TFE适配MAAT4，编译表只注册一次

author: luwenpeng <[email protected]> 2023-04-23 16:35:42 +0800
committer: luwenpeng <[email protected]> 2023-04-23 16:35:42 +0800
commit: 2138d7f13e677d9d629b23eacb99a0b619ace34c (patch)
tree: 706454a4d1a866ee08a145bcb237c776bc2f2cb3 /plugin
parent: 97a4386bc47436ec7f4b69cffdbb16d3ba76111e (diff)
3 files changed, 79 insertions, 357 deletions
diff --git a/plugin/business/ssl-policy/src/ssl_policy.cpp b/plugin/business/ssl-policy/src/ssl_policy.cpp
index 140eebb..6cb0866 100644
--- a/plugin/business/ssl-policy/src/ssl_policy.cpp
+++ b/plugin/business/ssl-policy/src/ssl_policy.cpp
@@ -10,18 +10,9 @@
 struct ssl_policy_enforcer
 {
 	struct maat *maat;
-	int policy_table_id;
 	int profile_table_id;
 	void* logger;
 };
-struct intercept_param
-{
-	uint64_t policy_id;
-	int ref_cnt;
-	int keyring_for_trusted;
-	int keyring_for_untrusted;
-	int decryption_profile_id;
-};
 
 struct decryption_param
 {
@@ -43,147 +34,6 @@ struct decryption_param
 	int mirror_client_version;
 };
 
