authorfengweihao <[email protected]>2023-03-30 19:39:18 +0800
committerfengweihao <[email protected]>2023-03-30 19:39:18 +0800
commitdf39fcda9032d028354f9d4f2dbe0009da6b09c7 (patch)
treee2ac1093b1bd04ec2e3e78ef66c65b44e41e42f8 /plugin/business/doh
parenta2a4c323848e4cc4eef29c065377d31577d92c77 (diff)
TSG-14484 Pxoxy支持Maat4
Diffstat (limited to 'plugin/business/doh')
-rw-r--r--plugin/business/doh/src/doh.cpp199
-rw-r--r--plugin/business/doh/src/logger.cpp6
-rw-r--r--plugin/business/doh/src/pub.h22
3 files changed, 159 insertions, 68 deletions
diff --git a/plugin/business/doh/src/doh.cpp b/plugin/business/doh/src/doh.cpp
index 8c2b1a0..d7e89b0 100644
--- a/plugin/business/doh/src/doh.cpp
+++ b/plugin/business/doh/src/doh.cpp
@@ -1,5 +1,6 @@
#include "logger.h"
#include <tfe_scan.h>
+#include <MESA/stream.h>
extern void increase_redirect_policy_hit_num(void);
@@ -99,21 +100,78 @@ static cJSON *doh_get_answer_records(struct doh_ctx *ctx, cJSON *object, int qty
return NULL;
}
-static void doh_get_cheat_data(Maat_rule_t *p_result, int qtype, struct doh_ctx *ctx, const char *str_stream_info)
+struct doh_action_param
+{
+ int ref_cnt;
+ int action;
+ char *message;
+ char *position;
+ float enforcement_ratio;
+ int vsys_id;
+ int profile_id;
+ int status_code;
+ size_t n_rule;
+ void *repl_rule;
+ size_t e_rule;
+ void *elem_rule;
+ struct doh_maat_rule_t hit_rule;
+ pthread_mutex_t lock;
+};
+
+void doh_action_param_free_cb(int table_id, void **ad, long argl, void *argp)
+{
+ if(*ad==NULL)
+ {
+ return;
+ }
+ struct doh_action_param* param=(struct doh_action_param*)*ad;
+ pthread_mutex_lock(&(param->lock));
+ param->ref_cnt--;
+ if(param->ref_cnt>0)
+ {
+ pthread_mutex_unlock(&(param->lock));
+ return;
+ }
+ pthread_mutex_unlock(&(param->lock));
+ pthread_mutex_destroy(&(param->lock));
+
+ if(param->hit_rule.srv_def_large)
+ FREE(&(param->hit_rule.srv_def_large))
+
+ FREE(&(param));
+ return;
+}
+
+static void doh_get_cheat_data(long long p_result, int qtype, struct doh_ctx *ctx, const char *str_stream_info)
{
int i;
int answer_size = 0;
- char *tmp = NULL;
cJSON *items = NULL;
cJSON *item = NULL;
cJSON *object = NULL;
cJSON *answer_array = NULL;
+ int table_id=0;
- tmp = (char *)calloc(1, p_result->serv_def_len + 1);
- Maat_read_rule(g_doh_conf->maat, p_result, MAAT_RULE_SERV_DEFINE, tmp, p_result->serv_def_len);
- TFE_LOG_INFO(g_doh_conf->local_logger, "%s hit %d %s", str_stream_info, p_result->config_id, tmp);
+ table_id=maat_get_table_id(g_doh_conf->maat, "PXY_CTRL_COMPILE");
+ if(table_id < 0)
+ {
+ return;
+ }
+ struct doh_action_param *get_ex_param=(struct doh_action_param *)maat_plugin_table_get_ex_data(g_doh_conf->maat, table_id, (const char *)&p_result);
+ if(get_ex_param==NULL)
+ {
+ return;
+ }
- object = cJSON_Parse(tmp);
+ struct doh_maat_rule_t *hit_rule = &(get_ex_param->hit_rule);
+ if(hit_rule==NULL || hit_rule->srv_def_large==NULL)
+ {
+ goto end;
+ }
+ memcpy(ctx->result, hit_rule, sizeof(struct doh_maat_rule_t));
+ TFE_LOG_INFO(g_doh_conf->local_logger, "%s hit %lld %s", str_stream_info, p_result, hit_rule->srv_def_large);
+
+ object = cJSON_Parse(hit_rule->srv_def_large);
if (object == NULL)
{
goto end;
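Review bot: doh_action_param_free_cb releases the object through the local copy `param` but leaves `*ad` pointing at the freed block, because `FREE(&(param))` only nulls the local; add `*ad = NULL;` after it so neither the table slot nor a caller such as the one at the end of doh_get_cheat_data can reach freed memory. Separately, `memcpy(ctx->result, hit_rule, sizeof(struct doh_maat_rule_t));` shallow-copies `srv_def_large`, so ctx->result shares a buffer owned by the ref-counted param that the next hunk releases; if that release drops the last reference, a later reader such as doh_send_log in logger.cpp sees a dangling pointer — whether that can happen depends on how maat_plugin_table_get_ex_data manages ref_cnt, which is not visible here. The test `hit_rule==NULL` is always false, since hit_rule is the address of a member of a pointer already checked for NULL. doh_get_cheat_data starts inside this hunk and continues past it.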
@@ -176,30 +234,28 @@ end:
cJSON_Delete(object);
object = NULL;
}
-
- if (tmp)
+ if(get_ex_param)
{
- free(tmp);
- tmp = NULL;
+ doh_action_param_free_cb(0, (void**)&get_ex_param, 0, NULL);
}
}
-static struct Maat_rule_t *doh_fetch_rule(Maat_rule_t *result, int result_num)
+static long long doh_fetch_rule(long long *result, int result_num)
{
int i = 0;
- Maat_rule_t *p_result = NULL;
+ long long p_result = 0;
for (i = 0; i < result_num && i < MAX_SCAN_RESULT; i++)
{
- if (p_result == NULL)
+ if (p_result == 0)
{
- p_result = &result[i];
+ p_result = result[i];
continue;
}
- if (result[i].config_id > p_result->config_id)
+ if (result[i] > p_result)
{
- p_result = &result[i];
+ p_result = result[i];
}
}
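Review bot: doh_fetch_rule uses 0 as the "no rule" sentinel (`long long p_result = 0;` and `if (p_result == 0)`), so a hit whose id is 0 can never be selected and the caller's `if (p_result != 0)` cannot tell "no rule" from rule 0; if Maat can return id 0, seed from `result[0]` and start the loop at 1 instead. The previous code compared `config_id` fields, so this is only a concern if the raw ids returned by maat_scan_* include 0. The function's return statement is outside the hunk.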
@@ -211,23 +267,24 @@ static void doh_maat_scan(const struct tfe_stream *stream, const struct tfe_http
int hit_cnt = 0;
int scan_ret = 0;
int app_id = 8006;
+ size_t n_hit_result;
struct ipaddr sapp_addr;
- struct Maat_rule_t *p_result = NULL;
- struct Maat_rule_t result[MAX_SCAN_RESULT];
+ long long p_result = 0;
+ long long result[MAX_SCAN_RESULT];
- scan_ret = tfe_scan_subscribe_id(stream, result, &(ctx->scan_mid), hit_cnt, ctx->thread_id, g_doh_conf->local_logger);
+ scan_ret = tfe_scan_subscribe_id(stream, result, ctx->scan_mid, hit_cnt, g_doh_conf->local_logger);
if (scan_ret > 0)
{
hit_cnt += scan_ret;
}
- scan_ret = tfe_scan_ip_location(stream, result, &(ctx->scan_mid), hit_cnt, ctx->thread_id, g_doh_conf->local_logger, &(ctx->location_server), &(ctx->location_client));
+ scan_ret = tfe_scan_ip_location(stream, result, ctx->scan_mid, hit_cnt, g_doh_conf->local_logger, &(ctx->location_server), &(ctx->location_client));
if (scan_ret > 0)
{
hit_cnt += scan_ret;
}
- scan_ret = tfe_scan_ip_asn(stream, result, &(ctx->scan_mid), hit_cnt, ctx->thread_id, g_doh_conf->local_logger, &(ctx->asn_server), &(ctx->asn_client));
+ scan_ret = tfe_scan_ip_asn(stream, result, ctx->scan_mid, hit_cnt, g_doh_conf->local_logger, &(ctx->asn_server), &(ctx->asn_client));
if (scan_ret > 0)
{
hit_cnt += scan_ret;
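Review bot: `size_t n_hit_result;` is declared without an initializer and is read in the address-scan hunk below (`if (n_hit_result == MAAT_SCAN_HIT)`) with no visible guarantee that maat_scan_ipv4 writes it on a miss; declare it as `size_t n_hit_result = 0;` so no path reads an indeterminate count. The tfe_scan_* calls here now take `ctx->scan_mid` by value, so a NULL state created elsewhere is passed straight through; that is a separate lifetime point raised at the doh_ctx_new and doh_process_req hunks. doh_maat_scan's signature and the rest of its body lie outside this hunk.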
@@ -237,13 +294,13 @@ static void doh_maat_scan(const struct tfe_stream *stream, const struct tfe_http
const char *host = session->req->req_spec.host;
if (host)
{
- scan_ret = Maat_full_scan_string(g_doh_conf->maat, g_doh_conf->tables[TYPE_HOST].id, CHARSET_UTF8,
- host, strlen(host), result + hit_cnt, NULL, MAX_SCAN_RESULT - hit_cnt, &(ctx->scan_mid), ctx->thread_id);
- if (scan_ret > 0)
+ scan_ret = maat_scan_string(g_doh_conf->maat, g_doh_conf->tables[TYPE_HOST].id,host, strlen(host),
+ result + hit_cnt, MAX_SCAN_RESULT - hit_cnt, &n_hit_result, ctx->scan_mid);
+ if (scan_ret == MAAT_SCAN_HIT)
{
- TFE_LOG_INFO(g_doh_conf->local_logger, "Scan %s, Hit host: %s scan ret: %d policy_id: %d service: %d action: %d addr: %s",
- g_doh_conf->tables[TYPE_HOST].name, host, scan_ret, result[hit_cnt].config_id, result[hit_cnt].service_id, result[hit_cnt].action, stream->str_stream_info);
- hit_cnt += scan_ret;
+ TFE_LOG_INFO(g_doh_conf->local_logger, "Scan %s, Hit host: %s scan ret: %d policy_id: %lld addr: %s",
+ g_doh_conf->tables[TYPE_HOST].name, host, scan_ret, result[hit_cnt], stream->str_stream_info);
+ hit_cnt += n_hit_result;
}
else
{
@@ -251,7 +308,7 @@ static void doh_maat_scan(const struct tfe_stream *stream, const struct tfe_http
g_doh_conf->tables[TYPE_HOST].name, host, scan_ret, stream->str_stream_info);
}
- scan_ret = tfe_scan_fqdn_cat(stream, result, &(ctx->scan_mid), hit_cnt, ctx->thread_id, g_doh_conf->local_logger, g_doh_conf->tables[TYPE_HOST].id);
+ scan_ret = tfe_scan_fqdn_cat(stream, result, ctx->scan_mid, hit_cnt, g_doh_conf->local_logger, g_doh_conf->tables[TYPE_HOST_CAT].id);
if( scan_ret > 0)
{
hit_cnt += scan_ret;
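Review bot: `hit_cnt += n_hit_result;` silently adds a size_t into the int hit_cnt, and the same pattern repeats in the address, app-id and qname hunks; keeping the count in one type, or narrowing explicitly with `hit_cnt += (int)n_hit_result;`, makes the intent visible under -Wconversion. The else branch now treats any `scan_ret` other than MAAT_SCAN_HIT as "NO hit", so a negative error return from maat_scan_string is logged as a miss rather than an error; if the API distinguishes them, log the error code separately.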
@@ -260,27 +317,48 @@ static void doh_maat_scan(const struct tfe_stream *stream, const struct tfe_http
// scan addr
doh_addr_tfe2sapp(stream->addr, &sapp_addr);
- scan_ret = Maat_scan_proto_addr(g_doh_conf->maat, g_doh_conf->tables[TYPE_ADDR].id, &sapp_addr,
- 0, result + hit_cnt, MAX_SCAN_RESULT - hit_cnt, &(ctx->scan_mid), ctx->thread_id);
- if (scan_ret > 0)
+ if (sapp_addr.addrtype == ADDR_TYPE_IPV4)
{
- TFE_LOG_INFO(g_doh_conf->local_logger, "Scan %s, Hit addr: %s scan ret: %d policy_id: %d service: %d action: %d",
- g_doh_conf->tables[TYPE_ADDR].name, stream->str_stream_info, scan_ret, result[hit_cnt].config_id, result[hit_cnt].service_id, result[hit_cnt].action);
- hit_cnt += scan_ret;
+ scan_ret = maat_scan_ipv4(g_doh_conf->maat, g_doh_conf->tables[TYPE_SRC_ADDR].id,sapp_addr.v4->saddr,
+ sapp_addr.v4->source, 0, result+hit_cnt, MAX_SCAN_RESULT-hit_cnt,
+ &n_hit_result, ctx->scan_mid);
+ if (n_hit_result == MAAT_SCAN_HIT)
+ {
+ hit_cnt += n_hit_result;
+ }
+ scan_ret = maat_scan_ipv4(g_doh_conf->maat, g_doh_conf->tables[TYPE_DST_ADDR].id,sapp_addr.v4->daddr,
+ sapp_addr.v4->dest, 0, result+hit_cnt, MAX_SCAN_RESULT-hit_cnt,
+ &n_hit_result, ctx->scan_mid);
+
+ if(scan_ret == MAAT_SCAN_HIT)
+ {
+ hit_cnt += n_hit_result;
+ }
}
- else
+ if (sapp_addr.addrtype == ADDR_TYPE_IPV6)
{
- TFE_LOG_INFO(g_doh_conf->local_logger, "Scan %s, NO hit addr: %s scan ret: %d",
- g_doh_conf->tables[TYPE_ADDR].name, stream->str_stream_info, scan_ret);
- }
-
+ scan_ret = maat_scan_ipv6(g_doh_conf->maat, g_doh_conf->tables[TYPE_SRC_ADDR].id, sapp_addr.v6->saddr,
+ sapp_addr.v6->source, 0, result+hit_cnt, MAX_SCAN_RESULT-hit_cnt,
+ &n_hit_result, ctx->scan_mid);
+ if (scan_ret == MAAT_SCAN_HIT)
+ {
+ hit_cnt += n_hit_result;
+ }
+ scan_ret = maat_scan_ipv6(g_doh_conf->maat,g_doh_conf->tables[TYPE_DST_ADDR].id, sapp_addr.v6->daddr,
+ sapp_addr.v6->dest, 0, result+hit_cnt, MAX_SCAN_RESULT-hit_cnt,
+ &n_hit_result, ctx->scan_mid);
+ if (scan_ret == MAAT_SCAN_HIT)
+ {
+ hit_cnt += n_hit_result;
+ }
+ }
// scan appid
- scan_ret=Maat_scan_intval(g_doh_conf->maat, g_doh_conf->tables[TYPE_APPID].id, app_id, result + hit_cnt, MAX_SCAN_RESULT - hit_cnt, &(ctx->scan_mid), ctx->thread_id);
- if (scan_ret > 0)
+ scan_ret=maat_scan_integer(g_doh_conf->maat, g_doh_conf->tables[TYPE_APPID].id, app_id, result + hit_cnt, MAX_SCAN_RESULT - hit_cnt, &n_hit_result, ctx->scan_mid);
+ if (scan_ret == MAAT_SCAN_HIT)
{
- TFE_LOG_INFO(g_doh_conf->local_logger, "Scan %s, Hit proto: %d scan ret: %d policy_id: %d service: %d action: %d addr: %s",
- g_doh_conf->tables[TYPE_APPID].name, app_id, scan_ret, result[hit_cnt].config_id, result[hit_cnt].service_id, result[hit_cnt].action, stream->str_stream_info);
- hit_cnt += scan_ret;
+ TFE_LOG_INFO(g_doh_conf->local_logger, "Scan %s, Hit proto: %d scan ret: %d policy_id: %lld addr: %s",
+ g_doh_conf->tables[TYPE_APPID].name, app_id, scan_ret, result[hit_cnt], stream->str_stream_info);
+ hit_cnt += n_hit_result;
}
else
{
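Review bot: The IPv4 source-address branch tests the wrong variable: `if (n_hit_result == MAAT_SCAN_HIT)` compares the hit count with the status code, while the three sibling branches test `scan_ret`; change it to `if (scan_ret == MAAT_SCAN_HIT)`. As written a source-address hit is counted only when the number of hits happens to equal the numeric value of MAAT_SCAN_HIT, and on a miss it reads n_hit_result, which maat_scan_ipv4 may not have written. An address whose type is neither ADDR_TYPE_IPV4 nor ADDR_TYPE_IPV6 now skips both scans without any log line, unlike the app-id and qname paths that still log a no-hit; the old "NO hit addr" message was dropped with no replacement.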
@@ -289,13 +367,13 @@ static void doh_maat_scan(const struct tfe_stream *stream, const struct tfe_http
}
// scan qname
- scan_ret = Maat_full_scan_string(g_doh_conf->maat, g_doh_conf->tables[TYPE_QNAME].id, CHARSET_UTF8,
- qname, strlen(qname), result + hit_cnt, NULL, MAX_SCAN_RESULT - hit_cnt, &(ctx->scan_mid), ctx->thread_id);
- if (scan_ret > 0)
+ scan_ret = maat_scan_string(g_doh_conf->maat, g_doh_conf->tables[TYPE_QNAME].id, qname, strlen(qname),
+ result + hit_cnt, MAX_SCAN_RESULT - hit_cnt, &n_hit_result, ctx->scan_mid);
+ if (scan_ret == MAAT_SCAN_HIT)
{
- TFE_LOG_INFO(g_doh_conf->local_logger, "Scan %s, Hit domain: %s scan ret: %d qtype: %d policy_id: %d service: %d action: %d addr: %s",
- g_doh_conf->tables[TYPE_QNAME].name, qname, scan_ret, qtype, result[hit_cnt].config_id, result[hit_cnt].service_id, result[hit_cnt].action, stream->str_stream_info);
- hit_cnt += scan_ret;
+ TFE_LOG_INFO(g_doh_conf->local_logger, "Scan %s, Hit domain: %s scan ret: %d qtype: %d policy_id: %lld addr: %s",
+ g_doh_conf->tables[TYPE_QNAME].name, qname, scan_ret, qtype, result[hit_cnt], stream->str_stream_info);
+ hit_cnt += n_hit_result;
}
else
{
@@ -306,11 +384,10 @@ static void doh_maat_scan(const struct tfe_stream *stream, const struct tfe_http
if (hit_cnt)
{
p_result = doh_fetch_rule(result, hit_cnt);
- if (p_result)
+ if (p_result != 0)
{
ctx->result_num = 1;
- ctx->result = ALLOC(struct Maat_rule_t, ctx->result_num);
- memcpy(ctx->result, p_result, sizeof(struct Maat_rule_t));
+ ctx->result = ALLOC(struct doh_maat_rule_t, ctx->result_num);
doh_get_cheat_data(p_result, qtype, ctx, stream->str_stream_info);
}
}
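Review bot: `ctx->result` is allocated with `ctx->result_num = 1` but is only filled inside doh_get_cheat_data, which returns early without touching it when the table lookup, the ex-data fetch or srv_def_large fails; doh_send_log in logger.cpp then reads one doh_maat_rule_t that was never populated (whether ALLOC zeroes it is not visible here). The removed memcpy used to fill it before the call, so either have doh_get_cheat_data report failure and reset `ctx->result_num = 0;` on that path, or set `ctx->result->config_id = p_result;` before the call so the record at least carries the hit id. The enclosing if block continues outside the hunk.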
@@ -318,18 +395,20 @@ static void doh_maat_scan(const struct tfe_stream *stream, const struct tfe_http
static int doh_maat_init(const char *profile, const char *section)
{
- g_doh_conf->maat = (Maat_feather_t)tfe_bussiness_resouce_get(STATIC_MAAT);
+ g_doh_conf->maat = (struct maat *)tfe_bussiness_resouce_get(STATIC_MAAT);
MESA_load_profile_string_def(profile, section, "table_appid", g_doh_conf->tables[TYPE_APPID].name, TFE_STRING_MAX, "TSG_OBJ_APP_ID");
- MESA_load_profile_string_def(profile, section, "table_addr", g_doh_conf->tables[TYPE_ADDR].name, TFE_STRING_MAX, "TSG_SECURITY_ADDR");
+ MESA_load_profile_string_def(profile, section, "table_src_addr", g_doh_conf->tables[TYPE_SRC_ADDR].name, TFE_STRING_MAX, "TSG_SECURITY_SOURCE_ADDR");
+ MESA_load_profile_string_def(profile, section, "table_dst_addr", g_doh_conf->tables[TYPE_DST_ADDR].name, TFE_STRING_MAX, "TSG_SECURITY_DESTINATION_ADDR");
MESA_load_profile_string_def(profile, section, "table_qname", g_doh_conf->tables[TYPE_QNAME].name, TFE_STRING_MAX, "TSG_FIELD_DOH_QNAME");
- MESA_load_profile_string_def(profile, section, "table_host", g_doh_conf->tables[TYPE_HOST].name, TFE_STRING_MAX, "TSG_FIELD_HTTP_HOST");
+ MESA_load_profile_string_def(profile, section, "table_host", g_doh_conf->tables[TYPE_HOST].name, TFE_STRING_MAX, "TSG_FIELD_DOH_HOST");
+ MESA_load_profile_string_def(profile, section, "table_host_cat", g_doh_conf->tables[TYPE_HOST_CAT].name, TFE_STRING_MAX, "TSG_FIELD_DOH_HOST_CAT");
for (int i = 0; i < TYPE_MAX; i++)
{
- g_doh_conf->tables[i].id = Maat_table_register(g_doh_conf->maat, g_doh_conf->tables[i].name);
+ g_doh_conf->tables[i].id = maat_get_table_id(g_doh_conf->maat, g_doh_conf->tables[i].name);
if (g_doh_conf->tables[i].id < 0)
{
- TFE_LOG_ERROR(g_doh_conf->local_logger, "Maat_table_register failed, table_name: %s", g_doh_conf->tables[i].name);
+ TFE_LOG_ERROR(g_doh_conf->local_logger, "maat_get_table_id failed, table_name: %s", g_doh_conf->tables[i].name);
return -1;
}
}
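Review bot: The new tables are resolved here once by name, but doh_get_cheat_data resolves "PXY_CTRL_COMPILE" with maat_get_table_id on every hit; resolving it here into g_doh_conf (a cached id or an extra tables[] entry) keeps one lookup path and lets init fail early if the table is missing. The cast `(struct maat *)tfe_bussiness_resouce_get(STATIC_MAAT)` is still used without a NULL check before maat_get_table_id; that predates this change, but a `if (g_doh_conf->maat == NULL) return -1;` would match the error handling below it.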
@@ -377,7 +456,7 @@ static struct doh_ctx *doh_ctx_new(unsigned int thread_id)
ctx->magic_num = DOH_CTX_MAGIC_NUM;
ctx->thread_id = (int)thread_id;
- ctx->scan_mid = NULL;
+ ctx->scan_mid = maat_state_new(g_doh_conf->maat, thread_id);
ctx->opts_num = 0;
ctx->opts = NULL;
ctx->min_ttl = 0;
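Review bot: `ctx->scan_mid = maat_state_new(g_doh_conf->maat, thread_id);` is not checked; if maat_state_new can return NULL, every maat_scan_* call in doh_maat_scan receives a NULL state on that context. If it can fail, add a check that unwinds the partially built ctx the way the rest of doh_ctx_new does — its allocation and error paths are outside this hunk. Whether thread_id here (unsigned int) matches the parameter type maat_state_new expects is also not visible.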
@@ -524,7 +603,7 @@ static void doh_process_req(const struct tfe_stream *stream, const struct tfe_ht
}
doh_maat_scan(stream, session, ctx, (char *)ctx->doh_req->query_question.qname, ctx->doh_req->query_question.qtype);
- Maat_clean_status(&(ctx->scan_mid));
+ maat_state_free(ctx->scan_mid);
ctx->scan_mid = NULL;
if (!ctx->opts_num)
{
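Review bot: The state created once per context in doh_ctx_new is destroyed here after a single request and `ctx->scan_mid = NULL;` is never re-created, so if doh_process_req can run more than once on the same ctx the next scan passes a NULL state. The old `Maat_clean_status` reset the state in place; the replacement should either re-create it (`ctx->scan_mid = maat_state_new(g_doh_conf->maat, ctx->thread_id);`) or move maat_state_free to the ctx destructor, which one being right depends on the ctx lifetime not visible here. doh_process_req continues outside the hunk.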
diff --git a/plugin/business/doh/src/logger.cpp b/plugin/business/doh/src/logger.cpp
index 1c65288..6cb1d6b 100644
--- a/plugin/business/doh/src/logger.cpp
+++ b/plugin/business/doh/src/logger.cpp
@@ -15,8 +15,8 @@ enum _log_action //Bigger action number is prior.
LG_ACTION_DROP = 0x20, /* N/A */
LG_ACTION_MANIPULATE = 0x30,
LG_ACTION_RATELIMIT = 0x40, /* N/A */
- LG_ACTION_LOOP = 0x60, /* N/A */
- LG_ACTION_WHITELIST = 0x80,
+ LG_ACTION_WHITELIST = 0x60,
+ LG_ACTION_SHUNT = 0x80,
__LG_ACTION_MAX
};
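Review bot: `LG_ACTION_WHITELIST` moves from 0x80 to 0x60 and `LG_ACTION_SHUNT` takes 0x80, so under the "Bigger action number is prior" rule in the enum comment WHITELIST now ranks below SHUNT, and any consumer that stored or matched the old numeric value reads a different meaning. If these numbers reach Kafka logs or persisted data, the change needs a matching consumer update or at least a comment on the enum stating the new ordering; the removal of `LG_ACTION_LOOP` is also undocumented.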
@@ -299,7 +299,7 @@ int doh_kafka_init(const char *profile, struct doh_conf *conf)
int doh_send_log(struct doh_conf *handle, const struct tfe_http_session *http, const struct tfe_stream *stream, struct doh_ctx *ctx)
{
- Maat_rule_t *result = ctx->result;
+ struct doh_maat_rule_t *result = ctx->result;
size_t result_num = ctx->result_num;
dns_info_t *dns_info = ctx->doh_req;
const struct tfe_stream_addr *addr = stream->addr;
diff --git a/plugin/business/doh/src/pub.h b/plugin/business/doh/src/pub.h
index 82b9ec2..406b0f9 100644
--- a/plugin/business/doh/src/pub.h
+++ b/plugin/business/doh/src/pub.h
@@ -11,7 +11,7 @@ extern "C"
#include <tfe_resource.h>
#include <tfe_proxy.h>
#include <tfe_plugin.h>
-#include <MESA/Maat_rule.h>
+#include <MESA/maat.h>
#include <MESA/MESA_prof_load.h>
#include <tfe_kafka_logger.h>
@@ -30,10 +30,12 @@ enum pangu_http_stat
enum table_type
{
- TYPE_ADDR,
+ TYPE_SRC_ADDR,
+ TYPE_DST_ADDR,
TYPE_APPID,
TYPE_QNAME,
TYPE_HOST,
+ TYPE_HOST_CAT,
TYPE_MAX
};
@@ -68,10 +70,20 @@ struct doh_conf
struct event_base *gc_evbase;
screen_stat_handle_t fs_handle;
- Maat_feather_t maat;
+ struct maat *maat;
struct maat_table tables[TYPE_MAX];
};
+struct doh_maat_rule_t
+{
+ long long config_id;
+ int service_id;
+ unsigned char do_log;
+ unsigned char do_blacklist;
+ unsigned char action;
+ char *srv_def_large;
+};
+
struct doh_ctx
{
int count;
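Review bot: `char *srv_def_large;` in the new struct says nothing about ownership, yet doh.cpp both shallow-copies the whole struct into ctx->result and frees this field from doh_action_param_free_cb; a comment such as `char *srv_def_large; /* owned by the doh_action_param it came from; copies of this struct borrow it and must not free it */` would stop the next reader from freeing it twice or keeping it past the owner. `config_id` widening to long long matches the raw ids now returned by maat_scan_*, which is worth a one-line comment as well. doh_maat_rule_t is complete within the hunk; doh_ctx begins at its end and continues outside.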
@@ -82,9 +94,9 @@ struct doh_ctx
int opts_num;
int vsys_id;
size_t result_num;
- Maat_rule_t *result;
+ struct doh_maat_rule_t *result;
cheat_pkt_opt_t *opts;
- scan_status_t scan_mid;
+ struct maat_state *scan_mid;
enum doh_content_type type;
struct evbuffer *http_req_body;
dns_info_t *doh_req;