TSG-13721 策略验证支持MAAT4

This commit is contained in:
fengweihao
2023-03-30 19:50:00 +08:00
parent 92e9c25946
commit 5287253976
14 changed files with 1819 additions and 736 deletions


@@ -13,15 +13,15 @@
struct breakpad_instance;
#define TRAFFIC_VSYS_ID_MAX 255
#define VSYS_ID_MAX 255
enum verify_policy_type
enum compile_table_typle
{
TSG_TABLE_SECURITY,
PXY_TABLE_MANIPULATION,
PXY_TABLE_DEFENCE,
TSG_TRAFFIC_SHAPING,
TSG_SERVICE_CHAINGNG,
PXY_TABLE_DEFENCE,
__SCAN_POLICY_MAX
};
@@ -36,7 +36,8 @@ enum manipulate_sacn_table
PXY_CTRL_SOURCE_ADDR,
PXY_CTRL_DESTINATION_ADDR,
PXY_CTRL_HTTP_URL,
PXY_CTRL_HTTP_FQDN,
PXY_CTRL_HTTP_HOST,
PXY_CTRL_HTTP_HOST_CAT,
PXY_CTRL_HTTP_REQ_HDR,
PXY_CTRL_HTTP_REQ_BODY,
PXY_CTRL_HTTP_RES_HDR,
@@ -45,6 +46,7 @@ enum manipulate_sacn_table
PXY_CTRL_APP_ID,
PXY_CTRL_DOH_QNAME,
PXY_CTRL_DOH_HOST,
PXY_CTRL_DOH_HOST_CAT,
PXY_CTRL_IMSI,
PXY_CTRL_PHONE_NUMBER,
PXY_CTRL_APN,
@@ -60,18 +62,23 @@ enum security_scan_table
TSG_SECURITY_SOURCE_ADDR,
TSG_SECURITY_DESTINATION_ADDR,
TSG_SECURITY_HTTP_URL,
TSG_SECURITY_HTTP_FQDN,
TSG_SECURITY_HTTP_HOST,
TSG_SECURITY_HTTP_HOST_CAT,
TSG_SECURITY_HTTP_REQ_HDR,
TSG_SECURITY_HTTP_REQ_BODY,
TSG_SECURITY_HTTP_RES_HDR,
TSG_SECURITY_HTTP_RES_BODY,
TSG_SECURITY_SUBSCRIBE_ID,
TSG_SECURITY_APP_ID,
TSG_SECURITY_HTTPS_SNI,
TSG_SECURITY_HTTPS_CN,
TSG_SECURITY_HTTPS_SAN,
TSG_SECURITY_SSL_SNI,
TSG_SECURITY_SSL_SNI_CAT,
TSG_SECURITY_SSL_CN,
TSG_SECURITY_SSL_CN_CAT,
TSG_SECURITY_SSL_SAN,
TSG_SECURITY_SSL_SAN_CAT,
TSG_SECURITY_DNS_QNAME,
TSG_SECURITY_QUIC_SNI,
TSG_SECURITY_QUIC_SNI_CAT,
TSG_SECURITY_MAIL_ACCOUNT,
TSG_SECURITY_MAIL_FROM,
TSG_SECURITY_MAIL_TO,
@@ -97,28 +104,6 @@ enum security_scan_table
__SECURITY_TABLE_MAX
};
enum http_ev_bit_number
{
IP_BITNUM = 0,
URL_BITNUM,
FQDN_BITNUM,
REQ_HDR_BITNUM,
RESP_HDR_BITNUM,
CONTENT_BITNUM,
SUBSCRIBE_ID
};
enum policy_http_event
{
EV_HTTP_IP = 1ULL << IP_BITNUM,
EV_HTTP_URL = 1ULL << URL_BITNUM,
EV_HTTP_FQDN = 1ULL << FQDN_BITNUM,
EV_HTTP_REQ_HDR = 1ULL << REQ_HDR_BITNUM,
EV_HTTP_RESP_HDR = 1ULL << RESP_HDR_BITNUM,
EV_HTTP_CONTENT = 1ULL << CONTENT_BITNUM,
EV_HTTP_SUBSCRIBE_ID = 1ULL << SUBSCRIBE_ID,
};
struct verify_policy_thread
{
int id;
@@ -141,15 +126,16 @@ struct verify_policy
struct verify_policy_thread *work_threads[VERIFY_ARRAY_MAX];
};
struct verify_policy_query_obj
struct request_query_obj
{
int protocol_field;
int table_id;
int numeric;
char *keyword;
char *district;
char *attri_name;
int protocol;
struct ipaddr *ip_addr;
struct ipaddr *endpoint;
@@ -169,25 +155,19 @@ struct verify_policy_query_obj
struct verify_policy_query
{
int vsys_id;
int shaping;
enum verify_policy_type type;
struct verify_policy_query_obj verify_object[32];
enum compile_table_typle table_typle;
struct request_query_obj verify_object[32];
};
extern struct verify_policy * g_verify_proxy;
void * pangu_http_ctx_new(unsigned int thread_id);
void *policy_scan_ctx_new(unsigned int thread_id, int vsys_id, enum compile_table_typle table_typle, int compile_table_id);
void pangu_http_ctx_free(void * pme);
size_t verify_policy_scan(int vsys_id, enum verify_policy_type policy_type, struct verify_policy_query_obj *query_obj, cJSON *data_obj, void *pme);
void http_get_scan_status(struct verify_policy_query_obj *query_obj, int type, int shaping, cJSON *attributes, cJSON *data_obj, void *pme);
size_t policy_verify_scan(int vsys_id, enum compile_table_typle policy_type, struct request_query_obj *query_obj, cJSON *data_obj, void *pme);
void http_get_scan_status(struct request_query_obj *query_obj, int type, cJSON *attributes, cJSON *data_obj, void *pme);
int proxy_policy_init(struct verify_policy * verify, const char* profile_path);
int security_policy_init(struct verify_policy * verify, const char* profile_path);
int http_hit_policy_list(enum verify_policy_type policy_type, int shaping, size_t hit_cnt, cJSON *data_obj, void *pme);
int http_hit_policy_list(int vsys_id, enum compile_table_typle policy_type, int compile_table_id, size_t hit_cnt, cJSON *data_obj, void *pme);
void verify_policy_tunnle_add(void * pme);
#endif
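Review bot: The new prototypes `policy_scan_ctx_new`, `policy_verify_scan` and `http_hit_policy_list` take `vsys_id`, `table_typle` and `compile_table_id` as bare `int`/enum values, while the same header bounds them with `VSYS_ID_MAX`/`TRAFFIC_VSYS_ID_MAX` and `__SCAN_POLICY_MAX` but states no precondition. If these values come from the verification request (the `struct verify_policy_query` fields suggest so), document who range-checks them, e.g. `/* Precondition: 0 <= vsys_id <= VSYS_ID_MAX and table_typle < __SCAN_POLICY_MAX; confirm whether the implementation validates these or callers must. */`. On naming, `compile_table_typle`/`table_typle` and `TSG_SERVICE_CHAINGNG` read as misspellings of "type" and "CHAINING"; as public header identifiers they are cheap to fix now and costly later. Note `struct verify_policy_thread` and the `compile_table_typle` enum body both continue outside the hunks shown.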


@@ -29,9 +29,7 @@ extern RTLogInit2Data logging_sc_lid;
/* The maximum length of the log message */
#define RT_LOG_MAX_LOG_MSG_LEN 4096
extern void mesa_logging_print(int log_level, const char *module, const char *msg);
#define mesa_log(x, y, z, ...) do { \
#define mesa_log(x, y, ...) do { \
char _sc_log_msg[RT_LOG_MAX_LOG_MSG_LEN] = ""; \
char *_sc_log_temp = _sc_log_msg; \
if ( !x ) \
@@ -40,11 +38,11 @@ extern void mesa_logging_print(int log_level, const char *module, const char *ms
(RT_LOG_MAX_LOG_MSG_LEN - \
(_sc_log_temp - _sc_log_msg)), \
__VA_ARGS__); \
mesa_logging_print(y, z, _sc_log_msg); \
MESA_handle_runtime_log(logging_sc_lid.run_log_handle, y, __FUNCTION__, _sc_log_msg); \
} \
} while(0)
#define mesa_runtime_log(level, module, ...) mesa_log(logging_sc_lid.debug_switch, level, module, __VA_ARGS__)
#define mesa_runtime_log(level, ...) mesa_log(logging_sc_lid.debug_switch, level, __VA_ARGS__)
extern void * verify_syslog_init(const char *config);
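Review bot: Removing the module parameter shifts the format string one position left in `mesa_log`/`mesa_runtime_log`, so any call site not migrated in this commit (the old shape `mesa_runtime_log(level, MODULE_NAME, fmt, ...)`, as seen in the previous `CHECK_OR_EXIT`) still compiles but passes its module name as the format and the real format as a vararg. Because the macro body hands the first vararg straight to `snprintf`, building with `-Wall` (`-Wformat-extra-args`) will flag every stale caller; worth confirming on the other changed files. The `extern void mesa_logging_print(...)` declaration above the macro is now unused by it; if nothing else references it, drop the declaration, otherwise add a comment such as `/* still used by <caller> — not called from mesa_log any more */`. The macro body continues between the two hunks, outside what is shown.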


@@ -52,6 +52,6 @@
char* rt_strdup(const char* s);
#define CHECK_OR_EXIT(condition, fmt, ...) \
do { if(!(condition)) { mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, fmt, ##__VA_ARGS__); exit(EXIT_FAILURE); } } while(0) \
do { if(!(condition)) { mesa_runtime_log(RLOG_LV_FATAL, fmt, ##__VA_ARGS__); exit(EXIT_FAILURE); } } while(0) \
#endif
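Review bot: The rewritten `CHECK_OR_EXIT` keeps the trailing `\` after `while(0)`, which continues the definition onto the following line; the hunk header counts six lines but five are shown, so a blank line probably absorbs it today, but the continuation is dead and would splice `#endif` into the macro body if that blank line were ever removed. Drop it: `do { if(!(condition)) { mesa_runtime_log(RLOG_LV_FATAL, fmt, ##__VA_ARGS__); exit(EXIT_FAILURE); } } while(0)`.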