feature:temp commit refactor firewall config
@@ -75,7 +75,7 @@
|
||||
{% endif %}
|
||||
./plug/business/conn_telemetry/conn_telemetry.inf
|
||||
./plug/business/stat_policy_enforcer/stat_policy_enforcer.inf
|
||||
{% if app.identify_by.user_defined_signature == 1 %}
|
||||
{% if app.identify_by.context_based_detector == 1 %}
|
||||
./plug/business/app_sketch_local/app_sketch_local.inf
|
||||
{% endif %}
|
||||
{% if radius.enable == 1 %}
|
||||
|
||||
@@ -12,7 +12,7 @@
|
||||
{{- end }}
|
||||
./plug/platform/tsg_master/tsg_master.inf
|
||||
{{- if eq .Values.appsketch.enable .Values.define_enable_val_yes }}
|
||||
{{- if eq .Values.appsketch.builtin_engine .Values.define_enable_val_yes }}
|
||||
{{- if eq .Values.appsketch.qdpi_detector .Values.define_enable_val_yes }}
|
||||
./plug/platform/app_proto_engine/app_proto_engine.inf
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
@@ -75,9 +75,6 @@
|
||||
{{- if eq .Values.firewall.enable .Values.define_enable_val_yes }}
|
||||
./plug/business/firewall/firewall.inf
|
||||
{{- end }}
|
||||
{{- if eq .Values.encrypt_traffic_identify.voice_bahavior_engine .Values.define_enable_val_yes }}
|
||||
./plug/business/tsg_vulpes/tsg_vulpes.inf
|
||||
{{- end }}
|
||||
{{- if eq .Values.sessionrecord.enable .Values.define_enable_val_yes }}
|
||||
./plug/business/session_record/session_record.inf
|
||||
{{- end }}
|
||||
@@ -86,7 +83,7 @@
|
||||
{{- end }}
|
||||
./plug/business/stat_policy_enforcer/stat_policy_enforcer.inf
|
||||
{{- if eq .Values.appsketch.enable .Values.define_enable_val_yes }}
|
||||
{{- if eq .Values.appsketch.user_defined_signature .Values.define_enable_val_yes }}
|
||||
{{- if eq .Values.appsketch.context_based_detector .Values.define_enable_val_yes }}
|
||||
./plug/business/app_sketch_local/app_sketch_local.inf
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
@@ -24,32 +24,53 @@ SASL_USERNAME="{{ .Values.external_resources.olap.kafka_brokers.sasl_username }}
|
||||
SASL_PASSWD="{{ .Values.external_resources.olap.kafka_brokers.sasl_password }}"
|
||||
BROKER_LIST="{{- include "traffic-engine.config.olap-address" (list . ",") }}"
|
||||
COMMON_FIELD_FILE="tsgconf/tsg_log_field.conf"
|
||||
{{- if eq .Values.sessionrecord.contains_app_id.enable .Values.define_enable_val_yes }}
|
||||
{{- if eq .Values.firewall.logs.contains_app_id.enable .Values.define_enable_val_yes }}
|
||||
SEND_APP_ID_SWITCH=1
|
||||
{{- else }}
|
||||
SEND_APP_ID_SWITCH=0
|
||||
{{- end }}
|
||||
{{- if eq .Values.sessionrecord.contains_nat_linkinfo.enable .Values.define_enable_val_yes }}
|
||||
{{- if eq .Values.firewall.logs.contains_nat_linkinfo.enable .Values.define_enable_val_yes }}
|
||||
SEND_NAT_LINKINFO_SWITCH=1
|
||||
{{- else }}
|
||||
SEND_NAT_LINKINFO_SWITCH=0
|
||||
{{- end }}
|
||||
SEND_INTERCEPT_LOG=1
|
||||
{{- if and (eq .Values.sessionrecord.enable .Values.define_enable_val_yes) (eq .Values.sessionrecord.interim_record.enable .Values.define_enable_val_yes) }}
|
||||
SEND_INTERIM_RECORD=1
|
||||
{{- else }}
|
||||
SEND_INTERIM_RECORD=0
|
||||
{{- end }}
|
||||
{{- if and (eq .Values.sessionrecord.enable .Values.define_enable_val_yes) (eq .Values.sessionrecord.transaction_record.enable .Values.define_enable_val_yes) }}
|
||||
SEND_TRANSCATION_RECORD=1
|
||||
{{- else }}
|
||||
SEND_TRANSCATION_RECORD=0
|
||||
{{- end }}
|
||||
TCP_MIN_PKTS=3
|
||||
TCP_MIN_BYTES=5
|
||||
UDP_MIN_PKTS=3
|
||||
UDP_MIN_BYTES=5
|
||||
RAPIDJSON_CHUNK_CAPACITY={{ .Values.firewall.rapidjson_chunk_capacity }}
|
||||
{{- if eq .Values.define_enable_val_yes .Values.transaction_record.enable_http }}
|
||||
SEND_HTTP_TRANSCATION_RECORD=1
|
||||
{{- else }}
|
||||
SEND_HTTP_TRANSCATION_RECORD=0
|
||||
{{- end }}
|
||||
{{- if eq .Values.define_enable_val_yes .Values.transaction_record.enable_dns }}
|
||||
SEND_DNS_TRANSCATION_RECORD=1
|
||||
{{- else }}
|
||||
SEND_DNS_TRANSCATION_RECORD=0
|
||||
{{- end }}
|
||||
{{- if eq .Values.define_enable_val_yes .Values.transaction_record.enable_mail }}
|
||||
SEND_MAIL_TRANSCATION_RECORD=1
|
||||
{{- else }}
|
||||
SEND_MAIL_TRANSCATION_RECORD=0
|
||||
{{- end }}
|
||||
{{- if eq .Values.define_enable_val_yes .Values.voip_record.enable_sip }}
|
||||
SEND_SIP_RECORD=1
|
||||
{{- else }}
|
||||
SEND_SIP_RECORD=0
|
||||
{{- end }}
|
||||
{{- if eq .Values.define_enable_val_yes .Values.voip_record.enable_rtp }}
|
||||
SEND_RTP_RECORD=1
|
||||
{{- else }}
|
||||
SEND_RTP_RECORD=0
|
||||
{{- end }}
|
||||
{{- if eq .Values.define_enable_val_yes .Values.packet_capture.enable }}
|
||||
ENFORCE_TROUBLESHOOTING_SWITCH=1
|
||||
{{- else }}
|
||||
ENFORCE_TROUBLESHOOTING_SWITCH=0
|
||||
{{- end }}
|
||||
|
||||
|
||||
[SECURITY_HITS_METRICS]
|
||||
CYCLE_INTERVAL_MS=1000
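Review bot: The new `.Values.firewall.logs.contains_app_id.enable` and `.Values.firewall.logs.contains_nat_linkinfo.enable` lookups (the lines paired with the old `sessionrecord.*` ones near the top of this hunk) do not match the values.yaml hunk at the end of this commit, where `firewall.logs.contains_app_id: yes` is a plain scalar with no `enable` key beneath it; if both are the new side, Helm will abort rendering this file with "can't evaluate field enable" because the value is a bool, not a map. Either nest the values (`contains_app_id:` / `  enable: yes`) or drop the trailing `.enable` here, e.g. `{{- if eq .Values.firewall.logs.contains_app_id .Values.define_enable_val_yes }}`, and do the same for `contains_nat_linkinfo`. Separately, `SASL_PASSWD="{{ .Values.external_resources.olap.kafka_brokers.sasl_password }}"` at the start of the hunk bakes a broker credential into a rendered config file that the configmap hunk below appears to ship as ConfigMap data; a credential like that belongs in a Secret (mounted as a file or env reference) rather than in a ConfigMap readable by any principal with ConfigMap read access in the namespace. The section these keys belong to starts before the hunk.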
|
||||
@@ -115,33 +136,6 @@ CYCLE=30
|
||||
#TELEGRAF_IP=127.0.0.1
|
||||
OUTPUT_PATH="log/firewall.status"
|
||||
|
||||
[SESSION_RECORD]
|
||||
interim_intervals_time = {{ .Values.sessionrecord.interim_record.intervals_in_sec }}
|
||||
sendlog_in_tcp_close=1
|
||||
{{- if eq .Values.sessionrecord.contains_dns_resource_record.enable .Values.define_enable_val_yes }}
|
||||
send_dns_rr_switch=1
|
||||
{{- else }}
|
||||
send_dns_rr_switch=0
|
||||
{{- end }}
|
||||
log_level=30
|
||||
log_path="log/session_record"
|
||||
|
||||
[HOS_CONF]
|
||||
{{- if eq .Values.external_resources.olap.hos_servers.use .Values.define_enable_val_yes }}
|
||||
hos_serverip="{{- include "traffic-engine.config.hos-address" . }}"
|
||||
hos_serverport={{- include "traffic-engine.config.hos-port" . }}
|
||||
hos_token="{{ .Values.external_resources.olap.hos_servers.token }}"
|
||||
hos_log_level=30
|
||||
hos_timeout=20
|
||||
hos_connection_timeout=10
|
||||
hos_thread_max_store_request_num=5000
|
||||
hos_thread_max_store_size=1073741824
|
||||
hos_thread_batch_request_num=20
|
||||
hos_thread_max_connection_num=10
|
||||
hos_fd_request_cache_size=1500
|
||||
hos_fd_request_cache_count=10
|
||||
{{- end }}
|
||||
|
||||
[APP_SKETCH_LOCAL]
|
||||
LOG_LEVEL=30
|
||||
LOG_PATH="log/app_sketch.log"
|
||||
@@ -205,10 +199,6 @@ SENDLOG_SWITCH=0
|
||||
SIGNALING_ORIGIN="REDIS"
|
||||
{{- end }}
|
||||
|
||||
[CAPTURE]
|
||||
|
||||
HOS_IP="{{- include "traffic-engine.config.hos-address" . }}"
|
||||
HOS_PORT={{- include "traffic-engine.config.hos-port" . }}
|
||||
|
||||
[PROTO_IDENTIFY]
|
||||
MAX_IDENTIFY_PACKETS=10
|
||||
|
||||
@@ -1,109 +0,0 @@
|
||||
[PLUGINFO]
|
||||
PLUGNAME=session_record
|
||||
SO_PATH=./plug/business/session_record/session_record.so
|
||||
INIT_FUNC=session_record_init
|
||||
DESTROY_FUNC=session_record_destroy
|
||||
|
||||
|
||||
[TCP]
|
||||
FUNC_FLAG=ALL
|
||||
FUNC_NAME=session_record_tcp_entry
|
||||
|
||||
[TCP_ALL]
|
||||
FUNC_FLAG=ALL
|
||||
FUNC_NAME=session_record_tcpall_entry
|
||||
|
||||
[UDP]
|
||||
FUNC_FLAG=ALL
|
||||
FUNC_NAME=session_record_udp_entry
|
||||
|
||||
|
||||
{{- if eq .Values.decoders.HTTP .Values.define_enable_val_yes }}
|
||||
[HTTP]
|
||||
FUNC_FLAG=ALL
|
||||
FUNC_NAME=session_record_http_entry
|
||||
{{- end }}
|
||||
|
||||
|
||||
{{- if eq .Values.decoders.SSL .Values.define_enable_val_yes }}
|
||||
[SSL]
|
||||
FUNC_FLAG=SSL_CLIENT_HELLO,SSL_SERVER_HELLO,SSL_APPLICATION_DATA,SSL_CERTIFICATE_DETAIL
|
||||
FUNC_NAME=session_record_ssl_entry
|
||||
{{- end }}
|
||||
|
||||
|
||||
{{- if eq .Values.decoders.DNS .Values.define_enable_val_yes }}
|
||||
[DNS]
|
||||
FUNC_FLAG=ALL
|
||||
FUNC_NAME=session_record_dns_entry
|
||||
{{- end }}
|
||||
|
||||
|
||||
{{- if eq .Values.decoders.MAIL .Values.define_enable_val_yes }}
|
||||
[MAIL]
|
||||
FUNC_FLAG=ALL
|
||||
FUNC_NAME=session_record_mail_entry
|
||||
{{- end }}
|
||||
|
||||
|
||||
{{- if and (eq .Values.voip_record.enable_rtp .Values.define_enable_val_yes) (eq .Values.decoders.RTP .Values.define_enable_val_yes ) }}
|
||||
[RTP]
|
||||
FUNC_FLAG=ALL
|
||||
FUNC_NAME=session_record_rtp_entry
|
||||
{{- end }}
|
||||
|
||||
|
||||
{{- if and (eq .Values.voip_record.enable_sip .Values.define_enable_val_yes) (eq .Values.decoders.SIP .Values.define_enable_val_yes ) }}
|
||||
[SIP]
|
||||
FUNC_FLAG=ALL
|
||||
FUNC_NAME=session_record_sip_entry
|
||||
{{- end }}
|
||||
|
||||
|
||||
{{- if eq .Values.decoders.FTP .Values.define_enable_val_yes }}
|
||||
[FTP]
|
||||
FUNC_FLAG=ALL
|
||||
FUNC_NAME=session_record_ftp_entry
|
||||
{{- end }}
|
||||
|
||||
|
||||
{{- if eq .Values.decoders.QUIC .Values.define_enable_val_yes }}
|
||||
[QUIC]
|
||||
FUNC_FLAG=QUIC_CLIENT_HELLO,QUIC_SERVER_HELLO,QUIC_CACHED_CERT,QUIC_COMM_CERT,QUIC_CERT_CHAIN,QUIC_VERSION,QUIC_APPLICATION_DATA
|
||||
FUNC_NAME=session_record_quic_entry
|
||||
{{- end }}
|
||||
|
||||
|
||||
{{- if eq .Values.decoders.SSH .Values.define_enable_val_yes }}
|
||||
[SSH]
|
||||
FUNC_FLAG=ALL
|
||||
FUNC_NAME=session_record_ssh_entry
|
||||
{{- end }}
|
||||
|
||||
|
||||
{{- if eq .Values.decoders.STRATUM .Values.define_enable_val_yes }}
|
||||
[STRATUM]
|
||||
FUNC_FLAG=ALL
|
||||
FUNC_NAME=session_record_stratum_entry
|
||||
{{- end }}
|
||||
|
||||
|
||||
{{- if eq .Values.decoders.RDP .Values.define_enable_val_yes }}
|
||||
[RDP]
|
||||
FUNC_FLAG=ALL
|
||||
FUNC_NAME=session_record_rdp_entry
|
||||
{{- end }}
|
||||
|
||||
|
||||
{{- if and (eq .Values.bgp_record.enable .Values.define_enable_val_yes) (eq .Values.decoders.BGP .Values.define_enable_val_yes) }}
|
||||
[BGP]
|
||||
FUNC_FLAG=ALL
|
||||
FUNC_NAME=session_record_bgp_entry
|
||||
{{- end }}
|
||||
|
||||
|
||||
{{- if eq .Values.decoders.DTLS .Values.define_enable_val_yes }}
|
||||
[DTLS]
|
||||
FUNC_FLAG=DTLS_CLIENT_HELLO,DTLS_SERVER_HELLO,DTLS_HELLO_VERIFY_REQUEST,DTLS_CLIENT_EXTENSION
|
||||
FUNC_NAME=session_record_dtls_entry
|
||||
{{- end }}
|
||||
40
ansible/roles/traffic-engine/files/helm/conf/spec.toml
Normal file
40
ansible/roles/traffic-engine/files/helm/conf/spec.toml
Normal file
@@ -0,0 +1,40 @@
|
||||
{{- if eq .Values.session_flags.enable .Values.define_enable_val_yes }}
|
||||
[[plugin]]
|
||||
path = "./stellar_plugin/session_flags/session_flags.so"
|
||||
init = "session_flags_plugin_init"
|
||||
exit = "session_flags_plugin_exit"
|
||||
{{- end }}
|
||||
|
||||
[[plugin]]
|
||||
path = "./stellar_plugin/app_proto_identify.so"
|
||||
init = "APP_L7_PROTOCOL_INIT"
|
||||
exit = "APP_L7_PROTOCOL_DESTROY"
|
||||
|
||||
[[plugin]]
|
||||
path = "./plug/business/firewall/firewall.so"
|
||||
init = "firewall_stellar_runtime_init"
|
||||
exit = "firewall_stellar_runtime_exit"
|
||||
|
||||
[[plugin]]
|
||||
path = "./stellar_plugin/stat_policy_enforcer.so"
|
||||
init = "statistics_init"
|
||||
exit = "statistics_exit"
|
||||
|
||||
[[plugin]]
|
||||
path = "./stellar_plugin/sf_classifier.so"
|
||||
init = "sf_classifier_init"
|
||||
exit = "sf_classifier_exit"
|
||||
|
||||
{{- if eq .Values.appsketch.qdpi_detector .Values.define_enable_val_yes }}
|
||||
[[plugin]]
|
||||
path = "./stellar_plugin/app_proto_engine/app_proto_engine.so"
|
||||
init = "app_proto_engine_init"
|
||||
exit = "app_proto_engine_destroy"
|
||||
{{- end }}
|
||||
|
||||
{{- if eq .Values.appsketch.context_based_detector .Values.define_enable_val_yes }}
|
||||
[[plugin]]
|
||||
path = "./stellar_plugin/app_sketch_local/app_sketch_local.so"
|
||||
init = "APP_SKETCH_LOCAL_INIT"
|
||||
exit = "APP_SKETCH_LOCAL_DESTROY"
|
||||
{{- end }}
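Review bot: The plugin gates in this new file are looser than the ones the same commit keeps in necessary_plug_list.conf: `app_proto_engine.so` is loaded on `appsketch.qdpi_detector` alone and `app_sketch_local.so` on `appsketch.context_based_detector` alone, whereas the matching `.inf` entries in the hunks above remain nested under `eq .Values.appsketch.enable .Values.define_enable_val_yes`, so a deployment that sets `appsketch.enable: no` would still load both shared objects here. Suggested gates: `{{- if and (eq .Values.appsketch.enable .Values.define_enable_val_yes) (eq .Values.appsketch.qdpi_detector .Values.define_enable_val_yes) }}` and `{{- if and (eq .Values.appsketch.enable .Values.define_enable_val_yes) (eq .Values.appsketch.context_based_detector .Values.define_enable_val_yes) }}`. `firewall.so` is listed unconditionally, while firewall.inf is wrapped in a `firewall.enable` check on at least the old side of the `@@ -75,9 +75,6 @@` hunk above; if that check survives on the new side the two plugin lists disagree in the same way. A short header comment saying that this file is a Helm template consumed by the stellar plugin loader and that every `path` is resolved relative to the process working directory would also help, since the `./` prefix silently depends on where the binary is started.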
|
||||
@@ -150,7 +150,6 @@ enable_breakpad_upload=0
|
||||
cp /opt/tsg/config/sapp.toml /opt/tsg/sapp/etc/sapp.toml
|
||||
cp /opt/tsg/config/wangw.conf /opt/tsg/sapp/etc/wannat/wangw.conf
|
||||
cp /opt/tsg/config/wire_graft.conf /opt/tsg/sapp/etc/wire_graft/wire_graft.conf
|
||||
cp /opt/tsg/config/session_record.inf /opt/tsg/sapp/plug/business/session_record/session_record.inf
|
||||
cp /opt/tsg/config/send_raw_pkt.conf /opt/tsg/sapp/etc/send_raw_pkt.conf
|
||||
cp /opt/tsg/config/tsg_device_tag.json /opt/tsg/etc/tsg_device_tag.json
|
||||
cp /opt/tsg/config/app_sketch_local.inf /opt/tsg/sapp/plug/business/app_sketch_local/app_sketch_local.inf
|
||||
@@ -160,6 +159,7 @@ enable_breakpad_upload=0
|
||||
cp /opt/tsg/config/http_main.conf /opt/tsg/sapp/conf/http/http_main.conf
|
||||
cp /opt/tsg/config/mail.conf /opt/tsg/sapp/conf/mail/mail.conf
|
||||
cp /opt/tsg/config/ssl_main.conf /opt/tsg/sapp/conf/ssl/ssl_main.conf
|
||||
cp /opt/tsg/config/spec.toml /opt/tsg/sapp/stellar_plugin/spec.toml
|
||||
{{- end -}}
|
||||
|
||||
{{- define "traffic-engine.proxy.copy-config-to-dest" -}}
|
||||
|
||||
@@ -8,7 +8,6 @@ data:
|
||||
gdev.conf: {{ tpl (.Files.Get "conf/gdev.conf") . | quote }}
|
||||
main.conf: {{ tpl (.Files.Get "conf/main.conf") . | quote }}
|
||||
maat.conf: {{ tpl (.Files.Get "conf/maat.conf") . | quote }}
|
||||
session_record.inf: {{ tpl (.Files.Get "conf/session_record.inf") . | quote }}
|
||||
sapp.toml: {{ tpl (.Files.Get "conf/sapp.toml") . | quote }}
|
||||
send_raw_pkt.conf: {{ tpl (.Files.Get "conf/send_raw_pkt.conf") . | quote }}
|
||||
wangw.conf: {{ tpl (.Files.Get "conf/wangw.conf") . | quote }}
|
||||
@@ -20,4 +19,5 @@ data:
|
||||
necessary_plug_list.conf: {{ tpl (.Files.Get "conf/necessary_plug_list.conf") . | quote }}
|
||||
http_main.conf: {{ tpl (.Files.Get "conf/http_main.conf") . | quote }}
|
||||
mail.conf: {{ tpl (.Files.Get "conf/mail.conf") . | quote }}
|
||||
ssl_main.conf: {{ tpl (.Files.Get "conf/ssl_main.conf") . | quote }}
|
||||
ssl_main.conf: {{ tpl (.Files.Get "conf/ssl_main.conf") . | quote }}
|
||||
spec.toml: {{ tpl (.Files.Get "conf/spec.toml") . | quote }}
|
||||
@@ -63,28 +63,20 @@ firewall:
|
||||
enable: yes
|
||||
rapidjson_chunk_capacity: 2048
|
||||
enable_smartoffload: no
|
||||
logs:
|
||||
contains_app_id: yes
|
||||
contains_nat_linkinfo: yes
|
||||
contains_dns_resource_record: yes
|
||||
|
||||
appsketch:
|
||||
enable: yes
|
||||
builtin_engine: yes
|
||||
user_defined_signature: yes
|
||||
qdpi_detector: yes
|
||||
context_based_detector: yes
|
||||
|
||||
encrypt_traffic_identify:
|
||||
voice_bahavior_engine: yes
|
||||
|
||||
sessionrecord:
|
||||
enable: yes
|
||||
interim_record:
|
||||
enable: yes
|
||||
intervals_in_sec: 120
|
||||
transaction_record:
|
||||
enable: yes
|
||||
contains_app_id:
|
||||
enable: no
|
||||
contains_nat_linkinfo:
|
||||
enable: no
|
||||
contains_dns_resource_record:
|
||||
enable: no
|
||||
transaction_record:
|
||||
enable_http: yes
|
||||
enable_dns: yes
|
||||
enable_mail: yes
|
||||
|
||||
session_manager:
|
||||
tcp_session_max: 20021
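Review bot: The three new `firewall.logs.*` keys are written as bare scalars (`contains_app_id: yes`), but every other toggle in this file is a map with an `enable` key (`interim_record:` / `enable: yes`), and the firewall.inf template in this commit reads them as `.Values.firewall.logs.contains_app_id.enable`. Keeping the file's convention — `contains_app_id:` with `  enable: yes` beneath it, and likewise for `contains_nat_linkinfo` and `contains_dns_resource_record` — is also what the template expects, so one side must change before the chart renders. `contains_dns_resource_record: yes` has no visible consumer once the `[SESSION_RECORD]` block in firewall.inf is removed; confirm something still reads it under the new `firewall.logs` path or leave the key out. The `firewall:` map starts before the hunk.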
|
||||
|
||||