-void intercept_param_dup_cb(int table_id, void **to, void **from, long argl, void* argp)
-{
-	struct intercept_param* param= (struct intercept_param*) *from;
-	if(param)
-	{
-		 __sync_add_and_fetch(&(param->ref_cnt), 1);
-		*to = param;
-	}
-	else
-	{
-		*to=NULL;
-	}
-	return;
-}
-
-void intercept_param_new_cb(const char *table_name, int table_id, const char* key, const char* table_line, void **ad, long argl, void* argp)
-{
-	int ret=0;
-	size_t intercept_user_region_offset=0, len=0;
-	char* json_str=NULL;
-	cJSON *json=NULL, *item=NULL;
-	struct intercept_param* param=NULL;
-
-	struct ssl_policy_enforcer* enforcer=(struct ssl_policy_enforcer*)argp;
-	ret=maat_helper_read_column(table_line, 7, &intercept_user_region_offset, &len);
-	if(ret<0)
-	{
-		TFE_LOG_ERROR(enforcer->logger, "Get intercept user region: %s", table_line);
-		return;
-	}
-	json_str=ALLOC(char, len+1);
-	memcpy(json_str, table_line+intercept_user_region_offset, len);
-	json=cJSON_Parse(json_str);
-	if(json==NULL)
-	{
-		TFE_LOG_ERROR(enforcer->logger, "Invalid intercept parameter: id = %s", key);
-		goto error_out;
-	}
-
-	item=cJSON_GetObjectItem(json, "protocol");
-	if(unlikely(!item || !cJSON_IsString(item)))
-	{
-		TFE_LOG_ERROR(enforcer->logger, "Invalid intercept parameter: %s invalid protocol format", key);
-        goto error_out;
-	}
-	if(0!=strcasecmp(item->valuestring, "SSL")&& 0!=strcasecmp(item->valuestring, "HTTP"))
-	{
-		goto error_out;
-	}
-
-	param=ALLOC(struct intercept_param, 1);
-	param->policy_id=atoll(key);
-	param->ref_cnt=1;
-	/*
-	param->bypass_mutual_auth=1;
-	param->bypass_pinning=1;
-	param->mirror_client_version=1;
-	*/
-	param->keyring_for_trusted=1;
-	param->keyring_for_untrusted=0;
-	param->decryption_profile_id=0;
-
-	item=cJSON_GetObjectItem(json, "keyring_for_trusted");
-	if(item)
-	{
-		if(item->type==cJSON_Number)
-		{
-			param->keyring_for_trusted=item->valueint;
-		}
-		else if(item->type==cJSON_String)
-		{
-			param->keyring_for_trusted=atoi(item->valuestring);
-		}
-		else
-		{
-			TFE_LOG_ERROR(enforcer->logger, "Invalid intercept parameter: %lu invalid keyring_for_trusted format", param->policy_id);
-		}
-	}
-
-	item=cJSON_GetObjectItem(json, "keyring_for_untrusted");
-	if(item)
-	{
-		if(item->type==cJSON_Number)
-		{
-			param->keyring_for_untrusted=item->valueint;
-		}
-		else if(item->type==cJSON_String)
-		{
-			param->keyring_for_untrusted=atoi(item->valuestring);
-		}
-		else
-		{
-			TFE_LOG_ERROR(enforcer->logger, "Invalid intercept parameter: %lu invalid keyring_for_untrusted format", param->policy_id);
-		}
-	}
-
-	item=cJSON_GetObjectItem(json, "decryption");
-	if(item)
-	{
-		if(item->type==cJSON_Number)
-		{
-			param->decryption_profile_id=item->valueint;
-		}
-		else if(item->type==cJSON_String)
-		{
-			param->decryption_profile_id=atoi(item->valuestring);
-		}
-		else
-		{
-			TFE_LOG_ERROR(enforcer->logger, "Invalid intercept parameter: %lu invalid decryption format", param->policy_id);
-		}
-	}
-	*ad=param;
-	TFE_LOG_INFO(enforcer->logger, "Add intercept policy: %lu", param->policy_id);
-error_out:
-	cJSON_Delete(json);
-	free(json_str);
-	return;
-}
-void intercept_param_free_cb(int table_id, void **ad, long argl, void* argp)
-{
-	struct ssl_policy_enforcer* enforcer=(struct ssl_policy_enforcer*)argp;
-	struct intercept_param* param= (struct intercept_param*) *ad;
-	if(param==NULL)
-	{
-		return;
-	}
-
-    if ((__sync_sub_and_fetch(&param->ref_cnt, 1) == 0))
-	{
-		TFE_LOG_INFO(enforcer->logger, "Del intercept policy %lu", param->policy_id);
-		free(param);
-		*ad=NULL;
-	}
-}
-void intercept_param_free(struct intercept_param* param)
-{
-	intercept_param_free_cb(0, (void**)&param, 0, NULL);
-	return;
-}
-
 void profile_param_dup_cb(int table_id, void **to, void **from, long argl, void* argp)
 {
 	struct decryption_param* param= (struct decryption_param*) *from;
@@ -319,21 +169,12 @@ error_out:
 }
 struct ssl_policy_enforcer* ssl_policy_enforcer_create(void* logger)
 {
+	UNUSED int ret=0;
 	struct ssl_policy_enforcer* enforcer=ALLOC(struct ssl_policy_enforcer, 1);
 	enforcer->maat=(struct maat*)tfe_bussiness_resouce_get(STATIC_MAAT);;
 	enforcer->logger=logger;
-	enforcer->policy_table_id=maat_get_table_id(enforcer->maat, "TSG_SECURITY_COMPILE");
-	assert(enforcer->policy_table_id >= 0);
 	enforcer->profile_table_id=maat_get_table_id(enforcer->maat, "PXY_PROFILE_DECRYPTION");
 	assert(enforcer->profile_table_id >= 0);
-	UNUSED int ret=maat_plugin_table_ex_schema_register(enforcer->maat,
-												"TSG_SECURITY_COMPILE",
-												intercept_param_new_cb,
-												intercept_param_free_cb,
-												intercept_param_dup_cb,
-												0,
-												enforcer);
-	assert(ret==0);
 	ret=maat_plugin_table_ex_schema_register(enforcer->maat,
 										"PXY_PROFILE_DECRYPTION",
 										profile_param_new_cb,
@@ -347,32 +188,24 @@ struct ssl_policy_enforcer* ssl_policy_enforcer_create(void* logger)
 enum ssl_stream_action ssl_policy_enforce(struct ssl_stream *upstream, void* u_para)
 {
 	UNUSED struct ssl_policy_enforcer* enforcer=(struct ssl_policy_enforcer*)u_para;
-	struct intercept_param *policy_param=NULL;
-	struct decryption_param *profile_param=NULL;
 	enum ssl_stream_action action=SSL_ACTION_PASSTHROUGH;
 	UNUSED int ret=0;
-	uint64_t policy_id=0;
-	char policy_id_str[16]={0};
+	char sni[512];
+	char addr_string[512];
 	char profile_id_str[16]={0};
-	char sni[512], addr_string[512];
-	policy_id = ssl_stream_get_policy_id(upstream);
-	snprintf(policy_id_str, sizeof(policy_id_str), "%lu", policy_id);
-	policy_param=(struct intercept_param *)maat_plugin_table_get_ex_data(enforcer->maat, enforcer->policy_table_id, policy_id_str);
-	if(policy_param==NULL)
-	{
-		TFE_LOG_INFO(enforcer->logger, "Failed to get intercept parameter of policy %lu.", policy_id);
-		ssl_stream_set_cmsg_string(upstream, TFE_CMSG_SSL_PASSTHROUGH_REASON, "Invalid Intercept Param");
-		return SSL_ACTION_PASSTHROUGH;
-	}
-	else
-	{
-		ssl_stream_get_string_opt(upstream, SSL_STREAM_OPT_SNI, sni, sizeof(sni));
-		ssl_stream_get_string_opt(upstream, SSL_STREAM_OPT_ADDR, addr_string, sizeof(addr_string));
-		TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy %lu", addr_string, sni, policy_id);
-	}
 
