gfwleak/tango-verify-policy
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

TSG-2620 策略验证支持quic协议

Browse Source
This commit is contained in:
fengweihao
2020-08-06 10:32:47 +08:00
parent afab73ad5f
commit 078228c53c
4 changed files with 33 additions and 29 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
common/include/verify_policy.h
View File

@@ -55,6 +55,7 @@ enum security_scan_table
PXY_SECURITY_HTTPS_CN,
PXY_SECURITY_HTTPS_SAN,
PXY_SECURITY_DNS_QNAME,
PXY_SECURITY_QUIC_SNI,
PXY_SECURITY_MAIL_ACCOUNT,
PXY_SECURITY_MAIL_FROM,
PXY_SECURITY_MAIL_TO,

5
platform/src/verify_policy.cpp
View File

@@ -81,6 +81,7 @@ enum verify_policy_type tsg_policy_type_str2idx(const char *action_str)
int protoco_field_type_str2idx(enum verify_policy_type type, const char *action_str, char *buff, char **p)
{
const char * table_name[__SECURITY_TABLE_MAX] ={0};
size_t max = type != PXY_TABLE_MANIPULATION ? (int)PXY_SECURITY_APP_ID : (int)PXY_CTRL_DOH_HOST;
switch(type)
{
@@ -112,6 +113,7 @@ int protoco_field_type_str2idx(enum verify_policy_type type, const char *action_
table_name[PXY_SECURITY_HTTPS_CN] = "TSG_FIELD_SSL_CN";
table_name[PXY_SECURITY_HTTPS_SAN] = "TSG_FIELD_SSL_SAN";
table_name[PXY_SECURITY_DNS_QNAME] = "TSG_FIELD_DNS_QNAME";
table_name[PXY_SECURITY_QUIC_SNI] = "TSG_FIELD_QUIC_SNI";
table_name[PXY_SECURITY_MAIL_ACCOUNT] = "TSG_FIELD_MAIL_ACCOUNT";
table_name[PXY_SECURITY_MAIL_FROM] = "TSG_FIELD_MAIL_FROM";
table_name[PXY_SECURITY_MAIL_TO] = "TSG_FIELD_MAIL_TO";
@@ -130,8 +132,7 @@ int protoco_field_type_str2idx(enum verify_policy_type type, const char *action_
break;
}
size_t i = 0;
for (i = 0; i < sizeof(table_name) / sizeof(const char *); i++)
for (i = 0; i <= max; i++)
{
if (0 == strcasecmp(action_str, table_name[i]))
break;

