONSE_PAGES], (MAAT_PLUGIN_EX_DATA *)&res_pages, 0, NULL);
}
return payload_len;
}
static int set_tcp_flags(char *packet, int ip_tcp_hdr_len)
{
struct tcphdr *tcp=(struct tcphdr *)(packet+(ip_tcp_hdr_len-20)); // tcp header=20 bytes
tcp->fin=1;
tcp->psh=0;
tcp->ack=1;
return 0;
}
static int reverse_ip_tcp_header(char *message, int ip_tcp_hdr_len, int v4_or_v6)
{
int ip_hdr_len=0;
struct tcphdr *tcp=NULL;
struct iphdr *ipv4=NULL;
struct ip6_hdr *ipv6=NULL;
struct in6_addr ipv6_addr;
unsigned short port=0;
unsigned int seq=0,addr=0;
switch(v4_or_v6)
{
case 4:
ipv4=(struct iphdr *)message;
ip_hdr_len=ipv4->ihl*4;
addr=ipv4->saddr;
ipv4->saddr=ipv4->daddr;
ipv4->daddr=addr;
break;
case 6:
ipv6=(struct ip6_hdr *)message;
ip_hdr_len=sizeof(struct ip6_hdr);
memcpy((void *)&ipv6_addr, (void *)&(ipv6->ip6_src), sizeof(struct in6_addr));
memcpy((void *)&(ipv6->ip6_src), (void *)&(ipv6->ip6_dst), sizeof(struct in6_addr));
memcpy((void *)&(ipv6->ip6_dst), (void *)&ipv6_addr, sizeof(struct in6_addr));
break;
default:
return -1;
break;
}
tcp=(struct tcphdr *)((char *)message+ip_hdr_len);
port=tcp->source;
tcp->source=tcp->dest;
tcp->dest=port;
seq=tcp->seq;
tcp->seq=tcp->ack_seq;
tcp->ack_seq=seq;
return 0;
}
static int copy_ip_tcp_header(const struct streaminfo *a_stream, const void *a_packet, char *message, int *ip_tcp_hdr_len, int *v4_or_v6)
{
int ip_hdr_len=0,tcp_hdr_len=0;
int tcp_hdr_len_tmp=0;
unsigned short total_len=0;
struct iphdr *ipv4=NULL;
struct ip6_hdr *ipv6=NULL;
switch(a_stream->addr.addrtype)
{
case ADDR_TYPE_IPV4:
case __ADDR_TYPE_IP_PAIR_V4:
(*v4_or_v6)=4;
ipv4=(struct iphdr *)a_packet;
ip_hdr_len=ipv4->ihl*4;
total_len=ipv4->tot_len;
break;
case ADDR_TYPE_IPV6:
case __ADDR_TYPE_IP_PAIR_V6:
(*v4_or_v6)=6;
ipv6=(struct ip6_hdr *)a_packet;
ip_hdr_len=sizeof(struct ip6_hdr);
total_len=ipv6->ip6_ctlun.ip6_un1.ip6_un1_plen;
break;
default:
return -1;
break;
}
memcpy(message, a_packet, ip_hdr_len);
struct tcphdr * tcp=(struct tcphdr *)((char *)a_packet+ip_hdr_len);
tcp_hdr_len_tmp=tcp->doff*4;
tcp_hdr_len=20;
memcpy(message+ip_hdr_len, (char *)a_packet+ip_hdr_len, tcp_hdr_len);/*skip tcp option*/
tcp=(struct tcphdr *)((char *)message+ip_hdr_len);
tcp->doff=5;
if((*v4_or_v6)==4)
{
tcp->seq=(unsigned int)htonl((unsigned int)ntohl(tcp->seq)+ntohs(total_len)-ip_hdr_len-tcp_hdr_len_tmp); // length of packet payload
}
else
{
tcp->seq=(unsigned int)htonl((unsigned int)ntohl(tcp->seq)+ntohs(total_len)-tcp_hdr_len_tmp); // length of packet payload
}
(*ip_tcp_hdr_len)=ip_hdr_len+tcp_hdr_len;
return 0;
}
static unsigned char send_inject_packet(const struct streaminfo *a_stream, enum sapp_inject_opt sio, char *payload, int payload_len)
{
int ret=0;
unsigned char raw_route_dir=0;
if(payload==NULL || payload_len<=0)
{
return -1;
}
raw_route_dir=(a_stream->curdir==DIR_C2S) ? MESA_dir_reverse(a_stream->routedir) : a_stream->routedir;
ret=sapp_inject_pkt((struct streaminfo *)a_stream, sio, payload, payload_len, raw_route_dir);
if(ret<=0)
{
FS_operate(g_tsg_para.fs2_handle, g_tsg_para.fs2_field_id[TSG_FS2_INJECT_PKT_FAILED], 0, FS_OP_ADD, 1);
return -1;
}
FS_operate(g_tsg_para.fs2_handle, g_tsg_para.fs2_field_id[TSG_FS2_INJECT_PKT_SUCCESS], 0, FS_OP_ADD, 1);
return 0;
}
static int send_reponse_packet(const struct streaminfo *a_stream, char *packet, int payload_len, int v4_or_v6, int ip_tcp_hdr_len, int http_hdr_len)
{
struct iphdr *ipv4=NULL;
struct ip6_hdr *ipv6=NULL;
struct tcphdr *tcp=NULL;
tcp=(struct tcphdr *)(packet+(ip_tcp_hdr_len-20)); // tcp header=20 bytes
if(v4_or_v6==4)
{
ipv4=(struct iphdr *)packet;
ipv4->tot_len=htons(ip_tcp_hdr_len+http_hdr_len+payload_len);
sendpacket_do_checksum((unsigned char *)packet, IPPROTO_TCP, tcp->doff*4 + http_hdr_len+payload_len);
sendpacket_do_checksum((unsigned char *)packet, IPPROTO_IP, ipv4->ihl*4);
}
else
{
ipv6=(struct ip6_hdr *)packet;
ipv6->ip6_ctlun.ip6_un1.ip6_un1_plen=htons(20+http_hdr_len+payload_len); //tcp_hdr_len=20
sendpacket_do_checksum((unsigned char *)packet, IPPROTO_TCP, tcp->doff*4 + http_hdr_len+payload_len);
}
send_inject_packet(a_stream, SIO_EXCLUDE_THIS_LAYER_HDR, packet, ip_tcp_hdr_len+http_hdr_len+payload_len);
tcp->seq=htonl(ntohl(tcp->seq)+http_hdr_len+payload_len);
return ip_tcp_hdr_len+http_hdr_len+payload_len;
}
static int build_response_pages(const struct streaminfo *a_stream, struct Maat_rule_t *p_result, struct compile_user_region *user_region, const void *a_packet)
{
char *payload=NULL;
char message[1024*64]={0};
int v4_or_v6=0;
int http_hdr_len=0;
int payload_len=0;
int ip_tcp_hdr_len=0;
int i=0,one_payload_len=0;
int ret=0,send_pkt_len=0;
short max_segment_size=1400;
ret=copy_ip_tcp_header(a_stream, a_packet, message, &ip_tcp_hdr_len, &v4_or_v6);
if(ret!=0)
{
return 0;
}
if(a_stream->curdir==DIR_C2S)
{
reverse_ip_tcp_header(message, ip_tcp_hdr_len, v4_or_v6);
}
http_hdr_len=get_http_header(message+ip_tcp_hdr_len, sizeof(message)-ip_tcp_hdr_len, user_region->deny->code, NULL);
payload_len=get_response_pages(p_result, user_region, &payload, a_stream->threadnum);
//TLD_append(TLD_handle, (char *)"http_action_file_size", (void *)(long)payload_len, TLD_TYPE_LONG);
get_tcp_mss_option(a_stream, TCP_OPT_MSS, (void *)&max_segment_size);
for(i=0; i<payload_len; i+=one_payload_len)
{
one_payload_len=MIN(payload_len-i, max_segment_size-http_hdr_len);
memcpy((char *)message+ip_tcp_hdr_len+http_hdr_len, payload+i, one_payload_len);
send_pkt_len+=send_reponse_packet(a_stream, message, one_payload_len, v4_or_v6, ip_tcp_hdr_len, http_hdr_len);
http_hdr_len=0;
}
if(payload!=NULL)
{
dictator_free(a_stream->threadnum, payload);
payload=NULL;
}
set_tcp_flags(message, ip_tcp_hdr_len);
send_reponse_packet(a_stream, message, 0, v4_or_v6, ip_tcp_hdr_len, 0); //fin
reverse_ip_tcp_header(message, ip_tcp_hdr_len, v4_or_v6);
send_reponse_packet(a_stream, message, 0, v4_or_v6, ip_tcp_hdr_len, 0); //fin
return send_pkt_len;
}
static int get_content_303(const struct streaminfo *a_stream, struct Maat_rule_t *p_result, char *url, char *http_hdr, int http_hdr_len)
{
int used_len=0;
char *tmp_buff=NULL;
char ip_str[128]={0};
std::string output;
struct _session_attribute_label_t *attr_label=NULL;
ctemplate::Template *tpl_303=ctemplate::Template::StringToTemplate(url, strlen(url), ctemplate::DO_NOT_STRIP);