-	snprintf(profile_id_str, sizeof(profile_id_str), "%u", policy_param->decryption_profile_id);
-	profile_param=(struct decryption_param *)maat_plugin_table_get_ex_data(enforcer->maat, enforcer->profile_table_id, profile_id_str);
+	uint64_t policy_id = ssl_stream_get_policy_id(upstream);
+	int decryption_profile_id = ssl_stream_get_decrypted_profile_id(upstream);
+	int keyring_for_trusted =  ssl_stream_get_trusted_keyring_profile_id(upstream);
+	int keyring_for_untrusted = ssl_stream_get_untrusted_keyring_profile_id(upstream);
+
+
+	ssl_stream_get_string_opt(upstream, SSL_STREAM_OPT_SNI, sni, sizeof(sni));
+	ssl_stream_get_string_opt(upstream, SSL_STREAM_OPT_ADDR, addr_string, sizeof(addr_string));
+	TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy %lu", addr_string, sni, policy_id);
+
+	snprintf(profile_id_str, sizeof(profile_id_str), "%u", decryption_profile_id);
+	struct decryption_param *profile_param=(struct decryption_param *)maat_plugin_table_get_ex_data(enforcer->maat, enforcer->profile_table_id, profile_id_str);
 	if (profile_param==NULL)
 	{
 		TFE_LOG_INFO(enforcer->logger, "Failed to get decryption parameter of profile %s.", profile_id_str);
@@ -397,8 +230,8 @@ enum ssl_stream_action ssl_policy_enforce(struct ssl_stream *upstream, void* u_p
 	{
 		ret=ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_BLOCK_FAKE_CERT, 1);
 	}
-	ret=ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_KEYRING_FOR_TRUSTED, policy_param->keyring_for_trusted);
-	ret=ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_KEYRING_FOR_UNTRUSTED, policy_param->keyring_for_untrusted);
+	ret=ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_KEYRING_FOR_TRUSTED, keyring_for_trusted);
+	ret=ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_KEYRING_FOR_UNTRUSTED, keyring_for_untrusted);
 
