TSG-12885: 安全策略支持drop动作中包含send reset/send icmp子动作,reset动作向前兼容
@@ -64,7 +64,8 @@ struct Maat_rule_t *tsg_fetch_deny_rule(Maat_rule_t *result, int result_num);
|
|||||||
enum ACTION_RETURN_TYPE
|
enum ACTION_RETURN_TYPE
|
||||||
{
|
{
|
||||||
ACTION_RETURN_TYPE_PROT=0,
|
ACTION_RETURN_TYPE_PROT=0,
|
||||||
ACTION_RETURN_TYPE_APP
|
ACTION_RETURN_TYPE_APP,
|
||||||
|
ACTION_RETURN_TYPE_TCPALL
|
||||||
};
|
};
|
||||||
unsigned char tsg_deal_deny_action(const struct streaminfo *a_stream, Maat_rule_t *p_result, tsg_protocol_t protocol, enum ACTION_RETURN_TYPE type, const void *user_data);
|
unsigned char tsg_deal_deny_action(const struct streaminfo *a_stream, Maat_rule_t *p_result, tsg_protocol_t protocol, enum ACTION_RETURN_TYPE type, const void *user_data);
|
||||||
|
|
||||||
|
|||||||
@@ -92,17 +92,6 @@ static int set_drop_stream(const struct streaminfo *a_stream, tsg_protocol_t pro
|
|||||||
return STATE_DROPME|STATE_DROPPKT;
|
return STATE_DROPME|STATE_DROPPKT;
|
||||||
}
|
}
|
||||||
|
|
||||||
static int set_dropme_flag(const struct streaminfo *a_stream)
|
|
||||||
{
|
|
||||||
struct master_context *_context=(struct master_context *)get_struct_project(a_stream, g_tsg_para.context_project_id);
|
|
||||||
if(_context!=NULL)
|
|
||||||
{
|
|
||||||
_context->is_dropme=1;
|
|
||||||
}
|
|
||||||
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
static int get_http_header(char *buff, int len, int code, char *user_define)
|
static int get_http_header(char *buff, int len, int code, char *user_define)
|
||||||
{
|
{
|
||||||
int used_len=0;
|
int used_len=0;
|
||||||
@@ -588,7 +577,7 @@ static unsigned char do_action_reset(const struct streaminfo *a_stream, Maat_rul
|
|||||||
|
|
||||||
static unsigned char do_action_drop(const struct streaminfo *a_stream, Maat_rule_t *p_result, struct compile_user_region *user_region, tsg_protocol_t protocol, const void *a_packet)
|
static unsigned char do_action_drop(const struct streaminfo *a_stream, Maat_rule_t *p_result, struct compile_user_region *user_region, tsg_protocol_t protocol, const void *a_packet)
|
||||||
{
|
{
|
||||||
{
|
if(user_region!=NULL && user_region->deny!=NULL)
|
||||||
{
|
{
|
||||||
send_icmp_unreachable(a_stream);
|
send_icmp_unreachable(a_stream);
|
||||||
}
|
}
|
||||||
@@ -673,8 +662,7 @@ static unsigned char do_action_default_xxx(const struct streaminfo *a_stream, Ma
|
|||||||
case TSG_DENY_TYPE_DEFAULT_RST:
|
case TSG_DENY_TYPE_DEFAULT_RST:
|
||||||
do_action_reset(a_stream, p_result, protocol);
|
do_action_reset(a_stream, p_result, protocol);
|
||||||
break;
|
break;
|
||||||
break;
|
case TSG_DENY_TYPE_DROP:
|
||||||
case TSG_DENY_TYPE_SEND_ICMP:
|
|
||||||
struct compile_user_region tmp_user_region;
|
struct compile_user_region tmp_user_region;
|
||||||
tmp_user_region.deny=deny_region;
|
tmp_user_region.deny=deny_region;
|
||||||
tmp_user_region.capture.enabled=0;
|
tmp_user_region.capture.enabled=0;
|
||||||
@@ -691,25 +679,25 @@ static unsigned char do_action_default_xxx(const struct streaminfo *a_stream, Ma
|
|||||||
|
|
||||||
static unsigned char do_action_ratelimit(const struct streaminfo *a_stream, Maat_rule_t *p_result, struct compile_user_region *user_region, enum ACTION_RETURN_TYPE type)
|
static unsigned char do_action_ratelimit(const struct streaminfo *a_stream, Maat_rule_t *p_result, struct compile_user_region *user_region, enum ACTION_RETURN_TYPE type)
|
||||||
{
|
{
|
||||||
{
|
|
||||||
struct leaky_bucket *bucket=create_bucket(user_region->deny->bps, a_stream->threadnum);
|
struct leaky_bucket *bucket=create_bucket(user_region->deny->bps, a_stream->threadnum);
|
||||||
|
|
||||||
|
int ret=set_bucket_to_tcpall(a_stream, bucket, a_stream->threadnum);
|
||||||
if(ret==0)
|
if(ret==0)
|
||||||
{
|
{
|
||||||
destroy_bucket(&bucket, a_stream->threadnum);
|
destroy_bucket(&bucket, a_stream->threadnum);
|
||||||
bucket=NULL;
|
bucket=NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
set_dropme_flag(a_stream);
|
|
||||||
|
|
||||||
context=NULL;
|
|
||||||
if(type==ACTION_RETURN_TYPE_PROT)
|
if(type==ACTION_RETURN_TYPE_PROT)
|
||||||
{
|
{
|
||||||
return STATE_DROPME;
|
return STATE_DROPME;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if(type==ACTION_RETURN_TYPE_APP)
|
||||||
|
{
|
||||||
|
return STATE_DROPME|STATE_KILL_OTHER;
|
||||||
|
}
|
||||||
|
|
||||||
return STATE_GIVEME|STATE_KILL_OTHER;
|
return STATE_GIVEME|STATE_KILL_OTHER;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -851,13 +839,6 @@ static unsigned char tsg_do_deny_action(const struct streaminfo *a_stream, struc
|
|||||||
|
|
||||||
switch(method_type)
|
switch(method_type)
|
||||||
{
|
{
|
||||||
{
|
|
||||||
case TSG_METHOD_TYPE_DROP:
|
|
||||||
local_state=do_action_drop(a_stream, p_result, user_region, protocol, user_data);
|
|
||||||
if(protocol==PROTO_DNS && type==ACTION_RETURN_TYPE_APP)
|
|
||||||
{
|
|
||||||
local_state=set_drop_stream(a_stream, protocol);
|
|
||||||
}
|
|
||||||
case TSG_METHOD_TYPE_RST:
|
case TSG_METHOD_TYPE_RST:
|
||||||
case TSG_METHOD_TYPE_RESET:
|
case TSG_METHOD_TYPE_RESET:
|
||||||
local_state=do_action_reset(a_stream, p_result, protocol);
|
local_state=do_action_reset(a_stream, p_result, protocol);
|
||||||
@@ -878,24 +859,35 @@ static unsigned char tsg_do_deny_action(const struct streaminfo *a_stream, struc
|
|||||||
case TSG_METHOD_TYPE_DEFAULT:
|
case TSG_METHOD_TYPE_DEFAULT:
|
||||||
local_state=do_action_default_xxx(a_stream, p_result, user_region, protocol, user_data);
|
local_state=do_action_default_xxx(a_stream, p_result, user_region, protocol, user_data);
|
||||||
break;
|
break;
|
||||||
|
case TSG_METHOD_TYPE_DROP:
|
||||||
case TSG_METHOD_TYPE_APP_DROP:
|
case TSG_METHOD_TYPE_APP_DROP:
|
||||||
case TSG_METHOD_TYPE_APP_DROP:
|
if(user_region->deny==NULL)
|
||||||
{
|
{
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if(type!=ACTION_RETURN_TYPE_TCPALL && user_region->deny->after_n_packets>0)
|
||||||
|
{
|
||||||
|
set_protocol_to_tcpall(a_stream, protocol, a_stream->threadnum);
|
||||||
|
set_method_to_tcpall(a_stream, user_region->method_type, a_stream->threadnum);
|
||||||
|
set_after_n_packet_to_tcpall(a_stream, user_region->deny->after_n_packets, a_stream->threadnum);
|
||||||
|
tsg_set_policy_result(a_stream, PULL_FW_RESULT, p_result, protocol, a_stream->threadnum);
|
||||||
|
local_state=((type==ACTION_RETURN_TYPE_PROT) ? (STATE_DROPME) : (STATE_DROPME|STATE_KILL_OTHER));
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
local_state=do_action_drop(a_stream, p_result, user_region, protocol, user_data);
|
local_state=do_action_drop(a_stream, p_result, user_region, protocol, user_data);
|
||||||
if(protocol==PROTO_DNS && type==ACTION_RETURN_TYPE_APP)
|
if(protocol==PROTO_DNS && type==ACTION_RETURN_TYPE_APP)
|
||||||
{
|
{
|
||||||
local_state=set_drop_stream(a_stream, protocol);
|
local_state=set_drop_stream(a_stream, protocol);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if(user_region->deny->drop_para.send_icmp_enable==1)
|
||||||
{
|
{
|
||||||
local_state|=send_icmp_unreachable(a_stream);
|
local_state|=send_icmp_unreachable(a_stream);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if(user_region->deny->drop_para.send_reset_enable==1)
|
||||||
{
|
{
|
||||||
local_state|=do_action_reset(a_stream, p_result, protocol);
|
local_state|=do_action_reset(a_stream, p_result, protocol);
|
||||||
}
|
}
|
||||||
@@ -908,8 +900,7 @@ static unsigned char tsg_do_deny_action(const struct streaminfo *a_stream, struc
|
|||||||
|
|
||||||
if(method_type!=TSG_METHOD_TYPE_DEFAULT && method_type!=TSG_METHOD_TYPE_APP_DROP)
|
if(method_type!=TSG_METHOD_TYPE_DEFAULT && method_type!=TSG_METHOD_TYPE_APP_DROP)
|
||||||
{
|
{
|
||||||
{
|
set_method_to_tcpall(a_stream, (enum TSG_METHOD_TYPE)method_type, a_stream->threadnum);
|
||||||
struct tcpall_context *context=NULL;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
state=((type==ACTION_RETURN_TYPE_PROT) ? PROT_STATE_GIVEME : APP_STATE_GIVEME);
|
state=((type==ACTION_RETURN_TYPE_PROT) ? PROT_STATE_GIVEME : APP_STATE_GIVEME);
|
||||||
|
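Review bot: In the new TSG_METHOD_TYPE_DROP/TSG_METHOD_TYPE_APP_DROP branch of tsg_do_deny_action, `user_region->deny` is dereferenced before do_action_drop is ever reached, while do_action_drop's new guard `if(user_region!=NULL && user_region->deny!=NULL)` treats a NULL user_region as possible; one of the two is wrong, and if user_region can be NULL the guard is dead because the caller has already crashed — make the case guard `if(user_region==NULL || user_region->deny==NULL) { break; }`. In the same branch the return of set_method_to_tcpall is discarded, but that function (tsg_master.cpp hunk on this page) returns 0 and leaves method_type untouched when the tcpall context already carries another method, after which set_after_n_packet_to_tcpall, tsg_set_policy_result and the DROPME local_state still run as if the drop had been installed; check it, e.g. `if(set_method_to_tcpall(a_stream, user_region->method_type, a_stream->threadnum)==0) { break; }`, or at least record the refusal. Also, if that guard is the only condition around send_icmp_unreachable in do_action_drop (the hunk shows no other), the caller's later `drop_para.send_icmp_enable==1` check sends a second ICMP unreachable for the same packet and cannot switch the first one off, which defeats the sub-action this commit introduces — worth confirming against the rest of do_action_drop. The bodies of do_action_drop and tsg_do_deny_action continue outside their hunks.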
|||||||
@@ -799,7 +799,7 @@ static void free_tcpall_label(int thread_seq, void *project_req_value)
|
|||||||
return ;
|
return ;
|
||||||
}
|
}
|
||||||
|
|
||||||
static void free_policy_label(int thread_seq, void *project_req_value)
|
void free_policy_label(int thread_seq, void *project_req_value)
|
||||||
{
|
{
|
||||||
if(project_req_value!=NULL)
|
if(project_req_value!=NULL)
|
||||||
{
|
{
|
||||||
@@ -884,6 +884,7 @@ static void copy_result_to_project(const struct streaminfo *a_stream, struct mas
|
|||||||
if(priority_label==NULL)
|
if(priority_label==NULL)
|
||||||
{
|
{
|
||||||
priority_label=(struct policy_priority_label *)dictator_malloc(thread_seq, sizeof(struct policy_priority_label));
|
priority_label=(struct policy_priority_label *)dictator_malloc(thread_seq, sizeof(struct policy_priority_label));
|
||||||
|
memset(priority_label, 0, sizeof(struct policy_priority_label));
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
@@ -898,7 +899,6 @@ static void copy_result_to_project(const struct streaminfo *a_stream, struct mas
|
|||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
memset(priority_label, 0, sizeof(struct policy_priority_label));
|
|
||||||
|
|
||||||
priority_label->proto=context->proto;
|
priority_label->proto=context->proto;
|
||||||
if(context->domain!=NULL)
|
if(context->domain!=NULL)
|
||||||
@@ -1186,6 +1186,105 @@ static int set_l7_protocol_label(const struct streaminfo *a_stream, tsg_protocol
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
int set_after_n_packet_to_tcpall(const struct streaminfo *a_stream, int after_n_packets, int thread_seq)
|
||||||
|
{
|
||||||
|
struct tcpall_context *_context=(struct tcpall_context *)get_struct_project(a_stream, g_tsg_para.tcpall_project_id);
|
||||||
|
if(_context==NULL)
|
||||||
|
{
|
||||||
|
_context=(struct tcpall_context *)dictator_malloc(thread_seq, sizeof(struct tcpall_context));
|
||||||
|
memset(_context, 0, sizeof(struct tcpall_context));
|
||||||
|
set_struct_project(a_stream, g_tsg_para.tcpall_project_id, (void *)_context);
|
||||||
|
}
|
||||||
|
|
||||||
|
_context->hited_para.after_n_packets=after_n_packets;
|
||||||
|
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
int set_hited_app_id_to_tcpall(const struct streaminfo *a_stream, int hited_app_id, int thread_seq)
|
||||||
|
{
|
||||||
|
struct tcpall_context *_context=(struct tcpall_context *)get_struct_project(a_stream, g_tsg_para.tcpall_project_id);
|
||||||
|
if(_context==NULL)
|
||||||
|
{
|
||||||
|
_context=(struct tcpall_context *)dictator_malloc(thread_seq, sizeof(struct tcpall_context));
|
||||||
|
memset(_context, 0, sizeof(struct tcpall_context));
|
||||||
|
set_struct_project(a_stream, g_tsg_para.tcpall_project_id, (void *)_context);
|
||||||
|
}
|
||||||
|
|
||||||
|
_context->hited_para.hited_app_id=hited_app_id;
|
||||||
|
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
int set_protocol_to_tcpall(const struct streaminfo *a_stream, tsg_protocol_t protocol, int thread_seq)
|
||||||
|
{
|
||||||
|
struct tcpall_context *_context=(struct tcpall_context *)get_struct_project(a_stream, g_tsg_para.tcpall_project_id);
|
||||||
|
if(_context==NULL)
|
||||||
|
{
|
||||||
|
_context=(struct tcpall_context *)dictator_malloc(thread_seq, sizeof(struct tcpall_context));
|
||||||
|
memset(_context, 0, sizeof(struct tcpall_context));
|
||||||
|
set_struct_project(a_stream, g_tsg_para.tcpall_project_id, (void *)_context);
|
||||||
|
}
|
||||||
|
|
||||||
|
_context->protocol=protocol;
|
||||||
|
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
int set_method_to_tcpall(const struct streaminfo *a_stream, enum TSG_METHOD_TYPE method_type, int thread_seq)
|
||||||
|
{
|
||||||
|
struct tcpall_context *_context=(struct tcpall_context *)get_struct_project(a_stream, g_tsg_para.tcpall_project_id);
|
||||||
|
if(_context==NULL)
|
||||||
|
{
|
||||||
|
_context=(struct tcpall_context *)dictator_malloc(thread_seq, sizeof(struct tcpall_context));
|
||||||
|
memset(_context, 0, sizeof(struct tcpall_context));
|
||||||
|
set_struct_project(a_stream, g_tsg_para.tcpall_project_id, (void *)_context);
|
||||||
|
}
|
||||||
|
|
||||||
|
switch(_context->method_type)
|
||||||
|
{
|
||||||
|
case TSG_METHOD_TYPE_UNKNOWN:
|
||||||
|
case TSG_METHOD_TYPE_DEFAULT:
|
||||||
|
case TSG_METHOD_TYPE_MIRRORED:
|
||||||
|
_context->method_type=method_type;
|
||||||
|
break;
|
||||||
|
default:
|
||||||
|
return 0;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
int set_bucket_to_tcpall(const struct streaminfo *a_stream, struct leaky_bucket *bucket, int thread_seq)
|
||||||
|
{
|
||||||
|
struct tcpall_context *_context=(struct tcpall_context *)get_struct_project(a_stream, g_tsg_para.tcpall_project_id);
|
||||||
|
if(_context==NULL)
|
||||||
|
{
|
||||||
|
_context=(struct tcpall_context *)dictator_malloc(thread_seq, sizeof(struct tcpall_context));
|
||||||
|
memset(_context, 0, sizeof(struct tcpall_context));
|
||||||
|
set_struct_project(a_stream, g_tsg_para.tcpall_project_id, (void *)_context);
|
||||||
|
}
|
||||||
|
|
||||||
|
switch(_context->method_type)
|
||||||
|
{
|
||||||
|
case TSG_METHOD_TYPE_RATE_LIMIT:
|
||||||
|
return 1;
|
||||||
|
break;
|
||||||
|
case TSG_METHOD_TYPE_DEFAULT:
|
||||||
|
case TSG_METHOD_TYPE_UNKNOWN:
|
||||||
|
break;
|
||||||
|
default:
|
||||||
|
return 0;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
_context->method_type=TSG_METHOD_TYPE_RATE_LIMIT;
|
||||||
|
_context->bucket=bucket;
|
||||||
|
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
void set_session_attribute_label(const struct streaminfo *a_stream, enum TSG_ATTRIBUTE_TYPE type, void *value, int value_len, int thread_seq)
|
void set_session_attribute_label(const struct streaminfo *a_stream, enum TSG_ATTRIBUTE_TYPE type, void *value, int value_len, int thread_seq)
|
||||||
{
|
{
|
||||||
unsigned long long create_time=0;
|
unsigned long long create_time=0;
|
||||||
@@ -1707,10 +1806,8 @@ int scan_application_id_and_properties(const struct streaminfo *a_stream, struct
|
|||||||
|
|
||||||
static unsigned char master_deal_scan_result(const struct streaminfo *a_stream, struct master_context *context, struct Maat_rule_t *result, int hit_num, const void *a_packet)
|
static unsigned char master_deal_scan_result(const struct streaminfo *a_stream, struct master_context *context, struct Maat_rule_t *result, int hit_num, const void *a_packet)
|
||||||
{
|
{
|
||||||
int ret=0;
|
|
||||||
Maat_rule_t *p_result=NULL;
|
Maat_rule_t *p_result=NULL;
|
||||||
unsigned char state=APP_STATE_GIVEME;
|
unsigned char state=APP_STATE_GIVEME;
|
||||||
struct tcpall_context *tmp_tcpall_context=NULL;
|
|
||||||
|
|
||||||
p_result=tsg_policy_decision_criteria(result, hit_num);
|
p_result=tsg_policy_decision_criteria(result, hit_num);
|
||||||
if(p_result!=NULL)
|
if(p_result!=NULL)
|
||||||
@@ -1726,23 +1823,8 @@ static unsigned char master_deal_scan_result(const struct streaminfo *a_stream,
|
|||||||
context->hited_para.hited_app_id=tsg_l7_protocol_name2id(g_tsg_proto_name2id[context->proto].name);
|
context->hited_para.hited_app_id=tsg_l7_protocol_name2id(g_tsg_proto_name2id[context->proto].name);
|
||||||
}
|
}
|
||||||
|
|
||||||
if(context->hited_para.after_n_packets>0)
|
set_hited_app_id_to_tcpall(a_stream, context->hited_para.hited_app_id, a_stream->threadnum);
|
||||||
{
|
state=tsg_deny_application(a_stream, p_result, context->proto, context->hited_para.hited_app_id, ACTION_RETURN_TYPE_APP, a_packet);
|
||||||
ret=tsg_set_method_to_tcpall(a_stream, &tmp_tcpall_context, TSG_METHOD_TYPE_APP_DROP, a_stream->threadnum);
|
|
||||||
if(ret>0)
|
|
||||||
{
|
|
||||||
tmp_tcpall_context->hited_para=context->hited_para;
|
|
||||||
}
|
|
||||||
|
|
||||||
copy_result_to_project(a_stream, context, p_result, PULL_FW_RESULT, a_stream->threadnum);
|
|
||||||
context->is_dropme=1; //only tcp
|
|
||||||
state=APP_STATE_KILL_OTHER|APP_STATE_GIVEME;
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
state=tsg_deny_application(a_stream, p_result, context->proto, context->hited_para.hited_app_id, ACTION_RETURN_TYPE_APP, a_packet);
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
@@ -1779,7 +1861,7 @@ static unsigned char master_deal_scan_result(const struct streaminfo *a_stream,
|
|||||||
FS_operate(g_tsg_para.fs2_handle, g_tsg_para.fs2_field_id[TSG_FS2_BYPASS], 0, FS_OP_ADD, 1);
|
FS_operate(g_tsg_para.fs2_handle, g_tsg_para.fs2_field_id[TSG_FS2_BYPASS], 0, FS_OP_ADD, 1);
|
||||||
state=APP_STATE_GIVEME|APP_STATE_KILL_OTHER;
|
state=APP_STATE_GIVEME|APP_STATE_KILL_OTHER;
|
||||||
|
|
||||||
tsg_set_method_to_tcpall(a_stream, &tmp_tcpall_context, TSG_METHOD_TYPE_ALLOW, a_stream->threadnum);
|
set_method_to_tcpall(a_stream, TSG_METHOD_TYPE_ALLOW, a_stream->threadnum);
|
||||||
break;
|
break;
|
||||||
case TSG_ACTION_INTERCEPT:
|
case TSG_ACTION_INTERCEPT:
|
||||||
if(is_intercept_exclusion(a_stream, p_result, context->domain, a_stream->threadnum))
|
if(is_intercept_exclusion(a_stream, p_result, context->domain, a_stream->threadnum))
|
||||||
@@ -1792,7 +1874,7 @@ static unsigned char master_deal_scan_result(const struct streaminfo *a_stream,
|
|||||||
FS_operate(g_tsg_para.fs2_handle, g_tsg_para.fs2_field_id[TSG_FS2_INTERCEPT], 0, FS_OP_ADD, 1);
|
FS_operate(g_tsg_para.fs2_handle, g_tsg_para.fs2_field_id[TSG_FS2_INTERCEPT], 0, FS_OP_ADD, 1);
|
||||||
state=APP_STATE_DROPME|APP_STATE_KILL_OTHER;
|
state=APP_STATE_DROPME|APP_STATE_KILL_OTHER;
|
||||||
|
|
||||||
tsg_set_method_to_tcpall(a_stream, &tmp_tcpall_context, TSG_METHOD_TYPE_UNKNOWN, a_stream->threadnum);
|
set_method_to_tcpall(a_stream, TSG_METHOD_TYPE_UNKNOWN, a_stream->threadnum);
|
||||||
break;
|
break;
|
||||||
default:
|
default:
|
||||||
break;
|
break;
|
||||||
@@ -1890,7 +1972,7 @@ static int app_identify_result_cb(const struct streaminfo *a_stream, int bridge_
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
master_deal_scan_result(a_stream, context, scan_result, hit_num, NULL);
|
context->sync_cb_state=master_deal_scan_result(a_stream, context, scan_result, hit_num, NULL);
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
@@ -1916,7 +1998,7 @@ static int session_flags_identify_result_cb(const struct streaminfo *a_stream, i
|
|||||||
|
|
||||||
int hit_num=tsg_scan_session_flags(g_tsg_maat_feather, a_stream, scan_result, MAX_RESULT_NUM, &context->mid, g_tsg_para.table_id[TABLE_SESSION_FLAGS], context->session_flag, a_stream->threadnum);
|
int hit_num=tsg_scan_session_flags(g_tsg_maat_feather, a_stream, scan_result, MAX_RESULT_NUM, &context->mid, g_tsg_para.table_id[TABLE_SESSION_FLAGS], context->session_flag, a_stream->threadnum);
|
||||||
|
|
||||||
master_deal_scan_result(a_stream, context, scan_result, hit_num, NULL);
|
context->sync_cb_state=master_deal_scan_result(a_stream, context, scan_result, hit_num, NULL);
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
@@ -2027,6 +2109,21 @@ static unsigned char tsg_master_data_entry(const struct streaminfo *a_stream, vo
|
|||||||
context->deal_pkt_num++;
|
context->deal_pkt_num++;
|
||||||
break;
|
break;
|
||||||
case OP_STATE_DATA:
|
case OP_STATE_DATA:
|
||||||
|
if(context->sync_cb_state&APP_STATE_KILL_OTHER || context->sync_cb_state&APP_STATE_DROPPKT)
|
||||||
|
{
|
||||||
|
if(a_stream->type==STREAM_TYPE_TCP) //tcpall
|
||||||
|
{
|
||||||
|
state=context->sync_cb_state|APP_STATE_DROPME;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
if(a_stream->type==STREAM_TYPE_UDP) // allow, Deny(after drop N packets)
|
||||||
|
{
|
||||||
|
state=context->sync_cb_state&(~(APP_STATE_DROPME));
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if(context->is_app_link==FLAG_FALSE && (context->deal_pkt_num++) == (g_tsg_para.identify_app_max_pkt_num+1))
|
if(context->is_app_link==FLAG_FALSE && (context->deal_pkt_num++) == (g_tsg_para.identify_app_max_pkt_num+1))
|
||||||
{
|
{
|
||||||
unknown_result.app_id_num=1;
|
unknown_result.app_id_num=1;
|
||||||
@@ -2090,11 +2187,6 @@ static unsigned char tsg_master_data_entry(const struct streaminfo *a_stream, vo
|
|||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
if(context->is_dropme==1 && a_stream->type==STREAM_TYPE_TCP)
|
|
||||||
{
|
|
||||||
state=APP_STATE_KILL_OTHER|APP_STATE_DROPME;
|
|
||||||
}
|
|
||||||
|
|
||||||
if((a_stream->opstate==OP_STATE_CLOSE) || (state&APP_STATE_DROPME)==APP_STATE_DROPME)
|
if((a_stream->opstate==OP_STATE_CLOSE) || (state&APP_STATE_DROPME)==APP_STATE_DROPME)
|
||||||
{
|
{
|
||||||
if(context!=NULL && context->is_log==0 && context->hit_cnt>0 && context->result!=NULL)
|
if(context!=NULL && context->is_log==0 && context->hit_cnt>0 && context->result!=NULL)
|
||||||
@@ -2117,7 +2209,6 @@ static unsigned char tsg_master_all_entry(const struct streaminfo *a_stream, uns
|
|||||||
unsigned char state=APP_STATE_GIVEME;
|
unsigned char state=APP_STATE_GIVEME;
|
||||||
struct identify_info tmp_identify_info;
|
struct identify_info tmp_identify_info;
|
||||||
struct Maat_rule_t result[MAX_RESULT_NUM]={0};
|
struct Maat_rule_t result[MAX_RESULT_NUM]={0};
|
||||||
struct master_context *data_context=NULL;
|
|
||||||
struct tcpall_context *all_context=(struct tcpall_context *)(*pme);
|
struct tcpall_context *all_context=(struct tcpall_context *)(*pme);
|
||||||
|
|
||||||
if(stream_state==OP_STATE_PENDING && all_context->method_type!=TSG_METHOD_TYPE_ALLOW)
|
if(stream_state==OP_STATE_PENDING && all_context->method_type!=TSG_METHOD_TYPE_ALLOW)
|
||||||
@@ -2135,7 +2226,7 @@ static unsigned char tsg_master_all_entry(const struct streaminfo *a_stream, uns
|
|||||||
switch(p_result->action)
|
switch(p_result->action)
|
||||||
{
|
{
|
||||||
case TSG_ACTION_DENY:
|
case TSG_ACTION_DENY:
|
||||||
state=tsg_deal_deny_action(a_stream, p_result, PROTO_UNKONWN, ACTION_RETURN_TYPE_APP, a_packet);
|
state=tsg_deal_deny_action(a_stream, p_result, PROTO_UNKONWN, ACTION_RETURN_TYPE_TCPALL, a_packet);
|
||||||
master_send_log(a_stream, p_result, 1, NULL, thread_seq);
|
master_send_log(a_stream, p_result, 1, NULL, thread_seq);
|
||||||
break;
|
break;
|
||||||
case TSG_ACTION_MONITOR:
|
case TSG_ACTION_MONITOR:
|
||||||
@@ -2178,10 +2269,11 @@ static unsigned char tsg_master_all_entry(const struct streaminfo *a_stream, uns
|
|||||||
|
|
||||||
if(get_default_policy(g_tsg_para.default_compile_id, &result[0]))
|
if(get_default_policy(g_tsg_para.default_compile_id, &result[0]))
|
||||||
{
|
{
|
||||||
state=tsg_deal_deny_action(a_stream, &result[0], PROTO_UNKONWN, ACTION_RETURN_TYPE_APP, a_packet);
|
state=tsg_deal_deny_action(a_stream, &result[0], PROTO_UNKONWN, ACTION_RETURN_TYPE_TCPALL, a_packet);
|
||||||
master_send_log(a_stream, &result[0], 1, NULL, thread_seq);
|
master_send_log(a_stream, &result[0], 1, NULL, thread_seq);
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
|
case TSG_METHOD_TYPE_DROP:
|
||||||
case TSG_METHOD_TYPE_APP_DROP:
|
case TSG_METHOD_TYPE_APP_DROP:
|
||||||
if((all_context->hited_para.after_n_packets-- > 0) || stream_state==OP_STATE_CLOSE)
|
if((all_context->hited_para.after_n_packets-- > 0) || stream_state==OP_STATE_CLOSE)
|
||||||
{
|
{
|
||||||
@@ -2191,15 +2283,8 @@ static unsigned char tsg_master_all_entry(const struct streaminfo *a_stream, uns
|
|||||||
ret=tsg_pull_policy_result((struct streaminfo *)a_stream,PULL_FW_RESULT, &result[0], 1, &tmp_identify_info);
|
ret=tsg_pull_policy_result((struct streaminfo *)a_stream,PULL_FW_RESULT, &result[0], 1, &tmp_identify_info);
|
||||||
if(ret>0)
|
if(ret>0)
|
||||||
{
|
{
|
||||||
data_context=(struct master_context *)get_struct_project(a_stream, g_tsg_para.context_project_id);
|
state=tsg_deny_application(a_stream, &result[0], all_context->protocol, all_context->hited_para.hited_app_id, ACTION_RETURN_TYPE_TCPALL, a_packet);
|
||||||
state=tsg_deny_application(a_stream,
|
//master_send_log(a_stream, &result[0], 1, data_context, thread_seq);
|
||||||
&result[0],
|
|
||||||
(data_context==NULL ? PROTO_UNKONWN : data_context->proto),
|
|
||||||
all_context->hited_para.hited_app_id,
|
|
||||||
ACTION_RETURN_TYPE_APP,
|
|
||||||
a_packet
|
|
||||||
);
|
|
||||||
master_send_log(a_stream, &result[0], 1, data_context, thread_seq);
|
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
default:
|
default:
|
||||||
@@ -2214,12 +2299,6 @@ extern "C" unsigned char TSG_MASTER_TCP_ENTRY(const struct streaminfo *a_tcp, vo
|
|||||||
return tsg_master_data_entry(a_tcp, pme, thread_seq, a_packet);
|
return tsg_master_data_entry(a_tcp, pme, thread_seq, a_packet);
|
||||||
}
|
}
|
||||||
|
|
||||||
struct udp_context
|
|
||||||
{
|
|
||||||
struct master_context *data_entry;
|
|
||||||
struct tcpall_context *all_entry;
|
|
||||||
};
|
|
||||||
|
|
||||||
extern "C" unsigned char TSG_MASTER_UDP_ENTRY(const struct streaminfo *a_udp, void **pme, int thread_seq,void *a_packet)
|
extern "C" unsigned char TSG_MASTER_UDP_ENTRY(const struct streaminfo *a_udp, void **pme, int thread_seq,void *a_packet)
|
||||||
{
|
{
|
||||||
unsigned char state1=APP_STATE_GIVEME;
|
unsigned char state1=APP_STATE_GIVEME;
|
||||||
|
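Review bot: The five new set_*_to_tcpall functions (set_after_n_packet_to_tcpall through set_bucket_to_tcpall) each repeat the same lookup-or-allocate block, and none checks the dictator_malloc result before memset and set_struct_project; if dictator_malloc can return NULL that is a NULL write on the packet path, and the duplication means any later fix has to be applied five times, so factor the block into one static helper that reports allocation failure and let each setter return 0 in that case (sketch below; the `return 0; break;` in set_method_to_tcpall and set_bucket_to_tcpall also leaves an unreachable break). Separately, in tsg_master_all_entry's TSG_METHOD_TYPE_APP_DROP case the new code leaves `//master_send_log(a_stream, &result[0], 1, data_context, thread_seq);` commented out after tsg_deny_application, so a deny applied after N packets no longer produces a log record — if that is intentional delete the line rather than leaving dead code, and if not it is a visibility gap for exactly the sessions that were denied. In copy_result_to_project the memset of priority_label now runs only on the allocation branch; if the else branch releases the label's members (the `);` at the top of that hunk looks like the tail of such a call), members that the code below does not re-assign keep their old pointers, which should be confirmed before merging.
```cpp
/* Return the per-stream tcpall context, creating and zeroing it on first use.
 * Returns NULL when the allocation fails so callers can refuse the update. */
static struct tcpall_context *get_or_create_tcpall_context(const struct streaminfo *a_stream, int thread_seq)
{
    struct tcpall_context *_context=(struct tcpall_context *)get_struct_project(a_stream, g_tsg_para.tcpall_project_id);
    if(_context==NULL)
    {
        _context=(struct tcpall_context *)dictator_malloc(thread_seq, sizeof(struct tcpall_context));
        if(_context==NULL)
        {
            return NULL;
        }
        memset(_context, 0, sizeof(struct tcpall_context));
        set_struct_project(a_stream, g_tsg_para.tcpall_project_id, (void *)_context);
    }
    return _context;
}

int set_after_n_packet_to_tcpall(const struct streaminfo *a_stream, int after_n_packets, int thread_seq)
{
    struct tcpall_context *_context=get_or_create_tcpall_context(a_stream, thread_seq);
    if(_context==NULL)
    {
        return 0;
    }
    _context->hited_para.after_n_packets=after_n_packets;
    return 1;
}
// … unchanged: set_hited_app_id_to_tcpall, set_protocol_to_tcpall, set_method_to_tcpall and set_bucket_to_tcpall, each using the same helper …
```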
|||||||
@@ -260,10 +260,9 @@ struct master_context
|
|||||||
{
|
{
|
||||||
unsigned char is_esni;
|
unsigned char is_esni;
|
||||||
unsigned char is_log;
|
unsigned char is_log;
|
||||||
unsigned char is_dropme;
|
|
||||||
unsigned char deal_pkt_num;
|
unsigned char deal_pkt_num;
|
||||||
unsigned char is_app_link;
|
unsigned char is_app_link;
|
||||||
unsigned char padding;
|
unsigned char sync_cb_state;
|
||||||
unsigned short timeout;
|
unsigned short timeout;
|
||||||
tsg_protocol_t proto;
|
tsg_protocol_t proto;
|
||||||
int hit_cnt;
|
int hit_cnt;
|
||||||
@@ -287,6 +286,7 @@ struct tcpall_context
|
|||||||
{
|
{
|
||||||
int set_latency_flag;
|
int set_latency_flag;
|
||||||
enum TSG_METHOD_TYPE method_type;
|
enum TSG_METHOD_TYPE method_type;
|
||||||
|
tsg_protocol_t protocol;
|
||||||
union
|
union
|
||||||
{
|
{
|
||||||
struct leaky_bucket *bucket;
|
struct leaky_bucket *bucket;
|
||||||
@@ -297,6 +297,12 @@ struct tcpall_context
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
struct udp_context
|
||||||
|
{
|
||||||
|
struct master_context *data_entry;
|
||||||
|
struct tcpall_context *all_entry;
|
||||||
|
};
|
||||||
|
|
||||||
struct reset_argv
|
struct reset_argv
|
||||||
{
|
{
|
||||||
int pkt_num;
|
int pkt_num;
|
||||||
@@ -474,8 +480,10 @@ void tunnel_endpoint_free(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, void
|
|||||||
void http_response_pages_free(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp);
|
void http_response_pages_free(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp);
|
||||||
void dns_profile_records_free(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, void *argp);
|
void dns_profile_records_free(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, void *argp);
|
||||||
void set_session_attribute_label(const struct streaminfo *a_stream, enum TSG_ATTRIBUTE_TYPE type, void *value, int value_len, int thread_seq);
|
void set_session_attribute_label(const struct streaminfo *a_stream, enum TSG_ATTRIBUTE_TYPE type, void *value, int value_len, int thread_seq);
|
||||||
int tsg_set_method_to_tcpall(const struct streaminfo *a_stream, struct tcpall_context **context, enum TSG_METHOD_TYPE method_type, int thread_seq);
|
int set_method_to_tcpall(const struct streaminfo *a_stream, enum TSG_METHOD_TYPE method_type, int thread_seq);
|
||||||
int tsg_set_bucket_to_tcpall(const struct streaminfo *a_stream, struct tcpall_context **context, struct leaky_bucket *bucket, int thread_seq);
|
int set_protocol_to_tcpall(const struct streaminfo *a_stream, tsg_protocol_t protocol, int thread_seq);
|
||||||
|
int set_bucket_to_tcpall(const struct streaminfo *a_stream, struct leaky_bucket *bucket, int thread_seq);
|
||||||
|
int set_after_n_packet_to_tcpall(const struct streaminfo *a_stream, int after_n_packets, int thread_seq);
|
||||||
void security_compile_free(int idx, const struct Maat_rule_t* rule, const char* srv_def_large, MAAT_RULE_EX_DATA* ad, long argl, void *argp);
|
void security_compile_free(int idx, const struct Maat_rule_t* rule, const char* srv_def_large, MAAT_RULE_EX_DATA* ad, long argl, void *argp);
|
||||||
|
|
||||||
struct Maat_rule_t *tsg_policy_decision_criteria(struct streaminfo *a_stream, Maat_rule_t *result, int result_num, int thread_seq);
|
struct Maat_rule_t *tsg_policy_decision_criteria(struct streaminfo *a_stream, Maat_rule_t *result, int result_num, int thread_seq);
|
||||||
@@ -487,6 +495,8 @@ int tsg_scan_subscribe_id_policy(Maat_feather_t maat_feather, const struct strea
|
|||||||
int tsg_get_umts_user_info(const struct streaminfo *a_stream, struct umts_user_info **user_info);
|
int tsg_get_umts_user_info(const struct streaminfo *a_stream, struct umts_user_info **user_info);
|
||||||
struct umts_user_info *tsg_get_umts_user_info_form_redis(unsigned int teid);
|
struct umts_user_info *tsg_get_umts_user_info_form_redis(unsigned int teid);
|
||||||
|
|
||||||
|
void free_policy_label(int thread_seq, void *project_req_value);
|
||||||
|
int tsg_set_policy_result(const struct streaminfo *a_stream, PULL_RESULT_TYPE result_type, struct Maat_rule_t *p_result, tsg_protocol_t proto, int thread_seq);
|
||||||
int tsg_scan_gtp_apn_policy(Maat_feather_t maat_feather, const struct streaminfo *a_stream, struct Maat_rule_t *result, int result_num, scan_status_t *mid, char *apn, int thread_seq);
|
int tsg_scan_gtp_apn_policy(Maat_feather_t maat_feather, const struct streaminfo *a_stream, struct Maat_rule_t *result, int result_num, scan_status_t *mid, char *apn, int thread_seq);
|
||||||
int tsg_scan_gtp_imsi_policy(Maat_feather_t maat_feather, const struct streaminfo *a_stream, struct Maat_rule_t *result, int result_num, scan_status_t *mid, char *imsi, int thread_seq);
|
int tsg_scan_gtp_imsi_policy(Maat_feather_t maat_feather, const struct streaminfo *a_stream, struct Maat_rule_t *result, int result_num, scan_status_t *mid, char *imsi, int thread_seq);
|
||||||
int tsg_scan_gtp_phone_number_policy(Maat_feather_t maat_feather, const struct streaminfo *a_stream, struct Maat_rule_t *result, int result_num, scan_status_t *mid, char *phone_number, int thread_seq);
|
int tsg_scan_gtp_phone_number_policy(Maat_feather_t maat_feather, const struct streaminfo *a_stream, struct Maat_rule_t *result, int result_num, scan_status_t *mid, char *phone_number, int thread_seq);
|
||||||
|
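Review bot: The new `unsigned char sync_cb_state;` member of struct master_context replaces `padding` but carries no comment, and its meaning is only recoverable from tsg_master.cpp (it stores the state returned by master_deal_scan_result from the identify callbacks and is replayed on the next OP_STATE_DATA packet); document it at the declaration, e.g. `unsigned char sync_cb_state; /* APP_STATE_* result of master_deal_scan_result from the async identify callbacks, applied on the next OP_STATE_DATA packet */`. The prototype block adds set_method_to_tcpall, set_protocol_to_tcpall, set_bucket_to_tcpall and set_after_n_packet_to_tcpall, but set_hited_app_id_to_tcpall, which tsg_master.cpp defines with external linkage in the same hunk, is not declared here — unless it is declared elsewhere, either add `int set_hited_app_id_to_tcpall(const struct streaminfo *a_stream, int hited_app_id, int thread_seq);` or make the definition static. The new `tsg_protocol_t protocol;` in struct tcpall_context would likewise benefit from a one-line comment saying it is the protocol captured by set_protocol_to_tcpall for the deferred deny.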
|||||||
@@ -20,9 +20,8 @@ enum TSG_DENY_TYPE
|
|||||||
TSG_DENY_TYPE_REDIRECT_TO,
|
TSG_DENY_TYPE_REDIRECT_TO,
|
||||||
TSG_DENY_TYPE_REDIRECT_URL,
|
TSG_DENY_TYPE_REDIRECT_URL,
|
||||||
TSG_DENY_TYPE_REDIRECT_RECORD,
|
TSG_DENY_TYPE_REDIRECT_RECORD,
|
||||||
TSG_DENY_TYPE_SEND_ICMP,
|
TSG_DENY_TYPE_DROP,
|
||||||
TSG_DENY_TYPE_DEFAULT_RST,
|
TSG_DENY_TYPE_DEFAULT_RST,
|
||||||
TSG_DENY_TYPE_DEFAULT_DROP,
|
|
||||||
TSG_DENY_TYPE_APP_DROP,
|
TSG_DENY_TYPE_APP_DROP,
|
||||||
TSG_DENY_TYPE_APP_RATELIMIT,
|
TSG_DENY_TYPE_APP_RATELIMIT,
|
||||||
TSG_DENY_TYPE_MAX
|
TSG_DENY_TYPE_MAX
|
||||||
@@ -79,7 +78,7 @@ struct packet_capture
|
|||||||
int depth;
|
int depth;
|
||||||
};
|
};
|
||||||
|
|
||||||
struct app_action_para
|
struct action_para
|
||||||
{
|
{
|
||||||
int send_reset_enable;
|
int send_reset_enable;
|
||||||
int send_icmp_enable;
|
int send_icmp_enable;
|
||||||
@@ -101,8 +100,7 @@ struct deny_user_region
|
|||||||
struct dns_user_region *records;
|
struct dns_user_region *records;
|
||||||
int profile_id;
|
int profile_id;
|
||||||
int bps;
|
int bps;
|
||||||
int send_icmp_enable;
|
struct action_para drop_para;
|
||||||
struct app_action_para app_para;
|
|
||||||
void *para;
|
void *para;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
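Review bot: Renaming TSG_DENY_TYPE_SEND_ICMP to TSG_DENY_TYPE_DROP and deleting TSG_DENY_TYPE_DEFAULT_DROP from enum TSG_DENY_TYPE shifts the numeric values of TSG_DENY_TYPE_APP_DROP, TSG_DENY_TYPE_APP_RATELIMIT and TSG_DENY_TYPE_MAX; if any of these values is persisted, logged, or exchanged with another component as an integer, this is a silent compatibility break that the commit message's forward-compatibility claim does not cover, so confirm that or pin the values explicitly. The new `struct action_para` fields `send_reset_enable` and `send_icmp_enable` are plain ints that the consumer in tsg_action.cpp tests with `==1`, so any other non-zero value read from the rule JSON silently disables the sub-action; document the contract at the declaration, e.g. `int send_reset_enable; /* 0 or 1: also send a TCP reset when the drop action fires */` and `int send_icmp_enable; /* 0 or 1: also send ICMP unreachable when the drop action fires */`, or have the consumer test `!=0`. The enclosing enum and struct deny_user_region start outside their hunks.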
|||||||
140
src/tsg_rule.cpp
140
src/tsg_rule.cpp
@@ -650,9 +650,9 @@ static int parse_deny_action(char *deny_action_str, struct deny_user_region *den
|
|||||||
{
|
{
|
||||||
case TSG_METHOD_TYPE_DROP:
|
case TSG_METHOD_TYPE_DROP:
|
||||||
deny_app_para->type=TSG_DENY_TYPE_APP_DROP;
|
deny_app_para->type=TSG_DENY_TYPE_APP_DROP;
|
||||||
get_integer_from_json(app_para, "send_tcp_reset", &(deny_app_para->app_para.send_reset_enable));
|
get_integer_from_json(app_para, "send_tcp_reset", &(deny_app_para->drop_para.send_reset_enable));
|
||||||
get_integer_from_json(app_para, "after_n_packets", &(deny_app_para->after_n_packets));
|
get_integer_from_json(app_para, "after_n_packets", &(deny_app_para->after_n_packets));
|
||||||
get_integer_from_json(app_para, "send_icmp_unreachable", &(deny_app_para->app_para.send_icmp_enable));
|
get_integer_from_json(app_para, "send_icmp_unreachable", &(deny_app_para->drop_para.send_icmp_enable));
|
||||||
break;
|
break;
|
||||||
case TSG_METHOD_TYPE_RATE_LIMIT:
|
case TSG_METHOD_TYPE_RATE_LIMIT:
|
||||||
deny_app_para->type=TSG_DENY_TYPE_APP_RATELIMIT;
|
deny_app_para->type=TSG_DENY_TYPE_APP_RATELIMIT;
|
||||||
@@ -980,16 +980,10 @@ static int parse_default_para(cJSON *deny_user_region_object, struct compile_use
|
|||||||
get_integer_from_json(tcp_session_item, "after_n_packets", &(user_region->session_para->tcp.after_n_packets));
|
get_integer_from_json(tcp_session_item, "after_n_packets", &(user_region->session_para->tcp.after_n_packets));
|
||||||
break;
|
break;
|
||||||
case TSG_METHOD_TYPE_DROP:
|
case TSG_METHOD_TYPE_DROP:
|
||||||
|
user_region->session_para->tcp.type=TSG_DENY_TYPE_DROP;
|
||||||
get_integer_from_json(tcp_session_item, "after_n_packets", &(user_region->session_para->tcp.after_n_packets));
|
get_integer_from_json(tcp_session_item, "after_n_packets", &(user_region->session_para->tcp.after_n_packets));
|
||||||
get_integer_from_json(tcp_session_item, "send_icmp_unreachable", &(user_region->session_para->tcp.send_icmp_enable));
|
get_integer_from_json(tcp_session_item, "send_icmp_unreachable", &(user_region->session_para->tcp.drop_para.send_icmp_enable));
|
||||||
if(user_region->session_para->tcp.send_icmp_enable==1)
|
get_integer_from_json(tcp_session_item, "send_tcp_reset", &(user_region->session_para->tcp.drop_para.send_reset_enable));
|
||||||
{
|
|
||||||
user_region->session_para->tcp.type=TSG_DENY_TYPE_SEND_ICMP;
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
user_region->session_para->tcp.type=TSG_DENY_TYPE_DEFAULT_DROP;
|
|
||||||
}
|
|
||||||
break;
|
break;
|
||||||
default:
|
default:
|
||||||
break;
|
break;
|
||||||
@@ -1000,17 +994,9 @@ static int parse_default_para(cJSON *deny_user_region_object, struct compile_use
|
|||||||
method_item=cJSON_GetObjectItem(udp_session_item, "method");
|
method_item=cJSON_GetObjectItem(udp_session_item, "method");
|
||||||
if(method_item!=NULL)
|
if(method_item!=NULL)
|
||||||
{
|
{
|
||||||
user_region->session_para->udp.type=TSG_DENY_TYPE_DEFAULT_DROP;
|
user_region->session_para->udp.type=TSG_DENY_TYPE_DROP;
|
||||||
get_integer_from_json(udp_session_item, "after_n_packets", &(user_region->session_para->udp.after_n_packets));
|
get_integer_from_json(udp_session_item, "after_n_packets", &(user_region->session_para->udp.after_n_packets));
|
||||||
get_integer_from_json(udp_session_item, "send_icmp_unreachable", &(user_region->session_para->udp.send_icmp_enable));
|
get_integer_from_json(udp_session_item, "send_icmp_unreachable", &(user_region->session_para->udp.drop_para.send_icmp_enable));
|
||||||
if(user_region->session_para->udp.send_icmp_enable==1)
|
|
||||||
{
|
|
||||||
user_region->session_para->udp.type=TSG_DENY_TYPE_SEND_ICMP;
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
user_region->session_para->udp.type=TSG_DENY_TYPE_DEFAULT_DROP;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
return 1;
|
return 1;
|
||||||
@@ -1141,12 +1127,10 @@ static struct compile_user_region *parse_deny_user_region(cJSON *deny_user_regio
|
|||||||
break;
|
break;
|
||||||
case TSG_METHOD_TYPE_DROP:
|
case TSG_METHOD_TYPE_DROP:
|
||||||
user_region->deny=(struct deny_user_region *)calloc(1, sizeof(struct deny_user_region));
|
user_region->deny=(struct deny_user_region *)calloc(1, sizeof(struct deny_user_region));
|
||||||
ret=get_integer_from_json(deny_user_region_object, "send_icmp_unreachable", &(user_region->deny->send_icmp_enable));
|
user_region->deny->type=TSG_DENY_TYPE_DROP;
|
||||||
if(ret==1)
|
get_integer_from_json(deny_user_region_object, "send_icmp_unreachable", &(user_region->deny->drop_para.send_icmp_enable));
|
||||||
{
|
get_integer_from_json(deny_user_region_object, "send_tcp_reset", &(user_region->deny->drop_para.send_reset_enable));
|
||||||
user_region->deny->type=TSG_DENY_TYPE_SEND_ICMP;
|
get_integer_from_json(deny_user_region_object, "after_n_packets", &(user_region->deny->after_n_packets));
|
||||||
break;
|
|
||||||
}
|
|
||||||
break;
|
break;
|
||||||
case TSG_METHOD_TYPE_APP_DROP:
|
case TSG_METHOD_TYPE_APP_DROP:
|
||||||
break;
|
break;
|
||||||
@@ -2250,6 +2234,51 @@ static int get_fqdn_category_id(Maat_feather_t maat_feather, int table_id, char
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
int tsg_set_policy_result(const struct streaminfo *a_stream, PULL_RESULT_TYPE result_type, struct Maat_rule_t *p_result, tsg_protocol_t proto, int thread_seq)
|
||||||
|
{
|
||||||
|
struct policy_priority_label *priority_label=NULL;
|
||||||
|
|
||||||
|
priority_label=(struct policy_priority_label *)project_req_get_struct((struct streaminfo *)a_stream, g_tsg_para.priority_project_id);
|
||||||
|
if(priority_label==NULL)
|
||||||
|
{
|
||||||
|
priority_label=(struct policy_priority_label *)dictator_malloc(thread_seq, sizeof(struct policy_priority_label));
|
||||||
|
memset(priority_label, 0, sizeof(struct policy_priority_label));
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
priority_label->proto=proto;
|
||||||
|
priority_label->result_num=1;
|
||||||
|
priority_label->result_type=result_type;
|
||||||
|
memcpy(priority_label->result, p_result, sizeof(struct Maat_rule_t));
|
||||||
|
|
||||||
|
int ret=project_req_add_struct((struct streaminfo *)a_stream, g_tsg_para.priority_project_id, (void *)priority_label);
|
||||||
|
if(ret<0)
|
||||||
|
{
|
||||||
|
free_policy_label(thread_seq, (void *)priority_label);
|
||||||
|
MESA_handle_runtime_log(g_tsg_para.logger,
|
||||||
|
RLOG_LV_FATAL,
|
||||||
|
"PROJECT_ADD",
|
||||||
|
"Add policy_priority_label failed, policy, policy_id: %d action: %d addr: %s",
|
||||||
|
priority_label->result[0].config_id,
|
||||||
|
(unsigned char)priority_label->result[0].action,
|
||||||
|
PRINTADDR(a_stream, g_tsg_para.level)
|
||||||
|
);
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
MESA_handle_runtime_log(g_tsg_para.logger,
|
||||||
|
RLOG_LV_DEBUG,
|
||||||
|
"COPY_RESULT",
|
||||||
|
"Hit policy, policy_id: %d action: %d addr: %s",
|
||||||
|
priority_label->result[0].config_id,
|
||||||
|
(unsigned char)priority_label->result[0].action,
|
||||||
|
PRINTADDR(a_stream, g_tsg_para.level)
|
||||||
|
);
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
int tsg_pull_policy_result(struct streaminfo *a_stream, PULL_RESULT_TYPE pull_result_type, Maat_rule_t*result, int result_num, struct identify_info *identify_info)
|
int tsg_pull_policy_result(struct streaminfo *a_stream, PULL_RESULT_TYPE pull_result_type, Maat_rule_t*result, int result_num, struct identify_info *identify_info)
|
||||||
{
|
{
|
||||||
int num=0;
|
int num=0;
|
||||||
@@ -3308,63 +3337,6 @@ int tsg_notify_hited_monitor_result(const struct streaminfo *a_stream, struct Ma
|
|||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
int tsg_set_method_to_tcpall(const struct streaminfo *a_stream, struct tcpall_context **context, enum TSG_METHOD_TYPE method_type, int thread_seq)
|
|
||||||
{
|
|
||||||
struct tcpall_context *_context=(struct tcpall_context *)get_struct_project(a_stream, g_tsg_para.tcpall_project_id);
|
|
||||||
if(_context==NULL)
|
|
||||||
{
|
|
||||||
_context=(struct tcpall_context *)dictator_malloc(thread_seq, sizeof(struct tcpall_context));
|
|
||||||
memset(_context, 0, sizeof(struct tcpall_context));
|
|
||||||
set_struct_project(a_stream, g_tsg_para.tcpall_project_id, (void *)_context);
|
|
||||||
}
|
|
||||||
|
|
||||||
switch(_context->method_type)
|
|
||||||
{
|
|
||||||
case TSG_METHOD_TYPE_UNKNOWN:
|
|
||||||
case TSG_METHOD_TYPE_DEFAULT:
|
|
||||||
case TSG_METHOD_TYPE_MIRRORED:
|
|
||||||
_context->method_type=method_type;
|
|
||||||
*context=_context;
|
|
||||||
break;
|
|
||||||
default:
|
|
||||||
return 0;
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
int tsg_set_bucket_to_tcpall(const struct streaminfo *a_stream, struct tcpall_context **context, struct leaky_bucket *bucket, int thread_seq)
|
|
||||||
{
|
|
||||||
struct tcpall_context *_context=(struct tcpall_context *)get_struct_project(a_stream, g_tsg_para.tcpall_project_id);
|
|
||||||
if(_context==NULL)
|
|
||||||
{
|
|
||||||
_context=(struct tcpall_context *)dictator_malloc(thread_seq, sizeof(struct tcpall_context));
|
|
||||||
memset(_context, 0, sizeof(struct tcpall_context));
|
|
||||||
set_struct_project(a_stream, g_tsg_para.tcpall_project_id, (void *)_context);
|
|
||||||
}
|
|
||||||
|
|
||||||
switch(_context->method_type)
|
|
||||||
{
|
|
||||||
case TSG_METHOD_TYPE_RATE_LIMIT:
|
|
||||||
*context=_context;
|
|
||||||
return 1;
|
|
||||||
break;
|
|
||||||
case TSG_METHOD_TYPE_DEFAULT:
|
|
||||||
case TSG_METHOD_TYPE_UNKNOWN:
|
|
||||||
break;
|
|
||||||
default:
|
|
||||||
return 0;
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
|
|
||||||
_context->method_type=TSG_METHOD_TYPE_RATE_LIMIT;
|
|
||||||
_context->bucket=bucket;
|
|
||||||
*context=_context;
|
|
||||||
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
char *tsg_get_column_string_value(const char* line, int column_seq)
|
char *tsg_get_column_string_value(const char* line, int column_seq)
|
||||||
{
|
{
|
||||||
int ret=0;
|
int ret=0;
|
||||||
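Review bot: The failure branch of the new tsg_set_policy_result frees the label and then reads it: `free_policy_label(thread_seq, (void *)priority_label);` is followed by the MESA_handle_runtime_log call that dereferences `priority_label->result[0].config_id` and `priority_label->result[0].action`, which is a use-after-free read if free_policy_label releases the memory as its name suggests. Move the free below the log call, or copy config_id and action into locals before freeing. The return of `dictator_malloc(thread_seq, sizeof(struct policy_priority_label))` is also passed straight to memset with no NULL check; add `if(priority_label==NULL) return -1;` after the allocation. Note as well that when project_req_get_struct already returned an existing label, the function still calls project_req_add_struct on that same pointer and, on failure, frees an object the project may still reference — confirm that add is safe for an already-registered pointer, or only add on the freshly allocated path.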
|
|||||||
@@ -1933,9 +1933,12 @@ int load_log_common_field(const char *filename, id2field_t *id2field, struct top
|
|||||||
case TLD_TYPE_FILE:
|
case TLD_TYPE_FILE:
|
||||||
case TLD_TYPE_LONG:
|
case TLD_TYPE_LONG:
|
||||||
case TLD_TYPE_STRING:
|
case TLD_TYPE_STRING:
|
||||||
id2field[id].type = tld_type[i].type;
|
if(id<LOG_COMMON_MAX)
|
||||||
id2field[id].id = id;
|
{
|
||||||
memcpy(id2field[id].name, field_name, strlen(field_name));
|
id2field[id].type = tld_type[i].type;
|
||||||
|
id2field[id].id = id;
|
||||||
|
memcpy(id2field[id].name, field_name, strlen(field_name));
|
||||||
|
}
|
||||||
flag=1;
|
flag=1;
|
||||||
break;
|
break;
|
||||||
case TLD_TYPE_TOPIC:
|
case TLD_TYPE_TOPIC:
|
||||||
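Review bot: The new `if(id<LOG_COMMON_MAX)` guard only bounds the index from above; if `id` is a signed value parsed from the field file (its declaration is outside the hunk), a negative id still indexes before id2field, so the check should read `if(id>=0 && id<LOG_COMMON_MAX)`. The copy inside the guard is also still unbounded: `memcpy(id2field[id].name, field_name, strlen(field_name));` writes the full input length into the name member and does not NUL-terminate it, so an over-long field name in the config overruns the entry; if name is a fixed-size array, `snprintf(id2field[id].name, sizeof(id2field[id].name), "%s", field_name);` bounds and terminates it. An id that fails the guard is silently skipped while `flag=1;` is still set, so the caller cannot tell the entry was dropped; log the rejected id. The body of load_log_common_field starts and ends outside the hunk.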
|
|||||||