ctemplate::TemplateDictionary dict_303("url_dict"); //dict is automatically finalized after function returned.
dict_303.SetIntValue("tsg_policy_id", p_result->config_id);
attr_label=(struct _session_attribute_label_t *)project_req_get_struct(a_stream, g_tsg_para.internal_project_id);
if(attr_label!=NULL && attr_label->client_subscribe_id!=NULL)
{
dict_303.SetFormattedValue("tsg_subscriber_id", "%s", attr_label->client_subscribe_id->subscribe_id);
}
else
{
dict_303.SetFormattedValue("tsg_subscriber_id", "%s", "");
}
switch(a_stream->addr.addrtype)
{
case ADDR_TYPE_IPV4:
inet_ntop(AF_INET, (const void *)&(a_stream->addr.ipv4->saddr), ip_str, sizeof(ip_str));
dict_303.SetFormattedValue("tsg_client_ip", "%s", ip_str);
break;
case ADDR_TYPE_IPV6:
inet_ntop(AF_INET6, (const void *)(a_stream->addr.ipv6->saddr), ip_str, sizeof(ip_str));
dict_303.SetFormattedValue("tsg_client_ip", "%s", ip_str);
break;
default:
dict_303.SetFormattedValue("tsg_client_ip", "%s", "");
break;
}
tpl_303->Expand(&output, &dict_303);
used_len=output.length();
tmp_buff=(char *)dictator_malloc(a_stream->threadnum, (used_len+1)*sizeof(char));
memcpy(tmp_buff, output.c_str(), used_len);
tmp_buff[used_len]='\0';
used_len=get_http_header(http_hdr, http_hdr_len, 303, tmp_buff);
dictator_free(a_stream->threadnum, tmp_buff);
tmp_buff=NULL;
return used_len;
}
static unsigned char do_action_reset(const struct streaminfo *a_stream, Maat_rule_t *p_result)
{
int ret=0,opt_value=0;
struct rst_tcp_para rst_paras={0};
if(a_stream->type==STREAM_TYPE_TCP)
{
rst_paras.rst_pkt_num=1;
rst_paras.signature_seed1=65535;
rst_paras.signature_seed2=13;
rst_paras.th_flags=4;
rst_paras.__pad_no_use=0;
rst_paras.dir=DIR_DOUBLE;
ret=MESA_rst_tcp((struct streaminfo *)a_stream, &rst_paras, sizeof(rst_paras));
if(ret<0)
{
MESA_handle_runtime_log(g_tsg_para.logger,
RLOG_LV_FATAL,
"RST_TCP",
"Send RST failed policy_id: %d service: %d action: %d addr: %s",
p_result->config_id,
p_result->service_id,
(unsigned char)p_result->action,
PRINTADDR(a_stream, g_tsg_para.level)
);
}
opt_value=1;
MESA_set_stream_opt(a_stream, MSO_TCP_RST_REMEDY, (void *)&opt_value, sizeof(opt_value));
}
set_drop_stream(a_stream);
return APP_STATE_DROPPKT|APP_STATE_DROPME;
}
static unsigned char do_action_block_mail(const struct streaminfo *a_stream, Maat_rule_t *p_result, struct compile_user_region *user_region)
{
char *payload=NULL;
switch(user_region->deny->code)
{
case 550:
payload=(char *)"550 Mail was identified as spam.\r\n";
break;
case 551:
payload=(char *)"551 User not local; please try <forward-path>\r\n";
break;
default:
break;
}
if(payload!=NULL)
{
send_inject_packet(a_stream, SIO_DEFAULT, payload, strlen(payload));
}
return PROT_STATE_DROPME|PROT_STATE_DROPPKT;
}
static unsigned char do_action_block_http(const struct streaminfo *a_stream, Maat_rule_t *p_result, struct compile_user_region *user_region, const void *a_packet)
{
int send_pkt_len=0;
switch(user_region->deny->code)
{
case 200:
case 204:
case 403:
case 404:
send_pkt_len=build_response_pages(a_stream, p_result, user_region, a_packet);
tsg_set_statistic_opt(send_pkt_len, ((user_region->method_type==TSG_METHOD_TYPE_ALERT) ? OPT_TYPE_ALERT_BYTES : OPT_TYPE_BLOCK_BYTES), a_stream->threadnum);
break;
default:
break;
}
return PROT_STATE_DROPME|PROT_STATE_DROPPKT;
}
static unsigned char do_action_block_xxx(const struct streaminfo *a_stream, Maat_rule_t *p_result, struct compile_user_region *user_region, tsg_protocol_t protocol, const void *a_packet)
{
if(user_region==NULL || user_region->deny==NULL)
{
return do_action_reset(a_stream, p_result);
}
switch(protocol)
{
case PROTO_HTTP:
return do_action_block_http(a_stream, p_result, user_region, a_packet);
break;
case PROTO_POP3:
case PROTO_IMAP:
case PROTO_SMTP:
case PROTO_MAIL:
return do_action_block_mail(a_stream, p_result, user_region);
break;
default:
break;
}
set_drop_stream(a_stream);
return PROT_STATE_DROPME|PROT_STATE_DROPPKT;
}
static unsigned char do_action_redirect_http(const struct streaminfo *a_stream, Maat_rule_t *p_result, struct compile_user_region *user_region)
{
int used_http_hdr_len=0;
char http_hdr[1024]={0};
switch(user_region->deny->code)
{
case 302:
used_http_hdr_len=get_http_header(http_hdr, sizeof(http_hdr), user_region->deny->code, user_region->deny->redirect_url_to);
send_inject_packet( a_stream, SIO_DEFAULT, http_hdr, used_http_hdr_len);
break;
case 303:
used_http_hdr_len=get_content_303(a_stream, p_result, user_region->deny->redirect_url_to, http_hdr, sizeof(http_hdr));
send_inject_packet( a_stream, SIO_DEFAULT, http_hdr, used_http_hdr_len);
break;
default:
break;
}
return PROT_STATE_DROPME|PROT_STATE_DROPPKT;
}
static unsigned char do_action_redirect_xxx(const struct streaminfo *a_stream, Maat_rule_t *p_result, struct compile_user_region *user_region, tsg_protocol_t protocol)
{
if(user_region==NULL || user_region->deny==NULL)
{
return do_action_reset(a_stream, p_result);
}
switch(protocol)
{
case PROTO_HTTP:
do_action_redirect_http(a_stream, p_result, user_region);
break;
default:
break;
}
set_drop_stream(a_stream);
return PROT_STATE_DROPME|PROT_STATE_DROPPKT;
}
unsigned char tsg_deal_deny_action(const struct streaminfo *a_stream, Maat_rule_t *p_result, tsg_protocol_t protocol, enum ACTION_RETURN_TYPE type, const void *a_packet)
{
unsigned char state=APP_STATE_GIVEME;
int method_type=TSG_METHOD_TYPE_RESET;
struct compile_user_region *user_region=NULL;
user_region=(struct compile_user_region *)Maat_rule_get_ex_data(g_tsg_maat_feather, p_result, g_tsg_para.table_id[TABLE_SECURITY_COMPILE]);
if(user_region!=NULL)
{
method_type=user_region->method_type;
}
switch(method_type)
{
case TSG_METHOD_TYPE_DROP:
case TSG_METHOD_TYPE_RESET:
state=do_action_reset(a_stream, p_result);
break;
case TSG_METHOD_TYPE_BLOCK:
case TSG_METHOD_TYPE_ALERT:
state=do_action_block_xxx(a_stream, p_result, user_region, protocol, a_packet);
break;
case TSG_METHOD_TYPE_REDIRECTION:
state=do_action_redirect_xxx( a_stream, p_result, user_region, protocol);
break;
default:
break;
}
security_compile_free(g_tsg_para.table_id[TABLE_SECURITY_COMPILE], p_result, NULL, (MAAT_RULE_EX_DATA *)&user_region, 0, NULL);
state= ((type==ACTION_RETURN_TYPE_PROT) ? (PROT_STATE_DROPME|PROT_STATE_DROPPKT) : (PROT_STATE_DROPME|PROT_STATE_DROPPKT));
return state;
}