 	ret=ssl_stream_get_integer_opt(upstream, SSL_STREAM_OPT_PINNING_STATUS, &pinning_staus);
 	assert(ret==0);
@@ -415,46 +248,44 @@ enum ssl_stream_action ssl_policy_enforce(struct ssl_stream *upstream, void* u_p
 	{
 		action = SSL_ACTION_PASSTHROUGH;
 		ssl_stream_set_cmsg_string(upstream, TFE_CMSG_SSL_PASSTHROUGH_REASON, "Certificate Not Installed");
-		TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %lu, action PASSTHROUGH due to Certificate Not Installed", addr_string, sni, policy_param->policy_id);
+		TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %lu, action PASSTHROUGH due to Certificate Not Installed", addr_string, sni, policy_id);
 	}
 	else if ((pinning_staus == 1 || ja3_pinning_status == JA3_PINNING_STATUS_IS_PINNING) && ja3_pinning_status != JA3_PINNING_STATUS_NOT_PINNING && profile_param->bypass_pinning)
 	{
 		action = SSL_ACTION_PASSTHROUGH;
 		ssl_stream_set_cmsg_string(upstream, TFE_CMSG_SSL_PASSTHROUGH_REASON, "Certificate Pinning");
-		TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %lu, action PASSTHROUGH due to Certificate Pinning", addr_string, sni, policy_param->policy_id);
+		TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %lu, action PASSTHROUGH due to Certificate Pinning", addr_string, sni, policy_id);
 	}
 	else if (is_mauth && profile_param->bypass_mutual_auth)
 	{
 		action = SSL_ACTION_PASSTHROUGH;
 		ssl_stream_set_cmsg_string(upstream, TFE_CMSG_SSL_PASSTHROUGH_REASON, "Mutual Authentication");
-		TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %lu, action PASSTHROUGH due to Mutual Authentication", addr_string, sni, policy_param->policy_id);
+		TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %lu, action PASSTHROUGH due to Mutual Authentication", addr_string, sni, policy_id);
 	}
 	else if (is_ev && profile_param->bypass_ev_cert)
 	{
 		action = SSL_ACTION_PASSTHROUGH;
 		ssl_stream_set_cmsg_string(upstream, TFE_CMSG_SSL_PASSTHROUGH_REASON, "EV Certificate");
-		TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %lu, action PASSTHROUGH due to EV Certificate", addr_string, sni, policy_param->policy_id);
+		TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %lu, action PASSTHROUGH due to EV Certificate", addr_string, sni, policy_id);
 	}
 	else if (is_ct && profile_param->bypass_ct_cert)
 	{
 		action = SSL_ACTION_PASSTHROUGH;
 		ssl_stream_set_cmsg_string(upstream, TFE_CMSG_SSL_PASSTHROUGH_REASON, "Certificate Transparency");
-		TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %lu, action PASSTHROUGH due to Certificate Transparency", addr_string, sni, policy_param->policy_id);
+		TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %lu, action PASSTHROUGH due to Certificate Transparency", addr_string, sni, policy_id);
 	}
 	else if (has_error && profile_param->bypass_protocol_errors)
 	{
 		action = SSL_ACTION_PASSTHROUGH;
 		ssl_stream_set_cmsg_string(upstream, TFE_CMSG_SSL_PASSTHROUGH_REASON, "Protocol Errors");
-		TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %lu, action PASSTHROUGH due to Protocol Errors", addr_string, sni, policy_param->policy_id);
+		TFE_LOG_DEBUG(enforcer->logger, "%s %s enforce policy_id %lu, action PASSTHROUGH due to Protocol Errors", addr_string, sni, policy_id);
 	}
 	else
 	{
 		action = SSL_ACTION_INTERCEPT;
 	}
 
-	intercept_param_free(policy_param);
 	profile_param_free(profile_param);
-	policy_param=NULL;
 	profile_param=NULL;
 	return action;
 }
diff --git a/plugin/business/tcp-policy/src/tcp_policy.cpp b/plugin/business/tcp-policy/src/tcp_policy.cpp
index 4152d5d..aebc259 100644
--- a/plugin/business/tcp-policy/src/tcp_policy.cpp
+++ b/plugin/business/tcp-policy/src/tcp_policy.cpp
@@ -1,7 +1,6 @@
 #include <assert.h>
 #include <tfe_cmsg.h>
 #include <tfe_utils.h>
-#include <tfe_stream.h>
 #include <tfe_resource.h>
 #include <cjson/cJSON.h>
 #include <MESA/maat.h>
@@ -11,8 +10,7 @@
 struct tcp_policy_enforcer
 {
     struct maat *maat;
-    int policy_table_id;
-    int profile_table_id;
+    int table_id;
     void *logger;
 };
 
@@ -39,100 +37,6 @@ struct tcp_profile_param
     struct side_conn_param server_side;
 };
 
