| author | liuxueli <[email protected]> | 2023-03-24 16:25:49 +0800 |
|---|---|---|
| committer | liuxueli <[email protected]> | 2023-03-24 16:25:49 +0800 |
| commit | c387b3f2d202a7fa080d45bd46c25ffc2cd6d6ea (patch) | |
| tree | c5c7e5bb83b6cf4dded83fd772788fef8381f99f | |
| parent | 7ce1b2976d6ca6140ef125087edf7ead53602998 (diff) | |
TSG-14338: LTS22.11版本 功能端安全策略Deny动作支持“生效方向”动作参数
| -rw-r--r-- | src/fw_dns_plug.cpp | 51 |
1 files changed, 40 insertions, 11 deletions
diff --git a/src/fw_dns_plug.cpp b/src/fw_dns_plug.cpp
index a87d68c..86268f0 100644
--- a/src/fw_dns_plug.cpp
+++ b/src/fw_dns_plug.cpp
@@ -136,6 +136,22 @@ static int fw_dns_send_log(struct streaminfo *a_stream, dns_info_t *dns_info, st
 return 0;
 }
+int fw_dns_select_monitor_result(struct streaminfo *a_stream, dns_info_t *dns_info, struct Maat_rule_t *result, int result_num, int thread_seq)
+{
+ for(int i=0; i<result_num; i++)
+ {
+ if(result[i].action!=TSG_ACTION_MONITOR)
+ {
+ continue;
+ }
+
+ tsg_notify_hited_monitor_result(a_stream, &(result[i]), 1, thread_seq);
+ fw_dns_send_log(a_stream, dns_info, &(result[i]), 1, thread_seq);
+ }
+
+ return 0;
+}
+
 extern "C" char FW_DNS_PLUG_ENTRY(stSessionInfo* session_info, void **pme, int thread_seq,struct streaminfo *a_stream,const void *a_packet)
 {
 int ret=0,hit_num=0;
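Review bot: `fw_dns_select_monitor_result` is added with external linkage even though it is a file-local helper with no declaration visible anywhere else in this patch, while its sibling `fw_dns_send_log` in the hunk header is `static`; declare it `static int fw_dns_select_monitor_result(...)` so the plugin does not export an extra symbol and the compiler can inline it. The return value is always 0 and the only caller shown in this commit ignores it, so either make it `void` or document what a non-zero result would mean. A short header comment would also help the next reader understand why only MONITOR-action rules are emitted: `/* Notify and log only the MONITOR-action hits in result[]; used when a matched DENY rule is not enforced for the current direction, so the deny rule itself is intentionally not logged here. */` (the last clause is how I read the caller — confirm it is the intended semantics).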
@@ -239,19 +255,32 @@ extern "C" char FW_DNS_PLUG_ENTRY(stSessionInfo* session_info, void **pme, int
 hit_num+=tsg_scan_fqdn_category_id(g_tsg_maat_feather, a_stream, result+hit_num,MAX_RESULT_NUM-hit_num, &mid, g_fw_dns_plug_info.table_qname_id, category_id, category_id_num, thread_seq);
 if(hit_num>0)
 {
- p_result=tsg_fetch_deny_rule(result, hit_num);
- if(p_result!=NULL)
+ p_result=tsg_policy_decision_criteria(result, hit_num);
+ switch(p_result->action)
 {
- state=tsg_deal_deny_action(a_stream, p_result, PROTO_DNS, ACTION_RETURN_TYPE_PROT, (const void *)dns_info);
- if(state!=PROT_STATE_GIVEME)
- {
+ case TSG_ACTION_BYPASS:
 fw_dns_send_log(a_stream, dns_info, p_result, 1, thread_seq);
- }
- }
- else
- {
- tsg_notify_hited_monitor_result(a_stream, result, hit_num, thread_seq);
- fw_dns_send_log(a_stream, dns_info, result, hit_num, thread_seq);
+ break;
+ case TSG_ACTION_DENY:
+ ret=tsg_is_do_deny_action_by_enforce_direction(a_stream, p_result);
+ if(ret==0)
+ {
+ fw_dns_select_monitor_result(a_stream, dns_info, result, hit_num, thread_seq);
+ break;
+ }
+
+ state=tsg_deal_deny_action(a_stream, p_result, PROTO_DNS, ACTION_RETURN_TYPE_PROT, (const void *)dns_info);
+ if(state!=PROT_STATE_GIVEME)
+ {
+ fw_dns_send_log(a_stream, dns_info, p_result, 1, thread_seq);
+ }
+ break;
+ case TSG_ACTION_MONITOR:
+ tsg_notify_hited_monitor_result(a_stream, result, hit_num, thread_seq);
+ fw_dns_send_log(a_stream, dns_info, result, hit_num, thread_seq);
+ break;
+ default:
+ break;
 }
 }
|
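Review bot: `switch(p_result->action)` dereferences the return of `tsg_policy_decision_criteria()` unconditionally, whereas the removed code guarded the `tsg_fetch_deny_rule()` result with `if(p_result!=NULL)`; unless the new helper is documented to never return NULL for `hit_num > 0`, keep the guard, e.g. `if(p_result!=NULL) switch(p_result->action)` (or an explicit `if(p_result==NULL) { break-out/return path; }` before the switch), because a NULL here crashes the DNS plugin on the packet path. In the `TSG_ACTION_DENY` case, when `tsg_is_do_deny_action_by_enforce_direction()` returns 0 the deny is skipped and only MONITOR-action hits are notified/logged via `fw_dns_select_monitor_result`, so a deny rule that matched but was not enforced for this direction leaves no audit record at all — if that is deliberate, say so in a comment at the `if(ret==0)`; otherwise log `p_result` there as well so operators can see the policy was matched but not applied. `ret` is treated as a plain boolean without a comment on what non-zero values mean, and `default: break;` silently discards any unrecognised action value, which is fail-open for a security policy; at minimum a log line in `default:` would make misconfiguration visible. The enclosing `FW_DNS_PLUG_ENTRY` starts and ends outside this hunk, so how `p_result`/`ret` are declared and whether a later NULL check exists cannot be seen here.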