224
src/tsg_entry.cpp
View File

@@ -69,7 +69,13 @@ id2field_t g_tsg_fs2_field[TSG_FS2_MAX]={{0, TSG_FS2_TCP_LINKS, "tcp_links"},
{0, TSG_FS2_APP_DPKT_RESULT, "D_result"},
{0, TSG_FS2_APP_Q_RESULT, "Q_result"},
{0, TSG_FS2_APP_USER_RESULT, "U_result"},
{0, TSG_FS2_APP_BUILT_IN_RESULT, "B_result"}
{0, TSG_FS2_APP_BUILT_IN_RESULT, "B_result"},
{0, TSG_FS2_INJECT_PKT_SUCCESS, "inject_succuess"},
{0, TSG_FS2_INJECT_PKT_FAILED, "inject_failed"},
{0, TSG_FS2_MIRRORED_PKT_SUCCESS, "mirror_pkt_suc"},
{0, TSG_FS2_MIRRORED_PKT_FAILED, "mirror_pkt_fai"},
{0, TSG_FS2_MIRRORED_BYTE_SUCCESS, "mirror_byte_suc"},
{0, TSG_FS2_MIRRORED_BYTE_FAILED, "mirror_byte_fai"}
};
id2field_t g_tsg_proto_name2id[PROTO_MAX]={{PROTO_UNKONWN, 0, "unknown"},
@@ -259,18 +265,6 @@ static int is_hited_allow(struct Maat_rule_t *result, int hit_cnt)
return 0;
}
static int set_drop_stream(const struct streaminfo *a_stream)
{
int opt_value=1;
MESA_set_stream_opt(a_stream, MSO_DROP_STREAM, (void *)&opt_value, sizeof(opt_value));
MESA_set_stream_opt(a_stream, MSO_DROP_CURRENT_PKT, (void *)&opt_value, sizeof(opt_value));
MESA_set_stream_opt(a_stream, MSO_TIMEOUT, (void *)&g_tsg_para.timeout, sizeof(g_tsg_para.timeout));
return 0;
}
static int set_struct_project(const struct streaminfo *a_stream, int project_id, void *data)
{
if(a_stream==NULL || project_id<0)
@@ -345,6 +339,24 @@ static int get_default_policy(int compile_id, struct Maat_rule_t *result)
return 0;
}
int set_vlan_id_to_project(const struct streaminfo *a_stream, struct tcpall_context *context, int *vlan_id, int vlan_id_num, int thread_seq)
{
int num=0;
context=(struct tcpall_context *)get_struct_project(a_stream, g_tsg_para.tcpall_project_id);
if(context==NULL)
{
context=(struct tcpall_context *)dictator_malloc(thread_seq, sizeof(struct tcpall_context));
memset(context, 0, sizeof(struct tcpall_context));
set_struct_project(a_stream, g_tsg_para.tcpall_project_id, (void *)context);
}
num=MIN(vlan_id_num, MAX_RESULT_NUM-context->vlan_id_num);
memcpy(context->vlan_id+context->vlan_id_num, vlan_id, num);
context->vlan_id_num+=num;
return 0;
}
static int master_send_log(const struct streaminfo *a_stream, struct Maat_rule_t *p_result, int result_num, char *domain, tsg_protocol_t proto, int thread_seq)
{
tsg_log_t log_msg;
@@ -602,72 +614,6 @@ static void copy_bypass_result(const struct streaminfo *a_stream, struct master_
return ;
}
static unsigned char deal_deny_action(const struct streaminfo *a_stream, struct master_context *context, Maat_rule_t *p_result)
{
int ret=0,opt_value=0;
struct rst_tcp_para rst_paras;
unsigned char state=APP_STATE_GIVEME;
int method_type=TSG_METHOD_TYPE_UNKNOWN;
struct compile_user_region *user_region=NULL;
user_region=(struct compile_user_region *)Maat_rule_get_ex_data(g_tsg_maat_feather, p_result, g_tsg_para.table_id[TABLE_SECURITY_COMPILE]);
if(user_region!=NULL)
{
method_type=tsg_get_method_id(user_region->method);
security_compile_free(g_tsg_para.table_id[TABLE_SECURITY_COMPILE], p_result, NULL, (MAAT_RULE_EX_DATA *)&user_region, 0, NULL);
}
else
{
method_type=TSG_METHOD_TYPE_RESET;
}
switch(method_type)
{
case TSG_METHOD_TYPE_DROP:
set_drop_stream(a_stream);
state=APP_STATE_DROPPKT|APP_STATE_DROPME;
break;
case TSG_METHOD_TYPE_RESET:
if(a_stream->type==STREAM_TYPE_TCP)
{
rst_paras.rst_pkt_num=1;
rst_paras.signature_seed1=65535;
rst_paras.signature_seed2=13;
rst_paras.th_flags=4;
rst_paras.__pad_no_use=0;
rst_paras.dir=DIR_DOUBLE;
ret=MESA_rst_tcp((struct streaminfo *)a_stream, &rst_paras, sizeof(rst_paras));
if(ret<0)
{
MESA_handle_runtime_log(g_tsg_para.logger,
RLOG_LV_FATAL,
"RST_TCP",
"Send RST failed policy_id: %d service: %d action: %d addr: %s",
p_result->config_id,
p_result->service_id,
(unsigned char)p_result->action,
PRINTADDR(a_stream, g_tsg_para.level)
);
}
opt_value=1;
MESA_set_stream_opt(a_stream, MSO_TCP_RST_REMEDY, (void *)&opt_value, sizeof(opt_value));
}
set_drop_stream(a_stream);
state=APP_STATE_DROPPKT|APP_STATE_DROPME;
break;
case TSG_METHOD_TYPE_BLOCK:
case TSG_METHOD_TYPE_ALERT:
case TSG_METHOD_TYPE_REDIRECTION:
break;
default:
break;
}
return state;
}
static int l7_protocol_mapper(const char *filename)
{
int ret=0;
@@ -1256,7 +1202,7 @@ int scan_application_id_and_properties(const struct streaminfo *a_stream, struct
return hit_num;
}
static unsigned char master_deal_scan_result(const struct streaminfo *a_stream, struct master_context *context, struct Maat_rule_t *result, int hit_num, void *a_packet)
static unsigned char master_deal_scan_result(const struct streaminfo *a_stream, struct master_context *context, struct Maat_rule_t *result, int hit_num, const void *a_packet)
{
Maat_rule_t *p_result=NULL;
unsigned char state=APP_STATE_GIVEME;
@@ -1268,7 +1214,7 @@ static unsigned char master_deal_scan_result(const struct streaminfo *a_stream,
switch((unsigned char)p_result->action)
{
case TSG_ACTION_DENY:
state=deal_deny_action(a_stream, context, p_result);
state=tsg_deal_deny_action(a_stream, p_result, context->proto, ACTION_RETURN_TYPE_APP, a_packet);
if((state&APP_STATE_DROPPKT)==APP_STATE_DROPPKT)
{
context->hit_cnt=0;
@@ -1291,6 +1237,7 @@ static unsigned char master_deal_scan_result(const struct streaminfo *a_stream,
break;
}
copy_monitor_result(a_stream, context, result, hit_num, a_stream->threadnum);
tsg_notify_hited_monitor_result(a_stream, result, hit_num, a_stream->threadnum);
break;
case TSG_ACTION_BYPASS:
copy_bypass_result(a_stream, context, p_result, a_stream->threadnum);
@@ -1540,40 +1487,62 @@ extern "C" unsigned char TSG_MASTER_UDP_ENTRY(const struct streaminfo *a_udp, vo
return tsg_master_entry(a_udp, pme, thread_seq, a_packet);
}
extern "C" unsigned char TSG_MASTER_TCPALL_ENTRY(struct streaminfo *a_tcp, void **pme, int thread_seq,const void *ip_hdr)
extern "C" unsigned char TSG_MASTER_TCPALL_ENTRY(const struct streaminfo *a_tcp, void **pme, int thread_seq, const void *a_packet)
{
struct tcphdr *tcp=NULL;
if(ip_hdr==NULL || a_tcp==NULL)
{
return APP_STATE_GIVEME;
}
switch(a_tcp->addr.addrtype)
{
case ADDR_TYPE_IPV4:
tcp=(struct tcphdr *)MESA_net_jump_to_layer(ip_hdr, __ADDR_TYPE_IP_PAIR_V4, ADDR_TYPE_TCP);
break;
case ADDR_TYPE_IPV6:
tcp=(struct tcphdr *)MESA_net_jump_to_layer(ip_hdr, __ADDR_TYPE_IP_PAIR_V6, ADDR_TYPE_TCP);
break;
default:
return APP_STATE_GIVEME;
break;
}
if(!(tcp->syn))
{
set_session_attribute_label(a_tcp, TSG_ATTRIBUTE_TYPE_ESTABLISH_LATECY, NULL, a_tcp->threadnum);
set_session_attribute_label(a_tcp, TSG_ATTRIBUTE_TYPE_ASN, NULL, a_tcp->threadnum);
set_session_attribute_label(a_tcp, TSG_ATTRIBUTE_TYPE_LOCATION, NULL, a_tcp->threadnum);
set_session_attribute_label(a_tcp, TSG_ATTRIBUTE_TYPE_MLTS_USER_INFO, NULL, a_tcp->threadnum);
set_session_attribute_label(a_tcp, TSG_ATTRIBUTE_TYPE_SUBSCRIBER_ID, NULL, a_tcp->threadnum);
int hit_num=0;
int vlan_id_num=0;
int vlan_id[MAX_RESULT_NUM]={0};
scan_status_t scan_mid=NULL;
struct Maat_rule_t *p_result=NULL;
unsigned char state=APP_STATE_GIVEME;
struct Maat_rule_t result[MAX_RESULT_NUM]={0};
struct tcpall_context *context=(struct tcpall_context *)(*pme);
return APP_STATE_DROPME;
if(a_tcp->pktstate==OP_STATE_PENDING)
{
hit_num=tsg_scan_nesting_addr(g_tsg_maat_feather, a_tcp, PROTO_UNKONWN, &scan_mid, result, MAX_RESULT_NUM);
if(hit_num>0)
{
p_result=tsg_policy_decision_criteria(result, hit_num);
switch(p_result->action)
{
case TSG_ACTION_DENY:
state=tsg_deal_deny_action(a_tcp, p_result, PROTO_UNKONWN, ACTION_RETURN_TYPE_APP, a_packet);
master_send_log(a_tcp, p_result, hit_num, NULL, PROTO_UNKONWN, thread_seq);
break;
case TSG_ACTION_MONITOR:
vlan_id_num=tsg_get_vlan_id_by_monitor_rule(g_tsg_maat_feather, result, hit_num, vlan_id, MAX_RESULT_NUM);
if(vlan_id_num<=0)
{
break;
}
set_vlan_id_to_project(a_tcp, context, vlan_id, vlan_id_num, thread_seq);
*pme=(void *)(context);
tsg_send_raw_packet(a_tcp, context->vlan_id, context->vlan_id_num, thread_seq);
break;
default:
break;
}
}
Maat_clean_status(&scan_mid);
scan_mid=NULL;
}
if(context!=NULL && context->vlan_id_num>0)
{
tsg_send_raw_packet(a_tcp, context->vlan_id, context->vlan_id_num, thread_seq);
}
return APP_STATE_GIVEME;
if(a_tcp->pktstate==OP_STATE_CLOSE && (*pme)!=NULL)
{
dictator_free(thread_seq, *pme);
*pme=NULL;
}
return state;
}
extern "C" int TSG_MASTER_INIT()
@@ -1673,6 +1642,13 @@ extern "C" int TSG_MASTER_INIT()
return -1;
}
g_tsg_para.tcpall_project_id=project_producer_register("TSG_TCPALL_CONTEXT", PROJECT_VAL_TYPE_STRUCT, free_context_label);
if(g_tsg_para.tcpall_project_id<0)
{
MESA_handle_runtime_log(g_tsg_para.logger, RLOG_LV_FATAL, "CONTEXT_LABEL", "project_customer_register is error, context label: %s","TSG_TCPALL_CONTEXT");
return -1;
}
g_tsg_para.gather_app_project_id=project_producer_register("APP_IDENTIFY_RESULT", PROJECT_VAL_TYPE_STRUCT, free_gather_app_result);
if(g_tsg_para.gather_app_project_id<0)
{
@@ -1680,6 +1656,23 @@ extern "C" int TSG_MASTER_INIT()
return -1;
}
char page_path[256];
memset(page_path, 0, sizeof(page_path));
MESA_load_profile_string_def(tsg_conffile, "HTTP_PLUG", "PAGE403", page_path, sizeof(page_path), "./tsgconf/HTTP403.html");
g_tsg_para.tpl_403 = ctemplate::Template::GetTemplate(page_path, ctemplate::DO_NOT_STRIP);
memset(page_path, 0, sizeof(page_path));
MESA_load_profile_string_def(tsg_conffile, "HTTP_PLUG", "PAGE404", page_path, sizeof(page_path), "./tsgconf/HTTP404.html");
g_tsg_para.tpl_404 = ctemplate::Template::GetTemplate(page_path, ctemplate::DO_NOT_STRIP);
memset(page_path, 0, sizeof(page_path));
MESA_load_profile_string_def(tsg_conffile, "HTTP_PLUG", "PAGE200", page_path, sizeof(page_path), "./tsgconf/HTTP200.html");
g_tsg_para.tpl_200 = ctemplate::Template::GetTemplate(page_path, ctemplate::DO_NOT_STRIP);
memset(page_path, 0, sizeof(page_path));
MESA_load_profile_string_def(tsg_conffile, "HTTP_PLUG", "PAGE204", page_path, sizeof(page_path), "./tsgconf/HTTP204.html");
g_tsg_para.tpl_204 = ctemplate::Template::GetTemplate(page_path, ctemplate::DO_NOT_STRIP);
ret=tsg_rule_init(tsg_conffile, g_tsg_para.logger);
if(ret<0)
{
@@ -1741,7 +1734,7 @@ extern "C" int TSG_MASTER_INIT()
for(i=0; i<thread_num; i++)
{
FS_operate(g_tsg_para.fs2_handle,g_tsg_log_instance ->fs_status_ids[i], 0, FS_OP_SET, g_tsg_log_instance->send_log_percent[i]);
FS_operate(g_tsg_para.fs2_handle, g_tsg_log_instance->fs_status_ids[i], 0, FS_OP_SET, g_tsg_log_instance->send_log_percent[i]);
}
ret=tsg_statistic_init(tsg_conffile, g_tsg_para.logger);
@@ -1760,7 +1753,12 @@ extern "C" int TSG_MASTER_INIT()
MESA_handle_runtime_log(g_tsg_para.logger, RLOG_LV_FATAL, "INIT_GTP_HASH", "tsg_gtp_signaling_hash_init failed ...");
return -1;
}
ret=tsg_send_raw_packet_init(tsg_conffile, g_tsg_para.logger);
if(ret<0)
{
return -1;
}
return 0;
}

