authorliuxueli <[email protected]>2024-10-29 09:29:22 +0000
committerliuxueli <[email protected]>2024-10-31 06:07:53 +0000
commitd9a45c8d08622c946749aec035cc7aaadffde5fe (patch)
treeff2b3633cc0bfcfa35ed72ddb87f24f88390b4e5
parent9cbb008ec8499d0d728f7421c15a0eeb3de89d27 (diff)
define scanner, security/monitor enforcer
-rw-r--r--enforcer/monitor/monitor.c28
-rw-r--r--enforcer/monitor/monitor.h1
-rw-r--r--enforcer/security/security.c24
-rw-r--r--enforcer/security/security.h1
-rw-r--r--include/stellar/action_parameter.h209
-rw-r--r--include/stellar/monitor.h28
-rw-r--r--include/stellar/recorder.h8
-rw-r--r--include/stellar/scanner.h180
-rw-r--r--include/stellar/security.h37
-rw-r--r--scanner/scanner.c138
10 files changed, 589 insertions, 65 deletions
diff --git a/enforcer/monitor/monitor.c b/enforcer/monitor/monitor.c
new file mode 100644
index 0000000..8143b1e
--- /dev/null
+++ b/enforcer/monitor/monitor.c
@@ -0,0 +1,28 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "uthash/utarray.h"
+/*
+ * @brief Monitor Enforcer Module
+ * @input
+ * subscribe PACKET_STAGE_OUTPUT
+ * subscribe HTTP transaction
+ * subscribe monitor rule
+ * @output
+ * mirror packet, mirrored packets and bytes
+ * policy packet capture
+ * dump http content
+*/
+
+struct monitor_mirror
+{
+ UT_array *vlan;
+ long long packets;
+ long long bytes;
+};
+
+struct monitor_exdata
+{
+ struct monitor_mirror *mirror;
+}; \ No newline at end of file
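Review bot: monitor.c includes `<stdio.h>`, `<stdlib.h>` and `<string.h>` but not its own header `enforcer/monitor/monitor.h`, so the header's self-containment is never exercised by a build; `enforcer/security/security.c` has the same gap with `security.h`. `struct monitor_exdata` holds a bare `struct monitor_mirror *` with nothing said about who allocates and frees it; a one-line comment next to the member, for example `/* owned by this exdata; released in the exdata free callback */` or whatever the actual contract is, would spare the next reader a guess. Both new .c files also end without a trailing newline.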
diff --git a/enforcer/monitor/monitor.h b/enforcer/monitor/monitor.h
new file mode 100644
index 0000000..6f70f09
--- /dev/null
+++ b/enforcer/monitor/monitor.h
@@ -0,0 +1 @@
+#pragma once
diff --git a/enforcer/security/security.c b/enforcer/security/security.c
new file mode 100644
index 0000000..19513e9
--- /dev/null
+++ b/enforcer/security/security.c
@@ -0,0 +1,24 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "uthash/utarray.h"
+/*
+ * @brief Security Enforcer Module
+ * @input
+ * subscribe PACKET_STAGE_OUTPUT
+ * subscribe TCP/UDP session
+ * subscribe security rule
+ * @output
+ * policy packet capture
+ * vsystem security option
+*/
+
+struct security_exdata
+{
+ /*
+ rate limit
+ drop after N packets
+ tamper packet
+ */
+}; \ No newline at end of file
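Review bot: `struct security_exdata` at the end of the hunk has no members, only a comment, and an empty struct is a constraint violation in ISO C (GCC accepts it as an extension and `-pedantic` warns), so a strict build of this file fails. Either give it a real member now or leave the definition out until the rate-limit / drop-after-N / tamper state the comment lists is added; `struct sub_action_rate_limit`, `struct sub_action_drop` and `struct sub_action_tamper` from `include/stellar/action_parameter.h` in this same commit look like the intended contents. The commented intent would be clearer as a `TODO` with the enforcer it belongs to, e.g. `/* TODO(security enforcer): rate limit, drop after N packets, tamper packet */`.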
diff --git a/enforcer/security/security.h b/enforcer/security/security.h
new file mode 100644
index 0000000..7b9637e
--- /dev/null
+++ b/enforcer/security/security.h
@@ -0,0 +1 @@
+#pragma once \ No newline at end of file
diff --git a/include/stellar/action_parameter.h b/include/stellar/action_parameter.h
new file mode 100644
index 0000000..750d4ef
--- /dev/null
+++ b/include/stellar/action_parameter.h
@@ -0,0 +1,209 @@
+#pragma once
+
+#include <stdint.h>
+#include <stddef.h>
+#include <stdbool.h>
+#include <uuid/uuid.h>
+
+enum LOG_OPTION
+{
+ LOG_OPTION_NONE=0,
+ LOG_OPTION_ALL,
+ LOG_OPTION_METADATA,
+};
+
+enum response_type
+{
+ RESPONSE_UNKNOWN,
+ RESPONSE_TEXT,
+ RESPONSE_PROFILE,
+ RESPONSE_TEMPLATE,
+ RESPONSE_URL_TO,
+ RESPONSE_NO_CONTENT, // alert 204
+ RESPONSE_CNAME,
+ RESPONSE_IPV4,
+ RESPONSE_IPV6,
+ RESPONSE_SPECIAL_TEXT // mail and sip block no response type
+};
+
+struct http_response_page
+{
+ enum response_type rtype;
+ size_t content_sz;
+ char *content;
+};
+
+enum dns_rr_type
+{
+ RR_TYPE_UNKNOWN=0,
+ RR_TYPE_A=1, // DNS_TYPE_A
+ RR_TYPE_CNAME=5, // DNS_TYPE_CNAME
+ RR_TYPE_AAAA=28, // DNS_TYPE_AAAA
+};
+
+struct dns_answer_record
+{
+ int min_ttl;
+ int max_ttl;
+ int selected_num;
+ enum dns_rr_type qtype; // dns query type
+ enum dns_rr_type atype; // dns answer type
+ enum response_type rtype; // response type
+ union
+ {
+ char *cname;
+ struct in_addr v4_addr;
+ struct in6_addr v6_addr;
+ uuid_t record_profile;
+ };
+};
+
+enum dns_answer_type
+{
+ DNS_ANSWER_TYPE_A_A=0,
+ DNS_ANSWER_TYPE_A_CNAME,
+ DNS_ANSWER_TYPE_AAAA_AAAA,
+ DNS_ANSWER_TYPE_AAAA_CNAME,
+ DNS_ANSWER_TYPE_MAX
+};
+
+struct dns_setting_details
+{
+ // qtype: A, atype: A
+ // qtype: AAAA, atype: AAAA
+ // qtype: A, atype: CNAME
+ // qtype: AAAA, atype: CNAME
+ UT_array *answer_array[DNS_ANSWER_TYPE_MAX];
+};
+
+struct dns_resource_record
+{
+ enum dns_rr_type atype; // dns answer type
+ UT_array *answer_array;
+};
+
+// Block/Alert/Redirect
+struct sub_action_response
+{
+ int32_t response_code;
+ enum response_type rtype; // response type
+ union
+ {
+ char *message;
+ char *redirect_url_to;
+ uuid_t profile_uuid;
+ };
+};
+
+struct sub_action_drop
+{
+ bool send_reset_enable;
+ bool send_icmp_enable;
+ char padding[2];
+ int after_n_packets;
+};
+
+struct sub_action_rate_limit
+{
+ int bps;
+};
+
+enum TAMPER_MODE
+{
+ TAMPER_MODE_UNKNOWN=0,
+ TAMPER_MODE_COMPLETE,
+ TAMPER_MODE_CONTINUOUS,
+ TAMPER_MODE_RANDOM,
+ TAMPER_MODE_MAX
+};
+
+struct sub_action_tamper
+{
+ int32_t samples;
+ int32_t batch_size;
+ enum TAMPER_MODE mode;
+};
+
+enum RULE_SUB_ACTION
+{
+ RULE_SUB_ACTION_UNKNOWN=0,
+ RULE_SUB_ACTION_DROP,
+ RULE_SUB_ACTION_BLOCK,
+ RULE_SUB_ACTION_ALERT,
+ RULE_SUB_ACTION_TAMPER,
+ RULE_SUB_ACTION_RATE_LIMIT,
+ RULE_SUB_ACTION_HTTP_REDIRECT,
+ RULE_SUB_ACTION_DNS_REDIRECT,
+ RULE_SUB_ACTION_MAX
+};
+
+struct override_sub_action
+{
+ enum RULE_SUB_ACTION sub_action_type;
+ union
+ {
+ struct sub_action_drop drop;
+ struct sub_action_tamper *tamper;
+ struct sub_action_rate_limit rate_limit;
+ struct sub_action_response *block; // sip, mail, http
+ struct sub_action_response *http_alert; // http
+ struct sub_action_response *http_redirect;
+ struct dns_setting_details *dns_redirect;
+ void *parameter;
+ };
+};
+
+enum action_parameter_origin
+{
+ origin_unknown=0,
+ origin_app_id_dict,
+ origin_override
+};
+
+// packet capture
+struct packet_capture
+{
+ bool enable;
+ size_t depth;
+};
+
+struct deny_action_parameter
+{
+ enum action_parameter_origin origin;
+ union
+ {
+ struct override_sub_action *override_action;
+ void *app_id_dict;
+ };
+ struct packet_capture capture;
+};
+
+// mirror traffic
+struct traffic_mirroring
+{
+ bool enable;
+ uuid_t mirroring_profile;
+};
+
+struct monitor_action_parameter
+{
+ struct traffic_mirroring mirror;
+ struct packet_capture capture;
+};
+
+struct app_id_dict
+{
+ int32_t app_id;
+ int32_t tcp_timeout;
+ int32_t udp_timeout;
+ size_t app_name_sz;
+ size_t category_sz;
+ size_t content_sz;
+ char *app_name;
+ char *category;
+ char *content;
+ uuid_t object_uuid;
+ struct override_sub_action sub_action;
+};
+
+struct app_id_dict *plugin_exdata_get0_app_id_dict(struct maat *cm_maat, int32_t appid); \ No newline at end of file
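Review bot: The header is not self-contained: `struct in_addr` / `struct in6_addr` (the union in `struct dns_answer_record`), `UT_array` (`struct dns_setting_details`, `struct dns_resource_record`) and `struct maat` (the prototype on the last line) are all used without any prior declaration, so a translation unit that includes only this header, which `include/stellar/monitor.h` does, fails with incomplete-type and unknown-type-name errors, and `include/stellar/security.h` only builds because it happens to include `<netinet/in.h>` and `<uthash/utarray.h>` first. Add `#include <netinet/in.h>`, `#include "uthash/utarray.h"` and a forward declaration `struct maat;` after the existing includes. The same missing forward declaration applies to `struct maat` in `include/stellar/monitor.h` and `include/stellar/security.h` and to `struct stellar_module_manager` in `include/stellar/recorder.h`: when a tag is first named inside a prototype's parameter list it gets prototype scope, the compiler warns that it will not be visible outside the declaration, and callers that include `maat.h` elsewhere end up with an incompatible pointer type. Separately, `char padding[2]` in `struct sub_action_drop` is hand-written padding the compiler already inserts; keep it only if the layout is shared over a wire or a file, and say so in a comment if it is.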
diff --git a/include/stellar/monitor.h b/include/stellar/monitor.h
new file mode 100644
index 0000000..69573e6
--- /dev/null
+++ b/include/stellar/monitor.h
@@ -0,0 +1,28 @@
+#pragma once
+
+#include <stdint.h>
+#include <stddef.h>
+#include <stdbool.h>
+#include <uuid/uuid.h>
+
+#include "stellar/action_parameter.h"
+
+// monitor
+#ifndef MAX_VLAN_ID_NUM
+#define MAX_VLAN_ID_NUM 64
+#endif
+struct mirroring_vlan
+{
+ size_t n_vlan_id;
+ uint32_t vlan_id[MAX_VLAN_ID_NUM];
+};
+
+struct monitor_rule
+{
+ uuid_t rule_uuid;
+ enum LOG_OPTION log_option;
+ struct monitor_action_parameter *monitor;
+};
+
+struct monitor_rule *plugin_exdata_get0_monitor_rule(struct maat *cm_maat, uuid_t rule_uuid);
+struct mirroring_vlan *plugin_exdata_get0_traffic_mirroring_vlan(struct maat *cm_maat, uuid_t profile_uuid);
diff --git a/include/stellar/recorder.h b/include/stellar/recorder.h
new file mode 100644
index 0000000..c22a4f9
--- /dev/null
+++ b/include/stellar/recorder.h
@@ -0,0 +1,8 @@
+#pragma once
+
+#include <stddef.h>
+
+struct recorder_module;
+struct recorder_module *stellar_module_get_recorder(struct stellar_module_manager *mod_mgr);
+
+
diff --git a/include/stellar/scanner.h b/include/stellar/scanner.h
index c8ddb72..6655b9b 100644
--- a/include/stellar/scanner.h
+++ b/include/stellar/scanner.h
@@ -8,65 +8,83 @@ extern "C"
#include "maat.h"
#include <stddef.h>
-struct scanner;
-struct scanner *stellar_module_get_scanner(struct stellar_module_manager *mod_mgr);
+struct scanner_module;
+struct scanner_module *stellar_module_get_scanner(struct stellar_module_manager *mod_mgr);
/*
@ return cm maat instance
*/
-struct maat *scanner_get_maat_instance(struct scanner *scanner);
+struct maat *scanner_module_get_maat_instance(struct scanner_module *scanner);
+
+//const char *plugin_exdata_get0_object_table_name(struct maat *cm_maat, const char *attribute_name);
/*
@ exdata/message shares the memory of policy_exdata, so we need to free the memory of policy_exdata in exdata free callback
*/
+typedef void security_rule_on_packet_callback(struct packet *pkt, uuid_t rule_uuids[], int appid[], size_t n_rule_uuids, void *args);
+int scanner_module_subscribe_security_rule_on_packet(struct scanner_module *scanner, security_rule_on_packet_callback *cb, void *args);
+
+typedef void security_rule_on_session_callback(struct session *sess, uuid_t rule_uuids[], int appid[], size_t n_rule_uuids, void *args);
+int scanner_module_subscribe_security_rule_on_session(struct scanner_module *scanner, security_rule_on_session_callback *cb, void *args);
+
+typedef void monitor_rule_on_packet_callback(struct packet *pkt, uuid_t rule_uuids[], size_t n_rule_uuids, void *args);
+int scanner_module_subscribe_monitor_rule_on_packet(struct scanner_module *scanner, monitor_rule_on_packet_callback *cb, void *args);
+
+typedef void monitor_rule_on_session_callback(struct session *sess, uuid_t rule_uuids[], size_t n_rule_uuids, void *args);
+int scanner_module_subscribe_monitor_rule_on_session(struct scanner_module *scanner, monitor_rule_on_session_callback *cb, void *args);
+
+typedef void dos_protection_rule_on_packet_callback(struct packet *pkt, uuid_t rule_uuids[], size_t n_rule_uuids, void *args);
+int scanner_module_subscribe_dos_protection_rule_on_packet(struct scanner_module *scanner, dos_protection_rule_on_packet_callback *cb, void *args);
+
+typedef void dos_protection_rule_on_session_callback(struct session *sess, uuid_t rule_uuids[], size_t n_rule_uuids, void *args);
+int scanner_module_subscribe_dos_protection_rule_on_session(struct scanner_module *scanner, dos_protection_rule_on_session_callback *cb, void *args);
+
enum RULE_TYPE
{
RULE_TYPE_UNKNOWN=0,
RULE_TYPE_SECURITY,
- RULE_TYPE_DOS_PROTECTION,
RULE_TYPE_MONITOR,
+ RULE_TYPE_DOS_PROTECTION,
RULE_TYPE_STATISTICS,
- RULE_TYPE_PROXY,
RULE_TYPE_SHAPING,
+ RULE_TYPE_PROXY,
RULE_TYPE_SERVICE_CHAINING,
RULE_TYPE_MAX
};
-typedef void on_rule_callback(struct session *sess, uuid_t rule_uuids[], size_t n_rule_uuids, void *args);
-int scanner_rule_create_topic(struct stellar_module_manager *mod_mgr, enum RULE_TYPE rule_type);
-int scanner_rule_subscribe(struct stellar_module_manager *mod_mgr, enum RULE_TYPE rule_type, on_rule_callback *cb, void *args);
-
struct policy_exdata;
-struct policy_exdata *scanner_get_policy_exdata_on_session(struct scanner *scanner, struct session *sess);
-struct policy_exdata *scanner_get_policy_exdata_on_packet(struct scanner *scanner, struct packet *pkt);
+struct policy_exdata *scanner_module_get0_policy_exdata_on_session(struct scanner_module *scanner, struct session *sess);
+struct policy_exdata *scanner_module_get0_policy_exdata_on_packet(struct scanner_module *scanner, struct packet *pkt);
-size_t policy_exdata_get_cumulative_rule_count(struct policy_exdata *msg, enum RULE_TYPE rule_type);
-size_t policy_exdata_get_cumulative_rule_uuids(struct policy_exdata *msg, enum RULE_TYPE rule_type, uuid_t rule_uuids[], size_t n_rule_uuids);
+size_t policy_exdata_get0_cumulative_rule_count(struct policy_exdata *exdata, enum RULE_TYPE rule_type);
+size_t policy_exdata_get0_cumulative_rules(struct policy_exdata *exdata, enum RULE_TYPE rule_type, uuid_t rule_uuids[], char *rule_action[], size_t n_rule_uuids);
-size_t policy_exdata_get_delta_rule_count(struct policy_exdata *msg, enum RULE_TYPE rule_type);
-size_t policy_exdata_get_delta_rule_uuids(struct policy_exdata *msg, enum RULE_TYPE rule_type, uuid_t rule_uuids[], size_t n_rule_uuids);
+size_t policy_exdata_get0_delta_rule_count(struct policy_exdata *exdata, enum RULE_TYPE rule_type);
+size_t policy_exdata_get0_delta_rules(struct policy_exdata *exdata, enum RULE_TYPE rule_type, uuid_t rule_uuids[], char *rule_action[], size_t n_rule_uuids);
-enum OBJECT_TYPE
+enum ATTRIBUTE_TYPE
{
- OBJECT_TYPE_UNKNOWN=0,
- OBJECT_TYPE_CLIENT_IP,
- OBJECT_TYPE_SERVER_IP,
- OBJECT_TYPE_OTHERS,
- OBJECT_TYPE_MAX
+ ATTRIBUTE_TYPE_UNKNOWN=0,
+ ATTRIBUTE_TYPE_CLIENT_IP,
+ ATTRIBUTE_TYPE_SERVER_IP,
+ ATTRIBUTE_TYPE_OTHERS,
+ ATTRIBUTE_TYPE_MAX
};
-size_t policy_exdata_get_cumulative_object_count(struct policy_exdata *msg, enum OBJECT_TYPE object_type);
-size_t policy_exdata_get_cumulative_hit_objects(struct policy_exdata *msg, enum OBJECT_TYPE object_type, struct maat_hit_object hit_objects[], size_t n_hit_objects);
-
-size_t policy_exdata_get_delta_hit_object_count(struct policy_exdata *msg, enum OBJECT_TYPE object_type);
-size_t policy_exdata_get_delta_hit_objects(struct policy_exdata *msg, enum OBJECT_TYPE object_type, struct maat_hit_object hit_objects[], size_t n_hit_objects);
+const char *plugin_exdata_get0_available_object_type(struct maat *cm_maat, const char *attribute_name);
-/*
- @ Enforcer of security enforces security rule para by of app id dict, so need to get application id by rule id
-*/
+/* object option is brief or elaborate */
+size_t policy_exdata_get0_cumulative_object_count(struct policy_exdata *exdata, enum ATTRIBUTE_TYPE attr_type);
+size_t policy_exdata_get0_cumulative_hit_objects(struct policy_exdata *exdata, enum ATTRIBUTE_TYPE attr_type, struct maat_hit_object hit_objects[], size_t n_hit_objects);
+
+size_t policy_exdata_get0_delta_hit_object_count(struct policy_exdata *exdata, enum ATTRIBUTE_TYPE attr_type);
+size_t policy_exdata_get0_delta_hit_objects(struct policy_exdata *exdata, enum ATTRIBUTE_TYPE attr_type, struct maat_hit_object hit_objects[], size_t n_hit_objects);
-int policy_exdata_get_application_id_by_rule_uuid(struct policy_exdata *msg, uuid_t rule_uuid);
+void scanner_module_mark_log_option_on_session(struct scanner_module *scanner, struct session *sess, enum LOG_OPTION log_option);
+void scanner_module_mark_packet_capture_on_session(struct scanner_module *scanner, struct session *sess, size_t depth);
+void scanner_module_mark_packet_mirroring_on_session(struct scanner_module *scanner, struct session *sess, int32_t *vlan_id, size_t n_vlan_id);
+void scanner_module_mark_packet_mirroring_on_packet(struct scanner_module *scanner, struct packet *pkt, int32_t *vlan_id, size_t n_vlan_id);
/*
Session JSON:
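Review bot: The two new `scanner_module_mark_packet_mirroring_*` prototypes take `int32_t *vlan_id`, but the VLAN list the monitor enforcer will have in hand is `uint32_t vlan_id[MAX_VLAN_ID_NUM]` from `struct mirroring_vlan` in `include/stellar/monitor.h`, so every caller either casts or trips a pointer-sign warning; since the scanner only reads the list, `const uint32_t *vlan_id` fits both sides: `void scanner_module_mark_packet_mirroring_on_session(struct scanner_module *scanner, struct session *sess, const uint32_t *vlan_id, size_t n_vlan_id);` and likewise for `_on_packet`. The comment "exdata/message shares the memory of policy_exdata, so we need to free ... in exdata free callback" used to sit directly above the policy-exdata accessors; after this insert it reads as describing the subscribe functions, so it should move down to the `struct policy_exdata;` declaration, and each new `typedef ... callback` deserves a line stating that `rule_uuids` / `appid` are borrowed for the duration of the call (if that is the contract; the page does not show the scanner side). The reordering of `RULE_TYPE` (DOS_PROTECTION/MONITOR and SHAPING/PROXY swap positions) changes the numeric value of existing enumerators; if any of them are persisted or serialized, that is an incompatible change worth a changelog line. The function prototypes here have no enclosing block; the hunk continues into the "Session JSON" comment whose end is in the next hunk.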
@@ -79,35 +97,81 @@ int policy_exdata_get_application_id_by_rule_uuid(struct policy_exdata *msg, uui
Decode Path / Decode AS
*/
-struct attribute_exdata;
-struct attribute_exdata *scanner_get_attribute_exdata_on_session(struct scanner *scanner, struct session *sess);
-struct attribute_exdata *scanner_get_attribute_exdata_on_packet(struct scanner *scanner, struct packet *pkt);
-
-void attribute_exdata_get0_application(struct attribute_exdata *msg, char **application, size_t *application_sz);
-void attribute_exdata_get0_application_category(struct attribute_exdata *msg, char **application_category, size_t *application_category_sz);
-void attribute_exdata_get0_application_transition(struct attribute_exdata *msg, char **application_transition, size_t *application_transition_sz);
-void attribute_exdata_get0_application_content(struct attribute_exdata *msg, char **application_content, size_t *application_content_sz);
-void attribute_exdata_get0_server_fqdn(struct attribute_exdata *msg, char **server_fqdn, size_t *server_fqdn_sz);
-void attribute_exdata_get0_server_domain(struct attribute_exdata *msg, char **server_domain, size_t *server_domain_sz);
-void attribute_exdata_get0_imei(struct attribute_exdata *msg, char **imei, size_t *imei_sz);
-void attribute_exdata_get0_imsi(struct attribute_exdata *msg, char **imsi, size_t *imsi_sz);
-void attribute_exdata_get0_phone_number(struct attribute_exdata *msg, char **phone_number, size_t *phone_number_sz);
-void attribute_exdata_get0_apn(struct attribute_exdata *msg, char **apn, size_t *apn_sz);
-void attribute_exdata_get0_client_subscriber_id(struct attribute_exdata *msg, char **client_subscriber_id, size_t *client_subscriber_id_sz);
-void attribute_exdata_get0_client_asn(struct attribute_exdata *msg, char **client_asn, size_t *client_asn_sz); // for dos enforcer
-void attribute_exdata_get0_server_asn(struct attribute_exdata *msg, char **server_asn, size_t *server_asn_sz);
-void attribute_exdata_get0_client_country(struct attribute_exdata *msg, char **client_country, size_t *client_country_sz);
-void attribute_exdata_get0_server_country(struct attribute_exdata *msg, char **server_country, size_t *server_country_sz);
-void attribute_exdata_get0_decode_path(struct attribute_exdata *msg, char **decode_path, size_t *decode_path_sz);
-void attribute_exdata_get0_decode_as(struct attribute_exdata *msg, char **decode_as, size_t *decode_as_sz);
-
-long long attribute_exdata_get0_client_asn_id(struct attribute_exdata *msg); // for statistics enforcer and recorder
-long long attribute_exdata_get0_server_asn_id(struct attribute_exdata *msg);
-
-size_t attribute_exdata_get0_client_ip_tag_rule_uuids(struct attribute_exdata *msg, uuid_t tag_uuids[], size_t n_tag_uuids);
-size_t attribute_exdata_get0_server_ip_tag_rule_uuids(struct attribute_exdata *msg, uuid_t tag_uuids[], size_t n_tag_uuids);
-size_t attribute_exdata_get0_server_fqdn_tag_rule_uuids(struct attribute_exdata *msg, uuid_t tag_uuids[], size_t n_tag_uuids);
+struct attribute_exdata *scanner_module_get0_attribute_exdata_on_session(struct scanner_module *scanner, struct session *sess);
+struct attribute_exdata *scanner_module_get0_attribute_exdata_on_packet(struct scanner_module *scanner, struct packet *pkt);
+
+struct attribute_exdata
+{
+ char *application;
+ size_t application_sz;
+ char *application_category;
+ size_t application_category_sz;
+ char *application_transition;
+ size_t application_transition_sz;
+ char *application_content;
+ size_t application_content_sz;
+ char *server_fqdn;
+ size_t server_fqdn_sz;
+ char *server_domain;
+ size_t server_domain_sz;
+ char *imei;
+ size_t imei_sz;
+ char *imsi;
+ size_t imsi_sz;
+ char *phone_number;
+ size_t phone_number_sz;
+ char *apn;
+ size_t apn_sz;
+ char *client_subscriber_id;
+ size_t client_subscriber_id_sz;
+ char *client_asn;
+ size_t client_asn_sz;
+ char *server_asn;
+ size_t server_asn_sz;
+ char *client_country_code;
+ size_t client_country_code_sz;
+ char *server_country_code;
+ size_t server_country_code_sz;
+ char *decode_path;
+ size_t decode_path_sz;
+ char *decode_as;
+ size_t decode_as_sz;
+ uuid_t *client_ip_tag_rule_uuids;
+ size_t n_client_ip_tag_rule_uuids;
+ uuid_t *server_ip_tag_rule_uuids;
+ size_t n_server_ip_tag_rule_uuids;
+ uuid_t *server_fqdn_tag_rule_uuids;
+ size_t n_server_fqdn_tag_rule_uuids;
+};
#ifdef __cplusplus
}
#endif
+
+
+
+
+// void attribute_exdata_get0_application(struct attribute_exdata *exdata, char **application, size_t *application_sz);
+// void attribute_exdata_get0_application_category(struct attribute_exdata *exdata, char **application_category, size_t *application_category_sz);
+// void attribute_exdata_get0_application_transition(struct attribute_exdata *exdata, char **application_transition, size_t *application_transition_sz);
+// void attribute_exdata_get0_application_content(struct attribute_exdata *exdata, char **application_content, size_t *application_content_sz);
+// void attribute_exdata_get0_server_fqdn(struct attribute_exdata *exdata, char **server_fqdn, size_t *server_fqdn_sz);
+// void attribute_exdata_get0_server_domain(struct attribute_exdata *exdata, char **server_domain, size_t *server_domain_sz);
+// void attribute_exdata_get0_imei(struct attribute_exdata *exdata, char **imei, size_t *imei_sz);
+// void attribute_exdata_get0_imsi(struct attribute_exdata *exdata, char **imsi, size_t *imsi_sz);
+// void attribute_exdata_get0_phone_number(struct attribute_exdata *exdata, char **phone_number, size_t *phone_number_sz);
+// void attribute_exdata_get0_apn(struct attribute_exdata *exdata, char **apn, size_t *apn_sz);
+// void attribute_exdata_get0_client_subscriber_id(struct attribute_exdata *exdata, char **client_subscriber_id, size_t *client_subscriber_id_sz);
+// void attribute_exdata_get0_client_asn(struct attribute_exdata *exdata, char **client_asn, size_t *client_asn_sz); // for dos enforcer
+// void attribute_exdata_get0_server_asn(struct attribute_exdata *exdata, char **server_asn, size_t *server_asn_sz);
+// void attribute_exdata_get0_client_country_code(struct attribute_exdata *exdata, char **country_code, size_t *country_code_sz);
+// void attribute_exdata_get0_server_country_code(struct attribute_exdata *exdata, char **country_code, size_t *country_code_sz);
+// void attribute_exdata_get0_decode_path(struct attribute_exdata *exdata, char **decode_path, size_t *decode_path_sz);
+// void attribute_exdata_get0_decode_as(struct attribute_exdata *exdata, char **decode_as, size_t *decode_as_sz);
+
+// long long attribute_exdata_get0_client_asn_id(struct attribute_exdata *exdata); // for statistics enforcer and recorder
+// long long attribute_exdata_get0_server_asn_id(struct attribute_exdata *exdata);
+
+// size_t attribute_exdata_get0_client_ip_tag_rule_uuids(struct attribute_exdata *exdata, uuid_t tag_uuids[], size_t n_tag_uuids);
+// size_t attribute_exdata_get0_server_ip_tag_rule_uuids(struct attribute_exdata *exdata, uuid_t tag_uuids[], size_t n_tag_uuids);
+// size_t attribute_exdata_get0_server_fqdn_tag_rule_uuids(struct attribute_exdata *exdata, uuid_t tag_uuids[], size_t n_tag_uuids);
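Review bot: The block of commented-out `attribute_exdata_get0_*` prototypes after the `extern "C"` closing brace is dead code; with `struct attribute_exdata` now defined publicly the accessors are superseded, so delete the block and the four blank lines before it rather than keep it as a comment, since version control holds the history. Publishing the struct layout makes every field part of the ABI, so the header should say what a consumer may assume about the pointers, for example `/* Filled by the scanner; pointers are borrowed and valid only while the owning session/packet is alive. */` on the struct, if that is indeed the contract (the former `get0` naming suggests borrowed pointers, but the page does not show the scanner side). `client_country` / `server_country` became `client_country_code` / `server_country_code` with matching `_sz` fields, which is fine, but nothing in the struct carries the numeric ASN id that `attribute_exdata_get0_client_asn_id` / `_server_asn_id` used to return for the statistics enforcer and recorder, so that information is lost unless it now lives elsewhere.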
diff --git a/include/stellar/security.h b/include/stellar/security.h
new file mode 100644
index 0000000..0378adc
--- /dev/null
+++ b/include/stellar/security.h
@@ -0,0 +1,37 @@
+#pragma once
+
+#pragma once
+
+#include <stdint.h>
+#include <stddef.h>
+#include <stdbool.h>
+#include <uuid/uuid.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <uthash/utarray.h>
+
+#include "stellar/action_parameter.h"
+
+enum SECURITY_RULE_ACTION
+{
+ SECURITY_RULE_ACTION_NONE=0,
+ //SECURITY_RULE_ACTION_MONITOR,
+ SECURITY_RULE_ACTION_DENY,
+ SECURITY_RULE_ACTION_ALLOW,
+ SECURITY_RULE_ACTION_SHUNT,
+ RULE_ACTION_MAX
+};
+
+struct security_rule
+{
+ uuid_t rule_uuid;
+ enum SECURITY_RULE_ACTION action;
+ enum LOG_OPTION log_option;
+ char *action_str;
+ struct deny_action_parameter *deny;
+};
+
+struct security_rule *plugin_exdata_get0_security_rule(struct maat *cm_maat, uuid_t rule_uuid);
+
+struct http_response_page *plugin_exdata_get0_http_response_page(struct maat *cm_maat, uuid_t profile_uuid);
+struct dns_resource_record *plugin_exdata_get0_dns_resource_record(struct maat *cm_maat, uuid_t profile_uuid);
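Review bot: `#pragma once` appears twice at the top of the file; the second is harmless but a copy-paste leftover and should be dropped. In `enum SECURITY_RULE_ACTION` the sentinel is named `RULE_ACTION_MAX` while every other enumerator carries the `SECURITY_RULE_ACTION_` prefix; rename it `SECURITY_RULE_ACTION_MAX` so it is not mistaken for a member of a separate `RULE_ACTION` enum (`scanner/scanner.c` in this commit declares a member of type `enum RULE_ACTION`, which no header on this page defines). `struct security_rule.action_str` is the only string in these headers without a companion `_sz` length field; if it is NUL-terminated, say so in a comment, otherwise add `size_t action_str_sz;` next to it.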
diff --git a/scanner/scanner.c b/scanner/scanner.c
index d7ed950..53f45e7 100644
--- a/scanner/scanner.c
+++ b/scanner/scanner.c
@@ -3,22 +3,146 @@
#include <string.h>
#include "uthash/utarray.h"
-
-#include "scanner.h"
+#include "stellar/scanner.h"
#define PLOLICY_MESSAGE_MAGIC 0x12121212
+enum SD_MAAT_PLUGIN
+{
+ SD_PLUGIN_GTP_IP2SIGNALING=0,
+ SD_PLUGIN_DYNAMIC_IPPORT_MAPPING,
+ SD_PLUGIN_MAX
+};
+
+enum CM_MAAT_PLUGIN
+{
+ CM_PLUGIN_SECURITY_RULE=0,
+ CM_PLUGIN_MONITOR_RULE,
+ CM_PLUGIN_APP_ID_DICT,
+ CM_PLUGIN_HTTP_RESPONSE_PAGES,
+ CM_PLUGIN_DNS_RESOURCE_RECORD,
+ CM_PLUGIN_MIRRORING_PROFILE,
+ CM_PLUGIN_SESSION_OPTION, //T_VSYS_INFO,
+ CM_PLUGIN_MONITOR_RULE,
+ CM_PLUGIN_POLICY_OBJECT,
+ CM_PLUGIN_LIBRARY_TAG,
+ CM_PLUGIN_IP_ADDR_ENTRY,
+ CM_PLUGIN_FQDN_ENTRY,
+ CM_PLUGIN_ATTRIBUTE_DICT,
+ CM_PLUGIN_MAX
+};
struct policy_exdata
{
int magic;
UT_array *rule_delta[RULE_TYPE_MAX];
UT_array *rule_cumulative[RULE_TYPE_MAX];
- UT_array *object_delta[OBJECT_TYPE_MAX];
- UT_array *object_cumulative[OBJECT_TYPE_MAX];
+ UT_array *object_delta[ATTRIBUTE_TYPE_MAX];
+ UT_array *object_cumulative[ATTRIBUTE_TYPE_MAX];
+};
+
+#define MAX_DATA_CENTER_LEN 128
+#define MAX_DEVICE_TAG 128
+struct maat_runtime_para
+{
+ int session_record_switch;
+ char device_tag[MAX_DEVICE_TAG];
+ char data_center[MAX_DATA_CENTER_LEN];
+ //struct mirror_vlan_id default_vlan;
+
+ struct maat_plugin_table cm_plugin_table[CM_PLUGIN_MAX];
+ struct maat_plugin_table sd_plugin_table[SD_PLUGIN_MAX];
+};
+
+struct user_equipment
+{
+ char *apn;
+ char *imsi;
+ char *imei;
+ char *msisdn; //MSISDN: phone number
+};
+
+struct subscriber_id
+{
+ char *subscriber_id;
+};
+
+struct user_identification
+{
+ struct user_equipment *ue;
+ struct subscriber_id subscriber;
+};
+
+
+// plugin_fqdn_entry
+// plugin_ip_addr_entry
+struct plugin_entry
+{
+ size_t n_tag_uuids;
+ uuid_t *tag_uuids;
+};
+
+struct attribute_dict
+{
+ char *object_table_name;
+ char *available_object_type;
+};
+
+
+#define MAX_TABLENAME_LEN 128
+
+struct maat_plugin_table
+{
+ char name[MAX_TABLENAME_LEN];
+ maat_ex_new_func_t *ex_new;
+ maat_ex_free_func_t *ex_free;
+ maat_ex_dup_func_t *ex_dup;
+};
+
+enum LIBRARY_TAG_CATEGORY
+{
+ LIBRARY_TAG_CATEGORY_NONE=0x0,
+ LIBRARY_TAG_CATEGORY_GEOIP_CITY,
+ LIBRARY_TAG_CATEGORY_GEOIP_COUNTRY,
+ LIBRARY_TAG_CATEGORY_GEOIP_ASN,
+ LIBRARY_TAG_CATEGORY_WEBSITE_CLASSIFICATION,
+ LIBRARY_TAG_CATEGORY_INTERNET_SERVICE,
+ LIBRARY_TAG_CATEGORY_SECURITY_THREAT,
+ LIBRARY_TAG_CATEGORY_COMPLIANCE_RISK,
+ LIBRARY_TAG_CATEGORY_MAX
};
+enum POLICY_OBJECT_OPTION
+{
+ POLICY_OBJECT_OPTION_DISABLE=1,
+ POLICY_OBJECT_OPTION_NONE,
+ POLICY_OBJECT_OPTION_BRIEF,
+ POLICY_OBJECT_OPTION_ELABORATE
+};
-struct attribute_exdata
+struct plugin_library_tag
{
-
-}; \ No newline at end of file
+ char *key;
+ char *value;
+ enum LIBRARY_TAG_CATEGORY category;
+ enum POLICY_OBJECT_OPTION object_option;
+};
+
+#define MAX_TAG_IDS_NUM 256
+struct plugin_library_tag *plugin_exdata_get0_library_tag(struct maat *cm_maat, uuid_t tag_uuid);
+int plugin_exdata_get0_fqdn_entry(struct maat *cm_maat, char *server_fqdn, struct plugin_fqdn_entry **exdata, size_t n_exdata);
+int plugin_exdata_get0_ip_addr_entry(struct maat *cm_maat, struct ip_addr *ip_addr, uint16_t port, struct plugin_ip_addr_entry **exdata, size_t n_exdata);
+
+struct security_option_parameter
+{
+ enum RULE_ACTION action;
+ struct override_sub_action *tcp;
+ struct override_sub_action *udp;
+};
+
+struct session_option
+{
+ int log_enabled;
+ int limited_min_pkts;
+ struct security_option_parameter security_parameter;
+};
+struct session_option *plugin_exdata_get0_session_option(struct maat *cm_maat, int32_t t_vsys_id); \ No newline at end of file
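Review bot: `enum CM_MAAT_PLUGIN` lists `CM_PLUGIN_MONITOR_RULE` twice (once after `CM_PLUGIN_SECURITY_RULE`, again after `CM_PLUGIN_SESSION_OPTION`); redeclaring an enumerator is a hard compile error, so whichever entry is a placeholder for another table has to be renamed or removed before this file builds. `struct maat_runtime_para` declares `struct maat_plugin_table cm_plugin_table[CM_PLUGIN_MAX]` some fifty lines before `struct maat_plugin_table` is defined, and an array of an incomplete struct type is also an error; move the `MAX_TABLENAME_LEN` define and the `struct maat_plugin_table` definition above `struct maat_runtime_para`. `struct security_option_parameter` uses `enum RULE_ACTION`, which no header on this page defines (`include/stellar/security.h` defines `SECURITY_RULE_ACTION`), and `plugin_exdata_get0_fqdn_entry` / `plugin_exdata_get0_ip_addr_entry` take `struct plugin_fqdn_entry **` and `struct plugin_ip_addr_entry **` while the only matching definition here is `struct plugin_entry`; unless those names come from `maat.h`, they are further undeclared types that will only get prototype scope. The pre-existing `PLOLICY_MESSAGE_MAGIC` typo in the context line is not part of this change but is worth fixing while the file is open.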