#pragma once
#ifndef __KNI_ENTRY_H__
#define __KNI_ENTRY_H__
#include "tsg/tsg_rule.h"
#include "kni_utils.h"
#include <tsg/tsg_statistic.h>
#include "tfe_mgr.h"
#include <tsg/tsg_label.h>
#include "kni_iouring.h"
#include "kni_fieldstat.h"
#define BURST_MAX 1                     /* not referenced in this header; meaning defined by its users */
#define CALLER_SAPP 0                   /* caller identity values; see the *_release flags in pme_info */
#define CALLER_TFE 1
/* NOTE(review): identifiers starting with '_' + uppercase are reserved for the
 * implementation (C11 7.1.3); renaming would touch every user, so only flagged here. */
#define _MAX_MAAT_TABLE_NAME_LEN 64     /* sizes kni_handle.maat_table_name[][] */
#define MAX_STRING_LEN 32               /* not referenced in this header */
#define TSG_DIAGNOSE_POLICY_CNT 32      /* capacity of security_policy_shunt_tsg_diagnose.id_arr */
#define MAX_DOMAIN_LEN 2048             /* capacity of pme_info.domain and protocol_identify_result.domain */
/*
 * Why a flow was not intercepted. Every enumerator is negative, so the value
 * can double as a failure return code. There is no named zero: a
 * zero-initialised pme_info.intcp_error therefore means "no error" only by
 * convention (NOTE(review): confirm against the writers of that field).
 *
 * The first group describes the observed traffic; the second group
 * ("internal") describes failures inside the interception path itself.
 */
enum intercept_error {
    /* traffic-related */
    INTERCEPT_ERROR_ASYM_ROUTING                 = -1,
    INTERCEPT_ERROR_NO_SYN                       = -2,
    INTERCEPT_ERROR_NO_SYN_ACK                   = -3,
    INTERCEPT_ERROR_INVALID_IP_HDR               = -4,
    INTERCEPT_ERROR_EXCEED_MTU                   = -5,

    /* internal */
    INTERCEPT_ERROR_SENDTO_TFE_FAIL              = -6,
    INTERCEPT_ERROR_TUPLE2STM_ADD_FAIL           = -7,
    INTERCEPT_ERROR_NO_TFE                       = -8,
    INTERCEPT_ERROR_DUP_TRAFFIC                  = -9,
    INTERCEPT_ERROR_CMSG_ADD_FAIL                = -10,
    INTERCEPT_ERROR_NOT_TCP_LINK_BYSYN           = -11,
    INTERCEPT_ERROR_GET_TCP_LINK_MODE_ERR        = -12,
    INTERCEPT_ERROR_STREAM_TUNNLE_TYPE           = -13,
    INTERCEPT_ERROR_GET_STREAM_TUNNLE_TYPE_ERR   = -14,
    INTERCEPT_ERROR_GET_HAVE_DUP_PKT_ERR         = -15,
    INTERCEPT_ERROR_DUP_PKT_NOT_SURE_ERR         = -16,
};
/*
 * Action decided for a flow (stored in pme_info.action).
 *
 *   0x00  none          - no decision yet
 *   0x02  intercept
 *   0x03  no intercept
 *   0x80  bypass
 *
 * The values are not bit flags in this header; the gap between 0x03 and
 * 0x80 is preserved as-is because the numbers may travel to other components.
 */
enum kni_action {
    KNI_ACTION_NONE         = 0x00,
    KNI_ACTION_INTERCEPT    = 0x02,
    KNI_ACTION_NO_INTERCEPT = 0x03,
    KNI_ACTION_BYPASS       = 0x80,
};
/*
 * Index into kni_handle.maat_table_name[] / maat_table_id[] for the proxy
 * TCP-option tables. TABLE_MAX is the array length, never a valid index.
 */
enum PXY_TCP_OPTION_MAAT_TABLE {
    TABLE_IP_ADDR = 0,
    TABLE_SSL_FQDN,     /* 1 */
    TABLE_COMPILE,      /* 2 */
    TABLE_MAX,          /* 3: number of tables */
};
/*
 * Key used for duplicate-traffic detection (pme_info.syn_packet /
 * syn_ack_packet point at these).
