| author | liuxueli <[email protected]> | 2023-03-25 12:36:52 +0800 |
|---|---|---|
| committer | liuxueli <[email protected]> | 2023-03-25 12:36:52 +0800 |
| commit | 8f6a3e199a774be6c1865dbef4fc918f76d052e1 (patch) | |
| tree | 7cd1ebded06cac8c476da9ee98c738ba72db6cfe | |
| parent | 6e499f73b343c764e561ba0c806df12ee30b9377 (diff) | |
TSG-14338: LTS22.11版本 功能端安全策略Deny动作支持“生效方向”动作参数v5.8.13
| -rw-r--r-- | inc/tsg_rule.h | 5 | ||||
| -rw-r--r-- | src/tsg_action.cpp | 9 | ||||
| -rw-r--r-- | src/tsg_entry.cpp | 100 | ||||
| -rw-r--r-- | src/tsg_entry.h | 5 | ||||
| -rw-r--r-- | src/tsg_rule.cpp | 89 |
5 files changed, 163 insertions, 45 deletions
diff --git a/inc/tsg_rule.h b/inc/tsg_rule.h
index af88866..a7a5e23 100644
--- a/inc/tsg_rule.h
+++ b/inc/tsg_rule.h
@@ -86,4 +86,9 @@ int tsg_scan_app_id_policy(Maat_feather_t maat_feather, const struct streaminfo
 int tsg_scan_fqdn_category_id(Maat_feather_t maat_feather, const struct streaminfo *a_stream, struct Maat_rule_t *result, int result_num, scan_status_t *mid, int table_id, unsigned int *category_id, int category_id_num, int thread_seq);
 int tsg_notify_hited_monitor_result(const struct streaminfo *a_stream, struct Maat_rule_t *result, int result_num, int thread_seq);
+struct Maat_rule_t *tsg_policy_decision_criteria(Maat_rule_t *result, int result_num);
+
+// 0: not do action, 1: do action
+int tsg_is_do_deny_action_by_enforce_direction(const struct streaminfo *a_stream, struct Maat_rule_t *p_result);
+
 #endif
diff --git a/src/tsg_action.cpp b/src/tsg_action.cpp
index 9f8b35a..c120c4f 100644
--- a/src/tsg_action.cpp
+++ b/src/tsg_action.cpp
@@ -979,15 +979,6 @@ unsigned char tsg_deal_deny_action(const struct streaminfo *a_stream, Maat_rule_
 set_drop_stream(a_stream, protocol);
return ((type==ACTION_RETURN_TYPE_PROT) ? PROT_STATE_DROPPKT|PROT_STATE_DROPME: APP_STATE_DROPME|APP_STATE_DROPPKT);
}
-
- if((user_region->method_type==TSG_METHOD_TYPE_DROP || user_region->method_type==TSG_METHOD_TYPE_RATE_LIMIT) && user_region->deny!=NULL)
- {
- if(user_region->deny->action.enforce_direction!=DIR_DOUBLE && a_stream->dir!=DIR_DOUBLE && (user_region->deny->action.enforce_direction)!=a_stream->dir)
- {
- security_compile_free(g_tsg_para.table_id[TABLE_SECURITY_COMPILE], p_result, NULL, (MAAT_RULE_EX_DATA *)&user_region, 0, NULL);
- return ((type==ACTION_RETURN_TYPE_PROT) ? PROT_STATE_DROPME : APP_STATE_DROPME);
- }
- }
if(user_region->method_type==TSG_METHOD_TYPE_APP_DROP)
{
diff --git a/src/tsg_entry.cpp b/src/tsg_entry.cpp
index 60e6a3a..805beda 100644
--- a/src/tsg_entry.cpp
+++ b/src/tsg_entry.cpp
@@ -788,6 +788,12 @@ static void free_tcpall_label(int thread_seq, void *project_req_value)
 break;
 }
 }
+
+ if(context->enforce_direction_result!=NULL)
+ {
+ dictator_free(thread_seq, context->enforce_direction_result);
+ context->enforce_direction_result=NULL;
+ }
 dictator_free(thread_seq, project_req_value);
 project_req_value=NULL;
@@ -988,11 +994,6 @@ static void copy_bypass_result(const struct streaminfo *a_stream, struct master_
 int copy_app_result(struct gather_app_result *gather_result, struct app_identify_result *identify_result, int packet_sequence)
 {
- if(identify_result->app_id_num<=gather_result->app_num)
- {
- return 0;
- }
-
 gather_result->app_num=0;
 for(int i=0; (i < identify_result->app_id_num) && i<MAX_APP_ID_NUM && (gather_result->app_num < MAX_APP_ID_NUM); i++)
 {
@@ -1046,6 +1047,22 @@ static int l7_protocol_mapper(const char *filename)
 return 1;
 }
+int tsg_select_monitor_result(const struct streaminfo *a_stream, struct master_context *context, struct Maat_rule_t *p_result, int result_num, int thread_seq)
+{
+ for(int i=0; i<result_num; i++)
+ {
+ if(p_result[i].action!=TSG_ACTION_MONITOR)
+ {
+ continue;
+ }
+
+ copy_monitor_result(a_stream, context, &(p_result[i]), 1, a_stream->threadnum);
+ tsg_notify_hited_monitor_result(a_stream, &(p_result[i]), 1, a_stream->threadnum);
+ }
+
+ return 1;
+}
+
 char *tsg_l7_protocol_id2name(unsigned int l7_protocol_id)
 {
 struct l7_protocol *l7_proto=NULL;
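Review bot: Dropping the `identify_result->app_id_num<=gather_result->app_num` guard at the top of copy_app_result changes its contract — `gather_result->app_num=0` now runs unconditionally, so a later identify pass with fewer app ids discards a larger set that was already gathered — and neither the commit title (enforce-direction for the Deny action) nor the code says why. If the reset is intended, a comment above `gather_result->app_num=0;` such as `// Always rebuild from the latest identify pass; an older, larger gather must not win` would record it; if it is incidental, it belongs in its own change. copy_app_result's body continues past the hunk.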
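Review bot: tsg_select_monitor_result takes a `thread_seq` parameter but never uses it; both calls inside the loop pass `a_stream->threadnum` instead, so a caller that supplies a different thread sequence is silently ignored. Pass the parameter through: `copy_monitor_result(a_stream, context, &(p_result[i]), 1, thread_seq);` and `tsg_notify_hited_monitor_result(a_stream, &(p_result[i]), 1, thread_seq);`. The function has no failure path yet returns an int that its caller in master_deal_scan_result drops; either document that it always returns 1 or make it void, and a header comment stating that only TSG_ACTION_MONITOR hits are copied and notified, one rule at a time, would help the next reader.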
@@ -1402,37 +1419,6 @@ static void free_session_attribute_label(int thread_seq, void *project_req_value
 }
 }
-struct Maat_rule_t *tsg_policy_decision_criteria(Maat_rule_t *result, int result_num)
-{
- int i=0;
- Maat_rule_t *p_result=NULL;
-
- for(i=0; i<result_num; i++)
- {
- if(p_result==NULL)
- {
- p_result=&result[i];
- continue;
- }
-
- if((unsigned char)result[i].action>(unsigned char)p_result->action)
- {
- p_result=&result[i];
- continue;
- }
-
- if(result[i].action==p_result->action)
- {
- if(result[i].config_id>p_result->config_id)
- {
- p_result=&result[i];
- }
- }
- }
-
- return p_result;
-}
-
 static int identify_application_protocol(const struct streaminfo *a_stream, struct master_context *context, void *a_packet)
 {
 int ret=0, length=0;
@@ -1716,6 +1702,18 @@ static unsigned char master_deal_scan_result(const struct streaminfo *a_stream,
 switch((unsigned char)p_result->action)
 {
 case TSG_ACTION_DENY:
+ ret=tsg_is_do_deny_action_by_enforce_direction(a_stream, p_result);
+ if(ret==0)
+ {
+ if(context->proto!=PROTO_RTP)
+ {
+ tsg_select_monitor_result(a_stream, context, result, hit_num, a_stream->threadnum);
+ }
+
+ tsg_set_enforce_direction_deny_rule_to_tcpall(a_stream, &tmp_tcpall_context, p_result, a_stream->threadnum);
+ break;
+ }
+
 if(is_deny_application(p_result))
 {
 if(context->hited_para.hited_app_id==0)
@@ -2091,6 +2089,12 @@ static unsigned char tsg_master_all_entry(const struct streaminfo *a_stream, uns
 switch(p_result->action)
 {
 case TSG_ACTION_DENY:
+ ret=tsg_is_do_deny_action_by_enforce_direction(a_stream, p_result);
+ if(ret==0)
+ {
+ tsg_set_enforce_direction_deny_rule_to_tcpall(a_stream, &all_context, p_result, thread_seq);
+ break;
+ }
 state=tsg_deal_deny_action(a_stream, p_result, PROTO_UNKONWN, ACTION_RETURN_TYPE_APP, a_packet);
 master_send_log(a_stream, p_result, 1, NULL, thread_seq);
 break;
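Review bot: In the new TSG_ACTION_DENY branch of master_deal_scan_result, the `ret==0` path ends in `break` right after stashing the rule, so a deny deferred for direction produces no log at this point and the PROTO_RTP exclusion around tsg_select_monitor_result is unexplained; the return value of tsg_set_enforce_direction_deny_rule_to_tcpall is also dropped. A comment above `if(ret==0)` would carry the intent, e.g. `// Direction mismatch: keep the stream, hand monitor hits on now, park the deny rule on the tcpall context; it is applied and logged later (see the default case of tsg_master_all_entry)` — that later application is what the @@ -2159 hunk does, as far as the visible lines show. The same undocumented defer-and-break pattern appears at @@ -2091 in tsg_master_all_entry. Both enclosing functions start and end outside their hunks.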
@@ -2159,6 +2163,30 @@ static unsigned char tsg_master_all_entry(const struct streaminfo *a_stream, uns
 }
 break;
 default:
+ if(all_context->enforce_direction_result==NULL)
+ {
+ break;
+ }
+
+ data_context=(struct master_context *)get_struct_project(a_stream, g_tsg_para.context_project_id);
+ if(data_context!=NULL && (data_context->proto==PROTO_DNS || data_context->proto==PROTO_QUIC || data_context->proto==PROTO_SIP || data_context->proto==PROTO_RTP || data_context->proto==PROTO_DTLS))
+ {
+ break;
+ }
+
+ ret=tsg_is_do_deny_action_by_enforce_direction(a_stream, all_context->enforce_direction_result);
+ if(ret==0)
+ {
+ break;
+ }
+
+ state=tsg_deal_deny_action(a_stream, all_context->enforce_direction_result, (data_context==NULL ? PROTO_UNKONWN : data_context->proto), ACTION_RETURN_TYPE_APP, a_packet);
+ master_send_log(a_stream, all_context->enforce_direction_result, 1, data_context, thread_seq);
+
+ if(data_context!=NULL)
+ {
+ data_context->is_log=1;
+ }
 break;
 }
diff --git a/src/tsg_entry.h b/src/tsg_entry.h
index 49965d6..d2968d6 100644
--- a/src/tsg_entry.h
+++ b/src/tsg_entry.h
@@ -293,6 +293,8 @@ struct tcpall_context
 struct hited_app_para hited_para;
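Review bot: The default case dereferences `all_context->enforce_direction_result` before anything checks `all_context` itself, and tsg_set_enforce_direction_deny_rule_to_tcpall (tsg_rule.cpp hunk @@ -3314) never writes through its `context` out-parameter, so if `all_context` can still be NULL when this case runs — its initialization is outside the hunk, so I cannot confirm — the first deferred-deny packet dereferences NULL. The five-way `data_context->proto==PROTO_…` chain also reads better as a small named helper, and the reason those protocols are skipped deserves a comment, since nothing visible explains it. tsg_master_all_entry begins outside this hunk.
```cpp
// Protocols for which a deny deferred by enforce_direction is never replayed here.
static int is_enforce_direction_exempt(const struct master_context *data_context)
{
    return data_context->proto==PROTO_DNS || data_context->proto==PROTO_QUIC ||
           data_context->proto==PROTO_SIP || data_context->proto==PROTO_RTP ||
           data_context->proto==PROTO_DTLS;
}

// … in the default case of tsg_master_all_entry …
if(all_context==NULL || all_context->enforce_direction_result==NULL)
{
    break;
}

data_context=(struct master_context *)get_struct_project(a_stream, g_tsg_para.context_project_id);
if(data_context!=NULL && is_enforce_direction_exempt(data_context))
{
    break;
}
// … unchanged: direction re-check, tsg_deal_deny_action, master_send_log, is_log …
```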
void *para;
};
+
+ struct Maat_rule_t *enforce_direction_result;
};
struct reset_argv
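Review bot: The new `enforce_direction_result` member of struct tcpall_context has no comment saying what it holds or who owns it. From the other hunks it is a heap copy (dictator_malloc plus memcpy in tsg_set_enforce_direction_deny_rule_to_tcpall) of the deny rule whose enforce_direction did not match the stream, replaced only by a rule with a higher config_id, and released in free_tcpall_label. Suggest `// Deny rule deferred because its enforce_direction did not match the stream; heap copy owned by this context, freed in free_tcpall_label`.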
@@ -493,4 +495,7 @@ int tsg_get_ip_asn(const struct streaminfo *a_stream, int table_id, MAAT_PLUGIN_
 int tsg_get_subscribe_id(const struct streaminfo *a_stream, struct subscribe_id_info **source_subscribe_id, struct subscribe_id_info **dest_subscribe_id);
int tsg_send_raw_packet(const struct streaminfo *a_stream, struct mirrored_vlan *vlan, int vlan_num, int thread_seq);
+int tsg_set_enforce_direction_deny_rule_to_tcpall(const struct streaminfo *a_stream, struct tcpall_context **context, struct Maat_rule_t *p_result, int thread_seq);
+
+
#endif
diff --git a/src/tsg_rule.cpp b/src/tsg_rule.cpp
index 5b8c197..229cf22 100644
--- a/src/tsg_rule.cpp
+++ b/src/tsg_rule.cpp
@@ -2931,6 +2931,38 @@ struct Maat_rule_t *tsg_fetch_deny_rule(Maat_rule_t *result, int result_num)
 return p_result;
 }
+struct Maat_rule_t *tsg_policy_decision_criteria(Maat_rule_t *result, int result_num)
+{
+ int i=0;
+ Maat_rule_t *p_result=NULL;
+
+ for(i=0; i<result_num; i++)
+ {
+ if(p_result==NULL)
+ {
+ p_result=&result[i];
+ continue;
+ }
+
+ if((unsigned char)result[i].action>(unsigned char)p_result->action)
+ {
+ p_result=&result[i];
+ continue;
+ }
+
+ if(result[i].action==p_result->action)
+ {
+ if(result[i].config_id>p_result->config_id)
+ {
+ p_result=&result[i];
+ }
+ }
+ }
+
+ return p_result;
+}
+
+
 int tsg_get_method_id(char *method)
 {
 int i=0;
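Review bot: tsg_policy_decision_criteria arrives here from tsg_entry.cpp without a header comment, and the selection rule is not obvious from the loop: the hit with the largest `(unsigned char)action` wins, ties go to the larger `config_id`, and NULL comes back when `result_num<=0`. Suggest `// Pick the winning hit: highest action value, ties broken by highest config_id; NULL when result_num<=0` above the definition. Unlike the other functions added to this file, it does not guard `result` against NULL, which is worth stating in that comment as a caller obligation.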
@@ -3314,6 +3346,37 @@ int tsg_notify_hited_monitor_result(const struct streaminfo *a_stream, struct Ma
 return 1;
 }
+int tsg_set_enforce_direction_deny_rule_to_tcpall(const struct streaminfo *a_stream, struct tcpall_context **context, struct Maat_rule_t *p_result, int thread_seq)
+{
+ if(p_result==NULL)
+ {
+ return 0;
+ }
+
+ struct tcpall_context *_context=(struct tcpall_context *)get_struct_project(a_stream, g_tsg_para.tcpall_project_id);
+ if(_context==NULL)
+ {
+ _context=(struct tcpall_context *)dictator_malloc(thread_seq, sizeof(struct tcpall_context));
+ memset(_context, 0, sizeof(struct tcpall_context));
+ set_struct_project(a_stream, g_tsg_para.tcpall_project_id, (void *)_context);
+ }
+
+ if(_context->enforce_direction_result==NULL)
+ {
+ _context->enforce_direction_result=(struct Maat_rule_t *)dictator_malloc(thread_seq, sizeof(struct Maat_rule_t));
+ memcpy(_context->enforce_direction_result, p_result, sizeof(struct Maat_rule_t));
+
+ return 1;
+ }
+
+ if(_context->enforce_direction_result->config_id < p_result->config_id)
+ {
+ memcpy(_context->enforce_direction_result, p_result, sizeof(struct Maat_rule_t));
+ }
+
+ return 1;
+}
+
 int tsg_set_method_to_tcpall(const struct streaminfo *a_stream, struct tcpall_context **context, enum TSG_METHOD_TYPE method_type, int thread_seq)
 {
 struct tcpall_context *_context=(struct tcpall_context *)get_struct_project(a_stream, g_tsg_para.tcpall_project_id);
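Review bot: The `struct tcpall_context **context` out-parameter is never written: `_context` is looked up or freshly allocated and registered with set_struct_project, but `*context` is untouched, so the callers in tsg_entry.cpp that pass `&tmp_tcpall_context` and `&all_context` keep whatever pointer they had, and tsg_master_all_entry's default case then reads `all_context->enforce_direction_result` through that stale value. Assign `*context=_context;` once the context is known; the sibling tsg_set_method_to_tcpall takes the same parameter, so this looks like the intended contract, but confirm against its body, which is outside the hunk. Both `dictator_malloc` results are also consumed by memset/memcpy unchecked; if that allocator can return NULL, bail out instead. A NULL `context` should be tolerated since not every caller may want the pointer back.
```cpp
int tsg_set_enforce_direction_deny_rule_to_tcpall(const struct streaminfo *a_stream, struct tcpall_context **context, struct Maat_rule_t *p_result, int thread_seq)
{
    // … unchanged: p_result NULL check …

    struct tcpall_context *_context=(struct tcpall_context *)get_struct_project(a_stream, g_tsg_para.tcpall_project_id);
    if(_context==NULL)
    {
        _context=(struct tcpall_context *)dictator_malloc(thread_seq, sizeof(struct tcpall_context));
        if(_context==NULL)
        {
            return 0;
        }
        memset(_context, 0, sizeof(struct tcpall_context));
        set_struct_project(a_stream, g_tsg_para.tcpall_project_id, (void *)_context);
    }

    // Hand the context back to the caller, as the out-parameter promises.
    if(context!=NULL)
    {
        *context=_context;
    }

    if(_context->enforce_direction_result==NULL)
    {
        _context->enforce_direction_result=(struct Maat_rule_t *)dictator_malloc(thread_seq, sizeof(struct Maat_rule_t));
        if(_context->enforce_direction_result==NULL)
        {
            return 0;
        }
        memcpy(_context->enforce_direction_result, p_result, sizeof(struct Maat_rule_t));

        return 1;
    }

    // … unchanged: keep the stored copy unless the new rule has a higher config_id …
}
```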
@@ -3423,3 +3486,29 @@ struct umts_user_info *tsg_get_umts_user_info_form_redis(unsigned int teid)
 return (struct umts_user_info *)Maat_plugin_get_EX_data(g_tsg_dynamic_maat_feather, g_tsg_para.dyn_table_id[DYN_TABLE_GTP_SIGNALING], (const char *)teid_str);
 }
+int tsg_is_do_deny_action_by_enforce_direction(const struct streaminfo *a_stream, struct Maat_rule_t *p_result)
+{
+ if(p_result==NULL || p_result->action!=TSG_ACTION_DENY)
+ {
+ return 0;
+ }
+
+ struct compile_user_region *user_region=(struct compile_user_region *)Maat_rule_get_ex_data(g_tsg_maat_feather, p_result, g_tsg_para.table_id[TABLE_SECURITY_COMPILE]);
+ if(user_region==NULL)
+ {
+ return 1;
+ }
+
+ if((user_region->method_type==TSG_METHOD_TYPE_DROP || user_region->method_type==TSG_METHOD_TYPE_RATE_LIMIT) && user_region->deny!=NULL)
+ {
+ if(user_region->deny->action.enforce_direction!=DIR_DOUBLE && a_stream->dir!=DIR_DOUBLE && (user_region->deny->action.enforce_direction)!=a_stream->dir)
+ {
+ security_compile_free(g_tsg_para.table_id[TABLE_SECURITY_COMPILE], p_result, NULL, (MAAT_RULE_EX_DATA *)&user_region, 0, NULL);
+ return 0;
+ }
+ }
+
+ security_compile_free(g_tsg_para.table_id[TABLE_SECURITY_COMPILE], p_result, NULL, (MAAT_RULE_EX_DATA *)&user_region, 0, NULL);
+
+ return 1;
+} |
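Review bot: security_compile_free is called on two separate exits with an identical argument list, and the declaration comment added in inc/tsg_rule.h (`// 0: not do action, 1: do action`) omits that 0 is also returned for a NULL or non-DENY rule while 1 is returned when no compile_user_region exists; the callers in tsg_entry.cpp treat 0 as "defer this deny", so the three cases should be spelled out. Fold the direction test into one predicate and release the ex-data on a single path, which also makes a future early return harder to get wrong. The header comment could read `// 1: apply the deny now. 0: rule is NULL/not a deny, or its enforce_direction is set and differs from the stream direction`.
```cpp
int tsg_is_do_deny_action_by_enforce_direction(const struct streaminfo *a_stream, struct Maat_rule_t *p_result)
{
    // … unchanged: NULL / non-DENY check, Maat_rule_get_ex_data and the user_region==NULL early return …

    int do_action=1;
    // A one-directional deny is skipped on a stream of the other direction; DIR_DOUBLE on either side always applies.
    if((user_region->method_type==TSG_METHOD_TYPE_DROP || user_region->method_type==TSG_METHOD_TYPE_RATE_LIMIT) && user_region->deny!=NULL
        && user_region->deny->action.enforce_direction!=DIR_DOUBLE && a_stream->dir!=DIR_DOUBLE
        && user_region->deny->action.enforce_direction!=a_stream->dir)
    {
        do_action=0;
    }

    // Single release of the rule's ex-data regardless of the outcome.
    security_compile_free(g_tsg_para.table_id[TABLE_SECURITY_COMPILE], p_result, NULL, (MAAT_RULE_EX_DATA *)&user_region, 0, NULL);

    return do_action;
}
```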
