TSG-2620 策略验证支持quic协议
This commit is contained in:
fengweihao
@@ -55,6 +55,7 @@ enum security_scan_table
|
|||||||
PXY_SECURITY_HTTPS_CN,
|
PXY_SECURITY_HTTPS_CN,
|
||||||
PXY_SECURITY_HTTPS_SAN,
|
PXY_SECURITY_HTTPS_SAN,
|
||||||
PXY_SECURITY_DNS_QNAME,
|
PXY_SECURITY_DNS_QNAME,
|
||||||
|
PXY_SECURITY_QUIC_SNI,
|
||||||
PXY_SECURITY_MAIL_ACCOUNT,
|
PXY_SECURITY_MAIL_ACCOUNT,
|
||||||
PXY_SECURITY_MAIL_FROM,
|
PXY_SECURITY_MAIL_FROM,
|
||||||
PXY_SECURITY_MAIL_TO,
|
PXY_SECURITY_MAIL_TO,
|
||||||
|
|||||||
@@ -81,6 +81,7 @@ enum verify_policy_type tsg_policy_type_str2idx(const char *action_str)
|
|||||||
int protoco_field_type_str2idx(enum verify_policy_type type, const char *action_str, char *buff, char **p)
|
int protoco_field_type_str2idx(enum verify_policy_type type, const char *action_str, char *buff, char **p)
|
||||||
{
|
{
|
||||||
const char * table_name[__SECURITY_TABLE_MAX] ={0};
|
const char * table_name[__SECURITY_TABLE_MAX] ={0};
|
||||||
|
size_t max = type != PXY_TABLE_MANIPULATION ? (int)PXY_SECURITY_APP_ID : (int)PXY_CTRL_DOH_HOST;
|
||||||
|
|
||||||
switch(type)
|
switch(type)
|
||||||
{
|
{
|
||||||
@@ -112,6 +113,7 @@ int protoco_field_type_str2idx(enum verify_policy_type type, const char *action_
|
|||||||
table_name[PXY_SECURITY_HTTPS_CN] = "TSG_FIELD_SSL_CN";
|
table_name[PXY_SECURITY_HTTPS_CN] = "TSG_FIELD_SSL_CN";
|
||||||
table_name[PXY_SECURITY_HTTPS_SAN] = "TSG_FIELD_SSL_SAN";
|
table_name[PXY_SECURITY_HTTPS_SAN] = "TSG_FIELD_SSL_SAN";
|
||||||
table_name[PXY_SECURITY_DNS_QNAME] = "TSG_FIELD_DNS_QNAME";
|
table_name[PXY_SECURITY_DNS_QNAME] = "TSG_FIELD_DNS_QNAME";
|
||||||
|
table_name[PXY_SECURITY_QUIC_SNI] = "TSG_FIELD_QUIC_SNI";
|
||||||
table_name[PXY_SECURITY_MAIL_ACCOUNT] = "TSG_FIELD_MAIL_ACCOUNT";
|
table_name[PXY_SECURITY_MAIL_ACCOUNT] = "TSG_FIELD_MAIL_ACCOUNT";
|
||||||
table_name[PXY_SECURITY_MAIL_FROM] = "TSG_FIELD_MAIL_FROM";
|
table_name[PXY_SECURITY_MAIL_FROM] = "TSG_FIELD_MAIL_FROM";
|
||||||
table_name[PXY_SECURITY_MAIL_TO] = "TSG_FIELD_MAIL_TO";
|
table_name[PXY_SECURITY_MAIL_TO] = "TSG_FIELD_MAIL_TO";
|
||||||
@@ -130,8 +132,7 @@ int protoco_field_type_str2idx(enum verify_policy_type type, const char *action_
|
|||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
size_t i = 0;
|
size_t i = 0;
|
||||||
|
for (i = 0; i <= max; i++)
|
||||||
for (i = 0; i < sizeof(table_name) / sizeof(const char *); i++)
|
|
||||||
{
|
{
|
||||||
if (0 == strcasecmp(action_str, table_name[i]))
|
if (0 == strcasecmp(action_str, table_name[i]))
|
||||||
break;
|
break;
|
||||||
|
|||||||
@@ -30,29 +30,30 @@
|
|||||||
18 TSG_FIELD_SSL_CN virtual TSG_OBJ_FQDN --
|
18 TSG_FIELD_SSL_CN virtual TSG_OBJ_FQDN --
|
||||||
19 TSG_FIELD_SSL_SAN virtual TSG_OBJ_FQDN --
|
19 TSG_FIELD_SSL_SAN virtual TSG_OBJ_FQDN --
|