 *
 * memset() the whole struct to 0 before filling it. The layout contains
 * padding on typical ABIs (uint16_t ipid is followed by uint32_t seq), and
 * the union leaves the unused v4/v6 bytes untouched. If the key is hashed or
 * compared as raw bytes -- which the "dabloom" name suggests, TODO confirm --
 * any non-zero padding makes two equal keys look different.
 */
struct dup_traffic_dabloom_key{
    union{
        struct stream_tuple4_v4 v4;
        struct stream_tuple4_v6 v6;
    }addr;               /* which member is valid is decided by the caller; not recorded here */
    uint16_t ipid;       /* IP identification field */
    uint32_t seq;        /* TCP sequence number */
    uint32_t ack_seq;    /* TCP acknowledgement number */
    uint32_t timestamp;
};
/*
 * TCP socket options the proxy applies to the client-facing and
 * server-facing connections. Names mirror the Linux TCP_* socket options
 * (TCP_MAXSEG, TCP_NODELAY, TCP_KEEPCNT/KEEPIDLE/KEEPINTVL,
 * TCP_USER_TIMEOUT) plus IP_TTL; the *_enable fields gate whether the
 * corresponding value is applied. Units of the timeout/idle values are not
 * stated here -- presumably whatever setsockopt() expects; verify in the
 * code that consumes this struct.
 *
 * Used both as a global default (kni_handle.pxy_tcp_option) and per stream
 * (pme_info.pxy_tcp_option).
 */
struct proxy_tcp_option{
    /* client side */
    int client_tcp_maxseg_enable;
    int client_tcp_maxseg;
    int client_tcp_nodelay;
    int client_tcp_ttl;
    int client_tcp_keepalive_enable;
    int client_tcp_keepalive_keepcnt;
    int client_tcp_keepalive_keepidle;
    int client_tcp_keepalive_keepintvl;
    int client_tcp_user_timeout;
    /* server side */
    int server_tcp_maxseg_enable;
    int server_tcp_maxseg;
    int server_tcp_nodelay;
    int server_tcp_ttl;
    int server_tcp_keepalive_enable;
    int server_tcp_keepalive_keepcnt;
    int server_tcp_keepalive_keepidle;
    int server_tcp_keepalive_keepintvl;
    int server_tcp_user_timeout;
    /* behaviour switches */
    int bypass_duplicated_packet;
    int tcp_passthrough;
};
/*
 * Per-stream interception state.
 *
 * The two release flags (tfe_release, sapp_release) indicate the struct is
 * shared by two owners that each signal when they no longer need it; the
 * exact lifetime protocol is not visible in this header.
 *
 * Security notes for writers of this struct:
 *  - domain.host / domain.sni are taken from traffic (see the "check
 *    protocol" comment below) and are therefore attacker-controlled. Every
 *    copy into them must be bounded by MAX_DOMAIN_LEN and keep domain_len
 *    consistent; if the buffer is ever used as a C string it must be
 *    NUL-terminated, which means at most MAX_DOMAIN_LEN - 1 payload bytes.
 *  - the same applies to stream_traceid[24] and the fixed-size ssl_* strings.
 *  - lock is a pthread_mutex_t: it must be initialised with
 *    pthread_mutex_init() or PTHREAD_MUTEX_INITIALIZER; zero-filling the
 *    struct is not a portable mutex initialisation.
