diff --git a/common/include/verify_policy.h b/common/include/verify_policy.h
index a1b9390..1dea7bc 100644
--- a/common/include/verify_policy.h
+++ b/common/include/verify_policy.h
@@ -17,10 +17,17 @@ enum verify_policy_type
 {
 PXY_TABLE_SECURITY,
 PXY_TABLE_MANIPULATION,
+ PXY_TABLE_WANNAT,
 PXY_TABLE_DEFENCE,
 __SCAN_POLICY_MAX
 };
 
+enum common_scan_table
+{
+ PXY_COMMON_SOURCE_ADDR,
+ PXY_COMMON_DESTINATION_ADDR
+};
+
 enum manipulate_sacn_table
 {
 PXY_CTRL_SOURCE_ADDR,
@@ -76,6 +83,14 @@ enum security_scan_table
 __SECURITY_TABLE_MAX
 };
 
+enum wannat_scan_table
+{
+ PXY_WANNAT_SOURCE_ADDR,
+ PXY_WANNAT_DESTINATION_ADDR,
+ __WANNAT_TABLE_MAX
+};
+
+
 enum http_ev_bit_number
 {
 IP_BITNUM = 0,
@@ -160,6 +175,8 @@ void http_get_scan_status(struct verify_policy_query_obj *query_obj, int type, c
 
 int security_policy_init(struct verify_policy * verify, const char* profile_path);
 
+int wannat_policy_init(struct verify_policy * verify, const char* profile_path);
+
 int http_hit_policy_list(enum verify_policy_type policy_type, size_t hit_cnt, cJSON *data_obj, void *pme);
 
 #endif
diff --git a/conf/verify_policy.conf b/conf/verify_policy.conf
index f1e4943..5d84e84 100644
--- a/conf/verify_policy.conf
+++ b/conf/verify_policy.conf
@@ -20,6 +20,7 @@ thread-nu = 4
 maat_input_mode=1
 table_info=./resource/table_info_proxy.conf
 table_info_tsg=./resource/table_info_security.conf
+table_info_wannat=./resource/table_info_wannat.conf
 json_cfg_file=./resource/pangu_http.json
 stat_file=logs/verify-policy.status
 full_cfg_dir=verify-policy/
diff --git a/platform/CMakeLists.txt b/platform/CMakeLists.txt
index d3858ff..e6aaaa1 100644
--- a/platform/CMakeLists.txt
+++ b/platform/CMakeLists.txt
@@ -6,7 +6,7 @@ add_executable(verify-policy src/verify_policy.cpp)
 #target_include_directories(verify-policy PUBLIC ${CMAKE_CURRENT_LIST_DIR}/include)
 
 
-target_link_libraries(verify-policy common pangu-http)
+target_link_libraries(verify-policy common policy_scan)
 
 
 target_link_libraries(verify-policy pthread dl libevent-static MESA_handle_logger
diff --git a/platform/src/verify_policy.cpp b/platform/src/verify_policy.cpp
index d40a325..2efeb8f 100644
--- a/platform/src/verify_policy.cpp
+++ b/platform/src/verify_policy.cpp
@@ -73,6 +73,7 @@ enum verify_policy_type tsg_policy_type_str2idx(const char *action_str)
 const char * policy_name[__SCAN_POLICY_MAX];
 policy_name[PXY_TABLE_SECURITY] = "tsg_security";
 policy_name[PXY_TABLE_MANIPULATION] = "pxy_manipulation";
+ policy_name[PXY_TABLE_WANNAT] = "pxy_wannat";
 policy_name[PXY_TABLE_DEFENCE] = "active_defence";
 
 size_t i = 0;
@@ -88,8 +89,8 @@ enum verify_policy_type tsg_policy_type_str2idx(const char *action_str)
 
 int protoco_field_type_str2idx(enum verify_policy_type type, const char *action_str, char *buff, char **p)
 {
+ size_t scan_table_max=0;
 const char * table_name[__SECURITY_TABLE_MAX] ={0};
- size_t max = type != PXY_TABLE_MANIPULATION ? (int)PXY_SECURITY_FTP_ACCOUNT : (int)PXY_CTRL_DOH_HOST;
 
 switch(type)
 {
@@ -106,6 +107,7 @@ int protoco_field_type_str2idx(enum verify_policy_type type, const char *action_
 table_name[PXY_CTRL_APP_ID] = "TSG_OBJ_APP_ID";
 table_name[PXY_CTRL_DOH_QNAME]="TSG_FIELD_DOH_QNAME";
 table_name[PXY_CTRL_DOH_HOST]="TSG_FIELD_DOH_HOST";
+ scan_table_max = PXY_CTRL_DOH_HOST;
 break;
 case PXY_TABLE_SECURITY:
 table_name[PXY_SECURITY_SOURCE_ADDR]="TSG_SECURITY_SOURCE_ADDR";
@@ -117,6 +119,7 @@ int protoco_field_type_str2idx(enum verify_policy_type type, const char *action_
 table_name[PXY_SECURITY_HTTP_RES_HDR] = "TSG_FIELD_HTTP_RES_HDR";
 table_name[PXY_SECURITY_HTTP_RES_BODY] = "TSG_FIELD_HTTP_RES_CONTENT";
 table_name[PXY_SECURITY_SUBSCRIBE_ID] = "TSG_OBJ_SUBSCRIBER_ID";
+ table_name[PXY_SECURITY_APP_ID] = "TSG_OBJ_APP_ID";
 table_name[PXY_SECURITY_HTTPS_SNI] = "TSG_FIELD_SSL_SNI";
 table_name[PXY_SECURITY_HTTPS_CN] = "TSG_FIELD_SSL_CN";
 table_name[PXY_SECURITY_HTTPS_SAN] = "TSG_FIELD_SSL_SAN";
@@ -132,7 +135,12 @@ int protoco_field_type_str2idx(enum verify_policy_type type, const char *action_
 table_name[PXY_SECURITY_FTP_URI] = "TSG_FIELD_FTP_URI";
 table_name[PXY_SECURITY_FTP_CONTENT] = "TSG_FIELD_FTP_CONTENT";
 table_name[PXY_SECURITY_FTP_ACCOUNT] = "TSG_FIELD_FTP_ACCOUNT";
- table_name[PXY_SECURITY_APP_ID] = "TSG_OBJ_APP_ID";
+ scan_table_max = PXY_SECURITY_FTP_ACCOUNT;
+ break;
+ case PXY_TABLE_WANNAT:
+ table_name[PXY_WANNAT_SOURCE_ADDR]="TSG_SECURITY_SOURCE_ADDR";
+ table_name[PXY_WANNAT_DESTINATION_ADDR]="TSG_SECURITY_DESTINATION_ADDR";
+ scan_table_max = PXY_WANNAT_DESTINATION_ADDR;
 break;
 case PXY_TABLE_DEFENCE:
 break;
@@ -140,7 +148,7 @@ int protoco_field_type_str2idx(enum verify_policy_type type, const char *action_
 break;
 }
 size_t i = 0;
- for (i = 0; i <= max; i++)
+ for (i = 0; i <= scan_table_max; i++)
 {
 if (0 == strcasecmp(action_str, table_name[i]))
 break;
@@ -878,6 +886,9 @@ int main(int argc, char * argv[])
 ret = proxy_policy_init(g_verify_proxy, main_profile);
 CHECK_OR_EXIT(ret == 0, "Failed at init panggu module, Exit.");
 
+ ret = wannat_policy_init(g_verify_proxy, main_profile);
+ CHECK_OR_EXIT(ret == 0, "Failed at init wannat module, Exit.");
+
 clock_gettime(CLOCK_REALTIME, &(end_time));
 mesa_runtime_log(RLOG_LV_DEBUG, MODULE_NAME, "Read table_info_proxy.conf, take time %lu(s)", end_time.tv_sec - start_time.tv_sec);
 printf("Read table_info_proxy.conf, take time %lu(s)\n", end_time.tv_sec - start_time.tv_sec);
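Review bot: The lookup loop in the -140 hunk passes `table_name[i]` to strcasecmp() with no NULL check, and after this change `scan_table_max` stays at its initial 0 for PXY_TABLE_DEFENCE and the default case, so `table_name[0]` — NULL from the `={0}` initialiser in the -88 hunk — reaches strcasecmp(), which is undefined behaviour and in practice a crash while policy is being loaded; any unset slot at or below `scan_table_max` in the other cases has the same effect. Guard the comparison: `if (table_name[i] != NULL && 0 == strcasecmp(action_str, table_name[i]))`. Separately, the PXY_SECURITY_APP_ID entry moved in the -132 hunk is only reachable if PXY_SECURITY_APP_ID is ordered at or below PXY_SECURITY_FTP_ACCOUNT in security_scan_table, which this diff does not show, so that ordering is worth confirming. protoco_field_type_str2idx continues past the hunk; its return path is not visible here.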
diff --git a/resource/table_info_wannat.conf b/resource/table_info_wannat.conf
new file mode 100644
index 0000000..269b883
--- /dev/null
+++ b/resource/table_info_wannat.conf
@@ -0,0 +1,17 @@
+#each collumn seperate with '\t'
+#id (0~65535)
+#name string
+#type one of ip,expr,expr_plus,digest,intval,compile or plugin
+#src_charset one of GBK,BIG5,UNICODE,UTF8
+#dst_charset combined by GBK,BIG5,UNICODE,UTF8,seperate with '/'
+#do_merege yes or no
+#cross cache 0~max
+#quickswitch quickon or quick off
+#id name type src_charset dst_charset do_merge cross_cache quickswitch
+0 WANNAT_COMPILE compile escape --
+1 GROUP_COMPILE_RELATION group2compile --
+2 GROUP_GROUP_RELATION group2group --
+3 TSG_OBJ_IP_ADDR ip_plus --
+4 TSG_SECURITY_SOURCE_ADDR virtual TSG_OBJ_IP_ADDR --
+5 TSG_SECURITY_DESTINATION_ADDR virtual TSG_OBJ_IP_ADDR --
+6 TSG_SECURITY_ADDR composition {"source":"TSG_SECURITY_SOURCE_ADDR","destination":"TSG_SECURITY_DESTINATION_ADDR"}
diff --git a/scan/CMakeLists.txt b/scan/CMakeLists.txt
index ddc69a5..1527e23 100644
--- a/scan/CMakeLists.txt
+++ b/scan/CMakeLists.txt
@@ -1,6 +1,6 @@
-add_library(pangu-http src/pangu_http.cpp)
-target_include_directories(pangu-http PUBLIC ${CMAKE_CURRENT_LIST_DIR}/incluce)
-target_link_libraries(pangu-http PUBLIC common pthread cjson maatframe)
+add_library(policy_scan src/policy_scan.cpp)
+target_include_directories(policy_scan PUBLIC ${CMAKE_CURRENT_LIST_DIR}/incluce)
+target_link_libraries(policy_scan PUBLIC common pthread cjson maatframe)
 
 
 
diff --git a/scan/include/pangu_http.h b/scan/include/policy_scan.h
similarity index 93%
rename from scan/include/pangu_http.h
rename to scan/include/policy_scan.h
index 07f3fe2..7f97345 100644
--- a/scan/include/pangu_http.h
+++ b/scan/include/policy_scan.h
@@ -1,5 +1,5 @@
 /*************************************************************************
- > File Name: panggu_http.h
+ > File Name: policy_scan.h
 > Author:
 > Mail:
 > Created Time: 2019年08月26日 星期一 19时30分49秒
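Review bot: The renamed `target_include_directories(policy_scan PUBLIC ${CMAKE_CURRENT_LIST_DIR}/incluce)` line in the scan/CMakeLists.txt hunk carries over the pre-existing `incluce` typo, while the header it is meant to publish is renamed to scan/include/policy_scan.h in this same commit; verify-policy, which now links policy_scan, would only find that header if some other include path happens to supply it. Since the line is being rewritten anyway, it should read `target_include_directories(policy_scan PUBLIC ${CMAKE_CURRENT_LIST_DIR}/include)`.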
diff --git a/scan/src/pangu_http.cpp b/scan/src/policy_scan.cpp
similarity index 95%
rename from scan/src/pangu_http.cpp
rename to scan/src/policy_scan.cpp
index 95da2a0..046ac29 100644
--- a/scan/src/pangu_http.cpp
+++ b/scan/src/policy_scan.cpp
@@ -1,5 +1,5 @@
 /*************************************************************************
- > File Name: pangu_http.cpp
+ > File Name: policy_scan.cpp
 > Author:
 > Mail:
 > Created Time: 2019年08月23日 星期五 16时53分25秒
@@ -24,27 +24,27 @@
 
 #define MAX_SCAN_RESULT 16
 
-enum pangu_action //Bigger action number is prior.
+enum pangu_action
 {
 PG_ACTION_NONE = 0x00,
 PG_ACTION_MONIT = 0x01,
- PG_ACTION_FORWARD = 0x02, /* N/A */
+ PG_ACTION_INTERCEPT = 0x02, /* N/A */
+ PG_ACTION_ACTIVE_DEFENCE = 0x04,
+ PG_ACTION_WANNAT = 0x08,
 PG_ACTION_REJECT = 0x10,
- PG_ACTION_DROP = 0x20, /* N/A */
 PG_ACTION_MANIPULATE = 0x30,
- PG_ACTION_RATELIMIT = 0x40, /* N/A */
- PG_ACTION_LOOP = 0x60, /* N/A */
+ PG_ACTION_INLINE_DEVICE = 0x60,
 PG_ACTION_WHITELIST = 0x80,
 __PG_ACTION_MAX
 };
 
-enum tfe_http_std_field
+enum http_std_field
 {
- TFE_HTTP_UNKNOWN_FIELD = 0,
- TFE_HTTP_USER_AGENT,
- TFE_HTTP_COOKIE,
- TFE_HTTP_SET_COOKIE,
- TFE_HTTP_CONT_TYPE,
+ HTTP_UNKNOWN_FIELD = 0,
+ HTTP_USER_AGENT,
+ HTTP_COOKIE,
+ HTTP_SET_COOKIE,
+ HTTP_CONT_TYPE,
 };
 
 enum verify_profile_table
@@ -77,7 +77,7 @@ struct ip_data_table
 struct http_field_name
 {
 const char * field_name;
- enum tfe_http_std_field field_id;
+ enum http_std_field field_id;
 };
 
 struct ip_data_ctx
@@ -176,9 +176,10 @@ void __pangu_action_weight_init()
 {
 pangu_action_weight[PG_ACTION_NONE] = 0;
 pangu_action_weight[PG_ACTION_MONIT] = 1;
- pangu_action_weight[PG_ACTION_MANIPULATE] = 2;
- pangu_action_weight[PG_ACTION_REJECT] = 3;
- pangu_action_weight[PG_ACTION_WHITELIST] = 4;
+ pangu_action_weight[PG_ACTION_INTERCEPT] = 2;
+ pangu_action_weight[PG_ACTION_MANIPULATE] = 3;
+ pangu_action_weight[PG_ACTION_REJECT] = 4;
+ pangu_action_weight[PG_ACTION_WHITELIST] = 5;
 }
 
 static inline int action_cmp(enum pangu_action a1, enum pangu_action a2)
@@ -716,10 +717,9 @@ int http_hit_policy_match(int result_config[], int cnt, int config)
 int http_hit_policy_list(enum verify_policy_type policy_type, size_t hit_cnt, cJSON *data_obj, void *pme)
 {
 bool succeeded = false;
- size_t rules=0, i=0, j = 0;
+ size_t rules=0, i=0;
 int result_config[MAX_SCAN_RESULT] = {0};
 
- Maat_feather_t maat = g_pangu_rt->maat[policy_type];
 struct pangu_http_ctx * ctx = (struct pangu_http_ctx *) pme;
 hit_cnt = ctx->hit_cnt;
 
@@ -993,11 +993,11 @@ size_t verify_policy_scan(enum verify_policy_type policy_type, struct verify_pol
 int scan_ret=0, n_read;
 //size_t hit_cnt=0;
 
- struct http_field_name req_fields[]={ {"User-Agent", TFE_HTTP_USER_AGENT}, {"Cookie", TFE_HTTP_COOKIE}};
+ struct http_field_name req_fields[]={ {"User-Agent", HTTP_USER_AGENT}, {"Cookie", HTTP_COOKIE}};
 
- struct http_field_name resp_fields[]={ {"Set-Cookie", TFE_HTTP_SET_COOKIE}, {"Content-Type", TFE_HTTP_CONT_TYPE}};
+ struct http_field_name resp_fields[]={ {"Set-Cookie", HTTP_SET_COOKIE}, {"Content-Type", HTTP_CONT_TYPE}};
 struct pangu_http_ctx * ctx = (struct pangu_http_ctx *) pme;
 size_t hit_cnt = ctx->hit_cnt;
 
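Review bot: The rebuilt weight table in the -176 hunk gives no weight to the three actions the -24 hunk introduces (PG_ACTION_ACTIVE_DEFENCE, PG_ACTION_WANNAT, PG_ACTION_INLINE_DEVICE); if `pangu_action_weight` is zero-initialised — its definition is outside the hunk — they rank equal to PG_ACTION_NONE in action_cmp, so a PG_ACTION_MONIT hit on the same flow would outrank a WANNAT or active-defence verdict. Each new value needs an explicit entry here or a stated reason for being unranked, and PG_ACTION_INTERCEPT now receives weight 2 while still annotated `/* N/A */`, which should be reconciled. The old `//Bigger action number is prior.` comment was dropped without a replacement, so a line above the table such as `/* every pangu_action value must be listed here: unlisted values rank as 0, i.e. as PG_ACTION_NONE */` would stop the next addition from repeating this.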
@@ -1005,7 +1005,7 @@ size_t verify_policy_scan(enum verify_policy_type policy_type, struct verify_pol
 int protocol_field = query_obj->protocol_field;
 const char *value = query_obj->keyword;
 
- if ((protocol_field == PXY_CTRL_SOURCE_ADDR || protocol_field == PXY_CTRL_DESTINATION_ADDR) && query_obj->ip_addr != NULL)
+ if ((protocol_field == PXY_COMMON_SOURCE_ADDR || protocol_field == PXY_COMMON_DESTINATION_ADDR) && query_obj->ip_addr != NULL)
 {
 struct ip_address dest_ip, source_ip;
 verify_ip_addr_to_address(query_obj->ip_addr, &dest_ip, &source_ip);
@@ -1250,6 +1250,34 @@ void subscribe_id_dup_cb(int table_id, MAAT_PLUGIN_EX_DATA* to, MAAT_PLUGIN_EX_D
 return;
 }
 
+int wannat_policy_init(struct verify_policy * verify, const char* profile_path)
+{
+ int ret = -1;
+
+ g_pangu_rt->maat[PXY_TABLE_WANNAT] = create_maat_feather("static", profile_path, "MAAT", "table_info_wannat", g_pangu_rt->thread_num, g_pangu_rt->local_logger);
+ if (!g_pangu_rt->maat[PXY_TABLE_WANNAT])
+ {
+ goto error_out;
+ }
+ const char * table_name[__WANNAT_TABLE_MAX];
+ table_name[PXY_WANNAT_SOURCE_ADDR] = "TSG_SECURITY_SOURCE_ADDR";
+ table_name[PXY_WANNAT_DESTINATION_ADDR] = "TSG_SECURITY_DESTINATION_ADDR";
+
+ for (int i = 0; i < __WANNAT_TABLE_MAX; i++)
+ {
+ g_pangu_rt->scan_table_id[PXY_TABLE_WANNAT][i] = Maat_table_register(g_pangu_rt->maat[PXY_TABLE_WANNAT], table_name[i]);
+ if (g_pangu_rt->scan_table_id[PXY_TABLE_WANNAT][i] < 0)
+ {
+ mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Wannat policy maat table %s register failed.", table_name[i]);
+ goto error_out;
+ }
+ mesa_runtime_log(RLOG_LV_DEBUG, MODULE_NAME, "Wannat policy register maat %p, table name %s, table id %d", g_pangu_rt->maat[PXY_TABLE_WANNAT], table_name[i], g_pangu_rt->scan_table_id[PXY_TABLE_WANNAT][i]);
+ }
+ ret = 0;
+error_out:
+ return ret;
+}
+
 int proxy_policy_init(struct verify_policy * verify, const char* profile_path)
 {
 int ret = -1;
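Review bot: wannat_policy_init in the -1250 hunk never reads its `verify` parameter, and when Maat_table_register fails it returns -1 while `g_pangu_rt->maat[PXY_TABLE_WANNAT]` still holds the feather created a few lines earlier, so a caller that does not terminate on failure (main does, via CHECK_OR_EXIT in the -878 hunk) is left with a half-registered handle in global state. The two table-name strings also duplicate the PXY_TABLE_WANNAT case of protoco_field_type_str2idx in verify_policy.cpp, so a renamed table has to be changed in two files with nothing tying them together. At minimum the function needs a header comment stating its contract: `/* Creates the wannat maat feather and registers its scan tables into g_pangu_rt. Returns 0 on success, -1 on failure; on failure a feather that was already created is left in place. verify is unused. */`.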