||||||
20 TSG_FIELD_DNS_QNAME virtual TSG_OBJ_FQDN --
|
20 TSG_FIELD_DNS_QNAME virtual TSG_OBJ_FQDN --
|
||||||
21 TSG_FIELD_MAIL_ACCOUNT virtual TSG_OBJ_ACCOUNT --
|
21 TSG_FIELD_QUIC_SNI virtual TSG_OBJ_FQDN --
|
||||||
22 TSG_FIELD_MAIL_FROM virtual TSG_OBJ_ACCOUNT --
|
22 TSG_FIELD_MAIL_ACCOUNT virtual TSG_OBJ_ACCOUNT --
|
||||||
23 TSG_FIELD_MAIL_TO virtual TSG_OBJ_ACCOUNT --
|
23 TSG_FIELD_MAIL_FROM virtual TSG_OBJ_ACCOUNT --
|
||||||
24 TSG_FIELD_MAIL_SUBJECT virtual TSG_OBJ_KEYWORDS --
|
24 TSG_FIELD_MAIL_TO virtual TSG_OBJ_ACCOUNT --
|
||||||
25 TSG_FIELD_MAIL_CONTENT virtual TSG_OBJ_KEYWORDS --
|
25 TSG_FIELD_MAIL_SUBJECT virtual TSG_OBJ_KEYWORDS --
|
||||||
26 TSG_FIELD_MAIL_ATT_NAME virtual TSG_OBJ_KEYWORDS --
|
26 TSG_FIELD_MAIL_CONTENT virtual TSG_OBJ_KEYWORDS --
|
||||||
27 TSG_FIELD_MAIL_ATT_CONTENT virtual TSG_OBJ_KEYWORDS --
|
27 TSG_FIELD_MAIL_ATT_NAME virtual TSG_OBJ_KEYWORDS --
|
||||||
28 TSG_FIELD_FTP_URI virtual TSG_OBJ_URL --
|
28 TSG_FIELD_MAIL_ATT_CONTENT virtual TSG_OBJ_KEYWORDS --
|
||||||
29 TSG_FIELD_FTP_CONTENT virtual TSG_OBJ_KEYWORDS --
|
29 TSG_FIELD_FTP_URI virtual TSG_OBJ_URL --
|
||||||
30 TSG_FIELD_FTP_ACCOUNT virtual TSG_OBJ_ACCOUNT --
|
30 TSG_FIELD_FTP_CONTENT virtual TSG_OBJ_KEYWORDS --
|
||||||
31 TSG_SECURITY_SOURCE_ADDR virtual TSG_OBJ_IP_ADDR --
|
31 TSG_FIELD_FTP_ACCOUNT virtual TSG_OBJ_ACCOUNT --
|
||||||
32 TSG_SECURITY_DESTINATION_ADDR virtual TSG_OBJ_IP_ADDR --
|
32 TSG_SECURITY_SOURCE_ADDR virtual TSG_OBJ_IP_ADDR --
|
||||||
33 TSG_SECURITY_ADDR composition {"source":"TSG_SECURITY_SOURCE_ADDR","destination":"TSG_SECURITY_DESTINATION_ADDR"}
|
33 TSG_SECURITY_DESTINATION_ADDR virtual TSG_OBJ_IP_ADDR --
|
||||||
34 TSG_IP_ASN_BUILT_IN ip_plugin {"row_id":1,"ip_type":2,"start_ip":3,"end_ip":4,"valid":7,"estimate_size":4194304}
|
34 TSG_SECURITY_ADDR composition {"source":"TSG_SECURITY_SOURCE_ADDR","destination":"TSG_SECURITY_DESTINATION_ADDR"}
|
||||||
35 TSG_IP_ASN_USER_DEFINED ip_plugin {"row_id":1,"ip_type":2,"start_ip":3,"end_ip":4,"valid":7,"estimate_size":4194304}
|
35 TSG_IP_ASN_BUILT_IN ip_plugin {"row_id":1,"ip_type":2,"start_ip":3,"end_ip":4,"valid":7,"estimate_size":4194304}
|
||||||
36 TSG_IP_LOCATION_BUILT_IN ip_plugin {"row_id":1,"ip_type":3,"start_ip":4,"end_ip":5,"valid":18,"estimate_size":4194304}
|
36 TSG_IP_ASN_USER_DEFINED ip_plugin {"row_id":1,"ip_type":2,"start_ip":3,"end_ip":4,"valid":7,"estimate_size":4194304}
|
||||||
37 TSG_IP_LOCATION_USER_DEFINED ip_plugin {"row_id":1,"ip_type":3,"start_ip":4,"end_ip":5,"valid":18,"estimate_size":4194304}
|
37 TSG_IP_LOCATION_BUILT_IN ip_plugin {"row_id":1,"ip_type":3,"start_ip":4,"end_ip":5,"valid":18,"estimate_size":4194304}
|
||||||
38 TSG_OBJ_AS_NUMBER expr UTF8 UTF8/GBK yes 0
|
