authorliuxueli <[email protected]>2023-06-12 19:35:50 +0800
committerliuxueli <[email protected]>2023-06-12 19:35:50 +0800
commitc77480e1596a3d7e0d01bd08569d5e27adbb2ab2 (patch)
tree49c6947fe5f247d7ef4090c0340ca9537ba65208
parent1d47ee19ad9a1f21eb14036f463bdf3fd63c0242 (diff)
TSG-15436: dns协议命中deny策略,master执行非redirect的子动作v6.0.23
-rw-r--r--src/tsg_dns.cpp5
-rw-r--r--src/tsg_entry.cpp11
2 files changed, 13 insertions, 3 deletions
diff --git a/src/tsg_dns.cpp b/src/tsg_dns.cpp
index cba642f..5accc16 100644
--- a/src/tsg_dns.cpp
+++ b/src/tsg_dns.cpp
@@ -228,6 +228,11 @@ unsigned char do_action_redirect_dns(const struct streaminfo *a_stream, struct m
struct dns_user_region *user_region_record=NULL;
struct _dns_info *dns_info=(struct _dns_info *)user_data;
+ if(dns_info==NULL)
+ {
+ return STATE_GIVEME;
+ }
+
if(dns_info->hdr_info.qr==1 && g_tsg_para.deploy_mode==DEPLOY_MODE_MIRROR) //mirror
{
return STATE_GIVEME;
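Review bot: The new `dns_info==NULL` guard returns `STATE_GIVEME` with no comment or log, so a redirect that was suppressed on purpose and a DNS parse context that is missing by mistake look the same at this point. Judging from the tsg_entry.cpp change in this commit, NULL is now the signal that the DNS deny path should skip the redirect, and that contract should be written at the guard, e.g. `/* user_data is NULL when deny is enforced from matched_security_rules_deal for DNS: skip redirect, remaining sub-actions are handled by the caller */`. Whether `STATE_GIVEME` on this path still ends with the deny being enforced depends on the caller, which is not visible in this hunk. The body of do_action_redirect_dns also continues past it.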
diff --git a/src/tsg_entry.cpp b/src/tsg_entry.cpp
index 3c6330e..6902f47 100644
--- a/src/tsg_entry.cpp
+++ b/src/tsg_entry.cpp
@@ -1793,6 +1793,7 @@ size_t session_app_gather_results_scan(const struct streaminfo *a_stream, struct
static unsigned char matched_security_rules_deal(const struct streaminfo *a_stream, struct session_runtime_process_context *srt_process_context, struct maat_rule *security_rules, size_t n_security_rules, const void *a_packet, int thread_seq)
{
+ void *user_data=NULL;
unsigned char state=APP_STATE_GIVEME;
struct maat_rule *p_rule=matched_rules_decision_criteria(security_rules, n_security_rules);
if(p_rule->action==TSG_ACTION_SHUNT)
@@ -1807,7 +1808,11 @@ static unsigned char matched_security_rules_deal(const struct streaminfo *a_stre
case TSG_ACTION_DENY:
if(srt_process_context->proto==PROTO_DNS) /* deal action of deny in firewall */
{
- break;
+ user_data=NULL;
+ }
+ else
+ {
+ user_data=(void *)a_packet;
}
if(is_deny_application(p_rule))
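Review bot: With the `break` removed, DNS sessions now reach `tsg_enforing_deny_application` / `tsg_enforing_deny` with a NULL `user_data` (the calls are in the last hunk of this file), but the only NULL guard this commit adds is in do_action_redirect_dns. Any other deny sub-action that dereferences that argument would fault on a DNS hit, so each one probably needs the same check; their bodies are not visible here. The comment `/* deal action of deny in firewall */` no longer describes the branch and should say that NULL is passed to suppress the redirect sub-action. The assignment can also be collapsed and kept const-correct, since `a_packet` was previously passed to both callees without a cast: `const void *user_data=(srt_process_context->proto==PROTO_DNS) ? NULL : a_packet;` in place of the declaration in the first hunk and this if/else. matched_security_rules_deal starts and ends outside this hunk.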
@@ -1818,11 +1823,11 @@ static unsigned char matched_security_rules_deal(const struct streaminfo *a_stre
}
srt_action_context_set_hitted_app_id(a_stream, srt_process_context->hited_para.matched_app_id, a_stream->threadnum);
- state=tsg_enforing_deny_application(a_stream, p_rule, srt_process_context->proto, srt_process_context->hited_para.matched_app_id, ACTION_RETURN_TYPE_APP, a_packet);
+ state=tsg_enforing_deny_application(a_stream, p_rule, srt_process_context->proto, srt_process_context->hited_para.matched_app_id, ACTION_RETURN_TYPE_APP, user_data);
}
else
{
- state=tsg_enforing_deny(a_stream, p_rule, srt_process_context->proto, ACTION_RETURN_TYPE_APP, a_packet);
+ state=tsg_enforing_deny(a_stream, p_rule, srt_process_context->proto, ACTION_RETURN_TYPE_APP, user_data);
}
if(is_deny_after_N_packets(p_rule))