gfwleak/tango-verify-policy
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

TSG-20642 当ip归属地的group_id为-1时,不命中任何目标对象 TSG-20660 修复当TunnelA命中策略时,未能正确上报命中的objec对象

Browse Source 
TSG-20674 修复TunnelA和TunnelB同时扫描logic导致TUNNEL_COMPILE的非存在问题
This commit is contained in:
fengweihao
2024-04-18 17:16:35 +08:00
parent c7ffcb9301
commit e3ce9f2533
3 changed files with 106 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
cmake/Package.cmake
View File

@@ -32,6 +32,7 @@ install(DIRECTORY ./resource DESTINATION ${CMAKE_INSTALL_PREFIX}/)
install(FILES script/service/verify-policy.service DESTINATION /usr/lib/systemd/system/) install(FILES script/service/verify-policy.service DESTINATION /usr/lib/systemd/system/)
install(FILES script/tmpfiles/verify_policy.conf DESTINATION /usr/lib/tmpfiles.d/) install(FILES script/tmpfiles/verify_policy.conf DESTINATION /usr/lib/tmpfiles.d/)
install(FILES script/service/service_override_memsw_limit.conf DESTINATION /usr/lib/systemd/system/verify-policy.service.d/) install(FILES script/service/service_override_memsw_limit.conf DESTINATION /usr/lib/systemd/system/verify-policy.service.d/)
install(FILES script/tarball/verify_policy_maat_stat.sh DESTINATION /opt/MESA/bin/)
# Must uninstall the debug package before install release package # Must uninstall the debug package before install release package
if(CMAKE_BUILD_TYPE STREQUAL "Debug") if(CMAKE_BUILD_TYPE STREQUAL "Debug")