38 TSG_IP_LOCATION_USER_DEFINED ip_plugin {"row_id":1,"ip_type":3,"start_ip":4,"end_ip":5,"valid":18,"estimate_size":4194304}
|
||||||
39 TSG_SECURITY_SOURCE_ASN virtual TSG_OBJ_AS_NUMBER --
|
39 TSG_OBJ_AS_NUMBER expr UTF8 UTF8/GBK yes 0
|
||||||
40 TSG_SECURITY_DESTINATION_ASN virtual TSG_OBJ_AS_NUMBER --
|
40 TSG_SECURITY_SOURCE_ASN virtual TSG_OBJ_AS_NUMBER --
|
||||||
41 TSG_OBJ_GEO_LOCATION expr UTF8 UTF8/GBK yes 0
|
41 TSG_SECURITY_DESTINATION_ASN virtual TSG_OBJ_AS_NUMBER --
|
||||||
42 TSG_SECURITY_SOURCE_LOCATION virtual TSG_OBJ_GEO_LOCATION --
|
42 TSG_OBJ_GEO_LOCATION expr UTF8 UTF8/GBK yes 0
|
||||||
43 TSG_SECURITY_DESTINATION_LOCATION virtual TSG_OBJ_GEO_LOCATION --
|
43 TSG_SECURITY_SOURCE_LOCATION virtual TSG_OBJ_GEO_LOCATION --
|
||||||
|
44 TSG_SECURITY_DESTINATION_LOCATION virtual TSG_OBJ_GEO_LOCATION --
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
@@ -576,7 +576,7 @@ int http_ip_location_scan(struct Maat_rule_t *result, struct ip_address *sip, st
|
|||||||
if(ip_location_server!=NULL)
|
if(ip_location_server!=NULL)
|
||||||
{
|
{
|
||||||
memset(buff,0,sizeof(buff));
|
memset(buff,0,sizeof(buff));
|
||||||
snprintf(buff, sizeof(buff), "%s,%s,%s", ip_location_server->city_full, ip_location_server->province_full, ip_location_server->country_full);
|
snprintf(buff, sizeof(buff), "%s,%s", ip_location_server->city_full,ip_location_server->country_full);
|
||||||
ctx->ip_ctx.location_server=strdup(buff);
|
ctx->ip_ctx.location_server=strdup(buff);
|
||||||
|
|
||||||
ip_location_table = (policy_type == PXY_TABLE_SECURITY) ? (int)PXY_SECURITY_IP_DST_LOCATION : (int)PXY_CTRL_IP_DST_LOCATION;
|
ip_location_table = (policy_type == PXY_TABLE_SECURITY) ? (int)PXY_SECURITY_IP_DST_LOCATION : (int)PXY_CTRL_IP_DST_LOCATION;
|
||||||
@@ -594,7 +594,7 @@ int http_ip_location_scan(struct Maat_rule_t *result, struct ip_address *sip, st
|
|||||||
if(ip_location_client!=NULL)
|
if(ip_location_client!=NULL)
|
||||||
{
|
{
|
||||||
memset(buff,0,sizeof(buff));
|
memset(buff,0,sizeof(buff));
|
||||||
snprintf(buff, sizeof(buff), "%s,%s,%s", ip_location_client->city_full, ip_location_client->province_full, ip_location_client->country_full);
|
snprintf(buff, sizeof(buff), "%s,%s", ip_location_client->city_full, ip_location_client->country_full);
|
||||||
ctx->ip_ctx.location_client=strdup(buff);
|
ctx->ip_ctx.location_client=strdup(buff);
|
||||||
|
|
||||||
ip_location_table = (policy_type == PXY_TABLE_SECURITY) ? (int)PXY_SECURITY_IP_SRC_LOCATION : (int)PXY_CTRL_IP_SRC_LOCATION;
|
ip_location_table = (policy_type == PXY_TABLE_SECURITY) ? (int)PXY_SECURITY_IP_SRC_LOCATION : (int)PXY_CTRL_IP_SRC_LOCATION;
|
||||||
@@ -603,7 +603,7 @@ int http_ip_location_scan(struct Maat_rule_t *result, struct ip_address *sip, st
|
|||||||
snprintf(buff, sizeof(buff), "%s.%s.", ip_location_client->country_full, ip_location_client->city_full);
