TSG-8709: 支持执行Default Security Policy(Deny/Allow)
@@ -28,6 +28,7 @@ enum TSG_METHOD_TYPE
|
||||
TSG_METHOD_TYPE_RATE_LIMIT,
|
||||
TSG_METHOD_TYPE_MIRRORED,
|
||||
TSG_METHOD_TYPE_TAMPER,
|
||||
TSG_METHOD_TYPE_DEFAULT,
|
||||
TSG_METHOD_TYPE_MAX
|
||||
};
|
||||
|
||||
|
||||
@@ -573,6 +573,85 @@ static unsigned char do_action_drop(const struct streaminfo *a_stream, Maat_rule
|
||||
return STATE_DROPME|STATE_DROPPKT;
|
||||
}
|
||||
|
||||
static unsigned char do_action_tamper(const struct streaminfo *a_stream, Maat_rule_t *p_result, struct compile_user_region *user_region, tsg_protocol_t protocol, const void *user_data)
|
||||
{
|
||||
if(user_region==NULL)
|
||||
{
|
||||
return do_action_drop(a_stream, p_result, user_region, protocol, user_data);
|
||||
}
|
||||
|
||||
struct tcpall_context * _context=(struct tcpall_context *)get_struct_project(a_stream, g_tsg_para.tcpall_project_id);
|
||||
if(_context==NULL)
|
||||
{
|
||||
_context=(struct tcpall_context *)dictator_malloc(a_stream->threadnum, sizeof(struct tcpall_context));
|
||||
memset(_context, 0, sizeof(struct tcpall_context));
|
||||
set_struct_project(a_stream, g_tsg_para.tcpall_project_id, (void *)_context);
|
||||
_context->method_type=TSG_METHOD_TYPE_TAMPER;
|
||||
_context->tamper_count = 1;
|
||||
}else{
|
||||
if(_context->method_type != TSG_METHOD_TYPE_TAMPER)
|
||||
{
|
||||
_context->method_type=TSG_METHOD_TYPE_TAMPER;
|
||||
_context->tamper_count = 1;
|
||||
}
|
||||
else
|
||||
{
|
||||
//to do error log
|
||||
//_context->method_type
|
||||
MESA_handle_runtime_log(g_tsg_para.logger,
|
||||
RLOG_LV_DEBUG,
|
||||
__FUNCTION__,
|
||||
"_context->method_type : %d",
|
||||
_context->method_type);
|
||||
|
||||
return STATE_GIVEME;
|
||||
}
|
||||
}
|
||||
|
||||
if(0 == send_tamper_xxx(a_stream, &_context->tamper_count, user_data)){
|
||||
return STATE_DROPPKT;
|
||||
}
|
||||
return STATE_GIVEME;
|
||||
}
|
||||
|
||||
static unsigned char do_action_default_xxx(const struct streaminfo *a_stream, Maat_rule_t *p_result, struct compile_user_region *user_region, tsg_protocol_t protocol, const void *user_data)
|
||||
{
|
||||
struct deny_user_region *deny_region=NULL;
|
||||
|
||||
switch(a_stream->type)
|
||||
{
|
||||
case STREAM_TYPE_TCP:
|
||||
deny_region=&(user_region->session_para->tcp);
|
||||
break;
|
||||
case STREAM_TYPE_UDP:
|
||||
deny_region=&(user_region->session_para->udp);
|
||||
break;
|
||||
default:
|
||||
return STATE_DROPME|STATE_DROPPKT;
|
||||
break;
|
||||
}
|
||||
|
||||
switch(deny_region->type)
|
||||
{
|
||||
case TSG_DENY_TYPE_DEFAULT_RST:
|
||||
do_action_reset(a_stream, p_result, protocol);
|
||||
break;
|
||||
case TSG_DENY_TYPE_SEND_ICMP:
|
||||
case TSG_DENY_TYPE_DEFAULT_DROP:
|
||||
struct compile_user_region tmp_user_region;
|
||||
tmp_user_region.deny=deny_region;
|
||||
tmp_user_region.capture.enabled=0;
|
||||
tmp_user_region.capture.depth=0;
|
||||
tmp_user_region.method_type=TSG_METHOD_TYPE_DROP;
|
||||
do_action_drop(a_stream, p_result, &tmp_user_region, protocol, user_data);
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
}
|
||||
|
||||
return STATE_DROPME|STATE_DROPPKT;
|
||||
}
|
||||
|
||||
static unsigned char do_action_ratelimit(const struct streaminfo *a_stream, Maat_rule_t *p_result, struct compile_user_region *user_region, enum ACTION_RETURN_TYPE type)
|
||||
{
|
||||
struct tcpall_context *context=NULL;
|
||||
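Review bot: do_action_default_xxx reads `user_region->session_para->tcp` and `->udp` without checking `user_region` or `session_para` for NULL, unlike do_action_tamper directly above it, which falls back to do_action_drop on `user_region==NULL`, and get_default_para elsewhere in this commit, which tests `session_para!=NULL`; add `if(user_region==NULL || user_region->session_para==NULL) { return STATE_DROPME|STATE_DROPPKT; }` before the first switch. `struct compile_user_region tmp_user_region;` is declared under a case label with no braces and only `deny`, `capture.enabled`, `capture.depth` and `method_type` are assigned, so every other member (`ref_cnt`, the `mirror`/`session_para` overlay, anything else in `capture`) is indeterminate when do_action_drop receives it; brace the case body and write `struct compile_user_region tmp_user_region={0};`. In do_action_tamper the `else` branch now takes over any context whose method is not TAMPER and writes `tamper_count`, which shares the anonymous union with `bucket` and `after_n_packets` in struct tcpall_context, so a RATE_LIMIT context would lose its bucket pointer without release; the removed version only claimed a context in TSG_METHOD_TYPE_UNKNOWN and guarded send_tamper_xxx with `a_stream->type != STREAM_TYPE_TCP`, so confirm both changes are intended. The function also ignores the return values of do_action_reset and do_action_drop and always reports `STATE_DROPME|STATE_DROPPKT`, which deserves a one-line comment if that is deliberate.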
@@ -725,42 +804,6 @@ static unsigned char do_action_redirect_xxx(const struct streaminfo *a_stream, M
|
||||
return STATE_DROPME|STATE_DROPPKT;
|
||||
}
|
||||
|
||||
static unsigned char do_action_tamper(const struct streaminfo *a_stream, Maat_rule_t *p_result, struct compile_user_region *user_region, tsg_protocol_t protocol, const void *user_data)
|
||||
{
|
||||
if(user_region==NULL){
|
||||
return do_action_drop(a_stream, p_result, user_region, protocol, user_data);
|
||||
}
|
||||
|
||||
struct tcpall_context * _context=(struct tcpall_context *)get_struct_project(a_stream, g_tsg_para.tcpall_project_id);
|
||||
if(_context==NULL){
|
||||
_context=(struct tcpall_context *)dictator_malloc(a_stream->threadnum, sizeof(struct tcpall_context));
|
||||
memset(_context, 0, sizeof(struct tcpall_context));
|
||||
set_struct_project(a_stream, g_tsg_para.tcpall_project_id, (void *)_context);
|
||||
_context->method_type=TSG_METHOD_TYPE_TAMPER;
|
||||
_context->tamper_count = -1;
|
||||
}else{
|
||||
if(_context->method_type == TSG_METHOD_TYPE_UNKNOWN){
|
||||
_context->method_type=TSG_METHOD_TYPE_TAMPER;
|
||||
_context->tamper_count = -1;
|
||||
}else if (_context->method_type == TSG_METHOD_TYPE_TAMPER){
|
||||
MESA_handle_runtime_log(g_tsg_para.logger,
|
||||
RLOG_LV_DEBUG,
|
||||
__FUNCTION__,
|
||||
"Tamper is been processed, _context->method_type : %d",
|
||||
_context->method_type);
|
||||
return STATE_GIVEME;
|
||||
}
|
||||
}
|
||||
|
||||
if(a_stream->type != STREAM_TYPE_TCP){
|
||||
if(0 == send_tamper_xxx(a_stream, &_context->tamper_count, user_data)){
|
||||
return STATE_DROPPKT;
|
||||
}
|
||||
}
|
||||
|
||||
return STATE_GIVEME;
|
||||
}
|
||||
|
||||
unsigned char tsg_deal_deny_action(const struct streaminfo *a_stream, Maat_rule_t *p_result, tsg_protocol_t protocol, enum ACTION_RETURN_TYPE type, const void *user_data)
|
||||
{
|
||||
unsigned char local_state=STATE_GIVEME;
|
||||
@@ -805,10 +848,20 @@ unsigned char tsg_deal_deny_action(const struct streaminfo *a_stream, Maat_rule_
|
||||
case TSG_METHOD_TYPE_TAMPER:
|
||||
local_state=do_action_tamper(a_stream, p_result, user_region, protocol, user_data);
|
||||
break;
|
||||
case TSG_METHOD_TYPE_DEFAULT:
|
||||
local_state=do_action_default_xxx(a_stream, p_result, user_region, protocol, user_data);
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
}
|
||||
|
||||
|
||||
if(method_type!=TSG_METHOD_TYPE_DEFAULT)
|
||||
{
|
||||
struct tcpall_context *context=NULL;
|
||||
tsg_set_method_to_tcpall(a_stream, &context, (enum TSG_METHOD_TYPE)method_type, a_stream->threadnum);
|
||||
}
|
||||
|
||||
security_compile_free(g_tsg_para.table_id[TABLE_SECURITY_COMPILE], p_result, NULL, (MAAT_RULE_EX_DATA *)&user_region, 0, NULL);
|
||||
|
||||
state=((type==ACTION_RETURN_TYPE_PROT) ? PROT_STATE_GIVEME : APP_STATE_GIVEME);
|
||||
|
||||
@@ -430,6 +430,37 @@ static int get_raw_packet_len(const struct streaminfo *a_stream)
|
||||
return raw_packet_len;
|
||||
}
|
||||
|
||||
static int get_default_para(const struct streaminfo *a_stream, int compile_id)
|
||||
{
|
||||
int after_n_packets=0;
|
||||
struct Maat_rule_t p_result={0};
|
||||
struct compile_user_region *user_region=NULL;
|
||||
|
||||
p_result.config_id=compile_id;
|
||||
user_region=(struct compile_user_region *)Maat_rule_get_ex_data(g_tsg_maat_feather, &p_result, g_tsg_para.table_id[TABLE_SECURITY_COMPILE]);
|
||||
if(user_region!=NULL && user_region->method_type==TSG_METHOD_TYPE_DEFAULT)
|
||||
{
|
||||
if(user_region->session_para!=NULL && user_region->session_para->result.action==TSG_ACTION_DENY)
|
||||
{
|
||||
switch(a_stream->type)
|
||||
{
|
||||
case STREAM_TYPE_TCP:
|
||||
after_n_packets=user_region->session_para->tcp.after_n_packets;
|
||||
break;
|
||||
case STREAM_TYPE_UDP:
|
||||
after_n_packets=user_region->session_para->udp.after_n_packets;
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
security_compile_free(g_tsg_para.table_id[TABLE_SECURITY_COMPILE], &p_result, NULL, (MAAT_RULE_EX_DATA *)&user_region, 0, NULL);
|
||||
}
|
||||
|
||||
return after_n_packets;
|
||||
}
|
||||
|
||||
static int get_default_policy(int compile_id, struct Maat_rule_t *result)
|
||||
{
|
||||
struct Maat_rule_t p_result={0};
|
||||
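Review bot: get_default_para calls security_compile_free only inside `if(user_region!=NULL && user_region->method_type==TSG_METHOD_TYPE_DEFAULT)`, so a region returned by Maat_rule_get_ex_data whose method is not DEFAULT is never handed back; if Maat_rule_get_ex_data takes a reference (compile_user_region carries `ref_cnt` and security_compile_new does `atomic_inc` on it), that is a leak on every call for a non-default compile id. The same narrowing appears in get_default_policy in the next hunk, where the old `if(user_region!=NULL)` gate around the free becomes `if(user_region!=NULL && user_region->method_type==TSG_METHOD_TYPE_DEFAULT)`. Keep the outer test as `if(user_region!=NULL)` in both functions and move the method/session_para check inside it, so security_compile_free runs whenever a region was obtained, e.g. `if(user_region!=NULL) { if(user_region->method_type==TSG_METHOD_TYPE_DEFAULT && user_region->session_para!=NULL) { ... } security_compile_free(...); }`. get_default_policy's body continues past the hunk.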
@@ -437,15 +468,11 @@ static int get_default_policy(int compile_id, struct Maat_rule_t *result)
|
||||
|
||||
p_result.config_id=compile_id;
|
||||
user_region=(struct compile_user_region *)Maat_rule_get_ex_data(g_tsg_maat_feather, &p_result, g_tsg_para.table_id[TABLE_SECURITY_COMPILE]);
|
||||
if(user_region!=NULL)
|
||||
if(user_region!=NULL && user_region->method_type==TSG_METHOD_TYPE_DEFAULT)
|
||||
{
|
||||
if(user_region->result!=NULL)
|
||||
if(user_region->session_para!=NULL && user_region->session_para->result.action==TSG_ACTION_DENY)
|
||||
{
|
||||
memcpy(result, user_region->result, sizeof(struct Maat_rule_t));
|
||||
if(result->action==TSG_ACTION_BYPASS)
|
||||
{
|
||||
result->action=TSG_ACTION_NONE;
|
||||
}
|
||||
memcpy(result, &(user_region->session_para->result), sizeof(struct Maat_rule_t));
|
||||
}
|
||||
|
||||
security_compile_free(g_tsg_para.table_id[TABLE_SECURITY_COMPILE], &p_result, NULL, (MAAT_RULE_EX_DATA *)&user_region, 0, NULL);
|
||||
@@ -455,6 +482,33 @@ static int get_default_policy(int compile_id, struct Maat_rule_t *result)
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int is_do_default_policy(const struct streaminfo *a_stream, int after_n_packets)
|
||||
{
|
||||
if(after_n_packets<=0 || a_stream->pdetail==NULL)
|
||||
{
|
||||
return 0;
|
||||
}
|
||||
|
||||
switch(a_stream->type)
|
||||
{
|
||||
case STREAM_TYPE_TCP:
|
||||
if((int)(a_stream->ptcpdetail->clientpktnum+a_stream->ptcpdetail->serverpktnum) >= after_n_packets)
|
||||
{
|
||||
return 1;
|
||||
}
|
||||
break;
|
||||
case STREAM_TYPE_UDP:
|
||||
if((int)(a_stream->pudpdetail->clientpktnum+a_stream->pudpdetail->serverpktnum) >= after_n_packets)
|
||||
{
|
||||
return 1;
|
||||
}
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int master_send_log(const struct streaminfo *a_stream, struct Maat_rule_t *p_result, int result_num, struct master_context *context, int thread_seq)
|
||||
{
|
||||
@@ -1423,6 +1477,7 @@ static unsigned char master_deal_scan_result(const struct streaminfo *a_stream,
|
||||
{
|
||||
Maat_rule_t *p_result=NULL;
|
||||
unsigned char state=APP_STATE_GIVEME;
|
||||
struct tcpall_context *tmp_tcpall_context=NULL;
|
||||
|
||||
p_result=tsg_policy_decision_criteria(result, hit_num);
|
||||
if(p_result!=NULL)
|
||||
@@ -1461,6 +1516,8 @@ static unsigned char master_deal_scan_result(const struct streaminfo *a_stream,
|
||||
copy_result_to_project(a_stream, context, p_result, context->domain, context->proto, PULL_FW_RESULT, a_stream->threadnum);
|
||||
FS_operate(g_tsg_para.fs2_handle, g_tsg_para.fs2_field_id[TSG_FS2_BYPASS], 0, FS_OP_ADD, 1);
|
||||
state=APP_STATE_GIVEME|APP_STATE_KILL_OTHER;
|
||||
|
||||
tsg_set_method_to_tcpall(a_stream, &tmp_tcpall_context, TSG_METHOD_TYPE_UNKNOWN, a_stream->threadnum);
|
||||
break;
|
||||
case TSG_ACTION_INTERCEPT:
|
||||
if(is_intercept_exclusion(a_stream, p_result, context->domain, a_stream->threadnum))
|
||||
@@ -1472,6 +1529,8 @@ static unsigned char master_deal_scan_result(const struct streaminfo *a_stream,
|
||||
copy_result_to_project(a_stream, context, p_result, context->domain, context->proto, PULL_KNI_RESULT, a_stream->threadnum);
|
||||
FS_operate(g_tsg_para.fs2_handle, g_tsg_para.fs2_field_id[TSG_FS2_INTERCEPT], 0, FS_OP_ADD, 1);
|
||||
state=APP_STATE_DROPME|APP_STATE_KILL_OTHER;
|
||||
|
||||
tsg_set_method_to_tcpall(a_stream, &tmp_tcpall_context, TSG_METHOD_TYPE_UNKNOWN, a_stream->threadnum);
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
@@ -1657,15 +1716,6 @@ static unsigned char tsg_master_data_entry(const struct streaminfo *a_stream, vo
|
||||
|
||||
hit_num+=deal_pending_state(a_stream, context, scan_result+hit_num, MAX_RESULT_NUM-hit_num, a_packet);
|
||||
p_result=tsg_policy_decision_criteria(scan_result, hit_num);
|
||||
if(g_tsg_para.default_compile_switch==1 && p_result==NULL)
|
||||
{
|
||||
if(get_default_policy(g_tsg_para.default_compile_id, &scan_result[0]))
|
||||
{
|
||||
hit_num=1;
|
||||
p_result=&scan_result[0];
|
||||
}
|
||||
}
|
||||
|
||||
state=master_deal_scan_result(a_stream, context, scan_result, hit_num, a_packet);
|
||||
break;
|
||||
case OP_STATE_DATA:
|
||||
@@ -1737,9 +1787,11 @@ static unsigned char tsg_master_all_entry(const struct streaminfo *a_stream, uns
|
||||
struct Maat_rule_t result[MAX_RESULT_NUM]={0};
|
||||
struct tcpall_context *context=(struct tcpall_context *)(*pme);
|
||||
|
||||
switch(stream_state)
|
||||
if(stream_state==OP_STATE_PENDING)
|
||||
{
|
||||
case OP_STATE_PENDING:
|
||||
context->method_type=TSG_METHOD_TYPE_DEFAULT;
|
||||
context->after_n_packets=get_default_para(a_stream, g_tsg_para.default_compile_id);
|
||||
|
||||
hit_num=tsg_scan_nesting_addr(g_tsg_maat_feather, a_stream, PROTO_UNKONWN, &scan_mid, result, MAX_RESULT_NUM);
|
||||
if(hit_num>0)
|
||||
{
|
||||
@@ -1760,19 +1812,8 @@ static unsigned char tsg_master_all_entry(const struct streaminfo *a_stream, uns
|
||||
|
||||
Maat_clean_status(&scan_mid);
|
||||
scan_mid=NULL;
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
}
|
||||
|
||||
if(context==NULL)
|
||||
{
|
||||
context=(struct tcpall_context *)get_struct_project(a_stream, g_tsg_para.tcpall_project_id);
|
||||
*pme=(void *)context;
|
||||
}
|
||||
|
||||
if(context!=NULL && context->para!=NULL)
|
||||
{
|
||||
switch(context->method_type)
|
||||
{
|
||||
case TSG_METHOD_TYPE_RATE_LIMIT:
|
||||
@@ -1789,16 +1830,34 @@ static unsigned char tsg_master_all_entry(const struct streaminfo *a_stream, uns
|
||||
}
|
||||
break;
|
||||
case TSG_METHOD_TYPE_TAMPER:
|
||||
if(a_stream->opstate != OP_STATE_PENDING){
|
||||
if(0 == send_tamper_xxx(a_stream, &context->tamper_count, a_packet)){
|
||||
state|=APP_STATE_GIVEME|APP_STATE_DROPPKT;
|
||||
}else{
|
||||
state=APP_STATE_GIVEME;
|
||||
}
|
||||
context->tamper_count += 1;
|
||||
MESA_handle_runtime_log(g_tsg_para.logger,
|
||||
RLOG_LV_DEBUG,
|
||||
__FUNCTION__,
|
||||
"Addr: %s, send_tamper_xxx num %ld",
|
||||
PRINTADDR(a_stream, g_tsg_para.level),
|
||||
context->tamper_count);
|
||||
break;
|
||||
|
||||
case TSG_METHOD_TYPE_DEFAULT:
|
||||
if(!is_do_default_policy(a_stream, context->after_n_packets) || stream_state==OP_STATE_CLOSE)
|
||||
{
|
||||
break;
|
||||
}
|
||||
|
||||
if(get_default_policy(g_tsg_para.default_compile_id, &result[0]))
|
||||
{
|
||||
state=tsg_deal_deny_action(a_stream, &result[0], PROTO_UNKONWN, ACTION_RETURN_TYPE_APP, a_packet);
|
||||
master_send_log(a_stream, &result[0], 1, NULL, thread_seq);
|
||||
}
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
return state;
|
||||
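Review bot: In the OP_STATE_PENDING branch `context->method_type=TSG_METHOD_TYPE_DEFAULT` writes through `*pme` before any NULL test, and the later `if(context==NULL)` lookup via get_struct_project is removed in the following hunk, so the function now depends on every entry point having allocated the tcpall context up front; the TSG_MASTER_UDP_ENTRY hunk below does that, the TCP path is not in this diff, so confirm it or put a guard ahead of the write. The DEFAULT case is reached only through `if(context!=NULL && context->para!=NULL)`, but in that state the context stores `after_n_packets`, which overlays `para` in the anonymous union of struct tcpall_context, so the gate works only by type punning and would read differently on a platform where the `int` does not occupy the low bytes of the pointer; test `context->method_type==TSG_METHOD_TYPE_DEFAULT || context->para!=NULL` at the gate, or check `context->after_n_packets` inside the case. Once is_do_default_policy becomes true it stays true, and tsg_deal_deny_action skips tsg_set_method_to_tcpall for TSG_METHOD_TYPE_DEFAULT, so get_default_policy, tsg_deal_deny_action and master_send_log run again on every later packet of the stream — if master_send_log emits a record per call, that is one log entry per packet, which looks unintended; consider marking the context after the first application. tsg_master_all_entry begins outside this hunk.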
@@ -1825,6 +1884,9 @@ extern "C" unsigned char TSG_MASTER_UDP_ENTRY(const struct streaminfo *a_udp, vo
|
||||
{
|
||||
*pme=dictator_malloc(thread_seq, sizeof(struct udp_context));
|
||||
memset(*pme, 0, sizeof(struct udp_context));
|
||||
context=(struct udp_context *)(*pme);
|
||||
|
||||
context->all_entry=(struct tcpall_context *)dictator_malloc(thread_seq, sizeof(struct tcpall_context));
|
||||
memset(context->all_entry, 0, sizeof(struct tcpall_context));
|
||||
}
|
||||
|
||||
@@ -1902,7 +1964,6 @@ extern "C" int TSG_MASTER_INIT()
|
||||
MESA_load_profile_int_def(tsg_conffile, "RESET", "DIR", &g_tsg_para.reset.dir, DIR_DOUBLE);
|
||||
MESA_load_profile_int_def(tsg_conffile, "RESET", "REMEDY", &g_tsg_para.reset.remedy, 1);
|
||||
|
||||
MESA_load_profile_int_def(tsg_conffile, "SYSTEM","DEFAULT_POLICY_SWITCH", &g_tsg_para.default_compile_switch, 0);
|
||||
MESA_load_profile_int_def(tsg_conffile, "SYSTEM","DEFAULT_POLICY_ID", &g_tsg_para.default_compile_id, 0);
|
||||
MESA_load_profile_int_def(tsg_conffile, "SYSTEM","HIT_PATH_SWITCH", &g_tsg_para.hit_path_switch, 0);
|
||||
|
||||
@@ -1955,7 +2016,7 @@ extern "C" int TSG_MASTER_INIT()
|
||||
MESA_load_profile_string_def(tsg_conffile, "SYSTEM", "APP_IDENTIFY_BRIDGE_NAME", g_tsg_para.bridge_name[BRIDGE_TYPE_APP_IDENTIFY_RESULT],_MAX_TABLE_NAME_LEN, "APP_BRIDGE");
|
||||
MESA_load_profile_string_def(tsg_conffile, "SYSTEM", "SKETCH_NOTIFY_BRIDGE_NAME", g_tsg_para.bridge_name[BRIDGE_TYPE_RECV_CONN_SKETCH_DATA],_MAX_TABLE_NAME_LEN, "TSG_CONN_SKETCH_NOTIFY_DATA");
|
||||
MESA_load_profile_string_def(tsg_conffile, "SYSTEM", "MASTER_NOTIFY_BRIDGE_NAME", g_tsg_para.bridge_name[BRIDGE_TYPE_SEND_CONN_SKETCH_DATA],_MAX_TABLE_NAME_LEN, "TSG_MASTER_NOTIFY_DATA");
|
||||
MESA_load_profile_string_def(tsg_conffile, "SYSTEM", "APP_BEHAVIOR_BRIDGE_NAME", g_tsg_para.bridge_name[BRIDGE_TYPE_APP_IDENTIFY_RESULT],_MAX_TABLE_NAME_LEN, "TSG_APPLICATION_BEHAVIOR");
|
||||
MESA_load_profile_string_def(tsg_conffile, "SYSTEM", "NOTIFY_EXEC_RESULT_BRIDGE_NAME", g_tsg_para.bridge_name[BRIDGE_TYPE_CONN_SKETCH_EXEC_RESULT],_MAX_TABLE_NAME_LEN, "TSG_NOTIFICATION_EXECUTION_RESULT");
|
||||
MESA_load_profile_string_def(tsg_conffile, "SYSTEM", "APP_BEHAVIOR_BRIDGE_NAME", g_tsg_para.bridge_name[BRIDGE_TYPE_APP_BEHAVIOR_RESULT],_MAX_TABLE_NAME_LEN, "TSG_APPLICATION_BEHAVIOR");
|
||||
|
||||
for(i=0; i<BRIDGE_TYPE_MAX; i++)
|
||||
|
||||
@@ -207,12 +207,12 @@ struct master_context
|
||||
struct tcpall_context
|
||||
{
|
||||
int set_latency_flag;
|
||||
int vlan_num;
|
||||
enum TSG_METHOD_TYPE method_type;
|
||||
union
|
||||
{
|
||||
struct leaky_bucket *bucket;
|
||||
long tamper_count;
|
||||
int after_n_packets;
|
||||
void *para;
|
||||
};
|
||||
};
|
||||
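Review bot: The anonymous union in struct tcpall_context now holds `bucket`, `tamper_count`, `after_n_packets` and `para` with nothing saying which member is live; readers in this commit select by `method_type` (do_action_tamper, tsg_master_all_entry, tsg_set_bucket_to_tcpall), and tsg_master_all_entry tests `para` while the DEFAULT state writes `after_n_packets`. Add a comment on the union, e.g. `/* active member is selected by method_type: bucket (RATE_LIMIT), tamper_count (TAMPER), after_n_packets (DEFAULT); para overlays all three */`, and a note on `method_type` that changing it without resetting the union silently discards the previous member (a `bucket` pointer in particular).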
@@ -242,7 +242,6 @@ typedef struct tsg_para
|
||||
enum DEPLOY_MODE deploy_mode;
|
||||
int scan_time_interval;
|
||||
int hit_path_switch;
|
||||
int default_compile_switch;
|
||||
int default_compile_id;
|
||||
int table_id[TABLE_MAX];
|
||||
int dyn_subscribe_ip_table_id; //TSG_DYN_SUBSCRIBER_IP
|
||||
@@ -376,7 +375,7 @@ void app_id_dict_free(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, void* ar
|
||||
void http_response_pages_free(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp);
|
||||
void dns_profile_records_free(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, void *argp);
|
||||
void set_session_attribute_label(const struct streaminfo *a_stream, enum TSG_ATTRIBUTE_TYPE type, void *value, int value_len, int thread_seq);
|
||||
|
||||
int tsg_set_method_to_tcpall(const struct streaminfo *a_stream, struct tcpall_context **context, enum TSG_METHOD_TYPE method_type, int thread_seq);
|
||||
int tsg_set_bucket_to_tcpall(const struct streaminfo *a_stream, struct tcpall_context **context, struct leaky_bucket *bucket, int thread_seq);
|
||||
void security_compile_free(int idx, const struct Maat_rule_t* rule, const char* srv_def_large, MAAT_RULE_EX_DATA* ad, long argl, void *argp);
|
||||
|
||||
|
||||
@@ -21,6 +21,8 @@ enum TSG_DENY_TYPE
|
||||
TSG_DENY_TYPE_REDIRECT_URL,
|
||||
TSG_DENY_TYPE_REDIRECT_RECORD,
|
||||
TSG_DENY_TYPE_SEND_ICMP,
|
||||
TSG_DENY_TYPE_DEFAULT_RST,
|
||||
TSG_DENY_TYPE_DEFAULT_DROP,
|
||||
TSG_DENY_TYPE_MAX
|
||||
};
|
||||
|
||||
@@ -52,7 +54,6 @@ struct dns_answer_records
|
||||
struct dns_record_val record_val;
|
||||
};
|
||||
|
||||
|
||||
struct dns_profile_records
|
||||
{
|
||||
int ref_cnt;
|
||||
@@ -83,6 +84,7 @@ struct deny_user_region
|
||||
{
|
||||
int code;
|
||||
int records_num;
|
||||
int after_n_packets;
|
||||
};
|
||||
union
|
||||
{
|
||||
@@ -91,7 +93,7 @@ struct deny_user_region
|
||||
struct dns_user_region *records;
|
||||
int profile_id;
|
||||
int bps;
|
||||
int send_icmp_unreachable_enable;
|
||||
int send_icmp_enable;
|
||||
void *para;
|
||||
};
|
||||
};
|
||||
@@ -109,6 +111,13 @@ struct monitor_user_region
|
||||
int profile_id;
|
||||
};
|
||||
|
||||
struct default_session_para
|
||||
{
|
||||
struct Maat_rule_t result; //XJ default policy
|
||||
struct deny_user_region tcp;
|
||||
struct deny_user_region udp;
|
||||
};
|
||||
|
||||
struct compile_user_region
|
||||
{
|
||||
int ref_cnt;
|
||||
@@ -117,7 +126,7 @@ struct compile_user_region
|
||||
{
|
||||
struct deny_user_region *deny;
|
||||
struct monitor_user_region *mirror;
|
||||
struct Maat_rule_t *result; //XJ default policy
|
||||
struct default_session_para *session_para;
|
||||
void *user_region_para;
|
||||
};
|
||||
struct packet_capture capture;
|
||||
|
||||
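Review bot: `session_para` joins the union with `deny`, `mirror` and `user_region_para` in struct compile_user_region, and `struct default_session_para` is allocated with calloc by parse_default_para in tsg_rule.cpp, but nothing in the header says which member is valid for which `method_type` or who owns `session_para`; the security_compile_free declaration is unchanged in this commit and its body is not in the diff, so confirm it releases `session_para` for TSG_METHOD_TYPE_DEFAULT regions. Add `/* valid member is selected by method_type; session_para (TSG_METHOD_TYPE_DEFAULT) is owned by this region and must be released together with it */` on the union, and on `deny_user_region.after_n_packets` a comment that it is only filled for the default policy's `tcp`/`udp` entries (get_default_para is the only reader in this diff).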
115
src/tsg_rule.cpp
115
src/tsg_rule.cpp
@@ -42,7 +42,8 @@ const struct _str2index method2index[TSG_METHOD_TYPE_MAX]={ {TSG_METHOD_TYPE_UNK
|
||||
{TSG_METHOD_TYPE_ALERT, 5, (char *)"alert"},
|
||||
{TSG_METHOD_TYPE_RATE_LIMIT, 10, (char *)"rate_limit"},
|
||||
{TSG_METHOD_TYPE_MIRRORED, 8, (char *)"mirrored"},
|
||||
{TSG_METHOD_TYPE_TAMPER, 6, (char *)"tamper"}
|
||||
{TSG_METHOD_TYPE_TAMPER, 6, (char *)"tamper"},
|
||||
{TSG_METHOD_TYPE_DEFAULT, 7, (char *)"default"}
|
||||
};
|
||||
|
||||
|
||||
@@ -860,6 +861,67 @@ static struct dns_user_region *parse_dns_user_region(cJSON *resolution_array, in
|
||||
return records;
|
||||
}
|
||||
|
||||
static int parse_default_para(cJSON *deny_user_region_object, struct compile_user_region *user_region)
|
||||
{
|
||||
cJSON *method_item=NULL;
|
||||
cJSON *tcp_session_item=cJSON_GetObjectItem(deny_user_region_object, "tcp_session");
|
||||
cJSON *udp_session_item=cJSON_GetObjectItem(deny_user_region_object, "udp_session");
|
||||
if(tcp_session_item==NULL || udp_session_item==NULL)
|
||||
{
|
||||
return 0;
|
||||
}
|
||||
|
||||
user_region->method_type=TSG_METHOD_TYPE_DEFAULT;
|
||||
user_region->session_para=(struct default_session_para *)calloc(1, sizeof(struct default_session_para));
|
||||
|
||||
method_item=cJSON_GetObjectItem(tcp_session_item, "method");
|
||||
if(method_item!=NULL)
|
||||
{
|
||||
int method_type=tsg_get_method_id(method_item->valuestring);
|
||||
switch(method_type)
|
||||
{
|
||||
case TSG_METHOD_TYPE_RST:
|
||||
case TSG_METHOD_TYPE_RESET:
|
||||
user_region->session_para->tcp.type=TSG_DENY_TYPE_DEFAULT_RST;
|
||||
get_integer_from_json(tcp_session_item, "after_n_packets", &(user_region->session_para->tcp.after_n_packets));
|
||||
break;
|
||||
case TSG_METHOD_TYPE_DROP:
|
||||
get_integer_from_json(tcp_session_item, "after_n_packets", &(user_region->session_para->tcp.after_n_packets));
|
||||
get_integer_from_json(tcp_session_item, "send_icmp_unreachable", &(user_region->session_para->tcp.send_icmp_enable));
|
||||
if(user_region->session_para->tcp.send_icmp_enable==1)
|
||||
{
|
||||
user_region->session_para->tcp.type=TSG_DENY_TYPE_SEND_ICMP;
|
||||
}
|
||||
else
|
||||
{
|
||||
user_region->session_para->tcp.type=TSG_DENY_TYPE_DEFAULT_DROP;
|
||||
}
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
method_item=cJSON_GetObjectItem(udp_session_item, "method");
|
||||
if(method_item!=NULL)
|
||||
{
|
||||
user_region->session_para->udp.type=TSG_DENY_TYPE_DEFAULT_DROP;
|
||||
get_integer_from_json(udp_session_item, "after_n_packets", &(user_region->session_para->udp.after_n_packets));
|
||||
get_integer_from_json(udp_session_item, "send_icmp_unreachable", &(user_region->session_para->udp.send_icmp_enable));
|
||||
if(user_region->session_para->udp.send_icmp_enable==1)
|
||||
{
|
||||
user_region->session_para->udp.type=TSG_DENY_TYPE_SEND_ICMP;
|
||||
}
|
||||
else
|
||||
{
|
||||
user_region->session_para->udp.type=TSG_DENY_TYPE_DEFAULT_DROP;
|
||||
}
|
||||
}
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
static int parse_packet_capture(cJSON *packet_capture_object, struct compile_user_region *user_region)
|
||||
{
|
||||
if(packet_capture_object==NULL || user_region==NULL)
|
||||
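Review bot: parse_default_para passes `method_item->valuestring` to tsg_get_method_id without checking that the item is a string, and cJSON leaves `valuestring` NULL for numbers, objects and booleans, so a malformed policy record feeds NULL into the method lookup; test `method_item->type==cJSON_String && method_item->valuestring!=NULL` before the call (the udp block only uses `method_item` as a presence test, but it still reads `after_n_packets` and `send_icmp_unreachable` unconditionally). The `calloc` of `session_para` is not checked and the next line dereferences it; return 0 on NULL the way the missing-session case does. When the tcp method is neither rst/reset nor drop, the `default:` branch leaves `tcp.type` at its zeroed value yet the function still returns 1, so the region is accepted as a DEFAULT policy with an undefined tcp action; either reject it (free `session_para` and `return 0`) or document that TSG_DENY_TYPE value 0 means no action. Note also that parse_deny_user_region in a later hunk now routes every unrecognised method string to parse_default_para, so a typo in an ordinary deny rule's method becomes a default-policy candidate unless tsg_get_method_id rejects unknown names upstream.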
@@ -957,7 +1019,7 @@ static struct compile_user_region *parse_deny_user_region(cJSON *deny_user_regio
|
||||
break;
|
||||
case TSG_METHOD_TYPE_DROP:
|
||||
user_region->deny=(struct deny_user_region *)calloc(1, sizeof(struct deny_user_region));
|
||||
ret=get_integer_from_json(deny_user_region_object, "send_icmp_unreachable", &(user_region->deny->send_icmp_unreachable_enable));
|
||||
ret=get_integer_from_json(deny_user_region_object, "send_icmp_unreachable", &(user_region->deny->send_icmp_enable));
|
||||
if(ret==1)
|
||||
{
|
||||
user_region->deny->type=TSG_DENY_TYPE_SEND_ICMP;
|
||||
@@ -970,6 +1032,7 @@ static struct compile_user_region *parse_deny_user_region(cJSON *deny_user_regio
|
||||
case TSG_METHOD_TYPE_TAMPER:
|
||||
break;
|
||||
default:
|
||||
parse_default_para(deny_user_region_object, user_region);
|
||||
break;
|
||||
}
|
||||
|
||||
@@ -1015,16 +1078,12 @@ void security_compile_new(int idx, const struct Maat_rule_t* rule, const char* s
|
||||
}
|
||||
}
|
||||
|
||||
if(g_tsg_para.default_compile_switch==1 && g_tsg_para.default_compile_id==rule->config_id)
|
||||
if(g_tsg_para.default_compile_id==rule->config_id && user_region!=NULL)
|
||||
{
|
||||
if(user_region==NULL)
|
||||
if(user_region->method_type==TSG_METHOD_TYPE_DEFAULT && user_region->session_para!=NULL)
|
||||
{
|
||||
user_region=(struct compile_user_region *)calloc(1, sizeof(struct compile_user_region));
|
||||
atomic_inc(&user_region->ref_cnt);
|
||||
memcpy(&(user_region->session_para->result), rule, sizeof(struct Maat_rule_t));
|
||||
}
|
||||
|
||||
user_region->result=(struct Maat_rule_t *)calloc(1, sizeof(struct Maat_rule_t));
|
||||
memcpy(user_region->result, rule, sizeof(struct Maat_rule_t));
|
||||
}
|
||||
|
||||
*ad=(MAAT_RULE_EX_DATA)user_region;
|
||||
@@ -2697,6 +2756,29 @@ int tsg_notify_hited_monitor_result(const struct streaminfo *a_stream, struct Ma
|
||||
return 1;
|
||||
}
|
||||
|
||||
int tsg_set_method_to_tcpall(const struct streaminfo *a_stream, struct tcpall_context **context, enum TSG_METHOD_TYPE method_type, int thread_seq)
|
||||
{
|
||||
struct tcpall_context *_context=(struct tcpall_context *)get_struct_project(a_stream, g_tsg_para.tcpall_project_id);
|
||||
if(_context==NULL)
|
||||
{
|
||||
_context=(struct tcpall_context *)dictator_malloc(thread_seq, sizeof(struct tcpall_context));
|
||||
memset(_context, 0, sizeof(struct tcpall_context));
|
||||
set_struct_project(a_stream, g_tsg_para.tcpall_project_id, (void *)_context);
|
||||
}
|
||||
|
||||
switch(_context->method_type)
|
||||
{
|
||||
case TSG_METHOD_TYPE_DEFAULT:
|
||||
case TSG_METHOD_TYPE_MIRRORED:
|
||||
_context->method_type=method_type;
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
}
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
int tsg_set_bucket_to_tcpall(const struct streaminfo *a_stream, struct tcpall_context **context, struct leaky_bucket *bucket, int thread_seq)
|
||||
{
|
||||
struct tcpall_context *_context=(struct tcpall_context *)get_struct_project(a_stream, g_tsg_para.tcpall_project_id);
|
||||
@@ -2706,16 +2788,17 @@ int tsg_set_bucket_to_tcpall(const struct streaminfo *a_stream, struct tcpall_co
|
||||
memset(_context, 0, sizeof(struct tcpall_context));
|
||||
set_struct_project(a_stream, g_tsg_para.tcpall_project_id, (void *)_context);
|
||||
}
|
||||
else
|
||||
{
|
||||
if(_context->method_type==TSG_METHOD_TYPE_RATE_LIMIT)
|
||||
|
||||
switch(_context->method_type)
|
||||
{
|
||||
case TSG_METHOD_TYPE_RATE_LIMIT:
|
||||
return 1;
|
||||
}
|
||||
else
|
||||
{
|
||||
break;
|
||||
case TSG_METHOD_TYPE_DEFAULT:
|
||||
break;
|
||||
default:
|
||||
return 0;
|
||||
}
|
||||
break;
|
||||
}
|
||||
|
||||
_context->method_type=TSG_METHOD_TYPE_RATE_LIMIT;
|
||||
|
||||