 */
struct pme_info{
    addr_type_t addr_type;
    char stream_addr[KNI_ADDR_MAX];
    int do_log;
    long long policy_id;
    enum TSG_PROTOCOL protocol;
    enum kni_action action;             /* decision for this stream */
    int service;
    struct kni_tcpopt_info client_tcpopt;
    struct kni_tcpopt_info server_tcpopt;
    char has_syn;                        /* used as boolean flags */
    char has_syn_ack;
    uint16_t client_window;
    uint16_t server_window;
    int tfe_id;
    pthread_mutex_t lock;                /* see initialisation note above */
    enum intercept_error intcp_error;    /* no named zero; 0 == "no error" by convention */
    char stream_traceid[24];             /* fixed-size; NUL-terminate if used as a string */
    /* protocol check (cjson): host for HTTP, sni for SSL -- untrusted input */
    union{
        char host[MAX_DOMAIN_LEN];       /* http only */
        char sni[MAX_DOMAIN_LEN];        /* ssl only */
    }domain;
    int domain_len;                      /* valid bytes in domain; must be <= MAX_DOMAIN_LEN */
    /* tfe_release = 1: tfe no longer needs this pmeinfo */
    int tfe_release;
    int sapp_release;
    /* kafka log */
    struct TLD_handle_t *tld_handle;
    const struct streaminfo *stream;     /* not owned (const) */
    int n_maat_rule;
    struct maat_rule maat_rule;
    /* filled from tfe, reported in the kafka log */
    uint8_t ssl_intercept_state;
    uint8_t ssl_pinningst;               /* default 0 */
    uint8_t ssl_pinningst_active;
    uint64_t ssl_server_side_latency;
    uint64_t ssl_client_side_latency;
    char ssl_server_side_version[KNI_SYMBOL_MAX];
    char ssl_client_side_version[KNI_SYMBOL_MAX];
    int8_t ssl_cert_verify;              /* signed: presumably allows a negative "not checked" value -- TODO confirm */
    char ssl_error[KNI_STRING_MAX];
    /* duplicate-traffic detection */
    uint64_t has_dup_traffic;
    int has_dup_syn;
    int has_dup_syn_ack;
    struct dup_traffic_dabloom_key *syn_packet;      /* ownership not visible here -- TODO document who frees */
    struct dup_traffic_dabloom_key *syn_ack_packet;
    struct traffic_info traffic_info;
    /* kni dynamic bypass */
    int thread_seq;
    int is_dynamic_bypass;
    /* proxy tcp option */
    struct proxy_tcp_option pxy_tcp_option;
    int pxy_tcp_option_is_scan;
    struct session_runtime_attribute *session_attribute;
    /* ssl passthrough reason */
    char ssl_passthrough_reason[KNI_SYMBOL_MAX];
    struct proxy_metric_value proxy_metric_value;
};
/* Raw packet buffer of one MTU; holds bytes, not a C string. */
struct wrapped_packet{
    char data[KNI_MTU];
};
/*
 * Record of a TCP option to be put back later. kind/len presumably mirror
 * the on-the-wire TCP option kind and length bytes, and offset where it
 * sat -- the code that fills and consumes this is not in this header, so
 * confirm there. len comes from the packet: consumers must check it against
 * the remaining option space before reading.
 */
struct tcp_option_restore{
    uint8_t kind;
    uint8_t len;
    uint16_t offset;
};
/* One enabled tfe and its marsio send path; pointers are not owned here (ownership unknown). */
struct tfe_enabled_node{
    int tfe_id;
    struct mr_vdev *dev_eth_handler;
    struct mr_sendpath *dev_eth_sendpath;
};
/*
 * marsio instance plus the table of enabled tfe nodes.
 * tfe_enabled_node_count is the number of valid entries in
 * tfe_enabled_nodes and must stay <= TFE_COUNT_MAX; anything that appends
 * an entry has to check that bound first.
 */
struct kni_marsio_handle{
    struct mr_instance *instance;
    int tfe_enabled_node_count;
    struct tfe_enabled_node tfe_enabled_nodes[TFE_COUNT_MAX];
};
/*
 * Output of protocol identification. domain is copied from traffic
 * (untrusted): writers must bound the copy by MAX_DOMAIN_LEN, set domain_len
 * to the number of valid bytes, and NUL-terminate if it is read as a string.
 */
struct protocol_identify_result{
    int protocol;
    char domain[MAX_DOMAIN_LEN];
    int domain_len;                     /* valid bytes in domain; <= MAX_DOMAIN_LEN */
};
/* Arguments handed to the tfe cmsg receiver thread. */
struct thread_tfe_cmsg_receiver_args{
    void *logger;
    char profile[KNI_SYMBOL_MAX];       /* fixed-size string; keep NUL-terminated */
};
/*
 * Per-worker-thread state. buff_size is presumably the capacity of buff in
 * bytes (TODO confirm where it is allocated); reads into buff must be bounded
 * by it. The hashtables and the dablooms handle are private to the thread
 * that owns this struct as far as this header shows.
