feature:TSG-14915:kni适配新版本tfe cmsg修改

author: fumingwei <[email protected]> 2023-04-28 18:03:22 +0800
committer: fumingwei <[email protected]> 2023-04-28 18:19:10 +0800
commit: 2e19f0a9d79a43f3a419830a9df9c1bf384ada32 (patch)
tree: c8371825f04f624ce8dffe3cf2d16e80c7f9e63b
parent: 19d0a2bd4867f81e2d747e55af950d409538de1b (diff)
4 files changed, 30 insertions, 18 deletions
diff --git a/common/include/kni_cmsg.h b/common/include/kni_cmsg.h
index d0a105b..4e9c507 100644
--- a/common/include/kni_cmsg.h
+++ b/common/include/kni_cmsg.h
@@ -32,8 +32,12 @@ enum tfe_cmsg_tlv_type
     TFE_CMSG_TCP_RESTORE_TS_CLIENT_VAL = 0xe,
     TFE_CMSG_TCP_RESTORE_TS_SERVER_VAL = 0xf,
 
-    TFE_CMSG_POLICY_ID = 0x10,
+    TFE_CMSG_POLICY_ID = 0x10, // size uint64_t
     TFE_CMSG_STREAM_TRACE_ID = 0x11,
+    TFE_CMSG_TCP_OPTION_PROFILE_ID,  // size int
+    TFE_CMSG_DECRYPTION_PROFILE_ID,  // size int
+    TFE_CMSG_KEYRING_FOR_TRUSTED_ID, // size int
+    TFE_CMSG_KEYRING_FOR_UNTRUSTED,  // size int
 
     TFE_CMSG_SSL_INTERCEPT_STATE,		//size uint64_t, 0-passthrough, 1-intercept, 2-shutdown, referer from enum ssl_stream_action
 	TFE_CMSG_SSL_UPSTREAM_LATENCY,		//size uint64_t, milisecond
@@ -47,21 +51,29 @@ enum tfe_cmsg_tlv_type
     TFE_CMSG_DST_MAC,
     
     /* TCP option information */
-    TFE_CMSG_DOWNSTREAM_TCP_NODELAY, 
+    TFE_CMSG_DOWNSTREAM_TCP_MSS_ENABLE,
+    TFE_CMSG_DOWNSTREAM_TCP_MSS_VALUE,
+    TFE_CMSG_DOWNSTREAM_TCP_NODELAY,
     TFE_CMSG_DOWNSTREAM_TCP_TTL,
     TFE_CMSG_DOWNSTREAM_TCP_KEEPALIVE,
     TFE_CMSG_DOWNSTREAM_TCP_KEEPCNT, 
     TFE_CMSG_DOWNSTREAM_TCP_KEEPIDLE,
     TFE_CMSG_DOWNSTREAM_TCP_KEEPINTVL, 
     TFE_CMSG_DOWNSTREAM_TCP_USER_TIMEOUT,
-    TFE_CMSG_UPSTREAM_TCP_NODELAY, 
-    TFE_CMSG_UPSTREAM_TCP_TTL, 
-    TFE_CMSG_UPSTREAM_TCP_KEEPALIVE, 
-    TFE_CMSG_UPSTREAM_TCP_KEEPCNT, 
+
+    TFE_CMSG_UPSTREAM_TCP_MSS_ENABLE,
+    TFE_CMSG_UPSTREAM_TCP_MSS_VALUE,
+    TFE_CMSG_UPSTREAM_TCP_NODELAY,
+    TFE_CMSG_UPSTREAM_TCP_TTL,
+    TFE_CMSG_UPSTREAM_TCP_KEEPALIVE,
+    TFE_CMSG_UPSTREAM_TCP_KEEPCNT,
     TFE_CMSG_UPSTREAM_TCP_KEEPIDLE,
     TFE_CMSG_UPSTREAM_TCP_KEEPINTVL, 
     TFE_CMSG_UPSTREAM_TCP_USER_TIMEOUT,
+
+    TFE_CMSG_HIT_NO_INTERCEPT, // size uint8_t
     TFE_CMSG_TCP_PASSTHROUGH,
+    TFE_CMSG_TCP_DECRYPTED_TRAFFIC_STEERING,
 