-struct intercept_param
-{
-    uint64_t rule_id;
-    int ref_cnt;
-    int tcp_option_profile;
-};
-
-static void intercept_param_new_cb(const char *table_name, int table_id, const char *key, const char *table_line, void **ad, long argl, void *argp)
-{
-    size_t offset = 0;
-    size_t len = 0;
-    char *json_str = NULL;
-    cJSON *json = NULL;
-    cJSON *item = NULL;
-    struct intercept_param *policy_param = NULL;
-    struct tcp_policy_enforcer *enforcer = (struct tcp_policy_enforcer *)argp;
-
-    if (maat_helper_read_column(table_line, 7, &offset, &len) < 0)
-    {
-        TFE_LOG_ERROR(enforcer->logger, "Invalid intercept user region: %s", table_line);
-        goto error_out;
-    }
-
-    json_str = ALLOC(char, len + 1);
-    memcpy(json_str, table_line + offset, len);
-    json = cJSON_Parse(json_str);
-    if (json == NULL)
-    {
-        TFE_LOG_ERROR(enforcer->logger, "Invalid intercept parameter: id = %s", key);
-        goto error_out;
-    }
-
-    item = cJSON_GetObjectItem(json, "tcp_option_profile");
-    if (item == NULL || item->type != cJSON_Number)
-    {
-        TFE_LOG_ERROR(enforcer->logger, "Invalid intercept parameter: %s invalid tcp_option_profile format", key);
-        goto error_out;
-    }
-
-    policy_param = ALLOC(struct intercept_param, 1);
-    policy_param->rule_id = atoll(key);
-    policy_param->ref_cnt = 1;
-    policy_param->tcp_option_profile = item->valueint;
-
-    *ad = policy_param;
-    TFE_LOG_INFO(enforcer->logger, "Add intercept policy: %lu", policy_param->rule_id);
-
-error_out:
-    if (json)
-    {
-        cJSON_Delete(json);
-    }
-    if (json_str)
-    {
-        free(json_str);
-    }
-}
-
-static void intercept_param_free_cb(int table_id, void **ad, long argl, void *argp)
-{
-    struct tcp_policy_enforcer *enforcer = (struct tcp_policy_enforcer *)argp;
-    struct intercept_param *policy_param = (struct intercept_param *)*ad;
-    if (policy_param == NULL)
-    {
-        return;
-    }
-
-    if ((__sync_sub_and_fetch(&policy_param->ref_cnt, 1) == 0))
-    {
-        TFE_LOG_INFO(enforcer->logger, "Del intercept policy %lu", policy_param->rule_id);
-        free(policy_param);
-        *ad = NULL;
-    }
-}
-
-static void intercept_param_free(struct intercept_param *policy_param)
-{
-    intercept_param_free_cb(0, (void **)&policy_param, 0, NULL);
-}
-
-static void intercept_param_dup_cb(int table_id, void **to, void **from, long argl, void *argp)
-{
-    struct intercept_param *policy_param = (struct intercept_param *)*from;
-    if (policy_param)
-    {
-        __sync_add_and_fetch(&(policy_param->ref_cnt), 1);
-        *to = policy_param;
-    }
-    else
-    {
-        *to = NULL;
-    }
-}
-
 static int parser_side_conn_param(const char *json_str, struct side_conn_param *out_val, void *logger)
 {
     cJSON *json = NULL;
@@ -217,7 +121,7 @@ static void profile_param_new_cb(const char *table_name, int table_id, const cha
     char client_side_conn_param[512] = {0};
     char server_side_conn_param[512] = {0};
     int is_valid = 0;
-    struct tcp_profile_param *profile_param = NULL;
+    struct tcp_profile_param *param = NULL;
     struct tcp_policy_enforcer *enforcer = (struct tcp_policy_enforcer *)argp;
 
     ret = sscanf(table_line, "%d\t%d\t%d\t%s\t%s\t%d", &profile_id, &tcp_passthrough, &bypass_duplicated_packet, client_side_conn_param, server_side_conn_param, &is_valid);
@@ -227,60 +131,54 @@ static void profile_param_new_cb(const char *table_name, int table_id, const cha
         goto error_out;
     }
 
-    profile_param = ALLOC(struct tcp_profile_param, 1);
-    profile_param->ref_cnt = 1;
-    profile_param->tcp_passthrough = tcp_passthrough;
-    profile_param->bypass_duplicated_packet = bypass_duplicated_packet;
+    param = ALLOC(struct tcp_profile_param, 1);
+    param->ref_cnt = 1;
+    param->tcp_passthrough = tcp_passthrough;
+    param->bypass_duplicated_packet = bypass_duplicated_packet;
 
-    if (parser_side_conn_param(client_side_conn_param, &profile_param->client_side, enforcer->logger) == -1)
+    if (parser_side_conn_param(client_side_conn_param, &param->client_side, enforcer->logger) == -1)
     {
         goto error_out;
     }
 
-    if (parser_side_conn_param(server_side_conn_param, &profile_param->server_side, enforcer->logger) == -1)
+    if (parser_side_conn_param(server_side_conn_param, &param->server_side, enforcer->logger) == -1)
     {
         goto error_out;
     }
 
