authorliuxueli <[email protected]>2021-09-02 17:19:06 +0800
committerliuxueli <[email protected]>2021-09-02 17:19:06 +0800
commitcc4ff41cc990bd741020671cf7bfceaf760ab942 (patch)
tree129d10deac1845e7fe348e3d0f12b6aae513708f
parent093c02e3f0b80374763ef09c460bd7a77ac7b269 (diff)
TSG-7600: 根据APP_ID_DICT中的timeout时间设置流超时时间
-rw-r--r--inc/tsg_rule.h4
-rw-r--r--src/tsg_action.cpp11
-rw-r--r--src/tsg_entry.cpp71
-rw-r--r--src/tsg_entry.h3
-rw-r--r--src/tsg_rule.cpp4
5 files changed, 75 insertions, 18 deletions
diff --git a/inc/tsg_rule.h b/inc/tsg_rule.h
index 443ea37..17cb903 100644
--- a/inc/tsg_rule.h
+++ b/inc/tsg_rule.h
@@ -50,8 +50,8 @@ struct app_id_dict
int parent_app_id;
int deny_action;
int continue_scanning;
- int tcp_timeout;
- int udp_timeout;
+ unsigned short tcp_timeout;
+ unsigned short udp_timeout;
int tcp_time_wait;
int tcp_half_close;
char *risk;
diff --git a/src/tsg_action.cpp b/src/tsg_action.cpp
index 060c180..c64cd62 100644
--- a/src/tsg_action.cpp
+++ b/src/tsg_action.cpp
@@ -30,7 +30,16 @@ static int set_drop_stream(const struct streaminfo *a_stream)
int opt_value=1;
MESA_set_stream_opt(a_stream, MSO_DROP_STREAM, (void *)&opt_value, sizeof(opt_value));
MESA_set_stream_opt(a_stream, MSO_DROP_CURRENT_PKT, (void *)&opt_value, sizeof(opt_value));
- MESA_set_stream_opt(a_stream, MSO_TIMEOUT, (void *)&g_tsg_para.timeout, sizeof(g_tsg_para.timeout));
+
+ int ret=MESA_set_stream_opt(a_stream, MSO_TIMEOUT, (void *)&g_tsg_para.timeout, sizeof(g_tsg_para.timeout));
+ if(ret<0)
+ {
+ FS_operate(g_tsg_para.fs2_handle, g_tsg_para.fs2_field_id[TSG_FS2_SET_TIMOUT_FAILED], 0, FS_OP_ADD, 1);
+ }
+ else
+ {
+ FS_operate(g_tsg_para.fs2_handle, g_tsg_para.fs2_field_id[TSG_FS2_SET_TIMOUT_SUCCESS], 0, FS_OP_ADD, 1);
+ }
return STATE_DROPME|STATE_DROPPKT;
}
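Review bot: The TSG_FS2_SET_TIMOUT_SUCCESS/FAILED counters incremented at lines 46 and 50 are also incremented by set_app_timeout in tsg_entry.cpp for the per-application timeout, so the metric cannot tell whether the drop-stream path or the app-dict path failed; either use a separate counter pair here or add a comment on the enumerators stating that both call sites feed them. The option size passed at line 43 is `sizeof(g_tsg_para.timeout)` while set_app_timeout passes `sizeof(unsigned short)`; if g_tsg_para.timeout is not itself an unsigned short the two callers hand MSO_TIMEOUT differently sized values, which is worth confirming against the option's expected type. set_drop_stream's signature and opening lines are outside the hunk.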
diff --git a/src/tsg_entry.cpp b/src/tsg_entry.cpp
index 8212ae2..a633dc8 100644
--- a/src/tsg_entry.cpp
+++ b/src/tsg_entry.cpp
@@ -77,7 +77,9 @@ id2field_t g_tsg_fs2_field[TSG_FS2_MAX]={{0, TSG_FS2_TCP_LINKS, "tcp_links"},
{0, TSG_FS2_MIRRORED_PKT_FAILED, "mirror_pkt_fai"},
{0, TSG_FS2_MIRRORED_BYTE_FAILED, "mirror_byte_fai"},
{0, TSG_FS2_DDOS_SUCCESS_LOG, "ddos_suc_log"},
- {0, TSG_FS2_DDOS_FAILED_LOG, "ddos_fai_log"}
+ {0, TSG_FS2_DDOS_FAILED_LOG, "ddos_fai_log"},
+ {0, TSG_FS2_SET_TIMOUT_SUCCESS, "set_timeout_suc"},
+ {0, TSG_FS2_SET_TIMOUT_FAILED, "set_timeout_fai"}
};
id2field_t g_tsg_proto_name2id[PROTO_MAX]={{PROTO_UNKONWN, 0, "unknown"},
@@ -145,6 +147,48 @@ static int tsg_get_sn(char *filename, char *device_sn, int device_sn_len)
return flags;
}
+static int set_app_timeout(const struct streaminfo *a_stream, struct app_id_dict *dict, unsigned short *timeout)
+{
+ if(a_stream==NULL || dict==NULL)
+ {
+ return 0;
+ }
+
+ switch(a_stream->type)
+ {
+ case STREAM_TYPE_TCP:
+ if((*timeout) >= dict->tcp_timeout)
+ {
+ return 0;
+ }
+
+ *timeout=dict->tcp_timeout;
+ break;
+ case STREAM_TYPE_UDP:
+ if((*timeout) >= dict->udp_timeout)
+ {
+ return 0;
+ }
+
+ *timeout=dict->udp_timeout;
+ break;
+ default:
+ return 0;
+ }
+
+ int ret=MESA_set_stream_opt(a_stream, MSO_TIMEOUT, (void *)timeout, sizeof(unsigned short));
+ if(ret<0)
+ {
+ FS_operate(g_tsg_para.fs2_handle, g_tsg_para.fs2_field_id[TSG_FS2_SET_TIMOUT_FAILED], 0, FS_OP_ADD, 1);
+ }
+ else
+ {
+ FS_operate(g_tsg_para.fs2_handle, g_tsg_para.fs2_field_id[TSG_FS2_SET_TIMOUT_SUCCESS], 0, FS_OP_ADD, 1);
+ }
+
+ return 1;
+}
+
static int get_device_id(char *command, int datacenter_id)
{
FILE *fp=NULL;
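Review bot: `*timeout` is overwritten at lines 86 and 94 before MESA_set_stream_opt runs at line 100, so when the call fails the cached context->timeout records a value the stream never received, a later dict whose timeout is equal or smaller is then skipped by the `>=` check, and the function still returns 1. Compute the wanted value into a local, call MESA_set_stream_opt on that, and commit it to `*timeout` only after success, returning 0 on failure. `timeout` is not NULL-checked at line 73 although a_stream and dict are; check it too, or drop the others, for consistency. get_device_id, which begins at the end of the hunk, continues outside it.
```cpp
static int set_app_timeout(const struct streaminfo *a_stream, struct app_id_dict *dict, unsigned short *timeout)
{
    if(a_stream==NULL || dict==NULL || timeout==NULL)
    {
        return 0;
    }

    unsigned short want=0;
    switch(a_stream->type)
    {
        case STREAM_TYPE_TCP:
            want=dict->tcp_timeout;
            break;
        case STREAM_TYPE_UDP:
            want=dict->udp_timeout;
            break;
        default:
            return 0;
    }

    /* only ever raise the timeout; *timeout mirrors what was actually applied */
    if((*timeout) >= want)
    {
        return 0;
    }

    int ret=MESA_set_stream_opt(a_stream, MSO_TIMEOUT, (void *)&want, sizeof(want));
    if(ret<0)
    {
        FS_operate(g_tsg_para.fs2_handle, g_tsg_para.fs2_field_id[TSG_FS2_SET_TIMOUT_FAILED], 0, FS_OP_ADD, 1);
        return 0;
    }

    FS_operate(g_tsg_para.fs2_handle, g_tsg_para.fs2_field_id[TSG_FS2_SET_TIMOUT_SUCCESS], 0, FS_OP_ADD, 1);
    *timeout=want;
    return 1;
}
```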
@@ -1198,7 +1242,7 @@ static int identify_application_protocol(const struct streaminfo *a_stream, stru
return ret;
}
-int scan_application_id_and_properties(const struct streaminfo *a_stream, struct Maat_rule_t *result, int result_num, scan_status_t *mid, struct app_identify_result *identify_result, int thread_seq)
+int scan_application_id_and_properties(const struct streaminfo *a_stream, struct Maat_rule_t *result, int result_num, struct master_context *context, struct app_identify_result *identify_result, int thread_seq)
{
int i=0,hit_num=0;
char *name=NULL;
@@ -1211,23 +1255,24 @@ int scan_application_id_and_properties(const struct streaminfo *a_stream, struct
dict=(struct app_id_dict *)Maat_plugin_get_EX_data(g_tsg_maat_feather, g_tsg_para.table_id[TABLE_APP_ID_DICT], (const char *)app_id_buff);
if(dict!=NULL)
{
- hit_num+=tsg_scan_app_properties_policy(g_tsg_maat_feather, a_stream, result+hit_num, result_num-hit_num, mid, dict->risk, (char *)"risk", thread_seq);
- hit_num+=tsg_scan_app_properties_policy(g_tsg_maat_feather, a_stream, result+hit_num, result_num-hit_num, mid, dict->category, (char *)"category", thread_seq);
- hit_num+=tsg_scan_app_properties_policy(g_tsg_maat_feather, a_stream, result+hit_num, result_num-hit_num, mid, dict->technology, (char *)"technology", thread_seq);
- hit_num+=tsg_scan_app_properties_policy(g_tsg_maat_feather, a_stream, result+hit_num, result_num-hit_num, mid, dict->subcategroy, (char *)"subcategroy", thread_seq);
- hit_num+=tsg_scan_app_properties_policy(g_tsg_maat_feather, a_stream, result+hit_num, result_num-hit_num, mid, dict->characteristics, (char *)"characteristics", thread_seq);
+ hit_num+=tsg_scan_app_properties_policy(g_tsg_maat_feather, a_stream, result+hit_num, result_num-hit_num, &(context->mid), dict->risk, (char *)"risk", thread_seq);
+ hit_num+=tsg_scan_app_properties_policy(g_tsg_maat_feather, a_stream, result+hit_num, result_num-hit_num, &(context->mid), dict->category, (char *)"category", thread_seq);
+ hit_num+=tsg_scan_app_properties_policy(g_tsg_maat_feather, a_stream, result+hit_num, result_num-hit_num, &(context->mid), dict->technology, (char *)"technology", thread_seq);
+ hit_num+=tsg_scan_app_properties_policy(g_tsg_maat_feather, a_stream, result+hit_num, result_num-hit_num, &(context->mid), dict->subcategroy, (char *)"subcategroy", thread_seq);
+ hit_num+=tsg_scan_app_properties_policy(g_tsg_maat_feather, a_stream, result+hit_num, result_num-hit_num, &(context->mid), dict->characteristics, (char *)"characteristics", thread_seq);
- hit_num+=tsg_scan_app_id_policy(g_tsg_maat_feather, a_stream, result+hit_num, result_num-hit_num, mid, dict->app_name, identify_result->app_id[i], thread_seq);
+ hit_num+=tsg_scan_app_id_policy(g_tsg_maat_feather, a_stream, result+hit_num, result_num-hit_num, &(context->mid), dict->app_name, identify_result->app_id[i], thread_seq);
//hit_num+=tsg_scan_app_id_policy(g_tsg_maat_feather, a_stream, result+hit_num, result_num-hit_num, mid, dict->parent_app_name, dict->parent_app_id, thread_seq);
-
+
+ set_app_timeout(a_stream, dict, &(context->timeout));
app_id_dict_free(g_tsg_para.table_id[TABLE_APP_ID_DICT], (MAAT_PLUGIN_EX_DATA *)&dict, 0, NULL);
}
else
{
name=tsg_l7_protocol_id2name(identify_result->app_id[i]);
- hit_num+=tsg_scan_app_id_policy(g_tsg_maat_feather, a_stream, result+hit_num, result_num-hit_num, mid, ((name==NULL) ? (char *)"" : name), identify_result->app_id[i], thread_seq);
+ hit_num+=tsg_scan_app_id_policy(g_tsg_maat_feather, a_stream, result+hit_num, result_num-hit_num, &(context->mid), ((name==NULL) ? (char *)"" : name), identify_result->app_id[i], thread_seq);
}
- }
+ }
return hit_num;
}
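Review bot: The commented-out call at line 140 still passes `mid`, the parameter this commit removes from scan_application_id_and_properties, so the dead line now documents a signature that no longer exists; delete it or update it to `&(context->mid)` if it is meant to be revived. The return value of set_app_timeout at line 143 is ignored, which is reasonable for a best-effort set, but a one-line comment such as `/* best-effort: failures are counted in TSG_FS2_SET_TIMOUT_FAILED */` would make the intent explicit. The enclosing function and its loop header begin before this hunk.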
@@ -1362,7 +1407,7 @@ static int app_identify_result_cb(const struct streaminfo *a_stream, int bridge_
memcpy(&(gather_result->result[identify_result->origin]), identify_result, sizeof(struct app_identify_result));
record_time_start(&(context->last_scan_time));
- hit_num=scan_application_id_and_properties((struct streaminfo *)a_stream, scan_result, MAX_RESULT_NUM, &(context->mid), identify_result, a_stream->threadnum);
+ hit_num=scan_application_id_and_properties((struct streaminfo *)a_stream, scan_result, MAX_RESULT_NUM, context, identify_result, a_stream->threadnum);
p_result=tsg_policy_decision_criteria(scan_result, hit_num);
if(p_result==NULL || (p_result->action==TSG_ACTION_MONITOR && is_parent_ssl==1))
{
@@ -1494,7 +1539,7 @@ static unsigned char tsg_master_data_entry(const struct streaminfo *a_stream, vo
identify_result=(struct gather_app_result *)get_struct_project(a_stream, g_tsg_para.gather_app_project_id);
for(i=0; i<ORIGIN_MAX && identify_result!=NULL; i++)
{
- hit_num+=scan_application_id_and_properties(a_stream, scan_result+hit_num, MAX_RESULT_NUM-hit_num, &context->mid, &(identify_result->result[i]), thread_seq);
+ hit_num+=scan_application_id_and_properties(a_stream, scan_result+hit_num, MAX_RESULT_NUM-hit_num, context, &(identify_result->result[i]), thread_seq);
}
p_result=tsg_policy_decision_criteria(scan_result, hit_num);
diff --git a/src/tsg_entry.h b/src/tsg_entry.h
index 62cdbaa..1f3bba6 100644
--- a/src/tsg_entry.h
+++ b/src/tsg_entry.h
@@ -111,6 +111,8 @@ enum TSG_FS2_TYPE{
TSG_FS2_MIRRORED_BYTE_FAILED,
TSG_FS2_DDOS_SUCCESS_LOG,
TSG_FS2_DDOS_FAILED_LOG,
+ TSG_FS2_SET_TIMOUT_SUCCESS,
+ TSG_FS2_SET_TIMOUT_FAILED,
TSG_FS2_MAX
};
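Review bot: The new enumerators at lines 180–181 spell `TIMOUT`, and the misspelling is already propagated to tsg_action.cpp, tsg_entry.cpp and the g_tsg_fs2_field table in this commit; since the names are introduced here, renaming them to `TSG_FS2_SET_TIMEOUT_SUCCESS` and `TSG_FS2_SET_TIMEOUT_FAILED` before anything else depends on them is cheap. The corresponding field strings "set_timeout_suc"/"set_timeout_fai" are already spelled correctly, so only the identifiers need to change.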
@@ -177,6 +179,7 @@ struct master_context
int is_esni;
int is_log;
int is_ratelimit;
+ unsigned short timeout;
char *domain;
scan_status_t mid;
struct Maat_rule_t *result;
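Review bot: The new `timeout` field at line 188 carries an invariant that is not written down: set_app_timeout in tsg_entry.cpp treats it as the highest per-app timeout already applied to the stream and only ever raises it, so it must start at 0 for the first dict lookup to take effect. Whether master_context is zero-initialised is not visible in this diff, so document the field, e.g. `unsigned short timeout; /* highest app-dict MSO_TIMEOUT already applied to this stream; 0 = none */`, and confirm the allocation path zeroes it.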
diff --git a/src/tsg_rule.cpp b/src/tsg_rule.cpp
index c0cc961..214ee59 100644
--- a/src/tsg_rule.cpp
+++ b/src/tsg_rule.cpp
@@ -509,8 +509,8 @@ static void app_id_dict_new(int table_id, const char* key, const char* table_lin
dict->characteristics=tsg_get_column_string_value(table_line, 7);
dict->deny_action=tsg_get_column_integer_value(table_line, 10);
dict->continue_scanning=tsg_get_column_integer_value(table_line, 11);
- dict->tcp_timeout=tsg_get_column_integer_value(table_line, 12);
- dict->udp_timeout=tsg_get_column_integer_value(table_line, 13);
+ dict->tcp_timeout=(unsigned short)tsg_get_column_integer_value(table_line, 12);
+ dict->udp_timeout=(unsigned short)tsg_get_column_integer_value(table_line, 13);
dict->tcp_half_close=tsg_get_column_integer_value(table_line, 14);
dict->tcp_time_wait=tsg_get_column_integer_value(table_line, 15);
break;
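Review bot: The casts at lines 202–203 silently wrap any column value outside 0..65535: a negative or oversized entry in the APP_ID_DICT table becomes a large timeout (-1 becomes 65535), and because set_app_timeout only ever raises the cached timeout, one such row pins the stream's timeout at the maximum. Clamp to the representable range before storing, via a small file-scope helper, so out-of-range rows degrade to 0 (which set_app_timeout ignores) or USHRT_MAX instead of wrapping; USHRT_MAX needs <climits>. What tsg_get_column_integer_value returns for a missing column is not visible here, so the negative branch is a guess worth confirming. app_id_dict_new begins and ends outside the hunk.
```cpp
/* at file scope, above app_id_dict_new */
static unsigned short clamp_to_ushort(int v)
{
    if(v < 0)
    {
        return 0;
    }
    if(v > USHRT_MAX)
    {
        return USHRT_MAX;
    }
    return (unsigned short)v;
}

            // … unchanged: app_id_dict_new, columns up to continue_scanning …
            dict->tcp_timeout=clamp_to_ushort(tsg_get_column_integer_value(table_line, 12));
            dict->udp_timeout=clamp_to_ushort(tsg_get_column_integer_value(table_line, 13));
```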