| author | luwenpeng <[email protected]> | 2023-04-17 18:26:33 +0800 |
|---|---|---|
| committer | luwenpeng <[email protected]> | 2023-04-21 18:31:36 +0800 |
| commit | f421e4df5403f977603ab22950f83baa7fc3cffd (patch) | |
| tree | 17ac5bb058e9cfcae9c4887bc4fdac4867458192 /platform | |
| parent | f741c3c025c91da2803246a8213fd5fe2d069a50 (diff) | |
TSG-14789 TFE扫描service chaining策略,执行Decrypted Traffic Steering
Diffstat (limited to 'platform')
| -rw-r--r-- | platform/CMakeLists.txt | 4 | ||||
| -rw-r--r-- | platform/include/internal/proxy.h | 1 | ||||
| -rw-r--r-- | platform/src/acceptor_kni_v3.cpp | 9 | ||||
| -rw-r--r-- | platform/src/proxy.cpp | 10 |
4 files changed, 20 insertions, 4 deletions
diff --git a/platform/CMakeLists.txt b/platform/CMakeLists.txt
index 6622586..d0c2b17 100644
--- a/platform/CMakeLists.txt
+++ b/platform/CMakeLists.txt
@@ -52,6 +52,10 @@ if(ENABLE_PLUGIN_TCP_POLICY)
 target_link_libraries(tfe -Wl,--whole-archive tcp-policy -Wl,--no-whole-archive)
 endif()
 
+if(ENABLE_PLUGIN_CHAINING_POLICY)
+ target_link_libraries(tfe -Wl,--whole-archive chaining-policy -Wl,--no-whole-archive)
+endif()
+
 if(ENABLE_PLUGIN_TRAFFIC_MIRROR)
 target_link_libraries(tfe -Wl,--whole-archive traffic-mirror -Wl,--no-whole-archive)
 endif()
diff --git a/platform/include/internal/proxy.h b/platform/include/internal/proxy.h
index f45ba11..3e6c442 100644
--- a/platform/include/internal/proxy.h
+++ b/platform/include/internal/proxy.h
@@ -132,6 +132,7 @@ struct tfe_proxy
 struct ssl_mgr * ssl_mgr_handler;
 struct tcp_policy_enforcer *tcp_ply_enforcer;
 struct ssl_policy_enforcer *ssl_ply_enforcer;
+ struct chaining_policy_enforcer *chain_ply_enforcer;
 struct key_keeper * key_keeper_handler;
 
 unsigned int en_kni_v1_acceptor;
diff --git a/platform/src/acceptor_kni_v3.cpp b/platform/src/acceptor_kni_v3.cpp
index 004c2e8..b923f93 100644
--- a/platform/src/acceptor_kni_v3.cpp
+++ b/platform/src/acceptor_kni_v3.cpp
@@ -19,6 +19,7 @@
 #define TCP_RESTORE_TCPOPT_KIND 88
 
 extern void tcp_policy_enforce(struct tcp_policy_enforcer *enforcer, struct tfe_cmsg *cmsg, uint64_t rule_id);
+extern void chaining_policy_enforce(struct chaining_policy_enforcer *enforcer, struct tfe_cmsg *cmsg, uint64_t rule_id);
 
 struct acceptor_kni_v3
 {
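Review bot: The new `if(ENABLE_PLUGIN_CHAINING_POLICY)` block links chaining-policy only when the option is on, while proxy.cpp and acceptor_kni_v3.cpp in this same commit call `chaining_policy_enforcer_create` and `chaining_policy_enforce` unconditionally through bare `extern` declarations. Unless a no-op implementation is provided for the option-off build, those references fail to link; tcp-policy follows the same conditional pattern, so such a stub may already be the project's convention, but it is not visible from here. If no stub exists, the callers need an `#ifdef`/no-op fallback, and a short comment above the block such as `# chaining-policy is required: platform/src calls its entry points unconditionally` would at least make the constraint visible.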
@@ -601,8 +602,10 @@ static int payload_handler_cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, s
 struct pkt_info pktinfo;
 struct tcp_restore_info restore_info;
 uint8_t stream_protocol_in_char = 0;
+ uint8_t enalbe_decrypted_traffic_steering = 0;
 uint16_t size = 0;
 uint64_t rule_id = 0;
+ uint64_t chaining_rule_id = 0; // only use for acceptv4
 struct acceptor_kni_v3 *__ctx = (struct acceptor_kni_v3 *)data;
 clock_gettime(CLOCK_MONOTONIC, &(__ctx->start));
 memset(&pktinfo, 0, sizeof(pktinfo));
@@ -720,6 +723,7 @@ static int payload_handler_cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, s
 goto end;
 }
 
 tcp_policy_enforce(__ctx->proxy->tcp_ply_enforcer, cmsg, rule_id);
+ chaining_policy_enforce(__ctx->proxy->chain_ply_enforcer, cmsg, chaining_rule_id);
 if (overwrite_tcp_mss(cmsg, &restore_info))
 {
@@ -745,9 +749,12 @@ static int payload_handler_cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, s
 }
 
 tfe_cmsg_get_value(cmsg, TFE_CMSG_TCP_RESTORE_PROTOCOL, (unsigned char *)&stream_protocol_in_char, sizeof(stream_protocol_in_char), &size);
+ tfe_cmsg_get_value(cmsg, TFE_CMSG_TCP_DECRYPTED_TRAFFIC_STEERING, (unsigned char *)&enalbe_decrypted_traffic_steering, sizeof(enalbe_decrypted_traffic_steering), &size);
+
 if (steering_device_is_available() && (
 (STREAM_PROTO_PLAIN == (enum tfe_stream_proto)stream_protocol_in_char && __ctx->proxy->traffic_steering_options.enable_steering_http) ||
- (STREAM_PROTO_SSL == (enum tfe_stream_proto)stream_protocol_in_char && __ctx->proxy->traffic_steering_options.enable_steering_ssl)))
+ (STREAM_PROTO_SSL == (enum tfe_stream_proto)stream_protocol_in_char && __ctx->proxy->traffic_steering_options.enable_steering_ssl) ||
+ enalbe_decrypted_traffic_steering == 1))
 {
 if (fake_tcp_handshake(__ctx->proxy, &restore_info) == -1)
 {
diff --git a/platform/src/proxy.cpp b/platform/src/proxy.cpp
index 575bbbb..0e3e8df 100644
--- a/platform/src/proxy.cpp
+++ b/platform/src/proxy.cpp
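Review bot: `chaining_rule_id` is initialised to 0 in this hunk and never assigned in any hunk of this commit before being passed to `chaining_policy_enforce` in the next hunk, so from this callback the enforcer always receives rule id 0. If that is the intended behaviour for the v3 acceptor, the comment `// only use for acceptv4` should say so, e.g. `// always 0 here: chaining rule ids are only resolved on the acceptv4 path`; if not, the assignment is missing. The new local `enalbe_decrypted_traffic_steering` (also used in the last hunk of this file) is misspelled; `enable_decrypted_traffic_steering` keeps it searchable against the `TFE_CMSG_TCP_DECRYPTED_TRAFFIC_STEERING` key it mirrors. payload_handler_cb starts before this hunk and ends after it.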
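Review bot: The added `tfe_cmsg_get_value(cmsg, TFE_CMSG_TCP_DECRYPTED_TRAFFIC_STEERING, ...)` discards its return value, as the `TFE_CMSG_TCP_RESTORE_PROTOCOL` lookup above it already does, so an absent or mis-sized entry is indistinguishable from "no decrypted steering requested". The outcome is fail-closed only because the flag is zero-initialised and the new condition tests `== 1`; that reliance deserves a comment such as `/* missing key leaves the flag 0, i.e. no decrypted-traffic steering */`, and if the function reports lookup failure (its return type is not visible here) the result should reset the flag on error. Also worth a comment on the condition: a flag value of 1 now sends the flow through `fake_tcp_handshake` regardless of `enable_steering_http`/`enable_steering_ssl`, so the per-flow chaining decision overrides the global protocol toggles while `steering_device_is_available()` still gates it. payload_handler_cb continues outside the hunk.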
@@ -58,10 +58,11 @@
 /* Systemd */
 #include <systemd/sd-daemon.h>
 
-extern struct ssl_policy_enforcer* ssl_policy_enforcer_create(void* logger);
-extern enum ssl_stream_action ssl_policy_enforce(struct ssl_stream *upstream, void* u_para);
-
 extern struct tcp_policy_enforcer *tcp_policy_enforcer_create(void *logger);
+extern struct chaining_policy_enforcer *chaining_policy_enforcer_create(void *logger);
+extern struct ssl_policy_enforcer *ssl_policy_enforcer_create(void *logger);
+extern enum ssl_stream_action ssl_policy_enforce(struct ssl_stream *upstream, void *u_para);
+
 static int signals[] = {SIGHUP, SIGPIPE, SIGUSR1, SIGUSR2};
 
 /* Global Resource */
@@ -703,6 +704,9 @@ int main(int argc, char * argv[])
 g_default_proxy->ssl_ply_enforcer = ssl_policy_enforcer_create(g_default_logger);
 CHECK_OR_EXIT(g_default_proxy->ssl_ply_enforcer == NULL, "Failed at creating ssl policy enforcer. Exit.");
 
+ g_default_proxy->chain_ply_enforcer = chaining_policy_enforcer_create(g_default_logger);
+ CHECK_OR_EXIT(g_default_proxy->chain_ply_enforcer == NULL, "Failed at creating chaining policy enforcer. Exit.");
+
 ssl_manager_set_new_upstream_cb(g_default_proxy->ssl_mgr_handler, ssl_policy_enforce, g_default_proxy->ssl_ply_enforcer);
 ret = tfe_proxy_work_thread_run(g_default_proxy);
 CHECK_OR_EXIT(ret == 0, "Failed at creating thread. Exit.");
|
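Review bot: The new `CHECK_OR_EXIT(g_default_proxy->chain_ply_enforcer == NULL, ...)` copies the polarity of the `ssl_ply_enforcer` check above it, but the context line `CHECK_OR_EXIT(ret == 0, "Failed at creating thread. Exit.");` two lines below uses the opposite polarity, so unless the macro does something unusual one of the two existing uses is not exiting on failure. The macro's definition is outside this hunk; please confirm the new line really aborts when `chaining_policy_enforcer_create` returns NULL, because otherwise `chaining_policy_enforce` in acceptor_kni_v3.cpp is handed a NULL enforcer on every accepted connection. The created enforcer also gets no teardown in this commit; if the tcp/ssl enforcers are released at shutdown, `chain_ply_enforcer` should be released alongside them. main() starts and ends outside the hunk.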