47
resource/table_info_security.conf
View File

@@ -30,29 +30,30 @@
18 TSG_FIELD_SSL_CN virtual TSG_OBJ_FQDN --
19 TSG_FIELD_SSL_SAN virtual TSG_OBJ_FQDN --
20 TSG_FIELD_DNS_QNAME virtual TSG_OBJ_FQDN --
21 TSG_FIELD_MAIL_ACCOUNT virtual TSG_OBJ_ACCOUNT --
22 TSG_FIELD_MAIL_FROM virtual TSG_OBJ_ACCOUNT --
23 TSG_FIELD_MAIL_TO virtual TSG_OBJ_ACCOUNT --
24 TSG_FIELD_MAIL_SUBJECT virtual TSG_OBJ_KEYWORDS --
25 TSG_FIELD_MAIL_CONTENT virtual TSG_OBJ_KEYWORDS --
26 TSG_FIELD_MAIL_ATT_NAME virtual TSG_OBJ_KEYWORDS --
27 TSG_FIELD_MAIL_ATT_CONTENT virtual TSG_OBJ_KEYWORDS --
28 TSG_FIELD_FTP_URI virtual TSG_OBJ_URL --
29 TSG_FIELD_FTP_CONTENT virtual TSG_OBJ_KEYWORDS --
30 TSG_FIELD_FTP_ACCOUNT virtual TSG_OBJ_ACCOUNT --
31 TSG_SECURITY_SOURCE_ADDR virtual TSG_OBJ_IP_ADDR --
32 TSG_SECURITY_DESTINATION_ADDR virtual TSG_OBJ_IP_ADDR --
33 TSG_SECURITY_ADDR composition {"source":"TSG_SECURITY_SOURCE_ADDR","destination":"TSG_SECURITY_DESTINATION_ADDR"}
34 TSG_IP_ASN_BUILT_IN ip_plugin {"row_id":1,"ip_type":2,"start_ip":3,"end_ip":4,"valid":7,"estimate_size":4194304}
35 TSG_IP_ASN_USER_DEFINED ip_plugin {"row_id":1,"ip_type":2,"start_ip":3,"end_ip":4,"valid":7,"estimate_size":4194304}
36 TSG_IP_LOCATION_BUILT_IN ip_plugin {"row_id":1,"ip_type":3,"start_ip":4,"end_ip":5,"valid":18,"estimate_size":4194304}
37 TSG_IP_LOCATION_USER_DEFINED ip_plugin {"row_id":1,"ip_type":3,"start_ip":4,"end_ip":5,"valid":18,"estimate_size":4194304}
38 TSG_OBJ_AS_NUMBER expr UTF8 UTF8/GBK yes 0
39 TSG_SECURITY_SOURCE_ASN virtual TSG_OBJ_AS_NUMBER --
40 TSG_SECURITY_DESTINATION_ASN virtual TSG_OBJ_AS_NUMBER --
41 TSG_OBJ_GEO_LOCATION expr UTF8 UTF8/GBK yes 0
42 TSG_SECURITY_SOURCE_LOCATION virtual TSG_OBJ_GEO_LOCATION --
43 TSG_SECURITY_DESTINATION_LOCATION virtual TSG_OBJ_GEO_LOCATION --
21 TSG_FIELD_QUIC_SNI virtual TSG_OBJ_FQDN --
22 TSG_FIELD_MAIL_ACCOUNT virtual TSG_OBJ_ACCOUNT --
23 TSG_FIELD_MAIL_FROM virtual TSG_OBJ_ACCOUNT --
24 TSG_FIELD_MAIL_TO virtual TSG_OBJ_ACCOUNT --
25 TSG_FIELD_MAIL_SUBJECT virtual TSG_OBJ_KEYWORDS --
26 TSG_FIELD_MAIL_CONTENT virtual TSG_OBJ_KEYWORDS --
27 TSG_FIELD_MAIL_ATT_NAME virtual TSG_OBJ_KEYWORDS --
28 TSG_FIELD_MAIL_ATT_CONTENT virtual TSG_OBJ_KEYWORDS --
29 TSG_FIELD_FTP_URI virtual TSG_OBJ_URL --
30 TSG_FIELD_FTP_CONTENT virtual TSG_OBJ_KEYWORDS --
31 TSG_FIELD_FTP_ACCOUNT virtual TSG_OBJ_ACCOUNT --
32 TSG_SECURITY_SOURCE_ADDR virtual TSG_OBJ_IP_ADDR --
33 TSG_SECURITY_DESTINATION_ADDR virtual TSG_OBJ_IP_ADDR --
34 TSG_SECURITY_ADDR composition {"source":"TSG_SECURITY_SOURCE_ADDR","destination":"TSG_SECURITY_DESTINATION_ADDR"}
35 TSG_IP_ASN_BUILT_IN ip_plugin {"row_id":1,"ip_type":2,"start_ip":3,"end_ip":4,"valid":7,"estimate_size":4194304}
36 TSG_IP_ASN_USER_DEFINED ip_plugin {"row_id":1,"ip_type":2,"start_ip":3,"end_ip":4,"valid":7,"estimate_size":4194304}
37 TSG_IP_LOCATION_BUILT_IN ip_plugin {"row_id":1,"ip_type":3,"start_ip":4,"end_ip":5,"valid":18,"estimate_size":4194304}
38 TSG_IP_LOCATION_USER_DEFINED ip_plugin {"row_id":1,"ip_type":3,"start_ip":4,"end_ip":5,"valid":18,"estimate_size":4194304}
39 TSG_OBJ_AS_NUMBER expr UTF8 UTF8/GBK yes 0
40 TSG_SECURITY_SOURCE_ASN virtual TSG_OBJ_AS_NUMBER --
41 TSG_SECURITY_DESTINATION_ASN virtual TSG_OBJ_AS_NUMBER --
42 TSG_OBJ_GEO_LOCATION expr UTF8 UTF8/GBK yes 0
43 TSG_SECURITY_SOURCE_LOCATION virtual TSG_OBJ_GEO_LOCATION --
44 TSG_SECURITY_DESTINATION_LOCATION virtual TSG_OBJ_GEO_LOCATION --

