支持Decryption Exclusion
初始化maat时增加应答文件路径设置 Firewall仅deny动作填写common_sub_action 更新相应配置文件
@@ -291,18 +291,19 @@ static int master_send_log(struct streaminfo *a_stream, struct Maat_rule_t *p_re
|
||||
return 1;
|
||||
}
|
||||
|
||||
static struct Maat_rule_t *tsg_policy_decision_criteria(Maat_rule_t *result, int result_num, char *domain, int domain_len, int thread_seq)
|
||||
static struct Maat_rule_t *tsg_policy_decision_criteria(struct streaminfo *a_stream, Maat_rule_t *result, int result_num, char *domain, int domain_len, int thread_seq)
|
||||
{
|
||||
int i=0,ret=0;
|
||||
Maat_rule_t tmp_result;
|
||||
Maat_rule_t *p_result=NULL;
|
||||
Maat_rule_t q_result;
|
||||
Maat_rule_t *q_result=NULL;
|
||||
scan_status_t mid=NULL;
|
||||
|
||||
if(result==NULL || result_num<=0)
|
||||
{
|
||||
return NULL;
|
||||
}
|
||||
|
||||
#if 0
|
||||
ret=Maat_rule_sort_by_evaluation_order(g_tsg_maat_feather, result, result_num);
|
||||
if(ret!=result_num)
|
||||
{
|
||||
@@ -318,7 +319,7 @@ static struct Maat_rule_t *tsg_policy_decision_criteria(Maat_rule_t *result, int
|
||||
CHARSET_UTF8,
|
||||
domain,
|
||||
domain_len,
|
||||
&q_result,
|
||||
&tmp_result,
|
||||
NULL,
|
||||
1,
|
||||
&mid,
|
||||
@@ -338,16 +339,22 @@ static struct Maat_rule_t *tsg_policy_decision_criteria(Maat_rule_t *result, int
|
||||
}
|
||||
|
||||
return p_result;
|
||||
|
||||
#endif
|
||||
p_result=&result[0];
|
||||
|
||||
for(i=1; i<result_num; i++)
|
||||
{
|
||||
if((unsigned char)result[i].action>(unsigned char)p_result->action)
|
||||
{
|
||||
q_result=p_result;
|
||||
p_result=&result[i];
|
||||
continue;
|
||||
}
|
||||
|
||||
if(q_result==NULL)
|
||||
{
|
||||
q_result=&result[i];
|
||||
}
|
||||
|
||||
if(result[i].action==p_result->action)
|
||||
{
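Review bot: q_result does not end up holding the highest-ranked non-winning rule: in the new-maximum branch at L130 it is overwritten with the outgoing p_result without comparing against what it already holds, and at L144 it is only filled while still NULL, never when result[i] outranks it. An input whose second-best rule appears after a weaker one (or before a later maximum) therefore leaves q_result pointing at the weaker rule, and the exclusion branch further down in this function promotes that pointer to the decision. Two comparisons fix it: `if(q_result==NULL || (unsigned char)p_result->action>(unsigned char)q_result->action) q_result=p_result;` in place of L130, and `if(q_result==NULL || (unsigned char)result[i].action>(unsigned char)q_result->action)` in place of L144. The tie handling that begins at L158 continues outside this hunk, so whether a tie rule that replaces p_result should also demote the old p_result into q_result needs checking there; tsg_policy_decision_criteria itself starts in the first hunk and ends in the next.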
|
||||
@@ -358,6 +365,47 @@ static struct Maat_rule_t *tsg_policy_decision_criteria(Maat_rule_t *result, int
|
||||
}
|
||||
}
|
||||
|
||||
if(p_result->action==TSG_ACTION_INTERCEPT && domain!=NULL && domain_len>0)
|
||||
{
|
||||
ret=Maat_full_scan_string(g_tsg_maat_feather,
|
||||
g_tsg_para.table_id[TABLE_EXCLUSION_SSL_SNI],
|
||||
CHARSET_UTF8,
|
||||
domain,
|
||||
domain_len,
|
||||
&tmp_result,
|
||||
NULL,
|
||||
1,
|
||||
&mid,
|
||||
thread_seq);
|
||||
|
||||
if(ret>0)
|
||||
{
|
||||
p_result=q_result;
|
||||
MESA_handle_runtime_log(g_tsg_para.logger,
|
||||
RLOG_LV_DEBUG,
|
||||
"EXCLUSION_SSL_SNI",
|
||||
"Hit %s policy_id: %d service: %d action: %d addr: %s",
|
||||
domain,
|
||||
tmp_result.config_id,
|
||||
tmp_result.service_id,
|
||||
(unsigned char)tmp_result.action,
|
||||
printaddr(&a_stream->addr, thread_seq)
|
||||
);
|
||||
}
|
||||
else
|
||||
{
|
||||
MESA_handle_runtime_log(g_tsg_para.logger,
|
||||
RLOG_LV_DEBUG,
|
||||
"EXCLUSION_SSL_SNI",
|
||||
"Not hit %s stream_dir: %d addr: %s scan ret: %d",
|
||||
domain,
|
||||
a_stream->dir,
|
||||
printaddr(&a_stream->addr, thread_seq),
|
||||
ret
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
return p_result;
|
||||
}
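Review bot: The exclusion fallback at L219 assigns q_result without checking what it holds: with a single hit q_result is still NULL, so an excluded domain returns NULL and both callers (L349, L502) then treat the stream as having no policy, while a runner-up that is itself a TSG_ACTION_INTERCEPT rule makes the exclusion a no-op. If the intent is "fall back to the best non-intercept rule", guard it with `p_result=(q_result!=NULL && (unsigned char)q_result->action!=TSG_ACTION_INTERCEPT) ? q_result : NULL;` and state in a comment on the function that NULL means no applicable policy. The scan status passed as &mid at L205 is never released on this path; the callers pair every scan with `Maat_clean_status(&mid); mid=NULL;` (L487-L490), so if Maat_full_scan_string allocates into mid here as well, every INTERCEPT decision on a non-excluded domain leaks it — add the same cleanup after the call at L208. Both log calls print domain with `%s` although it is described by domain_len and the callers store it with memcpy (L358), so unless NUL termination is guaranteed elsewhere, use `"%.*s"` with `domain_len, domain` at L231/L234 and L270/L273. The function starts in an earlier hunk.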
|
||||
|
||||
@@ -506,7 +554,7 @@ extern "C" char TSG_MASTER_TCP_ENTRY(struct streaminfo *a_tcp, void **pme, int t
|
||||
if(ret>0)
|
||||
{
|
||||
hit_num+=ret;
|
||||
q_result=tsg_policy_decision_criteria(all_result, hit_num, identify_info.domain, identify_info.domain_len, thread_seq);
|
||||
q_result=tsg_policy_decision_criteria(a_tcp, all_result, hit_num, identify_info.domain, identify_info.domain_len, thread_seq);
|
||||
FS_operate(g_tsg_para.fs2_handle, g_tsg_para.fs2_field_id[TSG_FS2_HIT_ADDR], 0, FS_OP_ADD, 1);
|
||||
}
|
||||
|
||||
@@ -549,7 +597,7 @@ extern "C" char TSG_MASTER_TCP_ENTRY(struct streaminfo *a_tcp, void **pme, int t
|
||||
mid=NULL;
|
||||
}
|
||||
|
||||
p_result=tsg_policy_decision_criteria(all_result, hit_num, identify_info.domain, identify_info.domain_len, thread_seq);
|
||||
p_result=tsg_policy_decision_criteria(a_tcp, all_result, hit_num, identify_info.domain, identify_info.domain_len, thread_seq);
|
||||
|
||||
if(p_result!=NULL)
|
||||
{
|
||||
@@ -582,6 +630,16 @@ extern "C" char TSG_MASTER_TCP_ENTRY(struct streaminfo *a_tcp, void **pme, int t
|
||||
memcpy(_context->domain, identify_info.domain, identify_info.domain_len);
|
||||
_context->domain_len=identify_info.domain_len;
|
||||
}
|
||||
|
||||
MESA_handle_runtime_log(g_tsg_para.logger,
|
||||
RLOG_LV_DEBUG,
|
||||
"MONITOR",
|
||||
"Hit monitor policy, policy_id: %d service: %d action: %d addr: %s",
|
||||
p_result[0].config_id,
|
||||
p_result[0].service_id,
|
||||
(unsigned char)p_result[0].action,
|
||||
printaddr(&a_tcp->addr, thread_seq)
|
||||
);
|
||||
state=APP_STATE_GIVEME;
|
||||
}
|
||||
break;
|
||||
@@ -593,6 +651,17 @@ extern "C" char TSG_MASTER_TCP_ENTRY(struct streaminfo *a_tcp, void **pme, int t
|
||||
memcpy(_context->domain, identify_info.domain, identify_info.domain_len);
|
||||
_context->domain_len=identify_info.domain_len;
|
||||
}
|
||||
|
||||
MESA_handle_runtime_log(g_tsg_para.logger,
|
||||
RLOG_LV_DEBUG,
|
||||
"ALLOW",
|
||||
"Hit allow policy, policy_id: %d service: %d action: %d addr: %s",
|
||||
p_result[0].config_id,
|
||||
p_result[0].service_id,
|
||||
(unsigned char)p_result[0].action,
|
||||
printaddr(&a_tcp->addr, thread_seq)
|
||||
);
|
||||
|
||||
state=APP_STATE_GIVEME|APP_STATE_KILL_OTHER;
|
||||
FS_operate(g_tsg_para.fs2_handle, g_tsg_para.fs2_field_id[TSG_FS2_BYPASS], 0, FS_OP_ADD, 1);
|
||||
break;
|
||||
@@ -632,7 +701,7 @@ extern "C" char TSG_MASTER_TCP_ENTRY(struct streaminfo *a_tcp, void **pme, int t
|
||||
(unsigned char)priority_label->result[0].action,
|
||||
printaddr(&a_tcp->addr, thread_seq)
|
||||
);
|
||||
return APP_STATE_DROPME;
|
||||
return APP_STATE_DROPME|APP_STATE_KILL_OTHER;
|
||||
break;
|
||||
case TSG_ACTION_NONE:
|
||||
default:
|
||||
@@ -690,7 +759,7 @@ extern "C" char TSG_MASTER_UDP_ENTRY(struct streaminfo *a_udp, void **pme, int t
|
||||
Maat_clean_status(&mid);
|
||||
mid=NULL;
|
||||
}
|
||||
p_result=tsg_policy_decision_criteria(result, ret, identify_info.domain, identify_info.domain_len, thread_seq);
|
||||
p_result=tsg_policy_decision_criteria(a_udp, result, ret, identify_info.domain, identify_info.domain_len, thread_seq);
|
||||
if(p_result!=NULL)
|
||||
{
|
||||
switch((unsigned char)p_result->action)
|
||||
@@ -771,7 +840,13 @@ extern "C" int TSG_MASTER_INIT()
|
||||
g_tsg_para.priority_project_id=project_producer_register(label_buff, PROJECT_VAL_TYPE_STRUCT, free_policy_label);
|
||||
if(g_tsg_para.priority_project_id<0)
|
||||
{
|
||||
MESA_handle_runtime_log(g_tsg_para.logger, RLOG_LV_FATAL, "PROJECT_REGISTER", "Register %s failed ...", label_buff);
|
||||
MESA_handle_runtime_log(g_tsg_para.logger,
|
||||
RLOG_LV_FATAL,
|
||||
"PROJECT_REGISTER",
|
||||
"Register %s failed; please check :%s and add <POLICY_PRIORITY struct>",
|
||||
label_buff,
|
||||
"etc/project_list.conf"
|
||||
);
|
||||
return -1;
|
||||
}
|
||||
|
||||
@@ -779,7 +854,13 @@ extern "C" int TSG_MASTER_INIT()
|
||||
g_tsg_para.establish_latency_project_id=project_producer_register(label_buff, PROJECT_VAL_TYPE_LONG, NULL);
|
||||
if(g_tsg_para.establish_latency_project_id<0)
|
||||
{
|
||||
MESA_handle_runtime_log(g_tsg_para.logger, RLOG_LV_FATAL, "PROJECT_REGISTER", "Register %s failed ...", label_buff);
|
||||
MESA_handle_runtime_log(g_tsg_para.logger,
|
||||
RLOG_LV_FATAL,
|
||||
"PROJECT_REGISTER",
|
||||
"Register %s failed; please check :%s and add <ESTABLISH_LATENCY long>",
|
||||
label_buff,
|
||||
"etc/project_list.conf"
|
||||
);
|
||||
}
|
||||
|
||||
ret=tsg_rule_init(tsg_conffile, g_tsg_para.logger);
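Review bot: After the rewritten RLOG_LV_FATAL log at L570-L588, TSG_MASTER_INIT falls through to tsg_rule_init at L596 with establish_latency_project_id still negative, whereas the matching failure for priority_project_id in the previous hunk returns -1 (L547). If the latency project is genuinely optional, the message level should be lower than FATAL; otherwise add `return -1;` before the closing brace at L591 so the two registration failures are handled alike. The enclosing function continues outside this hunk.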
|
||||
|
||||