perf: 优化策略扫描

luwenpeng
2023-11-03 10:02:50 +08:00
parent 0753e8018c
commit 3627addb85
5 changed files with 1456 additions and 332 deletions

353
common/include/utarray.h Normal file

@@ -0,0 +1,353 @@
/*
Copyright (c) 2008-2022, Troy D. Hanson https://troydhanson.github.io/uthash/
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/* a dynamic array implementation using macros
*/
#ifndef UTARRAY_H
#define UTARRAY_H
#define UTARRAY_VERSION 2.3.0
#include <stddef.h> /* size_t */
#include <string.h> /* memset, etc */
#include <stdlib.h> /* exit */
#ifdef __GNUC__
#define UTARRAY_UNUSED __attribute__((__unused__))
#else
#define UTARRAY_UNUSED
#endif
#ifndef utarray_oom
#define utarray_oom() exit(-1)
#endif
typedef void(ctor_f)(void *dst, const void *src);
typedef void(dtor_f)(void *elt);
typedef void(init_f)(void *elt);
typedef struct
{
size_t sz;
init_f *init;
ctor_f *copy;
dtor_f *dtor;
} UT_icd;
typedef struct
{
unsigned i, n; /* i: index of next available slot, n: num slots */
UT_icd icd; /* initializer, copy and destructor functions */
char *d; /* n slots of size icd->sz*/
} UT_array;
#define utarray_init(a, _icd) \
do \
{ \
memset(a, 0, sizeof(UT_array)); \
(a)->icd = *(_icd); \
} while (0)
#define utarray_done(a) \
do \
{ \
if ((a)->n) \
{ \
if ((a)->icd.dtor) \
{ \
unsigned _ut_i; \
for (_ut_i = 0; _ut_i < (a)->i; _ut_i++) \
{ \
(a)->icd.dtor(utarray_eltptr(a, _ut_i)); \
} \
} \
free((a)->d); \
} \
(a)->n = 0; \
} while (0)
#define utarray_new(a, _icd) \
do \
{ \
(a) = (UT_array *)malloc(sizeof(UT_array)); \
if ((a) == NULL) \
{ \
utarray_oom(); \
} \
utarray_init(a, _icd); \
} while (0)
#define utarray_free(a) \
do \
{ \
utarray_done(a); \
free(a); \
} while (0)
#define utarray_reserve(a, by) \
do \
{ \
if (((a)->i + (by)) > (a)->n) \
{ \
char *utarray_tmp; \
while (((a)->i + (by)) > (a)->n) \
{ \
(a)->n = ((a)->n ? (2 * (a)->n) : 8); \
} \
utarray_tmp = (char *)realloc((a)->d, (a)->n * (a)->icd.sz); \
if (utarray_tmp == NULL) \
{ \
utarray_oom(); \
} \
(a)->d = utarray_tmp; \
} \
} while (0)
#define utarray_push_back(a, p) \
do \
{ \
utarray_reserve(a, 1); \
if ((a)->icd.copy) \
{ \
(a)->icd.copy(_utarray_eltptr(a, (a)->i++), p); \
} \
else \
{ \
memcpy(_utarray_eltptr(a, (a)->i++), p, (a)->icd.sz); \
}; \
} while (0)
#define utarray_pop_back(a) \
do \
{ \
if ((a)->icd.dtor) \
{ \
(a)->icd.dtor(_utarray_eltptr(a, --((a)->i))); \
} \
else \
{ \
(a)->i--; \
} \
} while (0)
#define utarray_extend_back(a) \
do \
{ \
utarray_reserve(a, 1); \
if ((a)->icd.init) \
{ \
(a)->icd.init(_utarray_eltptr(a, (a)->i)); \
} \
else \
{ \
memset(_utarray_eltptr(a, (a)->i), 0, (a)->icd.sz); \
} \
(a)->i++; \
} while (0)
#define utarray_len(a) ((a)->i)
#define utarray_eltptr(a, j) (((j) < (a)->i) ? _utarray_eltptr(a, j) : NULL)
#define _utarray_eltptr(a, j) ((void *)((a)->d + ((a)->icd.sz * (j))))
#define utarray_insert(a, p, j) \
do \
{ \
if ((j) > (a)->i) \
utarray_resize(a, j); \
utarray_reserve(a, 1); \
if ((j) < (a)->i) \
{ \
memmove(_utarray_eltptr(a, (j) + 1), _utarray_eltptr(a, j), \
((a)->i - (j)) * ((a)->icd.sz)); \
} \
if ((a)->icd.copy) \
{ \
(a)->icd.copy(_utarray_eltptr(a, j), p); \
} \
else \
{ \
memcpy(_utarray_eltptr(a, j), p, (a)->icd.sz); \
}; \
(a)->i++; \
} while (0)
#define utarray_inserta(a, w, j) \
do \
{ \
if (utarray_len(w) == 0) \
break; \
if ((j) > (a)->i) \
utarray_resize(a, j); \
utarray_reserve(a, utarray_len(w)); \
if ((j) < (a)->i) \
{ \
memmove(_utarray_eltptr(a, (j) + utarray_len(w)), \
_utarray_eltptr(a, j), \
((a)->i - (j)) * ((a)->icd.sz)); \
} \
if ((a)->icd.copy) \
{ \
unsigned _ut_i; \
for (_ut_i = 0; _ut_i < (w)->i; _ut_i++) \
{ \
(a)->icd.copy(_utarray_eltptr(a, (j) + _ut_i), _utarray_eltptr(w, _ut_i)); \
} \
} \
else \
{ \
memcpy(_utarray_eltptr(a, j), _utarray_eltptr(w, 0), \
utarray_len(w) * ((a)->icd.sz)); \
} \
(a)->i += utarray_len(w); \
} while (0)
#define utarray_resize(dst, num) \
do \
{ \
unsigned _ut_i; \
if ((dst)->i > (unsigned)(num)) \
{ \
if ((dst)->icd.dtor) \
{ \
for (_ut_i = (num); _ut_i < (dst)->i; ++_ut_i) \
{ \
(dst)->icd.dtor(_utarray_eltptr(dst, _ut_i)); \
} \
} \
} \
else if ((dst)->i < (unsigned)(num)) \
{ \
utarray_reserve(dst, (num) - (dst)->i); \
if ((dst)->icd.init) \
{ \
for (_ut_i = (dst)->i; _ut_i < (unsigned)(num); ++_ut_i) \
{ \
(dst)->icd.init(_utarray_eltptr(dst, _ut_i)); \
} \
} \
else \
{ \
memset(_utarray_eltptr(dst, (dst)->i), 0, (dst)->icd.sz *((num) - (dst)->i)); \
} \
} \
(dst)->i = (num); \
} while (0)
#define utarray_concat(dst, src) \
do \
{ \
utarray_inserta(dst, src, utarray_len(dst)); \
} while (0)
#define utarray_erase(a, pos, len) \
do \
{ \
if ((a)->icd.dtor) \
{ \
unsigned _ut_i; \
for (_ut_i = 0; _ut_i < (len); _ut_i++) \
{ \
(a)->icd.dtor(utarray_eltptr(a, (pos) + _ut_i)); \
} \
} \
if ((a)->i > ((pos) + (len))) \
{ \
memmove(_utarray_eltptr(a, pos), _utarray_eltptr(a, (pos) + (len)), \
((a)->i - ((pos) + (len))) * (a)->icd.sz); \
} \
(a)->i -= (len); \
} while (0)
#define utarray_renew(a, u) \
do \
{ \
if (a) \
utarray_clear(a); \
else \
utarray_new(a, u); \
} while (0)
#define utarray_clear(a) \
do \
{ \
if ((a)->i > 0) \
{ \
if ((a)->icd.dtor) \
{ \
unsigned _ut_i; \
for (_ut_i = 0; _ut_i < (a)->i; _ut_i++) \
{ \
(a)->icd.dtor(_utarray_eltptr(a, _ut_i)); \
} \
} \
(a)->i = 0; \
} \
} while (0)
#define utarray_sort(a, cmp) \
do \
{ \
qsort((a)->d, (a)->i, (a)->icd.sz, cmp); \
} while (0)
#define utarray_find(a, v, cmp) bsearch((v), (a)->d, (a)->i, (a)->icd.sz, cmp)
#define utarray_front(a) (((a)->i) ? (_utarray_eltptr(a, 0)) : NULL)
#define utarray_next(a, e) (((e) == NULL) ? utarray_front(a) : (((a)->i != utarray_eltidx(a, e) + 1) ? _utarray_eltptr(a, utarray_eltidx(a, e) + 1) : NULL))
#define utarray_prev(a, e) (((e) == NULL) ? utarray_back(a) : ((utarray_eltidx(a, e) != 0) ? _utarray_eltptr(a, utarray_eltidx(a, e) - 1) : NULL))
#define utarray_back(a) (((a)->i) ? (_utarray_eltptr(a, (a)->i - 1)) : NULL)
#define utarray_eltidx(a, e) (((char *)(e) - (a)->d) / (a)->icd.sz)
/* last we pre-define a few icd for common utarrays of ints and strings */
static void utarray_str_cpy(void *dst, const void *src)
{
char *const *srcc = (char *const *)src;
char **dstc = (char **)dst;
if (*srcc == NULL)
{
*dstc = NULL;
}
else
{
*dstc = (char *)malloc(strlen(*srcc) + 1);
if (*dstc == NULL)
{
utarray_oom();
}
else
{
strcpy(*dstc, *srcc);
}
}
}
static void utarray_str_dtor(void *elt)
{
char **eltc = (char **)elt;
if (*eltc != NULL)
free(*eltc);
}
static const UT_icd ut_str_icd UTARRAY_UNUSED = {sizeof(char *), NULL, utarray_str_cpy, utarray_str_dtor};
static const UT_icd ut_int_icd UTARRAY_UNUSED = {sizeof(int), NULL, NULL, NULL};
static const UT_icd ut_ptr_icd UTARRAY_UNUSED = {sizeof(void *), NULL, NULL, NULL};
#endif /* UTARRAY_H */


@@ -31,7 +31,7 @@ enum session_action
SESSION_ACTION_BLOCK = 2, SESSION_ACTION_BLOCK = 2,
}; };
enum action_reason enum action_desc
{ {
ACTION_BYPASS_DUE_DEFAULT = 0x00, ACTION_BYPASS_DUE_DEFAULT = 0x00,
ACTION_BYPASS_DUE_INVALID_POLICY = 0x01, ACTION_BYPASS_DUE_INVALID_POLICY = 0x01,
@@ -88,11 +88,10 @@ struct selected_sf
int sff_profile_id; int sff_profile_id;
enum forward_type sff_forward_type; enum forward_type sff_forward_type;
int sf_need_skip;
int sf_vsys_id; int sf_vsys_id;
int sf_profile_id; int sf_profile_id;
enum session_action sf_action; enum session_action sf_action;
enum action_reason sf_action_reason; enum action_desc sf_action_desc;
struct connectivity sf_connectivity; struct connectivity sf_connectivity;
struct throughput_metrics rx; struct throughput_metrics rx;
@@ -121,8 +120,7 @@ struct selected_chainings
const char *traffic_type_to_string(enum traffic_type traffic_type); const char *traffic_type_to_string(enum traffic_type traffic_type);
const char *forward_type_to_string(enum forward_type forward_type); const char *forward_type_to_string(enum forward_type forward_type);
const char *session_action_to_string(enum session_action session_action); const char *action_desc_to_string(enum action_desc action_desc);
const char *action_reason_to_string(enum action_reason action_reason);
const char *encapsulate_method_to_string(enum encapsulate_method encap_method); const char *encapsulate_method_to_string(enum encapsulate_method encap_method);
struct selected_chaining *selected_chaining_create(int chaining_size, uint64_t session_id, char *session_addr); struct selected_chaining *selected_chaining_create(int chaining_size, uint64_t session_id, char *session_addr);
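Review bot: In the `struct selected_sf` hunk, `sf_action` and `sf_action_desc` now encode the same bypass/block/forward decision, and nothing in the header says which field is authoritative. The policy code on this page derives `sf_action` from the description inside `selected_sf_set_action()`, so a comment on the pair such as `/* sf_action is derived from sf_action_desc; assign both only through selected_sf_set_action() */` would document that invariant. Without it, a later direct assignment could leave a session forwarded while its logged description says block, or the reverse. The struct definition starts and ends outside the hunk.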


@@ -662,15 +662,11 @@ static void action_sf_chaining(struct thread_ctx *thread_ctx, struct session_ctx
for (sf_index = next_sf_index; sf_index < chaining->chaining_used; sf_index++) for (sf_index = next_sf_index; sf_index < chaining->chaining_used; sf_index++)
{ {
struct selected_sf *sf = &(chaining->chaining[sf_index]); struct selected_sf *sf = &(chaining->chaining[sf_index]);
LOG_INFO("%s: session: %lu %s execute chaining [%d/%d] rule_id: %lu, sff_profile_id: %d, sf_profile_id: %d, sf_need_skip: %d, sf_action_reason: %s, is_e2i: %d, is_decrypted: %d", LOG_INFO("%s: session: %lu %s execute chaining [%d/%d]: policy %lu->%d->%d, action %s->%s->%s->%s",
LOG_TAG_POLICY, session_ctx->session_id, session_ctx->session_addr, sf_index, chaining->chaining_used, LOG_TAG_POLICY, session_ctx->session_id, session_ctx->session_addr,
sf->rule_id, sf->sff_profile_id, sf->sf_profile_id, sf->sf_need_skip, action_reason_to_string(sf->sf_action_reason), sf_index, chaining->chaining_used,
meta->is_e2i_dir, meta->is_decrypted); sf->rule_id, sf->sff_profile_id, sf->sf_profile_id,
(meta->is_decrypted == 1 ? "decrypted" : "raw"), (meta->is_e2i_dir ? "E2I" : "I2E"), forward_type_to_string(sf->sff_forward_type), action_desc_to_string(sf->sf_action_desc));
if (sf->sf_need_skip)
{
continue;
}
switch (sf->sf_action) switch (sf->sf_action)
{ {
@@ -775,7 +771,7 @@ static int send_ctrl_packet(struct session_ctx *session_ctx, struct selected_cha
for (int i = 0; i < chaining->chaining_used; i++) for (int i = 0; i < chaining->chaining_used; i++)
{ {
struct selected_sf *sf = &(chaining->chaining[i]); struct selected_sf *sf = &(chaining->chaining[i]);
if (sf->sf_need_skip == 0 && sf->sf_action == SESSION_ACTION_FORWARD) if (sf->sf_action == SESSION_ACTION_FORWARD)
{ {
mpack_write_u32(&writer, sf->sf_profile_id); mpack_write_u32(&writer, sf->sf_profile_id);
} }
@@ -858,7 +854,7 @@ static void send_event_log(struct session_ctx *session_ctx, struct thread_ctx *t
} }
} }
static void dump_sf_metrics(struct session_ctx *session_ctx, struct selected_chaining *chaining, const char *tag) static void dump_sf_metrics(struct session_ctx *session_ctx, struct selected_chaining *chaining)
{ {
if (chaining == NULL) if (chaining == NULL)
{ {
@@ -868,8 +864,11 @@ static void dump_sf_metrics(struct session_ctx *session_ctx, struct selected_cha
for (int i = 0; i < chaining->chaining_used; i++) for (int i = 0; i < chaining->chaining_used; i++)
{ {
struct selected_sf *sf = &(chaining->chaining[i]); struct selected_sf *sf = &(chaining->chaining[i]);
LOG_INFO("%s: session %lu %s %s metrics: rule_id %lu sff_profile_id %d sf_profile_id %d sf_need_skip %d sf_action_reason %s rx_pkts %lu rx_bytes %lu tx_pkts %lu tx_bytes %lu", LOG_INFO("%s: session %lu %s metrics: policy %lu->%d->%d action %s->%s->%s rx_pkts %lu rx_bytes %lu tx_pkts %lu tx_bytes %lu",
LOG_TAG_METRICS, session_ctx->session_id, session_ctx->session_addr, tag, sf->rule_id, sf->sff_profile_id, sf->sf_profile_id, sf->sf_need_skip, action_reason_to_string(sf->sf_action_reason), sf->rx.n_pkts, sf->rx.n_bytes, sf->tx.n_pkts, sf->tx.n_bytes); LOG_TAG_METRICS, session_ctx->session_id, session_ctx->session_addr,
sf->rule_id, sf->sff_profile_id, sf->sf_profile_id,
traffic_type_to_string(sf->traffic_type), forward_type_to_string(sf->sff_forward_type), action_desc_to_string(sf->sf_action_desc),
sf->rx.n_pkts, sf->rx.n_bytes, sf->tx.n_pkts, sf->tx.n_bytes);
} }
} }
@@ -955,10 +954,10 @@ static void handle_session_closing(struct metadata *meta, struct control_packet
LOG_INFO("%s: session %lu %s closing", LOG_TAG_PKTIO, s_ctx->session_id, s_ctx->session_addr); LOG_INFO("%s: session %lu %s closing", LOG_TAG_PKTIO, s_ctx->session_id, s_ctx->session_addr);
struct selected_chaining *chaining_raw = s_ctx->chainings.chaining_raw; struct selected_chaining *chaining_raw = s_ctx->chainings.chaining_raw;
dump_sf_metrics(s_ctx, chaining_raw, "raw_traffic"); dump_sf_metrics(s_ctx, chaining_raw);
struct selected_chaining *chaining_decrypted = s_ctx->chainings.chaining_decrypted; struct selected_chaining *chaining_decrypted = s_ctx->chainings.chaining_decrypted;
dump_sf_metrics(s_ctx, chaining_decrypted, "decrypted_traffic"); dump_sf_metrics(s_ctx, chaining_decrypted);
session_table_delete_by_id(session_table, meta->session_id); session_table_delete_by_id(session_table, meta->session_id);
ATOMIC_DEC(&(thread_metrics->sf_session.num)); ATOMIC_DEC(&(thread_metrics->sf_session.num));
@@ -1264,16 +1263,13 @@ static int packet_io_config(const char *profile, struct config *config)
LOG_DEBUG("%s: PACKET_IO->min_timeout_ms : %d", LOG_TAG_PKTIO, config->min_timeout_ms); LOG_DEBUG("%s: PACKET_IO->min_timeout_ms : %d", LOG_TAG_PKTIO, config->min_timeout_ms);
LOG_DEBUG("%s: PACKET_IO->app_symbol : %s", LOG_TAG_PKTIO, config->app_symbol); LOG_DEBUG("%s: PACKET_IO->app_symbol : %s", LOG_TAG_PKTIO, config->app_symbol);
LOG_DEBUG("%s: PACKET_IO->dev_nf_name : %s", LOG_TAG_PKTIO, config->dev_nf_name); LOG_DEBUG("%s: PACKET_IO->dev_nf_name : %s", LOG_TAG_PKTIO, config->dev_nf_name);
LOG_DEBUG("%s: PACKET_IO->dev_endpoint_l3_name : %s", LOG_TAG_PKTIO, config->dev_endpoint_l3_name); LOG_DEBUG("%s: PACKET_IO->dev_endpoint_l3_name : %s", LOG_TAG_PKTIO, config->dev_endpoint_l3_name);
LOG_DEBUG("%s: PACKET_IO->dev_endpoint_l3_ip : %s", LOG_TAG_PKTIO, config->dev_endpoint_l3_ip_str); LOG_DEBUG("%s: PACKET_IO->dev_endpoint_l3_ip : %s", LOG_TAG_PKTIO, config->dev_endpoint_l3_ip_str);
LOG_DEBUG("%s: PACKET_IO->dev_endpoint_l2_name : %s", LOG_TAG_PKTIO, config->dev_endpoint_l2_name); LOG_DEBUG("%s: PACKET_IO->dev_endpoint_l2_name : %s", LOG_TAG_PKTIO, config->dev_endpoint_l2_name);
LOG_DEBUG("%s: PACKET_IO->vlan_encapsulate_replace_orig_vlan_header : %d", LOG_TAG_PKTIO, config->vlan_encapsulate_replace_orig_vlan_header); LOG_DEBUG("%s: PACKET_IO->vlan_encapsulate_replace_orig_vlan_header : %d", LOG_TAG_PKTIO, config->vlan_encapsulate_replace_orig_vlan_header);
if (strlen(config->dev_endpoint_l3_mac_str))
{
LOG_DEBUG("%s: PACKET_IO->dev_endpoint_l3_mac : %s (get from configuration file)", LOG_TAG_PKTIO, config->dev_endpoint_l3_mac_str);
}
return 0; return 0;
} }
@@ -1342,6 +1338,14 @@ struct packet_io *packet_io_create(const char *profile, int thread_num, cpu_set_
goto error_out; goto error_out;
} }
if (strlen(handle->config.dev_endpoint_l3_mac_str) == 0)
{
marsio_get_device_ether_addr(handle->dev_endpoint_l3.mr_dev, handle->config.dev_endpoint_l3_mac_str, sizeof(handle->config.dev_endpoint_l3_mac_str));
LOG_DEBUG("%s: PACKET_IO->dev_endpoint_l3_mac : %s (get from marsio api)", LOG_TAG_PKTIO, handle->config.dev_endpoint_l3_mac_str);
}
str_to_mac(handle->config.dev_endpoint_l3_mac_str, handle->config.dev_endpoint_l3_mac);
handle->config.dev_endpoint_l3_ip = inet_addr(handle->config.dev_endpoint_l3_ip_str);
handle->dev_endpoint_l2.mr_dev = marsio_open_device(handle->instance, handle->config.dev_endpoint_l2_name, handle->thread_num, handle->thread_num); handle->dev_endpoint_l2.mr_dev = marsio_open_device(handle->instance, handle->config.dev_endpoint_l2_name, handle->thread_num, handle->thread_num);
if (handle->dev_endpoint_l2.mr_dev == NULL) if (handle->dev_endpoint_l2.mr_dev == NULL)
{ {
@@ -1356,14 +1360,6 @@ struct packet_io *packet_io_create(const char *profile, int thread_num, cpu_set_
goto error_out; goto error_out;
} }
if (strlen(handle->config.dev_endpoint_l3_mac_str) == 0)
{
marsio_get_device_ether_addr(handle->dev_endpoint_l3.mr_dev, handle->config.dev_endpoint_l3_mac_str, sizeof(handle->config.dev_endpoint_l3_mac_str));
LOG_DEBUG("%s: PACKET_IO->dev_endpoint_l3_mac : %s (get from marsio api)", LOG_TAG_PKTIO, handle->config.dev_endpoint_l3_mac_str);
}
str_to_mac(handle->config.dev_endpoint_l3_mac_str, handle->config.dev_endpoint_l3_mac);
handle->config.dev_endpoint_l3_ip = inet_addr(handle->config.dev_endpoint_l3_ip_str);
return handle; return handle;
error_out: error_out:
@@ -1435,7 +1431,7 @@ int packet_io_thread_init(struct packet_io *handle, struct thread_ctx *thread_ct
void packet_io_thread_wait(struct packet_io *handle, struct thread_ctx *thread_ctx, int timeout_ms) void packet_io_thread_wait(struct packet_io *handle, struct thread_ctx *thread_ctx, int timeout_ms)
{ {
static __thread struct mr_vdev *vdevs[] = { struct mr_vdev *vdevs[3] = {
handle->dev_nf.mr_dev, handle->dev_nf.mr_dev,
handle->dev_endpoint_l3.mr_dev, handle->dev_endpoint_l3.mr_dev,
handle->dev_endpoint_l2.mr_dev, handle->dev_endpoint_l2.mr_dev,
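Review bot: In the `@@ -1342,6 +1338,14 @@` hunk of `packet_io_create`, the relocated endpoint-address setup still ignores every failure path. The results of `marsio_get_device_ether_addr()` and `str_to_mac()` are discarded, and `inet_addr()` returns `INADDR_NONE` for a malformed `dev_endpoint_l3_ip_str`, which is stored as is. These values appear to become the L3 endpoint's MAC and IP, so a bad configuration string would pass startup silently; a guard after the `inet_addr()` call such as `if (handle->config.dev_endpoint_l3_ip == INADDR_NONE) { LOG_ERROR("%s: invalid dev_endpoint_l3_ip", LOG_TAG_PKTIO); goto error_out; }` would fail closed through the existing `error_out` label. The return conventions of `str_to_mac()` and `marsio_get_device_ether_addr()` are not visible on this page, so confirm them before adding the equivalent checks. The function body starts and ends outside the hunk.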


@@ -12,6 +12,7 @@
#include "utils.h" #include "utils.h"
#include "log.h" #include "log.h"
#include "sce.h" #include "sce.h"
#include "utarray.h"
/****************************************************************************** /******************************************************************************
* Struct policy_enforcer * Struct policy_enforcer
@@ -165,7 +166,7 @@ struct sf_param
}; };
/****************************************************************************** /******************************************************************************
* Private API * Private API -- Utils
******************************************************************************/ ******************************************************************************/
static const char *effective_type_to_string(enum effective_type type) static const char *effective_type_to_string(enum effective_type type)
@@ -310,6 +311,10 @@ static void policy_enforcer_config(const char *profile, struct policy_config *co
LOG_DEBUG("%s: MAAT->max_chaining_size : %d", LOG_TAG_POLICY, config->max_chaining_size); LOG_DEBUG("%s: MAAT->max_chaining_size : %d", LOG_TAG_POLICY, config->max_chaining_size);
} }
/******************************************************************************
* Private API -- MAAT Callback
******************************************************************************/
static void chaining_param_new_cb(const char *table_name, int table_id, const char *key, const char *table_line, void **ad, long argl, void *argp) static void chaining_param_new_cb(const char *table_name, int table_id, const char *key, const char *table_line, void **ad, long argl, void *argp)
{ {
int iter = 0; int iter = 0;
@@ -1003,199 +1008,261 @@ static void sf_param_free(struct sf_param *param)
sf_param_free_cb(0, (void **)&param, 0, NULL); sf_param_free_cb(0, (void **)&param, 0, NULL);
} }
// After return must check array elem nums /******************************************************************************
static void select_sf_by_nearby_and_adminstatus(struct policy_enforcer *enforcer, struct sff_param *sff_param, struct mutable_array *array) * Private API -- Selected SF
******************************************************************************/
static void selected_sf_init(struct selected_sf *selected_sf)
{ {
char buffer[16]; if (selected_sf)
struct sf_param *sf = NULL; {
memset(selected_sf, 0, sizeof(struct selected_sf));
selected_sf->rule_vsys_id = 0;
selected_sf->rule_id = 0;
selected_sf->traffic_type = TRAFFIC_TYPE_NONE;
selected_sf->sff_profile_id = -1;
selected_sf->sff_forward_type = FORWARD_TYPE_NONE;
selected_sf->sf_profile_id = -1;
selected_sf->sf_action = SESSION_ACTION_BYPASS;
selected_sf->sf_action_desc = ACTION_BYPASS_DUE_DEFAULT;
}
}
static void selected_sf_set_info(struct selected_sf *selected_sf, struct sf_param *sf_param)
{
selected_sf->sf_vsys_id = sf_param->sf_vsys_id;
selected_sf->sf_profile_id = sf_param->sf_profile_id;
selected_sf->sf_connectivity = sf_param->sf_connectivity;
if (selected_sf->sf_connectivity.method == ENCAPSULATE_METHOD_VXLAN_G)
{
selected_sf->sf_dst_ip = inet_addr(selected_sf->sf_connectivity.dest_ip);
}
}
static void selected_sf_set_action(struct selected_sf *selected_sf, enum action_desc action_desc)
{
selected_sf->sf_action_desc = action_desc;
switch (action_desc)
{
case ACTION_BYPASS_DUE_DEFAULT:
case ACTION_BYPASS_DUE_INVALID_POLICY:
case ACTION_BYPASS_DUE_FAILURE_ACTION:
case ACTION_BYPASS_DUE_UNAVAILABLE_ACTION:
case ACTION_BYPASS_DUE_HEALTH_SF_LIMIT:
selected_sf->sf_action = SESSION_ACTION_BYPASS;
break;
case ACTION_BLOCK_DUE_FAILURE_ACTION:
case ACTION_BLOCK_DUE_UNAVAILABLE_ACTION:
selected_sf->sf_action = SESSION_ACTION_BLOCK;
break;
case ACTION_FORWAED_DUE_SELECTED_SF:
selected_sf->sf_action = SESSION_ACTION_FORWARD;
break;
}
}
// return 1 : current sf can be selected
// return 0 : current sf can't be selected
static int select_sf_by_admin_status(struct sf_param *sf)
{
if (sf->sf_admin_status == ADMMIN_STATUS_ACTIVE)
{
return 1;
}
else
{
return 0;
}
}
// return 1 : current sf can be selected
// return 0 : current sf can't be selected
static int select_sf_by_device_group(struct policy_enforcer *enforcer, struct sf_param *sf)
{
if (strcasecmp(enforcer->config.device_group, sf->sf_effective_range.value) == 0)
{
return 1;
}
else
{
return 0;
}
}
// return 1 : current sf can be selected
// return 0 : current sf can't be selected
static int select_sf_by_data_center(struct policy_enforcer *enforcer, struct sf_param *sf)
{
if (strcasecmp(enforcer->config.data_center, sf->sf_effective_range.value) == 0)
{
return 1;
}
else
{
return 0;
}
}
// return 1 : current sf can be selected
// return 0 : current sf can't be selected
static int select_sf_by_localization(struct policy_enforcer *enforcer, struct sff_param *sff_param, struct sf_param *sf)
{
if (sff_param->sff_ldbc.localiza == LDBC_LOCALIZATION_NEARBY)
{
if (sf->sf_effective_range.type == EFFECTIVE_TYPE_DEVICE_GROUP)
{
return select_sf_by_device_group(enforcer, sf);
}
else
{
return select_sf_by_data_center(enforcer, sf);
}
}
else
{
return 1;
}
}
// return 1 : current sf can be selected
// return 0 : current sf can't be selected
static int handle_fail_action(struct exception *sff_exception, struct selected_sf *selected_sf, int sf_num)
{
if (sff_exception->fail_action == FAILURE_ACTION_RE_DISPATCH)
{
if (sff_exception->health_service_func_lt > 0 && sf_num < sff_exception->health_service_func_lt)
{
selected_sf_set_action(selected_sf, ACTION_BYPASS_DUE_HEALTH_SF_LIMIT);
return 1;
}
else
{
if (sf_num == 0)
{
if (sff_exception->unavail_action == UNAVAILABLE_ACTION_BYPASSS)
{
selected_sf_set_action(selected_sf, ACTION_BYPASS_DUE_UNAVAILABLE_ACTION);
return 1;
}
else
{
selected_sf_set_action(selected_sf, ACTION_BLOCK_DUE_UNAVAILABLE_ACTION);
return 1;
}
}
else
{
return 0;
}
}
}
else if (sff_exception->fail_action == FAILURE_ACTION_BYPASS)
{
selected_sf_set_action(selected_sf, ACTION_BYPASS_DUE_FAILURE_ACTION);
return 1;
}
else if (sff_exception->fail_action == FAILURE_ACTION_BLOCK)
{
selected_sf_set_action(selected_sf, ACTION_BLOCK_DUE_FAILURE_ACTION);
return 1;
}
else
{
return 0;
}
}
static void select_sf_by_ldbc(struct sff_param *sff_param, struct selected_sf *selected_sf, struct session_ctx *s_ctx, UT_array *sf_array, uint64_t hash)
{
struct thread_metrics *thread_metrics = &s_ctx->ref_thread_ctx->thread_metrics;
while (utarray_len(sf_array))
{
unsigned int sf_index = (unsigned int)(hash % utarray_len(sf_array));
struct sf_param *sf_param = (struct sf_param *)utarray_eltptr(sf_array, sf_index);
if (sf_param->sf_connectivity.method == ENCAPSULATE_METHOD_LAYER2_SWITCH)
{
LOG_INFO("%s: session %lu %s select sf by ldbc, sf_profile_id %d to be selected", LOG_TAG_POLICY, s_ctx->session_id, s_ctx->session_addr, sf_param->sf_profile_id);
selected_sf_set_action(selected_sf, ACTION_FORWAED_DUE_SELECTED_SF);
selected_sf_set_info(selected_sf, sf_param);
return;
}
memset(selected_sf->sf_dst_mac, 0, sizeof(selected_sf->sf_dst_mac));
if (health_check_session_get_mac(sf_param->health_check_session_id, selected_sf->sf_dst_mac) == 0)
{
ATOMIC_INC(&(thread_metrics->sf_status.active));
LOG_INFO("%s: session %lu %s select sf by ldbc, sf_profile_id %d to be selected", LOG_TAG_POLICY, s_ctx->session_id, s_ctx->session_addr, sf_param->sf_profile_id);
selected_sf_set_action(selected_sf, ACTION_FORWAED_DUE_SELECTED_SF);
selected_sf_set_info(selected_sf, sf_param);
return;
}
else
{
ATOMIC_INC(&(thread_metrics->sf_status.inactive));
if (handle_fail_action(&sff_param->sff_exception, selected_sf, utarray_len(sf_array) - 1) == 0)
{
LOG_INFO("%s: session %lu %s select sf by re-dispatch, sf_profile_id %d to be excluded", LOG_TAG_POLICY, s_ctx->session_id, s_ctx->session_addr, sf_param->sf_profile_id);
utarray_erase(sf_array, sf_index, 1);
continue;
}
else
{
LOG_INFO("%s: session %lu %s select sf by fail-action, sf_profile_id %d to be selected", LOG_TAG_POLICY, s_ctx->session_id, s_ctx->session_addr, sf_param->sf_profile_id);
selected_sf_set_info(selected_sf, sf_param);
return;
}
}
}
handle_fail_action(&sff_param->sff_exception, selected_sf, 0);
}
static void select_sf_from_sff(struct policy_enforcer *enforcer, struct sff_param *sff_param, struct selected_sf *selected_sf, struct session_ctx *s_ctx, uint64_t packet_hash)
{
UT_array *sf_array;
UT_icd sf_icd = {sizeof(struct sf_param), NULL, NULL, NULL};
utarray_new(sf_array, &sf_icd);
for (int i = 0; i < sff_param->sf_profile_ids_num; i++) for (int i = 0; i < sff_param->sf_profile_ids_num; i++)
{ {
memset(&buffer, 0, sizeof(buffer)); char profile_id[16] = {0};
snprintf(buffer, sizeof(buffer), "%u", sff_param->sf_profile_ids[i]); snprintf(profile_id, sizeof(profile_id), "%u", sff_param->sf_profile_ids[i]);
sf = (struct sf_param *)maat_plugin_table_get_ex_data(enforcer->maat, enforcer->sf_table_id, buffer, strlen(buffer));
struct sf_param *sf = (struct sf_param *)maat_plugin_table_get_ex_data(enforcer->maat, enforcer->sf_table_id, profile_id, strlen(profile_id));
if (sf == NULL) if (sf == NULL)
{ {
LOG_ERROR("%s: failed to get sf parameter of profile %d", LOG_TAG_POLICY, sff_param->sf_profile_ids[i]); LOG_ERROR("%s: failed to get sf parameter of profile %d", LOG_TAG_POLICY, sff_param->sf_profile_ids[i]);
continue; continue;
} }
if (sff_param->sff_ldbc.localiza == LDBC_LOCALIZATION_NEARBY) if (select_sf_by_admin_status(sf) == 0)
{ {
if (sf->sf_effective_range.type == EFFECTIVE_TYPE_DEVICE_GROUP) LOG_INFO("%s: session %lu %s select sf by admin-status, sf_profile_id %d to be excluded", LOG_TAG_POLICY, s_ctx->session_id, s_ctx->session_addr, sf->sf_profile_id);
{ sf_param_free(sf);
if (strcasecmp(enforcer->config.device_group, sf->sf_effective_range.value) == 0)
{
if (sf->sf_admin_status == ADMMIN_STATUS_ACTIVE)
{
mutable_array_add_elem(array, sff_param->sf_profile_ids[i]);
}
}
}
else
{
if (strcasecmp(enforcer->config.data_center, sf->sf_effective_range.value) == 0)
{
if (sf->sf_admin_status == ADMMIN_STATUS_ACTIVE)
{
mutable_array_add_elem(array, sff_param->sf_profile_ids[i]);
}
}
}
}
else
{
if (sf->sf_admin_status == ADMMIN_STATUS_ACTIVE)
{
mutable_array_add_elem(array, sff_param->sf_profile_ids[i]);
}
}
sf_param_free(sf);
}
}
// return : SESSION_ACTION_BYPASS, not care selected_sf_profile_id
// return : SESSION_ACTION_BLOCK, not care selected_sf_profile_id
// return : SESSION_ACTION_FORWARD, care selected_sf_profile_id
static enum session_action select_sf_by_ldbc(struct policy_enforcer *enforcer, struct session_ctx *s_ctx, struct sff_param *sff_param, struct selected_sf *sf, struct mutable_array *array, uint64_t hash)
{
struct thread_ctx *thread = (struct thread_ctx *)s_ctx->ref_thread_ctx;
struct thread_metrics *thread_metrics = &thread->thread_metrics;
struct sf_param *sf_param = NULL;
char buffer[16];
sf->sf_profile_id = -1;
int sf_profile_id = 0;
int sf_profile_index = 0;
int sf_profile_num = 0;
uint64_t health_check_session_id = 0;
enum encapsulate_method encap_method;
sf_profile_num = mutable_array_count_elem(array);
while (sf_profile_num)
{
sf_profile_index = (int)(hash % sf_profile_num);
sf_profile_id = mutable_array_index_elem(array, sf_profile_index);
memset(&buffer, 0, sizeof(buffer));
snprintf(buffer, sizeof(buffer), "%u", sf_profile_id);
sf_param = (struct sf_param *)maat_plugin_table_get_ex_data(enforcer->maat, enforcer->sf_table_id, buffer, strlen(buffer));
if (sf_param == NULL)
{
LOG_ERROR("%s: failed to get sf parameter of profile %d", LOG_TAG_POLICY, sf_profile_id);
mutable_array_del_elem(array, sf_profile_id);
continue; continue;
} }
health_check_session_id = sf_param->health_check_session_id;
encap_method = sf_param->sf_connectivity.method;
sf_param_free(sf_param);
memset(sf->sf_dst_mac, 0, sizeof(sf->sf_dst_mac)); if (select_sf_by_localization(enforcer, sff_param, sf) == 0)
// VLAN encapsulation not require health check
if (encap_method == ENCAPSULATE_METHOD_LAYER2_SWITCH)
{ {
ATOMIC_INC(&(thread_metrics->sf_status.active)); LOG_INFO("%s: session %lu %s select sf by localization, sf_profile_id %d to be excluded", LOG_TAG_POLICY, s_ctx->session_id, s_ctx->session_addr, sf->sf_profile_id);
sf_param_free(sf);
sf->sf_profile_id = sf_profile_id; continue;
sf->sf_action_reason = ACTION_FORWAED_DUE_SELECTED_SF;
return SESSION_ACTION_FORWARD;
} }
// VXLAN encapsulation require health check utarray_push_back(sf_array, sf);
if (health_check_session_get_mac(health_check_session_id, sf->sf_dst_mac) == 0) sf_param_free(sf);
{
ATOMIC_INC(&(thread_metrics->sf_status.active));
sf->sf_profile_id = sf_profile_id;
sf->sf_action_reason = ACTION_FORWAED_DUE_SELECTED_SF;
return SESSION_ACTION_FORWARD;
}
else
{
ATOMIC_INC(&(thread_metrics->sf_status.inactive));
if (sff_param->sff_exception.fail_action == FAILURE_ACTION_RE_DISPATCH)
{
mutable_array_del_elem(array, sf_profile_id);
sf_profile_num = mutable_array_count_elem(array);
if (sff_param->sff_exception.health_service_func_lt > 0 && sf_profile_num < sff_param->sff_exception.health_service_func_lt)
{
sf->sf_action_reason = ACTION_BYPASS_DUE_HEALTH_SF_LIMIT;
return SESSION_ACTION_BYPASS;
}
else
{
if (sf_profile_num == 0)
{
if (sff_param->sff_exception.unavail_action == UNAVAILABLE_ACTION_BYPASSS)
{
sf->sf_action_reason = ACTION_BYPASS_DUE_UNAVAILABLE_ACTION;
return SESSION_ACTION_BYPASS;
}
else
{
sf->sf_action_reason = ACTION_BLOCK_DUE_UNAVAILABLE_ACTION;
return SESSION_ACTION_BLOCK;
}
}
else
{
continue;
}
}
}
else if (sff_param->sff_exception.fail_action == FAILURE_ACTION_BYPASS)
{
sf->sf_profile_id = sf_profile_id;
sf->sf_action_reason = ACTION_BYPASS_DUE_FAILURE_ACTION;
return SESSION_ACTION_BYPASS;
}
else if (sff_param->sff_exception.fail_action == FAILURE_ACTION_BLOCK)
{
sf->sf_profile_id = sf_profile_id;
sf->sf_action_reason = ACTION_BLOCK_DUE_FAILURE_ACTION;
return SESSION_ACTION_BLOCK;
}
}
};
sf->sf_action_reason = ACTION_BYPASS_DUE_INVALID_POLICY;
return SESSION_ACTION_BYPASS;
}
static void selected_sf_init(struct selected_sf *item)
{
if (item)
{
memset(item, 0, sizeof(struct selected_sf));
item->rule_vsys_id = 0;
item->rule_id = 0;
item->traffic_type = TRAFFIC_TYPE_NONE;
item->sff_profile_id = -1;
item->sff_forward_type = FORWARD_TYPE_NONE;
item->sf_need_skip = 0;
item->sf_profile_id = -1;
item->sf_action = SESSION_ACTION_BYPASS;
item->sf_action_reason = ACTION_BYPASS_DUE_DEFAULT;
} }
}
static void connectivity_copy(struct connectivity *dst, struct connectivity *src) select_sf_by_ldbc(sff_param, selected_sf, s_ctx, sf_array, packet_hash);
{ utarray_free(sf_array);
if (dst && src)
{
dst->method = src->method;
dst->int_vlan_tag = src->int_vlan_tag;
dst->ext_vlan_tag = src->ext_vlan_tag;
memcpy(dst->dest_ip, src->dest_ip, sizeof(dst->dest_ip));
}
} }
/****************************************************************************** /******************************************************************************
* Public API * Public API -- Utils
******************************************************************************/ ******************************************************************************/
const char *traffic_type_to_string(enum traffic_type traffic_type) const char *traffic_type_to_string(enum traffic_type traffic_type)
@@ -1228,41 +1295,26 @@ const char *forward_type_to_string(enum forward_type forward_type)
} }
} }
const char *session_action_to_string(enum session_action session_action) const char *action_desc_to_string(enum action_desc action_desc)
{ {
switch (session_action) switch (action_desc)
{
case SESSION_ACTION_BYPASS:
return "bypass";
case SESSION_ACTION_FORWARD:
return "forward";
case SESSION_ACTION_BLOCK:
return "block";
default:
return "unknown";
}
}
const char *action_reason_to_string(enum action_reason action_reason)
{
switch (action_reason)
{ {
case ACTION_BYPASS_DUE_DEFAULT: case ACTION_BYPASS_DUE_DEFAULT:
return "bypass_due_default"; return "bypass(default)";
case ACTION_BYPASS_DUE_HEALTH_SF_LIMIT: case ACTION_BYPASS_DUE_HEALTH_SF_LIMIT:
return "bypass_due_health_sf_limit"; return "bypass(health_sf_limit)";
case ACTION_BYPASS_DUE_UNAVAILABLE_ACTION: case ACTION_BYPASS_DUE_UNAVAILABLE_ACTION:
return "bypass_due_unavailable_action"; return "bypass(unavailable_action)";
case ACTION_BYPASS_DUE_FAILURE_ACTION: case ACTION_BYPASS_DUE_FAILURE_ACTION:
return "bypass_due_failure_action"; return "bypass(failure_action)";
case ACTION_BYPASS_DUE_INVALID_POLICY: case ACTION_BYPASS_DUE_INVALID_POLICY:
return "bypass_due_invalid_policy"; return "bypass(invalid_policy)";
case ACTION_BLOCK_DUE_UNAVAILABLE_ACTION: case ACTION_BLOCK_DUE_UNAVAILABLE_ACTION:
return "block_due_unavailable_action"; return "block(unavailable_action)";
case ACTION_BLOCK_DUE_FAILURE_ACTION: case ACTION_BLOCK_DUE_FAILURE_ACTION:
return "block_due_failure_action"; return "block(failure_action)";
case ACTION_FORWAED_DUE_SELECTED_SF: case ACTION_FORWAED_DUE_SELECTED_SF:
return "forward_due_selected_sf"; return "forward(selected_sf)";
default: default:
return "unknown"; return "unknown";
} }
@@ -1285,6 +1337,10 @@ const char *encapsulate_method_to_string(enum encapsulate_method encap_method)
} }
} }
/******************************************************************************
* Public API -- Selected Chaining
******************************************************************************/
// return NULL : error // return NULL : error
// return !NULL : success // return !NULL : success
struct selected_chaining *selected_chaining_create(int chaining_size, uint64_t session_id, char *session_addr) struct selected_chaining *selected_chaining_create(int chaining_size, uint64_t session_id, char *session_addr)
@@ -1342,9 +1398,7 @@ void selected_chaining_dump(struct selected_chaining *chaining)
LOG_DEBUG("%s: session %lu %s selected_chaining->node[%d]->sff_forward_type : %s", LOG_TAG_POLICY, chaining->session_id, chaining->session_addr, i, forward_type_to_string(node->sff_forward_type)); LOG_DEBUG("%s: session %lu %s selected_chaining->node[%d]->sff_forward_type : %s", LOG_TAG_POLICY, chaining->session_id, chaining->session_addr, i, forward_type_to_string(node->sff_forward_type));
// sf // sf
LOG_DEBUG("%s: session %lu %s selected_chaining->node[%d]->sf_profile_id : %d", LOG_TAG_POLICY, chaining->session_id, chaining->session_addr, i, node->sf_profile_id); LOG_DEBUG("%s: session %lu %s selected_chaining->node[%d]->sf_profile_id : %d", LOG_TAG_POLICY, chaining->session_id, chaining->session_addr, i, node->sf_profile_id);
LOG_DEBUG("%s: session %lu %s selected_chaining->node[%d]->sf_need_skip : %d", LOG_TAG_POLICY, chaining->session_id, chaining->session_addr, i, node->sf_need_skip); LOG_DEBUG("%s: session %lu %s selected_chaining->node[%d]->sf_action_desc : %s", LOG_TAG_POLICY, chaining->session_id, chaining->session_addr, i, action_desc_to_string(node->sf_action_desc));
LOG_DEBUG("%s: session %lu %s selected_chaining->node[%d]->sf_action : %s", LOG_TAG_POLICY, chaining->session_id, chaining->session_addr, i, session_action_to_string(node->sf_action));
LOG_DEBUG("%s: session %lu %s selected_chaining->node[%d]->sf_action_reason : %s", LOG_TAG_POLICY, chaining->session_id, chaining->session_addr, i, action_reason_to_string(node->sf_action_reason));
LOG_DEBUG("%s: session %lu %s selected_chaining->node[%d]->sf_connectivity->encapsulate_method : %s", LOG_TAG_POLICY, chaining->session_id, chaining->session_addr, i, encapsulate_method_to_string(node->sf_connectivity.method)); LOG_DEBUG("%s: session %lu %s selected_chaining->node[%d]->sf_connectivity->encapsulate_method : %s", LOG_TAG_POLICY, chaining->session_id, chaining->session_addr, i, encapsulate_method_to_string(node->sf_connectivity.method));
LOG_DEBUG("%s: session %lu %s selected_chaining->node[%d]->sf_connectivity->int_vlan_tag : %d", LOG_TAG_POLICY, chaining->session_id, chaining->session_addr, i, node->sf_connectivity.int_vlan_tag); LOG_DEBUG("%s: session %lu %s selected_chaining->node[%d]->sf_connectivity->int_vlan_tag : %d", LOG_TAG_POLICY, chaining->session_id, chaining->session_addr, i, node->sf_connectivity.int_vlan_tag);
LOG_DEBUG("%s: session %lu %s selected_chaining->node[%d]->sf_connectivity->ext_vlan_tag : %d", LOG_TAG_POLICY, chaining->session_id, chaining->session_addr, i, node->sf_connectivity.ext_vlan_tag); LOG_DEBUG("%s: session %lu %s selected_chaining->node[%d]->sf_connectivity->ext_vlan_tag : %d", LOG_TAG_POLICY, chaining->session_id, chaining->session_addr, i, node->sf_connectivity.ext_vlan_tag);
@@ -1373,9 +1427,9 @@ void selected_chaining_bref(struct selected_chaining *chaining)
buff_used += snprintf(buff + buff_used, buff_size - buff_used, ","); buff_used += snprintf(buff + buff_used, buff_size - buff_used, ",");
} }
buff_used += snprintf(buff + buff_used, buff_size - buff_used, buff_used += snprintf(buff + buff_used, buff_size - buff_used,
"\"node[%d]\":{\"skip\":%d,\"rule_id\":%lu,\"sff_profile_id\":%d,\"sf_profile_id\":%d,\"traffic_type\":\"%s\",\"sff_forward_type\":\"%s\",\"sf_action\":\"%s\",\"reason\":\"%s\"}", "\"node[%d]\":{\"policy\":\"%lu->%d->%d\",\"action\":\"%s->%s->%s\"}",
i, node->sf_need_skip, node->rule_id, node->sff_profile_id, node->sf_profile_id, i, node->rule_id, node->sff_profile_id, node->sf_profile_id,
traffic_type_to_string(node->traffic_type), forward_type_to_string(node->sff_forward_type), session_action_to_string(node->sf_action), action_reason_to_string(node->sf_action_reason)); traffic_type_to_string(node->traffic_type), forward_type_to_string(node->sff_forward_type), action_desc_to_string(node->sf_action_desc));
} }
} }
LOG_INFO("%s: session %lu %s selected_chaining_bref: %s}", LOG_TAG_POLICY, chaining->session_id, chaining->session_addr, buff); LOG_INFO("%s: session %lu %s selected_chaining_bref: %s}", LOG_TAG_POLICY, chaining->session_id, chaining->session_addr, buff);
@@ -1390,21 +1444,44 @@ void selected_chaining_uniq(struct selected_chaining *chaining)
// Selected Service Chaining Before Unique : [1,2,3,1,2] // Selected Service Chaining Before Unique : [1,2,3,1,2]
// Selected Service Chaining After Unique : [1,2,3] // Selected Service Chaining After Unique : [1,2,3]
for (int i = 0; i < chaining->chaining_used; i++)
int i = 0;
int j = 0;
int k = 0;
int is_exist = 0;
for (i = 0; i < chaining->chaining_used; i++)
{ {
struct selected_sf *node_i = &(chaining->chaining[i]); is_exist = 0;
for (int j = 0; j < i; j++) for (j = 0; j < i; j++)
{ {
struct selected_sf *node_j = &(chaining->chaining[j]); if (chaining->chaining[i].sf_profile_id == chaining->chaining[j].sf_profile_id && chaining->chaining[i].sf_action == chaining->chaining[j].sf_action)
if (node_i->sf_profile_id == node_j->sf_profile_id)
{ {
node_i->sf_need_skip = 1; is_exist = 1;
break; break;
} }
} }
if (is_exist == 0)
{
if (i != k)
{
memcpy(&(chaining->chaining[k]), &(chaining->chaining[i]), sizeof(struct selected_sf));
}
k++;
}
}
chaining->chaining_used = k;
// Selected Service Chaining After Unique : [1,2,3,1,2] -> [1,2,3,0,0]
for (i = chaining->chaining_used; i < chaining->chaining_size; i++)
{
selected_sf_init(&(chaining->chaining[i]));
} }
} }
/******************************************************************************
* Public API -- Policy Enforcer
******************************************************************************/
// return NULL : error // return NULL : error
// return !NULL : success // return !NULL : success
struct policy_enforcer *policy_enforcer_create(const char *instance, const char *profile, int thread_num, void *logger) struct policy_enforcer *policy_enforcer_create(const char *instance, const char *profile, int thread_num, void *logger)
@@ -1607,16 +1684,11 @@ int policy_enforce_chaining_size(struct policy_enforcer *enforcer)
void policy_enforce_select_chainings(struct policy_enforcer *enforcer, struct selected_chainings *chainings, struct session_ctx *s_ctx, struct data_packet *data_pkt, uint64_t rule_id, int dir_is_i2e) void policy_enforce_select_chainings(struct policy_enforcer *enforcer, struct selected_chainings *chainings, struct session_ctx *s_ctx, struct data_packet *data_pkt, uint64_t rule_id, int dir_is_i2e)
{ {
uint64_t hash_value = 0;
char buffer[16] = {0}; char buffer[16] = {0};
struct sf_param *sf_param = NULL;
struct sff_param *sff_param = NULL;
struct mutable_array array = {0};
struct chaining_param *chaining_param = NULL;
struct selected_chaining *chaining = NULL; struct selected_chaining *chaining = NULL;
snprintf(buffer, sizeof(buffer), "%lu", rule_id); snprintf(buffer, sizeof(buffer), "%lu", rule_id);
chaining_param = (struct chaining_param *)maat_plugin_table_get_ex_data(enforcer->maat, enforcer->compile_table_id, buffer, strlen(buffer)); struct chaining_param *chaining_param = (struct chaining_param *)maat_plugin_table_get_ex_data(enforcer->maat, enforcer->compile_table_id, buffer, strlen(buffer));
if (chaining_param == NULL) if (chaining_param == NULL)
{ {
LOG_ERROR("%s: session %lu %s failed to get chaining parameter of policy %lu", LOG_TAG_POLICY, s_ctx->session_id, s_ctx->session_addr, rule_id); LOG_ERROR("%s: session %lu %s failed to get chaining parameter of policy %lu", LOG_TAG_POLICY, s_ctx->session_id, s_ctx->session_addr, rule_id);
@@ -1631,95 +1703,44 @@ void policy_enforce_select_chainings(struct policy_enforcer *enforcer, struct se
{ {
chaining = chainings->chaining_decrypted; chaining = chainings->chaining_decrypted;
} }
LOG_INFO("%s: session %lu %s enforce %s chaining rule %lu", LOG_TAG_POLICY, chaining->session_id, chaining->session_addr, traffic_type_to_string(chaining_param->traffic_type), rule_id); LOG_INFO("%s: session %lu %s enforce %s chaining: rule_id %lu", LOG_TAG_POLICY, chaining->session_id, chaining->session_addr, traffic_type_to_string(chaining_param->traffic_type), rule_id);
for (int i = 0; i < chaining_param->sff_profile_ids_num && chaining->chaining_used < chaining->chaining_size; i++) for (int i = 0; i < chaining_param->sff_profile_ids_num && chaining->chaining_used < chaining->chaining_size; i++)
{ {
struct selected_sf *item = &(chaining->chaining[chaining->chaining_used]); struct selected_sf *selected_sf = &(chaining->chaining[chaining->chaining_used]);
selected_sf_init(item); selected_sf_init(selected_sf);
item->rule_id = rule_id;
item->rule_vsys_id = chaining_param->vsys_id;
item->traffic_type = chaining_param->traffic_type;
item->sff_profile_id = chaining_param->sff_profile_ids[i];
item->sf_index = chaining->chaining_used;
memset(buffer, 0, sizeof(buffer)); memset(buffer, 0, sizeof(buffer));
snprintf(buffer, sizeof(buffer), "%u", item->sff_profile_id); snprintf(buffer, sizeof(buffer), "%u", chaining_param->sff_profile_ids[i]);
sff_param = (struct sff_param *)maat_plugin_table_get_ex_data(enforcer->maat, enforcer->sff_table_id, buffer, strlen(buffer)); struct sff_param *sff_param = (struct sff_param *)maat_plugin_table_get_ex_data(enforcer->maat, enforcer->sff_table_id, buffer, strlen(buffer));
if (sff_param == NULL) if (sff_param == NULL)
{ {
LOG_ERROR("%s: session %lu %s failed to get sff parameter of profile %d, bypass current sff !!!", LOG_TAG_POLICY, chaining->session_id, chaining->session_addr, item->sff_profile_id); LOG_ERROR("%s: session %lu %s failed to get sff parameter of profile %d, bypass current sff !!!", LOG_TAG_POLICY, chaining->session_id, chaining->session_addr, chaining_param->sff_profile_ids[i]);
item->sf_action = SESSION_ACTION_BYPASS;
item->sf_action_reason = ACTION_BYPASS_DUE_INVALID_POLICY;
chaining->chaining_used++;
continue;
}
item->sff_forward_type = sff_param->sff_forward_type;
memset(&array, 0, sizeof(array));
mutable_array_init(&array);
select_sf_by_nearby_and_adminstatus(enforcer, sff_param, &array);
LOG_DEBUG("%s: session %lu %s select sf from chaining rule %lu sff_profile %d, sf_profile_num (before filter: %d -> filter nearby/admin_status: %d)", LOG_TAG_POLICY, chaining->session_id, chaining->session_addr, rule_id, item->sff_profile_id, sff_param->sf_profile_ids_num, mutable_array_count_elem(&array));
if (mutable_array_count_elem(&array) == 0)
{
switch (sff_param->sff_exception.fail_action)
{
case FAILURE_ACTION_BYPASS:
item->sf_action = SESSION_ACTION_BYPASS;
item->sf_action_reason = ACTION_BYPASS_DUE_FAILURE_ACTION;
break;
case FAILURE_ACTION_BLOCK:
item->sf_action = SESSION_ACTION_BLOCK;
item->sf_action_reason = ACTION_BLOCK_DUE_FAILURE_ACTION;
break;
case FAILURE_ACTION_RE_DISPATCH:
if (sff_param->sff_exception.unavail_action == UNAVAILABLE_ACTION_BYPASSS)
{
item->sf_action = SESSION_ACTION_BYPASS;
item->sf_action_reason = ACTION_BYPASS_DUE_UNAVAILABLE_ACTION;
}
else // UNAVAILABLE_ACTION_BLOCK
{
item->sf_action = SESSION_ACTION_BLOCK;
item->sf_action_reason = ACTION_BLOCK_DUE_UNAVAILABLE_ACTION;
}
break;
}
LOG_DEBUG("%s: session %lu %s rule_id %lu sff_profile_id %d, no sf available after filtering by 'nearby & admin_status', %s", LOG_TAG_POLICY, chaining->session_id, chaining->session_addr, rule_id, item->sff_profile_id, action_reason_to_string(item->sf_action_reason));
chaining->chaining_used++;
sff_param_free(sff_param);
continue; continue;
} }
hash_value = data_packet_get_hash(data_pkt, sff_param->sff_ldbc.method, dir_is_i2e); // sc info
item->sf_action = select_sf_by_ldbc(enforcer, s_ctx, sff_param, item, &array, hash_value); selected_sf->rule_id = rule_id;
if (item->sf_action != SESSION_ACTION_FORWARD) selected_sf->rule_vsys_id = chaining_param->vsys_id;
{ selected_sf->traffic_type = chaining_param->traffic_type;
chaining->chaining_used++;
sff_param_free(sff_param);
continue;
}
memset(&buffer, 0, sizeof(buffer)); // sff info
snprintf(buffer, sizeof(buffer), "%u", item->sf_profile_id); selected_sf->sff_profile_id = chaining_param->sff_profile_ids[i];
sf_param = (struct sf_param *)maat_plugin_table_get_ex_data(enforcer->maat, enforcer->sf_table_id, buffer, strlen(buffer)); selected_sf->sff_forward_type = sff_param->sff_forward_type;
if (sf_param == NULL)
{ // sf_index
LOG_ERROR("%s: session %lu %s failed to get sf parameter of profile %d, bypass current sff !!!", LOG_TAG_POLICY, chaining->session_id, chaining->session_addr, item->sf_profile_id); selected_sf->sf_index = chaining->chaining_used;
item->sf_action = SESSION_ACTION_BYPASS;
item->sf_action_reason = ACTION_BYPASS_DUE_INVALID_POLICY; uint64_t packet_hash = data_packet_get_hash(data_pkt, sff_param->sff_ldbc.method, dir_is_i2e);
chaining->chaining_used++; select_sf_from_sff(enforcer, sff_param, selected_sf, s_ctx, packet_hash);
sff_param_free(sff_param);
continue; LOG_INFO("%s: session %lu %s enforce chaining [%d/%d]: policy: %lu->%d->%d, action: %s->%s->%s",
} LOG_TAG_POLICY, chaining->session_id, chaining->session_addr,
selected_sf->sf_index, chaining->chaining_size,
selected_sf->rule_id, selected_sf->sff_profile_id, selected_sf->sf_profile_id,
traffic_type_to_string(chaining_param->traffic_type), forward_type_to_string(selected_sf->sff_forward_type), action_desc_to_string(selected_sf->sf_action_desc));
item->sf_vsys_id = sf_param->sf_vsys_id;
connectivity_copy(&item->sf_connectivity, &sf_param->sf_connectivity);
item->sf_dst_ip = inet_addr(sf_param->sf_connectivity.dest_ip);
chaining->chaining_used++; chaining->chaining_used++;
sf_param_free(sf_param);
sff_param_free(sff_param); sff_param_free(sff_param);
} }


@@ -14,17 +14,647 @@ unsigned char data1[] = {
0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd,
0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd}; 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd, 0xab, 0xcd};
TEST(POLICY, SELECTED_CHAINING_LIFE_CYCLE) // 都不同
TEST(POLICY, SELECTED_CHAINING1)
{ {
struct selected_chaining *chaining = NULL; struct selected_chaining *chainings = NULL;
chaining = selected_chaining_create(128, 1, (char *)"1.1.1.1 11 2.2.2.2 22"); chainings = selected_chaining_create(3, 1, (char *)"1.1.1.1 11 2.2.2.2 22");
EXPECT_TRUE(chaining != nullptr); EXPECT_TRUE(chainings != nullptr);
selected_chaining_destory(chaining); chainings->chaining[chainings->chaining_used++].sf_profile_id = 1;
chainings->chaining[chainings->chaining_used++].sf_profile_id = 2;
chainings->chaining[chainings->chaining_used++].sf_profile_id = 3;
selected_chaining_uniq(chainings);
selected_chaining_dump(chainings);
EXPECT_TRUE(chainings->chaining_used == 3);
EXPECT_TRUE(chainings->chaining[0].sf_profile_id == 1);
EXPECT_TRUE(chainings->chaining[1].sf_profile_id == 2);
EXPECT_TRUE(chainings->chaining[2].sf_profile_id == 3);
selected_chaining_destory(chainings);
} }
TEST(POLICY, POLICY_ENFORCER_LIFE_CYCLE) // 都相同
TEST(POLICY, SELECTED_CHAINING2)
{
struct selected_chaining *chainings = NULL;
chainings = selected_chaining_create(3, 1, (char *)"1.1.1.1 11 2.2.2.2 22");
EXPECT_TRUE(chainings != nullptr);
chainings->chaining[chainings->chaining_used++].sf_profile_id = 1;
chainings->chaining[chainings->chaining_used++].sf_profile_id = 1;
chainings->chaining[chainings->chaining_used++].sf_profile_id = 1;
selected_chaining_uniq(chainings);
selected_chaining_dump(chainings);
EXPECT_TRUE(chainings->chaining_used == 1);
EXPECT_TRUE(chainings->chaining[0].sf_profile_id == 1);
selected_chaining_destory(chainings);
}
// 两个相同 (1,2相同)
TEST(POLICY, SELECTED_CHAINING3)
{
struct selected_chaining *chainings = NULL;
chainings = selected_chaining_create(3, 1, (char *)"1.1.1.1 11 2.2.2.2 22");
EXPECT_TRUE(chainings != nullptr);
chainings->chaining[chainings->chaining_used++].sf_profile_id = 1;
chainings->chaining[chainings->chaining_used++].sf_profile_id = 1;
chainings->chaining[chainings->chaining_used++].sf_profile_id = 2;
selected_chaining_uniq(chainings);
selected_chaining_dump(chainings);
EXPECT_TRUE(chainings->chaining_used == 2);
EXPECT_TRUE(chainings->chaining[0].sf_profile_id == 1);
EXPECT_TRUE(chainings->chaining[1].sf_profile_id == 2);
selected_chaining_destory(chainings);
}
// 两个相同 (1,3相同)
TEST(POLICY, SELECTED_CHAINING4)
{
struct selected_chaining *chainings = NULL;
chainings = selected_chaining_create(3, 1, (char *)"1.1.1.1 11 2.2.2.2 22");
EXPECT_TRUE(chainings != nullptr);
chainings->chaining[chainings->chaining_used++].sf_profile_id = 1;
chainings->chaining[chainings->chaining_used++].sf_profile_id = 2;
chainings->chaining[chainings->chaining_used++].sf_profile_id = 1;
selected_chaining_uniq(chainings);
selected_chaining_dump(chainings);
EXPECT_TRUE(chainings->chaining_used == 2);
EXPECT_TRUE(chainings->chaining[0].sf_profile_id == 1);
EXPECT_TRUE(chainings->chaining[1].sf_profile_id == 2);
selected_chaining_destory(chainings);
}
// 两个相同 (23相同)
TEST(POLICY, SELECTED_CHAINING5)
{
struct selected_chaining *chainings = NULL;
chainings = selected_chaining_create(3, 1, (char *)"1.1.1.1 11 2.2.2.2 22");
EXPECT_TRUE(chainings != nullptr);
chainings->chaining[chainings->chaining_used++].sf_profile_id = 2;
chainings->chaining[chainings->chaining_used++].sf_profile_id = 1;
chainings->chaining[chainings->chaining_used++].sf_profile_id = 1;
selected_chaining_uniq(chainings);
selected_chaining_dump(chainings);
EXPECT_TRUE(chainings->chaining_used == 2);
EXPECT_TRUE(chainings->chaining[0].sf_profile_id == 2);
EXPECT_TRUE(chainings->chaining[1].sf_profile_id == 1);
selected_chaining_destory(chainings);
}
// 没有数据
TEST(POLICY, SELECTED_CHAINING6)
{
struct selected_chaining *chainings = NULL;
chainings = selected_chaining_create(3, 1, (char *)"1.1.1.1 11 2.2.2.2 22");
EXPECT_TRUE(chainings != nullptr);
selected_chaining_uniq(chainings);
selected_chaining_dump(chainings);
EXPECT_TRUE(chainings->chaining_used == 0);
selected_chaining_destory(chainings);
}
// 只有一个
TEST(POLICY, SELECTED_CHAINING7)
{
struct selected_chaining *chainings = NULL;
chainings = selected_chaining_create(3, 1, (char *)"1.1.1.1 11 2.2.2.2 22");
EXPECT_TRUE(chainings != nullptr);
chainings->chaining[chainings->chaining_used++].sf_profile_id = 1;
selected_chaining_uniq(chainings);
selected_chaining_dump(chainings);
EXPECT_TRUE(chainings->chaining_used == 1);
EXPECT_TRUE(chainings->chaining[0].sf_profile_id == 1);
selected_chaining_destory(chainings);
}
#if 1
TEST(POLICY, POLICY_ENFORCER_RAW_TRAFFIC1)
{
struct global_metrics global_metrics;
struct thread_ctx t_ctx;
struct session_ctx s_ctx;
t_ctx.ref_global_metrics = &global_metrics;
s_ctx.ref_thread_ctx = &t_ctx;
s_ctx.session_id = 1;
s_ctx.session_addr = (char *)"1.1.1.1 11 2.2.2.2 22";
struct data_packet handler;
const void *payload = data_packet_parse(&handler, (const void *)data1, sizeof(data1), 0);
EXPECT_TRUE(payload != nullptr);
EXPECT_TRUE((char *)payload - (char *)&data1 == 70);
const char *profile = "./test_resource/sce.conf";
struct policy_enforcer *enforcer = policy_enforcer_create("SCE", profile, 8, NULL);
EXPECT_TRUE(enforcer != nullptr);
EXPECT_TRUE(policy_enforcer_register(enforcer) == 0);
int dir_is_i2e = 1;
struct selected_chainings chainings;
chainings.chaining_raw = selected_chaining_create(64, s_ctx.session_id, s_ctx.session_addr);
policy_enforce_select_chainings(enforcer, &chainings, &s_ctx, &handler, 1, dir_is_i2e);
/*
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 1 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce raw chaining: rule_id 1, sff_profile_id 1, sf_profile_id -1, sf_action bypass, sf_action_desc bypass_due_failure_action
*/
EXPECT_TRUE(chainings.chaining_raw->chaining_used == 1);
EXPECT_TRUE(chainings.chaining_raw->chaining[0].rule_id == 1);
EXPECT_TRUE(chainings.chaining_raw->chaining[0].sff_profile_id == 1);
EXPECT_TRUE(chainings.chaining_raw->chaining[0].sf_profile_id == -1);
EXPECT_TRUE(chainings.chaining_raw->chaining[0].sf_action == SESSION_ACTION_BYPASS);
EXPECT_TRUE(chainings.chaining_raw->chaining[0].sf_action_desc == ACTION_BYPASS_DUE_FAILURE_ACTION);
selected_chaining_dump(chainings.chaining_raw);
selected_chaining_bref(chainings.chaining_raw);
selected_chaining_destory(chainings.chaining_raw);
printf("Before Sleep\n");
sleep(1);
printf("After Sleep\n");
policy_enforcer_destory(enforcer);
}
#endif
#if 1
TEST(POLICY, POLICY_ENFORCER_RAW_TRAFFIC2)
{
struct global_metrics global_metrics;
struct thread_ctx t_ctx;
struct session_ctx s_ctx;
t_ctx.ref_global_metrics = &global_metrics;
s_ctx.ref_thread_ctx = &t_ctx;
s_ctx.session_id = 1;
s_ctx.session_addr = (char *)"1.1.1.1 11 2.2.2.2 22";
struct data_packet handler;
const void *payload = data_packet_parse(&handler, (const void *)data1, sizeof(data1), 0);
EXPECT_TRUE(payload != nullptr);
EXPECT_TRUE((char *)payload - (char *)&data1 == 70);
const char *profile = "./test_resource/sce.conf";
struct policy_enforcer *enforcer = policy_enforcer_create("SCE", profile, 8, NULL);
EXPECT_TRUE(enforcer != nullptr);
EXPECT_TRUE(policy_enforcer_register(enforcer) == 0);
int dir_is_i2e = 1;
struct selected_chainings chainings;
chainings.chaining_raw = selected_chaining_create(64, s_ctx.session_id, s_ctx.session_addr);
policy_enforce_select_chainings(enforcer, &chainings, &s_ctx, &handler, 2, dir_is_i2e);
/*
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 1 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce raw chaining: rule_id 2, sff_profile_id 1, sf_profile_id -1, sf_action bypass, sf_action_desc bypass_due_failure_action
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 1 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 2 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 3 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 4 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 5 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 6 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by admin-status, sf_profile_id 7 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by admin-status, sf_profile_id 8 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce raw chaining: rule_id 2, sff_profile_id 2, sf_profile_id -1, sf_action bypass, sf_action_desc bypass_due_failure_action
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 1 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce raw chaining: rule_id 2, sff_profile_id 3, sf_profile_id -1, sf_action block, sf_action_desc block_due_failure_action
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 1 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 2 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 3 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce raw chaining: rule_id 2, sff_profile_id 4, sf_profile_id -1, sf_action bypass, sf_action_desc bypass_due_health_sf_limit
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 1 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 2 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 3 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce raw chaining: rule_id 2, sff_profile_id 5, sf_profile_id -1, sf_action block, sf_action_desc block_due_unavailable_action
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by fail-action, sf_profile_id 1 to be selected
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce raw chaining: rule_id 2, sff_profile_id 6, sf_profile_id 1, sf_action block, sf_action_desc block_due_failure_action
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by fail-action, sf_profile_id 1 to be selected
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce raw chaining: rule_id 2, sff_profile_id 7, sf_profile_id 1, sf_action block, sf_action_desc block_due_failure_action
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by fail-action, sf_profile_id 1 to be selected
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce raw chaining: rule_id 2, sff_profile_id 8, sf_profile_id 1, sf_action block, sf_action_desc block_due_failure_action
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by fail-action, sf_profile_id 1 to be selected
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce raw chaining: rule_id 2, sff_profile_id 9, sf_profile_id 1, sf_action block, sf_action_desc block_due_failure_action
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by fail-action, sf_profile_id 1 to be selected
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce raw chaining: rule_id 2, sff_profile_id 10, sf_profile_id 1, sf_action block, sf_action_desc block_due_failure_action
*/
EXPECT_TRUE(chainings.chaining_raw->chaining_used == 3);
EXPECT_TRUE(chainings.chaining_raw->chaining[0].rule_id == 2);
EXPECT_TRUE(chainings.chaining_raw->chaining[0].sff_profile_id == 1);
EXPECT_TRUE(chainings.chaining_raw->chaining[0].sf_profile_id == -1);
EXPECT_TRUE(chainings.chaining_raw->chaining[0].sf_action == SESSION_ACTION_BYPASS);
EXPECT_TRUE(chainings.chaining_raw->chaining[0].sf_action_desc == ACTION_BYPASS_DUE_FAILURE_ACTION);
EXPECT_TRUE(chainings.chaining_raw->chaining[1].rule_id == 2);
EXPECT_TRUE(chainings.chaining_raw->chaining[1].sff_profile_id == 3);
EXPECT_TRUE(chainings.chaining_raw->chaining[1].sf_profile_id == -1);
EXPECT_TRUE(chainings.chaining_raw->chaining[1].sf_action == SESSION_ACTION_BLOCK);
EXPECT_TRUE(chainings.chaining_raw->chaining[1].sf_action_desc == ACTION_BLOCK_DUE_FAILURE_ACTION);
EXPECT_TRUE(chainings.chaining_raw->chaining[2].rule_id == 2);
EXPECT_TRUE(chainings.chaining_raw->chaining[2].sff_profile_id == 6);
EXPECT_TRUE(chainings.chaining_raw->chaining[2].sf_profile_id == 1);
EXPECT_TRUE(chainings.chaining_raw->chaining[2].sf_action == SESSION_ACTION_BLOCK);
EXPECT_TRUE(chainings.chaining_raw->chaining[2].sf_action_desc == ACTION_BLOCK_DUE_FAILURE_ACTION);
selected_chaining_dump(chainings.chaining_raw);
selected_chaining_bref(chainings.chaining_raw);
selected_chaining_destory(chainings.chaining_raw);
printf("Before Sleep\n");
sleep(1);
printf("After Sleep\n");
policy_enforcer_destory(enforcer);
}
#endif
#if 1
TEST(POLICY, POLICY_ENFORCER_RAW_TRAFFIC_MUTIL_HITS)
{
struct global_metrics global_metrics;
struct thread_ctx t_ctx;
struct session_ctx s_ctx;
t_ctx.ref_global_metrics = &global_metrics;
s_ctx.ref_thread_ctx = &t_ctx;
s_ctx.session_id = 1;
s_ctx.session_addr = (char *)"1.1.1.1 11 2.2.2.2 22";
struct data_packet handler;
const void *payload = data_packet_parse(&handler, (const void *)data1, sizeof(data1), 0);
EXPECT_TRUE(payload != nullptr);
EXPECT_TRUE((char *)payload - (char *)&data1 == 70);
const char *profile = "./test_resource/sce.conf";
struct policy_enforcer *enforcer = policy_enforcer_create("SCE", profile, 8, NULL);
EXPECT_TRUE(enforcer != nullptr);
EXPECT_TRUE(policy_enforcer_register(enforcer) == 0);
int dir_is_i2e = 1;
struct selected_chainings chainings;
chainings.chaining_raw = selected_chaining_create(64, s_ctx.session_id, s_ctx.session_addr);
policy_enforce_select_chainings(enforcer, &chainings, &s_ctx, &handler, 1, dir_is_i2e);
policy_enforce_select_chainings(enforcer, &chainings, &s_ctx, &handler, 2, dir_is_i2e);
/*
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce raw chaining: rule_id 1
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 1 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce raw chaining: rule_id 1, sff_profile_id 1, sf_profile_id -1, sf_action bypass, sf_action_desc bypass_due_failure_action
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce raw chaining: rule_id 2
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 1 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce raw chaining: rule_id 2, sff_profile_id 1, sf_profile_id -1, sf_action bypass, sf_action_desc bypass_due_failure_action
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 1 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 2 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 3 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 4 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 5 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 6 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by admin-status, sf_profile_id 7 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by admin-status, sf_profile_id 8 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce raw chaining: rule_id 2, sff_profile_id 2, sf_profile_id -1, sf_action bypass, sf_action_desc bypass_due_failure_action
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 1 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce raw chaining: rule_id 2, sff_profile_id 3, sf_profile_id -1, sf_action block, sf_action_desc block_due_failure_action
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 1 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 2 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 3 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce raw chaining: rule_id 2, sff_profile_id 4, sf_profile_id -1, sf_action bypass, sf_action_desc bypass_due_health_sf_limit
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 1 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 2 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 3 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce raw chaining: rule_id 2, sff_profile_id 5, sf_profile_id -1, sf_action block, sf_action_desc block_due_unavailable_action
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by fail-action, sf_profile_id 1 to be selected
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce raw chaining: rule_id 2, sff_profile_id 6, sf_profile_id 1, sf_action block, sf_action_desc block_due_failure_action
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by fail-action, sf_profile_id 1 to be selected
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce raw chaining: rule_id 2, sff_profile_id 7, sf_profile_id 1, sf_action block, sf_action_desc block_due_failure_action
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by fail-action, sf_profile_id 1 to be selected
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce raw chaining: rule_id 2, sff_profile_id 8, sf_profile_id 1, sf_action block, sf_action_desc block_due_failure_action
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by fail-action, sf_profile_id 1 to be selected
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce raw chaining: rule_id 2, sff_profile_id 9, sf_profile_id 1, sf_action block, sf_action_desc block_due_failure_action
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by fail-action, sf_profile_id 1 to be selected
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce raw chaining: rule_id 2, sff_profile_id 10, sf_profile_id 1, sf_action block, sf_action_desc block_due_failure_action
*/
EXPECT_TRUE(chainings.chaining_raw->chaining_used == 3);
EXPECT_TRUE(chainings.chaining_raw->chaining[0].rule_id == 1);
EXPECT_TRUE(chainings.chaining_raw->chaining[0].sff_profile_id == 1);
EXPECT_TRUE(chainings.chaining_raw->chaining[0].sf_profile_id == -1);
EXPECT_TRUE(chainings.chaining_raw->chaining[0].sf_action == SESSION_ACTION_BYPASS);
EXPECT_TRUE(chainings.chaining_raw->chaining[0].sf_action_desc == ACTION_BYPASS_DUE_FAILURE_ACTION);
EXPECT_TRUE(chainings.chaining_raw->chaining[1].rule_id == 2);
EXPECT_TRUE(chainings.chaining_raw->chaining[1].sff_profile_id == 3);
EXPECT_TRUE(chainings.chaining_raw->chaining[1].sf_profile_id == -1);
EXPECT_TRUE(chainings.chaining_raw->chaining[1].sf_action == SESSION_ACTION_BLOCK);
EXPECT_TRUE(chainings.chaining_raw->chaining[1].sf_action_desc == ACTION_BLOCK_DUE_FAILURE_ACTION);
EXPECT_TRUE(chainings.chaining_raw->chaining[2].rule_id == 2);
EXPECT_TRUE(chainings.chaining_raw->chaining[2].sff_profile_id == 6);
EXPECT_TRUE(chainings.chaining_raw->chaining[2].sf_profile_id == 1);
EXPECT_TRUE(chainings.chaining_raw->chaining[2].sf_action == SESSION_ACTION_BLOCK);
EXPECT_TRUE(chainings.chaining_raw->chaining[2].sf_action_desc == ACTION_BLOCK_DUE_FAILURE_ACTION);
selected_chaining_dump(chainings.chaining_raw);
selected_chaining_bref(chainings.chaining_raw);
selected_chaining_destory(chainings.chaining_raw);
printf("Before Sleep\n");
sleep(1);
printf("After Sleep\n");
policy_enforcer_destory(enforcer);
}
#endif
#if 1
TEST(POLICY, POLICY_ENFORCER_DECRYPTED_TRAFFIC1)
{
struct global_metrics global_metrics;
struct thread_ctx t_ctx;
struct session_ctx s_ctx;
t_ctx.ref_global_metrics = &global_metrics;
s_ctx.ref_thread_ctx = &t_ctx;
s_ctx.session_id = 1;
s_ctx.session_addr = (char *)"1.1.1.1 11 2.2.2.2 22";
struct data_packet handler;
const void *payload = data_packet_parse(&handler, (const void *)data1, sizeof(data1), 0);
EXPECT_TRUE(payload != nullptr);
EXPECT_TRUE((char *)payload - (char *)&data1 == 70);
const char *profile = "./test_resource/sce.conf";
struct policy_enforcer *enforcer = policy_enforcer_create("SCE", profile, 8, NULL);
EXPECT_TRUE(enforcer != nullptr);
EXPECT_TRUE(policy_enforcer_register(enforcer) == 0);
int dir_is_i2e = 1;
struct selected_chainings chainings;
chainings.chaining_decrypted = selected_chaining_create(64, s_ctx.session_id, s_ctx.session_addr);
policy_enforce_select_chainings(enforcer, &chainings, &s_ctx, &handler, 11, dir_is_i2e);
/*
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce decrypted chaining: rule_id 11
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 1 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce decrypted chaining: rule_id 11, sff_profile_id 1, sf_profile_id -1, sf_action bypass, sf_action_desc bypass_due_failure_action
*/
EXPECT_TRUE(chainings.chaining_decrypted->chaining_used == 1);
EXPECT_TRUE(chainings.chaining_decrypted->chaining[0].rule_id == 11);
EXPECT_TRUE(chainings.chaining_decrypted->chaining[0].sff_profile_id == 1);
EXPECT_TRUE(chainings.chaining_decrypted->chaining[0].sf_profile_id == -1);
EXPECT_TRUE(chainings.chaining_decrypted->chaining[0].sf_action == SESSION_ACTION_BYPASS);
EXPECT_TRUE(chainings.chaining_decrypted->chaining[0].sf_action_desc == ACTION_BYPASS_DUE_FAILURE_ACTION);
selected_chaining_dump(chainings.chaining_decrypted);
selected_chaining_bref(chainings.chaining_decrypted);
selected_chaining_destory(chainings.chaining_decrypted);
printf("Before Sleep\n");
sleep(1);
printf("After Sleep\n");
policy_enforcer_destory(enforcer);
}
#endif
#if 1
TEST(POLICY, POLICY_ENFORCER_DECRYPTED_TRAFFIC2)
{
struct global_metrics global_metrics;
struct thread_ctx t_ctx;
struct session_ctx s_ctx;
t_ctx.ref_global_metrics = &global_metrics;
s_ctx.ref_thread_ctx = &t_ctx;
s_ctx.session_id = 1;
s_ctx.session_addr = (char *)"1.1.1.1 11 2.2.2.2 22";
struct data_packet handler;
const void *payload = data_packet_parse(&handler, (const void *)data1, sizeof(data1), 0);
EXPECT_TRUE(payload != nullptr);
EXPECT_TRUE((char *)payload - (char *)&data1 == 70);
const char *profile = "./test_resource/sce.conf";
struct policy_enforcer *enforcer = policy_enforcer_create("SCE", profile, 8, NULL);
EXPECT_TRUE(enforcer != nullptr);
EXPECT_TRUE(policy_enforcer_register(enforcer) == 0);
int dir_is_i2e = 1;
struct selected_chainings chainings;
chainings.chaining_decrypted = selected_chaining_create(64, s_ctx.session_id, s_ctx.session_addr);
policy_enforce_select_chainings(enforcer, &chainings, &s_ctx, &handler, 12, dir_is_i2e);
/*
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce decrypted chaining: rule_id 12
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 1 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce decrypted chaining: rule_id 12, sff_profile_id 1, sf_profile_id -1, sf_action bypass, sf_action_desc bypass_due_failure_action
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 1 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 2 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 3 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 4 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 5 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 6 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by admin-status, sf_profile_id 7 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by admin-status, sf_profile_id 8 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce decrypted chaining: rule_id 12, sff_profile_id 2, sf_profile_id -1, sf_action bypass, sf_action_desc bypass_due_failure_action
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 1 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce decrypted chaining: rule_id 12, sff_profile_id 3, sf_profile_id -1, sf_action block, sf_action_desc block_due_failure_action
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 1 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 2 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 3 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce decrypted chaining: rule_id 12, sff_profile_id 4, sf_profile_id -1, sf_action bypass, sf_action_desc bypass_due_health_sf_limit
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 1 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 2 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 3 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce decrypted chaining: rule_id 12, sff_profile_id 5, sf_profile_id -1, sf_action block, sf_action_desc block_due_unavailable_action
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by fail-action, sf_profile_id 1 to be selected
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce decrypted chaining: rule_id 12, sff_profile_id 6, sf_profile_id 1, sf_action block, sf_action_desc block_due_failure_action
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by fail-action, sf_profile_id 1 to be selected
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce decrypted chaining: rule_id 12, sff_profile_id 7, sf_profile_id 1, sf_action block, sf_action_desc block_due_failure_action
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by fail-action, sf_profile_id 1 to be selected
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce decrypted chaining: rule_id 12, sff_profile_id 8, sf_profile_id 1, sf_action block, sf_action_desc block_due_failure_action
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by fail-action, sf_profile_id 1 to be selected
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce decrypted chaining: rule_id 12, sff_profile_id 9, sf_profile_id 1, sf_action block, sf_action_desc block_due_failure_action
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by fail-action, sf_profile_id 1 to be selected
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce decrypted chaining: rule_id 12, sff_profile_id 10, sf_profile_id 1, sf_action block, sf_action_desc block_due_failure_action
*/
EXPECT_TRUE(chainings.chaining_decrypted->chaining_used == 3);
EXPECT_TRUE(chainings.chaining_decrypted->chaining[0].rule_id == 12);
EXPECT_TRUE(chainings.chaining_decrypted->chaining[0].sff_profile_id == 1);
EXPECT_TRUE(chainings.chaining_decrypted->chaining[0].sf_profile_id == -1);
EXPECT_TRUE(chainings.chaining_decrypted->chaining[0].sf_action == SESSION_ACTION_BYPASS);
EXPECT_TRUE(chainings.chaining_decrypted->chaining[0].sf_action_desc == ACTION_BYPASS_DUE_FAILURE_ACTION);
EXPECT_TRUE(chainings.chaining_decrypted->chaining[1].rule_id == 12);
EXPECT_TRUE(chainings.chaining_decrypted->chaining[1].sff_profile_id == 3);
EXPECT_TRUE(chainings.chaining_decrypted->chaining[1].sf_profile_id == -1);
EXPECT_TRUE(chainings.chaining_decrypted->chaining[1].sf_action == SESSION_ACTION_BLOCK);
EXPECT_TRUE(chainings.chaining_decrypted->chaining[1].sf_action_desc == ACTION_BLOCK_DUE_FAILURE_ACTION);
EXPECT_TRUE(chainings.chaining_decrypted->chaining[2].rule_id == 12);
EXPECT_TRUE(chainings.chaining_decrypted->chaining[2].sff_profile_id == 6);
EXPECT_TRUE(chainings.chaining_decrypted->chaining[2].sf_profile_id == 1);
EXPECT_TRUE(chainings.chaining_decrypted->chaining[2].sf_action == SESSION_ACTION_BLOCK);
EXPECT_TRUE(chainings.chaining_decrypted->chaining[2].sf_action_desc == ACTION_BLOCK_DUE_FAILURE_ACTION);
selected_chaining_dump(chainings.chaining_decrypted);
selected_chaining_bref(chainings.chaining_decrypted);
selected_chaining_destory(chainings.chaining_decrypted);
printf("Before Sleep\n");
sleep(1);
printf("After Sleep\n");
policy_enforcer_destory(enforcer);
}
#endif
#if 1
TEST(POLICY, POLICY_ENFORCER_DECRYPTED_TRAFFIC_MUTIL_HITS)
{
struct global_metrics global_metrics;
struct thread_ctx t_ctx;
struct session_ctx s_ctx;
t_ctx.ref_global_metrics = &global_metrics;
s_ctx.ref_thread_ctx = &t_ctx;
s_ctx.session_id = 1;
s_ctx.session_addr = (char *)"1.1.1.1 11 2.2.2.2 22";
struct data_packet handler;
const void *payload = data_packet_parse(&handler, (const void *)data1, sizeof(data1), 0);
EXPECT_TRUE(payload != nullptr);
EXPECT_TRUE((char *)payload - (char *)&data1 == 70);
const char *profile = "./test_resource/sce.conf";
struct policy_enforcer *enforcer = policy_enforcer_create("SCE", profile, 8, NULL);
EXPECT_TRUE(enforcer != nullptr);
EXPECT_TRUE(policy_enforcer_register(enforcer) == 0);
int dir_is_i2e = 1;
struct selected_chainings chainings;
chainings.chaining_decrypted = selected_chaining_create(64, s_ctx.session_id, s_ctx.session_addr);
policy_enforce_select_chainings(enforcer, &chainings, &s_ctx, &handler, 11, dir_is_i2e);
policy_enforce_select_chainings(enforcer, &chainings, &s_ctx, &handler, 12, dir_is_i2e);
/*
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce decrypted chaining: rule_id 11
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 1 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce decrypted chaining: rule_id 11, sff_profile_id 1, sf_profile_id -1, sf_action bypass, sf_action_desc bypass_due_failure_action
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce decrypted chaining: rule_id 12
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 1 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce decrypted chaining: rule_id 12, sff_profile_id 1, sf_profile_id -1, sf_action bypass, sf_action_desc bypass_due_failure_action
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 1 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 2 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 3 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 4 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 5 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 6 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by admin-status, sf_profile_id 7 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by admin-status, sf_profile_id 8 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce decrypted chaining: rule_id 12, sff_profile_id 2, sf_profile_id -1, sf_action bypass, sf_action_desc bypass_due_failure_action
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 1 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce decrypted chaining: rule_id 12, sff_profile_id 3, sf_profile_id -1, sf_action block, sf_action_desc block_due_failure_action
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 1 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 2 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 3 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce decrypted chaining: rule_id 12, sff_profile_id 4, sf_profile_id -1, sf_action bypass, sf_action_desc bypass_due_health_sf_limit
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 1 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 2 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 3 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce decrypted chaining: rule_id 12, sff_profile_id 5, sf_profile_id -1, sf_action block, sf_action_desc block_due_unavailable_action
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by fail-action, sf_profile_id 1 to be selected
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce decrypted chaining: rule_id 12, sff_profile_id 6, sf_profile_id 1, sf_action block, sf_action_desc block_due_failure_action
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by fail-action, sf_profile_id 1 to be selected
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce decrypted chaining: rule_id 12, sff_profile_id 7, sf_profile_id 1, sf_action block, sf_action_desc block_due_failure_action
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by fail-action, sf_profile_id 1 to be selected
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce decrypted chaining: rule_id 12, sff_profile_id 8, sf_profile_id 1, sf_action block, sf_action_desc block_due_failure_action
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by fail-action, sf_profile_id 1 to be selected
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce decrypted chaining: rule_id 12, sff_profile_id 9, sf_profile_id 1, sf_action block, sf_action_desc block_due_failure_action
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by fail-action, sf_profile_id 1 to be selected
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce decrypted chaining: rule_id 12, sff_profile_id 10, sf_profile_id 1, sf_action block, sf_action_desc block_due_failure_action
*/
EXPECT_TRUE(chainings.chaining_decrypted->chaining_used == 3);
EXPECT_TRUE(chainings.chaining_decrypted->chaining[0].rule_id == 11);
EXPECT_TRUE(chainings.chaining_decrypted->chaining[0].sff_profile_id == 1);
EXPECT_TRUE(chainings.chaining_decrypted->chaining[0].sf_profile_id == -1);
EXPECT_TRUE(chainings.chaining_decrypted->chaining[0].sf_action == SESSION_ACTION_BYPASS);
EXPECT_TRUE(chainings.chaining_decrypted->chaining[0].sf_action_desc == ACTION_BYPASS_DUE_FAILURE_ACTION);
EXPECT_TRUE(chainings.chaining_decrypted->chaining[1].rule_id == 12);
EXPECT_TRUE(chainings.chaining_decrypted->chaining[1].sff_profile_id == 3);
EXPECT_TRUE(chainings.chaining_decrypted->chaining[1].sf_profile_id == -1);
EXPECT_TRUE(chainings.chaining_decrypted->chaining[1].sf_action == SESSION_ACTION_BLOCK);
EXPECT_TRUE(chainings.chaining_decrypted->chaining[1].sf_action_desc == ACTION_BLOCK_DUE_FAILURE_ACTION);
EXPECT_TRUE(chainings.chaining_decrypted->chaining[2].rule_id == 12);
EXPECT_TRUE(chainings.chaining_decrypted->chaining[2].sff_profile_id == 6);
EXPECT_TRUE(chainings.chaining_decrypted->chaining[2].sf_profile_id == 1);
EXPECT_TRUE(chainings.chaining_decrypted->chaining[2].sf_action == SESSION_ACTION_BLOCK);
EXPECT_TRUE(chainings.chaining_decrypted->chaining[2].sf_action_desc == ACTION_BLOCK_DUE_FAILURE_ACTION);
selected_chaining_dump(chainings.chaining_decrypted);
selected_chaining_bref(chainings.chaining_decrypted);
selected_chaining_destory(chainings.chaining_decrypted);
printf("Before Sleep\n");
sleep(1);
printf("After Sleep\n");
policy_enforcer_destory(enforcer);
}
#endif
#if 1
TEST(POLICY, POLICY_ENFORCER_MIX_TRAFFIC_MUTIL_HITS)
{ {
struct global_metrics global_metrics; struct global_metrics global_metrics;
struct thread_ctx t_ctx; struct thread_ctx t_ctx;
@@ -50,25 +680,151 @@ TEST(POLICY, POLICY_ENFORCER_LIFE_CYCLE)
struct selected_chainings chainings; struct selected_chainings chainings;
chainings.chaining_raw = selected_chaining_create(64, s_ctx.session_id, s_ctx.session_addr); chainings.chaining_raw = selected_chaining_create(64, s_ctx.session_id, s_ctx.session_addr);
chainings.chaining_decrypted = selected_chaining_create(64, s_ctx.session_id, s_ctx.session_addr); chainings.chaining_decrypted = selected_chaining_create(64, s_ctx.session_id, s_ctx.session_addr);
// raw traffic multi hits
policy_enforce_select_chainings(enforcer, &chainings, &s_ctx, &handler, 1, dir_is_i2e); policy_enforce_select_chainings(enforcer, &chainings, &s_ctx, &handler, 1, dir_is_i2e);
policy_enforce_select_chainings(enforcer, &chainings, &s_ctx, &handler, 2, dir_is_i2e); policy_enforce_select_chainings(enforcer, &chainings, &s_ctx, &handler, 2, dir_is_i2e);
// decrypted traffic multi hits
policy_enforce_select_chainings(enforcer, &chainings, &s_ctx, &handler, 11, dir_is_i2e); policy_enforce_select_chainings(enforcer, &chainings, &s_ctx, &handler, 11, dir_is_i2e);
policy_enforce_select_chainings(enforcer, &chainings, &s_ctx, &handler, 12, dir_is_i2e); policy_enforce_select_chainings(enforcer, &chainings, &s_ctx, &handler, 12, dir_is_i2e);
/*
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce raw chaining: rule_id 1
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 1 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce raw chaining: rule_id 1, sff_profile_id 1, sf_profile_id -1, sf_action bypass, sf_action_desc bypass_due_failure_action
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce raw chaining: rule_id 2
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 1 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce raw chaining: rule_id 2, sff_profile_id 1, sf_profile_id -1, sf_action bypass, sf_action_desc bypass_due_failure_action
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 1 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 2 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 3 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 4 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 5 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 6 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by admin-status, sf_profile_id 7 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by admin-status, sf_profile_id 8 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce raw chaining: rule_id 2, sff_profile_id 2, sf_profile_id -1, sf_action bypass, sf_action_desc bypass_due_failure_action
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 1 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce raw chaining: rule_id 2, sff_profile_id 3, sf_profile_id -1, sf_action block, sf_action_desc block_due_failure_action
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 1 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 2 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 3 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce raw chaining: rule_id 2, sff_profile_id 4, sf_profile_id -1, sf_action bypass, sf_action_desc bypass_due_health_sf_limit
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 1 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 2 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 3 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce raw chaining: rule_id 2, sff_profile_id 5, sf_profile_id -1, sf_action block, sf_action_desc block_due_unavailable_action
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by fail-action, sf_profile_id 1 to be selected
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce raw chaining: rule_id 2, sff_profile_id 6, sf_profile_id 1, sf_action block, sf_action_desc block_due_failure_action
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by fail-action, sf_profile_id 1 to be selected
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce raw chaining: rule_id 2, sff_profile_id 7, sf_profile_id 1, sf_action block, sf_action_desc block_due_failure_action
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by fail-action, sf_profile_id 1 to be selected
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce raw chaining: rule_id 2, sff_profile_id 8, sf_profile_id 1, sf_action block, sf_action_desc block_due_failure_action
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by fail-action, sf_profile_id 1 to be selected
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce raw chaining: rule_id 2, sff_profile_id 9, sf_profile_id 1, sf_action block, sf_action_desc block_due_failure_action
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by fail-action, sf_profile_id 1 to be selected
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce raw chaining: rule_id 2, sff_profile_id 10, sf_profile_id 1, sf_action block, sf_action_desc block_due_failure_action
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce decrypted chaining: rule_id 11
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 1 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce decrypted chaining: rule_id 11, sff_profile_id 1, sf_profile_id -1, sf_action bypass, sf_action_desc bypass_due_failure_action
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce decrypted chaining: rule_id 12
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 1 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce decrypted chaining: rule_id 12, sff_profile_id 1, sf_profile_id -1, sf_action bypass, sf_action_desc bypass_due_failure_action
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 1 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 2 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 3 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 4 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 5 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 6 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by admin-status, sf_profile_id 7 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by admin-status, sf_profile_id 8 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce decrypted chaining: rule_id 12, sff_profile_id 2, sf_profile_id -1, sf_action bypass, sf_action_desc bypass_due_failure_action
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 1 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce decrypted chaining: rule_id 12, sff_profile_id 3, sf_profile_id -1, sf_action block, sf_action_desc block_due_failure_action
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 1 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 2 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 3 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce decrypted chaining: rule_id 12, sff_profile_id 4, sf_profile_id -1, sf_action bypass, sf_action_desc bypass_due_health_sf_limit
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 1 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 2 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by localization, sf_profile_id 3 to be excluded
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce decrypted chaining: rule_id 12, sff_profile_id 5, sf_profile_id -1, sf_action block, sf_action_desc block_due_unavailable_action
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by fail-action, sf_profile_id 1 to be selected
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce decrypted chaining: rule_id 12, sff_profile_id 6, sf_profile_id 1, sf_action block, sf_action_desc block_due_failure_action
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by fail-action, sf_profile_id 1 to be selected
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce decrypted chaining: rule_id 12, sff_profile_id 7, sf_profile_id 1, sf_action block, sf_action_desc block_due_failure_action
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by fail-action, sf_profile_id 1 to be selected
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce decrypted chaining: rule_id 12, sff_profile_id 8, sf_profile_id 1, sf_action block, sf_action_desc block_due_failure_action
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by fail-action, sf_profile_id 1 to be selected
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce decrypted chaining: rule_id 12, sff_profile_id 9, sf_profile_id 1, sf_action block, sf_action_desc block_due_failure_action
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 select sf by fail-action, sf_profile_id 1 to be selected
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 enforce decrypted chaining: rule_id 12, sff_profile_id 10, sf_profile_id 1, sf_action block, sf_action_desc block_due_failure_action
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 selected_chaining_bref: chaining_size:64, chaining_used:3, {
"node[0]":{"rule_id":1,"sff_profile_id":1,"sf_profile_id":-1,"traffic_type":"raw","sff_forward_type":"steering","sf_action":"bypass","reason":"bypass_due_failure_action"},
"node[1]":{"rule_id":2,"sff_profile_id":3,"sf_profile_id":-1,"traffic_type":"raw","sff_forward_type":"steering","sf_action":"block","reason":"block_due_failure_action"},
"node[2]":{"rule_id":2,"sff_profile_id":6,"sf_profile_id":1,"traffic_type":"raw","sff_forward_type":"steering","sf_action":"block","reason":"block_due_failure_action"}}
POLICY: session 1 1.1.1.1 11 2.2.2.2 22 selected_chaining_bref: chaining_size:64, chaining_used:3, {
"node[0]":{"rule_id":11,"sff_profile_id":1,"sf_profile_id":-1,"traffic_type":"decrypted","sff_forward_type":"steering","sf_action":"bypass","reason":"bypass_due_failure_action"},
"node[1]":{"rule_id":12,"sff_profile_id":3,"sf_profile_id":-1,"traffic_type":"decrypted","sff_forward_type":"steering","sf_action":"block","reason":"block_due_failure_action"},
"node[2]":{"rule_id":12,"sff_profile_id":6,"sf_profile_id":1,"traffic_type":"decrypted","sff_forward_type":"steering","sf_action":"block","reason":"block_due_failure_action"}}
*/
// raw traffic
EXPECT_TRUE(chainings.chaining_raw->chaining_used == 3);
EXPECT_TRUE(chainings.chaining_raw->chaining[0].rule_id == 1);
EXPECT_TRUE(chainings.chaining_raw->chaining[0].sff_profile_id == 1);
EXPECT_TRUE(chainings.chaining_raw->chaining[0].sf_profile_id == -1);
EXPECT_TRUE(chainings.chaining_raw->chaining[0].sf_action == SESSION_ACTION_BYPASS);
EXPECT_TRUE(chainings.chaining_raw->chaining[0].sf_action_desc == ACTION_BYPASS_DUE_FAILURE_ACTION);
EXPECT_TRUE(chainings.chaining_raw->chaining[1].rule_id == 2);
EXPECT_TRUE(chainings.chaining_raw->chaining[1].sff_profile_id == 3);
EXPECT_TRUE(chainings.chaining_raw->chaining[1].sf_profile_id == -1);
EXPECT_TRUE(chainings.chaining_raw->chaining[1].sf_action == SESSION_ACTION_BLOCK);
EXPECT_TRUE(chainings.chaining_raw->chaining[1].sf_action_desc == ACTION_BLOCK_DUE_FAILURE_ACTION);
EXPECT_TRUE(chainings.chaining_raw->chaining[2].rule_id == 2);
EXPECT_TRUE(chainings.chaining_raw->chaining[2].sff_profile_id == 6);
EXPECT_TRUE(chainings.chaining_raw->chaining[2].sf_profile_id == 1);
EXPECT_TRUE(chainings.chaining_raw->chaining[2].sf_action == SESSION_ACTION_BLOCK);
EXPECT_TRUE(chainings.chaining_raw->chaining[2].sf_action_desc == ACTION_BLOCK_DUE_FAILURE_ACTION);
selected_chaining_dump(chainings.chaining_raw); selected_chaining_dump(chainings.chaining_raw);
selected_chaining_bref(chainings.chaining_raw); selected_chaining_bref(chainings.chaining_raw);
selected_chaining_destory(chainings.chaining_raw); selected_chaining_destory(chainings.chaining_raw);
// decrypted traffic
EXPECT_TRUE(chainings.chaining_decrypted->chaining_used == 3);
EXPECT_TRUE(chainings.chaining_decrypted->chaining[0].rule_id == 11);
EXPECT_TRUE(chainings.chaining_decrypted->chaining[0].sff_profile_id == 1);
EXPECT_TRUE(chainings.chaining_decrypted->chaining[0].sf_profile_id == -1);
EXPECT_TRUE(chainings.chaining_decrypted->chaining[0].sf_action == SESSION_ACTION_BYPASS);
EXPECT_TRUE(chainings.chaining_decrypted->chaining[0].sf_action_desc == ACTION_BYPASS_DUE_FAILURE_ACTION);
EXPECT_TRUE(chainings.chaining_decrypted->chaining[1].rule_id == 12);
EXPECT_TRUE(chainings.chaining_decrypted->chaining[1].sff_profile_id == 3);
EXPECT_TRUE(chainings.chaining_decrypted->chaining[1].sf_profile_id == -1);
EXPECT_TRUE(chainings.chaining_decrypted->chaining[1].sf_action == SESSION_ACTION_BLOCK);
EXPECT_TRUE(chainings.chaining_decrypted->chaining[1].sf_action_desc == ACTION_BLOCK_DUE_FAILURE_ACTION);
EXPECT_TRUE(chainings.chaining_decrypted->chaining[2].rule_id == 12);
EXPECT_TRUE(chainings.chaining_decrypted->chaining[2].sff_profile_id == 6);
EXPECT_TRUE(chainings.chaining_decrypted->chaining[2].sf_profile_id == 1);
EXPECT_TRUE(chainings.chaining_decrypted->chaining[2].sf_action == SESSION_ACTION_BLOCK);
EXPECT_TRUE(chainings.chaining_decrypted->chaining[2].sf_action_desc == ACTION_BLOCK_DUE_FAILURE_ACTION);
selected_chaining_dump(chainings.chaining_decrypted); selected_chaining_dump(chainings.chaining_decrypted);
selected_chaining_bref(chainings.chaining_decrypted); selected_chaining_bref(chainings.chaining_decrypted);
selected_chaining_destory(chainings.chaining_decrypted); selected_chaining_destory(chainings.chaining_decrypted);
printf("Before Sleep\n"); printf("Before Sleep\n");
sleep(3); sleep(1);
printf("After Sleep\n"); printf("After Sleep\n");
policy_enforcer_destory(enforcer); policy_enforcer_destory(enforcer);
} }
#endif
int main(int argc, char **argv) int main(int argc, char **argv)
{ {