|
snprintf(buff, sizeof(buff), "%s.%s.", ip_location_client->country_full, ip_location_client->city_full);
|
||||||
scan_ret = Maat_full_scan_string(g_pangu_rt->maat[policy_type], g_pangu_rt->scan_table_id[policy_type][ip_location_table],
|
scan_ret = Maat_full_scan_string(g_pangu_rt->maat[policy_type], g_pangu_rt->scan_table_id[policy_type][ip_location_table],
|
||||||
CHARSET_GBK, buff, strlen(buff),
|
CHARSET_GBK, buff, strlen(buff),
|
||||||
result+hit_cnt, NULL, MAX_SCAN_RESULT-hit_cnt,
|
result+hit_cnt+hit_cnt_ip, NULL, MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip,
|
||||||
&(ctx->scan_mid), (int) thread_id);
|
&(ctx->scan_mid), (int) thread_id);
|
||||||
if(scan_ret>0)
|
if(scan_ret>0)
|
||||||
{
|
{
|
||||||
@@ -660,7 +660,7 @@ int http_ip_asn_scan(struct Maat_rule_t *result, struct ip_address* sip, struct
|
|||||||
ip_asn_table = (policy_type == PXY_TABLE_SECURITY) ? (int)PXY_SECURITY_IP_SRC_ASN : (int)PXY_CTRL_IP_SRC_ASN;
|
ip_asn_table = (policy_type == PXY_TABLE_SECURITY) ? (int)PXY_SECURITY_IP_SRC_ASN : (int)PXY_CTRL_IP_SRC_ASN;
|
||||||
scan_ret = Maat_full_scan_string(g_pangu_rt->maat[policy_type], g_pangu_rt->scan_table_id[policy_type][ip_asn_table],
|
scan_ret = Maat_full_scan_string(g_pangu_rt->maat[policy_type], g_pangu_rt->scan_table_id[policy_type][ip_asn_table],
|
||||||
CHARSET_UTF8, ip_asn_client->asn, strlen(ip_asn_client->asn),
|
CHARSET_UTF8, ip_asn_client->asn, strlen(ip_asn_client->asn),
|
||||||
result+hit_cnt, NULL, MAX_SCAN_RESULT-hit_cnt,
|
result+hit_cnt+hit_cnt_ip, NULL, MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip,
|
||||||
&(ctx->scan_mid), (int) thread_id);
|
&(ctx->scan_mid), (int) thread_id);
|
||||||
if(scan_ret>0)
|
if(scan_ret>0)
|
||||||
{
|
{
|
||||||
@@ -984,6 +984,7 @@ int security_policy_init(struct verify_policy * verify, const char* profile_path
|
|||||||
table_name[PXY_SECURITY_HTTPS_CN] = "TSG_FIELD_SSL_CN";
|
table_name[PXY_SECURITY_HTTPS_CN] = "TSG_FIELD_SSL_CN";
|
||||||
table_name[PXY_SECURITY_HTTPS_SAN] = "TSG_FIELD_SSL_SAN";
|
table_name[PXY_SECURITY_HTTPS_SAN] = "TSG_FIELD_SSL_SAN";
|
||||||
table_name[PXY_SECURITY_DNS_QNAME] = "TSG_FIELD_DNS_QNAME";
|
table_name[PXY_SECURITY_DNS_QNAME] = "TSG_FIELD_DNS_QNAME";
|
||||||
|
table_name[PXY_SECURITY_QUIC_SNI] = "TSG_FIELD_QUIC_SNI";
|
||||||
table_name[PXY_SECURITY_MAIL_ACCOUNT] = "TSG_FIELD_MAIL_ACCOUNT";
|
table_name[PXY_SECURITY_MAIL_ACCOUNT] = "TSG_FIELD_MAIL_ACCOUNT";
|
||||||
table_name[PXY_SECURITY_MAIL_FROM] = "TSG_FIELD_MAIL_FROM";
|
table_name[PXY_SECURITY_MAIL_FROM] = "TSG_FIELD_MAIL_FROM";
|
||||||
table_name[PXY_SECURITY_MAIL_TO] = "TSG_FIELD_MAIL_TO";
|
table_name[PXY_SECURITY_MAIL_TO] = "TSG_FIELD_MAIL_TO";
|
||||||
|
|||||||
Reference in New Issue
Block a user