TSG-19601 PolicyVerify支持ASN Object TSG-19596 Object Match返回Protocol命中路径

This commit is contained in:
fengweihao
2024-03-01 15:36:17 +08:00
parent e834b5ad00
commit 620d367a50
4 changed files with 195 additions and 93 deletions


@@ -86,6 +86,8 @@ enum tsg_obj_table
TSG_OBJ_SSL_ESNI, TSG_OBJ_SSL_ESNI,
TSG_OBJ_SSL_NO_SNI, TSG_OBJ_SSL_NO_SNI,
TSG_OBJ_TUNNEL_LEVEL, TSG_OBJ_TUNNEL_LEVEL,
TSG_OBJ_INTERNAL_ASN,
TSG_OBJ_EXTERNAL_ASN,
__TSG_OBJ_MAX __TSG_OBJ_MAX
}; };


@@ -70,7 +70,7 @@ enum verify_profile_table
struct ip_data_table struct ip_data_table
{ {
int profile_id; int profile_id;
int group_id;
int ref_cnt; int ref_cnt;
char *asn; char *asn;
@@ -90,6 +90,17 @@ struct http_field_name
enum http_std_field field_id; enum http_std_field field_id;
}; };
enum nth_scan_type
{
NTH_SCAN_IP_SRC_LOCATION = 0,
NTH_SCAN_IP_DST_LOCATION,
NTH_SCAN_IP_DST_ASN,
NTH_SCAN_IP_SRC_ASN,
NTH_SCAN_IP_INTERNAL_ASN,
NTH_SCAN_IP_EXTERNAL_ASN,
NTH_SCAN_MAX
};
/** Nth_scan: Since there is no virtual table name in the request due to IP location and IP protocol, /** Nth_scan: Since there is no virtual table name in the request due to IP location and IP protocol,
* the current hit path scan count needs to be recorded to correspond to the virtual table name */ * the current hit path scan count needs to be recorded to correspond to the virtual table name */
struct ip_data_ctx struct ip_data_ctx
@@ -100,7 +111,7 @@ struct ip_data_ctx
char *organization_server; char *organization_server;
char *location_client; char *location_client;
char *location_server; char *location_server;
int Nth_scan[3]; int Nth_scan[NTH_SCAN_MAX];
}; };
struct fqdn_category_ctx struct fqdn_category_ctx
@@ -302,13 +313,13 @@ static char* verify_unescape(char* s)
void ip_asn_table_new_cb(const char *table_name, int table_id, const char* key, const char* table_line, void **ad, long argl, void* argp) void ip_asn_table_new_cb(const char *table_name, int table_id, const char* key, const char* table_line, void **ad, long argl, void* argp)
{ {
int addr_type; int addr_type, group_id=0;
int ret=0,profile_id=0,is_valid=0; int ret=0,profile_id=0,is_valid=0;
char start_ip[40], end_ip[40],asn[40]={0}; char start_ip[40], end_ip[40],asn[40]={0};
char organization[VERIFY_ARRAY_MAX]; char organization[VERIFY_ARRAY_MAX];
ret=sscanf(table_line, "%d\t%d\t%s\t%s\t%s\t%s\t%d", &profile_id, &addr_type, start_ip, end_ip, asn, organization, &is_valid); ret=sscanf(table_line, "%d\t%d\t%d\t%s\t%s\t%s\t%s\t%d", &profile_id, &group_id, &addr_type, start_ip, end_ip, asn, organization, &is_valid);
if(ret!=7) if(ret!=8)
{ {
mesa_runtime_log(RLOG_LV_FATAL, "Policy table parse ip ASN failed, ret:%d, %s", ret, table_line); mesa_runtime_log(RLOG_LV_FATAL, "Policy table parse ip ASN failed, ret:%d, %s", ret, table_line);
return; return;
@@ -320,6 +331,7 @@ void ip_asn_table_new_cb(const char *table_name, int table_id, const char* key,
ip_asn->profile_id=profile_id; ip_asn->profile_id=profile_id;
ip_asn->asn=strdup(asn); ip_asn->asn=strdup(asn);
ip_asn->organization=strdup(organization); ip_asn->organization=strdup(organization);
ip_asn->group_id=group_id;
ip_asn->ref_cnt=1; ip_asn->ref_cnt=1;
pthread_mutex_init(&(ip_asn->lock), NULL); pthread_mutex_init(&(ip_asn->lock), NULL);
@@ -530,8 +542,8 @@ void tunnel_label_table_new_cb(const char *table_name, int table_id, const char*
} }
const char *table_name_map[] = {"TSG_IP_ASN_USER_DEFINED", const char *table_name_map[] = {"TSG_OBJ_IP_ASN_USER_DEFINED",
"TSG_IP_ASN_BUILT_IN", "TSG_OBJ_IP_ASN_BUILT_IN",
"TSG_IP_LOCATION_USER_DEFINED", "TSG_IP_LOCATION_USER_DEFINED",
"TSG_IP_LOCATION_BUILT_IN", "TSG_IP_LOCATION_BUILT_IN",
"TSG_FQDN_CATEGORY_USER_DEFINED", "TSG_FQDN_CATEGORY_USER_DEFINED",
@@ -1035,10 +1047,9 @@ void http_get_location_status(cJSON *attributes, cJSON *attributeObj, struct ip_
if(item && item->type==cJSON_String) if(item && item->type==cJSON_String)
{ {
attri_name = item->valuestring; attri_name = item->valuestring;
if(strcasecmp(attri_name, "source") == 0) if((strcasecmp(attri_name, "source") == 0) || (strcasecmp(attri_name, "internal") == 0))
{ {
cJSON_AddStringToObject(attributeObj, "ipGeoLocation",ip_ctx->location_client); cJSON_AddStringToObject(attributeObj, "ipGeoLocation",ip_ctx->location_client);
ipAsn=cJSON_CreateArray(); ipAsn=cJSON_CreateArray();
cJSON_AddItemToObject(attributeObj, "ipAsn", ipAsn); cJSON_AddItemToObject(attributeObj, "ipAsn", ipAsn);
cJSON *ipAsnObj=NULL; cJSON *ipAsnObj=NULL;
@@ -1046,14 +1057,13 @@ void http_get_location_status(cJSON *attributes, cJSON *attributeObj, struct ip_
{ {
ipAsnObj=cJSON_CreateObject(); ipAsnObj=cJSON_CreateObject();
cJSON_AddItemToArray(ipAsn, ipAsnObj); cJSON_AddItemToArray(ipAsn, ipAsnObj);
cJSON_AddStringToObject(ipAsnObj, "asNumber", ip_ctx->asn_client); cJSON_AddStringToObject(ipAsnObj, "asn", ip_ctx->asn_client);
cJSON_AddStringToObject(ipAsnObj, "organization", ip_ctx->organization_client); cJSON_AddStringToObject(ipAsnObj, "organization", ip_ctx->organization_client);
} }
} }
if(strcasecmp(attri_name, "destination") == 0) if((strcasecmp(attri_name, "destination") == 0) || (strcasecmp(attri_name, "external") == 0))
{ {
cJSON_AddStringToObject(attributeObj, "ipGeoLocation",ip_ctx->location_server); cJSON_AddStringToObject(attributeObj, "ipGeoLocation",ip_ctx->location_server);
ipAsn=cJSON_CreateArray(); ipAsn=cJSON_CreateArray();
cJSON_AddItemToObject(attributeObj, "ipAsn", ipAsn); cJSON_AddItemToObject(attributeObj, "ipAsn", ipAsn);
cJSON *ipAsnObj=NULL; cJSON *ipAsnObj=NULL;
@@ -1061,7 +1071,7 @@ void http_get_location_status(cJSON *attributes, cJSON *attributeObj, struct ip_
{ {
ipAsnObj=cJSON_CreateObject(); ipAsnObj=cJSON_CreateObject();
cJSON_AddItemToArray(ipAsn, ipAsnObj); cJSON_AddItemToArray(ipAsn, ipAsnObj);
cJSON_AddStringToObject(ipAsnObj, "asNumber", ip_ctx->asn_server); cJSON_AddStringToObject(ipAsnObj, "asn", ip_ctx->asn_server);
cJSON_AddStringToObject(ipAsnObj, "organization", ip_ctx->organization_server); cJSON_AddStringToObject(ipAsnObj, "organization", ip_ctx->organization_server);
} }
} }
@@ -1096,6 +1106,18 @@ int hit_path_is_duplicate(struct maat_hit_path *src, struct maat_hit_path dest,
return 0; return 0;
} }
int hit_rule_match_is_duplicate(struct maat_hit_path *src, struct maat_hit_path dest, int result_cnt)
{
for(int i = 0; i < result_cnt; i++)
{
if(src[i].vtable_id == dest.vtable_id && src[i].top_group_id == dest.top_group_id)
{
return 1;
}
}
return 0;
}
void http_get_scan_status(struct request_query_obj *query_obj, int compile_table_id, cJSON *attributes, cJSON *data_obj, void *pme) void http_get_scan_status(struct request_query_obj *query_obj, int compile_table_id, cJSON *attributes, cJSON *data_obj, void *pme)
{ {
int i=0, j=0, result_cnt=0; int i=0, j=0, result_cnt=0;
@@ -1103,15 +1125,6 @@ void http_get_scan_status(struct request_query_obj *query_obj, int compile_table
cJSON *attributeObj=NULL,*hitPaths=NULL; cJSON *attributeObj=NULL,*hitPaths=NULL;
cJSON *item = NULL; cJSON *item = NULL;
if(query_obj->table_id == TSG_OBJ_IP_PROTOCOL)
{
if(query_obj->attributes)
{
cJSON_Delete(query_obj->attributes);
}
return;
}
struct policy_scan_ctx * ctx = (struct policy_scan_ctx *) pme; struct policy_scan_ctx * ctx = (struct policy_scan_ctx *) pme;
attributeObj=query_obj->attributes; attributeObj=query_obj->attributes;
@@ -1122,10 +1135,7 @@ void http_get_scan_status(struct request_query_obj *query_obj, int compile_table
{ {
if(0 == strcasecmp(item->valuestring, "tunnel_endpointa")) if(0 == strcasecmp(item->valuestring, "tunnel_endpointa"))
{ {
if(query_obj->attributes) cJSON_Delete(attributeObj);
{
cJSON_Delete(query_obj->attributes);
}
return; return;
} }
} }
@@ -1133,7 +1143,6 @@ void http_get_scan_status(struct request_query_obj *query_obj, int compile_table
if(compile_table_id == TSG_TABLE_SECURITY && query_obj->table_id == TSG_OBJ_TUNNEL) if(compile_table_id == TSG_TABLE_SECURITY && query_obj->table_id == TSG_OBJ_TUNNEL)
{ {
attributeObj=query_obj->attributes;
cJSON_DeleteItemFromObject(attributeObj, "attributeName"); cJSON_DeleteItemFromObject(attributeObj, "attributeName");
cJSON_AddStringToObject(attributeObj, "attributeName", "tunnel_endpoint_object"); cJSON_AddStringToObject(attributeObj, "attributeName", "tunnel_endpoint_object");
cJSON_DeleteItemFromObject(attributeObj, "attributeValue"); cJSON_DeleteItemFromObject(attributeObj, "attributeValue");
@@ -1188,26 +1197,54 @@ int policy_verify_regex_expression(const char *expression)
return maat_helper_verify_regex_expression(expression); return maat_helper_verify_regex_expression(expression);
} }
static int get_ip_location_asn_table_name(struct ip_data_ctx *ip_ctx, int Nth_scan, cJSON *topObject)
{
/*ip location**/
int xret = 0;
if(ip_ctx->Nth_scan[NTH_SCAN_IP_SRC_LOCATION] == Nth_scan)
{
cJSON_AddStringToObject(topObject, "tableName", "ATTR_SOURCE_LOCATION");
goto finish;
}
if(ip_ctx->Nth_scan[NTH_SCAN_IP_DST_LOCATION] == Nth_scan)
{
cJSON_AddStringToObject(topObject, "tableName", "ATTR_DESTINATION_LOCATION");
goto finish;
}
if(ip_ctx->Nth_scan[NTH_SCAN_IP_SRC_ASN] == Nth_scan)
{
cJSON_AddStringToObject(topObject, "tableName", "ATTR_SOURCE_ASN");
goto finish;
}
if(ip_ctx->Nth_scan[NTH_SCAN_IP_DST_ASN] == Nth_scan)
{
cJSON_AddStringToObject(topObject, "tableName", "ATTR_DESTINATION_ASN");
goto finish;
}
if(ip_ctx->Nth_scan[NTH_SCAN_IP_INTERNAL_ASN] == Nth_scan)
{
cJSON_AddStringToObject(topObject, "tableName", "ATTR_INTERNAL_ASN");
goto finish;
}
if(ip_ctx->Nth_scan[NTH_SCAN_IP_EXTERNAL_ASN] == Nth_scan)
{
cJSON_AddStringToObject(topObject, "tableName", "ATTR_EXTERNAL_ASN");
goto finish;
}
return xret;
finish:
xret = 1;
return xret;
}
int get_attributes_table_name(struct request_query_obj *request, int num, int Nth_scan, struct ip_data_ctx *ip_ctx, int tunnel_endpoint_x, cJSON *topObject) int get_attributes_table_name(struct request_query_obj *request, int num, int Nth_scan, struct ip_data_ctx *ip_ctx, int tunnel_endpoint_x, cJSON *topObject)
{ {
int i=0, j=0; int i=0, j=0;
cJSON *attributeObj=NULL, *subchild=NULL; cJSON *attributeObj=NULL, *subchild=NULL;
/*ip location**/ /*ip location**/
if(ip_ctx->Nth_scan[0] == Nth_scan) if(get_ip_location_asn_table_name(ip_ctx, Nth_scan, topObject))
{ {
cJSON_AddStringToObject(topObject, "tableName", "ATTR_SOURCE_IP");
return 0;
}
if(ip_ctx->Nth_scan[1] == Nth_scan)
{
cJSON_AddStringToObject(topObject, "tableName", "ATTR_DESTINATION_IP");
return 0;
}
/**ip protocol*/
if(ip_ctx->Nth_scan[2] == Nth_scan)
{
cJSON_AddStringToObject(topObject, "tableName", "ATTR_IP_PROTOCOL");
return 0; return 0;
} }
@@ -1235,7 +1272,6 @@ int http_hit_policy_list(struct verify_policy_query *verify_policy, int num, siz
bool succeeded = false; bool succeeded = false;
size_t rules=0, i=0,j=0; size_t rules=0, i=0,j=0;
int result_config[MAX_SCAN_RESULT] = {0}; int result_config[MAX_SCAN_RESULT] = {0};
int result_object_id[512] = {0};
int vsys_id = verify_policy->vsys_id; int vsys_id = verify_policy->vsys_id;
int compile_table_id = verify_policy->compile_table_id; int compile_table_id = verify_policy->compile_table_id;
@@ -1283,7 +1319,7 @@ int http_hit_policy_list(struct verify_policy_query *verify_policy, int num, siz
} }
cJSON_AddItemToArray(hit_obj, policy_obj); cJSON_AddItemToArray(hit_obj, policy_obj);
result_config[i] = ctx->hit_rules[i].config_id; result_config[i] = ctx->hit_rules[i].config_id;
memset(result_object_id, 0, sizeof(result_object_id)); struct maat_hit_path result_hit_path[MAX_SCAN_RESULT]={0}; int result_cnt=0;
topObjectList=cJSON_CreateArray(); topObjectList=cJSON_CreateArray();
cJSON_AddItemToObject(policy_obj, "topObjectList", topObjectList); cJSON_AddItemToObject(policy_obj, "topObjectList", topObjectList);
@@ -1291,15 +1327,25 @@ int http_hit_policy_list(struct verify_policy_query *verify_policy, int num, siz
{ {
if(ctx->hit_path[j].compile_id > 0 && ctx->hit_path[j].compile_id == ctx->hit_rules[i].config_id) if(ctx->hit_path[j].compile_id > 0 && ctx->hit_path[j].compile_id == ctx->hit_rules[i].config_id)
{ {
if(hit_rule_match_is_duplicate(result_hit_path, ctx->hit_path[j], result_cnt))
{
continue;
}
else
{
memcpy(&result_hit_path[result_cnt], &ctx->hit_path[j], sizeof(struct maat_hit_path));
result_cnt++;
}
#if 0
if(http_hit_policy_match(result_object_id, j, ctx->hit_path[j].top_group_id)) if(http_hit_policy_match(result_object_id, j, ctx->hit_path[j].top_group_id))
{ {
continue; continue;
} }
#endif
topObject=cJSON_CreateObject(); topObject=cJSON_CreateObject();
cJSON_AddNumberToObject(topObject, "objectId", ctx->hit_path[j].top_group_id); cJSON_AddNumberToObject(topObject, "objectId", ctx->hit_path[j].top_group_id);
cJSON_AddNumberToObject(topObject, "notFlag", ctx->hit_path[j].NOT_flag); cJSON_AddNumberToObject(topObject, "notFlag", ctx->hit_path[j].NOT_flag);
cJSON_AddNumberToObject(topObject, "nthClause", ctx->hit_path[j].clause_index); cJSON_AddNumberToObject(topObject, "nthClause", ctx->hit_path[j].clause_index);
result_object_id[j] = ctx->hit_path[j].top_group_id;
get_attributes_table_name(verify_policy->request_object, num, ctx->hit_path[j].Nth_scan, &ctx->ip_ctx, ctx->tunnel_endpoint_x, topObject); get_attributes_table_name(verify_policy->request_object, num, ctx->hit_path[j].Nth_scan, &ctx->ip_ctx, ctx->tunnel_endpoint_x, topObject);
cJSON_AddItemToArray(topObjectList, topObject); cJSON_AddItemToArray(topObjectList, topObject);
} }
@@ -1396,7 +1442,7 @@ int ip_location_scan(struct policy_scan_ctx *ctx, int vsys_id, struct ip_addr *s
if(scan_ret >= MAAT_SCAN_OK) if(scan_ret >= MAAT_SCAN_OK)
{ {
ctx->n_read=maat_state_get_hit_paths(ctx->scan_mid, hit_path, HIT_PATH_SIZE); ctx->n_read=maat_state_get_hit_paths(ctx->scan_mid, hit_path, HIT_PATH_SIZE);
ctx->ip_ctx.Nth_scan[1] = maat_state_get_scan_count(ctx->scan_mid); ctx->ip_ctx.Nth_scan[NTH_SCAN_IP_DST_LOCATION] = maat_state_get_scan_count(ctx->scan_mid);
} }
} }
if(ip_location_client!=NULL) if(ip_location_client!=NULL)
@@ -1438,7 +1484,7 @@ int ip_location_scan(struct policy_scan_ctx *ctx, int vsys_id, struct ip_addr *s
if(scan_ret >= MAAT_SCAN_OK) if(scan_ret >= MAAT_SCAN_OK)
{ {
ctx->n_read=maat_state_get_hit_paths(ctx->scan_mid, hit_path, HIT_PATH_SIZE); ctx->n_read=maat_state_get_hit_paths(ctx->scan_mid, hit_path, HIT_PATH_SIZE);
ctx->ip_ctx.Nth_scan[0] = maat_state_get_scan_count(ctx->scan_mid); ctx->ip_ctx.Nth_scan[NTH_SCAN_IP_SRC_LOCATION] = maat_state_get_scan_count(ctx->scan_mid);
} }
} }
@@ -1449,10 +1495,11 @@ int ip_location_scan(struct policy_scan_ctx *ctx, int vsys_id, struct ip_addr *s
return hit_cnt_ip; return hit_cnt_ip;
} }
int ip_asn_scan(struct policy_scan_ctx * ctx, int vsys_id, struct ip_addr* sip, struct ip_addr* dip, int hit_cnt) int ip_asn_scan(struct policy_scan_ctx * ctx, int vsys_id, int table_id, struct ip_addr* sip, struct ip_addr* dip, int hit_cnt)
{ {
size_t n_hit_result=0; size_t n_hit_result=0;
int scan_ret=0, hit_cnt_ip=0; int scan_ret=0, hit_cnt_ip=0, Nth_scan_cnt=0;
struct maat_hit_path hit_path[HIT_PATH_SIZE];
struct ip_data_table* ip_asn_client=NULL, *ip_asn_server=NULL; struct ip_data_table* ip_asn_client=NULL, *ip_asn_server=NULL;
if(!g_policy_rt->load_ip_location) if(!g_policy_rt->load_ip_location)
@@ -1460,6 +1507,7 @@ int ip_asn_scan(struct policy_scan_ctx * ctx, int vsys_id, struct ip_addr* sip,
return 0; return 0;
} }
memset(hit_path, 0, sizeof(struct maat_hit_path)*HIT_PATH_SIZE);
maat_ip_plugin_table_get_ex_data(g_policy_rt->feather[vsys_id], g_policy_rt->profile_table_id[PROFILE_ASN_USER_DEFINED], sip, (void **)&ip_asn_client, 1); maat_ip_plugin_table_get_ex_data(g_policy_rt->feather[vsys_id], g_policy_rt->profile_table_id[PROFILE_ASN_USER_DEFINED], sip, (void **)&ip_asn_client, 1);
maat_ip_plugin_table_get_ex_data(g_policy_rt->feather[vsys_id], g_policy_rt->profile_table_id[PROFILE_ASN_USER_DEFINED], dip, (void **)&ip_asn_server, 1); maat_ip_plugin_table_get_ex_data(g_policy_rt->feather[vsys_id], g_policy_rt->profile_table_id[PROFILE_ASN_USER_DEFINED], dip, (void **)&ip_asn_server, 1);
@@ -1472,46 +1520,91 @@ int ip_asn_scan(struct policy_scan_ctx * ctx, int vsys_id, struct ip_addr* sip,
maat_ip_plugin_table_get_ex_data(g_policy_rt->feather[vsys_id], g_policy_rt->profile_table_id[PROFILE_ASN_BUILT_IN], dip,(void **)&ip_asn_server, 1); maat_ip_plugin_table_get_ex_data(g_policy_rt->feather[vsys_id], g_policy_rt->profile_table_id[PROFILE_ASN_BUILT_IN], dip,(void **)&ip_asn_server, 1);
} }
struct maat_hit_group hit_group;
if(ip_asn_server!=NULL) if(ip_asn_server!=NULL)
{ {
ctx->ip_ctx.asn_server=strdup(ip_asn_server->asn); ctx->ip_ctx.asn_server=strdup(ip_asn_server->asn);
ctx->ip_ctx.organization_server=strdup(ip_asn_server->organization); ctx->ip_ctx.organization_server=strdup(ip_asn_server->organization);
scan_ret = maat_scan_string(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[TSG_OBJ_IP_DST_ASN], memset(&hit_group, 0, sizeof(hit_group));
ip_asn_server->asn, strlen(ip_asn_server->asn), hit_group.group_id=ip_asn_server->group_id;
ctx->result+hit_cnt+hit_cnt_ip, MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip,
&n_hit_result, ctx->scan_mid);
if(table_id == TSG_OBJ_DESTINATION_ADDR)
{
table_id = TSG_OBJ_IP_DST_ASN;
}
else
{
table_id = (table_id==TSG_OBJ_INTERNAL_ADDR)?TSG_OBJ_INTERNAL_ASN:TSG_OBJ_EXTERNAL_ADDR;
}
scan_ret=maat_scan_group(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[table_id], &hit_group, 1,
ctx->result+hit_cnt+hit_cnt_ip, MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip, &n_hit_result, ctx->scan_mid);
if(scan_ret == MAAT_SCAN_HIT) if(scan_ret == MAAT_SCAN_HIT)
{ {
hit_cnt_ip+=n_hit_result; hit_cnt_ip+=n_hit_result;
} }
scan_ret = maat_scan_not_logic(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[TSG_OBJ_IP_DST_ASN], ctx->result+hit_cnt+hit_cnt_ip, MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip, scan_ret = maat_scan_not_logic(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[table_id], ctx->result+hit_cnt+hit_cnt_ip, MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip,
&n_hit_result, ctx->scan_mid); &n_hit_result, ctx->scan_mid);
if (scan_ret == MAAT_SCAN_HIT) if (scan_ret == MAAT_SCAN_HIT)
{ {
hit_cnt_ip+=n_hit_result; hit_cnt_ip+=n_hit_result;
} }
if(scan_ret >= MAAT_SCAN_OK)
{
ctx->n_read=maat_state_get_hit_paths(ctx->scan_mid, hit_path, HIT_PATH_SIZE);
if(table_id == TSG_OBJ_IP_DST_ASN)
{
ctx->ip_ctx.Nth_scan[NTH_SCAN_IP_DST_ASN] = maat_state_get_scan_count(ctx->scan_mid);
}
else
{
Nth_scan_cnt = (table_id == TSG_OBJ_INTERNAL_ASN) ? NTH_SCAN_IP_INTERNAL_ASN : NTH_SCAN_IP_EXTERNAL_ASN;
ctx->ip_ctx.Nth_scan[Nth_scan_cnt] = maat_state_get_scan_count(ctx->scan_mid);
}
}
} }
if(ip_asn_client!=NULL) if(ip_asn_client!=NULL)
{ {
ctx->ip_ctx.asn_client=strdup(ip_asn_client->asn); ctx->ip_ctx.asn_client=strdup(ip_asn_client->asn);
ctx->ip_ctx.organization_client=strdup(ip_asn_client->organization); ctx->ip_ctx.organization_client=strdup(ip_asn_client->organization);
scan_ret = maat_scan_string(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[TSG_OBJ_IP_SRC_ASN], memset(&hit_group, 0, sizeof(hit_group));
ip_asn_client->asn, strlen(ip_asn_client->asn), hit_group.group_id=ip_asn_client->group_id;
ctx->result+hit_cnt+hit_cnt_ip, MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip,
&n_hit_result, ctx->scan_mid); if(table_id == TSG_OBJ_SOURCE_ADDR)
{
table_id = TSG_OBJ_IP_SRC_ASN;
}
else
{
table_id = (table_id==TSG_OBJ_INTERNAL_ADDR)?TSG_OBJ_INTERNAL_ASN:TSG_OBJ_EXTERNAL_ADDR;
}
scan_ret=maat_scan_group(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[table_id], &hit_group, 1,
ctx->result+hit_cnt+hit_cnt_ip, MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip, &n_hit_result, ctx->scan_mid);
if(scan_ret == MAAT_SCAN_HIT) if(scan_ret == MAAT_SCAN_HIT)
{ {
hit_cnt_ip+=n_hit_result; hit_cnt_ip+=n_hit_result;
} }
scan_ret = maat_scan_not_logic(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[TSG_OBJ_IP_SRC_ASN], ctx->result+hit_cnt+hit_cnt_ip, MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip, scan_ret = maat_scan_not_logic(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[table_id], ctx->result+hit_cnt+hit_cnt_ip, MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip,
&n_hit_result, ctx->scan_mid); &n_hit_result, ctx->scan_mid);
if (scan_ret == MAAT_SCAN_HIT) if (scan_ret == MAAT_SCAN_HIT)
{ {
hit_cnt_ip+=n_hit_result; hit_cnt_ip+=n_hit_result;
} }
if(scan_ret >= MAAT_SCAN_OK)
{
ctx->n_read=maat_state_get_hit_paths(ctx->scan_mid, hit_path, HIT_PATH_SIZE);
if(table_id == TSG_OBJ_IP_SRC_ASN)
{
ctx->ip_ctx.Nth_scan[NTH_SCAN_IP_SRC_ASN] = maat_state_get_scan_count(ctx->scan_mid);
}
else
{
Nth_scan_cnt = (table_id == TSG_OBJ_INTERNAL_ASN) ? NTH_SCAN_IP_INTERNAL_ASN : NTH_SCAN_IP_EXTERNAL_ASN;
ctx->ip_ctx.Nth_scan[Nth_scan_cnt] = maat_state_get_scan_count(ctx->scan_mid);
}
}
} }
if(ip_asn_server) if(ip_asn_server)
ip_table_free(ip_asn_server); ip_table_free(ip_asn_server);
@@ -1537,7 +1630,6 @@ static int group_scan(struct policy_scan_ctx *ctx, int vsys_id, int hit_cnt, str
{ {
hit_cnt_group+=n_hit_result; hit_cnt_group+=n_hit_result;
} }
return hit_cnt_group; return hit_cnt_group;
} }
@@ -1845,7 +1937,7 @@ static int get_group_id_by_protocol(int protocol)
return group_id; return group_id;
} }
static int protocol_scan(struct request_query_obj *request, struct policy_scan_ctx *ctx, int vsys_id, int hit_cnt, int virtual_method) static int protocol_scan(struct request_query_obj *request, struct policy_scan_ctx *ctx, int vsys_id, int hit_cnt)
{ {
int n_read=0; int n_read=0;
int scan_ret=0, hit_cnt_protocol=0; int scan_ret=0, hit_cnt_protocol=0;
@@ -1861,17 +1953,9 @@ static int protocol_scan(struct request_query_obj *request, struct policy_scan_c
hit_cnt_protocol+=scan_ret; hit_cnt_protocol+=scan_ret;
} }
n_read=maat_state_get_hit_paths(ctx->scan_mid, ctx->hit_path, HIT_PATH_SIZE); n_read=maat_state_get_hit_paths(ctx->scan_mid, ctx->hit_path, HIT_PATH_SIZE);
if(virtual_method)
{
request->merge_nth_scan[0] = maat_state_get_scan_count(ctx->scan_mid); request->merge_nth_scan[0] = maat_state_get_scan_count(ctx->scan_mid);
ctx->n_read=n_read; ctx->n_read=n_read;
} }
else
{
ctx->ip_ctx.Nth_scan[2] = maat_state_get_scan_count(ctx->scan_mid);
ctx->ip_protocol_num++;
}
}
return hit_cnt_protocol; return hit_cnt_protocol;
} }
@@ -1882,12 +1966,6 @@ static int ip_addr_scan(struct request_query_obj *request, struct policy_scan_ct
size_t n_hit_result=0; size_t n_hit_result=0;
int table_id = request->table_id; int table_id = request->table_id;
scan_ret = protocol_scan(request, ctx, vsys_id, hit_cnt, 0);
if(scan_ret > 0)
{
hit_cnt_ip+=scan_ret;
}
if (request->ip_addr->addrtype == ADDR_TYPE_IPV4) if (request->ip_addr->addrtype == ADDR_TYPE_IPV4)
{ {
if(0 == strcasecmp(request->attri_name, "source") || 0 == strcasecmp(request->attri_name, "internal")) if(0 == strcasecmp(request->attri_name, "source") || 0 == strcasecmp(request->attri_name, "internal"))
@@ -1996,12 +2074,6 @@ static int port_scan(struct request_query_obj *request, struct policy_scan_ctx *
int table_id = request->table_id; int table_id = request->table_id;
int port = atoi(request->string); int port = atoi(request->string);
scan_ret = protocol_scan(request, ctx, vsys_id, hit_cnt, 0);
if(scan_ret > 0)
{
hit_cnt_port+=scan_ret;
}
scan_ret=maat_scan_integer(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[table_id], port, ctx->result+hit_cnt+hit_cnt_port, scan_ret=maat_scan_integer(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[table_id], port, ctx->result+hit_cnt+hit_cnt_port,
MAX_SCAN_RESULT-hit_cnt-hit_cnt_port, &n_hit_result, ctx->scan_mid); MAX_SCAN_RESULT-hit_cnt-hit_cnt_port, &n_hit_result, ctx->scan_mid);
if(scan_ret == MAAT_SCAN_HIT) if(scan_ret == MAAT_SCAN_HIT)
@@ -2049,7 +2121,7 @@ size_t policy_verify_scan(int vsys_id, int compile_table_id, struct request_quer
{ {
hit_cnt+=scan_ret; hit_cnt+=scan_ret;
} }
scan_ret = ip_asn_scan(ctx, vsys_id, &source_ip, &dest_ip, hit_cnt); scan_ret = ip_asn_scan(ctx, vsys_id, table_id, &source_ip, &dest_ip, hit_cnt);
if(scan_ret > 0) if(scan_ret > 0)
{ {
hit_cnt+=scan_ret; hit_cnt+=scan_ret;
@@ -2061,7 +2133,7 @@ size_t policy_verify_scan(int vsys_id, int compile_table_id, struct request_quer
} }
goto decide; goto decide;
case TSG_OBJ_IP_PROTOCOL: case TSG_OBJ_IP_PROTOCOL:
scan_ret = protocol_scan(request, ctx, vsys_id, hit_cnt, 1); scan_ret = protocol_scan(request, ctx, vsys_id, hit_cnt);
if(scan_ret > 0) if(scan_ret > 0)
{ {
hit_cnt+=scan_ret; hit_cnt+=scan_ret;
@@ -2322,6 +2394,8 @@ static void common_table_name_int(const char *table_name[__TSG_OBJ_MAX])
table_name[TSG_OBJ_SSL_ESNI]="ATTR_SSL_ESNI"; table_name[TSG_OBJ_SSL_ESNI]="ATTR_SSL_ESNI";
table_name[TSG_OBJ_SSL_NO_SNI]="ATTR_SSL_NO_SNI"; table_name[TSG_OBJ_SSL_NO_SNI]="ATTR_SSL_NO_SNI";
table_name[TSG_OBJ_TUNNEL_LEVEL]="ATTR_TUNNEL_LEVEL"; table_name[TSG_OBJ_TUNNEL_LEVEL]="ATTR_TUNNEL_LEVEL";
table_name[TSG_OBJ_INTERNAL_ASN]="ATTR_INTERNAL_ASN";
table_name[TSG_OBJ_EXTERNAL_ASN]="ATTR_EXTERNAL_ASN";
return; return;
} }
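Review bot: The two new mapping blocks in ip_asn_scan (`if(table_id == TSG_OBJ_DESTINATION_ADDR) … else table_id = …` in the server branch and its TSG_OBJ_SOURCE_ADDR twin in the client branch) overwrite the `table_id` parameter, so when both ip_asn_server and ip_asn_client are set the client branch sees the already-rewritten value, can no longer match TSG_OBJ_SOURCE_ADDR or TSG_OBJ_INTERNAL_ADDR, and always ends up in the external case. Both else branches also resolve to `TSG_OBJ_EXTERNAL_ADDR` where the Nth_scan bookkeeping that follows and common_table_name_int expect `TSG_OBJ_EXTERNAL_ASN`, so the external-ASN lookups run against the address table's scan_table_id entry. Keep `table_id` read-only and derive a local `asn_table` in each branch as below; what the non-matching side should do for a plain source/destination request (the server branch currently takes the external path for a TSG_OBJ_SOURCE_ADDR request) is not visible in the hunk and is worth confirming. The same commit rewrites the sscanf in ip_asn_table_new_cb without bounding its `%s` conversions, so a table line with a field longer than the 40-byte start_ip/end_ip/asn buffers overflows the stack — use `%39s` for those three and a VERIFY_ARRAY_MAX-1 width for organization. ip_asn_scan continues past the end of its hunk.
```c
    struct maat_hit_group hit_group;
    int asn_table = 0;   /* scan table for the side being checked; table_id itself stays untouched */
    if(ip_asn_server!=NULL)
    {
        /* … unchanged: asn_server/organization_server strdup, hit_group setup … */
        if(table_id == TSG_OBJ_DESTINATION_ADDR)
        {
            asn_table = TSG_OBJ_IP_DST_ASN;
        }
        else
        {
            asn_table = (table_id==TSG_OBJ_INTERNAL_ADDR)?TSG_OBJ_INTERNAL_ASN:TSG_OBJ_EXTERNAL_ASN;
        }
        scan_ret=maat_scan_group(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[asn_table], &hit_group, 1,
                                 ctx->result+hit_cnt+hit_cnt_ip, MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip, &n_hit_result, ctx->scan_mid);
        /* … unchanged: hit_cnt_ip accounting … */
        scan_ret = maat_scan_not_logic(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[asn_table], ctx->result+hit_cnt+hit_cnt_ip, MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip,
                                       &n_hit_result, ctx->scan_mid);
        /* … unchanged: hit_cnt_ip accounting … */
        if(scan_ret >= MAAT_SCAN_OK)
        {
            ctx->n_read=maat_state_get_hit_paths(ctx->scan_mid, hit_path, HIT_PATH_SIZE);
            if(asn_table == TSG_OBJ_IP_DST_ASN)
            {
                ctx->ip_ctx.Nth_scan[NTH_SCAN_IP_DST_ASN] = maat_state_get_scan_count(ctx->scan_mid);
            }
            else
            {
                Nth_scan_cnt = (asn_table == TSG_OBJ_INTERNAL_ASN) ? NTH_SCAN_IP_INTERNAL_ASN : NTH_SCAN_IP_EXTERNAL_ASN;
                ctx->ip_ctx.Nth_scan[Nth_scan_cnt] = maat_state_get_scan_count(ctx->scan_mid);
            }
        }
    }
    if(ip_asn_client!=NULL)
    {
        /* … unchanged: asn_client/organization_client strdup, hit_group setup … */
        if(table_id == TSG_OBJ_SOURCE_ADDR)
        {
            asn_table = TSG_OBJ_IP_SRC_ASN;
        }
        else
        {
            asn_table = (table_id==TSG_OBJ_INTERNAL_ADDR)?TSG_OBJ_INTERNAL_ASN:TSG_OBJ_EXTERNAL_ASN;
        }
        scan_ret=maat_scan_group(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[asn_table], &hit_group, 1,
                                 ctx->result+hit_cnt+hit_cnt_ip, MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip, &n_hit_result, ctx->scan_mid);
        /* … unchanged: hit_cnt_ip accounting … */
        scan_ret = maat_scan_not_logic(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[asn_table], ctx->result+hit_cnt+hit_cnt_ip, MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip,
                                       &n_hit_result, ctx->scan_mid);
        /* … unchanged: hit_cnt_ip accounting … */
        if(scan_ret >= MAAT_SCAN_OK)
        {
            ctx->n_read=maat_state_get_hit_paths(ctx->scan_mid, hit_path, HIT_PATH_SIZE);
            if(asn_table == TSG_OBJ_IP_SRC_ASN)
            {
                ctx->ip_ctx.Nth_scan[NTH_SCAN_IP_SRC_ASN] = maat_state_get_scan_count(ctx->scan_mid);
            }
            else
            {
                Nth_scan_cnt = (asn_table == TSG_OBJ_INTERNAL_ASN) ? NTH_SCAN_IP_INTERNAL_ASN : NTH_SCAN_IP_EXTERNAL_ASN;
                ctx->ip_ctx.Nth_scan[Nth_scan_cnt] = maat_state_get_scan_count(ctx->scan_mid);
            }
        }
    }
```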


@@ -143,6 +143,8 @@ int protoco_field_type_str2idx(const char *action_str, char *buff, char **p)
table_name[TSG_OBJ_SSL_ESNI]="ATTR_SSL_ESNI"; table_name[TSG_OBJ_SSL_ESNI]="ATTR_SSL_ESNI";
table_name[TSG_OBJ_SSL_NO_SNI]="ATTR_SSL_NO_SNI"; table_name[TSG_OBJ_SSL_NO_SNI]="ATTR_SSL_NO_SNI";
table_name[TSG_OBJ_TUNNEL_LEVEL]="ATTR_TUNNEL_LEVEL"; table_name[TSG_OBJ_TUNNEL_LEVEL]="ATTR_TUNNEL_LEVEL";
table_name[TSG_OBJ_INTERNAL_ASN]="ATTR_INTERNAL_ASN";
table_name[TSG_OBJ_EXTERNAL_ASN]="ATTR_EXTERNAL_ASN";
size_t i = 0; size_t i = 0;
for (i = 0; i < __TSG_OBJ_MAX; i++) for (i = 0; i < __TSG_OBJ_MAX; i++)
@@ -245,6 +247,12 @@ static struct ipaddr * get_ip_from_json(cJSON *attributeValue, const char *attri
const char *Ip=NULL; const char *Ip=NULL;
unsigned int Port=0; unsigned int Port=0;
if(attributeName==NULL)
{
mesa_runtime_log(RLOG_LV_FATAL, "The attributeType is of type iP, but the attributeName is empty, resulting in IP type parsing failure.");
return NULL;
}
item = cJSON_GetObjectItem(attributeValue,"ip"); item = cJSON_GetObjectItem(attributeValue,"ip");
if(item && item->type==cJSON_String) Ip = item->valuestring; if(item && item->type==cJSON_String) Ip = item->valuestring;
item = cJSON_GetObjectItem(attributeValue,"port"); item = cJSON_GetObjectItem(attributeValue,"port");
@@ -254,6 +262,12 @@ static struct ipaddr * get_ip_from_json(cJSON *attributeValue, const char *attri
item=cJSON_GetObjectItem(attributeValue,"addrType"); item=cJSON_GetObjectItem(attributeValue,"addrType");
if(item && item->type==cJSON_Number) addr_type = item->valueint; if(item && item->type==cJSON_Number) addr_type = item->valueint;
if(strcasecmp(attributeName, "ip_protocol") == 0)
{
mesa_runtime_log(RLOG_LV_INFO, " [I] %s, protocol=%d", buff, *protocol);
return NULL;
}
struct ipaddr *ip_addr = NULL; struct ipaddr *ip_addr = NULL;
if(strcasecmp(attributeName, "source") == 0 || strcasecmp(attributeName, "internal") == 0 || if(strcasecmp(attributeName, "source") == 0 || strcasecmp(attributeName, "internal") == 0 ||
strcasecmp(attributeName, "tunnel_endpointa") == 0 || strcasecmp(attributeName, "tunnel_endpointb") == 0) strcasecmp(attributeName, "tunnel_endpointa") == 0 || strcasecmp(attributeName, "tunnel_endpointb") == 0)
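Review bot: The new `ip_protocol` early return in get_ip_from_json sits after the ip/port/addrType lookups whose results that path never uses; placing it directly below the new attributeName NULL check keeps all request validation in one prefix and stops parsing fields that are then discarded. The log on that path dereferences `protocol` and prints `buff`, both declared outside this hunk — if `protocol` can be NULL for an ip_protocol request, guard the dereference (`protocol ? *protocol : -1`) rather than crash on a malformed request. The FATAL message for a missing attributeName reads "of type iP", which is worth correcting while the line is new. get_ip_from_json starts before this hunk.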


@@ -620,28 +620,28 @@
}, },
{ {
"table_id":59, "table_id":59,
"table_name":"TSG_IP_ASN_BUILT_IN", "table_name":"TSG_OBJ_IP_ASN_BUILT_IN",
"table_type":"ip_plugin", "table_type":"ip_plugin",
"valid_column":19, "valid_column":8,
"custom": { "custom": {
"item_id":1, "item_id":1,
"group_id":2,
"ip_type":3, "ip_type":3,
"start_ip":4, "start_ip":4,
"end_ip":5, "end_ip":5
"addr_format":7
} }
}, },
{ {
"table_id":60, "table_id":60,
"table_name":"TSG_IP_ASN_USER_DEFINED", "table_name":"TSG_OBJ_IP_ASN_USER_DEFINED",
"table_type":"ip_plugin", "table_type":"ip_plugin",
"valid_column":19, "valid_column":8,
"custom": { "custom": {
"item_id":1, "item_id":1,
"group_id":2,
"ip_type":3, "ip_type":3,
"start_ip":4, "start_ip":4,
"end_ip":5, "end_ip":5
"addr_format":7
} }
}, },
{ {
@@ -1023,5 +1023,17 @@
"table_name":"ATTR_TUNNEL_LEVEL", "table_name":"ATTR_TUNNEL_LEVEL",
"table_type":"virtual", "table_type":"virtual",
"physical_table": "TSG_TUNNEL_CATALOG" "physical_table": "TSG_TUNNEL_CATALOG"
},
{
"table_id":106,
"table_name":"ATTR_INTERNAL_ASN",
"table_type":"virtual",
"physical_table": "TSG_OBJ_AS_NUMBER"
},
{
"table_id":107,
"table_name":"ATTR_EXTERNAL_ASN",
"table_type":"virtual",
"physical_table": "TSG_OBJ_AS_NUMBER"
} }
] ]