-    *ad = profile_param;
+    *ad = param;
     TFE_LOG_INFO(enforcer->logger, "Add tcp option profile: %s", key);
     return;
 
 error_out:
-    if (profile_param)
+    if (param)
     {
-        free(profile_param);
+        free(param);
     }
-    return;
 }
 
 static void profile_param_free_cb(int table_id, void **ad, long argl, void *argp)
 {
-    struct tcp_profile_param *profile_param = (struct tcp_profile_param *)*ad;
-    if (profile_param == NULL)
+    struct tcp_profile_param *param = (struct tcp_profile_param *)*ad;
+    if (param == NULL)
     {
         return;
     }
 
-    if ((__sync_sub_and_fetch(&profile_param->ref_cnt, 1) == 0))
+    if ((__sync_sub_and_fetch(&param->ref_cnt, 1) == 0))
     {
-        free(profile_param);
+        free(param);
         *ad = NULL;
     }
 }
 
-static void profile_param_free(struct tcp_profile_param *profile_param)
-{
-    profile_param_free_cb(0, (void **)&profile_param, 0, NULL);
-}
-
 static void profile_param_dup_cb(int table_id, void **to, void **from, long argl, void *argp)
 {
-    struct tcp_profile_param *profile_param = (struct tcp_profile_param *)*from;
-    if (profile_param)
+    struct tcp_profile_param *param = (struct tcp_profile_param *)*from;
+    if (param)
     {
-        __sync_add_and_fetch(&(profile_param->ref_cnt), 1);
-        *to = profile_param;
+        __sync_add_and_fetch(&(param->ref_cnt), 1);
+        *to = param;
     }
     else
     {
@@ -288,35 +186,24 @@ static void profile_param_dup_cb(int table_id, void **to, void **from, long argl
     }
 }
 
+static void profile_param_free(struct tcp_profile_param *param)
+{
+    profile_param_free_cb(0, (void **)&param, 0, NULL);
+}
+
 struct tcp_policy_enforcer *tcp_policy_enforcer_create(void *logger)
 {
     int ret = 0;
     struct tcp_policy_enforcer *enforcer = ALLOC(struct tcp_policy_enforcer, 1);
     enforcer->maat = (struct maat *)tfe_bussiness_resouce_get(STATIC_MAAT);
     enforcer->logger = logger;
-    enforcer->policy_table_id = maat_get_table_id(enforcer->maat, "TSG_SECURITY_COMPILE");
-    if (enforcer->policy_table_id < 0)
-    {
-        TFE_LOG_ERROR(enforcer->logger, "failed at register table of TSG_SECURITY_COMPILE, ret = %d", enforcer->policy_table_id);
-        goto error_out;
-    }
-    enforcer->profile_table_id = maat_get_table_id(enforcer->maat, "PXY_PROFILE_TCP_OPTION");
-    if (enforcer->profile_table_id < 0)
+    enforcer->table_id = maat_get_table_id(enforcer->maat, "PXY_PROFILE_TCP_OPTION");
+    if (enforcer->table_id < 0)
     {
-        TFE_LOG_ERROR(enforcer->logger, "failed at register table of PXY_PROFILE_TCP_OPTION, ret = %d", enforcer->profile_table_id);
+        TFE_LOG_ERROR(enforcer->logger, "failed at register table of PXY_PROFILE_TCP_OPTION, ret = %d", enforcer->table_id);
         goto error_out;
     }
 
-    ret = maat_plugin_table_ex_schema_register(enforcer->maat, "TSG_SECURITY_COMPILE",
-                                               intercept_param_new_cb,
-                                               intercept_param_free_cb,
-                                               intercept_param_dup_cb,
-                                               0, enforcer);
-    if (ret < 0)
-    {
-        TFE_LOG_ERROR(enforcer->logger, "failed at register callback of TSG_SECURITY_COMPILE, ret = %d", ret);
-        goto error_out;
-    }
     ret = maat_plugin_table_ex_schema_register(enforcer->maat, "PXY_PROFILE_TCP_OPTION",
                                                profile_param_new_cb,
                                                profile_param_free_cb,
@@ -343,31 +230,33 @@ void tcp_policy_enforcer_destory(struct tcp_policy_enforcer *enforcer)
     }
 }
 
