authorfengweihao <[email protected]>2023-03-30 19:39:18 +0800
committerfengweihao <[email protected]>2023-03-30 19:39:18 +0800
commitdf39fcda9032d028354f9d4f2dbe0009da6b09c7 (patch)
treee2ac1093b1bd04ec2e3e78ef66c65b44e41e42f8
parenta2a4c323848e4cc4eef29c065377d31577d92c77 (diff)
TSG-14484 Proxy支持Maat4
-rw-r--r--ci/travis.sh4
-rw-r--r--common/include/tfe_scan.h16
-rw-r--r--common/src/tfe_resource.cpp68
-rw-r--r--common/src/tfe_scan.cpp124
-rw-r--r--common/src/tfe_tcp_restore.cpp6
-rw-r--r--platform/src/ssl_service_cache.cpp32
-rw-r--r--plugin/business/doh/src/doh.cpp199
-rw-r--r--plugin/business/doh/src/logger.cpp6
-rw-r--r--plugin/business/doh/src/pub.h22
-rw-r--r--plugin/business/ssl-policy/src/ssl_policy.cpp61
-rw-r--r--plugin/business/ssl-policy/src/ssl_policy.h2
-rw-r--r--plugin/business/traffic-mirror/include/traffic_mirror.h3
-rw-r--r--plugin/business/traffic-mirror/src/entry.cpp121
-rw-r--r--plugin/business/tsg-http/include/http_lua.h2
-rw-r--r--plugin/business/tsg-http/include/tsg_proxy_logger.h13
-rw-r--r--plugin/business/tsg-http/include/tsg_proxy_web_cache.h8
-rw-r--r--plugin/business/tsg-http/src/http_lua.cpp78
-rw-r--r--plugin/business/tsg-http/src/tsg_http.cpp350
-rw-r--r--plugin/business/tsg-http/src/tsg_logger.cpp4
-rw-r--r--plugin/business/tsg-http/src/tsg_web_cache.cpp108
-rw-r--r--resource/pangu/table_info.conf509
-rw-r--r--resource/pangu/table_info_traffic_mirror.conf41
-rw-r--r--vendor/CMakeLists.txt2
23 files changed, 1217 insertions, 562 deletions
diff --git a/ci/travis.sh b/ci/travis.sh
index 1dfb5c6..958507c 100644
--- a/ci/travis.sh
+++ b/ci/travis.sh
@@ -34,8 +34,8 @@ env | sort
# Install dependency from YUM
yum install -y mrzcpd numactl-devel zlib-devel librdkafka-devel systemd-devel
-yum install -y libcjson-devel libmaatframe-devel libMESA_field_stat2-devel libMESA_handle_logger-devel libelua-devel
-yum install -y libMESA_htable-devel libMESA_prof_load-devel librulescan-devel libwiredcfg-devel libWiredLB-devel sapp-devel libbreakpad_mini-devel
+yum install -y libcjson-devel libmaat4-devel libMESA_field_stat2-devel libMESA_handle_logger-devel libelua-devel
+yum install -y libMESA_htable-devel libMESA_prof_load-devel libwiredcfg-devel libWiredLB-devel sapp-devel libbreakpad_mini-devel
yum install -y libasan
if [ $ASAN_OPTION ];then
diff --git a/common/include/tfe_scan.h b/common/include/tfe_scan.h
index c36230f..455d839 100644
--- a/common/include/tfe_scan.h
+++ b/common/include/tfe_scan.h
@@ -3,11 +3,11 @@
#include <tfe_stream.h>
#define MAX_SCAN_RESULT 16
-int tfe_scan_subscribe_id(const struct tfe_stream *stream, struct Maat_rule_t *result, scan_status_t *scan_mid,
- int hit_cnt, unsigned int thread_id, void *logger);
-int tfe_scan_ip_asn(const struct tfe_stream *stream, struct Maat_rule_t *result, scan_status_t *scan_mid,
- int hit_cnt, unsigned int thread_id, void *logger, char **asn_server, char **asn_client);
-int tfe_scan_ip_location(const struct tfe_stream *stream, struct Maat_rule_t *result, scan_status_t *scan_mid,
- int hit_cnt, unsigned int thread_id, void *logger, char **location_server, char **location_client);
-int tfe_scan_fqdn_cat(const struct tfe_stream *stream, struct Maat_rule_t *result, scan_status_t *scan_mid,
- int hit_cnt, unsigned int thread_id, void *logger, int table_id);
+int tfe_scan_subscribe_id(const struct tfe_stream *stream, long long *result, struct maat_state *scan_mid,
+ int hit_cnt, void *logger);
+int tfe_scan_ip_asn(const struct tfe_stream *stream, long long *result, struct maat_state *scan_mid,
+ int hit_cnt, void *logger, char **asn_server, char **asn_client);
+int tfe_scan_ip_location(const struct tfe_stream *stream, long long *result, struct maat_state *scan_mid,
+ int hit_cnt, void *logger, char **location_server, char **location_client);
+int tfe_scan_fqdn_cat(const struct tfe_stream *stream, long long *result, struct maat_state *scan_mid,
+ int hit_cnt, void *logger, int table_id);
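Review bot: The new prototypes change `result` from `struct Maat_rule_t *` to `long long *` and drop `thread_id`, but the header still has no comment on the contract callers now have to respect: `result` must point at an array of at least MAX_SCAN_RESULT entries, hits are written starting at `result + hit_cnt`, and the return value is the number of entries appended, so the caller must keep `hit_cnt` below MAX_SCAN_RESULT (this is what the implementations in common/src/tfe_scan.cpp do). I would add above the group: `/* result: caller-owned long long[MAX_SCAN_RESULT] of maat rule ids; hits are appended at result + hit_cnt and the appended count is returned. scan_mid: per-stream maat scan state owned by the caller. */`. Since `thread_id` is gone, a one-line note that maat4 no longer needs the caller's thread index would stop someone re-adding it.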
diff --git a/common/src/tfe_resource.cpp b/common/src/tfe_resource.cpp
index c6dcd55..489bac1 100644
--- a/common/src/tfe_resource.cpp
+++ b/common/src/tfe_resource.cpp
@@ -1,5 +1,5 @@
#include <MESA/MESA_prof_load.h>
-#include <MESA/Maat_rule.h>
+#include <MESA/maat.h>
#include <cjson/cJSON.h>
#include <tfe_kafka_logger.h>
#include <tfe_proxy.h>
@@ -15,16 +15,16 @@ struct maat_table_info
const char *name;
};
-static Maat_feather_t static_maat = NULL;
+static struct maat *static_maat = NULL;
static tfe_kafka_logger_t *kafka_logger = NULL;
static char *device_id = NULL;
static char *effective_device_tag=NULL;
-static Maat_feather_t create_maat_feather(const char *instance_name, const char *profile, const char *section, int max_thread, void *logger)
+static struct maat *create_maat_feather(const char *instance_name, const char *profile, const char *section, int max_thread, void *logger)
{
- Maat_feather_t target;
+ struct maat *target=NULL;
int input_mode = 0, maat_stat_on = 0, maat_perf_on = 0;
- int ret = 0, scan_detail = 0, effect_interval = 60;
+ int ret = 0, effect_interval = 60, log_level=0;
char table_info[TFE_STRING_MAX] = {0}, inc_cfg_dir[TFE_STRING_MAX] = {0}, ful_cfg_dir[TFE_STRING_MAX] = {0};
char redis_server[TFE_STRING_MAX] = {0};
char redis_port_range[TFE_STRING_MAX] = {0};
@@ -50,11 +50,14 @@ static Maat_feather_t create_maat_feather(const char *instance_name, const char
MESA_load_profile_string_def(profile, section, "stat_file", maat_stat_file, sizeof(maat_stat_file), "");
MESA_load_profile_int_def(profile, section, "effect_interval_s", &(effect_interval), 60);
MESA_load_profile_int_def(profile, section, "deferred_load_on", &(deferred_load_on), 0);
+ MESA_load_profile_int_def(profile, section, "log_level", &(log_level), LOG_LEVEL_FATAL);
effect_interval *= 1000; //convert s to ms
- target = Maat_feather(max_thread, table_info, logger);
- Maat_set_feather_opt(target, MAAT_OPT_INSTANCE_NAME, instance_name, strlen(instance_name) + 1);
+ struct maat_options *opts = maat_options_new();
+ maat_options_set_logger(opts, "log/maat.log", (enum log_level)log_level);
+ maat_options_set_instance_name(opts, instance_name);
+ maat_options_set_caller_thread_number(opts, max_thread);
switch (input_mode)
{
case MAAT_INPUT_JSON:
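Review bot: `opts` returned by `maat_options_new()` is handed to `maat_options_set_logger` on the next line without a NULL check, so an allocation failure dereferences NULL before the function's own error path is reached; add `if (!opts) { TFE_LOG_ERROR(logger, "maat_options_new failed."); return NULL; }` directly after the call. The `(enum log_level)log_level` cast forwards whatever integer the profile's `log_level` key contains; as this is operator-supplied configuration I would validate it against the enum's range (falling back to LOG_LEVEL_FATAL) before the cast rather than pass an out-of-range value into the library. create_maat_feather starts and ends outside this hunk.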
@@ -63,8 +66,7 @@ static Maat_feather_t create_maat_feather(const char *instance_name, const char
TFE_LOG_ERROR(logger, "Invalid json_cfg_file, MAAT init failed.");
goto error_out;
}
-
- Maat_set_feather_opt(target, MAAT_OPT_JSON_FILE_PATH, json_cfg_file, strlen(json_cfg_file) + 1);
+ maat_options_set_json_file(opts, json_cfg_file);
break;
case MAAT_INPUT_REDIS:
if (!strlen(redis_server))
@@ -89,10 +91,7 @@ static Maat_feather_t create_maat_feather(const char *instance_name, const char
goto error_out;
}
-
- Maat_set_feather_opt(target, MAAT_OPT_REDIS_IP, redis_server, strlen(redis_server) + 1);
- Maat_set_feather_opt(target, MAAT_OPT_REDIS_PORT, &redis_port_select, sizeof(redis_port_select));
- Maat_set_feather_opt(target, MAAT_OPT_REDIS_INDEX, &redis_db_idx, sizeof(redis_db_idx));
+ maat_options_set_redis(opts, redis_server, redis_port_select, redis_db_idx);
break;
case MAAT_INPUT_FILE:
if (!strlen(ful_cfg_dir))
@@ -106,50 +105,47 @@ static Maat_feather_t create_maat_feather(const char *instance_name, const char
TFE_LOG_ERROR(logger, "Invalid inc_cfg_dir, MAAT init failed.");
goto error_out;
}
-
- Maat_set_feather_opt(target, MAAT_OPT_FULL_CFG_DIR, ful_cfg_dir, strlen(ful_cfg_dir) + 1);
- Maat_set_feather_opt(target, MAAT_OPT_INC_CFG_DIR, inc_cfg_dir, strlen(inc_cfg_dir) + 1);
+ maat_options_set_iris(opts, ful_cfg_dir, inc_cfg_dir);
break;
default:
TFE_LOG_ERROR(logger, "Invalid MAAT Input Mode: %d.", input_mode);
goto error_out;
break;
}
-
- Maat_set_feather_opt(target, MAAT_OPT_FOREIGN_CONT_DIR, "./pangu_files", strlen("./pangu_files") + 1);
- if (maat_stat_on)
- {
- Maat_set_feather_opt(target, MAAT_OPT_STAT_FILE_PATH, maat_stat_file, strlen(maat_stat_file) + 1);
- Maat_set_feather_opt(target, MAAT_OPT_STAT_ON, NULL, 0);
- if (maat_perf_on)
- {
- Maat_set_feather_opt(target, MAAT_OPT_PERF_ON, NULL, 0);
- }
- }
+ maat_options_set_foreign_cont_dir(opts, "./pangu_files");
+ if (maat_stat_on)
+ {
+ maat_options_set_stat_on(opts);
+ if (maat_perf_on)
+ {
+ maat_options_set_perf_on(opts);
+ }
+ }
if (deferred_load_on)
{
- Maat_set_feather_opt(target, MAAT_OPT_DEFERRED_LOAD, &deferred_load_on, sizeof(deferred_load_on));
+ maat_options_set_deferred_load_on(opts);
}
- Maat_set_feather_opt(target, MAAT_OPT_EFFECT_INVERVAL_MS, &effect_interval, sizeof(effect_interval));
- Maat_set_feather_opt(target, MAAT_OPT_SCAN_DETAIL, &scan_detail, sizeof(scan_detail));
+
+ maat_options_set_rule_effect_interval_ms(opts, effect_interval);
if (strlen(accept_path) > 0)
{
MESA_load_profile_string_def(accept_path, "maat", "ACCEPT_TAGS", accept_tags, sizeof(accept_tags), "{\"tags\":[{\"tag\":\"device_id\",\"value\":\"device_1\"}]}");
- Maat_set_feather_opt(target, MAAT_OPT_ACCEPT_TAGS, &accept_tags, sizeof(accept_tags));
+ maat_options_set_accept_tags(opts, accept_tags);
TFE_LOG_INFO(logger, "tfe accept tags : %s", accept_tags);
}
- ret = Maat_initiate_feather(target);
- if (ret < 0)
+ target = maat_new(opts, table_info);
+ if (!target)
{
TFE_LOG_ERROR(logger, "%s MAAT init failed.", __FUNCTION__);
goto error_out;
}
- return target;
+ maat_options_free(opts);
+ return target;
error_out:
- Maat_burn_feather(target);
+ maat_options_free(opts);
return NULL;
}
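Review bot: `maat_stat_file` is still read from the `stat_file` profile key in the preceding hunk, but nothing consumes it any more: `MAAT_OPT_STAT_FILE_PATH` is gone and `maat_options_set_stat_on(opts)` takes no path, so a configured stat file is silently ignored. Either pass it through a maat4 option that sets the stat path, if the library offers one, or drop the profile read and add `// stat output goes to the maat4 default location; stat_file is no longer honoured` next to `maat_options_set_stat_on`. `MAAT_OPT_SCAN_DETAIL` was previously forced to 0 and has no replacement here; if maat4's default differs, the shape of scan results changes, so a comment stating the intended default would help the next reader. The error path now frees only `opts`, which is correct as long as every `goto error_out` comes after `opts` is initialized, which the C++ compiler will enforce for jumps across that initialization.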
@@ -277,7 +273,7 @@ static int register_maat_table()
{
for (int i = 0; i < TABLE_TYPE_MAX; i++)
{
- maat_pub_tables[i].id = Maat_table_register(static_maat, maat_pub_tables[i].name);
+ maat_pub_tables[i].id = maat_get_table_id(static_maat, maat_pub_tables[i].name);
if (maat_pub_tables[i].id < 0)
{
TFE_LOG_ERROR(g_default_logger, "Maat table %s register failed.", maat_pub_tables[i].name);
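Review bot: The log message right after the changed call still says "register failed" although the call is now `maat_get_table_id`, which looks a table up rather than registering it, so a negative return means the table is absent from the table_info configuration and the message should say so: `TFE_LOG_ERROR(g_default_logger, "Maat table %s not found (maat_get_table_id failed).", maat_pub_tables[i].name);`. The same stale wording survives in ssl_svc_ja3_init in platform/src/ssl_service_cache.cpp, both in its `Maat table %s register failed.` line and in `failed at Maat_plugin_EX_register(%s)`, whose call is now `maat_plugin_table_ex_schema_register`. register_maat_table continues outside this hunk.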
diff --git a/common/src/tfe_scan.cpp b/common/src/tfe_scan.cpp
index 05bf81c..6cfde1a 100644
--- a/common/src/tfe_scan.cpp
+++ b/common/src/tfe_scan.cpp
@@ -1,12 +1,13 @@
-#include <MESA/Maat_rule.h>
+#include <MESA/maat.h>
#include <tfe_resource.h>
#include <tfe_scan.h>
-int tfe_scan_subscribe_id(const struct tfe_stream *stream, struct Maat_rule_t *result, scan_status_t *scan_mid,
- int hit_cnt, unsigned int thread_id, void *logger)
+int tfe_scan_subscribe_id(const struct tfe_stream *stream, long long *result, struct maat_state *scan_mid,
+ int hit_cnt, void *logger)
{
int scan_ret = 0;
int hit_cnt_ip = 0;
+ size_t n_hit_result = 0;
uint16_t opt_out_size;
char dest_subscribe_id[TFE_STRING_MAX] = {0};
char source_subscribe_id[TFE_STRING_MAX] = {0};
@@ -28,15 +29,14 @@ int tfe_scan_subscribe_id(const struct tfe_stream *stream, struct Maat_rule_t *r
if (strlen(source_subscribe_id))
{
- scan_ret = Maat_full_scan_string(tfe_bussiness_resouce_get(STATIC_MAAT), tfe_bussiness_tableid_get(TABLE_OBJ_SUBSCRIBER_ID),
- CHARSET_UTF8, source_subscribe_id, strlen(source_subscribe_id),
- result + hit_cnt + hit_cnt_ip, NULL, MAX_SCAN_RESULT - hit_cnt - hit_cnt_ip,
- scan_mid, (int)thread_id);
- if (scan_ret > 0)
+ scan_ret = maat_scan_string((struct maat *)tfe_bussiness_resouce_get(STATIC_MAAT), tfe_bussiness_tableid_get(TABLE_OBJ_SUBSCRIBER_ID),
+ source_subscribe_id, strlen(source_subscribe_id),result + hit_cnt + hit_cnt_ip,
+ MAX_SCAN_RESULT - hit_cnt - hit_cnt_ip, &n_hit_result, scan_mid);
+ if (scan_ret == MAAT_SCAN_HIT)
{
- TFE_LOG_INFO(logger, "Scan src TSG_OBJ_SUBSCRIBER_ID, Hit subid: %s scan ret: %d policy_id: %d service: %d action: %d addr: %s",
- source_subscribe_id, scan_ret, result[hit_cnt + hit_cnt_ip].config_id, result[hit_cnt + hit_cnt_ip].service_id, result[hit_cnt + hit_cnt_ip].action, stream->str_stream_info);
- hit_cnt_ip += scan_ret;
+ TFE_LOG_INFO(logger, "Scan src TSG_OBJ_SUBSCRIBER_ID, Hit subid: %s scan ret: %d policy_id: %lld addr: %s",
+ source_subscribe_id, scan_ret, result[hit_cnt + hit_cnt_ip], stream->str_stream_info);
+ hit_cnt_ip += n_hit_result;
}
else
{
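Review bot: The remaining capacity passed to `maat_scan_string`, `MAX_SCAN_RESULT - hit_cnt - hit_cnt_ip`, is an `int` that reaches zero or goes negative once earlier scans have filled the array, and nothing in this function guards it; if the new API's capacity parameter is a `size_t` (the `&n_hit_result` out-parameter is), a negative value converts to a huge count and the library may write past `result`. Guard each scan with `if (hit_cnt + hit_cnt_ip >= MAX_SCAN_RESULT) { return hit_cnt_ip; }` before the call, or clamp the capacity to zero. The same pattern is in the dst-subscriber scan below, in tfe_scan_fqdn_cat, both scans of tfe_scan_ip_location and tfe_scan_ip_asn, and in the host scan of doh_maat_scan in plugin/business/doh/src/doh.cpp. `hit_cnt_ip += n_hit_result;` also narrows `size_t` to `int` silently; an explicit `(int)` cast would make the intent visible. tfe_scan_subscribe_id starts and ends outside this hunk.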
@@ -47,15 +47,14 @@ int tfe_scan_subscribe_id(const struct tfe_stream *stream, struct Maat_rule_t *r
if (strlen(dest_subscribe_id))
{
- scan_ret = Maat_full_scan_string(tfe_bussiness_resouce_get(STATIC_MAAT), tfe_bussiness_tableid_get(TABLE_OBJ_SUBSCRIBER_ID),
- CHARSET_UTF8, dest_subscribe_id, strlen(dest_subscribe_id),
- result + hit_cnt + hit_cnt_ip, NULL, MAX_SCAN_RESULT - hit_cnt - hit_cnt_ip,
- scan_mid, (int)thread_id);
- if (scan_ret > 0)
+ scan_ret = maat_scan_string((struct maat *)tfe_bussiness_resouce_get(STATIC_MAAT), tfe_bussiness_tableid_get(TABLE_OBJ_SUBSCRIBER_ID),
+ dest_subscribe_id, strlen(dest_subscribe_id),result + hit_cnt + hit_cnt_ip,
+ MAX_SCAN_RESULT - hit_cnt - hit_cnt_ip,&n_hit_result, scan_mid);
+ if (scan_ret == MAAT_SCAN_HIT)
{
- TFE_LOG_INFO(logger, "Scan dst TSG_OBJ_SUBSCRIBER_ID, Hit subid: %s scan ret: %d policy_id: %d service: %d action: %d addr: %s",
- dest_subscribe_id, scan_ret, result[hit_cnt + hit_cnt_ip].config_id, result[hit_cnt + hit_cnt_ip].service_id, result[hit_cnt + hit_cnt_ip].action, stream->str_stream_info);
- hit_cnt_ip += scan_ret;
+ TFE_LOG_INFO(logger, "Scan dst TSG_OBJ_SUBSCRIBER_ID, Hit subid: %s scan ret: %d policy_id: %lld addr: %s",
+ dest_subscribe_id, scan_ret, result[hit_cnt + hit_cnt_ip], stream->str_stream_info);
+ hit_cnt_ip += n_hit_result;
}
else
{
@@ -67,13 +66,14 @@ int tfe_scan_subscribe_id(const struct tfe_stream *stream, struct Maat_rule_t *r
return hit_cnt_ip;
}
-int tfe_scan_fqdn_cat(const struct tfe_stream *stream, struct Maat_rule_t *result, scan_status_t *scan_mid,
- int hit_cnt, unsigned int thread_id, void *logger, int table_id)
+int tfe_scan_fqdn_cat(const struct tfe_stream *stream, long long *result, struct maat_state *scan_mid,
+ int hit_cnt, void *logger, int table_id)
{
int scan_ret = 0;
unsigned int i = 0;
uint16_t opt_out_size;
int hit_cnt_fqdn = 0;
+ size_t n_hit_result = 0;
unsigned int category_id_num = 0;
unsigned int category_id_val[TFE_SYMBOL_MAX] = {0};
@@ -104,13 +104,13 @@ int tfe_scan_fqdn_cat(const struct tfe_stream *stream, struct Maat_rule_t *resul
for (i = 0; i < category_id_num && i < 8; i++)
{
- scan_ret = Maat_scan_intval(tfe_bussiness_resouce_get(STATIC_MAAT), table_id, category_id_val[i], result + hit_cnt + hit_cnt_fqdn,
- MAX_SCAN_RESULT - hit_cnt - hit_cnt_fqdn, scan_mid, (int)thread_id);
- if (scan_ret > 0)
+ scan_ret = maat_scan_integer((struct maat *)tfe_bussiness_resouce_get(STATIC_MAAT), table_id, category_id_val[i], result + hit_cnt + hit_cnt_fqdn,
+ MAX_SCAN_RESULT - hit_cnt - hit_cnt_fqdn, &n_hit_result, scan_mid);
+ if (scan_ret == MAAT_SCAN_HIT)
{
- TFE_LOG_INFO(logger, "Scan FQDN_CAT, Hit catid: %d scan ret: %d policy_id: %d service: %d action: %d addr: %s",
- category_id_val[i], scan_ret, result[hit_cnt + hit_cnt_fqdn].config_id, result[hit_cnt + hit_cnt_fqdn].service_id, result[hit_cnt + hit_cnt_fqdn].action, stream->str_stream_info);
- hit_cnt_fqdn += scan_ret;
+ TFE_LOG_INFO(logger, "Scan FQDN_CAT, Hit catid: %d scan ret: %d policy_id: %lld addr: %s",
+ category_id_val[i], scan_ret, result[hit_cnt + hit_cnt_fqdn], stream->str_stream_info);
+ hit_cnt_fqdn += n_hit_result;
}
else
{
@@ -121,11 +121,12 @@ int tfe_scan_fqdn_cat(const struct tfe_stream *stream, struct Maat_rule_t *resul
return hit_cnt_fqdn;
}
-int tfe_scan_ip_location(const struct tfe_stream *stream, struct Maat_rule_t *result, scan_status_t *scan_mid,
- int hit_cnt, unsigned int thread_id, void *logger, char **location_server, char **location_client)
+int tfe_scan_ip_location(const struct tfe_stream *stream, long long *result, struct maat_state *scan_mid,
+ int hit_cnt, void *logger, char **location_server, char **location_client)
{
int scan_ret = 0;
int hit_cnt_ip = 0;
+ size_t n_hit_result = 0;
uint16_t opt_out_size;
char buff[TFE_STRING_MAX] = {0};
char src_city[TFE_STRING_MAX] = {0};
@@ -187,15 +188,14 @@ int tfe_scan_ip_location(const struct tfe_stream *stream, struct Maat_rule_t *re
memset(buff, 0, sizeof(buff));
snprintf(buff, sizeof(buff),"%s.%s.%s.%s.", dst_country, dst_provine, dst_city, dst_subdivsion);
- scan_ret = Maat_full_scan_string(tfe_bussiness_resouce_get(STATIC_MAAT), tfe_bussiness_tableid_get(TABLE_SECURITY_DESTINATION_LOCATION),
- CHARSET_GBK, buff, strlen(buff),
- result + hit_cnt + hit_cnt_ip, NULL, MAX_SCAN_RESULT - hit_cnt - hit_cnt_ip,
- scan_mid, (int)thread_id);
- if (scan_ret > 0)
+ scan_ret = maat_scan_string((struct maat *)tfe_bussiness_resouce_get(STATIC_MAAT), tfe_bussiness_tableid_get(TABLE_SECURITY_DESTINATION_LOCATION),
+ buff, strlen(buff), result + hit_cnt + hit_cnt_ip,MAX_SCAN_RESULT - hit_cnt - hit_cnt_ip,
+ &n_hit_result, scan_mid);
+ if (scan_ret == MAAT_SCAN_HIT)
{
- TFE_LOG_INFO(logger, "Scan TSG_SECURITY_DESTINATION_LOCATION, Hit location: %s scan ret: %d policy_id: %d service: %d action: %d addr: %s",
- buff, scan_ret, result[hit_cnt + hit_cnt_ip].config_id, result[hit_cnt + hit_cnt_ip].service_id, result[hit_cnt + hit_cnt_ip].action, stream->str_stream_info);
- hit_cnt_ip += scan_ret;
+ TFE_LOG_INFO(logger, "Scan TSG_SECURITY_DESTINATION_LOCATION, Hit location: %s scan ret: %d policy_id: %lld addr: %s",
+ buff, scan_ret, result[hit_cnt + hit_cnt_ip], stream->str_stream_info);
+ hit_cnt_ip += n_hit_result;
}
else
{
@@ -218,15 +218,14 @@ int tfe_scan_ip_location(const struct tfe_stream *stream, struct Maat_rule_t *re
memset(buff, 0, sizeof(buff));
snprintf(buff, sizeof(buff), "%s.%s.%s.%s.", src_country, src_provine, src_city, src_subdivsion);
- scan_ret = Maat_full_scan_string(tfe_bussiness_resouce_get(STATIC_MAAT), tfe_bussiness_tableid_get(TABLE_SECURITY_SOURCE_LOCATION),
- CHARSET_GBK, buff, strlen(buff),
- result + hit_cnt + hit_cnt_ip, NULL, MAX_SCAN_RESULT - hit_cnt - hit_cnt_ip,
- scan_mid, (int)thread_id);
- if (scan_ret > 0)
+ scan_ret = maat_scan_string((struct maat *)tfe_bussiness_resouce_get(STATIC_MAAT), tfe_bussiness_tableid_get(TABLE_SECURITY_SOURCE_LOCATION),
+ buff, strlen(buff),result + hit_cnt + hit_cnt_ip, MAX_SCAN_RESULT - hit_cnt - hit_cnt_ip,
+ &n_hit_result, scan_mid);
+ if (scan_ret == MAAT_SCAN_HIT)
{
- TFE_LOG_INFO(logger, "Scan TSG_SECURITY_SOURCE_LOCATION, Hit location: %s scan ret: %d policy_id: %d service: %d action: %d addr: %s",
- buff, scan_ret, result[hit_cnt + hit_cnt_ip].config_id, result[hit_cnt + hit_cnt_ip].service_id, result[hit_cnt + hit_cnt_ip].action, stream->str_stream_info);
- hit_cnt_ip += scan_ret;
+ TFE_LOG_INFO(logger, "Scan TSG_SECURITY_SOURCE_LOCATION, Hit location: %s scan ret: %d policy_id: %lld addr: %s",
+ buff, scan_ret, result[hit_cnt + hit_cnt_ip], stream->str_stream_info);
+ hit_cnt_ip += n_hit_result;
}
else
{
@@ -249,11 +248,12 @@ int tfe_scan_ip_location(const struct tfe_stream *stream, struct Maat_rule_t *re
return hit_cnt_ip;
}
-int tfe_scan_ip_asn(const struct tfe_stream *stream, struct Maat_rule_t *result, scan_status_t *scan_mid,
- int hit_cnt, unsigned int thread_id, void *logger, char **asn_server, char **asn_client)
+int tfe_scan_ip_asn(const struct tfe_stream *stream, long long *result, struct maat_state *scan_mid,
+ int hit_cnt, void *logger, char **asn_server, char **asn_client)
{
int scan_ret = 0;
int hit_cnt_ip = 0;
+ size_t n_hit_result = 0;
uint16_t opt_out_size;
char buff[TFE_STRING_MAX] = {0};
char src_asn[TFE_STRING_MAX] = {0};
@@ -288,15 +288,14 @@ int tfe_scan_ip_asn(const struct tfe_stream *stream, struct Maat_rule_t *result,
if (strlen(dst_asn))
{
- scan_ret = Maat_full_scan_string(tfe_bussiness_resouce_get(STATIC_MAAT), tfe_bussiness_tableid_get(TABLE_SECURITY_DESTINATION_ASN),
- CHARSET_UTF8, dst_asn, strlen(dst_asn),
- result + hit_cnt + hit_cnt_ip, NULL, MAX_SCAN_RESULT - hit_cnt - hit_cnt_ip,
- scan_mid, (int)thread_id);
- if (scan_ret > 0)
+ scan_ret = maat_scan_string((struct maat *)tfe_bussiness_resouce_get(STATIC_MAAT), tfe_bussiness_tableid_get(TABLE_SECURITY_DESTINATION_ASN),
+ dst_asn, strlen(dst_asn), result + hit_cnt + hit_cnt_ip, MAX_SCAN_RESULT - hit_cnt - hit_cnt_ip,
+ &n_hit_result, scan_mid);
+ if (scan_ret == MAAT_SCAN_HIT)
{
- TFE_LOG_INFO(logger, "Scan TSG_SECURITY_DESTINATION_ASN, Hit asn: %s scan ret: %d policy_id: %d service: %d action: %d addr: %s",
- dst_asn, scan_ret, result[hit_cnt + hit_cnt_ip].config_id, result[hit_cnt + hit_cnt_ip].service_id, result[hit_cnt + hit_cnt_ip].action, stream->str_stream_info);
- hit_cnt_ip += scan_ret;
+ TFE_LOG_INFO(logger, "Scan TSG_SECURITY_DESTINATION_ASN, Hit asn: %s scan ret: %d policy_id: %lld addr: %s",
+ dst_asn, scan_ret, result[hit_cnt + hit_cnt_ip], stream->str_stream_info);
+ hit_cnt_ip += n_hit_result;
}
else
{
@@ -309,15 +308,14 @@ int tfe_scan_ip_asn(const struct tfe_stream *stream, struct Maat_rule_t *result,
}
if (strlen(src_asn))
{
- scan_ret = Maat_full_scan_string(tfe_bussiness_resouce_get(STATIC_MAAT), tfe_bussiness_tableid_get(TABLE_SECURITY_SOURCE_ASN),
- CHARSET_UTF8, src_asn, strlen(src_asn),
- result + hit_cnt + hit_cnt_ip, NULL, MAX_SCAN_RESULT - hit_cnt - hit_cnt_ip,
- scan_mid, (int)thread_id);
- if (scan_ret > 0)
+ scan_ret = maat_scan_string((struct maat *)tfe_bussiness_resouce_get(STATIC_MAAT), tfe_bussiness_tableid_get(TABLE_SECURITY_SOURCE_ASN),
+ src_asn, strlen(src_asn),result + hit_cnt + hit_cnt_ip, MAX_SCAN_RESULT - hit_cnt - hit_cnt_ip,
+ &n_hit_result, scan_mid);
+ if (scan_ret == MAAT_SCAN_HIT)
{
- TFE_LOG_INFO(logger, "Scan TSG_SECURITY_SOURCE_ASN, Hit asn: %s scan ret: %d policy_id: %d service: %d action: %d addr: %s",
- src_asn, scan_ret, result[hit_cnt + hit_cnt_ip].config_id, result[hit_cnt + hit_cnt_ip].service_id, result[hit_cnt + hit_cnt_ip].action, stream->str_stream_info);
- hit_cnt_ip += scan_ret;
+ TFE_LOG_INFO(logger, "Scan TSG_SECURITY_SOURCE_ASN, Hit asn: %s scan ret: %d policy_id: %lld addr: %s",
+ src_asn, scan_ret, result[hit_cnt + hit_cnt_ip], stream->str_stream_info);
+ hit_cnt_ip += n_hit_result;
}
else
{
diff --git a/common/src/tfe_tcp_restore.cpp b/common/src/tfe_tcp_restore.cpp
index 188c3d0..339921f 100644
--- a/common/src/tfe_tcp_restore.cpp
+++ b/common/src/tfe_tcp_restore.cpp
@@ -95,20 +95,20 @@ int tfe_tcp_restore_fd_create(const struct tcp_restore_endpoint *endpoint, const
TFE_LOG_ERROR(g_default_logger, "failed at setsockopt(SO_MARK), %d: %s", errno, strerror(errno));
goto errout;
}
-
+
if (strlen(devname))
{
result = setsockopt(sockfd, SOL_SOCKET, SO_BINDTODEVICE, devname, strlen(devname));
if (result < 0)
{
- TFE_LOG_ERROR(g_default_logger, "failed at setsockopt(SO_BINDTODEVICE) on %d, %d: %s", devname, errno, strerror(errno));
+ TFE_LOG_ERROR(g_default_logger, "failed at setsockopt(SO_BINDTODEVICE) on %s, %d: %s", devname, errno, strerror(errno));
goto errout;
}
result = getsockopt(sockfd, SOL_SOCKET, SO_BINDTODEVICE, buffer, &buffer_len);
if (result < 0)
{
- TFE_LOG_ERROR(g_default_logger, "failed at getsockopt(SO_BINDTODEVICE) on %d, %d: %s", devname, errno, strerror(errno));
+ TFE_LOG_ERROR(g_default_logger, "failed at getsockopt(SO_BINDTODEVICE) on %s, %d: %s", devname, errno, strerror(errno));
goto errout;
}
TFE_LOG_DEBUG(g_default_logger, "sockfd %d successfully bound to %s device, so_mask: %x", sockfd, buffer, fd_so_mask);
diff --git a/platform/src/ssl_service_cache.cpp b/platform/src/ssl_service_cache.cpp
index 970edd7..a0c2f45 100644
--- a/platform/src/ssl_service_cache.cpp
+++ b/platform/src/ssl_service_cache.cpp
@@ -1,11 +1,11 @@
#include <ssl_service_cache.h>
-#include <MESA/Maat_rule.h>
+#include <MESA/maat.h>
#include <tfe_resource.h>
#include <ssl_stream.h>
struct ssl_ja3_enforcer
{
- Maat_feather_t maat;
+ struct maat *maat;
int table_id;
};
@@ -28,7 +28,7 @@ struct ssl_svc_addr
static struct ssl_ja3_enforcer g_static_enforcer = {0};
-static void ssl_svc_ja3_param_dup_cb(int table_id, MAAT_PLUGIN_EX_DATA *to, MAAT_PLUGIN_EX_DATA *from, long argl, void *argp)
+static void ssl_svc_ja3_param_dup_cb(int table_id, void **to, void **from, long argl, void *argp)
{
struct ssl_svc_ja3 *param = (struct ssl_svc_ja3 *)*from;
if (param)
@@ -43,7 +43,7 @@ static void ssl_svc_ja3_param_dup_cb(int table_id, MAAT_PLUGIN_EX_DATA *to, MAAT
return;
}
-static void ssl_svc_ja3_param_new_cb(int table_id, const char *key, const char *table_line, MAAT_PLUGIN_EX_DATA *ad, long argl, void *argp)
+static void ssl_svc_ja3_param_new_cb(const char *table_name, int table_id, const char *key, const char *table_line, void **ad, long argl, void *argp)
{
int is_valid = 0;
int pinning_state = 0;
@@ -68,7 +68,7 @@ static void ssl_svc_ja3_param_new_cb(int table_id, const char *key, const char *
param->fingerprint_id, param->ja3_hash, param->pinning_state, param->is_valid, param->ref_cnt);
}
-static void ssl_svc_ja3_param_free_cb(int table_id, MAAT_PLUGIN_EX_DATA *ad, long argl, void *argp)
+static void ssl_svc_ja3_param_free_cb(int table_id, void **ad, long argl, void *argp)
{
struct ssl_svc_ja3 *param = (struct ssl_svc_ja3 *)*ad;
if (param == NULL)
@@ -93,21 +93,20 @@ static void ssl_svc_ja3_param_free(struct ssl_svc_ja3 *param)
static int ssl_svc_ja3_init(const char *table_name)
{
- g_static_enforcer.maat = (Maat_feather_t)tfe_bussiness_resouce_get(STATIC_MAAT);
- g_static_enforcer.table_id = Maat_table_register(g_static_enforcer.maat, table_name);
+ g_static_enforcer.maat = (struct maat *)tfe_bussiness_resouce_get(STATIC_MAAT);
+ g_static_enforcer.table_id = maat_get_table_id(g_static_enforcer.maat, table_name);
if (g_static_enforcer.table_id < 0)
{
TFE_LOG_ERROR(g_default_logger, "Maat table %s register failed.", table_name);
return 0;
}
- int ret = Maat_plugin_EX_register(g_static_enforcer.maat,
- g_static_enforcer.table_id,
- ssl_svc_ja3_param_new_cb,
- ssl_svc_ja3_param_free_cb,
- ssl_svc_ja3_param_dup_cb,
- NULL,
- 0,
- &g_static_enforcer);
+ int ret = maat_plugin_table_ex_schema_register(g_static_enforcer.maat,
+ table_name,
+ ssl_svc_ja3_param_new_cb,
+ ssl_svc_ja3_param_free_cb,
+ ssl_svc_ja3_param_dup_cb,
+ 0,
+ &g_static_enforcer);
if (ret < 0)
{
TFE_LOG_ERROR(g_default_logger, "failed at Maat_plugin_EX_register(%s), table_id = %d, ret = %d",
@@ -122,7 +121,8 @@ enum ssl_ja3_pinning_status ssl_svc_ja3_scan(char *ja3_hash, const char *addr_st
{
enum ssl_ja3_pinning_status ret = JA3_PINNING_STATUS_UNKNOWN;
struct ssl_svc_ja3 *param = NULL;
- param = (struct ssl_svc_ja3 *)Maat_plugin_get_EX_data(g_static_enforcer.maat, g_static_enforcer.table_id, ja3_hash);
+
+ param = (struct ssl_svc_ja3 *)maat_plugin_table_get_ex_data(g_static_enforcer.maat, g_static_enforcer.table_id, ja3_hash);
if (param == NULL)
{
ret = JA3_PINNING_STATUS_UNKNOWN;
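Review bot: `param` returned by `maat_plugin_table_get_ex_data` is used as a borrowed pointer here, while the doh plugin in the same commit treats the identical call as handing out a reference and releases it afterwards through its free callback (doh_get_cheat_data in plugin/business/doh/src/doh.cpp). If maat4's get_ex_data does take a reference on the ex-data, this scan leaks one reference per call and the `ssl_svc_ja3` entry can never be freed on table reload; if it does not, the doh release is a premature free. Please confirm the library contract and make the two call sites consistent, and document the chosen contract on this line, e.g. `/* borrowed: maat owns param; valid only until the table is reloaded */`. ssl_svc_ja3_scan continues outside this hunk.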
diff --git a/plugin/business/doh/src/doh.cpp b/plugin/business/doh/src/doh.cpp
index 8c2b1a0..d7e89b0 100644
--- a/plugin/business/doh/src/doh.cpp
+++ b/plugin/business/doh/src/doh.cpp
@@ -1,5 +1,6 @@
#include "logger.h"
#include <tfe_scan.h>
+#include <MESA/stream.h>
extern void increase_redirect_policy_hit_num(void);
@@ -99,21 +100,78 @@ static cJSON *doh_get_answer_records(struct doh_ctx *ctx, cJSON *object, int qty
return NULL;
}
-static void doh_get_cheat_data(Maat_rule_t *p_result, int qtype, struct doh_ctx *ctx, const char *str_stream_info)
+struct doh_action_param
+{
+ int ref_cnt;
+ int action;
+ char *message;
+ char *position;
+ float enforcement_ratio;
+ int vsys_id;
+ int profile_id;
+ int status_code;
+ size_t n_rule;
+ void *repl_rule;
+ size_t e_rule;
+ void *elem_rule;
+ struct doh_maat_rule_t hit_rule;
+ pthread_mutex_t lock;
+};
+
+void doh_action_param_free_cb(int table_id, void **ad, long argl, void *argp)
+{
+ if(*ad==NULL)
+ {
+ return;
+ }
+ struct doh_action_param* param=(struct doh_action_param*)*ad;
+ pthread_mutex_lock(&(param->lock));
+ param->ref_cnt--;
+ if(param->ref_cnt>0)
+ {
+ pthread_mutex_unlock(&(param->lock));
+ return;
+ }
+ pthread_mutex_unlock(&(param->lock));
+ pthread_mutex_destroy(&(param->lock));
+
+ if(param->hit_rule.srv_def_large)
+ FREE(&(param->hit_rule.srv_def_large))
+
+ FREE(&(param));
+ return;
+}
+
+static void doh_get_cheat_data(long long p_result, int qtype, struct doh_ctx *ctx, const char *str_stream_info)
{
int i;
int answer_size = 0;
- char *tmp = NULL;
cJSON *items = NULL;
cJSON *item = NULL;
cJSON *object = NULL;
cJSON *answer_array = NULL;
+ int table_id=0;
- tmp = (char *)calloc(1, p_result->serv_def_len + 1);
- Maat_read_rule(g_doh_conf->maat, p_result, MAAT_RULE_SERV_DEFINE, tmp, p_result->serv_def_len);
- TFE_LOG_INFO(g_doh_conf->local_logger, "%s hit %d %s", str_stream_info, p_result->config_id, tmp);
+ table_id=maat_get_table_id(g_doh_conf->maat, "PXY_CTRL_COMPILE");
+ if(table_id < 0)
+ {
+ return;
+ }
+ struct doh_action_param *get_ex_param=(struct doh_action_param *)maat_plugin_table_get_ex_data(g_doh_conf->maat, table_id, (const char *)&p_result);
+ if(get_ex_param==NULL)
+ {
+ return;
+ }
- object = cJSON_Parse(tmp);
+ struct doh_maat_rule_t *hit_rule = &(get_ex_param->hit_rule);
+ if(hit_rule==NULL || hit_rule->srv_def_large==NULL)
+ {
+ goto end;
+ }
+ memcpy(ctx->result, hit_rule, sizeof(struct doh_maat_rule_t));
+ TFE_LOG_INFO(g_doh_conf->local_logger, "%s hit %lld %s", str_stream_info, p_result, hit_rule->srv_def_large);
+
+ object = cJSON_Parse(hit_rule->srv_def_large);
if (object == NULL)
{
goto end;
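Review bot: `memcpy(ctx->result, hit_rule, sizeof(struct doh_maat_rule_t))` copies the `srv_def_large` pointer out of the ex-data into `ctx->result`, but the ex-data is released at `end:` in the next hunk via `doh_action_param_free_cb`, which frees `srv_def_large` once `ref_cnt` drops to zero (for instance after a table reload), so `ctx->result` can hold a dangling pointer for the rest of the session. Either duplicate the string into the context (a `strdup` of `srv_def_large` stored in `ctx->result` and freed with the ctx) or hold the reference until the ctx is destroyed. The key passed to `maat_plugin_table_get_ex_data` is `(const char *)&p_result`, the raw bytes of a `long long`, whereas the ja3 caller passes a NUL-terminated hash string for the same parameter; unless maat4 accepts binary keys for this table the id should be formatted first, `char key[32]; snprintf(key, sizeof key, "%lld", p_result);`. `hit_rule == NULL` can never be true since it is `&get_ex_param->hit_rule`, and `doh_action_param_free_cb` is the release primitive yet is non-`static` and named as a callback; a `static` `doh_action_param_release()` wrapper would read more clearly. doh_get_cheat_data continues past this hunk.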
@@ -176,30 +234,28 @@ end:
cJSON_Delete(object);
object = NULL;
}
-
- if (tmp)
+ if(get_ex_param)
{
- free(tmp);
- tmp = NULL;
+ doh_action_param_free_cb(0, (void**)&get_ex_param, 0, NULL);
}
}
-static struct Maat_rule_t *doh_fetch_rule(Maat_rule_t *result, int result_num)
+static long long doh_fetch_rule(long long *result, int result_num)
{
int i = 0;
- Maat_rule_t *p_result = NULL;
+ long long p_result = 0;
for (i = 0; i < result_num && i < MAX_SCAN_RESULT; i++)
{
- if (p_result == NULL)
+ if (p_result == 0)
{
- p_result = &result[i];
+ p_result = result[i];
continue;
}
- if (result[i].config_id > p_result->config_id)
+ if (result[i] > p_result)
{
- p_result = &result[i];
+ p_result = result[i];
}
}
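Review bot: `p_result = 0` now doubles as the "no rule" sentinel where the old code used NULL, so a rule whose id is 0 is indistinguishable from no hit, and the `== 0` branch is only equivalent to a plain maximum if ids are positive. If maat4 guarantees positive rule ids, the body reduces to `if (result[i] > p_result) { p_result = result[i]; }` with the first branch dropped; otherwise a separate found flag is needed. A comment on the function, `// returns the largest hit rule id, 0 when result is empty`, would make the sentinel visible to callers. doh_fetch_rule's return is outside this hunk.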
@@ -211,23 +267,24 @@ static void doh_maat_scan(const struct tfe_stream *stream, const struct tfe_http
int hit_cnt = 0;
int scan_ret = 0;
int app_id = 8006;
+ size_t n_hit_result;
struct ipaddr sapp_addr;
- struct Maat_rule_t *p_result = NULL;
- struct Maat_rule_t result[MAX_SCAN_RESULT];
+ long long p_result = 0;
+ long long result[MAX_SCAN_RESULT];
- scan_ret = tfe_scan_subscribe_id(stream, result, &(ctx->scan_mid), hit_cnt, ctx->thread_id, g_doh_conf->local_logger);
+ scan_ret = tfe_scan_subscribe_id(stream, result, ctx->scan_mid, hit_cnt, g_doh_conf->local_logger);
if (scan_ret > 0)
{
hit_cnt += scan_ret;
}
- scan_ret = tfe_scan_ip_location(stream, result, &(ctx->scan_mid), hit_cnt, ctx->thread_id, g_doh_conf->local_logger, &(ctx->location_server), &(ctx->location_client));
+ scan_ret = tfe_scan_ip_location(stream, result, ctx->scan_mid, hit_cnt, g_doh_conf->local_logger, &(ctx->location_server), &(ctx->location_client));
if (scan_ret > 0)
{
hit_cnt += scan_ret;
}
- scan_ret = tfe_scan_ip_asn(stream, result, &(ctx->scan_mid), hit_cnt, ctx->thread_id, g_doh_conf->local_logger, &(ctx->asn_server), &(ctx->asn_client));
+ scan_ret = tfe_scan_ip_asn(stream, result, ctx->scan_mid, hit_cnt, g_doh_conf->local_logger, &(ctx->asn_server), &(ctx->asn_client));
if (scan_ret > 0)
{
hit_cnt += scan_ret;
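Review bot: `size_t n_hit_result;` is declared without an initializer, unlike the same variable in common/src/tfe_scan.cpp, and in the last hunk of this file (which runs past the end of this view) it is tested as `if (n_hit_result == MAAT_SCAN_HIT)` after the source-address `maat_scan_ipv4` call; that compares the hit count with the return code (the destination scan correctly tests `scan_ret`), and if the library leaves the out-parameter untouched on a miss it reads an indeterminate value. Initialize it, `size_t n_hit_result = 0;`, and change that test to `if (scan_ret == MAAT_SCAN_HIT)`. `ctx->scan_mid` is now passed by value instead of `&(ctx->scan_mid)`, so the field must have become a `struct maat_state *`; if it is allocated per ctx, its release site should be checked in the same commit. doh_maat_scan starts and ends outside this hunk.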
@@ -237,13 +294,13 @@ static void doh_maat_scan(const struct tfe_stream *stream, const struct tfe_http
const char *host = session->req->req_spec.host;
if (host)
{
- scan_ret = Maat_full_scan_string(g_doh_conf->maat, g_doh_conf->tables[TYPE_HOST].id, CHARSET_UTF8,
- host, strlen(host), result + hit_cnt, NULL, MAX_SCAN_RESULT - hit_cnt, &(ctx->scan_mid), ctx->thread_id);
- if (scan_ret > 0)
+ scan_ret = maat_scan_string(g_doh_conf->maat, g_doh_conf->tables[TYPE_HOST].id,host, strlen(host),
+ result + hit_cnt, MAX_SCAN_RESULT - hit_cnt, &n_hit_result, ctx->scan_mid);
+ if (scan_ret == MAAT_SCAN_HIT)
{
- TFE_LOG_INFO(g_doh_conf->local_logger, "Scan %s, Hit host: %s scan ret: %d policy_id: %d service: %d action: %d addr: %s",
- g_doh_conf->tables[TYPE_HOST].name, host, scan_ret, result[hit_cnt].config_id, result[hit_cnt].service_id, result[hit_cnt].action, stream->str_stream_info);
- hit_cnt += scan_ret;
+ TFE_LOG_INFO(g_doh_conf->local_logger, "Scan %s, Hit host: %s scan ret: %d policy_id: %lld addr: %s",
+ g_doh_conf->tables[TYPE_HOST].name, host, scan_ret, result[hit_cnt], stream->str_stream_info);
+ hit_cnt += n_hit_result;
}
else
{
@@ -251,7 +308,7 @@ static void doh_maat_scan(const struct tfe_stream *stream, const struct tfe_http
g_doh_conf->tables[TYPE_HOST].name, host, scan_ret, stream->str_stream_info);
}
- scan_ret = tfe_scan_fqdn_cat(stream, result, &(ctx->scan_mid), hit_cnt, ctx->thread_id, g_doh_conf->local_logger, g_doh_conf->tables[TYPE_HOST].id);
+ scan_ret = tfe_scan_fqdn_cat(stream, result, ctx->scan_mid, hit_cnt, g_doh_conf->local_logger, g_doh_conf->tables[TYPE_HOST_CAT].id);
if( scan_ret > 0)
{
hit_cnt += scan_ret;
@@ -260,27 +317,48 @@ static void doh_maat_scan(const struct tfe_stream *stream, const struct tfe_http
// scan addr
doh_addr_tfe2sapp(stream->addr, &sapp_addr);
- scan_ret = Maat_scan_proto_addr(g_doh_conf->maat, g_doh_conf->tables[TYPE_ADDR].id, &sapp_addr,
- 0, result + hit_cnt, MAX_SCAN_RESULT - hit_cnt, &(ctx->scan_mid), ctx->thread_id);
- if (scan_ret > 0)
+ if (sapp_addr.addrtype == ADDR_TYPE_IPV4)
{
- TFE_LOG_INFO(g_doh_conf->local_logger, "Scan %s, Hit addr: %s scan ret: %d policy_id: %d service: %d action: %d",
- g_doh_conf->tables[TYPE_ADDR].name, stream->str_stream_info, scan_ret, result[hit_cnt].config_id, result[hit_cnt].service_id, result[hit_cnt].action);
- hit_cnt += scan_ret;
+ scan_ret = maat_scan_ipv4(g_doh_conf->maat, g_doh_conf->tables[TYPE_SRC_ADDR].id,sapp_addr.v4->saddr,
+ sapp_addr.v4->source, 0, result+hit_cnt, MAX_SCAN_RESULT-hit_cnt,
+ &n_hit_result, ctx->scan_mid);
+ if (n_hit_result == MAAT_SCAN_HIT)
+ {
+ hit_cnt += n_hit_result;
+ }
+ scan_ret = maat_scan_ipv4(g_doh_conf->maat, g_doh_conf->tables[TYPE_DST_ADDR].id,sapp_addr.v4->daddr,
+ sapp_addr.v4->dest, 0, result+hit_cnt, MAX_SCAN_RESULT-hit_cnt,
+ &n_hit_result, ctx->scan_mid);
+
+ if(scan_ret == MAAT_SCAN_HIT)
+ {
+ hit_cnt += n_hit_result;
+ }
}
- else
+ if (sapp_addr.addrtype == ADDR_TYPE_IPV6)
{
- TFE_LOG_INFO(g_doh_conf->local_logger, "Scan %s, NO hit addr: %s scan ret: %d",
- g_doh_conf->tables[TYPE_ADDR].name, stream->str_stream_info, scan_ret);
- }
-
+ scan_ret = maat_scan_ipv6(g_doh_conf->maat, g_doh_conf->tables[TYPE_SRC_ADDR].id, sapp_addr.v6->saddr,
+ sapp_addr.v6->source, 0, result+hit_cnt, MAX_SCAN_RESULT-hit_cnt,
+ &n_hit_result, ctx->scan_mid);
+ if (scan_ret == MAAT_SCAN_HIT)
+ {
+ hit_cnt += n_hit_result;
+ }
+ scan_ret = maat_scan_ipv6(g_doh_conf->maat,g_doh_conf->tables[TYPE_DST_ADDR].id, sapp_addr.v6->daddr,
+ sapp_addr.v6->dest, 0, result+hit_cnt, MAX_SCAN_RESULT-hit_cnt,
+ &n_hit_result, ctx->scan_mid);
+ if (scan_ret == MAAT_SCAN_HIT)
+ {
+ hit_cnt += n_hit_result;
+ }
+ }
// scan appid
- scan_ret=Maat_scan_intval(g_doh_conf->maat, g_doh_conf->tables[TYPE_APPID].id, app_id, result + hit_cnt, MAX_SCAN_RESULT - hit_cnt, &(ctx->scan_mid), ctx->thread_id);
- if (scan_ret > 0)
+ scan_ret=maat_scan_integer(g_doh_conf->maat, g_doh_conf->tables[TYPE_APPID].id, app_id, result + hit_cnt, MAX_SCAN_RESULT - hit_cnt, &n_hit_result, ctx->scan_mid);
+ if (scan_ret == MAAT_SCAN_HIT)
{
- TFE_LOG_INFO(g_doh_conf->local_logger, "Scan %s, Hit proto: %d scan ret: %d policy_id: %d service: %d action: %d addr: %s",
- g_doh_conf->tables[TYPE_APPID].name, app_id, scan_ret, result[hit_cnt].config_id, result[hit_cnt].service_id, result[hit_cnt].action, stream->str_stream_info);
- hit_cnt += scan_ret;
+ TFE_LOG_INFO(g_doh_conf->local_logger, "Scan %s, Hit proto: %d scan ret: %d policy_id: %lld addr: %s",
+ g_doh_conf->tables[TYPE_APPID].name, app_id, scan_ret, result[hit_cnt], stream->str_stream_info);
+ hit_cnt += n_hit_result;
}
else
{
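Review bot: L729 tests `n_hit_result == MAAT_SCAN_HIT` where the three sibling checks (L737, L752, L759) test `scan_ret == MAAT_SCAN_HIT`; as written, source-IPv4 hits are only counted when the hit count happens to equal the enum value, so TSG_SECURITY_SOURCE_ADDR matches are effectively dropped for IPv4 traffic. The line should read `if (scan_ret == MAAT_SCAN_HIT)`. Also, if `sapp_addr.addrtype` is neither `ADDR_TYPE_IPV4` nor `ADDR_TYPE_IPV6`, the address scan is silently skipped with no log, unlike the other scans in this function; a debug log in that case would make the gap visible.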
@@ -289,13 +367,13 @@ static void doh_maat_scan(const struct tfe_stream *stream, const struct tfe_http
}
// scan qname
- scan_ret = Maat_full_scan_string(g_doh_conf->maat, g_doh_conf->tables[TYPE_QNAME].id, CHARSET_UTF8,
- qname, strlen(qname), result + hit_cnt, NULL, MAX_SCAN_RESULT - hit_cnt, &(ctx->scan_mid), ctx->thread_id);
- if (scan_ret > 0)
+ scan_ret = maat_scan_string(g_doh_conf->maat, g_doh_conf->tables[TYPE_QNAME].id, qname, strlen(qname),
+ result + hit_cnt, MAX_SCAN_RESULT - hit_cnt, &n_hit_result, ctx->scan_mid);
+ if (scan_ret == MAAT_SCAN_HIT)
{
- TFE_LOG_INFO(g_doh_conf->local_logger, "Scan %s, Hit domain: %s scan ret: %d qtype: %d policy_id: %d service: %d action: %d addr: %s",
- g_doh_conf->tables[TYPE_QNAME].name, qname, scan_ret, qtype, result[hit_cnt].config_id, result[hit_cnt].service_id, result[hit_cnt].action, stream->str_stream_info);
- hit_cnt += scan_ret;
+ TFE_LOG_INFO(g_doh_conf->local_logger, "Scan %s, Hit domain: %s scan ret: %d qtype: %d policy_id: %lld addr: %s",
+ g_doh_conf->tables[TYPE_QNAME].name, qname, scan_ret, qtype, result[hit_cnt], stream->str_stream_info);
+ hit_cnt += n_hit_result;
}
else
{
@@ -306,11 +384,10 @@ static void doh_maat_scan(const struct tfe_stream *stream, const struct tfe_http
if (hit_cnt)
{
p_result = doh_fetch_rule(result, hit_cnt);
- if (p_result)
+ if (p_result != 0)
{
ctx->result_num = 1;
- ctx->result = ALLOC(struct Maat_rule_t, ctx->result_num);
- memcpy(ctx->result, p_result, sizeof(struct Maat_rule_t));
+ ctx->result = ALLOC(struct doh_maat_rule_t, ctx->result_num);
doh_get_cheat_data(p_result, qtype, ctx, stream->str_stream_info);
}
}
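Review bot: The `memcpy` that used to fill `ctx->result` from the matched rule is removed, but nothing in this hunk now populates the freshly allocated `struct doh_maat_rule_t`; `doh_send_log` (logger.cpp hunk at L866) reads `ctx->result`, so unless `doh_get_cheat_data` fills it in, the log will carry an empty or unspecified rule. If `doh_get_cheat_data` is responsible, add `// ctx->result is filled in by doh_get_cheat_data()` above L809; otherwise copy the matched rule's fields here. The `p_result != 0` comparison on L803 also suggests `p_result` is no longer a pointer; its declaration is outside the hunk, so please confirm that 0 cannot be a valid match value.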
@@ -318,18 +395,20 @@ static void doh_maat_scan(const struct tfe_stream *stream, const struct tfe_http
static int doh_maat_init(const char *profile, const char *section)
{
- g_doh_conf->maat = (Maat_feather_t)tfe_bussiness_resouce_get(STATIC_MAAT);
+ g_doh_conf->maat = (struct maat *)tfe_bussiness_resouce_get(STATIC_MAAT);
MESA_load_profile_string_def(profile, section, "table_appid", g_doh_conf->tables[TYPE_APPID].name, TFE_STRING_MAX, "TSG_OBJ_APP_ID");
- MESA_load_profile_string_def(profile, section, "table_addr", g_doh_conf->tables[TYPE_ADDR].name, TFE_STRING_MAX, "TSG_SECURITY_ADDR");
+ MESA_load_profile_string_def(profile, section, "table_src_addr", g_doh_conf->tables[TYPE_SRC_ADDR].name, TFE_STRING_MAX, "TSG_SECURITY_SOURCE_ADDR");
+ MESA_load_profile_string_def(profile, section, "table_dst_addr", g_doh_conf->tables[TYPE_DST_ADDR].name, TFE_STRING_MAX, "TSG_SECURITY_DESTINATION_ADDR");
MESA_load_profile_string_def(profile, section, "table_qname", g_doh_conf->tables[TYPE_QNAME].name, TFE_STRING_MAX, "TSG_FIELD_DOH_QNAME");
- MESA_load_profile_string_def(profile, section, "table_host", g_doh_conf->tables[TYPE_HOST].name, TFE_STRING_MAX, "TSG_FIELD_HTTP_HOST");
+ MESA_load_profile_string_def(profile, section, "table_host", g_doh_conf->tables[TYPE_HOST].name, TFE_STRING_MAX, "TSG_FIELD_DOH_HOST");
+ MESA_load_profile_string_def(profile, section, "table_host_cat", g_doh_conf->tables[TYPE_HOST_CAT].name, TFE_STRING_MAX, "TSG_FIELD_DOH_HOST_CAT");
for (int i = 0; i < TYPE_MAX; i++)
{
- g_doh_conf->tables[i].id = Maat_table_register(g_doh_conf->maat, g_doh_conf->tables[i].name);
+ g_doh_conf->tables[i].id = maat_get_table_id(g_doh_conf->maat, g_doh_conf->tables[i].name);
if (g_doh_conf->tables[i].id < 0)
{
- TFE_LOG_ERROR(g_doh_conf->local_logger, "Maat_table_register failed, table_name: %s", g_doh_conf->tables[i].name);
+ TFE_LOG_ERROR(g_doh_conf->local_logger, "maat_get_table_id failed, table_name: %s", g_doh_conf->tables[i].name);
return -1;
}
}
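Review bot: `g_doh_conf->maat` is taken from `tfe_bussiness_resouce_get(STATIC_MAAT)` on L816 and passed straight to `maat_get_table_id` on L828 with no NULL check; if the shared resource is absent and `maat_get_table_id` does not tolerate NULL, init dereferences a null pointer instead of failing cleanly. I would add `if (!g_doh_conf->maat) { TFE_LOG_ERROR(g_doh_conf->local_logger, "STATIC_MAAT resource not available"); return -1; }` right after L816. Separately, the default for `table_host` changes from `TSG_FIELD_HTTP_HOST` to `TSG_FIELD_DOH_HOST` (L823); deployments relying on the default will bind to a different table, which deserves a comment or changelog line.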
@@ -377,7 +456,7 @@ static struct doh_ctx *doh_ctx_new(unsigned int thread_id)
ctx->magic_num = DOH_CTX_MAGIC_NUM;
ctx->thread_id = (int)thread_id;
- ctx->scan_mid = NULL;
+ ctx->scan_mid = maat_state_new(g_doh_conf->maat, thread_id);
ctx->opts_num = 0;
ctx->opts = NULL;
ctx->min_ttl = 0;
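Review bot: The `maat_state_new()` return on L840 is stored without a check; if it fails, `ctx->scan_mid` is NULL and every later scan call in `doh_maat_scan` receives a NULL state. Add `if (ctx->scan_mid == NULL) { TFE_LOG_ERROR(g_doh_conf->local_logger, "maat_state_new failed"); /* fail ctx creation */ }` or document that the scan API accepts NULL. Also note the lifecycle: the state is created once per ctx here but freed and nulled after each request in the hunk at L844-L851, so if a ctx can serve more than one DoH query, every query after the first scans with a NULL state; please confirm or recreate the state per request.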
@@ -524,7 +603,7 @@ static void doh_process_req(const struct tfe_stream *stream, const struct tfe_ht
}
doh_maat_scan(stream, session, ctx, (char *)ctx->doh_req->query_question.qname, ctx->doh_req->query_question.qtype);
- Maat_clean_status(&(ctx->scan_mid));
+ maat_state_free(ctx->scan_mid);
ctx->scan_mid = NULL;
if (!ctx->opts_num)
{
diff --git a/plugin/business/doh/src/logger.cpp b/plugin/business/doh/src/logger.cpp
index 1c65288..6cb1d6b 100644
--- a/plugin/business/doh/src/logger.cpp
+++ b/plugin/business/doh/src/logger.cpp
@@ -15,8 +15,8 @@ enum _log_action //Bigger action number is prior.
LG_ACTION_DROP = 0x20, /* N/A */
LG_ACTION_MANIPULATE = 0x30,
LG_ACTION_RATELIMIT = 0x40, /* N/A */
- LG_ACTION_LOOP = 0x60, /* N/A */
- LG_ACTION_WHITELIST = 0x80,
+ LG_ACTION_WHITELIST = 0x60,
+ LG_ACTION_SHUNT = 0x80,
__LG_ACTION_MAX
};
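Review bot: Reassigning `LG_ACTION_WHITELIST` from 0x80 to 0x60 and introducing `LG_ACTION_SHUNT` at 0x80 changes the precedence the enum comment defines ("Bigger action number is prior."): a whitelist verdict can now be outranked by a shunt verdict, where before it was the highest action. If that ordering is intended, it should be stated next to the enum, e.g. `/* SHUNT now takes precedence over WHITELIST */`. If these numeric values are ever emitted into logs or consumed downstream, the renumbering also changes the meaning of existing records and should be called out in the change description.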
@@ -299,7 +299,7 @@ int doh_kafka_init(const char *profile, struct doh_conf *conf)
int doh_send_log(struct doh_conf *handle, const struct tfe_http_session *http, const struct tfe_stream *stream, struct doh_ctx *ctx)
{
- Maat_rule_t *result = ctx->result;
+ struct doh_maat_rule_t *result = ctx->result;
size_t result_num = ctx->result_num;
dns_info_t *dns_info = ctx->doh_req;
const struct tfe_stream_addr *addr = stream->addr;
diff --git a/plugin/business/doh/src/pub.h b/plugin/business/doh/src/pub.h
index 82b9ec2..406b0f9 100644
--- a/plugin/business/doh/src/pub.h
+++ b/plugin/business/doh/src/pub.h
@@ -11,7 +11,7 @@ extern "C"
#include <tfe_resource.h>
#include <tfe_proxy.h>
#include <tfe_plugin.h>
-#include <MESA/Maat_rule.h>
+#include <MESA/maat.h>
#include <MESA/MESA_prof_load.h>
#include <tfe_kafka_logger.h>
@@ -30,10 +30,12 @@ enum pangu_http_stat
enum table_type
{
- TYPE_ADDR,
+ TYPE_SRC_ADDR,
+ TYPE_DST_ADDR,
TYPE_APPID,
TYPE_QNAME,
TYPE_HOST,
+ TYPE_HOST_CAT,
TYPE_MAX
};
@@ -68,10 +70,20 @@ struct doh_conf
struct event_base *gc_evbase;
screen_stat_handle_t fs_handle;
- Maat_feather_t maat;
+ struct maat *maat;
struct maat_table tables[TYPE_MAX];
};
+struct doh_maat_rule_t
+{
+ long long config_id;
+ int service_id;
+ unsigned char do_log;
+ unsigned char do_blacklist;
+ unsigned char action;
+ char *srv_def_large;
+};
+
struct doh_ctx
{
int count;
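Review bot: `struct doh_maat_rule_t` (L905-L913) is field-for-field identical to `struct log_rule_t` added in tsg_proxy_logger.h (hunk at L1391); two private copies of the same rule layout will drift silently when one is extended. Consider a single shared definition in a common header. Either way, the `char *srv_def_large` member has no ownership note; add `/* owned by the caller that fills the rule; not freed with the struct */` (or the opposite, whichever is true) so `doh_send_log` and the allocator in `doh_maat_scan` agree on who frees it.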
@@ -82,9 +94,9 @@ struct doh_ctx
int opts_num;
int vsys_id;
size_t result_num;
- Maat_rule_t *result;
+ struct doh_maat_rule_t *result;
cheat_pkt_opt_t *opts;
- scan_status_t scan_mid;
+ struct maat_state *scan_mid;
enum doh_content_type type;
struct evbuffer *http_req_body;
dns_info_t *doh_req;
diff --git a/plugin/business/ssl-policy/src/ssl_policy.cpp b/plugin/business/ssl-policy/src/ssl_policy.cpp
index 5ee9b3e..89858e4 100644
--- a/plugin/business/ssl-policy/src/ssl_policy.cpp
+++ b/plugin/business/ssl-policy/src/ssl_policy.cpp
@@ -1,6 +1,6 @@
#include <ssl_stream.h>
#include <tfe_utils.h>
-#include <MESA/Maat_rule.h>
+#include <MESA/maat.h>
#include <cjson/cJSON.h>
#include <openssl/ssl.h>
#include <assert.h>
@@ -9,7 +9,7 @@
struct ssl_policy_enforcer
{
- Maat_feather_t maat;
+ struct maat *maat;
int policy_table_id;
int profile_table_id;
void* logger;
@@ -43,7 +43,7 @@ struct decryption_param
int mirror_client_version;
};
-void intercept_param_dup_cb(int table_id, MAAT_PLUGIN_EX_DATA* to, MAAT_PLUGIN_EX_DATA* from, long argl, void* argp)
+void intercept_param_dup_cb(int table_id, void **to, void **from, long argl, void* argp)
{
struct intercept_param* param= (struct intercept_param*) *from;
if(param)
@@ -57,7 +57,8 @@ void intercept_param_dup_cb(int table_id, MAAT_PLUGIN_EX_DATA* to, MAAT_PLUGIN_E
}
return;
}
-void intercept_param_new_cb(int table_id, const char* key, const char* table_line, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp)
+
+void intercept_param_new_cb(const char *table_name, int table_id, const char* key, const char* table_line, void **ad, long argl, void* argp)
{
int ret=0;
size_t intercept_user_region_offset=0, len=0;
@@ -66,7 +67,7 @@ void intercept_param_new_cb(int table_id, const char* key, const char* table_lin
struct intercept_param* param=NULL;
struct ssl_policy_enforcer* enforcer=(struct ssl_policy_enforcer*)argp;
- ret=Maat_helper_read_column(table_line, 7, &intercept_user_region_offset, &len);
+ ret=maat_helper_read_column(table_line, 7, &intercept_user_region_offset, &len);
if(ret<0)
{
TFE_LOG_ERROR(enforcer->logger, "Get intercept user region: %s", table_line);
@@ -161,7 +162,7 @@ error_out:
free(json_str);
return;
}
-void intercept_param_free_cb(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp)
+void intercept_param_free_cb(int table_id, void **ad, long argl, void* argp)
{
struct ssl_policy_enforcer* enforcer=(struct ssl_policy_enforcer*)argp;
struct intercept_param* param= (struct intercept_param*) *ad;
@@ -183,7 +184,7 @@ void intercept_param_free(struct intercept_param* param)
return;
}
-void profile_param_dup_cb(int table_id, MAAT_PLUGIN_EX_DATA* to, MAAT_PLUGIN_EX_DATA* from, long argl, void* argp)
+void profile_param_dup_cb(int table_id, void **to, void **from, long argl, void* argp)
{
struct decryption_param* param= (struct decryption_param*) *from;
if(param)
@@ -197,7 +198,7 @@ void profile_param_dup_cb(int table_id, MAAT_PLUGIN_EX_DATA* to, MAAT_PLUGIN_EX_
}
return;
}
-void profile_param_free_cb(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp)
+void profile_param_free_cb(int table_id, void **ad, long argl, void* argp)
{
struct decryption_param* param= (struct decryption_param*) *ad;
if(param==NULL)
@@ -216,7 +217,7 @@ void profile_param_free(struct decryption_param* param)
profile_param_free_cb(0, (void**)&param, 0, NULL);
return;
}
-void profile_param_new_cb(int table_id, const char* key, const char* table_line, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp)
+void profile_param_new_cb(const char *table_name, int table_id, const char* key, const char* table_line, void **ad, long argl, void* argp)
{
int ret=0;
size_t offset=0, len=0;
@@ -225,7 +226,7 @@ void profile_param_new_cb(int table_id, const char* key, const char* table_line,
struct decryption_param* param=NULL;
struct ssl_policy_enforcer* enforcer=(struct ssl_policy_enforcer*)argp;
- ret=Maat_helper_read_column(table_line, 3, &offset, &len);
+ ret=maat_helper_read_column(table_line, 3, &offset, &len);
if(ret<0)
{
TFE_LOG_ERROR(enforcer->logger, "Get decryption param: %s", table_line);
@@ -319,29 +320,27 @@ error_out:
struct ssl_policy_enforcer* ssl_policy_enforcer_create(void* logger)
{
struct ssl_policy_enforcer* enforcer=ALLOC(struct ssl_policy_enforcer, 1);
- enforcer->maat=(Maat_feather_t)tfe_bussiness_resouce_get(STATIC_MAAT);;
+ enforcer->maat=(struct maat*)tfe_bussiness_resouce_get(STATIC_MAAT);;
enforcer->logger=logger;
- enforcer->policy_table_id=Maat_table_register(enforcer->maat, "TSG_SECURITY_COMPILE");
+ enforcer->policy_table_id=maat_get_table_id(enforcer->maat, "TSG_SECURITY_COMPILE");
assert(enforcer->policy_table_id >= 0);
- enforcer->profile_table_id=Maat_table_register(enforcer->maat, "TSG_PROFILE_DECRYPTION");
+ enforcer->profile_table_id=maat_get_table_id(enforcer->maat, "TSG_PROFILE_DECRYPTION");
assert(enforcer->profile_table_id >= 0);
- UNUSED int ret=Maat_plugin_EX_register(enforcer->maat,
- enforcer->policy_table_id,
- intercept_param_new_cb,
- intercept_param_free_cb,
- intercept_param_dup_cb,
- NULL,
- 0,
- enforcer);
+ UNUSED int ret=maat_plugin_table_ex_schema_register(enforcer->maat,
+ "TSG_SECURITY_COMPILE",
+ intercept_param_new_cb,
+ intercept_param_free_cb,
+ intercept_param_dup_cb,
+ 0,
+ enforcer);
assert(ret==0);
- ret=Maat_plugin_EX_register(enforcer->maat,
- enforcer->profile_table_id,
- profile_param_new_cb,
- profile_param_free_cb,
- profile_param_dup_cb,
- NULL,
- 0,
- enforcer);
+ ret=maat_plugin_table_ex_schema_register(enforcer->maat,
+ "TSG_PROFILE_DECRYPTION",
+ profile_param_new_cb,
+ profile_param_free_cb,
+ profile_param_dup_cb,
+ 0,
+ enforcer);
assert(ret==0);
return enforcer;
}
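Review bot: Failure of `maat_get_table_id` (L1027, L1030) and of `maat_plugin_table_ex_schema_register` (L1040, L1056) is only detected by `assert`, and `ret` is even marked `UNUSED`; with `NDEBUG` the enforcer is returned with negative table ids and unregistered schemas, and every later policy lookup silently fails to decrypt or intercept. For a security-policy component the checks should be runtime errors that log and return NULL (callers, outside this file, would then need to handle NULL). The stray `;;` on L1024 should also go.
```cpp
struct ssl_policy_enforcer* ssl_policy_enforcer_create(void* logger)
{
    struct ssl_policy_enforcer* enforcer=ALLOC(struct ssl_policy_enforcer, 1);
    enforcer->maat=(struct maat*)tfe_bussiness_resouce_get(STATIC_MAAT);
    enforcer->logger=logger;
    enforcer->policy_table_id=maat_get_table_id(enforcer->maat, "TSG_SECURITY_COMPILE");
    enforcer->profile_table_id=maat_get_table_id(enforcer->maat, "TSG_PROFILE_DECRYPTION");
    if(enforcer->policy_table_id < 0 || enforcer->profile_table_id < 0)
    {
        TFE_LOG_ERROR(logger, "ssl-policy: maat table lookup failed, policy=%d profile=%d",
                      enforcer->policy_table_id, enforcer->profile_table_id);
        free(enforcer);
        return NULL;
    }
    int ret=maat_plugin_table_ex_schema_register(enforcer->maat,
    // … unchanged: "TSG_SECURITY_COMPILE" callbacks, 0, enforcer …
    if(ret!=0)
    {
        TFE_LOG_ERROR(logger, "ssl-policy: ex schema register (TSG_SECURITY_COMPILE) failed, ret=%d", ret);
        free(enforcer);
        return NULL;
    }
    ret=maat_plugin_table_ex_schema_register(enforcer->maat,
    // … unchanged: "TSG_PROFILE_DECRYPTION" callbacks, 0, enforcer …
    if(ret!=0)
    {
        TFE_LOG_ERROR(logger, "ssl-policy: ex schema register (TSG_PROFILE_DECRYPTION) failed, ret=%d", ret);
        free(enforcer);
        return NULL;
    }
    return enforcer;
}
```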
@@ -359,7 +358,7 @@ enum ssl_stream_action ssl_policy_enforce(struct ssl_stream *upstream, void* u_p
ret=ssl_stream_get_integer_opt(upstream, SSL_STREAM_OPT_INTERCEPT_POLICY_ID, &policy_id);
assert(ret==0);
snprintf(policy_id_str, sizeof(policy_id_str), "%d", policy_id);
- policy_param=(struct intercept_param *)Maat_plugin_get_EX_data(enforcer->maat, enforcer->policy_table_id, policy_id_str);
+ policy_param=(struct intercept_param *)maat_plugin_table_get_ex_data(enforcer->maat, enforcer->policy_table_id, policy_id_str);
if(policy_param==NULL)
{
TFE_LOG_INFO(enforcer->logger, "Failed to get intercept parameter of policy %d.", policy_id);
@@ -374,7 +373,7 @@ enum ssl_stream_action ssl_policy_enforce(struct ssl_stream *upstream, void* u_p
}
snprintf(profile_id_str, sizeof(profile_id_str), "%u", policy_param->decryption_profile_id);
- profile_param=(struct decryption_param *)Maat_plugin_get_EX_data(enforcer->maat, enforcer->profile_table_id, profile_id_str);
+ profile_param=(struct decryption_param *)maat_plugin_table_get_ex_data(enforcer->maat, enforcer->profile_table_id, profile_id_str);
if (profile_param==NULL)
{
TFE_LOG_INFO(enforcer->logger, "Failed to get decryption parameter of profile %s.", profile_id_str);
diff --git a/plugin/business/ssl-policy/src/ssl_policy.h b/plugin/business/ssl-policy/src/ssl_policy.h
index e38f98d..f4c784c 100644
--- a/plugin/business/ssl-policy/src/ssl_policy.h
+++ b/plugin/business/ssl-policy/src/ssl_policy.h
@@ -1,6 +1,6 @@
#pragma once
#include <ssl_stream.h>
-#include <MESA/Maat_rule.h>
+#include <MESA/maat.h>
struct ssl_policy_enforcer;
struct ssl_policy_enforcer* ssl_policy_enforcer_create(void* logger);
diff --git a/plugin/business/traffic-mirror/include/traffic_mirror.h b/plugin/business/traffic-mirror/include/traffic_mirror.h
index aedc628..9b1a3cd 100644
--- a/plugin/business/traffic-mirror/include/traffic_mirror.h
+++ b/plugin/business/traffic-mirror/include/traffic_mirror.h
@@ -4,6 +4,7 @@
#include <tfe_stream.h>
#include <netinet/ether.h>
#include <MESA/Maat_rule.h>
+#include <MESA/maat.h>
#include <pcap/pcap.h>
enum traffic_mirror_ethdev_type
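Review bot: L1102 adds `#include <MESA/maat.h>` but keeps `#include <MESA/Maat_rule.h>` on L1101, whereas every other file in this commit (pub.h, ssl_policy.cpp/.h, tsg_proxy_web_cache.h) replaces the old header. Unless something in this header still needs a Maat_rule.h type, the old include should be dropped so the legacy API cannot be reached by accident from the traffic-mirror plugin.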
@@ -25,7 +26,7 @@ struct traffic_mirror_instance
unsigned int nr_threads;
unsigned int default_vlan_id;
- Maat_feather_t maat_feather;
+ struct maat* maat_feather;
int policy_table_id;
int profile_table_id;
diff --git a/plugin/business/traffic-mirror/src/entry.cpp b/plugin/business/traffic-mirror/src/entry.cpp
index 3dd5135..6d08632 100644
--- a/plugin/business/traffic-mirror/src/entry.cpp
+++ b/plugin/business/traffic-mirror/src/entry.cpp
@@ -28,8 +28,8 @@ void policy_table_ex_data_free(struct policy_table_ex_data * object)
if ((__sync_sub_and_fetch(&object->atomic_refcnt, 1) == 0)) free(object);
}
-void policy_table_ex_data_dup_cb(int table_id, MAAT_PLUGIN_EX_DATA * to,
- MAAT_PLUGIN_EX_DATA * from, long argl, void * argp)
+void policy_table_ex_data_dup_cb(int table_id, void **to,
+ void **from, long argl, void * argp)
{
struct policy_table_ex_data * ex_data = (struct policy_table_ex_data *)*from;
if(ex_data==NULL)
@@ -43,7 +43,7 @@ void policy_table_ex_data_dup_cb(int table_id, MAAT_PLUGIN_EX_DATA * to,
}
}
-void policy_table_ex_data_free_cb(int table_id, MAAT_PLUGIN_EX_DATA * ad, long argl, void * argp)
+void policy_table_ex_data_free_cb(int table_id, void **ad, long argl, void * argp)
{
struct policy_table_ex_data * ex_data = (struct policy_table_ex_data *)*ad;
if(ex_data)
@@ -52,8 +52,8 @@ void policy_table_ex_data_free_cb(int table_id, MAAT_PLUGIN_EX_DATA * ad, long a
}
}
-void policy_table_ex_data_new_cb(int table_id, const char * key, const char * table_line,
- MAAT_PLUGIN_EX_DATA * ad, long argl, void * argp)
+void policy_table_ex_data_new_cb(const char *table_name, int table_id, const char * key, const char * table_line,
+ void **ad, long argl, void * argp)
{
struct traffic_mirror_instance * instance = (struct traffic_mirror_instance *) argp;
assert(instance != nullptr && instance->logger != nullptr);
@@ -68,7 +68,7 @@ void policy_table_ex_data_new_cb(int table_id, const char * key, const char * ta
size_t user_region_offset;
size_t user_region_len;
- int result = Maat_helper_read_column(table_line, 7, &user_region_offset, &user_region_len);
+ int result = maat_helper_read_column(table_line, 7, &user_region_offset, &user_region_len);
if (unlikely(result < 0))
{
TFE_LOG_ERROR(instance->logger, "Failed at get policy table's user region.");
@@ -158,8 +158,8 @@ void profile_table_ex_data_free(struct profile_table_ex_data * object)
if ((__sync_sub_and_fetch(&object->atomic_refcnt, 1) == 0)) free(object);
}
-void profile_table_ex_data_dup_cb(int table_id, MAAT_PLUGIN_EX_DATA * to,
- MAAT_PLUGIN_EX_DATA * from, long argl, void * argp)
+void profile_table_ex_data_dup_cb(int table_id, void **to,
+ void **from, long argl, void * argp)
{
struct profile_table_ex_data * ex_data = (struct profile_table_ex_data *)*from;
if(ex_data)
@@ -173,7 +173,7 @@ void profile_table_ex_data_dup_cb(int table_id, MAAT_PLUGIN_EX_DATA * to,
}
}
-void profile_table_ex_data_free_cb(int table_id, MAAT_PLUGIN_EX_DATA * ad, long argl, void * argp)
+void profile_table_ex_data_free_cb(int table_id, void **ad, long argl, void * argp)
{
struct profile_table_ex_data * ex_data = (struct profile_table_ex_data *)*ad;
if(ex_data)
@@ -182,8 +182,8 @@ void profile_table_ex_data_free_cb(int table_id, MAAT_PLUGIN_EX_DATA * ad, long
}
}
-void profile_table_ex_data_new_cb(int table_id, const char * key, const char * table_line,
- MAAT_PLUGIN_EX_DATA * ad, long argl, void * argp)
+void profile_table_ex_data_new_cb(const char *table_name, int table_id, const char * key, const char * table_line,
+ void **ad, long argl, void * argp)
{
struct traffic_mirror_instance * instance = (struct traffic_mirror_instance *) argp;
assert(instance != nullptr && instance->logger != nullptr);
@@ -197,7 +197,7 @@ void profile_table_ex_data_new_cb(int table_id, const char * key, const char * t
size_t addr_list_offset;
size_t addr_list_len;
- int result = Maat_helper_read_column(table_line, 3, &addr_list_offset, &addr_list_len);
+ int result = maat_helper_read_column(table_line, 3, &addr_list_offset, &addr_list_len);
if (unlikely(result < 0))
{
TFE_LOG_ERROR(instance->logger, "Failed at get profile table's addrlist.");
@@ -244,7 +244,7 @@ void profile_table_ex_data_new_cb(int table_id, const char * key, const char * t
goto ignore;
}
- TFE_LOG_DEBUG(instance->logger, "traffic mirror profile %s: vlan id[%d]: %d", key, iter, vlan_in_number);
+ TFE_LOG_DEBUG(instance->logger, "traffic mirror profile %s: vlan id[%d]£º %d", key, iter, vlan_in_number);
ex_data->rewrite_vlan = 1;
ex_data->vlans[iter] = vlan_in_number;
ex_data->ether_addrs[iter] = ether_addr_broadcast;
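Review bot: The only change in this hunk, L1192, replaces the ASCII colon in the debug format string with `£º`, which looks like a full-width colon mis-encoded through a non-UTF-8 editor; it introduces non-ASCII bytes into a log line for no functional reason. Revert to the original `"traffic mirror profile %s: vlan id[%d]: %d"`.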
@@ -284,14 +284,13 @@ out:
#define MAAT_INPUT_REDIS 1
#define MAAT_INPUT_FILE 2
-static Maat_feather_t maat_feather_create_with_override(const char * instance_name,
+static struct maat* maat_feather_create_with_override(const char * instance_name,
const char * profile, const char * section, const char * override_section,
unsigned int max_thread, void * logger)
{
- Maat_feather_t target;
+ struct maat *target=NULL;
int input_mode = 0, maat_stat_on = 0, maat_perf_on = 0;
- int ret = 0, scan_detail = 0, effect_interval = 60;
-
+ int ret = 0, effect_interval = 60, log_level=0;
char table_info[TFE_STRING_MAX] = {0}, inc_cfg_dir[TFE_STRING_MAX] = {0}, ful_cfg_dir[TFE_STRING_MAX] = {0};
char redis_server[TFE_STRING_MAX] = {0};
char redis_port_range[TFE_STRING_MAX] = {0};
@@ -310,9 +309,9 @@ static Maat_feather_t maat_feather_create_with_override(const char * instance_na
MESA_load_profile_string_def(profile, section, "accept_tags", accept_tags, sizeof(accept_tags), "");
MESA_load_profile_string_def(profile, section, "json_cfg_file", json_cfg_file, sizeof(json_cfg_file), "");
MESA_load_profile_string_def(profile, section, "maat_redis_server", redis_server, sizeof(redis_server), "");
- MESA_load_profile_string_def(profile, section, "maat_redis_port_range", redis_port_range, sizeof(redis_server),
- "6379");
+ MESA_load_profile_string_def(profile, section, "maat_redis_port_range", redis_port_range, sizeof(redis_server),"6379");
MESA_load_profile_int_def(profile, section, "deferred_load_on", &(deferred_load_on), 0);
+ MESA_load_profile_int_def(profile, section, "log_level", &(log_level), LOG_LEVEL_FATAL);
ret = sscanf(redis_port_range, "%d-%d", &redis_port_begin, &redis_port_end);
if (ret == 1)
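Review bot: The rewritten L1219 still passes `sizeof(redis_server)` as the size of `redis_port_range`; both buffers are `TFE_STRING_MAX` today (L1211-L1212), so it is harmless now, but the bound belongs to the buffer being written: `sizeof(redis_port_range)`. The new `log_level` option on L1221 is read from the profile as a plain int and later cast to `enum log_level`; see the note on the following hunk about validating it.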
@@ -344,53 +343,57 @@ static Maat_feather_t maat_feather_create_with_override(const char * instance_na
assert(strlen(inc_cfg_dir) != 0 || strlen(ful_cfg_dir) != 0 || strlen(redis_server) != 0
|| strlen(json_cfg_file) != 0);
- target = Maat_feather(max_thread, table_info, logger);
- Maat_set_feather_opt(target, MAAT_OPT_INSTANCE_NAME, instance_name, strlen(instance_name) + 1);
+ struct maat_options *opts = maat_options_new();
+ maat_options_set_logger(opts, "log/maat.log", (enum log_level)log_level);
+ maat_options_set_caller_thread_number(opts, max_thread);
+ maat_options_set_instance_name(opts, instance_name);
+
switch (input_mode)
{
case MAAT_INPUT_JSON:
- Maat_set_feather_opt(target, MAAT_OPT_JSON_FILE_PATH, json_cfg_file, strlen(json_cfg_file) + 1);
+ maat_options_set_json_file(opts, json_cfg_file);
break;
- case MAAT_INPUT_REDIS:Maat_set_feather_opt(target, MAAT_OPT_REDIS_IP, redis_server, strlen(redis_server) + 1);
- Maat_set_feather_opt(target, MAAT_OPT_REDIS_PORT, &redis_port_select, sizeof(redis_port_select));
- Maat_set_feather_opt(target, MAAT_OPT_REDIS_INDEX, &redis_db_idx, sizeof(redis_db_idx));
+ case MAAT_INPUT_REDIS:
+ maat_options_set_redis(opts, redis_server, redis_port_select, redis_db_idx);
break;
- case MAAT_INPUT_FILE: Maat_set_feather_opt(target, MAAT_OPT_FULL_CFG_DIR, ful_cfg_dir, strlen(ful_cfg_dir) + 1);
- Maat_set_feather_opt(target, MAAT_OPT_INC_CFG_DIR, inc_cfg_dir, strlen(inc_cfg_dir) + 1);
+ case MAAT_INPUT_FILE:
+ maat_options_set_iris(opts, ful_cfg_dir, inc_cfg_dir);
break;
default: TFE_LOG_ERROR(logger, "Invalid MAAT Input Mode: %d.", input_mode);
goto error_out;
break;
}
- if (maat_stat_on)
- {
- Maat_set_feather_opt(target, MAAT_OPT_STAT_FILE_PATH, maat_stat_file, strlen(maat_stat_file) + 1);
- Maat_set_feather_opt(target, MAAT_OPT_STAT_ON, NULL, 0);
- if (maat_perf_on)
- {
- Maat_set_feather_opt(target, MAAT_OPT_PERF_ON, NULL, 0);
- }
- }
+ if (maat_stat_on)
+ {
+ maat_options_set_stat_on(opts);
+ if (maat_perf_on)
+ {
+ maat_options_set_perf_on(opts);
+ }
+ }
- Maat_set_feather_opt(target, MAAT_OPT_DEFERRED_LOAD, &deferred_load_on, sizeof(deferred_load_on));
- Maat_set_feather_opt(target, MAAT_OPT_EFFECT_INVERVAL_MS, &effect_interval, sizeof(effect_interval));
- Maat_set_feather_opt(target, MAAT_OPT_SCAN_DETAIL, &scan_detail, sizeof(scan_detail));
+ if(deferred_load_on)
+ {
+ maat_options_set_deferred_load_on(opts);
+ }
+ maat_options_set_rule_effect_interval_ms(opts, effect_interval);
if (strlen(accept_tags) > 0)
{
- Maat_set_feather_opt(target, MAAT_OPT_ACCEPT_TAGS, &accept_tags, sizeof(accept_tags));
+ maat_options_set_accept_tags(opts, accept_tags);
}
- ret = Maat_initiate_feather(target);
- if (ret < 0)
+ target = maat_new(opts, table_info);
+ if (!target)
{
- TFE_LOG_ERROR(logger, "%s MAAT init failed.", __FUNCTION__);
+ TFE_LOG_ERROR(logger, "%s MAAT init failed.", __FUNCTION__);
goto error_out;
}
+ maat_options_free(opts);
+ return target;
- return target;
error_out:
- Maat_burn_feather(target);
+ maat_options_free(opts);
return NULL;
}
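Review bot: `maat_options_new()` on L1229 is not checked before `opts` is passed to the setter calls, so an allocation failure turns into a NULL dereference rather than the `NULL` return this function otherwise uses for errors; add `if (!opts) { TFE_LOG_ERROR(logger, "%s maat_options_new failed.", __FUNCTION__); return NULL; }` right after it. On L1230 the profile-supplied `log_level` is cast to `enum log_level` without a range check, and the log path `"log/maat.log"` is a hard-coded relative path that depends on the process's working directory; clamping the level and documenting (or configuring) the path would avoid surprises in deployment. The cleanup shape is otherwise correct: both exit paths free `opts`.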
@@ -467,34 +470,34 @@ int traffic_mirror_init(struct tfe_proxy * proxy)
}
/* REGISTER MAAT FEATHER */
- instance->policy_table_id = Maat_table_register(instance->maat_feather, "TSG_SECURITY_COMPILE");
- if (unlikely(instance->policy_table_id < 0))
+ instance->policy_table_id = maat_get_table_id(instance->maat_feather, "TSG_SECURITY_COMPILE");
+ if (instance->policy_table_id < 0)
{
TFE_LOG_ERROR(instance->logger, "failed at register table TSG_SECURITY_COMPILE, ret = %d",
instance->policy_table_id); goto errout;
}
- instance->profile_table_id = Maat_table_register(instance->maat_feather, "TSG_PROFILE_TRAFFIC_MIRROR");
- if (unlikely(instance->profile_table_id < 0))
+ instance->profile_table_id = maat_get_table_id(instance->maat_feather, "TSG_PROFILE_TRAFFIC_MIRROR");
+ if (instance->profile_table_id < 0)
{
TFE_LOG_ERROR(instance->logger, "failed at register table TSG_PROFILE_TRAFFIC_MIRROR, ret = %d",
instance->profile_table_id); goto errout;
}
- result = Maat_plugin_EX_register(instance->maat_feather, instance->policy_table_id,
+ result = maat_plugin_table_ex_schema_register(instance->maat_feather, "TSG_SECURITY_COMPILE",
policy_table_ex_data_new_cb, policy_table_ex_data_free_cb, policy_table_ex_data_dup_cb,
- nullptr, 0, instance);
+ 0, instance);
- if(unlikely(result < 0))
+ if(result < 0)
{
- TFE_LOG_ERROR(instance->logger, "failed at Maat_plugin_EX_register(TSG_SECURITY_COMPILE), "
+ TFE_LOG_ERROR(instance->logger, "failed at maat_plugin_table_ex_schema_register(TSG_SECURITY_COMPILE), "
"table_id = %d, ret = %d", instance->policy_table_id, result);
goto errout;
}
- result = Maat_plugin_EX_register(instance->maat_feather, instance->profile_table_id,
+ result = maat_plugin_table_ex_schema_register(instance->maat_feather, "TSG_PROFILE_TRAFFIC_MIRROR",
profile_table_ex_data_new_cb, profile_table_ex_data_free_cb, profile_table_ex_data_dup_cb,
- nullptr, 0, instance);
+ 0, instance);
if (unlikely(result < 0))
{
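Review bot: The hunk drops `unlikely()` from three error checks (L1308, L1316, L1327) but keeps it on L1339, and the error messages on L1310 and L1318 still say "register table" although the call is now `maat_get_table_id`; pick one convention for the four checks and rename the messages, e.g. `"failed at maat_get_table_id(TSG_SECURITY_COMPILE), ret = %d"`. The table names are also repeated as literals between the id lookup and the schema registration; a local `static const char *` per table would keep them from drifting apart.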
@@ -554,8 +557,7 @@ int traffic_mirror_on_open_cb(const struct tfe_stream * stream, unsigned int thr
}
snprintf(str_policy_id, sizeof(str_policy_id), "%u", opt_val);
- policy_ex_data = (struct policy_table_ex_data *) Maat_plugin_get_EX_data(instance->maat_feather,
- instance->policy_table_id, str_policy_id);
+ policy_ex_data = (struct policy_table_ex_data *)maat_plugin_table_get_ex_data(instance->maat_feather, instance->policy_table_id, str_policy_id);
if (!policy_ex_data || !policy_ex_data->enable)
{
goto detach;
@@ -582,8 +584,7 @@ int traffic_mirror_on_open_cb(const struct tfe_stream * stream, unsigned int thr
if (policy_ex_data->is_profile_set)
{
snprintf(str_profile_id, sizeof(str_policy_id), "%u", policy_ex_data->profile_id);
- profile_ex_data = (struct profile_table_ex_data *)Maat_plugin_get_EX_data(instance->maat_feather,
- instance->profile_table_id, str_profile_id);
+ profile_ex_data = (struct profile_table_ex_data *)maat_plugin_table_get_ex_data(instance->maat_feather, instance->profile_table_id, str_profile_id);
if (!profile_ex_data)
{
TFE_LOG_ERROR(instance->logger, "failed at getting policy %s's profile, profile id = %s, "
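Review bot: Context line L1353 formats `str_profile_id` with `sizeof(str_policy_id)` as the bound; the two declarations are outside the hunk, so if the buffers differ in size this is an over-read bound (or needless truncation) on a value derived from policy configuration. Since the line is being touched anyway, change it to `snprintf(str_profile_id, sizeof(str_profile_id), "%u", policy_ex_data->profile_id);`. The enclosing function `traffic_mirror_on_open_cb` starts and ends outside this hunk.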
@@ -718,7 +719,7 @@ void traffic_mirror_on_close_cb(const struct tfe_stream * stream, unsigned int t
{
return;
}
-
+
struct traffic_mirror_me * me = (struct traffic_mirror_me *)(*pme);
traffic_mirror_rebuild_farewell(me->rebuild_ctx, thread_id);
traffic_mirror_rebuild_destroy(me->rebuild_ctx);
diff --git a/plugin/business/tsg-http/include/http_lua.h b/plugin/business/tsg-http/include/http_lua.h
index 5f506cb..060fcec 100644
--- a/plugin/business/tsg-http/include/http_lua.h
+++ b/plugin/business/tsg-http/include/http_lua.h
@@ -19,11 +19,13 @@ struct tsg_script_ctx
int config_id;
int profile_id;
int http_req_uri;
+ int rewrite_header;
char *rewrite_uri;
int execut_lua_sucess;
struct elua_context *elua_ctx;
enum tfe_http_event events;
void * local_logger;
+ struct tfe_stream_addr * addr;
const struct tfe_http_session *session;
struct tfe_http_half *replacing;
struct evbuffer *http_body;
diff --git a/plugin/business/tsg-http/include/tsg_proxy_logger.h b/plugin/business/tsg-http/include/tsg_proxy_logger.h
index 7903bb7..1e60702 100644
--- a/plugin/business/tsg-http/include/tsg_proxy_logger.h
+++ b/plugin/business/tsg-http/include/tsg_proxy_logger.h
@@ -2,13 +2,22 @@
#include <tfe_stream.h>
#include <tfe_http.h>
-#include <MESA/Maat_rule.h>
+
+struct log_rule_t
+{
+ long long config_id;
+ int service_id;
+ unsigned char do_log;
+ unsigned char do_blacklist;
+ unsigned char action;
+ char *srv_def_large;
+};
struct proxy_log
{
const struct tfe_stream *stream;
const struct tfe_http_session* http;
- const Maat_rule_t*result;
+ const struct log_rule_t *result;
size_t result_num;
struct evbuffer* req_body, *resp_body;
unsigned char action;
diff --git a/plugin/business/tsg-http/include/tsg_proxy_web_cache.h b/plugin/business/tsg-http/include/tsg_proxy_web_cache.h
index 1f384a3..4ebfe23 100644
--- a/plugin/business/tsg-http/include/tsg_proxy_web_cache.h
+++ b/plugin/business/tsg-http/include/tsg_proxy_web_cache.h
@@ -2,12 +2,12 @@
#include <event2/event.h>
#include <event2/buffer.h>
#include <tfe_future.h>
-#include <MESA/Maat_rule.h>
+#include <MESA/maat.h>
struct cache_handle;
-struct cache_handle* create_web_cache_handle(const char* profile_path, const char* section,
- struct event_base* gc_evbase, Maat_feather_t feather, void *logger);
+struct cache_handle* create_web_cache_handle(const char* profile_path, const char* section,
+ struct event_base* gc_evbase, struct maat *feather, void *logger);
struct cached_meta
{
@@ -56,7 +56,7 @@ enum cache_pending_result web_cache_async_pending(struct cache_handle* handle, u
struct cache_write_context;
-struct cache_write_context* web_cache_write_start(struct cache_handle* handle, unsigned int thread_id,
+struct cache_write_context* web_cache_write_start(struct cache_handle* handle, unsigned int thread_id,
const struct tfe_http_session * session, struct cache_mid **mid);
void web_cache_write(struct cache_write_context* ctx, const unsigned char * body_frag, size_t frag_size);
//return 1 on success
diff --git a/plugin/business/tsg-http/src/http_lua.cpp b/plugin/business/tsg-http/src/http_lua.cpp
index b7bfb82..05cbb1f 100644
--- a/plugin/business/tsg-http/src/http_lua.cpp
+++ b/plugin/business/tsg-http/src/http_lua.cpp
@@ -449,6 +449,35 @@ static int http_lua_get_current_stage(struct elua_vm *vm)
return 1;
}
+static int http_lua_get_5tuple(struct elua_vm *vm)
+{
+ struct tsg_script_ctx *tsg_ctx = (struct tsg_script_ctx *)elua_get_execute_userdata(vm);
+ if(tsg_ctx == NULL)
+ {
+ return 0;
+ }
+ struct tfe_stream_addr * addr = tsg_ctx->addr;
+ if(addr == NULL)
+ {
+ return 0;
+ }
+
+ char ip_addr[64]={0};
+ unsigned int source=0,dest=0,protocol;
+ char src_ip_str[MAX(INET6_ADDRSTRLEN,INET_ADDRSTRLEN)] = {0};
+ char dst_ip_str[MAX(INET6_ADDRSTRLEN,INET_ADDRSTRLEN)] = {0};
+
+ protocol = addr->addrtype;
+ source = ntohs(addr->tuple4_v4->source);
+ dest = ntohs(addr->tuple4_v4->dest);
+ inet_ntop(AF_INET, &addr->tuple4_v4->saddr, src_ip_str, sizeof(src_ip_str));
+ inet_ntop(AF_INET, &addr->tuple4_v4->daddr, dst_ip_str, sizeof(dst_ip_str));
+ snprintf(ip_addr, sizeof(ip_addr), "%d %s %d %s %d", protocol, src_ip_str, source, dst_ip_str, dest);
+ http_set_string_to_lua(vm, ip_addr, strlen(ip_addr));
+
+ return 1;
+}
+
static int http_lua_get_headers(struct elua_vm *vm)
{
struct tsg_script_ctx *tsg_ctx = (struct tsg_script_ctx *)elua_get_execute_userdata(vm);
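Review bot: http_lua_get_5tuple copies `addr->addrtype` into `protocol` but then unconditionally formats `addr->tuple4_v4` with `AF_INET`, so for a non-IPv4 stream it reports the IPv4 view of the address regardless of what `addrtype` says. Until an IPv6 branch exists, bail out for other address types, `if (addr->addrtype != AF_INET) return 0;` (substituting the project's own IPv4 tag if `addrtype` is not an `AF_*` value), or format the IPv6 tuple explicitly. The `ip_addr[64]` buffer is also too small once IPv6 strings are printed (two 45-byte addresses plus ports and protocol), so size it as `char ip_addr[2 * INET6_ADDRSTRLEN + 32];`, and `protocol`, `source` and `dest` are `unsigned int` and belong with `%u` rather than `%d`.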
@@ -594,6 +623,48 @@ static int http_lua_set_headers(struct elua_vm *vm)
return 0;
}
+static int http_lua_rewrite_header(struct elua_vm *vm)
+{
+ struct tsg_script_ctx *tsg_ctx = (struct tsg_script_ctx *)elua_get_execute_userdata(vm);
+ if(tsg_ctx == NULL)
+ {
+ return 0;
+ }
+ const struct tfe_http_session * session = tsg_ctx->session;
+ if(session == NULL)
+ {
+ return 0;
+ }
+ struct tfe_http_half *replacing = tsg_ctx->replacing;
+ if(replacing == NULL)
+ {
+ return 0;
+ }
+
+ int out_lua_argc = 0;
+ struct elua_data *out_lua_argv = NULL;
+
+ out_lua_argc = http_get_param_from_lua(vm, &out_lua_argv);
+ if(out_lua_argc != 2 || out_lua_argv == NULL)
+ {
+ return 0;
+ }
+
+ char *field_name=out_lua_argv[0].buff, *field_value=out_lua_argv[1].buff;
+
+ if(field_name == NULL || field_value == NULL)
+ {
+ return 0;
+ }
+
+ tfe_http_nonstd_field_write(tsg_ctx->replacing, field_name, field_value);
+ tsg_ctx->execut_lua_sucess=1;
+ tsg_ctx->rewrite_header=1;
+
+ http_free_params(out_lua_argv);
+ return 0;
+}
+
static int http_lua_get_body(struct elua_vm *vm)
{
struct tsg_script_ctx *tsg_ctx = (struct tsg_script_ctx *)elua_get_execute_userdata(vm);
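Review bot: http_lua_rewrite_header leaks the argument array on its early-return paths: `http_get_param_from_lua` fills `out_lua_argv`, but the `out_lua_argc != 2` return and the NULL `field_name`/`field_value` return both skip `http_free_params(out_lua_argv)` (assuming the helper allocates the array even when the count is not 2, as the non-NULL test on it suggests). Free it before each of those returns, `if (out_lua_argv) http_free_params(out_lua_argv); return 0;`, or route them through one cleanup label. The script-supplied name and value are also passed to `tfe_http_nonstd_field_write` without checking its return or rejecting CR/LF; if that helper does not validate, refuse values containing `\r` or `\n` here so a policy script cannot inject additional header lines.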
@@ -669,6 +740,7 @@ void http_lua_ctx_free(struct tsg_lua_script *lua_script, unsigned int thread_id
void http_lua_inject_http_consts(struct elua_vm *vm)
{
elua_register_cbinding(vm, NULL, "get_current_stage", http_lua_get_current_stage);
+ elua_register_cbinding(vm, NULL, "get_5tuple", http_lua_get_5tuple);
elua_register_cbinding(vm, NULL, "log_debug", http_lua_log_debug);
elua_register_cbinding(vm, NULL, "log_info", http_lua_log_info);
elua_register_cbinding(vm, NULL, "log_error", http_lua_log_error);
@@ -682,6 +754,7 @@ void http_lua_inject_req_header_api(struct elua_vm *vm)
elua_register_cbinding(vm, "req", "set_uri", http_lua_set_uri);
elua_register_cbinding(vm, "req", "get_headers", http_lua_get_headers);
elua_register_cbinding(vm, "req", "set_header", http_lua_set_headers);
+ elua_register_cbinding(vm, "req", "rewrite_header", http_lua_rewrite_header);
}
void http_lua_inject_req_body_api(struct elua_vm *vm)
@@ -695,8 +768,9 @@ void http_lua_inject_resp_header_api(struct elua_vm *vm)
elua_register_cbinding(vm, "resp", "get_status_code", http_lua_get_status_code);
elua_register_cbinding(vm, "resp", "set_status_code", http_lua_set_status_code);
- elua_register_cbinding(vm, "resp", "get_headers", http_lua_get_headers);
- elua_register_cbinding(vm, "resp", "set_header", http_lua_set_headers);
+ elua_register_cbinding(vm, "resp", "get_headers", http_lua_get_headers);
+ elua_register_cbinding(vm, "resp", "set_header", http_lua_set_headers);
+ elua_register_cbinding(vm, "resp", "rewrite_header", http_lua_rewrite_header);
}
void http_lua_inject_resp_body_api(struct elua_vm *vm)
diff --git a/plugin/business/tsg-http/src/tsg_http.cpp b/plugin/business/tsg-http/src/tsg_http.cpp
index 8c20465..6f8947d 100644
--- a/plugin/business/tsg-http/src/tsg_http.cpp
+++ b/plugin/business/tsg-http/src/tsg_http.cpp
@@ -13,10 +13,10 @@
#include <tfe_scan.h>
#include <tfe_types.h>
-#include <MESA/Maat_rule.h>
#include <MESA/MESA_handle_logger.h>
#include <MESA/MESA_prof_load.h>
#include <MESA/stream.h>
+#include <MESA/maat.h>
#include <event2/event.h>
#include <event2/buffer.h>
@@ -43,8 +43,8 @@ enum proxy_action //Bigger action number is prior.
PX_ACTION_DROP = 0x20, /* N/A */
PX_ACTION_MANIPULATE = 0x30,
PX_ACTION_RATELIMIT = 0x40, /* N/A */
- PX_ACTION_LOOP = 0x60, /* N/A */
- PX_ACTION_WHITELIST = 0x80,
+ PX_ACTION_WHITELIST = 0x60,
+ PX_ACTION_SHUNT = 0x80,
__PX_ACTION_MAX
};
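Review bot: Moving `PX_ACTION_WHITELIST` from 0x80 to 0x60 and placing `PX_ACTION_SHUNT` at 0x80 changes precedence, because the enum's own comment says a bigger number wins: a request that matches both a bypass rule and a shunt rule is now shunted instead of taking the `PX_ACTION_WHITELIST` early-out in http_scan. If that is intended, record it next to the constant, e.g. `PX_ACTION_SHUNT = 0x80, /* outranks WHITELIST: a matching shunt rule wins even when a bypass rule also matches */`. No handler for `PX_ACTION_SHUNT` appears in the visible parts of this diff; if it lives elsewhere, a pointer in the comment would help.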
@@ -64,9 +64,11 @@ enum manipulate_action
enum scan_table
{
- PXY_CTRL_IP,
+ PXY_CTRL_SOURCE_ADDR,
+ PXY_CTRL_DESTINATION_ADDR,
PXY_CTRL_HTTP_URL,
PXY_CTRL_HTTP_FQDN,
+ PXY_CTRL_HTTP_FQDN_CAT,
PXY_CTRL_HTTP_REQ_HDR,
PXY_CTRL_HTTP_REQ_BODY,
PXY_CTRL_HTTP_RES_HDR,
@@ -118,14 +120,22 @@ struct manipulate_profile
pthread_mutex_t lock;
};
+struct maat_rule_t
+{
+ long long config_id;
+ int service_id;
+ unsigned char do_log;
+ unsigned char do_blacklist;
+ unsigned char action;
+ char *srv_def_large;
+};
+
struct policy_action_param
{
int ref_cnt;
enum manipulate_action action;
-
char *message;
char *position;
-
float enforcement_ratio;
int vsys_id;
int profile_id;
@@ -133,16 +143,15 @@ struct policy_action_param
size_t n_rule;
struct replace_rule *repl_rule;
-
size_t e_rule;
struct edit_element_rule *elem_rule;
-
+ struct maat_rule_t hit_rule;
pthread_mutex_t lock;
};
struct tsg_proxy_rt
{
- Maat_feather_t maat;
+ struct maat *feather;
struct proxy_logger * send_logger;
void * local_logger;
int thread_num;
@@ -223,7 +232,7 @@ void increase_redirect_policy_hit_num(void)
void trusted_CA_update_start_cb(int update_type, void* u_para)
{
- if(update_type==MAAT_RULE_UPDATE_TYPE_FULL)
+ if(update_type==MAAT_UPDATE_TYPE_FULL)
{
if(g_proxy_rt->ca_store_reseting==0)
{
@@ -378,13 +387,25 @@ void octal_utf8_escapes(char *input)
return;
}
-void policy_action_param_new(int idx, const struct Maat_rule_t* rule, const char* srv_def_large,
- MAAT_RULE_EX_DATA* ad, long argl, void *argp)
+void policy_action_param_new(const char *table_name, int table_id, const char* key, const char* table_line, void **ad, long argl, void* argp)
{
+ int ret=0;
+ int config_id=0, service_id=0, action=0;
+ int do_log=0,do_blacklist=0,is_valid=0;
+ char effective_range[1024]={0};
+ char srv_def_large[8192]={0};
struct policy_action_param* param=NULL;
+ ret=sscanf(table_line, "%d\t%d\t%d\t%d\t%d\t%s\t%s\t%d", &config_id, &service_id, &action, &do_blacklist, &do_log,effective_range, srv_def_large, &is_valid);
+ if(ret!=8)
+ {
+ TFE_LOG_ERROR(g_proxy_rt->local_logger, "ctrl policy table parse failed, ret:%d, %s", ret, table_line);
+ return;
+ }
+
*ad=NULL;
- if((unsigned int)rule->serv_def_len<strlen("{}")+1)
+ int serv_def_len=strlen(srv_def_large);
+ if((unsigned int)serv_def_len<strlen("{}")+1)
{
return;
}
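Review bot: The `sscanf` in policy_action_param_new reads the two string columns with a bare `%s` into `effective_range[1024]` and `srv_def_large[8192]`, so a longer column in a table line overruns the stack buffers; bound them, `"%d\t%d\t%d\t%d\t%d\t%1023s\t%8191s\t%d"`. Note also that `%s` stops at any whitespace, so if the JSON in the `srv_def_large` column can contain spaces the scan ends early and the row is rejected with `ret!=8`; `%8191[^\t]` reads the whole tab-delimited column instead. `config_id` is parsed into an `int` while `hit_rule.config_id` and the scan results are `long long`, so parsing it with `%lld` into a `long long` would avoid truncating large ids. The function continues past this hunk.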
@@ -394,29 +415,36 @@ void policy_action_param_new(int idx, const struct Maat_rule_t* rule, const char
json=cJSON_Parse(srv_def_large);
if(json==NULL)
{
- TFE_LOG_ERROR(g_proxy_rt->local_logger, "invalid policy parameter: id = %d", rule->config_id);
+ TFE_LOG_ERROR(g_proxy_rt->local_logger, "invalid policy parameter: id = %d", config_id);
return;
}
item=cJSON_GetObjectItem(json, "protocol");
if(unlikely(!item || !cJSON_IsString(item)))
{
- TFE_LOG_ERROR(g_proxy_rt->local_logger, "Invalid policy parameter: %d invalid protocol format", rule->config_id);
+ TFE_LOG_ERROR(g_proxy_rt->local_logger, "Invalid policy parameter: %d invalid protocol format", config_id);
goto error_out;
}
- if(0!=strcasecmp(item->valuestring, "http"))
- {
- goto error_out;
- }
param=ALLOC(struct policy_action_param, 1);
param->ref_cnt=1;
+ param->hit_rule.action=action;
+ param->hit_rule.config_id=config_id;
+ param->hit_rule.do_blacklist=do_blacklist;
+ param->hit_rule.do_log=do_log;
+ param->hit_rule.srv_def_large=tfe_strdup(srv_def_large);
pthread_mutex_init(&(param->lock), NULL);
+ if(0!=strcasecmp(item->valuestring, "http"))
+ {
+ *ad=param;
+ goto error_out;
+ }
+
item=cJSON_GetObjectItem(json,"method");
if(item && item->type==cJSON_String)
{
- param->action =manipulate_action_str2idx(item->valuestring);
+ param->action=manipulate_action_str2idx(item->valuestring);
}
switch(param->action)
@@ -628,13 +656,13 @@ void policy_action_param_new(int idx, const struct Maat_rule_t* rule, const char
break;
}
*ad=param;
- TFE_LOG_INFO(g_proxy_rt->local_logger, "Add ctrl policy: %d", rule->config_id);
+ TFE_LOG_INFO(g_proxy_rt->local_logger, "Add ctrl policy: %d", config_id);
error_out:
cJSON_Delete(json);
return;
}
-void policy_action_param_free_cb(int table_id, const struct Maat_rule_t* rule, const char* srv_def_large, MAAT_RULE_EX_DATA* ad, long argl, void *argp)
+void policy_action_param_free_cb(int table_id, void **ad, long argl, void *argp)
{
unsigned int i=0;
if(*ad==NULL)
@@ -674,17 +702,20 @@ void policy_action_param_free_cb(int table_id, const struct Maat_rule_t* rule, c
FREE(&(param->message));
if (param->position)
FREE(&(param->position));
+ if(param->hit_rule.srv_def_large)
+ FREE(&(param->hit_rule.srv_def_large))
+
FREE(&(param));
return;
}
void policy_action_param_free(struct policy_action_param* param)
{
- policy_action_param_free_cb(0, NULL, NULL, (void**)&param, 0, NULL);
+ policy_action_param_free_cb(0, (void**)&param, 0, NULL);
return;
}
-void policy_action_param_dup(int idx, MAAT_RULE_EX_DATA *to, MAAT_RULE_EX_DATA *from, long argl, void *argp)
+void policy_action_param_dup(int idx, void **to, void **from, long argl, void *argp)
{
struct policy_action_param* from_param=*((struct policy_action_param**)from);
if(from_param==NULL)
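Review bot: The new `FREE(&(param->hit_rule.srv_def_large))` in policy_action_param_free_cb has no terminating semicolon, so it compiles only because `FREE` presumably expands to a braced block; an `if(...) FREE(...)` without `;` followed by `FREE(&(param));` is fragile and reads as though the second call were the continuation of the first. Write it as `FREE(&(param->hit_rule.srv_def_large));` to match the guarded releases of `message` and `position` just above.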
@@ -699,7 +730,7 @@ void policy_action_param_dup(int idx, MAAT_RULE_EX_DATA *to, MAAT_RULE_EX_DATA *
return;
}
-void ma_profile_table_new_cb(int table_id, const char* key, const char* table_line, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp)
+void ma_profile_table_new_cb(const char *table_name, int table_id, const char* key, const char* table_line, void **ad, long argl, void* argp)
{
int ret=0, profile_id=0, is_valid=0;
char profile_name[128]={0}, formate[128]={0};
@@ -739,7 +770,7 @@ void ma_profile_table_new_cb(int table_id, const char* key, const char* table_li
return;
}
-void ma_insert_profile_table_new_cb(int table_id, const char* key, const char* table_line, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp)
+void ma_insert_profile_table_new_cb(const char *table_name, int table_id, const char* key, const char* table_line, void **ad, long argl, void* argp)
{
int ret=0, profile_id=0, is_valid=0;
char profile_name[128]={0}, formate[128]={0};
@@ -779,7 +810,7 @@ void ma_insert_profile_table_new_cb(int table_id, const char* key, const char* t
return;
}
-void ma_hijack_profile_table_new_cb(int table_id, const char* key, const char* table_line, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp)
+void ma_hijack_profile_table_new_cb(const char *table_name, int table_id, const char* key, const char* table_line, void **ad, long argl, void* argp)
{
int ret=0, profile_id=0, is_valid=0;
char profile_name[128]={0}, formate[128]={0};
@@ -806,7 +837,7 @@ void ma_hijack_profile_table_new_cb(int table_id, const char* key, const char* t
return;
}
-void ma_lua_profile_table_new_cb(int table_id, const char* key, const char* table_line, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp)
+void ma_lua_profile_table_new_cb(const char *table_name, int table_id, const char* key, const char* table_line, void **ad, long argl, void* argp)
{
int timeout=0;
int ret=0, profile_id=0, is_valid=0;
@@ -848,7 +879,7 @@ void ma_lua_profile_table_new_cb(int table_id, const char* key, const char* tabl
return;
}
-void ma_profile_table_free_cb(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, void *argp)
+void ma_profile_table_free_cb(int table_id, void **ad, long argl, void *argp)
{
if(*ad==NULL)
{
@@ -895,7 +926,7 @@ void ma_profile_table_free(struct manipulate_profile* ply_obj)
ma_profile_table_free_cb(0, (void **)&ply_obj, 0, NULL);
}
-void ma_profile_table_dup_cb(int table_id, MAAT_PLUGIN_EX_DATA *to, MAAT_PLUGIN_EX_DATA *from, long argl, void *argp)
+void ma_profile_table_dup_cb(int table_id, void **to, void **from, long argl, void *argp)
{
struct manipulate_profile* ply_obj=(struct manipulate_profile*)(*from);
pthread_mutex_lock(&(ply_obj->lock));
@@ -905,15 +936,15 @@ void ma_profile_table_dup_cb(int table_id, MAAT_PLUGIN_EX_DATA *to, MAAT_PLUGIN_
}
int maat_table_init(const char* table_name,
- Maat_start_callback_t *start, Maat_update_callback_t *update,Maat_finish_callback_t *finish,
+ maat_start_callback_t *start, maat_update_callback_t *update, maat_finish_callback_t *finish,
void *u_para)
{
int table_id=0;
- table_id=Maat_table_register(g_proxy_rt->maat, table_name);
+ table_id=maat_get_table_id(g_proxy_rt->feather, table_name);
if(table_id>=0)
{
- Maat_table_callback_register(g_proxy_rt->maat, table_id,
+ maat_table_callback_register(g_proxy_rt->feather, table_id,
start, update, finish, u_para);
}
return table_id;
@@ -930,27 +961,27 @@ const char* table_name_idx2str(int profile_idx)
}
int maat_table_ex_init(int profile_idx,
- Maat_plugin_EX_free_func_t* free_func,
- Maat_plugin_EX_dup_func_t* dup_func)
+ maat_ex_free_func_t* free_func,
+ maat_ex_dup_func_t* dup_func)
{
int table_id = 0;
const char *table_name = table_name_idx2str(profile_idx);
- Maat_plugin_EX_new_func_t *new_func[] = {
+ maat_ex_new_func_t *new_func[] = {
[POLICY_PROFLIE_TABLE_REJECT] = ma_profile_table_new_cb,
[POLICY_PROFILE_TABLE_INSERT] = ma_insert_profile_table_new_cb,
[POLICY_PROFILE_TABLE_HIJACK] = ma_hijack_profile_table_new_cb,
[POLICY_PROFILE_TABLE_LUA] = ma_lua_profile_table_new_cb,
};
- table_id=g_proxy_rt->plolicy_table_id[profile_idx]=Maat_table_register(g_proxy_rt->maat, table_name);
+ table_id=g_proxy_rt->plolicy_table_id[profile_idx]=maat_get_table_id(g_proxy_rt->feather, table_name);
if(table_id >= 0)
{
- table_id=Maat_plugin_EX_register(g_proxy_rt->maat, table_id,
- new_func[profile_idx],
- free_func,
- dup_func,
- NULL, 0, NULL);
+ table_id=maat_plugin_table_ex_schema_register(g_proxy_rt->feather, table_name,
+ new_func[profile_idx],
+ free_func,
+ dup_func,
+ 0, NULL);
return 0;
}
TFE_LOG_INFO(NULL, "Pangu HTTP register table %s failed.", table_name);
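Review bot: maat_table_ex_init stores the result of `maat_plugin_table_ex_schema_register` into `table_id` and then returns 0 unconditionally, so a failed schema registration is reported as success and the profile table silently never gets its new/free/dup callbacks (assuming the call follows the `< 0` failure convention this file applies to `maat_get_table_id`). Check it with its own variable so the real table id is not clobbered, e.g. `int ret = maat_plugin_table_ex_schema_register(...); if (ret < 0) { TFE_LOG_INFO(NULL, "Pangu HTTP register ex schema %s failed.", table_name); return -1; }`.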
@@ -960,12 +991,14 @@ int maat_table_ex_init(int profile_idx,
int proxy_policy_init(const char* profile_path, const char* static_section, const char* dynamic_section)
{
int ret = 0;
- g_proxy_rt->maat = (Maat_feather_t)tfe_bussiness_resouce_get(STATIC_MAAT);
+ g_proxy_rt->feather = (struct maat *)tfe_bussiness_resouce_get(STATIC_MAAT);
const char * table_name[__SCAN_TABLE_MAX];
- table_name[PXY_CTRL_IP] = "TSG_SECURITY_ADDR";
+ table_name[PXY_CTRL_SOURCE_ADDR] = "TSG_SECURITY_SOURCE_ADDR";
+ table_name[PXY_CTRL_DESTINATION_ADDR]="TSG_SECURITY_DESTINATION_ADDR";
table_name[PXY_CTRL_HTTP_URL] = "TSG_FIELD_HTTP_URL";
table_name[PXY_CTRL_HTTP_FQDN] = "TSG_FIELD_HTTP_HOST";
+ table_name[PXY_CTRL_HTTP_FQDN_CAT] = "TSG_FIELD_HTTP_HOST_CAT";
table_name[PXY_CTRL_HTTP_REQ_HDR] = "TSG_FIELD_HTTP_REQ_HDR";
table_name[PXY_CTRL_HTTP_REQ_BODY] = "TSG_FIELD_HTTP_REQ_BODY";
table_name[PXY_CTRL_HTTP_RES_HDR] = "TSG_FIELD_HTTP_RES_HDR";
@@ -973,7 +1006,7 @@ int proxy_policy_init(const char* profile_path, const char* static_section, cons
table_name[PXY_CTRL_APP_ID] = "TSG_OBJ_APP_ID";
for (int i = 0; i < __SCAN_TABLE_MAX; i++)
{
- g_proxy_rt->scan_table_id[i] = Maat_table_register(g_proxy_rt->maat, table_name[i]);
+ g_proxy_rt->scan_table_id[i] = maat_get_table_id(g_proxy_rt->feather, table_name[i]);
if (g_proxy_rt->scan_table_id[i] < 0)
{
TFE_LOG_ERROR(NULL, "Pangu HTTP Maat table %s register failed.", table_name[i]);
@@ -981,17 +1014,18 @@ int proxy_policy_init(const char* profile_path, const char* static_section, cons
}
}
- g_proxy_rt->ctrl_compile_idx=Maat_rule_get_ex_new_index(g_proxy_rt->maat, "PXY_CTRL_COMPILE",
- policy_action_param_new,
- policy_action_param_free_cb,
- policy_action_param_dup,
- 0, NULL);
+ g_proxy_rt->ctrl_compile_idx=maat_get_table_id(g_proxy_rt->feather, "PXY_CTRL_COMPILE");
+ maat_plugin_table_ex_schema_register(g_proxy_rt->feather, "PXY_CTRL_COMPILE",
+ policy_action_param_new,
+ policy_action_param_free_cb,
+ policy_action_param_dup,
+ 0, NULL);
ret = maat_table_init("PXY_PROFILE_TRUSTED_CA_CERT",
- trusted_CA_update_start_cb,
- trusted_CA_update_cert_cb,
- trusted_CA_update_finish_cb,
- g_proxy_rt);
+ trusted_CA_update_start_cb,
+ trusted_CA_update_cert_cb,
+ trusted_CA_update_finish_cb,
+ g_proxy_rt);
if(ret<0)
{
TFE_LOG_INFO(NULL, "Pangu HTTP register table PXY_OBJ_TRUSTED_CA_CERT failed.");
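Review bot: `g_proxy_rt->ctrl_compile_idx` is assigned from `maat_get_table_id` without the `< 0` check the scan-table loop just above applies, and the result of `maat_plugin_table_ex_schema_register` for `PXY_CTRL_COMPILE` is dropped; a missing table leaves a negative id that is later used as the table argument of every `maat_plugin_table_get_ex_data` lookup in decide_ctrl_action. Guard it the same way, `if (g_proxy_rt->ctrl_compile_idx < 0) { TFE_LOG_ERROR(NULL, "Pangu HTTP Maat table PXY_CTRL_COMPILE register failed."); return -1; }` (or whatever the loop above does on failure), and check the schema registration result likewise. The context log line below still names `PXY_OBJ_TRUSTED_CA_CERT` while the table being registered is `PXY_PROFILE_TRUSTED_CA_CERT`.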
@@ -999,10 +1033,10 @@ int proxy_policy_init(const char* profile_path, const char* static_section, cons
}
ret = maat_table_init("PXY_OBJ_TRUSTED_CA_CRL",
- trusted_CA_update_start_cb,
- trusted_CA_update_crl_cb,
- trusted_CA_update_finish_cb,
- g_proxy_rt);
+ trusted_CA_update_start_cb,
+ trusted_CA_update_crl_cb,
+ trusted_CA_update_finish_cb,
+ g_proxy_rt);
if(ret<0)
{
TFE_LOG_INFO(NULL, "Pangu HTTP register table PXY_OBJ_TRUSTED_CA_CRL failed.");
@@ -1131,7 +1165,7 @@ int proxy_http_init(struct tfe_proxy * proxy)
if(g_proxy_rt->cache_enabled)
{
g_proxy_rt->cache = create_web_cache_handle(profile_path, "TANGO_CACHE", g_proxy_rt->gc_evbase,
- g_proxy_rt->maat, g_proxy_rt->local_logger);
+ g_proxy_rt->feather, g_proxy_rt->local_logger);
if(!g_proxy_rt->cache)
{
TFE_LOG_INFO(NULL, "Tango Cache init failed.");
@@ -1187,11 +1221,11 @@ struct proxy_http_ctx
enum proxy_action action;
char * action_para;
int hit_cnt;
- struct Maat_rule_t result[MAX_SCAN_RESULT];
- scan_status_t scan_mid;
- stream_para_t sp;
+ long long result[MAX_SCAN_RESULT];
+ struct maat_state *scan_mid;
+ struct maat_stream *sp;
struct cache_mid* cmid;
- struct Maat_rule_t * enforce_rules;
+ struct maat_rule_t * enforce_rules;
size_t n_enforce;
struct policy_action_param *param;
struct evbuffer* log_req_body, *log_resp_body;
@@ -1293,7 +1327,7 @@ static struct proxy_http_ctx * proxy_http_ctx_new(unsigned int thread_id)
{
struct proxy_http_ctx * ctx = ALLOC(struct proxy_http_ctx, 1);
ctx->magic_num=HTTP_CTX_MAGIC_NUM;
- ctx->scan_mid = NULL;
+ ctx->scan_mid = maat_state_new(g_proxy_rt->feather, thread_id);
ctx->thread_id = (int) thread_id;
return ctx;
}
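Review bot: proxy_http_ctx_new now calls `maat_state_new` but never checks its result; if it can return NULL, that NULL state is later handed to `maat_state_set_scan_district` in http_scan, where the `assert(scan_ret == 0)` becomes an abort in debug builds and undefined behaviour in release builds. Either check here, `if (ctx->scan_mid == NULL) { FREE(&ctx); return NULL; }` with callers treating a NULL ctx as an error, or document that `maat_state_new` cannot fail. The same question applies to the unchecked `maat_stream_new` in http_scan.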
@@ -1327,12 +1361,14 @@ static void proxy_http_ctx_free(struct proxy_http_ctx * ctx)
FREE(&ctx->enforce_rules);
policy_action_param_free(ctx->param);
ctx->param=NULL;
- Maat_clean_status(&(ctx->scan_mid));
+
+ maat_state_free(ctx->scan_mid);
ctx->scan_mid = NULL;
if(ctx->sp)
{
- Maat_stream_scan_string_end(&(ctx->sp));
+ maat_stream_free(ctx->sp);
+ ctx->sp=NULL;
}
if(ctx->cache_write_ctx)
{
@@ -1398,7 +1434,7 @@ static struct manipulate_profile* get_profile_by_id(int profile_table, int profi
snprintf(cfg_id_str, sizeof(cfg_id_str), "%d", profile_id);
int table_id = g_proxy_rt->plolicy_table_id[profile_table];
- result = (struct manipulate_profile*)Maat_plugin_get_EX_data(g_proxy_rt->maat, table_id, (const char*)cfg_id_str);
+ result = (struct manipulate_profile*)maat_plugin_table_get_ex_data(g_proxy_rt->feather, table_id, (const char*)cfg_id_str);
return result;
}
@@ -1428,13 +1464,29 @@ static inline int action_cmp(enum proxy_action a1, enum proxy_action a2)
}
//enforce_rules[0] contains execute action.
-static enum proxy_action decide_ctrl_action(const struct Maat_rule_t * hit_rules, size_t n_hit,
- struct Maat_rule_t ** enforce_rules, size_t * n_enforce, struct policy_action_param **param)
+static enum proxy_action decide_ctrl_action(long long *results, size_t n_hit,
+ struct maat_rule_t** enforce_rules, size_t * n_enforce, struct policy_action_param **param)
{
void *ex_data=NULL;
size_t n_monit = 0, exist_enforce_num = 0, i = 0;
- const struct Maat_rule_t * prior_rule = hit_rules;
- struct Maat_rule_t monit_rule[n_hit];
+
+ struct policy_action_param *get_ex_param=NULL;
+ struct maat_rule_t *hit_rules=NULL;
+
+ hit_rules=ALLOC(struct maat_rule_t, n_hit);
+ for (i = 0; i < n_hit && i<MAX_SCAN_RESULT; i++)
+ {
+ get_ex_param =(struct policy_action_param *)maat_plugin_table_get_ex_data(g_proxy_rt->feather, g_proxy_rt->ctrl_compile_idx, (const char *)&results[i]);
+ if(get_ex_param==NULL)
+ {
+ continue;
+ }
+ memcpy(hit_rules+i, &get_ex_param->hit_rule, sizeof(struct maat_rule_t));
+ policy_action_param_free(get_ex_param);
+ }
+
+ const struct maat_rule_t * prior_rule = hit_rules;
+ struct maat_rule_t monit_rule[n_hit];
enum proxy_action prior_action = PX_ACTION_NONE;
for (i = 0; i < n_hit && i<MAX_SCAN_RESULT; i++)
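Review bot: decide_ctrl_action looks up the rule's ex-data with `(const char *)&results[i]`, i.e. it hands the raw bytes of a `long long` to `maat_plugin_table_get_ex_data` as a C string, whereas get_profile_by_id formats the id with `snprintf("%d")` before calling the same function; unless this table is keyed by binary ids, the lookup reads garbage (an id with a zero low byte is an empty key) and every rule falls into the `continue` branch. Format it the same way, `char key[32]; snprintf(key, sizeof key, "%lld", results[i]);` and pass `key`; the two `(const char *)&prior_rule->config_id` lookups later in this function have the same problem. `hit_rules` is allocated with `ALLOC` here and, as far as the visible hunks show, never freed, so each decision leaks `n_hit` rule records; release it on every exit path (the function ends outside this hunk).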
@@ -1444,7 +1496,7 @@ static enum proxy_action decide_ctrl_action(const struct Maat_rule_t * hit_rules
if (__action == PX_ACTION_MONIT)
{
- memcpy(monit_rule + n_monit, hit_rules + i, sizeof(struct Maat_rule_t));
+ memcpy(monit_rule + n_monit, hit_rules + i, sizeof(struct maat_rule_t));
n_monit++;
}
if (action_cmp(__action, prior_action) > 0)
@@ -1469,11 +1521,11 @@ static enum proxy_action decide_ctrl_action(const struct Maat_rule_t * hit_rules
{
if(*n_enforce==0)
{
- *enforce_rules=ALLOC(struct Maat_rule_t, 1);
+ *enforce_rules=ALLOC(struct maat_rule_t, 1);
}
*enforce_rules[0]=*prior_rule;
*n_enforce=1;
- ex_data=Maat_rule_get_ex_data(g_proxy_rt->maat, prior_rule, g_proxy_rt->ctrl_compile_idx);
+ ex_data=maat_plugin_table_get_ex_data(g_proxy_rt->feather, g_proxy_rt->ctrl_compile_idx, (const char *)&prior_rule->config_id);
if(ex_data!=NULL)
{
*param=(struct policy_action_param*)ex_data;
@@ -1491,19 +1543,19 @@ static enum proxy_action decide_ctrl_action(const struct Maat_rule_t * hit_rules
*n_enforce += n_monit + 1;
}
- *enforce_rules = (struct Maat_rule_t *) realloc(*enforce_rules, sizeof(struct Maat_rule_t) * (*n_enforce));
+ *enforce_rules = (struct maat_rule_t *) realloc(*enforce_rules, sizeof(struct maat_rule_t) * (*n_enforce));
if (prior_action == PX_ACTION_MONIT)
{
- memcpy(*enforce_rules + exist_enforce_num, monit_rule, n_monit * sizeof(struct Maat_rule_t));
+ memcpy(*enforce_rules + exist_enforce_num, monit_rule, n_monit * sizeof(struct maat_rule_t));
}
else
{
- memmove(*enforce_rules+1, *enforce_rules, exist_enforce_num*sizeof(struct Maat_rule_t));
- memcpy(*enforce_rules, prior_rule, sizeof(struct Maat_rule_t));
- memcpy(*enforce_rules + exist_enforce_num + 1, monit_rule, n_monit * sizeof(struct Maat_rule_t));
+ memmove(*enforce_rules+1, *enforce_rules, exist_enforce_num*sizeof(struct maat_rule_t));
+ memcpy(*enforce_rules, prior_rule, sizeof(struct maat_rule_t));
+ memcpy(*enforce_rules + exist_enforce_num + 1, monit_rule, n_monit * sizeof(struct maat_rule_t));
}
- ex_data=Maat_rule_get_ex_data(g_proxy_rt->maat, prior_rule, g_proxy_rt->ctrl_compile_idx);
+ ex_data=maat_plugin_table_get_ex_data(g_proxy_rt->feather, g_proxy_rt->ctrl_compile_idx, (const char *)&prior_rule->config_id);
if(ex_data!=NULL)
{
*param=(struct policy_action_param*)ex_data;
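Review bot: The rule records copied into `*enforce_rules` carry `srv_def_large` as a bare pointer into the `policy_action_param` they were memcpy'd from at the top of this function, and that param is handed back with `policy_action_param_free` immediately after the copy; if that release (or a later table update that drops the rule) actually frees the param, `enforce_rules[i].srv_def_large` dangles until the logger reads it. The refcount logic is outside the visible hunks, so confirm the param outlives the ctx; otherwise `tfe_strdup` the string into the copy and free it in proxy_http_ctx_free, or hold the ex-data reference for the ctx lifetime. The function ends beyond this hunk.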
@@ -1644,6 +1696,7 @@ void http_lua(const struct tfe_stream * stream, const struct tfe_http_session *
struct policy_action_param *param = ctx->param;
ctx->tsg_ctx = tsg_ctx = ALLOC(struct tsg_script_ctx, 1);
tsg_ctx->profile_id = param->profile_id;
+ tsg_ctx->addr = stream->addr;
tsg_ctx->elua_ctx = http_lua_ctx_new(lua_script, ctx->thread_id);
}
else
@@ -1665,16 +1718,17 @@ void http_lua(const struct tfe_stream * stream, const struct tfe_http_session *
if ((events & EV_HTTP_REQ_HDR) || (events & EV_HTTP_RESP_HDR))
{
+ tsg_ctx->http_req_uri=1; tsg_ctx->execut_lua_sucess=0;
+ ret=execute_lua_script_rule(lua_script, tsg_ctx->profile_id, tsg_ctx->elua_ctx, ctx->thread_id, (void *)tsg_ctx);
+ if(ret==0 && tsg_ctx->execut_lua_sucess==1)
+ {
+ tsg_ctx->actually_executed =1;
+ }
+ tsg_ctx->http_req_uri=0;
+ tsg_ctx->execut_lua_sucess=0;
+
if (tfe_http_in_request(events))
{
- tsg_ctx->http_req_uri=1; tsg_ctx->execut_lua_sucess=0;
- ret=execute_lua_script_rule(lua_script, tsg_ctx->profile_id, tsg_ctx->elua_ctx, ctx->thread_id, (void *)tsg_ctx);
- if(ret==0 && tsg_ctx->execut_lua_sucess==1)
- {
- tsg_ctx->actually_executed =1;
- }
- tsg_ctx->http_req_uri=0;
- tsg_ctx->execut_lua_sucess=0;
tsg_ctx->replacing = tfe_http_session_request_create(to_write_sess, in_req_spec->method, tsg_ctx->rewrite_uri !=NULL ? tsg_ctx->rewrite_uri : in_req_spec->uri);
tfe_http_session_request_set(to_write_sess, tsg_ctx->replacing);
}
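Review bot: The first `execute_lua_script_rule` pass (with `http_req_uri=1`) now runs for response headers as well, and at that point `tsg_ctx->replacing` still holds whatever an earlier stage left in it — for a request it is created only on the line below, for a response it appears to still be the request half from that line unless something between the hunks resets it — yet `http_lua_rewrite_header` only checks `replacing` for NULL, so a script calling `rewrite_header` during that pass can write into the wrong half. Either clear it ahead of the pass, `tsg_ctx->replacing = NULL;` before `tsg_ctx->http_req_uri=1;`, or make `http_lua_rewrite_header` (and `set_header`) refuse to run while `http_req_uri` is set, as `set_uri` presumably gates on it. http_lua() starts before this hunk.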
@@ -1694,14 +1748,13 @@ void http_lua(const struct tfe_stream * stream, const struct tfe_http_session *
{
tsg_ctx->actually_executed =1;
}
-
struct tfe_http_half * in_half = tfe_http_in_request(events) ? in_req_half : in_resp_half;
struct http_field_name in_header_field{};
const char * in_header_value = NULL;
void * iterator = NULL;
- while (true)
+ while (true && tsg_ctx->rewrite_header!=1)
{
if ((in_header_value = tfe_http_field_iterate(in_half, &iterator, &in_header_field)) == NULL)
{
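Review bot: When a script has called `rewrite_header`, the `while (true && tsg_ctx->rewrite_header!=1)` guard skips the entire copy loop, so not only the rewritten field but every original header of the request or response is left out of `replacing`; if the intent is to override one field rather than replace the whole header set, that silently drops Host, Content-Length, cookies and the rest. Record the rewritten field name(s) in `tsg_script_ctx` and `continue` past matching names inside the loop (comparing `http_field_name_to_string(&in_header_field)` against them) instead of disabling the loop. If wholesale replacement really is the contract, say so on the `rewrite_header` binding; either way `true &&` is redundant and `while (tsg_ctx->rewrite_header != 1)` reads cleaner. The loop body and http_lua() itself extend beyond this hunk.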
@@ -1709,6 +1762,7 @@ void http_lua(const struct tfe_stream * stream, const struct tfe_http_session *
}
tfe_http_field_write(tsg_ctx->replacing, &in_header_field, in_header_value);
}
+ tsg_ctx->rewrite_header=0;
}
if ((events & EV_HTTP_REQ_BODY_BEGIN) || (events & EV_HTTP_RESP_BODY_BEGIN))
@@ -2033,7 +2087,7 @@ static void http_redirect(const struct tfe_stream * stream, const struct tfe_htt
}
ctx->manipulate_replaced = 1;
if (resp_code <= 0 || rd_url == NULL){
- TFE_LOG_ERROR(g_proxy_rt->local_logger, "Invalid redirect rule %d paramter",
+ TFE_LOG_ERROR(g_proxy_rt->local_logger, "Invalid redirect rule %lld paramter",
ctx->enforce_rules[0].config_id);
goto error_out;
}
@@ -2093,7 +2147,7 @@ static void http_block(const struct tfe_stream * stream, const struct tfe_http_s
char *message = param->message;
if (resp_code <= 0 || profile_id < 0){
- TFE_LOG_ERROR(g_proxy_rt->local_logger, "Invalid block rule %d", ctx->enforce_rules[0].config_id);
+ TFE_LOG_ERROR(g_proxy_rt->local_logger, "Invalid block rule %lld", ctx->enforce_rules[0].config_id);
ctx->action = PX_ACTION_NONE;
return;
}
@@ -2149,7 +2203,7 @@ static void http_hijack(const struct tfe_http_session * session, enum tfe_http_e
if (param->profile_id <= 0)
{
- TFE_LOG_ERROR(g_proxy_rt->local_logger, "Invalid hijack rule %d",
+ TFE_LOG_ERROR(g_proxy_rt->local_logger, "Invalid hijack rule %lld",
ctx->enforce_rules[0].config_id);
ctx->action = PX_ACTION_NONE;
return;
@@ -2525,7 +2579,7 @@ static void http_manipulate(const struct tfe_stream * stream, const struct tfe_h
struct policy_action_param *param = ctx->param;
if (param == NULL)
{
- TFE_LOG_ERROR(g_proxy_rt->local_logger, "Failed to get the json format parsed. config_id = %d",
+ TFE_LOG_ERROR(g_proxy_rt->local_logger, "Failed to get the json format parsed. config_id = %lld",
ctx->enforce_rules[0].config_id);
ctx->action = PX_ACTION_NONE;
return;
@@ -2590,9 +2644,10 @@ enum proxy_action http_scan(const struct tfe_http_session * session, enum tfe_ht
const char * field_val = NULL;
struct http_field_name field_name;
struct tfe_http_half * http_half;
- struct Maat_rule_t *result = ctx->result;
+ long long *result = ctx->result;
char buff[TFE_STRING_MAX], * p = NULL;
int scan_ret = 0, table_id = 0;
+ size_t n_hit_result=0;
size_t hit_cnt = ctx->hit_cnt, i = 0;
if (events & EV_HTTP_REQ_HDR)
@@ -2601,13 +2656,13 @@ enum proxy_action http_scan(const struct tfe_http_session * session, enum tfe_ht
int str_host_length = get_fqdn_len(str_host);
if (str_host != NULL && str_host_length != 0)
{
- scan_ret = Maat_full_scan_string(g_proxy_rt->maat, g_proxy_rt->scan_table_id[PXY_CTRL_HTTP_FQDN],
- CHARSET_UTF8, str_host, str_host_length, result + hit_cnt, NULL, MAX_SCAN_RESULT - hit_cnt, &(ctx->scan_mid), ctx->thread_id);
- if (scan_ret > 0)
+ scan_ret = maat_scan_string(g_proxy_rt->feather, g_proxy_rt->scan_table_id[PXY_CTRL_HTTP_FQDN],
+ str_host, str_host_length, result + hit_cnt, MAX_SCAN_RESULT - hit_cnt, &n_hit_result, ctx->scan_mid);
+ if (scan_ret == MAAT_SCAN_HIT)
{
- hit_cnt += scan_ret;
+ hit_cnt += n_hit_result;
}
- scan_ret = tfe_scan_fqdn_cat(stream, result, &(ctx->scan_mid), hit_cnt, ctx->thread_id, g_proxy_rt->local_logger, g_proxy_rt->scan_table_id[PXY_CTRL_HTTP_FQDN]);
+ scan_ret = tfe_scan_fqdn_cat(stream, result, ctx->scan_mid, hit_cnt, g_proxy_rt->local_logger, g_proxy_rt->scan_table_id[PXY_CTRL_HTTP_FQDN_CAT]);
if (scan_ret > 0)
{
hit_cnt += scan_ret;
@@ -2617,12 +2672,12 @@ enum proxy_action http_scan(const struct tfe_http_session * session, enum tfe_ht
const char * str_url = session->req->req_spec.url;
int str_url_length = (int) (strlen(session->req->req_spec.url));
- scan_ret = Maat_full_scan_string(g_proxy_rt->maat, g_proxy_rt->scan_table_id[PXY_CTRL_HTTP_URL],
- CHARSET_UTF8, str_url, str_url_length, result + hit_cnt, NULL, MAX_SCAN_RESULT - hit_cnt, &(ctx->scan_mid), ctx->thread_id);
+ scan_ret = maat_scan_string(g_proxy_rt->feather, g_proxy_rt->scan_table_id[PXY_CTRL_HTTP_URL],
+ str_url, str_url_length, result + hit_cnt, MAX_SCAN_RESULT - hit_cnt, &n_hit_result, ctx->scan_mid);
- if (scan_ret > 0)
+ if (scan_ret == MAAT_SCAN_HIT)
{
- hit_cnt += scan_ret;
+ hit_cnt += n_hit_result;
}
}
@@ -2640,16 +2695,14 @@ enum proxy_action http_scan(const struct tfe_http_session * session, enum tfe_ht
}
const char * str_field_name = http_field_name_to_string(&field_name);
- scan_ret = Maat_set_scan_status(g_proxy_rt->maat, &(ctx->scan_mid), MAAT_SET_SCAN_DISTRICT,
- str_field_name, strlen(str_field_name));
+ scan_ret = maat_state_set_scan_district(ctx->scan_mid, str_field_name, strlen(str_field_name));
assert(scan_ret == 0);
- scan_ret = Maat_full_scan_string(g_proxy_rt->maat, table_id,
- CHARSET_UTF8, field_val, strlen(field_val),
- result + hit_cnt, NULL, MAX_SCAN_RESULT - hit_cnt, &(ctx->scan_mid), ctx->thread_id);
- if (scan_ret > 0)
+ scan_ret = maat_scan_string(g_proxy_rt->feather, table_id, field_val, strlen(field_val),
+ result + hit_cnt, MAX_SCAN_RESULT - hit_cnt, &n_hit_result, ctx->scan_mid);
+ if (scan_ret == MAAT_SCAN_HIT)
{
- hit_cnt += scan_ret;
+ hit_cnt += n_hit_result;
}
}
}
@@ -2659,22 +2712,22 @@ enum proxy_action http_scan(const struct tfe_http_session * session, enum tfe_ht
assert(ctx->sp == NULL);
table_id = events & EV_HTTP_REQ_BODY_BEGIN ? g_proxy_rt->scan_table_id[PXY_CTRL_HTTP_REQ_BODY] : g_proxy_rt
->scan_table_id[PXY_CTRL_HTTP_RES_BODY];
- ctx->sp = Maat_stream_scan_string_start(g_proxy_rt->maat, table_id, ctx->thread_id);
+ ctx->sp = maat_stream_new(g_proxy_rt->feather, table_id, ctx->scan_mid);
}
if (body_frag != NULL)
{
- scan_ret = Maat_stream_scan_string(&(ctx->sp), CHARSET_UTF8, (const char *) body_frag, (int) frag_size,
- result + hit_cnt, NULL, MAX_SCAN_RESULT - hit_cnt, &(ctx->scan_mid));
- if (scan_ret > 0)
+ scan_ret = maat_stream_scan(ctx->sp, (const char *)body_frag, (int)frag_size,
+ result + hit_cnt, MAX_SCAN_RESULT - hit_cnt, &n_hit_result, ctx->scan_mid);
+ if (scan_ret == MAAT_SCAN_HIT)
{
- hit_cnt += scan_ret;
+ hit_cnt += n_hit_result;
}
}
if ((events & EV_HTTP_REQ_BODY_END) | (events & EV_HTTP_RESP_BODY_END))
{
- Maat_stream_scan_string_end(&(ctx->sp));
+ maat_stream_free(ctx->sp);
ctx->sp = NULL;
}
@@ -2683,7 +2736,7 @@ enum proxy_action http_scan(const struct tfe_http_session * session, enum tfe_ht
ctx->action = decide_ctrl_action(result, hit_cnt, &ctx->enforce_rules, &ctx->n_enforce, &ctx->param);
if (ctx->action == PX_ACTION_WHITELIST)
{
- TFE_LOG_INFO(g_proxy_rt->local_logger, "Bypass rules matched: url=%s policy id=%d.",
+ TFE_LOG_INFO(g_proxy_rt->local_logger, "Bypass rules matched: url=%s policy id=%lld.",
session->req->req_spec.url, ctx->enforce_rules[0].config_id);
goto __out;
}
@@ -2692,12 +2745,12 @@ enum proxy_action http_scan(const struct tfe_http_session * session, enum tfe_ht
p = buff;
for (i = 0; i < hit_cnt && i<MAX_SCAN_RESULT; i++)
{
- p += snprintf(p, sizeof(buff) - (p - buff), "%d:", result[i].config_id);
+ p += snprintf(p, sizeof(buff) - (p - buff), "%lld:", result[i]);
}
*p = '\0';
- TFE_LOG_INFO(g_proxy_rt->local_logger, "Multiple rules matched: url=%s num=%lu ids=%s execute=%d.",
+ TFE_LOG_INFO(g_proxy_rt->local_logger, "Multiple rules matched: url=%s num=%lu ids=%s execute=%lld.",
session->req->req_spec.url, hit_cnt, buff, ctx->enforce_rules[0].config_id);
}
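Review bot: `p += snprintf(p, sizeof(buff) - (p - buff), "%lld:", result[i])` advances `p` by the length the entry would have had, not by what was written, and the switch to `%lld` makes each entry up to 21 bytes, so once `buff` fills `p` moves past its end, the next call's size argument `sizeof(buff) - (p - buff)` wraps to a huge `size_t`, and the trailing `*p = '\0'` writes outside the buffer. The `i < MAX_SCAN_RESULT` bound limits the entry count, not the bytes. Check the result before advancing: `int n = snprintf(p, sizeof(buff) - (p - buff), "%lld:", result[i]);` / `if (n < 0 || (size_t)n >= sizeof(buff) - (p - buff)) break;` / `p += n;`. http_scan's body continues outside the hunk.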
ctx->hit_cnt=0;
@@ -3015,39 +3068,68 @@ void proxy_on_http_begin(const struct tfe_stream * stream,
assert(ctx == NULL);
ATOMIC_INC(&(g_proxy_rt->stat_val[STAT_SESSION]));
ctx = proxy_http_ctx_new(thread_id);
- struct Maat_rule_t *result = ctx->result;
+ long long *result = ctx->result;
+ size_t n_hit_result=0;
- scan_ret = tfe_scan_subscribe_id(stream, result, &(ctx->scan_mid), hit_cnt, ctx->thread_id, g_proxy_rt->local_logger);
+ scan_ret = tfe_scan_subscribe_id(stream, result, ctx->scan_mid, hit_cnt, g_proxy_rt->local_logger);
if(scan_ret>0)
{
hit_cnt+=scan_ret;
}
- scan_ret = tfe_scan_ip_location(stream, result, &(ctx->scan_mid), hit_cnt, ctx->thread_id, g_proxy_rt->local_logger, &(ctx->ip_ctx.location_server), &(ctx->ip_ctx.location_client));
+ scan_ret = tfe_scan_ip_location(stream, result, ctx->scan_mid, hit_cnt, g_proxy_rt->local_logger, &(ctx->ip_ctx.location_server), &(ctx->ip_ctx.location_client));
if(scan_ret>0)
{
hit_cnt+=scan_ret;
}
- scan_ret = tfe_scan_ip_asn(stream, result, &(ctx->scan_mid), hit_cnt, ctx->thread_id, g_proxy_rt->local_logger, &(ctx->ip_ctx.asn_server), &(ctx->ip_ctx.asn_client));
+ scan_ret = tfe_scan_ip_asn(stream, result, ctx->scan_mid, hit_cnt, g_proxy_rt->local_logger, &(ctx->ip_ctx.asn_server), &(ctx->ip_ctx.asn_client));
if(scan_ret>0)
{
hit_cnt+=scan_ret;
}
int scan_val=67;
- scan_ret=Maat_scan_intval(g_proxy_rt->maat, g_proxy_rt->scan_table_id[PXY_CTRL_APP_ID], scan_val, result+hit_cnt, MAX_SCAN_RESULT-hit_cnt, &(ctx->scan_mid), (int) thread_id);
- if(scan_ret>0)
+ scan_ret=maat_scan_integer(g_proxy_rt->feather, g_proxy_rt->scan_table_id[PXY_CTRL_APP_ID], scan_val, result+hit_cnt, MAX_SCAN_RESULT-hit_cnt, &n_hit_result, ctx->scan_mid);
+ if(scan_ret==MAAT_SCAN_HIT)
{
- hit_cnt+=scan_ret;
+ hit_cnt+=n_hit_result;
}
addr_tfe2sapp(stream->addr, &sapp_addr);
- scan_ret = Maat_scan_proto_addr(g_proxy_rt->maat, g_proxy_rt->scan_table_id[PXY_CTRL_IP], &sapp_addr, 0,
- result+hit_cnt, MAX_SCAN_RESULT-hit_cnt, &(ctx->scan_mid), (int) thread_id);
- if(scan_ret>0)
+ if (sapp_addr.addrtype == ADDR_TYPE_IPV4)
{
- hit_cnt+=scan_ret;
- }
+ scan_ret = maat_scan_ipv4(g_proxy_rt->feather, g_proxy_rt->scan_table_id[PXY_CTRL_SOURCE_ADDR],
+ sapp_addr.v4->saddr, sapp_addr.v4->source, 0, result+hit_cnt, MAX_SCAN_RESULT-hit_cnt,
+ &n_hit_result, ctx->scan_mid);
+ if (n_hit_result == MAAT_SCAN_HIT)
+ {
+ hit_cnt += n_hit_result;
+ }
+ scan_ret = maat_scan_ipv4(g_proxy_rt->feather, g_proxy_rt->scan_table_id[PXY_CTRL_DESTINATION_ADDR],
+ sapp_addr.v4->daddr, sapp_addr.v4->dest, 0, result+hit_cnt, MAX_SCAN_RESULT-hit_cnt,
+ &n_hit_result, ctx->scan_mid);
+ if(scan_ret == MAAT_SCAN_HIT)
+ {
+ hit_cnt += n_hit_result;
+ }
+ }
+ if (sapp_addr.addrtype == ADDR_TYPE_IPV6)
+ {
+ scan_ret = maat_scan_ipv6(g_proxy_rt->feather, g_proxy_rt->scan_table_id[PXY_CTRL_SOURCE_ADDR],
+ sapp_addr.v6->saddr, sapp_addr.v6->source, 0, result+hit_cnt, MAX_SCAN_RESULT-hit_cnt,
+ &n_hit_result, ctx->scan_mid);
+ if (scan_ret == MAAT_SCAN_HIT)
+ {
+ hit_cnt += n_hit_result;
+ }
+ scan_ret = maat_scan_ipv6(g_proxy_rt->feather, g_proxy_rt->scan_table_id[PXY_CTRL_DESTINATION_ADDR],
+ sapp_addr.v6->daddr, sapp_addr.v6->dest, 0, result+hit_cnt, MAX_SCAN_RESULT-hit_cnt,
+ &n_hit_result, ctx->scan_mid);
+ if (scan_ret == MAAT_SCAN_HIT)
+ {
+ hit_cnt += n_hit_result;
+ }
+ }
if(hit_cnt > 0)
{
ctx->hit_cnt = hit_cnt;
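Review bot: The IPv4 source-address branch tests `if (n_hit_result == MAAT_SCAN_HIT)` while the three sibling scans (IPv4 destination, IPv6 source and destination) test `scan_ret == MAAT_SCAN_HIT`; as written, whether source-address hits are counted depends on the hit count happening to equal the enum value, and a stale `n_hit_result` left over from the preceding maat_scan_integer call can satisfy it after a miss. The fix is the one-token change `if (scan_ret == MAAT_SCAN_HIT)`. The four scan blocks differ only in table id and address fields; a small static helper that takes the table id and the (addr, port) pair would remove the copy-paste that produced this. proxy_on_http_begin starts and ends outside the hunk.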
@@ -3151,7 +3233,7 @@ void proxy_on_http_end(const struct tfe_stream * stream,
{
if(i+1 > ctx->n_enforce)
{
- memmove(ctx->enforce_rules+i, ctx->enforce_rules+i+1, sizeof(struct Maat_rule_t));
+ memmove(ctx->enforce_rules+i, ctx->enforce_rules+i+1, sizeof(struct maat_rule_t));
}
j++;
}
@@ -3163,7 +3245,7 @@ void proxy_on_http_end(const struct tfe_stream * stream,
FREE(&(ctx->enforce_rules));
}
}
- struct proxy_log log_msg = {.stream=stream, .http=session, .result=ctx->enforce_rules, .result_num=ctx->n_enforce,
+ struct proxy_log log_msg = {.stream=stream, .http=session, .result=(struct log_rule_t *)ctx->enforce_rules, .result_num=ctx->n_enforce,
.req_body=ctx->log_req_body, .resp_body=ctx->log_resp_body, .action=0, .inject_sz=ctx->inject_sz,
.asn_client=ctx->ip_ctx.asn_client, .asn_server=ctx->ip_ctx.asn_server, .location_client=ctx->ip_ctx.location_client,
.location_server=ctx->ip_ctx.location_server};
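Review bot: `.result=(struct log_rule_t *)ctx->enforce_rules` reinterprets an array whose element size is `sizeof(struct maat_rule_t)` (per the memmove in the previous hunk) as `struct log_rule_t`, which is only sound if the two structs have identical layout and nothing in the change asserts that. Add a compile-time check next to the struct definitions, e.g. `static_assert(sizeof(struct log_rule_t) == sizeof(struct maat_rule_t), "log_rule_t must mirror maat_rule_t");` plus an `offsetof` check on the fields the logger reads (at least `config_id`), or convert into a proper `log_rule_t` array instead of casting. proxy_on_http_end continues outside the hunk.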
diff --git a/plugin/business/tsg-http/src/tsg_logger.cpp b/plugin/business/tsg-http/src/tsg_logger.cpp
index b0d7a6f..d9fb2fe 100644
--- a/plugin/business/tsg-http/src/tsg_logger.cpp
+++ b/plugin/business/tsg-http/src/tsg_logger.cpp
@@ -38,8 +38,8 @@ enum _log_action //Bigger action number is prior.
LG_ACTION_DROP = 0x20, /* N/A */
LG_ACTION_MANIPULATE = 0x30,
LG_ACTION_RATELIMIT = 0x40, /* N/A */
- LG_ACTION_LOOP = 0x60, /* N/A */
- LG_ACTION_WHITELIST = 0x80,
+ LG_ACTION_WHITELIST = 0x60,
+ LG_ACTION_SHUNT = 0x80,
__LG_ACTION_MAX
};
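Review bot: Moving `LG_ACTION_WHITELIST` from 0x80 to 0x60 and giving 0x80 to the new `LG_ACTION_SHUNT` changes priority: per the enum's own comment ("Bigger action number is prior"), a shunt now outranks a whitelist match, whereas before whitelist outranked everything. If that reordering is intended it deserves a line comment, e.g. `LG_ACTION_SHUNT = 0x80, /* intentionally above WHITELIST; see TSG-14484 */`. If the numeric value is emitted into log records, consumers that stored 0x80 as "whitelist" will misread old and new records differently; a note on that compatibility break would help.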
diff --git a/plugin/business/tsg-http/src/tsg_web_cache.cpp b/plugin/business/tsg-http/src/tsg_web_cache.cpp
index fdc974b..5d23ba1 100644
--- a/plugin/business/tsg-http/src/tsg_web_cache.cpp
+++ b/plugin/business/tsg-http/src/tsg_web_cache.cpp
@@ -77,6 +77,8 @@ struct cache_param
char ignore_res_nocache;
char force_caching;
+ long long config_id;
+ int action;
int min_use;
time_t pinning_time_sec;
time_t inactive_time_sec;
@@ -114,8 +116,8 @@ struct cache_handle
int cache_policy_enabled; //otherwise use default cache policy
struct cache_param default_cache_policy;
- Maat_feather_t ref_feather;
- int cache_param_idx;
+ struct maat *ref_feather;
+ long long cache_param_idx;
int table_url_constraint;
int table_cookie_constraint;
@@ -517,14 +519,26 @@ char* get_cache_key(const struct tfe_http_half * request, const struct cache_key
return cache_key;
}
-void cache_param_new(int idx, const struct Maat_rule_t* rule, const char* srv_def_large,
- MAAT_RULE_EX_DATA* ad, long argl, void *argp)
+void cache_param_new(const char *table_name, int idx, const char *key, const char *table_line, void **ad, long argl, void *argp)
{
struct cache_handle* cache=(struct cache_handle*) argp;
unsigned int i=0;
size_t len=0;
+ int ret=0;
+ int config_id=0, service_id=0, action=0;
+ int do_log=0,do_blacklist=0,is_valid=0;
+ char effective_range[1024]={0};
+ char srv_def_large[8192]={0};
+
+ ret=sscanf(table_line, "%d\t%d\t%d\t%d\t%d\t%s\t%s\t%d", &config_id, &service_id, &action, &do_blacklist, &do_log, effective_range, srv_def_large, &is_valid);
+ if(ret!=8)
+ {
+ return;
+ }
+
*ad=NULL;
- if((unsigned int)rule->serv_def_len<strlen("{}")+1)
+ int serv_def_len=strlen(srv_def_large);
+ if((unsigned int)serv_def_len<strlen("{}")+1)
{
return;
}
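Review bot: The `sscanf` of `table_line` uses unbounded `%s` for `effective_range` (1024 bytes) and `srv_def_large` (8192 bytes), so a longer field in the table file overruns the stack buffers; use width limits: `"%d\t%d\t%d\t%d\t%d\t%1023s\t%8191s\t%d"`. Separately, the early `return` on `ret!=8` happens before `*ad=NULL`, so on a malformed line the caller's ex-data slot keeps whatever it held; the old code assigned `*ad=NULL` first, and moving that line above the sscanf restores it. Note that `%s` stops at any whitespace, so this relies on the escape-encoded user_region never containing a blank — worth a comment if that is guaranteed by the encoder. cache_param_new continues outside the hunk.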
@@ -532,13 +546,14 @@ void cache_param_new(int idx, const struct Maat_rule_t* rule, const char* srv_de
json=cJSON_Parse(srv_def_large);
if(json==NULL)
{
- TFE_LOG_ERROR(cache->logger, "invalid cache parameter: id = %d", rule->config_id);
+ TFE_LOG_ERROR(cache->logger, "invalid cache parameter: id = %d", config_id);
return;
}
struct cache_param* param=ALLOC(struct cache_param, 1);
-
*param=cache->default_cache_policy;
param->ref_cnt=1;
+ param->config_id=config_id;
+ param->action=action;
pthread_mutex_init(&(param->lock), NULL);
key_desc=cJSON_GetObjectItem(json,"cache_key");
if(key_desc && key_desc->type==cJSON_Object)
@@ -569,8 +584,6 @@ void cache_param_new(int idx, const struct Maat_rule_t* rule, const char* srv_de
}
}
-
-
item=cJSON_GetObjectItem(json,"no_revalidate");
if(item && item->type==cJSON_Number) param->no_revalidate=item->valueint;
@@ -611,7 +624,7 @@ void cache_param_new(int idx, const struct Maat_rule_t* rule, const char* srv_de
*ad=param;
return;
}
-void cache_param_free(int idx, const struct Maat_rule_t* rule, const char* srv_def_large, MAAT_RULE_EX_DATA* ad, long argl, void *argp)
+void cache_param_free(int table_id, void **ad, long argl, void *argp)
{
unsigned int i=0;
if(*ad==NULL)
@@ -637,7 +650,7 @@ void cache_param_free(int idx, const struct Maat_rule_t* rule, const char* srv_d
FREE(&(param));
return;
}
-void cache_param_dup(int idx, MAAT_RULE_EX_DATA *to, MAAT_RULE_EX_DATA *from, long argl, void *argp)
+void cache_param_dup(int idx, void **to, void **from, long argl, void *argp)
{
struct cache_param* from_param=*((struct cache_param**)from);
pthread_mutex_lock(&(from_param->lock));
@@ -670,7 +683,7 @@ void cache_mid_clear(struct cache_mid **mid)
}
if((*mid)->is_using_exception_param)
{
- cache_param_free(0, NULL, NULL, (void**)&((*mid)->param), 0, NULL);
+ cache_param_free(0, (void**)&((*mid)->param), 0, NULL);
}
FREE(&((*mid)->cache_key));
FREE(mid);
@@ -689,7 +702,7 @@ static void cache_key_bloom_gc_cb(evutil_socket_t fd, short what, void * arg)
}
struct cache_handle* create_web_cache_handle(const char* profile_path, const char* section,
- struct event_base* gc_evbase, Maat_feather_t feather, void *logger)
+ struct event_base* gc_evbase, struct maat *feather, void *logger)
{
struct cache_handle* cache=ALLOC(struct cache_handle, 1);
int temp=0;
@@ -771,12 +784,12 @@ struct cache_handle* create_web_cache_handle(const char* profile_path, const cha
if(cache->cache_policy_enabled)
{
- cache->table_url_constraint=Maat_table_register(feather, "PXY_CACHE_HTTP_URL");
- cache->table_cookie_constraint=Maat_table_register(feather, "PXY_CACHE_HTTP_COOKIE");
-
- cache->cache_param_idx=Maat_rule_get_ex_new_index(feather, "PXY_CACHE_COMPILE",
- cache_param_new, cache_param_free, cache_param_dup,
- 0, cache);
+ cache->cache_param_idx=maat_get_table_id(feather, "PXY_CACHE_COMPILE");
+ cache->table_url_constraint=maat_get_table_id(feather, "PXY_CACHE_HTTP_URL");
+ cache->table_cookie_constraint=maat_get_table_id(feather, "PXY_CACHE_HTTP_COOKIE");
+ cache->cache_param_idx=maat_plugin_table_ex_schema_register(feather, "PXY_CACHE_COMPILE",
+ cache_param_new, cache_param_free, cache_param_dup,
+ 0, cache);
cache->ref_feather=feather;
}
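Review bot: `cache->cache_param_idx=maat_get_table_id(feather, "PXY_CACHE_COMPILE");` is a dead store, overwritten three lines later by `maat_plugin_table_ex_schema_register(...)`; if the two return different values (a table id versus an ex-data schema index) the later `maat_plugin_table_get_ex_data(handle->ref_feather, handle->cache_param_idx, ...)` needs exactly one of them, and the field name should say which, otherwise drop the first line. None of the three lookups is checked for failure; if maat_get_table_id signals a missing table with a sentinel, log it and clear `cache->cache_policy_enabled` rather than scanning an invalid table id later. create_web_cache_handle continues outside the hunk.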
@@ -1044,11 +1057,12 @@ enum cache_pending_result web_cache_async_pending(struct cache_handle* handle, u
const struct tfe_http_half * request, struct cache_mid** mid, struct future* f_revalidate)
{
enum cache_pending_result result=PENDING_RESULT_FOBIDDEN;
- struct Maat_rule_t cache_policy;
+ long long cache_policy;
struct cache_param* param=&(handle->default_cache_policy);
- MAAT_RULE_EX_DATA ex_data=NULL;
- scan_status_t scan_mid=NULL;
+ void *ex_data=NULL;
+ struct maat_state *scan_mid=maat_state_new(handle->ref_feather, thread_id);
int ret=0;
+ size_t n_hit_result=0;
const char* cookie=NULL;
struct cache_mid* _mid=ALLOC(struct cache_mid, 1);
*mid=_mid;
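Review bot: `struct maat_state *scan_mid=maat_state_new(handle->ref_feather, thread_id);` runs unconditionally at the declaration, but the matching `maat_state_free(scan_mid)` (next hunk, -1060,44) sits inside `if(handle->cache_policy_enabled)`, so every request on a handle with cache policy disabled leaks a maat_state. In that configuration `handle->ref_feather` is also never assigned (create_web_cache_handle only sets it in the enabled branch), so the state is created against an unset feather. Move the `maat_state_new` call into the `if(handle->cache_policy_enabled)` block next to the scans that use it, and check its result before passing it to maat_scan_string. web_cache_async_pending continues outside the hunk.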
@@ -1060,44 +1074,42 @@ enum cache_pending_result web_cache_async_pending(struct cache_handle* handle, u
_mid->is_dyn_url=is_dynamic_url(request->req_spec.url);
if(handle->cache_policy_enabled)
{
- ret=Maat_full_scan_string(handle->ref_feather, handle->table_url_constraint, CHARSET_UTF8,
- request->req_spec.url, strlen(request->req_spec.url),
- &cache_policy, NULL, 1, &scan_mid, thread_id);
+ ret=maat_scan_string(handle->ref_feather, handle->table_url_constraint, request->req_spec.url,
+ strlen(request->req_spec.url), &cache_policy, 1, &n_hit_result, scan_mid);
- if(cookie && ret<=0)
+ if(cookie && ret<MAAT_SCAN_HIT)
{
- ret=Maat_full_scan_string(handle->ref_feather, handle->table_cookie_constraint, CHARSET_UTF8,
- cookie, strlen(cookie),
- &cache_policy, NULL, 1, &scan_mid, thread_id);
+ ret=maat_scan_string(handle->ref_feather, handle->table_cookie_constraint, cookie, strlen(cookie),
+ &cache_policy, 1, &n_hit_result, scan_mid);
}
- Maat_clean_status(&scan_mid);
+ maat_state_free(scan_mid);
+ scan_mid=NULL;
- if(ret>0)
+ if(ret==MAAT_SCAN_HIT)
{
-
- ex_data=Maat_rule_get_ex_data(handle->ref_feather, &cache_policy, handle->cache_param_idx);
+ ex_data=maat_plugin_table_get_ex_data(handle->ref_feather, handle->cache_param_idx, (const char *)&cache_policy);
if(ex_data!=NULL)
{
param=(struct cache_param*)ex_data;
_mid->is_using_exception_param=1;
_mid->param=param;
- }
- if((unsigned char)cache_policy.action==CACHE_ACTION_BYPASS)
- {
- _mid->shall_bypass=1;
- }
- _mid->cfg_id=cache_policy.config_id;
- if(param->key_descr.is_not_empty)
- {
- _mid->cache_key=get_cache_key(request, &(param->key_descr));
- }
- TFE_LOG_DEBUG(handle->logger, "cache policy %d matched: url=%s alt-key=%s",
- cache_policy.config_id,
- request->req_spec.url,
- _mid->cache_key!=NULL?_mid->cache_key:"null");
- ATOMIC_INC(&(handle->stat_val[STAT_CACHE_POLICY_MATCH]));
+ if((unsigned char)param->action==CACHE_ACTION_BYPASS)
+ {
+ _mid->shall_bypass=1;
+ }
+ _mid->cfg_id=param->config_id;
+ if(param->key_descr.is_not_empty)
+ {
+ _mid->cache_key=get_cache_key(request, &(param->key_descr));
+ }
+ TFE_LOG_DEBUG(handle->logger, "cache policy %llu matched: url=%s alt-key=%s",
+ param->config_id,
+ request->req_spec.url,
+ _mid->cache_key!=NULL?_mid->cache_key:"null");
+ ATOMIC_INC(&(handle->stat_val[STAT_CACHE_POLICY_MATCH]));
+ }
}
if(_mid->shall_bypass ||
(!param->force_caching && !param->cache_dyn_url && _mid->is_dyn_url && param->key_descr.qs_num==0) ||
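Review bot: `TFE_LOG_DEBUG(handle->logger, "cache policy %llu matched: ...", param->config_id, ...)` pairs `%llu` with a `long long` field (the `config_id` added to `struct cache_param` in this commit); use `%lld`. `(const char *)&cache_policy` hands the address of a `long long` to maat_plugin_table_get_ex_data as the key; if the API expects a NUL-terminated string this reads eight raw bytes with no terminator, and if it expects a pointer-typed key a short comment saying so would stop the next reader from "fixing" it. The bypass/cfg_id handling now runs only when `ex_data` is non-NULL, so a policy whose user_region failed to parse in cache_param_new is silently treated as no policy, whereas before `cache_policy.action` was honoured regardless; if that is intended, state it in a comment.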
diff --git a/resource/pangu/table_info.conf b/resource/pangu/table_info.conf
index cb284d9..14e31d6 100644
--- a/resource/pangu/table_info.conf
+++ b/resource/pangu/table_info.conf
@@ -1,61 +1,448 @@
-#each collumn seperate with '\t'
-#id (0~65535)
-#name string
-#type one of ip,expr,expr_plus,digest,intval,compile or plugin
-#src_charset one of GBK,BIG5,UNICODE,UTF8
-#dst_charset combined by GBK,BIG5,UNICODE,UTF8,seperate with '/'
-#do_merege [yes/no]
-#cross cache [number]
-#quick mode [quickon/quickoff], default [quickoff]
-#For ip/intval/digest/compile/group
-#id name type
-#
-#For plugin table
-#id name type json_descr
-#
-#For expr/expr_plus Table
-#id name type src_charset dst_charset do_merge cross_cache quick_mode
-0 PXY_CTRL_COMPILE compile escape --
-1 GROUP_COMPILE_RELATION group2compile --
-2 GROUP_GROUP_RELATION group2group --
-3 TSG_OBJ_IP_ADDR ip_plus ---
-3 TSG_OBJ_IP_LEARNING_ADDR ip_plus UTF8 UTF8 no 0
-4 TSG_OBJ_URL expr UTF8 GBK/UNICODE/UTF8/url_encode_gb2312/url_encode_utf8 yes 0 quickoff
-5 TSG_FIELD_HTTP_URL virtual TSG_OBJ_URL --
-6 TSG_OBJ_FQDN expr UTF8 GBK/UNICODE/UTF8/url_encode_gb2312/url_encode_utf8 yes 0 quickoff
-7 TSG_OBJ_FQDN_CAT intval UTF8 GBK/UNICODE/UTF8/url_encode_gb2312/url_encode_utf8 yes 0 quickoff
-8 TSG_FIELD_HTTP_HOST virtual ["TSG_OBJ_FQDN","TSG_OBJ_FQDN_CAT"] --
-9 TSG_OBJ_HTTP_SIGNATURE expr_plus UTF8 UTF8 yes 0 quickoff
-10 TSG_FIELD_HTTP_REQ_HDR virtual TSG_OBJ_HTTP_SIGNATURE --
-11 TSG_FIELD_HTTP_RES_HDR virtual TSG_OBJ_HTTP_SIGNATURE --
-12 TSG_OBJ_KEYWORDS expr UTF8 GBK/UNICODE/UTF8 yes 128 quickoff
-13 TSG_FIELD_HTTP_REQ_BODY virtual TSG_OBJ_KEYWORDS --
-14 TSG_FIELD_HTTP_RES_BODY virtual TSG_OBJ_KEYWORDS --
-15 TSG_OBJ_SUBSCRIBER_ID expr UTF8 UTF8 yes 0 quickon
-16 TSG_OBJ_APP_ID intval UTF8 UTF8 yes 0
-17 TSG_SECURITY_SOURCE_ADDR virtual TSG_OBJ_IP_ADDR --
-18 TSG_SECURITY_DESTINATION_ADDR virtual TSG_OBJ_IP_ADDR --
-19 TSG_SECURITY_ADDR composition {"source":"TSG_SECURITY_SOURCE_ADDR","destination":"TSG_SECURITY_DESTINATION_ADDR"}
-20 PXY_CACHE_COMPILE compile escape --
-21 PXY_CACHE_GROUP group --
-22 PXY_CACHE_HTTP_URL expr UTF8 UTF8 yes 0 quickoff
-23 PXY_CACHE_HTTP_COOKIE expr UTF8 UTF8 yes 0 quickoff
-24 PXY_PROFILE_TRUSTED_CA_CERT plugin {"key":1,"valid":4,"foreign":"3"}
-24 PXY_EXCH_INTERMEDIA_CERT plugin {"key":1,"valid":4,"foreign":"3"}
-25 PXY_OBJ_TRUSTED_CA_CRL plugin {"valid":4,"foreign":"3"}
-26 TSG_PROFILE_RESPONSE_PAGES plugin {"key":1,"foreign":"4","valid":5}
-27 PXY_PROFILE_HIJACK_FILES plugin {"key":1,"foreign":"5","valid":6}
-28 PXY_PROFILE_INSERT_SCRIPTS plugin {"key":1,"foreign":"4","valid":6}
-29 TSG_SECURITY_COMPILE plugin {"key":1,"valid":8}
-30 TSG_PROFILE_TRAFFIC_MIRROR plugin {"key":1,"valid":4}
-31 TSG_PROFILE_DECRYPTION plugin {"key":1,"valid":4}
-32 TSG_OBJ_AS_NUMBER expr UTF8 UTF8/GBK yes 0
-33 TSG_SECURITY_SOURCE_ASN virtual TSG_OBJ_AS_NUMBER --
-34 TSG_SECURITY_DESTINATION_ASN virtual TSG_OBJ_AS_NUMBER --
-35 TSG_OBJ_GEO_LOCATION expr UTF8 UTF8/GBK yes 0
-36 TSG_SECURITY_SOURCE_LOCATION virtual TSG_OBJ_GEO_LOCATION --
-37 TSG_SECURITY_DESTINATION_LOCATION virtual TSG_OBJ_GEO_LOCATION --
-38 TSG_FIELD_DOH_QNAME virtual ["TSG_OBJ_FQDN","TSG_OBJ_FQDN_CAT"] --
-39 TSG_FIELD_DOH_HOST virtual ["TSG_OBJ_FQDN","TSG_OBJ_FQDN_CAT"] --
-40 PXY_SSL_FINGERPRINT plugin {"key":2,"valid":4}
-41 PXY_PROFILE_RUN_SCRIPTS plugin {"key":1,"foreign":"2","valid":4}
+[
+ {
+ "table_id":0,
+ "table_name":"PXY_CTRL_COMPILE",
+ "table_type":"compile",
+ "user_region_encoded":"escape",
+ "valid_column":8,
+ "custom": {
+ "compile_id":1,
+ "service_id":2,
+ "action":3,
+ "do_blacklist":4,
+ "do_log":5,
+ "tags":6,
+ "user_region":7,
+ "clause_num":9,
+ "evaluation_order":10
+ }
+ },
+ {
+ "table_id":1,
+ "table_name":"GROUP_PXY_CTRL_COMPILE_RELATION",
+ "table_type":"group2compile",
+ "associated_compile_table_id":0,
+ "valid_column":3,
+ "custom": {
+ "group_id":1,
+ "compile_id":2,
+ "not_flag":4,
+ "virtual_table_name":5,
+ "clause_index":6
+ }
+ },
+ {
+ "table_id":2,
+ "table_name":"GROUP_GROUP_RELATION",
+ "table_type":"group2group",
+ "valid_column":3,
+ "custom": {
+ "group_id":1,
+ "super_group_id":2
+ }
+ },
+ {
+ "table_id":3,
+ "table_name":"TSG_OBJ_IP",
+ "db_tables":["TSG_OBJ_IP_ADDR","TSG_OBJ_IP_LEARNING_ADDR"],
+ "table_type":"ip_plus",
+ "valid_column":11,
+ "custom": {
+ "item_id":1,
+ "group_id":2,
+ "addr_type":3,
+ "addr_format":4,
+ "ip1":5,
+ "ip2":6,
+ "port_format":7,
+ "port1":8,
+ "port2":9,
+ "protocol":10
+ }
+ },
+ {
+ "table_id":4,
+ "table_name":"TSG_OBJ_URL",
+ "table_type":"expr",
+ "valid_column":7,
+ "custom": {
+ "item_id":1,
+ "group_id":2,
+ "keywords":3,
+ "expr_type":4,
+ "match_method":5,
+ "is_hexbin":6
+ }
+ },
+ {
+ "table_id":5,
+ "table_name":"TSG_FIELD_HTTP_URL",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_URL"
+ },
+ {
+ "table_id":6,
+ "table_name":"TSG_OBJ_FQDN",
+ "table_type":"expr",
+ "valid_column":7,
+ "custom": {
+ "item_id":1,
+ "group_id":2,
+ "keywords":3,
+ "expr_type":4,
+ "match_method":5,
+ "is_hexbin":6
+ }
+ },
+ {
+ "table_id":7,
+ "table_name":"TSG_OBJ_FQDN_CAT",
+ "table_type":"intval",
+ "valid_column":5,
+ "custom": {
+ "item_id":1,
+ "group_id":2,
+ "low_bound":3,
+ "up_bound":4
+ }
+ },
+ {
+ "table_id":8,
+ "table_name":"TSG_FIELD_HTTP_HOST",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_FQDN"
+ },
+ {
+ "table_id":9,
+ "table_name":"TSG_FIELD_HTTP_HOST_CAT",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_FQDN_CAT"
+ },
+ {
+ "table_id":10,
+ "table_name":"TSG_OBJ_HTTP_SIGNATURE",
+ "table_type":"expr_plus",
+ "valid_column":8,
+ "custom": {
+ "item_id":1,
+ "group_id":2,
+ "district":3,
+ "keywords":4,
+ "expr_type":5,
+ "match_method":6,
+ "is_hexbin":7
+ }
+ },
+ {
+ "table_id":11,
+ "table_name":"TSG_FIELD_HTTP_REQ_HDR",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_HTTP_SIGNATURE"
+ },
+ {
+ "table_id":12,
+ "table_name":"TSG_FIELD_HTTP_RES_HDR",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_HTTP_SIGNATURE"
+ },
+ {
+ "table_id":13,
+ "table_name":"TSG_OBJ_KEYWORDS",
+ "table_type":"expr",
+ "valid_column":7,
+ "custom": {
+ "item_id":1,
+ "group_id":2,
+ "keywords":3,
+ "expr_type":4,
+ "match_method":5,
+ "is_hexbin":6
+ }
+ },
+ {
+ "table_id":14,
+ "table_name":"TSG_FIELD_HTTP_REQ_BODY",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_KEYWORDS"
+ },
+ {
+ "table_id":15,
+ "table_name":"TSG_FIELD_HTTP_RES_BODY",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_KEYWORDS"
+ },
+ {
+ "table_id":16,
+ "table_name":"TSG_OBJ_SUBSCRIBER_ID",
+ "table_type":"expr",
+ "valid_column":7,
+ "custom": {
+ "item_id":1,
+ "group_id":2,
+ "keywords":3,
+ "expr_type":4,
+ "match_method":5,
+ "is_hexbin":6
+ }
+ },
+ {
+ "table_id":17,
+ "table_name":"TSG_OBJ_APP_ID",
+ "table_type":"intval",
+ "valid_column":5,
+ "custom": {
+ "item_id":1,
+ "group_id":2,
+ "low_bound":3,
+ "up_bound":4
+ }
+ },
+ {
+ "table_id":18,
+ "table_name":"TSG_SECURITY_SOURCE_ADDR",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_IP"
+ },
+ {
+ "table_id":19,
+ "table_name":"TSG_SECURITY_DESTINATION_ADDR",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_IP"
+ },
+ {
+ "table_id":20,
+ "table_name":"PXY_CACHE_COMPILE",
+ "table_type":"compile",
+ "user_region_encoded":"escape",
+ "valid_column":8,
+ "custom": {
+ "compile_id":1,
+ "service_id":2,
+ "action":3,
+ "do_blacklist":4,
+ "do_log":5,
+ "tags":6,
+ "user_region":7,
+ "clause_num":9,
+ "evaluation_order":10
+ }
+ },
+ {
+ "table_id":21,
+ "table_name":"PXY_CACHE_GROUP",
+ "table_type":"group2compile",
+ "associated_compile_table_id":0,
+ "valid_column":3,
+ "custom": {
+ "group_id":1,
+ "compile_id":2,
+ "not_flag":4,
+ "virtual_table_name":5,
+ "clause_index":6
+ }
+ },
+ {
+ "table_id":22,
+ "table_name":"PXY_CACHE_HTTP_URL",
+ "table_type":"expr",
+ "valid_column":7,
+ "custom": {
+ "item_id":1,
+ "group_id":2,
+ "keywords":3,
+ "expr_type":4,
+ "match_method":5,
+ "is_hexbin":6
+ }
+ },
+ {
+ "table_id":23,
+ "table_name":"PXY_CACHE_HTTP_COOKIE",
+ "table_type":"expr",
+ "valid_column":7,
+ "custom": {
+ "item_id":1,
+ "group_id":2,
+ "keywords":3,
+ "expr_type":4,
+ "match_method":5,
+ "is_hexbin":6
+ }
+ },
+ {
+ "table_id":24,
+ "table_name":"PXY_PROFILE_TRUSTED_CA_CERT",
+ "table_type":"plugin",
+ "valid_column":4,
+ "custom": {
+ "key":1,
+ "key_type":"pointer",
+ "foreign": [3]
+ }
+ },
+ {
+ "table_id":25,
+ "table_name":"PXY_OBJ_TRUSTED_CA_CRL",
+ "table_type":"plugin",
+ "valid_column":4,
+ "custom": {
+ "key":1,
+ "key_type":"pointer",
+ "foreign": [3]
+ }
+ },
+ {
+ "table_id":26,
+ "table_name":"TSG_PROFILE_RESPONSE_PAGES",
+ "table_type":"plugin",
+ "valid_column":5,
+ "custom": {
+ "key":1,
+ "key_type":"pointer",
+ "foreign": [4]
+ }
+ },
+ {
+ "table_id":27,
+ "table_name":"PXY_PROFILE_HIJACK_FILES",
+ "table_type":"plugin",
+ "valid_column":6,
+ "custom": {
+ "key":1,
+ "key_type":"pointer",
+ "foreign": [5]
+ }
+ },
+ {
+ "table_id":28,
+ "table_name":"PXY_PROFILE_INSERT_SCRIPTS",
+ "table_type":"plugin",
+ "valid_column":6,
+ "custom": {
+ "key":1,
+ "key_type":"pointer",
+ "foreign": [4]
+ }
+ },
+ {
+ "table_id":29,
+ "table_name":"TSG_SECURITY_COMPILE",
+ "table_type":"plugin",
+ "valid_column":8,
+ "custom": {
+ "key":1,
+ "key_type":"pointer"
+ }
+ },
+ {
+ "table_id":30,
+ "table_name":"TSG_PROFILE_TRAFFIC_MIRROR",
+ "table_type":"plugin",
+ "valid_column":4,
+ "custom": {
+ "key":1,
+ "key_type":"pointer"
+ }
+ },
+ {
+ "table_id":31,
+ "table_name":"TSG_PROFILE_DECRYPTION",
+ "table_type":"plugin",
+ "valid_column":4,
+ "custom": {
+ "key":1,
+ "key_type":"pointer"
+ }
+ },
+ {
+ "table_id":32,
+ "table_name":"TSG_OBJ_AS_NUMBER",
+ "table_type":"expr",
+ "valid_column":7,
+ "custom": {
+ "item_id":1,
+ "group_id":2,
+ "keywords":3,
+ "expr_type":4,
+ "match_method":5,
+ "is_hexbin":6
+ }
+ },
+ {
+ "table_id":33,
+ "table_name":"TSG_SECURITY_SOURCE_ASN",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_AS_NUMBER"
+ },
+ {
+ "table_id":34,
+ "table_name":"TSG_SECURITY_DESTINATION_ASN",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_AS_NUMBER"
+ },
+ {
+ "table_id":35,
+ "table_name":"TSG_OBJ_GEO_LOCATION",
+ "table_type":"expr",
+ "valid_column":7,
+ "custom": {
+ "item_id":1,
+ "group_id":2,
+ "keywords":3,
+ "expr_type":4,
+ "match_method":5,
+ "is_hexbin":6
+ }
+ },
+ {
+ "table_id":36,
+ "table_name":"TSG_SECURITY_SOURCE_LOCATION",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_GEO_LOCATION"
+ },
+ {
+ "table_id":37,
+ "table_name":"TSG_SECURITY_DESTINATION_LOCATION",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_GEO_LOCATION"
+ },
+ {
+ "table_id":38,
+ "table_name":"TSG_FIELD_DOH_QNAME",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_FQDN"
+ },
+ {
+ "table_id":39,
+ "table_name":"TSG_FIELD_DOH_HOST",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_FQDN"
+ },
+ {
+ "table_id":40,
+ "table_name":"TSG_FIELD_DOH_HOST_CAT",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_FQDN_CAT"
+ },
+ {
+ "table_id":41,
+ "table_name":"PXY_SSL_FINGERPRINT",
+ "table_type":"plugin",
+ "valid_column":4,
+ "custom": {
+ "key":2,
+ "key_type":"pointer"
+ }
+ },
+ {
+ "table_id":42,
+ "table_name":"PXY_PROFILE_RUN_SCRIPTS",
+ "table_type":"plugin",
+ "valid_column":4,
+ "custom": {
+ "key":1,
+ "key_type":"pointer",
+ "foreign": [2]
+ }
+ }
+] \ No newline at end of file
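Review bot: Table 21 `PXY_CACHE_GROUP` carries `"associated_compile_table_id":0`, which points at `PXY_CTRL_COMPILE`, while the compile table it belongs with is id 20 (`PXY_CACHE_COMPILE`); table 1 uses 0 for the proxy-control pair, so this looks like a copy-paste and should probably read `"associated_compile_table_id":20`. The old file's `PXY_EXCH_INTERMEDIA_CERT` entry (a duplicate id 24) has no counterpart here; if any plugin still resolves that name through maat_get_table_id it will fail at startup. The file also ends without a trailing newline.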
diff --git a/resource/pangu/table_info_traffic_mirror.conf b/resource/pangu/table_info_traffic_mirror.conf
index f7bf53b..3ec86f7 100644
--- a/resource/pangu/table_info_traffic_mirror.conf
+++ b/resource/pangu/table_info_traffic_mirror.conf
@@ -1,19 +1,22 @@
-#each collumn seperate with '\t'
-#id (0~65535)
-#name string
-#type one of ip,expr,expr_plus,digest,intval,compile or plugin
-#src_charset one of GBK,BIG5,UNICODE,UTF8
-#dst_charset combined by GBK,BIG5,UNICODE,UTF8,seperate with '/'
-#do_merege [yes/no]
-#cross cache [number]
-#quick mode [quickon/quickoff], default [quickoff]
-#For ip/intval/digest/compile/group
-#id name type
-#
-#For plugin table
-#id name type json_descr
-#
-#For expr/expr_plus Table
-#id name type src_charset dst_charset do_merge cross_cache quick_mode
-0 TSG_SECURITY_COMPILE plugin {"key":1,"valid":8}
-1 TSG_PROFILE_TRAFFIC_MIRROR plugin {"key":1,"valid":4}
+[
+ {
+ "table_id":0,
+ "table_name":"TSG_SECURITY_COMPILE",
+ "table_type":"plugin",
+ "valid_column":8,
+ "custom": {
+ "key":1,
+ "key_type":"pointer"
+ }
+ },
+ {
+ "table_id":1,
+ "table_name":"TSG_PROFILE_TRAFFIC_MIRROR",
+ "table_type":"plugin",
+ "valid_column":4,
+ "custom": {
+ "key":1,
+ "key_type":"pointer"
+ }
+ }
+]
diff --git a/vendor/CMakeLists.txt b/vendor/CMakeLists.txt
index a361c16..b35d926 100644
--- a/vendor/CMakeLists.txt
+++ b/vendor/CMakeLists.txt
@@ -162,7 +162,7 @@ set_property(TARGET wiredLB PROPERTY IMPORTED_LOCATION ${MESA_FRAMEWORK_LIB_DIR}
set_property(TARGET wiredLB PROPERTY INTERFACE_INCLUDE_DIRECTORIES ${MESA_FRAMEWORK_INCLUDE_DIR})
add_library(maatframe SHARED IMPORTED GLOBAL)
-set_property(TARGET maatframe PROPERTY IMPORTED_LOCATION ${MESA_FRAMEWORK_LIB_DIR}/libmaatframe.so)
+set_property(TARGET maatframe PROPERTY IMPORTED_LOCATION ${MESA_FRAMEWORK_LIB_DIR}/libmaat4.so)
set_property(TARGET maatframe PROPERTY INTERFACE_INCLUDE_DIRECTORIES ${MESA_FRAMEWORK_INCLUDE_DIR})
add_library(MESA_field_stat SHARED IMPORTED GLOBAL)