gfwleak/tango-verify-policy
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

TSG-14186 策略验证支持Service Chaining

Browse Source
This commit is contained in:
fengweihao
2023-03-14 10:36:03 +08:00
parent 212cd1a4f6
commit 92e9c25946
4 changed files with 24 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
common/include/verify_policy.h
View File

@@ -21,6 +21,7 @@ enum verify_policy_type
PXY_TABLE_MANIPULATION, PXY_TABLE_MANIPULATION,
PXY_TABLE_DEFENCE, PXY_TABLE_DEFENCE,
TSG_TRAFFIC_SHAPING, TSG_TRAFFIC_SHAPING,
TSG_SERVICE_CHAINGNG,
__SCAN_POLICY_MAX __SCAN_POLICY_MAX
}; };

6
platform/src/verify_policy.cpp
View File

@@ -75,6 +75,7 @@ enum verify_policy_type tsg_policy_type_str2idx(const char *action_str)
policy_name[PXY_TABLE_MANIPULATION] = "pxy_manipulation"; policy_name[PXY_TABLE_MANIPULATION] = "pxy_manipulation";
policy_name[PXY_TABLE_DEFENCE] = "active_defence"; policy_name[PXY_TABLE_DEFENCE] = "active_defence";
policy_name[TSG_TRAFFIC_SHAPING] = "traffic_shaping"; policy_name[TSG_TRAFFIC_SHAPING] = "traffic_shaping";
policy_name[TSG_SERVICE_CHAINGNG] = "service_chaining";
size_t i = 0; size_t i = 0;
@@ -374,6 +375,11 @@ cJSON *get_query_from_request(const char *data, int thread_id)
verify_policy->shaping=1; verify_policy->shaping=1;
verify_policy->type = TSG_TABLE_SECURITY; verify_policy->type = TSG_TABLE_SECURITY;
} }
if(verify_policy->type == TSG_SERVICE_CHAINGNG)
{
verify_policy->shaping=2;
verify_policy->type = TSG_TABLE_SECURITY;
}
if (verify_policy->type >= __SCAN_POLICY_MAX) if (verify_policy->type >= __SCAN_POLICY_MAX)
{ {
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "policy type error, policy id = %d", verify_policy->type); mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "policy type error, policy id = %d", verify_policy->type);

1
resource/table_info_security.conf
View File

@@ -10,6 +10,7 @@
#id name type src_charset dst_charset do_merge cross_cache quickswitch #id name type src_charset dst_charset do_merge cross_cache quickswitch
0 TSG_SECURITY_COMPILE compile escape -- 0 TSG_SECURITY_COMPILE compile escape --
0 TRAFFIC_SHAPING_COMPILE compile escape -- 0 TRAFFIC_SHAPING_COMPILE compile escape --
0 SERVICE_CHAINING_COMPILE compile escape --
1 GROUP_COMPILE_RELATION group2compile -- 1 GROUP_COMPILE_RELATION group2compile --
2 GROUP_GROUP_RELATION group2group -- 2 GROUP_GROUP_RELATION group2group --
3 TSG_OBJ_IP_ADDR ip_plus UTF8 UTF8 no 0 3 TSG_OBJ_IP_ADDR ip_plus UTF8 UTF8 no 0

19
scan/src/policy_scan.cpp
View File

@@ -34,6 +34,7 @@ enum policy_action
PG_ACTION_REJECT = 0x10, PG_ACTION_REJECT = 0x10,
PG_ACTION_SHAPING = 0x20, PG_ACTION_SHAPING = 0x20,
PG_ACTION_MANIPULATE = 0x30, PG_ACTION_MANIPULATE = 0x30,
PG_ACTION_SERVICE_CHAINING = 0x40,
PG_ACTION_INLINE_DEVICE = 0x60, PG_ACTION_INLINE_DEVICE = 0x60,
PG_ACTION_WHITELIST = 0x80, PG_ACTION_WHITELIST = 0x80,
__PG_ACTION_MAX __PG_ACTION_MAX
@@ -754,7 +755,11 @@ static enum policy_action decide_ctrl_action(enum verify_policy_type policy_type
{ {
continue; continue;
} }
if (shaping == 0 && __action == PG_ACTION_SHAPING) if (shaping ==2 && __action != PG_ACTION_SERVICE_CHAINING)
{
continue;
}
if (shaping == 0 && (__action == PG_ACTION_SHAPING || __action == PG_ACTION_SERVICE_CHAINING))
{ {
continue; continue;
} }
@@ -950,7 +955,11 @@ int verify_shaping_policy_filter(struct verify_policy_scan_ctx * ctx, int shapin
{ {
return 1; return 1;
} }
if(shaping == 0 && ctx->result[i].action != PG_ACTION_SHAPING) if(shaping == 2 && ctx->result[i].action == PG_ACTION_SERVICE_CHAINING)
{
return 1;
}
if(shaping == 0 && (ctx->result[i].action != PG_ACTION_SHAPING || ctx->result[i].action != PG_ACTION_SERVICE_CHAINING))
{ {
return 1; return 1;
} }
@@ -1059,7 +1068,11 @@ int http_hit_policy_list(enum verify_policy_type policy_type, int shaping, size_
{ {
continue; continue;
} }
if(shaping == 0 && ctx->result[i].action == PG_ACTION_SHAPING) if(shaping == 2 && ctx->result[i].action != PG_ACTION_SERVICE_CHAINING)
{
continue;
}
if(shaping == 0 && (ctx->result[i].action == PG_ACTION_SHAPING || ctx->result[i].action == PG_ACTION_SERVICE_CHAINING))
{ {
continue; continue;
} }