-void tcp_policy_enforce(struct tcp_policy_enforcer *enforcer, struct tfe_cmsg *cmsg, uint64_t rule_id)
+// return  0 : success
+// return -1 : error (need passthrough)
+int tcp_policy_enforce(struct tcp_policy_enforcer *tcp_enforcer, struct tfe_cmsg *cmsg)
 {
-    char rule_id_str[16] = {0};
-    char profile_id_str[16] = {0};
+    int ret = 0;
+    int profile_id = 0;
+    uint16_t size = 0;
+    char buffer[16] = {0};
 
-    snprintf(rule_id_str, sizeof(rule_id_str), "%lu", rule_id);
-    struct intercept_param *policy_param = (struct intercept_param *)maat_plugin_table_get_ex_data(enforcer->maat, enforcer->policy_table_id, rule_id_str);
-    if (policy_param == NULL)
+    ret = tfe_cmsg_get_value(cmsg, TFE_CMSG_TCP_OPTION_PROFILE_ID, (unsigned char *)&profile_id, sizeof(profile_id), &size);
+    if (ret < 0)
     {
-        TFE_LOG_INFO(enforcer->logger, "Failed to get intercept parameter of policy %lu.", rule_id);
-        return;
+        TFE_LOG_ERROR(g_default_logger, "Failed at fetch tcp_option_profile from cmsg: %s", strerror(-ret));
+        return -1;
     }
 
-    snprintf(profile_id_str, sizeof(profile_id_str), "%d", policy_param->tcp_option_profile);
-    struct tcp_profile_param *profile_param = (struct tcp_profile_param *)maat_plugin_table_get_ex_data(enforcer->maat, enforcer->profile_table_id, profile_id_str);
-    if (profile_param == NULL)
+    snprintf(buffer, sizeof(buffer), "%d", profile_id);
+    struct tcp_profile_param *param = (struct tcp_profile_param *)maat_plugin_table_get_ex_data(tcp_enforcer->maat, tcp_enforcer->table_id, buffer);
+    if (param == NULL)
     {
-        TFE_LOG_INFO(enforcer->logger, "Failed to get tcp option parameter of profile %lu.", rule_id);
-        intercept_param_free(policy_param);
-        return;
+        TFE_LOG_INFO(tcp_enforcer->logger, "Failed to get tcp option parameter of profile %d.", profile_id);
+        return -1;
     }
 
-    tfe_cmsg_set(cmsg, TFE_CMSG_TCP_PASSTHROUGH, (unsigned char *)&profile_param->tcp_passthrough, sizeof(profile_param->tcp_passthrough));
+    tfe_cmsg_set(cmsg, TFE_CMSG_TCP_PASSTHROUGH, (unsigned char *)&param->tcp_passthrough, sizeof(param->tcp_passthrough));
 
-    struct side_conn_param *client_side = &profile_param->client_side;
+    struct side_conn_param *client_side = &param->client_side;
     tfe_cmsg_set(cmsg, TFE_CMSG_DOWNSTREAM_TCP_MSS_ENABLE, (unsigned char *)&client_side->maxseg_enable, sizeof(client_side->maxseg_enable));
     tfe_cmsg_set(cmsg, TFE_CMSG_DOWNSTREAM_TCP_MSS_VALUE, (unsigned char *)&client_side->maxseg_vaule, sizeof(client_side->maxseg_vaule));
     tfe_cmsg_set(cmsg, TFE_CMSG_DOWNSTREAM_TCP_NODELAY, (unsigned char *)&client_side->nodelay, sizeof(client_side->nodelay));
@@ -378,7 +267,7 @@ void tcp_policy_enforce(struct tcp_policy_enforcer *enforcer, struct tfe_cmsg *c
     tfe_cmsg_set(cmsg, TFE_CMSG_DOWNSTREAM_TCP_KEEPINTVL, (unsigned char *)&client_side->keepidle, sizeof(client_side->keepintvl));
     tfe_cmsg_set(cmsg, TFE_CMSG_DOWNSTREAM_TCP_USER_TIMEOUT, (unsigned char *)&client_side->user_timeout, sizeof(client_side->user_timeout));
 
