diff options
| author | wangmenglan <[email protected]> | 2024-09-23 18:35:47 +0800 |
|---|---|---|
| committer | luwenpeng <[email protected]> | 2024-09-25 18:10:57 +0800 |
| commit | 707b4182506ed31afc1f5fe290974b40e3f88311 (patch) | |
| tree | 975c77196f0d5438711212ef2fc4f015dacda3a3 | |
| parent | a571c85b4716b0d065cf347fbc87655cad9cf91a (diff) | |
TSG-22699 适配控制报文修改
| -rw-r--r-- | ci/travis.sh | 1 | ||||
| -rw-r--r-- | common/CMakeLists.txt | 2 | ||||
| -rw-r--r-- | common/include/intercept_policy.h | 3 | ||||
| -rw-r--r-- | common/include/tfe_cmsg.h | 6 | ||||
| -rw-r--r-- | common/include/tfe_ctrl_packet.h | 5 | ||||
| -rw-r--r-- | common/include/tfe_dp_trace.h | 12 | ||||
| -rw-r--r-- | common/include/tfe_fieldstat.h | 2 | ||||
| -rw-r--r-- | common/include/tfe_packet_io.h | 3 | ||||
| -rw-r--r-- | common/include/tfe_utils.h | 1 | ||||
| -rw-r--r-- | common/src/intercept_policy.cpp | 152 | ||||
| -rw-r--r-- | common/src/tfe_ctrl_packet.cpp | 75 | ||||
| -rw-r--r-- | common/src/tfe_fieldstat.cpp | 9 | ||||
| -rw-r--r-- | common/src/tfe_packet_io.cpp | 67 | ||||
| -rw-r--r-- | common/src/tfe_scan.cpp | 14 | ||||
| -rw-r--r-- | common/test/CMakeLists.txt | 1 | ||||
| -rw-r--r-- | common/test/test_mpack.cpp | 39 | ||||
| -rw-r--r-- | plugin/business/chaining-policy/src/chaining_policy.cpp | 80 | ||||
| -rw-r--r-- | plugin/business/chaining-policy/src/chaining_policy.h | 2 | ||||
| -rw-r--r-- | plugin/business/doh/src/logger.cpp | 6 | ||||
| -rw-r--r-- | plugin/business/tcp-policy/src/tcp_policy.cpp | 82 | ||||
| -rw-r--r-- | plugin/business/tsg-http/src/tsg_logger.cpp | 6 |
21 files changed, 314 insertions, 254 deletions
diff --git a/ci/travis.sh b/ci/travis.sh index 7575f85..8f8b149 100644 --- a/ci/travis.sh +++ b/ci/travis.sh @@ -39,6 +39,7 @@ yum install -y libMESA_htable-devel libMESA_prof_load-devel libwiredcfg-devel li yum install -y libasan yum install -y numactl-libs # required by mrzcpd yum install -y libibverbs # required by mrzcpd +yum install -y libuuid-devel if [ $ASAN_OPTION ];then source /opt/rh/devtoolset-7/enable diff --git a/common/CMakeLists.txt b/common/CMakeLists.txt index 0240edc..c992c3d 100644 --- a/common/CMakeLists.txt +++ b/common/CMakeLists.txt @@ -11,7 +11,7 @@ target_include_directories(common PUBLIC ${CMAKE_CURRENT_LIST_DIR}/../bpf/) target_include_directories(common PRIVATE ${CMAKE_CURRENT_LIST_DIR}/../platform/include/internal) target_link_libraries(common PUBLIC libevent-static libevent-static-openssl libevent-static-pthreads rdkafka) target_link_libraries(common PUBLIC MESA_handle_logger cjson bpf_obj mrzcpd MESA_prof_load maatframe fieldstat4) -target_link_libraries(common PUBLIC pthread) +target_link_libraries(common PUBLIC pthread uuid) if (SUPPORT_LIBURING) target_link_libraries(common PUBLIC uring) diff --git a/common/include/intercept_policy.h b/common/include/intercept_policy.h index 4d81169..b4d1cfc 100644 --- a/common/include/intercept_policy.h +++ b/common/include/intercept_policy.h @@ -1,12 +1,13 @@ #pragma once #include <tfe_cmsg.h> +#include <uuid/uuid.h> struct intercept_policy_enforcer; struct intercept_policy_enforcer *intercept_policy_enforcer_create(void *logger); void intercept_policy_enforce_destory(struct intercept_policy_enforcer *enforcer); // return 0 : success // return -1 : error (need passthrough) -int intercept_policy_select(struct intercept_policy_enforcer *enforcer, uint64_t *rule_id_array, int rule_id_num, uint64_t *selected_rule_id); +int intercept_policy_select(struct intercept_policy_enforcer *enforcer, uuid_t *rule_id_array, int rule_id_num, uuid_t selected_rule_id); // return 0 : success // return -1 : error (need passthrough) int intercept_policy_enforce(struct intercept_policy_enforcer *enforcer, struct tfe_cmsg *cmsg);
\ No newline at end of file diff --git a/common/include/tfe_cmsg.h b/common/include/tfe_cmsg.h index 1e67030..9784f48 100644 --- a/common/include/tfe_cmsg.h +++ b/common/include/tfe_cmsg.h @@ -100,9 +100,9 @@ enum tfe_cmsg_tlv_type TFE_CMSG_SRC_PHONE_NUM_STR, // string max size 256 TFE_CMSG_SRC_APN_STR, // string max size 256 - TFE_CMSG_SRC_IP_TAGS_IDS_STR, // string max size 21 * 128 = 2688, example: "1,2,3,4,5" - TFE_CMSG_DST_IP_TAGS_IDS_STR, // string max size 21 * 128 = 2688, example: "1,2,3,4,5" - TFE_CMSG_FQDN_TAGS_IDS_STR, // string max size 21 * 128 = 2688, example: "1,2,3,4,5" + TFE_CMSG_SRC_IP_TAGS_IDS_ARR, // uuid_t array + TFE_CMSG_DST_IP_TAGS_IDS_ARR, // uuid_t array + TFE_CMSG_FQDN_TAGS_IDS_ARR, // uuid_t array /* Add new cmsg here */ /* Add new cmsg here */ diff --git a/common/include/tfe_ctrl_packet.h b/common/include/tfe_ctrl_packet.h index 696fafd..c7584fb 100644 --- a/common/include/tfe_ctrl_packet.h +++ b/common/include/tfe_ctrl_packet.h @@ -7,6 +7,7 @@ extern "C" #endif #include <stdint.h> +#include <uuid/uuid.h> enum session_state { @@ -24,9 +25,9 @@ struct ctrl_pkt_parser uint64_t session_id; enum session_state state; char method[32]; - uint64_t tfe_policy_ids[MAX_HIT_RULES]; + uuid_t tfe_policy_ids[MAX_HIT_RULES]; int tfe_policy_id_num; - uint64_t sce_policy_ids[MAX_HIT_RULES]; + uuid_t sce_policy_ids[MAX_HIT_RULES]; int sce_policy_id_num; struct tfe_cmsg *cmsg; diff --git a/common/include/tfe_dp_trace.h b/common/include/tfe_dp_trace.h index a5c8931..e5acdb3 100644 --- a/common/include/tfe_dp_trace.h +++ b/common/include/tfe_dp_trace.h @@ -8,9 +8,9 @@ extern "C" #include <marsio.h> -static inline void record_msg_on_ctrl_pkt(char *buff, int size, uint64_t rule_id, uint64_t session_id, const char *state, const char *action, const char *reason) +static inline void record_msg_on_ctrl_pkt(char *buff, int size, char *rule_id, uint64_t session_id, const char *state, const char *action, const char *reason) { - int n = snprintf(buff, size, "intercept rule id=%lu, session=%lu, state=%s", rule_id, session_id, state); + int n = snprintf(buff, size, "intercept rule id=%s, session=%lu, state=%s", rule_id, session_id, state); if (action) { n += snprintf(buff + n, size - n, ", action=%s", action); @@ -21,16 +21,16 @@ static inline void record_msg_on_ctrl_pkt(char *buff, int size, uint64_t rule_id } } -static inline void record_msg_on_raw_pkt(char *buff, int size, uint64_t rule_id, const char *traffic, const char *action, const char *reason) +static inline void record_msg_on_raw_pkt(char *buff, int size, char *rule_id, const char *traffic, const char *action, const char *reason) { - int n = snprintf(buff, size, "intercept rule id=%lu, traffic=%s, action=%s", rule_id, traffic, action); + int n = snprintf(buff, size, "intercept rule id=%s, traffic=%s, action=%s", rule_id, traffic, action); if (reason) { snprintf(buff + n, size - n, ", reason=%s", reason); } } -static inline void tfe_dp_telemetry_on_ctrl_pkt(mr_instance *mr_ins, marsio_buff_t *mr_buff, uint64_t rule_id, uint64_t session_id, const char *state, const char *action, const char *reason) +static inline void tfe_dp_telemetry_on_ctrl_pkt(mr_instance *mr_ins, marsio_buff_t *mr_buff, char *rule_id, uint64_t session_id, const char *state, const char *action, const char *reason) { if (marsio_dp_trace_measurements_can_emit(mr_ins, mr_buff, DP_TRACE_MEASUREMENT_TYPE_TRACE)) { @@ -46,7 +46,7 @@ static inline void tfe_dp_telemetry_on_ctrl_pkt(mr_instance *mr_ins, marsio_buff } } -static inline void tfe_dp_on_raw_pkt(mr_instance *mr_ins, marsio_buff_t *mr_buff, uint64_t rule_id, const char *traffic, const char *action, const char *reason) +static inline void tfe_dp_on_raw_pkt(mr_instance *mr_ins, marsio_buff_t *mr_buff, char *rule_id, const char *traffic, const char *action, const char *reason) { if (marsio_dp_trace_measurements_can_emit(mr_ins, mr_buff, DP_TRACE_MEASUREMENT_TYPE_TRACE)) { diff --git a/common/include/tfe_fieldstat.h b/common/include/tfe_fieldstat.h index 8e2f750..bfa4b58 100644 --- a/common/include/tfe_fieldstat.h +++ b/common/include/tfe_fieldstat.h @@ -11,6 +11,8 @@ extern "C" #define FIELDSTAT_TAG_INIT(ptr, index, _key, _type, _value) \ do { ptr[index].key = _key; ptr[index].type = _type; ptr[index].value_longlong = _value; } while(0) +#define FIELDSTAT_TAG_STR(ptr, index, _key, _type, _value) \ + do { ptr[index].key = _key; ptr[index].type = _type; ptr[index].value_str = _value; } while(0) enum metric_columns_index { diff --git a/common/include/tfe_packet_io.h b/common/include/tfe_packet_io.h index db6be9a..07b62e2 100644 --- a/common/include/tfe_packet_io.h +++ b/common/include/tfe_packet_io.h @@ -6,6 +6,7 @@ extern "C" { #endif +#include <uuid/uuid.h> #include "tuple.h" #include "tfe_packet_io_fs.h" @@ -58,7 +59,7 @@ struct packet_info struct session_ctx { - uint64_t policy_ids; + uuid_t policy_ids; uint64_t session_id; uint8_t