| -rw-r--r-- | common/src/intercept_policy.cpp | 103 | ||||
| -rw-r--r-- | plugin/business/chaining-policy/src/chaining_policy.cpp | 8 |
2 files changed, 54 insertions, 57 deletions
diff --git a/common/src/intercept_policy.cpp b/common/src/intercept_policy.cpp
index 777c871..5e5bd6f 100644
--- a/common/src/intercept_policy.cpp
+++ b/common/src/intercept_policy.cpp
@@ -11,10 +11,16 @@ struct intercept_param
 int do_log;
 int ref_cnt;
 int action;
- int keyring_for_trusted;
- int keyring_for_untrusted;
- int decryption_profile;
- int tcp_option_profile;
+ uuid_t keyring_for_trusted;
+ uuid_t keyring_for_untrusted;
+ uuid_t decryption_profile;
+ uuid_t tcp_option_profile;
+};
+
+enum {
+ ACTION_NONE,
+ ACTION_INTERCEPT,
+ ACTION_NO_INTERCEPT,
+};
 };
 struct intercept_policy_enforcer
@@ -24,6 +30,16 @@ struct intercept_policy_enforcer
 void *logger;
 };
+static int intercept_action_map(char *action)
+{
+ if (strncasecmp(action, "intercept", strlen("intercept")) == 0)
+ return ACTION_INTERCEPT;
+ else if (strncasecmp(action, "no_intercept", strlen("no_intercept")) == 0)
+ return ACTION_NO_INTERCEPT;
+ else
+ return ACTION_NONE;
+}
+
 static void intercept_param_new_cb(const char *table_name, const char *key, const char *table_line, void **ad, long argl, void *argp)
 {
 int action = 0;
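Review bot: `intercept_action_map` matches by prefix: `strncasecmp(action, "intercept", strlen("intercept"))` accepts any value that merely begins with "intercept", so a mistyped or future value such as "intercepted" is silently treated as ACTION_INTERCEPT; an exact comparison, `if (strcasecmp(action, "intercept") == 0)` and the same for "no_intercept", is what the mapping intends. The parameter should be `const char *action`, since the function never writes through it and cJSON's `valuestring` is the only thing callers can pass. Nothing in the function refuses unknown input, so the final branch deserves a comment such as `/* ACTION_NONE: unrecognised action string; callers must reject the rule */`. strncasecmp/strcasecmp are declared in <strings.h>; the include block is outside this diff, so I cannot confirm it is present.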
@@ -42,32 +58,33 @@ static void intercept_param_new_cb(const char *table_name, const char *key, cons
 goto error_out;
 }
- item = cJSON_GetObjectItem(json_root, "ACTION");
- if (unlikely(!item || !cJSON_IsNumber(item)))
+ item = cJSON_GetObjectItem(json_root, "action");
+ if (unlikely(!item || !cJSON_IsString(item)))
 {
- TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule:%s (invalid ACTION format) %s.", key, table_line);
+ TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule:%s (invalid action format) %s.", key, table_line);
 goto error_out;
 }
+ action = intercept_action_map(item->valueint);
- if (item->valueint != 2 && item->valueint != 3)
+ item = cJSON_GetObjectItem(json_root, "log_option");
+ if (!item || !cJSON_IsString(item))
 {
- TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule:%s (invalid ACTION format) %s.", key, table_line);
+ TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule:%s (invalid log_option format) %s.", key, table_line);
 goto error_out;
 }
- action = item->valueint;
-
- item = cJSON_GetObjectItem(json_root, "DO_LOG");
- if (!item || !cJSON_IsNumber(item))
+ if (strncasecmp(item->valueint, "none", strlen("none")) == 0)
 {
- TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule:%s (invalid DO_LOG format) %s.", key, table_line);
- goto error_out;
+ do_log = 0;
+ }
+ else
+ {
+ do_log = 1;
 }
- param->do_log = !!item->valueint;
- json_subroot = cJSON_GetObjectItem(json_root, "USER_REGION");
+ json_subroot = cJSON_GetObjectItem(json_root, "action_parameter");
 if (unlikely(!json_subroot))
 {
- TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule:%s (invalid USER_REGION format) %s.", key, table_line);
+ TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule:%s (invalid action_parameter format) %s.", key, table_line);
 goto error_out;
 }
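Review bot: `action = intercept_action_map(item->valueint);` and `strncasecmp(item->valueint, "none", …)` pass cJSON's integer member where a string is required; the `cJSON_IsString` checks just above each call mean the value lives in `item->valuestring`, and in a .cpp translation unit the int-to-`char *` conversion is a hard compile error (in C, a conversion warning followed by dereferencing the integer). Separately, the removed code refused any ACTION other than 2 or 3, whereas the new code stores whatever `intercept_action_map` returns, so a rule with an unrecognised action string is loaded as ACTION_NONE; because intercept_policy_select and intercept_policy_enforce (later hunks) only test `param->action == ACTION_INTERCEPT`, such a rule presumably falls into the non-intercept path instead of being rejected, which fails open for a mis-spelled policy. The log option is also matched by prefix, so "nonexistent" would disable logging; an exact `strcasecmp` is what is meant. Reject ACTION_NONE at load time and compare exactly, as below; intercept_param_new_cb starts and ends outside this hunk.
```cpp
action = intercept_action_map(item->valuestring);
if (action == ACTION_NONE)
{
    TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule:%s (unknown action) %s.", key, table_line);
    goto error_out;
}

// … unchanged: log_option lookup and cJSON_IsString check …
do_log = (strcasecmp(item->valuestring, "none") != 0);
```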
@@ -85,21 +102,13 @@ static void intercept_param_new_cb(const char *table_name, const char *key, cons
 param->do_log = do_log;
 param->vsys_id = vsys_id;
 uuid_parse(key, param->rule_id);
- param->keyring_for_trusted = 1;
- param->keyring_for_untrusted = 0;
- param->decryption_profile = 0;
- param->tcp_option_profile = 0;
 item = cJSON_GetObjectItem(json_subroot, "keyring_for_trusted");
 if (item)
 {
- if (item->type == cJSON_Number)
+ if (item->type == cJSON_String)
 {
- param->keyring_for_trusted = item->valueint;
- }
- else if (item->type == cJSON_String)
- {
- param->keyring_for_trusted = atoi(item->valuestring);
+ uuid_parse(item->valuestring, param->keyring_for_trusted);
 }
 else
 {
@@ -110,13 +119,9 @@ static void intercept_param_new_cb(const char *table_name, const char *key, cons
 item = cJSON_GetObjectItem(json_subroot, "keyring_for_untrusted");
 if (item)
 {
- if (item->type == cJSON_Number)
- {
- param->keyring_for_untrusted = item->valueint;
- }
- else if (item->type == cJSON_String)
+ if (item->type == cJSON_String)
 {
- param->keyring_for_untrusted = atoi(item->valuestring);
+ uuid_parse(item->valuestring, param->keyring_for_untrusted);
 }
 else
 {
@@ -127,13 +132,9 @@ static void intercept_param_new_cb(const char *table_name, const char *key, cons
 item = cJSON_GetObjectItem(json_subroot, "decryption_profile");
 if (item)
 {
- if (item->type == cJSON_Number)
- {
- param->decryption_profile = item->valueint;
- }
- else if (item->type == cJSON_String)
+ if (item->type == cJSON_String)
 {
- param->decryption_profile = atoi(item->valuestring);
+ uuid_parse(item->valuestring, param->decryption_profile);
 }
 else
 {
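Review bot: `uuid_parse(item->valuestring, param->keyring_for_trusted);` discards the return value, and the same applies to the two hunks that follow on this line and to the tcp_option_profile hunk on the next; the defaults this hunk removes (`keyring_for_trusted = 1`, the rest 0) are not replaced either. A malformed UUID string, or an absent key, therefore leaves the field holding whatever the allocation of `param` left there (that allocation is outside the diff, so I cannot tell whether it is zeroed), and those bytes are later handed to the data path by tfe_cmsg_set as a profile or keyring id — a rule with a bad id should be refused, not loaded with an arbitrary one. Per site: `if (uuid_parse(item->valuestring, param->keyring_for_trusted) != 0) { TFE_LOG_ERROR(enforcer->logger, "Invalid intercept rule:%s (invalid keyring_for_trusted) %s.", key, table_line); goto error_out; }`, plus `uuid_clear()` on each of the four fields right after `uuid_parse(key, param->rule_id);` so a missing key yields the nil UUID deterministically. intercept_param_new_cb starts and ends outside this hunk.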
@@ -144,13 +145,9 @@ static void intercept_param_new_cb(const char *table_name, const char *key, cons
 item = cJSON_GetObjectItem(json_subroot, "tcp_option_profile");
 if (item)
 {
- if (item->type == cJSON_Number)
- {
- param->tcp_option_profile = item->valueint;
- }
- else if (item->type == cJSON_String)
+ if (item->type == cJSON_String)
 {
- param->tcp_option_profile = atoi(item->valuestring);
+ uuid_parse(item->valuestring, param->tcp_option_profile);
 }
 else
 {
@@ -212,7 +209,7 @@ struct intercept_policy_enforcer *intercept_policy_enforcer_create(void *logger)
 struct intercept_policy_enforcer *enforcer = ALLOC(struct intercept_policy_enforcer, 1);
 enforcer->maat = tfe_get_maat_handle();
 enforcer->logger = logger;
- snprintf(enforcer->table_name, sizeof(enforcer->table_name), "PXY_INTERCEPT_COMPILE");
+ snprintf(enforcer->table_name, sizeof(enforcer->table_name), "PXY_INTERCEPT_RULE");
 ret = maat_plugin_table_ex_schema_register(enforcer->maat,
 enforcer->table_name,
@@ -267,7 +264,7 @@ int intercept_policy_select(struct intercept_policy_enforcer *enforcer, uuid_t *
 }
 // intercept
- if (param->action == 2)
+ if (param->action == ACTION_INTERCEPT)
 {
 is_hit_intercept_rule = 1;
 if (uuid_compare(max_intercept_rule_id, rule_id) < 0)
@@ -330,7 +327,7 @@ int intercept_policy_enforce(struct intercept_policy_enforcer *enforcer, struct
 }
 // intercept
- if (param->action == 2)
+ if (param->action == ACTION_INTERCEPT)
 {
 tcp_passthrough = 0;
 hit_no_intercept = 0;
@@ -347,10 +344,10 @@ int intercept_policy_enforce(struct intercept_policy_enforcer *enforcer, struct
 tfe_cmsg_set(cmsg, TFE_CMSG_POLICY_VSYS_ID, (const unsigned char *)¶m->vsys_id, sizeof(param->vsys_id));
 tfe_cmsg_set(cmsg, TFE_CMSG_TCP_PASSTHROUGH, (const unsigned char *)&tcp_passthrough, sizeof(tcp_passthrough));
 tfe_cmsg_set(cmsg, TFE_CMSG_HIT_NO_INTERCEPT, (const unsigned char *)&hit_no_intercept, sizeof(hit_no_intercept));
- tfe_cmsg_set(cmsg, TFE_CMSG_TCP_OPTION_PROFILE_ID, (const unsigned char *)&(param->tcp_option_profile), sizeof(param->tcp_option_profile));
- tfe_cmsg_set(cmsg, TFE_CMSG_DECRYPTION_PROFILE_ID, (const unsigned char *)&(param->decryption_profile), sizeof(param->decryption_profile));
- tfe_cmsg_set(cmsg, TFE_CMSG_KEYRING_FOR_TRUSTED_ID, (const unsigned char *)&(param->keyring_for_trusted), sizeof(param->keyring_for_trusted));
- tfe_cmsg_set(cmsg, TFE_CMSG_KEYRING_FOR_UNTRUSTED, (const unsigned char *)&(param->keyring_for_untrusted), sizeof(param->keyring_for_untrusted));
+ tfe_cmsg_set(cmsg, TFE_CMSG_TCP_OPTION_PROFILE_ID, (const unsigned char *)param->tcp_option_profile, UUID_LEN);
+ tfe_cmsg_set(cmsg, TFE_CMSG_DECRYPTION_PROFILE_ID, (const unsigned char *)param->decryption_profile, UUID_LEN);
+ tfe_cmsg_set(cmsg, TFE_CMSG_KEYRING_FOR_TRUSTED_ID, (const unsigned char *)param->keyring_for_trusted, UUID_LEN);
+ tfe_cmsg_set(cmsg, TFE_CMSG_KEYRING_FOR_UNTRUSTED, (const unsigned char *)param->keyring_for_untrusted, UUID_LEN);
 intercept_param_free(param);
diff --git a/plugin/business/chaining-policy/src/chaining_policy.cpp b/plugin/business/chaining-policy/src/chaining_policy.cpp
index 86ffd68..4edfc92 100644
--- a/plugin/business/chaining-policy/src/chaining_policy.cpp
+++ b/plugin/business/chaining-policy/src/chaining_policy.cpp
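Review bot: The four `tfe_cmsg_set(…, (const unsigned char *)param->tcp_option_profile, UUID_LEN)` lines replace `sizeof(param->…)` with a constant whose definition is not in this diff; if UUID_LEN denotes the string form of a UUID rather than the binary `uuid_t` the fields now hold, each call reads past the end of the field into the neighbouring struct members and ships those bytes into the control message. Keeping the field's own size cannot drift and documents itself: `tfe_cmsg_set(cmsg, TFE_CMSG_TCP_OPTION_PROFILE_ID, param->tcp_option_profile, sizeof(param->tcp_option_profile));` (the cast is redundant for an `unsigned char` array), and likewise for the other three. The consumers of these cmsg ids previously received an `int` and are not part of this diff, so it is worth confirming they now expect a binary UUID of this length. intercept_policy_enforce starts outside this hunk.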
@@ -46,10 +46,10 @@ static void chaining_param_new_cb(const char *table_name, const char *key, const
 goto error_out;
 }
- json_subroot = cJSON_GetObjectItem(json_root, "USER_REGION");
+ json_subroot = cJSON_GetObjectItem(json_root, "action_parameter");
 if (unlikely(!json_subroot))
 {
- TFE_LOG_ERROR(enforcer->logger, "Invalid chaining rule: %s (invalid USER_REGION format) %s.", key, table_line);
+ TFE_LOG_ERROR(enforcer->logger, "Invalid chaining rule: %s (invalid action_parameter format) %s.", key, table_line);
 goto error_out;
 }
@@ -139,7 +139,7 @@ struct chaining_policy_enforcer *chaining_policy_enforcer_create(void *logger)
 struct chaining_policy_enforcer *enforcer = ALLOC(struct chaining_policy_enforcer, 1);
 enforcer->maat = tfe_get_maat_handle();
 enforcer->logger = logger;
- snprintf(enforcer->table_name, sizeof(enforcer->table_name), "SERVICE_CHAINING_COMPILE");
+ snprintf(enforcer->table_name, sizeof(enforcer->table_name), "SERVICE_CHAINING_RULE");
 ret = maat_plugin_table_ex_schema_register(enforcer->maat,
 enforcer->table_name,
 chaining_param_new_cb,
@@ -148,7 +148,7 @@ struct chaining_policy_enforcer *chaining_policy_enforcer_create(void *logger)
 0,
 enforcer);
 if (ret < 0) {
- TFE_LOG_ERROR(enforcer->logger, "failed at register callback of SERVICE_CHAINING_COMPILE, ret = %d", ret);
+ TFE_LOG_ERROR(enforcer->logger, "failed at register callback of SERVICE_CHAINING_RULE, ret = %d", ret);
 goto error_out;
 }
 return enforcer; |
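Review bot: The message in the last hunk, `"failed at register callback of SERVICE_CHAINING_RULE, ret = %d"`, repeats the table name that the `snprintf` in the previous hunk already stores in `enforcer->table_name`; this commit had to edit both literals, and the next rename will miss one of them. `TFE_LOG_ERROR(enforcer->logger, "failed at register callback of %s, ret = %d", enforcer->table_name, ret);` keeps the log and the registration in step. chaining_policy_enforcer_create continues before and after the hunk.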