45
src/tsg_entry.h
View File

@@ -3,12 +3,14 @@
#include <MESA/Maat_rule.h>
#include <MESA/field_stat2.h>
#include <ctemplate/template.h>
#include "uthash.h"
#include "tsg_rule.h"
#include "app_label.h"
#include "tsg_label.h"
#include "tsg_statistic.h"
#include "tsg_traffic_mirror.h"
#if(__GNUC__ * 100 + __GNUC_MINOR__ * 10 + __GNUC_PATCHLEVEL__ >= 411)
#define atomic_inc(x) __sync_add_and_fetch((x),1)
@@ -60,6 +62,7 @@ enum MASTER_TABLE{
TABLE_GTP_APN,
TABLE_GTP_IMSI,
TABLE_GTP_PHONE_NUMBER,
TABLE_RESPONSE_PAGES,
TABLE_MAX
};
@@ -84,6 +87,12 @@ enum TSG_FS2_TYPE{
TSG_FS2_APP_Q_RESULT,
TSG_FS2_APP_USER_RESULT,
TSG_FS2_APP_BUILT_IN_RESULT,
TSG_FS2_INJECT_PKT_SUCCESS,
TSG_FS2_INJECT_PKT_FAILED,
TSG_FS2_MIRRORED_PKT_SUCCESS,
TSG_FS2_MIRRORED_PKT_FAILED,
TSG_FS2_MIRRORED_BYTE_SUCCESS,
TSG_FS2_MIRRORED_BYTE_FAILED,
TSG_FS2_MAX
};
@@ -99,6 +108,12 @@ enum TSG_ATTRIBUTE_TYPE
_MAX_TSG_ATTRIBUTE_TYPE
};
enum HTTP_RESPONSE_FORMAT
{
HTTP_RESPONSE_FORMAT_TEMPLATE=0,
HTTP_RESPONSE_FORMAT_HTML
};
struct _str2index
{
int index;
@@ -127,6 +142,16 @@ struct _fqdn_category_t
char fqdn[MAX_DOAMIN_LEN/8];
};
struct http_response_pages
{
int profile_id;
int content_len;
int ref_cnt;
enum HTTP_RESPONSE_FORMAT format;
char *content;
};
struct master_context
{
tsg_protocol_t proto;
@@ -139,10 +164,17 @@ struct master_context
struct timespec last_scan_time;
};
struct tcpall_context
{
int vlan_id_num;
int vlan_id[MAX_RESULT_NUM];
};
#define _MAX_TABLE_NAME_LEN 64
typedef struct _tsg_para
{
int level;
int level;
short mirror_switch;
unsigned short timeout;
int app_dict_field_num;
int device_id;
@@ -158,6 +190,7 @@ typedef struct _tsg_para
int priority_project_id;
int internal_project_id;
int context_project_id;
int tcpall_project_id;
int linkinfo_project_id;
int gather_app_project_id;
int app_bridge_id;
@@ -172,6 +205,10 @@ typedef struct _tsg_para
screen_stat_handle_t fs2_handle;
struct l7_protocol *name_by_id;
struct l7_protocol *id_by_name;
struct traffic_mirror *mirror_handle;
ctemplate::Template *tpl_403,*tpl_404;
ctemplate::Template *tpl_200,*tpl_204;
ctemplate::Template *tpl_303;
}g_tsg_para_t;
extern g_tsg_para_t g_tsg_para;
@@ -261,6 +298,7 @@ typedef struct _tsg_statistic
int tsg_statistic_init(const char *conffile, void *logger);
int tsg_gtp_signaling_hash_init(const char* conffile, void *logger);
int tsg_send_raw_packet_init(const char* conffile, void *logger);
//parent_app_name.app_name
int tsg_app_id2name(int app_id, char *app_name, int app_name_len, int is_joint_parent);
@@ -269,7 +307,10 @@ void location_free_data(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, void*
void ASN_free_data(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp);
void subscribe_id_free_data(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp);
void app_id_dict_free_data(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp);
void http_response_pages_free(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp);
int set_vlan_id_to_project(const struct streaminfo *a_stream, struct tcpall_context *context, int *vlan_id, int vlan_id_num, int thread_seq);
void security_compile_free(int idx, const struct Maat_rule_t* rule, const char* srv_def_large, MAAT_RULE_EX_DATA* ad, long argl, void *argp);
struct Maat_rule_t *tsg_policy_decision_criteria(struct streaminfo *a_stream, Maat_rule_t *result, int result_num, int thread_seq);
int tsg_scan_addr(Maat_feather_t maat_feather, const struct streaminfo *a_stream, tsg_protocol_t proto, scan_status_t *mid, Maat_rule_t*result, int result_num);
int tsg_scan_shared_policy(Maat_feather_t maat_feather, const struct streaminfo *a_stream, char *domain, Maat_rule_t *result, int result_num, scan_status_t *mid, int table_id, int thread_seq);
@@ -282,5 +323,7 @@ int tsg_scan_gtp_phone_number_policy(Maat_feather_t maat_feather, const struct s
int tsg_get_ip_location(const struct streaminfo *a_stream, int table_id, MAAT_PLUGIN_EX_DATA *client_location, MAAT_PLUGIN_EX_DATA *server_location);
int tsg_get_ip_asn(const struct streaminfo *a_stream, int table_id, MAAT_PLUGIN_EX_DATA* client_asn, MAAT_PLUGIN_EX_DATA* server_asn);
int tsg_get_subscribe_id(const struct streaminfo *a_stream, struct _subscribe_id_info_t **source_subscribe_id, struct _subscribe_id_info_t **dest_subscribe_id);
int tsg_send_raw_packet(const struct streaminfo *a_stream, int *vlan_id, int vlan_id_num, int thread_seq);
int tsg_get_vlan_id_by_monitor_rule(Maat_feather_t maat_feather, struct Maat_rule_t *result, int result_num, int *vlan_id, int vlan_id_num);
#endif

