authorliuxueli <[email protected]>2023-02-16 19:56:22 +0800
committerliuxueli <[email protected]>2023-02-16 19:56:22 +0800
commit9feef2359a2077e731788f2657858f4dbe383934 (patch)
tree0244e4981fa10ce90ee465304e18bbe2b3970833
parent2bf5b5a12040e056772f97e9dc56b6756d22703c (diff)
TSG-13817,TSG-13815: 从bridge中获取命中的deny result,修复设置drop after N packet参数后无效果的问题v5.10.4
-rw-r--r--src/tsg_action.cpp36
-rw-r--r--src/tsg_entry.cpp19
2 files changed, 43 insertions, 12 deletions
diff --git a/src/tsg_action.cpp b/src/tsg_action.cpp
index b04efa1..ed58b9c 100644
--- a/src/tsg_action.cpp
+++ b/src/tsg_action.cpp
@@ -687,6 +687,33 @@ static unsigned char do_action_ratelimit(const struct streaminfo *a_stream, Maat
return STATE_GIVEME|STATE_KILL_OTHER;
}
+static unsigned char do_action_block_sip(const struct streaminfo *a_stream, Maat_rule_t *p_result, struct compile_user_region *user_region, const void *user_data)
+{
+ int offset=0;
+ char payload[1024]={0};
+ switch(user_region->deny->code)
+ {
+ case 480:
+ //"SIP/2.0 480 Temporarily Unavailable\r\n"
+ offset=strlen("SIP/2.0 480 Temporarily Unavailable\r\n");
+ memcpy(payload, "SIP/2.0 480 Temporarily Unavailable\r\n", offset);
+ break;
+ case 500:
+ //"SIP/2.0 500 Server Internal Error\r\n",
+ offset=strlen("SIP/2.0 500 Server Internal Error\r\n");
+ memcpy(payload, "SIP/2.0 500 Server Internal Error\r\n", offset);
+ break;
+ default:
+ return STATE_DROPME|STATE_DROPPKT;
+ }
+
+ memcpy(payload+offset, user_data, strlen((const char*)user_data));
+ unsigned char raw_route_dir=(a_stream->curdir==DIR_C2S) ? MESA_dir_reverse(a_stream->routedir) : a_stream->routedir;
+ tsg_send_inject_packet(a_stream, SIO_DEFAULT, payload, strlen(payload), raw_route_dir);
+
+ return STATE_DROPME|STATE_DROPPKT;
+}
+
static unsigned char do_action_block_mail(const struct streaminfo *a_stream, Maat_rule_t *p_result, struct compile_user_region *user_region)
{
char *payload=NULL;
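Review bot: The copy at `memcpy(payload+offset, user_data, strlen((const char*)user_data));` in do_action_block_sip is unbounded: payload is a 1024-byte stack buffer, so a reply body longer than `sizeof payload - 1 - offset` overruns it and also destroys the terminating NUL that the following `strlen(payload)` relies on, and a NULL user_data is dereferenced by strlen. Building the message with a single bounded snprintf and refusing to inject when the result is truncated keeps the status line and body in one checked write; the rewrite below does that and also removes the duplicated per-case strlen/memcpy pairs. The origin and termination of user_data on the SIP path are decided by the caller of do_action_block_xxx, which is outside this diff, so whether it is guaranteed to be a NUL-terminated string should be confirmed there. `p_result` is unused in the new function, as it is in the neighbouring handlers.
```cpp
static unsigned char do_action_block_sip(const struct streaminfo *a_stream, Maat_rule_t *p_result, struct compile_user_region *user_region, const void *user_data)
{
    const char *status_line = NULL;
    char payload[1024] = {0};
    switch(user_region->deny->code)
    {
        case 480:
            status_line = "SIP/2.0 480 Temporarily Unavailable\r\n";
            break;
        case 500:
            status_line = "SIP/2.0 500 Server Internal Error\r\n";
            break;
        default:
            return STATE_DROPME|STATE_DROPPKT;
    }

    /* One bounded write for status line + body; a truncated reply is not injected. */
    const char *body = (user_data != NULL) ? (const char *)user_data : "";
    int n = snprintf(payload, sizeof payload, "%s%s", status_line, body);
    if(n < 0 || (size_t)n >= sizeof payload)
    {
        return STATE_DROPME|STATE_DROPPKT;
    }
    // … unchanged: raw_route_dir computation and tsg_send_inject_packet call …
    return STATE_DROPME|STATE_DROPPKT;
}
```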
@@ -739,17 +766,17 @@ static unsigned char do_action_block_http(const struct streaminfo *a_stream, Maa
return STATE_DROPME|STATE_DROPPKT;
}
-static unsigned char do_action_block_xxx(const struct streaminfo *a_stream, Maat_rule_t *p_result, struct compile_user_region *user_region, tsg_protocol_t protocol, const void *a_packet)
+static unsigned char do_action_block_xxx(const struct streaminfo *a_stream, Maat_rule_t *p_result, struct compile_user_region *user_region, tsg_protocol_t protocol, const void *user_data)
{
if(user_region==NULL || user_region->deny==NULL)
{
- return do_action_drop(a_stream, p_result, user_region, protocol, a_packet);
+ return do_action_drop(a_stream, p_result, user_region, protocol, user_data);
}
switch(protocol)
{
case PROTO_HTTP:
- return do_action_block_http(a_stream, p_result, user_region, a_packet);
+ return do_action_block_http(a_stream, p_result, user_region, user_data);
break;
case PROTO_POP3:
case PROTO_IMAP:
@@ -757,6 +784,9 @@ static unsigned char do_action_block_xxx(const struct streaminfo *a_stream, Maat
case PROTO_MAIL:
return do_action_block_mail(a_stream, p_result, user_region);
break;
+ case PROTO_SIP:
+ return do_action_block_sip(a_stream, p_result, user_region, user_data);
+ break;
default:
break;
}
diff --git a/src/tsg_entry.cpp b/src/tsg_entry.cpp
index 2ce8d56..5b8ea56 100644
--- a/src/tsg_entry.cpp
+++ b/src/tsg_entry.cpp
@@ -2165,12 +2165,12 @@ static unsigned char tsg_master_all_entry(const struct streaminfo *a_stream, uns
scan_status_t scan_mid=NULL;
struct Maat_rule_t *p_result=NULL;
unsigned char state=APP_STATE_GIVEME;
- struct identify_info tmp_identify_info;
struct Maat_rule_t hited_result[MAX_TSG_ALL_RESULT_NUM]={0};
struct Maat_rule_t security_result[MAX_RESULT_NUM]={0};
struct Maat_rule_t shaping_result[MAX_RESULT_NUM]={0};
struct tcpall_context *all_context=(struct tcpall_context *)(*pme);
-
+ struct policy_priority_label *priority_label=NULL;
+
if(stream_state==OP_STATE_PENDING && all_context->method_type!=TSG_METHOD_TYPE_ALLOW && !(all_context->udp_data_dropme))
{
if(all_context->method_type==TSG_METHOD_TYPE_UNKNOWN)
@@ -2241,33 +2241,34 @@ static unsigned char tsg_master_all_entry(const struct streaminfo *a_stream, uns
if(get_default_policy(g_tsg_para.default_compile_id, &security_result[0]))
{
- state=tsg_deal_deny_action(a_stream, &security_result[0], PROTO_UNKONWN, ACTION_RETURN_TYPE_TCPALL, a_packet);
+ state=tsg_deal_deny_action(a_stream, &security_result[0], PROTO_UNKONWN, ACTION_RETURN_TYPE_TCPALL, a_packet);
+ master_send_log(a_stream, &security_result[0], 1, NULL, thread_seq);
}
break;
case TSG_METHOD_TYPE_DROP:
case TSG_METHOD_TYPE_APP_DROP:
// contain hited current packet, platform calls tcp first and tcpall secondary.
- if(((all_context->hited_para.after_n_packets >= 0) && a_stream->type==STREAM_TYPE_TCP) ||
+ if(((all_context->hited_para.after_n_packets > 0) && a_stream->type==STREAM_TYPE_TCP) ||
((all_context->hited_para.after_n_packets > 0) && a_stream->type==STREAM_TYPE_UDP)
|| stream_state==OP_STATE_CLOSE)
{
all_context->hited_para.after_n_packets--;
break;
}
-
- ret=tsg_pull_policy_result((struct streaminfo *)a_stream,PULL_FW_RESULT, &security_result[0], 1, &tmp_identify_info);
- if(ret<=0)
+ priority_label=(struct policy_priority_label *)tsg_get_xxx_from_bridge(a_stream, g_tsg_para.bridge[BRIDGE_TYPE_POLICY_PRIORITY].id);
+ //ret=tsg_pull_policy_result((struct streaminfo *)a_stream,PULL_FW_RESULT, &security_result[0], 1, &tmp_identify_info);
+ if(priority_label==NULL || priority_label->security_result[0].action!=TSG_ACTION_DENY)
{
break;
}
if(all_context->hited_para.hited_app_id<=0)
{
- state=tsg_deal_deny_action(a_stream, &security_result[0], all_context->protocol, ACTION_RETURN_TYPE_TCPALL, a_packet);
+ state=tsg_deal_deny_action(a_stream, &priority_label->security_result[0], all_context->protocol, ACTION_RETURN_TYPE_TCPALL, a_packet);
}
else
{
- state=tsg_deny_application(a_stream, &security_result[0], all_context->protocol, all_context->hited_para.hited_app_id, ACTION_RETURN_TYPE_TCPALL, a_packet);
+ state=tsg_deny_application(a_stream, &priority_label->security_result[0], all_context->protocol, all_context->hited_para.hited_app_id, ACTION_RETURN_TYPE_TCPALL, a_packet);
}
break;
default: