gfwleak/tango-verify-policy
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

策略验证支持wannat

Browse Source
This commit is contained in:
fengweihao
2021-01-28 18:42:19 +08:00
parent 1a0cadafeb
commit c900e0ab28
8 changed files with 105 additions and 31 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
common/include/verify_policy.h
View File

@@ -17,10 +17,17 @@ enum verify_policy_type
{ {
PXY_TABLE_SECURITY, PXY_TABLE_SECURITY,
PXY_TABLE_MANIPULATION, PXY_TABLE_MANIPULATION,
PXY_TABLE_WANNAT,
PXY_TABLE_DEFENCE, PXY_TABLE_DEFENCE,
__SCAN_POLICY_MAX __SCAN_POLICY_MAX
}; };
enum common_scan_table
{
PXY_COMMON_SOURCE_ADDR,
PXY_COMMON_DESTINATION_ADDR
};
enum manipulate_sacn_table enum manipulate_sacn_table
{ {
PXY_CTRL_SOURCE_ADDR, PXY_CTRL_SOURCE_ADDR,
@@ -76,6 +83,14 @@ enum security_scan_table
__SECURITY_TABLE_MAX __SECURITY_TABLE_MAX
}; };
enum wannat_scan_table
{
PXY_WANNAT_SOURCE_ADDR,
PXY_WANNAT_DESTINATION_ADDR,
__WANNAT_TABLE_MAX
};
enum http_ev_bit_number enum http_ev_bit_number
{ {
IP_BITNUM = 0, IP_BITNUM = 0,
@@ -160,6 +175,8 @@ void http_get_scan_status(struct verify_policy_query_obj *query_obj, int type, c
int security_policy_init(struct verify_policy * verify, const char* profile_path); int security_policy_init(struct verify_policy * verify, const char* profile_path);
int wannat_policy_init(struct verify_policy * verify, const char* profile_path);
int http_hit_policy_list(enum verify_policy_type policy_type, size_t hit_cnt, cJSON *data_obj, void *pme); int http_hit_policy_list(enum verify_policy_type policy_type, size_t hit_cnt, cJSON *data_obj, void *pme);
#endif #endif

1
conf/verify_policy.conf
View File

@@ -20,6 +20,7 @@ thread-nu = 4
maat_input_mode=1 maat_input_mode=1
table_info=./resource/table_info_proxy.conf table_info=./resource/table_info_proxy.conf
table_info_tsg=./resource/table_info_security.conf table_info_tsg=./resource/table_info_security.conf
table_info_wannat=./resource/table_info_wannat.conf
json_cfg_file=./resource/pangu_http.json json_cfg_file=./resource/pangu_http.json
stat_file=logs/verify-policy.status stat_file=logs/verify-policy.status
full_cfg_dir=verify-policy/ full_cfg_dir=verify-policy/

2
platform/CMakeLists.txt
View File

@@ -6,7 +6,7 @@ add_executable(verify-policy src/verify_policy.cpp)
#target_include_directories(verify-policy PUBLIC ${CMAKE_CURRENT_LIST_DIR}/include) #target_include_directories(verify-policy PUBLIC ${CMAKE_CURRENT_LIST_DIR}/include)
target_link_libraries(verify-policy common pangu-http) target_link_libraries(verify-policy common policy_scan)
target_link_libraries(verify-policy pthread dl target_link_libraries(verify-policy pthread dl
libevent-static libevent-static
MESA_handle_logger MESA_handle_logger

