diff --git a/common/include/verify_policy.h b/common/include/verify_policy.h index fb76e79..2abdf97 100644 --- a/common/include/verify_policy.h +++ b/common/include/verify_policy.h @@ -116,6 +116,8 @@ struct fqdn_category_id long long int group_id[8]; }; +#define MERGE_SCAN_NTH 128 + struct request_query_obj { int table_id; @@ -130,10 +132,11 @@ struct request_query_obj char *subscriberid; - int nth_scan[256]; - int nth_scan_num; - cJSON* attributes; + int merge_nth_scan_num; + int exclude_nth_scan[MERGE_SCAN_NTH]; + int merge_nth_scan[MERGE_SCAN_NTH]; + cJSON* attributes; struct fqdn_category_id fqdn_user; struct fqdn_category_id fqdn_builtin; }; @@ -142,7 +145,7 @@ struct verify_policy_query { int vsys_id; int compile_table_id; - struct request_query_obj verify_object[32]; + struct request_query_obj request_object[32]; }; extern struct verify_policy * g_verify_proxy; diff --git a/platform/src/verify_matcher.cpp b/platform/src/verify_matcher.cpp index 5c5c5b4..0c01dd4 100644 --- a/platform/src/verify_matcher.cpp +++ b/platform/src/verify_matcher.cpp @@ -1159,15 +1159,15 @@ void http_get_scan_status(struct request_query_obj *query_obj, int compile_table cJSON *histObj=NULL; for(i=0; i< ctx->n_read; i++) { - for(j=0; j<=query_obj->nth_scan_num; j++) + for(j=0; j<=query_obj->merge_nth_scan_num; j++) { - if (query_obj->nth_scan[j] == ctx->hit_path[i].Nth_scan) + if (query_obj->merge_nth_scan[j] == ctx->hit_path[i].Nth_scan && query_obj->exclude_nth_scan[j] != 1) { if(ctx->hit_path[i].compile_id > 0) { if(hit_path_is_duplicate(result_hit_path, ctx->hit_path[i], result_cnt)) { - break; + break; } else { @@ -1218,9 +1218,9 @@ int get_attributes_table_name(struct request_query_obj *query_obj, int num, int for(i=0; ivsys_id; int compile_table_id = verify_policy->compile_table_id; 
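Review bot: The new request_query_obj fields in the @@ -130 hunk carry an invariant the header never states: the helpers in verify_matcher.cpp fill merge_nth_scan[0..merge_nth_scan_num-1] for sub-scans and policy_verify_scan then stores the final scan's count at index merge_nth_scan_num itself, so the arrays must hold merge_nth_scan_num+1 entries and exclude_nth_scan is read at the same indices. A comment on the fields would make that explicit, e.g. `/* slots 0..merge_nth_scan_num-1: sub-scans; slot merge_nth_scan_num: final scan (policy_verify_scan) */` and `/* 1 = skip this slot in http_get_scan_status; relies on being zeroed before a query */`. Since the capacity also drops from 256 to MERGE_SCAN_NTH here, the same comment should say that writers are expected to keep the count below MERGE_SCAN_NTH, because none of them check it.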
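Review bot: In http_get_scan_status the loop `for(j=0; j<=query_obj->merge_nth_scan_num; j++)` reads exclude_nth_scan[j] and merge_nth_scan[j] with j equal to merge_nth_scan_num, and no writer in this patch bounds that counter by MERGE_SCAN_NTH, which the header hunk halves to 128; a query that records MERGE_SCAN_NTH sub-scans makes this read one past both arrays. `for(j=0; j<=query_obj->merge_nth_scan_num && j<MERGE_SCAN_NTH; j++)` keeps the read inside the struct field. The new `exclude_nth_scan[j] != 1` test on the final slot also depends on that slot being zero, which policy_verify_scan never writes, so it presumably relies on the struct being zero-initialised by the caller. http_get_scan_status starts outside the hunk.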
@@ -1298,7 +1298,7 @@ int http_hit_policy_list(struct verify_policy_query *verify_policy, int num, siz cJSON_AddNumberToObject(topObject, "objectId", ctx->hit_path[j].top_group_id); cJSON_AddNumberToObject(topObject, "notFlag", ctx->hit_path[j].NOT_flag); cJSON_AddNumberToObject(topObject, "nthClause", ctx->hit_path[j].clause_index); - get_attributes_table_name(verify_policy->verify_object, num, ctx->hit_path[j].Nth_scan, &ctx->ip_ctx, ctx->tunnel_endpoint_x, topObject); + get_attributes_table_name(verify_policy->request_object, num, ctx->hit_path[j].Nth_scan, &ctx->ip_ctx, ctx->tunnel_endpoint_x, topObject); cJSON_AddItemToArray(topObjectList, topObject); } } @@ -1521,7 +1521,7 @@ int ip_asn_scan(long long *result, struct ip_addr* sip, struct ip_addr* dip, int int get_fqdn_category_id(long long *result, const char *fqdn, int table_id, int hit_cnt, unsigned int thread_id, int vsys_id, struct policy_scan_ctx * ctx, struct request_query_obj *query_obj) { int j=0, k=0; - size_t n_hit_result=0; + size_t n_read=0, n_hit_result=0; int hit_path_cnt=0; int i=0,ret=0, hit_cnt_fqdn=0; struct fqdn_category_ctx *fqdn_cat_user[8]={0},*fqdn_cat_built[8]={0}; @@ -1579,7 +1579,14 @@ int get_fqdn_category_id(long long *result, const char *fqdn, int table_id, int { hit_cnt_fqdn+=n_hit_result; } - hit_path_cnt++; + n_read=maat_state_get_hit_paths(ctx->scan_mid, ctx->hit_path, HIT_PATH_SIZE); + if(ret >= MAAT_SCAN_OK) + { + query_obj->merge_nth_scan[hit_path_cnt] = maat_state_get_scan_count(ctx->scan_mid);; + query_obj->exclude_nth_scan[hit_path_cnt] = 1; + ctx->n_read=n_read; + hit_path_cnt++; + } } goto finish; } 
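Review bot: In the user-category branch of get_fqdn_category_id the new `n_read=maat_state_get_hit_paths(ctx->scan_mid, ctx->hit_path, HIT_PATH_SIZE);` runs before the `ret >= MAAT_SCAN_OK` test, so on a failed scan ctx->hit_path is presumably refilled while ctx->n_read keeps the previous count; the tunnel hunk in this same patch (@@ -1645) makes the call inside the condition, and this branch should match it. The store to `merge_nth_scan[hit_path_cnt]` is also never compared with MERGE_SCAN_NTH — with fqdn_cat_user[8]/fqdn_cat_built[8] the count here is probably small, but `if(ret >= MAAT_SCAN_OK && hit_path_cnt < MERGE_SCAN_NTH)` is cheap insurance now that the array is 128. There is a stray `;;` on the merge_nth_scan assignment. The function continues past the end of the hunk.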
@@ -1593,17 +1600,24 @@ int get_fqdn_category_id(long long *result, const char *fqdn, int table_id, int { hit_cnt_fqdn+=n_hit_result; } - ret = maat_scan_not_logic(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[table_id], result+hit_cnt+hit_cnt_fqdn, + ret = maat_scan_not_logic(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[table_id], result+hit_cnt+hit_cnt_fqdn, MAX_SCAN_RESULT-hit_cnt-hit_cnt_fqdn, &n_hit_result, ctx->scan_mid); if (ret == MAAT_SCAN_HIT) { hit_cnt_fqdn+=n_hit_result; } - hit_path_cnt++; + n_read=maat_state_get_hit_paths(ctx->scan_mid, ctx->hit_path, HIT_PATH_SIZE); + if(ret >= MAAT_SCAN_OK) + { + query_obj->merge_nth_scan[hit_path_cnt] = maat_state_get_scan_count(ctx->scan_mid); + query_obj->exclude_nth_scan[hit_path_cnt] = 1; + ctx->n_read=n_read; + hit_path_cnt++; + } } } finish: - query_obj->nth_scan_num = hit_path_cnt; + query_obj->merge_nth_scan_num = hit_path_cnt; return hit_cnt_fqdn; } @@ -1645,13 +1659,13 @@ int policy_verify_scan_tunnel(long long *result, struct ip_addr *sip, int hit_cn if(scan_ret >= MAAT_SCAN_OK) { n_read=maat_state_get_hit_paths(ctx->scan_mid, ctx->hit_path, HIT_PATH_SIZE); - query_obj->nth_scan[hit_path_cnt] = maat_state_get_scan_count(ctx->scan_mid); + query_obj->merge_nth_scan[hit_path_cnt] = maat_state_get_scan_count(ctx->scan_mid); ctx->n_read=n_read; hit_path_cnt++; } tunnel_table_free(tunnel_catalog[i]); } - query_obj->nth_scan_num = hit_path_cnt; + query_obj->merge_nth_scan_num = hit_path_cnt; return hit_cnt_tunnel; } @@ -1685,7 +1699,7 @@ static int policy_verify_scan_app_id(struct request_query_obj *request, struct p } app_id_dict_free(app_dict); n_read=maat_state_get_hit_paths(ctx->scan_mid, ctx->hit_path, HIT_PATH_SIZE); - request->nth_scan[0] = maat_state_get_scan_count(ctx->scan_mid); + request->merge_nth_scan[0] = maat_state_get_scan_count(ctx->scan_mid); ctx->n_read=n_read; return hit_cnt_app_id; } 
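Review bot: policy_verify_scan_tunnel bumps hit_path_cnt once per tunnel_catalog entry and stores at `merge_nth_scan[hit_path_cnt]` with no comparison against MERGE_SCAN_NTH; the catalog size is fixed before this hunk, so if it can exceed 128 the store lands on the `attributes` pointer that follows the array in request_query_obj. `if(scan_ret >= MAAT_SCAN_OK && hit_path_cnt < MERGE_SCAN_NTH)` bounds it. Unlike the fqdn path this branch leaves exclude_nth_scan untouched, so whether tunnel slots are reported by http_get_scan_status depends on the flag having been zeroed earlier — presumably intended, but worth a one-line comment saying tunnel slots are meant to be kept. The function starts outside the hunk.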
@@ -1713,7 +1727,7 @@ static int policy_verify_scan_flag(struct request_query_obj *request, struct pol hit_cnt_flag+=n_hit_result; } n_read=maat_state_get_hit_paths(ctx->scan_mid, ctx->hit_path, HIT_PATH_SIZE); - request->nth_scan[0] = maat_state_get_scan_count(ctx->scan_mid); + request->merge_nth_scan[0] = maat_state_get_scan_count(ctx->scan_mid); ctx->n_read=n_read; return hit_cnt_flag; } @@ -1751,7 +1765,7 @@ static int policy_verify_scan_http_hdr(struct request_query_obj *request, struct } } n_read=maat_state_get_hit_paths(ctx->scan_mid, ctx->hit_path, HIT_PATH_SIZE); - request->nth_scan[0] = maat_state_get_scan_count(ctx->scan_mid); + request->merge_nth_scan[0] = maat_state_get_scan_count(ctx->scan_mid); ctx->n_read=n_read; return hit_cnt_hdr; } @@ -1802,7 +1816,7 @@ static int ip_addr_scan(struct request_query_obj *request, struct policy_scan_ct if(scan_ret >= MAAT_SCAN_OK) { n_read=maat_state_get_hit_paths(ctx->scan_mid, ctx->hit_path, HIT_PATH_SIZE); - request->nth_scan[0] = maat_state_get_scan_count(ctx->scan_mid); + request->merge_nth_scan[0] = maat_state_get_scan_count(ctx->scan_mid); ctx->n_read=n_read; } } @@ -1843,7 +1857,7 @@ static int ip_addr_scan(struct request_query_obj *request, struct policy_scan_ct if(scan_ret >= MAAT_SCAN_OK) { n_read=maat_state_get_hit_paths(ctx->scan_mid, ctx->hit_path, HIT_PATH_SIZE); - request->nth_scan[0] = maat_state_get_scan_count(ctx->scan_mid); + request->merge_nth_scan[0] = maat_state_get_scan_count(ctx->scan_mid); ctx->n_read=n_read; } } @@ -1958,7 +1972,7 @@ size_t policy_verify_scan(int vsys_id, int compile_table_id, struct request_quer hit_cnt+=n_hit_result; } n_read=maat_state_get_hit_paths(ctx->scan_mid, ctx->hit_path, HIT_PATH_SIZE); - request->nth_scan[request->nth_scan_num] = maat_state_get_scan_count(ctx->scan_mid); + request->merge_nth_scan[request->merge_nth_scan_num] = maat_state_get_scan_count(ctx->scan_mid); ctx->n_read=n_read; decide: ctx->hit_cnt = hit_cnt; 
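Review bot: `request->merge_nth_scan[request->merge_nth_scan_num] = maat_state_get_scan_count(ctx->scan_mid);` in policy_verify_scan writes at the count itself, so once the sub-scans have filled all MERGE_SCAN_NTH slots this lands one past the array, on the `attributes` pointer declared right after it in the header. A guard such as `if(request->merge_nth_scan_num < MERGE_SCAN_NTH)` around the store (or clamping the count where the sub-scans record it) is needed now that the array is 128 entries. This slot's exclude flag is never written here while http_get_scan_status skips slots where `exclude_nth_scan[j] == 1`; adding `request->exclude_nth_scan[request->merge_nth_scan_num] = 0;` next to the store makes the final scan's inclusion independent of how the struct was initialised. policy_verify_scan starts outside the hunk.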
diff --git a/platform/src/verify_policy.cpp b/platform/src/verify_policy.cpp index f6fa4d1..ea2ddb7 100644 --- a/platform/src/verify_policy.cpp +++ b/platform/src/verify_policy.cpp @@ -273,16 +273,16 @@ static int get_attribute_from_json(int curr_id, cJSON* subchild, struct verify_p item = cJSON_GetObjectItem(subchild, "attributeName"); if(item && item->type==cJSON_String) { - policy_query->verify_object[curr_id].attri_name = item->valuestring; - p += snprintf(p, sizeof(buff) - (p - buff), "attributeName = %s",policy_query->verify_object[curr_id].attri_name); + policy_query->request_object[curr_id].attri_name = item->valuestring; + p += snprintf(p, sizeof(buff) - (p - buff), "attributeName = %s",policy_query->request_object[curr_id].attri_name); } - policy_query->verify_object[curr_id].attributes=cJSON_Duplicate(subchild, 1); + policy_query->request_object[curr_id].attributes=cJSON_Duplicate(subchild, 1); item = cJSON_GetObjectItem(subchild, "tableName"); if(item && item->type==cJSON_String) { - policy_query->verify_object[curr_id].table_id = protoco_field_type_str2idx(item->valuestring, buff, &p); - if(policy_query->verify_object[curr_id].table_id == __TSG_OBJ_MAX) + policy_query->request_object[curr_id].table_id = protoco_field_type_str2idx(item->valuestring, buff, &p); + if(policy_query->request_object[curr_id].table_id == __TSG_OBJ_MAX) { mesa_runtime_log(RLOG_LV_FATAL, "Get table id failed form table name:%s", item->valuestring); return xret; 
@@ -295,27 +295,27 @@ static int get_attribute_from_json(int curr_id, cJSON* subchild, struct verify_p goto finish; } - if(match_ip_attribute_name(policy_query->verify_object[curr_id].attri_name) >= 0) + if(match_ip_attribute_name(policy_query->request_object[curr_id].attri_name) >= 0) { - policy_query->verify_object[curr_id].ip_addr = get_ip_from_json(attributeValue, policy_query->verify_object[curr_id].attri_name, &(policy_query->verify_object[curr_id].protocol)); + policy_query->request_object[curr_id].ip_addr = get_ip_from_json(attributeValue, policy_query->request_object[curr_id].attri_name, &(policy_query->request_object[curr_id].protocol)); goto end; } item = cJSON_GetObjectItem(attributeValue,"district"); if(item!=NULL) { - policy_query->verify_object[curr_id].district = item->valuestring; - p += snprintf(p, sizeof(buff) - (p - buff), ", district = %s",policy_query->verify_object[curr_id].district); + policy_query->request_object[curr_id].district = item->valuestring; + p += snprintf(p, sizeof(buff) - (p - buff), ", district = %s",policy_query->request_object[curr_id].district); } - if(policy_query->verify_object[curr_id].table_id == TSG_OBJ_APP_ID || - policy_query->verify_object[curr_id].table_id == TSG_OBJ_FLAG) + if(policy_query->request_object[curr_id].table_id == TSG_OBJ_APP_ID || + policy_query->request_object[curr_id].table_id == TSG_OBJ_FLAG) { item = cJSON_GetObjectItem(attributeValue, "numeric"); if(item && item->type==cJSON_Number) { - policy_query->verify_object[curr_id].numeric = item->valueint; - p += snprintf(p, sizeof(buff) - (p - buff), ", content = %d", policy_query->verify_object[curr_id].numeric); + policy_query->request_object[curr_id].numeric = item->valueint; + p += snprintf(p, sizeof(buff) - (p - buff), ", content = %d", policy_query->request_object[curr_id].numeric); } } else 
@@ -323,8 +323,8 @@ static int get_attribute_from_json(int curr_id, cJSON* subchild, struct verify_p item = cJSON_GetObjectItem(attributeValue, "string"); if(item!=NULL) { - policy_query->verify_object[curr_id].keyword = item->valuestring; - p += snprintf(p, sizeof(buff) - (p - buff), ", content = %s",policy_query->verify_object[curr_id].keyword); + policy_query->request_object[curr_id].keyword = item->valuestring; + p += snprintf(p, sizeof(buff) - (p - buff), ", content = %s",policy_query->request_object[curr_id].keyword); } } mesa_runtime_log(RLOG_LV_INFO, "[I] %s", buff); @@ -469,10 +469,10 @@ int get_query_result_policy(cJSON *subitem, cJSON *data_obj, int thread_id) { goto free; } - hit_cnt = policy_verify_scan(verify_policy->vsys_id, verify_policy->compile_table_id, &verify_policy->verify_object[i], ctx); - if(match_ip_attribute_name(verify_policy->verify_object[i].attri_name) >= 0) + hit_cnt = policy_verify_scan(verify_policy->vsys_id, verify_policy->compile_table_id, &verify_policy->request_object[i], ctx); + if(match_ip_attribute_name(verify_policy->request_object[i].attri_name) >= 0) { - ipaddr_free(verify_policy->verify_object[i].ip_addr); + ipaddr_free(verify_policy->request_object[i].ip_addr); } i++; } @@ -485,7 +485,7 @@ int get_query_result_policy(cJSON *subitem, cJSON *data_obj, int thread_id) cJSON_AddItemToObject(verfifySession, "attributes", attributes); for (item = 0; item < i; item++) { - http_get_scan_status(&verify_policy->verify_object[item], verify_policy->compile_table_id, attributes,data_obj, ctx); + http_get_scan_status(&verify_policy->request_object[item], verify_policy->compile_table_id, attributes,data_obj, ctx); } policy_scan_ctx_free(ctx); }