Diffstat (limited to 'roles/sapp')
-rw-r--r--roles/sapp/files/maat_redis_toolbin0 -> 1099912 bytes
-rw-r--r--roles/sapp/files/memory.conf3
-rw-r--r--roles/sapp/files/sapp-4.2.25.893d15d-2.el7.x86_64.rpmbin0 -> 463644 bytes
-rw-r--r--roles/sapp/files/tcpdump_mesa-1.0.2.0c5a950-2.el7.x86_64.rpmbin0 -> 360120 bytes
-rw-r--r--roles/sapp/files/tera_fake_promisc_setup.conf2
-rw-r--r--roles/sapp/files/tera_fake_promisc_setup.sh4
-rw-r--r--roles/sapp/tasks/main.yml104
-rw-r--r--roles/sapp/templates/conflist.inf.j212
-rw-r--r--roles/sapp/templates/gdev.conf.j211
-rw-r--r--roles/sapp/templates/project_list.conf.j220
-rw-r--r--roles/sapp/templates/sapp.service.j222
-rw-r--r--roles/sapp/templates/sapp.toml.j2225
-rw-r--r--roles/sapp/templates/sapp_log.conf.j214
-rw-r--r--roles/sapp/templates/sapp_tmpfile.conf.j21
-rw-r--r--roles/sapp/templates/vlan_flipping_map.conf.j211
15 files changed, 429 insertions, 0 deletions
diff --git a/roles/sapp/files/maat_redis_tool b/roles/sapp/files/maat_redis_tool
new file mode 100644
index 0000000..9e797bb
--- /dev/null
+++ b/roles/sapp/files/maat_redis_tool
Binary files differ
diff --git a/roles/sapp/files/memory.conf b/roles/sapp/files/memory.conf
new file mode 100644
index 0000000..c0255fc
--- /dev/null
+++ b/roles/sapp/files/memory.conf
@@ -0,0 +1,3 @@
+[Service]
+MemoryLimit=80G
+ExecStartPost=/bin/bash -c "echo 80G > /sys/fs/cgroup/memory/system.slice/sapp.service/memory.memsw.limit_in_bytes"
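Review bot: The ExecStartPost on the last line writes straight to the cgroup v1 memsw file and is not prefixed with `-`, so on a host where `/sys/fs/cgroup/memory/system.slice/sapp.service/memory.memsw.limit_in_bytes` does not exist (swap accounting off, or a cgroup v2 host) the whole unit fails to start instead of merely skipping the swap cap. Tolerate that case with `ExecStartPost=-/bin/bash -c "echo 80G > /sys/fs/cgroup/memory/system.slice/sapp.service/memory.memsw.limit_in_bytes"`, or test the path before writing. The 80G figure is duplicated between `MemoryLimit=` and the echo and is the only hard-coded sizing in a role that otherwise templates from inventory; at minimum a comment `# MemoryLimit= caps RAM; the echo caps RAM+swap — keep both values equal` above the section explains why there are two.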
diff --git a/roles/sapp/files/sapp-4.2.25.893d15d-2.el7.x86_64.rpm b/roles/sapp/files/sapp-4.2.25.893d15d-2.el7.x86_64.rpm
new file mode 100644
index 0000000..ca045ab
--- /dev/null
+++ b/roles/sapp/files/sapp-4.2.25.893d15d-2.el7.x86_64.rpm
Binary files differ
diff --git a/roles/sapp/files/tcpdump_mesa-1.0.2.0c5a950-2.el7.x86_64.rpm b/roles/sapp/files/tcpdump_mesa-1.0.2.0c5a950-2.el7.x86_64.rpm
new file mode 100644
index 0000000..c5cb8cf
--- /dev/null
+++ b/roles/sapp/files/tcpdump_mesa-1.0.2.0c5a950-2.el7.x86_64.rpm
Binary files differ
diff --git a/roles/sapp/files/tera_fake_promisc_setup.conf b/roles/sapp/files/tera_fake_promisc_setup.conf
new file mode 100644
index 0000000..f505012
--- /dev/null
+++ b/roles/sapp/files/tera_fake_promisc_setup.conf
@@ -0,0 +1,2 @@
+[Service]
+ExecStartPre=/bin/bash tera_fake_promisc_setup.sh
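Review bot: `ExecStartPre=/bin/bash tera_fake_promisc_setup.sh` names the script by a relative path, so it only resolves because sapp.service.j2 sets `WorkingDirectory=/home/mesasoft/sapp_run`; a later change to that directive silently breaks this drop-in. Use the absolute path the copy task in tasks/main.yml installs it to, `ExecStartPre=/bin/bash /home/mesasoft/sapp_run/tera_fake_promisc_setup.sh`. A leading comment `# installed only when tsg_access_type == 2 (see roles/sapp/tasks/main.yml)` would explain why the script is not unconditionally present.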
diff --git a/roles/sapp/files/tera_fake_promisc_setup.sh b/roles/sapp/files/tera_fake_promisc_setup.sh
new file mode 100644
index 0000000..4e8665a
--- /dev/null
+++ b/roles/sapp/files/tera_fake_promisc_setup.sh
@@ -0,0 +1,4 @@
+set -ex
+dp_adapter_ether_addr=$(ifconfig ens1f2 | grep ether | awk '{print $2}')
+bpf_rule="ether dst $dp_adapter_ether_addr or ether dst 02:42:c0:a8:fd:03 or ether dst 02:42:c0:a8:fd:83 or ether dst 02:42:c0:a8:fd:82"
+sed -i "/BSD_packet_filter=/s/=.*/=\"$bpf_rule\"/" etc/sapp.toml
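Review bot: The sed pattern `/BSD_packet_filter=/` matches every line containing that key, and sapp.toml.j2 has two of them (under `[packet_io.feature]` and under `[tools.pkt_dump]`), so the filter is also written into the packet-dump section; if only the capture filter is meant, restrict the substitution to the first match with GNU sed's `0,/BSD_packet_filter=/` address. The MAC lookup pipes `ifconfig` through grep and awk, and with `set -e` but no `pipefail` a missing interface or an absent net-tools package yields an empty address and a malformed `ether dst  or ...` rule rather than an error; reading `/sys/class/net/ens1f2/address` and failing on an empty value is both simpler and loud. The interface name `ens1f2` and the three `02:42:…` MACs are hard-coded while the rest of the role templates `nic_data_incoming.name`, so this file is a candidate for a `.j2` too. Note also that the script rewrites `etc/sapp.toml` on every service start, so the template task in main.yml will report a change on each run and revert the filter until the next restart.
```shell
set -euo pipefail
dp_adapter_ether_addr=$(cat /sys/class/net/ens1f2/address)
[ -n "$dp_adapter_ether_addr" ]
# … unchanged: bpf_rule assignment …
sed -i "0,/BSD_packet_filter=/s/=.*/=\"$bpf_rule\"/" etc/sapp.toml
```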
diff --git a/roles/sapp/tasks/main.yml b/roles/sapp/tasks/main.yml
new file mode 100644
index 0000000..3b7dd38
--- /dev/null
+++ b/roles/sapp/tasks/main.yml
@@ -0,0 +1,104 @@
+---
+- name: "copy sapp to destination server"
+ copy:
+ src: "{{ role_path }}/files/"
+ dest: /tmp/ansible_deploy/
+
+- name: "copy maat_redis_tool to destination server"
+ copy:
+ src: "{{ role_path }}/files/maat_redis_tool"
+ dest: /usr/local/bin
+ mode: 0755
+
+- name: "install sapp rpms from localhost"
+ yum:
+ name:
+ - /tmp/ansible_deploy/sapp-4.2.25.893d15d-2.el7.x86_64.rpm
+ state: present
+
+- name: "install tcpdump_mesa rpms from localhost"
+ yum:
+ name:
+ - /tmp/ansible_deploy/tcpdump_mesa-1.0.2.0c5a950-2.el7.x86_64.rpm
+ state: present
+ skip_broken: yes
+
+- name: "mkdir tsgconf"
+ file:
+ path: /home/mesasoft/sapp_run/tsgconf
+ state: directory
+
+- name: Template the sapp.toml
+ template:
+ src: "{{ role_path }}/templates/sapp.toml.j2"
+ dest: /home/mesasoft/sapp_run/etc/sapp.toml
+ tags: template
+
+- name: Template the project_list.conf
+ template:
+ src: "{{ role_path }}/templates/project_list.conf.j2"
+ dest: /home/mesasoft/sapp_run/etc/project_list.conf
+ tags: template
+
+- name: Template the conflist.inf
+ template:
+ src: "{{ role_path }}/templates/conflist.inf.j2"
+ dest: /home/mesasoft/sapp_run/plug/conflist.inf
+ tags: template
+
+- name: Template the sapp_log.conf
+ template:
+ src: "{{ role_path }}/templates/sapp_log.conf.j2"
+ dest: /home/mesasoft/sapp_run/etc/sapp_log.conf
+ tags: template
+
+- name: Template the sapp_tmpfile.conf
+ template:
+ src: "{{ role_path }}/templates/sapp_tmpfile.conf.j2"
+ dest: /etc/tmpfiles.d/sapp_tmpfile.conf
+ tags: template
+
+- name: Template the gdev.conf
+ template:
+ src: "{{ role_path }}/templates/gdev.conf.j2"
+ dest: /home/mesasoft/sapp_run/etc/gdev.conf
+ when: tsg_access_type == 1
+
+- name: Template the vlan_flipping_map.conf
+ template:
+ src: "{{ role_path }}/templates/vlan_flipping_map.conf.j2"
+ dest: /home/mesasoft/sapp_run/etc/vlan_flipping_map.conf
+ when: tsg_access_type == 2
+
+
+- name: "Template sapp.service destination server"
+ template:
+ src: "{{ role_path }}/templates/sapp.service.j2"
+ dest: /usr/lib/systemd/system/sapp.service
+ mode: 0755
+
+- name: "copy memory limit file to sapp.service.d"
+ copy:
+ src: "{{ role_path }}/files/memory.conf"
+ dest: /etc/systemd/system/sapp.service.d/
+ mode: 0644
+
+- name: "copy fake promisc tools for tera mode - service file"
+ copy:
+ src: "{{ role_path }}/files/tera_fake_promisc_setup.conf"
+ dest: /etc/systemd/system/sapp.service.d/
+ mode: 0644
+ when: tsg_access_type == 2
+
+- name: "copy fake promisc tools for tera mode - scripts"
+ copy:
+ src: "{{ role_path }}/files/tera_fake_promisc_setup.sh"
+ dest: /home/mesasoft/sapp_run/tera_fake_promisc_setup.sh
+ mode: 0755
+ when: tsg_access_type == 2
+
+- name: "enable sapp"
+ systemd:
+ name: sapp
+ enabled: yes
+ daemon_reload: yes
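Review bot: The task templating sapp.service.j2 installs the unit file with `mode: 0755`; a systemd unit is never executed and should be `mode: "0644"` like the drop-ins copied below it. The octal modes throughout the hunk are unquoted (YAML 1.1 reads `0755` as the integer 493, which Ansible tolerates but ansible-lint flags as risky-octal), and `skip_broken: yes`, `enabled: yes`, `daemon_reload: yes` should be `true`. The rpms are staged into the world-writable `/tmp/ansible_deploy/` with no `owner`/`mode` on the copy and installed from there; since local rpm installs are not signature-checked unless `localpkg_gpgcheck` is on, staging under a root-owned directory with restricted mode avoids another local user replacing the package between the copy and the yum task. Lastly the final task only enables sapp — nothing starts it or restarts it when the templates and drop-ins change, so the template/copy tasks need a `notify` and a handler with `state: restarted` and `daemon_reload: true` for configuration changes to take effect.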
diff --git a/roles/sapp/templates/conflist.inf.j2 b/roles/sapp/templates/conflist.inf.j2
new file mode 100644
index 0000000..dd5f99c
--- /dev/null
+++ b/roles/sapp/templates/conflist.inf.j2
@@ -0,0 +1,12 @@
+[platform]
+
+[protocol]
+./plug/protocol/ssl/ssl.inf
+./plug/protocol/http/http.inf
+./plug/protocol/dns/dns.inf
+./plug/protocol/mail/mail.inf
+./plug/protocol/ftp/ftp.inf
+./plug/protocol/quic/quic.inf
+./plug/protocol/l2tp_protocol_plug/l2tp_protocol_plug.inf
+
+[business]
diff --git a/roles/sapp/templates/gdev.conf.j2 b/roles/sapp/templates/gdev.conf.j2
new file mode 100644
index 0000000..0ce756a
--- /dev/null
+++ b/roles/sapp/templates/gdev.conf.j2
@@ -0,0 +1,11 @@
+[Module]
+{% if tsg_running_type == 2 %}
+pcapdevice={{ nic_data_incoming.name }}
+sendto_gdev_card={{ nic_data_incoming.name }}
+sendto_gdev_ip={{ inline_device_config.keepalive_ip }}
+{% else %}
+pcapdevice={{ inline_device_config.data_incoming }}
+sendto_gdev_card={{ inline_device_config.data_incoming }}
+sendto_gdev_ip={{ inline_device_config.keepalive_ip }}
+{% endif %}
+gdev_status_switch=1
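Review bot: `sendto_gdev_ip={{ inline_device_config.keepalive_ip }}` is repeated verbatim in both branches of the `tsg_running_type` conditional; moving it below `{% endif %}` leaves only the two interface-dependent keys inside the branches. A header comment such as `# tsg_running_type 2: capture on nic_data_incoming; otherwise on inline_device_config.data_incoming` would document what the branch selects.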
diff --git a/roles/sapp/templates/project_list.conf.j2 b/roles/sapp/templates/project_list.conf.j2
new file mode 100644
index 0000000..ce5e9a3
--- /dev/null
+++ b/roles/sapp/templates/project_list.conf.j2
@@ -0,0 +1,20 @@
+tcp_flow_stat struct
+udp_flow_stat struct
+tcp_deduce_flow_stat struct
+POLICY_PRIORITY struct
+ESTABLISH_LATENCY long
+MAIL_IDENTIFY int
+TSG_MASTER_INTERNAL_LABEL struct
+APP_ID_LABEL struct
+BASIC_PROTO_LABEL struct
+USER_DEFINED_ATTRIBUTE struct
+SKETCH_TRANS_LAYER_CTX_LABEL struct
+SKETCH_PROTO_CTX_LABEL struct
+common_link_info_c2s struct
+common_link_info_s2c struct
+common_link_info struct
+JA3_FINGERPRINT_LABEL struct
+DKPT_PRO_V2 struct
+DPKT_PROJECT_V2 struct
+PPROJECT_PRO_V2 struct
+DPKT_BHSTAT_PROJECT struct
diff --git a/roles/sapp/templates/sapp.service.j2 b/roles/sapp/templates/sapp.service.j2
new file mode 100644
index 0000000..fc91415
--- /dev/null
+++ b/roles/sapp/templates/sapp.service.j2
@@ -0,0 +1,22 @@
+[Unit]
+Description=sapp service
+{% if tsg_running_type != 0 %}
+Requires=mrzcpd.service
+After=mrzcpd.service
+{% endif %}
+[Service]
+Type=notify
+WorkingDirectory=/home/mesasoft/sapp_run
+ExecStart=/home/mesasoft/sapp_run/sapp
+TimeoutSec=900s
+RestartSec=10s
+Restart=always
+LimitNOFILE=524288
+LimitNPROC=infinity
+LimitCORE=0
+TasksMax=infinity
+Delegate=yes
+KillMode=process
+
+[Install]
+WantedBy=multi-user.target
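Review bot: The [Service] section sets no `User=`, so sapp runs as root with `LimitNPROC=infinity` and `TasksMax=infinity`, and `KillMode=process` means any children it spawns outlive a stop or restart. If the binary only needs packet capture, a dedicated user plus `AmbientCapabilities=CAP_NET_RAW CAP_NET_ADMIN` would narrow its privilege; I cannot tell from the role whether sapp or the marsio interface it is configured with needs more than that, so treat this as something to confirm with the vendor. A comment above `KillMode=process` stating why children must survive the main process would document the choice, and a blank line before `[Service]` would match the other sections.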
diff --git a/roles/sapp/templates/sapp.toml.j2 b/roles/sapp/templates/sapp.toml.j2
new file mode 100644
index 0000000..2fc5896
--- /dev/null
+++ b/roles/sapp/templates/sapp.toml.j2
@@ -0,0 +1,225 @@
+###################################################################################################
+# NOTE:
+# The format of this file is toml (https://github.com/cktan/tomlc99)
+# to make vim editor display colorful and human readable,
+# you can create a symbolic links named sapp.ini to sapp.toml, ln -sf sapp.toml sapp.ini
+###################################################################################################
+
+[SYSTEM]
+instance_name = "sapp4"
+
+[CPU]
+{% if tsg_access_type == 0 %}
+worker_threads=1
+{% else %}
+worker_threads={{ sapp.worker_threads }}
+{% endif %}
+send_only_threads_max={{ sapp.send_only_threads_max }}
+### note, bind_mask, if you do not want to bind thread to special CPU core, keep it empty as []
+{% if tsg_access_type == 0 %}
+bind_mask=[]
+{% else %}
+bind_mask=[{{ sapp.bind_mask }}]
+{% endif %}
+
+[MEM]
+dictator_enable=0
+
+[PACKET_IO]
+
+ [overlay_tunnel_definition]
+### note, since 2020-10-01, L2-L3 tunnel(VLAN,MPLS,PPPOE,etc.) is process and offload by mrtunnat,
+### after 2020-10-01, sapp support L2-L3 tunnel(VLAN,MPLS,PPPOE,etc.) without mrtunnat.
+ l2_l3_tunnel_support=1
+
+### note, optional value is [none, vxlan]
+ overlay_mode=none
+ stream_compare_layer_cfg_file="etc/stream_compare_layer.conf"
+ vlan_flipping_cfg_file="etc/vlan_flipping_map.conf"
+ asymmetric_presence_layer_cfg_file="etc/asymmetric_presence_layer.conf"
+ asymmetric_addr_layer_cfg_file="etc/asymmetric_addr_layer.conf"
+ prune_inject_layer_cfg_file="etc/prune_inject_layer.conf"
+
+ [packet_io.feature]
+
+ {% if tsg_access_type == 4 %}
+ ### note, used to represent inbound or outbound direction value,
+ ### because it comes from Third party device, so it needs to be specified manually,
+ ### if inbound_route_dir=1, then outbound_route_dir=0, vice versa,
+ ### in other words, outbound_route_dir = 1 ^ inbound_route_dir;
+ inbound_route_dir={{ sapp.inbound_route_dir }}
+ {% endif %}
+
+### note, BSD_packet_filter, if you do not want to set any filter rule, keep it empty as ""
+ BSD_packet_filter=""
+
+### note, same as tcpdump -Q/-P arg, possible values are `in', `out' and `inout', default is "in"
+ pcap_capture_direction="in"
+
+
+### note, depolyment.mode options: [sys_route, vxlan_by_inline_device, raw_ethernet_single_gateway, raw_ethernet_multi_gateway]
+### sys_route: send ip(ipv6) packet by system route table, this is default mode in mirror mode;
+### vxlan_by_inline_device: encapsulation inject packet with vxlan, and then send to inline device by udp socket.
+### raw_ethernet_single_gateway: send layer2 ethernet packet to specific gateway in same broadcast domain.
+### raw_ethernet_multi_gateway: send layer2 ethernet packet to multiple gateway in same broadcast domain.
+ inject_pkt_mode=sys_route
+
+### note, this config is valid if inject_pkt_mode==vxlan_by_inline_device, means udp socket src port.
+ inject_mode_inline_device_sport=54789
+
+### note, this config is valid if inject_pkt_mode==raw_ethernet_single_gateway.
+ inject_mode_single_gateway_device="eth1"
+### inject_mode_single_gateway_src_mac has lower priority than get smac from inject_mode_single_gateway_device
+ inject_mode_single_gateway_src_mac="00:11:22:77:88:99"
+ inject_mode_single_gateway_dst_mac="00:11:22:33:44:55"
+ dumpfile_sleep_time_before_exit=3
+
+### note, depolyment.mode options: [mirror, inline, transparent]
+ [packet_io.depolyment]
+ {% if tsg_access_type == 0 %}
+ mode=transparent
+ {% else %}
+ mode=inline
+ {% endif %}
+
+### note, interface.type options: [pag,pcap,marsio]
+ [packet_io.internal.interface]
+ {% if tsg_access_type == 0 %}
+ type=pcap
+ name={{packet_io.internal_interface}}
+ {% else %}
+ type=marsio
+ name={{nic_data_incoming.name}}
+ {% endif %}
+
+ [packet_io.external.interface]
+ {% if tsg_access_type == 0 %}
+ type=pcap
+ name={{packet_io.external_interface}}
+ {% else %}
+ type=pcap
+ name=lo
+ {% endif %}
+
+ [packet_io.polling]
+### note, polling_priority = call sapp_recv_pkt every call polling_entry times,
+ polling_priority=1
+
+[PROTOCOL_FEATURE]
+ ipv6_decapsulation_enabled=1
+ ipv6_send_packet_enabled=1
+ tcp_drop_pure_ack_pkt=0
+ tcp_syn_option_parse_enabled=1
+ skip_not_ip_layer_over_eth=0
+ treat_vlan_as_mac_in_mac=0
+ reverse_ethernet_addr=1
+
+
+[STREAM]
+### note, stream_id_base_time format is "%Y-%m-%d %H:%M:%S"
+ stream_id_base_time="2018-08-08 08:00:00"
+ [stream.tcp]
+ max=100000
+ timeout=30
+ syn_mandatory=1
+ reorder_pkt_max=128
+ analyse_option_enabled=1
+ tuple4_reuse_time_interval=30
+
+ meaningful_statistics_minimum_pkt=3
+ meaningful_statistics_minimum_byte=5
+
+ [stream.tcp.inject]
+ link_mss=1460
+
+ [stream.tcp.inject.rst]
+ auto_remedy=0
+ number=3
+ signature_enabled=1
+ signature_seed1=65535
+ signature_seed2=13
+ remedy_kill_tcp_by_inline_device=0
+
+ [stream.udp]
+ max=100000
+ timeout=60
+ meaningful_statistics_minimum_pkt=3
+ meaningful_statistics_minimum_byte=5
+
+
+[PROFILING]
+ [profiling.pkt_latency]
+ enabled=0
+### note, threshold unit is microseconds (us)
+ threshold=1000000
+
+ [profiling.sanity_check]
+ raw_pkt_broken_enabled=0
+ symbol_conflict_enabled=0
+
+ [profiling.log]
+ level=10
+ interval=5
+
+ [profiling.log.local]
+ enabled=1
+### note, if "file_truncate_open_enabled=1", file will be truncated, otherwise open the file for appending.
+ file_truncate_enabled = 1
+ log_file_name = "fs2_sysinfo.log"
+ log_conf_name = "etc/sapp_log.conf"
+ [profiling.log.remote]
+ enabled=1
+ server_ip=127.0.0.1
+ server_port=8100
+
+ [profiling.log.remote.field_stat2]
+### note, is valid when "remote_send_out_type=field_stat2"
+### note, metric_type option value: [default, json]
+ metric_type = default
+ app_name=sapp
+
+ [profiling.log.prometheus]
+ prometheus_enabled={{ sapp_prometheus_enable }}
+ prometheus_port={{ sapp_prometheus_port }}
+ prometheus_url_path="{{ sapp_prometheus_url_path }}"
+
+[TOOLS]
+ [tools.pkt_dump]
+ enabled=1
+### note, mode options value:[storage, udp_socket]
+ mode=udp_socket
+ BSD_packet_filter=""
+
+ [tools.pkt_dump.threads]
+### note, if you want enable pkt dump in all thread, set dump_thread_all_enabled=1, then 'dump_thread_id' is obsoleted.
+### if dump_thread_all_enabled=0, then use dump_thread_id to specify separate specified thread index.
+ all_threads_enabled=1
+
+### note, dump_thread_id start from 0, max is CPU.worker_threads-1
+ dump_thread_id=[0,1,2,3,4]
+
+ [tools.pkt_dump.udp]
+ command_port=9345
+
+ [tools.pkt_dump.storage]
+### note, file path must be double quotation mark extension, for example, path="/dev/shm/pkt_dump"
+ path="/dev/shm/pkt_dump"
+### note, file size unit: MB
+ file_size_max_per_thread=10000
+
+### note:
+### These configurations format is complex and difficult to describe with toml grammar,
+### so, create a Independent config file to description specific information.
+[SPECIAL_CONFIG_LINK]
+ project_list_path="./etc/project_list.conf"
+ plugin_path="./etc/plugin.conf"
+ entrylist_path="./etc/entrylist.conf"
+ send_raw_pkt_path="./etc/send_raw_pkt.conf"
+ vxlan_sport_service_map_path="./etc/vxlan_sport_service_map.conf"
+
+[breakpad]
+ disable_coredump=1
+ enable_breakpad=1
+ breakpad_minidump_dir="/tmp/crashreport"
+ enable_breakpad_upload=1
+ breakpad_upload_url="{{ breakpad_upload_url }}"
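Review bot: The comment above `inject_pkt_mode=sys_route` reads `### note, depolyment.mode options: [sys_route, vxlan_by_inline_device, ...]`, but those are the values of inject_pkt_mode, not of the `[packet_io.depolyment]` mode key documented further down; change it to `### note, inject_pkt_mode options: [sys_route, vxlan_by_inline_device, raw_ethernet_single_gateway, raw_ethernet_multi_gateway]`. Likewise the note above `file_truncate_enabled = 1` refers to `file_truncate_open_enabled`, which is not the key that follows. `bind_mask=[{{ sapp.bind_mask }}]` assumes `sapp.bind_mask` renders as a bare comma-separated string; if the inventory defines it as a YAML list this produces `[[0, 1]]`, so `{{ sapp.bind_mask | join(',') }}` would be safer. The `BSD_packet_filter=""` under `[packet_io.feature]` is rewritten at service start by tera_fake_promisc_setup.sh when tsg_access_type == 2, which the template does not say; a comment `### note, overwritten at start by tera_fake_promisc_setup.sh when tsg_access_type == 2` there would prevent someone editing it in vain.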
diff --git a/roles/sapp/templates/sapp_log.conf.j2 b/roles/sapp/templates/sapp_log.conf.j2
new file mode 100644
index 0000000..8ec2230
--- /dev/null
+++ b/roles/sapp/templates/sapp_log.conf.j2
@@ -0,0 +1,14 @@
+[global]
+default format = "%d(%c), %V, %U, %m%n"
+[levels]
+DEBUG=10
+INFO=20
+FATAL=30
+[formats]
+other = "%d(%c), %V, %F, %U, %m%n"
+plugin = "%d(%c), %m%n"
+[rules]
+__log_runtimelog.info "./log/runtimelog.%d(%F)"
+__log_runtimelog_plugin.fatal >stdout; plugin
+__log_runtimelog_plugin.info "./log/plugin.log"; plugin
+!.fatal "./log/%c.%d(%F)"; other
diff --git a/roles/sapp/templates/sapp_tmpfile.conf.j2 b/roles/sapp/templates/sapp_tmpfile.conf.j2
new file mode 100644
index 0000000..485725b
--- /dev/null
+++ b/roles/sapp/templates/sapp_tmpfile.conf.j2
@@ -0,0 +1 @@
+d /home/mesasoft/sapp_run/log 0755 - - 2d -
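Review bot: The age field `2d` makes systemd-tmpfiles --clean remove entries under /home/mesasoft/sapp_run/log untouched for two days, a retention decision stated nowhere else in the role; runtime and crash logs from an incident older than that are gone before anyone looks at them. If that is intended, a comment `# log dir created at boot; entries untouched for 2 days are purged by systemd-tmpfiles-clean.timer` documents it; if not, set the age to `-` and rotate with logrotate instead.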
diff --git a/roles/sapp/templates/vlan_flipping_map.conf.j2 b/roles/sapp/templates/vlan_flipping_map.conf.j2
new file mode 100644
index 0000000..599e8f8
--- /dev/null
+++ b/roles/sapp/templates/vlan_flipping_map.conf.j2
@@ -0,0 +1,11 @@
+#for inline a device vlan flipping
+#数据包来自C路由器端, 即C2I(I2E)方向,
+#数据包来自I路由器端, 即I2C(E2I)方向,
+#平台会根据vlan_id,设置当前包route_dir的值, 以便上层业务插件做两个方向的流量统计,
+#如果一对vlan_id写反了, 网络是通的, 但是I2E,E2I的流量统计就颠倒了.
+#配置文件格式, pattern:
+#来自C路由器vlan_id 来自I路由器vlan_id 是否开启mac地址翻转
+#C_router_vlan_id I_router_vlan_id mac_flipping_enable
+1301 1302 1
+1201 1202 1
+4000 4001 0
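Review bot: The comments in this template are in Chinese while every other file in the role is English, and the file contains no Jinja at all — a fixed table of VLAN pairs — so either the `.j2` suffix is unnecessary or the pairs should come from inventory like `nic_data_incoming` does elsewhere. The header should be translated; roughly: packets from the C-router side are the C2I (I2E) direction and from the I-router side the I2C (E2I) direction, the platform sets each packet's route_dir from its vlan_id so plugins can count traffic per direction, a swapped pair keeps the network working but inverts the I2E/E2I statistics, and the columns are `C_router_vlan_id I_router_vlan_id mac_flipping_enable`.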