is_passthrough; uint8_t protocol; diff --git a/common/include/tfe_utils.h b/common/include/tfe_utils.h index d33f685..a14c78c 100644 --- a/common/include/tfe_utils.h +++ b/common/include/tfe_utils.h @@ -22,6 +22,7 @@ #define TFE_THREAD_MAX 256 #define TFE_FAKE_C_DEFAULT_TTL 60 #define TFE_FAKE_S_DEFAULT_TTL 65 +#define UUID_LEN 16 #define UUID_STRING_SIZE 37 diff --git a/common/src/intercept_policy.cpp b/common/src/intercept_policy.cpp index d8f57cb..777c871 100644 --- a/common/src/intercept_policy.cpp +++ b/common/src/intercept_policy.cpp @@ -7,7 +7,7 @@ struct intercept_param { int vsys_id; - uint64_t rule_id; + uuid_t rule_id; int do_log; int ref_cnt; int action; @@ -20,82 +20,77 @@ struct intercept_param struct intercept_policy_enforcer { struct maat *maat; - int table_id; + char table_name[32]; void *logger; }; -static void intercept_param_new_cb(const char *table_name, int table_id, const char *key, const char *table_line, void **ad, long argl, void *argp) +static void intercept_param_new_cb(const char *table_name, const char *key, const char *table_line, void **ad, long argl, void *argp) { int action = 0; + int do_log = 0; int vsys_id = 0; - size_t len = 0; - size_t offset = 0; - size_t do_log = 0; - char buffer[8] = {0}; - char *json_str = NULL; - cJSON *json = NULL; - cJSON *item = NULL; + cJSON * json_root = NULL; + cJSON * json_subroot = NULL; + cJSON * item = NULL; struct intercept_param *param = NULL; struct intercept_policy_enforcer *enforcer = (struct intercept_policy_enforcer *)argp; - if (maat_helper_read_column(table_line, 3, &offset, &len) < 0) + json_root = cJSON_Parse(table_line); + if (unlikely(!json_root)) { - TFE_LOG_ERROR(enforcer->logger, "Invalid intercept action: %s", table_line); + TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule:%s %s", key, table_line); goto error_out; } - memcpy(buffer, table_line + offset, MIN(sizeof(buffer), len)); - action = atoi(buffer); - if (action != 2 && action != 3) + item = cJSON_GetObjectItem(json_root, "ACTION"); + if (unlikely(!item || !cJSON_IsNumber(item))) { - TFE_LOG_ERROR(enforcer->logger, "Invalid intercept action: %s", table_line); + TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule:%s (invalid ACTION format) %s.", key, table_line); goto error_out; } - if (maat_helper_read_column(table_line, 5, &offset, &len) < 0) + if (item->valueint != 2 && item->valueint != 3) { - TFE_LOG_ERROR(enforcer->logger, "Invalid do log: %s", table_line); + TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule:%s (invalid ACTION format) %s.", key, table_line); goto error_out; } - memset(buffer, 0, sizeof(buffer)); - memcpy(buffer, table_line + offset, MIN(sizeof(buffer), len)); - do_log = atoi(buffer); + action = item->valueint; - if (maat_helper_read_column(table_line, 7, &offset, &len) < 0) + item = cJSON_GetObjectItem(json_root, "DO_LOG"); + if (!item || !cJSON_IsNumber(item)) { - TFE_LOG_ERROR(enforcer->logger, "Invalid intercept user region: %s", table_line); + TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule:%s (invalid DO_LOG format) %s.", key, table_line); goto error_out; } + param->do_log = !!item->valueint; - json_str = ALLOC(char, len + 1); - memcpy(json_str, table_line + offset, len); - json = cJSON_Parse(json_str); - if (json == NULL) + json_subroot = cJSON_GetObjectItem(json_root, "USER_REGION"); + if (unlikely(!json_subroot)) { - TFE_LOG_ERROR(enforcer->logger, "Invalid intercept parameter: id = %s", key); + TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule:%s (invalid USER_REGION format) %s.", key, table_line); goto error_out; } - item = cJSON_GetObjectItem(json, "vsys_id"); + item = cJSON_GetObjectItem(json_subroot, "vsys_id"); if (!item || !cJSON_IsNumber(item)) { - TFE_LOG_ERROR(enforcer->logger, "Invalid intercept parameter: %s invalid vsys_id format", key); + TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule:%s (invalid vsys_id format) %s.", key, table_line); goto error_out; } vsys_id = item->valueint; - + param = ALLOC(struct intercept_param, 1); - param->vsys_id = vsys_id; - param->rule_id = atoll(key); - param->do_log = (do_log == 0 ? 0 : 1); param->ref_cnt = 1; param->action = action; + param->do_log = do_log; + param->vsys_id = vsys_id; + uuid_parse(key, param->rule_id); param->keyring_for_trusted = 1; param->keyring_for_untrusted = 0; param->decryption_profile = 0; param->tcp_option_profile = 0; - item = cJSON_GetObjectItem(json, "keyring_for_trusted"); + item = cJSON_GetObjectItem(json_subroot, "keyring_for_trusted"); if (item) { if (item->type == cJSON_Number) @@ -108,11 +103,11 @@ static void intercept_param_new_cb(const char *table_name, int table_id, const c } else { - TFE_LOG_ERROR(enforcer->logger, "Invalid intercept parameter: %lu invalid keyring_for_trusted format", param->rule_id); + TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule: %s (invalid keyring_for_trusted format) %s.", key, table_line); } } - item = cJSON_GetObjectItem(json, "keyring_for_untrusted"); + item = cJSON_GetObjectItem(json_subroot, "keyring_for_untrusted"); if (item) { if (item->type == cJSON_Number) @@ -125,11 +120,11 @@ static void intercept_param_new_cb(const char *table_name, int table_id, const c } else { - TFE_LOG_ERROR(enforcer->logger, "Invalid intercept parameter: %lu invalid keyring_for_untrusted format", param->rule_id); + TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule: %s (invalid keyring_for_untrusted format) %s", key, table_line); } } - item = cJSON_GetObjectItem(json, "decryption_profile"); + item = cJSON_GetObjectItem(json_subroot, "decryption_profile"); if (item) { if (item->type == cJSON_Number) @@ -142,11 +137,11 @@ static void intercept_param_new_cb(const char *table_name, int table_id, const c } else { - TFE_LOG_ERROR(enforcer->logger, "Invalid intercept parameter: %lu invalid decryption_profile format", param->rule_id); + TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule:%s (invalid decryption_profile format) %s.", key, table_line); } } - item = cJSON_GetObjectItem(json, "tcp_option_profile"); + item = cJSON_GetObjectItem(json_subroot, "tcp_option_profile"); if (item) { if (item->type == cJSON_Number) @@ -159,26 +154,23 @@ static void intercept_param_new_cb(const char *table_name, int table_id, const c } else { - TFE_LOG_ERROR(enforcer->logger, "Invalid intercept parameter: %lu invalid tcp_option_profile format", param->rule_id); + TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule:%s (invalid tcp_option_profile format) %s.", key, table_line); } } *ad = param; - TFE_LOG_INFO(enforcer->logger, "Add intercept policy: %lu", param->rule_id); + TFE_LOG_INFO(enforcer->logger, "Add intercept rule: %s", key); error_out: - if (json) - { - cJSON_Delete(json); - } - if (json_str) + if (json_root) { - free(json_str); + cJSON_Delete(json_root); } } -static void intercept_param_free_cb(int table_id, void **ad, long argl, void *argp) +static void intercept_param_free_cb(const char *table_name, void **ad, long argl, void *argp) { + char str_rule_id[UUID_STR_LEN] = {0}; struct intercept_policy_enforcer *enforcer = (struct intercept_policy_enforcer *)argp; struct intercept_param *param = (struct intercept_param *)*ad; if (param == NULL) @@ -188,13 +180,14 @@ static void intercept_param_free_cb(int table_id, void **ad, long argl, void *ar if ((__sync_sub_and_fetch(¶m->ref_cnt, 1) == 0)) { - TFE_LOG_INFO(enforcer->logger, "Del intercept policy %lu", param->rule_id); + uuid_unparse(param->rule_id, str_rule_id); + TFE_LOG_INFO(enforcer->logger, "Del intercept policy %s", str_rule_id); free(param); *ad = NULL; } } -static void intercept_param_dup_cb(int table_id, void **to, void **from, long argl, void *argp) +static void intercept_param_dup_cb(const char *table_name, void **to, void **from, long argl, void *argp) { struct intercept_param *param = (struct intercept_param *)*from; if (param) @@ -219,16 +212,10 @@ struct intercept_policy_enforcer *intercept_policy_enforcer_create(void *logger) struct intercept_policy_enforcer *enforcer = ALLOC(struct intercept_policy_enforcer, 1); enforcer->maat = tfe_get_maat_handle(); enforcer->logger = logger; - enforcer->table_id = maat_get_table_id(enforcer->maat, "PXY_INTERCEPT_COMPILE"); - - if (enforcer->table_id < 0) - { - TFE_LOG_ERROR(enforcer->logger, "failed at register table of PXY_INTERCEPT_COMPILE, ret = %d", enforcer->table_id); - goto error_out; - } + snprintf(enforcer->table_name, sizeof(enforcer->table_name), "PXY_INTERCEPT_COMPILE"); ret = maat_plugin_table_ex_schema_register(enforcer->maat, - "PXY_INTERCEPT_COMPILE", + enforcer->table_name, intercept_param_new_cb, intercept_param_free_cb, intercept_param_dup_cb, @@ -258,25 +245,24 @@ void intercept_policy_enforce_destory(struct intercept_policy_enforcer *enforcer // return 0 : success // return -1 : error (need passthrough) -int intercept_policy_select(struct intercept_policy_enforcer *enforcer, uint64_t *rule_id_array, int rule_id_num, uint64_t *selected_rule_id) +int intercept_policy_select(struct intercept_policy_enforcer *enforcer, uuid_t *rule_id_array, int rule_id_num, uuid_t selected_rule_id) { - uint64_t rule_id = 0; + uuid_t rule_id; + char str_rule_id[UUID_STR_LEN] = {0}; uint8_t is_hit_intercept_rule = 0; uint8_t is_hit_no_intercept_rule = 0; - uint64_t max_intercept_rule_id = 0; - uint64_t max_no_intercept_rule_id = 0; - - char buff[16] = {0}; + uuid_t max_intercept_rule_id = {0}; + uuid_t max_no_intercept_rule_id = {0}; struct intercept_param *param = NULL; for (int i = 0; i < rule_id_num; i++) { - rule_id = rule_id_array[i]; - snprintf(buff, sizeof(buff), "%lu", rule_id); - param = (struct intercept_param *)maat_plugin_table_get_ex_data(enforcer->maat, enforcer->table_id, buff, strlen(buff)); + memcpy(rule_id, rule_id_array[i], UUID_LEN); + uuid_unparse(rule_id, str_rule_id); + param = (struct intercept_param *)maat_plugin_table_get_ex_data(enforcer->maat, enforcer->table_name, str_rule_id, UUID_STR_LEN-1); if (param == NULL) { - TFE_LOG_INFO(enforcer->logger, "Failed to get intercept parameter of policy %lu.", rule_id); + TFE_LOG_INFO(enforcer->logger, "Failed to get intercept parameter of policy %s.", str_rule_id); continue; } @@ -284,27 +270,29 @@ int intercept_policy_select(struct intercept_policy_enforcer *enforcer, uint64_t if (param->action == 2) { is_hit_intercept_rule = 1; - max_intercept_rule_id = MAX(max_intercept_rule_id, rule_id); - TFE_LOG_INFO(enforcer->logger, "rule[%d/%d]: %lu is intercept.", i, rule_id_num, rule_id); + if (uuid_compare(max_intercept_rule_id, rule_id) < 0) + memcpy(max_intercept_rule_id, rule_id, UUID_LEN); + TFE_LOG_INFO(enforcer->logger, "rule[%d/%d]: %s is intercept.", i, rule_id_num, str_rule_id); } // not intercept else { is_hit_no_intercept_rule = 1; - max_no_intercept_rule_id = MAX(max_no_intercept_rule_id, rule_id); - TFE_LOG_INFO(enforcer->logger, "rule[%d/%d]: %lu is no intercept.", i, rule_id_num, rule_id); + if (uuid_compare(max_no_intercept_rule_id, rule_id) < 0) + memcpy(max_no_intercept_rule_id, rule_id, UUID_LEN); + TFE_LOG_INFO(enforcer->logger, "rule[%d/%d]: %s is no intercept.", i, rule_id_num, str_rule_id); } } if (is_hit_no_intercept_rule) { - *selected_rule_id = max_no_intercept_rule_id; + memcpy(selected_rule_id, max_no_intercept_rule_id, UUID_LEN); return 0; } if (is_hit_intercept_rule) { - *selected_rule_id = max_intercept_rule_id; + memcpy(selected_rule_id, max_intercept_rule_id, UUID_LEN); return 0; } @@ -318,26 +306,26 @@ int intercept_policy_enforce(struct intercept_policy_enforcer *enforcer, struct { int ret = 0; uint16_t size = 0; - uint64_t rule_id = 0; - char buff[16] = {0}; + uuid_t rule_id; + char str_rule_id[UUID_STR_LEN] = {0}; struct intercept_param *param = NULL; uint8_t hit_no_intercept = 0; int tcp_passthrough = 0; char reason_hit_no_intercept[] = "Hit No Intercept"; char reason_invalid_intercept_param[] = "Invalid Intercept Param"; - ret = tfe_cmsg_get_value(cmsg, TFE_CMSG_POLICY_ID, (unsigned char *)&rule_id, sizeof(rule_id), &size); + ret = tfe_cmsg_get_value(cmsg, TFE_CMSG_POLICY_ID, (unsigned char *)rule_id, UUID_LEN, &size); if (ret < 0) { TFE_LOG_ERROR(g_default_logger, "Failed at fetch intercept rule_id from cmsg: %s", strerror(-ret)); goto error_passthrough; } - snprintf(buff, sizeof(buff), "%lu", rule_id); - param = (struct intercept_param *)maat_plugin_table_get_ex_data(enforcer->maat, enforcer->table_id, buff, strlen(buff)); + uuid_unparse(rule_id, str_rule_id); + param = (struct intercept_param *)maat_plugin_table_get_ex_data(enforcer->maat, enforcer->table_name, str_rule_id, UUID_STR_LEN-1); if (param == NULL) { - TFE_LOG_INFO(enforcer->logger, "Failed to get intercept parameter of policy %lu.", rule_id); + TFE_LOG_INFO(enforcer->logger, "Failed to get intercept parameter of policy %s.", str_rule_id); goto error_passthrough; } diff --git a/common/src/tfe_ctrl_packet.cpp b/common/src/tfe_ctrl_packet.cpp index 509cc58..2941d81 100644 --- a/common/src/tfe_ctrl_packet.cpp +++ b/common/src/tfe_ctrl_packet.cpp @@ -59,15 +59,15 @@ enum { }; int tags_ids_cmsg_maps[] = { - [INDEX_SRC_IP_TAGS_IDS] = TFE_CMSG_SRC_IP_TAGS_IDS_STR, - [INDEX_DST_IP_TAGS_IDS] = TFE_CMSG_DST_IP_TAGS_IDS_STR, - [INDEX_FQDN_TAGS_IDS] = TFE_CMSG_FQDN_TAGS_IDS_STR, + [INDEX_SRC_IP_TAGS_IDS] = TFE_CMSG_SRC_IP_TAGS_IDS_ARR, + [INDEX_DST_IP_TAGS_IDS] = TFE_CMSG_DST_IP_TAGS_IDS_ARR, + [INDEX_FQDN_TAGS_IDS] = TFE_CMSG_FQDN_TAGS_IDS_ARR, }; const char *tags_ids_cmsg_name_maps[] = { - [INDEX_SRC_IP_TAGS_IDS] = "TFE_CMSG_SRC_IP_TAGS_IDS_STR", - [INDEX_DST_IP_TAGS_IDS] = "TFE_CMSG_DST_IP_TAGS_IDS_STR", - [INDEX_FQDN_TAGS_IDS] = "TFE_CMSG_FQDN_TAGS_IDS_STR", + [INDEX_SRC_IP_TAGS_IDS] = "TFE_CMSG_SRC_IP_TAGS_IDS_ARR", + [INDEX_DST_IP_TAGS_IDS] = "TFE_CMSG_DST_IP_TAGS_IDS_ARR", + [INDEX_FQDN_TAGS_IDS] = "TFE_CMSG_FQDN_TAGS_IDS_ARR", }; struct mpack_mmap_id2type @@ -118,6 +118,15 @@ struct mpack_mmap_id2type extern void * g_packet_io_logger; +static int mpack_parse_uuid(mpack_node_t node, uuid_t uuid) +{ + size_t len = mpack_node_bin_size(node); + if (len != UUID_LEN) + return -1; + memcpy(uuid, mpack_node_bin_data(node), len); + return 0; +} + static int sids_array_parse_mpack(struct ctrl_pkt_parser *handler, mpack_node_t node, int is_seq) { struct sids *sid = is_seq ? &handler->seq_sids : &handler->ack_sids; @@ -169,21 +178,23 @@ static int pkt_header_parse_mpack(struct ctrl_pkt_parser *handler, mpack_node_t static int tags_ids_array_parse_mpack(struct ctrl_pkt_parser *handler, mpack_node_t node, int map_index) { - uint64_t value = 0; - int tags_ids_len = 0; - char tags_ids_str[TAGS_IDS_STR_LEN] = {0}; - uint32_t array_cnt = mpack_node_array_length(node); if (!array_cnt) return 0; + int tags_ids_len = UUID_LEN*array_cnt; + uuid_t *tags_ids = (uuid_t *)calloc(tags_ids_len, 1); + for (uint32_t i = 0; i < array_cnt; i++) { - value = mpack_node_u64(mpack_node_array_at(node, i)); - tags_ids_len += snprintf(tags_ids_str+tags_ids_len, TAGS_IDS_STR_LEN-tags_ids_len, "%s%lu", i==0?"":",", value); + if (mpack_parse_uuid(mpack_node_array_at(node, i), tags_ids[i]) != 0) + { + TFE_LOG_ERROR(g_packet_io_logger, "%s: session %lu unexpected control packet: (%s[%d] len != uuid_t[%d])", LOG_TAG_CTRLPKT, handler->session_id, tags_ids_cmsg_name_maps[map_index], i, UUID_LEN); + return -1; + } } - tfe_cmsg_set(handler->cmsg, (enum tfe_cmsg_tlv_type)tags_ids_cmsg_maps[map_index], (const unsigned char*)tags_ids_str, tags_ids_len); + tfe_cmsg_set(handler->cmsg, (enum tfe_cmsg_tlv_type)tags_ids_cmsg_maps[map_index], (const unsigned char*)tags_ids, tags_ids_len); return 0; } @@ -336,8 +347,13 @@ static int proxy_parse_messagepack(mpack_node_t node, void *ctx, void *logger) return -1; } handler->tfe_policy_id_num = mpack_node_array_length(mpack_node_map_cstr(node, "rule_ids")); - for (int i = 0; i < handler->tfe_policy_id_num; i++) { - handler->tfe_policy_ids[i] = mpack_node_u64(mpack_node_array_at(mpack_node_map_cstr(node, "rule_ids"), i)); + for (int i = 0; i < handler->tfe_policy_id_num; i++) + { + if (mpack_parse_uuid(mpack_node_array_at(mpack_node_map_cstr(node, "rule_ids"), i), handler->tfe_policy_ids[i]) != 0) + { + TFE_LOG_ERROR(g_packet_io_logger, "%s: session %lu unexpected control packet: (proxy rule_ids[index:%d] len != uuid_t[16])", LOG_TAG_CTRLPKT, handler->session_id, i); + return -1; + } } mpack_node_t tcp_handshake = mpack_node_map_cstr(node, "tcp_handshake"); @@ -466,8 +482,13 @@ int ctrl_packet_parser_parse(void *ctx, const char* data, size_t length, void *l goto error; } handler->sce_policy_id_num = mpack_node_array_length(mpack_node_map_cstr(sce_map, "rule_ids")); - for (int i = 0; i < handler->sce_policy_id_num; i++) { - handler->sce_policy_ids[i] = mpack_node_u64(mpack_node_array_at(mpack_node_map_cstr(sce_map, "rule_ids"), i)); + for (int i = 0; i < handler->sce_policy_id_num; i++) + { + if (mpack_parse_uuid(mpack_node_array_at(mpack_node_map_cstr(sce_map, "rule_ids"), i), handler->sce_policy_ids[i]) != 0) + { + TFE_LOG_ERROR(logger, "%s: session %lu unexpected control packet: (sce rule_ids[index:%d] len != uuid_t[16])", LOG_TAG_CTRLPKT, handler->session_id, i); + goto error; + } } } @@ -545,7 +566,7 @@ void ctrl_packet_parser_dump(struct ctrl_pkt_parser *handler, void *logger) struct sids *sid = NULL; int map_index = 0; char *log_str = NULL; - char tags_ids_str[4096] = {0}; + uuid_t tags_ids_array[128]; int log_len = 0; log_str = (char *)calloc(1, LOG_STR_LEN); @@ -560,12 +581,16 @@ void ctrl_packet_parser_dump(struct ctrl_pkt_parser *handler, void *logger) log_len += snprintf(log_str + log_len, LOG_STR_LEN - log_len, ", tfe policy_id_num: %d, tfe policy_ids[", handler->tfe_policy_id_num); for (int i = 0; i < handler->tfe_policy_id_num; i++) { - log_len += snprintf(log_str + log_len, LOG_STR_LEN - log_len, "%03lu ", handler->tfe_policy_ids[i]); + char str_tfe_policy_ids[UUID_STR_LEN] = {0}; + uuid_unparse(handler->tfe_policy_ids[i], str_tfe_policy_ids); + log_len += snprintf(log_str + log_len, LOG_STR_LEN - log_len, "%s, ", str_tfe_policy_ids); } log_len += snprintf(log_str + log_len, LOG_STR_LEN - log_len, "], sce policy_id_num: %d, sce policy_ids[", handler->sce_policy_id_num); for (int i = 0; i < handler->sce_policy_id_num; i++) { - log_len += snprintf(log_str + log_len, LOG_STR_LEN - log_len, "%03lu ", handler->sce_policy_ids[i]); + char str_sce_policy_ids[UUID_STR_LEN] = {0}; + uuid_unparse(handler->sce_policy_ids[i], str_sce_policy_ids); + log_len += snprintf(log_str + log_len, LOG_STR_LEN - log_len, "%s, ", str_sce_policy_ids); } log_len += snprintf(log_str + log_len, LOG_STR_LEN - log_len, "]"); @@ -596,13 +621,17 @@ void ctrl_packet_parser_dump(struct ctrl_pkt_parser *handler, void *logger) else if (mpack_table[i].type == MPACK_ARRAY_FQDN_TAGS_IDS) map_index = INDEX_FQDN_TAGS_IDS; - memset(tags_ids_str, 0, sizeof(tags_ids_str)); - ret = tfe_cmsg_get_value(handler->cmsg, (enum tfe_cmsg_tlv_type)tags_ids_cmsg_maps[map_index], (unsigned char *)tags_ids_str, sizeof(tags_ids_str), &size); + memset(tags_ids_array, 0, sizeof(tags_ids_array)); + ret = tfe_cmsg_get_value(handler->cmsg, (enum tfe_cmsg_tlv_type)tags_ids_cmsg_maps[map_index], (unsigned char *)tags_ids_array, sizeof(tags_ids_array), &size); if (ret < 0) { log_len += snprintf(log_str + log_len, LOG_STR_LEN - log_len, ", %s:null", tags_ids_cmsg_name_maps[map_index]); break; } - log_len += snprintf(log_str + log_len, LOG_STR_LEN - log_len, ", %s:%s", tags_ids_cmsg_name_maps[map_index], tags_ids_str); + for (int i = 0; i < size/UUID_LEN; i++) { + char str_tags_ids[UUID_STR_LEN] = {0}; + uuid_unparse(tags_ids_array[i], str_tags_ids); + log_len += snprintf(log_str + log_len, LOG_STR_LEN - log_len, ", %s:%s", tags_ids_cmsg_name_maps[map_index], str_tags_ids); + } break; case MPACK_ARRAY_SEQ_ROUTE_CTX: case MPACK_ARRAY_ACK_ROUTE_CTX: diff --git a/common/src/tfe_fieldstat.cpp b/common/src/tfe_fieldstat.cpp index 03ecacc..beab100 100644 --- a/common/src/tfe_fieldstat.cpp +++ b/common/src/tfe_fieldstat.cpp @@ -1,5 +1,6 @@ #include <stdlib.h> #include <unistd.h> +#include <uuid/uuid.h> #include <tfe_fieldstat.h> #include "tfe_stream.h" @@ -41,13 +42,15 @@ int tfe_fieldstat_intercept_incrby(struct fieldstat_easy_intercept *metrics, voi return 0; } - uint64_t rule_id = 0; - ret = tfe_cmsg_get_value(cmsg, TFE_CMSG_POLICY_ID, (unsigned char *)&rule_id, sizeof(rule_id), &out_size); + uuid_t rule_id; + char str_rule_id[UUID_STR_LEN] = {0}; + ret = tfe_cmsg_get_value(cmsg, TFE_CMSG_POLICY_ID, (unsigned char *)rule_id, UUID_LEN, &out_size); if (ret != 0) { TFE_LOG_ERROR(g_default_logger, "failed at fetch rule_id from cmsg: %s", strerror(-ret)); return 0; } + uuid_unparse(rule_id, str_rule_id); uint8_t hit_no_intercept = 0; ret = tfe_cmsg_get_value(cmsg, TFE_CMSG_HIT_NO_INTERCEPT, (unsigned char *)&hit_no_intercept, sizeof(hit_no_intercept), &out_size); @@ -98,7 +101,7 @@ int tfe_fieldstat_intercept_incrby(struct fieldstat_easy_intercept *metrics, voi struct field tags[5] = {0}; FIELDSTAT_TAG_INIT(tags, nr_tags, "vsys_id", FIELD_VALUE_INTEGER, vsys_id); nr_tags++; - FIELDSTAT_TAG_INIT(tags, nr_tags, "rule_id", FIELD_VALUE_INTEGER, rule_id); + FIELDSTAT_TAG_STR(tags, nr_tags, "rule_uuid", FIELD_VALUE_CSTRING, str_rule_id); nr_tags++; uint8_t pinning_status = 0; if (tfe_cmsg_get_value(cmsg, TFE_CMSG_SSL_PINNING_STATE, (unsigned char *)&pinning_status, sizeof(pinning_status), &out_size) == 0) diff --git a/common/src/tfe_packet_io.cpp b/common/src/tfe_packet_io.cpp index 32e1250..2d02213 100644 --- a/common/src/tfe_packet_io.cpp +++ b/common/src/tfe_packet_io.cpp @@ -156,7 +156,7 @@ struct packet_identify extern int tcp_policy_enforce(struct tcp_policy_enforcer *tcp_enforcer, struct tfe_cmsg *cmsg); extern int tfe_proxy_fds_accept(struct tfe_proxy * ctx, int fd_downstream, int fd_upstream, int fd_fake_c, int fd_fake_s, struct tfe_cmsg * cmsg); -extern void chaining_policy_enforce(struct chaining_policy_enforcer *enforcer, struct tfe_cmsg *cmsg, uint64_t rule_id); +extern void chaining_policy_enforce(struct chaining_policy_enforcer *enforcer, struct tfe_cmsg *cmsg, uuid_t rule_id); /****************************************************************************** * dup packet filter @@ -821,7 +821,7 @@ static void send_event_log(struct session_ctx *s_ctx, int thread_seq, void *ctx) int ret = 0; int do_log = 0; uint8_t hit_no_intercept = 0; - uint64_t rule_id = 0; + uuid_t rule_id; uint16_t length = 0; uint8_t ssl_intercept_status = 0; uint64_t ssl_upstream_latency = 0; @@ -844,7 +844,7 @@ static void send_event_log(struct session_ctx *s_ctx, int thread_seq, void *ctx) ret = tfe_cmsg_get_value(s_ctx->cmsg, TFE_CMSG_POLICY_DO_LOG, (unsigned char *)&do_log, sizeof(do_log), &length); if (ret < 0 || do_log == 0) return; - ret = tfe_cmsg_get_value(s_ctx->cmsg, TFE_CMSG_POLICY_ID, (unsigned char *)&rule_id, sizeof(rule_id), &length); + ret = tfe_cmsg_get_value(s_ctx->cmsg, TFE_CMSG_POLICY_ID, (unsigned char *)rule_id, UUID_LEN, &length); if (ret < 0) return; ret = tfe_cmsg_get_value(s_ctx->cmsg, TFE_CMSG_HIT_NO_INTERCEPT, (unsigned char *)&hit_no_intercept, sizeof(hit_no_intercept), &length); @@ -881,7 +881,7 @@ static void send_event_log(struct session_ctx *s_ctx, int thread_seq, void *ctx) // proxy rule list mpack_build_array(&writer); - mpack_write_u64(&writer, rule_id); + mpack_write_bin(&writer, (const char*)rule_id, UUID_LEN); mpack_complete_array(&writer); tfe_cmsg_get_value(s_ctx->cmsg, TFE_CMSG_SSL_INTERCEPT_STATE, (unsigned char *)&ssl_intercept_status, sizeof(ssl_intercept_status), &length); @@ -1127,22 +1127,24 @@ static int handle_session_opening(struct metadata *meta, marsio_buff_t *rx_buff, packet_get_innermost_tuple4(&pkt, &inner_tuple4); tfe_cmsg_get_value(parser->cmsg, TFE_CMSG_TCP_RESTORE_PROTOCOL, (unsigned char *)&stream_protocol_in_char, sizeof(stream_protocol_in_char), &size); - uint64_t rule_id = 0; - ret = intercept_policy_select(thread->ref_proxy->int_ply_enforcer, parser->tfe_policy_ids, parser->tfe_policy_id_num, &rule_id); + uuid_t rule_id = {0}; + char str_rule_id[UUID_STR_LEN] = {0}; + ret = intercept_policy_select(thread->ref_proxy->int_ply_enforcer, parser->tfe_policy_ids, parser->tfe_policy_id_num, rule_id); + uuid_unparse(rule_id, str_rule_id); if (ret != 0) { is_passthrough = 1; set_passthrough_reason(parser->cmsg, reason_invalid_intercept_param); - tfe_dp_telemetry_on_ctrl_pkt(packet_io->instance, rx_buff, 0, meta->session_id, "active", "passthrough", "invalid intercept param"); + tfe_dp_telemetry_on_ctrl_pkt(packet_io->instance, rx_buff, str_rule_id, meta->session_id, "active", "passthrough", "invalid intercept param"); goto passthrough; } - tfe_cmsg_set(parser->cmsg, TFE_CMSG_POLICY_ID, (const unsigned char *)&rule_id, sizeof(uint64_t)); + tfe_cmsg_set(parser->cmsg, TFE_CMSG_POLICY_ID, (const unsigned char *)rule_id, UUID_LEN); ret = intercept_policy_enforce(thread->ref_proxy->int_ply_enforcer, parser->cmsg); if (ret != 0) { is_passthrough = 1; set_passthrough_reason(parser->cmsg, reason_invalid_intercept_param); - tfe_dp_telemetry_on_ctrl_pkt(packet_io->instance, rx_buff, rule_id, meta->session_id, "active", "passthrough", "invalid intercept param"); + tfe_dp_telemetry_on_ctrl_pkt(packet_io->instance, rx_buff, str_rule_id, meta->session_id, "active", "passthrough", "invalid intercept param"); goto passthrough; } @@ -1151,7 +1153,7 @@ static int handle_session_opening(struct metadata *meta, marsio_buff_t *rx_buff, is_passthrough = 1; __atomic_fetch_add(&packet_io_fs->hit_no_intercept_num, 1, __ATOMIC_RELAXED); set_passthrough_reason(parser->cmsg, reason_no_intercept_param); - tfe_dp_telemetry_on_ctrl_pkt(packet_io->instance, rx_buff, rule_id, meta->session_id, "active", "passthrough", "hit no intercept"); + tfe_dp_telemetry_on_ctrl_pkt(packet_io->instance, rx_buff, str_rule_id, meta->session_id, "active", "passthrough", "hit no intercept"); goto passthrough; } __atomic_fetch_add(&packet_io_fs->hit_intercept_num, 1, __ATOMIC_RELAXED); @@ -1162,7 +1164,7 @@ static int handle_session_opening(struct metadata *meta, marsio_buff_t *rx_buff, is_passthrough = 