diff --git a/common/include/verify_policy.h b/common/include/verify_policy.h
index 5ff348d..618d9e6 100644
--- a/common/include/verify_policy.h
+++ b/common/include/verify_policy.h
@@ -49,9 +49,7 @@ enum tsg_obj_table
     TSG_OBJ_HTTP_RES_HDR,
     TSG_OBJ_HTTP_RES_BODY,
     TSG_OBJ_SSL_CN,
-    TSG_OBJ_SSL_CN_CAT,
     TSG_OBJ_SSL_SAN,
-    TSG_OBJ_SSL_SAN_CAT,
     TSG_OBJ_DOH_QNAME,
     TSG_OBJ_DNS_QNAME,
     TSG_OBJ_MAIL_ACCOUNT,
@@ -72,18 +70,7 @@ enum tsg_obj_table
     TSG_OBJ_TUNNEL,
     TSG_OBJ_FLAG,
     TSG_OBJ_GTP_IMEI,
-    TSG_OBJ_IP_SRC_ASN,
-    TSG_OBJ_IP_DST_ASN,
-    TSG_OBJ_IP_SRC_GEO_COUNTRY,
-    TSG_OBJ_IP_SRC_GEO_SUPER_ADMINISTRATIVE_AREA,
-    TSG_OBJ_IP_SRC_GEO_ADMINISTRATIVE_AREA,
-    TSG_OBJ_IP_SRC_GEO_SUB_ADMINISTRATIVE_AREA,
-    TSG_OBJ_IP_DST_GEO_COUNTRY,
-    TSG_OBJ_IP_DST_GEO_SUPER_ADMINISTRATIVE_AREA,
-    TSG_OBJ_IP_DST_GEO_ADMINISTRATIVE_AREA,
-    TSG_OBJ_IP_DST_GEO_SUB_ADMINISTRATIVE_AREA,
     TSG_OBJ_DST_SERVER_FQDN,
-    TSG_OBJ_DST_SERVER_FQDN_CAT,
     TSG_OBJ_INTERNAL_ADDR,
     TSG_OBJ_EXTERNAL_ADDR,
     TSG_OBJ_SOURCE_PORT,
@@ -95,8 +82,6 @@ enum tsg_obj_table
     TSG_OBJ_SSL_ESNI,
     TSG_OBJ_SSL_NO_SNI,
     TSG_OBJ_TUNNEL_LEVEL,
-    TSG_OBJ_INTERNAL_ASN,
-    TSG_OBJ_EXTERNAL_ASN,
     TSG_OBJ_TUNNEL_GTP_ENDPOINT,
     TSG_OBJ_TUNNEL_GRE_ENDPOINT,
     TSG_OBJ_TUNNEL_IP_IN_IP_ENDPOINT,
@@ -125,10 +110,11 @@ struct verify_policy
     struct verify_policy_thread *work_threads[VERIFY_ARRAY_MAX];
 };
-struct fqdn_category_id
+struct fqdn_category_entry
 {
-    int fqdn_cat_num;
-    long long int group_id[8];
+    int fqdn_entry_num;
+    long long entry_id[MAX_TAG_ID_NUM];
+    long long tag_id[MAX_TAG_ID_NUM];
 };
 #define MERGE_SCAN_NTH 128
@@ -147,8 +133,7 @@ struct request_query_obj
     int exclude_nth_scan[MERGE_SCAN_NTH];
     int merge_nth_scan[MERGE_SCAN_NTH];
     cJSON* attributes;
-    struct fqdn_category_id fqdn_user;
-    struct fqdn_category_id fqdn_builtin;
+    struct fqdn_category_entry fqdn_entry;
 };
 struct verify_policy_query
diff --git a/common/include/verify_policy_utils.h b/common/include/verify_policy_utils.h
index b6c1391..4d6966e 100644
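Review bot: `fqdn_category_entry` in the `@@ -125` hunk sizes its arrays with `MAX_TAG_ID_NUM`, but that macro is introduced in verify_policy_utils.h and nothing in this file's hunks shows verify_policy.h including that header, so the struct compiles only when a translation unit happens to include verify_policy_utils.h first; either add the include here or define the constant in this header. The readers added later in the patch loop `for (i = 0; i < fqdn_entry_num; i++)` and index both arrays with `i`, so `fqdn_entry_num` is trusted as an array bound and whoever fills the struct must clamp it; document that on the field: `/* valid entries in entry_id/tag_id; writers must never exceed MAX_TAG_ID_NUM */`. The struct also grows from 8 to 2x128 `long long` and is embedded by value in `request_query_obj`, which is worth checking against any stack-allocated instances.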
--- a/common/include/verify_policy_utils.h
+++ b/common/include/verify_policy_utils.h
@@ -8,6 +8,7 @@
 #define VERIFY_PATH_MAX 258
 #define VERIFY_STRING_MAX 2048
 #define VERIFY_ARRAY_MAX 512
+#define MAX_TAG_ID_NUM 128
 /** Alway treated the expr as true */
 #ifndef likely
diff --git a/platform/src/verify_matcher.cpp b/platform/src/verify_matcher.cpp
index f32bda3..6cc3461 100644
--- a/platform/src/verify_matcher.cpp
+++ b/platform/src/verify_matcher.cpp
@@ -20,6 +20,7 @@
 #include "verify_policy.h"
 #include "verify_policy_utils.h"
+#define MAX_EX_DATA_LEN 16
 #define HIT_PATH_SIZE 4096
 #define MAX_SCAN_RESULT 16
@@ -54,85 +55,40 @@ enum http_std_field
 enum verify_profile_table
 {
-    PROFILE_ASN_USER_DEFINED,
-    PROFILE_ASN_BUILT_IN,
-    PROFILE_LOCATION_USER_DEFINED,
-    PROFILE_LOCATION_BUILT_IN,
-    PROFILE_FQDN_CAT_USER_DEFINED,
-    PROFILE_FQDN_CAT_BUILT_IN,
     PROFILE_TUNNEL_CATALOG,
     PROFILE_TUNNEL_ENDPOINT,
     PROFILE_TUNNEL_LABEL,
     PROFILE_APP_DI_DICT,
     PROFILE_FQDN_ENTRY,
     PROFILE_IP_ADDR_ENTRY,
+    PROFILE_LIBRARY_TAG,
     PROFILE_TABLE_MAX,
 };
-struct ip_data_table
-{
-    int profile_id;
-    int asn_group_id;
-    int geoname_group_id;
-    int country_region_group_id;
-    int province_group_id;
-    int city_group_id;
-    int subdivision_group_id;
-    char *asn;
-    char *organization;
-    char *country_full;
-    char *province_full;
-    char *city_full;
-    char *subdivision_addr;
-    int ref_cnt;
-    pthread_mutex_t lock;
-};
-
 struct http_field_name
 {
     const char * field_name;
     enum http_std_field field_id;
 };
-enum nth_scan_type
-{
-    NTH_SCAN_IP_SRC_GEO_COUNTRY = 0,
-    NTH_SCAN_IP_SRC_GEO_SUPER_ADMINISTRATIVE_AREA,
-    NTH_SCAN_IP_SRC_GEO_ADMINISTRATIVE_AREA,
-    NTH_SCAN_IP_SRC_GEO_SUB_ADMINISTRATIVE_AREA,
-    NTH_SCAN_IP_DST_GEO_COUNTRY,
-    NTH_SCAN_IP_DST_GEO_SUPER_ADMINISTRATIVE_AREA,
-    NTH_SCAN_IP_DST_GEO_ADMINISTRATIVE_AREA,
-    NTH_SCAN_IP_DST_GEO_SUB_ADMINISTRATIVE_AREA,
-    NTH_SCAN_IP_DST_ASN,
-    NTH_SCAN_IP_SRC_ASN,
-    NTH_SCAN_IP_INTERNAL_ASN,
-    NTH_SCAN_IP_EXTERNAL_ASN,
-    NTH_SCAN_MAX
-};
-
 /** Nth_scan: Since there is no virtual table name in the request due to IP location and IP protocol,
  * the current hit path scan count needs to be recorded to correspond to the virtual table name */
-struct ip_data_ctx
+struct ip_entry_hit_path
 {
-    char *asn_client;
-    char *asn_server;
-    char *organization_client;
-    char *organization_server;
-    char *location_client;
-    char *location_server;
-    int Nth_scan[NTH_SCAN_MAX];
+    int entry_num;
+    int Nth_scan_num;
+    int category[MAX_TAG_ID_NUM];
+    int Nth_scan[MAX_TAG_ID_NUM];
+    long long entry_id[MAX_TAG_ID_NUM];
+    int tag_id[MAX_TAG_ID_NUM];
 };
-struct fqdn_category_ctx
+struct 
ip_data_ctx { - int ref_cnt; - unsigned int fqdn_cat_id; - int match_method; - char fqdn[VERIFY_ARRAY_MAX]; - - long long int group_id; - pthread_mutex_t lock; + struct ip_entry_hit_path source_entry; + struct ip_entry_hit_path internal_entry; + struct ip_entry_hit_path destination_entry; + struct ip_entry_hit_path external_entry; }; struct tunnel_data_ctx @@ -165,11 +121,46 @@ struct app_id_dict pthread_mutex_t lock; }; +enum statistics_option_type +{ + STATISTICS_OPTION_NONE=0, + STATISTICS_OPTION_BRIEF, + STATISTICS_OPTION_ELABORATE, + STATISTICS_OPTION_MAX +}; + +enum category_type +{ + CATEGORY_TYPE_UNKNOWN = 0, + CATEGORY_TYPE_GEOIP, + CATEGORY_TYPE_CONTRY_CODE, + CATEGORY_TYPE_ASN, + CATEGORY_TYPE_WEBSITE_CATEGORY, + CATEGORY_TYPE_INTERNET_SERVICE, + CATEGORY_TYPE_IOC, + CATEGORY_TYPE_RISK, + CATEGORY_TYPE_MAX +}; + struct library_entry_ctx { int ref_cnt; int entry_id; + int n_tag_ids; + long long tag_id_array[MAX_TAG_ID_NUM]; char *tag_ids; + + pthread_mutex_t lock; +}; + +struct library_tag_ctx +{ + int ref_cnt; + int tag_id; + char tag_key[VERIFY_SYMBOL_MAX]; + char tag_value[VERIFY_ARRAY_MAX]; + enum category_type category; + enum statistics_option_type option_type; pthread_mutex_t lock; }; @@ -192,9 +183,9 @@ struct policy_scan_ctx int tunnel_endpoint_x; int bool_id_array_idx; unsigned long long bool_id_array[256]; - + struct ip_data_ctx ip_ctx; - + /*exception handling*/ int tunnel_scan; long long tunnel_result[2]; 
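Review bot: `ip_entry_hit_path.tag_id` is declared `int[MAX_TAG_ID_NUM]` while `fqdn_category_entry.tag_id` (verify_policy.h, same patch) and `library_entry_ctx.tag_id_array` are `long long`, so any copy from a library entry into the hit path narrows silently; pick one width, most likely `long long tag_id[MAX_TAG_ID_NUM];`, unless tag ids are known to fit an `int`, in which case the other two should shrink instead. The four by-value `ip_entry_hit_path` members make `ip_data_ctx` roughly 10 KB of fixed arrays per scan context, which is fine for heap contexts but worth noting on the struct. A one-line comment stating which counter bounds which array would help too, since `get_attributes_table_name` later iterates `Nth_scan_num` over `Nth_scan[]` while the JSON emitters iterate `entry_num` over `entry_id[]`/`tag_id[]`: `/* entry_num bounds entry_id/tag_id/category; Nth_scan_num bounds Nth_scan */`.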
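Review bot: `CATEGORY_TYPE_CONTRY_CODE` is misspelled (`COUNTRY`), and since this enum is mapped positionally onto the string table `{"unknown", "geoip", "country_code", …}` in `get_category_type_str2idx` later in the patch, nothing ties the two orderings together; add `static_assert(sizeof(category_name)/sizeof(category_name[0]) == CATEGORY_TYPE_MAX, "...")` where the table lives (same for `STATISTICS_OPTION_MAX`) and note the coupling here: `/* order must match category_name[] in get_category_type_str2idx() */`. `library_tag_ctx.tag_key`/`tag_value` are fixed `VERIFY_SYMBOL_MAX`/`VERIFY_ARRAY_MAX` buffers that `library_tag_new_cb` fills with `sscanf("%s")`, so the size contract should be stated on the fields so the parser's width limits can be kept in sync.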
@@ -263,20 +254,6 @@ void policy_scan_ctx_free(void * pme) maat_state_free(ctx->tunnel_scan_mid); ctx->tunnel_scan_mid = NULL; } - - struct ip_data_ctx *ip_ctx = &ctx->ip_ctx; - if(ip_ctx->asn_client) - FREE(&ip_ctx->asn_client); - if(ip_ctx->asn_server) - FREE(&ip_ctx->asn_server); - if(ip_ctx->organization_client) - FREE(&ip_ctx->organization_client); - if(ip_ctx->organization_server) - FREE(&ip_ctx->organization_server); - if(ip_ctx->location_client) - FREE(&ip_ctx->location_client); - if(ip_ctx->location_server) - FREE(&ip_ctx->location_server); FREE(&ctx); } @@ -302,6 +279,7 @@ static inline int action_cmp(enum policy_action a1, enum policy_action a2) return policy_action_weight[a1] - policy_action_weight[a2]; } +#ifdef INCLUDE_UNUSED_FUNCTIONS static char* verify_unescape(char* s) { int i=0,j=0; 
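Review bot: Wrapping `verify_unescape` in `#ifdef INCLUDE_UNUSED_FUNCTIONS` keeps dead code in the tree behind a macro nothing in the patch defines, so it is never compiled or tested and will rot; git history already preserves it, so delete the function (and the matching `#endif` in the next hunk) outright. If a future caller is planned, say so instead of hiding it: `/* TODO: unused since the ASN/location tables were removed; delete or re-enable with a caller */`. The function body continues past this hunk.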
@@ -338,125 +316,7 @@ static char* verify_unescape(char* s) s[j]='\0'; return s; } - -void ip_asn_table_new_cb(const char *table_name, int table_id, const char* key, const char* table_line, void **ad, long argl, void* argp) -{ - int addr_type, group_id=0; - int ret=0,profile_id=0,is_valid=0; - char addr_format[40]={0}; - char start_ip[40], end_ip[40],asn[40]={0}; - char organization[VERIFY_ARRAY_MAX]; - - ret=sscanf(table_line, "%d\t%d\t%d\t%s\t%s\t%s\t%s\t%s\t%d", &profile_id, &group_id, &addr_type, addr_format, start_ip, end_ip, asn, organization, &is_valid); - if(ret!=9) - { - log_fatal(g_verify_proxy->logger, MODULE_VERIFY_MATCHER, "Policy table parse ip ASN failed, ret:%d, %s", ret, table_line); - return; - } - verify_unescape(organization); - - struct ip_data_table* ip_asn=ALLOC(struct ip_data_table, 1); - memset(ip_asn, 0, sizeof(struct ip_data_table)); - ip_asn->profile_id=profile_id; - ip_asn->asn=strdup(asn); - ip_asn->organization=strdup(organization); - ip_asn->asn_group_id=group_id; - ip_asn->ref_cnt=1; - pthread_mutex_init(&(ip_asn->lock), NULL); - - log_debug(g_verify_proxy->logger, MODULE_VERIFY_MATCHER, "Policy table add success %d", profile_id); - *ad = ip_asn; -} - -void ip_location_table_new_cb(const char *table_name, int table_id, const char* key, const char* table_line, void **ad, long argl, void* argp) -{ - int ret=0,profile_id=0,is_valid=0; - int geoname_id=0, addr_type=0; - char addr_format[VERIFY_PATH_MAX]; - int country_region_group_id=0; - int province_group_id=0,city_group_id=0,subdivision_group_id=0; - double latitude, longitude, coords; - char language[40], start_ip[40], end_ip[40]; - char continent_abbr[VERIFY_ARRAY_MAX],continent_full[VERIFY_ARRAY_MAX]; - char country_abbr[VERIFY_ARRAY_MAX],province_abbr[VERIFY_ARRAY_MAX], time_zone[VERIFY_ARRAY_MAX]; - char country_full[VERIFY_ARRAY_MAX],province_full[VERIFY_ARRAY_MAX], city_full[VERIFY_ARRAY_MAX]; - char subdivision_addr[VERIFY_STRING_MAX]; - - ret=sscanf(table_line, 
"%d\t%d\t%d\t%d\t%d\t%d\t%d\t %s\t%s\t%s\t%lf\t%lf\t%lf\t%s\t %s\t%s\t%s\t%s\t%s\t%s \t%s\t%s\t%s\t%d", &profile_id,&geoname_id, - &country_region_group_id,&province_group_id,&city_group_id,&subdivision_group_id,&addr_type,addr_format,start_ip,end_ip,&latitude,&longitude,&coords,language, - continent_abbr,continent_full,country_abbr,country_full,province_abbr,province_full,city_full,subdivision_addr,time_zone,&is_valid); - - if(ret != 24) - { - log_fatal(g_verify_proxy->logger, MODULE_VERIFY_MATCHER, "Policy table parse ip location failed, ret:%d, %s", ret, table_line); - return; - } - - verify_unescape(continent_full); - verify_unescape(country_full); - verify_unescape(province_full); - verify_unescape(city_full); - verify_unescape(subdivision_addr); - - struct ip_data_table* ip_location=ALLOC(struct ip_data_table, 1); - memset(ip_location, 0, sizeof(struct ip_data_table)); - ip_location->profile_id=profile_id; - ip_location->country_region_group_id=country_region_group_id; - ip_location->province_group_id=province_group_id; - ip_location->city_group_id=city_group_id; - ip_location->subdivision_group_id=subdivision_group_id; - ip_location->country_full=strdup(country_full); - ip_location->province_full=strdup(province_full); - ip_location->city_full=strdup(city_full); - ip_location->subdivision_addr=strdup(subdivision_addr); - ip_location->ref_cnt=1; - pthread_mutex_init(&(ip_location->lock), NULL); - log_debug(g_verify_proxy->logger, MODULE_VERIFY_MATCHER, "Policy table add success %d", profile_id); - *ad = ip_location; -} - -void ip_table_dup_cb(int table_id, void **to, void **from, long argl, void* argp) -{ - struct ip_data_table* ip_asn=(struct ip_data_table*)(*from); - pthread_mutex_lock(&(ip_asn->lock)); - ip_asn->ref_cnt++; - pthread_mutex_unlock(&(ip_asn->lock)); - *to=ip_asn; -} - -void ip_table_free_cb(int table_id, void **ad, long argl, void* argp) -{ - if(*ad==NULL) - { - return; - } - struct ip_data_table* ip_asn=(struct ip_data_table*)(*ad); - 
pthread_mutex_lock(&(ip_asn->lock)); - ip_asn->ref_cnt--; - if(ip_asn->ref_cnt>0) - { - pthread_mutex_unlock(&(ip_asn->lock)); - return; - } - pthread_mutex_unlock(&(ip_asn->lock)); - pthread_mutex_destroy(&(ip_asn->lock)); - - if(ip_asn->asn) FREE(&ip_asn->asn); - if(ip_asn->organization) FREE(&ip_asn->organization); - if(ip_asn->country_full) FREE(&ip_asn->country_full); - if(ip_asn->province_full) FREE(&ip_asn->province_full); - if(ip_asn->city_full) FREE(&ip_asn->city_full); - if(ip_asn->subdivision_addr) FREE(&ip_asn->subdivision_addr); - - FREE(&ip_asn); - *ad=NULL; - return; -} - -void ip_table_free(struct ip_data_table* ip_asn) -{ - ip_table_free_cb(0, (void **)&ip_asn, 0, NULL); -} +#endif void tunnel_catalog_table_new_cb(const char *table_name, int table_id, const char* key, const char* table_line, void **ad, long argl, void* argp) { @@ -532,18 +392,13 @@ void tunnel_label_table_new_cb(const char *table_name, int table_id, const char* *ad = tunnel; } -const char *table_name_map[] = {"TSG_OBJ_IP_ASN_USER_DEFINED", - "TSG_OBJ_IP_ASN_BUILT_IN", - "TSG_IP_LOCATION_USER_DEFINED", - "TSG_IP_LOCATION_BUILT_IN", - "TSG_FQDN_CATEGORY_USER_DEFINED", - "TSG_FQDN_CATEGORY_BUILT_IN", - "TSG_TUNNEL_CATALOG", +const char *table_name_map[] = {"TSG_TUNNEL_CATALOG", "TSG_TUNNEL_ENDPOINT", "TSG_TUNNEL_LABEL", "APP_ID_DICT", "FQDN_ENTRY", - "IP_ADDR_ENTRY"}; + "IP_ADDR_ENTRY", + "LIBRARY_TAG"}; int maat_tunnel_table_init(int profile_idx,int vsys_id, maat_ex_free_func_t* free_func, 
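Review bot: `table_name_map[]` is indexed by `enum verify_profile_table` (`table_name_map[profile_idx]`), so the new `"LIBRARY_TAG"` entry must sit at the position of `PROFILE_LIBRARY_TAG` and nothing enforces that; the next reordering of either side silently registers a table under the wrong name. Add a compile-time check next to the array, `static_assert(sizeof(table_name_map)/sizeof(table_name_map[0]) == PROFILE_TABLE_MAX, "table_name_map out of sync with verify_profile_table");`, or use designated initializers (`[PROFILE_LIBRARY_TAG] = "LIBRARY_TAG"`) as the `new_func[]` arrays in this file already do. The enum itself is changed in an earlier hunk.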
@@ -552,12 +407,6 @@ int maat_tunnel_table_init(int profile_idx,int vsys_id,
     int table_id=0;
     maat_ex_new_func_t *new_func[] = {
-        [PROFILE_ASN_USER_DEFINED] = NULL,
-        [PROFILE_ASN_BUILT_IN] = NULL,
-        [PROFILE_LOCATION_USER_DEFINED] = NULL,
-        [PROFILE_LOCATION_BUILT_IN] = NULL,
-        [PROFILE_FQDN_CAT_USER_DEFINED] = NULL,
-        [PROFILE_FQDN_CAT_BUILT_IN] = NULL,
         [PROFILE_TUNNEL_CATALOG] = tunnel_catalog_table_new_cb,
         [PROFILE_TUNNEL_ENDPOINT] = tunnel_endpoint_table_new_cb,
         [PROFILE_TUNNEL_LABEL] = tunnel_label_table_new_cb
@@ -655,7 +504,7 @@ void app_dict_table_new_cb(const char *table_name, int table_id, const char* key
         app_dict->app_id=atoi(app_id_str);
         FREE(&app_id_str);
     }
-    
+
     ret = maat_helper_read_column(table_line, 18, &offset, &len);
     if(ret >= 0)
     {
@@ -710,7 +559,28 @@ void app_dict_table_dup_cb(int table_id, void **to, void **from, long argl, void
     return;
 }
-void library_search_new_cb(const char *table_name, int table_id, const char* key, const char* table_line, void **ad, long argl, void* argp)
+int get_tag_id_array(char *tag_ids, long long *tag_id_array)
+{
+    if(tag_ids==NULL)
+    {
+        return 0;
+    }
+
+    int n_tag_ids=0;
+    char *tag_ids_tmp = ALLOC(char, strlen(tag_ids)+1);
+    strncpy(tag_ids_tmp, tag_ids, strlen(tag_ids));
+
+    char *tag_ids_str=strtok(tag_ids_tmp, ",");
+    while(tag_ids_str!=NULL && n_tag_ids < MAX_TAG_ID_NUM)
+    {
+        tag_id_array[n_tag_ids++]=strtoll(tag_ids_str, NULL, 10);
+        tag_ids_str=strtok(NULL, ",");
+    }
+    FREE(&tag_ids_tmp);
+    return n_tag_ids;
+}
+
+void library_entry_new_cb(const char *table_name, int table_id, const char* key, const char* table_line, void **ad, long argl, void* argp)
 {
     int ret=0;
     size_t offset=0, len=0;
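Review bot: `strncpy(tag_ids_tmp, tag_ids, strlen(tag_ids))` in `get_tag_id_array` copies exactly `strlen` bytes and therefore never writes the terminator, so unless `ALLOC` zero-fills (the removed callbacks `memset` right after `ALLOC`, which suggests it does not) `strtok` reads past the end of the buffer; copy the terminator as well, `memcpy(tag_ids_tmp, tag_ids, strlen(tag_ids) + 1);`. `strtok` keeps static state and this runs from a table-load callback in a process that already guards shared objects with mutexes, so use `strtok_r` with a local `char *save = NULL;` instead. `strtoll(…, NULL, 10)` also accepts garbage as `0`, so passing an end pointer and skipping tokens that do not fully parse would keep junk tag ids out of `tag_id_array`, and tokens beyond `MAX_TAG_ID_NUM` are dropped silently where a `log_warn` would make truncated library lines visible.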
@@ -732,6 +602,7 @@ void library_search_new_cb(const char *table_name, int table_id, const char* key entry_ctx->tag_ids=ALLOC(char, len+1); memcpy(entry_ctx->tag_ids, table_line+offset, len); } + entry_ctx->n_tag_ids = get_tag_id_array(entry_ctx->tag_ids, entry_ctx->tag_id_array); entry_ctx->ref_cnt=1; pthread_mutex_init(&(entry_ctx->lock), NULL); @@ -739,7 +610,7 @@ void library_search_new_cb(const char *table_name, int table_id, const char* key return; } -void library_search_free_cb(int table_id, void **ad, long argl, void* argp) +void library_entry_free_cb(int table_id, void **ad, long argl, void* argp) { if(*ad==NULL) { @@ -766,12 +637,12 @@ void library_search_free_cb(int table_id, void **ad, long argl, void* argp) return; } -void library_search_free(struct library_entry_ctx *entry_ctx) +void library_entry_free(struct library_entry_ctx *entry_ctx) { - library_search_free_cb(0, (void **)&entry_ctx, 0, NULL); + library_entry_free_cb(0, (void **)&entry_ctx, 0, NULL); } -void library_search_dup_cb(int table_id, void **to, void **from, long argl, void* argp) +void library_entry_dup_cb(int table_id, void **to, void **from, long argl, void* argp) { struct library_entry_ctx *entry_ctx=(struct library_entry_ctx *)(*from); pthread_mutex_lock(&(entry_ctx->lock)); 
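Review bot: The new `get_tag_id_array(entry_ctx->tag_ids, …)` call runs `strlen`/`strtok` over `tag_ids`, but the retained context above fills it with `memcpy(entry_ctx->tag_ids, table_line+offset, len)` into an `ALLOC(char, len+1)` buffer, so the string is only terminated if `ALLOC` zero-fills; add `entry_ctx->tag_ids[len] = '\0';` after the memcpy so the new parser (and the existing `cJSON_AddStringToObject` use) never depends on allocator behaviour. `n_tag_ids` is also left at 0 when `tag_ids` is NULL, which is fine, but a comment on the field saying `tag_id_array` is the parsed form of `tag_ids` (and may be truncated to `MAX_TAG_ID_NUM`) would help readers of `library_entry_ctx`. `library_entry_new_cb` starts before this hunk.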
@@ -780,88 +651,91 @@ void library_search_dup_cb(int table_id, void **to, void **from, long argl, void *to=entry_ctx; } -int maat_ip_table_init(int profile_idx,int vsys_id, - maat_ex_free_func_t* free_func, - maat_ex_dup_func_t* dup_func) +int get_statistics_option_type_str2idx(const char *statistics_option_type) { - int table_id=0; - - maat_ex_new_func_t *new_func[] = { - [PROFILE_ASN_USER_DEFINED] = ip_asn_table_new_cb, - [PROFILE_ASN_BUILT_IN] = ip_asn_table_new_cb, - [PROFILE_LOCATION_USER_DEFINED] = ip_location_table_new_cb, - [PROFILE_LOCATION_BUILT_IN] = ip_location_table_new_cb, - }; - - const char *table_name = table_name_map[profile_idx]; - table_id=g_policy_rt->profile_table_id[profile_idx]=maat_get_table_id(g_policy_rt->feather[vsys_id], table_name); - if(table_id >= 0) + size_t i = 0; + const char *statistics_option_name[] = {"none", "brief", "elaborate"}; + for (i = 0; i < sizeof(statistics_option_name) / sizeof(const char *); i++) { - table_id=maat_plugin_table_ex_schema_register(g_policy_rt->feather[vsys_id], table_name, new_func[profile_idx], free_func, dup_func, - 0, NULL); - return 0; + if (0 == strcasecmp(statistics_option_type, statistics_option_name[i])) + break; } - log_fatal(g_verify_proxy->logger, MODULE_VERIFY_MATCHER, "Register table %s failed.", table_name); - return -1; + return i; } -void fqdn_cat_dup_data(int table_id, void **to, void **from, long argl, void* argp) +int get_category_type_str2idx(const char *category) { - struct fqdn_category_ctx *fqdn_cat=(struct fqdn_category_ctx *)(*from); - pthread_mutex_lock(&(fqdn_cat->lock)); - fqdn_cat->ref_cnt++; - pthread_mutex_unlock(&(fqdn_cat->lock)); - *to=fqdn_cat; - - return; + size_t i = 0; + const char *category_name[] = {"unknown", "geoip", "country_code", "asn", "website_category", "internet_service", "ioc", "compliance_risk"}; + for (i = 0; i < sizeof(category_name) / sizeof(const char *); i++) + { + if (0 == strcasecmp(category, category_name[i])) + break; + } + return i; } -void 
fqdn_cat_new_data(const char *table_name, int table_id, const char* key, const char* table_line, void **ad, long argl, void* argp) +void library_tag_new_cb(const char *table_name, int table_id, const char* key, const char* table_line, void **ad, long argl, void* argp) { - int ret=0,id=0,is_valid=0; + int ret=0,is_valid=0; + char statistics_option[VERIFY_ARRAY_MAX]={0}; + char category[VERIFY_ARRAY_MAX]={0}; - struct fqdn_category_ctx *fqdn_cat = ALLOC(struct fqdn_category_ctx, 1); + struct library_tag_ctx *tag_ctx = ALLOC(struct library_tag_ctx, 1); - ret=sscanf(table_line, "%d\t%u\t%s\t%d\t%llu\t%d",&id, &fqdn_cat->fqdn_cat_id, fqdn_cat->fqdn, &fqdn_cat->match_method, &fqdn_cat->group_id, &is_valid); + ret=sscanf(table_line, "%d\t%s\t%s\t%s\t%s\t%d",&tag_ctx->tag_id, statistics_option, category, tag_ctx->tag_key, tag_ctx->tag_value, &is_valid); if(ret!=6) { - FREE(&fqdn_cat); - log_fatal(g_verify_proxy->logger, MODULE_VERIFY_MATCHER, "Parse fqdn category failed, ret: %d table_id: %d table_line: %s", ret, table_id, table_line); + FREE(&tag_ctx); + log_fatal(g_verify_proxy->logger, MODULE_VERIFY_MATCHER, "Parse library tag failed, ret: %d table_id: %d table_line: %s", ret, table_id, table_line); return; } - fqdn_cat->ref_cnt=1; - pthread_mutex_init(&(fqdn_cat->lock), NULL); + tag_ctx->ref_cnt=1; + tag_ctx->option_type=(enum statistics_option_type)get_statistics_option_type_str2idx(statistics_option); + tag_ctx->category=(enum category_type)get_category_type_str2idx(category); + pthread_mutex_init(&(tag_ctx->lock), NULL); - *ad=fqdn_cat; + *ad=tag_ctx; return; } -void fqdn_cat_free_data(int table_id, void **ad, long argl, void* argp) +void library_tag_free_cb(int table_id, void **ad, long argl, void* argp) { if(*ad==NULL) { return; } - struct fqdn_category_ctx *fqdn_cat=(struct fqdn_category_ctx *)(*ad); - pthread_mutex_lock(&(fqdn_cat->lock)); - fqdn_cat->ref_cnt--; - if(fqdn_cat->ref_cnt>0) + struct library_tag_ctx *tag_ctx=(struct library_tag_ctx *)(*ad); + 
pthread_mutex_lock(&(tag_ctx->lock)); + tag_ctx->ref_cnt--; + if(tag_ctx->ref_cnt>0) { - pthread_mutex_unlock(&(fqdn_cat->lock)); + pthread_mutex_unlock(&(tag_ctx->lock)); return; } - pthread_mutex_unlock(&(fqdn_cat->lock)); - pthread_mutex_destroy(&(fqdn_cat->lock)); + pthread_mutex_unlock(&(tag_ctx->lock)); + pthread_mutex_destroy(&(tag_ctx->lock)); - FREE(&fqdn_cat); + FREE(&tag_ctx); *ad=NULL; return; } -void fqdn_cat_table_free(struct fqdn_category_ctx *fqdn_cat) +void library_tag_dup_cb(int table_id, void **to, void **from, long argl, void* argp) { - fqdn_cat_free_data(0, (void **)&fqdn_cat, 0, NULL); + struct library_tag_ctx *tag_ctx=(struct library_tag_ctx *)(*from); + pthread_mutex_lock(&(tag_ctx->lock)); + tag_ctx->ref_cnt++; + pthread_mutex_unlock(&(tag_ctx->lock)); + *to=tag_ctx; + + return; +} + +void library_tag_free(struct library_tag_ctx *tag_ctx) +{ + library_tag_free_cb(0, (void **)&tag_ctx, 0, NULL); } void compile_table_new_cb(const char *table_name, int table_id, const char* key, const char* table_line, void **ad, long argl, void* argp) 
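Review bot: In `library_tag_new_cb`, `sscanf(table_line, "%d\t%s\t%s\t%s\t%s\t%d", …)` writes unbounded `%s` tokens into the fixed buffers `statistics_option[VERIFY_ARRAY_MAX]`, `category[VERIFY_ARRAY_MAX]`, `tag_ctx->tag_key[VERIFY_SYMBOL_MAX]` and `tag_ctx->tag_value[VERIFY_ARRAY_MAX]`, so one over-long field in a library table line overflows the stack and the freshly allocated heap object; give every `%s` a width one less than its buffer (`%511s` for `VERIFY_ARRAY_MAX`, the matching value for `VERIFY_SYMBOL_MAX`) or parse with `maat_helper_read_column` as `app_dict_table_new_cb` already does. `%s` also stops at any whitespace rather than at the tab, so a `tag_value` containing a space shifts the remaining fields and trips the `ret!=6` check. Separately, `get_statistics_option_type_str2idx`/`get_category_type_str2idx` return the table length on no match, which the casts turn into `STATISTICS_OPTION_MAX`/`CATEGORY_TYPE_MAX`; either reject the line then or document on both enums that the `_MAX` value means "unrecognised" so later switches handle it.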
@@ -1058,89 +932,85 @@ static inline int request_in_fqdn_cat(int table_id) } } -void http_get_fqdn_cat_id(struct request_query_obj *query_obj, cJSON *attributeObj) +void http_add_ip_entry_to_hit_paths(cJSON *hitPaths, cJSON *attributeObj, struct ip_data_ctx *ip_ctx) { int i=0; - cJSON *sniCategory=NULL; + cJSON *histObj=NULL; + cJSON *item=NULL; + char *attri_name=NULL; - if(!request_in_fqdn_cat(query_obj->table_id)) - { - return; - } - - sniCategory=cJSON_CreateArray(); - if(query_obj->table_id == TSG_OBJ_DST_SERVER_FQDN) - { - cJSON_AddItemToObject(attributeObj, "serverCategory", sniCategory); - } - else - { - cJSON_AddItemToObject(attributeObj, "sniCategory", sniCategory); - } - - cJSON *fqdnObj=NULL; - for(i=0; ifqdn_user.fqdn_cat_num; i++) - { - fqdnObj=cJSON_CreateObject(); - cJSON_AddItemToArray(sniCategory, fqdnObj); - cJSON_AddNumberToObject(fqdnObj, "objectId", query_obj->fqdn_user.group_id[i]); - } - - for(i=0; ifqdn_builtin.fqdn_cat_num; i++) - { - fqdnObj=cJSON_CreateObject(); - cJSON_AddItemToArray(sniCategory, fqdnObj); - cJSON_AddNumberToObject(fqdnObj, "objectId", query_obj->fqdn_builtin.group_id[i]); - } -} - -void http_get_location_status(cJSON *attributes, cJSON *attributeObj, struct ip_data_ctx *ip_ctx ) -{ - int i=0; - cJSON* item=NULL; char *attri_name=NULL; - cJSON* ipAsn=NULL; - - item = cJSON_GetObjectItem(attributeObj, "attributeType"); + item = cJSON_GetObjectItem(attributeObj, "attribute_type"); if(item == NULL || item->type!=cJSON_String || strcasecmp(item->valuestring, "ip") != 0) { return; } - item = cJSON_GetObjectItem(attributeObj, "attributeName"); + item = cJSON_GetObjectItem(attributeObj, "attribute_name"); if(item && item->type==cJSON_String) { attri_name = item->valuestring; - if((strcasecmp(attri_name, "source") == 0) || (strcasecmp(attri_name, "internal") == 0)) + if(strcasecmp(attri_name, "source") == 0) { - cJSON_AddStringToObject(attributeObj, "ipGeoLocation",ip_ctx->location_client); - ipAsn=cJSON_CreateArray(); - 
cJSON_AddItemToObject(attributeObj, "ipAsn", ipAsn); - cJSON *ipAsnObj=NULL; - for(i=0; i< 1; i++) + for(i=0; i < ip_ctx->source_entry.entry_num; i++) { - ipAsnObj=cJSON_CreateObject(); - cJSON_AddItemToArray(ipAsn, ipAsnObj); - cJSON_AddStringToObject(ipAsnObj, "asn", ip_ctx->asn_client); - cJSON_AddStringToObject(ipAsnObj, "organization", ip_ctx->organization_client); + histObj=cJSON_CreateObject(); + cJSON_AddItemToArray(hitPaths, histObj); + cJSON_AddNumberToObject(histObj, "entry_id", ip_ctx->source_entry.entry_id[i]); + cJSON_AddNumberToObject(histObj, "tag_id", ip_ctx->source_entry.tag_id[i]); } } - if((strcasecmp(attri_name, "destination") == 0) || (strcasecmp(attri_name, "external") == 0)) + if(strcasecmp(attri_name, "internal") == 0) { - cJSON_AddStringToObject(attributeObj, "ipGeoLocation",ip_ctx->location_server); - ipAsn=cJSON_CreateArray(); - cJSON_AddItemToObject(attributeObj, "ipAsn", ipAsn); - cJSON *ipAsnObj=NULL; - for(i=0; i< 1; i++) + for(i=0; i < ip_ctx->internal_entry.entry_num; i++) { - ipAsnObj=cJSON_CreateObject(); - cJSON_AddItemToArray(ipAsn, ipAsnObj); - cJSON_AddStringToObject(ipAsnObj, "asn", ip_ctx->asn_server); - cJSON_AddStringToObject(ipAsnObj, "organization", ip_ctx->organization_server); + histObj=cJSON_CreateObject(); + cJSON_AddItemToArray(hitPaths, histObj); + cJSON_AddNumberToObject(histObj, "entry_id", ip_ctx->internal_entry.entry_id[i]); + cJSON_AddNumberToObject(histObj, "tag_id", ip_ctx->internal_entry.tag_id[i]); + } + } + if(strcasecmp(attri_name, "destination") == 0) + { + for(i=0; i < ip_ctx->destination_entry.entry_num; i++) + { + histObj=cJSON_CreateObject(); + cJSON_AddItemToArray(hitPaths, histObj); + cJSON_AddNumberToObject(histObj, "entry_id", ip_ctx->destination_entry.entry_id[i]); + cJSON_AddNumberToObject(histObj, "tag_id", ip_ctx->destination_entry.tag_id[i]); + } + } + if(strcasecmp(attri_name, "external") == 0) + { + for(i=0; i < ip_ctx->external_entry.entry_num; i++) + { + histObj=cJSON_CreateObject(); + 
cJSON_AddItemToArray(hitPaths, histObj); + cJSON_AddNumberToObject(histObj, "entry_id", ip_ctx->external_entry.entry_id[i]); + cJSON_AddNumberToObject(histObj, "tag_id", ip_ctx->external_entry.tag_id[i]); } } } return; } +void http_add_fqdn_entry_to_hit_paths(cJSON *hitPaths, int table_id, struct fqdn_category_entry *fqdn_entry) +{ + int i=0; + cJSON *histObj=NULL; + + if(!request_in_fqdn_cat(table_id)) + { + return; + } + + for(i=0; ifqdn_entry_num; i++) + { + histObj=cJSON_CreateObject(); + cJSON_AddItemToArray(hitPaths, histObj); + cJSON_AddNumberToObject(histObj, "entry_id", fqdn_entry->entry_id[i]); + cJSON_AddNumberToObject(histObj, "tag_id",fqdn_entry->tag_id[i]); + } +} + /*In the case of multiple hits, the hit path is append behavior to obtain the last hit path force***/ int http_hit_policy_match(int result_config[], int cnt, int config) { @@ -1195,10 +1065,10 @@ void http_get_scan_status(struct request_query_obj *query_obj, int compile_table /*temp repair**/ if (ctx->tunnel_scan ==2 && ctx->tunnel_result[0] == 1 && ctx->tunnel_result[1] == 0) { - item = cJSON_GetObjectItem(attributeObj, "attributeName"); + item = cJSON_GetObjectItem(attributeObj, "attribute_name"); if(item && item->type==cJSON_String) { - if(0 == strcasecmp(item->valuestring, "tunnel_endpointb")) + if(0 == strcasecmp(item->valuestring, "tunnel_endpointa")) { cJSON_Delete(attributeObj); return; @@ -1207,7 +1077,7 @@ void http_get_scan_status(struct request_query_obj *query_obj, int compile_table } else { - item = cJSON_GetObjectItem(attributeObj, "attributeName"); + item = cJSON_GetObjectItem(attributeObj, "attribute_name"); if(item && item->type==cJSON_String) { if(0 == strcasecmp(item->valuestring, "tunnel_endpointa")) 
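Review bot: `http_add_ip_entry_to_hit_paths` appears to declare `char *attri_name=NULL;` twice in the same scope, once among the added lines and once in the retained context line that follows the removed `cJSON* item=NULL;`, which is a redeclaration error unless the collapsed rendering is hiding a line break; drop the second one. The four `source`/`internal`/`destination`/`external` branches are identical except for the `ip_entry_hit_path` member they read, so a small static helper would remove the copy-paste and put the `entry_num` bound in one place, where it can also be clamped to `MAX_TAG_ID_NUM` since the struct's count is trusted as an index.
```cpp
/* Append each hit of one ip_entry_hit_path to hitPaths as {entry_id, tag_id}. */
static void add_entry_hit_paths(cJSON *hitPaths, const struct ip_entry_hit_path *entry)
{
    for (int i = 0; i < entry->entry_num && i < MAX_TAG_ID_NUM; i++)
    {
        cJSON *histObj = cJSON_CreateObject();
        cJSON_AddItemToArray(hitPaths, histObj);
        cJSON_AddNumberToObject(histObj, "entry_id", entry->entry_id[i]);
        cJSON_AddNumberToObject(histObj, "tag_id", entry->tag_id[i]);
    }
}

void http_add_ip_entry_to_hit_paths(cJSON *hitPaths, cJSON *attributeObj, struct ip_data_ctx *ip_ctx)
{
    /* … unchanged: attribute_type / attribute_name lookup … */
    if (strcasecmp(attri_name, "source") == 0)
        add_entry_hit_paths(hitPaths, &ip_ctx->source_entry);
    else if (strcasecmp(attri_name, "internal") == 0)
        add_entry_hit_paths(hitPaths, &ip_ctx->internal_entry);
    else if (strcasecmp(attri_name, "destination") == 0)
        add_entry_hit_paths(hitPaths, &ip_ctx->destination_entry);
    else if (strcasecmp(attri_name, "external") == 0)
        add_entry_hit_paths(hitPaths, &ip_ctx->external_entry);
}
```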
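Review bot: The `/*temp repair**/` branch now compares against `"tunnel_endpointa"`, the same string the `else` branch directly below already checks, so both paths delete the same attribute; the removed line compared `"tunnel_endpointb"` and nothing in the hunk explains the flip. If the `tunnel_result[0] == 1 && tunnel_result[1] == 0` case is meant to drop endpoint B, this is a regression; if A is right, the two branches collapse into a single `strcasecmp` and the "temp repair" comment should state the condition it works around so it can eventually be removed. `http_get_scan_status` starts and ends outside this hunk.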
@@ -1221,14 +1091,17 @@ void http_get_scan_status(struct request_query_obj *query_obj, int compile_table if(compile_table_id == TSG_TABLE_SECURITY && query_obj->table_id == TSG_OBJ_TUNNEL) { - cJSON_DeleteItemFromObject(attributeObj, "attributeName"); - cJSON_AddStringToObject(attributeObj, "attributeName", "tunnel_endpoint_object"); - cJSON_DeleteItemFromObject(attributeObj, "attributeValue"); + cJSON_DeleteItemFromObject(attributeObj, "attribute_name"); + cJSON_AddStringToObject(attributeObj, "attribute_name", "tunnel_endpoint_object"); + cJSON_DeleteItemFromObject(attributeObj, "atrribute_value"); } cJSON_AddItemToArray(attributes, attributeObj); hitPaths=cJSON_CreateArray(); - cJSON_AddItemToObject(attributeObj, "hitPaths", hitPaths); + cJSON_AddItemToObject(attributeObj, "hit_paths", hitPaths); + + http_add_ip_entry_to_hit_paths(hitPaths, attributeObj, &ctx->ip_ctx); + http_add_fqdn_entry_to_hit_paths(hitPaths, query_obj->table_id, &query_obj->fqdn_entry); cJSON *histObj=NULL; for(i=0; i< ctx->n_read; i++) @@ -1255,19 +1128,16 @@ void http_get_scan_status(struct request_query_obj *query_obj, int compile_table } histObj=cJSON_CreateObject(); cJSON_AddItemToArray(hitPaths, histObj); - cJSON_AddNumberToObject(histObj, "itemId", ctx->hit_path[i].item_id); - cJSON_AddNumberToObject(histObj, "objectId", ctx->hit_path[i].sub_group_id); + cJSON_AddNumberToObject(histObj, "itemt_id", ctx->hit_path[i].item_id); if (ctx->hit_path[i].top_group_id < 0) { ctx->hit_path[i].top_group_id = ctx->hit_path[i].sub_group_id; } - cJSON_AddNumberToObject(histObj, "superiorObjectId", ctx->hit_path[i].top_group_id); + cJSON_AddNumberToObject(histObj, "superior_object_id", ctx->hit_path[i].top_group_id); break; } } } - http_get_location_status(attributes, attributeObj, &ctx->ip_ctx); - http_get_fqdn_cat_id(query_obj, attributeObj); } int policy_verify_regex_expression(const char *expression) 
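Review bot: `cJSON_DeleteItemFromObject(attributeObj, "atrribute_value")` misspells the key, so for `TSG_TABLE_SECURITY`/`TSG_OBJ_TUNNEL` the delete is a silent no-op and the attribute value this branch is meant to strip from the verify response stays in the JSON; change it to `cJSON_DeleteItemFromObject(attributeObj, "attribute_value");` (assuming that is the key used where the object is built, which is outside this hunk). Because the whole patch renames the wire format from camelCase to snake_case by hand, a shared set of key constants would turn this class of typo into a compile error. `http_get_scan_status` starts before this hunk.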
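Review bot: `"itemt_id"` looks like a typo for `"item_id"`, and since these keys are the verify API's output, consumers reading `item_id` silently get nothing; change the line to `cJSON_AddNumberToObject(histObj, "item_id", ctx->hit_path[i].item_id);`. The hunk also drops the per-hit `objectId`/`sub_group_id` field without a snake_case replacement while keeping `superior_object_id`, so callers lose the leaf object id; confirm that is intended, otherwise add `cJSON_AddNumberToObject(histObj, "object_id", ctx->hit_path[i].sub_group_id);` back. `http_get_scan_status` starts before this hunk.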
@@ -1275,89 +1145,74 @@ int policy_verify_regex_expression(const char *expression) return maat_helper_verify_regex_expression(expression); } -static int get_ip_location_asn_table_name(struct ip_data_ctx *ip_ctx, int Nth_scan, cJSON *topObject) -{ - /*ip location**/ - int xret = 0, level=0; - const char *client_table_name[]={"ATTR_SOURCE_GEO_COUNTRY", "ATTR_SOURCE_GEO_SUPER_ADMINISTRATIVE_AREA", - "ATTR_SOURCE_GEO_ADMINISTRATIVE_AREA", "ATTR_SOURCE_GEO_SUB_ADMINISTRATIVE_AREA"}; - const char *server_tabel_name[]={"ATTR_DESTINATION_GEO_COUNTRY", "ATTR_DESTINATION_GEO_SUPER_ADMINISTRATIVE_AREA", - "ATTR_DESTINATION_GEO_ADMINISTRATIVE_AREA", "ATTR_DESTINATION_GEO_SUB_ADMINISTRATIVE_AREA"}; - - for(level = NTH_SCAN_IP_SRC_GEO_COUNTRY; level <= NTH_SCAN_IP_SRC_GEO_SUB_ADMINISTRATIVE_AREA; level++) - { - if(ip_ctx->Nth_scan[level] == Nth_scan) - { - cJSON_AddStringToObject(topObject, "tableName", client_table_name[level]); - goto finish; - } - } - - for(level = NTH_SCAN_IP_DST_GEO_COUNTRY; level <= NTH_SCAN_IP_DST_GEO_SUB_ADMINISTRATIVE_AREA; level ++) - { - if(ip_ctx->Nth_scan[level] == Nth_scan) - { - cJSON_AddStringToObject(topObject, "tableName", server_tabel_name[level-NTH_SCAN_IP_DST_GEO_COUNTRY]); - goto finish; - } - } - if(ip_ctx->Nth_scan[NTH_SCAN_IP_SRC_ASN] == Nth_scan) - { - cJSON_AddStringToObject(topObject, "tableName", "ATTR_SOURCE_ASN"); - goto finish; - } - if(ip_ctx->Nth_scan[NTH_SCAN_IP_DST_ASN] == Nth_scan) - { - cJSON_AddStringToObject(topObject, "tableName", "ATTR_DESTINATION_ASN"); - goto finish; - } - if(ip_ctx->Nth_scan[NTH_SCAN_IP_INTERNAL_ASN] == Nth_scan) - { - cJSON_AddStringToObject(topObject, "tableName", "ATTR_INTERNAL_ASN"); - goto finish; - } - if(ip_ctx->Nth_scan[NTH_SCAN_IP_EXTERNAL_ASN] == Nth_scan) - { - cJSON_AddStringToObject(topObject, "tableName", "ATTR_EXTERNAL_ASN"); - goto finish; - } - return xret; -finish: - xret = 1; - return xret; -} - -int get_attributes_table_name(struct request_query_obj *request, int num, int Nth_scan, 
struct ip_data_ctx *ip_ctx, int tunnel_endpoint_x, cJSON *topObject) +int get_attributes_table_name(struct request_query_obj *request, struct ip_data_ctx *ip_ctx, int attribute_num, int Nth_scan, int top_group_id, cJSON *topObject) { int i=0, j=0; cJSON *attributeObj=NULL, *subchild=NULL; - /*ip location**/ - if(get_ip_location_asn_table_name(ip_ctx, Nth_scan, topObject)) + /* set soruce entry table name **/ + for(i = 0; i < ip_ctx->source_entry.Nth_scan_num; i++) { - return 0; + if(ip_ctx->source_entry.Nth_scan[i] == Nth_scan) + { + cJSON_AddNumberToObject(topObject, "tag_id", top_group_id); + cJSON_AddStringToObject(topObject, "table_name", "ATTR_SOURCE_IP"); + goto finish; + } + } + /* set internal entry table name **/ + for(i = 0; i < ip_ctx->internal_entry.Nth_scan_num; i++) + { + if(ip_ctx->internal_entry.Nth_scan[i] == Nth_scan) + { + cJSON_AddNumberToObject(topObject, "tag_id", top_group_id); + cJSON_AddStringToObject(topObject, "table_name", "ATTR_INTERNAL_IP"); + goto finish; + } + } + /* set destination entry table name **/ + for(i = 0; i < ip_ctx->destination_entry.Nth_scan_num; i++) + { + if(ip_ctx->destination_entry.Nth_scan[i] == Nth_scan) + { + cJSON_AddNumberToObject(topObject, "tag_id", top_group_id); + cJSON_AddStringToObject(topObject, "table_name", "ATTR_DESTINATION_IP"); + goto finish; + } + } + /* set external entry table name **/ + for(i = 0; i < ip_ctx->external_entry.Nth_scan_num; i++) + { + if(ip_ctx->external_entry.Nth_scan[i] == Nth_scan) + { + cJSON_AddNumberToObject(topObject, "tag_id", top_group_id); + cJSON_AddStringToObject(topObject, "table_name", "ATTR_EXTERNAL_IP"); + goto finish; + } } - for(i=0; itype==cJSON_String) { - cJSON_AddStringToObject(topObject, "tableName", subchild->valuestring); + cJSON_AddStringToObject(topObject, "table_name", subchild->valuestring); } break; } } } +finish: return 0; } -int http_hit_policy_list(struct verify_policy_query *verify_policy, int num, size_t hit_cnt, cJSON *data_obj, void *pme) +int 
http_hit_policy_list(struct verify_policy_query *verify_policy, int attribute_num, size_t hit_cnt, cJSON *data_obj, void *pme) { bool succeeded = false; size_t rules=0, i=0,j=0; @@ -1399,20 +1254,20 @@ int http_hit_policy_list(struct verify_policy_query *verify_policy, int num, siz { if (ctx->enforce_rules[rules].config_id == ctx->hit_rules[i].config_id) { - cJSON_AddBoolToObject(policy_obj, "isExecutePolicy", true); + cJSON_AddBoolToObject(policy_obj, "is_execute_policy", true); succeeded = true; } } if (succeeded == false) { - cJSON_AddBoolToObject(policy_obj, "isExecutePolicy", false); + cJSON_AddBoolToObject(policy_obj, "is_execute_policy", false); } cJSON_AddItemToArray(hit_obj, policy_obj); result_config[i] = ctx->hit_rules[i].config_id; struct maat_hit_path result_hit_path[MAX_SCAN_RESULT]={0}; int result_cnt=0; topObjectList=cJSON_CreateArray(); - cJSON_AddItemToObject(policy_obj, "topObjectList", topObjectList); + cJSON_AddItemToObject(policy_obj, "top_object_list", topObjectList); for(j=0; j<=(size_t)ctx->n_read; j++) { if(ctx->hit_path[j].compile_id > 0 && ctx->hit_path[j].compile_id == ctx->hit_rules[i].config_id) 
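Review bot: The four scan loops in `get_attributes_table_name` are the same code with the `ip_entry_hit_path` member and the `ATTR_*_IP` string swapped, and each trusts `Nth_scan_num` as an index bound without clamping to `MAX_TAG_ID_NUM`; a small static predicate plus a two-element table removes the repetition and keeps the bound check in one place. The `goto finish` labels can then go, since every path already returns 0. The trailing loop over `request->attributes` is garbled in this rendering (the `< attribute_num` condition is missing), so it is not reviewed here; `http_hit_policy_list`'s signature change at the end of the hunk continues into the next hunk.
```cpp
/* Nonzero if one of the path's recorded scan indices equals nth. */
static int entry_hit_on_scan(const struct ip_entry_hit_path *entry, int nth)
{
    for (int i = 0; i < entry->Nth_scan_num && i < MAX_TAG_ID_NUM; i++)
    {
        if (entry->Nth_scan[i] == nth)
            return 1;
    }
    return 0;
}

int get_attributes_table_name(struct request_query_obj *request, struct ip_data_ctx *ip_ctx, int attribute_num, int Nth_scan, int top_group_id, cJSON *topObject)
{
    const struct ip_entry_hit_path *entries[] = {
        &ip_ctx->source_entry, &ip_ctx->internal_entry,
        &ip_ctx->destination_entry, &ip_ctx->external_entry };
    const char *names[] = {
        "ATTR_SOURCE_IP", "ATTR_INTERNAL_IP",
        "ATTR_DESTINATION_IP", "ATTR_EXTERNAL_IP" };

    for (size_t k = 0; k < sizeof(entries) / sizeof(entries[0]); k++)
    {
        if (entry_hit_on_scan(entries[k], Nth_scan))
        {
            cJSON_AddNumberToObject(topObject, "tag_id", top_group_id);
            cJSON_AddStringToObject(topObject, "table_name", names[k]);
            return 0;
        }
    }
    /* … unchanged: table_name lookup in request->attributes … */
    return 0;
}
```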
@@ -1426,17 +1281,10 @@ int http_hit_policy_list(struct verify_policy_query *verify_policy, int num, siz memcpy(&result_hit_path[result_cnt], &ctx->hit_path[j], sizeof(struct maat_hit_path)); result_cnt++; } - #if 0 - if(http_hit_policy_match(result_object_id, j, ctx->hit_path[j].top_group_id)) - { - continue; - } - #endif topObject=cJSON_CreateObject(); - cJSON_AddNumberToObject(topObject, "objectId", ctx->hit_path[j].top_group_id); - cJSON_AddNumberToObject(topObject, "notFlag", ctx->hit_path[j].NOT_flag); - cJSON_AddNumberToObject(topObject, "nthClause", ctx->hit_path[j].clause_index); - get_attributes_table_name(verify_policy->request_object, num, ctx->hit_path[j].Nth_scan, &ctx->ip_ctx, ctx->tunnel_endpoint_x, topObject); + get_attributes_table_name(verify_policy->request_object, &ctx->ip_ctx, attribute_num, ctx->hit_path[j].Nth_scan, ctx->hit_path[j].top_group_id, topObject); + cJSON_AddNumberToObject(topObject, "not_flag", ctx->hit_path[j].NOT_flag); + cJSON_AddNumberToObject(topObject, "nth_clause", ctx->hit_path[j].clause_index); cJSON_AddItemToArray(topObjectList, topObject); } } 
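Review bot: The rewritten loop no longer reports the hit's object id for anything except IP-library hits: the removed `cJSON_AddNumberToObject(topObject, "objectId", ctx->hit_path[j].top_group_id);` was unconditional, while the new get_attributes_table_name, as far as it is visible above, emits `tag_id` only on the four `*_entry` paths before `goto finish`, and its attribute fallback adds `table_name` alone. Unless consumers of `top_object_list` stopped needing the group id, keep it at the call site, `cJSON_AddNumberToObject(topObject, "object_id", ctx->hit_path[j].top_group_id);` before the helper call, or add it on the fallback path inside the helper. get_attributes_table_name's hunk starts before this chunk and http_hit_policy_list continues past it, so the rest of both bodies is not in view.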
@@ -1491,332 +1339,214 @@ static int group_scan(struct policy_scan_ctx *ctx, int vsys_id, int hit_cnt, str return hit_cnt_group; } - -static int get_group_id_by_location(const struct ip_data_table* ip_location, size_t level) -{ - const int* group_ids[] = { - &ip_location->country_region_group_id, - &ip_location->province_group_id, - &ip_location->city_group_id, - &ip_location->subdivision_group_id - }; - - if (level >= 0 && level < sizeof(group_ids) / sizeof(group_ids[0])) - { - return *group_ids[level]; - } - - return 0; -} - int get_fqdn_entry_tag_ids(cJSON *hit_library, int vsys_id, const char *fqdn) { int ret=0, hit_fqdn_entry=0; cJSON *fqdn_entry_item=NULL; - struct library_entry_ctx *entry_ctx[8]={0}; if(fqdn == NULL) { return 0; } + + struct library_entry_ctx *entry_ctx[8]={0}; ret=maat_fqdn_plugin_table_get_ex_data(g_policy_rt->feather[vsys_id], g_policy_rt->profile_table_id[PROFILE_FQDN_ENTRY], fqdn, (void **)entry_ctx, 8); - for(int i=0; i entry_id); - cJSON_AddStringToObject(fqdn_entry_item, "tag_ids", entry_ctx[i]->tag_ids); - cJSON_AddItemToArray(hit_library, fqdn_entry_item); - hit_fqdn_entry++; - } - library_search_free(entry_ctx[i]); + fqdn_entry_item=cJSON_CreateObject(); + cJSON_AddNumberToObject(fqdn_entry_item, "entry_id", entry_ctx[i]->entry_id); + cJSON_AddStringToObject(fqdn_entry_item, "tag_ids", entry_ctx[i]->tag_ids); + cJSON_AddItemToArray(hit_library, fqdn_entry_item); + hit_fqdn_entry++; + + library_entry_free(entry_ctx[i]); } - return hit_fqdn_entry; + return hit_fqdn_entry; } int get_ip_entry_tag_ids(cJSON *hit_library, int vsys_id, struct ipaddr *ip_addr) { int ret=0, hit_ip_entry=0; cJSON *ip_entry_item=NULL; - struct ip_addr dest_ip, source_ip; - struct library_entry_ctx *entry_ctx[8]={0}; if(ip_addr == NULL) { return 0; } + struct ip_addr dest_ip, source_ip; ip_addr_to_address(ip_addr, &dest_ip, &source_ip); + + struct library_entry_ctx *entry_ctx[8]={0}; ret = maat_ip_plugin_table_get_ex_data(g_policy_rt->feather[vsys_id], 
g_policy_rt->profile_table_id[PROFILE_IP_ADDR_ENTRY], &source_ip, (void **)&entry_ctx, 8); - for(int i=0; i entry_id); - cJSON_AddStringToObject(ip_entry_item, "tag_ids", entry_ctx[i]->tag_ids); - cJSON_AddItemToArray(hit_library, ip_entry_item); - hit_ip_entry++; - } - library_search_free(entry_ctx[i]); + ip_entry_item=cJSON_CreateObject(); + cJSON_AddNumberToObject(ip_entry_item, "entry_id", entry_ctx[i]->entry_id); + cJSON_AddStringToObject(ip_entry_item, "tag_ids", entry_ctx[i]->tag_ids); + cJSON_AddItemToArray(hit_library, ip_entry_item); + hit_ip_entry++; + + library_entry_free(entry_ctx[i]); } - return hit_ip_entry; } -int ip_location_scan(struct policy_scan_ctx *ctx, int vsys_id, struct ip_addr *sip, struct ip_addr *dip, int hit_cnt) +enum category_type get_library_tag_category(long long tag_id, int vsys_id) { - int scan_ret=0, hit_cnt_ip=0; - char buff[VERIFY_STRING_MAX * 2]={0}; - struct maat_hit_group hit_group; - struct maat_hit_path hit_path[HIT_PATH_SIZE]; - struct ip_data_table* ip_location_client=NULL, *ip_location_server=NULL; - - if(!g_policy_rt->load_ip_location) + struct library_tag_ctx *tag_ctx =(struct library_tag_ctx *)maat_plugin_table_get_ex_data(g_policy_rt->feather[vsys_id], g_policy_rt->profile_table_id[PROFILE_LIBRARY_TAG], + (const char *)&tag_id, sizeof(long long)); + if(tag_ctx != NULL) { - return 0; + enum category_type category = tag_ctx->category; + library_tag_free(tag_ctx); + return category; } - memset(hit_path, 0, sizeof(struct maat_hit_path)*HIT_PATH_SIZE); - maat_ip_plugin_table_get_ex_data(g_policy_rt->feather[vsys_id], g_policy_rt->profile_table_id[PROFILE_LOCATION_USER_DEFINED], sip, (void **)&ip_location_client, 1); - maat_ip_plugin_table_get_ex_data(g_policy_rt->feather[vsys_id], g_policy_rt->profile_table_id[PROFILE_LOCATION_USER_DEFINED], dip, (void **)&ip_location_server, 1); - - if (ip_location_client == NULL) - { - maat_ip_plugin_table_get_ex_data(g_policy_rt->feather[vsys_id], 
g_policy_rt->profile_table_id[PROFILE_LOCATION_BUILT_IN], sip,(void **)&ip_location_client, 1); - } - if (ip_location_server == NULL) - { - maat_ip_plugin_table_get_ex_data(g_policy_rt->feather[vsys_id], g_policy_rt->profile_table_id[PROFILE_LOCATION_BUILT_IN], dip, (void **)&ip_location_server, 1); - } - - if(ip_location_server!=NULL) - { - memset(buff,0,sizeof(buff)); - snprintf(buff, sizeof(buff), "%s.%s.%s.%s", ip_location_server->country_full, ip_location_server->province_full, ip_location_server->city_full, ip_location_server->subdivision_addr); - ctx->ip_ctx.location_server=strdup(buff); - - for(int level=0; level < 4; level++) - { - memset(&hit_group, 0, sizeof(hit_group)); - hit_group.group_id=get_group_id_by_location(ip_location_server, level); - if(hit_group.group_id <= 0) - { - continue; - } - - scan_ret = group_scan(ctx, vsys_id, hit_cnt, hit_group, TSG_OBJ_IP_DST_GEO_COUNTRY+level, 1); - if(scan_ret > 0) - { - hit_cnt_ip+=scan_ret; - } - ctx->n_read=maat_state_get_hit_paths(ctx->scan_mid, hit_path, HIT_PATH_SIZE); - ctx->ip_ctx.Nth_scan[NTH_SCAN_IP_DST_GEO_COUNTRY+level] = maat_state_get_scan_count(ctx->scan_mid); - } - } - if(ip_location_client!=NULL) - { - memset(buff,0,sizeof(buff)); - snprintf(buff, sizeof(buff), "%s.%s.%s.%s", ip_location_client->country_full, ip_location_client->province_full, ip_location_client->city_full, ip_location_client->subdivision_addr); - ctx->ip_ctx.location_client=strdup(buff); - - for(int level=0; level < 4; level++) - { - memset(&hit_group, 0, sizeof(hit_group)); - hit_group.group_id=get_group_id_by_location(ip_location_client, level); - if(hit_group.group_id <= 0) - { - continue; - } - - scan_ret = group_scan(ctx, vsys_id, hit_cnt, hit_group, TSG_OBJ_IP_SRC_GEO_COUNTRY+level, 1); - if(scan_ret > 0) - { - hit_cnt_ip+=scan_ret; - } - ctx->n_read=maat_state_get_hit_paths(ctx->scan_mid, hit_path, HIT_PATH_SIZE); - ctx->ip_ctx.Nth_scan[NTH_SCAN_IP_SRC_GEO_COUNTRY+level] = maat_state_get_scan_count(ctx->scan_mid); - } - 
} - - if(ip_location_server) - ip_table_free(ip_location_server); - if(ip_location_client) - ip_table_free(ip_location_client); - return hit_cnt_ip; + return CATEGORY_TYPE_UNKNOWN; } -int ip_asn_scan(struct policy_scan_ctx * ctx, int vsys_id, int table_id, struct ip_addr* sip, struct ip_addr* dip, int hit_cnt) +int ip_entry_scan(struct request_query_obj *request, struct policy_scan_ctx *ctx, int vsys_id, int hit_cnt) { - size_t n_hit_result=0; - int scan_ret=0, hit_cnt_ip=0, Nth_scan_cnt=0; + int scan_ret=0, hit_cnt_ip=0; + struct maat_hit_group hit_group; struct maat_hit_path hit_path[HIT_PATH_SIZE]; - struct ip_data_table* ip_asn_client=NULL, *ip_asn_server=NULL; + struct library_entry_ctx *source_entry_ctx[MAX_EX_DATA_LEN]={0}; + struct library_entry_ctx *destination_entry_ctx[MAX_EX_DATA_LEN]={0}; if(!g_policy_rt->load_ip_location) { return 0; } - + + struct ip_addr dip, sip; + ip_addr_to_address(request->ip_addr, &dip, &sip); + memset(hit_path, 0, sizeof(struct maat_hit_path)*HIT_PATH_SIZE); - maat_ip_plugin_table_get_ex_data(g_policy_rt->feather[vsys_id], g_policy_rt->profile_table_id[PROFILE_ASN_USER_DEFINED], sip, (void **)&ip_asn_client, 1); - maat_ip_plugin_table_get_ex_data(g_policy_rt->feather[vsys_id], g_policy_rt->profile_table_id[PROFILE_ASN_USER_DEFINED], dip, (void **)&ip_asn_server, 1); + int ret1 = maat_ip_plugin_table_get_ex_data(g_policy_rt->feather[vsys_id], g_policy_rt->profile_table_id[PROFILE_IP_ADDR_ENTRY], &sip, (void **)&source_entry_ctx, MAX_EX_DATA_LEN); + int ret2 = maat_ip_plugin_table_get_ex_data(g_policy_rt->feather[vsys_id], g_policy_rt->profile_table_id[PROFILE_IP_ADDR_ENTRY], &dip, (void **)&destination_entry_ctx, MAX_EX_DATA_LEN); - if (ip_asn_client == NULL) + if(ret1 > 0) { - maat_ip_plugin_table_get_ex_data(g_policy_rt->feather[vsys_id], g_policy_rt->profile_table_id[PROFILE_ASN_BUILT_IN], sip,(void **)&ip_asn_client, 1); - } - if (ip_asn_server == NULL) - { - maat_ip_plugin_table_get_ex_data(g_policy_rt->feather[vsys_id], 
g_policy_rt->profile_table_id[PROFILE_ASN_BUILT_IN], dip,(void **)&ip_asn_server, 1); + for(int i=0; i < ret1 && i < MAX_EX_DATA_LEN; i++) + { + if(source_entry_ctx[i] == NULL) + { + continue; + } + + for(int tag_id=0; tag_idn_tag_ids; tag_id++) + { + memset(&hit_group, 0, sizeof(hit_group)); + hit_group.group_id=source_entry_ctx[i]->tag_id_array[tag_id]; + if(hit_group.group_id <= 0) + { + continue; + } + + scan_ret = group_scan(ctx, vsys_id, hit_cnt, hit_group, request->table_id, 1); + if(scan_ret > 0) + { + hit_cnt_ip+=scan_ret; + } + + struct ip_entry_hit_path *entry_hit_path = (request->table_id == TSG_OBJ_SOURCE_ADDR) ? &ctx->ip_ctx.source_entry : &ctx->ip_ctx.internal_entry; + entry_hit_path->entry_id[entry_hit_path->entry_num]=source_entry_ctx[i]->entry_id; + entry_hit_path->tag_id[entry_hit_path->entry_num]=source_entry_ctx[i]->tag_id_array[tag_id]; + entry_hit_path->category[entry_hit_path->entry_num]= get_library_tag_category(source_entry_ctx[i]->tag_id_array[tag_id], vsys_id); + entry_hit_path->entry_num++; + + ctx->n_read=maat_state_get_hit_paths(ctx->scan_mid, hit_path, HIT_PATH_SIZE); + entry_hit_path->Nth_scan[entry_hit_path->Nth_scan_num++] = maat_state_get_scan_count(ctx->scan_mid); + } + library_entry_free(source_entry_ctx[i]); + } } - struct maat_hit_group hit_group; - if(ip_asn_server!=NULL) + if(ret2 > 0) { - ctx->ip_ctx.asn_server=strdup(ip_asn_server->asn); - ctx->ip_ctx.organization_server=strdup(ip_asn_server->organization); - - memset(&hit_group, 0, sizeof(hit_group)); - hit_group.group_id=ip_asn_server->asn_group_id; - - if(table_id == TSG_OBJ_DESTINATION_ADDR) + for(int i=0; i < ret2 && i < MAX_EX_DATA_LEN; i++) { - table_id = TSG_OBJ_IP_DST_ASN; - } - else - { - table_id = (table_id==TSG_OBJ_INTERNAL_ADDR)?TSG_OBJ_INTERNAL_ASN:TSG_OBJ_EXTERNAL_ASN; - } - scan_ret=maat_scan_group(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[table_id], &hit_group, 1, - ctx->result+hit_cnt+hit_cnt_ip, MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip, 
&n_hit_result, ctx->scan_mid); - if(scan_ret == MAAT_SCAN_HIT) - { - hit_cnt_ip+=n_hit_result; - } - scan_ret = maat_scan_not_logic(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[table_id], ctx->result+hit_cnt+hit_cnt_ip, MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip, - &n_hit_result, ctx->scan_mid); - if (scan_ret == MAAT_SCAN_HIT) - { - hit_cnt_ip+=n_hit_result; - } - if(scan_ret >= MAAT_SCAN_OK) - { - ctx->n_read=maat_state_get_hit_paths(ctx->scan_mid, hit_path, HIT_PATH_SIZE); - if(table_id == TSG_OBJ_IP_DST_ASN) + if(destination_entry_ctx[i] == NULL) { - ctx->ip_ctx.Nth_scan[NTH_SCAN_IP_DST_ASN] = maat_state_get_scan_count(ctx->scan_mid); + continue; } - else + + for(int tag_id=0; tag_idn_tag_ids; tag_id++) { - Nth_scan_cnt = (table_id == TSG_OBJ_INTERNAL_ASN) ? NTH_SCAN_IP_INTERNAL_ASN : NTH_SCAN_IP_EXTERNAL_ASN; - ctx->ip_ctx.Nth_scan[Nth_scan_cnt] = maat_state_get_scan_count(ctx->scan_mid); + memset(&hit_group, 0, sizeof(hit_group)); + hit_group.group_id=destination_entry_ctx[i]->tag_id_array[tag_id]; + if(hit_group.group_id <= 0) + { + continue; + } + + scan_ret = group_scan(ctx, vsys_id, hit_cnt, hit_group, request->table_id, 1); + if(scan_ret > 0) + { + hit_cnt_ip+=scan_ret; + } + + struct ip_entry_hit_path *entry_hit_path = (request->table_id == TSG_OBJ_DESTINATION_ADDR) ? 
&ctx->ip_ctx.destination_entry : &ctx->ip_ctx.external_entry; + entry_hit_path->entry_id[entry_hit_path->entry_num]=destination_entry_ctx[i]->entry_id; + entry_hit_path->tag_id[entry_hit_path->entry_num]=destination_entry_ctx[i]->tag_id_array[tag_id]; + entry_hit_path->category[entry_hit_path->entry_num]= get_library_tag_category(destination_entry_ctx[i]->tag_id_array[tag_id], vsys_id); + entry_hit_path->entry_num++; + + ctx->n_read=maat_state_get_hit_paths(ctx->scan_mid, hit_path, HIT_PATH_SIZE); + entry_hit_path->Nth_scan[entry_hit_path->Nth_scan_num++] = maat_state_get_scan_count(ctx->scan_mid); } + library_entry_free(destination_entry_ctx[i]); } } - if(ip_asn_client!=NULL) - { - ctx->ip_ctx.asn_client=strdup(ip_asn_client->asn); - ctx->ip_ctx.organization_client=strdup(ip_asn_client->organization); - memset(&hit_group, 0, sizeof(hit_group)); - hit_group.group_id=ip_asn_client->asn_group_id; - - if(table_id == TSG_OBJ_SOURCE_ADDR) - { - table_id = TSG_OBJ_IP_SRC_ASN; - } - else - { - table_id = (table_id==TSG_OBJ_INTERNAL_ADDR)?TSG_OBJ_INTERNAL_ASN:TSG_OBJ_EXTERNAL_ADDR; - } - scan_ret=maat_scan_group(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[table_id], &hit_group, 1, - ctx->result+hit_cnt+hit_cnt_ip, MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip, &n_hit_result, ctx->scan_mid); - if(scan_ret == MAAT_SCAN_HIT) - { - hit_cnt_ip+=n_hit_result; - } - scan_ret = maat_scan_not_logic(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[table_id], ctx->result+hit_cnt+hit_cnt_ip, MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip, - &n_hit_result, ctx->scan_mid); - if (scan_ret == MAAT_SCAN_HIT) - { - hit_cnt_ip+=n_hit_result; - } - if(scan_ret >= MAAT_SCAN_OK) - { - ctx->n_read=maat_state_get_hit_paths(ctx->scan_mid, hit_path, HIT_PATH_SIZE); - - if(table_id == TSG_OBJ_IP_SRC_ASN) - { - ctx->ip_ctx.Nth_scan[NTH_SCAN_IP_SRC_ASN] = maat_state_get_scan_count(ctx->scan_mid); - } - else - { - Nth_scan_cnt = (table_id == TSG_OBJ_INTERNAL_ASN) ? 
NTH_SCAN_IP_INTERNAL_ASN : NTH_SCAN_IP_EXTERNAL_ASN; - ctx->ip_ctx.Nth_scan[Nth_scan_cnt] = maat_state_get_scan_count(ctx->scan_mid); - } - } - } - if(ip_asn_server) - ip_table_free(ip_asn_server); - if(ip_asn_client) - ip_table_free(ip_asn_client); return hit_cnt_ip; } int get_fqdn_category_id(struct request_query_obj *request, struct policy_scan_ctx * ctx, int vsys_id, const char *fqdn, int table_id, int hit_cnt) { - int j=0, k=0; size_t n_read=0, n_hit_result=0; int hit_path_cnt=0; - int i=0,ret=0, hit_cnt_fqdn=0; - struct fqdn_category_ctx *fqdn_cat_user[8]={0},*fqdn_cat_built[8]={0}; + int i=0, j=0, ret=0, hit_cnt_fqdn=0; + enum category_type category=CATEGORY_TYPE_UNKNOWN; + struct library_entry_ctx *fqdn_entry_ctx[MAX_EX_DATA_LEN]={0}; if(!g_policy_rt->load_fqdn_cat) { return 0; } - ret=maat_fqdn_plugin_table_get_ex_data(g_policy_rt->feather[vsys_id], g_policy_rt->profile_table_id[PROFILE_FQDN_CAT_USER_DEFINED], fqdn, (void **)fqdn_cat_user, 8); - for(i=0; i feather[vsys_id], g_policy_rt->profile_table_id[PROFILE_FQDN_ENTRY], fqdn, (void **)fqdn_entry_ctx, MAX_EX_DATA_LEN); + for(i=0; i < ret && i < MAX_EX_DATA_LEN; i++) { - if(i < 8) + if(fqdn_entry_ctx[i] == NULL) { - if(http_hit_policy_match((int *)(request->fqdn_user.group_id), j, (int)fqdn_cat_user[i]->group_id)) + continue; + } + + for(int tag_id=0; tag_idn_tag_ids; tag_id++) + { + category = get_library_tag_category(fqdn_entry_ctx[i]->tag_id_array[tag_id], vsys_id); + if(category != CATEGORY_TYPE_WEBSITE_CATEGORY) { continue; } - request->fqdn_user.group_id[j] = fqdn_cat_user[i]->group_id; + request->fqdn_entry.entry_id[j] = fqdn_entry_ctx[i]->entry_id; + request->fqdn_entry.tag_id[j] = fqdn_entry_ctx[i]->tag_id_array[tag_id]; j++; } - fqdn_cat_table_free(fqdn_cat_user[i]); + library_entry_free(fqdn_entry_ctx[i]); } - request->fqdn_user.fqdn_cat_num = j< 8 ? j : 8; + request->fqdn_entry.fqdn_entry_num = j< MAX_EX_DATA_LEN ? 
j : MAX_EX_DATA_LEN; - ret=maat_fqdn_plugin_table_get_ex_data(g_policy_rt->feather[vsys_id], g_policy_rt->profile_table_id[PROFILE_FQDN_CAT_BUILT_IN], fqdn, (void **)fqdn_cat_built, 8); - for(i=0; i fqdn_builtin.group_id), k, (int)fqdn_cat_built[i]->group_id)) - { - continue; - } - request->fqdn_builtin.group_id[k] = fqdn_cat_built[i]->group_id; - k++; - } - fqdn_cat_table_free(fqdn_cat_built[i]); - } - request->fqdn_builtin.fqdn_cat_num = k < 8 ? k : 8; struct maat_hit_group hit_group; - if(request->fqdn_user.fqdn_cat_num > 0) + if(request->fqdn_entry.fqdn_entry_num > 0) { - for(i=0; ifqdn_user.fqdn_cat_num; i++) + for(i=0; ifqdn_entry.fqdn_entry_num; i++) { memset(&hit_group, 0, sizeof(hit_group)); - hit_group.group_id=request->fqdn_user.group_id[i]; + hit_group.group_id=request->fqdn_entry.tag_id[i]; ret=maat_scan_group(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[table_id], &hit_group, 1, ctx->result+hit_cnt+hit_cnt_fqdn, MAX_SCAN_RESULT-hit_cnt-hit_cnt_fqdn, &n_hit_result, ctx->scan_mid); if(ret == MAAT_SCAN_HIT) 
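Review bot: In get_fqdn_category_id the stores `request->fqdn_entry.entry_id[j] = ...` and `request->fqdn_entry.tag_id[j] = ...` are unbounded: `j` advances once per website-category tag across up to MAX_EX_DATA_LEN entries, the arrays are sized MAX_TAG_ID_NUM rather than MAX_EX_DATA_LEN, and the clamp `fqdn_entry_num = j< MAX_EX_DATA_LEN ? j : MAX_EX_DATA_LEN` runs only after the loop, so it can neither stop an out-of-bounds write nor explain why at most 16 of the recorded tags are then scanned. Guard before the store, `if(j >= MAX_TAG_ID_NUM) { break; }` in both the entry and the tag loop, and then simply `request->fqdn_entry.fqdn_entry_num = j;`. ip_entry_scan has the same shape: `entry_hit_path->entry_num++` and `entry_hit_path->Nth_scan_num++` index fixed arrays of `struct ip_entry_hit_path` whose capacity is not in this diff, so they need the same check or a comment stating the bound. Separately, both loops in ip_entry_scan call `group_scan(..., request->table_id, 1)`, so a request for the source/internal address still matches the destination IP's tags against that same table (and records them under `external_entry`); presumably only the side that belongs to the requested attribute should be scanned, but group_scan's body lies outside this hunk, so confirm before changing it.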
@@ -1838,37 +1568,7 @@ int get_fqdn_category_id(struct request_query_obj *request, struct policy_scan_c hit_path_cnt++; } } - goto finish; } - if (request->fqdn_builtin.fqdn_cat_num > 0) - { - for(i=0; ifqdn_builtin.fqdn_cat_num; i++) - { - memset(&hit_group, 0, sizeof(hit_group)); - hit_group.group_id=request->fqdn_builtin.group_id[i]; - ret=maat_scan_group(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[table_id], &hit_group, 1, - ctx->result+hit_cnt+hit_cnt_fqdn, MAX_SCAN_RESULT-hit_cnt-hit_cnt_fqdn, &n_hit_result, ctx->scan_mid); - if(ret>0) - { - hit_cnt_fqdn+=n_hit_result; - } - ret = maat_scan_not_logic(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[table_id], ctx->result+hit_cnt+hit_cnt_fqdn, - MAX_SCAN_RESULT-hit_cnt-hit_cnt_fqdn, &n_hit_result, ctx->scan_mid); - if (ret == MAAT_SCAN_HIT) - { - hit_cnt_fqdn+=n_hit_result; - } - n_read=maat_state_get_hit_paths(ctx->scan_mid, ctx->hit_path, HIT_PATH_SIZE); - if(ret >= MAAT_SCAN_OK) - { - request->merge_nth_scan[hit_path_cnt] = maat_state_get_scan_count(ctx->scan_mid); - request->exclude_nth_scan[hit_path_cnt] = 1; - ctx->n_read=n_read; - hit_path_cnt++; - } - } - } -finish: request->merge_nth_scan_num = hit_path_cnt; return hit_cnt_fqdn; } 
@@ -1948,18 +1648,18 @@ int tunnel_scan(struct request_query_obj *request, struct policy_scan_ctx *ctx, ctx->tunnel_scan_mid = maat_state_new(g_policy_rt->feather[vsys_id], ctx->thread_id); maat_state_set_scan_compile_table(ctx->tunnel_scan_mid, g_policy_rt->compile_table_id[TSG_TUNNEL]); } - + int tunnel_table_id = get_tunnel_type_table_id(request->tunnel_type); if (ip_addr->addrtype == ADDR_TYPE_IPV4) { - scan_ret = maat_scan_ipv4_port(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[tunnel_table_id], ip_addr->v4->saddr, ip_addr->v4->source, + scan_ret = maat_scan_ipv4_port(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[tunnel_table_id], ip_addr->v4->saddr, ip_addr->v4->source, result, MAX_SCAN_RESULT, &n_hit_result, ctx->tunnel_scan_mid); if(scan_ret == MAAT_SCAN_HIT) { hit_cnt_endpoint+=n_hit_result; } } - + if (ip_addr->addrtype == ADDR_TYPE_IPV6) { scan_ret = maat_scan_ipv6_port(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[tunnel_table_id], ip_addr->v6->saddr, ip_addr->v6->source, @@ -2120,28 +1820,22 @@ enum ip_protocol_type PROCOCOL_TCP=6, PROCOCOL_UDP=17, }; + static int get_group_id_by_protocol(int protocol) { - int group_id = 0; switch(protocol) { case PROCOCOL_ANY: - group_id = PROTOCOL_ANY_GROUP_ID; - break; + return PROTOCOL_ANY_GROUP_ID; case PROTOCOL_ICMP: - group_id = PROTOCOL_ICMP_GROUP_ID; - break; + return PROTOCOL_ICMP_GROUP_ID; case PROCOCOL_TCP: - group_id = PROTOCOL_TCP_GROUP_ID; - break; + return PROTOCOL_TCP_GROUP_ID; case PROCOCOL_UDP: - group_id = PROTOCOL_UDP_GROUP_ID; - break; + return PROTOCOL_UDP_GROUP_ID; default: - group_id = 0; - break; + return 0; } - return group_id; } static int protocol_scan(struct request_query_obj *request, struct policy_scan_ctx *ctx, int vsys_id, int hit_cnt) 
@@ -2157,7 +1851,7 @@ static int protocol_scan(struct request_query_obj *request, struct policy_scan_c scan_ret = group_scan(ctx, vsys_id, hit_cnt, hit_group, TSG_OBJ_IP_PROTOCOL, 1); if(scan_ret > 0) { - hit_cnt_protocol+=scan_ret; + hit_cnt_protocol+=scan_ret; } n_read=maat_state_get_hit_paths(ctx->scan_mid, ctx->hit_path, HIT_PATH_SIZE); request->merge_nth_scan[0] = maat_state_get_scan_count(ctx->scan_mid); @@ -2177,7 +1871,7 @@ static int ip_addr_scan(struct request_query_obj *request, struct policy_scan_ct { if(0 == strcasecmp(request->attri_name, "source") || 0 == strcasecmp(request->attri_name, "internal")) { - scan_ret = maat_scan_ipv4_port(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[table_id], request->ip_addr->v4->saddr, request->ip_addr->v4->source, + scan_ret = maat_scan_ipv4_port(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[table_id], request->ip_addr->v4->saddr, request->ip_addr->v4->source, ctx->result+hit_cnt+hit_cnt_ip, MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip, &n_hit_result, ctx->scan_mid); if(scan_ret == MAAT_SCAN_HIT) { @@ -2192,7 +1886,7 @@ static int ip_addr_scan(struct request_query_obj *request, struct policy_scan_ct } if(0 == strcasecmp(request->attri_name, "destination") || 0 == strcasecmp(request->attri_name, "external")) { - scan_ret = maat_scan_ipv4_port(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[table_id], request->ip_addr->v4->daddr, request->ip_addr->v4->dest, + scan_ret = maat_scan_ipv4_port(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[table_id], request->ip_addr->v4->daddr, request->ip_addr->v4->dest, ctx->result+hit_cnt+hit_cnt_ip, MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip, &n_hit_result, ctx->scan_mid); if(scan_ret == MAAT_SCAN_HIT) { 
@@ -2320,15 +2014,7 @@ size_t policy_verify_scan(int vsys_id, int compile_table_id, struct request_quer { goto decide; } - struct ip_addr dest_ip, source_ip; - ip_addr_to_address(request->ip_addr, &dest_ip, &source_ip); - - scan_ret = ip_location_scan(ctx, vsys_id, &source_ip, &dest_ip, hit_cnt); - if(scan_ret > 0) - { - hit_cnt+=scan_ret; - } - scan_ret = ip_asn_scan(ctx, vsys_id, table_id, &source_ip, &dest_ip, hit_cnt); + scan_ret = ip_entry_scan(request, ctx, vsys_id, hit_cnt); if(scan_ret > 0) { hit_cnt+=scan_ret; @@ -2364,8 +2050,7 @@ size_t policy_verify_scan(int vsys_id, int compile_table_id, struct request_quer } goto decide; case TSG_OBJ_TUNNEL: - memset(&dest_ip, 0, sizeof(dest_ip)); - memset(&source_ip, 0, sizeof(source_ip)); + struct ip_addr dest_ip, source_ip; ip_addr_to_address(request->ip_addr, &dest_ip, &source_ip); scan_ret = tunnel_scan(request, ctx, vsys_id, hit_cnt, request->ip_addr); if(scan_ret) @@ -2410,14 +2095,13 @@ size_t policy_verify_scan(int vsys_id, int compile_table_id, struct request_quer if(request_in_fqdn_cat(table_id)) { - /*TSG_HOST, TSG_HOST+1=TSG_HOST_CAT**/ - scan_ret = get_fqdn_category_id(request, ctx, vsys_id, value, table_id+1, hit_cnt); + scan_ret = get_fqdn_category_id(request, ctx, vsys_id, value, TSG_OBJ_DST_SERVER_FQDN, hit_cnt); if(scan_ret>0) { hit_cnt+=scan_ret; } } - + scan_ret = maat_scan_string(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[table_id], value, strlen(value), ctx->result+hit_cnt, MAX_SCAN_RESULT-hit_cnt, &n_hit_result, ctx->scan_mid); @@ -2545,9 +2229,7 @@ static void http_table_name_init(const char *table_name[__TSG_OBJ_MAX]) table_name[TSG_OBJ_HTTP_RES_HDR] = "ATTR_HTTP_RES_HDR"; table_name[TSG_OBJ_HTTP_RES_BODY] = "ATTR_HTTP_RES_BODY"; table_name[TSG_OBJ_SSL_CN] = "ATTR_SSL_CN"; - table_name[TSG_OBJ_SSL_CN_CAT] = "ATTR_SSL_CN_CAT"; table_name[TSG_OBJ_SSL_SAN] = "ATTR_SSL_SAN"; - table_name[TSG_OBJ_SSL_SAN_CAT] = "ATTR_SSL_SAN_CAT"; return; } 
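Review bot: `struct ip_addr dest_ip, source_ip;` is now declared directly under `case TSG_OBJ_TUNNEL:` with no enclosing braces, replacing the two memset calls; that compiles only because the following case labels are allowed to jump past an uninitialised trivial object, and any future initializer or non-trivial member in ip_addr turns it into a "jump to case label crosses initialization" error. Wrap the case body in its own scope and keep the zero-fill the old code relied on: `case TSG_OBJ_TUNNEL: { struct ip_addr dest_ip = {0}, source_ip = {0}; ... }`. As far as this hunk shows, tunnel_scan receives `request->ip_addr` rather than the two locals, so whether they are still read later in the case body (outside the hunk) is worth checking.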
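Review bot: The category scan is now hard-wired to `TSG_OBJ_DST_SERVER_FQDN` whatever `table_id` the request carries, where the removed line used the attribute's own `table_id+1` (`_CAT`) table; with the `*_CAT` ids deleted this may well be intended, but nothing says that a category rule compiled under the server-FQDN table is meant to fire for every attribute for which request_in_fqdn_cat() is true (HTTP host, SSL CN/SAN, DNS qname, if those are its members). Add a comment at the call, e.g. `/* all FQDN-type attributes share one category table: website-category tags are compiled under TSG_OBJ_DST_SERVER_FQDN */`, or pass `table_id` through if per-attribute separation is still wanted. policy_verify_scan continues outside this hunk.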
@@ -2583,18 +2265,7 @@ static void common_table_name_int(const char *table_name[__TSG_OBJ_MAX]) table_name[TSG_OBJ_TUNNEL]="ATTR_TUNNEL", table_name[TSG_OBJ_FLAG]="ATTR_FLAG"; table_name[TSG_OBJ_GTP_IMEI]="ATTR_GTP_IMEI"; - table_name[TSG_OBJ_IP_SRC_ASN]="ATTR_SOURCE_ASN"; - table_name[TSG_OBJ_IP_DST_ASN]="ATTR_DESTINATION_ASN"; - table_name[TSG_OBJ_IP_SRC_GEO_COUNTRY]="ATTR_SOURCE_GEO_COUNTRY"; - table_name[TSG_OBJ_IP_SRC_GEO_SUPER_ADMINISTRATIVE_AREA]="ATTR_SOURCE_GEO_SUPER_ADMINISTRATIVE_AREA"; - table_name[TSG_OBJ_IP_SRC_GEO_ADMINISTRATIVE_AREA]="ATTR_SOURCE_GEO_ADMINISTRATIVE_AREA"; - table_name[TSG_OBJ_IP_SRC_GEO_SUB_ADMINISTRATIVE_AREA]="ATTR_SOURCE_GEO_SUB_ADMINISTRATIVE_AREA"; - table_name[TSG_OBJ_IP_DST_GEO_COUNTRY]="ATTR_DESTINATION_GEO_COUNTRY"; - table_name[TSG_OBJ_IP_DST_GEO_SUPER_ADMINISTRATIVE_AREA]="ATTR_DESTINATION_GEO_SUPER_ADMINISTRATIVE_AREA"; - table_name[TSG_OBJ_IP_DST_GEO_ADMINISTRATIVE_AREA]="ATTR_DESTINATION_GEO_ADMINISTRATIVE_AREA"; - table_name[TSG_OBJ_IP_DST_GEO_SUB_ADMINISTRATIVE_AREA]="ATTR_DESTINATION_GEO_SUB_ADMINISTRATIVE_AREA"; table_name[TSG_OBJ_DST_SERVER_FQDN]="ATTR_SERVER_FQDN"; - table_name[TSG_OBJ_DST_SERVER_FQDN_CAT]="ATTR_SERVER_FQDN_CAT"; table_name[TSG_OBJ_INTERNAL_ADDR]="ATTR_INTERNAL_IP"; table_name[TSG_OBJ_EXTERNAL_ADDR]="ATTR_EXTERNAL_IP"; table_name[TSG_OBJ_SOURCE_PORT]="ATTR_SOURCE_PORT"; @@ -2606,8 +2277,6 @@ static void common_table_name_int(const char *table_name[__TSG_OBJ_MAX]) table_name[TSG_OBJ_SSL_ESNI]="ATTR_SSL_ESNI"; table_name[TSG_OBJ_SSL_NO_SNI]="ATTR_SSL_NO_SNI"; table_name[TSG_OBJ_TUNNEL_LEVEL]="ATTR_TUNNEL_LEVEL"; - table_name[TSG_OBJ_INTERNAL_ASN]="ATTR_INTERNAL_ASN"; - table_name[TSG_OBJ_EXTERNAL_ASN]="ATTR_EXTERNAL_ASN"; table_name[TSG_OBJ_TUNNEL_GTP_ENDPOINT]="ATTR_TUNNEL_GTP_ENDPOINT"; table_name[TSG_OBJ_TUNNEL_GRE_ENDPOINT]="ATTR_TUNNEL_GRE_ENDPOINT"; table_name[TSG_OBJ_TUNNEL_IP_IN_IP_ENDPOINT]="ATTR_TUNNEL_IP_IN_IP_ENDPOINT"; 
@@ -2620,7 +2289,7 @@ int maat_complie_plugin_table_init(int vsys_id, int compile_type_id) const char *table_name=NULL; const char *conjunction_table_name_map[] = {"SECURITY_COMPILE_CONJUNCTION", "PXY_CTRL_COMPILE_CONJUNCTION", "TRAFFIC_SHAPING_COMPILE_CONJUNCTION", - "SERVICE_CHAINING_COMPILE_CONJUNCTION", "PXY_INTERCEPT_COMPILE_CONJUNCTION","STATISTICS_COMPILE_CONJUNCTION", + "SERVICE_CHAINING_COMPILE_CONJUNCTION", "PXY_INTERCEPT_COMPILE_CONJUNCTION","STATISTICS_COMPILE_CONJUNCTION", "MONITOR_COMPILE_CONJUNCTION", "DOS_PROTECTION_COMPILE_CONJUNCTION", "TUNNEL_COMPILE_CONJUNCTION"}; table_name = conjunction_table_name_map[compile_type_id]; @@ -2719,23 +2388,7 @@ int maat_table_init(struct verify_policy * verify, const char* profile_path) } } - for(int i = PROFILE_ASN_USER_DEFINED; i < PROFILE_FQDN_CAT_USER_DEFINED && g_policy_rt->load_ip_location; i++) - { - ret = maat_ip_table_init(i, vsys_id, ip_table_free_cb, ip_table_dup_cb); - if(ret<0) - { - goto error_out; - } - } - for(int i = PROFILE_FQDN_CAT_USER_DEFINED; i <= PROFILE_FQDN_CAT_BUILT_IN && g_policy_rt->load_fqdn_cat; i++) - { - ret = maat_plugin_table_ex_init(i, vsys_id, fqdn_cat_new_data, fqdn_cat_free_data, fqdn_cat_dup_data); - if(ret<0) - { - goto error_out; - } - } - for(int i=PROFILE_TUNNEL_CATALOG; i <=PROFILE_TUNNEL_LABEL; i++) + for(int i=0; i <=PROFILE_TUNNEL_LABEL; i++) { ret = maat_tunnel_table_init(i, vsys_id, tunnel_table_free_data, tunnel_table_dup_data); if(ret<0) 
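Review bot: The tunnel-table loop now starts at `i=0` instead of `PROFILE_TUNNEL_CATALOG`, so maat_tunnel_table_init runs for every profile id up to PROFILE_TUNNEL_LABEL; that is only right if no non-tunnel profile (PROFILE_FQDN_ENTRY, PROFILE_IP_ADDR_ENTRY, PROFILE_LIBRARY_TAG, PROFILE_APP_DI_DICT, or whatever remains of the deleted ASN/FQDN_CAT ids) sorts below PROFILE_TUNNEL_LABEL in the enum, and the enum is not part of this diff. Either keep the explicit lower bound, `for(int i=PROFILE_TUNNEL_CATALOG; i <=PROFILE_TUNNEL_LABEL; i++)`, or make the assumption checkable with `static_assert(PROFILE_TUNNEL_CATALOG == 0, "tunnel profiles must lead the enum");`. maat_table_init continues outside the hunk.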
@@ -2743,19 +2396,29 @@ int maat_table_init(struct verify_policy * verify, const char* profile_path) goto error_out; } } + ret = maat_plugin_table_ex_init(PROFILE_APP_DI_DICT, vsys_id, app_dict_table_new_cb, app_dict_table_free_cb, app_dict_table_dup_cb); if(ret<0) { goto error_out; } - - for(int i=PROFILE_FQDN_ENTRY; i <=PROFILE_IP_ADDR_ENTRY; i++) + + ret = maat_plugin_table_ex_init(PROFILE_FQDN_ENTRY, vsys_id, library_entry_new_cb, library_entry_free_cb, library_entry_dup_cb); + if(ret<0) { - ret = maat_plugin_table_ex_init(i, vsys_id, library_search_new_cb, library_search_free_cb, library_search_dup_cb); - if(ret<0) - { - goto error_out; - } + goto error_out; + } + + ret = maat_plugin_table_ex_init(PROFILE_IP_ADDR_ENTRY, vsys_id, library_entry_new_cb, library_entry_free_cb, library_entry_dup_cb); + if(ret<0) + { + goto error_out; + } + + ret = maat_plugin_table_ex_init(PROFILE_LIBRARY_TAG, vsys_id, library_tag_new_cb, library_tag_free_cb, library_tag_dup_cb); + if(ret<0) + { + goto error_out; } } ret = 0; diff --git a/platform/src/verify_policy.cpp b/platform/src/verify_policy.cpp index 7d67cae..47ba8a1 100644 --- a/platform/src/verify_policy.cpp +++ b/platform/src/verify_policy.cpp @@ -15,6 +15,7 @@ #include #include #include +#include #include #include @@ -105,9 +106,7 @@ int protoco_field_type_str2idx(const char *action_str, char *buff, char **p) table_name[TSG_OBJ_HTTP_RES_HDR] = "ATTR_HTTP_RES_HDR"; table_name[TSG_OBJ_HTTP_RES_BODY] = "ATTR_HTTP_RES_BODY"; table_name[TSG_OBJ_SSL_CN] = "ATTR_SSL_CN"; - table_name[TSG_OBJ_SSL_CN_CAT] = "ATTR_SSL_CN_CAT"; table_name[TSG_OBJ_SSL_SAN] = "ATTR_SSL_SAN"; - table_name[TSG_OBJ_SSL_SAN_CAT] = "ATTR_SSL_SAN_CAT"; table_name[TSG_OBJ_DOH_QNAME]="ATTR_DOH_QNAME"; table_name[TSG_OBJ_DNS_QNAME] = "ATTR_DNS_QNAME"; table_name[TSG_OBJ_MAIL_ACCOUNT] = "ATTR_MAIL_ACCOUNT"; 
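Review bot: The three new `maat_plugin_table_ex_init` calls create the FQDN-entry, IP-entry and library-tag tables unconditionally, while their consumers in this same commit still return early on `!g_policy_rt->load_ip_location` (ip_entry_scan) and `!g_policy_rt->load_fqdn_cat` (get_fqdn_category_id); the removed loops tied table creation to those flags, so it is now unclear whether they gate loading or only scanning. A one-line comment, e.g. `/* entry/tag tables are always created; load_ip_location / load_fqdn_cat only gate scanning */`, or an `if (g_policy_rt->load_ip_location)` around the IP-entry init, would settle it. maat_table_init continues outside this hunk.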
@@ -128,18 +127,7 @@ int protoco_field_type_str2idx(const char *action_str, char *buff, char **p) table_name[TSG_OBJ_TUNNEL]="ATTR_TUNNEL", table_name[TSG_OBJ_FLAG]="ATTR_FLAG"; table_name[TSG_OBJ_GTP_IMEI]="ATTR_GTP_IMEI"; - table_name[TSG_OBJ_IP_SRC_ASN]="ATTR_SOURCE_ASN"; - table_name[TSG_OBJ_IP_DST_ASN]="ATTR_DESTINATION_ASN"; - table_name[TSG_OBJ_IP_SRC_GEO_COUNTRY]="ATTR_SOURCE_GEO_COUNTRY"; - table_name[TSG_OBJ_IP_SRC_GEO_SUPER_ADMINISTRATIVE_AREA]="ATTR_SOURCE_GEO_SUPER_ADMINISTRATIVE_AREA"; - table_name[TSG_OBJ_IP_SRC_GEO_ADMINISTRATIVE_AREA]="ATTR_SOURCE_GEO_ADMINISTRATIVE_AREA"; - table_name[TSG_OBJ_IP_SRC_GEO_SUB_ADMINISTRATIVE_AREA]="ATTR_SOURCE_GEO_SUB_ADMINISTRATIVE_AREA"; - table_name[TSG_OBJ_IP_DST_GEO_COUNTRY]="ATTR_DESTINATION_GEO_COUNTRY"; - table_name[TSG_OBJ_IP_DST_GEO_SUPER_ADMINISTRATIVE_AREA]="ATTR_DESTINATION_GEO_SUPER_ADMINISTRATIVE_AREA"; - table_name[TSG_OBJ_IP_DST_GEO_ADMINISTRATIVE_AREA]="ATTR_DESTINATION_GEO_ADMINISTRATIVE_AREA"; - table_name[TSG_OBJ_IP_DST_GEO_SUB_ADMINISTRATIVE_AREA]="ATTR_DESTINATION_GEO_SUB_ADMINISTRATIVE_AREA"; table_name[TSG_OBJ_DST_SERVER_FQDN]="ATTR_SERVER_FQDN"; - table_name[TSG_OBJ_DST_SERVER_FQDN_CAT]="ATTR_SERVER_FQDN_CAT"; table_name[TSG_OBJ_INTERNAL_ADDR]="ATTR_INTERNAL_IP"; table_name[TSG_OBJ_EXTERNAL_ADDR]="ATTR_EXTERNAL_IP"; table_name[TSG_OBJ_SOURCE_PORT]="ATTR_SOURCE_PORT"; @@ -151,12 +139,10 @@ int protoco_field_type_str2idx(const char *action_str, char *buff, char **p) table_name[TSG_OBJ_SSL_ESNI]="ATTR_SSL_ESNI"; table_name[TSG_OBJ_SSL_NO_SNI]="ATTR_SSL_NO_SNI"; table_name[TSG_OBJ_TUNNEL_LEVEL]="ATTR_TUNNEL_LEVEL"; - table_name[TSG_OBJ_INTERNAL_ASN]="ATTR_INTERNAL_ASN"; - table_name[TSG_OBJ_EXTERNAL_ASN]="ATTR_EXTERNAL_ASN"; table_name[TSG_OBJ_TUNNEL_GTP_ENDPOINT]="ATTR_TUNNEL_GTP_ENDPOINT"; table_name[TSG_OBJ_TUNNEL_GRE_ENDPOINT]="ATTR_TUNNEL_GRE_ENDPOINT"; table_name[TSG_OBJ_TUNNEL_IP_IN_IP_ENDPOINT]="ATTR_TUNNEL_IP_IN_IP_ENDPOINT"; - + size_t i = 0; for (i = 0; i < __TSG_OBJ_MAX; i++) { 
@@ -234,7 +220,7 @@ struct ipaddr *tunnel_to_stream_addr(const char *Ip, int addr_type) inet_pton(AF_INET6,Ip,&(v6_addr->saddr)); ip_addr->v6=v6_addr; } - log_debug(g_verify_proxy->logger, MODULE_VERIFY_POLICY, "[I] attributeName = ip, clientIp1=%s, addr_type = %d", Ip, addr_type); + log_debug(g_verify_proxy->logger, MODULE_VERIFY_POLICY, "[I] attribute_name = ip, clientIp1=%s, addr_type = %d", Ip, addr_type); return ip_addr; } @@ -266,7 +252,7 @@ static struct ipaddr * get_ip_from_json(cJSON *attributeValue, const char *attri if(attributeName==NULL) { - log_fatal(g_verify_proxy->logger, MODULE_VERIFY_POLICY, "The attributeType is of type iP, but the attributeName is empty, resulting in IP type parsing failure."); + log_fatal(g_verify_proxy->logger, MODULE_VERIFY_POLICY, "The attribute_type is of type iP, but the attribute_name is empty, resulting in IP type parsing failure."); return NULL; } @@ -276,7 +262,7 @@ static struct ipaddr * get_ip_from_json(cJSON *attributeValue, const char *attri if(item && item->type==cJSON_String) Port =atoi(item->valuestring); item = cJSON_GetObjectItem(attributeValue,"protocol"); if(item && item->type==cJSON_Number) *protocol = item->valueint; - item=cJSON_GetObjectItem(attributeValue,"addrType"); + item=cJSON_GetObjectItem(attributeValue,"addr_type"); if(item && item->type==cJSON_Number) addr_type = item->valueint; if(strcasecmp(attributeName, "ip_protocol") == 0) @@ -305,7 +291,7 @@ static char* get_port_from_json(cJSON *attributeValue, int *protocol, char *buff char *string=NULL; item = cJSON_GetObjectItem(attributeValue,"port"); - if(item && item->type==cJSON_String) + if(item && item->type==cJSON_String) { string = item->valuestring; } 
@@ -321,7 +307,7 @@ static char* get_port_from_json(cJSON *attributeValue, int *protocol, char *buff static inline int match_attributeType_in_numeric(const char *attribute_type, int table_id) { - if(0 == strcasecmp(attribute_type, "numeric") || 0 == strcasecmp(attribute_type, "flag") || + if(0 == strcasecmp(attribute_type, "numeric") || 0 == strcasecmp(attribute_type, "flag") || 0 == strcasecmp(attribute_type, "boolean") || table_id == TSG_OBJ_IP_PROTOCOL) { return 1; @@ -340,22 +326,22 @@ static int get_attribute_from_json(int curr_id, cJSON* subchild, struct verify_p cJSON* item = NULL, *attributeValue=NULL, *tunnelType_item=NULL; p = buff; - item = cJSON_GetObjectItem(subchild, "attributeType"); + item = cJSON_GetObjectItem(subchild, "attribute_type"); if(item && item->type==cJSON_String) { attribute_type = item->valuestring; - p += snprintf(p, sizeof(buff) - (p - buff), "attributeType = %s", attribute_type); + p += snprintf(p, sizeof(buff) - (p - buff), "attribute_type = %s", attribute_type); } - item = cJSON_GetObjectItem(subchild, "attributeName"); + item = cJSON_GetObjectItem(subchild, "attribute_name"); if(item && item->type==cJSON_String) { policy_query->request_object[curr_id].attri_name = item->valuestring; - p += snprintf(p, sizeof(buff) - (p - buff), ", attributeName = %s",policy_query->request_object[curr_id].attri_name); + p += snprintf(p, sizeof(buff) - (p - buff), ", attribute_name = %s",policy_query->request_object[curr_id].attri_name); } policy_query->request_object[curr_id].attributes=cJSON_Duplicate(subchild, 1); - item = cJSON_GetObjectItem(subchild, "tableName"); + item = cJSON_GetObjectItem(subchild, "table_name"); if(item && item->type==cJSON_String) { policy_query->request_object[curr_id].table_id = protoco_field_type_str2idx(item->valuestring, buff, &p); 
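Review bot: Each `p += snprintf(p, sizeof(buff) - (p - buff), ...)` in the get_attribute_from_json hunk advances `p` by the length snprintf *wanted* to write, so once `attribute_type` or `attribute_name` (both copied from the request body) exceeds the remaining room, `p` lands past the end of `buff` and the next call's `sizeof(buff) - (p - buff)` wraps to a huge size_t; the key renames keep that pattern exactly as it was. `buff` is declared above the hunk, so its size is not visible here, but the fix does not depend on it: check the return value and pin `p` at the terminator on truncation rather than trusting the count. get_attribute_from_json starts before and continues after this hunk, and `protoco_field_type_str2idx(item->valuestring, buff, &p)` presumably appends the same way, so it should take the same treatment. A small helper keeps the call sites readable:
```c
/* Append one "fmt % val" field to the log line in buff, never moving *p past the NUL. */
static void append_log_field(char *buff, size_t buff_sz, char **p, const char *fmt, const char *val)
{
    size_t left = buff_sz - (size_t)(*p - buff);
    int w = snprintf(*p, left, fmt, val);
    if (w < 0 || (size_t)w >= left) {
        *p = buff + buff_sz - 1;    /* truncated: pin p at the terminator so later appends are no-ops */
    } else {
        *p += w;
    }
}

/* … unchanged: start of get_attribute_from_json … */
    item = cJSON_GetObjectItem(subchild, "attribute_type");
    if(item && item->type==cJSON_String)
    {
        attribute_type = item->valuestring;
        append_log_field(buff, sizeof(buff), &p, "attribute_type = %s", attribute_type);
    }
    /* … unchanged: the attribute_name and tunnel_type sites use the same helper … */
```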
@@ -366,17 +352,17 @@ static int get_attribute_from_json(int curr_id, cJSON* subchild, struct verify_p } } - attributeValue = cJSON_GetObjectItem(subchild, "attributeValue"); + attributeValue = cJSON_GetObjectItem(subchild, "atrribute_value"); if(attributeValue == NULL || attributeValue->type!=cJSON_Object) { goto finish; } - tunnelType_item = cJSON_GetObjectItem(attributeValue,"tunnelType"); + tunnelType_item = cJSON_GetObjectItem(attributeValue,"tunnel_type"); if(tunnelType_item && tunnelType_item->type==cJSON_String) { policy_query->request_object[curr_id].tunnel_type=tunnelType_item->valuestring; - p += snprintf(p, sizeof(buff) - (p - buff), ", tunnelType=%s",policy_query->request_object[curr_id].tunnel_type); + p += snprintf(p, sizeof(buff) - (p - buff), ", tunnel_type=%s",policy_query->request_object[curr_id].tunnel_type); } if(0 == strcasecmp(attribute_type, "ip")) @@ -386,7 +372,7 @@ static int get_attribute_from_json(int curr_id, cJSON* subchild, struct verify_p } if(0 == strcasecmp(attribute_type, "port")) { - policy_query->request_object[curr_id].string = get_port_from_json(attributeValue, &(policy_query->request_object[curr_id].numeric), buff); + policy_query->request_object[curr_id].string = get_port_from_json(attributeValue, &(policy_query->request_object[curr_id].numeric), buff); goto end; } @@ -428,7 +414,7 @@ enum verify_type get_verify_type(cJSON* http_respone) cJSON *item = NULL; enum verify_type type = VERIFY_TYPE_POLICY; - item = cJSON_GetObjectItem(http_respone,"verifyType"); + item = cJSON_GetObjectItem(http_respone,"verify_type"); if(item && item->type==cJSON_String) { if(0 == strcasecmp(item->valuestring, "policy")) @@ -440,7 +426,7 @@ enum verify_type get_verify_type(cJSON* http_respone) { type = VERIFY_TYPE_REGEX; } - log_info(g_verify_proxy->logger, MODULE_VERIFY_POLICY, "[I] verifyType= %s", item->valuestring); + log_info(g_verify_proxy->logger, MODULE_VERIFY_POLICY, "[I] verify_type= %s", item->valuestring); } return type; } 
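Review bot: `cJSON_GetObjectItem(subchild, "atrribute_value")` misspells the key; every other key in this commit is renamed to a consistent snake_case form (`attribute_type`, `attribute_name`, `table_name`, `tunnel_type`), so a client that sends `attribute_value` gets NULL here, drops into `goto finish`, and the attribute is verified with no value at all — the line should read `attributeValue = cJSON_GetObjectItem(subchild, "attribute_value");`. Separately, `strcasecmp(attribute_type, "ip")` runs even when the `attribute_type` key was absent from the request; `attribute_type` is declared above the hunk, and if it starts out NULL that is a crash on a malformed request, so an early `if (attribute_type == NULL) goto finish;` before the first strcasecmp would be worth adding. get_attribute_from_json starts before and continues after this hunk.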
@@ -451,7 +437,7 @@ static int get_query_result_regex(cJSON *verifylist_array_item, cJSON *http_body cJSON *regexstr_obj[32],*attributes=NULL; cJSON *item = NULL, *subchild = NULL; - attributes = cJSON_GetObjectItem(verifylist_array_item, "verifyRegex"); + attributes = cJSON_GetObjectItem(verifylist_array_item, "verify_regex"); if(attributes==NULL || attributes->type != cJSON_Array) { return -1; @@ -459,7 +445,7 @@ static int get_query_result_regex(cJSON *verifylist_array_item, cJSON *http_body for (subchild = attributes->child; subchild != NULL; subchild = subchild->next) { - item = cJSON_GetObjectItem(subchild, "regexStr"); + item = cJSON_GetObjectItem(subchild, "regex_str"); if(item && item->type==cJSON_String) { is_valid[cur_id] = policy_verify_regex_expression(item->valuestring); @@ -471,12 +457,12 @@ static int get_query_result_regex(cJSON *verifylist_array_item, cJSON *http_body cJSON *verify_regex_obj=NULL; cJSON *verifyRegex=cJSON_CreateArray(); - cJSON_AddItemToObject(http_body, "verifyRegex", verifyRegex); + cJSON_AddItemToObject(http_body, "verify_regex", verifyRegex); for (i = 0; i < cur_id; i++) { verify_regex_obj=cJSON_CreateObject(); - cJSON_AddItemToObject(verify_regex_obj, "regexStr", regexstr_obj[i]); - cJSON_AddNumberToObject(verify_regex_obj, "isValid", is_valid[i]); + cJSON_AddItemToObject(verify_regex_obj, "regex_str", regexstr_obj[i]); + cJSON_AddNumberToObject(verify_regex_obj, "is_valid", is_valid[i]); cJSON_AddItemToArray(verifyRegex, verify_regex_obj); } return 1; @@ -486,7 +472,7 @@ static void get_count_form_attributeName(void *ctx, cJSON *subchild) { cJSON *item = NULL; - item = cJSON_GetObjectItem(subchild, "attributeName"); + item = cJSON_GetObjectItem(subchild, "attribute_name"); if(item && item->type==cJSON_String) { if(0 == strcasecmp(item->valuestring, "tunnel_endpointa")) 
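Review bot: `is_valid[cur_id] = policy_verify_regex_expression(item->valuestring)` indexes fixed-size arrays (`regexstr_obj[32]` is visible in the preceding hunk of the same function) with a counter driven by however many elements the request's `verify_regex` array contains, and no bound on `cur_id` is visible in this hunk; unless one exists below, where `cur_id` is incremented, a request with more than 32 entries writes past the arrays. A guard before the assignment, `if (cur_id >= 32) break;`, with 32 hoisted into a named constant shared by both array declarations, closes that. The regex text itself is caller-controlled too, so whatever policy_verify_regex_expression compiles should have a length cap; that function is not in view. get_query_result_regex continues past this hunk.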
@@ -503,7 +489,7 @@ static void get_count_form_attributeName(void *ctx, cJSON *subchild) int get_query_result_policy(cJSON *verifylist_array_item, cJSON *http_body, int thread_id) { - int i = 0; + int attribute_num = 0; int hit_cnt = 0, xret =0; cJSON *item = NULL, *subchild = NULL, *attributes=NULL; struct verify_policy_query *verify_policy = NULL; @@ -520,14 +506,14 @@ int get_query_result_policy(cJSON *verifylist_array_item, cJSON *http_body, int } } - item = cJSON_GetObjectItem(verifylist_array_item, "vsysId"); + item = cJSON_GetObjectItem(verifylist_array_item, "vsys_id"); if(item && item->type==cJSON_Number) { verify_policy->vsys_id = item->valueint; } - log_info(g_verify_proxy->logger, MODULE_VERIFY_POLICY, "[I] vsysId= %d", verify_policy->vsys_id); + log_info(g_verify_proxy->logger, MODULE_VERIFY_POLICY, "[I] vsys_id= %d", verify_policy->vsys_id); - item = cJSON_GetObjectItem(verifylist_array_item,"verifySession"); + item = cJSON_GetObjectItem(verifylist_array_item,"verify_session"); if(item == NULL || item->type!=cJSON_Object) { goto free; 
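Review bot: `verify_policy->vsys_id = item->valueint` accepts any number from the request body, including negatives, while the library-search path in this same file (get_library_search_query, further down) rejects `vsys_id < 0` with a log_fatal; the two entry points should agree, since the value goes straight into policy_verify_scan. The minimal change is `if(item && item->type==cJSON_Number) { if (item->valueint < 0) goto free; verify_policy->vsys_id = item->valueint; }`. If vsys_id is used as an index into a per-vsys table elsewhere, an upper bound belongs here as well — that is not visible from this hunk. get_query_result_policy starts in this hunk and continues after it.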
@@ -545,33 +531,33 @@ int get_query_result_policy(cJSON *verifylist_array_item, cJSON *http_body, int for (subchild = attributes->child; subchild != NULL; subchild = subchild->next) { - xret = get_attribute_from_json(i, subchild, verify_policy); + xret = get_attribute_from_json(attribute_num, subchild, verify_policy); if (xret < 0) { goto free; } - hit_cnt = policy_verify_scan(verify_policy->vsys_id, verify_policy->compile_table_id, &verify_policy->request_object[i], ctx); - if(match_ip_attribute_name(verify_policy->request_object[i].attri_name) >= 0) + hit_cnt = policy_verify_scan(verify_policy->vsys_id, verify_policy->compile_table_id, &verify_policy->request_object[attribute_num], ctx); + if(match_ip_attribute_name(verify_policy->request_object[attribute_num].attri_name) >= 0) { - ipaddr_free(verify_policy->request_object[i].ip_addr); + ipaddr_free(verify_policy->request_object[attribute_num].ip_addr); } - i++; + attribute_num++; } - http_hit_policy_list(verify_policy, i, hit_cnt, http_body, ctx); + http_hit_policy_list(verify_policy, attribute_num, hit_cnt, http_body, ctx); int item = 0; cJSON *verfifySession = cJSON_CreateObject(); - cJSON_AddItemToObject(http_body, "verifySession", verfifySession); + cJSON_AddItemToObject(http_body, "verify_session", verfifySession); cJSON *attributes=cJSON_CreateArray(); cJSON_AddItemToObject(verfifySession, "attributes", attributes); - for (item = 0; item < i; item++) + for (item = 0; item < attribute_num; item++) { http_get_scan_status(&verify_policy->request_object[item], verify_policy->compile_table_id, attributes, http_body, ctx); } policy_scan_ctx_free(ctx); } - i=0; + attribute_num=0; free: if (verify_policy) { 
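Review bot: `attribute_num` is incremented once per element of the request's attributes array and used to index `verify_policy->request_object[attribute_num]` with no bound check anywhere in this hunk; if request_object is a fixed-size array (its declaration is not in view) a request with enough attributes writes past it, so a guard at the top of the loop body, `if (attribute_num >= (int)(sizeof(verify_policy->request_object) / sizeof(verify_policy->request_object[0]))) goto free;`, is cheap insurance. `int item = 0;` shadows the `cJSON *item` declared at the top of the function; renaming it to `idx` avoids a -Wshadow trap. `hit_cnt` is also overwritten on every iteration, so http_hit_policy_list only ever sees the last attribute's scan result — confirm that is intended rather than an accumulated count. get_query_result_policy starts before and ends after this hunk.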
@@ -603,7 +589,7 @@ cJSON *get_verify_policy_query(const char *data, ssize_t data_len, int thread_id int type=get_verify_type(http_request); cJSON *item = NULL, *subitem = NULL; - item = cJSON_GetObjectItem(http_request,"verifyList"); + item = cJSON_GetObjectItem(http_request,"verify_list"); if(item && item->type==cJSON_Array) { for (subitem = item->child; subitem != NULL; subitem = subitem->next) @@ -646,9 +632,9 @@ int http_get_headers(struct evhttp_request *evh_req, struct evkeyvalq *headers) int http_get_int_param(struct evhttp_request *evh_req, const char *key) { - int xret=-1; + int xret=-1, vsys_id=-1; struct evkeyvalq headers; - + xret = http_get_headers(evh_req, &headers); if(xret != 0) { @@ -657,10 +643,10 @@ int http_get_int_param(struct evhttp_request *evh_req, const char *key) const char *value = evhttp_find_header(&headers, key); if (value) { - xret = atoi(value); + vsys_id = atoi(value); } evhttp_clear_headers(&headers); - return xret; + return vsys_id; } char *http_get_string_param(struct evhttp_request *evh_req, const char *key) @@ -692,8 +678,8 @@ int get_ip_type(const char *ip) if (inet_pton(AF_INET, ip, &(sa.sin_addr)) > 0) { addr_type = 4; - } - else if (inet_pton(AF_INET6, ip, &(sa6.sin6_addr)) > 0) + } + else if (inet_pton(AF_INET6, ip, &(sa6.sin6_addr)) > 0) { addr_type = 6; } @@ -716,6 +702,7 @@ cJSON *get_library_search_query(struct evhttp_request *evh_req) int vsys_id = http_get_int_param(evh_req, "vsys_id"); if(vsys_id < 0) { + log_fatal(g_verify_proxy->logger, MODULE_VERIFY_POLICY, "invalid vsys_id"); return NULL; } @@ -776,7 +763,7 @@ void verify_policy_request_cb(struct evhttp_request *evh_req, void *arg) struct evbuffer * evbuf_body = NULL; char *input = NULL; ssize_t inputlen=0; - struct verify_policy_thread *thread_ctx = (struct verify_policy_thread *)arg; + struct verify_policy_thread *thread = (struct verify_policy_thread *)arg; if (evhttp_request_get_command(evh_req) != EVHTTP_REQ_POST) { 
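Review bot: `vsys_id = atoi(value)` in http_get_int_param cannot distinguish a malformed header from a legitimate 0 — `atoi("abc")` is 0, which passes the `vsys_id < 0` check in get_library_search_query below — and it silently wraps on overflow; the rename from `xret` to `vsys_id` does not change that, and the new name is misleading in a function that takes an arbitrary `key`. Parse with strtol and reject anything that is not a complete in-range integer, which also removes the need for a variable named after one caller's use. The function's error branch between the two hunks is not in view; strtol needs `<errno.h>` and `<limits.h>`, which I cannot confirm are included.
```c
int http_get_int_param(struct evhttp_request *evh_req, const char *key)
{
    int xret = -1, result = -1;
    /* … unchanged: http_get_headers() call and its error branch … */
    const char *value = evhttp_find_header(&headers, key);
    if (value) {
        char *end = NULL;
        errno = 0;
        long v = strtol(value, &end, 10);
        /* empty string, trailing junk, ERANGE, or out of int range all stay -1 */
        if (end != value && *end == '\0' && errno == 0 && v >= INT_MIN && v <= INT_MAX) {
            result = (int)v;
        }
    }
    evhttp_clear_headers(&headers);
    return result;
}
```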
@@ -792,7 +779,7 @@ void verify_policy_request_cb(struct evhttp_request *evh_req, void *arg) goto error; } - http_payload = get_verify_policy_query(input, inputlen, thread_ctx->id); + http_payload = get_verify_policy_query(input, inputlen, thread->id); if(http_payload == NULL) { goto error; 
@@ -847,163 +834,92 @@ finish: void * verify_policy_thread_func(void * arg) { struct evhttp_bound_socket *bound = NULL; - struct verify_policy_thread *thread_ctx = (struct verify_policy_thread *)arg; + struct verify_policy_thread *thread = (struct verify_policy_thread *)arg; - thread_ctx->base = event_base_new(); - if (! thread_ctx->base) + thread->http = evhttp_new(thread->base); + if (!thread->http) { - log_fatal(g_verify_proxy->logger, MODULE_VERIFY_POLICY, "Can'thread_ctx allocate event base"); - goto finish; - } - thread_ctx->http = evhttp_new(thread_ctx->base); - if (!thread_ctx->http) - { - log_fatal(g_verify_proxy->logger, MODULE_VERIFY_POLICY, "couldn'thread_ctx create evhttp. Exiting."); + log_fatal(g_verify_proxy->logger, MODULE_VERIFY_POLICY, "couldn'thread create evhttp. Exiting."); goto error; } - evhttp_set_cb(thread_ctx->http, "/v1/policy/trouble_shooting/policy_verification", verify_policy_request_cb, thread_ctx); - evhttp_set_cb(thread_ctx->http, "/v1/policy/trouble_shooting/library_search", library_search_request_cb, thread_ctx); + evhttp_set_cb(thread->http, "/v1/policy/trouble_shooting/policy_verification", verify_policy_request_cb, thread); + evhttp_set_cb(thread->http, "/v1/policy/trouble_shooting/library_search", library_search_request_cb, thread); - bound = evhttp_accept_socket_with_handle(thread_ctx->http, thread_ctx->accept_fd); + bound = evhttp_accept_socket_with_handle(thread->http, thread->accept_fd); if (bound == NULL) { goto error; } - log_fatal(g_verify_proxy->logger, MODULE_VERIFY_POLICY, "Work thread %u is run...", thread_ctx->id); + log_fatal(g_verify_proxy->logger, MODULE_VERIFY_POLICY, "Work thread %u is run...", thread->id); - event_base_dispatch(thread_ctx->base); + event_base_dispatch(thread->base); error: - event_base_free(thread_ctx->base); -finish: + event_base_free(thread->base); return NULL; } -static int -evutil_fast_socket_nonblocking(evutil_socket_t fd) +int create_and_listen_socket(const struct sockaddr *sa, int 
socklen, int backlog) { -#ifdef _WIN32 - return evutil_make_socket_nonblocking(fd); -#else - if (fcntl(fd, F_SETFL, O_NONBLOCK) == -1) { - return -1; - } - return 0; -#endif -} + int fd; + int on = 1; + int family = sa ? sa->sa_family : AF_UNSPEC; + int socktype = SOCK_STREAM | EVUTIL_SOCK_NONBLOCK; -static int -evutil_fast_socket_closeonexec(evutil_socket_t fd) -{ -#if !defined(_WIN32) && defined(EVENT__HAVE_SETFD) - if (fcntl(fd, F_SETFD, FD_CLOEXEC) == -1) { - return -1; - } -#endif - return 0; -} - -evutil_socket_t -evutil_socket_(int domain, int type, int protocol) -{ - evutil_socket_t r; -#if defined(SOCK_NONBLOCK) && defined(SOCK_CLOEXEC) - r = socket(domain, type, protocol); - if (r >= 0) - return r; - else if ((type & (SOCK_NONBLOCK|SOCK_CLOEXEC)) == 0) - return -1; -#endif -#define SOCKET_TYPE_MASK (~(EVUTIL_SOCK_NONBLOCK|EVUTIL_SOCK_CLOEXEC)) - r = socket(domain, type & SOCKET_TYPE_MASK, protocol); - if (r < 0) - return -1; - if (type & EVUTIL_SOCK_NONBLOCK) { - if (evutil_fast_socket_nonblocking(r) < 0) { - evutil_closesocket(r); - return -1; - } - } - if (type & EVUTIL_SOCK_CLOEXEC) { - if (evutil_fast_socket_closeonexec(r) < 0) { - evutil_closesocket(r); - return -1; - } - } - return r; -} - -static evutil_socket_t -evhttp_listen_socket_byuser(const struct sockaddr *sa, int socklen, - unsigned flags, int backlog) -{ - evutil_socket_t fd; - int on = 1; - int family = sa ? 
sa->sa_family : AF_UNSPEC; - int socktype = SOCK_STREAM | EVUTIL_SOCK_NONBLOCK; - - if (flags & LEV_OPT_CLOSE_ON_EXEC) - socktype |= EVUTIL_SOCK_CLOEXEC; - - fd = evutil_socket_(family, socktype, 0); - if (fd == -1) - return fd; - - if (setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, (void*)&on, sizeof(on))<0) - goto err; - if (flags & LEV_OPT_REUSEABLE) { - if (evutil_make_listen_socket_reuseable(fd) < 0) - goto err; - } - if (flags & LEV_OPT_REUSEABLE_PORT) { - if (evutil_make_listen_socket_reuseable_port(fd) < 0){ - goto err; - } - } - if (sa) { - if (bind(fd, sa, socklen)<0) - goto err; - } - if (listen(fd, backlog) == -1) { - goto err; + fd = socket(family, socktype, 0); + if (fd == -1) + { + return fd; } - return fd; -err: - evutil_closesocket(fd); - return fd; + + if (setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, &on, sizeof(on)) != 0 || + setsockopt(fd, SOL_SOCKET, SO_REUSEPORT, &on, sizeof(on)) != 0) + { + evutil_closesocket(fd); + return -1; + } + + if (bind(fd, sa, socklen) < 0) + { + evutil_closesocket(fd); + return -1; + } + + listen(fd, backlog); + return fd; } int verify_policy_work_thread_run(struct verify_policy * verify) { int xret = 0; - unsigned int tid = 0; - struct verify_policy_thread *thread_ctx = NULL; + struct verify_policy_thread *thread = NULL; struct sockaddr_in sin; memset(&sin, 0, sizeof(struct sockaddr_in)); sin.sin_family = AF_INET; sin.sin_port = htons(verify->listen_port); - evutil_socket_t accept_fd = evhttp_listen_socket_byuser((struct sockaddr*)&sin, sizeof(struct sockaddr_in),LEV_OPT_REUSEABLE_PORT|LEV_OPT_CLOSE_ON_FREE, -1); + evutil_socket_t accept_fd = create_and_listen_socket((struct sockaddr*)&sin, sizeof(struct sockaddr_in), -1); if (accept_fd < 0) { log_fatal(verify->logger, MODULE_VERIFY_POLICY, "Could not create a listen!"); goto finish; } - for (tid = 0; tid < verify->nr_work_threads; tid++) + for (unsigned tid = 0; tid < verify->nr_work_threads; tid++) { verify->work_threads[tid] = ALLOC(struct verify_policy_thread, 1); - 
thread_ctx = verify->work_threads[tid]; - thread_ctx->id = tid; - thread_ctx->accept_fd =accept_fd; - thread_ctx->routine = verify_policy_thread_func; + thread = verify->work_threads[tid]; + thread->id = tid; + thread->accept_fd = accept_fd; + thread->base = event_base_new(); + thread->routine = verify_policy_thread_func; - if (pthread_create(&thread_ctx->pid, thread_ctx->attr, thread_ctx->routine, thread_ctx)) + if (pthread_create(&thread->pid, thread->attr, thread->routine, thread)) { log_fatal(verify->logger, MODULE_VERIFY_POLICY, "%s", strerror(errno)); goto finish; } - if (pthread_detach(thread_ctx->pid)) + if (pthread_detach(thread->pid)) { log_fatal(verify->logger, MODULE_VERIFY_POLICY, "%s", strerror(errno)); goto finish; diff --git a/resource/table_info.conf b/resource/table_info.conf index c8bb0f2..305457a 100644 --- a/resource/table_info.conf +++ b/resource/table_info.conf @@ -552,18 +552,6 @@ }, { "table_id":42, - "table_name":"TSG_OBJ_FQDN_CAT", - "table_type":"interval", - "valid_column":5, - "custom": { - "item_id":1, - "group_id":2, - "low_boundary":3, - "up_boundary":4 - } - }, - { - "table_id":43, "table_name":"TSG_OBJ_KEYWORDS", "table_type":"expr", "valid_column":7, @@ -577,7 +565,7 @@ } }, { - "table_id":44, + "table_id":43, "table_name":"TSG_OBJ_HTTP_SIGNATURE", "table_type":"expr_plus", "valid_column":8, 
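Review bot: `listen(fd, backlog);` in create_and_listen_socket ignores the return value that the deleted evhttp_listen_socket_byuser checked, so a failed listen hands the worker threads a socket that never accepts, and `thread->base = event_base_new();` in verify_policy_work_thread_run likewise lost the NULL check the thread function used to perform before `evhttp_new(thread->base)`. `socket(family, SOCK_STREAM | EVUTIL_SOCK_NONBLOCK, 0)` passes a libevent flag straight to the kernel; the removed evutil_socket_ had a fallback for platforms where that flag is not SOCK_NONBLOCK, so either use `SOCK_NONBLOCK | SOCK_CLOEXEC` directly or call evutil_make_socket_nonblocking(fd) after socket(). The listener still binds with sin_addr zeroed (INADDR_ANY) and no authentication is visible on the two registered handlers, so if this troubleshooting API is meant to be local-only the bind address should be loopback or configurable — pre-existing, not introduced here. Both missing checks together:
```c
    if (bind(fd, sa, socklen) < 0 || listen(fd, backlog) < 0)
    {
        evutil_closesocket(fd);
        return -1;
    }
    return fd;
}

/* … unchanged: verify_policy_work_thread_run up to the per-thread loop … */
        thread->base = event_base_new();
        if (!thread->base)
        {
            log_fatal(verify->logger, MODULE_VERIFY_POLICY, "Can't allocate event base");
            goto finish;
        }
        thread->routine = verify_policy_thread_func;
```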
@@ -592,315 +580,139 @@ } }, { - "table_id":45, + "table_id":44, "table_name":"ATTR_HTTP_URL", "table_type":"virtual", "physical_table": "TSG_OBJ_URL" }, { - "table_id":46, + "table_id":45, "table_name":"ATTR_HTTP_REQ_HDR", "table_type":"virtual", "physical_table": "TSG_OBJ_HTTP_SIGNATURE" }, { - "table_id":47, + "table_id":46, "table_name":"ATTR_HTTP_RES_HDR", "table_type":"virtual", "physical_table": "TSG_OBJ_HTTP_SIGNATURE" }, { - "table_id":48, + "table_id":47, "table_name":"ATTR_HTTP_REQ_BODY", "table_type":"virtual", "physical_table": "TSG_OBJ_KEYWORDS" }, { - "table_id":49, + "table_id":48, "table_name":"ATTR_HTTP_RES_BODY", "table_type":"virtual", "physical_table": "TSG_OBJ_KEYWORDS" }, { - "table_id":50, + "table_id":49, "table_name":"ATTR_SSL_CN", "table_type":"virtual", "physical_table": "TSG_OBJ_FQDN" }, { - "table_id":51, - "table_name":"ATTR_SSL_CN_CAT", - "table_type":"virtual", - "physical_table": "TSG_OBJ_FQDN_CAT" - }, - { - "table_id":52, + "table_id":50, "table_name":"ATTR_SSL_SAN", "table_type":"virtual", "physical_table": "TSG_OBJ_FQDN" }, { - "table_id":53, - "table_name":"ATTR_SSL_SAN_CAT", - "table_type":"virtual", - "physical_table":"TSG_OBJ_FQDN_CAT" - }, - { - "table_id":54, + "table_id":51, "table_name":"ATTR_DNS_QNAME", "table_type":"virtual", "physical_table": "TSG_OBJ_FQDN" }, { - "table_id":55, + "table_id":52, "table_name":"ATTR_MAIL_ACCOUNT", "table_type":"virtual", "physical_table": "TSG_OBJ_ACCOUNT" }, { - "table_id":56, + "table_id":53, "table_name":"ATTR_MAIL_FROM", "table_type":"virtual", "physical_table": "TSG_OBJ_ACCOUNT" }, { - "table_id":57, + "table_id":54, "table_name":"ATTR_MAIL_TO", "table_type":"virtual", "physical_table": "TSG_OBJ_ACCOUNT" }, { - "table_id":58, + "table_id":55, "table_name":"ATTR_MAIL_SUBJECT", "table_type":"virtual", "physical_table": "TSG_OBJ_KEYWORDS" }, { - "table_id":59, + "table_id":56, "table_name":"ATTR_MAIL_CONTENT", "table_type":"virtual", "physical_table": "TSG_OBJ_KEYWORDS" }, { - 
"table_id":60, + "table_id":57, "table_name":"ATTR_MAIL_ATT_NAME", "table_type":"virtual", "physical_table": "TSG_OBJ_KEYWORDS" }, { - "table_id":61, + "table_id":58, "table_name":"ATTR_MAIL_ATT_CONTENT", "table_type":"virtual", "physical_table": "TSG_OBJ_KEYWORDS" }, { - "table_id":62, + "table_id":59, "table_name":"ATTR_FTP_URI", "table_type":"virtual", "physical_table": "TSG_OBJ_URL" }, { - "table_id":63, + "table_id":60, "table_name":"ATTR_FTP_CONTENT", "table_type":"virtual", "physical_table": "TSG_OBJ_KEYWORDS" }, { - "table_id":64, + "table_id":61, "table_name":"ATTR_FTP_ACCOUNT", "table_type":"virtual", "physical_table": "TSG_OBJ_ACCOUNT" }, { - "table_id":65, + "table_id":62, "table_name":"ATTR_SOURCE_IP", "table_type":"virtual", "physical_table": "TSG_OBJ_IP" }, { - "table_id":66, + "table_id":63, "table_name":"ATTR_DESTINATION_IP", "table_type":"virtual", "physical_table": "TSG_OBJ_IP" - }, - { - "table_id":67, - "table_name":"TSG_OBJ_IP_ASN_BUILT_IN", - "table_type":"ip_plugin", - "valid_column":9, - "custom": { - "item_id":1, - "group_id":2, - "ip_type":3, - "addr_format":4, - "start_ip":5, - "end_ip":6 - } }, { - "table_id":68, - "table_name":"TSG_OBJ_IP_ASN_USER_DEFINED", - "table_type":"ip_plugin", - "valid_column":9, - "custom": { - "item_id":1, - "group_id":2, - "ip_type":3, - "addr_format":4, - "start_ip":5, - "end_ip":6 - } - }, - { - "table_id":69, - "table_name":"TSG_IP_LOCATION_BUILT_IN", - "table_type":"ip_plugin", - "valid_column":24, - "custom": { - "item_id":1, - "ip_type":7, - "start_ip":9, - "end_ip":10, - "addr_format":8 - } - }, - { - "table_id":70, - "table_name":"TSG_IP_LOCATION_USER_DEFINED", - "table_type":"ip_plugin", - "valid_column":24, - "custom": { - "item_id":1, - "ip_type":7, - "start_ip":9, - "end_ip":10, - "addr_format":8 - } - }, - { - "table_id":71, - "table_name":"TSG_OBJ_AS_NUMBER", - "table_type":"expr", - "valid_column":7, - "custom": { - "item_id":1, - "group_id":2, - "keywords":3, - "expr_type":4, - 
"match_method":5, - "is_hexbin":6 - } - }, - { - "table_id":72, - "table_name":"ATTR_SOURCE_ASN", - "table_type":"virtual", - "physical_table": "TSG_OBJ_AS_NUMBER" - }, - { - "table_id":73, - "table_name":"ATTR_DESTINATION_ASN", - "table_type":"virtual", - "physical_table": "TSG_OBJ_AS_NUMBER" - }, - { - "table_id":74, - "table_name":"TSG_OBJ_GEO_LOCATION", - "table_type":"expr", - "valid_column":7, - "custom": { - "item_id":1, - "group_id":2, - "keywords":3, - "expr_type":4, - "match_method":5, - "is_hexbin":6 - } - }, - { - "table_id":75, - "table_name":"ATTR_SOURCE_GEO_COUNTRY", - "table_type":"virtual", - "physical_table": "TSG_OBJ_GEO_LOCATION" - }, - { - "table_id":76, - "table_name":"ATTR_SOURCE_GEO_SUPER_ADMINISTRATIVE_AREA", - "table_type":"virtual", - "physical_table": "TSG_OBJ_GEO_LOCATION" - }, - { - "table_id":77, - "table_name":"ATTR_SOURCE_GEO_ADMINISTRATIVE_AREA", - "table_type":"virtual", - "physical_table": "TSG_OBJ_GEO_LOCATION" - }, - { - "table_id":78, - "table_name":"ATTR_SOURCE_GEO_SUB_ADMINISTRATIVE_AREA", - "table_type":"virtual", - "physical_table": "TSG_OBJ_GEO_LOCATION" - }, - { - "table_id":79, - "table_name":"ATTR_DESTINATION_GEO_COUNTRY", - "table_type":"virtual", - "physical_table": "TSG_OBJ_GEO_LOCATION" - }, - { - "table_id":80, - "table_name":"ATTR_DESTINATION_GEO_SUPER_ADMINISTRATIVE_AREA", - "table_type":"virtual", - "physical_table": "TSG_OBJ_GEO_LOCATION" - }, - { - "table_id":81, - "table_name":"ATTR_DESTINATION_GEO_ADMINISTRATIVE_AREA", - "table_type":"virtual", - "physical_table": "TSG_OBJ_GEO_LOCATION" - }, - { - "table_id":82, - "table_name":"ATTR_DESTINATION_GEO_SUB_ADMINISTRATIVE_AREA", - "table_type":"virtual", - "physical_table": "TSG_OBJ_GEO_LOCATION" - }, - { - "table_id":83, - "table_name":"TSG_FQDN_CATEGORY_BUILT_IN", - "table_type":"fqdn_plugin", - "valid_column":6, - "custom": { - "item_id":1, - "suffix_match_method":4, - "fqdn":3 - } - }, - { - "table_id":84, - "table_name":"TSG_FQDN_CATEGORY_USER_DEFINED", - 
"table_type":"fqdn_plugin", - "valid_column":6, - "custom": { - "item_id":1, - "suffix_match_method":4, - "fqdn":3 - } - }, - { - "table_id":85, + "table_id":64, "table_name":"ATTR_SIP_ORIGINATOR_DESCRIPTION", "table_type":"virtual", "physical_table": "TSG_OBJ_ACCOUNT" }, { - "table_id":86, + "table_id":65, "table_name":"ATTR_SIP_RESPONDER_DESCRIPTION", "table_type":"virtual", "physical_table": "TSG_OBJ_ACCOUNT" }, { - "table_id":87, + "table_id":66, "table_name":"TSG_OBJ_IMSI", "table_type":"expr", "valid_column":7, @@ -914,7 +726,7 @@ } }, { - "table_id":88, + "table_id":67, "table_name":"TSG_OBJ_PHONE_NUMBER", "table_type":"expr", "valid_column":7, @@ -928,7 +740,7 @@ } }, { - "table_id":89, + "table_id":68, "table_name":"TSG_OBJ_APN", "table_type":"expr", "valid_column":7, @@ -942,25 +754,25 @@ } }, { - "table_id":90, + "table_id":69, "table_name":"ATTR_GTP_IMSI", "table_type":"virtual", "physical_table": "TSG_OBJ_IMSI" }, { - "table_id":91, + "table_id":70, "table_name":"ATTR_GTP_PHONE_NUMBER", "table_type":"virtual", "physical_table": "TSG_OBJ_PHONE_NUMBER" }, { - "table_id":92, + "table_id":71, "table_name":"ATTR_GTP_APN", "table_type":"virtual", "physical_table": "TSG_OBJ_APN" }, { - "table_id":93, + "table_id":72, "table_name":"TSG_TUNNEL_CATALOG", "table_type":"bool_plugin", "valid_column":6, @@ -970,7 +782,7 @@ } }, { - "table_id":94, + "table_id":73, "table_name":"TSG_TUNNEL_ENDPOINT", "table_type":"ip_plugin", "valid_column":6, @@ -982,7 +794,7 @@ } }, { - "table_id":95, + "table_id":74, "table_name":"TSG_TUNNEL_LABEL", "table_type":"plugin", "valid_column":4, @@ -993,13 +805,13 @@ } }, { - "table_id":96, + "table_id":75, "table_name":"ATTR_TUNNEL", "table_type":"virtual", "physical_table": "TSG_TUNNEL_CATALOG" }, { - "table_id":97, + "table_id":76, "table_name":"TSG_OBJ_FLAG", "table_type":"flag", "valid_column":5, 
@@ -1011,19 +823,19 @@ } }, { - "table_id":98, + "table_id":77, "table_name":"ATTR_FLAG", "table_type":"virtual", "physical_table": "TSG_OBJ_FLAG" }, { - "table_id":99, + "table_id":78, "table_name":"ATTR_DOH_QNAME", "table_type":"virtual", "physical_table": "TSG_OBJ_FQDN" }, { - "table_id":100, + "table_id":79, "table_name":"TSG_OBJ_IMEI", "table_type":"expr", "valid_column":7, @@ -1037,13 +849,13 @@ } }, { - "table_id":101, + "table_id":80, "table_name":"ATTR_GTP_IMEI", "table_type":"virtual", "physical_table": "TSG_OBJ_IMEI" }, { - "table_id":102, + "table_id":81, "table_name": "APP_ID_DICT", "table_type": "plugin", "valid_column": 19, @@ -1054,43 +866,37 @@ } }, { - "table_id":103, + "table_id":82, "table_name":"ATTR_SUBSCRIBER_ID", "table_type":"virtual", "physical_table": "TSG_OBJ_SUBSCRIBER_ID" }, { - "table_id":104, + "table_id":83, "table_name":"ATTR_APP_ID", "table_type":"virtual", "physical_table": "APP_ID_DICT" }, { - "table_id":105, + "table_id":84, "table_name": "ATTR_SERVER_FQDN", "table_type": "virtual", "physical_table": "TSG_OBJ_FQDN" }, { - "table_id":106, - "table_name": "ATTR_SERVER_FQDN_CAT", - "table_type": "virtual", - "physical_table": "TSG_OBJ_FQDN_CAT" - }, - { - "table_id":107, + "table_id":85, "table_name":"ATTR_INTERNAL_IP", "table_type":"virtual", "physical_table": "TSG_OBJ_IP" }, { - "table_id":108, + "table_id":86, "table_name":"ATTR_EXTERNAL_IP", "table_type":"virtual", "physical_table": "TSG_OBJ_IP" }, { - "table_id":109, + "table_id":87, "table_name": "TSG_IP_PROTOCOL", "table_type": "plugin", "valid_column": 4, @@ -1101,7 +907,7 @@ } }, { - "table_id":110, + "table_id":88, "table_name":"TSG_OBJ_PORT", "table_type":"interval", "valid_column":5, 
@@ -1113,91 +919,90 @@ } }, { - "table_id":111, + "table_id":89, "table_name": "ATTR_SOURCE_PORT", "table_type": "virtual", "physical_table": "TSG_OBJ_PORT" }, { - "table_id":112, + "table_id":90, "table_name": "ATTR_DESTINATION_PORT", "table_type": "virtual", "physical_table": "TSG_OBJ_PORT" }, { - "table_id":113, + "table_id":91, "table_name": "ATTR_INTERNAL_PORT", "table_type": "virtual", "physical_table": "TSG_OBJ_PORT" }, { - "table_id":114, + "table_id":92, "table_name": "ATTR_EXTERNAL_PORT", "table_type": "virtual", "physical_table": "TSG_OBJ_PORT" }, { - "table_id":115, + "table_id":93, "table_name": "ATTR_IP_PROTOCOL", "table_type": "virtual", "physical_table": "TSG_IP_PROTOCOL" }, { - "table_id":116, + "table_id":94, "table_name": "ATTR_SSL_ECH", "table_type": "virtual", "physical_table": "TSG_OBJ_FQDN" }, { - "table_id":117, + "table_id":95, "table_name": "ATTR_SSL_ESNI", "table_type": "virtual", "physical_table": "TSG_OBJ_FQDN" }, { - "table_id":118, + "table_id":96, "table_name": "ATTR_SSL_NO_SNI", "table_type": "virtual", "physical_table": "TSG_OBJ_FQDN" }, { - "table_id":119, + "table_id":97, "table_name":"ATTR_TUNNEL_LEVEL", "table_type":"virtual", "physical_table": "TSG_TUNNEL_CATALOG" }, { - "table_id":120, - "table_name":"ATTR_INTERNAL_ASN", - "table_type":"virtual", - "physical_table": "TSG_OBJ_AS_NUMBER" - }, - { - "table_id":121, - "table_name":"ATTR_EXTERNAL_ASN", - "table_type":"virtual", - "physical_table": "TSG_OBJ_AS_NUMBER" - }, - { - "table_id":122, + "table_id":98, "table_name":"ATTR_TUNNEL_GTP_ENDPOINT", "table_type":"virtual", "physical_table": "TSG_OBJ_IP" }, { - "table_id":123, + "table_id":99, "table_name":"ATTR_TUNNEL_GRE_ENDPOINT", "table_type":"virtual", "physical_table": "TSG_OBJ_IP" }, { - "table_id":124, + "table_id":100, "table_name":"ATTR_TUNNEL_IP_IN_IP_ENDPOINT", "table_type":"virtual", "physical_table": "TSG_OBJ_IP" }, { - "table_id":125, + "table_id": 101, + "table_name": "LIBRARY_TAG", + "table_type": "plugin", + 
"valid_column": 6, + "custom": { + "key": 1, + "key_type": "integer", + "key_len": 8 + } + }, + { + "table_id":102, "table_name":"FQDN_ENTRY", "table_type":"fqdn_plugin", "valid_column":5, @@ -1208,10 +1013,10 @@ } }, { - "table_id":126, + "table_id":103, "table_name":"IP_ADDR_ENTRY", "table_type":"ip_plugin", - "valid_column":8, + "valid_column":7, "custom": { "item_id":1, "ip_type":3, diff --git a/resource/table_info_simple.conf b/resource/table_info_simple.conf index 19c8861..73ab4e1 100644 --- a/resource/table_info_simple.conf +++ b/resource/table_info_simple.conf @@ -552,18 +552,6 @@ }, { "table_id":42, - "table_name":"TSG_OBJ_FQDN_CAT", - "table_type":"interval", - "valid_column":5, - "custom": { - "item_id":1, - "group_id":2, - "low_boundary":3, - "up_boundary":4 - } - }, - { - "table_id":43, "table_name":"TSG_OBJ_KEYWORDS", "table_type":"expr", "valid_column":7, @@ -577,7 +565,7 @@ } }, { - "table_id":44, + "table_id":43, "table_name":"TSG_OBJ_HTTP_SIGNATURE", "table_type":"expr_plus", "valid_column":8, 
@@ -592,239 +580,139 @@ } }, { - "table_id":45, + "table_id":44, "table_name":"ATTR_HTTP_URL", "table_type":"virtual", "physical_table": "TSG_OBJ_URL" }, { - "table_id":46, + "table_id":45, "table_name":"ATTR_HTTP_REQ_HDR", "table_type":"virtual", "physical_table": "TSG_OBJ_HTTP_SIGNATURE" }, { - "table_id":47, + "table_id":46, "table_name":"ATTR_HTTP_RES_HDR", "table_type":"virtual", "physical_table": "TSG_OBJ_HTTP_SIGNATURE" }, { - "table_id":48, + "table_id":47, "table_name":"ATTR_HTTP_REQ_BODY", "table_type":"virtual", "physical_table": "TSG_OBJ_KEYWORDS" }, { - "table_id":49, + "table_id":48, "table_name":"ATTR_HTTP_RES_BODY", "table_type":"virtual", "physical_table": "TSG_OBJ_KEYWORDS" }, { - "table_id":50, + "table_id":49, "table_name":"ATTR_SSL_CN", "table_type":"virtual", "physical_table": "TSG_OBJ_FQDN" }, { - "table_id":51, - "table_name":"ATTR_SSL_CN_CAT", - "table_type":"virtual", - "physical_table": "TSG_OBJ_FQDN_CAT" - }, - { - "table_id":52, + "table_id":50, "table_name":"ATTR_SSL_SAN", "table_type":"virtual", "physical_table": "TSG_OBJ_FQDN" }, { - "table_id":53, - "table_name":"ATTR_SSL_SAN_CAT", - "table_type":"virtual", - "physical_table":"TSG_OBJ_FQDN_CAT" - }, - { - "table_id":54, + "table_id":51, "table_name":"ATTR_DNS_QNAME", "table_type":"virtual", "physical_table": "TSG_OBJ_FQDN" }, { - "table_id":55, + "table_id":52, "table_name":"ATTR_MAIL_ACCOUNT", "table_type":"virtual", "physical_table": "TSG_OBJ_ACCOUNT" }, { - "table_id":56, + "table_id":53, "table_name":"ATTR_MAIL_FROM", "table_type":"virtual", "physical_table": "TSG_OBJ_ACCOUNT" }, { - "table_id":57, + "table_id":54, "table_name":"ATTR_MAIL_TO", "table_type":"virtual", "physical_table": "TSG_OBJ_ACCOUNT" }, { - "table_id":58, + "table_id":55, "table_name":"ATTR_MAIL_SUBJECT", "table_type":"virtual", "physical_table": "TSG_OBJ_KEYWORDS" }, { - "table_id":59, + "table_id":56, "table_name":"ATTR_MAIL_CONTENT", "table_type":"virtual", "physical_table": "TSG_OBJ_KEYWORDS" }, { - 
"table_id":60, + "table_id":57, "table_name":"ATTR_MAIL_ATT_NAME", "table_type":"virtual", "physical_table": "TSG_OBJ_KEYWORDS" }, { - "table_id":61, + "table_id":58, "table_name":"ATTR_MAIL_ATT_CONTENT", "table_type":"virtual", "physical_table": "TSG_OBJ_KEYWORDS" }, { - "table_id":62, + "table_id":59, "table_name":"ATTR_FTP_URI", "table_type":"virtual", "physical_table": "TSG_OBJ_URL" }, { - "table_id":63, + "table_id":60, "table_name":"ATTR_FTP_CONTENT", "table_type":"virtual", "physical_table": "TSG_OBJ_KEYWORDS" }, { - "table_id":64, + "table_id":61, "table_name":"ATTR_FTP_ACCOUNT", "table_type":"virtual", "physical_table": "TSG_OBJ_ACCOUNT" }, { - "table_id":65, + "table_id":62, "table_name":"ATTR_SOURCE_IP", "table_type":"virtual", "physical_table": "TSG_OBJ_IP" }, { - "table_id":66, + "table_id":63, "table_name":"ATTR_DESTINATION_IP", "table_type":"virtual", "physical_table": "TSG_OBJ_IP" }, { - "table_id":67, - "table_name":"TSG_OBJ_AS_NUMBER", - "table_type":"expr", - "valid_column":7, - "custom": { - "item_id":1, - "group_id":2, - "keywords":3, - "expr_type":4, - "match_method":5, - "is_hexbin":6 - } - }, - { - "table_id":72, - "table_name":"ATTR_SOURCE_ASN", - "table_type":"virtual", - "physical_table": "TSG_OBJ_AS_NUMBER" - }, - { - "table_id":73, - "table_name":"ATTR_DESTINATION_ASN", - "table_type":"virtual", - "physical_table": "TSG_OBJ_AS_NUMBER" - }, - { - "table_id":74, - "table_name":"TSG_OBJ_GEO_LOCATION", - "table_type":"expr", - "valid_column":7, - "custom": { - "item_id":1, - "group_id":2, - "keywords":3, - "expr_type":4, - "match_method":5, - "is_hexbin":6 - } - }, - { - "table_id":75, - "table_name":"ATTR_SOURCE_GEO_COUNTRY", - "table_type":"virtual", - "physical_table": "TSG_OBJ_GEO_LOCATION" - }, - { - "table_id":76, - "table_name":"ATTR_SOURCE_GEO_SUPER_ADMINISTRATIVE_AREA", - "table_type":"virtual", - "physical_table": "TSG_OBJ_GEO_LOCATION" - }, - { - "table_id":77, - "table_name":"ATTR_SOURCE_GEO_ADMINISTRATIVE_AREA", - 
"table_type":"virtual", - "physical_table": "TSG_OBJ_GEO_LOCATION" - }, - { - "table_id":78, - "table_name":"ATTR_SOURCE_GEO_SUB_ADMINISTRATIVE_AREA", - "table_type":"virtual", - "physical_table": "TSG_OBJ_GEO_LOCATION" - }, - { - "table_id":79, - "table_name":"ATTR_DESTINATION_GEO_COUNTRY", - "table_type":"virtual", - "physical_table": "TSG_OBJ_GEO_LOCATION" - }, - { - "table_id":80, - "table_name":"ATTR_DESTINATION_GEO_SUPER_ADMINISTRATIVE_AREA", - "table_type":"virtual", - "physical_table": "TSG_OBJ_GEO_LOCATION" - }, - { - "table_id":81, - "table_name":"ATTR_DESTINATION_GEO_ADMINISTRATIVE_AREA", - "table_type":"virtual", - "physical_table": "TSG_OBJ_GEO_LOCATION" - }, - { - "table_id":82, - "table_name":"ATTR_DESTINATION_GEO_SUB_ADMINISTRATIVE_AREA", - "table_type":"virtual", - "physical_table": "TSG_OBJ_GEO_LOCATION" - }, - { - "table_id":85, + "table_id":64, "table_name":"ATTR_SIP_ORIGINATOR_DESCRIPTION", "table_type":"virtual", "physical_table": "TSG_OBJ_ACCOUNT" }, { - "table_id":86, + "table_id":65, "table_name":"ATTR_SIP_RESPONDER_DESCRIPTION", "table_type":"virtual", "physical_table": "TSG_OBJ_ACCOUNT" }, { - "table_id":87, + "table_id":66, "table_name":"TSG_OBJ_IMSI", "table_type":"expr", "valid_column":7, @@ -838,7 +726,7 @@ } }, { - "table_id":88, + "table_id":67, "table_name":"TSG_OBJ_PHONE_NUMBER", "table_type":"expr", "valid_column":7, @@ -852,7 +740,7 @@ } }, { - "table_id":89, + "table_id":68, "table_name":"TSG_OBJ_APN", "table_type":"expr", "valid_column":7, 
@@ -866,25 +754,25 @@
 }
 },
 {
- "table_id":90,
+ "table_id":69,
 "table_name":"ATTR_GTP_IMSI",
 "table_type":"virtual",
 "physical_table": "TSG_OBJ_IMSI"
 },
 {
- "table_id":91,
+ "table_id":70,
 "table_name":"ATTR_GTP_PHONE_NUMBER",
 "table_type":"virtual",
 "physical_table": "TSG_OBJ_PHONE_NUMBER"
 },
 {
- "table_id":92,
+ "table_id":71,
 "table_name":"ATTR_GTP_APN",
 "table_type":"virtual",
 "physical_table": "TSG_OBJ_APN"
 },
 {
- "table_id":93,
+ "table_id":72,
 "table_name":"TSG_TUNNEL_CATALOG",
 "table_type":"bool_plugin",
 "valid_column":6,
@@ -894,7 +782,7 @@
 }
 },
 {
- "table_id":94,
+ "table_id":73,
 "table_name":"TSG_TUNNEL_ENDPOINT",
 "table_type":"ip_plugin",
 "valid_column":6,
@@ -906,7 +794,7 @@
 }
 },
 {
- "table_id":95,
+ "table_id":74,
 "table_name":"TSG_TUNNEL_LABEL",
 "table_type":"plugin",
 "valid_column":4,
@@ -917,13 +805,13 @@
 }
 },
 {
- "table_id":96,
+ "table_id":75,
 "table_name":"ATTR_TUNNEL",
 "table_type":"virtual",
 "physical_table": "TSG_TUNNEL_CATALOG"
 },
 {
- "table_id":97,
+ "table_id":76,
 "table_name":"TSG_OBJ_FLAG",
 "table_type":"flag",
 "valid_column":5,
@@ -935,19 +823,19 @@
 }
 },
 {
- "table_id":98,
+ "table_id":77,
 "table_name":"ATTR_FLAG",
 "table_type":"virtual",
 "physical_table": "TSG_OBJ_FLAG"
 },
 {
- "table_id":99,
+ "table_id":78,
 "table_name":"ATTR_DOH_QNAME",
 "table_type":"virtual",
 "physical_table": "TSG_OBJ_FQDN"
 },
 {
- "table_id":100,
+ "table_id":79,
 "table_name":"TSG_OBJ_IMEI",
 "table_type":"expr",
 "valid_column":7,
@@ -961,13 +849,13 @@
 }
 },
 {
- "table_id":101,
+ "table_id":80,
 "table_name":"ATTR_GTP_IMEI",
 "table_type":"virtual",
 "physical_table": "TSG_OBJ_IMEI"
 },
 {
- "table_id":102,
+ "table_id":81,
 "table_name": "APP_ID_DICT",
 "table_type": "plugin",
 "valid_column": 19,
@@ -978,43 +866,37 @@
 }
 },
 {
- "table_id":103,
+ "table_id":82,
 "table_name":"ATTR_SUBSCRIBER_ID",
 "table_type":"virtual",
 "physical_table": "TSG_OBJ_SUBSCRIBER_ID"
 },
 {
- "table_id":104,
+ "table_id":83,
 "table_name":"ATTR_APP_ID",
 "table_type":"virtual",
 "physical_table": "APP_ID_DICT"
 },
 {
- "table_id":105,
+ "table_id":84,
 "table_name": "ATTR_SERVER_FQDN",
 "table_type": "virtual",
 "physical_table": "TSG_OBJ_FQDN"
 },
 {
- "table_id":106,
- "table_name": "ATTR_SERVER_FQDN_CAT",
- "table_type": "virtual",
- "physical_table": "TSG_OBJ_FQDN_CAT"
- },
- {
- "table_id":107,
+ "table_id":85,
 "table_name":"ATTR_INTERNAL_IP",
 "table_type":"virtual",
 "physical_table": "TSG_OBJ_IP"
 },
 {
- "table_id":108,
+ "table_id":86,
 "table_name":"ATTR_EXTERNAL_IP",
 "table_type":"virtual",
 "physical_table": "TSG_OBJ_IP"
 },
 {
- "table_id":109,
+ "table_id":87,
 "table_name": "TSG_IP_PROTOCOL",
 "table_type": "plugin",
 "valid_column": 4,
@@ -1025,7 +907,7 @@
 }
 },
 {
- "table_id":110,
+ "table_id":88,
 "table_name":"TSG_OBJ_PORT",
 "table_type":"interval",
 "valid_column":5,
@@ -1037,91 +919,90 @@
 }
 },
 {
- "table_id":111,
+ "table_id":89,
 "table_name": "ATTR_SOURCE_PORT",
 "table_type": "virtual",
 "physical_table": "TSG_OBJ_PORT"
 },
 {
- "table_id":112,
+ "table_id":90,
 "table_name": "ATTR_DESTINATION_PORT",
 "table_type": "virtual",
 "physical_table": "TSG_OBJ_PORT"
 },
 {
- "table_id":113,
+ "table_id":91,
 "table_name": "ATTR_INTERNAL_PORT",
 "table_type": "virtual",
 "physical_table": "TSG_OBJ_PORT"
 },
 {
- "table_id":114,
+ "table_id":92,
 "table_name": "ATTR_EXTERNAL_PORT",
 "table_type": "virtual",
 "physical_table": "TSG_OBJ_PORT"
 },
 {
- "table_id":115,
+ "table_id":93,
 "table_name": "ATTR_IP_PROTOCOL",
 "table_type": "virtual",
 "physical_table": "TSG_IP_PROTOCOL"
 },
 {
- "table_id":116,
+ "table_id":94,
 "table_name": "ATTR_SSL_ECH",
 "table_type": "virtual",
 "physical_table": "TSG_OBJ_FQDN"
 },
 {
- "table_id":117,
+ "table_id":95,
 "table_name": "ATTR_SSL_ESNI",
 "table_type": "virtual",
 "physical_table": "TSG_OBJ_FQDN"
 },
 {
- "table_id":118,
+ "table_id":96,
 "table_name": "ATTR_SSL_NO_SNI",
 "table_type": "virtual",
 "physical_table": "TSG_OBJ_FQDN"
 },
 {
- "table_id":119,
+ "table_id":97,
 "table_name":"ATTR_TUNNEL_LEVEL",
 "table_type":"virtual",
 "physical_table": "TSG_TUNNEL_CATALOG"
 },
 {
- "table_id":120,
- "table_name":"ATTR_INTERNAL_ASN",
- "table_type":"virtual",
- "physical_table": "TSG_OBJ_AS_NUMBER"
- },
- {
- "table_id":121,
- "table_name":"ATTR_EXTERNAL_ASN",
- "table_type":"virtual",
- "physical_table": "TSG_OBJ_AS_NUMBER"
- },
- {
- "table_id":122,
+ "table_id":98,
 "table_name":"ATTR_TUNNEL_GTP_ENDPOINT",
 "table_type":"virtual",
 "physical_table": "TSG_OBJ_IP"
 },
 {
- "table_id":123,
+ "table_id":99,
 "table_name":"ATTR_TUNNEL_GRE_ENDPOINT",
 "table_type":"virtual",
 "physical_table": "TSG_OBJ_IP"
 },
 {
- "table_id":124,
+ "table_id":100,
 "table_name":"ATTR_TUNNEL_IP_IN_IP_ENDPOINT",
 "table_type":"virtual",
 "physical_table": "TSG_OBJ_IP"
 },
 {
- "table_id":125,
+ "table_id": 101,
+ "table_name": "LIBRARY_TAG",
+ "table_type": "plugin",
+ "valid_column": 6,
+ "custom": {
+ "key": 1,
+ "key_type": "integer",
+ "key_len": 8
+ }
+ },
+ {
+ "table_id":102,
 "table_name":"FQDN_ENTRY",
 "table_type":"fqdn_plugin",
 "valid_column":5,
@@ -1132,10 +1013,10 @@
 }
 },
 {
- "table_id":126,
+ "table_id":103,
 "table_name":"IP_ADDR_ENTRY",
 "table_type":"ip_plugin",
- "valid_column":8,
+ "valid_column":7,
 "custom": {
 "item_id":1,
 "ip_type":3,
diff --git a/resource/verify-policy.json b/resource/verify-policy.json
index d6053f2..cc03616 100644
--- a/resource/verify-policy.json
+++ b/resource/verify-policy.json
@@ -31,34 +31,48 @@
 }
 }
 ]
+ },
+ {
+ "virtual_table":"ATTR_SERVER_FQDN",
+ "group_name":"http_fqdn",
+ "group_id":1011,
+ "not_flag":0,
+ "regions": [
+ {
+ "table_name": "TSG_OBJ_FQDN",
+ "table_type": "expr",
+ "table_content": {
+ "keywords": "baidu.com",
+ "expr_type": "regex",
+ "match_method": "sub",
+ "format": "uncase plain"
+ }
+ }
+ ]
+ },
+ {
+ "virtual_table":"ATTR_SSL_SAN",
+ "group_name":"ssl_san",
+ "group_id":11011,
+ "not_flag":0,
+ "regions": [
+ {
+ "table_name": "TSG_OBJ_FQDN",
+ "table_type": "expr",
+ "table_content": {
+ "keywords": "baidu.com",
+ "expr_type": "regex",
+ "match_method": "sub",
+ "format": "uncase plain"
+ }
+ }
+ ]
 },
 {
 "virtual_table":"ATTR_APP_ID",
 "group_name":"app_id",
 "group_id":201,
 "not_flag":0
- },
- {
- "not_flag": 0,
- "group_id": 301,
- "group_name":"ipv4_addr",
- "virtual_table": "ATTR_SOURCE_IP",
- "regions": [
- {
- "table_type": "ip",
- "table_name": "TSG_IP_ADDR",
- "table_content": {
- "addr_type": "ipv4",
- "addr_format": "range",
- "ip1": "192.168.55.4",
- "ip2": "192.168.55.4",
- "port_format": "range",
- "port1": "80",
- "port2": "80",
- "protocol": -1
- }
- }
- ]
 }
 ]
 },
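Review bot: The new LIBRARY_TAG table declares `"valid_column": 6` but its `custom` map names only column 1 (`"key": 1`), so the meaning of columns 2–6 is nowhere stated in this file and the plugin must rely on fixed positions. Consider naming the remaining columns in `custom` the way the neighbouring tables do (`item_id`, `ip_type`, …), or documenting the LIBRARY_TAG row layout wherever the other tab-separated formats are described. `"key_len": 8` with `"key_type": "integer"` presumably means an 8-byte key; confirm that against what the plugin reads. Also `"table_id": 101,` is spaced differently from every other `"table_id":N,` in this file.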
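Review bot: `"valid_column"` for IP_ADDR_ENTRY drops from 8 to 7, but the `custom` column map continues past the end of this hunk, so it is not visible here whether any entry still points at column 8 (the old rows carried an extra `0` field before the trailing `1`). A stale index of 8 would now refer to a column the rows no longer have, so the rest of the map should be checked and any such index removed; the sample IP_ADDR_ENTRY rows added to verify-policy.json in this commit do have seven fields.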
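Review bot: Both new groups use `"keywords": "baidu.com"` with `"expr_type": "regex"` and `"match_method": "sub"`, where the unescaped `.` is a regex wildcard and the substring match is unanchored, so the pattern also accepts names such as `baiduXcom` or `notbaidu.com.example`. If the intent is to match that host, escape the dot and anchor it, `"keywords": "^baidu\\.com$"`, or use a non-regex expression type if the matcher offers one. If this is only a loose sample policy, that looseness is worth stating in the accompanying documentation so it is not copied into a real rule set.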
@@ -74,8 +88,132 @@
 "is_valid": "yes",
 "groups": [
 {
- "group_name":"http_url",
- "virtual_table":"ATTR_HTTP_URL"
+ "group_name":"http_fqdn",
+ "virtual_table":"ATTR_SERVER_FQDN"
+ },
+ {
+ "group_name":"ssl_san",
+ "virtual_table":"ATTR_SSL_SAN"
+ },
+ {
+ "not_flag": 0,
+ "group_id": 604,
+ "group_name":"IPv4TCPSoureServiceChaining604",
+ "virtual_table": "ATTR_SOURCE_IP",
+ "regions": [
+ {
+ "table_type": "ip",
+ "table_name": "TSG_OBJ_IP_ADDR",
+ "table_content": {
+ "addr_type": "ipv4",
+ "addr_format": "range",
+ "ip1": "192.168.55.4",
+ "ip2": "192.168.55.4"
+ }
+ }
+ ]
+ },
+ {
+ "group_id": 9,
+ "group_name": "ip.source.ip12",
+ "virtual_table": "ATTR_SOURCE_IP"
+ },
+ {
+ "group_id": 10,
+ "group_name": "ip.source.ip13",
+ "virtual_table": "ATTR_DESTINATION_IP"
+ },
+ {
+ "group_id": 6,
+ "group_name": "host.fqdn6",
+ "virtual_table": "ATTR_SERVER_FQDN"
+ },
+ {
+ "group_id": 9,
+ "group_name": "ip.source.ip14",
+ "virtual_table": "ATTR_INTERNAL_IP"
+ },
+ {
+ "group_id": 10,
+ "group_name": "ip.source.ip15",
+ "virtual_table": "ATTR_EXTERNAL_IP"
+ }
+ ]
+ },
+ {
+ "compile_id": 11022,
+ "service": 1,
+ "action": 48,
+ "do_blacklist": 1,
+ "do_log": 1,
+ "effective_range": 0,
+ "tags":"{\"tag_sets\":[[{\"tag\":\"device_id\",\"value\":[\"device_3\",\"device_4\"]}]]}",
+ "user_region": "{\"protocol\":\"http\",\"method\":\"redirect\",\"code\":302,\"to\":\"https://www.jd.com\"}",
+ "is_valid": "no",
+ "groups": [
+ {
+ "not_flag": 0,
+ "group_id": 704,
+ "group_name":"IPv4TCPSoureServiceChaining604",
+ "virtual_table": "ATTR_SOURCE_IP",
+ "regions": [
+ {
+ "table_type": "ip",
+ "table_name": "TSG_OBJ_IP_ADDR",
+ "table_content": {
+ "addr_type": "ipv4",
+ "addr_format": "range",
+ "ip1": "192.168.55.7",
+ "ip2": "192.168.55.7"
+ }
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "compile_id": 11023,
+ "service": 1,
+ "action": 48,
+ "do_blacklist": 1,
+ "do_log": 1,
+ "effective_range": 0,
+ "tags":"{\"tag_sets\":[[{\"tag\":\"device_id\",\"value\":[\"device_3\",\"device_4\"]}]]}",
+ "user_region": "{\"protocol\":\"http\",\"method\":\"redirect\",\"code\":302,\"to\":\"https://www.jd.com\"}",
+ "is_valid": "yes",
+ "groups": [
+ {
+ "not_flag": 0,
+ "group_id": 604,
+ "group_name":"IPv4TCPSoureServiceChaining604",
+ "virtual_table": "ATTR_SOURCE_IP",
+ "regions": [
+ {
+ "table_type": "ip",
+ "table_name": "TSG_OBJ_IP_ADDR",
+ "table_content": {
+ "addr_type": "ipv4",
+ "addr_format": "range",
+ "ip1": "192.168.55.4",
+ "ip2": "192.168.55.4"
+ }
+ }
+ ]
+ },
+ {
+ "group_id": 9,
+ "group_name": "ip.source.ip12",
+ "virtual_table": "ATTR_SOURCE_IP"
+ },
+ {
+ "group_id": 10,
+ "group_name": "ip.source.ip13",
+ "virtual_table": "ATTR_DESTINATION_IP"
+ },
+ {
+ "group_id": 9,
+ "group_name": "ip.source.ip14",
+ "virtual_table": "ATTR_INTERNAL_IP"
 }
 ]
 },
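Review bot: Inside the first compile's `groups` (its enclosing compile entry opens before this hunk) `"group_id": 9` is used both for `ip.source.ip12` on ATTR_SOURCE_IP and for `ip.source.ip14` on ATTR_INTERNAL_IP, and `"group_id": 10` likewise for ip13 on ATTR_DESTINATION_IP and ip15 on ATTR_EXTERNAL_IP; the same 9/9 and 10/10 pairs recur in the new compile 11023. If group_id is meant to be unique within a compile, as the distinct 604 and 704 ids of the two IPv4 groups suggest, one group of each pair becomes indistinguishable in match results; if group_id is instead an entry or tag id resolved through LIBRARY_TAG, that should be stated where the policy format is documented. The group name `IPv4TCPSoureServiceChaining604` is reused verbatim under `"group_id": 704` in compile 11022 and carries a typo (`Soure`), so `"group_name":"IPv4TCPSourceServiceChaining704"` would make the two entries distinguishable in logs.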
@@ -309,33 +447,34 @@
 "68\thttps\t0\tnull\tnetworking\tinfrastructure\tnetwork-protocol\t3\tused-by-malware,vulnerability,widely-used\tnull\tnull\t{\"method\":\"rate_limit\",\"bps\":1000}\t0\t0\t0\t0\t0\t68000\t1"
 ]
 },
- {
- "table_name": "TSG_FQDN_CATEGORY_BUILT_IN",
- "table_content": [
- "0\t1\t126.com\t1\t601\t1",
- "1\t2\tbaidu.com\t1\t602\t1"
- ]
- },
- {
- "table_name": "TSG_FQDN_CATEGORY_USER_DEFINED",
- "table_content": [
- "0\t3\t126.com\t1\t701\t1",
- "1\t4\tbaidu.com\t1\t702\t1"
- ]
- },
- {
+ {
 "table_name": "FQDN_ENTRY",
 "table_content": [
 "1\t2,4,5\twww.126.com\t1\t1",
 "2\t6,7,8\twww.baidu.com\t1\t1"
 ]
 },
- {
+ {
 "table_name": "IP_ADDR_ENTRY",
 "table_content": [
- "1\t2,4,5\t4\tsingle\t192.168.55.4\t192.168.55.4\t0\t1",
- "1\t2,4,5\t4\tsingle\t192.168.55.4\t192.168.55.4\t0\t1"
+ "7\t12,14,15\t4\tsingle\t192.168.55.5\t192.168.55.5\t1",
+ "8\t22,24,25\t4\tsingle\t192.168.55.5\t192.168.55.5\t1",
+ "9\t9,15\t4\trange\t192.168.55.4\t192.168.55.4\t1",
+ "10\t10\t4\trange\t192.168.55.6\t192.168.55.6\t1"
 ]
- }
+ },
+ {
+ "table_name": "LIBRARY_TAG",
+ "table_content": [
+ "6\tnone\twebsite_category\twebsite_category\tsearch\\bengines\t1",
+ "7\tnone\twebsite_category\twebsite_category\tbusiness\t1",
+ "8\tnone\twebsite_category\twebsite_category\tsearch\\bengines\t1",
+ "12\tnone\tgeoip\ttest1\ttest1\t1",
+ "14\tnone\tgeoip\ttest2\ttest2\t1",
+ "15\tnone\tgeoip\ttest3\ttest3\t1",
+ "9\tnone\tgeoip\ttest4\ttest4\t1",
+ "10\tnone\tgeoip\ttest5\ttest5\t1"
+ ]
+ }
 ]
 }
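Review bot: The new IP_ADDR_ENTRY row `8\t22,24,25\t4\tsingle\t192.168.55.5\t192.168.55.5\t1` references tag ids 22, 24 and 25, and the context FQDN_ENTRY row for www.126.com references 2, 4 and 5, none of which the new LIBRARY_TAG table defines (it lists 6, 7, 8, 9, 10, 12, 14 and 15). If entry tags are resolved against LIBRARY_TAG at load time these rows resolve to missing tags, so either add the corresponding LIBRARY_TAG rows or drop the dangling ids so the fixture exercises the intended path; if dangling ids are deliberately present to test the error path, say so where the fixture is described. Separately, `search\\bengines` is the JSON encoding of a literal backslash followed by `b`, unlike the plain `business` value on the next row; if `\b` is meant as a space escape for "search engines", that convention belongs in the documentation of the tab-separated row format. Rows 7 and 8 also map the same address 192.168.55.5 to different tag sets, which may be intentional overlap testing but is worth a note.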