authorfumingwei <[email protected]>2020-10-29 21:55:35 +0800
committerfumingwei <[email protected]>2020-10-29 21:55:35 +0800
commit88028f788528ad446659df8fc30f010655969d99 (patch)
treed5491775955d5894c332715676d99601983fea51
parent50eea557a651d1721b7bac06f8a9449a2d66bf21 (diff)
1、修改判断stream_tunnel_type 代码 2、增加因 stream_tunnel 和以data建立连接导致拦截失败的fs_stat 和 安全日志
-rw-r--r--common/include/kni_utils.h5
-rw-r--r--entry/include/kni_entry.h4
-rw-r--r--entry/src/kni_entry.cpp46
3 files changed, 44 insertions, 11 deletions
diff --git a/common/include/kni_utils.h b/common/include/kni_utils.h
index 8255f9b..78f371e 100644
--- a/common/include/kni_utils.h
+++ b/common/include/kni_utils.h
@@ -74,6 +74,11 @@ enum kni_field{
//intercept error link mode
KNI_FIELD_INTCPERR_GET_LINK_MODE_ERR,
KNI_FIELD_INTCPERR_NOT_LINK_MODE_BYSYN,
+
+ //intercept error stream tun type
+ KNI_FIELD_INTCPERR_GET_STREAM_TUN_TYPE_ERR,
+ KNI_FIELD_INTCPERR_STREAM_IS_TUN_TYPE,
+
//intercept error
KNI_FIELD_INTCPERR_ASYM_ROUTING,
KNI_FIELD_INTCPERR_NO_SYN,
diff --git a/entry/include/kni_entry.h b/entry/include/kni_entry.h
index 26a25fb..5534805 100644
--- a/entry/include/kni_entry.h
+++ b/entry/include/kni_entry.h
@@ -30,6 +30,10 @@ enum intercept_error{
INTERCEPT_ERROR_NO_TFE = -8,
INTERCEPT_ERROR_DUP_TRAFFIC = -9,
INTERCEPT_ERROR_CMSG_ADD_FAIL = -10,
+ INTERCEPT_ERROR_NOT_TCP_LINK_BYSYN = -11,
+ INTERCEPT_ERROR_GET_TCP_LINK_MODE_ERR= -12,
+ INTERCEPT_ERROR_STREAM_TUNNLE_TYPE= -13,
+ INTERCEPT_ERROR_GET_STREAM_TUNNLE_TYPE_ERR= -14,
};
/* action
diff --git a/entry/src/kni_entry.cpp b/entry/src/kni_entry.cpp
index 23f7378..dba7f06 100644
--- a/entry/src/kni_entry.cpp
+++ b/entry/src/kni_entry.cpp
@@ -86,6 +86,14 @@ static char* stream_errmsg_session_record(enum intercept_error _errno){
return (char*)"e_internal_4";
case INTERCEPT_ERROR_CMSG_ADD_FAIL:
return (char*)"e_internal_5";
+ case INTERCEPT_ERROR_NOT_TCP_LINK_BYSYN:
+ return (char*)"e_internal_6";
+ case INTERCEPT_ERROR_GET_TCP_LINK_MODE_ERR:
+ return (char*)"e_internal_7";
+ case INTERCEPT_ERROR_STREAM_TUNNLE_TYPE:
+ return (char *)"e_stream_type_tunnel";
+ case INTERCEPT_ERROR_GET_STREAM_TUNNLE_TYPE_ERR:
+ return (char *)"e_internal_8";
default:
return (char*)"unknown error";
}
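Review bot: The new strings `e_internal_6`, `e_internal_7` and `e_internal_8` tell whoever reads the record nothing about the cause, unlike `e_stream_type_tunnel` in the same switch. A one-line comment on each case would make log triage possible without opening the header, e.g. `/* e_internal_6: TCP link not created by SYN */`, `/* e_internal_7: MSO_TCP_CREATE_LINK_MODE lookup failed */`, `/* e_internal_8: MSO_STREAM_TUNNEL_TYPE lookup failed */`. The function begins above the hunk, and the `(char*)` casts on string literals follow its existing style. Returning `const char*` would be cleaner but changes the signature.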
@@ -1072,20 +1080,42 @@ static int first_data_intercept(struct streaminfo *stream, struct pme_info *pmei
int ret, len;
//intercept_error: TCP CTEAT LINK NOT BYSYN or TCP_CREATE_LINK_MODE error
unsigned char intercept_stream_link_mode;
- int intercept_stream_link_mode_len = 1;
+ int intercept_stream_link_mode_len = sizeof(unsigned char);
+ unsigned short stream_tunnel_type = STREAM_TUNNLE_NON;
+ int stream_tunnel_type_len = sizeof(unsigned short);
ret=MESA_get_stream_opt(stream, MSO_TCP_CREATE_LINK_MODE, (void *)&intercept_stream_link_mode, &intercept_stream_link_mode_len);
if(ret == 0){
if(intercept_stream_link_mode != TCP_CTEAT_LINK_BYSYN){
KNI_LOG_DEBUG(logger, "Intercept error: TCP_CREATE_LINK_MODE is not BYSYN, link_mode=%d, link_mode_len=%d,stream traceid = %s, stream addr = %s", intercept_stream_link_mode,intercept_stream_link_mode_len,pmeinfo->stream_traceid, pmeinfo->stream_addr);
+ pmeinfo->intcp_error = INTERCEPT_ERROR_NOT_TCP_LINK_BYSYN;
FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_INTCPERR_NOT_LINK_MODE_BYSYN], 0, FS_OP_ADD, 1);
goto error_out;
}
}
else{
- KNI_LOG_DEBUG(logger, "Intercept error: get TCP_CREATE_LINK_MODE error, ret = %d, stream traceid = %s, stream addr = %s",ret, pmeinfo->stream_traceid, pmeinfo->stream_addr);
+ KNI_LOG_DEBUG(logger, "Intercept error: get MSO_TCP_CREATE_LINK_MODE error, ret = %d, stream traceid = %s, stream addr = %s",ret, pmeinfo->stream_traceid, pmeinfo->stream_addr);
+ pmeinfo->intcp_error = INTERCEPT_ERROR_GET_TCP_LINK_MODE_ERR;
FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_INTCPERR_GET_LINK_MODE_ERR], 0, FS_OP_ADD, 1);
goto error_out;
}
+
+ ret=MESA_get_stream_opt(stream, MSO_STREAM_TUNNEL_TYPE, (void *)&stream_tunnel_type, &stream_tunnel_type_len);
+ if(ret == 0){
+ if(stream_tunnel_type != STREAM_TUNNLE_NON){
+ KNI_LOG_DEBUG(logger, "Intercept error: stream type is tunnel, STREAM_TUNNLE_TYPE = %d, stream traceid = %s, stream addr = %s", stream_tunnel_type,pmeinfo->stream_traceid, pmeinfo->stream_addr);
+ pmeinfo->intcp_error = INTERCEPT_ERROR_STREAM_TUNNLE_TYPE;
+ FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_INTCPERR_STREAM_IS_TUN_TYPE], 0, FS_OP_ADD, 1);
+ goto error_out;
+ }
+ }
+ else
+ {
+ KNI_LOG_DEBUG(logger, "Intercept error: get MSO_STREAM_TUNNEL_TYPE error, ret = %d, stream traceid = %s, stream addr = %s",ret, pmeinfo->stream_traceid, pmeinfo->stream_addr);
+ pmeinfo->intcp_error = INTERCEPT_ERROR_GET_STREAM_TUNNLE_TYPE_ERR;
+ FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_INTCPERR_GET_STREAM_TUN_TYPE_ERR], 0, FS_OP_ADD, 1);
+ goto error_out;
+ }
+
//intercept_error: no tfe
if(tsg_diagnose_judge_streamshunt(pmeinfo->maat_result.config_id,pmeinfo) == 0) // tsg diagnose shunt
pmeinfo->tfe_id = tfe_mgr_alive_node_get(g_kni_handle->_tfe_mgr, thread_seq);
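Review bot: The tunnel-type test now runs only inside first_data_intercept, after the link-mode test, whereas the code this commit removes from kni_tcpall_entry returned `APP_STATE_FAWPKT | APP_STATE_DROPME` before `switch(stream->pktstate)` on every call. Whether a tunnelled stream is still kept away from TFE therefore depends on what `error_out` does; that label is outside the hunk, so it should be confirmed to give the same verdict as the old early return. The new branch also trusts `ret == 0` alone. If MESA_get_stream_opt reports the written size through the length argument (assumed from its in/out use here), the guard could be `if(ret == 0 && stream_tunnel_type_len == (int)sizeof(stream_tunnel_type))`, so that a short write falls into the error branch instead of being compared against the initializer. Both failure branches log at DEBUG only, so in production the fs_stat counter and `intcp_error` are likely the only trace of a skipped interception.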
@@ -1565,8 +1595,6 @@ extern "C" char kni_tcpall_entry(struct streaminfo *stream, void** pme, int thre
int ret;
int can_destroy;
struct pme_info *pmeinfo = *(struct pme_info **)pme;
- unsigned short stream_tunnel_type = STREAM_TUNNLE_NON;
- int stream_tunnel_type_len = sizeof(unsigned short);
/* a_packet == NULL && not op_state_close, continue
close: a_packet may be null, if a_packet = null, do not send to tfe
*/
@@ -1580,13 +1608,6 @@ extern "C" char kni_tcpall_entry(struct streaminfo *stream, void** pme, int thre
return APP_STATE_FAWPKT | APP_STATE_DROPME;
}
- ret=MESA_get_stream_opt(stream, MSO_STREAM_TUNNEL_TYPE, (void *)&stream_tunnel_type, &stream_tunnel_type_len);
- if(stream_tunnel_type != STREAM_TUNNLE_NON)
- {
- KNI_LOG_DEBUG(logger, "stream type is tunnel, type = %d",ret);
- return APP_STATE_FAWPKT | APP_STATE_DROPME;
- }
-
switch(stream->pktstate){
case OP_STATE_PENDING:
//FS_operate(g_kni_fs_handle->handle, g_kni_fs_handle->fields[KNI_FIELD_STATE_PENDING], 0, FS_OP_ADD, 1);
@@ -2102,6 +2123,9 @@ static struct kni_field_stat_handle * fs_init(const char *profile){
//intercept error link mode
fs_handle->fields[KNI_FIELD_INTCPERR_GET_LINK_MODE_ERR] = FS_register(handle, FS_STYLE_FIELD, FS_CALC_CURRENT, "e_get_link_mode_err");
fs_handle->fields[KNI_FIELD_INTCPERR_NOT_LINK_MODE_BYSYN] = FS_register(handle, FS_STYLE_FIELD, FS_CALC_CURRENT, "e_no_link_mode_bysyn");
+ //intercept error stream tunnel type
+ fs_handle->fields[KNI_FIELD_INTCPERR_GET_STREAM_TUN_TYPE_ERR] = FS_register(handle, FS_STYLE_FIELD, FS_CALC_CURRENT, "e_get_stream_tuntype_err");
+ fs_handle->fields[KNI_FIELD_INTCPERR_STREAM_IS_TUN_TYPE] = FS_register(handle, FS_STYLE_FIELD, FS_CALC_CURRENT, "e_stream_is_tuntype");
//intercept_error
fs_handle->fields[KNI_FIELD_INTCPERR_ASYM_ROUTING] = FS_register(handle, FS_STYLE_FIELD, FS_CALC_CURRENT, "e_asym_route");
fs_handle->fields[KNI_FIELD_INTCPERR_NO_SYN] = FS_register(handle, FS_STYLE_FIELD, FS_CALC_CURRENT, "e_no_syn");