author刘学利 <[email protected]>2023-03-22 05:55:26 +0000
committer刘学利 <[email protected]>2023-03-22 05:55:26 +0000
commit3f04cf081b9a6b3a0152ddebccb6b0366ec48dd1 (patch)
tree19d7b0d6c9c3e39a97ffb023399424aaf2df2c5e
parent18a38e571e6bfd8adcedcf33be8d91271d1ee710 (diff)
TSG-14338: LTS22.11版本功能端安全策略Deny动作支持“生效方向”动作参数
-rw-r--r--src/tsg_action.cpp19
-rw-r--r--src/tsg_entry.cpp12
-rw-r--r--src/tsg_protocol_common.h17
-rw-r--r--src/tsg_rule.cpp53
4 files changed, 74 insertions, 27 deletions
diff --git a/src/tsg_action.cpp b/src/tsg_action.cpp
index 124d7bd..9f8b35a 100644
--- a/src/tsg_action.cpp
+++ b/src/tsg_action.cpp
@@ -632,13 +632,13 @@ static unsigned char do_action_tamper(const struct streaminfo *a_stream, Maat_ru
_context->tamper_count = 0;
}
- //当前为tsg_master_plug暂时不处理在tsg_master_all_entry处理,防止命中发两次
+ //当前为tsg_master_plug暂时不处理在tsg_master_all_entry处理,防止命中发两�?
if(ACTION_RETURN_TYPE_APP == type)
{
return STATE_GIVEME|STATE_DROPPKT|STATE_KILL_OTHER;
}
- //TCP这里发送的话,tsg_master_all_entry仍会处理发送,UDP没有这个情况,所以加该判断
+ //TCP这里发送的话,tsg_master_all_entry仍会处理发�?UDP没有这个情况,所以加该判�?
if(a_stream->type == STREAM_TYPE_UDP)
{
send_tamper_xxx(a_stream, &_context->tamper_count, user_data);
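Review bot: The two rewritten comment lines in this hunk are corrupted: both now end in a replacement character and have lost their trailing text (`防止命中发两�?`, `所以加该判�?`), which looks like the file was re-saved under a different encoding than the original comments used; nothing else in do_action_tamper changes in this hunk. Either restore the original text or replace the comments with ASCII so the encoding cannot drift again, e.g. `// Under tsg_master_plug skip here; tsg_master_all_entry handles it, so a hit is not sent twice.` and `// For TCP, tsg_master_all_entry still does the send, so only UDP is sent from here.` The file encoding should be fixed once project-wide rather than per commit. do_action_tamper starts before this hunk.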
@@ -692,7 +692,7 @@ static unsigned char do_action_default_xxx(const struct streaminfo *a_stream, Ma
static unsigned char do_action_ratelimit(const struct streaminfo *a_stream, Maat_rule_t *p_result, struct compile_user_region *user_region, enum ACTION_RETURN_TYPE type)
{
struct tcpall_context *context=NULL;
- struct leaky_bucket *bucket=create_bucket(user_region->deny->bps, a_stream->threadnum);
+ struct leaky_bucket *bucket=create_bucket(user_region->deny->action.bps, a_stream->threadnum);
int ret=tsg_set_bucket_to_tcpall(a_stream, &context, bucket, a_stream->threadnum);
if(ret==0)
@@ -890,12 +890,12 @@ static unsigned char tsg_do_deny_action(const struct streaminfo *a_stream, struc
local_state=set_drop_stream(a_stream, protocol);
}
- if(user_region->deny->app_para.send_icmp_enable==1)
+ if(user_region->deny->action.send_icmp_enable==1)
{
local_state|=send_icmp_unreachable(a_stream);
}
- if(user_region->deny->app_para.send_reset_enable==1)
+ if(user_region->deny->action.send_reset_enable==1)
{
local_state|=do_action_reset(a_stream, p_result, protocol);
}
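Review bot: `user_region->deny->action.send_reset_enable==1` at the bottom of this hunk reads the union slot that parse_enforce_direction fills with a DIR_* value for an override drop (sub_action in tsg_protocol_common.h overlays send_reset_enable and enforce_direction), so whether a direction-restricted deny also emits a TCP reset now depends on the numeric value of DIR_C2S/DIR_S2C, which is not visible here. Unless those enumerators are guaranteed never to equal 1, gate the read on the region kind, e.g. `if(user_region->deny->type==TSG_DENY_TYPE_APP_DROP && user_region->deny->action.send_reset_enable==1)`, or give the two settings separate fields. tsg_do_deny_action starts and ends outside this hunk.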
@@ -980,6 +980,15 @@ unsigned char tsg_deal_deny_action(const struct streaminfo *a_stream, Maat_rule_
return ((type==ACTION_RETURN_TYPE_PROT) ? PROT_STATE_DROPPKT|PROT_STATE_DROPME: APP_STATE_DROPME|APP_STATE_DROPPKT);
}
+ if((user_region->method_type==TSG_METHOD_TYPE_DROP || user_region->method_type==TSG_METHOD_TYPE_RATE_LIMIT) && user_region->deny!=NULL)
+ {
+ if(user_region->deny->action.enforce_direction!=DIR_DOUBLE && a_stream->dir!=DIR_DOUBLE && (user_region->deny->action.enforce_direction)!=a_stream->dir)
+ {
+ security_compile_free(g_tsg_para.table_id[TABLE_SECURITY_COMPILE], p_result, NULL, (MAAT_RULE_EX_DATA *)&user_region, 0, NULL);
+ return ((type==ACTION_RETURN_TYPE_PROT) ? PROT_STATE_DROPME : APP_STATE_DROPME);
+ }
+ }
+
if(user_region->method_type==TSG_METHOD_TYPE_APP_DROP)
{
unsigned int app_id=0;
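Review bot: The new direction check returns `PROT_STATE_DROPME`/`APP_STATE_DROPME` without `DROPPKT` after freeing the rule with security_compile_free, and if DROPME has the stream-level "stop calling me" meaning that the surrounding `DROPME|DROPPKT` returns suggest, a stream whose first policy hit arrives in the non-enforced direction sheds the deny for good, so later packets in the enforced direction are neither dropped nor rate-limited — a c2s-only deny would be bypassed by any server-first exchange. The check also assumes `a_stream->dir` describes the current packet rather than the stream as a whole, which this diff does not show. If the intent is per-packet enforcement, the mismatch branch should keep the rule attached and only pass this packet (a GIVEME-style return without freeing p_result); if it is per-stream, say so in a comment, e.g. `// direction is decided by the first hit for the whole stream`. tsg_deal_deny_action starts before this hunk and continues after it.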
diff --git a/src/tsg_entry.cpp b/src/tsg_entry.cpp
index 7b1b443..60e6a3a 100644
--- a/src/tsg_entry.cpp
+++ b/src/tsg_entry.cpp
@@ -2121,11 +2121,11 @@ static unsigned char tsg_master_all_entry(const struct streaminfo *a_stream, uns
state|=APP_STATE_GIVEME|APP_STATE_DROPPKT;
}
break;
- case TSG_METHOD_TYPE_TAMPER:
- if(0 == send_tamper_xxx(a_stream, &all_context->tamper_count, a_packet)){
- state|=APP_STATE_GIVEME|APP_STATE_DROPPKT;
- }
- break;
+ case TSG_METHOD_TYPE_TAMPER:
+ if(0 == send_tamper_xxx(a_stream, &all_context->tamper_count, a_packet)){
+ state|=APP_STATE_GIVEME|APP_STATE_DROPPKT;
+ }
+ break;
case TSG_METHOD_TYPE_DEFAULT:
if(!is_do_default_policy(a_stream, all_context->after_n_packets) || stream_state==OP_STATE_CLOSE)
{
@@ -2134,7 +2134,7 @@ static unsigned char tsg_master_all_entry(const struct streaminfo *a_stream, uns
if(get_default_policy(g_tsg_para.default_compile_id, &result[0]))
{
- state=tsg_deal_deny_action(a_stream, &result[0], PROTO_UNKONWN, ACTION_RETURN_TYPE_APP, a_packet);
+ state=tsg_deal_deny_action(a_stream, &result[0], PROTO_UNKONWN, ACTION_RETURN_TYPE_APP, a_packet);
master_send_log(a_stream, &result[0], 1, NULL, thread_seq);
}
break;
diff --git a/src/tsg_protocol_common.h b/src/tsg_protocol_common.h
index 1361837..61242c3 100644
--- a/src/tsg_protocol_common.h
+++ b/src/tsg_protocol_common.h
@@ -79,10 +79,18 @@ struct packet_capture
int depth;
};
-struct app_action_para
+struct sub_action
{
- int send_reset_enable;
- int send_icmp_enable;
+ union
+ {
+ int bps; // override or app default ratelimit
+ int send_icmp_enable; // override or app default drop
+ };
+ union
+ {
+ int send_reset_enable; // app default drop
+ int enforce_direction; // override drop and ratelimit
+ };
};
struct deny_user_region
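Review bot: Overlaying `send_reset_enable` with `enforce_direction` (and `bps` with `send_icmp_enable`) in the new sub_action makes every read ambiguous: the trailing comments say which producer is meant to own each slot, but nothing in the struct records which variant was written, and tsg_action.cpp reads `action.send_reset_enable` and `action.send_icmp_enable` for any deny region that reaches tsg_do_deny_action. The union saves eight bytes per region and buys a silent misinterpretation whenever a DIR_* value or a bps value happens to equal 1. Declare four plain members `int bps; int send_icmp_enable; int send_reset_enable; int enforce_direction;` instead, or add a discriminator and state the invariant on the struct: `/* exactly one overlay is valid per region, selected by deny_user_region.type */`.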
@@ -100,9 +108,8 @@ struct deny_user_region
char *redirect_url_to;
struct dns_user_region *records;
int profile_id;
- int bps;
int send_icmp_enable;
- struct app_action_para app_para;
+ struct sub_action action;
void *para;
};
};
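Review bot: `deny_user_region` keeps its own `int send_icmp_enable` member while the parser in tsg_rule.cpp now writes `action.send_icmp_enable` instead, so the old field is left permanently zero by calloc; any consumer still reading `deny->send_icmp_enable` will silently see ICMP-unreachable disabled. Remove the stale member (after grepping for remaining readers) so the two fields cannot drift, or if it must stay for binary compatibility, mark it: `int send_icmp_enable; /* legacy: no longer written, use action.send_icmp_enable */`.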
diff --git a/src/tsg_rule.cpp b/src/tsg_rule.cpp
index 55ab44c..5b8c197 100644
--- a/src/tsg_rule.cpp
+++ b/src/tsg_rule.cpp
@@ -628,6 +628,35 @@ void subscriber_id_free(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, void*
return;
}
+static int parse_enforce_direction(cJSON *app_para, int *value)
+{
+ char *enforce_direction=NULL;
+ int ret=get_string_from_json(app_para, "enforce_direction", &enforce_direction);
+ if(ret==0 || enforce_direction==NULL)
+ {
+ *value=DIR_DOUBLE;
+ return 1;
+ }
+
+ if(strcasecmp(enforce_direction, "c2s")==0)
+ {
+ *value=DIR_C2S;
+ }
+ else if(strcasecmp(enforce_direction, "s2c")==0)
+ {
+ *value=DIR_S2C;
+ }
+ else
+ {
+ *value=DIR_DOUBLE;
+ }
+
+ free(enforce_direction);
+ enforce_direction=NULL;
+
+ return 1;
+}
+
static int parse_deny_action(char *deny_action_str, struct deny_user_region *deny_app_para)
{
if(deny_action_str==NULL)
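Review bot: parse_enforce_direction silently maps any unrecognised `enforce_direction` string to DIR_DOUBLE and always returns 1, so a mistyped policy value (say `"c2c"`) is accepted without any signal; DIR_DOUBLE is the stricter choice for a deny, so this fails closed, but the operator never learns the setting was ignored. Have the fallback branch report the problem and return 0, e.g. `else { *value=DIR_DOUBLE; ret=0; }` with `return ret;` at the end, and check that result at the two call sites in parse_deny_user_region. The `free()` assumes get_string_from_json hands back heap storage on success; that matches how the value is used here but the helper is not in this diff.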
@@ -650,13 +679,13 @@ static int parse_deny_action(char *deny_action_str, struct deny_user_region *den
{
case TSG_METHOD_TYPE_DROP:
deny_app_para->type=TSG_DENY_TYPE_APP_DROP;
- get_integer_from_json(app_para, "send_tcp_reset", &(deny_app_para->app_para.send_reset_enable));
+ get_integer_from_json(app_para, "send_tcp_reset", (int *)&(deny_app_para->action.send_reset_enable));
get_integer_from_json(app_para, "after_n_packets", &(deny_app_para->after_n_packets));
- get_integer_from_json(app_para, "send_icmp_unreachable", &(deny_app_para->app_para.send_icmp_enable));
+ get_integer_from_json(app_para, "send_icmp_unreachable", (int *)&(deny_app_para->action.send_icmp_enable));
break;
case TSG_METHOD_TYPE_RATE_LIMIT:
deny_app_para->type=TSG_DENY_TYPE_APP_RATELIMIT;
- get_integer_from_json(app_para, "bps", &(deny_app_para->bps));
+ get_integer_from_json(app_para, "bps", &(deny_app_para->action.bps));
break;
default:
break;
@@ -981,7 +1010,7 @@ static int parse_default_para(cJSON *deny_user_region_object, struct compile_use
break;
case TSG_METHOD_TYPE_DROP:
get_integer_from_json(tcp_session_item, "after_n_packets", &(user_region->session_para->tcp.after_n_packets));
- get_integer_from_json(tcp_session_item, "send_icmp_unreachable", &(user_region->session_para->tcp.send_icmp_enable));
+ get_integer_from_json(tcp_session_item, "send_icmp_unreachable", (int *)&(user_region->session_para->tcp.send_icmp_enable));
if(user_region->session_para->tcp.send_icmp_enable==1)
{
user_region->session_para->tcp.type=TSG_DENY_TYPE_SEND_ICMP;
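Review bot: The `(int *)` cast on `&(user_region->session_para->tcp.send_icmp_enable)` (and the matching UDP line in the next hunk) suggests the member is not declared `int`; if it is a narrower type, get_integer_from_json writes four bytes through the cast pointer and clobbers the neighbouring field, and if it is `int` the cast is noise. Check the declaration of session_para (not in this diff): either drop the cast, or read into a local `int tmp=0;` and assign `user_region->session_para->tcp.send_icmp_enable=tmp;` after the call. parse_default_para starts before this hunk and continues after it.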
@@ -1002,7 +1031,7 @@ static int parse_default_para(cJSON *deny_user_region_object, struct compile_use
{
user_region->session_para->udp.type=TSG_DENY_TYPE_DEFAULT_DROP;
get_integer_from_json(udp_session_item, "after_n_packets", &(user_region->session_para->udp.after_n_packets));
- get_integer_from_json(udp_session_item, "send_icmp_unreachable", &(user_region->session_para->udp.send_icmp_enable));
+ get_integer_from_json(udp_session_item, "send_icmp_unreachable", (int *)&(user_region->session_para->udp.send_icmp_enable));
if(user_region->session_para->udp.send_icmp_enable==1)
{
user_region->session_para->udp.type=TSG_DENY_TYPE_SEND_ICMP;
@@ -1137,25 +1166,27 @@ static struct compile_user_region *parse_deny_user_region(cJSON *deny_user_regio
case TSG_METHOD_TYPE_RATE_LIMIT:
user_region->deny=(struct deny_user_region *)calloc(1, sizeof(struct deny_user_region));
user_region->deny->type=TSG_DENY_TYPE_MAX;
- get_integer_from_json(deny_user_region_object, "bps", &(user_region->deny->bps));
+ get_integer_from_json(deny_user_region_object, "bps", &(user_region->deny->action.bps));
+ parse_enforce_direction(deny_user_region_object, &(user_region->deny->action.enforce_direction));
break;
case TSG_METHOD_TYPE_DROP:
user_region->deny=(struct deny_user_region *)calloc(1, sizeof(struct deny_user_region));
- ret=get_integer_from_json(deny_user_region_object, "send_icmp_unreachable", &(user_region->deny->send_icmp_enable));
+ parse_enforce_direction(deny_user_region_object, &(user_region->deny->action.enforce_direction));
+ ret=get_integer_from_json(deny_user_region_object, "send_icmp_unreachable", (int *)&(user_region->deny->action.send_icmp_enable));
if(ret==1)
{
user_region->deny->type=TSG_DENY_TYPE_SEND_ICMP;
break;
}
- break;
+ break;
case TSG_METHOD_TYPE_APP_DROP:
break;
case TSG_METHOD_TYPE_RST:
case TSG_METHOD_TYPE_RESET:
break;
- case TSG_METHOD_TYPE_TAMPER:
- break;
- default:
+ case TSG_METHOD_TYPE_TAMPER:
+ break;
+ default:
parse_default_para(deny_user_region_object, user_region);
break;
}
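Review bot: The new `parse_enforce_direction(... &(user_region->deny->action.enforce_direction))` lines dereference `user_region->deny` right after the unchecked `calloc` on the context line above, in both the RATE_LIMIT and DROP cases, so an allocation failure while loading policy is a NULL dereference rather than a rejected rule. Add `if(user_region->deny==NULL) { break; }` (or whatever failure path parse_deny_user_region uses elsewhere — its start is outside this hunk) before the first write. The return value of parse_enforce_direction is discarded on both lines, so the parser cannot refuse a malformed direction even if the helper is later taught to report one.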