457
src/tsg_rule.cpp
View File

@@ -37,7 +37,8 @@ const struct _str2index method2index[TSG_METHOD_TYPE_MAX]={ {TSG_METHOD_TYPE_UNK
{TSG_METHOD_TYPE_REDIRECTION, 8, (char *)"redirect"},
{TSG_METHOD_TYPE_BLOCK, 5, (char *)"block"},
{TSG_METHOD_TYPE_RESET, 3, (char *)"rst"},
{TSG_METHOD_TYPE_ALERT, 5, (char *)"alert"}
{TSG_METHOD_TYPE_ALERT, 5, (char *)"alert"},
{TSG_METHOD_TYPE_ALERT, 10, (char *)"rate_limit"}
};
static char* str_unescape(char* s)
@@ -556,75 +557,170 @@ void app_id_dict_free_data(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, voi
return;
}
void security_compile_new(int idx, const struct Maat_rule_t* rule, const char* srv_def_large, MAAT_RULE_EX_DATA* ad, long argl, void *argp)
{
int len=0;
cJSON *object=NULL, *item=NULL;
struct compile_user_region *user_region=NULL;
if(rule!=NULL)
static int get_string_from_json(cJSON *object, const char *key, char **value)
{
if(object==NULL || key==NULL)
{
if(srv_def_large!=NULL && strlen(srv_def_large)>2)
{
object=cJSON_Parse(srv_def_large);
if(object!=NULL)
{
user_region=(struct compile_user_region *)calloc(1, sizeof(struct compile_user_region));
atomic_inc(&user_region->ref_cnt);
return 0;
}
int len=0;
cJSON *item=cJSON_GetObjectItem(object, key);
if(item!=NULL)
{
len=strlen(item->valuestring);
(*value)=(char *)malloc(len+1);
memcpy((*value), item->valuestring, len);
(*value)[len]='\0';
item=cJSON_GetObjectItem(object, "method");
if(item!=NULL)
{
len=MIN(strlen(item->valuestring), sizeof(user_region->method)-1);
memcpy(user_region->method, item->valuestring, len);
}
return 1;
}
item=cJSON_GetObjectItem(object, "protocol");
if(item!=NULL)
{
len=MIN(strlen(item->valuestring), sizeof(user_region->protocol)-1);
memcpy(user_region->protocol, item->valuestring, len);
}
return 0;
}
item=cJSON_GetObjectItem(object, "message");
if(item!=NULL)
{
len=strlen(item->valuestring)+1;
user_region->message=(char *)calloc(1, len);
memcpy(user_region->message, item->valuestring, len-1);
}
static int get_integer_from_json(cJSON *object, const char *key, int *value)
{
if(object==NULL || key==NULL || (value)==NULL)
{
return 0;
}
cJSON *item=cJSON_GetObjectItem(object, key);
if(item!=NULL)
{
(*value)=item->valueint;
return 1;
}
item=cJSON_GetObjectItem(object, "code");
if(item!=NULL)
{
user_region->code=item->valueint;
}
return 0;
}
item=cJSON_GetObjectItem(object, "html_profile");
if(item!=NULL)
{
user_region->html_profile=item->valueint;
}
static struct compile_user_region *parse_monitor_user_region(cJSON *object)
{
cJSON *mirror_item=NULL;
struct compile_user_region *user_region=(struct compile_user_region *)calloc(1, sizeof(struct compile_user_region));
mirror_item=cJSON_GetObjectItem(object, "packet_mirror");
if(mirror_item)
{
user_region->mirror=(struct monitor_user_region *)calloc(1, sizeof(struct monitor_user_region));
get_integer_from_json(mirror_item, "enable", &(user_region->mirror->enabled));
get_integer_from_json(mirror_item, "mirror_vlan", &(user_region->mirror->mirror_vlan_id));
}
cJSON_Delete(object);
object=NULL;
}
}
return user_region;
}
if(g_tsg_para.default_compile_switch==1 && g_tsg_para.default_compile_id==rule->config_id)
{
if(user_region==NULL)
static struct compile_user_region *parse_deny_user_region(cJSON *object)
{
int ret=0;
cJSON *item=NULL;
struct compile_user_region *user_region=(struct compile_user_region *)calloc(1, sizeof(struct compile_user_region));
item=cJSON_GetObjectItem(object, "method");
if(item!=NULL)
{
user_region->method_type=(TSG_METHOD_TYPE)tsg_get_method_id(item->valuestring);
}
switch(user_region->method_type)
{
case TSG_METHOD_TYPE_ALERT:
case TSG_METHOD_TYPE_BLOCK:
user_region->deny=(struct deny_user_region *)calloc(1, sizeof(struct deny_user_region));
get_integer_from_json(object, "code", &(user_region->deny->code));
ret=get_integer_from_json(object, "html_profile", &(user_region->deny->profile_id));
if(ret==1)
{
user_region=(struct compile_user_region *)calloc(1, sizeof(struct compile_user_region));
atomic_inc(&user_region->ref_cnt);
user_region->deny->type=TSG_DENY_TYPE_PROFILE;
break;
}
user_region->result=(struct Maat_rule_t *)calloc(1, sizeof(struct Maat_rule_t));
memcpy(user_region->result, rule, sizeof(struct Maat_rule_t));
}
*ad=(MAAT_RULE_EX_DATA)user_region;
ret=get_string_from_json(object, "message", &(user_region->deny->message));
if(ret==1)
{
user_region->deny->type=TSG_DENY_TYPE_MESSAGE;
break;
}
user_region->deny->type=TSG_DENY_TYPE_MAX;
break;
case TSG_METHOD_TYPE_REDIRECTION:
user_region->deny=(struct deny_user_region *)calloc(1, sizeof(struct deny_user_region));
get_integer_from_json(object, "code", &(user_region->deny->code));
ret=get_string_from_json(object, "redirect_url", &(user_region->deny->redirect_url_to));
if(ret==1)
{
user_region->deny->type=TSG_DENY_TYPE_REDIRECT_TO;
break;
}
ret=get_string_from_json(object, "to", &(user_region->deny->redirect_url_to));
if(ret==1)
{
user_region->deny->type=TSG_DENY_TYPE_REDIRECT_TO;
break;
}
break;
case TSG_METHOD_TYPE_RATE_LINIT:
user_region->deny=(struct deny_user_region *)calloc(1, sizeof(struct deny_user_region));
get_integer_from_json(object, "bytes_per_sec", &(user_region->deny->bytes_per_sec));
break;
case TSG_METHOD_TYPE_DROP:
case TSG_METHOD_TYPE_RESET:
break;
default:
break;
}
return user_region;
}
void security_compile_new(int idx, const struct Maat_rule_t* rule, const char* srv_def_large, MAAT_RULE_EX_DATA* ad, long argl, void *argp)
{
cJSON *object=NULL;
struct compile_user_region *user_region=NULL;
if(rule==NULL)
{
return ;
}
if(srv_def_large!=NULL && strlen(srv_def_large)>2)
{
object=cJSON_Parse(srv_def_large);
if(object!=NULL)
{
switch(rule->action)
{
case TSG_ACTION_DENY:
user_region=parse_deny_user_region(object);
atomic_inc(&user_region->ref_cnt);
break;
case TSG_ACTION_MONITOR:
user_region=parse_monitor_user_region(object);
atomic_inc(&user_region->ref_cnt);
break;
default:
break;
}
cJSON_Delete(object);
object=NULL;
}
}
if(g_tsg_para.default_compile_switch==1 && g_tsg_para.default_compile_id==rule->config_id)
{
if(user_region==NULL)
{
user_region=(struct compile_user_region *)calloc(1, sizeof(struct compile_user_region));
atomic_inc(&user_region->ref_cnt);
}
user_region->result=(struct Maat_rule_t *)calloc(1, sizeof(struct Maat_rule_t));
memcpy(user_region->result, rule, sizeof(struct Maat_rule_t));
}
*ad=(MAAT_RULE_EX_DATA)user_region;
return ;
}
@@ -639,32 +735,183 @@ void security_compile_dup(int idx, MAAT_RULE_EX_DATA *to, MAAT_RULE_EX_DATA *fro
}
}
