diff --git a/common/include/verify_policy.h b/common/include/verify_policy.h index b48f409..cd5c258 100644 --- a/common/include/verify_policy.h +++ b/common/include/verify_policy.h @@ -83,6 +83,8 @@ enum tsg_obj_table TSG_OBJ_IP_DST_LOCATION, TSG_OBJ_DST_SERVER_FQDN, TSG_OBJ_DST_SERVER_FQDN_CAT, + TSG_OBJ_INTERNAL_ADDR, + TSG_OBJ_EXTERNAL_ADDR, __TSG_OBJ_MAX }; @@ -126,7 +128,6 @@ struct request_query_obj int protocol; struct ipaddr *ip_addr; - struct ipaddr *endpoint; char *subscriberid; diff --git a/platform/src/verify_matcher.cpp b/platform/src/verify_matcher.cpp index b460522..154f593 100644 --- a/platform/src/verify_matcher.cpp +++ b/platform/src/verify_matcher.cpp @@ -1303,6 +1303,7 @@ int http_hit_policy_list(struct verify_policy_query *verify_policy, int num, siz topObject=cJSON_CreateObject(); cJSON_AddNumberToObject(topObject, "objectId", ctx->hit_path[j].top_group_id); cJSON_AddNumberToObject(topObject, "notFlag", ctx->hit_path[j].NOT_flag); + cJSON_AddNumberToObject(topObject, "nthClause", ctx->hit_path[j].clause_index); result_object_id[j] = ctx->hit_path[j].top_group_id; get_attributes_table_name(verify_policy->verify_object, num, ctx->hit_path[j].Nth_scan, &ctx->ip_ctx, ctx->tunnel_endpoint_x, topObject); cJSON_AddItemToArray(topObjectList, topObject); @@ -1555,12 +1556,12 @@ int get_fqdn_category_id(long long *result, const char *fqdn, int table_id, int { ret=maat_scan_group(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[table_id], &query_obj->fqdn_user.group_id[i], 1, result+hit_cnt+hit_cnt_fqdn, MAX_SCAN_RESULT-hit_cnt-hit_cnt_fqdn, &n_hit_result, ctx->scan_mid); - if(ret>0) + if(ret == MAAT_SCAN_HIT) { hit_cnt_fqdn+=n_hit_result; } n_read=maat_state_get_hit_paths(ctx->scan_mid, ctx->hit_path, HIT_PATH_SIZE); - if(ret >0) + if(ret >= MAAT_SCAN_OK) { query_obj->nth_scan[hit_path_cnt] = maat_state_get_scan_count(ctx->scan_mid);; ctx->n_read=n_read; 
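Review bot: A scan that fails is still skipped silently in get_fqdn_category_id: after the new `ret == MAAT_SCAN_HIT` / `ret >= MAAT_SCAN_OK` split, a return below MAAT_SCAN_OK (presumably the error range) neither logs, nor records anything, nor leaves the loop, so a caller cannot tell a clean miss from a scan that could not run. Consider an explicit branch after the `ret >= MAAT_SCAN_OK` block, e.g. `else { mesa_runtime_log(<error level>, "fqdn-cat scan failed: %d", ret); goto finish; }` — the `finish:` label is this function's return, per the header of the next hunk. The stray `;;` on the `query_obj->nth_scan[hit_path_cnt] = ...` line should also go. get_fqdn_category_id starts and ends outside the hunk.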
@@ -1608,7 +1609,7 @@ finish: return hit_cnt_fqdn; } -int policy_verify_scan_tunnel_id(long long *result, struct ip_addr *sip, int hit_cnt, unsigned int thread_id, int vsys_id, struct policy_scan_ctx * ctx, struct request_query_obj *query_obj) +int policy_verify_scan_tunnel(long long *result, struct ip_addr *sip, int hit_cnt, unsigned int thread_id, int vsys_id, struct policy_scan_ctx * ctx, struct request_query_obj *query_obj) { #define TUNNEL_BOOL_ID_MAX 128 #define TUNNEL_CATALOG_MAX 128 @@ -1633,12 +1634,12 @@ int policy_verify_scan_tunnel_id(long long *result, struct ip_addr *sip, int hit { scan_ret=maat_scan_group(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[TSG_OBJ_TUNNEL], &tunnel_catalog[i]->group_id, 1, result+hit_cnt+hit_cnt_tunnel, MAX_SCAN_RESULT-hit_cnt-hit_cnt_tunnel, &n_hit_result, ctx->scan_mid); - if(scan_ret>= MAAT_SCAN_HALF_HIT) + if(scan_ret == MAAT_SCAN_HIT) { hit_cnt_tunnel+=n_hit_result; } - - if(scan_ret >= MAAT_SCAN_HALF_HIT) + + if(scan_ret >= MAAT_SCAN_OK) { n_read=maat_state_get_hit_paths(ctx->scan_mid, ctx->hit_path, HIT_PATH_SIZE); query_obj->nth_scan[hit_path_cnt] = maat_state_get_scan_count(ctx->scan_mid); @@ -1751,7 +1752,7 @@ static int ip_addr_scan(struct request_query_obj *request, struct policy_scan_ct int protocol = request->protocol; if (request->ip_addr->addrtype == ADDR_TYPE_IPV4) { - if(0 == strcasecmp(request->attri_name, "source")) + if(0 == strcasecmp(request->attri_name, "source") || 0 == strcasecmp(request->attri_name, "internal")) { scan_ret = maat_scan_ipv4(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[table_id], request->ip_addr->v4->saddr, request->ip_addr->v4->source, protocol, ctx->result+hit_cnt+hit_cnt_ip, 
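Review bot: In policy_verify_scan_tunnel a scan_ret below MAAT_SCAN_OK (presumably an error) is now neither counted, recorded, nor logged; the loop just moves to the next catalog entry, so a broken tunnel table degrades to "no hit" for the caller. Add an explicit branch, e.g. `else { mesa_runtime_log(<error level>, "tunnel scan failed: %d", scan_ret); }`, or propagate a negative return. The deliberate asymmetry — a MAAT_SCAN_HALF_HIT records its hit paths under query_obj->nth_scan but adds nothing to hit_cnt_tunnel — deserves a one-line comment such as `// HALF_HIT: keep the hit path for reporting, count no results`, since the identical pattern in get_fqdn_category_id is unexplained too. The function body continues past both ends of the hunk.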
@@ -1761,7 +1762,7 @@ static int ip_addr_scan(struct request_query_obj *request, struct policy_scan_ct hit_cnt_ip += n_hit_result; } } - if(0 == strcasecmp(request->attri_name, "destination")) + if(0 == strcasecmp(request->attri_name, "destination") || 0 == strcasecmp(request->attri_name, "external")) { scan_ret = maat_scan_ipv4(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[table_id], request->ip_addr->v4->daddr, request->ip_addr->v4->dest, protocol,ctx->result+hit_cnt+hit_cnt_ip, @@ -1781,7 +1782,7 @@ static int ip_addr_scan(struct request_query_obj *request, struct policy_scan_ct } if (request->ip_addr->addrtype == ADDR_TYPE_IPV6) { - if(0 == strcasecmp(request->attri_name, "source")) + if(0 == strcasecmp(request->attri_name, "source") || 0 == strcasecmp(request->attri_name, "internal")) { scan_ret = maat_scan_ipv6(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[table_id], request->ip_addr->v6->saddr, request->ip_addr->v6->source, protocol,ctx->result+hit_cnt+hit_cnt_ip, @@ -1791,7 +1792,7 @@ static int ip_addr_scan(struct request_query_obj *request, struct policy_scan_ct hit_cnt_ip += n_hit_result; } } - if(0 == strcasecmp(request->attri_name, "destination")) + if(0 == strcasecmp(request->attri_name, "destination") || 0 == strcasecmp(request->attri_name, "external")) { scan_ret = maat_scan_ipv6(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[table_id], request->ip_addr->v6->daddr, request->ip_addr->v6->dest, protocol, ctx->result+hit_cnt+hit_cnt_ip, @@ -1826,9 +1827,11 @@ size_t policy_verify_scan(int vsys_id, int compile_table_id, struct request_quer { case TSG_OBJ_SOURCE_ADDR: case TSG_OBJ_DESTINATION_ADDR: + case TSG_OBJ_INTERNAL_ADDR: + case TSG_OBJ_EXTERNAL_ADDR: if(request->ip_addr == NULL) { - break; + goto decide; } struct ip_addr dest_ip, source_ip; ip_addr_to_address(request->ip_addr, &dest_ip, &source_ip); 
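Review bot: `goto decide` on a NULL ip_addr turns a missing or unparsable address attribute into an ordinary decision over zero hits; the `decide` label is outside the hunk, but if it simply evaluates the accumulated hit set this is the fail-open direction for a policy verifier, since a query that could not be evaluated is reported like one that matched nothing. Log the condition before the jump or return a distinct status the HTTP layer can reject, e.g. `mesa_runtime_log(<error level>, "attribute %s: no address parsed", request->attri_name); goto decide;`. The new TSG_OBJ_INTERNAL_ADDR / TSG_OBJ_EXTERNAL_ADDR labels correctly share the same path as the source/destination cases. policy_verify_scan continues past the hunk.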
@@ -1852,8 +1855,8 @@ size_t policy_verify_scan(int vsys_id, int compile_table_id, struct request_quer case TSG_OBJ_TUNNEL: memset(&dest_ip, 0, sizeof(dest_ip)); memset(&source_ip, 0, sizeof(source_ip)); - ip_addr_to_address(request->endpoint, &dest_ip, &source_ip); - scan_ret = policy_verify_scan_tunnel_id(ctx->result, &source_ip, hit_cnt, ctx->thread_id, vsys_id, ctx, request); + ip_addr_to_address(request->ip_addr, &dest_ip, &source_ip); + scan_ret = policy_verify_scan_tunnel(ctx->result, &source_ip, hit_cnt, ctx->thread_id, vsys_id, ctx, request); if(scan_ret) { hit_cnt+=scan_ret; @@ -2080,6 +2083,8 @@ static void common_table_name_int(const char *table_name[__TSG_OBJ_MAX]) table_name[TSG_OBJ_IP_DST_LOCATION]="ATTR_DESTINATION_LOCATION"; table_name[TSG_OBJ_DST_SERVER_FQDN]="ATTR_DESTINATION_SERVER_FQDN"; table_name[TSG_OBJ_DST_SERVER_FQDN_CAT]="ATTR_DESTINATION_SERVER_FQDN_CAT"; + table_name[TSG_OBJ_INTERNAL_ADDR]="ATTR_INTERNAL_ADDR"; + table_name[TSG_OBJ_EXTERNAL_ADDR]="ATTR_EXTERNAL_ADDR"; return; } diff --git a/platform/src/verify_policy.cpp b/platform/src/verify_policy.cpp index a725039..f6fa4d1 100644 --- a/platform/src/verify_policy.cpp +++ b/platform/src/verify_policy.cpp @@ -140,6 +140,8 @@ int protoco_field_type_str2idx(const char *action_str, char *buff, char **p) table_name[TSG_OBJ_IP_DST_LOCATION]="ATTR_DESTINATION_LOCATION"; table_name[TSG_OBJ_DST_SERVER_FQDN]="ATTR_DESTINATION_SERVER_FQDN"; table_name[TSG_OBJ_DST_SERVER_FQDN_CAT]="ATTR_DESTINATION_SERVER_FQDN_CAT"; + table_name[TSG_OBJ_INTERNAL_ADDR]="ATTR_INTERNAL_ADDR"; + table_name[TSG_OBJ_EXTERNAL_ADDR]="ATTR_EXTERNAL_ADDR"; size_t i = 0; for (i = 0; i < __TSG_OBJ_MAX; i++) 
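Review bot: The TSG_OBJ_TUNNEL case calls ip_addr_to_address on request->ip_addr without the `request->ip_addr == NULL` guard that the address cases a few lines above in this function have; with the `endpoint` field removed, ip_addr is the only source for the tunnel endpoint and it is dereferenced unconditionally. Mirror the address branch: `if(request->ip_addr == NULL) goto decide;` before the two memsets, so an allocation failure or an attribute stored without an address cannot reach ip_addr_to_address. Whether ip_addr_to_address itself tolerates NULL is not visible here. The switch continues outside the hunk.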
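Review bot: The ATTR_* name table now has to be extended in three places — common_table_name_int in verify_matcher.cpp (previous hunk), protoco_field_type_str2idx here, and table_info.conf — with identical entries, and a missed or mistyped entry in one copy would make a valid attribute name resolve to a different table id with no compile-time complaint. Consider a single shared table, e.g. `extern const char *const tsg_obj_table_name[__TSG_OBJ_MAX];` declared in verify_policy.h and defined once, that both functions read. A startup check that every index below __TSG_OBJ_MAX is non-NULL would catch the next enum addition that forgets the table. protoco_field_type_str2idx continues outside the hunk.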
@@ -152,7 +154,21 @@ int protoco_field_type_str2idx(const char *action_str, char *buff, char **p) return i; } -struct ipaddr *ip_to_stream_addr(const char *clientIp1, unsigned int clientPort1, const char *serverIp1, unsigned int serverPort1, int addr_type) +int match_ip_attribute_name(char *attri_name) +{ + size_t i = 0; + const char *attribute_name_map[] ={"source", "destination", "tunnel_endpointa", "tunnel_endpointb", "internal", "external"}; + for(i = 0; i < sizeof(attribute_name_map)/sizeof(attribute_name_map[0]); i++) + { + if(0 == strcasecmp(attri_name, attribute_name_map[i])) + { + return i; + } + } + return -1; +} + +struct ipaddr *ip_to_stream_addr(const char *clientIp1, unsigned int clientPort1, const char *serverIp1, unsigned int serverPort1, int addr_type, const char *attributeName) { struct ipaddr *ip_addr = ALLOC(struct ipaddr, 1); if(addr_type == 4) @@ -175,7 +191,7 @@ struct ipaddr *ip_to_stream_addr(const char *clientIp1, unsigned int clientPort1 v6_addr->dest=htons(serverPort1); ip_addr->v6=v6_addr; } - mesa_runtime_log(RLOG_LV_INFO, "[I] attributeName = ip, clientIp1=%s, clientPort1=%d, serverIp=%s, serverPort=%d, addr_type = %d", + mesa_runtime_log(RLOG_LV_INFO, "[I] attributeName = %s, clientIp1=%s, clientPort1=%d, serverIp=%s, serverPort=%d, addr_type = %d", attributeName, clientIp1, clientPort1, serverIp1, serverPort1, addr_type); return ip_addr; @@ -217,10 +233,10 @@ void ipaddr_free(struct ipaddr *ip_addr) free(ip_addr); } -static struct ipaddr * get_ip_from_json(cJSON *attributeValue, const char *attributeName) +static struct ipaddr * get_ip_from_json(cJSON *attributeValue, const char *attributeName, int *protocol) { cJSON* item = NULL; - int addr_type=0, __attribute__((__unused__))protocol=0; + int addr_type=0; const char *Ip=NULL; unsigned int Port=0; 
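Review bot: match_ip_attribute_name takes a `char *` it never writes and rebuilds `attribute_name_map` on every call; declare it `int match_ip_attribute_name(const char *attri_name)` with `static const char *const attribute_name_map[] = { ... };`, and give the function `static` linkage if nothing outside verify_policy.cpp calls it (both visible callers are in this file). Passing a NULL attri_name is undefined behaviour in strcasecmp, and whether the call sites can hand in NULL is not visible here, so a leading `if(attri_name == NULL) return -1;` is cheap insurance. The returned index mirrors the table order but no visible caller uses more than `>= 0`; a one-line comment stating that the index is not meaningful would stop someone from relying on it.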
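Review bot: With the local `protocol=0` initialiser removed from get_ip_from_json, `*protocol` is written only when the JSON carries a numeric "protocol" (next hunk), so a request without one leaves the caller's `verify_object[curr_id].protocol` holding whatever it contained before. The old `cJSON_GetObjectItem(...)->valueint` would have crashed on a missing member, which this commit rightly removes, but the replacement should define the missing-protocol value explicitly: add `*protocol = 0;` right after the declarations (or whatever value the matcher treats as "any protocol"), and document it with `/* Fills *protocol from the JSON "protocol" number, 0 when absent. */`. get_ip_from_json's body continues in the next hunk.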
@@ -229,19 +245,20 @@ static struct ipaddr * get_ip_from_json(cJSON *attributeValue, const char *attri item = cJSON_GetObjectItem(attributeValue,"port"); if(item && item->type==cJSON_String) Port =atoi(item->valuestring); item = cJSON_GetObjectItem(attributeValue,"protocol"); - if(item && item->type==cJSON_Number) protocol = item->valueint; + if(item && item->type==cJSON_Number) *protocol = item->valueint; item=cJSON_GetObjectItem(attributeValue,"addrType"); if(item && item->type==cJSON_Number) addr_type = item->valueint; struct ipaddr *ip_addr = NULL; - if(strcasecmp(attributeName, "source") == 0) + if(strcasecmp(attributeName, "source") == 0 || strcasecmp(attributeName, "internal") == 0 || + strcasecmp(attributeName, "tunnel_endpointa") == 0 || strcasecmp(attributeName, "tunnel_endpointb") == 0) { - ip_addr = ip_to_stream_addr(Ip, Port, "0.0.0.0", 0, addr_type); + ip_addr = ip_to_stream_addr(Ip, Port, "0.0.0.0", 0, addr_type, attributeName); } - if(strcasecmp(attributeName, "destination") == 0) + if(strcasecmp(attributeName, "destination") == 0 || strcasecmp(attributeName, "external") == 0) { - ip_addr = ip_to_stream_addr("0.0.0.0", 0, Ip, Port, addr_type); + ip_addr = ip_to_stream_addr("0.0.0.0", 0, Ip, Port, addr_type, attributeName); } return ip_addr; } 
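Review bot: `Port = atoi(item->valuestring)` accepts any string and silently folds out-of-range values through the later htons, and `Ip` (initialised NULL above the hunk) is passed into ip_to_stream_addr even when the JSON has no "ip" member — this is the externally supplied input of the verify endpoint, so both should be validated here rather than downstream. Parse the port with strtoul and reject anything above 65535, and return NULL when no address was supplied; policy_verify_scan already treats a NULL ip_addr as "nothing to scan", provided ipaddr_free tolerates NULL. Whether the "ip" lookup between the two hunks ever leaves Ip NULL is not visible here, so confirm before relying on it.
```cpp
// … unchanged: "ip" lookup …
item = cJSON_GetObjectItem(attributeValue,"port");
if(item && item->type==cJSON_String)
{
    errno = 0;
    char *end = NULL;
    unsigned long p = strtoul(item->valuestring, &end, 10);
    if(end == item->valuestring || *end != '\0' || errno == ERANGE || p > 65535) return NULL;
    Port = (unsigned int)p;
}
// … unchanged: "protocol" and "addrType" lookups …
if(Ip == NULL) return NULL;
// … unchanged: dispatch on attributeName …
```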
@@ -277,18 +294,10 @@ static int get_attribute_from_json(int curr_id, cJSON* subchild, struct verify_p { goto finish; } - if(0 == strcasecmp(policy_query->verify_object[curr_id].attri_name, "source") || - 0 == strcasecmp(policy_query->verify_object[curr_id].attri_name, "destination")) - { - policy_query->verify_object[curr_id].ip_addr = get_ip_from_json(attributeValue, policy_query->verify_object[curr_id].attri_name); - policy_query->verify_object[curr_id].protocol= cJSON_GetObjectItem(attributeValue , "protocol")->valueint; - goto end; - } - if(0 == strcasecmp(policy_query->verify_object[curr_id].attri_name, "tunnel_endpointa") || - 0 == strcasecmp(policy_query->verify_object[curr_id].attri_name, "tunnel_endpointb")) + if(match_ip_attribute_name(policy_query->verify_object[curr_id].attri_name) >= 0) { - policy_query->verify_object[curr_id].endpoint = get_ip_from_json(attributeValue, "source"); + policy_query->verify_object[curr_id].ip_addr = get_ip_from_json(attributeValue, policy_query->verify_object[curr_id].attri_name, &(policy_query->verify_object[curr_id].protocol)); goto end; } @@ -461,17 +470,10 @@ int get_query_result_policy(cJSON *subitem, cJSON *data_obj, int thread_id) goto free; } hit_cnt = policy_verify_scan(verify_policy->vsys_id, verify_policy->compile_table_id, &verify_policy->verify_object[i], ctx); - if(0 == strcasecmp(verify_policy->verify_object[i].attri_name, "source") || - 0 == strcasecmp(verify_policy->verify_object[i].attri_name, "destination")) + if(match_ip_attribute_name(verify_policy->verify_object[i].attri_name) >= 0) { ipaddr_free(verify_policy->verify_object[i].ip_addr); } - if(0 == strcasecmp(verify_policy->verify_object[i].attri_name, "tunnel_endpointa") || - 0 == strcasecmp(verify_policy->verify_object[i].attri_name, "tunnel_endpointb")) - { - ipaddr_free(verify_policy->verify_object[i].endpoint); - } - i++; } http_hit_policy_list(verify_policy, i, hit_cnt, data_obj, ctx); 
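Review bot: After `ipaddr_free(verify_policy->verify_object[i].ip_addr)` the dangling pointer stays in the verify_object array, which is handed to http_hit_policy_list immediately after the loop and is presumably also what the `free:` label (outside the hunk) cleans up; if either path touches ip_addr this is a use-after-free or a double free, and the removed `endpoint` field had the same exposure. Null it at the free site: `ipaddr_free(verify_policy->verify_object[i].ip_addr); verify_policy->verify_object[i].ip_addr = NULL;`. Whether http_hit_policy_list or the `free:` path reads ip_addr is not visible here; the null makes any such access fail predictably instead of silently. get_query_result_policy continues outside the hunk.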
diff --git a/resource/table_info.conf b/resource/table_info.conf index b49e25a..5bd1549 100644 --- a/resource/table_info.conf +++ b/resource/table_info.conf @@ -992,5 +992,17 @@ "table_name": "ATTR_DESTINATION_SERVER_FQDN_CAT", "table_type": "virtual", "physical_table": "TSG_OBJ_FQDN_CAT" + }, + { + "table_id":102, + "table_name":"ATTR_INTERNAL_ADDR", + "table_type":"virtual", + "physical_table": "TSG_OBJ_IP" + }, + { + "table_id":103, + "table_name":"ATTR_EXTERNAL_ADDR", + "table_type":"virtual", + "physical_table": "TSG_OBJ_IP" } ] \ No newline at end of file diff --git a/resource/table_info_simple.conf b/resource/table_info_simple.conf index f59c9a3..e0ad657 100644 --- a/resource/table_info_simple.conf +++ b/resource/table_info_simple.conf @@ -918,5 +918,17 @@ "table_name": "ATTR_DESTINATION_SERVER_FQDN_CAT", "table_type": "virtual", "physical_table": "TSG_OBJ_FQDN_CAT" + }, + { + "table_id":102, + "table_name":"ATTR_INTERNAL_ADDR", + "table_type":"virtual", + "physical_table": "TSG_OBJ_IP" + }, + { + "table_id":103, + "table_name":"ATTR_EXTERNAL_ADDR", + "table_type":"virtual", + "physical_table": "TSG_OBJ_IP" } ] \ No newline at end of file