     // share session attribute
     TFE_CMSG_SRC_SUB_ID,              // string max size 256
diff --git a/entry/include/kni_entry.h b/entry/include/kni_entry.h
index 9f9473a..9a93b14 100644
--- a/entry/include/kni_entry.h
+++ b/entry/include/kni_entry.h
@@ -101,7 +101,7 @@ struct pme_info{
 	addr_type_t addr_type;
 	char stream_addr[KNI_ADDR_MAX];
 	int do_log;
-	int policy_id;
+	long long policy_id;
 	enum TSG_PROTOCOL protocol;
 	enum kni_action action;
 	int service;
@@ -131,13 +131,13 @@ struct pme_info{
 	int n_maat_rule;
 	struct maat_rule maat_rule;
 	//from tfe, kafka log
-	uint64_t ssl_intercept_state;
-	uint64_t ssl_pinningst;  //defalut 0
+	uint8_t ssl_intercept_state;
+	uint8_t ssl_pinningst;  //defalut 0
 	uint64_t ssl_server_side_latency;
 	uint64_t ssl_client_side_latency;
 	char ssl_server_side_version[KNI_SYMBOL_MAX];
 	char ssl_client_side_version[KNI_SYMBOL_MAX];
-	int64_t ssl_cert_verify;
+	int8_t ssl_cert_verify;
 	char ssl_error[KNI_STRING_MAX];
 
 	//for dup traffic detect
diff --git a/entry/src/kni_dynamic_bypass.cpp b/entry/src/kni_dynamic_bypass.cpp
index 004ae3a..c0d93e7 100644
--- a/entry/src/kni_dynamic_bypass.cpp
+++ b/entry/src/kni_dynamic_bypass.cpp
@@ -109,7 +109,7 @@ static int sslinfo2bypass_htable_search(MESA_htable_handle htable,char *key, int
     value = MESA_htable_search_cb(htable, (const unsigned char *)key, (unsigned int )klen, sslinfo2bypass_htable_search_cb, NULL, &cb_ret);
 	if(cb_ret == 0)
 	{
-		pmeinfo->ssl_pinningst = *((uint64_t *)value);
+		pmeinfo->ssl_pinningst = *((uint8_t *)value);
 		KNI_LOG_DEBUG(logger, "MESA_htable: success to search, table = sslinfo2bypass_htable,key = %s, key_size = %d, ret =%d", key, klen,cb_ret);
 	}
 	else
@@ -309,7 +309,7 @@ int ssl_dynamic_bypass_htable_add(struct pme_info *pmeinfo)
 	MESA_htable_handle traceid2sslinfo_htable = g_kni_handle->threads_handle[pmeinfo->thread_seq].traceid2sslinfo_htable;
 	if(pmeinfo->ssl_intercept_state == 0)
 	{
-		cb_ret = traceid2sslinfo_htable_search(traceid2sslinfo_htable,pmeinfo->stream_traceid, strlen(pmeinfo->stream_traceid), pmeinfo->thread_seq, pmeinfo->ssl_pinningst);
+		cb_ret = traceid2sslinfo_htable_search(traceid2sslinfo_htable,pmeinfo->stream_traceid, strlen(pmeinfo->stream_traceid), pmeinfo->thread_seq, (uint64_t)pmeinfo->ssl_pinningst);
 		if(cb_ret >= 0)
 		{
 			cb_ret = MESA_htable_del(traceid2sslinfo_htable, (const unsigned char *)pmeinfo->stream_traceid, strlen(pmeinfo->stream_traceid), NULL);
diff --git a/entry/src/kni_entry.cpp b/entry/src/kni_entry.cpp
index 5b7c2b2..1206007 100644
--- a/entry/src/kni_entry.cpp
+++ b/entry/src/kni_entry.cpp
@@ -199,9 +199,9 @@ static int log_generate(struct pme_info *pmeinfo){
 	if(pmeinfo->protocol == PROTO_SSL){
 		TLD_append(tld_handle, (char*)"ssl_sni", (void*)pmeinfo->domain.sni, TLD_TYPE_STRING);
 		//pinning state: from tfe
-		TLD_append(tld_handle, (char*)"ssl_pinningst", (void*)pmeinfo->ssl_pinningst, TLD_TYPE_LONG);
+		TLD_append(tld_handle, (char*)"ssl_pinningst", (void*)(long)pmeinfo->ssl_pinningst, TLD_TYPE_LONG);
 		//intercept state: from tfe
-		TLD_append(tld_handle, (char*)"ssl_intercept_state", (void*)pmeinfo->ssl_intercept_state, TLD_TYPE_LONG);
+		TLD_append(tld_handle, (char*)"ssl_intercept_state", (void*)(long)pmeinfo->ssl_intercept_state, TLD_TYPE_LONG);
 		//ssl upstream latency: from tfe
 		TLD_append(tld_handle, (char*)"ssl_server_side_latency", (void*)pmeinfo->ssl_server_side_latency, TLD_TYPE_LONG);
 		//ssl downstream latency: from tfe
@@ -215,7 +215,7 @@ static int log_generate(struct pme_info *pmeinfo){
 			TLD_append(tld_handle, (char*)"ssl_error", (void*)pmeinfo->ssl_error, TLD_TYPE_STRING);
 		//ssl cert verify
 		if(pmeinfo->ssl_cert_verify != -1){
-			TLD_append(tld_handle, (char*)"ssl_cert_verify", (void*)pmeinfo->ssl_cert_verify, TLD_TYPE_LONG);
+			TLD_append(tld_handle, (char*)"ssl_cert_verify", (void*)(long)pmeinfo->ssl_cert_verify, TLD_TYPE_LONG);
 		}
 		if (pmeinfo->ssl_intercept_state == 0){
 			if (strlen(pmeinfo->ssl_passthrough_reason))
@@ -619,7 +619,7 @@ static unsigned char* kni_cmsg_serialize_header_new(struct pme_info *pmeinfo, st
 