 */
struct per_thread_handle{
    int tap_fd;                                     /* tap device file descriptor */
    int buff_size;
    char *buff;
    MESA_htable_handle tuple2stream_htable;         /* values: struct tuple2stream_htable_value */
    MESA_htable_handle traceid2sslinfo_htable;
    struct expiry_dablooms_handle *dabloom_handle;  /* duplicate-traffic detection */
#if (SUPPORT_LIBURING)
    struct io_uring_handle *iouring_handle;         /* only present when built with io_uring */
#endif
};
/*
 * Value stored in per_thread_handle.tuple2stream_htable: the stream and its
 * pme_info for a 4-tuple, plus routing direction. Neither pointer is owned by
 * the table entry as far as this header shows -- check the code that removes
 * entries before freeing through them.
 */
struct tuple2stream_htable_value{
    struct streaminfo *stream;
    struct pme_info *pmeinfo;
    int route_dir;
    int reversed;                       /* used as a boolean flag */
};
/*
 * Fixed-capacity list of security policy ids used for tsg diagnose shunting.
 * id_num is the number of valid entries and must never exceed
 * TSG_DIAGNOSE_POLICY_CNT (32); whoever appends to id_arr has to check that
 * bound, otherwise the write overruns the array.
 */
struct security_policy_shunt_tsg_diagnose{
    int id_arr[TSG_DIAGNOSE_POLICY_CNT];
    int id_num;
};
/*
 * Top-level kni state: configuration flags, handles to the marsio / bpf /
 * maat / logging subsystems, and the per-thread handle array.
 *
 * Notes:
 *  - threads_handle is an array of thread_count entries (presumably; the
 *    allocation is elsewhere). arr_last_tfe_dispatch_index is likewise an
 *    int array whose length is not recorded here -- TODO confirm it matches
 *    thread_count before indexing.
 *  - src_mac_addr / dst_mac_addr hold 6 raw bytes, not NUL-terminated
 *    strings. Because plain char may be signed, cast each byte to
 *    unsigned char before printing with %02x or comparing as a value.
 *  - maat_table_name[TABLE_MAX][...] is indexed by enum PXY_TCP_OPTION_MAAT_TABLE.
 */
struct kni_handle{
    int tap_rps_enable;
    char tap_rps_mask[KNI_SYMBOL_MAX];              /* fixed-size string */
    struct io_uring_conf iouring_conf;
    struct kni_marsio_handle *marsio_handle;
    struct bpf_ctx *tap_bpf_ctx;
    struct kni_maat_handle *maat_handle;
    struct kni_send_logger *send_logger;
    MESA_htable_handle traceid2pme_htable;
    struct per_thread_handle *threads_handle;       /* see note on length above */
    void *local_logger;
    struct tfe_mgr *_tfe_mgr;
    int thread_count;
    int dup_traffic_switch;                         /* duplicate-traffic detection on/off */
    int dup_traffic_action;
    enum kni_deploy_mode deploy_mode;
    char src_mac_addr[6];                           /* raw bytes; see note above */
    char dst_mac_addr[6];
    int tsg_diagnose_enable;
    int *arr_last_tfe_dispatch_index;               /* see note on length above */
    struct security_policy_shunt_tsg_diagnose secpolicyid_shunt_tsg_diagnose;
    int ssl_dynamic_bypass_enable;
    MESA_htable_handle sslinfo2bypass_htable;
    int pxy_tcp_option_enable;                      /* proxy tcp option enable */
    int pxy_tcp_option_enable_override;
    char maat_table_name[TABLE_MAX][_MAX_MAAT_TABLE_NAME_LEN];  /* proxy tcp option maat table names */
    int maat_table_id[TABLE_MAX];
    struct proxy_tcp_option pxy_tcp_option;         /* global defaults; per-stream copy lives in pme_info */
    int log_level;
    struct proxy_fieldstat *proxy_fieldstat;
};
/* Callback context for searching kni_handle.traceid2pme_htable. */
struct traceid2pme_search_cb_args{
    struct kni_cmsg *cmsg;
    void *logger;
};
#endif