1; __atomic_fetch_add(&packet_io_fs->tcp_pcy_inval_num, 1, __ATOMIC_RELAXED); set_passthrough_reason(parser->cmsg, reason_invalid_tcp_policy_param); - tfe_dp_telemetry_on_ctrl_pkt(packet_io->instance, rx_buff, rule_id, meta->session_id, "active", "passthrough", "invalid tcp policy param"); + tfe_dp_telemetry_on_ctrl_pkt(packet_io->instance, rx_buff, str_rule_id, meta->session_id, "active", "passthrough", "invalid tcp policy param"); goto passthrough; } @@ -1177,7 +1179,7 @@ static int handle_session_opening(struct metadata *meta, marsio_buff_t *rx_buff, is_passthrough = 1; __atomic_fetch_add(&packet_io_fs->tcp_pcy_inval_num, 1, __ATOMIC_RELAXED); set_passthrough_reason(parser->cmsg, reason_invalid_tcp_policy_param); - tfe_dp_telemetry_on_ctrl_pkt(packet_io->instance, rx_buff, rule_id, meta->session_id, "active", "passthrough", "invalid tcp policy param"); + tfe_dp_telemetry_on_ctrl_pkt(packet_io->instance, rx_buff, str_rule_id, meta->session_id, "active", "passthrough", "invalid tcp policy param"); goto passthrough; } tcp_restore_info_dump(&restore_info, meta->session_id, logger); @@ -1189,7 +1191,7 @@ static int handle_session_opening(struct metadata *meta, marsio_buff_t *rx_buff, is_passthrough = 1; __atomic_fetch_add(&packet_io_fs->tcp_pcy_inval_num, 1, __ATOMIC_RELAXED); set_passthrough_reason(parser->cmsg, reason_invalid_tcp_policy_param); - tfe_dp_telemetry_on_ctrl_pkt(packet_io->instance, rx_buff, rule_id, meta->session_id, "active", "passthrough", "invalid tcp policy param"); + tfe_dp_telemetry_on_ctrl_pkt(packet_io->instance, rx_buff, str_rule_id, meta->session_id, "active", "passthrough", "invalid tcp policy param"); goto passthrough; } @@ -1201,7 +1203,7 @@ static int handle_session_opening(struct metadata *meta, marsio_buff_t *rx_buff, is_passthrough = 1; __atomic_fetch_add(&packet_io_fs->tcp_pcy_inval_num, 1, __ATOMIC_RELAXED); set_passthrough_reason(parser->cmsg, reason_invalid_tcp_policy_param); - tfe_dp_telemetry_on_ctrl_pkt(packet_io->instance, rx_buff, rule_id, meta->session_id, "active", "passthrough", "invalid tcp policy param"); + tfe_dp_telemetry_on_ctrl_pkt(packet_io->instance, rx_buff, str_rule_id, meta->session_id, "active", "passthrough", "invalid tcp policy param"); goto passthrough; } @@ -1219,7 +1221,7 @@ static int handle_session_opening(struct metadata *meta, marsio_buff_t *rx_buff, is_passthrough = 1; __atomic_fetch_add(&packet_io_fs->tcp_pcy_inval_num, 1, __ATOMIC_RELAXED); set_passthrough_reason(parser->cmsg, reason_invalid_tcp_policy_param); - tfe_dp_telemetry_on_ctrl_pkt(packet_io->instance, rx_buff, rule_id, meta->session_id, "active", "passthrough", "invalid tcp policy param"); + tfe_dp_telemetry_on_ctrl_pkt(packet_io->instance, rx_buff, str_rule_id, meta->session_id, "active", "passthrough", "invalid tcp policy param"); goto passthrough; } @@ -1230,7 +1232,7 @@ static int handle_session_opening(struct metadata *meta, marsio_buff_t *rx_buff, is_passthrough = 1; __atomic_fetch_add(&packet_io_fs->tcp_pcy_inval_num, 1, __ATOMIC_RELAXED); set_passthrough_reason(parser->cmsg, reason_invalid_tcp_policy_param); - tfe_dp_telemetry_on_ctrl_pkt(packet_io->instance, rx_buff, rule_id, meta->session_id, "active", "passthrough", "invalid tcp policy param"); + tfe_dp_telemetry_on_ctrl_pkt(packet_io->instance, rx_buff, str_rule_id, meta->session_id, "active", "passthrough", "invalid tcp policy param"); goto passthrough; } } @@ -1248,7 +1250,7 @@ static int handle_session_opening(struct metadata *meta, marsio_buff_t *rx_buff, is_passthrough = 1; __atomic_fetch_add(&packet_io_fs->tcp_pcy_inval_num, 1, __ATOMIC_RELAXED); set_passthrough_reason(parser->cmsg, reason_invalid_tcp_policy_param); - tfe_dp_telemetry_on_ctrl_pkt(packet_io->instance, rx_buff, rule_id, meta->session_id, "active", "passthrough", "invalid tcp policy param"); + tfe_dp_telemetry_on_ctrl_pkt(packet_io->instance, rx_buff, str_rule_id, meta->session_id, "active", "passthrough", "invalid tcp policy param"); goto passthrough; } __atomic_fetch_add(&packet_io_fs->can_intercept_num, 1, __ATOMIC_RELAXED); @@ -1258,11 +1260,11 @@ static int handle_session_opening(struct metadata *meta, marsio_buff_t *rx_buff, set_passthrough_reason(parser->cmsg, reason_underlying_stream_error); if (parser->intercpet_data & IS_SINGLE) { __atomic_fetch_add(&packet_io_fs->asymmetric_num, 1, __ATOMIC_RELAXED); - tfe_dp_telemetry_on_ctrl_pkt(packet_io->instance, rx_buff, rule_id, meta->session_id, "active", "passthrough", "asymmetric traffic"); + tfe_dp_telemetry_on_ctrl_pkt(packet_io->instance, rx_buff, str_rule_id, meta->session_id, "active", "passthrough", "asymmetric traffic"); } else if (parser->intercpet_data & IS_TUNNEL) { __atomic_fetch_add(&packet_io_fs->tunnel_num, 1, __ATOMIC_RELAXED); - tfe_dp_telemetry_on_ctrl_pkt(packet_io->instance, rx_buff, rule_id, meta->session_id, "active", "passthrough", "tunnel traffic"); + tfe_dp_telemetry_on_ctrl_pkt(packet_io->instance, rx_buff, str_rule_id, meta->session_id, "active", "passthrough", "tunnel traffic"); } } @@ -1275,7 +1277,7 @@ passthrough: s_ctx->session_id = meta->session_id; tuple4_tostring(&inner_tuple4, s_ctx->session_addr, sizeof(s_ctx->session_addr)); s_ctx->cmsg = parser->cmsg; - s_ctx->policy_ids = rule_id; + memcpy(s_ctx->policy_ids, rule_id, UUID_LEN); s_ctx->is_passthrough = is_passthrough; metadata_deep_copy(s_ctx->ctrl_meta, meta); sids_copy(&s_ctx->ctrl_meta->sids, &meta->sids); @@ -1306,7 +1308,7 @@ passthrough: sids_copy(&s_ctx->s2c_info.sids, &parser->ack_sids); route_ctx_copy(&s_ctx->s2c_info.route_ctx, &parser->ack_route_ctx); - TFE_LOG_INFO(logger, "%s: session %lu %s active first, hit rule %lu", LOG_TAG_PKTIO, s_ctx->session_id, s_ctx->session_addr, rule_id); + TFE_LOG_INFO(logger, "%s: session %lu %s active first, hit rule %s", LOG_TAG_PKTIO, s_ctx->session_id, s_ctx->session_addr, str_rule_id); session_table_insert(thread->session_table, s_ctx->session_id, &(s_ctx->c2s_info.tuple4), s_ctx, session_value_free_cb); ATOMIC_INC(&(packet_io_fs->session_num)); if (parser->seq_header) @@ -1316,7 +1318,7 @@ passthrough: if (is_passthrough == 0) { - tfe_dp_telemetry_on_ctrl_pkt(packet_io->instance, rx_buff, rule_id, meta->session_id, "active", "intercept", NULL); + tfe_dp_telemetry_on_ctrl_pkt(packet_io->instance, rx_buff, str_rule_id, meta->session_id, "active", "intercept", NULL); } return 0; } @@ -1344,6 +1346,7 @@ static int handle_session_closing(struct metadata *meta, marsio_buff_t *rx_buff, struct packet_io *packet_io = thread->ref_io; struct packet_io_fs *packet_io_fs = thread->ret_fs_state; void * logger = thread->logger; + char str_policy_id[UUID_STR_LEN] = {0}; struct session_node *node = session_table_search_by_id(thread->session_table, meta->session_id); if (node) @@ -1351,7 +1354,8 @@ static int handle_session_closing(struct metadata *meta, marsio_buff_t *rx_buff, struct session_ctx *s_ctx = (struct session_ctx *)node->val_data; tfe_fieldstat_intercept_incrby(thread->ref_acceptor_ctx->metrics, s_ctx, thread->thread_index); TFE_LOG_INFO(logger, "%s: session %lu closing", LOG_TAG_PKTIO, s_ctx->session_id); - tfe_dp_telemetry_on_ctrl_pkt(packet_io->instance, rx_buff, s_ctx->policy_ids, meta->session_id, "closing", NULL, NULL); + uuid_unparse(s_ctx->policy_ids, str_policy_id); + tfe_dp_telemetry_on_ctrl_pkt(packet_io->instance, rx_buff, str_policy_id, meta->session_id, "closing", NULL, NULL); session_table_delete_by_id(thread->session_table, meta->session_id); ATOMIC_DEC(&(packet_io_fs->session_num)); return 0; @@ -1369,9 +1373,10 @@ static int handle_session_resetall(struct metadata *meta, marsio_buff_t *rx_buff struct packet_io *packet_io = thread->ref_io; struct packet_io_fs *packet_io_fs = thread->ret_fs_state; void * logger = thread->logger; + char str_policy_id[UUID_STR_LEN] = {0}; TFE_LOG_ERROR(logger, "%s: session %lu resetall: notification clears all session tables !!!", LOG_TAG_PKTIO, meta->session_id); - tfe_dp_telemetry_on_ctrl_pkt(packet_io->instance, rx_buff, 0, meta->session_id, "resetall", NULL, NULL); + tfe_dp_telemetry_on_ctrl_pkt(packet_io->instance, rx_buff, str_policy_id, meta->session_id, "resetall", NULL, NULL); ATOMIC_ZERO(&(packet_io_fs->session_num)); for (int i = 0; i < acceptor_ctx->nr_worker_threads; i++) { @@ -1452,6 +1457,7 @@ static int handle_raw_packet_from_nf(struct packet_io *handle, marsio_buff_t *rx char *header = NULL; int header_len = 0; void * logger = thread->logger; + char str_policy_id[UUID_STR_LEN] = {0}; int raw_len = marsio_buff_datalen(rx_buff); char *raw_data = marsio_buff_mtod(rx_buff); @@ -1466,7 +1472,7 @@ static int handle_raw_packet_from_nf(struct packet_io *handle, marsio_buff_t *rx