static void free_deny_user_region(struct deny_user_region *deny)
{
if(deny==NULL)
{
return ;
}
switch(deny->type)
{
case TSG_DENY_TYPE_MESSAGE:
case TSG_DENY_TYPE_REDIRECT_TO:
if(deny->para)
{
free(deny->para);
deny->para=NULL;
}
break;
default:
break;
}
}
void security_compile_free(int idx, const struct Maat_rule_t* rule, const char* srv_def_large, MAAT_RULE_EX_DATA* ad, long argl, void *argp)
{
struct compile_user_region *user_region=(struct compile_user_region *)(*ad);
if(user_region!=NULL)
if(user_region==NULL)
{
atomic_dec(&user_region->ref_cnt);
if(user_region->ref_cnt<=0)
{
if(user_region->message!=NULL)
{
free(user_region->message);
user_region->message=NULL;
}
return ;
}
atomic_dec(&user_region->ref_cnt);
if(user_region->ref_cnt>0)
{
return ;
}
switch(user_region->method_type)
{
case TSG_METHOD_TYPE_ALERT:
case TSG_METHOD_TYPE_BLOCK:
case TSG_METHOD_TYPE_RATE_LINIT:
case TSG_METHOD_TYPE_REDIRECTION:
free_deny_user_region(user_region->deny);
break;
default:
break;
}
if(user_region->user_region_para!=NULL)
{
free(user_region->user_region_para);
user_region->user_region_para=NULL;
}
free(*ad);
*ad=NULL;
}
if(user_region->result!=NULL)
{
free(user_region->result);
user_region->result=NULL;
}
free(*ad);
*ad=NULL;
}
static char *get_pages_content(const char *filename, int *filelen)
{
FILE *file = NULL;
long length = 0;
char *content = NULL;
size_t read_chars = 0;
file = fopen(filename, "rb");
if(file == NULL)
{
goto cleanup;
}
if(fseek(file, 0, SEEK_END) != 0)
{
goto cleanup;
}
length = ftell(file);
if(length < 0)
{
goto cleanup;
}
if(fseek(file, 0, SEEK_SET) != 0)
{
goto cleanup;
}
content = (char*)malloc((size_t)length + sizeof(""));
if(content == NULL)
{
goto cleanup;
}
read_chars = fread(content, sizeof(char), (size_t)length, file);
if ((long)read_chars != length)
{
free(content);
content = NULL;
goto cleanup;
}
*filelen = read_chars;
content[read_chars] = '\0';
cleanup:
if (file != NULL)
{
fclose(file);
}
return content;
}
void http_response_pages_dup(int table_id, MAAT_PLUGIN_EX_DATA *to, MAAT_PLUGIN_EX_DATA *from, long argl, void* argp)
{
struct http_response_pages *res_pages=(struct http_response_pages *)*from;
if(*from!=NULL)
{
*to=*from;
atomic_inc(&res_pages->ref_cnt);
}
}
void http_response_pages_new(int table_id, const char* key, const char* table_line, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp)
{
int ret=0;
void *logger=argp;
int is_valid;
char format[256]={0};
char path[1024]={0};
char profile_name[256]={0};
struct http_response_pages *res_pages=NULL;
res_pages=(struct http_response_pages *)calloc(1, sizeof(struct http_response_pages));
ret=sscanf(table_line, "%d\t%s\t%s\t%s\t%d", &res_pages->profile_id, profile_name, format, path, &is_valid);
if(ret!=5)
{
free(res_pages);
res_pages=NULL;
if(logger!=NULL)
{
MESA_handle_runtime_log(logger,
RLOG_LV_FATAL,
"RESPONSE_PAGES",
"Parse response pages failed, ret: %d table_id: %d key: %s table_line: %s",
ret,
table_id,
key,
table_line
);
}
return;
}
if((strncasecmp(format, "template", strlen(format)))==0)
{
res_pages->format=HTTP_RESPONSE_FORMAT_TEMPLATE;
}
else
{
res_pages->format=HTTP_RESPONSE_FORMAT_HTML;
}
atomic_inc(&res_pages->ref_cnt);
res_pages->content=get_pages_content(path, &res_pages->content_len);
*ad=(MAAT_PLUGIN_EX_DATA)res_pages;
}
void http_response_pages_free(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp)
{
struct http_response_pages *res_pages=(struct http_response_pages *)*ad;
atomic_dec(&res_pages->ref_cnt);
if(res_pages->ref_cnt<=0)
{
free(res_pages->content);
free(*ad);
*ad=NULL;
}
}
static int get_fqdn_category_id(Maat_feather_t maat_feather, int table_id, char *fqdn, unsigned int *category_id, int category_id_num, void *logger, int thread_seq)
{
@@ -858,6 +1105,8 @@ int tsg_rule_init(const char* conffile, void *logger)
MESA_load_profile_string_def(conffile, "MAAT", "GTP_APN", g_tsg_para.table_name[TABLE_GTP_APN], _MAX_TABLE_NAME_LEN, "TSG_FILED_GTP_APN");
MESA_load_profile_string_def(conffile, "MAAT", "GTP_IMSI", g_tsg_para.table_name[TABLE_GTP_IMSI], _MAX_TABLE_NAME_LEN, "TSG_FILED_GTP_IMSI");
MESA_load_profile_string_def(conffile, "MAAT", "GTP_PHONE_NUMBER", g_tsg_para.table_name[TABLE_GTP_PHONE_NUMBER], _MAX_TABLE_NAME_LEN, "TSG_FILED_GTP_PHONE_NUMBER");
MESA_load_profile_string_def(conffile, "MAAT", "GTP_PHONE_NUMBER", g_tsg_para.table_name[TABLE_GTP_PHONE_NUMBER], _MAX_TABLE_NAME_LEN, "TSG_FILED_GTP_PHONE_NUMBER");
MESA_load_profile_string_def(conffile, "MAAT", "RESPONSE_PAGES_TABLE", g_tsg_para.table_name[TABLE_RESPONSE_PAGES], _MAX_TABLE_NAME_LEN, "TSG_PROFILE_RESPONSE_PAGES");
//init static maat feather
g_tsg_maat_feather=init_maat_feather(maat_conffile, (char *)"TSG_STATIC", (char *)"STATIC", logger);
@@ -980,6 +1229,25 @@ int tsg_rule_init(const char* conffile, void *logger)
);
return -1;
}
ret=Maat_plugin_EX_register(g_tsg_maat_feather,
g_tsg_para.table_id[TABLE_RESPONSE_PAGES],
http_response_pages_new,
http_response_pages_free,
http_response_pages_dup,
NULL,
0,
logger);
if(ret<0)
{
MESA_handle_runtime_log(logger,
RLOG_LV_FATAL,
"RESPONSE_PAGES",
"Maat_plugin_EX_register failed, table_name: %s table_id: %d",
g_tsg_para.table_name[TABLE_RESPONSE_PAGES],
g_tsg_para.table_id[TABLE_RESPONSE_PAGES]);
return -1;
}
//init dynamic maat feather
g_tsg_dynamic_maat_feather=init_maat_feather(maat_conffile, (char *)"TSG_DYNAMIC", (char *)"DYNAMIC", logger);
@@ -1778,3 +2046,40 @@ int tsg_app_id2name(int app_id, char *app_name, int app_name_len, int is_joint_p
return offset;
}
int tsg_free_compile_user_region(const struct Maat_rule_t *rule, struct compile_user_region *user_region)
{
security_compile_free(0, rule, NULL , (MAAT_RULE_EX_DATA *)&user_region, 0, NULL);
return 0;
}
struct compile_user_region *tsg_get_compile_user_region(const Maat_feather_t maat_feather, struct Maat_rule_t *result)
{
return ((struct compile_user_region *)Maat_rule_get_ex_data(g_tsg_maat_feather, result, g_tsg_para.table_id[TABLE_SECURITY_COMPILE]));
}
int tsg_get_vlan_id_by_monitor_rule(Maat_feather_t maat_feather, struct Maat_rule_t *result, int result_num, int *vlan_id, int vlan_id_num)
{
int i=0,count=0;
struct compile_user_region *user_region=NULL;
for(i=0; i<result_num && count<vlan_id_num; i++)
{
if(result[i].action!=TSG_ACTION_MONITOR)
{
continue;
}
user_region=tsg_get_compile_user_region(maat_feather, &(result[i]));
if(user_region!=NULL)
{
vlan_id[count++]=user_region->mirror->mirror_vlan_id;
tsg_free_compile_user_region(&(result[i]), user_region);
user_region=NULL;
}
}
return count;
}

