authorliuxueli <[email protected]>2021-08-27 19:33:54 +0800
committerliuxueli <[email protected]>2021-08-27 19:33:54 +0800
commit98031e150462fac9e302774676d0378b960d456e (patch)
tree1ffb07677ef5b79eaa4173f9c10bf5eb52155408
parentac265ec46b41f23fb8212547945bffb8bc388e1c (diff)
TSG-7568: facebook、twitter,Monitor动作无日志v5.3.2
-rw-r--r--inc/tsg_rule.h2
-rw-r--r--src/tsg_action.cpp2
-rw-r--r--src/tsg_entry.cpp27
-rw-r--r--src/tsg_entry.h1
-rw-r--r--src/tsg_rule.cpp8
5 files changed, 23 insertions, 17 deletions
diff --git a/inc/tsg_rule.h b/inc/tsg_rule.h
index 53f2bdb..443ea37 100644
--- a/inc/tsg_rule.h
+++ b/inc/tsg_rule.h
@@ -24,7 +24,7 @@ enum TSG_METHOD_TYPE
TSG_METHOD_TYPE_BLOCK,
TSG_METHOD_TYPE_RESET,
TSG_METHOD_TYPE_ALERT,
- TSG_METHOD_TYPE_RATE_LINIT,
+ TSG_METHOD_TYPE_RATE_LIMIT,
TSG_METHOD_TYPE_MIRRORED,
TSG_METHOD_TYPE_MAX
};
diff --git a/src/tsg_action.cpp b/src/tsg_action.cpp
index 9617f0a..060c180 100644
--- a/src/tsg_action.cpp
+++ b/src/tsg_action.cpp
@@ -702,7 +702,7 @@ unsigned char tsg_deal_deny_action(const struct streaminfo *a_stream, Maat_rule_
case TSG_METHOD_TYPE_REDIRECTION:
local_state=do_action_redirect_xxx( a_stream, p_result, user_region, protocol, user_data);
break;
- case TSG_METHOD_TYPE_RATE_LINIT:
+ case TSG_METHOD_TYPE_RATE_LIMIT:
local_state=do_action_ratelimit(a_stream, p_result, user_region, type);
break;
default:
diff --git a/src/tsg_entry.cpp b/src/tsg_entry.cpp
index b43950d..8212ae2 100644
--- a/src/tsg_entry.cpp
+++ b/src/tsg_entry.cpp
@@ -493,7 +493,7 @@ static void free_tcpall_label(int thread_seq, void *project_req_value)
dictator_free(thread_seq, (void *)(context->vlan));
context->vlan=NULL;
break;
- case TSG_METHOD_TYPE_RATE_LINIT:
+ case TSG_METHOD_TYPE_RATE_LIMIT:
destroy_bucket(&(context->bucket), thread_seq);
break;
default:
@@ -607,7 +607,7 @@ static void copy_result_to_project(const struct streaminfo *a_stream, struct mas
MESA_handle_runtime_log(g_tsg_para.logger,
RLOG_LV_FATAL,
"PROJECT_ADD",
- "Add policy_priority_label failed, intercept policy, domain: %s policy_id: %d action: %d addr: %s",
+ "Add policy_priority_label failed, policy, domain: %s policy_id: %d action: %d addr: %s",
(domain!=NULL ? domain : ""),
priority_label->result[0].config_id,
(unsigned char)priority_label->result[0].action,
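Review bot: The reworded FATAL message on the `+` line still carries a stray ", policy," left over from dropping "intercept", so the log now reads "Add policy_priority_label failed, policy, domain: ..."; suggest `"Add policy_priority_label failed, domain: %s policy_id: %d action: %d addr: %s"` so the line is unambiguous for whoever greps it during an incident. The format arguments are unchanged, so only the literal needs to move. copy_result_to_project starts and ends outside the hunk.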
@@ -617,8 +617,8 @@ static void copy_result_to_project(const struct streaminfo *a_stream, struct mas
MESA_handle_runtime_log(g_tsg_para.logger,
RLOG_LV_DEBUG,
- "INTERCEPT",
- "Hit intercept policy, domain: %s policy_id: %d action: %d addr: %s",
+ "COPY_RESULT",
+ "Hit policy, domain: %s policy_id: %d action: %d addr: %s",
(domain!=NULL ? domain : ""),
priority_label->result[0].config_id,
(unsigned char)priority_label->result[0].action,
@@ -1262,7 +1262,7 @@ static unsigned char master_deal_scan_result(const struct streaminfo *a_stream,
}
break;
case TSG_ACTION_MONITOR:
- if(context->proto==PROTO_RTP || context->is_parent_ssl==1)
+ if(context->proto==PROTO_RTP)
{
break;
}
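Review bot: With the parent-SSL exclusion removed from this `TSG_ACTION_MONITOR` case, the remaining `context->proto==PROTO_RTP` guard is now the only condition under which a Monitor hit is silently dropped here, and nothing in the code says why; a reader fixing the next "Monitor has no log" ticket will not know whether RTP is intentional. Suggest a why-comment on the guard, e.g. `/* RTP streams are not logged on Monitor here — TODO confirm reason; parent-SSL suppression moved to app_identify_result_cb (TSG-7568) */`, hedged because the rationale is not visible in this hunk. master_deal_scan_result starts and ends outside the hunk.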
@@ -1297,9 +1297,10 @@ static unsigned char master_deal_scan_result(const struct streaminfo *a_stream,
static int app_identify_result_cb(const struct streaminfo *a_stream, int bridge_id, void *data)
{
int hit_num=0,app_id=-1;
+ int is_parent_ssl=0;
struct master_context *context=NULL;
struct gather_app_result *gather_result=NULL;
- struct Maat_rule_t scan_result[MAX_RESULT_NUM]={0};
+ struct Maat_rule_t scan_result[MAX_RESULT_NUM]={0}, *p_result=NULL;
struct app_identify_result *identify_result=(struct app_identify_result *)data;
if(data==NULL)
@@ -1350,7 +1351,7 @@ static int app_identify_result_cb(const struct streaminfo *a_stream, int bridge_
app_id==(int)tsg_l7_protocol_name2id("HTTPS")
)
{
- context->is_parent_ssl=1;
+ is_parent_ssl=1;
}
break;
default:
@@ -1362,8 +1363,14 @@ static int app_identify_result_cb(const struct streaminfo *a_stream, int bridge_
record_time_start(&(context->last_scan_time));
hit_num=scan_application_id_and_properties((struct streaminfo *)a_stream, scan_result, MAX_RESULT_NUM, &(context->mid), identify_result, a_stream->threadnum);
- master_deal_scan_result(a_stream, context, scan_result, hit_num, NULL);
+ p_result=tsg_policy_decision_criteria(scan_result, hit_num);
+ if(p_result==NULL || (p_result->action==TSG_ACTION_MONITOR && is_parent_ssl==1))
+ {
+ return 0;
+ }
+ master_deal_scan_result(a_stream, context, scan_result, hit_num, NULL);
+
return 0;
}
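Review bot: The early `return 0` when `p_result==NULL` means master_deal_scan_result is no longer called on a no-hit scan, whereas the removed line called it unconditionally with whatever hit_num was; if that function does any per-stream bookkeeping for hit_num==0 (e.g. clearing context->result or marking the scan finished), that work is now skipped — confirm it is a no-op in the no-hit case, or keep the call and short-circuit only on the Monitor/parent-SSL condition. tsg_policy_decision_criteria now runs here and presumably again inside master_deal_scan_result, so the two decisions could diverge if scan_result is touched in between; passing p_result through would keep a single source of truth. The suppression itself deserves a why-comment, e.g. `/* Monitor hit on a parent SSL stream: presumably logged by the child stream, so skip here (TSG-7568) — confirm */`, since the reason is not visible in this hunk. app_identify_result_cb starts outside the hunk.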
@@ -1577,7 +1584,7 @@ static unsigned char tsg_master_all_entry(const struct streaminfo *a_stream, uns
case TSG_METHOD_TYPE_MIRRORED:
tsg_send_raw_packet(a_stream, context->vlan, context->vlan_num, thread_seq);
break;
- case TSG_METHOD_TYPE_RATE_LINIT:
+ case TSG_METHOD_TYPE_RATE_LIMIT:
eth_rawpkt_len=get_raw_packet_len(a_stream);
if(eth_rawpkt_len<=0)
{
@@ -1623,7 +1630,7 @@ extern "C" unsigned char TSG_MASTER_UDP_ENTRY(const struct streaminfo *a_udp, vo
}
state1=tsg_master_all_entry(a_udp, a_udp->opstate, (void **)&(context->all_entry), thread_seq, a_packet);
- if(context->all_entry==NULL || context->all_entry->method_type!=TSG_METHOD_TYPE_RATE_LINIT)
+ if(context->all_entry==NULL || context->all_entry->method_type!=TSG_METHOD_TYPE_RATE_LIMIT)
{
state2=tsg_master_data_entry(a_udp, (void **)&(context->data_entry), thread_seq, a_packet);
}
diff --git a/src/tsg_entry.h b/src/tsg_entry.h
index a53e8ba..62cdbaa 100644
--- a/src/tsg_entry.h
+++ b/src/tsg_entry.h
@@ -177,7 +177,6 @@ struct master_context
int is_esni;
int is_log;
int is_ratelimit;
- int is_parent_ssl;
char *domain;
scan_status_t mid;
struct Maat_rule_t *result;
diff --git a/src/tsg_rule.cpp b/src/tsg_rule.cpp
index c1f6e36..c0cc961 100644
--- a/src/tsg_rule.cpp
+++ b/src/tsg_rule.cpp
@@ -39,7 +39,7 @@ const struct _str2index method2index[TSG_METHOD_TYPE_MAX]={ {TSG_METHOD_TYPE_UNK
{TSG_METHOD_TYPE_BLOCK, 5, (char *)"block"},
{TSG_METHOD_TYPE_RESET, 3, (char *)"rst"},
{TSG_METHOD_TYPE_ALERT, 5, (char *)"alert"},
- {TSG_METHOD_TYPE_RATE_LINIT, 10, (char *)"rate_limit"}
+ {TSG_METHOD_TYPE_RATE_LIMIT, 10, (char *)"rate_limit"}
};
//functioned as strdup, for dictator compatible.
@@ -875,7 +875,7 @@ static struct compile_user_region *parse_deny_user_region(cJSON *object)
}
}
break;
- case TSG_METHOD_TYPE_RATE_LINIT:
+ case TSG_METHOD_TYPE_RATE_LIMIT:
user_region->deny=(struct deny_user_region *)calloc(1, sizeof(struct deny_user_region));
user_region->deny->type=TSG_DENY_TYPE_MAX;
get_integer_from_json(object, "bps", &(user_region->deny->bps));
@@ -1017,7 +1017,7 @@ void security_compile_free(int idx, const struct Maat_rule_t* rule, const char*
{
case TSG_METHOD_TYPE_ALERT:
case TSG_METHOD_TYPE_BLOCK:
- case TSG_METHOD_TYPE_RATE_LINIT:
+ case TSG_METHOD_TYPE_RATE_LIMIT:
case TSG_METHOD_TYPE_REDIRECTION:
free_deny_user_region(user_region->deny);
break;
@@ -2516,7 +2516,7 @@ int tsg_set_bucket_to_tcpall(const struct streaminfo *a_stream, struct tcpall_co
}
}
- _context->method_type=TSG_METHOD_TYPE_RATE_LINIT;
+ _context->method_type=TSG_METHOD_TYPE_RATE_LIMIT;
_context->bucket=bucket;
return 0;