 	char src_mac[6] = {0};
 	char dst_mac[6] = {0};
-	int policy_id;
+	uint64_t policy_id;
 	unsigned int stream_common_direction;
 	
 	switch(pmeinfo->protocol)
@@ -688,7 +688,7 @@ static unsigned char* kni_cmsg_serialize_header_new(struct pme_info *pmeinfo, st
 	ret = wrapped_kni_cmsg_set(cmsg, TFE_CMSG_TCP_RESTORE_INFO_PACKET_CUR_DIR, (const unsigned char*)&stream_curdir, 1, pmeinfo);
 	if(ret < 0) goto error_out;
 	//maat policy id 
-	policy_id = pmeinfo->policy_id;
+	policy_id = (uint64_t)pmeinfo->policy_id;
 	ret = wrapped_kni_cmsg_set(cmsg, TFE_CMSG_POLICY_ID, (const unsigned char*)&policy_id, sizeof(policy_id), pmeinfo);
 	if(ret < 0) goto error_out;
 	//stream trace id
@@ -1736,7 +1736,7 @@ char first_data_process(struct streaminfo *stream, struct pme_info *pmeinfo, str
 		pmeinfo->session_attribute = kni_pull_session_attribute_results(stream,pmeinfo);
 		maat_hit = 1;
 		char *action_str = kni_maat_action_trans(pmeinfo->action);
-		KNI_LOG_INFO(logger, "intercept_policy_scan: %s, %s, maat_hit = %d, rule_id = %d, action = %d(%s), stream traceid = %s", 
+		KNI_LOG_INFO(logger, "intercept_policy_scan: %s, %s, maat_hit = %d, rule_id = %u, action = %d(%s), stream traceid = %s", 
 			pmeinfo->stream_addr, (char*)&(pmeinfo->domain), maat_hit, pmeinfo->policy_id, pmeinfo->action, action_str, pmeinfo->stream_traceid);
 	}
 	switch(pmeinfo->action){
author	fumingwei <[email protected]>	2023-04-28 18:03:22 +0800
committer	fumingwei <[email protected]>	2023-04-28 18:19:10 +0800
commit	2e19f0a9d79a43f3a419830a9df9c1bf384ada32 (patch)
tree	c8371825f04f624ce8dffe3cf2d16e80c7f9e63b
parent	19d0a2bd4867f81e2d747e55af950d409538de1b (diff)