74
platform/src/verify_matcher.cpp
View File

@@ -185,6 +185,10 @@ struct policy_scan_ctx
unsigned long long bool_id_array[256]; unsigned long long bool_id_array[256];
struct ip_data_ctx ip_ctx; struct ip_data_ctx ip_ctx;
/*exception handling*/
int tunnel_scan;
long long tunnel_result[2];
struct maat_state *tunnel_scan_mid; struct maat_state *tunnel_scan_mid;
}; };
@@ -1108,13 +1112,29 @@ void http_get_scan_status(struct request_query_obj *query_obj, int compile_table
if(ctx->tunnel_endpoint_x == 2) if(ctx->tunnel_endpoint_x == 2)
{ {
item = cJSON_GetObjectItem(attributeObj, "attributeName"); /*temp repair**/
if(item && item->type==cJSON_String) if (ctx->tunnel_scan ==2 && ctx->tunnel_result[0] == 1 && ctx->tunnel_result[1] == 0)
{ {
if(0 == strcasecmp(item->valuestring, "tunnel_endpointa")) item = cJSON_GetObjectItem(attributeObj, "attributeName");
if(item && item->type==cJSON_String)
{ {
cJSON_Delete(attributeObj); if(0 == strcasecmp(item->valuestring, "tunnel_endpointb"))
return; {
cJSON_Delete(attributeObj);
return;
}
}
}
else
{
item = cJSON_GetObjectItem(attributeObj, "attributeName");
if(item && item->type==cJSON_String)
{
if(0 == strcasecmp(item->valuestring, "tunnel_endpointa"))
{
cJSON_Delete(attributeObj);
return;
}
} }
} }
} }
@@ -1367,7 +1387,7 @@ int ip_addr_to_address(struct ipaddr *ip_addr, struct ip_addr *dest_ip, struct i
return 0; return 0;
} }
static int group_scan(struct policy_scan_ctx *ctx, int vsys_id, int hit_cnt, struct maat_hit_group hit_group, int table_id) static int group_scan(struct policy_scan_ctx *ctx, int vsys_id, int hit_cnt, struct maat_hit_group hit_group, int table_id, int logic)
{ {
size_t n_hit_result=0; size_t n_hit_result=0;
int scan_ret=0, hit_cnt_group=0; int scan_ret=0, hit_cnt_group=0;
@@ -1378,11 +1398,15 @@ static int group_scan(struct policy_scan_ctx *ctx, int vsys_id, int hit_cnt, str
{ {
hit_cnt_group+=n_hit_result; hit_cnt_group+=n_hit_result;
} }
scan_ret = maat_scan_not_logic(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[table_id], ctx->result+hit_cnt+hit_cnt_group,
MAX_SCAN_RESULT-hit_cnt-hit_cnt_group, &n_hit_result, ctx->scan_mid); if(logic)
if (scan_ret == MAAT_SCAN_HIT)
{ {
hit_cnt_group+=n_hit_result; scan_ret = maat_scan_not_logic(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[table_id], ctx->result+hit_cnt+hit_cnt_group,
MAX_SCAN_RESULT-hit_cnt-hit_cnt_group, &n_hit_result, ctx->scan_mid);
if (scan_ret == MAAT_SCAN_HIT)
{
hit_cnt_group+=n_hit_result;
}
} }
return hit_cnt_group; return hit_cnt_group;
} }
@@ -1440,8 +1464,12 @@ int ip_location_scan(struct policy_scan_ctx *ctx, int vsys_id, struct ip_addr *s
{ {
memset(&hit_group, 0, sizeof(hit_group)); memset(&hit_group, 0, sizeof(hit_group));
hit_group.group_id=get_group_id_by_location(ip_location_server, level); hit_group.group_id=get_group_id_by_location(ip_location_server, level);
if(hit_group.group_id <= 0)
{
continue;
}
scan_ret = group_scan(ctx, vsys_id, hit_cnt, hit_group, TSG_OBJ_IP_DST_GEO_COUNTRY+level); scan_ret = group_scan(ctx, vsys_id, hit_cnt, hit_group, TSG_OBJ_IP_DST_GEO_COUNTRY+level, 1);
if(scan_ret > 0) if(scan_ret > 0)
{ {
hit_cnt_ip+=scan_ret; hit_cnt_ip+=scan_ret;
@@ -1460,7 +1488,12 @@ int ip_location_scan(struct policy_scan_ctx *ctx, int vsys_id, struct ip_addr *s
{ {
memset(&hit_group, 0, sizeof(hit_group)); memset(&hit_group, 0, sizeof(hit_group));
hit_group.group_id=get_group_id_by_location(ip_location_client, level); hit_group.group_id=get_group_id_by_location(ip_location_client, level);
scan_ret = group_scan(ctx, vsys_id, hit_cnt, hit_group, TSG_OBJ_IP_SRC_GEO_COUNTRY+level); if(hit_group.group_id <= 0)
{
continue;
}
scan_ret = group_scan(ctx, vsys_id, hit_cnt, hit_group, TSG_OBJ_IP_SRC_GEO_COUNTRY+level, 1);
if(scan_ret > 0) if(scan_ret > 0)
{ {
hit_cnt_ip+=scan_ret; hit_cnt_ip+=scan_ret;
@@ -1712,7 +1745,7 @@ int tunnel_level_scan(struct request_query_obj *request, struct policy_scan_ctx
memset(&hit_group, 0, sizeof(hit_group)); memset(&hit_group, 0, sizeof(hit_group));
hit_group.group_id=group_level_array[request->numeric]; hit_group.group_id=group_level_array[request->numeric];
scan_ret = group_scan(ctx, vsys_id, hit_cnt, hit_group, request->table_id); scan_ret = group_scan(ctx, vsys_id, hit_cnt, hit_group, request->table_id, 1);
if(scan_ret > 0) if(scan_ret > 0)
{ {
