TSG-13659: 修复误将security policy通知shaping master,导致应用重启的问题
TSG-13727: 修复Intercept动作重复发送日志的问题
@@ -865,7 +865,7 @@ static unsigned char tsg_do_deny_action(const struct streaminfo *a_stream, struc
|
|||||||
set_after_n_packet_to_tcpall(a_stream, user_region->deny->after_n_packets, a_stream->threadnum);
|
set_after_n_packet_to_tcpall(a_stream, user_region->deny->after_n_packets, a_stream->threadnum);
|
||||||
}
|
}
|
||||||
|
|
||||||
tsg_set_policy_result(a_stream, PULL_FW_RESULT, p_result, protocol, a_stream->threadnum);
|
//tsg_set_policy_result(a_stream, PULL_FW_RESULT, p_result, protocol, a_stream->threadnum);
|
||||||
local_state=((type==ACTION_RETURN_TYPE_PROT) ? (STATE_DROPME) : (STATE_DROPME|STATE_KILL_OTHER));
|
local_state=((type==ACTION_RETURN_TYPE_PROT) ? (STATE_DROPME) : (STATE_DROPME|STATE_KILL_OTHER));
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -83,6 +83,7 @@ struct master_context
|
|||||||
scan_status_t mid;
|
scan_status_t mid;
|
||||||
struct hited_app_para hited_para; // l7 protocol and app
|
struct hited_app_para hited_para; // l7 protocol and app
|
||||||
long long last_scan_time;
|
long long last_scan_time;
|
||||||
|
struct Maat_rule_t *hited_result;
|
||||||
};
|
};
|
||||||
|
|
||||||
struct tcpall_context
|
struct tcpall_context
|
||||||
|
|||||||
@@ -1228,10 +1228,6 @@ static void set_security_result_to_project(const struct streaminfo *a_stream, st
|
|||||||
free_policy_label(a_stream, g_tsg_para.bridge[BRIDGE_TYPE_POLICY_PRIORITY].id, (void *)priority_label);
|
free_policy_label(a_stream, g_tsg_para.bridge[BRIDGE_TYPE_POLICY_PRIORITY].id, (void *)priority_label);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if(priority_label->security_result_num>0 && priority_label->security_result[0].action!=p_result[0].action)
|
|
||||||
{
|
|
||||||
}
|
|
||||||
|
|
||||||
int num=MIN(MAX_RESULT_NUM-priority_label->security_result_num, p_result_num);
|
int num=MIN(MAX_RESULT_NUM-priority_label->security_result_num, p_result_num);
|
||||||
for(int i=0; i<num; i++)
|
for(int i=0; i<num; i++)
|
||||||
@@ -1815,7 +1811,11 @@ static unsigned char master_deal_scan_result(const struct streaminfo *a_stream,
|
|||||||
|
|
||||||
if((state&APP_STATE_DROPPKT)==APP_STATE_DROPPKT || (state&APP_STATE_KILL_OTHER))
|
if((state&APP_STATE_DROPPKT)==APP_STATE_DROPPKT || (state&APP_STATE_KILL_OTHER))
|
||||||
{
|
{
|
||||||
master_send_log(a_stream, p_result, 1, context, a_stream->threadnum);
|
if(context->hited_result==NULL)
|
||||||
|
{
|
||||||
|
context->hited_result=(struct Maat_rule_t *)dictator_malloc(1, sizeof(struct Maat_rule_t));
|
||||||
|
memcpy(context->hited_result, p_result, sizeof(struct Maat_rule_t));
|
||||||
|
}
|
||||||
MESA_handle_runtime_log(g_tsg_para.logger,
|
MESA_handle_runtime_log(g_tsg_para.logger,
|
||||||
RLOG_LV_DEBUG,
|
RLOG_LV_DEBUG,
|
||||||
"DENY",
|
"DENY",
|
||||||
@@ -1825,7 +1825,8 @@ static unsigned char master_deal_scan_result(const struct streaminfo *a_stream,
|
|||||||
(unsigned char)p_result->action,
|
(unsigned char)p_result->action,
|
||||||
PRINTADDR(a_stream, g_tsg_para.level)
|
PRINTADDR(a_stream, g_tsg_para.level)
|
||||||
);
|
);
|
||||||
}else
|
}
|
||||||
|
else
|
||||||
{
|
{
|
||||||
set_security_result_to_project(a_stream, p_result, 1, PULL_FW_RESULT, a_stream->threadnum);
|
set_security_result_to_project(a_stream, p_result, 1, PULL_FW_RESULT, a_stream->threadnum);
|
||||||
}
|
}
|
||||||
@@ -1840,7 +1841,9 @@ static unsigned char master_deal_scan_result(const struct streaminfo *a_stream,
|
|||||||
break;
|
break;
|
||||||
case TSG_ACTION_BYPASS:
|
case TSG_ACTION_BYPASS:
|
||||||
context->is_hited_allow=1;
|
context->is_hited_allow=1;
|
||||||
set_security_result_to_project(a_stream, p_result, 1, PULL_FW_RESULT, a_stream->threadnum);
|
context->hited_result=(struct Maat_rule_t *)dictator_malloc(1, sizeof(struct Maat_rule_t));
|
||||||
|
memcpy(context->hited_result, p_result, sizeof(struct Maat_rule_t));
|
||||||
|
//set_security_result_to_project(a_stream, p_result, 1, PULL_FW_RESULT, a_stream->threadnum);
|
||||||
FS_operate(g_tsg_para.fs2_handle, g_tsg_para.fs2_field_id[TSG_FS2_BYPASS], 0, FS_OP_ADD, 1);
|
FS_operate(g_tsg_para.fs2_handle, g_tsg_para.fs2_field_id[TSG_FS2_BYPASS], 0, FS_OP_ADD, 1);
|
||||||
state=APP_STATE_GIVEME|APP_STATE_KILL_OTHER;
|
state=APP_STATE_GIVEME|APP_STATE_KILL_OTHER;
|
||||||
|
|
||||||
@@ -1848,7 +1851,7 @@ static unsigned char master_deal_scan_result(const struct streaminfo *a_stream,
|
|||||||
break;
|
break;
|
||||||
case TSG_ACTION_INTERCEPT:
|
case TSG_ACTION_INTERCEPT:
|
||||||
if(is_intercept_exclusion(a_stream, p_result, context->domain, a_stream->threadnum))
|
if(is_intercept_exclusion(a_stream, p_result, context->domain, a_stream->threadnum))
|
||||||
{
|
{
|
||||||
FS_operate(g_tsg_para.fs2_handle, g_tsg_para.fs2_field_id[TSG_FS2_EXCLUSION], 0, FS_OP_ADD, 1);
|
FS_operate(g_tsg_para.fs2_handle, g_tsg_para.fs2_field_id[TSG_FS2_EXCLUSION], 0, FS_OP_ADD, 1);
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
@@ -1953,7 +1956,7 @@ int session_flags_identify_result_cb(const struct streaminfo *a_stream, int brid
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
struct master_context *context=NULL;
|
struct master_context *context=NULL;
|
||||||
struct Maat_rule_t scan_result[MAX_RESULT_NUM]={0};
|
struct Maat_rule_t scan_result[MAX_RESULT_NUM]={0};
|
||||||
|
|
||||||
context=(struct master_context *)tsg_get_xxx_from_bridge(a_stream, g_tsg_para.bridge[BRIDGE_TYPE_DATA_CONTEXT].id);
|
context=(struct master_context *)tsg_get_xxx_from_bridge(a_stream, g_tsg_para.bridge[BRIDGE_TYPE_DATA_CONTEXT].id);
|
||||||
@@ -1982,6 +1985,7 @@ static int deal_pending_state(const struct streaminfo *a_stream, struct master_c
|
|||||||
if(ret==1)
|
if(ret==1)
|
||||||
{
|
{
|
||||||
set_l7_protocol_label(a_stream, context->proto);
|
set_l7_protocol_label(a_stream, context->proto);
|
||||||
|
context->is_app_link=FLAG_TRUE;
|
||||||
set_session_attribute_label(a_stream, TSG_ATTRIBUTE_TYPE_PROTOCOL, (void *)&(context->proto), sizeof(int), a_stream->threadnum);
|
set_session_attribute_label(a_stream, TSG_ATTRIBUTE_TYPE_PROTOCOL, (void *)&(context->proto), sizeof(int), a_stream->threadnum);
|
||||||
|
|
||||||
if(context->proto==PROTO_SSL)
|
if(context->proto==PROTO_SSL)
|
||||||
@@ -2144,7 +2148,11 @@ static unsigned char tsg_master_data_entry(const struct streaminfo *a_stream, vo
|
|||||||
|
|
||||||
if((a_stream->opstate==OP_STATE_CLOSE) || (state&APP_STATE_DROPME)==APP_STATE_DROPME)
|
if((a_stream->opstate==OP_STATE_CLOSE) || (state&APP_STATE_DROPME)==APP_STATE_DROPME)
|
||||||
{
|
{
|
||||||
*pme = NULL;
|
if(context->hited_result)
|
||||||
|
{
|
||||||
|
master_send_log(a_stream, context->hited_result, 1, context, thread_seq);
|
||||||
|
}
|
||||||
|
*pme=NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
return state;
|
return state;
|
||||||
@@ -2193,7 +2201,7 @@ static unsigned char tsg_master_all_entry(const struct streaminfo *a_stream, uns
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
int shaping_result_num=tsg_fetch_hited_security_result(hited_result, hit_num, shaping_result, MAX_RESULT_NUM);
|
int shaping_result_num=tsg_fetch_hited_shaping_result(hited_result, hit_num, shaping_result, MAX_RESULT_NUM);
|
||||||
if(state==APP_STATE_GIVEME && shaping_result_num>0)
|
if(state==APP_STATE_GIVEME && shaping_result_num>0)
|
||||||
{
|
{
|
||||||
master_deal_shaping_result(a_stream, shaping_result, shaping_result_num);
|
master_deal_shaping_result(a_stream, shaping_result, shaping_result_num);
|
||||||
|
|||||||
@@ -2232,12 +2232,15 @@ int tsg_send_log(struct tsg_log_instance_t *instance, struct TLD_handle_t *handl
|
|||||||
send_log(_instance, _handle, log_msg->a_stream, log_msg->result, log_msg->result_num, thread_id);
|
send_log(_instance, _handle, log_msg->a_stream, log_msg->result, log_msg->result_num, thread_id);
|
||||||
|
|
||||||
//fetch firewall result
|
//fetch firewall result
|
||||||
struct policy_priority_label *priority_label=(struct policy_priority_label *)tsg_get_xxx_from_bridge(log_msg->a_stream, g_tsg_para.bridge[BRIDGE_TYPE_POLICY_PRIORITY].id);
|
if(log_msg->result[0].action!=TSG_ACTION_INTERCEPT)
|
||||||
if(priority_label!=NULL && priority_label->security_result_num>0)
|
|
||||||
{
|
{
|
||||||
send_log(_instance, _handle, log_msg->a_stream, priority_label->security_result, priority_label->security_result_num, thread_id);
|
struct policy_priority_label *priority_label=(struct policy_priority_label *)tsg_get_xxx_from_bridge(log_msg->a_stream, g_tsg_para.bridge[BRIDGE_TYPE_POLICY_PRIORITY].id);
|
||||||
free_policy_label(log_msg->a_stream, g_tsg_para.bridge[BRIDGE_TYPE_POLICY_PRIORITY].id, (void *)priority_label);
|
if((log_msg->result[0].service_id==2 || log_msg->result[0].service_id==7) && priority_label!=NULL && priority_label->security_result_num>0)
|
||||||
tsg_set_xxx_to_bridge(log_msg->a_stream, g_tsg_para.bridge[BRIDGE_TYPE_POLICY_PRIORITY].id, NULL);
|
{
|
||||||
|
send_log(_instance, _handle, log_msg->a_stream, priority_label->security_result, priority_label->security_result_num, thread_id);
|
||||||
|
free_policy_label(log_msg->a_stream, g_tsg_para.bridge[BRIDGE_TYPE_POLICY_PRIORITY].id, (void *)priority_label);
|
||||||
|
tsg_set_xxx_to_bridge(log_msg->a_stream, g_tsg_para.bridge[BRIDGE_TYPE_POLICY_PRIORITY].id, NULL);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
TLD_cancel(handle);
|
TLD_cancel(handle);
|
||||||
|
|||||||
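Review bot: In the TSG_ACTION_BYPASS case (hunk at 1841) `context->hited_result=(struct Maat_rule_t *)dictator_malloc(1, sizeof(struct Maat_rule_t));` runs unconditionally and overwrites any earlier `hited_result`, while the DENY case (hunk at 1811) allocates only `if(context->hited_result==NULL)`; if master_deal_scan_result runs more than once for a session, the earlier buffer is leaked and the rule logged at close (hunk at 2148) is silently the last one hit, so the BYPASS case should use the same `if(context->hited_result==NULL)` guard around the allocation. Neither site checks the allocation before `memcpy(context->hited_result, p_result, ...)`; unless dictator_malloc is guaranteed never to return NULL, the copy should be skipped when it does. In tsg_send_log (hunk at 2232) `log_msg->result[0].action` and `.service_id` are now read with no visible check that `log_msg->result_num>0`, the literals `2` and `7` in `service_id==2 || service_id==7` should be named constants, and when the action is TSG_ACTION_INTERCEPT the priority label is no longer freed or cleared from the bridge, which leaks it per session unless another path does so. The commented-out calls left in the hunks at 865 and 1841 (`//tsg_set_policy_result(...)`, `//set_security_result_to_project(...)`) should be deleted rather than kept as comments. Every function touched here starts and ends outside its hunk.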