2
src/tsg_send_log_internal.h
View File

@@ -105,6 +105,8 @@ typedef enum _tsg_log_field_id
LOG_COMMON_GTP_IMEI,
LOG_COMMON_GTP_MSISDN, //PHONE_NUMBER
LOG_COMMON_USERDEFINE_APP,
LOG_COMMON_MIRRORED_PKTS,
LOG_COMMON_MIRRORED_BYTES,
LOG_COMMON_MAX
}tsg_log_field_id_t;

107
src/tsg_send_raw_packet.cpp Normal file
View File

@@ -0,0 +1,107 @@
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <MESA/MESA_prof_load.h>
#include <MESA/MESA_handle_logger.h>
#include "tsg_rule.h"
#include "tsg_entry.h"
static int send_raw_packet(struct traffic_mirror *ttm,char * pkt_ptr,int pkt_len,int *vlan_array,int vlan_num,int thread_seq)
{
int ret=tsg_traffic_mirror_send_burst(ttm, (char *)pkt_ptr, pkt_len, vlan_array, vlan_num, thread_seq);
if(ret==TRRAFFIC_MIRROR_SEND_SUCCESS)
{
FS_operate(g_tsg_para.fs2_handle, g_tsg_para.fs2_field_id[TSG_FS2_MIRRORED_PKT_SUCCESS], 0, FS_OP_ADD, 1);
FS_operate(g_tsg_para.fs2_handle, g_tsg_para.fs2_field_id[TSG_FS2_MIRRORED_BYTE_SUCCESS], 0, FS_OP_ADD, pkt_len);
}
else
{
FS_operate(g_tsg_para.fs2_handle, g_tsg_para.fs2_field_id[TSG_FS2_MIRRORED_PKT_FAILED], 0, FS_OP_ADD, 1);
FS_operate(g_tsg_para.fs2_handle, g_tsg_para.fs2_field_id[TSG_FS2_MIRRORED_BYTE_FAILED], 0, FS_OP_ADD, pkt_len);
return -1;
}
return 0;
}
int tsg_send_raw_packet(const struct streaminfo *a_stream, int *vlan_id, int vlan_id_num, int thread_seq)
{
int ret=0;
void *p_eth_rawpkt=NULL;
int eth_rawpkt_len=0;
raw_ipfrag_list_t *frag_pkt=NULL;
if(g_tsg_para.mirror_switch==0)
{
return 0;
}
ret=get_rawpkt_opt_from_streaminfo(a_stream, RAW_PKT_GET_DATA, &p_eth_rawpkt);
switch(0)
{
case 0:
ret=get_rawpkt_opt_from_streaminfo(a_stream, RAW_PKT_GET_TOT_LEN, &eth_rawpkt_len);
if(ret<0)
{
break;
}
send_raw_packet(g_tsg_para.mirror_handle, (char *)p_eth_rawpkt, eth_rawpkt_len, vlan_id, vlan_id_num, thread_seq);
break;
case 1:
frag_pkt=(raw_ipfrag_list_t *)p_eth_rawpkt;
while(frag_pkt)
{
send_raw_packet(g_tsg_para.mirror_handle, (char *)(frag_pkt->frag_packet), frag_pkt->pkt_len, vlan_id, vlan_id_num, thread_seq);
frag_pkt = frag_pkt->next;
}
break;
default:
break;
}
return 0;
}
int tsg_notify_hited_monitor_result(const struct streaminfo *a_stream, struct Maat_rule_t *result, int result_num, int thread_seq)
{
if(g_tsg_para.mirror_switch==0)
{
return 0;
}
int vlan_id_num=0;
int vlan_id[MAX_RESULT_NUM]={0};
struct tcpall_context *context=NULL;
vlan_id_num=tsg_get_vlan_id_by_monitor_rule(g_tsg_maat_feather, result, result_num, vlan_id, MAX_RESULT_NUM);
if(vlan_id_num<=0)
{
return 0;
}
set_vlan_id_to_project(a_stream, context, vlan_id, vlan_id_num, thread_seq);
return 1;
}
int tsg_send_raw_packet_init(const char* conffile, void *logger)
{
MESA_load_profile_short_def(conffile, "TRAFFIC_MIRROR", "TRAFFIC_MIRROR_ENABLE", &g_tsg_para.mirror_switch, 0);
if(g_tsg_para.mirror_switch==0)
{
return 0;
}
g_tsg_para.mirror_handle=tsg_traffic_mirror_init(conffile, g_tsg_para.logger);
if(g_tsg_para.mirror_handle==NULL)
{
return -1;
}
return 0;
}

