From 36dafd426749cc11cd0e8e41daabc15dfaa0616f Mon Sep 17 00:00:00 2001 From: liuxueli Date: Wed, 10 May 2023 11:13:02 +0800 Subject: TSG-14961: SAPP接收的控制报文(TFE/SCE/SHAPER的LOG_UPDATE),规避检查是否为重复流量及校验IP报文长度的逻辑 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- src/dealpkt/deal_ipv4.c | 10 +++++++--- src/dealpkt/deal_tcp.c | 11 ++++++----- src/dealpkt/deal_udp.c | 11 ++++++----- src/packet_io/packet_io_hook.c | 32 ++++++++++++++++---------------- src/packet_io/sendpacket.c | 5 +++++ 5 files changed, 40 insertions(+), 29 deletions(-) diff --git a/src/dealpkt/deal_ipv4.c b/src/dealpkt/deal_ipv4.c index 65f2c7b..7b3e8b1 100644 --- a/src/dealpkt/deal_ipv4.c +++ b/src/dealpkt/deal_ipv4.c @@ -934,9 +934,13 @@ static inline int checkipv4pkt(const struct mesa_ip4_hdr * iph, const raw_pkt_t || (pkt_declare_len > pkt_actual_len) || (iph->ip_hl < 5) || (iph->ip_v != 4) - || (pkt_declare_len < iph->ip_hl << 2)){ - sapp_runtime_log(RLOG_LV_DEBUG, "ipv4 packet check error: pkt length, hdr len, or version error, pkt_declare_len:%d, pkt_actual_len:%d", pkt_declare_len, pkt_actual_len); - return -1; + || (pkt_declare_len < iph->ip_hl << 2)){ + + if(raw_pkt->is_ctrl_pkt==0) + { + sapp_runtime_log(RLOG_LV_DEBUG, "ipv4 packet check error: pkt length, hdr len, or version error, pkt_declare_len:%d, pkt_actual_len:%d", pkt_declare_len, pkt_actual_len); + return -1; + } } #if 0 diff --git a/src/dealpkt/deal_tcp.c b/src/dealpkt/deal_tcp.c index 6dcca56..cf4c112 100644 --- a/src/dealpkt/deal_tcp.c +++ b/src/dealpkt/deal_tcp.c 
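Review bot: In checkipv4pkt the new `if(raw_pkt->is_ctrl_pkt==0)` wraps the whole failure branch, so a control packet now also passes with `iph->ip_hl < 5`, `iph->ip_v != 4`, or a declared length below the header length, not only with the length mismatch the subject describes. Later header and payload parsing would then run on a header that was never validated, which is an out-of-bounds read risk if `is_ctrl_pkt` can ever be set on data from an untrusted sender (where the flag is assigned is not visible in this diff). If the declared-versus-actual comparison is the only test control packets legitimately fail, scope the exemption to that term, e.g. `|| (raw_pkt->is_ctrl_pkt == 0 && pkt_declare_len > pkt_actual_len)`, and keep the log and `return -1;` unconditional. The condition list starts above the hunk, so the earlier terms need the same review.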
@@ -2923,11 +2923,12 @@ static int deal_tcp_stream(struct streamindex *pindex, const void *this_iphdr, s 1)˴, شʶظĻ, sappֱPASS, ʵǸʵͨ˫, ûоtfe, ܾͶ. 2)firewalldrop, һdropɹ, Ӧòش, شʶظĻ, sappֱPASS, CT. */ - if(deal_tcp_stream_dup_pkt_check(pstream->threadnum, pstream_pr, pdetail_pr, (const struct mesa_ip4_hdr *)this_iphdr, this_tcphdr) != 0){ - local_sys_stat->count[SAPP_STAT_RCV_DUP_TCP]++; - local_sys_stat->length[SAPP_STAT_RCV_DUP_TCP] += tcplen; - cycle_pkt_dump_by_classify(pstream->threadnum, raw_pkt, PKT_CLASSIFY_REPEAT); - return PASS; + if(raw_pkt->is_ctrl_pkt==0 && + deal_tcp_stream_dup_pkt_check(pstream->threadnum, pstream_pr, pdetail_pr, (const struct mesa_ip4_hdr *)this_iphdr, this_tcphdr) != 0){ + local_sys_stat->count[SAPP_STAT_RCV_DUP_TCP]++; + local_sys_stat->length[SAPP_STAT_RCV_DUP_TCP] += tcplen; + cycle_pkt_dump_by_classify(pstream->threadnum, raw_pkt, PKT_CLASSIFY_REPEAT); + return PASS; } if(unlikely(pdetail_pr->drop_stream_flag != 0)){ diff --git a/src/dealpkt/deal_udp.c b/src/dealpkt/deal_udp.c index 42b620b..95ba2f5 100644 --- a/src/dealpkt/deal_udp.c +++ b/src/dealpkt/deal_udp.c @@ -647,11 +647,12 @@ int dealipv4udppkt(struct streamindex *pindex, const struct mesa_ip4_hdr * this_ return PASS; } - if(dealipv4udppkt_dup_check(pstream->threadnum, pstream_pr, pdetail_pr, is_overlay_udp_layer, this_iphdr, udph) != 0){ - local_sys_stat->count[SAPP_STAT_RCV_DUP_UDP]++; - local_sys_stat->length[SAPP_STAT_RCV_DUP_UDP] += ulen; - cycle_pkt_dump_by_classify(pstream->threadnum, raw_pkt, PKT_CLASSIFY_REPEAT); - return PASS; + if(raw_pkt->is_ctrl_pkt==0 && + dealipv4udppkt_dup_check(pstream->threadnum, pstream_pr, pdetail_pr, is_overlay_udp_layer, this_iphdr, udph) != 0){ + local_sys_stat->count[SAPP_STAT_RCV_DUP_UDP]++; + local_sys_stat->length[SAPP_STAT_RCV_DUP_UDP] += ulen; + cycle_pkt_dump_by_classify(pstream->threadnum, raw_pkt, PKT_CLASSIFY_REPEAT); + return PASS; } /* 2014-11-15 lijia add, for udp serial kill udp */ 
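Review bot: Skipping `deal_tcp_stream_dup_pkt_check` when `is_ctrl_pkt` is set in deal_tcp_stream means a repeated control message is handled again by everything after this point, and the deal_udp.c hunk does the same for `dealipv4udppkt_dup_check`. Whether that is safe depends on how `is_ctrl_pkt` is assigned and on the LOG_UPDATE consumers tolerating repeats, neither of which is visible here, so confirm the flag is only set for traffic arriving on the trusted TFE/SCE/SHAPER path. Both conditions also need a comment giving the reason, for example `/* TSG-14961: control packets are exempt from duplicate detection */`, because the existing comment above the TCP check only explains the PASS case. Both functions continue outside their hunks.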
diff --git a/src/packet_io/packet_io_hook.c b/src/packet_io/packet_io_hook.c index d1b5777..f8d63e5 100644 --- a/src/packet_io/packet_io_hook.c +++ b/src/packet_io/packet_io_hook.c @@ -5,12 +5,12 @@ /* 2020-09-28 add: - 传统意义上的packet_io, 一般不会修改原始包内容的, 原样收、原样转发, + ͳϵpacket_io, һ㲻޸ԭʼݵ, ԭաԭת, - 但是在inline串联模式下, 如vxlan等, 需要对收到的包进行翻转, 如底层mac, 底层ip等. - 或者某些地址参数根本不在原始包里呈现, 要通过一些tes接口设置转发参数, 如A设备获取vlan、设置转发vlan, 等等, + inlineģʽ, vxlan, Ҫյİзת, ײmac, ײip. + ijЩַԭʼ, ҪͨһЩtesӿת, A豸ȡvlanתvlan, ȵ, - 原来都由mrtunnat完成, 对sapp透明, mrtunnat被取代后, 新增此层, 用于完成上述功能. + ԭmrtunnat, sapp͸, mrtunnatȡ, ˲, . */ #ifdef __cplusplus @@ -60,12 +60,12 @@ static int packet_io_hook_output_vlan_flipping(raw_pkt_t *raw_pkt, unsigned char } if(raw_pkt->route_dir == route_dir){ - /* 原始包同向发送, 需要设置发送vlan为couple vlan id */ + /* ԭʼͬ, Ҫ÷vlanΪcouple vlan id */ marsio_set_vlan_id_to_mbuff((void *)io_lib_pkt_reference, raw_pkt->vlan_flipping_couple[1]); sapp_runtime_log(RLOG_LV_DEBUG, "%s: input_vlan_id:%u, output_vlan_id:%u, mac_flapping:%d", action, raw_pkt->vlan_flipping_couple[0], raw_pkt->vlan_flipping_couple[1], raw_pkt->mac_flipping_enable); }else{ - /* 反向注入, 需要设置发送vlan为收包时的vlan id */ + /* ע, Ҫ÷vlanΪհʱvlan id */ marsio_set_vlan_id_to_mbuff((void *)io_lib_pkt_reference, raw_pkt->vlan_flipping_couple[0]); sapp_runtime_log(RLOG_LV_DEBUG, "%s: input_vlan_id:%u, output_vlan_id:%u, mac_flapping:%d", action, raw_pkt->vlan_flipping_couple[0], raw_pkt->vlan_flipping_couple[0], raw_pkt->mac_flipping_enable); 
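Review bot: Every changed line in packet_io_hook.c, in this hunk and in the later ones at -60, -81, -97, -107, -126, -140, -156 and -217, replaces a readable UTF-8 comment with text that no longer decodes, while the code itself is untouched. This looks like the file was re-saved in a different encoding, although the patch header declares `charset=UTF-8`; it may also be partly an artefact of how the page renders. The affected comments include the warning in packet_io_hook_output_vxlan that `raw_pkt->raw_pkt_data` and `raw_pkt_data` are the same address on forward, which is worth keeping legible. Drop this file from the commit or re-save it as UTF-8, so that the behavioural change in the other four files is not buried in unrelated churn.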
@@ -81,13 +81,13 @@ static int packet_io_hook_output_vxlan(raw_pkt_t *raw_pkt, void *raw_pkt_data, u struct mesa_ethernet_hdr *send_ethh = (struct mesa_ethernet_hdr *)(raw_pkt_data); const struct mesa_ip4_hdr *raw_ip4h = (struct mesa_ip4_hdr *)((char *)raw_pkt->raw_pkt_data + sizeof(struct mesa_ethernet_hdr)); struct mesa_ip4_hdr *send_ip4h = (struct mesa_ip4_hdr *)((char *)raw_pkt_data + sizeof(struct mesa_ethernet_hdr)); - /* vxlan udp层不用翻转, checksum设为0即可 */ + /* vxlan udp㲻÷ת, checksumΪ0 */ struct mesa_udp_hdr *send_outer_udp_hdr = (struct mesa_udp_hdr *)((char *)raw_pkt_data + sizeof(struct mesa_ethernet_hdr)+sizeof(struct mesa_ip4_hdr)); const inline_vxlan_hdr_t *raw_vxlan_hdr = (inline_vxlan_hdr_t *)((char *)raw_pkt->raw_pkt_data + sizeof(struct mesa_ethernet_hdr) + sizeof(struct mesa_ip4_hdr) + sizeof(struct mesa_udp_hdr)); inline_vxlan_hdr_t *send_vxlan_hdr = (inline_vxlan_hdr_t *)((char *)raw_pkt_data + sizeof(struct mesa_ethernet_hdr) + sizeof(struct mesa_ip4_hdr) + sizeof(struct mesa_udp_hdr)); unsigned char tmp_mac_addr[ETH_ALEN]; unsigned int tmp_ip_addr; - /* 注意, 在forward时,raw_pkt->raw_pkt_data和raw_pkt_data实际上是一个地址, 需要暂存一下,不能直接像下面这样copy: */ + /* ע, forwardʱ,raw_pkt->raw_pkt_dataraw_pkt_dataʵһַ, Ҫݴһ,ֱcopy: */ #if 0 memcpy((void *)send_ethh->ether_shost, raw_ethh->ether_dhost, ETH_ALEN); memcpy((void *)send_ethh->ether_dhost, raw_ethh->ether_shost, ETH_ALEN); @@ -97,7 +97,7 @@ static int packet_io_hook_output_vxlan(raw_pkt_t *raw_pkt, void *raw_pkt_data, u memcpy((void *)send_ethh->ether_dhost, tmp_mac_addr, ETH_ALEN); #endif - /* 注意, 在forward时,raw_pkt->raw_pkt_data和raw_pkt_data实际上是一个地址, 需要暂存一下,不能直接像下面这样copy: */ + /* ע, forwardʱ,raw_pkt->raw_pkt_dataraw_pkt_dataʵһַ, Ҫݴһ,ֱcopy: */ #if 0 send_ip4h->ip_src.s_addr = raw_ip4h->ip_dst.s_addr; send_ip4h->ip_dst.s_addr = raw_ip4h->ip_src.s_addr; 
@@ -107,7 +107,7 @@ static int packet_io_hook_output_vxlan(raw_pkt_t *raw_pkt, void *raw_pkt_data, u send_ip4h->ip_dst.s_addr = tmp_ip_addr; #endif - /* keepalive icmp应答不是udp协议, 是g_dev_plug插件直接注入原始包, 是个特例, 此处要判断一下 */ + /* keepalive icmpӦudpЭ, g_dev_plugֱעԭʼ, Ǹ, ˴Ҫжһ */ if(IPPROTO_UDP == raw_ip4h->ip_p){ send_outer_udp_hdr->uh_sum = 0; //send_vxlan_hdr->dir = route_dir; //20220415 liuxueli for TSG-10227 @@ -126,10 +126,10 @@ static int packet_io_hook_update_vlan_couple(raw_pkt_t *raw_pkt, unsigned short raw_pkt->mac_flipping_enable = vlan_map[vlan_id].mac_flipping_enable; if('C' == vlan_map[vlan_id].this_vlan_route_location){ - /* 数据包来自C路由器端, 即C2I(I2E)方向, 根据inbound_route_dir的值, 更新当前包route_dir的值 */ + /* ݰC·, C2I(I2E), inbound_route_dirֵ, µǰroute_dirֵ */ raw_pkt->route_dir = sapp_global_val->config.packet_io.inbound_route_dir ^ 1; }else{ - /* 数据包来自I路由器端, 即I2C(E2I)方向, 根据inbound_route_dir的值, 更新当前包route_dir的值 */ + /* ݰI·, I2C(E2I), inbound_route_dirֵ, µǰroute_dirֵ */ raw_pkt->route_dir = sapp_global_val->config.packet_io.inbound_route_dir; } @@ -140,7 +140,7 @@ static int packet_io_hook_update_vlan_couple(raw_pkt_t *raw_pkt, unsigned short } /* - 如果从metadata里获取不到, 从原始包里解析vlan头部获取. + metadataȡ, ԭʼvlanͷȡ. */ static unsigned short get_vlan_id_from_rawpkt(raw_pkt_t *raw_pkt) { 
@@ -156,13 +156,13 @@ static int packet_io_hook_input_vlan_flipping(raw_pkt_t *raw_pkt, unsigned char int ret = 0; vlan_id = marsio_get_vlan_id_from_mbuff((void *)raw_pkt->io_lib_pkt_reference); - if((vlan_id > 1) && (vlan_map[vlan_id].couple_vlan_id > 1)){ /* vlan_id 不在vlan flipping表中, 不算作overlay packet */ + if((vlan_id > 1) && (vlan_map[vlan_id].couple_vlan_id > 1)){ /* vlan_id vlan flipping, overlay packet */ packet_io_hook_update_vlan_couple(raw_pkt, vlan_id); ret= 0; raw_pkt->overlay_layer_bytes = 0; }else{ vlan_id = get_vlan_id_from_rawpkt(raw_pkt); - if((vlan_id > 1) && (vlan_map[vlan_id].couple_vlan_id > 1)){ /* vlan_id 不在vlan flipping表中, 不算作overlay packet */ + if((vlan_id > 1) && (vlan_map[vlan_id].couple_vlan_id > 1)){ /* vlan_id vlan flipping, overlay packet */ packet_io_hook_update_vlan_couple(raw_pkt, vlan_id); }else{ sapp_runtime_log(RLOG_LV_DEBUG, "packet_io_hook_input(), not found vlan_id:%u in vlan flipping table\n", vlan_id); @@ -217,7 +217,7 @@ int packet_io_hook_input(raw_pkt_t *raw_pkt, unsigned char dir, int thread_num) { int ret = 0; - /* vlan flipping与overlay可共存, 如果metadata或原始包里有vlan且命中flip规则, 则进行翻转,可能是本机自检流量; */ + /* vlan flippingoverlayɹ, metadataԭʼvlanflip, зת,DZԼ; */ ret = packet_io_hook_input_vlan_flipping(raw_pkt, dir, thread_num); if(ret >= 0){ return 0; diff --git a/src/packet_io/sendpacket.c b/src/packet_io/sendpacket.c index 2d78a80..99f2dcd 100644 --- a/src/packet_io/sendpacket.c +++ b/src/packet_io/sendpacket.c @@ -3407,6 +3407,11 @@ int __sapp_inject_pkt(struct streaminfo *raw_stream, enum sapp_inject_opt sio, { ((raw_pkt_t *)raw_pkt)->stream_trace_id = raw_stream_pr->stream_trace_id; } + + if (((raw_pkt_t *)raw_pkt)->is_ctrl_pkt != 0) + { + ((raw_pkt_t *)raw_pkt)->payload_len=payload_len; + } /* injectʹõroutedir, ˴תstream dir, ע: Ķܲɵǰ, kni, Ǵյݰ, ע·, -- cgit v1.2.3
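Review bot: The block added to __sapp_inject_pkt dereferences `raw_pkt` outside the braced block that sets `stream_trace_id`, whose condition is above the hunk; if that condition includes a NULL check on `raw_pkt`, the new `is_ctrl_pkt` read needs the same guard. The assignment `((raw_pkt_t *)raw_pkt)->payload_len=payload_len;` also stores the caller's value without comparing it to the buffer the raw packet describes. Any later code that treats `raw_pkt->payload_len` as a bound would then trust whatever was passed in, though the consumers are not shown here. A short comment saying why control packets need this field replaced at inject time would make the intent reviewable. The function continues outside the hunk.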