author崔一鸣 <[email protected]>2019-11-15 20:48:23 +0800
committer崔一鸣 <[email protected]>2019-12-13 16:55:57 +0800
commit3b81b3f0832d4175ad0ddbf03d824cfa303b4cd7 (patch)
tree09333e231798cdbad975caa93781c0d245e3b4e4 /entry/include
parent9e42ae359628b3876e6afb8b0d75f9c030ce059d (diff)
kni适配firewall
Diffstat (limited to 'entry/include')
-rw-r--r--entry/include/kni_maat.h32
-rw-r--r--entry/include/tsg_rule.h46
-rw-r--r--entry/include/tsg_types.h109
3 files changed, 155 insertions, 32 deletions
diff --git a/entry/include/kni_maat.h b/entry/include/kni_maat.h
deleted file mode 100644
index 7569ff7..0000000
--- a/entry/include/kni_maat.h
+++ /dev/null
@@ -1,32 +0,0 @@
-#pragma once
-#define KNI_MAAT_READCONF_IRIS 0
-#define KNI_MAAT_READCONF_JSON 1
-#define KNI_MAAT_READCONF_REDIS 2
-#define KNI_MAAT_RULE_NUM_MAX 8
-struct kni_maat_handle;
-
-
-/* action
- 0x00: none
- 0x01: monitor
- 0x02: intercept
- 0x10: reject
- 0x30: Manipulate
- 0x60: steer
- 0x80: bypass
-*/
-enum kni_action{
- KNI_ACTION_NONE = 0x00,
- KNI_ACTION_MONITOR = 0x01,
- KNI_ACTION_INTERCEPT = 0x02,
- KNI_ACTION_REJECT = 0x10,
- KNI_ACTION_MANIPULATE = 0x30,
- KNI_ACTION_STEER = 0x60,
- KNI_ACTION_BYPASS = 0x80
-};
-
-struct kni_maat_handle* kni_maat_init(const char* profile, void *logger, int thread_count);
-void kni_maat_destroy(struct kni_maat_handle *handle);
-enum kni_action intercept_policy_scan(struct kni_maat_handle* handle, struct ipaddr *addr, char *domain, int domain_len,
- int thread_seq, int *policy_id, int *do_log, int *is_hit_policy);
-char* kni_maat_action_trans(enum kni_action action);
diff --git a/entry/include/tsg_rule.h b/entry/include/tsg_rule.h
new file mode 100644
index 0000000..f7cfcf3
--- /dev/null
+++ b/entry/include/tsg_rule.h
@@ -0,0 +1,46 @@
+#ifndef __TSG_RULE_H__
+#define __TSG_RULE_H__
+
+#include <MESA/Maat_rule.h>
+#include "tsg_types.h"
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+
+#define MAX_DOAMIN_LEN 2048
+
+struct _identify_info
+{
+ tsg_protocol_t proto; //enum _tsg_protocol (tsg_types.h)
+ int domain_len;
+ char domain[MAX_DOAMIN_LEN];
+};
+
+typedef enum _PULL_RESULT_TYPE
+{
+ PULL_KNI_RESULT,
+ PULL_FW_RESULT
+}PULL_RESULT_TYPE;
+
+extern Maat_feather_t g_tsg_maat_feather;
+
+int tsg_rule_init(const char *conffile);
+
+int tsg_scan_nesting_addr(Maat_feather_t maat_feather, const struct streaminfo *a_stream, tsg_protocol_t proto, scan_status_t *mid, Maat_rule_t*result, int result_num);
+
+//return 0 if failed, return >0 on success;
+int tsg_pull_policy_result(struct streaminfo *a_stream, PULL_RESULT_TYPE pull_result_type, Maat_rule_t *result, int result_num, struct _identify_info *identify_info);
+
+//return -1 if failed, return 0 on success;
+int tsg_shared_table_init(const char *conffile, Maat_feather_t maat_feather, void *logger);
+
+//return value: -1: failed, 0: not hit, >0: hit count
+int tsg_scan_shared_policy(Maat_feather_t maat_feather, void *pkt, int pkt_len, Maat_rule_t *result, int result_num, struct _identify_info *identify_info, scan_status_t *mid, void *logger, int thread_seq);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
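Review bot: `struct _identify_info` at the top of the hunk pairs a fixed 2048-byte `domain` buffer with an `int domain_len` and no stated invariant, yet `tsg_pull_policy_result` receives it as an output parameter, so the header should say who fills `domain`, that `domain_len` is a byte count bounded by `MAX_DOAMIN_LEN`, and whether the buffer is NUL-terminated — e.g. `/* domain_len <= MAX_DOAMIN_LEN; filled by tsg_pull_policy_result; state NUL-termination here */`. The return conventions also disagree within one header: `tsg_pull_policy_result` documents `0` as failure while `tsg_shared_table_init` and `tsg_scan_shared_policy` use `-1`, which leaves the pull function unable to distinguish "no result" from an error; unifying on `-1` for failure would match the rest of the module. `tsg_scan_shared_policy` takes raw packet bytes as `void *pkt, int pkt_len`; a comment stating that `pkt_len` is the usable length the scanner must stay within (and that negative values are rejected) would make the bounds contract explicit for implementers. Minor points: `__TSG_RULE_H__` is a reserved identifier (double underscore), `MAX_DOAMIN_LEN` is misspelled in a public macro this commit introduces, and `struct streaminfo` / `scan_status_t` are not declared in this header or in `tsg_types.h` — presumably they come from `MESA/Maat_rule.h`, which is worth confirming.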
diff --git a/entry/include/tsg_types.h b/entry/include/tsg_types.h
new file mode 100644
index 0000000..0967ef3
--- /dev/null
+++ b/entry/include/tsg_types.h
@@ -0,0 +1,109 @@
+#ifndef __TSG_TYPES_H__
+#define __TSG_TYPES_H__
+
+typedef enum _tsg_opt
+{
+ LOG_OPT_HTTP_URL=1,
+ LOG_OPT_HTTP_HOST,
+ LOG_OPT_HTTP_REQUEST_LINE,
+ LOG_OPT_HTTP_RESPONSE_LINE,
+ LOG_OPT_HTTP_REQUEST_HEADER,
+ LOG_OPT_HTTP_RESPONSE_HEADER,
+ LOG_OPT_HTTP_REQUEST_BODY,
+ LOG_OPT_HTTP_RESPONSE_BODY,
+ LOG_OPT_HTTP_PROXY_FLAG,
+ LOG_OPT_HTTP_SEQUENCE,
+ LOG_OPT_HTTP_SNAPSHOT,
+ LOG_OPT_HTTP_COOKIE,
+ LOG_OPT_HTTP_REFERER,
+ LOG_OPT_HTTP_USER_AGENT,
+ LOG_OPT_HTTP_CONTENT_LENGTH,
+ LOG_OPT_HTTP_CONTENT_TYPE,
+ LOG_OPT_HTTP_SET_COOKIE,
+ LOG_OPT_HTTP_VERSION,
+
+ LOG_OPT_MAIL_PROTOCOL_TYPE,
+ LOG_OPT_MAIL_SENDER,
+ LOG_OPT_MAIL_RECEIVER,
+ LOG_OPT_MAIL_SUBJECT,
+ LOG_OPT_MAIL_CONTENT,
+ LOG_OPT_MAIL_ATTACHMENT_NAME,
+ LOG_OPT_MAIL_ATTACHMENT_CONTENT,
+ LOG_OPT_MAIL_EML_FILE,
+ LOG_OPT_MAIL_SNAPSHOT,
+ LOG_OPT_MAIL_SUBJECT_CHARSET,
+
+ LOG_OPT_DNS_MESSAGE_ID,
+ LOG_OPT_DNS_QR,
+ LOG_OPT_DNS_OPCODE,
+ LOG_OPT_DNS_AA,
+ LOG_OPT_DNS_TC,
+ LOG_OPT_DNS_RD,
+ LOG_OPT_DNS_RA,
+ LOG_OPT_DNS_RCODE,
+ LOG_OPT_DNS_QDCOUNT,
+ LOG_OPT_DNS_ANCOUNT,
+ LOG_OPT_DNS_NSCOUNT,
+ LOG_OPT_DNS_ARCOUNT,
+ LOG_OPT_DNS_QNAME,
+ LOG_OPT_DNS_QTYPE,
+ LOG_OPT_DNS_QCLASS,
+ LOG_OPT_DNS_CNAME,
+ LOG_OPT_DNS_SUB,
+ LOG_OPT_DNS_RR,
+
+ LOG_OPT_SSL_VERSION,
+ LOG_OPT_SSL_SNI,
+ LOG_OPT_SSL_SAN,
+ LOG_OPT_SSL_CN,
+ LOG_OPT_SSL_PINNINGST,
+ LOG_OPT_SSL_INTERCEPT_STATE,
+ LOG_OPT_SSL_SERVER_SIDE_LATENCY,
+ LOG_OPT_SSL_CLINET_SIDE_LATENCY,
+ LOG_OPT_SSL_SERVER_SIDE_VERSION,
+ LOG_OPT_SSL_CLIENT_SIDE_VERSION,
+ LOG_OPT_SSL_CERT_VERIFY,
+ LOG_OPT_SSL_ERROR,
+ LOG_OPT_SSL_CON_LATENCY_MS,
+
+ LOG_OPT_FTP_URL,
+ LOG_OPT_FTP_CONTENT,
+
+ LOG_OPT_BGP_TYPE,
+ LOG_OPT_BGP_AS_NUM,
+ LOG_OPT_BGP_ROUTE,
+
+ LOG_OPT_VOIP_CALLING_ACCOUNT,
+ LOG_OPT_VOIP_CALLED_ACCOUNT,
+ LOG_OPT_VOIP_CALLING_NUMBER,
+ LOG_OPT_VOIP_CALLED_NUMBER,
+
+ LOG_OPT_RADIUS_PACKET_TYPE,
+ LOG_OPT_RADIUS_NAS_IP,
+ LOG_OPT_RADIUS_FRAMED_IP,
+ LOG_OPT_RADIUS_ACCOUNT,
+ LOG_OPT_RADIUS_SEESION_TIMEOUT,
+ LOG_OPT_RADIUS_IDLE_TIMEOUT,
+ LOG_OPT_RADIUS_ACCT_STATUS_TYPE,
+ LOG_OPT_RADIUS_ACCT_TERMINATE_CAUSE,
+ LOG_OPT_MAX
+}tsg_opt_t;
+
+typedef enum _tsg_protocol
+{
+ PROTO_IPv4,
+ PROTO_IPv6,
+ PROTO_TCP,
+ PROTO_UDP,
+ PROTO_HTTP,
+ PROTO_MAIL,
+ PROTO_DNS,
+ PROTO_FTP,
+ PROTO_SSL,
+ PROTO_SIP,
+ PROTO_BGP,
+ PROTO_STREAMING_MEDIA,
+ PROTO_MAX
+}tsg_protocol_t;
+
+#endif
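Review bot: `LOG_OPT_SSL_CLINET_SIDE_LATENCY` and `LOG_OPT_RADIUS_SEESION_TIMEOUT` are misspelled (CLIENT, SESSION) in a public enum this commit introduces, and renaming later will break every consumer, so this is the moment to fix them. The guard `__TSG_TYPES_H__` uses a double-underscore name reserved for the implementation; `TSG_TYPES_H` avoids that. If `tsg_opt_t` or `tsg_protocol_t` values are ever written to logs or rule files (not visible from this header), the implicit numbering means inserting a member shifts every later value; a one-line comment such as `/* values are positional: append new members only */` or explicit assignments would make that contract visible.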