17
platform/src/verify_policy.cpp
View File

@@ -73,6 +73,7 @@ enum verify_policy_type tsg_policy_type_str2idx(const char *action_str)
const char * policy_name[__SCAN_POLICY_MAX]; const char * policy_name[__SCAN_POLICY_MAX];
policy_name[PXY_TABLE_SECURITY] = "tsg_security"; policy_name[PXY_TABLE_SECURITY] = "tsg_security";
policy_name[PXY_TABLE_MANIPULATION] = "pxy_manipulation"; policy_name[PXY_TABLE_MANIPULATION] = "pxy_manipulation";
policy_name[PXY_TABLE_WANNAT] = "pxy_wannat";
policy_name[PXY_TABLE_DEFENCE] = "active_defence"; policy_name[PXY_TABLE_DEFENCE] = "active_defence";
size_t i = 0; size_t i = 0;
@@ -88,8 +89,8 @@ enum verify_policy_type tsg_policy_type_str2idx(const char *action_str)
int protoco_field_type_str2idx(enum verify_policy_type type, const char *action_str, char *buff, char **p) int protoco_field_type_str2idx(enum verify_policy_type type, const char *action_str, char *buff, char **p)
{ {
size_t scan_table_max=0;
const char * table_name[__SECURITY_TABLE_MAX] ={0}; const char * table_name[__SECURITY_TABLE_MAX] ={0};
size_t max = type != PXY_TABLE_MANIPULATION ? (int)PXY_SECURITY_FTP_ACCOUNT : (int)PXY_CTRL_DOH_HOST;
switch(type) switch(type)
{ {
@@ -106,6 +107,7 @@ int protoco_field_type_str2idx(enum verify_policy_type type, const char *action_
table_name[PXY_CTRL_APP_ID] = "TSG_OBJ_APP_ID"; table_name[PXY_CTRL_APP_ID] = "TSG_OBJ_APP_ID";
table_name[PXY_CTRL_DOH_QNAME]="TSG_FIELD_DOH_QNAME"; table_name[PXY_CTRL_DOH_QNAME]="TSG_FIELD_DOH_QNAME";
table_name[PXY_CTRL_DOH_HOST]="TSG_FIELD_DOH_HOST"; table_name[PXY_CTRL_DOH_HOST]="TSG_FIELD_DOH_HOST";
scan_table_max = PXY_CTRL_DOH_HOST;
break; break;
case PXY_TABLE_SECURITY: case PXY_TABLE_SECURITY:
table_name[PXY_SECURITY_SOURCE_ADDR]="TSG_SECURITY_SOURCE_ADDR"; table_name[PXY_SECURITY_SOURCE_ADDR]="TSG_SECURITY_SOURCE_ADDR";
@@ -117,6 +119,7 @@ int protoco_field_type_str2idx(enum verify_policy_type type, const char *action_
table_name[PXY_SECURITY_HTTP_RES_HDR] = "TSG_FIELD_HTTP_RES_HDR"; table_name[PXY_SECURITY_HTTP_RES_HDR] = "TSG_FIELD_HTTP_RES_HDR";
table_name[PXY_SECURITY_HTTP_RES_BODY] = "TSG_FIELD_HTTP_RES_CONTENT"; table_name[PXY_SECURITY_HTTP_RES_BODY] = "TSG_FIELD_HTTP_RES_CONTENT";
table_name[PXY_SECURITY_SUBSCRIBE_ID] = "TSG_OBJ_SUBSCRIBER_ID"; table_name[PXY_SECURITY_SUBSCRIBE_ID] = "TSG_OBJ_SUBSCRIBER_ID";
table_name[PXY_SECURITY_APP_ID] = "TSG_OBJ_APP_ID";
table_name[PXY_SECURITY_HTTPS_SNI] = "TSG_FIELD_SSL_SNI"; table_name[PXY_SECURITY_HTTPS_SNI] = "TSG_FIELD_SSL_SNI";
table_name[PXY_SECURITY_HTTPS_CN] = "TSG_FIELD_SSL_CN"; table_name[PXY_SECURITY_HTTPS_CN] = "TSG_FIELD_SSL_CN";
table_name[PXY_SECURITY_HTTPS_SAN] = "TSG_FIELD_SSL_SAN"; table_name[PXY_SECURITY_HTTPS_SAN] = "TSG_FIELD_SSL_SAN";
@@ -132,7 +135,12 @@ int protoco_field_type_str2idx(enum verify_policy_type type, const char *action_
table_name[PXY_SECURITY_FTP_URI] = "TSG_FIELD_FTP_URI"; table_name[PXY_SECURITY_FTP_URI] = "TSG_FIELD_FTP_URI";
table_name[PXY_SECURITY_FTP_CONTENT] = "TSG_FIELD_FTP_CONTENT"; table_name[PXY_SECURITY_FTP_CONTENT] = "TSG_FIELD_FTP_CONTENT";
table_name[PXY_SECURITY_FTP_ACCOUNT] = "TSG_FIELD_FTP_ACCOUNT"; table_name[PXY_SECURITY_FTP_ACCOUNT] = "TSG_FIELD_FTP_ACCOUNT";
table_name[PXY_SECURITY_APP_ID] = "TSG_OBJ_APP_ID"; scan_table_max = PXY_SECURITY_FTP_ACCOUNT;
break;
case PXY_TABLE_WANNAT:
table_name[PXY_WANNAT_SOURCE_ADDR]="TSG_SECURITY_SOURCE_ADDR";
table_name[PXY_WANNAT_DESTINATION_ADDR]="TSG_SECURITY_DESTINATION_ADDR";
scan_table_max = PXY_WANNAT_DESTINATION_ADDR;
break; break;
case PXY_TABLE_DEFENCE: case PXY_TABLE_DEFENCE:
break; break;
@@ -140,7 +148,7 @@ int protoco_field_type_str2idx(enum verify_policy_type type, const char *action_
break; break;
} }
size_t i = 0; size_t i = 0;
for (i = 0; i <= max; i++) for (i = 0; i <= scan_table_max; i++)
{ {
if (0 == strcasecmp(action_str, table_name[i])) if (0 == strcasecmp(action_str, table_name[i]))
break; break;
@@ -878,6 +886,9 @@ int main(int argc, char * argv[])
ret = proxy_policy_init(g_verify_proxy, main_profile); ret = proxy_policy_init(g_verify_proxy, main_profile);
CHECK_OR_EXIT(ret == 0, "Failed at init panggu module, Exit."); CHECK_OR_EXIT(ret == 0, "Failed at init panggu module, Exit.");
ret = wannat_policy_init(g_verify_proxy, main_profile);
CHECK_OR_EXIT(ret == 0, "Failed at init wannat module, Exit.");
clock_gettime(CLOCK_REALTIME, &(end_time)); clock_gettime(CLOCK_REALTIME, &(end_time));
mesa_runtime_log(RLOG_LV_DEBUG, MODULE_NAME, "Read table_info_proxy.conf, take time %lu(s)", end_time.tv_sec - start_time.tv_sec); mesa_runtime_log(RLOG_LV_DEBUG, MODULE_NAME, "Read table_info_proxy.conf, take time %lu(s)", end_time.tv_sec - start_time.tv_sec);
printf("Read table_info_proxy.conf, take time %lu(s)\n", end_time.tv_sec - start_time.tv_sec); printf("Read table_info_proxy.conf, take time %lu(s)\n", end_time.tv_sec - start_time.tv_sec);