9
scan/src/pangu_http.cpp
View File

@@ -576,7 +576,7 @@ int http_ip_location_scan(struct Maat_rule_t *result, struct ip_address *sip, st
if(ip_location_server!=NULL)
{
memset(buff,0,sizeof(buff));
snprintf(buff, sizeof(buff), "%s,%s,%s", ip_location_server->city_full, ip_location_server->province_full, ip_location_server->country_full);
snprintf(buff, sizeof(buff), "%s,%s", ip_location_server->city_full,ip_location_server->country_full);
ctx->ip_ctx.location_server=strdup(buff);
ip_location_table = (policy_type == PXY_TABLE_SECURITY) ? (int)PXY_SECURITY_IP_DST_LOCATION : (int)PXY_CTRL_IP_DST_LOCATION;
@@ -594,7 +594,7 @@ int http_ip_location_scan(struct Maat_rule_t *result, struct ip_address *sip, st
if(ip_location_client!=NULL)
{
memset(buff,0,sizeof(buff));
snprintf(buff, sizeof(buff), "%s,%s,%s", ip_location_client->city_full, ip_location_client->province_full, ip_location_client->country_full);
snprintf(buff, sizeof(buff), "%s,%s", ip_location_client->city_full, ip_location_client->country_full);
ctx->ip_ctx.location_client=strdup(buff);
ip_location_table = (policy_type == PXY_TABLE_SECURITY) ? (int)PXY_SECURITY_IP_SRC_LOCATION : (int)PXY_CTRL_IP_SRC_LOCATION;
@@ -603,7 +603,7 @@ int http_ip_location_scan(struct Maat_rule_t *result, struct ip_address *sip, st
snprintf(buff, sizeof(buff), "%s.%s.", ip_location_client->country_full, ip_location_client->city_full);
scan_ret = Maat_full_scan_string(g_pangu_rt->maat[policy_type], g_pangu_rt->scan_table_id[policy_type][ip_location_table],
CHARSET_GBK, buff, strlen(buff),
result+hit_cnt, NULL, MAX_SCAN_RESULT-hit_cnt,
result+hit_cnt+hit_cnt_ip, NULL, MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip,
&(ctx->scan_mid), (int) thread_id);
if(scan_ret>0)
{
@@ -660,7 +660,7 @@ int http_ip_asn_scan(struct Maat_rule_t *result, struct ip_address* sip, struct
ip_asn_table = (policy_type == PXY_TABLE_SECURITY) ? (int)PXY_SECURITY_IP_SRC_ASN : (int)PXY_CTRL_IP_SRC_ASN;
scan_ret = Maat_full_scan_string(g_pangu_rt->maat[policy_type], g_pangu_rt->scan_table_id[policy_type][ip_asn_table],
CHARSET_UTF8, ip_asn_client->asn, strlen(ip_asn_client->asn),
result+hit_cnt, NULL, MAX_SCAN_RESULT-hit_cnt,
result+hit_cnt+hit_cnt_ip, NULL, MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip,
&(ctx->scan_mid), (int) thread_id);
if(scan_ret>0)
{
@@ -984,6 +984,7 @@ int security_policy_init(struct verify_policy * verify, const char* profile_path
table_name[PXY_SECURITY_HTTPS_CN] = "TSG_FIELD_SSL_CN";
table_name[PXY_SECURITY_HTTPS_SAN] = "TSG_FIELD_SSL_SAN";
table_name[PXY_SECURITY_DNS_QNAME] = "TSG_FIELD_DNS_QNAME";
table_name[PXY_SECURITY_QUIC_SNI] = "TSG_FIELD_QUIC_SNI";
table_name[PXY_SECURITY_MAIL_ACCOUNT] = "TSG_FIELD_MAIL_ACCOUNT";
table_name[PXY_SECURITY_MAIL_FROM] = "TSG_FIELD_MAIL_FROM";
table_name[PXY_SECURITY_MAIL_TO] = "TSG_FIELD_MAIL_TO";