diff --git a/common/include/verify_policy.h b/common/include/verify_policy.h
index 65e4125..add619b 100644
--- a/common/include/verify_policy.h
+++ b/common/include/verify_policy.h
@@ -140,7 +140,7 @@ extern struct verify_policy * g_verify_proxy;
 void *policy_scan_ctx_new(unsigned int thread_id, int vsys_id, int compile_table_id);
 void policy_scan_ctx_free(void * pme);
-size_t policy_verify_scan(int vsys_id, int compile_table_id, struct request_query_obj *query_obj, cJSON *data_obj, void *pme);
+size_t policy_verify_scan(int vsys_id, int compile_table_id, struct request_query_obj *query_obj, void *pme);
 void http_get_scan_status(struct request_query_obj *query_obj, int type, cJSON *attributes, cJSON *data_obj, void *pme);
 int maat_table_init(struct verify_policy * verify, const char* profile_path);
 int http_hit_policy_list(int vsys_id, int compile_table_id, size_t hit_cnt, cJSON *data_obj, void *pme);
diff --git a/platform/src/verify_matcher.cpp b/platform/src/verify_matcher.cpp
index d83dafc..a50f684 100644
--- a/platform/src/verify_matcher.cpp
+++ b/platform/src/verify_matcher.cpp
@@ -158,6 +158,8 @@ struct verify_policy_rt
 void * local_logger;
 int log_level;
 int thread_num;
+ int load_ip_location;
+ int load_fqdn_cat;
 int compile_table_id[__SCAN_POLICY_MAX];
 int profile_table_id [POLICY_PROFILE_TABLE_MAX];
 int scan_table_id[__TSG_OBJ_MAX];
@@ -1167,6 +1169,11 @@ int ip_location_scan(long long *result, struct ip_addr *sip, struct ip_addr *dip
 struct maat_hit_path hit_path[HIT_PATH_SIZE];
 struct ip_data_table* ip_location_client=NULL, *ip_location_server=NULL;
+ if(!g_policy_rt->load_ip_location)
+ {
+ return 0;
+ }
+
 maat_ip_plugin_table_get_ex_data(g_policy_rt->feather[vsys_id], g_policy_rt->profile_table_id[POLICY_LOCATION_USER_DEFINED], sip, (void **)&ip_location_client, 1);
 maat_ip_plugin_table_get_ex_data(g_policy_rt->feather[vsys_id], g_policy_rt->profile_table_id[POLICY_LOCATION_USER_DEFINED], dip, (void **)&ip_location_server, 1);
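Review bot: The new early return in ip_location_scan leaves `*result` untouched, so a caller that reads `*result` after the call without first checking the return value sees whatever the variable held before; the same guard is added to http_ip_asn_scan and get_fqdn_category_id in the following hunks. If the contract is that `*result` is meaningful only when the return is positive, say so on the guard, e.g. `/* location tables not loaded (MAAT/load_ip_location=0): report no hit, *result is left unchanged */`; otherwise write `*result = 0;` before the `return 0;`. The bodies of all three functions continue outside their hunks, so whether every caller clears `*result` beforehand is not visible here.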
@@ -1258,6 +1265,11 @@ int http_ip_asn_scan(long long *result, struct ip_addr* sip, struct ip_addr* dip
 struct maat_hit_path hit_path[HIT_PATH_SIZE];
 struct ip_data_table* ip_asn_client=NULL, *ip_asn_server=NULL;
+ if(!g_policy_rt->load_ip_location)
+ {
+ return 0;
+ }
+
 maat_ip_plugin_table_get_ex_data(g_policy_rt->feather[vsys_id], g_policy_rt->profile_table_id[POLICY_ASN_USER_DEFINED], sip, (void **)&ip_asn_client, 1);
 maat_ip_plugin_table_get_ex_data(g_policy_rt->feather[vsys_id], g_policy_rt->profile_table_id[POLICY_ASN_USER_DEFINED], dip, (void **)&ip_asn_server, 1);
@@ -1316,6 +1328,11 @@ int get_fqdn_category_id(long long *result, const char *fqdn, int table_id, int
 int i=0,ret=0, hit_cnt_fqdn=0;
 struct fqdn_category_t *fqdn_cat_user[8]={0},*fqdn_cat_built[8]={0};
+ if(!g_policy_rt->load_fqdn_cat)
+ {
+ return 0;
+ }
+
 ret=maat_fqdn_plugin_table_get_ex_data(g_policy_rt->feather[vsys_id], g_policy_rt->profile_table_id[POLICY_FQDN_CAT_USER_DEFINED], fqdn, (void **)fqdn_cat_user, 8);
 for(i=0; i local_logger = verify->logger;
 g_policy_rt->thread_num = verify->nr_work_threads;
- for(vsys_id=0; vsys_id < VSYS_ID_MAX; vsys_id++)
+ MESA_load_profile_int_def(profile_path, "MAAT", "load_ip_location", &(g_policy_rt->load_ip_location), 1);
+ MESA_load_profile_int_def(profile_path, "MAAT", "load_fqdn_cat", &(g_policy_rt->load_fqdn_cat), 1);
+ MESA_load_profile_int_def(profile_path, "MAAT", "load_vsys_num", &(load_vsys_num), 255);
+ load_vsys_num = load_vsys_num > VSYS_ID_MAX ? VSYS_ID_MAX : load_vsys_num;
+
+ for(vsys_id=0; vsys_id < load_vsys_num; vsys_id++)
 {
 g_policy_rt->feather[vsys_id] = create_maat_feather("static", profile_path, "MAAT", g_policy_rt->thread_num, log_path, vsys_id);
 if (!g_policy_rt->feather[vsys_id])
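Review bot: In the maat_table_init hunk `load_vsys_num` is clamped from above to `VSYS_ID_MAX` but not from below, so a zero or negative `MAAT/load_vsys_num` in the profile makes the loop create no feather at all, and any value below `VSYS_ID_MAX` leaves `g_policy_rt->feather[vsys_id]` unset for the higher ids while the scan paths above (ip_location_scan, http_ip_asn_scan, get_fqdn_category_id) still index `feather[vsys_id]` with no NULL check. Unless every vsys_id is validated against the loaded count somewhere not visible here, a request for an unloaded vsys hands a NULL feather to the maat lookups. I would fall back to the default for out-of-range values, `if (load_vsys_num < 1 || load_vsys_num > VSYS_ID_MAX) load_vsys_num = VSYS_ID_MAX;`, keep the loaded count in the runtime struct, and check vsys_id against it at the scan entry points. The hunk header and the preceding context are mangled in this copy, so the declaration and initial value of `load_vsys_num` are not visible, and maat_table_init continues outside the hunk.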
@@ -1966,7 +1994,7 @@ int maat_table_init(struct verify_policy * verify, const char* profile_path)
 maat_plugin_table_ex_schema_register(g_policy_rt->feather[vsys_id], "PXY_INTERCEPT_COMPILE", compile_table_new_cb, compile_free_data, compile_dup_data, 0,NULL);
 }
- for(int i = POLICY_ASN_USER_DEFINED; i < POLICY_FQDN_CAT_USER_DEFINED; i++)
+ for(int i = POLICY_ASN_USER_DEFINED; i < POLICY_FQDN_CAT_USER_DEFINED && g_policy_rt->load_ip_location; i++)
 {
 ret = maat_ip_table_init(i, vsys_id, ip_table_free_cb, ip_table_dup_cb);
 if(ret<0)
@@ -1974,7 +2002,7 @@ int maat_table_init(struct verify_policy * verify, const char* profile_path)
 goto error_out;
 }
 }
- for(int i = POLICY_FQDN_CAT_USER_DEFINED; i <= POLICY_FQDN_CAT_BUILT_IN; i++)
+ for(int i = POLICY_FQDN_CAT_USER_DEFINED; i <= POLICY_FQDN_CAT_BUILT_IN && g_policy_rt->load_fqdn_cat; i++)
 {
 ret = maat_fqdn_cat_table_init(i, vsys_id, fqdn_cat_new_data, fqdn_cat_free_data, fqdn_cat_dup_data);
 if(ret<0)
diff --git a/platform/src/verify_policy.cpp b/platform/src/verify_policy.cpp
index ff02bf0..be9d98c 100644
--- a/platform/src/verify_policy.cpp
+++ b/platform/src/verify_policy.cpp
@@ -435,7 +435,7 @@ int get_query_result_policy(cJSON *subitem, cJSON *data_obj, int thread_id)
 {
 goto free;
 }
- hit_cnt = policy_verify_scan(verify_policy->vsys_id, verify_policy->compile_table_id, &verify_policy->verify_object[i], data_obj, ctx);
+ hit_cnt = policy_verify_scan(verify_policy->vsys_id, verify_policy->compile_table_id, &verify_policy->verify_object[i], ctx);
 if(0 == strcasecmp(verify_policy->verify_object[i].attri_name, "source") || 0 == strcasecmp(verify_policy->verify_object[i].attri_name, "destination"))
 {
diff --git a/resource/table_info_simple.conf b/resource/table_info_simple.conf
new file mode 100644
index 0000000..16706e8
--- /dev/null
+++ b/resource/table_info_simple.conf
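Review bot: Folding the loop-invariant config flag into the `for` condition (`... && g_policy_rt->load_ip_location; i++`, and likewise `&& g_policy_rt->load_fqdn_cat` in the next hunk) re-evaluates it every iteration and hides that the whole table-init block is conditional; an explicit `if (g_policy_rt->load_ip_location) {` around the unchanged loop, closed with `}` after it, reads as what it is. The disabled case also deserves a comment where the loop is skipped, e.g. `/* MAAT/load_ip_location=0: ASN/location tables are not created and profile_table_id[] keeps its initial value for these ids */`, because any reader of those `profile_table_id` entries other than the scan functions gated in the earlier hunks would otherwise use an uninitialised table id; whether such readers exist is not visible here. maat_table_init continues outside both hunks.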
@@ -0,0 +1,687 @@
+[
+ {
+ "table_id":0,
+ "table_name":"TSG_SECURITY_COMPILE",
+ "table_type":"compile",
+ "user_region_encoded":"escape",
+ "valid_column":8,
+ "custom": {
+ "compile_id":1,
+ "service_id":2,
+ "action":3,
+ "do_blacklist":4,
+ "do_log":5,
+ "tags":6,
+ "user_region":7,
+ "clause_num":9,
+ "evaluation_order":10
+ }
+ },
+ {
+ "table_id":1,
+ "table_name":"GROUP_SECURITY_COMPILE_RELATION",
+ "table_type":"group2compile",
+ "associated_compile_table_id":0,
+ "valid_column":3,
+ "custom": {
+ "group_id":1,
+ "compile_id":2,
+ "not_flag":4,
+ "virtual_table_name":5,
+ "clause_index":6
+ }
+ },
+ {
+ "table_id":2,
+ "table_name":"PXY_CTRL_COMPILE",
+ "table_type":"compile",
+ "user_region_encoded":"escape",
+ "valid_column":8,
+ "custom": {
+ "compile_id":1,
+ "service_id":2,
+ "action":3,
+ "do_blacklist":4,
+ "do_log":5,
+ "tags":6,
+ "user_region":7,
+ "clause_num":9,
+ "evaluation_order":10
+ }
+ },
+ {
+ "table_id":3,
+ "table_name":"GROUP_PXY_CTRL_COMPILE_RELATION",
+ "table_type":"group2compile",
+ "associated_compile_table_id":2,
+ "valid_column":3,
+ "custom": {
+ "group_id":1,
+ "compile_id":2,
+ "not_flag":4,
+ "virtual_table_name":5,
+ "clause_index":6
+ }
+ },
+ {
+ "table_id":4,
+ "table_name":"TRAFFIC_SHAPING_COMPILE",
+ "table_type":"compile",
+ "user_region_encoded":"escape",
+ "valid_column":8,
+ "custom": {
+ "compile_id":1,
+ "service_id":2,
+ "action":3,
+ "do_blacklist":4,
+ "do_log":5,
+ "tags":6,
+ "user_region":7,
+ "clause_num":9,
+ "evaluation_order":10
+ }
+ },
+ {
+ "table_id":5,
+ "table_name":"GROUP_SHAPING_COMPILE_RELATION",
+ "table_type":"group2compile",
+ "associated_compile_table_id":4,
+ "valid_column":3,
+ "custom": {
+ "group_id":1,
+ "compile_id":2,
+ "not_flag":4,
+ "virtual_table_name":5,
+ "clause_index":6
+ }
+ },
+ {
+ "table_id":6,
+ "table_name":"SERVICE_CHAINING_COMPILE",
+ "table_type":"compile",
+ "user_region_encoded":"escape",
+ "valid_column":8,
+ "custom": {
+ "compile_id":1,
+ "service_id":2,
+ "action":3,
+ "do_blacklist":4,
+ "do_log":5,
+ "tags":6,
+ "user_region":7,
+ "clause_num":9,
+ "evaluation_order":10
+ }
+ },
+ {
+ "table_id":7,
+ "table_name":"GROUP_SERVICE_CHAINING_COMPILE_RELATION",
+ "table_type":"group2compile",
+ "associated_compile_table_id":6,
+ "valid_column":3,
+ "custom": {
+ "group_id":1,
+ "compile_id":2,
+ "not_flag":4,
+ "virtual_table_name":5,
+ "clause_index":6
+ }
+ },
+ {
+ "table_id":8,
+ "table_name":"PXY_INTERCEPT_COMPILE",
+ "table_type":"compile",
+ "user_region_encoded":"escape",
+ "valid_column":8,
+ "custom": {
+ "compile_id":1,
+ "service_id":2,
+ "action":3,
+ "do_blacklist":4,
+ "do_log":5,
+ "tags":6,
+ "user_region":7,
+ "clause_num":9,
+ "evaluation_order":10
+ }
+ },
+ {
+ "table_id":9,
+ "table_name":"GROUP_PXY_INTERCEPT_COMPILE_RELATION",
+ "table_type":"group2compile",
+ "associated_compile_table_id":8,
+ "valid_column":3,
+ "custom": {
+ "group_id":1,
+ "compile_id":2,
+ "not_flag":4,
+ "virtual_table_name":5,
+ "clause_index":6
+ }
+ },
+ {
+ "table_id":10,
+ "table_name":"GROUP_GROUP_RELATION",
+ "table_type":"group2group",
+ "valid_column":4,
+ "custom": {
+ "group_id":1,
+ "super_group_id":2,
+ "is_exclude":3
+ }
+ },
+ {
+ "table_id":11,
+ "table_name":"TSG_OBJ_IP",
+ "db_tables":["TSG_OBJ_IP_ADDR","TSG_OBJ_IP_LEARNING_ADDR"],
+ "table_type":"ip_plus",
+ "valid_column":11,
+ "custom": {
+ "item_id":1,
+ "group_id":2,
+ "addr_type":3,
+ "addr_format":4,
+ "ip1":5,
+ "ip2":6,
+ "port_format":7,
+ "port1":8,
+ "port2":9,
+ "protocol":10
+ }
+ },
+ {
+ "table_id":12,
+ "table_name":"TSG_OBJ_SUBSCRIBER_ID",
+ "table_type":"expr",
+ "valid_column":7,
+ "custom": {
+ "item_id":1,
+ "group_id":2,
+ "keywords":3,
+ "expr_type":4,
+ "match_method":5,
+ "is_hexbin":6
+ }
+ },
+ {
+ "table_id":13,
+ "table_name":"TSG_OBJ_ACCOUNT",
+ "table_type":"expr",
+ "valid_column":7,
+ "custom": {
+ "item_id":1,
+ "group_id":2,
+ "keywords":3,
+ "expr_type":4,
+ "match_method":5,
+ "is_hexbin":6
+ }
+ },
+ {
+ "table_id":14,
+ "table_name":"TSG_OBJ_URL",
+ "table_type":"expr",
+ "valid_column":7,
+ "custom": {
+ "item_id":1,
+ "group_id":2,
+ "keywords":3,
+ "expr_type":4,
+ "match_method":5,
+ "is_hexbin":6
+ }
+ },
+ {
+ "table_id":15,
+ "table_name":"TSG_OBJ_FQDN",
+ "table_type":"expr",
+ "valid_column":7,
+ "custom": {
+ "item_id":1,
+ "group_id":2,
+ "keywords":3,
+ "expr_type":4,
+ "match_method":5,
+ "is_hexbin":6
+ }
+ },
+ {
+ "table_id":16,
+ "table_name":"TSG_OBJ_FQDN_CAT",
+ "table_type":"intval",
+ "valid_column":5,
+ "custom": {
+ "item_id":1,
+ "group_id":2,
+ "low_bound":3,
+ "up_bound":4
+ }
+ },
+ {
+ "table_id":17,
+ "table_name":"TSG_OBJ_KEYWORDS",
+ "table_type":"expr",
+ "valid_column":7,
+ "custom": {
+ "item_id":1,
+ "group_id":2,
+ "keywords":3,
+ "expr_type":4,
+ "match_method":5,
+ "is_hexbin":6
+ }
+ },
+ {
+ "table_id":18,
+ "table_name":"TSG_OBJ_APP_ID",
+ "table_type":"intval",
+ "valid_column":5,
+ "custom": {
+ "item_id":1,
+ "group_id":2,
+ "low_bound":3,
+ "up_bound":4
+ }
+ },
+ {
+ "table_id":19,
+ "table_name":"TSG_OBJ_HTTP_SIGNATURE",
+ "table_type":"expr_plus",
+ "valid_column":8,
+ "custom": {
+ "item_id":1,
+ "group_id":2,
+ "district":3,
+ "keywords":4,
+ "expr_type":5,
+ "match_method":6,
+ "is_hexbin":7
+ }
+ },
+ {
+ "table_id":20,
+ "table_name":"TSG_FIELD_HTTP_HOST",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_FQDN"
+ },
+ {
+ "table_id":21,
+ "table_name":"TSG_FIELD_HTTP_HOST_CAT",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_FQDN_CAT"
+ },
+ {
+ "table_id":22,
+ "table_name":"TSG_FIELD_HTTP_URL",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_URL"
+ },
+ {
+ "table_id":23,
+ "table_name":"TSG_FIELD_HTTP_REQ_HDR",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_HTTP_SIGNATURE"
+ },
+ {
+ "table_id":24,
+ "table_name":"TSG_FIELD_HTTP_RES_HDR",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_HTTP_SIGNATURE"
+ },
+ {
+ "table_id":25,
+ "table_name":"TSG_FIELD_HTTP_REQ_BODY",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_KEYWORDS"
+ },
+ {
+ "table_id":26,
+ "table_name":"TSG_FIELD_HTTP_RES_BODY",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_KEYWORDS"
+ },
+ {
+ "table_id":27,
+ "table_name":"TSG_FIELD_SSL_SNI",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_FQDN"
+ },
+ {
+ "table_id":28,
+ "table_name":"TSG_FIELD_SSL_SNI_CAT",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_FQDN_CAT"
+ },
+ {
+ "table_id":29,
+ "table_name":"TSG_FIELD_SSL_CN",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_FQDN"
+ },
+ {
+ "table_id":30,
+ "table_name":"TSG_FIELD_SSL_CN_CAT",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_FQDN_CAT"
+ },
+ {
+ "table_id":31,
+ "table_name":"TSG_FIELD_SSL_SAN",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_FQDN"
+ },
+ {
+ "table_id":32,
+ "table_name":"TSG_FIELD_SSL_SAN_CAT",
+ "table_type":"virtual",
+ "physical_table":"TSG_OBJ_FQDN_CAT"
+ },
+ {
+ "table_id":33,
+ "table_name":"TSG_FIELD_DNS_QNAME",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_FQDN"
+ },
+ {
+ "table_id":34,
+ "table_name":"TSG_FIELD_QUIC_SNI",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_FQDN"
+ },
+ {
+ "table_id":35,
+ "table_name":"TSG_FIELD_QUIC_SNI_CAT",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_FQDN_CAT"
+ },
+ {
+ "table_id":36,
+ "table_name":"TSG_FIELD_MAIL_ACCOUNT",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_ACCOUNT"
+ },
+ {
+ "table_id":37,
+ "table_name":"TSG_FIELD_MAIL_FROM",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_ACCOUNT"
+ },
+ {
+ "table_id":38,
+ "table_name":"TSG_FIELD_MAIL_TO",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_ACCOUNT"
+ },
+ {
+ "table_id":39,
+ "table_name":"TSG_FIELD_MAIL_SUBJECT",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_KEYWORDS"
+ },
+ {
+ "table_id":40,
+ "table_name":"TSG_FIELD_MAIL_CONTENT",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_KEYWORDS"
+ },
+ {
+ "table_id":41,
+ "table_name":"TSG_FIELD_MAIL_ATT_NAME",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_KEYWORDS"
+ },
+ {
+ "table_id":42,
+ "table_name":"TSG_FIELD_MAIL_ATT_CONTENT",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_KEYWORDS"
+ },
+ {
+ "table_id":43,
+ "table_name":"TSG_FIELD_FTP_URI",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_URL"
+ },
+ {
+ "table_id":44,
+ "table_name":"TSG_FIELD_FTP_CONTENT",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_KEYWORDS"
+ },
+ {
+ "table_id":45,
+ "table_name":"TSG_FIELD_FTP_ACCOUNT",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_ACCOUNT"
+ },
+ {
+ "table_id":46,
+ "table_name":"TSG_SECURITY_SOURCE_ADDR",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_IP"
+ },
+ {
+ "table_id":47,
+ "table_name":"TSG_SECURITY_DESTINATION_ADDR",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_IP"
+ },
+ {
+ "table_id":52,
+ "table_name":"TSG_OBJ_AS_NUMBER",
+ "table_type":"expr",
+ "valid_column":7,
+ "custom": {
+ "item_id":1,
+ "group_id":2,
+ "keywords":3,
+ "expr_type":4,
+ "match_method":5,
+ "is_hexbin":6
+ }
+ },
+ {
+ "table_id":53,
+ "table_name":"TSG_SECURITY_SOURCE_ASN",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_AS_NUMBER"
+ },
+ {
+ "table_id":54,
+ "table_name":"TSG_SECURITY_DESTINATION_ASN",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_AS_NUMBER"
+ },
+ {
+ "table_id":55,
+ "table_name":"TSG_OBJ_GEO_LOCATION",
+ "table_type":"expr",
+ "valid_column":7,
+ "custom": {
+ "item_id":1,
+ "group_id":2,
+ "keywords":3,
+ "expr_type":4,
+ "match_method":5,
+ "is_hexbin":6
+ }
+ },
+ {
+ "table_id":56,
+ "table_name":"TSG_SECURITY_SOURCE_LOCATION",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_GEO_LOCATION"
+ },
+ {
+ "table_id":57,
+ "table_name":"TSG_SECURITY_DESTINATION_LOCATION",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_GEO_LOCATION"
+ },
+ {
+ "table_id":60,
+ "table_name":"TSG_FIELD_SIP_ORIGINATOR_DESCRIPTION",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_ACCOUNT"
+ },
+ {
+ "table_id":61,
+ "table_name":"TSG_FIELD_SIP_RESPONDER_DESCRIPTION",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_ACCOUNT"
+ },
+ {
+ "table_id":62,
+ "table_name":"TSG_OBJ_IMSI",
+ "table_type":"expr",
+ "valid_column":7,
+ "custom": {
+ "item_id":1,
+ "group_id":2,
+ "keywords":3,
+ "expr_type":4,
+ "match_method":5,
+ "is_hexbin":6
+ }
+ },
+ {
+ "table_id":63,
+ "table_name":"TSG_OBJ_PHONE_NUMBER",
+ "table_type":"expr",
+ "valid_column":7,
+ "custom": {
+ "item_id":1,
+ "group_id":2,
+ "keywords":3,
+ "expr_type":4,
+ "match_method":5,
+ "is_hexbin":6
+ }
+ },
+ {
+ "table_id":64,
+ "table_name":"TSG_OBJ_APN",
+ "table_type":"expr",
+ "valid_column":7,
+ "custom": {
+ "item_id":1,
+ "group_id":2,
+ "keywords":3,
+ "expr_type":4,
+ "match_method":5,
+ "is_hexbin":6
+ }
+ },
+ {
+ "table_id":65,
+ "table_name":"TSG_FILED_GTP_IMSI",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_IMSI"
+ },
+ {
+ "table_id":66,
+ "table_name":"TSG_FILED_GTP_PHONE_NUMBER",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_PHONE_NUMBER"
+ },
+ {
+ "table_id":67,
+ "table_name":"TSG_FILED_GTP_APN",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_APN"
+ },
+ {
+ "table_id":68,
+ "table_name":"TSG_DECYPTION_EXCLUSION_SSL_SNI",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_FQDN"
+ },
+ {
+ "table_id":69,
+ "table_name":"TSG_OBJ_TUNNEL_ID",
+ "table_type":"intval",
+ "valid_column":5,
+ "custom": {
+ "item_id":1,
+ "group_id":2,
+ "low_bound":3,
+ "up_bound":4
+ }
+ },
+ {
+ "table_id":70,
+ "table_name":"TSG_TUNNEL_CATALOG",
+ "table_type":"bool_plugin",
+ "valid_column":5,
+ "custom": {
+ "item_id":1,
+ "bool_expr":4
+ }
+ },
+ {
+ "table_id":71,
+ "table_name":"TSG_TUNNEL_ENDPOINT",
+ "table_type":"ip_plugin",
+ "valid_column":6,
+ "custom": {
+ "item_id":1,
+ "ip_type":2,
+ "start_ip":3,
+ "end_ip":4,
+ "addr_format":7
+ }
+ },
+ {
+ "table_id":72,
+ "table_name":"TSG_TUNNEL_LABEL",
+ "table_type":"plugin",
+ "valid_column":4,
+ "custom": {
+ "key":1,
+ "key_type":"pointer",
+ "tag":3
+ }
+ },
+ {
+ "table_id":73,
+ "table_name":"TSG_SECURITY_TUNNEL",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_TUNNEL_ID"
+ },
+ {
+ "table_id":74,
+ "table_name":"TSG_OBJ_FLAG",
+ "table_type":"flag",
+ "valid_column":5,
+ "custom": {
+ "item_id":1,
+ "group_id":2,
+ "flag":3,
+ "flag_mask":4
+ }
+ },
+ {
+ "table_id":75,
+ "table_name":"TSG_SECURITY_FLAG",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_FLAG"
+ },
+ {
+ "table_id":76,
+ "table_name":"TSG_FIELD_DOH_QNAME",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_FQDN"
+ },
+ {
+ "table_id":77,
+ "table_name":"TSG_FIELD_DOH_HOST",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_FQDN"
+ },
+ {
+ "table_id":78,
+ "table_name":"TSG_FIELD_DOH_HOST_CAT",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_FQDN_CAT"
+ }
+]
\ No newline at end of file