17
resource/table_info_wannat.conf Normal file
View File

@@ -0,0 +1,17 @@
#each collumn seperate with '\t'
#id (0~65535)
#name string
#type one of ip,expr,expr_plus,digest,intval,compile or plugin
#src_charset one of GBK,BIG5,UNICODE,UTF8
#dst_charset combined by GBK,BIG5,UNICODE,UTF8,seperate with '/'
#do_merege yes or no
#cross cache 0~max
#quickswitch quickon or quick off
#id name type src_charset dst_charset do_merge cross_cache quickswitch
0 WANNAT_COMPILE compile escape --
1 GROUP_COMPILE_RELATION group2compile --
2 GROUP_GROUP_RELATION group2group --
3 TSG_OBJ_IP_ADDR ip_plus --
4 TSG_SECURITY_SOURCE_ADDR virtual TSG_OBJ_IP_ADDR --
5 TSG_SECURITY_DESTINATION_ADDR virtual TSG_OBJ_IP_ADDR --
6 TSG_SECURITY_ADDR composition {"source":"TSG_SECURITY_SOURCE_ADDR","destination":"TSG_SECURITY_DESTINATION_ADDR"}

6
scan/CMakeLists.txt
View File

@@ -1,6 +1,6 @@
add_library(pangu-http src/pangu_http.cpp) add_library(policy_scan src/policy_scan.cpp)
target_include_directories(pangu-http PUBLIC ${CMAKE_CURRENT_LIST_DIR}/incluce) target_include_directories(policy_scan PUBLIC ${CMAKE_CURRENT_LIST_DIR}/incluce)
target_link_libraries(pangu-http PUBLIC common pthread cjson maatframe) target_link_libraries(policy_scan PUBLIC common pthread cjson maatframe)

2
scan/include/pangu_http.h → scan/include/policy_scan.h
View File

@@ -1,5 +1,5 @@
/************************************************************************* /*************************************************************************
> File Name: panggu_http.h > File Name: policy_scan.h
> Author: > Author:
> Mail: > Mail:
> Created Time: 20190826 193049 > Created Time: 20190826 193049