-    struct side_conn_param *server_side = &profile_param->server_side;
+    struct side_conn_param *server_side = &param->server_side;
     tfe_cmsg_set(cmsg, TFE_CMSG_UPSTREAM_TCP_MSS_ENABLE, (unsigned char *)&server_side->maxseg_enable, sizeof(server_side->maxseg_enable));
     tfe_cmsg_set(cmsg, TFE_CMSG_UPSTREAM_TCP_MSS_VALUE, (unsigned char *)&server_side->maxseg_vaule, sizeof(server_side->maxseg_vaule));
     tfe_cmsg_set(cmsg, TFE_CMSG_UPSTREAM_TCP_NODELAY, (unsigned char *)&server_side->nodelay, sizeof(server_side->nodelay));
@@ -389,12 +278,13 @@ void tcp_policy_enforce(struct tcp_policy_enforcer *enforcer, struct tfe_cmsg *c
     tfe_cmsg_set(cmsg, TFE_CMSG_UPSTREAM_TCP_KEEPINTVL, (unsigned char *)&server_side->keepintvl, sizeof(server_side->keepintvl));
     tfe_cmsg_set(cmsg, TFE_CMSG_UPSTREAM_TCP_USER_TIMEOUT, (unsigned char *)&server_side->user_timeout, sizeof(server_side->user_timeout));
 
-    TFE_LOG_INFO(enforcer->logger, "hit rule_id %lu tcp_option_profile %d tcp_passthrough %d "
-                                   "client_side={maxseg_enable:%d, maxseg_vaule:%d, nodelay:%d, ttl:%d, keepalive:%d, keepcnt:%d, keepidle:%d, keepintvl:%d, user_timeout:%d} "
-                                   "server_side={maxseg_enable:%d, maxseg_vaule:%d, nodelay:%d, ttl:%d, keepalive:%d, keepcnt:%d, keepidle:%d, keepintvl:%d, user_timeout:%d} ",
-                 rule_id, policy_param->tcp_option_profile, profile_param->tcp_passthrough,
+    TFE_LOG_INFO(tcp_enforcer->logger, "hit tcp_option_profile %d tcp_passthrough %d "
+                                       "client_side={maxseg_enable:%d, maxseg_vaule:%d, nodelay:%d, ttl:%d, keepalive:%d, keepcnt:%d, keepidle:%d, keepintvl:%d, user_timeout:%d} "
+                                       "server_side={maxseg_enable:%d, maxseg_vaule:%d, nodelay:%d, ttl:%d, keepalive:%d, keepcnt:%d, keepidle:%d, keepintvl:%d, user_timeout:%d} ",
+                 profile_id, param->tcp_passthrough,
                  client_side->maxseg_enable, client_side->maxseg_vaule, client_side->nodelay, client_side->ttl, client_side->keepalive, client_side->keepcnt, client_side->keepidle, client_side->keepidle, client_side->user_timeout,
                  server_side->maxseg_enable, server_side->maxseg_vaule, server_side->nodelay, server_side->ttl, server_side->keepalive, server_side->keepcnt, server_side->keepidle, server_side->keepidle, server_side->user_timeout);
-    profile_param_free(profile_param);
-    intercept_param_free(policy_param);
+    profile_param_free(param);
+
+    return 0;
 }
 \ No newline at end of file
diff --git a/plugin/business/tcp-policy/src/tcp_policy.h b/plugin/business/tcp-policy/src/tcp_policy.h
index 5b34a5f..616bfe4 100644
--- a/plugin/business/tcp-policy/src/tcp_policy.h
+++ b/plugin/business/tcp-policy/src/tcp_policy.h
@@ -1,8 +1,9 @@
 #pragma once
 #include <tfe_cmsg.h>
-#include <MESA/maat.h>
 
 struct tcp_policy_enforcer;
 struct tcp_policy_enforcer *tcp_policy_enforcer_create(void *logger);
 void tcp_policy_enforcer_destory(struct tcp_policy_enforcer *enforcer);
-void tcp_policy_enforce(struct tcp_policy_enforcer *enforcer, struct tfe_cmsg *cmsg, uint64_t rule_id);
-\ No newline at end of file
+// return  0 : success
+// return -1 : error (need passthrough)
+int tcp_policy_enforce(struct tcp_policy_enforcer *tcp_enforcer, struct tfe_cmsg *cmsg);
+\ No newline at end of file
author	luwenpeng <[email protected]>	2023-04-23 16:35:42 +0800
committer	luwenpeng <[email protected]>	2023-04-23 16:35:42 +0800
commit	2138d7f13e677d9d629b23eacb99a0b619ace34c (patch)
tree	706454a4d1a866ee08a145bcb237c776bc2f2cb3 /plugin
parent	97a4386bc47436ec7f4b69cffdbb16d3ba76111e (diff)