TSG-13659: 修复误将security policy通知shaping master,导致应用重启的问题
TSG-13727: 修复Intercpt动作重复发送日志的问题
This commit is contained in:
liuxueli
@@ -865,7 +865,7 @@ static unsigned char tsg_do_deny_action(const struct streaminfo *a_stream, struc
|
||||
set_after_n_packet_to_tcpall(a_stream, user_region->deny->after_n_packets, a_stream->threadnum);
|
||||
}
|
||||
|
||||
tsg_set_policy_result(a_stream, PULL_FW_RESULT, p_result, protocol, a_stream->threadnum);
|
||||
//tsg_set_policy_result(a_stream, PULL_FW_RESULT, p_result, protocol, a_stream->threadnum);
|
||||
local_state=((type==ACTION_RETURN_TYPE_PROT) ? (STATE_DROPME) : (STATE_DROPME|STATE_KILL_OTHER));
|
||||
break;
|
||||
}
|
||||
|
||||
@@ -83,6 +83,7 @@ struct master_context
|
||||
scan_status_t mid;
|
||||
struct hited_app_para hited_para; // l7 protocol and app
|
||||
long long last_scan_time;
|
||||
struct Maat_rule_t *hited_result;
|
||||
};
|
||||
|
||||
struct tcpall_context
|
||||
|
||||
@@ -1229,10 +1229,6 @@ static void set_security_result_to_project(const struct streaminfo *a_stream, st
|
||||
}
|
||||
}
|
||||
|
||||
if(priority_label->security_result_num>0 && priority_label->security_result[0].action!=p_result[0].action)
|
||||
{
|
||||
}
|
||||
|
||||
int num=MIN(MAX_RESULT_NUM-priority_label->security_result_num, p_result_num);
|
||||
for(int i=0; i<num; i++)
|
||||
{
|
||||
@@ -1815,7 +1811,11 @@ static unsigned char master_deal_scan_result(const struct streaminfo *a_stream,
|
||||
|
||||
if((state&APP_STATE_DROPPKT)==APP_STATE_DROPPKT || (state&APP_STATE_KILL_OTHER))
|
||||
{
|
||||
master_send_log(a_stream, p_result, 1, context, a_stream->threadnum);
|
||||
if(context->hited_result==NULL)
|
||||
{
|
||||
context->hited_result=(struct Maat_rule_t *)dictator_malloc(1, sizeof(struct Maat_rule_t));
|
||||
memcpy(context->hited_result, p_result, sizeof(struct Maat_rule_t));
|
||||
}
|
||||
MESA_handle_runtime_log(g_tsg_para.logger,
|
||||
RLOG_LV_DEBUG,
|
||||
"DENY",
|
||||
@@ -1825,7 +1825,8 @@ static unsigned char master_deal_scan_result(const struct streaminfo *a_stream,
|
||||
(unsigned char)p_result->action,
|
||||
PRINTADDR(a_stream, g_tsg_para.level)
|
||||
);
|
||||
}else
|
||||
}
|
||||
else
|
||||
{
|
||||
set_security_result_to_project(a_stream, p_result, 1, PULL_FW_RESULT, a_stream->threadnum);
|
||||
}
|
||||
@@ -1840,7 +1841,9 @@ static unsigned char master_deal_scan_result(const struct streaminfo *a_stream,
|
||||
break;
|
||||
case TSG_ACTION_BYPASS:
|
||||
context->is_hited_allow=1;
|
||||
set_security_result_to_project(a_stream, p_result, 1, PULL_FW_RESULT, a_stream->threadnum);
|
||||
context->hited_result=(struct Maat_rule_t *)dictator_malloc(1, sizeof(struct Maat_rule_t));
|
||||
memcpy(context->hited_result, p_result, sizeof(struct Maat_rule_t));
|
||||
//set_security_result_to_project(a_stream, p_result, 1, PULL_FW_RESULT, a_stream->threadnum);
|
||||
FS_operate(g_tsg_para.fs2_handle, g_tsg_para.fs2_field_id[TSG_FS2_BYPASS], 0, FS_OP_ADD, 1);
|
||||
state=APP_STATE_GIVEME|APP_STATE_KILL_OTHER;
|
||||
|
||||
@@ -1982,6 +1985,7 @@ static int deal_pending_state(const struct streaminfo *a_stream, struct master_c
|
||||
if(ret==1)
|
||||
{
|
||||
set_l7_protocol_label(a_stream, context->proto);
|
||||
context->is_app_link=FLAG_TRUE;
|
||||
set_session_attribute_label(a_stream, TSG_ATTRIBUTE_TYPE_PROTOCOL, (void *)&(context->proto), sizeof(int), a_stream->threadnum);
|
||||
|
||||
if(context->proto==PROTO_SSL)
|
||||
@@ -2144,6 +2148,10 @@ static unsigned char tsg_master_data_entry(const struct streaminfo *a_stream, vo
|
||||
|
||||
if((a_stream->opstate==OP_STATE_CLOSE) || (state&APP_STATE_DROPME)==APP_STATE_DROPME)
|
||||
{
|
||||
if(context->hited_result)
|
||||
{
|
||||
master_send_log(a_stream, context->hited_result, 1, context, thread_seq);
|
||||
}
|
||||
*pme=NULL;
|
||||
}
|
||||
|
||||
@@ -2193,7 +2201,7 @@ static unsigned char tsg_master_all_entry(const struct streaminfo *a_stream, uns
|
||||
}
|
||||
}
|
||||
|
||||
int shaping_result_num=tsg_fetch_hited_security_result(hited_result, hit_num, shaping_result, MAX_RESULT_NUM);
|
||||
int shaping_result_num=tsg_fetch_hited_shaping_result(hited_result, hit_num, shaping_result, MAX_RESULT_NUM);
|
||||
if(state==APP_STATE_GIVEME && shaping_result_num>0)
|
||||
{
|
||||
master_deal_shaping_result(a_stream, shaping_result, shaping_result_num);
|
||||
|
||||
@@ -2232,13 +2232,16 @@ int tsg_send_log(struct tsg_log_instance_t *instance, struct TLD_handle_t *handl
|
||||
send_log(_instance, _handle, log_msg->a_stream, log_msg->result, log_msg->result_num, thread_id);
|
||||
|
||||
//fetch firewall result
|
||||
if(log_msg->result[0].action!=TSG_ACTION_INTERCEPT)
|
||||
{
|
||||
struct policy_priority_label *priority_label=(struct policy_priority_label *)tsg_get_xxx_from_bridge(log_msg->a_stream, g_tsg_para.bridge[BRIDGE_TYPE_POLICY_PRIORITY].id);
|
||||
if(priority_label!=NULL && priority_label->security_result_num>0)
|
||||
if((log_msg->result[0].service_id==2 || log_msg->result[0].service_id==7) && priority_label!=NULL && priority_label->security_result_num>0)
|
||||
{
|
||||
send_log(_instance, _handle, log_msg->a_stream, priority_label->security_result, priority_label->security_result_num, thread_id);
|
||||
free_policy_label(log_msg->a_stream, g_tsg_para.bridge[BRIDGE_TYPE_POLICY_PRIORITY].id, (void *)priority_label);
|
||||
tsg_set_xxx_to_bridge(log_msg->a_stream, g_tsg_para.bridge[BRIDGE_TYPE_POLICY_PRIORITY].id, NULL);
|
||||
}
|
||||
}
|
||||
|
||||
TLD_cancel(handle);
|
||||
|
||||
|
||||
Reference in New Issue
Block a user