74
scan/src/pangu_http.cpp → scan/src/policy_scan.cpp
View File

@@ -1,5 +1,5 @@
/************************************************************************* /*************************************************************************
> File Name: pangu_http.cpp > File Name: policy_scan.cpp
> Author: > Author:
> Mail: > Mail:
> Created Time: 20190823 165325 > Created Time: 20190823 165325
@@ -24,27 +24,27 @@
#define MAX_SCAN_RESULT 16 #define MAX_SCAN_RESULT 16
enum pangu_action //Bigger action number is prior. enum pangu_action
{ {
PG_ACTION_NONE = 0x00, PG_ACTION_NONE = 0x00,
PG_ACTION_MONIT = 0x01, PG_ACTION_MONIT = 0x01,
PG_ACTION_FORWARD = 0x02, /* N/A */ PG_ACTION_INTERCEPT = 0x02, /* N/A */
PG_ACTION_ACTIVE_DEFENCE = 0x04,
PG_ACTION_WANNAT = 0x08,
PG_ACTION_REJECT = 0x10, PG_ACTION_REJECT = 0x10,
PG_ACTION_DROP = 0x20, /* N/A */
PG_ACTION_MANIPULATE = 0x30, PG_ACTION_MANIPULATE = 0x30,
PG_ACTION_RATELIMIT = 0x40, /* N/A */ PG_ACTION_INLINE_DEVICE = 0x60,
PG_ACTION_LOOP = 0x60, /* N/A */
PG_ACTION_WHITELIST = 0x80, PG_ACTION_WHITELIST = 0x80,
__PG_ACTION_MAX __PG_ACTION_MAX
}; };
enum tfe_http_std_field enum http_std_field
{ {
TFE_HTTP_UNKNOWN_FIELD = 0, HTTP_UNKNOWN_FIELD = 0,
TFE_HTTP_USER_AGENT, HTTP_USER_AGENT,
TFE_HTTP_COOKIE, HTTP_COOKIE,
TFE_HTTP_SET_COOKIE, HTTP_SET_COOKIE,
TFE_HTTP_CONT_TYPE, HTTP_CONT_TYPE,
}; };
enum verify_profile_table enum verify_profile_table
@@ -77,7 +77,7 @@ struct ip_data_table
struct http_field_name struct http_field_name
{ {
const char * field_name; const char * field_name;
enum tfe_http_std_field field_id; enum http_std_field field_id;
}; };
struct ip_data_ctx struct ip_data_ctx
@@ -176,9 +176,10 @@ void __pangu_action_weight_init()
{ {
pangu_action_weight[PG_ACTION_NONE] = 0; pangu_action_weight[PG_ACTION_NONE] = 0;
pangu_action_weight[PG_ACTION_MONIT] = 1; pangu_action_weight[PG_ACTION_MONIT] = 1;
pangu_action_weight[PG_ACTION_MANIPULATE] = 2; pangu_action_weight[PG_ACTION_INTERCEPT] = 2;
pangu_action_weight[PG_ACTION_REJECT] = 3; pangu_action_weight[PG_ACTION_MANIPULATE] = 3;
pangu_action_weight[PG_ACTION_WHITELIST] = 4; pangu_action_weight[PG_ACTION_REJECT] = 4;
pangu_action_weight[PG_ACTION_WHITELIST] = 5;
} }
static inline int action_cmp(enum pangu_action a1, enum pangu_action a2) static inline int action_cmp(enum pangu_action a1, enum pangu_action a2)
@@ -716,10 +717,9 @@ int http_hit_policy_match(int result_config[], int cnt, int config)
int http_hit_policy_list(enum verify_policy_type policy_type, size_t hit_cnt, cJSON *data_obj, void *pme) int http_hit_policy_list(enum verify_policy_type policy_type, size_t hit_cnt, cJSON *data_obj, void *pme)
{ {
bool succeeded = false; bool succeeded = false;
size_t rules=0, i=0, j = 0; size_t rules=0, i=0;
int result_config[MAX_SCAN_RESULT] = {0}; int result_config[MAX_SCAN_RESULT] = {0};
Maat_feather_t maat = g_pangu_rt->maat[policy_type];
struct pangu_http_ctx * ctx = (struct pangu_http_ctx *) pme; struct pangu_http_ctx * ctx = (struct pangu_http_ctx *) pme;