hit_cnt_tunnel += scan_ret; hit_cnt_tunnel += scan_ret;
@@ -1763,6 +1796,7 @@ int get_tunnel_type_table_id(char *tunnel_type)
int tunnel_scan(struct request_query_obj *request, struct policy_scan_ctx *ctx, int vsys_id, int hit_cnt, struct ipaddr *ip_addr) int tunnel_scan(struct request_query_obj *request, struct policy_scan_ctx *ctx, int vsys_id, int hit_cnt, struct ipaddr *ip_addr)
{ {
int logic =1;
int i=0,hit_path_cnt=0; int i=0,hit_path_cnt=0;
int n_read=0, hit_cnt_endpoint=0; int n_read=0, hit_cnt_endpoint=0;
struct maat_hit_group hit_group; struct maat_hit_group hit_group;
@@ -1815,13 +1849,18 @@ int tunnel_scan(struct request_query_obj *request, struct policy_scan_ctx *ctx,
hit_group.group_id=result[i]; hit_group.group_id=result[i];
if(hit_group.group_id != 0) if(hit_group.group_id != 0)
{ {
scan_ret = group_scan(ctx, vsys_id, hit_cnt, hit_group, TSG_OBJ_TUNNEL); if(ctx->tunnel_endpoint_x == 2 && ctx->tunnel_scan == 0)
{
logic=0;
}
scan_ret = group_scan(ctx, vsys_id, hit_cnt, hit_group, TSG_OBJ_TUNNEL, logic);
if(scan_ret > 0) if(scan_ret > 0)
{ {
hit_cnt_tunnel+=scan_ret; hit_cnt_tunnel+=scan_ret;
} }
if(scan_ret >= MAAT_SCAN_OK) if(scan_ret >= MAAT_SCAN_OK)
{ {
ctx->tunnel_result[ctx->tunnel_scan]=1;
n_read=maat_state_get_hit_paths(ctx->scan_mid, ctx->hit_path, HIT_PATH_SIZE); n_read=maat_state_get_hit_paths(ctx->scan_mid, ctx->hit_path, HIT_PATH_SIZE);
request->merge_nth_scan[hit_path_cnt] = maat_state_get_scan_count(ctx->scan_mid); request->merge_nth_scan[hit_path_cnt] = maat_state_get_scan_count(ctx->scan_mid);
ctx->n_read=n_read; ctx->n_read=n_read;
@@ -1829,6 +1868,7 @@ int tunnel_scan(struct request_query_obj *request, struct policy_scan_ctx *ctx,
} }
} }
} }
ctx->tunnel_scan++;
request->merge_nth_scan_num = hit_path_cnt; request->merge_nth_scan_num = hit_path_cnt;
finish: finish:
return hit_cnt_tunnel; return hit_cnt_tunnel;
@@ -1848,7 +1888,7 @@ static int app_id_scan(struct request_query_obj *request, struct policy_scan_ctx
} }
memset(&hit_group, 0, sizeof(hit_group)); memset(&hit_group, 0, sizeof(hit_group));
hit_group.group_id=app_dict->group_id; hit_group.group_id=app_dict->group_id;
scan_ret = group_scan(ctx, vsys_id, hit_cnt, hit_group, request->table_id); scan_ret = group_scan(ctx, vsys_id, hit_cnt, hit_group, request->table_id, 1);
if(scan_ret > 0) if(scan_ret > 0)
{ {
hit_cnt_app_id += scan_ret; hit_cnt_app_id += scan_ret;
@@ -1964,7 +2004,7 @@ static int protocol_scan(struct request_query_obj *request, struct policy_scan_c
hit_group.group_id=get_group_id_by_protocol(request->numeric); hit_group.group_id=get_group_id_by_protocol(request->numeric);
if(hit_group.group_id != 0 && ctx->ip_protocol_num == 0) if(hit_group.group_id != 0 && ctx->ip_protocol_num == 0)
{ {
scan_ret = group_scan(ctx, vsys_id, hit_cnt, hit_group, TSG_OBJ_IP_PROTOCOL); scan_ret = group_scan(ctx, vsys_id, hit_cnt, hit_group, TSG_OBJ_IP_PROTOCOL, 1);
if(scan_ret > 0) if(scan_ret > 0)
{ {
hit_cnt_protocol+=scan_ret; hit_cnt_protocol+=scan_ret;
@@ -2072,7 +2112,7 @@ static int ssl_extension_scan(struct request_query_obj *request, struct policy_s
memset(&hit_group, 0, sizeof(hit_group)); memset(&hit_group, 0, sizeof(hit_group));
hit_group.group_id=(request->numeric == 1 ? BOOLEAN_TRUE_GROUP_ID : BOOLEAN_FLASE_GROUP_ID); hit_group.group_id=(request->numeric == 1 ? BOOLEAN_TRUE_GROUP_ID : BOOLEAN_FLASE_GROUP_ID);
scan_ret =group_scan(ctx, vsys_id, hit_cnt, hit_group, request->table_id); scan_ret =group_scan(ctx, vsys_id, hit_cnt, hit_group, request->table_id, 1);
if(scan_ret > 0) if(scan_ret > 0)
{ {
hit_cnt_ssl += scan_ret; hit_cnt_ssl += scan_ret;

47
script/tarball/verify_policy_maat_stat.sh Normal file
View File

@@ -0,0 +1,47 @@
#!/bin/bash
ARGC=$#
EXPORTER=/opt/MESA/bin/fieldstat_exporter.py
TARGET=/opt/tsg/verify-policy/log/maat_stat.db.1
case $1 in
-h|--help)
echo "$0"
echo "Usage: [exporter] [target]"
echo " exporter: path of exporter, default is $EXPORTER"
echo " target: path of target file, default is $TARGET"
exit 0
;;
esac
case $ARGC in
1)
EXPORTER=$1
;;
2)
EXPORTER=$1
TARGET=$2
;;
esac
python3 $EXPORTER local -j $TARGET -e -t '
{{
print_tables
(
"TBL",
[
"rule",
"reg/v6",
"scan_times",
"hit_times",
"scan_bytes",
"scan_cpu_time",
"hit_item_num",
"hit_pat_num",
"#Name<IN_Bps>#Ratio<scan_bytes,scan_cpu_time,100>",
"#Name<hit_rate>#Ratio<hit_times,scan_times,1>"
],
False
)
}}
'