LOG_TAG_PKTIO, meta.session_id, meta.raw_len, meta.is_e2i_dir, meta.is_ctrl_pkt, meta.l7offset, meta.is_decrypted, meta.sids.num); throughput_metrics_inc(&packet_io_fs->raw_pkt_rx, 1, raw_len); throughput_metrics_inc(&packet_io_fs->raw_bypass, 1, raw_len); - tfe_dp_on_raw_pkt(packet_io->instance, rx_buff, 0, "raw", "passthrough", "miss metadata"); + tfe_dp_on_raw_pkt(packet_io->instance, rx_buff, str_policy_id, "raw", "passthrough", "miss metadata"); marsio_send_burst(handle->dev_nf_interface.mr_path, thread_seq, &rx_buff, 1); return -1; } @@ -1478,7 +1484,7 @@ static int handle_raw_packet_from_nf(struct packet_io *handle, marsio_buff_t *rx throughput_metrics_inc(&packet_io_fs->raw_pkt_rx, 1, raw_len); throughput_metrics_inc(&packet_io_fs->raw_bypass, 1, raw_len); throughput_metrics_inc(&packet_io_fs->dup_bypass, 1, raw_len); - tfe_dp_on_raw_pkt(packet_io->instance, rx_buff, 0, "duplicated", "passthrough", NULL); + tfe_dp_on_raw_pkt(packet_io->instance, rx_buff, str_policy_id, "duplicated", "passthrough", NULL); marsio_send_burst(handle->dev_nf_interface.mr_path, thread_seq, &rx_buff, 1); return -1; } @@ -1501,12 +1507,13 @@ static int handle_raw_packet_from_nf(struct packet_io *handle, marsio_buff_t *rx tuple4_tostring(&inner_addr, buffer, sizeof(buffer)); TFE_LOG_ERROR(logger, "packet from nf %lu: %s (ipid: %u) miss session table", meta.session_id, buffer, ipid); } - tfe_dp_on_raw_pkt(packet_io->instance, rx_buff, 0, "decrypted", "passthrough", "miss session"); + tfe_dp_on_raw_pkt(packet_io->instance, rx_buff, str_policy_id, "decrypted", "passthrough", "miss session"); marsio_send_burst(handle->dev_nf_interface.mr_path, thread_seq, &rx_buff, 1); return -1; } struct session_ctx *s_ctx = (struct session_ctx *)node->val_data; + uuid_unparse(s_ctx->policy_ids, str_policy_id); if (s_ctx->is_passthrough > 0) { throughput_metrics_inc(&packet_io_fs->raw_pkt_rx, 1, raw_len); @@ -1525,14 +1532,14 @@ static int handle_raw_packet_from_nf(struct packet_io *handle, marsio_buff_t *rx send_event_log(s_ctx, thread_seq, ctx); tfe_cmsg_set_flag(s_ctx->cmsg, TFE_CMSG_FLAG_INIT); } - tfe_dp_on_raw_pkt(packet_io->instance, rx_buff, s_ctx->policy_ids, "decrypted", "passthrough", NULL); + tfe_dp_on_raw_pkt(packet_io->instance, rx_buff, str_policy_id, "decrypted", "passthrough", NULL); marsio_send_burst(handle->dev_nf_interface.mr_path, thread_seq, &rx_buff, 1); return 0; } if (meta.is_decrypted) { - tfe_dp_on_raw_pkt(packet_io->instance, rx_buff, s_ctx->policy_ids, "decrypted", "intercept", NULL); + tfe_dp_on_raw_pkt(packet_io->instance, rx_buff, str_policy_id, "decrypted", "intercept", NULL); throughput_metrics_inc(&packet_io_fs->decrypt_rx, 1, raw_len); if (memcmp(&inner_addr, &s_ctx->c2s_info.tuple4, sizeof(struct tuple4)) == 0) { add_ether_header(raw_data, packet_io->config.tap_c_mac, packet_io->config.tap_s_mac); @@ -1557,7 +1564,7 @@ static int handle_raw_packet_from_nf(struct packet_io *handle, marsio_buff_t *rx } else { - tfe_dp_on_raw_pkt(packet_io->instance, rx_buff, s_ctx->policy_ids, "raw", "intercept", NULL); + tfe_dp_on_raw_pkt(packet_io->instance, rx_buff, str_policy_id, "raw", "intercept", NULL); throughput_metrics_inc(&packet_io_fs->raw_pkt_rx, 1, raw_len); if (memcmp(&inner_addr, &s_ctx->c2s_info.tuple4, sizeof(struct tuple4)) == 0) { s_ctx->c2s_info.sids = meta.sids; diff --git a/common/src/tfe_scan.cpp b/common/src/tfe_scan.cpp index aa292bc..8191630 100644 --- a/common/src/tfe_scan.cpp +++ b/common/src/tfe_scan.cpp @@ -152,22 +152,22 @@ int tfe_get_library_tags(const struct tfe_stream *stream, cJSON *common_obj, tfe struct library_tag_ctx *library_tag =(struct library_tag_ctx *)maat_plugin_table_get_ex_data(tfe_get_maat_handle(), tfe_bussiness_tableid_get(PXY_CTRL_LIBRARY_TAG), (const char *)&tag_id_array[i], sizeof(long long)); if(library_tag != NULL) { - if(library_tag->category == CATEGORY_TYPE_ASN && tlv_type == TFE_CMSG_SRC_IP_TAGS_IDS_STR && atol(library_tag->tag_value) > 0) + if(library_tag->category == CATEGORY_TYPE_ASN && tlv_type == TFE_CMSG_SRC_IP_TAGS_IDS_ARR && atol(library_tag->tag_value) > 0) { cJSON_AddNumberToObject(common_obj, "client_asn", atol(library_tag->tag_value)); } - if(library_tag->category == CATEGORY_TYPE_CONTRY_CODE && tlv_type== TFE_CMSG_SRC_IP_TAGS_IDS_STR) + if(library_tag->category == CATEGORY_TYPE_CONTRY_CODE && tlv_type== TFE_CMSG_SRC_IP_TAGS_IDS_ARR) { cJSON_AddStringToObject(common_obj, "client_country", library_tag->tag_value); } - if(library_tag->category == CATEGORY_TYPE_ASN && tlv_type == TFE_CMSG_DST_IP_TAGS_IDS_STR && atol(library_tag->tag_value) > 0) + if(library_tag->category == CATEGORY_TYPE_ASN && tlv_type == TFE_CMSG_DST_IP_TAGS_IDS_ARR && atol(library_tag->tag_value) > 0) { cJSON_AddNumberToObject(common_obj, "server_asn", atol(library_tag->tag_value)); } - if(library_tag->category == CATEGORY_TYPE_CONTRY_CODE && tlv_type== TFE_CMSG_DST_IP_TAGS_IDS_STR) + if(library_tag->category == CATEGORY_TYPE_CONTRY_CODE && tlv_type== TFE_CMSG_DST_IP_TAGS_IDS_ARR) { cJSON_AddStringToObject(common_obj, "server_country", library_tag->tag_value); } @@ -190,7 +190,7 @@ int tfe_scan_ip_tags(const struct tfe_stream *stream, long long *result, struct int scan_ret = 0, hit_cnt_ip = 0, n_tag_ids = 0; char opt_val[128]={0}; - n_tag_ids = tfe_get_entry_tags(stream, (enum tfe_cmsg_tlv_type)TFE_CMSG_SRC_IP_TAGS_IDS_STR, opt_val, tag_id_array); + n_tag_ids = tfe_get_entry_tags(stream, (enum tfe_cmsg_tlv_type)TFE_CMSG_SRC_IP_TAGS_IDS_ARR, opt_val, tag_id_array); if(n_tag_ids == 0) { return hit_cnt_ip; @@ -224,7 +224,7 @@ int tfe_scan_ip_tags(const struct tfe_stream *stream, long long *result, struct memset(opt_val, 0, sizeof(opt_val)); memset(tag_id_array, 0, sizeof(tag_id_array)); - n_tag_ids = tfe_get_entry_tags(stream, (enum tfe_cmsg_tlv_type)TFE_CMSG_DST_IP_TAGS_IDS_STR, opt_val, tag_id_array); + n_tag_ids = tfe_get_entry_tags(stream, (enum tfe_cmsg_tlv_type)TFE_CMSG_DST_IP_TAGS_IDS_ARR, opt_val, tag_id_array); if(n_tag_ids == 0) { return hit_cnt_ip; @@ -261,7 +261,7 @@ int tfe_scan_fqdn_tags(const struct tfe_stream *stream, long long *result, struc long long tag_id_array[128]={0}; int scan_ret = 0, hit_cnt_fqdn = 0, n_tag_ids = 0; - n_tag_ids = tfe_get_entry_tags(stream, (enum tfe_cmsg_tlv_type)TFE_CMSG_FQDN_TAGS_IDS_STR, opt_val, tag_id_array); + n_tag_ids = tfe_get_entry_tags(stream, (enum tfe_cmsg_tlv_type)TFE_CMSG_FQDN_TAGS_IDS_ARR, opt_val, tag_id_array); if(n_tag_ids == 0) { return hit_cnt_fqdn; diff --git a/common/test/CMakeLists.txt b/common/test/CMakeLists.txt index 26fcd2d..b0a65aa 100644 --- a/common/test/CMakeLists.txt +++ b/common/test/CMakeLists.txt @@ -29,6 +29,7 @@ target_link_libraries(gtest_session_table common gtest) add_executable(gtest_mpack test_mpack.cpp) target_include_directories(gtest_mpack PUBLIC ${CMAKE_SOURCE_DIR}/common/include) target_link_libraries(gtest_mpack common gtest) +target_link_libraries(gtest_mpack common uuid) ############################################################################### # gtest_discover_tests diff --git a/common/test/test_mpack.cpp b/common/test/test_mpack.cpp index 3146d6d..addbc33 100644 --- a/common/test/test_mpack.cpp +++ b/common/test/test_mpack.cpp @@ -1,5 +1,6 @@ #include <gtest/gtest.h> #include <arpa/inet.h> +#include <uuid/uuid.h> #include "mpack.h" #include "tfe_cmsg.h" @@ -38,8 +39,6 @@ void build_mpack_data(char **data, size_t *size) char src_imei[256] = "25762917001364"; char src_phone_number[256] = "623335886431"; char src_apn[256] = "www.lytest.com"; - uint64_t dst_ip_tags_ids[] = {324119, 18446744073709551615ULL, 324137, 324129}; - uint64_t fqdn_tags_ids[] = {324109, 324105, 18446744073709551615ULL, 324137, 324129}; uint8_t ja3_fingerprint[32] = {0}; uint16_t seq_sid[] = {1000, 1001, 1002, 1003}; uint16_t ack_sid[] = {1003, 1002, 1001, 1000}; @@ -48,6 +47,8 @@ void build_mpack_data(char **data, size_t *size) uint8_t seq_header[] = {0x00, 0x10, 0x20, 0x30, 0x40, 0x50, 0x60, 0x70}; uint8_t ack_header[] = {0x80, 0x90, 0xA0, 0xB0, 0xC0, 0xD0, 0xE0, 0xF0}; uint8_t tfe_flag = 0; + uuid_t uuid; + char str_uuid[UUID_STR_LEN] = {0}; mpack_writer_init_growable(&writer, data, size); mpack_build_map(&writer); @@ -72,7 +73,12 @@ void build_mpack_data(char **data, size_t *size) mpack_build_map(&writer); mpack_write_cstr(&writer, "rule_ids"); mpack_build_array(&writer); - mpack_write_u64(&writer, 1); + for (int i = 0; i < 2; i++) { + uuid_generate(uuid); + uuid_unparse(uuid, str_uuid); + printf("sce rule id:%s\n", str_uuid); + mpack_write_bin(&writer, (const char*)uuid, sizeof(uuid)); + } mpack_complete_array(&writer); mpack_complete_map(&writer); @@ -80,7 +86,12 @@ void build_mpack_data(char **data, size_t *size) mpack_build_map(&writer); mpack_write_cstr(&writer, "rule_ids"); mpack_build_array(&writer); - mpack_write_u64(&writer, 3); + for (int i = 0; i < 2; i++) { + uuid_generate(uuid); + uuid_unparse(uuid, str_uuid); + printf("proxy rule id:%s\n", str_uuid); + mpack_write_bin(&writer, (const char*)uuid, sizeof(uuid)); + } mpack_complete_array(&writer); mpack_write_cstr(&writer, "tcp_handshake"); @@ -112,17 +123,29 @@ void build_mpack_data(char **data, size_t *size) mpack_write_str(&writer, (const char*)src_apn, strlen(src_apn)); mpack_build_array(&writer); + for (int i = 0; i < 3; i++) { + uuid_generate(uuid); + uuid_unparse(uuid, str_uuid); + printf("src ip tags uuid:%s\n", str_uuid); + mpack_write_bin(&writer, (const char*)uuid, sizeof(uuid)); + } mpack_complete_array(&writer); mpack_build_array(&writer); - for (size_t i = 0; i < sizeof(dst_ip_tags_ids)/sizeof(dst_ip_tags_ids[0]); i++) { - mpack_write_u64(&writer, dst_ip_tags_ids[i]); + for (int i = 0; i < 4; i++) { + uuid_generate(uuid); + uuid_unparse(uuid, str_uuid); + printf("dst ip tags uuid:%s\n", str_uuid); + mpack_write_bin(&writer, (const char*)uuid, sizeof(uuid)); } mpack_complete_array(&writer); mpack_build_array(&writer); - for (size_t i = 0; i < sizeof(fqdn_tags_ids)/sizeof(fqdn_tags_ids[0]); i++) { - mpack_write_u64(&writer, fqdn_tags_ids[i]); + for (int i = 0; i < 5; i++) { + uuid_generate(uuid); + uuid_unparse(uuid, str_uuid); + printf("fqdn ip tags uuid:%s\n", str_uuid); + mpack_write_bin(&writer, (const char*)uuid, sizeof(uuid)); } mpack_complete_array(&writer); diff --git a/plugin/business/chaining-policy/src/chaining_policy.cpp b/plugin/business/chaining-policy/src/chaining_policy.cpp index 1e10910..86ffd68 100644 --- a/plugin/business/chaining-policy/src/chaining_policy.cpp +++ b/plugin/business/chaining-policy/src/chaining_policy.cpp @@ -17,7 +17,7 @@ enum traffic_type struct chaining_param { - uint64_t rule_id; + uuid_t rule_id; int ref_cnt; enum traffic_type type; }; @@ -25,42 +25,42 @@ struct chaining_param struct chaining_policy_enforcer { struct maat *maat; - int table_id; + char table_name[32]; void *logger; }; -static void chaining_param_new_cb(const char *table_name, int table_id, const char *key, const char *table_line, void **ad, long argl, void *argp) +static void chaining_param_new_cb(const char *table_name, const char *key, const char *table_line, void **ad, long argl, void *argp) { - cJSON *json = NULL; - cJSON *item = NULL; + cJSON * json_root = NULL; + cJSON * json_subroot = NULL; + cJSON * item = NULL; size_t user_region_offset = 0; size_t user_region_len = 0; struct chaining_param *param = NULL; struct chaining_policy_enforcer *enforcer = (struct chaining_policy_enforcer *)argp; - if (maat_helper_read_column(table_line, 7, &user_region_offset, &user_region_len) < 0) + json_root = cJSON_Parse(table_line); + if (unlikely(!json_root)) { - TFE_LOG_ERROR(enforcer->logger, "unexpected chaining rule: (invalid user region) %s", table_line); - return; + TFE_LOG_ERROR(enforcer->logger, "Invalid chaining profile: %s", table_line); + goto error_out; } - char *json_str = (char *)calloc(user_region_len + 1, sizeof(char)); - memcpy(json_str, table_line + user_region_offset, user_region_len); - json = cJSON_Parse(json_str); - if (json == NULL) + json_subroot = cJSON_GetObjectItem(json_root, "USER_REGION"); + if (unlikely(!json_subroot)) { - TFE_LOG_ERROR(enforcer->logger, "unexpected chaining rule: (invalid json format) %s", table_line); + TFE_LOG_ERROR(enforcer->logger, "Invalid chaining rule: %s (invalid USER_REGION format) %s.", key, table_line); goto error_out; } param = (struct chaining_param *)calloc(1, sizeof(struct chaining_param)); - param->rule_id = atoll(key); param->ref_cnt = 1; + uuid_parse(key, param->rule_id); - item = cJSON_GetObjectItem(json, "targeted_traffic"); + item = cJSON_GetObjectItem(json_subroot, "targeted_traffic"); if (!item || !cJSON_IsString(item)) { - TFE_LOG_ERROR(enforcer->logger, "unexpected chaining rule: (invalid targeted_traffic param) %s", table_line); + TFE_LOG_ERROR(enforcer->logger, "Invalid chaining rule: %s (invalid targeted_traffic format) %s.", key, table_line); goto error_out; } if (strcasecmp(item->valuestring, "raw") == 0) @@ -73,30 +73,21 @@ static void chaining_param_new_cb(const char *table_name, int table_id, const ch } else { - TFE_LOG_ERROR(enforcer->logger, "unexpected chaining rule: (invalid targeted_traffic param) %s", table_line); + TFE_LOG_ERROR(enforcer->logger, "Invalid chaining rule: %s (invalid targeted_traffic format) %s", key, table_line); goto error_out; } *ad = param; - TFE_LOG_INFO(enforcer->logger, "Add chaining rule: %lu", param->rule_id); - - cJSON_Delete(json); - free(json_str); + TFE_LOG_INFO(enforcer->logger, "Add chaining rule: %s", key); + cJSON_Delete(json_root); return; error_out: - if (json) - { - cJSON_Delete(json); - json = NULL; - } - - if (json_str) + if (json_root) { - free(json_str); - json_str = NULL; + cJSON_Delete(json_root); + json_root = NULL; } - if (param) { free(param); @@ -104,8 +95,9 @@ error_out: } } -static void chaining_param_free_cb(int table_id, void **ad, long argl, void *argp) +static void chaining_param_free_cb(const char *table_name, void **ad, long argl, void *argp) { + char str_rule_id[UUID_STR_LEN] = {0}; struct chaining_policy_enforcer *enforcer = (struct chaining_policy_enforcer *)argp; struct chaining_param *param = (struct chaining_param *)*ad; if (param == NULL) @@ -115,7 +107,8 @@ static void chaining_param_free_cb(int table_id, void **ad, long argl, void *arg if ((__sync_sub_and_fetch(¶m->ref_cnt, 1) == 0)) { - TFE_LOG_INFO(enforcer->logger, "Del chaining policy %lu", param->rule_id); + uuid_unparse(param->rule_id, str_rule_id); + TFE_LOG_INFO(enforcer->logger, "Del chaining policy %s", str_rule_id); free(param); *ad = NULL; } @@ -126,7 +119,7 @@ static void chaining_param_free(struct chaining_param *param) chaining_param_free_cb(0, (void **)¶m, 0, NULL); } -static void chaining_param_dup_cb(int table_id, void **to, void **from, long argl, void *argp) +static void chaining_param_dup_cb(const char *table_name, void **to, void **from, long argl, void *argp) { struct chaining_param *param = (struct chaining_param *)*from; if (param) @@ -146,14 +139,9 @@ struct chaining_policy_enforcer *chaining_policy_enforcer_create(void *logger) struct chaining_policy_enforcer *enforcer = ALLOC(struct chaining_policy_enforcer, 1); enforcer->maat = tfe_get_maat_handle(); enforcer->logger = logger; - enforcer->table_id = maat_get_table_id(enforcer->maat, "SERVICE_CHAINING_COMPILE"); - if (enforcer->table_id < 0) - { - TFE_LOG_ERROR(enforcer->logger, "failed at register table of SERVICE_CHAINING_COMPILE, ret = %d", enforcer->table_id); - goto error_out; - } + snprintf(enforcer->table_name, sizeof(enforcer->table_name), "SERVICE_CHAINING_COMPILE"); - ret = maat_plugin_table_ex_schema_register(enforcer->maat, "SERVICE_CHAINING_COMPILE", + ret = maat_plugin_table_ex_schema_register(enforcer->maat, enforcer->table_name, chaining_param_new_cb, chaining_param_free_cb, chaining_param_dup_cb, @@ -179,10 +167,10 @@ void chaining_policy_enforcer_destory(struct chaining_policy_enforcer *enforcer) } } -void chaining_policy_enforce(struct chaining_policy_enforcer *enforcer, struct tfe_cmsg *cmsg, uint64_t rule_id) +void chaining_policy_enforce(struct chaining_policy_enforcer *enforcer, struct tfe_cmsg *cmsg, uuid_t rule_id) { uint16_t size = 0; - char rule_id_str[16] = {0}; + char str_rule_id[UUID_STR_LEN] = {0}; uint8_t enalbe_decrypted_traffic_steering = 0; tfe_cmsg_get_value(cmsg, TFE_CMSG_TCP_DECRYPTED_TRAFFIC_STEERING, (unsigned char *)&enalbe_decrypted_traffic_steering, sizeof(enalbe_decrypted_traffic_steering), &size); @@ -191,11 +179,11 @@ void chaining_policy_enforce(struct chaining_policy_enforcer *enforcer, struct t return; } - snprintf(rule_id_str, sizeof(rule_id_str), "%lu", rule_id); - struct chaining_param *param = (struct chaining_param *)maat_plugin_table_get_ex_data(enforcer->maat, enforcer->table_id, rule_id_str, strlen(rule_id_str)); + uuid_unparse(rule_id, str_rule_id); + struct chaining_param *param = (struct chaining_param *)maat_plugin_table_get_ex_data(enforcer->maat, enforcer->table_name, str_rule_id, UUID_STR_LEN-1); if (param == NULL) { - TFE_LOG_INFO(enforcer->logger, "Failed to get chaining parameter of policy %lu.", rule_id); + TFE_LOG_INFO(enforcer->logger, "Failed to get chaining parameter of policy %s.", str_rule_id); return; } diff --git a/plugin/business/chaining-policy/src/chaining_policy.h b/plugin/business/chaining-policy/src/chaining_policy.h index 0fcbe81..e7fa485 100644 --- a/plugin/business/chaining-policy/src/chaining_policy.h +++ b/plugin/business/chaining-policy/src/chaining_policy.h @@ -5,4 +5,4 @@ struct chaining_policy_enforcer; struct chaining_policy_enforcer *chaining_policy_enforcer_create(void *logger); void chaining_policy_enforcer_destory(struct chaining_policy_enforcer *enforcer); -void chaining_policy_enforce(struct chaining_policy_enforcer *enforcer, struct tfe_cmsg *cmsg, uint64_t rule_id);
