diff --git a/ansible/roles/sapp/templates/conflist.inf.j2.j2 b/ansible/roles/sapp/templates/conflist.inf.j2.j2
index be5ba892..72a4867b 100644
--- a/ansible/roles/sapp/templates/conflist.inf.j2.j2
+++ b/ansible/roles/sapp/templates/conflist.inf.j2.j2
@@ -75,7 +75,7 @@
 {% endif %}
 ./plug/business/conn_telemetry/conn_telemetry.inf
 ./plug/business/stat_policy_enforcer/stat_policy_enforcer.inf
-{% if app.identify_by.user_defined_signature == 1 %}
+{% if app.identify_by.context_based_detector == 1 %}
 ./plug/business/app_sketch_local/app_sketch_local.inf
 {% endif %}
 {% if radius.enable == 1 %}
diff --git a/ansible/roles/traffic-engine/files/helm/conf/conflist.inf b/ansible/roles/traffic-engine/files/helm/conf/conflist.inf
index c8e73293..39b8a7ee 100644
--- a/ansible/roles/traffic-engine/files/helm/conf/conflist.inf
+++ b/ansible/roles/traffic-engine/files/helm/conf/conflist.inf
@@ -12,7 +12,7 @@
 {{- end }}
 ./plug/platform/tsg_master/tsg_master.inf
 {{- if eq .Values.appsketch.enable .Values.define_enable_val_yes }}
-{{- if eq .Values.appsketch.builtin_engine .Values.define_enable_val_yes }}
+{{- if eq .Values.appsketch.qdpi_detector .Values.define_enable_val_yes }}
 ./plug/platform/app_proto_engine/app_proto_engine.inf
 {{- end }}
 {{- end }}
@@ -75,9 +75,6 @@
 {{- if eq .Values.firewall.enable .Values.define_enable_val_yes }}
 ./plug/business/firewall/firewall.inf
 {{- end }}
-{{- if eq .Values.encrypt_traffic_identify.voice_bahavior_engine .Values.define_enable_val_yes }}
-./plug/business/tsg_vulpes/tsg_vulpes.inf
-{{- end }}
 {{- if eq .Values.sessionrecord.enable .Values.define_enable_val_yes }}
 ./plug/business/session_record/session_record.inf
 {{- end }}
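Review bot: The three context lines at the end of the third hunk still gate `./plug/business/session_record/session_record.inf` on `.Values.sessionrecord.enable`, but the values.yaml hunk in this same commit deletes the entire `sessionrecord` block, and the commit also deletes `conf/session_record.inf` and its copy step in `_config.tpl`. With the parent key gone, Helm's `eq` on `.Values.sessionrecord.enable` will most likely abort rendering with a nil-pointer error instead of silently skipping the plugin, so the chart stops installing until the two sides agree. Either remove `{{- if eq .Values.sessionrecord.enable .Values.define_enable_val_yes }}`, `./plug/business/session_record/session_record.inf` and the matching `{{- end }}` here, as was done for `tsg_vulpes` in the same hunk, or keep a `sessionrecord.enable: no` entry in values.yaml until the plugin is fully retired.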
@@ -86,7 +83,7 @@
 {{- end }}
 ./plug/business/stat_policy_enforcer/stat_policy_enforcer.inf
 {{- if eq .Values.appsketch.enable .Values.define_enable_val_yes }}
-{{- if eq .Values.appsketch.user_defined_signature .Values.define_enable_val_yes }}
+{{- if eq .Values.appsketch.context_based_detector .Values.define_enable_val_yes }}
 ./plug/business/app_sketch_local/app_sketch_local.inf
 {{- end }}
 {{- end }}
diff --git a/ansible/roles/traffic-engine/files/helm/conf/main.conf b/ansible/roles/traffic-engine/files/helm/conf/main.conf
index 51cf5989..6de17b0f 100644
--- a/ansible/roles/traffic-engine/files/helm/conf/main.conf
+++ b/ansible/roles/traffic-engine/files/helm/conf/main.conf
@@ -24,32 +24,53 @@ SASL_USERNAME="{{ .Values.external_resources.olap.kafka_brokers.sasl_username }} SASL_PASSWD="{{ .Values.external_resources.olap.kafka_brokers.sasl_password }}" BROKER_LIST="{{- include "traffic-engine.config.olap-address" (list . ",") }}" COMMON_FIELD_FILE="tsgconf/tsg_log_field.conf" -{{- if eq .Values.sessionrecord.contains_app_id.enable .Values.define_enable_val_yes }} +{{- if eq .Values.firewall.logs.contains_app_id.enable .Values.define_enable_val_yes }} SEND_APP_ID_SWITCH=1 {{- else }} SEND_APP_ID_SWITCH=0 {{- end }} -{{- if eq .Values.sessionrecord.contains_nat_linkinfo.enable .Values.define_enable_val_yes }} +{{- if eq .Values.firewall.logs.contains_nat_linkinfo.enable .Values.define_enable_val_yes }} SEND_NAT_LINKINFO_SWITCH=1 {{- else }} SEND_NAT_LINKINFO_SWITCH=0 {{- end }} SEND_INTERCEPT_LOG=1 -{{- if and (eq .Values.sessionrecord.enable .Values.define_enable_val_yes) (eq .Values.sessionrecord.interim_record.enable .Values.define_enable_val_yes) }} -SEND_INTERIM_RECORD=1 -{{- else }} -SEND_INTERIM_RECORD=0 -{{- end }} -{{- if and (eq .Values.sessionrecord.enable .Values.define_enable_val_yes) (eq .Values.sessionrecord.transaction_record.enable .Values.define_enable_val_yes) }} -SEND_TRANSCATION_RECORD=1 -{{- else }} -SEND_TRANSCATION_RECORD=0 -{{- end }} TCP_MIN_PKTS=3 TCP_MIN_BYTES=5 UDP_MIN_PKTS=3 UDP_MIN_BYTES=5 RAPIDJSON_CHUNK_CAPACITY={{ .Values.firewall.rapidjson_chunk_capacity }} +{{- if eq .Values.define_enable_val_yes .Values.transaction_record.enable_http }} +SEND_HTTP_TRANSCATION_RECORD=1 +{{- else }} +SEND_HTTP_TRANSCATION_RECORD=0 +{{- end }} +{{- if eq .Values.define_enable_val_yes .Values.transaction_record.enable_dns }} +SEND_DNS_TRANSCATION_RECORD=1 +{{- else }} +SEND_DNS_TRANSCATION_RECORD=0 +{{- end }} +{{- if eq .Values.define_enable_val_yes .Values.transaction_record.enable_mail }} +SEND_MAIL_TRANSCATION_RECORD=1 +{{- else }} +SEND_MAIL_TRANSCATION_RECORD=0 +{{- end }} +{{- if eq .Values.define_enable_val_yes 
.Values.voip_record.enable_sip }} +SEND_SIP_RECORD=1 +{{- else }} +SEND_SIP_RECORD=0 +{{- end }} +{{- if eq .Values.define_enable_val_yes .Values.voip_record.enable_rtp }} +SEND_RTP_RECORD=1 +{{- else }} +SEND_RTP_RECORD=0 +{{- end }} +{{- if eq .Values.define_enable_val_yes .Values.packet_capture.enable }} +ENFORCE_TROUBLESHOOTING_SWITCH=1 +{{- else }} +ENFORCE_TROUBLESHOOTING_SWITCH=0 +{{- end }} + [SECURITY_HITS_METRICS] CYCLE_INTERVAL_MS=1000 @@ -115,33 +136,6 @@ CYCLE=30 #TELEGRAF_IP=127.0.0.1 OUTPUT_PATH="log/firewall.status" -[SESSION_RECORD] -interim_intervals_time = {{ .Values.sessionrecord.interim_record.intervals_in_sec }} -sendlog_in_tcp_close=1 -{{- if eq .Values.sessionrecord.contains_dns_resource_record.enable .Values.define_enable_val_yes }} -send_dns_rr_switch=1 -{{- else }} -send_dns_rr_switch=0 -{{- end }} -log_level=30 -log_path="log/session_record" - -[HOS_CONF] -{{- if eq .Values.external_resources.olap.hos_servers.use .Values.define_enable_val_yes }} -hos_serverip="{{- include "traffic-engine.config.hos-address" . }}" -hos_serverport={{- include "traffic-engine.config.hos-port" . }} -hos_token="{{ .Values.external_resources.olap.hos_servers.token }}" -hos_log_level=30 -hos_timeout=20 -hos_connection_timeout=10 -hos_thread_max_store_request_num=5000 -hos_thread_max_store_size=1073741824 -hos_thread_batch_request_num=20 -hos_thread_max_connection_num=10 -hos_fd_request_cache_size=1500 -hos_fd_request_cache_count=10 -{{- end }} - [APP_SKETCH_LOCAL] LOG_LEVEL=30 LOG_PATH="log/app_sketch.log" @@ -205,10 +199,6 @@ SENDLOG_SWITCH=0 SIGNALING_ORIGIN="REDIS" {{- end }} -[CAPTURE] - -HOS_IP="{{- include "traffic-engine.config.hos-address" . }}" -HOS_PORT={{- include "traffic-engine.config.hos-port" . }} [PROTO_IDENTIFY] MAX_IDENTIFY_PACKETS=10 diff --git a/ansible/roles/traffic-engine/files/helm/conf/session_record.inf b/ansible/roles/traffic-engine/files/helm/conf/session_record.inf deleted file mode 100644 index 7cd1070c..00000000 
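Review bot: The two rewritten conditions `{{- if eq .Values.firewall.logs.contains_app_id.enable .Values.define_enable_val_yes }}` and the matching `contains_nat_linkinfo.enable` line do not agree with the values.yaml hunk in this commit, which defines `firewall.logs.contains_app_id: yes` and `contains_nat_linkinfo: yes` as plain scalars with no nested `enable:` key; evaluating `.enable` on a boolean makes the template fail to render. Drop the `.enable` segment, `{{- if eq .Values.firewall.logs.contains_app_id .Values.define_enable_val_yes }}` and `{{- if eq .Values.firewall.logs.contains_nat_linkinfo .Values.define_enable_val_yes }}`, or nest `enable:` under each key in values.yaml. The six new `SEND_*`/`ENFORCE_TROUBLESHOOTING_SWITCH` blocks also reverse the operand order to `eq .Values.define_enable_val_yes .Values.…`, unlike every other comparison in this file; keeping one order makes it easier to grep for a flag's consumer. `.Values.packet_capture.enable`, `.Values.voip_record.enable_sip` and `.Values.voip_record.enable_rtp` are not added by the values.yaml hunk shown, so confirm they are defined elsewhere in values.yaml or rendering will fail on the same nil lookup.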
--- a/ansible/roles/traffic-engine/files/helm/conf/session_record.inf
+++ /dev/null
@@ -1,109 +0,0 @@ -[PLUGINFO] -PLUGNAME=session_record -SO_PATH=./plug/business/session_record/session_record.so -INIT_FUNC=session_record_init -DESTROY_FUNC=session_record_destroy - - -[TCP] -FUNC_FLAG=ALL -FUNC_NAME=session_record_tcp_entry - -[TCP_ALL] -FUNC_FLAG=ALL -FUNC_NAME=session_record_tcpall_entry - -[UDP] -FUNC_FLAG=ALL -FUNC_NAME=session_record_udp_entry - - -{{- if eq .Values.decoders.HTTP .Values.define_enable_val_yes }} -[HTTP] -FUNC_FLAG=ALL -FUNC_NAME=session_record_http_entry -{{- end }} - - -{{- if eq .Values.decoders.SSL .Values.define_enable_val_yes }} -[SSL] -FUNC_FLAG=SSL_CLIENT_HELLO,SSL_SERVER_HELLO,SSL_APPLICATION_DATA,SSL_CERTIFICATE_DETAIL -FUNC_NAME=session_record_ssl_entry -{{- end }} - - -{{- if eq .Values.decoders.DNS .Values.define_enable_val_yes }} -[DNS] -FUNC_FLAG=ALL -FUNC_NAME=session_record_dns_entry -{{- end }} - - -{{- if eq .Values.decoders.MAIL .Values.define_enable_val_yes }} -[MAIL] -FUNC_FLAG=ALL -FUNC_NAME=session_record_mail_entry -{{- end }} - - -{{- if and (eq .Values.voip_record.enable_rtp .Values.define_enable_val_yes) (eq .Values.decoders.RTP .Values.define_enable_val_yes ) }} -[RTP] -FUNC_FLAG=ALL -FUNC_NAME=session_record_rtp_entry -{{- end }} - - -{{- if and (eq .Values.voip_record.enable_sip .Values.define_enable_val_yes) (eq .Values.decoders.SIP .Values.define_enable_val_yes ) }} -[SIP] -FUNC_FLAG=ALL -FUNC_NAME=session_record_sip_entry -{{- end }} - - -{{- if eq .Values.decoders.FTP .Values.define_enable_val_yes }} -[FTP] -FUNC_FLAG=ALL -FUNC_NAME=session_record_ftp_entry -{{- end }} - - -{{- if eq .Values.decoders.QUIC .Values.define_enable_val_yes }} -[QUIC] -FUNC_FLAG=QUIC_CLIENT_HELLO,QUIC_SERVER_HELLO,QUIC_CACHED_CERT,QUIC_COMM_CERT,QUIC_CERT_CHAIN,QUIC_VERSION,QUIC_APPLICATION_DATA -FUNC_NAME=session_record_quic_entry -{{- end }} - - -{{- if eq .Values.decoders.SSH .Values.define_enable_val_yes }} -[SSH] -FUNC_FLAG=ALL -FUNC_NAME=session_record_ssh_entry -{{- end }} - - -{{- if eq 
.Values.decoders.STRATUM .Values.define_enable_val_yes }} -[STRATUM] -FUNC_FLAG=ALL -FUNC_NAME=session_record_stratum_entry -{{- end }} - - -{{- if eq .Values.decoders.RDP .Values.define_enable_val_yes }} -[RDP] -FUNC_FLAG=ALL -FUNC_NAME=session_record_rdp_entry -{{- end }} - - -{{- if and (eq .Values.bgp_record.enable .Values.define_enable_val_yes) (eq .Values.decoders.BGP .Values.define_enable_val_yes) }} -[BGP] -FUNC_FLAG=ALL -FUNC_NAME=session_record_bgp_entry -{{- end }} - - -{{- if eq .Values.decoders.DTLS .Values.define_enable_val_yes }} -[DTLS] -FUNC_FLAG=DTLS_CLIENT_HELLO,DTLS_SERVER_HELLO,DTLS_HELLO_VERIFY_REQUEST,DTLS_CLIENT_EXTENSION -FUNC_NAME=session_record_dtls_entry -{{- end }} \ No newline at end of file diff --git a/ansible/roles/traffic-engine/files/helm/conf/spec.toml b/ansible/roles/traffic-engine/files/helm/conf/spec.toml new file mode 100644 index 00000000..87eba42c --- /dev/null +++ b/ansible/roles/traffic-engine/files/helm/conf/spec.toml 
@@ -0,0 +1,40 @@ +{{- if eq .Values.session_flags.enable .Values.define_enable_val_yes }} +[[plugin]] +path = "./stellar_plugin/session_flags/session_flags.so" +init = "session_flags_plugin_init" +exit = "session_flags_plugin_exit" +{{- end }} + +[[plugin]] +path = "./stellar_plugin/app_proto_identify.so" +init = "APP_L7_PROTOCOL_INIT" +exit = "APP_L7_PROTOCOL_DESTROY" + +[[plugin]] +path = "./plug/business/firewall/firewall.so" +init = "firewall_stellar_runtime_init" +exit = "firewall_stellar_runtime_exit" + +[[plugin]] +path = "./stellar_plugin/stat_policy_enforcer.so" +init = "statistics_init" +exit = "statistics_exit" + +[[plugin]] +path = "./stellar_plugin/sf_classifier.so" +init = "sf_classifier_init" +exit = "sf_classifier_exit" + +{{- if eq .Values.appsketch.qdpi_detector .Values.define_enable_val_yes }} +[[plugin]] +path = "./stellar_plugin/app_proto_engine/app_proto_engine.so" +init = "app_proto_engine_init" +exit = "app_proto_engine_destroy" +{{- end }} + +{{- if eq .Values.appsketch.context_based_detector .Values.define_enable_val_yes }} +[[plugin]] +path = "./stellar_plugin/app_sketch_local/app_sketch_local.so" +init = "APP_SKETCH_LOCAL_INIT" +exit = "APP_SKETCH_LOCAL_DESTROY" +{{- end }} \ No newline at end of file diff --git a/ansible/roles/traffic-engine/files/helm/templates/_config.tpl b/ansible/roles/traffic-engine/files/helm/templates/_config.tpl index 783553f0..81680af1 100644 --- a/ansible/roles/traffic-engine/files/helm/templates/_config.tpl +++ b/ansible/roles/traffic-engine/files/helm/templates/_config.tpl 
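Review bot: The first block of this new plugin manifest is gated on `.Values.session_flags.enable`, which the values.yaml hunk in this commit does not add; if that key is not defined elsewhere in values.yaml, Helm will fail to render the file rather than skip the block. Since this file enumerates every shared object the engine loads at startup, a header comment such as `# Stellar plugin load list; entries are enabled from values.yaml (rendered by Helm)` would tell a reviewer why each entry is conditional. `app_sketch_local.so` is listed here under `./stellar_plugin/app_sketch_local/`, while `_config.tpl` and `conflist.inf` in this same commit place that plugin under `./plug/business/app_sketch_local/`; worth confirming both paths exist in the image so the load does not silently fail.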
@@ -150,7 +150,6 @@ enable_breakpad_upload=0 cp /opt/tsg/config/sapp.toml /opt/tsg/sapp/etc/sapp.toml cp /opt/tsg/config/wangw.conf /opt/tsg/sapp/etc/wannat/wangw.conf cp /opt/tsg/config/wire_graft.conf /opt/tsg/sapp/etc/wire_graft/wire_graft.conf - cp /opt/tsg/config/session_record.inf /opt/tsg/sapp/plug/business/session_record/session_record.inf cp /opt/tsg/config/send_raw_pkt.conf /opt/tsg/sapp/etc/send_raw_pkt.conf cp /opt/tsg/config/tsg_device_tag.json /opt/tsg/etc/tsg_device_tag.json cp /opt/tsg/config/app_sketch_local.inf /opt/tsg/sapp/plug/business/app_sketch_local/app_sketch_local.inf @@ -160,6 +159,7 @@ enable_breakpad_upload=0 cp /opt/tsg/config/http_main.conf /opt/tsg/sapp/conf/http/http_main.conf cp /opt/tsg/config/mail.conf /opt/tsg/sapp/conf/mail/mail.conf cp /opt/tsg/config/ssl_main.conf /opt/tsg/sapp/conf/ssl/ssl_main.conf + cp /opt/tsg/config/spec.toml /opt/tsg/sapp/stellar_plugin/spec.toml {{- end -}} {{- define "traffic-engine.proxy.copy-config-to-dest" -}} diff --git a/ansible/roles/traffic-engine/files/helm/templates/sapp.yaml b/ansible/roles/traffic-engine/files/helm/templates/sapp.yaml index 2a37a13b..cd4ca693 100644 --- a/ansible/roles/traffic-engine/files/helm/templates/sapp.yaml +++ b/ansible/roles/traffic-engine/files/helm/templates/sapp.yaml @@ -8,7 +8,6 @@ data: gdev.conf: {{ tpl (.Files.Get "conf/gdev.conf") . | quote }} main.conf: {{ tpl (.Files.Get "conf/main.conf") . | quote }} maat.conf: {{ tpl (.Files.Get "conf/maat.conf") . | quote }} - session_record.inf: {{ tpl (.Files.Get "conf/session_record.inf") . | quote }} sapp.toml: {{ tpl (.Files.Get "conf/sapp.toml") . | quote }} send_raw_pkt.conf: {{ tpl (.Files.Get "conf/send_raw_pkt.conf") . | quote }} wangw.conf: {{ tpl (.Files.Get "conf/wangw.conf") . | quote }} 
@@ -20,4 +19,5 @@ data: necessary_plug_list.conf: {{ tpl (.Files.Get "conf/necessary_plug_list.conf") . | quote }} http_main.conf: {{ tpl (.Files.Get "conf/http_main.conf") . | quote }} mail.conf: {{ tpl (.Files.Get "conf/mail.conf") . | quote }} - ssl_main.conf: {{ tpl (.Files.Get "conf/ssl_main.conf") . | quote }} \ No newline at end of file + ssl_main.conf: {{ tpl (.Files.Get "conf/ssl_main.conf") . | quote }} + spec.toml: {{ tpl (.Files.Get "conf/spec.toml") . | quote }} \ No newline at end of file diff --git a/ansible/roles/traffic-engine/files/helm/values.yaml b/ansible/roles/traffic-engine/files/helm/values.yaml index fbe34c3f..e1089b90 100644 --- a/ansible/roles/traffic-engine/files/helm/values.yaml +++ b/ansible/roles/traffic-engine/files/helm/values.yaml @@ -63,28 +63,20 @@ firewall: enable: yes rapidjson_chunk_capacity: 2048 enable_smartoffload: no + logs: + contains_app_id: yes + contains_nat_linkinfo: yes + contains_dns_resource_record: yes appsketch: enable: yes - builtin_engine: yes - user_defined_signature: yes + qdpi_detector: yes + context_based_detector: yes -encrypt_traffic_identify: - voice_bahavior_engine: yes - -sessionrecord: - enable: yes - interim_record: - enable: yes - intervals_in_sec: 120 - transaction_record: - enable: yes - contains_app_id: - enable: no - contains_nat_linkinfo: - enable: no - contains_dns_resource_record: - enable: no +transaction_record: + enable_http: yes + enable_dns: yes + enable_mail: yes session_manager: tcp_session_max: 20021
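Review bot: `contains_dns_resource_record: yes` in the new `firewall.logs` block has no consumer left in the hunks shown: its only reader, `send_dns_rr_switch` in the `[SESSION_RECORD]` section of main.conf, is deleted by this commit, and the two sibling keys are read by main.conf through `.enable` sub-keys that this block does not define. If the DNS RR flag is to be wired into the firewall logger later, a comment such as `# not yet read by main.conf; reserved for firewall DNS RR logging` keeps it from reading as dead config; otherwise drop it. Note also that the replaced `sessionrecord.contains_app_id`/`contains_nat_linkinfo` defaults were `no` and the new `firewall.logs` defaults are `yes`, so deployments relying on chart defaults will start emitting app id and NAT link info in logs; that change of default deserves a line in the commit message.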