167
src/tsg_traffic_mirror.cpp Normal file
View File

@@ -0,0 +1,167 @@
#include <marsio.h>
#include <stdio.h>
#include <assert.h>
#include <stdlib.h>
#include <pthread.h>
#include <unistd.h>
#include <stream.h>
#include <MESA/MESA_prof_load.h>
#include <MESA/MESA_handle_logger.h>
#include "tsg_traffic_mirror.h"
#define BURST_MAX 64
#define PREDICT_FALSE(x) __builtin_expect((x),0)
#define PREDICT_TRUE(x) __builtin_expect((x),1)
struct traffic_mirror
{
struct mr_instance * mr_instance;
struct mr_vdev * dev_handler;
struct mr_sendpath * to_dev_sendpath;
char app_name[64];
char nic_name[32];
int nr_thread;
int default_vlan_id;
};
struct traffic_mirror *tsg_traffic_mirror_init(const char *conffile, void *logger)
{
int ret=0,traffic_mirror_enable=TRRAFFIC_MIRROR_DISABLE;
struct traffic_mirror *ttm = NULL;
ttm=(struct traffic_mirror *)calloc(1, sizeof(struct traffic_mirror));
if (conffile == NULL)
{
MESA_handle_runtime_log(logger, RLOG_LV_FATAL, "TSG_TRAFFIC_MIRROR", "Conffile Path Is Null !!!");
goto init_error;
}
MESA_load_profile_int_def(conffile, "TRAFFIC_MIRROR", "TRAFFIC_MIRROR_ENABLE", &traffic_mirror_enable, 0);
if (traffic_mirror_enable != TRRAFFIC_MIRROR_ENABLE)
{
MESA_handle_runtime_log(logger, RLOG_LV_FATAL, "TSG_TRAFFIC_MIRROR", "Traffic Mirror Is Disable !!!");
goto init_error;
}
MESA_load_profile_string_def(conffile, "TRAFFIC_MIRROR", "NIC_NAME", ttm->nic_name, sizeof(ttm->nic_name), "lo");
if (ttm->nic_name == NULL)
{
MESA_handle_runtime_log(logger, RLOG_LV_FATAL, "TSG_TRAFFIC_MIRROR", "Traffic Mirror Cfg No Setting Nic Name !!!");
goto init_error;
}
MESA_load_profile_string_def(conffile, "TRAFFIC_MIRROR", "APP_NAME", ttm->app_name, sizeof(ttm->app_name),"tsg_traffic_mirror");
MESA_load_profile_int_def(conffile, "TRAFFIC_MIRROR", "DEFAULT_VLAN_ID", &ttm->default_vlan_id, 0);
ttm->mr_instance = marsio_create();
if (ttm->mr_instance == NULL)
{
MESA_handle_runtime_log(logger, RLOG_LV_FATAL, "TSG_TRAFFIC_MIRROR", "Marsion Create Error !!!");
goto init_error;
}
ret = marsio_init(ttm->mr_instance, ttm->app_name);
if (ret < 0)
{
MESA_handle_runtime_log(logger, RLOG_LV_FATAL, "TSG_TRAFFIC_MIRROR", "Marsion Init Error !!!");
goto init_error;
}
ttm->nr_thread = get_thread_count();
if (ttm->nr_thread <= 0)
{
MESA_handle_runtime_log(logger, RLOG_LV_FATAL, "TSG_TRAFFIC_MIRROR", "Get Thread Count Error :%d",ttm->nr_thread);
goto init_error;
}
ttm->dev_handler = marsio_open_device(ttm->mr_instance, ttm->nic_name, 0, ttm->nr_thread);
if (ttm->dev_handler == NULL)
{
MESA_handle_runtime_log(logger, RLOG_LV_FATAL, "TSG_TRAFFIC_MIRROR", "Marsion Open Device Error :%s",ttm->nic_name);
goto init_error;
}
ttm->to_dev_sendpath = marsio_sendpath_create_by_vdev(ttm->dev_handler);
if (ttm->to_dev_sendpath == NULL)
{
MESA_handle_runtime_log(logger, RLOG_LV_FATAL, "TSG_TRAFFIC_MIRROR", "Marsion Create Sendpath Error !!!");
goto init_error;
}
return ttm;
init_error:
if (ttm->mr_instance != NULL)
{
marsio_destory(ttm->mr_instance);
}
free(ttm);
return NULL;
}
int tsg_traffic_mirror_send_burst(struct traffic_mirror *ttm,char * pkt_ptr,int pkt_len,int *vlan_array,int vlan_num,int thread_seq)
{
int i=0,ret=0,tx_buffer_num=0;
marsio_buff_t * tx_buff[BURST_MAX];
int *vlan_tag_array = NULL;
if (PREDICT_FALSE((ttm == NULL) || (ttm->to_dev_sendpath == NULL)))
{
return SEND_ERROR_NOT_INIT;
}
if (PREDICT_FALSE(thread_seq >= ttm->nr_thread))
{
return SEND_ERROR_THREAD_SEQ_ERR;
}
if (PREDICT_FALSE(pkt_ptr == NULL))
{
return SEND_ERROR_PKT_BUFFER_IS_NULL;
}
if (PREDICT_FALSE(pkt_len == 0))
{
return SEND_ERROR_PKT_LEN_ERROR;
}
if (PREDICT_FALSE(vlan_num > BURST_MAX))
{
return SEND_ERROR_VLAN_NUM_EXCEED_BURST_MAX;
}
if (PREDICT_FALSE((vlan_num <= 1) || (vlan_array == NULL)))
{
tx_buffer_num = 1;
vlan_tag_array = &ttm->default_vlan_id;
}
else
{
tx_buffer_num = vlan_num;
vlan_tag_array = vlan_array;
}
ret = marsio_buff_malloc_global(ttm->mr_instance, tx_buff, tx_buffer_num, MARSIO_SOCKET_ID_ANY, MARSIO_LCORE_ID_ANY);
if (PREDICT_FALSE(ret < 0 ))
{
return SEND_ERROR_BUFF_MALLOC_ERROR;
}
for (i = 0; i < tx_buffer_num; i++)
{
unsigned int vlan_id = vlan_tag_array[i];
marsio_buff_t * tx_buff_ptr = tx_buff[i];
char * tx_buff_begin = marsio_buff_append(tx_buff_ptr, pkt_len);
memcpy(tx_buff_begin, pkt_ptr, pkt_len);
marsio_buff_set_metadata(tx_buff_ptr,MR_BUFF_METADATA_VLAN_TCI,&vlan_id,sizeof(vlan_id));
}
ret = marsio_send_burst_with_options(ttm->to_dev_sendpath, thread_seq, tx_buff, tx_buffer_num, MARSIO_SEND_OPT_FAST);
if (PREDICT_FALSE(ret < 0))
{
return TRRAFFIC_MIRROR_SEND_ERROR_DROP;
}
return TRRAFFIC_MIRROR_SEND_SUCCESS;
}

23
src/tsg_traffic_mirror.h Normal file
View File

@@ -0,0 +1,23 @@
#ifndef __TSG_TRAFFIC_MIRROR_H__
#define __TSG_TRAFFIC_MIRROR_H__
#define TRRAFFIC_MIRROR_DISABLE 0
#define TRRAFFIC_MIRROR_ENABLE 1
#define TRRAFFIC_MIRROR_SEND_SUCCESS 0
#define SEND_ERROR_NOT_INIT -1
#define SEND_ERROR_THREAD_SEQ_ERR -2
#define SEND_ERROR_PKT_BUFFER_IS_NULL -3
#define SEND_ERROR_PKT_LEN_ERROR -4
#define SEND_ERROR_VLAN_BUFFER_IS_NULL -5
#define SEND_ERROR_VLAN_NUM_ERROR -6
#define SEND_ERROR_VLAN_NUM_EXCEED_BURST_MAX -7
#define SEND_ERROR_BUFF_MALLOC_ERROR -8
#define TRRAFFIC_MIRROR_SEND_ERROR_DROP -9
struct traffic_mirror;
struct traffic_mirror *tsg_traffic_mirror_init(const char *conffile, void *logger);
int tsg_traffic_mirror_send_burst(struct traffic_mirror *ttm,char * pkt_ptr,int pkt_len,int *vlan_array,int vlan_num,int thread_seq);
#endif

17
support/CMakeLists.txt Normal file
View File

@@ -0,0 +1,17 @@
include(ExternalProject)
### ctemplate
ExternalProject_Add(ctemplate PREFIX ctemplate
URL ${CMAKE_CURRENT_SOURCE_DIR}/ctemplate-2.3.tar.gz
URL_MD5 3b91f3c1e7aa55cb4c2957acf77d6b9a
BUILD_COMMAND sh autogen.sh
CONFIGURE_COMMAND CPPFLAGS=-fPIC ./configure --prefix=<INSTALL_DIR> CFLAGS=-fPIC CXXFLAGS=-fPIC LDFLAGS=-fPIC
BUILD_IN_SOURCE 1)
ExternalProject_Get_Property(ctemplate INSTALL_DIR)
file(MAKE_DIRECTORY ${INSTALL_DIR}/include)
add_library(ctemplate-static STATIC IMPORTED GLOBAL)
add_dependencies(ctemplate-static ctemplate)
set_property(TARGET ctemplate-static PROPERTY IMPORTED_LOCATION ${INSTALL_DIR}/lib/libctemplate.a)
set_property(TARGET ctemplate-static PROPERTY INTERFACE_INCLUDE_DIRECTORIES ${INSTALL_DIR}/include)

BIN
support/ctemplate-2.3.tar.gz Normal file
View File

Binary file not shown.