\ No newline at end of file +void chaining_policy_enforce(struct chaining_policy_enforcer *enforcer, struct tfe_cmsg *cmsg, uuid_t rule_id);
\ No newline at end of file diff --git a/plugin/business/doh/src/logger.cpp b/plugin/business/doh/src/logger.cpp index 8eca5bf..ae0ddf5 100644 --- a/plugin/business/doh/src/logger.cpp +++ b/plugin/business/doh/src/logger.cpp @@ -386,9 +386,9 @@ int doh_send_log(struct doh_conf *handle, const struct tfe_http_session *http, c doh_get_integer_by_cmsg(common_obj, cmsg, TFE_CMSG_COMMON_DIRECTION, "direction"); } - tfe_get_library_tags(stream, common_obj, TFE_CMSG_SRC_IP_TAGS_IDS_STR, "client_ip_tags"); - tfe_get_library_tags(stream, common_obj, TFE_CMSG_DST_IP_TAGS_IDS_STR, "server_ip_tags"); - tfe_get_library_tags(stream, common_obj, TFE_CMSG_FQDN_TAGS_IDS_STR, "server_fqdn_tags"); + tfe_get_library_tags(stream, common_obj, TFE_CMSG_SRC_IP_TAGS_IDS_ARR, "client_ip_tags"); + tfe_get_library_tags(stream, common_obj, TFE_CMSG_DST_IP_TAGS_IDS_ARR, "server_ip_tags"); + tfe_get_library_tags(stream, common_obj, TFE_CMSG_FQDN_TAGS_IDS_ARR, "server_fqdn_tags"); if (http->req) { diff --git a/plugin/business/tcp-policy/src/tcp_policy.cpp b/plugin/business/tcp-policy/src/tcp_policy.cpp index bba0297..26e54a2 100644 --- a/plugin/business/tcp-policy/src/tcp_policy.cpp +++ b/plugin/business/tcp-policy/src/tcp_policy.cpp @@ -10,7 +10,7 @@ struct tcp_policy_enforcer { struct maat *maat; - int table_id; + char table_name[32]; void *logger; }; @@ -37,19 +37,11 @@ struct tcp_profile_param struct side_conn_param server_side; }; -static int parser_side_conn_param(const char *json_str, struct side_conn_param *out_val, void *logger) +static int parser_side_conn_param(cJSON * json, struct side_conn_param *out_val, void *logger) { - cJSON *json = NULL; cJSON *object = NULL; cJSON *item = NULL; - json = cJSON_Parse(json_str); - if (json == NULL) - { - TFE_LOG_ERROR(logger, "Invalid tcp option param %s", json_str); - return -1; - } - object = cJSON_GetObjectItem(json, "tcp_maxseg"); if (object) { @@ -126,20 +118,16 @@ static int parser_side_conn_param(const char *json_str, struct side_conn_param * return 0; } -static void profile_param_new_cb(const char *table_name, int table_id, const char *key, const char *table_line, void **ad, long argl, void *argp) +static void profile_param_new_cb(const char *table_name, const char *key, const char *table_line, void **ad, long argl, void *argp) { - int ret = 0; - int profile_id = 0; - int tcp_passthrough = 0; - int bypass_duplicated_packet = 0; - char client_side_conn_param[512] = {0}; - char server_side_conn_param[512] = {0}; - int is_valid = 0; + cJSON * json_root = NULL; + cJSON * json_subroot = NULL; + cJSON * item = NULL; struct tcp_profile_param *param = NULL; struct tcp_policy_enforcer *enforcer = (struct tcp_policy_enforcer *)argp; - ret = sscanf(table_line, "%d\t%d\t%d\t%s\t%s\t%d", &profile_id, &tcp_passthrough, &bypass_duplicated_packet, client_side_conn_param, server_side_conn_param, &is_valid); - if (ret != 6) + json_root = cJSON_Parse(table_line); + if (unlikely(!json_root)) { TFE_LOG_ERROR(enforcer->logger, "Invalid tcp option profile: %s", table_line); goto error_out; @@ -147,21 +135,48 @@ static void profile_param_new_cb(const char *table_name, int table_id, const cha param = ALLOC(struct tcp_profile_param, 1); param->ref_cnt = 1; - param->tcp_passthrough = tcp_passthrough; - param->bypass_duplicated_packet = bypass_duplicated_packet; - if (parser_side_conn_param(client_side_conn_param, ¶m->client_side, enforcer->logger) == -1) + item = cJSON_GetObjectItem(json_root, "tcp_passthrough"); + if (unlikely(!item || !cJSON_IsNumber(item))) { + TFE_LOG_ERROR(enforcer->logger, "Invalid tcp option parameter: %s invalid tcp_passthrough format.", key); goto error_out; } + param->tcp_passthrough = item->valueint; - if (parser_side_conn_param(server_side_conn_param, ¶m->server_side, enforcer->logger) == -1) + item = cJSON_GetObjectItem(json_root, "bypass_duplicated_packet"); + if (unlikely(!item || !cJSON_IsNumber(item))) + { + TFE_LOG_ERROR(enforcer->logger, "Invalid tcp option parameter: %s invalid bypass_duplicated_packet format.", key); + goto error_out; + } + param->bypass_duplicated_packet = item->valueint; + + json_subroot = cJSON_GetObjectItem(json_root, "client_side_conn_param"); + if (unlikely(!json_subroot)) + { + TFE_LOG_ERROR(enforcer->logger, "Invalid tcp option parameter: %s invalid client_side_conn_param format.", key); + goto error_out; + } + if (parser_side_conn_param(json_subroot, ¶m->client_side, enforcer->logger) == -1) + { + goto error_out; + } + + json_subroot = cJSON_GetObjectItem(json_root, "server_side_conn_param"); + if (unlikely(!json_subroot)) + { + TFE_LOG_ERROR(enforcer->logger, "Invalid tcp option parameter: %s invalid server_side_conn_param format.", key); + goto error_out; + } + if (parser_side_conn_param(json_subroot, ¶m->server_side, enforcer->logger) == -1) { goto error_out; } *ad = param; TFE_LOG_INFO(enforcer->logger, "Add tcp option profile: %s", key); + cJSON_Delete(json_root); return; error_out: @@ -169,9 +184,13 @@ error_out: { free(param); } + if (json_root) + { + cJSON_Delete(json_root); + } } -static void profile_param_free_cb(int table_id, void **ad, long argl, void *argp) +static void profile_param_free_cb(const char *table_name, void **ad, long argl, void *argp) { struct tcp_profile_param *param = (struct tcp_profile_param *)*ad; if (param == NULL) @@ -186,7 +205,7 @@ static void profile_param_free_cb(int table_id, void **ad, long argl, void *argp } } -static void profile_param_dup_cb(int table_id, void **to, void **from, long argl, void *argp) +static void profile_param_dup_cb(const char *table_name, void **to, void **from, long argl, void *argp) { struct tcp_profile_param *param = (struct tcp_profile_param *)*from; if (param) @@ -211,14 +230,9 @@ struct tcp_policy_enforcer *tcp_policy_enforcer_create(void *logger) struct tcp_policy_enforcer *enforcer = ALLOC(struct tcp_policy_enforcer, 1); enforcer->maat = tfe_get_maat_handle(); enforcer->logger = logger; - enforcer->table_id = maat_get_table_id(enforcer->maat, "PXY_PROFILE_TCP_OPTION"); - if (enforcer->table_id < 0) - { - TFE_LOG_ERROR(enforcer->logger, "failed at register table of PXY_PROFILE_TCP_OPTION, ret = %d", enforcer->table_id); - goto error_out; - } + snprintf(enforcer->table_name, sizeof(enforcer->table_name), "PXY_PROFILE_TCP_OPTION"); - ret = maat_plugin_table_ex_schema_register(enforcer->maat, "PXY_PROFILE_TCP_OPTION", + ret = maat_plugin_table_ex_schema_register(enforcer->maat, enforcer->table_name, profile_param_new_cb, profile_param_free_cb, profile_param_dup_cb, @@ -261,7 +275,7 @@ int tcp_policy_enforce(struct tcp_policy_enforcer *tcp_enforcer, struct tfe_cmsg } snprintf(buffer, sizeof(buffer), "%d", profile_id); - struct tcp_profile_param *param = (struct tcp_profile_param *)maat_plugin_table_get_ex_data(tcp_enforcer->maat, tcp_enforcer->table_id, buffer, strlen(buffer)); + struct tcp_profile_param *param = (struct tcp_profile_param *)maat_plugin_table_get_ex_data(tcp_enforcer->maat, tcp_enforcer->table_name, buffer, strlen(buffer)); if (param == NULL) { TFE_LOG_INFO(tcp_enforcer->logger, "Failed to get tcp option parameter of profile %d.", profile_id); diff --git a/plugin/business/tsg-http/src/tsg_logger.cpp b/plugin/business/tsg-http/src/tsg_logger.cpp index 6aa0c4d..e79b80c 100644 --- a/plugin/business/tsg-http/src/tsg_logger.cpp +++ b/plugin/business/tsg-http/src/tsg_logger.cpp @@ -257,9 +257,9 @@ int proxy_send_log(struct proxy_logger* handle, const struct proxy_log* log_msg) tfe_get_integer_by_cmsg(common_obj, cmsg, TFE_CMSG_COMMON_DIRECTION, "direction"); } - tfe_get_library_tags(log_msg->stream, common_obj, TFE_CMSG_SRC_IP_TAGS_IDS_STR, "client_ip_tags"); - tfe_get_library_tags(log_msg->stream, common_obj, TFE_CMSG_DST_IP_TAGS_IDS_STR, "server_ip_tags"); - tfe_get_library_tags(log_msg->stream, common_obj, TFE_CMSG_FQDN_TAGS_IDS_STR, "server_fqdn_tags"); + tfe_get_library_tags(log_msg->stream, common_obj, TFE_CMSG_SRC_IP_TAGS_IDS_ARR, "client_ip_tags"); + tfe_get_library_tags(log_msg->stream, common_obj, TFE_CMSG_DST_IP_TAGS_IDS_ARR, "server_ip_tags"); + tfe_get_library_tags(log_msg->stream, common_obj, TFE_CMSG_FQDN_TAGS_IDS_ARR, "server_fqdn_tags"); if (http->req) { |