| author | 刘学利 <[email protected]> | 2023-05-27 09:37:46 +0000 |
|---|---|---|
| committer | 刘学利 <[email protected]> | 2023-05-27 09:37:46 +0000 |
| commit | 7abc5766214917aec7073093271442c4a6a69eca (patch) | |
| tree | de42b79b27da6951b3c5386361e2dc410214a163 | |
| parent | bc7909e57bba412ff1f7f5d323f5c44c20486d3a (diff) | |
TSG-14946: 安全策略支持allow(deny)和monitor动作同时命中v6.0.13
| -rw-r--r-- | inc/tsg_label.h | 1 | ||||
| -rw-r--r-- | inc/tsg_rule.h | 2 | ||||
| -rw-r--r-- | src/tsg_action.cpp | 69 | ||||
| -rw-r--r-- | src/tsg_bridge.cpp | 26 | ||||
| -rw-r--r-- | src/tsg_bridge.h | 6 | ||||
| -rw-r--r-- | src/tsg_dns.cpp | 8 | ||||
| -rw-r--r-- | src/tsg_entry.cpp | 236 | ||||
| -rw-r--r-- | src/tsg_icmp.cpp | 79 | ||||
| -rw-r--r-- | src/tsg_protocol_common.h | 1 | ||||
| -rw-r--r-- | src/tsg_proxy.cpp | 29 | ||||
| -rw-r--r-- | src/tsg_rule.cpp | 21 | ||||
| -rw-r--r-- | src/tsg_rule_internal.h | 1 | ||||
| -rw-r--r-- | test/src/gtest_bridge.cpp | 4 | ||||
| -rw-r--r-- | test/src/gtest_master.cpp | 5 |
14 files changed, 186 insertions, 302 deletions
diff --git a/inc/tsg_label.h b/inc/tsg_label.h
index 062c47b..52aa9f7 100644
--- a/inc/tsg_label.h
+++ b/inc/tsg_label.h
@@ -184,4 +184,5 @@ const char *srt_process_context_get_domain(const struct session_runtime_process_
 const char *srt_process_context_get_http_url(const struct session_runtime_process_context *srt_process_context);
 const char *srt_process_context_get_quic_ua(const struct session_runtime_process_context *srt_process_context);
 enum TSG_PROTOCOL srt_process_context_get_protocol(const struct session_runtime_process_context *srt_process_context);
+unsigned char srt_process_context_get_hitted_allow_flag(const struct session_runtime_process_context *srt_process_context);
diff --git a/inc/tsg_rule.h b/inc/tsg_rule.h
index d6fd454..9a0b632 100644
--- a/inc/tsg_rule.h
+++ b/inc/tsg_rule.h
@@ -75,6 +75,8 @@ size_t tsg_matched_rules_select(struct maat *feather, TSG_SERVICE service, long
 size_t tsg_scan_nesting_addr(const struct streaminfo *a_stream, struct maat *feather, enum TSG_PROTOCOL proto, struct maat_state *s_mid, struct maat_rule *rules, size_t n_rules);
 size_t session_matched_rules_copy(const struct streaminfo *a_stream, enum TSG_SERVICE service, struct maat_rule *rules, size_t n_rules);
 size_t tsg_select_rules_by_service_id(struct maat_rule *matched_rules, size_t n_matched_rules, struct maat_rule *rules, size_t n_rules, enum TSG_SERVICE service_id);
+size_t tsg_select_rules_by_action(struct maat_rule *matched_rules, size_t n_matched_rules, struct maat_rule *rules, size_t n_rules, unsigned char action);
+
 int tsg_get_fqdn_category_ids(struct maat *feather, char *fqdn, unsigned int *category_ids, int n_category_ids);
 unsigned char tsg_enforing_deny(const struct streaminfo *a_stream, struct maat_rule *p_result, enum TSG_PROTOCOL protocol, enum ACTION_RETURN_TYPE type, const void *user_data);
diff --git a/src/tsg_action.cpp b/src/tsg_action.cpp
index 1c6486c..a2d1e0d 100644
--- a/src/tsg_action.cpp
+++ b/src/tsg_action.cpp
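Review bot: The new public declaration `tsg_select_rules_by_action` in tsg_rule.h takes its action as a bare `unsigned char` and carries no comment, while the sibling `tsg_select_rules_by_service_id` on the line above takes a typed `enum TSG_SERVICE`; the callers added in tsg_entry.cpp pass the enumerator `TSG_ACTION_MONITOR`, so the narrowing is silent and the header gives no contract for what is copied or what the return value counts. I would document it, e.g. `/* Copy into rules[] (at most n_rules) each entry of matched_rules whose action equals `action`; returns the number copied. */`, and use the action enum's type for the parameter if it has one in this codebase. The same applies to `srt_process_context_get_hitted_allow_flag` in tsg_label.h, whose definition in tsg_bridge.cpp returns 0 for a NULL context — worth stating at the declaration since callers will rely on it.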
@@ -90,7 +90,7 @@ static int set_drop_stream(const struct streaminfo *a_stream, enum TSG_PROTOCOL break; } - return STATE_DROPME|STATE_DROPPKT; + return STATE_DROPME; } static int get_http_header(char *buff, int len, int code, char *user_define) @@ -564,21 +564,24 @@ static unsigned char do_action_reset(const struct streaminfo *a_stream, struct m set_drop_stream(a_stream, protocol); } - return STATE_DROPPKT|STATE_DROPME; + return STATE_DROPME; } static unsigned char do_action_drop(const struct streaminfo *a_stream, struct maat_rule *p_result, struct compile_user_region *user_region, enum TSG_PROTOCOL protocol, const void *a_packet) { + int opt_value=1; + switch(protocol) - { + { case PROTO_DNS: - return STATE_GIVEME|STATE_DROPPKT; + MESA_set_stream_opt(a_stream, MSO_DROP_CURRENT_PKT, (void *)&opt_value, sizeof(opt_value)); + return STATE_GIVEME; default: set_drop_stream(a_stream, protocol); break; } - return STATE_DROPME|STATE_DROPPKT; + return STATE_DROPME; } static unsigned char do_action_tamper(const struct streaminfo *a_stream, struct maat_rule *p_result, struct compile_user_region *user_region, enum TSG_PROTOCOL protocol, const void *user_data, enum ACTION_RETURN_TYPE type) @@ -586,7 +589,7 @@ static unsigned char do_action_tamper(const struct streaminfo *a_stream, struct if(g_tsg_para.feature_tamper==0) { do_action_drop(a_stream, p_result, user_region, protocol, user_data); - return STATE_DROPME|STATE_DROPPKT; + return STATE_DROPME; } struct session_runtime_action_context * _context=(struct session_runtime_action_context *)session_runtime_action_context_get(a_stream); @@ -606,7 +609,9 @@ static unsigned char do_action_tamper(const struct streaminfo *a_stream, struct if(ACTION_RETURN_TYPE_APP == type) { - return STATE_GIVEME|STATE_DROPPKT|STATE_KILL_OTHER; + int opt_value=1; + MESA_set_stream_opt(a_stream, MSO_DROP_CURRENT_PKT, (void *)&opt_value, sizeof(opt_value)); + return STATE_GIVEME; } if(a_stream->type == STREAM_TYPE_UDP) 
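Review bot: In `do_action_drop` the DNS branch now calls `MESA_set_stream_opt(..., MSO_DROP_CURRENT_PKT, ...)` before returning, but the `default:` branch — and `do_action_reset` and `set_drop_stream` in the same hunk — return plain `STATE_DROPME` with no such call, where the old code returned `STATE_DROPME|STATE_DROPPKT` on every path. Since `tsg_do_deny_action` no longer maps any drop-packet bit, whether the packet that triggered the deny is still forwarded on the default path now depends entirely on what `set_drop_stream` does, and its body starts outside this hunk. If `set_drop_stream` does not itself set `MSO_DROP_CURRENT_PKT`, the triggering packet leaks through the deny; either add `MESA_set_stream_opt(a_stream, MSO_DROP_CURRENT_PKT, (void *)&opt_value, sizeof(opt_value));` before `return STATE_DROPME;` in the `default:` path, or put it inside `set_drop_stream` so every caller gets it, and say which in a comment on `set_drop_stream`.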
@@ -614,16 +619,18 @@ static unsigned char do_action_tamper(const struct streaminfo *a_stream, struct send_tamper_xxx(a_stream, &_context->tamper_count, user_data); } - return STATE_DROPME|STATE_DROPPKT; + return STATE_DROPME; } static unsigned char do_action_default_xxx(const struct streaminfo *a_stream, struct maat_rule *p_result, struct compile_user_region *user_region, enum TSG_PROTOCOL protocol, const void *user_data) { + int opt_value=1; struct deny_user_region *deny_region=NULL; if(user_region->session_para==NULL) { - return STATE_DROPME|STATE_DROPPKT; + MESA_set_stream_opt(a_stream, MSO_DROP_CURRENT_PKT, (void *)&opt_value, sizeof(opt_value)); + return STATE_DROPME; } switch(a_stream->type) @@ -635,7 +642,8 @@ static unsigned char do_action_default_xxx(const struct streaminfo *a_stream, st deny_region=&(user_region->session_para->udp); break; default: - return STATE_DROPME|STATE_DROPPKT; + MESA_set_stream_opt(a_stream, MSO_DROP_CURRENT_PKT, (void *)&opt_value, sizeof(opt_value)); + return STATE_DROPME; break; } @@ -656,7 +664,7 @@ static unsigned char do_action_default_xxx(const struct streaminfo *a_stream, st break; } - return STATE_DROPME|STATE_DROPPKT; + return STATE_DROPME; } static unsigned char do_action_ratelimit(const struct streaminfo *a_stream, struct maat_rule *p_result, struct compile_user_region *user_region, enum ACTION_RETURN_TYPE type) @@ -677,15 +685,16 @@ static unsigned char do_action_ratelimit(const struct streaminfo *a_stream, stru if(type==ACTION_RETURN_TYPE_APP) { - return STATE_DROPME|STATE_KILL_OTHER; + return STATE_DROPME; } - return STATE_GIVEME|STATE_KILL_OTHER; + return STATE_GIVEME; } static unsigned char do_action_block_sip(const struct streaminfo *a_stream, struct maat_rule *p_result, struct compile_user_region *user_region, const void *user_data) { int offset=0; + int opt_value=1; char payload[1024]={0}; switch(user_region->deny->code) { 
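Review bot: `do_action_default_xxx` is now inconsistent with itself: the two error paths added in this hunk (NULL `session_para`, unknown `a_stream->type`) set `MSO_DROP_CURRENT_PKT` before `return STATE_DROPME;`, but the normal path at the end of the function (`@@ -656,7 +664,7 @@`) returns `STATE_DROPME` without it. The old code returned `STATE_DROPPKT` on all three paths, and the sibling block actions in this commit (`do_action_block_sip`, `do_action_block_mail`, `do_action_block_http`) set the option on their success path, so this reads as an omission rather than a choice. Unless the elided middle of the function (outside the hunk) already discards the current packet, add `MESA_set_stream_opt(a_stream, MSO_DROP_CURRENT_PKT, (void *)&opt_value, sizeof(opt_value));` before the final `return STATE_DROPME;`. `do_action_default_xxx` is split across hunks here.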
@@ -700,14 +709,17 @@ static unsigned char do_action_block_sip(const struct streaminfo *a_stream, stru memcpy(payload, "SIP/2.0 500 Server Internal Error\r\n", offset); break; default: - return STATE_DROPME|STATE_DROPPKT; + MESA_set_stream_opt(a_stream, MSO_DROP_CURRENT_PKT, (void *)&opt_value, sizeof(opt_value)); + return STATE_DROPME; } memcpy(payload+offset, user_data, strlen((const char*)user_data)); unsigned char raw_route_dir=(a_stream->curdir==DIR_C2S) ? MESA_dir_reverse(a_stream->routedir) : a_stream->routedir; tsg_send_inject_packet(a_stream, SIO_DEFAULT, payload, strlen(payload), raw_route_dir); - return STATE_DROPME|STATE_DROPPKT; + MESA_set_stream_opt(a_stream, MSO_DROP_CURRENT_PKT, (void *)&opt_value, sizeof(opt_value)); + + return STATE_DROPME; } static unsigned char do_action_block_mail(const struct streaminfo *a_stream, struct maat_rule *p_result, struct compile_user_region *user_region) @@ -731,8 +743,11 @@ static unsigned char do_action_block_mail(const struct streaminfo *a_stream, str unsigned char raw_route_dir=(a_stream->curdir==DIR_C2S) ? MESA_dir_reverse(a_stream->routedir) : a_stream->routedir; tsg_send_inject_packet(a_stream, SIO_DEFAULT, payload, strlen(payload), raw_route_dir); } + + int opt_value=1; + MESA_set_stream_opt(a_stream, MSO_DROP_CURRENT_PKT, (void *)&opt_value, sizeof(opt_value)); - return STATE_DROPME|STATE_DROPPKT; + return STATE_DROPME; } static unsigned char do_action_block_http(const struct streaminfo *a_stream, struct maat_rule *p_result, struct compile_user_region *user_region, const void *a_packet) 
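Review bot: `do_action_block_sip` copies `user_data` into the 1024-byte stack buffer with `memcpy(payload+offset, user_data, strlen((const char*)user_data))` and no bound; the line is context rather than new, but this hunk now adds drop-packet calls on both sides of it, so it is worth fixing while the function is open. `offset` is the length of a fixed SIP status line, so any `user_data` longer than the remaining space overruns `payload`, and the following `strlen(payload)` then reads past it. I assume `user_data` comes from the deny rule's configuration rather than from the wire, which makes this an operator-input robustness issue rather than a remote one, but it should still be bounded: `size_t ud_len=strlen((const char*)user_data); if(ud_len>=sizeof(payload)-offset) { MESA_set_stream_opt(a_stream, MSO_DROP_CURRENT_PKT, (void *)&opt_value, sizeof(opt_value)); return STATE_DROPME; }` before the copy, or `snprintf` into the remaining space. `do_action_block_sip` starts outside the hunk.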
@@ -758,8 +773,11 @@ static unsigned char do_action_block_http(const struct streaminfo *a_stream, str opt_value=1; MESA_set_stream_opt(a_stream, MSO_TCP_RST_REMEDY, (void *)&opt_value, sizeof(opt_value)); } - - return STATE_DROPME|STATE_DROPPKT; + + opt_value=1; + MESA_set_stream_opt(a_stream, MSO_DROP_CURRENT_PKT, (void *)&opt_value, sizeof(opt_value)); + + return STATE_DROPME; } static unsigned char do_action_block_xxx(const struct streaminfo *a_stream, struct maat_rule *p_result, struct compile_user_region *user_region, enum TSG_PROTOCOL protocol, const void *user_data) @@ -789,11 +807,12 @@ static unsigned char do_action_block_xxx(const struct streaminfo *a_stream, stru set_drop_stream(a_stream, protocol); - return STATE_DROPME|STATE_DROPPKT; + return STATE_DROPME; } static unsigned char do_action_redirect_http(const struct streaminfo *a_stream, struct maat_rule *p_result, struct compile_user_region *user_region) { + int opt_value=1; int used_http_hdr_len=0; char http_hdr[1024]={0}; unsigned char raw_route_dir=0; 
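Review bot: The pair `int opt_value=1; MESA_set_stream_opt(a_stream, MSO_DROP_CURRENT_PKT, (void *)&opt_value, sizeof(opt_value));` is now pasted at roughly a dozen sites across tsg_action.cpp, tsg_dns.cpp and tsg_icmp.cpp, and the copies already disagree (tsg_dns.cpp initialises its `opt_value` to 0). In `do_action_block_http` here the three added lines reuse a local that was declared for `MSO_TCP_RST_REMEDY`, the kind of reuse that later hides a wrong value. A small static helper in tsg_action.cpp (exported if tsg_dns.cpp and tsg_icmp.cpp keep calling it) removes the duplication and gives one place to document the semantics; each call site then becomes `drop_current_pkt(a_stream);`. `do_action_block_http` and `do_action_block_xxx` start outside the hunk.
```cpp
/* Tell the stream layer to discard the packet currently being processed
 * (this replaces the old STATE_DROPPKT return bit). */
static void drop_current_pkt(const struct streaminfo *a_stream)
{
    int opt_value=1;
    MESA_set_stream_opt(a_stream, MSO_DROP_CURRENT_PKT, (void *)&opt_value, sizeof(opt_value));
}
```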
@@ -805,14 +824,17 @@ static unsigned char do_action_redirect_http(const struct streaminfo *a_stream, used_http_hdr_len=http_get_redirect_url(a_stream, p_result, user_region->deny->redirect_url_to, user_region->deny->code, http_hdr, sizeof(http_hdr)); break; default: - return STATE_DROPME|STATE_DROPPKT; + MESA_set_stream_opt(a_stream, MSO_DROP_CURRENT_PKT, (void *)&opt_value, sizeof(opt_value)); + return STATE_DROPME; break; } raw_route_dir=(a_stream->curdir==DIR_C2S) ? MESA_dir_reverse(a_stream->routedir) : a_stream->routedir; tsg_send_inject_packet( a_stream, SIO_DEFAULT, http_hdr, used_http_hdr_len, raw_route_dir); - return STATE_DROPME|STATE_DROPPKT; + MESA_set_stream_opt(a_stream, MSO_DROP_CURRENT_PKT, (void *)&opt_value, sizeof(opt_value)); + + return STATE_DROPME; } static unsigned char do_action_redirect_xxx(const struct streaminfo *a_stream, struct maat_rule *p_result, struct compile_user_region *user_region, enum TSG_PROTOCOL protocol, const void *user_data) @@ -835,7 +857,7 @@ static unsigned char do_action_redirect_xxx(const struct streaminfo *a_stream, s break; } - return STATE_DROPME|STATE_DROPPKT; + return STATE_DROPME; } static unsigned char tsg_do_deny_action(const struct streaminfo *a_stream, struct compile_user_region *user_region, struct maat_rule *p_result, enum TSG_PROTOCOL protocol, enum ACTION_RETURN_TYPE type, const void *user_data) 
@@ -926,9 +948,8 @@ static unsigned char tsg_do_deny_action(const struct streaminfo *a_stream, struc state|=((type==ACTION_RETURN_TYPE_PROT) ? (local_state&STATE_DROPME ? PROT_STATE_DROPME : 0) : (local_state&STATE_DROPME ? APP_STATE_DROPME : 0)); state|=((type==ACTION_RETURN_TYPE_PROT) ? (local_state&STATE_GIVEME ? PROT_STATE_GIVEME: 0) : 0); //state|=((type==ACTION_RETURN_TYPE_PROT) ? (local_state&STATE_GIVEME ? PROT_STATE_GIVEME: 0) : (local_state&STATE_GIVEME ? APP_STATE_GIVEME: 0)); - state|=((type==ACTION_RETURN_TYPE_PROT) ? (local_state&STATE_DROPPKT ? PROT_STATE_DROPPKT : 0) : (local_state&STATE_DROPPKT ? APP_STATE_DROPPKT: 0)); state|=((type==ACTION_RETURN_TYPE_PROT) ? (0) : (local_state&STATE_KILL_OTHER ? APP_STATE_KILL_OTHER : 0)); - + return state; } diff --git a/src/tsg_bridge.cpp b/src/tsg_bridge.cpp index 182d494..2d2c34a 100644 --- a/src/tsg_bridge.cpp +++ b/src/tsg_bridge.cpp @@ -109,12 +109,6 @@ void session_runtime_process_context_free(const struct streaminfo *a_stream, int srt_process_context->mid=NULL; } - if(srt_process_context->hited_result!=NULL) - { - dictator_free(a_stream->threadnum, (void *)srt_process_context->hited_result); - srt_process_context->hited_result=NULL; - } - dictator_free(a_stream->threadnum, (void *)srt_process_context); srt_process_context=NULL; } @@ -561,6 +555,16 @@ const char *srt_process_context_get_quic_ua(const struct session_runtime_process return NULL; } +unsigned char srt_process_context_get_hitted_allow_flag(const struct session_runtime_process_context *srt_process_context) +{ + if(srt_process_context!=NULL) + { + return srt_process_context->is_hitted_allow; + } + + return 0; +} + int session_runtime_action_context_async(const struct streaminfo *a_stream, void *data) { return session_async_bridge_set_data(a_stream, g_tm_bridge_para[BRIDGE_TYPE_SESSION_ACTION_CONTEXT].id, data); 
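Review bot: In `tsg_do_deny_action` the `STATE_DROPPKT` mapping is removed, but the `STATE_KILL_OTHER` mapping just below it is kept even though every producer visible in this commit (`do_action_tamper`'s APP path, `do_action_ratelimit`) stopped returning that bit, and the commented-out `//state|=...` line above it survives too. If no remaining deny action returns `STATE_KILL_OTHER` (tsg_proxy.cpp is not visible here), that line and the `#define STATE_KILL_OTHER 8` in tsg_protocol_common.h are dead, and the intent of this commit — letting monitor rules keep running alongside an allow/deny — is clearer if they go the same way as `STATE_DROPPKT`; otherwise a comment on the define naming the action that still uses it would stop the next reader from "cleaning it up". Delete the commented-out `//state|=` line either way. `tsg_do_deny_action` starts outside the hunk.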
@@ -899,16 +903,6 @@ void session_matched_rules_notify(const struct streaminfo *a_stream, TSG_SERVICE session_matched_rules_free_by_bridge(a_stream, g_tm_bridge_para[bridge_idx].id, (void *)matched_policy); } } - - if(rules[0].action<matched_policy->rules[0].action) - { - return ; - } - - if(rules[0].action>matched_policy->rules[0].action) - { - matched_policy->n_rules=0; - } size_t num=MIN(MAX_RESULT_NUM-matched_policy->n_rules, n_rules); for(size_t i=0; i<num; i++) diff --git a/src/tsg_bridge.h b/src/tsg_bridge.h index bbbf0fc..837fa41 100644 --- a/src/tsg_bridge.h +++ b/src/tsg_bridge.h @@ -65,7 +65,7 @@ struct hited_app_para struct session_runtime_process_context { unsigned char is_esni; - unsigned char is_hited_allow; + unsigned char is_hitted_allow; unsigned char deal_pkt_num; unsigned char is_app_link; unsigned char sync_cb_state; @@ -92,7 +92,6 @@ struct session_runtime_process_context struct maat_state *mid; struct hited_app_para hited_para; // l7 protocol and app long long last_scan_time; - struct maat_rule *hited_result; }; struct session_runtime_action_context @@ -195,3 +194,6 @@ int srt_action_context_set_hitted_app_id(const struct streaminfo * a_stream, int char srt_action_context_get_direction(const struct streaminfo * a_stream); + +const struct session_runtime_process_context *session_runtime_process_context_new(const struct streaminfo * a_stream); + diff --git a/src/tsg_dns.cpp b/src/tsg_dns.cpp index f64cf3e..bcb8a8e 100644 --- a/src/tsg_dns.cpp +++ b/src/tsg_dns.cpp @@ -219,6 +219,7 @@ static int dns_set_answer_records(char *payload, int payload_len, struct dns_ans unsigned char do_action_redirect_dns(const struct streaminfo *a_stream, struct maat_rule *p_result, struct compile_user_region *user_region, const void *user_data) { + int opt_value=0; int ret=0,used_len=0,record_num=0; unsigned char raw_route_dir=0; char payload[1024]={0}; 
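Review bot: Removing the action-ordering check in `session_matched_rules_notify` makes the stored list order-dependent: rules now append in call order up to `MAX_RESULT_NUM`, where before a higher-valued action replaced the list and a lower-valued one was ignored. Consumers still treat index 0 as the decisive rule — in tsg_entry.cpp the method-DROP path copies one rule with `session_matched_rules_copy(a_stream, TSG_SERVICE_SECURITY, &(security_rules[0]), 1)` and bails unless `security_rules[0].action==TSG_ACTION_DENY` — so a monitor rule notified on an earlier packet followed by a deny on a later one would leave that deny unenforced on that path, assuming `matched_policy->rules` keeps insertion order as the visible loop suggests. `matched_security_rules_deal` does notify the decision rule before the monitor rules within one call, but nothing orders across calls. Either give deny/allow a fixed slot (document at the top of the function that index 0 is reserved for the decision rule and monitor entries follow) or change the consumer to copy all rules and pick the first with `action==TSG_ACTION_DENY`. `session_matched_rules_notify` starts and ends outside the hunk.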
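Review bot: The new declaration `const struct session_runtime_process_context *session_runtime_process_context_new(const struct streaminfo * a_stream);` in tsg_bridge.h returns a const pointer, yet every caller added in tsg_entry.cpp immediately casts it to a mutable `struct session_runtime_process_context *` and writes to it (`is_hitted_allow=1`, `session_flag=...`), so the const is misleading and only forces const-casts; declare it as returning `struct session_runtime_process_context *`. Its definition is not in this diff, so I assume it already exists in tsg_bridge.cpp — if not, this fails at link time — and the declaration should say whether it also registers the context with the session, because the replaced `init_context` callers used to call `session_runtime_process_context_async` explicitly and now do not. A one-line comment on the renamed field, e.g. `unsigned char is_hitted_allow; /* set once a BYPASS rule wins; tsg_master_data_entry then passes later packets without re-evaluating */`, would also help since this is the flag the new getter exposes.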
@@ -247,7 +248,8 @@ unsigned char do_action_redirect_dns(const struct streaminfo *a_stream, struct m ret=dns_set_response_question(payload+used_len, payload_len-used_len, &(dns_info->query_question)); if(ret==-1) { - return STATE_GIVEME|STATE_DROPPKT; + MESA_set_stream_opt(a_stream, MSO_DROP_CURRENT_PKT, (void *)&opt_value, sizeof(opt_value)); + return STATE_GIVEME; } used_len+=ret; @@ -263,6 +265,8 @@ unsigned char do_action_redirect_dns(const struct streaminfo *a_stream, struct m raw_route_dir=(dns_info->hdr_info.qr==0) ? MESA_dir_reverse(a_stream->routedir) : a_stream->routedir; tsg_send_inject_packet(a_stream, SIO_DEFAULT, payload, used_len, raw_route_dir); - return STATE_GIVEME|STATE_DROPPKT; + MESA_set_stream_opt(a_stream, MSO_DROP_CURRENT_PKT, (void *)&opt_value, sizeof(opt_value)); + + return STATE_GIVEME; } diff --git a/src/tsg_entry.cpp b/src/tsg_entry.cpp index fb72631..5c3114c 100644 --- a/src/tsg_entry.cpp +++ b/src/tsg_entry.cpp @@ -32,6 +32,7 @@ #include "tsg_protocol_common.h" #include "tsg_sync_state.h" #include "tsg_proxy.h" +#include "tsg_bridge.h" #ifdef __cplusplus extern "C" @@ -182,14 +183,6 @@ static int init_fs2_handle(const char *conffile) return 0; } -static int init_context(void **pme, int thread_seq) -{ - *pme=dictator_malloc(thread_seq, sizeof(struct session_runtime_process_context)); - memset(*pme, 0, sizeof(struct session_runtime_process_context)); - - return 0; -} - static int tsg_get_sn(char *filename, char *device_sn, int device_sn_len) { int flags=0; 
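Review bot: `do_action_redirect_dns` initialises `int opt_value=0;` and then passes it to `MESA_set_stream_opt(a_stream, MSO_DROP_CURRENT_PKT, ...)` both on the error path and after injecting the forged response, whereas every other site in this commit (tsg_action.cpp, tsg_icmp.cpp) uses `opt_value=1` for the same option. If the value is the on/off flag its other uses suggest, the DNS redirect no longer suppresses the original DNS packet: the real query or answer continues alongside the injected one and the client can take the genuine answer, which defeats the redirect (the old code returned `STATE_GIVEME|STATE_DROPPKT` here). Change the declaration to `int opt_value=1;`. `do_action_redirect_dns` continues past the hunk.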
@@ -1036,127 +1029,6 @@ int session_state_sync_in_activing(const struct streaminfo *a_stream, TSG_SERVIC return 1; } -static int session_runtime_process_log_send(const struct streaminfo *a_stream, struct maat_rule *rules, int n_rules, struct session_runtime_process_context *srt_process_context, int thread_seq) -{ - char *domain_field_name=NULL; - char *schema_field_name=NULL; - char *quic_ua_field_name=NULL; - char *quic_version_field_name=NULL; - struct TLD_handle_t *TLD_handle=NULL; - enum TSG_PROTOCOL proto=PROTO_UNKONWN; - struct tsg_conn_sketch_notify_data *notify=NULL; - if(srt_process_context!=NULL) - { - proto=srt_process_context->proto; - } - - if(rules[0].action==TSG_ACTION_MONITOR) - { - switch(proto) - { - case PROTO_SSH: - case PROTO_RDP: - case PROTO_STRATUM: - notify=(struct tsg_conn_sketch_notify_data *)session_conn_sketch_notify_data_get(a_stream); - if (notify != NULL && notify->pdata.TLD_handle!=NULL && (notify->protocol== PROTO_SSH || notify->protocol== PROTO_STRATUM || notify->protocol== PROTO_RDP)) - { - TLD_handle = TLD_duplicate(notify->pdata.TLD_handle); - if (TLD_handle!=NULL) - { - tsg_send_log(g_tsg_log_instance, TLD_handle, a_stream, LOG_TYPE_SECURITY_EVENT, rules, n_rules, thread_seq); - return 1; - } - } - break; - default: - break; - } - } - - TLD_handle=TLD_create(thread_seq); - schema_field_name=log_field_id2name(g_tsg_log_instance, LOG_COMMON_SCHAME_TYPE); - - if(proto>PROTO_UNKONWN && proto<PROTO_MAX) - { - if(proto==PROTO_IMAP || proto==PROTO_SMTP || proto==PROTO_POP3) - { - TLD_append(TLD_handle, schema_field_name, (void *)g_tsg_proto_name2id[PROTO_MAIL].name, TLD_TYPE_STRING); - TLD_append(TLD_handle, (char *)"mail_protocol_type", (void *)g_tsg_proto_name2id[proto].name, TLD_TYPE_STRING); - } - else - { - TLD_append(TLD_handle, schema_field_name, (void *)g_tsg_proto_name2id[proto].name, TLD_TYPE_STRING); - } - - - if(proto==PROTO_HTTP) - { - TLD_append(TLD_handle, (char *)"http_version", (void *)"http1", TLD_TYPE_STRING); - 
TLD_append(TLD_handle, (char *)"http_sequence", (void *)1, TLD_TYPE_LONG); - } - - if(srt_process_context!=NULL && srt_process_context->domain!=NULL) - { - switch(proto) - { - case PROTO_HTTP: - domain_field_name=log_field_id2name(g_tsg_log_instance, LOG_HTTP_HOST); - TLD_append(TLD_handle, domain_field_name, (void *)srt_process_context->domain, TLD_TYPE_STRING); - - if(srt_process_context->http_url!=NULL) - { - domain_field_name=log_field_id2name(g_tsg_log_instance, LOG_HTTP_URL); - TLD_append(TLD_handle, domain_field_name, (void *)srt_process_context->http_url, TLD_TYPE_STRING); - } - break; - case PROTO_SSL: - domain_field_name=log_field_id2name(g_tsg_log_instance, LOG_SSL_SNI); - TLD_append(TLD_handle, domain_field_name, (void *)srt_process_context->domain, TLD_TYPE_STRING); - break; - case PROTO_QUIC: - domain_field_name=log_field_id2name(g_tsg_log_instance, LOG_QUIC_SNI); - TLD_append(TLD_handle, domain_field_name, (void *)srt_process_context->domain, TLD_TYPE_STRING); - break; - case PROTO_DTLS: - domain_field_name=log_field_id2name(g_tsg_log_instance, LOG_DTLS_SNI); - TLD_append(TLD_handle, domain_field_name, (void *)srt_process_context->domain, TLD_TYPE_STRING); - break; - default: - break; - } - } - - if(srt_process_context!=NULL && srt_process_context->quic_version>0) - { - char quic_version[64]={0}; - if(quic_version_int2string(srt_process_context->quic_version, quic_version, sizeof(quic_version))) - { - quic_version_field_name=log_field_id2name(g_tsg_log_instance, LOG_QUIC_VERSION); - TLD_append(TLD_handle, quic_version_field_name, (void *)quic_version, TLD_TYPE_STRING); - } - - if(srt_process_context->quic_ua!=NULL) - { - quic_ua_field_name=log_field_id2name(g_tsg_log_instance, LOG_QUIC_USER_AGENT); - TLD_append(TLD_handle, quic_ua_field_name, (void *)srt_process_context->quic_ua, TLD_TYPE_STRING); - } - } - } - else - { - TLD_append(TLD_handle, schema_field_name, (void *)g_tsg_proto_name2id[PROTO_APP].name, TLD_TYPE_STRING); - } - - 
if(srt_process_context!=NULL && srt_process_context->hited_app_id>0) - { - session_app_gather_results_update_matched_app_id(a_stream, srt_process_context->hited_app_id); - } - - tsg_send_log(g_tsg_log_instance, TLD_handle, a_stream, LOG_TYPE_SECURITY_EVENT, rules, n_rules, thread_seq); - - return 1; -} - static char session_tcp_establish_latency_ms_set(const struct streaminfo *a_tcp, int thread_seq,const void *ip_hdr) { struct tcphdr *tcp=NULL; @@ -1506,6 +1378,7 @@ static unsigned char matched_security_rules_deal(const struct streaminfo *a_stre struct maat_rule *p_rule=matched_rules_decision_criteria(security_rules, n_security_rules); if(p_rule->action==TSG_ACTION_SHUNT) { + tsg_set_policy_flow(a_stream, p_rule, a_stream->threadnum); srt_action_context_set_rule_method(a_stream, TSG_METHOD_TYPE_SHUNT, a_stream->threadnum); return APP_STATE_DROPME|APP_STATE_KILL_OTHER; } 
@@ -1542,33 +1415,31 @@ static unsigned char matched_security_rules_deal(const struct streaminfo *a_stre } } - if(srt_process_context->hited_result==NULL) - { - srt_process_context->hited_result=(struct maat_rule *)dictator_malloc(1, sizeof(struct maat_rule)); - memcpy(srt_process_context->hited_result, p_rule, sizeof(struct maat_rule)); - } - break; - case TSG_ACTION_MONITOR: - if(srt_process_context->proto==PROTO_RTP) + if(srt_process_context->proto==PROTO_HTTP || srt_process_context->proto==PROTO_SSL) { - break; + state|=APP_STATE_KILL_OTHER; } - session_packet_capture_by_rules_notify(a_stream, security_rules, n_security_rules, a_stream->threadnum); - session_matched_rules_notify(a_stream, TSG_SERVICE_SECURITY, security_rules, n_security_rules, a_stream->threadnum); + session_matched_rules_notify(a_stream, TSG_SERVICE_SECURITY, p_rule, 1, a_stream->threadnum); break; case TSG_ACTION_BYPASS: - srt_process_context->is_hited_allow=1; - srt_process_context->hited_result=(struct maat_rule *)dictator_malloc(1, sizeof(struct maat_rule)); - memcpy(srt_process_context->hited_result, p_rule, sizeof(struct maat_rule)); - FS_operate(g_tsg_para.fs2_handle, g_tsg_para.fs2_field_id[TSG_FS2_BYPASS], 0, FS_OP_ADD, 1); - state=APP_STATE_GIVEME|APP_STATE_KILL_FOLLOW; + srt_process_context->is_hitted_allow=1; + session_matched_rules_notify(a_stream, TSG_SERVICE_SECURITY, p_rule, 1, a_stream->threadnum); + FS_operate(g_tsg_para.fs2_handle, g_tsg_para.fs2_field_id[TSG_FS2_BYPASS], 0, FS_OP_ADD, 1); srt_action_context_set_rule_method(a_stream, TSG_METHOD_TYPE_ALLOW, a_stream->threadnum); break; default: break; } + + struct maat_rule monitor_rules[MAX_RESULT_NUM]={0}; + size_t n_monitor_rules=tsg_select_rules_by_action(security_rules, n_security_rules, monitor_rules, MAX_RESULT_NUM, TSG_ACTION_MONITOR); + if(n_monitor_rules>0) + { + session_packet_capture_by_rules_notify(a_stream, monitor_rules, n_monitor_rules, a_stream->threadnum); + session_matched_rules_notify(a_stream, 
TSG_SERVICE_SECURITY, monitor_rules, n_monitor_rules, a_stream->threadnum); + } return state; } @@ -1647,8 +1518,7 @@ int session_app_identify_result_cb(const struct streaminfo *a_stream, int bridge struct session_runtime_process_context *srt_process_context=(struct session_runtime_process_context *)session_runtime_process_context_get(a_stream); if(srt_process_context==NULL) { - init_context((void **)(&srt_process_context), a_stream->threadnum); - session_runtime_process_context_async(a_stream, (void *)srt_process_context); + srt_process_context=(struct session_runtime_process_context *)session_runtime_process_context_new(a_stream); } struct gather_app_result *gather_result=(struct gather_app_result *)session_gather_app_results_get(a_stream); @@ -1715,8 +1585,7 @@ int session_flags_identify_result_cb(const struct streaminfo *a_stream, int brid struct session_runtime_process_context *srt_process_context=(struct session_runtime_process_context *)session_runtime_process_context_get(a_stream); if(srt_process_context==NULL) { - init_context((void **)(&srt_process_context), a_stream->threadnum); - session_runtime_process_context_async(a_stream, (void *)srt_process_context); + srt_process_context=(struct session_runtime_process_context *)session_runtime_process_context_new(a_stream); } srt_process_context->session_flag=*(unsigned long *)(data); @@ -1820,9 +1689,8 @@ static unsigned char tsg_master_data_entry(const struct streaminfo *a_stream, vo srt_process_context=(struct session_runtime_process_context *)session_runtime_process_context_get(a_stream); if(srt_process_context==NULL) { - init_context(pme, thread_seq); - srt_process_context=(struct session_runtime_process_context *)*pme; - session_runtime_process_context_async(a_stream, *pme); + srt_process_context=(struct session_runtime_process_context *)session_runtime_process_context_new(a_stream); + *pme=(void *)srt_process_context; } else { 
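Review bot: In `matched_security_rules_deal` the `TSG_ACTION_BYPASS` case no longer assigns `state` (the removed `state=APP_STATE_GIVEME|APP_STATE_KILL_FOLLOW;`), so an allow now returns whatever `state` held on entry, which is initialised outside this hunk; if that initial value is not `APP_STATE_GIVEME`, the allowed session is not passed on. Dropping `KILL_FOLLOW` is presumably deliberate so the monitor rules selected after the switch keep running, but make it explicit with `state=APP_STATE_GIVEME; // allow wins the decision; monitor rules below still see the session` in that case. Note also that the `case TSG_ACTION_MONITOR:` label was removed, so the `if(proto==PROTO_HTTP||PROTO_SSL) state|=APP_STATE_KILL_OTHER;` and the single-rule notify now belong to the preceding case, whose label is outside the hunk; a comment there saying monitor rules are handled after the switch would stop the next reader from re-adding the label. `matched_security_rules_deal` starts outside the hunk.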
@@ -1871,9 +1739,9 @@ static unsigned char tsg_master_data_entry(const struct streaminfo *a_stream, vo session_app_identify_result_cb(a_stream, 0, (void *)&unknown_result); } - if(srt_process_context->is_hited_allow) + if(srt_process_context->is_hitted_allow) { - state=APP_STATE_KILL_OTHER|APP_STATE_GIVEME; + state=APP_STATE_GIVEME; break; } @@ -1924,10 +1792,6 @@ static unsigned char tsg_master_data_entry(const struct streaminfo *a_stream, vo if((a_stream->opstate==OP_STATE_CLOSE) || (state&APP_STATE_DROPME)==APP_STATE_DROPME) { - if(srt_process_context->hited_result) - { - session_runtime_process_log_send(a_stream, srt_process_context->hited_result, 1, srt_process_context, thread_seq); - } *pme=NULL; } @@ -1938,11 +1802,10 @@ static unsigned char tsg_master_all_entry(const struct streaminfo *a_stream, uns { int ret=0; int eth_rawpkt_len=0; - struct maat_rule *p_result=NULL; unsigned char state=APP_STATE_GIVEME; struct maat_rule matched_rules[MAX_TSG_ALL_RESULT_NUM]={0}; - struct maat_rule security_results[MAX_RESULT_NUM]={0}; - struct maat_rule shaping_results[MAX_RESULT_NUM]={0}; + struct maat_rule security_rules[MAX_RESULT_NUM]={0}; + struct maat_rule shaping_rules[MAX_RESULT_NUM]={0}; struct session_runtime_action_context *srt_action_context=(struct session_runtime_action_context *)(*pme); if(stream_state==OP_STATE_PENDING && srt_action_context->method_type!=TSG_METHOD_TYPE_SHUNT && !(srt_action_context->udp_data_dropme)) 
@@ -1953,41 +1816,28 @@ static unsigned char tsg_master_all_entry(const struct streaminfo *a_stream, uns srt_action_context->default_policy_after_n_packets=get_default_para(a_stream); } - struct maat_state *scan_mid=maat_state_new(g_tsg_maat_feather, thread_seq); int hit_num=tsg_scan_nesting_addr(a_stream, g_tsg_maat_feather, PROTO_UNKONWN, scan_mid, matched_rules, MAX_TSG_ALL_RESULT_NUM); if(hit_num>0) { - int security_result_num = tsg_select_rules_by_service_id(matched_rules, hit_num, security_results, MAX_RESULT_NUM, TSG_SERVICE_SECURITY); - p_result=matched_rules_decision_criteria(security_results, security_result_num); - if(p_result!=NULL) + int n_security_rules=tsg_select_rules_by_service_id(matched_rules, hit_num, security_rules, MAX_RESULT_NUM, TSG_SERVICE_SECURITY); + if(n_security_rules>0) { - switch(p_result->action) - { - case TSG_ACTION_DENY: - state=tsg_enforing_deny(a_stream, p_result, PROTO_UNKONWN, ACTION_RETURN_TYPE_TCPALL, a_packet); - session_runtime_process_log_send(a_stream, p_result, 1, NULL, thread_seq); - break; - case TSG_ACTION_MONITOR: - session_packet_capture_by_rules_notify(a_stream, security_results, hit_num, thread_seq); - session_matched_rules_notify(a_stream, TSG_SERVICE_SECURITY, security_results, security_result_num,thread_seq); - break; - default: - break; - } + struct session_runtime_process_context *srt_process_context=(struct session_runtime_process_context *)session_runtime_process_context_new(a_stream); + state=matched_security_rules_deal(a_stream, srt_process_context, security_rules, n_security_rules, a_packet, thread_seq); } - - struct maat_rule s_chaining_result[MAX_RESULT_NUM]={0}; - size_t n_s_chaining_results=tsg_select_rules_by_service_id(matched_rules, hit_num, s_chaining_result, MAX_RESULT_NUM, TSG_SERVICE_CHAINING); - if(state==APP_STATE_GIVEME && n_s_chaining_results>0) + + struct maat_rule s_chaining_rules[MAX_RESULT_NUM]={0}; + size_t n_s_chaining_rules=tsg_select_rules_by_service_id(matched_rules, hit_num, 
s_chaining_rules, MAX_RESULT_NUM, TSG_SERVICE_CHAINING); + if(state==APP_STATE_GIVEME && n_s_chaining_rules>0) { - matched_service_chaining_rules_deal(a_stream, s_chaining_result, n_s_chaining_results, thread_seq); + matched_service_chaining_rules_deal(a_stream, s_chaining_rules, n_s_chaining_rules, thread_seq); } - size_t n_shaping_results=tsg_select_rules_by_service_id(matched_rules, hit_num, shaping_results, MAX_RESULT_NUM, TSG_SERVICE_SHAPING); - if(state==APP_STATE_GIVEME && n_shaping_results>0) + size_t n_shaping_rules=tsg_select_rules_by_service_id(matched_rules, hit_num, shaping_rules, MAX_RESULT_NUM, TSG_SERVICE_SHAPING); + if(state==APP_STATE_GIVEME && n_shaping_rules>0) { - matched_shaping_rules_deal(a_stream, shaping_results, n_shaping_results, thread_seq); + matched_shaping_rules_deal(a_stream, shaping_rules, n_shaping_rules, thread_seq); } } @@ -2022,10 +1872,10 @@ static unsigned char tsg_master_all_entry(const struct streaminfo *a_stream, uns break; } - if(get_default_policy(&security_results[0])) + if(get_default_policy(&security_rules[0])) { - state=tsg_enforing_deny(a_stream, &security_results[0], PROTO_UNKONWN, ACTION_RETURN_TYPE_TCPALL, a_packet); - session_runtime_process_log_send(a_stream, &security_results[0], 1, NULL, thread_seq); + state=tsg_enforing_deny(a_stream, &security_rules[0], PROTO_UNKONWN, ACTION_RETURN_TYPE_TCPALL, a_packet); + session_matched_rules_notify(a_stream, TSG_SERVICE_SECURITY, &security_rules[0], 1, thread_seq); } break; case TSG_METHOD_TYPE_DROP: 
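Review bot: `tsg_master_all_entry` now calls `session_runtime_process_context_new(a_stream)` unconditionally whenever security rules hit, while the three other call sites in this commit only call it after `session_runtime_process_context_get(a_stream)` returns NULL. If this entry is reached more than once for a stream (the surrounding `OP_STATE_PENDING` guard and `after_n_packets` logic suggest per-packet calls), each hit allocates a fresh context and, if `_new` also registers it, replaces the one `tsg_master_data_entry` may already have filled (`proto`, `domain`, `is_hitted_allow`), so `matched_security_rules_deal` runs against an empty context and the previous one leaks. Mirror the other sites: `struct session_runtime_process_context *srt_process_context=(struct session_runtime_process_context *)session_runtime_process_context_get(a_stream); if(srt_process_context==NULL) { srt_process_context=(struct session_runtime_process_context *)session_runtime_process_context_new(a_stream); }`, and bail if it is still NULL since `matched_security_rules_deal` dereferences `srt_process_context->proto`. `tsg_master_all_entry` starts and ends outside the hunk.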
@@ -2038,20 +1888,20 @@ static unsigned char tsg_master_all_entry(const struct streaminfo *a_stream, uns srt_action_context->hited_para.after_n_packets--; break; } - ret=session_matched_rules_copy(a_stream, TSG_SERVICE_SECURITY, &(security_results[0]), 1); + ret=session_matched_rules_copy(a_stream, TSG_SERVICE_SECURITY, &(security_rules[0]), 1); //ret=tsg_pull_policy_result((struct streaminfo *)a_stream,PULL_FW_RESULT, &security_result[0], 1, &tmp_identify_info); - if(ret<=0 || security_results[0].action!=TSG_ACTION_DENY) + if(ret<=0 || security_rules[0].action!=TSG_ACTION_DENY) { break; } if(srt_action_context->hited_para.hited_app_id<=0) { - state=tsg_enforing_deny(a_stream, &(security_results[0]), srt_action_context->protocol, ACTION_RETURN_TYPE_TCPALL, a_packet); + state=tsg_enforing_deny(a_stream, &(security_rules[0]), srt_action_context->protocol, ACTION_RETURN_TYPE_TCPALL, a_packet); } else { - state=tsg_enforing_deny_application(a_stream, &(security_results[0]), srt_action_context->protocol, srt_action_context->hited_para.hited_app_id, ACTION_RETURN_TYPE_TCPALL, a_packet); + state=tsg_enforing_deny_application(a_stream, &(security_rules[0]), srt_action_context->protocol, srt_action_context->hited_para.hited_app_id, ACTION_RETURN_TYPE_TCPALL, a_packet); } break; case TSG_METHOD_TYPE_SHUNT: diff --git a/src/tsg_icmp.cpp b/src/tsg_icmp.cpp index ef502c8..daabb9d 100644 --- a/src/tsg_icmp.cpp +++ b/src/tsg_icmp.cpp 
@@ -306,48 +306,41 @@ static void format_icmp(const char *raw_pkt, char *icmp_buf, int *icmp_len, int
 unsigned char send_icmp_unreachable(const struct streaminfo *a_stream)
 {
- char icmp_buf[ICMP_MAX_LEN] = {0};
- char debug_buf[512] = {0};
- int icmp_len = 0;
- int get_rawpkt_ret = 0;
- void *raw_pkt = NULL;
-
- if(a_stream==NULL){
- MESA_handle_runtime_log(g_tsg_para.logger,
- RLOG_LV_DEBUG,
- __FUNCTION__,
- "a_stream is NULL");
- return STATE_DROPPKT;
- }
-
- get_rawpkt_ret = get_rawpkt_opt_from_streaminfo(a_stream, RAW_PKT_GET_DATA, &raw_pkt);
- MESA_handle_runtime_log(g_tsg_para.logger,
- RLOG_LV_DEBUG,
- __FUNCTION__,
- "get_raw_opt_from_streaminfo() get_rawpkt_ret = %d", get_rawpkt_ret);
- if(0==get_rawpkt_ret && NULL!=raw_pkt){
- //(struct mesa_ethernet_hdr *)raw_pkt_data;
- format_icmp((char *)raw_pkt+ETHERNET_BYTE_LEN, icmp_buf, &icmp_len, a_stream->addr.addrtype);
- }else if(1==get_rawpkt_ret && NULL!=raw_pkt){
- //(raw_ipfrag_list_t *)raw_pkt_data;
- //format_icmp((char *)(((raw_ipfrag_list_t *)raw_pkt)->frag_packet)+ETHERNET_BYTE_LEN, icmp_buf, &icmp_len, a_stream->addr.addrtype);
- return STATE_DROPPKT;
- }else{
- //error
- return STATE_DROPPKT;
- }
-
- if(0 == tsg_send_inject_packet(a_stream, SIO_EXCLUDE_THIS_LAYER_HDR, icmp_buf, icmp_len, MESA_dir_reverse(a_stream->routedir))){
- sprintf(debug_buf, "Addr: %s, send sucess, get_rawpkt_ret %d, icmp_buf %p, icmp_len %d", PRINTADDR(a_stream, g_tsg_para.level), get_rawpkt_ret, icmp_buf, icmp_len);
- }else{
- sprintf(debug_buf, "Addr: %s, send failed, get_rawpkt_ret %d, icmp_buf %p, icmp_len %d", PRINTADDR(a_stream, g_tsg_para.level), get_rawpkt_ret, icmp_buf, icmp_len);
- }
-
- MESA_handle_runtime_log(g_tsg_para.logger,
- RLOG_LV_DEBUG,
- __FUNCTION__,
- debug_buf);
-
- return STATE_DROPME|STATE_DROPPKT;
+ char icmp_buf[ICMP_MAX_LEN] = {0};
+ int icmp_len = 0;
+ int get_rawpkt_ret = 0;
+ void *raw_pkt = NULL;
+ int opt_value=1;
+
+ if(a_stream==NULL)
+ {
+ MESA_handle_runtime_log(g_tsg_para.logger,
RLOG_LV_DEBUG, __FUNCTION__, "a_stream is NULL");
+ MESA_set_stream_opt(a_stream, MSO_DROP_CURRENT_PKT, (void *)&opt_value, sizeof(opt_value));
+ return STATE_GIVEME;
+ }
+
+ get_rawpkt_ret = get_rawpkt_opt_from_streaminfo(a_stream, RAW_PKT_GET_DATA, &raw_pkt);
+ MESA_handle_runtime_log(g_tsg_para.logger, RLOG_LV_DEBUG, __FUNCTION__, "get_raw_opt_from_streaminfo() get_rawpkt_ret = %d", get_rawpkt_ret);
+ if(0==get_rawpkt_ret && NULL!=raw_pkt)
+ {
+ format_icmp((char *)raw_pkt+ETHERNET_BYTE_LEN, icmp_buf, &icmp_len, a_stream->addr.addrtype);
+ }
+ else if(1==get_rawpkt_ret && NULL!=raw_pkt)
+ {
+ MESA_set_stream_opt(a_stream, MSO_DROP_CURRENT_PKT, (void *)&opt_value, sizeof(opt_value));
+ return STATE_GIVEME;
+ }
+ else
+ {
+ //error
+ MESA_set_stream_opt(a_stream, MSO_DROP_CURRENT_PKT, (void *)&opt_value, sizeof(opt_value));
+ return STATE_GIVEME;
+ }
+
+ tsg_send_inject_packet(a_stream, SIO_EXCLUDE_THIS_LAYER_HDR, icmp_buf, icmp_len, MESA_dir_reverse(a_stream->routedir));
+
+ MESA_set_stream_opt(a_stream, MSO_DROP_CURRENT_PKT, (void *)&opt_value, sizeof(opt_value));
+
+ return STATE_DROPME;
 }
diff --git a/src/tsg_protocol_common.h b/src/tsg_protocol_common.h
index 6d8a4ff..13a339c 100644
--- a/src/tsg_protocol_common.h
+++ b/src/tsg_protocol_common.h
@@ -9,7 +9,6 @@
 #define STATE_GIVEME 1
 #define STATE_DROPME 2
-#define STATE_DROPPKT 4
 #define STATE_KILL_OTHER 8
 enum TSG_DENY_TYPE
diff --git a/src/tsg_proxy.cpp b/src/tsg_proxy.cpp
index 7d7372f..5f069e3 100644
--- a/src/tsg_proxy.cpp
+++ b/src/tsg_proxy.cpp
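Review bot: In the `a_stream==NULL` branch the new code calls `MESA_set_stream_opt(a_stream, MSO_DROP_CURRENT_PKT, (void *)&opt_value, sizeof(opt_value));` on the very pointer it has just found to be NULL; there is no stream whose current packet could be dropped, so that branch should only log and return. The result of `tsg_send_inject_packet(...)` is now discarded, whereas the removed code at least logged "send sucess"/"send failed"; keep a check such as `if(tsg_send_inject_packet(a_stream, SIO_EXCLUDE_THIS_LAYER_HDR, icmp_buf, icmp_len, MESA_dir_reverse(a_stream->routedir))!=0) { MESA_handle_runtime_log(g_tsg_para.logger, RLOG_LV_DEBUG, __FUNCTION__, "inject icmp unreachable failed"); }` so a failed injection remains visible in debug logs. The MSO_DROP_CURRENT_PKT option is set on four of the five exits; funnelling them through one exit label that sets the option and returns the chosen state makes it harder to add a path that forgets it.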
@@ -310,24 +310,29 @@ void tsg_proxy_first_data_process(const struct streaminfo *stream, struct tsg_pr
 void tsg_proxy_tcp_options_parse(const struct streaminfo *stream, const void *a_packet)
 {
- struct pkt_info pktinfo;
- struct tsg_proxy_tcp_attribute *tcp_attr = tsg_proxy_tcp_attribute_get(stream);
+ if(a_packet==NULL)
+ {
+ return ;
+ }
+
+ struct pkt_info pktinfo;
+ struct tsg_proxy_tcp_attribute *tcp_attr = tsg_proxy_tcp_attribute_get(stream);
- if (tcp_attr == NULL) {
- return;
- }
+ if (tcp_attr == NULL) {
+ return;
+ }
 if (tcp_attr->first_data_pkt_processed) {
 return;
 }
- memset(&pktinfo, 0, sizeof(struct pkt_info));
- tsg_proxy_ip_header_parse(a_packet, (enum addr_type_t)stream->addr.addrtype, stream, &pktinfo);
- if (pktinfo.parse_failed) {
- MESA_handle_runtime_log(g_tsg_para.logger, RLOG_LV_FATAL, "PROXY", "invalid ip header, bypass pkt");
- return;
- }
+ memset(&pktinfo, 0, sizeof(struct pkt_info));
+ tsg_proxy_ip_header_parse(a_packet, (enum addr_type_t)stream->addr.addrtype, stream, &pktinfo);
+ if (pktinfo.parse_failed) {
+ MESA_handle_runtime_log(g_tsg_para.logger, RLOG_LV_FATAL, "PROXY", "invalid ip header, bypass pkt");
+ return;
+ }
 if(stream->ptcpdetail->datalen > 0)
 {
 tsg_proxy_first_data_process(stream, tcp_attr, &pktinfo);
@@ -337,7 +342,7 @@ void tsg_proxy_tcp_options_parse(const struct streaminfo *stream, const void *a_
 tsg_proxy_tcp_parse(tcp_attr, &pktinfo, stream);
- return;
+ return;
 }
 static void tsg_proxy_cmsg_subscriber_fill(struct session_runtime_attribute *session_attr, struct proxy_cmsg *cmsg)
diff --git a/src/tsg_rule.cpp b/src/tsg_rule.cpp
index 619a62d..7de6a99 100644
--- a/src/tsg_rule.cpp
+++ b/src/tsg_rule.cpp
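Review bot: Most of this hunk is re-indentation of unchanged lines (`struct pkt_info pktinfo;` through the `pktinfo.parse_failed` block), which buries the single functional change, the new `if(a_packet==NULL)` guard; whitespace-only churn belongs in its own commit so the behavioural change stays reviewable and blame-friendly. The guard itself is written as `return ;` with a stray space and Allman braces, while the surrounding code in this function uses `return;` and `if (...) {`; match the local style. `stream` is still dereferenced unconditionally in `tsg_proxy_tcp_attribute_get(stream)` and `stream->addr.addrtype`, so if a NULL packet is reachable here it is worth confirming whether the same can hold for `stream`. The second hunk at line 342 only re-indents `return;`.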
@@ -3080,6 +3080,27 @@ size_t tsg_matched_rules_select(struct maat *feather, TSG_SERVICE service, long
 return offset;
 }
+size_t tsg_select_rules_by_action(struct maat_rule *matched_rules, size_t n_matched_rules, struct maat_rule *rules, size_t n_rules, unsigned char action)
+{
+ size_t offset=0;
+ for(size_t i=0; i<n_matched_rules; i++)
+ {
+ if(offset>=n_rules)
+ {
+ break;
+ }
+
+ if(matched_rules[i].action!=action)
+ {
+ continue;
+ }
+
+ rules[offset++]=matched_rules[i];
+ }
+
+ return offset;
+}
+
 size_t tsg_select_rules_by_service_id(struct maat_rule *matched_rules, size_t n_matched_rules, struct maat_rule *rules, size_t n_rules, enum TSG_SERVICE service_id)
 {
 size_t offset=0;
diff --git a/src/tsg_rule_internal.h b/src/tsg_rule_internal.h
index 4989413..3ec8ef4 100644
--- a/src/tsg_rule_internal.h
+++ b/src/tsg_rule_internal.h
@@ -171,5 +171,6 @@ size_t tsg_scan_fqdn_category_id(const struct streaminfo * a_stream, struct maat
 int tsg_scan_intercept_exclusion(const struct streaminfo *a_stream, struct maat *feather, struct maat_rule *p_result, char *domain, int thread_seq);
 struct maat_rule *tsg_select_deny_rule(struct maat_rule *rules, size_t n_rules);
+size_t tsg_select_rules_by_action(struct maat_rule *matched_rules, size_t n_matched_rules, struct maat_rule *rules, size_t n_rules, unsigned char action);
 struct umts_user_info *tsg_get_umts_user_info_form_redis(struct maat *feather, long long teid);
diff --git a/test/src/gtest_bridge.cpp b/test/src/gtest_bridge.cpp
index 3d16ff0..333bf01 100644
--- a/test/src/gtest_bridge.cpp
+++ b/test/src/gtest_bridge.cpp
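Review bot: `tsg_select_rules_by_action` never writes through `matched_rules`, so declare that parameter `const struct maat_rule *matched_rules` (in the tsg_rule_internal.h declaration as well) to document that the source array is left untouched; the sibling `tsg_select_rules_by_service_id` directly below is line-for-line the same loop apart from the predicate, and could take the same treatment or share a helper. The function has no header comment; I would add `/* Copy the entries of matched_rules whose action equals action into rules, at most n_rules of them; returns the number copied, surplus matches are silently dropped. */` so the truncation behaviour is explicit, since a caller currently cannot distinguish a full buffer from an exact fit. A single declaration site for the new function is preferable; if it is also exported from a public header, keep the two signatures from drifting.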
@@ -389,9 +389,6 @@ static void tsg_bridge_test_init_process_ctx(const struct streaminfo *a_stream,
 process_ctx->http_url = (char *)dictator_malloc(a_stream->threadnum, strlen("thisishttp_url") + 1);
 memset(process_ctx->http_url, 0, strlen("thisishttp_url") + 1);
 memcpy(process_ctx->http_url, "thisishttp_url", strlen("thisishttp_url"));
-
- process_ctx->hited_result = (struct maat_rule *)dictator_malloc(a_stream->threadnum, sizeof(struct maat_rule));
- process_ctx->hited_result->rule_id = 10;
 }
 TEST(TSG_Bridge, ProcessAndActionContextAsync)
@@ -403,7 +400,6 @@ TEST(TSG_Bridge, ProcessAndActionContextAsync)
 EXPECT_EQ(session_runtime_action_context_get(&a_stream), action_ctx);
 struct session_runtime_process_context *process_test = (struct session_runtime_process_context *)session_runtime_process_context_get(&a_stream);
- EXPECT_EQ(process_test->hited_result[0].rule_id, 10);
 EXPECT_STREQ(process_test->domain, "thisisdomain");
 EXPECT_STREQ(process_test->http_url, "thisishttp_url");
 session_runtime_action_context_free(&a_stream, g_tm_bridge_para[BRIDGE_TYPE_SESSION_ACTION_CONTEXT].id, (void *)action_ctx);
diff --git a/test/src/gtest_master.cpp b/test/src/gtest_master.cpp
index 4795275..90febc9 100644
--- a/test/src/gtest_master.cpp
+++ b/test/src/gtest_master.cpp
@@ -552,11 +552,6 @@ TEST(TSGMaster, SecurityMultiplePolicyMonitorToIntercept)
 EXPECT_EQ(TSG_ACTION_MONITOR, matched_policy[2].action);
 EXPECT_EQ(TSG_ACTION_MONITOR, matched_policy[2].rule_id);
- ret=session_matched_rules_copy(&a_stream, TSG_SERVICE_SECURITY, &(matched_policy[2]), 1);
- EXPECT_EQ(1, ret);
- EXPECT_EQ(TSG_ACTION_MONITOR, matched_policy[2].action);
- EXPECT_EQ(TSG_ACTION_MONITOR, matched_policy[2].rule_id);
-
 const struct matched_policy_rules *hited_security=session_matched_rules_get(&a_stream, TSG_SERVICE_SECURITY);
 EXPECT_NE(nullptr, hited_security);
 EXPECT_EQ(1, hited_security->n_rules);
|
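Review bot: The test changes only delete assertions — the `session_matched_rules_copy` round-trip in SecurityMultiplePolicyMonitorToIntercept and the `hited_result` setup and expectation in gtest_bridge — while nothing is added for the behaviour this commit introduces, and `tsg_select_rules_by_action` in particular has no unit test. A small case that fills a maat_rule array with mixed TSG_ACTION_DENY and TSG_ACTION_MONITOR entries and asserts the returned count, that only rules of the requested action are copied, and the n_rules==0 and buffer-full boundaries would pin the new selection logic. It is also worth keeping a scenario that asserts a session holding both a monitor rule and a deny rule still ends up enforced, since that is the combination this commit enables.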
