authorfumingwei <[email protected]>2021-03-18 10:52:35 +0800
committerfumingwei <[email protected]>2021-03-18 10:52:35 +0800
commit67c83e29127f4b85035055fa9fb791cab43a4348 (patch)
tree0c81a3ed353c9da7fbecaef2bca06d5c899bc7d6
parentfb0b4c321c6620d4befeb9928a73bd63cc2915a8 (diff)
修改firewall配置文件,达到kni发出数据包的目的
-rw-r--r--config/mrzcpd/etc/mrglobal.conf4
-rw-r--r--config/sapp_run/etc/sapp.toml29
-rw-r--r--config/sapp_run/tsgconf/maat.conf4
-rw-r--r--dockerfile/firewall/Dockerfile4
-rw-r--r--dockerfile/firewall/config/sapp_run/etc/asymmetric_presence_layer.conf18
-rw-r--r--dockerfile/firewall/config/sapp_run/etc/kni/kni.conf32
-rw-r--r--dockerfile/firewall/config/sapp_run/etc/send_raw_pkt.conf16
-rw-r--r--dockerfile/firewall/config/sapp_run/plug/conflist.inf8
-rw-r--r--dockerfile/firewall/config/sapp_run/tsgconf/tsg_maat.json72
9 files changed, 161 insertions, 26 deletions
diff --git a/config/mrzcpd/etc/mrglobal.conf b/config/mrzcpd/etc/mrglobal.conf
index 8feb83d..8341ea1 100644
--- a/config/mrzcpd/etc/mrglobal.conf
+++ b/config/mrzcpd/etc/mrglobal.conf
@@ -10,6 +10,8 @@ in_mask=255.255.255.0
promisc=1
[device:virtio_user1]
+in_addr=172.16.1.2
+in_mask=255.255.0.0
promisc=1
[service]
@@ -21,7 +23,7 @@ hashmode=0
[eal]
virtaddr=0x7f40c4a00000
loglevel=8
-no-pci=1
+nopci=1
mem=4096
single-file-segments=0
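Review bot: The rename `no-pci=1` → `nopci=1` is only a fix if the mrzcpd config parser's key table uses the hyphen-less spelling; DPDK's EAL itself spells the option `--no-pci`, so if this key is forwarded to EAL the renamed line would be silently ignored rather than rejected. Confirm the accepted spelling against the parser and, since the two forms are one character apart, add a short comment on the line stating which component consumes it, e.g. `# mrzcpd key (maps to EAL --no-pci) — confirm spelling`.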
diff --git a/config/sapp_run/etc/sapp.toml b/config/sapp_run/etc/sapp.toml
index b278d86..c3aa403 100644
--- a/config/sapp_run/etc/sapp.toml
+++ b/config/sapp_run/etc/sapp.toml
@@ -10,8 +10,9 @@ instance_name = "sapp_v4.0"
[CPU]
worker_threads=4
+send_only_threads_max=1
### note, bind_mask, if you do not want to bind thread to special CPU core, keep it empty as []
-bind_mask=[5,6,7,8]
+bind_mask=[5,6,7,8,9]
[MEM]
dictator_enable=1
@@ -27,6 +28,14 @@ dictator_enable=1
[packet_io.feature]
inbound_route_dir=1
+ BSD_packet_filter=""
+ pcap_capture_direction="in"
+ inject_pkt_mode=raw_ethernet_single_gateway
+ inject_mode_inline_device_sport=54789
+ inject_mode_single_gateway_device=tap0
+ inject_mode_single_gateway_src_mac=00:11:22:33:44:55
+ inject_mode_single_gateway_dst_mac=00:11:22:33:44:66
+
#inject_mode_inline_device_sport=54789
### note, depolyment.mode options: [mirror, inline, transparent, dumpfile]
[packet_io.depolyment]
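Review bot: `inject_pkt_mode=raw_ethernet_single_gateway`, `inject_mode_single_gateway_device=tap0` and the two MAC lines are bare values, while `pcap_capture_direction="in"` two lines above is quoted and this same commit quotes `name="virtio_user0"` in the interface sections below; in TOML a bare string is a parse error, so unless the loader is known to be lenient these should read `inject_pkt_mode="raw_ethernet_single_gateway"`, `inject_mode_single_gateway_device="tap0"` and `inject_mode_single_gateway_src_mac="00:11:22:33:44:55"` (dst_mac likewise). The MACs `00:11:22:33:44:55` / `00:11:22:33:44:66` look like sample values; if they are placeholders, a comment saying which interface's address each must match would help. Note also that the gateway device here is `tap0` whereas the external pcap interface added later in this file is `tap_sapp` — confirm both names are intended.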
@@ -35,11 +44,25 @@ dictator_enable=1
### note, interface.type options: [pag,pcap,marsio]
[packet_io.internal.interface]
type=marsio
- name=virtio_user0
+ name="virtio_user0"
[packet_io.external.interface]
type=pcap
- name=eth0
+ name="tap_sapp"
+
+
+[packet_io.polling]
+ enabled=1
+ polling_priority=1
+
+[PROTOCOL_FEATURE]
+ ipv6_decapsulation_enabled=1
+ ipv6_send_packet_enabled=1
+ tcp_drop_pure_ack_pkt=0
+ tcp_syn_option_parse_enabled=1
+ skip_not_ip_layer_over_eth=0
+ treat_vlan_as_mac_in_mac=0
+ reverse_ethernet_addr=1
[STREAM]
### note, stream_id_base_time format is "%Y-%m-%d %H:%M:%S"
diff --git a/config/sapp_run/tsgconf/maat.conf b/config/sapp_run/tsgconf/maat.conf
index d09157e..fe2ea62 100644
--- a/config/sapp_run/tsgconf/maat.conf
+++ b/config/sapp_run/tsgconf/maat.conf
@@ -1,5 +1,5 @@
[STATIC]
-MAAT_MODE=2
+MAAT_MODE=1
STAT_SWITCH=1
PERF_SWITCH=1
TABLE_INFO=tsgconf/tsg_static_tableinfo.conf
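Review bot: `MAAT_MODE=1` replaces `2` in both [STATIC] (this hunk) and [DYNAMIC] (the next hunk), but nothing in the file says what the mode values mean, so a reader cannot tell whether mode 1 is what makes the new tsg_maat.json take effect. A one-line comment above each key, e.g. `# MAAT_MODE: 1 = <meaning>, 2 = <meaning> — fill in from the maat docs`, or a sentence in the commit message, would make the change reviewable.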
@@ -15,7 +15,7 @@ FULL_CFG_DIR=tsgrule/full/index/
EFFECTIVE_RANGE_FILE=/opt/tsg/etc/tsg_device_tag.json
[DYNAMIC]
-MAAT_MODE=2
+MAAT_MODE=1
STAT_SWITCH=1
PERF_SWITCH=1
TABLE_INFO=tsgconf/tsg_dynamic_tableinfo.conf
diff --git a/dockerfile/firewall/Dockerfile b/dockerfile/firewall/Dockerfile
index 5cba5e1..4a77c94 100644
--- a/dockerfile/firewall/Dockerfile
+++ b/dockerfile/firewall/Dockerfile
@@ -63,6 +63,7 @@ RUN yum makecache \
RUN yum install -y \
fw_ftp_plug \
+ app_proto_identify \
epel-release \
python3 \
gdb \
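Review bot: `app_proto_identify \` is added to the yum install list without a version, so the image picks up whatever the configured repository serves at build time and the build is not reproducible. The neighbouring packages have the same problem, but this one presumably supplies the `app_proto_identify` plugin the firewall loads from conflist.inf, so pinning it (`app_proto_identify-<version> \`) or at least echoing the resolved version in the build log is worth the line. The RUN instruction this hunk belongs to begins before the hunk.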
@@ -81,6 +82,9 @@ COPY config/sapp_run/etc/entrylist.conf /home/mesasoft/sapp_run/etc/entrylist.co
COPY config/sapp_run/tsgconf/app_l7_proto_id.conf /home/mesasoft/sapp_run/tsgconf/app_l7_proto_id.conf
COPY config/sapp_run/plug/business/tsg_conn_sketch/tsg_conn_sketch.inf /home/mesasoft/sapp_run/plug/business/tsg_conn_sketch/tsg_conn_sketch.inf
COPY config/sapp_run/plug/conflist.inf /home/mesasoft/sapp_run/plug/conflist.inf
+COPY config/sapp_run/tsgconf/tsg_maat.json /home/mesasoft/sapp_run/tsgconf/tsg_maat.json
+COPY config/sapp_run/etc/send_raw_pkt.conf /home/mesasoft/sapp_run/etc/send_raw_pkt.conf
+COPY config/sapp_run/etc/asymmetric_presence_layer.conf /home/mesasoft/sapp_run/etc/asymmetric_presence_layer.conf
WORKDIR /home/mesasoft/sapp_run/
ENTRYPOINT ["/usr/local/bin/supervisord" ,"-n","-c", "/etc/supervisord.conf"]
diff --git a/dockerfile/firewall/config/sapp_run/etc/asymmetric_presence_layer.conf b/dockerfile/firewall/config/sapp_run/etc/asymmetric_presence_layer.conf
new file mode 100644
index 0000000..2dbac8a
--- /dev/null
+++ b/dockerfile/firewall/config/sapp_run/etc/asymmetric_presence_layer.conf
@@ -0,0 +1,18 @@
+#用于指定哪些协议层, C2S, S2C两侧是不对称存在的, 常见的如vlan, mpls等,
+#sapp创建新流时, 为了便于双向地址比较,
+#sappv3是用配置文件skip_no_ip_layer跳过所有ethernet之上的非ip层, 此方式过于粗暴, mirror模式下还可以, 串联模式下就不对了.
+#sappv4使用本配置文件, 满足条件的需要创建一层虚拟层, 但无实际地址, 也不做地址比对.
+#layer name definition: ipv4, ipv6, ethernet,vlan, arp, gre, mpls, pppoe, tcp, udp, l2tp, ppp, pptp, gtp
+#名称不区别大小写, name is case insensitive, ipv4 is euqal to IPV4
+#
+# asymmetric_layer_name: 表示哪一层协议是非对称存在的, 需要创建空的虚拟层
+# under_of_this_asymmetric_layer: 表示非对称的下面一层的地址类型和层数
+# upper_of_this_asymmetric_layer: 表示非对称的上面一层的地址类型和层数
+# 需要同时满足under_of_this_asymmetric_layer和upper_of_this_asymmetric_layer才会创建虚拟层
+# []表示某个层的index, 从最外层ethernet开始, 从0开始计数, *表示不关心具体在哪层,只要地址类型符合即可
+#pattern: asymmetric_layer_name under_of_this_asymmetric_layer[layer_index] upper_of_this_asymmetric_layer[layer_index]
+
+#mpls ethernet[0] ipv4[1]
+#mpls ethernet[1] ipv4[2]
+#mpls ethernet[0] ipv6[1]
+#mpls ethernet[1] ipv6[2]
diff --git a/dockerfile/firewall/config/sapp_run/etc/kni/kni.conf b/dockerfile/firewall/config/sapp_run/etc/kni/kni.conf
index 042d87f..cdc7a05 100644
--- a/dockerfile/firewall/config/sapp_run/etc/kni/kni.conf
+++ b/dockerfile/firewall/config/sapp_run/etc/kni/kni.conf
@@ -1,33 +1,33 @@
[global]
log_path = ./log/kni/kni.log
log_level = 10
-tfe_node_count = 3
-manage_eth = ens1f3
-deploy_mode = tun
+tfe_node_count = 1
+manage_eth = eth0
+deploy_mode = normal
tun_name = tun_kni
src_mac_addr = 00:0e:c6:d6:72:c1
dst_mac_addr = fe:65:b7:03:50:bd
[tfe0]
enabled = 1
-dev_eth_symbol = ens1f5
-ip_addr = 192.168.100.2
-
-[tfe1]
-enabled = 1
-dev_eth_symbol = ens1f6
-ip_addr = 192.168.100.3
-
-[tfe2]
-enabled = 1
-dev_eth_symbol = ens1f7
-ip_addr = 192.168.100.4
+dev_eth_symbol = virtio_user1
+ip_addr = 172.16.1.2
+
+#[tfe1]
+#enabled = 1
+#dev_eth_symbol = ens1f6
+#ip_addr = 192.168.100.3
+#
+#[tfe2]
+#enabled = 1
+#dev_eth_symbol = ens1f7
+#ip_addr = 192.168.100.4
[tfe_cmsg_receiver]
listen_eth = lo
listen_port = 2475
[watch_dog]
-switch = 1
+switch = 0
listen_eth = lo
listen_port = 2476
keepalive_idle = 2
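Review bot: `src_mac_addr` and `dst_mac_addr` are left unchanged while tfe0 moves from the physical `ens1f5` to `virtio_user1` (172.16.1.2) and `manage_eth` to `eth0`; those two MACs presumably belonged to the previous host's NICs, so confirm they match the virtio device and its gateway, otherwise KNI emits frames with a stale destination and the stated goal of the commit (sending packets out via kni) is not met. `switch = 0` disables the watch_dog with no explanation; if that is deliberate for this single-node container, say so inline (`# watchdog off: <reason>`), since otherwise keepalive monitoring is lost silently. `tun_name = tun_kni` appears to be dead configuration now that `deploy_mode = normal`.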
diff --git a/dockerfile/firewall/config/sapp_run/etc/send_raw_pkt.conf b/dockerfile/firewall/config/sapp_run/etc/send_raw_pkt.conf
new file mode 100644
index 0000000..f6a82bc
--- /dev/null
+++ b/dockerfile/firewall/config/sapp_run/etc/send_raw_pkt.conf
@@ -0,0 +1,16 @@
+#����ԭʼ��������,
+#��ƽ̨���������ڲ�ͬ������, �ײ��������Ҳ��ͬ,
+#����ͨģʽ��ʹ����������, DPDKģʽ��ʹ�ö˿ں�, PFRINGģʽ��ʹ��index��, ��������������ģʽ.
+#target_id���ڱ�ʾ���ĸ����ն˷���,
+#���ڷ��͵����ݰ��ײ�MAC��Ŀ��IP��, ���ϲ����������, ƽֻ̨����������ԭʼ��.
+#target_id�൱�����ݿ�������
+
+#(0:pag,1:pcap,2:dumpfile,3:pfring,4:DPDK,5:ppf,6:NPacket,7:qnf,8:N95,9:pcap-dumpfile-list,10:topsec,
+##(11:ipfile, 12:marsio4, 13:agent_smith, 14:dpdk_vxlan, 15:marsio_vxlan, 16:pag_marsio
+
+#target_id
+0 pag p7p2 eth1 dna0 dpdk ppf npacket qnf n95 eth1 topsec eth1 virtio_user0 smith dpdk dpdk pag
+#1 pag eth1 eth1 dna0 dpdk ppf npacket qnf n95 eth1 topsec eth1 p7p1 smith dpdk dpdk pag
+#2 pag eth1 eth1 dna0 dpdk ppf npacket qnf n95 eth1 topsec eth1 p7p1 smith dpdk dpdk pag
+#3 pag eth1 eth1 dna0 dpdk ppf npacket qnf n95 eth1 topsec eth1 p7p2 smith dpdk dpdk pag
+#4 pag eth1 eth1 dna0 dpdk ppf npacket qnf n95 eth1 topsec eth1 p7p2 smith dpdk dpdk pag
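Review bot: The six header comment lines of this new file are mis-encoded — they render as replacement-character mojibake, which indicates the file was saved in a legacy encoding rather than UTF-8 like asymmetric_presence_layer.conf in the same commit; re-save it as UTF-8 so the column description is readable. Beyond that, the active `0 …` row maps marsio4 (column 12) to `virtio_user0`, which agrees with `[packet_io.internal.interface]` in sapp.toml, but the pcap column (1) still says `p7p2` while the external pcap interface is now `tap_sapp`; worth checking that this column is not consulted in this deployment, or updating it.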
diff --git a/dockerfile/firewall/config/sapp_run/plug/conflist.inf b/dockerfile/firewall/config/sapp_run/plug/conflist.inf
index 78325d8..bf46d0b 100644
--- a/dockerfile/firewall/config/sapp_run/plug/conflist.inf
+++ b/dockerfile/firewall/config/sapp_run/plug/conflist.inf
@@ -1,8 +1,8 @@
[platform]
#./plug/platform/g_device_plug/g_device_plug.inf
-./plug/platform/wannat/wangw.inf
-./plug/platform/wire_graft/wire_graft.inf
-./plug/platform/http_healthcheck/http_healthcheck.inf
+#./plug/platform/wannat/wangw.inf
+#./plug/platform/wire_graft/wire_graft.inf
+#./plug/platform/http_healthcheck/http_healthcheck.inf
./plug/platform/app_proto_identify/app_proto_identify.inf
./plug/platform/tsg_master/tsg_master.inf
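Review bot: Commenting out `./plug/platform/http_healthcheck/http_healthcheck.inf` removes the platform health-check plugin together with wannat and wire_graft, but the commit message only mentions KNI; if the firewall container's liveness or readiness probing relies on that endpoint this is an operational regression. If disabling the three is intended for this image, a one-line `#` note beside them saying why (e.g. `# disabled in firewall image: <reason>`) would spare the next reader the same question.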
@@ -19,7 +19,7 @@
[business]
./plug/business/tsg_conn_sketch/tsg_conn_sketch.inf
./plug/business/capture_packet_plug/capture_packet_plug.inf
-#./plug/business/kni/kni.inf
+./plug/business/kni/kni.inf
./plug/business/fw_ssl_plug/fw_ssl_plug.inf
./plug/business/fw_http_plug/fw_http_plug.inf
./plug/business/fw_dns_plug/fw_dns_plug.inf
diff --git a/dockerfile/firewall/config/sapp_run/tsgconf/tsg_maat.json b/dockerfile/firewall/config/sapp_run/tsgconf/tsg_maat.json
new file mode 100644
index 0000000..b804b1e
--- /dev/null
+++ b/dockerfile/firewall/config/sapp_run/tsgconf/tsg_maat.json
@@ -0,0 +1,72 @@
+{
+ "compile_table": "TSG_SECURITY_COMPILE",
+ "group_table": "GROUP_COMPILE_RELATION",
+ "rules": [
+ {
+ "compile_id": 6,
+ "service": 0,
+ "action": 2,
+ "do_blacklist": 0,
+ "do_log": 1,
+ "effective_rage": 0,
+ "user_region": "anything",
+ "is_valid": "yes",
+ "groups": [
+ {
+ "group_name": "HOST",
+ "virtual_table":"TSG_FIELD_HTTP_HOST",
+ "not_flag" : 0,
+ "regions": [
+ {
+ "table_name": "TSG_OBJ_FQDN",
+ "table_type": "expr",
+ "table_content": {
+ "keywords": "geedge.net",
+ "expr_type": "none",
+ "match_method": "suffix",
+ "format": "uncase plain"
+ }
+ }
+
+ ]
+ }
+ ]
+ },
+ {
+ "compile_id": 7,
+ "service": 0,
+ "action": 2,
+ "do_blacklist": 0,
+ "do_log": 1,
+ "effective_rage": 0,
+ "user_region": "anything",
+ "is_valid": "yes",
+ "groups": [
+ {
+ "group_name": "IP_ADDR_2",
+ "virtual_table":"TSG_SECURITY_SOURCE_ADDR",
+ "regions": [
+ {
+ "table_name": "TSG_OBJ_IP_ADDR",
+ "table_type": "ip_plus",
+ "table_content": {
+ "addr_type": "ipv4",
+ "src_ip": "192.168.50.37",
+ "mask_src_ip": "255.255.255.255",
+ "src_port": "0",
+ "mask_src_port": "65535",
+ "dst_ip": "0.0.0.0",
+ "mask_dst_ip": "255.255.255.255",
+ "dst_port": "0",
+ "mask_dst_port": "65535",
+ "protocol": 6,
+ "direction": "double"
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ]
+}
+
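Review bot: `"effective_rage": 0` (present in both rules) looks like a typo of `effective_range` — maat.conf's `EFFECTIVE_RANGE_FILE` uses that spelling — and a loader that reads the correctly spelled key would silently fall back to its default, so either fix the key or confirm the consumer really expects `effective_rage`. The two rules also differ in shape: the first group carries `"not_flag" : 0` and the second omits it, and within `table_content` the ports are strings (`"src_port": "0"`) while `"protocol": 6` is a number; pick one representation per field so absence and type are not left to the reader's guess. `"is_valid": "yes"` is a string standing in for a boolean, and the hard-coded `"src_ip": "192.168.50.37"` baked into the image deserves a comment in the commit message on which host it denotes. The blank line after the closing brace is harmless but most tooling expects a single trailing newline.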