hit_cnt = ctx->hit_cnt; hit_cnt = ctx->hit_cnt;
@@ -993,11 +993,11 @@ size_t verify_policy_scan(enum verify_policy_type policy_type, struct verify_pol
int scan_ret=0, n_read; int scan_ret=0, n_read;
//size_t hit_cnt=0; //size_t hit_cnt=0;
struct http_field_name req_fields[]={ {"User-Agent", TFE_HTTP_USER_AGENT}, struct http_field_name req_fields[]={ {"User-Agent", HTTP_USER_AGENT},
{"Cookie", TFE_HTTP_COOKIE}}; {"Cookie", HTTP_COOKIE}};
struct http_field_name resp_fields[]={ {"Set-Cookie", TFE_HTTP_SET_COOKIE}, struct http_field_name resp_fields[]={ {"Set-Cookie", HTTP_SET_COOKIE},
{"Content-Type", TFE_HTTP_CONT_TYPE}}; {"Content-Type", HTTP_CONT_TYPE}};
struct pangu_http_ctx * ctx = (struct pangu_http_ctx *) pme; struct pangu_http_ctx * ctx = (struct pangu_http_ctx *) pme;
size_t hit_cnt = ctx->hit_cnt; size_t hit_cnt = ctx->hit_cnt;
@@ -1005,7 +1005,7 @@ size_t verify_policy_scan(enum verify_policy_type policy_type, struct verify_pol
int protocol_field = query_obj->protocol_field; int protocol_field = query_obj->protocol_field;
const char *value = query_obj->keyword; const char *value = query_obj->keyword;
if ((protocol_field == PXY_CTRL_SOURCE_ADDR || protocol_field == PXY_CTRL_DESTINATION_ADDR) && query_obj->ip_addr != NULL) if ((protocol_field == PXY_COMMON_SOURCE_ADDR || protocol_field == PXY_COMMON_DESTINATION_ADDR) && query_obj->ip_addr != NULL)
{ {
struct ip_address dest_ip, source_ip; struct ip_address dest_ip, source_ip;
verify_ip_addr_to_address(query_obj->ip_addr, &dest_ip, &source_ip); verify_ip_addr_to_address(query_obj->ip_addr, &dest_ip, &source_ip);
@@ -1250,6 +1250,34 @@ void subscribe_id_dup_cb(int table_id, MAAT_PLUGIN_EX_DATA* to, MAAT_PLUGIN_EX_D
return; return;
} }
int wannat_policy_init(struct verify_policy * verify, const char* profile_path)
{
int ret = -1;
g_pangu_rt->maat[PXY_TABLE_WANNAT] = create_maat_feather("static", profile_path, "MAAT", "table_info_wannat", g_pangu_rt->thread_num, g_pangu_rt->local_logger);
if (!g_pangu_rt->maat[PXY_TABLE_WANNAT])
{
goto error_out;
}
const char * table_name[__WANNAT_TABLE_MAX];
table_name[PXY_WANNAT_SOURCE_ADDR] = "TSG_SECURITY_SOURCE_ADDR";
table_name[PXY_WANNAT_DESTINATION_ADDR] = "TSG_SECURITY_DESTINATION_ADDR";
for (int i = 0; i < __WANNAT_TABLE_MAX; i++)
{
g_pangu_rt->scan_table_id[PXY_TABLE_WANNAT][i] = Maat_table_register(g_pangu_rt->maat[PXY_TABLE_WANNAT], table_name[i]);
if (g_pangu_rt->scan_table_id[PXY_TABLE_WANNAT][i] < 0)
{
mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Wannat policy maat table %s register failed.", table_name[i]);
goto error_out;
}
mesa_runtime_log(RLOG_LV_DEBUG, MODULE_NAME, "Wannat policy register maat %p, table name %s, table id %d", g_pangu_rt->maat[PXY_TABLE_WANNAT], table_name[i], g_pangu_rt->scan_table_id[PXY_TABLE_WANNAT][i]);
}
ret = 0;
error_out:
return ret;
}
int proxy_policy_init(struct verify_policy * verify, const char* profile_path) int proxy_policy_init(struct verify_policy * verify, const char* profile_path)
{ {
int ret = -1; int ret = -1;